fix ssl ?

Reviewed-on: #120

.gitea/workflows/build.yml

@@ -0,0 +1,38 @@
+name: Nix Build
+
+on: 
+  pull_request:
+  push:
+  workflow_run:
+    workflows: []
+    types: [completed]
+  workflow_dispatch:
+
+jobs:
+  build-nixos:
+    runs-on: ubuntu-latest
+    steps: 
+      - uses: actions/checkout@v6
+      
+      - name: "Install Nix ❄️"
+        uses: cachix/install-nix-action@v31
+
+    #  - uses: DeterminateSystems/nix-installer-action@v4
+      - uses: DeterminateSystems/magic-nix-cache-action@v13
+      - uses: DeterminateSystems/flake-checker-action@v12
+
+      - name: "Install Cachix ❄️"
+        uses: cachix/cachix-action@v17
+        with:
+          name: helcel
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+          
+
+      - name: "Build NixOS CI config ❄️"
+        run: |
+          nix build .#nixosConfigurations.ci.config.system.build.toplevel
+
+      - name: "Build NixOS Sandbox config ❄️"
+        run: |
+          nix build .#nixosConfigurations.sandbox.config.system.build.toplevel
+          

.gitea/workflows/update.yml

@@ -0,0 +1,30 @@
+name: update-flake-lock
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 2 * * 6,7'
+
+
+env:
+  USER: "runner"
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Install nix
+        uses: DeterminateSystems/nix-installer-action@v22
+        with:
+          github-token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+          extra_nix_config: |
+            experimental-features = nix-command flakes            
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@v28
+        with:
+          token: ${{ secrets.GT_TOKEN_FOR_UPDATES }}
+          pr-title: "[chore] Update flake.lock"
+          pr-labels: |
+            dependencies
+            automated    

.gitignore

@@ -1,3 +1,5 @@
 result
 age-key.txt
 .decrypted~common.yaml
+.decrypted*
+.tmp

.sops.yaml

@@ -4,43 +4,62 @@ keys:
     - &sora 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
   # Hosts
   - &hosts:
+    - &ci age13qv9dn9806paqgpjwmmkwtdzvv4qpv0ulksq0epnn8ufaxeug5zskyas3z
     - &iriy age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
     - &avalon age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &valinor age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+    - &gateway age1lqvnzlendlmtwgstzrj4xzrwpatwx56k5az5au78fyg99yecwfzs3s6xn6
+    - &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
 
 creation_rules:
-  - path_regex: modules/nixos/system/security/sops/iriy.ya?ml$
+  - path_regex: modules/shared/sops/private/iriy.[a-z]+
     key_groups:
       - age:
           - *iriy
         pgp:
           - *sora
-  - path_regex: modules/nixos/system/security/sops/avalon.ya?ml$
+  - path_regex: modules/shared/sops/private/avalon.[a-z]+
     key_groups:
       - age:
           - *avalon
         pgp:
           - *sora
-  - path_regex: modules/nixos/system/security/sops/valinor.ya?ml$
+  - path_regex: modules/shared/sops/private/valinor.[a-z]+
     key_groups:
       - age:
           - *valinor
         pgp:
           - *sora
-  - path_regex: modules/nixos/system/security/sops/asgard.ya?ml$
+  - path_regex: modules/shared/sops/private/asgard.[a-z]+
     key_groups:
       - age:
           - *asgard
         pgp:
           - *sora
 
-  - path_regex: modules/nixos/system/security/sops/common.yaml$
+  - path_regex: modules/shared/sops/common.[a-z]+
     key_groups:
       - age:
           - *valinor
           - *iriy
           - *avalon
           - *asgard
+          - *gateway
+        pgp:
+          - *sora
+
+  - path_regex: modules/shared/sops/mock.[a-z]+
+    key_groups:
+      - age:
+          - *ci
+          - *sandbox
+
+  - path_regex: modules/server/sops/server.[a-z]+
+    key_groups:
+      - age:
+          - *avalon
+          - *sandbox
+
         pgp:
           - *sora

flake.lock

@@ -1,5 +1,27 @@
 {
   "nodes": {
+    "arion": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "haskell-flake": "haskell-flake",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1770259557,
+        "narHash": "sha256-EvZ09k9+mzXAngPzU2K7oLLUDlKoT1numb4bDb3Gtl4=",
+        "owner": "hercules-ci",
+        "repo": "arion",
+        "rev": "9b24cf65c72cb0e9616e437d55e1ac8e5c6bc715",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "arion",
+        "type": "github"
+      }
+    },
     "base16-schemes": {
       "flake": false,
       "locked": {
@@ -23,11 +45,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1708231718,
+        "lastModified": 1777780666,
-        "narHash": "sha256-IZdieFWvhBkxoOFMDejqLUYqD94WN6k0YSpw0DFy+4g=",
+        "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "0e6857fa1d632637488666c08e7b02c08e3178f8",
+        "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
         "type": "github"
       },
       "original": {
@@ -37,13 +59,55 @@
         "type": "github"
       }
     },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "arion",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769996383,
+        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nur",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "hardware": {
       "locked": {
-        "lastModified": 1708091350,
+        "lastModified": 1778143761,
-        "narHash": "sha256-o28BJYi68qqvHipT7V2jkWxDiMS1LF9nxUsou+eFUPQ=",
+        "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "106d3fec43bcea19cb2e061ca02531d54b542ce3",
+        "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
         "type": "github"
       },
       "original": {
@@ -52,6 +116,22 @@
         "type": "github"
       }
     },
+    "haskell-flake": {
+      "locked": {
+        "lastModified": 1675296942,
+        "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
+        "owner": "srid",
+        "repo": "haskell-flake",
+        "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "ref": "0.1.0",
+        "repo": "haskell-flake",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -59,112 +139,20 @@
         ]
       },
       "locked": {
-        "lastModified": 1708558280,
+        "lastModified": 1777851538,
-        "narHash": "sha256-w1ns8evB6N9VTrAojcdXLWenROtd77g3vyClrqeFdG8=",
+        "narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0b69d574162cfa6eb7919d5614a48d0185550891",
+        "rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
     },
-    "hyprland": {
-      "inputs": {
-        "hyprland-protocols": "hyprland-protocols",
-        "hyprlang": "hyprlang",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems",
-        "wlroots": "wlroots",
-        "xdph": "xdph"
-      },
-      "locked": {
-        "lastModified": 1708543581,
-        "narHash": "sha256-wvhsh4J+Q9ED8oAWG+iz5uNOw70nagF+aeetlGpLkqs=",
-        "owner": "hyprwm",
-        "repo": "Hyprland",
-        "rev": "ea3fd13e24d7d3a74cf803bef3e6133b5d708d1b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hyprwm",
-        "repo": "Hyprland",
-        "type": "github"
-      }
-    },
-    "hyprland-protocols": {
-      "inputs": {
-        "nixpkgs": [
-          "hyprland",
-          "nixpkgs"
-        ],
-        "systems": [
-          "hyprland",
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1691753796,
-        "narHash": "sha256-zOEwiWoXk3j3+EoF3ySUJmberFewWlagvewDRuWYAso=",
-        "owner": "hyprwm",
-        "repo": "hyprland-protocols",
-        "rev": "0c2ce70625cb30aef199cb388f99e19a61a6ce03",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hyprwm",
-        "repo": "hyprland-protocols",
-        "type": "github"
-      }
-    },
-    "hyprlang": {
-      "inputs": {
-        "nixpkgs": [
-          "hyprland",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1708005943,
-        "narHash": "sha256-9TT3xk++LI5/SPYgjYX34xZ4ebR93c1uerIq+SE/ues=",
-        "owner": "hyprwm",
-        "repo": "hyprlang",
-        "rev": "aeb3e012adc7b3235335c540b214b82267c2b983",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hyprwm",
-        "repo": "hyprlang",
-        "type": "github"
-      }
-    },
-    "hyprlang_2": {
-      "inputs": {
-        "nixpkgs": [
-          "hyprland",
-          "xdph",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1704287638,
-        "narHash": "sha256-TuRXJGwtK440AXQNl5eiqmQqY4LZ/9+z/R7xC0ie3iA=",
-        "owner": "hyprwm",
-        "repo": "hyprlang",
-        "rev": "6624f2bb66d4d27975766e81f77174adbe58ec97",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hyprwm",
-        "repo": "hyprlang",
-        "type": "github"
-      }
-    },
     "nix-colors": {
       "inputs": {
         "base16-schemes": "base16-schemes",
@@ -184,18 +172,34 @@
         "type": "github"
       }
     },
-    "nixpkgs": {
+    "nixUnstable": {
       "locked": {
-        "lastModified": 1708475490,
+        "lastModified": 1778274207,
-        "narHash": "sha256-g1v0TsWBQPX97ziznfJdWhgMyMGtoBFs102xSYO4syU=",
+        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0e74ca98a74bc7270d28838369593635a5db3260",
+        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1778003029,
+        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -215,13 +219,33 @@
         "type": "github"
       }
     },
-    "nur": {
+    "nixpkgs_2": {
       "locked": {
-        "lastModified": 1708559587,
+        "lastModified": 1777954456,
-        "narHash": "sha256-LVyCfkRZlPU2B3qqSY2tDGNvh6nuFSV+LgNfB6Evas8=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nur": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1778376280,
+        "narHash": "sha256-pL2F2FF2FN7zWr5o/vG7GiYOSjp+DUNyPIYqNaLQFFs=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "e7bd3c6040c831aaf6c0fbcfab17f42420129c17",
+        "rev": "828688994167eb57628c98fd1d7e1223b079cda1",
         "type": "github"
       },
       "original": {
@@ -232,11 +256,12 @@
     },
     "root": {
       "inputs": {
+        "arion": "arion",
         "darwin": "darwin",
         "hardware": "hardware",
         "home-manager": "home-manager",
-        "hyprland": "hyprland",
         "nix-colors": "nix-colors",
+        "nixUnstable": "nixUnstable",
         "nixpkgs": "nixpkgs",
         "nur": "nur",
         "sops-nix": "sops-nix"
@@ -246,17 +271,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1708500294,
+        "lastModified": 1777944972,
-        "narHash": "sha256-mvJIecY3tDKZh7297mqOtOuAvP7U1rqjfLNfmfkjFpU=",
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "f6b80ab6cd25e57f297fe466ad689d8a77057c11",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
         "type": "github"
       },
       "original": {
@@ -264,70 +286,6 @@
         "repo": "sops-nix",
         "type": "github"
       }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1689347949,
-        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "type": "github"
-      }
-    },
-    "wlroots": {
-      "flake": false,
-      "locked": {
-        "host": "gitlab.freedesktop.org",
-        "lastModified": 1706359063,
-        "narHash": "sha256-5HUTG0p+nCJv3cn73AmFHRZdfRV5AD5N43g8xAePSKM=",
-        "owner": "wlroots",
-        "repo": "wlroots",
-        "rev": "00b869c1a96f300a8f25da95d624524895e0ddf2",
-        "type": "gitlab"
-      },
-      "original": {
-        "host": "gitlab.freedesktop.org",
-        "owner": "wlroots",
-        "repo": "wlroots",
-        "rev": "00b869c1a96f300a8f25da95d624524895e0ddf2",
-        "type": "gitlab"
-      }
-    },
-    "xdph": {
-      "inputs": {
-        "hyprland-protocols": [
-          "hyprland",
-          "hyprland-protocols"
-        ],
-        "hyprlang": "hyprlang_2",
-        "nixpkgs": [
-          "hyprland",
-          "nixpkgs"
-        ],
-        "systems": [
-          "hyprland",
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1706521509,
-        "narHash": "sha256-AInZ50acOJ3wzUwGzNr1TmxGTMx+8j6oSTzz4E7Vbp8=",
-        "owner": "hyprwm",
-        "repo": "xdg-desktop-portal-hyprland",
-        "rev": "c06fd88b3da492b8f9067be021b9184f7012b5a8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hyprwm",
-        "repo": "xdg-desktop-portal-hyprland",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -1,13 +1,14 @@
 {
   description = "SoraFlake";
-
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    # Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable"
+    nixUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
     hardware.url = "github:nixos/nixos-hardware";
     nur.url = "github:nix-community/nur";
 
     home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -16,66 +17,31 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    hyprland = {
-      url = "github:hyprwm/Hyprland";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.nixpkgs-stable.follows = "nixpkgs";
     };
     nix-colors.url = "github:misterio77/nix-colors";
-
   };
 
   outputs = inputs:
-
     let gen = import ./generator.nix { inherit inputs; };
     in {
       devShells = import ./shells { inherit inputs; };
 
       nixosConfigurations = {
-        valinor = gen.generate {
+        valinor = gen.generate { host = "valinor"; };
-          type = "nixos";
+        iriy = gen.generate { host = "iriy"; };
-          system = "x86_64-linux";
+        efir = gen.generate { host = "efir"; };
-          host = "valinor";
+        avalon = gen.generate { host = "avalon"; };
-        };
+        ci = gen.generate { host = "ci"; };
-        iriy = gen.generate {
+        sandbox = gen.generate { host = "sandbox"; };
-          type = "nixos";
+        gateway = gen.generate { host = "gateway"; };
-          system = "x86_64-linux";
-          host = "iriy";
-        };
-        efir = gen.generate {
-          type = "nixos";
-          system = "x86_64-linux";
-          host = "efir";
-        };
-        avalon = gen.generate {
-          type = "nixos";
-          system = "x86_64-linux";
-          host = "avalon";
-        };
-
-      };
-      darwinConfigurations = {
-        asgard = gen.generate {
-          type = "macos";
-          system = "x86_64-darwin";
-          host = "asgard";
-        };
       };
+      darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
       homeConfigurations = {
-        yomi = gen.generate {
+        yomi = gen.generate { host = "example"; };
-          type = "home";
+        example = gen.generate { host = "example"; };
-          system = "arm-64";
-          host = "example";
-        };
-        example = gen.generate {
-          type = "home";
-          system = "-"; # supports any
-          host = "example";
-        };
       };
     };
 

generator.nix

@@ -1,51 +1,67 @@
 { inputs, ... }: {
-  generate = { type, system, host }:
+  generate = { host }:
-    ({
+    let
+      syscfg = import ./systems/${host}/cfg.nix;
+      nameValuePair = name: value: { inherit name value; };
+    in ({
       "nixos" = inputs.nixpkgs.lib.nixosSystem {
-        system = system;
+        system = syscfg.syscfg.system;
+        specialArgs = { inherit inputs; };
         modules = [
-          inputs.sops-nix.nixosModules.sops
+          ./modules/shared/syscfg
+          ./modules/shared/sops
           ./modules/nixos
+          syscfg
           ./systems/${host}
+          inputs.sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.home-manager
           {
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
             home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.sora = {
+            home-manager.users = builtins.listToAttrs (map (userConfig:
+              nameValuePair userConfig.username {
                 imports = [
+                  ./modules/shared/syscfg
+                  ./modules/shared/colors
                   ./modules/home
+                  syscfg
+                  { usercfg = userConfig; }
                   inputs.nix-colors.homeManagerModule
-                inputs.hyprland.homeManagerModules.default
+                  # inputs.hyprland.homeManagerModules.default
-                ./systems/${host}/home.nix
+                  inputs.sops-nix.homeManagerModules.sops
                 ];
-            };
+              }) syscfg.syscfg.users);
           }
         ];
       };
+
       "macos" = inputs.darwin.lib.darwinSystem {
-        system = system;
+        system = syscfg.system;
         modules = [
-          inputs.sops-nix.nixosModules.sops
+          ./modules/shared/syscfg
+          ./modules/shared/sops
+          syscfg
           ./systems/${host}
+          inputs.sops-nix.nixosModules.sops
           inputs.home-manager.darwinModules.home-manager
           {
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
             home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.sora = {
+            home-manager.users = builtins.listToAttrs (map (userConfig:
+              nameValuePair userConfig.username {
                 imports = [
                   inputs.nix-colors.homeManagerModule
-                inputs.hyprland.homeManagerModules.default
+                  inputs.sops-nix.homeManagerModules.sops
-                ./systems/${host}/home.nix
                 ];
-            };
+              }) syscfg.syscfg.users);
           }
         ];
       };
       "home" = inputs.home-manager.lib.homeManagerConfiguration {
-        modules = [ ./modules/home ./systems/${host}/home.nix ];
+        modules = [ ./modules/home ];
       };
       _ = throw "Unsupported system";
-    }.${type});
+    }.${syscfg.syscfg.type});
 }

modules/home/base/default.nix

@@ -1,12 +1,21 @@
 { lib, config, ... }: {
 
+  #environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath;
   systemd.user.startServices = "sd-switch";
   programs.home-manager.enable = true;
 
   home = {
-    username = "${config.homecfg.username}";
+    username = "${config.usercfg.username}";
-    homeDirectory = "/home/${config.homecfg.username}";
+    homeDirectory = "/home/${config.usercfg.username}";
 
