fix: fixed pkg dependencies for panoramax

fix: fixed database timezone alter not working
feat: reworked databse config for panoramax
2025-09-17 15:15:07 -05:00 · 2025-09-16 12:40:19 -05:00 · 2025-09-16 12:09:41 -05:00 · 2025-09-16 10:44:00 -05:00 · 2025-09-16 10:20:00 -05:00 · 2025-09-16 10:14:33 -05:00
244 changed files with 9922 additions and 1664 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
 use flake
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,4 @@
-result
+result
 .direnv
 .vscode/*
 !.vscode/settings.json
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
 [submodule "secrets"]
 	path = secrets
 	url = git@git.jan-leila.com:jan-leila/nix-config-secrets.git
--- a/.hooks/post-commit
+++ b/.hooks/post-commit
@ -1,3 +1,6 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
 #! nix-shell -i bash ../shell.nix
 echo "restoring stashed changes"
 git stash pop -q
--- a/.hooks/pre-commit
+++ b/.hooks/pre-commit
@ -1,11 +1,22 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
 #! nix-shell -i bash ../shell.nix
 echo "stashing all uncommitted changes"
 git stash -q --keep-index
-./lint.sh
+echo "checking flakes all compile"
 nix flake check
 if [ ! $? -eq 0 ]; then
    exit 1
 fi
 echo "running linter"
 alejandra -q .
 RESULT=$?
 echo "adding lint changes to commit"
 git add -u
 exit $RESULT
--- a/.sops.yaml
+++ b/.sops.yaml
@ -9,3 +9,11 @@ creation_rules:
    key_groups:
      - age:
        - *leyla
  - path_regex: secrets/vpn-keys.yaml$
    key_groups:
      - age:
        - *leyla
  - path_regex: secrets/application-keys.yaml$
    key_groups:
      - age:
        - *leyla
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,21 @@
 {
    "cSpell.words": [
        "attrsets",
        "bitwarden",
        "forgejo",
        "gids",
        "headscale",
        "hesperium",
        "jellyfin",
        "macvlan",
        "nextcloud",
        "nixos",
        "nixpkgs",
        "pihole",
        "pkgs",
        "rpool",
        "searx",
        "ublock",
        "uids"
    ]
 }
--- a/README.md
+++ b/README.md
@ -1,3 +1,9 @@
 # nix-config
 https://git.jan-leila.com/jan-leila/nix-config
 nix multi user, multi system, configuration with `sops` secret management, `home-manager`, and `nixos-anywhere` setup via `disko` with `zfs` + `impermanence`
 # Hosts
 ## Host Map
@ -5,14 +11,17 @@
 | :---------: | :------------------------: | :--------------: | :-------: |
 |  `twilight` |      Desktop Computer      |      Leyla       |  Desktop  |
 |  `horizon`  |  13 inch Framework Laptop  |      Leyla       |  Laptop   |
-|  `defiant`  |         NAS Server         |      Leyla       |  Service  |
+|  `defiant`  |         NAS Server         |      Leyla       |   Server  |
-|  `emergent` |      Desktop Computer      |       Eve        |  Laptop   |
+| `hesperium` |             Mac            |      ?????       |    ???    |
-| `threshold` |           Laptop           |       Eve        |  Desktop  |
+|  `emergent` |      Desktop Computer      |       Eve        |  Desktop  |
 | `threshold` |           Laptop           |       Eve        |  Laptop   |
 |  `wolfram`  |         Steam Deck         |      House       |  Handheld |
 |   `ceder`   | A5 Tablet (not using nix)  |      Leyla       |   Tablet  |
 |   `skate`   | A6 Tablet (not using nix)  |      Leyla       |   Tablet  |
 |   `shale`   | A6 Tablet (not using nix)  |       Eve        |   Tablet  |
 |   `coven`   |  Pixel 8 (not using nix)   |      Leyla       |  Android  |
 # Tooling
 ## Lint
 `./lint.sh`
 ## Rebuilding
 `./rebuild.sh`
@ -22,45 +31,42 @@
 ## New host setup
 `./install.sh --target 192.168.1.130 --flake hostname`
 ## Updating Secrets
 `sops secrets/secrets_file_here.yaml`
 ## Inspecting a configuration
 `nix-inspect -p .`
 # Notes:
 ## Research topics
- Look into this for rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/`
+- Look into this for auto rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/`
- Look into this for openssh known configurations https://search.nixos.org/options?channel=unstable&from=0&size=15&sort=alpha_asc&type=packages&query=services.openssh
+- Look into this for npins https://jade.fyi/blog/pinning-nixos-with-npins/
- Look into this for flake templates https://nix.dev/manual/nix/2.22/command-ref/new-cli/nix3-flake-init
+- https://nixos-and-flakes.thiscute.world/
 - Look into this for headscale https://carlosvaz.com/posts/setting-up-headscale-on-nixos/
 - Look into this for home assistant configuration https://nixos.wiki/wiki/Home_Assistant https://myme.no/posts/2021-11-25-nixos-home-assistant.html
 ## Configuration
 set up git configuration for local development: `git config --local include.path .gitconfig`
 to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.yaml` (NOTE: this depends on the SOPS_AGE_KEY_DIRECTORY environment variable being set)
 # Tasks:
 ## Tech Debt
- vscode extensions should be in own flake (make sure to add the nixpkgs.overlays in it too)
+- monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/)
- join config for systemd.tmpfiles.rules and service directory bindings
+- nfs export should be backed by the same values for server and client
 - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml`
 - move applications in server environment into their own flakes
 - pihole config files
 ## New Features
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
+- crab-hole
- fix pre commit hook
+- figure out why syncthing and jellyfins permissions don't propagate downwards
 - Flake templates
 - home assistant virtual machine
 - searxng docker
 - nextcloud ???
 - samba mounts
 - firefox declarative???
 - figure out steam vr things?
- Open GL?
+- auto turn off on power loss - nut
- util functions
+- zfs email after scrubbing # TODO: test this
- openssh known hosts
+- SMART test with email results
 - samba mounts
 - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
 - Create Tor guard/relay server
 - migrate away from flakes and move to npins
 - whisper
 - zfs encryption FIDO2 2fa (look into shavee)
 - Secure Boot - https://github.com/nix-community/lanzaboote
 - rotate sops encryption keys periodically (and somehow sync between devices?)
- zfs email after scrubbing
+- wake on LAN for updates
- headscale server (just needs to be tested)
+- remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html
- mastodon server
+- ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix
- tail scale clients
+- panoramax instance
- wake on LAN
+- mastodon instance
- ISO target that contains authorized keys for nixos-anywhere
+- move searx, home-assistant, actual, jellyfin, paperless, and immich to only be accessible via vpn
--- a/build-installer.sh
+++ b/build-installer.sh
@ -0,0 +1,30 @@
 #!/usr/bin/env bash
 while [ $# -gt 0 ]; do
  case "$1" in
    --flake*|-f*)
      if [[ "$1" != *=* ]]; then shift; fi
      flake="${1#*=}"
      ;;
    # --user*|-u*)
    #   if [[ "$1" != *=* ]]; then shift; fi
    #   user="${1#*=}"
    #   ;;
    --help|-h)
      echo "--help -h: print this message"
      echo "--flake -f: set the flake to build an installer for"
    #   echo "--user -u: set the user to install flake as on the target system"
      exit 0
      ;;
    *)
      echo "Error: Invalid argument $1"
      exit 1
      ;;
  esac
  shift
 done
 flake=${flake:-"basic"}
 user=${user:-$USER}
 nix build .#installerConfigurations.$flake.config.system.build.isoImage
--- a/configurations/darwin/hesperium/configuration.nix
+++ b/configurations/darwin/hesperium/configuration.nix
@ -0,0 +1,16 @@
 {...}: {
  host = {
    users = {
      leyla = {
        isDesktopUser = true;
        isTerminalUser = true;
        isPrincipleUser = true;
      };
      eve.isNormalUser = false;
    };
  };
  system.stateVersion = 5;
  nixpkgs.hostPlatform = "aarch64-darwin";
 }
--- a/configurations/darwin/hesperium/default.nix
+++ b/configurations/darwin/hesperium/default.nix
@ -0,0 +1,5 @@
 {...}: {
  imports = [
    ./configuration.nix
  ];
 }
--- a/configurations/home-manager/default.nix
+++ b/configurations/home-manager/default.nix
@ -0,0 +1,12 @@
 {
  lib,
  config,
  osConfig,
  ...
 }: let
  users = config.host.users;
 in {
  leyla = lib.mkIf users.leyla.isNormalUser (import ./leyla);
  eve = lib.mkIf users.eve.isNormalUser (import ./eve);
  git = lib.mkIf (osConfig.services.forgejo.enable or false) (import ./git);
 }
--- a/configurations/home-manager/eve/default.nix
+++ b/configurations/home-manager/eve/default.nix
@ -0,0 +1,56 @@
 {osConfig, ...}: let
  userConfig = osConfig.host.users.eve;
 in {
  imports = [
    ./packages.nix
    ./gnomeconf.nix
  ];
  home = {
    username = userConfig.name;
    homeDirectory = osConfig.users.users.eve.home;
    # This value determines the Home Manager release that your configuration is
    # compatible with. This helps avoid breakage when a new Home Manager release
    # introduces backwards incompatible changes.
    #
    # You should not change this value, even if you update Home Manager. If you do
    # want to update the value, then make sure to first check the Home Manager
    # release notes.
    stateVersion = "23.11"; # Please read the comment before changing.
    # Home Manager is pretty good at managing dotfiles. The primary way to manage
    # plain files is through 'home.file'.
    file = {
      # # Building this configuration will create a copy of 'dotfiles/screenrc' in
      # # the Nix store. Activating the configuration will then make '~/.screenrc' a
      # # symlink to the Nix store copy.
      # ".screenrc".source = dotfiles/screenrc;
      # # You can also set the file content immediately.
      # ".gradle/gradle.properties".text = ''
      #   org.gradle.console=verbose
      #   org.gradle.daemon.idletimeout=3600000
      # '';
    };
    # Home Manager can also manage your environment variables through
    # 'home.sessionVariables'. If you don't want to manage your shell through Home
    # Manager then you have to manually source 'hm-session-vars.sh' located at
    # either
    #
    #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
    #
    # or
    #
    #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
    #
    # or
    #
    #  /etc/profiles/per-user/leyla/etc/profile.d/hm-session-vars.sh
    #
    sessionVariables = {
      # EDITOR = "emacs";
    };
  };
 }
--- a/configurations/home-manager/eve/gnomeconf.nix
+++ b/configurations/home-manager/eve/gnomeconf.nix
@ -0,0 +1,12 @@
 {pkgs, ...}: {
  config = {
    dconf = {
      enable = true;
      settings = {
        "org/gnome/shell".enabled-extensions = [
          pkgs.gnomeExtensions.dash-to-panel.extensionUuid
        ];
      };
    };
  };
 }
--- a/configurations/home-manager/eve/packages.nix
+++ b/configurations/home-manager/eve/packages.nix
@ -0,0 +1,67 @@
 {
  lib,
  pkgs,
  config,
  osConfig,
  ...
 }: let
  userConfig = osConfig.host.users.eve;
  hardware = osConfig.host.hardware;
 in {
  config = {
    nixpkgs.config = {
      allowUnfree = true;
    };
    # Packages that can be installed without any extra configuration
    # See https://search.nixos.org/packages for all options
    home.packages = lib.lists.optionals userConfig.isDesktopUser (
      with pkgs; [
        gnomeExtensions.dash-to-panel
      ]
    );
    # Packages that need to be installed with some extra configuration
    # See https://home-manager-options.extranix.com/ for all options
    programs = lib.mkMerge [
      {
        # Let Home Manager install and manage itself.
        home-manager.enable = true;
      }
      (lib.mkIf (config.user.isDesktopUser || config.user.isTerminalUser) {
        git = {
          enable = true;
          userName = "Eve";
          userEmail = "evesnrobins@gmail.com";
          extraConfig.init.defaultBranch = "main";
        };
        openssh = {
          enable = true;
          hostKeys = [
            {
              type = "ed25519";
              path = "${config.home.username}_${osConfig.networking.hostName}_ed25519";
            }
          ];
        };
      })
      (lib.mkIf config.user.isDesktopUser {
        vscode = {
          enable = true;
          package = pkgs.vscodium;
        };
        firefox.enable = true;
        bitwarden.enable = true;
        discord.enable = true;
        makemkv.enable = true;
        signal-desktop-bin.enable = true;
        steam.enable = true;
        piper.enable = hardware.piperMouse.enable;
        krita.enable = true;
        ungoogled-chromium.enable = true;
      })
    ];
  };
 }
--- a/configurations/home-manager/git/default.nix
+++ b/configurations/home-manager/git/default.nix
@ -0,0 +1,20 @@
 {osConfig, ...}: {
  home = {
    username = osConfig.users.users.git.name;
    homeDirectory = osConfig.users.users.git.home;
    # This value determines the Home Manager release that your configuration is
    # compatible with. This helps avoid breakage when a new Home Manager release
    # introduces backwards incompatible changes.
    #
    # You should not change this value, even if you update Home Manager. If you do
    # want to update the value, then make sure to first check the Home Manager
    # release notes.
    stateVersion = "23.11"; # Please read the comment before changing.
  };
  programs.ssh.extraConfig = ''
    AuthorizedKeysFile
    /var/lib/forgejo/.ssh/authorized_keys
  '';
 }
--- a/configurations/home-manager/leyla/dconf.nix
+++ b/configurations/home-manager/leyla/dconf.nix
@ -0,0 +1,89 @@
 {pkgs, ...}: {
  config = {
    gnome = {
      extraWindowControls = true;
      colorScheme = "prefer-dark";
      clockFormat = "24h";
      extensions = [
        pkgs.gnomeExtensions.dash-to-dock
      ];
      hotkeys = {
        "Open Terminal" = {
          binding = "<Super>t";
          command = "kgx";
        };
      };
    };
    dconf = {
      enable = true;
      settings = {
        "org/gnome/shell/extensions/dash-to-dock" = {
          "dock-position" = "LEFT";
          "intellihide-mode" = "ALL_WINDOWS";
          "show-trash" = false;
          "require-pressure-to-show" = false;
          "show-mounts" = false;
        };
        "org/gnome/shell" = {
          favorite-apps = ["org.gnome.Nautilus.desktop" "firefox.desktop" "codium.desktop" "steam.desktop" "org.gnome.Console.desktop"];
          # app-picker-layout =
          #   builtins.map (
          #     applications:
          #       lib.hm.gvariant (builtins.listToAttrs (lib.lists.imap0 (i: v: lib.attrsets.nameValuePair v (lib.hm.gvariant.mkVariant "{'position': <${i}>}")) applications))
          #   ) [
          #     [
          #       "org.gnome.Nautilus.desktop"
          #       "bitwarden.desktop"
          #       "firefox.desktop"
          #       "torbrowser.desktop"
          #       "chromium-browser.desktop"
          #       "codium.desktop"
          #       "idea-community.desktop"
          #       "org.gnome.TextEditor.desktop"
          #       "dbeaver.desktop"
          #       "bruno.desktop"
          #       "anki.desktop"
          #       "obsidian.desktop"
          #       "signal-desktop.desktop"
          #       "discord.desktop"
          #       "gimp.desktop"
          #       "org.inkscape.Inkscape.desktop"
          #       "org.kde.krita.desktop"
          #       "davinci-resolve.desktop"
          #       "com.obsproject.Studio.desktop"
          #       "org.freecad.FreeCAD.desktop"
          #       "makemkv.desktop"
          #       "easytag.desktop"
          #       "transmission-gtk.desktop"
          #     ]
          #     [
          #       "SteamVR.desktop"
          #       "Beat Saber.desktop"
          #       "Noun Town.desktop"
          #       "WEBFISHING.desktop"
          #       "Factorio.desktop"
          #     ]
          #     [
          #       "org.gnome.Settings.desktop"
          #       "org.gnome.SystemMonitor.desktop"
          #       "org.gnome.Snapshot.desktop"
          #       "org.gnome.Usage.desktop"
          #       "org.gnome.DiskUtility.desktop"
          #       "org.gnome.Evince.desktop"
          #       "org.gnome.fonts.desktop"
          #       "noisetorch.desktop"
          #       "nvidia-settings.desktop"
          #       "OpnRGB.desktop"
          #       "org.freedesktop.Piper.desktop"
          #       "via-nativia.desktop"
          #       "protonvpn-app.desktop"
          #       "simple-scan.desktop"
          #     ]
          #   ];
        };
      };
    };
  };
 }
--- a/configurations/home-manager/leyla/default.nix
+++ b/configurations/home-manager/leyla/default.nix
@ -0,0 +1,94 @@
 {
  pkgs,
  config,
  osConfig,
  ...
 }: {
  imports = [
    ./packages
    ./i18n.nix
    ./impermanence.nix
    ./dconf.nix
  ];
  config = {
    # Home Manager needs a bit of information about you and the paths it should
    # manage.
    home = {
      username = osConfig.host.users.leyla.name;
      homeDirectory = osConfig.users.users.leyla.home;
      # This value determines the Home Manager release that your configuration is
      # compatible with. This helps avoid breakage when a new Home Manager release
      # introduces backwards incompatible changes.
      #
      # You should not change this value, even if you update Home Manager. If you do
      # want to update the value, then make sure to first check the Home Manager
      # release notes.
      stateVersion = "23.11"; # Please read the comment before changing.
      # Home Manager is pretty good at managing dotfiles. The primary way to manage
      # plain files is through 'home.file'.
      file = {
        # # Building this configuration will create a copy of 'dotfiles/screenrc' in
        # # the Nix store. Activating the configuration will then make '~/.screenrc' a
        # # symlink to the Nix store copy.
        # ".screenrc".source = dotfiles/screenrc;
        # # You can also set the file content immediately.
        # ".gradle/gradle.properties".text = ''
        #   org.gradle.console=verbose
        #   org.gradle.daemon.idletimeout=3600000
        # '';
        "${config.xdg.configHome}/user-dirs.dirs" = {
          force = true;
          text = ''
            # This file is written by xdg-user-dirs-update
            # If you want to change or add directories, just edit the line you're
            # interested in. All local changes will be retained on the next run.
            # Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped
            # homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an
            # absolute path. No other format is supported.
            #
            XDG_DESKTOP_DIR="$HOME/desktop"
            XDG_DOWNLOAD_DIR="$HOME/downloads"
            XDG_DOCUMENTS_DIR="$HOME/documents"
            XDG_TEMPLATES_DIR="$HOME/documents/templates"
            XDG_MUSIC_DIR="$HOME/documents/music"
            XDG_PICTURES_DIR="$HOME/documents/photos"
            XDG_VIDEOS_DIR="$HOME/documents/videos"
            XDG_PUBLICSHARE_DIR="$HOME/documents/public"
          '';
        };
      };
      keyboard.layout = "us,it,de";
      # Home Manager can also manage your environment variables through
      # 'home.sessionVariables'. If you don't want to manage your shell through Home
      # Manager then you have to manually source 'hm-session-vars.sh' located at
      # either
      #
      #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
      #
      # or
      #
      #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
      #
      # or
      #
      #  /etc/profiles/per-user/leyla/etc/profile.d/hm-session-vars.sh
      #
      sessionVariables = {
        # EDITOR = "emacs";
      };
    };
    # TODO: move this into a fonts module
    home.packages = with pkgs; [
      aileron
      nerd-fonts.open-dyslexic
    ];
    fonts.fontconfig.enable = true;
  };
 }
--- a/configurations/home-manager/leyla/i18n.nix
+++ b/configurations/home-manager/leyla/i18n.nix
@ -0,0 +1,12 @@
 {...}: {
  i18n = {
    defaultLocale = "en_IE.UTF-8";
    extraLocaleSettings = {
      # LC_ADDRESS = "en_IE.UTF-8"; # lets just get used to this one now
      # LC_TELEPHONE = "en_IE.UTF-8"; # lets just get used to this one now
      LC_MONETARY = "en_US.UTF-8"; # to be changed once I move
      LC_PAPER = "en_US.UTF-8"; # convenient for american printers until I move
    };
  };
 }
--- a/configurations/home-manager/leyla/impermanence.nix
+++ b/configurations/home-manager/leyla/impermanence.nix
@ -0,0 +1,21 @@
 {
  lib,
  config,
  osConfig,
  ...
