Net window

.claude/settings.local.json

@@ -0,0 +1,14 @@
+{
+  "permissions": {
+    "allow": [
+      "WebFetch(domain:elkowar.github.io)",
+      "WebFetch(domain:github.com)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "WebSearch",
+      "WebFetch(domain:deepwiki.com)",
+      "Bash(amdgpu_top -J -s 1000 -d 1)",
+      "Bash(amdgpu_top -J -s 1000 -n 1)",
+      "Bash(sensors -j)"
+    ]
+  }
+}

.gitea/workflows/build.yml

@@ -12,7 +12,7 @@ jobs:
   build-nixos:
     runs-on: ubuntu-latest
     steps: 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       
       - name: "Install Nix ❄️"
         uses: cachix/install-nix-action@v31
@@ -22,7 +22,7 @@ jobs:
       - uses: DeterminateSystems/flake-checker-action@v12
 
       - name: "Install Cachix ❄️"
-        uses: cachix/cachix-action@v16
+        uses: cachix/cachix-action@v17
         with:
           name: helcel
           authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"

.gitea/workflows/update.yml

@@ -13,15 +13,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Install nix
-        uses: DeterminateSystems/nix-installer-action@v20
+        uses: DeterminateSystems/nix-installer-action@v22
         with:
           github-token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
           extra_nix_config: |
             experimental-features = nix-command flakes            
       - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@v27
+        uses: DeterminateSystems/update-flake-lock@v28
         with:
           token: ${{ secrets.GT_TOKEN_FOR_UPDATES }}
           pr-title: "[chore] Update flake.lock"

.gitignore

@@ -2,3 +2,4 @@ result
 age-key.txt
 .decrypted~common.yaml
 .decrypted*
+.tmp

.sops.yaml

@@ -9,55 +9,34 @@ keys:
     - &avalon age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &valinor age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+    - &gateway age1lqvnzlendlmtwgstzrj4xzrwpatwx56k5az5au78fyg99yecwfzs3s6xn6
+    - &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
 
 creation_rules:
-  - path_regex: modules/shared/sops/private/iriy.[a-z]+
-    key_groups:
-    - age:
-      - *iriy
-      pgp:
-      - *sora
-  - path_regex: modules/shared/sops/private/avalon.[a-z]+
-    key_groups:
-    - age:
-      - *avalon
-      pgp:
-      - *sora
-  - path_regex: modules/shared/sops/private/valinor.[a-z]+
-    key_groups:
-    - age:
-      - *valinor
-      pgp:
-      - *sora
-  - path_regex: modules/shared/sops/private/asgard.[a-z]+
-    key_groups:
-    - age:
-      - *asgard
-      pgp:
-      - *sora
-
   - path_regex: modules/shared/sops/common.[a-z]+
     key_groups:
-    - age:
-      - *valinor
-      - *iriy
-      - *avalon
-      - *asgard
-      pgp:
-      - *sora
+      - age:
+          - *valinor
+          - *iriy
+          - *avalon
+          - *asgard
+          - *gateway
+        pgp:
+          - *sora
 
   - path_regex: modules/shared/sops/mock.[a-z]+
     key_groups:
-    - age:
-      - *ci
-
+      - age:
+          - *ci
+          - *sandbox
+        pgp:
+          - *sora
 
   - path_regex: modules/server/sops/server.[a-z]+
     key_groups:
-    - age:
-      - *valinor
-      - *iriy
-      - *avalon
-      - *asgard
-      pgp:
-      - *sora
+      - age:
+          - *avalon
+          - *sandbox
+
+        pgp:
+          - *sora

flake.lock

@@ -1,27 +1,5 @@
 {
   "nodes": {
-    "arion": {
-      "inputs": {
-        "flake-parts": "flake-parts",
-        "haskell-flake": "haskell-flake",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1759632323,
-        "narHash": "sha256-TzLTfXxhOkR/8oOoVEAYQWb81ADGHdKsQXGicC7kR+M=",
-        "owner": "hercules-ci",
-        "repo": "arion",
-        "rev": "24658a03be2d1a6e1e02c01524775d960a82309c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "arion",
-        "type": "github"
-      }
-    },
     "base16-schemes": {
       "flake": false,
       "locked": {
@@ -45,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758805352,
-        "narHash": "sha256-BHdc43Lkayd+72W/NXRKHzX5AZ+28F3xaUs3a88/Uew=",
+        "lastModified": 1779036909,
+        "narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "c48e963a5558eb1c3827d59d21c5193622a1477c",
+        "rev": "56c666e108467d87d13508936aade6d567f2a501",
         "type": "github"
       },
       "original": {
@@ -59,28 +37,23 @@
         "type": "github"
       }
     },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "arion",
-          "nixpkgs"
-        ]
-      },
+    "flake-compat": {
+      "flake": false,
       "locked": {
-        "lastModified": 1759362264,
-        "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "758cf7296bee11f1706a574c77d072b8a7baa881",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
+        "owner": "edolstra",
+        "repo": "flake-compat",
         "type": "github"
       }
     },
-    "flake-parts_2": {
+    "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
           "nur",
@@ -101,34 +74,39 @@
         "type": "github"
       }
     },
-    "hardware": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1760106635,
-        "narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=",
-        "owner": "nixos",
-        "repo": "nixos-hardware",
-        "rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903",
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
-        "repo": "nixos-hardware",
+        "owner": "numtide",
+        "repo": "flake-utils",
         "type": "github"
       }
     },
-    "haskell-flake": {
+    "hardware": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
       "locked": {
-        "lastModified": 1675296942,
-        "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
-        "owner": "srid",
-        "repo": "haskell-flake",
-        "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
+        "lastModified": 1780065812,
+        "narHash": "sha256-SCSLUKBmwlSLGQ8Xbr8PjRFtiHNk0l9ktqkcmqdBkfE=",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "rev": "b76b5639c0593e0aeb0b5879ad62d4b30596c144",
         "type": "github"
       },
       "original": {
-        "owner": "srid",
-        "ref": "0.1.0",
-        "repo": "haskell-flake",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
         "type": "github"
       }
     },
@@ -139,16 +117,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1758463745,
-        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
+        "lastModified": 1779726825,
+        "narHash": "sha256-RUkMrREjKDQrA+dA9+xZviGAxM5W1aVdyOr/bSYpHrE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
+        "rev": "b179bde238977f7d4454fc770b1a727eaf55111c",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "release-26.05",
         "repo": "home-manager",
         "type": "github"
       }
@@ -174,11 +152,11 @@
     },
     "nixUnstable": {
       "locked": {
-        "lastModified": 1759977445,
-        "narHash": "sha256-LYr4IDfuihCkFAkSYz5//gT2r1ewcWBYgd5AxPzPLIo=",
+        "lastModified": 1780030872,
+        "narHash": "sha256-u6WU/yd/o8iYQrHX3RAwO1hYa3LkoSL+WNQD0rJfJZQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2dad7af78a183b6c486702c18af8a9544f298377",
+        "rev": "e9a7635a57597d9754eccebdfc7045e6c8600e6b",
         "type": "github"
       },
       "original": {
@@ -188,22 +166,40 @@
         "type": "github"
       }
     },
-    "nixpkgs": {
+    "nixos-wsl": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1759994382,
-        "narHash": "sha256-wSK+3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1+G77Ow=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "5da4a26309e796daa7ffca72df93dbe53b8164c7",
+        "lastModified": 1780169171,
+        "narHash": "sha256-3HBYDfBgZ+ph52HS6Ks/bMMwuh2uONIT72sZ1CtLE/s=",
+        "owner": "nix-community",
+        "repo": "nixos-wsl",
+        "rev": "998b2821c30b2938637230916904ceb8757c79e8",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
-        "ref": "nixos-25.05",
-        "repo": "nixpkgs",
+        "owner": "nix-community",
+        "repo": "nixos-wsl",
         "type": "github"
       }
     },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1767892417,
+        "narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
+        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
+      }
+    },
     "nixpkgs-lib": {
       "locked": {
         "lastModified": 1697935651,
@@ -221,31 +217,33 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1760038930,
-        "narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=",
+        "lastModified": 1780203844,
+        "narHash": "sha256-K5sT4jTpGs15ADhviMKNBH38REpPf5Q6mM1+N6cArVE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3",
+        "rev": "b51242d7d43689db2f3be91bd05d5b24fbb469c4",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-26.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nur": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
-        "nixpkgs": "nixpkgs_2"
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1760148016,
-        "narHash": "sha256-4E/n/rcKi/Ow24jwk1kCLgAVrKzUhc7VlaKlDKrNgT4=",
+        "lastModified": 1780265777,
+        "narHash": "sha256-t/KORFHEv8Jn2vFmVfv4Zffekv+MUogI2KgtxuCcEmQ=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "5b9257bd1a5585897308817e715950fcec4f81a8",
+        "rev": "39917b7f68263188707925ffe26c9df6ef4e7d64",
         "type": "github"
       },
       "original": {
@@ -256,15 +254,16 @@
     },
     "root": {
       "inputs": {
-        "arion": "arion",
         "darwin": "darwin",
         "hardware": "hardware",
         "home-manager": "home-manager",
         "nix-colors": "nix-colors",
         "nixUnstable": "nixUnstable",
-        "nixpkgs": "nixpkgs",
+        "nixos-wsl": "nixos-wsl",
+        "nixpkgs": "nixpkgs_2",
         "nur": "nur",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "vscode-server": "vscode-server"
       }
     },
     "sops-nix": {
@@ -274,11 +273,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759635238,
-        "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=",
+        "lastModified": 1777944972,
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
         "type": "github"
       },
       "original": {
@@ -286,6 +285,42 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "vscode-server": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1770124655,
+        "narHash": "sha256-yHmd2B13EtBUPLJ+x0EaBwNkQr9LTne1arLVxT6hSnY=",
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "rev": "92ce71c3ba5a94f854e02d57b14af4997ab54ef0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -3,12 +3,15 @@
   inputs = {
     # Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable"
     nixUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-26.05";
     hardware.url = "github:nixos/nixos-hardware";
-    nur.url = "github:nix-community/nur";
+    nur = {
+      url = "github:nix-community/nur";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-25.05";
+      url = "github:nix-community/home-manager/release-26.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -17,39 +20,48 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    # hyprland = {
-    #   url = "github:hyprwm/Hyprland";
-    #   inputs.nixpkgs.follows = "nixpkgs";
-    # };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nix-colors.url = "github:misterio77/nix-colors";
+    nixos-wsl = {
+      url = "github:nix-community/nixos-wsl";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
-    arion.url = "github:hercules-ci/arion";
-    arion.inputs.nixpkgs.follows = "nixpkgs";
-
+    vscode-server = {
+      url = "github:nix-community/nixos-vscode-server";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = inputs:
-    let gen = import ./generator.nix { inherit inputs; };
+    let
+      lib = inputs.nixpkgs.lib;
+      gen = import ./generator.nix { inherit inputs; };
+      systemsDir = ./systems;
+      isIgnoredSystemDir = name: lib.hasPrefix "_" name || lib.hasPrefix "." name;
+      systemNames = lib.attrNames (lib.filterAttrs
+        (name: type:
+          type == "directory"
+          && !isIgnoredSystemDir name
+          && builtins.pathExists (systemsDir + "/${name}/cfg.nix"))
+        (builtins.readDir systemsDir));
+      hostsByType = systemType:
+        lib.filter
+          (host: (import (systemsDir + "/${host}/cfg.nix")).syscfg.type == systemType)
+          systemNames;
+      generateHosts = systemType:
+        lib.genAttrs
+          (hostsByType systemType)
+          (host: gen.generate { inherit host; });
     in {
       devShells = import ./shells { inherit inputs; };
 
-      nixosConfigurations = {
-        valinor = gen.generate { host = "valinor"; };
-        iriy = gen.generate { host = "iriy"; };
-        efir = gen.generate { host = "efir"; };
-        avalon = gen.generate { host = "avalon"; };
-        ci = gen.generate { host = "ci"; };
-        sandbox = gen.generate { host = "sandbox"; };
-      };
-      darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
-      homeConfigurations = {
-        yomi = gen.generate { host = "example"; };
-        example = gen.generate { host = "example"; };
-      };
+      nixosConfigurations = generateHosts "nixos";
+      darwinConfigurations = generateHosts "macos";
+      homeConfigurations = generateHosts "home";
     };
 
   # ===== Unsupported/NotImplemented ======

generator.nix

@@ -5,7 +5,7 @@
       nameValuePair = name: value: { inherit name value; };
     in ({
       "nixos" = inputs.nixpkgs.lib.nixosSystem {
-        system = syscfg.syscfg.system;
+        system = "x86_64-linux";
         specialArgs = { inherit inputs; };
         modules = [
           ./modules/shared/syscfg
@@ -13,9 +13,12 @@
           ./modules/nixos
           syscfg
           ./systems/${host}
-          inputs.arion.nixosModules.arion
           inputs.sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.home-manager
+
+          inputs.nixos-wsl.nixosModules.wsl
+          inputs.vscode-server.nixosModules.default
+
           {
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
@@ -29,7 +32,6 @@
                   syscfg
                   { usercfg = userConfig; }
                   inputs.nix-colors.homeManagerModule
-                  # inputs.hyprland.homeManagerModules.default
                   inputs.sops-nix.homeManagerModules.sops
                 ];
               }) syscfg.syscfg.users);
@@ -38,7 +40,7 @@
       };
 
       "macos" = inputs.darwin.lib.darwinSystem {
-        system = syscfg.system;
+        system = "x86_64-darwin";
         modules = [
           ./modules/shared/syscfg
           ./modules/shared/sops

modules/home/base/default.nix

@@ -8,7 +8,7 @@
     username = "${config.usercfg.username}";
     homeDirectory = "/home/${config.usercfg.username}";
 
-    stateVersion = "24.11";
+    stateVersion = "26.05";
   };
 
 

modules/home/cli/git/default.nix

@@ -1,15 +1,17 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
 
   programs.git = {
     enable = true;
-    userEmail = "${config.usercfg.git.email}";
-    userName = "${config.usercfg.git.username}";
-    signing = {
-      key = "${config.usercfg.git.key}";
+    signing = lib.mkIf (config.usercfg.git.key != null) {
+      key = config.usercfg.git.key;
       signByDefault = true;
     };
     ignores = [ "*result*" ".direnv" "node_modules" ];
-    extraConfig = { core.hooksPath = "./.dev/hooks"; };
+    settings = {
+      core.hooksPath = "./.dev/hooks"; 
+      user.email = "${config.usercfg.git.email}";
+      user.name = "${config.usercfg.git.username}";
+    };
   };
 
   home.packages = with pkgs; [ tig ];

modules/home/cli/neofetch/config.jsonc

@@ -0,0 +1,147 @@
+{
+    "$schema": "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json",
+    "logo": {
+        "type": "builtin", // Logo type: auto, builtin, small, file, etc.
+        // "source": "arch",
+        "width": 10,
+        "height": 10,
+        "padding": {
+            "top": 3,
+            "left": 2,
+            "right": 2
+        },
+        "color": {
+            "1": "blue",
+            "2": "white",
+            "3": "cyan"
+        }
+    },
+    "display": { /* Display settings */},
+    "modules": [
+        "break",
+        {
+            "type": "custom",
+            "format": "\u001b[90m┌──────────────────────Hardware──────────────────────┐"
+        },
+        {
+            "type": "host",
+            "key": "󰌢  PC",
+            "keyColor": "green",
+            "format": "{2}"
+        },
+        {
+            "type": "cpu",
+            "key": "│ ├󱛠 ",
+            "keyColor": "green",
+            "format": "{1} | {4} @{6}"
+        },
+        {
+            "type": "gpu",
+            "key": "│ ├󰍹 ",
+            "keyColor": "green",
+            "format": "{2} | {7}"
+        },
+        {
+            "type": "memory",
+            "key": "│ ├󰑭 ",
+            "keyColor": "green",
+            "format": "{2}"
+        },
+        // {
+        //     "type": "disk",
+        //     "key": "└ └󰋊 ",
+        //     "keyColor": "green"
+        // },
+        {
+            "type": "custom",
+            "format": "\u001b[90m└────────────────────────────────────────────────────┘"
+        },
+        "break",
+        {
+            "type": "custom",
+            "format": "\u001b[90m┌──────────────────────Software──────────────────────┐"
+        },
+        {
+            "type": "os",
+            "key": "  OS",
+            "keyColor": "yellow",
+            "format": " {2} {8}"
+        },
+        {
+            "type": "kernel",
+            "key": "│ ├󰌽 ",
+            "keyColor": "yellow",
+            "format": "{1} {2}"
+        },
+        {
+            "type": "bios",
+            "key": "│ ├󰖡 ",
+            "keyColor": "yellow"
+        },
+        {
+            "type": "packages",
+            "key": "│ ├󰏗 ",
+            "keyColor": "yellow"
+        },
+        {
+            "type": "de",
+            "key": "󰧨  DE",
+            "keyColor": "blue",
+            "format": "{2} | {3}"
+        },
+        {
+            "type": "lm",
+            "key": "│ ├󰍁 ",
+            "keyColor": "blue",
+            "format": "{1} {2} {3}"
+        },
+        {
+            "type": "wm",
+            "key": "│ ├󱂬 ",
+            "keyColor": "blue",
+            "format": "{2} {5}"
+        },
+        {
+            "type": "custom",
+            "format": "\u001b[90m└────────────────────────────────────────────────────┘"
+        },
+        "break",
+        {
+            "type": "custom",
+            "format": "\u001b[90m┌──────────────────────Age───────────────────────────┐"
+        },
+        {
+            "type": "command",
+            "key": "  ›  OS Age  ",
+            "keyColor": "magenta",
+            "text": "birth_install=$(stat -c %W /); current=$(date +%s); time_progression=$((current - birth_install)); days_difference=$((time_progression / 86400)); echo $days_difference days"
+        },
+        {
+            "type": "command",
+            "key": "  ›  Update  ",
+            "keyColor": "magenta",
+            "text": "nixos-rebuild list-generations | awk '$NF == \"True\" {print $2, $3}' | xargs -I {} date -d \"{}\" +\"%s\" | awk '{diff=systime()-$1; printf \"%d days, %d hours, %d mins\\n\", diff/86400, (diff%86400)/3600, (diff%3600)/60}'"
+        },
+        {
+            "type": "uptime",
+            "key": "  ›  Uptime  ",
+            "keyColor": "magenta"
+        },
+        {
+            "type": "custom",
+            "format": "\u001b[90m└────────────────────────────────────────────────────┘"
+        },
+        {
+            "type": "colors",
+            "paddingLeft": 2,
+            "block": {
+                "width": 3,
+                "range": [
+                    0,
+                    15
+                ]
+            } //,
+            //"symbol": "circle"
+        },
+    ]
+}

modules/home/cli/neofetch/default.nix

@@ -1,4 +1,5 @@
 { pkgs, config, ... }: {
-  home.packages = with pkgs; [ neofetch ];
+  home.packages = with pkgs; [ fastfetch ];
   xdg.configFile."neofetch/config.conf".source = ./config.conf;
+  xdg.configFile."fastfetch/config.jsonc".source = ./config.jsonc;
 }

modules/home/cli/zsh/default.nix

@@ -9,6 +9,8 @@ in {
       "sudo" = "sudo ";
       "devsh" =
         "nix develop --profile /tmp/devsh-env ${nixflake_url}#devsh -c zsh";
+      "cdevsh" =
+        "nix develop --profile /tmp/devsh-env -c zsh";
       "nixb" = "(sudo nixos-rebuild switch --flake ${nixflake_url})";
       "nixgc" = "sudo nix-collect-garbage -d && nix-collect-garbage -d";
       "ssh" = "TERM=xterm-256color  ${pkgs.openssh}/bin/ssh";

modules/home/gui/apps/develop/default.nix

@@ -2,6 +2,6 @@
   imports = [ ./vscodium ];
 
   config = lib.mkIf (config.syscfg.make.develop) {
-    home.packages = with pkgs; [ blender godot_4 openscad-unstable bambu-studio pandoc];
+    home.packages = with pkgs; [ blender godot_4 openscad-unstable orca-slicer pandoc claude-code];
   };
 }

modules/home/gui/apps/develop/vscodium/default.nix

@@ -1,9 +1,8 @@
 { lib, config, pkgs, ... }: {
 
   config = lib.mkIf (config.syscfg.make.develop) {
-    programs.vscode = {
+    programs.vscodium = {
       enable = true;
-      package = pkgs.vscodium;
       #profiles.default = {
         profiles.default.extensions = with pkgs.vscode-extensions; [
           bbenoist.nix

modules/home/gui/apps/pipewire/default.nix

@@ -25,6 +25,20 @@
                 }
             }
         }
+        {   name = "libpipewire-module-loopback"
+            args = {
+                node.description = "Virtual Loopback"
+                audio.position = [ FL FR ]
+                capture.props = {
+                    media.class = "Audio/Sink"
+                    node.name = "vloopback_sink"
+                }
+                playback.props = {
+                    media.class = "Audio/Source"
+                    node.name = "vloopback_source"
+                }
+            }
+        }
       ]
     '';
   };

modules/home/gui/base/default.nix

@@ -4,10 +4,10 @@
     services.nextcloud-client.enable = true;
 
     home.packages = with pkgs; [
-      xfce.thunar
-      xfce.thunar-volman
-      xfce.thunar-archive-plugin
-      xfce.tumbler
+      thunar
+      thunar-volman
+      thunar-archive-plugin
+      tumbler
 
       telegram-desktop
       discord-canary

modules/home/gui/games/default.nix

@@ -9,11 +9,11 @@
       #games
       # steam
       gamemode
-      gamescope
-      mangohud
+      #gamescope
+      #mangohud
       prismlauncher
       openttd-jgrpp
-      bottles
+      #bottles
       lutris
       unstable.umu-launcher
       # wine

modules/home/gui/games/wow.nix

@@ -5,6 +5,7 @@
     home.packages = with pkgs;
       [
         # custom.simc
+        unstable.instawow
       ];
 
     # templates buggy currently
@@ -18,64 +19,5 @@
               "wago_addons": null
             }
         }'';
-
-# curse:master-plan
-# curse:raretrackercore-rt
-# curse:raretrackerdragonflight-rtd
-# curse:raretrackermaw-rtmw
-# curse:raretrackermechagon-rtm
-# curse:raretrackerthewarwithin-rtww
-# curse:raretrackertimelessisle-rtti
-# curse:raretrackeruldum-rtu
-# curse:raretrackervale-rtv
-# curse:raretrackerworldbosses-rtwb
-# curse:raretrackerzerethmortis-rtz
-# curse:venture-plan
-# curse:war-plan
-# github:nevcairiel/bartender4
-# github:cidan/betterbags
-# github:bigwigsmods/bigwigs
-# github:bigwigsmods/bigwigs_battleforazeroth
-# github:bigwigsmods/bigwigs_burningcrusade
-# github:bigwigsmods/bigwigs_cataclysm
-# github:bigwigsmods/bigwigs_classic
-# github:bigwigsmods/bigwigs_dragonflight
-# github:bigwigsmods/bigwigs_legion
-# github:bigwigsmods/bigwigs_mistsofpandaria
-# github:bigwigsmods/bigwigs_shadowlands
-# github:bigwigsmods/bigwigs_warlordsofdraenor
-# github:bigwigsmods/bigwigs_wrathofthelichking
-# github:nezroy/demodal
-# github:curseforge-mirror/details
-# github:edusperoni/details_elitism
-# github:curseforge-mirror/elitismhelper
-# github:michaelnpsp/grid2
-# github:jods-gh/groupfinderrio
-# github:nevcairiel/handynotes
-# github:hekili/hekili
-# github:thekrowi/krowi_achievementfilter
-# github:bigwigsmods/littlewigs
-# github:nnoggie/mythicdungeontools
-# github:tullamods/omnicc
-# github:tercioo/plater-nameplates
-# github:curseforge-mirror/quest_completist
-# github:raiderio/raiderio-addon
-# github:wowrarity/rarity
-# github:nevcairiel/shadowedunitframes
-# github:simulationcraft/simc-addon
-# github:curseforge-mirror/tomcats
-# github:weakauras/weakauras2
-# github:kemayo/wow-handynotes-battleforazerothtreasures
-# github:kemayo/wow-handynotes-dragonflight
-# github:kemayo/wow-handynotes-legiontreasures
-# github:kemayo/wow-handynotes-longforgottenhippogryph
-# github:kemayo/wow-handynotes-lostandfound
-# github:kemayo/wow-handynotes-secretfish
-# github:kemayo/wow-handynotes-shadowlandstreasures
-# github:kemayo/wow-handynotes-stygia
-# github:kemayo/wow-handynotes-treasurehunter
-# github:kemayo/wow-handynotes-warwithin
-# wowi:7032-tomtom
-
   };
 }

modules/home/gui/theme/default.nix

@@ -1,6 +1,5 @@
 { lib, config, pkgs, ... }:
 let
-  colorVariant = " black";
   gtkThemeFromScheme = import ./gtk-theme-gen.nix { inherit pkgs config; };
   wallpaperGen = import ./wallpaper-gen.nix { inherit pkgs config; };
 in {
@@ -20,6 +19,7 @@ in {
         name = "${config.colorscheme.slug}-Dark";
         package = gtkThemeFromScheme;
       };
+      gtk4.theme = config.gtk.theme; 
       iconTheme = {
         name = "tela-circle-icon-theme";
         package = pkgs.tela-circle-icon-theme;
@@ -31,7 +31,7 @@ in {
       platformTheme.name = "gtk";
     };
 
-    home.packages = [ wallpaperGen pkgs.swww ];
+    home.packages = [ wallpaperGen pkgs.awww ];
 
     xdg.configFile."script/wallpaper.sh".text = ''
       #!/bin/sh
@@ -50,7 +50,7 @@ in {
 
       IMG=$WPDIR/$(echo "$RES" | wofi --dmenu --allow-images show-icons true -theme-str '#window { width: 50%; }' -p "Choose wallpaper:")
       IMG=$(echo "$IMG" | awk -F ':' '{print $2}')
-      swww img $IMG
+      awww img $IMG
     '';
   };
 }

modules/home/gui/theme/wallpaper-gen.nix

@@ -1,40 +1,150 @@
-{ pkgs, config }:
+{ pkgs, config, lib ? pkgs.lib }:
 
 let
-  scheme = config.colorScheme;
-  colors = scheme.palette;
-  dither =
-    "atkinson"; # none | floyd-steinberg | atkinson | jjn | burkes | sierra | sierra-lite
-in pkgs.stdenv.mkDerivation rec {
-  pname = "generated-wallpaper";
-  version = "a1676fc2a0e3dfb7bf95d8a89e592830";
-  src = pkgs.fetchFromGitea {
-    domain = "git.helcel.net";
-    owner = "sora";
-    repo = "nixconfig-wallpaper";
-    rev = version;
-    sha256 = "sha256-ZhBjTaKzoiEq1ptMmNWWRPCjLJsvy9My/HuzRaDjX1c=";
+  colors = config.colorScheme.palette;
+  mediaImages = config.syscfg.media.main;
+  mediaNames = map (image: builtins.baseNameOf (toString image)) mediaImages;
+  mediaSourceDir = pkgs.linkFarm "wallpaper-media" (
+    map (image: {
+      name = builtins.baseNameOf (toString image);
+      path = image;
+    }) mediaImages
+  );
+
+  dither = "atkinson"; # none | floyd-steinberg | atkinson | jjn | burkes | sierra | sierra-lite
+  paletteSize = 0;
+
+  hexChars = "0123456789abcdef";
+  hexMap = {
+    "0" = 0; "1" = 1; "2" = 2; "3" = 3;
+    "4" = 4; "5" = 5; "6" = 6; "7" = 7;
+    "8" = 8; "9" = 9; "a" = 10; "b" = 11;
+    "c" = 12; "d" = 13; "e" = 14; "f" = 15;
   };
 
-  buildInputs = with pkgs; [ custom.repalette nodejs imagemagick gifsicle ];
+  baseColors = [
+    colors.base00
+    colors.base01
+    colors.base02
+    colors.base03
+    colors.base04
+    colors.base05
+    colors.base06
+    colors.base07
+    colors.base08
+    colors.base09
+    colors.base0A
+    colors.base0B
+    colors.base0C
+    colors.base0D
+    colors.base0E
+    colors.base0F
+  ];
 