-    stateVersion = "23.11";
+    stateVersion = "24.11";
   };
+
+
+  #SOPS
+  # sops.defaultSopsFile = ./sops/${config.usercfg.username}.yaml;
+  # sops.age.keyFile = "/var/lib/sops-nix/age-key.txt";
+  # sops.age.generateKey = true;
+  # sops.secrets."github_user_key" = { };
+  # sops.secrets."curse_forge_key" = { };
 }

modules/home/base/sops/sora.yaml

@@ -0,0 +1,69 @@
+curse_forge_key: ENC[AES256_GCM,data:PhhwPhUys/WDzXb40iFlrUcwFEJVzi49vDlm5Hpc7IUwbBiQI1Zvi6115THMvarnGESDyouPfoZP0wha,iv:x//EzR4QwdD0UxqV97yUepc39DopoqiDT21unpF9R2E=,tag:5jM1EibWo0wI+PS70+kb/Q==,type:str]
+github_user_key: ENC[AES256_GCM,data:RvBsQjWGd2qRCvBzcpMv8FIXGY/GiPd9o0x2Oq+NlbXxR2NMqNBNLw==,iv:99AcmOWFft7XQAn7YrGjZuCvz0M5wUkYeInsWwyeUFM=,tag:wkw2YQGi9j/8XtOFd8KhdQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraWFDRFUxQ2l5OWV1OXNK
+            UExEbWZkM0kzVk1rZG4yY3pBLzdMVWVJS0UwCnhlWFJ5T2lZUXJyNkg1ejQxaU1t
+            L3F2RUhldTY3N2xXL0hwczNKRzNjcncKLS0tIEkycHoxcDBGNyt2V3RDY29wNGVp
+            TGg5Rk05VkRsaXM1Q0NxMmtMajRORDAKqjFldiAYJKjmnkeDkwanjYvhL6645DZ5
+            dVXExjqO/DG733ge8HFyKzpfpkzRymV1giUwxBdII1dd0mJ2ncINeA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UkRjblIvYStZUzQyRHA1
+            ZGVXeHhrN0kyVkxZdms5U3gwVFlPMW12MVJjCjRkVURpZXBzb0tYenB4dGxKamh6
+            VXVBMmo1Ujkvd2VTRExyWE5MbVJaclUKLS0tIDVhRkYzZmEzUG00Q2IwOWZUMVVt
+            ODVIbytpcjN1cVMyaG1qVVdkRmtaMzQKNsvD9DpK/raDBob+IcuNk72tQDts36kJ
+            QhtoLy8MvUymi49PdEWrgyf68w5XwRO/U4iINhR0qzm0glg/XcyHjA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJc3hKWkk3ckNOY2UyTVhG
+            MmtLaEd0K04yaGxiOUoxMXkzOEFnYis4VkhnCktDRFM2bS8vb05OWDdwa0RwRlNO
+            cmlZemtxVGZ6S0tNTDV1cmE1N0pVWnMKLS0tIE9EZllycHJpcEY2R1pwOFhOZEU3
+            L01IcytDd3BPb0VOTW9DQ2lUdUVJS0kKiD+C+3mK1b/eIwCEFanFgYGLNk3JNPQ7
+            i1UqzbHVxSd0q/YVwdKAcj0jA6EezGm275tgq7IVsy2sHkvRMaEDtQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweVU3TkxFZzRnd2I2clN2
+            ZTlTWmhwQkhVc1hnOXFvZVVDSWpHMVh1TGtrCkc3M1pUTnZCMHpvYXB5ZVhreGxa
+            ZVY2cG5Ja2ltL3k2Q1VEalc5TTNFMXcKLS0tIGd5UWl0RGVXT211Zm51dlB6WFZ1
+            STRtTVpVTCtVZ1FUNENqWFFVNTNuaVUKN6HRiZjTdENeif8dJ29urBxPXDaosjjY
+            InN4Ko6YUaGfvB1DTrKIzrxOpsHS+XjisoGfT71tJwwEOoREklEO/A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-23T18:05:22Z"
+    mac: ENC[AES256_GCM,data:YSi2xIwz50VxUDL3QzGVUwRWUgZhvudSLCKgwIbWm8gkuAJ/V2sVRhJNVQJ1YvLO44ob5hmrgR4wSnOdAbS7FrpbLcJuoYBjVUTDjy+j6otnIDxEcYeciHhZ1pV/OiydBmJC+lZ4+SRdWdokL2HaXRKgc9QT9e/MdAbFIzI1x90=,iv:8rj8yEqHTMgoGu31RVskYizmROB/5I0ajZJ/EcmlVfE=,tag:PILFCyXY8sXYGxCEHS7qCg==,type:str]
+    pgp:
+        - created_at: "2023-04-20T10:20:17Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA6R3Y9nD7qMBAQ/8CVWQaYKfOzvPIllZyyWpUjHRLLXaR8MNJ8U5WI/tdwdN
+            9UScDYJFuYRW7Q9s4Mt961kBGpaHqe9MUZBxUDlYX59+EN3FbO/eMQ5OqI05ESmL
+            TvZB4+S9C5o73nuypSDNvYz+Lgq6DO25ZPhXdtPhx2DE4G31/wft/LpxhjalIjI8
+            MU0Dv22R4qC+glJbe4GIF2IJ8XoxnnzjiGeSqiyv0QIBM0SzOtA5sKwNohWBnW7g
+            7vxOTm5+kyzG0dDjt3tFApgPDaA1wjofzhRuuveF52VBsuIA2opFdpqkyICvK6rn
+            NB5kUaPlY6A0m+n0oHSfY5wm/AnHNE4Oob/ifumAaB0EAJVUTRauI5M8SeJF0ya1
+            U0IQ9N2lb7Y6q4pqHywIa6fnylsqCfxInAYKMuslRq8f9t/qakb4/MYcnPrwpzjw
+            73/naiNoJmG6NVTkM52qTtOqZAmsaQd5cigTuPW2Z2CJq1yLZEVGSSd1DUGUjBDK
+            nQGucpVVVpD+ifrIPz+Iqwy+5NoZZm/Oa9pKJGFzqXinnDNZaqtgpmTw9QxcSeaP
+            VvGZG9CDd89MtAm1VQyuqi1bQ2faq3G0xNrLl7xUsfmjx4ofW+JXR87OzvGfLPhu
+            Sjl3kS9j5/MEBRBg3n9gNkgSu5Sy3ilhckY3yjTgAT9Gw2giDhCiUXi1/7KrGprS
+            UQHPCSsjyWsyuYVa3lAP/WPdVclc4WOdfYcetUCXBVP7LQr0bq+IG+2J0nnY3mDt
+            Va5k4sP1qu6Ecrs2JioQ1V2H+VmcrRykBWnMXl1tDSWKMA==
+            =pS8X
+            -----END PGP MESSAGE-----
+          fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

modules/home/cli/git/default.nix

@@ -1,15 +1,17 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
 
   programs.git = {
     enable = true;
-    userEmail = "${config.homecfg.git.email}";
+    signing = lib.mkIf (config.usercfg.git.key != null) {
-    userName = "${config.homecfg.git.username}";
+      key = config.usercfg.git.key;
-    signing = {
-      key = "${config.homecfg.git.key}";
       signByDefault = true;
     };
     ignores = [ "*result*" ".direnv" "node_modules" ];
-    extraConfig = { core.hooksPath = "./.dev/hooks"; };
+    settings = {
+      core.hooksPath = "./.dev/hooks"; 
+      user.email = "${config.usercfg.git.email}";
+      user.name = "${config.usercfg.git.username}";
+    };
   };
 
   home.packages = with pkgs; [ tig ];

modules/home/cli/other/default.nix

@@ -12,7 +12,7 @@
     cbonsai
     pipes-rs
     cmatrix
-    cava
+    #cava
     sl
   ];
 }

modules/home/cli/zsh/default.nix

@@ -9,10 +9,16 @@ in {
       "sudo" = "sudo ";
       "devsh" =
         "nix develop --profile /tmp/devsh-env ${nixflake_url}#devsh -c zsh";
+      "cdevsh" =
+        "nix develop --profile /tmp/devsh-env -c zsh";
       "nixb" = "(sudo nixos-rebuild switch --flake ${nixflake_url})";
       "nixgc" = "sudo nix-collect-garbage -d && nix-collect-garbage -d";
       "ssh" = "TERM=xterm-256color  ${pkgs.openssh}/bin/ssh";
       "top" = "btop";
     };
+    initContent = ''
+      sopsu() {nix-shell -p sops --run "sops updatekeys $1";}
+      sopsn() {nix-shell -p sops --run "sops $1";}
+    '';
   };
 }

modules/home/default.nix

@@ -1 +1 @@
-{ ... }: { imports = [ ./base ./cli ./gui ./homecfg ./wayland ./xdg ./xorg ]; }
+{ ... }: { imports = [ ./base ./cli ./gui ./wayland ./xdg ./xorg ]; }

modules/home/gui/apps/default.nix

@@ -1,3 +1,3 @@
 { ... }: {
-  imports = [ ./develop ./firefox ./images ./mpv ./pipewire ./vosk ./zathura ];
+  imports = [ ./develop ./firefox ./images ./mpv ./pipewire ./zathura ];
 }

modules/home/gui/apps/develop/default.nix

@@ -1,7 +1,7 @@
 { lib, config, pkgs, ... }: {
   imports = [ ./vscodium ];
 
-  config = lib.mkIf (config.homecfg.make.develop) {
+  config = lib.mkIf (config.syscfg.make.develop) {
-    home.packages = with pkgs; [ blender godot_4 ];
+    home.packages = with pkgs; [ blender godot_4 openscad-unstable orca-slicer pandoc claude-code];
   };
 }

modules/home/gui/apps/develop/vscodium/default.nix

@@ -1,17 +1,20 @@
 { lib, config, pkgs, ... }: {
 
-  config = lib.mkIf (config.homecfg.make.develop) {
+  config = lib.mkIf (config.syscfg.make.develop) {
     programs.vscode = {
       enable = true;
       package = pkgs.vscodium;
-      extensions = with pkgs.vscode-extensions; [
+      #profiles.default = {
+        profiles.default.extensions = with pkgs.vscode-extensions; [
           bbenoist.nix
           esbenp.prettier-vscode
           golang.go
           ms-python.vscode-pylance
           ms-vscode.cpptools
           dbaeumer.vscode-eslint
+          continue.continue 
         ];
+      #};
     };
   };
 }

modules/home/gui/apps/firefox/default.nix

@@ -1,5 +1,5 @@
 { lib, config, ... }: {
-  config = lib.mkIf (config.homecfg.make.gui) {
+  config = lib.mkIf (config.syscfg.make.gui) {
     programs.firefox = {
       enable = true;
       profiles = {

modules/home/gui/apps/images/default.nix

@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }: {
 
-  config = lib.mkIf (config.homecfg.make.gui) {
+  config = lib.mkIf (config.syscfg.make.gui) {
     programs.imv.enable = true;
 
     programs.obs-studio.enable = true;

modules/home/gui/apps/mpv/default.nix

@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }: {
 
-  config = lib.mkIf (config.homecfg.make.gui) {
+  config = lib.mkIf (config.syscfg.make.gui) {
     programs.mpv = {
       enable = true;
       scripts = with pkgs; [ mpvScripts.mpris ];

modules/home/gui/apps/pipewire/default.nix

@@ -1,6 +1,6 @@
 { lib, config, ... }: {
 
-  config = lib.mkIf (config.homecfg.make.gui) {
+  config = lib.mkIf (config.syscfg.make.gui) {
     xdg.configFile."pipewire/pipewire-pulse.conf.d/desktop.conf".text = ''
       context.modules = [
         {   name = libpipewire-module-loopback
@@ -25,6 +25,20 @@
                 }
             }
         }
+        {   name = "libpipewire-module-loopback"
+            args = {
+                node.description = "Virtual Loopback"
+                audio.position = [ FL FR ]
+                capture.props = {
+                    media.class = "Audio/Sink"
+                    node.name = "vloopback_sink"
+                }
+                playback.props = {
+                    media.class = "Audio/Source"
+                    node.name = "vloopback_source"
+                }
+            }
+        }
       ]
     '';
   };

modules/home/gui/apps/vosk/default.nix

@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }: {
 
-  config = lib.mkIf (config.homecfg.make.gui) {
+  config = lib.mkIf (config.syscfg.make.gui) {
     home.packages = with pkgs; [
       custom.vosk.base
       jq

modules/home/gui/apps/zathura/default.nix

@@ -1,6 +1,6 @@
 { lib, config, ... }: {
 
-  config = lib.mkIf (config.homecfg.make.gui) {
+  config = lib.mkIf (config.syscfg.make.gui) {
     programs.zathura = {
       enable = true;
       extraConfig = ''

modules/home/gui/base/default.nix

@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }: {
 
-  config = lib.mkIf (config.homecfg.make.gui) {
+  config = lib.mkIf (config.syscfg.make.gui) {
     services.nextcloud-client.enable = true;
 
     home.packages = with pkgs; [
@@ -10,8 +10,11 @@
       xfce.tumbler
 
       telegram-desktop
+      discord-canary
       pavucontrol
       keepassxc
+      nextcloud-client
+
       gramps
     ];
   };

modules/home/gui/games/default.nix

@@ -1,20 +1,22 @@
-{ lib, config, pkgs, ... }: {
+{ inputs, lib, config, pkgs, ... }: {
 
-  imports = [ ./openttd.nix ];
+  imports = [ ./openttd.nix ./wow.nix ];
 
-  config = lib.mkIf (config.homecfg.make.game) {
+  config = lib.mkIf (config.syscfg.make.game) {
 
     home.packages = with pkgs; [
-      # custom.simc
 
       #games
-      steam
+      # steam
       gamemode
-      gamescope
+      #gamescope
-      mangohud
+      #mangohud
       prismlauncher
       openttd-jgrpp
-      bottles
+      #bottles
+      lutris
+      unstable.umu-launcher
+      # wine
     ];
   };
 

modules/home/gui/games/openttd.nix

@@ -1,6 +1,6 @@
 { lib, config, ... }: {
 
-  config = lib.mkIf (config.homecfg.make.game) {
+  config = lib.mkIf (config.syscfg.make.game) {
     xdg.configFile."openttd/openttd.cfg".text = ''
       [misc]
       display_opt = SHOW_TOWN_NAMES|SHOW_STATION_NAMES|SHOW_SIGNS|FULL_ANIMATION|FULL_DETAIL|WAYPOINTS|SHOW_COMPETITOR_SIGNS

modules/home/gui/games/wow.nix

@@ -0,0 +1,23 @@
+{ pkgs, lib, config, sops, ... }: {
+
+  config = lib.mkIf (config.syscfg.make.game) {
+
+    home.packages = with pkgs;
+      [
+        # custom.simc
+        unstable.instawow
+      ];
+
+    # templates buggy currently
+    #xdg.configFile."instawow/config.json" = ''${config.sops.templates."instawow_config.json".path}'';
+    sops.templates."instawow_config.json".content = ''
+       {
+            "auto_update_check": true,
+            "access_tokens": {
+              "cfcore": "${config.sops.placeholder.curse_forge_key}",
+              "github": "${config.sops.placeholder.github_user_key}",
+              "wago_addons": null
+            }
+        }'';
+  };
+}

modules/home/gui/theme/default.nix

@@ -5,7 +5,7 @@ let
   wallpaperGen = import ./wallpaper-gen.nix { inherit pkgs config; };
 in {
 
-  config = lib.mkIf (config.homecfg.make.gui) {
+  config = lib.mkIf (config.syscfg.make.gui) {
     home.pointerCursor = {
       package = pkgs.bibata-cursors;
       name = "Bibata-Modern-Classic";
@@ -17,7 +17,7 @@ in {
     gtk = {
       enable = true;
       theme = {
-        name = "${config.colorscheme.slug}";
+        name = "${config.colorscheme.slug}-Dark";
         package = gtkThemeFromScheme;
       };
       iconTheme = {
@@ -28,7 +28,7 @@ in {
 
     qt = {
       enable = true;
-      platformTheme = "gtk";
+      platformTheme.name = "gtk";
     };
 
     home.packages = [ wallpaperGen pkgs.swww ];

modules/home/gui/theme/gtk-theme-gen.nix

@@ -9,60 +9,89 @@ let
 in pkgs.stdenv.mkDerivation rec {
   name = "generated-gtk-theme-${scheme.slug}";
   src = pkgs.fetchFromGitHub {
-    owner = "nana-4";
+    owner = "vinceliuice";
-    repo = "materia-theme";
+    repo = "Orchis-theme";
-    rev = "6e5850388a25f424b8193fe4523504d1dc364175";
+    rev = "5b73376721cf307101e22d7031c1f4b1344d1f63";
-    sha256 = "sha256-I6hpH0VTmftU4+/pRbztuTQcBKcOFBFbNZXJL/2bcgU=";
+    sha256 = "sha256-+2/CsgJ+rdDpCp+r5B/zys3PtFgtnu+ohTEUOtJNd1Y=";
   };
-  buildInputs = with pkgs; [
-    sassc
-    bc
-    which
-    rendersvg
-    meson
-    ninja
-    nodePackages.sass
-    gtk4.dev
-    optipng
-  ];
-  phases = [ "unpackPhase" "installPhase" ];
-  installPhase = ''
-    HOME=/build
-    chmod 777 -R .
-    patchShebangs .
-    mkdir -p $out/share/themes
-    mkdir bin
-    sed -e 's/handle-horz-.*//' -e 's/handle-vert-.*//' -i ./src/gtk-2.0/assets.txt
 
