testing cosmic

added git lfs support
added chromium to users
2026-04-21 06:39:09 -04:00 · 2025-02-04 22:10:59 -05:00 · 2025-02-04 21:37:27 -05:00 · 2025-02-04 21:37:27 -05:00 · 2025-02-04 21:37:27 -05:00 · 2025-02-04 21:28:10 -05:00
77 changed files with 1714 additions and 805 deletions
--- a/.github/workflows/build_systems.yml
+++ b/.github/workflows/build_systems.yml
@@ -0,0 +1,25 @@
 name: build_systems
 on:
  workflow_dispatch:
  pull_request:
  push:
    branches: [main]
 jobs:
  build:
    name: build-${{ matrix.system }}
    runs-on: self-hosted
    strategy:
      matrix:
        system:
          - "bob"
          - "jeeves"
          - "rhapsody-in-green"
    steps:
      - uses: actions/checkout@v4
      - name: Build default package
        run: "nixos-rebuild build --flake ./#${{ matrix.system }}"
      - name: copy to nix-cache
        env:
          NIX_SSHOPTS: "-vvvv"
        run: nix copy --to ssh://jeeves .#nixosConfigurations.${{ matrix.system }}.config.system.build.toplevel
--- a/.github/workflows/update-flake-lock.yml
+++ b/.github/workflows/update-flake-lock.yml
@@ -0,0 +1,22 @@
 name: update-flake-lock
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"
 jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@main
        with:
          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
          pr-title: "Update flake.lock"
          pr-labels: |
            dependencies
            automated
--- a/.gitignore
+++ b/.gitignore
@@ -162,4 +162,6 @@ cython_debug/
 #.idea/
 test.*
-secrets.*
+
 # syncthing
 .stfolder
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
 keys:
  - &admin_richie age1u8zj599elqqvcmhxn8zuwrufsz8w8w366d3ayrljjejljt2q45kq8mxw9c
  - &system_bob age1q47vup0tjhulkg7d6xwmdsgrw64h4ax3la3evzqpxyy4adsmk9fs56qz3y
  - &system_jeeves age13lmqgc3jvkyah5e3vcwmj4s5wsc2akctcga0lpc0x8v8du3fxprqp4ldkv
  - &system_router age1xzxryqq63x65yuza9lmmkud7crjjxpnkdew070yhx6xn7xe4tdws5twxsv
  - &system_rhapsody age1ufnewppysaq2wwcl4ugngjz8pfzc5a35yg7luq0qmuqvctajcycs5lf6k4
 creation_rules:
  - path_regex: users/secrets\.yaml$
    key_groups:
      - age:
          - *admin_richie
          - *system_bob
          - *system_jeeves
          - *system_router
          - *system_rhapsody
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -6,7 +6,9 @@
    "advplyr",
    "ahci",
    "aioesphomeapi",
    "aiounifi",
    "alsa",
    "apiclient",
    "archlinux",
    "ashift",
    "asrouter",
@@ -16,8 +18,11 @@
    "audiobookshelf",
    "auditd",
    "autofetch",
    "autologin",
    "automations",
    "autopull",
    "autotrim",
    "autoupdate",
    "azuretools",
    "bantime",
    "bazarr",
@@ -81,6 +86,8 @@
    "globalprivacycontrol",
    "gparted",
    "gtts",
    "gutenprint",
    "hass",
    "healthreport",
    "Heatsink",
    "hediet",
@@ -89,6 +96,7 @@
    "hmac",
    "homeassistant",
    "HPKP",
    "hplip",
    "htmlaboutaddons",
    "hurlenko",
    "hwloc",
@@ -97,6 +105,7 @@
    "ioit",
    "iperf",
    "isal",
    "jellyfin",
    "jnoortheen",
    "jsbc",
    "kagi",
@@ -107,6 +116,7 @@
    "libsodium",
    "libssh",
    "libvirtd",
    "llms",
    "localtime",
    "louislam",
    "lsnew",
@@ -125,7 +135,6 @@
    "mountpoints",
    "mousewheel",
    "mtxr",
    "muninn",
    "ncdu",
    "nemo",
    "neofetch",
@@ -158,7 +167,6 @@
    "peerconnection",
    "PESKYFOX",
    "PGID",
    "photoprism",
    "pipewire",
    "pkgs",
    "plugdev",
@@ -175,8 +183,10 @@
    "PUID",
    "pulseaudio",
    "punycode",
    "pychromecast",
    "pylance",
    "pymetno",
    "pyownet",
    "qbit",
    "qbittorrent",
    "qbittorrentvpn",
@@ -184,12 +194,14 @@
    "quicksuggest",
    "radarr",
    "readahead",
    "receiveencrypted",
    "Redistributable",
    "referer",
    "REFERERS",
    "relatime",
    "Rhosts",
    "ripgrep",
    "rokuecp",
    "routable",
    "rspace",
    "rtkit",
@@ -211,6 +223,7 @@
    "sponsorblock",
    "sqltools",
    "ssdp",
    "SSHOPTS",
    "stdenv",
    "subresource",
    "substituters",
@@ -228,6 +241,7 @@
    "twimg",
    "uaccess",
    "ublock",
    "uiprotect",
    "uitour",
    "unrar",
    "unsubmitted",
@@ -235,6 +249,7 @@
    "urlclassifier",
    "usbhid",
    "usbutils",
    "useragent",
    "usernamehw",
    "userprefs",
    "vfat",
--- a/common/global/default.nix
+++ b/common/global/default.nix
@@ -2,12 +2,13 @@
  inputs,
  lib,
  outputs,
  pkgs,
  ...
 }:
 {
  imports = [
    inputs.home-manager.nixosModules.home-manager
-    ./docker.nix
+    inputs.sops-nix.nixosModules.sops
    ./fail2ban.nix
    ./fonts.nix
    ./libs.nix
@@ -19,7 +20,11 @@
    ./snapshot_manager.nix
  ];
-  boot.tmp.useTmpfs = true;
+  boot = {
    tmp.useTmpfs = true;
    kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
    zfs.package = lib.mkDefault pkgs.zfs_2_3;
  };
  hardware.enableRedistributableFirmware = true;
@@ -27,22 +32,31 @@
    useGlobalPkgs = true;
    useUserPackages = true;
    extraSpecialArgs = {inherit inputs outputs;};
    backupFileExtension = "backup";
  };
  nixpkgs = {
    overlays = builtins.attrValues outputs.overlays;
-    config = {
+    config.allowUnfree = true;
      allowUnfree = true;
    };
  };
-  services.fwupd.enable = true;
+  services = {
    # firmware update
    fwupd.enable = true;
    snapshot_manager.enable = lib.mkDefault true;
    zfs = {
      trim.enable = lib.mkDefault true;
      autoScrub.enable = lib.mkDefault true;
    };
  };
  programs.zsh.enable = true;
  security.auditd.enable = lib.mkDefault true;
-  users.mutableUsers = lib.mkDefault true;
+  users.mutableUsers = lib.mkDefault false;
  zramSwap = {
    enable = lib.mkDefault true;
--- a/common/global/fonts.nix
+++ b/common/global/fonts.nix
@@ -4,7 +4,9 @@
    fontconfig.enable = true;
    enableDefaultPackages = true;
    packages = with pkgs; [
-      nerdfonts
+      nerd-fonts.roboto-mono
      nerd-fonts.intone-mono
      nerd-fonts.symbols-only
    ];
  };
 }
--- a/common/global/nix.nix
+++ b/common/global/nix.nix
@@ -11,6 +11,21 @@ in {
        "root"
        "@wheel"
      ];
      trusted-substituters = [
        "https://cache.nixos.org"
        "https://cache.tmmworkshop.com"
        "https://nix-community.cachix.org"
      ];
      substituters = [
        "https://cache.nixos.org/?priority=2&want-mass-query=true"
        "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true"
        "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
      auto-optimise-store = lib.mkDefault true;
      experimental-features = [
        "nix-command"
--- a/common/global/programs.nix
+++ b/common/global/programs.nix
@@ -2,6 +2,6 @@
 {
  environment.systemPackages = with pkgs; [
    git
-    python312
+    python313
  ];
 }
--- a/common/global/snapshot_config.toml
+++ b/common/global/snapshot_config.toml
@@ -6,8 +6,8 @@ monthly = 0
 ["root_pool/home"]
 15_min = 8
-hourly = 24
+hourly = 12
-daily = 14
+daily = 1
 monthly = 0
 ["root_pool/root"]
--- a/common/optional/desktop.nix
+++ b/common/optional/desktop.nix
@@ -1,11 +1,26 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 {
  boot = {
-    kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
+    kernelPackages = pkgs.linuxPackages_6_12;
-    zfs.package = pkgs.zfs_unstable;
+    zfs.package = pkgs.zfs_2_3;
  };
  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
  };
  # rtkit is optional but recommended for pipewire
  security.rtkit.enable = true;
  services = {
    displayManager.sddm = {
      enable = true;
      wayland.enable = true;
    };
    desktopManager.plasma6.enable = true;
    xserver = {
      enable = true;
      xkb = {
@@ -13,5 +28,15 @@
        variant = "";
      };
    };
    pulseaudio.enable = false;
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      wireplumber.enable = true;
    };
  };
 }
--- a/common/optional/docker.nix
+++ b/common/optional/docker.nix
--- a/common/optional/printing.nix
+++ b/common/optional/printing.nix
@@ -0,0 +1,7 @@
 { pkgs, ... }:
 {
  services.printing = {
    enable = true;
    drivers = with pkgs; [ gutenprint hplip ];
  };
 }
--- a/common/optional/steam.nix
+++ b/common/optional/steam.nix
@@ -10,8 +10,13 @@
      gamescopeSession.enable = true;
      remotePlay.openFirewall = true;
      localNetworkGameTransfers.openFirewall = true;
      protontricks.enable = true;
      extraCompatPackages = with pkgs; [proton-ge-bin];
      extest.enable = true;
    };
    gamescope = {
      enable = true;
      capSysNice = true;
    };
  };
 }
--- a/common/optional/syncthing_base.nix
+++ b/common/optional/syncthing_base.nix
@@ -6,8 +6,7 @@
    overrideFolders = true;
    dataDir = "/home/richie/Syncthing";
    configDir = "/home/richie/.config/syncthing";
-    settings = {
+    settings.devices = {
      devices = {
      phone.id = "LTGPLAE-M4ZDJTM-TZ3DJGY-SLLAVWF-CQDVEVS-RGCS75T-GAPZYK3-KUM6LA5"; # cspell:disable-line
      jeeves.id = "ICRHXZW-ECYJCUZ-I4CZ64R-3XRK7CG-LL2HAAK-FGOHD22-BQA4AI6-5OAL6AG"; # cspell:disable-line
      ipad.id = "KI76T3X-SFUGV2L-VSNYTKR-TSIUV5L-SHWD3HE-GQRGRCN-GY4UFMD-CW6Z6AX"; # cspell:disable-line
@@ -15,5 +14,4 @@
      rhapsody-in-green.id = "ASL3KC4-3XEN6PA-7BQBRKE-A7JXLI6-DJT43BY-Q4WPOER-7UALUAZ-VTPQ6Q4"; # cspell:disable-line
    };
  };
  };
 }
--- a/common/optional/update.nix
+++ b/common/optional/update.nix
@@ -1,19 +1,9 @@
 { lib, ... }:
 {
  services.autopull = {
    enable = lib.mkDefault true;
    repo.dotfiles = {
      enable = lib.mkDefault true;
      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
      path = lib.mkDefault /root/dotfiles;
    };
  };
  system.autoUpgrade = {
-    enable = lib.mkDefault true;
+    enable = true;
    flags = [ "--accept-flake-config" ];
    randomizedDelaySec = "1h";
    persistent = true;
-    flake = "github:RAD-Development/nix-dotfiles";
+    flake = "github:RichieCahill/dotfiles";
  };
 }
--- a/common/optional/zerotier.nix
+++ b/common/optional/zerotier.nix
@@ -3,4 +3,9 @@
    enable = true;
    joinNetworks = [ "e4da7455b2ae64ca" ];
  };
  nix.settings = {
    trusted-substituters = [ "http://192.168.90.40:5000" ];
    substituters = [ "http://192.168.90.40:5000/?priority=1&want-mass-query=true" ];
    trusted-public-keys = [ "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA=" ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1731643390,
+        "lastModified": 1738382607,
-        "narHash": "sha256-ckIrZY5i+b7UrxolO54pSRO9dKW7GnMYQ1uQLeWEBsU=",
+        "narHash": "sha256-ppR81tMrcQk/wHm8MmKtp3mrtYmMTgF2lxLLXYwRsOM=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "f0fa120121e9ea5c16c7b2c578fbebe37fbcab55",
+        "rev": "dc86c8feffa328d9050e039a1286e175af6d76d8",
        "type": "gitlab"
      },
      "original": {
@@ -59,11 +59,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -79,11 +79,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731604581,
+        "lastModified": 1738415006,
-        "narHash": "sha256-Qq2YZZaDTB3FZLWU/Hgh1uuWlUBl3cMLGB99bm7rFUM=",
+        "narHash": "sha256-ZlLTnqIQQ8OE6AtT+fluB642j2R9tnvxHHtpnmLjSxQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "1d0862ee2d7c6f6cd720d6f32213fa425004be10",
+        "rev": "8544cd092047a7e92d0dce011108a563de7fc0f2",
        "type": "github"
      },
      "original": {
@@ -101,11 +101,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1703863825,
+        "lastModified": 1729742964,
-        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
        "owner": "nix-community",
        "repo": "nix-github-actions",
-        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
        "type": "github"
      },
      "original": {
@@ -120,15 +120,14 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "nixpkgs-stable": "nixpkgs-stable",
