testing cosmic

Flake lock file updates:

• Updated input 'firefox-addons':
    'gitlab:rycee/nur-expressions/9a96d7b0485be4654b6f2237efeccb1144d1ba54?dir=pkgs/firefox-addons&narHash=sha256-YDDKpj1j9MqGZgrugfu8mQWjpiy4r7fZ1FMJL58NasM%3D' (2025-01-25)
  → 'gitlab:rycee/nur-expressions/dc86c8feffa328d9050e039a1286e175af6d76d8?dir=pkgs/firefox-addons&narHash=sha256-ppR81tMrcQk/wHm8MmKtp3mrtYmMTgF2lxLLXYwRsOM%3D' (2025-02-01)
• Updated input 'home-manager':
    'github:nix-community/home-manager/daf04c5950b676f47a794300657f1d3d14c1a120?narHash=sha256-5HGG09bh/Yx0JA8wtBMAzt0HMCL1bYZ93x4IqzVExio%3D' (2025-01-24)
  → 'github:nix-community/home-manager/8544cd092047a7e92d0dce011108a563de7fc0f2?narHash=sha256-ZlLTnqIQQ8OE6AtT%2BfluB642j2R9tnvxHHtpnmLjSxQ%3D' (2025-02-01)
• Updated input 'nixos-cosmic':
    'github:lilyinstarlight/nixos-cosmic/e277b9162637a85f45c4564d687729797f560637?narHash=sha256-5/8KyhEtPLXqmE5CygvMSZZUw8wHcq/bFh1ckTtDDcA%3D' (2025-01-25)
  → 'github:lilyinstarlight/nixos-cosmic/51b9cce097da369550f45ac07879274dc8be81e4?narHash=sha256-y9st4Y0p5ry%2B6QdlIGeqxAA6rbEIOO1uXdAc5jxV2Bc%3D' (2025-01-31)
• Updated input 'nixos-cosmic/nixpkgs-stable':
    'github:NixOS/nixpkgs/035f8c0853c2977b24ffc4d0a42c74f00b182cd8?narHash=sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I%3D' (2025-01-23)
  → 'github:NixOS/nixpkgs/59e618d90c065f55ae48446f307e8c09565d5ab0?narHash=sha256-B/7Y1v4y%2BmsFFBW1JAdFjNvVthvNdJKiN6EGRPnqfno%3D' (2025-01-29)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/dfad538f751a5aa5d4436d9781ab27a6128ec9d4?narHash=sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4%3D' (2025-01-24)
  → 'github:nixos/nixos-hardware/34b64e4e1ddb14e3ffc7db8d4a781396dbbab773?narHash=sha256-6HI58PKjddsC0RA0gBQlt6ox47oH//jLUHwx05RO8g0%3D' (2025-02-01)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/825479c345a7f806485b7f00dbe3abb50641b083?narHash=sha256-nU6AezEX4EuahTO1YopzueAXfjFfmCHylYEFCagduHU%3D' (2025-01-24)
  → 'github:nixos/nixpkgs/9d3ae807ebd2981d593cddd0080856873139aa40?narHash=sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9%2BWC4%3D' (2025-01-29)
• Updated input 'nixpkgs-master':
    'github:nixos/nixpkgs/8504e3c64d7ad6943f9e684cc3fe83ad443a009b?narHash=sha256-RFDB7DV2TTh/2dX2X8IRUOeKTxUiFmnHg82IV2OEZf0%3D' (2025-01-26)
  → 'github:nixos/nixpkgs/102a39bfee444533e6b4e8611d7e92aa39b7bec1?narHash=sha256-Q4vhtbLYWBUnjWD4iQb003Lt%2BN5PuURDad1BngGKdUs%3D' (2025-02-01)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4?narHash=sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw%3D' (2025-01-20)
  → 'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7?narHash=sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320%3D' (2025-01-31)
• Updated input 'system_tools':
    'github:RichieCahill/system_tools/a643f2e67492901e3975aeab603f4a71f54e645d?narHash=sha256-agiofvmeAjAzQxs3HXe0ruKwgws0PECBjc8HlTkgDlc%3D' (2025-01-20)
  → 'github:RichieCahill/system_tools/a697bd3df11ba40afd40d6324a39859c91b7bb78?narHash=sha256-wC8hJvhdFdrEtzc7HMWyXNtQbS3CVyOjUUpEHtxOlJg%3D' (2025-01-31)

.github/workflows/build_systems.yml

@@ -0,0 +1,25 @@
+name: build_systems
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  build:
+    name: build-${{ matrix.system }}
+    runs-on: self-hosted
+    strategy:
+      matrix:
+        system:
+          - "bob"
+          - "jeeves"
+          - "rhapsody-in-green"
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build default package
+        run: "nixos-rebuild build --flake ./#${{ matrix.system }}"
+      - name: copy to nix-cache
+        env:
+          NIX_SSHOPTS: "-vvvv"
+        run: nix copy --to ssh://jeeves .#nixosConfigurations.${{ matrix.system }}.config.system.build.toplevel

.github/workflows/update-flake-lock.yml

@@ -0,0 +1,22 @@
+name: update-flake-lock
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@main
+        with:
+          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+          pr-title: "Update flake.lock"
+          pr-labels: |
+            dependencies
+            automated

.gitignore

@@ -160,3 +160,8 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+test.*
+
+# syncthing
+.stfolder

.sops.yaml

@@ -0,0 +1,17 @@
+keys:
+  - &admin_richie age1u8zj599elqqvcmhxn8zuwrufsz8w8w366d3ayrljjejljt2q45kq8mxw9c
+
+  - &system_bob age1q47vup0tjhulkg7d6xwmdsgrw64h4ax3la3evzqpxyy4adsmk9fs56qz3y
+  - &system_jeeves age13lmqgc3jvkyah5e3vcwmj4s5wsc2akctcga0lpc0x8v8du3fxprqp4ldkv
+  - &system_router age1xzxryqq63x65yuza9lmmkud7crjjxpnkdew070yhx6xn7xe4tdws5twxsv
+  - &system_rhapsody age1ufnewppysaq2wwcl4ugngjz8pfzc5a35yg7luq0qmuqvctajcycs5lf6k4
+
+creation_rules:
+  - path_regex: users/secrets\.yaml$
+    key_groups:
+      - age:
+          - *admin_richie
+          - *system_bob
+          - *system_jeeves
+          - *system_router
+          - *system_rhapsody

.vscode/settings.json

@@ -1,27 +1,49 @@
 {
   "cSpell.words": [
     "aboutwelcome",
+    "acltype",
+    "addstr",
+    "advplyr",
     "ahci",
+    "aioesphomeapi",
+    "aiounifi",
     "alsa",
+    "apiclient",
+    "archlinux",
+    "ashift",
     "asrouter",
+    "attroff",
+    "attron",
+    "audiobooks",
+    "audiobookshelf",
     "auditd",
     "autofetch",
+    "autologin",
+    "automations",
     "autopull",
+    "autotrim",
+    "autoupdate",
     "azuretools",
     "bantime",
+    "bazarr",
+    "binhex",
     "bitwarden",
+    "blkdiscard",
     "breakpad",
     "btop",
     "cachix",
+    "canmount",
     "captivedetect",
     "cgroupdriver",
     "charliermarsh",
+    "cloudflared",
     "codezombiech",
     "compactmode",
     "Compat",
     "contentblocking",
     "cookiebanners",
     "crlite",
+    "cryptsetup",
     "darkreader",
     "datareporting",
     "davidanson",
@@ -32,44 +54,72 @@
     "diffie",
     "direnv",
     "dmask",
+    "dnodesize",
     "dotfiles",
     "drawio",
     "eamodio",
     "endlessh",
     "errorlens",
     "esbenp",
+    "esphome",
     "extest",
     "fastforwardteam",
     "FASTFOX",
+    "ffmpegthumbnailer",
+    "filebot",
+    "filebrowser",
     "fileroller",
     "findbar",
+    "Fira",
     "fmask",
+    "fontconfig",
     "formfill",
     "foxundermoon",
     "FULLSCREEN",
+    "fwupd",
     "fxaccounts",
     "gamemode",
     "gamescope",
+    "getch",
+    "getmaxyx",
     "ghdeploy",
     "globalprivacycontrol",
     "gparted",
+    "gtts",
+    "gutenprint",
+    "hass",
     "healthreport",
     "Heatsink",
     "hediet",
     "hexeditor",
     "hicolor",
     "hmac",
+    "homeassistant",
     "HPKP",
+    "hplip",
     "htmlaboutaddons",
+    "hurlenko",
     "hwloc",
+    "INITDB",
+    "iocharset",
+    "ioit",
     "iperf",
+    "isal",
+    "jellyfin",
     "jnoortheen",
     "jsbc",
+    "kagi",
+    "kuma",
+    "levelname",
     "libglvnd",
     "libmysqlclient",
     "libsodium",
     "libssh",
     "libvirtd",
+    "llms",
+    "localtime",
+    "louislam",
+    "lsnew",
     "luks",
     "lynis",
     "mangohud",
@@ -78,46 +128,82 @@
     "maxtime",
     "mechatroner",
     "mediainfo",
+    "mklabel",
+    "mkpart",
     "modesetting",
+    "mountpoint",
+    "mountpoints",
     "mousewheel",
     "mtxr",
     "ncdu",
     "nemo",
     "neofetch",
+    "nerdfonts",
+    "netdev",
+    "netdevs",
+    "Networkd",
     "networkmanager",
     "newtabpage",
     "nixos",
     "nixpkgs",
     "nmap",
+    "noauto",
+    "noecho",
     "nonsponsored",
+    "Noto",
     "nvme",
     "OCSP",
     "oderwat",
+    "oneshot",
     "optimise",
     "optoutstudies",
     "overalljails",
     "overscroll",
+    "overseerr",
     "pbmode",
     "pciutils",
+    "pcscd",
     "pdfjs",
     "peerconnection",
     "PESKYFOX",
+    "PGID",
     "pipewire",
     "pkgs",
     "plugdev",
+    "poppler",
+    "posixacl",
+    "primarycache",
+    "prismlauncher",
     "privatebrowsing",
+    "PRIVOXY",
+    "prowlarr",
     "proxychains",
     "prusa",
+    "psycopg",
+    "PUID",
     "pulseaudio",
     "punycode",
+    "pychromecast",
     "pylance",
+    "pymetno",
+    "pyownet",
+    "qbit",
+    "qbittorrent",
+    "qbittorrentvpn",
+    "qbitvpn",
     "quicksuggest",
+    "radarr",
     "readahead",
+    "receiveencrypted",
     "Redistributable",
     "referer",
     "REFERERS",
+    "relatime",
     "Rhosts",
     "ripgrep",
+    "rokuecp",
+    "routable",
+    "rspace",
     "rtkit",
     "rycee",
     "safebrowsing",
@@ -129,30 +215,41 @@
     "signon",
     "Signons",
     "skia",
+    "smartd",
     "smartmontools",
     "SMOOTHFOX",
     "socialtracking",
+    "sonarr",
     "sponsorblock",
     "sqltools",
+    "ssdp",
+    "SSHOPTS",
     "stdenv",
     "subresource",
     "substituters",
     "supermaven",
+    "sysstat",
     "tabmanager",
     "tamasfe",
     "tiktok",
     "timonwong",
+    "tmmworkshop",
+    "Tmpfs",
     "topsites",
     "topstories",
+    "torrenting",
     "twimg",
     "uaccess",
     "ublock",
+    "uiprotect",
     "uitour",
+    "unrar",
     "unsubmitted",
     "urlbar",
     "urlclassifier",
     "usbhid",
     "usbutils",
+    "useragent",
     "usernamehw",
     "userprefs",
     "vfat",
@@ -161,12 +258,20 @@
     "vpnpromourl",
     "webchannel",
     "WEBRTC",
+    "WEBUI",
     "wireshark",
+    "Workqueues",
+    "xattr",
     "xhci",
+    "yazi",
+    "yubikey",
+    "yubioath",
     "yzhang",
+    "zeroconf",
     "zerotier",
     "zerotierone",
     "zoxide",
+    "zram",
     "zstd"
   ]
 }

common/global/default.nix

@@ -0,0 +1,65 @@
+{
+  inputs,
+  lib,
+  outputs,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    inputs.sops-nix.nixosModules.sops
+    ./fail2ban.nix
+    ./fonts.nix
+    ./libs.nix
+    ./locale.nix
+    ./nh.nix
+    ./nix.nix
+    ./programs.nix
+    ./ssh.nix
+    ./snapshot_manager.nix
+  ];
+
+  boot = {
+    tmp.useTmpfs = true;
+    kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
+    zfs.package = lib.mkDefault pkgs.zfs_2_3;
+  };
+
+  hardware.enableRedistributableFirmware = true;
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = {inherit inputs outputs;};
+    backupFileExtension = "backup";
+  };
+
+  nixpkgs = {
+    overlays = builtins.attrValues outputs.overlays;
+    config.allowUnfree = true;
+  };
+
+  services = {
+    # firmware update
+    fwupd.enable = true;
+
+    snapshot_manager.enable = lib.mkDefault true;
+
+    zfs = {
+      trim.enable = lib.mkDefault true;
+      autoScrub.enable = lib.mkDefault true;
+    };
+  };
+
+  programs.zsh.enable = true;
+
+  security.auditd.enable = lib.mkDefault true;
+
+  users.mutableUsers = lib.mkDefault false;
+
+  zramSwap = {
+    enable = lib.mkDefault true;
+    priority = 1000;
+  };
+}

common/global/fonts.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  fonts = {
+    fontconfig.enable = true;
+    enableDefaultPackages = true;
+    packages = with pkgs; [
+      nerd-fonts.roboto-mono
+      nerd-fonts.intone-mono
+      nerd-fonts.symbols-only
+    ];
+  };
+}

common/global/nix.nix

@@ -0,0 +1,43 @@
+{
+  inputs,
+  lib,
+  ...
+}: let
+  flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+in {
+  nix = {
+    settings = {
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
+      trusted-substituters = [
+        "https://cache.nixos.org"
+        "https://cache.tmmworkshop.com"
+        "https://nix-community.cachix.org"
+      ];
+      substituters = [
+        "https://cache.nixos.org/?priority=2&want-mass-query=true"
+        "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true"
+        "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
+      ];
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+      auto-optimise-store = lib.mkDefault true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "ca-derivations"
+      ];
+      warn-dirty = false;
+      flake-registry = ""; # disable global flake registries
+    };
+
+    # Add each flake input as a registry and nix_path
+    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+}

common/global/programs.nix

@@ -2,6 +2,6 @@
 {
   environment.systemPackages = with pkgs; [
     git
-    python312
+    python313
   ];
 }

common/global/snapshot_config.toml

@@ -0,0 +1,29 @@
+["default"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/home"]
+15_min = 8
+hourly = 12
+daily = 1
+monthly = 0
+
+["root_pool/root"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/nix"]
+15_min = 4
+hourly = 0
+daily = 0
+monthly = 0
+
+["root_pool/var"]
+15_min = 8
+hourly = 24
+daily = 30
+monthly = 6

common/global/snapshot_manager.nix

@@ -0,0 +1,44 @@
+{ inputs, pkgs, lib, config, ... }:
+let
+  cfg = config.services.snapshot_manager;
+in
+{
+  options = {
+    services.snapshot_manager = {
+      enable = lib.mkOption {
+        default = true;
+        example = true;
+        description = "Whether to enable k3s-net.";
+        type = lib.types.bool;
+      };
+      path = lib.mkOption {
+        type = lib.types.path;
+        description = "Path that needs to be updated via git pull";
+        default = ./snapshot_config.toml;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd = {
+      services."snapshot_manager" = {
+        description = "ZFS Snapshot Manager";
+        requires = [ "zfs-import.target" ];
+        after = [ "zfs-import.target" ];
+        path = [ pkgs.zfs ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/snapshot_manager --config-file='${cfg.path}'";
+        };
+      };
+      timers."snapshot_manager" = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "15m";
+          OnUnitActiveSec = "15m";
+          Unit = "snapshot_manager.service";
+        };
+      };
+    };
+  };
+}

common/optional/desktop.nix

@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+{
+  boot = {
+    kernelPackages = pkgs.linuxPackages_6_12;
+    zfs.package = pkgs.zfs_2_3;
+  };
+
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = true;
+  };
+
+  # rtkit is optional but recommended for pipewire
+  security.rtkit.enable = true;
+
+  services = {
+    displayManager.sddm = {
+      enable = true;
+      wayland.enable = true;
+    };
+
+    desktopManager.plasma6.enable = true;
+
+    xserver = {
+      enable = true;
+      xkb = {
+        layout = "us";
+        variant = "";
+      };
+    };
+
+    pulseaudio.enable = false;
+
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      wireplumber.enable = true;
+    };
+  };
+}