-    cat > /build/gtk-colors << EOF
+  nativeBuildInputs = with pkgs; [ gtk3 sassc ];
-      BG=${scheme.palette.base00}
+  buildInputs = with pkgs; [ gnome-themes-extra ];
-      FG=${scheme.palette.base07}
+  propagatedUserEnvPkgs = with pkgs; [ gtk-engine-murrine ];
-      HDR_BG=${scheme.palette.base00}
+
-      HDR_FG=${scheme.palette.base07}
+  preInstall = ''
-      SEL_BG=${scheme.palette.base03}
+    mkdir -p $out/share/themes
-      SEL_FG=${scheme.palette.base07}
+    cat > src/_sass/_color-palette-${scheme.slug}.scss << 'EOF'
-      TXT_BG=${scheme.palette.base01}
+      $red-light: #${scheme.palette.low0F};
-      TXT_FG=${scheme.palette.base07}
+      $red-dark: #${scheme.palette.high0F};
-      BTN_BG=${scheme.palette.base01}
+
-      BTN_FG=${scheme.palette.base07}
+      $pink-light: #${scheme.palette.low0E};
-      HDR_BTN_BG=${scheme.palette.base01}
+      $pink-dark: #${scheme.palette.high0E};
-      HDR_BTN_FG=${scheme.palette.base07}
+
-      MENU_BG=${scheme.palette.base00}
+      $purple-light: #${scheme.palette.low0D};
-      MENU_FG=${scheme.palette.base07}
+      $purple-dark: #${scheme.palette.high0D};
-      ACCENT_BG=${scheme.palette.base0C}
+
-      ACCENT_FG=${scheme.palette.base00}
+      $blue-light: #${scheme.palette.low0C};
-      MATERIA_SURFACE=${scheme.palette.base01}
+      $blue-dark: #${scheme.palette.high0C};
-      MATERIA_VIEW=${scheme.palette.base00}
+
-      WM_BORDER_FOCUS=${scheme.palette.base02}
+      $teal-light: #${scheme.palette.low0B};
-      WM_BORDER_UNFOCUS=${scheme.palette.base02}
+      $teal-dark: #${scheme.palette.high0B};
-      UNITY_DEFAULT_LAUNCHER_STYLE=False
+
-      ROUNDNESS=7
+      $green-light: #${scheme.palette.low0A};
-      NAME=${scheme.slug}
+      $green-dark: #${scheme.palette.high0A};
-      MATERIA_STYLE_COMPACT=True
+      $sea-light: #${scheme.palette.alt_low0B};
+      $sea-dark: #${scheme.palette.alt_high0B};
+
+      $yellow-light: #${scheme.palette.low09};
+      $yellow-dark: #${scheme.palette.low09};
+
+      $orange-light: #${scheme.palette.low08};
+      $orange-dark: #${scheme.palette.high08};
+
+      $grey-050: #${scheme.palette.base07};
+      $grey-100: #${scheme.palette.base07};
+      $grey-150: #${scheme.palette.base06};
+      $grey-200: #${scheme.palette.base06};
+      $grey-250: #${scheme.palette.base05};
+      $grey-300: #${scheme.palette.base05};
+      $grey-350: #${scheme.palette.base04};
+      $grey-400: #${scheme.palette.base04};
+      $grey-450: #${scheme.palette.base03};
+      $grey-500: #${scheme.palette.base03};
+      $grey-550: #${scheme.palette.base02};
+      $grey-600: #${scheme.palette.base02};
+      $grey-650: #${scheme.palette.base02};
+      $grey-700: #${scheme.palette.base01};
+      $grey-750: #${scheme.palette.base01};
+      $grey-800: #${scheme.palette.base01};
+      $grey-850: #${scheme.palette.base00};
+      $grey-900: #${scheme.palette.base00};
+      $grey-950: #${scheme.palette.base00};
+
+      $white: #${scheme.palette.base07};
+      $black: #${scheme.palette.base00};
+
+      $button-close: #${scheme.palette.base0F};
+      $button-max: #${scheme.palette.base0A};
+      $button-min: #${scheme.palette.base08};
     EOF
 
-    echo "Changing colours:"
+    sed -i "/\@import/s/color-palette-default/color-palette-${scheme.slug}/" src/_sass/_tweaks.scss
-    ./change_color.sh -o ${scheme.slug} /build/gtk-colors -i False -t "$out/share/themes"
+    sed -i "/\$colorscheme:/s/default/${scheme.slug}/" src/_sass/_tweaks.scss
-    chmod 555 -R .
+
   '';
+
+  installPhase = ''
+    runHook preInstall
+    bash install.sh -d $out/share/themes \
+      -t default \
+      -n ${scheme.slug} \
+      -c ${scheme.variant} \
+      -s standard \
+      --tweaks primary \
+      --round ${scheme.palette.border-radius}px
+
+    runHook postInstall
+  '';
+
 }

modules/home/homecfg/default.nix

@@ -1,43 +0,0 @@
-{ inputs, lib, config, ... }:
-with lib; {
-  options.homecfg = {
-    username = mkOption { type = types.str; };
-    wm = mkOption {
-      type = types.enum [ "Wayland" "X11" ];
-      default = "Wayland";
-    };
-    make = {
-      cli = mkOption {
-        type = types.bool;
-        default = true;
-      };
-      gui = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      develop = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      game = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      power = mkOption {
-        type = types.bool;
-        default = false;
-      };
-    };
-    git = {
-      username = mkOption { type = types.str; };
-      email = mkOption { type = types.str; };
-      key = mkOption { type = types.str; };
-    };
-  };
-
-  imports = with inputs; [
-    nix-colors.homeManagerModules.default
-    ../../shared/colors
-  ];
-
-}

modules/home/wayland/apps/dunst/default.nix

@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }: {
 
-  config = lib.mkIf (config.homecfg.wm == "Wayland") {
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
     home.packages = with pkgs; [ libnotify ];
     services.dunst = {
       enable = true;

modules/home/wayland/apps/eww/bar/css/_clock.scss

@@ -17,7 +17,8 @@ calendar {
     font-weight: bold;
   }
 
-  .button {
+  label {
+    font-size: 20pt;
     color: $base0C;
   }
 
@@ -35,9 +36,6 @@ calendar {
   margin-top: -4pt;
 }
 
-.minute, .hour, .day, .month {
-  font-size: 20pt;
-}
 
 .date {
   color: $base0C;
@@ -47,5 +45,4 @@ calendar {
 
 .datetime {
   padding: $gaps-window;
-  
 }

modules/home/wayland/apps/eww/bar/css/_systray.scss

@@ -0,0 +1,35 @@
+.tray * {
+    padding: $border-width 0px;
+}
+.tray menu {
+    background-color: $base01;
+    color: $base07;
+    @include border-radius;
+    @include border-active;
+
+
+	padding: 10px 0px;
+
+	>menuitem {
+        margin: 2px $border-width;
+		padding: 0px 10px;
+
+		&:disabled label {
+			color: $base04;
+		}
+
+		&:hover {
+			background-color: $base0C;
+		}
+	}
+
+	separator {
+		background-color: $base03;
+		padding-top: 1px;
+        margin:10px 0px;
+
+		&:last-child {
+			padding: unset;
+		}
+	}
+}

modules/home/wayland/apps/eww/bar/eww.scss

@@ -13,6 +13,8 @@
 }
 
 @mixin border-active {
+  border-width: $border-width;
+  border-style: solid;
   border-color: $base04;
 }
 
@@ -99,6 +101,9 @@ tooltip {
 }
 .modevent:hover {
   @include border-active;
+  border-right-style: none;
+  border-bottom-right-radius: 0;
+  border-top-right-radius: 0;
 }
 
 .modinner {
@@ -115,6 +120,7 @@ tooltip {
 @import 'css/clock';
 @import 'css/radio';
 @import 'css/powermenu';
+@import 'css/systray';
 
 
 /* BAR */

modules/home/wayland/apps/eww/bar/eww.yuck

@@ -2,6 +2,7 @@
 
 (include "modules/sys.yuck")
 (include "modules/net.yuck")
+(include "modules/systray.yuck")
 (include "modules/clock.yuck")
 
 (include "windows/calendar.yuck")
@@ -26,6 +27,7 @@
     :valign "end"
     (sys-mod)
     (net-mod)
+    (systray-mod)
     (clock-mod)))
 
 (defwidget center []
@@ -46,7 +48,7 @@
 
 
 (defwindow bar
-    :monitor 0
+    :monitor 1
     :geometry (geometry
       :x "0%"
       :y "0%"

modules/home/wayland/apps/eww/bar/modules/clock.yuck

@@ -5,28 +5,30 @@
     (eventbox
       :onhover "${EWW_CMD} update date_rev=true"
       :onhoverlost "${EWW_CMD} update date_rev=false"
+      :onclick "(sleep 0.1 && ${EWW_CMD} open --toggle calendar)"
+      :onrightclick "(sleep 0.1 && ${EWW_CMD} open --toggle powermenu)"
       (box
         :class "datetime"
         (overlay
           (box
             :orientation "v"
-            (button
+            (label :show-truncated false 
-              :class "hour" hour)
+              :class "hour" 
-            (button
+              :text {hour})
-              :class "minute" minute))
+            (label :show-truncated false
+            :class "minute"
+              :text {minute}))
           (revealer
             :reveal date_rev
             (box
               :class "date"
               :orientation "v"
-              (button
+              (label :show-truncated "false" 
-                :onclick "${EWW_CMD} open --toggle calendar"
+                :class "day"
-                :onrightclick "${EWW_CMD} open --toggle powermenu"
+                :text {day})
-                :class "day" day)
+              (label :show-truncated "false"
-              (button
+                :class "month" 
-                :onclick "${EWW_CMD} open --toggle calendar"
+                :text {month}))
-                :onrightclick "${EWW_CMD} open --toggle powermenu"
-                :class "month" month))
           )
         )
       )

modules/home/wayland/apps/eww/bar/modules/sys.yuck

@@ -6,9 +6,8 @@
 
 (defwidget sys-mod []
   (module
-    (button
+    (eventbox
-      :class "module"
+      :onclick "(sleep 0.1 && ${EWW_CMD} open --toggle sys)"
-      :onclick "${EWW_CMD} open --toggle sys"
       (box
         :orientation "v"
           (circular-progress
@@ -22,7 +21,6 @@
             :class "gpubar"
             :thickness 6
             (label :class "icon-text" :text "G"))
-
         (circular-progress
           :value {100*memory.used/memory.total}
           :class "membar"

modules/home/wayland/apps/eww/bar/modules/systray.yuck

@@ -0,0 +1,15 @@
+
+(defwidget systray-mod []
+  (module
+    (box
+      :orientation "v"
+      (systray
+        :class "tray"
+        :space-evenly "true"
+        :orientation "v"
+        :icon-size 20
+        :prepend-new "false"
+        )
+    )
+  )
+)

modules/home/wayland/apps/eww/bar/modules/workspaces.yuck

@@ -11,6 +11,7 @@
 					(button
 						:onclick "hyprctl dispatch workspace ${ws.number}"
 						(label 
+							:show-truncated false
 							:class "icon-text  ${ws.color}"
 							:text `${ws.focused ? "󰜗" : "󰝥"}`
 						)

modules/home/wayland/apps/eww/bar/scripts/workspaces

@@ -64,7 +64,7 @@ done
 generate
 
 # main loop
-socat -u UNIX-CONNECT:/tmp/hypr/"$HYPRLAND_INSTANCE_SIGNATURE"/.socket2.sock - | rg --line-buffered "workspace|mon(itor)?" | while read -r line; do
+socat -u UNIX-CONNECT:$XDG_RUNTIME_DIR/hypr/"$HYPRLAND_INSTANCE_SIGNATURE"/.socket2.sock - | rg --line-buffered "workspace|mon(itor)?" | while read -r line; do
   case ${line%>>*} in
   "workspace")
     focusedws=${line#*>>}

modules/home/wayland/apps/eww/bar/windows/calendar.yuck

@@ -1,5 +1,5 @@
 (defwindow calendar
-  :monitor 0
+  :monitor 1
   :geometry (geometry
     :x "0%"
     :y "0%"

modules/home/wayland/apps/eww/bar/windows/powermenu.yuck

@@ -34,7 +34,7 @@
 )
 
 (defwindow powermenu
-    :monitor 0
+    :monitor 1
     :stacking "overlay"
     :geometry (geometry 
                     :anchor "center"

modules/home/wayland/apps/eww/bar/windows/radio.yuck

@@ -2,7 +2,7 @@
 (defvar radio_rev false)
 
 (defwindow radio
-  :monitor 0
+  :monitor 1
   :geometry (geometry
     :x "0%"
     :y "0%"
@@ -100,8 +100,11 @@
     (box
       :orientation "v"
       (button
-        :onclick "${EWW_CMD} open --toggle --no-daemonize radio"
+        :onclick "(sleep 0.1 && ${EWW_CMD} open --toggle --no-daemonize radio)"
-        (label :class "icon-text" :text "󰝚")
+        (label 
+          :show-truncated false
+          :class "icon-text" 
+          :text "󰝚")
       )
     )
   )

modules/home/wayland/apps/eww/bar/windows/sys.yuck

@@ -129,7 +129,7 @@
 )
 
 (defwindow sys
-  :monitor 0
+  :monitor 1
   :stacking "overlay"
   :geometry (geometry
     :x "0%"

modules/home/wayland/apps/eww/default.nix

@@ -1,7 +1,7 @@
 { lib, config, pkgs, ... }: {
 
-  config = lib.mkIf (config.homecfg.wm == "Wayland") {
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
-    home.packages = with pkgs; [ eww-wayland jaq custom.amdgpu_top ];
+    home.packages = with pkgs; [ eww jq jaq custom.amdgpu_top ];
 
     xdg.configFile."eww" = {
       source = lib.cleanSourceWith {

modules/home/wayland/apps/kanshi/default.nix

@@ -1,58 +1,73 @@
-{ ... }: {
+{ config, lib, ... }: {
 
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
     services.kanshi = {
       enable = true;
       systemdTarget = "graphical-session.target";
-    profiles = {
+      settings = [
-      tower_0 = {
-        outputs = [{
-          criteria = "CEX CX133 0x00000001";
-          mode = "1920x1200@59.972";
-          position = "0,0";
-          scale = 1.0;
-          status = "enable";
-        }];
-      };
-      tower_1 = {
-        outputs = [{
-          criteria = "AOC 16G3 1DDP7HA000348";
-          mode = "1920x1080@144.000";
-          position = "0,0";
-          status = "enable";
-          scale = 1.0;
-          adaptiveSync = true;
-        }];
-      };
-      tower_2 = {
-        outputs = [
         {
-            criteria = "AOC 16G3 1DDP7HA000348";
+          profile.name = "tower_0";
-            mode = "1920x1080@144.000";
+          profile.outputs = [
+            {
+              criteria = "AOC 24E1W1 GNSKCHA086899";
+              mode = "1920x1080@60.000";
               position = "0,0";
               status = "enable";
               scale = 1.0;
               adaptiveSync = true;
             }
             {
-            criteria = "CEX CX133 0x00000001";
+              criteria = "AOC 24E1W1 GNSKBHA080346";
-            mode = "1920x1200@59.972";
+              mode = "1920x1080@60.000";
-            position = "0,1080";
+              position = "1920,0";
-            scale = 1.0;
               status = "enable";
+              scale = 1.0;
+              adaptiveSync = true;
             }
           ];
-      };
+        }
-      laptop_0 = {
+        {
-        outputs = [{
+          profile.name = "tower_1";
+          profile.outputs = [
+            {
+              criteria = "AOC 24E1W1 GNSKCHA086899";
+              mode = "1920x1080@60.000";
+              position = "0,0";
+              status = "enable";
+              scale = 1.0;
+              adaptiveSync = true;
+            }
+            {
+              criteria = "AOC 24E1W1 GNSKBHA080346";
+              mode = "1920x1080@60.000";
+              position = "0,0";
+              status = "enable";
+              scale = 1.0;
+              adaptiveSync = true;
+            }
+            {
+              criteria = "LG UNKNOWN_TBD";
+              mode = "1920x1080@144.000";
+              position = "0,0";
+              status = "enable";
+              scale = 1.0;
+              adaptiveSync = true;
+            }
+          ];
+        }
+        {
+          profile.name = "laptop_0";
+          profile.outputs = [{
             criteria = "LG Display 0x060A Unknown";
             mode = "1920x1080@60.020";
             position = "0,0";
             scale = 1.0;
             status = "enable";
           }];
-      };
+        }
-      laptop_1 = {
+        {
-        outputs = [
+          profile.name = "laptop_1";
+          profile.outputs = [
             {
               criteria = "CEX CX133 0x00000001";
               mode = "2560x1600@59.972";
@@ -68,9 +83,10 @@
               status = "enable";
             }
           ];
-      };
+        }
-      laptop_2 = {
+        {
-        outputs = [
+          profile.name = "laptop_2";
+          profile.outputs = [
             {
               criteria = "AOC 16G3 1DDP7HA000348";
               mode = "1920x1080@144.000";
@@ -87,7 +103,8 @@
               status = "enable";
             }
           ];
-      };
+        }
+      ];
     };
   };
 }

modules/home/wayland/apps/waybar/default.nix

@@ -17,7 +17,7 @@ let
       ''
     }/bin/waybar-${name}";
 in {
-  config = lib.mkIf (config.homecfg.wm == "Wayland") {
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
 
     home.packages = [ pkgs.custom.amdgpu_top pkgs.jq ];
 

modules/home/wayland/apps/waylock/default.nix

@@ -1,10 +1,12 @@
 { lib, pkgs, config, ... }: {
-  config = lib.mkIf (config.homecfg.wm == "Wayland") {
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
 
     home.packages = with pkgs; [ swayidle swaylock-effects ];
 
     xdg.configFile."swaylock/config".text = ''
       screenshots
+      grace-no-mouse
+      grace-no-touch
       grace=5
       effect-pixelate=5
       fade-in=0.2

modules/home/wayland/apps/wofi/default.nix

@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }: {
 
-  config = lib.mkIf (config.homecfg.wm == "Wayland") {
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
     home.packages = with pkgs; [ wofi ];
     xdg.configFile."wofi/config".text = ''
       width=280

modules/home/wayland/base/default.nix

@@ -11,14 +11,18 @@ let
     '';
   };
 in {
-  config = lib.mkIf (config.homecfg.wm == "Wayland") {
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
 
     home.packages = with pkgs; [
       dbus-hyprland-environment
       wayland
 
-      grim
+      hyprpicker
+      
+      hyprshot
       slurp
+      satty
+
       swappy
       cliphist
       wl-clipboard
@@ -42,6 +46,8 @@ in {
           [ "discord-402572971681644545.desktop" ];
         "x-scheme-handler/discord-696343075731144724" =
           [ "discord-696343075731144724.desktop" ];
+        "x-scheme-handler/tg" = [ "org.telegram.desktop.desktop" ];
+        "x-scheme-handler/tonsite" = [ "org.telegram.desktop.desktop" ];
         "x-scheme-handler/http" = [ "firefox.desktop" ];
         "x-scheme-handler/https" = [ "firefox.desktop" ];
         "x-scheme-handler/chrome" = [ "firefox.desktop" ];

modules/home/wayland/hyprland/config.nix

@@ -1,11 +1,12 @@
 { lib, config, pkgs, ... }: {
-  config = lib.mkIf (config.homecfg.wm == "Wayland") {
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
+
     wayland.windowManager.hyprland = {
       enable = true;
       xwayland.enable = true;
       extraConfig = ''
         monitor=,preferred,auto,auto
-
+        env=bitdepth,10
         input {
             kb_layout = us, ru
             kb_variant = intl, phonetic
@@ -13,7 +14,7 @@
 
             follow_mouse = 1
 
-            sensitivity = 0 # -0.5 # -1.0 - 1.0, 0 means no modification.
+            sensitivity = 0
                         
             touchpad {
                 natural_scroll=no
@@ -60,10 +61,10 @@
             fullscreen_opacity = 1.0
                                       