 }: {
  config = lib.mkIf osConfig.host.impermanence.enable {
    home.persistence."/persist/home/leyla" = {
      directories = [
        "desktop"
        "downloads"
        "documents"
      ];
      files = [
        ".bash_history" # keep shell history around
        "${config.xdg.dataHome}/recently-used.xbel" # gnome recently viewed files
      ];
      allowOther = true;
    };
  };
 }
--- a/configurations/home-manager/leyla/packages/default.nix
+++ b/configurations/home-manager/leyla/packages/default.nix
@ -0,0 +1,91 @@
 {
  lib,
  pkgs,
  config,
  osConfig,
  ...
 }: let
  hardware = osConfig.host.hardware;
 in {
  imports = [
    ./vscode
    ./firefox.nix
    ./direnv.nix
    ./openssh.nix
    ./git.nix
    ./makemkv.nix
  ];
  config = lib.mkMerge [
    {
      programs = lib.mkMerge [
        {
          # Let Home Manager install and manage itself.
          home-manager.enable = true;
        }
        (lib.mkIf (config.user.isTerminalUser || config.user.isDesktopUser) {
          bash.enable = true;
          git.enable = true;
          openssh.enable = true;
        })
        (lib.mkIf config.user.isDesktopUser {
          bitwarden.enable = true;
          obs-studio.enable = hardware.graphicsAcceleration.enable;
          qbittorrent.enable = true;
          prostudiomasters.enable = true;
          protonvpn-gui.enable = true;
          dbeaver-bin.enable = true;
          bruno.enable = true;
          piper.enable = hardware.piperMouse.enable;
          proxmark3.enable = true;
          openrgb.enable = hardware.openRGB.enable;
          via.enable = hardware.viaKeyboard.enable;
          claude-code.enable = osConfig.host.ai.enable;
          davinci-resolve.enable = hardware.graphicsAcceleration.enable;
          mfoc.enable = true;
        })
        (lib.mkIf (hardware.directAccess.enable && config.user.isDesktopUser) {
          anki.enable = true;
          makemkv.enable = true;
          discord.enable = true;
          signal-desktop-bin.enable = true;
          calibre.enable = true;
          obsidian.enable = true;
          jetbrains.idea-community.enable = true;
          vscode.enable = true;
          firefox.enable = true;
          steam.enable = true;
          krita.enable = true;
          ungoogled-chromium.enable = true;
          libreoffice.enable = true;
          mapillary-uploader.enable = true;
          inkscape.enable = true;
          gimp.enable = true;
          freecad.enable = true;
          onionshare.enable = true;
          pdfarranger.enable = true;
          picard.enable = true;
          qflipper.enable = true;
          openvpn.enable = true;
          noisetorch.enable = true;
          tor-browser.enable = true;
          gdx-liftoff.enable = true;
        })
      ];
    }
    (lib.mkIf config.user.isTerminalUser {
      home.packages = with pkgs; [
        # command line tools
        sox
        yt-dlp
        ffmpeg
        imagemagick
      ];
    })
    (lib.mkIf config.user.isDesktopUser {
      nixpkgs.config = {
        allowUnfree = true;
      };
    })
  ];
 }
--- a/configurations/home-manager/leyla/packages/direnv.nix
+++ b/configurations/home-manager/leyla/packages/direnv.nix
@ -0,0 +1,22 @@
 {
  lib,
  config,
  osConfig,
  ...
 }: let
  userConfig = osConfig.host.users.leyla;
 in {
  config = lib.mkIf userConfig.isDesktopUser {
    programs = {
      direnv = {
        enable = true;
        enableBashIntegration = true;
        nix-direnv.enable = true;
        config = {
          global.hide_env_diff = true;
          whitelist.exact = ["${config.home.homeDirectory}/documents/code/nix-config"];
        };
      };
    };
  };
 }
--- a/configurations/home-manager/leyla/packages/firefox.nix
+++ b/configurations/home-manager/leyla/packages/firefox.nix
@ -0,0 +1,344 @@
 {
  lib,
  pkgs,
  inputs,
  ...
 }: {
  config = {
    programs.firefox = {
      profiles.leyla = {
        settings = {
          "browser.search.defaultenginename" = "Searx";
          "browser.search.order.1" = "Searx";
        };
        search = {
          force = true;
          default = "Searx";
          engines = {
            "Nix Packages" = {
              urls = [
                {
                  template = "https://search.nixos.org/packages";
                  params = [
                    {
                      name = "type";
                      value = "packages";
                    }
                    {
                      name = "query";
                      value = "{searchTerms}";
                    }
                  ];
                }
              ];
              icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
              definedAliases = ["@np"];
            };
            "NixOS Wiki" = {
              urls = [{template = "https://nixos.wiki/index.php?search={searchTerms}";}];
              icon = "https://nixos.wiki/favicon.png";
              updateInterval = 24 * 60 * 60 * 1000; # every day
              definedAliases = ["@nw"];
            };
            "Searx" = {
              urls = [{template = "https://search.jan-leila.com/?q={searchTerms}";}];
              icon = "https://nixos.wiki/favicon.png";
              updateInterval = 24 * 60 * 60 * 1000; # every day
              definedAliases = ["@searx"];
            };
          };
        };
        extensions.packages = with inputs.firefox-addons.packages.${pkgs.system}; [
          bitwarden
          terms-of-service-didnt-read
          multi-account-containers
          shinigami-eyes
          ublock-origin
          sponsorblock
          dearrow
          df-youtube
          return-youtube-dislikes
          privacy-badger
          decentraleyes
          clearurls
          localcdn
          snowflake
          deutsch-de-language-pack
          dictionary-german
          tab-session-manager
          # (
          #   buildFirefoxXpiAddon rec {
          #     pname = "italiano-it-language-pack";
          #     version = "132.0.20241110.231641";
          #     addonId = "langpack-it@firefox.mozilla.org";
          #     url = "https://addons.mozilla.org/firefox/downloads/file/4392453/italiano_it_language_pack-${version}.xpi";
          #     sha256 = "";
          #     meta = with lib;
          #     {
          #       description = "Firefox Language Pack for Italiano (it) – Italian";
          #       license = licenses.mpl20;
          #       mozPermissions = [];
          #       platforms = platforms.all;
          #     };
          #   }
          # )
          # (
          #   buildFirefoxXpiAddon rec {
          #     pname = "dizionario-italiano";
          #     version = "5.1";
          #     addonId = "it-IT@dictionaries.addons.mozilla.org";
          #     url = "https://addons.mozilla.org/firefox/downloads/file/1163874/dizionario_italiano-${version}.xpi";
          #     sha256 = "";
          #     meta = with lib;
          #     {
          #       description = "Add support for Italian to spellchecking";
          #       license = licenses.gpl3;
          #       mozPermissions = [];
          #       platforms = platforms.all;
          #     };
          #   }
          # )
        ];
        settings = {
          # Disable irritating first-run stuff
          "browser.disableResetPrompt" = true;
          "browser.download.panel.shown" = true;
          "browser.feeds.showFirstRunUI" = false;
          "browser.messaging-system.whatsNewPanel.enabled" = false;
          "browser.rights.3.shown" = true;
          "browser.shell.checkDefaultBrowser" = false;
          "browser.shell.defaultBrowserCheckCount" = 1;
          "browser.startup.homepage_override.mstone" = "ignore";
          "browser.uitour.enabled" = false;
          "startup.homepage_override_url" = "";
          "trailhead.firstrun.didSeeAboutWelcome" = true;
          "browser.bookmarks.restore_default_bookmarks" = false;
          "browser.bookmarks.addedImportButton" = true;
          "browser.newtabpage.activity-stream.feeds.section.topstories" = false;
          # Usage Experience
          "browser.startup.homepage" = "about:home";
          "browser.download.useDownloadDir" = false;
          "browser.uiCustomization.state" = builtins.toJSON {
            "currentVersion" = 20;
            "newElementCount" = 6;
            "dirtyAreaCache" = [
              "nav-bar"
              "PersonalToolbar"
              "toolbar-menubar"
              "TabsToolbar"
              "unified-extensions-area"
              "vertical-tabs"
            ];
            "placements" = {
              "widget-overflow-fixed-list" = [];
              "unified-extensions-area" = [
                # bitwarden
                "_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action"
                "ublock0_raymondhill_net-browser-action"
                "sponsorblocker_ajay_app-browser-action"
                "dearrow_ajay_app-browser-action"
                "jid1-mnnxcxisbpnsxq_jetpack-browser-action"
                "_testpilot-containers-browser-action"
                "addon_simplelogin-browser-action"
                "_74145f27-f039-47ce-a470-a662b129930a_-browser-action"
                "jid1-bofifl9vbdl2zq_jetpack-browser-action"
                "dfyoutube_example_com-browser-action"
                "_b86e4813-687a-43e6-ab65-0bde4ab75758_-browser-action"
                "_762f9885-5a13-4abd-9c77-433dcd38b8fd_-browser-action"
                "_b11bea1f-a888-4332-8d8a-cec2be7d24b9_-browse-action"
                "jid0-3guet1r69sqnsrca5p8kx9ezc3u_jetpack-browser-action"
              ];
              "nav-bar" = [
                "back-button"
                "forward-button"
                "stop-reload-button"
                "urlbar-container"
                "downloads-button"
                "unified-extensions-button"
                "reset-pbm-toolbar-button"
              ];
              "toolbar-menubar" = [
                "menubar-items"
              ];
              "TabsToolbar" = [
                "firefox-view-button"
                "tabbrowser-tabs"
                "new-tab-button"
                "alltabs-button"
              ];
              "vertical-tabs" = [];
              "PersonalToolbar" = [
                "import-button"
                "personal-bookmarks"
              ];
            };
            "seen" = [
              "save-to-pocket-button"
              "developer-button"
              "privacy_privacy_com-browser-action"
              "sponsorblocker_ajay_app-browser-action"
              "ublock0_raymondhill_net-browser-action"
              "addon_simplelogin-browser-action"
              "dearrow_ajay_app-browser-action"
              "_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action"
              "_74145f27-f039-47ce-a470-a662b129930a_-browser-action"
              "jid1-bofifl9vbdl2zq_jetpack-browser-action"
              "dfyoutube_example_com-browser-action"
              "_testpilot-containers-browser-action"
              "_b86e4813-687a-43e6-ab65-0bde4ab75758_-browser-action"
              "jid1-mnnxcxisbpnsxq_jetpack-browser-action"
              "_762f9885-5a13-4abd-9c77-433dcd38b8fd_-browser-action"
              "_b11bea1f-a888-4332-8d8a-cec2be7d24b9_-browser-action"
              "jid0-3guet1r69sqnsrca5p8kx9ezc3u_jetpack-browser-action"
            ];
          };
          "browser.newtabpage.activity-stream.feeds.topsites" = false;
          "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
          "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false;
          "browser.newtabpage.blocked" = lib.genAttrs [
            # Facebook
            "4gPpjkxgZzXPVtuEoAL9Ig=="
            # Reddit
            "gLv0ja2RYVgxKdp0I5qwvA=="
            # Amazon
            "K00ILysCaEq8+bEqV/3nuw=="
            # Twitter
            "T9nJot5PurhJSy8n038xGA=="
          ] (_: 1);
          "identity.fxaccounts.enabled" = false;
          # Security
          "privacy.trackingprotection.enabled" = true;
          "dom.security.https_only_mode" = true;
          "extensions.formautofill.addresses.enabled" = false;
          "extensions.formautofill.creditCards.enabled" = false;
          "signon.rememberSignons" = false;
          "privacy.sanitize.sanitizeOnShutdown" = true;
          "privacy.clearOnShutdown_v2.cache" = true;
          "privacy.clearOnShutdown_v2.cookiesAndStorage" = true;
          "privacy.clearOnShutdown_v2.historyFormDataAndDownloads" = true;
          "urlclassifier.trackingSkipURLs" = "";
          "urlclassifier.features.socialtracking.skipURLs" = "";
          "dom.security.https_only_mode_pbm" = true;
          "dom.security.https_only_mode_error_page_user_suggestions" = true;
          # Disable telemetry
          "app.shield.optoutstudies.enabled" = false;
          "browser.discovery.enabled" = false;
          "browser.newtabpage.activity-stream.feeds.telemetry" = false;
          "browser.newtabpage.activity-stream.telemetry" = false;
          "browser.ping-centre.telemetry" = false;
          "datareporting.healthreport.service.enabled" = false;
          "datareporting.healthreport.uploadEnabled" = false;
          "datareporting.policy.dataSubmissionEnabled" = false;
          "datareporting.sessions.current.clean" = true;
          "devtools.onboarding.telemetry.logged" = false;
          "toolkit.telemetry.archive.enabled" = false;
          "toolkit.telemetry.bhrPing.enabled" = false;
          "toolkit.telemetry.enabled" = false;
          "toolkit.telemetry.firstShutdownPing.enabled" = false;
          "toolkit.telemetry.hybridContent.enabled" = false;
          "toolkit.telemetry.newProfilePing.enabled" = false;
          "toolkit.telemetry.prompted" = 2;
          "toolkit.telemetry.rejected" = true;
          "toolkit.telemetry.reportingpolicy.firstRun" = false;
          "toolkit.telemetry.server" = "";
          "toolkit.telemetry.shutdownPingSender.enabled" = false;
          "toolkit.telemetry.unified" = false;
          "toolkit.telemetry.unifiedIsOptIn" = false;
          "toolkit.telemetry.updatePing.enabled" = false;
        };
        bookmarks = {
          force = true;
          settings = [
            {
              name = "Media";
              url = "https://media.jan-leila.com/";
              keyword = "";
              tags = [""];
            }
            {
              name = "Photos";
              url = "https://photos.jan-leila.com";
              keyword = "";
              tags = [""];
            }
            {
              name = "Git";
              url = "https://git.jan-leila.com/";
              keyword = "";
              tags = [""];
            }
            {
              name = "Home Automation";
              url = "https://home.jan-leila.com/";
              keyword = "";
              tags = [""];
            }
            {
              name = "Mail";
              url = "https://mail.protonmail.com";
              keyword = "";
              tags = [""];
            }
            {
              name = "Open Street Map";
              url = "https://www.openstreetmap.org/";
              keyword = "";
              tags = [""];
            }
            {
              name = "Password Manager";
              url = "https://vault.bitwarden.com/";
              keyword = "";
              tags = [""];
            }
            {
              name = "Mastodon";
              url = "https://mspsocial.net";
              keyword = "";
              tags = [""];
            }
            {
              name = "Linked In";
              url = "https://www.linkedin.com/";
              keyword = "";
              tags = [""];
            }
            {
              name = "Job Search";
              url = "https://www.jobsinnetwork.com/?state=cleaned_history&language%5B%5D=en&query=react&locations.countryCode%5B%5D=IT&locations.countryCode%5B%5D=DE&locations.countryCode%5B%5D=NL&experience%5B%5D=medior&experience%5B%5D=junior&page=1";
              keyword = "";
              tags = [""];
            }
            {
              name = "React Docs";
              url = "https://react.dev/";
              keyword = "";
              tags = [""];
            }
            # Template
            # {
            #   name = "";
            #   url = "";
            #   keyword = "";
            #   tags = [""];
            # }
          ];
        };
      };
    };
  };
 }
--- a/configurations/home-manager/leyla/packages/git.nix
+++ b/configurations/home-manager/leyla/packages/git.nix
@ -0,0 +1,11 @@
 {...}: {
  config = {
    programs = {
      git = {
        userName = "Leyla Becker";
        userEmail = "git@jan-leila.com";
        extraConfig.init.defaultBranch = "main";
      };
    };
  };
 }
--- a/configurations/home-manager/leyla/packages/makemkv.nix
+++ b/configurations/home-manager/leyla/packages/makemkv.nix
@ -0,0 +1,17 @@
 {
  config,
  inputs,
  ...
 }: {
  config = {
    sops.secrets = {
      "application-keys/makemkv" = {
        sopsFile = "${inputs.secrets}/application-keys.yaml";
      };
    };
    programs.makemkv = {
      appKeyFile = config.sops.placeholder."application-keys/makemkv";
      destinationDir = "/home/leyla/downloads/makemkv";
    };
  };
 }
--- a/configurations/home-manager/leyla/packages/openssh.nix
+++ b/configurations/home-manager/leyla/packages/openssh.nix
@ -0,0 +1,23 @@
 {
  config,
  osConfig,
  ...
 }: {
  config = {
    programs = {
      openssh = {
        authorizedKeys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHeItmt8TRW43uNcOC+eIurYC7Eunc0V3LGocQqLaYj leyla@horizon"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILimFIW2exEH/Xo7LtXkqgE04qusvnPNpPWSCeNrFkP leyla@defiant"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBiZkg1c2aaNHiieBX4cEziqvJVj9pcDfzUrKU/mO0I leyla@twilight"
        ];
        hostKeys = [
          {
            type = "ed25519";
            path = "${config.home.username}_${osConfig.networking.hostName}_ed25519";
          }
        ];
      };
    };
  };
 }
--- a/configurations/home-manager/leyla/packages/vscode/default.nix
+++ b/configurations/home-manager/leyla/packages/vscode/default.nix
@ -0,0 +1,119 @@
 {
  lib,
  pkgs,
  config,
  osConfig,
  ...