common/optional/printing.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  services.printing = {
+    enable = true;
+    drivers = with pkgs; [ gutenprint hplip ];
+  };
+}

common/optional/scanner.nix

@@ -0,0 +1,6 @@
+{
+  hardware.sane = {
+    enable = true;
+    drivers.scanSnap.enable = true;
+  };
+}

common/optional/steam.nix

@@ -10,8 +10,13 @@
       gamescopeSession.enable = true;
       remotePlay.openFirewall = true;
       localNetworkGameTransfers.openFirewall = true;
+      protontricks.enable = true;
       extraCompatPackages = with pkgs; [proton-ge-bin];
       extest.enable = true;
     };
+    gamescope = {
+      enable = true;
+      capSysNice = true;
+    };
   };
 }

common/optional/syncthing_base.nix

@@ -0,0 +1,17 @@
+{
+  services.syncthing = {
+    enable = true;
+    user = "richie";
+    overrideDevices = true;
+    overrideFolders = true;
+    dataDir = "/home/richie/Syncthing";
+    configDir = "/home/richie/.config/syncthing";
+    settings.devices = {
+      phone.id = "LTGPLAE-M4ZDJTM-TZ3DJGY-SLLAVWF-CQDVEVS-RGCS75T-GAPZYK3-KUM6LA5"; # cspell:disable-line
+      jeeves.id = "ICRHXZW-ECYJCUZ-I4CZ64R-3XRK7CG-LL2HAAK-FGOHD22-BQA4AI6-5OAL6AG"; # cspell:disable-line
+      ipad.id = "KI76T3X-SFUGV2L-VSNYTKR-TSIUV5L-SHWD3HE-GQRGRCN-GY4UFMD-CW6Z6AX"; # cspell:disable-line
+      bob.id = "CJIAPEJ-VO74RR4-F75VU6M-QNZAMYG-FYUJG7Y-6AT62HJ-355PRPL-PJFETAZ"; # cspell:disable-line
+      rhapsody-in-green.id = "ASL3KC4-3XEN6PA-7BQBRKE-A7JXLI6-DJT43BY-Q4WPOER-7UALUAZ-VTPQ6Q4"; # cspell:disable-line
+    };
+  };
+}

common/optional/update.nix

@@ -0,0 +1,9 @@
+{
+  system.autoUpgrade = {
+    enable = true;
+    flags = [ "--accept-flake-config" ];
+    randomizedDelaySec = "1h";
+    persistent = true;
+    flake = "github:RichieCahill/dotfiles";
+  };
+}

common/optional/yubikey.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  services.pcscd.enable = true;
+
+  environment.systemPackages = [ pkgs.yubioath-flutter ];
+}

common/optional/zerotier.nix

@@ -0,0 +1,11 @@
+{
+  services.zerotierone = {
+    enable = true;
+    joinNetworks = [ "e4da7455b2ae64ca" ];
+  };
+  nix.settings = {
+    trusted-substituters = [ "http://192.168.90.40:5000" ];
+    substituters = [ "http://192.168.90.40:5000/?priority=1&want-mass-query=true" ];
+    trusted-public-keys = [ "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA=" ];
+  };
+}

flake.lock

@@ -9,11 +9,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1725940994,
-        "narHash": "sha256-PCj5WMvCMg2g8gBNf3izt4rPu5b5Mi/7zxmXHit3N3U=",
+        "lastModified": 1738382607,
+        "narHash": "sha256-ppR81tMrcQk/wHm8MmKtp3mrtYmMTgF2lxLLXYwRsOM=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "93857a3619db67e72f5012ce3cb001e402b86dbe",
+        "rev": "dc86c8feffa328d9050e039a1286e175af6d76d8",
         "type": "gitlab"
       },
       "original": {
@@ -39,28 +39,6 @@
         "type": "github"
       }
     },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nixos-cosmic",
-          "nix-update",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1719994518,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "locked": {
         "lastModified": 1629284811,
@@ -81,11 +59,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -101,11 +79,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1725948275,
-        "narHash": "sha256-4QOPemDQ9VRLQaAdWuvdDBhh+lEUOAnSMHhdr4nS1mk=",
+        "lastModified": 1738415006,
+        "narHash": "sha256-ZlLTnqIQQ8OE6AtT+fluB642j2R9tnvxHHtpnmLjSxQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e5fa72bad0c6f533e8d558182529ee2acc9454fe",
+        "rev": "8544cd092047a7e92d0dce011108a563de7fc0f2",
         "type": "github"
       },
       "original": {
@@ -123,11 +101,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703863825,
-        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
         "owner": "nix-community",
         "repo": "nix-github-actions",
-        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
         "type": "github"
       },
       "original": {
@@ -136,45 +114,20 @@
         "type": "github"
       }
     },
-    "nix-update": {
-      "inputs": {
-        "flake-parts": "flake-parts",
-        "nixpkgs": [
-          "nixos-cosmic",
-          "nixpkgs"
-        ],
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1725635983,
-        "narHash": "sha256-haSfwdurfltqQ/7YEmDcmWLnWwvAgelIHnXsHG34P1k=",
-        "owner": "lilyinstarlight",
-        "repo": "nix-update",
-        "rev": "ed54a7546affb3f8c9c3e10a6fa6fdb21756ec8f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lilyinstarlight",
-        "repo": "nix-update",
-        "type": "github"
-      }
-    },
     "nixos-cosmic": {
       "inputs": {
         "flake-compat": "flake-compat",
-        "nix-update": "nix-update",
         "nixpkgs": [
           "nixpkgs"
         ],
-        "nixpkgs-stable": "nixpkgs-stable",
-        "rust-overlay": "rust-overlay"
+        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1725932078,
-        "narHash": "sha256-IATccCX01KHY3QDYmpCMu70WRWxJH4V7z9vp71RlSAs=",
+        "lastModified": 1738343111,
+        "narHash": "sha256-y9st4Y0p5ry+6QdlIGeqxAA6rbEIOO1uXdAc5jxV2Bc=",
         "owner": "lilyinstarlight",
         "repo": "nixos-cosmic",
-        "rev": "0452cc841e9b30160ae48db636164fb7a6d6bb72",
+        "rev": "51b9cce097da369550f45ac07879274dc8be81e4",
         "type": "github"
       },
       "original": {
@@ -185,11 +138,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1725885300,
-        "narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
+        "lastModified": 1738391520,
+        "narHash": "sha256-6HI58PKjddsC0RA0gBQlt6ox47oH//jLUHwx05RO8g0=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
+        "rev": "34b64e4e1ddb14e3ffc7db8d4a781396dbbab773",
         "type": "github"
       },
       "original": {
@@ -201,11 +154,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1725634671,
-        "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
+        "lastModified": 1738142207,
+        "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
+        "rev": "9d3ae807ebd2981d593cddd0080856873139aa40",
         "type": "github"
       },
       "original": {
@@ -215,29 +168,45 @@
         "type": "github"
       }
     },
+    "nixpkgs-master": {
+      "locked": {
+        "lastModified": 1738422722,
+        "narHash": "sha256-Q4vhtbLYWBUnjWD4iQb003Lt+N5PuURDad1BngGKdUs=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "102a39bfee444533e6b4e8611d7e92aa39b7bec1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1725826545,
-        "narHash": "sha256-L64N1rpLlXdc94H+F6scnrbuEu+utC03cDDVvvJGOME=",
+        "lastModified": 1738163270,
+        "narHash": "sha256-B/7Y1v4y+msFFBW1JAdFjNvVthvNdJKiN6EGRPnqfno=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f4c846aee8e1e29062aa8514d5e0ab270f4ec2f9",
+        "rev": "59e618d90c065f55ae48446f307e8c09565d5ab0",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1725826545,
-        "narHash": "sha256-L64N1rpLlXdc94H+F6scnrbuEu+utC03cDDVvvJGOME=",
+        "lastModified": 1735563628,
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f4c846aee8e1e29062aa8514d5e0ab270f4ec2f9",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
         "type": "github"
       },
       "original": {
@@ -259,14 +228,14 @@
           "nixpkgs"
         ],
         "systems": "systems_2",
-        "treefmt-nix": "treefmt-nix_2"
+        "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1723343306,
-        "narHash": "sha256-/6sRkPq7/5weX2y0V8sQ29Sz35nt8kyj+BsFtkhgbJE=",
+        "lastModified": 1736884309,
+        "narHash": "sha256-eiCqmKl0BIRiYk5/ZhZozwn4/7Km9CWTbc15Cv+VX5k=",
         "owner": "nix-community",
         "repo": "poetry2nix",
-        "rev": "4a1c112ff0c67f496573dc345bd0b2247818fc29",
+        "rev": "75d0515332b7ca269f6d7abfd2c44c47a7cbca7b",
         "type": "github"
       },
       "original": {
@@ -282,29 +251,30 @@
         "nixos-cosmic": "nixos-cosmic",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-stable": "nixpkgs-stable_2",
+        "sops-nix": "sops-nix",
         "system_tools": "system_tools",
         "systems": "systems_3"
       }
     },
-    "rust-overlay": {
+    "sops-nix": {
       "inputs": {
         "nixpkgs": [
-          "nixos-cosmic",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1725848835,
-        "narHash": "sha256-u4lCr+tOEWhsFiww5G04U5jUNzaQJi0/ZMIDGiLeT14=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "2ef910a6276a2f34513d18f2f826a8dea72c3b3f",
+        "lastModified": 1738291974,
+        "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
         "type": "github"
       },
       "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
+        "owner": "Mic92",
+        "repo": "sops-nix",
         "type": "github"
       }
     },
@@ -317,11 +287,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1725312414,
-        "narHash": "sha256-IWztoUBuZjqw5Mti/CJvvPvAHNpCfnZVS/gGNMdQUhQ=",
+        "lastModified": 1738431375,
+        "narHash": "sha256-jk6JrgqNe0dEPxV2xX/pBVsrPDfWaa033LKcyERkHJw=",
         "owner": "RichieCahill",
         "repo": "system_tools",
-        "rev": "632a465087f5b9ab7d6efc125bebfe6af57c1d58",
+        "rev": "36764189680c9be26192ee94da1a3f33f890ff0d",
         "type": "github"
       },
       "original": {
@@ -355,8 +325,9 @@
         "type": "github"
       },
       "original": {
-        "id": "systems",
-        "type": "indirect"
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
       }
     },
     "systems_3": {
@@ -375,28 +346,6 @@
       }
     },
     "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixos-cosmic",
-          "nix-update",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1719887753,
-        "narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "treefmt-nix_2": {
       "inputs": {
         "nixpkgs": [
           "system_tools",
@@ -405,11 +354,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719749022,
-        "narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
+        "lastModified": 1730120726,
+        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
+        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
         "type": "github"
       },
       "original": {

flake.nix

@@ -3,11 +3,13 @@
 
   nixConfig = {
     extra-substituters = [
-      "https://cache.nixos.org/?priority=1&want-mass-query=true"
+      "https://cache.nixos.org/?priority=2&want-mass-query=true"
+      "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true"
       "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
     ];
     extra-trusted-public-keys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       "cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
     ];
@@ -16,6 +18,7 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs-master.url = "github:nixos/nixpkgs/master";
     systems.url = "github:nix-systems/default-linux";
 
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
@@ -39,6 +42,11 @@
       url = "github:lilyinstarlight/nixos-cosmic";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = {
@@ -47,6 +55,7 @@
     home-manager,
     systems,
     nixos-cosmic,
+    sops-nix,
     ...
   } @ inputs: let
     inherit (self) outputs;
@@ -68,11 +77,21 @@
 
     nixosConfigurations = {
       bob = lib.nixosSystem {
-        modules = [./systems/bob];
+        modules = [
+          ./systems/bob
+        ];
         specialArgs = {inherit inputs outputs;};
       };
       jeeves = lib.nixosSystem {
-        modules = [./systems/jeeves];
+        modules = [
+          ./systems/jeeves
+        ];
+        specialArgs = {inherit inputs outputs;};
+      };
+      rhapsody-in-green = lib.nixosSystem {
+        modules = [
+          ./systems/rhapsody-in-green
+        ];
         specialArgs = {inherit inputs outputs;};
       };
     };

overlays/default.nix

@@ -6,4 +6,11 @@
       config.allowUnfree = true;
     };
   };
+  # When applied, the master nixpkgs set (declared in the flake inputs) will be accessible through 'pkgs.master'
+  master = final: _prev: {
+    master = import inputs.nixpkgs-master {
+      system = final.system;
+      config.allowUnfree = true;
+    };
+  };
 }

systems/bob/default.nix

@@ -1,103 +1,42 @@
-{
-  inputs,
-  ...
-}:
 {
   imports = [
-    inputs.nixos-hardware.nixosModules.framework-13-7040-amd
     ../../users/richie
-    ../common/global
-    ../common/optional/desktop.nix
-    ../common/optional/steam.nix
-    ../common/optional/syncthing_base.nix
-    ../common/optional/systemd-boot.nix
-    ../common/optional/zerotier.nix
+    ../../users/gaming
+    ../../common/global
+    ../../common/optional/desktop.nix
+    ../../common/optional/docker.nix
+    ../../common/optional/scanner.nix
+    ../../common/optional/steam.nix
+    ../../common/optional/syncthing_base.nix
+    ../../common/optional/systemd-boot.nix
+    ../../common/optional/update.nix
+    ../../common/optional/yubikey.nix
+    ../../common/optional/zerotier.nix
     ./hardware.nix
     ./nvidia.nix
+    ./syncthing.nix
+    ./games.nix
+    ./llms.nix
   ];
 
   networking = {
     hostName = "bob";
-    networkmanager.enable = true;
     hostId = "7c678a41";
+    firewall.enable = true;
+    networkmanager.enable = true;
   };
 
-  hardware = {
-    pulseaudio.enable = false;
-    bluetooth = {
-      enable = true;
-      powerOnBoot = true;
-    };
-  };
-
-  security.rtkit.enable = true;
-
   services = {
-
-    displayManager.sddm.enable = true;
+    displayManager = {
+      enable = true;
+      autoLogin = {
+        user = "gaming";
+        enable = true;
+      };
+      defaultSession = "plasma";
+    };
 
     openssh.ports = [ 262 ];
-
-    printing.enable = true;
-
-    pipewire = {
-      enable = true;
-      alsa.enable = true;
-      alsa.support32Bit = true;
-      pulse.enable = true;
-    };
-
-    syncthing.settings.folders = {
-      "notes" = {
-        id = "l62ul-lpweo"; # cspell:disable-line
-        path = "/home/richie/notes";
-        devices = [
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "books" = {
-        id = "6uppx-vadmy"; # cspell:disable-line
-        path = "/home/richie/books";
-        devices = [
-          "phone"
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "important" = {
-        id = "4ckma-gtshs"; # cspell:disable-line
-        path = "/home/richie/important";
-        devices = [
-          "phone"
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "music" = {
-        id = "vprc5-3azqc"; # cspell:disable-line
-        path = "/home/richie/music";
-        devices = [
-          "ipad"
-          "phone"
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "projects" = {
-        id = "vyma6-lqqrz"; # cspell:disable-line
-        path = "/home/richie/projects";
-        devices = [
-          "jeeves"
-        ];
-        fsWatcherEnabled = true;
-      };
-    };
-
-    zfs = {
-      trim.enable = true;
-      autoScrub.enable = true;
-    };
   };
 
   system.stateVersion = "24.05";

systems/bob/games.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    osu-lazer-bin
+    jellyfin-media-player
+  ];
+}

systems/bob/hardware.nix

@@ -22,8 +22,12 @@
         "sd_mod"
       ];
       kernelModules = [ ];
-      luks.devices = {
-        "luks-root-pool-nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2".device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2";
+      luks.devices."luks-root-pool-nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2" = {
+        device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2";
+        bypassWorkqueues = true;
+        allowDiscards = true;
+        keyFileSize = 4096;
+        keyFile = "/dev/disk/by-id/usb-Samsung_Flash_Drive_FIT_0374620080067131-0:0";
       };
     };
     kernelModules = [ "kvm-amd" ];

systems/bob/llms.nix

@@ -0,0 +1,24 @@
+{
+  services = {
+    ollama = {
+      enable = true;
+      loadModels = [ 
+        "codellama:7b"
+        "deepseek-r1:1.5b"
+        "deepseek-r1:7b"
+        "deepseek-r1:8b"
+        "deepseek-r1:14b"
+        "deepseek-r1:32b"
+        "llama3.2:3b"
+        "mistral-nemo:12b"
+      ];
+      acceleration = "cuda";
+      openFirewall = true;
+    };
+    open-webui = {
+      enable = true;
+      openFirewall = true;
+      host = "192.168.90.25";
+    }; 
+  }; 
+}

