Merge remote-tracking branch 'origin'

Reviewed-on: #8

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -1 +1,5 @@
-result
+result
+.direnv
+.vscode/*
+!.vscode/settings.json
+nixos.qcow2

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "secrets"]
+	path = secrets
+	url = git@git.jan-leila.com:jan-leila/nix-config-secrets.git

.hooks/post-commit

@@ -1,3 +1,14 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash ../shell.nix
 
-git stash pop -q
+echo "restoring stashed changes"
+
+# Find the most recent pre-commit stash and restore it
+recent_stash=$(git stash list | grep "pre-commit-stash-" | head -n 1 | cut -d: -f1)
+
+if [ -n "$recent_stash" ]; then
+    echo "Found recent pre-commit stash: $recent_stash"
+    git stash pop -q "$recent_stash"
+else
+    echo "No pre-commit stash found to restore"
+fi

.hooks/post-merge

@@ -0,0 +1,32 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash ../shell.nix
+
+# Get current branch name
+current_branch=$(git branch --show-current)
+
+# Only perform actions if we're on main branch and a merge just completed
+if [ "$current_branch" = "main" ]; then
+    echo "Post-merge on main branch - running nix flake check"
+    
+    # Run nix flake check after merge into main
+    nix flake check
+    
+    if [ ! $? -eq 0 ]; then
+        echo "Warning: nix flake check failed after merge into main"
+        echo "Please fix the issues as soon as possible"
+    else
+        echo "nix flake check passed after merge"
+    fi
+    
+    # Check if there are any pre-commit stashes to restore
+    recent_stash=$(git stash list | grep "pre-commit-stash-" | head -n 1 | cut -d: -f1)
+    
+    if [ -n "$recent_stash" ]; then
+        echo "Post-merge: restoring pre-commit stash on main branch"
+        git stash pop -q "$recent_stash"
+    else
+        echo "Post-merge: no pre-commit stash to restore on main branch"
+    fi
+else
+    echo "Post-merge: no action needed on branch '$current_branch'"
+fi

.hooks/pre-commit

@@ -1,11 +1,32 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash ../shell.nix
 
-git stash -q --keep-index
+# Get current branch name
+current_branch=$(git branch --show-current)
 
-./lint.sh
+echo "stashing all uncommitted changes with named stash (excluding hooks)"
+git stash push -q --keep-index -m "pre-commit-stash-$(date +%s)" -- ':!.hooks/'
+
+# Only run nix flake check if we're on main branch
+if [ "$current_branch" = "main" ]; then
+    echo "On main branch - checking flakes all compile"
+    nix flake check
+
+    if [ ! $? -eq 0 ]; then
+        echo "Error: nix flake check failed on main branch"
+        exit 1
+    fi
+    echo "nix flake check passed"
+else
+    echo "Not on main branch - skipping nix flake check"
+fi
+
+echo "running linter"
+alejandra -q .
 
 RESULT=$?
 
+echo "adding lint changes to commit"
 git add -u
 
-exit $RESULT
+exit $RESULT

.hooks/pre-merge-commit

@@ -0,0 +1,37 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash ../shell.nix
+
+# Get the target branch (the branch being merged into)
+target_branch=""
+
+# Check if we're in the middle of a merge
+if [ -f .git/MERGE_HEAD ]; then
+    # We're in a merge, check if the current branch is main
+    current_branch=$(git branch --show-current)
+    if [ "$current_branch" = "main" ]; then
+        target_branch="main"
+    fi
+fi
+
+# If we're merging into main, run nix flake check
+if [ "$target_branch" = "main" ]; then
+    echo "Merging into main branch - running nix flake check..."
+    
+    echo "stashing all uncommitted changes with named stash (excluding hooks)"
+    git stash push -q --keep-index -m "pre-merge-stash-$(date +%s)" -- ':!.hooks/'
+
+    echo "checking flakes all compile"
+    nix flake check
+
+    if [ ! $? -eq 0 ]; then
+        echo "Error: nix flake check failed. Merge aborted."
+        echo "Please fix the issues and try merging again."
+        exit 1
+    fi
+    
+    echo "nix flake check passed. Merge can proceed."
+else
+    echo "Not merging into main branch, skipping nix flake check."
+fi
+
+exit 0

.sops.yaml

@@ -9,3 +9,11 @@ creation_rules:
     key_groups:
       - age:
         - *leyla
+  - path_regex: secrets/vpn-keys.yaml$
+    key_groups:
+      - age:
+        - *leyla
+  - path_regex: secrets/application-keys.yaml$
+    key_groups:
+      - age:
+        - *leyla

.vscode/settings.json

@@ -0,0 +1,21 @@
+{
+    "cSpell.words": [
+        "attrsets",
+        "bitwarden",
+        "forgejo",
+        "gids",
+        "headscale",
+        "hesperium",
+        "jellyfin",
+        "macvlan",
+        "nextcloud",
+        "nixos",
+        "nixpkgs",
+        "pihole",
+        "pkgs",
+        "rpool",
+        "searx",
+        "ublock",
+        "uids"
+    ]
+}

README.md

@@ -1,18 +1,27 @@
+# nix-config
+
+https://git.jan-leila.com/jan-leila/nix-config
+
+nix multi user, multi system, configuration with `sops` secret management, `home-manager`, and `nixos-anywhere` setup via `disko` with `zfs` + `impermanence`
+
 # Hosts
 
 ## Host Map
-|   Hostname  |      Device Description    |   Primary User   |    Role   |
+|   Hostname  |      Device Description    |   Primary User   |    Role   | Provisioned | Using Nix |
-| :---------: | :------------------------: | :--------------: | :-------: |
+| :---------: | :------------------------: | :--------------: | :-------: | :---------: | :-------: |
-|  `twilight` |      Desktop Computer      |      Leyla       |  Desktop  |
+|  `twilight` |      Desktop Computer      |      Leyla       |  Desktop  |     ✅      |    ✅     |
-|  `horizon`  |  13 inch Framework Laptop  |      Leyla       |  Laptop   |
+|  `horizon`  |  13 inch Framework Laptop  |      Leyla       |  Laptop   |     ✅      |    ✅     |
-|  `defiant`  |         NAS Server         |      Leyla       |  Service  |
+|  `defiant`  |         NAS Server         |      Leyla       |   Server  |     ✅      |    ✅     |
-|  `emergent` |      Desktop Computer      |       Eve        |  Laptop   |
+| `hesperium` |             Mac            |      ?????       |    Mac    |     ❌      |    ❌     |
-| `threshold` |           Laptop           |       Eve        |  Desktop  |
+|  `emergent` |      Desktop Computer      |       Eve        |  Desktop  |     ✅      |    ✅     |
+| `threshold` |           Laptop           |       Eve        |  Laptop   |     ❌      |    ❌     |
+|  `wolfram`  |          Steam Deck        |      House       |  Handheld |     ✅      |    ❌     |
+|   `ceder`   |          A5 Tablet         |      Leyla       |   Tablet  |     ✅      |    ❌     |
+|   `skate`   |          A6 Tablet         |      Leyla       |   Tablet  |     ❌      |    ❌     |
+|   `shale`   |          A6 Tablet         |       Eve        |   Tablet  |     ✅      |    ❌     |
+|   `coven`   |           Pixel 8          |      Leyla       |  Android  |     ✅      |    ❌     |
 
 # Tooling
-## Lint
-`./lint.sh`
-
 ## Rebuilding
 `./rebuild.sh`
 
@@ -22,45 +31,100 @@
 ## New host setup
 `./install.sh --target 192.168.1.130 --flake hostname`
 
+## Updating Secrets
+`sops secrets/secrets_file_here.yaml`
+
+## Inspecting a configuration
+`nix-inspect -p .`
+
 # Notes:
 
 ## Research topics
-- Look into this for rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/`
+- Look into this for auto rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/`
-- Look into this for openssh known configurations https://search.nixos.org/options?channel=unstable&from=0&size=15&sort=alpha_asc&type=packages&query=services.openssh
+- Look into this for npins https://jade.fyi/blog/pinning-nixos-with-npins/
-- Look into this for flake templates https://nix.dev/manual/nix/2.22/command-ref/new-cli/nix3-flake-init
+- https://nixos-and-flakes.thiscute.world/
-- Look into this for headscale https://carlosvaz.com/posts/setting-up-headscale-on-nixos/
+- proton mail now has an smtp server we could use that for our zfs and SMART test emails
-- Look into this for home assistant configuration https://nixos.wiki/wiki/Home_Assistant https://myme.no/posts/2021-11-25-nixos-home-assistant.html
+- VR https://lvra.gitlab.io/docs/distros/nixos/
-
-## Configuration
-set up git configuration for local development: `git config --local include.path .gitconfig`
-
-to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.yaml` (NOTE: this depends on the SOPS_AGE_KEY_DIRECTORY environment variable being set)
 
 # Tasks:
 
+## Documentation
+- [ ] project layout
+- [ ] users file structure
+- [ ] reverse proxy design
+	- public service compatibility
+	- vpn based services compatibility
+- [ ] the choice of impermanence
+- [ ] storage module design
+	- base impermanence compatibility and structure reason
+		-	what does local vs persist mean in pool names (do we need a second layer? ephemeral, local, and persist? local exist only on this machine and is not backed up, persist is backed up to other machines (I think we need to redo the sops and torrent/media folders?))
+	- plans to possibly support btrfs in the future
+	- plans for home manager datasets
+	- plans for auto systemd service datasets
+- [ ] plans to migrate to some kind of acl structure for user management
+- [ ] plans to migrate from flakes to npins
+
+## Chores:
+- [ ] test out crab hole service
+
 ## Tech Debt
-- vscode extensions should be in own flake (make sure to add the nixpkgs.overlays in it too)
+- [ ] monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/)
-- join config for systemd.tmpfiles.rules and service directory bindings
+- [ ] migrate away from flakes and move to npins
-- monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml`
+- [ ] `host.users` should be redone so that we just extend the base `users.users` object. Right now we cant quite do this because we have weird circular dependencies with disko/impermanence (not sure which one) and home manger enabling/disabling users per devices
-- move applications in server environment into their own flakes
+
-- pihole config files
+## Broken things
-## New Features
+- [ ] figure out steam vr things?
-- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
+- [ ] whisper was having issues
-- fix pre commit hook
+
-- Flake templates
+## Data Integrity
-- home assistant virtual machine
+- [ ] zfs email after scrubbing # TODO: test this
-- searxng docker
+- [ ] SMART test with email results
-- nextcloud ???
+- [ ] zfs encryption FIDO2 2fa (look into shavee)
-- samba mounts
+- [ ] rotate sops encryption keys periodically (and somehow sync between devices?)
-- firefox declarative???
+- [ ] Secure Boot - https://github.com/nix-community/lanzaboote
-- figure out steam vr things?
+- [ ] auto turn off on power loss - nut
-- Open GL?
+- [ ] every service needs to have its own data pool
-- util functions
+- [ ] secondary server with data sync. Maybe a Pi with a usb hdd enclosure and use rtcwake to only turn on once a week to sync data over tailscale with connection initiated from pi's side. We could probably put this at LZ. Hoping for it to draw only like $1 of power a month. Initial sync should probably be done here before we move it over because that will take a while. Data should be encrypted so that devices doesn't have access to it. Project will prob cost like $1800
-- openssh known hosts
+
-- rotate sops encryption keys periodically (and somehow sync between devices?)
+## Data Access
-- zfs email after scrubbing
+- [ ] nfs export should be backed by the same values for server and client
-- headscale server (just needs to be tested)
+- [ ] samba mounts
-- mastodon server
+- [ ] offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
-- tail scale clients
+- [ ] figure out why syncthing and jellyfins permissions don't propagate downwards
-- wake on LAN
+- [ ] make radarr, sonarr, and bazarr accessible over vpn with fully qualified names via reverse proxy
-- ISO target that contains authorized keys for nixos-anywhere
+- [ ] move searx, home-assistant, actual, vikunja, jellyfin, paperless, and immich to only be accessible via vpn
+- [ ] FreeIPA/SSSD/LDAP/Kerberos to manage uid and gid's
+
+## Services
+- [ ] ntfy service for unified push
+- [ ] signal socket server
+- [ ] vikunja service for project management
+- [ ] Penpot services (need to make this custom)
+- [ ] minecraft server with old world file
+- [ ] storj server
+- [ ] Create Tor guard/relay server
+- [ ] screeps server
+- [ ] mastodon instance
+
+## DevOps
+- [ ] wake on LAN for updates
+- [ ] remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html
+- [ ] ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix
+- [ ] fix panoramax package
+- [ ] claude code MCP servers should bundle node with them so they work in all environments
+
+## Observability
+- [ ] graphana for dashboards
+- [ ] prometheus and loki for metric and log collection
+	- [ ] zfs storage usage
+	- [ ] zfs drive health status
+	- [ ] service version lag
+	- [ ] network/cpu/ram utilization
+	- [ ] http latency
+	- [ ] postgres db load
+	- [ ] nginx queries
+- [ ] ntfy.sh for push notifications
+- [ ] kuma for uptime visualization
+
+## Packages
+- [ ] Custom private fork of MultiMC