-  configurePhase = ''
-    echo "${colors.base00},${colors.base01},\
-          ${colors.base02},${colors.base03},\
-          ${colors.base04},${colors.base05},\
-          ${colors.base06},${colors.base07},\
-          ${colors.base08},${colors.base09},\
-          ${colors.base0A},${colors.base0B},\
-          ${colors.base0C},${colors.base0D},\
-          ${colors.base0E},${colors.base0F}" > palette.in
-  '';
+  round = x: builtins.floor (x + 0.5);
+  clamp = x:
+    if x < 0 then 0 else if x > 255 then 255 else x;
+  parseHexByte = byte:
+    let
+      hi = hexMap.${builtins.substring 0 1 byte};
+      lo = hexMap.${builtins.substring 1 1 byte};
+    in
+    hi * 16 + lo;
+  hexToRgb = hex:
+    let
+      clean = lib.toLower (lib.removePrefix "#" hex);
+    in
+    {
+      r = parseHexByte (builtins.substring 0 2 clean);
+      g = parseHexByte (builtins.substring 2 2 clean);
+      b = parseHexByte (builtins.substring 4 2 clean);
+    };
+  componentToHex = value:
+    let
+      bounded = clamp value;
+      hi = builtins.div bounded 16;
+      lo = bounded - hi * 16;
+    in
+    "${builtins.substring hi 1 hexChars}${builtins.substring lo 1 hexChars}";
+  rgbToHex = color: "${componentToHex color.r}${componentToHex color.g}${componentToHex color.b}";
+
+  getTint = c: weight: round (c + (255 - c) * weight);
+  getShade = c: weight: round (c * weight);
+  tint = color: weight: {
+    r = getTint color.r weight;
+    g = getTint color.g weight;
+    b = getTint color.b weight;
+  };
+  shade = color: weight: {
+    r = getShade color.r weight;
+    g = getShade color.g weight;
+    b = getShade color.b weight;
+  };
+  genPalette = color:
+    let
+      tints =
+        if paletteSize == 0
+        then [ ]
+        else lib.genList (i: tint color ((i + 1.0) / paletteSize)) paletteSize;
+      shades =
+        if paletteSize == 0
+        then [ ]
+        else lib.genList (i: shade color (i * 1.0 / paletteSize)) paletteSize;
+    in
+    lib.reverseList tints ++ [ color ] ++ lib.reverseList shades;
+  keepColor = color:
+    let
+      sum = color.r + color.g + color.b;
+    in
+    sum > 0 && sum < 765;
+
+  paletteColors = lib.concatMap (hex: lib.filter keepColor (genPalette (hexToRgb hex))) baseColors;
+  paletteHex = lib.concatStringsSep "," (map rgbToHex paletteColors);
+  gifPaletteFile = pkgs.writeText "wallpaper-gifpalette.txt" (
+    lib.concatMapStringsSep "\n" (color: "${toString color.r} ${toString color.g} ${toString color.b}") paletteColors
+  );
+
+  buildCommands =
+    lib.concatMapStringsSep "\n" (name:
+      let
+        source = "${mediaSourceDir}/${name}";
+        target = "build/${name}";
+      in
+      if lib.hasSuffix ".gif" (lib.toLower name) then ''
+        gifsicle --use-colormap ${lib.escapeShellArg (toString gifPaletteFile)} < ${lib.escapeShellArg source} > ${lib.escapeShellArg target}
+      '' else ''
+        repalette ${lib.escapeShellArg source} ${lib.escapeShellArg target} -p ${lib.escapeShellArg paletteHex} --dither ${lib.escapeShellArg dither}
+      ''
+    ) mediaNames;
+in
+assert lib.assertMsg
+  (builtins.length mediaNames == builtins.length (lib.unique mediaNames))
+  "syscfg.media.main contains duplicate basenames, which would collide in generated wallpaper output.";
+pkgs.stdenv.mkDerivation {
+  pname = "generated-wallpaper";
+  version = "local";
+  dontUnpack = true;
+
+  nativeBuildInputs = with pkgs; [
+    custom.repalette
+    gifsicle
+  ];
 
   buildPhase = ''
-    make DITHER=${dither} PALETTE_SIZE=0 all
+    runHook preBuild
+
+    mkdir -p build
+    ${buildCommands}
+
+    runHook postBuild
   '';
 
   installPhase = ''
+    runHook preInstall
+
     mkdir -p $out/share/wallpaper
-    cp -r build/* $out/share/wallpaper/
+    cp -r build/. $out/share/wallpaper/
+
+    runHook postInstall
   '';
 }

modules/home/wayland/apps/dunst/default.nix

@@ -46,7 +46,7 @@
           min_icon_size = 32;
           max_icon_size = 64;
 
-          icon_path =
+          icon_path = lib.mkForce 
             "${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/status:${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/device ";
           icon_theme = "Tela-circle-dark";
           enable_recursive_icon_lookup = "true";

modules/home/wayland/apps/eww/bar/css/_colors.scss

@@ -0,0 +1,29 @@
+$base00: #000000;
+$base01: #060a0f;
+$base02: #212c38;
+$base03: #3f5268;
+$base04: #617b9a;
+$base05: #90a7c1;
+$base06: #c9d3df;
+$base07: #fcfcfc;
+$base08: #ffac56;
+$base09: #feea74;
+$base0A: #bffe8a;
+$base0B: #4cfefa;
+$base0C: #62acfd;
+$base0D: #9b9bfd;
+$base0E: #fe9bda;
+$base0F: #fc8999;
+
+
+$fg: $base07;
+$bg0: $base00;
+$bg1: $base01;
+
+$border-color: $base03;
+$border-color-focus: $base04;
+$border-radius: 8px;
+$border-width: 2px;
+
+$gaps-screen: 8px;
+$gaps-window: 4px;

modules/home/wayland/apps/eww/bar/css/_net.scss

@@ -1,8 +1,24 @@
+// Bar icons
+.net-icon      { font-size: 14px; padding: 3pt 0; }
+.net-active    { color: $base07; }
+.net-dim       { color: $base02; }
+.blt-on        { color: $base07; }
+.blt-connected { color: $base0D; }
 
-.net {
-    color: $base07;
-}
+// Popup window section accents
+.wifi-accent { background-color: $base0C; }
+.eth-accent  { background-color: $base0B; }
+.blt-accent  { background-color: $base0D; }
 
-.blt {
-    color: $base0C;
-}
+// Netinfo rows
+.netinfo-row   { margin-bottom: 3pt; }
+.netinfo-label { font-size: 0.72em; color: $base04; min-width: 60px; }
+.netinfo-value { font-size: 0.72em; color: $base05; }
+.netinfo-dim   { font-size: 0.72em; color: $base03; margin-bottom: 4pt; }
+
+// Bluetooth device list
+.bt-device-row  { margin-bottom: 4pt; }
+.bt-device-name { font-size: 0.78em; color: $base05; }
+.bt-device-btn  { padding: 2pt 6pt; border-radius: $border-radius; font-size: 1em; }
+.bt-btn-on  { color: $base0D; }
+.bt-btn-off { color: $base03; }

modules/home/wayland/apps/eww/bar/css/_sys.scss

@@ -1,69 +1,186 @@
 
-.cpubar {
-color: $base0C;
-}
-
-.gpubar {
-color: $base0E;
-}
-
-.membar {
-color: $base08;
-}
-    
-.batbar {
-color: $base0B;
-}
-
-.cpubar,
-.gpubar,
-.membar,
-.batbar {
-    background-color: $bg0;
-    margin: $gaps-window 0;
-}
-
-.cpu-core-usage, .gpu-core-usage, .memory-usage {
-    background-color: $bg0;
-    border-radius: $border-radius;
-    padding: 2pt;
-    margin: 1pt;
-
-}
-
-.cpu-core-usage trough * {
-    background-color: $base0C;
-    border-radius: $border-radius;
-    padding: 2pt;
-}
-.gpu-core-usage trough * {
-    background-color: $base0E;
-    border-radius: $border-radius;
-    padding: 2pt;
-}
-
-.memory-usage trough * {
-    background-color: $base08;
-    border-radius: $border-radius;
-    padding: 2pt;
-}
-
-
-.spacer {
-    color: $bg1;
-    padding: $gaps-window;
-    margin:0;
+// Bar module rings
+.cpubar { color: $base0C; }
+.gpubar { color: $base0E; }
+.membar { color: $base08; }
+.batbar { color: $base0B; }
+
+.cpubar, .gpubar, .membar, .batbar {
+  background-color: $bg0;
+  margin: $gaps-window 0;
 }
 
+// Window
 .sys-win {
-    // @include window;
-    // background-color: $bg1;
-    // color: $fg;
-    // margin: $gaps-win;
-    padding: 5pt;
+  padding: 10pt;
+}
+
+.sys-section {
+  margin-bottom: 0;
+}
+
+.sys-section-header {
+  margin-bottom: 10pt;
 }
 
 .sys-label {
-    font-weight: bolder;
-    color: $base04;
+  font-size: 0.72em;
+  font-weight: bold;
+  letter-spacing: 0.14em;
+  color: $base05;
+}
+
+.section-accent {
+  min-width: 3px;
+  border-radius: 2px;
+  margin-right: 8pt;
+}
+
+.cpu-accent { background-color: $base0C; }
+.gpu-accent { background-color: $base0E; }
+.ram-accent { background-color: $base08; }
+.bat-accent { background-color: $base0B; }
+
+.section-sep {
+  background-color: $base02;
+  min-height: 2px;
+  margin: 6pt 0 10pt 0;
+}
+
+.sys-sublabel {
+  font-size: 0.72em;
+  color: $base04;
+  margin-right: 8pt;
+}
+
+// CPU grid
+.cpu-usage-ring {
+  color: $base0C;
+  background-color: $bg0;
+  margin: 3pt;
+}
+
+// Inner freq ring — margin shrinks it inside overlay for concentric effect
+// 0% = cpu min freq, 100% = cpu max freq
+.cpu-freq-ring {
+  color: $base0D;
+  background-color: $bg0;
+  margin: 12px;
+}
+
+.cpu-core-label {
+  font-size: 0.7em;
+  color: $base05;
+}
+
+// GPU rings
+.gpu-ring {
+  color: $base0E;
+  background-color: $bg0;
+  margin: 3pt;
+}
+
+.gpu-freq-ring {
+  color: $base0D;
+  background-color: $bg0;
+  margin: 13px;
+}
+
+.gpu-ring-value {
+  font-size: 0.82em;
+  font-weight: bold;
+  color: $base05;
+}
+
+.gpu-ring-label {
+  font-size: 0.62em;
+  color: $base04;
+  margin-top: 2pt;
+}
+
+// GPU stats row
+.gpu-stats-row {
+  margin-top: 6pt;
+  margin-bottom: 2pt;
+}
+
+.gpu-stat-value {
+  font-size: 0.85em;
+  font-weight: bold;
+  color: $base05;
+}
+
+.gpu-stat-label {
+  font-size: 0.62em;
+  color: $base04;
+}
+
+// VRAM bar
+.vram-row {
+  margin-top: 6pt;
+}
+
+.vram-bar {
+  background-color: $bg0;
+  border-radius: $border-radius;
+  padding: 4pt;
+}
+
+.vram-bar trough * {
+  background-color: $base0E;
+  border-radius: $border-radius;
+}
+
+.vram-usage-label {
+  font-size: 0.62em;
+  color: $base04;
+  margin-top: 2pt;
+}
+
+// RAM ring
+.ram-ring {
+  color: $base08;
+  background-color: $bg0;
+  margin: 4pt;
+}
+
+.ram-cached-ring {
+  color: $base02;
+  background-color: transparent;
+  margin: 4pt;
+}
+
+.ram-used-label {
+  font-size: 0.95em;
+  font-weight: bold;
+  color: $base05;
+}
+
+.ram-total-label {
+  font-size: 0.72em;
+  color: $base04;
+}
+
+// Swap ring
+.swap-ring {
+  color: $base09;
+  background-color: $bg0;
+  margin: 3pt;
+}
+
+.swap-section-label {
+  font-size: 0.62em;
+  color: $base04;
+  margin-top: 2pt;
+}
+
+// Battery ring
+.bat-ring {
+  background-color: $bg0;
+  margin: 4pt;
+}
+
+.bat-ring-label {
+  font-size: 0.7em;
+  color: $base05;
 }

modules/home/wayland/apps/eww/bar/eww.yuck

@@ -7,6 +7,7 @@
 
 (include "windows/calendar.yuck")
 (include "windows/sys.yuck")
+(include "windows/net.yuck")
 (include "windows/radio.yuck")
 (include "windows/powermenu.yuck")
 
@@ -48,7 +49,7 @@
 
 
 (defwindow bar
-    :monitor 1
+    :monitor 0
     :geometry (geometry
       :x "0%"
       :y "0%"

modules/home/wayland/apps/eww/bar/modules/clock.yuck

@@ -5,8 +5,8 @@
     (eventbox
       :onhover "${EWW_CMD} update date_rev=true"
       :onhoverlost "${EWW_CMD} update date_rev=false"
-      :onclick "(sleep 0.1 && ${EWW_CMD} open --toggle calendar)"
-      :onrightclick "(sleep 0.1 && ${EWW_CMD} open --toggle powermenu)"
+      :onclick "(sleep 0.1 && eww-open-on-current-screen calendar --toggle)"
+      :onrightclick "(sleep 0.1 && eww-open-on-current-screen powermenu --toggle)"
       (box
         :class "datetime"
         (overlay

modules/home/wayland/apps/eww/bar/modules/net.yuck

@@ -1,17 +1,25 @@
-(deflisten net :initial '{"name":"","icon":""}'"scripts/net/net")
+(deflisten net
+  :initial '{"wifi":{"connected":false,"icon":"󰤮","ssid":""},"ethernet":{"connected":false}}'
+  "scripts/net/net")
+
+(deflisten bluetooth
+  :initial '{"powered":false,"connected":false,"device":""}'
+  "scripts/net/bluetooth")
 
 (defwidget net-mod []
   (module
-    (box
-      :orientation "v"
-      (button
-        :class "net"
-        :tooltip {net.name}
-        {net.icon})
-
-      (button
-        :class "blt"
-        (label :class "icon-text" :text "B"))
-    )
-  )
-)
+    (eventbox
+      :onclick "(sleep 0.1 && eww-open-on-current-screen net --toggle)"
+    (box :orientation "v"
+      (label
+        :class "net-icon ${net.ethernet.connected ? 'net-active' : 'net-dim'}"
+        :tooltip {net.ethernet.connected ? "Ethernet: Connected" : "Ethernet: Disconnected"}
+        :text "󰈀")
+      (label
+        :class "net-icon ${net.wifi.connected ? 'net-active' : 'net-dim'}"
+        :tooltip {net.wifi.connected ? "WiFi: ${net.wifi.ssid}" : "WiFi: Disconnected"}
+        :text {net.wifi.icon})
+      (label
+        :class "net-icon ${bluetooth.connected ? 'blt-connected' : bluetooth.powered ? 'blt-on' : 'net-dim'}"
+        :tooltip {bluetooth.connected ? "Bluetooth: ${bluetooth.device}" : bluetooth.powered ? "Bluetooth: On" : "Bluetooth: Off"}
+        :text {bluetooth.connected ? "󰂱" : bluetooth.powered ? "󰂯" : "󰂲"})))))

modules/home/wayland/apps/eww/bar/modules/sys.yuck

@@ -1,42 +1,33 @@
 (deflisten cpu :initial '{}' "scripts/sys/cpu")
-(deflisten gpu :initial '{"devices":[{"GRBM2":{}}]}' "scripts/sys/gpu")
-(deflisten memory :initial '{"human":{"used":"0G","total":"0G"},"used":0.0,"total":1.0}' "scripts/sys/memory")
+(deflisten gpu :initial '{"gfx_pct":0,"mem_pct":0,"media_pct":0,"sclk":0,"mclk":0,"sclk_pct":0,"mclk_pct":0,"vclk":0,"vclk_pct":0,"temp":0,"power":0,"vram_used":0,"vram_total":1}' "scripts/sys/gpu")
+(deflisten memory :initial '{"human":{"used":"0G","total":"0G","cached":"0G"},"used":0.0,"total":1.0,"cached":0.0}' "scripts/sys/memory")
 
 (deflisten battery :initial '{"visible":false,"percentage":0.0,"color":"#FFFFFF"}' "scripts/sys/battery")
 
 (defwidget sys-mod []
   (module
     (eventbox
-      :onclick "(sleep 0.1 && ${EWW_CMD} open --toggle sys)"
-      (box
-        :orientation "v"
-          (circular-progress
-            :value {EWW_CPU.avg}
-            :class "cpubar"
-            :thickness 6
-            (label :class "icon-text" :text "C"))
-
-          (circular-progress
-            :value {gpu.devices[0].GRBM2?.CommandProcessor-Graphics?.value?:0}
-            :class "gpubar"
-            :thickness 6
-            (label :class "icon-text" :text "G"))
+      :onclick "(sleep 0.1 && eww-open-on-current-screen sys --toggle)"
+      (box :orientation "v"
+        (circular-progress
+          :value {EWW_CPU.avg}
+          :class "cpubar"
+          :width 28 :height 28 :thickness 6
+          :tooltip "CPU ${round(EWW_CPU.avg, 0)}%")
+        (circular-progress
+          :value {gpu.gfx_pct}
+          :class "gpubar"
+          :width 28 :height 28 :thickness 6
+          :tooltip "GPU ${round(gpu.gfx_pct, 0)}%")
         (circular-progress
           :value {100*memory.used/memory.total}
           :class "membar"
-          :thickness 6
-          :tooltip "${memory.human.used} / ${memory.human.total}"
-          (label :class "icon-text" :text "M"))
-
+          :width 28 :height 28 :thickness 6
+          :tooltip "RAM ${memory.human.used} / ${memory.human.total}")
         (circular-progress
           :value {battery.percentage}
           :class "batbar"
           :visible {battery.visible}
           :style "color: ${battery.color};"
-          :thickness 6
-          :tooltip "${battery.status} @ ${battery.wattage}"
-          (label :class "icon-text" :text "B"))
-      )
-    )
-  )
-)
+          :width 28 :height 28 :thickness 6
+          :tooltip "Bat ${round(battery.percentage, 0)}% · ${battery.status} @ ${battery.wattage}")))))

modules/home/wayland/apps/eww/bar/modules/workspaces.yuck

@@ -3,13 +3,14 @@
 (defwidget workspace-mod []
   	(module
   	  	(eventbox
-		:onscroll "echo {} | sed -e \"s/up/-1/g\" -e \"s/down/+1/g\" | xargs hyprctl dispatch workspace"
+			:onscroll "echo {} | sed -e 's/up/-1/' -e 's/down/+1/' | xargs -I % hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '%' }))\""
+
 			(box
 				:class "module workspaces"
 				:orientation "v"
 				(for ws in workspace
 					(button
-						:onclick "hyprctl dispatch workspace ${ws.number}"
+						:onclick "hyprctl  eval \"hl.dispatch(hl.dsp.focus({ workspace = '${ws.number}' }))\""
 						(label 
 							:show-truncated false
 							:class "icon-text  ${ws.color}"

modules/home/wayland/apps/eww/bar/scripts/net/bluetooth

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+emit() {
+  local powered=false connected=false device=""
+
+  if bluetoothctl show 2>/dev/null | grep -q "Powered: yes"; then
+    powered=true
+    while IFS= read -r line; do
+      mac=$(echo "$line" | awk '{ print $2 }')
+      info=$(bluetoothctl info "$mac" 2>/dev/null)
+      if echo "$info" | grep -q "Connected: yes"; then
+        device=$(echo "$info" | awk -F': ' '/^\tName:/ { print $2; exit }')
+        connected=true
+        break
+      fi
+    done < <(bluetoothctl devices 2>/dev/null)
+  fi
+
+  printf '{"powered":%s,"connected":%s,"device":"%s"}\n' "$powered" "$connected" "$device"
+}
+
+emit
+bluetoothctl monitor 2>/dev/null | while IFS= read -r line; do
+  case "$line" in
+    *"Powered"*|*"Connected"*|*"Device"*) emit ;;
+  esac
+done

modules/home/wayland/apps/eww/bar/scripts/net/bt-devices

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+emit() {
+  local first=true arr=""
+  while IFS= read -r line; do
+    local mac name connected
+    mac=$(echo "$line" | awk '{ print $2 }')
+    name=$(echo "$line" | awk '{ $1=$2=""; sub(/^ +/, ""); print }')
+    info=$(bluetoothctl info "$mac" 2>/dev/null)
+    connected=$(echo "$info" | grep -q "Connected: yes" && echo true || echo false)
+    $first || arr="${arr},"
+    arr="${arr}{\"mac\":\"${mac}\",\"name\":\"${name}\",\"connected\":${connected}}"
+    first=false
+  done < <(bluetoothctl devices 2>/dev/null)
+  echo "[${arr}]"
+}
+
+emit
+bluetoothctl monitor 2>/dev/null | while IFS= read -r line; do
+  case "$line" in
+    *"Powered"*|*"Connected"*|*"Device"*) emit ;;
+  esac
+done

modules/home/wayland/apps/eww/bar/scripts/net/bt-toggle

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+mac="$1"
+if bluetoothctl info "$mac" 2>/dev/null | grep -q "Connected: yes"; then
+  bluetoothctl disconnect "$mac"
+else
+  bluetoothctl connect "$mac"
+fi

modules/home/wayland/apps/eww/bar/scripts/net/net

@@ -1,73 +1,47 @@
-#!/usr/bin/env zsh
+#!/usr/bin/env bash
 
-function get_time_ms {
-  date -u +%s%3N
+get_wifi_iface() {
+  awk 'NR > 2 { gsub(":", "", $1); print $1; exit }' /proc/net/wireless
 }
 
-icons=("󰤯" "󰤟" "󰤢" "󰤥" "󰤨")
-
-function toggle() {
-  status=$(rfkill | grep wlan | awk '{print $4}')
-
-  if [ "$status" = "unblocked" ]; then
-    rfkill block wlan
-  else
-    rfkill unblock wlan
-  fi
+signal_icon() {
+  local dbm="$1"
+  if [ -z "$dbm" ]; then echo "󰤮"; return; fi
+  if   [ "$dbm" -ge -50 ]; then echo "󰤨"
+  elif [ "$dbm" -ge -60 ]; then echo "󰤥"
+  elif [ "$dbm" -ge -70 ]; then echo "󰤢"
+  elif [ "$dbm" -ge -80 ]; then echo "󰤟"
+  else echo "󰤯"; fi
 }
 
-function gen_wifi() {
-  signal=$(cat /proc/net/wireless | head -n3 | tail -n1 | awk '{print $3}')
-  level=$(awk -v n="$signal" 'BEGIN{print int((n-1)/20)}')
-  if [ "$level" -gt 4 ]; then
-    level=4
+make_content() {
+  local wifi_iface eth_iface
+
+  wifi_iface=$(get_wifi_iface)
+  eth_iface=$(ip link | awk '/^[0-9]+: en[po]/ { gsub(":",""); print $2; exit }')
+
+  # Ethernet
+  local eth_connected=false
+  if [ -n "$eth_iface" ]; then
+    eth_state=$(ip link show "$eth_iface" 2>/dev/null | awk '/state/ { print $9 }')
+    [ "$eth_state" = "UP" ] && eth_connected=true
   fi
 
-  icon=${icons[$level]}
-  ip="-"
-  class="net-connected"
-  name_raw=$(wpa_cli status | grep \^ssid= | sed 's/ssid=//g')
-  name=$(printf "%s" $name_raw)
-}
-
-function gen_ethernet() {
-  icon="󰈀"
-  class="net-connected"
-  ip=""
-  name=Wired
-}
-
-function make_content() {
-  local ethernet wifi
-  ethernet=$(ip link | rg "^[0-9]+: en[po]+" | head -n1 | sed 's/[a-zA-Z0-9_,><:\ -]*state //g' | sed 's/ mode [a-zA-Z0-9 ]*//g')
-  wifi=$(wpa_cli status | rg "^wpa_state=" | sed 's/wpa_state=//g')
-
-  # test ethernet first
-  if [[ $ethernet == "UP" ]]; then
-    gen_ethernet
-  elif [[ $wifi == "COMPLETED" ]]; then
-    gen_wifi
-  else
-    icon="󰤮"
-    ip="-"
-    class="net-disconnected"
-    name="Disconnected"
+  # WiFi — use IP presence as connection indicator (more reliable than wpa_cli)
+  local wifi_connected=false wifi_icon="󰤮" wifi_ssid=""
+  if [ -n "$wifi_iface" ] && ip -4 addr show "$wifi_iface" 2>/dev/null | grep -q "inet "; then
+    wifi_connected=true
+    wifi_ssid=$(wpa_cli -g "/run/wpa_supplicant/$wifi_iface" status 2>/dev/null \
+      | awk -F= '/^ssid=/ { print $2 }')
+    signal=$(awk -v iface="$wifi_iface" '$1 == iface ":" { gsub(/\./, "", $4); print $4; exit }' /proc/net/wireless)
+    wifi_icon=$(signal_icon "$signal")
   fi
 
-  echo '{"icon": "'$icon'", "name": "'$name'", "ip": "'$ip'", "class": "'$class'"}'
+  printf '{"wifi":{"connected":%s,"icon":"%s","ssid":"%s"},"ethernet":{"connected":%s}}\n' \
+    "$wifi_connected" "$wifi_icon" "$wifi_ssid" "$eth_connected"
 }
 