 }: let
  nix-development-enabled = osConfig.host.nix-development.enable;
  ai-tooling-enabled = osConfig.host.ai.enable;
 in {
  imports = [
    ./user-words.nix
  ];
  config = lib.mkIf config.user.isDesktopUser {
    programs = {
      bash.shellAliases = {
        code = "codium";
      };
      vscode = {
        package = pkgs.vscodium;
        mutableExtensionsDir = false;
        profiles.default = {
          enableUpdateCheck = false;
          enableExtensionUpdateCheck = false;
          userSettings = lib.mkMerge [
            {
              "javascript.updateImportsOnFileMove.enabled" = "always";
              "editor.tabSize" = 2;
              "editor.insertSpaces" = false;
            }
          ];
          extraExtensions = {
            # vs code feel
            oneDark.enable = true;
            atomKeybindings.enable = true;
            openRemoteSsh.enable = true;
            # html development
            autoRenameTag.enable = true;
            liveServer.enable = true;
            # js development
            es7ReactJsSnippets.enable = true;
            tauriVscode.enable = true;
            vscodeEslint.enable = true;
            vscodeJest.enable = true;
            vitest.enable = true;
            vscodeStandard.enable = true;
            vscodeStylelint.enable = true;
            nearley.enable = true;
            # astro development
            vscodeMdx.enable = true;
            astroVscode.enable = true;
            # nix development
            alejandra.enable = nix-development-enabled;
            nixIde.enable = nix-development-enabled;
            # go development
            go.enable = true;
            # claude development
            claudeDev = lib.mkIf ai-tooling-enabled {
              enable = true;
              mcp = {
                nixos.enable = true;
                eslint = {
                  enable = true;
                  autoApprove = {
                    lint-files = true;
                  };
                };
                vitest = {
                  enable = true;
                  autoApprove = {
                    list_tests = true;
                    run_tests = true;
                    analyze_coverage = true;
                  };
                };
                sleep = {
                  enable = true;
                  timeout = 18000; # 5 hours to match claude codes timeout
                  autoApprove = {
                    sleep = true;
                  };
                };
              };
            };
            # misc extensions
            evenBetterToml.enable = true;
            direnv.enable = config.programs.direnv.enable;
            conventionalCommits.enable = true;
          };
          extensions = let
            extension-pkgs = pkgs.nix-vscode-extensions.forVSCodeVersion config.programs.vscode.package.version;
          in (
            with extension-pkgs.open-vsx; [
              # vs code feel extensions
              streetsidesoftware.code-spell-checker
              streetsidesoftware.code-spell-checker-german
              streetsidesoftware.code-spell-checker-italian
            ]
          );
        };
      };
    };
  };
 }
--- a/configurations/home-manager/leyla/packages/vscode/user-words.nix
+++ b/configurations/home-manager/leyla/packages/vscode/user-words.nix
@ -0,0 +1,126 @@
 {
  pkgs,
  lib,
  ...
 }: {
  config.programs.vscode.profiles.default.userSettings = {
    "cSpell.userWords" = [
      "leyla"
    ];
    "cSpell.languageSettings" = [
      {
        "languageId" = "nix";
        "locale" = "*";
        "dictionaries" = [
          "applications"
          "ai-words"
          "nix-words"
          # We need to include all other dictionaries in the nix language settings because they exist in this file
          # TODO: see if there is a way to make this only apply for this file
          "js-words"
        ];
      }
      {
        "languageId" = "javascript,typescript,js,ts";
        "locale" = "*";
        "dictionaries" = [
          "js-words"
        ];
      }
    ];
    "cSpell.customDictionaries" = {
      applications = {
        name = "applications";
        description = "application names";
        path = pkgs.writeText "applications.txt" (lib.strings.concatLines [
          "ollama"
          "syncthing"
          "immich"
          "sonos"
          "makemkv"
          "hass"
          "qbittorent"
          "prostudiomasters"
          "protonmail"
          "pulseaudio"
        ]);
      };
      ai-words = {
        name = "ai-words";
        description = "common words used for ai development";
        path = pkgs.writeText "ai-words.txt" (lib.strings.concatLines [
          "ollama"
          "deepseek"
          "qwen"
        ]);
      };
      nix-words = {
        name = "nix-words";
        description = "words used in nix configurations";
        path = pkgs.writeText "nix-words.txt" (lib.strings.concatLines [
          "pname"
          "direnv"
          "tmpfiles"
          "Networkd"
          "networkmanager"
          "dialout"
          "adbusers"
          "authkey"
          "netdevs"
          "atomix"
          "geary"
          "gedit"
          "hitori"
          "iagno"
          "alsa"
          "timezoned"
          "pipewire"
          "rtkit"
          "disko"
          "ashift"
          "autotrim"
          "canmount"
          "mountpoint"
          "xattr"
          "acltype"
          "relatime"
          "keyformat"
          "keylocation"
          "vdevs"
          # codium extensions
          "akamud"
          "onedark"
          "jeanp"
          "dsznajder"
          "dbaeumer"
          "orta"
          "tauri"
          "unifiedjs"
          "tamasfe"
          "pinage"
          "jnoortheen"
          "kamadorueda"
          "karyfoundation"
          "nearley"
          # nix.optimise is spelled wrong
          "optimise"
        ]);
      };
      js-words = {
        name = "js-words";
        description = "words used in js development";
        path = pkgs.writeText "js-words.txt" (lib.strings.concatLines [
          "webdav"
        ]);
      };
    };
  };
 }
--- a/configurations/installer/basic/configuration.nix
+++ b/configurations/installer/basic/configuration.nix
@ -0,0 +1,19 @@
 {
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")];
  systemd.services.sshd.wantedBy = pkgs.lib.mkForce ["multi-user.target"];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AaAeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee username@host"
  ];
  isoImage.squashfsCompression = "gzip -Xcompression-level 1";
  networking.hostName = "installer";
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/configurations/installer/basic/default.nix
+++ b/configurations/installer/basic/default.nix
@ -0,0 +1,5 @@
 {...}: {
  imports = [
    ./configuration.nix
  ];
 }
--- a/configurations/nixos/defiant/configuration.nix
+++ b/configurations/nixos/defiant/configuration.nix
@ -0,0 +1,337 @@
 # server nas
 {
  inputs,
  config,
  ...
 }: {
  sops.secrets = {
    "vpn-keys/tailscale-authkey/defiant" = {
      sopsFile = "${inputs.secrets}/vpn-keys.yaml";
    };
    "vpn-keys/proton-wireguard/defiant-p2p" = {
      sopsFile = "${inputs.secrets}/vpn-keys.yaml";
      mode = "0640";
      owner = "root";
      group = "systemd-network";
    };
    "services/zfs_smtp_token" = {
      sopsFile = "${inputs.secrets}/defiant-services.yaml";
    };
    "services/paperless_password" = {
      sopsFile = "${inputs.secrets}/defiant-services.yaml";
      mode = "0700";
      owner = "paperless";
      group = "paperless";
    };
  };
  host = {
    users = {
      leyla = {
        isDesktopUser = true;
        isTerminalUser = true;
        isPrincipleUser = true;
      };
    };
    impermanence.enable = true;
    storage = {
      enable = true;
      encryption = true;
      notifications = {
        enable = true;
        host = "smtp.protonmail.ch";
        port = 587;
        to = "leyla@jan-leila.com";
        user = "noreply@jan-leila.com";
        tokenFile = config.sops.secrets."services/zfs_smtp_token".path;
      };
      pool = {
        # We are having to boot off of the nvm cache drive because I cant figure out how to boot via the HBA
        bootDrives = ["nvme-Samsung_SSD_990_PRO_4TB_S7KGNU0X907881F"];
        vdevs = [
          [
            "ata-ST18000NE000-3G6101_ZVTCXVEB"
            "ata-ST18000NE000-3G6101_ZVTCXWSC"
            "ata-ST18000NE000-3G6101_ZVTD10EH"
            "ata-ST18000NT001-3NF101_ZVTE0S3Q"
            "ata-ST18000NT001-3NF101_ZVTEF27J"
            "ata-ST18000NE000-3G6101_ZVTJ7359"
          ]
          # TODO: this needs to be configured manually
          [
            "ata-ST4000NE001-2MA101_WS2275P3"
            "ata-ST4000NE001-2MA101_WS227B9F"
            "ata-ST4000NE001-2MA101_WS227CEW"
            "ata-ST4000NE001-2MA101_WS227CYN"
            "ata-ST4000NE001-2MA101_WS23TBWV"
            "ata-ST4000NE001-2MA101_WS23TC5F"
          ]
        ];
        cache = [
          "nvme-Samsung_SSD_990_PRO_4TB_S7KGNU0X907881F"
        ];
      };
    };
    network_storage = {
      enable = true;
      directories = [
        {
          folder = "leyla_documents";
          user = "leyla";
          group = "leyla";
          bind = "/home/leyla/documents";
        }
        {
          folder = "eve_documents";
          user = "eve";
          group = "eve";
        }
        {
          folder = "users_documents";
          user = "root";
          group = "users";
        }
        {
          folder = "media";
          user = "jellyfin";
          group = "jellyfin_media";
          bind = config.services.jellyfin.media_directory;
        }
      ];
      nfs = {
        enable = true;
        directories = ["leyla_documents" "eve_documents" "users_documents" "media"];
      };
    };
    reverse_proxy = {
      enable = true;
      enableACME = true;
      hostname = "jan-leila.com";
    };
    postgres = {
      extraUsers = {
        leyla = {
          isAdmin = true;
        };
      };
    };
  };
  systemd.network = {
    enable = true;
    netdevs = {
      "10-bond0" = {
        netdevConfig = {
          Kind = "bond";
          Name = "bond0";
        };
        bondConfig = {
          Mode = "802.3ad";
          TransmitHashPolicy = "layer3+4";
        };
      };
      # "20-wg0" = {
      #   netdevConfig = {
      #     Kind = "wireguard";
      #     Name = "wg0";
      #   };
      #   wireguardConfig = {
      #     PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
      #     ListenPort = 51820;
      #   };
      #   wireguardPeers = [
      #     {
      #       PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
      #       Endpoint = "185.230.126.146:51820";
      #       AllowedIPs = ["0.0.0.0/0"];
      #     }
      #   ];
      # };
    };
    networks = {
      "40-bond0" = {
        matchConfig.Name = "bond0";
        linkConfig = {
          RequiredForOnline = "degraded-carrier";
          RequiredFamilyForOnline = "any";
        };
        networkConfig.DHCP = "yes";
        address = [
          "192.168.1.10/32"
        ];
        gateway = ["192.168.1.1"];
        dns = ["192.168.1.1"];
      };
      # For some reason this isn't working. It looks like traffic goes out and comes back but doesn't get correctly routed back to the wg interface on the return trip
      # debugging steps:
      # try sending data on the interface `ping -I wg0 8.8.8.8`
      # view all traffic on the interface `sudo tshark -i wg0`
      # see what applications are listening to port 14666 (thats what we currently have qbittorent set up to use) `ss -tuln | grep 14666`
      # "50-wg0" = {
      #   matchConfig.Name = "wg0";
      #   networkConfig = {
      #     DHCP = "no";
      #   };
      #   address = [
      #     "10.2.0.2/32"
      #   ];
      #   # routes = [
      #   #   {
      #   #     Destination = "10.2.0.2/32";
      #   #     Gateway = "10.2.0.1";
      #   #   }
      #   # ];
      # };
    };
  };
  # limit arc usage to 50gb because ollama doesn't play nice with zfs using up all of the memory
  boot.kernelParams = ["zfs.zfs_arc_max=53687091200"];
  services = {
    # temp enable desktop environment for setup
    # Enable the X11 windowing system.
    xserver.enable = true;
    # Enable the GNOME Desktop Environment.
    displayManager = {
      gdm.enable = true;
    };
    desktopManager = {
      gnome.enable = true;
    };
    ollama = {
      enable = true;
      exposePort = true;
      acceleration = false;
      environmentVariables = {
        OLLAMA_KEEP_ALIVE = "24h";
      };
      loadModels = [
        # conversation models
        "llama3.1:8b"
        "deepseek-r1:8b"
        "deepseek-r1:32b"
        "deepseek-r1:70b"
        # auto complete models
        "qwen2.5-coder:1.5b-base"
        "qwen2.5-coder:7b"
        "deepseek-coder:6.7b"
        "deepseek-coder:33b"
        # agent models
        "qwen3:8b"
        "qwen3:32b"
        "qwen3:235b-a22b"
        "qwen3-coder:30b"
        "qwen3-coder:30b-a3b-fp16"
        # embedding models
        "nomic-embed-text:latest"
      ];
    };
    tailscale = {
      enable = true;
      authKeyFile = config.sops.secrets."vpn-keys/tailscale-authkey/defiant".path;
      useRoutingFeatures = "server";
      extraUpFlags = [
        "--advertise-exit-node"
        "--advertise-routes=192.168.0.0/24"
        "--accept-dns=false"
      ];
      extraSetFlags = [
        "--advertise-exit-node"
        "--advertise-routes=192.168.0.0/24"
        "--accept-dns=false"
      ];
    };
    syncthing.enable = true;
    fail2ban.enable = true;
    jellyfin = {
      enable = true;
      subdomain = "media";
      extraSubdomains = ["jellyfin"];
    };
    immich = {
      enable = true;
      subdomain = "photos";
    };
    forgejo = {
      enable = true;
      subdomain = "git";
    };
    searx = {
      enable = true;
      subdomain = "search";
    };
    actual = {
      enable = false;
      subdomain = "budget";
    };
    home-assistant = {
      enable = true;
      subdomain = "home";
      openFirewall = true;
      database = "postgres";
      extensions = {
        sonos.enable = true;
        jellyfin.enable = true;
        wyoming.enable = false; # Temporarily disabled due to dependency conflict in wyoming-piper
      };
    };
    paperless = {
      enable = true;
      subdomain = "documents";
      passwordFile = config.sops.secrets."services/paperless_password".path;
    };
    panoramax = {
      enable = true;
    };
    qbittorrent = {
      enable = true;
      mediaDir = "/srv/qbittorent";
      openFirewall = true;
      webuiPort = 8084;
    };
  };
  # disable computer sleeping
  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };
  services.displayManager.gdm.autoSuspend = false;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/configurations/nixos/defiant/default.nix
+++ b/configurations/nixos/defiant/default.nix
@ -0,0 +1,7 @@
 # server nas
 {...}: {
  imports = [
    ./hardware-configuration.nix
    ./configuration.nix
  ];
 }
--- a/configurations/nixos/defiant/hardware-configuration.nix
+++ b/configurations/nixos/defiant/hardware-configuration.nix
@ -4,79 +4,57 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    ../hardware-common.nix
  ];
  boot = {
    initrd = {
-      availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "usb_storage" "sd_mod"];
+      availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "nvme" "usb_storage" "sd_mod"];
      kernelModules = [];
    };
    kernelModules = ["kvm-amd"];
    extraModulePackages = [];
    # Bootloader.
    loader = {
      systemd-boot.enable = true;
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot";
      };
    };
    supportedFilesystems = ["zfs"];
-    zfs.extraPools = ["zroot"];
+    zfs.extraPools = ["rpool"];
  };
  swapDevices = [];
  networking = {
    hostId = "c51763d6";
    hostName = "defiant"; # Define your hostname.
    hostId = "c51763d6";
    useNetworkd = true;
  };
  systemd.network = {
    enable = true;
    netdevs = {
      "10-bond0" = {
        netdevConfig = {
          Kind = "bond";
          Name = "bond0";
        };
        bondConfig = {
          Mode = "802.3ad";
          TransmitHashPolicy = "layer3+4";
        };
      };
    };
    networks = {
-      "30-enp4s0" = {
+      "30-eno1" = {
-        matchConfig.Name = "enp4s0";
+        matchConfig.Name = "eno1";
        networkConfig.Bond = "bond0";
        DHCP = "no";
      };
-      "30-enp5s0" = {
+      "30-eno2" = {
-        matchConfig.Name = "enp5s0";
+        matchConfig.Name = "eno2";
        networkConfig.Bond = "bond0";
        DHCP = "no";
      };
      "40-bond0" = {
        matchConfig.Name = "bond0";
        linkConfig.RequiredForOnline = "carrier";
        networkConfig.LinkLocalAddressing = "no";
        DHCP = "ipv4";
        address = [
          # configure addresses including subnet mask
          "192.168.1.10/24"
          # TODO: ipv6 address configuration
        ];
      };
    };
  };
  networking.networkmanager.enable = true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware = {
    # TODO: hardware graphics
--- a/configurations/nixos/emergent/configuration.nix
+++ b/configurations/nixos/emergent/configuration.nix
@ -0,0 +1,160 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 {
  lib,
  pkgs,
  ...
 }: {
  imports = [
    ./nvidia-drivers.nix
  ];
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  # networking.hostName = "nixos"; # Define your hostname.
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };
  # Enable the X11 windowing system.
  services.xserver.enable = true;
  # Enable wacom touchscreen device
  services.xserver.wacom.enable = true;
  # installed opentabletdriver
  hardware.opentabletdriver.enable = true;
  # Enable the GNOME Desktop Environment.
  services.displayManager.gdm.enable = true;
  services.desktopManager.gnome.enable = true;
  host = {
    users = {
      eve = {
        isDesktopUser = true;
        isTerminalUser = true;
        isPrincipleUser = true;
      };
    };
    hardware = {
      piperMouse.enable = true;
    };
    storage = {
      enable = true;
      pool = {
        mode = "";
        drives = ["wwn-0x5000039fd0cf05eb"];
      };
    };
  };
  # Configure keymap in X11
  # services.xserver.xkb.layout = "us";
  # services.xserver.xkb.options = "eurosign:e,caps:escape";
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  # services.pulseaudio.enable = true;
  # OR
  # services.pipewire = {
  #   enable = true;
  #   pulse.enable = true;
  # };
  # Enable touchpad support (enabled default in most desktopManager).
  # services.libinput.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.alice = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  #   packages = with pkgs; [
  #     tree
  #   ];
  # };
  # programs.firefox.enable = true;
  nixpkgs.config.allowUnfree = true;
  # Packages that can be installed without any extra configuration
  # See https://search.nixos.org/packages for all options
  environment.systemPackages = with pkgs; [
    wget
  ];
  # Packages that need to be installed with some extra configuration
  # See https://search.nixos.org/options for all options
  programs = {};
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  networking = {
    networkmanager.enable = true;
    useDHCP = lib.mkDefault true;
    hostId = "7e35eb97"; # arbitrary id number generated via this command: `head -c4 /dev/urandom | od -A none -t x4`
    hostName = "emergent"; # Define your hostname.
  };
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "25.05"; # Did you read the comment?
 }
--- a/configurations/nixos/emergent/default.nix
+++ b/configurations/nixos/emergent/default.nix
@ -0,0 +1,7 @@
 # evs desktop
 {...}: {
  imports = [
    ./configuration.nix
    ./hardware-configuration.nix
  ];
 }
--- a/configurations/nixos/emergent/hardware-configuration.nix
+++ b/configurations/nixos/emergent/hardware-configuration.nix
@ -0,0 +1,32 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];
  swapDevices = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp42s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/configurations/nixos/emergent/nvidia-drivers.nix
+++ b/configurations/nixos/emergent/nvidia-drivers.nix
@ -0,0 +1,51 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  # Enable OpenGL
  hardware.graphics = {
    enable = true;
  };
  # Load nvidia driver for Xorg and Wayland
  services = {
    xserver = {
      # Load nvidia driver for Xorg and Wayland
      videoDrivers = ["nvidia"];
    };
    # Use X instead of wayland
    displayManager.gdm.wayland = false;
  };
  hardware.nvidia = {
    # Modesetting is required.
    modesetting.enable = true;
    # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
    # Enable this if you have graphical corruption issues or application crashes after waking
    # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
    # of just the bare essentials.
    powerManagement.enable = true;
    # Fine-grained power management. Turns off GPU when not in use.
    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
    powerManagement.finegrained = false;
    # Use the NVidia open source kernel module (not to be confused with the
    # independent third-party "nouveau" open source driver).
    # Support is limited to the Turing and later architectures. Full list of
    # supported GPUs is at:
    # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
    # Only available from driver 515.43.04+
    open = true;
    # Enable the Nvidia settings menu,
    # accessible via `nvidia-settings`.
    nvidiaSettings = true;
    # Optionally, you may need to select the appropriate driver version for your specific GPU.
    package = config.boot.kernelPackages.nvidiaPackages.stable;
  };
 }
--- a/configurations/nixos/horizon/configuration.nix
+++ b/configurations/nixos/horizon/configuration.nix
@ -0,0 +1,157 @@
 {
  lib,
  pkgs,
  config,
  inputs,
  ...