build-installer.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --flake*|-f*)
+      if [[ "$1" != *=* ]]; then shift; fi
+      flake="${1#*=}"
+      ;;
+    # --user*|-u*)
+    #   if [[ "$1" != *=* ]]; then shift; fi
+    #   user="${1#*=}"
+    #   ;;
+    --help|-h)
+      echo "--help -h: print this message"
+      echo "--flake -f: set the flake to build an installer for"
+    #   echo "--user -u: set the user to install flake as on the target system"
+      exit 0
+      ;;
+    *)
+      echo "Error: Invalid argument $1"
+      exit 1
+      ;;
+  esac
+  shift
+done
+
+flake=${flake:-"basic"}
+user=${user:-$USER}
+
+nix build .#installerConfigurations.$flake.config.system.build.isoImage

configurations/darwin/hesperium/configuration.nix

@@ -0,0 +1,16 @@
+{...}: {
+  host = {
+    users = {
+      leyla = {
+        isDesktopUser = true;
+        isTerminalUser = true;
+        isPrincipleUser = true;
+      };
+      eve.isNormalUser = false;
+    };
+  };
+
+  system.stateVersion = 5;
+
+  nixpkgs.hostPlatform = "aarch64-darwin";
+}

configurations/darwin/hesperium/default.nix

@@ -0,0 +1,5 @@
+{...}: {
+  imports = [
+    ./configuration.nix
+  ];
+}

configurations/home-manager/default.nix

@@ -0,0 +1,13 @@
+{
+  lib,
+  config,
+  osConfig,
+  ...
+}: let
+  users = config.host.users;
+in {
+  leyla = lib.mkIf users.leyla.isNormalUser (import ./leyla);
+  eve = lib.mkIf users.eve.isNormalUser (import ./eve);
+  ivy = lib.mkIf users.ivy.isNormalUser (import ./ivy);
+  git = lib.mkIf (osConfig.services.forgejo.enable or false) (import ./git);
+}

configurations/home-manager/eve/default.nix

@@ -0,0 +1,56 @@
+{osConfig, ...}: let
+  userConfig = osConfig.host.users.eve;
+in {
+  imports = [
+    ./packages.nix
+    ./gnomeconf.nix
+  ];
+
+  home = {
+    username = userConfig.name;
+    homeDirectory = osConfig.users.users.eve.home;
+
+    # This value determines the Home Manager release that your configuration is
+    # compatible with. This helps avoid breakage when a new Home Manager release
+    # introduces backwards incompatible changes.
+    #
+    # You should not change this value, even if you update Home Manager. If you do
+    # want to update the value, then make sure to first check the Home Manager
+    # release notes.
+    stateVersion = "23.11"; # Please read the comment before changing.
+
+    # Home Manager is pretty good at managing dotfiles. The primary way to manage
+    # plain files is through 'home.file'.
+    file = {
+      # # Building this configuration will create a copy of 'dotfiles/screenrc' in
+      # # the Nix store. Activating the configuration will then make '~/.screenrc' a
+      # # symlink to the Nix store copy.
+      # ".screenrc".source = dotfiles/screenrc;
+
+      # # You can also set the file content immediately.
+      # ".gradle/gradle.properties".text = ''
+      #   org.gradle.console=verbose
+      #   org.gradle.daemon.idletimeout=3600000
+      # '';
+    };
+
+    # Home Manager can also manage your environment variables through
+    # 'home.sessionVariables'. If you don't want to manage your shell through Home
+    # Manager then you have to manually source 'hm-session-vars.sh' located at
+    # either
+    #
+    #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
+    #
+    # or
+    #
+    #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
+    #
+    # or
+    #
+    #  /etc/profiles/per-user/leyla/etc/profile.d/hm-session-vars.sh
+    #
+    sessionVariables = {
+      # EDITOR = "emacs";
+    };
+  };
+}

configurations/home-manager/eve/gnomeconf.nix

@@ -0,0 +1,39 @@
+{
+  osConfig,
+  lib,
+  ...
+}: {
+  config = {
+    gnome = lib.mkMerge [
+      {
+        colorScheme = "prefer-dark";
+        accentColor = "slate";
+        clockFormat = "24h";
+        nightLight = {
+          enable = true;
+          automatic = false;
+          fromTime = 12.0;
+          toTime = 11.999999999999;
+          temperature = 2700;
+        };
+        extraWindowControls = true;
+        extensions = {
+          dash-to-panel = {
+            enable = true;
+          };
+        };
+      }
+
+      (lib.mkIf (osConfig.networking.hostName == "horizon") {
+        displayScaling = 125;
+        experimentalFeatures = {
+          scaleMonitorFramebuffer = true;
+        };
+      })
+    ];
+
+    dconf = {
+      enable = true;
+    };
+  };
+}

configurations/home-manager/eve/packages.nix

@@ -0,0 +1,87 @@
+{
+  lib,
+  pkgs,
+  config,
+  osConfig,
+  ...
+}: let
+  userConfig = osConfig.host.users.eve;
+  hardware = osConfig.host.hardware;
+in {
+  config = {
+    nixpkgs.config = {
+      allowUnfree = true;
+    };
+
+    # Packages that can be installed without any extra configuration
+    # See https://search.nixos.org/packages for all options
+    home.packages = lib.lists.optionals userConfig.isDesktopUser (
+      with pkgs; [
+        gnomeExtensions.dash-to-panel
+        claude-code
+        friture
+      ]
+    );
+
+    # Packages that need to be installed with some extra configuration
+    # See https://home-manager-options.extranix.com/ for all options
+    programs = lib.mkMerge [
+      {
+        # Let Home Manager install and manage itself.
+        home-manager.enable = true;
+      }
+      (lib.mkIf (config.user.isDesktopUser || config.user.isTerminalUser) {
+        git = {
+          enable = true;
+          settings = {
+            user.name = "Eve";
+            user.email = "evesnrobins@gmail.com";
+            init.defaultBranch = "main";
+          };
+        };
+
+        openssh = {
+          enable = true;
+          hostKeys = [
+            {
+              type = "ed25519";
+              path = "${config.home.username}_${osConfig.networking.hostName}_ed25519";
+            }
+          ];
+        };
+      })
+      (lib.mkIf config.user.isDesktopUser {
+        vscode = {
+          enable = true;
+          package = pkgs.vscodium;
+        };
+
+        firefox.enable = true;
+        bitwarden.enable = true;
+        discord.enable = true;
+        makemkv.enable = true;
+        signal-desktop-bin.enable = true;
+        steam.enable = true;
+        piper.enable = hardware.piperMouse.enable;
+        krita.enable = true;
+        ungoogled-chromium.enable = true;
+
+        inkscape.enable = true;
+        obsidian.enable = true;
+        obs-studio.enable = true;
+        kdenlive.enable = true;
+        tor-browser.enable = true;
+        olympus.enable = true;
+        libreoffice.enable = true;
+
+        claude-code.enable = osConfig.host.ai.enable;
+
+        # Windows applications that we need to figure out how to install
+        guild-wars-2.enable = false;
+        vortex.enable = false;
+        dungeon-draft.enable = false;
+        vmware-workstation.enable = true;
+      })
+    ];
+  };
+}

configurations/home-manager/git/default.nix

@@ -0,0 +1,22 @@
+{osConfig, ...}: {
+  impermanence.fallbackPersistence.enable = false;
+
+  home = {
+    username = osConfig.users.users.git.name;
+    homeDirectory = osConfig.users.users.git.home;
+
+    # This value determines the Home Manager release that your configuration is
+    # compatible with. This helps avoid breakage when a new Home Manager release
+    # introduces backwards incompatible changes.
+    #
+    # You should not change this value, even if you update Home Manager. If you do
+    # want to update the value, then make sure to first check the Home Manager
+    # release notes.
+    stateVersion = "23.11"; # Please read the comment before changing.
+  };
+
+  programs.ssh.extraConfig = ''
+    AuthorizedKeysFile
+    /var/lib/forgejo/.ssh/authorized_keys
+  '';
+}

configurations/home-manager/ivy/default.nix

@@ -0,0 +1,55 @@
+{osConfig, ...}: let
+  userConfig = osConfig.host.users.ivy;
+in {
+  imports = [
+    ./packages.nix
+  ];
+
+  home = {
+    username = userConfig.name;
+    homeDirectory = osConfig.users.users.ivy.home;
+
+    # This value determines the Home Manager release that your configuration is
+    # compatible with. This helps avoid breakage when a new Home Manager release
+    # introduces backwards incompatible changes.
+    #
+    # You should not change this value, even if you update Home Manager. If you do
+    # want to update the value, then make sure to first check the Home Manager
+    # release notes.
+    stateVersion = "23.11"; # Please read the comment before changing.
+
+    # Home Manager is pretty good at managing dotfiles. The primary way to manage
+    # plain files is through 'home.file'.
+    file = {
+      # # Building this configuration will create a copy of 'dotfiles/screenrc' in
+      # # the Nix store. Activating the configuration will then make '~/.screenrc' a
+      # # symlink to the Nix store copy.
+      # ".screenrc".source = dotfiles/screenrc;
+
+      # # You can also set the file content immediately.
+      # ".gradle/gradle.properties".text = ''
+      #   org.gradle.console=verbose
+      #   org.gradle.daemon.idletimeout=3600000
+      # '';
+    };
+
+    # Home Manager can also manage your environment variables through
+    # 'home.sessionVariables'. If you don't want to manage your shell through Home
+    # Manager then you have to manually source 'hm-session-vars.sh' located at
+    # either
+    #
+    #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
+    #
+    # or
+    #
+    #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
+    #
+    # or
+    #
+    #  /etc/profiles/per-user/ivy/etc/profile.d/hm-session-vars.sh
+    #
+    sessionVariables = {
+      # EDITOR = "emacs";
+    };
+  };
+}

configurations/home-manager/ivy/packages.nix

@@ -0,0 +1,73 @@
+{
+  lib,
+  pkgs,
+  config,
+  osConfig,
+  ...
+}: {
+  config = {
+    nixpkgs.config = {
+      allowUnfree = true;
+    };
+
+    # Programs that need to be installed with some extra configuration
+    programs = lib.mkMerge [
+      {
+        # Let Home Manager install and manage itself.
+        home-manager.enable = true;
+      }
+      (lib.mkIf (config.user.isDesktopUser || config.user.isTerminalUser) {
+        # git = {
+        #   enable = true;
+        #   userName = "Ivy";
+        #   userEmail = "ivy@example.com"; # Update this with actual email
+        #   extraConfig.init.defaultBranch = "main";
+        # };
+
+        openssh = {
+          enable = true;
+          hostKeys = [
+            {
+              type = "ed25519";
+              path = "${config.home.username}_${osConfig.networking.hostName}_ed25519";
+            }
+          ];
+        };
+      })
+      (lib.mkIf config.user.isDesktopUser {
+        vscode = {
+          enable = true;
+          package = pkgs.vscodium;
+          mutableExtensionsDir = false;
+
+          profiles.default = {
+            enableUpdateCheck = false;
+            enableExtensionUpdateCheck = false;
+
+            extraExtensions = {
+              # Cline extension (Claude AI assistant)
+              claudeDev.enable = true;
+              # Auto Rename Tag
+              autoRenameTag.enable = true;
+              # Live Server
+              liveServer.enable = true;
+            };
+
+            extensions = let
+              extension-pkgs = pkgs.nix-vscode-extensions.forVSCodeVersion config.programs.vscode.package.version;
+            in (
+              with extension-pkgs.open-vsx; [
+                streetsidesoftware.code-spell-checker
+              ]
+            );
+          };
+        };
+
+        firefox.enable = true;
+        discord.enable = true;
+        signal-desktop-bin.enable = true;
+        claude-code.enable = true;
+      })
+    ];
+  };
+}