             # shadow
-            drop_shadow = no
+            # drop_shadow = no
-            shadow_range = 60
+            # shadow_range = 60
-            shadow_offset = 0 5
+            # shadow_offset = 0 5
-            shadow_render_power = 4
+            # shadow_render_power = 4
             #col.shadow = rgba(00000099)
         }
                         
@@ -85,12 +86,10 @@
         }
 
         master {
-            new_is_master = true
+            new_status = master
         }
 
-        gestures {
+        gesture = 3, vertical, workspace
-            workspace_swipe = off
-        }
                         
         exec-once = eww open bar
         #exec-once = waybar
@@ -145,6 +144,11 @@
         windowrulev2 = float,class:^(org.telegram.desktop)$,title:^(Media viewer)$
         windowrulev2 = center,class:^(org.telegram.desktop)$,title:^(Media viewer)$
 
+        #SPECIAL NO SLEEP
+        windowrulev2 = idleinhibit fullscreen, class:^(.*)
+        windowrulev2 = idleinhibit focus, class:^(steam_app_.*)$
+        windowrulev2 = idleinhibit focus, class:^(mpv)$
+
         layerrule = blur,^(eww-blur)
 
         #binds
@@ -160,7 +164,7 @@
         bind = SUPER SHIFT,D,exec, ~/.config/hypr/themes/apatheia/eww/launch_bar 
 
         bind = SUPER, V, exec, cliphist list | wofi -dmenu | cliphist decode | wl-copy
-        bind =  , Print, exec, grim -g "$(slurp -d)" - | swappy -f -
+        bind = , PRINT, exec, hyprshot -m region --raw | satty --filename - --early-exit --action-on-enter save-to-clipboard --copy-command 'wl-copy'
 
         bind = SUPER, L, exec, swaylock 
 

modules/home/wayland/hyprland/default.nix

@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }: {
   imports = [ ./config.nix ];
-  config = lib.mkIf (config.homecfg.wm == "Wayland") {
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
     wayland.windowManager.hyprland = { enable = true; };
   };
 }

modules/home/xorg/bspwm/config.nix

@@ -1,5 +1,5 @@
 { lib, config, ... }: {
-  config = lib.mkIf (config.homecfg.wm == "X11") {
+  config = lib.mkIf (config.usercfg.wm == "X11") {
     xsession.windowManager.bspwm.extraConfig = ''
           #! /bin/bash
 
@@ -110,7 +110,7 @@
       telegram-desktop &
       nextcloud &
       jellyfin-mpv-shim &
-      flameshot &
+      #flameshot &
 
       sleep 2
 
@@ -265,7 +265,7 @@
 
       # Screenshots
       Print
-      	flameshot gui
+      	hyprshot -m region
 
       # Lock Desktop
       super + l

modules/home/xorg/bspwm/default.nix

@@ -2,10 +2,10 @@
 
   imports = [ ./config.nix ./script.nix ./xressources.nix ];
 
-  config = lib.mkIf (config.homecfg.wm == "X11") {
+  config = lib.mkIf (config.usercfg.wm == "X11") {
     xsession.windowManager.bspwm = { enable = true; };
     services.sxhkd = { enable = true; };
-    home.packages = with pkgs; [ xrandr arandr flameshot xtrlock i3lock ];
+    home.packages = with pkgs; [ xrandr arandr hyprshot xtrlock i3lock ];
 
   };
 }

modules/home/xorg/bspwm/script.nix

@@ -1,5 +1,5 @@
 { lib, config, ... }: {
-  config = lib.mkIf (config.homecfg.wm == "X11") {
+  config = lib.mkIf (config.usercfg.wm == "X11") {
     xdg.configFile."script/lock.sh".text = ''
       #!/bin/bash
       TMPBG=/tmp/screen.png

modules/home/xorg/bspwm/xressources.nix

@@ -1,5 +1,5 @@
 { lib, config, ... }: {
-  config = lib.mkIf (config.homecfg.wm == "X11") {
+  config = lib.mkIf (config.usercfg.wm == "X11") {
     xresources.extraConfig = ''
 
       #define white #ffffff

modules/nixos/default.nix

@@ -1 +1 @@
-{ ... }: { imports = [ ./cli ./gui ./hostcfg ./system ./tools ./users ]; }
+{ ... }: { imports = [ ./cli ./gui ./system ./tools ./users ]; }

modules/nixos/gui/audio/default.nix

@@ -1,10 +1,10 @@
 { lib, config, pkgs, ... }:
-let cfg = config.hostcfg.make.gui;
+let cfg = config.syscfg.make.gui;
 in {
   config = lib.mkIf cfg {
-    sound.enable = true;
+    # sound.enable = true;
-    hardware.pulseaudio.enable = false;
     security.rtkit.enable = true;
+    services.pulseaudio.enable = false; #25.05 change to services
     services.pipewire = {
       enable = true;
       alsa.enable = true;
@@ -13,6 +13,6 @@ in {
       # wireplumber.enable = true;
     };
 
-    environment.systemPackages = with pkgs; [ easyeffects ];
+    environment.systemPackages = with pkgs; [ easyeffects alsa-utils ];
   };
 }

modules/nixos/gui/games/default.nix

@@ -1,10 +1,13 @@
 { lib, config, pkgs, ... }:
-let cfg = config.hostcfg.make.game;
+let cfg = config.syscfg.make.game;
 in {
   config = lib.mkIf cfg {
     programs.steam = {
       enable = true;
       remotePlay.openFirewall = true;
+      extraCompatPackages = with pkgs;  [proton-ge-bin];
     };
+    programs.gamemode.enable = true;
+
   };
 }

modules/nixos/gui/greet/default.nix

@@ -1,14 +1,12 @@
-{ lib, config, pkgs, ... }:
+{ lib, config, pkgs, ... }: {
-let cfg = config.hostcfg.make.gui;
+  config = lib.mkIf (config.syscfg.make.gui) {
-in {
-  config = lib.mkIf cfg {
 
     services.greetd = {
       enable = true;
       settings = rec {
         initial_session = {
           command = "zsh";
-          user = "${config.hostcfg.username}";
+          user = "${config.syscfg.defaultUser}";
         };
         default_session = initial_session;
       };

modules/nixos/gui/xserver/default.nix

@@ -1,7 +1,6 @@
-{ lib, config, pkgs, ... }:
+{ lib, config, pkgs, ... }: {
-let cfg = config.hostcfg.make.gui;
+  config = lib.mkIf (config.syscfg.make.gui) {
-in {
+    programs.xwayland.enable = true;
-  config = lib.mkIf cfg {
     services.xserver = {
       enable = true;
       videoDrivers = [ "amd" ];

modules/nixos/hostcfg/default.nix

@@ -1,48 +0,0 @@
-{ lib, config, ... }:
-with lib; {
-  options.hostcfg = {
-    hostname = mkOption { type = types.str; };
-    username = mkOption { type = types.str; };
-    make = {
-      cli = mkOption {
-        type = types.bool;
-        default = true;
-      };
-      gui = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      virt = mkOption {
-        type = types.bool;
-        default = true;
-      };
-      power = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      game = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      develop = mkOption {
-        type = types.bool;
-        default = false;
-      };
-    };
-    net = {
-      wlp = {
-        enable = mkOption { type = types.bool; };
-        nif = mkOption { type = types.str; };
-      };
-      wg = {
-        enable = mkOption {
-          type = types.bool;
-          default = true;
-        };
-        ip4 = mkOption { type = types.str; };
-        ip6 = mkOption { type = types.str; };
-        pk = mkOption { type = types.str; };
-      };
-    };
-  };
-}

modules/nixos/system/default.nix

@@ -1,3 +1,9 @@
 { ... }: {
   imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ];
+
+  # services.journald.extraConfig = ''
+  #   LineMax=128K
+  #   SystemMaxUse=512M
+  #   SystemMaxFileSize=128M
+  # '';
 }

modules/nixos/system/hw/base/default.nix

@@ -1,4 +1,4 @@
 { ... }: {
-  services.fwupd.enable = false; # Note: run inside a nix-shell
+  services.fwupd.enable = true;
   hardware.enableAllFirmware = true;
 }

modules/nixos/system/hw/boot/default.nix

@@ -1,4 +1,7 @@
-{ ... }: {
+{ lib, config, ... }:
+let isSANDBOX = builtins.elem config.syscfg.hostname [ "sandbox" ];
+in {
+  config = lib.mkIf (!isSANDBOX) {
     boot.loader = {
       systemd-boot = {
         enable = true;
@@ -6,7 +9,8 @@
       };
       efi = {
         canTouchEfiVariables = true;
-      efiSysMountPoint = "/boot/efi";
+        efiSysMountPoint = "/boot";
+      };
     };
   };
 }

modules/nixos/system/hw/default.nix

@@ -1 +1 @@
-{ ... }: { imports = [ ./base ./boot ./fs ./opengl ./power ./udev ./virt ]; }
+{ ... }: { imports = [ ./base ./boot ./fs ./graphics ./power ./udev ./virt ]; }

modules/nixos/system/hw/graphics/default.nix

@@ -0,0 +1,4 @@
+{ ... }: {
+  hardware.graphics.enable = true;
+  hardware.graphics.enable32Bit = true;
+}

modules/nixos/system/hw/opengl/default.nix

@@ -1,5 +0,0 @@
-{ ... }: {
-  hardware.opengl.enable = true;
-  hardware.opengl.driSupport = true;
-  hardware.opengl.driSupport32Bit = true;
-}

modules/nixos/system/hw/power/default.nix

@@ -1,7 +1,5 @@
-{ lib, config, pkgs, ... }:
+{ lib, config, pkgs, ... }: {
-let cfg = config.hostcfg.make.power;
+  config = lib.mkIf (config.syscfg.make.power) {
-in {
-  config = lib.mkIf cfg {
     services.tlp = {
       enable = true;
       settings = {
@@ -9,9 +7,24 @@ in {
         STOP_CHARGE_THRESH_BAT0 = 90;
         CPU_SCALING_GOVERNOR_ON_AC = "performance";
         CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+        MEM_SLEEP_ON_BAT = "deep";
       };
     };
     
+    powerManagement.enable = true;
+    # suspend to RAM (deep) rather than `s2idle`
+    boot.kernelParams = [ "mem_sleep_default=deep" ];
+    # suspend-then-hibernate
+    systemd.sleep.extraConfig = ''
+      HibernateDelaySec=30m
+      SuspendState=mem
+    '';
+
+    services.logind.settings.Login.HandleLidSwitch = "suspend-then-hibernate";
+    # Hibernate on power button pressed
+    services.logind.settings.Login.HandlePowerKey = "hibernate";
+    services.logind.settings.Login.HandlePowerKeyLongPress = "poweroff";
+
     systemd.user.services.battery_monitor = {
       wants = [ "display-manager.service" ];
       wantedBy = [ "graphical-session.target" ];

modules/nixos/system/hw/virt/default.nix

@@ -1,20 +1,23 @@
-{ lib, config, pkgs, ... }:
+{ lib, config, pkgs, ... }: {
-let cfg = config.hostcfg.make.virt;
+  config = lib.mkIf (config.syscfg.make.virt) {
-in {
+    #environment.systemPackages = [ pkgs.qemu ];
-  config = lib.mkIf cfg {
-
-    environment.systemPackages = [ pkgs.qemu ];
     virtualisation = {
-      libvirtd.enable = true;
+      #libvirtd.enable = true;
       # waydroid.enable = true;
       # lxd.enable = true;
-      docker = {
+      docker.enable = false;
+      podman = {
         enable = true;
-        rootless = {
+        dockerSocket.enable = true;
-          enable = true;
+        dockerCompat = true;
-          setSocketVariable = true;
+        defaultNetwork.settings = {
+          #dnsname.enable = true;
+          dns_enabled = true;
+          #internal = true;
+          #name = "internal";
         };
       };
     };
+    virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
   };
 }

modules/nixos/system/network/base/default.nix

@@ -1,9 +1,20 @@
 { config, ... }: {
   networking = {
-    hostName = config.hostcfg.hostname;
+    hostName = config.syscfg.hostname;
     useDHCP = true;
     nameservers = [ "1.1.1.1" "9.9.9.9" ];
 
-    firewall = { enable = true; };
+    firewall = { 
+      enable = true;
+      allowedUDPPorts = 
+        (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++ 
+        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
+        [ ];
+
+      allowedTCPPorts = 
+        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
+        (if (config.syscfg.server != false) then [ 5432 6379 ] else [ ]) ++ 
+        [ ];
+    };
   };
 }

modules/nixos/system/network/bluetooth/default.nix

@@ -1,5 +1,7 @@
-{ pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
+  config = lib.mkIf (config.syscfg.net.ble.enable) {
     hardware.bluetooth.enable = true;
     services.blueman.enable = true;
     environment.systemPackages = with pkgs; [ bluez bluez-tools ];
+  };
 }

modules/nixos/system/network/wifi/default.nix

@@ -1,9 +1,7 @@
-{ lib, config, ... }:
+{ lib, config, ... }: {
-let cfg = config.hostcfg.net.wlp;
+  config = lib.mkIf (config.syscfg.net.wlp.enable) {
-in {
-  config = lib.mkIf cfg.enable {
     networking.supplicant = {
-      "${cfg.nif}" = {
+      "${config.syscfg.net.wlp.nif}" = {
         configFile.path = config.sops.secrets.wifi.path;
         extraConf = ''
           network={

modules/nixos/system/network/wireguard/default.nix

@@ -1,13 +1,31 @@
-{ config, ... }: {
+{ config, lib, pkgs, ... }: let
+
+  isValidPeer = p: 
+    (p ? syscfg.net.wg.enable) && 
+    (p.syscfg.net.wg.enable == true) && 
+    (p.syscfg.net.wg.pubkey != config.syscfg.net.wg.pubkey);
+  activePeers = builtins.filter isValidPeer config.syscfg.peers;
+in
+{
+  config = lib.mkIf (config.syscfg.net.wg.enable) {
     networking.wireguard = {
       enable = true;
       interfaces = {
         wg0 = {
-        ips = [ config.hostcfg.net.wg.ip4 config.hostcfg.net.wg.ip6 ];
+          ips = [ config.syscfg.net.wg.ip4 config.syscfg.net.wg.ip6 ];
-        privateKeyFile = config.hostcfg.net.wg.pk;
+          privateKeyFile =
+            config.sops.secrets."${config.syscfg.hostname}_wg_priv".path;
           listenPort = 1515;
           mtu = 1340;
-        peers = [{
+          peers = 
+            if (config.syscfg.server ? wireguard && config.syscfg.server.wireguard) then
+              map (p: {
+                name = p.syscfg.hostname;
+                publicKey = p.syscfg.net.wg.pubkey;
+                allowedIPs = [ p.syscfg.net.wg.ip4 p.syscfg.net.wg.ip6 ];
+              }) activePeers
+            else
+              [{
                 allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
                 endpoint = "vpn.helcel.net:1515";
                 publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
@@ -16,4 +34,9 @@
         };
       };
     };
+    systemd.services."wireguard-wg0" = {
+      after = [ "network-online.target" "nss-lookup.target" ];
+      wants = [ "network-online.target" "nss-lookup.target" ];
+    };
+  };
 }

modules/nixos/system/nix/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{ inputs, pkgs, ... }: {
   nixpkgs.config = {
     permittedInsecurePackages = [ ];
     allowUnfree = true;
@@ -8,9 +8,9 @@
     };
 
   };
-  nixpkgs.overlays = import ../../../../overlays { inherit pkgs; };
+  nixpkgs.overlays = import ../../../../overlays { inherit inputs pkgs; };
   nix = {
-    package = pkgs.nixFlakes;
+    package = pkgs.nixVersions.stable;
     extraOptions = ''
       experimental-features = nix-command flakes
       warn-dirty = false
@@ -25,13 +25,17 @@
     settings = {
       auto-optimise-store = true;
       builders-use-substitutes = true;
-      substituters =
+      substituters = [
-        [ "https://hyprland.cachix.org" "https://cache.nixos.org" ];
+        "https://hyprland.cachix.org"
+        "https://cache.nixos.org"
+        "https://helcel.cachix.org"
+      ];
       trusted-public-keys = [
         "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
         "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "helcel.cachix.org-1:95s8D+N2xIHwzmkuu7jMUp9t3rtN4EimafR73jO7GLg="
       ];
     };
   };
-  system.stateVersion = "23.11";
+  system.stateVersion = "24.11";
 }

modules/nixos/system/security/default.nix

@@ -1 +1 @@
-{ ... }: { imports = [ ./gpg ./polkit ./sops ./ssh ]; }
+{ ... }: { imports = [ ./gpg ./polkit ./ssh ]; }