systems/bob/nvidia.nix

@@ -5,8 +5,9 @@
     nvidia = {
       modesetting.enable = true;
       powerManagement.enable = true;
-      package = config.boot.kernelPackages.nvidiaPackages.production;
+      package = config.boot.kernelPackages.nvidiaPackages.beta;
       nvidiaSettings = true;
+      open = true;
     };
     nvidia-container-toolkit.enable = true;
   };

systems/bob/syncthing.nix

@@ -0,0 +1,33 @@
+{    
+  services.syncthing.settings.folders = {
+    "dotfiles" = {
+      path = "/home/richie/dotfiles";
+      devices = [
+        "jeeves"
+        "rhapsody-in-green"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "important" = {
+      id = "4ckma-gtshs"; # cspell:disable-line
+      path = "/home/richie/important";
+      devices = [
+        "phone"
+        "jeeves"
+        "rhapsody-in-green"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "music" = {
+      id = "vprc5-3azqc"; # cspell:disable-line
+      path = "/home/richie/music";
+      devices = [
+        "ipad"
+        "phone"
+        "jeeves"
+        "rhapsody-in-green"
+      ];
+      fsWatcherEnabled = true;
+    };
+  };
+}

systems/common/global/default.nix

@@ -1,41 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  outputs,
-  ...
-}:
-{
-  imports = [
-    inputs.home-manager.nixosModules.home-manager
-    ./docker.nix
-    ./fail2ban.nix
-    ./libs.nix
-    ./locale.nix
-    ./nh.nix
-    ./nix.nix
-    ./programs.nix
-    ./ssh.nix
-  ];
-
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-
-  security.auditd.enable = lib.mkDefault true;
-
-  programs = {
-    zsh.enable = true;
-    fish.enable = true;
-  };
-
-  users.mutableUsers = lib.mkDefault true;
-
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    extraSpecialArgs = {inherit inputs outputs;};
-  };
-
-  nixpkgs.config.allowUnfree = true;
-
-  hardware.enableRedistributableFirmware = true;
-}

systems/common/global/nix.nix

@@ -1,28 +0,0 @@
-{
-  inputs,
-  lib,
-  ...
-}: let
-  flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
-in {
-  nix = {
-    settings = {
-      trusted-users = [
-        "root"
-        "@wheel"
-      ];
-      auto-optimise-store = lib.mkDefault true;
-      experimental-features = [
-        "nix-command"
-        "flakes"
-        "ca-derivations"
-      ];
-      warn-dirty = false;
-      flake-registry = ""; # disable global flake registries
-    };
-
-    # Add each flake input as a registry and nix_path
-    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
-    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
-  };
-}

systems/common/optional/desktop.nix

@@ -1,12 +0,0 @@
-{
-  services = {
-    desktopManager.plasma6.enable = true;
-    xserver = {
-      enable = true;
-      xkb = {
-        layout = "us";
-        variant = "";
-      };
-    };
-  };
-}

systems/common/optional/syncthing_base.nix

@@ -1,18 +0,0 @@
-{
-  services.syncthing = {
-    enable = true;
-    user = "richie";
-    overrideDevices = true;
-    overrideFolders = true;
-    dataDir = "/home/richie/Syncthing";
-    configDir = "/home/richie/.config/syncthing";
-    settings = {
-      devices = {
-        phone.id = "LTGPLAE-M4ZDJTM-TZ3DJGY-SLLAVWF-CQDVEVS-RGCS75T-GAPZYK3-KUM6LA5"; # cspell:disable-line
-        jeeves.id = "RCDU465-AIQRBEJ-VWC4EZF-2AMXABC-F3S4NFW-QA4ZUAQ-OVNUBLI-BUJJTA2"; # cspell:disable-line
-        ipad.id = "KI76T3X-SFUGV2L-VSNYTKR-TSIUV5L-SHWD3HE-GQRGRCN-GY4UFMD-CW6Z6AX"; # cspell:disable-line
-        bob.id = "CJIAPEJ-VO74RR4-F75VU6M-QNZAMYG-FYUJG7Y-6AT62HJ-355PRPL-PJFETAZ"; # cspell:disable-line
-      };
-    };
-  };
-}

systems/common/optional/update.nix

@@ -1,19 +0,0 @@
-{ lib, ... }:
-{
-  services.autopull = {
-    enable = lib.mkDefault true;
-    repo.dotfiles = {
-      enable = lib.mkDefault true;
-      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
-      path = lib.mkDefault /root/dotfiles;
-    };
-  };
-
-  system.autoUpgrade = {
-    enable = lib.mkDefault true;
-    flags = [ "--accept-flake-config" ];
-    randomizedDelaySec = "1h";
-    persistent = true;
-    flake = "github:RAD-Development/nix-dotfiles";
-  };
-}

systems/common/optional/zerotier.nix

@@ -1,6 +0,0 @@
-{
-  services.zerotierone = {
-    enable = true;
-    joinNetworks = [ "e4da7455b2ae64ca" ];
-  };
-}

systems/jeeves/arch_mirror.nix

@@ -1,29 +0,0 @@
-{ inputs, pkgs, ... }:
-let
-  vars = import ./vars.nix;
-in
-{
-  virtualisation.oci-containers.containers.arch_mirror = {
-    image = "ubuntu/apache2:latest";
-    volumes = [
-      "${../common/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
-      "${vars.media_mirror}:/data"
-    ];
-    ports = [ "800:80" ];
-    extraOptions = [ "--network=web" ];
-    autoStart = true;
-  };
-
-  systemd.services.sync_mirror = {
-    requires = [ "network-online.target" ];
-    after = [ "network-online.target" ];
-    wantedBy = [ "multi-user.target" ];
-    description = "validates startup";
-    path = [ pkgs.rsync ];
-    serviceConfig = {
-      Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
-      Type = "simple";
-      ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/sync_mirror";
-    };
-  };
-}

systems/jeeves/default.nix

@@ -1,21 +1,18 @@
-{ config, pkgs, ... }:
-let
-  vars = import ./vars.nix;
-in
 {
   imports = [
     ../../users/richie
-    ../common/global
-    ../common/optional/ssh_decrypt.nix
-    ../common/optional/syncthing_base.nix
-    ../common/optional/systemd-boot.nix
-    ../common/optional/zerotier.nix
-    ./arch_mirror.nix
+    ../../common/global
+    ../../common/optional/docker.nix
+    ../../common/optional/ssh_decrypt.nix
+    ../../common/optional/syncthing_base.nix
+    ../../common/optional/zerotier.nix
     ./docker
+    ./services
     ./hardware.nix
     ./networking.nix
     ./programs.nix
-    ./services.nix
+    ./runners
+    ./syncthing.nix
   ];
 
   boot.zfs.extraPools = [
@@ -27,89 +24,10 @@ in
   services = {
     openssh.ports = [ 629 ];
 
-    plex = {
-      enable = true;
-      dataDir = vars.media_plex;
-    };
-
     smartd.enable = true;
 
-    sysstat.enable = true;
-
-    syncthing.guiAddress = "192.168.90.40:8384";
-    syncthing.settings.folders = {
-      "notes" = {
-        id = "l62ul-lpweo"; # cspell:disable-line
-        path = vars.media_notes;
-        devices = [
-          "bob"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "books" = {
-        id = "6uppx-vadmy"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/books";
-        devices = [
-          "bob"
-          "phone"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "important" = {
-        id = "4ckma-gtshs"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/important";
-        devices = [
-          "bob"
-          "phone"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "music" = {
-        id = "vprc5-3azqc"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/music";
-        devices = [
-          "bob"
-          "ipad"
-          "phone"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "projects" = {
-        id = "vyma6-lqqrz"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/projects";
-        devices = [
-          "bob"
-        ];
-        fsWatcherEnabled = true;
-      };
-    };
-
-    zfs = {
-      trim.enable = true;
-      autoScrub.enable = true;
-    };
+    snapshot_manager.path = ./snapshot_config.toml;
   };
-  systemd = {
-    services."snapshot_manager" = {
-      description = "ZFS Snapshot Manager";
-      requires = [ "zfs-import.target" ];
-      after = [ "zfs-import.target" ];
-      serviceConfig = {
-        Environment = "ZFS_BIN=${pkgs.zfs}/bin/zfs";
-        Type = "oneshot";
-        ExecStart = "${pkgs.python3}/bin/python3 ${vars.media_scripts}/ZFS/snapshot_manager.py --config-file='${./snapshot_config.toml}'";
-      };
-    };
-    timers."snapshot_manager" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnBootSec = "15m";
-        OnUnitActiveSec = "15m";
-        Unit = "snapshot_manager.service";
-      };
-    };
-  };
-
 
   system.stateVersion = "24.05";
 }

systems/jeeves/docker/filebrowser.nix

@@ -1,15 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers.filebrowser = {
-    image = "hurlenko/filebrowser:latest";
-    extraOptions = [ "--network=web" ];
-    volumes = [
-      "/zfs:/data"
-      "${vars.media_docker_configs}/filebrowser:/config"
-    ];
-    autoStart = true;
-    user = "1000:users";
-  };
-}

systems/jeeves/docker/haproxy.cfg

@@ -1,68 +0,0 @@
-global
-  log stdout format raw local0
-  # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
-  stats timeout 30s
-
-defaults
-  log global
-  mode http
-  retries 3
-  maxconn 2000
-  timeout connect 5s
-  timeout client 50s
-  timeout server 50s
-  timeout http-request 10s
-  timeout http-keep-alive 2s
-  timeout queue 5s
-  timeout tunnel 2m
-  timeout client-fin 1s
-  timeout server-fin 1s
-
-
-#Application Setup
-frontend ContentSwitching
-  bind *:80
-  bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
-  mode  http
-  # tmmworkshop.com
-  acl host_mirror   hdr(host) -i mirror.tmmworkshop.com
-  acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
-  acl host_grafana  hdr(host) -i grafana.tmmworkshop.com
-  acl host_filebrowser  hdr(host) -i filebrowser.tmmworkshop.com
-  acl host_uptime_kuma  hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
-  acl host_overseerr  hdr(host) -i overseerr.tmmworkshop.com
-
-  use_backend mirror_nodes   if host_mirror
-  use_backend dndrules_nodes if host_dndrules
-  use_backend grafana_nodes  if host_grafana
-  use_backend filebrowser_nodes  if host_filebrowser
-  use_backend uptime_kuma_nodes  if host_uptime_kuma
-  use_backend overseerr_nodes  if host_overseerr
-
-backend mirror_nodes
-  mode http
-  server server arch_mirror:80
-
-backend mirror_rsync
-  mode http
-  server server arch_mirror:873
-
-backend grafana_nodes
-  mode http
-  server server grafana:3000
-
-backend dndrules_nodes
-  mode http
-  server server dnd_file_server:80
-
-backend filebrowser_nodes
-  mode http
-  server server filebrowser:8080
-
-backend uptime_kuma_nodes
-  mode http
-  server server uptime_kuma:3001
-
-backend overseerr_nodes
-  mode http
-  server server overseerr:5055

systems/jeeves/docker/internal.nix

@@ -1,144 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    qbit = {
-      image = "ghcr.io/linuxserver/qbittorrent:latest";
-      ports = [
-        "6881:6881"
-        "6881:6881/udp"
-        "8082:8082"
-        "29432:29432"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbit:/config"
-        "${vars.torrenting_qbit}:/data"
-      ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-        WEBUI_PORT = "8082";
-      };
-      autoStart = true;
-    };
-    qbitvpn = {
-      image = "binhex/arch-qbittorrentvpn:latest";
-      extraOptions = [ "--cap-add=NET_ADMIN" ];
-      ports = [
-        "6882:6881"
-        "6882:6881/udp"
-        "8081:8081"
-        "8118:8118"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbitvpn:/config"
-        "${vars.torrenting_qbitvpn}:/data"
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-      environment = {
-        WEBUI_PORT = "8081";
-        PUID = "600";
-        PGID = "100";
-        VPN_ENABLED = "yes";
-        VPN_CLIENT = "openvpn";
-        STRICT_PORT_FORWARD = "yes";
-        ENABLE_PRIVOXY = "yes";
-        LAN_NETWORK = "192.168.90.0/24";
-        NAME_SERVERS = "1.1.1.1,1.0.0.1";
-        UMASK = "000";
-        DEBUG = "false";
-        DELUGE_DAEMON_LOG_LEVEL = "debug";
-        DELUGE_WEB_LOG_LEVEL = "debug";
-      };
-      environmentFiles = [/root/secrets/docker/qbitvpn];
-      autoStart = true;
-    };
-    bazarr = {
-      image = "ghcr.io/linuxserver/bazarr:latest";
-      ports = [ "6767:6767" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/bazarr:/config"
-        "${vars.storage_plex}/movies:/movies"
-        "${vars.storage_plex}/tv:/tv"
-      ];
-      autoStart = true;
-    };
-    prowlarr = {
-      image = "ghcr.io/linuxserver/prowlarr:latest";
-      ports = [ "9696:9696" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
-      autoStart = true;
-    };
-    radarr = {
-      image = "ghcr.io/linuxserver/radarr:latest";
-      ports = [ "7878:7878" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/radarr:/config"
-        "${vars.storage_plex}/movies:/movies"
-        "${vars.torrenting_qbitvpn}:/data"
-      ];
-      autoStart = true;
-    };
-    sonarr = {
-      image = "ghcr.io/linuxserver/sonarr:latest";
-      ports = [ "8989:8989" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/sonarr:/config"
-        "${vars.storage_plex}/tv:/tv"
-        "${vars.torrenting_qbitvpn}:/data"
-      ];
-      autoStart = true;
-    };
-    overseerr = {
-      image = "ghcr.io/linuxserver/overseerr";
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.media_docker_configs}/overseerr:/config" ];
-      dependsOn = [
-        "radarr"
-        "sonarr"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    whisper = {
-      image = "ghcr.io/linuxserver/faster-whisper:latest";
-      ports = [ "10300:10300" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-        WHISPER_MODEL = "tiny-int8";
-        WHISPER_LANG = "en";
-        WHISPER_BEAM = "1";
-      };
-      volumes = [ "${vars.media_docker_configs}/whisper:/config" ];
-      autoStart = true;
-    };
-  };
-}

systems/jeeves/docker/postgresql.nix

@@ -1,32 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  users = {
-    users.postgres = {
-      isSystemUser = true;
-      group = "postgres";
-      uid = 999;
-    };
-    groups.postgres = {
-      gid = 999;
-    };
-  };
-
-  virtualisation.oci-containers.containers = {
-    postgres = {
-      image = "postgres:16";
-      ports = [ "5432:5432" ];
-      volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
-      environment = {
-        POSTGRES_USER = "admin";
-        POSTGRES_DB = "archive";
-        POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
-      };
-      environmentFiles = [/root/secrets/docker/postgres];
-      autoStart = true;
-      user = "postgres:postgres";
-    };
-  };
-
-}

systems/jeeves/docker/qbit.nix

@@ -0,0 +1,29 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 6881 8082 29432 ]; 
+    allowedUDPPorts = [ 6881 29432 ];
+  };
+  virtualisation.oci-containers.containers.qbit = {
+    image = "ghcr.io/linuxserver/qbittorrent:5.0.2";
+    ports = [
+      "6881:6881"
+      "6881:6881/udp"
+      "8082:8082"
+      "29432:29432"
+    ];
+    volumes = [
+      "${vars.media_docker_configs}/qbit:/config"
+      "${vars.torrenting_qbit}:/data"
+    ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+      WEBUI_PORT = "8082";
+    };
+    autoStart = true;
+  };
+}

systems/jeeves/docker/qbitvpn.nix

@@ -0,0 +1,42 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 6882 8081 8118 ];
+    allowedUDPPorts = [ 6882 ];
+  };
+  virtualisation.oci-containers.containers.qbitvpn = {
+    image = "binhex/arch-qbittorrentvpn:5.0.3-1-01";
+    devices = [ "/dev/net/tun:/dev/net/tun" ];
+    extraOptions = [ "--cap-add=NET_ADMIN" ];
+    ports = [
+      "6882:6881"
+      "6882:6881/udp"
+      "8081:8081"
+      "8118:8118"
+    ];
+    volumes = [
+      "${vars.media_docker_configs}/qbitvpn:/config"
+      "${vars.torrenting_qbitvpn}:/data"
+      "/etc/localtime:/etc/localtime:ro"
+    ];
+    environment = {
+      WEBUI_PORT = "8081";
+      PUID = "600";
+      PGID = "100";
+      VPN_ENABLED = "yes";
+      VPN_CLIENT = "openvpn";
+      STRICT_PORT_FORWARD = "yes";
+      ENABLE_PRIVOXY = "yes";
+      LAN_NETWORK = "192.168.90.0/24";
+      NAME_SERVERS = "1.1.1.1,1.0.0.1";
+      UMASK = "000";
+      DEBUG = "false";
+      DELUGE_DAEMON_LOG_LEVEL = "debug";
+      DELUGE_WEB_LOG_LEVEL = "debug";
+    };
+    environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/share.nix