configurations/home-manager/leyla/dconf.nix

@@ -0,0 +1,101 @@
+{...}: {
+  config = {
+    gnome = {
+      extraWindowControls = true;
+      colorScheme = "prefer-dark";
+      clockFormat = "24h";
+      nightLight = {
+        enable = true;
+        automatic = false;
+        fromTime = 12.0;
+        toTime = 11.999999999999;
+        temperature = 2700;
+      };
+      extensions = {
+        dash-to-dock = {
+          enable = true;
+          options = {
+            "dock-position" = "LEFT";
+            "intellihide-mode" = "ALL_WINDOWS";
+            "show-trash" = false;
+            "require-pressure-to-show" = false;
+            "show-mounts" = false;
+          };
+        };
+      };
+      hotkeys = {
+        "Open Terminal" = {
+          binding = "<Super>t";
+          command = "kgx";
+        };
+        "Open Firefox" = {
+          binding = "<Super>f";
+          command = "firefox";
+        };
+      };
+    };
+
+    dconf = {
+      enable = true;
+      settings = {
+        "org/gnome/shell" = {
+          favorite-apps = ["org.gnome.Nautilus.desktop" "firefox.desktop" "codium.desktop" "steam.desktop" "org.gnome.Console.desktop"];
+          # app-picker-layout =
+          #   builtins.map (
+          #     applications:
+          #       lib.hm.gvariant (builtins.listToAttrs (lib.lists.imap0 (i: v: lib.attrsets.nameValuePair v (lib.hm.gvariant.mkVariant "{'position': <${i}>}")) applications))
+          #   ) [
+          #     [
+          #       "org.gnome.Nautilus.desktop"
+          #       "bitwarden.desktop"
+          #       "firefox.desktop"
+          #       "torbrowser.desktop"
+          #       "chromium-browser.desktop"
+          #       "codium.desktop"
+          #       "idea-community.desktop"
+          #       "org.gnome.TextEditor.desktop"
+          #       "dbeaver.desktop"
+          #       "bruno.desktop"
+          #       "anki.desktop"
+          #       "obsidian.desktop"
+          #       "signal-desktop.desktop"
+          #       "discord.desktop"
+          #       "gimp.desktop"
+          #       "org.inkscape.Inkscape.desktop"
+          #       "org.kde.krita.desktop"
+          #       "davinci-resolve.desktop"
+          #       "com.obsproject.Studio.desktop"
+          #       "org.freecad.FreeCAD.desktop"
+          #       "makemkv.desktop"
+          #       "easytag.desktop"
+          #       "transmission-gtk.desktop"
+          #     ]
+          #     [
+          #       "SteamVR.desktop"
+          #       "Beat Saber.desktop"
+          #       "Noun Town.desktop"
+          #       "WEBFISHING.desktop"
+          #       "Factorio.desktop"
+          #     ]
+          #     [
+          #       "org.gnome.Settings.desktop"
+          #       "org.gnome.SystemMonitor.desktop"
+          #       "org.gnome.Snapshot.desktop"
+          #       "org.gnome.Usage.desktop"
+          #       "org.gnome.DiskUtility.desktop"
+          #       "org.gnome.Evince.desktop"
+          #       "org.gnome.fonts.desktop"
+          #       "noisetorch.desktop"
+          #       "nvidia-settings.desktop"
+          #       "OpnRGB.desktop"
+          #       "org.freedesktop.Piper.desktop"
+          #       "via-nativia.desktop"
+          #       "protonvpn-app.desktop"
+          #       "simple-scan.desktop"
+          #     ]
+          #   ];
+        };
+      };
+    };
+  };
+}

configurations/home-manager/leyla/default.nix

@@ -0,0 +1,95 @@
+{
+  pkgs,
+  config,
+  osConfig,
+  ...
+}: {
+  imports = [
+    ./packages
+    ./i18n.nix
+    ./impermanence.nix
+    ./dconf.nix
+  ];
+
+  config = {
+    impermanence.enable = osConfig.host.impermanence.enable;
+
+    # Home Manager needs a bit of information about you and the paths it should
+    # manage.
+    home = {
+      username = osConfig.host.users.leyla.name;
+      homeDirectory = osConfig.users.users.leyla.home;
+
+      # This value determines the Home Manager release that your configuration is
+      # compatible with. This helps avoid breakage when a new Home Manager release
+      # introduces backwards incompatible changes.
+      #
+      # You should not change this value, even if you update Home Manager. If you do
+      # want to update the value, then make sure to first check the Home Manager
+      # release notes.
+      stateVersion = "23.11"; # Please read the comment before changing.
+
+      # Home Manager is pretty good at managing dotfiles. The primary way to manage
+      # plain files is through 'home.file'.
+      file = {
+        # # Building this configuration will create a copy of 'dotfiles/screenrc' in
+        # # the Nix store. Activating the configuration will then make '~/.screenrc' a
+        # # symlink to the Nix store copy.
+        # ".screenrc".source = dotfiles/screenrc;
+
+        # # You can also set the file content immediately.
+        # ".gradle/gradle.properties".text = ''
+        #   org.gradle.console=verbose
+        #   org.gradle.daemon.idletimeout=3600000
+        # '';
+        "${config.xdg.configHome}/user-dirs.dirs" = {
+          force = true;
+          text = ''
+            # This file is written by xdg-user-dirs-update
+            # If you want to change or add directories, just edit the line you're
+            # interested in. All local changes will be retained on the next run.
+            # Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped
+            # homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an
+            # absolute path. No other format is supported.
+            #
+            XDG_DESKTOP_DIR="$HOME/desktop"
+            XDG_DOWNLOAD_DIR="$HOME/downloads"
+            XDG_DOCUMENTS_DIR="$HOME/documents"
+            XDG_TEMPLATES_DIR="$HOME/documents/templates"
+            XDG_MUSIC_DIR="$HOME/documents/music"
+            XDG_PICTURES_DIR="$HOME/documents/photos"
+            XDG_VIDEOS_DIR="$HOME/documents/videos"
+            XDG_PUBLICSHARE_DIR="$HOME/documents/public"
+          '';
+        };
+      };
+
+      keyboard.layout = "us,it,de";
+
+      # Home Manager can also manage your environment variables through
+      # 'home.sessionVariables'. If you don't want to manage your shell through Home
+      # Manager then you have to manually source 'hm-session-vars.sh' located at
+      # either
+      #
+      #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
+      #
+      # or
+      #
+      #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
+      #
+      # or
+      #
+      #  /etc/profiles/per-user/leyla/etc/profile.d/hm-session-vars.sh
+      #
+      sessionVariables = {
+        # EDITOR = "emacs";
+      };
+    };
+
+    # TODO: move this into a fonts module
+    home.packages = with pkgs; [
+      aileron
+    ];
+    fonts.fontconfig.enable = true;
+  };
+}

configurations/home-manager/leyla/i18n.nix

@@ -0,0 +1,12 @@
+{...}: {
+  i18n = {
+    defaultLocale = "en_IE.UTF-8";
+
+    extraLocaleSettings = {
+      # LC_ADDRESS = "en_IE.UTF-8"; # lets just get used to this one now
+      # LC_TELEPHONE = "en_IE.UTF-8"; # lets just get used to this one now
+      LC_MONETARY = "en_US.UTF-8"; # to be changed once I move
+      LC_PAPER = "en_US.UTF-8"; # convenient for american printers until I move
+    };
+  };
+}

configurations/home-manager/leyla/impermanence.nix

@@ -0,0 +1,20 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  config = lib.mkIf (config.impermanence.enable) {
+    home.persistence."/persist/home/leyla" = {
+      directories = [
+        "desktop"
+        "downloads"
+        "documents"
+      ];
+      files = [
+        ".bash_history" # keep shell history around
+        "${config.xdg.dataHome}/recently-used.xbel" # gnome recently viewed files
+      ];
+      allowOther = true;
+    };
+  };
+}

configurations/home-manager/leyla/packages/default.nix

@@ -0,0 +1,91 @@
+{
+  lib,
+  pkgs,
+  config,
+  osConfig,
+  ...
+}: let
+  hardware = osConfig.host.hardware;
+in {
+  imports = [
+    ./vscode
+    ./firefox
+    ./direnv.nix
+    ./openssh.nix
+    ./git.nix
+    ./makemkv.nix
+  ];
+
+  config = lib.mkMerge [
+    {
+      programs = lib.mkMerge [
+        {
+          # Let Home Manager install and manage itself.
+          home-manager.enable = true;
+        }
+        (lib.mkIf (config.user.isTerminalUser || config.user.isDesktopUser) {
+          bash.enable = true;
+          git.enable = true;
+          openssh.enable = true;
+        })
+        (lib.mkIf config.user.isDesktopUser {
+          bitwarden.enable = true;
+          obs-studio.enable = hardware.graphicsAcceleration.enable;
+          qbittorrent.enable = true;
+          prostudiomasters.enable = true;
+          protonvpn-gui.enable = true;
+          dbeaver-bin.enable = true;
+          bruno.enable = true;
+          piper.enable = hardware.piperMouse.enable;
+          proxmark3.enable = true;
+          openrgb.enable = hardware.openRGB.enable;
+          via.enable = hardware.viaKeyboard.enable;
+          claude-code.enable = osConfig.host.ai.enable;
+          davinci-resolve.enable = hardware.graphicsAcceleration.enable;
+          mfoc.enable = true;
+        })
+        (lib.mkIf (hardware.directAccess.enable && config.user.isDesktopUser) {
+          anki.enable = true;
+          makemkv.enable = true;
+          discord.enable = true;
+          signal-desktop-bin.enable = true;
+          calibre.enable = true;
+          obsidian.enable = true;
+          jetbrains.idea-community.enable = true;
+          vscode.enable = true;
+          firefox.enable = true;
+          steam.enable = true;
+          krita.enable = true;
+          ungoogled-chromium.enable = true;
+          libreoffice.enable = true;
+          mapillary-uploader.enable = true;
+          inkscape.enable = true;
+          gimp.enable = true;
+          freecad.enable = true;
+          onionshare.enable = true;
+          pdfarranger.enable = true;
+          picard.enable = true;
+          qflipper.enable = true;
+          openvpn.enable = true;
+          noisetorch.enable = true;
+          tor-browser.enable = true;
+          gdx-liftoff.enable = true;
+        })
+      ];
+    }
+    (lib.mkIf config.user.isTerminalUser {
+      home.packages = with pkgs; [
+        # command line tools
+        sox
+        yt-dlp
+        ffmpeg
+        imagemagick
+      ];
+    })
+    (lib.mkIf config.user.isDesktopUser {
+      nixpkgs.config = {
+        allowUnfree = true;
+      };
+    })
+  ];
+}

configurations/home-manager/leyla/packages/direnv.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  config,
+  osConfig,
+  ...
+}: let
+  userConfig = osConfig.host.users.leyla;
+in {
+  config = lib.mkIf userConfig.isDesktopUser {
+    programs = {
+      direnv = {
+        enable = true;
+        enableBashIntegration = true;
+        nix-direnv.enable = true;
+        config = {
+          global.hide_env_diff = true;
+          whitelist.exact = ["${config.home.homeDirectory}/documents/code/nix-config"];
+        };
+      };
+    };
+  };
+}