-if [ "$1" = "toggle" ]; then
-  toggle
-else
-  last_time=$(get_time_ms)
+make_content
+ip monitor | while read -r _; do
   make_content
-  ip monitor | while read -r _; do
-    current_time=$(get_time_ms)
-    delta=$((current_time - last_time))
-    if [[ $delta -gt 50 ]]; then
-      make_content
-      last_time=$(get_time_ms)
-    fi
-  done
-fi
+done

modules/home/wayland/apps/eww/bar/scripts/net/netinfo

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+get_wifi_iface() {
+  awk 'NR > 2 { gsub(":", "", $1); print $1; exit }' /proc/net/wireless
+}
+
+freq_band() {
+  local f="$1"
+  if   [ "$f" -ge 6000 ] 2>/dev/null; then echo "6 GHz"
+  elif [ "$f" -ge 5000 ] 2>/dev/null; then echo "5 GHz"
+  elif [ "$f" -ge 2400 ] 2>/dev/null; then echo "2.4 GHz"
+  else echo ""; fi
+}
+
+wifi_gen_label() {
+  case "$1" in
+    7) echo "Wi-Fi 7" ;; 6) echo "Wi-Fi 6" ;;
+    5) echo "Wi-Fi 5" ;; 4) echo "Wi-Fi 4" ;;
+    *) echo "" ;;
+  esac
+}
+
+make_content() {
+  local wifi_iface eth_iface
+  wifi_iface=$(get_wifi_iface)
+  eth_iface=$(ip link | awk '/^[0-9]+: en[po]/ { gsub(":",""); print $2; exit }')
+
+  local wifi_ssid="" wifi_ip="" wifi_freq=0 wifi_band="" wifi_gen="" wifi_signal=0
+  if [ -n "$wifi_iface" ] && ip -4 addr show "$wifi_iface" 2>/dev/null | grep -q "inet "; then
+    local wpa
+    wpa=$(wpa_cli -g "/run/wpa_supplicant/$wifi_iface" status 2>/dev/null)
+    wifi_ssid=$(echo "$wpa"    | awk -F= '/^ssid=/            { print $2 }')
+    wifi_ip=$(ip -4 addr show "$wifi_iface" | awk '/inet / { print $2 }')
+    wifi_freq=$(echo "$wpa"   | awk -F= '/^freq=/             { print $2 }')
+    local gen
+    gen=$(echo "$wpa"         | awk -F= '/^wifi_generation=/  { print $2 }')
+    wifi_band=$(freq_band "$wifi_freq")
+    wifi_gen=$(wifi_gen_label "$gen")
+    wifi_signal=$(awk -v iface="$wifi_iface" \
+      '$1 == iface ":" { gsub(/\./, "", $4); print $4; exit }' /proc/net/wireless)
+  fi
+
+  local eth_ip="" eth_speed="" eth_state="down"
+  if [ -n "$eth_iface" ]; then
+    eth_state=$(ip link show "$eth_iface" 2>/dev/null | awk '/state/ { print tolower($9) }')
+    if [ "$eth_state" = "up" ]; then
+      eth_ip=$(ip -4 addr show "$eth_iface" | awk '/inet / { print $2 }')
+      local spd
+      spd=$(cat /sys/class/net/"$eth_iface"/speed 2>/dev/null)
+      [ "${spd:-0}" -gt 0 ] 2>/dev/null && eth_speed="${spd} Mbps"
+    fi
+  fi
+
+  # shellcheck disable=SC2059
+  printf '{"wifi":{"ssid":"%s","ip":"%s","freq":%s,"band":"%s","gen":"%s","signal":%s},' \
+    "$wifi_ssid" "$wifi_ip" "${wifi_freq:-0}" "$wifi_band" "$wifi_gen" "${wifi_signal:-0}"
+  printf '"ethernet":{"state":"%s","ip":"%s","speed":"%s","interface":"%s"}}\n' \
+    "$eth_state" "$eth_ip" "$eth_speed" "${eth_iface:-}"
+}
+
+make_content
+ip monitor | while read -r _; do
+  make_content
+done

modules/home/wayland/apps/eww/bar/scripts/sys/cpugrid

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+COLS=4
+declare -A prev_idle prev_total
+
+emit_grid() {
+  local rows=() row_items=()
+  while IFS= read -r line; do
+    [[ $line =~ ^cpu([0-9]+) ]] || continue
+    local core="${BASH_REMATCH[1]}"
+    read -ra f <<< "$line"
+    local idle=$(( f[4] + f[5] ))
+    local total=0
+    for x in "${f[@]:1}"; do (( total += x )); done
+
+    local usage="0.0"
+    if [[ -n "${prev_total[$core]+x}" ]]; then
+      local dt=$(( total - prev_total[$core] ))
+      local di=$(( idle  - prev_idle[$core]  ))
+      (( dt > 0 )) && usage=$(awk "BEGIN{printf \"%.1f\", 100*(1-$di/$dt)}")
+    fi
+    prev_idle[$core]=$idle
+    prev_total[$core]=$total
+
+    local freq=0
+    local fpath="/sys/devices/system/cpu/cpu${core}/cpufreq/scaling_cur_freq"
+    [[ -r $fpath ]] && freq=$(( $(< "$fpath") / 1000 ))
+
+    row_items+=("{\"core\":$core,\"usage\":$usage,\"freq\":$freq}")
+
+    if (( ${#row_items[@]} == COLS )); then
+      local row; printf -v row '%s,' "${row_items[@]}"; row="${row%,}"
+      rows+=("[$row]")
+      row_items=()
+    fi
+  done < /proc/stat
+
+  if (( ${#row_items[@]} > 0 )); then
+    local row; printf -v row '%s,' "${row_items[@]}"; row="${row%,}"
+    rows+=("[$row]")
+  fi
+
+  local out; printf -v out '%s,' "${rows[@]}"; out="${out%,}"
+  echo "[$out]"
+}
+
+while true; do
+  emit_grid
+  sleep 2
+done

modules/home/wayland/apps/eww/bar/scripts/sys/cputemp

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+dir=$(grep -rl k10temp /sys/class/hwmon/*/name 2>/dev/null | head -1 | xargs dirname)
+awk '{printf "%.0f\n", $1/1000}' "$dir/temp1_input"

modules/home/wayland/apps/eww/bar/scripts/sys/gpu

@@ -1,3 +1,22 @@
-#!/usr/bin/env zsh
-
-amdgpu_top -J -s 5000 | sed 's/ //g' 
+#!/usr/bin/env bash
+amdgpu_top -J -s 5000 | jq -c --unbuffered '.devices[0] | {
+  gfx_pct:   (.gpu_activity.GFX.value // 0),
+  mem_pct:   (.gpu_activity.Memory.value // 0),
+  media_pct: (.gpu_activity.MediaEngine.value // 0),
+  sclk:      (.Sensors.GFX_SCLK.value // 0),
+  mclk:      (.Sensors.GFX_MCLK.value // 0),
+  sclk_pct:  (if (.Info["GPU Clock"].max != .Info["GPU Clock"].min) then
+                100 * ((.Sensors.GFX_SCLK.value // 0) - .Info["GPU Clock"].min) / (.Info["GPU Clock"].max - .Info["GPU Clock"].min)
+              else 0 end),
+  mclk_pct:  (if (.Info["Memory Clock"].max != .Info["Memory Clock"].min) then
+                100 * ((.Sensors.GFX_MCLK.value // 0) - .Info["Memory Clock"].min) / (.Info["Memory Clock"].max - .Info["Memory Clock"].min)
+              else 0 end),
+  vclk:      (.gpu_metrics.average_vclk_frequency // 0),
+  vclk_pct:  (if (.Info["GPU Clock"].max > 0) then
+                100 * (.gpu_metrics.average_vclk_frequency // 0) / .Info["GPU Clock"].max
+              else 0 end),
+  temp:       (.Sensors["Edge Temperature"].value // 0),
+  power:      (.Sensors["Average Power"].value // 0),
+  vram_used:  (.VRAM["Total VRAM Usage"].value // 0),
+  vram_total: (.VRAM["Total VRAM"].value // 1)
+}'

modules/home/wayland/apps/eww/bar/scripts/sys/memory

@@ -8,5 +8,6 @@ human() {
 
 free --si -s 3 | rg --line-buffered Mem | while read -r line; do
   used=$(echo "$line" | awk '{print $3}')
-  echo '{"human": { "total": "'$(human "$total")'", "used": "'$(human "$used")'"}, "total": "'$total'" , "used": "'$used'"}'
+  cached=$(echo "$line" | awk '{print $6}')
+  echo '{"human": {"total": "'$(human "$total")'", "used": "'$(human "$used")'", "cached": "'$(human "$cached")'"}, "total": "'$total'", "used": "'$used'", "cached": "'$cached'"}'
 done

modules/home/wayland/apps/eww/bar/scripts/sys/swap

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+free --si | awk '/Swap/ {
+  used=$3; total=$2
+  u = sprintf("%.1fG", used/1000000)
+  t = sprintf("%.1fG", total/1000000)
+  printf "{\"used\":%d,\"total\":%d,\"human\":{\"used\":\"%s\",\"total\":\"%s\"}}\n", used, total, u, t
+}'

modules/home/wayland/apps/eww/bar/windows/calendar.yuck

@@ -1,5 +1,5 @@
 (defwindow calendar
-  :monitor 1
+  :monitor 0
   :geometry (geometry
     :x "0%"
     :y "0%"

modules/home/wayland/apps/eww/bar/windows/net.yuck

@@ -0,0 +1,82 @@
+
+(defpoll netinfo
+  :interval "5s"
+  :initial '{"wifi":{"ssid":"","ip":"","freq":0,"band":"","gen":"","signal":0},"ethernet":{"state":"down","ip":"","speed":"","interface":""}}'
+  "scripts/net/netinfo")
+
+(deflisten bt-devices
+  :initial "[]"
+  "scripts/net/bt-devices")
+
+; --- Shared row widget ---
+
+(defwidget netinfo-row [label value]
+  (box :orientation "h" :space-evenly false :class "netinfo-row"
+    (label :class "netinfo-label" :halign "start" :text label)
+    (label :class "netinfo-value" :halign "end" :hexpand true :text value)))
+
+; --- WiFi ---
+
+(defwidget wifi-net-section []
+  (box :orientation "v" :space-evenly false :class "sys-section"
+    (section-header :title "WiFi" :accent "wifi-accent")
+    (box :orientation "v" :space-evenly false
+      :visible {net.wifi.connected}
+      (netinfo-row :label "SSID"   :value {netinfo.wifi.ssid})
+      (netinfo-row :label "IP"     :value {netinfo.wifi.ip})
+      (netinfo-row :label "Signal" :value "${net.wifi.icon}  ${netinfo.wifi.signal} dBm")
+      (netinfo-row :label "Freq"   :value "${netinfo.wifi.freq} MHz · ${netinfo.wifi.band} · ${netinfo.wifi.gen}"))
+    (label :class "netinfo-dim" :halign "start"
+      :visible {!net.wifi.connected}
+      :text "Not connected")))
+
+; --- Ethernet ---
+
+(defwidget ethernet-net-section []
+  (box :orientation "v" :space-evenly false :class "sys-section"
+    (section-header :title "Ethernet" :accent "eth-accent")
+    (box :orientation "v" :space-evenly false
+      :visible {net.ethernet.connected}
+      (netinfo-row :label "Interface" :value {netinfo.ethernet.interface})
+      (netinfo-row :label "IP"        :value {netinfo.ethernet.ip})
+      (netinfo-row :label "Speed"     :value {netinfo.ethernet.speed}))
+    (label :class "netinfo-dim" :halign "start"
+      :visible {!net.ethernet.connected}
+      :text "No carrier")))
+
+; --- Bluetooth ---
+
+(defwidget bt-device-row [device]
+  (box :orientation "h" :space-evenly false :class "bt-device-row" :valign "center"
+    (label :class "bt-device-name" :hexpand true :halign "start" :text {device.name})
+    (button
+      :class "bt-device-btn ${device.connected ? 'bt-btn-on' : 'bt-btn-off'}"
+      :onclick "scripts/net/bt-toggle ${device.mac}"
+      :tooltip {device.connected ? "Disconnect" : "Connect"}
+      (label :text {device.connected ? "󰂱" : "󰂯"}))))
+
+(defwidget bluetooth-net-section []
+  (box :orientation "v" :space-evenly false :class "sys-section"
+    (section-header :title "Bluetooth" :accent "blt-accent")
+    (box :orientation "v" :space-evenly false
+      (for device in {bt-devices}
+        (bt-device-row :device {device})))))
+
+; --- Root ---
+
+(defwidget net-win []
+  (box :class "sys-win" :space-evenly false :orientation "v"
+    (wifi-net-section)
+    (box :class "section-sep")
+    (ethernet-net-section)
+    (box :class "section-sep")
+    (bluetooth-net-section)))
+
+(defwindow net
+  :monitor 0
+  :stacking "overlay"
+  :geometry (geometry
+    :x "0%" :y "0%"
+    :anchor "bottom right"
+    :width "300px" :height "0px")
+  (window (net-win)))

modules/home/wayland/apps/eww/bar/windows/powermenu.yuck

@@ -25,7 +25,7 @@
                                 
         (powermenu_entry    :label "Sign out" 
                             :icon "󰗼" 
-                            :onclick "hyprctl dispatch exit 0")
+                            :onclick "hyprctl eval \"hl.dispatch(hl.dsp.exit())\"")
 
         (powermenu_entry    :label "Cancel" 
                             :icon "󰅖" 
@@ -34,7 +34,7 @@
 )
 
 (defwindow powermenu
-    :monitor 1
+    :monitor 0
     :stacking "overlay"
     :geometry (geometry 
                     :anchor "center"

modules/home/wayland/apps/eww/bar/windows/radio.yuck

@@ -2,7 +2,7 @@
 (defvar radio_rev false)
 
 (defwindow radio
-  :monitor 1
+  :monitor 0
   :geometry (geometry
     :x "0%"
     :y "0%"
@@ -100,7 +100,7 @@
     (box
       :orientation "v"
       (button
-        :onclick "(sleep 0.1 && ${EWW_CMD} open --toggle --no-daemonize radio)"
+        :onclick "(sleep 0.1 && eww-open-on-current-screen radio --toggle --no-daemonize)"
         (label 
           :show-truncated false
           :class "icon-text" 

modules/home/wayland/apps/eww/bar/windows/sys.yuck

@@ -1,140 +1,222 @@
 
+(defpoll swap :interval "5s" "scripts/sys/swap")
+
+(defpoll cpu-freq-min :interval "60s"
+  "awk '{print $1/1000}' /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq")
+(defpoll cpu-freq-max :interval "60s"
+  "awk '{print $1/1000}' /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq")
+(defpoll cpu-temp :interval "2s"
+  "scripts/sys/cputemp")
+(defpoll cpu-freq-avg :interval "2s"
+  "awk '{sum+=$1; count++} END {printf \"%.1f\", sum/count/1000000}' /sys/devices/system/cpu/cpu*/cpufreq/scaling_cur_freq")
+
+(deflisten cpu-grid :initial '[[{"core":0,"usage":0,"freq":0}]]'
+  "bash scripts/sys/cpugrid")
+
+; --- Shared ---
+
+(defwidget section-header [title accent]
+  (box :orientation "h" :space-evenly false :valign "center" :class "sys-section-header"
+    (box :class "section-accent ${accent}")
+    (label :class "sys-label" :text title)))
+
+; --- CPU ---
+
+(defwidget cpu-core-cell [core]
+  (overlay
+    (circular-progress
+      :width 60 :height 60
+      :value {core.usage}
+      :start-at 0
+      :clockwise true
+      :thickness 7
+      :class "cpu-usage-ring")
+    (circular-progress
+      :value {100 * (core.freq - cpu-freq-min) / (cpu-freq-max - cpu-freq-min)}
+      :start-at 0
+      :clockwise true
+      :thickness 4
+      :class "cpu-freq-ring")
+    (box :halign "center" :valign "center"
+      (label :class "cpu-core-label" :text "${core.core}"))
+  )
+)
+
 (defwidget cpu-sys-win []
-  (box
-    :orientation "v"
-    :space-evenly false
-    (box :class "sys-label" "CPU")
-    (box
-      :orientation "v"
-      (for core in {EWW_CPU.cores}
-        (box
-          :space-evenly false
-          :class "cpu-core ${core.core}"
-          (progress
-            :value {core.usage}
-            :orientation "h"
-            :flipped true
-            :class "cpu-core-usage"
-            :tooltip "${core.core} @ ${core.freq}Mhz"
-          )
-        )
-      )
-    )
+  (box :orientation "v" :space-evenly false :class "sys-section"
+    (section-header :title "CPU" :accent "cpu-accent")
+    (box :orientation "v" :space-evenly false :halign "center"
+      (for row in {cpu-grid}
+        (box :orientation "h" :space-evenly false
+          (for core in {row}
+            (cpu-core-cell :core {core})))))
+    (box :orientation "h" :space-evenly true :class "gpu-stats-row"
+      (box :orientation "v" :halign "center" :space-evenly false
+        (label :class "gpu-stat-value" :text "${cpu-temp}°C")
+        (label :class "gpu-stat-label" :text "temp"))
+      (box :orientation "v" :halign "center" :space-evenly false
+        (label :class "gpu-stat-value" :text "${cpu-freq-avg}GHz")
+        (label :class "gpu-stat-label" :text "avg clk"))
+      (box :orientation "v" :halign "center" :space-evenly false
+        (label :class "gpu-stat-value" :text "${round(EWW_CPU.avg, 0)}%")
+        (label :class "gpu-stat-label" :text "usage")))
   )
 )
 
+; --- GPU ---
+
 (defwidget gpu-sys-win []
-  (box
-    :orientation "v"
-    :space-evenly false
-    (box :class "sys-label" "GPU")
-    (progress
-      :value {gpu.devices[0].GRBM2?.CommandProcessor-Compute?.value?:0.0}
-      :orientation "h"
-      :flipped true
-      :class "gpu-core-usage"
-      :tooltip "Compute"
-    )    
-    (progress
-      :value {gpu.devices[0].GRBM2?.CommandProcessor-Fetcher?.value?:0.0}
-      :orientation "h"
-      :flipped true
-      :class "gpu-core-usage"
-      :tooltip "Fetcher"
-    )
-    (progress
-      :value {gpu.devices[0].GRBM2?.CommandProcessor-Graphics?.value?:0.0}
-      :orientation "h"
-      :flipped true
-      :class "gpu-core-usage"
-      :tooltip "Graphics"
-    )
-    (box :class "spacer")
-    (progress
-      :value {gpu.devices[0]?.gpu_activity?.GFX?.value?:0.0}
-      :orientation "h"
-      :flipped true
-      :class "gpu-core-usage"
-      :tooltip "GFX"
-    )    
-    (progress
-      :value {gpu.devices[0]?.gpu_activity?.Memory?.value?:0.0}
-      :orientation "h"
-      :flipped true
-      :class "gpu-core-usage"
-      :tooltip "Memory"
-    )
-    (progress
-      :value {gpu.devices[0]?.gpu_activity?.MediaEngine?.value?:0.0}
-      :orientation "h"
-      :flipped true
-      :class "gpu-core-usage"
-      :tooltip "Media"
-    )
-    (box :class "spacer")
-    (progress
-      :value {100*(gpu.devices[0]?.VRAM?.TotalVRAMUsage?.value?:0.0)/(gpu.devices[0]?.VRAM?.TotalVRAM?.value?:1.0)}
-      :orientation "h"
-      :flipped true
-      :class "gpu-core-usage"
-      :tooltip "VRAM"
+  (box :orientation "v" :space-evenly false :class "sys-section"
+    (section-header :title "GPU" :accent "gpu-accent")
+    (box :orientation "h" :space-evenly true
+      ; GFX — outer: activity%, inner: clock% of range
+      (box :orientation "v" :space-evenly false :halign "center"
+        (overlay
+          (circular-progress :width 68 :height 68
+            :value {gpu.gfx_pct}
+            :start-at 0 :clockwise true :thickness 7
+            :class "gpu-ring"
+            :tooltip "GFX  ${round(gpu.gfx_pct, 1)}%\nClock  ${gpu.sclk} MHz (${round(gpu.sclk_pct, 0)}% of range)")
+          (circular-progress
+            :value {gpu.sclk_pct}
+            :start-at 0 :clockwise true :thickness 4
+            :class "gpu-freq-ring")
+          (box :halign "center" :valign "center"
+            (label :class "gpu-ring-value" :text "${round(gpu.gfx_pct, 0)}%")))
+        (label :class "gpu-ring-label" :text "GFX" :halign "center"))
+      ; Memory — outer: activity%, inner: memory clock% of range
+      (box :orientation "v" :space-evenly false :halign "center"
+        (overlay
+          (circular-progress :width 68 :height 68
+            :value {gpu.mem_pct}
+            :start-at 0 :clockwise true :thickness 7
+            :class "gpu-ring"
+            :tooltip "Memory  ${round(gpu.mem_pct, 1)}%\nClock  ${gpu.mclk} MHz (${round(gpu.mclk_pct, 0)}% of range)")
+          (circular-progress
+            :value {gpu.mclk_pct}
+            :start-at 0 :clockwise true :thickness 4
+            :class "gpu-freq-ring")
+          (box :halign "center" :valign "center"
+            (label :class "gpu-ring-value" :text "${round(gpu.mem_pct, 0)}%")))
+        (label :class "gpu-ring-label" :text "Mem" :halign "center"))
+      ; Media — outer: activity%, inner: video clock% of GPU clock max
+      (box :orientation "v" :space-evenly false :halign "center"
+        (overlay
+          (circular-progress :width 68 :height 68
+            :value {gpu.media_pct}
+            :start-at 0 :clockwise true :thickness 7
+            :class "gpu-ring"
+            :tooltip "Media Engine  ${round(gpu.media_pct, 1)}%\nVideo Clock  ${gpu.vclk} MHz")
+          (circular-progress
+            :value {gpu.vclk_pct}
+            :start-at 0 :clockwise true :thickness 4
+            :class "gpu-freq-ring")
+          (box :halign "center" :valign "center"
+            (label :class "gpu-ring-value" :text "${round(gpu.media_pct, 0)}%")))
+        (label :class "gpu-ring-label" :text "Med" :halign "center")))
+    (box :orientation "v" :space-evenly false :class "vram-row"
+      (progress
+        :value {100 * gpu.vram_used / gpu.vram_total}
+        :orientation "h" :flipped true :hexpand true
+        :class "vram-bar"
+        :tooltip "VRAM  ${round(100 * gpu.vram_used / gpu.vram_total, 1)}%")
+      (box :orientation "h" :space-evenly false
+        (label :class "vram-usage-label" :halign "start" :hexpand true :text "VRAM")
+        (label :class "vram-usage-label" :halign "end"
+          :text "${round(gpu.vram_used / 1024, 1)} / ${round(gpu.vram_total / 1024, 1)} GiB")))
+    (box :orientation "h" :space-evenly true :class "gpu-stats-row"
+      (box :orientation "v" :halign "center" :space-evenly false
+        (label :class "gpu-stat-value" :text "${gpu.temp}°C")
+        (label :class "gpu-stat-label" :text "temp"))
+      (box :orientation "v" :halign "center" :space-evenly false
+        (label :class "gpu-stat-value" :text "${gpu.power}W")
+        (label :class "gpu-stat-label" :text "power")))
+  )
+)
+
+; --- RAM ---
+
+(defwidget ram-sys-win []
+  (box :orientation "v" :space-evenly false :class "sys-section"
+    (section-header :title "RAM" :accent "ram-accent")
+    (box :orientation "h" :space-evenly false :halign "center" :spacing 16 :valign "center"
+      (overlay
+        (circular-progress
+          :width 88 :height 88
+          :value {100*memory.used/memory.total}
+          :start-at 0
+          :clockwise true
+          :thickness 9
+          :class "ram-ring"
+          :tooltip "RAM\nUsed   ${memory.human.used} / ${memory.human.total}\nCached ${memory.human.cached}")
+        (circular-progress
+          :value {100*memory.cached/memory.total}
+          :start-at {100*memory.used/memory.total}
+          :clockwise true
+          :thickness 9
+          :class "ram-cached-ring")
+        (box :orientation "v" :valign "center" :halign "center" :space-evenly false
+          (label :class "ram-used-label" :text "${memory.human.used}")
+          (label :class "ram-total-label" :text "${memory.human.total}")))
+      (box :orientation "v" :space-evenly false :halign "center" :valign "center"
+        (overlay
+          (circular-progress
+            :width 60 :height 60
+            :value {100*swap.used/swap.total}
+            :start-at 0 :clockwise true :thickness 7
+            :class "swap-ring"
+            :tooltip "Swap\n${swap.human.used} / ${swap.human.total}")
+          (box :orientation "v" :valign "center" :halign "center" :space-evenly false
+            (label :class "ram-used-label" :text "${swap.human.used}")
+            (label :class "ram-total-label" :text "${swap.human.total}"))))
     )
   )
 )
 
-(defwidget ram-sys-win []
-  (box
-    :orientation "v"
-    :space-evenly false
-    (box :class "sys-label" "RAM")
-    (progress
-      :value {100*memory.used/memory.total}
-      :orientation "h"
-      :flipped true
-      :class "memory-usage"
-      :tooltip "RAM"
-    )
+; --- Battery ---
+
+(defwidget bat-sys-win [] 
+  (box :orientation "v" :space-evenly false :class "sys-section" :visible {battery.visible}
+    (section-header :title "Battery" :accent "bat-accent")
+    (overlay
+      (circular-progress
+        :width 60 :height 60
+        :value {battery.percentage}
+        :start-at 0
+        :clockwise true
+        :thickness 6
+        :class "bat-ring"
+        :style "color: ${battery.color};"
+        :tooltip "Battery  ${round(battery.percentage, 0)}%\n${battery.status} @ ${battery.wattage}")
+      (label :class "bat-ring-label"
+        :text "${round(battery.percentage, 0)}%"))
   )
 )
 
+; --- Root ---
+
 (defwidget sys-win []
   (box
     :class "sys-win"
     :space-evenly false
-    :orientation "h"
-    (box
-      :space-evenly false
-      :orientation "v"
-      (cpu-sys-win)
-      (box :class "spacer")
-      (box :class "spacer")
-      (gpu-sys-win)
-      (box :class "spacer")
-      (box :class "spacer")
-      (ram-sys-win)
-    )
-    (box
-      :visible {battery.visible}
-      :height 200
-      (graph
-        :height 200
-        :value {battery.percentage}
-        :time-range "30min"
-        :min "0.0"
-        :max "100.0"
-        :dynamic true
-      )
-    )
+    :orientation "v"
+    (cpu-sys-win)
+    (box :class "section-sep")
+    (gpu-sys-win)
+    (box :class "section-sep")
+    (ram-sys-win)
+    (box :class "section-sep" :visible {battery.visible})
+    (bat-sys-win)
   )
 )
 
 (defwindow sys
-  :monitor 1
+  :monitor 0
   :stacking "overlay"
   :geometry (geometry
     :x "0%"
     :y "0%"
-  	:anchor "bottom right"
-    :width "0px"
+    :anchor "bottom right"
+    :width "320px"
     :height "0px")
   (window (sys-win)))

modules/home/wayland/apps/eww/default.nix

@@ -1,7 +1,21 @@
-{ lib, config, pkgs, ... }: {
+{ lib, config, pkgs, ... }:
+let
+  openOnCurrentScreen = pkgs.writeShellScriptBin "eww-open-on-current-screen" ''
+    window="$1"
+    shift
+
+    screen="$(hyprctl monitors -j | ${lib.getExe pkgs.jq} -r '.[] | select(.focused == true) | .name' | head -n1)"
+
+    if [ -n "$screen" ]; then
+      exec ${lib.getExe pkgs.eww} open "$window" --screen "$screen" "$@"
+    fi
+
+    exec ${lib.getExe pkgs.eww} open "$window" "$@"
+  '';
+in {
 
   config = lib.mkIf (config.usercfg.wm == "Wayland") {
-    home.packages = with pkgs; [ eww jq jaq custom.amdgpu_top ];
+    home.packages = with pkgs; [ eww jq jaq custom.amdgpu_top openOnCurrentScreen ];
 
     xdg.configFile."eww" = {
       source = lib.cleanSourceWith {

modules/home/wayland/apps/waybar/default.nix

@@ -146,8 +146,8 @@ in {
             "9" = [ ];
             "10" = [ ];
           };
-          "on-scroll-up" = "hyprctl dispatch workspace r-1";
-          "on-scroll-down" = "hyprctl dispatch workspace r+1";
+          "on-scroll-up" = "hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '-1' }))\"";
+          "on-scroll-down" = "hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '+1' }))\"";
         };
 
         "backlight" = {
@@ -232,7 +232,7 @@ in {
         "custom/powermenu" = {
           "format" = "{icon}";
           "format-icons" = [ "󰐥" ];
-          "on-click" = "eww open powermenu";
+          "on-click" = "eww-open-on-current-screen powermenu";
           "tooltip" = false;
         };
         "tray" = {

modules/home/wayland/base/default.nix

@@ -34,7 +34,7 @@ in {
       glib
 
       brightnessctl
-      swww
+      awww
     ];
 
     xdg.mimeApps = {

modules/home/wayland/hyprland/config.nix

@@ -1,233 +1,331 @@
-{ lib, config, pkgs, ... }: {
-  config = lib.mkIf (config.usercfg.wm == "Wayland") {
+{ lib, config, pkgs, ... }: let
+  lua = lib.generators.mkLuaInline;
 
+  bind = keys: dispatcher: { _args = [ keys dispatcher ]; };
+  bindOpts = keys: dispatcher: opts: { _args = [ keys dispatcher opts ]; };
+
+  dsp = {
+    exec = cmd: lua ''hl.dsp.exec_cmd("${cmd}")'';
+    close = lua "hl.dsp.window.close()";
+    exit = lua "hl.dsp.exit()";
+    float = lua ''hl.dsp.window.float({ action = "toggle" })'';
+    fullscreen = lua "hl.dsp.window.fullscreen()";
+    pseudo = lua "hl.dsp.window.pseudo()";
+    layout = msg: lua ''hl.dsp.layout("${msg}")'';
+    focus = dir: lua ''hl.dsp.focus({ direction = "${dir}" })'';
+    swap = dir: lua ''hl.dsp.window.swap({ direction = "${dir}" })'';
+    toggleSpecial = name: lua ''hl.dsp.workspace.toggle_special("${name}")'';
+    moveToSpecial = name: lua ''hl.dsp.window.move({ workspace = "special:${name}" })'';
+    focusWorkspace = ws: lua ''hl.dsp.focus({ workspace = "${toString ws}" })'';
+    moveToWorkspace = ws: lua ''hl.dsp.window.move({ workspace = "${toString ws}", follow = false})'';
+    drag = lua "hl.dsp.window.drag()";
+    resize = lua "hl.dsp.window.resize()";
+  };
+  
+
+  startupScript = pkgs.writeShellScriptBin "hyprland-start" ''
+    awww-daemon &
+
+    sleep 2
+    keepassxc &
+    firefox &
+    jellyfin-mpv-shim &
+    easyeffects --gapplication-service &
+
+    sleep 2
+    nextcloud &
+    # telegram-desktop &
+    # discord &
+  '';
+in {
+  config = lib.mkIf (config.usercfg.wm == "Wayland") {
     wayland.windowManager.hyprland = {
       enable = true;
       xwayland.enable = true;
-      extraConfig = ''
-        monitor=,preferred,auto,auto
-        env=bitdepth,10
-        input {
-            kb_layout = us, ru
-            kb_variant = intl, phonetic
-            kb_options = grp:ctrls_toggle
+      configType = "lua";
+      settings = {
+        on = {
+          _args = [
+            "hyprland.start"
+            (lua ''
+              function()
+                hl.exec_cmd("dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP")
+                hl.exec_cmd("${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1")
+                hl.exec_cmd("wl-paste --type text --watch cliphist store")
+                hl.exec_cmd("wl-paste --type image --watch cliphist store")
+                hl.exec_cmd("swayidle -w timeout 600 'swaylock' before-sleep 'swaylock'")
+                hl.exec_cmd("${lib.getExe startupScript}")
+                hl.exec_cmd("[workspace special:magic silent] kitty --title flying_kitty")
+              end'')
+          ];
+        };
 
-            follow_mouse = 1
+        monitor = [{
+          output = "";
+          mode = "preferred";
+          position = "auto";
+          scale = "auto";
+          bitdepth = 10;
+        }];
+        #Fullscreen HDR is possible without the hdr cm setting if "render:cm_auto_hdr" is enabled.
 