modules/nixos/system/security/sops/common.yaml

@@ -1,93 +0,0 @@
-valinor_ssh_priv: ENC[AES256_GCM,data:+eeVw/05eU5VW29KhT9+eGXcf+Ola2n0ISbj5Lzyj/bB/8OWDGXkqxWjgZv3cbL9v265AbyqcHfYX94BynTtMITfM6Cwz3D0EcUmIyP3rgjrJZdnksLu41a30dUjLnfVqiPwZaxxccZb6/JNAgXrg4hjkTsrCiZeSGpPl2VqECVt0tfJ3nmJwX+7C95QMvzxCw5S6CbN53AZBPmqBqzmxperc0LegMR+2lXviuqTEL2ZH3mzo0YeJQS/yCVVQL6TWx/wyM4fKD4kavg07sCAoj7E4V9RL4DY75uIbEz2+hvw9yE4nCtg2UgLu2hmragbH5ZseD/BWu+d2JGQeAnSLJBr6lZj/LGsiCe5vdnNqh2igZ9EI8Bhjv2ed2ajAxPYxJ1cAT9noxx6E+KU6sjWaSeKhLsnO/X3Ht1ADiUP4i/j39aE/4U7Gmk8Gs+3LBF0FXS88M06HV1cCKkd8RLkD0v6uKpOd6deOkKZRRGT8XzrF6JGY6fMXksF7GCqYqKhHEvU3nd3MQ/XjZuSycIr6NKdo31iezwjFCELUf2XQCIEtLe77vxfZQQ9lhddLhM7FJVDwlIuVLjN0lzrUoCywOZOG/ipenkCLDD5JmPqbkgyqFEIKpLW3weqlIFPTQblwaW724kKB80E+0lvW+0mG8oiyeqBuFufhtaUEwmg93aCzPW7wJuP7rzBm2i0FPl4Mg0f1d7iJtrHaIcnncw7vzeo+LOq1zvlcCVO3lt/JTRhTbxMEDzzQvvuRnFVExQbNCd9BKErpZAIia/l+5/PYClqapQYuBsx+Y4jUC/ct6PicSz/YtdXgTQc3jqmsLJ46R7Y3qkeaYJvsFDbTtjG1GlQdisNPZEhtkWgvyIcxl62/SSqLJr+ZxWh2ldToVpnX4g9JKcHbHyvsD/JJRsSD8fHlGBlnpXpL4onkQNbtZQ9HUBpaz6rQvp7klM5iI1trpdnv8nf3H0G54mz5c4FY81VIXcy+2nEgadhWNdKlI0rjruvXyJKUvCPmh3ZyPZPL+7rkLI+ywj+0Gz7QGKcDsOy2L1UsHSpCJGRe0ZJO8vuq1relbMF2pz5eQHa+9S3NNG/v5WNWVw4BcCaX8tfuac467mZ+sr2CKAKn+ojhBAkSVWHWg95bURX1NUpjw6d2dPSJbLjen7FDZ1NiZsvW+eNIPnuaOAIoNKW9H2XXmXagJASOnwd+BwNWWB7APlQz/YfQycDG4TjAWCg22aoTagmXoPtiqNqo0gq7NljSbq5EY2hn1RUV7umMR/cqY4XmdBsVqSwnjBtuHGQArn2QRbAYJcHkrxpAzMfJSWNx176ARBFhQDITpI8Y2ROyF+tZaOcNOYuXfAjktV7Elgt5dNypxdo4a/qFt0IkjxRF8WGGTKU3eRnC0EvaVc3xifLIcjrihqiVnB3jb58pT7lSeTH8pnuTS2+jOVphvok+8ddKd+Q5Po2yw8e0PswzPK7dYdMjNNKhbg/W41Bxf5ZKWxGZjxMbwNndzPext/+QWZqTJDw+Cf3rCMpaAU3nRSW7b5TD9fYrmajSbkzHBy9ggt1y+IofLEWlsMkiisxqnggsbVyDlxMb2q5iOFYMWtG/VPE6e5yDUVlwsd1l+Mv+vASCJW0J2i5BJzpYVTnazcQabbVeK/t3t8oA7/aO7omZxbPYDcfBAfc8+ibx3iBW4tIrwe0EvsqkdhTt4C5jpxynfBnvUL4+O5IYFSyz29EKNPZ+2RQti6tMCZYi4/IDBg93WQHGMrUd0pyANwP0vYVH8QGtD3X94nwOjoJO3GXqD3qcGsCrmBmmJtHTYBZ39KZpxxujsYDeccUuRbV9Ivq9vydkjO4fkIKCtlSFWRtkgU6cl4IxoO7alRDvJzadWrBdW5k3ubZG3qV05+iV9KSdh520YrRzxGb0yd8Ii0pgJU38oEywWyLUL9+/Ov5UZALtflS90cLANodWfzNtAxcZP6C+XR3aRyI8dZp5ZcOwwbj9aieSImLDwnC0l1cdtxSu8Iwm29/yeh4v4JXl6t1bBsTkyCoirQnkyBC3lHLCbwE3vfB34BTcChR+qWhiM92rnr6be8M89AtnEfNsdpZAWD96craURM8wfmMh9tM66gjjHyYuJbi1186x4LAtST4VZMHnw6NoG3XK5sMoVZq8jFWfUqrpS6ZMRu1UV0qL1jNbcZifwOlDgmoFXhFMZ6CGax0Up+cFPI2BJ7wGQwsTszifSXah/XgFhrOWgu9Hs5YJYbTxs26yEhG2K9j1J/4dtNdowmPI05iMynybTzrQkB8T/lVE5w9o1wumNhftyXie10+Nc8U1Ok3JugGG1CoM35eLAPTA8vHZzj6819apBCtw2vGeHio9k27164gHhsZUdAhyfC8hxmR/V857ipCchBNGg6aQOh2hVs9+4mNaap1UXGlAOJZMp/O7BNknYi6LVuGOtiS01W86pgPtCrbb8/24RHcybSLXhS4spTDf/LfBHaEWiklQHyq7YU6hsTOcmTkMNLCFuNVbPXPFze30KWtPhyZyQNYPqEwo8dZ8InN3RNBaYCMgYel7kNcmCO/0HlL1Kqjc4i2mguFiw23Tz0YRmUpwDjEe9gfOjlm9EZQs0GQQyB2gNfaoH1oyiM5yvQ9MrY9OADGpos0334ZqW9mykUpjkhrCWKLmVLAzWejbqMw1ZDq7FRa+l6Uyt+2XFPar7dta/TsWYKv6kTqoz1JHMwf5EoGEgCszcwnqkcqd5T9NHoVNwwpkEN/7axF0OqT25NSpXkAcacSHo70998jL3zbdKFVamUmpF/hN6ioniJyKAelESPym7KpjZKBEsHGTzU30t1GgsGlYUwtR07O5FnRVViDiMyQHYAq1PXa1EbCS0b7bbdMYGcExJzHvlT8VmeKnJ1RoOvKWyil2habXd+TbxEWtfAOuWtJzLYwXWKPppsq/EwKxUGNla01hVrfAbm3QNP45gDGFZ0+piA8PLNq6PNFoSlINc/6/Z3WaENpGhxL0mKS2IS/d76AzHjUV+Hw6ylFUdYEjAPp2lR5woslQnxpO5n3oKpFl3jevzJmcNJKuZZEYzGU1leyddx30hzmVMfTliybA5I1GVTIigbdKwuRWL8uYQA1mHUeO5pEPGMv1X4GcoT5BDrdcFAaU6vjhXbjVhCNcPBbjxKHisfOBUr6nx1M/n3AHndhilimrPP5adOGpG2CFqKQtINb0UmpqPQJRB488tuVE3fTPgqNi+PEES1tIumBVdt5m95p+BNHPyVwLloMeGkCVqsTid2251NSpFd/n0BVAOR0zZP1hGRRzgU2tNPK4VAVuvuPQdPw7ZUbVSe/VvphOLXAG72M27W9IbLrsnnmaNeh5ur/9fl5yI52py53z0Zrp6WNociqyeC03xzPAwmYF9BFMG+j9Kto2OfbxOCUdWxhlCGDuUqODcAsvfKNQddq4Fha0HSLjvGOtfEuWmJNTzmfIeO3vg==,iv:pTQbb6nLHJ8BXTIYdiSe4vc5+1hpNuHhQhDkIAsZ9HI=,tag:jyO99VXSsCQlQD+Hh+gtvg==,type:str]
-valinor_ssh_pub: ENC[AES256_GCM,data:c9s+tEjn+aZAjsxU7+dWmKLVc3dFdtna3ilDJrEb4k9TToyYY5VYEW6exxpbBl6MMAe98/KXgLPI5kTmq3gCqQe2dBnOB3C4f212DOmVyoYGj4AiqzU+Oo0pfg6DRw5BCjYGY7B+zJopqQgDvlIRTdJzAhQe3ZRuJFXKupVpJ+pEx56bo/memAf+BBZgIXChFrYadqze90rMmlw0D5V3L3lmTnqjoniXTXj5QoHh2f873qFAQ72+fSNlJCkasNavSiXKWVPcS3xMmgfiaffkqdO6pte1m/IgevKkKfciIOBbKskgsTZdy9iPGdELLH1wMzO45+vX3h2ATy/v5Hqq/yWlrDbvFFUKoaCb6n7/5O3MhaLwa78Uk09Dvbno2Wb8C5BBZlXBZ/BSooosDFUG/2IG8nKM+FrHJvtwgugCGa3ZQYKQr6iJ9g6tN83YRTEgKTCsZPnSNg+vXSBAib5ABHl8z7oHVB2hJFBnEn7Im99b/GRsCRD+/y9Y+4wF8nzznJgSrqInM59//EJHmwOWrHzSIpyV+cY67cCUXlkYB/ufx510XtEjijr2SOJXKmdAmme0EICkP/LY80Yrsoz2ee/A6w6ZP3HDHuxUVNeGNJvdoFhIyt9pEiRBwl7K2XKYCh/lRiE6E19EM6SmwplEM0+uAWTY+NUKZba2JSqFZLMlBFfWSLHgOHFLPatkZRUTkoNa4BOhtUlAYfuN/uHHimnL7H4O814OnjU5exqHca63VkDDhA==,iv:YT0ZN/Rt6CbMSFU1wZDbrenlwXCh7e4C06YbVL5J/VU=,tag:BqVtzOC1ViEkHHTXbgDJHw==,type:str]
-valinor_wg_priv: ENC[AES256_GCM,data:1izZF+6G2Uc2MRBH56A07lexZEkyOiiFI4zltyoZco0+Y9EPhH1nJ4sWzs0=,iv:OIBIQvMsrq93/o0r8V6eSzfU63xtCzgQFf8NKXsjRk0=,tag:wdcQOfdaoxe7Vw0QWmngwA==,type:str]
-valinor_wg_pub: ENC[AES256_GCM,data:noAhVF91HUwpU3lHl4knlmGkV0Zjbuc4TQhFhF7HjCbv1hdSycO17TDfgcw=,iv:82v169pOoCOwnOaqPTOMvtvOUJJEcXjPI9BzogC+UaI=,tag:NHIcOYD5mSnZ6kwZBAnXGg==,type:str]
-iriy_ssh_priv: ENC[AES256_GCM,data:tLViFTWE62aJ7sCHVs2OxqewFI4QQVEoMdWV6l26FBFlbP9sQC0IWhtwkYVeQ7yFRlEjiB2RWcxG9KkLZm55JqAG6dX6AocG341u68PPWgcWYxYxI2056e/NYN2dlNE9SX0ImkT41/zQIG4b/7xRsFlBKJ0LUpbzWg6Bmo1Giu66NZhLLIkVRPqH7KzvUlyBiCAiIuMlVIBomxKwmeNn3SnaVDrfCbqhXwiJvGHZE09mtZnZMVd9vIo89+4PReykVUjEI04QhnSzv+ET62yw1AOk4k7yBWykhMi+KirlNL8qoHY/HSOaqndQpHc/GzCjClcWHeBjsouTnqx7YjZ77WpiVKuFIVNK18fZIwxIqW0cwftJpfMTlOfGIhfAjIebxOc1G7tAON7BWSZQNBtM9aQ5qmF5wwYKj1m2NxtqzD6Vwhd2XubgzFPCssYs/WZcF4NeJwYE9077NrMeLjE+kP8d7IJKwDuXTA0zldFaRURzKCy+NFnHIle/Bw5V08w/FeJsWAT7SeJM2V9yGYaysBTly2eh0YtW0vHdoijhZQ95jAD9ixfHiZ2Uz60F5L2s8DJ58i46OShT6ItJ98NeSxFT/cOIZQ7jd7mxmgZdQc4uXBk2ly9zlF86gti9MLdvbugkfLKnrCoHLec/g5wWyowRfriDgqzFgzcj0tGshhLr/Y7GsIj6ZzMCbHPhEz9oEqUR7tVmBXfyEisCBdujYaUByl9EgTnLx505LpuaqYJuiPq7YULCndye3EHdQWSiVQA6ncPpcqnKgAyqsBlRXa/2dsr4XJmdIOHTRQ11m+8jJ9R6gmiGIdjj7hq/kr9tCZWPSF/Idz2ml04nw9zjlroeq2CmiPAVskKmJohpWvrD+J5tz6pQSITbiQWnq+W2/7BT5LvkIewwegyckP2hvCpnsHvT1llD6gzf5kNkoNvHnrFOjPa83WLPUO20rykyuD1+5s04vw4j2+tcKEll54kB757yWUdn7af+vs7uvthc2Wen1vXXPHoZnDVDddO2vDsNMRCl1w6NE9Ey+bsLhgZ5hwvwi+i/cGg6XHoFtRMS8PKk7kpRqS5oTMxbhI6uVy2BLz2Mtot6VxA29NV9fngxoD6VU8bcen8P6Tt+QJs9FqN5Pik3mLuaZEp8xiarSe8vDoLHv+UZVLFgDc+6LegYUttM0vHf3oKBHSX8qduJOZrZ2UlgcU4b2AKfGkpRVg4tKb73kCZi8D9R9aMA3grMK2mEPGKjqoT0DbOa+CCpC3DGUg2LkZl4jvFMfX82lU86cQscnHNh0ajFgmxmmmrDiLVpZLRroslEntuvXmj3lQgZmsyrGdQ3Wy7W2TvcbqcEt095hU9jJu1dlj73ofP+ltxxF706//OU1ToTqKOoPXhwQNmGhHLdBOflyXy/SMF5Ymvelc6FI6ct9h7y8P955ZyX/IFurX0/XUvuxtDqb8xq5Jm378W8Wuh9Zq0FRwfcagEUMo8auqzVOSHx9yB60qsLoi3WEH54/CClwOelvDhD1nCQ9Dxr4oYmfIiRUcvYDlCvgwc8ZKWb+8eTTA7+aVEZ9HhIhV2yovykYcWE8hPFUITA6lUhdEtUotq4T9UofJ8S79U6DFCUX1BdMYGKSMxOPuQ0liviVh2pnXIN+4DH0OOz828dGmb21ClkwT+kvA/80XeSxrU59XT1IGRoNjPCRxZzuLnsfCA5rrIarz8y3gbL+CFY4rsoPTWfqWR8HUg7pUapdG/FiW4HCfK+BwtLowaxyF0Kj+eTf+1EPx7ReYiHo6Yzes3XVPJid0e/DRkKqpEHSv/xQssQlq3Zqxfjg6DsTQ/dpA05VSZowe4VxouVpV2kib0HZQt77AtR1y9bznED7BDM4X2f95PiRMeYKvSqCHkhakrMCmPlboFJn5vpsvlf/k3v3zpADfwvx5DZWhRYg9WfmG2XSEXrdIHKcDqQME4Ka/yHNBvYuI3SYvrUusZcxjqPXctSRCGGEd9zfGbkA01BQ2anA/xLvWQMzgnKDHRLpQ2cQcEUi3nrrODHaYu/myo5XJDMncPVUidfC/XrnqlalnI3MD1o58fBV7UA4AO2aLEZf/59Qp6NtdUQBppdNiFqXBP3841hAg6W991Lau24S8Z5e7zAjfu/16JYA/M1NeqSkLQOFVibs6SJRIkPm4JPw+sBAwPLmZyjvlbYdk6686vRa4Ibnl3WkaozIqpioyLyujwNfv2OAK6dN26PT+xM7L/3s5xhP0K5TFDKyzqvjjI0uFP07h+xiXZuEl7nP3EfzWT8/il4aSr284vZ9Aqd0FsgfuNPuo+A12aUBmSUjuy/ComwB+/vxbkNlWtMPvkCfdS1eXImigxm5IVQ30Ba3gNTmPQhUUw0AkQPd68g5PZDN0iIx4APhXOowBUEAy/YNTGC2MHUDGo3lWNXEBbE457x/Kq/CleDlHHG2lBAPBHBC+HxdsnyvaF15cmg69IIM5YU08cILY1sxQVDXhIWBlKg9pjZU9BJVR6cdRAXccL6XXRD3P5rJUkyBS6SmTmkXnQetrrQVt07lzfApSErslPqaIGEAuPTT7brQFylvi0eWo2mXDF9oBr1BGTUEGaswz8q8DUuBXA0U3apJoFoDQbJk0uRwv0CrdK9kjGHzf4wntf3qNc6fH0foEvpMaLxsBUyvL2+2WZYNz2+rDjgOtNO5yAd4ILL4JqZKcNr1zymEtFU4WGTOHUeT7no345NZjoTn88Y+12ApWd1NtPkLfpAkuogAJOUK6LCgLPRDQIkzagGCWjDmfbc18LM2MV/4Us1TdfBzENmTHCsLDhIy7Y6fIwteJ5oUuWhTeB+MdFSO/WBhS/v1rjHfE75GXvQBZrlkknKaDwS1sJaet/0OBSWK61Sk2821V9E6qSS6U0qSNQbwlVjG4JMCXsNITICTR+uTa2cUk+PiDe6uZohu3M2B8FiiH9/XNKpyywxhCWjz9K+rt59tiHO7MbPCG7Lzi86BtEIZ2B6fFfhCdooZTE4oelhitnH3R4LXUc8kiJ6KPFINbf6yEGnskYP+aEy/3XfR1Miw3LG6+FVTvldDy5EmInPv7Dw8K074imghLYkvcuWtj6qMo+EI4rGoH39OPhqyd3tDgKVDEWOHKE3Ictt2Ci4cxedS/NieqxZf5tUHiO3YZoYyylJcJ5mU0HoVFhtfmg/GsK5mywmt6B20x8XyMBMLolcWYNMzdWgPQ1ieKb87tCgNRIOnPuwZcUGq+L+cLpRR4yhfSYPPao4dG0dxsEQJiSHnRDea71bR7URhJeo6aanwnulYwsuhji+3+XFoY+2e8wrEoJG38se1tafnd1dQHpvfiEYKTSCYuHG3uZWHvlHW06YrAwnrQrMOs+dquuQhMLK4wlsjg0MzsEZRkZ/JopxVRkjS0N1UVDQuzIZMqf6gKoiUVaC5BsjhTwcYQrMx/DFhAnhL2iGwJfuEQrrIjNVz7FLPQ==,iv:cM6fDDPdHQ0Xamv41gKvCQ3Oh70hCRaijXLA8n2rEEA=,tag:7CsbqkiNGv7W5lCrPK3CmQ==,type:str]
-iriy_ssh_pub: ENC[AES256_GCM,data:zjET00BIFhSI3/3bHO9d99VZLNqpGwWYuqhFvZAk6hYejOFRReCn3WKxXwEJh/IS8PYw1ARnj8DOpfYoRwhdofg+ap2/XMLE858B2cmgGQE5XZNftUryjmBV/WpWVECmAa/Dd6w71MACqZ9TDnt8Kkg5c0jtiGT7zg62/gMcjm/k531y1NDi4e8Jf7MFN9A/5nMpVDCpspZe42N2Lv+w0M2lhDrP4bjYTE9p7Klo27C7lt3vGahlNAjQBvx3o+309+4bSnE2hwTUkgwjN8YPx9qpV8v5XAfPEA3Syz4Qmhi6YpDnEsNPIVrmuGdNhrnprDQHJ8G04bHv51DXURf7Wtf8HSQUNVWXJoGb1jw5xzyiYEBB1Cu6VrRRHytQGtMMbQsIldoW7ISSo1jzRIPWJRMCYrY/4fneoALAXPN6u6VsYM+wtO6/1+A02KIz4uhHvt9c+iv2BNiJrwgHSdH2aY3JaOLEAI+wVQaf47WBfPIjfTzYsDx+kDNiflmBhENNWSqRnrXXLiAG0oVbbz0iuzA+C6w/gNc/t4L4foiMbeF3m9jVfFm3LrCmR1FJrGeA7ZSUAEQ6v55an+IbDMv7P9lUxgd7rsCj2M0elG2iDizV9vziFPOSJkplqzygxXZdo+In0pmRHUfWj06epacZjNdDxJHrakfhmWpGBvrwYRRp4/5p7/k2CToqj6UqedYen0S8M09JseHjNndr9/Oe2yJZYlzRhfq0ZDB1pzdVIiePcQ==,iv:nWWm3vecA7c5pv8bYrjjZk3VLHjKJI7c7ZPkK+pUqU4=,tag:Gfa5Izk6I3s/spA3GkXufQ==,type:str]
-iriy_wg_priv: ENC[AES256_GCM,data:inng2niJrTXF3ld2T5Xs9t/64oDC8haJhpK1Iajpc60hMHWbenpqGRis7NM=,iv:E/cW6iwjbC3iKulvgBD5vXsjxh9A6nGO7Acr2DXAQps=,tag:CfHqE8u87xGDkzArZg3BnA==,type:str]
-iriy_wg_pub: ENC[AES256_GCM,data:/4yPr9+NKyU/84L1heVhVa5Mzu6/9bTRciL4V8v31J99Fh5ratZDufNt8AY=,iv:1PzTUsgt1YQPQAywSQqBUVm08++EA9rTdQF/puRJMs8=,tag:ew+bmkZmlj74/mzdBPiSDA==,type:str]
-avalon_ssh_priv: ENC[AES256_GCM,data:wTAQKXU=,iv:7x+5AnmbNde6lsr+y5MlkR7KoaOUSCGTCVwLECYxPHI=,tag:DkrosVUFtURFBuqQI0LxaQ==,type:bool]
-avalon_ssh_pub: ENC[AES256_GCM,data:22S09ak=,iv:Q5SU6BQw9j4HMyohQorIeNwGL0xLx8erm10gvPpHmCc=,tag:o02ZcLBSz35sqY9INyOMRw==,type:bool]
-avalon_wg_priv: ENC[AES256_GCM,data:Urf0hCzMoyo3IiV+0zhiHGhh3vfinrMAFbX9JwFgkXiW+3+AXN2b1b785JE=,iv:TV0zwPssXOEVSxiVo0jZwFCmZJiTSXXXctFXFX0H97s=,tag:YDNaw6dRBcbyMSjXTRIJmw==,type:str]
-avalon_wg_pub: ENC[AES256_GCM,data:Lc8LIn3UX6mpN8WWum18OVI5LWjBLoW2Qles4Bv/cKP6yOfKTLXPkAYzmFU=,iv:P3UJr5aHkW07HVH0oy500HdsumZpcwwuRdRKx/Efgjo=,tag:U9G9Ja+7mS1x6no+MVptiQ==,type:str]
-asgard_ssh_priv: ENC[AES256_GCM,data:PflBgd0=,iv:OvKG6iGAtvcx7Nw/CT3mJos69ECG0k5CasZMzg/xWo8=,tag:X9iQY/nDBb5Dz9a+rnN9Rg==,type:bool]
-asgard_ssh_pub: ENC[AES256_GCM,data:+M50sSY=,iv:fWVBRPlz/ACENHhOJ5zabu0eqOAAH/AH9+HBqUZZQU8=,tag:UPdE0aLWnhj/zlXpKbdoGw==,type:bool]
-asgard_wg_priv: ENC[AES256_GCM,data:YxlKrwQ=,iv:1xnNKjzkJ0KPglLQy35i3FZ6kaJIgf7u0vT4aciDQI8=,tag:Jg5a/215Ifxj/XXMkSHwMg==,type:bool]
-asgard_wg_pub: ENC[AES256_GCM,data:7ojknU8=,iv:Rk2otESlMbnVItBS0Xo2JeoSjOiDusUnsMVMw9/4oU4=,tag:FD0S6AfDfvVgvgy0coF/Uw==,type:bool]
-efir_ssh_priv: ENC[AES256_GCM,data:lfC0LrU=,iv:QCNZWYj1bokbZwVbPanuWzljwTv8k1yRvJJYzXiffRw=,tag:1r0myqf+wk0paT3ODStB6A==,type:bool]
-efir_ssh_pub: ENC[AES256_GCM,data:s2CtFco=,iv:5ckMLWh/OrANzuN7dChi87jJqp8ulbTuhefteVijVeU=,tag:0Ojvf/u6Vs0tKiPzLnaHuQ==,type:bool]
-efir_wg_priv: ENC[AES256_GCM,data:jxmtVME=,iv:4SJC/lexF/oxgZp4QDAA+MhLU50K6G7g4IgQmbXl81s=,tag:wC7h+uCgBfGFynIZlyaOng==,type:bool]
-efir_wg_pub: ENC[AES256_GCM,data:lYCUem4=,iv:FmIo/U0Zo9O2pbiehLLbTe9bWKzRRjEJHP53zXPvhAU=,tag:nQKx887kvTKaoKIXTR+/EA==,type:bool]
-vpn_ssh_priv: ENC[AES256_GCM,data:RQhNAZg=,iv:PHdobW9HIEITGaIq86YbOFhyf7OTeTzhgjWVKo0YgNs=,tag:EhSAJz8N2OAuHC7sbvBj+w==,type:bool]
-vpn_ssh_pub: ENC[AES256_GCM,data:K7+ZMxQ=,iv:xp1ghLqP5sk91feAIxC1JpHOkCzBfYBO9rHW9ghfqAM=,tag:eX8s7hGITevnerFo1VpfRg==,type:bool]
-vpn_wg_priv: ENC[AES256_GCM,data:YS2NMqSZdH6gTQq89sWNLna6sLFIzR+uDFurFP1s+3Pe1+QP/SAiX81PZfc=,iv:Ovm3ir8ia5793yYPsKrscpqc4A6B6r270hpx9pWmR1o=,tag:asWYQrENr5ip8kHdb2mkYw==,type:str]
-vpn_wg_pub: ENC[AES256_GCM,data:orLTPlTD5Y6bimDcc+BFJytQFER2POfgcOFEk6zcKkvuq/GyU8bKgKLxuyM=,iv:TVHw+yVhlDJFz/8HYqI3qT85hGzgx+3Bj7mT0mr3dFE=,tag:EKDs8gE8RJMGQVfcYLj9Jw==,type:str]
-pgp_key: ENC[AES256_GCM,data:nEMur/Uq,iv:2KXW/AAAWDX09Ich2S6LQ7618ZBAY61KZcGkIabqCLs=,tag:Q7o8fz3dFFuqeMpzu9U/Fg==,type:str]
-wifi: ENC[AES256_GCM,data:Zw1jPS/bDDXuwk+0TV8qGwWgdQp8XcDX254lwByLLyf5YCGdBIxYWdTDkIggxHSgSmovg7TwQnIYcxvpqjzm0/nbaHiRvm1tBnO9KIKs0nQhnIdNmjxGXpW9Nv9ZGrTp9/ymNNbG3AxHUT74Eemy09jP+k3h5AsVuCMsMYv2y1Hj9O6CTzV+yU9+WmqCZaTX0PnyVRGYkhcHYTZM0V7I0zZbS5Uzk6AHXVmdTT0KL/1OJ3UlRAQbYMyYJM8gAOXLub6U3nCREBVIl9DydniWy2YTqKWeJcMTPe5JGDdPaUzOSTxNKVm0C1jkIOyfCgHMZfVlfAMXsDpbi9kl6Bwb41R2uS/w1VNCUUtnD9TJ29pdOW6sqEApbdbXri/P7ZK5ogGUhei8+Se1WJNmV/cKii7YYQpWCuGj1PKUj2NLel6loDO2+bps0ejWOkQgPED5tT0rn9Wst2SQKA6wMVjCB6vrry973Hhp4oi9jZ5b3eLnIg1G95JVT/O/2ygS4PLsS+GH8a7OzL2Vy1kYisphuC8sFp6P/aY1ye6WLR0bjaLYUiXHP95RUEDAwbPP4dwPCpsQSRdAqllWJ51c7GIb+nHOQSlDVNurQhbJXH0SD7o6yTKiEeSXoUt4q5oFSJ8GRFYOf8s7+cluKUUv8y306qHj/rh97benRxUTWmAL5/Nn/v6lez6WIhoNaD+MFg1/e5CjnaozOGXx3Ew6ZyI/avKwVk+ni+/o2+HmxTCKShpH5F7eZb3FMmgzIQNM+3C884GehtM1ffZmLlWOZN+nM+Uq3pQ26jgS3aV4AkgCHsNq+Xq+qnOaS2ocl3u/X9hQNoFqbyoS7nbcH9NMjU8NA4XhX922ij5QANj9I0sGlqI3EQ2zZV9zx2YcpY1qMjoMZXA1g0nIfCd63SWa8l8j/FuUbDknE2meFGqgGdvg2YPrgz0CINeKNwkg82xY1bUQMmkUQSyZV5X4Hs810P4IZIIypsyalEiNoS1VegUtG4a4xDLk6ZCXdhxV8bFbBHDdm9t87G0WCc+dyDZo6gvEQQ1gBBAQ3A==,iv:5mBedTqbzgrLUZ4HZGBrz+h3JAT7DUIP++TI+5j7/M8=,tag:XAWSPoSGepULdfn0W/StzQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraWFDRFUxQ2l5OWV1OXNK
-            UExEbWZkM0kzVk1rZG4yY3pBLzdMVWVJS0UwCnhlWFJ5T2lZUXJyNkg1ejQxaU1t
-            L3F2RUhldTY3N2xXL0hwczNKRzNjcncKLS0tIEkycHoxcDBGNyt2V3RDY29wNGVp
-            TGg5Rk05VkRsaXM1Q0NxMmtMajRORDAKqjFldiAYJKjmnkeDkwanjYvhL6645DZ5
-            dVXExjqO/DG733ge8HFyKzpfpkzRymV1giUwxBdII1dd0mJ2ncINeA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UkRjblIvYStZUzQyRHA1
-            ZGVXeHhrN0kyVkxZdms5U3gwVFlPMW12MVJjCjRkVURpZXBzb0tYenB4dGxKamh6
-            VXVBMmo1Ujkvd2VTRExyWE5MbVJaclUKLS0tIDVhRkYzZmEzUG00Q2IwOWZUMVVt
-            ODVIbytpcjN1cVMyaG1qVVdkRmtaMzQKNsvD9DpK/raDBob+IcuNk72tQDts36kJ
-            QhtoLy8MvUymi49PdEWrgyf68w5XwRO/U4iINhR0qzm0glg/XcyHjA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJc3hKWkk3ckNOY2UyTVhG
-            MmtLaEd0K04yaGxiOUoxMXkzOEFnYis4VkhnCktDRFM2bS8vb05OWDdwa0RwRlNO
-            cmlZemtxVGZ6S0tNTDV1cmE1N0pVWnMKLS0tIE9EZllycHJpcEY2R1pwOFhOZEU3
-            L01IcytDd3BPb0VOTW9DQ2lUdUVJS0kKiD+C+3mK1b/eIwCEFanFgYGLNk3JNPQ7
-            i1UqzbHVxSd0q/YVwdKAcj0jA6EezGm275tgq7IVsy2sHkvRMaEDtQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweVU3TkxFZzRnd2I2clN2
-            ZTlTWmhwQkhVc1hnOXFvZVVDSWpHMVh1TGtrCkc3M1pUTnZCMHpvYXB5ZVhreGxa
-            ZVY2cG5Ja2ltL3k2Q1VEalc5TTNFMXcKLS0tIGd5UWl0RGVXT211Zm51dlB6WFZ1
-            STRtTVpVTCtVZ1FUNENqWFFVNTNuaVUKN6HRiZjTdENeif8dJ29urBxPXDaosjjY
-            InN4Ko6YUaGfvB1DTrKIzrxOpsHS+XjisoGfT71tJwwEOoREklEO/A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-18T07:35:26Z"
-    mac: ENC[AES256_GCM,data:jnLJi3ZhQfeLO/GmOnUL/HuWoet83V79GGZzoqxWeImQDN9jjSAqrRPULPAREHFD+hc+n2JAW7MZrZD86jcFFy2F+wGhcDAY+25dV6d2CSi34u/dBG5ETHsn/rRV5aAOQWldna/CEpnyi69Oz/oJcQrkHDyeUWsFG/ele6aPmB4=,iv:z+zSX9W/exvEJa37VlFBJ6S2173x7KQ6qnwZw/QAp7A=,tag:ge9klDIulMFv8Szjj6+gzw==,type:str]
-    pgp:
-        - created_at: "2023-04-20T10:20:17Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            wcFMA6R3Y9nD7qMBAQ/8CVWQaYKfOzvPIllZyyWpUjHRLLXaR8MNJ8U5WI/tdwdN
-            9UScDYJFuYRW7Q9s4Mt961kBGpaHqe9MUZBxUDlYX59+EN3FbO/eMQ5OqI05ESmL
-            TvZB4+S9C5o73nuypSDNvYz+Lgq6DO25ZPhXdtPhx2DE4G31/wft/LpxhjalIjI8
-            MU0Dv22R4qC+glJbe4GIF2IJ8XoxnnzjiGeSqiyv0QIBM0SzOtA5sKwNohWBnW7g
-            7vxOTm5+kyzG0dDjt3tFApgPDaA1wjofzhRuuveF52VBsuIA2opFdpqkyICvK6rn
-            NB5kUaPlY6A0m+n0oHSfY5wm/AnHNE4Oob/ifumAaB0EAJVUTRauI5M8SeJF0ya1
-            U0IQ9N2lb7Y6q4pqHywIa6fnylsqCfxInAYKMuslRq8f9t/qakb4/MYcnPrwpzjw
-            73/naiNoJmG6NVTkM52qTtOqZAmsaQd5cigTuPW2Z2CJq1yLZEVGSSd1DUGUjBDK
-            nQGucpVVVpD+ifrIPz+Iqwy+5NoZZm/Oa9pKJGFzqXinnDNZaqtgpmTw9QxcSeaP
-            VvGZG9CDd89MtAm1VQyuqi1bQ2faq3G0xNrLl7xUsfmjx4ofW+JXR87OzvGfLPhu
-            Sjl3kS9j5/MEBRBg3n9gNkgSu5Sy3ilhckY3yjTgAT9Gw2giDhCiUXi1/7KrGprS
-            UQHPCSsjyWsyuYVa3lAP/WPdVclc4WOdfYcetUCXBVP7LQr0bq+IG+2J0nnY3mDt
-            Va5k4sP1qu6Ecrs2JioQ1V2H+VmcrRykBWnMXl1tDSWKMA==
-            =pS8X
-            -----END PGP MESSAGE-----
-          fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