+        "nixpkgs-stable": "nixpkgs-stable"
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1731712317,
+        "lastModified": 1738343111,
-        "narHash": "sha256-NpkSAwLFTFRZx+C2yL0JCBnjnZQRs8PsWRqZ0S08Bc8=",
+        "narHash": "sha256-y9st4Y0p5ry+6QdlIGeqxAA6rbEIOO1uXdAc5jxV2Bc=",
        "owner": "lilyinstarlight",
        "repo": "nixos-cosmic",
-        "rev": "0b0e62252fb3b4e6b0a763190413513be499c026",
+        "rev": "51b9cce097da369550f45ac07879274dc8be81e4",
        "type": "github"
      },
      "original": {
@@ -139,11 +138,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1731403644,
+        "lastModified": 1738391520,
-        "narHash": "sha256-T9V7CTucjRZ4Qc6pUEV/kpgNGzQbHWfGcfK6JJLfUeI=",
+        "narHash": "sha256-6HI58PKjddsC0RA0gBQlt6ox47oH//jLUHwx05RO8g0=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "f6581f1c3b137086e42a08a906bdada63045f991",
+        "rev": "34b64e4e1ddb14e3ffc7db8d4a781396dbbab773",
        "type": "github"
      },
      "original": {
@@ -155,11 +154,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1731319897,
+        "lastModified": 1738142207,
-        "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=",
+        "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "dc460ec76cbff0e66e269457d7b728432263166c",
+        "rev": "9d3ae807ebd2981d593cddd0080856873139aa40",
        "type": "github"
      },
      "original": {
@@ -171,11 +170,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1731716707,
+        "lastModified": 1738422722,
-        "narHash": "sha256-ykrD4v5e/i2eweFAnamAXXkk/jzhNNwPiDc9yu4MbZs=",
+        "narHash": "sha256-Q4vhtbLYWBUnjWD4iQb003Lt+N5PuURDad1BngGKdUs=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3af4d5583961833ab0439b64626190951839c0bc",
+        "rev": "102a39bfee444533e6b4e8611d7e92aa39b7bec1",
        "type": "github"
      },
      "original": {
@@ -187,27 +186,27 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1731386116,
+        "lastModified": 1738163270,
-        "narHash": "sha256-lKA770aUmjPHdTaJWnP3yQ9OI1TigenUqVC3wweqZuI=",
+        "narHash": "sha256-B/7Y1v4y+msFFBW1JAdFjNvVthvNdJKiN6EGRPnqfno=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "689fed12a013f56d4c4d3f612489634267d86529",
+        "rev": "59e618d90c065f55ae48446f307e8c09565d5ab0",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1731386116,
+        "lastModified": 1735563628,
-        "narHash": "sha256-lKA770aUmjPHdTaJWnP3yQ9OI1TigenUqVC3wweqZuI=",
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "689fed12a013f56d4c4d3f612489634267d86529",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
        "type": "github"
      },
      "original": {
@@ -232,11 +231,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1723343306,
+        "lastModified": 1736884309,
-        "narHash": "sha256-/6sRkPq7/5weX2y0V8sQ29Sz35nt8kyj+BsFtkhgbJE=",
+        "narHash": "sha256-eiCqmKl0BIRiYk5/ZhZozwn4/7Km9CWTbc15Cv+VX5k=",
        "owner": "nix-community",
        "repo": "poetry2nix",
-        "rev": "4a1c112ff0c67f496573dc345bd0b2247818fc29",
+        "rev": "75d0515332b7ca269f6d7abfd2c44c47a7cbca7b",
        "type": "github"
      },
      "original": {
@@ -254,28 +253,28 @@
        "nixpkgs": "nixpkgs",
        "nixpkgs-master": "nixpkgs-master",
        "nixpkgs-stable": "nixpkgs-stable_2",
        "sops-nix": "sops-nix",
        "system_tools": "system_tools",
        "systems": "systems_3"
      }
    },
-    "rust-overlay": {
+    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixos-cosmic",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1731551344,
+        "lastModified": 1738291974,
-        "narHash": "sha256-wr8OOqgw7M1pWfe4W7WA5lErzOVMg3zvrrxx/dy/nPo=",
+        "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
-        "owner": "oxalica",
+        "owner": "Mic92",
-        "repo": "rust-overlay",
+        "repo": "sops-nix",
-        "rev": "27570abfd3461875f11fc07c9b01c141a6332b4f",
+        "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
        "type": "github"
      },
      "original": {
-        "owner": "oxalica",
+        "owner": "Mic92",
-        "repo": "rust-overlay",
+        "repo": "sops-nix",
        "type": "github"
      }
    },
@@ -288,11 +287,11 @@
        "poetry2nix": "poetry2nix"
      },
      "locked": {
-        "lastModified": 1729617389,
+        "lastModified": 1738431375,
-        "narHash": "sha256-Q05Nhw84FprGiuQHd1ahOhKKIbxzp1rpeCqddjXUSVM=",
+        "narHash": "sha256-jk6JrgqNe0dEPxV2xX/pBVsrPDfWaa033LKcyERkHJw=",
        "owner": "RichieCahill",
        "repo": "system_tools",
-        "rev": "2a2aa711fcf67ed5e4db484e507a4a511b9b4230",
+        "rev": "36764189680c9be26192ee94da1a3f33f890ff0d",
        "type": "github"
      },
      "original": {
@@ -326,8 +325,9 @@
        "type": "github"
      },
      "original": {
-        "id": "systems",
+        "owner": "nix-systems",
-        "type": "indirect"
+        "repo": "default",
        "type": "github"
      }
    },
    "systems_3": {
@@ -354,11 +354,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1719749022,
+        "lastModified": 1730120726,
-        "narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
+        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
+        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -3,8 +3,8 @@
  nixConfig = {
    extra-substituters = [
-      "https://cache.nixos.org/?priority=1&want-mass-query=true"
+      "https://cache.nixos.org/?priority=2&want-mass-query=true"
-      "https://cache.tmmworkshop.com/?priority=1&want-mass-query=true"
+      "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true"
      "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
    ];
    extra-trusted-public-keys = [
@@ -42,6 +42,11 @@
      url = "github:lilyinstarlight/nixos-cosmic";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = {
@@ -50,6 +55,7 @@
    home-manager,
    systems,
    nixos-cosmic,
    sops-nix,
    ...
  } @ inputs: let
    inherit (self) outputs;
@@ -71,19 +77,21 @@
    nixosConfigurations = {
      bob = lib.nixosSystem {
-        modules = [./systems/bob];
+        modules = [
          ./systems/bob
        ];
        specialArgs = {inherit inputs outputs;};
      };
      jeeves = lib.nixosSystem {
-        modules = [./systems/jeeves];
+        modules = [
          ./systems/jeeves
        ];
        specialArgs = {inherit inputs outputs;};
      };
      rhapsody-in-green = lib.nixosSystem {
-        modules = [./systems/rhapsody-in-green];
+        modules = [
-        specialArgs = {inherit inputs outputs;};
+          ./systems/rhapsody-in-green
-      };
+        ];
      muninn = lib.nixosSystem {
        modules = [./systems/muninn];
        specialArgs = {inherit inputs outputs;};
      };
    };
--- a/systems/bob/default.nix
+++ b/systems/bob/default.nix
@@ -1,17 +1,22 @@
 {
  imports = [
    ../../users/richie
    ../../users/gaming
    ../../common/global
    ../../common/optional/desktop.nix
    ../../common/optional/docker.nix
    ../../common/optional/scanner.nix
    ../../common/optional/steam.nix
    ../../common/optional/syncthing_base.nix
    ../../common/optional/systemd-boot.nix
-    ../../common/optional/zerotier.nix
+    ../../common/optional/update.nix
    ../../common/optional/yubikey.nix
    ../../common/optional/zerotier.nix
    ./hardware.nix
    ./nvidia.nix
    ./syncthing.nix
    ./games.nix
    ./llms.nix
  ];
  networking = {
@@ -21,37 +26,17 @@
    networkmanager.enable = true;
  };
  hardware = {
    pulseaudio.enable = false;
    bluetooth = {
      enable = true;
      powerOnBoot = true;
    };
  };
  security.rtkit.enable = true;
  services = {
-
+    displayManager = {
-    displayManager.sddm.enable = true;
+      enable = true;
      autoLogin = {
        user = "gaming";
        enable = true;
      };
      defaultSession = "plasma";
    };
    openssh.ports = [ 262 ];
    printing.enable = true;
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };
    snapshot_manager.enable = true;
    zfs = {
      trim.enable = true;
      autoScrub.enable = true;
    };
  };
  system.stateVersion = "24.05";
--- a/systems/bob/games.nix
+++ b/systems/bob/games.nix
@@ -0,0 +1,7 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    osu-lazer-bin
    jellyfin-media-player
  ];
 }
--- a/systems/bob/hardware.nix
+++ b/systems/bob/hardware.nix
@@ -26,6 +26,8 @@
        device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2";
        bypassWorkqueues = true;
        allowDiscards = true;
        keyFileSize = 4096;
        keyFile = "/dev/disk/by-id/usb-Samsung_Flash_Drive_FIT_0374620080067131-0:0";
      };
    };
    kernelModules = [ "kvm-amd" ];
--- a/systems/bob/llms.nix
+++ b/systems/bob/llms.nix
@@ -0,0 +1,24 @@
 {
  services = {
    ollama = {
      enable = true;
      loadModels = [ 
        "codellama:7b"
        "deepseek-r1:1.5b"
        "deepseek-r1:7b"
        "deepseek-r1:8b"
        "deepseek-r1:14b"
        "deepseek-r1:32b"
        "llama3.2:3b"
        "mistral-nemo:12b"
      ];
      acceleration = "cuda";
      openFirewall = true;
    };
    open-webui = {
      enable = true;
      openFirewall = true;
      host = "192.168.90.25";
    }; 
  }; 
 }
--- a/systems/bob/nvidia.nix
+++ b/systems/bob/nvidia.nix
@@ -5,8 +5,9 @@
    nvidia = {
      modesetting.enable = true;
      powerManagement.enable = true;
-      package = config.boot.kernelPackages.nvidiaPackages.production;
+      package = config.boot.kernelPackages.nvidiaPackages.beta;
      nvidiaSettings = true;
      open = true;
    };
    nvidia-container-toolkit.enable = true;
  };
--- a/systems/bob/syncthing.nix
+++ b/systems/bob/syncthing.nix
@@ -1,8 +1,7 @@
 {    
  services.syncthing.settings.folders = {
-    "notes" = {
+    "dotfiles" = {
-      id = "l62ul-lpweo"; # cspell:disable-line
+      path = "/home/richie/dotfiles";
      path = "/home/richie/notes";
      devices = [
        "jeeves"
        "rhapsody-in-green"
@@ -30,29 +29,5 @@
      ];
      fsWatcherEnabled = true;
    };
    "projects" = {
      id = "vyma6-lqqrz"; # cspell:disable-line
      path = "/home/richie/projects";
      devices = [
        "jeeves"
        "rhapsody-in-green"
      ];
      fsWatcherEnabled = true;
    };
    "temp" = {
      id = "bob_temp";
      path = "/home/richie/temp";
      devices = [
        "jeeves"
      ];
      fsWatcherEnabled = true;
    };
    "vault" = {
      path = "/home/richie/vault";
      devices = [
        "rhapsody-in-green"
      ];
      fsWatcherEnabled = true;
    };
  };
 }
--- a/systems/jeeves/arch_mirror.nix
+++ b/systems/jeeves/arch_mirror.nix
@@ -1,39 +0,0 @@
 { inputs, pkgs, ... }:
 let
  vars = import ./vars.nix;
 in
 {
  users = {
    users.arch-mirror = {
      isSystemUser = true;
      group = "arch-mirror";
    };
    groups.arch-mirror = {};
  };
  virtualisation.oci-containers.containers.arch_mirror = {
    image = "ubuntu/apache2:latest";
    volumes = [
      "${../../common/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
      "${vars.media_mirror}:/data"
    ];
    ports = [ "800:80" ];
    extraOptions = [ "--network=web" ];
    autoStart = true;
  };
  systemd.services.sync_mirror = {
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    description = "validates startup";
    path = [ pkgs.rsync ];
    serviceConfig = {
      Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
      Type = "simple";
      User = "arch-mirror";
      Group = "arch-mirror";
      ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/sync_mirror";