-            sensitivity = 0
+        config = {
+          input = {
+            kb_layout = "us";
+            kb_variant = "intl";#, phonetic";
+            kb_options = "grp:alt_shift_toggle";
+            follow_mouse = 1;
+            sensitivity = 0;
 
-            touchpad {
-                natural_scroll=no
-                disable_while_typing=true
-                scroll_factor=1
-                disable_while_typing=0
-                tap-to-click=0
+            touchpad = {
+              natural_scroll = false;
+              scroll_factor = 1;
+              disable_while_typing = false;
+              tap_to_click = false;
+            };
+          };
+
+          misc = {
+            force_default_wallpaper = -1;
+            disable_hyprland_logo = true;
+            animate_mouse_windowdragging = false;
+            animate_manual_resizes = false;
+            vrr = 1;
+          };
+          general = {
+            gaps_in = config.colorScheme.palette.gaps-window;
+            gaps_out = config.colorScheme.palette.gaps-screen;
+            border_size = lib.toInt config.colorScheme.palette.border-width;
+            col = {
+              active_border = "rgb(${config.colorScheme.palette.base04})";
+              inactive_border = "rgb(${config.colorScheme.palette.base03})";
+            };
+            layout = "dwindle";
+          };
+
+          decoration = {
+            rounding = lib.toInt config.colorScheme.palette.border-radius;
+            inactive_opacity = 1.0;
+            active_opacity = 1.0;
+            fullscreen_opacity = 1.0;
+
+            blur = {
+              enabled = true;
+              size = 2;
+              passes = 1;
+              new_optimizations = true;
+            };
+          };
+
+          dwindle = {
+            #pseudotile = true;
+            preserve_split = true;
+          };
+          animations = {
+            enabled = true;
+          };
+
+          master = {
+            new_status = "master";
+          };
+        };
+
+        curve = [{
+          _args = [
+            "customcurve"
+            {
+              type = "bezier";
+              points = lua "{ {0.0, 0.9}, {0.1, 1.0} }";
             }
-        }
+          ];
+        }];
 
-        misc {
-            disable_hyprland_logo=true
-            animate_mouse_windowdragging=false
-            animate_manual_resizes=false
+        animation = [
+          { leaf = "windows"; enabled = true; speed = 4; bezier = "customcurve"; }
+          { leaf = "windowsOut"; enabled = true; speed = 4; bezier = "customcurve"; style = "popin 80%"; }
+          { leaf = "border"; enabled = true; speed = 10; bezier = "customcurve"; }
+          { leaf = "borderangle"; enabled = true; speed = 1; bezier = "customcurve"; }
+          { leaf = "fade"; enabled = true; speed = 4; bezier = "customcurve"; }
+          { leaf = "workspaces"; enabled = true; speed = 4; bezier = "customcurve"; }
+        ];
 
-            vrr=1
-        }
 
-        general {
-            gaps_in = ${config.colorScheme.palette.gaps-window}
-            gaps_out = ${config.colorScheme.palette.gaps-screen}
-            border_size = ${config.colorScheme.palette.border-width}
+        gesture = {
+          fingers = 3;
+          direction = "vertical";
+          action = "workspace";
+        };
 
-            col.active_border = rgb(${config.colorScheme.palette.base04})
-            col.inactive_border = rgb(${config.colorScheme.palette.base03})
-                          
-            layout = dwindle
-        }
-                        
-        decoration {
-            rounding = ${config.colorScheme.palette.border-radius}
-                          
-            blur {
-                enabled = true
-                size = 2
-                passes = 1
-                new_optimizations = true
+        window_rule = [
+          { match.title = "noshadow"; float= false;}
+          {
+            match.title = "^(flying_kitty)$";
+            float = true;
+            center = true;
+            size = "1100 600";
+            move = "{0 600}";
+            animation = "slide";
+          }
+          { match.title = "^(Volume Control)$"; float = true; }
+          { match.title = "^(Picture-in-Picture)$"; float = true; }
+          { match.title = "^(Steam)$"; float = true; }
+          # --- Chat & Workspace Assignments ---
+            { match.class = "^(org.telegram.desktop)$"; workspace = "2 silent"; }
+            { match.class = "^(discord)$"; workspace = "2 silent"; }
+            { match.class = "^(org.keepassxc.KeePassXC)$"; workspace = "8 silent"; }
+            { match.title = "^(Nextcloud)$"; workspace = "8 silent"; }
+            { match.class = "^(org.telegram.desktop)$"; match.title = "^(Media viewer)$"; float = true; center = true; }
+            { 
+              match.class = "^(Tk)$"; 
+              match.title = "^(Server Configuration)$"; 
+              workspace = "8 silent"; 
             }
-            #multisample_edges = true
+              # --- KeePassXC Dialogs ---
+            {
+              match.class = "^(org.keepassxc.KeePassXC)$";
+              match.title = "^(KeePassXC -  Access Request)$";
+              float = true;
+              pin = true;
+            }
+            {
+              match.class = "^(org.keepassxc.KeePassXC)$";
+              match.title = "^(Unlock Database - KeePassXC)$";
+              float = true;
+              pin = true;
+            }
+            # --- Generic System / File Dialogs ---
+            { match.title = "^(Open)$"; float = true; }
+            { match.title = "^(Choose Files)$"; float = true; }
+            { match.title = "^(Save As)$"; float = true; }
+            { match.title = "^(Confirm to replace files)$"; float = true; }
+            { match.title = "^(File Operation Progress)$"; float = true; }
 
-            #opactity
-            inactive_opacity = 1.0
-            active_opacity = 1.0
-            fullscreen_opacity = 1.0
+            # --- Firefox Window Rules ---
+            {
+              match.class = "^(firefox)$";
+              match.title = "^(Picture-in-Picture)$";
+              float = true;
+              pin = true;
+              suppress_event = "fullscreen";
+            }
+            {
+              match.class = "^(firefox)$";
+              match.title = "^(Firefox — Sharing Indicator)$";
+              float = true;
+              suppress_event = "fullscreen";
+            }
+            {
+              match.class = "^(firefox)$";
+              match.title = "^(Extension:.* Mozilla Firefox)$";
+              float = true;
+              suppress_event = "fullscreen";
+            }
 
-            # shadow
-            # drop_shadow = no
-            # shadow_range = 60
-            # shadow_offset = 0 5
-            # shadow_render_power = 4
-            #col.shadow = rgba(00000099)
-        }
+            # --- Telegram Media Viewer ---
+            {
+              match.class = "^(org.telegram.desktop)$";
+              match.title = "^(Media viewer)$";
+              float = true;
+              center = true;
+            }
 
-        animations {
-            enabled = true
-            bezier = customcurve, 0.0, 0.9, 0.1, 1.0
+            # --- Idle Inhibition ---
+            { match.class = "^(.*)$"; idle_inhibit = "fullscreen"; }
+            { match.class = "^(steam_app_.*)$"; idle_inhibit = "focus"; }
+            { match.class = "^(mpv)$"; idle_inhibit = "focus"; }
 
-            animation = windows, 1, 4, customcurve
-            animation = windowsOut, 1, 4, customcurve, popin 50%
-            animation = border, 1, 10, customcurve
-            animation = borderangle, 0, 1, customcurve
-            animation = fade, 1, 4, customcurve
-            animation = workspaces, 1, 4, customcurve
-        }
+        ];
 
-        dwindle {
-            pseudotile = yes
-            preserve_split = yes 
-        }
+        # windowrule = [ "noshadow, floating:0" ];
 
-        master {
-            new_status = master
-        }
+        # windowrulev2 = [
+        #   "workspace 2 silent, class:^(org.telegram.desktop)$"
+        #   "workspace 2 silent, class:^(discord)$"
+        #   "workspace 8 silent, class:^(org.keepassxc.KeePassXC)$"
+        #   "workspace 8 silent, title:^(Nextcloud)$"
+        #   "workspace 8 silent, class:^(Tk)$,title:^(Server Configuration)$"
+        #   "float,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC -  Access Request)$"
+        #   "pin,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC -  Access Request)$"
+        #   "float,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$"
+        #   "pin,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$"
+        #   "float,title:^(Open)$"
+        #   "float,title:^(Choose Files)$"
+        #   "float,title:^(Save As)$"
+        #   "float,title:^(Confirm to replace files)$"
+        #   "float,title:^(File Operation Progress)$"
+        #   "float,class:^(firefox)$,title:^(Picture-in-Picture)$"
+        #   "pin,class:^(firefox)$,title:^(Picture-in-Picture)$"
+        #   "suppressevent fullscreen,class:^(firefox)$,title:^(Picture-in-Picture)$"
+        #   "float,class:^(firefox)$,title:^(Firefox — Sharing Indicator)$"
+        #   "suppressevent fullscreen,class:^(firefox)$,title:^(Firefox — Sharing Indicator)$"
+        #   "float,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$"
+        #   "suppressevent fullscreen,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$"
+        #   "float,class:^(org.telegram.desktop)$,title:^(Media viewer)$"
+        #   "center,class:^(org.telegram.desktop)$,title:^(Media viewer)$"
+        #   "idleinhibit fullscreen, class:^(.*)"
+        #   "idleinhibit focus, class:^(steam_app_.*)$"
+        #   "idleinhibit focus, class:^(mpv)$"
+        # ];
 
-        gestures {
-            workspace_swipe = off
-        }
+        layer_rule = [ {
+          match.namespace = "^eww%-blur$";
+          blur = true;
+          ignore_alpha = 0.5;
+        }];
 
-        exec-once = eww open bar
-        #exec-once = waybar
-        exec-once = dunst
+        bind = [
+          (bind "SUPER + RETURN" (dsp.exec "kitty"))
+          (bind "SUPER + SHIFT + RETURN" (dsp.toggleSpecial "magic"))
+          (bind "SUPER + SHIFT + S" (dsp.moveToSpecial "magic"))
+          (bind "SUPER + Q" dsp.close)
+          (bind "SUPER + T" dsp.float)
+          (bind "SUPER + F" dsp.fullscreen)
+          (bind "SUPER + P" dsp.pseudo)
+          (bind "SUPER + J" (dsp.layout "togglesplit"))
+          (bind "SUPER + D" (dsp.exec "wofi -modi --show drun"))
+          (bind "SUPER + SHIFT + D" (dsp.exec "~/.config/hypr/themes/apatheia/eww/launch_bar"))
+          (bind "SUPER + V" (dsp.exec "cliphist list | wofi -dmenu | cliphist decode | wl-copy"))
+          (bind "PRINT" (dsp.exec "hyprshot -m region --raw | satty --filename - --early-exit --action-on-enter save-to-clipboard --copy-command 'wl-copy'"))
+          (bind "SUPER + L" (dsp.exec "swaylock"))
+          (bind "SUPER + left" (dsp.focus "left"))
+          (bind "SUPER + right" (dsp.focus "right"))
+          (bind "SUPER + up" (dsp.focus "up"))
+          (bind "SUPER + down" (dsp.focus "down"))
+          (bind "SUPER + mouse_down" (dsp.focusWorkspace "e+1"))
+          (bind "SUPER + mouse_up" (dsp.focusWorkspace "e-1"))
 
-        exec-once = swww init
-
-        exec-once = dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP
-        exec-once = /nix/store/$(ls -la /nix/store | grep 'polkit-gnome' | grep '4096' | awk '{print $9}' | sed -n '$p')/libexec/polkit-gnome-authentication-agent-1 & 
-
-        exec-once = wl-paste --type text --watch cliphist store #Stores only text data
-        exec-once = wl-paste --type image --watch cliphist store #Stores only image data
-
-        exec-once = swayidle -w timeout 600 'swaylock' before-sleep 'swaylock'
-
-
-        #windowrules
-        windowrule = noshadow, floating:0
-
-        windowrule = float, title:^(flying_kitty)$
-        windowrule = size 1100 600, title:^(flying_kitty)$
-        windowrule = move center, title:^(flying_kitty)$
-        windowrule = animation slide, title:^(flying_kitty)$
-        windowrule = float, title:^(Volume Control)$
-        windowrule = float, title:^(Picture-in-Picture)$
-        windowrule = float, title:^(Steam)$
-
-        windowrulev2 = workspace 2 silent, class:^(org.telegram.desktop)$
-        windowrulev2 = workspace 2 silent, class:^(discord)$
-
-        windowrulev2 = workspace 8 silent, class:^(org.keepassxc.KeePassXC)$
-        windowrulev2 = workspace 8 silent, title:^(Nextcloud)$
-        windowrulev2 = workspace 8 silent, class:^(Tk)$,title:^(Server Configuration)$
-
-        #SPECIAL FLOATERS
-        windowrulev2 = float,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC -  Access Request)$
-        windowrulev2 = pin,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC -  Access Request)$
-        windowrulev2 = float,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$
-        windowrulev2 = pin,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$
-        windowrulev2 = float,title:^(Open)$
-        windowrulev2 = float,title:^(Choose Files)$
-        windowrulev2 = float,title:^(Save As)$
-        windowrulev2 = float,title:^(Confirm to replace files)$
-        windowrulev2 = float,title:^(File Operation Progress)$
-        windowrulev2 = float,class:^(firefox)$,title:^(Picture-in-Picture)$
-        windowrulev2 = pin,class:^(firefox)$,title:^(Picture-in-Picture)$
-        windowrulev2 = suppressevent fullscreen,class:^(firefox)$,title:^(Picture-in-Picture)$
-        windowrulev2 = float,class:^(firefox)$,title:^(Firefox — Sharing Indicator)$
-        windowrulev2 = suppressevent fullscreen,class:^(firefox)$,title:^(Firefox — Sharing Indicator)$
-        windowrulev2 = float,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$
-        windowrulev2 = suppressevent fullscreen,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$
-        windowrulev2 = float,class:^(org.telegram.desktop)$,title:^(Media viewer)$
-        windowrulev2 = center,class:^(org.telegram.desktop)$,title:^(Media viewer)$
-
-        #SPECIAL NO SLEEP
-        windowrulev2 = idleinhibit fullscreen, class:^(.*)
-        windowrulev2 = idleinhibit focus, class:^(steam_app_.*)$
-        windowrulev2 = idleinhibit focus, class:^(mpv)$
-
-        layerrule = blur,^(eww-blur)
-
-        #binds
-        bind = SUPER, RETURN, exec, kitty
-
-        bind = SUPER_SHIFT, RETURN,togglespecialworkspace,
-        # bind = SUPER_SHIFT, RETURN, exec, kitty --title flying_kitty --single-instance
-        bind = SUPER, Q, killactive, 
-        bind = SUPER, T, togglefloating, 
-        bind = SUPER, F, fullscreen, 
-
-        bind = SUPER, D, exec, wofi -modi --show drun
-        bind = SUPER SHIFT,D,exec, ~/.config/hypr/themes/apatheia/eww/launch_bar 
-
-        bind = SUPER, V, exec, cliphist list | wofi -dmenu | cliphist decode | wl-copy
-        bind = , PRINT, exec, hyprshot -m region --raw | satty --filename - --early-exit --action-on-enter save-to-clipboard --copy-command 'wl-copy'
-
-        bind = SUPER, L, exec, swaylock 
-
-        bind = SUPER, left, movefocus, l
-        bind = SUPER, right, movefocus, r
-        bind = SUPER, up, movefocus, u
-        bind = SUPER, down, movefocus, d
-
-        bind = SUPER, 1, workspace, 1
-        bind = SUPER, 2, workspace, 2
-        bind = SUPER, 3, workspace, 3
-        bind = SUPER, 4, workspace, 4
-        bind = SUPER, 5, workspace, 5
-        bind = SUPER, 6, workspace, 6
-        bind = SUPER, 7, workspace, 7
-        bind = SUPER, 8, workspace, 8
-        bind = SUPER, 9, workspace, 9
-        bind = SUPER, 0, workspace, 10
-
-        bind = SUPER SHIFT, 1, movetoworkspacesilent, 1
-        bind = SUPER SHIFT, 2, movetoworkspacesilent, 2
-        bind = SUPER SHIFT, 3, movetoworkspacesilent, 3
-        bind = SUPER SHIFT, 4, movetoworkspacesilent, 4
-        bind = SUPER SHIFT, 5, movetoworkspacesilent, 5
-        bind = SUPER SHIFT, 6, movetoworkspacesilent, 6
-        bind = SUPER SHIFT, 7, movetoworkspacesilent, 7
-        bind = SUPER SHIFT, 8, movetoworkspacesilent, 8
-        bind = SUPER SHIFT, 9, movetoworkspacesilent, 9
-        bind = SUPER SHIFT, 0, movetoworkspacesilent, 10
-
-        bind = SUPER, mouse_down, workspace, e+1
-        bind = SUPER, mouse_up, workspace, e-1
-
-        bindm = SUPER, mouse:272, movewindow
-        bindm = SUPER, mouse:273, resizewindow
-        bind = , XF86AudioPlay, exec, playerctl play-pause
-        bind = , XF86AudioPrev, exec, playerctl previous
-        bind = , XF86AudioNext, exec, playerctl next
-        bind = , XF86AudioRaiseVolume, exec, amixer -q sset 'Master' 5%+
-        bind = , XF86AudioLowerVolume, exec, amixer -q sset 'Master' 5%-
-        bind = , XF86AudioMute, exec, amixer -q sset 'Master' toggle
-        bind = , XF86MonBrightnessUp, exec, brightnessctl s 5%+
-        bind = , XF86MonBrightnessDown, exec, brightnessctl s 5%-
-
-        exec-once = [workspace special silent] kitty --title flying_kitty
-        exec-once = sh ~/.config/startup.sh
-      '';
+          (bind "SUPER + 1" (dsp.focusWorkspace 1))
+          (bind "SUPER + SHIFT + 1" (dsp.moveToWorkspace 1))
+          (bind "SUPER + 2" (dsp.focusWorkspace 2))
+          (bind "SUPER + SHIFT + 2" (dsp.moveToWorkspace 2))
+          (bind "SUPER + 3" (dsp.focusWorkspace 3))
+          (bind "SUPER + SHIFT + 3" (dsp.moveToWorkspace 3))
+          (bind "SUPER + 4" (dsp.focusWorkspace 4))
+          (bind "SUPER + SHIFT + 4" (dsp.moveToWorkspace 4))
+          (bind "SUPER + 5" (dsp.focusWorkspace 5))
+          (bind "SUPER + SHIFT + 5" (dsp.moveToWorkspace 5))
+          (bind "SUPER + 6" (dsp.focusWorkspace 6))
+          (bind "SUPER + SHIFT + 6" (dsp.moveToWorkspace 6))
+          (bind "SUPER + 7" (dsp.focusWorkspace 7))
+          (bind "SUPER + SHIFT + 7" (dsp.moveToWorkspace 7))
+          (bind "SUPER + 8" (dsp.focusWorkspace 8))
+          (bind "SUPER + SHIFT + 8" (dsp.moveToWorkspace 8))
+          (bind "SUPER + 9" (dsp.focusWorkspace 9))
+          (bind "SUPER + SHIFT + 9" (dsp.moveToWorkspace 9))
+          (bind "SUPER + 0" (dsp.focusWorkspace 0))
+          (bind "SUPER + SHIFT + 0" (dsp.moveToWorkspace 0))
+          (bind "XF86AudioPlay" (dsp.exec "playerctl play-pause"))
+          (bind "XF86AudioPrev" (dsp.exec "playerctl previous"))
+          (bind "XF86AudioNext" (dsp.exec "playerctl next"))
+          (bindOpts "XF86AudioRaiseVolume" (dsp.exec "amixer -q sset 'Master' 5%+") { locked = true; repeating = true; })
+          (bindOpts "XF86AudioLowerVolume" (dsp.exec "amixer -q sset 'Master' 5%-") { locked = true; repeating = true; })
+          (bindOpts "XF86AudioMute" (dsp.exec "amixer -q sset 'Master' toggle") { locked = true; })
+          (bindOpts "XF86MonBrightnessUp" (dsp.exec "brightnessctl s 5%+") { locked = true; repeating = true; })
+          (bindOpts "XF86MonBrightnessDown" (dsp.exec "brightnessctl s 5%-") { locked = true; repeating = true; })
+          (bindOpts "SUPER + mouse:272" dsp.drag { mouse = true; })
+          (bindOpts "SUPER + mouse:273" dsp.resize { mouse = true; })
+        ];
+      };
     };
-
-    xdg.configFile."startup.sh".text = ''
-      #!/bin/sh
-      sleep 2
-      keepassxc & 
-      firefox & 
-      jellyfin-mpv-shim & 
-      easyeffects --gapplication-service &
-
-      sleep 2
-      nextcloud & 
-      #telegram-desktop&
-      #discord&
-    '';
   };
 }

modules/home/xdg/default.nix

@@ -2,12 +2,13 @@
 
   home.packages = with pkgs; [ xdg-user-dirs ];
 
+  xdg.enable = true;
   xdg.userDirs.enable = true;
   xdg.userDirs.desktop = "${config.home.homeDirectory}/desktop";
   xdg.userDirs.documents = "${config.home.homeDirectory}/desktop";
   xdg.userDirs.download = "${config.home.homeDirectory}/downloads";
   xdg.userDirs.extraConfig = {
-    XDG_MISC_DIR = "${config.home.homeDirectory}/misc";
+    MISC = "${config.home.homeDirectory}/misc";
   };
   xdg.userDirs.music = "${config.home.homeDirectory}/media/music";
   xdg.userDirs.pictures = "${config.home.homeDirectory}/media/photo";
@@ -15,5 +16,5 @@
   xdg.userDirs.templates = "${config.home.homeDirectory}/media/template";
   xdg.userDirs.videos = "${config.home.homeDirectory}/media/video";
   xdg.userDirs.createDirectories = true;
-
+  xdg.userDirs.setSessionVariables = true;
 }

modules/nixos/gui/greet/default.nix

@@ -5,7 +5,7 @@
       enable = true;
       settings = rec {
         initial_session = {
-          command = "zsh";
+          command = "start-hyprland";
           user = "${config.syscfg.defaultUser}";
         };
         default_session = initial_session;

modules/nixos/gui/xserver/default.nix

@@ -3,7 +3,7 @@
     programs.xwayland.enable = true;
     services.xserver = {
       enable = true;
-      videoDrivers = [ "amd" ];
+      videoDrivers = [ "amdgpu" ];
       xkb = {
         layout = "us";
         variant = "intl";

modules/nixos/system/default.nix

@@ -1,3 +1,23 @@
-{ ... }: {
+{ config, lib, ... }: {
   imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ];
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=512M
+    SystemMaxFileSize=64M
+    MaxRetentionSec=1month
+    RateLimitIntervalSec=30s
+    RateLimitBurst=10000
+  '';
+
+  systemd.services.systemd-user-sessions = {
+    after = lib.mkForce ([
+      "system.slice"
+      "systemd-journald.socket"
+      "sysinit.target"
+      "remote-fs.target"
+      "nss-user-lookup.target"
+      "home.mount"
+      "basic.target"
+    ] ++ map (user: "home-manager-${user.username}.service") config.syscfg.users);
+  };
 }

modules/nixos/system/hw/base/default.nix

@@ -1,4 +1,4 @@
 { ... }: {
   services.fwupd.enable = true;
-  hardware.enableAllFirmware = true;
+  hardware.enableAllFirmware = false;
 }

modules/nixos/system/hw/boot/default.nix

@@ -2,14 +2,23 @@
 let isSANDBOX = builtins.elem config.syscfg.hostname [ "sandbox" ];
 in {
   config = lib.mkIf (!isSANDBOX) {
+    boot.kernelParams = [ 
+      "async_probe=tpm*"     # Load TPM in parallel without blocking udev
+      "8250.nr_uarts=0"      # Stop scanning for old motherboard serial lines (ttyS0-S3)
+    ];
+    boot.initrd = {
+      compressor = "zstd";
+      checkJournalingFS = false;
+    };
     boot.loader = {
+      timeout = 2;
       systemd-boot = {
         enable = true;
         configurationLimit = 8;
       };
       efi = {
         canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot/efi";
+        efiSysMountPoint = "/boot";
       };
     };
   };

modules/nixos/system/hw/default.nix

@@ -1 +1 @@
-{ ... }: { imports = [ ./base ./boot ./fs ./graphics ./power ./udev ./virt ]; }
+{ ... }: { imports = [ ./base ./boot ./fs ./graphics ./power ./udev ./virt ./wsl ]; }

modules/nixos/system/hw/power/default.nix

@@ -15,16 +15,15 @@
     # suspend to RAM (deep) rather than `s2idle`
     boot.kernelParams = [ "mem_sleep_default=deep" ];
     # suspend-then-hibernate
-    systemd.sleep.extraConfig = ''
-      HibernateDelaySec=30m
-      SuspendState=mem
-    '';
+    systemd.sleep.settings.Sleep = {
+      HibernateDelaySec = "30m";
+      SuspendState = "mem";
+    };
 
-    services.logind.lidSwitch = "suspend-then-hibernate";
+    services.logind.settings.Login.HandleLidSwitch = "suspend-then-hibernate";
     # Hibernate on power button pressed
-    services.logind.powerKey = "hibernate";
-    services.logind.powerKeyLongPress = "poweroff";
-
+    services.logind.settings.Login.HandlePowerKey = "hibernate";
+    services.logind.settings.Login.HandlePowerKeyLongPress = "poweroff";
 
     systemd.user.services.battery_monitor = {
       wants = [ "display-manager.service" ];

modules/nixos/system/hw/udev/default.nix

@@ -1,8 +1,8 @@
-{ ... }: {
+{ pkgs, ... }: {
   systemd.services.systemd-udevd.restartIfChanged = false;
 
   services.udev = {
-    packages = [ ];
+    packages = with pkgs; [ ];
     extraRules = ''
       SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0127", GROUP="plugdev", TAG+="uaccess"
       SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0118", GROUP="plugdev", TAG+="uaccess"

modules/nixos/system/hw/virt/default.nix

@@ -11,11 +11,13 @@
         dockerSocket.enable = true;
         dockerCompat = true;
         defaultNetwork.settings = {
-          dnsname.enable = true;
-          internal = true;
-          name = "internal";
+          #dnsname.enable = true;
+          dns_enabled = true;
+          #internal = true;
+          #name = "internal";
         };
       };
     };
+    virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
   };
 }

modules/nixos/system/hw/wsl/default.nix

@@ -0,0 +1,13 @@
+{ lib, config, pkgs, ... }: {
+    config = lib.mkIf (config.syscfg.extra.wsl) {
+    wsl.enable = true;
+    wsl.defaultUser = config.syscfg.defaultUser;
+    wsl.extraBin = with pkgs; [
+        { src = "${coreutils}/bin/uname"; }
+        { src = "${coreutils}/bin/dirname"; }
+        { src = "${coreutils}/bin/readlink"; }
+    ];
+    
+    wsl.wslConf.network.generateHosts = false;
+    };
+}

modules/nixos/system/network/base/default.nix

@@ -1,9 +1,34 @@
-{ config, ... }: {
+{ lib, config, ... }: {
   networking = {
     hostName = config.syscfg.hostname;
     useDHCP = true;
     nameservers = [ "1.1.1.1" "9.9.9.9" ];
+    dhcpcd = {
+      enable = true;
+      wait = "background";
+    };
 