modules/nixos/system/security/sops/default.nix

@@ -1,26 +0,0 @@
-{ config, pkgs, ... }:
-let keyFilePath = "/var/lib/sops-nix/age-key.txt";
-in {
-  sops.defaultSopsFile = ./common.yaml;
-  sops.age.keyFile = keyFilePath;
-  sops.age.generateKey = true;
-
-  sops.secrets.wifi = { };
-
-  sops.secrets."${config.hostcfg.hostname}_ssh_priv" = {
-    mode = "0400";
-    owner = config.users.users.sora.name;
-    group = config.users.users.sora.group;
-  };
-  sops.secrets."${config.hostcfg.hostname}_ssh_pub" = {
-    mode = "0400";
-    owner = config.users.users.sora.name;
-    group = config.users.users.sora.group;
-  };
-  sops.secrets."${config.hostcfg.hostname}_wg_priv" = { };
-  sops.secrets."${config.hostcfg.hostname}_wg_pub" = { };
-
-  environment.systemPackages = with pkgs; [ sops ];
-  environment.sessionVariables.OPS_AGE_KEY_FILE = keyFilePath;
-
-}

modules/nixos/system/security/ssh/default.nix

@@ -2,7 +2,7 @@
   programs.ssh = {
     extraConfig = ''
       IdentityFile ${
-        config.sops.secrets."${config.hostcfg.hostname}_ssh_priv".path
+        config.sops.secrets."${config.syscfg.hostname}_ssh_priv".path
       }
     '';
   };

modules/nixos/system/xdg/default.nix

@@ -1,5 +1,6 @@
-{ pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
-
+  config = lib.mkMerge [
+    (lib.mkIf (config.syscfg.make.gui) {
       xdg.portal = {
         enable = true;
         # wlr.enable = true;
@@ -14,18 +15,23 @@
         GBM_BACKEND = "amd-drm";
         __GL_GSYNC_ALLOWED = "0";
         __GL_VRR_ALLOWED = "1";
-    WLR_DRM_NO_ATOMIC = "1";
         __GLX_VENDOR_LIBRARY_NAME = "amd";
+        WLR_DRM_NO_ATOMIC = "1";
         _JAVA_AWT_WM_NONREPARENTING = "1";
         QT_QPA_PLATFORM = "wayland";
         QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
-    GDK_BACKEND = "wayland";
+        # GDK_BACKEND = "wayland";
         WLR_NO_HARDWARE_CURSORS = "1";
         MOZ_ENABLE_WAYLAND = "1";
-    WLR_BACKEND = "vulkan";
+        # WLR_BACKEND = "vulkan";
-    WLR_RENDERER = "vulkan";
+        # WLR_RENDERER = "vulkan";
         XCURSOR_SIZE = "24";
         NIXOS_OZONE_WL = "1";
+      };
+    })
+    ({
+
+      environment.sessionVariables = rec {
         PATH = [ "$HOME/.local/bin/:$PATH" ];
         XDG_CACHE_HOME = "$HOME/.cache";
         XDG_CONFIG_HOME = "$HOME/.config";
@@ -57,4 +63,6 @@
         XDG_TEMPLATES_DIR="$HOME/media/templates"
         XDG_VIDEOS_DIR="$HOME/media/video"
       '';
+    })
+  ];
 }