@@ -0,0 +1,15 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  virtualisation.oci-containers.containers.share = {
+    image = "ubuntu/apache2:2.4-22.04_beta";
+    ports = [ "8091:80" ];
+    volumes = [
+      "${../../../common/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
+      "${vars.media_share}:/data"
+    ];
+    extraOptions = [ "--network=web" ];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/uptime_kuma.nix

@@ -4,7 +4,8 @@ in
 {
   virtualisation.oci-containers.containers = {
     uptime_kuma = {
-      image = "louislam/uptime-kuma:latest";
+      ports = [ "3001:3001" ];
+      image = "louislam/uptime-kuma:1.23.16-debian";
       volumes = [
         "${vars.media_docker_configs}/uptime_kuma:/app/data"
         "/var/run/docker.sock:/var/run/docker.sock"

systems/jeeves/docker/web.nix

@@ -1,56 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    grafana = {
-      image = "grafana/grafana-enterprise:latest";
-      volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
-      user = "600:600";
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    dnd_file_server = {
-      image = "ubuntu/apache2:latest";
-      volumes = [
-        "${../../common/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
-        "${vars.storage_main}/Table_Top/:/data"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    haproxy = {
-      image = "haproxy:latest";
-      user = "600:600";
-      environment = {
-        TZ = "Etc/EST";
-      };
-      volumes = [
-        "/root/secrets/docker/cloudflare.pem:/etc/ssl/certs/cloudflare.pem"
-        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
-      ];
-      dependsOn = [
-        "arch_mirror"
-        "dnd_file_server"
-        "filebrowser"
-        "grafana"
-        "overseerr"
-        "uptime_kuma"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    cloud_flare_tunnel = {
-      image = "cloudflare/cloudflared:latest";
-      user = "600:600";
-      cmd = [
-        "tunnel"
-        "run"
-      ];
-      environmentFiles = [/root/secrets/docker/cloud_flare_tunnel];
-      dependsOn = [ "haproxy" ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-  };
-}

systems/jeeves/hardware.nix

@@ -1,9 +1,26 @@
-{ config, lib,  modulesPath, ... }:
-
+{ config, lib, modulesPath, ... }:
 {
   imports =[ (modulesPath + "/installer/scan/not-detected.nix") ];
 
   boot = {
+    loader = {
+      grub = {
+        enable = true;
+        zfsSupport = true;
+        efiSupport = true;
+        mirroredBoots = [
+          {
+            devices = [ "nodev" ];
+            path = "/boot0";
+          }
+          {
+            devices = [ "nodev" ];
+            path = "/boot1";
+          }
+        ];
+      };
+      efi.canTouchEfiVariables = true;
+    };
     initrd = {
       availableKernelModules = [
         "ahci"
@@ -17,8 +34,77 @@
       ];
       kernelModules = [ ];
       luks.devices = {
-        "luks-root-pool-wwn-0x500a0751e6c3c01e-part2".device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part2";
-        "luks-root-pool-wwn-0x500a0751e6c3c01c-part2".device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01c-part2";
+        # cspell:disable
+        # Root pool
+        "luks-root-pool-wwn-0x55cd2e4150f01519-part2" = {
+          device = "/dev/disk/by-id/wwn-0x55cd2e4150f01519-part2";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-root-pool-wwn-0x55cd2e4150f01556-part2" = {
+          device = "/dev/disk/by-id/wwn-0x55cd2e4150f01556-part2";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        # Media pool
+        "luks-media_pool-nvme-INTEL_SSDPEK1A118GA_BTOC14120V2J118B-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_SSDPEK1A118GA_BTOC14120V2J118B-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-media_pool-nvme-INTEL_SSDPEK1A118GA_BTOC14120WAG118B-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_SSDPEK1A118GA_BTOC14120WAG118B-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-media_pool-nvme-INTEL_SSDPE2ME012T4_CVMD5130000G1P2HGN-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_SSDPE2ME012T4_CVMD5130000G1P2HGN-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-media_pool-nvme-INTEL_SSDPE2ME012T4_CVMD5130000U1P2HGN-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_SSDPE2ME012T4_CVMD5130000U1P2HGN-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        # Storage pool
+        "luks-storage_pool-nvme-Samsung_SSD_970_EVO_Plus_2TB_S6S2NS0T834822N-part1" = {
+          device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6S2NS0T834822N-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-storage_pool-nvme-Samsung_SSD_970_EVO_Plus_2TB_S6S2NS0T834817F-part1" = {
+          device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6S2NS0T834817F-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-storage_pool-nvme-INTEL_MEMPEK1W016GA_PHBT828104DF016D-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_MEMPEK1W016GA_PHBT828104DF016D-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-storage_pool-nvme-INTEL_MEMPEK1W016GA_PHBT828105A8016D-part1" = {
+          device = "/dev/disk/by-id/nvme-INTEL_MEMPEK1W016GA_PHBT828105A8016D-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-storage_pool-wwn-0x5000cca23bc438dd-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bc438dd-part1";
+        "luks-storage_pool-wwn-0x5000cca23bd035f5-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bd035f5-part1";
+        "luks-storage_pool-wwn-0x5000cca23bd00ad6-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bd00ad6-part1";
+        "luks-storage_pool-wwn-0x5000cca23bcf313e-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bcf313e-part1";
+        "luks-storage_pool-wwn-0x5000cca23bcdf3b8-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bcdf3b8-part1";
+        "luks-storage_pool-wwn-0x5000cca23bd02746-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bd02746-part1";
+        "luks-storage_pool-wwn-0x5000cca23bcf9f89-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bcf9f89-part1";
+        "luks-storage_pool-wwn-0x5000cca23bd00ae9-part1".device = "/dev/disk/by-id/wwn-0x5000cca23bd00ae9-part1";
+        # Torrenting pool
+        "luks-torrenting_pool-wwn-0x500a0751e6c3c01e-part1" = {
+          device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part1";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+        "luks-torrenting_pool-wwn-0x5000cca264f080a3-part1".device = "/dev/disk/by-id/wwn-0x5000cca264f080a3-part1";
+        "luks-torrenting_pool-wwn-0x5000cca298c33ae5-part1".device = "/dev/disk/by-id/wwn-0x5000cca298c33ae5-part1";
+        # cspell:enable
       };
     };
     kernelModules = [ "kvm-amd" ];
@@ -36,13 +122,26 @@
       fsType = "zfs";
     };
 
+    "/nix" =
+    { device = "root_pool/nix";
+      fsType = "zfs";
+    };
+
     "/var" = {
       device = "root_pool/var";
       fsType = "zfs";
     };
 
-    "/boot" = {
-      device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part1";
+    "/boot0" = {
+      device = "/dev/disk/by-id/wwn-0x55cd2e4150f01556-part1";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+    "/boot1" = {
+      device = "/dev/disk/by-id/wwn-0x55cd2e4150f01519-part1";
       fsType = "vfat";
       options = [
         "fmask=0077"

systems/jeeves/networking.nix

@@ -2,36 +2,60 @@
   networking = {
     hostName = "jeeves";
     hostId = "0e15ce35";
-    firewall.enable = false;
+    firewall.enable = true;
     useNetworkd = true;
   };
 
   systemd.network = {
+
     enable = true;
+
+    netdevs = {
+      "20-ioit-vlan" = {
+        netdevConfig = {
+          Kind = "vlan";
+          Name = "ioit-vlan";
+        };
+        vlanConfig.Id = 20;
+      };
+      "21-internal-ioit-vlan" = {
+        netdevConfig = {
+          Kind = "vlan";
+          Name = "internal-ioit-vlan";
+        };
+        vlanConfig.Id = 21;
+      };
+    };
+
     networks = {
       "10-1GB_Primary" = {
         matchConfig.Name = "enp98s0f0";
-        DHCP = "yes";
+        address = [ "192.168.95.14/24" ];
+        routes = [{ Gateway = "192.168.95.1"; }];
+        vlan = [ "ioit-vlan" "internal-ioit-vlan" ];
+        linkConfig.RequiredForOnline = "routable";
       };
-    };
-    networks = {
       "10-1GB_Secondary" = {
         matchConfig.Name = "enp98s0f1";
         DHCP = "yes";
       };
-    };
-    networks = {
       "10-10GB_Primary" = {
         matchConfig.Name = "enp97s0f0np0";
         DHCP = "yes";
         linkConfig.RequiredForOnline = "routable";
       };
-    };
-    networks = {
       "10-10GB_Secondary" = {
         matchConfig.Name = "enp97s0f1np1";
         DHCP = "yes";
       };
+      "40-ioit-vlan" = {
+        matchConfig.Name = "ioit-vlan";
+        DHCP = "yes";
+      };
+      "41-internal-ioit-vlan" = {
+        matchConfig.Name = "internal-ioit-vlan";
+        DHCP = "yes";
+      };
     };
   };
 

systems/jeeves/runners/default.nix

@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+{
+  imports = [ ./nix_builder.nix ];
+
+  users = {
+    users.github-runners = {
+      shell = pkgs.bash;
+      isSystemUser = true;
+      group = "github-runners";
+      uid = 601;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/S8i+BNX/12JNKg+5EKGX7Aqimt5KM+ve3wt/SyWuO github-runners" # cspell:disable-line
+      ];
+    };
+    groups.github-runners.gid = 601;
+  };
+  
+
+  services.nix_builder.containers = {
+    nix-builder-0.enable = true;
+    nix-builder-1.enable = true;
+    nix-builder-2.enable = true;
+    nix-builder-3.enable = true;
+    nix-builder-4.enable = true;
+    nix-builder-5.enable = true;
+  };
+}

systems/jeeves/runners/nix_builder.nix

@@ -0,0 +1,83 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  vars = import ../vars.nix;
+in
+{
+  options.services.nix_builder.containers = mkOption {
+    type = types.attrsOf (types.submodule ({ name, ... }: {
+      options.enable = mkEnableOption "GitHub runner container";
+    }));
+    default = {};
+    description = "GitHub runner container configurations";
+  };
+
+  config.containers = mapAttrs (name: cfg:
+    mkIf cfg.enable {
+      autoStart = true;
+      bindMounts = {
+        "/storage" = {
+          mountPoint = "/zfs/media/github-runners/${name}";
+          isReadOnly = false;
+        };
+        "/secrets".mountPoint = "${vars.storage_secrets}/services/github-runners/${name}";
+        "ssh-keys".mountPoint = "${vars.storage_secrets}/services/github-runners/id_ed25519_github-runners";
+      };
+      config = { config, pkgs, lib, ... }: {
+          nix.settings = {
+            trusted-substituters = [
+              "https://cache.nixos.org"
+              "https://cache.tmmworkshop.com"
+              "https://nix-community.cachix.org"
+            ];
+            substituters = [
+              "https://cache.nixos.org/?priority=2&want-mass-query=true"
+              "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true"
+              "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
+            ];
+            trusted-public-keys = [
+              "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+              "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA="
+              "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+            ];
+            experimental-features = [
+              "flakes"
+              "nix-command"
+            ];
+          };
+          programs.ssh.extraConfig = ''
+            Host jeeves
+              Port 629
+              User github-runners
+              HostName 192.168.95.14
+              IdentityFile ${vars.storage_secrets}/services/github-runners/id_ed25519_github-runners
+              StrictHostKeyChecking no
+              UserKnownHostsFile /dev/null
+          '';
+          services.github-runners.${name} = {
+            enable = true;
+            replace = true;
+            workDir = "/zfs/media/github-runners/${name}";
+            url = "https://github.com/RichieCahill/dotfiles";
+            extraLabels = [ "nixos" ];
+            tokenFile = "${vars.storage_secrets}/services/github-runners/${name}";
+            user = "github-runners";
+            group = "github-runners";
+            extraPackages = with pkgs; [ nixos-rebuild openssh ];
+          };
+          users = {
+            users.github-runners = {
+              shell = pkgs.bash;
+              isSystemUser = true;
+              group = "github-runners";
+              uid = 601;
+            };
+            groups.github-runners.gid = 601;
+          };
+          system.stateVersion = "24.11";
+      };
+    }
+  ) config.services.nix_builder.containers;
+}

systems/jeeves/scripts/zfs.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# zpools
+
+# media
+sudo zpool create -o ashift=12 -O acltype=posixacl -O atime=off -O dnodesize=auto -O xattr=sa -O compression=zstd -m /zfs/media media mirror
+sudo zpool add media -o ashift=12 special mirror
+
+# storage
+sudo zpool create -o ashift=12 -O acltype=posixacl -O atime=off -O dnodesize=auto -O xattr=sa -O compression=zstd -m /zfs/storage storage
+sudo zpool add storage -o ashift=12 special mirror
+sudo zpool add storage -o ashift=12 logs mirror
+
+# torrenting
+sudo zpool create -o ashift=12 -O acltype=posixacl -O atime=off -O dnodesize=auto -O xattr=sa -O compression=zstd -m /zfs/torrenting torrenting
+sudo zpool add torrenting -o ashift=12 special
+
+# media datasets
+sudo zfs create -o compression=zstd-9 media/docker
+sudo zfs create -o recordsize=1M -o compression=zstd-19 media/library
+sudo zfs create -o compression=zstd-9 -o sync=disabled media/github-runners
+sudo zfs create -o copies=3 media/notes
+sudo zfs create -o compression=zstd-9 media/plex
+sudo zfs create -o compression=zstd-9 media/services
+sudo zfs create -o compression=zstd-19 media/home_assistant
+sudo zfs create -o exec=off media/share
+sudo zfs create -o recordsize=16k -o primarycache=metadata -o mountpoint=/zfs/media/database/postgres media/postgres
+
+# storage datasets
+sudo zfs create -o recordsize=1M -o compression=zstd-19 storage/archive
+sudo zfs create -o compression=zstd-19 storage/main
+sudo zfs create -o recordsize=16K -o compression=zstd-19 -o copies=2 storage/photos
+sudo zfs create -o recordsize=1M -o compression=zstd-19 storage/plex
+sudo zfs create -o compression=zstd-19 -o copies=3 storage/secrets
+sudo zfs create -o compression=zstd-19 storage/syncthing
+
+# torrenting datasets
+sudo zfs create -o recordsize=16K -o exec=off -o sync=disabled torrenting/qbit
+sudo zfs create -o recordsize=16K -o exec=off -o sync=disabled torrenting/qbitvpn

systems/jeeves/services/audiobookshelf.nix

@@ -0,0 +1,13 @@
+{ lib, ... }:
+let
+  vars = import ../vars.nix;
+in
+{
+  services.audiobookshelf = {
+    enable = true;
+    openFirewall = true;
+    host = "192.168.90.40";
+  };
+  systemd.services.audiobookshelf.serviceConfig.WorkingDirectory = lib.mkForce "${vars.media_docker_configs}/audiobookshelf";
+  users.users.audiobookshelf.home = lib.mkForce "${vars.media_docker_configs}/audiobookshelf";
+}

systems/jeeves/services/cloud_flare_tunnel.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+let
+  vars = import ../vars.nix;
+in
+{
+  systemd.services.cloud_flare_tunnel = {
+    description = "cloud_flare_tunnel proxy's traffic through cloudflare";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      EnvironmentFile = "${vars.storage_secrets}/docker/cloud_flare_tunnel";
+      ExecStart = "${pkgs.cloudflared}/bin/cloudflared --no-autoupdate tunnel run";
+      Restart = "on-failure";
+    };
+  };
+}
+

systems/jeeves/services/default.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+{
+  imports =
+    let
+      files = builtins.attrNames (builtins.readDir ./.);
+      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
+    in
+    map (file: ./. + "/${file}") nixFiles;
+}

systems/jeeves/services/duckdns.nix

@@ -0,0 +1,10 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  services.duckdns = {
+    enable = true;
+    tokenFile = "${vars.storage_secrets}/services/duckdns/token";
+    domainsFile = "${vars.storage_secrets}/services/duckdns/domains";
+  };
+}