    };
  };
 }
--- a/systems/jeeves/default.nix
+++ b/systems/jeeves/default.nix
@@ -1,20 +1,17 @@
 let
  vars = import ./vars.nix;
 in
 {
  imports = [
    ../../users/richie
    ../../common/global
    ../../common/optional/docker.nix
    ../../common/optional/ssh_decrypt.nix
    ../../common/optional/syncthing_base.nix
    ../../common/optional/zerotier.nix
    ./arch_mirror.nix
    ./docker
    ./services
    ./hardware.nix
    ./home_assistant.nix
    ./networking.nix
    ./programs.nix
-    ./services.nix
+    ./runners
    ./syncthing.nix
  ];
@@ -27,31 +24,9 @@ in
  services = {
    openssh.ports = [ 629 ];
    nix-serve = {
      enable = true;
      secretKeyFile = "${vars.storage_secrets}/services/nix-cache/cache-priv-key.pem";
      openFirewall = true;
    };
    plex = {
      enable = true;
      dataDir = vars.media_plex;
      openFirewall = true;
    };
    smartd.enable = true;
-    snapshot_manager = {
+    snapshot_manager.path = ./snapshot_config.toml;
      enable = true;
      path = ./snapshot_config.toml;
    };
    sysstat.enable = true;
    zfs = {
      trim.enable = true;
      autoScrub.enable = true;
    };
  };
  system.stateVersion = "24.05";
--- a/systems/jeeves/docker/audiobookshelf.nix
+++ b/systems/jeeves/docker/audiobookshelf.nix
@@ -1,19 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers.audiobookshelf = {
    image = "ghcr.io/advplyr/audiobookshelf:latest";
    volumes = [
      "${vars.media_docker_configs}/audiobookshelf:/config"
      "${vars.media_docker_configs}/audiobookshelf:/metadata"
      "${vars.storage_library}/audiobooks:/audiobooks"
      "${vars.storage_library}/books:/books"
    ];
    environment = {
      TZ = "America/New_York";
    };
    extraOptions = [ "--network=web" ];
    autoStart = true;
  };
 }
--- a/systems/jeeves/docker/filebrowser.nix
+++ b/systems/jeeves/docker/filebrowser.nix
@@ -1,15 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers.filebrowser = {
    image = "hurlenko/filebrowser:latest";
    extraOptions = [ "--network=web" ];
    volumes = [
      "/zfs:/data"
      "${vars.media_docker_configs}/filebrowser:/config"
    ];
    autoStart = true;
    user = "1000:users";
  };
 }
--- a/systems/jeeves/docker/grafana.nix
+++ b/systems/jeeves/docker/grafana.nix
@@ -1,12 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers.grafana = {
    image = "grafana/grafana-enterprise:latest";
    volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
    user = "600:600";
    extraOptions = [ "--network=web" ];
    autoStart = true;
  };
 }
--- a/systems/jeeves/docker/photoprism.nix
+++ b/systems/jeeves/docker/photoprism.nix
@@ -1,53 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers.photoprism = {
    image = "photoprism/photoprism:latest";
    volumes = [ 
      "${vars.media_docker_configs}/photoprism:/photoprism/storage"
      "${vars.storage_photos}/originals:/photoprism/originals"
      "${vars.storage_photos}/import:/photoprism/import"
    ];
    environment = {
      PHOTOPRISM_ADMIN_USER="admin";
      PHOTOPRISM_AUTH_MODE="password";
      PHOTOPRISM_DISABLE_TLS="false";
      PHOTOPRISM_DEFAULT_TLS="true";
      PHOTOPRISM_ORIGINALS_LIMIT="30000";
      PHOTOPRISM_HTTP_COMPRESSION="gzip";
      PHOTOPRISM_LOG_LEVEL="info";
      PHOTOPRISM_READONLY="false";
      PHOTOPRISM_EXPERIMENTAL="false";
      PHOTOPRISM_DISABLE_CHOWN="false";
      PHOTOPRISM_DISABLE_WEBDAV="false";
      PHOTOPRISM_DISABLE_SETTINGS="false";
      PHOTOPRISM_DISABLE_TENSORFLOW="false";
      PHOTOPRISM_DISABLE_FACES="false";
      PHOTOPRISM_DISABLE_CLASSIFICATION="false";
      PHOTOPRISM_DISABLE_VECTORS="false";
      PHOTOPRISM_DISABLE_RAW="false";
      PHOTOPRISM_RAW_PRESETS="false";
      PHOTOPRISM_SIDECAR_YAML="true";
      PHOTOPRISM_BACKUP_ALBUMS="true";
      PHOTOPRISM_BACKUP_DATABASE="true";
      PHOTOPRISM_BACKUP_SCHEDULE="daily";
      PHOTOPRISM_INDEX_SCHEDULE="";
      PHOTOPRISM_AUTO_INDEX="300";
      PHOTOPRISM_AUTO_IMPORT= "-1";
      PHOTOPRISM_DETECT_NSFW="false";
      PHOTOPRISM_UPLOAD_NSFW="true";
      PHOTOPRISM_DATABASE_DRIVER="sqlite";
      PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App";
      PHOTOPRISM_SITE_DESCRIPTION="";
      PHOTOPRISM_SITE_AUTHOR="";
      PHOTOPRISM_UID="600";
      PHOTOPRISM_GID="600";
      # PHOTOPRISM_UMASK: 0000
    };
    environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
    autoStart = true;
    extraOptions = [ "--network=web" ];
  };
 }
--- a/systems/jeeves/docker/postgresql.nix
+++ b/systems/jeeves/docker/postgresql.nix
@@ -1,32 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  users = {
    users.postgres = {
      isSystemUser = true;
      group = "postgres";
      uid = 999;
    };
    groups.postgres = {
      gid = 999;
    };
  };
  # virtualisation.oci-containers.containers = {
  #   postgres = {
  #     image = "postgres:16";
  #     ports = [ "5432:5432" ];
  #     volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
  #     environment = {
  #       POSTGRES_USER = "admin";
  #       POSTGRES_DB = "archive";
  #       POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
  #     };
  #     environmentFiles = [/root/secrets/docker/postgres];
  #     autoStart = true;
  #     user = "postgres:postgres";
  #   };
  # };
 }
--- a/systems/jeeves/docker/prowlarr.nix
+++ b/systems/jeeves/docker/prowlarr.nix
@@ -1,17 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  networking.firewall.allowedTCPPorts = [ 9696 ];
  virtualisation.oci-containers.containers.prowlarr = {
    image = "ghcr.io/linuxserver/prowlarr:latest";
    ports = [ "9696:9696" ];
    environment = {
      PUID = "600";
      PGID = "100";
      TZ = "America/New_York";
    };
    volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
    autoStart = true;
  };
 }
--- a/systems/jeeves/docker/qbit.nix
+++ b/systems/jeeves/docker/qbit.nix
@@ -4,10 +4,10 @@ in
 {
  networking.firewall = {
    allowedTCPPorts = [ 6881 8082 29432 ]; 
-    allowedUDPPorts = [ 6881 ];
+    allowedUDPPorts = [ 6881 29432 ];
  };
  virtualisation.oci-containers.containers.qbit = {
-    image = "ghcr.io/linuxserver/qbittorrent:latest";
+    image = "ghcr.io/linuxserver/qbittorrent:5.0.2";
    ports = [
      "6881:6881"
      "6881:6881/udp"
--- a/systems/jeeves/docker/qbitvpn.nix
+++ b/systems/jeeves/docker/qbitvpn.nix
@@ -7,7 +7,8 @@ in
    allowedUDPPorts = [ 6882 ];
  };
  virtualisation.oci-containers.containers.qbitvpn = {
-    image = "binhex/arch-qbittorrentvpn:latest";
+    image = "binhex/arch-qbittorrentvpn:5.0.3-1-01";
    devices = [ "/dev/net/tun:/dev/net/tun" ];
    extraOptions = [ "--cap-add=NET_ADMIN" ];
    ports = [
      "6882:6881"
--- a/systems/jeeves/docker/reverse_proxy.nix
+++ b/systems/jeeves/docker/reverse_proxy.nix
@@ -1,40 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers = {
    haproxy = {
      image = "haproxy:latest";
      user = "600:600";
      environment = {
        TZ = "Etc/EST";
      };
      volumes = [
        "${vars.storage_secrets}/docker/cloudflare.pem:/etc/ssl/certs/cloudflare.pem"
        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
      ];
      dependsOn = [
        "arch_mirror"
        "audiobookshelf"
        "filebrowser"
        "grafana"
        "photoprism"
        "uptime_kuma"
      ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
    cloud_flare_tunnel = {
      image = "cloudflare/cloudflared:latest";
      user = "600:600";
      cmd = [
        "tunnel"
        "run"
      ];
      environmentFiles = ["${vars.storage_secrets}/docker/cloud_flare_tunnel"];
      dependsOn = [ "haproxy" ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
  };
 }
--- a/systems/jeeves/docker/share.nix
+++ b/systems/jeeves/docker/share.nix
@@ -0,0 +1,15 @@
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers.share = {
    image = "ubuntu/apache2:2.4-22.04_beta";
    ports = [ "8091:80" ];
    volumes = [
      "${../../../common/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
      "${vars.media_share}:/data"
    ];
    extraOptions = [ "--network=web" ];
    autoStart = true;
  };
 }
--- a/systems/jeeves/docker/sonarr.nix
+++ b/systems/jeeves/docker/sonarr.nix
@@ -1,21 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  networking.firewall.allowedTCPPorts = [ 9696 8989 ];
  virtualisation.oci-containers.containers.sonarr = {
    image = "ghcr.io/linuxserver/sonarr:latest";
    ports = [ "8989:8989" ];
    environment = {
      PUID = "600";
      PGID = "100";
      TZ = "America/New_York";
    };
    volumes = [
      "${vars.media_docker_configs}/sonarr:/config"
      "${vars.storage_plex}/tv:/tv"
      "${vars.torrenting_qbitvpn}:/data"
    ];
    autoStart = true;
  };
 }
--- a/systems/jeeves/docker/uptime_kuma.nix
+++ b/systems/jeeves/docker/uptime_kuma.nix
@@ -4,7 +4,8 @@ in
 {
  virtualisation.oci-containers.containers = {
    uptime_kuma = {
-      image = "louislam/uptime-kuma:latest";
+      ports = [ "3001:3001" ];
      image = "louislam/uptime-kuma:1.23.16-debian";
      volumes = [
        "${vars.media_docker_configs}/uptime_kuma:/app/data"
        "/var/run/docker.sock:/var/run/docker.sock"
--- a/systems/jeeves/home_assistant.nix
+++ b/systems/jeeves/home_assistant.nix
@@ -1,49 +0,0 @@
 {
  services.home-assistant = {
    enable = true;
    openFirewall = true;
    config = {
      http = {
        server_port = 8123;
        server_host = [
          "192.168.95.14"
          "192.168.90.40"
          "192.168.98.4"
        ];
        use_x_forwarded_for = true;
        trusted_proxies = "172.100.0.4";
      };
      homeassistant = {
        time_zone = "America/New_York";
        unit_system = "imperial";
        temperature_unit = "F";
      };
      assist_pipeline = { };
      backup = { };
      bluetooth = { };
      config = { };
      dhcp = { };
      energy = { };
      history = { };
      homeassistant_alerts = { };
      image_upload = { };
      logbook = { };
      media_source = { };
      mobile_app = { };
      ssdp = { };
      sun = { };
      webhook = { };
      zeroconf = { };
    };
    extraPackages =
      python3Packages: with python3Packages; [
        psycopg2
        gtts
        aioesphomeapi
        esphome-dashboard-api
        bleak-esphome
        pymetno
      ];
    extraComponents = [ "isal" ];
  };
 }
--- a/systems/jeeves/networking.nix
+++ b/systems/jeeves/networking.nix
@@ -18,13 +18,21 @@
        };
        vlanConfig.Id = 20;
      };
      "21-internal-ioit-vlan" = {
        netdevConfig = {
          Kind = "vlan";
          Name = "internal-ioit-vlan";
        };
        vlanConfig.Id = 21;
      };
    };
    networks = {
      "10-1GB_Primary" = {
        matchConfig.Name = "enp98s0f0";
-        DHCP = "yes";
+        address = [ "192.168.95.14/24" ];
-        vlan = [ "ioit-vlan" ];
+        routes = [{ Gateway = "192.168.95.1"; }];
        vlan = [ "ioit-vlan" "internal-ioit-vlan" ];
        linkConfig.RequiredForOnline = "routable";
      };
      "10-1GB_Secondary" = {
@@ -44,6 +52,10 @@
        matchConfig.Name = "ioit-vlan";
        DHCP = "yes";
      };
      "41-internal-ioit-vlan" = {
        matchConfig.Name = "internal-ioit-vlan";
        DHCP = "yes";
      };
    };
  };
--- a/systems/jeeves/runners/default.nix
+++ b/systems/jeeves/runners/default.nix
@@ -0,0 +1,27 @@
 { pkgs, ... }:
 {
  imports = [ ./nix_builder.nix ];
  users = {
    users.github-runners = {
      shell = pkgs.bash;
      isSystemUser = true;
      group = "github-runners";
      uid = 601;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/S8i+BNX/12JNKg+5EKGX7Aqimt5KM+ve3wt/SyWuO github-runners" # cspell:disable-line