 }: {
  imports = [
    inputs.nixos-hardware.nixosModules.framework-11th-gen-intel
  ];
  nixpkgs.config.allowUnfree = true;
  boot = {
    initrd = {
      availableKernelModules = ["usb_storage" "sd_mod"];
    };
    kernelModules = ["sg"];
    # Bootloader.
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };
  host = {
    users = {
      leyla = {
        isDesktopUser = true;
        isTerminalUser = true;
        isPrincipleUser = true;
      };
      eve.isDesktopUser = true;
    };
    hardware = {
      directAccess.enable = true;
    };
    ai = {
      enable = true;
      models = {
        "Llama 3.1 8B" = {
          model = "llama3.1:8b";
          roles = ["chat" "edit" "apply"];
          apiBase = "http://defiant:11434";
        };
        "Deepseek Coder:6.7B" = {
          model = "deepseek-coder:6.7b";
          roles = ["chat" "edit" "apply"];
          apiBase = "http://defiant:11434";
        };
        "Deepseek Coder:33B" = {
          model = "deepseek-coder:33b";
          roles = ["chat" "edit" "apply"];
          apiBase = "http://defiant:11434";
        };
        "Deepseek r1:8B" = {
          model = "deepseek-r1:8b";
          roles = ["chat"];
          apiBase = "http://defiant:11434";
        };
        "Deepseek r1:32B" = {
          model = "deepseek-r1:32b";
          roles = ["chat"];
          apiBase = "http://defiant:11434";
        };
        "qwen2.5-coder:1.5b-base" = {
          model = "qwen2.5-coder:1.5b-base";
          roles = ["autocomplete"];
          apiBase = "http://defiant:11434";
        };
        "nomic-embed-text:latest" = {
          model = "nomic-embed-text:latest";
          roles = ["embed"];
          apiBase = "http://defiant:11434";
        };
      };
    };
  };
  environment.systemPackages = with pkgs; [
    cachefilesd
    webtoon-dl
  ];
  services.cachefilesd.enable = true;
  programs = {
    adb.enable = true;
  };
  networking = {
    networkmanager.enable = true;
    hostName = "horizon"; # Define your hostname.
  };
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware = {
    graphics.enable = true;
  };
  sops.secrets = {
    "vpn-keys/tailscale-authkey/horizon" = {
      sopsFile = "${inputs.secrets}/vpn-keys.yaml";
    };
  };
  services = {
    # sudo fprintd-enroll
    fprintd = {
      enable = true;
    };
    # firmware update tool
    fwupd = {
      enable = true;
    };
    tailscale = {
      enable = true;
      authKeyFile = config.sops.secrets."vpn-keys/tailscale-authkey/horizon".path;
      useRoutingFeatures = "client";
    };
    syncthing.enable = true;
    ollama = {
      enable = true;
      loadModels = [
        "llama3.1:8b"
      ];
    };
  };
  # Enable network-online.target for better network dependency handling
  systemd.services.NetworkManager-wait-online.enable = true;
  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/configurations/nixos/horizon/default.nix
+++ b/configurations/nixos/horizon/default.nix
@ -0,0 +1,8 @@
 # leyla laptop
 {...}: {
  imports = [
    ./configuration.nix
    ./hardware-configuration.nix
    # ./network-mount.nix
  ];
 }
--- a/configurations/nixos/horizon/hardware-configuration.nix
+++ b/configurations/nixos/horizon/hardware-configuration.nix
@ -0,0 +1,45 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = ["kvm-intel"];
  boot.extraModulePackages = [];
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/866d422b-f816-4ad9-9846-791839cb9337";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/E138-65B5";
      fsType = "vfat";
    };
  };
  swapDevices = [
    {device = "/dev/disk/by-uuid/be98e952-a072-4c3a-8c12-69500b5a2fff";}
  ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp170s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/configurations/nixos/horizon/network-mount.nix
+++ b/configurations/nixos/horizon/network-mount.nix
@ -0,0 +1,76 @@
 {...}: {
  boot.supportedFilesystems = ["nfs"];
  fileSystems = {
    "/mnt/leyla_documents" = {
      device = "defiant:/exports/leyla_documents";
      fsType = "nfs";
      options = [
        "x-systemd.automount"
        "noauto"
        "noatime"
        "nofail"
        "soft"
        "intr" # Allow interruption of NFS calls
        "timeo=30" # 3 second timeout (30 deciseconds)
        "retrans=2" # Only 2 retries before giving up
        "x-systemd.idle-timeout=300" # 5 minute idle timeout for mobile
        "x-systemd.device-timeout=15" # 15 second device timeout
        "bg" # Background mount - don't block boot
        "fsc" # Enable caching
        "_netdev" # Network device - wait for network
        "x-systemd.requires=network-online.target" # Require network to be online
        "x-systemd.after=network-online.target" # Start after network is online
        "x-systemd.mount-timeout=30" # 30 second mount timeout
      ];
    };
    "/mnt/users_documents" = {
      device = "defiant:/exports/users_documents";
      fsType = "nfs";
      options = [
        "x-systemd.automount"
        "noauto"
        "nofail"
        "soft"
        "intr"
        "timeo=30"
        "retrans=2"
        "x-systemd.idle-timeout=300"
        "x-systemd.device-timeout=15"
        "bg"
        "fsc"
        "_netdev"
        "x-systemd.requires=network-online.target"
        "x-systemd.after=network-online.target"
        "x-systemd.mount-timeout=30"
      ];
    };
    "/mnt/media" = {
      device = "defiant:/exports/media";
      fsType = "nfs";
      options = [
        "x-systemd.automount"
        "noauto"
        "noatime"
        "nofail"
        "soft"
        "intr"
        "timeo=30"
        "retrans=2"
        "x-systemd.idle-timeout=300"
        "x-systemd.device-timeout=15"
        "bg"
        # Mobile-optimized read settings
        "rsize=8192" # Smaller read size for mobile
        "wsize=8192" # Smaller write size for mobile
        "fsc"
        "_netdev"
        "x-systemd.requires=network-online.target"
        "x-systemd.after=network-online.target"
        "x-systemd.mount-timeout=30"
      ];
    };
  };
 }
--- a/configurations/nixos/twilight/configuration.nix
+++ b/configurations/nixos/twilight/configuration.nix
@ -0,0 +1,160 @@
 {
  inputs,
  config,
  pkgs,
  ...
 }: {
  imports = [
    ./monitors.nix
  ];
  nixpkgs.config.allowUnfree = true;
  boot.initrd.availableKernelModules = ["usb_storage"];
  boot.kernelModules = ["sg"];
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
  sops.secrets = {
    "vpn-keys/tailscale-authkey/twilight" = {
      sopsFile = "${inputs.secrets}/vpn-keys.yaml";
    };
  };
  host = {
    users = {
      leyla = {
        isDesktopUser = true;
        isTerminalUser = true;
        isPrincipleUser = true;
      };
      eve.isDesktopUser = true;
    };
    hardware = {
      piperMouse.enable = true;
      viaKeyboard.enable = true;
      openRGB.enable = true;
      graphicsAcceleration.enable = true;
      directAccess.enable = true;
    };
    ai = {
      enable = true;
      # TODO: benchmark twilight against defiant and prune this list of models that are faster on defiant
      models = {
        # conversation models
        "Llama 3.1 8B" = {
          model = "lamma3.1:8b";
          roles = ["chat" "edit" "apply"];
        };
        "deepseek-r1:8b" = {
          model = "deepseek-r1:8b";
          roles = ["chat" "edit" "apply"];
        };
        "deepseek-r1:32b" = {
          model = "deepseek-r1:32b";
          roles = ["chat" "edit" "apply"];
        };
        # auto complete models
        "qwen2.5-coder:1.5b-base" = {
          model = "qwen2.5-coder:1.5b-base";
          roles = ["autocomplete"];
        };
        "qwen2.5-coder:7b" = {
          model = "qwen2.5-coder:7b";
          roles = ["autocomplete"];
        };
        "deepseek-coder:6.7b" = {
          model = "deepseek-coder:6.7b";
          roles = ["autocomplete"];
        };
        "deepseek-coder:33b" = {
          model = "deepseek-coder:33b";
          roles = ["autocomplete"];
        };
        # agent models
        "qwen3:32b" = {
          model = "qwen3:32b";
          roles = ["chat" "edit" "apply"];
        };
        # embedding models
        "nomic-embed-text:latest" = {
          model = "nomic-embed-text:latest";
          roles = ["embed"];
        };
      };
    };
  };
  services = {
    ollama = {
      enable = true;
      exposePort = true;
      loadModels = [
        # conversation models
        "llama3.1:8b"
        "deepseek-r1:8b"
        "deepseek-r1:32b"
        # auto complete models
        "qwen2.5-coder:1.5b-base"
        "qwen2.5-coder:7b"
        "deepseek-coder:6.7b"
        "deepseek-coder:33b"
        # agent models
        "qwen3:32b"
        # embedding models
        "nomic-embed-text:latest"
      ];
    };
    tailscale = {
      enable = true;
      authKeyFile = config.sops.secrets."vpn-keys/tailscale-authkey/twilight".path;
      useRoutingFeatures = "both";
      extraUpFlags = [
        "--advertise-exit-node"
        "--advertise-routes=192.168.0.0/24"
      ];
      extraSetFlags = [
        "--advertise-exit-node"
        "--advertise-routes=192.168.0.0/24"
      ];
    };
    syncthing.enable = true;
  };
  # Enable network-online.target for better network dependency handling
  systemd.services.NetworkManager-wait-online.enable = true;
  environment.systemPackages = with pkgs; [
    cachefilesd
  ];
  hardware.steam-hardware.enable = true; # Provides udev rules for controller, HTC vive, and Valve Index
  networking = {
    networkmanager.enable = true;
    hostName = "twilight"; # Define your hostname.
  };
  # enabled virtualisation for docker
  # virtualisation.docker.enable = true;
  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/configurations/nixos/twilight/default.nix
+++ b/configurations/nixos/twilight/default.nix
@ -0,0 +1,9 @@
 # leyla desktop
 {...}: {
  imports = [
    ./configuration.nix
    ./hardware-configuration.nix
    ./nvidia-drivers.nix
    # ./network-mount.nix
  ];
 }
--- a/configurations/nixos/twilight/hardware-configuration.nix
+++ b/configurations/nixos/twilight/hardware-configuration.nix
@ -0,0 +1,42 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = ["kvm-amd"];
  boot.extraModulePackages = [];
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/8be49c65-2b57-48f1-b74d-244d26061adb";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/3006-3867";
      fsType = "vfat";
      options = ["fmask=0022" "dmask=0022"];
    };
  };
  swapDevices = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/configurations/nixos/twilight/monitors.nix
+++ b/configurations/nixos/twilight/monitors.nix
@ -1,28 +1,4 @@
-# leyla laptop
+{pkgs, ...}: {
 {
  config,
  pkgs,
  inputs,
  ...
 }: {
  imports = [
    inputs.home-manager.nixosModules.default
    inputs.sops-nix.nixosModules.sops
    ./hardware-configuration.nix
    ../../enviroments/client
  ];
  users = {
    leyla = {
      isFullUser = true;
      hasGPU = true;
    };
    ester.isFullUser = true;
    eve.isFullUser = true;
  };
  systemd.tmpfiles.rules = [
    "L+ /run/gdm/.config/monitors.xml - - - - ${pkgs.writeText "gdm-monitors.xml" ''
      <monitors version="2">
@ -220,18 +196,4 @@
      </monitors>
    ''}"
  ];
  # enabled virtualisation for docker
  # virtualisation.docker.enable = true;
  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/configurations/nixos/twilight/network-mount.nix
+++ b/configurations/nixos/twilight/network-mount.nix
@ -0,0 +1,72 @@
 {...}: {
  boot.supportedFilesystems = ["nfs"];
  fileSystems = {
    "/mnt/leyla_documents" = {
      device = "defiant:/exports/leyla_documents";
      fsType = "nfs";
      options = [
        "x-systemd.automount"
        "noauto"
        "noatime"
        "nofail"
        "soft"
        "intr" # Allow interruption of NFS calls
        "timeo=50" # 5 second timeout (50 deciseconds) - longer than mobile
        "retrans=3" # 3 retries for desktop
        "x-systemd.idle-timeout=600" # 10 minute idle timeout for desktop
        "x-systemd.device-timeout=30" # 30 second device timeout
        "bg" # Background mount - don't block boot
        "fsc" # Enable caching
        "_netdev" # Network device - wait for network
        "x-systemd.requires=network-online.target" # Require network to be online
        "x-systemd.after=network-online.target" # Start after network is online
      ];
    };
    "/mnt/users_documents" = {
      device = "defiant:/exports/users_documents";
      fsType = "nfs";
      options = [
        "x-systemd.automount"
        "noauto"
        "nofail"
        "soft"
        "intr"
        "timeo=50"
        "retrans=3"
        "x-systemd.idle-timeout=600"
        "bg"
        "fsc"
        "_netdev"
        "x-systemd.requires=network-online.target"
        "x-systemd.after=network-online.target"
      ];
    };
    "/mnt/media" = {
      device = "defiant:/exports/media";
      fsType = "nfs";
      options = [
        "x-systemd.automount"
        "noauto"
        "noatime"
        "nofail"
        "soft"
        "intr"
        "timeo=50"
        "retrans=3"
        "x-systemd.idle-timeout=600"
        "x-systemd.device-timeout=30"
        "bg"
        # Desktop-optimized read settings
        "rsize=32768" # Larger read size for desktop
        "wsize=32768" # Larger write size for desktop
        "fsc"
        "_netdev"
        "x-systemd.requires=network-online.target"
        "x-systemd.after=network-online.target"
      ];
    };
  };
 }
--- a/configurations/nixos/twilight/nvidia-drivers.nix
+++ b/configurations/nixos/twilight/nvidia-drivers.nix
@ -0,0 +1,47 @@
 {config, ...}: {
  services = {
    xserver = {
      # Load nvidia driver for Xorg and Wayland
      videoDrivers = ["nvidia"];
    };
    # Use X instead of wayland for gaming reasons
    displayManager.gdm.wayland = false;
  };
  hardware = {
    # Enable OpenGL
    graphics.enable = true;
    # install graphics drivers
    nvidia = {
      # Modesetting is required.
      modesetting.enable = true;
      # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
      # Enable this if you have graphical corruption issues or application crashes after waking
      # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
      # of just the bare essentials.
      powerManagement.enable = true;
      # Fine-grained power management. Turns off GPU when not in use.
      # Experimental and only works on modern Nvidia GPUs (Turing or newer).
      powerManagement.finegrained = false;
      # Use the NVidia open source kernel module (not to be confused with the
      # independent third-party "nouveau" open source driver).
      # Support is limited to the Turing and later architectures. Full list of
      # supported GPUs is at:
      # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
      # Only available from driver 515.43.04+
      # Currently alpha-quality/buggy, so false is currently the recommended setting.
      open = true;
      # Enable the Nvidia settings menu,
      # accessible via `nvidia-settings`.
      nvidiaSettings = true;
      # Optionally, you may need to select the appropriate driver version for your specific GPU.
      package = config.boot.kernelPackages.nvidiaPackages.production;
    };
  };
 }
--- a/configurations/syncthing/default.nix
+++ b/configurations/syncthing/default.nix
@ -0,0 +1,119 @@
 {config, ...}: {
  folders = {
    leyla_documents = {
      id = "hvrj0-9bm1p";
    };
    leyla_calendar = {
      id = "8oatl-1rv6w";
    };
    leyla_supernote_notes = {
      id = "dwbuv-zffnf";
    };
    eve_records = {
      id = "by6at-d4h9n";
    };
    share = {
      id = "73ot0-cxmkx";
    };
  };
  devices = {
    defiant = {
      id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR";
      folders = {
        leyla_documents = {
          folder = config.folders.leyla_documents;
          path = "/mnt/sync/leyla/documents";
        };
        leyla_calendar = {
          folder = config.folders.leyla_calendar;
          path = "/mnt/sync/leyla/calendar";
        };
        leyla_supernote_notes = {
          folder = config.folders.leyla_supernote_notes;
          path = "/mnt/sync/leyla/notes";
        };
        eve_records = {
          folder = config.folders.eve_records;
          path = "/mnt/sync/eve/records";
        };
        share = {
          folder = config.folders.share;
          path = "/mnt/sync/default/share";
        };
      };
    };
    twilight = {
      id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN";
      folders = {
        leyla_documents = {
          folder = config.folders.leyla_documents;
          path = "/mnt/sync/leyla/documents";
        };
        share = {
          folder = config.folders.share;
          path = "/mnt/sync/default/share";
        };
      };
    };
    horizon = {
      id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS";
      folders = {
        leyla_documents = {
          folder = config.folders.leyla_documents;
          path = "/mnt/sync/leyla/documents";
        };
        share = {
          folder = config.folders.share;
          path = "/mnt/sync/default/share";
        };
      };
    };
    coven = {
      id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5";
      folders = {
        leyla_documents = {
          folder = config.folders.leyla_documents;
        };
        share = {
          folder = config.folders.share;
        };
      };
    };
    ceder = {
      id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA";
      folders = {
        share = {
          folder = config.folders.share;
        };
        leyla_documents = {
          folder = config.folders.leyla_documents;
        };
        leyla_calendar = {
          folder = config.folders.leyla_calendar;
        };
        leyla_notes = {
          folder = config.folders.leyla_supernote_notes;
        };
      };
    };
    emergent = {
      id = "6MIDMKJ-7IFHXVX-FIR3YTB-KVE75LN-PA6IOTN-I257LWR-MMC4K6C-5H4SHQN";
      folders = {
        eve_records = {
          folder = config.folders.eve_records;
        };
        share = {
          folder = config.folders.share;
        };
      };
    };
    shale = {
      id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM";
      folders = {
        share = {
          folder = config.folders.share;
        };
      };
    };
  };
 }
--- a/const/sops_age_key_directory.nix
+++ b/const/sops_age_key_directory.nix
@ -0,0 +1 @@
 "/var/lib/sops-nix"
--- a/enviroments/client/default.nix
+++ b/enviroments/client/default.nix
@ -1,57 +0,0 @@
 {pkgs, ...}: {
  imports = [
    ../common
  ];
  services = {
    # Enable CUPS to print documents.
    printing.enable = true;
    xserver = {
      # Enable the X11 windowing system.
      enable = true;
      # Enable the GNOME Desktop Environment.
      displayManager.gdm.enable = true;
      desktopManager = {
        gnome.enable = true;
        xterm.enable = false;
      };
      # Get rid of xTerm
      excludePackages = [pkgs.xterm];
      # Configure keymap in X11
      xkb = {
        layout = "us,it,de";
        variant = "";
      };
    };
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      # If you want to use JACK applications, uncomment this
      #jack.enable = true;
      # use the example session manager (no others are packaged yet so this is enabled by default,
      # no need to redefine it in your config for now)
      #media-session.enable = true;
    };
  };