configurations/home-manager/leyla/packages/firefox/bookmarks.nix

@@ -0,0 +1,155 @@
+{...}: {
+  programs.firefox = {
+    profiles.leyla = {
+      bookmarks = {
+        force = true;
+        settings = [
+          # Personal Services
+          {
+            name = "Media";
+            url = "https://media.jan-leila.com/";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Photos";
+            url = "https://photos.jan-leila.com";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Git";
+            url = "https://git.jan-leila.com/";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Home Automation";
+            url = "https://home.jan-leila.com/";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Search";
+            url = "https://search.jan-leila.com/";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Budget";
+            url = "https://budget.jan-leila.com/";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Documents";
+            url = "https://documents.jan-leila.com/";
+            keyword = "";
+            tags = [""];
+          }
+
+          # Defiant Server Services
+          {
+            name = "QBittorrent";
+            url = "http://defiant:8084";
+            keyword = "";
+            tags = ["defiant"];
+          }
+          {
+            name = "Sonarr";
+            url = "http://defiant:8989";
+            keyword = "";
+            tags = ["defiant"];
+          }
+          {
+            name = "Radarr";
+            url = "http://defiant:7878";
+            keyword = "";
+            tags = ["defiant"];
+          }
+          {
+            name = "Bazarr";
+            url = "http://defiant:6767";
+            keyword = "";
+            tags = ["defiant"];
+          }
+          {
+            name = "Lidarr";
+            url = "http://defiant:8686";
+            keyword = "";
+            tags = ["defiant"];
+          }
+          {
+            name = "Jackett";
+            url = "http://defiant:9117";
+            keyword = "";
+            tags = ["defiant"];
+          }
+          {
+            name = "Crab-hole DNS";
+            url = "http://defiant:8085";
+            keyword = "";
+            tags = ["defiant"];
+          }
+
+          # External Services
+          {
+            name = "Mail";
+            url = "https://mail.protonmail.com";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Open Street Map";
+            url = "https://www.openstreetmap.org/";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Password Manager";
+            url = "https://vault.bitwarden.com/";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Mastodon";
+            url = "https://mspsocial.net";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Linked In";
+            url = "https://www.linkedin.com/";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Job Search";
+            url = "https://www.jobsinnetwork.com/?state=cleaned_history&language%5B%5D=en&query=react&locations.countryCode%5B%5D=IT&locations.countryCode%5B%5D=DE&locations.countryCode%5B%5D=NL&experience%5B%5D=medior&experience%5B%5D=junior&page=1";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "React Docs";
+            url = "https://react.dev/";
+            keyword = "";
+            tags = [""];
+          }
+          {
+            name = "Cyberia Matrix";
+            url = "https://chat.cyberia.club";
+            keyword = "";
+            tags = [""];
+          }
+          # Template
+          # {
+          #   name = "";
+          #   url = "";
+          #   keyword = "";
+          #   tags = [""];
+          # }
+        ];
+      };
+    };
+  };
+}

configurations/home-manager/leyla/packages/firefox/default.nix

@@ -0,0 +1,18 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = [
+    ./firefox.nix
+    ./bookmarks.nix
+    ./harden.nix
+  ];
+
+  config = {
+    programs.firefox = {
+      enable = true;
+    };
+  };
+}

configurations/home-manager/leyla/packages/firefox/firefox.nix

@@ -0,0 +1,191 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  programs.firefox = {
+    profiles.leyla = {
+      settings = {
+        "browser.search.defaultenginename" = "Searx";
+        "browser.search.order.1" = "Searx";
+      };
+
+      search = {
+        force = true;
+        default = "Searx";
+        engines = {
+          "Nix Packages" = {
+            urls = [
+              {
+                template = "https://search.nixos.org/packages";
+                params = [
+                  {
+                    name = "type";
+                    value = "packages";
+                  }
+                  {
+                    name = "query";
+                    value = "{searchTerms}";
+                  }
+                ];
+              }
+            ];
+            icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
+            definedAliases = ["@np"];
+          };
+          "NixOS Wiki" = {
+            urls = [{template = "https://nixos.wiki/index.php?search={searchTerms}";}];
+            icon = "https://nixos.wiki/favicon.png";
+            updateInterval = 24 * 60 * 60 * 1000; # every day
+            definedAliases = ["@nw"];
+          };
+          "Searx" = {
+            urls = [{template = "https://search.jan-leila.com/?q={searchTerms}";}];
+            icon = "https://nixos.wiki/favicon.png";
+            updateInterval = 24 * 60 * 60 * 1000; # every day
+            definedAliases = ["@searx"];
+          };
+        };
+      };
+
+      extensions.packages = with inputs.firefox-addons.packages.${pkgs.stdenv.hostPlatform.system}; [
+        bitwarden
+        terms-of-service-didnt-read
+        multi-account-containers
+        shinigami-eyes
+
+        ublock-origin
+        sponsorblock
+        dearrow
+        df-youtube
+        return-youtube-dislikes
+
+        privacy-badger
+        decentraleyes
+        clearurls
+        localcdn
+
+        snowflake
+
+        pkgs.firefox-extensions.deutsch-de-language-pack
+        dictionary-german
+
+        tab-session-manager
+
+        pkgs.firefox-extensions.italiano-it-language-pack
+        pkgs.firefox-extensions.dizionario-italiano
+      ];
+
+      settings = {
+        # Disable irritating first-run stuff
+        "browser.disableResetPrompt" = true;
+        "browser.download.panel.shown" = true;
+        "browser.feeds.showFirstRunUI" = false;
+        "browser.messaging-system.whatsNewPanel.enabled" = false;
+        "browser.rights.3.shown" = true;
+        "browser.shell.checkDefaultBrowser" = false;
+        "browser.shell.defaultBrowserCheckCount" = 1;
+        "browser.startup.homepage_override.mstone" = "ignore";
+        "browser.uitour.enabled" = false;
+        "startup.homepage_override_url" = "";
+        "trailhead.firstrun.didSeeAboutWelcome" = true;
+        "browser.bookmarks.restore_default_bookmarks" = false;
+        "browser.bookmarks.addedImportButton" = true;
+        "browser.newtabpage.activity-stream.feeds.section.topstories" = false;
+
+        # Usage Experience
+        "browser.startup.homepage" = "about:home";
+        "browser.download.useDownloadDir" = false;
+        "browser.uiCustomization.state" = builtins.toJSON {
+          "currentVersion" = 20;
+          "newElementCount" = 6;
+          "dirtyAreaCache" = [
+            "nav-bar"
+            "PersonalToolbar"
+            "toolbar-menubar"
+            "TabsToolbar"
+            "unified-extensions-area"
+            "vertical-tabs"
+          ];
+          "placements" = {
+            "widget-overflow-fixed-list" = [];
+            "unified-extensions-area" = [
+              # bitwarden
+              "_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action"
+              "ublock0_raymondhill_net-browser-action"
+              "sponsorblocker_ajay_app-browser-action"
+              "dearrow_ajay_app-browser-action"
+              "jid1-mnnxcxisbpnsxq_jetpack-browser-action"
+              "_testpilot-containers-browser-action"
+              "addon_simplelogin-browser-action"
+              "_74145f27-f039-47ce-a470-a662b129930a_-browser-action"
+              "jid1-bofifl9vbdl2zq_jetpack-browser-action"
+              "dfyoutube_example_com-browser-action"
+              "_b86e4813-687a-43e6-ab65-0bde4ab75758_-browser-action"
+              "_762f9885-5a13-4abd-9c77-433dcd38b8fd_-browser-action"
+              "_b11bea1f-a888-4332-8d8a-cec2be7d24b9_-browse-action"
+              "jid0-3guet1r69sqnsrca5p8kx9ezc3u_jetpack-browser-action"
+            ];
+            "nav-bar" = [
+              "back-button"
+              "forward-button"
+              "stop-reload-button"
+              "urlbar-container"
+              "downloads-button"
+              "unified-extensions-button"
+              "reset-pbm-toolbar-button"
+            ];
+            "toolbar-menubar" = [
+              "menubar-items"
+            ];
+            "TabsToolbar" = [
+              "firefox-view-button"
+              "tabbrowser-tabs"
+              "new-tab-button"
+              "alltabs-button"
+            ];
+            "vertical-tabs" = [];
+            "PersonalToolbar" = [
+              "import-button"
+              "personal-bookmarks"
+            ];
+          };
+          "seen" = [
+            "save-to-pocket-button"
+            "developer-button"
+            "privacy_privacy_com-browser-action"
+            "sponsorblocker_ajay_app-browser-action"
+            "ublock0_raymondhill_net-browser-action"
+            "addon_simplelogin-browser-action"
+            "dearrow_ajay_app-browser-action"
+            "_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action"
+            "_74145f27-f039-47ce-a470-a662b129930a_-browser-action"
+            "jid1-bofifl9vbdl2zq_jetpack-browser-action"
+            "dfyoutube_example_com-browser-action"
+            "_testpilot-containers-browser-action"
+            "_b86e4813-687a-43e6-ab65-0bde4ab75758_-browser-action"
+            "jid1-mnnxcxisbpnsxq_jetpack-browser-action"
+            "_762f9885-5a13-4abd-9c77-433dcd38b8fd_-browser-action"
+            "_b11bea1f-a888-4332-8d8a-cec2be7d24b9_-browser-action"
+            "jid0-3guet1r69sqnsrca5p8kx9ezc3u_jetpack-browser-action"
+          ];
+        };
+        "browser.newtabpage.activity-stream.feeds.topsites" = false;
+        "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+        "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false;
+        "browser.newtabpage.blocked" = lib.genAttrs [
+          # Facebook
+          "4gPpjkxgZzXPVtuEoAL9Ig=="
+          # Reddit
+          "gLv0ja2RYVgxKdp0I5qwvA=="
+          # Amazon
+          "K00ILysCaEq8+bEqV/3nuw=="
+          # Twitter
+          "T9nJot5PurhJSy8n038xGA=="
+        ] (_: 1);
+        "identity.fxaccounts.enabled" = false;
+      };
+    };
+  };
+}

configurations/home-manager/leyla/packages/firefox/harden.nix

@@ -0,0 +1,50 @@
+{...}: {
+  programs.firefox = {
+    profiles.leyla = {
+      settings = {
+        # Security
+        "privacy.trackingprotection.enabled" = true;
+        "dom.security.https_only_mode" = true;
+        "dom.security.https_only_mode_pbm" = true;
+        "dom.security.https_only_mode_error_page_user_suggestions" = true;
+
+        # Privacy & Data Protection
+        "extensions.formautofill.addresses.enabled" = false;
+        "extensions.formautofill.creditCards.enabled" = false;
+        "signon.rememberSignons" = false;
+        "privacy.sanitize.sanitizeOnShutdown" = true;
+        "privacy.clearOnShutdown_v2.cache" = true;
+        "privacy.clearOnShutdown_v2.cookiesAndStorage" = true;
+        "privacy.clearOnShutdown_v2.historyFormDataAndDownloads" = true;
+        "urlclassifier.trackingSkipURLs" = "";
+        "urlclassifier.features.socialtracking.skipURLs" = "";
+
+        # Disable telemetry and data collection
+        "app.shield.optoutstudies.enabled" = false;
+        "browser.discovery.enabled" = false;
+        "browser.newtabpage.activity-stream.feeds.telemetry" = false;
+        "browser.newtabpage.activity-stream.telemetry" = false;
+        "browser.ping-centre.telemetry" = false;
+        "datareporting.healthreport.service.enabled" = false;
+        "datareporting.healthreport.uploadEnabled" = false;
+        "datareporting.policy.dataSubmissionEnabled" = false;
+        "datareporting.sessions.current.clean" = true;
+        "devtools.onboarding.telemetry.logged" = false;
+        "toolkit.telemetry.archive.enabled" = false;
+        "toolkit.telemetry.bhrPing.enabled" = false;
+        "toolkit.telemetry.enabled" = false;
+        "toolkit.telemetry.firstShutdownPing.enabled" = false;
+        "toolkit.telemetry.hybridContent.enabled" = false;
+        "toolkit.telemetry.newProfilePing.enabled" = false;
+        "toolkit.telemetry.prompted" = 2;
+        "toolkit.telemetry.rejected" = true;
+        "toolkit.telemetry.reportingpolicy.firstRun" = false;
+        "toolkit.telemetry.server" = "";
+        "toolkit.telemetry.shutdownPingSender.enabled" = false;
+        "toolkit.telemetry.unified" = false;
+        "toolkit.telemetry.unifiedIsOptIn" = false;
+        "toolkit.telemetry.updatePing.enabled" = false;
+      };
+    };
+  };
+}

configurations/home-manager/leyla/packages/git.nix

@@ -0,0 +1,13 @@
+{...}: {
+  config = {
+    programs = {
+      git = {
+        settings = {
+          user.name = "Leyla Becker";
+          user.email = "git@jan-leila.com";
+          init.defaultBranch = "main";
+        };
+      };
+    };
+  };
+}

configurations/home-manager/leyla/packages/makemkv.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  inputs,
+  ...
+}: {
+  config = {
+    sops.secrets = {
+      "application-keys/makemkv" = {
+        sopsFile = "${inputs.secrets}/application-keys.yaml";
+      };
+    };
+    programs.makemkv = {
+      appKeyFile = config.sops.placeholder."application-keys/makemkv";
+      destinationDir = "/home/leyla/downloads/makemkv";
+    };
+  };
+}

configurations/home-manager/leyla/packages/openssh.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  osConfig,
+  ...
+}: {
+  config = {
+    programs = {
+      openssh = {
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHeItmt8TRW43uNcOC+eIurYC7Eunc0V3LGocQqLaYj leyla@horizon"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILimFIW2exEH/Xo7LtXkqgE04qusvnPNpPWSCeNrFkP leyla@defiant"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBiZkg1c2aaNHiieBX4cEziqvJVj9pcDfzUrKU/mO0I leyla@twilight"
+        ];
+        hostKeys = [
+          {
+            type = "ed25519";
+            path = "${config.home.username}_${osConfig.networking.hostName}_ed25519";
+          }
+        ];
+      };
+    };
+  };
+}