systems/jeeves/services/filebrowser.nix

@@ -0,0 +1,23 @@
+{
+  pkgs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+
+  systemd.services.filebrowser = {
+    description = "filebrowser";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      User = "richie";
+      Group = "users";
+      ExecStart = "${pkgs.filebrowser}/bin/filebrowser --root=/zfs --address=0.0.0.0 --database=${vars.media_docker_configs}/filebrowser/filebrowser.db";
+      Restart = "on-failure";
+    };
+  };
+}

systems/jeeves/services/haproxy.cfg

@@ -0,0 +1,73 @@
+global
+  log stdout format raw local0
+  # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+  stats timeout 30s
+
+defaults
+  log global
+  mode http
+  retries 3
+  maxconn 2000
+  timeout connect 5s
+  timeout client 50s
+  timeout server 50s
+  timeout http-request 10s
+  timeout http-keep-alive 2s
+  timeout queue 5s
+  timeout tunnel 2m
+  timeout client-fin 1s
+  timeout server-fin 1s
+
+
+#Application Setup
+frontend ContentSwitching
+  bind *:80
+  bind *:443 ssl crt /zfs/storage/secrets/docker/cloudflare.pem
+  mode  http
+  # tmmworkshop.com
+  acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
+  acl host_cache  hdr(host) -i cache.tmmworkshop.com
+  acl host_filebrowser  hdr(host) -i filebrowser.tmmworkshop.com
+  acl host_homeassistant  hdr(host) -i homeassistant.tmmworkshop.com
+  acl host_jellyfin  hdr(host) -i jellyfin.tmmworkshop.com
+  acl host_share  hdr(host) -i share.tmmworkshop.com
+  acl host_uptime_kuma  hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
+
+  use_backend audiobookshelf_nodes if host_audiobookshelf
+  use_backend cache_nodes  if host_cache
+  use_backend filebrowser_nodes  if host_filebrowser
+  use_backend homeassistant_nodes  if host_homeassistant
+  use_backend jellyfin if host_jellyfin
+  use_backend share_nodes  if host_share
+  use_backend uptime_kuma_nodes  if host_uptime_kuma
+
+backend audiobookshelf_nodes
+  mode http
+  server server 192.168.90.40:8000
+
+backend cache_nodes
+  mode http
+  server server 192.168.90.40:5000
+
+backend filebrowser_nodes
+  mode http
+  server server 192.168.90.40:8080
+
+backend homeassistant_nodes
+  mode http
+  server server 192.168.95.14:8123
+
+backend jellyfin
+    option httpchk
+    option forwardfor
+    http-check send meth GET uri /health
+    http-check expect string Healthy
+    server jellyfin 192.168.95.14:8096
+
+backend share_nodes
+  mode http
+  server server 192.168.95.14:8091
+
+backend uptime_kuma_nodes
+  mode http
+  server server 192.168.95.14:3001

systems/jeeves/services/haproxy.nix

@@ -0,0 +1,8 @@
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.haproxy = {
+    enable = true;
+    config = builtins.readFile ./haproxy.cfg;
+  };
+}

systems/jeeves/services/home_assistant.nix

@@ -0,0 +1,70 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  services ={
+    home-assistant = {
+      enable = true;
+      openFirewall = true;
+      configDir = vars.media_home_assistant;
+      config = {
+        http = {
+          server_port = 8123;
+          server_host = [
+            "192.168.95.14"
+            "192.168.90.40"
+            "192.168.98.4"
+          ];
+          use_x_forwarded_for = true;
+          trusted_proxies = "192.168.95.0/24";
+        };
+        homeassistant = {
+          time_zone = "America/New_York";
+          unit_system = "us_customary";
+          temperature_unit = "F";
+        };
+        assist_pipeline = { };
+        backup = { };
+        bluetooth = { };
+        config = { };
+        dhcp = { };
+        energy = { };
+        history = { };
+        homeassistant_alerts = { };
+        image_upload = { };
+        logbook = { };
+        media_source = { };
+        mobile_app = { };
+        ssdp = { };
+        sun = { };
+        webhook = { };
+        zeroconf = { };
+        automation = "!include automations.yaml";
+        script = "!include scripts.yaml";
+        scene = "!include scenes.yaml";
+        group = "!include groups.yaml";
+      };
+      extraPackages =
+        python3Packages: with python3Packages; [
+          aioesphomeapi
+          aiounifi
+          bleak-esphome
+          esphome-dashboard-api
+          gtts
+          jellyfin-apiclient-python
+          psycopg2
+          pymetno
+          pyownet
+          rokuecp
+          uiprotect
+          wakeonlan
+        ];
+      extraComponents = [ "isal" ];
+    };
+    esphome = {
+        enable = true;
+        openFirewall = true;
+        address = "192.168.90.40";
+    };
+  };
+}

systems/jeeves/services/jellyfin.nix

@@ -0,0 +1,10 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+    dataDir = "${vars.media_services}/jellyfin";
+  };
+}

systems/jeeves/services/nix_serve.nix

@@ -0,0 +1,10 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = "${vars.storage_secrets}/services/nix-cache/cache-priv-key.pem";
+    openFirewall = true;
+  };
+}

systems/jeeves/services/systemd.nix

@@ -3,6 +3,9 @@
   pkgs,
   ...
 }:
+let
+  vars = import ../vars.nix;
+in
 {
   systemd = {
     services = {
@@ -10,7 +13,7 @@
         description = "maintains /zfs/storage/plex permissions";
         serviceConfig = {
           Type = "oneshot";
-          ExecStart = "${pkgs.bash}/bin/bash ${./scripts/plex_permission.sh}";
+          ExecStart = "${pkgs.bash}/bin/bash ${../scripts/plex_permission.sh}";
         };
       };
       startup_validation = {
@@ -20,9 +23,9 @@
         description = "validates startup";
         path = [ pkgs.zfs ];
         serviceConfig = {
-          EnvironmentFile = "/root/secrets/services/server-validation";
+          EnvironmentFile = "${vars.storage_secrets}/services/server-validation";
           Type = "oneshot";
-          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_jeeves";
+          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_system --config-file='${./validate_system.toml}'";
         };
       };
     };

systems/jeeves/services/validate_system.toml

@@ -0,0 +1,13 @@
+zpool = ["root_pool", "storage", "torrenting", "media"]
+services = [
+    "audiobookshelf",
+    "cloud_flare_tunnel",
+    "haproxy",
+    "docker-qbit",
+    "docker-qbitvpn",
+    "docker-uptime_kuma",
+    "docker",
+    "filebrowser",
+    "home-assistant",
+    "jellyfin",
+]

systems/jeeves/snapshot_config.toml

@@ -1,8 +1,32 @@
-["media/Notes"]
+["default"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/home"]
+15_min = 8
+hourly = 24
+daily = 14
+monthly = 0
+
+["root_pool/root"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/nix"]
+15_min = 4
+hourly = 0
+daily = 0
+monthly = 0
+
+["root_pool/var"]
 15_min = 8
 hourly = 24
 daily = 30
-monthly = 12
+monthly = 6
 
 ["storage/plex"]
 15_min = 6

systems/jeeves/syncthing.nix

@@ -0,0 +1,129 @@
+let
+  vars = import ./vars.nix;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 8384 ]; 
+  
+  services.syncthing = {
+    guiAddress = "192.168.90.40:8384";
+    settings = {
+      devices.davids-server.id = "7GXTDGR-AOXFW2O-K6J7NM3-XYZNRRW-AKHAFWM-GBOWUPQ-OA6JIWD-ER7RDQL"; # cspell:disable-line
+      folders = {
+        "dotfiles" = {
+          path = "/home/richie/dotfiles";
+          devices = [
+            "bob"
+            "rhapsody-in-green"
+          ];
+          fsWatcherEnabled = true;
+        };
+        "notes" = {
+          id = "l62ul-lpweo"; # cspell:disable-line
+          path = vars.media_notes;
+          devices = [
+            "rhapsody-in-green"
+            "davids-server"
+          ];
+          fsWatcherEnabled = true;
+        };
+        "important" = {
+          id = "4ckma-gtshs"; # cspell:disable-line
+          path = "${vars.storage_syncthing}/important";
+          devices = [
+            "bob"
+            "rhapsody-in-green"
+            "phone"
+          ];
+          fsWatcherEnabled = true;
+        };
+        "music" = {
+          id = "vprc5-3azqc"; # cspell:disable-line
+          path = "${vars.storage_syncthing}/music";
+          devices = [
+            "bob"
+            "rhapsody-in-green"
+            "ipad"
+            "phone"
+          ];
+          fsWatcherEnabled = true;
+        };
+        "projects" = {
+          id = "vyma6-lqqrz"; # cspell:disable-line
+          path = "${vars.storage_syncthing}/projects";
+          devices = [
+            "rhapsody-in-green"
+          ];
+          fsWatcherEnabled = true;
+        };
+        "rhapsody-in-green_temp" = {
+          path = "${vars.storage_syncthing}/rhapsody-in-green_temp";
+          devices = [
+            "rhapsody-in-green"
+          ];
+          fsWatcherEnabled = true;
+        };
+        "vault" = {
+          path = "/home/richie/vault";
+          devices = [
+            "rhapsody-in-green"
+            "davids-server"
+          ];
+          fsWatcherEnabled = true;
+        };
+        "backup" = {
+          path = "${vars.storage_syncthing}/backup";
+          devices = [
+            "davids-server"
+          ];
+          fsWatcherEnabled = true;
+        };
+        # 
+        "davids-backup1" = {
+          id = "8229p-8z3tm"; # cspell:disable-line
+          path = "${vars.storage_syncthing}/davids_backups/1";
+          devices = [
+            "davids-server"
+          ];
+          fsWatcherEnabled = true;
+          type = "receiveencrypted";
+        };
+        "davids-backup2" = {
+          id = "iciw3-dp6ao"; # cspell:disable-line
+          path = "${vars.storage_syncthing}/davids_backups/2";
+          devices = [
+            "davids-server"
+          ];
+          fsWatcherEnabled = true;
+          type = "receiveencrypted";
+        };
+        "davids-backup3" = {
+          id = "9si6m-bnkjb"; # cspell:disable-line
+          path = "${vars.storage_syncthing}/davids_backups/3";
+          devices = [
+            "davids-server"
+          ];
+          fsWatcherEnabled = true;
+          type = "receiveencrypted";
+        };
+        "davids-backup4" = {
+          id = "qjyfy-uupj4"; # cspell:disable-line
+          path = "${vars.storage_syncthing}/davids_backups/4";
+          devices = [
+            "davids-server"
+          ];
+          fsWatcherEnabled = true;
+          type = "receiveencrypted";
+        };
+        "davids-backup5" = {
+          id = "fm4h5-emsu2"; # cspell:disable-line
+          path = "${vars.storage_syncthing}/davids_backups/5";
+          devices = [
+            "davids-server"
+          ];
+          fsWatcherEnabled = true;
+          type = "receiveencrypted";
+        };
+      };
+    };
+  };
+}

systems/jeeves/vars.nix

@@ -6,17 +6,22 @@ in
 {
   inherit zfs_media zfs_storage zfs_torrenting;
   # media
-  media_database = "${zfs_media}/syncthing/database";
+  media_database = "${zfs_media}/database";
   media_docker = "${zfs_media}/docker";
   media_docker_configs = "${zfs_media}/docker/configs";
   media_mirror = "${zfs_media}/mirror";
+  media_share = "${zfs_media}/share";
+  media_services = "${zfs_media}/services";  
   media_notes = "${zfs_media}/notes";
-  media_plex = "${zfs_media}/plex/";
-  media_scripts = "${zfs_media}/scripts";
+  media_plex = "${zfs_media}/plex";
+  media_home_assistant = "${zfs_media}/home_assistant";
   # storage
   storage_main = "${zfs_storage}/main";
+  storage_photos = "${zfs_storage}/photos";
   storage_plex = "${zfs_storage}/plex";
+  storage_secrets = "${zfs_storage}/secrets";
   storage_syncthing = "${zfs_storage}/syncthing";
+  storage_library = "${zfs_storage}/library";
   # torrenting
   torrenting_qbit = "${zfs_torrenting}/qbit";
   torrenting_qbitvpn = "${zfs_torrenting}/qbitvpn";

systems/rhapsody-in-green/default.nix

@@ -0,0 +1,33 @@
+{ inputs, ... }:
+{
+  imports = [
+    ../../users/richie
+    ../../common/global
+    ../../common/optional/desktop.nix
+    ../../common/optional/docker.nix
+    ../../common/optional/steam.nix
+    ../../common/optional/syncthing_base.nix
+    ../../common/optional/systemd-boot.nix
+    ../../common/optional/yubikey.nix
+    ../../common/optional/zerotier.nix
+    ./hardware.nix
+    ./syncthing.nix
+    inputs.nixos-hardware.nixosModules.framework-13-7040-amd
+    inputs.nixos-cosmic.nixosModules.default
+  ];
+
+  networking = {
+    hostName = "rhapsody-in-green";
+    hostId = "6404140d";
+    firewall.enable = true;
+    networkmanager.enable = true;
+  };
+
+  services = {
+    openssh.ports = [ 922 ];
+
+    desktopManager.cosmic.enable = true;  
+  };
+
+  system.stateVersion = "24.05";
+}

systems/rhapsody-in-green/hardware.nix

@@ -0,0 +1,56 @@
+{ config, lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "thunderbolt"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+      luks.devices = {
+        "luks-root-pool-nvme-Samsung_SSD_980_PRO_1TB_S5P2NU0X403203E-part2" = {
+          device = "/dev/disk/by-id/nvme-Samsung_SSD_980_PRO_1TB_S5P2NU0X403203E-part2";
+          bypassWorkqueues = true;
+          allowDiscards = true;
+        };
+      };
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = lib.mkDefault {
+      device = "root_pool/root";
+      fsType = "zfs";
+    };
+    "/home" = {
+      device = "root_pool/home";
+      fsType = "zfs";
+    };
+    "/var" = {
+      device = "root_pool/var";
+      fsType = "zfs";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/12CE-A600";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+  };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

systems/rhapsody-in-green/syncthing.nix

@@ -0,0 +1,64 @@
+{    
+  services.syncthing.settings.folders = {
+    "dotfiles" = {
+      path = "/home/richie/dotfiles";
+      devices = [
+        "jeeves"
+        "bob"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "notes" = {
+      id = "l62ul-lpweo"; # cspell:disable-line
+      path = "/home/richie/notes";
+      devices = [
+        "jeeves"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "important" = {
+      id = "4ckma-gtshs"; # cspell:disable-line
+      path = "/home/richie/important";
+      devices = [
+        "bob"
+        "jeeves"
+        "phone"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "music" = {
+      id = "vprc5-3azqc"; # cspell:disable-line
+      path = "/home/richie/music";
+      devices = [
+        "bob"
+        "ipad"
+        "jeeves"
+        "phone"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "projects" = {
+      id = "vyma6-lqqrz"; # cspell:disable-line
+      path = "/home/richie/projects";
+      devices = [
+        "jeeves"
+      ];
+      fsWatcherEnabled = true;
+    };
+    rhapsody-in-temp = {
+      id = "rhapsody-in-green_temp";
+      path = "/home/richie/temp";
+      devices = [
+        "jeeves"
+      ];
+      fsWatcherEnabled = true;
+    };
+    "vault" = {
+      path = "/home/richie/vault";
+      devices = [
+        "jeeves"
+      ];
+      fsWatcherEnabled = true;
+    };
+  };
+}