  # Enable sound with pipewire.
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  environment.systemPackages = with pkgs; [
    # helvetica font
    aileron
    cachefilesd
    gnomeExtensions.dash-to-dock
  ];
 }
--- a/enviroments/common/default.nix
+++ b/enviroments/common/default.nix
@ -1,155 +0,0 @@
 {pkgs, ...}: {
  imports = [
    ../../users
  ];
  nix = {
    settings = {
      experimental-features = ["nix-command" "flakes"];
      trusted-users = ["leyla"];
    };
    gc.automatic = true;
  };
  # Enable networking
  networking.networkmanager.enable = true;
  # Set your time zone.
  time.timeZone = "America/Chicago";
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_US.UTF-8";
    LC_IDENTIFICATION = "en_US.UTF-8";
    LC_MEASUREMENT = "en_US.UTF-8";
    LC_MONETARY = "en_US.UTF-8";
    LC_NAME = "en_US.UTF-8";
    LC_NUMERIC = "en_US.UTF-8";
    LC_PAPER = "en_US.UTF-8";
    LC_TELEPHONE = "en_US.UTF-8";
    LC_TIME = "en_US.UTF-8";
  };
  users = {
    users = {
      leyla = {
        uid = 1000;
        description = "Leyla";
        group = "leyla";
      };
      ester = {
        uid = 1001;
        description = "Ester";
        group = "ester";
      };
      eve = {
        uid = 1002;
        description = "Eve";
        group = "eve";
      };
      jellyfin = {
        uid = 2000;
        group = "jellyfin";
        isSystemUser = true;
      };
      forgejo = {
        uid = 2002;
        group = "forgejo";
        isSystemUser = true;
      };
      pihole = {
        uid = 2003;
        group = "pihole";
        isSystemUser = true;
      };
    };
    groups = {
      leyla = {
        gid = 1000;
        members = ["lelya"];
      };
      ester = {
        gid = 1001;
        members = ["ester"];
      };
      eve = {
        gid = 1002;
        members = ["eve"];
      };
      users = {
        gid = 100;
        members = ["leyla" "ester" "eve"];
      };
      jellyfin = {
        gid = 2000;
        members = ["jellyfin" "leyla"];
      };
      jellyfin_media = {
        gid = 2001;
        members = ["jellyfin" "leyla" "ester" "eve"];
      };
      forgejo = {
        gid = 2002;
        members = ["forgejo" "leyla"];
      };
      pihole = {
        gid = 2003;
        members = ["pihole" "leyla"];
      };
    };
  };
  services = {
    openssh = {
      enable = true;
      ports = [22];
      settings = {
        PasswordAuthentication = false;
        AllowUsers = ["leyla"]; # Allows all users by default. Can be [ "user1" "user2" ]
        UseDns = true;
        X11Forwarding = false;
      };
    };
  };
  environment.sessionVariables = rec {
    SOPS_AGE_KEY_DIRECTORY = "/var/lib/sops-nix";
    SOPS_AGE_KEY_FILE = "${SOPS_AGE_KEY_DIRECTORY}/key.txt";
  };
  sops = {
    defaultSopsFormat = "yaml";
    gnupg.sshKeyPaths = [];
    age = {
      keyFile = "/var/lib/sops-nix/key.txt";
      sshKeyPaths = [];
      # generateKey = true;
    };
  };
  # List packages installed in system profile.
  environment.systemPackages = with pkgs; [
    wget
    # version control
    git
    # system debuging tools
    iputils
    dnsutils
  ];
 }
--- a/enviroments/server/default.nix
+++ b/enviroments/server/default.nix
@ -1,258 +0,0 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: {
  imports = [
    ../common
  ];
  options = {
    domains = {
      base_domain = lib.mkOption {
        type = lib.types.str;
      };
      headscale = {
        subdomain = lib.mkOption {
          type = lib.types.str;
          description = "subdomain of base domain that headscale will be hosted at";
          default = "headscale";
        };
      };
      jellyfin = {
        subdomain = lib.mkOption {
          type = lib.types.str;
          description = "subdomain of base domain that jellyfin will be hosted at";
          default = "jellyfin";
        };
        hostname = lib.mkOption {
          type = lib.types.str;
          description = "hosname that jellyfin will be hosted at";
          default = "${config.domains.jellyfin.subdomain}.${config.domains.base_domain}";
        };
      };
      forgejo = {
        subdomain = lib.mkOption {
          type = lib.types.str;
          description = "subdomain of base domain that foregjo will be hosted at";
          default = "forgejo";
        };
        hostname = lib.mkOption {
          type = lib.types.str;
          description = "hosname that forgejo will be hosted at";
          default = "${config.domains.forgejo.subdomain}.${config.domains.base_domain}";
        };
      };
    };
  };
  config = {
    sops.secrets = {
      "services/pi-hole" = {
        sopsFile = ../../secrets/defiant-services.yaml;
      };
    };
    # Runtime
    virtualisation.podman = {
      enable = true;
      autoPrune.enable = true;
      dockerCompat = true;
      defaultNetwork.settings = {
        # Required for container networking to be able to use names.
        dns_enabled = true;
      };
    };
    virtualisation.oci-containers.backend = "podman";
    virtualisation.oci-containers.containers.pihole = {
      image = "pihole/pihole:2024.07.0";
      hostname = "pihole";
      volumes = [
        "/home/pihole:/etc/pihole:rw" # TODO; set this based on configs
        "${config.sops.secrets."services/pi-hole".path}:/var/lib/pihole/webpassword.txt"
      ];
      environment = {
        TZ = config.time.timeZone;
        WEBPASSWORD_FILE = "/var/lib/pihole/webpassword.txt";
        PIHOLE_UID = toString config.users.users.pihole.uid;
        PIHOLE_GID = toString config.users.groups.pihole.gid;
      };
      log-driver = "journald";
      extraOptions = [
        "--ip=192.168.1.201" # TODO: set this to some ip address from configs
        "--network=macvlan"
      ];
    };
    systemd = {
      tmpfiles.rules = [
        "d /home/jellyfin 755 jellyfin jellyfin -"
        "d /home/jellyfin/media 775 jellyfin jellyfin_media -"
        "d /home/jellyfin/config 750 jellyfin jellyfin -"
        "d /home/jellyfin/cache 755 jellyfin jellyfin_media -"
        "d /home/forgejo 750 forgejo forgejo -"
        "d /home/forgejo/data 750 forgejo forgejo -"
        "d /home/pihole 750 pihole pihole -"
      ];
      services = {
        "podman-pihole" = {
          serviceConfig = {
            Restart = lib.mkOverride 500 "always";
          };
          after = [
            "podman-network-macvlan.service"
          ];
          requires = [
            "podman-network-macvlan.service"
          ];
          partOf = [
            "podman-compose-root.target"
          ];
          wantedBy = [
            "podman-compose-root.target"
          ];
        };
        "podman-network-macvlan" = {
          path = [ pkgs.podman ];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            ExecStop = "podman network rm -f macvlan";
          };
          # TODO: check subnet against pi-hole ip address
          # TODO: make lan configurable
          # TODO: make parent interface configurable
          script = ''
            podman network inspect macvlan || podman network create --driver macvlan --subnet 192.168.1.0/24 --gateway 192.168.1.1 --opt parent=bond0 macvlan
          '';
          partOf = [ "podman-compose-root.target" ];
          wantedBy = [ "podman-compose-root.target" ];
        };
      };
      # disable computer sleeping
      targets = {
        sleep.enable = false;
        suspend.enable = false;
        hibernate.enable = false;
        hybrid-sleep.enable = false;
        # Root service
        # When started, this will automatically create all resources and start
        # the containers. When stopped, this will teardown all resources.
        "podman-compose-root" = {
          unitConfig = {
            Description = "Root target for podman targets.";
          };
          wantedBy = [ "multi-user.target" ];
        };
      };
    };
    services = {
      # DNS stub needs to be disabled so pi hole can bind
      # resolved.extraConfig = "DNSStubListener=no";
      nfs.server = {
        enable = true;
        exports = ''
          /home/leyla 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt)
          /home/eve   192.168.1.0/22(rw,sync,no_subtree_check,crossmnt)
          /home/ester 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt)
          /home/users 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt)
        '';
      };
      postgresql = {
        enable = true;
        ensureDatabases = ["forgejo"];
        identMap = ''
          # ArbitraryMapName systemUser DBUser
          superuser_map      root      postgres
          superuser_map      postgres  postgres
          superuser_map      forgejo   forgejo
        '';
        # configuration here lets users access the db that matches their name and lets user postgres access everything
        authentication = pkgs.lib.mkOverride 10 ''
          # type database DBuser   auth-method  optional_ident_map
          local sameuser  all     peer        map=superuser_map
        '';
      };
      headscale = {
        enable = true;
        address = "0.0.0.0";
        port = 8080;
        settings = {
          server_url = "http://${config.domains.headscale.subdomain}.${config.domains.base_domain}";
          dns_config.base_domain = config.domains.base_domain;
          logtail.enabled = false;
        };
      };
      jellyfin = {
        enable = true;
        user = "jellyfin";
        group = "jellyfin";
        dataDir = "/home/jellyfin/config"; # location on existing server: /home/docker/jellyfin/config
        cacheDir = "/home/jellyfin/cache"; # location on existing server: /home/docker/jellyfin/cache
      };
      forgejo = {
        enable = true;
        database.type = "postgres";
        lfs.enable = true;
        settings = {
          server = {
            DOMAIN = config.domains.forgejo.hostname;
            HTTP_PORT = 8081;
          };
          service.DISABLE_REGISTRATION = true;
        };
        stateDir = "/home/forgejo/data";
      };
      nginx = {
        enable = false; # TODO: enable this when you want to test all the configs
        virtualHosts = {
          ${config.domains.headscale.hostname} = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://localhost:${toString config.services.headscale.port}";
              proxyWebsockets = true;
            };
          };
          ${config.domains.jellyfin.hostname} = {
            forceSSL = true;
            enableACME = true;
            locations."/".proxyPass = "http://localhost:8096";
          };
          ${config.domains.forgejo.hostname} = {
            forceSSL = true;
            enableACME = true;
            locations."/".proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
          };
        };
      };
    };
    security.acme = {
      acceptTerms = true;
      defaults.email = "jan-leila@protonmail.com";
    };
    networking.firewall.allowedTCPPorts = [53 2049 3000 8081];
    environment.systemPackages = [
      config.services.headscale.package
      pkgs.jellyfin
      pkgs.jellyfin-web
      pkgs.jellyfin-ffmpeg
    ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,23 @@
 {
  "nodes": {
    "devshell": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1741473158,
        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@ -7,11 +25,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726842196,
+        "lastModified": 1757508292,
-        "narHash": "sha256-u9h03JQUuQJ607xmti9F9Eh6E96kKUAGP+aXWgwm70o=",
+        "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "51994df8ba24d5db5459ccf17b6494643301ad28",
+        "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a",
        "type": "github"
      },
      "original": {
@ -20,14 +38,35 @@
        "type": "github"
      }
    },
-    "flake-compat": {
+    "firefox-addons": {
-      "flake": false,
+      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1696426674,
+        "dir": "pkgs/firefox-addons",
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1757995413,
        "narHash": "sha256-vaU/7/PXoym6vnspGxhR29V9klGe9iy9zmp6x7w38f8=",
        "owner": "rycee",
        "repo": "nur-expressions",
        "rev": "4ae8996b3e139926c784acd22824cde46cd28833",
        "type": "gitlab"
      },
      "original": {
        "dir": "pkgs/firefox-addons",
        "owner": "rycee",
        "repo": "nur-expressions",
        "type": "gitlab"
      }
    },
    "flake-compat": {
      "locked": {
        "lastModified": 1747046372,
        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@ -41,11 +80,29 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@ -61,11 +118,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726863345,
+        "lastModified": 1757997814,
-        "narHash": "sha256-fjbKe1/UJpLT6tQLAKJ/djJFdnmAh2kkdsgmylyFrQA=",
+        "narHash": "sha256-F+1aoG+3NH4jDDEmhnDUReISyq6kQBBuktTUqCUWSiw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "dfe4d334b172071e7189d971ddecd3a7f811b48d",
+        "rev": "5820376beb804de9acf07debaaff1ac84728b708",
        "type": "github"
      },
      "original": {
@ -74,20 +131,97 @@
        "type": "github"
      }
    },
-    "nix-vscode-extensions": {
+    "impermanence": {
      "locked": {
        "lastModified": 1737831083,
        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
        "owner": "nix-community",
        "repo": "impermanence",
        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "impermanence",
        "type": "github"
      }
    },
    "mcp-nixos": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "devshell": "devshell",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1726796602,
+        "lastModified": 1755372538,
-        "narHash": "sha256-rYMcODISSljSETcqUUTMo++ZEa1CC6Xx6d3xuydishM=",
+        "narHash": "sha256-iWhsf1Myk6RyQ7IuNf4bWI3Sqq9pgmhKvEisCXtkxyw=",
        "owner": "utensils",
        "repo": "mcp-nixos",
        "rev": "46b4d4d3d6421bfbadc415532ef74433871e1cda",
        "type": "github"
      },
      "original": {
        "owner": "utensils",
        "repo": "mcp-nixos",
        "type": "github"
      }
    },
    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1757430124,
        "narHash": "sha256-MhDltfXesGH8VkGv3hmJ1QEKl1ChTIj9wmGAFfWj/Wk=",
        "owner": "LnL7",
        "repo": "nix-darwin",
        "rev": "830b3f0b50045cf0bcfd4dab65fad05bf882e196",
        "type": "github"
      },
      "original": {
        "owner": "LnL7",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "nix-syncthing": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1741849924,
        "narHash": "sha256-5vyb1H6HtW24QVqfI56P4QVQP6vHh1jS9ULwnunCO94=",
        "ref": "main",
        "rev": "86bcb200c83b6a5d13b3583126b9d8dc6770613a",
        "revCount": 6,
        "type": "git",
        "url": "https://git.jan-leila.com/jan-leila/nix-syncthing"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.jan-leila.com/jan-leila/nix-syncthing"
      }
    },
    "nix-vscode-extensions": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1757987448,
        "narHash": "sha256-ltDT7EIfLHV42p99HnDfDviC8jN7tcOed1qsLEFypl8=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "91dea80194080f017c6edf84fd94e33f6c12aec3",
+        "rev": "e496568b0e69d9d54c8cfef96ed1370952ad9786",
        "type": "github"
      },
      "original": {
@ -98,11 +232,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1726724509,
+        "lastModified": 1757943327,
-        "narHash": "sha256-sVeAM1tgVi52S1e29fFBTPUAFSzgQwgLon3CrztXGm8=",
+        "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "10d5e0ecc32984c1bf1a9a46586be3451c42fd94",
+        "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05",
        "type": "github"
      },
      "original": {
@ -114,43 +248,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1726755586,
+        "lastModified": 1722073938,
-        "narHash": "sha256-PmUr/2GQGvFTIJ6/Tvsins7Q43KTMvMFhvG6oaYK+Wk=",
+        "narHash": "sha256-OpX0StkL8vpXyWOGUD6G+MA26wAXK6SpT94kLJXo6B4=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "c04d5652cfa9742b1d519688f65d1bbccea9eb7e",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1725762081,
        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
+        "rev": "e36e9f57337d0ff0cf77aceb58af4c805472bfae",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1725534445,
        "narHash": "sha256-Yd0FK9SkWy+ZPuNqUgmVPXokxDgMJoGuNpMEtkfcf84=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "9bb1e7571aadf31ddb4af77fc64b2d59580f9a39",
        "type": "github"
      },
      "original": {
@ -160,27 +262,68 @@
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1757745802,
        "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "disko": "disko",
        "firefox-addons": "firefox-addons",
        "flake-compat": "flake-compat",
        "home-manager": "home-manager",
        "impermanence": "impermanence",
        "mcp-nixos": "mcp-nixos",
        "nix-darwin": "nix-darwin",
        "nix-syncthing": "nix-syncthing",
        "nix-vscode-extensions": "nix-vscode-extensions",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
-        "sops-nix": "sops-nix"
+        "secrets": "secrets",
        "sops-nix": "sops-nix",
        "steam-fetcher": "steam-fetcher"
      }
    },
    "secrets": {
      "flake": false,
      "locked": {
        "lastModified": 1752531440,
        "narHash": "sha256-04tQ3EUrtmZ7g6fVUkZC4AbAG+Z7lng79qU3jsiqWJY=",
        "ref": "refs/heads/main",
        "rev": "f016767c13aa36dde91503f7a9f01bdd02468045",
        "revCount": 20,
        "type": "git",
        "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
      },
      "original": {
        "type": "git",
        "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
      }
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": [
-        "nixpkgs-stable": "nixpkgs-stable"
+          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1726524647,
+        "lastModified": 1758007585,
-        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
+        "narHash": "sha256-HYnwlbY6RE5xVd5rh0bYw77pnD8lOgbT4mlrfjgNZ0c=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
+        "rev": "f77d4cfa075c3de66fc9976b80e0c4fc69e2c139",
        "type": "github"
      },
      "original": {
@ -189,6 +332,26 @@
        "type": "github"
      }
    },
    "steam-fetcher": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1714795926,
        "narHash": "sha256-PkgC9jqoN6cJ8XYzTA2PlrWs7aPJkM3BGiTxNqax0cA=",
        "owner": "nix-community",
        "repo": "steam-fetcher",
        "rev": "12f66eafb7862d91b3e30c14035f96a21941bd9c",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "steam-fetcher",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@ -203,6 +366,21 @@
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -5,75 +5,184 @@
    # base packages
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    # encrypt files that contain secreats that I would like to not encrypt
+    # lix-module = {
-    sops-nix.url = "github:Mic92/sops-nix";
+    #   url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.3-1.tar.gz";
    #   inputs.nixpkgs.follows = "nixpkgs";
    # };
-    # declairtive disk configuration
+    # secret encryption
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # self hosted repo of secrets file to further protect files in case of future encryption vulnerabilities
    secrets = {
      url = "git+ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git";
      flake = false;
    };
    # common config for syncthing
    nix-syncthing = {
      url = "git+https://git.jan-leila.com/jan-leila/nix-syncthing?ref=main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # disk configurations
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    # managment per user
+    # delete your darlings
    impermanence = {
      url = "github:nix-community/impermanence";
    };
    nix-darwin = {
      url = "github:LnL7/nix-darwin";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # users home directories
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    # repo of hardware configs for prebuilt systems
+    # firefox extensions
-    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # vscode extensions
    nix-vscode-extensions = {
      url = "github:nix-community/nix-vscode-extensions";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # pregenerated hardware configurations
    nixos-hardware = {
      url = "github:NixOS/nixos-hardware/master";
    };
    # this is just here so that we have a lock on it for our dev shells
    flake-compat = {
      url = "github:edolstra/flake-compat";
    };
    steam-fetcher = {
      url = "github:nix-community/steam-fetcher";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # MCP NixOS server for Claude Dev
    mcp-nixos = {
      url = "github:utensils/mcp-nixos";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = {
    self,
    nixpkgs,
-    disko,
+    sops-nix,
-    nixos-hardware,
+    nix-syncthing,
    home-manager,
    impermanence,
    ...