-    firewall = { enable = true; };
+    extraHosts = ''
+      ${lib.concatStringsSep "\n" config.syscfg.extra.hosts}
+    '';
+
+    proxy = lib.mkIf (config.syscfg.extra.proxy.domain != "") {
+      default = "http://${config.syscfg.extra.proxy.domain}:${config.syscfg.extra.proxy.port or "8080"}";
+      noProxy = "${config.syscfg.extra.proxy.noProxy}";
+    };
+
+
+    firewall = { 
+      enable = true;
+      allowedUDPPorts = 
+        (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++ 
+        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
+        [ ];
+
+      allowedTCPPorts = 
+        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
+        (if (config.syscfg.server != false) then [ 5432 6379 8181 ] else [ ]) ++ 
+        [ ];
+    };
   };
 }

modules/nixos/system/network/wifi/default.nix

@@ -3,6 +3,7 @@
     networking.supplicant = {
       "${config.syscfg.net.wlp.nif}" = {
         configFile.path = config.sops.secrets.wifi.path;
+        userControlled.enable = true;
         extraConf = ''
           network={
               ssid="test"

modules/nixos/system/network/wireguard/default.nix

@@ -1,4 +1,12 @@
-{ config, lib, ... }: {
+{ config, lib, pkgs, ... }: let
+
+  isValidPeer = p: 
+    (p ? syscfg.net.wg.enable) && 
+    (p.syscfg.net.wg.enable == true) && 
+    (p.syscfg.net.wg.pubkey != config.syscfg.net.wg.pubkey);
+  activePeers = builtins.filter isValidPeer config.syscfg.peers;
+in
+{
   config = lib.mkIf (config.syscfg.net.wg.enable) {
     networking.wireguard = {
       enable = true;
@@ -9,14 +17,35 @@
             config.sops.secrets."${config.syscfg.hostname}_wg_priv".path;
           listenPort = 1515;
           mtu = 1340;
-          peers = [{
-            allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
-            endpoint = "vpn.helcel.net:1515";
-            publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
-            persistentKeepalive = 30;
-          }];
+          peers = 
+            if (config.syscfg.server ? wireguard && config.syscfg.server.wireguard) then
+              map (p: {
+                name = p.syscfg.hostname;
+                publicKey = p.syscfg.net.wg.pubkey;
+                allowedIPs = [ p.syscfg.net.wg.ip4 p.syscfg.net.wg.ip6 ];
+              }) activePeers
+            else
+              [{
+                allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
+                name = "vpn-helcel";
+                endpoint = "vpn.helcel.net:1515";
+                publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+                persistentKeepalive = 30;
+              }];
         };
       };
     };
+
+    systemd.services."wireguard-wg0-peer-vpn-helcel" = {
+      after = [ "network-online.target" "nss-lookup.target" ];
+      bindsTo = [ "network-online.target" ];
+      wantedBy = lib.mkForce [ "network-online.target" ];
+      before =  lib.mkForce [ ];
+      serviceConfig = {
+        Restart = "on-failure";
+        RestartSec = "10s";          # Wait 2 seconds before retrying the domain query
+      };
+      startLimitIntervalSec = 0;  
+    };
   };
 }

modules/nixos/system/nix/default.nix

@@ -37,5 +37,12 @@
       ];
     };
   };
+  programs.nix-ld = {
+    enable = true;
+    libraries = with pkgs; [
+      libx11 libxcb libxi libxext libxkbfile xcbutilcursor
+      libpng libdrm libpulseaudio nss nspr expat libbsd
+    ];
+  };
   system.stateVersion = "24.11";
 }

modules/nixos/tools/debug/default.nix

@@ -1,12 +1,9 @@
 { pkgs, config, lib, ... }: {
 
   config = lib.mkIf (config.syscfg.make.develop) {
-    programs.adb.enable = true;
-    services.udev.packages = [
-      pkgs.android-udev-rules
-    ];
+
     programs.wireshark.enable = true;
 
-    environment.systemPackages = with pkgs; [ wget dconf wireshark ];
+    environment.systemPackages = with pkgs; [ wget dconf wireshark mtr android-tools ];
   };
 }

modules/nixos/tools/default.nix

@@ -1,64 +1,4 @@
 { pkgs, ... }: {
-  imports = [ ./debug ./develop ];
+  imports = [ ./debug ./develop ./telegraf ];
 
-  # services.telegraf = {
-  #     enable = true;
-  #     extraConfig = {
-  #         agent = {
-  #             interval = "10s";
-  #             round_interval = true;
-  #             metric_batch_size = 1000;
-  #             metric_buffer_limit = 10000;
-  #             collection_jitter = "0s";
-  #             flush_interval = "10s";
-  #             flush_jitter = "0s";
-  #             precision = "";
-  #             hostname = "valinor";
-  #             omit_hostname = false;
-  #         };
-
-  #         inputs.cpu = {
-  #             percpu = true;
-  #             totalcpu = true;
-  #             collect_cpu_time = false;
-  #             report_active = false;
-  #         };
-
-  #         inputs.mem = {};
-  #         inputs.swap = {};
-  #         inputs.system = {};
-  #         inputs.disk = {
-  #             ignore_fs = ["tmpfs" "devtmpfs" "devfs"];
-  #         };
-
-  #         inputs.net = {};
-  #         inputs.netstat = {};
-
-  #         inputs.ping = {
-  #             urls = ["8.8.8.8" "8.8.4.4"];
-  #             count = 4;
-  #             interval = "60s";
-  #             binary = "${pkgs.iputils.out}/bin/ping";
-  #         };
-
-  #         inputs.internet_speed = {
-  #             interval = "2m";
-  #         };
-
-  #         inputs.net_response = {
-  #             protocol = "tcp";
-  #             address = "google.com:80";
-  #             timeout = "5s";
-  #             read_timeout = "5s";
-  #             interval = "30s";
-  #         };
-
-  #         outputs.influxdb_v2 = {
-  #             urls = [""];
-  #             token = "";
-  #             organization = "";
-  #             bucket = "";
-  #         };
-  #     };
-  # };
 }

modules/nixos/tools/develop/default.nix

@@ -6,7 +6,15 @@ let
     includeEmulator = false;
   };
 in {
+
+  imports = [ ./ollama ];
   config = lib.mkIf (config.syscfg.make.develop) {
+
+    services.vscode-server = lib.mkIf (config.syscfg.extra.wsl) {
+      enable = true;
+      enableFHS = true;
+    };
+
     environment.systemPackages = with pkgs;
       [
         # android-tools

modules/nixos/tools/develop/ollama/default.nix

@@ -0,0 +1,15 @@
+{ lib, config, pkgs, ... }: 
+let 
+ ollamaPkg = pkgs.ollama-vulkan;
+in{
+
+  config = lib.mkIf (config.syscfg.make.develop) {
+    services.ollama = {
+        enable = true;
+        package = ollamaPkg;
+        loadModels = [ ];
+        syncModels = true;
+    };
+    environment.systemPackages = with pkgs; [ ollamaPkg ];
+  };
+}

modules/nixos/tools/telegraf/default.nix

@@ -0,0 +1,365 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.syscfg.monitoring.telegraf;
+  hasCollector = name: builtins.elem name cfg.collectors;
+  dockerGroups =
+    lib.optionals (cfg.enable && hasCollector "docker" && config.virtualisation.podman.enable) [ "podman" ]
+    ++ lib.optionals (cfg.enable && hasCollector "docker" && config.virtualisation.docker.enable) [ "docker" ];
+  amdgpuMetricsScript = pkgs.writeShellScript "telegraf-amdgpu-metrics" ''
+    set -euo pipefail
+    ${lib.getExe pkgs.custom.amdgpu_top} -J -n 1 | ${lib.getExe pkgs.jq} -r '
+      def maybe_int($name; $value):
+        if $value == null then empty else "\($name)=\(($value | floor))i" end;
+      def maybe_float($name; $value):
+        if $value == null then empty else "\($name)=\($value)" end;
+      .devices
+      | to_entries[]
+      | [
+          maybe_int("utilization_gpu"; (.value.gpu_activity.GFX.value // .value.GRBM2["Command Processor -  Graphics"].value // 0)),
+          maybe_int("utilization_media"; .value.gpu_activity.MediaEngine.value),
+          maybe_int("utilization_memory"; .value.gpu_activity.Memory.value),
+          maybe_float("temperature_edge"; .value.Sensors["Edge Temperature"].value),
+          maybe_float("power_draw"; .value.gpu_metrics.average_socket_power.value)
+        ] as $fields
+      | map(select(length > 0)) as $nonempty
+      | select(($nonempty | length) > 0)
+      | "amdgpu,card=\(.key) " + ($nonempty | join(","))
+    '
+  '';
+  baseConfig = {
+    agent = {
+      interval = cfg.interval;
+      round_interval = true;
+      metric_batch_size = 1000;
+      metric_buffer_limit = 10000;
+      flush_interval = cfg.interval;
+      hostname = config.syscfg.hostname;
+      omit_hostname = false;
+    };
+    global_tags = {
+      host = config.syscfg.hostname;
+    };
+  };
+  inputsConfig = lib.mkMerge [
+    (lib.mkIf (hasCollector "cpu") {
+      inputs.cpu = {
+        percpu = true;
+        totalcpu = true;
+        collect_cpu_time = false;
+        report_active = false;
+        fielddrop = [
+          "usage_guest"
+          "usage_guest_nice"
+          "usage_irq"
+          "usage_nice"
+          "usage_softirq"
+          "usage_steal"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "mem") {
+      inputs.mem = {
+        fielddrop = [
+          "available_percent"
+          "commit_limit"
+          "committed_as"
+          "high_free"
+          "high_total"
+          "huge_page_size"
+          "huge_pages_free"
+          "huge_pages_total"
+          "low_free"
+          "low_total"
+          "mapped"
+          "page_tables"
+          "slab"
+          "sreclaimable"
+          "sunreclaim"
+          "swap_cached"
+          "swap_free"
+          "swap_total"
+          "vmalloc_chunk"
+          "vmalloc_total"
+          "vmalloc_used"
+          "write_back"
+          "write_back_tmp"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "swap") {
+      inputs.swap = {
+        fielddrop = [
+          "free"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "system") {
+      inputs.system = {
+        fielddrop = [
+          "n_physical_cpus"
+          "n_unique_users"
+          "uptime_format"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "disk") {
+      inputs.disk = {
+        ignore_fs = [ "tmpfs" "devtmpfs" "devfs" "overlay" "squashfs" ];
+        fielddrop = [
+          "free"
+          "inodes_free"
+          "inodes_total"
+          "inodes_used"
+          "inodes_used_percent"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "diskio") {
+      inputs.diskio = {
+        skip_serial_number = true;
+        fielddrop = [
+          "io_svctm"
+          "iops_in_progress"
+          "merged_reads"
+          "merged_writes"
+          "weighted_io_time"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "kernel") {
+      inputs.kernel = {
+        fielddrop = [
+          "boot_time"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "net") {
+      inputs.net = {
+        fielddrop = [
+          "bytes_recv"
+          "bytes_sent"
+          "speed"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "netstat") {
+      inputs.netstat = {
+        fielddrop = [
+          "tcp_close"
+          "tcp_close_wait"
+          "tcp_closing"
+          "tcp_fin_wait1"
+          "tcp_fin_wait2"
+          "tcp_last_ack"
+          "tcp_none"
+          "tcp_syn_recv"
+          "tcp_syn_sent"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "processes") {
+      inputs.processes = {
+        fielddrop = [
+          "dead"
+          "idle"
+          "paging"
+          "stopped"
+          "unknown"
+          "zombies"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "temp") {
+      inputs.temp = { };
+    })
+    (lib.mkIf (hasCollector "mdstat") {
+      inputs.mdstat = { };
+    })
+    (lib.mkIf (hasCollector "smart") {
+      inputs.smart = {
+        use_sudo = true;
+        attributes = true;
+      };
+    })
+    (lib.mkIf (hasCollector "docker") {
+      inputs.docker = [
+        {
+          endpoint = "unix:///var/run/docker.sock";
+          timeout = "5s";
+          perdevice_include = [ ];
+          total_include = [ ];
+          docker_label_exclude = [ "*" ];
+          tagexclude = [
+            "container_image"
+            "container_status"
+            "container_version"
+            "engine_host"
+            "server_version"
+          ];
+          namedrop = [
+            "docker_container_health"
+            "docker_container_mem"
+            "docker_container_status"
+          ];
+          fielddrop = [
+            "memory_total"
+            "n_cpus"
+            "n_goroutines"
+            "n_listener_events"
+            "n_used_file_descriptors"
+            "server_version"
+          ];
+        }
+        {
+          endpoint = "unix:///var/run/docker.sock";
+          timeout = "5s";
+          perdevice_include = [ ];
+          total_include = [ ];
+          docker_label_exclude = [ "*" ];
+          tagexclude = [
+            "container_image"
+            "container_status"
+            "container_version"
+            "engine_host"
+            "server_version"
+          ];
+          namepass = [ "docker_container_mem" ];
+          fielddrop = [
+            "active_anon"
+            "active_file"
+            "container_id"
+            "hierarchical_memory_limit"
+            "inactive_anon"
+            "inactive_file"
+            "mapped_file"
+            "max_usage"
+            "pgfault"
+            "pgmajfault"
+            "pgpgin"
+            "pgpgout"
+            "rss_huge"
+            "total_active_anon"
+            "total_active_file"
+            "total_cache"
+            "total_inactive_anon"
+            "total_inactive_file"
+            "total_mapped_file"
+            "total_pgfault"
+            "total_pgmajfault"
+            "total_pgpgin"
+            "total_pgpgout"
+            "total_rss"
+            "total_rss_huge"
+            "total_unevictable"
+            "total_writeback"
+            "unevictable"
+            "writeback"
+          ];
+        }
+      ];
+    })
+    (lib.mkIf (hasCollector "systemd_units") {
+      inputs.systemd_units = {
+        pattern = "*";
+        unittype = "service";
+        details = true;
+        timeout = "5s";
+      };
+    })
+    (lib.mkIf (hasCollector "ping") {
+      inputs.ping = {
+        urls = [ "1.1.1.1" ];
+        count = 4;
+        interval = "60s";
+        timeout = 5.0;
+        binary = "${pkgs.iputils}/bin/ping";
+        fielddrop = [
+          "packets_received"
+          "packets_transmitted"
+        ];
+      };
+    })
+    (lib.mkIf (hasCollector "internet_speed") {
+      inputs.internet_speed = {
+        interval = "30m";
+        cache = true;
+        memory_saving_mode = true;
+      };
+    })
+    (lib.mkIf (hasCollector "gpu" || hasCollector "nix") {
+      inputs.exec =
+        lib.optionals (hasCollector "gpu") [{
+          commands = [ amdgpuMetricsScript ];
+          timeout = "5s";
+          data_format = "influx";
+        }]
+        ++ lib.optionals (hasCollector "nix") [{
+          commands = [
+            (pkgs.writeShellScript "telegraf-nix-metrics" ''
+              set -euo pipefail
+
+              current="$(${lib.getExe pkgs.nixos-rebuild} list-generations | ${lib.getExe pkgs.gawk} '$NF == "True" {print $1 "|" $2 " " $3; exit}')"
+              [ -n "$current" ]
+
+              generation="''${current%%|*}"
+              build_datetime="''${current#*|}"
+              build_timestamp="$(${lib.getExe' pkgs.coreutils "date"} -d "$build_datetime" +%s)"
+              now="$(${lib.getExe' pkgs.coreutils "date"} +%s)"
+              store_bytes="$(${lib.getExe pkgs.nix} path-info --json --json-format 1 --all --offline --no-pretty | ${lib.getExe pkgs.jq} -r 'map(.narSize // 0) | add // 0')"
+              current_system_bytes="$(${lib.getExe pkgs.nix} path-info --json --json-format 1 --closure-size /run/current-system --offline --no-pretty | ${lib.getExe pkgs.jq} -r 'to_entries[0].value.closureSize // 0')"
+
+              printf 'nix generation=%si,configured_packages=%si,store_bytes=%si,current_system_bytes=%si,build_timestamp=%si,seconds_since_build=%si,build_datetime="%s"\n' \
+                "$generation" \
+                ${toString (builtins.length config.environment.systemPackages)} \
+                "$store_bytes" \
+                "$current_system_bytes" \
+                "$build_timestamp" \
+                "$((now - build_timestamp))" \
+                "$build_datetime"
+            '')
+          ];
+          interval = "1h";
+          timeout = "30s";
+          data_format = "influx";
+        }];
+    })
+  ];
+  outputsConfig = lib.mkMerge [{
+      outputs.influxdb_v3 = {
+        urls = cfg.outputs;
+        token = "$INFLUX_TOKEN";#config.sops.secrets.telegraf.path;
+        database = "telegraf";
+      };
+    }
+  ];
+in {
+  config = lib.mkIf cfg.enable {
+    services.telegraf = {
+      enable = true;
+      environmentFiles = [ config.sops.secrets.telegraf.path ];
+      extraConfig = lib.mkMerge [
+        baseConfig
+        inputsConfig
+        outputsConfig
+        cfg.extraConfig
+      ];
+    };
+
+    users.users.telegraf.extraGroups = dockerGroups;
+
+    systemd.services.telegraf = {
+      path =
+        lib.optionals (hasCollector "smart") [ pkgs.smartmontools pkgs.nvme-cli ]
+        ++ lib.optionals (hasCollector "gpu") [ pkgs.custom.amdgpu_top pkgs.jq ];
+      serviceConfig.SupplementaryGroups = dockerGroups;
+    };
+
+    security.sudo.extraRules = lib.optionals (hasCollector "smart") [{
+      users = [ "telegraf" ];
+      commands = [{
+        command = "${pkgs.smartmontools}/bin/smartctl";
+        options = [ "NOPASSWD" ];
+      }];
+    }];
+  };
+}

modules/server/containers/apps/.template.nix

@@ -0,0 +1,54 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let
+  version = "latest";
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "EXAMPLE";
+    tag = "0.0.0";
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "echo 1" ];
+      ExposedPorts = {  };
+    };
+  }; 
+  settings = pkgs.writeText "settings.yaml" ...;
+  templateData = builder.mkData { name = "template"; dir = "template"; vars = {
+      _ARGUMENT = "template";
+    };
+  };
+in {
+  requires = {
+    secrets = [ ];
+    databases = [ ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config.path}/example/";
+      mode = "0444";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        # imageStream = image;
+        image = "....:${version}";
+        port = 8080;
+        secret = name;
+        extraEnv = { };
+        overrides = {
+          cmd = [ ];
+          volumes = [ ];
+         };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."EXAMPLE".path;
+      script = pkgs.writeShellScript "setup" ''
+        ...
+      '';
+    };
+  };
+}

modules/server/containers/apps/.todo.md

@@ -0,0 +1,8 @@
+# Missing
+
+RSS: TTRSS / FreshRSS
+Monitoring: Telegraf + InfluxDB
+https://github.com/tarampampam/error-pages ?
+kavita + mylar ? kapowarr ?
+
+- Transmission Cfg and API/Token handling

modules/server/containers/apps/authentik.nix

@@ -0,0 +1,149 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "2026.2.2";
+  serverCfg = config.syscfg.server;
+  mediaCfg = config.syscfg.media;
+  authentikBackground = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
+  logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
+  logoIcoFileName = builtins.baseNameOf (toString mediaCfg.logo.ico);
+  backgroundFileName = builtins.baseNameOf (toString authentikBackground);
+  logoSvgMount = "/data/media/public/branding/${logoSvgFileName}";
+  logoIcoMount = "/data/media/public/branding/${logoIcoFileName}";
+  backgroundMount = "/data/media/public/branding/${backgroundFileName}";
+  authentikData = builder.mkData { 
+    name = "authentik"; dir = "authentik"; vars = {
+      AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
+      COOKIE_DOMAIN = "${serverCfg.domain}";
+      AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
+      AUTHENTIK_BRANDING_TITLE = if containerCfg.extra ? name then containerCfg.extra.name else "authentik";
+      AUTHENTIK_BRANDING_LOGO = "branding/${logoSvgFileName}";
+      AUTHENTIK_BRANDING_FAVICON = "branding/${logoIcoFileName}";
+      AUTHENTIK_BRANDING_BACKGROUND = "branding/${backgroundFileName}";
+    } 
+    // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?freshrss then { FRESHRSS_DOMAIN = "${serverCfg.containers.freshrss.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?homepage then { HOMEPAGE_DOMAIN = "${serverCfg.containers.homepage.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
+  };
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config.path}/authentik";
+      owner = "1000:1000";
+      dirs = ["media" "templates"];
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "ghcr.io/goauthentik/server:${version}";
+        port = 9000;
+        secret = name;
+        extraEnv = {
+          AUTHENTIK_DISABLE_STARTUP_ANALYTICS="true";
+          AUTHENTIK_ERROR_REPORTING__ENABLED="false";
+          AUTHENTIK_WEB__WORKERS="1";
+          AUTHENTIK_WORKER__PROCESSES="1";
+          AUTHENTIK_WORKER__THREADS="2";
+          AUTHENTIK_REDIS__HOST = builder.host;
+          AUTHENTIK_POSTGRESQL__HOST = builder.host;
+          AUTHENTIK_POSTGRESQL__USER = "authentik_user";
+          AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
+          AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
+          AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+          AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+        } // lib.optionalAttrs (serverCfg.mail.server != null) {
+          AUTHENTIK_EMAIL__HOST = serverCfg.mail.server;
+          AUTHENTIK_EMAIL__PORT = "587";
+          AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
+          AUTHENTIK_EMAIL__USE_TLS = "true";
+          AUTHENTIK_EMAIL__USE_SSL = "false";
+          AUTHENTIK_EMAIL__TIMEOUT = "10";
+          AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
+        };
+        overrides = {
+          environmentFiles =  [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
+        
+          cmd = [ "server" ];
+          volumes = [
+            "${serverCfg.path.config.path}/authentik/media:/media"
+            "${serverCfg.path.config.path}/authentik/templates:/templates"
+            "${authentikData}:/blueprints/custom:ro"
+            "${mediaCfg.logo.svg}:${logoSvgMount}:ro"
+            "${mediaCfg.logo.ico}:${logoIcoMount}:ro"
+            "${authentikBackground}:${backgroundMount}:ro"
+          ];
+        };
+      };
+
+      worker = builder.mkContainer {
+        image = "ghcr.io/goauthentik/server:${version}";
+        secret = name;
+        extraEnv = {
+          AUTHENTIK_DISABLE_STARTUP_ANALYTICS="true";
+          AUTHENTIK_ERROR_REPORTING__ENABLED="false";
+          AUTHENTIK_WEB__WORKERS="1";
+          AUTHENTIK_WORKER__PROCESSES="1";
+          AUTHENTIK_WORKER__THREADS="2";
+          AUTHENTIK_REDIS__HOST = builder.host;
+          AUTHENTIK_POSTGRESQL__HOST = builder.host;
+          AUTHENTIK_POSTGRESQL__USER = "authentik_user";
+          AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
+          AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
+          AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+          AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+        };
+        overrides = {
+          cmd = [ "worker" ];
+          volumes = [
+            "${serverCfg.path.config.path}/authentik/media:/media"
+            "${serverCfg.path.config.path}/authentik/templates:/templates"
+            "${authentikData}:/blueprints/custom:ro"
+            "${mediaCfg.logo.svg}:${logoSvgMount}:ro"
+            "${mediaCfg.logo.ico}:${logoIcoMount}:ro"
+            "${authentikBackground}:${backgroundMount}:ro"
+          ];
+        };
+      };
+
+      ldap = builder.mkContainer {
+        image = "ghcr.io/goauthentik/ldap:${version}";
+        secret = name;
+        extraEnv = {
+          AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}"; 
+          AUTHENTIK_INSECURE = "false"; 
+        };
+      };
+    };
+
+    setup = {
+      trigger = "worker";
+      script = pkgs.writeShellScript "setup" ''
+        # Define the command wrapper
+        AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
+
+        $AK apply_blueprint /blueprints/custom/authentik.yaml
+        $AK apply_blueprint /blueprints/custom/branding.yaml
+        $AK apply_blueprint /blueprints/custom/traefik.yaml
+        $AK apply_blueprint /blueprints/custom/ldap.yaml
+
+        ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
+        ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
+        ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
+        ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
+        ${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
+        ${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
+
+        echo "Completed Authentik Setup"
+      '';
+    };
+  };
+}

modules/server/containers/apps/calibre.nix

@@ -0,0 +1,42 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let
+  version = "latest";
+  serverCfg = config.syscfg.server;
+in {
+  runtime = {
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "crocodilestick/calibre-web-automated:${version}";
+        port = 8083;
+      #   secret = name;
+        extraEnv = {
+          CWA_PORT_OVERRIDE = "8083";
+
+          PUID = "1000";
+          PGID = "1000";
+          #HARDCOVER_TOKEN= ....
+          TRUSTED_PROXY_COUNT= "1";
+        };
+          extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`)";
+          "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik) then "authentik" else "";
+          "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+          "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+          "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.book.path}:/calibre-library"
+            "${serverCfg.path.dlComplete.path}:/cwa-book-ingest"
+          ];
+        };
+      };
+    };
+  };
+
+  # curl 'https://books.test.helcel.net/admin/ajaxconfig' \
+  # -X POST 
+  # -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'
+  # --data-raw 'csrf_token=${CSRF_TOKEN}&config_certfile=&config_keyfile=&config_updatechannel=0&config_trustedhosts=&config_log_level=20&config_logfile=%2Fdev%2Fstdout&config_access_logfile=%2Fconfig%2Faccess.log&config_embed_metadata=on&config_uploading=on&config_upload_formats=m4b%2Cacsm%2Cdoc%2Cpdf%2Cmp3%2Codt%2Ccbr%2Crtf%2Clit%2Cprc%2Cm4a%2Cdjv%2Cfb2%2Copus%2Cdocx%2Cazw3%2Cepub%2Cdjvu%2Cwav%2Ccb7%2Ccbz%2Cmp4%2Ckfx-zip%2Cmobi%2Ccbt%2Cogg%2Ckfx%2Ckepub%2Ctxt%2Cazw%2Chtml%2Cflac&config_external_port=8083&config_goodreads_api_key=&config_hardcover_token=&config_use_https=on&config_reverse_proxy_login_header_name=&config_login_type=1&config_ldap_provider_url=sso.test.helcel.net&config_ldap_port=389&config_ldap_encryption=0&config_ldap_cacert_path=&config_ldap_cert_path=&config_ldap_key_path=&config_ldap_authentication=2&config_ldap_serv_username=cn%3Dldap-service%2Cou%3Dusers%2C%24%7BLDAP_DC_DOMAIN%7D&config_ldap_serv_password_e=%24DEFAULT_LDAP_PASSWORD&config_ldap_dn=%24%7BLDAP_DC_DOMAIN%7D&config_ldap_user_object=(memberOf%3Dcn%3Dcloud%2Cou%3Dgroups%2C%24%7BLDAP_DC_DOMAIN%7D)&config_ldap_openldap=on&config_ldap_auto_create_users=on&config_ldap_group_object_filter=(memberOf%3Dcn%3Dcloud%2Cou%3Dgroups%2C%24%7BLDAP_DC_DOMAIN%7D)&config_ldap_group_name=cloud&config_ldap_group_members_field=memberUid&ldap_import_user_filter=0&config_ldap_member_user_object=&config_generic_oauth_metadata_url=&config_generic_oauth_server_url=&config_generic_oauth_auth_url=&config_generic_oauth_token_url=&config_generic_oauth_userinfo_url=&config_generic_oauth_scope=email+openid+profile&config_oauth_redirect_host=&config_generic_oauth_client_id=&config_generic_oauth_client_secret=&config_generic_oauth_username_mapper=preferred_username&config_generic_oauth_email_mapper=email&config_generic_oauth_admin_group=admin&config_generic_oauth_login_button=OpenID+Connect&config_1_oauth_client_id=&config_1_oauth_client_secret=&config_2_oauth_client_id=&config_2_oauth_client_secret=&config_binariesdir=%2Fusr%2Fbin&config_calibre=&config_kepubifypath=%2Fusr%2Fbin%2Fkepubify&config_rarfile_location=%2Fusr%2Fbin%2Funrar&config_enable_oauth_group_admin_management=on&config_ratelimiter=on&config_limiter_uri=&config_limiter_options=&config_check_extensions=on&config_session=1&config_password_policy=on&config_password_min_length=8&config_password_number=on&config_password_lower=on&config_password_upper=on&config_password_character=on&config_password_special=on'
+}

modules/server/containers/apps/collabora.nix

@@ -0,0 +1,37 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+version = "latest";
+serverCfg = config.syscfg.server;
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "collabora/code:${version}";
+        port = 9980;
+        secret = name;
+        extraEnv = {
+          "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
+          "server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
+          "username" = "collabora_user";
+          "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
+          "VIRTUAL_PORT" = "9980";
+          "VIRTUAL_PROTO" = "http";
+          "DONT_GEN_SSL_CERT" = "true";
+          "RESOLVE_TO_PROXY_IP" = "true";
+          "extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
+          "dictionaries" = "en fr de jp no";
+        };
+        
+        overrides = {
+          volumes = [
+            "${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
+            "${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
+          ];
+        };
+      };
+    };
+  };
+}

modules/server/containers/apps/ethercalc.nix

@@ -0,0 +1,42 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  ethercalc_exe = pkgs.ethercalc;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "ethercalc";
+    tag = ethercalc_exe.version;
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
+      ExposedPorts = { "8080/tcp" = {}; };
+    };
+  };
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.data.path}/ethercalc/";
+      mode = "0666";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 8080;
+        secret = name;
+        extraEnv = {
+          ETHERCALC_PORT = "8080";
+          #CONNECT TO REDIS
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.data.path}/ethercalc:/data"
+          ];
+         };
+      };
+    };
+  };
+}