      ];
    };
    groups.github-runners.gid = 601;
  };
  services.nix_builder.containers = {
    nix-builder-0.enable = true;
    nix-builder-1.enable = true;
    nix-builder-2.enable = true;
    nix-builder-3.enable = true;
    nix-builder-4.enable = true;
    nix-builder-5.enable = true;
  };
 }
--- a/systems/jeeves/runners/nix_builder.nix
+++ b/systems/jeeves/runners/nix_builder.nix
@@ -0,0 +1,83 @@
 { config, lib, ... }:
 with lib;
 let
  vars = import ../vars.nix;
 in
 {
  options.services.nix_builder.containers = mkOption {
    type = types.attrsOf (types.submodule ({ name, ... }: {
      options.enable = mkEnableOption "GitHub runner container";
    }));
    default = {};
    description = "GitHub runner container configurations";
  };
  config.containers = mapAttrs (name: cfg:
    mkIf cfg.enable {
      autoStart = true;
      bindMounts = {
        "/storage" = {
          mountPoint = "/zfs/media/github-runners/${name}";
          isReadOnly = false;
        };
        "/secrets".mountPoint = "${vars.storage_secrets}/services/github-runners/${name}";
        "ssh-keys".mountPoint = "${vars.storage_secrets}/services/github-runners/id_ed25519_github-runners";
      };
      config = { config, pkgs, lib, ... }: {
          nix.settings = {
            trusted-substituters = [
              "https://cache.nixos.org"
              "https://cache.tmmworkshop.com"
              "https://nix-community.cachix.org"
            ];
            substituters = [
              "https://cache.nixos.org/?priority=2&want-mass-query=true"
              "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true"
              "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
            ];
            trusted-public-keys = [
              "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
              "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA="
              "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
            ];
            experimental-features = [
              "flakes"
              "nix-command"
            ];
          };
          programs.ssh.extraConfig = ''
            Host jeeves
              Port 629
              User github-runners
              HostName 192.168.95.14
              IdentityFile ${vars.storage_secrets}/services/github-runners/id_ed25519_github-runners
              StrictHostKeyChecking no
              UserKnownHostsFile /dev/null
          '';
          services.github-runners.${name} = {
            enable = true;
            replace = true;
            workDir = "/zfs/media/github-runners/${name}";
            url = "https://github.com/RichieCahill/dotfiles";
            extraLabels = [ "nixos" ];
            tokenFile = "${vars.storage_secrets}/services/github-runners/${name}";
            user = "github-runners";
            group = "github-runners";
            extraPackages = with pkgs; [ nixos-rebuild openssh ];
          };
          users = {
            users.github-runners = {
              shell = pkgs.bash;
              isSystemUser = true;
              group = "github-runners";
              uid = 601;
            };
            groups.github-runners.gid = 601;
          };
          system.stateVersion = "24.11";
      };
    }
  ) config.services.nix_builder.containers;
 }
--- a/systems/jeeves/scripts/zfs.sh
+++ b/systems/jeeves/scripts/zfs.sh
@@ -18,11 +18,12 @@ sudo zpool add torrenting -o ashift=12 special
 # media datasets
 sudo zfs create -o compression=zstd-9 media/docker
 sudo zfs create -o recordsize=1M -o compression=zstd-19 media/library
-sudo zfs create -o exec=off media/minio
+sudo zfs create -o compression=zstd-9 -o sync=disabled media/github-runners
 sudo zfs create -o exec=off media/mirror
 sudo zfs create -o copies=3 media/notes
 sudo zfs create -o recordsize=16k -o primarycache=metadata -o mountpoint=/zfs/media/database/photoprism_mariadb media/photoprism_mariadb
 sudo zfs create -o compression=zstd-9 media/plex
 sudo zfs create -o compression=zstd-9 media/services
 sudo zfs create -o compression=zstd-19 media/home_assistant
 sudo zfs create -o exec=off media/share
 sudo zfs create -o recordsize=16k -o primarycache=metadata -o mountpoint=/zfs/media/database/postgres media/postgres
 # storage datasets
--- a/systems/jeeves/services/audiobookshelf.nix
+++ b/systems/jeeves/services/audiobookshelf.nix
@@ -0,0 +1,13 @@
 { lib, ... }:
 let
  vars = import ../vars.nix;
 in
 {
  services.audiobookshelf = {
    enable = true;
    openFirewall = true;
    host = "192.168.90.40";
  };
  systemd.services.audiobookshelf.serviceConfig.WorkingDirectory = lib.mkForce "${vars.media_docker_configs}/audiobookshelf";
  users.users.audiobookshelf.home = lib.mkForce "${vars.media_docker_configs}/audiobookshelf";
 }
--- a/systems/jeeves/services/cloud_flare_tunnel.nix
+++ b/systems/jeeves/services/cloud_flare_tunnel.nix
@@ -0,0 +1,18 @@
 { pkgs, ... }:
 let
  vars = import ../vars.nix;
 in
 {
  systemd.services.cloud_flare_tunnel = {
    description = "cloud_flare_tunnel proxy's traffic through cloudflare";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      EnvironmentFile = "${vars.storage_secrets}/docker/cloud_flare_tunnel";
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared --no-autoupdate tunnel run";
      Restart = "on-failure";
    };
  };
 }
--- a/systems/jeeves/services/default.nix
+++ b/systems/jeeves/services/default.nix
@@ -0,0 +1,9 @@
 { lib, ... }:
 {
  imports =
    let
      files = builtins.attrNames (builtins.readDir ./.);
      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
    in
    map (file: ./. + "/${file}") nixFiles;
 }
--- a/systems/jeeves/services/duckdns.nix
+++ b/systems/jeeves/services/duckdns.nix
@@ -0,0 +1,10 @@
 let
  vars = import ../vars.nix;
 in
 {
  services.duckdns = {
    enable = true;
    tokenFile = "${vars.storage_secrets}/services/duckdns/token";
    domainsFile = "${vars.storage_secrets}/services/duckdns/domains";
  };
 }
--- a/systems/jeeves/services/filebrowser.nix
+++ b/systems/jeeves/services/filebrowser.nix
@@ -0,0 +1,23 @@
 {
  pkgs,
  ...
 }:
 let
  vars = import ../vars.nix;
 in
 {
  networking.firewall.allowedTCPPorts = [ 8080 ];
  systemd.services.filebrowser = {
    description = "filebrowser";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      User = "richie";
      Group = "users";
      ExecStart = "${pkgs.filebrowser}/bin/filebrowser --root=/zfs --address=0.0.0.0 --database=${vars.media_docker_configs}/filebrowser/filebrowser.db";
      Restart = "on-failure";
    };
  };
 }
--- a/systems/jeeves/services/haproxy.cfg
+++ b/systems/jeeves/services/haproxy.cfg
@@ -22,50 +22,52 @@ defaults
 #Application Setup
 frontend ContentSwitching
  bind *:80
-  bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
+  bind *:443 ssl crt /zfs/storage/secrets/docker/cloudflare.pem
  mode  http
  # tmmworkshop.com
  acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
  acl host_cache  hdr(host) -i cache.tmmworkshop.com
  acl host_filebrowser  hdr(host) -i filebrowser.tmmworkshop.com
-  acl host_grafana  hdr(host) -i grafana.tmmworkshop.com
+  acl host_homeassistant  hdr(host) -i homeassistant.tmmworkshop.com
-  acl host_mirror   hdr(host) -i mirror.tmmworkshop.com
+  acl host_jellyfin  hdr(host) -i jellyfin.tmmworkshop.com
-  acl host_photoprism  hdr(host) -i photoprism.tmmworkshop.com
+  acl host_share  hdr(host) -i share.tmmworkshop.com
  acl host_uptime_kuma  hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
  use_backend audiobookshelf_nodes if host_audiobookshelf
  use_backend cache_nodes  if host_cache
  use_backend filebrowser_nodes  if host_filebrowser
-  use_backend grafana_nodes  if host_grafana
+  use_backend homeassistant_nodes  if host_homeassistant
-  use_backend mirror_nodes   if host_mirror
+  use_backend jellyfin if host_jellyfin
-  use_backend photoprism_nodes  if host_photoprism
+  use_backend share_nodes  if host_share
  use_backend uptime_kuma_nodes  if host_uptime_kuma
 backend audiobookshelf_nodes
  mode http
-  server server audiobookshelf:80
+  server server 192.168.90.40:8000
 backend cache_nodes
  mode http
  server server 192.168.90.40:5000
 backend grafana_nodes
  mode http
  server server grafana:3000
 backend filebrowser_nodes
  mode http
-  server server filebrowser:8080
+  server server 192.168.90.40:8080
-backend mirror_nodes
+backend homeassistant_nodes
  mode http
-  server server arch_mirror:80
+  server server 192.168.95.14:8123
-backend photoprism_nodes
+backend jellyfin
    option httpchk
    option forwardfor
    http-check send meth GET uri /health
    http-check expect string Healthy
    server jellyfin 192.168.95.14:8096
 backend share_nodes
  mode http
-  server server photoprism:2342
+  server server 192.168.95.14:8091
 backend uptime_kuma_nodes
  mode http
-  server server uptime_kuma:3001
+  server server 192.168.95.14:3001
--- a/systems/jeeves/services/haproxy.nix
+++ b/systems/jeeves/services/haproxy.nix
@@ -0,0 +1,8 @@
 {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.haproxy = {
    enable = true;
    config = builtins.readFile ./haproxy.cfg;
  };
 }
--- a/systems/jeeves/services/home_assistant.nix
+++ b/systems/jeeves/services/home_assistant.nix
@@ -0,0 +1,70 @@
 let
  vars = import ../vars.nix;
 in
 {
  services ={
    home-assistant = {
      enable = true;
      openFirewall = true;
      configDir = vars.media_home_assistant;
      config = {
        http = {
          server_port = 8123;
          server_host = [
            "192.168.95.14"
            "192.168.90.40"
            "192.168.98.4"
          ];
          use_x_forwarded_for = true;
          trusted_proxies = "192.168.95.0/24";
        };
        homeassistant = {
          time_zone = "America/New_York";
          unit_system = "us_customary";
          temperature_unit = "F";
        };
        assist_pipeline = { };
        backup = { };
        bluetooth = { };
        config = { };
        dhcp = { };
        energy = { };
        history = { };
        homeassistant_alerts = { };
        image_upload = { };
        logbook = { };
        media_source = { };
        mobile_app = { };
        ssdp = { };
        sun = { };
        webhook = { };
        zeroconf = { };
        automation = "!include automations.yaml";
        script = "!include scripts.yaml";
        scene = "!include scenes.yaml";
        group = "!include groups.yaml";
      };
      extraPackages =
        python3Packages: with python3Packages; [
          aioesphomeapi
          aiounifi
          bleak-esphome
          esphome-dashboard-api
          gtts
          jellyfin-apiclient-python
          psycopg2
          pymetno
          pyownet
          rokuecp
          uiprotect
          wakeonlan
        ];
      extraComponents = [ "isal" ];
    };
    esphome = {
        enable = true;
        openFirewall = true;
        address = "192.168.90.40";
    };
  };
 }
--- a/systems/jeeves/services/jellyfin.nix
+++ b/systems/jeeves/services/jellyfin.nix
@@ -0,0 +1,10 @@
 let
  vars = import ../vars.nix;
 in
 {
  services.jellyfin = {
    enable = true;
    openFirewall = true;
    dataDir = "${vars.media_services}/jellyfin";
  };
 }
--- a/systems/jeeves/services/nix_serve.nix
+++ b/systems/jeeves/services/nix_serve.nix
@@ -0,0 +1,10 @@
 let
  vars = import ../vars.nix;
 in
 {
  services.nix-serve = {
    enable = true;
    secretKeyFile = "${vars.storage_secrets}/services/nix-cache/cache-priv-key.pem";
    openFirewall = true;
  };
 }
--- a/systems/jeeves/services/systemd.nix
+++ b/systems/jeeves/services/systemd.nix
@@ -4,7 +4,7 @@
  ...