  } @ inputs: let
-    forEachSystem = nixpkgs.lib.genAttrs [
+    util = import ./util {inherit inputs;};
-      "aarch64-darwin"
+    forEachPkgs = util.forEachPkgs;
      "aarch64-linux"
      "x86_64-darwin"
      "x86_64-linux"
    ];
    forEachPkgs = lambda: forEachSystem (system: lambda nixpkgs.legacyPackages.${system});
  in {
    packages = forEachPkgs (pkgs: import ./pkgs {inherit pkgs;});
-    nixosConfigurations = {
+    mkNixosInstaller = util.mkNixosInstaller;
-      # Leyla Laptop
+    mkNixosSystem = util.mkNixosSystem;
-      horizon = nixpkgs.lib.nixosSystem {
+    mkDarwinSystem = util.mkDarwinSystem;
-        specialArgs = {inherit inputs;};
+    mkHome = util.mkHome;
-        modules = [
+    syncthingConfiguration = util.syncthingConfiguration;
-          ./hosts/horizon/configuration.nix
+
-          inputs.home-manager.nixosModules.default
+    installerSystems = {
-          nixos-hardware.nixosModules.framework-11th-gen-intel
+      basic = mkNixosInstaller "basic" [];
        ];
      };
      # Leyla Desktop
      twilight = nixpkgs.lib.nixosSystem {
        specialArgs = {inherit inputs;};
        modules = [
          ./hosts/twilight/configuration.nix
          inputs.home-manager.nixosModules.default
        ];
      };
      # NAS Service
      defiant = nixpkgs.lib.nixosSystem {
        specialArgs = {inherit inputs;};
        modules = [
          disko.nixosModules.disko
          ./hosts/defiant/disko-config.nix
          ./hosts/defiant/configuration.nix
        ];
      };
    };
    nixosSystems = {
      horizon = mkNixosSystem "horizon";
      twilight = mkNixosSystem "twilight";
      defiant = mkNixosSystem "defiant";
      emergent = mkNixosSystem "emergent";
    };
    darwinSystems = {
      hesperium = mkDarwinSystem "hesperium";
    };
    homeSystems = {
      # stand alone home manager configurations here:
      # name = mkHome "name"
    };
    systemsHomes = nixpkgs.lib.attrsets.mergeAttrsList (
      nixpkgs.lib.attrsets.mapAttrsToList (hostname: system: (
        nixpkgs.lib.attrsets.mapAttrs' (user: _: {
          name = "${user}@${hostname}";
          value = mkHome {
            user = user;
            host = hostname;
            system = system.pkgs.hostPlatform.system;
            osConfig = system.config;
          };
        })
        system.config.home-manager.users
      ))
      (nixosSystems // darwinSystems)
    );
    homeConfigurations =
      systemsHomes
      // homeSystems;
  in {
    formatter = forEachPkgs (system: pkgs: pkgs.alejandra);
    # templates = import ./templates;
    devShells = forEachPkgs (system: pkgs: {
      default = pkgs.mkShell {
        packages = with pkgs; [
          # for version controlling this repo
          git
          # for formatting code in this repo
          alejandra
          # for editing secrets in the secrets repo
          sops
          # for viewing configuration options defined in this repo
          nix-inspect
          # for installing flakes from this repo onto other systems
          nixos-anywhere
          # for updating disko configurations
          disko
          # for viewing dconf entries
          dconf-editor
          # for MCP NixOS server support in development
          inputs.mcp-nixos.packages.${system}.default
        ];
        SOPS_AGE_KEY_DIRECTORY = import ./const/sops_age_key_directory.nix;
        shellHook = ''
          git config core.hooksPath .hooks
        '';
      };
    });
    installerConfigurations = installerSystems;
    nixosConfigurations = nixosSystems;
    darwinConfigurations = darwinSystems;
    homeConfigurations = homeConfigurations;
    syncthingConfiguration = syncthingConfiguration;
  };
 }
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@ -1,65 +0,0 @@
 # server nas
 {
  config,
  pkgs,
  inputs,
  ...
 }: {
  imports = [
    inputs.home-manager.nixosModules.default
    inputs.sops-nix.nixosModules.sops
    ./hardware-configuration.nix
    ../../enviroments/server
  ];
  users.leyla.isThinUser = true;
  boot.loader.grub = {
    enable = true;
    zfsSupport = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  domains = {
    base_domain = "jan-leila.com";
    headscale.subdomain = "vpn";
    jellyfin.subdomain = "media";
    forgejo.subdomain = "git";
  };
  services = {
    zfs = {
      autoScrub.enable = true;
      autoSnapshot.enable = true;
    };
    # temp enable desktop enviroment for setup
    # Enable the X11 windowing system.
    xserver = {
      enable = true;
      # Enable the GNOME Desktop Environment.
      displayManager = {
        gdm.enable = true;
      };
      desktopManager = {
        gnome.enable = true;
        xterm.enable = false;
      };
      # Get rid of xTerm
      excludePackages = [pkgs.xterm];
    };
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/defiant/disko-config.nix
+++ b/hosts/defiant/disko-config.nix
@ -1,136 +0,0 @@
 {lib, ...}: let
  bootDisk = devicePath: {
    type = "disk";
    device = devicePath;
    content = {
      type = "gpt";
      partitions = {
        boot = {
          size = "1M";
          type = "EF02"; # for grub MBR
        };
        ESP = {
          size = "1G";
          type = "EF00";
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
          };
        };
      };
    };
  };
  zfsDisk = devicePath: {
    type = "disk";
    device = devicePath;
    content = {
      type = "gpt";
      partitions = {
        zfs = {
          size = "100%";
          content = {
            type = "zfs";
            pool = "zroot";
          };
        };
      };
    };
  };
  cacheDisk = devicePath: swapSize: {
    type = "disk";
    device = devicePath;
    content = {
      type = "gpt";
      partitions = {
        encryptedSwap = {
          size = swapSize;
          content = {
            type = "swap";
            randomEncryption = true;
            discardPolicy = "both";
            resumeDevice = true;
          };
        };
        zfs = {
          size = "100%";
          content = {
            type = "zfs";
            pool = "zroot";
          };
        };
      };
    };
  };
 in {
  disko.devices = {
    disk = {
      boot = bootDisk "/dev/disk/by-path/pci-0000:23:00.3-usb-0:1:1.0-scsi-0:0:0:0";
      hd_13_tb_a = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXVEB";
      hd_13_tb_b = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXWSC";
      hd_13_tb_c = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTD10EH";
      # ssd_2_tb_a = cacheDisk "64G" "/dev/disk/by-id/XXX";
    };
    zpool = {
      zroot = {
        type = "zpool";
        mode = {
          topology = {
            type = "topology";
            vdev = [
              {
                # should this only mirror for this inital config with 3 drives we will used raidz2 for future configs???
                mode = "mirror";
                members = [
                  "hd_13_tb_a"
                  "hd_13_tb_b"
                  "hd_13_tb_c"
                ];
              }
            ];
            cache = [];
            # cache = [ "ssd_2_tb_a" ];
          };
        };
        options = {
          ashift = "12";
        };
        rootFsOptions = {
          encryption = "on";
          keyformat = "hex";
          keylocation = "prompt";
          compression = "lz4";
          xattr = "sa";
          acltype = "posixacl";
          "com.sun:auto-snapshot" = "false";
        };
        mountpoint = "/";
        postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot@blank$' || zfs snapshot zroot@blank";
        datasets = {
          "nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
          };
          "home" = {
            type = "zfs_fs";
            mountpoint = "/mnt/home";
            options = {
              "com.sun:auto-snapshot" = "true";
            };
          };
          "var" = {
            type = "zfs_fs";
            mountpoint = "/var";
          };
        };
      };
    };
  };
 }
--- a/hosts/hardware-common.nix
+++ b/hosts/hardware-common.nix
@ -1,15 +0,0 @@
 {lib, ...}: {
  options = {
    hardware = {
      piperMouse = {
        enable = lib.mkEnableOption "host has a piper mouse";
      };
      viaKeyboard = {
        enable = lib.mkEnableOption "host has a via keyboard";
      };
      openRGB = {
        enable = lib.mkEnableOption "host has open rgb hardware";
      };
    };
  };
 }
--- a/hosts/horizon/configuration.nix
+++ b/hosts/horizon/configuration.nix
@ -1,49 +0,0 @@
 # leyla laptop
 {
  config,
  pkgs,
  inputs,
  ...
 }: {
  imports = [
    inputs.home-manager.nixosModules.default
    inputs.sops-nix.nixosModules.sops
    ./hardware-configuration.nix
    ../../enviroments/client
  ];
  users = {
    leyla.isFullUser = true;
    ester.isFullUser = true;
    eve.isFullUser = true;
  };
  # enabled virtualisation for docker
  virtualisation.docker = {
    enable = true;
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
  };
  users.extraGroups.docker.members = ["leyla"];
  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/horizon/hardware-configuration.nix
+++ b/hosts/horizon/hardware-configuration.nix
@ -1,106 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    ../hardware-common.nix
  ];
  boot = {
    initrd = {
      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
      kernelModules = [];
    };
    kernelModules = ["kvm-intel" "sg"];
    extraModulePackages = [];
    # Bootloader.
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/866d422b-f816-4ad9-9846-791839cb9337";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/E138-65B5";
      fsType = "vfat";
    };
    "/mnt/leyla_home" = {
      device = "defiant:/home/leyla";
      fsType = "nfs";
      options = ["x-systemd.automount" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
    };
    "/mnt/eve_home" = {
      device = "defiant:/home/eve";
      fsType = "nfs";
      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
    };
    "/mnt/ester_home" = {
      device = "defiant:/home/ester";
      fsType = "nfs";
      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
    };
    "/mnt/users_home" = {
      device = "defiant:/home/users";
      fsType = "nfs";
      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
    };
    # "/mnt/legacy_leyla_home" =
    #   {
    #     device = "server.arpa:/home/leyla";
    #     fsType = "nfs";
    #     options = [ "x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc" ];
    #   };
    # "/mnt/legacy_share_home" =
    #   {
    #     device = "server.arpa:/home/share";
    #     fsType = "nfs";
    #     options = [ "x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc" ];
    #   };
    # "/mnt/legacy_docker_home" =
    #   {
    #     device = "server.arpa:/home/docker";
    #     fsType = "nfs";
    #     options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
    #   };
  };
  services.cachefilesd.enable = true;
  swapDevices = [
    {device = "/dev/disk/by-uuid/be98e952-a072-4c3a-8c12-69500b5a2fff";}
  ];
  networking = {
    useDHCP = lib.mkDefault true;
    hostName = "horizon"; # Define your hostname.
  };
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware = {
    graphics.enable = true;
    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  };
 }
--- a/hosts/twilight/hardware-configuration.nix
+++ b/hosts/twilight/hardware-configuration.nix
@ -1,125 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    ../hardware-common.nix
  ];
  boot = {
    initrd = {
      availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
      kernelModules = [];
    };
    kernelModules = ["kvm-amd" "sg"];
    extraModulePackages = [];
    # Bootloader.
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };
  services.xserver = {
    # Load nvidia driver for Xorg and Wayland
    videoDrivers = ["nvidia"];
    # Use X instead of wayland for gaming reasons
    displayManager.gdm.wayland = false;
  };
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/8be49c65-2b57-48f1-b74d-244d26061adb";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/3006-3867";
      fsType = "vfat";
      options = ["fmask=0022" "dmask=0022"];
    };
    "/mnt/leyla_home" = {
      device = "server.arpa:/home/leyla";
      fsType = "nfs";
      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
    };
    "/mnt/share_home" = {
      device = "server.arpa:/home/share";
      fsType = "nfs";
      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
    };
    "/mnt/docker_home" = {
      device = "server.arpa:/home/docker";
      fsType = "nfs";
      options = ["x-systemd.automount" "noauto" "x-systemd.idle-timeout=600"];
    };
  };
  swapDevices = [];
  networking = {
    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
    # (the default) this is the recommended approach. When using systemd-networkd it's
    # still possible to use this option, but it's recommended to use it in conjunction
    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
    useDHCP = lib.mkDefault true;
    hostName = "twilight"; # Define your hostname.
  };
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware = {
    piperMouse.enable = true;
    viaKeyboard.enable = true;
    openRGB.enable = true;
    # Enable OpenGL
    graphics.enable = true;
    # install graphics drivers
    nvidia = {
      # Modesetting is required.
      modesetting.enable = true;
      # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
      # Enable this if you have graphical corruption issues or application crashes after waking
      # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
      # of just the bare essentials.
      powerManagement.enable = false;
      # Fine-grained power management. Turns off GPU when not in use.
      # Experimental and only works on modern Nvidia GPUs (Turing or newer).
      powerManagement.finegrained = false;
      # Use the NVidia open source kernel module (not to be confused with the
      # independent third-party "nouveau" open source driver).
      # Support is limited to the Turing and later architectures. Full list of
      # supported GPUs is at:
      # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
      # Only available from driver 515.43.04+
      # Currently alpha-quality/buggy, so false is currently the recommended setting.
      open = false;
      # Enable the Nvidia settings menu,
      # accessible via `nvidia-settings`.
      nvidiaSettings = true;
      # Optionally, you may need to select the appropriate driver version for your specific GPU.
      package = config.boot.kernelPackages.nvidiaPackages.production;
    };
    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  };
 }
--- a/install.sh
+++ b/install.sh
@ -39,6 +39,7 @@ if [ -z ${flake} ]; then
 	exit 1;
 fi
 # TODO: we might not need to copy the key over here anymore?
 temp=$(mktemp -d)
 # Function to cleanup temporary directory on exit
 cleanup() {
@ -51,4 +52,4 @@ mkdir -p $temp$SOPS_AGE_KEY_DIRECTORY
 cp -r $SOPS_AGE_KEY_DIRECTORY/* $temp$SOPS_AGE_KEY_DIRECTORY
 # commit number in this is because the main branch of nixos-anywhere is broken right now
-nix run github:nix-community/nixos-anywhere/b3b6bfebba35d55fba485ceda588984dec74c54f -- --extra-files $temp --flake ".#$flake" ${user:-nixos}@$target
+nixos-anywhere --extra-files $temp --flake ".#$flake" ${user:-nixos}@$target
--- a/lint.sh
+++ b/lint.sh
@ -1,3 +0,0 @@
 #!/usr/bin/env bash
 nix run git+https://github.com/kamadorueda/alejandra -- -q .
--- a/modules/common-modules/default.nix
+++ b/modules/common-modules/default.nix
@ -0,0 +1,7 @@
 # this folder is for modules that are common between nixos, home-manager, and darwin
 {...}: {
  imports = [
    ./overlays
    ./pkgs
  ];
 }
--- a/modules/common-modules/overlays/default.nix
+++ b/modules/common-modules/overlays/default.nix
@ -0,0 +1,7 @@
 # this folder is for derivation overlays
 {inputs, ...}: {
  nixpkgs.overlays = [
    inputs.steam-fetcher.overlays.default
    inputs.nix-vscode-extensions.overlays.default
  ];
 }
--- a/modules/common-modules/pkgs/codium-extensions/ai-code.nix
+++ b/modules/common-modules/pkgs/codium-extensions/ai-code.nix
@ -0,0 +1,42 @@
 {
  buildNpmPackage,
  vscode-utils,
  pkgs,
  ...
 }: let
  version = "0.0.1";
  pname = "ai-code";
  publisher = "jan-leila";
  vsix = buildNpmPackage {
    inherit version pname;
    src = builtins.fetchGit {
      url = "ssh://git@git.jan-leila.com/jan-leila/ai-code.git";
      rev = "d48e01713021dbb30de0ebbee2cfaf99e4e9b5a6";
    };
    npmDepsHash = "sha256-kjMyEnT3dz0yH5Ydh+aGoFDocKpBYGRmfnwbEdvvgpY=";
    nativeBuildInputs = with pkgs; [
      vsce
    ];
    buildPhase = ''
      ${pkgs.vsce}/bin/vsce package -o ${pname}.zip
    '';
    installPhase = ''
      mkdir -p $out
      mv ${pname}.zip $out/${pname}.zip
    '';
  };
 in
  vscode-utils.buildVscodeExtension {
    inherit pname version;
    src = "${vsix}/${pname}.zip";
    vscodeExtUniqueId = "${publisher}.${pname}";
    vscodeExtPublisher = publisher;
    vscodeExtName = pname;
  }
--- a/modules/common-modules/pkgs/codium-extensions/default.nix
+++ b/modules/common-modules/pkgs/codium-extensions/default.nix
@ -0,0 +1,3 @@
 {pkgs, ...}: {
  ai-code = pkgs.callPackage ./ai-code.nix {};
 }
--- a/modules/common-modules/pkgs/default.nix
+++ b/modules/common-modules/pkgs/default.nix
@ -0,0 +1,43 @@
 {pkgs, ...}: {
  imports = [
    ./python
  ];
  nixpkgs.overlays = [
    (final: prev: {
      webtoon-dl =
        pkgs.callPackage
        ./webtoon-dl.nix
        {};
    })
    # TODO: this package always needs to be called with the --in-process-gpu flag for some reason, can we automate that?
    (final: prev: {
      prostudiomasters =
        pkgs.callPackage
        ./prostudiomasters.nix
        {};
    })
    (final: prev: {
      noita_entangled_worlds = pkgs.callPackage ./noita-entangled-worlds.nix {};
    })
    (final: prev: {
      gdx-liftoff = pkgs.callPackage ./gdx-liftoff.nix {};
    })
    (final: prev: {
      codium-extensions = pkgs.callPackage ./codium-extensions {};
    })
    (final: prev: {
      mapillary-uploader = pkgs.callPackage ./mapillary-uploader.nix {};
    })
    (final: prev: {
      panoramax = pkgs.python3.pkgs.callPackage ./panoramax.nix {};
    })
    (final: prev: {
      sgblur = pkgs.python3.pkgs.callPackage ./sgblur.nix {};
    })
    (final: prev: {
      # Override h3 C library to version 4.3.0
      h3 = pkgs.callPackage ./h3-c-lib.nix {};
    })
  ];
 }
--- a/modules/common-modules/pkgs/gdx-liftoff.nix
+++ b/modules/common-modules/pkgs/gdx-liftoff.nix
@ -0,0 +1,44 @@
 {
  stdenv,
  fetchurl,
  makeWrapper,
  jdk,
  lib,
  xorg,
  libGL,
  ...