modules/server/containers/apps/etherpad.nix

@@ -0,0 +1,129 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  etherpad_exe = pkgs.etherpad-lite;
+  settings = pkgs.writeText"settings.json" (builtins.toJSON {
+    title= "\${TITLE:Etherpad}";
+    showRecentPads = "\${SHOW_RECENT_PADS:true}";
+    favicon = "\${FAVICON:null}";
+    publicURL = "\${PUBLIC_URL:null}";
+    skinName = "\${SKIN_NAME:colibris}";
+    skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
+    ip = "\${IP:0.0.0.0}";
+    port = "\${PORT:9001}";
+    showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
+    enableMetrics = "\${ENABLE_METRICS:true}";
+    updates.tier = "off";
+    cleanup.enabled = false;
+    gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
+    authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
+    enableDarkMode = "\${ENABLE_DARK_MODE:true}";
+    enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
+    dbType = "\${DB_TYPE:dirty}";
+    dbSettings = {
+      host =       "\${DB_HOST:undefined}";
+      port =       "\${DB_PORT:undefined}";
+      database =   "\${DB_NAME:undefined}";
+      user =       "\${DB_USER:undefined}";
+      password =   "\${DB_PASS:undefined}";
+      charset =    "\${DB_CHARSET:undefined}";
+      filename =   "\${DB_FILENAME:var/dirty.db}";
+      collection = "\${DB_COLLECTION:undefined}";
+      url =        "\${DB_URL:undefined}";
+    };
+    defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
+    padOptions = {
+      noColors =         "\${PAD_OPTIONS_NO_COLORS:false}";
+      showControls =     "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
+      showChat =         "\${PAD_OPTIONS_SHOW_CHAT:true}";
+      showLineNumbers =  "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
+      useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
+      userName =         "\${PAD_OPTIONS_USER_NAME:null}";
+      userColor =        "\${PAD_OPTIONS_USER_COLOR:null}";
+      rtl =              "\${PAD_OPTIONS_RTL:false}";
+      alwaysShowChat =   "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
+      chatAndUsers =     "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
+      lang =             "\${PAD_OPTIONS_LANG:null}";
+      fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
+      enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
+    };
+
+    requireSession = "\${REQUIRE_SESSION:false}";
+    editOnly = "\${EDIT_ONLY:false}";
+    minify = "\${MINIFY:true}";
+    requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
+    requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
+    trustProxy = "\${TRUST_PROXY:true}";
+    ep_headerauth.username_header = "X-authentik-username";
+    users.admin = {
+      password = "\${ADMIN_PASSWORD:null}";
+      is_admin = true;
+    };
+    socketTransportProtocols = ["websocket" "polling"];
+    socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
+    indentationOnNewLine = true;
+
+    loglevel = "\${LOGLEVEL:INFO}";
+    lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
+  });
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "etherpad";
+    tag = etherpad_exe.version;
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
+      ExposedPorts = { "8080/tcp" = {}; };
+    };
+  };
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config.path}/etherpad/";
+      mode = "0444";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 8080;
+        secret = name;
+        extraEnv = {
+          TITLE = "Pad";
+          PORT ="8080";
+          DB_TYPE = "postgres";
+          DB_HOST = builder.host;
+          DB_NAME = "etherpad_db";
+          DB_USER = "etherpad_user";
+          TRUST_PROXY = "true";
+          DB_CHARSET = "utf8mb4";
+          DEFAULT_PAD_TEXT = "";
+          PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
+          PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
+          SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+        };
+        overrides = {
+          cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
+          volumes = [
+            "${settings}:/etc/etherpad/settings.json"
+            "${serverCfg.path.config.path}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
+          ];
+         };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."ETHERPAD".path;
+      script = pkgs.writeShellScript "setup" ''
+        echo "$APIKEY" > ${serverCfg.path.config.path}/etherpad/APIKEY.txt
+        chmod 444 ${serverCfg.path.config.path}/etherpad/APIKEY.txt
+      '';
+    };
+  };
+}

modules/server/containers/apps/favicon.nix

@@ -0,0 +1,284 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let
+  serverCfg = config.syscfg.server;
+  mediaCfg = config.syscfg.media;
+  palette = serverCfg.colorScheme.palette or { };
+  port = 8080;
+  assetSize = 64;
+  cacheMode = containerCfg.extra.cacheMode or "off";
+  cacheControl =
+    if cacheMode == "disk" then
+      containerCfg.extra.cacheControl or "public, max-age=3600"
+    else if cacheMode == "off" then
+      "no-store"
+    else
+      throw "favicon cacheMode must be either `off` or `disk`";
+  priority = toString (containerCfg.extra.priority or 2147482647);
+  logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
+  logoSvgMount = "/assets/${logoSvgFileName}";
+  ensureAttrSet = field: value:
+    if builtins.isAttrs value then
+      value
+    else
+      throw "favicon `${field}` must be an attribute set";
+  resolveColor = value:
+    if value == null then null
+    else if !builtins.isString value then
+      throw "favicon color values must be strings"
+    else if lib.hasPrefix "#" value then
+      value
+    else
+      let
+        paletteValue = lib.attrByPath [ value ] (throw "Unknown favicon color reference `${value}`") palette;
+      in
+      if builtins.isString paletteValue then
+        if lib.hasPrefix "#" paletteValue then
+          paletteValue
+        else
+          "#${paletteValue}"
+      else
+        throw "favicon palette reference `${value}` must resolve to a string";
+  normalizeProfile = profile:
+    let
+      normalizedProfile = ensureAttrSet "profile" profile;
+      bg =
+        if normalizedProfile ? bg then resolveColor normalizedProfile.bg
+        else if normalizedProfile ? background then resolveColor normalizedProfile.background
+        else null;
+      fg =
+        if normalizedProfile ? fg then resolveColor normalizedProfile.fg
+        else if normalizedProfile ? foreground then resolveColor normalizedProfile.foreground
+        else null;
+    in
+    (lib.filterAttrs (name: _: !(builtins.elem name [ "bg" "background" "fg" "foreground" ])) normalizedProfile)
+    // lib.optionalAttrs (bg != null) { bg = bg; }
+    // lib.optionalAttrs (fg != null) { fg = fg; };
+  hostMappings = lib.mapAttrs (_: profile: normalizeProfile profile) (
+    ensureAttrSet "mappings" (containerCfg.extra.mappings or { })
+  );
+  defaultProfile =
+    if containerCfg.extra ? default then
+      normalizeProfile containerCfg.extra.default
+    else
+      null;
+    traefikAssetPathRegexp =
+    "^/(.*/)?"
+    + "(fav(icon)?(-[0-9]+x[0-9]+)?\\.(ico|png|svg)"
+    + "|(favicon|apple-icon)(-[0-9]+)?(\\.(ico|png))?"
+    + "|logo\\.(ico)"
+    + "|fav([0-9]+)?\\.(ico|png)"
+    + "|apple-touch-icon(-precomposed)?\\.png"
+    + "|android-chrome-[0-9]+x[0-9]+\\.png"
+    + "|mstile-[0-9]+x[0-9]+\\.png)$";
+  pythonEnv = pkgs.python3.withPackages (ps: with ps; [
+    cairosvg
+    pillow
+  ]);
+  serverScript = pkgs.writeText "favicon-server.py" ''
+    from io import BytesIO
+    import hashlib
+    import os
+    from pathlib import Path
+    import re
+    import threading
+    from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+
+    import cairosvg
+    from PIL import Image
+
+    LOGO_PATH = ${builtins.toJSON logoSvgMount}
+    LISTEN_HOST = "0.0.0.0"
+    LISTEN_PORT = ${toString port}
+    ASSET_SIZE = ${toString assetSize}
+    CACHE_MODE = ${builtins.toJSON cacheMode}
+    CACHE_CONTROL = ${builtins.toJSON cacheControl}
+    CACHE_DIR = Path("/cache")
+
+    with open(LOGO_PATH, "rb") as fh:
+        LOGO_BYTES = fh.read()
+    MAPPINGS = ${builtins.toJSON hostMappings}
+    DEFAULT_PROFILE = ${if defaultProfile == null then "None" else builtins.toJSON defaultProfile}
+    APP_DOMAIN = (${builtins.toJSON serverCfg.domain} or "").strip().lower()
+    DEFAULT_COLORS = {"bg": "#111827", "fg": "#f8fafc"}
+    LOGO_HASH = hashlib.sha256(LOGO_BYTES).hexdigest()
+    ICON_CACHE_LOCK = threading.Lock()
+
+    def _request_host(headers):
+        host = (
+            headers.get("X-Forwarded-Host")
+            or headers.get("X-Original-Host")
+            or headers.get("Host", "")
+        )
+        return (host or "").split(",", 1)[0].split(":", 1)[0].strip().lower().rstrip(".")
+
+    def _host_candidates(host):
+        candidates = []
+
+        def add(candidate):
+            if candidate and candidate not in candidates:
+                candidates.append(candidate)
+
+        add(host)
+        if APP_DOMAIN:
+            suffix = f".{APP_DOMAIN}"
+            if host.endswith(suffix):
+                add(host[: -len(suffix)].rstrip("."))
+        if "." in host:
+            add(host.split(".", 1)[0])
+
+        return candidates
+
+    def _profile_for_host(host):
+        for candidate in _host_candidates(host):
+            profile = MAPPINGS.get(candidate)
+            if profile:
+                return candidate, profile
+        return None, DEFAULT_PROFILE
+
+    def _replace_logo_fill(svg, color):
+        svg, _ = re.subn(
+            "fill:#3193f5",
+            f"fill:{color}",
+            svg,
+            flags=re.IGNORECASE,
+        )
+        return svg
+
+    def _colors(profile):
+        profile = profile or {}
+        return {
+            "bg": profile.get("bg") or profile.get("background") or DEFAULT_COLORS["bg"],
+            "fg": profile.get("fg") or profile.get("foreground") or DEFAULT_COLORS["fg"],
+        }
+
+    def _add_background(svg, color):
+        return re.sub(
+            r"(<svg\\b[^>]*>)",
+            rf'\\1<circle cx="64" cy="64" r="64" fill="{color}"/>',
+            svg,
+            count=1,
+            flags=re.IGNORECASE,
+        )
+
+    def _render_icon(colors):
+        svg = LOGO_BYTES.decode("utf-8")
+        svg = _replace_logo_fill(svg, colors["fg"])
+        svg = _add_background(svg, colors["bg"])
+
+        png = cairosvg.svg2png(
+            bytestring=svg.encode("utf-8"),
+            output_width=ASSET_SIZE,
+            output_height=ASSET_SIZE,
+        )
+        output = BytesIO()
+        with Image.open(BytesIO(png)) as image:
+            with image.convert("RGBA") as rgba:
+                rgba.save(output, format="ICO", sizes=[(ASSET_SIZE, ASSET_SIZE)])
+        return output.getvalue()
+
+    def _cache_path(colors):
+        digest = hashlib.sha256(
+            f"{ASSET_SIZE}:{LOGO_HASH}:{colors['bg']}:{colors['fg']}".encode("utf-8")
+        ).hexdigest()
+        return CACHE_DIR / f"{digest}.ico"
+
+    def _payload_for(colors):
+        if CACHE_MODE != "disk":
+            return _render_icon(colors)
+
+        cache_path = _cache_path(colors)
+        with ICON_CACHE_LOCK:
+            if cache_path.exists():
+                return cache_path.read_bytes()
+
+        payload = _render_icon(colors)
+        with ICON_CACHE_LOCK:
+            if cache_path.exists():
+                return cache_path.read_bytes()
+            CACHE_DIR.mkdir(parents=True, exist_ok=True)
+            tmp_path = cache_path.with_suffix(".tmp")
+            tmp_path.write_bytes(payload)
+            os.replace(tmp_path, cache_path)
+            return payload
+
+    class Handler(BaseHTTPRequestHandler):
+        server_version = "favicon-router/1.0"
+
+        def _serve(self, include_body):
+            host = _request_host(self.headers)
+            matched_host, profile = _profile_for_host(host)
+            if not profile:
+                self.send_error(404, "No favicon mapping for host")
+                return
+
+            colors = _colors(profile)
+            payload = _payload_for(colors)
+            self.send_response(200)
+            self.send_header("Content-Type", "image/x-icon")
+            self.send_header("Content-Length", str(len(payload)))
+            self.send_header("Cache-Control", CACHE_CONTROL)
+            self.send_header("X-Favicon-Host", host or "default")
+            self.send_header("X-Favicon-Mapping", matched_host or "default")
+            self.end_headers()
+            if include_body:
+                self.wfile.write(payload)
+
+        def do_GET(self):
+            self._serve(include_body=True)
+
+        def do_HEAD(self):
+            self._serve(include_body=False)
+
+        def log_message(self, fmt, *args):
+            print("%s - - [%s] %s" % (self.address_string(), self.log_date_time_string(), fmt % args))
+
+    if __name__ == "__main__":
+        httpd = ThreadingHTTPServer((LISTEN_HOST, LISTEN_PORT), Handler)
+        httpd.serve_forever()
+  '';
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "favicon";
+    tag = "1";
+    contents = [
+      pythonEnv
+      pkgs.cacert
+      pkgs.tzdata
+    ];
+    config = {
+      Entrypoint = [ "${pythonEnv}/bin/python3" "-u" serverScript ];
+      ExposedPorts = { "${toString port}/tcp" = { }; };
+      WorkingDir = "/";
+    };
+  };
+in {
+  runtime = {
+    paths = [
+      {
+        path = "${serverCfg.path.config.path}/favicon";
+        mode = "0755";
+        dirs = [ "cache" ];
+      }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        imageStream = image;
+        port = port;
+        extraLabels = {
+          "traefik.enable" = "true";
+          "traefik.http.routers.${name}.entrypoints" = "web-secure";
+          "traefik.http.routers.${name}.rule" = "PathRegexp(`${traefikAssetPathRegexp}`)";
+          "traefik.http.routers.${name}.priority" = priority;
+          "traefik.http.routers.${name}.tls" = "true";
+          "traefik.http.services.${name}.loadbalancer.server.port" = toString port;
+        };
+        overrides = {
+          volumes = [
+           "${serverCfg.path.config.path}/favicon/cache:/cache"
+            "${mediaCfg.logo.svg}:${logoSvgMount}:ro"
+          ];
+        };
+      };
+    };
+  };
+}

modules/server/containers/apps/freshrss.nix

@@ -0,0 +1,61 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let
+  version = "latest";
+  serverCfg = config.syscfg.server;
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [
+      {
+        path = "${serverCfg.path.config.path}/freshrss";
+        owner = "1000:1000";
+        mode = "0755";
+      }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "ghcr.io/freshrss/freshrss:${version}";
+        port = 80;
+        
+        extraEnv = {
+          CRON_MIN = "5,35";
+          TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
+          LISTEN = "80";
+          OIDC_ENABLED = "1";
+          OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
+          OIDC_REMOTE_USER_CLAIM = "preferred_username";
+          OIDC_CLIENT_ID = "freshrss";
+          OIDC_SCOPES = "openid profile";
+          OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
+        };
+
+        overrides = {
+          environmentFiles =  [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path ];
+          volumes = ["${serverCfg.path.config.path}/freshrss:/var/www/FreshRSS/data"];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server"; # Triggers atomic environment verification on main controller
+      envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path];
+      script = pkgs.writeShellScript "setup-freshrss" ''
+
+        RSS="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data freshrss-server"
+        $RSS ./cli/prepare.php
+        $RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \
+          --title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss_user --db-password $DB_PASSWORD --db-base freshrss_db
+        $RSS ./cli/create-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL
+        $RSS ./cli/reconfigure.php
+        # $RSS ./cli/access-permissions.sh
+        
+      '';
+    };
+  };
+}

modules/server/containers/apps/frigate.nix

@@ -0,0 +1,96 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  
+  # Ensure the package is available (Nixpkgs includes frigate)
+  frigatePkg = pkgs.frigate;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "frigate";
+    tag = frigatePkg.version;
+    contents = [ 
+      pkgs.bashInteractive 
+      frigatePkg
+      pkgs.ffmpeg # Explicitly included for video stream processing
+    ];
+    config = {
+      Entrypoint = [ "${frigatePkg}/bin/frigate" ];
+      Cmd = [ "start" ];
+      ExposedPorts = {
+        "5000/tcp" = {}; # Web UI / API
+        "8554/tcp" = {}; # RTSP Feeds
+        "8555/tcp" = {}; # WebRTC
+      };
+      Env = [
+        "FRIGATE_RTSP_PASSWORD=secret" # Base fallback, overridden by envFile/sops
+      ];
+    };
+  };
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+    paths = [
+      {
+        path = "${serverCfg.path.config.path}/frigate/";
+        mode = "0755";
+      }
+      {
+        path = "/var/lib/frigate/storage/";
+        mode = "0755"; # Dedicated path for heavy video recordings and media
+      }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 5000;
+        secret = name;
+        extraEnv = {
+          PLUS_API_KEY = ""; # Optional: For Frigate Plus users
+        };
+        overrides = {
+          cmd = [ ];
+          volumes = [
+            "${serverCfg.path.config.path}/frigate:/config"
+            "/var/lib/frigate/storage:/media/frigate"
+            "/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
+            "/dev/dri:/dev/dri"         # Passes Intel/AMD GPU for hardware video decoding
+          ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."FRIGATE_ENV".path;
+      script = pkgs.writeShellScript "setup-frigate" ''
+        mkdir -p "${serverCfg.path.config.path}/frigate"
+        mkdir -p "/var/lib/frigate/storage"
+        
+        # Bootstrap a standard configuration layout if missing
+        if [ ! -f "${serverCfg.path.config.path}/frigate/config.yml" ]; then
+          cat <<EOF > "${serverCfg.path.config.path}/frigate/config.yml"
+mqtt:
+  enabled: False # Set to True and define host if connecting to Home Assistant
+
+database:
+  path: /config/frigate.db
+
+cameras:
+  dummy_camera: # Replace with your actual RTSP stream details
+    enabled: false
+    ffmpeg:
+      inputs:
+        - path: rtsp://127.0.0.1:554/live
+          roles:
+            - detect
+    detect:
+      enabled: false
+EOF
+        fi
+      '';
+    };
+  };
+}

modules/server/containers/apps/gitea.nix

@@ -0,0 +1,145 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "latest";
+  serverCfg = config.syscfg.server;
+
+  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.data.path}/gitea";
+      owner = "1000:1000";
+      dirs = ["data" "runner"];
+      mode = "0755";
+    }];
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "gitea/gitea:${version}";
+        port = 8080;
+        secret = name;
+        
+        extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
+          GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
+          GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
+          GITEA__repository__DISABLE_STARS = "true";
+          GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
+          # GITEA__ui__THEMES = "";
+          # GITEA__ui__DEFAULT_THEME = "";
+
+          # GITEA__security__SECRET_KEY = "SECRET_ENV";
+          # GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
+          # GITEA__database__PASSWD = "SECRET_ENV";
+          # GITEA__mailer__PASSWD="SECRET_ENV";
+
+          GITEA__database__DB_TYPE = "postgres"; 
+          GITEA__database__HOST = builder.host;
+          GITEA__database__NAME = "gitea_db";
+          GITEA__database__USER = "gitea_user";
+
+
+          GITEA__mailer__ENABLED = "true";
+          GITEA__mailer__FROM = "";
+          GITEA__mailer__PROTOCOL = "smtps";
+          GITEA__mailer__SMTP_ADDR = "";
+          GITEA__mailer__SMTP_PORT = "";
+          GITEA__mailer__USER= "";
+
+          GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
+          GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
+          GITEA__server__PROTOCOL = "http";
+          GITEA__server__HTTP_PORT = "8080";
+          GITEA__server__LFS_START_SERVER = "true";
+          GITEA__security__INSTALL_LOCK = "true";
+
+        } // ( if serverCfg.containers?authentik then {
+          GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
+          GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
+          GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
+          GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
+          GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
+          GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
+          GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
+          GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
+          GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
+          GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
+          GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
+          GITEA__security__RREVERSE_PROXY_LIMIT = "1";
+          GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
+        } else {});
+        extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
+          "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik && containerCfg.extra?proxyauth) then "authentik" else "";
+          "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+          "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+          "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+        };
+
+        overrides = {
+          volumes = [
+            "${serverCfg.path.data.path}/gitea/data:/data"
+          ];
+          ports = [ "2222:22" ]; 
+        };
+      };
+
+      runner = builder.mkContainer {
+        image = "gitea/act_runner:${version}";
+        secret = name;
+        extraEnv = { 
+          #CONFIG_FILE="/data/config.yml";
+          GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
+          GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
+        };
+
+        overrides = {
+          volumes = [
+            "${serverCfg.path.data.path}/gitea/runner:/data"
+            "/var/run/podman/podman.sock:/var/run/docker.sock"
+          ];
+        };
+      };
+    };
+
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."CUSTOM".path;
+      script = pkgs.writeShellScript "setup" ''
+        # Define the command wrapper
+        GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
+        GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
+
+        $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
+
+        touch ${serverCfg.path.data.path}/gitea/data-runner/config.yml
+
+        RUNNER_TOKEN=$($GT actions generate-runner-token)
+        $GTR register \
+          --instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
+          --token "$RUNNER_TOKEN" \
+          --name "Runner" \
+          --labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
+          --no-interactive
+
+
+        ${lib.optionalString (serverCfg.containers ? authentik) ''
+        $GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
+            --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
+            --user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
+            --user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
+            --admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
+            --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
+            --synchronize-users
+        ''}
+
+        echo "Completed Gitea Setup"
+      '';
+    };
+  };
+}

modules/server/containers/apps/handbrake.nix

@@ -0,0 +1,48 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  version = "latest";
+in {
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config.path}/handbrake";
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        authentik = true;
+        tmpfs = true;
+        subdomain = containerCfg.subdomain;
+        subpath = containerCfg.subpath;
+        image = "ghcr.io/jlesage/handbrake:${version}";
+        port = 5800;
+        
+        extraEnv = {
+          USER_ID = "1000";
+          GROUP_ID = "1000";
+          AUTOMATED_CONVERSION_PRESET = "Custom/AV1 MKV 1080p30";
+          AUTOMATED_CONVERSION_FORMAT = "mkv";
+          AUTOMATED_CONVERSION_OUTPUT_SUBDIR = "SAME_AS_SRC";
+        };
+        
+        overrides = {
+          volumes = [
+            "${serverCfg.path.config.path}/handbrake:/config:rw"
+            "${serverCfg.path.dlComplete.path}:/watch:rw"
+            "${serverCfg.path.dlConverted.path}:/output:rw"
+          ];
+         };
+      };
+    };
+
+    
+    setup = {
+      trigger = "server";
+      script = pkgs.writeShellScript "setup" ''
+          mkdir -p ${serverCfg.path.data.path}/handbrake/{watch,output}
+
+      '';
+    };
+  };
+}

modules/server/containers/apps/homeassistant.nix

@@ -0,0 +1,102 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "latest";
+  serverCfg = config.syscfg.server;
+  
+in {
+  runtime = {
+    vm = {
+      portForward = [ 8123 ];
+      cfg = {cfg,...}: {
+        services.home-assistant = {
+          enable = true;
+          openFirewall = true;
+          
+          extraComponents = [
+            "matter" "thread" "cast" "zha"
+            "default_config" "met" "esphome" "radio_browser"
+            "telegram_bot" "swiss_public_transport" "nextcloud" "jellyfin" 
+          ]  ++ (if containerCfg.extra ? components then containerCfg.extra.components else []);
+          
+
+          extraPackages = pp: with pp; [
+              python-telegram gtts
+          ];
+          lovelaceConfig = {};
+
+          config = {
+            homeassistant = {
+              name = "Home";
+              latitude = "${if containerCfg.extra ? latitude then toString containerCfg.extra.latitude else toString 0}";
+              longitude = "${if containerCfg.extra ? longitude then toString containerCfg.extra.longitude else toString 0}";
+              elevation = "${if containerCfg.extra ? elevation then toString containerCfg.extra.elevation else toString 0}";
+              unit_system = "metric";
+              time_zone = config.time.timeZone;
+            };
+            lovelace = { mode = "yaml"; };
+            customLovelaceModules = [];
+            
+            # default_config = {};
+            http = {
+              use_x_forwarded_for = true;
+              trusted_proxies = [ "10.0.0.0/8" "127.0.0.1" ];
+            };
+          };
+        };
+      };
+    };
+
+    containers = {
+      dummy = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "alpine:latest";
+        extraLabels = {
+          "traefik.http.services.${containerCfg.subdomain}.loadbalancer.server.url" = "http://${builder.hostIp}:8123";
+        };
+        overrides = {cmd = [ "sleep" "infinity" ];};
+      };
+    };
+
+    setup = {
+      trigger = "dummy";
+      envFile = config.sops.secrets."CUSTOM".path;
+      script = pkgs.writeShellScript "setup" ''
+
+    HASS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+    until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/manifest.json")" =~ (200|301|302) ]]; do
+      sleep 5
+    done
+    sleep 5
+
+    ONBOARDING_STATUS=$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/api/onboarding" 2>/dev/null || echo "000")
+
+    if [ "$ONBOARDING_STATUS" = "200" ]; then
+      AUTH_CODE=$( ${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/api/onboarding/users" \
+        -H "Content-Type: application/json" \
+        -d '{"client_id":"'"$HASS_URL"'","name":"'"$DEFAULT_ADMIN_USERNAME"'","username":"'"$DEFAULT_ADMIN_USERNAME"'","password":"'"$DEFAULT_ADMIN_PASSWORD"'","language":"en"}' \
+        | ${pkgs.jq}/bin/jq -r '.auth_code' )
+
+      ACCESS_TOKEN=$(${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/auth/token" \
+          -H "Content-Type: application/x-www-form-urlencoded" \
+          -d "grant_type=authorization_code&code=$AUTH_CODE&client_id=$HASS_URL" \
+      | ${pkgs.jq}/bin/jq -r '.access_token' )    
+
+      ${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/core_config" \
+          -H "Authorization: Bearer $ACCESS_TOKEN" \
+          -H "Content-Type: application/json" \
+          -d '{"time_zone":"${config.time.timeZone}"}' > /dev/null 2>&1 || true
+      # We can configure many more things above !
+
+      ${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/analytics" \
+          -H "Authorization: Bearer $ACCESS_TOKEN" \
+          -H "Content-Type: application/json" -d '{}' > /dev/null 2>&1 || true
+
+      ${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/integration" \
+          -H "Authorization: Bearer $ACCESS_TOKEN" \
+          -H "Content-Type: application/json" \
+          -d '{"client_id":"'"$HASS_URL"'","redirect_uri":"'"$HASS_URL"'/?auth_callback=1"}' > /dev/null 2>&1 || true
+    fi
+      '';
+    };
+  };
+}