tools/installer.py

@@ -0,0 +1,682 @@
+"""Install NixOS on a ZFS pool."""
+
+from __future__ import annotations
+
+import curses
+import logging
+import sys
+from collections import defaultdict
+from os import getenv
+from pathlib import Path
+from random import getrandbits
+from subprocess import PIPE, Popen, run
+from time import sleep
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from collections.abc import Sequence
+
+
+def configure_logger(level: str = "INFO") -> None:
+    """Configure the logger.
+    Args:
+        level (str, optional): The logging level. Defaults to "INFO".
+    """
+    logging.basicConfig(
+        level=level,
+        datefmt="%Y-%m-%dT%H:%M:%S%z",
+        format="%(asctime)s %(levelname)s %(filename)s:%(lineno)d - %(message)s",
+        handlers=[logging.StreamHandler(sys.stdout)],
+    )
+
+
+def bash_wrapper(command: str) -> str:
+    """Execute a bash command and capture the output.
+    Args:
+        command (str): The bash command to be executed.
+    Returns:
+        Tuple[str, int]: A tuple containing the output of the command (stdout) as a string,
+        the error output (stderr) as a string (optional), and the return code as an integer.
+    """
+    logging.debug(f"running {command=}")
+    # This is a acceptable risk
+    process = Popen(command.split(), stdout=PIPE, stderr=PIPE)  # noqa: S603
+    output, _ = process.communicate()
+    if process.returncode != 0:
+        error = f"Failed to run command {command=} return code {process.returncode=}"
+        raise RuntimeError(error)
+
+    return output.decode()
+
+
+def partition_disk(disk: str, swap_size: int, reserve: int = 0) -> None:
+    """Partition a disk.
+    Args:
+        disk (str): The disk to partition.
+        swap_size (int): The size of the swap partition in GB.
+            minimum value is 1.
+        reserve (int, optional): The size of the reserve partition in GB. Defaults to 0.
+            minimum value is 0.
+    """
+    logging.info(f"partitioning {disk=}")
+    swap_size = max(swap_size, 1)
+    reserve = max(reserve, 0)
+
+    bash_wrapper(f"blkdiscard -f {disk}")
+
+    if reserve > 0:
+        msg = f"Creating swap partition on {disk=} with size {swap_size=}GiB and reserve {reserve=}GiB"
+        logging.info(msg)
+
+        swap_start = swap_size + reserve
+        swap_partition = f"mkpart swap -{swap_start}GiB -{reserve}GiB "
+    else:
+        logging.info(f"Creating swap partition on {disk=} with size {swap_size=}GiB")
+        swap_start = swap_size
+        swap_partition = f"mkpart swap -{swap_start}GiB 100% "
+
+    logging.debug(f"{swap_partition=}")
+
+    create_partitions = (
+        f"parted --script --align=optimal {disk} -- "
+        "mklabel gpt "
+        "mkpart EFI 1MiB 4GiB "
+        f"mkpart root_pool 4GiB -{swap_start}GiB "
+        f"{swap_partition}"
+        "set 1 esp on"
+    )
+    bash_wrapper(create_partitions)
+
+    logging.info(f"{disk=} successfully partitioned")
+
+
+def create_zfs_pool(pool_disks: Sequence[str], mnt_dir: str) -> None:
+    """Create a ZFS pool.
+    Args:
+        disks (Sequence[str]): A tuple of disks to use for the pool.
+        mnt_dir (str): The mount directory.
+    """
+    if len(pool_disks) <= 0:
+        error = "disks must be a tuple of at least length 1"
+        raise ValueError(error)
+
+    zpool_create = (
+        "zpool create "
+        "-o ashift=12 "
+        "-o autotrim=on "
+        f"-R {mnt_dir} "
+        "-O acltype=posixacl "
+        "-O canmount=off "
+        "-O dnodesize=auto "
+        "-O normalization=formD "
+        "-O relatime=on "
+        "-O xattr=sa "
+        "-O mountpoint=legacy "
+        "-O compression=zstd "
+        "-O atime=off "
+        "root_pool "
+    )
+    if len(pool_disks) == 1:
+        zpool_create += pool_disks[0]
+    else:
+        zpool_create += "mirror "
+        zpool_create += " ".join(pool_disks)
+
+    bash_wrapper(zpool_create)
+    zpools = bash_wrapper("zpool list -o name")
+    if "root_pool" not in zpools.splitlines():
+        logging.critical("Failed to create root_pool")
+        sys.exit(1)
+
+
+def create_zfs_datasets() -> None:
+    """Create ZFS datasets."""
+
+    bash_wrapper("zfs create -o canmount=noauto -o reservation=10G root_pool/root")
+    bash_wrapper("zfs create root_pool/home")
+    bash_wrapper("zfs create root_pool/var -o reservation=1G")
+    bash_wrapper("zfs create -o compression=zstd-9 -o reservation=10G root_pool/nix")
+    datasets = bash_wrapper("zfs list -o name")
+
+    expected_datasets = {
+        "root_pool/root",
+        "root_pool/home",
+        "root_pool/var",
+        "root_pool/nix",
+    }
+    missing_datasets = expected_datasets.difference(datasets.splitlines())
+    if missing_datasets:
+        logging.critical(f"Failed to create pools {missing_datasets}")
+        sys.exit(1)
+
+
+def get_cpu_manufacturer() -> str:
+    """Get the CPU manufacturer."""
+    output = bash_wrapper("cat /proc/cpuinfo")
+
+    id_vendor = {"AuthenticAMD": "amd", "GenuineIntel": "intel"}
+
+    for line in output.splitlines():
+        if "vendor_id" in line:
+            return id_vendor[line.split(": ")[1].strip()]
+
+
+def get_boot_drive_id(disk: str) -> str:
+    """Get the boot drive ID."""
+    output = bash_wrapper(f"lsblk -o UUID {disk}-part1")
+    return output.splitlines()[1]
+
+
+def create_nix_hardware_file(mnt_dir: str, disks: Sequence[str], encrypt: bool) -> None:
+    """Create a NixOS hardware file."""
+
+    cpu_manufacturer = get_cpu_manufacturer()
+
+    devices = ""
+    if encrypt:
+        disk = disks[0]
+
+        devices = (
+            f'     luks.devices."luks-root-pool-{disk.split("/")[-1]}-part2"'
+            "= {\n"
+            f'        device = "{disk}-part2";\n'
+            "        bypassWorkqueues = true;\n"
+            "        allowDiscards = true;\n"
+            "      };\n"
+        )
+
+    host_id = format(getrandbits(32), "08x")
+
+    nix_hardware = (
+        "{ config, lib, modulesPath, ... }:\n"
+        "{\n"
+        '  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];\n\n'
+        "  boot = {\n"
+        "    initrd = {\n"
+        '      availableKernelModules = [ \n        "ahci"\n        "ehci_pci"\n        "nvme"\n        "sd_mod"\n        "usb_storage"\n        "usbhid"\n        "xhci_pci"\n      ];\n'
+        "      kernelModules = [ ];\n"
+        f" {devices}"
+        "    };\n"
+        f'    kernelModules = [ "kvm-{cpu_manufacturer}" ];\n'
+        "    extraModulePackages = [ ];\n"
+        "  };\n\n"
+        "  fileSystems = {\n"
+        '    "/" = lib.mkDefault {\n      device = "root_pool/root";\n      fsType = "zfs";\n    };\n\n'
+        '    "/home" = {\n      device = "root_pool/home";\n      fsType = "zfs";\n    };\n\n'
+        '    "/var" = {\n      device = "root_pool/var";\n      fsType = "zfs";\n    };\n\n'
+        '    "/nix" = {\n      device = "root_pool/nix";\n      fsType = "zfs";\n    };\n\n'
+        '    "/boot" = {\n'
+        f'      device = "/dev/disk/by-uuid/{get_boot_drive_id(disks[0])}";\n'
+        '      fsType = "vfat";\n      options = [\n        "fmask=0077"\n        "dmask=0077"\n      ];\n    };\n  };\n\n'
+        "  swapDevices = [ ];\n\n"
+        "  networking.useDHCP = lib.mkDefault true;\n\n"
+        '  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";\n'
+        f"  hardware.cpu.{cpu_manufacturer}.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;\n"
+        f'  networking.hostId = "{host_id}";\n'
+        "}\n"
+    )
+
+    Path(f"{mnt_dir}/etc/nixos/hardware-configuration.nix").write_text(nix_hardware)
+
+
+def install_nixos(mnt_dir: str, disks: Sequence[str], encrypt: bool) -> None:
+    """Install NixOS."""
+    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/root {mnt_dir}")
+    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/home {mnt_dir}/home")
+    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/var {mnt_dir}/var")
+    bash_wrapper(f"mount -o X-mount.mkdir -t zfs root_pool/nix {mnt_dir}/nix")
+
+    for disk in disks:
+        bash_wrapper(f"mkfs.vfat -n EFI {disk}-part1")
+
+    # set up mirroring afterwards if more than one disk
+    boot_partition = f"mount -t vfat -o fmask=0077,dmask=0077,iocharset=iso8859-1,X-mount.mkdir {disks[0]}-part1 {mnt_dir}/boot"
+    bash_wrapper(boot_partition)
+
+    bash_wrapper(f"nixos-generate-config --root {mnt_dir}")
+
+    create_nix_hardware_file(mnt_dir, disks, encrypt)
+
+    run(("nixos-install", "--root", mnt_dir), check=True)  # noqa: S603
+
+
+def installer(
+    disks: set[str],
+    swap_size: int,
+    reserve: int,
+    encrypt_key: str | None,
+) -> None:
+    """Main."""
+    logging.info("Starting installation")
+
+    for disk in disks:
+        partition_disk(disk, swap_size, reserve)
+
+        if encrypt_key:
+            sleep(1)
+            for command in (
+                f'printf "{encrypt_key}" | cryptsetup luksFormat --type luks2 {disk}-part2 -',
+                f'printf "{encrypt_key}" | cryptsetup luksOpen {disk}-part2 luks-root-pool-{disk.split("/")[-1]}-part2 -',
+            ):
+                run(command, shell=True, check=True)
+
+    mnt_dir = "/tmp/nix_install"  # noqa: S108
+
+    Path(mnt_dir).mkdir(parents=True, exist_ok=True)
+
+    if encrypt_key:
+        pool_disks = [
+            f'/dev/mapper/luks-root-pool-{disk.split("/")[-1]}-part2' for disk in disks
+        ]
+    else:
+        pool_disks = [f"{disk}-part2" for disk in disks]
+
+    create_zfs_pool(pool_disks, mnt_dir)
+
+    create_zfs_datasets()
+
+    install_nixos(mnt_dir, disks, encrypt_key)
+
+    logging.info("Installation complete")
+
+
+class Cursor:
+    def __init__(self):
+        self.x_position = 0
+        self.y_position = 0
+        self.height = 0
+        self.width = 0
+
+    def set_height(self, height: int):
+        self.height = height
+
+    def set_width(self, width: int):
+        self.width = width
+
+    def x_bounce_check(self, cursor: int) -> int:
+        cursor = max(0, cursor)
+        return min(self.width - 1, cursor)
+
+    def y_bounce_check(self, cursor: int) -> int:
+        cursor = max(0, cursor)
+        return min(self.height - 1, cursor)
+
+    def set_x(self, x: int):
+        self.x_position = self.x_bounce_check(x)
+
+    def set_y(self, y: int):
+        self.y_position = self.y_bounce_check(y)
+
+    def get_x(self) -> int:
+        return self.x_position
+
+    def get_y(self) -> int:
+        return self.y_position
+
+    def move_up(self):
+        self.set_y(self.y_position - 1)
+
+    def move_down(self):
+        self.set_y(self.y_position + 1)
+
+    def move_left(self):
+        self.set_x(self.x_position - 1)
+
+    def move_right(self):
+        self.set_x(self.x_position + 1)
+
+    def navigation(self, key: int) -> None:
+        action = {
+            curses.KEY_DOWN: self.move_down,
+            curses.KEY_UP: self.move_up,
+            curses.KEY_RIGHT: self.move_right,
+            curses.KEY_LEFT: self.move_left,
+        }
+
+        action.get(key, lambda: None)()
+
+
+class State:
+    """State class to store the state of the program."""
+
+    def __init__(self):
+        self.key = 0
+        self.cursor = Cursor()
+
+        self.swap_size = 0
+        self.show_swap_input = False
+
+        self.reserve_size = 0
+        self.show_reserve_input = False
+
+        self.selected_device_ids = set()
+
+    def get_selected_devices(self) -> tuple[str]:
+        """Get selected devices."""
+        return tuple(self.selected_device_ids)
+
+
+def get_device(raw_device: str) -> dict[str, str]:
+    raw_device_components = raw_device.split(" ")
+    return {
+        thing.split("=")[0].lower(): thing.split("=")[1].strip('"')
+        for thing in raw_device_components
+    }
+
+
+def get_devices() -> list[dict[str, str]]:
+    """Get a list of devices."""
+    # --bytes
+    raw_devices = bash_wrapper("lsblk --paths --pairs").splitlines()
+    return [get_device(raw_device) for raw_device in raw_devices]
+
+
+def get_device_id_mapping() -> dict[str, set[str]]:
+    """Get a list of device ids.
+    Returns:
+        list[str]: the list of device ids
+    """
+    device_ids = bash_wrapper("find /dev/disk/by-id -type l").splitlines()
+
+    device_id_mapping: dict[str, set[str]] = defaultdict(set)
+
+    for device_id in device_ids:
+        device = bash_wrapper(f"readlink -f {device_id}").strip()
+        device_id_mapping[device].add(device_id)
+
+    return device_id_mapping
+
+
+def calculate_device_menu_padding(
+    devices: list[dict[str, str]], column: str, padding: int = 0
+) -> int:
+    return max(len(device[column]) for device in devices) + padding
+
+
+def draw_device_ids(
+    state: State,
+    row_number: int,
+    menu_start_x: int,
+    std_screen: curses.window,
+    menu_width: list[int],
+    device_ids: set[str],
+) -> tuple[State, int]:
+    for device_id in sorted(device_ids):
+        row_number = row_number + 1
+        if row_number == state.cursor.get_y() and state.cursor.get_x() in menu_width:
+            std_screen.attron(curses.A_BOLD)
+            if state.key == ord(" "):
+                if device_id not in state.selected_device_ids:
+                    state.selected_device_ids.add(device_id)
+                else:
+                    state.selected_device_ids.remove(device_id)
+
+        if device_id in state.selected_device_ids:
+            std_screen.attron(curses.color_pair(7))
+
+        std_screen.addstr(row_number, menu_start_x, f"  {device_id}")
+
+        std_screen.attroff(curses.color_pair(7))
+        std_screen.attroff(curses.A_BOLD)
+
+    return state, row_number
+
+
+def draw_device_menu(
+    std_screen: curses.window,
+    devices: list[dict[str, str]],
+    device_id_mapping: dict[str, set[str]],
+    state: State,
+    menu_start_y: int = 0,
+    menu_start_x: int = 0,
+) -> State:
+    """draw the device menu and handle user input
+    Args:
+        std_screen (curses.window): the curses window to draw on
+        devices (list[dict[str, str]]): the list of devices to draw
+        device_id_mapping (dict[str, set[str]]): the list of device ids to draw
+        state (State): the state object to update
+        menu_start_y (int, optional): the y position to start drawing the menu. Defaults to 0.
+        menu_start_x (int, optional): the x position to start drawing the menu. Defaults to 0.
+    Returns:
+        State: the updated state object
+    """
+    padding = 2
+
+    name_padding = calculate_device_menu_padding(devices, "name", padding)
+    size_padding = calculate_device_menu_padding(devices, "size", padding)
+    type_padding = calculate_device_menu_padding(devices, "type", padding)
+    mountpoints_padding = calculate_device_menu_padding(devices, "mountpoints", padding)
+
+    device_header = f"{"Name":{name_padding}}{"Size":{size_padding}}{"Type":{type_padding}}{"Mountpoints":{mountpoints_padding}}"
+
+    menu_width = range(menu_start_x, len(device_header) + menu_start_x)
+
+    std_screen.addstr(menu_start_y, menu_start_x, device_header, curses.color_pair(5))
+    devises_list_start = menu_start_y + 1
+
+    row_number = devises_list_start
+
+    for device in devices:
+        row_number = row_number + 1
+        device_name = device["name"]
+        device_row = (
+            f"{device_name:{name_padding}}"
+            f"{device['size']:{size_padding}}"
+            f"{device['type']:{type_padding}}"
+            f"{device['mountpoints']:{mountpoints_padding}}"
+        )
+        std_screen.addstr(row_number, menu_start_x, device_row)
+
+        state, row_number = draw_device_ids(
+            state=state,
+            row_number=row_number,
+            menu_start_x=menu_start_x,
+            std_screen=std_screen,
+            menu_width=menu_width,
+            device_ids=device_id_mapping[device_name],
+        )
+
+    return state, row_number
+
+
+def debug_menu(std_screen: curses.window, key: int) -> None:
+    height, width = std_screen.getmaxyx()
+    width_height = "Width: {}, Height: {}".format(width, height)
+    std_screen.addstr(height - 4, 0, width_height, curses.color_pair(5))
+
+    key_pressed = f"Last key pressed: {key}"[: width - 1]
+    if key == 0:
+        key_pressed = "No key press detected..."[: width - 1]
+    std_screen.addstr(height - 3, 0, key_pressed)
+
+    for i in range(0, 8):
+        std_screen.addstr(height - 2, i * 3, f"{i}██", curses.color_pair(i))
+
+
+def status_bar(
+    std_screen: curses.window,
+    cursor: Cursor,
+    width: int,
+    height: int,
+) -> None:
+    std_screen.attron(curses.A_REVERSE)
+    std_screen.attron(curses.color_pair(3))
+
+    status_bar = (
+        f"Press 'q' to exit | STATUS BAR | Pos: {cursor.get_x()}, {cursor.get_y()}"
+    )
+    std_screen.addstr(height - 1, 0, status_bar)
+    std_screen.addstr(height - 1, len(status_bar), " " * (width - len(status_bar) - 1))
+
+    std_screen.attroff(curses.color_pair(3))
+    std_screen.attroff(curses.A_REVERSE)
+
+
+def set_color() -> None:
+    curses.start_color()
+    curses.use_default_colors()
+    for i in range(0, curses.COLORS):
+        curses.init_pair(i + 1, i, -1)
+
+
+def get_text_input(std_screen: curses.window, prompt: str, y: int, x: int) -> str:
+    curses.echo()
+    std_screen.addstr(y, x, prompt)
+    input_str = ""
+    while True:
+        key = std_screen.getch()
+        if key == ord("\n"):
+            break
+        elif key == 27:  # ESC key
+            input_str = ""
+            break
+        elif key in (curses.KEY_BACKSPACE, ord("\b"), 127):
+            input_str = input_str[:-1]
+            std_screen.addstr(y, x + len(prompt), input_str + " ")
+        else:
+            input_str += chr(key)
+        std_screen.refresh()
+    curses.noecho()
+    return input_str
+
+
+def swap_size_input(
+    std_screen: curses.window,
+    state: State,
+    swap_offset: int,
+) -> State:
+    swap_size_text = "Swap size (GB): "
+    std_screen.addstr(swap_offset, 0, f"{swap_size_text}{state.swap_size}")
+    if state.key == ord("\n") and state.cursor.get_y() == swap_offset:
+        state.show_swap_input = True
+
+    if state.show_swap_input:
+        swap_size_str = get_text_input(std_screen, swap_size_text, swap_offset, 0)
+        try:
+            state.swap_size = int(swap_size_str)
+            state.show_swap_input = False
+        except ValueError:
+            std_screen.addstr(
+                swap_offset, 0, "Invalid input. Press any key to continue."
+            )
+            std_screen.getch()
+            state.show_swap_input = False
+
+    return state
+
+
+def reserve_size_input(
+    std_screen: curses.window,
+    state: State,
+    reserve_offset: int,
+) -> State:
+    reserve_size_text = "reserve size (GB): "
+    std_screen.addstr(reserve_offset, 0, f"{reserve_size_text}{state.reserve_size}")
+    if state.key == ord("\n") and state.cursor.get_y() == reserve_offset:
+        state.show_reserve_input = True
+
+    if state.show_reserve_input:
+        reserve_size_str = get_text_input(
+            std_screen, reserve_size_text, reserve_offset, 0
+        )
+        try:
+            state.reserve_size = int(reserve_size_str)
+            state.show_reserve_input = False
+        except ValueError:
+            std_screen.addstr(
+                reserve_offset, 0, "Invalid input. Press any key to continue."
+            )
+            std_screen.getch()
+            state.show_reserve_input = False
+
+    return state
+
+
+def draw_menu(std_screen: curses.window) -> State:
+    """draw the menu and handle user input
+    Args:
+        std_screen (curses.window): the curses window to draw on
+    Returns:
+        State: the state object
+    """
+    # Clear and refresh the screen for a blank canvas
+    std_screen.clear()
+    std_screen.refresh()
+
+    set_color()
+
+    state = State()
+
+    devices = get_devices()
+
+    device_id_mapping = get_device_id_mapping()
+
+    # Loop where k is the last character pressed
+    while state.key != ord("q"):
+        std_screen.clear()
+        height, width = std_screen.getmaxyx()
+
+        state.cursor.set_height(height)
+        state.cursor.set_width(width)
+
+        state.cursor.navigation(state.key)
+
+        state, device_menu_size = draw_device_menu(
+            std_screen=std_screen,
+            state=state,
+            devices=devices,
+            device_id_mapping=device_id_mapping,
+        )
+
+        swap_offset = device_menu_size + 2
+
+        swap_size_input(
+            std_screen=std_screen,
+            state=state,
+            swap_offset=swap_offset,
+        )
+        reserve_size_input(
+            std_screen=std_screen,
+            state=state,
+            reserve_offset=swap_offset + 1,
+        )
+
+        status_bar(std_screen, state.cursor, width, height)
+
+        debug_menu(std_screen, state.key)
+
+        std_screen.move(state.cursor.get_y(), state.cursor.get_x())
+
+        std_screen.refresh()
+
+        state.key = std_screen.getch()
+
+    return state
+
+
+def main() -> None:
+    configure_logger("DEBUG")
+
+    state = curses.wrapper(draw_menu)
+
+    encrypt_key = getenv("ENCRYPT_KEY")
+
+    logging.info("installing_nixos")
+    logging.info(f"disks: {state.selected_device_ids}")
+    logging.info(f"swap_size: {state.swap_size}")
+    logging.info(f"reserve: {state.reserve_size}")
+    logging.info(f"encrypted: {bool(encrypt_key)}")
+
+    sleep(3)
+
+    installer(
+        disks=state.get_selected_devices(),
+        swap_size=state.swap_size,
+        reserve=state.reserve_size,
+        encrypt_key=encrypt_key,
+    )
+
+
+if __name__ == "__main__":
+    main()