 }:
 stdenv.mkDerivation rec {
  pname = "gdx-liftoff";
  version = "1.13.5.1";
  src = fetchurl {
    url = "https://github.com/libgdx/gdx-liftoff/releases/download/v${version}/gdx-liftoff-${version}.jar";
    hash = "sha256-9vCXGNGwI/P4VmcdIzTv2GPAX8bZb7nkfopaRAf6yMA=";
  };
  dontUnpack = true;
  nativeBuildInputs = [makeWrapper];
  runtimeDependencies = lib.makeLibraryPath [
    # glfw
    libGL
    xorg.libX11
    xorg.libXcursor
    xorg.libXext
    xorg.libXrandr
    xorg.libXxf86vm
  ];
  installPhase = ''
    runHook preInstall
    install -Dm644 $src $out/lib/gdx-liftoff-${version}.jar
    makeWrapper ${lib.getExe jdk} $out/bin/gdx-liftoff-${version} \
      --append-flags "-jar $out/lib/gdx-liftoff-${version}.jar"\
      ${lib.optionalString stdenv.hostPlatform.isLinux "--prefix LD_LIBRARY_PATH : ${runtimeDependencies}"}
    runHook postInstall
  '';
 }
--- a/modules/common-modules/pkgs/h3-c-lib.nix
+++ b/modules/common-modules/pkgs/h3-c-lib.nix
@ -0,0 +1,36 @@
 {
  lib,
  stdenv,
  fetchFromGitHub,
  cmake,
  doxygen,
 }:
 stdenv.mkDerivation rec {
  pname = "h3";
  version = "4.3.0";
  src = fetchFromGitHub {
    owner = "uber";
    repo = "h3";
    rev = "v${version}";
    hash = "sha256-DUILKZ1QvML6qg+WdOxir6zRsgTvk+En6yjeFf6MQBg=";
  };
  nativeBuildInputs = [
    cmake
    doxygen
  ];
  cmakeFlags = [
    "-DBUILD_SHARED_LIBS=ON"
    "-DBUILD_TESTING=OFF"
  ];
  meta = with lib; {
    homepage = "https://github.com/uber/h3";
    description = "Hexagonal hierarchical geospatial indexing system";
    license = licenses.asl20;
    maintainers = [];
    platforms = platforms.all;
  };
 }
--- a/modules/common-modules/pkgs/mapillary-uploader.nix
+++ b/modules/common-modules/pkgs/mapillary-uploader.nix
@ -0,0 +1,42 @@
 {
  lib,
  fetchurl,
  appimageTools,
 }: let
  pname = "mapillary-uploader";
  version = "4.7.2"; # Based on the application output
  src = fetchurl {
    url = "https://tools.mapillary.com/uploader/download/linux";
    name = "mapillary-uploader.AppImage";
    sha256 = "sha256-Oyx7AIdA/2mwBaq7UzXOoyq/z2SU2sViMN40sY2RCQw=";
  };
  appimageContents = appimageTools.extractType2 {
    inherit pname version src;
  };
 in
  appimageTools.wrapType2 {
    inherit pname version src;
    extraInstallCommands = ''
      # Install desktop file
      install -Dm644 ${appimageContents}/mapillary-desktop-uploader.desktop $out/share/applications/mapillary-uploader.desktop
      # Install icon
      install -Dm644 ${appimageContents}/usr/share/icons/hicolor/0x0/apps/mapillary-desktop-uploader.png $out/share/pixmaps/mapillary-uploader.png
      # Fix desktop file paths
      substituteInPlace $out/share/applications/mapillary-uploader.desktop \
        --replace 'Exec=AppRun' 'Exec=${pname}'
    '';
    meta = with lib; {
      description = "Mapillary Desktop Uploader - Upload street-level imagery to Mapillary";
      homepage = "https://www.mapillary.com/";
      license = licenses.unfree; # Mapillary's license terms
      maintainers = [];
      platforms = ["x86_64-linux"];
      sourceProvenance = with sourceTypes; [binaryNativeCode];
    };
  }
--- a/modules/common-modules/pkgs/noita-entangled-worlds.nix
+++ b/modules/common-modules/pkgs/noita-entangled-worlds.nix
@ -0,0 +1,46 @@
 # not working yet
 {
  pkgs,
  rustPlatform,
  fetchFromGitHub,
  ...
 }: let
  version = "1.5.3";
  repo = fetchFromGitHub {
    owner = "IntQuant";
    repo = "noita_entangled_worlds";
    rev = "v${version}";
    hash = "sha256-frrpD0aWTeDbZYtp15R+quUUAZf7OvHlbSLtGJJtAqk=";
  };
 in
  rustPlatform.buildRustPackage {
    name = "noita-proxy-${version}";
    src = repo + "/noita-proxy";
    prePatch = ''
      substituteInPlace Cargo.toml \
          --replace "path = \"../shared\"" "path = \"${repo + "/shared"}\""
    '';
    nativeBuildInputs = with pkgs; [
      pkg-config
      python3
      cmake
    ];
    buildInputs = with pkgs; [
      openssl
      openssl.dev
      libpulseaudio
      libjack2
      alsa-lib
      xorg.libxcb
      xorg.libxcb.dev
      libopus
    ];
    propagatedBuildInputs = with pkgs; [
      steamworks-sdk-redist
    ];
    runtimeDependencies = with pkgs; [
      steamworks-sdk-redist
    ];
    doCheck = false;
    cargoHash = "sha256-TzUS6d6PopgGf2i1yVaXaXdzNrvfSz+Gv67BAtxYmb4=";
  }
--- a/modules/common-modules/pkgs/panoramax.nix
+++ b/modules/common-modules/pkgs/panoramax.nix
@ -0,0 +1,105 @@
 {
  lib,
  fetchFromGitLab,
  buildPythonPackage,
  flit-core,
  flask,
  pillow,
  requests,
  python-dotenv,
  authlib,
  sentry-sdk,
  python-dateutil,
  dateparser,
  croniter,
  pydantic,
  flask-cors,
  flask-compress,
  flask-babel,
  flasgger,
  yoyo-migrations,
  psycopg,
  psycopg-pool,
  tzdata,
  email-validator,
  pydantic-extra-types,
  python-multipart,
  fs,
  fs-s3fs,
  geopic-tag-reader,
  pygeofilter,
  pygeoif,
  rfeed,
  geojson-pydantic,
  ...
 }: let
  pname = "geovisio";
  version = "2.10.0";
  repo = fetchFromGitLab {
    owner = "panoramax";
    repo = "server/api";
    rev = version;
    hash = "sha256-kCLcrOe7jJdIfmWWOmxQ5dOj8ZG2B7s0qFpHXs02B/E=";
  };
 in
  buildPythonPackage {
    inherit pname version;
    pyproject = true;
    src = repo;
    build-system = [
      flit-core
    ];
    dependencies = [
      flask
      pillow
      requests
      python-dotenv
      authlib
      sentry-sdk
      python-dateutil
      dateparser
      croniter
      pydantic
      flask-cors
      flask-compress
      flask-babel
      flasgger
      yoyo-migrations
      psycopg
      psycopg-pool
      tzdata
      email-validator
      pydantic-extra-types
      python-multipart
      fs
      fs-s3fs
      geopic-tag-reader
      pygeofilter
      pygeoif
      rfeed
      geojson-pydantic
      # Missing from nixpkgs - may need custom packages:
      # flask-executor
    ];
    # Skip tests as they may require network access or specific setup
    doCheck = false;
    # Disable runtime dependencies check as many dependencies are not available in nixpkgs
    dontCheckRuntimeDeps = true;
    # Disable imports check as many dependencies are not available in nixpkgs
    pythonImportsCheck = [];
    meta = with lib; {
      description = "Panoramax API client and tools for street-level imagery platform";
      homepage = "https://gitlab.com/panoramax/server/api";
      license = licenses.mit;
      maintainers = [];
      platforms = platforms.all;
    };
  }
--- a/modules/common-modules/pkgs/prostudiomasters.nix
+++ b/modules/common-modules/pkgs/prostudiomasters.nix
@ -0,0 +1,14 @@
 {
  fetchurl,
  appimageTools,
 }: let
  pname = "prostudiomasters";
  version = "2.5.6";
  src = fetchurl {
    url = "https://download.prostudiomasters.com/linux/ProStudioMasters-${version}.AppImage";
    hash = "sha256-7owOwdcucFfl+JsVj+Seau2KOz0J4P/ep7WrBSNSmbs=";
  };
 in
  appimageTools.wrapType2 {
    inherit pname version src;
  }
--- a/modules/common-modules/pkgs/python/default.nix
+++ b/modules/common-modules/pkgs/python/default.nix
@ -0,0 +1,18 @@
 {...}: {
  nixpkgs.overlays = [
    (final: prev: {
      python3 = prev.python3.override {
        packageOverrides = pythonPrev: pythonFinal: {
          h3 = pythonPrev.callPackage ./h3.nix {h3 = final.h3;};
          pygeofilter = pythonPrev.callPackage ./pygeofilter.nix {};
          pygeoif = pythonPrev.callPackage ./pygeoif.nix {};
          rfeed = pythonPrev.callPackage ./rfeed.nix {};
          pyexiv2 = pythonPrev.callPackage ./pyexiv2.nix {};
          geojson-pydantic = pythonPrev.callPackage ./geojson-pydantic.nix {};
          geopic-tag-reader = pythonPrev.callPackage ./geopic-tag-reader.nix {};
        };
      };
      python3Packages = final.python3.pkgs;
    })
  ];
 }
--- a/modules/common-modules/pkgs/python/geojson-pydantic.nix
+++ b/modules/common-modules/pkgs/python/geojson-pydantic.nix
@ -0,0 +1,48 @@
 {
  lib,
  fetchPypi,
  buildPythonPackage,
  flit-core,
  pydantic,
  geojson,
  ...
 }: let
  pname = "geojson_pydantic";
  version = "2.0.0";
 in
  buildPythonPackage {
    inherit pname version;
    pyproject = true;
    src = fetchPypi {
      inherit pname version;
      hash = "sha256-ti6LRFAt0a1Ri19zkDWoGSSnb5gMvbOk6JFu+RO+JC4=";
    };
    build-system = [
      flit-core
    ];
    dependencies = [
      pydantic
      geojson
    ];
    # Skip tests as they may require specific setup
    doCheck = false;
    # Disable runtime dependencies check
    dontCheckRuntimeDeps = true;
    # Basic imports check
    pythonImportsCheck = ["geojson_pydantic"];
    meta = with lib; {
      description = "Pydantic models for GeoJSON objects";
      homepage = "https://github.com/developmentseed/geojson-pydantic";
      license = licenses.mit;
      maintainers = [];
      platforms = platforms.all;
    };
  }
--- a/modules/common-modules/pkgs/python/geopic-tag-reader.nix
+++ b/modules/common-modules/pkgs/python/geopic-tag-reader.nix
@ -0,0 +1,70 @@
 {
  lib,
  fetchFromGitLab,
  buildPythonPackage,
  flit-core,
  typer,
  xmltodict,
  timezonefinder,
  pytz,
  types-pytz,
  types-python-dateutil,
  rtree,
  python-dateutil,
  pyexiv2,
  ...
 }: let
  pname = "geopic-tag-reader";
  version = "1.8.0";
 in
  buildPythonPackage {
    inherit pname version;
    pyproject = true;
    src = fetchFromGitLab {
      owner = "panoramax";
      repo = "server/geo-picture-tag-reader";
      rev = version;
      sha256 = "0lzf5xxxcdqmq28bpvgpkxf5jxmh2nawwa4rl4yg04bdsi16rf1j";
    };
    build-system = [
      flit-core
    ];
    dependencies = [
      typer
      xmltodict
      pyexiv2
      timezonefinder
      pytz
      types-pytz
      types-python-dateutil
      rtree
    ];
    optional-dependencies = {
      write-exif = [
        python-dateutil
        types-python-dateutil
      ];
    };
    # Skip tests as they may require network access or specific setup
    doCheck = false;
    # Disable runtime dependencies check as some dependencies might have issues
    dontCheckRuntimeDeps = true;
    # Disable imports check initially to avoid dependency issues
    pythonImportsCheck = [];
    meta = with lib; {
      description = "GeoPic Tag Reader - Python library to read and write standardized metadata from geolocated pictures EXIF metadata";
      homepage = "https://gitlab.com/panoramax/server/geo-picture-tag-reader";
      license = licenses.mit;
      maintainers = [];
      platforms = platforms.all;
    };
  }
--- a/modules/common-modules/pkgs/python/h3.nix
+++ b/modules/common-modules/pkgs/python/h3.nix
@ -0,0 +1,81 @@
 {
  autoPatchelfHook,
  buildPythonPackage,
  cmake,
  cython,
  fetchFromGitHub,
  h3,
  lib,
  ninja,
  numpy,
  pytestCheckHook,
  pytest-cov-stub,
  scikit-build-core,
  stdenv,
 }:
 buildPythonPackage rec {
  pname = "h3";
  version = "4.3.1";
  pyproject = true;
  # pypi version does not include tests
  src = fetchFromGitHub {
    owner = "uber";
    repo = "h3-py";
    tag = "v${version}";
    hash = "sha256-zt7zbBgSp2P9q7mObZeQZpW9Szip62dAYdPZ2cGTmi4=";
  };
  dontConfigure = true;
  nativeCheckInputs = [
    pytestCheckHook
    pytest-cov-stub
  ];
  build-system =
    [
      scikit-build-core
      cmake
      cython
      ninja
    ]
    ++ lib.optionals stdenv.hostPlatform.isLinux [
      # On Linux the .so files ends up referring to libh3.so instead of the full
      # Nix store path. I'm not sure why this is happening! On Darwin it works
      # fine.
      autoPatchelfHook
    ];
  # This is not needed per-se, it's only added for autoPatchelfHook to work
  # correctly. See the note above ^^
  buildInputs = lib.optionals stdenv.hostPlatform.isLinux [h3];
  dependencies = [numpy];
  # The following prePatch replaces the h3lib compilation with using the h3 packaged in nixpkgs.
  #
  # - Remove the h3lib submodule.
  # - Patch CMakeLists to avoid building h3lib, and use h3 instead.
  prePatch = let
    cmakeCommands = ''
      include_directories(${lib.getDev h3}/include/h3)
      link_directories(${h3}/lib)
    '';
  in ''
    rm -r src/h3lib
    substituteInPlace CMakeLists.txt \
      --replace-fail "add_subdirectory(src/h3lib)" "${cmakeCommands}" \
      --replace-fail "\''${CMAKE_CURRENT_BINARY_DIR}/src/h3lib/src/h3lib/include/h3api.h" "${lib.getDev h3}/include/h3/h3api.h"
  '';
  # Extra check to make sure we can import it from Python
  pythonImportsCheck = ["h3"];
  meta = {
    homepage = "https://github.com/uber/h3-py";
    description = "Hierarchical hexagonal geospatial indexing system";
    license = lib.licenses.asl20;
    maintainers = [lib.maintainers.kalbasit];
  };
 }
--- a/modules/common-modules/pkgs/python/pyexiv2.nix
+++ b/modules/common-modules/pkgs/python/pyexiv2.nix
@ -0,0 +1,49 @@
 {
  lib,
  fetchFromGitHub,
  buildPythonPackage,
  exiv2,
  boost,
  pybind11,
  setuptools,
  ...
 }: let
  pname = "pyexiv2";
  version = "2.15.3";
 in
  buildPythonPackage {
    inherit pname version;
    pyproject = true;
    build-system = [setuptools];
    src = fetchFromGitHub {
      owner = "LeoHsiao1";
      repo = "pyexiv2";
      rev = "v${version}";
      sha256 = "sha256-83bFMaoXncvhRJNcCgkkC7B29wR5pjuLO/EdkQdqxxo=";
    };
    buildInputs = [
      exiv2
      boost
    ];
    nativeBuildInputs = [
      pybind11
    ];
    # Skip tests as they may require specific test images
    doCheck = false;
    # Disable runtime dependencies check initially
    dontCheckRuntimeDeps = true;
    meta = with lib; {
      description = "Python binding to the library exiv2";
      homepage = "https://github.com/LeoHsiao1/pyexiv2";
      license = licenses.gpl3Plus;
      maintainers = [];
      platforms = platforms.linux;
    };
  }
--- a/modules/common-modules/pkgs/python/pygeofilter.nix
+++ b/modules/common-modules/pkgs/python/pygeofilter.nix
@ -0,0 +1,52 @@
 {
  lib,
  fetchPypi,
  buildPythonPackage,
  setuptools,
  wheel,
  lark,
  python-dateutil,
  shapely,
  ...
 }: let
  pname = "pygeofilter";
  version = "0.3.1";
 in
  buildPythonPackage {
    inherit pname version;
    pyproject = true;
    src = fetchPypi {
      inherit pname version;
      hash = "sha256-+SvAYiCZ+H/os23nq92GBZ1hWontYIInNwgiI6V44VA=";
    };
    build-system = [
      setuptools
      wheel
    ];
    dependencies = [
      lark
      python-dateutil
      shapely
    ];
    # Skip tests as they may require specific setup
    doCheck = false;
    # Disable runtime dependencies check
    dontCheckRuntimeDeps = true;
    # Basic imports check
    pythonImportsCheck = ["pygeofilter"];
    meta = with lib; {
      description = "A pure Python parser implementation of OGC filtering standards";
      homepage = "https://github.com/geopython/pygeofilter";
      license = licenses.mit;
      maintainers = [];
      platforms = platforms.all;
    };
  }
--- a/modules/common-modules/pkgs/python/pygeoif.nix
+++ b/modules/common-modules/pkgs/python/pygeoif.nix
@ -0,0 +1,48 @@
 {
  lib,
  fetchPypi,
  buildPythonPackage,
  setuptools,
  wheel,
  typing-extensions,
  ...
