diff --git a/.github/README.md b/.github/README.md
index 0661cc1..510d1f6 100644
--- a/.github/README.md
+++ b/.github/README.md
@@ -150,24 +150,26 @@ ### Hosts - | Name | Hardware | Use | - |--------------------|-----------------------------------------------------|------------------------------------------------------| - |💻 **pyramid** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop | - |💻 **bakery** | Lenovo Ideapad 720S-13IKB | Personal laptop | - |💻 **machpizza** | MacBook Pro 2016 | MacOS reference and build sandbox | - |🏠 **treehouse** | NVIDIA DGX Spark | Workstation, AI playground and home-manager reference| - |🖥️ **winters** | ASRock J4105-ITX, 32GB RAM | Secondary homeserver and data storgae | - |🖥️ **summers** | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM | Main homeserver running microvms, data storage | - |🖥️ **hintbooth** | HUNSN RM02, 8GB RAM | Router | - |☁️ **milkywell** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks | - |☁️ **moonside** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services | - |☁️ **belchsfactory**| Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Hydra builder and nix binary cache | - |☁️ **monkeycave** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Gaming server | - |☁️ **eagleland** | Hetzner Cloud: CX23 | Mail server | - |📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone | - |💿 **drugstore** | - | ISO installer configuration | - |❔ **chaotheatre** | - | Demo config for checking out my configurtion | - |❔ **toto** | - | Helper configuration for bootstrapping a new system | + | Name | Hardware | Use | + |---------------------|-----------------------------------------------------|-----------------------------------------------------| + |💻 **pyramid** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop | + |💻 **bakery** | Lenovo Ideapad 720S-13IKB | Personal laptop | + |💻 **machpizza** | MacBook Pro 2016 | MacOS reference and build sandbox | + |🏠 **treehouse** | NVIDIA DGX Spark | AI Workstation, remote 
builder, hm-only-reference | + |🖥️ **summers** | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM | Homeserver (microvms), remote builder, datastorage | + |🖥️ **winters** | ASRock J4105-ITX, 32GB RAM | Homeserver (IoT server in spe) | + |🖥️ **hintbooth** | HUNSN RM02, 8GB RAM | Router | + |☁️ **stoicclub** | Cloud Server: 1 vCPUs, 8GB RAM | Authoritative dns server | + |☁️ **liliputsteps** | Cloud Server: 1 vCPUs, 8GB RAM | SSH bastion | + |☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM | Service proxy | + |☁️ **eagleland** | Cloud Server: 2 vCPUs, 8GB RAM | Mailserver | + |☁️ **moonside** | Cloud Server: 4 vCPUs, 24GB RAM | Gaming server, syncthing + lightweight services | + |☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM | Hydra builder and nix binarycache | + |📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone | + |💿 **drugstore** | - | NixOS-installer ISO for bootstrapping new hosts | + |💿 **brickroad** | - | Kexec tarball for bootstrapping low-memory machines | + |❔ **chaotheatre** | - | Demo config for checking out this configuration | + |❔ **toto** | - | Helper configuration for testing purposes | ## General Nix tips & useful links diff --git a/.sops.yaml b/.sops.yaml index f828b47..4b38475 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -7,12 +7,16 @@ keys: - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097 - &hosts - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 + - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx + - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + - &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 + - &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 - &hintbooth age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - - &milkywell age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh creation_rules: - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$ @@ -21,12 +25,16 @@ creation_rules: - *swarsel age: - *winters + - *twothreetunnel + - *liliputsteps + - *stoicclub + - *belchsfactory + - *eagleland - *hintbooth - *bakery - *toto - *surface - *nbl - - *milkywell - *moonside - path_regex: secrets/repo/[^/]+$ key_groups: @@ -34,12 +42,16 @@ creation_rules: - *swarsel age: - *winters + - *twothreetunnel + - *liliputsteps + - *stoicclub + - *belchsfactory + - *eagleland - *hintbooth - *bakery - *toto - *surface - *nbl - - *milkywell - *moonside - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$ key_groups: @@ -47,6 +59,11 @@ creation_rules: - *swarsel age: - *nbl + - *twothreetunnel + - *liliputsteps + - *stoicclub + - *belchsfactory + - *eagleland - *hintbooth - *bakery - *toto 
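Review bot: The five new host keys (`twothreetunnel`, `liliputsteps`, `stoicclub`, `belchsfactory`, `eagleland`) become age recipients of the shared `secrets/general/`, `secrets/repo/` and `secrets/certs/` rules in the `@@ -21`, `@@ -34` and `@@ -47` hunks, so each of these hosts can decrypt every file those rules cover. The README table in this commit gives them internet-facing roles (DNS server, SSH bastion, service proxy, mail server), so the compromise of one host key would expose the whole shared set. Consider splitting the shared files so a host is listed only on the files it consumes, and record the reason above each rule, for example `# recipients: only hosts that read this file at activation`. Recipients are also dropped (`milkywell` here, `moonside` from one rule in the `@@ -111` hunk). Editing `.sops.yaml` does not re-encrypt existing files, so run `sops updatekeys` on the affected files and rotate the values those keys could read.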
@@ -86,6 +103,19 @@ creation_rules: age: - *moonside + - path_regex: secrets/belchsfactory/secrets.yaml + key_groups: + - pgp: + - *swarsel + age: + - *belchsfactory + - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *belchsfactory + - path_regex: secrets/bakery/secrets.yaml key_groups: - pgp: @@ -111,20 +141,61 @@ creation_rules: - *swarsel age: - *winters - - *moonside - - path_regex: secrets/milkywell/[^/]+\.(yaml|json|env|ini)$ + - path_regex: secrets/eagleland/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *swarsel age: - - *milkywell - - path_regex: hosts/nixos/aarch64-linux/milkywell/secrets/pii.nix.enc + - *eagleland + + - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc key_groups: - pgp: - *swarsel age: - - *milkywell + - *eagleland + + + + - path_regex: secrets/stoicclub/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *swarsel + age: + - *stoicclub + - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *stoicclub + + - path_regex: secrets/liliputsteps/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *swarsel + age: + - *liliputsteps + - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *liliputsteps + + - path_regex: secrets/twothreetunnel/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *swarsel + age: + - *twothreetunnel + - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *twothreetunnel - path_regex: hosts/nixos/x86_64-linux/summers/secrets/ key_groups: diff --git a/SwarselSystems.org b/SwarselSystems.org index 5dd1d8c..61821f7 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
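Review bot: The new `belchsfactory` rule in the `@@ -86` hunk uses `path_regex: secrets/belchsfactory/secrets.yaml`, which has no `$` anchor and leaves its dots unescaped, while the other hosts added in the `@@ -111` hunk use `secrets/<host>/[^/]+\.(yaml|json|env|ini)$`. As a regex the unanchored form also matches longer names that merely contain that string, and it will not match a second secrets file added to that directory later. For consistency write it as `- path_regex: secrets/belchsfactory/[^/]+\.(yaml|json|env|ini)$`, and escape the dots in the `pii.nix.enc` patterns (`pii\.nix\.enc$`).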
@@ -24,7 +24,6 @@ I used to have two separate files (=Emacs.org= and =Nixos.org=) because the NixO This configuration is part of a NixOS system that is (nearly) fully declarative and can be found here: - [[https:github.com/Swarsel/.dotfiles][~SwarselSystems~ on github.com]] -- [[https:swagit.swarsel.win/Swarsel/.dotfiles][~SwarselSystems~ on swagit.swarsel.win]] This literate configuration lets me explain my choices to my future self as well as you, the reader. I go to great lengths to explain the choices for all configuration steps that I take in order for me to pay due diligence in crafting my setup, and not simply copying big chunks of other peoples code. Also, the literate configuration approach is very convenient to me as I only need to keep of (ideally) a single file to manage all of my configuration. I hope that this documentation will make it easier for beginners to get into Emacs and NixOS as I know it can be a struggle in the beginning. 
@@ -230,24 +229,26 @@ The structure of this flake as seen many revisions, however lately I have settle Here I give a brief overview over the hostmachines that I am using. This is held in markdown so that I can render it into my GitHub README. #+begin_src markdown :tangle no :noweb-ref hosts - | Name | Hardware | Use | - |--------------------|-----------------------------------------------------|------------------------------------------------------| - |💻 **pyramid** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop | - |💻 **bakery** | Lenovo Ideapad 720S-13IKB | Personal laptop | - |💻 **machpizza** | MacBook Pro 2016 | MacOS reference and build sandbox | - |🏠 **treehouse** | NVIDIA DGX Spark | Workstation, AI playground and home-manager reference| - |🖥️ **winters** | ASRock J4105-ITX, 32GB RAM | Secondary homeserver and data storgae | - |🖥️ **summers** | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM | Main homeserver running microvms, data storage | - |🖥️ **hintbooth** | HUNSN RM02, 8GB RAM | Router | - |☁️ **milkywell** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks | - |☁️ **moonside** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services | - |☁️ **belchsfactory**| Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Hydra builder and nix binary cache | - |☁️ **monkeycave** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Gaming server | - |☁️ **eagleland** | Hetzner Cloud: CX23 | Mail server | - |📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone | - |💿 **drugstore** | - | ISO installer configuration | - |❔ **chaotheatre** | - | Demo config for checking out my configurtion | - |❔ **toto** | - | Helper configuration for bootstrapping a new system | + | Name | Hardware | Use | + |---------------------|-----------------------------------------------------|-----------------------------------------------------| + |💻 **pyramid** | Framework Laptop 
16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop | + |💻 **bakery** | Lenovo Ideapad 720S-13IKB | Personal laptop | + |💻 **machpizza** | MacBook Pro 2016 | MacOS reference and build sandbox | + |🏠 **treehouse** | NVIDIA DGX Spark | AI Workstation, remote builder, hm-only-reference | + |🖥️ **summers** | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM | Homeserver (microvms), remote builder, datastorage | + |🖥️ **winters** | ASRock J4105-ITX, 32GB RAM | Homeserver (IoT server in spe) | + |🖥️ **hintbooth** | HUNSN RM02, 8GB RAM | Router | + |☁️ **stoicclub** | Cloud Server: 1 vCPUs, 8GB RAM | Authoritative dns server | + |☁️ **liliputsteps** | Cloud Server: 1 vCPUs, 8GB RAM | SSH bastion | + |☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM | Service proxy | + |☁️ **eagleland** | Cloud Server: 2 vCPUs, 8GB RAM | Mailserver | + |☁️ **moonside** | Cloud Server: 4 vCPUs, 24GB RAM | Gaming server, syncthing + lightweight services | + |☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM | Hydra builder and nix binarycache | + |📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone | + |💿 **drugstore** | - | NixOS-installer ISO for bootstrapping new hosts | + |💿 **brickroad** | - | Kexec tarball for bootstrapping low-memory machines | + |❔ **chaotheatre** | - | Demo config for checking out this configuration | + |❔ **toto** | - | Helper configuration for testing purposes | #+end_src ** Programs @@ -303,6 +304,9 @@ Here I give a brief overview over the hostmachines that I am using. This is held #+end_src ** Manual steps when setting up a new machine +:PROPERTIES: +:CUSTOM_ID: h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a +:END: #+begin_src markdown :noweb yes :exports both :results html These steps are required when setting up a normal NixOS host: 
@@ -357,6 +361,9 @@ If the new machine is home-manager only, perform these steps: #+end_export ** Current issues +:PROPERTIES: +:CUSTOM_ID: h:b562adaf-536c-4267-88a5-026d8a0cda61 +:END: #+begin_src markdown :noweb yes :exports both :results html Currently, these adaptions are made to the configuration to account for bugs in upstream repos: @@ -364,6 +371,30 @@ If the new machine is home-manager only, perform these steps: <> #+end_src +#+RESULTS: +#+begin_export html +Currently, these adaptions are made to the configuration to account for bugs in upstream repos: + +- 202501102: + - flake: + - emacs-overlay: + - : version pinned because emacsclient is currently broken on latest + - niri-flake: + - currently not using the sugared version of screenshot-[,window], as it is currently broken + - home-manager: + - emacs-tramp: + - using stable version in extraPackages (broken in unstable) + - :ensure nil in emacs tramp settings to use package in extraPackages + - emacs-calfwL + - pinned to version not in nixpkgs (is in latest emacs-overlay, but that is broken) + - vesktop: + - running stable version (broken in unstable) + - batgrep: + - running stable version (broken in unstable) + - swayosd: + - pinned to version not in nixpkgs (fixes https://github.com/ErikReider/SwayOSD/issues/175) +#+end_export + * flake.nix :PROPERTIES: :CUSTOM_ID: h:c7588c0d-2528-485d-b2df-04d6336428d7 
@@ -470,100 +501,57 @@ A short overview over each input and what it does: }; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1"; nixpkgs-dev.url = "github:Swarsel/nixpkgs/main"; nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs-stable24_11.url = "github:NixOS/nixpkgs/nixos-24.11"; nixpkgs-stable25_05.url = "github:NixOS/nixpkgs/nixos-25.05"; - systems.url = "github:nix-systems/default"; - swarsel-modules.url = "github:Swarsel/swarsel-modules/main"; - swarsel-nix.url = "github:Swarsel/swarsel-nix/main"; + home-manager = { # url = "github:nix-community/home-manager"; url = "github:Swarsel/home-manager/main"; inputs.nixpkgs.follows = "nixpkgs"; }; - swarsel.url = "github:Swarsel/.dotfiles"; - emacs-overlay = { - # url = "github:nix-community/emacs-overlay"; - url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D"; + nix-index-database = { + url = "github:nix-community/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; + + # emacs-overlay.url = "github:nix-community/emacs-overlay"; + emacs-overlay.url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D"; + swarsel-nix.url = "github:Swarsel/swarsel-nix/main"; + systems.url = "github:nix-systems/default"; nur.url = "github:nix-community/NUR"; nixgl.url = "github:guibou/nixGL"; stylix.url = "github:danth/stylix"; sops-nix.url = "github:Mic92/sops-nix"; lanzaboote.url = "github:nix-community/lanzaboote"; - 
nix-on-droid = { - url = "github:nix-community/nix-on-droid/release-24.05"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixos-generators = { - url = "github:nix-community/nixos-generators"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - nswitch-rcm-nix = { - url = "github:Swarsel/nswitch-rcm-nix"; - }; - nix-index-database = { - url = "github:nix-community/nix-index-database"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - disko = { - url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05"; + nixos-generators.url = "github:nix-community/nixos-generators"; + nixos-images.url = "github:Swarsel/nixos-images/main"; + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + nswitch-rcm-nix.url = "github:Swarsel/nswitch-rcm-nix"; + disko.url = "github:nix-community/disko"; impermanence.url = "github:nix-community/impermanence"; - zjstatus = { - url = "github:dj95/zjstatus"; - }; - # has been upstreamed - # fw-fanctrl = { - # # url = "github:TamtamHero/fw-fanctrl/packaging/nix"; - # url = "github:Swarsel/fw-fanctrl/packaging/nix"; - # inputs.nixpkgs.follows = "nixpkgs"; - # }; - nix-darwin = { - url = "github:lnl7/nix-darwin"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - pre-commit-hooks = { - url = "github:cachix/git-hooks.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - vbc-nix = { - url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + zjstatus.url = "github:dj95/zjstatus"; + nix-darwin.url = "github:lnl7/nix-darwin"; + pre-commit-hooks.url = "github:cachix/git-hooks.nix"; + vbc-nix.url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main"; nix-topology.url = "github:oddlama/nix-topology"; flake-parts.url = "github:hercules-ci/flake-parts"; - devshell = { - url = "github:numtide/devshell"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - spicetify-nix 
= { - url = "github:Gerg-l/spicetify-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - niri-flake = { - url = "github:sodiboo/niri-flake"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixos-extra-modules = { - url = "github:oddlama/nixos-extra-modules"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - microvm = { - url = "github:astro/microvm.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + devshell.url = "github:numtide/devshell"; + spicetify-nix.url = "github:Gerg-l/spicetify-nix"; + niri-flake.url = "github:sodiboo/niri-flake"; + nixos-extra-modules.url = "github:oddlama/nixos-extra-modules/main"; + microvm.url = "github:astro/microvm.nix"; treefmt-nix.url = "github:numtide/treefmt-nix"; - + dns.url = "github:kirelagin/dns.nix"; + nix-minecraft.url = "github:Infinidoge/nix-minecraft"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; }; + outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } { @@ -742,7 +730,7 @@ Concerning the =flake = _:= part: ) 4; subnetMask = lib.concatStringsSep "." (map toString octets); in - subnetMask; + subnetMask; mkIfElseList = p: yes: no: lib.mkMerge [ (lib.mkIf p yes) @@ -751,6 +739,23 @@ Concerning the =flake = _:= part: mkIfElse = p: yes: no: if p then yes else no; + getSubDomain = domain: + let + parts = builtins.split "\\." domain; + domainParts = builtins.filter (x: builtins.isString x && x != "") parts; + in + if builtins.length domainParts > 0 + then builtins.head domainParts + else ""; + + getBaseDomain = domain: + let + parts = builtins.split "\\." domain; + domainParts = builtins.filter (x: builtins.isString x && x != "") parts; + baseParts = builtins.tail domainParts; + in + builtins.concatStringsSep "." baseParts; + pkgsFor = lib.genAttrs (import systems) (system: import inputs.nixpkgs { inherit system; 
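Review bot: Collapsing the inputs to the one-line `.url` form in the `@@ -470` hunk drops `inputs.nixpkgs.follows = "nixpkgs"` from `emacs-overlay`, `nix-on-droid`, `nixos-generators`, `disko`, `nix-darwin`, `pre-commit-hooks`, `vbc-nix`, `devshell`, `spicetify-nix`, `niri-flake`, `nixos-extra-modules` and `microvm`, while `home-manager` and `nix-index-database` keep it. Each of those inputs will then lock its own nixpkgs revision, so anything built through them no longer picks up fixes when the top-level `nixpkgs` is bumped, and the lock file carries more revisions to audit. If that is intended, say so in a comment above the list, e.g. `# follows dropped on purpose: <reason>`; otherwise keep a line such as `disko.inputs.nixpkgs.follows = "nixpkgs";` next to each `.url`. The new `simple-nixos-mailserver` input tracks `master`, and for a mail host that is worth choosing deliberately.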
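Review bot: `getBaseDomain` in the `@@ -751` hunk calls `builtins.tail domainParts` without the empty-list guard that `getSubDomain` has just above it, so an empty string aborts evaluation in one helper and returns `""` in the other. Guard it the same way, e.g. `baseParts = if domainParts == [ ] then [ ] else builtins.tail domainParts;`. Both helpers also treat the first label as the subdomain unconditionally, so `getBaseDomain "example.com"` yields `"com"`. A comment such as `# expects at least three labels, e.g. sub.example.com` would make that precondition explicit. The enclosing attrset starts and ends outside this hunk.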
@@ -783,7 +788,7 @@ Concerning the =flake = _:= part: forEachLinuxSystem = f: lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: f pkgsFor.${system}); readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}"); - readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}")); + readNix = type: lib.filter (name: name != "default.nix" && name != "optional" && name != "darwin") (lib.attrNames (builtins.readDir "${self}/${type}")); mkImports = names: baseDir: lib.map (name: "${self}/${baseDir}/${name}") names; }; @@ -866,7 +871,7 @@ Lastly, in order make this actually available to my configurations, i use the =i #+begin_src nix-ts :tangle nix/globals.nix # adapted from https://github.com/oddlama/nix-config/blob/main/nix/globals.nix - { self, inputs, ... }: + { inputs, ... }: { flake = { config, lib, ... }: { 
@@ -972,41 +977,47 @@ The rest of the outputs either define or help define the actual configurations: }; modules = [ inputs.disko.nixosModules.disko - inputs.sops-nix.nixosModules.sops + inputs.home-manager.nixosModules.home-manager inputs.impermanence.nixosModules.impermanence inputs.lanzaboote.nixosModules.lanzaboote - inputs.nix-topology.nixosModules.default - inputs.home-manager.nixosModules.home-manager - inputs.stylix.nixosModules.stylix - inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm - # inputs.swarsel-modules.nixosModules.default - inputs.swarsel-nix.nixosModules.default - inputs.niri-flake.nixosModules.niri inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm + inputs.nix-index-database.nixosModules.nix-index + inputs.nix-minecraft.nixosModules.minecraft-servers + inputs.nix-topology.nixosModules.default + inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm + inputs.simple-nixos-mailserver.nixosModules.default + inputs.sops-nix.nixosModules.sops + inputs.stylix.nixosModules.stylix + inputs.swarsel-nix.nixosModules.default (inputs.nixos-extra-modules + "/modules/guests") + (inputs.nixos-extra-modules + "/modules/interface-naming.nix") "${self}/hosts/nixos/${arch}/${configName}" "${self}/profiles/nixos" "${self}/modules/nixos" { + _module.args.dns = inputs.dns; microvm.guest.enable = lib.mkDefault false; + networking.hostName = lib.swarselsystems.mkStrong configName; + node = { name = lib.mkForce configName; secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; + lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); }; swarselprofiles = { - minimal = lib.mkIf minimal (lib.mkDefault true); + minimal = lib.mkIf minimal (lib.swarselsystems.mkStrong true); }; swarselmodules.server = { - ssh = lib.mkIf (!minimal) (lib.mkDefault true); + ssh = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); }; swarselsystems = { - mainUser = lib.mkDefault "swarsel"; + mainUser = lib.swarselsystems.mkStrong "swarsel"; }; } ]; 
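Review bot: The defaults in the inline module move from `lib.mkDefault` to `lib.swarselsystems.mkStrong`, whose priority is defined outside this hunk and is not documented here. This matters most for `swarselmodules.server.ssh` and `node.lockFromBootstrapping`, which are now set for every non-minimal host. If `mkStrong` ranks above a plain assignment, a host that wants either one off has to use `lib.mkForce`, as the belchsfactory config later in this diff does for `node.lockFromBootstrapping`. A comment above the block would settle it, for example `# mkStrong: wins over plain host assignments, loses to lib.mkForce` (adjust to the actual priority). The list and the module it belongs to start and end outside the hunk.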
@@ -1053,7 +1064,6 @@ The rest of the outputs either define or help define the actual configurations: }; modules = [ inputs.stylix.homeModules.stylix - inputs.niri-flake.homeModules.niri inputs.nix-index-database.homeModules.nix-index # inputs.sops-nix.homeManagerModules.sops inputs.spicetify-nix.homeManagerModules.default @@ -1579,7 +1589,7 @@ Otherwise, I define the function =mkTemplates= here which builds a named attribu } #+end_src -** Formatter +** Formatter (treefmt-nix) :PROPERTIES: :CUSTOM_ID: h:5fce36ae-715d-42d3-9ad4-46137d85083f :END: 
@@ -1587,34 +1597,50 @@ Otherwise, I define the function =mkTemplates= here which builds a named attribu Defines a formatter that can be called using =nix flake format=. While a nice utility, I have stronger tools to perform this job. #+begin_src nix-ts :tangle nix/formatter.nix - { inputs, ... }: - { - imports = [ - inputs.treefmt-nix.flakeModule - ]; - - perSystem = { pkgs, ... }: { - # formatter = pkgs.nixpkgs-fmt; - # formatter is set by treefmt to: - # formatter = lib.mkIf config.treefmt.flakeFormatter (lib.mkDefault config.treefmt.build.wrapper); - treefmt = { - projectRootFile = "flake.nix"; - programs = { - nixfmt = { - enable = true; - package = pkgs.nixpkgs-fmt; - }; - deadnix.enable = true; - statix.enable = true; - shellcheck.enable = true; - }; - settings.formatter.shellcheck.options = [ - "--shell" - "bash" + { inputs, ... }: + { + imports = [ + inputs.treefmt-nix.flakeModule ]; - }; - }; - } + + perSystem = { pkgs, ... }: { + # formatter = pkgs.nixpkgs-fmt; + # formatter is set by treefmt to: + # formatter = lib.mkIf config.treefmt.flakeFormatter (lib.mkDefault config.treefmt.build.wrapper); + treefmt = { + projectRootFile = "flake.nix"; + programs = { + nixfmt = { + enable = true; + package = pkgs.nixpkgs-fmt; + }; + deadnix.enable = true; + statix.enable = true; + shfmt = { + enable = true; + indent_size = 4; + simplify = true; + # needed to replicate what my Emacs shfmt does + # there is no builtin option for space-redirects + package = pkgs.symlinkJoin { + name = "shfmt"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ pkgs.shfmt ]; + postBuild = '' + wrapProgram $out/bin/shfmt \ + --add-flags '-sr' + ''; + }; + }; + shellcheck.enable = true; + }; + settings.formatter.shellcheck.options = [ + "--shell" + "bash" + ]; + }; + }; + } #+end_src ** TODO Modules 
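Review bot: In the new `shfmt` wrapper, `pkgs.makeWrapper` is listed under `buildInputs`, but it is a build-time tool and should be `nativeBuildInputs = [ pkgs.makeWrapper ];`. With `buildInputs` the wrapper probably still builds natively but is resolved for the wrong platform in a cross build. The existing comment explains why the wrapper exists, and adding `# -sr: put a space after redirect operators` next to the `--add-flags` line would also name the flag itself.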
@@ -1802,7 +1828,9 @@ On the structure of overlays: as you notice, all of the attributes within overla // (inputs.nur.overlays.default final prev) // (inputs.emacs-overlay.overlay final prev) // (inputs.nix-topology.overlays.default final prev) + // (inputs.nix-index-database.overlays.nix-index final prev) // (inputs.nixgl.overlay final prev) + // (inputs.nix-minecraft.overlay final prev) // (inputs.nixos-extra-modules.overlays.default final prev) ) (modifications final prev); @@ -1826,19 +1854,32 @@ This is an improvement to what I did earlier, where I did not use =nixos-generat { perSystem = { pkgs, system, ... }: { - # nix build --print-out-paths --no-link .#images..live-iso - packages.live-iso = inputs.nixos-generators.nixosGenerate { - inherit pkgs; - specialArgs = { inherit self; }; - modules = [ - inputs.home-manager.nixosModules.home-manager - "${self}/install/installer-config.nix" - ]; - format = + packages = { + # nix build --print-out-paths --no-link .#live-iso + live-iso = inputs.nixos-generators.nixosGenerate { + inherit pkgs; + specialArgs = { inherit self; }; + modules = [ + inputs.home-manager.nixosModules.home-manager + "${self}/install/installer-config.nix" + ]; + format = + { + x86_64-linux = "install-iso"; + aarch64-linux = "sd-aarch64-installer"; + }.${system}; + }; + + # nix build --print-out-paths --no-link .#pnap-kexec --system + swarsel-kexec = (inputs.smallpkgs.legacyPackages.${system}.nixos [ { - x86_64-linux = "install-iso"; - aarch64-linux = "sd-aarch64-installer"; - }.${system}; + imports = [ "${self}/install/kexec.nix" ]; + _file = __curPos.file; + system.kexec-installer.name = "swarsel-kexec"; + } + inputs.nixos-images.nixosModules.kexec-installer + ]).config.system.build.kexecInstallerTarball; + }; }; } 
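Review bot: The usage comment above `swarsel-kexec` in the `@@ -1826` hunk names an attribute this hunk does not define and leaves `--system` without a value: `# nix build --print-out-paths --no-link .#pnap-kexec --system`. It should match the attribute, e.g. `# nix build --print-out-paths --no-link .#swarsel-kexec --system <system>`. The `live-iso` comment was corrected in the same hunk, so this one looks like a leftover from an earlier name.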
@@ -2124,15 +2165,16 @@ My work machine. Built for more security, this is the gold standard of my config ./disk-config.nix ./hardware-configuration.nix - ]; + "${self}/modules/nixos/optional/amdcpu.nix" + "${self}/modules/nixos/optional/amdgpu.nix" + "${self}/modules/nixos/optional/framework.nix" + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/hibernation.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + "${self}/modules/nixos/optional/work.nix" - swarselmodules = { - optional = { - amdcpu = true; - amdgpu = true; - hibernation = true; - }; - }; + ]; swarselsystems = { lowResolution = "1280x800"; @@ -2181,10 +2223,6 @@ My work machine. Built for more security, this is the gold standard of my config } // lib.optionalAttrs (!minimal) { swarselprofiles = { personal = true; - optionals = true; - work = true; - uni = true; - framework = true; }; } @@ -2382,6 +2420,10 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se ./disk-config.nix ./hardware-configuration.nix + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + ]; swarselsystems = { @@ -2403,7 +2445,6 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se isSwap = true; rootDisk = "/dev/nvme0n1"; swapSize = "4G"; - hostName = config.node.name; }; home-manager.users."${primaryUser}" = { 
@@ -2629,13 +2670,28 @@ This is my main server that I run at home. It handles most tasks that require bi isBtrfs = false; isLinux = true; isNixos = true; - server.garage = { - data_dir = [ - { + proxyHost = "moonside"; + server = { + restic = { + bucketName = "SwarselWinters"; + paths = [ + "/Vault/data/paperless" + "/Vault/data/koillection" + "/Vault/data/postgresql" + "/Vault/data/firefly-iii" + "/Vault/data/radicale" + "/Vault/data/matrix-synapse" + "/Vault/Eternor/Paperless" + "/Vault/Eternor/Bilder" + "/Vault/Eternor/Immich" + ]; + }; + garage = { + data_dir = { capacity = "200G"; - path = "/Vault/data/garage/main"; - } - ]; + path = "/Vault/data/garage/data"; + }; + }; }; }; @@ -2735,15 +2791,23 @@ This is my main server that I run at home. It handles most tasks that require bi } #+end_src **** Summers (Server: ASUS Z10PA-D8) +:PROPERTIES: +:CUSTOM_ID: h:82bf7fb1-631b-4acd-966b-d0c71a9eb463 +:END: ***** Main Configuration +:PROPERTIES: +:CUSTOM_ID: h:dc2233df-cd78-43cc-bb45-57568a83fb24 +:END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/default.nix - { inputs, lib, config, minimal, nodes, globals, ... }: + { self, inputs, lib, config, minimal, nodes, globals, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix + + "${self}/modules/nixos/optional/microvm-host.nix" ]; boot = { @@ -2770,9 +2834,6 @@ This is my main server that I run at home. It handles most tasks that require bi }; swarselmodules = { - optional = { - microvmHost = true; - }; server = { diskEncryption = lib.mkForce false; # TODO: disable nfs = false; @@ -2842,6 +2903,9 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src ***** hardware-configuration +:PROPERTIES: +:CUSTOM_ID: h:394b1f22-a61b-41da-9fe7-7625f164ed57 +:END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/hardware-configuration.nix { config, lib, modulesPath, ... }: 
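Review bot: The new `restic.paths` list in the `@@ -2629` hunk backs up `/Vault/data/postgresql` as plain files, and a file-level copy of a running PostgreSQL data directory is not guaranteed to restore. The context lines show `isBtrfs = false`, so a filesystem snapshot is presumably not available. Unless the restic module (outside this hunk) stops the database first, back up a dump directory written by a pre-backup job instead and note it inline, e.g. `# postgresql: dump, not the live data dir`. The same hunk changes garage's `data_dir.path` from `/Vault/data/garage/main` to `/Vault/data/garage/data`, so existing data has to be moved or the old path kept.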
@@ -2873,6 +2937,9 @@ This is my main server that I run at home. It handles most tasks that require bi } #+end_src ***** disko +:PROPERTIES: +:CUSTOM_ID: h:664b45fd-bd7e-4fff-bfc5-29f7a0657be6 +:END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/disk-config.nix { lib, config, ... }: @@ -2995,10 +3062,19 @@ This is my main server that I run at home. It handles most tasks that require bi } #+end_src ***** Guests +:PROPERTIES: +:CUSTOM_ID: h:5e571d89-6590-4aa4-a5f4-5c871683d09b +:END: ****** Guest 1 +:PROPERTIES: +:CUSTOM_ID: h:b9af4b1c-f35a-48a5-afa7-030c2be9c808 +:END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix - { lib, minimal, ... }: + { self,lib, minimal, ... }: { + imports = [ + "${self}/modules/nixos/optional/microvm-guest.nix" + ]; swarselsystems = { info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM"; @@ -3010,12 +3086,6 @@ This is my main server that I run at home. It handles most tasks that require bi server = false; }; - swarselmodules = { - optional = { - microvmGuest = false; - }; - }; - microvm = { mem = 1024 * 4; vcpu = 2; @@ -3026,8 +3096,14 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src **** Hintbooth (Router: HUNSN RM02) +:PROPERTIES: +:CUSTOM_ID: h:58c7563e-6954-42e6-a622-9d06523e8e24 +:END: ***** Main Configuration +:PROPERTIES: +:CUSTOM_ID: h:624b3c6a-6e31-4734-a6ea-7c5b461a3429 +:END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/default.nix { lib, minimal, ... }: { @@ -3069,6 +3145,9 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src ***** hardware-configuration +:PROPERTIES: +:CUSTOM_ID: h:b4a0b41c-52eb-4f0b-ba0b-64036c52e594 +:END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/hardware-configuration.nix { config, lib, modulesPath, ... }: 
@@ -3096,6 +3175,9 @@ This is my main server that I run at home. It handles most tasks that require bi } #+end_src ***** disko +:PROPERTIES: +:CUSTOM_ID: h:1500fb57-334b-4f1b-92de-566ea07924d1 +:END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/disk-config.nix { lib, config, ... }: @@ -3308,9 +3390,12 @@ My phone. I use only a minimal config for remote debugging here. #+end_src **** Treehouse (DGX Spark) +:PROPERTIES: +:CUSTOM_ID: h:ced1795a-9884-4277-bcde-6f7b9b1cc2f0 +:END: #+begin_src nix-ts :tangle hosts/home/aarch64-linux/treehouse/default.nix - { self, ... }: + { self, pkgs, ... }: { imports = [ @@ -3328,11 +3413,15 @@ My phone. I use only a minimal config for remote debugging here. }; }; + home.packages = with pkgs; [ + attic-client + ]; # programs.zsh.initContent = " # export GPG_TTY=\"$(tty)\" # export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) # gpgconf --launch gpg-agent # "; + swarselmodules.pii = true; swarselsystems = { isLaptop = false; @@ -3386,7 +3475,6 @@ This machine mainly acts as my proxy server to stand before my local machines. sops = { age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; - # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; secrets = { wireguard-private-key = { inherit sopsFile; }; wireguard-home-preshared-key = { inherit sopsFile; }; @@ -3513,9 +3601,16 @@ This machine mainly acts as my proxy server to stand before my local machines. isBtrfs = true; isNixos = true; isLinux = true; + server = { + restic = { + bucketName = "SwarselMoonside"; + paths = [ + "/persist/opt/minecraft" + ]; + }; + }; syncthing = { serviceDomain = config.repo.secrets.common.services.domains.syncthing3; - serviceIP = "localhost"; }; }; } // lib.optionalAttrs (!minimal) { 
@@ -3530,6 +3625,8 @@ This machine mainly acts as my proxy server to stand before my local machines. shlink = true; slink = true; syncthing = true; + minecraft = true; + restic = true; diskEncryption = lib.mkForce false; }; } 
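Review bot: Enabling `minecraft = true;` here puts a game server, presumably internet-facing, on the host this section introduces as the proxy in front of the local machines, and whose `sops.secrets` block (visible earlier in the same file section) holds `wireguard-private-key` and `wireguard-home-preshared-key`. A compromise of the game server process would land on the machine that terminates the tunnel into the home network. It is worth a comment next to the flag stating how the service is confined (dedicated user, systemd hardening, firewall scope), or keeping the service on a host that does not carry those keys. The module behind `minecraft` is not visible in this hunk, so any sandboxing it already applies cannot be confirmed from here.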
@@ -3688,6 +3785,1005 @@ This machine mainly acts as my proxy server to stand before my local machines. } +#+end_src +**** Belchsfactory (OCI) +:PROPERTIES: +:CUSTOM_ID: h:90457194-6b97-4cd6-90bc-4f42d0d69f51 +:END: + +***** Main Configuration +:PROPERTIES: +:CUSTOM_ID: h:cb78799c-d47a-43d4-88ad-d32fcc0abd0b +:END: + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/belchsfactory/default.nix + { self, lib, minimal, ... }: + { + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" + ]; + + node.lockFromBootstrapping = lib.mkForce false; + + topology.self = { + icon = "devices.cloud-server"; + }; + swarselmodules.server.nginx = false; + + swarselsystems = { + flakePath = "/root/.dotfiles"; + info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isSwap = false; + rootDisk = "/dev/sda"; + isBtrfs = true; + isNixos = true; + isLinux = true; + isCloud = true; + server = { + garage = { + data_dir = { + capacity = "150G"; + path = "/var/lib/garage/data"; + }; + keys = { + nixos = [ + "attic" + ]; + }; + buckets = [ + "attic" + ]; + }; + }; + }; + } // lib.optionalAttrs (!minimal) { + swarselprofiles = { + server = true; + }; + + swarselmodules.server = { + ssh-builder = lib.mkDefault true; + postgresql = lib.mkDefault true; + attic = lib.mkDefault true; + garage = lib.mkDefault true; + }; + + } + +#+end_src +***** hardware-configuration +:PROPERTIES: +:CUSTOM_ID: h:e9e29520-5800-4756-ad13-1ec9747ab911 +:END: + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix + { lib, modulesPath, ... 
}: + { + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; + } +#+end_src +***** disko +:PROPERTIES: +:CUSTOM_ID: h:19a83f57-9e7a-44b9-ae7f-2f021f21abf7 +:END: + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/belchsfactory/disk-config.nix + { lib, pkgs, config, ... }: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type 
subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } + +#+end_src +**** Stoicclub (OCI) + +***** Main Configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/default.nix + { self, lib, minimal, ... 
}: + { + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" + ]; + + topology.self = { + icon = "devices.cloud-server"; + }; + swarselmodules.server.nginx = false; + + + swarselsystems = { + flakePath = "/root/.dotfiles"; + info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isSwap = false; + rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3"; + isBtrfs = true; + isNixos = true; + isLinux = true; + isCloud = true; + isBastionTarget = true; + }; + } // lib.optionalAttrs (!minimal) { + swarselprofiles = { + server = true; + }; + + swarselmodules.server = { + nsd = true; + nginx = false; + }; + } + +#+end_src +***** hardware-configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix + { lib, modulesPath, ... }: + { + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; + } +#+end_src +***** disko + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/disk-config.nix + { lib, pkgs, config, ... 
}: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards 
= true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } + +#+end_src +**** Liliputsteps (OCI) + +***** Main Configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/default.nix + { self, lib, minimal, ... }: + { + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" + ]; + + topology.self = { + icon = "devices.cloud-server"; + }; + + swarselsystems = { + flakePath = "/root/.dotfiles"; + info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isSwap = false; + rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885"; + isBtrfs = true; + isNixos = true; + isLinux = true; + isCloud = true; + mainUser = "jump"; + }; + } // lib.optionalAttrs (!minimal) { + swarselprofiles = { + server = true; + }; + + swarselmodules.server = { + nginx = false; + bastion = true; + # ssh = false; + }; + + # users.users.swarsel.enable = lib.mkForce false; + # home-manager.users.swarsel.enable = lib.mkForce false + } + +#+end_src +***** hardware-configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix + { lib, modulesPath, ... 
}: + { + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; + } +#+end_src +***** disko + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix + { lib, pkgs, config, ... }: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf 
config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } + +#+end_src +**** Twothreetunnel (OCI) + +***** Main Configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/default.nix + { self, lib, minimal, ... 
}: + { + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" + ]; + + topology.self = { + icon = "devices.cloud-server"; + }; + + swarselsystems = { + flakePath = "/root/.dotfiles"; + info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isSwap = false; + rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d"; + isBtrfs = true; + isNixos = true; + isLinux = true; + isCloud = true; + }; + } // lib.optionalAttrs (!minimal) { + swarselprofiles = { + server = true; + }; + + swarselmodules.server = { + nginx = false; + }; + + } + +#+end_src +***** hardware-configuration + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix + { lib, modulesPath, ... }: + { + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; + } +#+end_src +***** disko + +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix + { lib, pkgs, config, ... 
}: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards 
= true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } + +#+end_src +**** Eagleland (Hetzner) +:PROPERTIES: +:CUSTOM_ID: h:81bc8746-b46b-4d29-87de-ddbd77788b43 +:END: + +***** Main Configuration +:PROPERTIES: +:CUSTOM_ID: h:96540b9c-1610-45f2-ba19-916051ab5e10 +:END: + +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/eagleland/default.nix + { self, lib, minimal, ... }: + { + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" + ]; + + topology.self = { + icon = "devices.cloud-server"; + }; + + + swarselsystems = { + flakePath = "/root/.dotfiles"; + info = "2vCPU, 4GB Ram"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isCloud = true; + isSwap = true; + swapSize = "4G"; + rootDisk = "/dev/sda"; + isBtrfs = true; + isNixos = true; + isLinux = true; + proxyHost = "eagleland"; + }; + } // lib.optionalAttrs (!minimal) { + + swarselmodules.server.mailserver = true; + + swarselprofiles = { + server = true; + }; + + } + +#+end_src +***** hardware-configuration +:PROPERTIES: +:CUSTOM_ID: h:44c29a70-d5fc-49c1-b02e-a5cd2ec6119b +:END: + +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/eagleland/hardware-configuration.nix + { lib, modulesPath, ... 
}: + + { + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + } + +#+end_src +***** disko +:PROPERTIES: +:CUSTOM_ID: h:5c77e384-fdae-4994-bce3-ca736722529c +:END: + +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/eagleland/disk-config.nix + { lib, pkgs, config, ... }: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + 
inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } #+end_src *** Utility hosts :PROPERTIES: 
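Review bot: In every `postCreateHook` of the five new disk-config.nix blocks (belchsfactory, stoicclub, liliputsteps, twothreetunnel, eagleland), `trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT` runs the recursive delete even when the unmount fails, in which case it could descend into the still-mounted top-level btrfs volume and remove the subvolumes that were just created. Chaining the two steps and using a non-recursive removal avoids that: `trap 'umount "$MNTPOINT" && rmdir "$MNTPOINT"' EXIT`, with the variable quoted as it already is on the `mount` line. The same hook text appears in both the plain `root` and the `luks` branch of each copy, so a single shared disko module driven by `config.swarselsystems.rootDisk` would leave one place to fix. Separately, belchsfactory and eagleland set `rootDisk = "/dev/sda"` while the other new hosts use a `/dev/disk/by-id/...` path; since `extraArgs` passes `-f`, a stable by-id path would be the safer target there as well.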
@@ -4067,6 +5163,111 @@ TODO: cleanup this mess #+end_src +**** Brick Road (kexec image) +:PROPERTIES: +:CUSTOM_ID: h:e9fe580c-f1b2-4d7b-aaff-bbdf89a8c9f9 +:END: + +#+begin_src nix-ts :tangle install/kexec.nix + { lib, pkgs, modulesPath, options, ... }: + { + disabledModules = [ + # This module adds values to multiple lists (systemPackages, supportedFilesystems) + # which are impossible/unpractical to remove, so we disable the entire module. + "profiles/base.nix" + ]; + + imports = [ + # reduce closure size by removing perl + "${modulesPath}/profiles/perlless.nix" + # FIXME: we still are left with nixos-generate-config due to nixos-install-tools + { system.forbiddenDependenciesRegexes = lib.mkForce [ ]; } + ]; + + config = { + networking.hostName = "brickroad"; + + system = { + # nixos-option is mainly useful for interactive installations + tools.nixos-option.enable = false; + # among others, this prevents carrying a stdenv with gcc in the image + extraDependencies = lib.mkForce [ ]; + }; + # prevents shipping nixpkgs, unnecessary if system is evaluated externally + nix.registry = lib.mkForce { }; + + # would pull in nano + programs.nano.enable = false; + + # prevents strace + environment = { + defaultPackages = lib.mkForce [ + pkgs.parted + pkgs.gptfdisk + pkgs.e2fsprogs + ]; + + systemPackages = with pkgs; [ + cryptsetup.bin + ]; + + # Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs. 
+ ldso32 = null; + }; + + # included in systemd anyway + systemd.sysusers.enable = true; + + # normal users are not allowed with sys-users + # see https://github.com/NixOS/nixpkgs/pull/328926 + users.users.nixos = { + isSystemUser = true; + isNormalUser = lib.mkForce false; + shell = "/run/current-system/sw/bin/bash"; + group = "nixos"; + }; + users.groups.nixos = { }; + + security = { + # we have still run0 from systemd and most of the time we just use root + sudo.enable = false; + polkit.enable = lib.mkForce false; + # introduces x11 dependencies + pam.services.su.forwardXAuth = lib.mkForce false; + }; + + documentation = { + enable = false; + man.enable = false; + nixos.enable = false; + info.enable = false; + doc.enable = false; + }; + + services = { + # no dependency on x11 + dbus.implementation = "broker"; + # we prefer root as this is also what we use in nixos-anywhere + getty.autologinUser = lib.mkForce "root"; + # included in systemd anyway + userborn.enable = false; + }; + + + + # we are missing this from base.nix + boot.supportedFilesystems = [ + "ext4" + "btrfs" + "xfs" + ]; + } // lib.optionalAttrs (options.hardware ? firmwareCompression) { + hardware.firmwareCompression = "xz"; + }; + } + +#+end_src + **** Hotel (Demo Physical/VM) :PROPERTIES: :CUSTOM_ID: h:e1498bef-ec67-483d-bf02-76264e30be8e @@ -4390,6 +5591,11 @@ in "nginx" "virtualHosts" ] + [ + "swarselsystems" + "server" + "dns" + ] ]; attrsForEachOption = @@ -4510,7 +5716,8 @@ in if netSubmod.config.cidrv6 == null then null else - lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; + # if we use the /32 wan address as local address directly, do not use the network address in ipv6 + lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6; }; }; }) 
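Review bot: `getty.autologinUser = lib.mkForce "root"` in install/kexec.nix means every console of a machine booted into this image is an unauthenticated root shell. That fits the installer use the neighbouring comment describes, but nothing in the block says the image is for install time only; a comment on that line such as `# install-time image only: console access equals root, never leave a host running on it` would record the assumption. The `# prevents strace` comment also sits above the whole `environment` set although it appears to refer to `defaultPackages`.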
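Review bot: Mapping `hostSubmod.config.id == 0` to host number 1 in the `cidrv6` branch means a host with id 0 and a host with id 1 in the same network are given the same IPv6 address. Nothing in this hunk rejects that combination, so it would only show up as a duplicate address after deployment; an assertion next to this default that no network contains both ids, or reserving id 1 whenever id 0 is in use, would make the constraint explicit. The surrounding option definition begins outside the hunk, so an existing check elsewhere cannot be ruled out.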
@@ -4542,13 +5749,31 @@ in services = mkOption { type = types.attrsOf ( - types.submodule { + types.submodule (serviceSubmod: { options = { domain = mkOption { type = types.str; }; + subDomain = mkOption { + readOnly = true; + type = types.str; + default = lib.swarselsystems.getSubDomain serviceSubmod.config.domain; + }; + baseDomain = mkOption { + readOnly = true; + type = types.str; + default = lib.swarselsystems.getBaseDomain serviceSubmod.config.domain; + }; + proxyAddress4 = mkOption { + type = types.nullOr types.str; + default = null; + }; + proxyAddress6 = mkOption { + type = types.nullOr types.str; + default = null; + }; }; - } + }) ); }; @@ -4591,6 +5816,12 @@ in defaultGateway6 = mkOption { type = types.nullOr types.net.ipv6; }; + wanAddress4 = mkOption { + type = types.nullOr types.net.ipv4; + }; + wanAddress6 = mkOption { + type = types.nullOr types.net.ipv6; + }; }; } ); @@ -4600,6 +5831,10 @@ in main = mkOption { type = types.str; }; + externalDns = mkOption { + type = types.listOf types.str; + description = "List of external dns nameservers"; + }; }; }; }; @@ -4635,6 +5870,10 @@ in description = "Node Name."; type = lib.types.str; }; + lockFromBootstrapping = lib.mkOption { + description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap."; + type = lib.types.bool; + }; }; }; } @@ -4672,7 +5911,8 @@ in github-nixpkgs-review-token = { owner = mainUser; }; }) // (lib.optionalAttrs modules.emacs { emacs-radicale-pw = { owner = mainUser; }; - }) // (lib.optionalAttrs modules.optional.work { + github-forge-token = { owner = mainUser; }; + }) // (lib.optionalAttrs (modules ? optional-work) { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { anki-user = { owner = mainUser; }; 
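Review bot: `proxyAddress4` and `proxyAddress6` are declared as `types.nullOr types.str`, while the address options added further down in the same change (`wanAddress4`, `wanAddress6`) use `types.net.ipv4` and `types.net.ipv6`. Using the typed form here as well, `type = types.nullOr types.net.ipv4;` and `type = types.nullOr types.net.ipv6;`, would reject a malformed or swapped address at evaluation time instead of handing it to whatever consumes the proxy address. The new service options also carry no `description`, unlike `externalDns` in this change.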
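Review bot: The guard for `harica-root-ca` changed from `modules.optional.work` to `(modules ? optional-work)`, which tests only that the attribute exists, not that it is true. If `modules` still carries boolean values, as the neighbouring `modules.emacs` and `modules.anki` guards suggest, a host with `optional-work = false` would now get the certificate secret declared; `(modules.optional-work or false)` keeps the tolerance for a missing attribute and the value check. How `modules` is built lies outside this hunk, so its shape needs confirming.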
@@ -4713,7 +5953,7 @@ in }; } #+end_src -**** General NixOS settings (nix, stateVersion) +**** General NixOS settings (nix config, stateVersion) :PROPERTIES: :CUSTOM_ID: h:24c9146f-2147-4fd5-bafc-d5853e15cf12 :END: 
@@ -4746,136 +5986,149 @@ A breakdown of the flags being set: - nix.nixPath: Basically the same as =nix.registry=, but for the legacy nix commands #+begin_src nix-ts :tangle modules/nixos/common/settings.nix - { self, lib, pkgs, config, outputs, inputs, minimal, ... }: - let - settings = if minimal then { } else { - environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" '' - assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false; - { } - ''; + { self, lib, pkgs, config, outputs, inputs, minimal, globals, ... }: + let + inherit (config.swarselsystems) mainUser; + inherit (config.repo.secrets.common) atticPublicKey; + settings = if minimal then { } else { + environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" '' + assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false; + { } + ''; - nix = - let - flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs; - in - { - settings = { - connect-timeout = 5; - bash-prompt-prefix = "$SHLVL:\\w "; - bash-prompt = "$(if [[ $? 
-gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; - fallback = true; - min-free = 128000000; - max-free = 1000000000; - flake-registry = ""; - auto-optimise-store = true; - warn-dirty = false; - max-jobs = 1; - use-cgroups = lib.mkIf config.swarselsystems.isLinux true; - }; - gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 10d"; - }; - optimise = { - automatic = true; - dates = "weekly"; - }; - channel.enable = false; - registry = rec { - nixpkgs.flake = inputs.nixpkgs; - swarsel.flake = inputs.swarsel; - n = nixpkgs; - s = swarsel; - }; - nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; - }; + nix = + let + flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs; + in + { + settings = { + connect-timeout = 5; + bash-prompt-prefix = "$SHLVL:\\w "; + bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; + fallback = true; + min-free = 128000000; + max-free = 1000000000; + flake-registry = ""; + auto-optimise-store = true; + warn-dirty = false; + max-jobs = 1; + use-cgroups = lib.mkIf config.swarselsystems.isLinux true; + }; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 10d"; + }; + optimise = { + automatic = true; + dates = "weekly"; + }; + channel.enable = false; + registry = rec { + nixpkgs.flake = inputs.nixpkgs; + # swarsel.flake = inputs.swarsel; + swarsel.flake = self; + n = nixpkgs; + s = swarsel; + }; + nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; + }; - services.dbus.implementation = "broker"; + services.dbus.implementation = "broker"; - systemd.services.nix-daemon = { - environment.TMPDIR = "/var/tmp"; - }; + systemd.services.nix-daemon = { + environment.TMPDIR = "/var/tmp"; + }; - }; - in - { - options.swarselmodules.general = lib.mkEnableOption "general nix settings"; - config = lib.mkIf config.swarselmodules.general - (lib.recursiveUpdate - { - sops.secrets.github-api-token = lib.mkIf (!minimal) { - sopsFile = 
"${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; - }; + }; + in + { + options.swarselmodules.general = lib.mkEnableOption "general nix settings"; + config = lib.mkIf config.swarselmodules.general + (lib.recursiveUpdate + { + sops.secrets = lib.mkIf (!minimal) { + github-api-token = { owner = mainUser; }; + }; - nix = - let - nix-version = "2_30"; - in - { - package = pkgs.nixVersions."nix_${nix-version}"; - settings = { - experimental-features = [ - "nix-command" - "flakes" - "ca-derivations" - "cgroups" - "pipe-operators" - ]; - trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ]; - }; - # extraOptions = '' - # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins - # extra-builtins-file = ${self + /nix/extra-builtins.nix} - # '' + lib.optionalString (!minimal) '' - # !include ${config.sops.secrets.github-api-token.path} - # ''; - # extraOptions = '' - # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { - # buildInputs = [config.nix.package pkgs.boost]; - # patches = o.patches or []; - # })}/lib/nix/plugins - # extra-builtins-file = ${self + /nix/extra-builtins.nix} - # ''; + nix = + let + nix-version = "2_30"; + in + { + package = pkgs.nixVersions."nix_${nix-version}"; + settings = { + experimental-features = [ + "nix-command" + "flakes" + "ca-derivations" + "cgroups" + "pipe-operators" + ]; + substituters = [ + "https://${globals.services.attic.domain}/${mainUser}" + ]; + trusted-public-keys = [ + atticPublicKey + ]; + trusted-users = [ + "@wheel" + "${config.swarselsystems.mainUser}" + (lib.mkIf config.swarselmodules.server.ssh-builder "builder") + ]; + }; + # extraOptions = '' + # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins + # extra-builtins-file = ${self + /nix/extra-builtins.nix} + # '' + lib.optionalString (!minimal) '' + # !include ${config.sops.secrets.github-api-token.path} + # ''; + # extraOptions = '' + # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { + # buildInputs = [config.nix.package 
pkgs.boost]; + # patches = o.patches or []; + # })}/lib/nix/plugins + # extra-builtins-file = ${self + /nix/extra-builtins.nix} + # ''; - extraOptions = - let - nix-plugins = pkgs.nix-plugins.override { - nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; - }; - in - '' - plugin-files = ${nix-plugins}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - '' + lib.optionalString (!minimal) '' - !include ${config.sops.secrets.github-api-token.path} - ''; - }; + extraOptions = + let + nix-plugins = pkgs.nix-plugins.override { + nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; + }; + in + '' + plugin-files = ${nix-plugins}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} + '' + lib.optionalString (!minimal) '' + !include ${config.sops.secrets.github-api-token.path} + ''; + }; - system.stateVersion = lib.mkDefault "23.05"; + system.stateVersion = lib.mkDefault "23.05"; - nixpkgs = { - overlays = [ - outputs.overlays.default - (final: prev: - let - additions = final: _: import "${self}/pkgs/config" { - inherit self config lib; - pkgs = final; - homeConfig = config.home-manager.users.${config.swarselsystems.mainUser}; - }; - in - additions final prev - ) - ]; - config = { - allowUnfree = true; - }; - }; + nixpkgs = { + overlays = [ + outputs.overlays.default + (final: prev: + let + additions = final: _: import "${self}/pkgs/config" { + inherit self config lib; + pkgs = final; + homeConfig = config.home-manager.users.${config.swarselsystems.mainUser}; + }; + in + additions final prev + ) + ]; + config = { + allowUnfree = true; + }; + }; - } - settings); - } + } + settings); + } #+end_src **** Setup home-manager base 
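Review bot: The new `trusted-users` entry `(lib.mkIf config.swarselmodules.server.ssh-builder "builder")` makes the remote-build account a trusted Nix user, which allows it to override daemon settings and import unsigned store paths, so it is effectively root-equivalent on that host. If the account only has to receive build inputs, signing paths on the submitting side and leaving `builder` out of `trusted-users`, or restricting its SSH key to a forced command, narrows what a leaked builder key can do. A comment on that line stating why trust is required would document the decision. The commented-out `# swarsel.flake = inputs.swarsel;` left above `swarsel.flake = self;` in the registry can be dropped.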
@@ -4900,7 +6153,6 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the inputs.nix-index-database.homeModules.nix-index inputs.sops-nix.homeManagerModules.sops inputs.spicetify-nix.homeManagerModules.default - # inputs.swarsel-modules.homeModules.default inputs.swarsel-nix.homeModules.default { imports = [ @@ -4939,14 +6191,11 @@ In case of using a fully setup system, this makes also sure that no further user For that reason, make sure that =sops-nix= is properly working before finishing the minimal setup, otherwise we might lose user access. The bootstrapping script takes care of this. #+begin_src nix-ts :tangle modules/nixos/common/users.nix - { self, pkgs, config, lib, globals, minimal, ... }: - let - sopsFile = self + /secrets/general/secrets.yaml; - in + { pkgs, config, lib, globals, minimal, ... }: { options.swarselmodules.users = lib.mkEnableOption "user config"; config = lib.mkIf config.swarselmodules.users { - sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; }; + sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; }; users = { mutableUsers = lib.mkIf (!minimal) false; @@ -5258,6 +6507,7 @@ Normally, doing that also resets the lecture that happens on the first use of =s hideMounts = true; directories = [ + "/root/.dotfiles" "/etc/nix" "/etc/NetworkManager/system-connections" "/var/lib/nixos" 
@@ -5313,102 +6563,106 @@ This section is for setting things that should be used on hosts that are using t Mostly used to install some compilers and lsp's that I want to have available when not using a devShell flake. Most other packages should go in [[#h:893a7f33-7715-415b-a895-2687ded31c18][Installed packages]]. #+begin_src nix-ts :tangle modules/nixos/client/packages.nix - { lib, config, pkgs, minimal, ... }: - { - options.swarselmodules.packages = lib.mkEnableOption "install packages"; - config = lib.mkIf config.swarselmodules.packages { + { lib, config, pkgs, minimal, ... }: + { + options.swarselmodules.packages = lib.mkEnableOption "install packages"; + config = lib.mkIf config.swarselmodules.packages { - environment.systemPackages = with pkgs; lib.optionals (!minimal) [ - # yubikey packages - gnupg - yubikey-personalization - yubico-pam - yubioath-flutter - yubikey-manager - yubikey-touch-detector - yubico-piv-tool - cfssl - pcsc-tools - pcscliteWithPolkit.out + environment.systemPackages = with pkgs; lib.optionals (!minimal) [ + # yubikey packages + gnupg + yubikey-personalization + yubico-pam + yubioath-flutter + yubikey-manager + yubikey-touch-detector + yubico-piv-tool + cfssl + pcsc-tools + pcscliteWithPolkit.out - # ledger packages - ledger-live-desktop + # ledger packages + ledger-live-desktop - # pinentry - dbus - # swaylock-effects - syncthingtray-minimal - swayosd + # pinentry + dbus + # swaylock-effects + syncthingtray-minimal + swayosd - # secure boot - sbctl + # secure boot + sbctl - libsForQt5.qt5.qtwayland + libsForQt5.qt5.qtwayland - # nix package database - nix-index - nixos-generators + # do not do this! 
clashes with the flake + # nix-index - # commit hooks - pre-commit + nixos-generators - # proc info - acpi + # commit hooks + pre-commit - # pci info - pciutils - usbutils + # proc info + acpi - # better make for general tasks - just + # pci info + pciutils + usbutils + # better make for general tasks + just - # keyboards - qmk - vial - via + # sops + ssh-to-age + sops - # theme related - adwaita-icon-theme + # keyboards + qmk + vial + via - # kde-connect - xdg-desktop-portal - xdg-desktop-portal-gtk - xdg-desktop-portal-wlr + # theme related + adwaita-icon-theme - # bluetooth - bluez - ghostscript_headless - wireguard-tools - nixd - zig - zls + # kde-connect + xdg-desktop-portal + xdg-desktop-portal-gtk + xdg-desktop-portal-wlr - elk-to-svg + # bluetooth + bluez + ghostscript_headless + wireguard-tools + nixd + zig + zls - ] ++ lib.optionals minimal [ - networkmanager - curl - git - gnupg - rsync - ssh-to-age - sops - vim - just - sbctl - ]; + elk-to-svg - nixpkgs.config.permittedInsecurePackages = lib.mkIf (!minimal) [ - "jitsi-meet-1.0.8043" - "electron-29.4.6" - "SDL_ttf-2.0.11" - # audacity? - "mbedtls-2.28.10" - # "qtwebengine-5.15.19" - ]; - }; - } + ] ++ lib.optionals minimal [ + networkmanager + curl + git + gnupg + rsync + ssh-to-age + sops + vim + just + sbctl + ]; + + nixpkgs.config.permittedInsecurePackages = lib.mkIf (!minimal) [ + "jitsi-meet-1.0.8043" + "electron-29.4.6" + "SDL_ttf-2.0.11" + # audacity? + "mbedtls-2.28.10" + # "qtwebengine-5.15.19" + ]; + }; + } #+end_src **** Environment setup 
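Review bot: The `permittedInsecurePackages` list at the end of this hunk carries four pinned insecure versions forward, and only `mbedtls-2.28.10` has a hint (`# audacity?`) about what needs it. I would add a comment per entry naming the consumer and the condition for removal, e.g. `# needed by <package>; drop once it builds against a supported release`, so the exceptions can be audited and retired. Because the whole module is re-indented, the real changes (`nix-index` commented out, `ssh-to-age` and `sops` added) are hard to pick out; keeping whitespace changes in a separate commit would make this easier to review.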
@@ -5615,7 +6869,7 @@ Pipewire handles communication on Wayland. This enables several sound tools as w Here I only enable =networkmanager= and a few default networks. The rest of the network config is done separately in [[#h:88bf4b90-e94b-46fb-aaf1-a381a512860d][System specific configuration]]. #+begin_src nix-ts :tangle modules/nixos/client/network.nix - { self, lib, pkgs, config, ... }: + { self, lib, pkgs, config, globals, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml; @@ -5667,7 +6921,7 @@ Here I only enable =networkmanager= and a few default networks. The rest of the networking = { inherit (config.swarselsystems) hostName; hosts = { - "192.168.178.24" = [ "store.swarsel.win" ]; + "${globals.networks.home-lan.hosts.winters.ipv4}" = [ globals.services.transmission.domain ]; }; wireless.iwd = { enable = true; 
@@ -5940,9 +7194,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at sops = { # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; - age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; - # defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; - defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; + age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; validateSopsFiles = false; 
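Review bot: Only the last entry of `age.sshKeyPaths` gets the `/persist` prefix under impermanence; `${config.swarselsystems.homeDir}/.ssh/sops` and `/etc/ssh/sops` are left as they were. If the prefix is needed because secrets are decrypted before the persistent paths are mounted (my reading, not shown in the hunk), those two keys would be unavailable at that point as well, so either prefix them too or add a comment saying they are optional. The conditional is also written out twice; a binding such as `persistPrefix = lib.optionalString config.swarselsystems.isImpermanence "/persist";` would keep both paths in step. `validateSopsFiles = false` stays in place, so a wrong path here is not caught at build time.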
@@ -5951,6 +7204,96 @@ I use sops-nix to handle secrets that I want to have available on my machines at } #+end_src +**** Remote building + +#+begin_src nix-ts :tangle modules/nixos/client/remotebuild.nix + { lib, config, globals, ... }: + let + inherit (config.swarselsystems) homeDir mainUser isClient; + in + { + options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine"; + config = lib.mkIf config.swarselmodules.remotebuild { + + sops.secrets = { + builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; }; + nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; }; + }; + + nix = { + settings.builders-use-substitutes = true; + distributedBuilds = true; + buildMachines = [ + (lib.mkIf isClient { + hostName = config.repo.secrets.common.builder1-ip; + system = "aarch64-linux"; + maxJobs = 20; + speedFactor = 10; + }) + (lib.mkIf isClient { + hostName = globals.hosts.belchsfactory.wanAddress4; + system = "aarch64-linux"; + maxJobs = 4; + speedFactor = 2; + protocol = "ssh-ng"; + }) + { + hostName = "eu.nixbuild.net"; + system = "x86_64-linux"; + maxJobs = 100; + speedFactor = 2; + supportedFeatures = [ "big-parallel" ]; + } + ]; + }; + programs.ssh = { + knownHosts = { + nixbuild = { + hostNames = [ "eu.nixbuild.net" ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM"; + }; + builder1 = lib.mkIf isClient { + hostNames = [ config.repo.secrets.common.builder1-ip ]; + publicKey = config.repo.secrets.common.builder1-pubHostKey; + }; + jump = lib.mkIf isClient { + hostNames = [ globals.hosts.liliputsteps.wanAddress4 ]; + publicKey = config.repo.secrets.common.jump-pubHostKey; + }; + builder2 = lib.mkIf isClient { + hostNames = [ globals.hosts.belchsfactory.wanAddress4 ]; + publicKey = config.repo.secrets.common.builder2-pubHostKey; + }; + }; + extraConfig = '' + Host eu.nixbuild.net + ConnectTimeout 1 + 
PubkeyAcceptedKeyTypes ssh-ed25519 + ServerAliveInterval 60 + IPQoS throughput + IdentityFile ${config.sops.secrets.nixbuild-net-key.path} + '' + lib.optionalString isClient '' + Host ${config.repo.secrets.common.builder1-ip} + ConnectTimeout 1 + User ${mainUser} + IdentityFile ${config.sops.secrets.builder-key.path} + + Host ${globals.hosts.belchsfactory.wanAddress4} + ConnectTimeout 5 + ProxyJump ${globals.hosts.liliputsteps.wanAddress4} + User builder + IdentityFile ${config.sops.secrets.builder-key.path} + + Host ${globals.hosts.liliputsteps.wanAddress4} + ConnectTimeout 1 + User jump + IdentityFile ${config.sops.secrets.builder-key.path} + ''; + }; + }; + } +#+end_src + **** Theme (stylix) :PROPERTIES: :CUSTOM_ID: h:e6e44705-94af-49fe-9ca0-0629d0f7d932 @@ -6847,7 +8190,7 @@ Auto login for the initial session. comment = "Sway compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/sway"; }; - niri = { + niri = lib.mkIf (config.swarselmodules ? niri) { prettyName = "Niri"; comment = "Niri compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/niri-session"; 
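Review bot: `builder-key` is the `IdentityFile` for three different logins in `extraConfig` — `${mainUser}` on builder1, `builder` on belchsfactory and `jump` on the bastion — so one copy of that key taken from any client opens all three. The `builder` login is confined by a forced command elsewhere in this commit, but the `jump` account only has TTY and some forwarding options turned off, and nothing in view restricts the key for `${mainUser}` on builder1. I would give the jump hop and the main-user login their own sops secrets and point each `Host` block at its own `IdentityFile`. `ConnectTimeout 1` on three of the four hosts is tight enough that a slow link could make a builder look unavailable; a short comment on why one second was chosen would help.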
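Review bot: `config.swarselmodules ? niri` tests whether the attribute exists, not whether the module is enabled, so the session entry is still emitted on a host where the option is declared but set to `false`. If the intent is "only when niri is enabled", `niri = lib.mkIf (config.swarselmodules.niri or false) {` expresses that and still evaluates when the option is absent. The surrounding attribute set starts and ends outside this hunk.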
@@ -6858,45 +8201,6 @@ Auto login for the initial session. } #+end_src -**** Niri -:PROPERTIES: -:CUSTOM_ID: h:58162d08-3ded-441d-861e-2ebf30e32538 -:END: - -Auto login for the initial session. - -#+begin_src nix-ts :tangle modules/nixos/client/niri.nix - { lib, config, pkgs, ... }: - let - moduleName = "niri"; - in - { - options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings"; - config = lib.mkIf config.swarselmodules.${moduleName} { - - environment.systemPackages = with pkgs; [ - wl-clipboard - wayland-utils - libsecret - cage - gamescope - xwayland-satellite-unstable - ]; - - - programs.niri = { - enable = true; - package = pkgs.niri-unstable; # the actual niri that will be installed and used - }; - } // { - niri-flake.cache.enable = true; - programs.niri = { - package = null; - }; - }; - } -#+end_src - *** Server :PROPERTIES: :CUSTOM_ID: h:e492c24a-83a0-4bcb-a084-706f49318651 @@ -6984,7 +8288,6 @@ Here we just define some aliases for rebuilding the system, and we allow some in config = lib.mkIf config.swarselmodules.server.packages { environment.systemPackages = with pkgs; [ gnupg - nix-index nvd nix-output-monitor ssh-to-age @@ -7070,7 +8373,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in #+begin_src nix-ts :tangle modules/nixos/server/nginx.nix { pkgs, lib, config, ... }: let - inherit (config.repo.secrets.common) dnsProvider; + inherit (config.repo.secrets.common) dnsProvider dnsBase; inherit (config.repo.secrets.common.mail) address3; serviceUser = "nginx"; 
@@ -7133,9 +8436,12 @@ Here we just define some aliases for rebuilding the system, and we allow some in ]; sops = { - secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + secrets = { + acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + }; templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} + ACME_DNS_API_BASE=${dnsBase} + ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token} ''; }; @@ -7155,6 +8461,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in networking.firewall.allowedTCPPorts = [ 80 443 ]; environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence { + directories = [ { directory = "/var/lib/acme"; } ]; files = [ dhParamsPathBase ]; }; 
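Review bot: `ACME_DNS_STORAGE_PATH` is fed `config.sops.placeholder.acme-dns-token`, which sops-nix replaces with the secret's contents, while the variable name (and lego's acme-dns provider, as far as I know) expects the path of a credentials file. Unless the secret's value is itself a path, this should probably read `ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-dns-token.path}`, with the secret's owner set so the ACME service user can read it. Either way, a one-line comment on what `acme-dns-token` now holds would help, since the same secret name previously supplied `CF_DNS_API_TOKEN`.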
@@ -7179,28 +8486,52 @@ Here we just define some aliases for rebuilding the system, and we allow some in ''; }; }; - system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { - deps = [ "generateDHParams" "users" "groups" ]; - }; - system.activationScripts."generateDHParams" = - { - text = '' - set -eu - - ${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath} - ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""} - - if [ ! -f "${dhParamsPathBase}" ]; then - ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096 - chmod 0644 ${dhParamsPath} - chown ${serviceUser}:${serviceGroup} ${dhParamsPath} - fi - ''; - deps = [ - "etc" - (lib.mkIf config.swarselsystems.isImpermanence "specialfs") - ]; + systemd.services.generateDHParams = { + before = [ "nginx.service" ]; + requiredBy = [ "nginx.service" ]; + after = [ "local-fs.target" ]; + requires = [ "local-fs.target" ]; + serviceConfig = { + Type = "oneshot"; }; + + script = '' + set -eu + + install -d -m 0755 ${sslBasePath} + ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""} + + if [ ! -f "${dhParamsPath}" ]; then + ${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096 + chmod 0644 "${dhParamsPath}" + chown ${serviceUser}:${serviceGroup} "${dhParamsPath}" + else + echo 'Already generated DHParams' + fi + ''; + }; + + # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { + # deps = [ "generateDHParams" "users" "groups" ]; + # }; + # system.activationScripts."generateDHParams" = + # { + # text = '' + # set -eu + + # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else "${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath}"} + + # if [ ! 
-f "${dhParamsPath}" ]; then + # ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096 + # chmod 0644 ${dhParamsPath} + # chown ${serviceUser}:${serviceGroup} ${dhParamsPath} + # fi + # ''; + # deps = [ + # (lib.mkIf config.swarselsystems.isImpermanence "specialfs") + # (lib.mkIf (!config.swarselsystems.isImpermanence) "etc") + # ]; + # }; }; } #+end_src @@ -7224,6 +8555,10 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "yes"; + AllowUsers = [ + "root" + config.swarselsystems.mainUser + ]; }; hostKeys = [ { @@ -7235,10 +8570,12 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; users.users.root.openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; security.sudo.extraConfig = '' Defaults env_keep+=SSH_AUTH_SOCK 
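Review bot: The `[ ! -f "${dhParamsPath}" ]` guard accepts any existing file, so if the 4096-bit `openssl dhparam` run is interrupted after the output file has been created, later boots would skip generation and nginx would be handed an incomplete file (I have not checked when openssl opens its output, so treat this as a precaution). Writing to `"${dhParamsPath}.tmp"` and finishing with `mv "${dhParamsPath}.tmp" "${dhParamsPath}"` makes the result all-or-nothing. The first `install` call relies on the unit's PATH while the next line uses `${pkgs.coreutils}/bin/install`; pick one form. The old activation script is kept as a large commented-out block, which version control already preserves.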
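Review bot: `AllowUsers` now limits logins to `root` and the main user, but the ssh-builder module added later in this commit creates a `builder` account without extending that list, so on a host enabling both modules its restricted key would be refused by sshd unless another module adds the name. I would set `services.openssh.settings.AllowUsers = [ "builder" ];` inside the ssh-builder module so the lists merge. Separately, `PermitRootLogin = "yes"` is kept next to the explicit `root` entry; with password authentication off, `"prohibit-password"` states the key-only intent directly. The `settings` block begins outside this hunk.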
@@ -7247,26 +8584,165 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t } #+end_src -**** Network settings +**** Bastion +#+begin_src nix-ts :tangle modules/nixos/server/bastion.nix + { self, lib, config, ... }: + { + options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server"; + config = lib.mkIf config.swarselmodules.server.bastion { + + users = { + groups = { + jump = { }; + }; + users = { + "jump" = { + isNormalUser = true; + useDefaultShell = true; + group = lib.mkForce "jump"; + createHome = lib.mkForce true; + openssh.authorizedKeys.keyFiles = [ + (self + /secrets/keys/ssh/yubikey.pub) + (self + /secrets/keys/ssh/magicant.pub) + (self + /secrets/keys/ssh/builder.pub) + ]; + }; + }; + }; + + + services.openssh = { + enable = true; + startWhenNeeded = lib.mkForce false; + authorizedKeysInHomedir = false; + extraConfig = '' + Match User jump + PermitTTY no + X11Forwarding no + PermitTunnel no + GatewayPorts no + AllowAgentForwarding no + ''; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = lib.mkDefault "no"; + AllowUsers = [ + "jump" + ]; + }; + hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [ + { + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + + home-manager.users.jump.config = { + home.stateVersion = lib.mkDefault "23.05"; + programs.ssh = { + enable = true; + enableDefaultConfig = false; + matchBlocks = { + "*" = { + forwardAgent = false; + }; + } // config.repo.secrets.local.ssh.hosts; + }; + }; + }; + } +#+end_src + +**** ssh builder config + +Restricts access to the system by the nix build user as per https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834. + +#+begin_src nix-ts :tangle modules/nixos/server/ssh-builder.nix + { self, pkgs, lib, config, ... 
}: + let + ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" "; + + wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" '' + case $SSH_ORIGINAL_COMMAND in + "nix-daemon --stdio") + exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio + ;; + "nix-store --serve --write") + exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write + ;; + ,*) + echo "Access only allowed for using the nix remote builder" 1>&2 + exit + esac + ''; + in + { + options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server"; + config = lib.mkIf config.swarselmodules.server.ssh-builder { + users = { + groups.builder = { }; + users.builder = { + useDefaultShell = true; + isSystemUser = true; + group = "builder"; + openssh.authorizedKeys.keys = [ + ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}'' + ]; + }; + }; + + }; + } +#+end_src + +**** Network settings +:PROPERTIES: +:CUSTOM_ID: h:0ff3acc5-9ce8-4b22-a2e2-f6f1e69d47a5 +:END: + +Generate hostId using =head -c4 /dev/urandom | od -A none -t x4= #+begin_src nix-ts :tangle modules/nixos/server/network.nix { lib, config, ... 
}: + let + netConfig = config.repo.secrets.local.networking; + netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}"; + in { - options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + options = { + swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + swarselsystems.server = { + localNetwork = lib.mkOption { + type = lib.types.str; + default = ""; + }; + netConfigName = lib.mkOption { + type = lib.types.str; + default = netName; + readOnly = true; + }; + }; + }; config = lib.mkIf config.swarselmodules.server.network { - globals.networks.home.hosts.${config.node.name} = { - inherit (config.repo.secrets.local.networking.networks.home) id; - mac = config.repo.secrets.local.networking.networks.home.mac or null; + swarselsystems.server.localNetwork = netConfig.localNetwork or ""; + + globals.networks.${netName}.hosts.${config.node.name} = { + inherit (netConfig.networks.${netConfig.localNetwork}) id; + mac = netConfig.networks.${netConfig.localNetwork}.mac or null; }; globals.hosts.${config.node.name} = { inherit (config.repo.secrets.local.networking) defaultGateway4; + wanAddress4 = netConfig.wanAddress4 or null; + wanAddress6 = netConfig.wanAddress6 or null; }; networking = { - inherit (config.repo.secrets.local.networking) hostId; + inherit (netConfig) hostId; hostName = config.node.name; nftables.enable = lib.mkDefault false; enableIPv6 = lib.mkDefault true; 
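Review bot: The `Match User jump` block turns off TTY, X11, tunnel and agent forwarding, but the account keeps `useDefaultShell = true` and has no `ForceCommand`, so any key in its `authorizedKeys` (including `builder.pub`, whose private half this commit places on remote-build clients) can still run commands on the bastion without a TTY. For a pure ProxyJump hop I would add `ForceCommand /run/current-system/sw/bin/false` and a `PermitOpen <builder-host>:22` line (placeholder) to the match block, since TCP forwarding is all the hop needs and is otherwise unrestricted. If the home-manager `matchBlocks` for `jump` are meant for hopping from a shell instead, say so in a comment. In the ssh-builder wrapper of the same hunk, the fallback branch ends in a bare `exit`, which returns the status of the preceding `echo`; `exit 1` reports the refusal properly.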
@@ -7280,6 +8756,9 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t #+end_src **** Disk encryption +:PROPERTIES: +:CUSTOM_ID: h:19d829f6-580f-4e04-8776-2bfd83c3c3dd +:END: The hostkey can be generated with =ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key=. Use =lspci -v | grep -iA8 'network\|ethernet'= to supposedly find out which kernel module is needed for networking in initrd. However I prefer a different approach: 
@@ -7306,86 +8785,114 @@ lspci -k -d 14c3:0616 | | Kernel | modules: | mt7921e | | | | | | | | | #+begin_src nix-ts :tangle modules/nixos/server/disk-encrypt.nix - { self, pkgs, lib, config, globals, minimal, ... }: - let - localIp = globals.networks.home.hosts.${config.node.name}.ipv4; - subnetMask = globals.networks.home.subnetMask4; - gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; + { self, pkgs, lib, config, globals, minimal, ... }: + let + localIp = globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4; + subnetMask = globals.networks.${config.swarselsystems.server.netConfigName}.subnetMask4; + gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; - hostKeyPath = "/etc/secrets/initrd/ssh_host_ed25519_key"; - in - { - options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config"; - options.swarselsystems.networkKernelModules = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - }; - config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) { + hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key"; + hostKeyPath = + if config.swarselsystems.isImpermanence then + "/persist/${hostKeyPathBase}" + else + "${hostKeyPathBase}"; + in + { + options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config"; + options.swarselsystems.networkKernelModules = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) { - system.activationScripts.ensureInitrdHostkey = lib.mkIf (config.swarselprofiles.server || minimal) { - text = '' - [[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath} - ''; - deps = [ "users" ]; - }; - environment.persistence."/persist" = lib.mkIf (config.swarselsystems.isImpermanence && 
(config.swarselprofiles.server || minimal)) { - files = [ hostKeyPath ]; - }; + system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { + deps = [ "ensureInitrdHostkey" ]; + }; + system.activationScripts.ensureInitrdHostkey = lib.mkIf (config.swarselprofiles.server || minimal) { + text = '' + [[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath} + ''; + deps = [ + "etc" + ]; + }; - boot = lib.mkIf (config.swarselprofiles.server || minimal) { - kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [ - "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" - ]; - initrd = { - availableKernelModules = config.swarselsystems.networkKernelModules; - network = { - enable = true; - udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true; - flushBeforeStage2 = true; - ssh = { - enable = true; - port = 2222; # avoid hostkey changed nag - authorizedKeyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - ]; - hostKeys = [ hostKeyPath ]; - }; - # postCommands = '' - # echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile - # ''; - }; - systemd = { - initrdBin = with pkgs; [ - cryptsetup - ]; - services = { - unlock-luks = { - wantedBy = [ "initrd.target" ]; - after = [ "network.target" ]; - before = [ "systemd-cryptsetup@cryptroot.service" ]; - path = [ "/bin" ]; + environment.persistence."/persist" = lib.mkIf (config.swarselsystems.isImpermanence && (config.swarselprofiles.server || minimal)) { + files = [ hostKeyPathBase ]; + }; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; + boot = lib.mkIf (!config.swarselsystems.isClient) { + kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [ + "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" + ]; + initrd = { + availableKernelModules = 
config.swarselsystems.networkKernelModules; + network = { + enable = true; + flushBeforeStage2 = true; + ssh = { + enable = true; + port = 2222; # avoid hostkey changed nag + authorizedKeys = [ + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}'' + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}'' + ]; + hostKeys = [ hostKeyPathBase ]; + }; + # postCommands = '' + # echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile + # ''; + }; + systemd = { + initrdBin = with pkgs; [ + cryptsetup + ]; + # NOTE: the below does put the text into /root/.profile, but the command will not be run + # services = { + # unlock-luks = { + # wantedBy = [ "initrd.target" ]; + # after = [ "network.target" ]; + # before = [ "systemd-cryptsetup@cryptroot.service" ]; + # path = [ "/bin" ]; - script = '' - echo "systemctl default" >> /root/.profile - ''; - }; - }; - }; - }; - }; - }; + # serviceConfig = { + # Type = "oneshot"; + # RemainAfterExit = true; + # }; - } + # script = '' + # echo "systemctl default" >> /root/.profile + # ''; + # }; + # }; + }; + }; + }; + }; + + } +#+end_src + +**** BTRFS + +#+begin_src nix-ts :tangle modules/nixos/server/btrfs.nix + { lib, config, ... }: + { + options.swarselmodules.btrfs = lib.mkEnableOption "optional btrfs settings"; + config = lib.mkIf config.swarselmodules.btrfs { + boot = { + supportedFilesystems = lib.mkIf config.swarselsystems.isBtrfs [ "btrfs" ]; + }; + }; + } #+end_src **** Router +:PROPERTIES: +:CUSTOM_ID: h:b54f2bbb-0088-46b2-957d-fd8234b772c3 +:END: #+begin_src nix-ts :tangle modules/nixos/server/router.nix { lib, config, ... }: 
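Review bot: The `boot` block is now gated on `!config.swarselsystems.isClient`, while `ensureInitrdHostkey` and the persistence entry still use `config.swarselprofiles.server || minimal`, so a non-client host outside both of those conditions enables initrd SSH with `hostKeys = [ hostKeyPathBase ]` but never generates the key. Using one shared condition for all three keeps them in step. The new `authorizedKeys` entries force `/bin/systemctl default` but leave forwarding enabled; prefixing them with `restrict,pty,` (keep `pty` only if the passphrase prompt needs a terminal) narrows what a pre-boot session can do. A comment noting that this host key is typically stored outside the encrypted volume, and is therefore kept separate from `/etc/ssh/ssh_host_ed25519_key`, would also help the next reader.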
@@ -7452,15 +8959,11 @@ lspci -k -d 14c3:0616 :END: #+begin_src nix-ts :tangle modules/nixos/server/kavita.nix - { self, lib, config, pkgs, globals, ... }: + { self, lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - servicePort = 8080; - serviceName = "kavita"; - serviceUser = "kavita"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7469,6 +8972,10 @@ lspci -k -d 14c3:0616 calibre ]; + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; }; @@ -7482,7 +8989,11 @@ lspci -k -d 14c3:0616 info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -7492,7 +9003,7 @@ lspci -k -d 14c3:0616 dataDir = "/Vault/data/${serviceName}"; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
@@ -7526,23 +9037,26 @@ lspci -k -d 14c3:0616 :END: #+begin_src nix-ts :tangle modules/nixos/server/jellyfin.nix - { pkgs, lib, config, globals, ... }: + { pkgs, lib, config, globals, dns, confLib, ... }: let - servicePort = 8096; - serviceName = "jellyfin"; - serviceUser = "jellyfin"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "video" "render" "users" ]; }; + nixpkgs.config.packageOverrides = pkgs: { intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; }; }; + hardware.graphics = { enable = true; extraPackages = with pkgs; [ @@ -7554,7 +9068,11 @@ lspci -k -d 14c3:0616 }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -7562,7 +9080,7 @@ lspci -k -d 14c3:0616 openFirewall = true; # this works only for the default ports }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
@@ -7597,18 +9115,18 @@ lspci -k -d 14c3:0616 :END: #+begin_src nix-ts :tangle modules/nixos/server/navidrome.nix - { pkgs, config, lib, globals, ... }: + { pkgs, config, lib, globals, dns, confLib, ... }: let - servicePort = 4040; - serviceName = "navidrome"; - serviceUser = "navidrome"; - serviceGroup = serviceUser; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + environment.systemPackages = with pkgs; [ pciutils alsa-utils @@ -7638,7 +9156,10 @@ lspci -k -d 14c3:0616 networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.snapserver = { enable = true; @@ -7702,7 +9223,7 @@ lspci -k -d 14c3:0616 }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
@@ -7764,12 +9285,9 @@ lspci -k -d 14c3:0616 :END: #+begin_src nix-ts :tangle modules/nixos/server/spotifyd.nix - { lib, config, ... }: + { lib, config, confLib, ... }: let - servicePort = 1025; - serviceName = "spotifyd"; - serviceUser = "spotifyd"; - serviceGroup = serviceUser; + inherit (confLib.gen { name = "spotifyd"; port = 1025; }) servicePort serviceName serviceUser serviceGroup; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7823,14 +9341,10 @@ lspci -k -d 14c3:0616 :END: #+begin_src nix-ts :tangle modules/nixos/server/mpd.nix - { self, lib, config, pkgs, ... }: + { self, lib, config, pkgs, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 3254; - serviceUser = "mpd"; - serviceGroup = serviceUser; - serviceName = "mpd"; + inherit (confLib.gen { name = "mpd"; port = 3254; }) servicePort serviceName serviceUser serviceGroup; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7925,10 +9439,11 @@ lspci -k -d 14c3:0616 :END: #+begin_src nix-ts :tangle modules/nixos/server/postgresql.nix - { config, lib, pkgs, ... }: + { config, lib, pkgs, confLib, ... }: let - serviceName = "postgresql"; + inherit (confLib.gen { name = "postgresql"; port = 3254; }) serviceName; postgresVersion = 14; + postgresDirPrefix = if config.swarselsystems.isCloud then "/var/lib" else "/Vault/data" ; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; 
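Review bot: `confLib.gen { name = "postgresql"; port = 3254; }` passes the port used in the mpd hunk just above, and only `serviceName` is inherited from the result, so the value is unused and misleading. Either drop the argument if `confLib.gen` allows it (its definition is not in view) or pass the port PostgreSQL actually listens on with a comment. The space before the semicolon in the `postgresDirPrefix` line is a small formatting slip.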
@@ -7937,9 +9452,13 @@ lspci -k -d 14c3:0616 ${serviceName} = { enable = true; package = pkgs."postgresql_${builtins.toString postgresVersion}"; - dataDir = "/Vault/data/${serviceName}/${builtins.toString postgresVersion}"; + dataDir = "${postgresDirPrefix}/${serviceName}/${builtins.toString postgresVersion}"; }; }; + environment.persistence."/persist".directories = lib.mkIf (config.swarselsystems.isImpermanence && config.swarselsystems.isCloud) [ + { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; } + ]; + }; } #+end_src @@ -7950,15 +9469,10 @@ lspci -k -d 14c3:0616 :END: #+begin_src nix-ts :tangle modules/nixos/server/matrix.nix - { lib, config, pkgs, globals, ... }: + { lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 8008; - serviceName = "matrix"; - serviceDomain = config.repo.secrets.common.services.domains.matrix; - serviceUser = "matrix-synapse"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; federationPort = 8448; whatsappPort = 29318; @@ -7976,6 +9490,11 @@ lspci -k -d 14c3:0616 { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + environment.systemPackages = with pkgs; [ matrix-synapse lottieconverter 
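Review bot: The new `environment.persistence."/persist".directories` entry spells out `"/var/lib/postgresql"`, while `dataDir` is built from `postgresDirPrefix` and `serviceName`. The two agree only as long as the cloud prefix stays `/var/lib`. If either side changes, the database would silently land on the non-persisted root of an impermanence host and be lost on reboot. Deriving the entry from the same values keeps them tied together: `directory = "${postgresDirPrefix}/${serviceName}";`. A one-line comment explaining why the non-cloud `/Vault/data` case needs no persistence entry would also help.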
@@ -8043,7 +9562,10 @@ lspci -k -d 14c3:0616 }; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { postgresql = { @@ -8242,7 +9764,7 @@ lspci -k -d 14c3:0616 # messages out after a while. - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { @@ -8306,17 +9828,11 @@ lspci -k -d 14c3:0616 :END: #+begin_src nix-ts :tangle modules/nixos/server/nextcloud.nix - { pkgs, lib, config, globals, ... }: + { pkgs, lib, config, globals, dns, confLib, ... }: let inherit (config.repo.secrets.local.nextcloud) adminuser; inherit (config.swarselsystems) sopsFile; - - servicePort = 80; - serviceUser = "nextcloud"; - serviceGroup = serviceUser; - serviceName = "nextcloud"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; nextcloudVersion = "32"; in 
@@ -8324,13 +9840,19 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops.secrets = { nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; - - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -8358,7 +9880,7 @@ lspci -k -d 14c3:0616 }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
@@ -8392,24 +9914,28 @@ lspci -k -d 14c3:0616 :END: #+begin_src nix-ts :tangle modules/nixos/server/immich.nix - { lib, pkgs, config, globals, ... }: + { lib, pkgs, config, globals, dns, confLib, ... }: let - servicePort = 3001; - serviceUser = "immich"; - serviceName = "immich"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "video" "render" "users" ]; }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -8423,9 +9949,9 @@ lspci -k -d 14c3:0616 }; }; - networking.firewall.allowedTCPPorts = [ 3001 ]; + networking.firewall.allowedTCPPorts = [ servicePort ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
@@ -8474,16 +10000,10 @@ This is my personal document management system. It automatically pulls documents Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml='s. This is needed for e.g. online services that only send their invoices through email body text. #+begin_src nix-ts :tangle modules/nixos/server/paperless.nix - { lib, pkgs, config, globals, ... }: + { lib, pkgs, config, dns, globals, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 28981; - serviceUser = "paperless"; - serviceGroup = serviceUser; - serviceName = "paperless"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; tikaPort = 9998; gotenbergPort = 3002; @@ -8493,6 +10013,10 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; }; @@ -8504,7 +10028,10 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { 
@@ -8574,7 +10101,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= ) ''; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { @@ -8613,10 +10140,9 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= :END: #+begin_src nix-ts :tangle modules/nixos/server/transmission.nix - { self, pkgs, lib, config, ... }: + { self, pkgs, lib, config, confLib, ... }: let - serviceName = "transmission"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain; lidarrUser = "lidarr"; lidarrGroup = lidarrUser; @@ -8802,17 +10328,12 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= :END: #+begin_src nix-ts :tangle modules/nixos/server/syncthing.nix - { lib, config, configName, globals, ... }: + { lib, config, globals, dns, confLib, ... }: let inherit (config.swarselsystems.syncthing) serviceDomain; - inherit (config.swarselsystems.syncthing) serviceIP; + inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress serviceProxy proxyAddress4 proxyAddress6; - servicePort = 8384; - serviceUser = "syncthing"; - serviceGroup = serviceUser; - serviceName = "syncthing"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - specificServiceName = "syncthing-${configName}"; + specificServiceName = "${serviceName}-${config.node.name}"; cfg = config.services.${serviceName}; devices = config.swarselsystems.syncthing.syncDevices; 
@@ -8826,10 +10347,6 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= type = lib.types.str; default = config.repo.secrets.common.services.domains.syncthing1; }; - serviceIP = lib.mkOption { - type = lib.types.str; - default = "${serviceAddress}"; - }; syncDevices = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ "magicant" "winters" "pyramid" "moonside@oracle" ]; @@ -8855,6 +10372,10 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { + "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; group = serviceGroup; @@ -8865,7 +10386,10 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services."${specificServiceName}".domain = serviceDomain; + globals.services.${specificServiceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = rec { enable = true; @@ -8921,11 +10445,11 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${specificServiceName} = { servers = { - "${serviceIP}:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; 
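Review bot: Removing the `serviceIP` option and pointing the upstream at `"${serviceAddress}:${builtins.toString servicePort}"` takes away the only per-host override of the address the proxy connects to. Any host that set `swarselsystems.syncthing.serviceIP` will now fail evaluation. The upstream also always uses whatever `confLib.gen` returns for `serviceAddress`, which is not visible in this diff. Please confirm that this is the right address for hosts outside the home network. The `syncDevices` default still lists `moonside@oracle`, which suggests a cloud host runs this module too.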
@@ -8955,6 +10479,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= :END: This manages backups for my pictures and obsidian files. +Note: you still need to run =restic- init= once on the host to get the bucket running. #+begin_src nix-ts :tangle modules/nixos/server/restic.nix { lib, pkgs, config, ... }: @@ -8963,6 +10488,14 @@ This manages backups for my pictures and obsidian files. in { options.swarselmodules.server.restic = lib.mkEnableOption "enable restic backups on server"; + options.swarselsystems.server.restic = { + bucketName = lib.mkOption { + type = lib.types.str; + }; + paths = lib.mkOption { + type = lib.types.listOf lib.types.str; + }; + }; config = lib.mkIf config.swarselmodules.server.restic { sops = { @@ -8985,20 +10518,10 @@ This manages backups for my pictures and obsidian files. in { backups = { - SwarselWinters = { + "${config.swarselsystems.server.restic.bucketName}" = { environmentFile = config.sops.templates."restic-env".path; passwordFile = config.sops.secrets.resticpw.path; - paths = [ - "/Vault/data/paperless" - "/Vault/data/koillection" - "/Vault/data/postgresql" - "/Vault/data/firefly-iii" - "/Vault/data/radicale" - "/Vault/data/matrix-synapse" - "/Vault/Eternor/Paperless" - "/Vault/Eternor/Bilder" - "/Vault/Eternor/Immich" - ]; + inherit (config.swarselsystems.server.restic) paths; pruneOpts = [ "--keep-daily 3" "--keep-weekly 2" 
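Review bot: The new `bucketName` and `paths` options in `swarselsystems.server.restic` have no `description`, and nothing checks that `paths` is non-empty. The hard-coded list that this commit removes was the only record of what must be backed up. A host that sets `paths = [ ];` would now produce a backup job that succeeds while saving nothing. I would add descriptions to both options and an assertion such as `assertions = [{ assertion = config.swarselsystems.server.restic.paths != [ ]; message = "restic: no backup paths configured"; }];` inside the `config` block. The added prose line reads `restic- init`, which looks like a placeholder was lost between `restic-` and `init`.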
@@ -9030,14 +10553,9 @@ This manages backups for my pictures and obsidian files. This section exposes several metrics that I use to check the health of my server. I need to expand on the exporters section at some point, but for now I have everything I need. #+begin_src nix-ts :tangle modules/nixos/server/monitoring.nix - { self, lib, config, globals, ... }: + { self, lib, config, globals, dns, confLib, ... }: let - servicePort = 3000; - serviceUser = "grafana"; - serviceGroup = serviceUser; - serviceName = "grafana"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; prometheusPort = 9090; prometheusUser = "prometheus"; @@ -9053,6 +10571,10 @@ This section exposes several metrics that I use to check the health of my server options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; @@ -9089,7 +10611,11 @@ This section exposes several metrics that I use to check the health of my server networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ]; topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { 
@@ -9238,7 +10764,7 @@ This section exposes several metrics that I use to check the health of my server }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { "${grafanaUpstream}" = { servers = { @@ -9286,17 +10812,23 @@ This section exposes several metrics that I use to check the health of my server This is a WIP Jenkins instance. It is used to automatically build a new system when pushes to the main repository are detected. I have turned this service off for now however, as I actually prefer to start my builds manually. #+begin_src nix-ts :tangle modules/nixos/server/jenkins.nix - { pkgs, lib, config, globals, ... }: + { pkgs, lib, config, globals, dns, confLib, ... }: let - servicePort = 8088; - serviceName = "jenkins"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + services.jenkins = { enable = true; withCLI = true; @@ -9306,7 +10838,7 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w home = "/Vault/apps/${serviceName}"; }; - services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
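Review bot: The jenkins hunks move the vhost from the local `services.nginx` to `nodes.${serviceProxy}.services.nginx`, but neither hunk adds `networking.firewall.allowedTCPPorts = [ servicePort ];`, which the other proxied modules in this diff carry. The proxy now has to reach Jenkins over the network. Three lines of `services.jenkins` between the two hunks and the rest of the module are outside the diff, so please confirm the port is opened and that Jenkins listens on `serviceAddress` rather than on loopback only. The commit also publishes a DNS record for the service while `withCLI = true` is set. Before the module is switched back on, check that the proxied location requires authentication at the proxy.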
@@ -9343,10 +10875,9 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w This was an approach of hosting an RSS server from within emacs. That would have been useful as it would have allowed me to allow my feeds from any device. However, it proved impossible to do bidirectional syncing, so I abandoned this configuration in favor of [[#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d][FreshRSS]]. #+begin_src nix-ts :tangle modules/nixos/server/emacs.nix - { lib, config, ... }: + { lib, config, confLib, ... }: let - serviceName = "emacs"; - servicePort = 9812; + inherit (confLib.gen { name = "emacs"; port = 9812; }) servicePort serviceName; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} server on server"; @@ -9379,14 +10910,9 @@ I am using this with CapyReader on my phone, set it up as a FreshRSS account wit FreshRSS claims to support HTTP header auth, but at least it does not work with my oauth2-proxy setup. Until this is fixed, I resorted to the "form" login, since I mostly do not use the web version anyways. #+begin_src nix-ts :tangle modules/nixos/server/freshrss.nix - { self, lib, config, globals, ... }: + { self, lib, config, globals, dns, confLib, ... }: let - servicePort = 80; - serviceName = "freshrss"; - serviceUser = "freshrss"; - serviceGroup = serviceName; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; inherit (config.swarselsystems) sopsFile; in 
@@ -9394,6 +10920,10 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; group = serviceGroup; @@ -9435,7 +10965,10 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = let @@ -9455,7 +10988,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with # config.sops.templates.freshrss-env.path # ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
@@ -9493,16 +11026,10 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with :END: #+begin_src nix-ts :tangle modules/nixos/server/forgejo.nix - { lib, config, pkgs, globals, ... }: + { lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 3004; - serviceUser = "forgejo"; - serviceGroup = serviceUser; - serviceName = "forgejo"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; kanidmDomain = globals.services.kanidm.domain; in @@ -9510,6 +11037,10 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + networking.firewall.allowedTCPPorts = [ servicePort ]; users.users.${serviceUser} = { @@ -9523,7 +11054,10 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; 
@@ -9624,7 +11158,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with ''; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { @@ -9659,14 +11193,10 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with :END: #+begin_src nix-ts :tangle modules/nixos/server/ankisync.nix - { self, lib, config, globals, ... }: + { self, lib, config, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 27701; - serviceName = "ankisync"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; ankiUser = globals.user.name; in @@ -9674,6 +11204,10 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + networking.firewall.allowedTCPPorts = [ servicePort ]; sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; }; @@ -9684,7 +11218,10 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with info = "https://${serviceDomain}"; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.anki-sync-server = { enable = true; 
@@ -9699,7 +11236,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with ]; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { @@ -9741,19 +11278,13 @@ A stupid (but simple) way to get the =originUrl= is to simply set any URL there To get other URLs (token, etc.), use https:///oauth2/openid//.well-known/oauth-authorization-server, e.g. https:///oauth2/openid/nextcloud/.well-known/oauth-authorization-server, with clienID being the client name as specified in kanidm. #+begin_src nix-ts :tangle modules/nixos/server/kanidm.nix - { self, lib, pkgs, config, globals, ... }: + { self, lib, pkgs, config, globals, dns, confLib, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; inherit (config.swarselsystems) sopsFile; + inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; - servicePort = 8300; - serviceUser = "kanidm"; - serviceGroup = serviceUser; - serviceName = "kanidm"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - - oauth2ProxyDomain = globals.services.oauth2Proxy.domain; + oauth2ProxyDomain = globals.services.oauth2-proxy.domain; immichDomain = globals.services.immich.domain; paperlessDomain = globals.services.paperless.domain; forgejoDomain = globals.services.forgejo.domain; 
@@ -9780,6 +11311,10 @@ To get other URLs (token, etc.), use https:///oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid/ s3:// --endpoint-url https://. --region swarsel= + +or 2) use classic path addressing =aws s3 cp s3:/// --endpoint-url https:// --region swarsel= + #+begin_src nix-ts :tangle modules/nixos/server/garage.nix - { self, lib, pkgs, config, configName, globals, ... }: + # inspired by https://github.com/atropos112/nixos/blob/7fef652006a1c939f4caf9c8a0cb0892d9cdfe21/modules/garage.nix + { lib, pkgs, config, globals, dns, confLib, ... 
}: let - sopsFile = self + /secrets/${configName}/secrets2.yaml; + inherit (confLib.gen { + name = "garage"; + port = 3900; + domain = config.repo.secrets.common.services.domains."garage-${config.node.name}"; + }) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; - serviceName = "garage"; - servicePort = 3900; - serviceDomain = config.repo.secrets.common.services.domains."${serviceName}-${configName}"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + cfg = lib.recursiveUpdate config.services.${serviceName} config.swarselsystems.server.${serviceName}; + inherit (config.swarselsystems) sopsFile mainUser; - cfg = config.services.${serviceName}; + # needs SSD metadata_dir = "/var/lib/garage/meta"; + # metadata_dir = if config.swarselsystems.isCloud then "/var/lib/garage/meta" else "/Vault/data/garage/meta"; + + garageRpcPort = 3901; + garageWebPort = 3902; + garageAdminPort = 3903; + garageK2VPort = 3904; + + adminDomain = "${subDomain}admin.${baseDomain}"; + webDomain = "${subDomain}web.${baseDomain}"; in { options = { swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; swarselsystems.server.${serviceName} = { - data_dir = lib.mkOption { - type = lib.types.either lib.types.path (lib.types.listOf lib.types.attrs); - default = "/var/lib/garage/data"; + data_dir = { + path = lib.mkOption { + type = lib.types.str; + description = "Directory where Garage stores its metadata"; + }; + capacity = lib.mkOption { + type = lib.types.str; + }; + }; + buckets = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "List of buckets to create"; + }; + keys = lib.mkOption { + type = lib.types.attrsOf (lib.types.listOf lib.types.str); + default = { }; + description = "Keys and their associated buckets. 
Each key gets full access (read/write/owner) to its listed buckets."; + example = { + my_key_name = [ "bucket1" "bucket2" ]; + my_other_key = [ "bucket2" "bucket3" ]; + }; }; }; }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + assertions = [ + { + assertion = config.swarselsystems.server.${serviceName}.buckets != [ ]; + message = "If Garage is enabled, at least one bucket must be specified in swarselsystems.server.${serviceName}.buckets"; + } + { + assertion = builtins.length (lib.attrsToList config.swarselsystems.server.${serviceName}.keys) > 0; + message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys"; + } + { + assertion = + let + allKeyBuckets = lib.flatten (lib.attrValues config.swarselsystems.server.${serviceName}.keys); + invalidBuckets = builtins.filter (bucket: !(lib.elem bucket config.swarselsystems.server.${serviceName}.buckets)) allKeyBuckets; + in + invalidBuckets == [ ]; + message = "All buckets referenced in keys must exist in the buckets list"; + } + ]; + + nodes.stoicclub.swarselsystems.server.dns.${baseDomain}.subdomainRecords = { + "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "*.${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; sops = { secrets.garage-admin-token = { inherit sopsFile; }; secrets.garage-rpc-secret = { inherit sopsFile; }; }; + # DynamicUser cannot read above secrets + systemd.services.${serviceName}.serviceConfig = { + DynamicUser = false; + ProtectHome = lib.mkForce false; + }; + environment = { persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [ - { directory = metadata_dir; } + { directory = "/var/lib/garage"; } + (lib.mkIf 
config.swarselsystems.isCloud { directory = config.swarselsystems.server.${serviceName}.data_dir.path; }) ]; systemPackages = [ cfg.package ]; }; - systemd.services.${serviceName}.serviceConfig = { - DynamicUser = false; - ProtectHome = lib.mkForce false; + globals.services.${specificServiceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; }; + services.${serviceName} = { enable = true; package = pkgs.garage_2; settings = { - inherit (config.swarselsystems.${serviceName}) data_dir; + data_dir = [ config.swarselsystems.server.${serviceName}.data_dir ]; inherit metadata_dir; db_engine = "lmdb"; - block_size = "1MiB"; + block_size = "128M"; use_local_tz = false; + disable_scrub = true; + replication_factor = 1; + compression_level = "none"; - replication_factor = 2; # Number of copies of data + rpc_bind_addr = "[::]:${builtins.toString garageRpcPort}"; + # we are not joining our nodes, just use the private ipv4 + rpc_public_addr = "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}"; - rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "${config.repo.secrets.local.ipv4}:4317"; rpc_secret_file = config.sops.secrets.garage-rpc-secret.path; s3_api = { - s3_region = "swarsel"; - api_bind_addr = "0.0.0.0:${builtins.toString servicePort}"; - root_domain = ".s3.garage.localhost"; + s3_region = mainUser; + api_bind_addr = "[::]:${builtins.toString servicePort}"; + root_domain = ".${serviceDomain}"; + }; + + s3_web = { + bind_addr = "[::]:${builtins.toString garageWebPort}"; + root_domain = ".${config.repo.secrets.common.services.domains."garage-web-${config.node.name}"}"; + add_host_to_metrics = true; }; admin = { - api_bind_addr = "0.0.0.0:3903"; + api_bind_addr = "[::]:${builtins.toString garageAdminPort}"; admin_token_file = config.sops.secrets.garage-admin-token.path; }; k2v_api = { - api_bind_addr = "[::]:3904"; + api_bind_addr = "[::]:${builtins.toString 
garageK2VPort}"; }; }; }; - nodes.moonside.services.nginx = { + + systemd.services = { + garage-buckets = { + description = "Create Garage buckets"; + after = [ "garage.service" ]; + wants = [ "garage.service" ]; + wantedBy = [ "multi-user.target" ]; + + path = [ cfg.package pkgs.gawk pkgs.coreutils ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "root"; + Group = "root"; + }; + + script = '' + garage status + + # Checking repeatedly with garage status until getting 0 exit code + while ! garage status >/dev/null 2>&1; do + echo "Garage not yet operational, waiting..." + echo "Current garage status output:" + garage status 2>&1 || true + echo "---" + sleep 5 + done + + # Now we check if garage status shows any failed nodes by checking for ==== FAILED NODES ==== + while garage status | grep -q "==== FAILED NODES ===="; do + echo "Garage has failed nodes, waiting..." + echo "Current garage status output:" + garage status 2>&1 || true + echo "---" + sleep 5 + done + + echo "Garage is operational, proceeding with bucket management." 
+ + # Get list of existing buckets + existing_buckets=$(garage bucket list | tail -n +2 | awk '{print $3}' | grep -v '^$' || true) + + # Create buckets that should exist + ${lib.concatMapStringsSep "\n" (bucket: '' + if [[ "$(garage bucket info ${lib.escapeShellArg bucket} 2>&1 >/dev/null)" == *"Bucket not found"* ]]; then + echo "Creating bucket ${lib.escapeShellArg bucket}" + garage bucket create ${lib.escapeShellArg bucket} + else + echo "Bucket ${lib.escapeShellArg bucket} already exists" + fi + '') + cfg.buckets} + + # Remove buckets that shouldn't exist + for bucket in $existing_buckets; do + should_exist=false + ${lib.concatMapStringsSep "\n" (bucket: '' + if [[ "$bucket" == ${lib.escapeShellArg bucket} ]]; then + should_exist=true + fi + '') + cfg.buckets} + + if [[ "$should_exist" == "false" ]]; then + echo "Removing bucket $bucket" + garage bucket delete --yes "$bucket" + fi + done + ''; + }; + + garage-keys = { + description = "Create Garage keys and set permissions"; + after = [ "garage-buckets.service" ]; + wants = [ "garage-buckets.service" ]; + requires = [ "garage-buckets.service" ]; + wantedBy = [ "multi-user.target" ]; + + path = [ cfg.package pkgs.gawk pkgs.coreutils ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "root"; + Group = "root"; + }; + + script = '' + garage key list + echo "Managing keys..." 
+ + # Get list of existing keys + existing_keys=$(garage key list | tail -n +2 | awk '{print $3}' | grep -v '^$' || true) + + # Create keys that should exist + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: _: '' + if [[ "$(garage key info ${lib.escapeShellArg keyName} 2>&1)" == *"0 matching keys"* ]]; then + echo "Creating key ${lib.escapeShellArg keyName}" + garage key create ${lib.escapeShellArg keyName} + else + echo "Key ${lib.escapeShellArg keyName} already exists" + fi + '') + cfg.keys)} + + # Set up key permissions for buckets + ${lib.concatStringsSep "\n" (lib.mapAttrsToList ( + keyName: buckets: + lib.concatMapStringsSep "\n" (bucket: '' + echo "Granting full access to key ${lib.escapeShellArg keyName} for bucket ${lib.escapeShellArg bucket}" + garage bucket allow --read --write --owner --key ${lib.escapeShellArg keyName} ${lib.escapeShellArg bucket} + '') + buckets + ) + cfg.keys)} + + # Remove permissions from buckets that are no longer associated with keys + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: buckets: '' + # Get current buckets this key has access to + current_buckets=$(garage key info ${lib.escapeShellArg keyName} | grep -A 1000 "==== BUCKETS FOR THIS KEY ====" | tail -n +3 | awk '{print $3}' | grep -v '^$' || true) + + # Remove access from buckets not in the desired list + for current_bucket in $current_buckets; do + should_have_access=false + ${lib.concatMapStringsSep "\n" (bucket: '' + if [[ "$current_bucket" == ${lib.escapeShellArg bucket} ]]; then + should_have_access=true + fi + '') + buckets} + + if [[ "$should_have_access" == "false" ]]; then + echo "Removing access for key ${lib.escapeShellArg keyName} from bucket $current_bucket" + garage bucket deny --key ${lib.escapeShellArg keyName} $current_bucket + fi + done + '') + cfg.keys)} + + # Remove keys that shouldn't exist + for key in $existing_keys; do + should_exist=false + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: _: '' + if [[ "$key" == 
${lib.escapeShellArg keyName} ]]; then + should_exist=true + fi + '') + cfg.keys)} + + if [[ "$should_exist" == "false" ]]; then + echo "Removing key $key" + garage key delete --yes "$key" + fi + done + ''; + }; + }; + + security.acme.certs."${webDomain}" = { + domain = "*.${webDomain}"; + }; + + nodes.${serviceProxy}.services.nginx = { + upstreams = { + ${serviceName} = { + servers = { + "${serviceAddress}:${builtins.toString servicePort}" = { }; + }; + }; + "${serviceName}Web" = { + servers = { + "${serviceAddress}:${builtins.toString garageWebPort}" = { }; + }; + }; + "${serviceName}Admin" = { + servers = { + "${serviceAddress}:${builtins.toString garageAdminPort}" = { }; + }; + }; + }; + virtualHosts = { + "${adminDomain}" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + oauth2.enable = false; + locations = { + "/" = { + proxyPass = "http://${serviceName}Admin"; + }; + }; + }; + "*.${webDomain}" = { + useACMEHost = webDomain; + forceSSL = true; + acmeRoot = null; + oauth2.enable = false; + locations = { + "/" = { + proxyPass = "http://${serviceName}Web"; + }; + }; + }; + "${serviceDomain}" = { + serverAliases = [ "*.${serviceDomain}" ]; + enableACME = true; + forceSSL = true; + acmeRoot = null; + oauth2.enable = false; + locations = { + "/" = { + proxyPass = "http://${serviceName}"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + }; + }; + + }; + } +#+end_src +**** nsd (dns) +:PROPERTIES: +:CUSTOM_ID: h:ef5b7ace-4870-4dfa-9532-9a9d2722dc9a +:END: + +#+begin_src nix-ts :tangle modules/nixos/server/nsd/default.nix + { lib, config, globals, dns, confLib, ... 
}: + let + inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName servicePort proxyAddress4 proxyAddress6; + inherit (config.swarselsystems) sopsFile; + in + { + options = { + swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + swarselsystems.server.dns = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.submodule { + options = { + subdomainRecords = lib.mkOption { + type = lib.types.attrsOf dns.lib.types.subzone; + default = { }; + }; + }; + } + ); + }; + }; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + sops.secrets = { + tsig-key = { inherit sopsFile; }; + }; + + # services.resolved.enable = false; + networking = { + # nameservers = [ "1.1.1.1" "8.8.8.8" ]; + firewall = { + allowedUDPPorts = [ servicePort ]; + allowedTCPPorts = [ servicePort ]; + }; + }; + + services.nsd = { + enable = true; + keys = { + "${globals.domains.main}.${proxyAddress4}" = { + algorithm = "hmac-sha256"; + keyFile = config.sops.secrets.tsig-key.path; + }; + "${globals.domains.main}.${proxyAddress6}" = { + algorithm = "hmac-sha256"; + keyFile = config.sops.secrets.tsig-key.path; + }; + "${globals.domains.main}" = { + algorithm = "hmac-sha256"; + keyFile = config.sops.secrets.tsig-key.path; + }; + }; + interfaces = [ + "10.1.2.157" + "2603:c020:801f:a0cc::9d" + ]; + zones = { + "${globals.domains.main}" = + let + keyName4 = "${globals.domains.main}.${proxyAddress4}"; + keyName6 = "${globals.domains.main}.${proxyAddress6}"; + keyName = "${globals.domains.main}"; + transferList = [ + "213.239.242.238 ${keyName4}" + "2a01:4f8:0:a101::a:1 ${keyName6}" + "213.133.100.103 ${keyName4}" + "2a01:4f8:0:1::5ddc:2 ${keyName6}" + "193.47.99.3 ${keyName4}" + "2001:67c:192c::add:a3 ${keyName6}" + ]; + + in + { + outgoingInterface = "2603:c020:801f:a0cc::9d"; + notify = transferList ++ [ + "216.218.130.2 ${keyName}" + ]; + provideXFR = transferList ++ [ + "216.218.133.2 ${keyName}" + "2001:470:600::2 ${keyName}" + ]; + + # 
dnssec = true; + data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns proxyAddress4 proxyAddress6; }); + }; + }; + }; + + }; + } +#+end_src +**** nsd (dns) - site1 +:PROPERTIES: +:CUSTOM_ID: h:dc1dbc54-46f7-406d-a551-527e97439614 +:END: + +#+begin_src nix-ts :tangle modules/nixos/server/nsd/site1.nix + { config, globals, dns, proxyAddress4, proxyAddress6, ... }: + with dns.lib.combinators; { + SOA = { + nameServer = "soa"; + adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin") + serial = 2025120201; # update this on changes for secondary dns + }; + + useOrigin = false; + + NS = [ + "soa" + "srv" + ] ++ globals.domains.externalDns; + + + A = [ config.repo.secrets.local.dns.homepage-ip ]; + + SRV = [ + { + service = "_matrix"; + proto = "_tcp"; + port = 443; + target = "${globals.services.matrix.subDomain}"; + priority = 10; + weight = 5; + } + { + service = "_submissions"; + proto = "_tcp"; + port = 465; + target = "${globals.services.mailserver.subDomain}"; + priority = 5; + weight = 0; + ttl = 3600; + } + { + service = "_submission"; + proto = "_tcp"; + port = 587; + target = "${globals.services.mailserver.subDomain}"; + priority = 5; + weight = 0; + ttl = 3600; + } + { + service = "_imap"; + proto = "_tcp"; + port = 143; + target = "${globals.services.mailserver.subDomain}"; + priority = 5; + weight = 0; + ttl = 3600; + } + { + service = "_imaps"; + proto = "_tcp"; + port = 993; + target = "${globals.services.mailserver.subDomain}"; + priority = 5; + weight = 0; + ttl = 3600; + } + ]; + + MX = [ + { + preference = 10; + exchange = "${globals.services.mailserver.subDomain}"; + } + ]; + + DKIM = [ + { + selector = "mail"; + k = "rsa"; + p = config.repo.secrets.local.dns.mailserver.dkim-public; + ttl = 10800; + } + ]; + + TXT = [ + (with spf; strict [ "a:${globals.services.mailserver.subDomain}.${globals.domains.main}" ]) + 
"google-site-verification=${config.repo.secrets.local.dns.google-site-verification}" + ]; + + DMARC = [ + { + p = "none"; + ttl = 10800; + } + ]; + + subdomains = config.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords // { + "www".CNAME = [ "${globals.domains.main}." ]; + "_acme-challenge".CNAME = [ "${config.repo.secrets.local.dns.acme-challenge-domain}." ]; + "soa" = host proxyAddress4 proxyAddress6; + "srv" = host proxyAddress4 proxyAddress6; + }; + } +#+end_src +**** Minecraft +:PROPERTIES: +:CUSTOM_ID: h:948d4f4e-b752-4e2e-b8a9-35d9d7f246c6 +:END: + +#+begin_src nix-ts :tangle modules/nixos/server/minecraft/default.nix + { lib, config, pkgs, globals, dns, confLib, ... }: + let + inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6; + inherit (config.swarselsystems) mainUser; + worldName = "${mainUser}craft"; + in + { + options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + topology.self.services.${serviceName}.info = "https://${serviceDomain}"; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + networking.firewall.allowedTCPPorts = [ servicePort ]; + + environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [ + { directory = serviceDir; mode = "0755"; } + ]; + + systemd.services.minecraft-swarselcraft = { + description = "Minecraft Server"; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + User = "root"; + WorkingDirectory = 
"${serviceDir}/${worldName}"; + + ExecStart = "${lib.getExe pkgs.temurin-jre-bin-17} @user_jvm_args.txt @libraries/net/minecraftforge/forge/1.20.1-47.2.20/unix_args.txt nogui"; + + Restart = "always"; + RestartSec = 30; + StandardInput = "null"; + }; + + wantedBy = [ "multi-user.target" ]; + }; + + + }; + + } +#+end_src +**** Mailserver +:PROPERTIES: +:CUSTOM_ID: h:64cbeb7e-0773-4eb5-8e52-6b97c8f685e2 +:END: + +#+begin_src nix-ts :tangle modules/nixos/server/mailserver.nix + { lib, config, globals, dns, confLib, ... }: + let + inherit (config.swarselsystems) sopsFile; + inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceDomain serviceProxy proxyAddress4 proxyAddress6; + inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 user3; + baseDomain = globals.domains.main; + in + { + options = { + swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + }; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + sops.secrets = { + user1-hashed-pw = { inherit sopsFile; owner = serviceUser; }; + user2-hashed-pw = { inherit sopsFile; owner = serviceUser; }; + user3-hashed-pw = { inherit sopsFile; owner = serviceUser; }; + }; + + environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [ + { directory = "/var/vmail"; user = serviceUser; group = serviceGroup; mode = "0770"; } + { directory = "/var/sieve"; user = serviceUser; group = serviceGroup; mode = "0770"; } + { 
directory = "/var/dkim"; user = "rspamd"; group = "rspamd"; mode = "0700"; } + { directory = serviceDir; user = serviceUser; group = serviceGroup; mode = "0700"; } + { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; } + { directory = "/var/lib/rspamd"; user = "rspamd"; group = "rspamd"; mode = "0700"; } + { directory = "/var/lib/roundcube"; user = "roundcube"; group = "roundcube"; mode = "0700"; } + { directory = "/var/lib/redis-rspamd"; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; } + { directory = "/var/lib/postfix"; user = "root"; group = "root"; mode = "0755"; } + { directory = "/var/lib/knot-resolver"; user = "knot-resolver"; group = "knot-resolver"; mode = "0770"; } + ]; + + mailserver = { + enable = true; + stateVersion = 3; + fqdn = serviceDomain; + domains = [ baseDomain ]; + indexDir = "${serviceDir}/indices"; + openFirewall = true; + certificateScheme = "acme"; + dmarcReporting.enable = true; + + loginAccounts = { + "${user1}@${baseDomain}" = { + hashedPasswordFile = config.sops.secrets.user1-hashed-pw.path; + aliases = [ + "${alias1_1}@${baseDomain}" + "${alias1_2}@${baseDomain}" + "${alias1_3}@${baseDomain}" + "${alias1_4}@${baseDomain}" + ]; + }; + "${user2}@${baseDomain}" = { + hashedPasswordFile = config.sops.secrets.user2-hashed-pw.path; + aliases = [ + "${alias2_1}@${baseDomain}" + ]; + sendOnly = true; + }; + "${user3}@${baseDomain}" = { + hashedPasswordFile = config.sops.secrets.user3-hashed-pw.path; + aliases = [ + "@${baseDomain}" + ]; + catchAll = [ + baseDomain + ]; + }; + }; + }; + + services.roundcube = { + enable = true; + # this is the url of the vhost, not necessarily the same as the fqdn of + # the mailserver + hostName = serviceDomain; + extraConfig = '' + $config['imap_host'] = "ssl://${config.mailserver.fqdn}"; + $config['smtp_host'] = "ssl://${config.mailserver.fqdn}"; + $config['smtp_user'] = "%u"; + $config['smtp_pass'] = "%p"; + ''; + configureNginx = true; + }; + + # the 
rest of the ports are managed by snm + networking.firewall.allowedTCPPorts = [ 80 servicePort ]; + + nodes.${serviceProxy}.services.nginx = { + virtualHosts = { + "${serviceDomain}" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/".recommendedSecurityHeaders = false; + "~ ^/(SQL|bin|config|logs|temp|vendor)/".recommendedSecurityHeaders = false; + "~ ^/(CHANGELOG.md|INSTALL|LICENSE|README.md|SECURITY.md|UPGRADING|composer.json|composer.lock)".recommendedSecurityHeaders = false; + "~* \\.php(/|$)".recommendedSecurityHeaders = false; + }; + }; + }; + }; + + }; + } +#+end_src +**** Attic (nix binary cache) +:PROPERTIES: +:CUSTOM_ID: h:092593d2-0ca0-4f86-9951-6127a3594e25 +:END: + +Generate the attic server token using =openssl genrsa -traditional 4096 | base64 -w0= + +# Copy and paste from the atticd output +$ attic login local http://localhost:8080 eyJ... +✍️ Configuring server "local" + +$ attic cache create hello +✨ Created cache "hello" on "local" + +#+begin_src nix-ts :tangle modules/nixos/server/attic.nix + { lib, config, globals, dns, confLib, ... 
}: + let + inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6; + inherit (config.swarselsystems) mainUser isPublic sopsFile; + serviceDB = "atticd"; + in + { + options = { + swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + }; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + sops = lib.mkIf (!isPublic) { + secrets = { + attic-server-token = { inherit sopsFile; }; + attic-garage-access-key = { inherit sopsFile; }; + attic-garage-secret-key = { inherit sopsFile; }; + }; + templates = { + "attic.env" = { + content = '' + ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.sops.placeholder.attic-server-token} + AWS_ACCESS_KEY_ID=${config.sops.placeholder.attic-garage-access-key} + AWS_SECRET_ACCESS_KEY=${config.sops.placeholder.attic-garage-secret-key} + ''; + }; + }; + }; + + services.atticd = { + enable = true; + environmentFile = config.sops.templates."attic.env".path; + settings = { + listen = "[::]:${builtins.toString servicePort}"; + api-endpoint = "https://${serviceDomain}/"; + allowed-hosts = [ + serviceDomain + ]; + require-proof-of-possession = false; + compression = { + type = "zstd"; + level = 3; + }; + database.url = "postgresql:///atticd?host=/run/postgresql"; + + storage = + if config.swarselmodules.server.garage then { + type = "s3"; + region = mainUser; + bucket = serviceName; + # attic must be patched to never serve pre-signed s3 urls directly + # otherwise it will redirect clients to this localhost endpoint + endpoint = "http://127.0.0.1:3900"; + } else { 
+ type = "local"; + path = serviceDir; + # attic must be patched to never serve pre-signed s3 urls directly + # otherwise it will redirect clients to this localhost endpoint + }; + + garbage-collection = { + interval = "1 day"; + default-retention-period = "3 months"; + }; + + chunking = { + nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # 64 KiB + + min-size = 16 * 1024; # 16 KiB + avg-size = 64 * 1024; # 64 KiB + max-size = 256 * 1024; # 256 KiBize = 262144; + }; + }; + }; + + services.postgresql = { + enable = true; + enableTCPIP = true; + ensureDatabases = [ serviceDB ]; + ensureUsers = [ + { + name = serviceDB; + ensureDBOwnership = true; + } + ]; + }; + + systemd.services.atticd = lib.mkIf config.swarselmodules.server.garage { + requires = [ "garage.service" ]; + after = [ "garage.service" ]; + }; + + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { @@ -11493,6 +13939,9 @@ Generate the rpc token using =openssl rand -hex 32=. locations = { "/" = { proxyPass = "http://${serviceName}"; + extraConfig = '' + client_max_body_size 0; + ''; }; }; }; 
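Review bot: In the new modules/nixos/server/minecraft/default.nix, `systemd.services.minecraft-swarselcraft` sets `User = "root"` for a Java game server whose port (`servicePort`, 25565) is opened in `networking.firewall.allowedTCPPorts`, so any flaw in the server or a loaded mod would run with full root privileges. The unit also sets no sandboxing options, and the persisted `serviceDir` is declared with mode 0755. I would run it under a dedicated system account and confine writes to `serviceDir`, as sketched below; `serviceUser`/`serviceGroup` are assumed to be available from `confLib.gen` as they are in the kanidm and mailserver modules, and the existing files under `/opt/minecraft` would need a one-time ownership change. The start of this hunk is garbled in this view, so the note refers only to its minecraft section.

```nix
inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; }) serviceName servicePort serviceDir serviceUser serviceGroup serviceDomain proxyAddress4 proxyAddress6;
# … unchanged: mainUser, worldName, options, DNS record, topology, globals, firewall …

users.groups.${serviceGroup} = { };
users.users.${serviceUser} = {
  isSystemUser = true;
  group = serviceGroup;
  home = serviceDir;
};

environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
  { directory = serviceDir; user = serviceUser; group = serviceGroup; mode = "0750"; }
];

systemd.services.minecraft-swarselcraft = {
  # … unchanged: description, wants, after …
  serviceConfig = {
    User = serviceUser;
    Group = serviceGroup;
    # keep a compromised server process away from the rest of the host
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    ReadWritePaths = [ serviceDir ];
    # … unchanged: WorkingDirectory, ExecStart, Restart, RestartSec, StandardInput …
  };
```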
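Review bot: `client_max_body_size 0;` in the added `extraConfig` turns off nginx's request-body limit for this location altogether, so the proxy will forward uploads of any size to the upstream. If the service behind it really needs large pushes, a finite ceiling is safer than no limit, e.g. `client_max_body_size <LIMIT>;` with `<LIMIT>` chosen from the largest object you expect, plus a short comment saying why the default is raised. The virtual host this location belongs to starts outside the hunk, so I cannot tell from here whether authentication in front of it already restricts who can send such requests. The garage `serviceDomain` virtual host in the preceding hunk uses the same setting.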
@@ -11571,6 +14020,48 @@ TODO: evaluate whether I should keep using this structure. #+end_src +**** Niri +:PROPERTIES: +:CUSTOM_ID: h:58162d08-3ded-441d-861e-2ebf30e32538 +:END: + +Auto login for the initial session. + +#+begin_src nix-ts :tangle modules/nixos/optional/niri.nix + { inputs, lib, config, pkgs, ... }: + let + moduleName = "niri"; + in + { + imports = [ + inputs.niri-flake.nixosModules.niri + ]; + options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings"; + config = lib.mkIf config.swarselmodules.${moduleName} { + + environment.systemPackages = with pkgs; [ + wl-clipboard + wayland-utils + libsecret + cage + gamescope + xwayland-satellite-unstable + ]; + + + programs.niri = { + enable = true; + package = pkgs.niri-unstable; # the actual niri that will be installed and used + }; + } // { + niri-flake.cache.enable = true; + programs.niri = { + package = null; + }; + }; + } +#+end_src + **** gaming :PROPERTIES: :CUSTOM_ID: h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431 @@ -11579,10 +14070,16 @@ TODO: evaluate whether I should keep using this structure. This opens a few gaming ports and installs the steam configuration suite for gaming. There are more options in [[#h:84fd7029-ecb6-4131-9333-289982f24ffa][Gaming]] (home-manager side). #+begin_src nix-ts :tangle modules/nixos/optional/gaming.nix - { pkgs, lib, config, ... }: + { self, pkgs, config, ... }: { - options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; - config = lib.mkIf config.swarselmodules.optional.gaming { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/gaming.nix" + ]; + }; + programs.steam = { enable = true; package = pkgs.steam; 
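Review bot: In the new niri module, `config = lib.mkIf config.swarselmodules.${moduleName} { … } // { … };` applies `//` to the value returned by `lib.mkIf`, because function application binds tighter than `//` in Nix. As far as I can tell the second attribute set (`niri-flake.cache.enable = true;` and `programs.niri.package = null;`) is therefore merged into the mkIf wrapper rather than into the configuration, and would be silently ignored. If both parts are meant to apply, `config = lib.mkMerge [ (lib.mkIf config.swarselmodules.${moduleName} { … }) { niri-flake.cache.enable = true; } ];` expresses that; note that `package = null` would then conflict with `package = pkgs.niri-unstable`, so only one of the two should remain. The prose above the block ("Auto login for the initial session.") does not describe what the module does and could be replaced by a sentence on the installed packages and the cache switch.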
@@ -11633,8 +14130,7 @@ This sets the VirtualBox configuration. Guest should not be enabled if not direl #+begin_src nix-ts :tangle modules/nixos/optional/virtualbox.nix { lib, config, pkgs, ... }: { - options.swarselmodules.optional.virtualbox = lib.mkEnableOption "optional VBox settings"; - config = lib.mkIf config.swarselmodules.optional.virtualbox { + config = { # specialisation = { # VBox.configuration = { virtualisation.virtualbox = { @@ -11678,11 +14174,10 @@ This sets the VirtualBox configuration. Guest should not be enabled if not direl This sets the VirtualBox configuration. Guest should not be enabled if not direly needed, it will make rebuilds unbearably slow. #+begin_src nix-ts :tangle modules/nixos/optional/vmware.nix - { lib, config, ... }: + _: { - options.swarselmodules.optional.vmware = lib.mkEnableOption "optional vmware settings"; - config = lib.mkIf config.swarselmodules.optional.vmware { + config = { virtualisation.vmware.host.enable = true; virtualisation.vmware.guest.enable = true; }; @@ -11697,10 +14192,9 @@ This sets the VirtualBox configuration. Guest should not be enabled if not direl This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using. #+begin_src nix-ts :tangle modules/nixos/optional/nswitch-rcm.nix - { lib, config, pkgs, ... }: + { pkgs, ... }: { - options.swarselmodules.optional.nswitch-rcm = lib.mkEnableOption "optional nswitch-rcm settings"; - config = lib.mkIf config.swarselmodules.optional.nswitch-rcm { + config = { services.nswitch-rcm = { enable = true; package = pkgs.fetchurl { 
@@ -11720,10 +14214,16 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using. This holds configuration that is specific to framework laptops. #+begin_src nix-ts :tangle modules/nixos/optional/framework.nix - { lib, config, ... }: + { self, config, ... }: { - options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; - config = lib.mkIf config.swarselmodules.optional.framework { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/framework.nix" + ]; + }; + services = { fwupd = { enable = true; @@ -11755,10 +14255,9 @@ This holds configuration that is specific to framework laptops. :END: #+begin_src nix-ts :tangle modules/nixos/optional/amdcpu.nix - { lib, config, ... }: + _: { - options.swarselmodules.optional.amdcpu = lib.mkEnableOption "optional amd cpu settings"; - config = lib.mkIf config.swarselmodules.optional.amdcpu { + config = { hardware = { cpu.amd.updateMicrocode = true; }; @@ -11773,10 +14272,9 @@ This holds configuration that is specific to framework laptops. #+begin_src nix-ts :tangle modules/nixos/optional/amdgpu.nix - { lib, config, ... }: + _: { - options.swarselmodules.optional.amdgpu = lib.mkEnableOption "optional amd gpu settings"; - config = lib.mkIf config.swarselmodules.optional.amdgpu { + config = { hardware = { amdgpu = { opencl.enable = true; @@ -11799,7 +14297,6 @@ This holds configuration that is specific to framework laptops. #+begin_src nix-ts :tangle modules/nixos/optional/hibernation.nix { lib, config, ... }: { - options.swarselmodules.optional.hibernation = lib.mkEnableOption "optional amd gpu settings"; options.swarselsystems = { hibernation = { offset = lib.mkOption { 
@@ -11812,7 +14309,7 @@ This holds configuration that is specific to framework laptops. }; }; }; - config = lib.mkIf config.swarselmodules.optional.hibernation { + config = { boot = { kernelParams = [ "resume_offset=${builtins.toString config.swarselsystems.hibernation.offset}" @@ -11830,23 +14327,6 @@ This holds configuration that is specific to framework laptops. } #+end_src -**** BTRFS -:PROPERTIES: -:CUSTOM_ID: h:86fb3236-9e18-43f0-8a08-3a2acd61cc98 -:END: - -#+begin_src nix-ts :tangle modules/nixos/optional/btrfs.nix - { lib, config, ... }: - { - options.swarselmodules.btrfs = lib.mkEnableOption "optional btrfs settings"; - config = lib.mkIf config.swarselmodules.btrfs { - boot = { - supportedFilesystems = lib.mkIf config.swarselsystems.isBtrfs [ "btrfs" ]; - }; - }; - } -#+end_src - **** work :PROPERTIES: :CUSTOM_ID: h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf @@ -11863,7 +14343,7 @@ When setting up a new machine: #+end_src #+begin_src nix-ts :tangle modules/nixos/optional/work.nix - { self, lib, pkgs, config, configName, ... }: + { self, lib, pkgs, config, ... }: let inherit (config.swarselsystems) mainUser homeDir; iwd = config.networking.networkmanager.wifi.backend == "iwd"; @@ -11871,18 +14351,24 @@ When setting up a new machine: sopsFile = self + /secrets/work/secrets.yaml; in { - options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; options.swarselsystems = { hostName = lib.mkOption { type = lib.types.str; - default = configName; + default = config.node.name; }; fqdn = lib.mkOption { type = lib.types.str; default = ""; }; }; - config = lib.mkIf config.swarselmodules.optional.work { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/work.nix" + ]; + }; + sops = let secretNames = [ 
@@ -12099,21 +14585,38 @@ When setting up a new machine: } #+end_src +**** Uni + +#+begin_src nix-ts :tangle modules/nixos/optional/uni.nix :noweb yes + { self, config, ... }: + { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/work.nix" + ]; + }; + }; + } + +#+end_src + **** microvm-host +:PROPERTIES: +:CUSTOM_ID: h:ded3276e-3e97-4863-a29e-b978d8aae1c9 +:END: Some standard options that should be set for every microvm host. #+begin_src nix-ts :tangle modules/nixos/optional/microvm-host.nix - { lib, config, ... }: + { config, lib, ... }: { - options = { - swarselmodules.optional.microvmHost = lib.mkEnableOption "optional microvmHost settings"; - }; - # imports = [ - # inputs.microvm.nixosModules.host - # ]; + # imports = [ + # inputs.microvm.nixosModules.host + # ]; - config = lib.mkIf (config.guests != {}) { + config = lib.mkIf (config.guests != { }) { microvm = { hypervisor = lib.mkDefault "qemu"; 
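Review bot: The new `modules/nixos/optional/uni.nix` imports `"${self}/modules/home/optional/work.nix"`, the same home module that the work module imports earlier in this diff, which looks like a copy-paste slip. If so, a host that enables only the Uni module pulls in the whole work home configuration, including whatever secrets and credentials that module declares, on a machine where they are not meant to be. If a uni home module exists, the import should presumably read `"${self}/modules/home/optional/uni.nix"`; if sharing the work module is intended, a comment such as `# uni hosts deliberately reuse the work home module` would stop it being "fixed" later. The new `**** Uni` heading also lacks the `:PROPERTIES:`/`:CUSTOM_ID:` drawer that the neighbouring headings receive in this hunk.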
@@ -12123,25 +14626,84 @@ Some standard options that should be set for every microvm host. #+end_src **** microvm-guest +:PROPERTIES: +:CUSTOM_ID: h:46419b40-c40b-4b55-ac6f-a30169322bd6 +:END: Some standard options that should be set vor every microvm guest. We set the default #+begin_src nix-ts :tangle modules/nixos/optional/microvm-guest.nix - { lib, config, ... }: + _: { - options.swarselmodules.optional.microvmGuest = lib.mkEnableOption "optional microvmGuest settings"; # imports = [ # inputs.microvm.nixosModules.microvm - # "${self}/profiles/nixos" - # "${self}/modules/nixos" # ]; - config = lib.mkIf config.swarselmodules.optional.microvmGuest - { - }; + + config = + { }; } #+end_src +**** systemd-networkd (server) + +Some standard options that should be set vor every microvm guest. We set the default + +#+begin_src nix-ts :tangle modules/nixos/optional/systemd-networkd-server.nix + { lib, config, globals, ... }: + { + networking = { + useDHCP = lib.mkForce false; + useNetworkd = true; + dhcpcd.enable = false; + renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) ( + config.repo.secrets.local.networking.networks or { } + ); + }; + boot.initrd.systemd.network = { + enable = true; + networks."10-${config.swarselsystems.server.localNetwork}" = config.systemd.network.networks."10-${config.swarselsystems.server.localNetwork}"; + }; + + systemd = { + network = { + enable = true; + wait-online.enable = false; + networks = + let + netConfig = config.repo.secrets.local.networking; + in + { + "10-${config.swarselsystems.server.localNetwork}" = { + address = [ + "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv4}" + "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv6}" + ]; + routes = [ + { + Gateway = netConfig.defaultGateway6; + GatewayOnLink = true; + } + { + Gateway = netConfig.defaultGateway4; + GatewayOnLink = true; + } + ]; + networkConfig = { + IPv6PrivacyExtensions = 
true; + IPv6AcceptRA = false; + }; + matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac; + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + }; + } + +#+end_src + + ** Home-manager :PROPERTIES: :CUSTOM_ID: h:08ded95b-9c43-475d-a0b2-fc088a512287 @@ -12161,6 +14723,9 @@ The general structure here is the same as in the [[#h:6da812f5-358c-49cb-aff2-0a #+end_src *** Steps to setup/upgrade home-manager only +:PROPERTIES: +:CUSTOM_ID: h:360f9da1-334e-4b04-b049-45085db8f10c +:END: Steps to get a home-manager only setup up and running: #+begin_src markdown :noweb-ref homemanageronlysetup :exports both :results html @@ -12224,7 +14789,7 @@ This section sets up all the imports that are used in the home-manager section. } #+end_src -**** General home-manager-settings +**** General home-manager-settings (nix) :PROPERTIES: :CUSTOM_ID: h:4af4f67f-7c48-4754-b4bd-6800e3a66664 :END: 
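Review bot: `renameInterfacesByMac` reads `config.repo.secrets.local.networking.networks or { }`, but `netConfig.defaultGateway4`, `netConfig.defaultGateway6` and the `.mac` lookup under `matchConfig.MACAddress` further down are read with no fallback, so the `or { }` only moves the failure to a less obvious place when the local secrets are missing. Either drop the fallback or guard the whole network definition the same way, for example with an assertion that names the missing attribute. `IPv6PrivacyExtensions = true` appears to have no effect next to `IPv6AcceptRA = false` and statically assigned addresses, since temporary addresses are only generated for autoconfigured prefixes; a comment on the intent would help. The section text above the block is copied from the microvm-guest section and does not describe this module.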
@@ -12232,112 +14797,123 @@ This section sets up all the imports that are used in the home-manager section. Again, we adapt =nix= to our needs, enable the home-manager command for non-NixOS machines (NixOS machines are using it as a module) and setting user information that I always keep the same. #+begin_src nix-ts :tangle modules/home/common/settings.nix - { self, outputs, lib, pkgs, config, ... }: - let - inherit (config.swarselsystems) mainUser flakePath isNixos isLinux; - in - { - options.swarselmodules.general = lib.mkEnableOption "general nix settings"; - config = - let - nix-version = "2_30"; - in - lib.mkIf config.swarselmodules.general { - nix = lib.mkIf (!config.swarselsystems.isNixos) { - package = lib.mkForce pkgs.nixVersions."nix_${nix-version}"; - # extraOptions = '' - # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins - # extra-builtins-file = ${self + /nix/extra-builtins.nix} - # ''; - extraOptions = + { self, outputs, lib, pkgs, config, globals, confLib, ... }: + let + inherit (config.swarselsystems) mainUser flakePath isNixos isLinux; + inherit (confLib.getConfig.repo.secrets.common) atticPublicKey; + in + { + options.swarselmodules.general = lib.mkEnableOption "general nix settings"; + config = let - nix-plugins = pkgs.nix-plugins.override { - nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; - }; + nix-version = "2_30"; in - '' + lib.mkIf config.swarselmodules.general { + nix = lib.mkIf (!config.swarselsystems.isNixos) { + package = lib.mkForce pkgs.nixVersions."nix_${nix-version}"; + # extraOptions = '' + # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins + # extra-builtins-file = ${self + /nix/extra-builtins.nix} + # ''; + extraOptions = + let + nix-plugins = pkgs.nix-plugins.override { + nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; + }; + in + '' plugin-files = ${nix-plugins}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - ''; - settings = { - experimental-features = 
[ - "nix-command" - "flakes" - "ca-derivations" - "cgroups" - "pipe-operators" - ]; - trusted-users = [ "@wheel" "${mainUser}" ]; - connect-timeout = 5; - bash-prompt-prefix = "$SHLVL:\\w "; - bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; - fallback = true; - min-free = 128000000; - max-free = 1000000000; - auto-optimise-store = true; - warn-dirty = false; - max-jobs = 1; - use-cgroups = lib.mkIf isLinux true; - }; - }; - - nixpkgs = lib.mkIf (!isNixos) { - overlays = [ - outputs.overlays.default - (final: prev: - let - additions = final: _: import "${self}/pkgs/config" { - inherit self config lib; - pkgs = final; - homeConfig = config; + extra-builtins-file = ${self + /nix/extra-builtins.nix} + ''; + settings = { + experimental-features = [ + "nix-command" + "flakes" + "ca-derivations" + "cgroups" + "pipe-operators" + ]; + substituters = [ + "https://${globals.services.attic.domain}/${mainUser}" + ]; + trusted-public-keys = [ + atticPublicKey + ]; + trusted-users = [ + "@wheel" + "${mainUser}" + (lib.mkIf config.swarselmodules.server.ssh-builder "builder") + ]; + connect-timeout = 5; + bash-prompt-prefix = "$SHLVL:\\w "; + bash-prompt = "$(if [[ $? 
-gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; + fallback = true; + min-free = 128000000; + max-free = 1000000000; + auto-optimise-store = true; + warn-dirty = false; + max-jobs = 1; + use-cgroups = lib.mkIf isLinux true; }; - in - additions final prev - ) - ]; - config = { - allowUnfree = true; - }; - }; + }; - programs = { - # home-manager.enable = lib.mkIf (!isNixos) true; - man = { - enable = true; - generateCaches = true; - }; - }; + nixpkgs = lib.mkIf (!isNixos) { + overlays = [ + outputs.overlays.default + (final: prev: + let + additions = final: _: import "${self}/pkgs/config" { + inherit self config lib; + pkgs = final; + homeConfig = config; + }; + in + additions final prev + ) + ]; + config = { + allowUnfree = true; + }; + }; - targets.genericLinux.enable = lib.mkIf (!isNixos) true; + programs = { + # home-manager.enable = lib.mkIf (!isNixos) true; + man = { + enable = true; + generateCaches = true; + }; + }; - home = { - username = lib.mkDefault mainUser; - homeDirectory = lib.mkDefault "/home/${mainUser}"; - stateVersion = lib.mkDefault "23.05"; - keyboard.layout = "us"; - sessionVariables = { - FLAKE = "/home/${mainUser}/.dotfiles"; - }; - extraOutputsToInstall = [ - "doc" - "info" - "devdoc" - ]; - packages = lib.mkIf (!isNixos) [ - (pkgs.symlinkJoin { - name = "home-manager"; - buildInputs = [ pkgs.makeWrapper ]; - paths = [ pkgs.home-manager ]; - postBuild = '' - wrapProgram $out/bin/home-manager \ - --append-flags '--flake ${flakePath}#$(hostname)' - ''; - }) - ]; - }; - }; + targets.genericLinux.enable = lib.mkIf (!isNixos) true; - } + home = { + username = lib.mkDefault mainUser; + homeDirectory = lib.mkDefault "/home/${mainUser}"; + stateVersion = lib.mkDefault "23.05"; + keyboard.layout = "us"; + sessionVariables = { + FLAKE = "/home/${mainUser}/.dotfiles"; + }; + extraOutputsToInstall = [ + "doc" + "info" + "devdoc" + ]; + packages = lib.mkIf (!isNixos) [ + (pkgs.symlinkJoin { + name = "home-manager"; + buildInputs = [ pkgs.makeWrapper 
]; + paths = [ pkgs.home-manager ]; + postBuild = '' + wrapProgram $out/bin/home-manager \ + --append-flags '--flake ${flakePath}#$(hostname)' + ''; + }) + ]; + }; + }; + + } #+end_src **** nixGL @@ -12429,6 +15005,9 @@ This holds packages that I can use as provided, or with small modifications (as # ssh login using idm opkssh + # cache + attic-client + # dict (aspellWithDicts (dicts: with dicts; [ de en en-computers en-science ])) @@ -12464,7 +15043,6 @@ This holds packages that I can use as provided, or with small modifications (as nix-inspect nixpkgs-review manix - comma # shellscripts shfmt @@ -12663,8 +15241,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at options.swarselmodules.sops = lib.mkEnableOption "sops settings"; config = lib.optionalAttrs (inputs ? sops) { sops = { - age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${homeDir}/.ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = "${homeDir}/.dotfiles/secrets/general/secrets.yaml"; + age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml"; validateSopsFiles = false; }; @@ -12678,7 +15256,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at :END: #+begin_src nix-ts :tangle modules/home/common/yubikey.nix - { lib, config, inputs, nixosConfig ? config, ... }: + { lib, config, inputs, confLib, ... }: let inherit (config.swarselsystems) homeDir; in 
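Review bot: In `settings.trusted-users` the new entry `(lib.mkIf config.swarselmodules.server.ssh-builder "builder")` makes the remote-build account a trusted Nix user, and the Nix manual describes membership of `trusted-users` as essentially equivalent to root on that machine, because a trusted user can add substituters and import unsigned store paths. The matching private key is deployed to client machines (the `builder-key` secret added to the ssh module in this diff), so every host holding that key holds that level of access to the builder. Consider leaving `builder` untrusted and having clients sign what they upload, with their public keys listed in the builder's `trusted-public-keys`; at minimum add a comment such as `# builder is trusted so it can receive unsigned paths; treat its SSH key like a root credential`. Separately, `substituters` and `trusted-public-keys` are set without the `extra-` prefix, which may replace rather than extend the defaults on the non-NixOS hosts this block targets, so it is worth confirming that the upstream cache and its key are still in effect.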
@@ -12689,8 +15267,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) { ids = [ - nixosConfig.repo.secrets.common.yubikeys.dev1 - nixosConfig.repo.secrets.common.yubikeys.dev2 + confLib.getConfig.repo.secrets.common.yubikeys.dev1 + confLib.getConfig.secrets.common.yubikeys.dev2 ]; }; } // lib.optionalAttrs (inputs ? sops) { @@ -12709,10 +15287,10 @@ I use sops-nix to handle secrets that I want to have available on my machines at It is very convenient to have SSH aliases in place for machines that I use. This is mainly used for some server machines and some university clusters. We also enable agent forwarding to have our Yubikey SSH key accessible on the remote host. #+begin_src nix-ts :tangle modules/home/common/ssh.nix - { lib, config, nixosConfig ? config, ... }: + { inputs, lib, config, confLib, ... }: { options.swarselmodules.ssh = lib.mkEnableOption "ssh settings"; - config = lib.mkIf config.swarselmodules.ssh { + config = lib.mkIf config.swarselmodules.ssh ({ programs.ssh = { enable = true; enableDefaultConfig = false; @@ -12729,13 +15307,17 @@ It is very convenient to have SSH aliases in place for machines that I use. This serverAliveCountMax = 3; hashKnownHosts = false; userKnownHostsFile = "~/.ssh/known_hosts"; - controlMaster = "no"; + controlMaster = "auto"; controlPath = "~/.ssh/master-%r@%n:%p"; - controlPersist = "no"; + controlPersist = "5m"; }; - } // nixosConfig.repo.secrets.common.ssh.hosts; + } // confLib.getConfig.repo.secrets.common.ssh.hosts; }; - }; + } // lib.optionalAttrs (inputs ? sops) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; }; + }; + }); } #+end_src 
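Review bot: The second id in `pam.yubico.authorizedYubiKeys.ids` reads `confLib.getConfig.secrets.common.yubikeys.dev2`, without the `repo` segment that `dev1` on the line above and every other converted reference in this diff uses. Unless `getConfig` really exposes a top-level `secrets` attribute, this fails evaluation as soon as the `lib.mkIf` condition holds, or at best resolves to something other than the intended key id. It should read `confLib.getConfig.repo.secrets.common.yubikeys.dev2`.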
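Review bot: Changing `controlMaster` to `"auto"` and `controlPersist` to `"5m"` in what appears to be the default match block means that, for five minutes after a login, any process running as the user can open further sessions to that host through `~/.ssh/master-%r@%n:%p` without authenticating again, so the YubiKey touch or PIN no longer gates each connection. Together with the agent forwarding this section describes, that widens what a compromised local process can reach. If the aim is faster remote builds, consider keeping `controlMaster = "no"` as the default and enabling multiplexing only in the match block for the builder host, or shortening the persist time. The block these options sit in starts outside the hunk, so which hosts it applies to is not visible here.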
@@ -12940,11 +15522,11 @@ Also in firefox `about:config > toolkit.legacyUserProfileCustomizations.styleshe Sets environment variables. Here I am only setting the EDITOR variable, most variables are set in the [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] section. #+begin_src nix-ts :tangle modules/home/common/env.nix - { lib, config, nixosConfig ? config, ... }: + { lib, config, confLib, globals, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; - inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; - inherit (nixosConfig.repo.secrets.common) fullName openrouterApi; + inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; + inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain; inherit (config.swarselsystems) isPublic homeDir; DISPLAY = ":0"; @@ -12958,7 +15540,14 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var } // (lib.optionalAttrs (!isPublic) { }); systemd.user.sessionVariables = { DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; + FLAKE = "${config.home.homeDirectory}/.dotfiles"; } // lib.optionalAttrs (!isPublic) { + SWARSEL_DOMAIN = globals.domains.main; + SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain; + SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain; + SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain; + SWARSEL_INSTA_DOMAIN = instaDomain; + SWARSEL_SPORT_DOMAIN = sportDomain; SWARSEL_MAIL1 = address1; SWARSEL_MAIL2 = address2; SWARSEL_MAIL3 = address3; 
@@ -12971,7 +15560,7 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var SWARSEL_CAL3NAME = source3-name; SWARSEL_FULLNAME = fullName; SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses; - GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path; + GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path; OPENROUTER_API_KEY = openrouterApi; }; }; @@ -13085,7 +15674,7 @@ This section is for programs that require no further configuration. zsh Integrat :CUSTOM_ID: h:64dbbb9e-8097-4c1b-813c-8c10cf9b9748 :END: -nix-index provides a way to find out which packages are provided by which derivations. By default it also comes with a replacement for =command-not-found.sh=, however, the implementation is based on a channel based setup. I like consistency, so I replace the command with one that provides a flakes-based output. +nix-index provides a way to find out which packages are provided by which derivations. By default it also comes with a replacement for =command-not-found.sh=, however, the implementation is based on a channel based setup. I like consistency, so I replace the command with one that provides a flakes-based output. This also uses the =nix-index-with-full-db= from the nix-index-database input thanks to its overlay. #+begin_src nix-ts :tangle modules/home/common/nix-index.nix { self, lib, config, pkgs, ... }: @@ -13104,17 +15693,22 @@ nix-index provides a way to find out which packages are provided by which deriva in { + enable = true; package = pkgs.symlinkJoin { name = "nix-index"; paths = [ commandNotFound ]; }; }; + programs.nix-index-database.comma.enable = true; }; } #+end_src **** nix-your-shell +:PROPERTIES: +:CUSTOM_ID: h:3fd72021-e174-49d0-a42e-58f6ed3682f2 +:END: #+begin_src nix-ts :tangle modules/home/common/nix-your-shell.nix { lib, config, ... }: 
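Review bot: `OPENROUTER_API_KEY = openrouterApi;` in `systemd.user.sessionVariables` takes its value from `confLib.getConfig.repo.secrets.common` at evaluation time, so the key itself is most likely written into generated files in the world-readable Nix store and exported to every process in the user session. The line directly above it passes `GITHUB_NOTIFICATION_TOKEN_PATH` as the path of a sops secret instead, and the API key could follow the same pattern, for example `OPENROUTER_API_KEY_PATH = confLib.getConfig.sops.secrets.<openrouter-secret-name>.path;` (secret name is a placeholder), with consumers reading the file. The attribute set this line belongs to starts outside the hunk.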
@@ -13217,6 +15811,7 @@ Eza provides me with a better =ls= command and some other useful aliases. programs.atuin = { enable = true; enableZshIntegration = true; + enableBashIntegration = true; settings = { auto_sync = true; sync_frequency = "5m"; @@ -13235,10 +15830,10 @@ Eza provides me with a better =ls= command and some other useful aliases. Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]]. #+begin_src nix-ts :tangle modules/home/common/git.nix - { lib, config, globals, minimal, nixosConfig ? config, ... }: + { lib, config, globals, minimal, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (confLib.getConfig.repo.secrets.common.mail) address1; + inherit (confLib.getConfig.repo.secrets.common) fullName; gitUser = globals.user.name; in @@ -13522,7 +16117,7 @@ lib.mkMerge [ zshConfigEarlyInit zshConfig ]; Currently I only use it as before with =initExtra= though. #+begin_src nix-ts :tangle modules/home/common/zsh.nix - { config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }: + { config, pkgs, lib, minimal, inputs, globals, confLib, ... }: let inherit (config.swarselsystems) flakePath isNixos; crocDomain = globals.services.croc.domain; @@ -13591,7 +16186,10 @@ Currently I only use it as before with =initExtra= though. }; history = { expireDuplicatesFirst = true; - path = "$HOME/.histfile"; + append = true; + ignoreSpace = true; + ignoreDups = true; + path = "${config.home.homeDirectory}/.histfile"; save = 100000; size = 100000; }; 
@@ -13648,8 +16246,8 @@ Currently I only use it as before with =initExtra= though. ''; sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) { CROC_RELAY = crocDomain; - CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})"; - GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; + CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})"; + GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins"; # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox"; }; @@ -13665,7 +16263,39 @@ Currently I only use it as before with =initExtra= though. } #+end_src +**** bash +:PROPERTIES: +:CUSTOM_ID: h:ab30e218-665c-46ad-9708-9d92ebc34fed +:END: + + +#+begin_src nix-ts :tangle modules/home/common/bash.nix + { config, lib, ... }: + { + options.swarselmodules.bash = lib.mkEnableOption "bash settings"; + config = lib.mkIf config.swarselmodules.bash { + + programs.bash = { + enable = true; + # needed for remote builders + bashrcExtra = lib.mkIf (!config.swarselsystems.isNixos) '' + export PATH="/nix/var/nix/profiles/default/bin:$PATH" + ''; + historyFile = "${config.home.homeDirectory}/.histfile"; + historySize = 100000; + historyFileSize = 100000; + historyControl = [ + "ignoreboth" + ]; + }; + }; + } +#+end_src + **** zellij +:PROPERTIES: +:CUSTOM_ID: h:87a28654-8377-41c9-8e6c-2d488e62575f +:END: ***** Main config :PROPERTIES: :CUSTOM_ID: h:00de4901-631c-4b4c-86ce-d9d6e62ed8c7 @@ -13730,6 +16360,9 @@ Currently I only use it as before with =initExtra= though. } #+end_src ***** Keybinds +:PROPERTIES: +:CUSTOM_ID: h:f65f9574-3b50-472d-8e24-2023271d1887 +:END: #+begin_src nix-ts :tangle modules/home/common/zellij-keybinds.nix { lib, config, ... }: { 
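Review bot: In the new bash module, `historyFile = "${config.home.homeDirectory}/.histfile"` points bash at the same file that the zsh module's `history.path` is set to in this diff, so both shells will read, append to and truncate one history file. If zsh writes extended-format entries (not visible here), bash will load them as literal command lines and each shell's size limit will discard the other's entries. A separate file such as `historyFile = "${config.home.homeDirectory}/.bash_history";` avoids that, or, if sharing is intended because atuin is enabled for both shells, a comment saying so would help.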
@@ -14991,10 +17624,10 @@ Currently I only use it as before with =initExtra= though. Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here. #+begin_src nix-ts :tangle modules/home/common/mail.nix - { lib, config, inputs, nixosConfig ? config, ... }: + { lib, config, inputs, globals, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; + inherit (confLib.getConfig.repo.secrets.common) fullName; inherit (config.swarselsystems) xdgDir; in { 
@@ -15116,24 +17749,43 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl maildirBasePath = "Mail"; accounts = { swarsel = { - address = address4; - userName = address4-user; - realName = fullName; - passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}"; - smtp = { - host = address4-host; - port = 587; - tls = { - enable = true; - useStartTls = true; - }; + imap = { + host = globals.services.mailserver.domain; + port = 993; + tls.enable = true; # SSL/TLS }; - mu.enable = false; + smtp = { + host = globals.services.mailserver.domain; + port = 465; + tls.enable = true; # SSL/TLS + }; + thunderbird = { + enable = true; + profiles = [ "default" ]; + }; + address = address4; + userName = address4; + realName = fullName; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}"; + mu.enable = true; msmtp = { enable = true; }; mbsync = { - enable = false; + enable = true; + create = "maildir"; + expunge = "both"; + patterns = [ "*" ]; + extraConfig = { + channel = { + Sync = "All"; + }; + account = { + Timeout = 120; + PipelineDepth = 1; + AuthMechs = "LOGIN"; + }; + }; }; }; @@ -15143,7 +17795,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address1; userName = address1; realName = fullName; - passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}"; gpg = { key = "0x76FD3810215AE097"; signByDefault = true; @@ -15157,7 +17809,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address2; userName = address2; realName = address2-name; - passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}"; } defaultSettings; 
@@ -15167,7 +17819,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address3; userName = address3; realName = address3-name; - passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}"; } defaultSettings; @@ -15306,12 +17958,14 @@ Lastly, I am defining some more packages here that the parser has problems findi secrets = { fever-pw = { path = "${homeDir}/.emacs.d/.fever"; }; emacs-radicale-pw = { }; + github-forge-token = { }; }; templates = { authinfo = { path = "${homeDir}/.emacs.d/.authinfo"; content = '' machine ${globals.services.radicale.domain} login ${radicaleUser} password ${config.sops.placeholder.emacs-radicale-pw} + machine api.github.com login ${mainUser}^forge password ${config.sops.placeholder.github-forge-token} ''; }; }; @@ -15995,6 +18649,9 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi #+end_src ***** blueman-applet +:PROPERTIES: +:CUSTOM_ID: h:06aceb90-3b97-4d77-9e13-b1a8af26dd50 +:END: #+begin_src nix-ts :tangle modules/home/common/blueman-applet.nix { lib, config, ... }: @@ -16007,6 +18664,9 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi #+end_src ***** network-manager-applet +:PROPERTIES: +:CUSTOM_ID: h:67907a83-40ed-49ad-9fa7-bcc0b9cf5936 +:END: #+begin_src nix-ts :tangle modules/home/common/network-manager-applet.nix { lib, config, ... }: @@ -16020,6 +18680,9 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi #+end_src ***** obsidian service for tray +:PROPERTIES: +:CUSTOM_ID: h:7f943057-e0c8-4dbd-9875-67e55bc74a47 +:END: #+begin_src nix-ts :tangle modules/home/common/obsidian-tray.nix { lib, config, ... }: 
@@ -16052,6 +18715,9 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi #+end_src ***** anki service for tray +:PROPERTIES: +:CUSTOM_ID: h:872deae6-dc31-44ac-9c4a-95720fce0a53 +:END: Sets up a systemd user service for anki that does not stall the shutdown process. Note that the outcommented =ExecStart= does not work because the home-manager anki package builds a separate anki package that - I think - cannot be referenced as no such expression exists in the module. @@ -16095,6 +18761,9 @@ Sets up a systemd user service for anki that does not stall the shutdown process #+end_src ***** element service for tray +:PROPERTIES: +:CUSTOM_ID: h:2d0f1a35-cff5-4c24-b104-e431c05ae563 +:END: #+begin_src nix-ts :tangle modules/home/common/element-tray.nix { lib, config, pkgs, ... }: @@ -16127,6 +18796,9 @@ Sets up a systemd user service for anki that does not stall the shutdown process #+end_src ***** vesktop service for tray +:PROPERTIES: +:CUSTOM_ID: h:ea741a3c-982e-4e23-8ecf-b30193a5c326 +:END: #+begin_src nix-ts :tangle modules/home/common/vesktop-tray.nix { lib, config, pkgs, ... }: @@ -16159,6 +18831,9 @@ Sets up a systemd user service for anki that does not stall the shutdown process #+end_src ***** syncthing service for tray +:PROPERTIES: +:CUSTOM_ID: h:5e7c606f-628a-4849-94e9-359d7b75f228 +:END: #+begin_src nix-ts :tangle modules/home/common/syncthing-tray.nix { lib, config, pkgs, ... }: @@ -16293,7 +18968,7 @@ I am currently using SwayFX, which adds some nice effects to sway, like rounded Currently, I am too lazy to explain every option here, but most of it is very self-explaining in any case. #+begin_src nix-ts :tangle modules/home/common/sway.nix - { config, lib, vars, nixosConfig ? config, ... }: + { config, lib, vars, confLib, ... }: let eachOutput = _: monitor: { inherit (monitor) name; 
@@ -16676,7 +19351,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se export XDG_CURRENT_DESKTOP=sway; export XDG_SESSION_DESKTOP=sway; export _JAVA_AWT_WM_NONREPARENTING=1; - export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path}; + export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path}; '' + vars.waylandExports; # extraConfigEarly = " # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK 
@@ -16723,226 +19398,6 @@ Currently, I am too lazy to explain every option here, but most of it is very se } #+end_src -**** Niri -:PROPERTIES: -:CUSTOM_ID: h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb -:END: - -#+begin_src nix-ts :tangle modules/home/common/niri.nix - { config, pkgs, lib, vars, ... }: - { - options.swarselmodules.niri = lib.mkEnableOption "niri settings"; - config = lib.mkIf config.swarselmodules.niri { - - programs.niri = { - package = pkgs.niri-unstable; # which package to use for niri validation - settings = { - xwayland-satellite = { - enable = true; - path = "${lib.getExe pkgs.xwayland-satellite-unstable}"; - }; - prefer-no-csd = true; - layer-rules = [ - { matches = [{ namespace = "^notifications$"; }]; block-out-from = "screencast"; } - { matches = [{ namespace = "^wallpaper$"; }]; place-within-backdrop = true; } - ]; - window-rules = [ - { - matches = [{ app-id = ".*"; }]; - opacity = 0.95; - default-column-width = { proportion = 0.5; }; - shadow = { - enable = true; - draw-behind-window = true; - }; - geometry-corner-radius = { top-left = 2.0; top-right = 2.0; bottom-left = 2.0; bottom-right = 2.0; }; - } - { matches = [{ app-id = "at.yrlf.wl_mirror"; }]; opacity = 1.0; } - { matches = [{ app-id = "Gimp"; }]; opacity = 1.0; } - { matches = [{ app-id = "firefox"; }]; opacity = 0.99; } - { matches = [{ app-id = "^special.*"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; } - { matches = [{ app-id = "chromium-browser"; }]; opacity = 0.99; } - { matches = [{ app-id = "^qalculate-gtk$"; }]; open-floating = true; } - { matches = [{ app-id = "^blueman$"; }]; open-floating = true; } - { matches = [{ app-id = "^pavucontrol$"; }]; open-floating = true; } - { matches = [{ app-id = "^syncthingtray$"; }]; open-floating = true; } - { matches = [{ app-id = "^Element$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; } - # { matches = [{ app-id = "^Element$"; }]; 
default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } - { matches = [{ app-id = "^vesktop$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; } - # { matches = [{ app-id = "^vesktop$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } - { matches = [{ app-id = "^com.nextcloud.desktopclient.nextcloud$"; }]; open-floating = true; } - { matches = [{ title = ".*1Password.*"; }]; excludes = [{ app-id = "^firefox$"; } { app-id = "^emacs$"; } { app-id = "^kitty$"; }]; open-floating = true; block-out-from = "screencast"; } - { matches = [{ title = "(?:Open|Save) (?:File|Folder|As)"; }]; open-floating = true; } - { matches = [{ title = "^Add$"; }]; open-floating = true; } - { matches = [{ title = "^Picture-in-Picture$"; }]; open-floating = true; } - { matches = [{ title = "Syncthing Tray"; }]; open-floating = true; } - { matches = [{ title = "^Emacs Popup Frame$"; }]; open-floating = true; } - { matches = [{ title = "^Emacs Popup Anchor$"; }]; open-floating = true; } - { matches = [{ app-id = "^spotifytui$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } - { matches = [{ app-id = "^kittyterm$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } - ]; - environment = { - DISPLAY = ":0"; - } // vars.waylandSessionVariables; - screenshot-path = "~/Pictures/Screenshots/screenshot_%Y-%m-%d-%H%M%S.png"; - input = { - mod-key = "Super"; - keyboard = { - xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - }; - mouse = { - natural-scroll = false; - }; - touchpad = { - enable = true; - tap = true; - tap-button-map = "left-right-middle"; - natural-scroll = true; - scroll-method = "two-finger"; - click-method = "clickfinger"; - disabled-on-external-mouse = true; - drag = true; - drag-lock = false; - dwt = true; - dwtp = true; - }; - }; - cursor = { - 
hide-after-inactive-ms = 2000; - hide-when-typing = true; - }; - layout = { - background-color = "transparent"; - border = { - enable = true; - width = 1; - }; - focus-ring = { - enable = false; - }; - gaps = 5; - }; - binds = with config.lib.niri.actions; let - sh = spawn "sh" "-c"; - in - { - - # "Mod+Super_L" = spawn "killall -SIGUSR1 .waybar-wrapped"; - "Mod+z".action = spawn "killall -SIGUSR1 .waybar-wrapped"; - "Mod+Shift+t".action = toggle-window-rule-opacity; - # "Mod+Escape".action = "mode $exit"; - "Mod+m".action = focus-workspace-previous; - "Mod+Shift+Space".action = toggle-window-floating; - "Mod+Shift+f".action = toggle-windowed-fullscreen; - "Mod+q".action = close-window; - "Mod+f".action = spawn "firefox"; - "Mod+Space".action = spawn "fuzzel"; - "Mod+Shift+c".action = spawn "qalculate-gtk"; - "Mod+Ctrl+p".action = spawn "1password" "--quick-acces"; - "Mod+Shift+Escape".action = spawn "kitty" "-o" "confirm_os_window_close=0" "btm"; - "Mod+h".action = sh ''hyprpicker | wl-copy''; - # "Mod+s".action = spawn "grim" "-g" "\"$(slurp)\"" "-t" "png" "-" "|" "wl-copy" "-t" "image/png"; - # "Mod+s".action = screenshot { show-pointer = false; }; - "Mod+s".action.screenshot = { show-pointer = false; }; - # "Mod+Shift+s".action = spawn "slurp" "|" "grim" "-g" "-" "Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')"; - # "Mod+Shift+s".action = screenshot-window { write-to-disk = true; }; - "Mod+Shift+s".action.screenshot-window = { write-to-disk = true; }; - # "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv"; - - "Mod+e".action = sh "emacsclient -nquc -a emacs -e '(dashboard-open)'"; - "Mod+c".action = sh "emacsclient -ce '(org-capture)'"; - "Mod+t".action = sh "emacsclient -ce '(org-agenda)'"; - "Mod+Shift+m".action = sh "emacsclient -ce '(mu4e)'"; - "Mod+Shift+a".action = sh "emacsclient -ce '(swarsel/open-calendar)'"; - - "Mod+a".action = spawn "swarselcheck-niri" 
"-s"; - "Mod+x".action = spawn "swarselcheck-niri" "-k"; - "Mod+d".action = spawn "swarselcheck-niri" "-d"; - "Mod+w".action = spawn "swarselcheck-niri" "-e"; - - "Mod+p".action = spawn "pass-fuzzel"; - "Mod+o".action = spawn "pass-fuzzel" "--otp"; - "Mod+Shift+p".action = spawn "pass-fuzzel" "--type"; - "Mod+Shift+o".action = spawn "pass-fuzzel" "--otp" "--type"; - - "Mod+Left".action = focus-column-or-monitor-left; - "Mod+Right".action = focus-column-or-monitor-right; - "Mod+Down".action = focus-window-or-workspace-down; - "Mod+Up".action = focus-window-or-workspace-up; - "Mod+Shift+Left".action = move-column-left; - "Mod+Shift+Right".action = move-column-right; - "Mod+Shift+Down".action = move-window-down-or-to-workspace-down; - "Mod+Shift+Up".action = move-window-up-or-to-workspace-up; - # "Mod+Ctrl+Shift+c".action = "reload"; - # "Mod+Ctrl+Shift+r".action = "exec swarsel-displaypower"; - # "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' 
-b 'Yes, exit sway' 'swaymsg exit'"; - # "Mod+r".action = "mode resize"; - # "Mod+Return".action = "exec kitty"; - "Mod+Return".action = spawn "swarselzellij"; - "XF86AudioRaiseVolume".action = spawn "swayosd-client" "--output-volume" "raise"; - "XF86AudioLowerVolume".action = spawn "swayosd-client" "--output-volume" "lower"; - "XF86AudioMute".action = spawn "swayosd-client" "--output-volume" "mute-toggle"; - "XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness raise"; - "XF86MonBrightnessDown".action = spawn "swayosd-client" "--brightness lower"; - "XF86Display".action = spawn "wl-mirror" "eDP-1"; - "Mod+Escape".action = spawn "wlogout"; - "Mod+Equal".action = set-column-width "+10%"; - "Mod+Minus".action = set-column-width "-10%"; - - "Mod+1".action = focus-workspace 1; - "Mod+2".action = focus-workspace 2; - "Mod+3".action = focus-workspace 3; - "Mod+4".action = focus-workspace 4; - "Mod+5".action = focus-workspace 5; - "Mod+6".action = focus-workspace 6; - "Mod+7".action = focus-workspace 7; - "Mod+8".action = focus-workspace 8; - "Mod+9".action = focus-workspace 9; - "Mod+0".action = focus-workspace 0; - - "Mod+Shift+1".action = move-column-to-index 1; - "Mod+Shift+2".action = move-column-to-index 2; - "Mod+Shift+3".action = move-column-to-index 3; - "Mod+Shift+4".action = move-column-to-index 4; - "Mod+Shift+5".action = move-column-to-index 5; - "Mod+Shift+6".action = move-column-to-index 6; - "Mod+Shift+7".action = move-column-to-index 7; - "Mod+Shift+8".action = move-column-to-index 8; - "Mod+Shift+9".action = move-column-to-index 9; - "Mod+Shift+0".action = move-column-to-index 0; - }; - spawn-at-startup = [ - # { command = [ "vesktop" "--start-minimized" "--enable-speech-dispatcher" "--ozone-platform-hint=auto" "--enable-features=WaylandWindowDecorations" "--enable-wayland-ime" ]; } - # { command = [ "element-desktop" "--hidden" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland" "--disable-gpu-driver-bug-workarounds" ]; } - # { 
command = [ "anki" ]; } - # { command = [ "obsidian" ]; } - # { command = [ "nm-applet" ]; } - { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; } - ]; - workspaces = { - # "01-Main" = { - # name = "Scratchpad"; - # }; - "99-Scratchpad" = { - name = ""; - }; - }; - }; - }; - - } // { - programs.niri = lib.mkIf (!config.swarselmodules.niri) { - package = null; - config = null; - settings = null; - }; - }; - } -#+end_src - **** Kanshi :PROPERTIES: :CUSTOM_ID: h:eb94df98-2bcd-4555-9f88-e252f93b924f @@ -17134,9 +19589,9 @@ When setting up a new machine: This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. #+begin_src nix-ts :tangle modules/home/common/gammastep.nix - { lib, config, nixosConfig ? config, ... }: + { lib, config, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.location) latitude longitude; + inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude; in { options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings"; @@ -17183,12 +19638,15 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** Obsidian +:PROPERTIES: +:CUSTOM_ID: h:ffd97152-63ce-41a0-a40e-c78ba3eb6722 +:END: #+begin_src nix-ts :tangle modules/home/common/obsidian.nix - { lib, config, pkgs, nixosConfig ? config, ... }: + { lib, config, pkgs, confLib, ... }: let moduleName = "obsidian"; - inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters; + inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters; name = "Main"; in { 
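Review bot: `latitude` and `longitude` in the gammastep hunk are inherited from `confLib.getConfig.repo.secrets.common.location` at evaluation time, so they are plain Nix values, unlike the `sops.secrets.*.path` references elsewhere in this diff. They will presumably be written into whatever gammastep configuration the module generates in the Nix store. The same applies to `userIgnoreFilters` in the Obsidian hunk on this line and to `irc_nick1` in the Hexchat hunk further down. The use sites are outside these hunks, so this is inferred. A comment beside each `inherit`, such as `# evaluation-time value, ends up readable in the store; keep credentials in sops instead`, would keep the distinction visible.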
@@ -17341,10 +19799,13 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** Anki +:PROPERTIES: +:CUSTOM_ID: h:6f2839dc-c681-4697-8e93-4ef191362434 +:END: #+begin_src nix-ts :tangle modules/home/common/anki.nix - { lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }: + { lib, config, pkgs, globals, inputs, confLib, ... }: let moduleName = "anki"; inherit (config.swarselsystems) isPublic isNixos; @@ -17369,11 +19830,11 @@ This service changes the screen hue at night. I am not sure if that really does syncMedia = true; autoSyncMediaMinutes = 5; url = "https://${globals.services.ankisync.domain}"; - usernameFile = nixosConfig.sops.secrets.anki-user.path; + usernameFile = confLib.getConfig.sops.secrets.anki-user.path; # this is not the password but the syncKey # get it by logging in or out, saving preferences and then # show details on the "settings wont be saved" dialog - keyFile = nixosConfig.sops.secrets.anki-pw.path; + keyFile = confLib.getConfig.sops.secrets.anki-pw.path; }; addons = let @@ -17413,10 +19874,13 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** Element-desktop +:PROPERTIES: +:CUSTOM_ID: h:add71e84-43ff-40c7-9173-de43a13bbae6 +:END: #+begin_src nix-ts :tangle modules/home/common/element.nix - { lib, config, ... }: + { lib, config, globals, ... }: let moduleName = "element-desktop"; in @@ -17428,7 +19892,7 @@ This service changes the screen hue at night. I am not sure if that really does settings = { default_server_config = { "m.homeserver" = { - base_url = "https://swatrix.swarsel.win/"; + base_url = "https://${globals.services.matrix.domain}/"; }; }; UIFeature = { 
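Review bot: In the Anki sync hunk, `keyFile` reads `sops.secrets.anki-pw.path`, while the comment directly above it says the value is the sync key and not the password. The sync key is presumably still a credential for the sync server, so the misleading name matters when someone rotates or audits secrets by name. Renaming the secret touches definitions outside this hunk, so the smaller fix is to extend the existing comment with `# NOTE: the sops secret is called anki-pw but stores the sync key`.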
@@ -17448,13 +19912,16 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** Hexchat +:PROPERTIES: +:CUSTOM_ID: h:812cedcd-520e-417e-8923-aaae5ff5e316 +:END: #+begin_src nix-ts :tangle modules/home/common/hexchat.nix - { lib, config, nixosConfig ? config, ... }: + { lib, config, confLib, ... }: let moduleName = "hexchat"; - inherit (nixosConfig.repo.secrets.common.irc) irc_nick1; + inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1; in { options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings"; @@ -17471,6 +19938,9 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** obs-studio +:PROPERTIES: +:CUSTOM_ID: h:ef995044-6833-40d6-825b-64063c00a790 +:END: #+begin_src nix-ts :tangle modules/home/common/obs-studio.nix @@ -17490,6 +19960,9 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** spotify-player +:PROPERTIES: +:CUSTOM_ID: h:b99d62a1-4560-429f-81c1-29fc544a46fb +:END: #+begin_src nix-ts :tangle modules/home/common/spotify-player.nix { lib, config, ... }: @@ -17508,6 +19981,9 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** vesktop +:PROPERTIES: +:CUSTOM_ID: h:f5e191c5-b8c0-4f66-aa38-9cbfb1619058 +:END: #+begin_src nix-ts :tangle modules/home/common/vesktop.nix { lib, pkgs, config, ... }: @@ -17593,6 +20069,9 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** batsignal +:PROPERTIES: +:CUSTOM_ID: h:b30fcdf0-93d8-4600-a267-e210bec8e680 +:END: #+begin_src nix-ts :tangle modules/home/common/batsignal.nix { lib, config, ... }: 
@@ -17623,6 +20102,9 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** autotiling +:PROPERTIES: +:CUSTOM_ID: h:a7bac755-510c-424b-b964-18fb9e4a6667 +:END: #+begin_src nix-ts :tangle modules/home/common/autotiling.nix { lib, config, ... }: @@ -17642,6 +20124,9 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** swayidle +:PROPERTIES: +:CUSTOM_ID: h:2e23f3d9-ab65-4f2f-912f-dc236189c457 +:END: #+begin_src nix-ts :tangle modules/home/common/swayidle.nix { lib, config, pkgs, ... }: @@ -17681,6 +20166,9 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** swaylock +:PROPERTIES: +:CUSTOM_ID: h:8e508f62-d3e4-48bc-8bce-641bf38a0106 +:END: #+begin_src nix-ts :tangle modules/home/common/swaylock.nix { lib, config, pkgs, ... }: @@ -17707,9 +20195,12 @@ This service changes the screen hue at night. I am not sure if that really does #+end_src **** opkssh +:PROPERTIES: +:CUSTOM_ID: h:99bde2b8-ab38-4082-b06b-4afde9d06228 +:END: #+begin_src nix-ts :tangle modules/home/common/opkssh.nix - { lib, config, ... }: + { lib, config, globals, ... }: let moduleName = "opkssh"; in @@ -17724,7 +20215,7 @@ This service changes the screen hue at night. I am not sure if that really does providers = [ { alias = "kanidm"; - issuer = "https://sso.swarsel.win/oauth2/openid/opkssh"; + issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh"; client_id = "opkssh"; scopes = "openid email profile"; redirect_uris = [ 
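Review bot: The opkssh `issuer` is now assembled from `globals.services.kanidm.domain`, and an OpenID Connect issuer is matched as an exact string against the `iss` claim of the token. The global therefore has to be a bare host name, because a scheme or a trailing slash in it would produce an issuer that never matches and make every login fail. Its definition is not visible here, so a comment on this line would help, for example `# must equal the issuer kanidm advertises for the opkssh client, character for character`. The provider entry continues past the end of the hunk.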
@@ -17835,6 +20326,230 @@ Akin to the [[#h:f9aa9af0-9b8d-43ff-901d-9ffccdd70589][Optional]] NixOS modules. } #+end_src +**** Niri +:PROPERTIES: +:CUSTOM_ID: h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb +:END: + +#+begin_src nix-ts :tangle modules/home/optional/niri.nix + { inputs, config, pkgs, lib, vars, ... }: + { + imports = [ + inputs.niri-flake.homeModules.niri + ]; + options.swarselmodules.niri = lib.mkEnableOption "niri settings"; + config = lib.mkIf config.swarselmodules.niri + { + + programs.niri = { + package = pkgs.niri-unstable; # which package to use for niri validation + settings = { + xwayland-satellite = { + enable = true; + path = "${lib.getExe pkgs.xwayland-satellite-unstable}"; + }; + prefer-no-csd = true; + layer-rules = [ + { matches = [{ namespace = "^notifications$"; }]; block-out-from = "screencast"; } + { matches = [{ namespace = "^wallpaper$"; }]; place-within-backdrop = true; } + ]; + window-rules = [ + { + matches = [{ app-id = ".*"; }]; + opacity = 0.95; + default-column-width = { proportion = 0.5; }; + shadow = { + enable = true; + draw-behind-window = true; + }; + geometry-corner-radius = { top-left = 2.0; top-right = 2.0; bottom-left = 2.0; bottom-right = 2.0; }; + } + { matches = [{ app-id = "at.yrlf.wl_mirror"; }]; opacity = 1.0; } + { matches = [{ app-id = "Gimp"; }]; opacity = 1.0; } + { matches = [{ app-id = "firefox"; }]; opacity = 0.99; } + { matches = [{ app-id = "^special.*"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; } + { matches = [{ app-id = "chromium-browser"; }]; opacity = 0.99; } + { matches = [{ app-id = "^qalculate-gtk$"; }]; open-floating = true; } + { matches = [{ app-id = "^blueman$"; }]; open-floating = true; } + { matches = [{ app-id = "^pavucontrol$"; }]; open-floating = true; } + { matches = [{ app-id = "^syncthingtray$"; }]; open-floating = true; } + { matches = [{ app-id = "^Element$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = 
"screencast"; } + # { matches = [{ app-id = "^Element$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } + { matches = [{ app-id = "^vesktop$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; } + # { matches = [{ app-id = "^vesktop$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } + { matches = [{ app-id = "^com.nextcloud.desktopclient.nextcloud$"; }]; open-floating = true; } + { matches = [{ title = ".*1Password.*"; }]; excludes = [{ app-id = "^firefox$"; } { app-id = "^emacs$"; } { app-id = "^kitty$"; }]; open-floating = true; block-out-from = "screencast"; } + { matches = [{ title = "(?:Open|Save) (?:File|Folder|As)"; }]; open-floating = true; } + { matches = [{ title = "^Add$"; }]; open-floating = true; } + { matches = [{ title = "^Picture-in-Picture$"; }]; open-floating = true; } + { matches = [{ title = "Syncthing Tray"; }]; open-floating = true; } + { matches = [{ title = "^Emacs Popup Frame$"; }]; open-floating = true; } + { matches = [{ title = "^Emacs Popup Anchor$"; }]; open-floating = true; } + { matches = [{ app-id = "^spotifytui$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } + { matches = [{ app-id = "^kittyterm$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } + ]; + environment = { + DISPLAY = ":0"; + } // vars.waylandSessionVariables; + screenshot-path = "~/Pictures/Screenshots/screenshot_%Y-%m-%d-%H%M%S.png"; + input = { + mod-key = "Super"; + keyboard = { + xkb = { + layout = "us"; + variant = "altgr-intl"; + }; + }; + mouse = { + natural-scroll = false; + }; + touchpad = { + enable = true; + tap = true; + tap-button-map = "left-right-middle"; + natural-scroll = true; + scroll-method = "two-finger"; + click-method = "clickfinger"; + disabled-on-external-mouse = true; + drag = true; + drag-lock = 
false; + dwt = true; + dwtp = true; + }; + }; + cursor = { + hide-after-inactive-ms = 2000; + hide-when-typing = true; + }; + layout = { + background-color = "transparent"; + border = { + enable = true; + width = 1; + }; + focus-ring = { + enable = false; + }; + gaps = 5; + }; + binds = with config.lib.niri.actions; let + sh = spawn "sh" "-c"; + in + { + + # "Mod+Super_L" = spawn "killall -SIGUSR1 .waybar-wrapped"; + "Mod+z".action = spawn "killall -SIGUSR1 .waybar-wrapped"; + "Mod+Shift+t".action = toggle-window-rule-opacity; + # "Mod+Escape".action = "mode $exit"; + "Mod+m".action = focus-workspace-previous; + "Mod+Shift+Space".action = toggle-window-floating; + "Mod+Shift+f".action = toggle-windowed-fullscreen; + "Mod+q".action = close-window; + "Mod+f".action = spawn "firefox"; + "Mod+Space".action = spawn "fuzzel"; + "Mod+Shift+c".action = spawn "qalculate-gtk"; + "Mod+Ctrl+p".action = spawn "1password" "--quick-acces"; + "Mod+Shift+Escape".action = spawn "kitty" "-o" "confirm_os_window_close=0" "btm"; + "Mod+h".action = sh ''hyprpicker | wl-copy''; + # "Mod+s".action = spawn "grim" "-g" "\"$(slurp)\"" "-t" "png" "-" "|" "wl-copy" "-t" "image/png"; + # "Mod+s".action = screenshot { show-pointer = false; }; + "Mod+s".action.screenshot = { show-pointer = false; }; + # "Mod+Shift+s".action = spawn "slurp" "|" "grim" "-g" "-" "Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')"; + # "Mod+Shift+s".action = screenshot-window { write-to-disk = true; }; + "Mod+Shift+s".action.screenshot-window = { write-to-disk = true; }; + # "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv"; + + "Mod+e".action = sh "emacsclient -nquc -a emacs -e '(dashboard-open)'"; + "Mod+c".action = sh "emacsclient -ce '(org-capture)'"; + "Mod+t".action = sh "emacsclient -ce '(org-agenda)'"; + "Mod+Shift+m".action = sh "emacsclient -ce '(mu4e)'"; + "Mod+Shift+a".action = sh "emacsclient -ce 
'(swarsel/open-calendar)'"; + + "Mod+a".action = spawn "swarselcheck-niri" "-s"; + "Mod+x".action = spawn "swarselcheck-niri" "-k"; + "Mod+d".action = spawn "swarselcheck-niri" "-d"; + "Mod+w".action = spawn "swarselcheck-niri" "-e"; + + "Mod+p".action = spawn "pass-fuzzel"; + "Mod+o".action = spawn "pass-fuzzel" "--otp"; + "Mod+Shift+p".action = spawn "pass-fuzzel" "--type"; + "Mod+Shift+o".action = spawn "pass-fuzzel" "--otp" "--type"; + + "Mod+Left".action = focus-column-or-monitor-left; + "Mod+Right".action = focus-column-or-monitor-right; + "Mod+Down".action = focus-window-or-workspace-down; + "Mod+Up".action = focus-window-or-workspace-up; + "Mod+Shift+Left".action = move-column-left; + "Mod+Shift+Right".action = move-column-right; + "Mod+Shift+Down".action = move-window-down-or-to-workspace-down; + "Mod+Shift+Up".action = move-window-up-or-to-workspace-up; + # "Mod+Ctrl+Shift+c".action = "reload"; + # "Mod+Ctrl+Shift+r".action = "exec swarsel-displaypower"; + # "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' 
-b 'Yes, exit sway' 'swaymsg exit'"; + # "Mod+r".action = "mode resize"; + # "Mod+Return".action = "exec kitty"; + "Mod+Return".action = spawn "swarselzellij"; + "XF86AudioRaiseVolume".action = spawn "swayosd-client" "--output-volume" "raise"; + "XF86AudioLowerVolume".action = spawn "swayosd-client" "--output-volume" "lower"; + "XF86AudioMute".action = spawn "swayosd-client" "--output-volume" "mute-toggle"; + "XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness raise"; + "XF86MonBrightnessDown".action = spawn "swayosd-client" "--brightness lower"; + "XF86Display".action = spawn "wl-mirror" "eDP-1"; + "Mod+Escape".action = spawn "wlogout"; + "Mod+Equal".action = set-column-width "+10%"; + "Mod+Minus".action = set-column-width "-10%"; + + "Mod+1".action = focus-workspace 1; + "Mod+2".action = focus-workspace 2; + "Mod+3".action = focus-workspace 3; + "Mod+4".action = focus-workspace 4; + "Mod+5".action = focus-workspace 5; + "Mod+6".action = focus-workspace 6; + "Mod+7".action = focus-workspace 7; + "Mod+8".action = focus-workspace 8; + "Mod+9".action = focus-workspace 9; + "Mod+0".action = focus-workspace 0; + + "Mod+Shift+1".action = move-column-to-index 1; + "Mod+Shift+2".action = move-column-to-index 2; + "Mod+Shift+3".action = move-column-to-index 3; + "Mod+Shift+4".action = move-column-to-index 4; + "Mod+Shift+5".action = move-column-to-index 5; + "Mod+Shift+6".action = move-column-to-index 6; + "Mod+Shift+7".action = move-column-to-index 7; + "Mod+Shift+8".action = move-column-to-index 8; + "Mod+Shift+9".action = move-column-to-index 9; + "Mod+Shift+0".action = move-column-to-index 0; + }; + spawn-at-startup = [ + # { command = [ "vesktop" "--start-minimized" "--enable-speech-dispatcher" "--ozone-platform-hint=auto" "--enable-features=WaylandWindowDecorations" "--enable-wayland-ime" ]; } + # { command = [ "element-desktop" "--hidden" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland" "--disable-gpu-driver-bug-workarounds" ]; } + # { 
command = [ "anki" ]; } + # { command = [ "obsidian" ]; } + # { command = [ "nm-applet" ]; } + { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; } + ]; + workspaces = { + # "01-Main" = { + # name = "Scratchpad"; + # }; + "99-Scratchpad" = { + name = ""; + }; + }; + }; + }; + + } // { + programs.niri = lib.mkIf (!config.swarselmodules.niri) { + package = null; + config = null; + settings = null; + }; + }; + } +#+end_src + **** Gaming :PROPERTIES: :CUSTOM_ID: h:84fd7029-ecb6-4131-9333-289982f24ffa @@ -17843,13 +20558,12 @@ Akin to the [[#h:f9aa9af0-9b8d-43ff-901d-9ffccdd70589][Optional]] NixOS modules. The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming]]. #+begin_src nix-ts :tangle modules/home/optional/gaming.nix - { lib, config, pkgs, nixosConfig ? config, ... }: + { config, pkgs, confLib, ... }: let inherit (config.swarselsystems) isNixos; in { - options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; - config = lib.mkIf config.swarselmodules.optional.gaming { + config = { # specialisation = { # gaming.configuration = { home.packages = with pkgs; [ @@ -17889,7 +20603,7 @@ The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming gamescope umu-launcher ]; - steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam; + steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam; winePackages = with pkgs; [ wineWow64Packages.waylandFull ]; 
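Review bot: Three bindings in the re-added `binds` block pass a whole command line as a single argument, so niri would look for a program with that literal name: `"Mod+z".action = spawn "killall -SIGUSR1 .waybar-wrapped";` and the two `XF86MonBrightness*` entries with `"--brightness raise"` and `"--brightness lower"`. Use the `sh` helper defined at the top of the block (`"Mod+z".action = sh "killall -SIGUSR1 .waybar-wrapped";`) or split the arguments (`spawn "swayosd-client" "--brightness" "raise"`). `"Mod+Ctrl+p"` also carries the typo `"--quick-acces"`, which should read `"--quick-access"`. Separately, `lib.mkIf config.swarselmodules.niri { … } // { programs.niri = … }` applies `//` to the attribute set that `mkIf` returns. As far as I can tell the module system then never sees the trailing `programs.niri = lib.mkIf (!config.swarselmodules.niri) { … }` branch, and wrapping both parts in `lib.mkMerge [ … ]` would express the intent.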
@@ -17920,397 +20634,428 @@ When setting up a new machine: #+end_src #+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes - { self, inputs, config, pkgs, lib, vars, nixosConfig ? config, ... }: + { self, inputs, config, pkgs, lib, vars, confLib, ... }: let inherit (config.swarselsystems) homeDir mainUser; - inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses; - inherit (nixosConfig.repo.secrets.local.work) mailAddress; + inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; + inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; certsSopsFile = self + /secrets/certs/secrets.yaml; in { - options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; - config = lib.mkIf config.swarselmodules.optional.work - ({ - home = { - packages = with pkgs; [ - stable.teams-for-linux - shellcheck - dig - docker - postman - # rclone - libguestfs-with-appliance - prometheus.cli - tigervnc - # openstackclient + options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption; + config = { + home = { + packages = with pkgs; [ + stable.teams-for-linux + shellcheck + dig + docker + postman + # rclone + libguestfs-with-appliance + prometheus.cli + tigervnc + # openstackclient - vscode + vscode + dev.antigravity - rustdesk-vbc + rustdesk-vbc + ]; + sessionVariables = { + AWS_CA_BUNDLE = confLib.getConfig.sops.secrets.harica-root-ca.path; + }; + }; + systemd.user.sessionVariables = { + DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; + } // lib.optionalAttrs (!config.swarselsystems.isPublic) { + SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; + SWARSEL_MAIL_WORK = lib.mkForce mailAddress; + }; + + accounts.email.accounts.work = + let + inherit (confLib.getConfig.repo.secrets.local.work) mailName; + in + { + primary = false; + address = mailAddress; + userName = mailAddress; + realName = mailName; + passwordCommand = "pizauth show work"; + imap = { + host = "outlook.office365.com"; + port = 993; + 
tls.enable = true; # SSL/TLS + }; + smtp = { + host = "outlook.office365.com"; + port = 587; + tls = { + enable = true; # SSL/TLS + useStartTls = true; + }; + }; + thunderbird = { + enable = true; + profiles = [ "default" ]; + settings = id: { + "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth + "mail.server.server_${id}.authMethod" = 10; # oauth + # "toolkit.telemetry.enabled" = false; + # "toolkit.telemetry.rejected" = true; + # "toolkit.telemetry.prompted" = 2; + }; + }; + msmtp = { + enable = true; + extraConfig = { + auth = "xoauth2"; + host = "outlook.office365.com"; + protocol = "smtp"; + port = "587"; + tls = "on"; + tls_starttls = "on"; + from = "${mailAddress}"; + user = "${mailAddress}"; + passwordeval = "pizauth show work"; + }; + }; + mu.enable = true; + mbsync = { + enable = true; + expunge = "both"; + patterns = [ "INBOX" ]; + extraConfig = { + account = { + AuthMechs = "XOAUTH2"; + }; + }; + }; + }; + + # wayland.windowManager.sway.config = { + # output = { + # "Applied Creative Technology Transmitter QUATTRO201811" = { + # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; + # }; + # "Hewlett Packard HP Z24i CN44250RDT" = { + # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; + # }; + # "HP Inc. 
HP 732pk CNC4080YL5" = { + # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; + # }; + # }; + # }; + + wayland.windowManager.sway = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; + in + { + config = { + keybindings = + let + inherit (config.wayland.windowManager.sway.config) modifier; + in + { + "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; + "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; + }; + }; + }; + + stylix = { + targets.firefox.profileNames = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; + in + [ + "${user1}" + "${user2}" + "${user3}" + "work" ]; - sessionVariables = { - AWS_CA_BUNDLE = nixosConfig.sops.secrets.harica-root-ca.path; + }; + + programs = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; + in + { + openstackclient = { + enable = true; + inherit clouds; }; - }; - systemd.user.sessionVariables = { - DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; - } // lib.optionalAttrs (!config.swarselsystems.isPublic) { - SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; - SWARSEL_MAIL_WORK = lib.mkForce mailAddress; - }; - - accounts.email.accounts.work = - let - inherit (nixosConfig.repo.secrets.local.work) mailName; - in - { - primary = false; - address = mailAddress; - userName = mailAddress; - realName = mailName; - passwordCommand = "pizauth show work"; - imap = { - host = "outlook.office365.com"; - port = 993; - tls.enable = true; # SSL/TLS - }; - smtp = { - host = "outlook.office365.com"; - port = 587; - tls = { - enable = true; # SSL/TLS - useStartTls = true; - }; - }; - thunderbird = { - enable = true; - profiles = [ "default" ]; - settings = id: { - 
"mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth - "mail.server.server_${id}.authMethod" = 10; # oauth - # "toolkit.telemetry.enabled" = false; - # "toolkit.telemetry.rejected" = true; - # "toolkit.telemetry.prompted" = 2; - }; - }; - msmtp = { - enable = true; - extraConfig = { - auth = "xoauth2"; - host = "outlook.office365.com"; - protocol = "smtp"; - port = "587"; - tls = "on"; - tls_starttls = "on"; - from = "${mailAddress}"; - user = "${mailAddress}"; - passwordeval = "pizauth show work"; - }; - }; - mu.enable = true; - mbsync = { - enable = true; - expunge = "both"; - patterns = [ "INBOX" ]; - extraConfig = { - account = { - AuthMechs = "XOAUTH2"; - }; - }; - }; + awscli = { + enable = true; + package = pkgs.stable24_05.awscli2; + # settings = { + # "default" = { }; + # "profile s3-imagebuilder-prod" = { }; + # }; + # credentials = { + # "s3-imagebuilder-prod" = { + # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; + # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; + # }; + # }; }; + git.settings.user.email = lib.mkForce gitMail; - # wayland.windowManager.sway.config = { - # output = { - # "Applied Creative Technology Transmitter QUATTRO201811" = { - # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; - # }; - # "Hewlett Packard HP Z24i CN44250RDT" = { - # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; - # }; - # "HP Inc. 
HP 732pk CNC4080YL5" = { - # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; - # }; - # }; - # }; - - wayland.windowManager.sway = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; - in - { - config = { - keybindings = - let - inherit (config.wayland.windowManager.sway.config) modifier; - in - { - "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; - "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; - }; + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; }; - }; - - stylix = { - targets.firefox.profileNames = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - [ - "${user1}" - "${user2}" - "${user3}" - "work" + cdpath = [ + "~/Documents/Work" ]; - }; - - programs = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; - in - { - openstackclient = { - enable = true; - inherit clouds; - }; - awscli = { - enable = true; - package = pkgs.stable24_05.awscli2; - # settings = { - # "default" = { }; - # "profile s3-imagebuilder-prod" = { }; - # }; - # credentials = { - # "s3-imagebuilder-prod" = { - # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; - # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; - # }; - # }; - }; - git.settings.user.email = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - - sessionVariables 
= { - VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})"; - VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})"; - GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})"; - GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})"; - GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})"; - GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})"; - GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})"; - GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})"; - GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})"; - GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})"; - }; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; }; - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - "${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "${site1}|${site2}"; - }; - } - vars.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - vars.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } 
- vars.firefox; - work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - vars.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; + sessionVariables = { + VSPHERE_USER = "$(cat ${confLib.getConfig.sops.secrets.vcuser.path})"; + VSPHERE_PW = "$(cat ${confLib.getConfig.sops.secrets.vcpw.path})"; + GOVC_USERNAME = "$(cat ${confLib.getConfig.sops.secrets.govcuser.path})"; + GOVC_PASSWORD = "$(cat ${confLib.getConfig.sops.secrets.govcpw.path})"; + GOVC_URL = "$(cat ${confLib.getConfig.sops.secrets.govcurl.path})"; + GOVC_DATACENTER = "$(cat ${confLib.getConfig.sops.secrets.govcdc.path})"; + GOVC_DATASTORE = "$(cat ${confLib.getConfig.sops.secrets.govcds.path})"; + GOVC_HOST = "$(cat ${confLib.getConfig.sops.secrets.govchost.path})"; + GOVC_RESOURCE_POOL = "$(cat ${confLib.getConfig.sops.secrets.govcpool.path})"; + GOVC_NETWORK = "$(cat ${confLib.getConfig.sops.secrets.govcnetwork.path})"; }; }; - services = { - kanshi = { - settings = [ + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = 
"${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in { - # seminary room - output = { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - }; - } - { - # work main screen - output = { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.0; - mode = "3840x2160"; - }; - } - { - # work side screen - output = { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - }; - } - { - profile = { + "${user1}" = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "${site1}|${site2}"; + }; + } + vars.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + vars.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + vars.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + vars.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + + services = { + kanshi = { + settings = [ + { + # seminary room + output = { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + }; + } + { + # work main screen + output = { + criteria = "HP Inc. 
HP 732pk CNC4080YL5"; + scale = 1.0; + mode = "3840x2160"; + }; + } + { + # work side screen + output = { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + }; + } + { + profile = { + name = "lidopen"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.5; + position = "1462,0"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "90"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { name = "lidopen"; exec = [ "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" ]; outputs = [ { criteria = config.swarselsystems.sharescreen; status = "enable"; - scale = 1.5; - position = "1462,0"; + scale = 1.7; + position = "2560,0"; } { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; scale = 1.0; - mode = "1920x1200"; - transform = "90"; - position = "-2480,0"; + mode = "1280x720"; + position = "10000,10000"; } ]; }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in + } + { + profile = { + name = "lidclosed"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ { - name = "lidopen"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.7; - position = "2560,0"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - { - profile = { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { name = "lidclosed"; exec = [ - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" ]; outputs = [ { 
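Review bot: The `zsh.sessionVariables` block re-added here still exports `VSPHERE_PW` and `GOVC_PASSWORD` via `$(cat <sops secret path>)`, which expands at shell start-up, so every interactive shell and every process launched from it carries the vSphere credentials in its environment. Reading the secret only for the command that needs it keeps it out of unrelated child processes; for example, drop the password variables and add under `shellAliases` something like `govc = "GOVC_PASSWORD=\"$(cat ${confLib.getConfig.sops.secrets.govcpw.path})\" govc";`. The hunk also carries the commented-out `aws_access_key_id` literal onto the new side; if that key was ever live, confirm it has been rotated and remove the value from the comment. The enclosing `config` set continues into the next hunk.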
@@ -18318,272 +21063,241 @@ When setting up a new machine: status = "disable"; } { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; scale = 1.0; - mode = "1920x1200"; - transform = "270"; - position = "-2480,0"; + mode = "1280x720"; + position = "10000,10000"; } ]; }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in - { - name = "lidclosed"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - ]; - }; - }; - - systemd.user.services = { - pizauth.Service = { - ExecStartPost = [ - "${pkgs.toybox}/bin/sleep 1" - "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" - ]; - }; - - teams-applet = { - Unit = { - Description = "teams applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" - ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; - }; - }; - - onepassword-applet = { - Unit = { - Description = "1password applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" - ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs._1password-gui}/bin/1password"; - }; - }; - - }; - - 
services.pizauth = { - enable = true; - extraConfig = '' - auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; - error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; - token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; - ''; - accounts = { - work = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}"; - }; - }; - - }; - - xdg = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; - }; - }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = "Firefox ${user1}"; - exec = "firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - - - }; - }; - swarselsystems = { - startup = [ - # { command = "nextcloud --background"; } - # { command = "vesktop --start-minimized 
--enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } - # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } - # { command = "anki"; } - # { command = "obsidian"; } - # { command = "nm-applet"; } - # { command = "feishin"; } - # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } - # { command = "1password"; } + } ]; - monitors = { - work_back_middle = rec { - name = "LG Electronics LG Ultra HD 0x000305A6"; - mode = "2560x1440"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-10"; - output = name; - }; - work_front_left = rec { - name = "LG Electronics LG Ultra HD 0x0007AB45"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-7"; - output = name; - }; - work_back_right = rec { - name = "HP Inc. HP Z32 CN41212T55"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-3"; - output = name; - }; - work_middle_middle_main = rec { - name = "HP Inc. HP 732pk CNC4080YL5"; - mode = "3840x2160"; - scale = "1"; - position = "-1280,0"; - workspace = "11:M"; - # output = "DP-8"; - output = name; - }; - work_middle_middle_side = rec { - name = "Hewlett Packard HP Z24i CN44250RDT"; - mode = "1920x1200"; - transform = "270"; - scale = "1"; - position = "-2480,0"; - workspace = "12:S"; - # output = "DP-9"; - output = name; - }; - work_seminary = rec { - name = "Applied Creative Technology Transmitter QUATTRO201811"; - mode = "1280x720"; - scale = "1"; - position = "10000,10000"; # i.e. 
this screen is inaccessible by moving the mouse - workspace = "14:T"; - # output = "DP-4"; - output = name; - }; - }; - inputs = { - "1133:45081:MX_Master_2S_Keyboard" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { - # dwt = "enabled"; - # tap = "enabled"; - # natural_scroll = "enabled"; - # middle_emulation = "enabled"; - # drag_lock = "disabled"; - # }; - "1133:50504:Logitech_USB_Receiver" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - "1133:45944:MX_KEYS_S" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; + }; + }; + + systemd.user.services = { + pizauth.Service = { + ExecStartPost = [ + "${pkgs.toybox}/bin/sleep 1" + "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" + ]; + }; + + teams-applet = { + Unit = { + Description = "teams applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; }; - }; - } // lib.optionalAttrs (inputs ? 
sops) { - sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { - harica-root-ca = { - sopsFile = certsSopsFile; - path = "${homeDir}/.aws/certs/harica-root.pem"; - owner = mainUser; + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }; }; - }); + onepassword-applet = { + Unit = { + Description = "1password applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; + }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs._1password-gui}/bin/1password"; + }; + }; + + }; + + services.pizauth = { + enable = true; + extraConfig = '' + auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; + error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; + token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; + ''; + accounts = { + work = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${confLib.getConfig.repo.secrets.local.work.mailAddress}"; + }; + }; + + }; + + xdg = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; + in + { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + }; + }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + 
icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; + }; + swarselsystems = { + startup = [ + # { command = "nextcloud --background"; } + # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } + # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } + # { command = "anki"; } + # { command = "obsidian"; } + # { command = "nm-applet"; } + # { command = "feishin"; } + # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } + # { command = "1password"; } + ]; + monitors = { + work_back_middle = rec { + name = "LG Electronics LG Ultra HD 0x000305A6"; + mode = "2560x1440"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-10"; + output = name; + }; + work_front_left = rec { + name = "LG Electronics LG Ultra HD 0x0007AB45"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-7"; + output = name; + }; + work_back_right = rec { + name = "HP Inc. HP Z32 CN41212T55"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-3"; + output = name; + }; + work_middle_middle_main = rec { + name = "HP Inc. 
HP 732pk CNC4080YL5"; + mode = "3840x2160"; + scale = "1"; + position = "-1280,0"; + workspace = "11:M"; + # output = "DP-8"; + output = name; + }; + work_middle_middle_side = rec { + name = "Hewlett Packard HP Z24i CN44250RDT"; + mode = "1920x1200"; + transform = "270"; + scale = "1"; + position = "-2480,0"; + workspace = "12:S"; + # output = "DP-9"; + output = name; + }; + work_seminary = rec { + name = "Applied Creative Technology Transmitter QUATTRO201811"; + mode = "1280x720"; + scale = "1"; + position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse + workspace = "14:T"; + # output = "DP-4"; + output = name; + }; + }; + inputs = { + "1133:45081:MX_Master_2S_Keyboard" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { + # dwt = "enabled"; + # tap = "enabled"; + # natural_scroll = "enabled"; + # middle_emulation = "enabled"; + # drag_lock = "disabled"; + # }; + "1133:50504:Logitech_USB_Receiver" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + "1133:45944:MX_KEYS_S" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + }; + + }; + } // lib.optionalAttrs (inputs ? sops) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + harica-root-ca = { + sopsFile = certsSopsFile; + path = "${homeDir}/.aws/certs/harica-root.pem"; + owner = mainUser; + }; + }; + + }; } 
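Review bot: `token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"` writes pizauth's token state to a plain file created under whatever umask the service runs with, and `ExecStartPost` restores from that file on every start. With the `offline_access` scope requested, that state can include a long-lived refresh token for the mailbox. Create the file owner-only, e.g. `token_event_cmd = "umask 077; pizauth dump > ${homeDir}/.pizauth.state";`, or pipe the dump through an encryption tool before it reaches disk. Separately, `clientId` and `clientSecret` are literals here and again in the uni.nix hunk that follows. They look like a client pair published for desktop mail clients rather than a private secret, but a comment saying so (or moving them behind the existing sops secrets if they are private) would save readers and secret scanners from guessing.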
@@ -18595,29 +21309,27 @@ When setting up a new machine: :END: #+begin_src nix-ts :tangle modules/home/optional/uni.nix :noweb yes - { config, lib, nixosConfig ? config, ... }: + { confLib, ... }: { - options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings"; - config = lib.mkIf config.swarselmodules.optional.uni - { - services.pizauth = { - enable = true; - accounts = { - uni = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}"; - }; + config = { + services.pizauth = { + enable = true; + accounts = { + uni = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}"; }; }; }; + }; } #+end_src @@ -18630,10 +21342,9 @@ When setting up a new machine: This holds configuration that is specific to framework laptops. #+begin_src nix-ts :tangle modules/home/optional/framework.nix - { lib, config, ... }: + _: { - options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; - config = lib.mkIf config.swarselmodules.optional.framework { + config = { swarselsystems = { inputs = { "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = { 
@@ -18665,6 +21376,26 @@ TODO: check which of these can be replaced but builtin functions. { self, config, lib, ... }: { options.swarselsystems = { + proxyHost = lib.mkOption { + type = lib.types.str; + default = config.node.name; + }; + isBastionTarget = lib.mkOption { + type = lib.types.bool; + default = false; + }; + isCloud = lib.mkOption { + type = lib.types.bool; + default = false; + }; + isServer = lib.mkOption { + type = lib.types.bool; + default = config.swarselsystems.isCloud; + }; + isClient = lib.mkOption { + type = lib.types.bool; + default = config.swarselsystems.isLaptop; + }; withHomeManager = lib.mkOption { type = lib.types.bool; default = true; @@ -18698,7 +21429,7 @@ TODO: check which of these can be replaced but builtin functions. isBtrfs = lib.mkEnableOption "use btrfs filesystem"; sopsFile = lib.mkOption { type = lib.types.str; - default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml"; + default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml"; }; homeDir = lib.mkOption { type = lib.types.str; 
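Review bot: The five options added at the top of `options.swarselsystems` (`proxyHost`, `isBastionTarget`, `isCloud`, `isServer`, `isClient`) carry no `description`, and two of them have derived defaults that are easy to miss: `isServer` follows `isCloud` and `isClient` follows `isLaptop`. These flags presumably decide which role-specific configuration a host receives, so each should say what it switches, for example `description = "Whether this host is reached through the bastion host.";` on `isBastionTarget` (wording to be confirmed by the author). The option set continues outside the hunk.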
@@ -18987,6 +21718,43 @@ In short, the options defined here are passed to the modules systems using =_mod } #+end_src +*** Config Library (confLib) +:PROPERTIES: +:CUSTOM_ID: h:a33322d5-014a-4072-a4a5-91bc71c343b8 +:END: +#+begin_src nix-ts :noweb yes :tangle modules/shared/config-lib.nix + { config, lib, globals, nixosConfig ? null, ... }: + { + _module.args = { + confLib = rec { + + addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 else "localhost"; + + domainDefault = service: config.repo.secrets.common.services.domains.${service}; + proxyDefault = config.swarselsystems.proxyHost; + + getConfig = if nixosConfig == null then config else nixosConfig; + + gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec { + servicePort = port; + serviceName = name; + specificServiceName = "${name}-${config.node.name}"; + serviceUser = user; + serviceGroup = group; + serviceDomain = domain; + baseDomain = lib.swarselsystems.getBaseDomain domain; + subDomain = lib.swarselsystems.getSubDomain domain; + serviceDir = dir; + serviceAddress = address; + serviceProxy = proxy; + proxyAddress4 = globals.hosts.${proxy}.wanAddress4; + proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null; + }; + }; + }; + } +#+end_src + *** Packages :PROPERTIES: :CUSTOM_ID: h:64a5cc16-6b16-4802-b421-c67ccef853e1 
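Review bot: `proxyAddress4 = globals.hosts.${proxy}.wanAddress4;` in `gen` has no fallback, while the next line reads `wanAddress6 or null`, so a proxy host without an IPv4 WAN address aborts evaluation as soon as a service reads `proxyAddress4`. Either make the two lines parallel with `globals.hosts.${proxy}.wanAddress4 or null`, or keep the hard failure and say so in a comment. `confLib` also has no comments; a short header explaining that `getConfig` returns `nixosConfig` when it is passed and `config` otherwise, and that `addressDefault` is `"localhost"` when `proxyHost` equals the node name, would save readers from working it out.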
@@ -18997,6 +21765,9 @@ This is the central station for self-defined packages. These are all referenced Note: The structure of generating the packages was changed in commit =2cf03a3 refactor: package and module generation=. That commit can be checked out in order to see a simpler version of achieving the same thing. *** Packages (flake) +:PROPERTIES: +:CUSTOM_ID: h:2803e3ab-b746-46c0-bcc4-051a23185bc3 +:END: #+begin_src nix-ts :tangle pkgs/flake/default.nix { self, lib, pkgs, ... }: @@ -19086,6 +21857,9 @@ This app allows me, in conjunction with my Yubikey, to quickly enter passwords w #+end_src **** quickpass +:PROPERTIES: +:CUSTOM_ID: h:62b9c8cd-b585-4e93-8352-2bfa4a76aec9 +:END: #+begin_src shell :tangle files/scripts/quickpass.sh :mkdirp yes shopt -s nullglob globstar @@ -19679,6 +22453,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man ssh_port="22" persist_dir="" disk_encryption=0 + disk_encryption_args="" + no_disko_deps="false" temp=$(mktemp -d) function help_and_exit() { @@ -19698,6 +22474,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man echo " Default='${target_user}'." echo " --port specify the ssh port to use for remote access. Default=${ssh_port}." echo " --debug Enable debug mode." + echo " --no-disko-deps Upload only disk script and not dependencies (for use on low ram)." echo " -h | --help Print this help." exit 0 } 
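Review bot: `disk_encryption_args=""` initialises the variable as a scalar, but the later hunks assign it as an array and expand it as `"${disk_encryption_args[@]}"`. For an unencrypted host the variable keeps its initial value, and that expansion then produces one empty argument rather than none, which is handed to nixos-anywhere ahead of the real options. Initialise it as an empty array instead: `disk_encryption_args=()`. The surrounding variable block continues outside the hunk.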
@@ -19751,14 +22528,14 @@ This program sets up a new NixOS host remotely. It also takes care of secret man SOPS_FILE=".sops.yaml" sed -i "{ - # Remove any * and & entries for this host - /[*&]$key_name/ d; - # Inject a new age: entry - # n matches the first line following age: and p prints it, then we transform it while reusing the spacing - /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; - # Inject a new hosts or user: entry - /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} - }" $SOPS_FILE + # Remove any * and & entries for this host + /[*&]$key_name/ d; + # Inject a new age: entry + # n matches the first line following age: and p prints it, then we transform it while reusing the spacing + /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; + # Inject a new hosts or user: entry + /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} + }" $SOPS_FILE green "Updating .sops.yaml" cd - } @@ -19785,6 +22562,9 @@ This program sets up a new NixOS host remotely. It also takes care of secret man shift ssh_port=$1 ;; + --no-disko-deps) + no_disko_deps="true" + ;; --debug) set -x ;; @@ -19802,6 +22582,12 @@ This program sets up a new NixOS host remotely. It also takes care of secret man help_and_exit fi + LOCKED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.node.lockFromBootstrapping)" + if [[ $LOCKED == "true" ]]; then + red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING" + exit + fi + green "~SwarselSystems~ remote installer" green "Reading system information for $target_hostname ..." @@ -19812,6 +22598,11 @@ This program sets up a new NixOS host remotely. It also takes care of secret man if [[ $CRYPTED == "true" ]]; then green "Encryption: ✓" disk_encryption=1 + disk_encryption_args=( + --disk-encryption-keys + /tmp/disko-password + /tmp/disko-password + ) else red "Encryption: X" disk_encryption=0 
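Review bot: The bootstrap lock fails open: if `nix eval` errors out (attribute missing, flake not at `~/.dotfiles`), `LOCKED` is empty, the comparison with `"true"` is false and the installer carries on, unless the script runs under `set -e`, which the hunk does not show. The refusal path also ends in a bare `exit`, which returns the status of the preceding `red` call, so callers probably see success. Treat anything other than an explicit `false` as locked and exit non-zero, e.g. `if [[ $LOCKED != "false" ]]; then red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING"; exit 1; fi`.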
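Review bot: `--disk-encryption-keys /tmp/disko-password /tmp/disko-password` reads the passphrase from a fixed path in the shared `/tmp` of the machine running the installer. Where that file is written is outside the hunk; if this script creates it, it should live in a private directory made with `mktemp -d` (separate from `$temp`, which is uploaded via `--extra-files`), have mode 600, and be removed on exit. A comment naming which of the two paths is the remote one and which the local one would also help.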
@@ -19904,7 +22695,14 @@ This program sets up a new NixOS host remotely. It also takes care of secret man # ------------------------ green "Deploying minimal NixOS installation on $target_destination" - nix run github:nix-community/nixos-anywhere/1.10.0 -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination" + + if [[ $no_disko_deps == "true" ]]; then + green "Building without disko dependencies (using custom kexec)" + nix run github:nix-community/nixos-anywhere/1.10.0 -- "${disk_encryption_args[@]}" --no-disko-deps --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" --kexec "$(nix build --print-out-paths .#packages."$target_arch".swarsel-kexec)/swarsel-kexec-$target_arch.tar.gz" root@"$target_destination" + else + green "Building with disko dependencies (using nixos-images kexec)" + nix run github:nix-community/nixos-anywhere/1.10.0 -- "${disk_encryption_args[@]}" --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination" + fi echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts" ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true 
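Review bot: In the `--no-disko-deps` branch the `--kexec` argument is built from an inline `$(nix build --print-out-paths …)`; when that build fails the substitution is empty and nixos-anywhere is started with `/swarsel-kexec-$target_arch.tar.gz`, failing late and with a misleading path. Build first and stop on error: `kexec_dir="$(nix build --print-out-paths .#packages."$target_arch".swarsel-kexec)" || exit 1`, then pass `--kexec "$kexec_dir/swarsel-kexec-$target_arch.tar.gz"`. The two invocations otherwise differ only in `--no-disko-deps` and `--kexec`, so collecting the shared options in one array would keep them from drifting apart.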
@@ -19976,8 +22774,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then green "Adding ssh host fingerprints for git{lab,hub}" - $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts" - $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts" + $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts" + $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts" fi # -------------------------- @@ -20946,6 +23744,9 @@ This programs simply runs ssh-keygen on the last host that I tried to ssh into. } #+end_src **** endme +:PROPERTIES: +:CUSTOM_ID: h:abbd18a2-73ae-4ee4-8487-06fef23638bb +:END: Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session. @@ -20963,6 +23764,9 @@ Sometimes my DE crashes after putting it to suspend - to be precise, it happens #+end_src **** git-replace +:PROPERTIES: +:CUSTOM_ID: h:e1330feb-4a9b-4e6d-9d15-6d2adb5879d2 +:END: This script allows for quick git replace of a string. @@ -21036,6 +23840,9 @@ This script allows for quick git replace of a string. #+end_src *** Packages (config) +:PROPERTIES: +:CUSTOM_ID: h:c01a91b8-b751-4978-b987-733de63c8211 +:END: #+begin_src nix-ts :tangle pkgs/config/default.nix { self, homeConfig, lib, pkgs, ... }: 
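Review bot: Both rewritten lines still fill `known_hosts` on the new machine from a live `ssh-keyscan`, which accepts whatever key the network returns at install time, and `tee` without `-a` replaces any existing file. GitHub and GitLab publish their host keys, so the entries can be pinned declaratively (on NixOS via `programs.ssh.knownHosts`) or compared against the published fingerprints before they are written. If the keyscan stays, add a comment such as `# trust-on-first-use: keys are not verified against published fingerprints`.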
@@ -21052,6 +23859,9 @@ This script allows for quick git replace of a string. #+end_src **** cdr +:PROPERTIES: +:CUSTOM_ID: h:78d17941-68b3-4b36-b378-3282ae2178b8 +:END: #+begin_src nix-ts :tangle pkgs/config/cdr/default.nix @@ -21131,7 +23941,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a lowBattery = lib.mkDefault false; network = lib.mkDefault true; networkDevices = lib.mkDefault true; - niri = lib.mkDefault false; nix-ld = lib.mkDefault true; nvd = lib.mkDefault true; packages = lib.mkDefault true; @@ -21140,6 +23949,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a ppd = lib.mkDefault true; programs = lib.mkDefault true; pulseaudio = lib.mkDefault true; + remotebuild = lib.mkDefault true; security = lib.mkDefault true; sops = lib.mkDefault true; stylix = lib.mkDefault true; @@ -21207,31 +24017,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a #+end_src -**** Optionals - -#+begin_src nix-ts :tangle profiles/nixos/optionals/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; - config = lib.mkIf config.swarselprofiles.optionals { - swarselmodules = { - optional = { - gaming = lib.mkDefault true; - virtualbox = lib.mkDefault true; - nswitch-rcm = lib.mkDefault true; - }; - }; - - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - optionals = lib.mkDefault true; - }; - }; - }; - - } - -#+end_src **** Hotel :PROPERTIES: :CUSTOM_ID: h:b79fbb59-9cf2-48eb-b469-2589223dda95 
@@ -21291,87 +24076,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a #+end_src -**** Work -:PROPERTIES: -:CUSTOM_ID: h:cb3631a8-9c1b-42f2-ab01-502c7b4c273d -:END: - -#+begin_src nix-ts :tangle profiles/nixos/work/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; - config = lib.mkIf config.swarselprofiles.work { - swarselmodules = { - optional = { - work = lib.mkDefault true; - }; - }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - work = lib.mkDefault true; - }; - }; - - }; - - } - -#+end_src - -**** Uni -:PROPERTIES: -:CUSTOM_ID: h:87a83b10-3c2f-407c-89aa-922ad77748a4 -:END: - -#+begin_src nix-ts :tangle profiles/nixos/uni/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; - config = lib.mkIf config.swarselprofiles.uni { - # swarselmodules = { - # optional = { - # uni = lib.mkDefault true; - # }; - # }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - uni = lib.mkDefault true; - }; - }; - - }; - - } - -#+end_src - -**** Framework -:PROPERTIES: -:CUSTOM_ID: h:eb272c99-842a-4095-bc65-283562749300 -:END: - -#+begin_src nix-ts :tangle profiles/nixos/framework/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; - config = lib.mkIf config.swarselprofiles.framework { - swarselmodules = { - optional = { - framework = lib.mkDefault true; - }; - }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - framework = lib.mkDefault true; - }; - }; - - }; - - } - -#+end_src - **** Server :PROPERTIES: :CUSTOM_ID: h:dfc076fd-ee74-4663-b164-653370c52b75 
@@ -21409,6 +24113,9 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a #+end_src **** Router +:PROPERTIES: +:CUSTOM_ID: h:f3af356a-e732-471b-b8b3-37dcd70297d5 +:END: #+begin_src nix-ts :tangle profiles/nixos/router/default.nix :mkdirp yes { lib, config, ... }: @@ -21479,7 +24186,6 @@ This holds modules that are to be used on most hosts. These are also the most im kitty = lib.mkDefault true; mail = lib.mkDefault true; mako = lib.mkDefault true; - niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; @@ -21520,6 +24226,9 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src **** DGX Spark +:PROPERTIES: +:CUSTOM_ID: h:6d30ef28-ee26-4954-90f6-53c33dee9217 +:END: #+begin_src nix-ts :tangle profiles/home/dgxspark/default.nix :mkdirp yes { lib, config, ... }: @@ -21532,6 +24241,7 @@ This holds modules that are to be used on most hosts. These are also the most im atuin = lib.mkDefault true; autotiling = lib.mkDefault false; batsignal = lib.mkDefault false; + bash = lib.mkDefault true; blueman-applet = lib.mkDefault true; desktop = lib.mkDefault false; direnv = lib.mkDefault true; @@ -21553,7 +24263,6 @@ This holds modules that are to be used on most hosts. These are also the most im kitty = lib.mkDefault true; mail = lib.mkDefault false; mako = lib.mkDefault false; - niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; 
@@ -21592,28 +24301,6 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src -**** Optionals -:PROPERTIES: -:CUSTOM_ID: h:0554a271-f8ec-4885-b46f-2a02dfd967bd -:END: - -#+begin_src nix-ts :tangle profiles/home/optionals/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; - config = lib.mkIf config.swarselprofiles.optionals { - swarselmodules = { - optional = { - gaming = lib.mkDefault true; - uni = lib.mkDefault true; - }; - }; - }; - - } - -#+end_src - **** Minimal :PROPERTIES: :CUSTOM_ID: h:26512487-8c29-4b92-835b-d67394c3f5ef 
@@ -21690,93 +24377,6 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src -**** toto -:PROPERTIES: -:CUSTOM_ID: h:e1d4f141-af11-448a-9796-fc822a8f77ec -:END: - -#+begin_src nix-ts :tangle profiles/home/toto/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.toto = lib.mkEnableOption "is this a toto (setup) host"; - config = lib.mkIf config.swarselprofiles.toto { - swarselmodules = { - general = lib.mkDefault true; - sops = lib.mkDefault true; - ssh = lib.mkDefault true; - kitty = lib.mkDefault true; - git = lib.mkDefault true; - }; - }; - - } - -#+end_src - -**** Work -:PROPERTIES: -:CUSTOM_ID: h:7b091523-a5b0-48b6-8b03-4dc2405e2d81 -:END: - -#+begin_src nix-ts :tangle profiles/home/work/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; - config = lib.mkIf config.swarselprofiles.work { - swarselmodules = { - optional = { - work = lib.mkDefault true; - }; - }; - }; - - } - -#+end_src - -**** Uni -:PROPERTIES: -:CUSTOM_ID: h:56f509b9-3271-4212-b5ea-482dbe288bda -:END: - -#+begin_src nix-ts :tangle profiles/home/uni/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; - config = lib.mkIf config.swarselprofiles.uni { - swarselmodules = { - optional = { - uni = lib.mkDefault true; - }; - }; - }; - - } - -#+end_src - -**** Framework -:PROPERTIES: -:CUSTOM_ID: h:712b9d7f-16c0-42b3-b02b-6d79ee15cfcc -:END: - -#+begin_src nix-ts :tangle profiles/home/framework/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; - config = lib.mkIf config.swarselprofiles.framework { - swarselmodules = { - optional = { - framework = lib.mkDefault true; - }; - }; - - }; - - } - -#+end_src - **** Local Server :PROPERTIES: :CUSTOM_ID: h:8027b858-369e-4f12-bbaf-f15eeee3d904 
@@ -21943,6 +24543,9 @@ In this section I define extra functions that I need. Some of these functions I Since I am rebinding the =C-z= hotkey for emacs-evil-state toggling, I want to have a function that still lets me perform this action quickly. +We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]]. + + #+begin_src emacs-lisp ;; -*- lexical-binding: t; -*- @@ -21959,7 +24562,9 @@ Since I am rebinding the =C-z= hotkey for emacs-evil-state toggling, I want to h :CUSTOM_ID: h:1e0ee570-e509-4ecb-a3af-b75543731bb0 :END: -I often find myself bouncing between two buffers when I do not want to use a window split. This funnction simply jumps to the last used buffer. +I often find myself bouncing between two buffers when I do not want to use a window split. This function simply jumps to the last used buffer. + +We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]]. #+begin_src emacs-lisp @@ -22048,6 +24653,8 @@ The below function avoids these problems. Originally I used the function =duplic However, this function does not work on regions. Later, I found a solution implemented by [[https://github.com/bbatsov/crux][crux]]. I do not need the whole package, so I just extracted the three functions I needed from it. +We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]]. + #+begin_src emacs-lisp (defun crux-get-positions-of-line-or-region () 
@@ -22215,6 +24822,13 @@ This function was found here: [[https://www.reddit.com/r/emacs/comments/re31i6/h #+end_src **** Magit: List directories using vertico/consult +:PROPERTIES: +:CUSTOM_ID: h:1f8bfddf-a12a-49c8-beaa-97baa47abb9f +:END: + +At work and when working on private projects, I often have to jump between several git repositories. This function fires up a picker that gets me to the magit overview page of that repository. + +We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]]. #+begin_src emacs-lisp @@ -22314,6 +24928,8 @@ Normally emacs cycles between three states: However, I want to be able to fold a single heading consistently. +We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]]. + #+begin_src emacs-lisp (defun org-fold-outer () 
@@ -22375,6 +24991,63 @@ These functions are used here: [[#h:5653d693-ecca-4c95-9633-66b9e3241070][Corfu] #+end_src +**** Insert link to another header in org file +:PROPERTIES: +:CUSTOM_ID: h:06e70e44-502b-4a49-8b48-63c511f1c377 +:END: + +When writing this file, I often want to refer to a different section of the file. One way to do this is to =C-x O= (consult-org-heading) to get to said heading, then =C=c s= (org-store-link), finally =C-o= (evil-jump-backward) to get back to the origin and insert the link using =C-c C-l= (org-insert-link). + +These two scripts just let me do all of this in one step. I have styled the picker in a way that is similar to consult-org-heading. + +We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]]. + +#+begin_src emacs-lisp + + (defun swarsel/org-colorize-outline (parents raw) + (let* ((palette ["#58B6ED" "#8BD49C" "#33CED8" "#4B9CCC" + "yellow" "orange" "salmon" "red"]) + (n (length parents)) + (colored-parents + (cl-mapcar + (lambda (p i) + (propertize p 'face `(:foreground ,(aref palette (mod i (length palette))) :weight bold))) + parents + (number-sequence 0 (1- n))))) + (concat + (when parents + (string-join colored-parents "/")) + (when parents "/") + (propertize raw 'face `(:foreground ,(aref palette (mod n (length palette))) + :weight bold))))) + + (defun swarsel/org-insert-link-to-heading () + (interactive) + (let ((candidates '())) + (org-map-entries + (lambda () + (let* ((raw (org-get-heading t t t t)) + (parents (org-get-outline-path t)) + (m (copy-marker (point))) + (colored (swarsel/org-colorize-outline parents raw))) + (push (cons colored m) candidates)))) + + (let* ((choice (completing-read "Heading: " (mapcar #'car candidates))) + (marker (cdr (assoc choice candidates))) + id raw-heading) + (unless marker + (user-error "No marker for heading??")) + + (save-excursion + (goto-char marker) + (setq id (prot-org--id-get)) + (setq raw-heading (org-get-heading t t t t))) + + (insert 
(org-link-make-string (format "#%s" id) + raw-heading))))) + +#+end_src + *** Custom Keybindings :PROPERTIES: :CUSTOM_ID: h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5 @@ -22484,6 +25157,7 @@ I also define some keybinds to some combinations directly. Those are used mostly "" 'swarsel/last-buffer "M-\\" 'indent-region "M-r" 'swarsel/consult-magit-repos + "M-i" 'swarsel/org-insert-link-to-heading "" 'yank "" 'kill-region "" 'kill-ring-save @@ -22501,19 +25175,19 @@ I also define some keybinds to some combinations directly. Those are used mostly :CUSTOM_ID: h:07951589-54ba-4e3e-bd7b-4106cd22ff6a :END: -In this section I setup some aliases that I use for various directories on my system. Some of these are actually used for magit repository finding etc., but many of them serve no real use and I need to clean this up someday. +In this section I setup some aliases that I use for various directories on my system. This is just to prevent setting the same stuff too often. #+begin_src emacs-lisp ;; set Nextcloud directory for journals etc. (setq swarsel-emacs-directory "~/.emacs.d" - swarsel-dotfiles-directory "~/.dotfiles" + swarsel-dotfiles-directory (getenv "FLAKE") swarsel-swarsel-org-filepath (expand-file-name "SwarselSystems.org" swarsel-dotfiles-directory) swarsel-tasks-org-file "Tasks.org" swarsel-archive-org-file "Archive.org" - swarsel-work-projects-directory "~/Documents/Work" - swarsel-private-projects-directory "~/Documents/Private" + swarsel-work-projects-directory (getenv "DOCUMENT_DIR_WORK") + swarsel-private-projects-directory (getenv "DOCUMENT_DIR_PRIV") ) #+end_src @@ -22589,7 +25263,7 @@ Here I set up some things that are too minor to put under other categories. ;; use UTF-8 everywhere (set-language-environment "UTF-8") - (profiler-start 'cpu) + ;; (profiler-start 'cpu) ;; set default font size (defvar swarsel/default-font-size 130) (setq swarsel-standard-font "FiraCode Nerd Font Mono" 
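Review bot: Neither `swarsel/org-colorize-outline` nor `swarsel/org-insert-link-to-heading` has a docstring, and the interactive one depends on `prot-org--id-get`, which is not defined in this hunk. Suggested docstrings: `"Return PARENTS and RAW joined by \"/\", each outline level in its own palette colour."` and `"Prompt for a heading in the current buffer and insert a #id link to it at point."`. Headings that share the same outline path and title produce identical candidates, so `assoc` always returns the one visited last; if that can occur in this file, disambiguate the candidate string. The prose above the block also has `=C=c s=` where `=C-c s=` is presumably meant.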
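Review bot: `(getenv "FLAKE")`, `(getenv "DOCUMENT_DIR_WORK")` and `(getenv "DOCUMENT_DIR_PRIV")` return nil when the variable is not set, for instance when Emacs is started outside the session that exports them. With a nil `swarsel-dotfiles-directory`, `expand-file-name` resolves `SwarselSystems.org` against the current `default-directory`, so the path silently points somewhere else. Keep the old values as fallbacks, e.g. `swarsel-dotfiles-directory (or (getenv "FLAKE") "~/.dotfiles")`, and likewise for the two project directories.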
@@ -22886,6 +25560,8 @@ This minor-mode adds functionality for doing better surround-commands; for examp :CUSTOM_ID: h:df6729b6-2135-4070-bcab-a6a26f0fb2c4 :END: +This makes it so that when setting a mark in evil mode (using =m =), it creates a visual marker at that place that reminds me what the key for that marker position is (the marker is of course not part of the text of the document, and is hence not saved). + #+begin_src emacs-lisp (use-package evil-visual-mark-mode @@ -22913,11 +25589,12 @@ This adds support for tree-sitter objects. This allows for the following chords: (define-key evil-outer-text-objects-map "a" (evil-textobj-tree-sitter-get-textobj ("if_statement.outer" "conditional.outer" "loop.outer") '((python-mode . ((if_statement.outer) @if_statement.outer)) (python-ts-mode . ((if_statement.outer) @if_statement.outer))))) #+end_src -**** evil-textobj-tree-sitter +**** evil-numbers :PROPERTIES: :CUSTOM_ID: h:06002ad2-686a-42c5-82d7-61f1340e262d :END: +A very simple package that brings back the vim possibility of incrementing/decrementing numbers. I do not need it often, but it is nice to have. #+begin_src emacs-lisp @@ -22929,7 +25606,7 @@ This adds support for tree-sitter objects. This allows for the following chords: :CUSTOM_ID: h:e888d7a7-1755-4109-af11-5358b8cf140e :END: -This should setup a wordlist that can be used as a dictionary. However, for some reason this does not work, and I will need to further investigate this issue. +This sets up a wordlist that is, for example, used in completions. When coding, I do not really need this, but it is sometimes useful when writing prose. #+begin_src emacs-lisp @@ -22996,7 +25673,7 @@ This section loads the base icons used in my configuration. I am using =nerd-ico Used in: - [[#h:b190d512-bfb5-42ec-adec-8d86bab726ce][Vertico and friends]] -- [[#h:5653d693-ecca-4c95-9633-66b9e3241070][IN USE Corfu]] +- [[#h:5653d693-ecca-4c95-9633-66b9e3241070][Corfu]] #+begin_src emacs-lisp 
@@ -23027,9 +25704,9 @@ This minor mode allows mixing fixed and variable pitch fonts within the same buf :CUSTOM_ID: h:ed585848-875a-4673-910c-d2e1901dd95b :END: -Here I set up the modeline with some information that I find useful. Specficially I am using the doom modeline. Most informations I disable for it, except for the cursor information (row + column) as well as a widget for =mu4e= and git information. +Here I set up the modeline with some information that I find useful. I was using the doom modeline for a while. Most informations I disabled for it, except for the cursor information (row + column) as well as a widget for =mu4e= and git information. -I have currently disabled this in favor of [[#h:80ed2431-9c9a-4bfc-a3c0-08a2a058d208][mini-modeline]]. +I have currently disabled this in favor of [[#h:80ed2431-9c9a-4bfc-a3c0-08a2a058d208][mini-modeline]], which saves more screen space and holds only the information I really need. #+begin_src emacs-lisp @@ -23049,7 +25726,16 @@ I have currently disabled this in favor of [[#h:80ed2431-9c9a-4bfc-a3c0-08a2a058 :CUSTOM_ID: h:80ed2431-9c9a-4bfc-a3c0-08a2a058d208 :END: -I have found that the doom-modeline, while very useful, consumes too much screen space for my liking. This modeline takes a more minimalistic approach. +I have found that the doom-modeline, while very useful, consumes too much screen space for my liking. This modeline takes a more minimalistic approach. The only information that is shown is: + +- the line number +- state of the file (whether it is saved etc.) +- the name of the file +- the percentage of the cursor in the file +- the major mode of the file +- the current evil mode + +This is really the perfect solution for me, but it might not be for everyone. #+begin_src emacs-lisp 
@@ -23091,21 +25777,16 @@ I have found that the doom-modeline, while very useful, consumes too much screen :CUSTOM_ID: h:b190d512-bfb5-42ec-adec-8d86bab726ce :END: -This set of packages uses the default emacs completion framework and works together to provide a very nice user experience: +This set of packages uses the default emacs completion framework and works together to provide a very nice user experience. -- Vertico simply provides a vertically stacking completion -- Marginalia adds more information to completion results -- Orderless allows for fuzzy matching -- Consult provides better implementations for several user functions, e.g. =consult-line= or =consult-outline= -- Embark allows acting on the results in the minibuffer while the completion is still ongoing - this is extremely useful since it allows to, for example, read the documentation for several functions without closing the help search. It can also collect the results of a grep operation into a seperate buffer that edits the result in their original location. - -Nerd icons is originally enabled here: [[#h:eb0ea526-a83a-4664-b3a1-2b40d3a31493][Icons]] ***** vertico :PROPERTIES: :CUSTOM_ID: h:d7c7f597-f870-4e01-8f7e-27dd31dd245d :END: +Vertico simply provides a vertically stacking completion framework. + #+begin_src emacs-lisp (setq read-buffer-completion-ignore-case t @@ -23148,6 +25829,8 @@ This package allows for =Ido=-like directory navigation. :CUSTOM_ID: h:211fc0bd-0d64-4577-97d8-6abc94435f04 :END: +Orderless allows for fuzzy matching. + When first installing orderless, I often times faced the problem, that when editing long files and calling =consult-line=, Emacs would hang when changing a search term in the middle (e.g. from =servicse.xserver= to =servic.xserver= in order to fix the typo). The below orderless rules have a more strict matching that has a positive impact on performance. #+begin_src emacs-lisp 
@@ -23175,6 +25858,7 @@ When first installing orderless, I often times faced the problem, that when edit :PROPERTIES: :CUSTOM_ID: h:49ab82bf-812d-4fbe-a5b6-d3ad703fe32c :END: +Consult provides better implementations for several user functions, e.g. =consult-line= or =consult-outline=. The big winner here are the convenient keybinds being setup here for general use. Also, I setup vim-navigation for minibuffer completions. =consult-buffer= is set twice because I am still used to that weird =C-M-j= command that I chose for =ivy-switch-buffer= when I first started using Emacs. I want to move to the other command but for now it is not feasible to delete the other one. @@ -23202,6 +25886,7 @@ The big winner here are the convenient keybinds being setup here for general use :PROPERTIES: :CUSTOM_ID: h:1c564ee5-ccd7-48be-b69a-d963400c4704 :END: +Embark allows acting on the results in the minibuffer while the completion is still ongoing - this is extremely useful since it allows to, for example, read the documentation for several functions without closing the help search. It can also collect the results of a grep operation into a seperate buffer that edits the result in their original location. I have stripped down the embark keybinds heavily. It is very useful to me even in it's current state, but it quickly becomes overwhelming. =embark-dwim= acts on a candidate without closing the minibuffer, which is very useful. =embark-act= lets the user choose from all actions, but has an overwhelming interface. 
@@ -23244,6 +25929,7 @@ Provides previews for embark. :PROPERTIES: :CUSTOM_ID: h:f32040a4-882f-4e6b-97f1-a0105c44c034 :END: +Marginalia adds more information to completion results. I set the annotation-mode of marginalia to =heavy=. This gives even more information on the stuff that you are looking at. One thing I am missing from ivy is the highlighting on =mode=-commands based on the current state of the mode. Also, I do not understand all the shorthands used by marginalia yet. @@ -23264,6 +25950,7 @@ I set the annotation-mode of marginalia to =heavy=. This gives even more informa :END: As stated above, this simply provides nerd-icons to the completion framework. +It is originally enabled here: [[#h:eb0ea526-a83a-4664-b3a1-2b40d3a31493][Icons]] #+begin_src emacs-lisp @@ -23397,6 +26084,8 @@ This places little angled indicators on the fringe of a window which indicate bu This defines the authentication sources used by =org-calfw= ([[#h:c760f04e-622f-4b3e-8916-53ca8cce6edc][Calendar]]) and [[#h:1a8585ed-d9f2-478f-a132-440ada1cde2c][Forge]]. +This file is written using home-manager [[#h:d87d80fd-2ac7-4f29-b338-0518d06b4deb][sops]] in [[#h:c05d1b64-7110-4151-b436-46bc447113b4][Home-manager: Emacs]] + #+begin_src emacs-lisp ;; (setq auth-sources '( "~/.emacs.d/.caldav" "~/.emacs.d/.authinfo.gpg") @@ -23681,7 +26370,9 @@ This just makes org-mode a little bit more beautiful, mostly by making the =begi :CUSTOM_ID: h:4e11a845-a7bb-4eb5-b4ce-5b2f52e07425 :END: -Recently I have grown fond of holding presentations using Emacs :) +Recently I have grown fond of holding presentations using Emacs. + +When holding presentations, I think it is important to not have too many distractions on your slides. org-present just shows a plain background, is very responsive, and it is still an org buffer (so you can e.g. run source block codes while in the presentation). #+begin_src emacs-lisp 
@@ -23790,6 +26481,11 @@ Recently I have grown fond of holding presentations using Emacs :) #+end_src **** Render markdown blocks as body to expand noweb blocks +:PROPERTIES: +:CUSTOM_ID: h:d4137200-7f91-43d9-9550-e0b6bfda1683 +:END: + +I have written this function to allow me to get a preview of the information that is gathered throughout the file and aggregated in [[#h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a][Manual steps when setting up a new machine]]. Normally, running a markdown source block does nothing in Emacs. Hence, I just let it return the output, which inserts the noweb-ref blocks. #+begin_src emacs-lisp (defun org-babel-execute:markdown (body params) @@ -23801,7 +26497,9 @@ Recently I have grown fond of holding presentations using Emacs :) :CUSTOM_ID: h:406c2ecc-0e3e-4d9f-9ae3-3eb1f8b87d1b :END: -This adds a rudimentary nix-mode to Emacs. I have not really tried this out, as I am mostly editing nix-files in org-mode anyways. +This adds a nix mode to Emacs. This has become increasingly useful since I have added [[#h:cd552ba1-4db1-4605-8ead-4fcb6a466826][lsp-mode in org-src blocks]], because since that time, I am now able to actually make use of major modes while I theoretically stay in org-mode. + +It supports all functions that I normally need. Note that getting completions for flake inputs is a bit finnicky and I am not quite fond of it yet. #+begin_src emacs-lisp @@ -23849,7 +26547,7 @@ This adds a rudimentary nix-mode to Emacs. I have not really tried this out, as :CUSTOM_ID: h:e8074881-3441-4abd-b25b-358a87e7984f :END: -This adds support for Hashicorp Configuration Language. I need this at work. +This adds support for Hashicorp Configuration Language. Used at work, it is mostly a [[#h:7834adb0-fbd3-4136-bdb7-6dbc9a083296][Terraform Mode]] that does not support autoformatting upon save. It still is nice :) #+begin_src emacs-lisp 
@@ -23864,7 +26562,7 @@ This adds support for Hashicorp Configuration Language. I need this at work. :CUSTOM_ID: h:c9e3ffd7-4fb1-4a04-8563-92ceec4b4410 :END: -This adds support for Groovy, which I specifically need to work with Jenkinsfiles. I need this at work. +This adds support for Groovy, which I specifically need to work with Jenkinsfiles. Similar to [[id:7aa9803f-b419-40fa-aafc-4bb934c8f687][HCL Mode]], it just provides some nice functions. #+begin_src emacs-lisp @@ -23879,6 +26577,8 @@ This adds support for Groovy, which I specifically need to work with Jenkinsfile :CUSTOM_ID: h:77fa79d8-81d5-46f2-82f9-8e2922538d44 :END: +This is supposed to provide auto-completion when turned on. Of course I cannot globally turn this on since it would run in any =.yaml= file then, but even when manually started, it seems to do nothing. This would be nice at work. + #+begin_src emacs-lisp @@ -23890,7 +26590,7 @@ This adds support for Groovy, which I specifically need to work with Jenkinsfile :CUSTOM_ID: h:534d8729-4422-4f0c-9ae6-d3737d4a6dd3 :END: -This adds support for Dockerfiles. I need this at work. +This adds support for Dockerfiles in a similar way to [[id:ebd53be9-c38a-4a0f-a7b4-eee30a0074fc][Jenkinsfile/Groovy]]. #+begin_src emacs-lisp @@ -23903,7 +26603,7 @@ This adds support for Dockerfiles. I need this at work. :CUSTOM_ID: h:7834adb0-fbd3-4136-bdb7-6dbc9a083296 :END: -This adds support for Terraform configuration files. I need this at work. +This adds support for Terraform configuration files. This is basically the same as the [[id:7aa9803f-b419-40fa-aafc-4bb934c8f687][HCL Mode]] mode as the languages are very similar. #+begin_src emacs-lisp 
@@ -23921,7 +26621,9 @@ This adds support for Terraform configuration files. I need this at work. :CUSTOM_ID: h:5ca7484b-b9d6-4023-88d1-a1e37d5df249 :END: -Adds functions for formatting nix code. +Adds functions for formatting nix code. I make huge use of this using the chords =C- o b= (org-babel-mark-block) and then =C- o n= (nixpkgs-fmt-region). This is what I use to keep my nix org-src-blocks formatted. However, using [[id:a67adf2f-20ce-49d6-ba6b-0341ca3d9972][org-mode: Upon-save actions (Auto-tangle, export to html, formatting)]], the resulting tangled files will be formatted in any case. + +Note that for files that are not managed using this file (which there should normally not be many of), we can still use =nix fmt= for running treefmt for formatting and checks. #+begin_src emacs-lisp @@ -23934,7 +26636,7 @@ Adds functions for formatting nix code. :CUSTOM_ID: h:489a71c4-38af-44a3-a9ef-8b1ed1ee4ac4 :END: -Adds functions for formatting shellscripts. +Adds functions for formatting shellscripts. Similarly to [[id:460a47fd-cddc-4080-9eba-6724fc63606e][nix formatting]]m I use this using the chords =C- o b= (org-babel-mark-block) and then =C- o s= (shfmt-region). This is what I use to keep shell script blocks formatted in this file. This is also handled by treefmt, but still, I want this file to stay organized as well. #+begin_src emacs-lisp @@ -23954,6 +26656,8 @@ Adds functions for formatting shellscripts. :CUSTOM_ID: h:734dc40a-a2c4-4839-b884-cb99b81aa6fe :END: +Adds a mode for markdown, specifically MultiMarkdown, which allows me to render LaTeX and other nice things. + #+begin_src emacs-lisp (setq markdown-command "pandoc") @@ -23972,6 +26676,8 @@ Adds functions for formatting shellscripts. :CUSTOM_ID: h:8d90fe51-0b32-423a-a159-4f853bc29b68 :END: +Allows me to render LaTeX just where I write it. I do not need this as much anymore, but during my studies this was very valuable to me. + #+begin_src emacs-lisp (add-hook 'markdown-mode-hook 
@@ -23987,6 +26693,8 @@ Adds functions for formatting shellscripts. :CUSTOM_ID: h:a83c5820-2016-44ae-90a0-4756bb471c01 :END: +This adds elfeed, a neat RSS reader for Emacs. I use this as a client for [[#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d][FreshRSS]]. While I read most of my feeds on my phone (using Capy Reader), it is still good to have an Emacs-native reader as well. Some time ago I was still running a separate Emacs instance on my server: [[id:0e07e2fb-adc4-4fd8-9b54-0a59338a471e][Emacs elfeed (RSS Server)]]. This instance would then sync the read feeds to other instances. This was very brittle however and is only left as a historical note. + #+begin_src emacs-lisp (use-package elfeed) @@ -24006,9 +26714,13 @@ Adds functions for formatting shellscripts. (setq elfeed-protocol-enabled-protocols '(fever)) (setq elfeed-protocol-fever-update-unread-only t) (setq elfeed-protocol-fever-fetch-category-as-tag t) - (setq elfeed-protocol-feeds '(("fever+https://Swarsel@signpost.swarsel.win" - :api-url "https://signpost.swarsel.win/api/fever.php" - :password-file "~/.emacs.d/.fever"))) + + (let ((domain (getenv "SWARSEL_RSS_DOMAIN"))) + (setq elfeed-protocol-feeds + `((,(concat "fever+https://Swarsel@" domain) + :api-url ,(concat "https://" domain "/api/fever.php") + :password-file "~/.emacs.d/.fever")))) + (define-key elfeed-show-mode-map (kbd ";") 'visual-fill-column-mode) (define-key elfeed-show-mode-map (kbd "j") 'elfeed-goodies/split-show-next) @@ -24024,7 +26736,7 @@ Adds functions for formatting shellscripts. :CUSTOM_ID: h:87453f1c-8ea5-4d0a-862d-8973d5bc5405 :END: -This is the ripgrep command for Emacs. +This is the ripgrep package for Emacs. #+begin_src emacs-lisp 
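Review bot: In the elfeed block, `(getenv "SWARSEL_RSS_DOMAIN")` returns nil when the variable is not exported to the Emacs process, and `concat` treats nil as an empty sequence. `elfeed-protocol-feeds` then silently becomes `fever+https://Swarsel@` with an `:api-url` of `https:///api/fever.php`, and the failure only shows up later as a fetch error. Guard the assignment, e.g. `(if (not domain) (display-warning 'elfeed "SWARSEL_RSS_DOMAIN is not set") (setq elfeed-protocol-feeds …))`. The same lines are tangled into `files/emacs/init.el` (hunk `@@ -1158,9 +1201,13 @@`), so the guard is needed in both places.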
@@ -24038,7 +26750,7 @@ This is the ripgrep command for Emacs. Tree-sitter is a parsing library integrated into Emacs to provide better syntax highlighting and code analysis. It generates concrete syntax trees for source code, enabling more accurate and efficient text processing. Emacs' tree-sitter integration enhances language support, offering features like incremental parsing and precise syntax-aware editing. This improves the development experience by providing robust and dynamic syntax features, making it easier for me to navigate and manipulate code. -In order to update the language grammars, run the next command below. +In order to update the language grammars, run the next command below. NOTE: since we now load =epkgs.treesit-grammars.with-all-grammars= in [[#h:c05d1b64-7110-4151-b436-46bc447113b4][Home-manager: Emacs]], we actually never run this anymore. I leave it here however for a potential future reader. For safety, I still instruct treesit to install missing grammars on the fly. #+begin_src emacs-lisp :tangle no :export both @@ -24191,7 +26903,7 @@ projectile is useful for keeping track of your git projects within Emacs. I most magit is the best git utility I have ever used - it has a beautiful interface and is very verbose. Here I mostly just setup the list of repositories that I want to expost to magit. -Also, Emacs needs a little extra love to accept my Yubikey for git commits etc. We also set that here. +Also, Emacs needs a little extra love to accept my Yubikey for git commits etc. We set that here: [[id:59df9a4c-2a1f-466b-abe2-fbb8524cd0ed][Yubikey support]]. #+begin_src emacs-lisp 
@@ -24209,7 +26921,7 @@ Also, Emacs needs a little extra love to accept my Yubikey for git commits etc. :CUSTOM_ID: h:d78709dd-4f79-441c-9166-76f61f90359a :END: -The following settings are needed to make sure emacs works for magit commits and pushes. It is not a beautiful solution since commiting uses pinentry-emacs and pushing uses pinentry-gtk2, but it works for now at least. +The following settings are needed to make sure emacs works for magit commits and pushes. It is not a beautiful solution since commiting uses pinentry-emacs and pushing uses pinentry-gtk2, but it works for now at least. This works especially well since I have switched from =pinentry-gtk3= to =pinentry-waypromt=. #+begin_src emacs-lisp @@ -24237,6 +26949,8 @@ NOTE: Make sure to configure a GitHub token before using this package! create classic token with repo; user; read:org permissions (2)machine api.github.com login USERNAME^forge password 012345abcdef... + The above is handled by [[id:ebb558ed-883a-486f-a6f5-8b283eb735a3][Home-manager: Emacs]] and only here as a historical note. Forge lets me interact with non-core git objects like issues and pull requests from within emacs. + #+begin_src emacs-lisp (use-package forge @@ -24590,6 +27304,8 @@ company is now disabled since it seems that corfu runs just fine with lsp-mode a :CUSTOM_ID: h:cd552ba1-4db1-4605-8ead-4fcb6a466826 :END: +This incredible function allows to start a sub-pane in a org-file while in a source-block that spins up a lsp-server. In practise that allows me to use a nix lsp when editing complex blocks in my config. The only bother is that we have to add the modes where it should run manually to =org-babel-lang-list=, but that is a small price to pay for the usefulness that it brings. + #+begin_src emacs-lisp ;; thanks to https://tecosaur.github.io/emacs-config/config.html#lsp-support-src (cl-defmacro lsp-org-babel-enable (lang) 
@@ -24627,6 +27343,8 @@ company is now disabled since it seems that corfu runs just fine with lsp-mode a :CUSTOM_ID: h:f7bc590b-9f91-4f6a-8ffe-93e1dea90a61 :END: +This is another lsp-implementation for Emacs using multi-threading, so this should be the least blocking one. Still, in general I prefer [[#h:6cf0310b-2fdf-45f0-9845-4704649777eb][eglot]]. + #+begin_src emacs-lisp @@ -24882,6 +27600,9 @@ This adds the simple utility of sending desktop notifications whenever a new mai #+end_src **** Work: Signing Mails (S/MIME, smime) +:PROPERTIES: +:CUSTOM_ID: h:3584632a-9d6d-4ba6-8aa5-e1383581993c +:END: Used to automatically sign messages sent from my work email address using S/MIME certificate. @@ -24924,7 +27645,7 @@ This provides a beautiful calender to emacs. :init ;; set org-caldav-sync-initalization (setq swarsel-caldav-synced 0) - ;; (setq org-caldav-url "https://schedule.swarsel.win/swarsel/calendar") + ;; (setq org-caldav-url "https://cal.example.org/swarsel/calendar") ;; (setq org-caldav-calendars ;; '((:calendar-id "personal" ;; :inbox "~/Calendars/leon_cal.org"))) 
@@ -24998,59 +27719,66 @@ This sets up the =dashboard=, which is really quite useless. But, it looks cool :config (dashboard-setup-startup-hook) ;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*"))) - (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal - dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package - dashboard-set-file-icons t - dashboard-items '((recents . 5) - (projects . 5) - (agenda . 5)) - dashboard-set-footer nil - dashboard-banner-logo-title "Welcome to SwarsEmacs!" - dashboard-image-banner-max-height 300 - dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" - dashboard-projects-backend 'projectile - dashboard-projects-switch-function 'magit-status - dashboard-set-navigator t - dashboard-startupify-list '(dashboard-insert-banner - dashboard-insert-newline - dashboard-insert-banner-title - dashboard-insert-newline - dashboard-insert-navigator - dashboard-insert-newline - dashboard-insert-init-info - dashboard-insert-items - ) - dashboard-navigator-buttons - `(;; line1 - ((,"" - "SwarselSocial" - "Browse Swarsele" - (lambda (&rest _) (browse-url "instagram.com/Swarsele"))) - (,"" - "SwarselSound" - "Browse SwarselSound" - (lambda (&rest _) (browse-url "sound.swarsel.win")) ) - (,"" - "SwarselSwarsel" - "Browse Swarsel" - (lambda (&rest _) (browse-url "github.com/Swarsel")) ) - (,"" - "SwarselStash" - "Browse SwarselStash" - (lambda (&rest _) (browse-url "stash.swarsel.win")) ) - (,"󰫑" - "SwarselSport" - "Browse SwarselSports" - (lambda (&rest _) (browse-url "social.parkour.wien/@Lenno"))) - ) - ( - (,"󱄅" - "swarsel.win" - "Browse swarsel.win" - (lambda (&rest _) (browse-url "swarsel.win"))) - ) - ))) + (let ((files-domain (getenv "SWARSEL_FILES_DOMAIN")) + (music-domain (getenv "SWARSEL_MUSIC_DOMAIN")) + (insta-domain (getenv "SWARSEL_INSTA_DOMAIN")) + (sport-domain (getenv "SWARSEL_SPORT_DOMAIN")) + (swarsel-domain (getenv "SWARSEL_DOMAIN")) + ) + (setq dashboard-display-icons-p 
t ;; display icons on both GUI and terminal + dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package + dashboard-set-file-icons t + dashboard-items '((recents . 5) + (projects . 5) + (agenda . 5)) + dashboard-set-footer nil + dashboard-banner-logo-title "Welcome to SwarsEmacs!" + dashboard-image-banner-max-height 300 + dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" + dashboard-projects-backend 'projectile + dashboard-projects-switch-function 'magit-status + dashboard-set-navigator t + dashboard-startupify-list '(dashboard-insert-banner + dashboard-insert-newline + dashboard-insert-banner-title + dashboard-insert-newline + dashboard-insert-navigator + dashboard-insert-newline + dashboard-insert-init-info + dashboard-insert-items + ) + dashboard-navigator-buttons + `(;; line1 + ((,"" + "SwarselSocial" + "Browse Swarsele" + (lambda (&rest _) (browse-url ,insta-domain))) + + (,"" + "SwarselSound" + "Browse SwarselSound" + (lambda (&rest _) (browse-url ,(concat "https://" music-domain))) ) + (,"" + "SwarselSwarsel" + "Browse Swarsel" + (lambda (&rest _) (browse-url "https://github.com/Swarsel")) ) + (,"" + "SwarselStash" + "Browse SwarselStash" + (lambda (&rest _) (browse-url ,(concat "https://" files-domain))) ) + (,"󰫑" + "SwarselSport" + "Browse SwarselSports" + (lambda (&rest _) (browse-url ,sport-domain))) + ) + ( + (,"󱄅" + ,swarsel-domain + ,(concat "Browse " main-domain) + (lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain)))) + ) + )))) #+end_src 
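Review bot: The last navigator button evaluates `,(concat "Browse " main-domain)`, but the surrounding `let` binds `swarsel-domain`, not `main-domain`. Unless `main-domain` is defined elsewhere, building the backquoted list signals `void-variable` and the `setq` aborts before `dashboard-navigator-buttons` is assigned; the fix is `,(concat "Browse " swarsel-domain)`. Separately, `,insta-domain` and `,sport-domain` reach `browse-url` without the `"https://"` prefix the other buttons get, so those two variables must hold complete URLs. That deserves a comment next to the `let`, along with a fallback for unset variables, since `getenv` returns nil. The identical code is tangled into `files/emacs/init.el` (hunk `@@ -1731,59 +1778,66 @@`).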
@@ -25153,6 +27881,9 @@ This sets up the =dashboard=, which is really quite useless. But, it looks cool This sections is no longer used really. An introduction can be found in [[#h:bcc3ebbe-df8a-46bd-b42d-73aad6fc66e5][Structure of this file]] under the historical note. The little noweb-ref blocks that I still use are found in [[#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02][Hosts]] and [[#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32][Services]]. ** General steps when setting up a new machine +:PROPERTIES: +:CUSTOM_ID: h:cc04139d-e9b7-48fe-8e21-fb43aac35b88 +:END: These general steps are needed when setting up a new machine and do not fit into another block well: @@ -25162,6 +27893,9 @@ These general steps are needed when setting up a new machine and do not fit into #+end_src ** Current patches and fixes +:PROPERTIES: +:CUSTOM_ID: h:e1798163-5d88-4776-aa44-57ed2df92e45 +:END: These are current deviations from the standard settings that I take while some things are broken upstream @@ -25929,8 +28663,11 @@ This file defines a few workflows that I often need to run when working on my co sync USER HOST: rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/ - bootstrap DEST CONFIG ARCH="x86_64-linux": - nix develop .#deploy --command zsh -c "swarsel-bootstrap -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}" + secrets USER HOST: + rsync -rltv -e "ssh -l {{USER}}" /var/tmp/nix-import-encrypted/1000/ {{USER}}@{{HOST}}:/var/tmp/nix-import-encrypted/0 + + bootstrap DEST CONFIG ARCH="x86_64-linux" NODISKODEPS="": + nix develop .#deploy --command zsh -c "swarsel-bootstrap {{NODISKODEPS}} -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}" #+end_src ** aspell.conf 
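Review bot: The new `secrets` recipe copies into `/var/tmp/nix-import-encrypted/0` with `rsync -rltv`, which omits `-p`, so anything created on the remote gets the remote umask inside a world-traversable directory tree. The directory name suggests the payload is encrypted, but that is not visible here; adding `-p --chmod=D700,F600` keeps the copy private either way. In `bootstrap`, `{{NODISKODEPS}}` is spliced unquoted into the `zsh -c` string, so a comment stating that the only expected value is `--no-disko-deps` would stop other text from ending up on that command line.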
@@ -26849,8 +29586,10 @@ The double source block is intended here to circumvent a org-babel convenience w transform-origin: 0px calc(0px - var(--tab-min-height) - var(--tab-block-margin) * 2); transform: rotateX(89.9deg); } - #mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel)) ~ toolbox #urlbar[popover], - /* swarsel: removed :hover from below line */ + + :root[window-modal-open] #urlbar[popover], + #mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel), > #tab-group-editor > [panelopen]) ~ toolbox #urlbar[popover], + /* swarsel: removed :hover from below line */ #navigator-toolbox:is(:focus-within,[movingtab]) #urlbar[popover], #urlbar-container > #urlbar[popover]:is([focused],[open]){ pointer-events: auto; @@ -26858,9 +29597,11 @@ The double source block is intended here to circumvent a org-babel convenience w transition-delay: 33ms; transform: rotateX(0deg); } - #mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel)) ~ toolbox, + + :root[window-modal-open] #navigator-toolbox, + #mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel), > #tab-group-editor > [panelopen]) ~ toolbox, #navigator-toolbox:has(#urlbar:is([open],[focus-within])), - /* swarsel: removed :hover from below line */ + /* swarsel: removed :hover from below line */ #navigator-toolbox:is(:focus-within,[movingtab]){ transition-delay: 33ms !important; transform: rotateX(0); 
@@ -26869,8 +29610,7 @@ The double source block is intended here to circumvent a org-babel convenience w /* This makes things like OS menubar/taskbar show the toolbox when hovered in maximized windows. ,* Unfortunately it also means that other OS native surfaces (such as context menu on macos) ,* and other always-on-top applications will trigger toolbox to show up. */ - @media (-moz-bool-pref: "userchrome.autohide-toolbox.unhide-by-native-ui.enabled"), - -moz-pref("userchrome.autohide-toolbox.unhide-by-native-ui.enabled"){ + @media -moz-pref("userchrome.autohide-toolbox.unhide-by-native-ui.enabled"){ :root[sizemode="maximized"]:not(:hover){ #navigator-toolbox:not(:-moz-window-inactive), #urlbar[popover]:not(:-moz-window-inactive){ @@ -26900,13 +29640,9 @@ The double source block is intended here to circumvent a org-babel convenience w padding-block: calc(min(4px,(var(--urlbar-container-height) - var(--urlbar-height)) / 2) + var(--urlbar-container-padding)) !important; } - /* Uncomment this if tabs toolbar is hidden with hide_tabs_toolbar.css */ - /*#titlebar{ margin-bottom: -9px }*/ - /* Uncomment the following for compatibility with tabs_on_bottom.css - this isn't well tested though */ /* #navigator-toolbox{ flex-direction: column; display: flex; } - #titlebar{ order: 2 } ,*/ #+end_src diff --git a/files/emacs/init.el b/files/emacs/init.el index 5ada956..26d3439 100644 --- a/files/emacs/init.el +++ b/files/emacs/init.el 
@@ -236,6 +236,48 @@ create a new one." (add-hook 'minibuffer-setup-hook #'swarsel/minibuffer-setup-hook) (add-hook 'minibuffer-exit-hook #'swarsel/minibuffer-exit-hook) +(defun swarsel/org-colorize-outline (parents raw) + (let* ((palette ["#58B6ED" "#8BD49C" "#33CED8" "#4B9CCC" + "yellow" "orange" "salmon" "red"]) + (n (length parents)) + (colored-parents + (cl-mapcar + (lambda (p i) + (propertize p 'face `(:foreground ,(aref palette (mod i (length palette))) :weight bold))) + parents + (number-sequence 0 (1- n))))) + (concat + (when parents + (string-join colored-parents "/")) + (when parents "/") + (propertize raw 'face `(:foreground ,(aref palette (mod n (length palette))) + :weight bold))))) + +(defun swarsel/org-insert-link-to-heading () + (interactive) + (let ((candidates '())) + (org-map-entries + (lambda () + (let* ((raw (org-get-heading t t t t)) + (parents (org-get-outline-path t)) + (m (copy-marker (point))) + (colored (swarsel/org-colorize-outline parents raw))) + (push (cons colored m) candidates)))) + + (let* ((choice (completing-read "Heading: " (mapcar #'car candidates))) + (marker (cdr (assoc choice candidates))) + id raw-heading) + (unless marker + (user-error "No marker for heading??")) + + (save-excursion + (goto-char marker) + (setq id (prot-org--id-get)) + (setq raw-heading (org-get-heading t t t t))) + + (insert (org-link-make-string (format "#%s" id) + raw-heading))))) + ;; Make ESC quit prompts (global-set-key (kbd "") 'keyboard-escape-quit) @@ -334,6 +376,7 @@ create a new one." "" 'swarsel/last-buffer "M-\\" 'indent-region "M-r" 'swarsel/consult-magit-repos + "M-i" 'swarsel/org-insert-link-to-heading "" 'yank "" 'kill-region "" 'kill-ring-save 
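Review bot: Both new functions lack docstrings, and `swarsel/org-insert-link-to-heading` relies on `prot-org--id-get`, a double-dash (private) helper that is not defined in this hunk. Add a docstring to each, e.g. `"Insert a link to a heading of the current buffer, chosen via completion."`, and note where the helper is loaded from. The candidate alist is keyed by the colourised outline path, so two headings with the same path and title collapse into one completion entry and `assoc` returns only one of the two markers. `completing-read` is called without REQUIRE-MATCH, so free-form input only fails later at the `user-error`; `(completing-read "Heading: " (mapcar #'car candidates) nil t)` rejects it at the prompt.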
@@ -348,12 +391,12 @@ create a new one." ;; set Nextcloud directory for journals etc. (setq swarsel-emacs-directory "~/.emacs.d" - swarsel-dotfiles-directory "~/.dotfiles" + swarsel-dotfiles-directory (getenv "FLAKE") swarsel-swarsel-org-filepath (expand-file-name "SwarselSystems.org" swarsel-dotfiles-directory) swarsel-tasks-org-file "Tasks.org" swarsel-archive-org-file "Archive.org" - swarsel-work-projects-directory "~/Documents/Work" - swarsel-private-projects-directory "~/Documents/Private" + swarsel-work-projects-directory (getenv "DOCUMENT_DIR_WORK") + swarsel-private-projects-directory (getenv "DOCUMENT_DIR_PRIV") ) ;; Change the user-emacs-directory to keep unwanted things out of ~/.emacs.d @@ -384,7 +427,7 @@ create a new one." ;; use UTF-8 everywhere (set-language-environment "UTF-8") -(profiler-start 'cpu) +;; (profiler-start 'cpu) ;; set default font size (defvar swarsel/default-font-size 130) (setq swarsel-standard-font "FiraCode Nerd Font Mono" @@ -1158,9 +1201,13 @@ create a new one." (setq elfeed-protocol-enabled-protocols '(fever)) (setq elfeed-protocol-fever-update-unread-only t) (setq elfeed-protocol-fever-fetch-category-as-tag t) -(setq elfeed-protocol-feeds '(("fever+https://Swarsel@signpost.swarsel.win" - :api-url "https://signpost.swarsel.win/api/fever.php" - :password-file "~/.emacs.d/.fever"))) + +(let ((domain (getenv "SWARSEL_RSS_DOMAIN"))) + (setq elfeed-protocol-feeds + `((,(concat "fever+https://Swarsel@" domain) + :api-url ,(concat "https://" domain "/api/fever.php") + :password-file "~/.emacs.d/.fever")))) + (define-key elfeed-show-mode-map (kbd ";") 'visual-fill-column-mode) (define-key elfeed-show-mode-map (kbd "j") 'elfeed-goodies/split-show-next) 
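Review bot: `swarsel-dotfiles-directory`, `swarsel-work-projects-directory` and `swarsel-private-projects-directory` become nil whenever `FLAKE`, `DOCUMENT_DIR_WORK` or `DOCUMENT_DIR_PRIV` is missing from the environment Emacs was started with, for example a daemon launched outside the login session. `(expand-file-name "SwarselSystems.org" nil)` then resolves against `default-directory`, so `swarsel-swarsel-org-filepath` silently points into whatever directory Emacs started in. Keep the previous values as fallbacks: `swarsel-dotfiles-directory (or (getenv "FLAKE") "~/.dotfiles")`, and likewise `"~/Documents/Work"` and `"~/Documents/Private"` for the other two.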
@@ -1668,7 +1715,7 @@ create a new one." :init ;; set org-caldav-sync-initalization (setq swarsel-caldav-synced 0) - ;; (setq org-caldav-url "https://schedule.swarsel.win/swarsel/calendar") + ;; (setq org-caldav-url "https://cal.example.org/swarsel/calendar") ;; (setq org-caldav-calendars ;; '((:calendar-id "personal" ;; :inbox "~/Calendars/leon_cal.org"))) 
@@ -1731,59 +1778,66 @@ create a new one." :config (dashboard-setup-startup-hook) ;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*"))) - (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal - dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package - dashboard-set-file-icons t - dashboard-items '((recents . 5) - (projects . 5) - (agenda . 5)) - dashboard-set-footer nil - dashboard-banner-logo-title "Welcome to SwarsEmacs!" - dashboard-image-banner-max-height 300 - dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" - dashboard-projects-backend 'projectile - dashboard-projects-switch-function 'magit-status - dashboard-set-navigator t - dashboard-startupify-list '(dashboard-insert-banner - dashboard-insert-newline - dashboard-insert-banner-title - dashboard-insert-newline - dashboard-insert-navigator - dashboard-insert-newline - dashboard-insert-init-info - dashboard-insert-items - ) - dashboard-navigator-buttons - `(;; line1 - ((,"" - "SwarselSocial" - "Browse Swarsele" - (lambda (&rest _) (browse-url "instagram.com/Swarsele"))) - (,"" - "SwarselSound" - "Browse SwarselSound" - (lambda (&rest _) (browse-url "sound.swarsel.win")) ) - (,"" - "SwarselSwarsel" - "Browse Swarsel" - (lambda (&rest _) (browse-url "github.com/Swarsel")) ) - (,"" - "SwarselStash" - "Browse SwarselStash" - (lambda (&rest _) (browse-url "stash.swarsel.win")) ) - (,"󰫑" - "SwarselSport" - "Browse SwarselSports" - (lambda (&rest _) (browse-url "social.parkour.wien/@Lenno"))) - ) - ( - (,"󱄅" - "swarsel.win" - "Browse swarsel.win" - (lambda (&rest _) (browse-url "swarsel.win"))) - ) - ))) + (let ((files-domain (getenv "SWARSEL_FILES_DOMAIN")) + (music-domain (getenv "SWARSEL_MUSIC_DOMAIN")) + (insta-domain (getenv "SWARSEL_INSTA_DOMAIN")) + (sport-domain (getenv "SWARSEL_SPORT_DOMAIN")) + (swarsel-domain (getenv "SWARSEL_DOMAIN")) + ) + (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal + 
dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package + dashboard-set-file-icons t + dashboard-items '((recents . 5) + (projects . 5) + (agenda . 5)) + dashboard-set-footer nil + dashboard-banner-logo-title "Welcome to SwarsEmacs!" + dashboard-image-banner-max-height 300 + dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" + dashboard-projects-backend 'projectile + dashboard-projects-switch-function 'magit-status + dashboard-set-navigator t + dashboard-startupify-list '(dashboard-insert-banner + dashboard-insert-newline + dashboard-insert-banner-title + dashboard-insert-newline + dashboard-insert-navigator + dashboard-insert-newline + dashboard-insert-init-info + dashboard-insert-items + ) + dashboard-navigator-buttons + `(;; line1 + ((,"" + "SwarselSocial" + "Browse Swarsele" + (lambda (&rest _) (browse-url ,insta-domain))) + + (,"" + "SwarselSound" + "Browse SwarselSound" + (lambda (&rest _) (browse-url ,(concat "https://" music-domain))) ) + (,"" + "SwarselSwarsel" + "Browse Swarsel" + (lambda (&rest _) (browse-url "https://github.com/Swarsel")) ) + (,"" + "SwarselStash" + "Browse SwarselStash" + (lambda (&rest _) (browse-url ,(concat "https://" files-domain))) ) + (,"󰫑" + "SwarselSport" + "Browse SwarselSports" + (lambda (&rest _) (browse-url ,sport-domain))) + ) + ( + (,"󱄅" + ,swarsel-domain + ,(concat "Browse " main-domain) + (lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain)))) + ) + )))) (use-package vterm :ensure t) diff --git a/files/firefox/chrome/userChrome.css b/files/firefox/chrome/userChrome.css index bbe2d57..c616488 100644 --- a/files/firefox/chrome/userChrome.css +++ b/files/firefox/chrome/userChrome.css 
@@ -60,8 +60,10 @@ See the above repository for updates as well as full license text. */ transform-origin: 0px calc(0px - var(--tab-min-height) - var(--tab-block-margin) * 2); transform: rotateX(89.9deg); } -#mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel)) ~ toolbox #urlbar[popover], -/* swarsel: removed :hover from below line */ + +:root[window-modal-open] #urlbar[popover], +#mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel), > #tab-group-editor > [panelopen]) ~ toolbox #urlbar[popover], + /* swarsel: removed :hover from below line */ #navigator-toolbox:is(:focus-within,[movingtab]) #urlbar[popover], #urlbar-container > #urlbar[popover]:is([focused],[open]){ pointer-events: auto; @@ -69,9 +71,11 @@ See the above repository for updates as well as full license text. */ transition-delay: 33ms; transform: rotateX(0deg); } -#mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel)) ~ toolbox, + +:root[window-modal-open] #navigator-toolbox, +#mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel), > #tab-group-editor > [panelopen]) ~ toolbox, #navigator-toolbox:has(#urlbar:is([open],[focus-within])), -/* swarsel: removed :hover from below line */ + /* swarsel: removed :hover from below line */ #navigator-toolbox:is(:focus-within,[movingtab]){ transition-delay: 33ms !important; transform: rotateX(0); 
@@ -80,8 +84,7 @@ See the above repository for updates as well as full license text. */ /* This makes things like OS menubar/taskbar show the toolbox when hovered in maximized windows. * Unfortunately it also means that other OS native surfaces (such as context menu on macos) * and other always-on-top applications will trigger toolbox to show up. */ -@media (-moz-bool-pref: "userchrome.autohide-toolbox.unhide-by-native-ui.enabled"), - -moz-pref("userchrome.autohide-toolbox.unhide-by-native-ui.enabled"){ +@media -moz-pref("userchrome.autohide-toolbox.unhide-by-native-ui.enabled"){ :root[sizemode="maximized"]:not(:hover){ #navigator-toolbox:not(:-moz-window-inactive), #urlbar[popover]:not(:-moz-window-inactive){ @@ -111,11 +114,7 @@ See the above repository for updates as well as full license text. */ padding-block: calc(min(4px,(var(--urlbar-container-height) - var(--urlbar-height)) / 2) + var(--urlbar-container-padding)) !important; } -/* Uncomment this if tabs toolbar is hidden with hide_tabs_toolbar.css */ - /*#titlebar{ margin-bottom: -9px }*/ - /* Uncomment the following for compatibility with tabs_on_bottom.css - this isn't well tested though */ /* #navigator-toolbox{ flex-direction: column; display: flex; } -#titlebar{ order: 2 } */ diff --git a/files/scripts/swarsel-bootstrap.sh b/files/scripts/swarsel-bootstrap.sh index a59ae37..4c4fef3 100644 --- a/files/scripts/swarsel-bootstrap.sh +++ b/files/scripts/swarsel-bootstrap.sh @@ -8,6 +8,8 @@ target_user="swarsel" ssh_port="22" persist_dir="" disk_encryption=0 +disk_encryption_args="" +no_disko_deps="false" temp=$(mktemp -d) function help_and_exit() { @@ -27,6 +29,7 @@ function help_and_exit() { echo " Default='${target_user}'." echo " --port specify the ssh port to use for remote access. Default=${ssh_port}." echo " --debug Enable debug mode." + echo " --no-disko-deps Upload only disk script and not dependencies (for use on low ram)." echo " -h | --help Print this help." exit 0 } 
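Review bot: `disk_encryption_args=""` declares a scalar, but the hunk at `@@ -233,7 +250,14 @@` expands it as `"${disk_encryption_args[@]}"`. For a host without encryption that expansion yields one empty-string word, so `nixos-anywhere` receives `''` as its first argument in both branches; how it handles that is not visible here. Initialise it as an empty array instead: `disk_encryption_args=()`. The expansion then produces no words when encryption is off and the three `--disk-encryption-keys` words when it is on.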
@@ -80,14 +83,14 @@ function update_sops_file() { SOPS_FILE=".sops.yaml" sed -i "{ - # Remove any * and & entries for this host - /[*&]$key_name/ d; - # Inject a new age: entry - # n matches the first line following age: and p prints it, then we transform it while reusing the spacing - /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; - # Inject a new hosts or user: entry - /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} - }" $SOPS_FILE + # Remove any * and & entries for this host + /[*&]$key_name/ d; + # Inject a new age: entry + # n matches the first line following age: and p prints it, then we transform it while reusing the spacing + /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; + # Inject a new hosts or user: entry + /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} + }" $SOPS_FILE green "Updating .sops.yaml" cd - } @@ -114,6 +117,9 @@ while [[ $# -gt 0 ]]; do shift ssh_port=$1 ;; + --no-disko-deps) + no_disko_deps="true" + ;; --debug) set -x ;; @@ -131,6 +137,12 @@ if [[ $target_arch == "" || $target_destination == "" || $target_hostname == "" help_and_exit fi +LOCKED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.node.lockFromBootstrapping)" +if [[ $LOCKED == "true" ]]; then + red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING" + exit +fi + green "~SwarselSystems~ remote installer" green "Reading system information for $target_hostname ..." @@ -141,6 +153,11 @@ CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.sw if [[ $CRYPTED == "true" ]]; then green "Encryption: ✓" disk_encryption=1 + disk_encryption_args=( + --disk-encryption-keys + /tmp/disko-password + /tmp/disko-password + ) else red "Encryption: X" disk_encryption=0 
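Review bot: The bootstrap lock added before the installer banner fails open: if `nix eval` errors or the option is absent, `LOCKED` is empty, the `== "true"` test is false, and the installation continues. Treat everything except an explicit `false` as locked, `if [[ $LOCKED != "false" ]]; then`, assuming `lockFromBootstrapping` has a default for every host. The bare `exit` returns the status of the preceding `red` call, which is presumably 0, so the `just bootstrap` recipe reports success for a refused host; use `exit 1`. Whether `set -e` is active is not visible in this hunk.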
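Review bot: In the `CRYPTED` branch, the second `/tmp/disko-password` of `--disk-encryption-keys` is the local source file, so the disk passphrase sits under a fixed name in the shared local `/tmp`. The code that writes it is outside this hunk; if it does not create the file with mode 600 and refuse an existing one, another local account can read or pre-create it. A private directory avoids both: `key_dir=$(mktemp -d)` and `"$key_dir/disko-password"` as the local path. Do not reuse `$temp` for it, because that directory is uploaded through `--extra-files`.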
@@ -233,7 +250,14 @@ $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "$ # ------------------------ green "Deploying minimal NixOS installation on $target_destination" -nix run github:nix-community/nixos-anywhere/1.10.0 -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination" + +if [[ $no_disko_deps == "true" ]]; then + green "Building without disko dependencies (using custom kexec)" + nix run github:nix-community/nixos-anywhere/1.10.0 -- "${disk_encryption_args[@]}" --no-disko-deps --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" --kexec "$(nix build --print-out-paths .#packages."$target_arch".swarsel-kexec)/swarsel-kexec-$target_arch.tar.gz" root@"$target_destination" +else + green "Building with disko dependencies (using nixos-images kexec)" + nix run github:nix-community/nixos-anywhere/1.10.0 -- "${disk_encryption_args[@]}" --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination" +fi echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts" ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true 
@@ -305,8 +329,8 @@ $ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519 if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then green "Adding ssh host fingerprints for git{lab,hub}" - $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts" - $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts" + $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts" + $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts" fi # -------------------------- diff --git a/flake.lock b/flake.lock index 2c8ba1c..de60846 100644 --- a/flake.lock +++ b/flake.lock 
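Review bot: Both changed lines write whatever `ssh-keyscan` returns straight into `known_hosts`, so the keys for gitlab.com and github.com are trusted without being compared to anything. Whoever answers for those names during installation is then accepted for every later git fetch on the new system. Both forges publish their host keys, so the entries can be shipped as static lines from this repository instead of being scanned at install time. If the scan stays, mark it with a comment such as `# keys accepted unverified (TOFU) - compare with the fingerprints published by GitHub/GitLab`.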
@@ -35,119 +35,6 @@ "type": "github" } }, - "base16-fish_2": { - "flake": false, - "locked": { - "lastModified": 1754405784, - "narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=", - "owner": "tomyun", - "repo": "base16-fish", - "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", - "type": "github" - }, - "original": { - "owner": "tomyun", - "repo": "base16-fish", - "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", - "type": "github" - } - }, - "base16-fish_3": { - "flake": false, - "locked": { - "lastModified": 1622559957, - "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", - "owner": "tomyun", - "repo": "base16-fish", - "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", - "type": "github" - }, - "original": { - "owner": "tomyun", - "repo": "base16-fish", - "type": "github" - } - }, - "base16-fish_4": { - "flake": false, - "locked": { - "lastModified": 1622559957, - "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", - "owner": "tomyun", - "repo": "base16-fish", - "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", - "type": "github" - }, - "original": { - "owner": "tomyun", - "repo": "base16-fish", - "type": "github" - } - }, - "base16-fish_5": { - "flake": false, - "locked": { - "lastModified": 1622559957, - "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", - "owner": "tomyun", - "repo": "base16-fish", - "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", - "type": "github" - }, - "original": { - "owner": "tomyun", - "repo": "base16-fish", - "type": "github" - } - }, - "base16-fish_6": { - "flake": false, - "locked": { - "lastModified": 1622559957, - "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", - "owner": "tomyun", - "repo": "base16-fish", - "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", - "type": "github" - }, - "original": { - "owner": "tomyun", - "repo": "base16-fish", - "type": "github" - } - }, - "base16-fish_7": { - "flake": false, - "locked": { - "lastModified": 1622559957, - 
"narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", - "owner": "tomyun", - "repo": "base16-fish", - "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", - "type": "github" - }, - "original": { - "owner": "tomyun", - "repo": "base16-fish", - "type": "github" - } - }, - "base16-fish_8": { - "flake": false, - "locked": { - "lastModified": 1622559957, - "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", - "owner": "tomyun", - "repo": "base16-fish", - "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", - "type": "github" - }, - "original": { - "owner": "tomyun", - "repo": "base16-fish", - "type": "github" - } - }, "base16-helix": { "flake": false, "locked": { 
@@ -164,118 +51,6 @@ "type": "github" } }, - "base16-helix_2": { - "flake": false, - "locked": { - "lastModified": 1752979451, - "narHash": "sha256-0CQM+FkYy0fOO/sMGhOoNL80ftsAzYCg9VhIrodqusM=", - "owner": "tinted-theming", - "repo": "base16-helix", - "rev": "27cf1e66e50abc622fb76a3019012dc07c678fac", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-helix", - "type": "github" - } - }, - "base16-helix_3": { - "flake": false, - "locked": { - "lastModified": 1752979451, - "narHash": "sha256-0CQM+FkYy0fOO/sMGhOoNL80ftsAzYCg9VhIrodqusM=", - "owner": "tinted-theming", - "repo": "base16-helix", - "rev": "27cf1e66e50abc622fb76a3019012dc07c678fac", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-helix", - "type": "github" - } - }, - "base16-helix_4": { - "flake": false, - "locked": { - "lastModified": 1752979451, - "narHash": "sha256-0CQM+FkYy0fOO/sMGhOoNL80ftsAzYCg9VhIrodqusM=", - "owner": "tinted-theming", - "repo": "base16-helix", - "rev": "27cf1e66e50abc622fb76a3019012dc07c678fac", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-helix", - "type": "github" - } - }, - "base16-helix_5": { - "flake": false, - "locked": { - "lastModified": 1752979451, - "narHash": "sha256-0CQM+FkYy0fOO/sMGhOoNL80ftsAzYCg9VhIrodqusM=", - "owner": "tinted-theming", - "repo": "base16-helix", - "rev": "27cf1e66e50abc622fb76a3019012dc07c678fac", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-helix", - "type": "github" - } - }, - "base16-helix_6": { - "flake": false, - "locked": { - "lastModified": 1752979451, - "narHash": "sha256-0CQM+FkYy0fOO/sMGhOoNL80ftsAzYCg9VhIrodqusM=", - "owner": "tinted-theming", - "repo": "base16-helix", - "rev": "27cf1e66e50abc622fb76a3019012dc07c678fac", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-helix", - "type": "github" - } - }, - "base16-helix_7": { - "flake": false, - 
"locked": { - "lastModified": 1748408240, - "narHash": "sha256-9M2b1rMyMzJK0eusea0x3lyh3mu5nMeEDSc4RZkGm+g=", - "owner": "tinted-theming", - "repo": "base16-helix", - "rev": "6c711ab1a9db6f51e2f6887cc3345530b33e152e", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-helix", - "type": "github" - } - }, - "base16-helix_8": { - "flake": false, - "locked": { - "lastModified": 1748408240, - "narHash": "sha256-9M2b1rMyMzJK0eusea0x3lyh3mu5nMeEDSc4RZkGm+g=", - "owner": "tinted-theming", - "repo": "base16-helix", - "rev": "6c711ab1a9db6f51e2f6887cc3345530b33e152e", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-helix", - "type": "github" - } - }, "base16-vim": { "flake": false, "locked": { 
@@ -293,251 +68,6 @@ "type": "github" } }, - "base16-vim_2": { - "flake": false, - "locked": { - "lastModified": 1732806396, - "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=", - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - } - }, - "base16-vim_3": { - "flake": false, - "locked": { - "lastModified": 1732806396, - "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=", - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - } - }, - "base16-vim_4": { - "flake": false, - "locked": { - "lastModified": 1732806396, - "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=", - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - } - }, - "base16-vim_5": { - "flake": false, - "locked": { - "lastModified": 1732806396, - "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=", - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - } - }, - "base16-vim_6": { - "flake": false, - "locked": { - "lastModified": 1732806396, - "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=", - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": 
"577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - } - }, - "base16-vim_7": { - "flake": false, - "locked": { - "lastModified": 1732806396, - "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=", - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - } - }, - "base16-vim_8": { - "flake": false, - "locked": { - "lastModified": 1732806396, - "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=", - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-vim", - "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", - "type": "github" - } - }, - "base16_2": { - "inputs": { - "fromYaml": "fromYaml_2" - }, - "locked": { - "lastModified": 1755819240, - "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", - "owner": "SenchoPens", - "repo": "base16.nix", - "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "base16.nix", - "type": "github" - } - }, - "base16_3": { - "inputs": { - "fromYaml": "fromYaml_3" - }, - "locked": { - "lastModified": 1755819240, - "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", - "owner": "SenchoPens", - "repo": "base16.nix", - "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "base16.nix", - "type": "github" - } - }, - "base16_4": { - "inputs": { - "fromYaml": "fromYaml_4" - }, - "locked": { - "lastModified": 1755819240, - "narHash": 
"sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", - "owner": "SenchoPens", - "repo": "base16.nix", - "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "base16.nix", - "type": "github" - } - }, - "base16_5": { - "inputs": { - "fromYaml": "fromYaml_5" - }, - "locked": { - "lastModified": 1755819240, - "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", - "owner": "SenchoPens", - "repo": "base16.nix", - "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "base16.nix", - "type": "github" - } - }, - "base16_6": { - "inputs": { - "fromYaml": "fromYaml_6" - }, - "locked": { - "lastModified": 1746562888, - "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", - "owner": "SenchoPens", - "repo": "base16.nix", - "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "base16.nix", - "type": "github" - } - }, - "base16_7": { - "inputs": { - "fromYaml": "fromYaml_7" - }, - "locked": { - "lastModified": 1746562888, - "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", - "owner": "SenchoPens", - "repo": "base16.nix", - "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "base16.nix", - "type": "github" - } - }, - "base16_8": { - "inputs": { - "fromYaml": "fromYaml_8" - }, - "locked": { - "lastModified": 1746562888, - "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", - "owner": "SenchoPens", - "repo": "base16.nix", - "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "base16.nix", - "type": "github" - } - }, "blank": { "locked": { "lastModified": 1625557891, 
@@ -553,133 +83,29 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "crane": { "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", + "lastModified": 1763938834, + "narHash": "sha256-j8iB0Yr4zAvQLueCZ5abxfk6fnG/SJ5JnGUziETjwfg=", "owner": "ipetkov", "repo": "crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_10": { - "locked": { - "lastModified": 1750266157, - "narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=", - "owner": "ipetkov", - "repo": "crane", - "rev": "e37c943371b73ed87faf33f7583860f81f1d5a48", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_11": { - "locked": { - "lastModified": 1750266157, - "narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=", - "owner": "ipetkov", - "repo": "crane", - "rev": "e37c943371b73ed87faf33f7583860f81f1d5a48", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_12": { - "locked": { - "lastModified": 1750266157, - "narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=", - "owner": "ipetkov", - "repo": "crane", - "rev": "e37c943371b73ed87faf33f7583860f81f1d5a48", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_13": { - "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", - "owner": "ipetkov", - "repo": 
"crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_14": { - "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", - "owner": "ipetkov", - "repo": "crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_15": { - "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", - "owner": "ipetkov", - "repo": "crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_16": { - "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", - "owner": "ipetkov", - "repo": "crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_17": { - "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", - "owner": "ipetkov", - "repo": "crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", + "rev": "d9e753122e51cee64eb8d2dddfe11148f339f5a2", "type": "github" }, "original": { @@ -690,8 +116,8 @@ }, "crane_2": { "inputs": { - "flake-compat": "flake-compat_4", - "flake-utils": "flake-utils_5", + "flake-compat": "flake-compat_5", + "flake-utils": "flake-utils_7", "nixpkgs": [ "nixos-extra-modules", "nixt", 
@@ -730,340 +156,16 @@ "type": "github" } }, - "crane_4": { - "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", - "owner": "ipetkov", - "repo": "crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_5": { - "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", - "owner": "ipetkov", - "repo": "crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_6": { - "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", - "owner": "ipetkov", - "repo": "crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_7": { - "locked": { - "lastModified": 1754269165, - "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", - "owner": "ipetkov", - "repo": "crane", - "rev": "444e81206df3f7d92780680e45858e31d2f07a08", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_8": { - "locked": { - "lastModified": 1750266157, - "narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=", - "owner": "ipetkov", - "repo": "crane", - "rev": "e37c943371b73ed87faf33f7583860f81f1d5a48", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_9": { - "locked": { - "lastModified": 1750266157, - "narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=", - "owner": "ipetkov", - "repo": "crane", - "rev": "e37c943371b73ed87faf33f7583860f81f1d5a48", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - 
"type": "github" - } - }, "devshell": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1741473158, - "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", + "lastModified": 1762521437, + "narHash": "sha256-RXN+lcx4DEn3ZS+LqEJSUu/HH+dwGvy0syN7hTo/Chg=", "owner": "numtide", "repo": "devshell", - "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_10": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728330715, - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", - "owner": "numtide", - "repo": "devshell", - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_11": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741473158, - "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", - "owner": "numtide", - "repo": "devshell", - "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_12": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728330715, - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", - "owner": "numtide", - "repo": "devshell", - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_13": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] 
- }, - "locked": { - "lastModified": 1741473158, - "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", - "owner": "numtide", - "repo": "devshell", - "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_14": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728330715, - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", - "owner": "numtide", - "repo": "devshell", - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_15": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741473158, - "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", - "owner": "numtide", - "repo": "devshell", - "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_16": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728330715, - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", - "owner": "numtide", - "repo": "devshell", - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_17": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741473158, - "narHash": 
"sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", - "owner": "numtide", - "repo": "devshell", - "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_18": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728330715, - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", - "owner": "numtide", - "repo": "devshell", - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", + "rev": "07bacc9531f5f4df6657c0a02a806443685f384a", "type": "github" }, "original": { 
@@ -1143,297 +245,16 @@ "type": "github" } }, - "devshell_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741473158, - "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", - "owner": "numtide", - "repo": "devshell", - "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728330715, - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", - "owner": "numtide", - "repo": "devshell", - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741473158, - "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", - "owner": "numtide", - "repo": "devshell", - "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_8": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728330715, - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", - "owner": "numtide", - "repo": "devshell", - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_9": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741473158, - "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", - "owner": "numtide", - "repo": "devshell", - "rev": 
"7c9e793ebe66bcba8292989a68c0419b737a22a0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, "disko": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1761899396, - "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=", + "lastModified": 1763651264, + "narHash": "sha256-8vvwZbw0s7YvBMJeyPVpWke6lg6ROgtts5N2/SMCcv4=", "owner": "nix-community", "repo": "disko", - "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "disko_2": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758287904, - "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=", - "owner": "nix-community", - "repo": "disko", - "rev": "67ff9807dd148e704baadbd4fd783b54282ca627", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "disko_3": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758287904, - "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=", - "owner": "nix-community", - "repo": "disko", - "rev": "67ff9807dd148e704baadbd4fd783b54282ca627", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "disko_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758287904, - "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=", - "owner": "nix-community", - "repo": "disko", - "rev": "67ff9807dd148e704baadbd4fd783b54282ca627", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "disko_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - 
"swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1757508292, - "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=", - "owner": "nix-community", - "repo": "disko", - "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "disko_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1753140376, - "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", - "owner": "nix-community", - "repo": "disko", - "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "disko_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751854533, - "narHash": "sha256-U/OQFplExOR1jazZY4KkaQkJqOl59xlh21HP9mI79Vc=", - "owner": "nix-community", - "repo": "disko", - "rev": "16b74a1e304197248a1bc663280f2548dbfcae3c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "disko_8": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751854533, - "narHash": "sha256-U/OQFplExOR1jazZY4KkaQkJqOl59xlh21HP9mI79Vc=", - "owner": "nix-community", - "repo": "disko", - "rev": "16b74a1e304197248a1bc663280f2548dbfcae3c", + "rev": "e86a89079587497174ccab6d0d142a65811a4fd9", "type": "github" }, "original": { 
@@ -1474,11 +295,28 @@ "type": "github" } }, + "dns": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1759510210, + "narHash": "sha256-rR3BuhcSyQ3bQ0rS14I53O7gWzlPEs15skl1TWx+TeI=", + "owner": "kirelagin", + "repo": "dns.nix", + "rev": "f3cb11f642d4fa6224e2b1ddfd2c3ba42e9ffea2", + "type": "github" + }, + "original": { + "owner": "kirelagin", + "repo": "dns.nix", + "type": "github" + } + }, "emacs-overlay": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ], + "nixpkgs": "nixpkgs_4", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { 
@@ -1497,184 +335,9 @@ "type": "github" } }, - "emacs-overlay_2": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_4" - }, - "locked": { - "lastModified": 1760432944, - "narHash": "sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "aba8daa237dc07a3bb28a61c252a718e8eb38057", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "type": "github" - } - }, - "emacs-overlay_3": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_7" - }, - "locked": { - "lastModified": 1759770590, - "narHash": "sha256-ex/JTut0wrrVHFWwNIuBAlnR71R7dletYxcJEH9NYAw=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "4e4ed8f8beda9d47887cf4411720cb8a83a43e90", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "type": "github" - } - }, - "emacs-overlay_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_10" - }, - "locked": { - "lastModified": 1758705066, - "narHash": "sha256-CFVYMyz/p4c/w0E2BLz/dCmjl4zfJRUS+ERUJmaZj+E=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "d8da68a0986380aca8ee9d277dfc4bcb0761a278", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "type": "github" - } - }, - "emacs-overlay_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_13" - }, - "locked": { - "lastModified": 1757927471, - "narHash": "sha256-odfHgmioy0yGxiAFTnAq7SMYTLUv1JApKES5i2KfS4c=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "6302a8a5904203bc18532e71b3d61f4b324d20fb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "type": "github" - } - 
}, - "emacs-overlay_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_16" - }, - "locked": { - "lastModified": 1754705618, - "narHash": "sha256-JYwLLpnzJz0+ihJrwZUTAodx2+iBPWfnmfhJy3lpSw4=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "c5aea4616a2c482eb3f1765f90de9771ba1d134a", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "type": "github" - } - }, - "emacs-overlay_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_19" - }, - "locked": { - "lastModified": 1751908357, - "narHash": "sha256-7JeYhMYTdfzHsFfGZRUM+t0nx4HdYa3oaMH2B/qz9MA=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "8e4ecd7c43c5e061dd2fc4d9d1994ec4d67cab2e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "type": "github" - } - }, - "emacs-overlay_8": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_21" - }, - "locked": { - "lastModified": 1751908357, - "narHash": "sha256-7JeYhMYTdfzHsFfGZRUM+t0nx4HdYa3oaMH2B/qz9MA=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "8e4ecd7c43c5e061dd2fc4d9d1994ec4d67cab2e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "type": "github" - } - }, "fenix": { "inputs": { - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_14", "rust-analyzer-src": "rust-analyzer-src" }, "locked": { 
@@ -1707,118 +370,6 @@ "type": "github" } }, - "firefox-gnome-theme_2": { - "flake": false, - "locked": { - "lastModified": 1758112371, - "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", - "type": "github" - }, - "original": { - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "type": "github" - } - }, - "firefox-gnome-theme_3": { - "flake": false, - "locked": { - "lastModified": 1758112371, - "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", - "type": "github" - }, - "original": { - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "type": "github" - } - }, - "firefox-gnome-theme_4": { - "flake": false, - "locked": { - "lastModified": 1756083905, - "narHash": "sha256-UqYGTBgI5ypGh0Kf6zZjom/vABg7HQocB4gmxzl12uo=", - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "rev": "b655eaf16d4cbec9c3472f62eee285d4b419a808", - "type": "github" - }, - "original": { - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "type": "github" - } - }, - "firefox-gnome-theme_5": { - "flake": false, - "locked": { - "lastModified": 1756083905, - "narHash": "sha256-UqYGTBgI5ypGh0Kf6zZjom/vABg7HQocB4gmxzl12uo=", - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "rev": "b655eaf16d4cbec9c3472f62eee285d4b419a808", - "type": "github" - }, - "original": { - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "type": "github" - } - }, - "firefox-gnome-theme_6": { - "flake": false, - "locked": { - "lastModified": 1748383148, - "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=", - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf", - "type": "github" - }, - "original": { - "owner": 
"rafaelmardojai", - "repo": "firefox-gnome-theme", - "type": "github" - } - }, - "firefox-gnome-theme_7": { - "flake": false, - "locked": { - "lastModified": 1748383148, - "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=", - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf", - "type": "github" - }, - "original": { - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "type": "github" - } - }, - "firefox-gnome-theme_8": { - "flake": false, - "locked": { - "lastModified": 1748383148, - "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=", - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf", - "type": "github" - }, - "original": { - "owner": "rafaelmardojai", - "repo": "firefox-gnome-theme", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { 
@@ -1835,183 +386,7 @@ "type": "github" } }, - "flake-compat_10": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_11": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_12": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_13": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_14": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_15": { - "flake": false, - "locked": { - "lastModified": 1696426674, - 
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_16": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_17": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_18": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_19": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": 
"0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_20": { "flake": false, "locked": { "lastModified": 1747046372, 
@@ -2027,199 +402,7 @@ "type": "github" } }, - "flake-compat_21": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_22": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_23": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_24": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_25": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_26": { - "flake": false, - "locked": { - "lastModified": 1747046372, - 
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_27": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_28": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_29": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_30": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": 
"9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_31": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_32": { "flake": false, "locked": { "lastModified": 1696426674, @@ -2254,11 +437,11 @@ "flake-compat_5": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { @@ -2268,38 +451,6 @@ } }, "flake-compat_6": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_7": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_8": { "flake": false, "locked": { "lastModified": 1696426674, 
@@ -2315,14 +466,30 @@ "type": "github" } }, - "flake-compat_9": { + "flake-compat_7": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_8": { + "flake": false, + "locked": { + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", "type": "github" }, "original": { @@ -2336,11 +503,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1760948891, - "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", + "lastModified": 1763759067, + "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", + "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0", "type": "github" }, "original": { 
@@ -2349,454 +516,7 @@ "type": "github" } }, - "flake-parts_10": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_11": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_12": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_6" - }, - "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_13": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754091436, - "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_14": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_7" - }, - "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", - "owner": "hercules-ci", - "repo": 
"flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", - "type": "github" - }, - "original": { - "id": "flake-parts", - "type": "indirect" - } - }, - "flake-parts_15": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_16": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_17": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_8" - }, - "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_18": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754091436, - "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_19": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_9" 
- }, - "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", - "type": "github" - }, - "original": { - "id": "flake-parts", - "type": "indirect" - } - }, "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754091436, - "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_20": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_21": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_22": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_10" - }, - "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - 
"owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_23": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754091436, - "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_24": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_11" - }, - "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", - "type": "github" - }, - "original": { - "id": "flake-parts", - "type": "indirect" - } - }, - "flake-parts_25": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_26": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_27": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_12" - }, - "locked": { - "lastModified": 
1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_28": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754091436, - "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_29": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_13" - }, - "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", - "type": "github" - }, - "original": { - "id": "flake-parts", - "type": "indirect" - } - }, - "flake-parts_3": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_2" }, 
@@ -2814,238 +534,7 @@ "type": "github" } }, - "flake-parts_30": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_31": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751413152, - "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_32": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_14" - }, - "locked": { - "lastModified": 1751413152, - "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_33": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_34": { - "inputs": { - "nixpkgs-lib": 
"nixpkgs-lib_15" - }, - "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", - "type": "github" - }, - "original": { - "id": "flake-parts", - "type": "indirect" - } - }, - "flake-parts_35": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_36": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_37": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_16" - }, - "locked": { - "lastModified": 1751413152, - "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_38": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1749398372, - "narHash": 
"sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_39": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_17" - }, - "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", - "type": "github" - }, - "original": { - "id": "flake-parts", - "type": "indirect" - } - }, - "flake-parts_4": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_3" }, @@ -3062,16 +551,9 @@ "type": "indirect" } }, - "flake-parts_40": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", "nur", "nixpkgs" ] 
@@ -3090,218 +572,7 @@ "type": "github" } }, - "flake-parts_41": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_42": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_18" - }, - "locked": { - "lastModified": 1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_43": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_19" - }, - "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_44": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_20" - }, - "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_45": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_21" - }, - "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", - "owner": 
"hercules-ci", - "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_46": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_22" - }, - "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_47": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_23" - }, - "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_48": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_24" - }, - "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_49": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_25" - }, - "locked": { - "lastModified": 1760948891, - "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-parts_5": { - "inputs": { - "nixpkgs-lib": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": 
"sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_50": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_26" - }, - "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_6": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -3322,7 +593,7 @@ "type": "github" } }, - "flake-parts_7": { + "flake-parts_6": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_4" }, 
@@ -3340,46 +611,22 @@ "type": "github" } }, - "flake-parts_8": { - "inputs": { - "nixpkgs-lib": [ - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754091436, - "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_9": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_5" - }, - "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", - "type": "github" - }, - "original": { - "id": "flake-parts", - "type": "indirect" - } - }, "flake-utils": { + "locked": { + "lastModified": 1614513358, + "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "inputs": { "systems": "systems" }, 
@@ -3397,387 +644,9 @@ "type": "github" } }, - "flake-utils_10": { - "inputs": { - "systems": "systems_12" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_11": { - "inputs": { - "systems": "systems_13" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_12": { - "inputs": { - "systems": "systems_16" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_13": { - "inputs": { - "systems": "systems_17" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_14": { - "inputs": { - "systems": "systems_20" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": 
"github" - } - }, - "flake-utils_15": { - "inputs": { - "systems": "systems_21" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_16": { - "inputs": { - "systems": "systems_24" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_17": { - "inputs": { - "systems": "systems_25" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_18": { - "inputs": { - "systems": "systems_28" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_19": { - "inputs": { - "systems": "systems_29" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - 
"flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_20": { - "inputs": { - "systems": "systems_31" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_21": { - "inputs": { - "systems": "systems_32" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_22": { - "inputs": { - "systems": "systems_36" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_23": { - "inputs": { - "systems": "systems_39" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_24": { - "inputs": 
{ - "systems": "systems_43" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_25": { - "inputs": { - "systems": "systems_47" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_26": { - "inputs": { - "systems": "systems_51" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_27": { - "inputs": { - "systems": "systems_56" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_28": { - "inputs": { - "systems": "systems_61" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_29": { - "inputs": { - "systems": "systems_66" - 
}, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flake-utils_3": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -3794,56 +663,8 @@ } }, "flake-utils_4": { - "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_6": { "inputs": { - "systems": "systems_6" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_7": { - "inputs": { - "systems": "systems_7" + "systems": "systems_3" }, "locked": { "lastModified": 1726560853, @@ -3859,9 +680,9 @@ "type": "github" } }, - "flake-utils_8": { + "flake-utils_5": { "inputs": { - "systems": "systems_8" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, 
@@ -3877,9 +698,39 @@ "type": "github" } }, - "flake-utils_9": { + "flake-utils_6": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_7": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_8": { "inputs": { - "systems": "systems_11" + "systems": "systems_10" }, "locked": { "lastModified": 1731533236, 
@@ -3911,250 +762,29 @@ "type": "github" } }, - "fromYaml_2": { - "flake": false, - "locked": { - "lastModified": 1731966426, - "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=", - "owner": "SenchoPens", - "repo": "fromYaml", - "rev": "106af9e2f715e2d828df706c386a685698f3223b", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "fromYaml", - "type": "github" - } - }, - "fromYaml_3": { - "flake": false, - "locked": { - "lastModified": 1731966426, - "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=", - "owner": "SenchoPens", - "repo": "fromYaml", - "rev": "106af9e2f715e2d828df706c386a685698f3223b", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "fromYaml", - "type": "github" - } - }, - "fromYaml_4": { - "flake": false, - "locked": { - "lastModified": 1731966426, - "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=", - "owner": "SenchoPens", - "repo": "fromYaml", - "rev": "106af9e2f715e2d828df706c386a685698f3223b", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "fromYaml", - "type": "github" - } - }, - "fromYaml_5": { - "flake": false, - "locked": { - "lastModified": 1731966426, - "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=", - "owner": "SenchoPens", - "repo": "fromYaml", - "rev": "106af9e2f715e2d828df706c386a685698f3223b", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "fromYaml", - "type": "github" - } - }, - "fromYaml_6": { - "flake": false, - "locked": { - "lastModified": 1731966426, - "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=", - "owner": "SenchoPens", - "repo": "fromYaml", - "rev": "106af9e2f715e2d828df706c386a685698f3223b", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "fromYaml", - "type": "github" - } - }, - "fromYaml_7": { - "flake": false, - "locked": { - "lastModified": 1731966426, - "narHash": 
"sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=", - "owner": "SenchoPens", - "repo": "fromYaml", - "rev": "106af9e2f715e2d828df706c386a685698f3223b", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "fromYaml", - "type": "github" - } - }, - "fromYaml_8": { - "flake": false, - "locked": { - "lastModified": 1731966426, - "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=", - "owner": "SenchoPens", - "repo": "fromYaml", - "rev": "106af9e2f715e2d828df706c386a685698f3223b", - "type": "github" - }, - "original": { - "owner": "SenchoPens", - "repo": "fromYaml", - "type": "github" - } - }, - "fw-fanctrl": { + "git-hooks": { "inputs": { - "flake-compat": "flake-compat_13", + "flake-compat": [ + "simple-nixos-mailserver", + "flake-compat" + ], + "gitignore": "gitignore_5", "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", + "simple-nixos-mailserver", "nixpkgs" ] }, "locked": { - "lastModified": 1758793578, - "narHash": "sha256-+7U2+A7saK1M6TWYJTtey4IX49SMOPlxpLnEBxJ7TtM=", - "owner": "Swarsel", - "repo": "fw-fanctrl", - "rev": "7ccb75900c70a93ee61f16a2da5b6ef36d7fc60f", + "lastModified": 1763319842, + "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761", "type": "github" }, "original": { - "owner": "Swarsel", - "ref": "packaging/nix", - "repo": "fw-fanctrl", - "type": "github" - } - }, - "fw-fanctrl_2": { - "inputs": { - "flake-compat": "flake-compat_17", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1757943948, - "narHash": "sha256-rvXWg0baAoSTj2FXghf11muq5rnI/N9QsHBAHwBAGyU=", - "owner": "Swarsel", - "repo": "fw-fanctrl", - "rev": "96c7d0b120f218eac27a472795cd50228e6447ce", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "packaging/nix", - "repo": "fw-fanctrl", - "type": "github" - } - }, - "fw-fanctrl_3": { - "inputs": { 
- "flake-compat": "flake-compat_21", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1743661097, - "narHash": "sha256-ZSx9BdbW+/4k3Pmecl7ZhpHXnpreuAgYxrRaJC8VmuU=", - "owner": "TamtamHero", - "repo": "fw-fanctrl", - "rev": "473575cd1753cb4ec429ea085975e48d32970894", - "type": "github" - }, - "original": { - "owner": "TamtamHero", - "ref": "packaging/nix", - "repo": "fw-fanctrl", - "type": "github" - } - }, - "fw-fanctrl_4": { - "inputs": { - "flake-compat": "flake-compat_25", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1743661097, - "narHash": "sha256-ZSx9BdbW+/4k3Pmecl7ZhpHXnpreuAgYxrRaJC8VmuU=", - "owner": "TamtamHero", - "repo": "fw-fanctrl", - "rev": "473575cd1753cb4ec429ea085975e48d32970894", - "type": "github" - }, - "original": { - "owner": "TamtamHero", - "ref": "packaging/nix", - "repo": "fw-fanctrl", - "type": "github" - } - }, - "fw-fanctrl_5": { - "inputs": { - "flake-compat": "flake-compat_29", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1743661097, - "narHash": "sha256-ZSx9BdbW+/4k3Pmecl7ZhpHXnpreuAgYxrRaJC8VmuU=", - "owner": "TamtamHero", - "repo": "fw-fanctrl", - "rev": "473575cd1753cb4ec429ea085975e48d32970894", - "type": "github" - }, - "original": { - "owner": "TamtamHero", - "ref": "packaging/nix", - "repo": "fw-fanctrl", + "owner": "cachix", + "repo": "git-hooks.nix", "type": "github" } }, 
@@ -4162,261 +792,7 @@ "inputs": { "nixpkgs": [ "lanzaboote", - "pre-commit-hooks-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_10": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_11": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "pre-commit-hooks-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_12": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_13": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "pre-commit-hooks", - 
"nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_14": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "pre-commit-hooks-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_15": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_16": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_17": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - 
"pre-commit-hooks-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_18": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_19": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "pre-commit-hooks", + "pre-commit", "nixpkgs" ] }, 
@@ -4456,175 +832,6 @@ "type": "github" } }, - "gitignore_20": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "pre-commit-hooks-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_21": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_22": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_23": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "pre-commit-hooks-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": 
"637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_24": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_25": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, "gitignore_3": { "inputs": { "nixpkgs": [ 
@@ -4671,102 +878,8 @@ "gitignore_5": { "inputs": { "nixpkgs": [ - "swarsel", - "lanzaboote", - "pre-commit-hooks-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nix-topology", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_8": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "lanzaboote", - "pre-commit-hooks-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_9": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nix-topology", - "pre-commit-hooks", + 
"simple-nixos-mailserver", + "git-hooks", "nixpkgs" ] }, 
@@ -4787,137 +900,20 @@ "gnome-shell": { "flake": false, "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", + "host": "gitlab.gnome.org", + "lastModified": 1762869044, + "narHash": "sha256-nwm/GJ2Syigf7VccLAZ66mFC8mZJFqpJmIxSGKl7+Ds=", "owner": "GNOME", "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" + "rev": "680e3d195a92203f28d4bf8c6e8bb537cc3ed4ad", + "type": "gitlab" }, "original": { + "host": "gitlab.gnome.org", "owner": "GNOME", - "ref": "48.2", + "ref": "gnome-49", "repo": "gnome-shell", - "type": "github" - } - }, - "gnome-shell_2": { - "flake": false, - "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", - "owner": "GNOME", - "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" - }, - "original": { - "owner": "GNOME", - "ref": "48.2", - "repo": "gnome-shell", - "type": "github" - } - }, - "gnome-shell_3": { - "flake": false, - "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", - "owner": "GNOME", - "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" - }, - "original": { - "owner": "GNOME", - "ref": "48.2", - "repo": "gnome-shell", - "type": "github" - } - }, - "gnome-shell_4": { - "flake": false, - "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", - "owner": "GNOME", - "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" - }, - "original": { - "owner": "GNOME", - "ref": "48.2", - "repo": "gnome-shell", - "type": "github" - } - }, - "gnome-shell_5": { - "flake": false, - "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", - "owner": "GNOME", - "repo": "gnome-shell", - "rev": 
"8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" - }, - "original": { - "owner": "GNOME", - "ref": "48.2", - "repo": "gnome-shell", - "type": "github" - } - }, - "gnome-shell_6": { - "flake": false, - "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", - "owner": "GNOME", - "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" - }, - "original": { - "owner": "GNOME", - "ref": "48.2", - "repo": "gnome-shell", - "type": "github" - } - }, - "gnome-shell_7": { - "flake": false, - "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", - "owner": "GNOME", - "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" - }, - "original": { - "owner": "GNOME", - "ref": "48.2", - "repo": "gnome-shell", - "type": "github" - } - }, - "gnome-shell_8": { - "flake": false, - "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", - "owner": "GNOME", - "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" - }, - "original": { - "owner": "GNOME", - "ref": "48.2", - "repo": "gnome-shell", - "type": "github" + "type": "gitlab" } }, "haumea": { 
@@ -4965,190 +961,6 @@ "type": "github" } }, - "home-manager_10": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709445365, - "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_11": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754756528, - "narHash": "sha256-W1jYKMetZSOHP5m2Z5Wokdj/ct17swPHs+MiY2WT1HQ=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "3ec1cd9a0703fbd55d865b7fd2b07d08374f0355", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_12": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709445365, - "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_13": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751824240, - "narHash": "sha256-aDDC0CHTlL7QDKWWhdbEgVPK6KwWt+ca0QkmHYZxMzI=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "fd9e55f5fac45a26f6169310afca64d56b681935", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - 
"home-manager_14": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709445365, - "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_15": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751824240, - "narHash": "sha256-aDDC0CHTlL7QDKWWhdbEgVPK6KwWt+ca0QkmHYZxMzI=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "fd9e55f5fac45a26f6169310afca64d56b681935", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_16": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709445365, - "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, "home-manager_2": { "inputs": { "nixpkgs": [ 
@@ -5170,166 +982,6 @@ "type": "github" } }, - "home-manager_3": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760571159, - "narHash": "sha256-Y086n2U0kN9HjOo+UScwQDS27gKMiIlT6vDehvlmdAg=", - "owner": "JuneStepp", - "repo": "home-manager", - "rev": "ce469fb711fe3a3e83d8f350d7ac6353ffcfe8db", - "type": "github" - }, - "original": { - "owner": "JuneStepp", - "ref": "anki-fix-booleans", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nix-on-droid", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709445365, - "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1759761710, - "narHash": "sha256-6ZG7VZZsbg39gtziGSvCJKurhIahIuiCn+W6TGB5kOU=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "929535c3082afdf0b18afec5ea1ef14d7689ff1c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709445365, - "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758692005, - 
"narHash": "sha256-bNRMXWSLM4K9cF1YaHYjLol60KIAWW4GzAoJDp5tA0w=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "6ce2e18007ff022db41d9cc042f8838e8c51ed66", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_8": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709445365, - "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_9": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1757920978, - "narHash": "sha256-Mv16aegXLulgyDunijP6SPFJNm8lSXb2w3Q0X+vZ9TY=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "11cc5449c50e0e5b785be3dfcb88245232633eb8", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, "impermanence": { "locked": { "lastModified": 1737831083, 
@@ -5345,111 +997,6 @@ "type": "github" } }, - "impermanence_2": { - "locked": { - "lastModified": 1737831083, - "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", - "owner": "nix-community", - "repo": "impermanence", - "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "impermanence", - "type": "github" - } - }, - "impermanence_3": { - "locked": { - "lastModified": 1737831083, - "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", - "owner": "nix-community", - "repo": "impermanence", - "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "impermanence", - "type": "github" - } - }, - "impermanence_4": { - "locked": { - "lastModified": 1737831083, - "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", - "owner": "nix-community", - "repo": "impermanence", - "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "impermanence", - "type": "github" - } - }, - "impermanence_5": { - "locked": { - "lastModified": 1737831083, - "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", - "owner": "nix-community", - "repo": "impermanence", - "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "impermanence", - "type": "github" - } - }, - "impermanence_6": { - "locked": { - "lastModified": 1737831083, - "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", - "owner": "nix-community", - "repo": "impermanence", - "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "impermanence", - "type": "github" - } - }, - "impermanence_7": { - "locked": { - "lastModified": 1737831083, - "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", - 
"owner": "nix-community", - "repo": "impermanence", - "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "impermanence", - "type": "github" - } - }, - "impermanence_8": { - "locked": { - "lastModified": 1737831083, - "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", - "owner": "nix-community", - "repo": "impermanence", - "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "impermanence", - "type": "github" - } - }, "incl": { "inputs": { "nixlib": [ 
@@ -5476,179 +1023,16 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs", - "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "nixpkgs": "nixpkgs_5", + "pre-commit": "pre-commit", "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1756744479, - "narHash": "sha256-EyZXusK/wRD3V9vDh00W2Re3Eg8UQ+LjVBQrrH9dq1U=", + "lastModified": 1763975256, + "narHash": "sha256-IhdDL+0YwlLz5Ty0EnAxWN/btemN9FxcQbYs/V/8jvs=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "747b7912f49e2885090c83364d88cf853a020ac1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lanzaboote", - "type": "github" - } - }, - "lanzaboote_2": { - "inputs": { - "crane": "crane_3", - "flake-compat": "flake-compat_7", - "flake-parts": "flake-parts_8", - "nixpkgs": "nixpkgs_10", - "pre-commit-hooks-nix": "pre-commit-hooks-nix_2", - "rust-overlay": "rust-overlay_3" - }, - "locked": { - "lastModified": 1756744479, - "narHash": "sha256-EyZXusK/wRD3V9vDh00W2Re3Eg8UQ+LjVBQrrH9dq1U=", - "owner": "nix-community", - "repo": "lanzaboote", - "rev": "747b7912f49e2885090c83364d88cf853a020ac1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lanzaboote", - "type": "github" - } - }, - "lanzaboote_3": { - "inputs": { - "crane": "crane_4", - "flake-compat": "flake-compat_10", - "flake-parts": "flake-parts_13", - "nixpkgs": "nixpkgs_18", - "pre-commit-hooks-nix": "pre-commit-hooks-nix_3", - "rust-overlay": "rust-overlay_4" - }, - "locked": { - "lastModified": 1756744479, - "narHash": "sha256-EyZXusK/wRD3V9vDh00W2Re3Eg8UQ+LjVBQrrH9dq1U=", - "owner": "nix-community", - "repo": "lanzaboote", - "rev": "747b7912f49e2885090c83364d88cf853a020ac1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lanzaboote", - "type": "github" - } - }, - "lanzaboote_4": { - "inputs": { - "crane": "crane_5", - "flake-compat": "flake-compat_14", - 
"flake-parts": "flake-parts_18", - "nixpkgs": "nixpkgs_26", - "pre-commit-hooks-nix": "pre-commit-hooks-nix_4", - "rust-overlay": "rust-overlay_5" - }, - "locked": { - "lastModified": 1756744479, - "narHash": "sha256-EyZXusK/wRD3V9vDh00W2Re3Eg8UQ+LjVBQrrH9dq1U=", - "owner": "nix-community", - "repo": "lanzaboote", - "rev": "747b7912f49e2885090c83364d88cf853a020ac1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lanzaboote", - "type": "github" - } - }, - "lanzaboote_5": { - "inputs": { - "crane": "crane_6", - "flake-compat": "flake-compat_18", - "flake-parts": "flake-parts_23", - "nixpkgs": "nixpkgs_34", - "pre-commit-hooks-nix": "pre-commit-hooks-nix_5", - "rust-overlay": "rust-overlay_6" - }, - "locked": { - "lastModified": 1756744479, - "narHash": "sha256-EyZXusK/wRD3V9vDh00W2Re3Eg8UQ+LjVBQrrH9dq1U=", - "owner": "nix-community", - "repo": "lanzaboote", - "rev": "747b7912f49e2885090c83364d88cf853a020ac1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lanzaboote", - "type": "github" - } - }, - "lanzaboote_6": { - "inputs": { - "crane": "crane_7", - "flake-compat": "flake-compat_22", - "flake-parts": "flake-parts_28", - "nixpkgs": "nixpkgs_42", - "pre-commit-hooks-nix": "pre-commit-hooks-nix_6", - "rust-overlay": "rust-overlay_7" - }, - "locked": { - "lastModified": 1754297745, - "narHash": "sha256-aD6/scLN3L4ZszmNbhhd3JQ9Pzv1ScYFphz14wHinfs=", - "owner": "nix-community", - "repo": "lanzaboote", - "rev": "892cbdca865d6b42f9c0d222fe309f7720259855", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lanzaboote", - "type": "github" - } - }, - "lanzaboote_7": { - "inputs": { - "crane": "crane_8", - "flake-compat": "flake-compat_26", - "flake-parts": "flake-parts_33", - "nixpkgs": "nixpkgs_50", - "pre-commit-hooks-nix": "pre-commit-hooks-nix_7", - "rust-overlay": "rust-overlay_8" - }, - "locked": { - "lastModified": 1751381593, - "narHash": 
"sha256-js1XwtJpYhvQrrTaVzViybpztkHJVZ63aXOlFAcTENM=", - "owner": "nix-community", - "repo": "lanzaboote", - "rev": "f4eb75540307c2b33521322c04b7fea74e48a66f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lanzaboote", - "type": "github" - } - }, - "lanzaboote_8": { - "inputs": { - "crane": "crane_9", - "flake-compat": "flake-compat_30", - "flake-parts": "flake-parts_38", - "nixpkgs": "nixpkgs_58", - "pre-commit-hooks-nix": "pre-commit-hooks-nix_8", - "rust-overlay": "rust-overlay_9" - }, - "locked": { - "lastModified": 1751381593, - "narHash": "sha256-js1XwtJpYhvQrrTaVzViybpztkHJVZ63aXOlFAcTENM=", - "owner": "nix-community", - "repo": "lanzaboote", - "rev": "f4eb75540307c2b33521322c04b7fea74e48a66f", + "rev": "6803b15c4ab9df2dcc478254b4adb55524746ac7", "type": "github" }, "original": { 
@@ -5659,65 +1043,16 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ], + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_6", "spectrum": "spectrum" }, "locked": { - "lastModified": 1762030278, - "narHash": "sha256-7p3blvxYNqOHQqpW4+MzcwxLh0ur0QtNXzNuquDyDxQ=", + "lastModified": 1763928900, + "narHash": "sha256-4+5LVMFWSUppY5yvFFdV+T8Lc/rgSYEGx38/9Y20+EI=", "owner": "astro", "repo": "microvm.nix", - "rev": "062a1d49f12d194855dbb87285a323f58ddfa725", - "type": "github" - }, - "original": { - "owner": "astro", - "repo": "microvm.nix", - "type": "github" - } - }, - "microvm_2": { - "inputs": { - "flake-utils": "flake-utils_6", - "nixpkgs": [ - "swarsel", - "nixpkgs" - ], - "spectrum": "spectrum_2" - }, - "locked": { - "lastModified": 1760236243, - "narHash": "sha256-u2HvURFrR6UnPbCltTOWQBvX6N8XSpCE5m0p4c8UOKA=", - "owner": "astro", - "repo": "microvm.nix", - "rev": "67c23f6fc72e78cc4b8e46b8b9b1d3982d27bee4", - "type": "github" - }, - "original": { - "owner": "astro", - "repo": "microvm.nix", - "type": "github" - } - }, - "microvm_3": { - "inputs": { - "flake-utils": "flake-utils_9", - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ], - "spectrum": "spectrum_3" - }, - "locked": { - "lastModified": 1759708185, - "narHash": "sha256-s8bRMSQVILQlhbBqCKBFtIcsxbcuH2oX35JJ7FHw4BI=", - "owner": "astro", - "repo": "microvm.nix", - "rev": "901c80e256d41f63d8036b042d1675c745c1a617", + "rev": "e3e222005b29a78f85128573f3c6f09a11270c91", "type": "github" }, "original": { 
@@ -5791,159 +1126,17 @@ "inputs": { "niri-stable": "niri-stable", "niri-unstable": "niri-unstable", - "nixpkgs": [ - "nixpkgs" - ], + "nixpkgs": "nixpkgs_7", "nixpkgs-stable": "nixpkgs-stable_2", "xwayland-satellite-stable": "xwayland-satellite-stable", "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1762026425, - "narHash": "sha256-7eDtQrr+CRZ1pLjJ6Bx7Ab9pUIowXJ7ooqEh6p3jIn8=", + "lastModified": 1763995371, + "narHash": "sha256-Cbekq2OAWevdTayYMO7SCf05aGHPZ236MTyCkKyYZOs=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "342730d4f8e109f3506932d2be1c8f9ab19a7039", - "type": "github" - }, - "original": { - "owner": "sodiboo", - "repo": "niri-flake", - "type": "github" - } - }, - "niri-flake_2": { - "inputs": { - "niri-stable": "niri-stable_2", - "niri-unstable": "niri-unstable_2", - "nixpkgs": [ - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_5", - "xwayland-satellite-stable": "xwayland-satellite-stable_2", - "xwayland-satellite-unstable": "xwayland-satellite-unstable_2" - }, - "locked": { - "lastModified": 1760432014, - "narHash": "sha256-shqc+38nKs/XS2scgJV8KP5/D0PWAXYYgf5nT6BfHNE=", - "owner": "sodiboo", - "repo": "niri-flake", - "rev": "f2aa74f5d28fed7fca48cd4bea4c0803699c0f6c", - "type": "github" - }, - "original": { - "owner": "sodiboo", - "repo": "niri-flake", - "type": "github" - } - }, - "niri-flake_3": { - "inputs": { - "niri-stable": "niri-stable_3", - "niri-unstable": "niri-unstable_3", - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_8", - "xwayland-satellite-stable": "xwayland-satellite-stable_3", - "xwayland-satellite-unstable": "xwayland-satellite-unstable_3" - }, - "locked": { - "lastModified": 1759711756, - "narHash": "sha256-gdX1IM8MT3vTqLSXLDc9HNg30EcHkAgUXeNh4UpcyYU=", - "owner": "sodiboo", - "repo": "niri-flake", - "rev": "372ecde34b3af73ae523d4b055f5bcdab00b5ee6", - "type": "github" - }, - "original": { - "owner": "sodiboo", - 
"repo": "niri-flake", - "type": "github" - } - }, - "niri-flake_4": { - "inputs": { - "niri-stable": "niri-stable_4", - "niri-unstable": "niri-unstable_4", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_11", - "xwayland-satellite-stable": "xwayland-satellite-stable_4", - "xwayland-satellite-unstable": "xwayland-satellite-unstable_4" - }, - "locked": { - "lastModified": 1758697829, - "narHash": "sha256-1pO4A16ssvjHNyHilpvxo15mBkAifCSOiLs3hBlrYdU=", - "owner": "sodiboo", - "repo": "niri-flake", - "rev": "9dbeb8f613d2da107bff8375c2db7182a2bb79bb", - "type": "github" - }, - "original": { - "owner": "sodiboo", - "repo": "niri-flake", - "type": "github" - } - }, - "niri-flake_5": { - "inputs": { - "niri-stable": "niri-stable_5", - "niri-unstable": "niri-unstable_5", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_14", - "xwayland-satellite-stable": "xwayland-satellite-stable_5", - "xwayland-satellite-unstable": "xwayland-satellite-unstable_5" - }, - "locked": { - "lastModified": 1757870947, - "narHash": "sha256-0N8w6SB6a68kWioFmlr+KfwfG44KVjPjJIBSQKNdNhE=", - "owner": "sodiboo", - "repo": "niri-flake", - "rev": "8e9b1a571399104e42d8fa5de6c28c63bff0c16a", - "type": "github" - }, - "original": { - "owner": "sodiboo", - "repo": "niri-flake", - "type": "github" - } - }, - "niri-flake_6": { - "inputs": { - "niri-stable": "niri-stable_6", - "niri-unstable": "niri-unstable_6", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_17", - "xwayland-satellite-stable": "xwayland-satellite-stable_6", - "xwayland-satellite-unstable": "xwayland-satellite-unstable_6" - }, - "locked": { - "lastModified": 1754797984, - "narHash": "sha256-t2WFkdB2qUyZt5rdqmJ340kqhvQWWOCJBJIc1nQ/Hg4=", - "owner": "sodiboo", - "repo": "niri-flake", - "rev": "647a310f1eaa59abec8aa215ff69d8979195425e", 
+ "rev": "c4fb0f9d13fadf1b3c33e693509d8cdcbbd7d08e", "type": "github" }, "original": { 
@@ -5969,179 +1162,14 @@ "type": "github" } }, - "niri-stable_2": { - "flake": false, - "locked": { - "lastModified": 1756556321, - "narHash": "sha256-RLD89dfjN0RVO86C/Mot0T7aduCygPGaYbog566F0Qo=", - "owner": "YaLTeR", - "repo": "niri", - "rev": "01be0e65f4eb91a9cd624ac0b76aaeab765c7294", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "ref": "v25.08", - "repo": "niri", - "type": "github" - } - }, - "niri-stable_3": { - "flake": false, - "locked": { - "lastModified": 1756556321, - "narHash": "sha256-RLD89dfjN0RVO86C/Mot0T7aduCygPGaYbog566F0Qo=", - "owner": "YaLTeR", - "repo": "niri", - "rev": "01be0e65f4eb91a9cd624ac0b76aaeab765c7294", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "ref": "v25.08", - "repo": "niri", - "type": "github" - } - }, - "niri-stable_4": { - "flake": false, - "locked": { - "lastModified": 1756556321, - "narHash": "sha256-RLD89dfjN0RVO86C/Mot0T7aduCygPGaYbog566F0Qo=", - "owner": "YaLTeR", - "repo": "niri", - "rev": "01be0e65f4eb91a9cd624ac0b76aaeab765c7294", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "ref": "v25.08", - "repo": "niri", - "type": "github" - } - }, - "niri-stable_5": { - "flake": false, - "locked": { - "lastModified": 1756556321, - "narHash": "sha256-RLD89dfjN0RVO86C/Mot0T7aduCygPGaYbog566F0Qo=", - "owner": "YaLTeR", - "repo": "niri", - "rev": "01be0e65f4eb91a9cd624ac0b76aaeab765c7294", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "ref": "v25.08", - "repo": "niri", - "type": "github" - } - }, - "niri-stable_6": { - "flake": false, - "locked": { - "lastModified": 1748151941, - "narHash": "sha256-z4viQZLgC2bIJ3VrzQnR+q2F3gAOEQpU1H5xHtX/2fs=", - "owner": "YaLTeR", - "repo": "niri", - "rev": "8ba57fcf25d2fc9565131684a839d58703f1dae7", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "ref": "v25.05.1", - "repo": "niri", - "type": "github" - } - }, "niri-unstable": { "flake": false, "locked": { - "lastModified": 1761888958, - "narHash": 
"sha256-YgArUHI81Esn6fOCwVSrMI2G4RI3f3BPbRbPWsJubAc=", + "lastModified": 1763990232, + "narHash": "sha256-RdtlZ+nufSwEgNsF0yuTOO2eGpn87Qm9b3tRQPsibH4=", "owner": "YaLTeR", "repo": "niri", - "rev": "e2576879216a39e5c45b9d2906531bc2065e724c", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "repo": "niri", - "type": "github" - } - }, - "niri-unstable_2": { - "flake": false, - "locked": { - "lastModified": 1760426302, - "narHash": "sha256-HEeX0wTT2DTRAgADnOmcyk7k/J8KlFosBpFp0yIVfm0=", - "owner": "YaLTeR", - "repo": "niri", - "rev": "87dc96fa69738b5d57562a0a556efa7def138539", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "repo": "niri", - "type": "github" - } - }, - "niri-unstable_3": { - "flake": false, - "locked": { - "lastModified": 1759395653, - "narHash": "sha256-sv9J1z6CrTPf9lRJLyCN90fZVdQz7LFeX7pIlInH8BQ=", - "owner": "YaLTeR", - "repo": "niri", - "rev": "ba6e5e082a79901dc89b0d49c5da1b769d652aec", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "repo": "niri", - "type": "github" - } - }, - "niri-unstable_4": { - "flake": false, - "locked": { - "lastModified": 1758691861, - "narHash": "sha256-CYgoGrY/Fx+hjzp8graTxJw1M7mn1f2jBkK26M04T0s=", - "owner": "YaLTeR", - "repo": "niri", - "rev": "e837e39623457dc5ad29c34a5ce4d4616e5fbf1e", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "repo": "niri", - "type": "github" - } - }, - "niri-unstable_5": { - "flake": false, - "locked": { - "lastModified": 1757832020, - "narHash": "sha256-SCdus7r4IS8l3jzF8mcMFMlDvACTdmDCcsPnGUEqll0=", - "owner": "YaLTeR", - "repo": "niri", - "rev": "e6a8ad38479eb179dc7301755316f993e3e872ea", - "type": "github" - }, - "original": { - "owner": "YaLTeR", - "repo": "niri", - "type": "github" - } - }, - "niri-unstable_6": { - "flake": false, - "locked": { - "lastModified": 1754742008, - "narHash": "sha256-Tp0FG7VpLudVEC622d91z2hbdfPLCXxw0Nv43iNN4O0=", - "owner": "YaLTeR", - "repo": "niri", - "rev": 
"67361f88fd01974ebee4cf80f0e29c87d805cc39", + "rev": "45b45ac29d654c0e6759ab996c69dfde40053536", "type": "github" }, "original": { 
@@ -6152,184 +1180,14 @@ }, "nix-darwin": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1762022020, - "narHash": "sha256-tNj4SqLu87rV3z2Pf1Zr3vC93zYyMuLif1qLhHmQl64=", + "lastModified": 1763505477, + "narHash": "sha256-nJRd4LY2kT3OELfHqdgWjvToNZ4w+zKCMzS2R6z4sXE=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "fc4e3dbe4039f8ff4fc303e50491ca8ba009ffd4", - "type": "github" - }, - "original": { - "owner": "lnl7", - "repo": "nix-darwin", - "type": "github" - } - }, - "nix-darwin_2": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760338583, - "narHash": "sha256-IGwy02SH5K2hzIFrKMRsCmyvwOwWxrcquiv4DbKL1S4=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "9a9ab01072f78823ca627ae5e895e40d493c3ecf", - "type": "github" - }, - "original": { - "owner": "lnl7", - "repo": "nix-darwin", - "type": "github" - } - }, - "nix-darwin_3": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758805352, - "narHash": "sha256-BHdc43Lkayd+72W/NXRKHzX5AZ+28F3xaUs3a88/Uew=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "c48e963a5558eb1c3827d59d21c5193622a1477c", - "type": "github" - }, - "original": { - "owner": "lnl7", - "repo": "nix-darwin", - "type": "github" - } - }, - "nix-darwin_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758447883, - "narHash": "sha256-yGA6MV0E4JSEXqLTb4ZZkmdJZcoQ8HUzihRRX12Bvpg=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "25381509d5c91bbf3c30e23abc6d8476d2143cd1", - "type": "github" - }, - "original": { - "owner": "lnl7", - "repo": "nix-darwin", - "type": "github" - } - }, - "nix-darwin_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1757430124, - "narHash": 
"sha256-MhDltfXesGH8VkGv3hmJ1QEKl1ChTIj9wmGAFfWj/Wk=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "830b3f0b50045cf0bcfd4dab65fad05bf882e196", - "type": "github" - }, - "original": { - "owner": "lnl7", - "repo": "nix-darwin", - "type": "github" - } - }, - "nix-darwin_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751313918, - "narHash": "sha256-HsJM3XLa43WpG+665aGEh8iS8AfEwOIQWk3Mke3e7nk=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "e04a388232d9a6ba56967ce5b53a8a6f713cdfcf", - "type": "github" - }, - "original": { - "owner": "lnl7", - "repo": "nix-darwin", - "type": "github" - } - }, - "nix-darwin_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751313918, - "narHash": "sha256-HsJM3XLa43WpG+665aGEh8iS8AfEwOIQWk3Mke3e7nk=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "e04a388232d9a6ba56967ce5b53a8a6f713cdfcf", - "type": "github" - }, - "original": { - "owner": "lnl7", - "repo": "nix-darwin", - "type": "github" - } - }, - "nix-darwin_8": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751313918, - "narHash": "sha256-HsJM3XLa43WpG+665aGEh8iS8AfEwOIQWk3Mke3e7nk=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "e04a388232d9a6ba56967ce5b53a8a6f713cdfcf", + "rev": "3bda9f6b14161becbd07b3c56411f1670e19b9b5", "type": "github" }, "original": { 
@@ -6361,195 +1219,6 @@ "type": "github" } }, - "nix-formatter-pack_2": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nix-on-droid", - "nixpkgs" - ], - "nmd": "nmd_3", - "nmt": "nmt_2" - }, - "locked": { - "lastModified": 1705252799, - "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=", - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5", - "type": "github" - }, - "original": { - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "type": "github" - } - }, - "nix-formatter-pack_3": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ], - "nmd": "nmd_5", - "nmt": "nmt_3" - }, - "locked": { - "lastModified": 1705252799, - "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=", - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5", - "type": "github" - }, - "original": { - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "type": "github" - } - }, - "nix-formatter-pack_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ], - "nmd": "nmd_7", - "nmt": "nmt_4" - }, - "locked": { - "lastModified": 1705252799, - "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=", - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5", - "type": "github" - }, - "original": { - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "type": "github" - } - }, - "nix-formatter-pack_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ], - "nmd": "nmd_9", - "nmt": "nmt_5" - }, - "locked": { - "lastModified": 1705252799, - "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=", - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5", - "type": "github" - }, - "original": { 
- "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "type": "github" - } - }, - "nix-formatter-pack_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ], - "nmd": "nmd_11", - "nmt": "nmt_6" - }, - "locked": { - "lastModified": 1705252799, - "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=", - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5", - "type": "github" - }, - "original": { - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "type": "github" - } - }, - "nix-formatter-pack_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ], - "nmd": "nmd_13", - "nmt": "nmt_7" - }, - "locked": { - "lastModified": 1705252799, - "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=", - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5", - "type": "github" - }, - "original": { - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "type": "github" - } - }, - "nix-formatter-pack_8": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs" - ], - "nmd": "nmd_15", - "nmt": "nmt_8" - }, - "locked": { - "lastModified": 1705252799, - "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=", - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5", - "type": "github" - }, - "original": { - "owner": "Gerschtli", - "repo": "nix-formatter-pack", - "type": "github" - } - }, "nix-index-database": { "inputs": { "nixpkgs": [ 
@@ -6557,11 +1226,11 @@ ] }, "locked": { - "lastModified": 1761451000, - "narHash": "sha256-qBJL6xEIjqYq9zOcG2vf2nPTeVBppNJzvO0LuQWMwMo=", + "lastModified": 1763870992, + "narHash": "sha256-NPyc76Wxmv/vAsXJ8F+/8fXECHYcv2YGSqdiSHp/F/A=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "ed6b293161b378a7368cda38659eb8d3d9a0dac4", + "rev": "d7423982c7a26586aa237d130b14c8b302c7a367", "type": "github" }, "original": { 
@@ -6570,171 +1239,23 @@ "type": "github" } }, - "nix-index-database_2": { + "nix-minecraft": { "inputs": { - "nixpkgs": [ - "swarsel", - "nixpkgs" - ] + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_9" }, "locked": { - "lastModified": 1760241904, - "narHash": "sha256-OD7QnaGEVNdukYEbJbUNWPsvnDrpbZOZxVIk6Pt9Jhw=", - "owner": "nix-community", - "repo": "nix-index-database", - "rev": "c9f5ea45f25652ec2f771f9426ccacb21cbbaeaa", + "lastModified": 1763776632, + "narHash": "sha256-mvumw4Djwi6BgMKVKw5cpNt8a80+h/LvPy2AHOtzBzE=", + "owner": "Infinidoge", + "repo": "nix-minecraft", + "rev": "e6d3b589d9f1f869e68142f44654e59fcb47390c", "type": "github" }, "original": { - "owner": "nix-community", - "repo": "nix-index-database", - "type": "github" - } - }, - "nix-index-database_3": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1759637156, - "narHash": "sha256-8NI1SqntLfKl6Q0Luemc3aIboezSJElofUrqipF5g78=", - "owner": "nix-community", - "repo": "nix-index-database", - "rev": "0ca69684091aa3a6b1fe994c4afeff305b15e915", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-index-database", - "type": "github" - } - }, - "nix-index-database_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758427679, - "narHash": "sha256-xwjWRJTKDCjQ0iwfh7WhDhgcS0Wt3d1Yscg83mKBCn4=", - "owner": "nix-community", - "repo": "nix-index-database", - "rev": "fd2569ca2ef7d69f244cd9ffcb66a0540772ff85", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-index-database", - "type": "github" - } - }, - "nix-index-database_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1757822619, - "narHash": "sha256-3HIpe3P2h1AUPYcAH9cjuX0tZOqJpX01c0iDwoUYNZ8=", - "owner": "nix-community", - 
"repo": "nix-index-database", - "rev": "050a5feb5d1bb5b6e5fc04a7d3d816923a87c9ea", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-index-database", - "type": "github" - } - }, - "nix-index-database_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754195341, - "narHash": "sha256-YL71IEf2OugH3gmAsxQox6BJI0KOcHKtW2QqT/+s2SA=", - "owner": "nix-community", - "repo": "nix-index-database", - "rev": "b7fcd4e26d67fca48e77de9b0d0f954b18ae9562", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-index-database", - "type": "github" - } - }, - "nix-index-database_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751774635, - "narHash": "sha256-DuOznGdgMxeSlPpUu6Wkq0ZD5e2Cfv9XRZeZlHWMd1s=", - "owner": "nix-community", - "repo": "nix-index-database", - "rev": "85686025ba6d18df31cc651a91d5adef63378978", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-index-database", - "type": "github" - } - }, - "nix-index-database_8": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751774635, - "narHash": "sha256-DuOznGdgMxeSlPpUu6Wkq0ZD5e2Cfv9XRZeZlHWMd1s=", - "owner": "nix-community", - "repo": "nix-index-database", - "rev": "85686025ba6d18df31cc651a91d5adef63378978", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-index-database", + "owner": "Infinidoge", + "repo": "nix-minecraft", "type": "github" } }, 
@@ -6742,9 +1263,7 @@ "inputs": { "home-manager": "home-manager_2", "nix-formatter-pack": "nix-formatter-pack", - "nixpkgs": [ - "nixpkgs" - ], + "nixpkgs": "nixpkgs_10", "nixpkgs-docs": "nixpkgs-docs", "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap", "nmd": "nmd_2" 
@@ -6764,376 +1283,19 @@ "type": "github" } }, - "nix-on-droid_2": { - "inputs": { - "home-manager": "home-manager_4", - "nix-formatter-pack": "nix-formatter-pack_2", - "nixpkgs": [ - "swarsel", - "nixpkgs" - ], - "nixpkgs-docs": "nixpkgs-docs_2", - "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap_2", - "nmd": "nmd_4" - }, - "locked": { - "lastModified": 1720396533, - "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=", - "owner": "nix-community", - "repo": "nix-on-droid", - "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "nix-on-droid", - "type": "github" - } - }, - "nix-on-droid_3": { - "inputs": { - "home-manager": "home-manager_6", - "nix-formatter-pack": "nix-formatter-pack_3", - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-docs": "nixpkgs-docs_3", - "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap_3", - "nmd": "nmd_6" - }, - "locked": { - "lastModified": 1720396533, - "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=", - "owner": "nix-community", - "repo": "nix-on-droid", - "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "nix-on-droid", - "type": "github" - } - }, - "nix-on-droid_4": { - "inputs": { - "home-manager": "home-manager_8", - "nix-formatter-pack": "nix-formatter-pack_4", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-docs": "nixpkgs-docs_4", - "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap_4", - "nmd": "nmd_8" - }, - "locked": { - "lastModified": 1720396533, - "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=", - "owner": "nix-community", - "repo": "nix-on-droid", - "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "nix-on-droid", - "type": 
"github" - } - }, - "nix-on-droid_5": { - "inputs": { - "home-manager": "home-manager_10", - "nix-formatter-pack": "nix-formatter-pack_5", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-docs": "nixpkgs-docs_5", - "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap_5", - "nmd": "nmd_10" - }, - "locked": { - "lastModified": 1720396533, - "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=", - "owner": "nix-community", - "repo": "nix-on-droid", - "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "nix-on-droid", - "type": "github" - } - }, - "nix-on-droid_6": { - "inputs": { - "home-manager": "home-manager_12", - "nix-formatter-pack": "nix-formatter-pack_6", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-docs": "nixpkgs-docs_6", - "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap_6", - "nmd": "nmd_12" - }, - "locked": { - "lastModified": 1720396533, - "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=", - "owner": "nix-community", - "repo": "nix-on-droid", - "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "nix-on-droid", - "type": "github" - } - }, - "nix-on-droid_7": { - "inputs": { - "home-manager": "home-manager_14", - "nix-formatter-pack": "nix-formatter-pack_7", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-docs": "nixpkgs-docs_7", - "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap_7", - "nmd": "nmd_14" - }, - "locked": { - "lastModified": 1720396533, - "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=", - "owner": "nix-community", - "repo": "nix-on-droid", - "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25", - "type": "github" - }, - 
"original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "nix-on-droid", - "type": "github" - } - }, - "nix-on-droid_8": { - "inputs": { - "home-manager": "home-manager_16", - "nix-formatter-pack": "nix-formatter-pack_8", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "nixpkgs-docs": "nixpkgs-docs_8", - "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap_8", - "nmd": "nmd_16" - }, - "locked": { - "lastModified": 1720396533, - "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=", - "owner": "nix-community", - "repo": "nix-on-droid", - "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "nix-on-droid", - "type": "github" - } - }, "nix-topology": { "inputs": { "devshell": "devshell_2", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_2", + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_11", "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1752093877, - "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=", + "lastModified": 1762088663, + "narHash": "sha256-rpCvFan9Dji1Vw4HfVqYdfWesz5sKZE3uSgYR9gRreA=", "owner": "oddlama", "repo": "nix-topology", - "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633", - "type": "github" - }, - "original": { - "owner": "oddlama", - "repo": "nix-topology", - "type": "github" - } - }, - "nix-topology_2": { - "inputs": { - "devshell": "devshell_6", - "flake-utils": "flake-utils_7", - "nixpkgs": "nixpkgs_11", - "pre-commit-hooks": "pre-commit-hooks_4" - }, - "locked": { - "lastModified": 1752093877, - "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=", - "owner": "oddlama", - "repo": "nix-topology", - "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633", - "type": "github" - }, - "original": { - "owner": "oddlama", - "repo": "nix-topology", - "type": "github" - } - }, - 
"nix-topology_3": { - "inputs": { - "devshell": "devshell_8", - "flake-utils": "flake-utils_10", - "nixpkgs": "nixpkgs_19", - "pre-commit-hooks": "pre-commit-hooks_6" - }, - "locked": { - "lastModified": 1752093877, - "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=", - "owner": "oddlama", - "repo": "nix-topology", - "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633", - "type": "github" - }, - "original": { - "owner": "oddlama", - "repo": "nix-topology", - "type": "github" - } - }, - "nix-topology_4": { - "inputs": { - "devshell": "devshell_10", - "flake-utils": "flake-utils_12", - "nixpkgs": "nixpkgs_27", - "pre-commit-hooks": "pre-commit-hooks_8" - }, - "locked": { - "lastModified": 1752093877, - "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=", - "owner": "oddlama", - "repo": "nix-topology", - "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633", - "type": "github" - }, - "original": { - "owner": "oddlama", - "repo": "nix-topology", - "type": "github" - } - }, - "nix-topology_5": { - "inputs": { - "devshell": "devshell_12", - "flake-utils": "flake-utils_14", - "nixpkgs": "nixpkgs_35", - "pre-commit-hooks": "pre-commit-hooks_10" - }, - "locked": { - "lastModified": 1752093877, - "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=", - "owner": "oddlama", - "repo": "nix-topology", - "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633", - "type": "github" - }, - "original": { - "owner": "oddlama", - "repo": "nix-topology", - "type": "github" - } - }, - "nix-topology_6": { - "inputs": { - "devshell": "devshell_14", - "flake-utils": "flake-utils_16", - "nixpkgs": "nixpkgs_43", - "pre-commit-hooks": "pre-commit-hooks_12" - }, - "locked": { - "lastModified": 1752093877, - "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=", - "owner": "oddlama", - "repo": "nix-topology", - "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633", - "type": "github" - }, - "original": { - "owner": "oddlama", - "repo": "nix-topology", - "type": 
"github" - } - }, - "nix-topology_7": { - "inputs": { - "devshell": "devshell_16", - "flake-utils": "flake-utils_18", - "nixpkgs": "nixpkgs_51", - "pre-commit-hooks": "pre-commit-hooks_14" - }, - "locked": { - "lastModified": 1744142264, - "narHash": "sha256-h5KyodobZm8dx/HSNN+basgdmjxrQxudjrss4gAQpZk=", - "owner": "oddlama", - "repo": "nix-topology", - "rev": "f49121cbbf4a86c560638ade406d99ee58deb7aa", - "type": "github" - }, - "original": { - "owner": "oddlama", - "repo": "nix-topology", - "type": "github" - } - }, - "nix-topology_8": { - "inputs": { - "devshell": "devshell_18", - "flake-utils": "flake-utils_20", - "nixpkgs": "nixpkgs_59", - "pre-commit-hooks": "pre-commit-hooks_16" - }, - "locked": { - "lastModified": 1744142264, - "narHash": "sha256-h5KyodobZm8dx/HSNN+basgdmjxrQxudjrss4gAQpZk=", - "owner": "oddlama", - "repo": "nix-topology", - "rev": "f49121cbbf4a86c560638ade406d99ee58deb7aa", + "rev": "c15f569794a0f1a437850d0ac81675bcf23ca6cb", "type": "github" }, "original": { 
@@ -7179,148 +1341,15 @@ }, "nixgl": { "inputs": { - "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_3" - }, - "locked": { - "lastModified": 1752054764, - "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=", - "owner": "guibou", - "repo": "nixGL", - "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5", - "type": "github" - }, - "original": { - "owner": "guibou", - "repo": "nixGL", - "type": "github" - } - }, - "nixgl_2": { - "inputs": { - "flake-utils": "flake-utils_8", + "flake-utils": "flake-utils_5", "nixpkgs": "nixpkgs_12" }, "locked": { - "lastModified": 1752054764, - "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=", + "lastModified": 1762090880, + "narHash": "sha256-fbRQzIGPkjZa83MowjbD2ALaJf9y6KMDdJBQMKFeY/8=", "owner": "guibou", "repo": "nixGL", - "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5", - "type": "github" - }, - "original": { - "owner": "guibou", - "repo": "nixGL", - "type": "github" - } - }, - "nixgl_3": { - "inputs": { - "flake-utils": "flake-utils_11", - "nixpkgs": "nixpkgs_20" - }, - "locked": { - "lastModified": 1752054764, - "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=", - "owner": "guibou", - "repo": "nixGL", - "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5", - "type": "github" - }, - "original": { - "owner": "guibou", - "repo": "nixGL", - "type": "github" - } - }, - "nixgl_4": { - "inputs": { - "flake-utils": "flake-utils_13", - "nixpkgs": "nixpkgs_28" - }, - "locked": { - "lastModified": 1752054764, - "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=", - "owner": "guibou", - "repo": "nixGL", - "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5", - "type": "github" - }, - "original": { - "owner": "guibou", - "repo": "nixGL", - "type": "github" - } - }, - "nixgl_5": { - "inputs": { - "flake-utils": "flake-utils_15", - "nixpkgs": "nixpkgs_36" - }, - "locked": { - "lastModified": 1752054764, - "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=", - "owner": 
"guibou", - "repo": "nixGL", - "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5", - "type": "github" - }, - "original": { - "owner": "guibou", - "repo": "nixGL", - "type": "github" - } - }, - "nixgl_6": { - "inputs": { - "flake-utils": "flake-utils_17", - "nixpkgs": "nixpkgs_44" - }, - "locked": { - "lastModified": 1752054764, - "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=", - "owner": "guibou", - "repo": "nixGL", - "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5", - "type": "github" - }, - "original": { - "owner": "guibou", - "repo": "nixGL", - "type": "github" - } - }, - "nixgl_7": { - "inputs": { - "flake-utils": "flake-utils_19", - "nixpkgs": "nixpkgs_52" - }, - "locked": { - "lastModified": 1751696036, - "narHash": "sha256-hXq4IOgSdAAaF/9q/2U8TBDL7aXZyQmtq4wl6USZjKo=", - "owner": "guibou", - "repo": "nixGL", - "rev": "d47b0db35dfa693c10f7c378043dcc6121d3f4ec", - "type": "github" - }, - "original": { - "owner": "guibou", - "repo": "nixGL", - "type": "github" - } - }, - "nixgl_8": { - "inputs": { - "flake-utils": "flake-utils_21", - "nixpkgs": "nixpkgs_60" - }, - "locked": { - "lastModified": 1751696036, - "narHash": "sha256-hXq4IOgSdAAaF/9q/2U8TBDL7aXZyQmtq4wl6USZjKo=", - "owner": "guibou", - "repo": "nixGL", - "rev": "d47b0db35dfa693c10f7c378043dcc6121d3f4ec", + "rev": "b6105297e6f0cd041670c3e8628394d4ee247ed5", "type": "github" }, "original": { 
@@ -7344,118 +1373,11 @@ "type": "github" } }, - "nixlib_2": { - "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixlib_3": { - "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixlib_4": { - "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixlib_5": { - "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixlib_6": { - "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixlib_7": { - "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", - "owner": "nix-community", - "repo": 
"nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixlib_8": { - "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, "nixos-extra-modules": { "inputs": { "devshell": "devshell_3", - "flake-parts": "flake-parts_3", - "nixpkgs": [ - "nixpkgs" - ], + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs_13", "nixt": "nixt", "pre-commit-hooks": "pre-commit-hooks_2" }, @@ -7469,6 +1391,7 @@ }, "original": { "owner": "oddlama", + "ref": "main", "repo": "nixos-extra-modules", "type": "github" } 
@@ -7476,184 +1399,7 @@ "nixos-generators": { "inputs": { "nixlib": "nixlib", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixos-generators_2": { - "inputs": { - "nixlib": "nixlib_2", - "nixpkgs": [ - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixos-generators_3": { - "inputs": { - "nixlib": "nixlib_3", - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixos-generators_4": { - "inputs": { - "nixlib": "nixlib_4", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixos-generators_5": { - "inputs": { - "nixlib": "nixlib_5", - "nixpkgs": [ - "swarsel", - "swarsel", - 
"swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixos-generators_6": { - "inputs": { - "nixlib": "nixlib_6", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixos-generators_7": { - "inputs": { - "nixlib": "nixlib_7", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixos-generators_8": { - "inputs": { - "nixlib": "nixlib_8", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] + "nixpkgs": "nixpkgs_15" }, "locked": { "lastModified": 1751903740, 
@@ -7671,11 +1417,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1761933221, - "narHash": "sha256-rNHeoG3ZrA94jczyLSjxCtu67YYPYIlXXr0uhG3wNxM=", + "lastModified": 1762847253, + "narHash": "sha256-BWWnUUT01lPwCWUvS0p6Px5UOBFeXJ8jR+ZdLX8IbrU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "7467f155fcba189eb088a7601f44fbef7688669b", + "rev": "899dc449bc6428b9ee6b3b8f771ca2b0ef945ab9", "type": "github" }, "original": { 
@@ -7685,253 +1431,83 @@ "type": "github" } }, - "nixos-hardware_2": { + "nixos-images": { + "inputs": { + "nixos-stable": "nixos-stable", + "nixos-unstable": "nixos-unstable" + }, "locked": { - "lastModified": 1760106635, - "narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903", + "lastModified": 1763686321, + "narHash": "sha256-csmQ+rYF54VReDExlDQynz4rPgdu5nb+fzDDPB/HJkM=", + "owner": "Swarsel", + "repo": "nixos-images", + "rev": "f4744a931548edb964a7d0e4678ca9d56a7f158e", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", + "owner": "Swarsel", + "ref": "main", + "repo": "nixos-images", "type": "github" } }, - "nixos-hardware_3": { + "nixos-stable": { "locked": { - "lastModified": 1759582739, - "narHash": "sha256-spZegilADH0q5OngM86u6NmXxduCNv5eX9vCiUPhOYc=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "3441b5242af7577230a78ffb03542add264179ab", - "type": "github" + "lastModified": 1749237914, + "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=", + "ref": "nixos-25.05", + "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265", + "shallow": true, + "type": "git", + "url": "https://github.com/NixOS/nixpkgs" }, "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" + "ref": "nixos-25.05", + "shallow": true, + "type": "git", + "url": "https://github.com/NixOS/nixpkgs" } }, - "nixos-hardware_4": { + "nixos-unstable": { "locked": { - "lastModified": 1758663926, - "narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1", - "type": "github" + "lastModified": 1749401433, + "narHash": "sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc=", + "ref": "nixpkgs-unstable", + "rev": "08fcb0dcb59df0344652b38ea6326a2d8271baff", + "shallow": true, + 
"type": "git", + "url": "https://github.com/NixOS/nixpkgs" }, "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" - } - }, - "nixos-hardware_5": { - "locked": { - "lastModified": 1757891025, - "narHash": "sha256-NfiTk59huy/YK9H4W4wVwRYyiP2u86QqROM5KK4f5F4=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "4c38a024fa32e61db2be8573e5282b15d9733a79", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" - } - }, - "nixos-hardware_6": { - "locked": { - "lastModified": 1754564048, - "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" - } - }, - "nixos-hardware_7": { - "locked": { - "lastModified": 1751432711, - "narHash": "sha256-136MeWtckSHTN9Z2WRNRdZ8oRP3vyx3L8UxeBYE+J9w=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "497ae1357f1ac97f1aea31a4cb74ad0d534ef41f", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" - } - }, - "nixos-hardware_8": { - "locked": { - "lastModified": 1751432711, - "narHash": "sha256-136MeWtckSHTN9Z2WRNRdZ8oRP3vyx3L8UxeBYE+J9w=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "497ae1357f1ac97f1aea31a4cb74ad0d534ef41f", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" + "ref": "nixpkgs-unstable", + "shallow": true, + "type": "git", + "url": "https://github.com/NixOS/nixpkgs" } }, "nixpkgs": { "locked": { - "lastModified": 1754243818, - "narHash": "sha256-sEPw2W01UPf0xNGnMGNZIaE1XHkk7O+lLLetYEXVZHk=", + "lastModified": 1763934636, + "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=", "owner": 
"NixOS", "repo": "nixpkgs", - "rev": "c460617dfb709a67d18bb31e15e455390ee4ee1c", + "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable-small", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-dev": { "locked": { - "lastModified": 1762578095, - "narHash": "sha256-uW5Ff1H/lVvsKcNXtU7COQifqnRQ5i/YTEPGQwundNQ=", + "lastModified": 1763648956, + "narHash": "sha256-JBATYs0HPlATioA2kYFwUAsnzWv9Bd2tXqeCOr/ix6I=", "owner": "Swarsel", "repo": "nixpkgs", - "rev": "a99a76ccf7bfbb8c5d6129e6ff69413c6db55c1a", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-dev_2": { - "locked": { - "lastModified": 1761589965, - "narHash": "sha256-ZtypYmGwo7wUOo88UKVAdUZCYCpvFM8O0bEmI7+NW5k=", - "owner": "Swarsel", - "repo": "nixpkgs", - "rev": "ed3254fbd834e5bfbf6bc9586d57307a92f1a269", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-dev_3": { - "locked": { - "lastModified": 1759233809, - "narHash": "sha256-ww6JlKuclxzcBb+cb4GCnVw4PtI+7xd3J9/ctINWKeA=", - "owner": "Swarsel", - "repo": "nixpkgs", - "rev": "d3e334a2a4f9d50568bf03ec62cd445faac7ce9e", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-dev_4": { - "locked": { - "lastModified": 1758012660, - "narHash": "sha256-f3jC14FeFhapXEKzk4Hfy3LXxZ2PIpmCxciVniHXSLA=", - "owner": "Swarsel", - "repo": "nixpkgs", - "rev": "3c0bb56bf5189fd91ead7e1443976301a42fac37", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-dev_5": { - "locked": { - "lastModified": 1758012660, - "narHash": "sha256-f3jC14FeFhapXEKzk4Hfy3LXxZ2PIpmCxciVniHXSLA=", - "owner": "Swarsel", - "repo": "nixpkgs", - "rev": 
"3c0bb56bf5189fd91ead7e1443976301a42fac37", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-dev_6": { - "locked": { - "lastModified": 1756088794, - "narHash": "sha256-aBaRmk3lNNUm/1H1Jf6hA8miLg3HsYEhcuxUXTGa2gw=", - "owner": "Swarsel", - "repo": "nixpkgs", - "rev": "2d9f8b36adb25667fbc313f141444dea4d496850", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-dev_7": { - "locked": { - "lastModified": 1752736260, - "narHash": "sha256-90Gt98hmw/20aOAd7KaSW6otXu7MOBctRmI9RlXD/s0=", - "owner": "Swarsel", - "repo": "nixpkgs", - "rev": "169c3483f7c06fbb58c9346e4d9d112c8aa7827e", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-dev_8": { - "locked": { - "lastModified": 1752440522, - "narHash": "sha256-CInQkEG3f8XwIBQxYFhuFCT+T++JPstThfifAMD0yRk=", - "owner": "Swarsel", - "repo": "nixpkgs", - "rev": "1f569e3bd49502cb4ec312214662d93619cf2c54", + "rev": "230b56741730ede84e7e488d11cb34044f5b54c7", "type": "github" }, "original": { 
@@ -7957,118 +1533,6 @@ "type": "github" } }, - "nixpkgs-docs_2": { - "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-docs_3": { - "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-docs_4": { - "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-docs_5": { - "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-docs_6": { - "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-docs_7": { - "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", - 
"owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-docs_8": { - "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-for-bootstrap": { "locked": { "lastModified": 1720244366, 
@@ -8085,118 +1549,6 @@ "type": "github" } }, - "nixpkgs-for-bootstrap_2": { - "locked": { - "lastModified": 1720244366, - "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - } - }, - "nixpkgs-for-bootstrap_3": { - "locked": { - "lastModified": 1720244366, - "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - } - }, - "nixpkgs-for-bootstrap_4": { - "locked": { - "lastModified": 1720244366, - "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - } - }, - "nixpkgs-for-bootstrap_5": { - "locked": { - "lastModified": 1720244366, - "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - } - }, - "nixpkgs-for-bootstrap_6": { - "locked": { - "lastModified": 1720244366, - "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": 
"49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - } - }, - "nixpkgs-for-bootstrap_7": { - "locked": { - "lastModified": 1720244366, - "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - } - }, - "nixpkgs-for-bootstrap_8": { - "locked": { - "lastModified": 1720244366, - "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", - "type": "github" - } - }, "nixpkgs-kernel": { "locked": { "lastModified": 1748026106, 
@@ -8214,270 +1566,13 @@ "type": "github" } }, - "nixpkgs-kernel_2": { - "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - }, - "original": { - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - } - }, - "nixpkgs-kernel_3": { - "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - }, - "original": { - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - } - }, - "nixpkgs-kernel_4": { - "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - }, - "original": { - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - } - }, - "nixpkgs-kernel_5": { - "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - }, - "original": { - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - } - }, - "nixpkgs-kernel_6": { - "locked": { - "lastModified": 1748026106, - "narHash": 
"sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - }, - "original": { - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - } - }, - "nixpkgs-kernel_7": { - "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - }, - "original": { - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - } - }, - "nixpkgs-kernel_8": { - "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - }, - "original": { - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - } - }, "nixpkgs-lib": { "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "lastModified": 1761765539, + "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_10": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": 
"github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_11": { - "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - } - }, - "nixpkgs-lib_12": { - "locked": { - "lastModified": 1753579242, - "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_13": { - "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - } - }, - "nixpkgs-lib_14": { - "locked": { - "lastModified": 1751159883, - "narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "14a40a1d7fb9afa4739275ac642ed7301a9ba1ab", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_15": { - "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - }, - "original": { - "type": "tarball", - "url": 
"https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - } - }, - "nixpkgs-lib_16": { - "locked": { - "lastModified": 1751159883, - "narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "14a40a1d7fb9afa4739275ac642ed7301a9ba1ab", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_17": { - "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - } - }, - "nixpkgs-lib_18": { - "locked": { - "lastModified": 1753579242, - "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_19": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", "type": "github" }, "original": { 
@@ -8498,111 +1593,6 @@ "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" } }, - "nixpkgs-lib_20": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_21": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_22": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_23": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_24": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_25": { - "locked": { - "lastModified": 1754788789, - 
"narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_26": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, "nixpkgs-lib_3": { "locked": { "lastModified": 1719876945, 
@@ -8630,72 +1620,6 @@ "type": "github" } }, - "nixpkgs-lib_5": { - "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - } - }, - "nixpkgs-lib_6": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_7": { - "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - } - }, - "nixpkgs-lib_8": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_9": { - "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" - } - }, "nixpkgs-stable": { 
"locked": { "lastModified": 1760139962, 
@@ -8728,118 +1652,6 @@ "type": "github" } }, - "nixpkgs-stable24_05_2": { - "locked": { - "lastModified": 1735563628, - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_05_3": { - "locked": { - "lastModified": 1735563628, - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_05_4": { - "locked": { - "lastModified": 1735563628, - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_05_5": { - "locked": { - "lastModified": 1735563628, - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_05_6": { - "locked": { - "lastModified": 1735563628, - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_05_7": { - "locked": { - "lastModified": 1735563628, - "narHash": 
"sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_05_8": { - "locked": { - "lastModified": 1735563628, - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-stable24_11": { "locked": { "lastModified": 1751274312, 
@@ -8856,125 +1668,13 @@ "type": "github" } }, - "nixpkgs-stable24_11_2": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_11_3": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_11_4": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_11_5": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_11_6": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_11_7": { - "locked": { - "lastModified": 1751274312, - "narHash": 
"sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable24_11_8": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-stable25_05": { "locked": { - "lastModified": 1761597516, - "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", + "lastModified": 1763622513, + "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", + "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b", "type": "github" }, "original": { 
@@ -8984,221 +1684,13 @@ "type": "github" } }, - "nixpkgs-stable_10": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_11": { - "locked": { - "lastModified": 1758589230, - "narHash": "sha256-zMTCFGe8aVGTEr2RqUi/QzC1nOIQ0N1HRsbqB4f646k=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d1d883129b193f0b495d75c148c2c3a7d95789a0", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_12": { - "locked": { - "lastModified": 1758589230, - "narHash": "sha256-zMTCFGe8aVGTEr2RqUi/QzC1nOIQ0N1HRsbqB4f646k=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d1d883129b193f0b495d75c148c2c3a7d95789a0", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_13": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_14": { - "locked": { - "lastModified": 1757810152, - "narHash": "sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a094440e02a699be5c57453a092a8baf569bdad", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_15": { - "locked": { - "lastModified": 1757810152, - "narHash": 
"sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a094440e02a699be5c57453a092a8baf569bdad", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_16": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_17": { - "locked": { - "lastModified": 1754689972, - "narHash": "sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "fc756aa6f5d3e2e5666efcf865d190701fef150a", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_18": { - "locked": { - "lastModified": 1754689972, - "narHash": "sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "fc756aa6f5d3e2e5666efcf865d190701fef150a", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_19": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1761597516, - "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", + "lastModified": 1763622513, + "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=", "owner": "NixOS", "repo": 
"nixpkgs", - "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_20": { - "locked": { - "lastModified": 1751741127, - "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "29e290002bfff26af1db6f64d070698019460302", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_21": { - "locked": { - "lastModified": 1751274312, - "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_22": { - "locked": { - "lastModified": 1751741127, - "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "29e290002bfff26af1db6f64d070698019460302", + "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b", "type": "github" }, "original": { 
@@ -9210,107 +1702,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1761597516, - "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", + "lastModified": 1763622513, + "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_4": { - "locked": { - "lastModified": 1760139962, - "narHash": "sha256-4xggC56Rub3WInz5eD7EZWXuLXpNvJiUPahGtMkwtuc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7e297ddff44a3cc93673bb38d0374df8d0ad73e4", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_5": { - "locked": { - "lastModified": 1760139962, - "narHash": "sha256-4xggC56Rub3WInz5eD7EZWXuLXpNvJiUPahGtMkwtuc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7e297ddff44a3cc93673bb38d0374df8d0ad73e4", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_6": { - "locked": { - "lastModified": 1760139962, - "narHash": "sha256-4xggC56Rub3WInz5eD7EZWXuLXpNvJiUPahGtMkwtuc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7e297ddff44a3cc93673bb38d0374df8d0ad73e4", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_7": { - "locked": { - "lastModified": 1759580034, - "narHash": "sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3bcc93c5f7a4b30335d31f21e2f1281cba68c318", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_8": { - "locked": { - "lastModified": 
1759580034, - "narHash": "sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3bcc93c5f7a4b30335d31f21e2f1281cba68c318", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_9": { - "locked": { - "lastModified": 1759580034, - "narHash": "sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3bcc93c5f7a4b30335d31f21e2f1281cba68c318", + "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b", "type": "github" }, "original": { @@ -9322,16 +1718,15 @@ }, "nixpkgs_10": { "locked": { - "lastModified": 1754243818, - "narHash": "sha256-sEPw2W01UPf0xNGnMGNZIaE1XHkk7O+lLLetYEXVZHk=", + "lastModified": 1764086288, + "narHash": "sha256-S223/Mc4Ax75PfWySz8b44jjAnz36jUk4U+XiCfMy9I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c460617dfb709a67d18bb31e15e455390ee4ee1c", + "rev": "c4fd5c5627b75a9aa111ccd2ac4f86906f32af2a", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } 
@@ -9369,465 +1764,21 @@ }, "nixpkgs_13": { "locked": { - "lastModified": 1760284886, - "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", - "owner": "nixos", + "lastModified": 1763966396, + "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", + "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_14": { - "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_15": { - "locked": { - "lastModified": 1760284886, - "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_16": { - "locked": { - "lastModified": 1760164275, - "narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "362791944032cb532aabbeed7887a441496d5e6e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_17": { - "locked": { - "lastModified": 1758690382, - "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e643668fd71b949c53f8626614b21ff71a07379d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - 
"nixpkgs_18": { - "locked": { - "lastModified": 1754243818, - "narHash": "sha256-sEPw2W01UPf0xNGnMGNZIaE1XHkk7O+lLLetYEXVZHk=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c460617dfb709a67d18bb31e15e455390ee4ee1c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_19": { - "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_20": { - "locked": { - "lastModified": 1746378225, - "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "93e8cdce7afc64297cfec447c311470788131cd9", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_21": { - "locked": { - "lastModified": 1759381078, - "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_22": { - "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", 
- "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_23": { - "locked": { - "lastModified": 1759381078, - "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_24": { - "locked": { - "lastModified": 1759570798, - "narHash": "sha256-kbkzsUKYzKhuvMOuxt/aTwWU2mnrwoY964yN3Y4dE98=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "0d4f673a88f8405ae14484e6a1ea870e0ba4ca26", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_25": { - "locked": { - "lastModified": 1758690382, - "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e643668fd71b949c53f8626614b21ff71a07379d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_26": { - "locked": { - "lastModified": 1754243818, - "narHash": "sha256-sEPw2W01UPf0xNGnMGNZIaE1XHkk7O+lLLetYEXVZHk=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c460617dfb709a67d18bb31e15e455390ee4ee1c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_27": { - "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_28": { - "locked": { - "lastModified": 
1746378225, - "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "93e8cdce7afc64297cfec447c311470788131cd9", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_29": { - "locked": { - "lastModified": 1758427187, - "narHash": "sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "554be6495561ff07b6c724047bdd7e0716aa7b46", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1746378225, - "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "93e8cdce7afc64297cfec447c311470788131cd9", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_30": { - "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_31": { - "locked": { - "lastModified": 1758427187, - "narHash": "sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "554be6495561ff07b6c724047bdd7e0716aa7b46", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_32": { - "locked": { - "lastModified": 1758262103, - "narHash": "sha256-aBGl3XEOsjWw6W3AHiKibN7FeoG73dutQQEqnd/etR8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "12bd230118a1901a4a5d393f9f56b6ad7e571d01", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": 
"nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_33": { - "locked": { - "lastModified": 1756819007, - "narHash": "sha256-12V64nKG/O/guxSYnr5/nq1EfqwJCdD2+cIGmhz3nrE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "aaff8c16d7fc04991cac6245bee1baa31f72b1e1", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_34": { - "locked": { - "lastModified": 1754243818, - "narHash": "sha256-sEPw2W01UPf0xNGnMGNZIaE1XHkk7O+lLLetYEXVZHk=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c460617dfb709a67d18bb31e15e455390ee4ee1c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_35": { - "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_36": { - "locked": { - "lastModified": 1746378225, - "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "93e8cdce7afc64297cfec447c311470788131cd9", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_37": { - "locked": { - "lastModified": 1757745802, - "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_38": { - "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", - 
"repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_39": { - "locked": { - "lastModified": 1757745802, - "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { "locked": { "lastModified": 1677063315, "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=", @@ -9843,13 +1794,13 @@ "type": "github" } }, - "nixpkgs_40": { + "nixpkgs_15": { "locked": { - "lastModified": 1757746433, - "narHash": "sha256-fEvTiU4s9lWgW7mYEU/1QUPirgkn+odUBTaindgiziY=", + "lastModified": 1763934636, + "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6d7ec06d6868ac6d94c371458fc2391ded9ff13d", + "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261", "type": "github" }, "original": { 
@@ -9859,29 +1810,93 @@ "type": "github" } }, - "nixpkgs_41": { + "nixpkgs_16": { "locked": { - "lastModified": 1756819007, - "narHash": "sha256-12V64nKG/O/guxSYnr5/nq1EfqwJCdD2+cIGmhz3nrE=", - "owner": "NixOS", + "lastModified": 1763835633, + "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "aaff8c16d7fc04991cac6245bee1baa31f72b1e1", + "rev": "050e09e091117c3d7328c7b2b7b577492c43c134", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs_42": { + "nixpkgs_17": { "locked": { - "lastModified": 1754243818, - "narHash": "sha256-sEPw2W01UPf0xNGnMGNZIaE1XHkk7O+lLLetYEXVZHk=", + "lastModified": 1720957393, + "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_18": { + "locked": { + "lastModified": 1763835633, + "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "050e09e091117c3d7328c7b2b7b577492c43c134", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_19": { + "locked": { + "lastModified": 1763934636, + "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c460617dfb709a67d18bb31e15e455390ee4ee1c", + "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1763934636, + "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=", + "owner": "NixOS", + "repo": 
"nixpkgs", + "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_20": { + "locked": { + "lastModified": 1763553727, + "narHash": "sha256-4aRqRkYHplWk0mrtoF5i3Uo73E3niOWiUZU8kmPm9hQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "094318ea16502a7a81ce90dd3638697020f030a2", "type": "github" }, "original": { 
@@ -9891,92 +1906,13 @@ "type": "github" } }, - "nixpkgs_43": { + "nixpkgs_21": { "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", + "lastModified": 1763618868, + "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_44": { - "locked": { - "lastModified": 1746378225, - "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "93e8cdce7afc64297cfec447c311470788131cd9", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_45": { - "locked": { - "lastModified": 1754498491, - "narHash": "sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c2ae88e026f9525daf89587f3cbee584b92b6134", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_46": { - "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_47": { - "locked": { - "lastModified": 1754498491, - "narHash": "sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c2ae88e026f9525daf89587f3cbee584b92b6134", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_48": { - "locked": { - "lastModified": 1744868846, - 
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942", "type": "github" }, "original": { @@ -9986,13 +1922,13 @@ "type": "github" } }, - "nixpkgs_49": { + "nixpkgs_22": { "locked": { - "lastModified": 1751792365, - "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", + "lastModified": 1763966396, + "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", + "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", "type": "github" }, "original": { @@ -10002,45 +1938,13 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_23": { "locked": { - "lastModified": 1761907660, - "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_50": { - "locked": { - "lastModified": 1751203939, - "narHash": "sha256-omYD+H5LlSihz2DRfv90I8Oeo7JNEwvcHPHX+6nMIM4=", + "lastModified": 1762977756, + "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "650e71cbf76de8dd16f5648a96981b726c4ef8fe", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_51": { - "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", + "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", "type": "github" }, "original": { 
@@ -10050,28 +1954,13 @@ "type": "github" } }, - "nixpkgs_52": { + "nixpkgs_24": { "locked": { - "lastModified": 1746378225, - "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", + "lastModified": 1763966396, + "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "93e8cdce7afc64297cfec447c311470788131cd9", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_53": { - "locked": { - "lastModified": 1751792365, - "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", + "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", "type": "github" }, "original": { 
@@ -10081,502 +1970,7 @@ "type": "github" } }, - "nixpkgs_54": { - "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_55": { - "locked": { - "lastModified": 1751792365, - "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_56": { - "locked": { - "lastModified": 1744868846, - "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_57": { - "locked": { - "lastModified": 1748460289, - "narHash": "sha256-7doLyJBzCllvqX4gszYtmZUToxKvMUrg45EUWaUYmBg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_58": { - "locked": { - "lastModified": 1751203939, - "narHash": "sha256-omYD+H5LlSihz2DRfv90I8Oeo7JNEwvcHPHX+6nMIM4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "650e71cbf76de8dd16f5648a96981b726c4ef8fe", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_59": { - "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", - "owner": 
"NixOS", - "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_6": { - "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_60": { - "locked": { - "lastModified": 1746378225, - "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "93e8cdce7afc64297cfec447c311470788131cd9", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_61": { - "locked": { - "lastModified": 1751792365, - "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_62": { - "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_63": { - "locked": { - "lastModified": 1751792365, - "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - 
"nixpkgs_64": { - "locked": { - "lastModified": 1744868846, - "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_65": { - "locked": { - "lastModified": 1748460289, - "narHash": "sha256-7doLyJBzCllvqX4gszYtmZUToxKvMUrg45EUWaUYmBg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_66": { - "locked": { - "lastModified": 1750865895, - "narHash": "sha256-p2dWAQcLVzquy9LxYCZPwyUdugw78Qv3ChvnX755qHA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "61c0f513911459945e2cb8bf333dc849f1b976ff", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_67": { - "locked": { - "lastModified": 1750865895, - "narHash": "sha256-p2dWAQcLVzquy9LxYCZPwyUdugw78Qv3ChvnX755qHA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "61c0f513911459945e2cb8bf333dc849f1b976ff", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_68": { - "locked": { - "lastModified": 1755615617, - "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "20075955deac2583bb12f07151c2df830ef346b4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_69": { - "locked": { - "lastModified": 1750865895, - "narHash": "sha256-p2dWAQcLVzquy9LxYCZPwyUdugw78Qv3ChvnX755qHA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": 
"61c0f513911459945e2cb8bf333dc849f1b976ff", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_7": { - "locked": { - "lastModified": 1761907660, - "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_70": { - "locked": { - "lastModified": 1757745802, - "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_71": { - "locked": { - "lastModified": 1754800730, - "narHash": "sha256-HfVZCXic9XLBgybP0318ym3cDnGwBs/+H5MgxFVYF4I=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "641d909c4a7538f1539da9240dedb1755c907e40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_72": { - "locked": { - "lastModified": 1758427187, - "narHash": "sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "554be6495561ff07b6c724047bdd7e0716aa7b46", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_73": { - "locked": { - "lastModified": 1754800730, - "narHash": "sha256-HfVZCXic9XLBgybP0318ym3cDnGwBs/+H5MgxFVYF4I=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "641d909c4a7538f1539da9240dedb1755c907e40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - 
"nixpkgs_74": { - "locked": { - "lastModified": 1759381078, - "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_75": { - "locked": { - "lastModified": 1759733170, - "narHash": "sha256-TXnlsVb5Z8HXZ6mZoeOAIwxmvGHp1g4Dw89eLvIwKVI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "8913c168d1c56dc49a7718685968f38752171c3b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_76": { - "locked": { - "lastModified": 1754800730, - "narHash": "sha256-HfVZCXic9XLBgybP0318ym3cDnGwBs/+H5MgxFVYF4I=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "641d909c4a7538f1539da9240dedb1755c907e40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_77": { - "locked": { - "lastModified": 1760284886, - "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_78": { - "locked": { - "lastModified": 1759733170, - "narHash": "sha256-TXnlsVb5Z8HXZ6mZoeOAIwxmvGHp1g4Dw89eLvIwKVI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "8913c168d1c56dc49a7718685968f38752171c3b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_79": { - "locked": { - "lastModified": 1754800730, - "narHash": "sha256-HfVZCXic9XLBgybP0318ym3cDnGwBs/+H5MgxFVYF4I=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": 
"641d909c4a7538f1539da9240dedb1755c907e40", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_8": { - "locked": { - "lastModified": 1760596604, - "narHash": "sha256-J/i5K6AAz/y5dBePHQOuzC7MbhyTOKsd/GLezSbEFiM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3cbe716e2346710d6e1f7c559363d14e11c32a43", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_80": { - "locked": { - "lastModified": 1761907660, - "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_81": { - "locked": { - "lastModified": 1759733170, - "narHash": "sha256-TXnlsVb5Z8HXZ6mZoeOAIwxmvGHp1g4Dw89eLvIwKVI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "8913c168d1c56dc49a7718685968f38752171c3b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_82": { + "nixpkgs_25": { "locked": { "lastModified": 1761236834, "narHash": "sha256-+pthv6hrL5VLW2UqPdISGuLiUZ6SnAXdd2DdUE+fV2Q=", @@ -10592,7 +1986,23 @@ "type": "github" } }, - "nixpkgs_83": { + "nixpkgs_26": { + "locked": { + "lastModified": 1751274312, + "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_27": { "locked": { "lastModified": 1754800730, "narHash": "sha256-HfVZCXic9XLBgybP0318ym3cDnGwBs/+H5MgxFVYF4I=", 
@@ -10608,13 +2018,28 @@ "type": "github" } }, - "nixpkgs_9": { + "nixpkgs_3": { "locked": { - "lastModified": 1758690382, - "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", + "lastModified": 1764086288, + "narHash": "sha256-S223/Mc4Ax75PfWySz8b44jjAnz36jUk4U+XiCfMy9I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e643668fd71b949c53f8626614b21ff71a07379d", + "rev": "c4fd5c5627b75a9aa111ccd2ac4f86906f32af2a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1763966396, + "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", "type": "github" }, "original": { 
@@ -10624,9 +2049,89 @@ "type": "github" } }, + "nixpkgs_5": { + "locked": { + "lastModified": 1763678758, + "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "117cc7f94e8072499b0a7aa4c52084fa4e11cc9b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1763966396, + "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_7": { + "locked": { + "lastModified": 1763966396, + "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_8": { + "locked": { + "lastModified": 1763934636, + "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_9": { + "locked": { + "lastModified": 1748929857, + "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixt": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "nixpkgs": [ "nixos-extra-modules", "nixpkgs" 
@@ -10664,164 +2169,6 @@ "type": "gitlab" } }, - "nmd_10": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs-docs" - ], - "scss-reset": "scss-reset_5" - }, - "locked": { - "lastModified": 1705050560, - "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", - "owner": "~rycee", - "repo": "nmd", - "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", - "type": "sourcehut" - }, - "original": { - "owner": "~rycee", - "repo": "nmd", - "type": "sourcehut" - } - }, - "nmd_11": { - "flake": false, - "locked": { - "lastModified": 1666190571, - "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=", - "owner": "rycee", - "repo": "nmd", - "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmd", - "type": "gitlab" - } - }, - "nmd_12": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs-docs" - ], - "scss-reset": "scss-reset_6" - }, - "locked": { - "lastModified": 1705050560, - "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", - "owner": "~rycee", - "repo": "nmd", - "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", - "type": "sourcehut" - }, - "original": { - "owner": "~rycee", - "repo": "nmd", - "type": "sourcehut" - } - }, - "nmd_13": { - "flake": false, - "locked": { - "lastModified": 1666190571, - "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=", - "owner": "rycee", - "repo": "nmd", - "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmd", - "type": "gitlab" - } - }, - "nmd_14": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs-docs" - ], - "scss-reset": "scss-reset_7" - }, - "locked": { - "lastModified": 1705050560, - "narHash": 
"sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", - "owner": "~rycee", - "repo": "nmd", - "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", - "type": "sourcehut" - }, - "original": { - "owner": "~rycee", - "repo": "nmd", - "type": "sourcehut" - } - }, - "nmd_15": { - "flake": false, - "locked": { - "lastModified": 1666190571, - "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=", - "owner": "rycee", - "repo": "nmd", - "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmd", - "type": "gitlab" - } - }, - "nmd_16": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs-docs" - ], - "scss-reset": "scss-reset_8" - }, - "locked": { - "lastModified": 1705050560, - "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", - "owner": "~rycee", - "repo": "nmd", - "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", - "type": "sourcehut" - }, - "original": { - "owner": "~rycee", - "repo": "nmd", - "type": "sourcehut" - } - }, "nmd_2": { "inputs": { "nixpkgs": [ 
@@ -10844,142 +2191,6 @@ "type": "sourcehut" } }, - "nmd_3": { - "flake": false, - "locked": { - "lastModified": 1666190571, - "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=", - "owner": "rycee", - "repo": "nmd", - "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmd", - "type": "gitlab" - } - }, - "nmd_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nix-on-droid", - "nixpkgs-docs" - ], - "scss-reset": "scss-reset_2" - }, - "locked": { - "lastModified": 1705050560, - "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", - "owner": "~rycee", - "repo": "nmd", - "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", - "type": "sourcehut" - }, - "original": { - "owner": "~rycee", - "repo": "nmd", - "type": "sourcehut" - } - }, - "nmd_5": { - "flake": false, - "locked": { - "lastModified": 1666190571, - "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=", - "owner": "rycee", - "repo": "nmd", - "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmd", - "type": "gitlab" - } - }, - "nmd_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs-docs" - ], - "scss-reset": "scss-reset_3" - }, - "locked": { - "lastModified": 1705050560, - "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", - "owner": "~rycee", - "repo": "nmd", - "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", - "type": "sourcehut" - }, - "original": { - "owner": "~rycee", - "repo": "nmd", - "type": "sourcehut" - } - }, - "nmd_7": { - "flake": false, - "locked": { - "lastModified": 1666190571, - "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=", - "owner": "rycee", - "repo": "nmd", - "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmd", - "type": "gitlab" - } - }, - "nmd_8": { - "inputs": { - 
"nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nix-on-droid", - "nixpkgs-docs" - ], - "scss-reset": "scss-reset_4" - }, - "locked": { - "lastModified": 1705050560, - "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", - "owner": "~rycee", - "repo": "nmd", - "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", - "type": "sourcehut" - }, - "original": { - "owner": "~rycee", - "repo": "nmd", - "type": "sourcehut" - } - }, - "nmd_9": { - "flake": false, - "locked": { - "lastModified": 1666190571, - "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=", - "owner": "rycee", - "repo": "nmd", - "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmd", - "type": "gitlab" - } - }, "nmt": { "flake": false, "locked": { 
@@ -10996,118 +2207,6 @@ "type": "gitlab" } }, - "nmt_2": { - "flake": false, - "locked": { - "lastModified": 1648075362, - "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", - "owner": "rycee", - "repo": "nmt", - "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmt", - "type": "gitlab" - } - }, - "nmt_3": { - "flake": false, - "locked": { - "lastModified": 1648075362, - "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", - "owner": "rycee", - "repo": "nmt", - "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmt", - "type": "gitlab" - } - }, - "nmt_4": { - "flake": false, - "locked": { - "lastModified": 1648075362, - "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", - "owner": "rycee", - "repo": "nmt", - "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmt", - "type": "gitlab" - } - }, - "nmt_5": { - "flake": false, - "locked": { - "lastModified": 1648075362, - "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", - "owner": "rycee", - "repo": "nmt", - "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmt", - "type": "gitlab" - } - }, - "nmt_6": { - "flake": false, - "locked": { - "lastModified": 1648075362, - "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", - "owner": "rycee", - "repo": "nmt", - "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmt", - "type": "gitlab" - } - }, - "nmt_7": { - "flake": false, - "locked": { - "lastModified": 1648075362, - "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", - "owner": "rycee", - "repo": "nmt", - "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", - "type": "gitlab" - }, - 
"original": { - "owner": "rycee", - "repo": "nmt", - "type": "gitlab" - } - }, - "nmt_8": { - "flake": false, - "locked": { - "lastModified": 1648075362, - "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", - "owner": "rycee", - "repo": "nmt", - "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmt", - "type": "gitlab" - } - }, "nosys": { "locked": { "lastModified": 1668010795, 
@@ -11125,141 +2224,8 @@ }, "nswitch-rcm-nix": { "inputs": { - "flake-parts": "flake-parts_4", - "nixpkgs": "nixpkgs_6" - }, - "locked": { - "lastModified": 1721304043, - "narHash": "sha256-8mY9tdjo44E23xGMcUFA2a1tUcEpz7oK5upuZZ9v5SU=", - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "rev": "b45dc5d673631c97a4b8379926de89a66561d6dc", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "type": "github" - } - }, - "nswitch-rcm-nix_2": { - "inputs": { - "flake-parts": "flake-parts_9", - "nixpkgs": "nixpkgs_14" - }, - "locked": { - "lastModified": 1721304043, - "narHash": "sha256-8mY9tdjo44E23xGMcUFA2a1tUcEpz7oK5upuZZ9v5SU=", - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "rev": "b45dc5d673631c97a4b8379926de89a66561d6dc", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "type": "github" - } - }, - "nswitch-rcm-nix_3": { - "inputs": { - "flake-parts": "flake-parts_14", - "nixpkgs": "nixpkgs_22" - }, - "locked": { - "lastModified": 1721304043, - "narHash": "sha256-8mY9tdjo44E23xGMcUFA2a1tUcEpz7oK5upuZZ9v5SU=", - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "rev": "b45dc5d673631c97a4b8379926de89a66561d6dc", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "type": "github" - } - }, - "nswitch-rcm-nix_4": { - "inputs": { - "flake-parts": "flake-parts_19", - "nixpkgs": "nixpkgs_30" - }, - "locked": { - "lastModified": 1721304043, - "narHash": "sha256-8mY9tdjo44E23xGMcUFA2a1tUcEpz7oK5upuZZ9v5SU=", - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "rev": "b45dc5d673631c97a4b8379926de89a66561d6dc", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "type": "github" - } - }, - "nswitch-rcm-nix_5": { - "inputs": { - "flake-parts": "flake-parts_24", - "nixpkgs": "nixpkgs_38" - }, - "locked": { - "lastModified": 1721304043, - "narHash": "sha256-8mY9tdjo44E23xGMcUFA2a1tUcEpz7oK5upuZZ9v5SU=", - 
"owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "rev": "b45dc5d673631c97a4b8379926de89a66561d6dc", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "type": "github" - } - }, - "nswitch-rcm-nix_6": { - "inputs": { - "flake-parts": "flake-parts_29", - "nixpkgs": "nixpkgs_46" - }, - "locked": { - "lastModified": 1721304043, - "narHash": "sha256-8mY9tdjo44E23xGMcUFA2a1tUcEpz7oK5upuZZ9v5SU=", - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "rev": "b45dc5d673631c97a4b8379926de89a66561d6dc", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "type": "github" - } - }, - "nswitch-rcm-nix_7": { - "inputs": { - "flake-parts": "flake-parts_34", - "nixpkgs": "nixpkgs_54" - }, - "locked": { - "lastModified": 1721304043, - "narHash": "sha256-8mY9tdjo44E23xGMcUFA2a1tUcEpz7oK5upuZZ9v5SU=", - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "rev": "b45dc5d673631c97a4b8379926de89a66561d6dc", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": "nswitch-rcm-nix", - "type": "github" - } - }, - "nswitch-rcm-nix_8": { - "inputs": { - "flake-parts": "flake-parts_39", - "nixpkgs": "nixpkgs_62" + "flake-parts": "flake-parts_3", + "nixpkgs": "nixpkgs_17" }, "locked": { "lastModified": 1721304043, 
@@ -11277,218 +2243,15 @@ }, "nur": { "inputs": { - "flake-parts": "flake-parts_5", - "nixpkgs": "nixpkgs_7" + "flake-parts": "flake-parts_4", + "nixpkgs": "nixpkgs_18" }, "locked": { - "lastModified": 1762033460, - "narHash": "sha256-RXBIqO8fcw/kiveRGxFVA+j6hPJkB6ikg0I1/pueud0=", + "lastModified": 1763996502, + "narHash": "sha256-pJGdiniI2GntAsMSLBo8sNmb61XJ7Jl9vLayMl57qUo=", "owner": "nix-community", "repo": "NUR", - "rev": "c5403cdf368174b0792dd0a155f8e5bc8f0bade7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_10": { - "inputs": { - "flake-parts": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "flake-parts" - ], - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756961635, - "narHash": "sha256-hETvQcILTg5kChjYNns1fD5ELdsYB/VVgVmBtqKQj9A=", - "owner": "nix-community", - "repo": "NUR", - "rev": "6ca27b2654ac55e3f6e0ca434c1b4589ae22b370", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_11": { - "inputs": { - "flake-parts": "flake-parts_30", - "nixpkgs": "nixpkgs_47" - }, - "locked": { - "lastModified": 1754726338, - "narHash": "sha256-Zz4zAgAvgXwAzkJuhuoYFpQ9eJs/vtaYCso+rfwahsw=", - "owner": "nix-community", - "repo": "NUR", - "rev": "ab1e2e53a418b3907f87c24ce277975438f1bd78", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_12": { - "inputs": { - "flake-parts": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "flake-parts" - ], - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751906969, - "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=", - "owner": "nix-community", - "repo": "NUR", - "rev": 
"ddb679f4131e819efe3bbc6457ba19d7ad116f25", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_13": { - "inputs": { - "flake-parts": "flake-parts_35", - "nixpkgs": "nixpkgs_55" - }, - "locked": { - "lastModified": 1751906969, - "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=", - "owner": "nix-community", - "repo": "NUR", - "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_14": { - "inputs": { - "flake-parts": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "flake-parts" - ], - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1748730660, - "narHash": "sha256-5LKmRYKdPuhm8j5GFe3AfrJL8dd8o57BQ34AGjJl1R0=", - "owner": "nix-community", - "repo": "NUR", - "rev": "2c0bc52fe14681e9ef60e3553888c4f086e46ecb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_15": { - "inputs": { - "flake-parts": "flake-parts_40", - "nixpkgs": "nixpkgs_63" - }, - "locked": { - "lastModified": 1751906969, - "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=", - "owner": "nix-community", - "repo": "NUR", - "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_16": { - "inputs": { - "flake-parts": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "flake-parts" - ], - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix_2" - }, - "locked": { - 
"lastModified": 1748730660, - "narHash": "sha256-5LKmRYKdPuhm8j5GFe3AfrJL8dd8o57BQ34AGjJl1R0=", - "owner": "nix-community", - "repo": "NUR", - "rev": "2c0bc52fe14681e9ef60e3553888c4f086e46ecb", + "rev": "dad4410a04874ea636c9ebae579b74342f04ea20", "type": "github" }, "original": { 
@@ -11522,169 +2285,6 @@ "type": "github" } }, - "nur_3": { - "inputs": { - "flake-parts": "flake-parts_10", - "nixpkgs": "nixpkgs_15" - }, - "locked": { - "lastModified": 1760434122, - "narHash": "sha256-PICj8/WLB+WSVv6d09i9n0pY2jobzDLhDijebTmwslQ=", - "owner": "nix-community", - "repo": "NUR", - "rev": "53775ebf6ee76abaa2a4462393ea26b1bbe6f655", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_4": { - "inputs": { - "flake-parts": [ - "swarsel", - "stylix", - "flake-parts" - ], - "nixpkgs": [ - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758998580, - "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", - "owner": "nix-community", - "repo": "NUR", - "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_5": { - "inputs": { - "flake-parts": "flake-parts_15", - "nixpkgs": "nixpkgs_23" - }, - "locked": { - "lastModified": 1759783224, - "narHash": "sha256-QTsVtR+MhvH6QTFcn31Jubm7qXltInAhTFdtsPifcbA=", - "owner": "nix-community", - "repo": "NUR", - "rev": "9d6e275d4f74ac272aef29fb9845ea7da6559de6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_6": { - "inputs": { - "flake-parts": [ - "swarsel", - "swarsel", - "stylix", - "flake-parts" - ], - "nixpkgs": [ - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758998580, - "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", - "owner": "nix-community", - "repo": "NUR", - "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_7": { - "inputs": { - "flake-parts": "flake-parts_20", - "nixpkgs": "nixpkgs_31" - }, - "locked": { - "lastModified": 1758706012, - 
"narHash": "sha256-Gee6jqg2BLBwG6uv/U7xEQRuBobbKJOLIm5/KfpcYq4=", - "owner": "nix-community", - "repo": "NUR", - "rev": "8f016c352545dc7d55969e1ab3f1dc2f01cdb3e4", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_8": { - "inputs": { - "flake-parts": [ - "swarsel", - "swarsel", - "swarsel", - "stylix", - "flake-parts" - ], - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756961635, - "narHash": "sha256-hETvQcILTg5kChjYNns1fD5ELdsYB/VVgVmBtqKQj9A=", - "owner": "nix-community", - "repo": "NUR", - "rev": "6ca27b2654ac55e3f6e0ca434c1b4589ae22b370", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nur_9": { - "inputs": { - "flake-parts": "flake-parts_25", - "nixpkgs": "nixpkgs_39" - }, - "locked": { - "lastModified": 1757935448, - "narHash": "sha256-dIk3hiBlSsHZJViknedzOyTb7VjHFmty6d2P59/DRi4=", - "owner": "nix-community", - "repo": "NUR", - "rev": "b8ed69c1bcb6c358bb1df56e2a2e64323f6572c6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, "paisano": { "inputs": { "nixpkgs": [ @@ -11799,9 +2399,32 @@ "type": "github" } }, + "pre-commit": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1763741496, + "narHash": "sha256-uIRqs/H18YEtMOn1OkbnPH+aNTwXKx+iU3qnxEkVUd0=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "20e71a403c5de9ce5bd799031440da9728c1cda1", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "gitignore": "gitignore_2", "nixpkgs": [ "nix-topology", 
@@ -11826,535 +2449,9 @@ "type": "github" } }, - "pre-commit-hooks-nix": { - "inputs": { - "flake-compat": [ - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks-nix_2": { - "inputs": { - "flake-compat": [ - "swarsel", - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore_5", - "nixpkgs": [ - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks-nix_3": { - "inputs": { - "flake-compat": [ - "swarsel", - "swarsel", - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore_8", - "nixpkgs": [ - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks-nix_4": { - "inputs": { - "flake-compat": [ - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore_11", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 
1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks-nix_5": { - "inputs": { - "flake-compat": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore_14", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks-nix_6": { - "inputs": { - "flake-compat": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore_17", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks-nix_7": { - "inputs": { - "flake-compat": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore_20", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": 
"sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks-nix_8": { - "inputs": { - "flake-compat": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore_23", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_10": { - "inputs": { - "flake-compat": "flake-compat_19", - "gitignore": "gitignore_15", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ], - "nixpkgs-stable": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730797577, - "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_11": { - "inputs": { - "flake-compat": "flake-compat_20", - "gitignore": "gitignore_16", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1757588530, - "narHash": "sha256-tJ7A8mID3ct69n9WCvZ3PzIIl3rXTdptn/lZmqSS95U=", - "owner": "cachix", - 
"repo": "git-hooks.nix", - "rev": "b084b2c2b6bc23e83bbfe583b03664eb0b18c411", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_12": { - "inputs": { - "flake-compat": "flake-compat_23", - "gitignore": "gitignore_18", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ], - "nixpkgs-stable": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730797577, - "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_13": { - "inputs": { - "flake-compat": "flake-compat_24", - "gitignore": "gitignore_19", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754416808, - "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_14": { - "inputs": { - "flake-compat": "flake-compat_27", - "gitignore": "gitignore_21", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ], - "nixpkgs-stable": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730797577, - "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": 
"1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_15": { - "inputs": { - "flake-compat": "flake-compat_28", - "gitignore": "gitignore_22", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_16": { - "inputs": { - "flake-compat": "flake-compat_31", - "gitignore": "gitignore_24", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ], - "nixpkgs-stable": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730797577, - "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_17": { - "inputs": { - "flake-compat": "flake-compat_32", - "gitignore": "gitignore_25", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": 
"git-hooks.nix", - "type": "github" - } - }, "pre-commit-hooks_2": { "inputs": { - "flake-compat": "flake-compat_5", + "flake-compat": "flake-compat_6", "gitignore": "gitignore_3", "nixpkgs": [ "nixos-extra-modules", 
@@ -12377,183 +2474,16 @@ }, "pre-commit-hooks_3": { "inputs": { - "flake-compat": "flake-compat_6", + "flake-compat": "flake-compat_7", "gitignore": "gitignore_4", - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs_19" }, "locked": { - "lastModified": 1760663237, - "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=", + "lastModified": 1763988335, + "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_4": { - "inputs": { - "flake-compat": "flake-compat_8", - "gitignore": "gitignore_6", - "nixpkgs": [ - "swarsel", - "nix-topology", - "nixpkgs" - ], - "nixpkgs-stable": [ - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730797577, - "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_5": { - "inputs": { - "flake-compat": "flake-compat_9", - "gitignore": "gitignore_7", - "nixpkgs": [ - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760392170, - "narHash": "sha256-WftxJgr2MeDDFK47fQKywzC72L2jRc/PWcyGdjaDzkw=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "46d55f0aeb1d567a78223e69729734f3dca25a85", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_6": { - "inputs": { - "flake-compat": "flake-compat_11", - "gitignore": "gitignore_9", - "nixpkgs": [ - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ], - "nixpkgs-stable": [ - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { 
- "lastModified": 1730797577, - "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_7": { - "inputs": { - "flake-compat": "flake-compat_12", - "gitignore": "gitignore_10", - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1759523803, - "narHash": "sha256-PTod9NG+i3XbbnBKMl/e5uHDBYpwIWivQ3gOWSEuIEM=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "cfc9f7bb163ad8542029d303e599c0f7eee09835", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_8": { - "inputs": { - "flake-compat": "flake-compat_15", - "gitignore": "gitignore_12", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ], - "nixpkgs-stable": [ - "swarsel", - "swarsel", - "swarsel", - "nix-topology", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730797577, - "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_9": { - "inputs": { - "flake-compat": "flake-compat_16", - "gitignore": "gitignore_13", - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1758108966, - "narHash": "sha256-ytw7ROXaWZ7OfwHrQ9xvjpUWeGVm86pwnEd1QhzawIo=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "54df955a695a84cd47d4a43e08e1feaf90b1fd9b", + "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce", "type": "github" }, "original": { 
@@ -12566,6 +2496,7 @@ "inputs": { "devshell": "devshell", "disko": "disko", + "dns": "dns", "emacs-overlay": "emacs-overlay", "flake-parts": "flake-parts", "home-manager": "home-manager", @@ -12575,13 +2506,15 @@ "niri-flake": "niri-flake", "nix-darwin": "nix-darwin", "nix-index-database": "nix-index-database", + "nix-minecraft": "nix-minecraft", "nix-on-droid": "nix-on-droid", "nix-topology": "nix-topology", "nixgl": "nixgl", "nixos-extra-modules": "nixos-extra-modules", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_5", + "nixos-images": "nixos-images", + "nixpkgs": "nixpkgs_16", "nixpkgs-dev": "nixpkgs-dev", "nixpkgs-kernel": "nixpkgs-kernel", "nixpkgs-stable": "nixpkgs-stable_3", @@ -12591,16 +2524,16 @@ "nswitch-rcm-nix": "nswitch-rcm-nix", "nur": "nur", "pre-commit-hooks": "pre-commit-hooks_3", + "simple-nixos-mailserver": "simple-nixos-mailserver", + "smallpkgs": "smallpkgs", "sops-nix": "sops-nix", "spicetify-nix": "spicetify-nix", "stylix": "stylix", - "swarsel": "swarsel", - "swarsel-modules": "swarsel-modules_6", - "swarsel-nix": "swarsel-nix_3", - "systems": "systems_64", - "treefmt-nix": "treefmt-nix_3", - "vbc-nix": "vbc-nix_8", - "zjstatus": "zjstatus_8" + "swarsel-nix": "swarsel-nix", + "systems": "systems_8", + "treefmt-nix": "treefmt-nix", + "vbc-nix": "vbc-nix", + "zjstatus": "zjstatus" } }, "rust-analyzer-src": { 
@@ -12628,207 +2561,11 @@ ] }, "locked": { - "lastModified": 1754189623, - "narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=", + "lastModified": 1763865987, + "narHash": "sha256-DJpzM8Jz3B0azJcAoF+YFHr8rEbxYLJ0wy1kWZ29HOw=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_10": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "zjstatus", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750905536, - "narHash": "sha256-Mo7yXM5IvMGNvJPiNkFsVT2UERmnvjsKgnY6UyDdySQ=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "2fa7c0aabd15fa0ccc1dc7e675a4fcf0272ad9a1", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_11": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "zjstatus", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750905536, - "narHash": "sha256-Mo7yXM5IvMGNvJPiNkFsVT2UERmnvjsKgnY6UyDdySQ=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "2fa7c0aabd15fa0ccc1dc7e675a4fcf0272ad9a1", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_12": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "zjstatus", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750905536, - "narHash": "sha256-Mo7yXM5IvMGNvJPiNkFsVT2UERmnvjsKgnY6UyDdySQ=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "2fa7c0aabd15fa0ccc1dc7e675a4fcf0272ad9a1", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_13": { - "inputs": { - "nixpkgs": [ - "swarsel", 
- "swarsel", - "swarsel", - "swarsel", - "zjstatus", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754880555, - "narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_14": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "zjstatus", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754880555, - "narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_15": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "zjstatus", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754880555, - "narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_16": { - "inputs": { - "nixpkgs": [ - "swarsel", - "zjstatus", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754880555, - "narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_17": { - "inputs": { - "nixpkgs": [ - "zjstatus", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754880555, - "narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": 
"17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4", + "rev": "042d905c01a6eec3bcae8530dacb19cda9758a63", "type": "github" }, "original": { 
@@ -12873,170 +2610,16 @@ "rust-overlay_3": { "inputs": { "nixpkgs": [ - "swarsel", - "lanzaboote", + "zjstatus", "nixpkgs" ] }, "locked": { - "lastModified": 1754189623, - "narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=", + "lastModified": 1754880555, + "narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754189623, - "narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754189623, - "narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754189623, - "narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - 
"swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754189623, - "narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_8": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751165203, - "narHash": "sha256-3QhlpAk2yn+ExwvRLtaixWsVW1q3OX3KXXe0l8VMLl4=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "90f547b90e73d3c6025e66c5b742d6db51c418c3", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_9": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751165203, - "narHash": "sha256-3QhlpAk2yn+ExwvRLtaixWsVW1q3OX3KXXe0l8VMLl4=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "90f547b90e73d3c6025e66c5b742d6db51c418c3", + "rev": "17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4", "type": "github" }, "original": { 
@@ -13061,254 +2644,55 @@ "type": "github" } }, - "scss-reset_2": { - "flake": false, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_8", + "git-hooks": "git-hooks", + "nixpkgs": "nixpkgs_20" + }, "locked": { - "lastModified": 1631450058, - "narHash": "sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=", - "owner": "andreymatin", - "repo": "scss-reset", - "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91", - "type": "github" + "lastModified": 1763564778, + "narHash": "sha256-HSWMOylEaTtVgzIjpTbjcjVLXHDwNyV081eVUBfAcMs=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "4987d275a90392347f84923cd4cd8efcf0aa7a22", + "type": "gitlab" }, "original": { - "owner": "andreymatin", - "repo": "scss-reset", - "type": "github" + "owner": "simple-nixos-mailserver", + "ref": "master", + "repo": "nixos-mailserver", + "type": "gitlab" } }, - "scss-reset_3": { - "flake": false, + "smallpkgs": { "locked": { - "lastModified": 1631450058, - "narHash": "sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=", - "owner": "andreymatin", - "repo": "scss-reset", - "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91", + "lastModified": 1749401433, + "narHash": "sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "08fcb0dcb59df0344652b38ea6326a2d8271baff", "type": "github" }, "original": { - "owner": "andreymatin", - "repo": "scss-reset", - "type": "github" - } - }, - "scss-reset_4": { - "flake": false, - "locked": { - "lastModified": 1631450058, - "narHash": "sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=", - "owner": "andreymatin", - "repo": "scss-reset", - "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91", - "type": "github" - }, - "original": { - "owner": "andreymatin", - "repo": "scss-reset", - "type": "github" - } - }, - "scss-reset_5": { - "flake": false, - "locked": { - "lastModified": 1631450058, - "narHash": 
"sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=", - "owner": "andreymatin", - "repo": "scss-reset", - "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91", - "type": "github" - }, - "original": { - "owner": "andreymatin", - "repo": "scss-reset", - "type": "github" - } - }, - "scss-reset_6": { - "flake": false, - "locked": { - "lastModified": 1631450058, - "narHash": "sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=", - "owner": "andreymatin", - "repo": "scss-reset", - "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91", - "type": "github" - }, - "original": { - "owner": "andreymatin", - "repo": "scss-reset", - "type": "github" - } - }, - "scss-reset_7": { - "flake": false, - "locked": { - "lastModified": 1631450058, - "narHash": "sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=", - "owner": "andreymatin", - "repo": "scss-reset", - "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91", - "type": "github" - }, - "original": { - "owner": "andreymatin", - "repo": "scss-reset", - "type": "github" - } - }, - "scss-reset_8": { - "flake": false, - "locked": { - "lastModified": 1631450058, - "narHash": "sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=", - "owner": "andreymatin", - "repo": "scss-reset", - "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91", - "type": "github" - }, - "original": { - "owner": "andreymatin", - "repo": "scss-reset", + "narHash": "sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "08fcb0dcb59df0344652b38ea6326a2d8271baff", "type": "github" } }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_21" }, "locked": { - "lastModified": 1760998189, - "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", + "lastModified": 1763870012, + "narHash": "sha256-AHxFfIu73SpNLAOZbu/AvpLhZ/Szhx6gRPj9ufZtaZA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": 
"sops-nix", - "type": "github" - } - }, - "sops-nix_2": { - "inputs": { - "nixpkgs": "nixpkgs_16" - }, - "locked": { - "lastModified": 1760393368, - "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "sops-nix_3": { - "inputs": { - "nixpkgs": "nixpkgs_24" - }, - "locked": { - "lastModified": 1759635238, - "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "sops-nix_4": { - "inputs": { - "nixpkgs": "nixpkgs_32" - }, - "locked": { - "lastModified": 1758425756, - "narHash": "sha256-L3N8zV6wsViXiD8i3WFyrvjDdz76g3tXKEdZ4FkgQ+Y=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "e0fdaea3c31646e252a60b42d0ed8eafdb289762", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "sops-nix_5": { - "inputs": { - "nixpkgs": "nixpkgs_40" - }, - "locked": { - "lastModified": 1757847158, - "narHash": "sha256-TumOaykhZO8SOs/faz6GQhqkOcFLoQvESLSF1cJ4mZc=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "ee6f91c1c11acf7957d94a130de77561ec24b8ab", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "sops-nix_6": { - "inputs": { - "nixpkgs": "nixpkgs_48" - }, - "locked": { - "lastModified": 1754328224, - "narHash": "sha256-glPK8DF329/dXtosV7YSzRlF4n35WDjaVwdOMEoEXHA=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "49021900e69812ba7ddb9e40f9170218a7eca9f4", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "sops-nix_7": { - "inputs": { - "nixpkgs": "nixpkgs_56" - 
}, - "locked": { - "lastModified": 1751606940, - "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "sops-nix_8": { - "inputs": { - "nixpkgs": "nixpkgs_64" - }, - "locked": { - "lastModified": 1751606940, - "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d", + "rev": "4e7d74d92398b933cc0e0e25af5b0836efcfdde3", "type": "github" }, "original": { 
@@ -13333,171 +2717,17 @@ "url": "https://spectrum-os.org/git/spectrum" } }, - "spectrum_2": { - "flake": false, - "locked": { - "lastModified": 1759482047, - "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", - "ref": "refs/heads/main", - "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", - "revCount": 996, - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - }, - "original": { - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - } - }, - "spectrum_3": { - "flake": false, - "locked": { - "lastModified": 1759482047, - "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", - "ref": "refs/heads/main", - "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", - "revCount": 996, - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - }, - "original": { - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - } - }, "spicetify-nix": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems_4" + "nixpkgs": "nixpkgs_22", + "systems": "systems_5" }, "locked": { - "lastModified": 1761452941, - "narHash": "sha256-yy+9lSj40cWS4awLqjQ5H5/7/SOf9ZarOgTzH8GHkRk=", + "lastModified": 1763985453, + "narHash": "sha256-vUqODgLIjeyHN7DP8dVx7oH9yB/L8qcxpN//4EmMQcM=", "owner": "Gerg-l", "repo": "spicetify-nix", - "rev": "20a56cfc4dc794ade2e8d4346cc4a5adcd1bb512", - "type": "github" - }, - "original": { - "owner": "Gerg-l", - "repo": "spicetify-nix", - "type": "github" - } - }, - "spicetify-nix_2": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nixpkgs" - ], - "systems": "systems_9" - }, - "locked": { - "lastModified": 1760243311, - "narHash": "sha256-LNrok211+WWlMGWqpGPpnGcnWhyo5SfvMv62uDiLzoI=", - "owner": "Gerg-l", - "repo": "spicetify-nix", - "rev": "93f1d45e48191a0b24c5c15e5cf369566ff75be9", - "type": "github" - }, - "original": { - "owner": "Gerg-l", - "repo": "spicetify-nix", - "type": "github" - } - }, - "spicetify-nix_3": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ], - 
"systems": "systems_14" - }, - "locked": { - "lastModified": 1759638324, - "narHash": "sha256-bj0L3n2UWE/DjqFjsydWsSzO74+dqUA4tiOX4At6LbM=", - "owner": "Gerg-l", - "repo": "spicetify-nix", - "rev": "c39a58510e55c4970e57176ab14b722a978e5f01", - "type": "github" - }, - "original": { - "owner": "Gerg-l", - "repo": "spicetify-nix", - "type": "github" - } - }, - "spicetify-nix_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "systems": "systems_18" - }, - "locked": { - "lastModified": 1758584568, - "narHash": "sha256-FDxTheW6ynpbro/8eTZHhAY7J+HOf0jXeXq3jrJDcS8=", - "owner": "Gerg-l", - "repo": "spicetify-nix", - "rev": "9e9e48ca16628bf09a02bc5449d4b0761e15eebd", - "type": "github" - }, - "original": { - "owner": "Gerg-l", - "repo": "spicetify-nix", - "type": "github" - } - }, - "spicetify-nix_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "systems": "systems_22" - }, - "locked": { - "lastModified": 1757824114, - "narHash": "sha256-cyVbc8UxyWKAuXOgqLggil2mXLZWY0wyfBWYqUwgYjM=", - "owner": "Gerg-l", - "repo": "spicetify-nix", - "rev": "d23584b2000b7f7a59a1764ff9ab93b89444bfd9", - "type": "github" - }, - "original": { - "owner": "Gerg-l", - "repo": "spicetify-nix", - "type": "github" - } - }, - "spicetify-nix_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "systems": "systems_26" - }, - "locked": { - "lastModified": 1754196919, - "narHash": "sha256-0zATw65mNql9H8e7HWVBPpijMSbDVeK7JNivRBcUScM=", - "owner": "Gerg-l", - "repo": "spicetify-nix", - "rev": "24fcb94f7792ab755b933e1c9516996530ac1fbd", + "rev": "89cd40c646ec5b12e5c20c0e18f082e7629d4819", "type": "github" }, "original": { @@ -13517,7 +2747,7 @@ "blank": "blank", "devshell": "devshell_4", "dmerge": "dmerge", - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_6", "incl": "incl", "makes": [ "nixos-extra-modules", 
@@ -13591,11 +2821,11 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_6", + "flake-parts": "flake-parts_5", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_23", "nur": "nur_2", - "systems": "systems_5", + "systems": "systems_6", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -13603,11 +2833,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1761840967, - "narHash": "sha256-alE8Vesztx3tPxXpJURtYWD8x1cXaU/x+10Q6hbgGBY=", + "lastModified": 1763845141, + "narHash": "sha256-o8TKdZluj/yC8qPIVNe2g4qopyFmQglH52+lvQx82kE=", "owner": "danth", "repo": "stylix", - "rev": "c33226f205aeab42a170913cd1f8bc3428b7e6b1", + "rev": "adc650610085adbe130b9860d5bdb869f96050af", "type": "github" }, "original": { 
@@ -13616,412 +2846,11 @@ "type": "github" } }, - "stylix_2": { - "inputs": { - "base16": "base16_2", - "base16-fish": "base16-fish_2", - "base16-helix": "base16-helix_2", - "base16-vim": "base16-vim_2", - "firefox-gnome-theme": "firefox-gnome-theme_2", - "flake-parts": "flake-parts_11", - "gnome-shell": "gnome-shell_2", - "nixpkgs": "nixpkgs_17", - "nur": "nur_4", - "systems": "systems_10", - "tinted-foot": "tinted-foot_2", - "tinted-kitty": "tinted-kitty_2", - "tinted-schemes": "tinted-schemes_2", - "tinted-tmux": "tinted-tmux_2", - "tinted-zed": "tinted-zed_2" - }, - "locked": { - "lastModified": 1760350849, - "narHash": "sha256-JqcM5Pkm5q1c9D5zpINJsN1yCB4Vq1cL12ZuFyo32T4=", - "owner": "danth", - "repo": "stylix", - "rev": "7b4957d716f4fb615bf0e37d3b23c112579b1408", - "type": "github" - }, - "original": { - "owner": "danth", - "repo": "stylix", - "type": "github" - } - }, - "stylix_3": { - "inputs": { - "base16": "base16_3", - "base16-fish": "base16-fish_3", - "base16-helix": "base16-helix_3", - "base16-vim": "base16-vim_3", - "firefox-gnome-theme": "firefox-gnome-theme_3", - "flake-parts": "flake-parts_16", - "gnome-shell": "gnome-shell_3", - "nixpkgs": "nixpkgs_25", - "nur": "nur_6", - "systems": "systems_15", - "tinted-foot": "tinted-foot_3", - "tinted-kitty": "tinted-kitty_3", - "tinted-schemes": "tinted-schemes_3", - "tinted-tmux": "tinted-tmux_3", - "tinted-zed": "tinted-zed_3" - }, - "locked": { - "lastModified": 1759690047, - "narHash": "sha256-Vlpa0d1xOgPO9waHwxJNi6LcD2PYqB3EjwLRtSxXlHc=", - "owner": "danth", - "repo": "stylix", - "rev": "09022804b2bcd217f3a41a644d26b23d30375d12", - "type": "github" - }, - "original": { - "owner": "danth", - "repo": "stylix", - "type": "github" - } - }, - "stylix_4": { - "inputs": { - "base16": "base16_4", - "base16-fish": "base16-fish_4", - "base16-helix": "base16-helix_4", - "base16-vim": "base16-vim_4", - "firefox-gnome-theme": "firefox-gnome-theme_4", - "flake-parts": "flake-parts_21", - "gnome-shell": 
"gnome-shell_4", - "nixpkgs": "nixpkgs_33", - "nur": "nur_8", - "systems": "systems_19", - "tinted-foot": "tinted-foot_4", - "tinted-kitty": "tinted-kitty_4", - "tinted-schemes": "tinted-schemes_4", - "tinted-tmux": "tinted-tmux_4", - "tinted-zed": "tinted-zed_4" - }, - "locked": { - "lastModified": 1758698745, - "narHash": "sha256-IonbUp7KTYzXS1UGraXPAa7QJFgLJrAZGswE5CfUILU=", - "owner": "danth", - "repo": "stylix", - "rev": "799c811ac53ef9820dd007b6ddf33390964c6bef", - "type": "github" - }, - "original": { - "owner": "danth", - "repo": "stylix", - "type": "github" - } - }, - "stylix_5": { - "inputs": { - "base16": "base16_5", - "base16-fish": "base16-fish_5", - "base16-helix": "base16-helix_5", - "base16-vim": "base16-vim_5", - "firefox-gnome-theme": "firefox-gnome-theme_5", - "flake-parts": "flake-parts_26", - "gnome-shell": "gnome-shell_5", - "nixpkgs": "nixpkgs_41", - "nur": "nur_10", - "systems": "systems_23", - "tinted-foot": "tinted-foot_5", - "tinted-kitty": "tinted-kitty_5", - "tinted-schemes": "tinted-schemes_5", - "tinted-tmux": "tinted-tmux_5", - "tinted-zed": "tinted-zed_5" - }, - "locked": { - "lastModified": 1757360005, - "narHash": "sha256-VwzdFEQCpYMU9mc7BSQGQe5wA1MuTYPJnRc9TQCTMcM=", - "owner": "danth", - "repo": "stylix", - "rev": "834a743c11d66ea18e8c54872fbcc72ce48bc57f", - "type": "github" - }, - "original": { - "owner": "danth", - "repo": "stylix", - "type": "github" - } - }, - "stylix_6": { - "inputs": { - "base16": "base16_6", - "base16-fish": "base16-fish_6", - "base16-helix": "base16-helix_6", - "base16-vim": "base16-vim_6", - "firefox-gnome-theme": "firefox-gnome-theme_6", - "flake-parts": "flake-parts_31", - "gnome-shell": "gnome-shell_6", - "nixpkgs": "nixpkgs_49", - "nur": "nur_12", - "systems": "systems_27", - "tinted-foot": "tinted-foot_6", - "tinted-kitty": "tinted-kitty_6", - "tinted-schemes": "tinted-schemes_6", - "tinted-tmux": "tinted-tmux_6", - "tinted-zed": "tinted-zed_6" - }, - "locked": { - "lastModified": 1754597531, - 
"narHash": "sha256-OpC9/PBIuL2WEJUkcuD/wVxI8r+3o6f5RylSIefjHo4=", - "owner": "danth", - "repo": "stylix", - "rev": "63bb34a66ad7d1af2e95ee20dd675896b2074c32", - "type": "github" - }, - "original": { - "owner": "danth", - "repo": "stylix", - "type": "github" - } - }, - "stylix_7": { - "inputs": { - "base16": "base16_7", - "base16-fish": "base16-fish_7", - "base16-helix": "base16-helix_7", - "base16-vim": "base16-vim_7", - "firefox-gnome-theme": "firefox-gnome-theme_7", - "flake-parts": "flake-parts_36", - "gnome-shell": "gnome-shell_7", - "nixpkgs": "nixpkgs_57", - "nur": "nur_14", - "systems": "systems_30", - "tinted-foot": "tinted-foot_7", - "tinted-kitty": "tinted-kitty_7", - "tinted-schemes": "tinted-schemes_7", - "tinted-tmux": "tinted-tmux_7", - "tinted-zed": "tinted-zed_7" - }, - "locked": { - "lastModified": 1751906932, - "narHash": "sha256-vRZH3bq24I/heef0AIFnaBmDGdQSpTmyjT4vtpa7qqk=", - "owner": "danth", - "repo": "stylix", - "rev": "c538d1a3571386eaaca31aef7bb5fd5c155327b0", - "type": "github" - }, - "original": { - "owner": "danth", - "repo": "stylix", - "type": "github" - } - }, - "stylix_8": { - "inputs": { - "base16": "base16_8", - "base16-fish": "base16-fish_8", - "base16-helix": "base16-helix_8", - "base16-vim": "base16-vim_8", - "firefox-gnome-theme": "firefox-gnome-theme_8", - "flake-parts": "flake-parts_41", - "gnome-shell": "gnome-shell_8", - "nixpkgs": "nixpkgs_65", - "nur": "nur_16", - "systems": "systems_33", - "tinted-foot": "tinted-foot_8", - "tinted-kitty": "tinted-kitty_8", - "tinted-schemes": "tinted-schemes_8", - "tinted-tmux": "tinted-tmux_8", - "tinted-zed": "tinted-zed_8" - }, - "locked": { - "lastModified": 1751906932, - "narHash": "sha256-vRZH3bq24I/heef0AIFnaBmDGdQSpTmyjT4vtpa7qqk=", - "owner": "danth", - "repo": "stylix", - "rev": "c538d1a3571386eaaca31aef7bb5fd5c155327b0", - "type": "github" - }, - "original": { - "owner": "danth", - "repo": "stylix", - "type": "github" - } - }, - "swarsel": { - "inputs": { - "devshell": 
"devshell_5", - "disko": "disko_2", - "emacs-overlay": "emacs-overlay_2", - "flake-parts": "flake-parts_7", - "home-manager": "home-manager_3", - "impermanence": "impermanence_2", - "lanzaboote": "lanzaboote_2", - "microvm": "microvm_2", - "niri-flake": "niri-flake_2", - "nix-darwin": "nix-darwin_2", - "nix-index-database": "nix-index-database_2", - "nix-on-droid": "nix-on-droid_2", - "nix-topology": "nix-topology_2", - "nixgl": "nixgl_2", - "nixos-generators": "nixos-generators_2", - "nixos-hardware": "nixos-hardware_2", - "nixpkgs": "nixpkgs_13", - "nixpkgs-dev": "nixpkgs-dev_2", - "nixpkgs-kernel": "nixpkgs-kernel_2", - "nixpkgs-stable": "nixpkgs-stable_6", - "nixpkgs-stable24_05": "nixpkgs-stable24_05_2", - "nixpkgs-stable24_11": "nixpkgs-stable24_11_2", - "nswitch-rcm-nix": "nswitch-rcm-nix_2", - "nur": "nur_3", - "pre-commit-hooks": "pre-commit-hooks_5", - "sops-nix": "sops-nix_2", - "spicetify-nix": "spicetify-nix_2", - "stylix": "stylix_2", - "swarsel": "swarsel_2", - "swarsel-modules": "swarsel-modules_5", - "swarsel-nix": "swarsel-nix_2", - "systems": "systems_59", - "vbc-nix": "vbc-nix_7", - "zjstatus": "zjstatus_7" - }, - "locked": { - "lastModified": 1762037797, - "narHash": "sha256-5tDtggBgcwLvUPbXUo2Jwu4cXKPXxCaUZ9KArrr9uXQ=", - "owner": "Swarsel", - "repo": ".dotfiles", - "rev": "40b42028d2e56e091d6b687c252ce2c86fb03f5f", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": ".dotfiles", - "type": "github" - } - }, - "swarsel-modules": { - "inputs": { - "flake-parts": "flake-parts_42", - "nixpkgs": "nixpkgs_68", - "systems": "systems_40" - }, - "locked": { - "lastModified": 1756088962, - "narHash": "sha256-YkCFGvVfT3TcXTIhnzctUCft5Do8NIwTGqwToKUMY3Y=", - "owner": "Swarsel", - "repo": "swarsel-modules", - "rev": "f1ceec3b17ed4b009ee9bac92c14308f57bcedb7", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "swarsel-modules", - "type": "github" - } - }, - "swarsel-modules_2": { - "inputs": { - 
"flake-parts": "flake-parts_43", - "nixpkgs": "nixpkgs_70", - "systems": "systems_44" - }, - "locked": { - "lastModified": 1756090249, - "narHash": "sha256-agns3Ql6JdfJw6esJ7OX7302HWzE2mWOepm5ZDU0E4U=", - "owner": "Swarsel", - "repo": "swarsel-modules", - "rev": "43262a7b53ee0e0c9646e46f0a60cd50845e908d", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "swarsel-modules", - "type": "github" - } - }, - "swarsel-modules_3": { - "inputs": { - "flake-parts": "flake-parts_44", - "nixpkgs": "nixpkgs_72", - "systems": "systems_48" - }, - "locked": { - "lastModified": 1757950182, - "narHash": "sha256-+dfxuorjUbaTvn+GNJMyCTbJjUVkkGTEIIaWpK2lGWM=", - "owner": "Swarsel", - "repo": "swarsel-modules", - "rev": "161c215217c9d6037658b00eebca9d420a44a733", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "swarsel-modules", - "type": "github" - } - }, - "swarsel-modules_4": { - "inputs": { - "flake-parts": "flake-parts_45", - "nixpkgs": "nixpkgs_74", - "systems": "systems_52" - }, - "locked": { - "lastModified": 1757950182, - "narHash": "sha256-+dfxuorjUbaTvn+GNJMyCTbJjUVkkGTEIIaWpK2lGWM=", - "owner": "Swarsel", - "repo": "swarsel-modules", - "rev": "161c215217c9d6037658b00eebca9d420a44a733", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "swarsel-modules", - "type": "github" - } - }, - "swarsel-modules_5": { - "inputs": { - "flake-parts": "flake-parts_47", - "nixpkgs": "nixpkgs_77", - "systems": "systems_57" - }, - "locked": { - "lastModified": 1757950182, - "narHash": "sha256-+dfxuorjUbaTvn+GNJMyCTbJjUVkkGTEIIaWpK2lGWM=", - "owner": "Swarsel", - "repo": "swarsel-modules", - "rev": "161c215217c9d6037658b00eebca9d420a44a733", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "swarsel-modules", - "type": "github" - } - }, - "swarsel-modules_6": { - "inputs": { - "flake-parts": "flake-parts_49", - "nixpkgs": "nixpkgs_80", - 
"systems": "systems_62" - }, - "locked": { - "lastModified": 1757950182, - "narHash": "sha256-+dfxuorjUbaTvn+GNJMyCTbJjUVkkGTEIIaWpK2lGWM=", - "owner": "Swarsel", - "repo": "swarsel-modules", - "rev": "161c215217c9d6037658b00eebca9d420a44a733", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "swarsel-modules", - "type": "github" - } - }, "swarsel-nix": { "inputs": { - "flake-parts": "flake-parts_46", - "nixpkgs": "nixpkgs_75", - "systems": "systems_53" + "flake-parts": "flake-parts_6", + "nixpkgs": "nixpkgs_24", + "systems": "systems_7" }, "locked": { "lastModified": 1760190732, 
@@ -14038,342 +2867,6 @@ "type": "github" } }, - "swarsel-nix_2": { - "inputs": { - "flake-parts": "flake-parts_48", - "nixpkgs": "nixpkgs_78", - "systems": "systems_58" - }, - "locked": { - "lastModified": 1760190732, - "narHash": "sha256-Bxn/5+MCKOzR9LgUyHDhxCU3eejxz+hfsAT9Sqqz6B0=", - "owner": "Swarsel", - "repo": "swarsel-nix", - "rev": "f0ab1f68c94d777aa7d0a8f23745cb9aa8172fd4", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "swarsel-nix", - "type": "github" - } - }, - "swarsel-nix_3": { - "inputs": { - "flake-parts": "flake-parts_50", - "nixpkgs": "nixpkgs_81", - "systems": "systems_63" - }, - "locked": { - "lastModified": 1760190732, - "narHash": "sha256-Bxn/5+MCKOzR9LgUyHDhxCU3eejxz+hfsAT9Sqqz6B0=", - "owner": "Swarsel", - "repo": "swarsel-nix", - "rev": "f0ab1f68c94d777aa7d0a8f23745cb9aa8172fd4", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "ref": "main", - "repo": "swarsel-nix", - "type": "github" - } - }, - "swarsel_2": { - "inputs": { - "devshell": "devshell_7", - "disko": "disko_3", - "emacs-overlay": "emacs-overlay_3", - "flake-parts": "flake-parts_12", - "home-manager": "home-manager_5", - "impermanence": "impermanence_3", - "lanzaboote": "lanzaboote_3", - "microvm": "microvm_3", - "niri-flake": "niri-flake_3", - "nix-darwin": "nix-darwin_3", - "nix-index-database": "nix-index-database_3", - "nix-on-droid": "nix-on-droid_3", - "nix-topology": "nix-topology_3", - "nixgl": "nixgl_3", - "nixos-generators": "nixos-generators_3", - "nixos-hardware": "nixos-hardware_3", - "nixpkgs": "nixpkgs_21", - "nixpkgs-dev": "nixpkgs-dev_3", - "nixpkgs-kernel": "nixpkgs-kernel_3", - "nixpkgs-stable": "nixpkgs-stable_9", - "nixpkgs-stable24_05": "nixpkgs-stable24_05_3", - "nixpkgs-stable24_11": "nixpkgs-stable24_11_3", - "nswitch-rcm-nix": "nswitch-rcm-nix_3", - "nur": "nur_5", - "pre-commit-hooks": "pre-commit-hooks_7", - "sops-nix": "sops-nix_3", - "spicetify-nix": "spicetify-nix_3", - "stylix": "stylix_3", 
- "swarsel": "swarsel_3", - "swarsel-modules": "swarsel-modules_4", - "swarsel-nix": "swarsel-nix", - "systems": "systems_54", - "vbc-nix": "vbc-nix_6", - "zjstatus": "zjstatus_6" - }, - "locked": { - "lastModified": 1760219467, - "narHash": "sha256-DcbzT2+6RElOsaaToQAoYnHLEBqFm0pomLaOhgxyHZ4=", - "owner": "Swarsel", - "repo": ".dotfiles", - "rev": "95fa226b9e70df2b7f78cdd630583c842a38e822", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": ".dotfiles", - "type": "github" - } - }, - "swarsel_3": { - "inputs": { - "devshell": "devshell_9", - "disko": "disko_4", - "emacs-overlay": "emacs-overlay_4", - "flake-parts": "flake-parts_17", - "fw-fanctrl": "fw-fanctrl", - "home-manager": "home-manager_7", - "impermanence": "impermanence_4", - "lanzaboote": "lanzaboote_4", - "niri-flake": "niri-flake_4", - "nix-darwin": "nix-darwin_4", - "nix-index-database": "nix-index-database_4", - "nix-on-droid": "nix-on-droid_4", - "nix-topology": "nix-topology_4", - "nixgl": "nixgl_4", - "nixos-generators": "nixos-generators_4", - "nixos-hardware": "nixos-hardware_4", - "nixpkgs": "nixpkgs_29", - "nixpkgs-dev": "nixpkgs-dev_4", - "nixpkgs-kernel": "nixpkgs-kernel_4", - "nixpkgs-stable": "nixpkgs-stable_12", - "nixpkgs-stable24_05": "nixpkgs-stable24_05_4", - "nixpkgs-stable24_11": "nixpkgs-stable24_11_4", - "nswitch-rcm-nix": "nswitch-rcm-nix_4", - "nur": "nur_7", - "pre-commit-hooks": "pre-commit-hooks_9", - "sops-nix": "sops-nix_4", - "spicetify-nix": "spicetify-nix_4", - "stylix": "stylix_4", - "swarsel": "swarsel_4", - "swarsel-modules": "swarsel-modules_3", - "systems": "systems_49", - "vbc-nix": "vbc-nix_5", - "zjstatus": "zjstatus_5" - }, - "locked": { - "lastModified": 1758869406, - "narHash": "sha256-TulduD1ANpUvR9WNm3Hci+crvfTETd0Y3RevczQR8SQ=", - "owner": "Swarsel", - "repo": ".dotfiles", - "rev": "a896d5eb5db719b7539825d355ab1bb8ec563b4b", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": ".dotfiles", - "type": "github" - } - }, - 
"swarsel_4": { - "inputs": { - "devshell": "devshell_11", - "disko": "disko_5", - "emacs-overlay": "emacs-overlay_5", - "flake-parts": "flake-parts_22", - "fw-fanctrl": "fw-fanctrl_2", - "home-manager": "home-manager_9", - "impermanence": "impermanence_5", - "lanzaboote": "lanzaboote_5", - "niri-flake": "niri-flake_5", - "nix-darwin": "nix-darwin_5", - "nix-index-database": "nix-index-database_5", - "nix-on-droid": "nix-on-droid_5", - "nix-topology": "nix-topology_5", - "nixgl": "nixgl_5", - "nixos-generators": "nixos-generators_5", - "nixos-hardware": "nixos-hardware_5", - "nixpkgs": "nixpkgs_37", - "nixpkgs-dev": "nixpkgs-dev_5", - "nixpkgs-kernel": "nixpkgs-kernel_5", - "nixpkgs-stable": "nixpkgs-stable_15", - "nixpkgs-stable24_05": "nixpkgs-stable24_05_5", - "nixpkgs-stable24_11": "nixpkgs-stable24_11_5", - "nswitch-rcm-nix": "nswitch-rcm-nix_5", - "nur": "nur_9", - "pre-commit-hooks": "pre-commit-hooks_11", - "sops-nix": "sops-nix_5", - "spicetify-nix": "spicetify-nix_5", - "stylix": "stylix_5", - "swarsel": "swarsel_5", - "swarsel-modules": "swarsel-modules_2", - "systems": "systems_45", - "vbc-nix": "vbc-nix_4", - "zjstatus": "zjstatus_4" - }, - "locked": { - "lastModified": 1758712194, - "narHash": "sha256-ySYaSpCWBd0tlhnuJJY9XqcUNGXrACGMXVhTiigThhg=", - "owner": "Swarsel", - "repo": ".dotfiles", - "rev": "355cf03bd13a9325bb8ef10912900fe3623771ac", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": ".dotfiles", - "type": "github" - } - }, - "swarsel_5": { - "inputs": { - "devshell": "devshell_13", - "disko": "disko_6", - "emacs-overlay": "emacs-overlay_6", - "flake-parts": "flake-parts_27", - "fw-fanctrl": "fw-fanctrl_3", - "home-manager": "home-manager_11", - "impermanence": "impermanence_6", - "lanzaboote": "lanzaboote_6", - "niri-flake": "niri-flake_6", - "nix-darwin": "nix-darwin_6", - "nix-index-database": "nix-index-database_6", - "nix-on-droid": "nix-on-droid_6", - "nix-topology": "nix-topology_6", - "nixgl": "nixgl_6", - 
"nixos-generators": "nixos-generators_6", - "nixos-hardware": "nixos-hardware_6", - "nixpkgs": "nixpkgs_45", - "nixpkgs-dev": "nixpkgs-dev_6", - "nixpkgs-kernel": "nixpkgs-kernel_6", - "nixpkgs-stable": "nixpkgs-stable_18", - "nixpkgs-stable24_05": "nixpkgs-stable24_05_6", - "nixpkgs-stable24_11": "nixpkgs-stable24_11_6", - "nswitch-rcm-nix": "nswitch-rcm-nix_6", - "nur": "nur_11", - "pre-commit-hooks": "pre-commit-hooks_13", - "sops-nix": "sops-nix_6", - "spicetify-nix": "spicetify-nix_6", - "stylix": "stylix_6", - "swarsel": "swarsel_6", - "swarsel-modules": "swarsel-modules", - "systems": "systems_41", - "vbc-nix": "vbc-nix_3", - "zjstatus": "zjstatus_3" - }, - "locked": { - "lastModified": 1756257870, - "narHash": "sha256-Hd4fEVT1CMgcHezEIM0EEsB8oRXGbz24D4LbkVRtTHQ=", - "owner": "Swarsel", - "repo": ".dotfiles", - "rev": "0848f04326bc9630f8081f37582d3fa146e0ef94", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": ".dotfiles", - "type": "github" - } - }, - "swarsel_6": { - "inputs": { - "devshell": "devshell_15", - "disko": "disko_7", - "emacs-overlay": "emacs-overlay_7", - "flake-parts": "flake-parts_32", - "fw-fanctrl": "fw-fanctrl_4", - "home-manager": "home-manager_13", - "impermanence": "impermanence_7", - "lanzaboote": "lanzaboote_7", - "nix-darwin": "nix-darwin_7", - "nix-index-database": "nix-index-database_7", - "nix-on-droid": "nix-on-droid_7", - "nix-topology": "nix-topology_7", - "nixgl": "nixgl_7", - "nixos-generators": "nixos-generators_7", - "nixos-hardware": "nixos-hardware_7", - "nixpkgs": "nixpkgs_53", - "nixpkgs-dev": "nixpkgs-dev_7", - "nixpkgs-kernel": "nixpkgs-kernel_7", - "nixpkgs-stable": "nixpkgs-stable_20", - "nixpkgs-stable24_05": "nixpkgs-stable24_05_7", - "nixpkgs-stable24_11": "nixpkgs-stable24_11_7", - "nswitch-rcm-nix": "nswitch-rcm-nix_7", - "nur": "nur_13", - "pre-commit-hooks": "pre-commit-hooks_15", - "sops-nix": "sops-nix_7", - "stylix": "stylix_7", - "swarsel": "swarsel_7", - "systems": "systems_37", - 
"vbc-nix": "vbc-nix_2", - "zjstatus": "zjstatus_2" - }, - "locked": { - "lastModified": 1754349779, - "narHash": "sha256-7iNPObM2jj2vMW/vADukJv7v5/pm0Y06jE5AH4WBWYg=", - "owner": "Swarsel", - "repo": ".dotfiles", - "rev": "9577cdf243bee1062bb05ca378f7bcf834569baa", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": ".dotfiles", - "type": "github" - } - }, - "swarsel_7": { - "inputs": { - "devshell": "devshell_17", - "disko": "disko_8", - "emacs-overlay": "emacs-overlay_8", - "flake-parts": "flake-parts_37", - "fw-fanctrl": "fw-fanctrl_5", - "home-manager": "home-manager_15", - "impermanence": "impermanence_8", - "lanzaboote": "lanzaboote_8", - "nix-darwin": "nix-darwin_8", - "nix-index-database": "nix-index-database_8", - "nix-on-droid": "nix-on-droid_8", - "nix-topology": "nix-topology_8", - "nixgl": "nixgl_8", - "nixos-generators": "nixos-generators_8", - "nixos-hardware": "nixos-hardware_8", - "nixpkgs": "nixpkgs_61", - "nixpkgs-dev": "nixpkgs-dev_8", - "nixpkgs-kernel": "nixpkgs-kernel_8", - "nixpkgs-stable": "nixpkgs-stable_22", - "nixpkgs-stable24_05": "nixpkgs-stable24_05_8", - "nixpkgs-stable24_11": "nixpkgs-stable24_11_8", - "nswitch-rcm-nix": "nswitch-rcm-nix_8", - "nur": "nur_15", - "pre-commit-hooks": "pre-commit-hooks_17", - "sops-nix": "sops-nix_8", - "stylix": "stylix_8", - "systems": "systems_34", - "vbc-nix": "vbc-nix", - "zjstatus": "zjstatus" - }, - "locked": { - "lastModified": 1752459314, - "narHash": "sha256-M5HXx+T6MZpMyjsQL2i8k4BHmX5SsYYHaS612/7pOnk=", - "owner": "Swarsel", - "repo": ".dotfiles", - "rev": "21c1067572f4469a6f889a63b422a75a5972730f", - "type": "github" - }, - "original": { - "owner": "Swarsel", - "repo": ".dotfiles", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, 
@@ -14404,141 +2897,6 @@ "type": "github" } }, - "systems_11": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_12": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_13": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_14": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_15": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_16": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": 
"da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_17": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_18": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_19": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "systems_2": { "locked": { "lastModified": 1681028828, 
@@ -14554,156 +2912,6 @@ "type": "github" } }, - "systems_20": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_21": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_22": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_23": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_24": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_25": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": 
"da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_26": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_27": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_28": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_29": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "systems_3": { "locked": { "lastModified": 1681028828, 
@@ -14719,156 +2927,6 @@ "type": "github" } }, - "systems_30": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_31": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_32": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_33": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_34": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_35": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": 
"31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_36": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_37": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_38": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_39": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "systems_4": { "locked": { "lastModified": 1681028828, 
@@ -14884,156 +2942,6 @@ "type": "github" } }, - "systems_40": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_41": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_42": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_43": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_44": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_45": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": 
"da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_46": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_47": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_48": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_49": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "systems_5": { "locked": { "lastModified": 1681028828, 
@@ -15049,156 +2957,6 @@ "type": "github" } }, - "systems_50": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_51": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_52": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_53": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_54": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_55": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": 
"31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_56": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_57": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_58": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_59": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "systems_6": { "locked": { "lastModified": 1681028828, 
@@ -15214,111 +2972,6 @@ "type": "github" } }, - "systems_60": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_61": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_62": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_63": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_64": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_65": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": 
"31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_66": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "systems_7": { "locked": { "lastModified": 1681028828, @@ -15351,16 +3004,16 @@ }, "systems_9": { "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", "type": "github" }, "original": { "owner": "nix-systems", - "repo": "default", + "repo": "default-linux", "type": "github" } }, 
@@ -15381,125 +3034,6 @@ "type": "github" } }, - "tinted-foot_2": { - "flake": false, - "locked": { - "lastModified": 1726913040, - "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - } - }, - "tinted-foot_3": { - "flake": false, - "locked": { - "lastModified": 1726913040, - "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - } - }, - "tinted-foot_4": { - "flake": false, - "locked": { - "lastModified": 1726913040, - "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - } - }, - "tinted-foot_5": { - "flake": false, - "locked": { - "lastModified": 1726913040, - "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - } - }, - "tinted-foot_6": { - "flake": false, - "locked": { - "lastModified": 1726913040, - "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": 
"fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - } - }, - "tinted-foot_7": { - "flake": false, - "locked": { - "lastModified": 1726913040, - "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - } - }, - "tinted-foot_8": { - "flake": false, - "locked": { - "lastModified": 1726913040, - "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - } - }, "tinted-kitty": { "flake": false, "locked": { 
@@ -15516,118 +3050,6 @@ "type": "github" } }, - "tinted-kitty_2": { - "flake": false, - "locked": { - "lastModified": 1735730497, - "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", - "owner": "tinted-theming", - "repo": "tinted-kitty", - "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-kitty", - "type": "github" - } - }, - "tinted-kitty_3": { - "flake": false, - "locked": { - "lastModified": 1735730497, - "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", - "owner": "tinted-theming", - "repo": "tinted-kitty", - "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-kitty", - "type": "github" - } - }, - "tinted-kitty_4": { - "flake": false, - "locked": { - "lastModified": 1735730497, - "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", - "owner": "tinted-theming", - "repo": "tinted-kitty", - "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-kitty", - "type": "github" - } - }, - "tinted-kitty_5": { - "flake": false, - "locked": { - "lastModified": 1735730497, - "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", - "owner": "tinted-theming", - "repo": "tinted-kitty", - "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-kitty", - "type": "github" - } - }, - "tinted-kitty_6": { - "flake": false, - "locked": { - "lastModified": 1735730497, - "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", - "owner": "tinted-theming", - "repo": "tinted-kitty", - "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-kitty", - "type": "github" - } - }, - "tinted-kitty_7": { - "flake": 
false, - "locked": { - "lastModified": 1735730497, - "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", - "owner": "tinted-theming", - "repo": "tinted-kitty", - "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-kitty", - "type": "github" - } - }, - "tinted-kitty_8": { - "flake": false, - "locked": { - "lastModified": 1735730497, - "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", - "owner": "tinted-theming", - "repo": "tinted-kitty", - "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-kitty", - "type": "github" - } - }, "tinted-schemes": { "flake": false, "locked": { 
@@ -15644,118 +3066,6 @@ "type": "github" } }, - "tinted-schemes_2": { - "flake": false, - "locked": { - "lastModified": 1757716333, - "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", - "owner": "tinted-theming", - "repo": "schemes", - "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "schemes", - "type": "github" - } - }, - "tinted-schemes_3": { - "flake": false, - "locked": { - "lastModified": 1757716333, - "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", - "owner": "tinted-theming", - "repo": "schemes", - "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "schemes", - "type": "github" - } - }, - "tinted-schemes_4": { - "flake": false, - "locked": { - "lastModified": 1754779259, - "narHash": "sha256-8KG2lXGaXLUE0F/JVwLQe7kOVm21IDfNEo0gfga5P4M=", - "owner": "tinted-theming", - "repo": "schemes", - "rev": "097d751b9e3c8b97ce158e7d141e5a292545b502", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "schemes", - "type": "github" - } - }, - "tinted-schemes_5": { - "flake": false, - "locked": { - "lastModified": 1754779259, - "narHash": "sha256-8KG2lXGaXLUE0F/JVwLQe7kOVm21IDfNEo0gfga5P4M=", - "owner": "tinted-theming", - "repo": "schemes", - "rev": "097d751b9e3c8b97ce158e7d141e5a292545b502", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "schemes", - "type": "github" - } - }, - "tinted-schemes_6": { - "flake": false, - "locked": { - "lastModified": 1750770351, - "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=", - "owner": "tinted-theming", - "repo": "schemes", - "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "schemes", - "type": "github" - } - }, - "tinted-schemes_7": { - "flake": false, - "locked": { - "lastModified": 
1748180480, - "narHash": "sha256-7n0XiZiEHl2zRhDwZd/g+p38xwEoWtT0/aESwTMXWG4=", - "owner": "tinted-theming", - "repo": "schemes", - "rev": "87d652edd26f5c0c99deda5ae13dfb8ece2ffe31", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "schemes", - "type": "github" - } - }, - "tinted-schemes_8": { - "flake": false, - "locked": { - "lastModified": 1748180480, - "narHash": "sha256-7n0XiZiEHl2zRhDwZd/g+p38xwEoWtT0/aESwTMXWG4=", - "owner": "tinted-theming", - "repo": "schemes", - "rev": "87d652edd26f5c0c99deda5ae13dfb8ece2ffe31", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "schemes", - "type": "github" - } - }, "tinted-tmux": { "flake": false, "locked": { 
@@ -15772,118 +3082,6 @@ "type": "github" } }, - "tinted-tmux_2": { - "flake": false, - "locked": { - "lastModified": 1757811970, - "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", - "owner": "tinted-theming", - "repo": "tinted-tmux", - "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-tmux", - "type": "github" - } - }, - "tinted-tmux_3": { - "flake": false, - "locked": { - "lastModified": 1757811970, - "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", - "owner": "tinted-theming", - "repo": "tinted-tmux", - "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-tmux", - "type": "github" - } - }, - "tinted-tmux_4": { - "flake": false, - "locked": { - "lastModified": 1754788770, - "narHash": "sha256-LAu5nBr7pM/jD9jwFc6/kyFY4h7Us4bZz7dvVvehuwo=", - "owner": "tinted-theming", - "repo": "tinted-tmux", - "rev": "fb2175accef8935f6955503ec9dd3c973eec385c", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-tmux", - "type": "github" - } - }, - "tinted-tmux_5": { - "flake": false, - "locked": { - "lastModified": 1754788770, - "narHash": "sha256-LAu5nBr7pM/jD9jwFc6/kyFY4h7Us4bZz7dvVvehuwo=", - "owner": "tinted-theming", - "repo": "tinted-tmux", - "rev": "fb2175accef8935f6955503ec9dd3c973eec385c", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-tmux", - "type": "github" - } - }, - "tinted-tmux_6": { - "flake": false, - "locked": { - "lastModified": 1751159871, - "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=", - "owner": "tinted-theming", - "repo": "tinted-tmux", - "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-tmux", - "type": "github" - } - }, - "tinted-tmux_7": { - "flake": false, - "locked": { 
- "lastModified": 1748740859, - "narHash": "sha256-OEM12bg7F4N5WjZOcV7FHJbqRI6jtCqL6u8FtPrlZz4=", - "owner": "tinted-theming", - "repo": "tinted-tmux", - "rev": "57d5f9683ff9a3b590643beeaf0364da819aedda", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-tmux", - "type": "github" - } - }, - "tinted-tmux_8": { - "flake": false, - "locked": { - "lastModified": 1748740859, - "narHash": "sha256-OEM12bg7F4N5WjZOcV7FHJbqRI6jtCqL6u8FtPrlZz4=", - "owner": "tinted-theming", - "repo": "tinted-tmux", - "rev": "57d5f9683ff9a3b590643beeaf0364da819aedda", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-tmux", - "type": "github" - } - }, "tinted-zed": { "flake": false, "locked": { 
@@ -15900,178 +3098,9 @@ "type": "github" } }, - "tinted-zed_2": { - "flake": false, - "locked": { - "lastModified": 1757811247, - "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", - "owner": "tinted-theming", - "repo": "base16-zed", - "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-zed", - "type": "github" - } - }, - "tinted-zed_3": { - "flake": false, - "locked": { - "lastModified": 1757811247, - "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", - "owner": "tinted-theming", - "repo": "base16-zed", - "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-zed", - "type": "github" - } - }, - "tinted-zed_4": { - "flake": false, - "locked": { - "lastModified": 1755613540, - "narHash": "sha256-zBFrrTxHLDMDX/OYxkCwGGbAhPXLi8FrnLhYLsSOKeY=", - "owner": "tinted-theming", - "repo": "base16-zed", - "rev": "937bada16cd3200bdbd3a2f5776fc3b686d5cba0", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-zed", - "type": "github" - } - }, - "tinted-zed_5": { - "flake": false, - "locked": { - "lastModified": 1755613540, - "narHash": "sha256-zBFrrTxHLDMDX/OYxkCwGGbAhPXLi8FrnLhYLsSOKeY=", - "owner": "tinted-theming", - "repo": "base16-zed", - "rev": "937bada16cd3200bdbd3a2f5776fc3b686d5cba0", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-zed", - "type": "github" - } - }, - "tinted-zed_6": { - "flake": false, - "locked": { - "lastModified": 1751158968, - "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=", - "owner": "tinted-theming", - "repo": "base16-zed", - "rev": "86a470d94204f7652b906ab0d378e4231a5b3384", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-zed", - "type": "github" - } - }, - "tinted-zed_7": { - "flake": false, - "locked": { - 
"lastModified": 1725758778, - "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=", - "owner": "tinted-theming", - "repo": "base16-zed", - "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-zed", - "type": "github" - } - }, - "tinted-zed_8": { - "flake": false, - "locked": { - "lastModified": 1725758778, - "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=", - "owner": "tinted-theming", - "repo": "base16-zed", - "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-zed", - "type": "github" - } - }, "treefmt-nix": { "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733222881, - "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49717b5af6f80172275d47a418c9719a31a78b53", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_2": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "stylix", - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733222881, - "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49717b5af6f80172275d47a418c9719a31a78b53", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_3": { - "inputs": { - "nixpkgs": "nixpkgs_82" + "nixpkgs": "nixpkgs_25" }, "locked": { "lastModified": 1762938485, 
@@ -16089,192 +3118,8 @@ }, "vbc-nix": { "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "systems": "systems_35" - }, - "locked": { - "lastModified": 1742477270, - "narHash": "sha256-u78SeVemHqEkN6J+PieL1Kymu+n7LWiTPrUXNd+uePA=", - "ref": "main", - "rev": "0525ad64e2729077ed2cf313d2022e8b8c51153f", - "revCount": 2, - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - }, - "original": { - "ref": "main", - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - } - }, - "vbc-nix_2": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "systems": "systems_38" - }, - "locked": { - "lastModified": 1742477270, - "narHash": "sha256-u78SeVemHqEkN6J+PieL1Kymu+n7LWiTPrUXNd+uePA=", - "ref": "main", - "rev": "0525ad64e2729077ed2cf313d2022e8b8c51153f", - "revCount": 2, - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - }, - "original": { - "ref": "main", - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - } - }, - "vbc-nix_3": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "systems": "systems_42" - }, - "locked": { - "lastModified": 1742477270, - "narHash": "sha256-u78SeVemHqEkN6J+PieL1Kymu+n7LWiTPrUXNd+uePA=", - "ref": "main", - "rev": "0525ad64e2729077ed2cf313d2022e8b8c51153f", - "revCount": 2, - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - }, - "original": { - "ref": "main", - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - } - }, - "vbc-nix_4": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "systems": "systems_46" - }, - "locked": { - "lastModified": 1742477270, - "narHash": "sha256-u78SeVemHqEkN6J+PieL1Kymu+n7LWiTPrUXNd+uePA=", - "ref": "main", - "rev": 
"0525ad64e2729077ed2cf313d2022e8b8c51153f", - "revCount": 2, - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - }, - "original": { - "ref": "main", - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - } - }, - "vbc-nix_5": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "swarsel", - "nixpkgs" - ], - "systems": "systems_50" - }, - "locked": { - "lastModified": 1742477270, - "narHash": "sha256-u78SeVemHqEkN6J+PieL1Kymu+n7LWiTPrUXNd+uePA=", - "ref": "main", - "rev": "0525ad64e2729077ed2cf313d2022e8b8c51153f", - "revCount": 2, - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - }, - "original": { - "ref": "main", - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - } - }, - "vbc-nix_6": { - "inputs": { - "nixpkgs": [ - "swarsel", - "swarsel", - "nixpkgs" - ], - "systems": "systems_55" - }, - "locked": { - "lastModified": 1742477270, - "narHash": "sha256-u78SeVemHqEkN6J+PieL1Kymu+n7LWiTPrUXNd+uePA=", - "ref": "main", - "rev": "0525ad64e2729077ed2cf313d2022e8b8c51153f", - "revCount": 2, - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - }, - "original": { - "ref": "main", - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - } - }, - "vbc-nix_7": { - "inputs": { - "nixpkgs": [ - "swarsel", - "nixpkgs" - ], - "systems": "systems_60" - }, - "locked": { - "lastModified": 1742477270, - "narHash": "sha256-u78SeVemHqEkN6J+PieL1Kymu+n7LWiTPrUXNd+uePA=", - "ref": "main", - "rev": "0525ad64e2729077ed2cf313d2022e8b8c51153f", - "revCount": 2, - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - }, - "original": { - "ref": "main", - "type": "git", - "url": "ssh://git@github.com/vbc-it/vbc-nix.git" - } - }, - "vbc-nix_8": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems_65" + "nixpkgs": "nixpkgs_26", + "systems": "systems_9" }, "locked": { "lastModified": 1742477270, 
@@ -16308,179 +3153,14 @@ "type": "github" } }, - "xwayland-satellite-stable_2": { - "flake": false, - "locked": { - "lastModified": 1755491097, - "narHash": "sha256-m+9tUfsmBeF2Gn4HWa6vSITZ4Gz1eA1F5Kh62B0N4oE=", - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "rev": "388d291e82ffbc73be18169d39470f340707edaa", - "type": "github" - }, - "original": { - "owner": "Supreeeme", - "ref": "v0.7", - "repo": "xwayland-satellite", - "type": "github" - } - }, - "xwayland-satellite-stable_3": { - "flake": false, - "locked": { - "lastModified": 1755491097, - "narHash": "sha256-m+9tUfsmBeF2Gn4HWa6vSITZ4Gz1eA1F5Kh62B0N4oE=", - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "rev": "388d291e82ffbc73be18169d39470f340707edaa", - "type": "github" - }, - "original": { - "owner": "Supreeeme", - "ref": "v0.7", - "repo": "xwayland-satellite", - "type": "github" - } - }, - "xwayland-satellite-stable_4": { - "flake": false, - "locked": { - "lastModified": 1755491097, - "narHash": "sha256-m+9tUfsmBeF2Gn4HWa6vSITZ4Gz1eA1F5Kh62B0N4oE=", - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "rev": "388d291e82ffbc73be18169d39470f340707edaa", - "type": "github" - }, - "original": { - "owner": "Supreeeme", - "ref": "v0.7", - "repo": "xwayland-satellite", - "type": "github" - } - }, - "xwayland-satellite-stable_5": { - "flake": false, - "locked": { - "lastModified": 1755491097, - "narHash": "sha256-m+9tUfsmBeF2Gn4HWa6vSITZ4Gz1eA1F5Kh62B0N4oE=", - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "rev": "388d291e82ffbc73be18169d39470f340707edaa", - "type": "github" - }, - "original": { - "owner": "Supreeeme", - "ref": "v0.7", - "repo": "xwayland-satellite", - "type": "github" - } - }, - "xwayland-satellite-stable_6": { - "flake": false, - "locked": { - "lastModified": 1748488455, - "narHash": "sha256-IiLr1alzKFIy5tGGpDlabQbe6LV1c9ABvkH6T5WmyRI=", - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "rev": "3ba30b149f9eb2bbf42cf4758d2158ca8cceef73", - "type": 
"github" - }, - "original": { - "owner": "Supreeeme", - "ref": "v0.6", - "repo": "xwayland-satellite", - "type": "github" - } - }, "xwayland-satellite-unstable": { "flake": false, "locked": { - "lastModified": 1761622056, - "narHash": "sha256-fBrUszJXmB4MY+wf3QsCnqWHcz7u7fLq0QMAWCltIQg=", + "lastModified": 1763704521, + "narHash": "sha256-ceYEV6PnvUN8Zixao4gpPuN+VT3B0SlAXKuPNHZhqUY=", "owner": "Supreeeme", "repo": "xwayland-satellite", - "rev": "0728d59ff6463a502e001fb090f6eb92dbc04756", - "type": "github" - }, - "original": { - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "type": "github" - } - }, - "xwayland-satellite-unstable_2": { - "flake": false, - "locked": { - "lastModified": 1759707084, - "narHash": "sha256-0pkftKs6/LReNvxw7DVTN2AJEheZVgyeK0Aarbagi70=", - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "rev": "a9188e70bd748118b4d56a529871b9de5adb9988", - "type": "github" - }, - "original": { - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "type": "github" - } - }, - "xwayland-satellite-unstable_3": { - "flake": false, - "locked": { - "lastModified": 1759707084, - "narHash": "sha256-0pkftKs6/LReNvxw7DVTN2AJEheZVgyeK0Aarbagi70=", - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "rev": "a9188e70bd748118b4d56a529871b9de5adb9988", - "type": "github" - }, - "original": { - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "type": "github" - } - }, - "xwayland-satellite-unstable_4": { - "flake": false, - "locked": { - "lastModified": 1758577423, - "narHash": "sha256-sB2GAOjhjoWnjU6A/uHNJiY6O3UeztV5pJAN2g1FkXU=", - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "rev": "03368548ba745e17a85bd631613a59cb2d8469a4", - "type": "github" - }, - "original": { - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "type": "github" - } - }, - "xwayland-satellite-unstable_5": { - "flake": false, - "locked": { - "lastModified": 1757179758, - "narHash": "sha256-TIvyWzRt1miQj6Cf5Wy8Qz43XIZX7c4vTVwRLAT5S4Y=", - "owner": 
"Supreeeme", - "repo": "xwayland-satellite", - "rev": "970728d0d9d1eada342bb8860af214b601139e58", - "type": "github" - }, - "original": { - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "type": "github" - } - }, - "xwayland-satellite-unstable_6": { - "flake": false, - "locked": { - "lastModified": 1754533920, - "narHash": "sha256-fCZ68Yud1sUCq6UNXj0SDyiBgVA8gJUE+14ZFGsFJG8=", - "owner": "Supreeeme", - "repo": "xwayland-satellite", - "rev": "e0d1dad25a158551ab58547b2ece4b7d5a19929c", + "rev": "f379ff5722a821212eb59ada9cf8e51cb3654aad", "type": "github" }, "original": { 
@@ -16514,157 +3194,10 @@ }, "zjstatus": { "inputs": { - "crane": "crane_10", - "flake-utils": "flake-utils_22", - "nixpkgs": "nixpkgs_66", - "rust-overlay": "rust-overlay_10" - }, - "locked": { - "lastModified": 1750957292, - "narHash": "sha256-2CYTG+jxP5e7GHAj1t5aMsgb0Rom4jdOb3rsdLKpVNA=", - "owner": "dj95", - "repo": "zjstatus", - "rev": "abd848f23eff00d21ec09278072111d97dfd7fe6", - "type": "github" - }, - "original": { - "owner": "dj95", - "repo": "zjstatus", - "type": "github" - } - }, - "zjstatus_2": { - "inputs": { - "crane": "crane_11", - "flake-utils": "flake-utils_23", - "nixpkgs": "nixpkgs_67", - "rust-overlay": "rust-overlay_11" - }, - "locked": { - "lastModified": 1750957292, - "narHash": "sha256-2CYTG+jxP5e7GHAj1t5aMsgb0Rom4jdOb3rsdLKpVNA=", - "owner": "dj95", - "repo": "zjstatus", - "rev": "abd848f23eff00d21ec09278072111d97dfd7fe6", - "type": "github" - }, - "original": { - "owner": "dj95", - "repo": "zjstatus", - "type": "github" - } - }, - "zjstatus_3": { - "inputs": { - "crane": "crane_12", - "flake-utils": "flake-utils_24", - "nixpkgs": "nixpkgs_69", - "rust-overlay": "rust-overlay_12" - }, - "locked": { - "lastModified": 1753722377, - "narHash": "sha256-L9CujCLS4PmpEhGKqezD4DognRNcYDz/oAL7T8jqCxk=", - "owner": "dj95", - "repo": "zjstatus", - "rev": "f6c28d9b780891afa693d1b9be4384b16ae7a578", - "type": "github" - }, - "original": { - "owner": "dj95", - "repo": "zjstatus", - "type": "github" - } - }, - "zjstatus_4": { - "inputs": { - "crane": "crane_13", - "flake-utils": "flake-utils_25", - "nixpkgs": "nixpkgs_71", - "rust-overlay": "rust-overlay_13" - }, - "locked": { - "lastModified": 1757256304, - "narHash": "sha256-qANK2Hwhi4Nbpcsy6lunncyt725gthaSX/0dLluBxtw=", - "owner": "dj95", - "repo": "zjstatus", - "rev": "e2ea91819408f0b0dd7ee15249341cace6eb09cc", - "type": "github" - }, - "original": { - "owner": "dj95", - "repo": "zjstatus", - "type": "github" - } - }, - "zjstatus_5": { - "inputs": { - "crane": "crane_14", - "flake-utils": 
"flake-utils_26", - "nixpkgs": "nixpkgs_73", - "rust-overlay": "rust-overlay_14" - }, - "locked": { - "lastModified": 1757256304, - "narHash": "sha256-qANK2Hwhi4Nbpcsy6lunncyt725gthaSX/0dLluBxtw=", - "owner": "dj95", - "repo": "zjstatus", - "rev": "e2ea91819408f0b0dd7ee15249341cace6eb09cc", - "type": "github" - }, - "original": { - "owner": "dj95", - "repo": "zjstatus", - "type": "github" - } - }, - "zjstatus_6": { - "inputs": { - "crane": "crane_15", - "flake-utils": "flake-utils_27", - "nixpkgs": "nixpkgs_76", - "rust-overlay": "rust-overlay_15" - }, - "locked": { - "lastModified": 1757256304, - "narHash": "sha256-qANK2Hwhi4Nbpcsy6lunncyt725gthaSX/0dLluBxtw=", - "owner": "dj95", - "repo": "zjstatus", - "rev": "e2ea91819408f0b0dd7ee15249341cace6eb09cc", - "type": "github" - }, - "original": { - "owner": "dj95", - "repo": "zjstatus", - "type": "github" - } - }, - "zjstatus_7": { - "inputs": { - "crane": "crane_16", - "flake-utils": "flake-utils_28", - "nixpkgs": "nixpkgs_79", - "rust-overlay": "rust-overlay_16" - }, - "locked": { - "lastModified": 1757256304, - "narHash": "sha256-qANK2Hwhi4Nbpcsy6lunncyt725gthaSX/0dLluBxtw=", - "owner": "dj95", - "repo": "zjstatus", - "rev": "e2ea91819408f0b0dd7ee15249341cace6eb09cc", - "type": "github" - }, - "original": { - "owner": "dj95", - "repo": "zjstatus", - "type": "github" - } - }, - "zjstatus_8": { - "inputs": { - "crane": "crane_17", - "flake-utils": "flake-utils_29", - "nixpkgs": "nixpkgs_83", - "rust-overlay": "rust-overlay_17" + "crane": "crane_3", + "flake-utils": "flake-utils_8", + "nixpkgs": "nixpkgs_27", + "rust-overlay": "rust-overlay_3" }, "locked": { "lastModified": 1761162625, diff --git a/flake.nix b/flake.nix index 363b431..944e25f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -11,100 +11,57 @@ }; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1"; nixpkgs-dev.url = "github:Swarsel/nixpkgs/main"; nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs-stable24_11.url = "github:NixOS/nixpkgs/nixos-24.11"; nixpkgs-stable25_05.url = "github:NixOS/nixpkgs/nixos-25.05"; - systems.url = "github:nix-systems/default"; - swarsel-modules.url = "github:Swarsel/swarsel-modules/main"; - swarsel-nix.url = "github:Swarsel/swarsel-nix/main"; + home-manager = { # url = "github:nix-community/home-manager"; url = "github:Swarsel/home-manager/main"; inputs.nixpkgs.follows = "nixpkgs"; }; - swarsel.url = "github:Swarsel/.dotfiles"; - emacs-overlay = { - # url = "github:nix-community/emacs-overlay"; - url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D"; + nix-index-database = { + url = "github:nix-community/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; + + # emacs-overlay.url = "github:nix-community/emacs-overlay"; + emacs-overlay.url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D"; + swarsel-nix.url = "github:Swarsel/swarsel-nix/main"; + systems.url = "github:nix-systems/default"; nur.url = "github:nix-community/NUR"; nixgl.url = "github:guibou/nixGL"; stylix.url = "github:danth/stylix"; sops-nix.url = "github:Mic92/sops-nix"; lanzaboote.url = "github:nix-community/lanzaboote"; - nix-on-droid = { - url = 
"github:nix-community/nix-on-droid/release-24.05"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixos-generators = { - url = "github:nix-community/nixos-generators"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - nswitch-rcm-nix = { - url = "github:Swarsel/nswitch-rcm-nix"; - }; - nix-index-database = { - url = "github:nix-community/nix-index-database"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - disko = { - url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05"; + nixos-generators.url = "github:nix-community/nixos-generators"; + nixos-images.url = "github:Swarsel/nixos-images/main"; + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + nswitch-rcm-nix.url = "github:Swarsel/nswitch-rcm-nix"; + disko.url = "github:nix-community/disko"; impermanence.url = "github:nix-community/impermanence"; - zjstatus = { - url = "github:dj95/zjstatus"; - }; - # has been upstreamed - # fw-fanctrl = { - # # url = "github:TamtamHero/fw-fanctrl/packaging/nix"; - # url = "github:Swarsel/fw-fanctrl/packaging/nix"; - # inputs.nixpkgs.follows = "nixpkgs"; - # }; - nix-darwin = { - url = "github:lnl7/nix-darwin"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - pre-commit-hooks = { - url = "github:cachix/git-hooks.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - vbc-nix = { - url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + zjstatus.url = "github:dj95/zjstatus"; + nix-darwin.url = "github:lnl7/nix-darwin"; + pre-commit-hooks.url = "github:cachix/git-hooks.nix"; + vbc-nix.url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main"; nix-topology.url = "github:oddlama/nix-topology"; flake-parts.url = "github:hercules-ci/flake-parts"; - devshell = { - url = "github:numtide/devshell"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - spicetify-nix = { - url = 
"github:Gerg-l/spicetify-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - niri-flake = { - url = "github:sodiboo/niri-flake"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixos-extra-modules = { - url = "github:oddlama/nixos-extra-modules"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - microvm = { - url = "github:astro/microvm.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + devshell.url = "github:numtide/devshell"; + spicetify-nix.url = "github:Gerg-l/spicetify-nix"; + niri-flake.url = "github:sodiboo/niri-flake"; + nixos-extra-modules.url = "github:oddlama/nixos-extra-modules/main"; + microvm.url = "github:astro/microvm.nix"; treefmt-nix.url = "github:numtide/treefmt-nix"; - + dns.url = "github:kirelagin/dns.nix"; + nix-minecraft.url = "github:Infinidoge/nix-minecraft"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; }; + outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } { diff --git a/hosts/home/aarch64-linux/treehouse/default.nix b/hosts/home/aarch64-linux/treehouse/default.nix index 459976e..90acf4b 100644 --- a/hosts/home/aarch64-linux/treehouse/default.nix +++ b/hosts/home/aarch64-linux/treehouse/default.nix @@ -1,4 +1,4 @@ -{ self, ... }: +{ self, pkgs, ... }: { imports = [ @@ -16,11 +16,15 @@ }; }; + home.packages = with pkgs; [ + attic-client + ]; # programs.zsh.initContent = " # export GPG_TTY=\"$(tty)\" # export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) # gpgconf --launch gpg-agent # "; + swarselmodules.pii = true; swarselsystems = { isLaptop = false; diff --git a/hosts/nixos/aarch64-linux/belchsfactory/default.nix b/hosts/nixos/aarch64-linux/belchsfactory/default.nix new file mode 100644 index 0000000..cd85107 --- /dev/null +++ b/hosts/nixos/aarch64-linux/belchsfactory/default.nix 
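Review bot: In flake.nix the one-line rewrites drop `inputs.nixpkgs.follows = "nixpkgs"` from emacs-overlay, nix-on-droid, nixos-generators, disko, nix-darwin, pre-commit-hooks, vbc-nix, devshell, spicetify-nix, niri-flake, nixos-extra-modules and microvm. The lock file hunk confirms the effect: vbc-nix now resolves `"nixpkgs": "nixpkgs_26"` instead of following the root. Each of those inputs then evaluates against whatever nixpkgs revision its own upstream lock pinned, so software taken from them can lag behind security fixes already in the root `nixpkgs`, and there are more revisions to audit. If this is deliberate (for example to match upstream binary caches), a comment above the group saying so would help. Otherwise keep the attribute form where the input ships software into a host, e.g. `microvm = { url = "github:astro/microvm.nix"; inputs.nixpkgs.follows = "nixpkgs"; };`.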
@@ -0,0 +1,58 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ ];
+
+ node.lockFromBootstrapping = lib.mkForce false;
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+ swarselmodules.server.nginx = false;
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/sda";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ server = {
+ garage = {
+ data_dir = {
+ capacity = "150G";
+ path = "/var/lib/garage/data";
+ };
+ keys = {
+ nixos = [
+ "attic"
+ ];
+ };
+ buckets = [
+ "attic"
+ ];
+ };
+ };
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ ssh-builder = lib.mkDefault true;
+ postgresql = lib.mkDefault true;
+ attic = lib.mkDefault true;
+ garage = lib.mkDefault true;
+ };
+
+}
diff --git a/hosts/nixos/aarch64-linux/belchsfactory/disk-config.nix b/hosts/nixos/aarch64-linux/belchsfactory/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosts/nixos/aarch64-linux/belchsfactory/disk-config.nix
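Review bot: The top-level `swarselmodules.server.nginx = false;` in belchsfactory/default.nix is lost whenever `minimal` is false, because `//` merges only the outermost attribute names and the second attribute set defines `swarselmodules` as well. The stoicclub, liliputsteps and twothreetunnel hosts added in this commit set `nginx = false;` inside the second block, which suggests the server profile would otherwise enable it; here that line is missing, so nginx is presumably switched on for the builder and binary-cache host. Add `nginx = false;` to the `swarselmodules.server = { … }` block that follows `lib.optionalAttrs (!minimal)`. Separately, `rootDisk = "/dev/sda";` depends on kernel enumeration order while the other new hosts use `/dev/disk/by-id/…`, and the disko layout formats that device with `-f`, so a by-id path would be safer here too.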
@@ -0,0 +1,121 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosts/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix b/hosts/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix new file mode 100644 index 0000000..2278aaf --- /dev/null +++ b/hosts/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix @@ -0,0 +1,15 @@ +{ lib, modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; +} diff --git a/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc new file mode 100644 index 0000000..efc25e8 --- /dev/null +++ b/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc 
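Review bot: In both `postCreateHook` scripts of disk-config.nix the cleanup `trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT` runs `rm -rf` even when `umount` fails, and at that point `$MNTPOINT` is still the mounted top level of the new btrfs volume, so the freshly created subvolumes could be deleted. Chain the two steps and use a non-recursive remove, `trap 'umount "$MNTPOINT" && rmdir "$MNTPOINT"' EXIT`, and quote `"$MNTPOINT"` in the `btrfs subvolume snapshot` line as well. The same file (blob 9a98cce) is added for liliputsteps, stoicclub and twothreetunnel, so the fix applies to all four copies; a single shared module imported by each host would remove the duplication.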
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:8qaX0CjyxK8qoAyVyxwfXlejWyGSY579EVmmUCi9PPyB5LyPjfDvXxlRFCOlC6eYbSJ1AWLqqZ6yYgZaimUHkOTh7dL+D4wSkmGeRnxZoQhq9n9sYZPJUfqEhMwEGxlrAvchXJuruZG+Tp9+Ev0if9f9J9qdU1y+yLGQxc2vnibMg2uxdpfYjHaDWa9bybRQZxINkD//um8uxkRs0xvWgZu63ReQZMPjx9K3vNtdJTZsW5+ZUB368QA2mnry2Zf60PWJT/+NsNKIwyzjhUNJ/eTFxjNJ4zPj/AnXFezfGvpVu6XFYsLk5uPb3XfpUlCj4mTVvmVlA40lf4rOhyoRRAW8d28puJArBf3nPzIkWQUfmFwO5EE3qPDkjMlaRa/RdRx0dvrbLDv7Ujt1XaK8bl3Vkz77oumCYFPV7J4mAeu3/LFBAoWKik6Wj8WQE+QwUWo=,iv:ZQaOO2Blpqn+Xnzt4fcPu+rNAvEdluwJEYRxPVItLcU=,tag:rKJ5g27ZK1wCpcyCVfffpA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-11-28T14:15:06Z", + "mac": "ENC[AES256_GCM,data:TxnVPtRHzUEr9StM3RlOgqD11036yM74HL1Q8ZkNSU89geAaUoDj8LJD1QKglDT5UNzfKeaZD4DT6bqill+H5FUuonOgLPxNoFKMyWhppQkMWM5F/bw8JUulacmE28b2Rd5zRVOYe3TkE11kMAbxRD+CvqEFBrLsZAndr9QdfUc=,iv:uzjzk1FUN52oAE0cuw7OLLmMRxE/VLQ+tUExxYQjwTQ=,tag:+BOG6wRb0h/jhyy7l8ZA/A==,type:str]", + "pgp": [ + { + "created_at": "2025-11-25T18:32:49Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Mi33CAnGK/475xmMlZn2P4aR2iFjWFms6XU540JZnfQi\nF6/bjq1otgxGlnR6x3zhPQU3whCQIv538UeiYWMoS8oPxj5b5eF33agihYaCq2wx\nHv4p0+hOJMl2SJPCHfmTkClqYGYMOzTPe1g6oiY0N3FWVoiWXdbWNkIGVNjgkedz\n5f9JPFWn6iB/Z07qUMwG2OOzh8ZPlh/PgNCBrCVMUYrD/FrAck389uMw4yHFz8AV\n3ETnx2gHFTwL5F8H7x3uVungoBVCJk+NpXiKS6nVKwH4jliydiU2ZClSzjHpCqCW\nd365MCahC67IkuCkWhwuPwDaKIk7Qw4rZaLybcad5/TQ0zT+XCm6/2DYIYTj2gip\nqrBDZxHZhkpYcArjckWDRchO9t9E/c3qJfD1Zxi6fBz0vu2WcCuTT8Qd6Zn+DlMb\nVr0D2LPlZGRJ+kM9xuZXaY1bGNAA2POvLn698prPuTkMNxidQEhPNuNy4PlYKXAP\nFfRzJ5zFUneW19j8SgL6BxfLoYDFWkoHIutNDH5H290MJqnFDUrQ5bQn8odM+1OL\noJ1AchHN3J0J5aa2Z8X0NSVN7N0TmU3xVZ1GmfdqbH+3V+OR3NMgJ/FKMQEutT56\nAsBc7tSHtJGaRS9plJ+RryuPRRnqGmRkS3vVmBkrD+pY/TwUbXUBKjEOWhq9uwiF\nAgwDC9FRLmchgYQBEACD1XnsK/sTsgtvt69H/aBHWVIWQNTmdhwJBUHmqkusFhPf\nXxfGN+bvapWulYI+Wb4LAQQbUhMmz8drPnWpCEobS3LSeU8CDD3wBrGAJubI7YLK\nttn4oB7XK5mrg9SIQ8M8kOElv19oCMudkX8dRs4gs0TBO6jbr7/lsiyL/sN3Ylk+\nnyORFeSgE9vVcvJ8QnIF+MQXF9Re61zJFqjXiDMEklzbHHVeLzS5IlYgJoDvV3Gg\n9lTtvdO/FV5JtjFeYI16rjPb7ip/KtljU5pBM8wp6VU4Dre0VsRBgztm279g+WaL\nDJuf6lmfwNSk66tiLpsaJoEu7A+UhLURI10cv92E7fydbGRZMgSjK6ZK4Ue6WH1U\nYQJenngZPXcRcqfCeTVTjzG6ikL3aCfvbuJ3/oT8Y8oBA5Ch2PG7fWAJMMUVIFAM\nLO8KqCSdRCoJrJ69s8iyBycOhPhMiwLZU2HLlMux/kLq5OB2JMGm8P4nxoXTp9Dz\n2TPoPigZritYHsIXZ3cM2iR3OL3AiotKlaIp74ElUeuc0K+Bcp1C//OtKTPuYGnc\n0ttC/dx3c9vv6W80JJ6i7bCRoDiuGrrdx783ly2br4VLDFSaS8rNbrM5ccSTVImw\nUFxZO9rLO0n7N6z4hlgrKw3G1SWKYqbgOVXxIog7st8JvmPLQZYjEuH9Xwq6WdJc\nAU2esxsAaDKyIPHg+DAXOPBagzU1tBKFYtwaiFVDqYk5gNE/2hAnKcuU7O3sua1q\ntsgL2kY8VSHcFFv8N6FhDYPdCrDgAwOtJSZGf7uV92q7/vbMWx+vGq/7FaQ=\n=m1sm\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosts/nixos/aarch64-linux/liliputsteps/default.nix b/hosts/nixos/aarch64-linux/liliputsteps/default.nix new file mode 100644 index 0000000..dc866d7 --- /dev/null +++ b/hosts/nixos/aarch64-linux/liliputsteps/default.nix 
@@ -0,0 +1,41 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ mainUser = "jump";
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ nginx = false;
+ bastion = true;
+ # ssh = false;
+ };
+
+ # users.users.swarsel.enable = lib.mkForce false;
+ # home-manager.users.swarsel.enable = lib.mkForce false
+}
diff --git a/hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix b/hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix
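Review bot: The bastion host in liliputsteps/default.nix is left with three commented-out settings (`# ssh = false;`, `# users.users.swarsel.enable = lib.mkForce false;`, `# home-manager.users.swarsel.enable = lib.mkForce false`) and no explanation, so a reader cannot tell whether the jump host is meant to keep the regular `swarsel` account and the stock ssh module next to `mainUser = "jump"` and `bastion = true`. On a host whose purpose is to be the SSH entry point, that decision is worth recording: either delete the lines or replace them with a comment such as `# NOTE: swarsel user and the ssh module stay enabled on the bastion because <reason>`. The last commented line also lacks its trailing `;` and would break evaluation if it were uncommented as it stands.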
@@ -0,0 +1,121 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix b/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix new file mode 100644 index 0000000..2278aaf --- /dev/null +++ b/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix @@ -0,0 +1,15 @@ +{ lib, modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; +} diff --git a/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc new file mode 100644 index 0000000..bd5dbdf --- /dev/null +++ b/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc 
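Review bot: `passwordFile = "/tmp/disko-password";` sends the LUKS passphrase through a fixed, predictable path in `/tmp`, and nothing in this file says which permissions the file gets or when it is removed; the only hint is the comment pointing at `bootstrap.sh`, which is not part of this hunk. I would extend that comment to state the contract, for example `# written by bootstrap.sh with mode 0600 and deleted once disko has finished (TODO confirm)`, and check that the script really does both. This applies to all four copies of disk-config.nix added in this commit (belchsfactory, liliputsteps, stoicclub, twothreetunnel).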
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:JYRzdtAYu24aWIL/hfWLbkS8xpcPw3ylZROuuUMVmIY=,tag:Ot7G/QiTLhmnlYe7Z9aOTQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVU5HTGhyL0ZBRXkzZ3hq\ndzBMd1JZTktZbWNFMGRzcXhFK3RHb090cFdBCmpMa0FNMWFCenBjYk9FaDIrTkFS\nSnN6S210ejN5SVVhd2FWRG1SUHB4WWcKLS0tIDV2K0h1QWxwUXkwVnZlYnR6eEtl\nUVR0UGJOR1hadUtNcjYyWE9wblAwWFUKVM+J/pqtZFADYTQHfWCdvPzlhtgR6zAy\nu0EWk77+K2J0GeBuDr1W5yblUCknht6WZCJZcO6fW7AuWSQK3e/EVA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-01T16:51:40Z", + "mac": "ENC[AES256_GCM,data:SWLGPgFcdiGSvN5BTmE8Nq7+pBiNJM05H1hhqJY6wJqYZehKhQrQRj6/DSlYWPvYE/DdWo5Tiuc3RNY3NANwhki+7kl0OBxHoaHqBgOTa96rdPwe6V3s55v++jtm0xg/qLHEPCqrKqw/aiBAQLJkDOh/IykeEXBMW3S6EM+aQ0U=,iv:2wn4jQHdWWhIzOyGhZxow8WG6W0VgA2gwhb5X+k9ja0=,tag:8g4wQb0u7vbIPkVX8Ey0eA==,type:str]", + "pgp": [ + { + "created_at": "2025-12-01T15:59:42Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cl6I+s/JLwwTCX7WKdzeOIkrsK9DpY3pXBuzoZRSRSJE\nwFJO99Uc7/uH1DSsEB/25CWI6eWx7k6l7YDbcbXQgi5ZNoAt7BePeCu2LK/3coZB\nJe4SManP0sPqxrSd92Tnm6Zl9EL4cJ/5D2C2RBTWOaOtZHR8gyxx5+rzCotCoTXA\nJseGE4B8r/M0O7PAS9+oD14AwCndhuvkmFOq0Y1/wXldV6yCdgc//0oJBSTCBJUZ\nYMSQLovEYGvF9bFfpWYU8J53WqlGn7QKVccDN0/gfi8IVGVZGccUA58VaVqkzR41\ndYlRZ/sjtd+VXmOg8Fx79bOlzTn+RBCp9y+q5yKnzUKGe0/Lrnt6+j7+ieIowi76\npBd0bEaoh6wqdCJ7GSjsj5kdSXRop3Ae0ff+J0pBQNctehpcWj5/TpeA1zyslwEC\nD1B/KVN+Gh0XBCg636dUkt2E4NPNDckSRuvTLy+8IkTm7aQqTjqDu3WUOSPzZiZK\nBUGZWwXAS+xPPMH26X6gPTfZj+7Gdv6yxTVIwkphDbWfihxIP//WNbKX1QN4VSHf\nCmoPOrriIdgZ7d2olZEJxPgEVzavkRkiMSFQbQgzjx5Af3ccdav3mxlubjXldmpe\n689Joj8cgBPg1Yfk/yl7tVK9TFJgYXTqKfsXwscrSlsV+dRAN0pHuq1uo9cTE/SF\nAgwDC9FRLmchgYQBEADCJ5IVMNp+PgUDOiajCfpNq3/HsntzIWG0tIjCb5L9TFWQ\nMA2LQWhcU5CRBh7Sakf8IFi/U40SD+dILUh8JR/7g2i9mCS+1e0pkUwSIYxzAI+z\nQeycuyOrdQJFrk+nFbTdZVAerElxew/wQUiC2uoI8tA5+XyNeNfipaptPh9FpFuz\nXhFbkZDJ4kapGzsAn4FgUdmdqAgZ5n2W46WAmDmVKM0W1F0zZdkBEdkEKkv1gRpZ\nRntb/mVEiGAdXv6yAzvHrxgIBkxazzstRmCMXa252RUIakXqvkP1vw7B6ChSFQR+\nq9WNo9x0EYXivd/+ROjHT7WNhEToWems/3CQpQd1LEFXajLdpAWd875acqhBJqtY\nkpKqUG5F4JmTZ7hMuGI0g30nOofMtmFhDX/gCpJ97lEudHyNrHe0KWaQAwtRknz+\nrcPrZQmGRRcf4xcBVe/EDUNlkp9fPWEhFAwKMsVkkvCAADZbvdhLR6URJMmUj5KG\nOuwglHnSOMxCovAQUd3vCtNkkAnRPNOW/WMThr+qfjq8oKdDIaYBxjzjSz1FIsho\nKiz4W3flRzUcALjKTXadQl/jJEhpP3C6Ivh0d29SiKyrWG+Y4KlDIRctub9UjH46\nb2wqbnBzSrC8u9xJINIB4yryXsZiQyP5b39guSKIPjURebus7LBxq+0I7Z1OptJe\nAYk5htmFDe9Sgc+Do1L0kdxjblaoWOc0OiwYshQ9cMv+/IsU0U6T7w2A+8QkzPFc\nGVEmrW1Jyz2O3eMpq/Nl2IsmPDYTEPqhkRtAshBuYsoZJUz73/EovcSxyJ2moA==\n=o5Pw\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosts/nixos/aarch64-linux/moonside/default.nix b/hosts/nixos/aarch64-linux/moonside/default.nix index 692c684..1c3cf3f 100644 --- a/hosts/nixos/aarch64-linux/moonside/default.nix 
+++ b/hosts/nixos/aarch64-linux/moonside/default.nix @@ -11,7 +11,6 @@ in sops = { age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; - # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; secrets = { wireguard-private-key = { inherit sopsFile; }; wireguard-home-preshared-key = { inherit sopsFile; }; @@ -138,9 +137,16 @@ in isBtrfs = true; isNixos = true; isLinux = true; + server = { + restic = { + bucketName = "SwarselMoonside"; + paths = [ + "/persist/opt/minecraft" + ]; + }; + }; syncthing = { serviceDomain = config.repo.secrets.common.services.domains.syncthing3; - serviceIP = "localhost"; }; }; } // lib.optionalAttrs (!minimal) { @@ -155,6 +161,8 @@ in shlink = true; slink = true; syncthing = true; + minecraft = true; + restic = true; diskEncryption = lib.mkForce false; }; } diff --git a/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc index 086c4d7..dd4cf5e 100644 --- a/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc +++ b/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc 
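Review bot: `minecraft = true;` in the last moonside hunk adds a game server to a host that, per the context lines of the first hunk, holds `wireguard-private-key` and `wireguard-home-preshared-key`. The module itself is not in this diff section, so whether the server runs as its own unprivileged user in a restricted unit is not visible here; a comment next to the flag would help, e.g. `# minecraft: dedicated user, data under /persist/opt/minecraft, only <port> opened`. The new `restic` block backs up that same path to `SwarselMoonside`; its repository credentials are presumably declared in the restic module, since the `sops.secrets` entries visible here only cover wireguard.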
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:Bs1fdmD4jbM/9hiPHxu+yENrVrwFsmhJ5J38W5+4PtM=,tag:UBpHq3ldgdVORaRxuswzVQ==,type:str]", + "data": "ENC[AES256_GCM,data:jGfSfCOqW+p24TaH0vlcNImiY/Pu9YhdIwri4N4RvG64f1fmfNV3z6LmoShCYBfIWF2P7DvOa92dPY2ek9UiC1bEmiMtc/scpGxpir4WNuMLUtMWb0IGmnhtzq7fRAH5FkYLJBSW7pAgVsoajRGbo8Dbk5Dqcm75Pfj2YcC79oAckYt3vSzBcskgJ+ccdCfJ6vDlnAilay/GatZbIQmbEefOi9Rplfln8Ounj/hH+Z6zat04+rI5Lj8bTPu7NOeUlUmgoApuJSFafTb3zgxqnvQL5axOgIaJqiXFWhIf5httmu0mjhJupMXxt14IXgKe+ESAZFF8hWHHUNOpE8gEt5tPRQ1hqA7eHoGSYCrEQK9rSXRweO9LCfGV1+UduXgX1hKgwKDS4A5u69MvcpXQoSYX33ZzuwY7tbykb1tbEb3jN2BOSCBB2ZKHRfsTMqAHTE1RekcBArMxp7+8BkM/oww8RTMJ3I8tcU3QAr/LoFvKwvfIVrbT9gSlKSZUeoBc0WMzmRdjXhAZmQe2pb/TOFmPm31ih/E98zKA8PXhNrqjzEVN99lfn/NKsOLd9a8LXK8XoTTueTWqENEdJRx6dHpWuqBy5GdkrDVCRzgiO3Hpkwg56nPmCGoD5o1IgnRLJItNYrIRejIRaISjlefpezCMYIGMIx+CusvAwiOuuWT6kNfDnaK1U4P3Ndk39lsz8Eg2GMruc4VZ3kpTCeQdvbl/jmFwNMPtzJYooiDualIAL95iZU+RW/K+2g3ZA/Q/gJrc+hB6I+z3PzMod5015Oj0FG97XQzn2TeBD1fuO8UtyxSNajGD3ZK3Laa5QrSNUrzlf7YONSn98Z8OqKsAz+D/vnr0Lg4kjrrhYvN6GpR/QqMnNZT7m4d/oxACDycao6ZUDNE/dvuXSA4nSJp+5cxDXjgSMhnOgS7/gCiLhEBkLwzwdexT/e5vGcqqMmyeMK8vSFsPpRoPv26nsyRalwctY2ClX5KrEEckHNf+p9djB7eJDyLxXkPRLm0yp3dcmcEyk0tUffpcJ6zqWnlm46yfAf29fmIJfQWJ8ehSY+bYwDnx2LmCPcfH+sRSSV2Y1Ay22ry9rVJU88SuRdSPsHOitCuu0TQU56Su0wG24ilh6Bq4Dk+0JxlL3wyPWsnoaYvaRiJ6cs3j0tTwwxepbwiakLzWnVcqHDSoQ+Bn0T4CmcF5ztmpuLZSe/UXA48k77JmbT8vne0ig+kVfRuKhG+qV6g+GnxTIPPXGzQ1hWTS3Fg8YBMt1XYyjX3xa218agvPwLhCru1v3dAfHKk6N8G6SN6EN78RQmJApjSHAGFO,iv:a18hH0e5s4BTTlVIkQT34z8a2jELj59ZHhBbb93o3t0=,tag:sj4baRiZic6sWnJXjhL7TQ==,type:str]", "sops": { "age": [ { 
@@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-10T23:16:52Z", - "mac": "ENC[AES256_GCM,data:CuwVt8/XKRMUHs1rh7Yf4Bk5tWXqTz0HXUiEEjuLhj1TRuMWs6aTC1h9uTMoybP+FmjKeRTar1E8dgUmoheFUGaBFqxd1Kx/FmNeJVLhUOPgmT9XOIjEjTNnzOoaMsYvfhP+AnLKgx+CfOsLnLMOqdKEggx1t5jNfiI2rXqOdfI=,iv:4Mc3WcgMg3z99dERJk+EF4hPpgGZo4mfMt6X45zgp5I=,tag:MP0YDtR1Wq3088WVzXS+8A==,type:str]", + "lastmodified": "2025-11-27T14:12:09Z", + "mac": "ENC[AES256_GCM,data:6CqpegjS90H6fAllBsvz3d/y4MpNyMUo+v1sby4hHHw36GlQvnULHuv8dhXrlYaE+L21aoz1RITl7IEtNl/R8zjGh8b0dGIc2iUa2M5dNvHNPMTuucAEQPuEEvTiwI72winpEkdB86fHFFHvBwHwmlNVFJYx5b9bNlpjCofewQI=,iv:qOv8s8j5jOtcoKzgN/HkXvIsS/sk/DFZ4lcEKBLsrKA=,tag:ifXbcFGzpJ+DSJPkvaX0pw==,type:str]", "pgp": [ { "created_at": "2025-06-13T20:12:55Z", diff --git a/hosts/nixos/aarch64-linux/stoicclub/default.nix b/hosts/nixos/aarch64-linux/stoicclub/default.nix new file mode 100644 index 0000000..217d272 --- /dev/null +++ b/hosts/nixos/aarch64-linux/stoicclub/default.nix 
@@ -0,0 +1,39 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+ swarselmodules.server.nginx = false;
+
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ isBastionTarget = true;
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ nsd = true;
+ nginx = false;
+ };
+}
diff --git a/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix b/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix
@@ -0,0 +1,121 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix b/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix new file mode 100644 index 0000000..2278aaf --- /dev/null +++ b/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix @@ -0,0 +1,15 @@ +{ lib, modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; +} diff --git a/hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc new file mode 100644 index 0000000..e292b25 --- /dev/null +++ b/hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc 
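Review bot: `crypttabExtraOpts = [ "fido2-device=auto" "token-timeout=10" ]` comes from the laptop configuration linked in the comment above it, but this layout is used for cloud VMs (`isCloud = true`, qemu-guest profile) where a FIDO2 token is presumably never attached. If so, every boot waits for the token timeout and then falls back to the passphrase, and the file does not say how that passphrase reaches a headless machine. A short comment next to the options would help, e.g. `# no FIDO2 token on cloud hosts: unlock falls back to the passphrase via <mechanism>`, or the options could be applied only when `config.swarselsystems.isCloud` is false. `allowDiscards = true` also deserves a one-line comment that TRIM through dm-crypt reveals which blocks are unused, so the trade-off is recorded where it is made.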
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:mU4ydooaOySi7MTe+b/DGfs1fzpDXbkASUo1cDsh4O8=,tag:Jh18+kJPLJFlGx5HymywOw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZzY0QVQ4ZUxxZkdhQ2Zn\nOHpmTnRaR0R3cXh2Z2JFM1RDVDB2QnE3M3prCm43NjQyOS93UTZKaUlUUmhVcTdG\nUWp1YU1kVmZPc0tBN2FMY2FFVkI1a0UKLS0tIFovZi9FQlhMaXpvcnRYN2FiSm16\nTzJESjNyZ1NzajJRNDR6ZTd2TitoQTgKe2hC6OpYIzgqzhmeJuHWe0yXNE+/Ek26\nGt7s1B6OKnrj+S3es84ePOjAbLHr/ez282b/h0y55ws4R7jMemUIrQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-01T12:12:55Z", + "mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]", + "pgp": [ + { + "created_at": "2025-11-20T01:03:05Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//eTxMD8ZbwJUqVsi1IKK2qdprLTjE0rqdDue+OvP0V+Ns\n1uTnw+b2UBykbIofXcG4P61OxAFdEs8whiIdffQtkDTkOgzV9IQCBOSGxZGEJXMe\nrl5BZLlF98JZ5R15v8V8vMwWwtC90GZ7gZLDV+yZz40Zqm3mTrFz/3PERukwu4Gb\nLTJDOsGmpooyI8KnrIsBhfEwo7/ouAayuKQfvt2i2Tngk9Em73R91BlpcxsOEmqr\n5KWA4GCsjUOmZZKLj2vyENPgQh8t8bP5fGJ3Rf4J1MCWAB89omcE0aRWId/l5sdA\n/Nxinh3xQsiXHPzPLZQ+UjHs+MjNdUoZapoDBP84j2tHsSxh0RMRhlHpESDWq3Mm\n1acWrChyyds6Lz5ZqkioqvAZ3lslS0kPdQqfsLzYWBhA9kLOIJKYfat+vxsAPwAa\n6kceXtxSzUpThtDUPDibjomn7Mrj7ZoHhiJZup/M27glf/V4P3zk+ctpXMSIE7Ia\nQ/jgRDzpcs+u05RsP32jFbCAfi//WxRo77MoxGMJxDhYibBp+aRkFAgVYiElhxbt\n/NedcIAHSJZFyDPm0wn411+DPnUTPn9D9LCkmSG68ZeGDGZJl7Sz3bJ3obWWecTG\nBjqxMZVwRuU2gdg1IwempP9u1dP0Q+g8B3veui/gczGx3J5kvNv8hnUBTeUl2EyF\nAgwDC9FRLmchgYQBD/oCciOvXMrH9/hWIIYb1sKiuCmgdVfs7H0q92XdVNgkbPRz\nXAakX7dl5cZt748u/eCHlGUGr4q7yA1tDx9Vm/J+O2HljN3lBVCbm7HP+YcI+5g0\nvvxr0cIPtr5CXlZz6hJjTgzE4HfEKagGdjgllbHYBB+0rtq/2pZTa20fG0w4coeI\nB/D0iVFwyuM3Wxt/7gXpPtI+m/3qt8QoFIGsZkck7X5hdJwGF4DD5jKxYB28s5Hc\n4ZBG19jezjMIVJUGE58TTVDTvZvJ5Vaw2RizV8DRkFS3q0UIOapOESpZiRnoOqA1\nDQpAU26RSEj8wlYsgNrVWUpdwlYs5e3EWYNkGROTRSB/dGcCSVF31A76W7af+6uv\nwZdMCrAGlD4GBj/yojdnqstfB2Jxu99VubcImWKfaJEXYx5xoREGmK9+t896GJi+\nE8mjiMOMRZFV2n2nwTxAFMaiDJ+VpKpKGVKCOSDwqsePhY/A4kb+N1nnhutmSl/v\n1SCDDvC9+jYNLUC1IaJfFOrNClA43IdJELOAavRx2t1RdyfyOx3D8rrWhF4+NB9Z\nlAc2e7hOoP/OEtf4YjZWq3dQtWSdwePWBxD9xyvF/kEmd2NcezqdfggH3g84qBxy\nUxBDD3ojMMAXlkPU3hRiDeLd1mHxDizVxqYkIYDSeAKtuv2ECH8y7/mv3sKrFtJe\nAQvSMW7gOmIdtQaIpsXHMxzXf+Nv0l3dZeWYD/TnVvoeVOaRQ9dHrtl3J0U9UN3j\nBOJdFaptlS4SIRkva6v6srrM7dXKvjR6IabdzaWl098VW9RFD+YGJ6ZhuQ+zOA==\n=l0k2\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/default.nix b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix new file mode 100644 index 0000000..8a30e09 --- /dev/null 
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
@@ -0,0 +1,36 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ nginx = false;
+ };
+
+}
diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix b/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix
@@ -0,0 +1,121 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix b/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix new file mode 100644 index 0000000..2278aaf --- /dev/null +++ b/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix @@ -0,0 +1,15 @@ +{ lib, modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; +} diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc new file mode 100644 index 0000000..e82a9a3 --- /dev/null +++ b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:G3Q+Hn7QkvBZeXzNR+0Bax+Va5sK5E0K3hNTkdsNJx4C6pIwrBEBOt3IKv/c00QhpAnPqo9gbKqWU9gv7I56nEOwVtVH3lrMlbxNl9LIiSv9SvSxVkTOow2msSJV/U+1KpjNQ/LnOo2Fxebfz1yiRtgi7hSazzqzIazZAFBldlKkjLR5SFCG8t5s/nccqZU+cLmS7hJDS5LtgW1XeunqUY7jnKuh7gT2I6fPsu15Vy+YeKLmYIt0a20bWGePBIlyiGRtpnMgtIt5gk5+OpSndO8P/GMgUzRwRZEL1b8U57jbhkPLdnwwy/iV6rEFCD9i6qB0ufVW/euc+y5mN0dx8op9FwJVzkJhUIIy9Qbbc8WOjjjWlwbKJNkWfYX7pTtx+xfBKuPF+IwaoMS9j+C3etkoYe5QCr9YGYM5Xer/HL0otYNacQU5S0VqPBzDnLu7NxzB4i22,iv:aFPDBmZasoqEFCbhrRtA2QMB27khuT3rdfCGAafjov0=,tag:GQGuHL5aYPc98tzc6Bb5mA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-01T22:45:54Z", + "mac": "ENC[AES256_GCM,data:b2sWPq+S5qqSM6lON+9A//LehgR7Wy7x8EfqeiFOFo9RT3niwaKjfp/Jnf6nKbXF43XM4dsn+dIX52fgxyd0KVLnJTqinhz97sSSs7hYFdXa2FGRhI+VwmuGVvr2ylAJODQgTn+MD7I+s/3DTfh6h0V47IZvxrUpYgg7tJrxzBc=,iv:g4XVN24+COVtRQPzTiI4iki1crjBUVc7vpnJ/vucd2A=,tag:gcnfSvPWvLqG2wTZELRMsg==,type:str]", + "pgp": [ + { + "created_at": "2025-12-01T23:06:36Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RhpX1uVa49yA8FIfj/y/2C92Z7iBl+l1TGjaYMnuLAp5\nYybqAHwi1gzbnhKvpqO3ndm7qHNwbPBuYBDhu1ZDkQnzyzIthx3JA2G+je4Jem+N\nF8XWUglO+lEUpHD62s9JdOSS2dNRHSd/mcu/GV+k0/DzkXDn3TzzOciKBLn1u03+\n6T3mipG5cm00EEstR+iX46FSzOPX3M2+hYY+HY9rQa1RKUrUUsBBdCEYWgMsQOA9\nDGyweibxkcyxIGZIc882gxa06QxM07ON7NuZjW7vvUz3k7CI3bf5IBfaCvDywaDL\n0AKeTAVGVLnzdapZoP9lZmu6T639wu8BKMxSHiGeUenOrhs/Gl+CA2iCU5XimZCw\nbwPvKRbOGLu2eiBL/BHEMg1XpRw6bh24o3vNIchGRqDKbXICgkKr2gXhvli3qPrH\nCXokXF48e51bERfr9YWi0ryW5tgVEMwyubRi85cYnslwqfT78xzKMNRwF8wJ6PxG\ngwT6bEJ/f7QzXkw9VPY2HbaBBhe7XUBRDhLnV5sPBiZW2JDOt9rXH1LqWQLo7Ot6\nLWvOicAtmY5vnRIm9x1pPFKipmTWj7NzRCLEq5yt0borQsPO5RTC6fvhL/1Lpe1B\nzjAIjJBfQptEn4xjA0unZk6x45UDp9KpJz5zdKF43DSvGOkEF8NuTdEXNpeYHzCF\nAgwDC9FRLmchgYQBEADA36phB2C1d2DvEzi7AB7lK5gGExmaYSCzMJkSfjNQ4SO5\nwMhvRZZyIf5PT9wdJ6hCtOSqqhh0cubmZadrFnz/qjXLVSv9aTD4PFshF5lYgT0x\n2GkiIOkrVZ6vuP6/iIW/p+CqztDymVRR6DAhNNX6gx2NARdhii2K/hitW0QejoJk\nWY07qUIb2z0fPVp5TfAf3Nr87u3faYr0usW8GGABFA7IzJwCK1VA1284UZm4zj6Z\naHm+0wK/1g7Ck2sjzbhqzK3HlZVKd6lBIhmwdzcG1y0Ua5L7PIauLR6ArZkFD3WO\naHyyZ5hyNmoyOMjuTvPCIhiZ3T+aQK2f8pzyOApEWX4piCNhIvcSSy9AQ/f5hvVd\nWLG68dIMnmOWYxHX68jdNttSCcc9oJKNboOPKDdmEblZxGx5HZpYYL7X+Q0JKoMO\nqCXVc7GlIVLX0GghAvgC9Xww8XMQTWgJJJAVOa0tlTDJ4ybvCiyy850+ZPTevlHV\nfvlKSSCGHtjVIuZ5b+jMtBqg0aPDY0OqNFSvJ6x6wk0uICMesv2LNAKF7tUkMvHF\ncHljW96IOLocW96bwVR+nQG7U/ZY7/P6+2Nva8AgbrCd0erEZ/2lIvRV4IEzCk2g\nVzuzg+7pjkh1iHYUX+VX6CbyIPyx2Ic+VNaMrbqtC1YiPK6Bx+SF3eYHw9DYJ9Jc\nASJeqALtG3vg/TOKZwOfTp1GNvSExTUKqhEHpcCCty1UxIpNCPByvvsUqY0Q63DA\nyJ4TVO1QLCLwKz8nK8NWSRGrZ29jNJfAjcNDV/FrPiFqSPHVAErd4Vnbeu8=\n=Yn71\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosts/nixos/x86_64-linux/bakery/default.nix b/hosts/nixos/x86_64-linux/bakery/default.nix index 98252bc..3927663 100644 --- a/hosts/nixos/x86_64-linux/bakery/default.nix +++ b/hosts/nixos/x86_64-linux/bakery/default.nix 
@@ -10,6 +10,10 @@ in ./disk-config.nix ./hardware-configuration.nix + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + ]; swarselsystems = { @@ -31,7 +35,6 @@ in isSwap = true; rootDisk = "/dev/nvme0n1"; swapSize = "4G"; - hostName = config.node.name; }; home-manager.users."${primaryUser}" = { diff --git a/hosts/nixos/x86_64-linux/eagleland/default.nix b/hosts/nixos/x86_64-linux/eagleland/default.nix new file mode 100644 index 0000000..baa5bd5 --- /dev/null +++ b/hosts/nixos/x86_64-linux/eagleland/default.nix @@ -0,0 +1,38 @@ +{ self, lib, minimal, ... }: +{ + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server.nix" + ]; + + topology.self = { + icon = "devices.cloud-server"; + }; + + + swarselsystems = { + flakePath = "/root/.dotfiles"; + info = "2vCPU, 4GB Ram"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isCloud = true; + isSwap = true; + swapSize = "4G"; + rootDisk = "/dev/sda"; + isBtrfs = true; + isNixos = true; + isLinux = true; + proxyHost = "eagleland"; + }; +} // lib.optionalAttrs (!minimal) { + + swarselmodules.server.mailserver = true; + + swarselprofiles = { + server = true; + }; + +} diff --git a/hosts/nixos/x86_64-linux/eagleland/disk-config.nix b/hosts/nixos/x86_64-linux/eagleland/disk-config.nix new file mode 100644 index 0000000..9a98cce --- /dev/null +++ b/hosts/nixos/x86_64-linux/eagleland/disk-config.nix 
@@ -0,0 +1,121 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosts/nixos/x86_64-linux/eagleland/hardware-configuration.nix b/hosts/nixos/x86_64-linux/eagleland/hardware-configuration.nix new file mode 100644 index 0000000..8dc40ba --- /dev/null +++ b/hosts/nixos/x86_64-linux/eagleland/hardware-configuration.nix @@ -0,0 +1,18 @@ +{ lib, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc new file mode 100644 index 0000000..7407819 --- /dev/null +++ b/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc 
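Review bot: `passwordFile = "/tmp/disko-password"` makes this host's LUKS passphrase depend on a file in a shared temp directory, and the `bootstrap.sh` that the comment says writes it is not part of this diff, so its mode and cleanup cannot be checked here. I would state the requirement next to the option, for example `# bootstrap.sh must create this 0600 as root and delete it once disko has run`. `allowDiscards = true` also deserves a why-comment, because passing TRIM through dm-crypt reveals which blocks are unused. The `fido2-device=auto` / `token-timeout=10` options are taken from a laptop configuration (the linked framework `disks.nix`) while `eagleland/default.nix` sets `isCloud = true`; presumably no token can be attached there, so it is worth confirming how the volume is unlocked at boot. The identical `luks` block is added by the other 121-line disk-config hunk earlier in this diff.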
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:nIgv3b+6o5Ce9X9xZtBK62f6dgsAGLPqq7aVFCw2qjD9UiHCrAY9vTn5NSW2O2pbLAfx6h7falS3/0yU+AkJ2H3zhxBy7ZxQ0m9dLoQGrYY/E9Z45xZmdFRxtzexCaxr2DxbP8haJKomQ22cHk07HGsrEZ/CFGkyjRxUr3Y4rewgZPBXahVtM75mWbNpVGApc8cs/W4JbjuXw3qlCQcACz8sZVPHKCjbEypypo6nTmU7NO7worrAJ2QgU75oGJ9g96wp9paFMEDofVp2Y25IVYReGg8T1Qi/kTcZzfzGfSpEwnQBB/ZCW6gNYhMK3shfB8DxKy6+romVXm1K+/0yUmwsCM8xC5zJX0GsO8Uu63YFrW/Y2E6aYZfBHdIgfy4lYOFKC2o0ixirw9EO8HyfsDt47QYB970vLPjYZfKNAZBgltbV3KPsOHxmgiZbTbAl0cb9zRc+jV2voH9T5VhFiUWdfaLBY1HUAVAjU7h62uZoCsi1HWyAroEROKS96npTD+3/vHehYuEGBf1IxYnLwHnKeqsr/Bqoukf3OecOH2EkMTTFQ7E0k9s0keRypoHmeYIh2a3dRcaXXbNEgiAMfabhgUh1NNcYKSZhcIekN8WN8azXjbVIrfEakJ8S+PUf5fJdspN/3Ppm06fDLv7yLHnLc8Eae2COOR8vYKIo3Onu4doxNjisfpHujLXYaCGhWpINEGWF7fkeC1B7,iv:v9MxvhcHg+P00UnOWujSgVlMNcOnDm/gK8kNcN54E2E=,tag:XnPMzsDeGJMt9yv6GnFzqg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1ZPZFUxRTh0QjB6UDJ4\nOFd2c2lFejhHck5UdUxVbmFFbVRYNEJaSzJZCkNxbndVVThObDkxUmx2WW9ESzhh\na2o0LzFCbWdJVlRIV00rTVUwTktoek0KLS0tIC9qalVvZmpGQXZsV3RIYWRPbmRY\nam80NkRkT2l0ak8wV3pTSW9kSC9nZ3cKCH8eEMmku6WMliEDdAiW2Lk1jAGH9SoP\nWQ5Y6e90jEnp8XbGE7KYiG+jy5fHSc6Y5/YyMmi/b9bF9AhmRT6rdw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-11-28T10:50:22Z", + "mac": "ENC[AES256_GCM,data:lwkkp8YSzX8NM7E65kmPpF/q9Vn+FnCTeePLswDH6AVgndo/7QOy0GtJeXmiwt2YsA4AhRqxexWl2R8tjEysP35pyfQJ4vEkVi+V2tEnoLgftriNJzpoeVuRNXLxTPhPezOZgAcTDDL4yyqJXpcFj0PE1DPHKxazT28BoilaBYE=,iv:3dcAqkw/y6rAPL8wb5iewz37S4xszYFGHxvQiQ98sLk=,tag:SEmbptei6GrTXXyb7zwrIg==,type:str]", + "pgp": [ + { + "created_at": "2025-11-23T15:25:41Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+OOUtfNq9RBpm1/AbgTjenkcsRwzvyxMQ+VfT7AN/OjEH\naYaVnoU+IYoUJIw8u0zfFuJGyhcU862pMN+isngqNNZiEqY8C9rP4+l82Ks4qLU2\nanUk8HPcUc7bQC19zoSpl5MIeppV4SNC5OAph+YKVcj95l6OFw1EieptfhRFtTps\nwUKMf3p9FC/ndxjDG6Rxro7RQsETJgZ3DE3tRFPsBzMiC3sf+fsOzFgVyABqYZ1k\nDr+pkdBzGB3LXOyeDJWK38DxY/NEEfDgdSGLC6ntQ8eS9fbcNajT6FUwH2uwHJ4y\niWT6Q8z+XFjh3Z458tZhcnBGv6AKGeQ/QG9z+0DALKkkmij+vJqRAGjJxur6XM3K\nf0anUMXLeCINcLEa+Wv7inYJaPXu2NSmqtd1yYYXoAbVcnmzmgW9D2in+JnG5urQ\nCq0MEALyp1axExIaD3BHrFIaK9IX2PO1E/PLDng8AtGEx5Fn//OQX0Wt/yB2eEk2\n3uubPz1a1eMfRz1pK5CFOpJoZ8bmyg5n4g/5MgVgoxzA5nhjfMYD/HD8EG3ta8PI\nrQZhtlg7C+5nEsNevD4RPmzO7z1JdqJGMIWPPUJKZ7WozA5192aAw6HVKdtI4FH7\nXv4KY+GcmUvsKhpaWidW7vsY4MWSfn4m6Ybg2vqHsCUjj5fHVHF9BeKQecIcTTyF\nAgwDC9FRLmchgYQBD/4mfMCt5Ez8WITcru+pwlMHCeSUOxfftsydqdtt/gZ2oJTH\nhMMN2A26x3LXIfZ8IA6to6ldxQLfj3gDF8H+akHbRyndrA1V0U+EhoNZ/DYECkNB\nx8xtrJwsY47siT7sWlounXqnQr5E4nfSfDOsfSv04aUyyUsMqdjFRVY1/b5BCkoJ\nOptFJJjdosfmGfsHCGYvqj0XNycVQj3ioYEwOdDMlZ8riSyRTRPL9UAfgFeQ5swG\n1I1qWaF2+8KUk01wQwmwYLKs1JUnVOl6Uy4XpHbcZcCEIW3VVnwxFVCYcHwhDXWT\n4YGeGFfosuthL4AjJ2EmNKLq+sUxmD7ANS2E561+0BDAakQ3Z0eA/wpJ6VWQtfV0\n05tw6zS3BWwTi5fiiN4JvXqnj+8aT1PBtgxrCeDCjQ36KGViLzDsZOCMNYcr1EZI\nEFMTmaUDFWtoHQKi7ZU+oiRGGfZdnbh0icCsnBecePo4//LaCvBn6lA+vFBmuHLo\nZ2Idh5JSYFoEvhdX3j+sO0dOqzQdDEDy6+Y3S3T4vuSB3w5k1B5c3EDseKfLHUY/\nhgAIxO7rtELyhlFODMmEOzLWwOfxq/5ar/izxkdQS5HPNyVXT6SKikTGmI2z8Uw3\njyCaXv7ny5IVG/kR5aTP+DIHhichcpxJk7j+wZfZV/g8O2PWQpYXfxr36gSo49Je\nARJUBGaEVAhqoNfaHCUbvHCSbbI2yKY+sliX3p7MmcMdy/cvKyowQUuw/FYtdbGD\nHwCe6GZZzHWJZkX3nju3zhOy3gBDBDB1fbF4W0VjsjOwYjy/7MNMVH0eXli20Q==\n=qkvc\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc index 46aaa21..15fe6cb 100644 --- a/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc 
+++ b/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:RwbQZyqU0OjA/wD3o0HppPWFjfHNAHsGF8DzdJrXZLlE5RPUigHWtMLcX+2bNd0DpS3r7WHCSyiu+mmg6GWFiE6wAOBU1Q19BpQ8k3oTt8sP3N4/5PfzYcXlHRfwxmB9/pv8YCi5+cOU5ExWiQ+kC767UbgPIC2ugUD6tkP14KkhW0EGgEhF3elBfOGrSHGgjltgIFMYm/WKZjM=,iv:EBpghMcCGd/wow68V3zoDfzwywDGwmlqn3btNHrfxbk=,tag:jvSZyRIQ7BmQdKc6YEBIZQ==,type:str]", + "data": "ENC[AES256_GCM,data:trvZ+abrf69YhdmIQ1ekgDW82PtPnJkC5bfvh6lABb1BBkPWZk8Ds7Ug4CtulspitB/Spwd0ksGHSuEpk7Xg9V+5O9nm4/8JWWh7EF4qKWeRiwqj/dpfHTtTQPOzywHQFwLg6EWS3wSwUu60dZqJ8f36rvr+KAZc71jZayZmm3TIpeDaMsCAyO+TrfzeKM8AYN4uUVr30raquNjd2XzGgufE3FFCQdo4yhvzVGHGq0+wrZGr,iv:Yx4RkCBSkB4gK1dnMGudPwPP6moR4/7ovDZ77f1WL9o=,tag:9tTUU6ax2K2CqKjxHn2ZaQ==,type:str]", "sops": { "age": [ { @@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VHAxaWdiV1VlWEY2UktF\ncE96UHJnWGNpY0ZFUmZVSi9xSXpBMmI2S1VFCjB6cWtDTTJrNFhZRC9yUHRYdUpS\naytwOUJ4NTRxTmJmc0R0Wmh5dFVKbzQKLS0tIHQ2NUtqRjh6MVF6VHJFSHVFTFFD\nNWh0MDVjekFDUWZvTUZNK0Z4M0lJbVEKGZk1BvZsNTkIor5rTcpi2UE4W/BqNMWU\nIAe3irNN6p1si2zebrCEyiaJYuaVn7uYVwXcscJlNTfkr9szm8TjSA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-10T01:10:14Z", - "mac": "ENC[AES256_GCM,data:NSUKiOFGZyTb9U6e8cJoOJPAMfnk5iuw7pLK0JJzdwf4pI1aMSqjSDylQ5EqqbdFKZKRmaIjjHSpcJep6q0TRFA6wOznHWyv/UCECGwqZrS3EXgcQF5lZl7NVXPPSsMZgPReEVQcMtMivatPrfksEeCaam4WC/M+dqd2d2RrOXI=,iv:KnBNepDoaQeQ9MSrSN6dkrbS6YqkMYMpmXFd5v+oWoI=,tag:vPhsazyi8d3ugGoW8Z1Asg==,type:str]", + "lastmodified": "2025-11-23T18:19:50Z", + "mac": "ENC[AES256_GCM,data:IA71SHchjrqqU5tRlJ4Ozgx2rRxhKE42CsC7ygBLdAZcyZs+7iMpskYejIue8+JXto7zJxe38UbolnLOaTkHzSVGJkKMYQQQ/sXoDtaWlsYTN648ug4zAbgN1neifNnG+756abcg9NEuJRXBhXDzqmAecHkzv6U0HW9LHPO9W1s=,iv:dEiu6FnSqALXDOtpCZ3FiQ8D6GU0FjQAFA12SPaSIAY=,tag:/SXghsNzu8ceOQk/2w8e7w==,type:str]", "pgp": [ { "created_at": "2025-11-11T17:51:27Z", 
diff --git a/hosts/nixos/x86_64-linux/pyramid/default.nix b/hosts/nixos/x86_64-linux/pyramid/default.nix index 1d5b350..d5e9942 100644 --- a/hosts/nixos/x86_64-linux/pyramid/default.nix +++ b/hosts/nixos/x86_64-linux/pyramid/default.nix @@ -10,15 +10,16 @@ in ./disk-config.nix ./hardware-configuration.nix - ]; + "${self}/modules/nixos/optional/amdcpu.nix" + "${self}/modules/nixos/optional/amdgpu.nix" + "${self}/modules/nixos/optional/framework.nix" + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/hibernation.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + "${self}/modules/nixos/optional/work.nix" - swarselmodules = { - optional = { - amdcpu = true; - amdgpu = true; - hibernation = true; - }; - }; + ]; swarselsystems = { lowResolution = "1280x800"; @@ -67,9 +68,5 @@ in } // lib.optionalAttrs (!minimal) { swarselprofiles = { personal = true; - optionals = true; - work = true; - uni = true; - framework = true; }; } diff --git a/hosts/nixos/x86_64-linux/summers/default.nix b/hosts/nixos/x86_64-linux/summers/default.nix index ebc92ff..347a7d0 100644 --- a/hosts/nixos/x86_64-linux/summers/default.nix +++ b/hosts/nixos/x86_64-linux/summers/default.nix @@ -1,9 +1,11 @@ -{ inputs, lib, config, minimal, nodes, globals, ... }: +{ self, inputs, lib, config, minimal, nodes, globals, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix + + "${self}/modules/nixos/optional/microvm-host.nix" ]; boot = { @@ -30,9 +32,6 @@ }; swarselmodules = { - optional = { - microvmHost = true; - }; server = { diskEncryption = lib.mkForce false; # TODO: disable nfs = false; diff --git a/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix b/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix index a08c95c..7363993 100644 --- a/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix +++ b/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix 
@@ -1,5 +1,8 @@ -{ lib, minimal, ... }: +{ self, lib, minimal, ... }: { + imports = [ + "${self}/modules/nixos/optional/microvm-guest.nix" + ]; swarselsystems = { info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM"; @@ -11,12 +14,6 @@ server = false; }; - swarselmodules = { - optional = { - microvmGuest = false; - }; - }; - microvm = { mem = 1024 * 4; vcpu = 2; diff --git a/hosts/nixos/x86_64-linux/winters/default.nix b/hosts/nixos/x86_64-linux/winters/default.nix index b991df4..2fb27c2 100644 --- a/hosts/nixos/x86_64-linux/winters/default.nix +++ b/hosts/nixos/x86_64-linux/winters/default.nix @@ -25,13 +25,28 @@ isBtrfs = false; isLinux = true; isNixos = true; - server.garage = { - data_dir = [ - { + proxyHost = "moonside"; + server = { + restic = { + bucketName = "SwarselWinters"; + paths = [ + "/Vault/data/paperless" + "/Vault/data/koillection" + "/Vault/data/postgresql" + "/Vault/data/firefly-iii" + "/Vault/data/radicale" + "/Vault/data/matrix-synapse" + "/Vault/Eternor/Paperless" + "/Vault/Eternor/Bilder" + "/Vault/Eternor/Immich" + ]; + }; + garage = { + data_dir = { capacity = "200G"; - path = "/Vault/data/garage/main"; - } - ]; + path = "/Vault/data/garage/data"; + }; + }; }; }; diff --git a/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc index 0c94b81..1c519c5 100644 --- a/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc 
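Review bot: The removed block set `swarselmodules.optional.microvmGuest = false`, while the new `imports` entry pulls in `"${self}/modules/nixos/optional/microvm-guest.nix"` unconditionally, so guest1 may go from having this module switched off to having it applied. In the pyramid and summers hunks the flags replaced by imports were all `true`; this is the only one that was `false`. Whether the optional modules still gate themselves on an option is not visible in this diff, so please confirm the change is intended and, if it is, say so in the commit description. The attribute set of this `default.nix` continues beyond the hunk.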
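Review bot: The new `restic.paths` list in `winters/default.nix` includes `/Vault/data/postgresql` and other live service directories such as `/Vault/data/matrix-synapse`, and a file-level copy of a running PostgreSQL data directory is not guaranteed to restore to a consistent database. The restic module that consumes this list is not in the hunk, so it may already stop the services or snapshot the filesystem first; if it does not, back up a dump instead and record that here, e.g. `# postgresql: backed up from a pg_dump output directory, not the live data dir`. Separately, `garage.data_dir` changes from a list to a single attribute set and its `path` from `/Vault/data/garage/main` to `/Vault/data/garage/data`, so if Garage already holds data under the old path it has to be moved before this is deployed.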
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:dwoz+/DxlUbk05hmg/EwtmUkuD759sQ4iVbjHqcPpY9y2l/gzuPSJT2CMI2GbZs5SKhtlqoqZ5jHG3LwcQjgulmYHB2ThJR4ALi7usJm08q0UfMirnm6mPxjnhdhJXdO6YQ4LaRyP81txSphrl28eJwp2efz3rkUp8nAA3keL6MLZsBkdOXujOJhpreTr1mprWTA6U8aRWFBW7Y1vWvxAH3dtQ03XhYXM88pY6k+HKMvcXSsiDhvwnxG/+UYvSIHcanmboCJDYbgXZECnIGsar7ZOmbsZ3GM6X37qPJpxNmUjc4OoRaJJCcn6saH8kOJkx2rxMyzgMryuGdBq4R/m2JsvDoCPDh+gKO+luCI+hH/iduxnDgYjZAQ2gv3Q14MGNe9nvPWVfiRXXzqRf/8vDXjpnD2FFKmMSqiCvPJHRL52uwO3R2zYUrUfQgDN0Jk6nII8B64l+l69Q8Mod1J5nEMwoUOihhOsjaz6TMIUo6b0GKvxZG04Noyd7S+KuxZe1BsrxSnn7REt6qyQKqAHnMYVXpBmOxOpzhAhOrBIOz6LuqHPzmooQukuBDH/Ej2rC5hLBAFW7mvHIcTqo9sJFbnT3lYYtwLSlHBE3R26vud9pG8K2SuVdy2MWJMpLscR48V9r3nAbWsXKXLZALW38z33/UMfzTJ4g4L7Eo/4E5RXlihyL5/p8ISsoQdf6Uj718pVPTToBRBbIEMOSoJ4ntPoVxQbcpdrGO9zrqqPeZWQSE1JM8anGeZVqeMEVmZJxIbfquX8eMKJrkTroa/9HysuIi0O311F/kntoCtDOYCd3mYPcT8UnZHW3wuG7lqYRd15i/eaMhj3z1eTWoZ40R8w+2TaQB+TjyoLoGGzHvyktI5UkYiaMwa2FoFz40tz5YdZ8aODLQhwJc1mv3Fm0VLudXm7NUcfc4tr35EKbDg1wKtUS13VMSHjbi8ANbTB3nBvpBsPKtD12BTqaP4Q0HJipdnDbcwas/MoG27rFO5+q8+cb82IgjSpCeekrIgUY1wsnOyR3j3ByITp8jfmCRMF1vjKifKr0pgREF1dW59VQ33TvUyjfveQV0ixeV+vM9QueQsUVFzeqYTagsPSM/Czx/UNo8hyG1ze0p+acoOb257Q/Um8nkj3iNPAzx3WN6IdjJkpN1Ldp1SvU5qd3o3DDcSw2ztz8usBkH91BrBaV9MYGH/FSM/HL2CfTZoZodP1VqKFi1Hl3pHHyPEagvoJp1ayUZqmymKu4x1wFxC5FMUXjWUwWZZx1PIOwOtf8pLqVd6FySJlwG/MA4Bfxcnc+eSZ1EYcuHU3ziGbtGiB0eqWXA0fhUwIHHUFnV7H8NoRaJnbDS+kviFdTQKvoF3OmymEwhaq/Oak0ZQk8NLHC7KTQ6xVCb7bBtLpkBdXFE3YB5ltXvEYvSL02qX9i6oBf8GRi4Tl+k6zca6QVJzHG4hU8Nh3cxXBmF2IIY4JiKy0YlsVXCg7OHEWMEl4qT09dAsrDcKQC205YRF7XO8AXimENFQM2Nr/moadk2SF3D2DuJEE2HnSBk4H2tVlMNns32MpTFBZwbf3JOIHJV9CFyVSjhjuNjVjMK4vVdpnEzhmnaKjDqMnuRGNZmrl6p8gKM26KlWcYpIclQkPxy1pY1iFINxGH4YEGdAztpx1YhBkQNkQT492InrPA/PE5XFStP4WsKsLW72lhSVgH8D27S76yGihXyaVXXfd0VF5Fx/gUnbd7fph4Vi1VtFonhfK+ctHg==,iv:aQoC+pr7OoTyTT0FE4MbENfzfJ0Beq1Lsz9G1jnFQPs=,tag:JuYmfDP2foCVDH8CwfL4fQ==,type:str]", + "data": 
"ENC[AES256_GCM,data:vevuVfscWMiD3Lzc/bAS+jAqpzgkfBfcFAB7ChacGaj/PJfoi5AzpmlkDhm11GBcvUXcveMnbLbQexaF3dgPVwvbD9xr6e+mcMJjIry5c5a5wOcZkyGxXgPuPg415An9AQrO56XeTTSaUL+ScQB3kv6eIyzCtxZag7pRLnOgwFuGYqfwcDIcX8QHCc0ijf3XLPaM6dEgiFYDeOMFhOF4+Z8/d9eHoEQ3tOkWTmkoVqZFz80ZicEraliWnWMvCBhRLKo3gb7KFRce/AAEZQaS3CZOJz7v7var4Ds1+PZnU282aSU/xsY5Dq1vOrsZuoYqXA5WrdC9HaXAYLGaGFCzLwRTAfJvigV4PNwOePskCSa/qRlOGpyO1t1B01Y4pghdERNlS+1ltEz8nKVfIi4DR6dKy8NIhLl3huJQy6KHsLrjDHnmxeypo2sJ+NeyuNTKqwJo9x3krcIBt8SaUoFIDkBgshcDCp2eBcKvRIOFIa8r3rsxQ7gwG3YV7hS+NR0nwsUXodGXVzrdehDNddr+mI4GEMl8TTP9sdVSaPhKpN+QB3GGGoYwX2HJYXdY9CKIIlYcgFiDfPz9x4HqGnGfSpeB6QgTK40pmRmG6jQyIFZiW+hQBS4XHtKQ8CJx4zUNpiUArYzustw6riPkfYDex21SzsUIjpRYxB8uGHFvJlJVgr4FkQQg6frebKf2EjIhjc9Mjdw+g7cGb5+WavUfy+fIXztYwRI0l8aftosfCMdGsSChntKCymz0kpGREx00HF5blA6oyifHaVxRYoqraxCwbe+p1RTFlGonaYtb0gBWpdrQU+24HVQU1rMhc8HFHPjcWofE/ymEPkhRzkxIXMmNQFi/18KvZWoy2qOVtPmsEc4mOVRtC6w9AZZpcxI9CXhhuyDZlJ/k4bJzkZFrcNW8I7OjEXTNmsYkzJDSVzD3Od/1zhubU8LYZBBXuejzeH0TXNsXbS6tQXCJ2D7Gzrcx8LpXL/a1IjAUmIXguVtPT9nGallXO9jHV9g7GGjF7weTaEMb/eNSuLgQOpq8vziN1XLWhVo0WEQ8zU97KSVJS5moaTEPAEUlHC4PfM3AQHpWMW4EL7FZu5r1yw+EDOUA4k9u9HIVbn5XVZbWb18aVVkYZoulLIVU7I74LJlYE/BSYhGzp6Ff1k6qzPNTbVgXEtiNuLQKa//8gHoQUCsu019MEVAU4LhZ+nt4genG4qFUTuBujTriO4Vhdel9Qsoq95FLXDzdwRInUzfUhbLli/rKv+LDW7wIdh/peWslq5XkWBeMqJC97OSGzM/MaWIzzMY68FjCJfYX6I2nskFD1xZiECKukn0LV/wqQhrkmUuyG6RsZGAZuOoStWJMs8v+x+ZIMHzg1jItXO2ozt8P73EvdgOExJi5/aSf8sQwX7H5lesDtnGYU5+xV9k6R8icsIqG/TLuFAiqK1hmFQv7H/9pFkRq1LUXFmJXoKDfDByG6xUjMeyYOwT6yLShhH3MMWvh3yjflwzGo7uTU1BTpNbKT0LEh3Q9C1txZ0uKROhWKu70iH+kHRFVlhUbyYpZovu3BPB3WDhLiLuXIOss5+dVv5RBSYUtxpzp7Oq7mbMRIGCY1hOVCiCcUEvcXXiQ8JBCklWUEEJ15BAIewetgDiVci4USgZZYrALplmSFkKTZbFjYEIrf3ghKFXfVTkMixRmzTHoxKpYXzvB3TZnkmAXVhvJbGEiHsAaHpcfycAXygQAWsIFYzYSDrqYXmRhwEy/A5cqy8dYx+UA3bBAi4v0QPMoro3UtdI2ipM=,iv:+QSRj/TyZl6xbwLDbuwb83RkBiLUi85VYcpss8Jn8fk=,tag:uPqu0GaUGmChLweOGN10yQ==,type:str]", "sops": { "age": [ { 
@@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-10T01:10:47Z", - "mac": "ENC[AES256_GCM,data:2gKEGIYctY7g7mL7lay1T7XmxGdsRzz/dIC1p98zDTnIoBrq5mf5CV/FjAGi5jDsmEMoCSUTWFaT/0Wq3nmRC+OyjL3/Hsit+HJDBVbyf/mY+zs2UQd3KVYoxmpDeAJ1E9s8ygxEu5lJGzacWbJ9BggKUUnywXYfNg0fS7ntjUw=,iv:5xedOuJ3VFm4pEjXyVBM9Iwe5pK1dYP4nTRkk7exrvo=,tag:sEVygcLMqkI9CWQDjoaEqQ==,type:str]", + "lastmodified": "2025-11-23T18:03:21Z", + "mac": "ENC[AES256_GCM,data:8KSKQH7qF2vLnR17a3XhYGAqYq4YNgf7XEkpeNVHD39Aj8MzdlsGPr9vI2o/N1yTpQyJrPW1ntKVvI9rHwcJhm5nyaQiHVwKHWcxcn7li6AeztV4HUqwKxQwf3MHfZ4fhWJrI7NYAuMAbmK6epa/ROGsIGnT6vQh3SImcn+Kkcg=,iv:dT8dBuSsYRxGe93/9ie/6/X4Ru5NDycz2pgMVI83wbc=,tag:r1mPjG/JOQsRDzCktIlisQ==,type:str]", "pgp": [ { "created_at": "2025-08-24T23:36:17Z", diff --git a/index.html b/index.html index 73a386f..ad5d0e2 100644 --- a/index.html +++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + SwarselSystems: NixOS + Emacs Configurationo @@ -209,8 +209,8 @@
  • 1.4. Hosts
  • 1.5. Programs
  • 1.6. Services
  • -
  • 1.7. Manual steps when setting up a new machine
  • -
  • 1.8. Current issues
  • +
  • 1.7. Manual steps when setting up a new machine
  • +
  • 1.8. Current issues
  • 2. flake.nix @@ -229,7 +229,7 @@
  • 2.7. Topology
  • 2.8. Devshell (checks)
  • 2.9. Templates
  • -
  • 2.10. Formatter
  • +
  • 2.10. Formatter (treefmt-nix)
  • 2.11. TODO Modules
  • 2.12. Apps
  • 2.13. Overlays
  • @@ -269,28 +269,28 @@
  • 3.1.2.3.2. hardware-configuration
  • -
  • 3.1.2.4. Summers (Server: ASUS Z10PA-D8) +
  • 3.1.2.4. Summers (Server: ASUS Z10PA-D8)
  • -
  • 3.1.2.5. Hintbooth (Router: HUNSN RM02) +
  • 3.1.2.5. Hintbooth (Router: HUNSN RM02)
  • 3.1.2.6. machpizza (MacBook Pro)
  • 3.1.2.7. Magicant (Phone)
  • -
  • 3.1.2.8. Treehouse (DGX Spark)
  • +
  • 3.1.2.8. Treehouse (DGX Spark)
  • 3.1.3. Virtual hosts @@ -302,6 +302,27 @@
  • 3.1.3.1.3. disko
  • +
  • 3.1.3.2. Belchsfactory (OCI) + +
  • +
  • 3.1.3.3. Milkywell (OCI) + +
  • +
  • 3.1.3.4. Eagleland (Hetzner) + +
  • 3.1.4. Utility hosts @@ -313,12 +334,13 @@
  • 3.1.4.2. TODO Drugstore (ISO installer config)
  • -
  • 3.1.4.3. Hotel (Demo Physical/VM) +
  • 3.1.4.3. Brick Road (kexec image)
  • +
  • 3.1.4.4. Hotel (Demo Physical/VM)
  • @@ -406,9 +428,9 @@
  • 3.2.3.4. nfs/samba (smb)
  • 3.2.3.5. NGINX
  • 3.2.3.6. ssh
  • -
  • 3.2.3.7. Network settings
  • -
  • 3.2.3.8. Disk encryption
  • -
  • 3.2.3.9. Router
  • +
  • 3.2.3.7. Network settings
  • +
  • 3.2.3.8. Disk encryption
  • +
  • 3.2.3.9. Router
  • 3.2.3.10. kavita
  • 3.2.3.11. jellyfin
  • 3.2.3.12. navidrome
  • @@ -441,8 +463,13 @@
  • 3.2.3.39. slink
  • 3.2.3.40. Snipe-IT
  • 3.2.3.41. Homebox
  • -
  • 3.2.3.42. OPKSSH
  • -
  • 3.2.3.43. Garage
  • +
  • 3.2.3.42. OPKSSH
  • +
  • 3.2.3.43. Garage
  • +
  • 3.2.3.44. nsd (dns)
  • +
  • 3.2.3.45. nsd (dns) - site1
  • +
  • 3.2.3.46. Minecraft
  • +
  • 3.2.3.47. Mailserver
  • +
  • 3.2.3.48. Attic (nix binary cache)
  • 3.2.4. Darwin @@ -462,20 +489,20 @@
  • 3.2.5.8. Hibernation
  • 3.2.5.9. BTRFS
  • 3.2.5.10. work
  • -
  • 3.2.5.11. microvm-host
  • -
  • 3.2.5.12. microvm-guest
  • +
  • 3.2.5.11. microvm-host
  • +
  • 3.2.5.12. microvm-guest
  • 3.3. Home-manager
  • 4.4.2. Nix Mode
  • @@ -813,7 +843,7 @@
  • 4.4.40. Calendar
  • @@ -828,8 +858,8 @@
  • 5. Appendix A: Noweb-Ref blocks
  • 6. Appendix B: Supplementary Files @@ -881,7 +911,7 @@

    -This file has 104733 words spanning 27960 lines and was last revised on 2025-11-19 15:22:29 +0100. +This file has 113366 words spanning 30228 lines and was last revised on 2025-11-27 16:49:14 +0100.

    @@ -950,7 +980,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

    -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-11-19 15:22:29 +0100) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-11-27 16:49:14 +0100)

  • @@ -962,7 +992,7 @@ system-configuration-options
    ---prefix=/nix/store/3ncyph43ppsx6dnx46faxr5dmv9g8ym7-emacs-git-pgtk-20251013.0 --disable-build-details --with-modules --with-pgtk --disable-gc-mark-trace --with-compress-install --with-toolkit-scroll-bars --with-native-compilation --without-imagemagick --with-mailutils --without-small-ja-dic --with-tree-sitter --without-xinput2 --without-xwidgets --with-dbus --with-selinux
    +--prefix=/nix/store/al2a1g9wz4w7ixx0d7ain2myhchxiv74-emacs-git-pgtk-20251013.0 --disable-build-details --with-modules --with-pgtk --disable-gc-mark-trace --with-compress-install --with-toolkit-scroll-bars --with-native-compilation --without-imagemagick --with-mailutils --without-small-ja-dic --with-tree-sitter --without-xinput2 --without-xwidgets --with-dbus --with-selinux
     
    @@ -1184,24 +1214,26 @@ Here I give a brief overview over the hostmachines that I am using. This is held

    -
    | Name               | Hardware                                            | Use                                                  |
    -|--------------------|-----------------------------------------------------|------------------------------------------------------|
    -|💻 **pyramid**      | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                          |
    -|💻 **bakery**       | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                      |
    -|💻 **machpizza**    | MacBook Pro 2016                                    | MacOS reference and build sandbox                    |
    -|🏠 **treehouse**    | NVIDIA DGX Spark                                    | Workstation, AI playground and home-manager reference|
    -|🖥️ **winters**      | ASRock J4105-ITX, 32GB RAM                          | Secondary homeserver and data storgae                |
    -|🖥️ **summers**      | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Main homeserver running microvms, data storage       |
    -|🖥️ **hintbooth**    | HUNSN RM02, 8GB RAM                                 | Router                                               |
    -|☁️ **milkywell**    | Oracle Cloud: VM.Standard.E2.1.Micro                | Server for lightweight synchronization tasks         |
    -|☁️ **moonside**     | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services  |
    -|☁️ **belchsfactory**| Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Hydra builder and nix binary cache                   |
    -|☁️ **monkeycave**   | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Gaming server                                        |
    -|☁️ **eagleland**    | Hetzner Cloud: CX23                                 | Mail server                                          |
    -|📱 **magicant**     | Samsung Galaxy Z Flip 6                             | Phone                                                |
    -|💿 **drugstore**    | -                                                   | ISO installer configuration                          |
    -|❔ **chaotheatre**  | -                                                   | Demo config for checking out my configurtion         |
    -|❔ **toto**         | -                                                   | Helper configuration for bootstrapping a new system  |
    +
    | Name                | Hardware                                            | Use                                                 |
    +|---------------------|-----------------------------------------------------|-----------------------------------------------------|
    +|💻 **pyramid**       | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                         |
    +|💻 **bakery**        | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                     |
    +|💻 **machpizza**     | MacBook Pro 2016                                    | MacOS reference and build sandbox                   |
    +|🏠 **treehouse**     | NVIDIA DGX Spark                                    | AI Workstation, remote builder, hm-only-reference   |
    +|🖥️ **summers**       | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Homeserver (microvms), remote builder, datastorage  |
    +|🖥️ **winters**       | ASRock J4105-ITX, 32GB RAM                          | Homeserver (IoT server in spe)                      |
    +|🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router                                              |
    +|☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative dns server                            |
    +|☁️ **liliputsteps**  | Cloud Server: 1 vCPUs, 8GB RAM                      | SSH bastion                                         |
    +|☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM                      | Service proxy                                       |
    +|☁️ **eagleland**     | Cloud Server: 2 vCPUs, 8GB RAM                      | Mailserver                                          |
    +|☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Gaming server, syncthing + lightweight services     |
    +|☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM                     | Hydra builder and nix binarycache                   |
    +|📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                               |
    +|💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts     |
    +|💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines |
    +|❔ **chaotheatre**   | -                                                   | Demo config for checking out this configuration     |
    +|❔ **toto**          | -                                                   | Helper configuration for testing purposes           |
     
    @@ -1258,9 +1290,9 @@ Here I give a brief overview over the hostmachines that I am using. This is held -
    -

    1.7. Manual steps when setting up a new machine

    -
    +
    +

    1.7. Manual steps when setting up a new machine

    +
    These steps are required when setting up a normal NixOS host:
     
    @@ -1335,9 +1367,9 @@ If the new machine is home-manager only, perform these steps:
       3) `home-manager --extra-experimental-features 'nix-command flakes' switch --flake .#$(hostname) --show-trace`
     
    -
    -

    1.8. Current issues

    -
    +
    +

    1.8. Current issues

    +
    Currently, these adaptions are made to the configuration to account for bugs in upstream repos:
     
    @@ -1519,100 +1551,57 @@ This provides devshell support for flake-parts
       };
       inputs = {
         nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    +    smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1";
         nixpkgs-dev.url = "github:Swarsel/nixpkgs/main";
         nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version
         nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
         nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05";
         nixpkgs-stable24_11.url = "github:NixOS/nixpkgs/nixos-24.11";
         nixpkgs-stable25_05.url = "github:NixOS/nixpkgs/nixos-25.05";
    -    systems.url = "github:nix-systems/default";
    -    swarsel-modules.url = "github:Swarsel/swarsel-modules/main";
    -    swarsel-nix.url = "github:Swarsel/swarsel-nix/main";
    +
         home-manager = {
           # url = "github:nix-community/home-manager";
           url = "github:Swarsel/home-manager/main";
           inputs.nixpkgs.follows = "nixpkgs";
         };
    -    swarsel.url = "github:Swarsel/.dotfiles";
    -    emacs-overlay = {
    -      # url = "github:nix-community/emacs-overlay";
    -      url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D";
    +    nix-index-database = {
    +      url = "github:nix-community/nix-index-database";
           inputs.nixpkgs.follows = "nixpkgs";
         };
    +
    +    # emacs-overlay.url = "github:nix-community/emacs-overlay";
    +    emacs-overlay.url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D";
    +    swarsel-nix.url = "github:Swarsel/swarsel-nix/main";
    +    systems.url = "github:nix-systems/default";
         nur.url = "github:nix-community/NUR";
         nixgl.url = "github:guibou/nixGL";
         stylix.url = "github:danth/stylix";
         sops-nix.url = "github:Mic92/sops-nix";
         lanzaboote.url = "github:nix-community/lanzaboote";
    -    nix-on-droid = {
    -      url = "github:nix-community/nix-on-droid/release-24.05";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    -    nixos-generators = {
    -      url = "github:nix-community/nixos-generators";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    -    nixos-hardware = {
    -      url = "github:NixOS/nixos-hardware/master";
    -    };
    -    nswitch-rcm-nix = {
    -      url = "github:Swarsel/nswitch-rcm-nix";
    -    };
    -    nix-index-database = {
    -      url = "github:nix-community/nix-index-database";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    -    disko = {
    -      url = "github:nix-community/disko";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    +    nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05";
    +    nixos-generators.url = "github:nix-community/nixos-generators";
    +    nixos-images.url = "github:Swarsel/nixos-images/main";
    +    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    +    nswitch-rcm-nix.url = "github:Swarsel/nswitch-rcm-nix";
    +    disko.url = "github:nix-community/disko";
         impermanence.url = "github:nix-community/impermanence";
    -    zjstatus = {
    -      url = "github:dj95/zjstatus";
    -    };
    -    # has been upstreamed
    -    # fw-fanctrl = {
    -    #   # url = "github:TamtamHero/fw-fanctrl/packaging/nix";
    -    #   url = "github:Swarsel/fw-fanctrl/packaging/nix";
    -    #   inputs.nixpkgs.follows = "nixpkgs";
    -    # };
    -    nix-darwin = {
    -      url = "github:lnl7/nix-darwin";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    -    pre-commit-hooks = {
    -      url = "github:cachix/git-hooks.nix";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    -    vbc-nix = {
    -      url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    +    zjstatus.url = "github:dj95/zjstatus";
    +    nix-darwin.url = "github:lnl7/nix-darwin";
    +    pre-commit-hooks.url = "github:cachix/git-hooks.nix";
    +    vbc-nix.url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main";
         nix-topology.url = "github:oddlama/nix-topology";
         flake-parts.url = "github:hercules-ci/flake-parts";
    -    devshell = {
    -      url = "github:numtide/devshell";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    -    spicetify-nix = {
    -      url = "github:Gerg-l/spicetify-nix";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    -    niri-flake = {
    -      url = "github:sodiboo/niri-flake";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    -    nixos-extra-modules = {
    -      url = "github:oddlama/nixos-extra-modules";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    -    microvm = {
    -      url = "github:astro/microvm.nix";
    -      inputs.nixpkgs.follows = "nixpkgs";
    -    };
    +    devshell.url = "github:numtide/devshell";
    +    spicetify-nix.url = "github:Gerg-l/spicetify-nix";
    +    niri-flake.url = "github:sodiboo/niri-flake";
    +    nixos-extra-modules.url = "github:oddlama/nixos-extra-modules/main";
    +    microvm.url = "github:astro/microvm.nix";
         treefmt-nix.url = "github:numtide/treefmt-nix";
    -
    +    dns.url = "github:kirelagin/dns.nix";
    +    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
    +    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
       };
    +
       outputs =
         inputs:
         inputs.flake-parts.lib.mkFlake { inherit inputs; } {
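Review bot: Collapsing the inputs to the `foo.url = …` form drops `inputs.nixpkgs.follows = "nixpkgs"` from emacs-overlay, nix-on-droid, nixos-generators, disko, nix-darwin, pre-commit-hooks, vbc-nix, devshell, spicetify-nix, niri-flake, nixos-extra-modules and microvm. Each of those now locks its own nixpkgs revision, so a nixpkgs bump that carries a security fix no longer reaches anything they build from their own copy, and flake.lock gains that many more nodes to review. If this is deliberate (for example to hit upstream binary caches), say so in a comment above the list; otherwise keep the short form and add `disko.inputs.nixpkgs.follows = "nixpkgs";` next to each url. The new inputs `dns`, `nix-minecraft` and `simple-nixos-mailserver` follow a moving branch and rely on flake.lock alone for pinning, unlike `smallpkgs`, which carries a rev and narHash.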
    @@ -1829,7 +1818,7 @@ let
                 ) 4;
               subnetMask = lib.concatStringsSep "." (map toString octets);
             in
    -          subnetMask;
    +        subnetMask;
     
           mkIfElseList = p: yes: no: lib.mkMerge [
             (lib.mkIf p yes)
    @@ -1838,6 +1827,23 @@ let
     
           mkIfElse = p: yes: no: if p then yes else no;
     
    +      getSubDomain = domain:
    +        let
    +          parts = builtins.split "\\." domain;
    +          domainParts = builtins.filter (x: builtins.isString x && x != "") parts;
    +        in
    +        if builtins.length domainParts > 0
    +        then builtins.head domainParts
    +        else "";
    +
    +      getBaseDomain = domain:
    +        let
    +          parts = builtins.split "\\." domain;
    +          domainParts = builtins.filter (x: builtins.isString x && x != "") parts;
    +          baseParts = builtins.tail domainParts;
    +        in
    +        builtins.concatStringsSep "." baseParts;
    +
           pkgsFor = lib.genAttrs (import systems) (system:
             import inputs.nixpkgs {
               inherit system;
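Review bot: `getBaseDomain` calls `builtins.tail domainParts` without a guard, so an empty string (or one made only of dots) aborts evaluation, while `getSubDomain` just above it handles the same input and returns `""`. Guard it the same way: `baseParts = if domainParts == [ ] then [ ] else builtins.tail domainParts;`. Both helpers also treat the first label as the subdomain unconditionally, so a bare two-label name such as `example.com` yields sub `example` and base `com`. A one-line comment stating that callers must pass a name that really has a subdomain label would prevent that misuse. The enclosing `let` starts and ends outside this hunk.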
    @@ -1969,7 +1975,7 @@ Lastly, in order make this actually available to my configurations, i use the 
     
    # adapted from https://github.com/oddlama/nix-config/blob/main/nix/globals.nix
    -{ self, inputs, ... }:
    +{ inputs, ... }:
     {
       flake = { config, lib, ... }:
         {
    @@ -2085,41 +2091,48 @@ The rest of the outputs either define or help define the actual configurations:
               };
               modules = [
                 inputs.disko.nixosModules.disko
    -            inputs.sops-nix.nixosModules.sops
    +            inputs.home-manager.nixosModules.home-manager
                 inputs.impermanence.nixosModules.impermanence
                 inputs.lanzaboote.nixosModules.lanzaboote
    -            inputs.nix-topology.nixosModules.default
    -            inputs.home-manager.nixosModules.home-manager
    -            inputs.stylix.nixosModules.stylix
    -            inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
    -            # inputs.swarsel-modules.nixosModules.default
    -            inputs.swarsel-nix.nixosModules.default
    -            inputs.niri-flake.nixosModules.niri
                 inputs.microvm.nixosModules.host
                 inputs.microvm.nixosModules.microvm
    +            inputs.niri-flake.nixosModules.niri
    +            inputs.nix-index-database.nixosModules.nix-index
    +            inputs.nix-minecraft.nixosModules.minecraft-servers
    +            inputs.nix-topology.nixosModules.default
    +            inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
    +            inputs.simple-nixos-mailserver.nixosModules.default
    +            inputs.sops-nix.nixosModules.sops
    +            inputs.stylix.nixosModules.stylix
    +            inputs.swarsel-nix.nixosModules.default
                 (inputs.nixos-extra-modules + "/modules/guests")
    +            (inputs.nixos-extra-modules + "/modules/interface-naming.nix")
                 "${self}/hosts/nixos/${arch}/${configName}"
                 "${self}/profiles/nixos"
                 "${self}/modules/nixos"
                 {
    +              _module.args.dns = inputs.dns;
     
                   microvm.guest.enable = lib.mkDefault false;
     
    +              networking.hostName = lib.swarselsystems.mkStrong configName;
    +
                   node = {
                     name = lib.mkForce configName;
                     secretsDir = ../hosts/nixos/${arch}/${configName}/secrets;
    +                lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true);
                   };
     
                   swarselprofiles = {
    -                minimal = lib.mkIf minimal (lib.mkDefault true);
    +                minimal = lib.mkIf minimal (lib.swarselsystems.mkStrong true);
                   };
     
                   swarselmodules.server = {
    -                ssh = lib.mkIf (!minimal) (lib.mkDefault true);
    +                ssh = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true);
                   };
     
                   swarselsystems = {
    -                mainUser = lib.mkDefault "swarsel";
    +                mainUser = lib.swarselsystems.mkStrong "swarsel";
                   };
                 }
               ];
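Review bot: The priority that `lib.swarselsystems.mkStrong` maps to is not visible here, and the hosts in this same commit override `node.lockFromBootstrapping` in two different ways: `lib.mkForce false` for belchsfactory and a bare `false` for milkywell. If mkStrong ranks above a plain definition, the milkywell line is silently discarded and the lock stays on. If it ranks equal, evaluation fails with a conflict. Add a comment above the `node` block stating the intended ordering, e.g. `# mkStrong: wins over mkDefault, loses to mkForce; hosts opt out with mkForce` (adjust to the real priority), and make the two host overrides use the same form.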
    @@ -2714,7 +2727,7 @@ Otherwise, I define the function mkTemplates here which builds a na
     
    -

    2.10. Formatter

    +

    2.10. Formatter (treefmt-nix)

    Defines a formatter that can be called using nix flake format. While a nice utility, I have stronger tools to perform this job. @@ -2740,6 +2753,21 @@ Defines a formatter that can be called using nix flake format. Whil }; deadnix.enable = true; statix.enable = true; + shfmt = { + enable = true; + indent_size = 4; + simplify = true; + # needed to replicate what my Emacs shfmt does + # there is no builtin option for space-redirects + package = pkgs.symlinkJoin { + name = "shfmt"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ pkgs.shfmt ]; + postBuild = '' + wrapProgram $out/bin/shfmt --append-flags '-sr' + ''; + }; + }; shellcheck.enable = true; }; settings.formatter.shellcheck.options = [ @@ -2965,7 +2993,9 @@ in // (inputs.nur.overlays.default final prev) // (inputs.emacs-overlay.overlay final prev) // (inputs.nix-topology.overlays.default final prev) + // (inputs.nix-index-database.overlays.nix-index final prev) // (inputs.nixgl.overlay final prev) + // (inputs.nix-minecraft.overlay final prev) // (inputs.nixos-extra-modules.overlays.default final prev) ) (modifications final prev); 
@@ -2996,19 +3026,32 @@ This is an improvement to what I did earlier, where I did not use nixos-ge { perSystem = { pkgs, system, ... }: { - # nix build --print-out-paths --no-link .#images.<target-system>.live-iso - packages.live-iso = inputs.nixos-generators.nixosGenerate { - inherit pkgs; - specialArgs = { inherit self; }; - modules = [ - inputs.home-manager.nixosModules.home-manager - "${self}/install/installer-config.nix" - ]; - format = + packages = { + # nix build --print-out-paths --no-link .#live-iso + live-iso = inputs.nixos-generators.nixosGenerate { + inherit pkgs; + specialArgs = { inherit self; }; + modules = [ + inputs.home-manager.nixosModules.home-manager + "${self}/install/installer-config.nix" + ]; + format = + { + x86_64-linux = "install-iso"; + aarch64-linux = "sd-aarch64-installer"; + }.${system}; + }; + + # nix build --print-out-paths --no-link .#pnap-kexec --system <system> + swarsel-kexec = (inputs.smallpkgs.legacyPackages.${system}.nixos [ { - x86_64-linux = "install-iso"; - aarch64-linux = "sd-aarch64-installer"; - }.${system}; + imports = [ "${self}/install/kexec.nix" ]; + _file = __curPos.file; + system.kexec-installer.name = "swarsel-kexec"; + } + inputs.nixos-images.nixosModules.kexec-installer + ]).config.system.build.kexecInstallerTarball; + }; }; } @@ -3803,7 +3846,7 @@ This is my main server that I run at home. It handles most tasks that require bi
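Review bot: The build hint above the new kexec package names a different attribute from the one defined: the comment says `.#pnap-kexec` but the package is `swarsel-kexec`, so the documented command will fail with a missing-attribute error. Change it to `# nix build --print-out-paths --no-link .#swarsel-kexec --system <system>`. It would also help to say in that comment why the image is evaluated from the rev-pinned `smallpkgs` input rather than `nixpkgs`, since the tarball will not pick up nixpkgs updates until that pin is moved by hand.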

    3.1.2.3.1. Main Configuration
    -
    { lib, minimal, ... }:
    +
    { lib, config, minimal, ... }:
     {
     
       imports = [
    @@ -3830,13 +3873,29 @@ This is my main server that I run at home. It handles most tasks that require bi
         isBtrfs = false;
         isLinux = true;
         isNixos = true;
    -    server.garage = {
    -      data_dir = [
    -        {
    +    proxyHost = "moonside";
    +    server = {
    +      inherit (config.repo.secrets.local.networking) localNetwork;
    +      restic = {
    +        bucketName = "SwarselWinters";
    +        paths = [
    +          "/Vault/data/paperless"
    +          "/Vault/data/koillection"
    +          "/Vault/data/postgresql"
    +          "/Vault/data/firefly-iii"
    +          "/Vault/data/radicale"
    +          "/Vault/data/matrix-synapse"
    +          "/Vault/Eternor/Paperless"
    +          "/Vault/Eternor/Bilder"
    +          "/Vault/Eternor/Immich"
    +        ];
    +      };
    +      garage = {
    +        data_dir = {
               capacity = "200G";
    -          path = "/Vault/data/garage/main";
    -        }
    -      ];
    +          path = "/Vault/data/garage/data";
    +        };
    +      };
         };
       };
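Review bot: The new `restic.paths` list includes `/Vault/data/postgresql`, which looks like the live PostgreSQL data directory; a file-level copy taken while the server is running is not guaranteed to restore. Unless the restic module (not visible here) stops the database or snapshots the volume first, back up a dump instead, e.g. enable `services.postgresqlBackup` and list its output directory in `paths`. The same hunk moves garage's `data_dir.path` from `/Vault/data/garage/main` to `/Vault/data/garage/data`. Data under the old path presumably has to be moved by hand before the service starts, which is worth a comment next to the path.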
     
    @@ -3940,13 +3999,13 @@ This is my main server that I run at home. It handles most tasks that require bi
     
    -
    -
    3.1.2.4. Summers (Server: ASUS Z10PA-D8)
    -
    +
    +
    3.1.2.4. Summers (Server: ASUS Z10PA-D8)
    +
    -
    -
    3.1.2.4.1. Main Configuration
    -
    +
    +
    3.1.2.4.1. Main Configuration
    +
    { inputs, lib, config, minimal, nodes, globals, ... }:
     {
    @@ -4053,9 +4112,9 @@ This is my main server that I run at home. It handles most tasks that require bi
     
    -
    -
    3.1.2.4.2. hardware-configuration
    -
    +
    +
    3.1.2.4.2. hardware-configuration
    +
    { config, lib, modulesPath, ... }:
     
    @@ -4089,9 +4148,9 @@ This is my main server that I run at home. It handles most tasks that require bi
     
    -
    -
    3.1.2.4.3. disko
    -
    +
    +
    3.1.2.4.3. disko
    +
    { lib, config, ... }:
     let
    @@ -4215,13 +4274,13 @@ in
     
    -
    -
    3.1.2.4.4. Guests
    -
    +
    +
    3.1.2.4.4. Guests
    +
    -
    -3.1.2.4.4.1. Guest 1 -
    +
    +3.1.2.4.4.1. Guest 1 +
    { lib, minimal, ... }:
     {
    @@ -4255,15 +4314,15 @@ in
     
    -
    -
    3.1.2.5. Hintbooth (Router: HUNSN RM02)
    -
    +
    +
    3.1.2.5. Hintbooth (Router: HUNSN RM02)
    +
    -
    -
    3.1.2.5.1. Main Configuration
    -
    +
    +
    3.1.2.5.1. Main Configuration
    +
    -
    { lib, minimal,  ... }:
    +
    { lib, config, minimal,  ... }:
     {
     
       imports = [
    @@ -4283,6 +4342,9 @@ in
         rootDisk = "/dev/sda";
         swapSize = "8G";
         networkKernelModules = [ "igb" ];
    +    server = {
    +      inherit (config.repo.secrets.local.networking) localNetwork;
    +    };
       };
     
     } // lib.optionalAttrs (!minimal) {
    @@ -4304,9 +4366,9 @@ in
     
    -
    -
    3.1.2.5.2. hardware-configuration
    -
    +
    +
    3.1.2.5.2. hardware-configuration
    +
    { config, lib, modulesPath, ... }:
     
    @@ -4336,9 +4398,9 @@ in
     
    -
    -
    3.1.2.5.3. disko
    -
    +
    +
    3.1.2.5.3. disko
    +
    { lib, config, ... }:
     let
    @@ -4557,11 +4619,11 @@ My phone. I use only a minimal config for remote debugging here.
     
    -
    -
    3.1.2.8. Treehouse (DGX Spark)
    -
    +
    +
    3.1.2.8. Treehouse (DGX Spark)
    +
    -
    { self, ... }:
    +
    { self, pkgs, ... }:
     {
     
       imports = [
    @@ -4579,11 +4641,15 @@ My phone. I use only a minimal config for remote debugging here.
         };
       };
     
    +  home.packages = with pkgs; [
    +    attic-client
    +  ];
       # programs.zsh.initContent = "
       #   export GPG_TTY=\"$(tty)\"
       # export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
       # gpgconf --launch gpg-agent
       #       ";
    +  swarselmodules.pii = true;
     
       swarselsystems = {
         isLaptop = false;
    @@ -4642,7 +4708,6 @@ in
     
       sops = {
         age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
    -    # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
         secrets = {
           wireguard-private-key = { inherit sopsFile; };
           wireguard-home-preshared-key = { inherit sopsFile; };
    @@ -4769,9 +4834,18 @@ in
         isBtrfs = true;
         isNixos = true;
         isLinux = true;
    +    proxyHost = "moonside";
    +    server = {
    +      inherit (config.repo.secrets.local.networking) localNetwork;
    +      restic = {
    +        bucketName = "SwarselMoonside";
    +        paths = [
    +          "/persist/opt/minecraft"
    +        ];
    +      };
    +    };
         syncthing = {
           serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
    -      serviceIP = "localhost";
         };
       };
     } // lib.optionalAttrs (!minimal) {
    @@ -4786,6 +4860,8 @@ in
         shlink = true;
         slink = true;
         syncthing = true;
    +    minecraft = true;
    +    restic = true;
         diskEncryption = lib.mkForce false;
       };
     }
    @@ -4946,6 +5022,706 @@ in
     }
     
     
    +
    +
    +
    +
    +
    +
    +
    3.1.3.2. Belchsfactory (OCI)
    +
    +
    +
    +
    3.1.3.2.1. Main Configuration
    +
    +
    +
    { lib, config, minimal, ... }:
    +{
    +  imports = [
    +    ./hardware-configuration.nix
    +    ./disk-config.nix
    +  ];
    +
    +  node.lockFromBootstrapping = lib.mkForce false;
    +
    +  topology.self = {
    +    icon = "devices.cloud-server";
    +  };
    +  swarselmodules.server.nginx = false;
    +
    +  swarselsystems = {
    +    flakePath = "/root/.dotfiles";
    +    info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
    +    isImpermanence = true;
    +    isSecureBoot = false;
    +    isCrypted = true;
    +    isSwap = false;
    +    rootDisk = "/dev/sda";
    +    isBtrfs = true;
    +    isNixos = true;
    +    isLinux = true;
    +    isCloud = true;
    +    proxyHost = "belchsfactory";
    +    server = {
    +      inherit (config.repo.secrets.local.networking) localNetwork;
    +      garage = {
    +        data_dir = {
    +          capacity = "150G";
    +          path = "/var/lib/garage/data";
    +        };
    +        keys = {
    +          nixos = [
    +            "attic"
    +          ];
    +        };
    +        buckets = [
    +          "attic"
    +        ];
    +      };
    +    };
    +  };
    +} // lib.optionalAttrs (!minimal) {
    +  swarselprofiles = {
    +    server = true;
    +  };
    +
    +  swarselmodules.server = {
    +    postgresql = lib.mkDefault true;
    +    attic = lib.mkDefault true;
    +    garage = lib.mkDefault true;
    +  };
    +
    +}
    +
    +
    +
    +
    +
    +
    +
    3.1.3.2.2. hardware-configuration
    +
    +
    +
    { lib, modulesPath, ... }:
    +{
    +  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
    +
    +  boot = {
    +    initrd = {
    +      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
    +      kernelModules = [ ];
    +    };
    +    kernelModules = [ ];
    +    extraModulePackages = [ ];
    +  };
    +
    +  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
    +}
    +
    +
    +
    +
    +
    +
    3.1.3.2.3. disko
    +
    +
    +
    { lib, pkgs, config, ... }:
    +let
    +  type = "btrfs";
    +  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
    +  subvolumes = {
    +    "/root" = {
    +      mountpoint = "/";
    +      mountOptions = [
    +        "subvol=root"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/home";
    +      mountOptions = [
    +        "subvol=home"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/persist";
    +      mountOptions = [
    +        "subvol=persist"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/var/log";
    +      mountOptions = [
    +        "subvol=log"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/nix" = {
    +      mountpoint = "/nix";
    +      mountOptions = [
    +        "subvol=nix"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/swap" = lib.mkIf config.swarselsystems.isSwap {
    +      mountpoint = "/.swapvol";
    +      swap.swapfile.size = config.swarselsystems.swapSize;
    +    };
    +  };
    +in
    +{
    +  disko = {
    +    imageBuilder.extraDependencies = [ pkgs.kmod ];
    +    devices = {
    +      disk = {
    +        disk0 = {
    +          type = "disk";
    +          device = config.swarselsystems.rootDisk;
    +          content = {
    +            type = "gpt";
    +            partitions = {
    +              ESP = {
    +                priority = 1;
    +                name = "ESP";
    +                size = "512M";
    +                type = "EF00";
    +                content = {
    +                  type = "filesystem";
    +                  format = "vfat";
    +                  mountpoint = "/boot";
    +                  mountOptions = [ "defaults" ];
    +                };
    +              };
    +              root = lib.mkIf (!config.swarselsystems.isCrypted) {
    +                size = "100%";
    +                content = {
    +                  inherit type subvolumes extraArgs;
    +                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                    MNTPOINT=$(mktemp -d)
    +                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
    +                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                  '';
    +                };
    +              };
    +              luks = lib.mkIf config.swarselsystems.isCrypted {
    +                size = "100%";
    +                content = {
    +                  type = "luks";
    +                  name = "cryptroot";
    +                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
    +                  settings = {
    +                    allowDiscards = true;
    +                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
    +                    crypttabExtraOpts = [
    +                      "fido2-device=auto"
    +                      "token-timeout=10"
    +                    ];
    +                  };
    +                  content = {
    +                    inherit type subvolumes extraArgs;
    +                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                      MNTPOINT=$(mktemp -d)
    +                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
    +                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                    '';
    +                  };
    +                };
    +              };
    +            };
    +          };
    +        };
    +      };
    +    };
    +  };
    +
    +  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +}
    +
    +
    +
    +
    +
    +
    +
    +
    3.1.3.3. Milkywell (OCI)
    +
    +
    +
    +
    3.1.3.3.1. Main Configuration
    +
    +
    +
    { lib, config, minimal, ... }:
    +{
    +  imports = [
    +    ./hardware-configuration.nix
    +    ./disk-config.nix
    +  ];
    +  node.lockFromBootstrapping = false;
    +  sops = {
    +    age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
    +  };
    +
    +  topology.self = {
    +    icon = "devices.cloud-server";
    +  };
    +
    +  networking = {
    +    domain = "subnet03112148.vcn03112148.oraclevcn.com";
    +    firewall = {
    +      allowedTCPPorts = [ 53 ];
    +    };
    +  };
    +
    +  system.stateVersion = "23.11";
    +
    +  swarselsystems = {
    +    flakePath = "/root/.dotfiles";
    +    info = "VM.Standard.E2.1.Micro";
    +    isImpermanence = true;
    +    isSecureBoot = false;
    +    isCrypted = false;
    +    isSwap = true;
    +    swapSize = "8G";
    +    rootDisk = "/dev/sda";
    +    isBtrfs = true;
    +    isNixos = true;
    +    isLinux = true;
    +    server = {
    +      inherit (config.repo.secrets.local.networking) localNetwork;
    +    };
    +  };
    +} // lib.optionalAttrs (!minimal) {
    +  swarselprofiles = {
    +    server = true;
    +  };
    +
    +}
    +
    +
    +
    +
    +
    +
    +
    3.1.3.3.2. hardware-configuration
    +
    +
    +
    { lib, modulesPath, ... }:
    +
    +{
    +  imports =
    +    [
    +      (modulesPath + "/profiles/qemu-guest.nix")
    +    ];
    +
    +  boot = {
    +    initrd = {
    +      availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
    +      kernelModules = [ "dm-snapshot" ];
    +    };
    +    kernelModules = [ "kvm-amd" ];
    +    extraModulePackages = [ ];
    +  };
    +
    +  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
    +  # (the default) this is the recommended approach. When using systemd-networkd it's
    +  # still possible to use this option, but it's recommended to use it in conjunction
    +  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
    +  networking.useDHCP = lib.mkDefault true;
    +  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
    +
    +  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
    +}
    +
    +
    +
    +
    +
    +
    +
    3.1.3.3.3. disko
    +
    +
    +
    { lib, pkgs, config, ... }:
    +let
    +  type = "btrfs";
    +  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
    +  subvolumes = {
    +    "/root" = {
    +      mountpoint = "/";
    +      mountOptions = [
    +        "subvol=root"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/home";
    +      mountOptions = [
    +        "subvol=home"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/persist";
    +      mountOptions = [
    +        "subvol=persist"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/var/log";
    +      mountOptions = [
    +        "subvol=log"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/nix" = {
    +      mountpoint = "/nix";
    +      mountOptions = [
    +        "subvol=nix"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/swap" = lib.mkIf config.swarselsystems.isSwap {
    +      mountpoint = "/.swapvol";
    +      swap.swapfile.size = config.swarselsystems.swapSize;
    +    };
    +  };
    +in
    +{
    +  disko = {
    +    imageBuilder.extraDependencies = [ pkgs.kmod ];
    +    devices = {
    +      disk = {
    +        disk0 = {
    +          type = "disk";
    +          device = config.swarselsystems.rootDisk;
    +          content = {
    +            type = "gpt";
    +            partitions = {
    +              ESP = {
    +                priority = 1;
    +                name = "ESP";
    +                size = "512M";
    +                type = "EF00";
    +                content = {
    +                  type = "filesystem";
    +                  format = "vfat";
    +                  mountpoint = "/boot";
    +                  mountOptions = [ "defaults" ];
    +                };
    +              };
    +              root = lib.mkIf (!config.swarselsystems.isCrypted) {
    +                size = "100%";
    +                content = {
    +                  inherit type subvolumes extraArgs;
    +                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                    MNTPOINT=$(mktemp -d)
    +                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
    +                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                  '';
    +                };
    +              };
    +              luks = lib.mkIf config.swarselsystems.isCrypted {
    +                size = "100%";
    +                content = {
    +                  type = "luks";
    +                  name = "cryptroot";
    +                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
    +                  settings = {
    +                    allowDiscards = true;
    +                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
    +                    crypttabExtraOpts = [
    +                      "fido2-device=auto"
    +                      "token-timeout=10"
    +                    ];
    +                  };
    +                  content = {
    +                    inherit type subvolumes extraArgs;
    +                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                      MNTPOINT=$(mktemp -d)
    +                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
    +                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                    '';
    +                  };
    +                };
    +              };
    +            };
    +          };
    +        };
    +      };
    +    };
    +  };
    +
    +  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +}
    +
    +
    +
    +
    +
    +
    +
    3.1.3.4. Eagleland (Hetzner)
    +
    +
    +
    +
    3.1.3.4.1. Main Configuration
    +
    +
    +
    { lib, config, minimal, ... }:
    +{
    +  imports = [
    +    ./hardware-configuration.nix
    +    ./disk-config.nix
    +  ];
    +
    +  topology.self = {
    +    icon = "devices.cloud-server";
    +  };
    +
    +  networking = {
    +    useDHCP = lib.mkForce false;
    +    useNetworkd = true;
    +    dhcpcd.enable = false;
    +    renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
    +      config.repo.secrets.local.networking.networks or { }
    +    );
    +  };
    +  boot.initrd.systemd.network = {
    +    enable = true;
    +    networks = {
    +      inherit (config.systemd.network.networks) "10-wan";
    +    };
    +  };
    +
    +  systemd = {
    +    network = {
    +      enable = true;
    +      wait-online.enable = false;
    +      networks =
    +        let
    +          netConfig = config.repo.secrets.local.networking;
    +        in
    +        {
    +          "10-wan" = {
    +            address = [
    +              "${netConfig.wanAddress4}/32"
    +              "${netConfig.wanAddress6}/64"
    +            ];
    +            gateway = [ "fe80::1" ];
    +            routes = [
    +              { Destination = netConfig.defaultGateway4; }
    +              {
    +                Gateway = netConfig.defaultGateway4;
    +                GatewayOnLink = true;
    +              }
    +            ];
    +            matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac;
    +            networkConfig.IPv6PrivacyExtensions = "yes";
    +            linkConfig.RequiredForOnline = "routable";
    +          };
    +        };
    +    };
    +  };
    +
    +  swarselmodules.server.mailserver = true;
    +
    +  swarselsystems = {
    +    flakePath = "/root/.dotfiles";
    +    info = "2vCPU, 4GB Ram";
    +    isImpermanence = true;
    +    isSecureBoot = false;
    +    isCrypted = true;
    +    isCloud = true;
    +    isSwap = true;
    +    swapSize = "4G";
    +    rootDisk = "/dev/sda";
    +    isBtrfs = true;
    +    isNixos = true;
    +    isLinux = true;
    +    proxyHost = "eagleland";
    +    server = {
    +      inherit (config.repo.secrets.local.networking) localNetwork;
    +    };
    +  };
    +} // lib.optionalAttrs (!minimal) {
    +  swarselprofiles = {
    +    server = true;
    +  };
    +
    +}
    +
    +
    +
    +
    +
    +
    +
    3.1.3.4.2. hardware-configuration
    +
    +
    +
    { lib, modulesPath, ... }:
    +
    +{
    +  imports =
    +    [
    +      (modulesPath + "/profiles/qemu-guest.nix")
    +    ];
    +
    +  boot = {
    +    initrd = {
    +      availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
    +      kernelModules = [ ];
    +    };
    +    kernelModules = [ ];
    +    extraModulePackages = [ ];
    +  };
    +  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
    +}
    +
    +
    +
    +
    +
    +
    +
    3.1.3.4.3. disko
    +
    +
    +
    { lib, pkgs, config, ... }:
    +let
    +  type = "btrfs";
    +  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
    +  subvolumes = {
    +    "/root" = {
    +      mountpoint = "/";
    +      mountOptions = [
    +        "subvol=root"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/home";
    +      mountOptions = [
    +        "subvol=home"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/persist";
    +      mountOptions = [
    +        "subvol=persist"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/var/log";
    +      mountOptions = [
    +        "subvol=log"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/nix" = {
    +      mountpoint = "/nix";
    +      mountOptions = [
    +        "subvol=nix"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/swap" = lib.mkIf config.swarselsystems.isSwap {
    +      mountpoint = "/.swapvol";
    +      swap.swapfile.size = config.swarselsystems.swapSize;
    +    };
    +  };
    +in
    +{
    +  disko = {
    +    imageBuilder.extraDependencies = [ pkgs.kmod ];
    +    devices = {
    +      disk = {
    +        disk0 = {
    +          type = "disk";
    +          device = config.swarselsystems.rootDisk;
    +          content = {
    +            type = "gpt";
    +            partitions = {
    +              ESP = {
    +                priority = 1;
    +                name = "ESP";
    +                size = "512M";
    +                type = "EF00";
    +                content = {
    +                  type = "filesystem";
    +                  format = "vfat";
    +                  mountpoint = "/boot";
    +                  mountOptions = [ "defaults" ];
    +                };
    +              };
    +              root = lib.mkIf (!config.swarselsystems.isCrypted) {
    +                size = "100%";
    +                content = {
    +                  inherit type subvolumes extraArgs;
    +                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                    MNTPOINT=$(mktemp -d)
    +                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
    +                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                  '';
    +                };
    +              };
    +              luks = lib.mkIf config.swarselsystems.isCrypted {
    +                size = "100%";
    +                content = {
    +                  type = "luks";
    +                  name = "cryptroot";
    +                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
    +                  settings = {
    +                    allowDiscards = true;
    +                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
    +                    crypttabExtraOpts = [
    +                      "fido2-device=auto"
    +                      "token-timeout=10"
    +                    ];
    +                  };
    +                  content = {
    +                    inherit type subvolumes extraArgs;
    +                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                      MNTPOINT=$(mktemp -d)
    +                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
    +                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                    '';
    +                  };
    +                };
    +              };
    +            };
    +          };
    +        };
    +      };
    +    };
    +  };
    +
    +  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +}
     
    @@ -5335,12 +6111,117 @@ in } + +
    +
    +
    +
    +
    3.1.4.3. Brick Road (kexec image)
    +
    +
    +
    { lib, pkgs, modulesPath, options, ... }:
    +{
    +  disabledModules = [
    +    # This module adds values to multiple lists (systemPackages, supportedFilesystems)
    +    # which are impossible/unpractical to remove, so we disable the entire module.
    +    "profiles/base.nix"
    +  ];
    +
    +  imports = [
    +    # reduce closure size by removing perl
    +    "${modulesPath}/profiles/perlless.nix"
    +    # FIXME: we still are left with nixos-generate-config due to nixos-install-tools
    +    { system.forbiddenDependenciesRegexes = lib.mkForce [ ]; }
    +  ];
    +
    +  config = {
    +    networking.hostName = "brickroad";
    +
    +    system = {
    +      # nixos-option is mainly useful for interactive installations
    +      tools.nixos-option.enable = false;
    +      # among others, this prevents carrying a stdenv with gcc in the image
    +      extraDependencies = lib.mkForce [ ];
    +    };
    +    # prevents shipping nixpkgs, unnecessary if system is evaluated externally
    +    nix.registry = lib.mkForce { };
    +
    +    # would pull in nano
    +    programs.nano.enable = false;
    +
    +    # prevents strace
    +    environment = {
    +      defaultPackages = lib.mkForce [
    +        pkgs.parted
    +        pkgs.gptfdisk
    +        pkgs.e2fsprogs
    +      ];
    +
    +      systemPackages = with pkgs; [
    +        cryptsetup.bin
    +      ];
    +
    +      # Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs.
    +      ldso32 = null;
    +    };
    +
    +    # included in systemd anyway
    +    systemd.sysusers.enable = true;
    +
    +    # normal users are not allowed with sys-users
    +    # see https://github.com/NixOS/nixpkgs/pull/328926
    +    users.users.nixos = {
    +      isSystemUser = true;
    +      isNormalUser = lib.mkForce false;
    +      shell = "/run/current-system/sw/bin/bash";
    +      group = "nixos";
    +    };
    +    users.groups.nixos = { };
    +
    +    security = {
    +      # we have still run0 from systemd and most of the time we just use root
    +      sudo.enable = false;
    +      polkit.enable = lib.mkForce false;
    +      # introduces x11 dependencies
    +      pam.services.su.forwardXAuth = lib.mkForce false;
    +    };
    +
    +    documentation = {
    +      enable = false;
    +      man.enable = false;
    +      nixos.enable = false;
    +      info.enable = false;
    +      doc.enable = false;
    +    };
    +
    +    services = {
    +      # no dependency on x11
    +      dbus.implementation = "broker";
    +      # we prefer root as this is also what we use in nixos-anywhere
    +      getty.autologinUser = lib.mkForce "root";
    +      # included in systemd anyway
    +      userborn.enable = false;
    +    };
    +
    +
    +
    +    # we are missing this from base.nix
    +    boot.supportedFilesystems = [
    +      "ext4"
    +      "btrfs"
    +      "xfs"
    +    ];
    +  } // lib.optionalAttrs (options.hardware ? firmwareCompression) {
    +    hardware.firmwareCompression = "xz";
    +  };
    +}
    +
     
    -
    3.1.4.3. Hotel (Demo Physical/VM)
    +
    3.1.4.4. Hotel (Demo Physical/VM)

    This is just a demo host. It applies all the configuration found in the common parts of the flake, but disables all secrets-related features (as they would not work without the proper SSH keys).
    @@ -5351,7 +6232,7 @@ I also set the WLR_RENDERER_ALLOW_SOFTWARE=1 to allow this configur
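Review bot: In the Brick Road image, `getty.autologinUser = lib.mkForce "root"` gives an unauthenticated root shell on every console, and the only comment on it refers to matching nixos-anywhere. That is a reasonable choice for a throwaway kexec installer, but the config should say so, because the same image booted on a machine with an exposed serial or remote console has no login barrier at all. I would extend the comment to something like `# root autologin: acceptable only because this image is ephemeral and never a persistent host`. Separately, `system.forbiddenDependenciesRegexes = lib.mkForce [ ]` clears the dependency check that, as far as I know, the perlless profile sets up, so the FIXME above it is the only thing tracking that gap.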

    -
    3.1.4.3.1. Main configuration
    +
    3.1.4.4.1. Main configuration
    { self, config, pkgs, lib, minimal, ... }:
    @@ -5421,7 +6302,7 @@ in
     
    -
    3.1.4.3.2. disko
    +
    3.1.4.4.2. disko
    # NOTE: ... is needed because dikso passes diskoFile
    @@ -5557,7 +6438,7 @@ in
     
    -
    3.1.4.3.3. NixOS dummy options configuration
    +
    3.1.4.4.3. NixOS dummy options configuration
    _:
    @@ -5568,7 +6449,7 @@ in
     
    -
    3.1.4.3.4. home-manager dummy options configuration
    +
    3.1.4.4.4. home-manager dummy options configuration
    _:
    @@ -5821,13 +6702,31 @@ in
     
               services = mkOption {
                 type = types.attrsOf (
    -              types.submodule {
    +              types.submodule (serviceSubmod: {
                     options = {
                       domain = mkOption {
                         type = types.str;
                       };
    +                  subDomain = mkOption {
    +                    readOnly = true;
    +                    type = types.str;
    +                    default = lib.swarselsystems.getSubDomain serviceSubmod.config.domain;
    +                  };
    +                  baseDomain = mkOption {
    +                    readOnly = true;
    +                    type = types.str;
    +                    default = lib.swarselsystems.getBaseDomain serviceSubmod.config.domain;
    +                  };
    +                  proxyAddress4 = mkOption {
    +                    type = types.nullOr types.str;
    +                    default = null;
    +                  };
    +                  proxyAddress6 = mkOption {
    +                    type = types.nullOr types.str;
    +                    default = null;
    +                  };
                     };
    -              }
    +              })
                 );
               };
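Review bot: `proxyAddress4` and `proxyAddress6` are declared as `types.nullOr types.str`, so a mistyped address is only noticed when some consumer uses it. The `wanAddress4`/`wanAddress6` options added in the following hunk use `types.net.ipv4` and `types.net.ipv6`; if those types are in scope in this submodule as well, `type = types.nullOr types.net.ipv4;` (and the `ipv6` counterpart) would reject malformed values at evaluation time. The four new options also have no `description`, which would help most for the read-only `subDomain` and `baseDomain`, since their values come from `getSubDomain`/`getBaseDomain` defined outside this hunk.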
     
    @@ -5870,6 +6769,12 @@ in
                       defaultGateway6 = mkOption {
                         type = types.nullOr types.net.ipv6;
                       };
    +                  wanAddress4 = mkOption {
    +                    type = types.nullOr types.net.ipv4;
    +                  };
    +                  wanAddress6 = mkOption {
    +                    type = types.nullOr types.net.ipv6;
    +                  };
                     };
                   }
                 );
    @@ -5913,6 +6818,10 @@ in
             description = "Node Name.";
             type = lib.types.str;
           };
    +      lockFromBootstrapping = lib.mkOption {
    +        description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
    +        type = lib.types.bool;
    +      };
         };
       };
     }
    @@ -5950,6 +6859,7 @@ in
             github-nixpkgs-review-token = { owner = mainUser; };
           }) // (lib.optionalAttrs modules.emacs {
             emacs-radicale-pw = { owner = mainUser; };
    +        github-forge-token = { owner = mainUser; };
           }) // (lib.optionalAttrs modules.optional.work {
             harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
           }) // (lib.optionalAttrs modules.anki {
    @@ -6036,8 +6946,10 @@ A breakdown of the flags being set:
     
     
     
    -
    { self, lib, pkgs, config, outputs, inputs, minimal, ... }:
    +
    { self, lib, pkgs, config, outputs, inputs, minimal, globals, ... }:
     let
    +  inherit (config.swarselsystems) mainUser;
    +  inherit (config.repo.secrets.common) atticPublicKey;
       settings = if minimal then { } else {
         environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
           assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
    @@ -6074,7 +6986,8 @@ let
             channel.enable = false;
             registry = rec {
               nixpkgs.flake = inputs.nixpkgs;
    -          swarsel.flake = inputs.swarsel;
    +          # swarsel.flake = inputs.swarsel;
    +          swarsel.flake = self;
               n = nixpkgs;
               s = swarsel;
             };
    @@ -6095,7 +7008,7 @@ in
         (lib.recursiveUpdate
           {
             sops.secrets.github-api-token = lib.mkIf (!minimal) {
    -          sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
    +          owner = mainUser;
             };
     
             nix =
    @@ -6112,6 +7025,12 @@ in
                     "cgroups"
                     "pipe-operators"
                   ];
    +              substituters = [
    +                "https://${globals.services.attic.domain}/${mainUser}"
    +              ];
    +              trusted-public-keys = [
    +                atticPublicKey
    +              ];
                   trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
                 };
                 # extraOptions = ''
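Review bot: The added `trusted-public-keys` entry makes `atticPublicKey` a trust root: any store path signed with the matching private key is installed from `https://${globals.services.attic.domain}/${mainUser}` without being built locally, and nothing next to the setting says so. A short comment such as `# paths signed by this key are substituted as-is; rotate together with the cache signing key` would make the consequence visible to whoever edits the list later. The context line `trusted-users = [ "@wheel" ... ]` matters here too, since trusted users can point Nix at further substituters on their own, so this list is not the only gate on what gets substituted. The `nix` attribute set continues outside the hunk.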
    @@ -6192,7 +7111,6 @@ We enable the use of home-manager as a NixoS module. A nice trick h
             inputs.nix-index-database.homeModules.nix-index
             inputs.sops-nix.homeManagerModules.sops
             inputs.spicetify-nix.homeManagerModules.default
    -        # inputs.swarsel-modules.homeModules.default
             inputs.swarsel-nix.homeModules.default
             {
               imports = [
    @@ -6235,14 +7153,11 @@ For that reason, make sure that sops-nix is properly working before
     

    -
    { self, pkgs, config, lib, globals, minimal, ... }:
    -let
    -  sopsFile = self + /secrets/general/secrets.yaml;
    -in
    +
    { pkgs, config, lib, globals, minimal, ... }:
     {
       options.swarselmodules.users = lib.mkEnableOption "user config";
       config = lib.mkIf config.swarselmodules.users {
    -    sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
    +    sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };
     
         users = {
           mutableUsers = lib.mkIf (!minimal) false;
    @@ -6566,6 +7481,7 @@ in
           hideMounts = true;
           directories =
             [
    +          "/root/.dotfiles"
               "/etc/nix"
               "/etc/NetworkManager/system-connections"
               "/var/lib/nixos"
    @@ -6658,8 +7574,9 @@ Mostly used to install some compilers and lsp's that I want to have available wh
     
           libsForQt5.qt5.qtwayland
     
    -      # nix package database
    -      nix-index
    +      # do not do this! clashes with the flake
    +      # nix-index
    +
           nixos-generators
     
           # commit hooks
    @@ -6675,6 +7592,9 @@ Mostly used to install some compilers and lsp's that I want to have available wh
           # better make for general tasks
           just
     
    +      # sops
    +      ssh-to-age
    +      sops
     
           # keyboards
           qmk
    @@ -6944,7 +7864,7 @@ Here I only enable networkmanager and a few default networks. The r
     

    -
    { self, lib, pkgs, config, ... }:
    +
    { self, lib, pkgs, config, globals, ... }:
     let
       certsSopsFile = self + /secrets/certs/secrets.yaml;
       clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
    @@ -6996,7 +7916,7 @@ in
         networking = {
           inherit (config.swarselsystems) hostName;
           hosts = {
    -        "192.168.178.24" = [ "store.swarsel.win" ];
    +        "${globals.networks.home-lan.hosts.winters.ipv4}" = [ globals.services.transmission.domain ];
           };
           wireless.iwd = {
             enable = true;
    @@ -7273,9 +8193,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at
         sops = {
     
           # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
    -      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
    -      # defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
    -      defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
    +      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
    +      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
     
           validateSopsFiles = false;
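Review bot: Only the host key path and `defaultSopsFile` get the `/persist` prefix under impermanence, while `"${config.swarselsystems.homeDir}/.ssh/sops"` and `"/etc/ssh/sops"` in `age.sshKeyPaths` stay unprefixed. If the prefix is needed because secrets are decrypted before the persistent paths are mounted (the hunk does not show this), the two other key paths would be missing at that point as well; if they are left out on purpose, a comment should say so. The repeated `if config.swarselsystems.isImpermanence then "/persist" else ""` could be bound once, e.g. `persistPrefix = lib.optionalString config.swarselsystems.isImpermanence "/persist";`, and reused in both lines. The `sops` attribute set starts and ends outside this hunk.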
     
    @@ -8394,7 +9313,6 @@ in
       config = lib.mkIf config.swarselmodules.server.packages {
         environment.systemPackages = with pkgs; [
           gnupg
    -      nix-index
           nvd
           nix-output-monitor
           ssh-to-age
    @@ -8565,6 +9483,7 @@ in
         networking.firewall.allowedTCPPorts = [ 80 443 ];
     
         environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    +      directories = [ { directory = "/var/lib/acme"; } ];
           files = [ dhParamsPathBase ];
         };
     
    @@ -8589,28 +9508,52 @@ in
             '';
           };
         };
    -    system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
    -      deps = [ "generateDHParams" "users" "groups" ];
    -    };
    -    system.activationScripts."generateDHParams" =
    -      {
    -        text = ''
    -          set -eu
    -
    -          ${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath}
    -          ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""}
    -
    -          if [ ! -f "${dhParamsPathBase}" ]; then
    -            ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096
    -            chmod 0644 ${dhParamsPath}
    -            chown ${serviceUser}:${serviceGroup} ${dhParamsPath}
    -          fi
    -        '';
    -        deps = [
    -          "etc"
    -          (lib.mkIf config.swarselsystems.isImpermanence "specialfs")
    -        ];
    +    systemd.services.generateDHParams = {
    +      before = [ "nginx.service" ];
    +      requiredBy = [ "nginx.service" ];
    +      after = [ "local-fs.target" ];
    +      requires = [ "local-fs.target" ];
    +      serviceConfig = {
    +        Type = "oneshot";
           };
    +
    +      script = ''
    +        set -eu
    +
    +        install -d -m 0755 ${sslBasePath}
    +        ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""}
    +
    +        if [ ! -f "${dhParamsPath}" ]; then
    +          ${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096
    +          chmod 0644 "${dhParamsPath}"
    +          chown ${serviceUser}:${serviceGroup} "${dhParamsPath}"
    +        else
    +          echo 'Already generated DHParams'
    +        fi
    +      '';
    +    };
    +
    +    # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
    +    #   deps = [ "generateDHParams" "users" "groups" ];
    +    # };
    +    # system.activationScripts."generateDHParams" =
    +    #   {
    +    #     text = ''
    +    #       set -eu
    +
    +    #       ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else "${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath}"}
    +
    +    #       if [ ! -f "${dhParamsPath}" ]; then
    +    #         ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096
    +    #         chmod 0644 ${dhParamsPath}
    +    #         chown ${serviceUser}:${serviceGroup} ${dhParamsPath}
    +    #       fi
    +    #     '';
    +    #     deps = [
    +    #       (lib.mkIf config.swarselsystems.isImpermanence "specialfs")
    +    #       (lib.mkIf (!config.swarselsystems.isImpermanence) "etc")
    +    #     ];
    +    #   };
       };
     }
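Review bot: The guard `if [ ! -f "${dhParamsPath}" ]` in the new `generateDHParams` unit only tests that the file exists, so a truncated file left behind by an interrupted `openssl dhparam` run would be accepted on the next start and passed to nginx; whether openssl can leave such a file depends on when it opens the output, which I have not verified. Generating into a temporary name and renaming removes the question: `openssl dhparam -out "${dhParamsPath}.tmp" 4096` followed by `mv "${dhParamsPath}.tmp" "${dhParamsPath}"`. Because the unit is `requiredBy` and ordered `before` nginx, the first boot also keeps nginx down for as long as the 4096-bit generation takes. The script mixes a bare `install` with `${pkgs.coreutils}/bin/install` on the next line, and the old activation script is kept as a commented-out block that could simply be deleted.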
     
    @@ -8661,22 +9604,35 @@ Here I am forcing startWhenNeeded to false so that the value will n
    -
    -
    3.2.3.7. Network settings
    -
    +
    +
    3.2.3.7. Network settings
    +
    +

    +Generate hostId using head -c4 /dev/urandom | od -A none -t x4 +

    +
    { lib, config, ... }:
    +let
    +  inherit (config.swarselsystems.server) localNetwork;
    +in
     {
       options.swarselmodules.server.network = lib.mkEnableOption "enable server network config";
    +  options.swarselsystems.server.localNetwork = lib.mkOption {
    +    type = lib.types.str;
    +    default = "home";
    +  };
       config = lib.mkIf config.swarselmodules.server.network {
     
    -    globals.networks.home.hosts.${config.node.name} = {
    -      inherit (config.repo.secrets.local.networking.networks.home) id;
    -      mac = config.repo.secrets.local.networking.networks.home.mac or null;
    +    globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = {
    +      inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id;
    +      mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null;
         };
     
         globals.hosts.${config.node.name} = {
           inherit (config.repo.secrets.local.networking) defaultGateway4;
    +      wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null;
    +      wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null;
         };
     
         networking = {
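Review bot: The network name expression `"${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}"` is written out in full here and twice more in the `localIp`/`subnetMask` bindings of the disk-encryption hunk further down, so the three copies can drift apart. Binding it once, for example `netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}";` in the `let` block (or exposing it as a read-only option so other modules can reuse it), keeps the lookups consistent. The new `options.swarselsystems.server.localNetwork` has no `description`; one line saying that it selects the entry under `config.repo.secrets.local.networking.networks` would help. The `config` block continues outside the hunk.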
    @@ -8695,9 +9651,9 @@ Here I am forcing startWhenNeeded to false so that the value will n
     
    -
    -
    3.2.3.8. Disk encryption
    -
    +
    +
    3.2.3.8. Disk encryption
    +

    The hostkey can be generated with ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key. Use lspci -v | grep -iA8 'network\|ethernet' to supposedly find out which kernel module is needed for networking in initrd. However I prefer a different approach:
    @@ -8712,75 +9668,11 @@ Use lspci -nn | grep -i network to find out manufacturer info:

    - +
    +04:00.0 Network controller [0280]: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter [14c3:0616]
    +
    --- -- -- -- -- -- -- -- -- -- -- -- -- -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    04:00.0Networkcontroller[0280]:MEDIATEKCorp.MT7922802.11axPCIExpressWirelessNetworkAdapter[14c3:0616]
    6a:00.0Ethernetcontroller[0200]:IntelCorporationI210GigabitNetworkConnection[8086:1533](rev03) 
    -

    From the last bracket you then find out the correct kernel module:

    @@ -8884,11 +9776,16 @@ From the last bracket you then find out the correct kernel module:
    { self, pkgs, lib, config, globals, minimal, ... }:
     let
    -  localIp = globals.networks.home.hosts.${config.node.name}.ipv4;
    -  subnetMask = globals.networks.home.subnetMask4;
    +  localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
    +  subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4;
       gatewayIp = globals.hosts.${config.node.name}.defaultGateway4;
     
    -  hostKeyPath = "/etc/secrets/initrd/ssh_host_ed25519_key";
    +  hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key";
    +  hostKeyPath =
    +    if config.swarselsystems.isImpermanence then
    +      "/persist/${hostKeyPathBase}"
    +    else
    +      "${hostKeyPathBase}";
     in
     {
       options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config";
    @@ -8898,35 +9795,40 @@ in
       };
       config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) {
     
    +
    +    system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
    +      deps = [ "ensureInitrdHostkey" ];
    +    };
         system.activationScripts.ensureInitrdHostkey = lib.mkIf (config.swarselprofiles.server || minimal) {
           text = ''
             [[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath}
           '';
    -      deps = [ "users" ];
    +      deps = [
    +        "etc"
    +      ];
         };
     
         environment.persistence."/persist" = lib.mkIf (config.swarselsystems.isImpermanence && (config.swarselprofiles.server || minimal)) {
    -      files = [ hostKeyPath ];
    +      files = [ hostKeyPathBase ];
         };
     
    -    boot = lib.mkIf (config.swarselprofiles.server || minimal) {
    -      kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [
    +    boot = lib.mkIf (!config.swarselsystems.isLaptop) {
    +      kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [
             "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
           ];
           initrd = {
             availableKernelModules = config.swarselsystems.networkKernelModules;
             network = {
               enable = true;
    -          udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true;
               flushBeforeStage2 = true;
               ssh = {
                 enable = true;
                 port = 2222; # avoid hostkey changed nag
    -            authorizedKeyFiles = [
    -              (self + /secrets/keys/ssh/yubikey.pub)
    -              (self + /secrets/keys/ssh/magicant.pub)
    +            authorizedKeys = [
    +              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''
    +              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}''
                 ];
    -            hostKeys = [ hostKeyPath ];
    +            hostKeys = [ hostKeyPathBase ];
               };
               # postCommands = ''
               #   echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
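Review bot: The new `authorizedKeys` entries force `command="/bin/systemctl default"` but set no other per-key options, so unless the initrd sshd configuration disables them, a holder of either key can still request port or agent forwarding on the initrd SSH server on port 2222. Prefixing the options with `restrict` narrows each key to the forced command, e.g. `''restrict,pty,command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''`; the `pty` is my assumption that the passphrase prompt needs a terminal, so test it. In the same hunk `ensureInitrdHostkey` runs `ssh-keygen ... -f ${hostKeyPath}` and is now ordered before `createPersistentStorageDirs`, so on a fresh impermanent host the parent directory under `/persist` may not exist yet; an `install -d -m 0700 "$(dirname ${hostKeyPath})"` before the `ssh-keygen` call would cover that. The `initrd` block continues outside the hunk.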
    @@ -8936,23 +9838,24 @@ in
               initrdBin = with pkgs; [
                 cryptsetup
               ];
    -          services = {
    -            unlock-luks = {
    -              wantedBy = [ "initrd.target" ];
    -              after = [ "network.target" ];
    -              before = [ "systemd-cryptsetup@cryptroot.service" ];
    -              path = [ "/bin" ];
    +          # NOTE: the below does put the text into /root/.profile, but the command will not be run
    +          # services = {
    +          #   unlock-luks = {
    +          #     wantedBy = [ "initrd.target" ];
    +          #     after = [ "network.target" ];
    +          #     before = [ "systemd-cryptsetup@cryptroot.service" ];
    +          #     path = [ "/bin" ];
     
    -              serviceConfig = {
    -                Type = "oneshot";
    -                RemainAfterExit = true;
    -              };
    +          #     serviceConfig = {
    +          #       Type = "oneshot";
    +          #       RemainAfterExit = true;
    +          #     };
     
    -              script = ''
    -                echo "systemctl default" >> /root/.profile
    -              '';
    -            };
    -          };
    +          #     script = ''
    +          #       echo "systemctl default" >> /root/.profile
    +          #     '';
    +          #   };
    +          # };
             };
           };
         };
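Review bot: The `unlock-luks` service is kept as commented-out lines under a NOTE saying it never ran the command, which leaves dead configuration in a boot-critical block; deleting it and keeping one comment is easier to audit. The replacement appears to be the forced `command="/bin/systemctl default"` on the keys in `authorizedKeys` in the preceding hunk, so the comment could read `# unlock prompt is started by the forced command in initrd.network.ssh.authorizedKeys; appending to /root/.profile did not run it`. That forced command is now the only limit on what these keys can do in the initrd, so consider prefixing the key options with `restrict,` (adding `pty` back if the prompt needs a terminal) so that forwarding is disabled as well. The enclosing `initrd` block starts outside this hunk.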
    @@ -8963,9 +9866,9 @@ in
     
    -
    -
    3.2.3.9. Router
    -
    +
    +
    3.2.3.9. Router
    +
    { lib, config, ... }:
     let
    @@ -9031,15 +9934,11 @@ in
     
    3.2.3.10. kavita
    -
    { self, lib, config, pkgs, globals, ... }:
    +
    { self, lib, config, pkgs, globals, dns, confLib, ... }:
     let
       inherit (config.swarselsystems) sopsFile;
     
    -  servicePort = 8080;
    -  serviceName = "kavita";
    -  serviceUser = "kavita";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    @@ -9048,6 +9947,10 @@ in
           calibre
         ];
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         users.users.${serviceUser} = {
           extraGroups = [ "users" ];
         };
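Review bot: The `swarselsystems.server.dns.….subdomainRecords` stanza added here is repeated verbatim in the jellyfin, navidrome, matrix, nextcloud, immich, paperless, syncthing, grafana, jenkins, freshrss, forgejo, ankisync and kanidm hunks. The `globals.services.${serviceName} = { domain = serviceDomain; inherit proxyAddress4 proxyAddress6; }` block is repeated the same way, so the duplication that `confLib.gen` removes from the `let` bindings returns in the module bodies. Both could come from the same helper and be merged in, which would also keep a service's DNS record and its proxy addresses from drifting apart. The stanza reads `globals.services.${serviceName}.baseDomain` and `.subDomain`, which none of the visible hunks set; presumably the globals module derives them from `domain`, and a one-line comment such as `# baseDomain/subDomain are derived from domain in the globals module` would make that dependency explicit. The enclosing `config = lib.mkIf …` block continues outside the hunk.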
    @@ -9061,7 +9964,11 @@ in
           info = "https://${serviceDomain}";
           icon = "${self}/files/topology-images/${serviceName}.png";
         };
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = {
           enable = true;
    @@ -9071,7 +9978,7 @@ in
           dataDir = "/Vault/data/${serviceName}";
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -9105,23 +10012,26 @@ in
     
    3.2.3.11. jellyfin
    -
    { pkgs, lib, config, globals, ... }:
    +
    { pkgs, lib, config, globals, dns, confLib, ... }:
     let
    -  servicePort = 8096;
    -  serviceName = "jellyfin";
    -  serviceUser = "jellyfin";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         users.users.${serviceUser} = {
           extraGroups = [ "video" "render" "users" ];
         };
    +
         nixpkgs.config.packageOverrides = pkgs: {
           intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
         };
    +
         hardware.graphics = {
           enable = true;
           extraPackages = with pkgs; [
    @@ -9133,7 +10043,11 @@ in
         };
     
         topology.self.services.${serviceName}.info = "https://${serviceDomain}";
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = {
           enable = true;
    @@ -9141,7 +10055,7 @@ in
           openFirewall = true; # this works only for the default ports
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -9176,18 +10090,18 @@ in
     
    3.2.3.12. navidrome
    -
    { pkgs, config, lib, globals, ... }:
    +
    { pkgs, config, lib, globals, dns, confLib, ... }:
     let
    -  servicePort = 4040;
    -  serviceName = "navidrome";
    -  serviceUser = "navidrome";
    -  serviceGroup = serviceUser;
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         environment.systemPackages = with pkgs; [
           pciutils
           alsa-utils
    @@ -9217,7 +10131,10 @@ in
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    globals.services.${serviceName}.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.snapserver = {
           enable = true;
    @@ -9281,7 +10198,7 @@ in
           };
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -9343,12 +10260,9 @@ in
     
    3.2.3.13. spotifyd
    -
    { lib, config, ... }:
    +
    { lib, config, confLib, ... }:
     let
    -  servicePort = 1025;
    -  serviceName = "spotifyd";
    -  serviceUser = "spotifyd";
    -  serviceGroup = serviceUser;
    +  inherit (confLib.gen { name = "spotifyd"; port = 1025; }) servicePort serviceName serviceUser serviceGroup;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    @@ -9402,14 +10316,10 @@ in
     
    3.2.3.14. mpd
    -
    { self, lib, config, pkgs, ... }:
    +
    { self, lib, config, pkgs, confLib, ... }:
     let
       inherit (config.swarselsystems) sopsFile;
    -
    -  servicePort = 3254;
    -  serviceUser = "mpd";
    -  serviceGroup = serviceUser;
    -  serviceName = "mpd";
    +  inherit (confLib.gen { name = "mpd"; port = 3254; }) servicePort serviceName serviceUser serviceGroup;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    @@ -9504,10 +10414,11 @@ in
     
    3.2.3.16. postgresql
    -
    { config, lib, pkgs, ... }:
    +
    { config, lib, pkgs, confLib, ... }:
     let
    -  serviceName = "postgresql";
    +  inherit (confLib.gen { name = "postgresql"; port = 3254; }) serviceName;
       postgresVersion = 14;
    +  postgresDirPrefix = if config.swarselsystems.isCloud then "/var/lib" else "/Vault/data" ;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
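Review bot: `port = 3254` in the `confLib.gen` call is the mpd port from the module above, not a PostgreSQL port; only `serviceName` is inherited, so the value is unused today but becomes wrong as soon as `servicePort` is inherited. `port` looks optional (the transmission module calls `confLib.gen { name = "transmission"; }`), so `inherit (confLib.gen { name = "postgresql"; }) serviceName;` is enough. The persistence entry added in the next hunk hard-codes `/var/lib/postgresql` instead of reusing the prefix defined here (`"${postgresDirPrefix}/${serviceName}"`), so the data directory and the persisted directory can drift apart. There is also a stray space before the `;` on the `postgresDirPrefix` line.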
    @@ -9516,9 +10427,13 @@ in
           ${serviceName} = {
             enable = true;
             package = pkgs."postgresql_${builtins.toString postgresVersion}";
    -        dataDir = "/Vault/data/${serviceName}/${builtins.toString postgresVersion}";
    +        dataDir = "${postgresDirPrefix}/${serviceName}/${builtins.toString postgresVersion}";
           };
         };
    +    environment.persistence."/persist".directories = lib.mkIf (config.swarselsystems.isImpermanence && config.swarselsystems.isCloud) [
    +      { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
    +    ];
    +
       };
     }
     
    @@ -9529,15 +10444,10 @@ in
    3.2.3.17. matrix
    -
    { lib, config, pkgs, globals, ... }:
    +
    { lib, config, pkgs, globals, dns, confLib, ... }:
     let
       inherit (config.swarselsystems) sopsFile;
    -
    -  servicePort = 8008;
    -  serviceName = "matrix";
    -  serviceDomain = config.repo.secrets.common.services.domains.matrix;
    -  serviceUser = "matrix-synapse";
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       federationPort = 8448;
       whatsappPort = 29318;
    @@ -9555,6 +10465,11 @@ in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         environment.systemPackages = with pkgs; [
           matrix-synapse
           lottieconverter
    @@ -9622,7 +10537,10 @@ in
           };
         };
     
    -    globals.services.${serviceName}.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services = {
           postgresql = {
    @@ -9821,7 +10739,7 @@ in
         # messages out after a while.
     
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -9885,17 +10803,11 @@ in
     
    3.2.3.18. nextcloud
    -
    { pkgs, lib, config, globals, ... }:
    +
    { pkgs, lib, config, globals, dns, confLib, ... }:
     let
       inherit (config.repo.secrets.local.nextcloud) adminuser;
       inherit (config.swarselsystems) sopsFile;
    -
    -  servicePort = 80;
    -  serviceUser = "nextcloud";
    -  serviceGroup = serviceUser;
    -  serviceName = "nextcloud";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       nextcloudVersion = "32";
     in
    @@ -9903,13 +10815,19 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         sops.secrets = {
           nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
           kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         };
     
    -
    -    globals.services.${serviceName}.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services = {
           ${serviceName} = {
    @@ -9937,7 +10855,7 @@ in
           };
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -9971,24 +10889,28 @@ in
     
    3.2.3.19. immich
    -
    { lib, pkgs, config, globals, ... }:
    +
    { lib, pkgs, config, globals, dns, confLib, ... }:
     let
    -  servicePort = 3001;
    -  serviceUser = "immich";
    -  serviceName = "immich";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         users.users.${serviceUser} = {
           extraGroups = [ "video" "render" "users" ];
         };
     
         topology.self.services.${serviceName}.info = "https://${serviceDomain}";
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = {
           enable = true;
    @@ -10002,9 +10924,9 @@ in
           };
         };
     
    -    networking.firewall.allowedTCPPorts = [ 3001 ];
    +    networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
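Review bot: `networking.firewall.allowedTCPPorts = [ servicePort ];` opens the immich backend port on every interface, although the nginx upstream on `nodes.${serviceProxy}` is the only client this hunk shows. Unless direct LAN access is intended, scoping the rule to the interface the proxy arrives on, `networking.firewall.interfaces.<proxy-facing-iface>.allowedTCPPorts = [ servicePort ];` (interface name is a placeholder), keeps clients from reaching the service without passing through the proxy and any access control configured there. The same unscoped rule appears as a context line in the navidrome, paperless, syncthing, grafana, forgejo, ankisync and kanidm hunks. The nginx block continues outside the hunk.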
    @@ -10057,16 +10979,10 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of 
     

    -
    { lib, pkgs, config, globals, ... }:
    +
    { lib, pkgs, config, dns, globals, confLib, ... }:
     let
       inherit (config.swarselsystems) sopsFile;
    -
    -  servicePort = 28981;
    -  serviceUser = "paperless";
    -  serviceGroup = serviceUser;
    -  serviceName = "paperless";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       tikaPort = 9998;
       gotenbergPort = 3002;
    @@ -10076,6 +10992,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         users.users.${serviceUser} = {
           extraGroups = [ "users" ];
         };
    @@ -10087,7 +11007,10 @@ in
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    globals.services.${serviceName}.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services = {
           ${serviceName} = {
    @@ -10157,7 +11080,7 @@ in
                          )
         '';
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -10196,10 +11119,9 @@ in
     
    3.2.3.21. transmission
    -
    { self, pkgs, lib, config, ... }:
    +
    { self, pkgs, lib, config, confLib, ... }:
     let
    -  serviceName = "transmission";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    +  inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain;
     
       lidarrUser = "lidarr";
       lidarrGroup = lidarrUser;
    @@ -10385,17 +11307,12 @@ in
     
    3.2.3.22. syncthing
    -
    { lib, config, configName, globals, ... }:
    +
    { lib, config, globals, dns, confLib, ... }:
     let
       inherit (config.swarselsystems.syncthing) serviceDomain;
    -  inherit (config.swarselsystems.syncthing) serviceIP;
    +  inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
    -  servicePort = 8384;
    -  serviceUser = "syncthing";
    -  serviceGroup = serviceUser;
    -  serviceName = "syncthing";
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    -  specificServiceName = "syncthing-${configName}";
    +  specificServiceName = "${serviceName}-${config.node.name}";
     
       cfg = config.services.${serviceName};
       devices = config.swarselsystems.syncthing.syncDevices;
    @@ -10409,10 +11326,6 @@ in
             type = lib.types.str;
             default = config.repo.secrets.common.services.domains.syncthing1;
           };
    -      serviceIP = lib.mkOption {
    -        type = lib.types.str;
    -        default = "${serviceAddress}";
    -      };
           syncDevices = lib.mkOption {
             type = lib.types.listOf lib.types.str;
             default = [ "magicant" "winters" "pyramid" "moonside@oracle" ];
    @@ -10438,6 +11351,10 @@ in
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         users.users.${serviceUser} = {
           extraGroups = [ "users" ];
           group = serviceGroup;
    @@ -10448,7 +11365,10 @@ in
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    globals.services."${specificServiceName}".domain = serviceDomain;
    +    globals.services.${specificServiceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = rec {
           enable = true;
    @@ -10504,11 +11424,11 @@ in
           };
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${specificServiceName} = {
               servers = {
    -            "${serviceIP}:${builtins.toString servicePort}" = { };
    +            "${serviceAddress}:${builtins.toString servicePort}" = { };
               };
             };
           };
    @@ -10539,6 +11459,7 @@ in
     

    This manages backups for my pictures and obsidian files. +Note: you still need to run restic-<name> init once on the host to get the bucket running.

    @@ -10548,6 +11469,14 @@ let in { options.swarselmodules.server.restic = lib.mkEnableOption "enable restic backups on server"; + options.swarselsystems.server.restic = { + bucketName = lib.mkOption { + type = lib.types.str; + }; + paths = lib.mkOption { + type = lib.types.listOf lib.types.str; + }; + }; config = lib.mkIf config.swarselmodules.server.restic { sops = { @@ -10570,20 +11499,10 @@ in in { backups = { - SwarselWinters = { + "${config.swarselsystems.server.restic.bucketName}" = { environmentFile = config.sops.templates."restic-env".path; passwordFile = config.sops.secrets.resticpw.path; - paths = [ - "/Vault/data/paperless" - "/Vault/data/koillection" - "/Vault/data/postgresql" - "/Vault/data/firefly-iii" - "/Vault/data/radicale" - "/Vault/data/matrix-synapse" - "/Vault/Eternor/Paperless" - "/Vault/Eternor/Bilder" - "/Vault/Eternor/Immich" - ]; + inherit (config.swarselsystems.server.restic) paths; pruneOpts = [ "--keep-daily 3" "--keep-weekly 2" @@ -10617,14 +11536,9 @@ This section exposes several metrics that I use to check the health of my server
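Review bot: `bucketName` and `paths` are declared without a `description`, and the nine paths that used to be listed in this module must now be supplied by each host, so a host that sets a short or empty list loses backup coverage without any evaluation error. Adding `description = "…";` to both options and an assertion such as `assertions = [{ assertion = config.swarselsystems.server.restic.paths != [ ]; message = "restic: no backup paths set"; }];` would surface the empty case at build time. The quotes around `"${config.swarselsystems.server.restic.bucketName}"` are not needed for an interpolated attribute name. This applies to the `@@ -10548` and `@@ -10570` hunks, which both sit on this one collapsed line.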

    -
    { self, lib, config, globals, ... }:
    +
    { self, lib, config, globals, dns, confLib, ... }:
     let
    -  servicePort = 3000;
    -  serviceUser = "grafana";
    -  serviceGroup = serviceUser;
    -  serviceName = "grafana";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       prometheusPort = 9090;
       prometheusUser = "prometheus";
    @@ -10640,6 +11554,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         sops = {
           secrets = {
             grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    @@ -10676,7 +11594,11 @@ in
         networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ];
     
         topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}";
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services = {
           ${serviceName} = {
    @@ -10825,7 +11747,7 @@ in
         };
     
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             "${grafanaUpstream}" = {
               servers = {
    @@ -10875,17 +11797,23 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w
     

    -
    { pkgs, lib, config, globals, ... }:
    +
    { pkgs, lib, config, globals, dns, confLib, ... }:
     let
    -  servicePort = 8088;
    -  serviceName = "jenkins";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
    +
         services.jenkins = {
           enable = true;
           withCLI = true;
    @@ -10895,7 +11823,7 @@ in
           home = "/Vault/apps/${serviceName}";
         };
     
    -    services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
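Review bot: Changing `services.nginx` to `nodes.${serviceProxy}.services.nginx` puts an instance that the surrounding text calls WIP behind the shared proxy, and the previous hunk adds a DNS record for it. The virtual-host body is outside this hunk, so it is not visible whether it carries the same access control as the other proxied services; that should be confirmed before the record is published, especially with `withCLI = true` set. No `networking.firewall.allowedTCPPorts = [ servicePort ];` for jenkins is visible in these hunks either, so it is worth checking that the proxy can reach `serviceAddress:servicePort` and that nothing else can.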
    @@ -10934,10 +11862,9 @@ This was an approach of hosting an RSS server from within emacs. That would have
     

    -
    { lib, config, ... }:
    +
    { lib, config, confLib, ... }:
     let
    -  serviceName = "emacs";
    -  servicePort = 9812;
    +  inherit (confLib.gen { name = "emacs"; port = 9812; }) servicePort serviceName;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} server on server";
    @@ -10978,14 +11905,9 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
     

    -
    { self, lib, config, globals, ... }:
    +
    { self, lib, config, globals, dns, confLib, ... }:
     let
    -  servicePort = 80;
    -  serviceName = "freshrss";
    -  serviceUser = "freshrss";
    -  serviceGroup = serviceName;
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       inherit (config.swarselsystems) sopsFile;
     in
    @@ -10993,6 +11915,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         users.users.${serviceUser} = {
           extraGroups = [ "users" ];
           group = serviceGroup;
    @@ -11034,7 +11960,10 @@ in
           icon = "${self}/files/topology-images/${serviceName}.png";
         };
     
    -    globals.services.${serviceName}.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} =
           let
    @@ -11054,7 +11983,7 @@ in
         #   config.sops.templates.freshrss-env.path
         # ];
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -11092,16 +12021,10 @@ in
     
    3.2.3.28. forgejo (git server)
    -
    { lib, config, pkgs, globals, ... }:
    +
    { lib, config, pkgs, globals, dns, confLib, ... }:
     let
       inherit (config.swarselsystems) sopsFile;
    -
    -  servicePort = 3004;
    -  serviceUser = "forgejo";
    -  serviceGroup = serviceUser;
    -  serviceName = "forgejo";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       kanidmDomain = globals.services.kanidm.domain;
     in
    @@ -11109,6 +12032,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
         users.users.${serviceUser} = {
    @@ -11122,7 +12049,10 @@ in
           kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         };
     
    -    globals.services.${serviceName}.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = {
           enable = true;
    @@ -11223,7 +12153,7 @@ in
             '';
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -11258,14 +12188,10 @@ in
     
    3.2.3.29. Anki Sync Server
    -
    { self, lib, config, globals, ... }:
    +
    { self, lib, config, globals, dns, confLib, ... }:
     let
       inherit (config.swarselsystems) sopsFile;
    -
    -  servicePort = 27701;
    -  serviceName = "ankisync";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       ankiUser = globals.user.name;
     in
    @@ -11273,6 +12199,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
         sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
    @@ -11283,7 +12213,10 @@ in
           info = "https://${serviceDomain}";
         };
     
    -    globals.services.${serviceName}.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.anki-sync-server = {
           enable = true;
    @@ -11298,7 +12231,7 @@ in
           ];
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -11346,19 +12279,13 @@ To get other URLs (token, etc.), use 
    -
    { self, lib, pkgs, config, globals, ... }:
    +
    { self, lib, pkgs, config, globals, dns, confLib, ... }:
     let
       certsSopsFile = self + /secrets/certs/secrets.yaml;
       inherit (config.swarselsystems) sopsFile;
    +  inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
    -  servicePort = 8300;
    -  serviceUser = "kanidm";
    -  serviceGroup = serviceUser;
    -  serviceName = "kanidm";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    -
    -  oauth2ProxyDomain = globals.services.oauth2Proxy.domain;
    +  oauth2ProxyDomain = globals.services.oauth2-proxy.domain;
       immichDomain = globals.services.immich.domain;
       paperlessDomain = globals.services.paperless.domain;
       forgejoDomain = globals.services.forgejo.domain;
    @@ -11385,6 +12312,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         users.users.${serviceUser} = {
           group = serviceGroup;
           isSystemUser = true;
    @@ -11410,7 +12341,10 @@ in
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    globals.services.${serviceName}.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
           files = [
    @@ -11418,17 +12352,22 @@ in
             keyPathBase
           ];
         };
    -
    -    system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
    -      deps = [ "generateSSLCert-${serviceName}" "users" "groups" ];
    -    };
    -    system.activationScripts."generateSSLCert-${serviceName}" =
    +    systemd.services."generateSSLCert-${serviceName}" =
           let
             daysValid = 3650;
             renewBeforeDays = 365;
           in
           {
    -        text = ''
    +        before = [ "${serviceName}.service" ];
    +        requiredBy = [ "${serviceName}.service" ];
    +        after = [ "local-fs.target" ];
    +        requires = [ "local-fs.target" ];
    +
    +        serviceConfig = {
    +          Type = "oneshot";
    +        };
    +
    +        script = ''
               set -eu
     
               ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
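Review bot: The new `generateSSLCert-${serviceName}` unit runs its script as root with systemd's default umask, so the private key's mode depends on the `chmod` calls further down the script (outside this hunk) and on what `openssl` itself does when it creates the file. Setting the restrictive default on the unit, `serviceConfig = { Type = "oneshot"; UMask = "0077"; };`, keeps the key owner-only at every point; the directories already get explicit modes from `install -m`. Since `requiredBy` ties the unit to `${serviceName}.service` and there is no timer, the expiry check now runs only when that service is started, which is worth a comment next to `renewBeforeDays`.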
    @@ -11437,16 +12376,18 @@ in
               ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
     
               need_gen=0
    -          if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then
    +          if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
                 need_gen=1
               else
    -            enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)"
    +            enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
                 end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
                 now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
                 seconds_left=$(( end_epoch - now_epoch ))
                 days_left=$(( seconds_left / 86400 ))
                 if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
                   need_gen=1
    +            else
    +              echo 'Certificate exists and is still valid'
                 fi
               fi
     
    @@ -11462,12 +12403,58 @@ in
                 chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
               fi
             '';
    -        deps = [
    -          "etc"
    -          (lib.mkIf config.swarselsystems.isImpermanence "specialfs")
    -        ];
           };
     
    +
    +    # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
    +    #   deps = [ "generateSSLCert-${serviceName}" "users" "groups" ];
    +    # };
    +    # system.activationScripts."generateSSLCert-${serviceName}" =
    +    #   let
    +    #     daysValid = 3650;
    +    #     renewBeforeDays = 365;
    +    #   in
    +    #   {
    +    #     text = ''
    +    #       set -eu
    +
    +    #       ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
    +    #       ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""}
    +    #       ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
    +    #       ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
    +
    +    #       need_gen=0
    +    #       if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then
    +    #         need_gen=1
    +    #       else
    +    #         enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)"
    +    #         end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
    +    #         now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
    +    #         seconds_left=$(( end_epoch - now_epoch ))
    +    #         days_left=$(( seconds_left / 86400 ))
    +    #         if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
    +    #           need_gen=1
    +    #         fi
    +    #       fi
    +
    +    #       if [ "$need_gen" -eq 1 ]; then
    +    #         ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
    +    #           -keyout "${keyPath}" \
    +    #           -out "${certPath}" \
    +    #           -subj "/CN=${serviceDomain}" \
    +    #           -addext "subjectAltName=DNS:${serviceDomain}"
    +
    +    #         chmod 0644 "${certPath}"
    +    #         chmod 0600 "${keyPath}"
    +    #         chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
    +    #       fi
    +    #     '';
    +    #     deps = [
    +    #       "etc"
    +    #       (lib.mkIf config.swarselsystems.isImpermanence "specialfs")
    +    #     ];
    +    #   };
    +
         services = {
           ${serviceName} = {
             package = pkgs.kanidmWithSecretProvisioning_1_7;
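Review bot: The roughly fifty added `#` lines are a commented-out copy of the activation script that this commit replaces, and they should be deleted rather than kept beside the live unit. The copy already diverges: it still tests `${certPathBase}`/`${keyPathBase}`, whereas the systemd script now tests `${certPath}`/`${keyPath}`, so a later reader cannot tell which check is authoritative for the key material. Version control keeps the old form. If the reason for the move matters, one line is enough, for example `# cert generation is a oneshot unit ordered after local-fs.target instead of an activation script` (reason inferred from the new `after`/`requires`; adjust to the real motivation).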
    @@ -11674,7 +12661,7 @@ in
           ${serviceName}.serviceConfig.RestartSec = "30";
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -11708,13 +12695,9 @@ in
     
    3.2.3.31. oauth2-proxy
    -
    { lib, config, globals, ... }:
    +
    { lib, config, globals, dns, confLib, ... }:
     let
    -  servicePort = 3004;
    -  serviceUser = "oauth2-proxy";
    -  serviceGroup = serviceUser;
    -  serviceName = "oauth2-proxy";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    +  inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       kanidmDomain = globals.services.kanidm.domain;
       mainDomain = globals.domains.main;
    @@ -11833,6 +12816,10 @@ in
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         sops = {
           secrets = {
             "oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    @@ -11854,7 +12841,10 @@ in
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    globals.services.oauth2Proxy.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services = {
           ${serviceName} = {
    @@ -11905,11 +12895,11 @@ in
           };
         };
     
    -    services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    -            "localhost:${builtins.toString servicePort}" = { };
    +            "${serviceAddress}:${builtins.toString servicePort}" = { };
               };
             };
           };
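Review bot: Moving the upstream from `localhost` to `${serviceAddress}` means oauth2-proxy must now accept connections on a routable address, and the hop from `nodes.${serviceProxy}` to this host carries session cookies and auth headers; the upstream scheme is not visible here, so confirm that this link is encrypted or runs over a trusted tunnel. The module's existing `networking.firewall.allowedTCPPorts = [ servicePort ];` (context of an earlier hunk) opens the port on every interface, which lets clients reach the backend without going through nginx. Scoping it to the interface facing the proxy, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ servicePort ];`, would close that path. The same `localhost` to `${serviceAddress}` change is made for microbin, shlink and slink further down, where no firewall rule is visible at all. The nginx block continues outside this hunk.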
    @@ -11940,14 +12930,9 @@ in
     
    3.2.3.32. Firefly-III
    -
    { self, lib, config, globals, ... }:
    +
    { self, lib, config, globals, dns, confLib, ... }:
     let
    -  servicePort = 80;
    -  serviceUser = "firefly-iii";
    -  serviceGroup = serviceUser;
    -  serviceName = "firefly-iii";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       nginxGroup = "nginx";
     
    @@ -11958,6 +12943,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         users = {
           groups.${serviceGroup} = { };
           users.${serviceUser} = {
    @@ -11978,7 +12967,11 @@ in
           info = "https://${serviceDomain}";
           icon = "${self}/files/topology-images/${serviceName}.png";
         };
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services = {
           ${serviceName} = {
    @@ -12020,7 +13013,7 @@ in
           };
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -12060,15 +13053,10 @@ in
     
    3.2.3.33. Koillection
    -
    { self, lib, config, globals, ... }:
    +
    { self, lib, config, globals, dns, confLib, ... }:
     let
    -  serviceUser = "koillection";
    +  inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
       serviceDB = "koillection";
    -  serviceName = "koillection";
    -  servicePort = 2282;
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceDir = "/Vault/data/koillection";
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
     
       postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
       postgresPort = config.services.postgresql.settings.port; # 5432
    @@ -12080,6 +13068,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
         sops.secrets = {
           koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
           koillection-env-file = { inherit sopsFile; };
    @@ -12090,7 +13082,11 @@ in
           info = "https://${serviceDomain}";
           icon = "${self}/files/topology-images/${serviceName}.png";
         };
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         virtualisation.oci-containers.containers = {
           koillection = {
    @@ -12166,7 +13162,7 @@ in
           };
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -12202,19 +13198,24 @@ in
     
    3.2.3.34. Atuin
    -
    { lib, config, globals, ... }:
    +
    { lib, config, globals, dns, confLib, ... }:
     let
    -  servicePort = 8888;
    -  serviceName = "atuin";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         topology.self.services.${serviceName}.info = "https://${serviceDomain}";
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = {
           enable = true;
    @@ -12224,7 +13225,7 @@ in
           openRegistration = false;
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -12260,23 +13261,21 @@ in
     
    3.2.3.35. Radicale
    -
    { self, lib, config, globals, ... }:
    +
    { self, lib, config, globals, dns, confLib, ... }:
     let
    +  inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
       sopsFile = self + /secrets/winters/secrets2.yaml;
     
    -  servicePort = 8000;
    -  serviceName = "radicale";
    -  serviceUser = "radicale";
    -  serviceGroup = serviceUser;
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    -
       cfg = config.services.${serviceName};
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         sops = {
           secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
     
    @@ -12297,7 +13296,11 @@ in
         };
     
         topology.self.services.${serviceName}.info = "https://${serviceDomain}";
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = {
           enable = true;
    @@ -12350,7 +13353,7 @@ in
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -12387,8 +13390,9 @@ in
     
    3.2.3.36. croc
    -
    { self, lib, config, pkgs, ... }:
    +
    { self, lib, config, pkgs, dns, globals, confLib, ... }:
     let
    +  inherit (confLib.gen { name = "croc"; }) serviceName serviceDomain proxyAddress4 proxyAddress6;
       servicePorts = [
         9009
         9010
    @@ -12396,8 +13400,6 @@ let
         9012
         9013
       ];
    -  serviceName = "croc";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
     
       inherit (config.swarselsystems) sopsFile;
     
    @@ -12407,6 +13409,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         sops = {
           secrets = {
             croc-password = { inherit sopsFile; };
    @@ -12428,7 +13434,10 @@ in
           icon = "${self}/files/topology-images/${serviceName}.png";
         };
     
    -    globals.services.${serviceName}.domain = serviceDomain;
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = {
           enable = true;
    @@ -12463,13 +13472,9 @@ in
     
    3.2.3.37. microbin
    -
    { self, lib, config, ... }:
    +
    { self, lib, config, dns, globals, confLib, ... }:
     let
    -  servicePort = 8777;
    -  serviceName = "microbin";
    -  serviceUser = "microbin";
    -  serviceGroup = serviceUser;
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    +  inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       inherit (config.swarselsystems) sopsFile;
     
    @@ -12479,6 +13484,10 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         users = {
           groups.${serviceGroup} = { };
     
    @@ -12514,7 +13523,11 @@ in
           info = "https://${serviceDomain}";
           icon = "${self}/files/topology-images/${serviceName}.png";
         };
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = {
           enable = true;
    @@ -12566,11 +13579,11 @@ in
           { directory = cfg.dataDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
         ];
     
    -    services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    -            "localhost:${builtins.toString servicePort}" = { };
    +            "${serviceAddress}:${builtins.toString servicePort}" = { };
               };
             };
           };
    @@ -12602,12 +13615,9 @@ in
     
    3.2.3.38. shlink
    -
    { self, lib, config, ... }:
    +
    { self, lib, config, dns, globals, confLib, ... }:
     let
    -  servicePort = 8081;
    -  serviceName = "shlink";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceDir = "/var/lib/shlink";
    +  inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink";}) servicePort serviceName serviceDomain serviceDir serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
     
    @@ -12619,6 +13629,10 @@ in
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         sops = {
           secrets = {
             shlink-api = { inherit sopsFile; };
    @@ -12684,13 +13698,17 @@ in
           info = "https://${serviceDomain}";
           icon = "${self}/files/topology-images/${serviceName}.png";
         };
    -    globals.services.${serviceName}.domain = serviceDomain;
     
    -    services.nginx = {
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
    +
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    -            "localhost:${builtins.toString servicePort}" = { };
    +            "${serviceAddress}:${builtins.toString servicePort}" = { };
               };
             };
           };
    @@ -12726,12 +13744,9 @@ Deployment notes:
     
     
     
    -
    { self, lib, config, ... }:
    +
    { self, lib, config, dns, globals, confLib, ... }:
     let
    -  servicePort = 3000;
    -  serviceName = "slink";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceDir = "/var/lib/slink";
    +  inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink";}) servicePort serviceName serviceDomain serviceDir serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
       containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9";
     in
    @@ -12741,6 +13756,10 @@ in
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         virtualisation.oci-containers.containers.${serviceName} = {
           image = "anirdev/slink@${containerRev}";
           environment = {
    @@ -12785,13 +13804,17 @@ in
           info = "https://${serviceDomain}";
           icon = "${self}/files/topology-images/shlink.png";
         };
    -    globals.services.${serviceName}.domain = serviceDomain;
     
    -    services.nginx = {
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
    +
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    -            "localhost:${builtins.toString servicePort}" = { };
    +            "${serviceAddress}:${builtins.toString servicePort}" = { };
               };
             };
           };
    @@ -12825,25 +13848,23 @@ in
     
    3.2.3.40. Snipe-IT
    -
    { self, lib, config, globals, ... }:
    +
    { self, lib, config, globals, dns, confLib, ... }:
     let
    +  inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
       sopsFile = self + /secrets/winters/secrets2.yaml;
     
       serviceDB = "snipeit";
     
    -  servicePort = 80;
    -  serviceName = "snipeit";
    -  serviceUser = "snipeit";
    -  serviceGroup = serviceUser;
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    -
       mysqlPort = 3306;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         sops = {
           secrets = {
             snipe-it-appkey = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    @@ -12851,7 +13872,11 @@ in
         };
     
         topology.self.services.${serviceName}.info = "https://${serviceDomain}";
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.snipe-it = {
           enable = true;
    @@ -12870,7 +13895,7 @@ in
           };
         };
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -12904,19 +13929,24 @@ in
     
    3.2.3.41. Homebox
    -
    { lib, pkgs, config, globals, ... }:
    +
    { lib, pkgs, config, globals, dns, confLib, ... }:
     let
    -  servicePort = 7745;
    -  serviceName = "homebox";
    -  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     in
     {
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
         topology.self.services.${serviceName}.info = "https://${serviceDomain}";
    -    globals.services.${serviceName}.domain = serviceDomain;
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
     
         services.${serviceName} = {
           enable = true;
    @@ -12932,7 +13962,7 @@ in
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    nodes.moonside.services.nginx = {
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -12962,15 +13992,13 @@ in
     
    -
    -
    3.2.3.42. OPKSSH
    -
    +
    +
    3.2.3.42. OPKSSH
    +
    -
    { lib, config, globals, ... }:
    +
    { lib, config, globals, confLib, ... }:
     let
    -  serviceName = "opkssh";
    -  serviceUser = "opksshuser";
    -  serviceGroup = serviceUser;
    +  inherit (confLib.gen { name = "opkssh"; user = "opksshuser"; group = "opksshuser"; }) serviceName serviceUser serviceGroup;
     
       kanidmDomain = globals.services.kanidm.domain;
     
    @@ -13008,92 +14036,885 @@ in
     
    -
    -
    3.2.3.43. Garage
    -
    +
    +
    3.2.3.43. Garage
    +
    +

    +Garage acts as my s3 endpoint. I use it on two of my servers: +

    + +

    Generate the admin token using openssl rand -base64 32. Generate the rpc token using openssl rand -hex 32.

    +

    +If a website is to be deployed using a s3 bucket, add the corresponding files in one of two ways: +

    + +

    +either 1) use vhost addressing: aws s3 cp <local file> s3://<path to file; no bucket identifier needed> --endpoint-url https://<bucket>.<garage domain> --region swarsel +

    + +

    +or 2) use classic path addressing aws s3 cp <local file> s3://<bucket>/<path to file> --endpoint-url https://<garage domain> --region swarsel +

    +
    -
    { self, lib, pkgs, config, configName, globals, ... }:
    +
    # inspired by https://github.com/atropos112/nixos/blob/7fef652006a1c939f4caf9c8a0cb0892d9cdfe21/modules/garage.nix
    +{ lib, pkgs, config, globals, dns, confLib, ... }:
     let
    -  sopsFile = self + /secrets/${configName}/secrets2.yaml;
    +  inherit (confLib.gen {
    +    name = "garage";
    +    port = 3900;
    +    domain = config.repo.secrets.common.services.domains."garage-${config.node.name}";
    +  }) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
     
    -  serviceName = "garage";
    -  servicePort = 3900;
    -  serviceDomain = config.repo.secrets.common.services.domains."${serviceName}-${configName}";
    -  serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
    +  cfg = lib.recursiveUpdate config.services.${serviceName} config.swarselsystems.server.${serviceName};
    +  inherit (config.swarselsystems) sopsFile mainUser;
     
    -  cfg = config.services.${serviceName};
    +  # needs SSD
       metadata_dir = "/var/lib/garage/meta";
    +  # metadata_dir = if config.swarselsystems.isCloud then "/var/lib/garage/meta" else "/Vault/data/garage/meta";
    +
    +  garageRpcPort = 3901;
    +  garageWebPort = 3902;
    +  garageAdminPort = 3903;
    +  garageK2VPort = 3904;
    +
    +  adminDomain = "${subDomain}admin.${baseDomain}";
    +  webDomain = "${subDomain}web.${baseDomain}";
     in
     {
       options = {
         swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
         swarselsystems.server.${serviceName} = {
    -      data_dir = lib.mkOption {
    -        type = lib.types.either lib.types.path (lib.types.listOf lib.types.attrs);
    -        default = "/var/lib/garage/data";
    +      data_dir = {
    +        path = lib.mkOption {
    +          type = lib.types.str;
    +          description = "Directory where Garage stores its metadata";
    +        };
    +        capacity = lib.mkOption {
    +          type = lib.types.str;
    +        };
    +      };
    +      buckets = lib.mkOption {
    +        type = lib.types.listOf lib.types.str;
    +        description = "List of buckets to create";
    +      };
    +      keys = lib.mkOption {
    +        type = lib.types.attrsOf (lib.types.listOf lib.types.str);
    +        default = { };
    +        description = "Keys and their associated buckets. Each key gets full access (read/write/owner) to its listed buckets.";
    +        example = {
    +          my_key_name = [ "bucket1" "bucket2" ];
    +          my_other_key = [ "bucket2" "bucket3" ];
    +        };
           };
         };
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +    assertions = [
    +      {
    +        assertion = config.swarselsystems.server.${serviceName}.buckets != [ ];
    +        message = "If Garage is enabled, at least one bucket must be specified in atro.garage.buckets";
    +      }
    +      {
    +        assertion = builtins.length (lib.attrsToList config.swarselsystems.server.${serviceName}.keys) > 0;
    +        message = "If Garage is enabled, at least one key must be specified in atro.garage.keys";
    +      }
    +      {
    +        assertion =
    +          let
    +            allKeyBuckets = lib.flatten (lib.attrValues config.swarselsystems.server.${serviceName}.keys);
    +            invalidBuckets = builtins.filter (bucket: !(lib.elem bucket config.swarselsystems.server.${serviceName}.buckets)) allKeyBuckets;
    +          in
    +          invalidBuckets == [ ];
    +        message = "All buckets referenced in keys must exist in the buckets list";
    +      }
    +    ];
    +
    +    swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
    +      "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +      "${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +      "${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +      "*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +      "*.${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
     
         sops = {
           secrets.garage-admin-token = { inherit sopsFile; };
           secrets.garage-rpc-secret = { inherit sopsFile; };
         };
     
    +    # DynamicUser cannot read above secrets
    +    systemd.services.${serviceName}.serviceConfig = {
    +      DynamicUser = false;
    +      ProtectHome = lib.mkForce false;
    +    };
    +
         environment = {
           persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
    -        { directory = metadata_dir; }
    +        { directory = "/var/lib/garage"; }
    +        (lib.mkIf config.swarselsystems.isCloud { directory = config.swarselsystems.server.${serviceName}.data_dir.path; })
           ];
           systemPackages = [
             cfg.package
           ];
         };
     
    -    systemd.services.${serviceName}.serviceConfig = {
    -      DynamicUser = false;
    -      ProtectHome = lib.mkForce false;
    +    globals.services.${specificServiceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
         };
     
    +
         services.${serviceName} = {
           enable = true;
           package = pkgs.garage_2;
           settings = {
    -        inherit (config.swarselsystems.${serviceName}) data_dir;
    +        data_dir = [ config.swarselsystems.server.${serviceName}.data_dir ];
             inherit metadata_dir;
             db_engine = "lmdb";
    -        block_size = "1MiB";
    +        block_size = "128M";
             use_local_tz = false;
    +        disable_scrub = true;
    +        replication_factor = 1;
    +        compression_level = "none";
     
    -        replication_factor = 2; # Number of copies of data
    +        rpc_bind_addr = "[::]:${builtins.toString garageRpcPort}";
    +        # we are not joining our nodes, just use the private ipv4
    +        rpc_public_addr = "${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}";
     
    -        rpc_bind_addr = "[::]:3901";
    -        rpc_public_addr = "${config.repo.secrets.local.ipv4}:4317";
             rpc_secret_file = config.sops.secrets.garage-rpc-secret.path;
     
             s3_api = {
    -          s3_region = "swarsel";
    -          api_bind_addr = "0.0.0.0:${builtins.toString servicePort}";
    -          root_domain = ".s3.garage.localhost";
    +          s3_region = mainUser;
    +          api_bind_addr = "[::]:${builtins.toString servicePort}";
    +          root_domain = ".${serviceDomain}";
    +        };
    +
    +        s3_web = {
    +          bind_addr = "[::]:${builtins.toString garageWebPort}";
    +          root_domain = ".${config.repo.secrets.common.services.domains."garage-web-${config.node.name}"}";
    +          add_host_to_metrics = true;
             };
     
             admin = {
    -          api_bind_addr = "0.0.0.0:3903";
    +          api_bind_addr = "[::]:${builtins.toString garageAdminPort}";
               admin_token_file = config.sops.secrets.garage-admin-token.path;
             };
     
             k2v_api = {
    -          api_bind_addr = "[::]:3904";
    +          api_bind_addr = "[::]:${builtins.toString garageK2VPort}";
             };
           };
         };
     
    -    nodes.moonside.services.nginx = {
    +
    +    systemd.services = {
    +      garage-buckets = {
    +        description = "Create Garage buckets";
    +        after = [ "garage.service" ];
    +        wants = [ "garage.service" ];
    +        wantedBy = [ "multi-user.target" ];
    +
    +        path = [ cfg.package pkgs.gawk pkgs.coreutils ];
    +
    +        serviceConfig = {
    +          Type = "oneshot";
    +          RemainAfterExit = true;
    +          User = "root";
    +          Group = "root";
    +        };
    +
    +        script = ''
    +          garage status
    +
    +          # Checking repeatedly with garage status until getting 0 exit code
    +          while ! garage status >/dev/null 2>&1; do
    +            echo "Garage not yet operational, waiting..."
    +            echo "Current garage status output:"
    +            garage status 2>&1 || true
    +            echo "---"
    +            sleep 5
    +          done
    +
    +          # Now we check if garage status shows any failed nodes by checking for ==== FAILED NODES ====
    +          while garage status | grep -q "==== FAILED NODES ===="; do
    +            echo "Garage has failed nodes, waiting..."
    +            echo "Current garage status output:"
    +            garage status 2>&1 || true
    +            echo "---"
    +            sleep 5
    +          done
    +
    +          echo "Garage is operational, proceeding with bucket management."
    +
    +          # Get list of existing buckets
    +          existing_buckets=$(garage bucket list | tail -n +2 | awk '{print $3}' | grep -v '^$' || true)
    +
    +          # Create buckets that should exist
    +          ${lib.concatMapStringsSep "\n" (bucket: ''
    +              if [[ "$(garage bucket info ${lib.escapeShellArg bucket} 2>&1 >/dev/null)" == *"Bucket not found"* ]]; then
    +                echo "Creating bucket ${lib.escapeShellArg bucket}"
    +                garage bucket create ${lib.escapeShellArg bucket}
    +              else
    +                echo "Bucket ${lib.escapeShellArg bucket} already exists"
    +              fi
    +            '')
    +            cfg.buckets}
    +
    +          # Remove buckets that shouldn't exist
    +          for bucket in $existing_buckets; do
    +            should_exist=false
    +            ${lib.concatMapStringsSep "\n" (bucket: ''
    +              if [[ "$bucket" == ${lib.escapeShellArg bucket} ]]; then
    +                should_exist=true
    +              fi
    +            '')
    +            cfg.buckets}
    +
    +            if [[ "$should_exist" == "false" ]]; then
    +              echo "Removing bucket $bucket"
    +              garage bucket delete --yes "$bucket"
    +            fi
    +          done
    +        '';
    +      };
    +
    +      garage-keys = {
    +        description = "Create Garage keys and set permissions";
    +        after = [ "garage-buckets.service" ];
    +        wants = [ "garage-buckets.service" ];
    +        requires = [ "garage-buckets.service" ];
    +        wantedBy = [ "multi-user.target" ];
    +
    +        path = [ cfg.package pkgs.gawk pkgs.coreutils ];
    +
    +        serviceConfig = {
    +          Type = "oneshot";
    +          RemainAfterExit = true;
    +          User = "root";
    +          Group = "root";
    +        };
    +
    +        script = ''
    +          garage key list
    +          echo "Managing keys..."
    +
    +          # Get list of existing keys
    +          existing_keys=$(garage key list | tail -n +2 | awk '{print $3}' | grep -v '^$' || true)
    +
    +          # Create keys that should exist
    +          ${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: _: ''
    +              if [[ "$(garage key info ${lib.escapeShellArg keyName} 2>&1)" == *"0 matching keys"* ]]; then
    +                echo "Creating key ${lib.escapeShellArg keyName}"
    +                garage key create ${lib.escapeShellArg keyName}
    +              else
    +                echo "Key ${lib.escapeShellArg keyName} already exists"
    +              fi
    +            '')
    +            cfg.keys)}
    +
    +          # Set up key permissions for buckets
    +          ${lib.concatStringsSep "\n" (lib.mapAttrsToList (
    +              keyName: buckets:
    +                lib.concatMapStringsSep "\n" (bucket: ''
    +                  echo "Granting full access to key ${lib.escapeShellArg keyName} for bucket ${lib.escapeShellArg bucket}"
    +                  garage bucket allow --read --write --owner --key ${lib.escapeShellArg keyName} ${lib.escapeShellArg bucket}
    +                '')
    +                buckets
    +            )
    +            cfg.keys)}
    +
    +          # Remove permissions from buckets that are no longer associated with keys
    +          ${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: buckets: ''
    +              # Get current buckets this key has access to
    +              current_buckets=$(garage key info ${lib.escapeShellArg keyName} | grep -A 1000 "==== BUCKETS FOR THIS KEY ====" | tail -n +3 | awk '{print $3}' | grep -v '^$' || true)
    +
    +              # Remove access from buckets not in the desired list
    +              for current_bucket in $current_buckets; do
    +                should_have_access=false
    +                ${lib.concatMapStringsSep "\n" (bucket: ''
    +                  if [[ "$current_bucket" == ${lib.escapeShellArg bucket} ]]; then
    +                    should_have_access=true
    +                  fi
    +                '')
    +                buckets}
    +
    +                if [[ "$should_have_access" == "false" ]]; then
    +                  echo "Removing access for key ${lib.escapeShellArg keyName} from bucket $current_bucket"
    +                  garage bucket deny --key ${lib.escapeShellArg keyName} $current_bucket
    +                fi
    +              done
    +            '')
    +            cfg.keys)}
    +
    +          # Remove keys that shouldn't exist
    +          for key in $existing_keys; do
    +            should_exist=false
    +            ${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: _: ''
    +              if [[ "$key" == ${lib.escapeShellArg keyName} ]]; then
    +                should_exist=true
    +              fi
    +            '')
    +            cfg.keys)}
    +
    +            if [[ "$should_exist" == "false" ]]; then
    +              echo "Removing key $key"
    +              garage key delete --yes "$key"
    +            fi
    +          done
    +        '';
    +      };
    +    };
    +
    +    security.acme.certs."${webDomain}" = {
    +      domain = "*.${webDomain}";
    +    };
    +
    +    nodes.${serviceProxy}.services.nginx = {
    +      upstreams = {
    +        ${serviceName} = {
    +          servers = {
    +            "${serviceAddress}:${builtins.toString servicePort}" = { };
    +          };
    +        };
    +        "${serviceName}Web" = {
    +          servers = {
    +            "${serviceAddress}:${builtins.toString garageWebPort}" = { };
    +          };
    +        };
    +        "${serviceName}Admin" = {
    +          servers = {
    +            "${serviceAddress}:${builtins.toString garageAdminPort}" = { };
    +          };
    +        };
    +      };
    +      virtualHosts = {
    +        "${adminDomain}" = {
    +          enableACME = true;
    +          forceSSL = true;
    +          acmeRoot = null;
    +          oauth2.enable = false;
    +          locations = {
    +            "/" = {
    +              proxyPass = "http://${serviceName}Admin";
    +            };
    +          };
    +        };
    +        "*.${webDomain}" = {
    +          useACMEHost = webDomain;
    +          forceSSL = true;
    +          acmeRoot = null;
    +          oauth2.enable = false;
    +          locations = {
    +            "/" = {
    +              proxyPass = "http://${serviceName}Web";
    +            };
    +          };
    +        };
    +        "${serviceDomain}" = {
    +          serverAliases = [ "*.${serviceDomain}" ];
    +          enableACME = true;
    +          forceSSL = true;
    +          acmeRoot = null;
    +          oauth2.enable = false;
    +          locations = {
    +            "/" = {
    +              proxyPass = "http://${serviceName}";
    +              extraConfig = ''
    +                client_max_body_size 0;
    +              '';
    +            };
    +          };
    +        };
    +      };
    +    };
    +
    +  };
    +}
    +
    +
    +
    +
    +
    +
    3.2.3.44. nsd (dns)
    +
    +
    +
    { inputs, lib, config, globals, dns, confLib, ... }:
    +let
    +  inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName;
    +  # servicePort = 53;
    +  # serviceDomain = config.repo.secrets.common.services.domains."${serviceName}";
    +  # serviceAddress = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
    +
    +in
    +{
    +  options = {
    +    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    +    swarselsystems.server.dns = lib.mkOption {
    +      type = lib.types.attrsOf (
    +        lib.types.submodule {
    +          options = {
    +            subdomainRecords = lib.mkOption {
    +              type = lib.types.attrsOf inputs.dns.subzone;
    +              default = { };
    +            };
    +          };
    +        }
    +      );
    +    };
    +  };
    +  config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +    services.nsd = {
    +      enable = true;
    +      zones = {
    +        "${globals.domains.main}" = {
    +          # provideXFR = [ ... ];
    +          # notify = [ ... ];
    +          data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns; });
    +        };
    +      };
    +    };
    +
    +  };
    +}
    +
    +
    +
    +
    +
    +
    3.2.3.45. nsd (dns) - site1
    +
    +
    +
    { config, globals, dns, ... }:
    +with dns.lib.combinators; {
    +  SOA = {
    +    nameServer = "soa";
    +    adminEmail = "admin@${globals.domains.main}";
    +    serial = 2025112101;
    +  };
    +
    +  useOrigin = false;
    +
    +  NS = [
    +    "soa.${globals.domains.name}."
    +    "ns1.he.net"
    +    "ns2.he.net"
    +    "ns3.he.net"
    +    "ns4.he.net"
    +    "ns5.he.net"
    +    "oxygen.ns.hetzner.com"
    +    "pola.ns.cloudflare.com"
    +  ];
    +
    +  A = [ "75.2.60.5" ];
    +
    +  SRV = [
    +    {
    +      service = "_matrix";
    +      proto = "_tcp";
    +      port = 443;
    +      target = "${globals.services.matrix.baseDomain}.${globals.domains.main}";
    +      priority = 10;
    +      wweight = 5;
    +    }
    +    {
    +      service = "_submissions";
    +      proto = "_tcp";
    +      port = 465;
    +      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    +      priority = 5;
    +      weight = 0;
    +      ttl = 3600;
    +    }
    +    {
    +      service = "_submission";
    +      proto = "_tcp";
    +      port = 587;
    +      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    +      priority = 5;
    +      weight = 0;
    +      ttl = 3600;
    +    }
    +    {
    +      service = "_imap";
    +      proto = "_tcp";
    +      port = 143;
    +      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    +      priority = 5;
    +      weight = 0;
    +      ttl = 3600;
    +    }
    +    {
    +      service = "_imaps";
    +      proto = "_tcp";
    +      port = 993;
    +      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    +      priority = 5;
    +      weight = 0;
    +      ttl = 3600;
    +    }
    +  ];
    +
    +  MX = [
    +    {
    +      preference = 10;
    +      exchange = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    +    }
    +  ];
    +
    +  CNAME = [
    +    {
    +      cname = "www.${glovals.domains.main}";
    +    }
    +  ];
    +
    +  DKIM = [
    +    {
    +    selector = "mail";
    +      k = "rsa";
    +      p = config.repo.secrets.local.dns.mailserver.dkim-public;
    +      ttl = 10800;
    +    }
    +  ];
    +
    +  DMARC = [
    +    {
    +      p = "none";
    +      ttl = 10800;
    +    }
    +  ];
    +
    +  TXT = [
    +    (with spf; strict [ "a:${globals.services.mailserver.baseDomain}.${globals.domains.main}" ])
    +    "google-site-verification=${config.repo.secrets.local.dns.google-site-verification}"
    +  ];
    +
    +  DMARC = [
    +    {
    +    selector = "mail";
    +      k = "rsa";
    +      p = "none";
    +      ttl = 10800;
    +    }
    +  ];
    +
    +  subdomains = config.swarselsystems.server.dns.${globals.domain.main}.subdomainRecords // {
    +    "minecraft" = host "130.61.119.12" null;
    +  };
    +}
    +
    +
    +
    +
    +
    +
    3.2.3.46. Minecraft
    +
    +
    +
    { lib, config, pkgs, globals, dns, confLib, ... }:
    +let
    +  inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6;
    +  inherit (config.swarselsystems) mainUser;
    +  worldName = "${mainUser}craft";
    +in
    +{
    +  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    +  config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
    +    topology.self.services.${serviceName}.info = "https://${serviceDomain}";
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
    +
    +    networking.firewall.allowedTCPPorts = [ servicePort ];
    +
    +    environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
    +      { directory = serviceDir; mode = "0755"; }
    +    ];
    +
    +    systemd.services.minecraft-swarselcraft = {
    +      description = "Minecraft Server";
    +      wants = [ "network-online.target" ];
    +      after = [ "network-online.target" ];
    +
    +      serviceConfig = {
    +        User = "root";
    +        WorkingDirectory = "${serviceDir}/${worldName}";
    +
    +        ExecStart = "${lib.getExe pkgs.temurin-jre-bin-17} @user_jvm_args.txt @libraries/net/minecraftforge/forge/1.20.1-47.2.20/unix_args.txt nogui";
    +
    +        Restart = "always";
    +        RestartSec = 30;
    +        StandardInput = "null";
    +      };
    +
    +      wantedBy = [ "multi-user.target" ];
    +    };
    +
    +
    +  };
    +
    +}
    +
    +
    +
    +
    +
    +
    3.2.3.47. Mailserver
    +
    +
    +
    { lib, config, globals, dns, confLib, ... }:
    +let
    +  inherit (config.swarselsystems) sopsFile;
    +  inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceDomain serviceProxy proxyAddress4 proxyAddress6;
    +  inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 user3;
    +  baseDomain = globals.domains.main;
    +in
    +{
    +  options = {
    +    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    +  };
    +  config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
    +
    +    sops.secrets = {
    +      user1-hashed-pw = { inherit sopsFile; owner = serviceUser; };
    +      user2-hashed-pw = { inherit sopsFile; owner = serviceUser; };
    +      user3-hashed-pw = { inherit sopsFile; owner = serviceUser; };
    +    };
    +
    +    environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
    +      { directory = "/var/vmail"; user = serviceUser; group = serviceGroup; mode = "0770"; }
    +      { directory = "/var/sieve"; user = serviceUser; group = serviceGroup; mode = "0770"; }
    +      { directory = "/var/dkim"; user = "rspamd"; group = "rspamd"; mode = "0700"; }
    +      { directory = serviceDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
    +      { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
    +      { directory = "/var/lib/rspamd"; user = "rspamd"; group = "rspamd"; mode = "0700"; }
    +      { directory = "/var/lib/roundcube"; user = "roundcube"; group = "roundcube"; mode = "0700"; }
    +      { directory = "/var/lib/redis-rspamd"; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; }
    +      { directory = "/var/lib/postfix"; user = "root"; group = "root"; mode = "0755"; }
    +      { directory = "/var/lib/knot-resolver"; user = "knot-resolver"; group = "knot-resolver"; mode = "0770"; }
    +    ];
    +
    +    mailserver = {
    +      enable = true;
    +      stateVersion = 3;
    +      fqdn = serviceDomain;
    +      domains = [ baseDomain ];
    +      indexDir = "${serviceDir}/indices";
    +      openFirewall = true;
    +      certificateScheme = "acme";
    +      dmarcReporting.enable = true;
    +
    +      loginAccounts = {
    +        "${user1}@${baseDomain}" = {
    +          hashedPasswordFile = config.sops.secrets.user1-hashed-pw.path;
    +          aliases = [
    +            "${alias1_1}@${baseDomain}"
    +            "${alias1_2}@${baseDomain}"
    +            "${alias1_3}@${baseDomain}"
    +            "${alias1_4}@${baseDomain}"
    +          ];
    +        };
    +        "${user2}@${baseDomain}" = {
    +          hashedPasswordFile = config.sops.secrets.user2-hashed-pw.path;
    +          aliases = [
    +            "${alias2_1}@${baseDomain}"
    +          ];
    +          sendOnly = true;
    +        };
    +        "${user3}@${baseDomain}" = {
    +          hashedPasswordFile = config.sops.secrets.user3-hashed-pw.path;
    +          aliases = [
    +            "@${baseDomain}"
    +          ];
    +          catchAll = [
    +            baseDomain
    +          ];
    +        };
    +      };
    +    };
    +
    +    services.roundcube = {
    +      enable = true;
    +      # this is the url of the vhost, not necessarily the same as the fqdn of
    +      # the mailserver
    +      hostName = serviceDomain;
    +      extraConfig = ''
    +        $config['imap_host'] = "ssl://${config.mailserver.fqdn}";
    +        $config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
    +        $config['smtp_user'] = "%u";
    +        $config['smtp_pass'] = "%p";
    +      '';
    +      configureNginx = true;
    +    };
    +
    +    # the rest of the ports are managed by snm
    +    networking.firewall.allowedTCPPorts = [ 80 servicePort ];
    +
    +    nodes.${serviceProxy}.services.nginx = {
    +      virtualHosts = {
    +        "${serviceDomain}" = {
    +          enableACME = true;
    +          forceSSL = true;
    +          acmeRoot = null;
    +          locations = {
    +            "/".recommendedSecurityHeaders = false;
    +            "~ ^/(SQL|bin|config|logs|temp|vendor)/".recommendedSecurityHeaders = false;
    +            "~ ^/(CHANGELOG.md|INSTALL|LICENSE|README.md|SECURITY.md|UPGRADING|composer.json|composer.lock)".recommendedSecurityHeaders = false;
    +            "~* \\.php(/|$)".recommendedSecurityHeaders = false;
    +          };
    +        };
    +      };
    +    };
    +
    +  };
    +}
    +
    +
    +
    +
    +
    +
    3.2.3.48. Attic (nix binary cache)
    +
    +

    +Generate the attic server token using openssl genrsa -traditional 4096 | base64 -w0 +

    + +

    +$ attic login local http://localhost:8080 eyJ…
    +✍️ Configuring server "local"
    +

    + +

    +$ attic cache create hello
    +✨ Created cache "hello" on "local"
    +

    + +
    +
    { lib, config, globals, dns, confLib, ... }:
    +let
    +  inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6;
    +  inherit (config.swarselsystems) mainUser isPublic sopsFile;
    +  serviceDB = "atticd";
    +in
    +{
    +  options = {
    +    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    +  };
    +  config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +
    +    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
    +    globals.services.${serviceName} = {
    +      domain = serviceDomain;
    +      inherit proxyAddress4 proxyAddress6;
    +    };
    +
    +    sops = lib.mkIf (!isPublic) {
    +      secrets = {
    +        attic-server-token = { inherit sopsFile; };
    +        attic-garage-access-key = { inherit sopsFile; };
    +        attic-garage-secret-key = { inherit sopsFile; };
    +      };
    +      templates = {
    +        "attic.env" = {
    +          content = ''
    +            ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.sops.placeholder.attic-server-token}
    +            AWS_ACCESS_KEY_ID=${config.sops.placeholder.attic-garage-access-key}
    +            AWS_SECRET_ACCESS_KEY=${config.sops.placeholder.attic-garage-secret-key}
    +          '';
    +        };
    +      };
    +    };
    +
    +    services.atticd = {
    +      enable = true;
    +      environmentFile = config.sops.templates."attic.env".path;
    +      settings = {
    +        listen = "[::]:${builtins.toString servicePort}";
    +        api-endpoint = "https://${serviceDomain}/";
    +        allowed-hosts = [
    +          serviceDomain
    +        ];
    +        require-proof-of-possession = false;
    +        compression = {
    +          type = "zstd";
    +          level = 3;
    +        };
    +        database.url = "postgresql:///atticd?host=/run/postgresql";
    +
    +        storage =
    +          if config.swarselmodules.server.garage then {
    +            type = "s3";
    +            region = mainUser;
    +            bucket = serviceName;
    +            # attic must be patched to never serve pre-signed s3 urls directly
    +            # otherwise it will redirect clients to this localhost endpoint
    +            endpoint = "http://127.0.0.1:3900";
    +          } else {
    +            type = "local";
    +            path = serviceDir;
    +            # attic must be patched to never serve pre-signed s3 urls directly
    +            # otherwise it will redirect clients to this localhost endpoint
    +          };
    +
    +        garbage-collection = {
    +          interval = "1 day";
    +          default-retention-period = "3 months";
    +        };
    +
    +        chunking = {
    +          nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # 64 KiB
    +
    +          min-size = 16 * 1024; # 16 KiB
    +          avg-size = 64 * 1024; # 64 KiB
    +          max-size = 256 * 1024; # 256 KiBize = 262144;
    +        };
    +      };
    +    };
    +
    +    services.postgresql = {
    +      enable = true;
    +      enableTCPIP = true;
    +      ensureDatabases = [ serviceDB ];
    +      ensureUsers = [
    +        {
    +          name = serviceDB;
    +          ensureDBOwnership = true;
    +        }
    +      ];
    +    };
    +
    +    systemd.services.atticd = lib.mkIf config.swarselmodules.server.garage {
    +      requires = [ "garage.service" ];
    +      after = [ "garage.service" ];
    +    };
    +
    +    nodes.${serviceProxy}.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -13110,6 +14931,9 @@ in
               locations = {
                 "/" = {
                   proxyPass = "http://${serviceName}";
    +              extraConfig = ''
    +                client_max_body_size 0;
    +              '';
                 };
               };
             };
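Review bot: `client_max_body_size 0;` on the `/` location removes nginx's request-body limit entirely, so any client that can reach this vhost can stream an arbitrarily large upload through the proxy to the upstream. If only large pushes from authenticated clients need the headroom, a finite ceiling such as `client_max_body_size 4G;` (constructed value; size it to the largest expected object) keeps a bound in place. A one-line comment such as `# uploads can exceed the nginx default; limit lifted deliberately` would also record why the default was changed. The enclosing virtualHost starts outside this hunk, so which service and which access controls apply is not visible here.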
    @@ -13744,9 +15568,9 @@ in
     
    -
    -
    3.2.5.11. microvm-host
    -
    +
    +
    3.2.5.11. microvm-host
    +

    Some standard options that should be set for every microvm host.

    @@ -13772,9 +15596,9 @@ Some standard options that should be set for every microvm host.
    -
    -
    3.2.5.12. microvm-guest
    -
    +
    +
    3.2.5.12. microvm-guest
    +

    Some standard options that should be set vor every microvm guest. We set the default

    @@ -13818,9 +15642,9 @@ in
    -
    -

    3.3.1. Steps to setup/upgrade home-manager only

    -
    +
    +

    3.3.1. Steps to setup/upgrade home-manager only

    +

    Steps to get a home-manager only setup up and running:

    @@ -13903,16 +15727,17 @@ in
    -
    3.3.2.3. General home-manager-settings
    +
    3.3.2.3. General home-manager-settings (nix)

    Again, we adapt nix to our needs, enable the home-manager command for non-NixOS machines (NixOS machines are using it as a module) and setting user information that I always keep the same.

    -
    { self, outputs, lib, pkgs, config, ... }:
    +
    { self, outputs, lib, pkgs, config, globals, confLib, ... }:
     let
       inherit (config.swarselsystems) mainUser flakePath isNixos isLinux;
    +  inherit (confLib.getConfig.repo.secrets.common) atticPublicKey;
     in
     {
       options.swarselmodules.general = lib.mkEnableOption "general nix settings";
    @@ -13934,7 +15759,7 @@ in
                 };
               in
               ''
    -                  plugin-files = ${nix-plugins}/lib/nix/plugins
    +            plugin-files = ${nix-plugins}/lib/nix/plugins
                 extra-builtins-file = ${self + /nix/extra-builtins.nix}
               '';
             settings = {
    @@ -13945,6 +15770,12 @@ in
                 "cgroups"
                 "pipe-operators"
               ];
    +          substituters = [
    +            "https://${globals.services.attic.domain}/${mainUser}"
    +          ];
    +          trusted-public-keys = [
    +            atticPublicKey
    +          ];
               trusted-users = [ "@wheel" "${mainUser}" ];
               connect-timeout = 5;
               bash-prompt-prefix = "$SHLVL:\\w ";
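Review bot: Assigning `substituters` and `trusted-public-keys` replaces those lists rather than extending them. If this is written to the user-level nix.conf unchanged, the default cache and its key presumably drop out, leaving the self-hosted cache's key as the only trust root for substituted store paths. The additive forms `extra-substituters = [ "https://${globals.services.attic.domain}/${mainUser}" ];` and `extra-trusted-public-keys = [ atticPublicKey ];` keep the defaults alongside the new cache. Because `trusted-users` on the following line already includes the main user, a short comment stating that `atticPublicKey` is the signing key of exactly this cache would make the trust decision easier to audit. The `settings` block begins outside the hunk.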
    @@ -14119,6 +15950,9 @@ This holds packages that I can use as provided, or with small modifications (as
           # ssh login using idm
           opkssh
     
    +      # cache
    +      attic-client
    +
           # dict
           (aspellWithDicts (dicts: with dicts; [ de en en-computers en-science ]))
     
    @@ -14154,7 +15988,6 @@ This holds packages that I can use as provided, or with small modifications (as
           nix-inspect
           nixpkgs-review
           manix
    -      comma
     
           # shellscripts
           shfmt
    @@ -14364,8 +16197,8 @@ in
         options.swarselmodules.sops = lib.mkEnableOption "sops settings";
         config = lib.optionalAttrs (inputs ? sops)  {
           sops = {
    -        age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${homeDir}/.ssh/ssh_host_ed25519_key" ];
    -        defaultSopsFile = "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
    +        age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ];
    +        defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml";
     
             validateSopsFiles = false;
           };
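Review bot: The prefix `${if config.swarselsystems.isImpermanence then "/persist" else ""}` is spelled out twice in this hunk and again in the `sopsFile` default (`@@ -20606,7 +22504,7 @@`), so the three secret paths can drift apart on the next edit. Binding it once reads better and keeps them aligned, e.g. `persistPrefix = lib.optionalString config.swarselsystems.isImpermanence "/persist";` and then `"${persistPrefix}${homeDir}/.ssh/ssh_host_ed25519_key"`. Only the host key gets the prefix while `${homeDir}/.ssh/sops` does not; if that is deliberate, a short comment such as `# sops key lives in the persisted home, host key only under /persist` would say so. With `validateSopsFiles = false` a wrong path is only noticed at activation time.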
    @@ -14679,6 +16512,7 @@ in
         } // (lib.optionalAttrs (!isPublic) { });
         systemd.user.sessionVariables = {
           DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private";
    +      FLAKE = "${config.home.homeDirectory}/.dotfiles";
         } // lib.optionalAttrs (!isPublic) {
           SWARSEL_MAIL1 = address1;
           SWARSEL_MAIL2 = address2;
    @@ -14809,7 +16643,7 @@ This section is for programs that require no further configuration. zsh Integrat
     
    3.3.2.14. nix-index

    -nix-index provides a way to find out which packages are provided by which derivations. By default it also comes with a replacement for command-not-found.sh, however, the implementation is based on a channel based setup. I like consistency, so I replace the command with one that provides a flakes-based output.
    +nix-index provides a way to find out which packages are provided by which derivations. By default it also comes with a replacement for command-not-found.sh, however, the implementation is based on a channel based setup. I like consistency, so I replace the command with one that provides a flakes-based output. This also uses the nix-index-with-full-db from the nix-index-database input thanks to its overlay.

    @@ -14829,21 +16663,23 @@ nix-index provides a way to find out which packages are provided by which deriva in { + enable = true; package = pkgs.symlinkJoin { name = "nix-index"; paths = [ commandNotFound ]; }; }; + programs.nix-index-database.comma.enable = true; }; }
    -
    -
    3.3.2.15. nix-your-shell
    -
    +
    +
    3.3.2.15. nix-your-shell
    +
    { lib, config, ... }:
     let
    @@ -14951,6 +16787,7 @@ in
         programs.atuin = {
           enable = true;
           enableZshIntegration = true;
    +      enableBashIntegration = true;
           settings = {
             auto_sync = true;
             sync_frequency = "5m";
    @@ -15350,7 +17187,10 @@ in
             };
             history = {
               expireDuplicatesFirst = true;
    -          path = "$HOME/.histfile";
    +          append = true;
    +          ignoreSpace = true;
    +          ignoreDups = true;
    +          path = "${config.home.homeDirectory}/.histfile";
               save = 100000;
               size = 100000;
             };
    @@ -15426,12 +17266,40 @@ in
     
    -
    -
    3.3.2.25. zellij
    -
    +
    +
    3.3.2.25. bash
    +
    +
    +
    { config, lib, ... }:
    +{
    +  options.swarselmodules.bash = lib.mkEnableOption "bash settings";
    +  config = lib.mkIf config.swarselmodules.bash {
    +
    +    programs.bash = {
    +      enable = true;
    +      # needed for remote builders
    +      bashrcExtra = lib.mkIf (!config.swarselsystems.isNixos) ''
    +        export PATH="/nix/var/nix/profiles/default/bin:$PATH"
    +      '';
    +      historyFile = "${config.home.homeDirectory}/.histfile";
    +      historySize = 100000;
    +      historyFileSize = 100000;
    +      historyControl = [
    +        "ignoreboth"
    +      ];
    +    };
    +  };
    +}
    +
    +
    +
    +
    +
    +
    3.3.2.26. zellij
    +
    -
    3.3.2.25.1. Main config
    +
    3.3.2.26.1. Main config
    { self, lib, config, pkgs, ... }:
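Review bot: `historyFile` in the new bash module points at `${config.home.homeDirectory}/.histfile`, the same file the history hunk above (`@@ -15350,7 +17187,10 @@`) now sets as `path`. If that block belongs to the zsh module, as its option names suggest, two shells with different history formats and trimming rules append to one file, and entries can be mangled or dropped. Give bash its own file, for example `historyFile = "${config.home.homeDirectory}/.bash_histfile";` (name is only an illustration), or add a comment that the sharing is intended. The `# needed for remote builders` comment could also state that the PATH entry is only prepended on non-NixOS hosts.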
    @@ -15495,9 +17363,9 @@ in
     
    -
    -
    3.3.2.25.2. Keybinds
    -
    +
    +
    3.3.2.26.2. Keybinds
    +
    { lib, config, ... }:
     {
    @@ -16649,7 +18517,7 @@ in
     
    -
    3.3.2.26. tmux
    +
    3.3.2.27. tmux
    { lib, config, pkgs, ... }:
    @@ -16758,16 +18626,16 @@ in
     
    -
    3.3.2.27. Mail
    +
    3.3.2.28. Mail

    Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here.

    -
    { lib, config, inputs, nixosConfig ? config, ... }:
    +
    { lib, config, inputs, globals, nixosConfig ? config, ... }:
     let
    -  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host;
    +  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
       inherit (nixosConfig.repo.secrets.common) fullName;
       inherit (config.swarselsystems) xdgDir;
     in
    @@ -16890,24 +18758,43 @@ in
                 maildirBasePath = "Mail";
                 accounts = {
                   swarsel = {
    +                imap = {
    +                  host = globals.services.mailserver.domain;
    +                  port = 993;
    +                  tls.enable = true; # SSL/TLS
    +                };
    +                smtp = {
    +                  host = globals.services.mailserver.domain;
    +                  port = 465;
    +                  tls.enable = true; # SSL/TLS
    +                };
    +                thunderbird = {
    +                  enable = true;
    +                  profiles = [ "default" ];
    +                };
                     address = address4;
    -                userName = address4-user;
    +                userName = address4;
                     realName = fullName;
                     passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}";
    -                smtp = {
    -                  host = address4-host;
    -                  port = 587;
    -                  tls = {
    -                    enable = true;
    -                    useStartTls = true;
    -                  };
    -                };
    -                mu.enable = false;
    +                mu.enable = true;
                     msmtp = {
                       enable = true;
                     };
                     mbsync = {
    -                  enable = false;
    +                  enable = true;
    +                  create = "maildir";
    +                  expunge = "both";
    +                  patterns = [ "*" ];
    +                  extraConfig = {
    +                    channel = {
    +                      Sync = "All";
    +                    };
    +                    account = {
    +                      Timeout = 120;
    +                      PipelineDepth = 1;
    +                      AuthMechs = "LOGIN";
    +                    };
    +                  };
                     };
                   };
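Review bot: `AuthMechs = "LOGIN"` in the mbsync `account` block pins a mechanism that sends the password unmodified, so its confidentiality rests entirely on `tls.enable = true` on port 993. The reason for pinning it is not recorded; a comment such as `# server only offers LOGIN; password is protected by implicit TLS only` would stop someone from later relaxing the TLS setting without noticing. `expunge = "both"` together with `Sync = "All"` propagates deletions in both directions, so a local mistake also removes mail on the server, which deserves a one-line comment if intended. The `accounts` set continues outside the hunk.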
     
    @@ -16962,7 +18849,7 @@ in
     
    -
    3.3.2.28. Home-manager: Emacs
    +
    3.3.2.29. Home-manager: Emacs

    By using the emacs-overlay NixOS module, I can install all Emacs packages that I want to use right through NixOS. This is done by passing my init.el file to the configuration which will then be parsed upon system rebuild, looking for use-package sections in the Elisp code. Also I define here the style of Emacs that I want to run - I am going with native Wayland Emacs here (emacs-pgtk). All of the nice options such as tree-sitter support are enabled by default, so I do not need to adjust the build process. @@ -17084,12 +18971,14 @@ in secrets = { fever-pw = { path = "${homeDir}/.emacs.d/.fever"; }; emacs-radicale-pw = { }; + github-forge-token = { }; }; templates = { authinfo = { path = "${homeDir}/.emacs.d/.authinfo"; content = '' machine ${globals.services.radicale.domain} login ${radicaleUser} password ${config.sops.placeholder.emacs-radicale-pw} + machine api.github.com login ${mainUser}^forge password ${config.sops.placeholder.github-forge-token} ''; }; }; @@ -17102,7 +18991,7 @@ in
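Review bot: The added authinfo line builds the GitHub login as `${mainUser}^forge`, which assumes the GitHub account name equals the local user name; where they differ the entry is never matched. A comment stating that assumption, or a dedicated variable for the GitHub name, would make it visible. Once the template is rendered, the token sits in `${homeDir}/.emacs.d/.authinfo` beside the radicale password, so `github-forge-token` should be limited to what forge needs and that should be documented next to the secret, e.g. `# forge API token, scopes: <scopes>`. The file mode of the rendered template is not set in the visible lines; confirm it is readable by the owner only.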

    -
    3.3.2.29. Waybar
    +
    3.3.2.30. Waybar

    Again I am just using the first bar option here that I was able to find good understandable documentation for. Of note is that the `cpu` section's `format` is not defined here, but in section 1 (since not every machine has the same number of cores) @@ -17458,7 +19347,7 @@ in

    -
    3.3.2.30. Firefox
    +
    3.3.2.31. Firefox

    Setting up firefox along with some policies that are important to me (mostly disabling telemetry related stuff as well as Pocket). I also enable some integrations that enable super useful packages, namely tridactyl and browserpass. @@ -17637,14 +19526,14 @@ I used to build the firefox addon bypass-paywalls-clean myself here

    -
    3.3.2.31. Services
    +
    3.3.2.32. Services

    Services that can be defined through home-manager should be defined here.

    -
    3.3.2.31.1. gnome-keyring
    +
    3.3.2.32.1. gnome-keyring

    Used for storing sessions in e.g. Nextcloud @@ -17665,7 +19554,7 @@ Used for storing sessions in e.g. Nextcloud

    -
    3.3.2.31.2. KDE Connect
    +
    3.3.2.32.2. KDE Connect

    This enables phone/computer communication, including sending clipboard, files etc. Sadly on Wayland many of the features are broken (like remote control). @@ -17688,7 +19577,7 @@ This enables phone/computer communication, including sending clipboard, files et

    -
    3.3.2.31.3. Mako
    +
    3.3.2.32.3. Mako

    Desktop notifications! @@ -17742,7 +19631,7 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi

    -
    3.3.2.31.4. SwayOSD
    +
    3.3.2.32.4. SwayOSD
    { lib, pkgs, config, ... }:
    @@ -17761,7 +19650,7 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    -
    3.3.2.31.5. yubikey-touch-detector
    +
    3.3.2.32.5. yubikey-touch-detector
    { lib, config, pkgs, ... }:
    @@ -17800,9 +19689,9 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    -
    -
    3.3.2.31.6. blueman-applet
    -
    +
    +
    3.3.2.32.6. blueman-applet
    +
    { lib, config, ... }:
     {
    @@ -17815,9 +19704,9 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    -
    -
    3.3.2.31.7. network-manager-applet
    -
    +
    +
    3.3.2.32.7. network-manager-applet
    +
    { lib, config, ... }:
     {
    @@ -17831,9 +19720,9 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    -
    -
    3.3.2.31.8. obsidian service for tray
    -
    +
    +
    3.3.2.32.8. obsidian service for tray
    +
    { lib, config, ... }:
     {
    @@ -17866,9 +19755,9 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    -
    -
    3.3.2.31.9. anki service for tray
    -
    +
    +
    3.3.2.32.9. anki service for tray
    +

    Sets up a systemd user service for anki that does not stall the shutdown process. Note that the outcommented ExecStart does not work because the home-manager anki package builds a separate anki package that - I think - cannot be referenced as no such expression exists in the module.

    @@ -17914,9 +19803,9 @@ Sets up a systemd user service for anki that does not stall the shutdown process
    -
    -
    3.3.2.31.10. element service for tray
    -
    +
    +
    3.3.2.32.10. element service for tray
    +
    { lib, config, pkgs, ... }:
     {
    @@ -17949,9 +19838,9 @@ Sets up a systemd user service for anki that does not stall the shutdown process
     
    -
    -
    3.3.2.31.11. vesktop service for tray
    -
    +
    +
    3.3.2.32.11. vesktop service for tray
    +
    { lib, config, pkgs, ... }:
     {
    @@ -17984,9 +19873,9 @@ Sets up a systemd user service for anki that does not stall the shutdown process
     
    -
    -
    3.3.2.31.12. syncthing service for tray
    -
    +
    +
    3.3.2.32.12. syncthing service for tray
    +
    { lib, config, pkgs, ... }:
     {
    @@ -18114,7 +20003,7 @@ Sets up a systemd user service for anki that does not stall the shutdown process
     
    -
    3.3.2.32. Sway
    +
    3.3.2.33. Sway

    I am currently using SwayFX, which adds some nice effects to sway, like rounded corners and hiding the separator between title and content of a window. @@ -18558,7 +20447,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se

    -
    3.3.2.33. Niri
    +
    3.3.2.34. Niri
    { config, pkgs, lib, vars, ... }:
    @@ -18778,7 +20667,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se
     
    -
    3.3.2.34. Kanshi
    +
    3.3.2.35. Kanshi
    { self, lib, pkgs, config, ... }:
    @@ -18888,7 +20777,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se
     
    -
    3.3.2.35. gpg-agent
    +
    3.3.2.36. gpg-agent

    Settings that are needed for the gpg-agent. Also we are enabling emacs support for unlocking my Yubikey here. @@ -18972,7 +20861,7 @@ in

    -
    3.3.2.36. gammastep
    +
    3.3.2.37. gammastep

    This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. @@ -18998,7 +20887,7 @@ in

    -
    3.3.2.37. Spicetify
    +
    3.3.2.38. Spicetify
    { inputs, lib, config, pkgs, ... }:
    @@ -19028,9 +20917,9 @@ in
     
    -
    -
    3.3.2.38. Obsidian
    -
    +
    +
    3.3.2.39. Obsidian
    +
    { lib, config, pkgs, nixosConfig ? config, ... }:
     let
    @@ -19189,9 +21078,9 @@ in
     
    -
    -
    3.3.2.39. Anki
    -
    +
    +
    3.3.2.40. Anki
    +
    { lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }:
     let
    @@ -19263,9 +21152,9 @@ in
     
    -
    -
    3.3.2.40. Element-desktop
    -
    +
    +
    3.3.2.41. Element-desktop
    +
    { lib, config, ... }:
     let
    @@ -19300,9 +21189,9 @@ in
     
    -
    -
    3.3.2.41. Hexchat
    -
    +
    +
    3.3.2.42. Hexchat
    +
    { lib, config, nixosConfig ? config, ... }:
     let
    @@ -19325,9 +21214,9 @@ in
     
    -
    -
    3.3.2.42. obs-studio
    -
    +
    +
    3.3.2.43. obs-studio
    +
    { lib, config, ... }:
     let
    @@ -19346,9 +21235,9 @@ in
     
    -
    -
    3.3.2.43. spotify-player
    -
    +
    +
    3.3.2.44. spotify-player
    +
    { lib, config, ... }:
     let
    @@ -19367,9 +21256,9 @@ in
     
    -
    -
    3.3.2.44. vesktop
    -
    +
    +
    3.3.2.45. vesktop
    +
    { lib, pkgs, config, ... }:
     let
    @@ -19455,9 +21344,9 @@ in
     
    -
    -
    3.3.2.45. batsignal
    -
    +
    +
    3.3.2.46. batsignal
    +
    { lib, config, ... }:
     let
    @@ -19488,9 +21377,9 @@ in
     
    -
    -
    3.3.2.46. autotiling
    -
    +
    +
    3.3.2.47. autotiling
    +
    { lib, config, ... }:
     let
    @@ -19510,9 +21399,9 @@ in
     
    -
    -
    3.3.2.47. swayidle
    -
    +
    +
    3.3.2.48. swayidle
    +
    { lib, config, pkgs, ... }:
     let
    @@ -19552,9 +21441,9 @@ in
     
    -
    -
    3.3.2.48. swaylock
    -
    +
    +
    3.3.2.49. swaylock
    +
    { lib, config, pkgs, ... }:
     let
    @@ -19581,9 +21470,9 @@ in
     
    -
    -
    3.3.2.49. opkssh
    -
    +
    +
    3.3.2.50. opkssh
    +
    { lib, config, ... }:
     let
    @@ -19845,6 +21734,7 @@ in
               # openstackclient
     
               vscode
    +          dev.antigravity
     
               rustdesk-vbc
             ];
    @@ -20573,6 +22463,14 @@ TODO: check which of these can be replaced but builtin functions.
     
    { self, config, lib, ... }:
     {
       options.swarselsystems = {
    +    proxyHost = lib.mkOption {
    +      type = lib.types.str;
    +      default = "";
    +    };
    +    isCloud = lib.mkOption {
    +      type = lib.types.bool;
    +      default = false;
    +    };
         withHomeManager = lib.mkOption {
           type = lib.types.bool;
           default = true;
    @@ -20606,7 +22504,7 @@ TODO: check which of these can be replaced but builtin functions.
         isBtrfs = lib.mkEnableOption "use btrfs filesystem";
         sopsFile = lib.mkOption {
           type = lib.types.str;
    -      default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
    +      default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
         };
         homeDir = lib.mkOption {
           type = lib.types.str;
    @@ -20907,8 +22805,46 @@ In short, the options defined here are passed to the modules systems using 
     
    +
    +

    3.4.3. Config Library (confLib)

    +
    +
    +
    { config, lib, globals, ... }:
    +{
    +  _module.args = {
    +    confLib = rec {
    +
    +      addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4 else "localhost";
    +
    +      domainDefault = service: config.repo.secrets.common.services.domains.${service};
    +      proxyDefault = config.swarselsystems.proxyHost;
    +
    +      getConfig = config;
    +
    +      gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec {
    +        servicePort = port;
    +        serviceName = name;
    +        specificServiceName = "${name}-${config.node.name}";
    +        serviceUser = user;
    +        serviceGroup = group;
    +        serviceDomain = domain;
    +        baseDomain = lib.swarselsystems.getBaseDomain domain;
    +        subDomain = lib.swarselsystems.getSubDomain domain;
    +        serviceDir = dir;
    +        serviceAddress = address;
    +        serviceProxy = proxy;
    +        proxyAddress4 = globals.hosts.${proxy}.wanAddress4;
    +        proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
    +      };
    +    };
    +  };
    +}
    +
    +
    +
    +
    -

    3.4.3. Packages

    +

    3.4.4. Packages

    This is the central station for self-defined packages. These are all referenced in default.nix. Wherever possible, I am keeping the shell version of these scripts in this file as well and then read it using builtin.readFile in the NixOS configurations. This lets me keep full control in this one file but also keep the separate files uncluttered. @@ -20919,9 +22855,9 @@ Note: The structure of generating the packages was changed in commit 2cf03
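Review bot: `proxyAddress4 = globals.hosts.${proxy}.wanAddress4;` has no fallback although the next line uses `or null`, and `proxy` defaults to `config.swarselsystems.proxyHost`, whose default in the options hunk (`@@ -20573,6 +22463,14 @@`) is `""`. On a host that never sets `proxyHost`, forcing this attribute fails with a missing-attribute error that does not name the cause; either write `proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null;` or declare `proxyHost` as `lib.types.nullOr lib.types.str` and assert on it. `getConfig = config;` hands the whole evaluated configuration, including `repo.secrets`, to every consumer of `confLib`, so a comment naming what is expected to be read through it would make that exposure explicit. `gen` and its parameters carry no documentation, and `proxyHost` and `isCloud` have no `description`.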

    -
    -

    3.4.4. Packages (flake)

    -
    +
    +

    3.4.5. Packages (flake)

    +
    { self, lib, pkgs, ... }:
     let
    @@ -20940,7 +22876,7 @@ mkPackages packageNames pkgs
     
    -
    3.4.4.1. pass-fuzzel
    +
    3.4.5.1. pass-fuzzel

    This app allows me, in conjunction with my Yubikey, to quickly enter passwords when the need arises. Normal and TOTP passwords are supported, and they can either be printed directly or copied to the clipboard. @@ -21013,9 +22949,9 @@ writeShellApplication {

    -
    -
    3.4.4.2. quickpass
    -
    +
    +
    3.4.5.2. quickpass
    +
    shopt -s nullglob globstar
     
    @@ -21045,7 +22981,7 @@ writeShellApplication {
     
    -
    3.4.4.3. cura5
    +
    3.4.5.3. cura5

    The version of cura used to be quite outdated in nixpkgs. I am fetching a newer AppImage here and use that instead. @@ -21088,7 +23024,7 @@ writeScriptBin "cura" ''

    -
    3.4.4.4. hm-specialisation
    +
    3.4.5.4. hm-specialisation

    This script allows for quick git home-manager specialisation switching. @@ -21114,7 +23050,7 @@ writeShellApplication {

    -
    3.4.4.5. cdw
    +
    3.4.5.5. cdw

    This script allows for quick git worktree switching. @@ -21138,7 +23074,7 @@ writeShellApplication {

    -
    3.4.4.6. cdb
    +
    3.4.5.6. cdb

    This script allows for quick git branch switching. @@ -21160,7 +23096,7 @@ writeShellApplication {

    -
    3.4.4.7. bak
    +
    3.4.5.7. bak

    This script lets me quickly backup files by appending .bak to the filename. @@ -21183,7 +23119,7 @@ writeShellApplication {

    -
    3.4.4.8. timer
    +
    3.4.5.8. timer

    This app starts a configuratble timer and uses TTS to say something once the timer runs out. @@ -21206,7 +23142,7 @@ writeShellApplication {

    -
    3.4.4.9. e
    +
    3.4.5.9. e

    This is a shorthand for calling emacsclient mostly. Also, it hides the kittyterm scratchpad window that I sometimes use for calling a command quickly, in case it is on the screen. After emacs closes, the kittyterm window is then shown again if it was visible earlier. @@ -21252,7 +23188,7 @@ writeShellApplication {

    -
    3.4.4.10. command-not-found
    +
    3.4.5.10. command-not-found

    The normal command-not-found.sh uses the outdated nix-shell commands as suggestions. This version supplies me with the more modern nixpkgs#<name> version. @@ -21298,7 +23234,7 @@ command_not_found_handler() {

    -
    3.4.4.11. swarselcheck
    +
    3.4.5.11. swarselcheck

    This app checks for different apps that I keep around in the scratchpad for quick viewing and hiding (messengers and music players mostly) and then behaves like the kittyterm hider that I described in e. @@ -21383,7 +23319,7 @@ writeShellApplication {

    -
    3.4.4.12. swarselcheck-niri
    +
    3.4.5.12. swarselcheck-niri
    while :; do
    @@ -21438,7 +23374,7 @@ writeShellApplication {
     
    -
    3.4.4.13. swarselzellij
    +
    3.4.5.13. swarselzellij
    # KITTIES=$(($(pgrep -P 1 kitty | wc -l) - 1))
    @@ -21465,7 +23401,7 @@ writeShellApplication {
     
    -
    3.4.4.14. waybarupdate
    +
    3.4.5.14. waybarupdate

    This scripts checks if there are uncommited changes in either my dotfile repo, my university repo, or my passfile repo. In that case a warning will be shown in waybar. @@ -21512,7 +23448,7 @@ writeShellApplication {

    -
    3.4.4.15. opacitytoggle
    +
    3.4.5.15. opacitytoggle

    This app quickly toggles between 5% and 0% transparency. @@ -21539,7 +23475,7 @@ writeShellApplication {

    -
    3.4.4.16. fs-diff
    +
    3.4.5.16. fs-diff

    This utility is used to compare the current state of the root directory with the blanket state that is stored in /root-blank (the snapshot that is restored on each reboot of an impermanence machine). Using this, I can find files that I will lose once I reboot - if there are important files in that list, I can then easily add them to the persist options. @@ -21580,7 +23516,7 @@ writeShellApplication {

    -
    3.4.4.17. github-notifications
    +
    3.4.5.17. github-notifications

    This utility checks if there are updated packages in nixpkgs-unstable. It does so by fully building the most recent configuration, which I do not love, but it has its merits once I am willing to switch to the newer version. @@ -21606,7 +23542,7 @@ writeShellApplication {

    -
    3.4.4.18. kanshare
    +
    3.4.5.18. kanshare

    This utility checks if there are updated packages in nixpkgs-unstable. It does so by fully building the most recent configuration, which I do not love, but it has its merits once I am willing to switch to the newer version. @@ -21630,7 +23566,7 @@ writeShellApplication {

    -
    3.4.4.19. swarsel-bootstrap
    +
    3.4.5.19. swarsel-bootstrap

    This program sets up a new NixOS host remotely. It also takes care of secret management on the new host. @@ -21647,6 +23583,8 @@ target_user="swarsel" ssh_port="22" persist_dir="" disk_encryption=0 +disk_encryption_args="" +no_disko_deps="false" temp=$(mktemp -d) function help_and_exit() { @@ -21666,6 +23604,7 @@ function help_and_exit() { echo " Default='${target_user}'." echo " --port <ssh_port> specify the ssh port to use for remote access. Default=${ssh_port}." echo " --debug Enable debug mode." + echo " --no-disko-deps Upload only disk script and not dependencies (for use on low ram)." echo " -h | --help Print this help." exit 0 } @@ -21719,14 +23658,14 @@ function update_sops_file() { SOPS_FILE=".sops.yaml" sed -i "{ - # Remove any * and & entries for this host - /[*&]$key_name/ d; - # Inject a new age: entry - # n matches the first line following age: and p prints it, then we transform it while reusing the spacing - /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; - # Inject a new hosts or user: entry - /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} - }" $SOPS_FILE + # Remove any * and & entries for this host + /[*&]$key_name/ d; + # Inject a new age: entry + # n matches the first line following age: and p prints it, then we transform it while reusing the spacing + /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; + # Inject a new hosts or user: entry + /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} + }" $SOPS_FILE green "Updating .sops.yaml" cd - } @@ -21753,6 +23692,9 @@ while [[ $# -gt 0 ]]; do shift ssh_port=$1 ;; + --no-disko-deps) + no_disko_deps="true" + ;; --debug) set -x ;; 
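Review bot: `disk_encryption_args=""` declares a string, but the later hunks assign it an array and expand it as `"${disk_encryption_args[@]}"`. For an unencrypted host that expansion yields one empty argument, which is passed to nixos-anywhere in front of `--ssh-port` or `--no-disko-deps`. Initialise it as an empty array instead, `disk_encryption_args=()`, so the expansion produces no words at all. The script body continues outside this hunk.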
@@ -21770,6 +23712,12 @@ if [[ $target_arch == "" || $target_destination == "" || $target_hostname == "" help_and_exit fi +LOCKED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.node.lockFromBootstrapping)" +if [[ $LOCKED == "true" ]]; then + red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING" + exit +fi + green "~SwarselSystems~ remote installer" green "Reading system information for $target_hostname ..." @@ -21780,6 +23728,11 @@ CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.sw if [[ $CRYPTED == "true" ]]; then green "Encryption: ✓" disk_encryption=1 + disk_encryption_args=( + --disk-encryption-keys + /tmp/disko-password + /tmp/disko-password + ) else red "Encryption: X" disk_encryption=0 @@ -21872,7 +23825,14 @@ $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "$ # ------------------------ green "Deploying minimal NixOS installation on $target_destination" -nix run github:nix-community/nixos-anywhere/1.10.0 -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination" + +if [[ $no_disko_deps == "true" ]]; then + green "Building without disko dependencies (using custom kexec)" + nix run github:nix-community/nixos-anywhere/1.10.0 -- "${disk_encryption_args[@]}" --no-disko-deps --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" --kexec "$(nix build --print-out-paths .#packages."$target_arch".swarsel-kexec)/swarsel-kexec-$target_arch.tar.gz" root@"$target_destination" +else + green "Building with disko dependencies (using nixos-images kexec)" + nix run github:nix-community/nixos-anywhere/1.10.0 -- "${disk_encryption_args[@]}" --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination" +fi echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts" ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true 
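Review bot: The lock check fails open: if `nix eval` errors, for example because `lockFromBootstrapping` is not defined for that host, `LOCKED` is empty and the installation proceeds (unless `set -e` is active, which the hunk does not show). The bare `exit` returns the status of the preceding `red` call, so a refused bootstrap presumably reports success to whatever invoked the script. Testing for the safe value and returning an error closes both gaps: `if [[ $LOCKED != "false" ]]; then` and `exit 1`.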
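Review bot: `/tmp/disko-password` in the `@@ -21780,6 +23728,11 @@` hunk is a fixed name in a shared directory and is used as the local source of the disk encryption key. The code that writes the file is outside the hunk, so its mode cannot be confirmed here, but a predictable path can be pre-created or read by another local account. A private file from `mktemp` avoids that: `key_file="$(mktemp)"` and `disk_encryption_args=(--disk-encryption-keys /tmp/disko-password "$key_file")`, with the file removed when the script exits. The existing `$temp` directory is not a good home for it, since it is passed to `--extra-files` and its contents are copied to the target.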
@@ -22020,7 +23980,7 @@ writeShellApplication {

    -
    3.4.4.20. swarsel-rebuild
    +
    3.4.5.20. swarsel-rebuild
    set -eo pipefail
    @@ -22150,7 +24110,7 @@ writeShellApplication {
     
    -
    3.4.4.21. swarsel-install
    +
    3.4.5.21. swarsel-install

    Autoformatting always puts the EOF with indentation, which makes shfmt check fail. When editing this block, unindent them manually. @@ -22363,7 +24323,7 @@ writeShellApplication {

    -
    3.4.4.22. swarsel-postinstall
    +
    3.4.5.22. swarsel-postinstall
    set -eo pipefail
    @@ -22455,7 +24415,7 @@ writeShellApplication {
     
    -
    3.4.4.23. t2ts
    +
    3.4.5.23. t2ts
    { name, writeShellApplication, ... }:
    @@ -22473,7 +24433,7 @@ writeShellApplication {
     
    -
    3.4.4.24. ts2t
    +
    3.4.5.24. ts2t
    { name, writeShellApplication, ... }:
    @@ -22491,7 +24451,7 @@ writeShellApplication {
     
    -
    3.4.4.25. vershell
    +
    3.4.5.25. vershell
    { name, writeShellApplication, ... }:
    @@ -22509,7 +24469,7 @@ writeShellApplication {
     
    -
    3.4.4.26. eontimer
    +
    3.4.5.26. eontimer
    { lib
    @@ -22613,7 +24573,7 @@ python3.pkgs.buildPythonApplication rec {
     
    -
    3.4.4.27. project
    +
    3.4.5.27. project
    set -euo pipefail
    @@ -22637,7 +24597,7 @@ writeShellApplication {
     
    -
    3.4.4.28. fhs
    +
    3.4.5.28. fhs
    { name, pkgs, ... }:
    @@ -22656,7 +24616,7 @@ pkgs.buildFHSEnv (base // {
     
    -
    3.4.4.29. swarsel-displaypower
    +
    3.4.5.29. swarsel-displaypower

    A crude script to power on all displays that might be attached. Needed because sometimes displays do not awake from sleep. @@ -22681,7 +24641,7 @@ writeShellApplication {

    -
    3.4.4.30. swarsel-mgba
    +
    3.4.5.30. swarsel-mgba

    AppImage version of mgba in which the lua scripting works. @@ -22715,7 +24675,7 @@ appimageTools.wrapType2 {

    -
    3.4.4.31. swarsel-deploy
    +
    3.4.5.31. swarsel-deploy
    # heavily inspired from https://github.com/oddlama/nix-config/blob/d42cbde676001a7ad8a3cace156e050933a4dcc3/pkgs/deploy.nix
    @@ -22847,7 +24807,7 @@ writeShellApplication {
     
    -
    3.4.4.32. swarsel-build
    +
    3.4.5.32. swarsel-build
    { name, nix-output-monitor, writeShellApplication, ... }:
    @@ -22871,7 +24831,7 @@ writeShellApplication {
     
    -
    3.4.4.33. swarsel-instantiate
    +
    3.4.5.33. swarsel-instantiate

    This is a convenience function that calls nix-instantiate with a number of flags that I need in order to evaluate nix expressions in org-src blocks. @@ -22892,7 +24852,7 @@ writeShellApplication {

    -
    3.4.4.34. sshrm
    +
    3.4.5.34. sshrm

    This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually. @@ -22924,9 +24884,9 @@ writeShellApplication {

    -
    -
    3.4.4.35. endme
    -
    +
    +
    3.4.5.35. endme
    +

    Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session.

    @@ -22946,9 +24906,9 @@ writeShellApplication {
    -
    -
    3.4.4.36. git-replace
    -
    +
    +
    3.4.5.36. git-replace
    +

    This script allows for quick git replace of a string.

    @@ -23025,9 +24985,9 @@ writeShellApplication {
    -
    -

    3.4.5. Packages (config)

    -
    +
    +

    3.4.6. Packages (config)

    +
    { self, homeConfig, lib, pkgs, ... }:
     let
    @@ -23043,9 +25003,9 @@ mkPackages packageNames pkgs
     
    -
    -
    3.4.5.1. cdr
    -
    +
    +
    3.4.6.1. cdr
    +
    { name, homeConfig, writeShellApplication, fzf, ... }:
     
    @@ -23207,9 +25167,9 @@ in
     
    -
    -
    3.5.1.3. Optionals
    -
    +
    +
    3.5.1.3. Optionals
    +
    { lib, config, ... }:
     {
    @@ -23413,9 +25373,9 @@ in
     
    -
    -
    3.5.1.9. Router
    -
    +
    +
    3.5.1.9. Router
    +
    { lib, config, ... }:
     {
    @@ -23530,9 +25490,9 @@ in
     
    -
    -
    3.5.2.2. DGX Spark
    -
    +
    +
    3.5.2.2. DGX Spark
    +
    { lib, config, ... }:
     {
    @@ -23544,6 +25504,7 @@ in
           atuin = lib.mkDefault true;
           autotiling = lib.mkDefault false;
           batsignal = lib.mkDefault false;
    +      bash = lib.mkDefault true;
           blueman-applet = lib.mkDefault true;
           desktop = lib.mkDefault false;
           direnv = lib.mkDefault true;
    @@ -23986,6 +25947,11 @@ In this section I define extra functions that I need. Some of these functions I
     Since I am rebinding the C-z hotkey for emacs-evil-state toggling, I want to have a function that still lets me perform this action quickly.
     

    +

    +We set a keybinding to this in Custom Keybindings. +

    + +
    ;; -*- lexical-binding: t; -*-
     
    @@ -24003,7 +25969,11 @@ Since I am rebinding the C-z hotkey for emacs-evil-state toggling,
     
    4.2.1.2. Switching to last used buffer

    -I often find myself bouncing between two buffers when I do not want to use a window split. This funnction simply jumps to the last used buffer. +I often find myself bouncing between two buffers when I do not want to use a window split. This function simply jumps to the last used buffer. +

    + +

    +We set a keybinding to this in Custom Keybindings.

    @@ -24112,6 +26082,10 @@ The below function avoids these problems. Originally I used the function d However, this function does not work on regions. Later, I found a solution implemented by crux. I do not need the whole package, so I just extracted the three functions I needed from it.

    +

    +We set a keybinding to this in Custom Keybindings. +

    +
     (defun crux-get-positions-of-line-or-region ()
    @@ -24300,9 +26274,17 @@ This function was found here: 
    -
    4.2.1.9. Magit: List directories using vertico/consult
    -
    +
    +
    4.2.1.9. Magit: List directories using vertico/consult
    +
    +

    +At work and when working on private projects, I often have to jump between several git repositories. This function fires up a picker that gets me to the magit overview page of that repository. +

    + +

    +We set a keybinding to this in Custom Keybindings. +

    +
     (defun swarsel/consult-magit-repos ()
    @@ -24423,6 +26405,10 @@ Normally emacs cycles between three states:
     However, I want to be able to fold a single heading consistently.
     

    +

    +We set a keybinding to this in Custom Keybindings. +

    +
     (defun org-fold-outer ()
    @@ -24485,6 +26471,69 @@ These functions are used here: 
    +
    +
    +
    +
    +
    4.2.1.16. Insert link to another header in org file
    +
    +

    +When writing this file, I often want to refer to a different section of the file. One way to do this is to C-x O (consult-org-heading) to get to said heading, then C=c s (org-store-link), finally C-o (evil-jump-backward) to get back to the origin and insert the link using C-c C-l (org-insert-link). +

    + +

    +These two scripts just let me do all of this in one step. I have styled the picker in a way that is similar to consult-org-heading. +

    + +

    +We set a keybinding to this in Custom Keybindings. +

    + +
    +
    +  (defun swarsel/org-colorize-outline (parents raw)
    +    (let* ((palette ["#58B6ED" "#8BD49C" "#33CED8" "#4B9CCC"
    +                     "yellow" "orange" "salmon" "red"])
    +           (n (length parents))
    +           (colored-parents
    +            (cl-mapcar
    +             (lambda (p i)
    +               (propertize p 'face `(:foreground ,(aref palette (mod i (length palette))) :weight bold)))
    +             parents
    +             (number-sequence 0 (1- n)))))
    +      (concat
    +       (when parents
    +         (string-join colored-parents "/"))
    +       (when parents "/")
    +       (propertize raw 'face `(:foreground ,(aref palette (mod n (length palette)))
    +                                 :weight bold)))))
    +
    +(defun swarsel/org-insert-link-to-heading ()
    +  (interactive)
    +  (let ((candidates '()))
    +    (org-map-entries
    +     (lambda ()
    +       (let* ((raw (org-get-heading t t t t))
    +              (parents (org-get-outline-path t))
    +              (m (copy-marker (point)))
    +              (colored (swarsel/org-colorize-outline parents raw)))
    +         (push (cons colored m) candidates))))
    +
    +    (let* ((choice (completing-read "Heading: " (mapcar #'car candidates)))
    +           (marker (cdr (assoc choice candidates)))
    +           id raw-heading)
    +      (unless marker
    +        (user-error "No marker for heading??"))
    +
    +      (save-excursion
    +        (goto-char marker)
    +        (setq id (prot-org--id-get))
    +        (setq raw-heading (org-get-heading t t t t)))
    +
    +      (insert (org-link-make-string (format "#%s" id)
    +                                    raw-heading)))))
    +
     
    @@ -24601,6 +26650,7 @@ I also define some keybinds to some combinations directly. Those are used mostly "<DUMMY-m>" 'swarsel/last-buffer "M-\\" 'indent-region "M-r" 'swarsel/consult-magit-repos + "M-i" 'swarsel/org-insert-link-to-heading "<Paste>" 'yank "<Cut>" 'kill-region "<Copy>" 'kill-ring-save @@ -24620,7 +26670,7 @@ I also define some keybinds to some combinations directly. Those are used mostly

    4.2.3. Directory setup / File structure

    -In this section I setup some aliases that I use for various directories on my system. Some of these are actually used for magit repository finding etc., but many of them serve no real use and I need to clean this up someday. +In this section I setup some aliases that I use for various directories on my system. This is just to prevent setting the same stuff too often.

    @@ -24628,12 +26678,12 @@ In this section I setup some aliases that I use for various directories on my sy ;; set Nextcloud directory for journals etc. (setq swarsel-emacs-directory "~/.emacs.d" - swarsel-dotfiles-directory "~/.dotfiles" + swarsel-dotfiles-directory (getenv "FLAKE") swarsel-swarsel-org-filepath (expand-file-name "SwarselSystems.org" swarsel-dotfiles-directory) swarsel-tasks-org-file "Tasks.org" swarsel-archive-org-file "Archive.org" - swarsel-work-projects-directory "~/Documents/Work" - swarsel-private-projects-directory "~/Documents/Private" + swarsel-work-projects-directory (getenv "DOCUMENT_DIR_WORK") + swarsel-private-projects-directory (getenv "DOCUMENT_DIR_PRIV") )
    @@ -24721,7 +26771,7 @@ Here I set up some things that are too minor to put under other categories.
     ;; use UTF-8 everywhere
     (set-language-environment "UTF-8")
    -(profiler-start 'cpu)
    +;; (profiler-start 'cpu)
     ;; set default font size
     (defvar swarsel/default-font-size 130)
     (setq swarsel-standard-font "FiraCode Nerd Font Mono"
    @@ -25050,6 +27100,10 @@ This minor-mode adds functionality for doing better surround-commands; for examp
     
    4.3.7.6. evil-visual-mark-mode
    +

    +This makes it so that when setting a mark in evil mode (using m <key>), it creates a visual marker at that place that reminds me what the key for that marker position is (the marker is of course not part of the text of the document, and is hence not saved). +

    +
     (use-package evil-visual-mark-mode
    @@ -25086,8 +27140,12 @@ This adds support for tree-sitter objects. This allows for the following chords:
     
    -
    4.3.7.8. evil-textobj-tree-sitter
    +
    4.3.7.8. evil-numbers
    +

    +A very simple package that brings back the vim possibility of incrementing/decrementing numbers. I do not need it often, but it is nice to have. +

    +
     (use-package evil-numbers)
    @@ -25101,7 +27159,7 @@ This adds support for tree-sitter objects. This allows for the following chords:
     

    4.3.8. ispell

    -This should setup a wordlist that can be used as a dictionary. However, for some reason this does not work, and I will need to further investigate this issue. +This sets up a wordlist that is, for example, used in completions. When coding, I do not really need this, but it is sometimes useful when writing prose.

    @@ -25178,7 +27236,7 @@ Used in:

    @@ -25213,11 +27271,11 @@ This minor mode allows mixing fixed and variable pitch fonts within the same buf

    4.3.13. Modeline

    -Here I set up the modeline with some information that I find useful. Specficially I am using the doom modeline. Most informations I disable for it, except for the cursor information (row + column) as well as a widget for mu4e and git information. +Here I set up the modeline with some information that I find useful. I was using the doom modeline for a while. Most informations I disabled for it, except for the cursor information (row + column) as well as a widget for mu4e and git information.

    -I have currently disabled this in favor of mini-modeline. +I have currently disabled this in favor of mini-modeline, which saves more screen space and holds only the information I really need.

    @@ -25239,7 +27297,20 @@ I have currently disabled this in favor of 4.3.14. mini-modeline

    -I have found that the doom-modeline, while very useful, consumes too much screen space for my liking. This modeline takes a more minimalistic approach. +I have found that the doom-modeline, while very useful, consumes too much screen space for my liking. This modeline takes a more minimalistic approach. The only information that is shown is: +

    + +
      +
    • the line number
    • +
    • state of the file (whether it is saved etc.)
    • +
    • the name of the file
    • +
    • the percentage of the cursor in the file
    • +
    • the major mode of the file
    • +
    • the current evil mode
    • +
    + +

    +This is really the perfect solution for me, but it might not be for everyone.

    @@ -25283,24 +27354,16 @@ I have found that the doom-modeline, while very useful, consumes too much screen
    4.3.15.1. Vertico, Orderless, Marginalia, Consult, Embark
    4.3.15.1.1. vertico
    +

    +Vertico simply provides a vertically stacking completion framework. +

    +
     (setq read-buffer-completion-ignore-case t
    @@ -25345,6 +27408,10 @@ This package allows for Ido-like directory navigation.
     
    4.3.15.1.3. orderless
    +

    +Orderless allows for fuzzy matching. +

    +

    When first installing orderless, I often times faced the problem, that when editing long files and calling consult-line, Emacs would hang when changing a search term in the middle (e.g. from servicse.xserver to servic.xserver in order to fix the typo). The below orderless rules have a more strict matching that has a positive impact on performance.

    @@ -25375,6 +27442,10 @@ When first installing orderless, I often times faced the problem, that when edit
    4.3.15.1.4. consult
    +

    +Consult provides better implementations for several user functions, e.g. consult-line or consult-outline. +

    +

    The big winner here are the convenient keybinds being setup here for general use. Also, I setup vim-navigation for minibuffer completions. consult-buffer is set twice because I am still used to that weird C-M-j command that I chose for ivy-switch-buffer when I first started using Emacs. I want to move to the other command but for now it is not feasible to delete the other one.

    @@ -25405,6 +27476,10 @@ The big winner here are the convenient keybinds being setup here for general use
    4.3.15.1.5. embark
    +

    +Embark allows acting on the results in the minibuffer while the completion is still ongoing - this is extremely useful since it allows to, for example, read the documentation for several functions without closing the help search. It can also collect the results of a grep operation into a seperate buffer that edits the result in their original location. +

    +

    I have stripped down the embark keybinds heavily. It is very useful to me even in it's current state, but it quickly becomes overwhelming. embark-dwim acts on a candidate without closing the minibuffer, which is very useful. embark-act lets the user choose from all actions, but has an overwhelming interface.

    @@ -25453,6 +27528,10 @@ Provides previews for embark.
    4.3.15.1.7. marginalia
    +

    +Marginalia adds more information to completion results. +

    +

    I set the annotation-mode of marginalia to heavy. This gives even more information on the stuff that you are looking at. One thing I am missing from ivy is the highlighting on mode-commands based on the current state of the mode. Also, I do not understand all the shorthands used by marginalia yet.

    @@ -25476,6 +27555,7 @@ I set the annotation-mode of marginalia to heavy. This gives even m

    As stated above, this simply provides nerd-icons to the completion framework. +It is originally enabled here: Icons

    @@ -25626,6 +27706,10 @@ This places little angled indicators on the fringe of a window which indicate bu This defines the authentication sources used by org-calfw (Calendar) and Forge.

    +

    +This file is written using home-manager sops in Home-manager: Emacs +

    +
     ;; (setq auth-sources '( "~/.emacs.d/.caldav" "~/.emacs.d/.authinfo.gpg")
    @@ -25947,7 +28031,11 @@ This just makes org-mode a little bit more beautiful, mostly by making the 4.4.1.10. Presentations
     

    -Recently I have grown fond of holding presentations using Emacs :) +Recently I have grown fond of holding presentations using Emacs. +

    + +

    +When holding presentations, I think it is important to not have too many distractions on your slides. org-present just shows a plain background, is very responsive, and it is still an org buffer (so you can e.g. run source block codes while in the presentation).

    @@ -26058,9 +28146,13 @@ Recently I have grown fond of holding presentations using Emacs :)
    -
    -
    4.4.1.11. Render markdown blocks as body to expand noweb blocks
    -
    +
    +
    4.4.1.11. Render markdown blocks as body to expand noweb blocks
    +
    +

    +I have written this function to allow me to get a preview of the information that is gathered throughout the file and aggregated in Manual steps when setting up a new machine. Normally, running a markdown source block does nothing in Emacs. Hence, I just let it return the output, which inserts the noweb-ref blocks. +

    +
    (defun org-babel-execute:markdown (body params)
       "Just return BODY unchanged, allowing noweb expansion."
    @@ -26074,7 +28166,11 @@ Recently I have grown fond of holding presentations using Emacs :)
     

    4.4.2. Nix Mode

    -This adds a rudimentary nix-mode to Emacs. I have not really tried this out, as I am mostly editing nix-files in org-mode anyways. +This adds a nix mode to Emacs. This has become increasingly useful since I have added lsp-mode in org-src blocks, because since that time, I am now able to actually make use of major modes while I theoretically stay in org-mode. +

    + +

    +It supports all functions that I normally need. Note that getting completions for flake inputs is a bit finnicky and I am not quite fond of it yet.

    @@ -26125,7 +28221,7 @@ This adds a rudimentary nix-mode to Emacs. I have not really tried this out, as

    4.4.3. HCL Mode

    -This adds support for Hashicorp Configuration Language. I need this at work. +This adds support for Hashicorp Configuration Language. Used at work, it is mostly a Terraform Mode that does not support autoformatting upon save. It still is nice :)

    @@ -26143,7 +28239,7 @@ This adds support for Hashicorp Configuration Language. I need this at work.

    4.4.4. Jenkinsfile/Groovy

    -This adds support for Groovy, which I specifically need to work with Jenkinsfiles. I need this at work. +This adds support for Groovy, which I specifically need to work with Jenkinsfiles. Similar to [BROKEN LINK: 7aa9803f-b419-40fa-aafc-4bb934c8f687], it just provides some nice functions.

    @@ -26160,6 +28256,11 @@ This adds support for Groovy, which I specifically need to work with Jenkinsfile

    4.4.5. Ansible

    +

    +This is supposed to provide auto-completion when turned on. Of course I cannot globally turn this on since it would run in any .yaml file then, but even when manually started, it seems to do nothing. This would be nice at work. +

    + +
     (use-package ansible)
    @@ -26172,7 +28273,7 @@ This adds support for Groovy, which I specifically need to work with Jenkinsfile
     

    4.4.6. Dockerfile

    -This adds support for Dockerfiles. I need this at work. +This adds support for Dockerfiles in a similar way to [BROKEN LINK: ebd53be9-c38a-4a0f-a7b4-eee30a0074fc].

    @@ -26188,7 +28289,7 @@ This adds support for Dockerfiles. I need this at work.

    4.4.7. Terraform Mode

    -This adds support for Terraform configuration files. I need this at work. +This adds support for Terraform configuration files. This is basically the same as the [BROKEN LINK: 7aa9803f-b419-40fa-aafc-4bb934c8f687] mode as the languages are very similar.

    @@ -26209,7 +28310,11 @@ This adds support for Terraform configuration files. I need this at work.

    4.4.8. nix formatting

    -Adds functions for formatting nix code. +Adds functions for formatting nix code. I make huge use of this using the chords C-<Space> o b (org-babel-mark-block) and then C-<Space> o n (nixpkgs-fmt-region). This is what I use to keep my nix org-src-blocks formatted. However, using [BROKEN LINK: a67adf2f-20ce-49d6-ba6b-0341ca3d9972], the resulting tangled files will be formatted in any case. +

    + +

    +Note that for files that are not managed using this file (which there should normally not be many of), we can still use nix fmt for running treefmt for formatting and checks.

    @@ -26224,7 +28329,7 @@ Adds functions for formatting nix code.

    4.4.9. shfmt

    -Adds functions for formatting shellscripts. +Adds functions for formatting shellscripts. Similarly to [BROKEN LINK: 460a47fd-cddc-4080-9eba-6724fc63606e]m I use this using the chords C-<Space> o b (org-babel-mark-block) and then C-<Space> o s (shfmt-region). This is what I use to keep shell script blocks formatted in this file. This is also handled by treefmt, but still, I want this file to stay organized as well.

    @@ -26245,6 +28350,10 @@ Adds functions for formatting shellscripts.
    4.4.10.1. Mode
    +

    +Adds a mode for markdown, specifically MultiMarkdown, which allows me to render LaTeX and other nice things. +

    +
     (setq markdown-command "pandoc")
    @@ -26263,6 +28372,10 @@ Adds functions for formatting shellscripts.
     
    4.4.10.2. LaTeX in Markdown
    +

    +Allows me to render LaTeX just where I write it. I do not need this as much anymore, but during my studies this was very valuable to me. +

    +
     (add-hook 'markdown-mode-hook
    @@ -26279,6 +28392,10 @@ Adds functions for formatting shellscripts.
     

    4.4.11. elfeed

    +

    +This adds elfeed, a neat RSS reader for Emacs. I use this as a client for FreshRSS. While I read most of my feeds on my phone (using Capy Reader), it is still good to have an Emacs-native reader as well. Some time ago I was still running a separate Emacs instance on my server: [BROKEN LINK: 0e07e2fb-adc4-4fd8-9b54-0a59338a471e]. This instance would then sync the read feeds to other instances. This was very brittle however and is only left as a historical note. +

    +
     (use-package elfeed)
    @@ -26317,7 +28434,7 @@ Adds functions for formatting shellscripts.
     

    4.4.12. Ripgrep

    -This is the ripgrep command for Emacs. +This is the ripgrep package for Emacs.

    @@ -26336,7 +28453,7 @@ Tree-sitter is a parsing library integrated into Emacs to provide better syntax

    -In order to update the language grammars, run the next command below. +In order to update the language grammars, run the next command below. NOTE: since we now load epkgs.treesit-grammars.with-all-grammars in Home-manager: Emacs, we actually never run this anymore. I leave it here however for a potential future reader. For safety, I still instruct treesit to install missing grammars on the fly.

    @@ -26498,7 +28615,7 @@ magit is the best git utility I have ever used - it has a beautiful interface an

    -Also, Emacs needs a little extra love to accept my Yubikey for git commits etc. We also set that here. +Also, Emacs needs a little extra love to accept my Yubikey for git commits etc. We set that here: [BROKEN LINK: 59df9a4c-2a1f-466b-abe2-fbb8524cd0ed].

    @@ -26518,7 +28635,7 @@ Also, Emacs needs a little extra love to accept my Yubikey for git commits etc.

    4.4.19. Yubikey support

    -The following settings are needed to make sure emacs works for magit commits and pushes. It is not a beautiful solution since commiting uses pinentry-emacs and pushing uses pinentry-gtk2, but it works for now at least. +The following settings are needed to make sure emacs works for magit commits and pushes. It is not a beautiful solution since commiting uses pinentry-emacs and pushing uses pinentry-gtk2, but it works for now at least. This works especially well since I have switched from pinentry-gtk3 to pinentry-waypromt.

    @@ -26552,6 +28669,10 @@ NOTE: Make sure to configure a GitHub token before using this package! (1) in practice: github -<> settings -<> developer option -<> create classic token with repo; user; read:org permissions (2)machine api.github.com login USERNAMEforge password 012345abcdef… +

    + +

    +The above is handled by [BROKEN LINK: ebb558ed-883a-486f-a6f5-8b283eb735a3] and only here as a historical note. Forge lets me interact with non-core git objects like issues and pull requests from within emacs.

    @@ -26955,6 +29076,10 @@ company is now disabled since it seems that corfu runs just fine with lsp-mode a

    4.4.32. lsp-mode in org-src blocks

    +

    +This incredible function allows to start a sub-pane in a org-file while in a source-block that spins up a lsp-server. In practise that allows me to use a nix lsp when editing complex blocks in my config. The only bother is that we have to add the modes where it should run manually to org-babel-lang-list, but that is a small price to pay for the usefulness that it brings. +

    +
    ;; thanks to https://tecosaur.github.io/emacs-config/config.html#lsp-support-src
     (cl-defmacro lsp-org-babel-enable (lang)
    @@ -26993,6 +29118,11 @@ company is now disabled since it seems that corfu runs just fine with lsp-mode a
     

    4.4.33. lsp-bridge

    +

    +This is another lsp-implementation for Emacs using multi-threading, so this should be the least blocking one. Still, in general I prefer eglot. +

    + +
     (use-package lsp-bridge
    @@ -27275,9 +29405,9 @@ This adds the simple utility of sending desktop notifications whenever a new mai
     
    -
    -
    4.4.39.3. Work: Signing Mails (S/MIME, smime)
    -
    +
    +
    4.4.39.3. Work: Signing Mails (S/MIME, smime)
    +

    Used to automatically sign messages sent from my work email address using S/MIME certificate.

    @@ -27560,9 +29690,9 @@ Also see `prot-window-delete-popup-frame'." command) This sections is no longer used really. An introduction can be found in Structure of this file under the historical note. The little noweb-ref blocks that I still use are found in Hosts and Services.

    -
    -

    5.1. General steps when setting up a new machine

    -
    +
    +

    5.1. General steps when setting up a new machine

    +

    These general steps are needed when setting up a new machine and do not fit into another block well:

    @@ -27577,9 +29707,9 @@ These general steps are needed when setting up a new machine and do not fit into - `systemd-cryptenroll --fido2-device=auto /dev/`
    -
    -

    5.2. Current patches and fixes

    -
    +
    +

    5.2. Current patches and fixes

    +

    These are current deviations from the standard settings that I take while some things are broken upstream

    @@ -28385,8 +30515,11 @@ dd DRIVE ISO: sync USER HOST: rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/ -bootstrap DEST CONFIG ARCH="x86_64-linux": - nix develop .#deploy --command zsh -c "swarsel-bootstrap -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}" +secrets USER HOST: + rsync -rltv -e "ssh -l {{USER}}" /var/tmp/nix-import-encrypted/1000/ {{USER}}@{{HOST}}:/var/tmp/nix-import-encrypted/0 + +bootstrap DEST CONFIG ARCH="x86_64-linux" NODISKODEPS="": + nix develop .#deploy --command zsh -c "swarsel-bootstrap {{NODISKODEPS}} -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}"
    @@ -29317,8 +31450,10 @@ See the above repository for updates as well as full license text. */ transform-origin: 0px calc(0px - var(--tab-min-height) - var(--tab-block-margin) * 2); transform: rotateX(89.9deg); } -#mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel)) ~ toolbox #urlbar[popover], -/* swarsel: removed :hover from below line */ + +:root[window-modal-open] #urlbar[popover], +#mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel), > #tab-group-editor > [panelopen]) ~ toolbox #urlbar[popover], + /* swarsel: removed :hover from below line */ #navigator-toolbox:is(:focus-within,[movingtab]) #urlbar[popover], #urlbar-container > #urlbar[popover]:is([focused],[open]){ pointer-events: auto; @@ -29326,9 +31461,11 @@ See the above repository for updates as well as full license text. */ transition-delay: 33ms; transform: rotateX(0deg); } -#mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel)) ~ toolbox, + +:root[window-modal-open] #navigator-toolbox, +#mainPopupSet:has(> [panelopen]:not(#ask-chat-shortcuts,#selection-shortcut-action-panel,#chat-shortcuts-options-panel,#tab-preview-panel), > #tab-group-editor > [panelopen]) ~ toolbox, #navigator-toolbox:has(#urlbar:is([open],[focus-within])), -/* swarsel: removed :hover from below line */ + /* swarsel: removed :hover from below line */ #navigator-toolbox:is(:focus-within,[movingtab]){ transition-delay: 33ms !important; transform: rotateX(0); 
@@ -29337,8 +31474,7 @@ See the above repository for updates as well as full license text. */ /* This makes things like OS menubar/taskbar show the toolbox when hovered in maximized windows. * Unfortunately it also means that other OS native surfaces (such as context menu on macos) * and other always-on-top applications will trigger toolbox to show up. */ -@media (-moz-bool-pref: "userchrome.autohide-toolbox.unhide-by-native-ui.enabled"), - -moz-pref("userchrome.autohide-toolbox.unhide-by-native-ui.enabled"){ +@media -moz-pref("userchrome.autohide-toolbox.unhide-by-native-ui.enabled"){ :root[sizemode="maximized"]:not(:hover){ #navigator-toolbox:not(:-moz-window-inactive), #urlbar[popover]:not(:-moz-window-inactive){ @@ -29368,13 +31504,9 @@ See the above repository for updates as well as full license text. */ padding-block: calc(min(4px,(var(--urlbar-container-height) - var(--urlbar-height)) / 2) + var(--urlbar-container-padding)) !important; } -/* Uncomment this if tabs toolbar is hidden with hide_tabs_toolbar.css */ - /*#titlebar{ margin-bottom: -9px }*/ - /* Uncomment the following for compatibility with tabs_on_bottom.css - this isn't well tested though */ /* #navigator-toolbox{ flex-direction: column; display: flex; } -#titlebar{ order: 2 } */
    
@@ -30080,24 +32212,26 @@ Here lies defined the readme for GitHub and Forgejo: ### Hosts - | Name | Hardware | Use | - |--------------------|-----------------------------------------------------|------------------------------------------------------| - |💻 **pyramid** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop | - |💻 **bakery** | Lenovo Ideapad 720S-13IKB | Personal laptop | - |💻 **machpizza** | MacBook Pro 2016 | MacOS reference and build sandbox | - |🏠 **treehouse** | NVIDIA DGX Spark | Workstation, AI playground and home-manager reference| - |🖥️ **winters** | ASRock J4105-ITX, 32GB RAM | Secondary homeserver and data storgae | - |🖥️ **summers** | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM | Main homeserver running microvms, data storage | - |🖥️ **hintbooth** | HUNSN RM02, 8GB RAM | Router | - |☁️ **milkywell** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks | - |☁️ **moonside** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services | - |☁️ **belchsfactory**| Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Hydra builder and nix binary cache | - |☁️ **monkeycave** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Gaming server | - |☁️ **eagleland** | Hetzner Cloud: CX23 | Mail server | - |📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone | - |💿 **drugstore** | - | ISO installer configuration | - |❔ **chaotheatre** | - | Demo config for checking out my configurtion | - |❔ **toto** | - | Helper configuration for bootstrapping a new system | + | Name | Hardware | Use | + |---------------------|-----------------------------------------------------|-----------------------------------------------------| + |💻 **pyramid** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop | + |💻 **bakery** | Lenovo Ideapad 720S-13IKB | Personal laptop | + |💻 **machpizza** | MacBook Pro 2016 | MacOS reference and build sandbox | + |🏠 
**treehouse** | NVIDIA DGX Spark | AI Workstation, remote builder, hm-only-reference | + |🖥️ **summers** | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM | Homeserver (microvms), remote builder, datastorage | + |🖥️ **winters** | ASRock J4105-ITX, 32GB RAM | Homeserver (IoT server in spe) | + |🖥️ **hintbooth** | HUNSN RM02, 8GB RAM | Router | + |☁️ **stoicclub** | Cloud Server: 1 vCPUs, 8GB RAM | Authoritative dns server | + |☁️ **liliputsteps** | Cloud Server: 1 vCPUs, 8GB RAM | SSH bastion | + |☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM | Service proxy | + |☁️ **eagleland** | Cloud Server: 2 vCPUs, 8GB RAM | Mailserver | + |☁️ **moonside** | Cloud Server: 4 vCPUs, 24GB RAM | Gaming server, syncthing + lightweight services | + |☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM | Hydra builder and nix binarycache | + |📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone | + |💿 **drugstore** | - | NixOS-installer ISO for bootstrapping new hosts | + |💿 **brickroad** | - | Kexec tarball for bootstrapping low-memory machines | + |❔ **chaotheatre** | - | Demo config for checking out this configuration | + |❔ **toto** | - | Helper configuration for testing purposes | </details> ## General Nix tips & useful links @@ -30562,7 +32696,7 @@ similarly, there exists an version that starts from the right.

    Author: Leon Schwarzäugl

    -

    Created: 2025-11-19 Mi 15:22

    +

    Created: 2025-11-27 Do 16:49

    Validate

    diff --git a/install/kexec.nix b/install/kexec.nix new file mode 100644 index 0000000..fc704d8 --- /dev/null +++ b/install/kexec.nix 
@@ -0,0 +1,96 @@
+{ lib, pkgs, modulesPath, options, ... }:
+{
+ disabledModules = [
+ # This module adds values to multiple lists (systemPackages, supportedFilesystems)
+ # which are impossible/unpractical to remove, so we disable the entire module.
+ "profiles/base.nix"
+ ];
+
+ imports = [
+ # reduce closure size by removing perl
+ "${modulesPath}/profiles/perlless.nix"
+ # FIXME: we still are left with nixos-generate-config due to nixos-install-tools
+ { system.forbiddenDependenciesRegexes = lib.mkForce [ ]; }
+ ];
+
+ config = {
+ networking.hostName = "brickroad";
+
+ system = {
+ # nixos-option is mainly useful for interactive installations
+ tools.nixos-option.enable = false;
+ # among others, this prevents carrying a stdenv with gcc in the image
+ extraDependencies = lib.mkForce [ ];
+ };
+ # prevents shipping nixpkgs, unnecessary if system is evaluated externally
+ nix.registry = lib.mkForce { };
+
+ # would pull in nano
+ programs.nano.enable = false;
+
+ # prevents strace
+ environment = {
+ defaultPackages = lib.mkForce [
+ pkgs.parted
+ pkgs.gptfdisk
+ pkgs.e2fsprogs
+ ];
+
+ systemPackages = with pkgs; [
+ cryptsetup.bin
+ ];
+
+ # Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs.
+ ldso32 = null; + }; + + # included in systemd anyway + systemd.sysusers.enable = true; + + # normal users are not allowed with sys-users + # see https://github.com/NixOS/nixpkgs/pull/328926 + users.users.nixos = { + isSystemUser = true; + isNormalUser = lib.mkForce false; + shell = "/run/current-system/sw/bin/bash"; + group = "nixos"; + }; + users.groups.nixos = { }; + + security = { + # we have still run0 from systemd and most of the time we just use root + sudo.enable = false; + polkit.enable = lib.mkForce false; + # introduces x11 dependencies + pam.services.su.forwardXAuth = lib.mkForce false; + }; + + documentation = { + enable = false; + man.enable = false; + nixos.enable = false; + info.enable = false; + doc.enable = false; + }; + + services = { + # no dependency on x11 + dbus.implementation = "broker"; + # we prefer root as this is also what we use in nixos-anywhere + getty.autologinUser = lib.mkForce "root"; + # included in systemd anyway + userborn.enable = false; + }; + + + + # we are missing this from base.nix + boot.supportedFilesystems = [ + "ext4" + "btrfs" + "xfs" + ]; + } // lib.optionalAttrs (options.hardware ? firmwareCompression) { + hardware.firmwareCompression = "xz"; + }; +} diff --git a/justfile b/justfile index b13d397..2fa83aa 100644 --- a/justfile +++ b/justfile @@ -23,5 +23,8 @@ dd DRIVE ISO: sync USER HOST: rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/ -bootstrap DEST CONFIG ARCH="x86_64-linux": - nix develop .#deploy --command zsh -c "swarsel-bootstrap -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}" +secrets USER HOST: + rsync -rltv -e "ssh -l {{USER}}" /var/tmp/nix-import-encrypted/1000/ {{USER}}@{{HOST}}:/var/tmp/nix-import-encrypted/0 + +bootstrap DEST CONFIG ARCH="x86_64-linux" NODISKODEPS="": + nix develop .#deploy --command zsh -c "swarsel-bootstrap {{NODISKODEPS}} -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}" 
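Review bot: `getty.autologinUser = lib.mkForce "root"` makes every getty of this image an unauthenticated root shell, and the hunk states no assumption about who can reach a console while the image is running. On hosted machines that presumably includes the provider's web or serial console. The existing comment explains the nixos-anywhere convention only; I would extend it to `# root autologin: image is only meant to run for the duration of an install; console access == root`.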
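Review bot: The new `secrets` recipe copies `/var/tmp/nix-import-encrypted/1000/` with `rsync -rltv`, which does not carry permissions over (`-p` is absent), so the file modes on the target follow the remote umask. If that directory holds decrypted import material, as its name and the `extra-builtins-file` setting elsewhere in this commit suggest, the copy under `/var/tmp` could end up readable by other local users on the target. Pinning the modes avoids that: `rsync -rltv --chmod=D700,F600 -e "ssh -l {{USER}}" …`. The hard-coded source UID `1000` and target `0` would also deserve a one-line comment.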
diff --git a/modules/home/common/anki.nix b/modules/home/common/anki.nix index 4c857b7..995cd3a 100644 --- a/modules/home/common/anki.nix +++ b/modules/home/common/anki.nix @@ -1,4 +1,4 @@ -{ lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }: +{ lib, config, pkgs, globals, inputs, confLib, ... }: let moduleName = "anki"; inherit (config.swarselsystems) isPublic isNixos; @@ -23,11 +23,11 @@ in syncMedia = true; autoSyncMediaMinutes = 5; url = "https://${globals.services.ankisync.domain}"; - usernameFile = nixosConfig.sops.secrets.anki-user.path; + usernameFile = confLib.getConfig.sops.secrets.anki-user.path; # this is not the password but the syncKey # get it by logging in or out, saving preferences and then # show details on the "settings wont be saved" dialog - keyFile = nixosConfig.sops.secrets.anki-pw.path; + keyFile = confLib.getConfig.sops.secrets.anki-pw.path; }; addons = let diff --git a/modules/home/common/atuin.nix b/modules/home/common/atuin.nix index 82383f5..f2d79ea 100644 --- a/modules/home/common/atuin.nix +++ b/modules/home/common/atuin.nix @@ -8,6 +8,7 @@ in programs.atuin = { enable = true; enableZshIntegration = true; + enableBashIntegration = true; settings = { auto_sync = true; sync_frequency = "5m"; diff --git a/modules/home/common/bash.nix b/modules/home/common/bash.nix new file mode 100644 index 0000000..ccf99c4 --- /dev/null +++ b/modules/home/common/bash.nix @@ -0,0 +1,20 @@ +{ config, lib, ... }: +{ + options.swarselmodules.bash = lib.mkEnableOption "bash settings"; + config = lib.mkIf config.swarselmodules.bash { + + programs.bash = { + enable = true; + # needed for remote builders + bashrcExtra = lib.mkIf (!config.swarselsystems.isNixos) '' + export PATH="/nix/var/nix/profiles/default/bin:$PATH" + ''; + historyFile = "${config.home.homeDirectory}/.histfile"; + historySize = 100000; + historyFileSize = 100000; + historyControl = [ + "ignoreboth" + ]; + }; + }; +} 
diff --git a/modules/home/common/element.nix b/modules/home/common/element.nix index f9ba831..0398726 100644 --- a/modules/home/common/element.nix +++ b/modules/home/common/element.nix @@ -1,4 +1,4 @@ -{ lib, config, ... }: +{ lib, config, globals, ... }: let moduleName = "element-desktop"; in @@ -10,7 +10,7 @@ in settings = { default_server_config = { "m.homeserver" = { - base_url = "https://swatrix.swarsel.win/"; + base_url = "https://${globals.services.matrix.domain}/"; }; }; UIFeature = { diff --git a/modules/home/common/emacs.nix b/modules/home/common/emacs.nix index 4fe4d82..22d01cd 100644 --- a/modules/home/common/emacs.nix +++ b/modules/home/common/emacs.nix @@ -109,12 +109,14 @@ in secrets = { fever-pw = { path = "${homeDir}/.emacs.d/.fever"; }; emacs-radicale-pw = { }; + github-forge-token = { }; }; templates = { authinfo = { path = "${homeDir}/.emacs.d/.authinfo"; content = '' machine ${globals.services.radicale.domain} login ${radicaleUser} password ${config.sops.placeholder.emacs-radicale-pw} + machine api.github.com login ${mainUser}^forge password ${config.sops.placeholder.github-forge-token} ''; }; }; diff --git a/modules/home/common/env.nix b/modules/home/common/env.nix index f2f463d..4fb6ae4 100644 --- a/modules/home/common/env.nix +++ b/modules/home/common/env.nix 
@@ -1,8 +1,8 @@ -{ lib, config, nixosConfig ? config, ... }: +{ lib, config, confLib, globals, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; - inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; - inherit (nixosConfig.repo.secrets.common) fullName openrouterApi; + inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; + inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain; inherit (config.swarselsystems) isPublic homeDir; DISPLAY = ":0"; @@ -16,7 +16,14 @@ in } // (lib.optionalAttrs (!isPublic) { }); systemd.user.sessionVariables = { DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; + FLAKE = "${config.home.homeDirectory}/.dotfiles"; } // lib.optionalAttrs (!isPublic) { + SWARSEL_DOMAIN = globals.domains.main; + SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain; + SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain; + SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain; + SWARSEL_INSTA_DOMAIN = instaDomain; + SWARSEL_SPORT_DOMAIN = sportDomain; SWARSEL_MAIL1 = address1; SWARSEL_MAIL2 = address2; SWARSEL_MAIL3 = address3; @@ -29,7 +36,7 @@ in SWARSEL_CAL3NAME = source3-name; SWARSEL_FULLNAME = fullName; SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses; - GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path; + GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path; OPENROUTER_API_KEY = openrouterApi; }; }; diff --git a/modules/home/common/gammastep.nix b/modules/home/common/gammastep.nix index c8862c8..07d6644 100644 --- a/modules/home/common/gammastep.nix +++ b/modules/home/common/gammastep.nix 
@@ -1,6 +1,6 @@ -{ lib, config, nixosConfig ? config, ... }: +{ lib, config, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.location) latitude longitude; + inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude; in { options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings"; diff --git a/modules/home/common/git.nix b/modules/home/common/git.nix index 1fb7ad8..cda162b 100644 --- a/modules/home/common/git.nix +++ b/modules/home/common/git.nix @@ -1,7 +1,7 @@ -{ lib, config, globals, minimal, nixosConfig ? config, ... }: +{ lib, config, globals, minimal, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (confLib.getConfig.repo.secrets.common.mail) address1; + inherit (confLib.getConfig.repo.secrets.common) fullName; gitUser = globals.user.name; in diff --git a/modules/home/common/hexchat.nix b/modules/home/common/hexchat.nix index f0d813a..97f70c0 100644 --- a/modules/home/common/hexchat.nix +++ b/modules/home/common/hexchat.nix @@ -1,7 +1,7 @@ -{ lib, config, nixosConfig ? config, ... }: +{ lib, config, confLib, ... }: let moduleName = "hexchat"; - inherit (nixosConfig.repo.secrets.common.irc) irc_nick1; + inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1; in { options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings"; diff --git a/modules/home/common/mail.nix b/modules/home/common/mail.nix index 690eb0d..6c46e4a 100644 --- a/modules/home/common/mail.nix +++ b/modules/home/common/mail.nix 
@@ -1,7 +1,7 @@ -{ lib, config, inputs, nixosConfig ? config, ... }: +{ lib, config, inputs, globals, confLib, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; + inherit (confLib.getConfig.repo.secrets.common) fullName; inherit (config.swarselsystems) xdgDir; in { @@ -123,24 +123,43 @@ in maildirBasePath = "Mail"; accounts = { swarsel = { - address = address4; - userName = address4-user; - realName = fullName; - passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}"; - smtp = { - host = address4-host; - port = 587; - tls = { - enable = true; - useStartTls = true; - }; + imap = { + host = globals.services.mailserver.domain; + port = 993; + tls.enable = true; # SSL/TLS }; - mu.enable = false; + smtp = { + host = globals.services.mailserver.domain; + port = 465; + tls.enable = true; # SSL/TLS + }; + thunderbird = { + enable = true; + profiles = [ "default" ]; + }; + address = address4; + userName = address4; + realName = fullName; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}"; + mu.enable = true; msmtp = { enable = true; }; mbsync = { - enable = false; + enable = true; + create = "maildir"; + expunge = "both"; + patterns = [ "*" ]; + extraConfig = { + channel = { + Sync = "All"; + }; + account = { + Timeout = 120; + PipelineDepth = 1; + AuthMechs = "LOGIN"; + }; + }; }; }; @@ -150,7 +169,7 @@ in address = address1; userName = address1; realName = fullName; - passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}"; gpg = { key = "0x76FD3810215AE097"; signByDefault = true; 
@@ -164,7 +183,7 @@ in address = address2; userName = address2; realName = address2-name; - passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}"; } defaultSettings; @@ -174,7 +193,7 @@ in address = address3; userName = address3; realName = address3-name; - passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}"; + passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}"; } defaultSettings; diff --git a/modules/home/common/nix-index.nix b/modules/home/common/nix-index.nix index 42aa8d1..b749bf8 100644 --- a/modules/home/common/nix-index.nix +++ b/modules/home/common/nix-index.nix @@ -14,11 +14,13 @@ in { + enable = true; package = pkgs.symlinkJoin { name = "nix-index"; paths = [ commandNotFound ]; }; }; + programs.nix-index-database.comma.enable = true; }; } diff --git a/modules/home/common/obsidian.nix b/modules/home/common/obsidian.nix index 5020502..03219bc 100644 --- a/modules/home/common/obsidian.nix +++ b/modules/home/common/obsidian.nix @@ -1,7 +1,7 @@ -{ lib, config, pkgs, nixosConfig ? config, ... }: +{ lib, config, pkgs, confLib, ... }: let moduleName = "obsidian"; - inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters; + inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters; name = "Main"; in { diff --git a/modules/home/common/opkssh.nix b/modules/home/common/opkssh.nix index 9d5b86d..1481701 100644 --- a/modules/home/common/opkssh.nix +++ b/modules/home/common/opkssh.nix @@ -1,4 +1,4 @@ -{ lib, config, ... }: +{ lib, config, globals, ... }: let moduleName = "opkssh"; in @@ -13,7 +13,7 @@ in providers = [ { alias = "kanidm"; - issuer = "https://sso.swarsel.win/oauth2/openid/opkssh"; + issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh"; client_id = "opkssh"; scopes = "openid email profile"; redirect_uris = [ 
diff --git a/modules/home/common/packages.nix b/modules/home/common/packages.nix index a1c84bf..e9dbb00 100644 --- a/modules/home/common/packages.nix +++ b/modules/home/common/packages.nix @@ -25,6 +25,9 @@ # ssh login using idm opkssh + # cache + attic-client + # dict (aspellWithDicts (dicts: with dicts; [ de en en-computers en-science ])) @@ -60,7 +63,6 @@ nix-inspect nixpkgs-review manix - comma # shellscripts shfmt diff --git a/modules/home/common/settings.nix b/modules/home/common/settings.nix index 3793cbc..c624b34 100644 --- a/modules/home/common/settings.nix +++ b/modules/home/common/settings.nix @@ -1,6 +1,7 @@ -{ self, outputs, lib, pkgs, config, ... }: +{ self, outputs, lib, pkgs, config, globals, confLib, ... }: let inherit (config.swarselsystems) mainUser flakePath isNixos isLinux; + inherit (confLib.getConfig.repo.secrets.common) atticPublicKey; in { options.swarselmodules.general = lib.mkEnableOption "general nix settings"; @@ -22,7 +23,7 @@ in }; in '' - plugin-files = ${nix-plugins}/lib/nix/plugins + plugin-files = ${nix-plugins}/lib/nix/plugins extra-builtins-file = ${self + /nix/extra-builtins.nix} ''; settings = { @@ -33,7 +34,17 @@ in "cgroups" "pipe-operators" ]; - trusted-users = [ "@wheel" "${mainUser}" ]; + substituters = [ + "https://${globals.services.attic.domain}/${mainUser}" + ]; + trusted-public-keys = [ + atticPublicKey + ]; + trusted-users = [ + "@wheel" + "${mainUser}" + (lib.mkIf config.swarselmodules.server.ssh-builder "builder") + ]; connect-timeout = 5; bash-prompt-prefix = "$SHLVL:\\w "; bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; diff --git a/modules/home/common/sops.nix b/modules/home/common/sops.nix index abf4a38..64bbc28 100644 --- a/modules/home/common/sops.nix +++ b/modules/home/common/sops.nix 
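Review bot: Adding `"builder"` to `trusted-users` in the settings.nix hunk gives the remote-build account the same standing with the Nix daemon as `@wheel`. A trusted user can override substituters and import store paths without signature checks, which is generally treated as root-equivalent on that machine, so the SSH key for that account becomes a high-value credential. Consider whether the builder can work with signed paths instead, or document the trade-off next to the entry, e.g. `# builder is trusted so build inputs can be copied in unsigned; its key must be treated like a root credential`. The declaration of `config.swarselmodules.server.ssh-builder` is not visible here, so it is worth confirming that the option exists in this module set.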
@@ -6,8 +6,8 @@ in options.swarselmodules.sops = lib.mkEnableOption "sops settings"; config = lib.optionalAttrs (inputs ? sops) { sops = { - age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${homeDir}/.ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = "${homeDir}/.dotfiles/secrets/general/secrets.yaml"; + age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml"; validateSopsFiles = false; }; diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix index 562f68a..e575925 100644 --- a/modules/home/common/ssh.nix +++ b/modules/home/common/ssh.nix @@ -1,7 +1,7 @@ -{ lib, config, nixosConfig ? config, ... }: +{ inputs, lib, config, confLib, ... }: { options.swarselmodules.ssh = lib.mkEnableOption "ssh settings"; - config = lib.mkIf config.swarselmodules.ssh { + config = lib.mkIf config.swarselmodules.ssh ({ programs.ssh = { enable = true; enableDefaultConfig = false; @@ -18,11 +18,15 @@ serverAliveCountMax = 3; hashKnownHosts = false; userKnownHostsFile = "~/.ssh/known_hosts"; - controlMaster = "no"; + controlMaster = "auto"; controlPath = "~/.ssh/master-%r@%n:%p"; - controlPersist = "no"; + controlPersist = "5m"; }; - } // nixosConfig.repo.secrets.common.ssh.hosts; + } // confLib.getConfig.repo.secrets.common.ssh.hosts; }; - }; + } // lib.optionalAttrs (inputs ? sops) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; }; + }; + }); } diff --git a/modules/home/common/sway.nix b/modules/home/common/sway.nix index 12ebb83..83f894a 100644 --- a/modules/home/common/sway.nix +++ b/modules/home/common/sway.nix 
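Review bot: `controlMaster = "auto"` with `controlPersist = "5m"` in the second ssh.nix hunk keeps an authenticated master socket under `~/.ssh/master-%r@%n:%p` for five minutes after the last session. During that window any process running as the user can open further sessions to the same host without a new key operation, so an agent confirmation or hardware-key touch is not asked for again. If the change is meant for remote-builder traffic, scoping these three options to the builder host entries would keep the other hosts on per-connection authentication; otherwise add a comment such as `# multiplexing: sessions within 5m reuse the authenticated master, no re-auth`. The match block these options belong to starts outside the hunk.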
@@ -1,4 +1,4 @@ -{ config, lib, vars, nixosConfig ? config, ... }: +{ config, lib, vars, confLib, ... }: let eachOutput = _: monitor: { inherit (monitor) name; @@ -381,7 +381,7 @@ in export XDG_CURRENT_DESKTOP=sway; export XDG_SESSION_DESKTOP=sway; export _JAVA_AWT_WM_NONREPARENTING=1; - export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path}; + export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path}; '' + vars.waylandExports; # extraConfigEarly = " # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK diff --git a/modules/home/common/yubikey.nix b/modules/home/common/yubikey.nix index 3a5507b..095e90c 100644 --- a/modules/home/common/yubikey.nix +++ b/modules/home/common/yubikey.nix @@ -1,4 +1,4 @@ -{ lib, config, inputs, nixosConfig ? config, ... }: +{ lib, config, inputs, confLib, ... }: let inherit (config.swarselsystems) homeDir; in @@ -9,8 +9,8 @@ in pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) { ids = [ - nixosConfig.repo.secrets.common.yubikeys.dev1 - nixosConfig.repo.secrets.common.yubikeys.dev2 + confLib.getConfig.repo.secrets.common.yubikeys.dev1 + confLib.getConfig.secrets.common.yubikeys.dev2 ]; }; } // lib.optionalAttrs (inputs ? sops) { diff --git a/modules/home/common/zsh.nix b/modules/home/common/zsh.nix index 30aa13c..7f7b6e3 100644 --- a/modules/home/common/zsh.nix +++ b/modules/home/common/zsh.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }: +{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }: let inherit (config.swarselsystems) flakePath isNixos; crocDomain = globals.services.croc.domain; 
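Review bot: In the second yubikey.nix hunk the second id became `confLib.getConfig.secrets.common.yubikeys.dev2`, which drops the `repo.` segment that the first id and the removed line both carry. Unless `getConfig` really exposes a top-level `secrets` attribute, this fails evaluation whenever `isNixos && !isPublic` holds, and the second key is never authorised. The line should read `confLib.getConfig.repo.secrets.common.yubikeys.dev2`.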
@@ -67,7 +67,10 @@ in }; history = { expireDuplicatesFirst = true; - path = "$HOME/.histfile"; + append = true; + ignoreSpace = true; + ignoreDups = true; + path = "${config.home.homeDirectory}/.histfile"; save = 100000; size = 100000; }; @@ -124,8 +127,8 @@ in ''; sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) { CROC_RELAY = crocDomain; - CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})"; - GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; + CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})"; + GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins"; # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox"; }; diff --git a/modules/home/optional/framework.nix b/modules/home/optional/framework.nix index 9e8a9d8..3d4baab 100644 --- a/modules/home/optional/framework.nix +++ b/modules/home/optional/framework.nix @@ -1,7 +1,6 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; - config = lib.mkIf config.swarselmodules.optional.framework { + config = { swarselsystems = { inputs = { "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = { diff --git a/modules/home/optional/gaming.nix b/modules/home/optional/gaming.nix index d9657db..04b2817 100644 --- a/modules/home/optional/gaming.nix +++ b/modules/home/optional/gaming.nix @@ -1,10 +1,9 @@ -{ lib, config, pkgs, nixosConfig ? config, ... }: +{ config, pkgs, confLib, ... }: let inherit (config.swarselsystems) isNixos; in { - options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; - config = lib.mkIf config.swarselmodules.optional.gaming { + config = { # specialisation = { # gaming.configuration = { home.packages = with pkgs; [ 
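Review bot: `CROC_PASS` and `GITHUB_TOKEN` in the zsh.nix `sessionVariables` hunk keep the `… .path or ""` fallback, so when the secret is not declared the exported value becomes `$(cat )` and `cat` reads stdin during shell start-up. Both values are also exported into the environment of every process started from the shell, which is wider than croc and nixpkgs-review need. I would define the two variables only when the secret exists, e.g. wrap them in `lib.optionalAttrs (confLib.getConfig.sops.secrets ? croc-password) { … }`, and note in a comment that the token is inherited by child processes. The `sessionVariables` block sits inside a larger attribute set that starts outside the hunk.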
@@ -44,7 +43,7 @@ in gamescope umu-launcher ]; - steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam; + steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam; winePackages = with pkgs; [ wineWow64Packages.waylandFull ]; diff --git a/modules/home/common/niri.nix b/modules/home/optional/niri.nix similarity index 99% rename from modules/home/common/niri.nix rename to modules/home/optional/niri.nix index 699881f..5873b62 100644 --- a/modules/home/common/niri.nix +++ b/modules/home/optional/niri.nix @@ -1,5 +1,8 @@ -{ config, pkgs, lib, vars, ... }: +{ inputs, config, pkgs, lib, vars, ... }: { + imports = [ + inputs.niri-flake.homeModules.niri + ]; options.swarselmodules.niri = lib.mkEnableOption "niri settings"; config = lib.mkIf config.swarselmodules.niri { diff --git a/modules/home/optional/uni.nix b/modules/home/optional/uni.nix index ef2d2c4..a841620 100644 --- a/modules/home/optional/uni.nix +++ b/modules/home/optional/uni.nix 
@@ -1,24 +1,22 @@ -{ config, lib, nixosConfig ? config, ... }: +{ confLib, ... }: { - options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings"; - config = lib.mkIf config.swarselmodules.optional.uni - { - services.pizauth = { - enable = true; - accounts = { - uni = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}"; - }; + config = { + services.pizauth = { + enable = true; + accounts = { + uni = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}"; }; }; }; + }; } diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index 006638a..26b377a 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix 
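Review bot: `clientSecret` in the uni.nix hunk stays a string literal in the committed module and, as a plain option value, presumably also ends up in the world-readable Nix store, unlike the other credentials in this commit that are referenced through sops paths. If it is the published client credential of a public mail client rather than a private registration, a comment such as `# public OAuth client credentials, not a private secret` would stop readers and secret scanners from treating it as a leak. If it is private, it should be supplied from a secret instead and rotated. The hunk also removes the `lib.mkIf config.swarselmodules.optional.uni` guard, so the account is now configured wherever the file is imported.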
@@ -1,394 +1,425 @@ -{ self, inputs, config, pkgs, lib, vars, nixosConfig ? config, ... }: +{ self, inputs, config, pkgs, lib, vars, confLib, ... }: let inherit (config.swarselsystems) homeDir mainUser; - inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses; - inherit (nixosConfig.repo.secrets.local.work) mailAddress; + inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; + inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; certsSopsFile = self + /secrets/certs/secrets.yaml; in { - options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; - config = lib.mkIf config.swarselmodules.optional.work - ({ - home = { - packages = with pkgs; [ - stable.teams-for-linux - shellcheck - dig - docker - postman - # rclone - libguestfs-with-appliance - prometheus.cli - tigervnc - # openstackclient + options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption; + config = { + home = { + packages = with pkgs; [ + stable.teams-for-linux + shellcheck + dig + docker + postman + # rclone + libguestfs-with-appliance + prometheus.cli + tigervnc + # openstackclient - vscode + vscode + dev.antigravity - rustdesk-vbc + rustdesk-vbc + ]; + sessionVariables = { + AWS_CA_BUNDLE = confLib.getConfig.sops.secrets.harica-root-ca.path; + }; + }; + systemd.user.sessionVariables = { + DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; + } // lib.optionalAttrs (!config.swarselsystems.isPublic) { + SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; + SWARSEL_MAIL_WORK = lib.mkForce mailAddress; + }; + + accounts.email.accounts.work = + let + inherit (confLib.getConfig.repo.secrets.local.work) mailName; + in + { + primary = false; + address = mailAddress; + userName = mailAddress; + realName = mailName; + passwordCommand = "pizauth show work"; + imap = { + host = "outlook.office365.com"; + port = 993; + tls.enable = true; # SSL/TLS + }; + smtp = { + host = "outlook.office365.com"; + port = 587; + tls = { + enable = true; 
# SSL/TLS + useStartTls = true; + }; + }; + thunderbird = { + enable = true; + profiles = [ "default" ]; + settings = id: { + "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth + "mail.server.server_${id}.authMethod" = 10; # oauth + # "toolkit.telemetry.enabled" = false; + # "toolkit.telemetry.rejected" = true; + # "toolkit.telemetry.prompted" = 2; + }; + }; + msmtp = { + enable = true; + extraConfig = { + auth = "xoauth2"; + host = "outlook.office365.com"; + protocol = "smtp"; + port = "587"; + tls = "on"; + tls_starttls = "on"; + from = "${mailAddress}"; + user = "${mailAddress}"; + passwordeval = "pizauth show work"; + }; + }; + mu.enable = true; + mbsync = { + enable = true; + expunge = "both"; + patterns = [ "INBOX" ]; + extraConfig = { + account = { + AuthMechs = "XOAUTH2"; + }; + }; + }; + }; + + # wayland.windowManager.sway.config = { + # output = { + # "Applied Creative Technology Transmitter QUATTRO201811" = { + # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; + # }; + # "Hewlett Packard HP Z24i CN44250RDT" = { + # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; + # }; + # "HP Inc. 
HP 732pk CNC4080YL5" = { + # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; + # }; + # }; + # }; + + wayland.windowManager.sway = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; + in + { + config = { + keybindings = + let + inherit (config.wayland.windowManager.sway.config) modifier; + in + { + "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; + "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; + }; + }; + }; + + stylix = { + targets.firefox.profileNames = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; + in + [ + "${user1}" + "${user2}" + "${user3}" + "work" ]; - sessionVariables = { - AWS_CA_BUNDLE = nixosConfig.sops.secrets.harica-root-ca.path; + }; + + programs = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; + in + { + openstackclient = { + enable = true; + inherit clouds; }; - }; - systemd.user.sessionVariables = { - DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; - } // lib.optionalAttrs (!config.swarselsystems.isPublic) { - SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; - SWARSEL_MAIL_WORK = lib.mkForce mailAddress; - }; - - accounts.email.accounts.work = - let - inherit (nixosConfig.repo.secrets.local.work) mailName; - in - { - primary = false; - address = mailAddress; - userName = mailAddress; - realName = mailName; - passwordCommand = "pizauth show work"; - imap = { - host = "outlook.office365.com"; - port = 993; - tls.enable = true; # SSL/TLS - }; - smtp = { - host = "outlook.office365.com"; - port = 587; - tls = { - enable = true; # SSL/TLS - useStartTls = true; - }; - }; - thunderbird = { - enable = true; - profiles = [ "default" ]; - settings = id: { - 
"mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth - "mail.server.server_${id}.authMethod" = 10; # oauth - # "toolkit.telemetry.enabled" = false; - # "toolkit.telemetry.rejected" = true; - # "toolkit.telemetry.prompted" = 2; - }; - }; - msmtp = { - enable = true; - extraConfig = { - auth = "xoauth2"; - host = "outlook.office365.com"; - protocol = "smtp"; - port = "587"; - tls = "on"; - tls_starttls = "on"; - from = "${mailAddress}"; - user = "${mailAddress}"; - passwordeval = "pizauth show work"; - }; - }; - mu.enable = true; - mbsync = { - enable = true; - expunge = "both"; - patterns = [ "INBOX" ]; - extraConfig = { - account = { - AuthMechs = "XOAUTH2"; - }; - }; - }; + awscli = { + enable = true; + package = pkgs.stable24_05.awscli2; + # settings = { + # "default" = { }; + # "profile s3-imagebuilder-prod" = { }; + # }; + # credentials = { + # "s3-imagebuilder-prod" = { + # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; + # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; + # }; + # }; }; + git.settings.user.email = lib.mkForce gitMail; - # wayland.windowManager.sway.config = { - # output = { - # "Applied Creative Technology Transmitter QUATTRO201811" = { - # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; - # }; - # "Hewlett Packard HP Z24i CN44250RDT" = { - # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; - # }; - # "HP Inc. 
HP 732pk CNC4080YL5" = { - # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; - # }; - # }; - # }; - - wayland.windowManager.sway = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; - in - { - config = { - keybindings = - let - inherit (config.wayland.windowManager.sway.config) modifier; - in - { - "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; - "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; - }; + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; }; - }; - - stylix = { - targets.firefox.profileNames = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - [ - "${user1}" - "${user2}" - "${user3}" - "work" + cdpath = [ + "~/Documents/Work" ]; - }; - - programs = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; - in - { - openstackclient = { - enable = true; - inherit clouds; - }; - awscli = { - enable = true; - package = pkgs.stable24_05.awscli2; - # settings = { - # "default" = { }; - # "profile s3-imagebuilder-prod" = { }; - # }; - # credentials = { - # "s3-imagebuilder-prod" = { - # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; - # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; - # }; - # }; - }; - git.settings.user.email = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - - sessionVariables 
= { - VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})"; - VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})"; - GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})"; - GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})"; - GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})"; - GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})"; - GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})"; - GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})"; - GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})"; - GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})"; - }; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; }; - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - "${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "${site1}|${site2}"; - }; - } - vars.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - vars.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } 
- vars.firefox; - work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - vars.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; + sessionVariables = { + VSPHERE_USER = "$(cat ${confLib.getConfig.sops.secrets.vcuser.path})"; + VSPHERE_PW = "$(cat ${confLib.getConfig.sops.secrets.vcpw.path})"; + GOVC_USERNAME = "$(cat ${confLib.getConfig.sops.secrets.govcuser.path})"; + GOVC_PASSWORD = "$(cat ${confLib.getConfig.sops.secrets.govcpw.path})"; + GOVC_URL = "$(cat ${confLib.getConfig.sops.secrets.govcurl.path})"; + GOVC_DATACENTER = "$(cat ${confLib.getConfig.sops.secrets.govcdc.path})"; + GOVC_DATASTORE = "$(cat ${confLib.getConfig.sops.secrets.govcds.path})"; + GOVC_HOST = "$(cat ${confLib.getConfig.sops.secrets.govchost.path})"; + GOVC_RESOURCE_POOL = "$(cat ${confLib.getConfig.sops.secrets.govcpool.path})"; + GOVC_NETWORK = "$(cat ${confLib.getConfig.sops.secrets.govcnetwork.path})"; }; }; - services = { - kanshi = { - settings = [ + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = 
"${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in { - # seminary room - output = { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - }; - } - { - # work main screen - output = { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.0; - mode = "3840x2160"; - }; - } - { - # work side screen - output = { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - }; - } - { - profile = { + "${user1}" = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "${site1}|${site2}"; + }; + } + vars.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + vars.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + vars.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + vars.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + + services = { + kanshi = { + settings = [ + { + # seminary room + output = { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + }; + } + { + # work main screen + output = { + criteria = "HP Inc. 
HP 732pk CNC4080YL5"; + scale = 1.0; + mode = "3840x2160"; + }; + } + { + # work side screen + output = { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + }; + } + { + profile = { + name = "lidopen"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.5; + position = "1462,0"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "90"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { name = "lidopen"; exec = [ "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" ]; outputs = [ { criteria = config.swarselsystems.sharescreen; status = "enable"; - scale = 1.5; - position = "1462,0"; + scale = 1.7; + position = "2560,0"; } { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; scale = 1.0; - mode = "1920x1200"; - transform = "90"; - position = "-2480,0"; + mode = "1280x720"; + position = "10000,10000"; } ]; }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in + } + { + profile = { + name = "lidclosed"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ { - name = "lidopen"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.7; - position = "2560,0"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - { - profile = { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { name = "lidclosed"; exec = [ - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" ]; outputs = [ { 
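Review bot: `programs.zsh.sessionVariables` still sets `VSPHERE_PW` and `GOVC_PASSWORD` to `$(cat ${confLib.getConfig.sops.secrets.….path})`, so every zsh session exports the decrypted vSphere credentials and every child process inherits them. The rename from `nixosConfig` to `confLib.getConfig` would be a good moment to read them only when needed, for example in a small wrapper function around the tools that use them, and to leave a comment here such as `# credentials are loaded by the govc wrapper, not exported globally`. The commented-out `credentials` block under `awscli` also keeps an `aws_access_key_id` literal in the repository; it can be dropped or moved into the secrets file. The `config` attribute set continues past the end of this hunk.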
@@ -396,271 +427,240 @@ in status = "disable"; } { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; scale = 1.0; - mode = "1920x1200"; - transform = "270"; - position = "-2480,0"; + mode = "1280x720"; + position = "10000,10000"; } ]; }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in - { - name = "lidclosed"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - ]; - }; - }; - - systemd.user.services = { - pizauth.Service = { - ExecStartPost = [ - "${pkgs.toybox}/bin/sleep 1" - "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" - ]; - }; - - teams-applet = { - Unit = { - Description = "teams applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" - ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; - }; - }; - - onepassword-applet = { - Unit = { - Description = "1password applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" - ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs._1password-gui}/bin/1password"; - }; - }; - - }; - - services.pizauth = { - enable = true; - 
extraConfig = '' - auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; - error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; - token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; - ''; - accounts = { - work = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}"; - }; - }; - - }; - - xdg = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; - }; - }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = "Firefox ${user1}"; - exec = "firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - - - }; - }; - swarselsystems = { - startup = [ - # { command = "nextcloud --background"; } - # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto 
--enable-features=WaylandWindowDecorations --enable-wayland-ime"; } - # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } - # { command = "anki"; } - # { command = "obsidian"; } - # { command = "nm-applet"; } - # { command = "feishin"; } - # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } - # { command = "1password"; } + } ]; - monitors = { - work_back_middle = rec { - name = "LG Electronics LG Ultra HD 0x000305A6"; - mode = "2560x1440"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-10"; - output = name; - }; - work_front_left = rec { - name = "LG Electronics LG Ultra HD 0x0007AB45"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-7"; - output = name; - }; - work_back_right = rec { - name = "HP Inc. HP Z32 CN41212T55"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-3"; - output = name; - }; - work_middle_middle_main = rec { - name = "HP Inc. HP 732pk CNC4080YL5"; - mode = "3840x2160"; - scale = "1"; - position = "-1280,0"; - workspace = "11:M"; - # output = "DP-8"; - output = name; - }; - work_middle_middle_side = rec { - name = "Hewlett Packard HP Z24i CN44250RDT"; - mode = "1920x1200"; - transform = "270"; - scale = "1"; - position = "-2480,0"; - workspace = "12:S"; - # output = "DP-9"; - output = name; - }; - work_seminary = rec { - name = "Applied Creative Technology Transmitter QUATTRO201811"; - mode = "1280x720"; - scale = "1"; - position = "10000,10000"; # i.e. 
this screen is inaccessible by moving the mouse - workspace = "14:T"; - # output = "DP-4"; - output = name; - }; - }; - inputs = { - "1133:45081:MX_Master_2S_Keyboard" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { - # dwt = "enabled"; - # tap = "enabled"; - # natural_scroll = "enabled"; - # middle_emulation = "enabled"; - # drag_lock = "disabled"; - # }; - "1133:50504:Logitech_USB_Receiver" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - "1133:45944:MX_KEYS_S" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; + }; + }; + + systemd.user.services = { + pizauth.Service = { + ExecStartPost = [ + "${pkgs.toybox}/bin/sleep 1" + "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" + ]; + }; + + teams-applet = { + Unit = { + Description = "teams applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; }; - }; - } // lib.optionalAttrs (inputs ? 
sops) { - sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { - harica-root-ca = { - sopsFile = certsSopsFile; - path = "${homeDir}/.aws/certs/harica-root.pem"; - owner = mainUser; + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }; }; - }); + onepassword-applet = { + Unit = { + Description = "1password applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; + }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs._1password-gui}/bin/1password"; + }; + }; + + }; + + services.pizauth = { + enable = true; + extraConfig = '' + auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; + error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; + token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; + ''; + accounts = { + work = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${confLib.getConfig.repo.secrets.local.work.mailAddress}"; + }; + }; + + }; + + xdg = + let + inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; + in + { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + }; + }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + 
icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; + }; + swarselsystems = { + startup = [ + # { command = "nextcloud --background"; } + # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } + # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } + # { command = "anki"; } + # { command = "obsidian"; } + # { command = "nm-applet"; } + # { command = "feishin"; } + # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } + # { command = "1password"; } + ]; + monitors = { + work_back_middle = rec { + name = "LG Electronics LG Ultra HD 0x000305A6"; + mode = "2560x1440"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-10"; + output = name; + }; + work_front_left = rec { + name = "LG Electronics LG Ultra HD 0x0007AB45"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-7"; + output = name; + }; + work_back_right = rec { + name = "HP Inc. HP Z32 CN41212T55"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-3"; + output = name; + }; + work_middle_middle_main = rec { + name = "HP Inc. 
HP 732pk CNC4080YL5"; + mode = "3840x2160"; + scale = "1"; + position = "-1280,0"; + workspace = "11:M"; + # output = "DP-8"; + output = name; + }; + work_middle_middle_side = rec { + name = "Hewlett Packard HP Z24i CN44250RDT"; + mode = "1920x1200"; + transform = "270"; + scale = "1"; + position = "-2480,0"; + workspace = "12:S"; + # output = "DP-9"; + output = name; + }; + work_seminary = rec { + name = "Applied Creative Technology Transmitter QUATTRO201811"; + mode = "1280x720"; + scale = "1"; + position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse + workspace = "14:T"; + # output = "DP-4"; + output = name; + }; + }; + inputs = { + "1133:45081:MX_Master_2S_Keyboard" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { + # dwt = "enabled"; + # tap = "enabled"; + # natural_scroll = "enabled"; + # middle_emulation = "enabled"; + # drag_lock = "disabled"; + # }; + "1133:50504:Logitech_USB_Receiver" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + "1133:45944:MX_KEYS_S" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + }; + + }; + } // lib.optionalAttrs (inputs ? sops) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + harica-root-ca = { + sopsFile = certsSopsFile; + path = "${homeDir}/.aws/certs/harica-root.pem"; + owner = mainUser; + }; + }; + + }; } diff --git a/modules/nixos/client/network.nix b/modules/nixos/client/network.nix index aad336f..d878939 100644 --- a/modules/nixos/client/network.nix +++ b/modules/nixos/client/network.nix @@ -1,4 +1,4 @@ -{ self, lib, pkgs, config, ... }: +{ self, lib, pkgs, config, globals, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml; 
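Review bot: `token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state";` writes pizauth's token state unencrypted into the home directory with whatever umask the daemon runs under. With the `offline_access` scope that state presumably includes refresh tokens for the mailbox. Creating the file owner-only is a one-line change, `token_event_cmd = "umask 077; pizauth dump > ${homeDir}/.pizauth.state";`, though it only affects a newly created file, so an existing `.pizauth.state` needs a one-time `chmod 600`. Encrypting the dump before it is written is the stronger option and would need a matching decrypt in the `pizauth restore` line of `ExecStartPost`.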
@@ -50,7 +50,7 @@ in networking = { inherit (config.swarselsystems) hostName; hosts = { - "192.168.178.24" = [ "store.swarsel.win" ]; + "${globals.networks.home-lan.hosts.winters.ipv4}" = [ globals.services.transmission.domain ]; }; wireless.iwd = { enable = true; diff --git a/modules/nixos/client/packages.nix b/modules/nixos/client/packages.nix index b4233eb..f52bfd4 100644 --- a/modules/nixos/client/packages.nix +++ b/modules/nixos/client/packages.nix @@ -30,8 +30,9 @@ libsForQt5.qt5.qtwayland - # nix package database - nix-index + # do not do this! clashes with the flake + # nix-index + nixos-generators # commit hooks @@ -47,6 +48,9 @@ # better make for general tasks just + # sops + ssh-to-age + sops # keyboards qmk diff --git a/modules/nixos/client/remotebuild.nix b/modules/nixos/client/remotebuild.nix new file mode 100644 index 0000000..0ce54c3 --- /dev/null +++ b/modules/nixos/client/remotebuild.nix 
@@ -0,0 +1,85 @@ +{ lib, config, globals, ... }: +let + inherit (config.swarselsystems) homeDir mainUser isClient; +in +{ + options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine"; + config = lib.mkIf config.swarselmodules.remotebuild { + + sops.secrets = { + builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; }; + nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; }; + }; + + nix = { + settings.builders-use-substitutes = true; + distributedBuilds = true; + buildMachines = [ + (lib.mkIf isClient { + hostName = config.repo.secrets.common.builder1-ip; + system = "aarch64-linux"; + maxJobs = 20; + speedFactor = 10; + }) + (lib.mkIf isClient { + hostName = globals.hosts.belchsfactory.wanAddress4; + system = "aarch64-linux"; + maxJobs = 4; + speedFactor = 2; + protocol = "ssh-ng"; + }) + { + hostName = "eu.nixbuild.net"; + system = "x86_64-linux"; + maxJobs = 100; + speedFactor = 2; + supportedFeatures = [ "big-parallel" ]; + } + ]; + }; + programs.ssh = { + knownHosts = { + nixbuild = { + hostNames = [ "eu.nixbuild.net" ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM"; + }; + builder1 = lib.mkIf isClient { + hostNames = [ config.repo.secrets.common.builder1-ip ]; + publicKey = config.repo.secrets.common.builder1-pubHostKey; + }; + jump = lib.mkIf isClient { + hostNames = [ globals.hosts.liliputsteps.wanAddress4 ]; + publicKey = config.repo.secrets.common.jump-pubHostKey; + }; + builder2 = lib.mkIf isClient { + hostNames = [ globals.hosts.belchsfactory.wanAddress4 ]; + publicKey = config.repo.secrets.common.builder2-pubHostKey; + }; + }; + extraConfig = '' + Host eu.nixbuild.net + ConnectTimeout 1 + PubkeyAcceptedKeyTypes ssh-ed25519 + ServerAliveInterval 60 + IPQoS throughput + IdentityFile ${config.sops.secrets.nixbuild-net-key.path} + '' + lib.optionalString isClient '' + Host 
${config.repo.secrets.common.builder1-ip} + ConnectTimeout 1 + User ${mainUser} + IdentityFile ${config.sops.secrets.builder-key.path} + + Host ${globals.hosts.belchsfactory.wanAddress4} + ConnectTimeout 5 + ProxyJump ${globals.hosts.liliputsteps.wanAddress4} + User builder + IdentityFile ${config.sops.secrets.builder-key.path} + + Host ${globals.hosts.liliputsteps.wanAddress4} + ConnectTimeout 1 + User jump + IdentityFile ${config.sops.secrets.builder-key.path} + ''; + }; + }; +} diff --git a/modules/nixos/client/sops.nix b/modules/nixos/client/sops.nix index 2fa10eb..d0ea6f3 100644 --- a/modules/nixos/client/sops.nix +++ b/modules/nixos/client/sops.nix @@ -5,9 +5,8 @@ sops = { # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; - age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; - # defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; - defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; + age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; validateSopsFiles = false; diff --git a/modules/nixos/client/uwsm.nix b/modules/nixos/client/uwsm.nix index 28888f0..5c9d66e 100644 --- a/modules/nixos/client/uwsm.nix +++ b/modules/nixos/client/uwsm.nix 
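Review bot: In `modules/nixos/client/remotebuild.nix` the same `builder-key` is the `IdentityFile` for all three `Host` blocks in `extraConfig` (builder1, belchsfactory and the liliputsteps jump host), so one leaked key opens the bastion and both builders. A dedicated secret for the jump hop would keep the bastion credential separate, for example a `jump-key` entry (the name is only a suggestion) under `sops.secrets` and `IdentityFile ${config.sops.secrets.jump-key.path}` in the last block. `PubkeyAcceptedKeyTypes` is also the deprecated spelling of `PubkeyAcceptedAlgorithms` in current OpenSSH.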
@@ -13,7 +13,7 @@ in comment = "Sway compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/sway"; }; - niri = { + niri = lib.mkIf (config.swarselmodules ? niri) { prettyName = "Niri"; comment = "Niri compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/niri-session"; diff --git a/modules/nixos/common/globals.nix b/modules/nixos/common/globals.nix index c33aa95..9cae3d7 100644 --- a/modules/nixos/common/globals.nix +++ b/modules/nixos/common/globals.nix @@ -82,7 +82,8 @@ let if netSubmod.config.cidrv6 == null then null else - lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; + # if we use the /32 wan address as local address directly, do not use the network address in ipv6 + lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6; }; }; }) @@ -114,13 +115,31 @@ in services = mkOption { type = types.attrsOf ( - types.submodule { + types.submodule (serviceSubmod: { options = { domain = mkOption { type = types.str; }; + subDomain = mkOption { + readOnly = true; + type = types.str; + default = lib.swarselsystems.getSubDomain serviceSubmod.config.domain; + }; + baseDomain = mkOption { + readOnly = true; + type = types.str; + default = lib.swarselsystems.getBaseDomain serviceSubmod.config.domain; + }; + proxyAddress4 = mkOption { + type = types.nullOr types.str; + default = null; + }; + proxyAddress6 = mkOption { + type = types.nullOr types.str; + default = null; + }; }; - } + }) ); }; @@ -163,6 +182,12 @@ in defaultGateway6 = mkOption { type = types.nullOr types.net.ipv6; }; + wanAddress4 = mkOption { + type = types.nullOr types.net.ipv4; + }; + wanAddress6 = mkOption { + type = types.nullOr types.net.ipv6; + }; }; } ); @@ -172,6 +197,10 @@ in main = mkOption { type = types.str; }; + externalDns = mkOption { + type = types.listOf types.str; + description = "List of external dns nameservers"; + }; }; }; }; 
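Review bot: In `modules/nixos/client/uwsm.nix`, `config.swarselmodules ? niri` only tests that the option is declared, not that it is enabled, so the Niri session entry is still registered on a host that imports the niri module but leaves it off. `niri = lib.mkIf (config.swarselmodules.niri or false) {` covers both the missing-option case and the disabled case. The surrounding attribute set starts and ends outside the hunk.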
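Review bot: In `modules/nixos/common/globals.nix` the new `proxyAddress4` and `proxyAddress6` service options are typed `types.nullOr types.str`, while the `wanAddress4`/`wanAddress6` host options added further down in the same file use `types.net.ipv4` and `types.net.ipv6`. The service modules pass these values to `dns.lib.combinators.host`, so a mistyped address would reach a DNS record unchecked. `type = types.nullOr types.net.ipv4;` (and `types.net.ipv6` for the v6 option) would reject it at evaluation time. A `description` on each new option, like the one given to `externalDns`, would also help.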
diff --git a/modules/nixos/common/home-manager-secrets.nix b/modules/nixos/common/home-manager-secrets.nix index fd2db03..f853132 100644 --- a/modules/nixos/common/home-manager-secrets.nix +++ b/modules/nixos/common/home-manager-secrets.nix @@ -24,7 +24,8 @@ in github-nixpkgs-review-token = { owner = mainUser; }; }) // (lib.optionalAttrs modules.emacs { emacs-radicale-pw = { owner = mainUser; }; - }) // (lib.optionalAttrs modules.optional.work { + github-forge-token = { owner = mainUser; }; + }) // (lib.optionalAttrs (modules ? optional-work) { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { anki-user = { owner = mainUser; }; diff --git a/modules/nixos/common/home-manager.nix b/modules/nixos/common/home-manager.nix index 3b2d332..47cc879 100644 --- a/modules/nixos/common/home-manager.nix +++ b/modules/nixos/common/home-manager.nix @@ -12,7 +12,6 @@ inputs.nix-index-database.homeModules.nix-index inputs.sops-nix.homeManagerModules.sops inputs.spicetify-nix.homeManagerModules.default - # inputs.swarsel-modules.homeModules.default inputs.swarsel-nix.homeModules.default { imports = [ diff --git a/modules/nixos/common/impermanence.nix b/modules/nixos/common/impermanence.nix index 31f8641..e111c86 100644 --- a/modules/nixos/common/impermanence.nix +++ b/modules/nixos/common/impermanence.nix @@ -72,6 +72,7 @@ in hideMounts = true; directories = [ + "/root/.dotfiles" "/etc/nix" "/etc/NetworkManager/system-connections" "/var/lib/nixos" diff --git a/modules/nixos/common/meta.nix b/modules/nixos/common/meta.nix index fcb79d3..93b3a90 100644 --- a/modules/nixos/common/meta.nix +++ b/modules/nixos/common/meta.nix @@ -11,6 +11,10 @@ description = "Node Name."; type = lib.types.str; }; + lockFromBootstrapping = lib.mkOption { + description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap."; + type = lib.types.bool; + }; }; }; } 
diff --git a/modules/nixos/common/nodes.nix b/modules/nixos/common/nodes.nix index a2d1ad7..fe667aa 100644 --- a/modules/nixos/common/nodes.nix +++ b/modules/nixos/common/nodes.nix @@ -34,6 +34,11 @@ let "nginx" "virtualHosts" ] + [ + "swarselsystems" + "server" + "dns" + ] ]; attrsForEachOption = diff --git a/modules/nixos/common/settings.nix b/modules/nixos/common/settings.nix index cdcf3a2..2ab4bbe 100644 --- a/modules/nixos/common/settings.nix +++ b/modules/nixos/common/settings.nix @@ -1,5 +1,7 @@ -{ self, lib, pkgs, config, outputs, inputs, minimal, ... }: +{ self, lib, pkgs, config, outputs, inputs, minimal, globals, ... }: let + inherit (config.swarselsystems) mainUser; + inherit (config.repo.secrets.common) atticPublicKey; settings = if minimal then { } else { environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" '' assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false; @@ -36,7 +38,8 @@ let channel.enable = false; registry = rec { nixpkgs.flake = inputs.nixpkgs; - swarsel.flake = inputs.swarsel; + # swarsel.flake = inputs.swarsel; + swarsel.flake = self; n = nixpkgs; s = swarsel; }; @@ -56,8 +59,8 @@ in config = lib.mkIf config.swarselmodules.general (lib.recursiveUpdate { - sops.secrets.github-api-token = lib.mkIf (!minimal) { - sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; + sops.secrets = lib.mkIf (!minimal) { + github-api-token = { owner = mainUser; }; }; nix = @@ -74,7 +77,17 @@ in "cgroups" "pipe-operators" ]; - trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ]; + substituters = [ + "https://${globals.services.attic.domain}/${mainUser}" + ]; + trusted-public-keys = [ + atticPublicKey + ]; + trusted-users = [ + "@wheel" + "${config.swarselsystems.mainUser}" + (lib.mkIf config.swarselmodules.server.ssh-builder "builder") + ]; }; # extraOptions = '' # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins 
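Review bot: In `modules/nixos/common/settings.nix` the `trusted-users` list now includes `builder` whenever `swarselmodules.server.ssh-builder` is set, and a trusted Nix user can do things through the daemon that are close to root on that machine. That is presumably needed so clients can push unsigned build inputs, but it deserves a comment on the entry, e.g. `# builder is trusted so remote clients can copy inputs; root-equivalent for the Nix daemon, keep its authorized keys minimal`. The option is also read from a common module; if the server modules are not imported on every host, `(config.swarselmodules.server.ssh-builder or false)` avoids a missing-attribute error. The `settings` attribute set starts outside the hunk.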
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix index b04ffd2..aada123 100644 --- a/modules/nixos/common/users.nix +++ b/modules/nixos/common/users.nix @@ -1,11 +1,8 @@ -{ self, pkgs, config, lib, globals, minimal, ... }: -let - sopsFile = self + /secrets/general/secrets.yaml; -in +{ pkgs, config, lib, globals, minimal, ... }: { options.swarselmodules.users = lib.mkEnableOption "user config"; config = lib.mkIf config.swarselmodules.users { - sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; }; + sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; }; users = { mutableUsers = lib.mkIf (!minimal) false; diff --git a/modules/nixos/optional/amdcpu.nix b/modules/nixos/optional/amdcpu.nix index 9051b9d..64ea60d 100644 --- a/modules/nixos/optional/amdcpu.nix +++ b/modules/nixos/optional/amdcpu.nix @@ -1,7 +1,6 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.amdcpu = lib.mkEnableOption "optional amd cpu settings"; - config = lib.mkIf config.swarselmodules.optional.amdcpu { + config = { hardware = { cpu.amd.updateMicrocode = true; }; diff --git a/modules/nixos/optional/amdgpu.nix b/modules/nixos/optional/amdgpu.nix index 7af14c6..f81461c 100644 --- a/modules/nixos/optional/amdgpu.nix +++ b/modules/nixos/optional/amdgpu.nix @@ -1,7 +1,6 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.amdgpu = lib.mkEnableOption "optional amd gpu settings"; - config = lib.mkIf config.swarselmodules.optional.amdgpu { + config = { hardware = { amdgpu = { opencl.enable = true; diff --git a/modules/nixos/optional/framework.nix b/modules/nixos/optional/framework.nix index 5f0d00d..cade27e 100644 --- a/modules/nixos/optional/framework.nix +++ b/modules/nixos/optional/framework.nix 
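Review bot: In `modules/nixos/common/users.nix`, dropping `inherit sopsFile` makes `main-user-hashed-pw` fall back to `sops.defaultSopsFile`, which `modules/nixos/client/sops.nix` in this same diff sets to a string path under the flake checkout with `validateSopsFiles = false`. The old `self + /secrets/general/secrets.yaml` travelled with the system closure, whereas the new source is presumably only read at activation. With `neededForUsers = true` and `mutableUsers` forced to false, a missing or stale checkout would then surface as a login problem. Keeping `sopsFile = self + /secrets/general/secrets.yaml;` on this one secret (and `self` in the argument list) would avoid that dependency.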
@@ -1,7 +1,13 @@ -{ lib, config, ... }: +{ self, config, ... }: { - options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; - config = lib.mkIf config.swarselmodules.optional.framework { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/framework.nix" + ]; + }; + services = { fwupd = { enable = true; diff --git a/modules/nixos/optional/gaming.nix b/modules/nixos/optional/gaming.nix index 5f28872..09dcec1 100644 --- a/modules/nixos/optional/gaming.nix +++ b/modules/nixos/optional/gaming.nix @@ -1,7 +1,13 @@ -{ pkgs, lib, config, ... }: +{ self, pkgs, config, ... }: { - options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; - config = lib.mkIf config.swarselmodules.optional.gaming { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/gaming.nix" + ]; + }; + programs.steam = { enable = true; package = pkgs.steam; diff --git a/modules/nixos/optional/hibernation.nix b/modules/nixos/optional/hibernation.nix index d6f0758..29c9675 100644 --- a/modules/nixos/optional/hibernation.nix +++ b/modules/nixos/optional/hibernation.nix @@ -1,6 +1,5 @@ { lib, config, ... }: { - options.swarselmodules.optional.hibernation = lib.mkEnableOption "optional amd gpu settings"; options.swarselsystems = { hibernation = { offset = lib.mkOption { @@ -13,7 +12,7 @@ }; }; }; - config = lib.mkIf config.swarselmodules.optional.hibernation { + config = { boot = { kernelParams = [ "resume_offset=${builtins.toString config.swarselsystems.hibernation.offset}" diff --git a/modules/nixos/optional/microvm-guest.nix b/modules/nixos/optional/microvm-guest.nix index 8650fbc..a90a2cf 100644 --- a/modules/nixos/optional/microvm-guest.nix +++ b/modules/nixos/optional/microvm-guest.nix 
@@ -1,11 +1,9 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.microvmGuest = lib.mkEnableOption "optional microvmGuest settings"; # imports = [ # inputs.microvm.nixosModules.microvm - # "${self}/profiles/nixos" - # "${self}/modules/nixos" # ]; - config = lib.mkIf config.swarselmodules.optional.microvmGuest + + config = { }; } diff --git a/modules/nixos/optional/microvm-host.nix b/modules/nixos/optional/microvm-host.nix index 97a9059..2948824 100644 --- a/modules/nixos/optional/microvm-host.nix +++ b/modules/nixos/optional/microvm-host.nix @@ -1,10 +1,7 @@ -{ lib, config, ... }: +{ config, lib, ... }: { - options = { - swarselmodules.optional.microvmHost = lib.mkEnableOption "optional microvmHost settings"; - }; # imports = [ - # inputs.microvm.nixosModules.host + # inputs.microvm.nixosModules.host # ]; config = lib.mkIf (config.guests != { }) { diff --git a/modules/nixos/client/niri.nix b/modules/nixos/optional/niri.nix similarity index 86% rename from modules/nixos/client/niri.nix rename to modules/nixos/optional/niri.nix index 4724319..80b5c5a 100644 --- a/modules/nixos/client/niri.nix +++ b/modules/nixos/optional/niri.nix @@ -1,8 +1,11 @@ -{ lib, config, pkgs, ... }: +{ inputs, lib, config, pkgs, ... }: let moduleName = "niri"; in { + imports = [ + inputs.niri-flake.nixosModules.niri + ]; options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings"; config = lib.mkIf config.swarselmodules.${moduleName} { diff --git a/modules/nixos/optional/nswitch-rcm.nix b/modules/nixos/optional/nswitch-rcm.nix index 3af88db..00fb2c1 100644 --- a/modules/nixos/optional/nswitch-rcm.nix +++ b/modules/nixos/optional/nswitch-rcm.nix @@ -1,7 +1,6 @@ -{ lib, config, pkgs, ... }: +{ pkgs, ... }: { - options.swarselmodules.optional.nswitch-rcm = lib.mkEnableOption "optional nswitch-rcm settings"; - config = lib.mkIf config.swarselmodules.optional.nswitch-rcm { + config = { services.nswitch-rcm = { enable = true; package = pkgs.fetchurl { 
diff --git a/modules/nixos/optional/systemd-networkd-server.nix b/modules/nixos/optional/systemd-networkd-server.nix new file mode 100644 index 0000000..059072b --- /dev/null +++ b/modules/nixos/optional/systemd-networkd-server.nix @@ -0,0 +1,50 @@ +{ lib, config, globals, ... }: +{ + networking = { + useDHCP = lib.mkForce false; + useNetworkd = true; + dhcpcd.enable = false; + renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) ( + config.repo.secrets.local.networking.networks or { } + ); + }; + boot.initrd.systemd.network = { + enable = true; + networks."10-${config.swarselsystems.server.localNetwork}" = config.systemd.network.networks."10-${config.swarselsystems.server.localNetwork}"; + }; + + systemd = { + network = { + enable = true; + wait-online.enable = false; + networks = + let + netConfig = config.repo.secrets.local.networking; + in + { + "10-${config.swarselsystems.server.localNetwork}" = { + address = [ + "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv4}" + "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv6}" + ]; + routes = [ + { + Gateway = netConfig.defaultGateway6; + GatewayOnLink = true; + } + { + Gateway = netConfig.defaultGateway4; + GatewayOnLink = true; + } + ]; + networkConfig = { + IPv6PrivacyExtensions = true; + IPv6AcceptRA = false; + }; + matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac; + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + }; +} diff --git a/modules/nixos/optional/uni.nix b/modules/nixos/optional/uni.nix new file mode 100644 index 0000000..1edf3b4 --- /dev/null +++ b/modules/nixos/optional/uni.nix @@ -0,0 +1,11 @@ +{ self, config, ... }: +{ + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/work.nix" + ]; + }; + }; +} 
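Review bot: In `modules/nixos/optional/systemd-networkd-server.nix` the `address` list interpolates the host's `cidrv6` into a string, but `globals.nix` yields `null` for that value when the network has no `cidrv6`, and interpolating `null` aborts evaluation. Building the list with `[ h.cidrv4 ] ++ lib.optional (h.cidrv6 != null) h.cidrv6`, where `h` is the `globals.networks.….hosts.${config.node.name}` entry bound in the existing `let`, keeps IPv4-only networks working. The `routes` entry for `netConfig.defaultGateway6` presumably needs the same guard.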
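Review bot: `modules/nixos/optional/uni.nix` imports `${self}/modules/home/optional/work.nix`, the same path that `modules/nixos/optional/work.nix` imports in this diff, which looks like a copy-paste leftover. If the reuse is intended, a comment such as `# uni hosts reuse the work home-manager module` would say so. Otherwise the import should point at the home-side module meant for uni hosts.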
diff --git a/modules/nixos/optional/virtualbox.nix b/modules/nixos/optional/virtualbox.nix index dc5aa61..2d70471 100644 --- a/modules/nixos/optional/virtualbox.nix +++ b/modules/nixos/optional/virtualbox.nix @@ -1,7 +1,6 @@ { lib, config, pkgs, ... }: { - options.swarselmodules.optional.virtualbox = lib.mkEnableOption "optional VBox settings"; - config = lib.mkIf config.swarselmodules.optional.virtualbox { + config = { # specialisation = { # VBox.configuration = { virtualisation.virtualbox = { diff --git a/modules/nixos/optional/vmware.nix b/modules/nixos/optional/vmware.nix index 4236080..d79ff04 100644 --- a/modules/nixos/optional/vmware.nix +++ b/modules/nixos/optional/vmware.nix @@ -1,8 +1,7 @@ -{ lib, config, ... }: +_: { - options.swarselmodules.optional.vmware = lib.mkEnableOption "optional vmware settings"; - config = lib.mkIf config.swarselmodules.optional.vmware { + config = { virtualisation.vmware.host.enable = true; virtualisation.vmware.guest.enable = true; }; diff --git a/modules/nixos/optional/work.nix b/modules/nixos/optional/work.nix index edec1bb..ccfbe7a 100644 --- a/modules/nixos/optional/work.nix +++ b/modules/nixos/optional/work.nix @@ -1,4 +1,4 @@ -{ self, lib, pkgs, config, configName, ... }: +{ self, lib, pkgs, config, ... }: let inherit (config.swarselsystems) mainUser homeDir; iwd = config.networking.networkmanager.wifi.backend == "iwd"; @@ -6,18 +6,24 @@ let sopsFile = self + /secrets/work/secrets.yaml; in { - options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; options.swarselsystems = { hostName = lib.mkOption { type = lib.types.str; - default = configName; + default = config.node.name; }; fqdn = lib.mkOption { type = lib.types.str; default = ""; }; }; - config = lib.mkIf config.swarselmodules.optional.work { + config = { + + home-manager.users."${config.swarselsystems.mainUser}" = { + imports = [ + "${self}/modules/home/optional/work.nix" + ]; + }; + sops = let secretNames = [ 
diff --git a/modules/nixos/server/ankisync.nix b/modules/nixos/server/ankisync.nix index b845ad7..6c283b3 100644 --- a/modules/nixos/server/ankisync.nix +++ b/modules/nixos/server/ankisync.nix @@ -1,11 +1,7 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 27701; - serviceName = "ankisync"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; ankiUser = globals.user.name; in @@ -13,6 +9,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + networking.firewall.allowedTCPPorts = [ servicePort ]; sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; }; @@ -23,7 +23,10 @@ in info = "https://${serviceDomain}"; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.anki-sync-server = { enable = true; @@ -38,7 +41,7 @@ in ]; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/attic.nix b/modules/nixos/server/attic.nix new file mode 100644 index 0000000..3cd0a69 --- /dev/null +++ b/modules/nixos/server/attic.nix 
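Review bot: The DNS registration block added in `modules/nixos/server/ankisync.nix` hard-codes the node name `stoicclub`, while the same change replaces the hard-coded `moonside` proxy with `nodes.${serviceProxy}`. The identical block, together with the `globals.services.${serviceName}` assignment, is repeated in `attic.nix`, `atuin.nix`, `croc.nix` and `firefly-iii.nix`. Since `confLib.gen` already returns the per-service values, it could also return the DNS node name (or the two attribute sets), so that moving the DNS host becomes a one-line change.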
@@ -0,0 +1,129 @@ +{ lib, config, globals, dns, confLib, ... }: +let + inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6; + inherit (config.swarselsystems) mainUser isPublic sopsFile; + serviceDB = "atticd"; +in +{ + options = { + swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + }; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + sops = lib.mkIf (!isPublic) { + secrets = { + attic-server-token = { inherit sopsFile; }; + attic-garage-access-key = { inherit sopsFile; }; + attic-garage-secret-key = { inherit sopsFile; }; + }; + templates = { + "attic.env" = { + content = '' + ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.sops.placeholder.attic-server-token} + AWS_ACCESS_KEY_ID=${config.sops.placeholder.attic-garage-access-key} + AWS_SECRET_ACCESS_KEY=${config.sops.placeholder.attic-garage-secret-key} + ''; + }; + }; + }; + + services.atticd = { + enable = true; + environmentFile = config.sops.templates."attic.env".path; + settings = { + listen = "[::]:${builtins.toString servicePort}"; + api-endpoint = "https://${serviceDomain}/"; + allowed-hosts = [ + serviceDomain + ]; + require-proof-of-possession = false; + compression = { + type = "zstd"; + level = 3; + }; + database.url = "postgresql:///atticd?host=/run/postgresql"; + + storage = + if config.swarselmodules.server.garage then { + type = "s3"; + region = mainUser; + bucket = serviceName; + # attic must be patched to never serve pre-signed s3 urls directly + # otherwise it will redirect clients to this localhost 
endpoint + endpoint = "http://127.0.0.1:3900"; + } else { + type = "local"; + path = serviceDir; + # attic must be patched to never serve pre-signed s3 urls directly + # otherwise it will redirect clients to this localhost endpoint + }; + + garbage-collection = { + interval = "1 day"; + default-retention-period = "3 months"; + }; + + chunking = { + nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # 64 KiB + + min-size = 16 * 1024; # 16 KiB + avg-size = 64 * 1024; # 64 KiB + max-size = 256 * 1024; # 256 KiBize = 262144; + }; + }; + }; + + services.postgresql = { + enable = true; + enableTCPIP = true; + ensureDatabases = [ serviceDB ]; + ensureUsers = [ + { + name = serviceDB; + ensureDBOwnership = true; + } + ]; + }; + + systemd.services.atticd = lib.mkIf config.swarselmodules.server.garage { + requires = [ "garage.service" ]; + after = [ "garage.service" ]; + }; + + nodes.${serviceProxy}.services.nginx = { + upstreams = { + ${serviceName} = { + servers = { + "${serviceAddress}:${builtins.toString servicePort}" = { }; + }; + }; + }; + virtualHosts = { + "${serviceDomain}" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + oauth2.enable = false; + locations = { + "/" = { + proxyPass = "http://${serviceName}"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + }; + }; + + }; +} diff --git a/modules/nixos/server/atuin.nix b/modules/nixos/server/atuin.nix index d355e6f..ab782c8 100644 --- a/modules/nixos/server/atuin.nix +++ b/modules/nixos/server/atuin.nix 
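Review bot: `services.postgresql.enableTCPIP = true` in `modules/nixos/server/attic.nix` makes PostgreSQL listen on all interfaces, yet `database.url` connects through the Unix socket (`host=/run/postgresql`). Dropping the `enableTCPIP = true;` line keeps the database off the network unless another module on the host needs TCP. Two comments also need fixing: `# 256 KiBize = 262144;` should read `# 256 KiB`, and the pre-signed-URL comment in the `type = "local"` branch refers to a localhost endpoint that only the `s3` branch has.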
@@ -1,16 +1,21 @@ -{ lib, config, globals, ... }: +{ lib, config, globals, dns, confLib, ... }: let - servicePort = 8888; - serviceName = "atuin"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -20,7 +25,7 @@ in openRegistration = false; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/bastion.nix b/modules/nixos/server/bastion.nix new file mode 100644 index 0000000..3d797d7 --- /dev/null +++ b/modules/nixos/server/bastion.nix 
@@ -0,0 +1,67 @@ +{ self, lib, config, ... }: +{ + options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server"; + config = lib.mkIf config.swarselmodules.server.bastion { + + users = { + groups = { + jump = { }; + }; + users = { + "jump" = { + isNormalUser = true; + useDefaultShell = true; + group = lib.mkForce "jump"; + createHome = lib.mkForce true; + openssh.authorizedKeys.keyFiles = [ + (self + /secrets/keys/ssh/yubikey.pub) + (self + /secrets/keys/ssh/magicant.pub) + (self + /secrets/keys/ssh/builder.pub) + ]; + }; + }; + }; + + + services.openssh = { + enable = true; + startWhenNeeded = lib.mkForce false; + authorizedKeysInHomedir = false; + extraConfig = '' + Match User jump + PermitTTY no + X11Forwarding no + PermitTunnel no + GatewayPorts no + AllowAgentForwarding no + ''; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = lib.mkDefault "no"; + AllowUsers = [ + "jump" + ]; + }; + hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [ + { + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + + home-manager.users.jump.config = { + home.stateVersion = lib.mkDefault "23.05"; + programs.ssh = { + enable = true; + enableDefaultConfig = false; + matchBlocks = { + "*" = { + forwardAgent = false; + }; + } // config.repo.secrets.local.ssh.hosts; + }; + }; + }; +} diff --git a/modules/nixos/optional/btrfs.nix b/modules/nixos/server/btrfs.nix similarity index 100% rename from modules/nixos/optional/btrfs.nix rename to modules/nixos/server/btrfs.nix diff --git a/modules/nixos/server/croc.nix b/modules/nixos/server/croc.nix index d9c1286..bc15734 100644 --- a/modules/nixos/server/croc.nix +++ b/modules/nixos/server/croc.nix @@ -1,5 +1,6 @@ -{ self, lib, config, pkgs, ... }: +{ self, lib, config, pkgs, dns, globals, confLib, ... }: let + inherit (confLib.gen { name = "croc"; }) serviceName serviceDomain proxyAddress4 proxyAddress6; servicePorts = [ 9009 9010 
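Review bot: The `Match User jump` block in `modules/nixos/server/bastion.nix` turns off TTYs, X11, tunnels and agent forwarding, but the account keeps its default shell and has no limit on where TCP forwards may go. Each of the three authorized keys can therefore still run commands without a TTY and reach any address the bastion can. If `jump` is only meant as a `ProxyJump` hop, adding `AllowStreamLocalForwarding no`, a `PermitOpen <builder-address>:22` allow-list (placeholder) and `ForceCommand /run/current-system/sw/bin/false` to the block would limit it to that role. The `home-manager.users.jump` SSH config suggests commands may be run as `jump`; if so, a comment explaining that use would help.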
@@ -7,8 +8,6 @@ let 9012 9013 ]; - serviceName = "croc"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; inherit (config.swarselsystems) sopsFile; @@ -18,6 +17,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { croc-password = { inherit sopsFile; }; @@ -39,7 +42,10 @@ in icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; diff --git a/modules/nixos/server/disk-encrypt.nix b/modules/nixos/server/disk-encrypt.nix index c1531dd..54e678a 100644 --- a/modules/nixos/server/disk-encrypt.nix +++ b/modules/nixos/server/disk-encrypt.nix @@ -1,10 +1,15 @@ { self, pkgs, lib, config, globals, minimal, ... }: let - localIp = globals.networks.home.hosts.${config.node.name}.ipv4; - subnetMask = globals.networks.home.subnetMask4; + localIp = globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4; + subnetMask = globals.networks.${config.swarselsystems.server.netConfigName}.subnetMask4; gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; - hostKeyPath = "/etc/secrets/initrd/ssh_host_ed25519_key"; + hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key"; + hostKeyPath = + if config.swarselsystems.isImpermanence then + "/persist/${hostKeyPathBase}" + else + "${hostKeyPathBase}"; in { options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config"; 
@@ -14,35 +19,40 @@ in }; config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) { + + system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { + deps = [ "ensureInitrdHostkey" ]; + }; system.activationScripts.ensureInitrdHostkey = lib.mkIf (config.swarselprofiles.server || minimal) { text = '' [[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath} ''; - deps = [ "users" ]; + deps = [ + "etc" + ]; }; environment.persistence."/persist" = lib.mkIf (config.swarselsystems.isImpermanence && (config.swarselprofiles.server || minimal)) { - files = [ hostKeyPath ]; + files = [ hostKeyPathBase ]; }; - boot = lib.mkIf (config.swarselprofiles.server || minimal) { - kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [ + boot = lib.mkIf (!config.swarselsystems.isClient) { + kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ]; initrd = { availableKernelModules = config.swarselsystems.networkKernelModules; network = { enable = true; - udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true; flushBeforeStage2 = true; ssh = { enable = true; port = 2222; # avoid hostkey changed nag - authorizedKeyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) + authorizedKeys = [ + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}'' + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}'' ]; - hostKeys = [ hostKeyPath ]; + hostKeys = [ hostKeyPathBase ]; }; # postCommands = '' # echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile 
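Review bot: The new `authorizedKeys` entries in `modules/nixos/server/disk-encrypt.nix` pin the initrd login to `command="/bin/systemctl default"`, but unless the initrd sshd config disables it, those keys can still request port and agent forwarding. Prefixing the options with `restrict,pty,` (`''restrict,pty,command="/bin/systemctl default" ${builtins.readFile …}''`) turns that off while keeping the terminal the passphrase prompt presumably needs. Separately, `createPersistentStorageDirs` now depends on `ensureInitrdHostkey`, so `ssh-keygen` may run before the directory for `hostKeyPath` exists under `/persist`. Since ssh-keygen does not create parent directories, a `mkdir -p` of that directory in the script would make first activation safe.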
@@ -52,23 +62,24 @@ in initrdBin = with pkgs; [ cryptsetup ]; - services = { - unlock-luks = { - wantedBy = [ "initrd.target" ]; - after = [ "network.target" ]; - before = [ "systemd-cryptsetup@cryptroot.service" ]; - path = [ "/bin" ]; + # NOTE: the below does put the text into /root/.profile, but the command will not be run + # services = { + # unlock-luks = { + # wantedBy = [ "initrd.target" ]; + # after = [ "network.target" ]; + # before = [ "systemd-cryptsetup@cryptroot.service" ]; + # path = [ "/bin" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; + # serviceConfig = { + # Type = "oneshot"; + # RemainAfterExit = true; + # }; - script = '' - echo "systemctl default" >> /root/.profile - ''; - }; - }; + # script = '' + # echo "systemctl default" >> /root/.profile + # ''; + # }; + # }; }; }; }; diff --git a/modules/nixos/server/emacs.nix b/modules/nixos/server/emacs.nix index 03e1261..311658d 100644 --- a/modules/nixos/server/emacs.nix +++ b/modules/nixos/server/emacs.nix @@ -1,7 +1,6 @@ -{ lib, config, ... }: +{ lib, config, confLib, ... }: let - serviceName = "emacs"; - servicePort = 9812; + inherit (confLib.gen { name = "emacs"; port = 9812; }) servicePort serviceName; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} server on server"; diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix index c0acad1..b97ba94 100644 --- a/modules/nixos/server/firefly-iii.nix +++ b/modules/nixos/server/firefly-iii.nix 
@@ -1,11 +1,6 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let - servicePort = 80; - serviceUser = "firefly-iii"; - serviceGroup = serviceUser; - serviceName = "firefly-iii"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; nginxGroup = "nginx"; @@ -16,6 +11,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users = { groups.${serviceGroup} = { }; users.${serviceUser} = { @@ -36,7 +35,11 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -78,7 +81,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix index a674078..d9d4123 100644 --- a/modules/nixos/server/forgejo.nix +++ b/modules/nixos/server/forgejo.nix 
@@ -1,13 +1,7 @@ -{ lib, config, pkgs, globals, ... }: +{ lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 3004; - serviceUser = "forgejo"; - serviceGroup = serviceUser; - serviceName = "forgejo"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; kanidmDomain = globals.services.kanidm.domain; in @@ -15,6 +9,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + networking.firewall.allowedTCPPorts = [ servicePort ]; users.users.${serviceUser} = { @@ -28,7 +26,10 @@ in kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -129,7 +130,7 @@ in ''; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix index 0375e64..d136f6c 100644 --- a/modules/nixos/server/freshrss.nix +++ b/modules/nixos/server/freshrss.nix 
@@ -1,11 +1,6 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let - servicePort = 80; - serviceName = "freshrss"; - serviceUser = "freshrss"; - serviceGroup = serviceName; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; inherit (config.swarselsystems) sopsFile; in @@ -13,6 +8,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; group = serviceGroup; @@ -54,7 +53,10 @@ in icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = let @@ -74,7 +76,7 @@ in # config.sops.templates.freshrss-env.path # ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/garage.nix b/modules/nixos/server/garage.nix index d537552..b84fb50 100644 --- a/modules/nixos/server/garage.nix +++ b/modules/nixos/server/garage.nix 
@@ -1,89 +1,359 @@ -{ self, lib, pkgs, config, configName, globals, ... }: +# inspired by https://github.com/atropos112/nixos/blob/7fef652006a1c939f4caf9c8a0cb0892d9cdfe21/modules/garage.nix +{ lib, pkgs, config, globals, dns, confLib, ... }: let - sopsFile = self + /secrets/${configName}/secrets2.yaml; + inherit (confLib.gen { + name = "garage"; + port = 3900; + domain = config.repo.secrets.common.services.domains."garage-${config.node.name}"; + }) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; - serviceName = "garage"; - servicePort = 3900; - serviceDomain = config.repo.secrets.common.services.domains."${serviceName}-${configName}"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + cfg = lib.recursiveUpdate config.services.${serviceName} config.swarselsystems.server.${serviceName}; + inherit (config.swarselsystems) sopsFile mainUser; - cfg = config.services.${serviceName}; + # needs SSD metadata_dir = "/var/lib/garage/meta"; + # metadata_dir = if config.swarselsystems.isCloud then "/var/lib/garage/meta" else "/Vault/data/garage/meta"; + + garageRpcPort = 3901; + garageWebPort = 3902; + garageAdminPort = 3903; + garageK2VPort = 3904; + + adminDomain = "${subDomain}admin.${baseDomain}"; + webDomain = "${subDomain}web.${baseDomain}"; in { options = { swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; swarselsystems.server.${serviceName} = { - data_dir = lib.mkOption { - type = lib.types.either lib.types.path (lib.types.listOf lib.types.attrs); - default = "/var/lib/garage/data"; + data_dir = { + path = lib.mkOption { + type = lib.types.str; + description = "Directory where Garage stores its metadata"; + }; + capacity = lib.mkOption { + type = lib.types.str; + }; + }; + buckets = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "List of buckets to create"; + }; + keys = lib.mkOption { + type 
= lib.types.attrsOf (lib.types.listOf lib.types.str); + default = { }; + description = "Keys and their associated buckets. Each key gets full access (read/write/owner) to its listed buckets."; + example = { + my_key_name = [ "bucket1" "bucket2" ]; + my_other_key = [ "bucket2" "bucket3" ]; + }; }; }; }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + assertions = [ + { + assertion = config.swarselsystems.server.${serviceName}.buckets != [ ]; + message = "If Garage is enabled, at least one bucket must be specified in swarselsystems.server.${serviceName}.buckets"; + } + { + assertion = builtins.length (lib.attrsToList config.swarselsystems.server.${serviceName}.keys) > 0; + message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys"; + } + { + assertion = + let + allKeyBuckets = lib.flatten (lib.attrValues config.swarselsystems.server.${serviceName}.keys); + invalidBuckets = builtins.filter (bucket: !(lib.elem bucket config.swarselsystems.server.${serviceName}.buckets)) allKeyBuckets; + in + invalidBuckets == [ ]; + message = "All buckets referenced in keys must exist in the buckets list"; + } + ]; + + nodes.stoicclub.swarselsystems.server.dns.${baseDomain}.subdomainRecords = { + "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "*.${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; sops = { secrets.garage-admin-token = { inherit sopsFile; }; secrets.garage-rpc-secret = { inherit sopsFile; }; }; + # DynamicUser cannot read above secrets + systemd.services.${serviceName}.serviceConfig = { + DynamicUser = false; + ProtectHome = lib.mkForce false; + }; + environment = { persistence."/persist".directories = lib.mkIf 
config.swarselsystems.isImpermanence [ - { directory = metadata_dir; } + { directory = "/var/lib/garage"; } + (lib.mkIf config.swarselsystems.isCloud { directory = config.swarselsystems.server.${serviceName}.data_dir.path; }) ]; systemPackages = [ cfg.package ]; }; - systemd.services.${serviceName}.serviceConfig = { - DynamicUser = false; - ProtectHome = lib.mkForce false; + globals.services.${specificServiceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; }; + services.${serviceName} = { enable = true; package = pkgs.garage_2; settings = { - inherit (config.swarselsystems.${serviceName}) data_dir; + data_dir = [ config.swarselsystems.server.${serviceName}.data_dir ]; inherit metadata_dir; db_engine = "lmdb"; - block_size = "1MiB"; + block_size = "128M"; use_local_tz = false; + disable_scrub = true; + replication_factor = 1; + compression_level = "none"; - replication_factor = 2; # Number of copies of data + rpc_bind_addr = "[::]:${builtins.toString garageRpcPort}"; + # we are not joining our nodes, just use the private ipv4 + rpc_public_addr = "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}"; - rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "${config.repo.secrets.local.ipv4}:4317"; rpc_secret_file = config.sops.secrets.garage-rpc-secret.path; s3_api = { - s3_region = "swarsel"; - api_bind_addr = "0.0.0.0:${builtins.toString servicePort}"; - root_domain = ".s3.garage.localhost"; + s3_region = mainUser; + api_bind_addr = "[::]:${builtins.toString servicePort}"; + root_domain = ".${serviceDomain}"; + }; + + s3_web = { + bind_addr = "[::]:${builtins.toString garageWebPort}"; + root_domain = ".${config.repo.secrets.common.services.domains."garage-web-${config.node.name}"}"; + add_host_to_metrics = true; }; admin = { - api_bind_addr = "0.0.0.0:3903"; + api_bind_addr = "[::]:${builtins.toString garageAdminPort}"; admin_token_file = 
config.sops.secrets.garage-admin-token.path; }; k2v_api = { - api_bind_addr = "[::]:3904"; + api_bind_addr = "[::]:${builtins.toString garageK2VPort}"; }; }; }; - nodes.moonside.services.nginx = { + + systemd.services = { + garage-buckets = { + description = "Create Garage buckets"; + after = [ "garage.service" ]; + wants = [ "garage.service" ]; + wantedBy = [ "multi-user.target" ]; + + path = [ cfg.package pkgs.gawk pkgs.coreutils ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "root"; + Group = "root"; + }; + + script = '' + garage status + + # Checking repeatedly with garage status until getting 0 exit code + while ! garage status >/dev/null 2>&1; do + echo "Garage not yet operational, waiting..." + echo "Current garage status output:" + garage status 2>&1 || true + echo "---" + sleep 5 + done + + # Now we check if garage status shows any failed nodes by checking for ==== FAILED NODES ==== + while garage status | grep -q "==== FAILED NODES ===="; do + echo "Garage has failed nodes, waiting..." + echo "Current garage status output:" + garage status 2>&1 || true + echo "---" + sleep 5 + done + + echo "Garage is operational, proceeding with bucket management." 
+ + # Get list of existing buckets + existing_buckets=$(garage bucket list | tail -n +2 | awk '{print $3}' | grep -v '^$' || true) + + # Create buckets that should exist + ${lib.concatMapStringsSep "\n" (bucket: '' + if [[ "$(garage bucket info ${lib.escapeShellArg bucket} 2>&1 >/dev/null)" == *"Bucket not found"* ]]; then + echo "Creating bucket ${lib.escapeShellArg bucket}" + garage bucket create ${lib.escapeShellArg bucket} + else + echo "Bucket ${lib.escapeShellArg bucket} already exists" + fi + '') + cfg.buckets} + + # Remove buckets that shouldn't exist + for bucket in $existing_buckets; do + should_exist=false + ${lib.concatMapStringsSep "\n" (bucket: '' + if [[ "$bucket" == ${lib.escapeShellArg bucket} ]]; then + should_exist=true + fi + '') + cfg.buckets} + + if [[ "$should_exist" == "false" ]]; then + echo "Removing bucket $bucket" + garage bucket delete --yes "$bucket" + fi + done + ''; + }; + + garage-keys = { + description = "Create Garage keys and set permissions"; + after = [ "garage-buckets.service" ]; + wants = [ "garage-buckets.service" ]; + requires = [ "garage-buckets.service" ]; + wantedBy = [ "multi-user.target" ]; + + path = [ cfg.package pkgs.gawk pkgs.coreutils ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "root"; + Group = "root"; + }; + + script = '' + garage key list + echo "Managing keys..." 
+ + # Get list of existing keys + existing_keys=$(garage key list | tail -n +2 | awk '{print $3}' | grep -v '^$' || true) + + # Create keys that should exist + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: _: '' + if [[ "$(garage key info ${lib.escapeShellArg keyName} 2>&1)" == *"0 matching keys"* ]]; then + echo "Creating key ${lib.escapeShellArg keyName}" + garage key create ${lib.escapeShellArg keyName} + else + echo "Key ${lib.escapeShellArg keyName} already exists" + fi + '') + cfg.keys)} + + # Set up key permissions for buckets + ${lib.concatStringsSep "\n" (lib.mapAttrsToList ( + keyName: buckets: + lib.concatMapStringsSep "\n" (bucket: '' + echo "Granting full access to key ${lib.escapeShellArg keyName} for bucket ${lib.escapeShellArg bucket}" + garage bucket allow --read --write --owner --key ${lib.escapeShellArg keyName} ${lib.escapeShellArg bucket} + '') + buckets + ) + cfg.keys)} + + # Remove permissions from buckets that are no longer associated with keys + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: buckets: '' + # Get current buckets this key has access to + current_buckets=$(garage key info ${lib.escapeShellArg keyName} | grep -A 1000 "==== BUCKETS FOR THIS KEY ====" | tail -n +3 | awk '{print $3}' | grep -v '^$' || true) + + # Remove access from buckets not in the desired list + for current_bucket in $current_buckets; do + should_have_access=false + ${lib.concatMapStringsSep "\n" (bucket: '' + if [[ "$current_bucket" == ${lib.escapeShellArg bucket} ]]; then + should_have_access=true + fi + '') + buckets} + + if [[ "$should_have_access" == "false" ]]; then + echo "Removing access for key ${lib.escapeShellArg keyName} from bucket $current_bucket" + garage bucket deny --key ${lib.escapeShellArg keyName} $current_bucket + fi + done + '') + cfg.keys)} + + # Remove keys that shouldn't exist + for key in $existing_keys; do + should_exist=false + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: _: '' + if [[ "$key" == 
${lib.escapeShellArg keyName} ]]; then + should_exist=true + fi + '') + cfg.keys)} + + if [[ "$should_exist" == "false" ]]; then + echo "Removing key $key" + garage key delete --yes "$key" + fi + done + ''; + }; + }; + + security.acme.certs."${webDomain}" = { + domain = "*.${webDomain}"; + }; + + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; + "${serviceName}Web" = { + servers = { + "${serviceAddress}:${builtins.toString garageWebPort}" = { }; + }; + }; + "${serviceName}Admin" = { + servers = { + "${serviceAddress}:${builtins.toString garageAdminPort}" = { }; + }; + }; }; virtualHosts = { + "${adminDomain}" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + oauth2.enable = false; + locations = { + "/" = { + proxyPass = "http://${serviceName}Admin"; + }; + }; + }; + "*.${webDomain}" = { + useACMEHost = webDomain; + forceSSL = true; + acmeRoot = null; + oauth2.enable = false; + locations = { + "/" = { + proxyPass = "http://${serviceName}Web"; + }; + }; + }; "${serviceDomain}" = { + serverAliases = [ "*.${serviceDomain}" ]; enableACME = true; forceSSL = true; acmeRoot = null; @@ -91,6 +361,9 @@ in locations = { "/" = { proxyPass = "http://${serviceName}"; + extraConfig = '' + client_max_body_size 0; + ''; }; }; }; diff --git a/modules/nixos/server/homebox.nix b/modules/nixos/server/homebox.nix index c1b62ab..1d1c9ea 100644 --- a/modules/nixos/server/homebox.nix +++ b/modules/nixos/server/homebox.nix 
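Review bot: The `"${adminDomain}"` vhost publishes Garage's admin API on the reverse proxy with `oauth2.enable = false`, so the bearer token from `garage-admin-token` is the only gate, and as far as I know Garage serves `/metrics` on that port without authentication unless a metrics token is configured, which the new `settings.admin` block does not do. I would add `metrics_token_file` next to `admin_token_file` and limit the vhost to management addresses, e.g. `extraConfig = "allow MGMT_CIDR_PLACEHOLDER; deny all;";`. In the `garage-keys` script, `garage bucket deny --key ${lib.escapeShellArg keyName} $current_bucket` is the one place the loop variable is unquoted, and it names none of `--read --write --owner`, unlike the matching `allow` line, so it probably revokes nothing. `garage bucket deny --read --write --owner --key ${lib.escapeShellArg keyName} "$current_bucket"` would mirror the grant.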
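Review bot: `client_max_body_size 0;` on the `"${serviceDomain}"` location (hunk `@@ -91,6 +361,9 @@`) removes the upload cap on a public vhost, and with nginx's default request buffering the proxy spools the body to its own disk before Garage has had a chance to reject a bad signature. Adding `proxy_request_buffering off;` to the same `extraConfig`, or using a finite cap sized to the largest expected object part, keeps large S3 uploads working without letting unauthenticated requests fill the proxy's temp space. The vhost definition starts outside this hunk.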
@@ -1,16 +1,21 @@ -{ lib, pkgs, config, globals, ... }: +{ lib, pkgs, config, globals, dns, confLib, ... }: let - servicePort = 7745; - serviceName = "homebox"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -26,7 +31,7 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/immich.nix b/modules/nixos/server/immich.nix index cefa330..674ce80 100644 --- a/modules/nixos/server/immich.nix +++ b/modules/nixos/server/immich.nix 
@@ -1,21 +1,25 @@ -{ lib, pkgs, config, globals, ... }: +{ lib, pkgs, config, globals, dns, confLib, ... }: let - servicePort = 3001; - serviceUser = "immich"; - serviceName = "immich"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "video" "render" "users" ]; }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -29,9 +33,9 @@ in }; }; - networking.firewall.allowedTCPPorts = [ 3001 ]; + networking.firewall.allowedTCPPorts = [ servicePort ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/jellyfin.nix b/modules/nixos/server/jellyfin.nix index 552f8bf..b5c078f 100644 --- a/modules/nixos/server/jellyfin.nix +++ b/modules/nixos/server/jellyfin.nix 
@@ -1,20 +1,23 @@ -{ pkgs, lib, config, globals, ... }: +{ pkgs, lib, config, globals, dns, confLib, ... }: let - servicePort = 8096; - serviceName = "jellyfin"; - serviceUser = "jellyfin"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "video" "render" "users" ]; }; + nixpkgs.config.packageOverrides = pkgs: { intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; }; }; + hardware.graphics = { enable = true; extraPackages = with pkgs; [ @@ -26,7 +29,11 @@ in }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -34,7 +41,7 @@ in openFirewall = true; # this works only for the default ports }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/jenkins.nix b/modules/nixos/server/jenkins.nix index 808bcef..f6bc9b1 100644 --- a/modules/nixos/server/jenkins.nix +++ b/modules/nixos/server/jenkins.nix 
@@ -1,14 +1,20 @@ -{ pkgs, lib, config, globals, ... }: +{ pkgs, lib, config, globals, dns, confLib, ... }: let - servicePort = 8088; - serviceName = "jenkins"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + services.jenkins = { enable = true; withCLI = true; @@ -18,7 +24,7 @@ in home = "/Vault/apps/${serviceName}"; }; - services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index 16ea0bd..5bb4472 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix 
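Review bot: The last hunk of jenkins.nix moves the vhost from the local `services.nginx` to `nodes.${serviceProxy}.services.nginx`, but the visible hunks show no `networking.firewall.allowedTCPPorts = [ servicePort ];` of the kind forgejo, homebox and immich carry, so it is unclear how the proxy node reaches the upstream. If the port is opened elsewhere, it should ideally accept only the proxy's source address, because a Jenkins instance with `withCLI = true` is a high-value target once it has a public DNS record. The vhost body lies outside the hunk, so I cannot tell whether an authentication layer sits in front of it; a short comment next to `upstreams` stating which one applies would help the next reader.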
@@ -1,16 +1,10 @@ -{ self, lib, pkgs, config, globals, ... }: +{ self, lib, pkgs, config, globals, dns, confLib, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; inherit (config.swarselsystems) sopsFile; + inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; - servicePort = 8300; - serviceUser = "kanidm"; - serviceGroup = serviceUser; - serviceName = "kanidm"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - - oauth2ProxyDomain = globals.services.oauth2Proxy.domain; + oauth2ProxyDomain = globals.services.oauth2-proxy.domain; immichDomain = globals.services.immich.domain; paperlessDomain = globals.services.paperless.domain; forgejoDomain = globals.services.forgejo.domain; @@ -37,6 +31,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { group = serviceGroup; isSystemUser = true; @@ -62,7 +60,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence { files = [ 
@@ -70,17 +71,22 @@ in keyPathBase ]; }; - - system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { - deps = [ "generateSSLCert-${serviceName}" "users" "groups" ]; - }; - system.activationScripts."generateSSLCert-${serviceName}" = + systemd.services."generateSSLCert-${serviceName}" = let daysValid = 3650; renewBeforeDays = 365; in { - text = '' + before = [ "${serviceName}.service" ]; + requiredBy = [ "${serviceName}.service" ]; + after = [ "local-fs.target" ]; + requires = [ "local-fs.target" ]; + + serviceConfig = { + Type = "oneshot"; + }; + + script = '' set -eu ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} @@ -89,16 +95,18 @@ in ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""} need_gen=0 - if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then + if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then need_gen=1 else - enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)" + enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)" end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" now_epoch="$(${pkgs.coreutils}/bin/date +%s)" seconds_left=$(( end_epoch - now_epoch )) days_left=$(( seconds_left / 86400 )) if [ "$days_left" -lt ${toString renewBeforeDays} ]; then need_gen=1 + else + echo 'Certificate exists and is still valid' fi fi 
@@ -114,12 +122,58 @@ in chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" fi ''; - deps = [ - "etc" - (lib.mkIf config.swarselsystems.isImpermanence "specialfs") - ]; }; + + # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { + # deps = [ "generateSSLCert-${serviceName}" "users" "groups" ]; + # }; + # system.activationScripts."generateSSLCert-${serviceName}" = + # let + # daysValid = 3650; + # renewBeforeDays = 365; + # in + # { + # text = '' + # set -eu + + # ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} + # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""} + # ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir} + # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""} + + # need_gen=0 + # if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then + # need_gen=1 + # else + # enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)" + # end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" + # now_epoch="$(${pkgs.coreutils}/bin/date +%s)" + # seconds_left=$(( end_epoch - now_epoch )) + # days_left=$(( seconds_left / 86400 )) + # if [ "$days_left" -lt ${toString renewBeforeDays} ]; then + # need_gen=1 + # fi + # fi + + # if [ "$need_gen" -eq 1 ]; then + # ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \ + # -keyout "${keyPath}" \ + # -out "${certPath}" \ + # -subj "/CN=${serviceDomain}" \ + # -addext "subjectAltName=DNS:${serviceDomain}" + + # chmod 0644 "${certPath}" + # chmod 0600 "${keyPath}" + # chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" + # fi + # ''; + # deps = [ + # "etc" + # (lib.mkIf config.swarselsystems.isImpermanence "specialfs") + # ]; + # }; + services = { ${serviceName} = { package = 
pkgs.kanidmWithSecretProvisioning_1_7; @@ -326,7 +380,7 @@ in ${serviceName}.serviceConfig.RestartSec = "30"; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix index dfa915e..bc5decd 100644 --- a/modules/nixos/server/kavita.nix +++ b/modules/nixos/server/kavita.nix @@ -1,12 +1,8 @@ -{ self, lib, config, pkgs, globals, ... }: +{ self, lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - servicePort = 8080; - serviceName = "kavita"; - serviceUser = "kavita"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -15,6 +11,10 @@ in calibre ]; + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; }; @@ -28,7 +28,11 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -38,7 +42,7 @@ in dataDir = "/Vault/data/${serviceName}"; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
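Review bot: The block of added comment lines starting at `# system.activationScripts."createPersistentStorageDirs"` in kanidm.nix is a copy of the activation script that the preceding hunks replaced with `systemd.services."generateSSLCert-${serviceName}"`, and it already differs from the live script (`certPathBase` in the comment, `certPath` in the unit). Keeping a commented duplicate of code that generates a private key invites someone to re-enable the stale variant later. I would delete the block and leave a single line such as `# cert generation moved from an activation script to a systemd unit; see git history`. The live unit's `script` begins outside this hunk.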
diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix index eb45709..1c89adf 100644 --- a/modules/nixos/server/koillection.nix +++ b/modules/nixos/server/koillection.nix @@ -1,12 +1,7 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let - serviceUser = "koillection"; + inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; serviceDB = "koillection"; - serviceName = "koillection"; - servicePort = 2282; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceDir = "/Vault/data/koillection"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres postgresPort = config.services.postgresql.settings.port; # 5432 @@ -18,6 +13,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; sops.secrets = { koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; }; koillection-env-file = { inherit sopsFile; }; @@ -28,7 +27,11 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; virtualisation.oci-containers.containers = { koillection = { 
@@ -104,7 +107,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/mailserver.nix b/modules/nixos/server/mailserver.nix new file mode 100644 index 0000000..06270b2 --- /dev/null +++ b/modules/nixos/server/mailserver.nix 
@@ -0,0 +1,115 @@ +{ lib, config, globals, dns, confLib, ... }: +let + inherit (config.swarselsystems) sopsFile; + inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceDomain serviceProxy proxyAddress4 proxyAddress6; + inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 user3; + baseDomain = globals.domains.main; +in +{ + options = { + swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + }; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + sops.secrets = { + user1-hashed-pw = { inherit sopsFile; owner = serviceUser; }; + user2-hashed-pw = { inherit sopsFile; owner = serviceUser; }; + user3-hashed-pw = { inherit sopsFile; owner = serviceUser; }; + }; + + environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [ + { directory = "/var/vmail"; user = serviceUser; group = serviceGroup; mode = "0770"; } + { directory = "/var/sieve"; user = serviceUser; group = serviceGroup; mode = "0770"; } + { directory = "/var/dkim"; user = "rspamd"; group = "rspamd"; mode = "0700"; } + { directory = serviceDir; user = serviceUser; group = serviceGroup; mode = "0700"; } + { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; } + { directory = "/var/lib/rspamd"; user = "rspamd"; group = "rspamd"; mode = "0700"; } + { directory = "/var/lib/roundcube"; user = "roundcube"; group = "roundcube"; mode = "0700"; } + { directory = 
"/var/lib/redis-rspamd"; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; } + { directory = "/var/lib/postfix"; user = "root"; group = "root"; mode = "0755"; } + { directory = "/var/lib/knot-resolver"; user = "knot-resolver"; group = "knot-resolver"; mode = "0770"; } + ]; + + mailserver = { + enable = true; + stateVersion = 3; + fqdn = serviceDomain; + domains = [ baseDomain ]; + indexDir = "${serviceDir}/indices"; + openFirewall = true; + certificateScheme = "acme"; + dmarcReporting.enable = true; + + loginAccounts = { + "${user1}@${baseDomain}" = { + hashedPasswordFile = config.sops.secrets.user1-hashed-pw.path; + aliases = [ + "${alias1_1}@${baseDomain}" + "${alias1_2}@${baseDomain}" + "${alias1_3}@${baseDomain}" + "${alias1_4}@${baseDomain}" + ]; + }; + "${user2}@${baseDomain}" = { + hashedPasswordFile = config.sops.secrets.user2-hashed-pw.path; + aliases = [ + "${alias2_1}@${baseDomain}" + ]; + sendOnly = true; + }; + "${user3}@${baseDomain}" = { + hashedPasswordFile = config.sops.secrets.user3-hashed-pw.path; + aliases = [ + "@${baseDomain}" + ]; + catchAll = [ + baseDomain + ]; + }; + }; + }; + + services.roundcube = { + enable = true; + # this is the url of the vhost, not necessarily the same as the fqdn of + # the mailserver + hostName = serviceDomain; + extraConfig = '' + $config['imap_host'] = "ssl://${config.mailserver.fqdn}"; + $config['smtp_host'] = "ssl://${config.mailserver.fqdn}"; + $config['smtp_user'] = "%u"; + $config['smtp_pass'] = "%p"; + ''; + configureNginx = true; + }; + + # the rest of the ports are managed by snm + networking.firewall.allowedTCPPorts = [ 80 servicePort ]; + + nodes.${serviceProxy}.services.nginx = { + virtualHosts = { + "${serviceDomain}" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/".recommendedSecurityHeaders = false; + "~ ^/(SQL|bin|config|logs|temp|vendor)/".recommendedSecurityHeaders = false; + "~ 
^/(CHANGELOG.md|INSTALL|LICENSE|README.md|SECURITY.md|UPGRADING|composer.json|composer.lock)".recommendedSecurityHeaders = false; + "~* \\.php(/|$)".recommendedSecurityHeaders = false; + }; + }; + }; + }; + + }; +} diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix index ba18600..24b4865 100644 --- a/modules/nixos/server/matrix.nix +++ b/modules/nixos/server/matrix.nix @@ -1,12 +1,7 @@ -{ lib, config, pkgs, globals, ... }: +{ lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 8008; - serviceName = "matrix"; - serviceDomain = config.repo.secrets.common.services.domains.matrix; - serviceUser = "matrix-synapse"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; federationPort = 8448; whatsappPort = 29318; @@ -24,6 +19,11 @@ in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + environment.systemPackages = with pkgs; [ matrix-synapse lottieconverter @@ -91,7 +91,10 @@ in }; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { postgresql = { @@ -290,7 +293,7 @@ in # messages out after a while. - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
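Review bot: `recommendedSecurityHeaders = false` is set on every location of the webmail virtual host at the end of mailserver.nix, including `/` and the PHP handler, with no comment saying why. Roundcube is a login surface. If that option is what adds the proxy's hardening headers (its definition is not in this hunk), the vhost is served without them unless Roundcube sends its own. Either leave it enabled on `/` and `~* \\.php(/|$)`, or record the reason next to the block, e.g. `# headers disabled because <reason>; checked that the webmail responses still carry frame/content-type protections`. Then verify the response headers after deployment.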
diff --git a/modules/nixos/server/microbin.nix b/modules/nixos/server/microbin.nix index 1001d69..06b830f 100644 --- a/modules/nixos/server/microbin.nix +++ b/modules/nixos/server/microbin.nix @@ -1,10 +1,6 @@ -{ self, lib, config, ... }: +{ self, lib, config, dns, globals, confLib, ... }: let - servicePort = 8777; - serviceName = "microbin"; - serviceUser = "microbin"; - serviceGroup = serviceUser; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; inherit (config.swarselsystems) sopsFile; @@ -14,6 +10,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users = { groups.${serviceGroup} = { }; @@ -49,7 +49,11 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -101,11 +105,11 @@ in { directory = cfg.dataDir; user = serviceUser; group = serviceGroup; mode = "0700"; } ]; - services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { - "localhost:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; diff --git a/modules/nixos/server/minecraft/default.nix b/modules/nixos/server/minecraft/default.nix new file mode 100644 index 0000000..dbb7d27 --- /dev/null 
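Review bot: The upstream in the last microbin.nix hunk changes from `localhost:${servicePort}` to `${serviceAddress}:${servicePort}` and the nginx block moves to `nodes.${serviceProxy}`, so the backend must now accept connections from another host and the hop is no longer loopback-only. Nothing in the hunk restricts who may reach that port or states that the link is a private network. The same change is made in the oauth2-proxy.nix and shlink.nix hunks, and for oauth2-proxy the hop carries session cookies. I would record the assumption next to the upstream, `# reached from ${serviceProxy} over the internal network only; servicePort must not be exposed publicly`, and scope any firewall rule for the port to the proxy address. The service's bind address is outside the hunk, so confirm it is not still localhost.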
+++ b/modules/nixos/server/minecraft/default.nix @@ -0,0 +1,50 @@ +{ lib, config, pkgs, globals, dns, confLib, ... }: +let + inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6; + inherit (config.swarselsystems) mainUser; + worldName = "${mainUser}craft"; +in +{ + options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + topology.self.services.${serviceName}.info = "https://${serviceDomain}"; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + networking.firewall.allowedTCPPorts = [ servicePort ]; + + environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [ + { directory = serviceDir; mode = "0755"; } + ]; + + systemd.services.minecraft-swarselcraft = { + description = "Minecraft Server"; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + User = "root"; + WorkingDirectory = "${serviceDir}/${worldName}"; + + ExecStart = "${lib.getExe pkgs.temurin-jre-bin-17} @user_jvm_args.txt @libraries/net/minecraftforge/forge/1.20.1-47.2.20/unix_args.txt nogui"; + + Restart = "always"; + RestartSec = 30; + StandardInput = "null"; + }; + + wantedBy = [ "multi-user.target" ]; + }; + + + }; + +} diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index d1ee714..4a115a5 100644 --- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix 
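Review bot: `User = "root"` in `systemd.services.minecraft-swarselcraft` runs a Java game server that listens on the firewall-opened `servicePort` with full privileges, so a flaw in the server or a loaded mod becomes a root compromise of the host. The unit should run as a dedicated unprivileged account that owns `serviceDir`, with systemd sandboxing on top. Other modules in this commit inherit `serviceUser`/`serviceGroup` from `confLib.gen`, and the fence assumes the same works here. The unit name also hard-codes `swarselcraft` while the working directory uses `worldName`, and the two diverge for any other `mainUser`.

```nix
# let-binding: additionally inherit serviceUser serviceGroup from confLib.gen
users.groups.${serviceGroup} = { };
users.users.${serviceUser} = {
  isSystemUser = true;
  group = serviceGroup;
  home = serviceDir;
};

environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
  { directory = serviceDir; user = serviceUser; group = serviceGroup; mode = "0750"; }
];

systemd.services.minecraft-swarselcraft = {
  # … unchanged: description, wants, after …
  serviceConfig = {
    User = serviceUser;
    Group = serviceGroup;
    # … unchanged: WorkingDirectory, ExecStart, Restart, RestartSec, StandardInput …
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectHome = true;
    ProtectSystem = "strict";
    ReadWritePaths = [ serviceDir ];
  };
  # … unchanged: wantedBy …
};
```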
@@ -1,11 +1,6 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let - servicePort = 3000; - serviceUser = "grafana"; - serviceGroup = serviceUser; - serviceName = "grafana"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; prometheusPort = 9090; prometheusUser = "prometheus"; @@ -21,6 +16,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; @@ -57,7 +56,11 @@ in networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ]; topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -206,7 +209,7 @@ in }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { "${grafanaUpstream}" = { servers = { diff --git a/modules/nixos/server/mpd.nix b/modules/nixos/server/mpd.nix index 0f7afc4..e5734f5 100644 --- a/modules/nixos/server/mpd.nix +++ b/modules/nixos/server/mpd.nix 
@@ -1,11 +1,7 @@ -{ self, lib, config, pkgs, ... }: +{ self, lib, config, pkgs, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 3254; - serviceUser = "mpd"; - serviceGroup = serviceUser; - serviceName = "mpd"; + inherit (confLib.gen { name = "mpd"; port = 3254; }) servicePort serviceName serviceUser serviceGroup; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix index 34b245a..e64dfd1 100644 --- a/modules/nixos/server/navidrome.nix +++ b/modules/nixos/server/navidrome.nix @@ -1,15 +1,15 @@ -{ pkgs, config, lib, globals, ... }: +{ pkgs, config, lib, globals, dns, confLib, ... }: let - servicePort = 4040; - serviceName = "navidrome"; - serviceUser = "navidrome"; - serviceGroup = serviceUser; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + environment.systemPackages = with pkgs; [ pciutils alsa-utils @@ -39,7 +39,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.snapserver = { enable = true; 
@@ -103,7 +106,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/network.nix b/modules/nixos/server/network.nix index 661e76b..91e9608 100644 --- a/modules/nixos/server/network.nix +++ b/modules/nixos/server/network.nix @@ -1,19 +1,40 @@ { lib, config, ... }: +let + netConfig = config.repo.secrets.local.networking; + netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}"; +in { - options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + options = { + swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + swarselsystems.server = { + localNetwork = lib.mkOption { + type = lib.types.str; + default = ""; + }; + netConfigName = lib.mkOption { + type = lib.types.str; + default = netName; + readOnly = true; + }; + }; + }; config = lib.mkIf config.swarselmodules.server.network { - globals.networks.home.hosts.${config.node.name} = { - inherit (config.repo.secrets.local.networking.networks.home) id; - mac = config.repo.secrets.local.networking.networks.home.mac or null; + swarselsystems.server.localNetwork = netConfig.localNetwork or ""; + + globals.networks.${netName}.hosts.${config.node.name} = { + inherit (netConfig.networks.${netConfig.localNetwork}) id; + mac = netConfig.networks.${netConfig.localNetwork}.mac or null; }; globals.hosts.${config.node.name} = { inherit (config.repo.secrets.local.networking) defaultGateway4; + wanAddress4 = netConfig.wanAddress4 or null; + wanAddress6 = netConfig.wanAddress6 or null; }; networking = { - inherit (config.repo.secrets.local.networking) hostId; + inherit (netConfig) hostId; hostName = config.node.name; nftables.enable = lib.mkDefault false; enableIPv6 = lib.mkDefault true; 
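Review bot: The `or ""` fallback in `swarselsystems.server.localNetwork = netConfig.localNetwork or "";` is not carried into the next statement of the network.nix hunk. That statement reads `netConfig.networks.${netConfig.localNetwork}` directly, so evaluation fails with a missing-attribute error on a host whose secrets lack `localNetwork`. With the fallback in effect, `netName` also ends in a bare `-`, registering the host under a network name that probably does not exist. Either drop the fallback and make the value mandatory, or read through the option, `inherit (netConfig.networks.${config.swarselsystems.server.localNetwork}) id;`, and assert that it is non-empty. The two new options also have no `description`.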
diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix index c2d5af0..aac65d8 100644 --- a/modules/nixos/server/nextcloud.nix +++ b/modules/nixos/server/nextcloud.nix @@ -1,14 +1,8 @@ -{ pkgs, lib, config, globals, ... }: +{ pkgs, lib, config, globals, dns, confLib, ... }: let inherit (config.repo.secrets.local.nextcloud) adminuser; inherit (config.swarselsystems) sopsFile; - - servicePort = 80; - serviceUser = "nextcloud"; - serviceGroup = serviceUser; - serviceName = "nextcloud"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; nextcloudVersion = "32"; in @@ -16,13 +10,19 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops.secrets = { nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; - - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -50,7 +50,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index cfe9330..a869b23 100644 
--- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix @@ -1,6 +1,6 @@ { pkgs, lib, config, ... }: let - inherit (config.repo.secrets.common) dnsProvider; + inherit (config.repo.secrets.common) dnsProvider dnsBase; inherit (config.repo.secrets.common.mail) address3; serviceUser = "nginx"; @@ -63,9 +63,12 @@ in ]; sops = { - secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + secrets = { + acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + }; templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} + ACME_DNS_API_BASE=${dnsBase} + ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token} ''; }; @@ -85,6 +88,7 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence { + directories = [{ directory = "/var/lib/acme"; }]; files = [ dhParamsPathBase ]; }; 
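Review bot: `ACME_DNS_STORAGE_PATH` in the `certs.secret` template is given `${config.sops.placeholder.acme-dns-token}`, which expands to the secret's content, whereas the variable name calls for a path to the acme-dns account file. Unless the secret itself contains a path, the line should point at the decrypted file, `ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-dns-token.path}`, with that secret made readable by the ACME user. The secret is still named as a token, so a comment such as `# acme-dns account storage, not a provider API token` would prevent confusion. The `/var/lib/acme` directory persisted in the third hunk holds private keys, so confirm the persistence entry's default owner and mode are what you want.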
@@ -109,27 +113,51 @@ in ''; }; }; - system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { - deps = [ "generateDHParams" "users" "groups" ]; - }; - system.activationScripts."generateDHParams" = - { - text = '' - set -eu - - ${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath} - ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""} - - if [ ! -f "${dhParamsPathBase}" ]; then - ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096 - chmod 0644 ${dhParamsPath} - chown ${serviceUser}:${serviceGroup} ${dhParamsPath} - fi - ''; - deps = [ - "etc" - (lib.mkIf config.swarselsystems.isImpermanence "specialfs") - ]; + systemd.services.generateDHParams = { + before = [ "nginx.service" ]; + requiredBy = [ "nginx.service" ]; + after = [ "local-fs.target" ]; + requires = [ "local-fs.target" ]; + serviceConfig = { + Type = "oneshot"; }; + + script = '' + set -eu + + install -d -m 0755 ${sslBasePath} + ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""} + + if [ ! -f "${dhParamsPath}" ]; then + ${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096 + chmod 0644 "${dhParamsPath}" + chown ${serviceUser}:${serviceGroup} "${dhParamsPath}" + else + echo 'Already generated DHParams' + fi + ''; + }; + + # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { + # deps = [ "generateDHParams" "users" "groups" ]; + # }; + # system.activationScripts."generateDHParams" = + # { + # text = '' + # set -eu + + # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else "${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath}"} + + # if [ ! 
-f "${dhParamsPath}" ]; then + # ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096 + # chmod 0644 ${dhParamsPath} + # chown ${serviceUser}:${serviceGroup} ${dhParamsPath} + # fi + # ''; + # deps = [ + # (lib.mkIf config.swarselsystems.isImpermanence "specialfs") + # (lib.mkIf (!config.swarselsystems.isImpermanence) "etc") + # ]; + # }; }; } diff --git a/modules/nixos/server/nsd/default.nix b/modules/nixos/server/nsd/default.nix new file mode 100644 index 0000000..6e79fad --- /dev/null +++ b/modules/nixos/server/nsd/default.nix 
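Review bot: The old activation script is left behind as roughly twenty commented-out lines after the new `systemd.services.generateDHParams` unit in nginx.nix. Version control already keeps it, so the block should be deleted. Inside the new `script`, the first `install` is called bare while the next line uses `${pkgs.coreutils}/bin/install`; pick one form. A short comment on the unit would explain the `requiredBy` ordering, e.g. `# runs before nginx; first-boot generation of 4096-bit parameters may take a while`.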
@@ -0,0 +1,90 @@ +{ lib, config, globals, dns, confLib, ... }: +let + inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName servicePort proxyAddress4 proxyAddress6; + inherit (config.swarselsystems) sopsFile; +in +{ + options = { + swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + swarselsystems.server.dns = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.submodule { + options = { + subdomainRecords = lib.mkOption { + type = lib.types.attrsOf dns.lib.types.subzone; + default = { }; + }; + }; + } + ); + }; + }; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + sops.secrets = { + tsig-key = { inherit sopsFile; }; + }; + + # services.resolved.enable = false; + networking = { + # nameservers = [ "1.1.1.1" "8.8.8.8" ]; + firewall = { + allowedUDPPorts = [ servicePort ]; + allowedTCPPorts = [ servicePort ]; + }; + }; + + services.nsd = { + enable = true; + keys = { + "${globals.domains.main}.${proxyAddress4}" = { + algorithm = "hmac-sha256"; + keyFile = config.sops.secrets.tsig-key.path; + }; + "${globals.domains.main}.${proxyAddress6}" = { + algorithm = "hmac-sha256"; + keyFile = config.sops.secrets.tsig-key.path; + }; + "${globals.domains.main}" = { + algorithm = "hmac-sha256"; + keyFile = config.sops.secrets.tsig-key.path; + }; + }; + interfaces = [ + "10.1.2.157" + "2603:c020:801f:a0cc::9d" + ]; + zones = { + "${globals.domains.main}" = + let + keyName4 = "${globals.domains.main}.${proxyAddress4}"; + keyName6 = "${globals.domains.main}.${proxyAddress6}"; + keyName = "${globals.domains.main}"; + transferList = [ + "213.239.242.238 ${keyName4}" + "2a01:4f8:0:a101::a:1 ${keyName6}" + "213.133.100.103 ${keyName4}" + "2a01:4f8:0:1::5ddc:2 ${keyName6}" + "193.47.99.3 ${keyName4}" + "2001:67c:192c::add:a3 ${keyName6}" + ]; + + in + { + outgoingInterface = "2603:c020:801f:a0cc::9d"; + notify = transferList ++ [ + "216.218.130.2 ${keyName}" + ]; + provideXFR = transferList ++ [ + "216.218.133.2 
${keyName}" + "2001:470:600::2 ${keyName}" + ]; + + # dnssec = true; + data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns proxyAddress4 proxyAddress6; }); + }; + }; + }; + + }; +} diff --git a/modules/nixos/server/nsd/site1.nix b/modules/nixos/server/nsd/site1.nix new file mode 100644 index 0000000..8cf0deb --- /dev/null +++ b/modules/nixos/server/nsd/site1.nix 
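Review bot: All three entries under `services.nsd.keys` use the same `keyFile`, `config.sops.secrets.tsig-key.path`, so every secondary in `transferList` and the extra `notify`/`provideXFR` peers share one TSIG secret under different names. If those peers belong to different providers, a leak at one exposes the key that authorises zone transfers and notifies for all of them. One secret per provider limits that, e.g. `keyFile = config.sops.secrets."<per-provider-tsig-secret>".path;` (placeholder name). The `interfaces` and `outgoingInterface` addresses are literals although `proxyAddress4`/`proxyAddress6` are already inherited. `# dnssec = true;` is left commented out with no note on whether signing is planned.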
@@ -0,0 +1,100 @@ +{ config, globals, dns, proxyAddress4, proxyAddress6, ... }: +with dns.lib.combinators; { + SOA = { + nameServer = "soa"; + adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin") + serial = 2025120201; # update this on changes for secondary dns + }; + + useOrigin = false; + + NS = [ + "soa" + "srv" + ] ++ globals.domains.externalDns; + + + A = [ config.repo.secrets.local.dns.homepage-ip ]; + + SRV = [ + { + service = "_matrix"; + proto = "_tcp"; + port = 443; + target = "${globals.services.matrix.subDomain}"; + priority = 10; + weight = 5; + } + { + service = "_submissions"; + proto = "_tcp"; + port = 465; + target = "${globals.services.mailserver.subDomain}"; + priority = 5; + weight = 0; + ttl = 3600; + } + { + service = "_submission"; + proto = "_tcp"; + port = 587; + target = "${globals.services.mailserver.subDomain}"; + priority = 5; + weight = 0; + ttl = 3600; + } + { + service = "_imap"; + proto = "_tcp"; + port = 143; + target = "${globals.services.mailserver.subDomain}"; + priority = 5; + weight = 0; + ttl = 3600; + } + { + service = "_imaps"; + proto = "_tcp"; + port = 993; + target = "${globals.services.mailserver.subDomain}"; + priority = 5; + weight = 0; + ttl = 3600; + } + ]; + + MX = [ + { + preference = 10; + exchange = "${globals.services.mailserver.subDomain}"; + } + ]; + + DKIM = [ + { + selector = "mail"; + k = "rsa"; + p = config.repo.secrets.local.dns.mailserver.dkim-public; + ttl = 10800; + } + ]; + + TXT = [ + (with spf; strict [ "a:${globals.services.mailserver.subDomain}.${globals.domains.main}" ]) + "google-site-verification=${config.repo.secrets.local.dns.google-site-verification}" + ]; + + DMARC = [ + { + p = "none"; + ttl = 10800; + } + ]; + + subdomains = config.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords // { + "www".CNAME = [ "${globals.domains.main}." 
]; + "_acme-challenge".CNAME = [ "${config.repo.secrets.local.dns.acme-challenge-domain}." ]; + "soa" = host proxyAddress4 proxyAddress6; + "srv" = host proxyAddress4 proxyAddress6; + }; +} diff --git a/modules/nixos/server/oauth2-proxy.nix b/modules/nixos/server/oauth2-proxy.nix index d74a441..1c838b7 100644 --- a/modules/nixos/server/oauth2-proxy.nix +++ b/modules/nixos/server/oauth2-proxy.nix @@ -1,10 +1,6 @@ -{ lib, config, globals, ... }: +{ lib, config, globals, dns, confLib, ... }: let - servicePort = 3004; - serviceUser = "oauth2-proxy"; - serviceGroup = serviceUser; - serviceName = "oauth2-proxy"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; kanidmDomain = globals.services.kanidm.domain; mainDomain = globals.domains.main; @@ -123,6 +119,10 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { "oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; @@ -144,7 +144,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.oauth2Proxy.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -195,11 +198,11 @@ in }; }; - services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { - "localhost:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; 
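Review bot: The `DMARC` record in site1.nix publishes `p = "none"`, so receivers are asked only to report, and mail spoofing the domain is still delivered even though SPF is `strict` and a DKIM key is published. That is a normal first stage, but the file does not say it is temporary. Add `# monitoring stage: tighten to "quarantine"/"reject" once aggregate reports are clean` above the record, plus a report address if the combinator supports one (not visible here). The `_imap` SRV on port 143 is advertised alongside `_imaps`; consider dropping it if clients should only use implicit TLS on 993.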
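Review bot: The globals key changes from `globals.services.oauth2Proxy` to `globals.services.${serviceName}`, i.e. `oauth2-proxy`, in the third oauth2-proxy.nix hunk. Any module that still reads `globals.services.oauth2Proxy.domain` will fail to evaluate, or with an `or` fallback will silently lose the auth endpoint. The consumers are outside this hunk, so search for `oauth2Proxy` and update them in the same commit. Leave a marker at the definition, e.g. `# key is now "oauth2-proxy" (was oauth2Proxy)`.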
diff --git a/modules/nixos/server/opkssh.nix b/modules/nixos/server/opkssh.nix index 823102a..1cc01bc 100644 --- a/modules/nixos/server/opkssh.nix +++ b/modules/nixos/server/opkssh.nix @@ -1,8 +1,6 @@ -{ lib, config, globals, ... }: +{ lib, config, globals, confLib, ... }: let - serviceName = "opkssh"; - serviceUser = "opksshuser"; - serviceGroup = serviceUser; + inherit (confLib.gen { name = "opkssh"; user = "opksshuser"; group = "opksshuser"; }) serviceName serviceUser serviceGroup; kanidmDomain = globals.services.kanidm.domain; diff --git a/modules/nixos/server/packages.nix b/modules/nixos/server/packages.nix index 6f5f744..f8d3440 100644 --- a/modules/nixos/server/packages.nix +++ b/modules/nixos/server/packages.nix @@ -4,7 +4,6 @@ config = lib.mkIf config.swarselmodules.server.packages { environment.systemPackages = with pkgs; [ gnupg - nix-index nvd nix-output-monitor ssh-to-age diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index 005bdab..7a249a4 100644 --- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix @@ -1,13 +1,7 @@ -{ lib, pkgs, config, globals, ... }: +{ lib, pkgs, config, dns, globals, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 28981; - serviceUser = "paperless"; - serviceGroup = serviceUser; - serviceName = "paperless"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; tikaPort = 9998; gotenbergPort = 3002; 
@@ -17,6 +11,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; }; @@ -28,7 +26,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -98,7 +99,7 @@ in ) ''; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/postgresql.nix b/modules/nixos/server/postgresql.nix index 3cfa47d..f059e6f 100644 --- a/modules/nixos/server/postgresql.nix +++ b/modules/nixos/server/postgresql.nix @@ -1,7 +1,8 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, confLib, ... }: let - serviceName = "postgresql"; + inherit (confLib.gen { name = "postgresql"; port = 3254; }) serviceName; postgresVersion = 14; + postgresDirPrefix = if config.swarselsystems.isCloud then "/var/lib" else "/Vault/data"; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; 
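Review bot: `confLib.gen { name = "postgresql"; port = 3254; }` in the first postgresql.nix hunk passes 3254, which is the port the mpd module uses, and only `serviceName` is inherited from the result. The value is unused today but would be wrong if `servicePort` were ever inherited. Drop the argument if `confLib.gen` allows it, or use the real port: `inherit (confLib.gen { name = "postgresql"; port = 5432; }) serviceName;`.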
@@ -10,8 +11,12 @@ in ${serviceName} = { enable = true; package = pkgs."postgresql_${builtins.toString postgresVersion}"; - dataDir = "/Vault/data/${serviceName}/${builtins.toString postgresVersion}"; + dataDir = "${postgresDirPrefix}/${serviceName}/${builtins.toString postgresVersion}"; }; }; + environment.persistence."/persist".directories = lib.mkIf (config.swarselsystems.isImpermanence && config.swarselsystems.isCloud) [ + { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; } + ]; + }; } diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix index 411a3e6..b71ea61 100644 --- a/modules/nixos/server/radicale.nix +++ b/modules/nixos/server/radicale.nix @@ -1,20 +1,18 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let + inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; sopsFile = self + /secrets/winters/secrets2.yaml; - servicePort = 8000; - serviceName = "radicale"; - serviceUser = "radicale"; - serviceGroup = serviceUser; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - cfg = config.services.${serviceName}; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; 
@@ -35,7 +33,11 @@ in }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -88,7 +90,7 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/restic.nix b/modules/nixos/server/restic.nix index f668104..cb5c046 100644 --- a/modules/nixos/server/restic.nix +++ b/modules/nixos/server/restic.nix @@ -4,6 +4,14 @@ let in { options.swarselmodules.server.restic = lib.mkEnableOption "enable restic backups on server"; + options.swarselsystems.server.restic = { + bucketName = lib.mkOption { + type = lib.types.str; + }; + paths = lib.mkOption { + type = lib.types.listOf lib.types.str; + }; + }; config = lib.mkIf config.swarselmodules.server.restic { sops = { @@ -26,20 +34,10 @@ in in { backups = { - SwarselWinters = { + "${config.swarselsystems.server.restic.bucketName}" = { environmentFile = config.sops.templates."restic-env".path; passwordFile = config.sops.secrets.resticpw.path; - paths = [ - "/Vault/data/paperless" - "/Vault/data/koillection" - "/Vault/data/postgresql" - "/Vault/data/firefly-iii" - "/Vault/data/radicale" - "/Vault/data/matrix-synapse" - "/Vault/Eternor/Paperless" - "/Vault/Eternor/Bilder" - "/Vault/Eternor/Immich" - ]; + inherit (config.swarselsystems.server.restic) paths; pruneOpts = [ "--keep-daily 3" "--keep-weekly 2" diff --git a/modules/nixos/server/shlink.nix b/modules/nixos/server/shlink.nix index 4c61caa..1ed909c 100644 --- a/modules/nixos/server/shlink.nix +++ b/modules/nixos/server/shlink.nix 
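Review bot: The new `bucketName` and `paths` options in the first restic.nix hunk have no `description`, and nothing in the second hunk checks that `paths` is non-empty before it is inherited into the backup job. Because the fixed list of `/Vault/...` paths is removed, backup coverage now depends entirely on each host's configuration, and a host that sets `paths = [ ];` would evaluate with no visible warning. An assertion inside the `config` block, such as `assertions = [{ assertion = config.swarselsystems.server.restic.paths != [ ]; message = "restic: no backup paths configured"; }];`, would turn that into an evaluation failure. A one-line `description` on each option would say what belongs there.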
@@ -1,9 +1,6 @@ -{ self, lib, config, ... }: +{ self, lib, config, dns, globals, confLib, ... }: let - servicePort = 8081; - serviceName = "shlink"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceDir = "/var/lib/shlink"; + inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress serviceProxy proxyAddress4 proxyAddress6; containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a"; @@ -15,6 +12,10 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { shlink-api = { inherit sopsFile; }; @@ -80,13 +81,17 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; - services.nginx = { + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { - "localhost:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; diff --git a/modules/nixos/server/slink.nix b/modules/nixos/server/slink.nix index 1d92892..fe61faa 100644 --- a/modules/nixos/server/slink.nix +++ b/modules/nixos/server/slink.nix 
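Review bot: In the last shlink.nix hunk the nginx upstream changes from `localhost` to `${serviceAddress}`, which per config-lib.nix is the host's network address whenever `proxyHost` is another node, yet the hunk adds no matching restriction on who may reach `servicePort`. The container's port publishing and the firewall rules are outside the hunk, so this is a question rather than a finding: if the port is published on all interfaces, the backend becomes reachable without passing through the proxy. Opening it only towards the proxy, for example `networking.firewall.interfaces.<proxy-facing-interface>.allowedTCPPorts = [ servicePort ];`, would keep nginx as the only entry point. The same upstream change is made in slink.nix.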
@@ -1,9 +1,6 @@ -{ self, lib, config, ... }: +{ self, lib, config, dns, globals, confLib, ... }: let - servicePort = 3000; - serviceName = "slink"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceDir = "/var/lib/slink"; + inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress serviceProxy proxyAddress4 proxyAddress6; containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9"; in @@ -13,6 +10,10 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + virtualisation.oci-containers.containers.${serviceName} = { image = "anirdev/slink@${containerRev}"; environment = { @@ -57,13 +58,17 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/shlink.png"; }; - globals.services.${serviceName}.domain = serviceDomain; - services.nginx = { + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { - "localhost:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; diff --git a/modules/nixos/server/snipe-it.nix b/modules/nixos/server/snipe-it.nix index 3ae183e..aad544f 100644 --- a/modules/nixos/server/snipe-it.nix +++ b/modules/nixos/server/snipe-it.nix 
@@ -1,22 +1,20 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let + inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; sopsFile = self + /secrets/winters/secrets2.yaml; serviceDB = "snipeit"; - servicePort = 80; - serviceName = "snipeit"; - serviceUser = "snipeit"; - serviceGroup = serviceUser; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - mysqlPort = 3306; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { snipe-it-appkey = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; @@ -24,7 +22,11 @@ in }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.snipe-it = { enable = true; @@ -43,7 +45,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/spotifyd.nix b/modules/nixos/server/spotifyd.nix index fd12435..e5dc58d 100644 --- a/modules/nixos/server/spotifyd.nix +++ b/modules/nixos/server/spotifyd.nix 
@@ -1,9 +1,6 @@ -{ lib, config, ... }: +{ lib, config, confLib, ... }: let - servicePort = 1025; - serviceName = "spotifyd"; - serviceUser = "spotifyd"; - serviceGroup = serviceUser; + inherit (confLib.gen { name = "spotifyd"; port = 1025; }) servicePort serviceName serviceUser serviceGroup; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/ssh-builder.nix b/modules/nixos/server/ssh-builder.nix new file mode 100644 index 0000000..3791bf7 --- /dev/null +++ b/modules/nixos/server/ssh-builder.nix @@ -0,0 +1,35 @@ +{ self, pkgs, lib, config, ... }: +let + ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" "; + + wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" '' + case $SSH_ORIGINAL_COMMAND in + "nix-daemon --stdio") + exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio + ;; + "nix-store --serve --write") + exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write + ;; + *) + echo "Access only allowed for using the nix remote builder" 1>&2 + exit + esac + ''; +in +{ + options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server"; + config = lib.mkIf config.swarselmodules.server.ssh-builder { + users = { + groups.builder = { }; + users.builder = { + useDefaultShell = true; + isSystemUser = true; + group = "builder"; + openssh.authorizedKeys.keys = [ + ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}'' + ]; + }; + }; + + }; +} diff --git a/modules/nixos/server/ssh.nix b/modules/nixos/server/ssh.nix index a588edf..41b1e23 100644 --- a/modules/nixos/server/ssh.nix +++ b/modules/nixos/server/ssh.nix 
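Review bot: In ssh-builder.nix, `ssh-restrict` re-enables terminal allocation by listing `pty` after `restrict`, and the fallback branch of the wrapper ends in a bare `exit`, which returns the status of the preceding `echo`, i.e. success. Neither of the two allowed commands needs a terminal, so `"restrict,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" "` without `pty` is the tighter key option. Changing the fallback to `exit 1` lets the client and any log consumer see the refusal as a failure. A short comment above the wrapper stating that only the exact strings `nix-daemon --stdio` and `nix-store --serve --write` are accepted would document the intent for the next reader.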
@@ -9,6 +9,10 @@ PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "yes"; + AllowUsers = [ + "root" + config.swarselsystems.mainUser + ]; }; hostKeys = [ { @@ -20,10 +24,12 @@ users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; users.users.root.openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; security.sudo.extraConfig = '' Defaults env_keep+=SSH_AUTH_SOCK diff --git a/modules/nixos/server/syncthing.nix b/modules/nixos/server/syncthing.nix index 6eb61c6..3babd67 100644 --- a/modules/nixos/server/syncthing.nix +++ b/modules/nixos/server/syncthing.nix @@ -1,14 +1,9 @@ -{ lib, config, configName, globals, ... }: +{ lib, config, globals, dns, confLib, ... }: let inherit (config.swarselsystems.syncthing) serviceDomain; - inherit (config.swarselsystems.syncthing) serviceIP; + inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress serviceProxy proxyAddress4 proxyAddress6; - servicePort = 8384; - serviceUser = "syncthing"; - serviceGroup = serviceUser; - serviceName = "syncthing"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - specificServiceName = "syncthing-${configName}"; + specificServiceName = "${serviceName}-${config.node.name}"; cfg = config.services.${serviceName}; devices = config.swarselsystems.syncthing.syncDevices; 
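Review bot: The new `AllowUsers` list in ssh.nix names only `root` and the main user, so the `builder` account that ssh-builder.nix adds in this same commit would be refused by sshd on any host that enables both modules, unless another module outside this diff extends the list. If the builder is meant to log in there, ssh-builder.nix could contribute its own entry, presumably as `services.openssh.settings.AllowUsers = [ "builder" ];`, provided the option merges as a list, which should be confirmed. The two commented-out `jump.pub` lines use `lib.mkIf` inside a list, and `++ lib.optional config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)` is the form that works in that position. The enclosing `settings` block starts above the hunk.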
@@ -22,10 +17,6 @@ in type = lib.types.str; default = config.repo.secrets.common.services.domains.syncthing1; }; - serviceIP = lib.mkOption { - type = lib.types.str; - default = "${serviceAddress}"; - }; syncDevices = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ "magicant" "winters" "pyramid" "moonside@oracle" ]; @@ -51,6 +42,10 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { + "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; group = serviceGroup; @@ -61,7 +56,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services."${specificServiceName}".domain = serviceDomain; + globals.services.${specificServiceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = rec { enable = true; @@ -117,11 +115,11 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${specificServiceName} = { servers = { - "${serviceIP}:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; diff --git a/modules/nixos/server/transmission.nix b/modules/nixos/server/transmission.nix index 64c2199..7dfcd87 100644 --- a/modules/nixos/server/transmission.nix +++ b/modules/nixos/server/transmission.nix @@ -1,7 +1,6 @@ -{ self, pkgs, lib, config, ... }: +{ self, pkgs, lib, config, confLib, ... }: let - serviceName = "transmission"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain; lidarrUser = "lidarr"; lidarrGroup = lidarrUser; 
diff --git a/modules/shared/config-lib.nix b/modules/shared/config-lib.nix new file mode 100644 index 0000000..ba5e8bf --- /dev/null +++ b/modules/shared/config-lib.nix @@ -0,0 +1,30 @@ +{ config, lib, globals, nixosConfig ? null, ... }: +{ + _module.args = { + confLib = rec { + + addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 else "localhost"; + + domainDefault = service: config.repo.secrets.common.services.domains.${service}; + proxyDefault = config.swarselsystems.proxyHost; + + getConfig = if nixosConfig == null then config else nixosConfig; + + gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec { + servicePort = port; + serviceName = name; + specificServiceName = "${name}-${config.node.name}"; + serviceUser = user; + serviceGroup = group; + serviceDomain = domain; + baseDomain = lib.swarselsystems.getBaseDomain domain; + subDomain = lib.swarselsystems.getSubDomain domain; + serviceDir = dir; + serviceAddress = address; + serviceProxy = proxy; + proxyAddress4 = globals.hosts.${proxy}.wanAddress4; + proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null; + }; + }; + }; +} diff --git a/modules/shared/options.nix b/modules/shared/options.nix index d73c0a2..911cf5b 100644 --- a/modules/shared/options.nix +++ b/modules/shared/options.nix 
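Review bot: `gen` and `addressDefault` in the new config-lib.nix have no comments, although `addressDefault` decides whether a service is addressed as `localhost` or by the host's address in `globals.networks`, and every module inheriting `serviceAddress` now depends on that. A header comment above `gen` listing its arguments and defaults would document this, together with a line on `addressDefault` such as `# "localhost" when the host proxies itself, otherwise its address in the configured network`. `proxyAddress6` falls back to `null` through `or null` while `proxyAddress4` has no fallback. A comment stating that `wanAddress4` must exist for every proxy host would show that the asymmetry is intended.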
@@ -1,6 +1,26 @@ { self, config, lib, ... }: { options.swarselsystems = { + proxyHost = lib.mkOption { + type = lib.types.str; + default = config.node.name; + }; + isBastionTarget = lib.mkOption { + type = lib.types.bool; + default = false; + }; + isCloud = lib.mkOption { + type = lib.types.bool; + default = false; + }; + isServer = lib.mkOption { + type = lib.types.bool; + default = config.swarselsystems.isCloud; + }; + isClient = lib.mkOption { + type = lib.types.bool; + default = config.swarselsystems.isLaptop; + }; withHomeManager = lib.mkOption { type = lib.types.bool; default = true; @@ -34,7 +54,7 @@ isBtrfs = lib.mkEnableOption "use btrfs filesystem"; sopsFile = lib.mkOption { type = lib.types.str; - default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml"; + default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml"; }; homeDir = lib.mkOption { type = lib.types.str; diff --git a/nix/formatter.nix b/nix/formatter.nix index cf3ce6a..88bb5a6 100644 --- a/nix/formatter.nix +++ b/nix/formatter.nix @@ -17,6 +17,22 @@ }; deadnix.enable = true; statix.enable = true; + shfmt = { + enable = true; + indent_size = 4; + simplify = true; + # needed to replicate what my Emacs shfmt does + # there is no builtin option for space-redirects + package = pkgs.symlinkJoin { + name = "shfmt"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ pkgs.shfmt ]; + postBuild = '' + wrapProgram $out/bin/shfmt \ + --add-flags '-sr' + ''; + }; + }; shellcheck.enable = true; }; settings.formatter.shellcheck.options = [ diff --git a/nix/globals.nix b/nix/globals.nix index 912f24c..563a901 100644 --- a/nix/globals.nix +++ b/nix/globals.nix @@ -1,5 +1,5 @@ # adapted from https://github.com/oddlama/nix-config/blob/main/nix/globals.nix -{ self, inputs, ... }: +{ inputs, ... }: { flake = { config, lib, ... }: { 
diff --git a/nix/hosts.nix b/nix/hosts.nix index 2c99f41..858322a 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix 
@@ -15,41 +15,47 @@ }; modules = [ inputs.disko.nixosModules.disko - inputs.sops-nix.nixosModules.sops + inputs.home-manager.nixosModules.home-manager inputs.impermanence.nixosModules.impermanence inputs.lanzaboote.nixosModules.lanzaboote - inputs.nix-topology.nixosModules.default - inputs.home-manager.nixosModules.home-manager - inputs.stylix.nixosModules.stylix - inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm - # inputs.swarsel-modules.nixosModules.default - inputs.swarsel-nix.nixosModules.default - inputs.niri-flake.nixosModules.niri inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm + inputs.nix-index-database.nixosModules.nix-index + inputs.nix-minecraft.nixosModules.minecraft-servers + inputs.nix-topology.nixosModules.default + inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm + inputs.simple-nixos-mailserver.nixosModules.default + inputs.sops-nix.nixosModules.sops + inputs.stylix.nixosModules.stylix + inputs.swarsel-nix.nixosModules.default (inputs.nixos-extra-modules + "/modules/guests") + (inputs.nixos-extra-modules + "/modules/interface-naming.nix") "${self}/hosts/nixos/${arch}/${configName}" "${self}/profiles/nixos" "${self}/modules/nixos" { + _module.args.dns = inputs.dns; microvm.guest.enable = lib.mkDefault false; + networking.hostName = lib.swarselsystems.mkStrong configName; + node = { name = lib.mkForce configName; secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; + lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); }; swarselprofiles = { - minimal = lib.mkIf minimal (lib.mkDefault true); + minimal = lib.mkIf minimal (lib.swarselsystems.mkStrong true); }; swarselmodules.server = { - ssh = lib.mkIf (!minimal) (lib.mkDefault true); + ssh = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); }; swarselsystems = { - mainUser = lib.mkDefault "swarsel"; + mainUser = lib.swarselsystems.mkStrong "swarsel"; }; } ]; 
@@ -96,7 +102,6 @@ }; modules = [ inputs.stylix.homeModules.stylix - inputs.niri-flake.homeModules.niri inputs.nix-index-database.homeModules.nix-index # inputs.sops-nix.homeManagerModules.sops inputs.spicetify-nix.homeManagerModules.default diff --git a/nix/iso.nix b/nix/iso.nix index 75295ad..d2c993c 100644 --- a/nix/iso.nix +++ b/nix/iso.nix @@ -2,19 +2,32 @@ { perSystem = { pkgs, system, ... }: { - # nix build --print-out-paths --no-link .#images..live-iso - packages.live-iso = inputs.nixos-generators.nixosGenerate { - inherit pkgs; - specialArgs = { inherit self; }; - modules = [ - inputs.home-manager.nixosModules.home-manager - "${self}/install/installer-config.nix" - ]; - format = + packages = { + # nix build --print-out-paths --no-link .#live-iso + live-iso = inputs.nixos-generators.nixosGenerate { + inherit pkgs; + specialArgs = { inherit self; }; + modules = [ + inputs.home-manager.nixosModules.home-manager + "${self}/install/installer-config.nix" + ]; + format = + { + x86_64-linux = "install-iso"; + aarch64-linux = "sd-aarch64-installer"; + }.${system}; + }; + + # nix build --print-out-paths --no-link .#pnap-kexec --system + swarsel-kexec = (inputs.smallpkgs.legacyPackages.${system}.nixos [ { - x86_64-linux = "install-iso"; - aarch64-linux = "sd-aarch64-installer"; - }.${system}; + imports = [ "${self}/install/kexec.nix" ]; + _file = __curPos.file; + system.kexec-installer.name = "swarsel-kexec"; + } + inputs.nixos-images.nixosModules.kexec-installer + ]).config.system.build.kexecInstallerTarball; + }; }; } diff --git a/nix/lib.nix b/nix/lib.nix index c41db61..c3f0338 100644 --- a/nix/lib.nix +++ b/nix/lib.nix 
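Review bot: The comment above `swarsel-kexec` in iso.nix says `.#pnap-kexec`, which does not match the attribute name defined on the next line, and it ends in `--system` with no value. A comment that matches what the hunk defines would be `# nix build --print-out-paths --no-link .#swarsel-kexec --system <system>`.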
@@ -29,6 +29,23 @@ let mkIfElse = p: yes: no: if p then yes else no; + getSubDomain = domain: + let + parts = builtins.split "\\." domain; + domainParts = builtins.filter (x: builtins.isString x && x != "") parts; + in + if builtins.length domainParts > 0 + then builtins.head domainParts + else ""; + + getBaseDomain = domain: + let + parts = builtins.split "\\." domain; + domainParts = builtins.filter (x: builtins.isString x && x != "") parts; + baseParts = builtins.tail domainParts; + in + builtins.concatStringsSep "." baseParts; + pkgsFor = lib.genAttrs (import systems) (system: import inputs.nixpkgs { inherit system; @@ -61,7 +78,7 @@ let forEachLinuxSystem = f: lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: f pkgsFor.${system}); readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}"); - readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}")); + readNix = type: lib.filter (name: name != "default.nix" && name != "optional" && name != "darwin") (lib.attrNames (builtins.readDir "${self}/${type}")); mkImports = names: baseDir: lib.map (name: "${self}/${baseDir}/${name}") names; }; diff --git a/nix/overlays.nix b/nix/overlays.nix index 1f8fdc2..0468d04 100644 --- a/nix/overlays.nix +++ b/nix/overlays.nix @@ -86,7 +86,9 @@ in // (inputs.nur.overlays.default final prev) // (inputs.emacs-overlay.overlay final prev) // (inputs.nix-topology.overlays.default final prev) + // (inputs.nix-index-database.overlays.nix-index final prev) // (inputs.nixgl.overlay final prev) + // (inputs.nix-minecraft.overlay final prev) // (inputs.nixos-extra-modules.overlays.default final prev) ) (modifications final prev); diff --git a/profiles/home/chaostheatre/default.nix b/profiles/home/chaostheatre/default.nix deleted file mode 100644 index 1bcb3fb..0000000 --- a/profiles/home/chaostheatre/default.nix +++ /dev/null 
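Review bot: `getBaseDomain` calls `builtins.tail domainParts` without the length check that `getSubDomain` has, so an empty string aborts evaluation instead of returning `""`. Both helpers also treat the first label as the subdomain unconditionally, so a two-label name such as `example.org` (constructed example) yields the base domain `org`. Whether any configured service domain has that shape is not visible in this diff. Guarding the tail with `baseParts = if domainParts == [ ] then [ ] else builtins.tail domainParts;` would cover the empty case, and a comment saying the helpers expect a name with a leading subdomain label would cover the second. These values feed the DNS record keys written by the server modules in this commit.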
@@ -1,44 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.chaostheatre = lib.mkEnableOption "is this a chaostheatre host"; - config = lib.mkIf config.swarselprofiles.chaostheatre { - swarselmodules = { - packages = lib.mkForce true; - ownpackages = lib.mkForce true; - general = lib.mkForce true; - nixgl = lib.mkForce true; - sops = lib.mkForce true; - yubikey = lib.mkForce false; - ssh = lib.mkForce true; - stylix = lib.mkForce true; - desktop = lib.mkForce true; - symlink = lib.mkForce true; - env = lib.mkForce false; - programs = lib.mkForce true; - nix-index = lib.mkForce true; - direnv = lib.mkForce true; - eza = lib.mkForce true; - git = lib.mkForce false; - fuzzel = lib.mkForce true; - starship = lib.mkForce true; - kitty = lib.mkForce true; - zsh = lib.mkForce true; - zellij = lib.mkForce true; - tmux = lib.mkForce true; - mail = lib.mkForce false; - emacs = lib.mkForce true; - waybar = lib.mkForce true; - firefox = lib.mkForce true; - gnome-keyring = lib.mkForce true; - kdeconnect = lib.mkForce true; - mako = lib.mkForce true; - swayosd = lib.mkForce true; - yubikeytouch = lib.mkForce true; - sway = lib.mkForce true; - kanshi = lib.mkForce true; - gpgagent = lib.mkForce true; - gammastep = lib.mkForce false; - }; - }; - -} diff --git a/profiles/home/dgxspark/default.nix b/profiles/home/dgxspark/default.nix index a0d261a..81c41e0 100644 --- a/profiles/home/dgxspark/default.nix +++ b/profiles/home/dgxspark/default.nix @@ -8,6 +8,7 @@ atuin = lib.mkDefault true; autotiling = lib.mkDefault false; batsignal = lib.mkDefault false; + bash = lib.mkDefault true; blueman-applet = lib.mkDefault true; desktop = lib.mkDefault false; direnv = lib.mkDefault true; @@ -29,7 +30,6 @@ kitty = lib.mkDefault true; mail = lib.mkDefault false; mako = lib.mkDefault false; - niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; 
diff --git a/profiles/home/framework/default.nix b/profiles/home/framework/default.nix deleted file mode 100644 index b4c28e2..0000000 --- a/profiles/home/framework/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; - config = lib.mkIf config.swarselprofiles.framework { - swarselmodules = { - optional = { - framework = lib.mkDefault true; - }; - }; - - }; - -} diff --git a/profiles/home/optionals/default.nix b/profiles/home/optionals/default.nix deleted file mode 100644 index 697de20..0000000 --- a/profiles/home/optionals/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; - config = lib.mkIf config.swarselprofiles.optionals { - swarselmodules = { - optional = { - gaming = lib.mkDefault true; - uni = lib.mkDefault true; - }; - }; - }; - -} diff --git a/profiles/home/personal/default.nix b/profiles/home/personal/default.nix index e04e2af..c9ce74f 100644 --- a/profiles/home/personal/default.nix +++ b/profiles/home/personal/default.nix @@ -29,7 +29,6 @@ kitty = lib.mkDefault true; mail = lib.mkDefault true; mako = lib.mkDefault true; - niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; diff --git a/profiles/home/toto/default.nix b/profiles/home/toto/default.nix deleted file mode 100644 index 2f1473a..0000000 --- a/profiles/home/toto/default.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.toto = lib.mkEnableOption "is this a toto (setup) host"; - config = lib.mkIf config.swarselprofiles.toto { - swarselmodules = { - general = lib.mkDefault true; - sops = lib.mkDefault true; - ssh = lib.mkDefault true; - kitty = lib.mkDefault true; - git = lib.mkDefault true; - }; - }; - -} 
diff --git a/profiles/home/uni/default.nix b/profiles/home/uni/default.nix deleted file mode 100644 index e816f45..0000000 --- a/profiles/home/uni/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; - config = lib.mkIf config.swarselprofiles.uni { - swarselmodules = { - optional = { - uni = lib.mkDefault true; - }; - }; - }; - -} diff --git a/profiles/home/work/default.nix b/profiles/home/work/default.nix deleted file mode 100644 index a89b300..0000000 --- a/profiles/home/work/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; - config = lib.mkIf config.swarselprofiles.work { - swarselmodules = { - optional = { - work = lib.mkDefault true; - }; - }; - }; - -} diff --git a/profiles/nixos/chaostheatre/default.nix b/profiles/nixos/chaostheatre/default.nix deleted file mode 100644 index 31ce621..0000000 --- a/profiles/nixos/chaostheatre/default.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.chaostheatre = lib.mkEnableOption "is this a chaostheatre host"; - config = lib.mkIf config.swarselprofiles.chaostheatre { - swarselmodules = { - packages = lib.mkForce true; - general = lib.mkForce true; - home-manager = lib.mkForce true; - xserver = lib.mkForce true; - users = lib.mkForce true; - sops = lib.mkForce true; - env = lib.mkForce true; - security = lib.mkForce true; - systemdTimeout = lib.mkForce true; - hardware = lib.mkForce true; - pulseaudio = lib.mkForce true; - pipewire = lib.mkForce true; - network = lib.mkForce true; - time = lib.mkForce true; - stylix = lib.mkForce true; - programs = lib.mkForce true; - zsh = lib.mkForce true; - syncthing = lib.mkForce true; - blueman = lib.mkForce true; - networkDevices = lib.mkForce true; - gvfs = lib.mkForce true; - interceptionTools = lib.mkForce true; - swayosd = lib.mkForce true; - ppd = lib.mkForce true; - yubikey = lib.mkForce false; - ledger = lib.mkForce true; - keyboards = lib.mkForce true; - login = lib.mkForce true; - nix-ld = lib.mkForce true; - impermanence = lib.mkForce true; - nvd = lib.mkForce true; - gnome-keyring = lib.mkForce true; - sway = lib.mkForce true; - xdg-portal = lib.mkForce true; - distrobox = lib.mkForce true; - appimage = lib.mkForce true; - lid = lib.mkForce true; - lowBattery = lib.mkForce true; - lanzaboote = lib.mkForce true; - autologin = lib.mkForce true; - }; - - }; - -} diff --git a/profiles/nixos/framework/default.nix b/profiles/nixos/framework/default.nix deleted file mode 100644 index 060c3ec..0000000 --- a/profiles/nixos/framework/default.nix +++ /dev/null 
@@ -1,18 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; - config = lib.mkIf config.swarselprofiles.framework { - swarselmodules = { - optional = { - framework = lib.mkDefault true; - }; - }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - framework = lib.mkDefault true; - }; - }; - - }; - -} diff --git a/profiles/nixos/optionals/default.nix b/profiles/nixos/optionals/default.nix deleted file mode 100644 index ddb7846..0000000 --- a/profiles/nixos/optionals/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; - config = lib.mkIf config.swarselprofiles.optionals { - swarselmodules = { - optional = { - gaming = lib.mkDefault true; - virtualbox = lib.mkDefault true; - nswitch-rcm = lib.mkDefault true; - }; - }; - - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - optionals = lib.mkDefault true; - }; - }; - }; - -} diff --git a/profiles/nixos/personal/default.nix b/profiles/nixos/personal/default.nix index 1d8f99a..dc9583c 100644 --- a/profiles/nixos/personal/default.nix +++ b/profiles/nixos/personal/default.nix @@ -26,7 +26,6 @@ lowBattery = lib.mkDefault false; network = lib.mkDefault true; networkDevices = lib.mkDefault true; - niri = lib.mkDefault false; nix-ld = lib.mkDefault true; nvd = lib.mkDefault true; packages = lib.mkDefault true; @@ -35,6 +34,7 @@ ppd = lib.mkDefault true; programs = lib.mkDefault true; pulseaudio = lib.mkDefault true; + remotebuild = lib.mkDefault true; security = lib.mkDefault true; sops = lib.mkDefault true; stylix = lib.mkDefault true; diff --git a/profiles/nixos/uni/default.nix b/profiles/nixos/uni/default.nix deleted file mode 100644 index 24fa649..0000000 --- a/profiles/nixos/uni/default.nix +++ /dev/null 
@@ -1,18 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; - config = lib.mkIf config.swarselprofiles.uni { - # swarselmodules = { - # optional = { - # uni = lib.mkDefault true; - # }; - # }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - uni = lib.mkDefault true; - }; - }; - - }; - -} diff --git a/profiles/nixos/work/default.nix b/profiles/nixos/work/default.nix deleted file mode 100644 index 0740cc4..0000000 --- a/profiles/nixos/work/default.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; - config = lib.mkIf config.swarselprofiles.work { - swarselmodules = { - optional = { - work = lib.mkDefault true; - }; - }; - home-manager.users."${config.swarselsystems.mainUser}" = { - swarselprofiles = { - work = lib.mkDefault true; - }; - }; - - }; - -} diff --git a/secrets/belchsfactory/secrets.yaml b/secrets/belchsfactory/secrets.yaml new file mode 100644 index 0000000..a199923 --- /dev/null +++ b/secrets/belchsfactory/secrets.yaml 
@@ -0,0 +1,58 @@ +#ENC[AES256_GCM,data:WqtrDDqt,iv:Ksv7cH9opsgWoXj+YnTct3VtAT6qbaAr78uaZxkN+zc=,tag:9KPeAi/JZvxjKh1w4scsdQ==,type:comment] +#ENC[AES256_GCM,data:kwewartySAHzmyssuWFPv0XODI/njYrSXxqEE2JBJvuCsJKwZrq4+EzKOtwOlyssEpAvaxxejmb7,iv:p3KO21NvM7zfp4U0s9TVW5jfnOzvQkn06mcFgHp9xVA=,tag:sn/zQwI8EdhWb2w9F+V4rw==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:Fj1V4MMKYJdXTur3xc7EDnYGXg8GBVPx8X/I6A7bRIdm7cX63yRrtw==,iv:Gaz6xYtEkQilaQG6+5Bz2gHWN3sIRQmCqLryZZYjefM=,tag:lGu+e1u6JOdxq8l8J+6+cw==,type:str] +#ENC[AES256_GCM,data:IaG0khKtH/NwwvpDAWwZ9kVhtxI=,iv:IFP93sRIw3Lkze3ut20VBYWxBC1/6euA+uJoggFP5SU=,tag:dq2cU1tB2MPA99BJtp0gZA==,type:comment] +garage-rpc-secret: ENC[AES256_GCM,data:QzyqeNuJPjtG7MTyO+6f+KfquWhHbDGBJ6hrEGDh+3kg6wkCGx/0pUjeOMAaren1jMIwk1iKaAnSbq7NW1GcLA==,iv:WmCRD/kNtmBljkA78Vb5guUVrsQxdoZfRE2tNlt0iWQ=,tag:6wKCXlwbLzxvLpACJbACEg==,type:str] +#ENC[AES256_GCM,data:guiRBJqw3HqM3e0Zw27bhc/h8sPcni0=,iv:J1Bc5LPzYdhlTUeenn8QqpBzrsoKGr+b499h8T+ilNo=,tag:kjXtd7tH5PzQLWt7EWbMaQ==,type:comment] +garage-admin-token: ENC[AES256_GCM,data:oxUvX41iOaS7Jvfb281lPKCavwP2z5hvP94EWCp8V/2CuLbeDWJtCxrlqoA=,iv:Qk/0/yJFcUWrgiEJSh2e+cQNsfkCPv7+RETINBDsgzo=,tag:bfTEOjB1Ln/WFy5MbKYCVA==,type:str] +#ENC[AES256_GCM,data:RB6z24ud0XkaawMtPI14nvHhRkU7pTUGezN/9L4GoAXM0M93VpMbQEouanZASg==,iv:XzDcpdIrPU/rXsqPbMPzuDRFWXvV3hkBpwntCKc604k=,tag:eBHwgiEmxipJaNB5YivyXQ==,type:comment] +attic-garage-access-key: ENC[AES256_GCM,data:HqaStuLtg4DVVe8SFWvIfJwPFUvJL59rLjY=,iv:T7kkjyISziJ/Dv8BtF6LXfkd+wR9TRN+ZG+7jFMVK2c=,tag:Rlv71YCXV3sYgrrj1CX7Qg==,type:str] +attic-garage-secret-key: ENC[AES256_GCM,data:XJFQN+8L5hH1wUiTyh1bwojDyQA8bp8cs8wVNYqp/5YZ58ngiuySE9WvDBP4Jxrp2kHTYXzlofcKDsh3H6AFsA==,iv:HQJwUN4dPRY40VKc7eA+O0atRss3qQ35Kg2GxWP7hYE=,tag:UWgjX+2aYm0OMWAmKRT5dQ==,type:str] +attic-server-token: ENC[AES256_GCM,data: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,iv:GP5ff3lAzUqfBliMj1J9EcMnTe/BDeEPlZY/Euqep7Q=,tag:7udaKfA4h6d2qzR9EvLALA==,type:str] +sops: + age: + - recipient: 
age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTEN5NkFlN3BzWVA3elRy + eHdlRmE3amJvZWI4OVQyT0VuQjJvWk5MYVJZCkpPc05udWZtTWpnai85MmJzUVQ3 + TmtGZzhHbGxUWHNiL0lrUmNiNjVvMzgKLS0tIEROR1lzYm5kWE1mVDN5dHJXMkF5 + NHZwMEl2ZWVONkNuVWprUFhsek91NzQK84WqkK9mtR4q1G2wS6gKqflEUv0VefUJ + jcQij+3T2O81paZytTzZNPX3JuebyyitC5KeEoz3Z99uSrCDaLuZAQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-28T17:45:56Z" + mac: ENC[AES256_GCM,data:t+L6NWHaZCrSbHJhFja28E0vSNGHf5hyH183J0KPL/SrJDcK/XuxwSbbCTfwMQtRiuhjprjPjH4ioqZV/eCiLEd3C3LikEwlXb7CutYknpjceNuhi3aJ5+oRVb8vwcrMAtbPKKB1ZJc7PNcRWIFk6oEF7M8NjkC92/3C4fSH9Q4=,iv:t/YjiqCEPJkyHz/W/p6T19An2Lyr8khmwsv8it/nnZM=,tag:lccvtgBMM4NgMfKwgWoeQw==,type:str] + pgp: + - created_at: "2025-11-26T12:40:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/5Adw1O86oiP1IkusK1t5JcPR9lt6aZNNVwVTFzkenAQoA + oO23QmBYIgrsPNYdck/6EownjbfMCjaIXPiKEGoV3qy9hLk4XM0VRJNYhO+dWLSY + 2qPoOTHuhDJeaNwJdZe/Q45+rPaYJj7lEoOWsTnNuXyQ8lZ6mDiUPUhiBUrAecFf + p1nKg4g6r/kYFmU9Pa7MQ58usZADj8i2zN9qOE0s7Lp0AKTHf2xh1ApIZpjntqBU + IHbvBlPhqDRtfJMG13+qs99NTZ8kMNHluZu9suuBuioJC9P7nqyJdB2a/izEVzpr + nFW6iRNxn8I2E9BgaH1r1AzhKGtVmy8WKcRQB4RFU5I9ex0qB8JThLUBl2uPDv/Z + 0CrGH9eC2w1E1NwEyfFDowQvRoo65lNz7xgNtlFpPkJX4X9yZjJHElvVg2I0HJhH + XzUCsnsTanQPGzXRbVRhVDyFU0xeUa19l898Ft/lTKguOVaRcrCajXq4ACmykHA2 + nnEoHh+25ablQiF8JIoWgLREKftdL8zCBWRlyv3i49nmlABykYWy7YJVYloTF4ow + k1y9JTD8JjaMT+LFU1s5j9mVPnc1byeKkHdB/Pf0R9wGtESuWdfiyOGxco1rHePi + i6Cnn3mEro1Ty+P1aPN/ahxCzAoFs93stF4JgebWjmOZ0R8LOn28OypzRdR91R6F + AgwDC9FRLmchgYQBD/0at3f5R74CdMtw0VGIT99q9VbXNpD/ZBETRsNwosWLICDf + wLbrlT0YHro+1mDyTcNtM9ZX8OlfppqsD+HSYxCfDIbi6dQwRT4PhB4V1ZtY241X + 41XfMsMo83TD43JYRn+3XwLwp0ZjLmteGI8x/vVD2OoSxA/2n83+jsVHUj3bM2Yz + hO6aQi3dPbv0PlFjAOVzsZ04kXnCM4SiUZGNVUxOHofoPS0ISiROoBZZuB4iTSXJ + V87UgqZdyo8eaF6zj9iNo95yfaWJoplJFcTnzUBX4+OU4OxjiS5h3QEWeSG2fJtG + 
NCjztSkDjf/rOOrRJ0nhFC04HuOSs4ccz33RqOrWByyI11SublzcDNanLpV/lfIc + q5J626fFqrVanbr/zKJPNBqD+vqH8odbkx+MxntYPt4jPtj6Ijuhva7g8dUCT3n8 + JPOCVG4oj10djmStnpazs8mCQJm9XcrOyXReQEHnKuO0J3fbvdg98QEom5KZcjY2 + jHATK7+xCYgOEcN90PFaC+doq9467jODvCJRAj+A5kRp0AgOChlttb0C4kT+Ulc0 + 4+ydcYbRZMJy1f86f6bFCuK0+X2K8IYlJSl/lb69Et4gDdRdDHGqZY4GtbMoJ5yb + AVrM6VXFvQI2eEPNUJBir17QDdgdMVSktF6xg+rtEtYAjU0T6fmZTrlpL6jmdNJe + ATswWpOyg77HLgPrvBM3ahVwMdBPZYP4ahms3afCTWKvo9ucWSCR4LF/xMEaHZV1 + yGEpRV0NUMU13CprYem84VFHFeu4+AFKgxeP7xHmqio3Q+v0IMiE+QvWZZ+Z4A== + =x3px + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/certs/secrets.yaml b/secrets/certs/secrets.yaml index 6564dea..7bc7436 100644 --- a/secrets/certs/secrets.yaml +++ b/secrets/certs/secrets.yaml 
@@ -8,98 +8,143 @@ sops: - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOE9rY2tmekF4blBrUEpH - TmM2a2ozUGNvaFpDWjYrelhEdGc1RUp3Q0RjCmloQldpdDdXUlV4eEt6YjF1V3lm - NUxTckR3STNNRmF1dHRqTmhNOWt5cmMKLS0tIDJjVFJZUlNXQzhjVWNLQVpjOTgw - anhEbXNFblZpZ3hIVXNxcmhBcDRpK2MKb/Fh7QtHGBFttpzt1qSVE+1H6W2FYKXI - Uuly3uYxfvQXV/rtgXNP5nqtFe9rMAQYuLMgJ8SbUr7cczt57CX4VA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ0p3QlY2c1dGcGIvektO + c1BRWWFJTndub0dxUXhlMTlreDUyUlZ5U0NjCldCamVrN24yZ1QycksxTDV4Sk9V + aklIT1dGVHJKL0ZWNFN6WnhJN1Z4SzQKLS0tIC9lZUI0cE5aYzBHcWlWc3FkS041 + bTdlMU5qbHRBZ1V0ZXhjL3FKYmR0Z0EKpA48GyFC1W2+O3WL7Dgjb5dRRfkyJNFi + Yl3i2st6zBGH6OFJGdLlBAJ/lqw9LgHKxYbId7XcuAfMkDTNz4Fjjg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WDBMV3RUYUovS0ZmV0JJ + bWdqSWE1TTA4MjNvbzFtM1NoY1FsL0FIWm5nCkV5cSt5VWVzYmM1MytuTUJsVHBB + a2hoMTNwcXZaYzl4d3lmZUZIVDBQekUKLS0tIHlTcEFqR2pIQTBFU21EZ0h0Z3hL + UHN3QmtreUpUMmxTNy8vbXRnV25jRFEKTaCbReUitrOJGVncdR/VQBXmM+mTzTKj + HzRnYSUmuuRdkHC/ljjeYR4rkSjN4RJABX0fraKdARBfkoi+x5ulCQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM0k4SW96SXVJejBGcHJR + UVZneUVBT0VzZXNlazJKcU1DYWNPZGNiTFc0CmRtTEdCSkF6dTZZamhPWTF2dWlw + QmdNTmJ2Q2JiNXhJd3kxdTdZNXkzU1UKLS0tIHoyMEU0UUJEN3lkZDlGNjJKWjFI + Z3A1b1BJNVg3SDNXZ2JPUDZwOXpHTkEKv+NRRLHfnc8j4rVmBDrLdTTtNyb9sUUm + EhEmbKkXZfHUQtx3bYUJQeod2wd7CYGzvfrbU96xpFkTAqvUJtWAJw== + -----END AGE ENCRYPTED FILE----- + - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdXJzVkxzZDlZaStpQm0y + 
d3lyQnFZcUNaZDdrdm1sSW1HS1Y1VkN2cmdJClVuM2Z3ckF0RWsrQ3RkN1Q4SGFF + M0d6THFpRDlXTXZseWJjQzU2OCtCWUEKLS0tIGJ6ajNRSmJqNVMveFBSUWF3TmRh + VnlXdTd0VS9RSnUwWit5M2RqYk5FVzgKLD8+uG/KUxBUTu4WFcgl187eKapyPrVq + 0+nL/jITbzy0HA3cTdVR1b2pueKODohBdVIqD+JpPs86z8FaLro80Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcUYwUHZYNmNLYjV0WGhV + N09HUVo5SUpvUS92UThaV3hvVlN1Tnc4RGhBCk9HL0pXalBiMnJtSWlaOEFKNVlX + S3g3eTVtYXJwRy8vSGtmUDBpOGlYMGsKLS0tIDBnMkJaTnBnUGx5d0hXLzJPNWVZ + aHc3KzhBT2I0YkNCNkpBdWZPTDB2cm8KSwgUwcFRqWFxEqGrnTd6a7sle5SBXI3J + KyfOOrS1agk+nTaUJNpxLOG3aUWPSG8DBlEvP4Z1Kx5kG4e7/kRapQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRWdKL0VjSkJZRERNWWVD + eWNobG15RUtQUXpWMlZTYXNBbFowc3pQOEM0CndTK2cwc3ZRWGxiSjQvb2l6YXEy + SGdHNVQrZy9tc3k4emRBeVByZExmd1UKLS0tIEdBZFRMejVtalE0WGh0WTExM1Ay + R29XRC9wNE4wMUdyTTFpYkh6VnJ5NHcKEDsie612hQqxjH/IdM61a449jiSaqNvW + fG6x6U3GQxnjH6yM+Fn1S87c7ZihTIAPzbAmbIiTmVbv7cp8XVz/LA== -----END AGE ENCRYPTED FILE----- - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTFVPMElxenJwQVBwYUlr - WGZOUUx2NU84WnY2VWRBQllLR3Zub3d1ZEJFCkhubngxM2phTjdtVTR2ZFB3REc3 - NDNJNHE2OVpFaWdFVVYwOWJRajRrSDQKLS0tIHBJL2ZoTURaSGhFWDdKQ2oxcnUv - S1J2VmRIYTNSd3lkUTRBWXhkR2o3aVkKknm9GBqyoPCZZbN+A0PkOVnBWAq18rqX - SnvvX4GYiSor9H+DtPHoRkg7P2eDi8c9ISkpnXReYcRjpw1mSqFE0Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTkNHVmtwK2JOdHM1ZUJ6 + aWhTeUxpc0pFd0tXcThYb1NkS3V4V3pwU21NClA1Y29QN29nc2dsY0Z0SmdFZUtE + Rk9PdUVhU3ZvSmsxcVhGU3gyMktwcnMKLS0tIGF3dEs3dnBoa1VIWUorZjJwRkJl + SStnREZnTGFpMmFGZ1B2MVF2RWRqN2cK5HHfMKlmLG1UQpDYr1Gg8GU3Gg+oGebE + 
y2efhe+oiIwr2uo9+zielNVAykKg2hvwUmyAXBsXsl95sIXFfN2WQw== -----END AGE ENCRYPTED FILE----- - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWV05lSmRvb1JRTW1jK1dR - VFFEdGEzbTRuQk10YVhoeVhVL1cwQ2ZYVFZVCjhNTHB3N0s0N3NBMkRMZWNsRzVE - WVVZdkxBU0N2dnArY3BlYXRyUnI4QjgKLS0tIHFYai9BV0R0VTBKT0tjcDIrSUU1 - dFlxNXJRMmdNclVMeHNNYWcxRHF4b3cK2Ql2NFSci/LJhIw3lNc+2EB7XzrLsJj/ - gVHiXmF42v/vI59ZLuBZfY9tD53WfO4RFe89uh8gGh0JHly3DTS7nA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRXRVSk1SRzdIZkpobFV4 + Qjg3K3NrTDRGY2VZWWNOTXhDLzlodVhTeG1FCjJvanhyN2pITnVBOXRINUtCbE10 + TlBEK1hoRHIzRGtoSDRCQmRnZVg4RUUKLS0tIGF3Q1RKL2h1WGdSRWc4MzF1cTBE + K3Z2TEZycktQRC9NN3R6bVVUSE9FTE0KOtBDjkAezsWR6wfrfnrdUcpdQgnCXm+s + WS/RX6Q5Jw5nOSgkR5SyhHqOpalYlCnYQdE0zmW7n3C/BqnX+53T1A== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwU21WTEh1cVhkSXhTNURU - RWl0L3hFeVp1c3VJNDg5QnlHdHpLTFEzUUFFCkVkSVNLclhDZjB4amRSR25LSjhQ - TG1vN3NoWFE1ZE4rSnNneUliVFV2K3cKLS0tIEx1Q0E5bG9TVk8vWS80cklZUmhU - MHJqSis0TWJOcTk5MXBxWW5hanMyMXcKC6o2kKTVGho9t0QZGpG1ivd33iNmNu7F - UTykT8tGY+rZJTGKBXRGbFXL9prXnnAhpeRywfiKq2d1MFhJwR2ing== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdXQxOWNveEtZUGkwclVp + aER3dERtUHZxRjBweDBYdERROVA3OTNYQTFjCjBZSEVYRGpEWFFUNnM1SU5aWjhs + MWNUdUt3UTQ5SUF3MVVHMW5Wam9KazAKLS0tIEtUekJPVlpyYjFzcmJ2Z200OXNs + N25JN3BJenVhNnhmYXdFVnZEM25mdXMKpzEJ0eqnUoiyboiy9FBeeZFBNHRrO52Y + RICf2lc1bx6i7fLjOhbV+ewjNk7p6ApdJPHaE6Pxa+jJ0O5vVVJjiw== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqbVN0MDgzcVdPNUYyTEFu - cWNVVEduQ2NsTmxBelhKU2ZaK2g0TjN1U1VRClNmbXRxWjZmQW1jSkhtZ3loNFlj - 
VHlreVA5K3kvV3Q3SWFEb3JoWkRjSFUKLS0tIFlaYmlTaTdFWE5HMjBzOHFkVEFQ - UFlML3RpOEo4RTZEREplMFVTdm9QYzQK73riJYtOcy4Edzcf/BehAEhYPNNmMu/P - wbnfg79Dz2vslu81s44uc08rQdYDyp2ByS64ov4AwjYnQ4t3Hs7SgQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NEpqQjN3WkFYSlNrOUZj + aXNDd1JSWnlXNEJCREN0VE04QktNK1gyOHhVCnhCcWdEV2NVYk9vK0xNY1RTRVdU + YS9kRWMrSnE1T04yUER1eGMrM1RsS1EKLS0tIFM4dWxCRTBJNExsakxCOTBQSUxQ + ZjRQRTQwK0k1bzdzQVBYalBlcE5OV3cK1vkdKETqGDbsj/WMjwLmjwUz38yPXh/H + vjJxq20D05HNI3PdBMzZZcaaBzVqf3hx+afk3jQPxggrDiysiRNWLg== -----END AGE ENCRYPTED FILE----- - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTVgzZHFISlFwMndON1Zy - VmRxWmUxdVhIU1dBb1FCNDFpeERQblBmNkNVCjBKalRSblFGREprZCtLaUV3bkJq - L09OZzJjSzdkV0J3c3cxRmNqYXluNTgKLS0tIENvQzk4UGlIeVJZa2FBS3YxQ0o4 - aE5wcVpqRVFaUDZEbUR2ckZZUlpFbFkKF3QH10Qb+UNpRbM3JzVRCjJfz4J10aB5 - a67zfK+4Nf1lqWMcTC72zOJo1b4OitkwOZPSHUwd37URLxA+b3F0+Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSnZNQlZVWlIrVm9HcDVa + Q0lCN1pKaVd1amkwdTFibU83bWlzcmdzM2xrCjU2bExsQ2JhN0laK2hocDVBUnNS + Y2MyTGp6WGUyUmkyc0VLa1JBSDIySHcKLS0tIHBVYXVQKzFUdEJjdGlBL2VHMldG + UzZhUDBCWC94b2lyWEdWeWpJK0tqcWsKH8QLyHTIIEwzUAZCTeUBbOAd78fNHlqk + uImJM5y/vjVw8490Uo7rkypQ5Faab+ekcWqPSj6sE/nFEBWTCKdSrA== -----END AGE ENCRYPTED FILE----- - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbGFOOWpyOXY3dlpKeDgy - cGVpY1dkamd2RU5qWm1MVzBEUXlqV1EwRlZ3CmFyUXJ6Y1lSNlFNNSswRUc5dTVx - T2xQQlhzbVAxS2c3RUpxVHVYelBEYUkKLS0tIHU1SUpoZi85WG1uMitUVmFkdG91 - bHRhZnBtUXZybm9VT2Y3TGhjbCtsSVEKfEo8jXw9wQdncX1gWev5xxz4s9XRMrX0 - OampKe7MO30BsocF2blkgRQqJe8aZqFgZt0AvSBc7OyuI3mRZMPCBQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlNabmNqK29OQzZJWjFX + Sk5OM0FTcGxUVCs4OXV0VUE2dXNMVG5oZUJjCmtRR3l2SHlEd2xBQVFPcjlMMzFR + 
TCtDTmEwVS9ZMFV0Y1VOWEJGWGtSUlEKLS0tIExZUWVMWTVkUisvMEFmUy9QZ1VG + RnBDMFZ3TmJObElRYVg2SGFBaWxkZFEKq7un72Bpl2st9AUvAXE9rBir1mORSkAA + GnHQyN1tVPurKINQeAmuA8gIn7UlaIi5MxpIkaJFqmO1/6H5e7tkGg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-11-19T14:09:27Z" mac: ENC[AES256_GCM,data:tZ6QzVPivueZiC9Qfb3KNZAv02QatgHRNnlM+Y0iV4BZkYoBjxeDojutizvAMwUarnubUdk5I6m2OZK1mvVDZKXyI6zALX4JMeT2xYQWRHYzHpOygLhhGwTFVhV+0C4jN+eJFF2cNf9lu7NuZI9ylZSOY8I3YKUl+l0l3CkXUl4=,iv:JSGOUq+j9T/NXspn70dfu0J4ISV6vVFZUe/Z1CirrJk=,tag:Hm9N55f9qMc056nSTR1piw==,type:str] pgp: - - created_at: "2025-11-11T17:51:25Z" + - created_at: "2025-12-01T23:06:33Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTAQ/+KEHJIsZn5VF+vGkqGoMmoqYcRQ+TVXeOIAA6ZM4G/VN1 - 3AEcFmq3JQo/Bjvq0pl1IQbvCzT6bNprl3ADmXeqt9x8MOoc28Qx2AJcOmfT+Gzu - AL2Y0zuJ54qXqgBfF+b/014Ek0fxMSPbUI8EuIPPMWuG+upQqhlcvxTr5usvO3qn - dfxt0R7ISwjA9pDYs3fBI+65M4eq0yrSyfsoKQLKsLRXSn3rO56vSS3jTHc3FwWD - 0cOOrWNMdbSnAFeMsioG1sfH4LlzDG3MM96Ne49f9dv0Z9JmLFV18i85mzN75i0p - 4cmcMC6XrHasdLXcvfob42n1PMRArOpLppf0kk3UVvNcx3xVKmCp6S39LIR++763 - wawC22oo6rz3aFRqVqGMudWub2DamsQrnb0IQjnRP249JLROw/cd/h1LaG02ZSP5 - zSz/TmZ1FjgO6aT8oMUQyiDCEq8BfFO6i6SQLkXxw9pfy5kqX5OGh02xLceAzTYH - HCTZm/DRYZw7XimA0CTw51Jd5qy0t7vddcN1bjSy3uZH4CyFn0AsDLvHo6t7xTSr - hZKR8ICbUUDOIi5hLskqFvtSUYIBJoH8NwcMyPukK+ZrrLOwSMWa3qB7r3NodXd0 - NsxxFT9GiQAtD46SgATLhgHCmP5L8DlVvWv3zyYpim7VxoLW8T5s6yOkURAHWlOF - AgwDC9FRLmchgYQBD/9NR8LjoQkd95Qrff2NN7wU5a2QD/dSkQgLAkjWnJ+S14TU - zHdZPp/lorQw5pXanndDRMElZdFrfL7CKI4e4Dd3oPdOpRW9+8/7iyDrW1Pcsgz6 - H2qAEMjLESdWswxbS8uEdX6UzYUBv3+BamedgbBj95qPtPnTaQvGCUL+kpBb7YTm - +Fo1tlC5fZ6jr/V3qacNeG8nFDLm1GvhWOtqNW16Dt4z3RaYBtYF7ElMXRMq11iT - iFMT512SN7/e8dd1jDcFg6Cw4NkU7o+6bA+gs/P7ksAJxyUqAn9elhKYSrNeSDnD - Vtb92/kFO5dc3CrD1F24FyD1Xe6sgqETFL6OilvEGQ/wYJ/AXu84q0ch23f0Tksm - kk6ZpQLd7QKgow5pLwnAbpFBS1P5cemPY6gvmUAtgYJrGLIxxtk44SVhlQeSX3lq - eEJT4lZTu8gzQLTnDiZWJpVTnppZhMqXV2LsWAFU2XRHpuCnAuT0HmNFbaqzzC3r - 
tWa5lZRjgzs5e+zxsRhz+OfwwtJMWZw9OAmIQiRWeitZpk0XMYGraQce2ohPQlSQ - RFarR7EDDevuvRnLmbhhK73of6v8Wb0J/40gZZIWVLRT1LcNBz9ueBsHwPTvvCe5 - FFELdJcxYfIGaCINU6uwvNulS/47f1rpyCtoegNtSvzGtmc+/r2RR8emd8lMS9Jc - AYmI7h6C5XznEGGVtIoAkW44WhIm+Y08tbJoMevp6aRADTnEC6CY1cH3H1ZQbdp0 - YeN6qE3d91gmxW25hsStr8Mcy0JPIflt3kxcWeASpgJnbkOgxtgxhMqYAqc= - =R1dw + hQIMAwDh3VI7VctTAQ/9HmPTBEVh2e92ES0g0sOUx7S9I1zoRFm3ONWNoaT6hld4 + UJiKqbHMQTyjr8m2IvkzT7MhXr6fPsspAFguxdXLAD6LSeWJUkBn6IBT43ISvbkZ + 1KrJnZHzwMjxMGe1MrBk4C17YPlAwB+CDNNehkKHWkSPfVqNurY4gtNoTrZn7HIz + 5Npvi9d5W984CeuFoCmY+w7DbKINk0J0YkgT9zBMdfGw1cVAV5aUS5lIBqvo0YAO + yIQf5tbG9aCa5CL3OH0JD72GBUkODLfWFzcTpzfjYtjx1rsbu6gqkLcH1eGFqTsa + cQ7+A0wbB+9iDN0OXmmPNVix+uMY1yQpxMve3r34v18R9KTCvsSK9gOpk0ilg/T1 + lBG5wFNEutJmwuXai1Zme5+MJLK0ggUQYywhYY9auGmwC74ZRtRQ48o3SsQ0HJTc + tLG0thDciyF/Xy2IPjqnp9vCfITnVw42ZsSIbXfHHYoEBYu4mYhqAP0pmHFzY3jE + rc8LzraecOslqfLVgdCPo/7moBpegIfJfCkX+gYxZKRJsuOHNiTVyFHceP2mztKu + F6MIVxsJsQjRnkavaHXEwNFr+X+YlzoOAid3UNzO78rKAGUw6mJ8PvLBekqw3wfI + zXOWNOgNR/aCUTAbSPn1VBLSM1kioGAKrs6+bAeRypmQGaYiLsDkvOU+qfNxtaKF + AgwDC9FRLmchgYQBD/9iq1JX0DpTayA4qSDo7i9qeET6MKK5VmrawaV2LqQpxOk/ + dEEIT8+ZBhAGjKRIPRZdF0bgcBP92IeOOduPvcdJcRstB1va3nyeKDXkYwaBN0XY + FPKMrTk2hifnmlGdBzN3RWGOXURDZdhqjsR0g4M1/85//0ZA1ogFnUsqtPI07TVd + oKoZqdt068pgBDgAxiwA4Y6WbSSdEo2xQIQ0JTRMGnIycHGnU8UYWElEjnusGKSc + jpC2jzc9TUABawOjCnauExHkBp6PhPRlAbzLA7Kq7v7lLkMKQdnJ0T7kIJUd5LlS + 7TVXSq97WvGBhtQ45cSIZTskjnXEx3TQip9gNrV+MkZ14ASOwc9Lmw1O4z6cVUte + IHzUELZsupE8KQPifgMOyx2Q4OQPQ/vv0CSYJwozbpK+g3XRAtsm70mSlagCtye2 + MsNNQFfZe3vSV4o+vQfbWQ/LMxP/8YcRmh1/2q02yXS6sjW4MWiAjcW6nTRCxJbI + SjMKmIbGNn60MOqn+9MNHA/S12SS1yI2cTPenebbhXAbMnCOHW31D5ufr/UR7Pkm + xiBXOT2jROYtvFozH35OpkIPr7tV0O4riUVvPw7swlqTVrJKR67Fi7ORsGJKbztv + YgUuZC3679TzXyWRMGauTmOPQO1+jZ0WD1QYtKkXPpTZNLx02a0XaGcc4if3gNJc + ATICbOTfcwy5HkC+KcLy0KADtfrO004fSIXV4TNrdfyXNnUshnutAmZBRAilvvdG + OQRfyr8P0jKoZw2UUoAFEGFU2GaNg8NvCoZTOesN2BNhSVIdA6QKjnZOzBI= + =HuIS -----END PGP MESSAGE----- fp: 
4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/eagleland/secrets.yaml b/secrets/eagleland/secrets.yaml new file mode 100644 index 0000000..ec63b57 --- /dev/null +++ b/secrets/eagleland/secrets.yaml 
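Review bot: The recipient list of secrets/certs/secrets.yaml grows by five age keys in this hunk, and each of them can now decrypt everything in the file. Two of them, `age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6` and `age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8`, are the sole age recipients of the new secrets/belchsfactory and secrets/eagleland files in this commit, so they look like the per-host keys of those machines; the other three cannot be placed from what is visible. Before merging, confirm that each new host really needs the certificate secrets and drop the `- recipient:` stanzas of those that do not, since a shared file is only as protected as the least protected host holding a key for it. `lastmodified` and `mac` are unchanged context lines, so only the recipient stanzas were rewritten here, not the encrypted values.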
@@ -0,0 +1,54 @@ +#ENC[AES256_GCM,data:TeJxdPs=,iv:M76JVBlBfgjjm1SuT/0tG/98FXpkIPpGng4u4F5p07I=,tag:RXAqa2R0HmEOjW0dD1treA==,type:comment] +#ENC[AES256_GCM,data:YczkPHAlYVsdVPPGyuByxK9wvRVbAuR6rR9rSFjMvMGxg0QUdIa/yo8o0ppe8I2ywwlLSROp3WLJ,iv:ltLRGMLZsOte9jQEi/VW4Diu/Od8kHPbzsmvPqVgLCE=,tag:YbtxLcYhvPZrC+QFfxtMrA==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:5U/74jeGpQH39kyjuVwLU3WBYk5MrCMZSFouRFRVbB5FhOkiJtqYBA==,iv:f1TgdiVVbAB+580AtQAe8mCXU0WuS9JX7AWukKbDYj4=,tag:Ut0tbtiNcV/NxfStyZA9XA==,type:str] +#ENC[AES256_GCM,data:dZiEtGPKsbsd9g==,iv:lNgXQHx/w7pm3EUTBwyFnqv2j0T7zQ59nFLom8F0hQ8=,tag:1cF89QMfjipYZgfl08qSOA==,type:comment] +user1-hashed-pw: ENC[AES256_GCM,data:uPyDpGOVIqE6cCyvhXIM6v8sTqEx9dV96oqMYS7fRMLiR0kYlCmgNBEeDFmTNRskqwW/WGXrOBn555ZH,iv:KbHW2mOGzOw4t9aOrKLOIobkUNLWj69dk7fFuy1x3aQ=,tag:51+qAavIiM6K256MkhBaZw==,type:str] +user2-hashed-pw: ENC[AES256_GCM,data:+BES2HwH+Jj6wl7MVzsdmPGxp6AuiPLx+XuOpJClksm9SlbAyqATAHeNokAHmj7yLS79rJF5C3YBBtT4,iv:bSX0PLcriKal3eir24DTyePfropgVhh83U0JdR6/2Cs=,tag:TiSKjApnJg3di+77vV9l6Q==,type:str] +user3-hashed-pw: ENC[AES256_GCM,data:sr7jv7PppT5Ub8VsvipXdZZWTZ31GFscmZ/CcHzYE4vsfIYYHpFElHGMjlbcTSLjyqfVOcXAKNvabcoO,iv:C22sZLrUUc3G80yyYr1snuwqtAa8USZd8FRtua5hllw=,tag:lu0hPo24CXNI2kE7C8g3Eg==,type:str] +sops: + age: + - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxWkxKRHJnTjFHcGlhN2Ev + aHphYWN6SXNNZWdNc2dBclViaUJFdW9HTUNVCnN2Q2MvMUZpMmFENlpNTVZmZFJj + bjFRTmtENzQ2WVpHWmc3S1BCMzZmeE0KLS0tIHRPZlNQRnZXcjMvSERuVVN5WDIr + SmZrb2xuVW5VVjM0b244U0lkVmlkVGcKin/6A8ONfW72fbQmvJWiNCzAZfGUtxCI + WV0DaPvO7sO5y7q37QxVUOxgJgF0WpKiNel4Y9E06xbl3TK6jXk2MA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-28T17:45:38Z" + mac: 
ENC[AES256_GCM,data:dQYfZvGJukraN3/rPbu4JxItMxrsEIY2mkLf3ZWmC+wNZ1qLaI+EuqmLRDicNJqQ9cGljystJvrZouUhJXQNwsg4WNck5+WAfFZ4MRevxbZre+LqFfsFi4of6b65iwRTGIahtiLApNoSI6SfcjCt28i1CIofjuQIEk8LBrBlEys=,iv:fKeo9Ot8sG6qYOBE3gt06VqoYKM1/aXMs/jj9dNNFhs=,tag:sOuhoIO4SBUITo8WfCmwaw==,type:str] + pgp: + - created_at: "2025-11-24T12:05:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//XLsWCm+hQ4388h7XmawVSSjBF5dRYHUpuW35fMG/+EWj + 8cGL9dXCBTwBMCV1tEPQikjdVdzFPfCdroeKozvdt9XEOv26sYxtUwihPsp3PDtZ + Mq42veeVqcd33NgfINim7DALCoF6wlh6FM8Xeg/HHcFk9T6gcnhHRWbka/nBXm5y + 3ESVCMws+nuenmNsAp7NP6+TbF5kToSHSd5sf/S+mdo3rMIWVtdwc3Ox7RGeA2Kc + 1AEGfkIZmrUtnCnhbE6Q89nNfmtdmQ6RFY0sPZem3Kksx5SfxLTP+QwsyUeNG402 + ndnjCKiWLlQGkO51wgl3oobJ4KqqC1A9wMvYCIiv163bCy+jA1fsGH/OAIa3kCTb + sauCsLeq3ilSmzmwbWKFIi3dst+YR63XSs7aSCaZ0HnI8CCPV4TMtNkgtiVCXIGv + UmF5XCx7aN3cfGTbTwBzMs741HzQHSxMgKekicJS+NJC/P0DfJu/st781rFqJ536 + FLYF9yK98kVNLrxpWlw+ayp8pP2wMmDScYjZU0Pi4Xz9y6iF0ZtJfEc/NaThKJ6l + K1xat17b7dTdn0H1Ncq2zhZ41nydk6+0K1zYMtjFplCwzGtTDAn7QIY2YEFf+zEF + A/FrEW8sjTOYbWORz3ZdH/lhd12FKEG/QFiM5UwQkINRjBO9NFLTmGXzD0C0kVOF + AgwDC9FRLmchgYQBD/9TYF9hq4JEshBgmUrv+6MnnuXJCYkDdPFrDWk14bAL+J/M + 9r3hHNK/PY9OUqgVf1HRO8d/bIvAwDJhs3rhWP/el6IM5UWfkwwwx/blhTzTlbgm + 1XjN9uPd8lAaNFDgZBKg341zxxuQa6Ikm3MCI/pyXqeOKMlxXfrkH0Lx+e4TyoBF + pDflamEOVJt15dQFOB9aiphTZMCmVQfV/eYfjqpRDR837/ptzQgasgk2KFvyxCkp + iWL/n1nN4n4lg2BYeg0EinFu9lR03VIPaWYrmYCU1XvDUbVKr3c5FbX1mcyt4PvW + oSCq7Gax/YCSQFy6Iv2QiPqhrnelYRuBMuXrnSz8TKfXJtsW8+R42vNc4o4iSYsj + ZIzBQO39YcUA01qogP0hxPSGzo1M0cWRpZaX3JbjWLwqZQoiDi9Uw482xDuxO0bx + TeFtekSCZTV7Mi1EdENb3J4UdgpEsviFLSsK0uSnCPkHu8MteS+FiztxusgHtH5f + YVhQhJ/bIp7jTheow5SZSnb+pRHbTq9GcN48k4G8l4YQZjbXRaYR0ojL//9yexCL + z2poLvkw0q59GgiBNudITIKSB0IJCcg3jDafMCJ8iqyBzwPzPHOL0oB+cYyMth5a + chufOtDAE3JEUJb8c3RXUnpIl2JScYV/IZNHDIUSpWOszCVDYZ9TUqM/+C8iV9Je + AeVg5jGHq5yGwhzhXgM0DJfFksCNvC6uyAJKpw8YRhNGNBt+pSvF38TMA+R1YPmd + yntweGKTK9Qjg4zpS0zwnDehJis/RSkNTkK66RsdVpcaMj47WOrvw3zGVqz1fg== + =A+L4 + -----END PGP 
MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/general/secrets.yaml b/secrets/general/secrets.yaml index 52b8c15..bc0079d 100644 --- a/secrets/general/secrets.yaml +++ b/secrets/general/secrets.yaml @@ -1,7 +1,8 @@ address1-token: ENC[AES256_GCM,data:2maU0sN0+blUbmZADtzpk2BKSg==,iv:7c+7QB2liu3UjKk0OiiwaYnlz2ysPuvhYTAsgMbsfOM=,tag:MgCOEcqQDIyNlLeTOnOvxQ==,type:str] address2-token: ENC[AES256_GCM,data:jZu02PAicI7u6K2P4YsXRmr9Wg==,iv:1Ry6+r8TL04Pioph8I1r0W8MU7UFbvkap378siJxYT0=,tag:Jk+RFCmEu93C3ULkrYh3Gg==,type:str] address3-token: ENC[AES256_GCM,data:9rotZe4tdPJpdWZMN8UMjksqlA==,iv:gVzLlM6h/+YXEi2YnJeShrczWc8Qn0lleRdJoPHbJbk=,tag:Zg59VaKgMysjYekfpbRvhw==,type:str] -address4-token: ENC[AES256_GCM,data:q1z9P0zo8/66HZOVYv2sT1bxGsIrKSQKGcM3ouX8DaE=,iv:KJFPnQoGObsiLGH1WZFdhrg6cuasLBgbZ8sQ2jiFzEc=,tag:koqwVXnA+i27IkGSeEawkQ==,type:str] +#ENC[AES256_GCM,data:pvNcp0qySk95V4tp8WmbPAICSoT5xyUVhbjdxjmq36bfH2wKpXCOzFlwQ5N9o1iY,iv:ykJGXAfXQ32yb3WI07VlILcKvIyXk07DQrGkuPzMazU=,tag:SRaT5AG4pwQvOp3W5SoryQ==,type:comment] +address4-token: ENC[AES256_GCM,data:21Gy95axXTMPViM=,iv:bC1iHdVfwRJFVe2rANe8HJ4PKXFDC8XbJJzLStho22E=,tag:ZIKGbtG21Tu9vZ7up0w25w==,type:str] fever-pw: ENC[AES256_GCM,data:62cQ/mUFMTb63OY=,iv:RCqzwKEi7LdIegibpVe/WlTsREECy4xrqPFNini49Z8=,tag:bfmBEFj3zzmzfk4T7CfPAw==,type:str] main-user-hashed-pw: ENC[AES256_GCM,data:RbXaVuCd8+MTFwwRGK2aJ07clDOOt5msCsEK+384WLdeJz8fjxKJcwIsIUfqlsjKG1Ands9GINlFiCHXPFBRTjnN1ih20t6InA==,iv:pLas4FuJXz5ORvKqZmXyOp9RzKse/vUFOMbw3S1B+Wk=,tag:gkZ2C/Krf53nQiPBVnZ/rw==,type:str] #ENC[AES256_GCM,data:O/ceQ4r5sc3YS86n1yQYH40l,iv:Ak2QK9MCIrrT7TRGpyCTEo9e2VsyaeATWjCITqYI+7g=,tag:kcIDdMujWfs2IZIheA82ZQ==,type:comment] 
@@ -22,119 +23,159 @@ croc-password: ENC[AES256_GCM,data:uz7vI2rrPi1uTKEks4IPnWOt/R6ydlp/cQ==,iv:ZE01X #ENC[AES256_GCM,data:qsBNKxd3Ng==,iv:1fNMDJt7vgKFSdghYBZsuDoZ1sWvzj1Zu8NmkjX6Zh8=,tag:0D7EsgN8B1z7/y4iZS/PtQ==,type:comment] #ENC[AES256_GCM,data:G6Xk3eWNCSbuxzy91Yx/5ZGR2OgJHhJMnRWXwxJ96DW5K+igQjIimNBW90cXqs5iztjC3q4F/YUK2IStnqCgZQi1Gye2g8uHj+1Xa0bt5LKNdjWwwfcONxcKTq37R55sgMbIwdPqi2CBZAw/fdsXfKeDNz3V+7fKzkzX8EckUGj2v27TJoR0/fHjLA==,iv:la0FjH6m9ersNIEqcXmp2kpioL2kubzU2up9wJujDTQ=,tag:GvFW4wzi4PD9HdryfNQrwQ==,type:comment] github-api-token: ENC[AES256_GCM,data:jUruDrTBfuqYuNXOxEtFsFkeXW6UqPvFiVNIXHVeTBaDkELSmJnz3u80rdfuVhxmRlFg8/ApiiBCB5X5sd+6Zh0JgH7mbaxVe+lta1m1wiCm1fWRBkDOuEoHt7p4pVbec/LUJOyvhWzcTcWTtW1GT96DFxKHBt8v,iv:WAWIck/gqZD6Oq/2LxS7YCD1F1FfCq+ZK1ls6sPdJQk=,tag:VTfKIICDvAsVN+7Fx4o1XA==,type:str] -#ENC[AES256_GCM,data:vQF1i7rtfz/MBElKIN9j8N0=,iv:jf2SZpulx85yx2sHcnA3iwkiXJcHq4x1fdBUcSRuiK0=,tag:WpUNpH6/8jDvQA8zRGrdKg==,type:comment] +#ENC[AES256_GCM,data:zoXRtodA,iv:sMz6Fu4fcWC3QqLsJlxRiEV1DcYjdvemP9cLT00SOMs=,tag:36kstVjfCHVIyw6kMTRxfA==,type:comment] emacs-radicale-pw: ENC[AES256_GCM,data:BIORG0geX8s1WOA=,iv:SeoVn8xHlqQGxZzHrm5I5LITMoutRnz3OygswDc96ew=,tag:C3S4a8IEvCjHgAyRrCaaRw==,type:str] +github-forge-token: ENC[AES256_GCM,data:i2c9n5+0Ij7lag5tepbrY/vOAvRQpaY+HiuaT1WzaAOJn+xZGIOUSw==,iv:OHZCJXbNpljnpH0IObVEWc7VSB2AB0OlSCDQJFzaMl4=,tag:ExyHhfBMXiPcmDcBGRy5Yg==,type:str] #ENC[AES256_GCM,data:qsBNKxd3Ng==,iv:1fNMDJt7vgKFSdghYBZsuDoZ1sWvzj1Zu8NmkjX6Zh8=,tag:0D7EsgN8B1z7/y4iZS/PtQ==,type:comment] github-nixpkgs-review-token: ENC[AES256_GCM,data:/4ssZAEwEc9fZeR69GCvLMm4eRv4uabyDbGDGqfRUllO5DVSbZxO+A==,iv:mcARvAyPAB9pyCGFy2A/6qeZbSepHyWVNyusaQ5ze3I=,tag:o7AP6g8XHkPUaCnXK3CFig==,type:str] #ENC[AES256_GCM,data:PI5MX6PgK1y0lqyoYA0=,iv:25UAvFaANHFD04GRafGlCzOc5h+15YPtSES2z2tmpXw=,tag:+XLwQ01+AtGWjtsSQhQ1AQ==,type:comment] anki-user: ENC[AES256_GCM,data:WoGaNDAHFw==,iv:ZSjHfKMIjlgOuvGl7hVxJc1fE80nfxxXYLgsKangBCs=,tag:UP8ZI7gzOrJJjNDHovIkyg==,type:str] anki-pw: 
ENC[AES256_GCM,data:z2SCsSvZIqN2/2VK1EdmcAnl42x5A15PAiK932k3n50Vj1jczGRoSw==,iv:keQCutY4vizVzu5YzPBJLgDLveYDb2VGeEnYmO7CeQw=,tag:KGplFfC5xktNAOTbIlt+Tg==,type:str] +#ENC[AES256_GCM,data:KCqwghIJ8tlGFxMt94svo6285cA1YRbYoeivx6A=,iv:qlZCGrCn5fU1xPQF9wfOMarU6Z7oa3mLtd1LzVzMbuI=,tag:Qq5lBtUsd3lQMx6ffk+kzQ==,type:comment] +builder-key: ENC[AES256_GCM,data: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,iv:2RpiHF4b7+520UJcHVobfJs165EjgxaTATSyOx7HJik=,tag:tGddPi0YeO3E0kHl+E7uGA==,type:str] +nixbuild-net-key: ENC[AES256_GCM,data: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,iv:2HN9X9CA1liWuY+LYqTCX6Zy3xARMS/TOL61r2UKsE8=,tag:XcPBwYrQjqhexI7u+0zXQw==,type:str] sops: age: - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNU8xU0tHWVJOYjR1UVpz - THlRK0FvYisyR3NqTVk1QUlhQVJGbTJROTJBCjVMQThqK3cvUGZlcU5WOEJncnM4 - ZlcrQmdCVTZsT0t0ODhJUG4vY0JlWGMKLS0tIGpQY3hqdDA5bkhOU2I0UGVHaU5F - T2pYcDRMczh3c1B6cmNFMXRYM21Ea28K6An8G4+/mwC7SNYyV3cpx1AQuUsO3uKh - EG6oyvwcLbbqAdHkKLiDdD2bG/NNp+f9xycNyG2AH/8T6kl0fQN2gg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeU14bE1QWGlneTBhYXJy + eFU5WTZwVlFXTlFOMVdmZGpYNkdMNFk4M1VzClhTeW8zdkRzcUhLRkpKdWxCZnVj + R0JaN3RvYk4wTjMrR2JzTU1taFE2blUKLS0tIElUaEVCVDNGbGtCZUZTZ2hwNEdZ + ZlhHZDBROW9HQUx0RE5KSlRFNkJVM00KVKIC6Il9Vq4lwNS4Va/Zy+EciImnjEE7 + uK9asNYPNFLWOGH8WRUYmcsDGupKBCtSJszd9+DoQ28nWo5f2DjHAg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSXA5YnZyQkJrUUI1UGp1 + TFdPZVhTS1RwNVJ6SVhNeWV6TzhMTnZJUnpRClZuRWxPNXdWUk9GS0ZIUUVsUVdJ + RFNtMjVQVURWVW9iQXhWblFRQTYxVUEKLS0tIExFMFZ1eUorbmxCeGFqV0lEa0ow + c1VSTjFXVCt6alprYlZaZkVCUHB5R2sKGrXDZrwhZ/IZhX5EheYrM0nBMrAvzKRC + o9lLy+KZg/0JTZFE9iz+lPLzzPBVnrSXMSC79Tj28YKTR7xOOPTBnw== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYzAyZG85d3hRaUJrajZT + R0crcFJNT1Z2YjZEU3BuZEJwYnhleEZBMGd3CkxnNGppRVhqRjRjbWlpaTJRdWI1 + NVpiNVBJSW1OTWNMNGlRdFVIRW50bjQKLS0tIEQrVmlwdUkxajNtK2ZhV1l0ZXBt + Vnp4eDd3Y0RrUlhMbUxNcFpsTkZ3UGsKv1HuzJH4rm1onXAlV7KO0MLNIxndRVNX + hFFSSV4QelNtjdEmqYwGpqAuILRpZ7g2/wMLVMMQ7l978KrfL5BFZw== + -----END AGE ENCRYPTED FILE----- + - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRlNiY2ZRYy93SFZqWlZh + Q1NaUFlmQVhUMVE4bVp1Smw2cGNzSDJjQzJrClFEZ3BKdEUzVTZCT2tpb2NHNGVH + RzR3SzhvbFNzNzB2eU1oTUZEUmlsUVUKLS0tIEVzTlRodkZWOFpoc0pFendwS3dL + YUV0OHJiVDY5enhUYnIyYUZ3RG0weFkKIW1K8NVG4M/YvrGYwbGL6IyaV6dX7qtV + tFd57d/A8A3vugzQcMCYvRuiEl1uqqId9Npof+GdS//8AhGeH/LOQQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TUVkT0xrblI4V1NXVkl3 + am1FK2VsTTMyS0ZqT2lzTG1NYTdkS3pvNFV3CmdzakU5ZnpJdEdncEVFcXBaYVMv + dE5aMXlzRUVtZTJQSXJSWlArSzBtZzgKLS0tIFhxYVFWa1R1VFhDOGNyZmdPc1Rh + N2VRNE02ZTNxUDNVWnNMb0ttc0JEZzAKCSgy9q357fSjSjnivOEgaNmhocNpzaPK + TIzJqTsUoLvGBdpXa5bNSe+guuIZgZfm7PCohyKrcm1AUhFJOWZ5yQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOEVyV0ZwSWREWDFab1RB + VFczcWxkckk4SkVZU2Nlc1c3UDREaEpHb2dNClIzN3hsMFgwT0VuZVM5aGFKcmx2 + azNBeXVrMGJyVmM2S0p6eWd6VHNPV2sKLS0tIE1JZVRWWTFnUjYwR3dTZUl1aCtu + RFpEREJhRVBacGEzRWhCY010NllET28KqGfrDBjMUogZLG8oGWxUi/J0MNql1Wb8 + vPbOdd5PI36qAjxWEoax/WMG1LBDWxgJJva5VgI2uNoQtpo6rWHTeg== -----END AGE ENCRYPTED FILE----- - recipient: 
age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1djB6aDJRdW5zdjMrMnhJ - YmF2WncrazVUMWNaNXBWU2Y0TVh2S1VpbmtZCjdXQmM0RzVJK1ZNSlhwd2NvSHFO - UmlXZEZWRzJnSGJtdFFUQVd2aytNU00KLS0tIFhwQWQ1MnBVZllzb0VyQzJMRm9Z - Qk5XdXUrcloxelBlVlJuMmpJZ2liK28KNt0EMbRBErf1GExZ7QBnrvwRKozNaHQF - MeFiEuIRAS4vSUHz2dHo7/iyub7D//qXKt4vD6DURfCHhhoGUF1Qdg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlc1hldmx0cVJaQ3lkY2hR + TDcyQVJ0ampnWFdva05YTzdNZHB2VHdkR2trCmtMaDJUSEhPeUZFS2dXZjRSUEY2 + dER0T2N5cFpNSVNtVDBtU3Avb1JwZmsKLS0tIHhJY0ErOEhUMkNjTXVCbWFSeW0x + WmhYaFpXVXlFTWlhNzY3eVk5bFkvK0UKVf0W1kcQr8uHyY89KW5LfZxkb5tKhsEj + H8SwJ2pvLuY5aRudkmnbXQwpF1i7oL17DWKcQI8qIZovxtdJqovmtg== -----END AGE ENCRYPTED FILE----- - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWm15SitONndOZkVDekNl - ajhTQXljdllXaEJ3RVdQRm5sdFJnV0VpQ0E4Ck9nTEVSYmNDK1RUbnU0TkFabnEz - aHVxcTNqUGJ3cDkybHllSmRPVW9Fa2cKLS0tIDgyZjZnV3hWS3phUG1RMjU1Lzlr - QWZLTUV2ZVJlRXBrN3ZXZFRBaGtabE0Kgcy7XL1iCLifYHxydg29tIyPYUQ7hgd9 - c589DNlukEn+i1J4pBkiLDnTUxDOEsUv2VJlGTRrdbFsfjU7PdvG6g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweWlhVGhyMUR5QTFlcytP + T1ZMSEkrbVNjdGNjZUU1VzB0Um52S3ZNd1FNCnBjRzUxMyt0VzFnQkJTWVM4YWw5 + NFhxR1dZeENndVhkU2lkdmQ5RWpoYlkKLS0tIDYzK1pzL29jTXI4SStKYmRWQjBW + MWt4NmhOdWlOckIzejJTYStnV01nN28K96etySWmQwVux8Xdo8pXFmCgT9qRq4ZJ + X1Bl/iIKZDkeFSZjt+wunABbgG2e086xUFsiUvAXclVKBEnuUf6RDQ== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeGt6Nkd1TWhLc2FpZXM5 - cEhDUWVNU0xSWjZlZFdsb3FmbGQyUVV1MGp3CmNUcG14UXpyLytNRFFVRWw5b09n - ZU0wMDcxZVJENWdlcVpEQU9Mdnlkd1EKLS0tIGxHSTBXWi9EQkNYL3p6NGJvU2Zo - cVRHeVJXTVIvaW85Skh0Ym5vRjllaFkKhuQpyhqyTz2eoQ0Mxt0/CaNHgaksrdbH - 
rBDEw0U0eXX54oQkqNZD/HUosmLO4f2EZKMhBnFaZ8LvaOV6jM9Mpw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0RjhEVkNhc3VUcm9zZXFY + djJ1QXc1UTJTUlltNHJpblU4TU5PQUZXM1d3CkUzWVVucWp5VGd6TmFQQ2oyaTEy + c21leUY1Qy9hMm9KajAyOWRCNERwVkkKLS0tIFlMeEFKRUZTZ1U5OVBvOGNpaUhQ + WWZPbWtyYTU1dFRoSWw5NTFRTG5IbzQKyDv4/mBPR8Ev3cGrHzHw/+nGnw39GkB3 + YGjqlKMpfX1Y8BGlPRxCVRH0c+iQqEBxdqVwOQDC/njKGcMXMT90tA== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyM3hLYnNMVS80R08xbm1s - YklvK05mc255bUNjc1RYbmlOblo4cXcwRTBnCnVabFR4UFpDNSs2UUNoRUpYZ1dJ - d2xZRlhMNGM2M2RzTEwveWh4NmRSVWMKLS0tIFZTeGY4MzFxMWppOFlseFZWcG5D - RkUrdDJTNmNhQkFzWTRKbnM2OElDbW8KXITNQ+SKRxIBHh8vgqq+d0u3oLejr6mP - OxhLohXXPXi7r2KTVTVjCu5fbDyVix/L604LvJE623ALl0pmyQq9XA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcElsLy9WV2NmNVRwTi9G + YWM3MHZEYUdLMmI0NENTV0JXWXlneU9iOFdJCkxUWE14ZkJtUUF1VFNFcTRRU2hj + YmRoUkxJcStEcFQ2eUtPSnEya25xaU0KLS0tIHlweHZlTkovRVEzNkl5ZmppeEI2 + TTVQUGlaZzB6WjhEeFp3eUdzMGJIVWMK5dQgr7YfvilutGW5nieHcsyTQu3pxzVF + gYoCAmKUESrmIubSPOD0RifFBQTFObHJDU5xiDC4a+vampqH/5uOTw== -----END AGE ENCRYPTED FILE----- - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLTHVXQXRGZnl0QUEzQ00r - cGpaS0RpYnVHVjg4cGNTdzBTMXFvTkUya3lnCmlJai8ySUxONXNnWW9BR0tKMDdr - RHVLTUYxY1FMSjFnaFdZSy9nekV1dWsKLS0tIEFuL3FTQ0xNOHJsSHlzR3VFT0FK - RE05ODd5bnFkVzlXVXlBU0FZa01nNzAKzjfkwKN4mC04r+AMNPTIt/lSMUuL/OD0 - MGtqjZFB6vGrcqV/t0EbkZfxCqfmUeTDZgwWM2r6zhihb6Y9vTjHTA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRmpKaWM5dVNDWDJLOUlj - bGZiUzNWMkFkT3IzNUtqZmt6ZW5WSDVyUlUwCkx6aFIxTnNnd1N5ZkZDYldmTndX - 
T0g2Yy9tVVpHQ3FYY2RtVmhjSS83TUEKLS0tIFNTT0JUbVBqNDVvWnAyaVRhcllj - ZjNtSU5iYVpXQXA4QUU1YjBCU2xKaFEK+cANW7VGs7HQTmMDEY2oLG6pSBnBLFXn - /PpoqzxNVovh7ghFRduDcHWuJI+DBtn1axmSXF/K22WO6LG59/hr5A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTzhUM3ZOaEdoT3ZqQ2p2 + VjBvS3RrVG11ZjVnKzVmM0grTlg0b0RKNVNzCjZhb254b3QyUHg5UFppc1o1bGZZ + M29yZDNvRnVKL0JqQWoxUGNKNHJXRncKLS0tIEdYWGQ0SmQwT256dGsxZEhqRGY0 + VThvSXAvMVA3cW9qMW53Q01TdHFtZm8KoiRiL8tDLUJeLocbRIfnGWuUG/0Up5pp + exdFlTaLNUej8UT7UCUPZvvYN89Zq1ea110xr9Nim5zzFBErJfRPKA== -----END AGE ENCRYPTED FILE----- - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QTlyeDBGa1hNek5aWnlr - RzlWN2dDaU9IeXovb1BGTXR1RG1ZUVdwTUVvCkRuVXFnYWpOakZYamZtdDNMRjQ0 - ajU0VmtraEplbDU0ajZyT2psWVBrVlEKLS0tIEhXa2F6RFlsQnc5ejZETVBvOFYz - Wlo1WFlvZFJXZWZBVkh6UUpCRmVESFkKqbuLxX706LssJTNyvg0ghDjyJaVuYfgJ - X1OJbbBvHerqvOmk03biU93oo6PygdAAgkPFI7JnxvQP1U4IH45Esw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNVZ1WGR6NnJtMC80STNH + dFZuRC9jT0lDdGlSWlFIZmJCUEFDanNib25RCm00YVZyakl0RkRBbUM2THNaWEpC + K0JtaUVtM2N5NEdyeEtpTDUyTElaQTQKLS0tIHcyN1Brd2hYYTdIZDNoeDBVMjZH + NS9yV0dlc3lVOXNIS3dVR2pmYnNwVjAKlbBNLNA7Pl7tUg0S9X3BTICkbehkmTP/ + mqVVce7F1Ml0dXi0t8AsxK6HyrR14ZF3QsFr2q9PgQ7qnLv9o4xzUw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-03T15:12:52Z" - mac: ENC[AES256_GCM,data:86AWnB2q5xv/JIyomkJOkZh4r2tj18rmNb02JINokmBv4/eRmej/sQIBeSbCj9cJhtKewECwVk8QKtwTu2sWB/hPjtxb8qnWD7MhNs7qmHOYAeYlAON4w7abcLxt0VFMKa7gd0c28qTHOkaWsLy6gDaIB/5x468FIYqsbfIiL9U=,iv:BDiKNHKTHPazwoM6bVoCf2kb/eNrJS9zy4yj3+PFdlY=,tag:6ZFtZZHvzdWp2EhOV3S7xQ==,type:str] + lastmodified: "2025-12-01T19:57:43Z" + mac: 
ENC[AES256_GCM,data:2CLFlduO1fsxtvF1fbH18kadQuawMwIYEjsJBvZ65tecIdjT5efPD07+czmysKWBh6FQuVPL8a3uVlqT2WUW57AjQZtxloCMAFS9m2S//I6I8GsLVccGnmudiHUdXFnt+gI1gtb6ukZMEps4m/LSqUHGSptVwqrIN2gBM6Yy9Mo=,iv:S/crBYhr2HTzMYn83bK2YYO7kwfDspF0gvkoiuI9J7o=,tag:+sO+jFMFGZSsCb7PGnlUmw==,type:str] pgp: - - created_at: "2025-11-11T17:51:26Z" + - created_at: "2025-12-01T23:06:34Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTARAAzM9wzRQI9IYBz9sXGG1YKIojcuhi3UnZNjOwRQeJbSsw - OMPY/e84m668uFaGUwOPwFkYikBCaPF3OmzNhMDqxHPUbFJN/6UA8ntLuugHrhs9 - brpt52yYvo69znaR8iYXw/S0mL4rfLnHkc8p69RkBCk/4FrA/Jj/KImcFxZ8GDcf - G5dfaEmJCRfZGeyr1D7RVJ0gs3LQT9M8c9Qm/ShRQQqVlEko4rjsOmqOt6eapSuQ - KnlsEtYS5yZOFoBtabmlTiFgdC8vaHQ+oxI98phdRkc0xDpqZetMMVlgonbewur8 - nVZPb+wxULeltkIIleWQx2E0D9RBi5Xu+L+vXj7jJYwUNajqama/N+1wB7DsiBeu - cdPjLyRcXPD5pE2qi24X1nzBiWdjef0tkJiH07MQtXA4r3PLtX8a3cCvVsecoT4D - 0oK8dGumaXSj8NkYB/kP47hOleSYzNGWPR4iMiXYNJHhUw0Otr0GFSfjVo7s7KBi - 6WO6tWE2VLVuolABEKQPF4sadF1fXxcv9artuzUX9MZquOvsOvEgkQnYzGIY9hio - 2X8nyLxORpwPFmPcZ5WeVyaZ04CiM9nTiflFgt5X/rX1Mf3sKa0NkrhO3+k7lx1j - GjWvgiuCkgLYt0fLgyYVEj/N8jHjcCejVEsiwAoP/apvEgFylgI+YwyXOJXXz0qF - AgsDC9FRLmchgYQBD/jvs1GaGr52Qu1TP7IXqg353G3yZDPoPmQhdkiOKLFe5wXD - PaqNUNOQG4qwffuPBSfyw5XHYZN1v0SCwrNpQ24DFnT5XjVTboYl+DN4bWStrSE+ - ZpGUy+PxvSgKY8lbvGi0+RX1NW32Gwz1cuPNQRnwS/jwCFrxgk1aCnK5+USAmNfi - R5+ex+Ij6+EEiMRpvNdN2ViCP2PfFMLYOR4pjvLL7i1XSPLhGxORcCyIKw8RAi+J - I/qP7IubG1XTsS7gm0D4Rf4eYOy9O3Qi/g+GOk8mxCXaym7hQmCcM5H+m4R85Zxy - EIXKGQhs2UB7JD47SJ1iY3FBFzq3jpn0wPq6piy4lJVR/+r9Zd99EcWOEjuoavE/ - 24q+Z3OB864Fks9hVl8herQbV4oGqHTQJr9Y5ScnS+7RuAV6Cy7d0nEaj/H4jBxN - fKpFGAJ3LkwxKfAwxximTq2lgHBtCyMably7XBc3D0Cyb1lyG5mss3tWNXRNkckL - yg9I64lKdEQz2Fp7qs8JDWmbhUl6eyDtGX+4KKW7lsFTbi4kvo/FgtW6m6xaP57k - PPOJlfDHOqZy7GR+hvaHBIgFkhvqIvJjARK5OaDyP19NMtA7qNJOwParSikkTeXl - XgkZGnh3ID3EJ5V9vMIYqrhhjDU5Qb/avytjEoef8GYmPb8bWd0sVODEL59T0l4B - u4ahb81JM4JVo+p1P+W+0gXA8uUgP9pJ7lWjNCV+oL5RWTJRaTzSwa8ywj5HjLdH - 
+M50prEhcMiDupwZXU2prEKrCIWUGpeaHK3DIJmWhbO8Hh8OCXeQ+EFfxB+Z - =s+4A + hQIMAwDh3VI7VctTARAAq+50+eWOM8TOM93JkwnSjUFLjwO17fT5jfBwWxqLRULp + SgO5pCfJSCr2xFgzcuS40+c/ewP8NHwI+S8Mu8lcJ6Olyx279QyZJxdKvVba46Ti + 7Dgb31UzMQKjjOW8/nhf0JFIq6KH5HUQP+LmmQK59VEdoEnz4XYdxq7mGeJQsn26 + E0AG5UvIKjjSrZQXbx8zojIEwE3l1t7Ipw2oTzHCalWf5at41cXyWmfIzomWHElC + XPwO8mjcBY5LQXDeTu2Xv0mBvFzXNBIFaEhrdphFxJIvpfl1FLefK6LKCDLhQtal + HNDBziTORUAnvP9JiIviSr+OUhTHTkDqSMYE6SD3SFsvQ/nArQHRin/FvPPNMVhU + TD0yec1VgXTJDJGe0jq+PiWNTwwnxwSRmKdXutp2DPEuv0amRGVOkeAJNSQPADOk + ZUGBKqjr+trvcKWReCC+gi6jMTP5N7rpjemufQ/p0pOTKmPeapTcWitqtRvAvGQ9 + +Q59sDqTgG5w3oSAnvboDwITFil7Pr39Oiwn01btDDlGXj0+ieer1mHOT3vI+NPE + LSrFqUa/kMMW4+zZHGlwMoNHZbwLWHGX0O0KZFKauht3ypSsjrJbOeBIGgAq57S/ + 1U+oerlPbnCCrUTuP5Mns0Q86mEbOmQQyGMgfigJ0zFkMOlO3306T01keUv35giF + AgwDC9FRLmchgYQBD/4vNejy7yGJSxzL9ouoEDqEaIGx1+pzzAyU+P0GYXV4rwat + P6YL8a0CikYLdkjgUsVDfFV7/Ou2Q1aPBn8AGRG6eaMlaICYK1UX0xiP9196dENl + qxkm3zQWCfxAkgWyUFernSzzWeE1z9FgEfrTOqKaETprFVxxv5tUKVABcXHSPNqD + hYqllb8tL1tS2QrqvxIOcrL7KHAnRPhHimIFeByNN5lN81Z3hLFRQ1Bl3LwDPeF3 + /kEhVjmGqzw2jEkH60Am9I6xZ2nlSimF7Bi4pcu6QCWhN7PMwWEyGxj+Qu8Osr6F + 3ab4M2vkyTZyewUGsn9qO3CcPAHPxyvf+pyV/q87ejuE2e4wR8LYcJnk8BOKsNRJ + m3sJffhhmB+f58HLzy9TwvaQqMno+/KnbV118lJrdzf8iCJrlUNY62MEjBFo3QhQ + 2rc4vJXk9VINiZlHW3y9ZXV+dTus/gHKjN137dxq/RPU9tf/1Y3Ow407fDu39DT3 + YrAAXj3jfEK1aoTtHpLZAp563Q99NYyBQLt3C32X9YZb4VuYCXvGsi3kqjdQl/zg + ZxUVlB3Wzm1jhL2KPOu1SuPAT9HLwu1QdDw+kw050DNBWgeLJx9i8/U8LC05vF6z + VWyozdZIdIfAKnMrFOU/8pJ/lNYb6pXbIYwbpSIDslV3Cj60KWx7X6JgVUf6d9Je + AQZ83SkdK0sBXS3sfjwCewyY+ta7i8zWYcG8KDbW2s7hxRb05u2nYKhJZZJ5xLcK + eRhg3W/bMUWk1bYZ+Whz77uSIC3n/mgzIlsaRjMokiX9i0a1jXVyH4LEluPO5Q== + =MgE6 -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/keys/ssh/builder.pub b/secrets/keys/ssh/builder.pub new file mode 100644 index 0000000..a13b0ed --- /dev/null +++ b/secrets/keys/ssh/builder.pub 
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0y5NPuZhHPvXUJANrg8JQTSq2x4dP5YNIsN75PCS/h dgx diff --git a/secrets/keys/ssh/jump.pub b/secrets/keys/ssh/jump.pub new file mode 100644 index 0000000..45355ef --- /dev/null +++ b/secrets/keys/ssh/jump.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICFHUnLmDa9lK5fTTPERGp+xsGAgSNrRE7/l+F/C4vyz jump diff --git a/secrets/liliputsteps/secrets.yaml b/secrets/liliputsteps/secrets.yaml new file mode 100644 index 0000000..fb6586c --- /dev/null +++ b/secrets/liliputsteps/secrets.yaml 
@@ -0,0 +1,48 @@ +jump-key: ENC[AES256_GCM,data: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,iv:fPbPAptt3Gsgi7v1xCCHRClSJOXokBsvyCuLz/BoGP4=,tag:NhzeHRxwhQNI9HUFwLYMYg==,type:str] +sops: + age: + - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM2J4a0pNZFRXQ0VjOFFQ + YVJIL3hFVlg0SlNFaXRvbkxMV3RhZm00Umg4CkszSnZLTXBXWUJHQTlmRllQRjhi + OENYMWRaVitPOFAvYXpJMFFYRnVYZ3MKLS0tIHk1UXhOL3FuZjZWNUxzNFdBT2E1 + R3MrQ2IvVWxGOCtkSDBPZWF1dWdHSk0Kz+zJhpJNmHHj6npV6tQ+n4F01A93haSm + nyT+MAs+VxRlRNNbAih8En2uxRlzSHjFekrLLaGbVYTrRtMfLiKyvg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-01T16:49:44Z" + mac: ENC[AES256_GCM,data:RIz594CVnEbUw3Zugj+WO82o6yqOD4JwSFzkqFOfd0M+LOFM68tT/14D7vxPitXEPqLvJC6MHG5vQ61PgU4fG9JoIEqxjvq4AAYmSdCwmB64MCeUIr+V4/fcYrRxuRyiXC79z+rJneO7SkGCX95pfVhGjaLftzSjfiNPPsC5pps=,iv:D345cMUSPCGzrL9uWuDwAkAqz2mTvVTL3QVqHesldGk=,tag:HkBF29S1c9g68aKKSYSWhA==,type:str] + pgp: + - created_at: "2025-12-01T15:59:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/6AsofKCzZ3PjJRHeHSt4XfdIVCCvWScjT1JuvOnq2fXIO + ZcgXPtVoDvd5vSv/fZed+1WJNRpiuNBdmD8cj7N+XqJotgCsQt3HwROCD1UC70Ww + cyHxh3MyukexrO/uIMbQ6ugtIHPVaeC7XyAOugJfHFWZG49aW9LYDkPRGluc0/zh + 7X/p+hZFLpljfL/qdZAakBDw2V0+yt1+5JW5V57jIXRX62BRSFoHqLrasHjvDgyX + h3ktgaIeDL+WssV7jra0oetGsXOL8+GPpo5PVgWONrOl4FBBS1qmNRAbLkJ77KVN + bBDV6Oy1DLqYvv/3UcqWy5XW9VxepEVsAaR+gtLzemMQo9e+qBmhE6tNR6Gvi0y4 + WmVqUZL/gF38sCHoYDT7oWq1cMJ7/zT9Xz5AXgXXSbtBKaxZAFs6QwZfw1rW7dj6 + Is1lXDNCtprsvc3Kxf/R4hHWT5nVFJN4xpKT+epLnumMA1YvkhWx0uziiky4ZH+6 + u+RkK9YZYpGdIYPg7ZK+xLmGLU0YwdIbgiyyH5Jo9JJcqgS405ftAe0iyQjHpiU4 + 0b9JvGMWPzJxWvi8rzwYcI/cfd2n7ZPchTT7KTgva9xeFbn4g1ZOlEKOWg/ZoBr4 + WhpI1SPS9kW0huGXS1k7Dsu0GzRBmv37AEm2mVtYPYwsK0PYLKfd4XGFQnrL0euF + AgwDC9FRLmchgYQBD/4jbW4xGw3JC4OLE7o+GqOoAFz5c034IHiEdgStYNx1RrFm + m4lstvzqUNL0DFyYdMi74iBtqnnFc+KymCTxiAlKiJThosMbV2sffc7e6CI/z9/Q + 
dsssJwPhv5h8XTbDSeGDk6gEr2kyKV1+9UZky9UYASHii4uzonofnV0RO+PdgTPk + mp36YufsnW2yVuKpsbCdMddEXqyaSYuhsU/bMAG2orlWFqqp7kyaARNrdI9hBnYQ + ITZTM4pPKQ334qhqUd/JYIR4luBbmBxJgTWSe5VqWqshK7u1aHr2mfXUip43+5hA + mxNEp0bmR0SnczKcxiZjZK2ZN+fBTqBnPQAxzCgsBjWrCd4a3CzIDOR/Uf3rEx2W + ccDJWRFI+cSpjLps1BphJvgkFjd31XcplLR41R78h28Mec1bE6xHMi21XUbGrITy + IuOmWAv4EDwRQtnfq+9qJ2DbmA3Ldo5pNPhldH7njET0TZVvB0ugq7EIvKxiNmX1 + kHcq0nV1udSRPr/ta/eHInBD0VbVwNhk/z13xzPGKQVkhpcgy1dJj9FeJnUXqzWt + 7xvHCqeGXVo46YeXYXglxUvEzBtdTGdEC2NTntEGhX6dEC1gl/g1VYcPfJJlk+S4 + RENvBpCa1Ji51ix8L6u18jT2epfbxcZcSFS/0Nv8a0IUktvOeLe6y6jdYJHYPtJc + AQk4Y0lgOBoqiaNtybNCd8c/rO/yQ8m+xIxmiyyghjmPGWzEX8fHrR9fE9TVY0s3 + 8iBJVVDZEwtiLiELlbce0zkdCIH4UiyyEovhP/EEwxF8BrnAXo0NnVzcDGI= + =2NIK + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/milkywell/secrets.yaml b/secrets/milkywell/secrets.yaml deleted file mode 100644 index 1177071..0000000 --- a/secrets/milkywell/secrets.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -#ENC[AES256_GCM,data:VljHjyZqPvnVxhuoEMhGrWA=,iv:nCHj+sdhAOJx37fGFkRzfrK+PsEP+tRELBhnP3bfoIU=,tag:fH5QNt5TeM3K4nXkeIC4wA==,type:comment] -anki-pw: ENC[AES256_GCM,data:TR3roG7I1213Lj8=,iv:bK3WIC8Q4Cm6cccXPFx4K25GRRUq7Le6bEAVdEZdNPA=,tag:LLC/agUxZT0MIKxk+TSevw==,type:str] -#ENC[AES256_GCM,data:EUHyFduvRqc=,iv:RHW3wsx8P1V4hkwnrl456qMgi9uz/1qoSOg5AvqwmhM=,tag:p26hGYMn5fbuNJ7Qr98E0Q==,type:comment] -kanidm-forgejo-client: ENC[AES256_GCM,data:LuOFq+bj9TIbaN6Arz/etcjEO0WnjswJNw==,iv:eqACcjjr7usTl7Dv8HTqH53cHDa0+HV5IYN8Rh5aChg=,tag:upBfWOUOEoZRPgUtlMZE4Q==,type:str] -sops: - age: - - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNN3FrdkRTeUVOR2JsRWNT - QTV4bUw1TXN0SVRnNUREQ3VxNzdHN0duS0hRCm1FTGh0a1UxSDlLYnNxRndWNHpP - Um51WDlEZm9SMklXWDhjRFBRRHRkaE0KLS0tIDlkK0xhWXAvcTZjcmt2TUJyVGJ6 - cUUxYkVGN0hVZ3UrNHdmSXBQbVpkNTQK7yfeX133PekxsK/2BXxsx0pxmWBcZkZY - UO4ZHCcZQQKMg22BY/3pPz/Ui+uUfZ7AIdLjQb6WQvUbmgz5Lb0M9w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-09T13:41:17Z" - mac: ENC[AES256_GCM,data:9SntfZTrKnCMwrQAncIcGO9qPXM4PT+ZWnmk0F6S0Lb2xx5O35/i39P9vYN/QMPMzKc5KmmLCzhictWvBE8mr4+17pfJBH0KgiAqaOm9Vgy8Zg79/xH4fCia8bwYDfKe5uNwvRwknM3u5/eXLNcr6MnkDspDYTusXhw/qTQav54=,iv:P+fHF35oMNP24vadFA/rAYDm6n0ieAMB43ovP+7vJCo=,tag:4gJqIhqRg+3P84aUgRIPbA==,type:str] - pgp: - - created_at: "2024-12-17T11:38:27Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTAQ/6AvUzw5v7J7zEN+rBs6A0CkOD4U9TG2akgch7eKkdKSB8 - FfVOheGz/R4IvrCx328yonhx1c6oNdaKE/zlQ4TZhzAiuKcPmAjYogi03OeIsPoH - X58lN44KrIIp47UGD0gPSfLDVjCy0M6UoNhXiYaDcvCngoQQT7o8KKPkqNCMK3Qd - yomU6Te4uO9A635z6N/dUeO6vmHK2Xt3ek/AaVdGbhjPzcLRq2t6vfsTT+fP1gLZ - V182+fPQ7aftyH0zuNCXOxrd2VbvCY8cmq/Sqztr7V/k2Wr1V2G2RTwlYo/VIEgL - 35Vpz0YXa/aUk27Ifvy40zscK31YH/N3UssgsCBzUHGl4JsbVntDtUrZmU/3Gi5r - yvz4icX4fXi/k3UyKxRcakfz+L5Lh0x/lI7+rCG/1AuxGawKxGBuBZzA4gsRNV8o - 
va1JzdxMvMDUkCx/kKCcH7Cn4vuDzmvhoLiATqWyMjjNSiBwaDL0Elc3Zydt9Y7B - 4ZKfeYW3wPxXqsqoxfKt9X2g6UYZZXSWoXmgcXhV66uUr66aPp2qqL9p47Mlm1tp - TpxuGYbtPnTCp5XT+AUHzUv4oFzTt0f6cpr82og0mOjOsy6huKZzpEC4O+QV5tX9 - aKbmSplCrcuUrELxqy1xec45N1lIHS0r5+BkIMirIrUwMDEgmkP8lBkVjyTr6ViF - AgwDC9FRLmchgYQBD/9ISXYyr89r9L1LchFKKSbffMn752vbUULJXa5/wY9yl3ad - jh9yLY//4Z317zMs1JjmVubjiwufYZvDEnHmZYdsREXzrpDTjGzdq7bg0pUp85rV - VXzX/1ZpQmYeCu6/DRSSHjGxbxWa5he77WtyKKhDK/uasHe6GFoSJTdi/I+/ps3K - mC0Famrj3QlC1G1RbyTMNUzUJO3+ggVdaDJhUIQUhQ4mYk/7p9VvmYbXUc49zyBY - tmkl5ULEfvwuYaDZumlfCtJwDuFBPVmZvB9c6pT1x+HD/t/+2hwpozQS88Kzvuwx - 6MblAjZiYiA0n4tteKjELjrQbmCrz0K+/euJi5DeIspAkjzJKac8/R6poVcDPuUk - OlpSe2mSJDyXjpK+zS46412eIyG7FtmtXscCFaru5PKU+7PCFWkXY0gErEZEyi9Q - LyrKhgsKAagaNhh87Ar9Sm/NKjhkRvgqk5lHkDp13hl7y7PX9qc5/tJukK0DIJEG - 08KGLjM6+vudjRJA0JljBNeCnlDljwcOLKNbxqVzeNQFLH7PVjOzC2O4QLJTxlE3 - 1QmPnVBewqfz4V5oQs6su52n81QTU+ywFJfhMjCr91+pqpZrh8j2fo7oMhHmR9QN - VYCVE61prZzV5B6rylXvk1aqyy9a1WMahBImqtsJS4xP6avNqXN41fog0B7FA9Jc - AexORDzza/Hp0SeiV4UQZlBpJ34HrONUiSUry9m2UZ4vbFAxBSXZdt6CVpBGHvCR - Dl4GxekAxaiaj2hvNNXJaVMupsMYpOCzyuUBayv0BFouCuaIFkoqOK9tAy0= - =pG8D - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/secrets/moonside/secrets.yaml b/secrets/moonside/secrets.yaml index 493716d..08480fc 100644 --- a/secrets/moonside/secrets.yaml +++ b/secrets/moonside/secrets.yaml 
@@ -1,5 +1,6 @@ #ENC[AES256_GCM,data:HCHFN2Q=,iv:Z3tD7Hn5eudPR9DuX6etamkpNnYB/NRYGppWdyuUDuM=,tag:tbuWEFDmh4HAyksOZOihLw==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:lW/XJCHwApvIofSZHL5h7AUPISjARfmDnpSnprDBHQYzj0u5ZlZS5A==,iv:/y3gjgC9AEU3r+l8Uq6P7DAU2C8i+qTQ9DP4t0g8ZhE=,tag:v24WRudw8NB84b3XBFupHQ==,type:str] +#ENC[AES256_GCM,data:cEw0zCAIF5242UDWZeHCxNHVWQ18mnmaRyjd62orx2P+uq9fiaoDP39ez1Y+wGh1d+FyyYUlh2l4,iv:TfK44vaoHmvShckrn7ztRvWnEUftaMVNNf8O+c70sS0=,tag:/fDK7VrkBLrcWfbBe/A4wA==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:qajr+/1OpVno7yyt1z7cXuSFqjZ4aUW41RP6ww1ZxJ0FhZQxhF8OTA==,iv:8QxdzLc7T803XB0E7ZeVmSLnkUQICZP0Jk1zpoWjdqA=,tag:xERubWmq/vxwFk5V59o69w==,type:str] #ENC[AES256_GCM,data:XdLlonkGBN0b,iv:wimLW/7+a4MJCVg4zazY0ogakxXjdyPNZmZt0CzpXao=,tag:rg7FEi1qaYMkCXX+dwjFLA==,type:comment] wireguard-private-key: ENC[AES256_GCM,data:aBQSwDyASfVPhU+5/yT9P99DCEfgt4SvhVq/aLe+AUcXwSqMiI2DkM5THO4=,iv:iAW/OUihMXHoQpX8pX+f/mz2nclj+n/ygwYxx7PVxnQ=,tag:zhlxjoIkfa237RoFNblszw==,type:str] wireguard-home-preshared-key: ENC[AES256_GCM,data:yr4vO9Bn+3PJheJHbeNRHu0ozCkgxCGuKBJnb/3zzHVQAsI7GonXXQxFjBM=,iv:1r9QgfdLkXCtrRS+/2+f251FjHiAm9nf/Zfzu+CYuws=,tag:kWiXCTfj4Rrzhx+SpSp/dg==,type:str] 
@@ -14,6 +15,10 @@ microbin-admin-password: ENC[AES256_GCM,data:+UyWJAsQ4Jd5iJgdepJ/m9OvkEewLKQz+A= microbin-uploader-password: ENC[AES256_GCM,data:20QOWTMLS7iTS/Q=,iv:EuUYcY1l4ykKjWvCA0bpXPU0033jlQ8qjYyqSuLAQl0=,tag:Ka5gWBajMdeZS25AajToiA==,type:str] #ENC[AES256_GCM,data:ZnMVMv6M,iv:z53BHIVvMUfYseftc6DTU9Mlb9ywEvNHv24TvIZiMFI=,tag:QdeWjrw0pmJsXYobADzA1A==,type:comment] shlink-api: ENC[AES256_GCM,data:XdfDJMjyhJyeqVB4RKgCdkWT2nYC/Pw21D8H/JzkGLuwGx8Q,iv:zucJGNLX8018gD34NL/BwTe0fPFucqpBtMCYXd3IGHs=,tag:/sN/ayEhUaCPmu6fS+mMHQ==,type:str] +#ENC[AES256_GCM,data:R5mm4WAJww==,iv:6Uyb7Qtl6vt7nur/NLBlrVtKoPkF3ZjXdAhT24HW/ug=,tag:6X9b1zZbpHoEZmaYb9NQSw==,type:comment] +resticpw: ENC[AES256_GCM,data:PcrDphqR5Pin2hM=,iv:lnMlqwyCvbH75qbL2eJYblmuFOaVMmbPHjZ5l0n2Glw=,tag:YUxadLufJ2VPghLded851A==,type:str] +resticaccesskey: ENC[AES256_GCM,data:DOp2cFy1Y5HyXcsQ5O3nsrEOQBtlQQ3P8Q==,iv:0X6HF9kbPNDmhtENHgFeOSHln6xlCf5DNJfqavucDWI=,tag:+THGH00yBT9RhvJtENco2Q==,type:str] +resticsecretaccesskey: ENC[AES256_GCM,data:qpPTWx16Z92cup6ACh2KQPeIk8KPasQB4e/SwxUxfA==,iv:EqWTKXXA7wyArlF+D33tKF37tz8/ORsjsWjRPYBWPqg=,tag:F21+4cL/cozDIene7UQcyA==,type:str] sops: age: - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh 
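Review bot: The added `resticpw` entry has a very short `data` field, and sops encrypts each value with AES-GCM without padding, so the ciphertext is as long as the plaintext and anyone who can read this file learns how short the restic repository password is. That password is what protects the backup contents if the bucket or the credentials in `resticaccesskey`/`resticsecretaccesskey` are ever exposed, so a long randomly generated passphrase would be the safer choice. restic supports the swap without re-creating the repository: add the new password with `restic key add`, then drop the old one with `restic key remove`.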
@@ -25,8 +30,8 @@ sops: bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-12T09:24:55Z" - mac: ENC[AES256_GCM,data:qeBiuiK/On/NeMpjiCKeIvbQCRH0JcPFldJaTD+nHLtwNU+qpHX4y+dL/jTQrdSWxHV9+E3KmxnakEP91qZnycrSXhwSIIavNtXUP1veuv/JmHOxW6UxpJBJVDeMNe9k2AFQ3gwYEnXrisjvLDkYyqa+E+GsE7b82i3iyerpskY=,iv:jbw0OIJM3vr9SXkdAObc6JS6v4r11s6MPkg33x1sCvU=,tag:/BAMuCJgh78UgOXkTVkN7Q==,type:str] + lastmodified: "2025-11-28T17:44:47Z" + mac: ENC[AES256_GCM,data:h3skmRhVfBa/W6GB35O3sHdDLmo/4VQ3rgFbltdweDP+9qbQv+6tduRGknGiQjnyuaGGVyPlEOqfLKzYjP8Jsx+XnprblNfD75yiGckBFQaBKhd8l+hfcYVRNTrKCWkFUrYXIfCWgbrXNmq47SHn0+TBedXRw+9LoSyqsRdIJOk=,iv:Js2C7XfOD4d5fF+Otn7xJxBw0Nfh1cB7oLjyCrUA9es=,tag:4flxdWSlXyslNErlEFM2VA==,type:str] pgp: - created_at: "2025-06-13T21:18:31Z" enc: |- @@ -60,4 +65,4 @@ sops: -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/secrets/repo/globals.nix.enc b/secrets/repo/globals.nix.enc index d6641b4..b9e9770 100644 --- a/secrets/repo/globals.nix.enc +++ b/secrets/repo/globals.nix.enc 
@@ -1,38 +1,50 @@ { - "data": "ENC[AES256_GCM,data:1nK/JO8sa+N6EXpyIHBnRapOXYbtM38jnNCf/j0wIOG+0uJvQEFc1e9gIFvuvmPUpUjh6XMuEKNxvLTjFlaLiypOX3yJVTn2fiyOWSm244wcye0GRPe+RWIi+1kEPrFDBEG2JFB+9iGSx0Vf2NfBPgaVFnr4Z2TTGH/kvxiTV6KYucWQNHh+jvVKZ6vAsCP2pFWp2yhpov9l5Tj6MwyK7E46Gn7DmCAtlZcA64Nht+99Zrrfuq8byan6w8RMFR830GJvdMAAD/Vsz/6aGQfHhpJwl4L8/4WwvhQq/DuU1umI1Q7r7FosXbos6g8wTWuM3ccD7V//tFDeVkaMKJzkLkQt0JbyzansijadTYjo0I1w15iH2nySBSIrsOJauBcw3XaP6NfAC3fN1lh/fDaj5HWud5v2ginWRfJNYalfMvTkXm2E5m8SXjanGJL1bHBle4TwEDNPT8+LFIJm8gf57rQRcRlh,iv:W3xvnTblM4Aa0dzDKiWqHM6B5zmu5ddk3D4tYAVNBiY=,tag:KelbYP9xbTmDaWiPrkS+Mw==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:Xbgn+Nv6py85+Sl72aYxyDgfPEGsWK4+YqiYTQ/5pw8=,tag:CInhg7J3Au9HcgIWkisiOg==,type:str]", "sops": { "age": [ { "recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudFBlTlVWMUk4QzByRlN2\nTUcrS0VhV2xEUTc2ZkJjY3dZaTg1ZTBmNVNvCnNhY2FpQkJkQ1VZRDhTN1dUaE5M\nSTJ4WUt0SDA2Y2FSK1JENU5kVkcwNlEKLS0tIFRvV3haejQxNUJUSGd6bkJMa3hM\nVFJQUWNhaGlVenRLSDhHd0VJSDcwKzAKt+JZAK2QVUdB4Nh/xqKS1acqQy7iNMka\n/YrjK6J9CSTGUAjfMZTPXXwstVYaZCZYUnZ0xeIlRZPQw741hx4kWQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNjR2L09PalRkUTREY2lW\nSWFmL2lTRWtMOXA4Qk9kbzNicTJZV0JEM1FRClpjQmlZRGhHUDR0YlZlUW1uaUJm\nSElmZXJ5RnczVm5uZnpyejVMQkhDNlUKLS0tIFdhZzB6TGh4UkZUUktmY3ZRUXM2\nSURjZG9kVXZ0a1dCZWczV3VGTXVva3cKTGhXQjLhn3hpY72nfeu0pVCz+qzJi1gJ\n6AcGZQDKavoJaP+qadTVe8pa0Vu1NX3ILJBKigPF6OTVJY8/BaiX1Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWE8ydmNXRlBEM2lidU5k\nb01jQ0Q5TjlRZXI1YjlTTDF2N0VNZ2pJOTJFCjV5bmZuWE82UGtWSGJFWkVCbmVD\nRlJLczhwN21XSGhaaWFpVlNyWUNZem8KLS0tIGphZ0RFVUdXdUVTbDFibjR1TFp5\nQ3hvZjhaWFI2TnVzTWJ6dCt4K05lTzAK5pJgUGGCwzPO6yWyqiQuCEwYc3PrFXV9\n/fhVaRhdLJXc6/hBvWsK5vzQNe4o64AfUjS+iHyXi5m0dGINzWCDSw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnUFV1Q2pQUEJvOUtQWFZL\nNlowSmg3MGQwUTJxMFhXcFZ0aElLMEM5NWpNCk5lZkNUQzNzNnVVZCtkMzdIdStV\ndmJ1dDBwck9lVUc5MmhKekxWV3h1UGcKLS0tIC9yOHBUbzY4R1c1aXZ4N0JVZkpF\nZ0gvMnhxSXl0LytxVUVxVGV1eElIYlkKPa58QsZc7y15LJlOamtTNrWPH+EkblLX\nEI7IkmOWK/lhG9KEwG4h1+8gDS+5bHPuvqz/7+sROo/A8Ry0Tj9oWg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIODlXSjhFbmo4ZWZUWkdj\ncEVHT3N5Vjg1NnJVNzFOWEkybzVxTEtWbWhZCjRHUlo2L0U4YjZFS2tMMVM0NjJQ\nQWtLV21MWTZRWkFWVGdUNUEzK0g1TnMKLS0tIDFxaTNtQ00zbXJNQUdqVUc4QUJ5\ndWVvTGpMNVkxZmVjK2xKN3F0dE1mZTQKuw+pFE5tYe6vcTL4FrgvJs7RKKGJBNZO\nDUjlUxMB/WBR52BNuDL7kviFeLaF2HLeF4s+GkvqYugHnTBiZ5fzww==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RUM0TVJFam5lTERkSzRZ\nVmF1SmJYU3VlN0psUXlYKzVkV0VNS21UWFNzCjU2b2p3cEZod21rYVNxWDQvS0lB\neHhDTTIySzZ3TnNYTkVQU1g4ejUzOEkKLS0tIDNxaWpMV2RJQzl5T1gyOW1aT0xH\nMFU0S1FyOFZnczhETTBvZkNmQUtvcEEKO32cV09CY6x9ievHyaKNLFR2Jt1y8Pbg\nCXnpvFmXMXROoxRaDN2N4+0SRyjhzuAabyAKszOksW+iJ7fwAmuR/Q==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WkJ1Q3Rlcjc0QTRmallo\nRlRlclFmcXArUW04R3JEY2FWYlBBTWxscGxjCnpOcTJqN3FzR05NcTh2SytFbU1l\nbEJHZXZPdHVuODcyVjZLU1k2WEJxaHcKLS0tIEtNRnBzK29mZlZXeGdpYTRXWW1S\nZVVuQk9rQXBOZk5QQ01ucDAyelh3eEUKKmljNvAc5Af+B6x4hVlNjZZiznPu+U2/\n4cA9twbGvxJab6cU/aXLtB1yOmQMbm5sroBZ8+sqThGo1n1eBRHQDg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRFZFcWhDYkpENkhmVzhr\naGVueEFRdUxHZ2l3K24zL1pWR1VtSzUxWWx3CkVReU5FSnI2TDkwV05KaVl6cERY\ndzR2Yk8way9aNlhIZEEwNmUyOTdYYncKLS0tIFNqVHpNczhZREkweCtYWmpPcjdK\nRWdRQ1ZGa256cTJrdEloRmpGTXFDMGsKF9A40XY/cRGd4ZQXnxnlHVxAWks77j+z\nt18W7/lECC0Dt/jLMfEup9dnPyXS60C4Mz35kRNFCPXgvlIiozzyYw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMWtLZkZHRHBGK0JnQThs\nN1g2K2lQYWFmdTIyOEE4cmg4R3FnWWdldEQ0CndFbFBZOGRhWlh5QU9DWlc3MkVk\ncktUdDZjWXQ4anE1S3RsMnN4UnJOc3MKLS0tIFZlSU02eHByMzNScCs5QWdHYnlU\nWDdJcHBzQ0l2MjMxdFU4Q1c1S2pVdHcKvAzlHn0XQ3Oi5SqckELFtEWl3kOulf/U\nZ4ux4+FGfkjYbq7jiyyHL8RfLVuBRDS4MGcGYEsI0YQvmcgxBFLP2Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYdGswSkh5bmZHait6Uisw\nTzRqZDUvOThVWjhHeWFUUGJzUUpWbWU4UkFJCk1pNjZjMUV6UWtHbUc2anpRcmZZ\nYTlOOTJFS2YyS1daRzJMUFZacHJiWjAKLS0tIEcveS9RckRLQ1N4dlRiaGliYW9E\ncmhXeVVnQ3RYSmJKcUs4NTVQLzMvN3cKPxFN6MiGXyXVX0ePLTioLGTxCyEUY+X2\nHJeiFKuFkDIpfdSxrPgwrWY6r8bVeLqMsepdruqUE4o0UGHVEOn7VA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiMkh6ZG11ZVIzKzdocnNw\nODVzSmFlaEt3bEo5QWZCUVErRUQ5WklpUjBVCnNzZkdoSHdJNEJtYlpEV1VHNWF3\nQjAvVE9ZOWU0U01QdmdDMzU5NHA2ZWcKLS0tIHJZeGpsMVJhRFZCVnk4T0JqVExm\ndDYxU3RMNTVvUVhEdVJ1VHVybkhJaDgKOcg5MoybrReGg5Y+kVusweFcEKzc1xd9\ndhZC22Klz/va5RRS5IVnoaIj9JaDuN6p//mZGKtYhUQfr5SaiWnfHQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S2FWYzNseEkxUndRa2F6\ncW5kYzhvengrZ1pycnphQ2FFR1dYUXh4VlZFCjBPS3FhbXBvanZRNWwyYWZCSmRl\nTEs4V0NaajBkQzRxV2lJalBIVnI2bmMKLS0tIElpV0ZOU0RWWkswZ0Y4UUFiMlN6\neFRGdDIzNHA2b0lGSFFzaFZBcXNsWUkKvpYIHTeGlQ+Bqz/EcjlQ7R6I3yuwNc9l\njQQ99P3tq7bFgj4UIUDdRWaZG7PDGesEJZ6fjJEieA5o5IO3Kq0GAg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bVBGL0l0bzFiREVscjcx\nRElzN243eDRwV0g5NGMwRzdlTmk5Umd5Unl3CnBDTlV4b3Z4K0hUbFRiMmpObE4r\nSEZPampwNUxxRGMzbFBwQldWVEFIY1UKLS0tIGtzZE1NSFFWdlFHQTg3RXNwSEdM\nTnZ2R3ppbEVBeCtvaGlNWTVWZXQ0Q2MKoOLKAxiCiTrQ1gATwuqh2aphq3zWskp/\nWeQ8oqOwc4mL5nzKIJp3VzTQ+CdL2BYfDsxhsqgilSruht0tFm+Opw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibGlMSU4vUEF5UlNVZzlr\nMTMyOFY2Zi8rZFdZT1JrelZEUUZkZHFvOFdzCjVPbVovaU9nZklJQWNZeDJZNm0r\nMXBIK2hsZEY0NElxTVVMWmN6WU1Ld28KLS0tIENaallkK05SMllia3prV25hZDR2\nZDBNU0dYYnJESG1JZGpvSGp1WW9UMVEKJgfdLp7BRXvyAekecNJiaBXmxSj1qNxx\nZeHceqEkfWV/PzX+RP4LHjXTQCLEOJijbKxDmxSsYq49hC9xjZASuw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHblFPenlYNDA2WnlVdFBm\nait3bEpqR2ZUUjlOM0tMT1Q4UEpFSXpNUGxFCmtvQjVyc3RUT2pMKzdBbHNwaFUz\nelFFRVZFVzdSekY3c2M3RmJvcDR1N28KLS0tIFZBazRsTW41N0tHdXJWZnpwUUJB\nNk1iMkxZOFFDY2JtVnM4WU5KUVVEVmsKHb8PCo8cTyipymup/F8Oue5DiP+uPznd\nXbD74jiB732WPPNOrXh+wU74Uj7EpYoazvTcs4tHu30cCpbCz6cqCw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-09T22:41:57Z", - "mac": "ENC[AES256_GCM,data:iHmgHvT3yn5ayimvO+miRA3dA/0o4juBvBzWIXwtZyt5gSI4oJizMbRaX5coVJgeDdPsYaiQFqSnEPrPmrMIR16jdmscQLvz7X1gtdanMP++5q13jWOkiUHPC2nZy47M+36bzC2P/BHqKE782ERTGnD70VZO4a1lOa7pB32NutY=,iv:oOn9x/xf5g82GXdZ9fDxgEiUScXXfzSdEZccqFQLF4w=,tag:iEhx2Hm0yP6G/1w6cIgHIg==,type:str]", + "lastmodified": "2025-12-01T12:37:59Z", + "mac": "ENC[AES256_GCM,data:F9Ma+RYXq2sAYc+uPn2u/A6hxbhybc0wDDVVspFJNIYBu1aUi34xKjxPaPQ+H5hWJEa4V3FtUugCJnMSv63gbA9sKPdxHI/AXIUAK3f7b4aPXEs4RTAQaxuvlAz98wi8cU59BDmdzRpYxfN0+FsIeIxjT7lcDS1JIcFo3M2o6+U=,iv:qWMGQYH+DERoSiMTJ5i/eviFD0diTujCjHGK+c+U0y4=,tag:hvrPpfhzdD/g/JXLwKRrtg==,type:str]", "pgp": [ { - "created_at": "2025-07-02T12:10:18Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//YG1H7a2MZEWjFupRqe1jgxJMsDXq0zWdK8Wy9mHCLmEk\njFJL8xjuJGYx1tKlQKq5tLPob1NmnIr9KXwtarFrIdWY34BwqmkYSO8Vmcp7iq5U\nL0xTRX4ZWTyOpTMwsIhIrEGWd1be4HlS/QedJxOn7/D5Y+XBHf+0t+4ScE+4n4ek\nlRhSxR9OlFrmmxAjD/PHsrekgi7wX02lHhy+yKmDQ4YYL3ve6AONY3dltOFr1wk3\nQ3ffjIGegkXTiafNbAvo6joekDDIGm44lRCoaxuS/0ZbDC0IZN9EUpw7KmJvRpaW\nkYWKLLZn07CpsG5cNvZvcSMTyVi+La7WJ4Nf8x+6XzRboVcVfQ/ZnCFqUKJTIGcS\ni+UBMgNxX7PCVmbQ2pIKzn5eSk0OTwgUv4LOJzivFDc60Mk/iq2c8ptOOuzBxhR2\n/M1fs4D8QfseU3b+/2e1ysVZGpba/QxYkdgeAa3FtZz8YpgFlSHdenuljrJke28I\nqkwWEdR80jBXwZ785Ur7Uqw3Pjv0xW9hwa0s3yJ1HyL4Was0ONp2aJIW1NSRbbFv\njTVJVQOJVz+bxMla9t9cB6JmV/JxSe4Q7dkiHFxdmxug2qL9aqpXFRy0M+R6HClp\n8FjvClOhyRAOFYwjm4Ry/jY1mM33hh+KiJ9fYxAZ6ZQBonl3BdOq6/LbAwKDdC6F\nAgwDC9FRLmchgYQBD/9YHAFQvEDfzbTbJrQT4BjqRyKjgA27tA3D8MwS9Gvub91V\nJfaYbn0bc9oJBqkTEmiKw2zOTTbEC0zw18aB3rHrAc0EjYZCP9XMYQvctJo1XAKo\nZFJcCCmdKzLX6XO7rLOyjEp4J5QfdgR2NAt4NXbBH9SjqNJ29bQhR14JyYUtd+Wo\nHcypltxgX4Hd69ZHBrhY/1YVfhLOoO/vhiyCLZPFrV5HYGo7Dzrtw1aZg+RYAH5R\nixZ+ADpdVj1Tc0EwBEIzjsmJ28g8liYOeRI8g4X8/RmgJRtPerBRMxXqXxHHU0Bq\ngZpm4Aafy2NGLWPQjjjbWO3emQSkQWPtldyiYf2pSdixm8gahMK4/As3Ziu1MvIw\nMlu6TsOca2762DJfw3eWJ7DeVAVH0gDOeibPMlRVOIlqRbKOg58ZDsVMwyQaiTxC\nWa/2Do6jOIEfWGhM8MbzVuhqEvkxlUHDJjP2v50SPCBVhdI3p+im5mr9cgalwlp/\nanSR7KMC1diRz2cpePb3bHgtJGoSHRoId85Xo/mhgPQS3wJGujEUafQQRR089YF7\nLHWgahHAYX1RP0tYA9sJQxBZkc4ryCMk3R6k6HdiZsoGB5D5rJa4ufdACrgsCuML\noF/hCCulldltYNN9ZekgB1Xii5SEYku0NP4NZnA6dsoXDE7hlcy95bm09iA7StJe\nASuM1tJbFJI7eRKdg2OafM5+aVGRsJqHmYue9sD+LY7LoOK0nR6tPrL97AybKqq1\nsHwXmxhaJglwBpConTHTIIKQw0ZGUuzowFHjrTs69lLkdIOq3BP8/3cBYJAeLw==\n=P5FL\n-----END PGP MESSAGE-----", + "created_at": "2025-11-23T20:29:01Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//QwNJ7lhnXTXntHGRFgxzpIRgDBFe/cIjztt3FfA5tavw\nWt9+Zm3et3imgGE2n/7CrgWFobhsFLP5oEXavzea6IjyH3T+RWeW9nxCzFZrP6fQ\nOS3oEhQ/SBTUFP5xDJHz/b2oNrEMQjDXlZYoMtMQihmn6qx3fiFK+dTaCKvnH3zC\nrKH03Y1iWiK5JsKs8nn97m3x9XfT/TQSlbDe1ktlGIzh0p8zvIEJcGgbz35BkBYL\nN/RK/l+xHWnt2jLLi6vj6WFano8x3BzpVrahYA7ynKoVWQChE80TUDacaVjh64MO\nYqGUluZwTSaw1NXlaRIas2z2Rm+HEpeeNEyVUCpe/gAGOawmTAhcIgORhkIK81S6\nToiAqIWaw/i/xtH+U2M59YOPRwG9XHG9/DAEmdCsztB/AykNxOMq6xJDayu++kyY\nRXe0uYbPd3b0nGMcngBr/DTWUSuO9qcpg21d4VfmNTaLHgXY8QS+8bYTETJDqyvR\nFioAfHx+H+/la+OrLwee+CONCHGrlItSo1s4jQXW3TvbWlB19gj9XYVLU6dohrke\n1h9hr0Ia82/a+5or7RCU5Gtf8tHqueOdIfG0acv7ohtmjxtZOegSgZZfPIRpUI+X\npuLxrD1u9FFF/KaVJOERZJze4jVOHvPbr69B3OD2TJkoHXQzlCEu1E2/U/zGNz+F\nAgwDC9FRLmchgYQBEAC+7PFEa8+euceAKBBPiV6CswPFy1n+4o2E3n5DGFMxm3n/\n9O074js/c2X8km0FZLg/OQ68h5iZPX/mavCybvNOdIDUDzpEYiiYhQKThVW0Oz07\nOPxXNA1U34hv+raMlvR0Uyuync7RoMJLy3VIlqttqn9urQsusUJPYTtWpVRaojjc\nhunYPQV7XdIGJG92sCMgG8JeYLpRpDJphX232xuxt4L6BZh+Ddr0TUGmKdMbPGSo\nU50Ub1uDWWDYL0BWN8BzsuQQNDOTBMVqucG/WCr7d//x1A6CY2wz8tK0pIzyv0sa\nIF0PYAguFFZ2noT9QA64wyB4BJn8bgW7L6ohv0XfVdLK0fR59lb1A9Ar386uhaCc\nstjmijCLy9T1aN8roKM98CUUamNwPFZhv+Fb70/5qN6OLRz1SPrpZRyaaqOsiyz8\nyJCxMz0KwOSc3PsLLBVhBPr5wk2w9tB7CJxk6hCjgbugXbLXXedYtlNwXyOXb7kB\nAMjGWFw1e46pCmkpHr8e0XbKqY1lXfeBPO6y3MhrqQ7Atn61lSGGuwmsbRM0oLET\nHYNbjZexMVTxsle29eM6k6Y/MPSxLp2mwj4orPgIOXKaxletNKDgLoqnSUIhbItX\n102RMnCLptObGPmlzJ3z7xSWievOiyOtT6yY1tCQQfdWE9cHONni1TYTupY9/tJe\nATViviHLvdhJTVcj/MJY5pQ3EK/UYwxJPXZG0CWHixz1uJeZTdfJm0t++tiWlRO3\nDRZ7TIvYUsicqCj/DKrcOLpS3U9toBp2dz2tCzHwZC7u99v5YgpCl058ZEMwcw==\n=TbqJ\n-----END PGP MESSAGE-----", "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" } ], diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc index 48ee1ff..6e6edd2 100644 --- a/secrets/repo/pii.nix.enc +++ b/secrets/repo/pii.nix.enc 
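Review bot: The recipient `age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h` stays in this file's `age` list and only receives a fresh `enc`, even though the same commit deletes `secrets/milkywell/secrets.yaml`, where it was the sole age recipient, and the secrets file shown just before `builder.pub` drops it. If that key belongs to the retired milkywell host (inferred from the deleted file, not shown directly), it should be removed here and from the sops creation rule covering `secrets/repo/`, so a host that no longer exists cannot decrypt the repo-wide globals. Removing a recipient does not revoke what it could already read from git history, so the values that key had access to are worth rotating as well. `secrets/repo/pii.nix.enc` is cut off in this view before the corresponding entry and needs the same check.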
@@ -1,38 +1,50 @@ { - "data": "ENC[AES256_GCM,data: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,iv:jyofVBu/fxKmEnJPR5e81m8nnbcXf9i944mGH3rbcrQ=,tag:ILjy6UClUAyJmut255ZsKg==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:cyjC5VQUr4RK2YwZMysK70viAI41VheecfIkCOAFHm0=,tag:N6GPAKgBXYdLddHPv5mtrQ==,type:str]", "sops": { "age": [ { "recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOK05CODZFTWk5TkhjZnh1\nNXZjZ2ttM0VndU96Nk5oN3E2VTJhbWloNGpRCk93MkZqTldQNUZNbDJVVjVYTWJu\nZVFBTEFFMVN3cThUd3U2ekttLzJyMTAKLS0tIGFBTmNKOWZiME1hQWpLMXprRzh1\neVpFb0swSnVVRmZFclRjVkd0V0MvQlUK1JUjwmyotjEVt88K9B5EyCGSnTOBlT5g\nyD4wIMSQxm7/E+8F/o9s1aDm3PG9SM2U0A/y5Mb/TWscU34ShnDm+g==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGejd4Rlhqb09hWE01czJm\nMGpuazBFcWJ6bElnQ3pMUHVVV25MYVhMSldRCi9VNm5jcTRkaUNPemZkQmtvZjNC\nL3FVbjhYT0pLV3RTVGg4d3ZQMmJ3VE0KLS0tIDRFMGJJemFNM3E2a1BabmFvNWdx\nMDBsbWVhd1puQm54SDZiNlYxT3Znam8KIcaM7GlsZS2jieYlN4bi/CX5dp+TYsQN\nXJUKYKg4+vrtZpVi9NHyFif0Hwask+vdaziogHO/xKA7KiCo+NqCNg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwOUJSMHVRR3VKcjlOeUFH\nazFYS0R4T0NnU1hzWjFYNk1qai9NYmdJaDFVCkZpUUJKeTBmbnVZTXJVZERVQm9m\nemw1V0lJb1JVRjlGcnZjZW1lNDltWGsKLS0tIHNZaks2M2tXVC93ajNYTSthTDZu\nNXc2WG5MejJ1Z0thajJDSldBSVE1b00Kusadu31IGTpzXG8/1BXjdMrUWFWm+Gew\n+c52Tbh8tm778zYb0Z6EFupjd4lVUYfn3GuyCCB8mpGteLidOeuqPw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZDBzY0pJNDdEVlNDYTgx\nb0FkZERJZE1HVEhQSUVlOEJUZjVFWVVmenhvCjJoS1hGVkxpY3czTjcrR0V5Mkds\nZSs5d0dEUmx1TnlyS3RsZmV4VWJXaXMKLS0tIHoyeGNQVEdmRWpOMlViOGdmalhI\nZzZha29SUmFaNk4xMXFDVlZaZGI3WVkKc1eB7uQChwRejq1h6F44uXeshmvsn0Aa\nCHzCJ/uGc4bx8hfY9inZ/XVh0JsGa2w1G1lSbE0heTottM2bpHad1w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQXVMRmtQbFl5Z2VTVkVT\naDBnV0cvcGp5WGtYcVZMaTc5OWlncitZTjNFCmcvY2F0Wnl4TU5tY1Y2WWlUWjNq\nL1IzWU42Y29yZGRsSnA0RTFZVUhwR0EKLS0tIFlYOEJ0U2VWc3RMNzFhT2RhYjZZ\nZkd2QndCbGV3RnpaWkYxTkRVMytqcDgKqFoTKhY6DzxBWRjuy2Qd3jWQBYlT6pFa\n9WH0t3bOtm86oIjJf8kUICmE2oRVX8OqFNIpzKD0dMoOuXgz5O1EwQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZlFKQjVCSXRSZUNVMDFs\nd1VYWVp1SkNTclg3REwyMXhlUHlBSm9OWXpRCmU1Mm9ZNW05a1lweUtsVHhLY2ZZ\nZUtaU0tLNlNva2E3VzZFVkZaamJsV3cKLS0tIFE0Nm8wSVRiRW41b1ROTGFQNFA2\nTjRVdHUvN21Vc2ZLL09KS2N3aDVhR28KYTNt5W4NlvkQgcXsJgWzhOMFXX30/DHf\njbpekMCUEd8P7rvV2IrZUUCAd7d72SysWG/1Bjud+7OvE1BLw+001w==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUaU5BVGlBUUdrVzFYM0Vu\nZ0RHaUlKZzkxQS9UcXB2UnQwY1REOSsyc1YwClIya0FtU1NlRUk2amwyWnQ4Qnor\nMWpPTzJRS3FSaEU3ajA5NnVhZDJQcnMKLS0tIDRlemVKdjZ2MzVCRm4yZ0VGZjZH\nYXdJUXlOZ3R1YU16djNMUmxHb045UXcK4kvPN486Phfe8lwLU2E+QIVb3uXHo+v5\nUkxjdxWjpWV1DWFKtFzILU8f9gwYs2LNGqe/uaik/cnECqS+m050KQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Y3BuNFhyYXFJdzdkK1A0\nQytCM1ZHZ3Q1OU9IT0FEWGxnNTc0UDIyWGh3CjV3Z3o4SFlGS0VHOXlNK2pEQW5E\nRFJzMG80eWh1OStObm9GdzlXL3EvaG8KLS0tIDRMUFdFMDFyNFdWcE85Y1p1Rmph\nVHhEdkd6SUxmOFpGcVdIVEtGN1VWZHMKor1bN9dhFbjPq9uhB0Io7Ekg9fVsxANz\n6UerABKTnZcXBzoEzsUKCLGtZQPftW94gwZ18ofE6rQ0Ref/wJMpkg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZFd6NGlQMW1Jb2Vac1Jy\nam9zL2hzK085KzB0cExWNTc1RHRIRTVQMzAwCjRPekg3WGVETmc5TFYzaVAreVNB\nU2JoaHpqdnhsd1hseVUvY2V1a2E1ZHMKLS0tIGpFR0h1bDJlTnVpQ0NmazhlRStu\nUjlGZGJTYUdHU1ZwNzloQWYrYUJzNlUKns93LeJxg8zNxnWxVH2DWIjGGmWcwOHa\nRD6+2MDs0fcaTIvzLhTihVaykBZ1rvk3Nq1p7p4Zz7cyDUvwW8bO8A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldmdYY0o1YlUvbCtSZ1dB\nUzVsbWhvZXV2aDZjKzNWcVk5ZFliN3MzZ2dnClVkV0xRYTBHbXdDQ01hRERBREJj\nQ3ZQZGh3M09IUXJBRzl4OHgwc29idUEKLS0tIG5VSS8rY0g3SEVLaGpheU1YSDRO\nWGNIc1VCcitRTHUxUE8yUU8zZzVMRmcKdZlbPcCgNGz8bm39yULl6ou306ofV1Gn\n6tYYXgEb4PA/VpLSHQBOdO7uaSIb0WSfLRP1Sd75dgsT+WlhQYoHkg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcHhWQ1lVNUFpY0hhZ1Ft\nRWY1UFdidGlSN1dNSnJrTEwzQVRUUGxQTms0CmtOTE5FczYxYldVbkRvLzlLRUkw\nTFIyTFBQekM4TmNqZ0pWV012b01EOUEKLS0tIC9qdUlsSnI5S0RrRlc4aDZIc3c1\nZVprZlJtRnNrbGpzaVNrWSt1enBNT1UKHrdxe5Qf1aMbY8Ne/uqNPYhYstIKPmun\nuCMseNq4SRUYa3Jw/bUy+l0GYC9+srFFJ45inpV4XAPeaKBr4WhPgA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcnJhbjVlU2gwWU9sOWVG\naHptNlFlRUdjNWFOSkFNdVlwMWNkTWJOcVdZCkEvYTg4MDJ3TWFPdUpzOW9Ma1lN\na3NPZWtYS2FSN3dYbG4vbnE4MGpSVDQKLS0tIHEzTEV4UGdDVy9TUzRQdng5dnhj\nMnpXUUxiUE9UY0V5SXIzMXVLYnM0N0kKkesE0fgETq2RvizLIOMaJpCdcS3tThZE\n8k7cm9iNSpf43wa9Fvszu+hRiPZW9om8caZOiKid5VWBnMEQ3MYvkw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c3pxR0Rpd1doeWhsSVB4\ndWtxNHkxdkZjWHJDMW9sUFM1UnBNaS95M0RRCk5GMldwUWdhUWJJZGdSbWptQ2VE\nRHpMM1lqV202cjRrQ1N5WjBDd1kxKzAKLS0tIEZDc2VHaHBXd1loL0UrZTJJaGRk\nLzVzb1RZVmtNYkZNM1pqZHhYRWVSOGcKIH/JKbzaOlWOpt1YShHar0i5T/rd5m1w\nkx6wZ3b4dpUdN3FyPdhrjT5RWOL1BHhcpjmRdBTAHgdqRLSZfYEosw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU240VjVRZmJ5TGsrclJF\nRXRLbTRCZURtR0Z3d2E2eDNNeGRDODlXVEY4CllTeVFYbDJQWlRSS1RFLzAxSnlM\nZi9NU1c3cWo3YWRLcUJ2U2ZFWFBBVEEKLS0tIGtmZU9qSWdBT3RDeStaaFFDSWtk\ndkUzZXJwZUl4LzVxYXdidmxXRnNnclUKyAMZqCKSY/RQvTR4bbjLaPnGKwdBcHXc\nvtiVSrLdIdzMa6id/J07TJH5UesUmcp0wjU41MDa4aMBLy+cXhuBHA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdC8yODJqc2dBZzFodlJw\ndEJUejNMbVZXZm1uQ0FHeFhKd0craG14N2o4CnlvVkp6eFVLcDlnYStHaVRoajlm\nb05yZXA2aGpNaXROY2paYmpqM0dCencKLS0tIEVhMDR3d0Fla1RKY3l5cXZsNEFP\nZk9vdGl4eGxhcnBxVE91Z3ZoZ3Zzd1UKavS6iLiXL5acrtOc34OT2V/Ol6lWLtCo\nZglO7H8Agh58FRhyQUvDu+bHXTGnxWIhOnyAjJYwP3XUk0p/3E4PPA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-12T21:23:26Z", - "mac": 
"ENC[AES256_GCM,data:YX01kVU0XeEFDtZokPcpZ0rkFWFqY29L8/vEEtBv8JuooEC8+P9GArK1yrOlAh80UnQb3aJC76lVLFJIToeUmSImvJzD3YBril9YQs5NsBKCxwyroMNOMaKmR7Lzn15rfXhBCtjzeLe8ILyzTtUrW/VqwPuO4bqpqd2fdKSAVzk=,iv:QDixQGXUITr9SlQs4kJ/daUt/THafb5UB81xmw4eZIs=,tag:vC+H/fBJ7CcwL+n60QMu1Q==,type:str]", + "lastmodified": "2025-12-01T23:39:07Z", + "mac": "ENC[AES256_GCM,data:WEVxtO3Y7YI/COpOvvadujDYV66MtcKKujiE9P5mrDqqdjG8p2fLwhSNJHVJUwPyV8xAIIxCTqIA3bKmVKJ7vRCn2GQo5tRsWljNVU6g44LcXcX5wSeIgExyvUNjBppLbWsjstvfuJatAZwqDBN7eP/Ntu0R7p3wlr4IddDe/t0=,iv:es5N9A7ypxtNB9wPYT9uumwpLZg7wT/gesO5Q6njtxA=,tag:kgxsF5ZiYvM0wHDq6C19PA==,type:str]", "pgp": [ { - "created_at": "2025-06-13T20:13:06Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmZXyxrBEhacTQUwv9FVbGqeRHWUXrpJRybOA8pufPNnx\nLiwPK9op9HhMqfJ8uirmtsUhDg3lPCQRmnCMHpJt2Uy71SVomp9zkAQTRDFOp22E\n1SAAGEF1q4AP4YdM05iJcsxjQi7+2mufwrxxVdND+qjj4xbop5rFL2PNZUhJeCEz\nfFBdu8bL+IfHASN6xJDtgxat0shh2+hYebdDriu7JmlfvLtsTHRzsWJqNPQ45/+N\ni7LQTgkDDfCm+IDJ4sG5dJDovLCzgwiYtmRjaoRQFYGOEgPAoUcDQSYfHoCGCQ7a\naALczQHIZ4ant2kfQxcpM3nYXpCmBm+gu+VzggLMGpgYeajiquXszdLbqhHs7KqM\nsBSWpDyhNgAzr1+5nBkpkRmZTeelZQkFKukNLx9Xa0DJTTsDsnVB2AsFixqDrDnf\nb768FvRWtJgKQ/igY5sItD5qUA/mHpE/eXn8EhTdrGoFvTIxjzWuxQ+l+bHbUwqk\nHj3rJFPp1jJQshqToa/J1cASli9kOarh8+nl3/b+dfhiQ0ttpoE9W95LTsYprPfI\nMG9chQ5rOBO0Z/dQSuB33c5wrKm76dqNJG+zJht8bZxQw9lS8Ish86dZkdf8GVWP\nxPHx8A7RfLoMKI4huBXJ9uLtr1CJ9odzjTiH1zQZmpaU8ZeVvKpgjiSxM1L5OqqF\nAgwDC9FRLmchgYQBD/99rzXeVRHewJGRjIQ3tH79rmSA0teEPH42P4BJmYbStgVB\n+v0fuJ4GgPMcYDFlK2xcn2W78PU+/hgmfXwuIMkXCFv+SCKB+tgulIFmvOTrsyUl\nTQdzRisnLt+wc5+Sv6vSeOwRAwYlLrFfBBf2gtyxNDS64xelpILKCvWkLXEbI77p\nUdHRAZFesZgVv1jYVDQekHSFg4wPouWlqf28Btj5FsrDlr6/urLc5LOZEbUrXVj+\nZ61oNdC867xUyMQng/Scco58ysUWVlNDkR5mI9Utop1PPkzEMEsS5wPqw3oVlTsT\n3SqxUNAivZUakENbk6kKQmzLDwZ4ZduNJOwvopOoYHme5eC3yVjj7JpGSYmL2CsS\nHmByP1I8bCYibLOeNKiNLZ8uTdNunYuwNW3xnqOcwbPjtTlf0crfDQPB5HkYqs+F\nJw5p+UUP51Ls35MFfLf1zwiIE1WbkX3//BFTdhCgdPdXP+OZmhnDoP2VR7b0JdRx\n7IHvEDmw35s02XBDWS1fY5rJDcnaUOoyjM1EA
CIR3ArIuAeJr5CtzXxM3+pt4e4O\noEC1t8C7/W5DOLGgeki1lXipGHg2yZH5RSf66DjUNta1rIH4VsA5PoOShEy9dWCF\nWR018lWIFfpiRYAD3KQ2SvjuSAs8zSZW9QlXN2t1J9BM82etvR8bObhKIJE3Q9Jc\nARN4GVV0kpVwHH/kmXeoi+WcwfUVCuWQXH47Wf++UzzTJnBFUc2uQeWGQZLyb+qF\nfLb3MJwImA68QUz54a3YDaNsm1J6x4swR5bcRkUMsdozzSDInz5i0NsZrE0=\n=CQXY\n-----END PGP MESSAGE-----", + "created_at": "2025-11-23T20:29:17Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cXb4LCSFl87V234GULIunsSJFGmzu1fp/lwq4I9UShKy\nb0GHhheX+z+0U1+L4Qk4SeE408A4su52sRJJ3EN63+eq0+FPFxoxQH0NtfTSQcWa\nn9/sXnP8hrjnm6r64lAFd3B0HQQE/l0kqDrvU+UYAKfwomxpbdenoqQbinqX5Qgm\nY1Yqz8jIIxU064S4iiwTkLzqUi8SCPa1MCGQi9HEPxUHoVeuquNEQcs0HB34XW8Z\nxLUWSsUdpjb8NM73WArpml8XG9bHmdG0xxX1mZwK+uA552t1WDVqX9QHClGmQTdl\nPM21S8chJI1W77EjCsV6QfSicICU3RbvLSfLU0WoZ394VmZmxTGGoofpESdLVd4F\nU5ZLR2t7iXy0jb/TEeZfTGD2PPrt+hSWt5K3PIQnAb7fvLg/9fiG1LOeQlW+SZKD\nlojaMn01Dg6Rfex2qsXNrKfi/qmA3tpjeN8pIBpCg6EPlCFUzp7/cueTF9Xj/Tqk\nL+IOOFTKLECr/lQepz6rS1XRHrJtWSyksd3rt03s2Q5UqLdoiUZAYXgJAWntNMKL\nU65rKQdJZXtp99oDG+YVp9F2ZCogZN/Ac5+sUTmke66xku6dh5Qqe9MpYtAhPmQO\najMZiAeIaoaYwc8vFMGvNbJH2pmJaFrW9v4MELkTmi0EjZEPgPWCOIgUkEtKanOF\nAgwDC9FRLmchgYQBD/9eJUINu1YEtZZI8iNujEBNMlgmKjl4nVAwB3sviKvByWgx\nXxN4xptU+6gHpAeyRxwvWLhv/xGkHWAUJHkMsqMKYyXQQPAC9x4l1pq67AsNpMu7\nWcec+B8n+X3gwnmLes5H0fvdJ+gCMR32JL1PRnLnkTjeSX/JBFRG9tPZ09k0YvTw\n4ebwpYxlimxXZGR0DDRh3Jls9+YqgBzMb4EOo64SyzD1ZWUjP9addRpj4A5UpSRN\nFscy54sG1CMRzLyXYJb6AgDLVysfMq0Fgg2AgvaadmoKh82/Knf42C1K9DPqakQl\nmLyzXprvUR8mlBpWwZ5b/XIC6DuhiCz0g7dYX4XPeUxvah7PkRp3cmdWsJDCgq8V\nbwQg4Dm+k+8BZIZwRC4+3gLchhm9Jq/KtJ7iWqeVb+YQ/v+/712BiEJSANofqMQy\nmkHVksp8E/PFU9KYhG5lkQu88zVmnimfWFO7UKfIJGBBzgt0vicrSKjHPkgbb88R\nG9diNPOuXpCJJVecE5p0BEfizfDWnV7JSm9s7GNdTqglQx2KkLYJ1mijWuF1OIf/\nl1cdN8IFRI/glXC53+Wfj6D5B+lhdT1D3DG9MVGxeEyhQCDdnF7+Zy1jyDsrOpDv\naCq0MqXoa+FrtEBwlke2Dukf4RHtyBWsAg94dJuHVV0STnJbB+2T7uDDvVikvtJc\nAQw36Ni1lDO239BV5VYMDiNR7zzcLRHV+hXjlGqo4f+UbTy4jXxgQwS0z4lGn5XY\n1AKcAoNYxjuuGhgoM5Gw1ch02QFFzXWD/Bva5dLEMO/1Kqre/LM6+iUhKd0=\n=bZ7p\n-----END
 PGP MESSAGE-----", "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" } ], diff --git a/secrets/stoicclub/secrets.yaml b/secrets/stoicclub/secrets.yaml new file mode 100644 index 0000000..0f27848 --- /dev/null +++ b/secrets/stoicclub/secrets.yaml 
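Review bot: The `age` list of `secrets/repo/pii.nix.enc` gains three recipients (`age1cmzh82q8…`, `age1hsumymvh…`, `age1mjgw3nxl…`), and nothing in the hunk says which hosts or people hold those keys, so the wider read access to the PII file cannot be checked from the diff. Neither of the two host files added later in this commit uses any of them (stoicclub is `age15klj4t7…`, twothreetunnel is `age1g7atkxdlt…`). The file is JSON and cannot carry a comment, so the mapping would have to be recorded elsewhere, for example as a commit-message line such as `pii.nix.enc: add recipients <host-a>, <host-b>, <host-c>` (placeholders), or as named entries in the sops creation rules if the repository keeps them. Every existing `enc` value also changes, which looks like a re-wrap of the data key for the whole list; any recipient meant to lose access should be dropped in that same step, since ciphertext already in history stays readable to the old set.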
@@ -0,0 +1,48 @@ +tsig-key: ENC[AES256_GCM,data:E6fpwErUUmyLbtSyCItzLxvrUfq2UPV//5u1VxnMMn5+TWj/PMuwjvmClEQ=,iv:KJrXIgWMMcs7riIPotAK+Qtj94o/sGKrgi7sOxVs1rU=,tag:YAyz9tEf4vC2LnJV56DMpw==,type:str] +sops: + age: + - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMREU0eVFEbnRaVEJlRG5L + QjhVQ2F2WHZFaXJOM2hsOTBPMTQ2ditVMXpVClA5bndRc1YzV29NUEorSFNDNUxE + eEFwMnJoMHhMbDJtY0J2UnNIME1DRVEKLS0tIHN1dVNLWGRvbTRsWE1rT3c5aS96 + VXBRUEc0eDlQOXg5YlNJSmhDL0ZiUW8KvzVC0PMvMRjBaAS9WhpYvsWc34coUupY + aoF/zkgPmPWj6SY1vURpgUHC5FHolHL3DYQS/SQxdOXSrXIDxlIJyQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-28T15:48:32Z" + mac: ENC[AES256_GCM,data:Rd9MTRKzK4AaqzPBsxztoY10pECecWjHZlQAtbQdzzdLVe2TL8hIjH8TlJ8Pju9nmS5gvb/gB2CoaQZcxJsOvYsEYVg27+B2/ITGHslkbK7ngVd8ARNYITbx/eGp9D6VIYIzPBqcz1TkNvtPIuBLZzjCnxrvhA4gX93ZEEAUknM=,iv:Lrhi7Zj2IqC1ApsRT0IwmhJHaHf3dopvi7/4etVOBuQ=,tag:fSTaLrVhJd9A87PsPV+z1A==,type:str] + pgp: + - created_at: "2025-11-28T00:26:23Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAhPx3hRyNLnIXwbGsjD6lAwhdqhe1yfJikB3+kWa+vaKC + /WOu22h0HB8cQwzeU6+LKeieuy70fEMcE2EHh8HjTuAIoi6kCDFjXA37pEtyIKaJ + 9uAc7EBNPOcv2TzFEnHjJXlMIRX1M4RegiZpOiZbkVkJeC7lJSe1mQhvHEqw3wmT + 7ye3ohDvHB7y2W040AD5wymntNOO3BSxQJEVPaKo7sLmbkUSPXRCBj7H715dHyFe + jf6nWbAElfUVM9oSK/TiYZwVcZv4/LbexAivRrlkFmnPpQMTrTeafS8r0sUtOoDn + 8YKuBu0JQMVFJpLA0hUrH/MIkEalbgv3DWsC5DoEEni5oQY3vC/bd0nM7P0hETop + wGFoBHM/kvGK8AnhcRmWy1fj15/TNrzF4uXn1Xr2tOLFrlLTor3JKCqIYTBWUIAl + Ve98SrZcvEdZKRqQiRyAXueJ1S4R60pCtTp6AtKxc7RyJuw6YM3VD3jcKBeIWf2l + UZr8yKfu24Rhy1WAe8+HT/LBzkB6/RKacBtJZVd0Ffnp8Cjaid3BJN3OQTLSSRCc + /t037ctWN/nSC8M/P6F/ZbSN4xEHRxT75c/qGpSBaMJgtwlD0wNIBCS9McuYD8p6 + e74KFlmm4901fytpHJvrdeQl6IAJCPV80540z3N78cdSxfTOF4Qj4/Dr4Flcp4CF + AgwDC9FRLmchgYQBD/4vX3zwM6MDpwW7+zeKrAgXYsHjIj2TYz8EIJ+bIH5/sUPn + F+o8kZyVjAc/c4AnKcCyWz1aYR47p9iHnk7Tf3mh8+MzZ4LCkuZjKmYjlfExd3RI + 
J0upRtTak4M/k2nxfVnosYwwFJhUnJpBlIt9DIU1AcDshAHnAOOeysIsfV7ahNQB + iYMvk196d+2HGdIPFPIG5tgJOFqamY3TtHrPmFx5SSj1ep4V2IMPqDudZDoyMscn + /8dYZCgnSFBDTFY/X8ngftxaXsdyRE/0QJFjG+c2M6G5gkccfpxkNU0toAwz3m9p + hS3s2YYkrMem/VdkqEvGW3cHnmM3ZHAttrfO49z91nmRaWDMm2ocl4CNoAsiEmc9 + /pQN9spgQGonDLM/yMpiuHEZNT8Pv+1YDS7kN2FlHuodsTazAi2ZoMDOrvHQhXkG + 9mS8fgVIJncthfxwbswjz77OZo/zyF41WgYzet9Lr8g7RDegmA+nPeFIJ+EVDKXH + o+KMJVbRrCiGnSvcVtBXQtvhcuJLe/LWvXbnsAo18+HPqA1PyaJtuMgc3dihuddV + KXGtDIpiy7UFw5o2w7Plqs2T+N0wQI2MTEkKS/TdWVO5zTMoI1uPE+b5H7z56Cnj + Xa65aUphUxxLMN9rbVXBSfhTyZCFM+nj7fY9pFmoUgfhKSZ83j3w5XlVL6bz9tJR + AUc8r4d6z59EE5vsIuImiM7/jsSudYewau2wnMuli3FmYISiR6kU+bRBmm0nF6Q/ + Kqt5nLxrcGKz2ivRxU6Hxc9D4gRaekoTkeP5J0Cr0IYt + =D/qK + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/twothreetunnel/secrets.yaml b/secrets/twothreetunnel/secrets.yaml new file mode 100644 index 0000000..c232a83 --- /dev/null +++ b/secrets/twothreetunnel/secrets.yaml 
@@ -0,0 +1,56 @@ +#ENC[AES256_GCM,data:Zj552Ho=,iv:uOiDvsLPsT3D6A1SLgDl8jbAyz5bK8s1h7mIc6WT10k=,tag:rTD510uyO65F/qcD/UTUpw==,type:comment] +#ENC[AES256_GCM,data:a8v9FPS8GcZOyREs74GhUpnAZlYF9Q9lRU3ZdsYERajtDiGncywKPLE61PlnH8o/h+QkkWjpsjy+,iv:Ck+7CaYym5fT4uy44b8yLw+b1FDvvjxrxql3ed+B2as=,tag:sb7vA0tVe1G+TDcJLhQ66g==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:9AvuFB/nYm2H6JK+pKY0wD658dHGZyV9w8B/+PeTKb5PkFJGlqdz0A==,iv:DeH3sRv9hCzhy38jnXVeGlAbUeXWOwf2avdINWuhJb8=,tag:jXjmtG+uoTonlXSSKLkY3g==,type:str] +#ENC[AES256_GCM,data:/+idD/eetpnX,iv:NNXMyIt6uUfT3JVU9g39xjUL71cw5UVmESKVIf54tqc=,tag:pz+D3tUk0gWTfAirJGhlkw==,type:comment] +wireguard-private-key: ENC[AES256_GCM,data:7cSHZL3c1P2oPPOX+HLFCDSg9gcWmdHY8LLb8kBVaRMsvRCk7gx/b2H6+Xg=,iv:YNKe76UGywvChY46X52nunFFHj3c4qJJVQRcU7bkRY0=,tag:uR4UZbtXSm6ywlVOZ4wQIg==,type:str] +wireguard-home-preshared-key: ENC[AES256_GCM,data:YeTvFuNDs7Yb9pvzcb/tHyYeQrVJGpvKzr0l1F+4ch6F1rTpk5ad37bi9kc=,iv:bI+KSgSwbanPjKi0zV38zhXamCo6Lnu9z0PhvA1n82U=,tag:4m7rJ5K0RSkU/dGm1bRInA==,type:str] +#ENC[AES256_GCM,data:IpoTYZX4KGjPA+hZ,iv:Hd1V9//M1f/10HQ7ZEEA9ZtuO8EBtY1kn3n28krYxpg=,tag:We6WirbRgSH1qOjC4g7spg==,type:comment] +oauth2-cookie-secret: ENC[AES256_GCM,data:ZN44Kdai0hUgx0GduynlyMHDnZpdnp1SPAGEaNaNFHGMhM9Q5HPzotiNXQM=,iv:vsYhWriY5G4KLiJ12MLm26B7aBzCL5GAr+S15klH4Bc=,tag:t+MsS0Wgo5papvoeK1nk+g==,type:str] +kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7GA==,iv:a/R6xlwGdrwJNc7qBoo0Zmlh7GkZ1+uU+RzOxRE+okc=,tag:3WpAVThFLXZFsCIl5xM0IQ==,type:str] +sops: + age: + - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcDZzcEJTNE94amhZSEZk + Wlhkc0dXY0d5Y2Myd21YYURORlRnMDRlYTBzCkZ1UEhzSzdTZjJENzAvOHJBVFRH + MDBMb3VmTGhnUXhRRnpYS3p5NE5HYnMKLS0tIHpROEhpeDZQYUNJMkExTDBsNUh3 + NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS + ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q== + -----END 
AGE ENCRYPTED FILE----- + lastmodified: "2025-12-01T22:42:29Z" + mac: ENC[AES256_GCM,data:CTOMF/JUbJjKrO/WCaNqCgNVv/XuBGu5nD7ssRplhg7Fmfpqyg6+qQylZcVO4XXQPvpXsA7VfnACe0irflx2Rh/5eULLfaL6eSVnr15CmwTxxnJatMtvnn1V6tGDX7Fs2s3xdEM0G7Zu022A7WWgibiiVzv/tH09znKuxpNIdio=,iv:iYgbJLaOM3JZK1BGV8fVsq5wrh+7hpQwUdXBbsTQEj8=,tag:cPQdmBkZ+DAlQ3xAQts6BA==,type:str] + pgp: + - created_at: "2025-12-01T23:06:35Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/+O2d2BMDS3DVPfUHLD69K6VsdewczQkPoskMrS5JeQn0R + gDhR318J311UMClomIIrgDlbleoKS9tdC1rM3DoCaGFq4MyydK4MLy0+6wme1n3a + ZyOsQ1jSpdgkWUfbalbxL9/cWtQBwfahXve39L+ocqb34KT8jeLcRNZWORWAst7X + a6fHFp4gZrTnOjn26TJc7dJxYGWQIWk3WBYpzC8kpqkMaIemIy0FHaObNYy3DvM0 + Z++AYqmwEYiz+tG1bVRUZ1ck/z8kR+Zv1Wg0uVM5Jmg6rArrz75xSS297euPZhO3 + bQwEdJ2rcrdaz5LHC6zgsDrVz5LsfoTxilOwIgsqSGqOBIGAN6XttZXjjul6MVyE + XBlHqqrCVlLl+OCumWC0U6vr/bcGV6CaMJPE80Rh//wThtvyKVFRQey8EmJH7IGx + vHtfOaOScJc0sCCyXOx4HBeeGAYq0ogSRTlgK6Z+kXx/MkYRHiw6Vdrw0anmFF08 + 7lYB4SPafnEB4m2IPz1390ZSDXWGT5QmrhpnajuILIIcWwe0mNPfDbLQWF6CZALB + UJs0XvM/gfXhnqVnkayTXc9IrIHkLoKwyMh1g+st+d0fAYaUD2Wd9BI+zi22m4iR + J7Mw0bMBciO4MRIZEEFsCvuv4UzFjQ4mO9ib6LXI7y51sIJuYPkq3lllkntFdCuF + AgwDC9FRLmchgYQBD/9F+tb1K7aKNq73pk2YTmzH+WR2Dr3+MxNgnQlnIJMxdoTi + QE3C9U9UaO5ngdHbnG3ruBQKjGhLI8meFMTJatPwuOFcHPN+I3lEO+PkHGH0VkGQ + A1xkeFizc5l0tfTD9JpatOwaKKr1b4cERZP5hSTZ3MJsRJsykySKmLLpfmC1pZ7L + OWLdJ740YEPXXw76seRgZ66tKou1lADRBXAfHxmlj7yrt/MB2xg0FfPw6/i1HTlV + kwyobNlNO6whpgHjX16Qfcuj5YMRSDmyb+Ol5dheiA+DvoowhkijCGv04Mye10RI + bvjcmhVA+2lNP3tzF2duyIQi4nPDhQLcBs8djH8flKWDZOuz9Jt1QDTb4h6iJzfK + RkfU9j7/GjDiiksOdC0/yYgn90dGdPBI/iR890Uyuav/nwzF9Kz9aHQGPhCbwfRZ + gN7f3zyt9XPw7Qdyf5+zvaarg5xf8i3q6vhYZSGpOGC/ZrRdJcNfo5Sw4gVzrTOD + M9IGoeoyWkCHrjKPjYf8fVW8dDgMsddaT/ub8jh9OcM5YA6mrbeAGyf135mOurLd + PCsu/tNAA1GLImgc/MYplkPsOfC0+7fJ9gCSirXyRgT6Eir1VJLL7wE0zrPYfqdX + NOXYKdHQxfhtk33XlnxNJ73cJVGtBXy3B2kkM2DBHxY2Zj8ysO48zSri280RVdJc + ARILzsczZMXmJVYuR/r103j+doR/kMVEeH+gwhTSyj3yOgP06Ychawx4m8QrjF93 + 
FfpVVia8JmpXAymJ93fO1HCzpQgZwX+BuhjfGcUoa3kr+lJjzU4571CCI84= + =lNG0 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml index 9c3883a..a418558 100644 --- a/secrets/winters/secrets.yaml +++ b/secrets/winters/secrets.yaml @@ -7,7 +7,7 @@ mautrix-telegram-hs-token: ENC[AES256_GCM,data:bsuGGKASj65MkSri1MbZDEppRlr5qXzdR mautrix-telegram-api-id: ENC[AES256_GCM,data:GLaYJupsuA==,iv:EZ7i3jregI2puUAQbbkUK7OWA9Dnk0GdXRQuF/crD0Y=,tag:FL86Xji+YEkBPIm7m6sStw==,type:str] mautrix-telegram-api-hash: ENC[AES256_GCM,data:vikwgZLPV7YBdKlzf8+LEUnNIMx950CfBMGXKOga2cs=,iv:16+qS4L1LEKyWQKC2+a9l4OugWLJou2I2t9oRfKjS24=,tag:zhjD2dyGkqfMQlAt/LTCzw==,type:str] #ENC[AES256_GCM,data:3ZJfIpB7,iv:bS0q1SvUfAX8s6/R1z9IWoJ1vIitIDc2lGZUjS6P+Ao=,tag:Hc1HVrtkT6gNceN87PF/YA==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:QyOHnPFiNiOXBK41pr6XfG9KCWRysTxzW4cjuUesbGdFOOFi8W4lCQ==,iv:Iuc77X4t5V1xFPu2F1njo93l4oaciou7UfOLBm18gaM=,tag:+40ELYAGxaQfwiTKPPwI4w==,type:str] +acme-dns-token: ENC[AES256_GCM,data:uSgEI33Pz8IsJMqtgNO5Q/HW1dRLMeGmXtJJNrbQ+PNVnAiTTRyS6Q==,iv:5ubDxwyDgEHxK/h50p2HK6S1+2TdfTUFH3yGv7/zcH4=,tag:P3b2b/h86TlgksjXB8Uccg==,type:str] #ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment] paperless-admin-pw: ENC[AES256_GCM,data:8s2WunvnlL0xE8XNN1Re6/9nBAM57AgM9g==,iv:Pol+RjNMKpNYCQWY0BZamRnob+MO/e/14jc8uArtDz4=,tag:FXRrlhR3DpZ+7lSlXb7wsw==,type:str] kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str] 
@@ -58,8 +58,8 @@ sops: MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-09T20:28:09Z" - mac: ENC[AES256_GCM,data:tLAljNEDR4Ab27OXVJhvDuGmfuxE/L9KSFsJGDo25Vs3P56/HnjrI77y+ytLuf2sK/OHup7jXnlwBWUDAfNWIQzUdjIBtr/OiggkPHgWhr4rH55ayLM1IfZU1ex6MPvliz2yi0nU6jqHXoSlBCqu+hdfyTQri1EmZ9Bh811YDqs=,iv:4VmwBcmQIjQ16mwxYjgud3OUjQE0rH0wN72sAXXs3to=,tag:OQNYvxLZg+0hapvUYsexuA==,type:str] + lastmodified: "2025-11-28T17:45:19Z" + mac: ENC[AES256_GCM,data:lIdIP+Js+FzjJCoClGxqP1epl5fVkPzfJmOVauFNlXKRxx90/E3478oQHi/KbP7eFgPoy+0hAbMwnBmo/1tOKb2ky80/6IMEkbftiO7YZqy8opbSbCtj6ypOOwwPf5rgtXHn0LV+EtDQZzIBY6GhcERO6IQpFRAXeIkSGcpM3TE=,iv:sphhFBg1xgupLGQzRovea0wvsTolzfW/z+gjj9CyklM=,tag:bdo9FlPPYKdl87lsBsiEsQ==,type:str] pgp: - created_at: "2024-12-17T16:24:32Z" enc: |- @@ -93,4 +93,4 @@ sops: -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0