configurations/home-manager/leyla/packages/vscode/default.nix

@@ -0,0 +1,136 @@
+{
+  lib,
+  pkgs,
+  config,
+  osConfig,
+  ...
+}: let
+  nix-development-enabled = osConfig.host.nix-development.enable;
+  ai-tooling-enabled = osConfig.host.ai.enable;
+in {
+  imports = [
+    ./user-words.nix
+  ];
+
+  config = lib.mkIf config.user.isDesktopUser {
+    programs = {
+      bash.shellAliases = {
+        code = "codium";
+      };
+
+      vscode = {
+        package = pkgs.vscodium;
+
+        mutableExtensionsDir = false;
+
+        profiles.default = {
+          enableUpdateCheck = false;
+          enableExtensionUpdateCheck = false;
+
+          userSettings = lib.mkMerge [
+            {
+              "javascript.updateImportsOnFileMove.enabled" = "always";
+              "editor.tabSize" = 2;
+              "editor.insertSpaces" = false;
+              # "terminal.integrated.fontFamily" = "'Droid Sans Mono', 'monospace', monospace";
+            }
+          ];
+
+          extraExtensions = {
+            # vs code feel
+            oneDark.enable = true;
+            atomKeybindings.enable = true;
+            openRemoteSsh.enable = true;
+            # openDyslexicFont.enable = false;
+
+            # html development
+            autoRenameTag.enable = true;
+            liveServer.enable = true;
+
+            # js development
+            es7ReactJsSnippets.enable = true;
+            tauriVscode.enable = true;
+            vscodeEslint.enable = true;
+            vscodeJest.enable = true;
+            vitest.enable = true;
+            vscodeStandard.enable = true;
+            vscodeStylelint.enable = true;
+
+            nearley.enable = true;
+
+            # astro development
+            vscodeMdx.enable = true;
+            astroVscode.enable = true;
+
+            # nix development
+            alejandra.enable = nix-development-enabled;
+            nixIde.enable = nix-development-enabled;
+
+            # go development
+            go.enable = true;
+
+            # rust development
+            rustAnalyzer.enable = true;
+
+            # claude development
+            claudeDev = lib.mkIf ai-tooling-enabled {
+              enable = true;
+              mcp = {
+                nixos = {
+                  enable = true;
+                  autoApprove = {
+                    nixos_search = true;
+                    nixos_info = true;
+                    home_manager_search = true;
+                    home_manager_info = true;
+                    darwin_search = true;
+                    darwin_info = true;
+                    nixos_flakes_search = true;
+                  };
+                };
+                eslint = {
+                  enable = true;
+                  autoApprove = {
+                    lint-files = true;
+                  };
+                };
+                vitest = {
+                  enable = true;
+                  autoApprove = {
+                    list_tests = true;
+                    run_tests = true;
+                    analyze_coverage = true;
+                    set_project_root = true;
+                  };
+                };
+                sleep = {
+                  enable = true;
+                  timeout = 18000; # 5 hours to match claude codes timeout
+                  autoApprove = {
+                    sleep = true;
+                  };
+                };
+              };
+            };
+
+            # misc extensions
+            evenBetterToml.enable = true;
+            direnv.enable = config.programs.direnv.enable;
+            conventionalCommits.enable = true;
+          };
+
+          extensions = let
+            extension-pkgs = pkgs.nix-vscode-extensions.forVSCodeVersion config.programs.vscode.package.version;
+          in (
+            with extension-pkgs.open-vsx; [
+              # vs code feel extensions
+              streetsidesoftware.code-spell-checker
+              streetsidesoftware.code-spell-checker-german
+              streetsidesoftware.code-spell-checker-italian
+            ]
+          );
+        };
+      };
+    };
+  };
+}

configurations/home-manager/leyla/packages/vscode/user-words.nix

@@ -0,0 +1,126 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  config.programs.vscode.profiles.default.userSettings = {
+    "cSpell.userWords" = [
+      "leyla"
+    ];
+
+    "cSpell.languageSettings" = [
+      {
+        "languageId" = "nix";
+        "locale" = "*";
+        "dictionaries" = [
+          "applications"
+          "ai-words"
+          "nix-words"
+
+          # We need to include all other dictionaries in the nix language settings because they exist in this file
+          # TODO: see if there is a way to make this only apply for this file
+          "js-words"
+        ];
+      }
+      {
+        "languageId" = "javascript,typescript,js,ts";
+        "locale" = "*";
+        "dictionaries" = [
+          "js-words"
+        ];
+      }
+    ];
+
+    "cSpell.customDictionaries" = {
+      applications = {
+        name = "applications";
+        description = "application names";
+        path = pkgs.writeText "applications.txt" (lib.strings.concatLines [
+          "ollama"
+          "syncthing"
+          "immich"
+          "sonos"
+          "makemkv"
+          "hass"
+          "qbittorent"
+          "prostudiomasters"
+          "protonmail"
+          "pulseaudio"
+        ]);
+      };
+
+      ai-words = {
+        name = "ai-words";
+        description = "common words used for ai development";
+        path = pkgs.writeText "ai-words.txt" (lib.strings.concatLines [
+          "ollama"
+          "deepseek"
+          "qwen"
+        ]);
+      };
+
+      nix-words = {
+        name = "nix-words";
+        description = "words used in nix configurations";
+        path = pkgs.writeText "nix-words.txt" (lib.strings.concatLines [
+          "pname"
+          "direnv"
+          "tmpfiles"
+          "Networkd"
+          "networkmanager"
+          "dialout"
+          "adbusers"
+          "authkey"
+          "netdevs"
+          "atomix"
+          "geary"
+          "gedit"
+          "hitori"
+          "iagno"
+          "alsa"
+          "timezoned"
+          "pipewire"
+          "rtkit"
+          "disko"
+          "ashift"
+          "autotrim"
+          "canmount"
+          "mountpoint"
+          "xattr"
+          "acltype"
+          "relatime"
+          "keyformat"
+          "keylocation"
+          "vdevs"
+
+          # codium extensions
+          "akamud"
+          "onedark"
+          "jeanp"
+          "dsznajder"
+          "dbaeumer"
+          "orta"
+          "tauri"
+          "unifiedjs"
+          "tamasfe"
+          "pinage"
+          "jnoortheen"
+          "kamadorueda"
+          "karyfoundation"
+          "nearley"
+
+          # nix.optimise is spelled wrong
+          "optimise"
+        ]);
+      };
+
+      js-words = {
+        name = "js-words";
+        description = "words used in js development";
+        path = pkgs.writeText "js-words.txt" (lib.strings.concatLines [
+          "webdav"
+        ]);
+      };
+    };
+  };
+}

configurations/installer/basic/configuration.nix

@@ -0,0 +1,19 @@
+{
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")];
+
+  systemd.services.sshd.wantedBy = pkgs.lib.mkForce ["multi-user.target"];
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AaAeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee username@host"
+  ];
+
+  isoImage.squashfsCompression = "gzip -Xcompression-level 1";
+
+  networking.hostName = "installer";
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