modules/nixos/tools/debug/default.nix

@@ -1,6 +1,12 @@
-{ pkgs, config, ... }: {
+{ pkgs, config, lib, ... }: {
+
+  config = lib.mkIf (config.syscfg.make.develop) {
     programs.adb.enable = true;
+    # services.udev.packages = [
+    #   pkgs.android-udev-rules
+    # ];
     programs.wireshark.enable = true;
 
     environment.systemPackages = with pkgs; [ wget dconf wireshark ];
+  };
 }

modules/nixos/tools/default.nix

@@ -1 +1,64 @@
-{ ... }: { imports = [ ./debug ./develop ]; }
+{ pkgs, ... }: {
+  imports = [ ./debug ./develop ];
+
+  # services.telegraf = {
+  #     enable = true;
+  #     extraConfig = {
+  #         agent = {
+  #             interval = "10s";
+  #             round_interval = true;
+  #             metric_batch_size = 1000;
+  #             metric_buffer_limit = 10000;
+  #             collection_jitter = "0s";
+  #             flush_interval = "10s";
+  #             flush_jitter = "0s";
+  #             precision = "";
+  #             hostname = "valinor";
+  #             omit_hostname = false;
+  #         };
+
+  #         inputs.cpu = {
+  #             percpu = true;
+  #             totalcpu = true;
+  #             collect_cpu_time = false;
+  #             report_active = false;
+  #         };
+
+  #         inputs.mem = {};
+  #         inputs.swap = {};
+  #         inputs.system = {};
+  #         inputs.disk = {
+  #             ignore_fs = ["tmpfs" "devtmpfs" "devfs"];
+  #         };
+
+  #         inputs.net = {};
+  #         inputs.netstat = {};
+
+  #         inputs.ping = {
+  #             urls = ["8.8.8.8" "8.8.4.4"];
+  #             count = 4;
+  #             interval = "60s";
+  #             binary = "${pkgs.iputils.out}/bin/ping";
+  #         };
+
+  #         inputs.internet_speed = {
+  #             interval = "2m";
+  #         };
+
+  #         inputs.net_response = {
+  #             protocol = "tcp";
+  #             address = "google.com:80";
+  #             timeout = "5s";
+  #             read_timeout = "5s";
+  #             interval = "30s";
+  #         };
+
+  #         outputs.influxdb_v2 = {
+  #             urls = [""];
+  #             token = "";
+  #             organization = "";
+  #             bucket = "";
+  #         };
+  #     };
+  # };
+}

modules/nixos/tools/develop/default.nix

@@ -6,10 +6,13 @@ let
     includeEmulator = false;
   };
 in {
-  config = lib.mkIf (config.hostcfg.make.develop) {
+
-    environment.systemPackages = with pkgs; [
+  imports = [ ./ollama ];
-      android-tools
+  config = lib.mkIf (config.syscfg.make.develop) {
-      androidStudioPackages.stable
+    environment.systemPackages = with pkgs;
+      [
+        # android-tools
+        unstable.androidStudioPackages.canary
       ];
   };
 }

modules/nixos/tools/develop/ollama/default.nix

@@ -0,0 +1,16 @@
+{ lib, config, pkgs, ... }: 
+let 
+ ollamaPkg = pkgs.ollama-rocm;
+in{
+
+  config = lib.mkIf (config.syscfg.make.develop) {
+    services.ollama = {
+        enable = true;
+        package = ollamaPkg;
+        acceleration = "rocm"; 
+        loadModels = [ "deepseek-v2:lite" "qwen2.5-coder:7b" "qwen2.5-coder:1.5b" ];
+        syncModels = true;
+    };
+    environment.systemPackages = with pkgs; [ ollamaPkg ];
+  };
+}

modules/nixos/users/default.nix

@@ -1,13 +1,17 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, lib, ... }:
+let nameValuePair = name: value: { inherit name value; };
+in {
   programs.zsh.enable = true;
   users = {
     defaultUserShell = pkgs.zsh;
-    users.${config.hostcfg.username} = {
+    users = builtins.listToAttrs (map (userConfig:
+      nameValuePair userConfig.username {
         isNormalUser = true;
-      description = "${config.hostcfg.username}";
+        description = "${userConfig.username}";
         extraGroups = [
           "networkmanager"
           "wheel"
+          "dialout"
           "vboxsf"
           "adbusers"
           "libvirtd"
@@ -16,8 +20,10 @@
           "audio"
           "video"
           "docker"
+          "podman"
           "wireshark"
+          "gamemode"
         ];
-    };
+      }) config.syscfg.users);
   };
 }

modules/server/containers/apps/.template.nix

@@ -0,0 +1,46 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "EXAMPLE";
+    tag = "0.0.0";
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "echo 1" ];
+      ExposedPorts = {  };
+    };
+  };
+  templateData = builder.mkData { name = "template"; dir = "template"; vars = {
+      _ARGUMENT = "template";
+    };
+  };
+in {
+  sops = false;
+  db = false;
+  paths = [{
+    path="${serverCfg.configPath}/example/";
+    mode = "0444";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8080;
+      secret = name;
+      extraEnv = { };
+      overrides = {
+        cmd = [ ];
+        volumes = [ ];
+       };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."EXAMPLE".path;
+    script = pkgs.writeShellScript "setup" ''
+      ...
+    '';
+  };
+}

modules/server/containers/apps/.todo.md

@@ -0,0 +1,7 @@
+# Missing
+
+RSS: TTRSS / FreshRSS
+Monitoring: Telegraf + InfluxDB
+https://github.com/tarampampam/error-pages ?
+
+- Transmission Cfg and API/Token handling

modules/server/containers/apps/authentik.nix

@@ -0,0 +1,111 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "2026.2.2";
+  serverCfg = config.syscfg.server;
+  authentikData = builder.mkData { 
+    name = "authentik"; dir = "authentik"; vars = {
+      AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
+      COOKIE_DOMAIN = "${serverCfg.domain}";
+      AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
+    } 
+    // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
+  };
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path="${serverCfg.configPath}/authentik/media";
+    owner = "1000:1000";
+    mode = "0755";
+  }{
+    path="${serverCfg.configPath}/authentik/templates";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "ghcr.io/goauthentik/server:${version}";
+      port = 9000;
+      secret = name;
+      extraEnv = {
+        AUTHENTIK_REDIS__HOST = builder.host;
+        AUTHENTIK_POSTGRESQL__HOST = builder.host;
+        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
+        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
+        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
+        AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
+        AUTHENTIK_EMAIL__PORT = "587";
+        AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
+        AUTHENTIK_EMAIL__USE_TLS = "true";
+        AUTHENTIK_EMAIL__USE_SSL = "false";
+        AUTHENTIK_EMAIL__TIMEOUT = "10";
+        AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
+        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+      };
+      overrides = {
+        cmd = [ "server" ];
+        volumes = [
+          "${serverCfg.configPath}/authentik/media:/media"
+          "${serverCfg.configPath}/authentik/templates:/templates"
+          "${authentikData}:/blueprints/custom:ro"
+        ];
+      };
+    };
+
+    worker = builder.mkContainer {
+      image = "ghcr.io/goauthentik/server:${version}";
+      secret = name;
+      extraEnv = {
+        AUTHENTIK_REDIS__HOST = builder.host;
+        AUTHENTIK_POSTGRESQL__HOST = builder.host;
+        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
+        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
+        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
+        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+      };
+      overrides = {
+        cmd = [ "worker" ];
+        volumes = [
+          "${serverCfg.configPath}/authentik/media:/media"
+          "${serverCfg.configPath}/authentik/templates:/templates"
+          "${authentikData}:/blueprints/custom:ro"
+        ];
+      };
+    };
+
+    ldap = builder.mkContainer {
+      image = "ghcr.io/goauthentik/ldap:${version}";
+      secret = name;
+      extraEnv = {
+        AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}"; 
+        AUTHENTIK_INSECURE = "false"; 
+      };
+    };
+  };
+
+  setup = {
+    trigger = "worker";
+    script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
+
+      $AK apply_blueprint /blueprints/custom/authentik.yaml
+      $AK apply_blueprint /blueprints/custom/traefik.yaml
+      $AK apply_blueprint /blueprints/custom/ldap.yaml
+
+      ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
+      ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
+      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
+      ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
+
+      echo "Completed Authentik Setup"
+      '';
+  };
+}

modules/server/containers/apps/collabora.nix

@@ -0,0 +1,34 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+version = "latest";
+serverCfg = config.syscfg.server;
+in {
+  sops = true;
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "collabora/code:${version}";
+      port = 9980;
+      secret = name;
+      extraEnv = {
+        "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
+        "server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
+        "username" = "collabora_user";
+        "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
+        "VIRTUAL_PORT" = "9980";
+        "VIRTUAL_PROTO" = "http";
+        "DONT_GEN_SSL_CERT" = "true";
+        "RESOLVE_TO_PROXY_IP" = "true";
+        "extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
+        "dictionaries" = "en fr de jp no";
+      };
+      
+      overrides = {
+        volumes = [
+          "${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
+          "${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
+        ];
+      };
+    };
+  };
+}

modules/server/containers/apps/ethercalc.nix

@@ -0,0 +1,39 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  ethercalc_exe = pkgs.ethercalc;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "ethercalc";
+    tag = ethercalc_exe.version;
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
+      ExposedPorts = { "8080/tcp" = {}; };
+    };
+  };
+in {
+  sops = true;
+  paths = [{
+    path="${serverCfg.dataPath}/ethercalc/";
+    mode = "0666";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8080;
+      secret = name;
+      extraEnv = {
+        ETHERCALC_PORT = "8080";
+        #CONNECT TO REDIS
+      };
+      overrides = {
+        volumes = [
+          "${serverCfg.dataPath}/ethercalc:/data"
+        ];
+       };
+    };
+  };
+}

modules/server/containers/apps/etherpad.nix

@@ -0,0 +1,124 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  etherpad_exe = pkgs.etherpad-lite;
+  settings = pkgs.writeText"settings.json" (builtins.toJSON {
+    title= "\${TITLE:Etherpad}";
+    showRecentPads = "\${SHOW_RECENT_PADS:true}";
+    favicon = "\${FAVICON:null}";
+    publicURL = "\${PUBLIC_URL:null}";
+    skinName = "\${SKIN_NAME:colibris}";
+    skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
+    ip = "\${IP:0.0.0.0}";
+    port = "\${PORT:9001}";
+    showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
+    enableMetrics = "\${ENABLE_METRICS:true}";
+    updates.tier = "off";
+    cleanup.enabled = false;
+    gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
+    authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
+    enableDarkMode = "\${ENABLE_DARK_MODE:true}";
+    enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
+    dbType = "\${DB_TYPE:dirty}";
+    dbSettings = {
+      host =       "\${DB_HOST:undefined}";
+      port =       "\${DB_PORT:undefined}";
+      database =   "\${DB_NAME:undefined}";
+      user =       "\${DB_USER:undefined}";
+      password =   "\${DB_PASS:undefined}";
+      charset =    "\${DB_CHARSET:undefined}";
+      filename =   "\${DB_FILENAME:var/dirty.db}";
+      collection = "\${DB_COLLECTION:undefined}";
+      url =        "\${DB_URL:undefined}";
+    };
+    defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
+    padOptions = {
+      noColors =         "\${PAD_OPTIONS_NO_COLORS:false}";
+      showControls =     "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
+      showChat =         "\${PAD_OPTIONS_SHOW_CHAT:true}";
+      showLineNumbers =  "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
+      useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
+      userName =         "\${PAD_OPTIONS_USER_NAME:null}";
+      userColor =        "\${PAD_OPTIONS_USER_COLOR:null}";
+      rtl =              "\${PAD_OPTIONS_RTL:false}";
+      alwaysShowChat =   "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
+      chatAndUsers =     "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
+      lang =             "\${PAD_OPTIONS_LANG:null}";
+      fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
+      enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
+    };
+
+    requireSession = "\${REQUIRE_SESSION:false}";
+    editOnly = "\${EDIT_ONLY:false}";
+    minify = "\${MINIFY:true}";
+    requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
+    requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
+    trustProxy = "\${TRUST_PROXY:true}";
+    ep_headerauth.username_header = "X-authentik-username";
+    users.admin = {
+      password = "\${ADMIN_PASSWORD:null}";
+      is_admin = true;
+    };
+    socketTransportProtocols = ["websocket" "polling"];
+    socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
+    indentationOnNewLine = true;
+
+    loglevel = "\${LOGLEVEL:INFO}";
+    lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
+  });
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "etherpad";
+    tag = etherpad_exe.version;
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
+      ExposedPorts = { "8080/tcp" = {}; };
+    };
+  };
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path="${serverCfg.configPath}/etherpad/";
+    mode = "0444";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8080;
+      secret = name;
+      extraEnv = {
+        TITLE = "Pad";
+        PORT ="8080";
+        DB_TYPE = "postgres";
+        DB_HOST = builder.host;
+        DB_NAME = "etherpad_db";
+        DB_USER = "etherpad_user";
+        TRUST_PROXY = "true";
+        DB_CHARSET = "utf8mb4";
+        DEFAULT_PAD_TEXT = "";
+        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
+        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
+        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+      };
+      overrides = {
+        cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
+        volumes = [
+          "${settings}:/etc/etherpad/settings.json"
+          "${serverCfg.configPath}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
+        ];
+       };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."ETHERPAD".path;
+    script = pkgs.writeShellScript "setup" ''
+      echo "$APIKEY" > ${serverCfg.configPath}/etherpad/APIKEY.txt
+      chmod 444 ${serverCfg.configPath}/etherpad/APIKEY.txt
+    '';
+  };
+}

modules/server/containers/apps/frigate.nix

@@ -0,0 +1,95 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  
+  # Ensure the package is available (Nixpkgs includes frigate)
+  frigatePkg = pkgs.frigate;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "frigate";
+    tag = frigatePkg.version;
+    contents = [ 
+      pkgs.bashInteractive 
+      frigatePkg
+      pkgs.ffmpeg # Explicitly included for video stream processing
+    ];
+    config = {
+      Entrypoint = [ "${frigatePkg}/bin/frigate" ];
+      Cmd = [ "start" ];
+      ExposedPorts = {
+        "5000/tcp" = {}; # Web UI / API
+        "8554/tcp" = {}; # RTSP Feeds
+        "8555/tcp" = {}; # WebRTC
+      };
+      Env = [
+        "FRIGATE_RTSP_PASSWORD=secret" # Base fallback, overridden by envFile/sops
+      ];
+    };
+  };
+in {
+  sops = true; # Enabled to safeguard sensitive camera RTSP stream credentials
+  db = false;  # Internal SQLite is used by default in Frigate
+
+  paths = [
+    {
+      path = "${serverCfg.configPath}/frigate/";
+      mode = "0755";
+    }
+    {
+      path = "/var/lib/frigate/storage/";
+      mode = "0755"; # Dedicated path for heavy video recordings and media
+    }
+  ];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 5000;
+      secret = name;
+      extraEnv = {
+        PLUS_API_KEY = ""; # Optional: For Frigate Plus users
+      };
+      overrides = {
+        cmd = [ ];
+        volumes = [
+          "${serverCfg.configPath}/frigate:/config"
+          "/var/lib/frigate/storage:/media/frigate"
+          "/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
+          "/dev/dri:/dev/dri"         # Passes Intel/AMD GPU for hardware video decoding
+        ];
+      };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."FRIGATE_ENV".path;
+    script = pkgs.writeShellScript "setup-frigate" ''
+      mkdir -p "${serverCfg.configPath}/frigate"
+      mkdir -p "/var/lib/frigate/storage"
+      
+      # Bootstrap a standard configuration layout if missing
+      if [ ! -f "${serverCfg.configPath}/frigate/config.yml" ]; then
+        cat <<EOF > "${serverCfg.configPath}/frigate/config.yml"
+mqtt:
+  enabled: False # Set to True and define host if connecting to Home Assistant
+
+database:
+  path: /config/frigate.db
+
+cameras:
+  dummy_camera: # Replace with your actual RTSP stream details
+    enabled: false
+    ffmpeg:
+      inputs:
+        - path: rtsp://127.0.0.1:554/live
+          roles:
+            - detect
+    detect:
+      enabled: false
+EOF
+      fi
+    '';
+  };
+}

modules/server/containers/apps/gitea.nix

@@ -0,0 +1,145 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "latest";
+  serverCfg = config.syscfg.server;
+
+  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path="${serverCfg.dataPath}/gitea/data";
+    owner = "1000:1000";
+    mode = "0755";
+  }{
+    path="${serverCfg.dataPath}/gitea/data-runner";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "gitea/gitea:${version}";
+      port = 8080;
+      secret = name;
+      
+      extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
+        GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
+        GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
+        GITEA__repository__DISABLE_STARS = "true";
+        GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
+        # GITEA__ui__THEMES = "";
+        # GITEA__ui__DEFAULT_THEME = "";
+
+        # GITEA__security__SECRET_KEY = "SECRET_ENV";
+        # GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
+        # GITEA__database__PASSWD = "SECRET_ENV";
+        # GITEA__mailer__PASSWD="SECRET_ENV";
+
+        GITEA__database__DB_TYPE = "postgres"; 
+        GITEA__database__HOST = builder.host;
+        GITEA__database__NAME = "gitea_db";
+        GITEA__database__USER = "gitea_user";
+
+
+        GITEA__mailer__ENABLED = "true";
+        GITEA__mailer__FROM = "";
+        GITEA__mailer__PROTOCOL = "smtps";
+        GITEA__mailer__SMTP_ADDR = "";
+        GITEA__mailer__SMTP_PORT = "";
+        GITEA__mailer__USER= "";
+
+        GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
+        GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
+        GITEA__server__PROTOCOL = "http";
+        GITEA__server__HTTP_PORT = "8080";
+        GITEA__server__LFS_START_SERVER = "true";
+        GITEA__security__INSTALL_LOCK = "true";
+
+      } // ( if serverCfg.containers?authentik then {
+        GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
+        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
+        GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
+        GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
+        GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
+        GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
+        GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
+        GITEA__security__RREVERSE_PROXY_LIMIT = "1";
+        GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
+      } else {});
+      extraLabels = {
+        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
+        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
+        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+      };
+
+      overrides = {
+        volumes = [
+          "${serverCfg.dataPath}/gitea/data:/data"
+        ];
+        ports = [ "2222:22" ]; 
+      };
+    };
+
+    runner = builder.mkContainer {
+      image = "gitea/act_runner:${version}";
+      secret = name;
+      extraEnv = { 
+        CONFIG_FILE="/data/config.yml";
+        GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
+        GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
+      };
+
+      overrides = {
+        volumes = [
+          "${serverCfg.dataPath}/gitea/data-runner:/data"
+          "/var/run/podman/podman.sock:/var/run/docker.sock"
+        ];
+        # ports = [ "8088:8088" ]; 
+      };
+    };
+  };
+
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."CUSTOM".path;
+    script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
+      GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
+
+      $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
+
+      touch ${serverCfg.dataPath}/gitea/data-runner/config.yml
+
+      RUNNER_TOKEN=$($GT actions generate-runner-token)
+      $GTR register \
+        --instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
+        --token "$RUNNER_TOKEN" \
+        --name "Runner" \
+        --labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
+        --no-interactive
+
+
+      ${lib.optionalString (serverCfg.containers ? authentik) ''
+      $GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
+          --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
+          --user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
+          --user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
+          --admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
+          --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
+          --synchronize-users
+      ''}
+
+
+      echo "Completed Gitea Setup"
+      '';
+  };
+}

modules/server/containers/apps/handbrake.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/homeassistant.nix