modules/server/containers/apps/homepage.nix

@@ -0,0 +1,402 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let
+  version = "latest";
+  serverCfg = config.syscfg.server;
+  mediaCfg = config.syscfg.media;
+  homepageExtra = containerCfg.extra or {};
+  backgroundImage = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
+  backgroundFileName = builtins.baseNameOf (toString backgroundImage);
+  backgroundMount = "/app/public/media/${backgroundFileName}";
+  latitude =
+    if homepageExtra ? latitude then homepageExtra.latitude
+    else if homepageExtra ? lat then homepageExtra.lat
+    else 47.3769;
+  longitude =
+    if homepageExtra ? longitude then homepageExtra.longitude
+    else if homepageExtra ? lon then homepageExtra.lon
+    else 8.5417;
+  extraBookmarks = homepageExtra.bookmarks or [];
+  extraServices = homepageExtra.services or [];
+
+  settings = pkgs.writers.writeYAML "settings.yaml" {
+    title = "Home";
+    description = "";
+    startUrl = "https://${containerCfg.subdomain}.${serverCfg.domain}";
+    background = {
+      image = "/media/${backgroundFileName}";
+      brightness = 50;
+      opacity = 0.5;
+      blur = "";
+    };
+    cardBlur = "xs";
+    favicon = "https://${containerCfg.subdomain}.${serverCfg.domain}/favicon.ico";
+    theme = "dark";
+    color = "slate";
+    fullWidth = true;
+    useEqualHeights = true;
+    pwa = { };
+    layout = {
+      Admin = {
+        initiallyCollapsed = true;
+        style = "row";
+        columns = 4;
+      };
+    };
+    bookmarksStyle = "icons";
+    providers = {
+      finnhub = "{{HOMEPAGE_VAR_FINNHUB}}";
+    };
+    headerStyle = "clean";
+    hideVersion = true;
+    disableUpdateCheck = true;
+    showStats = false;
+    statusStyle = "dot";
+    hideErrors = true;
+  };
+
+  widgets = pkgs.writers.writeYAML "widgets.yaml" [
+    { openmeteo = {
+        latitude = toString latitude;
+        longitude = toString longitude;
+        timezone = config.time.timeZone;
+        units = "metric";
+        cache = "15";
+      };
+    }
+    { search = {
+        provider = "custom";
+        focus = true;
+        showSearchSuggestions = true;
+        target = "_blank";
+      } // (lib.optionalAttrs (serverCfg.containers ? searxng) {
+        url = "https://${serverCfg.containers.searxng.subdomain}.${serverCfg.domain}/search?q=";
+        suggestionUrl = "https://${serverCfg.containers.searxng.subdomain}.${serverCfg.domain}/autocompleter?q=";
+      });
+    }
+    { stocks = {
+        provider = "finnhub";
+        color = true;
+        cache = 15;
+        watchlist = homepageExtra.stocks or [];
+      };
+    }
+  ];
+
+  bookmarks = pkgs.writers.writeYAML "bookmarks.yaml"  (extraBookmarks);
+
+  services = pkgs.writers.writeYAML "services.yaml" ([
+    { Media = lib.flatten [
+        (lib.optional (serverCfg.containers ? jellyfin) {
+          Jellyfin = {
+            icon = "jellyfin.png";
+            href = "https://${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://jellyfin-server:8096";
+            # widget = {
+            #   type = "jellyfin";
+            #   url = "http://jellyfin-server:8096";
+            #   key = "{{HOMEPAGE_VAR_JELLYFIN_API}}";
+            # };
+          };
+        })
+        (lib.optional (serverCfg.containers ? invidious) {
+          Invidious = {
+            icon = "invidious.png";
+            href = "https://${serverCfg.containers.invidious.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://invidious-server:3000";
+          };
+        })
+        (lib.optional (serverCfg.containers ? calibre) {
+          Calibre = {
+            icon = "calibre.png";
+            href = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://calibre-server:8083";
+            # widget = {
+            #   type = "calibreweb";
+            #   url = "http://calibre-server:8083";
+            #   username = "?";
+            #   password = "?";
+            # };
+          };
+        })
+        (lib.optional (serverCfg.containers ? freshrss) {
+          FreshRSS = {
+            icon = "freshrss.png";
+            href = "https://${serverCfg.containers.freshrss.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://freshrss-server:80";
+            # widget = {
+            #   type = "freshrss";
+            #   url = "http://freshrss-server:80";
+            #   username = "?";
+            #   password = "?";
+            # };
+          };
+        })
+        (lib.optional (serverCfg.containers ? miniflux) {
+          Miniflux = {
+            icon = "miniflux.png";
+            href = "https://${serverCfg.containers.miniflux.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://miniflux-server:80";
+            # widget = {
+            #   type = "miniflux";
+            #   url = "http://miniflux-server";
+            #   key = "{{HOMEPAGE_VAR_MINIFLUX_API}}";
+            # };
+          };
+        })
+        (lib.optional (serverCfg.containers ? suwayomi) {
+          Suwayomi = {
+            icon = "suwayomi.png";
+            href = "https://${serverCfg.containers.suwayomi.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://suwayomi-server:4567";
+            # widget = {
+            #   type = "suwayomi";
+            #   url = "http://suwayomi-server:4567";
+            # };
+          };
+        })
+      ];
+    }
+    { Cloud = lib.flatten [
+        (lib.optional (serverCfg.containers ? nextcloud) {
+          Nextcloud = {
+            icon = "nextcloud.png";
+            href = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://nextcloud-server:80";
+            # widget = {
+            #   type = "nextcloud";
+            #   url = "http://nextcloud-server:80";
+            #   key = "{{HOMEPAGE_VAR_NEXTCLOUD_API}}";
+            # };
+          };
+        })
+        (lib.optional (serverCfg.containers ? ethercalc) {
+          Ethercalc = {
+            icon = "ethercalc.png";
+            href = "https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://ethercalc-server:8080";
+          };
+        })
+        (lib.optional (serverCfg.containers ? etherpad) {
+          Etherpad = {
+            icon = "etherpad.png";
+            href = "https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://etherpad-server:8080";
+          };
+        })
+        (lib.optional (serverCfg.containers ? collabora && false) {
+          Collabora = {
+            icon = "microsoft-office.png";
+            href = "https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://collabora-server:9980";
+          };
+        })
+        (lib.optional (serverCfg.containers ? immich) {
+          Immich = {
+            icon = "immich.png";
+            href = "https://${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://immich-server:2283";
+            # widget = {
+            #   type = "immich";
+            #   url = "http://immich-server:2283";
+            #   key = "{{HOMEPAGE_VAR_IMMICH_API}}";
+            #   version = "2";
+            # };
+          };
+        })
+      ];
+    }
+    { Home = lib.flatten [
+        (lib.optional (serverCfg.containers ? homeassistant) {
+          "Home Assistant" = {
+            icon = "home-assistant.png";
+            href = "https://${serverCfg.containers.homeassistant.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://${builder.hostIp}:8123";
+          };
+        })
+        (lib.optional (serverCfg.containers ? openhab) {
+          openHAB = {
+            icon = "openhab.png";
+            href = "https://${serverCfg.containers.openhab.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://openhab-server:8080";
+          };
+        })
+        (lib.optional (serverCfg.containers ? frigate) {
+          Frigate = {
+            icon = "frigate.png";
+            href = "https://${serverCfg.containers.frigate.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://frigate-server:5000";
+          };
+        })
+      ];
+    }
+    { Dev = lib.flatten [
+        (lib.optional (serverCfg.containers ? gitea) {
+          Gitea = {
+            icon = "gitea.png";
+            href = "https://${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://gitea-server:8080";
+            # widget = {
+            #   type = "gitea";
+            #   url = "http://gitea-server:8080";
+            #   key = "{{HOMEPAGE_VAR_GITEA_API}}";
+            # };
+          };
+        })
+        (lib.optional (serverCfg.containers ? trmnl) {
+          TRMNL = {
+            icon = "terminal.png";
+            href = "https://${serverCfg.containers.trmnl.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://trmnl-server:8080";
+          };
+        })
+      ];
+    }
+    { Admin = lib.flatten [
+        (lib.optional (serverCfg.containers ? traefik) {
+          Traefik = {
+            icon = "traefik.png";
+            href = "https://${serverCfg.containers.traefik.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://traefik-server:8080";
+            # widget = {
+            #   type = "traefik";
+            #   url = "http://traefik-server:8080";
+            # };
+          };
+        })
+        (lib.optional (serverCfg.containers ? authentik) {
+          Authentik = {
+            icon = "authentik.png";
+            href = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://authentik-server:9000";
+            # widget = {
+            #   type = "authentik";
+            #   url = "http://authentik-server:9000";
+            #   key = "{{HOMEPAGE_VAR_AUTHENTIK_API}}";
+            #   version = "2";
+            # };
+          };
+        })
+        (lib.optional (serverCfg.containers ? umami) {
+          Umami = {
+            icon = "umami.png";
+            href = "https://${serverCfg.containers.umami.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://umami-server:3000";
+          };
+        })
+        (lib.optional (serverCfg.containers ? influx) {
+          Influx = {
+            icon = "grafana.png";
+            href = "https://${serverCfg.containers.influx.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://influx-ui:3000";
+          };
+        })
+        (lib.optional (serverCfg.containers ? handbrake) {
+          Handbrake = {
+            icon = "handbrake.png";
+            href = "https://${serverCfg.containers.handbrake.subdomain}.${serverCfg.domain}";
+            siteMonitor = "http://handbrake-server:5800";
+          };
+        })
+        (lib.optional (serverCfg.containers ? transmission) {
+          Transmission = {
+            icon = "transmission.png";
+            href = "https://${serverCfg.containers.transmission.subdomain}.${serverCfg.domain}/transmission";
+            siteMonitor = "http://transmission-server:9091";
+            # widget = {
+            #   type = "transmission";
+            #   url = "http://transmission-server:9091";
+            #   rpcUrl = "/transmission/";
+            # };
+          };
+        })
+        (lib.optional (serverCfg.containers ? selfmark) {
+          Selfmark = {
+            icon = "link.png";
+            href = "https://${serverCfg.containers.selfmark.subdomain}.${serverCfg.domain}/selfmark";
+            siteMonitor = "http://selfmark-server:8080/selfmark";
+          };
+        })
+        (lib.optional (serverCfg.containers ? servarr) (
+          let
+            modules = serverCfg.containers.servarr.extra.modules or [ "prowlarr" "sonarr" "radarr" "flaresolverr" ];
+          in
+            (lib.optional (builtins.elem "sonarr" modules) {
+              Sonarr = {
+                icon = "sonarr.png";
+                href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/sonarr";
+                siteMonitor = "http://servarr-sonarr:8989/sonarr";
+                # widget = {
+                #   type = "sonarr";
+                #   url = "http://servarr-sonarr:8989/sonarr";
+                #   key = "{{HOMEPAGE_VAR_SONARR_API}}";
+                # };
+              };
+            })
+            ++ (lib.optional (builtins.elem "radarr" modules) {
+              Radarr = {
+                icon = "radarr.png";
+                href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/radarr";
+                siteMonitor = "http://servarr-radarr:8989/radarr";
+                # widget = {
+                #   type = "radarr";
+                #   url = "http://servarr-radarr:8989/radarr";
+                #   key = "{{HOMEPAGE_VAR_RADARR_API}}";
+                # };
+              };
+            })
+            ++ (lib.optional (builtins.elem "lidarr" modules) {
+              Lidarr = {
+                icon = "lidarr.png";
+                href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/lidarr";
+                siteMonitor = "http://servarr-lidarr:8989/lidarr";
+                # widget = {
+                #   type = "lidarr";
+                #   url = "http://servarr-lidarr:8989/lidarr";
+                #   key = "{{HOMEPAGE_VAR_LIDARR_API}}";
+                # };
+              };
+            })
+            ++ (lib.optional (builtins.elem "prowlarr" modules) {
+              Prowlarr = {
+                icon = "prowlarr.png";
+                href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/prowlarr";
+                siteMonitor = "http://servarr-prowlarr:8989/prowlarr";
+                # widget = {
+                #   type = "prowlarr";
+                #   url = "http://servarr-prowlarr:8989/prowlarr";
+                #   key = "{{HOMEPAGE_VAR_PROWLARR_API}}";
+                # };
+              };
+            })
+        ))
+      ];
+    }
+  ] ++ extraServices);
+in {
+  runtime = {
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "ghcr.io/gethomepage/homepage:${version}";
+        port = 3000;
+        extraEnv = {
+          HOMEPAGE_VAR_TITLE = "${serverCfg.domain}";
+          HOMEPAGE_ALLOWED_HOSTS = "${containerCfg.subdomain}.${serverCfg.domain},${builder.host}";
+        };
+        extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}.service" = "${containerCfg.subdomain}";
+        };
+        overrides = {
+          environmentFiles = [ config.sops.secrets."CUSTOM".path ];
+          volumes = [
+            "${settings}:/app/config/settings.yaml:ro"
+            "${services}:/app/config/services.yaml:ro"
+            "${widgets}:/app/config/widgets.yaml:ro"
+            "${bookmarks}:/app/config/bookmarks.yaml:ro"
+            "${backgroundImage}:${backgroundMount}:ro"
+          ];
+        };
+      };
+    };
+  };
+}

modules/server/containers/apps/immich.nix

@@ -0,0 +1,106 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  version = "v2";
+  serverCfg = config.syscfg.server;
+
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config.path}/immich";
+      dirs = ["cache" "thumbs" "encoded-video"];
+      mode = "0755";
+    }{
+      path = "${serverCfg.path.data.path}/immich/";
+      dirs = ["backups"];
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "ghcr.io/immich-app/immich-server:${version}";
+        port = 2283;
+        secret = name;
+        extraEnv = {
+          DB_HOSTNAME = builder.host;
+          REDIS_HOSTNAME = builder.host;
+          DB_USERNAME = "immich_user";
+          DB_DATABASE_NAME = "immich_db";
+          IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
+          IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
+          # IMMICH_ALLOW_SETUP = "false";
+          IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.photo.path}:/data/upload"
+            "${serverCfg.path.data.path}/immich/backups:/data/backups"
+            "${serverCfg.path.config.path}/immich/thumbs:/data/thumbs"
+            "${serverCfg.path.config.path}/immich/encoded-video:/data/encoded-video"
+          ];
+        };
+      };
+
+      ml = builder.mkContainer {
+        image = "ghcr.io/immich-app/immich-machine-learning:${version}";
+        port = 3003;
+        overrides = {
+          volumes = [
+            "${serverCfg.path.config.path}/immich/cache:/cache"
+          ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."CUSTOM".path;
+      script = pkgs.writeShellScript "setup" ''
+          PSQL="${pkgs.postgresql}/bin/psql -U postgres"
+          $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
+          $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
+          $PSQL -d "immich_db" -tAc "ALTER EXTENSION vchord UPDATE;"
+          $PSQL -d "immich_db" -tAc "ALTER EXTENSION earthdistance UPDATE;"
+
+          IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+          until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
+            sleep 5
+          done
+          ${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
+            -H "Content-Type: application/json" -H "Accept: application/json" \
+            -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
+
+          IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
+          -H "Content-Type: application/json" \
+          -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
+          | ${pkgs.jq}/bin/jq -r '.accessToken')        
+
+          ${lib.optionalString (serverCfg.containers ? authentik) ''
+          ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
+          ${pkgs.jq}/bin/jq '.oauth.enabled = true | 
+                            .oauth.autoRegister = true |
+                            .oauth.autoLaunch = true |
+                            .oauth.signingAlgorithm = "RS256" |
+                            .oauth.profileSigningAlgorithm = "RS256" |
+                            .oauth.clientId = "immich" | 
+                            .oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" | 
+                            .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" | 
+                            .oauth.scope = "openid profile email" |
+                            .oauth.buttonText = "Login with SSO"' | \
+          ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
+          ''}
+
+          ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
+          ${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
+                            .storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
+          ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
+          
+      '';
+    };
+  };
+}

modules/server/containers/apps/influx.nix

@@ -0,0 +1,148 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  version = "latest";
+
+  influxSource = pkgs.writers.writeYAML "influx.yaml" {
+  apiVersion = 1;
+  datasources = [
+    {
+      name = "Telegraf";
+      type = "influxdb";
+      access = "proxy";
+      url = "http://influx-db:8181";
+      jsonData = {
+        version = "SQL";
+        dbName = "telegraf";
+        httpMode = "POST";
+        insecureGrpc = true;
+      };
+      secureJsonData = {
+        token = "\${INFLUXDB_TOKEN}"; 
+      };
+      isDefault = true;
+      editable = true;
+    }
+  ];
+};
+
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config.path}/influxdb/";
+      owner = "1500:1500";
+      mode = "0755"; 
+    }{
+      path = "${serverCfg.path.data.path}/influxdb/";
+      dirs = ["data" "ui"];
+      owner = "1500:1500";
+      mode = "0755"; 
+    }];
+
+    containers = {
+      db = builder.mkContainer {
+        image = "influxdb:3-core";
+        secret = name;
+        extraEnv = {
+          INFLUXD_DB_PATH = "/db";
+          INFLUXD_CONFIG_PATH = "/config";
+        };
+        overrides = {
+          cmd = [ "influxdb3" "serve" "--node-id=node0" "--data-dir=/var/lib/influxdb3/data" "--admin-token-file=/var/lib/influxdb3/token.json" ];
+          ports = [ "8181:8181" ];
+          volumes = [
+            "${serverCfg.path.data.path}/influxdb/data:/var/lib/influxdb3/data:rw"
+            "${serverCfg.path.config.path}/influxdb/admin-token.json:/var/lib/influxdb3/token.json:ro"
+
+          ];
+        };
+      };
+
+      ui = if(containerCfg.extra?explorer) then builder.mkContainer {
+        tmpfs = true;
+        authentik = true;
+        subdomain = containerCfg.subdomain;
+        image = "influxdata/influxdb3-ui:${version}";
+        port = 8080; # 8888 is something else
+        secret = name;
+        extraEnv = {
+          DATABASE_URL = "/db/sqlite.db"; 
+          DEFAULT_INFLUX_SERVER = "http://${builder.host}:8181";
+        };
+        overrides = {
+          cmd = [ "--mode=admin" ]; 
+          volumes = [
+            "${serverCfg.path.data.path}/influxdb/ui:/db:rw"
+            "${serverCfg.path.config.path}/influxdb/:/app-root/config:rw"
+          ];
+        };
+      } else builder.mkContainer {
+        tmpfs = true;
+        authentik = true;
+        subdomain = containerCfg.subdomain;
+        image = "grafana/grafana:${version}";
+        port = 3000;
+        extraEnv = {
+          GF_SERVER_ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
+          GF_DEFAULT_INSTANCE_NAME = serverCfg.domain;
+          GF_SECURITY_ADMIN_USER = "\${DEFAULT_ADMIN_USERNAME}"; 
+          GF_SECURITY_ADMIN_PASSWORD = "\${DEFAULT_ADMIN_PASSWORD}";
+          GF_SECURITY_ADMIN_EMAIL = "\${DEFAULT_ADMIN_EMAIL}";
+          GF_SECURITY_COOKIE_SECURE = "true";
+          GF_USERS_ALLOW_SIGN_UP = "false";
+          GF_USERS_AUTO_ASSIGN_ORG = "true";
+          GF_USERS_AUTO_ASSIGN_ORG_ROLE = "true";
+          GF_AUTH_PROXY_ENABLED = "true";
+          GF_AUTH_PROXY_HEADER_NAME = "X-authentik-username";
+          GF_AUTH_PROXY_HEADER_PROPERTY = "username";
+          GF_AUTH_PROXY_AUTO_SIGN_UP = "true";
+          GF_DATABASE_TYPE = "postgres";
+          GF_DATABASE_HOST = "${builder.host}";
+          GF_DATABASE_NAME = "influx_db";
+          GF_DATABASE_USER = "influx_user";
+          GF_ANALYTICS_REPORTING_ENABLED = "false";
+          GF_CHECK_FOR_UPDATED = "false";
+          GF_LIVE_HA_ENGINE = "redis";
+          GF_LIVE_HA_ENGINE_ADRESS = "${builder.host}:6379";
+          DEFAULT_INFLUX_SERVER = "http://${builder.host}:8181";
+        };
+        overrides = { 
+          user = "1500:1500";
+          environmentFiles =  [ config.sops.secrets."INFLUX".path config.sops.secrets."CUSTOM".path ] ;
+          volumes = [
+            "${serverCfg.path.data.path}/influxdb/ui:/var/lib/grafana:rw"
+            "${influxSource}:/etc/grafana/provisioning/datasources/influx.yaml:ro"
+          ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "db";
+      envFile =  config.sops.secrets."INFLUX".path;
+      script = pkgs.writeShellScript "setup" ''
+        cat > ${serverCfg.path.config.path}/influxdb/config.json << EOF
+{
+  "DEFAULT_INFLUX_SERVER": "http://${builder.host}:8181",
+  "DEFAULT_INFLUX_DATABASE": "main",
+  "DEFAULT_API_TOKEN": "$INFLUXDB_TOKEN",
+  "DEFAULT_SERVER_NAME": "${serverCfg.domain}"
+}
+EOF
+
+      cat > ${serverCfg.path.config.path}/influxdb/admin-token.json << EOF
+{
+  "token": "$INFLUXDB_TOKEN",
+  "name": "admin",
+  "description": "Admin token for automated deployment"
+}
+EOF
+      '';
+    };
+  };
+}

modules/server/containers/apps/invidious.nix

@@ -0,0 +1,83 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+
+  patchedInvidious = pkgs.invidious.overrideAttrs (oldAttrs: {
+    postPatch = (oldAttrs.postPatch or "") + ''
+      cp ${../data/invidious/login.cr} src/invidious/routes/login.cr
+    '';
+  });
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.invidious.name;
+    tag = pkgs.invidious.version;
+
+    contents = [ pkgs.cacert patchedInvidious ];
+    config = {
+      Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
+      ExposedPorts = { "3000/tcp" = {}; };
+      Env = [ 
+        "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+        "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      ];
+    };
+  };
+
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config.path}/invidious";
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 3000;
+        secret = name;
+        extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
+          "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
+          "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+          "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+          "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+        };
+        extraEnv = {
+          INVIDIOUS_CONFIG_FILE = "/data/config.yml";
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.config.path}/invidious:/data:ro"
+          ];
+        };
+      };
+
+      companion = builder.mkContainer {
+        image = "quay.io/invidious/invidious-companion:latest";
+        port = 8282;
+        secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
+        extraOptions = [
+          "--cap-drop=all"
+          "--security-opt=no-new-privileges"
+        ];
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
+      script = pkgs.writeShellScript "setup" ''
+        export DB_HOST=${builder.host}
+        export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
+
+        ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.path.config.path}/invidious/config.yml"
+      '';
+    };
+  };
+}

modules/server/containers/apps/jellyfin.nix

@@ -0,0 +1,175 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let
+  serverCfg = config.syscfg.server;
+  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
+  nss = pkgs.dockerTools.fakeNss.override {
+    extraPasswdLines = [
+      "jellyfin:x:1000:1000:Jellyfin Daemon:/config/data:/bin/false"
+    ];
+    extraGroupLines = [
+      "jellyfin:x:1000:"
+    ];
+  };
+  image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
+    name = pkgs.jellyfin.name;
+    tag = pkgs.jellyfin.version;  
+    contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
+    config = {
+      User = "jellyfin:jellyfin"; 
+      Entrypoint = [ "${pkgs.jellyfin}/bin/jellyfin" ];
+      ExposedPorts = { "8096/tcp" = { }; };
+      Env = [ 
+        "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+        "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      ];
+    };
+  };
+in {
+  runtime = {
+    paths = [
+      {
+        path = "${serverCfg.path.config.path}/jellyfin/";
+        owner = "1000:1000";
+        mode = "0755";
+      }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        tmpfs = true;
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 8096;
+        extraEnv = {
+          HOME = "/config/data";
+          DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
+          JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
+          JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
+        };
+        overrides = {
+          cmd = [
+          "--datadir" "/config/data"
+          "--cachedir" "/config/cache"
+          "--configdir" "/config/config"
+          "--logdir" "/config/log" 
+          ];
+          volumes = [
+            "${serverCfg.path.film.path}:/media:ro" 
+            "${serverCfg.path.config.path}/jellyfin:/config"
+          ];
+          # If you have an Intel/AMD GPU for transcoding, add the device:
+          devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."CUSTOM".path;
+      script = pkgs.writeShellScript "setup" ''
+        JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+        until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
+          sleep 5
+        done
+        echo "Jellyfin is up. Sleeping for 20 seconds..."
+        sleep 20
+        WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
+          ${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
+        if [ "$WIZARD_COMPLETE" = "false" ]; then
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
+            -H "Content-Type: application/json" \
+            -d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
+            echo "ERROR: Failed to set startup configuration."
+            exit 1
+          fi
+          
+          if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
+            echo "ERROR: Failed to get base user."
+            exit 1
+          fi
+
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
+            -H 'accept: */*' -H "Content-Type: application/json" \
+            -d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
+            echo "ERROR: Failed to set admin user."
+            exit 1
+          fi
+
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
+            -H "Content-Type: application/json" \
+            -d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
+            echo "ERROR: Failed to configure remote access."
+            exit 1
+          fi
+
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
+            echo "ERROR: Failed to complete wizard."
+            exit 1
+          fi
+          echo "Jellyfin initialization successfully completed!"
+        fi
+
+        ${lib.optionalString (serverCfg.containers ? authentik) ''
+        JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
+          -H "Content-Type: application/json" \
+          -H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
+          -d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
+          | ${pkgs.jq}/bin/jq -r '.AccessToken')
+
+        # Verify we got a token
+        if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
+            echo "ERROR: Authentication failed."
+            exit 1
+        fi
+        if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+            "$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
+          echo "LDAP Plugin is already installed. Skipping setup."
+        else
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
+              -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+              -H "Content-Length: 0"; then
+            echo "ERROR: LDAP Plugin Setup Failed."
+            exit 1
+          fi
+
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
+              -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+              -H "Content-Length: 0"; then
+            echo "ERROR: Server failed to accept restart command."
+            exit 1
+          fi
+          sleep 1-
+          until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
+            sleep 5
+          done
+          echo "Jellyfin is up. Sleeping for 20 seconds..."
+          sleep 20
+        fi
+
+        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
+            -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+            -H "Content-Type: application/json" -H 'accept: */*' \
+            -d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
+            "LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
+            "LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
+            "LdapSearchAttributes":"uid, cn, mail, displayName",
+            "LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
+            "EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
+            "EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
+            "LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
+            "EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
+          echo "ERROR: LDAP Plugin Setup Failed."
+          exit 1
+        fi
+        ''}
+
+        ${pkgs.sqlite}/bin/sqlite3 ${serverCfg.path.config.path}/jellyfin/data/data/jellyfin.db <<EOF
+INSERT OR IGNORE INTO ApiKeys (Id, AccessToken, Name, DateCreated, DateLastActivity) 
+VALUES ( 1, "$HOMEPAGE_VAR_JELLYFIN_API", 'Home', strftime('%Y-%m-%d %H:%M:%S', 'now'), strftime('%Y-%m-%d %H:%M:%S', 'now'));
+EOF
+        echo "Completed Setup"
+
+      '';
+    };
+  };
+}