configurations/installer/basic/default.nix

@@ -0,0 +1,5 @@
+{...}: {
+  imports = [
+    ./configuration.nix
+  ];
+}

configurations/nixos/defiant/configuration.nix

@@ -0,0 +1,413 @@
+# server nas
+{
+  inputs,
+  config,
+  ...
+}: {
+  sops.secrets = {
+    "vpn-keys/tailscale-authkey/defiant" = {
+      sopsFile = "${inputs.secrets}/vpn-keys.yaml";
+    };
+    "vpn-keys/proton-wireguard/defiant-p2p" = {
+      sopsFile = "${inputs.secrets}/vpn-keys.yaml";
+      mode = "0640";
+      owner = "root";
+      group = "systemd-network";
+    };
+    "services/zfs_smtp_token" = {
+      sopsFile = "${inputs.secrets}/defiant-services.yaml";
+    };
+    "services/paperless_password" = {
+      sopsFile = "${inputs.secrets}/defiant-services.yaml";
+      mode = "0700";
+      owner = "paperless";
+      group = "paperless";
+    };
+  };
+
+  host = {
+    users = {
+      leyla = {
+        isDesktopUser = true;
+        isTerminalUser = true;
+        isPrincipleUser = true;
+      };
+    };
+    impermanence.enable = true;
+    storage = {
+      enable = true;
+      encryption = true;
+      notifications = {
+        enable = true;
+        host = "smtp.protonmail.ch";
+        port = 587;
+        to = "leyla@jan-leila.com";
+        user = "noreply@jan-leila.com";
+        tokenFile = config.sops.secrets."services/zfs_smtp_token".path;
+      };
+      pool = {
+        # We are having to boot off of the nvm cache drive because I cant figure out how to boot via the HBA
+        bootDrives = ["nvme-Samsung_SSD_990_PRO_4TB_S7KGNU0X907881F"];
+        vdevs = [
+          [
+            "ata-ST18000NE000-3G6101_ZVTCXVEB"
+            "ata-ST18000NE000-3G6101_ZVTCXWSC"
+            "ata-ST18000NE000-3G6101_ZVTD10EH"
+            "ata-ST18000NT001-3NF101_ZVTE0S3Q"
+            "ata-ST18000NT001-3NF101_ZVTEF27J"
+            "ata-ST18000NE000-3G6101_ZVTJ7359"
+          ]
+          [
+            "ata-ST4000NE001-2MA101_WS2275P3"
+            "ata-ST4000NE001-2MA101_WS227B9F"
+            "ata-ST4000NE001-2MA101_WS227CEW"
+            "ata-ST4000NE001-2MA101_WS227CYN"
+            "ata-ST4000NE001-2MA101_WS23TBWV"
+            "ata-ST4000NE001-2MA101_WS23TC5F"
+          ]
+        ];
+        cache = [
+          "nvme-Samsung_SSD_990_PRO_4TB_S7KGNU0X907881F"
+        ];
+      };
+    };
+    network_storage = {
+      enable = true;
+      directories = [
+        {
+          folder = "leyla_documents";
+          user = "leyla";
+          group = "leyla";
+          bind = "/home/leyla/documents";
+        }
+        {
+          folder = "eve_documents";
+          user = "eve";
+          group = "eve";
+        }
+        {
+          folder = "users_documents";
+          user = "root";
+          group = "users";
+        }
+        {
+          folder = "media";
+          user = "jellyfin";
+          group = "jellyfin_media";
+          bind = config.services.jellyfin.media_directory;
+        }
+      ];
+      nfs = {
+        enable = true;
+        directories = ["leyla_documents" "eve_documents" "users_documents" "media"];
+      };
+    };
+  };
+
+  systemd.network = {
+    enable = true;
+
+    netdevs = {
+      "10-bond0" = {
+        netdevConfig = {
+          Kind = "bond";
+          Name = "bond0";
+        };
+        bondConfig = {
+          Mode = "802.3ad";
+          TransmitHashPolicy = "layer3+4";
+        };
+      };
+
+      "20-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
+          ListenPort = 51820;
+        };
+        wireguardPeers = [
+          {
+            PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
+            Endpoint = "185.230.126.146:51820";
+            # Allow all traffic but use policy routing to prevent system-wide VPN
+            AllowedIPs = ["0.0.0.0/0"];
+          }
+        ];
+      };
+    };
+    networks = {
+      "40-bond0" = {
+        matchConfig.Name = "bond0";
+        linkConfig = {
+          RequiredForOnline = "degraded-carrier";
+          RequiredFamilyForOnline = "any";
+        };
+        networkConfig.DHCP = "yes";
+
+        address = [
+          "192.168.1.10/32"
+        ];
+
+        # Set lower priority for default gateway to allow WireGuard interface binding
+        routes = [
+          {
+            Destination = "0.0.0.0/0";
+            Gateway = "192.168.1.1";
+            Metric = 100;
+          }
+        ];
+        dns = ["192.168.1.1"];
+      };
+
+      "50-wg0" = {
+        matchConfig.Name = "wg0";
+        networkConfig = {
+          DHCP = "no";
+        };
+        address = [
+          "10.2.0.2/32"
+        ];
+        # Configure routing for application binding
+        routingPolicyRules = [
+          {
+            # Route traffic from VPN interface through VPN table
+            From = "10.2.0.2/32";
+            Table = 200;
+            Priority = 100;
+          }
+        ];
+        routes = [
+          {
+            # Direct route to VPN gateway
+            Destination = "10.2.0.1/32";
+            Scope = "link";
+          }
+          {
+            # Route VPN subnet through VPN gateway in custom table
+            Destination = "10.2.0.0/16";
+            Gateway = "10.2.0.1";
+            Table = 200;
+          }
+          {
+            # Route all traffic through VPN gateway in custom table
+            Destination = "0.0.0.0/0";
+            Gateway = "10.2.0.1";
+            Table = 200;
+          }
+        ];
+      };
+    };
+  };
+
+  # limit arc usage to 50gb because ollama doesn't play nice with zfs using up all of the memory
+  boot.kernelParams = ["zfs.zfs_arc_max=53687091200"];
+
+  # Enable policy routing and source routing for application-specific VPN binding
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.rp_filter" = 2;
+    "net.ipv4.conf.default.rp_filter" = 2;
+    "net.ipv4.conf.wg0.rp_filter" = 2;
+  };
+
+  services = {
+    # PostgreSQL database server
+    postgresql = {
+      enable = true;
+      adminUsers = ["leyla"];
+    };
+
+    # temp enable desktop environment for setup
+    # Enable the X11 windowing system.
+    xserver.enable = true;
+
+    # Enable the GNOME Desktop Environment.
+    displayManager = {
+      gdm.enable = true;
+    };
+    desktopManager = {
+      gnome.enable = true;
+    };
+
+    # Enable new reverse proxy system
+    reverseProxy = {
+      enable = true;
+      openFirewall = true;
+      acme = {
+        enable = true;
+        email = "jan-leila@protonmail.com";
+      };
+    };
+
+    ollama = {
+      enable = true;
+      exposePort = true;
+
+      acceleration = false;
+
+      environmentVariables = {
+        OLLAMA_KEEP_ALIVE = "24h";
+      };
+
+      loadModels = [
+        # conversation models
+        "llama3.1:8b"
+        "deepseek-r1:8b"
+        "deepseek-r1:32b"
+        "deepseek-r1:70b"
+
+        # auto complete models
+        "qwen2.5-coder:1.5b-base"
+        "qwen2.5-coder:7b"
+        "deepseek-coder:6.7b"
+        "deepseek-coder:33b"
+
+        # agent models
+        "qwen3:8b"
+        "qwen3:32b"
+        "qwen3:235b-a22b"
+
+        "qwen3-coder:30b"
+        "qwen3-coder:30b-a3b-fp16"
+
+        # embedding models
+        "nomic-embed-text:latest"
+      ];
+    };
+    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets."vpn-keys/tailscale-authkey/defiant".path;
+      useRoutingFeatures = "server";
+      extraUpFlags = [
+        "--advertise-exit-node"
+        "--advertise-routes=192.168.0.0/24"
+        "--accept-dns=false"
+      ];
+      extraSetFlags = [
+        "--advertise-exit-node"
+        "--advertise-routes=192.168.0.0/24"
+        "--accept-dns=false"
+      ];
+    };
+
+    syncthing.enable = true;
+
+    fail2ban.enable = true;
+
+    jellyfin = {
+      enable = true;
+      domain = "media.jan-leila.com";
+      extraDomains = ["jellyfin.jan-leila.com"];
+    };
+
+    immich = {
+      enable = true;
+      domain = "photos.jan-leila.com";
+    };
+
+    forgejo = {
+      enable = true;
+      reverseProxy.domain = "git.jan-leila.com";
+    };
+
+    searx = {
+      enable = true;
+      domain = "search.jan-leila.com";
+    };
+
+    actual = {
+      enable = true;
+      domain = "budget.jan-leila.com";
+    };
+
+    home-assistant = {
+      enable = true;
+      domain = "home.jan-leila.com";
+      openFirewall = true;
+      postgres.enable = true;
+
+      extensions = {
+        sonos.enable = true;
+        jellyfin.enable = true;
+        wyoming.enable = false; # Temporarily disabled due to dependency conflict in wyoming-piper
+      };
+    };
+
+    paperless = {
+      enable = true;
+      domain = "documents.jan-leila.com";
+      passwordFile = config.sops.secrets."services/paperless_password".path;
+    };
+
+    panoramax = {
+      enable = false;
+      openFirewall = true;
+    };
+
+    crab-hole = {
+      enable = true;
+      port = 8085;
+      openFirewall = true;
+      show_doc = true;
+      downstreams = {
+        host = {
+          enable = true;
+          openFirewall = true;
+        };
+      };
+      upstreams.cloudFlare.enable = true;
+      blocklists.ad_malware.enable = true;
+    };
+
+    qbittorrent = {
+      enable = true;
+      mediaDir = "/srv/qbittorent";
+      openFirewall = true;
+      webuiPort = 8084;
+    };
+
+    sonarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    radarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    bazarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    lidarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    jackett = {
+      enable = true;
+      openFirewall = true;
+    };
+    flaresolverr = {
+      enable = true;
+      openFirewall = true;
+    };
+  };
+
+  # disable computer sleeping
+  systemd.targets = {
+    sleep.enable = false;
+    suspend.enable = false;
+    hibernate.enable = false;
+    hybrid-sleep.enable = false;
+  };
+  services.displayManager.gdm.autoSuspend = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

configurations/nixos/defiant/default.nix

@@ -0,0 +1,8 @@
+# server nas
+{...}: {
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+    ./packages.nix
+  ];
+}

configurations/nixos/defiant/hardware-configuration.nix

@@ -4,79 +4,57 @@
 {
   config,
   lib,
-  pkgs,
   modulesPath,
   ...
 }: {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
-    ../hardware-common.nix
   ];
 
   boot = {
     initrd = {
-      availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "usb_storage" "sd_mod"];
+      availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "nvme" "usb_storage" "sd_mod"];
       kernelModules = [];
     };
     kernelModules = ["kvm-amd"];
     extraModulePackages = [];
 
+    # Bootloader.
+    loader = {
+      systemd-boot.enable = true;
+      efi = {
+        canTouchEfiVariables = true;
+        efiSysMountPoint = "/boot";
+      };
+    };
     supportedFilesystems = ["zfs"];
 
-    zfs.extraPools = ["zroot"];
+    zfs.extraPools = ["rpool"];
   };
 
-  swapDevices = [];
-
   networking = {
-    hostId = "c51763d6";
     hostName = "defiant"; # Define your hostname.
+    hostId = "c51763d6";
     useNetworkd = true;
   };
 
   systemd.network = {
     enable = true;
 
-    netdevs = {
-      "10-bond0" = {
-        netdevConfig = {
-          Kind = "bond";
-          Name = "bond0";
-        };
-        bondConfig = {
-          Mode = "802.3ad";
-          TransmitHashPolicy = "layer3+4";
-        };
-      };
-    };
-
     networks = {
-      "30-enp4s0" = {
+      "30-eno1" = {
-        matchConfig.Name = "enp4s0";
+        matchConfig.Name = "eno1";
         networkConfig.Bond = "bond0";
-        DHCP = "no";
       };
-      "30-enp5s0" = {
+      "30-eno2" = {
-        matchConfig.Name = "enp5s0";
+        matchConfig.Name = "eno2";
         networkConfig.Bond = "bond0";
-        DHCP = "no";
-      };
-
-      "40-bond0" = {
-        matchConfig.Name = "bond0";
-        linkConfig.RequiredForOnline = "carrier";
-        networkConfig.LinkLocalAddressing = "no";
-        DHCP = "ipv4";
-
-        address = [
-          # configure addresses including subnet mask
-          "192.168.1.10/24"
-          # TODO: ipv6 address configuration
-        ];
       };
     };
   };
 
+  networking.networkmanager.enable = true;
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware = {
     # TODO: hardware graphics

configurations/nixos/defiant/packages.nix

@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    ffsubsync
+    sox
+    yt-dlp
+    ffmpeg
+    imagemagick
+  ];
+}

configurations/nixos/emergent/configuration.nix

@@ -0,0 +1,167 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./nvidia-drivers.nix
+  ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # networking.hostName = "nixos"; # Define your hostname.
+  # Pick only one of the below networking options.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  #   useXkbConfig = true; # use xkb.options in tty.
+  # };
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+  # Enable wacom touchscreen device
+  services.xserver.wacom.enable = true;
+
+  # installed opentabletdriver
+  hardware.opentabletdriver.enable = true;
+  hardware.keyboard.qmk.enable = true;
+
+  # Enable the GNOME Desktop Environment.
+  services.displayManager.gdm.enable = true;
+  services.desktopManager.gnome.enable = true;
+
+  host = {
+    ai.enable = true;
+    users = {
+      eve = {
+        isDesktopUser = true;
+        isTerminalUser = true;
+        isPrincipleUser = true;
+      };
+    };
+    hardware = {
+      piperMouse.enable = true;
+    };
+
+    storage = {
+      enable = true;
+      pool = {
+        mode = "";
+        drives = ["wwn-0x5000039fd0cf05eb"];
+      };
+    };
+  };
+
+  services.tailscale.enable = true;
+  # We were having weird build errors so this is disabled right now
+  # error: The option `devices.emergent.folders.eve_records.path' was accessed but has no value defined. Try setting the option
+  services.syncthing.enable = false;
+
+  # Configure keymap in X11
+  # services.xserver.xkb.layout = "us";
+  # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable sound.
+  # services.pulseaudio.enable = true;
+  # OR
+  # services.pipewire = {
+  #   enable = true;
+  #   pulse.enable = true;
+  # };
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.users.alice = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+  #   packages = with pkgs; [
+  #     tree
+  #   ];
+  # };
+
+  # programs.firefox.enable = true;
+
+  nixpkgs.config.allowUnfree = true;
+
+  # Packages that can be installed without any extra configuration
+  # See https://search.nixos.org/packages for all options
+  environment.systemPackages = with pkgs; [
+    wget
+  ];
+
+  # Packages that need to be installed with some extra configuration
+  # See https://search.nixos.org/options for all options
+  programs = {};
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  # services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  networking = {
+    networkmanager.enable = true;
+    useDHCP = lib.mkDefault true;
+    hostId = "7e35eb97"; # arbitrary id number generated via this command: `head -c4 /dev/urandom | od -A none -t x4`
+    hostName = "emergent"; # Define your hostname.
+  };
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "25.05"; # Did you read the comment?
+}

configurations/nixos/emergent/default.nix

@@ -0,0 +1,7 @@
+# evs desktop
+{...}: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+  ];
+}

configurations/nixos/emergent/hardware-configuration.nix

@@ -0,0 +1,32 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp42s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

configurations/nixos/emergent/nvidia-drivers.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # Enable OpenGL
+  hardware.graphics = {
+    enable = true;
+  };
+
+  # Load nvidia driver for Xorg and Wayland
+  services = {
+    xserver = {
+      # Load nvidia driver for Xorg and Wayland
+      videoDrivers = ["nvidia"];
+    };
+    # Use X instead of wayland
+    displayManager.gdm.wayland = false;
+  };
+
+  hardware.nvidia = {
+    # Modesetting is required.
+    modesetting.enable = true;
+
+    # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+    # Enable this if you have graphical corruption issues or application crashes after waking
+    # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
+    # of just the bare essentials.
+    powerManagement.enable = true;
+
+    # Fine-grained power management. Turns off GPU when not in use.
+    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+    powerManagement.finegrained = false;
+
+    # Use the NVidia open source kernel module (not to be confused with the
+    # independent third-party "nouveau" open source driver).
+    # Support is limited to the Turing and later architectures. Full list of
+    # supported GPUs is at:
+    # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
+    # Only available from driver 515.43.04+
+    open = true;
+
+    # Enable the Nvidia settings menu,
+    # accessible via `nvidia-settings`.
+    nvidiaSettings = true;
+
+    # Optionally, you may need to select the appropriate driver version for your specific GPU.
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+}