@@ -0,0 +1,43 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.home-assistant.name;
+    tag = pkgs.home-assistant.version;
+    contents = [  ];
+    config = {
+      Entrypoint = [ "${pkgs.home-assistant}/bin/hass" ];
+      ExposedPorts = {
+        "8123/tcp" = {};
+      };
+    };
+  };
+in {
+  sops = true;
+  db = false;
+  
+  paths = [{
+    path = "${serverCfg.configPath}/homeassistant/";
+    mode = "0755"; 
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8123;
+      secret = name;
+      extraEnv = {
+        TZ = config.time.timeZone or "UTC";
+      };
+      overrides = {
+        cmd = [ "--config" "/config" ];
+        volumes = [
+          "${serverCfg.configPath}/homeassistant/:/config"
+          "/run/dbus:/run/dbus:ro" # Required for Bluetooth/mDNS service discovery
+        ];
+      };
+    };
+  };
+
+}

modules/server/containers/apps/immich.nix

@@ -0,0 +1,97 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  version = "v2";
+  serverCfg = config.syscfg.server;
+
+in {
+  sops = true;
+  db = true;
+
+  paths = [{
+    path = "${serverCfg.configPath}/immich/cache";
+    mode = "0750";
+  }{
+    path = "${serverCfg.dataPath}/immich/";
+    mode = "0755";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "ghcr.io/immich-app/immich-server:${version}";
+      port = 2283;
+      secret = name;
+      extraEnv = {
+        DB_HOSTNAME = builder.host;
+        REDIS_HOSTNAME = builder.host;
+        DB_USERNAME = "immich_user";
+        DB_DATABASE_NAME = "immich_db";
+        IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
+        IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
+        # IMMICH_ALLOW_SETUP = "false";
+        # IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
+      };
+      overrides = {
+        volumes = [
+          "${serverCfg.dataPath}/immich:/data"
+        ];
+      };
+    };
+
+    ml = builder.mkContainer {
+      image = "ghcr.io/immich-app/immich-machine-learning:${version}";
+      port = 3003;
+      overrides = {
+        volumes = [
+          "${serverCfg.configPath}/immich/cache:/cache"
+        ];
+      };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."CUSTOM".path;
+    script = pkgs.writeShellScript "setup" ''
+        PSQL="${pkgs.postgresql}/bin/psql -U postgres"
+        $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
+        $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
+
+        mkdir -p ${serverCfg.dataPath}/immich/{upload,library,thumbs,encoded-video,profile,backups}
+
+        IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+        until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
+          sleep 5
+        done
+        ${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
+          -H "Content-Type: application/json" -H "Accept: application/json" \
+          -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
+
+        IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
+        -H "Content-Type: application/json" \
+        -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
+        | ${pkgs.jq}/bin/jq -r '.accessToken')        
+
+        ${lib.optionalString (serverCfg.containers ? authentik) ''
+        ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
+        ${pkgs.jq}/bin/jq '.oauth.enabled = true | 
+                          .oauth.autoRegister = true |
+                          .oauth.autoLaunch = true |
+                          .oauth.signingAlgorithm = "RS256" |
+                          .oauth.profileSigningAlgorithm = "RS256" |
+                          .oauth.clientId = "immich" | 
+                          .oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" | 
+                          .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" | 
+                          .oauth.scope = "openid profile email" |
+                          .oauth.buttonText = "Login with SSO"' | \
+        ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
+        ''}
+
+        ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
+        ${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
+                          .storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
+        ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
+        
+    '';
+  };
+}

modules/server/containers/apps/influx.nix

@@ -0,0 +1,45 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  influxPkg = pkgs.influxdb2;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = influxPkg.name;
+    tag = influxPkg.version;
+    contents = [ ];
+    config = {
+      Entrypoint = [ "${influxPkg}/bin/influxd" ];
+      ExposedPorts = {
+        "8086/tcp" = {}; # Combined Engine and UI port
+      };
+    };
+  };
+in {
+  sops = true; # Highly recommended for initial admin passwords and setup tokens
+  db = false;  # Using InfluxDB directly as the primary database
+  
+  paths = [{
+    path = "${serverCfg.configPath}/influxdb/";
+    mode = "0700"; # Strict database permissions
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8086;
+      secret = name;
+      extraEnv = {
+        INFLUXD_CONFIG_PATH = "var/lib/influxdb2/config";
+        INFLUXD_BOLT_PATH = "/var/lib/influxdb2/influxdb.bolt";
+        INFLUXD_ENGINE_PATH = "/var/lib/influxdb2/engine";
+      };
+      overrides = {
+        volumes = [
+          "${serverCfg.configPath}/influxdb/:/var/lib/influxdb2"
+        ];
+      };
+    };
+  };
+
+}

modules/server/containers/apps/invidious.nix

@@ -0,0 +1,78 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+
+  patchedInvidious = pkgs.invidious.overrideAttrs (oldAttrs: {
+    postPatch = (oldAttrs.postPatch or "") + ''
+      cp ${../data/invidious/login.cr} src/invidious/routes/login.cr
+    '';
+  });
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.invidious.name;
+    tag = pkgs.invidious.version;
+
+    contents = [ pkgs.cacert patchedInvidious ];
+    config = {
+      Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
+      ExposedPorts = { "3000/tcp" = {}; };
+      Env = [ 
+        "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+        "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      ];
+    };
+  };
+
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path="${serverCfg.configPath}/invidious";
+    mode = "0755";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 3000;
+      secret = name;
+      extraLabels = {
+        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
+        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
+        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+      };
+      extraEnv = {
+        INVIDIOUS_CONFIG_FILE = "/data/config.yml";
+      };
+      overrides = {
+        volumes = [
+          "${serverCfg.configPath}/invidious:/data:ro"
+        ];
+      };
+    };
+
+    companion = builder.mkContainer {
+      image = "quay.io/invidious/invidious-companion:latest";
+      port = 8282;
+      secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
+      extraOptions = [
+        "--cap-drop=all"
+        "--security-opt=no-new-privileges"
+      ];
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
+    script = pkgs.writeShellScript "setup" ''
+      export DB_HOST=${builder.host}
+      export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
+
+      ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.configPath}/invidious/config.yml"
+    '';
+  };
+}

modules/server/containers/apps/jellyfin.nix

@@ -0,0 +1,177 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let
+  serverCfg = config.syscfg.server;
+  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
+  nss = pkgs.dockerTools.fakeNss.override {
+    extraPasswdLines = [
+      "jellyfin:x:1000:1000:Jellyfin Daemon:/config/data:/bin/false"
+    ];
+    extraGroupLines = [
+      "jellyfin:x:1000:"
+    ];
+  };
+  image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
+    name = pkgs.jellyfin.name;
+    tag = pkgs.jellyfin.version;  
+    contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
+    config = {
+      User = "jellyfin:jellyfin"; 
+      Entrypoint = [ "${pkgs.jellyfin}/bin/jellyfin" ];
+      ExposedPorts = { "8096/tcp" = { }; };
+      Env = [ 
+        "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+        "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      ];
+    };
+  };
+in {
+  paths = [
+    {
+      path = "${serverCfg.dataPath}/media/";
+      owner = "1000:1000";
+      mode = "0755";
+    }
+    {
+      path = "${serverCfg.configPath}/jellyfin/";
+      owner = "1000:1000";
+      mode = "0755";
+    }
+  ];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8096;
+      extraEnv = {
+        HOME = "/config/data";
+        DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
+        JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
+        JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
+      };
+      extraOptions = [
+        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
+      ];
+      overrides = {
+        cmd = [
+        "--datadir" "/config/data"
+        "--cachedir" "/config/cache"
+        "--configdir" "/config/config"
+        "--logdir" "/config/log" 
+        ];
+        volumes = [
+          "${serverCfg.dataPath}/media:/media:ro" 
+          "${serverCfg.configPath}/jellyfin:/config"
+        ];
+        # If you have an Intel/AMD GPU for transcoding, add the device:
+        devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
+      };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."CUSTOM".path;
+    script = pkgs.writeShellScript "setup" ''
+      JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+      until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
+        sleep 5
+      done
+      echo "Jellyfin is up. Sleeping for 20 seconds..."
+      sleep 20
+      WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
+        ${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
+      if [ "$WIZARD_COMPLETE" = "false" ]; then
+        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
+          -H "Content-Type: application/json" \
+          -d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
+          echo "ERROR: Failed to set startup configuration."
+          exit 1
+        fi
+        
+        if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
+          echo "ERROR: Failed to get base user."
+          exit 1
+        fi
+
+        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
+          -H 'accept: */*' -H "Content-Type: application/json" \
+          -d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
+          echo "ERROR: Failed to set admin user."
+          exit 1
+        fi
+
+        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
+          -H "Content-Type: application/json" \
+          -d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
+          echo "ERROR: Failed to configure remote access."
+          exit 1
+        fi
+
+        if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
+          echo "ERROR: Failed to complete wizard."
+          exit 1
+        fi
+        echo "Jellyfin initialization successfully completed!"
+      fi
+
+      ${lib.optionalString (serverCfg.containers ? authentik) ''
+      JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
+        -H "Content-Type: application/json" \
+        -H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
+        -d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
+        | ${pkgs.jq}/bin/jq -r '.AccessToken')
+
+      # Verify we got a token
+      if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
+          echo "ERROR: Authentication failed."
+          exit 1
+      fi
+      if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+          "$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
+        echo "LDAP Plugin is already installed. Skipping setup."
+      else
+        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
+            -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+            -H "Content-Length: 0"; then
+          echo "ERROR: LDAP Plugin Setup Failed."
+          exit 1
+        fi
+
+        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
+            -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+            -H "Content-Length: 0"; then
+          echo "ERROR: Server failed to accept restart command."
+          exit 1
+        fi
+        sleep 1-
+        until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
+          sleep 5
+        done
+        echo "Jellyfin is up. Sleeping for 20 seconds..."
+        sleep 20
+      fi
+
+      if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
+          -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+          -H "Content-Type: application/json" -H 'accept: */*' \
+          -d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
+          "LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
+          "LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
+          "LdapSearchAttributes":"uid, cn, mail, displayName",
+          "LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
+          "EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
+          "EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
+          "LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
+          "EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
+        echo "ERROR: LDAP Plugin Setup Failed."
+        exit 1
+      fi
+      ''}
+
+      echo "Completed Setup"
+
+    '';
+  };
+
+}

modules/server/containers/apps/nextcloud.nix

@@ -0,0 +1,199 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+version = "31";
+serverCfg = config.syscfg.server;
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path="${serverCfg.dataPath}/nextcloud/www";
+    owner = "33:33";
+    mode = "0755";
+  }{
+    path="${serverCfg.dataPath}/nextcloud/data";
+    owner = "33:33";
+    mode = "0755";
+    backup = true;
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "nextcloud:${version}";
+      port = 80;
+      secret = name;
+      extraEnv = {
+        REDIS_HOST = builder.host;
+        POSTGRES_HOST = builder.host;
+        POSTGRES_USER = "nextcloud_user";
+        POSTGRES_DB = "nextcloud_db";
+        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+        "NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.domain}";
+        "SMTP_HOST" = serverCfg.mailServer;
+        "SMTP_NAME" = "mail_user";
+        "SMTP_PASSWORD" = "mail_password";
+        "MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.domain}";
+        "MAIL_DOMAIN" = serverCfg.mailDomain;
+        "TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
+      };
+      extraLabels = {
+        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
+        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
+        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
+        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
+        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
+        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
+      };
+      extraOptions = [
+        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
+      ];
+      overrides = {
+        ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
+        volumes = [
+          "${serverCfg.dataPath}/nextcloud/www:/var/www/html"
+          "${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
+        ];
+      };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ"
+
+      echo "Waiting for Nextcloud container to start..."
+      until $OCC status > /dev/null 2>&1; do
+        sleep 2
+      done
+
+      INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
+      if [ -z "$INSTALLED" ]; then
+        echo "Running first-time setup..."
+        
+        $OCC maintenance:install \
+          --admin-user "$DEFAULT_ADMIN_USERNAME" \
+          --admin-pass "$DEFAULT_ADMIN_PASSWORD"
+      fi
+      if [ -z "$INSTALLED" ] || [ -f "/tmp/force-nextcloud-setup" ]; then
+        rm -f "/tmp/force-nextcloud-setup"
+        echo "Applying Settings..."
+        
+        $OCC config:system:set default_phone_region --value="CH"
+        $OCC config:system:set overwriteprotocol --value="https"
+        $OCC config:app:set core backgroundjobs_mode --value="cron"
+        $OCC config:system:set maintenance_window_start --type=integer --value=1
+        $OCC config:system:set default_language --value="en"
+        $OCC config:system:set default_locale --value="en_CH"
+
+        echo "Applying Apps..."
+        $OCC app:disable activity || true
+        $OCC app:disable app_api || true
+        $OCC app:disable comments || true
+        $OCC app:disable firstrunwizard || true
+        $OCC config:system:set show_first_run_wizard --type=bool --value=false
+        $OCC app:disable nextcloud_announcements || true
+        $OCC app:disable oauth2 || true
+        $OCC app:disable recommendations || true
+        $OCC app:disable sharebymail || true
+        $OCC app:disable support || true
+        $OCC app:disable survey_client || true
+        $OCC app:disable updatenotification || true
+        $OCC app:disable user_status || true
+
+        $OCC app:install calendar || true
+        $OCC app:install calendar || true
+        $OCC app:install contacts || true
+        $OCC app:install camerarawpreviews || true
+        $OCC app:install cospend || true
+        $OCC app:install deck || true
+        $OCC app:install files_markdown || true
+        $OCC app:install forms || true
+        $OCC app:install groupfolders || true
+        $OCC app:install ownpad || true
+        $OCC app:install previewgenerator || true
+        $OCC app:install richdocuments || true
+        ${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
+        # $OCC app:install side_menu || true 
+        $OCC app:install spreed || true
+        $OCC app:install teamfolders || true
+        ${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
+
+        echo "Applying Apps Settings..."
+        $OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
+        $OCC config:app:set cospend allow_federation --value="yes"
+        
+        ${lib.optionalString (serverCfg.containers ? ethercalc) ''
+        $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
+        $OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? etherpad) ''
+        $OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
+        $OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? collabora) ''
+        $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}/"
+        $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}"
+        $OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? authentik) ''
+        $OCC saml:config:set 1 --general-idp0_display_name="authentik"
+        $OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
+        $OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}"
+        $OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/sso/binding/redirect/"
+        $OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/slo/binding/redirect/"
+        AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
+        $OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT" 
+
+        $OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
+        $OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+        $OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
+
+        $OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
+        $OCC group:add admin || true
+        $OCC group:add cloud || true
+        $OCC config:app:set user_saml general-group_provisioning --value="0"
+        $OCC config:app:set user_saml general-require_provisioning_groups --value="1"
+        ''}
+        # configure side_menu ...
+        FOLDERS=$($OCC teamfolders:list --format=json)
+        ${builtins.concatStringsSep "\n" (map (name: ''
+          if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
+              $OCC teamfolders:create "${name}"
+          fi
+        '') containerCfg.extra.teamFolders or [])}
+        SERVERS=$($OCC federation:list-servers --format=json)
+        ${builtins.concatStringsSep "\n" (map (domain: ''
+          if ! echo "$SERVERS" | grep -q "${domain}"; then
+            $OCC federation:add-server "https://${domain}"
+          fi
+        '') containerCfg.extra.federatedServers or [])}
+        $OCC config:app:set systemtags allow_user_creating --value="no"
+        
+        echo "Applying Theme..."
+        $OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
+        ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
+        ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
+        $OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
+        $OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
+
+        #$OCC theming:config logo {serverCfg.colorScheme.logo}
+        #$OCC theming:config logoheader {serverCfg.colorScheme.logo}
+        #$OCC theming:config background {serverCfg.colorScheme.bg}
+            
+      else
+          echo "Nextcloud is already installed. Skipping setup."
+      fi
+
+      echo "Maintenance..."
+      $OCC app:update --all
+      $OCC maintenance:repair --include-expensive --no-interaction
+      $OCC db:add-missing-indices --no-interaction
+
+      echo "Completed Setup"
+    '';
+  };
+
+  cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
+}