 }:
 let
-  vars = import ./vars.nix;
+  vars = import ../vars.nix;
 in
 {
  systemd = {
@@ -13,7 +13,7 @@ in
        description = "maintains /zfs/storage/plex permissions";
        serviceConfig = {
          Type = "oneshot";
-          ExecStart = "${pkgs.bash}/bin/bash ${./scripts/plex_permission.sh}";
+          ExecStart = "${pkgs.bash}/bin/bash ${../scripts/plex_permission.sh}";
        };
      };
      startup_validation = {
@@ -25,7 +25,7 @@ in
        serviceConfig = {
          EnvironmentFile = "${vars.storage_secrets}/services/server-validation";
          Type = "oneshot";
-          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_jeeves";
+          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_system --config-file='${./validate_system.toml}'";
        };
      };
    };
--- a/systems/jeeves/services/validate_system.toml
+++ b/systems/jeeves/services/validate_system.toml
@@ -0,0 +1,13 @@
 zpool = ["root_pool", "storage", "torrenting", "media"]
 services = [
    "audiobookshelf",
    "cloud_flare_tunnel",
    "haproxy",
    "docker-qbit",
    "docker-qbitvpn",
    "docker-uptime_kuma",
    "docker",
    "filebrowser",
    "home-assistant",
    "jellyfin",
 ]
--- a/systems/jeeves/syncthing.nix
+++ b/systems/jeeves/syncthing.nix
@@ -2,13 +2,18 @@ let
  vars = import ./vars.nix;
 in
 {
  networking.firewall.allowedTCPPorts = [ 8384 ]; 
  services.syncthing = {
    guiAddress = "192.168.90.40:8384";
-    settings.folders = {
+    settings = {
-      "bob_temp" = {
+      devices.davids-server.id = "7GXTDGR-AOXFW2O-K6J7NM3-XYZNRRW-AKHAFWM-GBOWUPQ-OA6JIWD-ER7RDQL"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/bob_temp";
+      folders = {
        "dotfiles" = {
          path = "/home/richie/dotfiles";
          devices = [
-          "jeeves"
+            "bob"
            "rhapsody-in-green"
          ];
          fsWatcherEnabled = true;
        };
@@ -16,8 +21,8 @@ in
          id = "l62ul-lpweo"; # cspell:disable-line
          path = vars.media_notes;
          devices = [
          "bob"
            "rhapsody-in-green"
            "davids-server"
          ];
          fsWatcherEnabled = true;
        };
@@ -46,7 +51,6 @@ in
          id = "vyma6-lqqrz"; # cspell:disable-line
          path = "${vars.storage_syncthing}/projects";
          devices = [
          "bob"
            "rhapsody-in-green"
          ];
          fsWatcherEnabled = true;
@@ -58,6 +62,68 @@ in
          ];
          fsWatcherEnabled = true;
        };
        "vault" = {
          path = "/home/richie/vault";
          devices = [
            "rhapsody-in-green"
            "davids-server"
          ];
          fsWatcherEnabled = true;
        };
        "backup" = {
          path = "${vars.storage_syncthing}/backup";
          devices = [
            "davids-server"
          ];
          fsWatcherEnabled = true;
        };
        # 
        "davids-backup1" = {
          id = "8229p-8z3tm"; # cspell:disable-line
          path = "${vars.storage_syncthing}/davids_backups/1";
          devices = [
            "davids-server"
          ];
          fsWatcherEnabled = true;
          type = "receiveencrypted";
        };
        "davids-backup2" = {
          id = "iciw3-dp6ao"; # cspell:disable-line
          path = "${vars.storage_syncthing}/davids_backups/2";
          devices = [
            "davids-server"
          ];
          fsWatcherEnabled = true;
          type = "receiveencrypted";
        };
        "davids-backup3" = {
          id = "9si6m-bnkjb"; # cspell:disable-line
          path = "${vars.storage_syncthing}/davids_backups/3";
          devices = [
            "davids-server"
          ];
          fsWatcherEnabled = true;
          type = "receiveencrypted";
        };
        "davids-backup4" = {
          id = "qjyfy-uupj4"; # cspell:disable-line
          path = "${vars.storage_syncthing}/davids_backups/4";
          devices = [
            "davids-server"
          ];
          fsWatcherEnabled = true;
          type = "receiveencrypted";
        };
        "davids-backup5" = {
          id = "fm4h5-emsu2"; # cspell:disable-line
          path = "${vars.storage_syncthing}/davids_backups/5";
          devices = [
            "davids-server"
          ];
          fsWatcherEnabled = true;
          type = "receiveencrypted";
        };
      };
    };
  };
 }
--- a/systems/jeeves/vars.nix
+++ b/systems/jeeves/vars.nix
@@ -10,8 +10,11 @@ in
  media_docker = "${zfs_media}/docker";
  media_docker_configs = "${zfs_media}/docker/configs";
  media_mirror = "${zfs_media}/mirror";
  media_share = "${zfs_media}/share";
  media_services = "${zfs_media}/services";  
  media_notes = "${zfs_media}/notes";
  media_plex = "${zfs_media}/plex";
  media_home_assistant = "${zfs_media}/home_assistant";
  # storage
  storage_main = "${zfs_storage}/main";
  storage_photos = "${zfs_storage}/photos";
--- a/systems/muninn/default.nix
+++ b/systems/muninn/default.nix
@@ -1,52 +0,0 @@
 {
  imports = [
    ../../users/richie
    ../../common/global
    ../../common/optional/desktop.nix
    ../../common/optional/steam.nix
    ../../common/optional/systemd-boot.nix
    ./hardware.nix
  ];
  networking = {
    hostName = "muninn";
    hostId = "a43179c5";
    firewall.enable = true;
    networkmanager.enable = true;
  };
  hardware = {
    pulseaudio.enable = false;
    bluetooth = {
      enable = true;
      powerOnBoot = true;
    };
  };
  security.rtkit.enable = true;
  services = {
    displayManager.sddm.enable = true;
    openssh.ports = [ 262 ];
    printing.enable = true;
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };
    snapshot_manager.enable = true;
    zfs = {
      trim.enable = true;
      autoScrub.enable = true;
    };
  };
  system.stateVersion = "24.05";
 }
--- a/systems/muninn/hardware.nix
+++ b/systems/muninn/hardware.nix
@@ -1,63 +0,0 @@
 { config, lib, modulesPath, ... }:
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot = {
    initrd = {
      availableKernelModules = [
        "nvme"
        "xhci_pci"
        "thunderbolt"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
      luks.devices."luks-root-pool-nvme-INTEL_SSDPEKKW256G7_BTPY63820XBH256D-part2" = {
        device = "/dev/disk/by-id/nvme-INTEL_SSDPEKKW256G7_BTPY63820XBH256D-part2";
        bypassWorkqueues = true;
        allowDiscards = true;
        keyFileSize = 4096;
        keyFile = "/dev/disk/by-id/usb-SanDisk_Ultra_T_C_4C530001020919102244-0:0";
      };
    };
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };
  fileSystems = {
    "/" = lib.mkDefault {
      device = "root_pool/root";
      fsType = "zfs";
    };
    "/home" = {
      device = "root_pool/home";
      fsType = "zfs";
    };
    "/nix" = {
      device = "root_pool/nix";
      fsType = "zfs";
    };
    "/var" = {
      device = "root_pool/var";
      fsType = "zfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/12CE-A600";
      fsType = "vfat";
      options = [
        "fmask=0077"
        "dmask=0077"
      ];
    };
  };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/systems/rhapsody-in-green/default.nix
+++ b/systems/rhapsody-in-green/default.nix
@@ -4,6 +4,8 @@
    ../../users/richie
    ../../common/global
    ../../common/optional/desktop.nix
    ../../common/optional/docker.nix
    ../../common/optional/steam.nix
    ../../common/optional/syncthing_base.nix
    ../../common/optional/systemd-boot.nix
    ../../common/optional/yubikey.nix
@@ -11,6 +13,7 @@
    ./hardware.nix
    ./syncthing.nix
    inputs.nixos-hardware.nixosModules.framework-13-7040-amd
    inputs.nixos-cosmic.nixosModules.default
  ];
  networking = {
@@ -20,37 +23,10 @@
    networkmanager.enable = true;
  };
  hardware = {
    pulseaudio.enable = false;
    bluetooth = {
      enable = true;
      powerOnBoot = true;
    };
  };
  security.rtkit.enable = true;
  services = {
    displayManager.sddm.enable = true;
    openssh.ports = [ 922 ];
-    printing.enable = true;
+    desktopManager.cosmic.enable = true;  
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };
    snapshot_manager.enable = true;
    zfs = {
      trim.enable = true;
      autoScrub.enable = true;
    };
  };
  system.stateVersion = "24.05";
--- a/systems/rhapsody-in-green/syncthing.nix
+++ b/systems/rhapsody-in-green/syncthing.nix
@@ -1,10 +1,17 @@
 {    
  services.syncthing.settings.folders = {
    "dotfiles" = {
      path = "/home/richie/dotfiles";
      devices = [
        "jeeves"
        "bob"
      ];
      fsWatcherEnabled = true;
    };
    "notes" = {
      id = "l62ul-lpweo"; # cspell:disable-line
      path = "/home/richie/notes";
      devices = [
        "bob"
        "jeeves"
      ];
      fsWatcherEnabled = true;
@@ -34,7 +41,6 @@
      id = "vyma6-lqqrz"; # cspell:disable-line
      path = "/home/richie/projects";
      devices = [
        "bob"
        "jeeves"
      ];
      fsWatcherEnabled = true;
@@ -50,7 +56,7 @@
    "vault" = {
      path = "/home/richie/vault";
      devices = [
-        "bob"
+        "jeeves"
      ];
      fsWatcherEnabled = true;
    };
--- a/tools/installer.py
+++ b/tools/installer.py
@@ -2,8 +2,10 @@
 from __future__ import annotations
 import curses
 import logging
 import sys
 from collections import defaultdict
 from os import getenv
 from pathlib import Path
 from random import getrandbits
@@ -109,7 +111,9 @@ def create_zfs_pool(pool_disks: Sequence[str], mnt_dir: str) -> None:
        "-O normalization=formD "
        "-O relatime=on "
        "-O xattr=sa "
-        "-O mountpoint=none "
+        "-O mountpoint=legacy "
        "-O compression=zstd "
        "-O atime=off "
        "root_pool "
    )
    if len(pool_disks) == 1:
@@ -127,26 +131,100 @@ def create_zfs_pool(pool_disks: Sequence[str], mnt_dir: str) -> None:
 def create_zfs_datasets() -> None:
    """Create ZFS datasets."""
    default_options = "-o compression=zstd -o atime=off -o mountpoint=legacy"
    bash_wrapper(f"zfs create {default_options} -o canmount=noauto root_pool/root")
    for dataset in ("home", "var"):
        bash_wrapper(f"zfs create {default_options} root_pool/{dataset}")
    bash_wrapper("zfs create -o canmount=noauto -o reservation=10G root_pool/root")
    bash_wrapper("zfs create root_pool/home")
    bash_wrapper("zfs create root_pool/var -o reservation=1G")
    bash_wrapper("zfs create -o compression=zstd-9 -o reservation=10G root_pool/nix")
    datasets = bash_wrapper("zfs list -o name")
-    expected_datasets = {"root_pool/root", "root_pool/home", "root_pool/var"}
+    expected_datasets = {
        "root_pool/root",
        "root_pool/home",
        "root_pool/var",
        "root_pool/nix",
    }
    missing_datasets = expected_datasets.difference(datasets.splitlines())
    if missing_datasets:
        logging.critical(f"Failed to create pools {missing_datasets}")
        sys.exit(1)
 def get_cpu_manufacturer() -> str:
    """Get the CPU manufacturer."""
    output = bash_wrapper("cat /proc/cpuinfo")
    id_vendor = {"AuthenticAMD": "amd", "GenuineIntel": "intel"}
    for line in output.splitlines():
        if "vendor_id" in line:
            return id_vendor[line.split(": ")[1].strip()]
 def get_boot_drive_id(disk: str) -> str:
    """Get the boot drive ID."""