 }: let
  pname = "pygeoif";
  version = "1.5.1";
 in
  buildPythonPackage {
    inherit pname version;
    pyproject = true;
    src = fetchPypi {
      inherit pname version;
      hash = "sha256-8nprah7Lh66swrUbzFnKeb5w7RKgEE3oYBR4shPdXYE=";
    };
    build-system = [
      setuptools
      wheel
    ];
    dependencies = [
      typing-extensions
    ];
    # Skip tests as they may require specific setup
    doCheck = false;
    # Disable runtime dependencies check
    dontCheckRuntimeDeps = true;
    # Basic imports check
    pythonImportsCheck = ["pygeoif"];
    meta = with lib; {
      description = "A basic implementation of the __geo_interface__";
      homepage = "https://github.com/cleder/pygeoif";
      license = licenses.lgpl21Plus;
      maintainers = [];
      platforms = platforms.all;
    };
  }
--- a/modules/common-modules/pkgs/python/rfeed.nix
+++ b/modules/common-modules/pkgs/python/rfeed.nix
@ -0,0 +1,40 @@
 {
  lib,
  fetchPypi,
  buildPythonPackage,
  setuptools,
  python-dateutil,
 }:
 buildPythonPackage rec {
  pname = "rfeed";
  version = "1.1.1";
  pyproject = true;
  src = fetchPypi {
    inherit pname version;
    hash = "sha256-qpUG8oZrdPWjItOUoUpjwZpoJcLZR1X/GdRt0eJDSBk=";
  };
  build-system = [
    setuptools
  ];
  dependencies = [
    python-dateutil
  ];
  # No tests available in the package
  doCheck = false;
  pythonImportsCheck = [
    "rfeed"
  ];
  meta = with lib; {
    description = "RSS feed generation library for Python";
    homepage = "https://pypi.org/project/rfeed/";
    license = licenses.mit;
    maintainers = [];
    platforms = platforms.all;
  };
 }
--- a/modules/common-modules/pkgs/sgblur.nix
+++ b/modules/common-modules/pkgs/sgblur.nix
@ -0,0 +1,65 @@
 {
  lib,
  python3Packages,
  fetchFromGitHub,
  pkg-config,
  libjpeg_turbo,
  exiftran ? libjpeg_turbo,
 }:
 python3Packages.buildPythonPackage {
  pname = "sgblur";
  version = "1.0.0";
  pyproject = true;
  src = fetchFromGitHub {
    owner = "cquest";
    repo = "sgblur";
    rev = "master";
    hash = "sha256-17wpif2sa021kaa1pbkry4l1967la1qd7knhngvxblrvd7jqqz4y=";
  };
  nativeBuildInputs = [
    pkg-config
  ];
  buildInputs = [
    libjpeg_turbo
    exiftran
  ];
  build-system = with python3Packages; [
    setuptools
    wheel
  ];
  dependencies = with python3Packages; [
    # Core dependencies from pyproject.toml
    ultralytics
    # pyturbojpeg  # May need special handling
    pillow
    # uuid  # Built into Python
    # exifread
    python-multipart
    fastapi
    uvicorn
    requests
    # piexif
    pydantic-settings
    pydantic
  ];
  # Skip tests as they may require GPU or specific setup
  doCheck = false;
  # The package may have import issues due to system dependencies
  pythonImportsCheck = [];
  meta = with lib; {
    description = "Panoramax Speedy Gonzales Blurring Algorithm - AI-powered face and license plate blurring API";
    homepage = "https://github.com/cquest/sgblur";
    license = licenses.mit;
    maintainers = [];
    platforms = platforms.unix;
  };
 }
--- a/modules/common-modules/pkgs/webtoon-dl.nix
+++ b/modules/common-modules/pkgs/webtoon-dl.nix
@ -0,0 +1,18 @@
 {
  buildGoModule,
  fetchFromGitHub,
  ...
 }:
 buildGoModule rec {
  pname = "webtoon-dl";
  version = "0.0.10";
  src = fetchFromGitHub {
    owner = "robinovitch61";
    repo = "webtoon-dl";
    rev = "v${version}";
    hash = "sha256-geVb3LFPZxPQYARZnaqOr5sgaN6mqkEX5ZiLvg8mF5k=";
  };
  vendorHash = "sha256-NTqUygJ6b6kTnLUnJqxCo/URzaRouPLACEPi2Ob1s9w=";
 }
--- a/modules/darwin-modules/default.nix
+++ b/modules/darwin-modules/default.nix
@ -0,0 +1,8 @@
 # this folder container modules that are for darwin only
 {...}: {
  imports = [
    ./home-manager
    ./users.nix
    ./system.nix
  ];
 }
--- a/modules/darwin-modules/home-manager/default.nix
+++ b/modules/darwin-modules/home-manager/default.nix
@ -0,0 +1,2 @@
 # modules in this folder are to adapt home-manager modules configs to darwin-module configs
 {...}: {}
--- a/modules/darwin-modules/system.nix
+++ b/modules/darwin-modules/system.nix
@ -0,0 +1,27 @@
 {self, ...}: {
  system.configurationRevision = self.rev or self.dirtyRev or null;
  nix = {
    gc = {
      automatic = true;
      interval = [
        {
          Hour = 4;
          Minute = 15;
          Weekday = 7;
        }
      ];
      options = "--delete-older-than 7d";
    };
    optimise = {
      automatic = true;
      interval = [
        {
          Hour = 4;
          Minute = 15;
          Weekday = 7;
        }
      ];
    };
  };
 }
--- a/modules/darwin-modules/users.nix
+++ b/modules/darwin-modules/users.nix
@ -0,0 +1,16 @@
 {
  lib,
  config,
  ...
 }: let
  host = config.host;
 in {
  users = {
    users = {
      leyla = {
        name = lib.mkForce host.users.leyla.name;
        home = lib.mkForce "/home/${host.users.leyla.name}";
      };
    };
  };
 }
--- a/modules/home-manager-modules/default.nix
+++ b/modules/home-manager-modules/default.nix
@ -0,0 +1,12 @@
 # this folder container modules that are for home manager only
 {...}: {
  imports = [
    ./sops.nix
    ./user.nix
    ./flipperzero.nix
    ./i18n.nix
    ./openssh.nix
    ./gnome.nix
    ./programs
  ];
 }
--- a/modules/home-manager-modules/flipperzero.nix
+++ b/modules/home-manager-modules/flipperzero.nix
@ -0,0 +1,3 @@
 {lib, ...}: {
  options.hardware.flipperzero.enable = lib.mkEnableOption "enable flipperzero hardware";
 }
--- a/modules/home-manager-modules/gnome.nix
+++ b/modules/home-manager-modules/gnome.nix
@ -0,0 +1,106 @@
 {
  lib,
  config,
  ...
 }: {
  options.gnome = {
    extraWindowControls = lib.mkEnableOption "Should we add back in the minimize and maximize window controls?";
    clockFormat = lib.mkOption {
      type = lib.types.enum [
        "12h"
        "24h"
      ];
      default = "24h";
    };
    colorScheme = lib.mkOption {
      type = lib.types.enum [
        "default"
        "prefer-dark"
        "prefer-light"
      ];
      default = "default";
    };
    accentColor = lib.mkOption {
      type = lib.types.enum [
        "blue"
        "teal"
        "green"
        "yellow"
        "orange"
        "red"
        "pink"
        "purple"
        "slate"
      ];
      default = "blue";
    };
    extensions = lib.mkOption {
      type = lib.types.listOf lib.types.package;
      default = [];
      description = "The set of extensions to install and enable in the user environment.";
    };
    hotkeys = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
        options = {
          key = lib.mkOption {
            type = lib.types.strMatching "[a-zA-Z0-9-]+";
            default = builtins.replaceStrings [" " "/" "_"] ["-" "-" "-"] name;
          };
          name = lib.mkOption {
            type = lib.types.str;
            default = name;
          };
          binding = lib.mkOption {
            type = lib.types.str;
          };
          command = lib.mkOption {
            type = lib.types.str;
          };
        };
      }));
      default = {};
    };
  };
  config = {
    home.packages = config.gnome.extensions;
    dconf = {
      settings = lib.mkMerge [
        {
          "org/gnome/shell" = {
            disable-user-extensions = false; # enables user extensions
            enabled-extensions = builtins.map (extension: extension.extensionUuid) config.gnome.extensions;
          };
          "org/gnome/desktop/wm/preferences".button-layout = lib.mkIf config.gnome.extraWindowControls ":minimize,maximize,close";
          "org/gnome/desktop/interface".color-scheme = config.gnome.colorScheme;
          "org/gnome/desktop/interface".accent-color = config.gnome.accentColor;
          "org/gnome/desktop/interface".clock-format = config.gnome.clockFormat;
        }
        (
          lib.mkMerge (
            builtins.map (value: let
              entry = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/${value.key}";
            in {
              ${entry} = {
                binding = value.binding;
                command = value.command;
                name = value.name;
              };
              "org/gnome/settings-daemon/plugins/media-keys" = {
                custom-keybindings = [
                  "/${entry}/"
                ];
              };
            })
            (
              lib.attrsets.mapAttrsToList (_: value: value) config.gnome.hotkeys
            )
          )
        )
      ];
    };
  };
 }
--- a/modules/home-manager-modules/i18n.nix
+++ b/modules/home-manager-modules/i18n.nix
@ -0,0 +1,42 @@
 {
  lib,
  config,
  ...
 }: {
  options = {
    i18n = {
      defaultLocale = lib.mkOption {
        type = lib.types.str;
        default = "en_US.UTF-8";
        example = "nl_NL.UTF-8";
        description = ''
          The default locale.  It determines the language for program
          messages, the format for dates and times, sort order, and so on.
          It also determines the character set, such as UTF-8.
        '';
      };
      extraLocaleSettings = lib.mkOption {
        type = lib.types.attrsOf lib.types.str;
        default = {};
        example = {
          LC_MESSAGES = "en_US.UTF-8";
          LC_TIME = "de_DE.UTF-8";
        };
        description = ''
          A set of additional system-wide locale settings other than
          `LANG` which can be configured with
          {option}`i18n.defaultLocale`.
        '';
      };
    };
  };
  config = {
    home.sessionVariables =
      {
        LANG = config.i18n.defaultLocale;
      }
      // config.i18n.extraLocaleSettings;
  };
 }
--- a/modules/home-manager-modules/openssh.nix
+++ b/modules/home-manager-modules/openssh.nix
@ -0,0 +1,107 @@
 {
  pkgs,
  config,
  osConfig,
  lib,
  ...
 }: {
  options.programs.openssh = {
    enable = lib.mkEnableOption "should we enable openssh";
    authorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
    };
    hostKeys = lib.mkOption {
      type = lib.types.listOf lib.types.attrs;
      default = [];
      example = [
        {
          type = "rsa";
          bits = 4096;
          path = "${config.home.username}_${osConfig.networking.hostName}_rsa";
          rounds = 100;
          openSSHFormat = true;
        }
        {
          type = "ed25519";
          path = "${config.home.username}_${osConfig.networking.hostName}_ed25519";
          rounds = 100;
          comment = "key comment";
        }
      ];
      description = ''
        NixOS can automatically generate SSH host keys.  This option
        specifies the path, type and size of each key.  See
        {manpage}`ssh-keygen(1)` for supported types
        and sizes. Paths are relative to home directory
      '';
    };
  };
  config = lib.mkIf config.programs.openssh.enable (
    lib.mkMerge [
      (
        lib.mkIf ((builtins.length config.programs.openssh.hostKeys) != 0) {
          services.ssh-agent.enable = true;
          programs.ssh = {
            enable = true;
            enableDefaultConfig = false;
            matchBlocks = {
              "*" = {
                compression = true;
                addKeysToAgent = "confirm";
              };
            };
            extraConfig = lib.strings.concatLines (
              builtins.map (hostKey: "IdentityFile ~/.ssh/${hostKey.path}") config.programs.openssh.hostKeys
            );
          };
          systemd.user.services = builtins.listToAttrs (
            builtins.map (hostKey:
              lib.attrsets.nameValuePair "ssh-gen-keys-${hostKey.path}" {
                Install = {
                  WantedBy = ["default.target"];
                };
                Service = let
                  path = "${config.home.homeDirectory}/.ssh/${hostKey.path}";
                in {
                  Restart = "always";
                  Type = "simple";
                  ExecStart = "${
                    pkgs.writeShellScript "ssh-gen-keys" ''
                      if ! [ -s "${path}" ]; then
                          if ! [ -h "${path}" ]; then
                              rm -f "${path}"
                          fi
                          mkdir -p "$(dirname '${path}')"
                          chmod 0755 "$(dirname '${path}')"
                          ${pkgs.openssh}/bin/ssh-keygen \
                            -t "${hostKey.type}" \
                            ${lib.optionalString (hostKey ? bits) "-b ${toString hostKey.bits}"} \
                            ${lib.optionalString (hostKey ? rounds) "-a ${toString hostKey.rounds}"} \
                            ${lib.optionalString (hostKey ? comment) "-C '${hostKey.comment}'"} \
                            ${lib.optionalString (hostKey ? openSSHFormat && hostKey.openSSHFormat) "-o"} \
                            -f "${path}" \
                            -N ""
                          chown ${config.home.username} ${path}*
                          chgrp ${config.home.username} ${path}*
                      fi
                    ''
                  }";
                };
              })
            config.programs.openssh.hostKeys
          );
        }
      )
      (lib.mkIf osConfig.host.impermanence.enable {
        home.persistence."/persist${config.home.homeDirectory}" = {
          files = lib.lists.flatten (
            builtins.map (hostKey: [".ssh/${hostKey.path}" ".ssh/${hostKey.path}.pub"]) config.programs.openssh.hostKeys
          );
        };
      })
    ]
  );
 }
--- a/modules/home-manager-modules/programs/anki.nix
+++ b/modules/home-manager-modules/programs/anki.nix
@ -0,0 +1,15 @@
 {
  lib,
  config,
  osConfig,
  ...
 }: {
  config = lib.mkIf (config.programs.anki.enable && osConfig.host.impermanence.enable) {
    home.persistence."/persist${config.home.homeDirectory}" = {
      directories = [
        "${config.xdg.dataHome}/Anki2/"
      ];
      allowOther = true;
    };
  };
 }
--- a/modules/home-manager-modules/programs/bitwarden.nix
+++ b/modules/home-manager-modules/programs/bitwarden.nix
@ -0,0 +1,29 @@
 {
  lib,
  pkgs,
  config,
  osConfig,
  ...
 }: {
  options.programs.bitwarden = {
    enable = lib.mkEnableOption "enable bitwarden";
  };
  config = lib.mkIf config.programs.bitwarden.enable (lib.mkMerge [
    {
      home.packages = with pkgs; [
        bitwarden
      ];
    }
    (
      lib.mkIf osConfig.host.impermanence.enable {
        home.persistence."/persist${config.home.homeDirectory}" = {
          directories = [
            "${config.xdg.configHome}/Bitwarden"
          ];
          allowOther = true;
        };
      }
    )
  ]);
 }
--- a/modules/home-manager-modules/programs/bruno.nix
+++ b/modules/home-manager-modules/programs/bruno.nix
@ -0,0 +1,29 @@
 {
  lib,
  pkgs,
  config,
  osConfig,
  ...
 }: {
  options.programs.bruno = {
    enable = lib.mkEnableOption "enable bruno";
  };
  config = lib.mkIf config.programs.bruno.enable (lib.mkMerge [
    {
      home.packages = with pkgs; [
        bruno
      ];
    }
    (
      lib.mkIf osConfig.host.impermanence.enable {
        home.persistence."/persist${config.home.homeDirectory}" = {
          directories = [
            "${config.xdg.configHome}/bruno/"
          ];
          allowOther = true;
        };
      }
    )
  ]);
 }
--- a/modules/home-manager-modules/programs/calibre.nix
+++ b/modules/home-manager-modules/programs/calibre.nix
@ -0,0 +1,29 @@
 {
  lib,
  pkgs,
  config,
  osConfig,
  ...
 }: {
  options.programs.calibre = {
    enable = lib.mkEnableOption "enable calibre";
  };
  config = lib.mkIf config.programs.calibre.enable (lib.mkMerge [
    {
      home.packages = with pkgs; [
        calibre
      ];
    }
    (
      lib.mkIf osConfig.host.impermanence.enable {
        home.persistence."/persist${config.home.homeDirectory}" = {
          directories = [
            "${config.xdg.configHome}/calibre"
          ];
          allowOther = true;
        };
      }
    )
  ]);
 }
--- a/modules/home-manager-modules/programs/davinci-resolve.nix
+++ b/modules/home-manager-modules/programs/davinci-resolve.nix
@ -0,0 +1,30 @@
 {
  lib,
  pkgs,
  config,
  osConfig,
  ...
 }: {
  options.programs.davinci-resolve = {
    enable = lib.mkEnableOption "enable davinci-resolve";
  };
  config = lib.mkIf config.programs.davinci-resolve.enable (lib.mkMerge [
    {
      home.packages = with pkgs; [
        davinci-resolve
      ];
    }
    (
      lib.mkIf osConfig.host.impermanence.enable {
        home.persistence."/persist${config.home.homeDirectory}" = {
          directories = [
            "${config.xdg.dataHome}/DaVinciResolve"
            "${config.xdg.configHome}/blackmagic"
          ];
          allowOther = true;
        };
      }
    )
  ]);
 }
--- a/modules/home-manager-modules/programs/dbeaver.nix
+++ b/modules/home-manager-modules/programs/dbeaver.nix
@ -0,0 +1,29 @@
 {
  lib,
  pkgs,
  config,
  osConfig,
  ...
 }: {
  options.programs.dbeaver-bin = {
    enable = lib.mkEnableOption "enable dbeaver";
  };
  config = lib.mkIf config.programs.dbeaver-bin.enable (lib.mkMerge [
    {
      home.packages = with pkgs; [
        dbeaver-bin
      ];
    }
    (
      lib.mkIf osConfig.host.impermanence.enable {
        home.persistence."/persist${config.home.homeDirectory}" = {
          directories = [
            "${config.xdg.dataHome}/DBeaverData/"
          ];
          allowOther = true;
        };
      }
    )
  ]);
 }
--- a/modules/home-manager-modules/programs/default.nix
+++ b/modules/home-manager-modules/programs/default.nix
@ -0,0 +1,42 @@
 {...}: {
  imports = [
    ./firefox.nix
    ./signal.nix
    ./bitwarden.nix
    ./makemkv.nix
    ./obs.nix
    ./anki.nix
    ./piper.nix
    ./qbittorrent.nix
    ./discord.nix
    ./obsidian.nix
    ./prostudiomasters.nix
    ./idea.nix
    ./krita.nix
    ./protonvpn.nix
    ./calibre.nix
    ./bruno.nix
    ./dbeaver.nix
    ./steam.nix
    ./vscode
    ./ungoogled-chromium.nix
    ./libreoffice.nix
    ./mapillary-uploader.nix
    ./inkscape.nix
    ./gimp.nix
    ./proxmark3.nix
    ./freecad.nix
    ./onionshare.nix
    ./mfoc.nix
    ./pdfarranger.nix
    ./picard.nix
    ./qflipper.nix
    ./openvpn.nix
    ./noisetorch.nix
    ./openrgb.nix
    ./via.nix
    ./davinci-resolve.nix
    ./gdx-liftoff.nix
    ./tor-browser.nix
  ];
 }
--- a/modules/home-manager-modules/programs/discord.nix
+++ b/modules/home-manager-modules/programs/discord.nix
@ -0,0 +1,29 @@
 {
  lib,
  pkgs,
  config,
  osConfig,
  ...
 }: {
  options.programs.discord = {
    enable = lib.mkEnableOption "enable discord";
  };
  config = lib.mkIf config.programs.discord.enable (lib.mkMerge [
    {
      home.packages = with pkgs; [
        discord
      ];
    }
    (
      lib.mkIf osConfig.host.impermanence.enable {
        home.persistence."/persist${config.home.homeDirectory}" = {
          directories = [
            "${config.xdg.configHome}/discord/"
          ];
          allowOther = true;
        };
      }
    )
  ]);
 }
--- a/Show more
+++ b/Show more
		`@ -1,3 +0,0 @@`
			`#!/usr/bin/env bash`

			`nix run git+https://github.com/kamadorueda/alejandra -- -q .`
		`@ -0,0 +1,2 @@`
							`# modules in this folder are to adapt home-manager modules configs to darwin-module configs`
							`{...}: {}`