configurations/nixos/horizon/configuration.nix

@@ -0,0 +1,158 @@
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}: {
+  imports = [
+    inputs.nixos-hardware.nixosModules.framework-11th-gen-intel
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["usb_storage" "sd_mod"];
+    };
+    kernelModules = ["sg"];
+
+    # Bootloader.
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+  };
+
+  host = {
+    users = {
+      leyla = {
+        isDesktopUser = true;
+        isTerminalUser = true;
+        isPrincipleUser = true;
+      };
+      eve.isDesktopUser = true;
+      ivy.isDesktopUser = true;
+    };
+
+    hardware = {
+      directAccess.enable = true;
+    };
+
+    ai = {
+      enable = true;
+      models = {
+        "Llama 3.1 8B" = {
+          model = "llama3.1:8b";
+          roles = ["chat" "edit" "apply"];
+          apiBase = "http://defiant:11434";
+        };
+        "Deepseek Coder:6.7B" = {
+          model = "deepseek-coder:6.7b";
+          roles = ["chat" "edit" "apply"];
+          apiBase = "http://defiant:11434";
+        };
+        "Deepseek Coder:33B" = {
+          model = "deepseek-coder:33b";
+          roles = ["chat" "edit" "apply"];
+          apiBase = "http://defiant:11434";
+        };
+
+        "Deepseek r1:8B" = {
+          model = "deepseek-r1:8b";
+          roles = ["chat"];
+          apiBase = "http://defiant:11434";
+        };
+
+        "Deepseek r1:32B" = {
+          model = "deepseek-r1:32b";
+          roles = ["chat"];
+          apiBase = "http://defiant:11434";
+        };
+
+        "qwen2.5-coder:1.5b-base" = {
+          model = "qwen2.5-coder:1.5b-base";
+          roles = ["autocomplete"];
+          apiBase = "http://defiant:11434";
+        };
+
+        "nomic-embed-text:latest" = {
+          model = "nomic-embed-text:latest";
+          roles = ["embed"];
+          apiBase = "http://defiant:11434";
+        };
+      };
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    cachefilesd
+    webtoon-dl
+  ];
+  services.cachefilesd.enable = true;
+
+  programs = {
+    adb.enable = true;
+  };
+
+  networking = {
+    networkmanager.enable = true;
+    hostName = "horizon"; # Define your hostname.
+  };
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  hardware = {
+    graphics.enable = true;
+  };
+
+  sops.secrets = {
+    "vpn-keys/tailscale-authkey/horizon" = {
+      sopsFile = "${inputs.secrets}/vpn-keys.yaml";
+    };
+  };
+
+  services = {
+    # sudo fprintd-enroll
+    fprintd = {
+      enable = true;
+    };
+    # firmware update tool
+    fwupd = {
+      enable = true;
+    };
+    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets."vpn-keys/tailscale-authkey/horizon".path;
+      useRoutingFeatures = "client";
+    };
+
+    syncthing.enable = true;
+
+    ollama = {
+      enable = true;
+      loadModels = [
+        "llama3.1:8b"
+      ];
+    };
+  };
+
+  # Enable network-online.target for better network dependency handling
+  systemd.services.NetworkManager-wait-online.enable = true;
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.xserver.libinput.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

configurations/nixos/horizon/default.nix

@@ -0,0 +1,8 @@
+# leyla laptop
+{...}: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+    # ./network-mount.nix
+  ];
+}

configurations/nixos/horizon/hardware-configuration.nix

@@ -0,0 +1,45 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/866d422b-f816-4ad9-9846-791839cb9337";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/E138-65B5";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/be98e952-a072-4c3a-8c12-69500b5a2fff";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp170s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

configurations/nixos/horizon/network-mount.nix

@@ -0,0 +1,76 @@
+{...}: {
+  boot.supportedFilesystems = ["nfs"];
+
+  fileSystems = {
+    "/mnt/leyla_documents" = {
+      device = "defiant:/exports/leyla_documents";
+      fsType = "nfs";
+      options = [
+        "x-systemd.automount"
+        "noauto"
+        "noatime"
+        "nofail"
+        "soft"
+        "intr" # Allow interruption of NFS calls
+        "timeo=30" # 3 second timeout (30 deciseconds)
+        "retrans=2" # Only 2 retries before giving up
+        "x-systemd.idle-timeout=300" # 5 minute idle timeout for mobile
+        "x-systemd.device-timeout=15" # 15 second device timeout
+        "bg" # Background mount - don't block boot
+        "fsc" # Enable caching
+        "_netdev" # Network device - wait for network
+        "x-systemd.requires=network-online.target" # Require network to be online
+        "x-systemd.after=network-online.target" # Start after network is online
+        "x-systemd.mount-timeout=30" # 30 second mount timeout
+      ];
+    };
+
+    "/mnt/users_documents" = {
+      device = "defiant:/exports/users_documents";
+      fsType = "nfs";
+      options = [
+        "x-systemd.automount"
+        "noauto"
+        "nofail"
+        "soft"
+        "intr"
+        "timeo=30"
+        "retrans=2"
+        "x-systemd.idle-timeout=300"
+        "x-systemd.device-timeout=15"
+        "bg"
+        "fsc"
+        "_netdev"
+        "x-systemd.requires=network-online.target"
+        "x-systemd.after=network-online.target"
+        "x-systemd.mount-timeout=30"
+      ];
+    };
+
+    "/mnt/media" = {
+      device = "defiant:/exports/media";
+      fsType = "nfs";
+      options = [
+        "x-systemd.automount"
+        "noauto"
+        "noatime"
+        "nofail"
+        "soft"
+        "intr"
+        "timeo=30"
+        "retrans=2"
+        "x-systemd.idle-timeout=300"
+        "x-systemd.device-timeout=15"
+        "bg"
+        # Mobile-optimized read settings
+        "rsize=8192" # Smaller read size for mobile
+        "wsize=8192" # Smaller write size for mobile
+        "fsc"
+        "_netdev"
+        "x-systemd.requires=network-online.target"
+        "x-systemd.after=network-online.target"
+        "x-systemd.mount-timeout=30"
+      ];
+    };
+  };
+}

configurations/nixos/twilight/configuration.nix

@@ -0,0 +1,160 @@
+{
+  inputs,
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./monitors.nix
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  boot.initrd.availableKernelModules = ["usb_storage"];
+  boot.kernelModules = ["sg"];
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+
+  sops.secrets = {
+    "vpn-keys/tailscale-authkey/twilight" = {
+      sopsFile = "${inputs.secrets}/vpn-keys.yaml";
+    };
+  };
+  host = {
+    users = {
+      leyla = {
+        isDesktopUser = true;
+        isTerminalUser = true;
+        isPrincipleUser = true;
+      };
+      eve.isDesktopUser = true;
+    };
+    hardware = {
+      piperMouse.enable = true;
+      viaKeyboard.enable = true;
+      openRGB.enable = true;
+      graphicsAcceleration.enable = true;
+      directAccess.enable = true;
+    };
+    ai = {
+      enable = true;
+      # TODO: benchmark twilight against defiant and prune this list of models that are faster on defiant
+      models = {
+        # conversation models
+        "Llama 3.1 8B" = {
+          model = "lamma3.1:8b";
+          roles = ["chat" "edit" "apply"];
+        };
+        "deepseek-r1:8b" = {
+          model = "deepseek-r1:8b";
+          roles = ["chat" "edit" "apply"];
+        };
+        "deepseek-r1:32b" = {
+          model = "deepseek-r1:32b";
+          roles = ["chat" "edit" "apply"];
+        };
+
+        # auto complete models
+        "qwen2.5-coder:1.5b-base" = {
+          model = "qwen2.5-coder:1.5b-base";
+          roles = ["autocomplete"];
+        };
+        "qwen2.5-coder:7b" = {
+          model = "qwen2.5-coder:7b";
+          roles = ["autocomplete"];
+        };
+        "deepseek-coder:6.7b" = {
+          model = "deepseek-coder:6.7b";
+          roles = ["autocomplete"];
+        };
+        "deepseek-coder:33b" = {
+          model = "deepseek-coder:33b";
+          roles = ["autocomplete"];
+        };
+
+        # agent models
+        "qwen3:32b" = {
+          model = "qwen3:32b";
+          roles = ["chat" "edit" "apply"];
+        };
+
+        # embedding models
+        "nomic-embed-text:latest" = {
+          model = "nomic-embed-text:latest";
+          roles = ["embed"];
+        };
+      };
+    };
+  };
+  services = {
+    ollama = {
+      enable = true;
+      exposePort = true;
+
+      loadModels = [
+        # conversation models
+        "llama3.1:8b"
+        "deepseek-r1:8b"
+        "deepseek-r1:32b"
+
+        # auto complete models
+        "qwen2.5-coder:1.5b-base"
+        "qwen2.5-coder:7b"
+        "deepseek-coder:6.7b"
+        "deepseek-coder:33b"
+
+        # agent models
+        "qwen3:32b"
+
+        # embedding models
+        "nomic-embed-text:latest"
+      ];
+    };
+
+    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets."vpn-keys/tailscale-authkey/twilight".path;
+      useRoutingFeatures = "both";
+      extraUpFlags = [
+        "--advertise-exit-node"
+        "--advertise-routes=192.168.0.0/24"
+      ];
+      extraSetFlags = [
+        "--advertise-exit-node"
+        "--advertise-routes=192.168.0.0/24"
+      ];
+    };
+
+    syncthing.enable = true;
+  };
+
+  # Enable network-online.target for better network dependency handling
+  systemd.services.NetworkManager-wait-online.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    cachefilesd
+  ];
+  hardware.steam-hardware.enable = true; # Provides udev rules for controller, HTC vive, and Valve Index
+
+  networking = {
+    networkmanager.enable = true;
+    hostName = "twilight"; # Define your hostname.
+  };
+
+  # enabled virtualisation for docker
+  # virtualisation.docker.enable = true;
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.xserver.libinput.enable = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

configurations/nixos/twilight/default.nix

@@ -0,0 +1,9 @@
+# leyla desktop
+{...}: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+    ./nvidia-drivers.nix
+    # ./network-mount.nix
+  ];
+}

configurations/nixos/twilight/hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/8be49c65-2b57-48f1-b74d-244d26061adb";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/3006-3867";
+      fsType = "vfat";
+      options = ["fmask=0022" "dmask=0022"];
+    };
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

configurations/nixos/twilight/monitors.nix

@@ -1,28 +1,4 @@
-# leyla laptop
+{pkgs, ...}: {
-{
-  config,
-  pkgs,
-  inputs,
-  ...
-}: {
-  imports = [
-    inputs.home-manager.nixosModules.default
-    inputs.sops-nix.nixosModules.sops
-
-    ./hardware-configuration.nix
-
-    ../../enviroments/client
-  ];
-
-  users = {
-    leyla = {
-      isFullUser = true;
-      hasGPU = true;
-    };
-    ester.isFullUser = true;
-    eve.isFullUser = true;
-  };
-
   systemd.tmpfiles.rules = [
     "L+ /run/gdm/.config/monitors.xml - - - - ${pkgs.writeText "gdm-monitors.xml" ''
       <monitors version="2">
@@ -220,18 +196,4 @@
       </monitors>
     ''}"
   ];
-
-  # enabled virtualisation for docker
-  # virtualisation.docker.enable = true;
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.xserver.libinput.enable = true;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
 }

configurations/nixos/twilight/network-mount.nix

@@ -0,0 +1,72 @@
+{...}: {
+  boot.supportedFilesystems = ["nfs"];
+
+  fileSystems = {
+    "/mnt/leyla_documents" = {
+      device = "defiant:/exports/leyla_documents";
+      fsType = "nfs";
+      options = [
+        "x-systemd.automount"
+        "noauto"
+        "noatime"
+        "nofail"
+        "soft"
+        "intr" # Allow interruption of NFS calls
+        "timeo=50" # 5 second timeout (50 deciseconds) - longer than mobile
+        "retrans=3" # 3 retries for desktop
+        "x-systemd.idle-timeout=600" # 10 minute idle timeout for desktop
+        "x-systemd.device-timeout=30" # 30 second device timeout
+        "bg" # Background mount - don't block boot
+        "fsc" # Enable caching
+        "_netdev" # Network device - wait for network
+        "x-systemd.requires=network-online.target" # Require network to be online
+        "x-systemd.after=network-online.target" # Start after network is online
+      ];
+    };
+
+    "/mnt/users_documents" = {
+      device = "defiant:/exports/users_documents";
+      fsType = "nfs";
+      options = [
+        "x-systemd.automount"
+        "noauto"
+        "nofail"
+        "soft"
+        "intr"
+        "timeo=50"
+        "retrans=3"
+        "x-systemd.idle-timeout=600"
+        "bg"
+        "fsc"
+        "_netdev"
+        "x-systemd.requires=network-online.target"
+        "x-systemd.after=network-online.target"
+      ];
+    };
+
+    "/mnt/media" = {
+      device = "defiant:/exports/media";
+      fsType = "nfs";
+      options = [
+        "x-systemd.automount"
+        "noauto"
+        "noatime"
+        "nofail"
+        "soft"
+        "intr"
+        "timeo=50"
+        "retrans=3"
+        "x-systemd.idle-timeout=600"
+        "x-systemd.device-timeout=30"
+        "bg"
+        # Desktop-optimized read settings
+        "rsize=32768" # Larger read size for desktop
+        "wsize=32768" # Larger write size for desktop
+        "fsc"
+        "_netdev"
+        "x-systemd.requires=network-online.target"
+        "x-systemd.after=network-online.target"
+      ];
+    };
+  };
+}