    output = bash_wrapper(f"lsblk -o UUID {disk}-part1")
    return output.splitlines()[1]
 def create_nix_hardware_file(mnt_dir: str, disks: Sequence[str], encrypt: bool) -> None:
    """Create a NixOS hardware file."""
    cpu_manufacturer = get_cpu_manufacturer()
    devices = ""
    if encrypt:
        disk = disks[0]
        devices = (
            f'     luks.devices."luks-root-pool-{disk.split("/")[-1]}-part2"'
            "= {\n"
            f'        device = "{disk}-part2";\n'
            "        bypassWorkqueues = true;\n"
            "        allowDiscards = true;\n"
            "      };\n"
        )
    host_id = format(getrandbits(32), "08x")
    nix_hardware = (
        "{ config, lib, modulesPath, ... }:\n"
        "{\n"
        '  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];\n\n'
        "  boot = {\n"
        "    initrd = {\n"
        '      availableKernelModules = [ \n        "ahci"\n        "ehci_pci"\n        "nvme"\n        "sd_mod"\n        "usb_storage"\n        "usbhid"\n        "xhci_pci"\n      ];\n'
        "      kernelModules = [ ];\n"
        f" {devices}"
        "    };\n"
        f'    kernelModules = [ "kvm-{cpu_manufacturer}" ];\n'
        "    extraModulePackages = [ ];\n"
        "  };\n\n"
        "  fileSystems = {\n"
        '    "/" = lib.mkDefault {\n      device = "root_pool/root";\n      fsType = "zfs";\n    };\n\n'
        '    "/home" = {\n      device = "root_pool/home";\n      fsType = "zfs";\n    };\n\n'
        '    "/var" = {\n      device = "root_pool/var";\n      fsType = "zfs";\n    };\n\n'
        '    "/nix" = {\n      device = "root_pool/nix";\n      fsType = "zfs";\n    };\n\n'
        '    "/boot" = {\n'
        f'      device = "/dev/disk/by-uuid/{get_boot_drive_id(disks[0])}";\n'
        '      fsType = "vfat";\n      options = [\n        "fmask=0077"\n        "dmask=0077"\n      ];\n    };\n  };\n\n'
        "  swapDevices = [ ];\n\n"
        "  networking.useDHCP = lib.mkDefault true;\n\n"
        '  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";\n'
        f"  hardware.cpu.{cpu_manufacturer}.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;\n"
        f'  networking.hostId = "{host_id}";\n'
        "}\n"
    )
    Path(f"{mnt_dir}/etc/nixos/hardware-configuration.nix").write_text(nix_hardware)
 def install_nixos(mnt_dir: str, disks: Sequence[str], encrypt: bool) -> None:
    """Install NixOS."""
    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/root {mnt_dir}")
    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/home {mnt_dir}/home")
    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/var {mnt_dir}/var")
    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/nix {mnt_dir}/nix")
    for disk in disks:
        bash_wrapper(f"mkfs.vfat -n EFI {disk}-part1")
@@ -157,43 +235,20 @@ def install_nixos(mnt_dir: str, disks: Sequence[str], encrypt: bool) -> None:
    bash_wrapper(f"nixos-generate-config --root {mnt_dir}")
-    host_id = format(getrandbits(32), "08x")
+    create_nix_hardware_file(mnt_dir, disks, encrypt)
    nix_hardware = Path(f"{mnt_dir}/etc/nixos/hardware-configuration.nix").read_text()
    nix_hardware = nix_hardware.replace(
        ";\n}", f';\n  networking.hostId = "{host_id}";' "\n}"
    )
    if encrypt:
        test = [
            f'    "luks-root-pool-{disk.split("/")[-1]}-part2".device = "{disk}-part2";\n'
            for disk in disks
        ]
        encrypted_disks = (
            ";\n  boot.initrd.luks.devices = {\n" f"{''.join(test)}" "  };\n" "}"
        )
        nix_hardware = nix_hardware.replace(";\n}", encrypted_disks)
    Path(f"{mnt_dir}/etc/nixos/hardware-configuration.nix").write_text(nix_hardware)
    run(("nixos-install", "--root", mnt_dir), check=True)  # noqa: S603
-def main() -> None:
+def installer(
    disks: set[str],
    swap_size: int,
    reserve: int,
    encrypt_key: str | None,
 ) -> None:
    """Main."""
    configure_logger("DEBUG")
    logging.info("Starting installation")
    disks = ("/dev/disk/by-id/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",)
    # Set swap size in GB, set to 1 if you don't want swap to take up too much space
    swap_size = 1
    reserve = 0
    encrypt_key = getenv("ENCRYPT_KEY")
    for disk in disks:
        partition_disk(disk, swap_size, reserve)
@@ -225,5 +280,403 @@ def main() -> None:
    logging.info("Installation complete")
 class Cursor:
    def __init__(self):
        self.x_position = 0
        self.y_position = 0
        self.height = 0
        self.width = 0
    def set_height(self, height: int):
        self.height = height
    def set_width(self, width: int):
        self.width = width
    def x_bounce_check(self, cursor: int) -> int:
        cursor = max(0, cursor)
        return min(self.width - 1, cursor)
    def y_bounce_check(self, cursor: int) -> int:
        cursor = max(0, cursor)
        return min(self.height - 1, cursor)
    def set_x(self, x: int):
        self.x_position = self.x_bounce_check(x)
    def set_y(self, y: int):
        self.y_position = self.y_bounce_check(y)
    def get_x(self) -> int:
        return self.x_position
    def get_y(self) -> int:
        return self.y_position
    def move_up(self):
        self.set_y(self.y_position - 1)
    def move_down(self):
        self.set_y(self.y_position + 1)
    def move_left(self):
        self.set_x(self.x_position - 1)
    def move_right(self):
        self.set_x(self.x_position + 1)
    def navigation(self, key: int) -> None:
        action = {
            curses.KEY_DOWN: self.move_down,
            curses.KEY_UP: self.move_up,
            curses.KEY_RIGHT: self.move_right,
            curses.KEY_LEFT: self.move_left,
        }
        action.get(key, lambda: None)()
 class State:
    """State class to store the state of the program."""
    def __init__(self):
        self.key = 0
        self.cursor = Cursor()
        self.swap_size = 0
        self.show_swap_input = False
        self.reserve_size = 0
        self.show_reserve_input = False
        self.selected_device_ids = set()
    def get_selected_devices(self) -> tuple[str]:
        """Get selected devices."""
        return tuple(self.selected_device_ids)
 def get_device(raw_device: str) -> dict[str, str]:
    raw_device_components = raw_device.split(" ")
    return {
        thing.split("=")[0].lower(): thing.split("=")[1].strip('"')
        for thing in raw_device_components
    }
 def get_devices() -> list[dict[str, str]]:
    """Get a list of devices."""
    # --bytes
    raw_devices = bash_wrapper("lsblk --paths --pairs").splitlines()
    return [get_device(raw_device) for raw_device in raw_devices]
 def get_device_id_mapping() -> dict[str, set[str]]:
    """Get a list of device ids.
    Returns:
        list[str]: the list of device ids
    """
    device_ids = bash_wrapper("find /dev/disk/by-id -type l").splitlines()
    device_id_mapping: dict[str, set[str]] = defaultdict(set)
    for device_id in device_ids:
        device = bash_wrapper(f"readlink -f {device_id}").strip()
        device_id_mapping[device].add(device_id)
    return device_id_mapping
 def calculate_device_menu_padding(
    devices: list[dict[str, str]], column: str, padding: int = 0
 ) -> int:
    return max(len(device[column]) for device in devices) + padding
 def draw_device_ids(
    state: State,
    row_number: int,
    menu_start_x: int,
    std_screen: curses.window,
    menu_width: list[int],
    device_ids: set[str],
 ) -> tuple[State, int]:
    for device_id in sorted(device_ids):
        row_number = row_number + 1
        if row_number == state.cursor.get_y() and state.cursor.get_x() in menu_width:
            std_screen.attron(curses.A_BOLD)
            if state.key == ord(" "):
                if device_id not in state.selected_device_ids:
                    state.selected_device_ids.add(device_id)
                else:
                    state.selected_device_ids.remove(device_id)
        if device_id in state.selected_device_ids:
            std_screen.attron(curses.color_pair(7))
        std_screen.addstr(row_number, menu_start_x, f"  {device_id}")
        std_screen.attroff(curses.color_pair(7))
        std_screen.attroff(curses.A_BOLD)
    return state, row_number
 def draw_device_menu(
    std_screen: curses.window,
    devices: list[dict[str, str]],
    device_id_mapping: dict[str, set[str]],
    state: State,
    menu_start_y: int = 0,
    menu_start_x: int = 0,
 ) -> State:
    """draw the device menu and handle user input
    Args:
        std_screen (curses.window): the curses window to draw on
        devices (list[dict[str, str]]): the list of devices to draw
        device_id_mapping (dict[str, set[str]]): the list of device ids to draw
        state (State): the state object to update
        menu_start_y (int, optional): the y position to start drawing the menu. Defaults to 0.
        menu_start_x (int, optional): the x position to start drawing the menu. Defaults to 0.
    Returns:
        State: the updated state object
    """
    padding = 2
    name_padding = calculate_device_menu_padding(devices, "name", padding)
    size_padding = calculate_device_menu_padding(devices, "size", padding)
    type_padding = calculate_device_menu_padding(devices, "type", padding)
    mountpoints_padding = calculate_device_menu_padding(devices, "mountpoints", padding)
    device_header = f"{"Name":{name_padding}}{"Size":{size_padding}}{"Type":{type_padding}}{"Mountpoints":{mountpoints_padding}}"
    menu_width = range(menu_start_x, len(device_header) + menu_start_x)
    std_screen.addstr(menu_start_y, menu_start_x, device_header, curses.color_pair(5))
    devises_list_start = menu_start_y + 1
    row_number = devises_list_start
    for device in devices:
        row_number = row_number + 1
        device_name = device["name"]
        device_row = (
            f"{device_name:{name_padding}}"
            f"{device['size']:{size_padding}}"
            f"{device['type']:{type_padding}}"
            f"{device['mountpoints']:{mountpoints_padding}}"
        )
        std_screen.addstr(row_number, menu_start_x, device_row)
        state, row_number = draw_device_ids(
            state=state,
            row_number=row_number,
            menu_start_x=menu_start_x,
            std_screen=std_screen,
            menu_width=menu_width,
            device_ids=device_id_mapping[device_name],
        )
    return state, row_number
 def debug_menu(std_screen: curses.window, key: int) -> None:
    height, width = std_screen.getmaxyx()
    width_height = "Width: {}, Height: {}".format(width, height)
    std_screen.addstr(height - 4, 0, width_height, curses.color_pair(5))
    key_pressed = f"Last key pressed: {key}"[: width - 1]
    if key == 0:
        key_pressed = "No key press detected..."[: width - 1]
    std_screen.addstr(height - 3, 0, key_pressed)
    for i in range(0, 8):
        std_screen.addstr(height - 2, i * 3, f"{i}██", curses.color_pair(i))
 def status_bar(
    std_screen: curses.window,
    cursor: Cursor,
    width: int,
    height: int,
 ) -> None:
    std_screen.attron(curses.A_REVERSE)
    std_screen.attron(curses.color_pair(3))
    status_bar = (
        f"Press 'q' to exit | STATUS BAR | Pos: {cursor.get_x()}, {cursor.get_y()}"
    )
    std_screen.addstr(height - 1, 0, status_bar)
    std_screen.addstr(height - 1, len(status_bar), " " * (width - len(status_bar) - 1))
    std_screen.attroff(curses.color_pair(3))
    std_screen.attroff(curses.A_REVERSE)
 def set_color() -> None:
    curses.start_color()
    curses.use_default_colors()
    for i in range(0, curses.COLORS):
        curses.init_pair(i + 1, i, -1)
 def get_text_input(std_screen: curses.window, prompt: str, y: int, x: int) -> str:
    curses.echo()
    std_screen.addstr(y, x, prompt)
    input_str = ""
    while True:
        key = std_screen.getch()
        if key == ord("\n"):
            break
        elif key == 27:  # ESC key
            input_str = ""
            break
        elif key in (curses.KEY_BACKSPACE, ord("\b"), 127):
            input_str = input_str[:-1]
            std_screen.addstr(y, x + len(prompt), input_str + " ")
        else:
            input_str += chr(key)
        std_screen.refresh()
    curses.noecho()
    return input_str
 def swap_size_input(
    std_screen: curses.window,
    state: State,
    swap_offset: int,
 ) -> State:
    swap_size_text = "Swap size (GB): "
    std_screen.addstr(swap_offset, 0, f"{swap_size_text}{state.swap_size}")
    if state.key == ord("\n") and state.cursor.get_y() == swap_offset:
        state.show_swap_input = True
    if state.show_swap_input:
        swap_size_str = get_text_input(std_screen, swap_size_text, swap_offset, 0)
        try:
            state.swap_size = int(swap_size_str)
            state.show_swap_input = False
        except ValueError:
            std_screen.addstr(
                swap_offset, 0, "Invalid input. Press any key to continue."