users/gaming/default.nix

@@ -0,0 +1,31 @@
+{
+  pkgs,
+  config,
+  ...
+}: 
+{
+  sops.secrets.gaming_password = {
+    sopsFile = ../secrets.yaml;
+    neededForUsers = true;
+  };
+
+  users = {
+    users.gaming = {
+      isNormalUser = true;
+      hashedPasswordFile = "${config.sops.secrets.gaming_password.path}";
+
+      shell = pkgs.zsh;
+      group = "gaming";
+      extraGroups =
+      [
+        "audio"
+        "video"
+        "users"
+      ];
+      uid = 1100;
+    };
+
+    groups.gaming.gid = 1100;
+  };
+  home-manager.users.gaming = import ./systems/${config.networking.hostName}.nix; 
+}

users/gaming/home/firefox.nix

@@ -1,8 +1,4 @@
-{
-  pkgs,
-  inputs,
-  ...
-}:
+{ inputs, ... }:
 {
   programs.firefox = {
     enable = true;
@@ -16,56 +12,13 @@
         sponsorblock
         ublock-origin
       ];
-      search.engines = {
-        "Nix Options" = {
-          urls = [
-            {
-              template = "https://search.nixos.org/options";
-              params = [
-                {
-                  name = "type";
-                  value = "packages";
-                }
-                {
-                  name = "channel";
-                  value = "unstable";
-                }
-                {
-                  name = "query";
-                  value = "{searchTerms}";
-                }
-              ];
-            }
-          ];
-          icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
-          definedAliases = [ "@o" ];
-        };
-        "Nix Packages" = {
-          urls = [
-            {
-              template = "https://search.nixos.org/packages";
-              params = [
-                {
-                  name = "type";
-                  value = "packages";
-                }
-                {
-                  name = "channel";
-                  value = "unstable";
-                }
-                {
-                  name = "query";
-                  value = "{searchTerms}";
-                }
-              ];
-            }
-          ];
-          icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
-          definedAliases = [ "@n" ];
-        };
+      search = {
+        force = true;
+        default = "Google";
+        order = [ "Google" ];
       };
-      search.force = true;
       settings = {
+
         # SECTION: FASTFOX
         # GENERAL
         "content.notify.interval" = 100000;

users/gaming/home/global.nix

@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+  imports = [
+    ./programs.nix
+  ];
+
+  programs = {
+    home-manager.enable = true;
+    git.enable = true;
+  };
+
+  home = {
+    username = "gaming";
+    homeDirectory = "/home/${config.home.username}";
+    stateVersion = "24.05";
+  };
+}

users/gaming/home/programs.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    chromium
+  ];
+}

users/gaming/systems/bob.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ../home/global.nix
+    ../home/firefox.nix
+  ];
+}

users/richie/default.nix

@@ -5,27 +5,45 @@
 }: let
   ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
 in {
-  users.users.richie = {
-    isNormalUser = true;
-    shell = pkgs.zsh;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPtuYhiJHRTYhNaDmTcJOqJASk7D8mIn6u3F1IN5AFJ bob" # cspell:disable-line
-    ];
-    extraGroups =
-    [
-      "audio"
-      "video"
-      "wheel"
-    ]
-    ++ ifTheyExist [
-      "dialout"
-      "docker"
-      "libvirtd"
-      "networkmanager"
-      "plugdev"
-      "uaccess"
-      "wireshark"
-    ];
+
+  sops.secrets.richie_password = {
+    sopsFile = ../secrets.yaml;
+    neededForUsers = true;
+  };
+
+  users = {
+    users.richie = {
+      isNormalUser = true;
+
+      hashedPasswordFile = "${config.sops.secrets.richie_password.path}";
+
+      shell = pkgs.zsh;
+      group = "richie";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYZFsc9CSH03ZUP7y81AHwSyjLwFmcshVFCyxDcYhBT rhapsody-in-green" # cspell:disable-line
+      ];
+      extraGroups =
+      [
+        "audio"
+        "video"
+        "wheel"
+        "users"
+      ]
+      ++ ifTheyExist [
+        "dialout"
+        "docker"
+        "hass"
+        "libvirtd"
+        "networkmanager"
+        "plugdev"
+        "scanner"
+        "uaccess"
+        "wireshark"
+      ];
+      uid = 1000;
+    };
+
+    groups.richie.gid = 1000;
   };
 
   home-manager.users.richie = import ./systems/${config.networking.hostName}.nix; 

users/richie/home/cli/default.nix

@@ -1,8 +1,8 @@
 {
   imports = [
+    ./direnv.nix
     ./git.nix
     ./zsh.nix
-    ./direnv.nix
   ];
 
   programs.starship.enable = true;

users/richie/home/cli/git.nix

@@ -3,5 +3,10 @@
     enable = true;
     userEmail = "Richie@tmmworkshop.com";
     userName = "Richie Cahill";
+    extraConfig = {
+      pull.rebase = true;
+      color.ui = true;
+    };
+    lfs.enable = true;
   };
 }

users/richie/home/cli/zsh.nix

@@ -18,17 +18,14 @@
       ];
     };
     shellAliases = {
-      "sgc" = "sudo git -C /root/dotfiles";
-
-      ## Utilities
       "lrt" = "eza --icons -lsnew";
       "ls" = "eza";
       "ll" = "eza --long --group";
       "la" = "eza --all";
 
       "rspace" = "'for f in *\ *; do mv \"$f\" \"\${f// /_}\"; done'";
-      "rebuild" = "sudo nixos-rebuild switch --flake /home/richie/projects/dotfiles#$HOST";
-      "nix-test" = "nixos-rebuild test --flake /home/richie/projects/dotfiles";
+      "rebuild" = "sudo nixos-rebuild switch --flake /home/richie/dotfiles#$HOST";
+      "nix-test" = "nixos-rebuild test --flake /home/richie/dotfiles";
     };
   };
 }

users/richie/home/global.nix

@@ -1,37 +1,22 @@
+{ config, ... }:
 {
-  lib,
-  pkgs,
-  config,
-  ...
-}: {
   imports = [
     ./cli
     ./programs.nix
     ./ssh_config.nix
   ];
 
-  nix = {
-    package = lib.mkDefault pkgs.nix;
-    settings = {
-      experimental-features = [
-        "nix-command"
-        "flakes"
-        "ca-derivations"
-      ];
-    };
-  };
-
   programs = {
     home-manager.enable = true;
     git.enable = true;
   };
 
   home = {
-    username = lib.mkDefault "richie";
-    homeDirectory = lib.mkDefault "/home/${config.home.username}";
-    stateVersion = lib.mkDefault "24.05";
+    username = "richie";
+    homeDirectory = "/home/${config.home.username}";
+    stateVersion = "24.05";
     sessionVariables = {
-      FLAKE = "$HOME/Projects/dotfiles";
+      FLAKE = "$HOME/dotfiles";
     };
   };
 }

users/richie/home/gui/default.nix

@@ -1,26 +1,29 @@
 { pkgs, ... }:
 {
   imports = [
-    ./firefox.nix
+    ./firefox
     ./vscode
+    ./kitty.nix
   ];
 
   home.packages = with pkgs; [
-    beeper
     candy-icons
-    nemo
-    nemo-fileroller
+    chromium
     discord-canary
     gimp
     gparted
     mediainfo
+    nemo
+    nemo-fileroller
     obs-studio
     obsidian
+    prismlauncher
     proxychains
+    prusa-slicer
+    signal-desktop
     sweet-nova
     util-linux
     vlc
     zoom-us
-    prusa-slicer
   ];
 }