modules/server/containers/apps/nextcloud.nix

@@ -0,0 +1,232 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  version = "31";
+  serverCfg = config.syscfg.server;
+  mediaCfg = config.syscfg.media;
+  backgroundImage = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
+  backgroundFileName = builtins.baseNameOf (toString backgroundImage);
+  logoPngFileName = builtins.baseNameOf (toString mediaCfg.logo.png);
+  logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
+  logoIcoFileName = builtins.baseNameOf (toString mediaCfg.logo.ico);
+  logoPngMount = "/var/www/html/themes/hcl/${logoPngFileName}";
+  logoSvgMount = "/var/www/html/themes/hcl/${logoSvgFileName}";
+  logoIcoMount = "/var/www/html/themes/hcl/${logoIcoFileName}";
+  backgroundMount = "/var/www/html/themes/hcl/${backgroundFileName}";
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config.path}/nextcloud";
+      owner = "33:33";
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        tmpfs = true;
+        subdomain = containerCfg.subdomain;
+        image = "nextcloud:${version}";
+        port = 80;
+        secret = name;
+        extraEnv = {
+          REDIS_HOST = builder.host;
+          POSTGRES_HOST = builder.host;
+          POSTGRES_USER = "nextcloud_user";
+          POSTGRES_DB = "nextcloud_db";
+          AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+          NEXTCLOUD_TRUSTED_DOMAINS = "${containerCfg.subdomain}.${serverCfg.domain} nextcloud-server";
+          OVERWRITEPROTOCOL = "https";
+          NEXTCLOUD_CLI_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
+          # SMTP_HOST = serverCfg.mail.server;
+          # SMTP_NAME = "mail_user";
+          # SMTP_PASSWORD = "mail_password";
+          # MAIL_FROM_ADDRESS = "${containerCfg.subdomain}@${serverCfg.domain}";
+          # MAIL_DOMAIN = serverCfg.mail.domain;
+          TRUSTED_PROXIES = "10.10.0.0/16 192.168.0.0/16";
+          NEXTCLOUD_DATA_DIR = "/var/www/html/data";
+        };
+        extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "hsts-headers@docker,${containerCfg.subdomain}-caldav";
+          "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
+          "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
+          "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
+        };
+        overrides = {
+          ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
+          volumes = [
+            "${serverCfg.path.config.path}/nextcloud:/var/www/html"
+            "${serverCfg.path.cloud.path}:/var/www/html/data"
+            "${mediaCfg.logo.png}:${logoPngMount}:ro"
+            "${mediaCfg.logo.svg}:${logoSvgMount}:ro"
+            "${mediaCfg.logo.ico}:${logoIcoMount}:ro"
+            "${backgroundImage}:${backgroundMount}:ro"
+          ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = [config.sops.secrets."CUSTOM".path config.sops.secrets."NEXTCLOUD".path ];
+      script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e POSTGRES_PASSWORD=$POSTGRES_PASSWORD -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ"
+
+      echo "Waiting for Nextcloud container to start..."
+      until $OCC status > /dev/null 2>&1; do
+        sleep 2
+      done
+
+      INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
+      if [ -z "$INSTALLED" ]; then
+        echo "Running first-time setup..."
+        
+        $OCC maintenance:install \
+          --admin-user "$DEFAULT_ADMIN_USERNAME" \
+          --admin-pass "$DEFAULT_ADMIN_PASSWORD" \
+          --database "pgsql" \
+          --database-host "${builder.host}" \
+          --database-name "nextcloud_db" \
+          --database-user "nextcloud_user" \
+          --database-pass "$POSTGRES_PASSWORD" \
+          --data-dir "/var/www/html/data"
+
+
+
+      fi
+
+      echo "Applying Settings..."
+
+        $OCC config:system:set dbhost --value="${builder.host}"
+        $OCC config:system:set dbuser --value="nextcloud_user"
+        $OCC config:system:set dbpassword --value="$POSTGRES_PASSWORD"
+        $OCC config:system:set dbname --value="nextcloud_db"
+        $OCC config:system:set memcache.local --value="\OC\Memcache\Redis"
+        $OCC config:system:set memcache.locking --value="\OC\Memcache\Redis"
+        $OCC config:system:set redis --value='{"host":"${builder.host}", "port":6379, "timeout":0.0}' --type=json
+        $OCC config:system:set trusted_domains 1 --value=${containerCfg.subdomain}.${serverCfg.domain}
+        $OCC config:system:set default_phone_region --value="CH"
+        $OCC config:system:set overwriteprotocol --value="https"
+        $OCC config:app:set core backgroundjobs_mode --value="cron"
+        $OCC config:system:set maintenance_window_start --type=integer --value=1
+        $OCC config:system:set default_language --value="en"
+        $OCC config:system:set default_locale --value="en_CH"
+        $OCC config:system:set overwriteprotocol --value="https"
+        $OCC config:system:set overwrite.cli.url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
+
+        echo "Applying Apps..."
+        $OCC app:disable activity || true
+        $OCC app:disable app_api || true
+        $OCC app:disable comments || true
+        $OCC app:disable firstrunwizard || true
+        $OCC config:system:set show_first_run_wizard --type=bool --value=false
+        $OCC app:disable nextcloud_announcements || true
+        $OCC app:disable oauth2 || true
+        $OCC app:disable recommendations || true
+        $OCC app:disable sharebymail || true
+        $OCC app:disable support || true
+        $OCC app:disable survey_client || true
+        $OCC app:disable updatenotification || true
+        $OCC app:disable user_status || true
+
+        $OCC app:install calendar || true
+        $OCC app:install contacts || true
+        $OCC app:install camerarawpreviews || true
+        $OCC app:install cospend || true
+        $OCC app:install deck || true
+        $OCC app:install files_markdown || true
+        $OCC app:install forms || true
+        $OCC app:install groupfolders || true
+        $OCC app:install ownpad || true
+        $OCC app:install previewgenerator || true
+        $OCC app:install richdocuments || true
+        ${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
+        # $OCC app:install side_menu || true 
+        $OCC app:install spreed || true
+        $OCC app:install teamfolders || true
+        ${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
+
+        echo "Applying Apps Settings..."
+        $OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
+        $OCC config:app:set cospend allow_federation --value="yes"
+        
+        ${lib.optionalString (serverCfg.containers ? ethercalc) ''
+        $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
+        $OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? etherpad) ''
+        $OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
+        $OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? collabora) ''
+        $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}/"
+        $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}"
+        $OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? authentik) ''
+        $OCC saml:config:set 1 --general-idp0_display_name="authentik"
+        $OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
+        $OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}"
+        $OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/sso/binding/redirect/"
+        $OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/slo/binding/redirect/"
+        AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
+        $OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT" 
+
+        $OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
+        $OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+        $OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
+
+        $OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
+        $OCC group:add cloud || true
+        $OCC group:adduser admin $DEFAULT_ADMIN_USERNAME
+        $OCC config:app:set user_saml general-group_provisioning --value="0"
+        $OCC config:app:set user_saml general-require_provisioning_groups --value="1"
+        ''}
+        # configure side_menu ...
+        FOLDERS=$($OCC teamfolders:list --format=json)
+        ${builtins.concatStringsSep "\n" (map (name: ''
+          if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
+              $OCC teamfolders:create "${name}"
+          fi
+        '') containerCfg.extra.teamFolders or [])}
+        SERVERS=$($OCC federation:list-servers --format=json)
+        ${builtins.concatStringsSep "\n" (map (domain: ''
+          if ! echo "$SERVERS" | grep -q "${domain}"; then
+            $OCC federation:add-server "https://${domain}"
+          fi
+        '') containerCfg.extra.federatedServers or [])}
+        $OCC config:app:set systemtags allow_user_creating --value="no"
+        
+      #else
+      #    echo "Nextcloud is already installed. Skipping setup."
+      #fi
+
+      echo "Applying Theme..."
+      $OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
+      ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
+      ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
+      $OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
+      $OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
+      $OCC theming:config logo "${logoPngMount}"
+      $OCC theming:config logoheader "${logoSvgMount}"
+      $OCC theming:config favicon "${logoIcoMount}"
+      $OCC theming:config background "${backgroundMount}"
+
+      $OCC config:app:set serverinfo token --value="$HOMEPAGE_VAR_NEXTCLOUD_API"
+
+      echo "Maintenance..."
+      $OCC app:update --all
+      $OCC maintenance:repair --include-expensive --no-interaction
+      $OCC db:add-missing-indices --no-interaction
+
+      echo "Completed Setup"
+      '';
+    };
+
+    cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
+  };
+}

modules/server/containers/apps/openhab.nix

@@ -0,0 +1,77 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  version = "5.1.4"; 
+
+in {
+  runtime = {
+    paths = [
+      { path="${serverCfg.path.config.path}/openhab/conf";  owner="1000:1000"; mode = "0755"; }
+      { path="${serverCfg.path.config.path}/openhab/userdata";  owner="1000:1000"; mode = "0755"; }
+      { path="${serverCfg.path.config.path}/openhab/addons";  owner="1000:1000"; mode = "0755"; }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "openhab/openhab:${version}";
+        port = 8080; 
+        extraEnv = { 
+          USER_ID = "1000";
+          GROUP_ID = "1000";
+          CRYPTO_POLICY = "unlimited";
+          OPENHAB_HTTP_PORT = "8080";
+        };
+        extraOptions = [
+          "--network=host"
+          "--cap-add=NET_ADMIN"
+          "--cap-add=NET_RAW"
+          "--no-healthcheck"
+        ];
+        overrides = {
+          volumes = [ 
+            "${serverCfg.path.config.path}/openhab/conf:/openhab/conf"
+            "${serverCfg.path.config.path}/openhab/userdata:/openhab/userdata"
+            "${serverCfg.path.config.path}/openhab/addons:/opt/openhab/addons"
+            "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro"
+          ];
+         };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = [ config.sops.secrets."CUSTOM".path ];
+      script = pkgs.writeShellScript "setup" ''
+        # Pre-generate openHAB directories on the host
+        OHAB="${pkgs.podman}/bin/podman --events-backend=none exec openhab-server /openhab/runtime/bin/client -u openhab -p habopen"
+        sleep 20
+        exit 0
+        $OHAB openhab:users add $DEFAULT_ADMIN_USERNAME $DEFAULT_ADMIN_PASSWORD administrator 
+        $OHAB feature:list
+        $OHAB openhab:addons install persistance-mapdb
+        $OHAB openhab:addons install persistance-influxdb
+
+        $OHAB openhab:addons install ui-basic
+        $OHAB openhab:addons install automation-jsscripting
+
+        $OHAB openhab:addons install binding-telegram
+        $OHAB openhab:addons install binding-matter
+        $OHAB openhab:addons install binding-mqtt
+        $OHAB openhab:addons install binding-bluetooth
+        $OHAB openhab:addons install binding-zigbee
+        $OHAB openhab:addons install binding-chromecast
+        $OHAB openhab:addons install binding-astro
+        $OHAB openhab:addons install binding-meteoblue
+        $OHAB openhab:addons install binding-publictransportswitzerland
+
+        #IF APPLE DEVICE: HomeKit (siri/apple bridge)
+        #IF UBIQUITY NET: Unifi + UnifiProtect (net/cam bridge)
+        #IF YAMAHA+EPSON: EpsonProjector + Yamaha (projector and sound)
+        #IF BAMBULAB DEVICE: BambuLab (notify print state)
+        #IF GARDENA DEVICE: Gardena (smart watering)
+        #Extra: AndroidTV/Jellyfin (Bind with lights + more)
+      '';
+    };
+  };
+}

modules/server/containers/apps/searxng.nix

@@ -0,0 +1,87 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  version = "latest";
+  serverCfg = config.syscfg.server;
+  settings = pkgs.writeText"settings.yml" (pkgs.lib.generators.toYAML {}{
+    use_default_settings = true;
+    brand = {
+        issue_url = "";
+        docs_url = "";
+        public_instances = "";
+        wiki_url = "";
+        custom = {
+            links = {
+                "Home" = "https://${serverCfg.domain}";
+                # "Status" = "https://status.${serverCfg.domain}";
+            };
+        };
+        pwa_colors = {
+            theme_color_light = "${serverCfg.colorScheme.palette.base0C}";
+            background_color_light = "${serverCfg.colorScheme.palette.base07}";
+            theme_color_dark = "${serverCfg.colorScheme.palette.base0C}";
+            background_color_dark = "${serverCfg.colorScheme.palette.base02}";
+            theme_color_black = "${serverCfg.colorScheme.palette.base0C}";
+            background_color_black = "${serverCfg.colorScheme.palette.base01}";
+        };
+    };
+    general = {
+        debug = false;
+        instance_name = if containerCfg.extra ? instanceName then containerCfg.extra.instanceName else "SearXNG";
+        privacypolicy_url = false;
+        donation_url = false;
+        contact_url = false;
+        enable_metrics = false;
+    };
+    search = {
+        safe_search = 0;
+        autocomplete = if containerCfg.extra ? autocomplete then containerCfg.extra.autocomplete else "";
+        languages = [ "all" "en" "en-US" "ja" "de-CH" "fr-CH" "nb" ];
+    };
+    server = {
+        # secret_key = ""; SET BY ENV VAR
+    };
+    ui = {
+        default_locale = if containerCfg.extra ? defaultLocale then containerCfg.extra.defaultLocale else "en";
+        # query_in_title = "true";
+        #default_theme = "custom";
+        custom_css = "footer { display: none !important; }";
+    };
+    # categories_as_tabs = {
+    #     general = {};
+    #     images ={};
+    #     videos = {};
+    #     news = {};
+    #     files = {};
+    # };
+    plugins = {
+        "searx.plugins.infinite_scroll.SXNGPlugin".active = true;
+        "searx.plugins.tracker_url_remover.SXNGPlugin".active = true;
+    };
+  });
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "searxng/searxng:${version}";
+        port = 8080;
+        secret = name;
+        extraEnv = { 
+          SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
+          SEARXNG_PORT = "8080";
+          SEARXNG_BIND_ADDRESS = "[::]";
+          SEARXNG_PUBLIC_INSTANCE = "false";
+          SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
+          #SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
+        };
+        overrides = {
+          volumes = [ 
+              "${settings}:/etc/searxng/settings.yml"
+          ];
+         };
+      };
+    };
+  };
+}

modules/server/containers/apps/selfmark.nix

@@ -0,0 +1,91 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let
+  version = "latest";
+  serverCfg = config.syscfg.server;
+in {
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config.path}/selfmark/";
+      owner = "1000:1000";
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        authentik = true;
+        subdomain = containerCfg.subdomain;
+        subpath = containerCfg.subpath;
+        image = "ghcr.io/calibrain/shelfmark:${version}";
+        port = 8080;
+        
+        extraEnv = {
+          # HARDCOVER_API_KEY = ""; #FROM SOPS
+          # AA_DONATOR_KEY = ""; #FROM SOPS
+          # PROWLARR_API_KEY = ""; #FROM SOPS
+
+          FLASK_PORT = "8080";
+          PUID = "1000";
+          PGID = "1000";
+          USING_TOR = "false";
+          ONBOARDING = "false";
+          SUPPORTED_FORMATS = "epub,mobi,azw3,fb2,djvu,cbz,cbr,pdf";
+          SUPPORTED_AUDIOBOOK_FORMATS = "mp3, m4b";
+          BOOK_LANGUAGE = "en,fr"; # ,de,jp";
+          SEARCH_MODE = "universal";
+          AA_DEFAULT_SORT = "relevance";
+          METADATA_PROVIDER = "openlibrary";
+          INGEST_DIR = "/books";
+          BOOKS_OUTPUT_MODE = "/output";
+          FILE_ORGANIZATION = "organize";
+          TEMPLATE_RENAME = "{Author} - {Title} ({Year})";
+          TEMPLATE_ORGANIZE = "{Author}/{Title} ({Year})";
+          HARDLINK_TORRENTS = "false";
+          FILE_ORGANIZATION_AUDIOBOOK = "organize";
+          TEMPLATE_RENAME_AUDIOBOOK = "{Author} - {Title}";
+          TEMPLATE_ORGANIZE_AUDIOBOOK = "{Author}/{Title} ({Year})";
+
+          HARDCOVER_ENABLED = "true";
+          HARDCOVER_DEFAULT_SORT = "relevance";
+          OPENLIBRARY_ENABLED = "true";
+          OPENLIBRARY_DEFAULT_SORT = "relevance";
+          DIRECT_DOWNLOAD_ENABLED = "true";
+
+          USE_CF_BYPASS = "true";
+          AA_BASE_URL = "auto";
+          AA_MIRROR_URLS = "https://annas-archive.gl,https://annas-archive.pk,https://annas-archive.gd,";
+          LIBGEN_MIRROR_URLS = "https://libgen.li,https://libgen.vg,https://libgen.la,https://libgen.bz,https://libgen.gl";
+          ZLIB_MIRROR_URLS = "https://z-lib.sk,https://z-library.gs,https://z-lib.fm,https://z-lib.gd,https://z-lib.gl";
+          # WELIB_MIRROR_URLS = "https://welib.org"; #avoid
+        } // lib.optionalAttrs(containerCfg.subpath != null) {
+          BASE_PATH = "/${containerCfg.subpath}";
+          URL_BASE = "/${containerCfg.subpath}";
+        } // lib.optionalAttrs(serverCfg.containers?calibre) {
+          CALIBRE_WEB_URL = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}";
+        } // lib.optionalAttrs(serverCfg.containers?authentik) {
+          AUTH_METHOD = "proxy";
+          PROXY_AUTH_USER_HEADER = "X-authentik-username";
+          PROXY_AUTH_ADMIN_GROUP_HEADER = "X-authentik-groups";
+          PROXY_AUTH_ADMIN_GROUP_NAME = "admin";
+        } // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "prowlarr" serverCfg.containers.servarr.extra.modules) ({
+          PROWLARR_ENABLED = "true";
+          PROWLARR_URL = "http://servarr-prowlarr:8989";
+        } // lib.optionalAttrs(serverCfg.containers?transmission) {
+          PROWLARR_TORRENT_CLIENT = "transmission";
+          TRANSMISSION_URL = "http://transmission-server:9091";
+        }) // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "flaresolverr" serverCfg.containers.servarr.extra.modules) {
+          USING_EXTERNAL_BYPASSER = "true";
+          EXT_BYPASSER_URL = "http://servarr-flaresolverr:8191";
+          EXT_BYPASSER_PATH = "/v1";
+          EXT_BYPASSER_TIMEOUT = "60000";
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.dlIncomplete.path}:/books:rw"
+            "${serverCfg.path.dlComplete.path}:/output:rw"
+            "${serverCfg.path.config.path}/selfmark:/config:rw"
+           ];
+         };
+      };
+    };
+  };
+}

modules/server/containers/apps/suwayomi.nix

@@ -0,0 +1,54 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let
+  version = "stable"; 
+  serverCfg = config.syscfg.server;
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    containers = {
+      server = builder.mkContainer {
+        authentik = true;
+        subdomain = containerCfg.subdomain;
+        image = "ghcr.io/suwayomi/suwayomi-server:${version}";
+        port = 4567;
+        secret = name;
+
+        extraEnv = {
+          BIND_PORT = "4567";
+          AUTH_MODE = "none";
+          WEB_UI_ENABLED = "true";
+          WEB_UI_FLAVOR = "WebUI";
+          # AUTO_DOWNLOAD_CHAPTERS = true;
+          # AUTO_DOWNLOAD_EXCLUDE_UNREAD = true;
+          # AUTO_DOWNLOAD_NEW_CHAPTERS_LIMIT = 0;
+          # AUTO_DOWNLOAD_IGNORE_REUPLOADS = false;
+          # DOWNLOAD_CONVERSIONS = {};
+          # SERVE_CONVERSIONS = {};
+          # MAX_SOURCES_IN_PARALLEL = 6;
+          # UPDATE_EXCLUDE_UNREAD = true;
+          # UPDATE_EXCLUDE_STARTED = true;
+          # UPDATE_EXCLUDE_COMPLETED = true;
+          # UPDATE_INTERVAL = 12; #Hours
+          # UPDATE_MANGA_INFO = false;
+          DATABASE_TYPE = "POSTGRESQL";
+          DATABASE_URL = "postgresql://${builder.host}/suwayomi_db";
+          DATABASE_USERNAME = "suwayomi_user";
+          FLARESOLVERR_ENABLED = lib.boolToString (builtins.elem "flaresolverr" (((config.syscfg.server.containers.servarr or {}).extra or {}).modules or []));
+          FLARESOLVERR_URL = "http://servarr-flaresolverr:8191";
+          EXTENSION_REPOS = "[\"https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json\"]"; #https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json
+        };
+
+        overrides = {
+          volumes = [
+            "${serverCfg.path.manga.path}:/home/suwayomi/.local/share/Tachidesk/downloads"
+            # "${serverCfg.path.config.path}/suwayomi:/home/suwayomi/.local/share/Tachidesk"
+          ];
+        };
+      };
+    };
+  };
+}

modules/server/containers/apps/traefik.nix

@@ -0,0 +1,88 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "traefik";
+    tag = pkgs.traefik.version;
+    contents = with pkgs;[ cacert tzdata ];
+    config = {
+      Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
+      WorkingDir = "/";
+    };
+  };
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+
+    containers = {
+      server = builder.mkContainer {
+        imageStream = image;
+        subdomain = containerCfg.subdomain;
+        port = 8080;
+        secret = name;
+        extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
+          "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
+
+
+          "traefik.http.middlewares.hsts-headers.headers.stsSeconds" = "15552000";
+          "traefik.http.middlewares.hsts-headers.headers.stsIncludeSubdomains" = "true";
+          "traefik.http.middlewares.hsts-headers.headers.stsPreload" = "true";
+          "traefik.http.middlewares.hsts-headers.headers.forceSTSHeader" = "true";
+                  
+          "traefik.http.routers.${containerCfg.subdomain}.middlewares" =  if serverCfg.containers?authentik then "authentik" else "";
+        } // (if serverCfg.containers?authentik then {
+          "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
+          "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
+          "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
+          "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
+        } else {}) // (if serverCfg.containers?umami then {
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
+        } else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then {
+          "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
+          "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}";
+          "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}";
+        } else {});
+        extraEnv = { };
+        overrides = {
+          cmd = [ 
+            "--api"
+            "--log.level=INFO"
+            "--providers.docker=true"
+            "--global.checknewversion=false"
+            "--global.sendanonymoususage=false"
+            "--api.insecure=true"
+            "--api.dashboard=true"
+            "--providers.docker.exposedByDefault=false"
+            "--entrypoints.web.address=:80"
+            "--entrypoints.web-secure.address=:443"
+            "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
+            "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+            "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
+            "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
+          ] ++ (if serverCfg.containers ? umami  then [
+            "--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
+            "--experimental.plugins.umami-feeder.version=v1.4.1"
+            "--entrypoints.web-secure.http.middlewares=umami-global@docker"
+          ] else []) ++ (if containerCfg.extra ? provider then [
+            "--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}"
+            "--certificatesresolvers.default.acme.dnschallenge=true"
+            "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
+            "--certificatesresolvers.default.acme.storage=/acme.json"
+          ] else if serverCfg.domain != "localhost" then [
+            "--certificatesresolvers.default.acme.httpchallenge=false"
+            "--certificatesresolvers.default.acme.tlschallenge=true"
+          ] else []);
+          ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
+          volumes = [
+            "/var/run/podman/podman.sock:/var/run/docker.sock"
+          ];
+        };
+      };
+    };
+  };
+}

modules/server/containers/apps/transmission.nix

@@ -0,0 +1,59 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.transmission_4.name;
+    tag = pkgs.transmission_4.version;
+    contents = [ pkgs.cacert ];
+    config = {
+        Cmd = [ "${pkgs.transmission_4}/bin/transmission-daemon" "--foreground" "--config-dir" "/config" ];
+        ExposedPorts = {
+            "9091/tcp" = {};
+            "51413/tcp" = {}; "51413/udp" = {};
+        };
+    };
+  };
+in {
+  runtime = {
+    paths = [{
+        path = "${serverCfg.path.config.path}/transmission";
+        owner = "1000:1000";
+        mode = "0755";
+      }];
+
+    containers = {
+      server = builder.mkContainer {
+        authentik = true;
+        subdomain = containerCfg.subdomain;
+        subpath = containerCfg.subpath;
+        imageStream = image;
+        port = 9091;
+        
+        extraEnv = {
+          PUID = "1000";
+          PGID = "1000";
+          WHITELIST = "";# 127.0.0.1,::1,10.*";
+          # HOST_WHITELIST = "traefik-server,authentik-server,authentik-worker";
+        };
+
+        overrides = {
+          volumes = [
+            "${serverCfg.path.dlComplete.path}:/downloads/complete"
+            "${serverCfg.path.dlIncomplete.path}:/downloads/incomplete"
+            "${serverCfg.path.config.path}/transmission:/config"
+          ];
+        };
+      };
+    };
+
+
+    setup = {
+      trigger = "server";
+      envFile = [ config.sops.secrets."CUSTOM".path ];
+      script = pkgs.writeShellScript "setup" ''
+
+        ${pkgs.gettext}/bin/envsubst < "${../data/transmission/settings.json}" > "${serverCfg.path.config.path}/transmission/config/settings.json"
+      '';
+    };
+  };
+}

modules/server/containers/apps/trmnl.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/umami.nix

@@ -0,0 +1,54 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  
+  # Umami image built from nixpkgs
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.umami.name;
+    tag = pkgs.umami.version;
+    contents = with pkgs; [ cacert openssl ];
+    config = {
+      # Umami in nixpkgs typically provides a binary or script to start the server
+      Entrypoint = [ "${pkgs.umami}/bin/umami-server" ];
+      ExposedPorts = { "3000/tcp" = {}; };
+      Env = [ "NODE_ENV=production" ];
+    };
+  };
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config.path}/umami/";
+      mode = "0444";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        authentik = true;
+        tmpfs = true;
+        subdomain = containerCfg.subdomain;
+        image = "${pkgs.umami.name}:${pkgs.umami.version}"; 
+        imageStream = image;
+        port = 3000;
+        secret = name;
+        extraEnv = {
+          PORT = "3000";
+          # HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
+          DATABASE_TYPE = "postgresql";
+          REDIS_URL = "redis://${builder.host}";
+          CLIENT_IP_HEADER = "X-Forwarded-For";
+          BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
+          # DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
+
+        };
+        overrides = {
+          cmd = [ "start" ]; # Specific command for the umami binary
+         };
+      };
+    };
+  };
+}

modules/server/containers/builder.nix

@@ -0,0 +1,129 @@
+{ config, lib, pkgs, serverCfg }:
+let 
+  mkRouterName = { subdomain, subpath ? null }:
+    if subpath != null
+    then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
+    else subdomain;
+  getOr = attrs: path: default: lib.attrByPath path default attrs;
+  mkTmpfsOption = size: "--tmpfs=/tmp:rw,noexec,nosuid,size=${size}";
+  mkAuthentikLabels =
+    { subdomain
+    , subpath ? null
+    , routerName ? mkRouterName { inherit subdomain subpath; }
+    , middleware ? "authentik"
+    }:
+    lib.optionalAttrs (serverCfg.containers ? authentik) {
+      "traefik.http.routers.${routerName}.middlewares" = middleware;
+    };
+  contBuilder =
+    { image ? null, imageStream ? null, imageFile ? null
+    , secret ? null
+    , subdomain ? null, subpath?null, port ? null
+    , authentik ? false
+    , tmpfs ? false
+    , tmpfsSize ? "512m"
+    , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
+    , overrides ? { }
+    }:
+    let 
+      routerName = mkRouterName { inherit subdomain subpath; };
+      base = {
+      image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}" 
+              else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
+      imageStream = imageStream;
+      imageFile = imageFile;
+
+      environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
+      environment = {
+        TZ = config.time.timeZone;
+      } // extraEnv;
+
+      labels = (if subdomain!=null then ({
+        "traefik.enable" = "true";
+        "traefik.http.routers.${routerName}.entrypoints" = "web-secure";
+        "traefik.http.routers.${routerName}.rule" = if subpath != null 
+          then "Host(`${subdomain}.${serverCfg.domain}`) && PathPrefix(`/${subpath}`)"
+          else "Host(`${subdomain}.${serverCfg.domain}`)";
+        "traefik.http.routers.${routerName}.tls" = "true";
+      } // lib.optionalAttrs (port!=null) {
+        "traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
+      }) else {
+        "traefik.enable" = "false";
+      })
+      // lib.optionalAttrs authentik (mkAuthentikLabels { inherit subdomain subpath routerName; })
+      // extraLabels;
+
+      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+      ]
+      ++ lib.optional tmpfs (mkTmpfsOption tmpfsSize)
+      ++ extraOptions;
+    };
+    in lib.recursiveUpdate base overrides;
+  vmBuilder = { name, vm }: ((import "${pkgs.path}/nixos/lib/eval-config.nix" {
+      system = "x86_64-linux";
+      modules = [ vm.cfg
+        ({ config, lib, modulesPath, ... }: {
+        imports = [
+          "${modulesPath}/profiles/qemu-guest.nix"
+          "${modulesPath}/virtualisation/qemu-vm.nix"
+        ];
+        networking.hostName = name;
+        networking.useDHCP = true; 
+        networking.firewall.enable = false;
+        services.qemuGuest.enable = true;
+        system.stateVersion = "26.05"; 
+        virtualisation = {
+          memorySize = vm.memory or 2048;
+          cores = vm.cores or 2;
+          forwardPorts = let
+            parsePortString = port: {
+              from = "host";
+              host.port = port;
+              guest.port = port;
+            };
+          in if (vm ? portForward && vm.portForward != null) then map parsePortString vm.portForward else [];
+        };})
+      ];
+    }).config.system.build.vm);
+in {
+  mkContainer = contBuilder;
+  mkVm = vmBuilder;
+  mkApp = name: app:
+    {
+      inherit name;
+      requires = {
+        secrets = getOr app [ "requires" "secrets" ] [ ];
+        databases = getOr app [ "requires" "databases" ] [ ];
+      };
+      exports = {
+        authentik = {
+          blueprints = getOr app [ "exports" "authentik" "blueprints" ] [ ];
+        };
+      };
+      runtime = {
+        paths = getOr app [ "runtime" "paths" ] [ ];
+        containers = getOr app [ "runtime" "containers" ] { };
+        vm = getOr app [ "runtime" "vm" ] null;
+        cron = getOr app [ "runtime" "cron" ] [ ];
+        setup = {
+          trigger = "";
+          script = null;
+          envFile = [ ];
+        } // getOr app [ "runtime" "setup" ] { };
+      };
+    };
+  mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
+    mkdir -p $out
+    cp -r ${./data + "/${dir}"}/. $out/
+    find $out -type f | while read file; do
+      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
+        substituteInPlace "$file" --replace "@${n}@" "${toString v}"
+      '') vars)}
+    done
+  '';
+  host = "host.containers.internal"; 
+  hostIp =  if (config.virtualisation.podman.defaultNetwork.settings ? subnets) 
+    then (builtins.elemAt config.virtualisation.podman.defaultNetwork.settings.subnets 0).gateway
+    else "10.88.0.1"; 
+}

modules/server/containers/data/authentik/authentik.yaml

@@ -0,0 +1,70 @@
+version: 1
+metadata:
+  name: "Initial User Setup"
+  labels:
+    blueprint-type: core
+entries:
+  # Optionally, disable the default enrollment flow entirely
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "default-source-enrollment"
+    attrs:
+      designation: "enrollment"
+      enabled: false
+  # --- GROUPS ---
+  - model: authentik_core.group
+    identifiers:
+      name: "admin"
+    attrs:
+      is_superuser: true
+
+  - model: authentik_core.group
+    identifiers:
+      name: "cloud"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "dev"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "flix"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "family"
+    attrs:
+      is_superuser: false
+
+  # --- ADMIN USERS ---
+  - model: authentik_core.user
+    identifiers:
+      username: !Env DEFAULT_ADMIN_USERNAME
+    attrs:
+      name: !Env DEFAULT_ADMIN_USERNAME
+      email: !Env DEFAULT_ADMIN_EMAIL
+      password: !Env DEFAULT_ADMIN_PASSWORD
+      path: "users"
+      groups:
+        - !Find [authentik_core.group, [name, "admin"]]
+
+  # Disable the Initial Setup Flow
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "initial-setup"
+    attrs:
+      authentication: "require_superuser"
+      enabled: false
+
+  # Disable the default 'akadmin' if it exists
+  - model: authentik_core.user
+    identifiers:
+      username: "akadmin"
+    attrs:
+      is_active: false