            )
            std_screen.getch()
            state.show_swap_input = False
    return state
 def reserve_size_input(
    std_screen: curses.window,
    state: State,
    reserve_offset: int,
 ) -> State:
    reserve_size_text = "reserve size (GB): "
    std_screen.addstr(reserve_offset, 0, f"{reserve_size_text}{state.reserve_size}")
    if state.key == ord("\n") and state.cursor.get_y() == reserve_offset:
        state.show_reserve_input = True
    if state.show_reserve_input:
        reserve_size_str = get_text_input(
            std_screen, reserve_size_text, reserve_offset, 0
        )
        try:
            state.reserve_size = int(reserve_size_str)
            state.show_reserve_input = False
        except ValueError:
            std_screen.addstr(
                reserve_offset, 0, "Invalid input. Press any key to continue."
            )
            std_screen.getch()
            state.show_reserve_input = False
    return state
 def draw_menu(std_screen: curses.window) -> State:
    """draw the menu and handle user input
    Args:
        std_screen (curses.window): the curses window to draw on
    Returns:
        State: the state object
    """
    # Clear and refresh the screen for a blank canvas
    std_screen.clear()
    std_screen.refresh()
    set_color()
    state = State()
    devices = get_devices()
    device_id_mapping = get_device_id_mapping()
    # Loop where k is the last character pressed
    while state.key != ord("q"):
        std_screen.clear()
        height, width = std_screen.getmaxyx()
        state.cursor.set_height(height)
        state.cursor.set_width(width)
        state.cursor.navigation(state.key)
        state, device_menu_size = draw_device_menu(
            std_screen=std_screen,
            state=state,
            devices=devices,
            device_id_mapping=device_id_mapping,
        )
        swap_offset = device_menu_size + 2
        swap_size_input(
            std_screen=std_screen,
            state=state,
            swap_offset=swap_offset,
        )
        reserve_size_input(
            std_screen=std_screen,
            state=state,
            reserve_offset=swap_offset + 1,
        )
        status_bar(std_screen, state.cursor, width, height)
        debug_menu(std_screen, state.key)
        std_screen.move(state.cursor.get_y(), state.cursor.get_x())
        std_screen.refresh()
        state.key = std_screen.getch()
    return state
 def main() -> None:
    configure_logger("DEBUG")
    state = curses.wrapper(draw_menu)
    encrypt_key = getenv("ENCRYPT_KEY")
    logging.info("installing_nixos")
    logging.info(f"disks: {state.selected_device_ids}")
    logging.info(f"swap_size: {state.swap_size}")
    logging.info(f"reserve: {state.reserve_size}")
    logging.info(f"encrypted: {bool(encrypt_key)}")
    sleep(3)
    installer(
        disks=state.get_selected_devices(),
        swap_size=state.swap_size,
        reserve=state.reserve_size,
        encrypt_key=encrypt_key,
    )
 if __name__ == "__main__":
    main()
--- a/users/gaming/default.nix
+++ b/users/gaming/default.nix
@@ -0,0 +1,31 @@
 {
  pkgs,
  config,
  ...
 }: 
 {
  sops.secrets.gaming_password = {
    sopsFile = ../secrets.yaml;
    neededForUsers = true;
  };
  users = {
    users.gaming = {
      isNormalUser = true;
      hashedPasswordFile = "${config.sops.secrets.gaming_password.path}";
      shell = pkgs.zsh;
      group = "gaming";
      extraGroups =
      [
        "audio"
        "video"
        "users"
      ];
      uid = 1100;
    };
    groups.gaming.gid = 1100;
  };
  home-manager.users.gaming = import ./systems/${config.networking.hostName}.nix; 
 }
--- a/users/gaming/home/firefox.nix
+++ b/users/gaming/home/firefox.nix
@@ -0,0 +1,249 @@
 { inputs, ... }:
 {
  programs.firefox = {
    enable = true;
    profiles.richie = {
      extensions = with inputs.firefox-addons.packages.x86_64-linux; [
        bitwarden
        darkreader
        dearrow
        fastforwardteam
        return-youtube-dislikes
        sponsorblock
        ublock-origin
      ];
      search = {
        force = true;
        default = "Google";
        order = [ "Google" ];
      };
      settings = {
        # SECTION: FASTFOX
        # GENERAL
        "content.notify.interval" = 100000;
        # GFX
        "gfx.canvas.accelerated.cache-items" = 4096;
        "gfx.canvas.accelerated.cache-size" = 512;
        "gfx.content.skia-font-cache-size" = 20;
        # DISK CACHE
        "browser.cache.jsbc_compression_level" = 3;
        # MEDIA CACHE
        "media.memory_cache_max_size" = 65536;
        "media.cache_readahead_limit" = 7200;
        "media.cache_resume_threshold" = 3600;
        # IMAGE CACHE
        "image.mem.decode_bytes_at_a_time" = 32768;
        # NETWORK
        "network.buffer.cache.size" = 262144;
        "network.buffer.cache.count" = 128;
        "network.http.max-connections" = 1800;
        "network.http.max-persistent-connections-per-server" = 10;
        "network.http.max-urgent-start-excessive-connections-per-host" = 5;
        "network.http.pacing.requests.enabled" = false;
        "network.dnsCacheExpiration" = 3600;
        "network.dns.max_high_priority_threads" = 8;
        "network.ssl_tokens_cache_capacity" = 10240;
        # SPECULATIVE LOADING
        "network.dns.disablePrefetch" = true;
        "network.prefetch-next" = false;
        "network.predictor.enabled" = false;
        # EXPERIMENTAL
        "layout.css.grid-template-masonry-value.enabled" = true;
        "dom.enable_web_task_scheduling" = true;
        "layout.css.has-selector.enabled" = true;
        "dom.security.sanitizer.enabled" = true;
        # SECTION: SECUREFOX
        # TRACKING PROTECTION
        "browser.contentblocking.category" = "strict";
        "urlclassifier.trackingSkipURLs" = "*.reddit.com, *.twitter.com, *.twimg.com, *.tiktok.com";
        "urlclassifier.features.socialtracking.skipURLs" = "*.instagram.com, *.twitter.com, *.twimg.com";
        "network.cookie.sameSite.noneRequiresSecure" = true;
        "browser.download.start_downloads_in_tmp_dir" = true;
        "browser.helperApps.deleteTempFileOnExit" = true;
        "browser.uitour.enabled" = false;
        "privacy.globalprivacycontrol.enabled" = true;
        # OCSP & CERTS / HPKP
        "security.OCSP.enabled" = 0;
        "security.remote_settings.crlite_filters.enabled" = true;
        "security.pki.crlite_mode" = 2;
        # SSL / TLS
        "security.ssl.treat_unsafe_negotiation_as_broken" = true;
        "browser.xul.error_pages.expert_bad_cert" = true;
        "security.tls.enable_0rtt_data" = false;
        # DISK AVOIDANCE
        "browser.privatebrowsing.forceMediaMemoryCache" = true;
        "browser.sessionstore.interval" = 60000;
        # SHUTDOWN & SANITIZING
        "privacy.history.custom" = true;
        # SEARCH / URL BAR
        "browser.search.separatePrivateDefault.ui.enabled" = true;
        "browser.urlbar.update2.engineAliasRefresh" = true;
        # PREF: restore search engine suggestions
        "browser.search.suggest.enabled" = true;
        "browser.urlbar.suggest.quicksuggest.sponsored" = false;
        "browser.urlbar.suggest.quicksuggest.nonsponsored" = false;
        "browser.formfill.enable" = false;
        "security.insecure_connection_text.enabled" = true;
        "security.insecure_connection_text.pbmode.enabled" = true;
        "network.IDN_show_punycode" = true;
        # HTTPS-FIRST POLICY
        "dom.security.https_first" = true;
        "dom.security.https_first_schemeless" = true;
        # PASSWORDS
        "signon.formlessCapture.enabled" = false;
        "signon.rememberSignons" = false;
        "signon.privateBrowsingCapture.enabled" = false;
        "network.auth.subresource-http-auth-allow" = 1;
        "editor.truncate_user_pastes" = false;
        # MIXED CONTENT + CROSS-SITE
        "security.mixed_content.block_display_content" = true;
        "security.mixed_content.upgrade_display_content" = true;
        "security.mixed_content.upgrade_display_content.image" = true;
        "pdfjs.enableScripting" = false;
        "extensions.postDownloadThirdPartyPrompt" = false;
        # HEADERS / REFERERS
        "network.http.referer.XOriginTrimmingPolicy" = 2;
        # CONTAINERS
        "privacy.userContext.ui.enabled" = true;
        # WEBRTC
        "media.peerconnection.ice.proxy_only_if_behind_proxy" = true;
        "media.peerconnection.ice.default_address_only" = true;
        # SAFE BROWSING
        "browser.safebrowsing.downloads.remote.enabled" = false;
        # MOZILLA
        # PREF: allow websites to ask you to receive site notifications
        "permissions.default.desktop-notification" = 0; # allow websites to ask
        # PREF: allow websites to ask you for your location
        "permissions.default.geo" = 0;
        "geo.provider.network.url" = "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%";
        "permissions.manager.defaultsUrl" = "";
        "webchannel.allowObject.urlWhitelist" = "";
        # TELEMETRY
        "datareporting.policy.dataSubmissionEnabled" = false;
        "datareporting.healthreport.uploadEnabled" = false;
        "toolkit.telemetry.unified" = false;
        "toolkit.telemetry.enabled" = false;
        "toolkit.telemetry.server" = "data:,";
        "toolkit.telemetry.archive.enabled" = false;
        "toolkit.telemetry.newProfilePing.enabled" = false;
        "toolkit.telemetry.shutdownPingSender.enabled" = false;
        "toolkit.telemetry.updatePing.enabled" = false;
        "toolkit.telemetry.bhrPing.enabled" = false;
        "toolkit.telemetry.firstShutdownPing.enabled" = false;
        "toolkit.telemetry.coverage.opt-out" = true;
        "toolkit.coverage.opt-out" = true;
        "toolkit.coverage.endpoint.base" = "";
        "browser.ping-centre.telemetry" = false;
        "browser.newtabpage.activity-stream.feeds.telemetry" = false;
        "browser.newtabpage.activity-stream.telemetry" = false;
        # EXPERIMENTS
        "app.shield.optoutstudies.enabled" = false;
        "app.normandy.enabled" = false;
        "app.normandy.api_url" = "";
        # CRASH REPORTS
        "breakpad.reportURL" = "";
        "browser.tabs.crashReporting.sendReport" = false;
        "browser.crashReports.unsubmittedCheck.autoSubmit2" = false;
        # DETECTION
        "captivedetect.canonicalURL" = "";
        "network.captive-portal-service.enabled" = false;
        "network.connectivity-service.enabled" = false;
        # SECTION: PESKYFOX
        # MOZILLA UI
        "browser.privatebrowsing.vpnpromourl" = "";
        "extensions.getAddons.showPane" = false;
        "extensions.htmlaboutaddons.recommendations.enabled" = false;
        "browser.discovery.enabled" = false;
        "browser.shell.checkDefaultBrowser" = false;