users/richie/home/gui/firefox/default.nix

@@ -0,0 +1,250 @@
+{ inputs, ... }:
+{
+  imports = [ ./search_engines.nix ];
+
+  programs.firefox = {
+    enable = true;
+    profiles.richie = {
+      extensions = with inputs.firefox-addons.packages.x86_64-linux; [
+        bitwarden
+        darkreader
+        dearrow
+        fastforwardteam
+        return-youtube-dislikes
+        sponsorblock
+        ublock-origin
+      ];
+      search = {
+        force = true;
+        default = "kagi";
+        order = [ "kagi" "DuckDuckGo" "Google" ];
+      };
+      settings = {
+        # SECTION: FASTFOX
+        # GENERAL
+        "content.notify.interval" = 100000;
+
+        # GFX
+        "gfx.canvas.accelerated.cache-items" = 4096;
+        "gfx.canvas.accelerated.cache-size" = 512;
+        "gfx.content.skia-font-cache-size" = 20;
+
+        # DISK CACHE
+        "browser.cache.jsbc_compression_level" = 3;
+
+        # MEDIA CACHE
+        "media.memory_cache_max_size" = 65536;
+        "media.cache_readahead_limit" = 7200;
+        "media.cache_resume_threshold" = 3600;
+
+        # IMAGE CACHE
+        "image.mem.decode_bytes_at_a_time" = 32768;
+
+        # NETWORK
+        "network.buffer.cache.size" = 262144;
+        "network.buffer.cache.count" = 128;
+        "network.http.max-connections" = 1800;
+        "network.http.max-persistent-connections-per-server" = 10;
+        "network.http.max-urgent-start-excessive-connections-per-host" = 5;
+        "network.http.pacing.requests.enabled" = false;
+        "network.dnsCacheExpiration" = 3600;
+        "network.dns.max_high_priority_threads" = 8;
+        "network.ssl_tokens_cache_capacity" = 10240;
+
+        # SPECULATIVE LOADING
+        "network.dns.disablePrefetch" = true;
+        "network.prefetch-next" = false;
+        "network.predictor.enabled" = false;
+
+        # EXPERIMENTAL
+        "layout.css.grid-template-masonry-value.enabled" = true;
+        "dom.enable_web_task_scheduling" = true;
+        "layout.css.has-selector.enabled" = true;
+        "dom.security.sanitizer.enabled" = true;
+
+        # SECTION: SECUREFOX
+        # TRACKING PROTECTION
+        "browser.contentblocking.category" = "strict";
+        "urlclassifier.trackingSkipURLs" = "*.reddit.com, *.twitter.com, *.twimg.com, *.tiktok.com";
+        "urlclassifier.features.socialtracking.skipURLs" = "*.instagram.com, *.twitter.com, *.twimg.com";
+        "network.cookie.sameSite.noneRequiresSecure" = true;
+        "browser.download.start_downloads_in_tmp_dir" = true;
+        "browser.helperApps.deleteTempFileOnExit" = true;
+        "browser.uitour.enabled" = false;
+        "privacy.globalprivacycontrol.enabled" = true;
+
+        # OCSP & CERTS / HPKP
+        "security.OCSP.enabled" = 0;
+        "security.remote_settings.crlite_filters.enabled" = true;
+        "security.pki.crlite_mode" = 2;
+
+        # SSL / TLS
+        "security.ssl.treat_unsafe_negotiation_as_broken" = true;
+        "browser.xul.error_pages.expert_bad_cert" = true;
+        "security.tls.enable_0rtt_data" = false;
+
+        # DISK AVOIDANCE
+        "browser.privatebrowsing.forceMediaMemoryCache" = true;
+        "browser.sessionstore.interval" = 60000;
+
+        # SHUTDOWN & SANITIZING
+        "privacy.history.custom" = true;
+
+        # SEARCH / URL BAR
+        "browser.search.separatePrivateDefault.ui.enabled" = true;
+        "browser.urlbar.update2.engineAliasRefresh" = true;
+        # PREF: restore search engine suggestions
+        "browser.search.suggest.enabled" = true;
+        "browser.urlbar.suggest.quicksuggest.sponsored" = false;
+        "browser.urlbar.suggest.quicksuggest.nonsponsored" = false;
+        "browser.formfill.enable" = false;
+        "security.insecure_connection_text.enabled" = true;
+        "security.insecure_connection_text.pbmode.enabled" = true;
+        "network.IDN_show_punycode" = true;
+
+        # HTTPS-FIRST POLICY
+        "dom.security.https_first" = true;
+        "dom.security.https_first_schemeless" = true;
+
+        # PASSWORDS
+        "signon.formlessCapture.enabled" = false;
+        "signon.rememberSignons" = false;
+        "signon.privateBrowsingCapture.enabled" = false;
+        "network.auth.subresource-http-auth-allow" = 1;
+        "editor.truncate_user_pastes" = false;
+
+        # MIXED CONTENT + CROSS-SITE
+        "security.mixed_content.block_display_content" = true;
+        "security.mixed_content.upgrade_display_content" = true;
+        "security.mixed_content.upgrade_display_content.image" = true;
+        "pdfjs.enableScripting" = false;
+        "extensions.postDownloadThirdPartyPrompt" = false;
+
+        # HEADERS / REFERERS
+        "network.http.referer.XOriginTrimmingPolicy" = 2;
+
+        # CONTAINERS
+        "privacy.userContext.ui.enabled" = true;
+
+        # WEBRTC
+        "media.peerconnection.ice.proxy_only_if_behind_proxy" = true;
+        "media.peerconnection.ice.default_address_only" = true;
+
+        # SAFE BROWSING
+        "browser.safebrowsing.downloads.remote.enabled" = false;
+
+        # MOZILLA
+        # PREF: allow websites to ask you to receive site notifications
+        "permissions.default.desktop-notification" = 0; # allow websites to ask
+        # PREF: allow websites to ask you for your location
+        "permissions.default.geo" = 0;
+        "geo.provider.network.url" = "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%";
+        "permissions.manager.defaultsUrl" = "";
+        "webchannel.allowObject.urlWhitelist" = "";
+
+        # TELEMETRY
+        "datareporting.policy.dataSubmissionEnabled" = false;
+        "datareporting.healthreport.uploadEnabled" = false;
+        "toolkit.telemetry.unified" = false;
+        "toolkit.telemetry.enabled" = false;
+        "toolkit.telemetry.server" = "data:,";
+        "toolkit.telemetry.archive.enabled" = false;
+        "toolkit.telemetry.newProfilePing.enabled" = false;
+        "toolkit.telemetry.shutdownPingSender.enabled" = false;
+        "toolkit.telemetry.updatePing.enabled" = false;
+        "toolkit.telemetry.bhrPing.enabled" = false;
+        "toolkit.telemetry.firstShutdownPing.enabled" = false;
+        "toolkit.telemetry.coverage.opt-out" = true;
+        "toolkit.coverage.opt-out" = true;
+        "toolkit.coverage.endpoint.base" = "";
+        "browser.ping-centre.telemetry" = false;
+        "browser.newtabpage.activity-stream.feeds.telemetry" = false;
+        "browser.newtabpage.activity-stream.telemetry" = false;
+
+        # EXPERIMENTS
+        "app.shield.optoutstudies.enabled" = false;
+        "app.normandy.enabled" = false;
+        "app.normandy.api_url" = "";
+
+        # CRASH REPORTS
+        "breakpad.reportURL" = "";
+        "browser.tabs.crashReporting.sendReport" = false;
+        "browser.crashReports.unsubmittedCheck.autoSubmit2" = false;
+
+        # DETECTION
+        "captivedetect.canonicalURL" = "";
+        "network.captive-portal-service.enabled" = false;
+        "network.connectivity-service.enabled" = false;
+
+        # SECTION: PESKYFOX
+        # MOZILLA UI
+        "browser.privatebrowsing.vpnpromourl" = "";
+        "extensions.getAddons.showPane" = false;
+        "extensions.htmlaboutaddons.recommendations.enabled" = false;
+        "browser.discovery.enabled" = false;
+        "browser.shell.checkDefaultBrowser" = false;
+        "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = false;
+        "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = false;
+        "browser.preferences.moreFromMozilla" = false;
+        "browser.tabs.tabmanager.enabled" = false;
+        "browser.aboutConfig.showWarning" = false;
+        "browser.aboutwelcome.enabled" = false;
+
+        # THEME ADJUSTMENTS
+        "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+        "browser.compactmode.show" = true;
+        "browser.display.focus_ring_on_anything" = true;
+        "browser.display.focus_ring_style" = 0;
+        "browser.display.focus_ring_width" = 0;
+        "layout.css.prefers-color-scheme.content-override" = 2;
+
+        # COOKIE BANNER HANDLING
+        "cookiebanners.service.mode" = 1;
+        "cookiebanners.service.mode.privateBrowsing" = 1;
+
+        # FULLSCREEN NOTICE
+        "full-screen-api.transition-duration.enter" = "0 0";
+        "full-screen-api.transition-duration.leave" = "0 0";
+        "full-screen-api.warning.delay" = -1;
+        "full-screen-api.warning.timeout" = 0;
+
+        # URL BAR
+        "browser.urlbar.suggest.calculator" = true;
+        "browser.urlbar.unitConversion.enabled" = true;
+        "browser.urlbar.trending.featureGate" = false;
+
+        # NEW TAB PAGE
+        "browser.newtabpage.activity-stream.feeds.topsites" = false;
+        "browser.newtabpage.activity-stream.feeds.section.topstories" = false;
+
+        # POCKET
+        "extensions.pocket.enabled" = false;
+
+        # DOWNLOADS
+        "browser.download.always_ask_before_handling_new_types" = true;
+        "browser.download.manager.addToRecentDocs" = false;
+
+        # PDF
+        "browser.download.open_pdf_attachments_inline" = true;
+
+        # TAB BEHAVIOR
+        "browser.bookmarks.openInTabClosesMenu" = false;
+        "browser.menu.showViewImageInfo" = true;
+        "findbar.highlightAll" = true;
+        "layout.word_select.eat_space_to_next_word" = false;
+
+        # SECTION: MY OVERRIDES
+        "browser.startup.homepage" = "https://google.com";
+        "identity.fxaccounts.enabled" = false;
+
+        # SECTION SMOOTHFOX
+        # OPTION: SHARPEN SCROLLING                                                           *
+        "apz.overscroll.enabled" = true; # DEFAULT NON-LINUX
+        "mousewheel.min_line_scroll_amount" = 10; # 10-40; adjust this number to your liking; default=5
+        "general.smoothScroll.mouseWheel.durationMinMS" = 80; # default=50
+        "general.smoothScroll.currentVelocityWeighting" = "0.15"; # default=.25
+        "general.smoothScroll.stopDecelerationWeighting" = "0.6"; # default=.4
+      };
+    };
+  };
+}

users/richie/home/gui/firefox/github.svg

@@ -0,0 +1,3 @@
+<svg width="32" height="32" viewBox="0 0 32 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M16 0C7.16 0 0 7.16 0 16C0 23.08 4.58 29.06 10.94 31.18C11.74 31.32 12.04 30.84 12.04 30.42C12.04 30.04 12.02 28.78 12.02 27.44C8 28.18 6.96 26.46 6.64 25.56C6.46 25.1 5.68 23.68 5 23.3C4.44 23 3.64 22.26 4.98 22.24C6.24 22.22 7.14 23.4 7.44 23.88C8.88 26.3 11.18 25.62 12.1 25.2C12.24 24.16 12.66 23.46 13.12 23.06C9.56 22.66 5.84 21.28 5.84 15.16C5.84 13.42 6.46 11.98 7.48 10.86C7.32 10.46 6.76 8.82 7.64 6.62C7.64 6.62 8.98 6.2 12.04 8.26C13.32 7.9 14.68 7.72 16.04 7.72C17.4 7.72 18.76 7.9 20.04 8.26C23.1 6.18 24.44 6.62 24.44 6.62C25.32 8.82 24.76 10.46 24.6 10.86C25.62 11.98 26.24 13.4 26.24 15.16C26.24 21.3 22.5 22.66 18.94 23.06C19.52 23.56 20.02 24.52 20.02 26.02C20.02 28.16 20 29.88 20 30.42C20 30.84 20.3 31.34 21.1 31.18C27.42 29.06 32 23.06 32 16C32 7.16 24.84 0 16 0V0Z" fill="white"/>
+</svg>

users/richie/home/gui/firefox/search_engines.nix

@@ -0,0 +1,84 @@
+{ pkgs, ... }:
+{
+  programs.firefox.profiles.richie.search.engines = {
+    "Nix Options" = {
+      urls = [
+        {
+          template = "https://search.nixos.org/options";
+          params = [
+            {
+              name = "type";
+              value = "packages";
+            }
+            {
+              name = "channel";
+              value = "unstable";
+            }
+            {
+              name = "query";
+              value = "{searchTerms}";
+            }
+          ];
+        }
+      ];
+      icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
+      definedAliases = [ "@o" ];
+    };
+    "Nix Packages" = {
+      urls = [
+        {
+          template = "https://search.nixos.org/packages";
+          params = [
+            {
+              name = "type";
+              value = "packages";
+            }
+            {
+              name = "channel";
+              value = "unstable";
+            }
+            {
+              name = "query";
+              value = "{searchTerms}";
+            }
+          ];
+        }
+      ];
+      icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
+      definedAliases = [ "@n" ];
+    };
+    "kagi" = {
+      urls = [
+        {
+          template = "https://kagi.com/search?";
+          params = [
+            {
+              name = "q";
+              value = "{searchTerms}";
+            }
+          ];
+        }
+      ];
+      icon = ./kagi.png;
+    };
+    github = {
+      urls = [
+        {
+          template = "https://github.com/search?";
+          params = [
+            {
+              name = "q";
+              value = "{searchTerms}";
+            }
+            {
+              name = "type";
+              value = "code";
+            }
+          ];
+        }
+      ];
+      icon = ./github.svg;
+      definedAliases = [ "@g" ];
+    };
+  };
+}

users/richie/home/gui/kitty.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}: {
+  programs.kitty = {
+    enable = true;
+    font.name = "IntoneMono Nerd Font";
+    settings = {
+      allow_remote_control = "no";
+      shell = "${pkgs.zsh}/bin/zsh";
+      wayland_titlebar_color = "background";
+    };
+    themeFile = "VSCode_Dark";
+  };
+}

users/richie/home/programs.nix

@@ -5,14 +5,24 @@
     bat
     btop
     eza
+    fd
+    ffmpegthumbnailer
+    fzf
     git
     gnupg
+    imagemagick
+    jq
     ncdu
     neofetch
+    ouch
+    p7zip
+    poppler
     rar
     ripgrep
     starship
     tmux
+    unzip
+    yazi
     zoxide
     # system info
     hwloc
@@ -26,7 +36,7 @@
     wget
     # python
     poetry
-    python312
+    python313
     ruff
     # Rust packages
     trunk

users/richie/systems/rhapsody-in-green.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ../home/global.nix
+    ../home/gui
+  ];
+}

users/secrets.yaml

@@ -0,0 +1,58 @@
+richie_password: ENC[AES256_GCM,data:DMi3M8aqrQ60APIofr8wJMh+VZ14hLRxz6jWZgzswr0pV/QVSX53ShBFr90ruO3mucOLYv0l+bI31covfqMAhXWBJp9wUgtC2Q==,iv:qgtn30hZfIL4dBnQSLkjbo7zPJA4m9TR0f52sTFc0v4=,tag:ydLbcGyXjv0fE+4b5ECX5w==,type:str]
+gaming_password: ENC[AES256_GCM,data:i692UsQaCOjE4V1y9d8yYDlK+TRMIprCHJkhl1UBZRMqe9a2LTUtmbbn/xlCYQd2tADJvn+dkx1jLfV4CqaqWOj5YSUFfpgsEw==,iv:3Y7hXQcmpzNN7hF+BDvO52uFB4o5D0dHvxemJ0ZoSIM=,tag:zzLGNDVAMCs2GPMqXp2BtQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u8zj599elqqvcmhxn8zuwrufsz8w8w366d3ayrljjejljt2q45kq8mxw9c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqR1lUREVMR3hyTTFNZ3U0
+            NkFkY202RGtMS0taTjRnOEd4OGlsZ1VORUhFCnIxUlV1eS81N0U1NXpOcWYxSUU0
+            WER1cFY3a2lWU01tTUQ2Vk5VK2JmSDAKLS0tIHUxL3F5UWZ2aUwxd2JXZG5ybE9w
+            d29oZ1poZU5ZTlgxMmlsVWpoMUtFYjAKdRoXdqxfxyOL++pP0izdUuZngMcF24ne
+            OJ6kVJexJF9Hu9InwPeDtRboMhMi01gt6L5a47hOX5FUsi+4HbeVLQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1q47vup0tjhulkg7d6xwmdsgrw64h4ax3la3evzqpxyy4adsmk9fs56qz3y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWmJZWDZtWFJaTCtmdVNG
+            QkNiK1hFdWlnVFp0ZG01V1A3cFdtU2xGN1NBCm1oeXlLT3NYMC9lZDlHSnJGQUc1
+            RnppNjc0QnBqSW5XTWUxZExBMHhORDQKLS0tIHpJNDJBU25COGR2dlg5em5YcGZB
+            VTBqRjhZWkdmdVdoa0V0VmIzdm5hbTgKEa9hW6jU538meU2Sm//b7OUBqqjAHHL5
+            rluVCSMcrcoVtui0mB8vMoKeh6/n/qRLe38a/puvAj0q/PolN9ZEhA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13lmqgc3jvkyah5e3vcwmj4s5wsc2akctcga0lpc0x8v8du3fxprqp4ldkv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVlp4clVEb3Y4d0hzSEtW
+            dUMyb3V1aHlMS0Fvc0lGU3doRjE3SVFrNVdFCkpTQ1k2RTBIb2tzQ3UxajlPSWhY
+            ZzkwUWlDYWROZXpHMlFVaTM0MFlpMXcKLS0tIFNUN1QyRk41WkhPblZMbVFXNkZi
+            N1RkUVc0N0hIaUs3RXpXTWpDZTBOUXcKgOW6IV1mh3q8NT2Ky9EKlywWBaaCn5ML
+            bhfmmvt1Fndh2ys3poxODjNDiow34VxwhS+Ou0HsxsJ7zu7VvmPh0w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xzxryqq63x65yuza9lmmkud7crjjxpnkdew070yhx6xn7xe4tdws5twxsv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnOXR6SWh2SlBWdjZVL3F1
+            ckd4N3JKNkkzYWtlRWN2QUFob3FJRkxQU1RNClllMDFMRE80ODROZDR3Y2g0Z2xs
+            aXJORTI1azEzbnhJMkZiNmNKZDBsOVUKLS0tIHZjV3BXaG9WVzNzVDZHYVdmOFdM
+            S3hZMkgvYkl5Ky9uYmpjVHpFUlMwYTgKIHxHRPMgEAgQNXg5lK2QkdBjMcamlxSp
+            HEoT/APYI/NN3V2l7mgfiH/fn2FXGdd3Ct5mqwp25GUYIp45zN3pqA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ufnewppysaq2wwcl4ugngjz8pfzc5a35yg7luq0qmuqvctajcycs5lf6k4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXSnNxaDVSbUJ2Y1NSc0hV
+            TWhzNzNRWTNhV1BBMFhPeVQ5eHkzb3Bkams4Ck1YdDExcU1WdExEQ0M1VXZpUzBV
+            L0xSTENrOEZlOU1XUHNUbEtHbURSK1UKLS0tIEJkaE9QOUdzN1VDbWFTSWd6RkY4
+            UzQzWEFtSDJwR201cmZoeXh5T0RmSk0KWLOpw5cWbtnfVP/ISa7n1vZchoD+nxmn
+            7yr7igpEIro0Sd238KinOQYswVaT0NHB9p1dSW/mN+aGQliSNLzkDQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-07T20:13:43Z"
+    mac: ENC[AES256_GCM,data:Q5fmv+MRVYGUQ4j+28CcGWHmgT1178N+haVS9xa0c99OKuPZdfSndAG0QVDhh/jYq+7zXs6zzLtBjB+egkoDfxJXfJOmg3E46UMO3vDHaEcIZD16ZbWJaz4Z/+yabqhDURKtgfGiu4xPv3OtGbwcP5kud17WcHNfY/LT+Y+LSD8=,iv:y3K3kCroIh+RTplUe4tM8B9rbLgIHCbE6FJawngam8Q=,tag:2VTIWlLp4cOwm18BfIlz5g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2