        "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = false;
        "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = false;
        "browser.preferences.moreFromMozilla" = false;
        "browser.tabs.tabmanager.enabled" = false;
        "browser.aboutConfig.showWarning" = false;
        "browser.aboutwelcome.enabled" = false;
        # THEME ADJUSTMENTS
        "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
        "browser.compactmode.show" = true;
        "browser.display.focus_ring_on_anything" = true;
        "browser.display.focus_ring_style" = 0;
        "browser.display.focus_ring_width" = 0;
        "layout.css.prefers-color-scheme.content-override" = 2;
        # COOKIE BANNER HANDLING
        "cookiebanners.service.mode" = 1;
        "cookiebanners.service.mode.privateBrowsing" = 1;
        # FULLSCREEN NOTICE
        "full-screen-api.transition-duration.enter" = "0 0";
        "full-screen-api.transition-duration.leave" = "0 0";
        "full-screen-api.warning.delay" = -1;
        "full-screen-api.warning.timeout" = 0;
        # URL BAR
        "browser.urlbar.suggest.calculator" = true;
        "browser.urlbar.unitConversion.enabled" = true;
        "browser.urlbar.trending.featureGate" = false;
        # NEW TAB PAGE
        "browser.newtabpage.activity-stream.feeds.topsites" = false;
        "browser.newtabpage.activity-stream.feeds.section.topstories" = false;
        # POCKET
        "extensions.pocket.enabled" = false;
        # DOWNLOADS
        "browser.download.always_ask_before_handling_new_types" = true;
        "browser.download.manager.addToRecentDocs" = false;
        # PDF
        "browser.download.open_pdf_attachments_inline" = true;
        # TAB BEHAVIOR
        "browser.bookmarks.openInTabClosesMenu" = false;
        "browser.menu.showViewImageInfo" = true;
        "findbar.highlightAll" = true;
        "layout.word_select.eat_space_to_next_word" = false;
        # SECTION: MY OVERRIDES
        "browser.startup.homepage" = "https://google.com";
        "identity.fxaccounts.enabled" = false;
        # SECTION SMOOTHFOX
        # OPTION: SHARPEN SCROLLING                                                           *
        "apz.overscroll.enabled" = true; # DEFAULT NON-LINUX
        "mousewheel.min_line_scroll_amount" = 10; # 10-40; adjust this number to your liking; default=5
        "general.smoothScroll.mouseWheel.durationMinMS" = 80; # default=50
        "general.smoothScroll.currentVelocityWeighting" = "0.15"; # default=.25
        "general.smoothScroll.stopDecelerationWeighting" = "0.6"; # default=.4
      };
    };
  };
 }
--- a/users/gaming/home/global.nix
+++ b/users/gaming/home/global.nix
@@ -0,0 +1,17 @@
 { config, ... }:
 {
  imports = [
    ./programs.nix
  ];
  programs = {
    home-manager.enable = true;
    git.enable = true;
  };
  home = {
    username = "gaming";
    homeDirectory = "/home/${config.home.username}";
    stateVersion = "24.05";
  };
 }
--- a/users/gaming/home/programs.nix
+++ b/users/gaming/home/programs.nix
@@ -0,0 +1,6 @@
 { pkgs, ... }:
 {
  home.packages = with pkgs; [
    chromium
  ];
 }
--- a/users/richie/systems/muninn.nix
+++ b/users/richie/systems/muninn.nix
@@ -1,6 +1,6 @@
 {
  imports = [
    ../home/global.nix
-    ../home/gui
+    ../home/firefox.nix
  ];
 }
--- a/users/richie/default.nix
+++ b/users/richie/default.nix
@@ -5,12 +5,21 @@
 }: let
  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
 in {
-  users.users.richie = {
+
  sops.secrets.richie_password = {
    sopsFile = ../secrets.yaml;
    neededForUsers = true;
  };
  users = {
    users.richie = {
      isNormalUser = true;
      hashedPasswordFile = "${config.sops.secrets.richie_password.path}";
      shell = pkgs.zsh;
      group = "richie";
      openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPtuYhiJHRTYhNaDmTcJOqJASk7D8mIn6u3F1IN5AFJ bob" # cspell:disable-line
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYZFsc9CSH03ZUP7y81AHwSyjLwFmcshVFCyxDcYhBT rhapsody-in-green" # cspell:disable-line
      ];
      extraGroups =
@@ -23,6 +32,7 @@ in {
      ++ ifTheyExist [
        "dialout"
        "docker"
        "hass"
        "libvirtd"
        "networkmanager"
        "plugdev"
@@ -33,8 +43,7 @@ in {
      uid = 1000;
    };
-  users.groups.richie = {
+    groups.richie.gid = 1000;
    gid = 1000;
  };
  home-manager.users.richie = import ./systems/${config.networking.hostName}.nix; 
--- a/users/richie/home/cli/git.nix
+++ b/users/richie/home/cli/git.nix
@@ -3,5 +3,10 @@
    enable = true;
    userEmail = "Richie@tmmworkshop.com";
    userName = "Richie Cahill";
    extraConfig = {
      pull.rebase = true;
      color.ui = true;
    };
    lfs.enable = true;
  };
 }
--- a/users/richie/home/cli/zsh.nix
+++ b/users/richie/home/cli/zsh.nix
@@ -18,17 +18,14 @@
      ];
    };
    shellAliases = {
      "sgc" = "sudo git -C /root/dotfiles";
      ## Utilities
      "lrt" = "eza --icons -lsnew";
      "ls" = "eza";
      "ll" = "eza --long --group";
      "la" = "eza --all";
      "rspace" = "'for f in *\ *; do mv \"$f\" \"\${f// /_}\"; done'";
-      "rebuild" = "sudo nixos-rebuild switch --flake /home/richie/projects/dotfiles#$HOST";
+      "rebuild" = "sudo nixos-rebuild switch --flake /home/richie/dotfiles#$HOST";
-      "nix-test" = "nixos-rebuild test --flake /home/richie/projects/dotfiles";
+      "nix-test" = "nixos-rebuild test --flake /home/richie/dotfiles";
    };
  };
 }
--- a/users/richie/home/global.nix
+++ b/users/richie/home/global.nix
@@ -1,37 +1,22 @@
 { config, ... }:
 {
  lib,
  pkgs,
  config,
  ...
 }: {
  imports = [
    ./cli
    ./programs.nix
    ./ssh_config.nix
  ];
  nix = {
    package = lib.mkDefault pkgs.nix;
    settings = {
      experimental-features = [
        "nix-command"
        "flakes"
        "ca-derivations"
      ];
    };
  };
  programs = {
    home-manager.enable = true;
    git.enable = true;
  };
  home = {
-    username = lib.mkDefault "richie";
+    username = "richie";
-    homeDirectory = lib.mkDefault "/home/${config.home.username}";
+    homeDirectory = "/home/${config.home.username}";
-    stateVersion = lib.mkDefault "24.05";
+    stateVersion = "24.05";
    sessionVariables = {
-      FLAKE = "$HOME/Projects/dotfiles";
+      FLAKE = "$HOME/dotfiles";
    };
  };
 }
--- a/users/richie/home/gui/default.nix
+++ b/users/richie/home/gui/default.nix
@@ -3,10 +3,12 @@
  imports = [
    ./firefox
    ./vscode
    ./kitty.nix
  ];
  home.packages = with pkgs; [
    candy-icons
    chromium
    discord-canary
    gimp
    gparted
--- a/users/richie/home/gui/firefox/search_engines.nix
+++ b/users/richie/home/gui/firefox/search_engines.nix
@@ -78,7 +78,7 @@
        }
      ];
      icon = ./github.svg;
-      definedAliases = [ "@n" ];
+      definedAliases = [ "@g" ];
    };
  };
 }
--- a/users/richie/home/gui/kitty.nix
+++ b/users/richie/home/gui/kitty.nix
@@ -0,0 +1,12 @@
 {pkgs, ...}: {
  programs.kitty = {
    enable = true;
    font.name = "IntoneMono Nerd Font";
    settings = {
      allow_remote_control = "no";
      shell = "${pkgs.zsh}/bin/zsh";
      wayland_titlebar_color = "background";
    };
    themeFile = "VSCode_Dark";
  };
 }
--- a/users/richie/home/programs.nix
+++ b/users/richie/home/programs.nix
@@ -14,6 +14,7 @@
    jq
    ncdu
    neofetch
    ouch
    p7zip
    poppler
    rar
@@ -35,7 +36,7 @@
    wget
    # python
    poetry
-    python312
+    python313
    ruff
    # Rust packages
    trunk
--- a/users/secrets.yaml
+++ b/users/secrets.yaml
@@ -0,0 +1,58 @@
 richie_password: ENC[AES256_GCM,data:DMi3M8aqrQ60APIofr8wJMh+VZ14hLRxz6jWZgzswr0pV/QVSX53ShBFr90ruO3mucOLYv0l+bI31covfqMAhXWBJp9wUgtC2Q==,iv:qgtn30hZfIL4dBnQSLkjbo7zPJA4m9TR0f52sTFc0v4=,tag:ydLbcGyXjv0fE+4b5ECX5w==,type:str]
 gaming_password: ENC[AES256_GCM,data:i692UsQaCOjE4V1y9d8yYDlK+TRMIprCHJkhl1UBZRMqe9a2LTUtmbbn/xlCYQd2tADJvn+dkx1jLfV4CqaqWOj5YSUFfpgsEw==,iv:3Y7hXQcmpzNN7hF+BDvO52uFB4o5D0dHvxemJ0ZoSIM=,tag:zzLGNDVAMCs2GPMqXp2BtQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1u8zj599elqqvcmhxn8zuwrufsz8w8w366d3ayrljjejljt2q45kq8mxw9c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqR1lUREVMR3hyTTFNZ3U0
            NkFkY202RGtMS0taTjRnOEd4OGlsZ1VORUhFCnIxUlV1eS81N0U1NXpOcWYxSUU0
            WER1cFY3a2lWU01tTUQ2Vk5VK2JmSDAKLS0tIHUxL3F5UWZ2aUwxd2JXZG5ybE9w
            d29oZ1poZU5ZTlgxMmlsVWpoMUtFYjAKdRoXdqxfxyOL++pP0izdUuZngMcF24ne
            OJ6kVJexJF9Hu9InwPeDtRboMhMi01gt6L5a47hOX5FUsi+4HbeVLQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1q47vup0tjhulkg7d6xwmdsgrw64h4ax3la3evzqpxyy4adsmk9fs56qz3y
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWmJZWDZtWFJaTCtmdVNG
            QkNiK1hFdWlnVFp0ZG01V1A3cFdtU2xGN1NBCm1oeXlLT3NYMC9lZDlHSnJGQUc1
            RnppNjc0QnBqSW5XTWUxZExBMHhORDQKLS0tIHpJNDJBU25COGR2dlg5em5YcGZB
            VTBqRjhZWkdmdVdoa0V0VmIzdm5hbTgKEa9hW6jU538meU2Sm//b7OUBqqjAHHL5
            rluVCSMcrcoVtui0mB8vMoKeh6/n/qRLe38a/puvAj0q/PolN9ZEhA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13lmqgc3jvkyah5e3vcwmj4s5wsc2akctcga0lpc0x8v8du3fxprqp4ldkv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVlp4clVEb3Y4d0hzSEtW
            dUMyb3V1aHlMS0Fvc0lGU3doRjE3SVFrNVdFCkpTQ1k2RTBIb2tzQ3UxajlPSWhY
            ZzkwUWlDYWROZXpHMlFVaTM0MFlpMXcKLS0tIFNUN1QyRk41WkhPblZMbVFXNkZi
            N1RkUVc0N0hIaUs3RXpXTWpDZTBOUXcKgOW6IV1mh3q8NT2Ky9EKlywWBaaCn5ML
            bhfmmvt1Fndh2ys3poxODjNDiow34VxwhS+Ou0HsxsJ7zu7VvmPh0w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1xzxryqq63x65yuza9lmmkud7crjjxpnkdew070yhx6xn7xe4tdws5twxsv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnOXR6SWh2SlBWdjZVL3F1
            ckd4N3JKNkkzYWtlRWN2QUFob3FJRkxQU1RNClllMDFMRE80ODROZDR3Y2g0Z2xs
            aXJORTI1azEzbnhJMkZiNmNKZDBsOVUKLS0tIHZjV3BXaG9WVzNzVDZHYVdmOFdM
            S3hZMkgvYkl5Ky9uYmpjVHpFUlMwYTgKIHxHRPMgEAgQNXg5lK2QkdBjMcamlxSp
            HEoT/APYI/NN3V2l7mgfiH/fn2FXGdd3Ct5mqwp25GUYIp45zN3pqA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ufnewppysaq2wwcl4ugngjz8pfzc5a35yg7luq0qmuqvctajcycs5lf6k4
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXSnNxaDVSbUJ2Y1NSc0hV
            TWhzNzNRWTNhV1BBMFhPeVQ5eHkzb3Bkams4Ck1YdDExcU1WdExEQ0M1VXZpUzBV
            L0xSTENrOEZlOU1XUHNUbEtHbURSK1UKLS0tIEJkaE9QOUdzN1VDbWFTSWd6RkY4
            UzQzWEFtSDJwR201cmZoeXh5T0RmSk0KWLOpw5cWbtnfVP/ISa7n1vZchoD+nxmn
            7yr7igpEIro0Sd238KinOQYswVaT0NHB9p1dSW/mN+aGQliSNLzkDQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-01-07T20:13:43Z"
    mac: ENC[AES256_GCM,data:Q5fmv+MRVYGUQ4j+28CcGWHmgT1178N+haVS9xa0c99OKuPZdfSndAG0QVDhh/jYq+7zXs6zzLtBjB+egkoDfxJXfJOmg3E46UMO3vDHaEcIZD16ZbWJaz4Z/+yabqhDURKtgfGiu4xPv3OtGbwcP5kud17WcHNfY/LT+Y+LSD8=,iv:y3K3kCroIh+RTplUe4tM8B9rbLgIHCbE6FJawngam8Q=,tag:2VTIWlLp4cOwm18BfIlz5g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.2