configurations/nixos/twilight/nvidia-drivers.nix

@@ -0,0 +1,47 @@
+{config, ...}: {
+  services = {
+    xserver = {
+      # Load nvidia driver for Xorg and Wayland
+      videoDrivers = ["nvidia"];
+    };
+    # Use X instead of wayland for gaming reasons
+    displayManager.gdm.wayland = false;
+  };
+
+  hardware = {
+    # Enable OpenGL
+    graphics.enable = true;
+
+    # install graphics drivers
+    nvidia = {
+      # Modesetting is required.
+      modesetting.enable = true;
+
+      # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+      # Enable this if you have graphical corruption issues or application crashes after waking
+      # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
+      # of just the bare essentials.
+      powerManagement.enable = true;
+
+      # Fine-grained power management. Turns off GPU when not in use.
+      # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+      powerManagement.finegrained = false;
+
+      # Use the NVidia open source kernel module (not to be confused with the
+      # independent third-party "nouveau" open source driver).
+      # Support is limited to the Turing and later architectures. Full list of
+      # supported GPUs is at:
+      # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
+      # Only available from driver 515.43.04+
+      # Currently alpha-quality/buggy, so false is currently the recommended setting.
+      open = true;
+
+      # Enable the Nvidia settings menu,
+      # accessible via `nvidia-settings`.
+      nvidiaSettings = true;
+
+      # Optionally, you may need to select the appropriate driver version for your specific GPU.
+      package = config.boot.kernelPackages.nvidiaPackages.production;
+    };
+  };
+}

configurations/syncthing/default.nix

@@ -0,0 +1,119 @@
+{config, ...}: {
+  folders = {
+    leyla_documents = {
+      id = "hvrj0-9bm1p";
+    };
+    leyla_calendar = {
+      id = "8oatl-1rv6w";
+    };
+    leyla_supernote_notes = {
+      id = "dwbuv-zffnf";
+    };
+    eve_records = {
+      id = "by6at-d4h9n";
+    };
+    share = {
+      id = "73ot0-cxmkx";
+    };
+  };
+  devices = {
+    defiant = {
+      id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR";
+      folders = {
+        leyla_documents = {
+          folder = config.folders.leyla_documents;
+          path = "/mnt/sync/leyla/documents";
+        };
+        leyla_calendar = {
+          folder = config.folders.leyla_calendar;
+          path = "/mnt/sync/leyla/calendar";
+        };
+        leyla_supernote_notes = {
+          folder = config.folders.leyla_supernote_notes;
+          path = "/mnt/sync/leyla/notes";
+        };
+        eve_records = {
+          folder = config.folders.eve_records;
+          path = "/mnt/sync/eve/records";
+        };
+        share = {
+          folder = config.folders.share;
+          path = "/mnt/sync/default/share";
+        };
+      };
+    };
+    twilight = {
+      id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN";
+      folders = {
+        leyla_documents = {
+          folder = config.folders.leyla_documents;
+          path = "/mnt/sync/leyla/documents";
+        };
+        share = {
+          folder = config.folders.share;
+          path = "/mnt/sync/default/share";
+        };
+      };
+    };
+    horizon = {
+      id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS";
+      folders = {
+        leyla_documents = {
+          folder = config.folders.leyla_documents;
+          path = "/mnt/sync/leyla/documents";
+        };
+        share = {
+          folder = config.folders.share;
+          path = "/mnt/sync/default/share";
+        };
+      };
+    };
+    coven = {
+      id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5";
+      folders = {
+        leyla_documents = {
+          folder = config.folders.leyla_documents;
+        };
+        share = {
+          folder = config.folders.share;
+        };
+      };
+    };
+    ceder = {
+      id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA";
+      folders = {
+        share = {
+          folder = config.folders.share;
+        };
+        leyla_documents = {
+          folder = config.folders.leyla_documents;
+        };
+        leyla_calendar = {
+          folder = config.folders.leyla_calendar;
+        };
+        leyla_notes = {
+          folder = config.folders.leyla_supernote_notes;
+        };
+      };
+    };
+    emergent = {
+      id = "6MIDMKJ-7IFHXVX-FIR3YTB-KVE75LN-PA6IOTN-I257LWR-MMC4K6C-5H4SHQN";
+      folders = {
+        eve_records = {
+          folder = config.folders.eve_records;
+        };
+        share = {
+          folder = config.folders.share;
+        };
+      };
+    };
+    shale = {
+      id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM";
+      folders = {
+        share = {
+          folder = config.folders.share;
+        };
+      };
+    };
+  };
+}

const/sops_age_key_directory.nix

@@ -0,0 +1 @@
+"/var/lib/sops-nix"

enviroments/client/default.nix

@@ -1,57 +0,0 @@
-{pkgs, ...}: {
-  imports = [
-    ../common
-  ];
-
-  services = {
-    # Enable CUPS to print documents.
-    printing.enable = true;
-
-    xserver = {
-      # Enable the X11 windowing system.
-      enable = true;
-
-      # Enable the GNOME Desktop Environment.
-      displayManager.gdm.enable = true;
-      desktopManager = {
-        gnome.enable = true;
-        xterm.enable = false;
-      };
-
-      # Get rid of xTerm
-      excludePackages = [pkgs.xterm];
-
-      # Configure keymap in X11
-      xkb = {
-        layout = "us,it,de";
-        variant = "";
-      };
-    };
-
-    pipewire = {
-      enable = true;
-      alsa.enable = true;
-      alsa.support32Bit = true;
-      pulse.enable = true;
-      # If you want to use JACK applications, uncomment this
-      #jack.enable = true;
-
-      # use the example session manager (no others are packaged yet so this is enabled by default,
-      # no need to redefine it in your config for now)
-      #media-session.enable = true;
-    };
-  };
-
-  # Enable sound with pipewire.
-  hardware.pulseaudio.enable = false;
-  security.rtkit.enable = true;
-
-  environment.systemPackages = with pkgs; [
-    # helvetica font
-    aileron
-
-    cachefilesd
-
-    gnomeExtensions.dash-to-dock
-  ];
-}

enviroments/common/default.nix

@@ -1,155 +0,0 @@
-{pkgs, ...}: {
-  imports = [
-    ../../users
-  ];
-
-  nix = {
-    settings = {
-      experimental-features = ["nix-command" "flakes"];
-      trusted-users = ["leyla"];
-    };
-    gc.automatic = true;
-  };
-
-  # Enable networking
-  networking.networkmanager.enable = true;
-
-  # Set your time zone.
-  time.timeZone = "America/Chicago";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_US.UTF-8";
-    LC_IDENTIFICATION = "en_US.UTF-8";
-    LC_MEASUREMENT = "en_US.UTF-8";
-    LC_MONETARY = "en_US.UTF-8";
-    LC_NAME = "en_US.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
-    LC_PAPER = "en_US.UTF-8";
-    LC_TELEPHONE = "en_US.UTF-8";
-    LC_TIME = "en_US.UTF-8";
-  };
-
-  users = {
-    users = {
-      leyla = {
-        uid = 1000;
-        description = "Leyla";
-        group = "leyla";
-      };
-
-      ester = {
-        uid = 1001;
-        description = "Ester";
-        group = "ester";
-      };
-
-      eve = {
-        uid = 1002;
-        description = "Eve";
-        group = "eve";
-      };
-
-      jellyfin = {
-        uid = 2000;
-        group = "jellyfin";
-        isSystemUser = true;
-      };
-
-      forgejo = {
-        uid = 2002;
-        group = "forgejo";
-        isSystemUser = true;
-      };
-
-      pihole = {
-        uid = 2003;
-        group = "pihole";
-        isSystemUser = true;
-      };
-    };
-
-    groups = {
-      leyla = {
-        gid = 1000;
-        members = ["lelya"];
-      };
-
-      ester = {
-        gid = 1001;
-        members = ["ester"];
-      };
-
-      eve = {
-        gid = 1002;
-        members = ["eve"];
-      };
-
-      users = {
-        gid = 100;
-        members = ["leyla" "ester" "eve"];
-      };
-
-      jellyfin = {
-        gid = 2000;
-        members = ["jellyfin" "leyla"];
-      };
-
-      jellyfin_media = {
-        gid = 2001;
-        members = ["jellyfin" "leyla" "ester" "eve"];
-      };
-
-      forgejo = {
-        gid = 2002;
-        members = ["forgejo" "leyla"];
-      };
-
-      pihole = {
-        gid = 2003;
-        members = ["pihole" "leyla"];
-      };
-    };
-  };
-
-  services = {
-    openssh = {
-      enable = true;
-      ports = [22];
-      settings = {
-        PasswordAuthentication = false;
-        AllowUsers = ["leyla"]; # Allows all users by default. Can be [ "user1" "user2" ]
-        UseDns = true;
-        X11Forwarding = false;
-      };
-    };
-  };
-
-  environment.sessionVariables = rec {
-    SOPS_AGE_KEY_DIRECTORY = "/var/lib/sops-nix";
-    SOPS_AGE_KEY_FILE = "${SOPS_AGE_KEY_DIRECTORY}/key.txt";
-  };
-
-  sops = {
-    defaultSopsFormat = "yaml";
-    gnupg.sshKeyPaths = [];
-
-    age = {
-      keyFile = "/var/lib/sops-nix/key.txt";
-      sshKeyPaths = [];
-      # generateKey = true;
-    };
-  };
-  # List packages installed in system profile.
-  environment.systemPackages = with pkgs; [
-    wget
-
-    # version control
-    git
-
-    # system debuging tools
-    iputils
-    dnsutils
-  ];
-}

enviroments/server/default.nix

@@ -1,258 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}: {
-  imports = [
-    ../common
-  ];
-
-  options = {
-    domains = {
-      base_domain = lib.mkOption {
-        type = lib.types.str;
-      };
-      headscale = {
-        subdomain = lib.mkOption {
-          type = lib.types.str;
-          description = "subdomain of base domain that headscale will be hosted at";
-          default = "headscale";
-        };
-      };
-      jellyfin = {
-        subdomain = lib.mkOption {
-          type = lib.types.str;
-          description = "subdomain of base domain that jellyfin will be hosted at";
-          default = "jellyfin";
-        };
-        hostname = lib.mkOption {
-          type = lib.types.str;
-          description = "hosname that jellyfin will be hosted at";
-          default = "${config.domains.jellyfin.subdomain}.${config.domains.base_domain}";
-        };
-      };
-      forgejo = {
-        subdomain = lib.mkOption {
-          type = lib.types.str;
-          description = "subdomain of base domain that foregjo will be hosted at";
-          default = "forgejo";
-        };
-        hostname = lib.mkOption {
-          type = lib.types.str;
-          description = "hosname that forgejo will be hosted at";
-          default = "${config.domains.forgejo.subdomain}.${config.domains.base_domain}";
-        };
-      };
-    };
-  };
-
-  config = {
-    sops.secrets = {
-      "services/pi-hole" = {
-        sopsFile = ../../secrets/defiant-services.yaml;
-      };
-    };
-
-    # Runtime
-    virtualisation.podman = {
-      enable = true;
-      autoPrune.enable = true;
-      dockerCompat = true;
-      defaultNetwork.settings = {
-        # Required for container networking to be able to use names.
-        dns_enabled = true;
-      };
-    };
-    virtualisation.oci-containers.backend = "podman";
-
-    virtualisation.oci-containers.containers.pihole = {
-      image = "pihole/pihole:2024.07.0";
-      hostname = "pihole";
-      volumes = [
-        "/home/pihole:/etc/pihole:rw" # TODO; set this based on configs
-        "${config.sops.secrets."services/pi-hole".path}:/var/lib/pihole/webpassword.txt"
-      ];
-      environment = {
-        TZ = config.time.timeZone;
-        WEBPASSWORD_FILE = "/var/lib/pihole/webpassword.txt";
-        PIHOLE_UID = toString config.users.users.pihole.uid;
-        PIHOLE_GID = toString config.users.groups.pihole.gid;
-      };
-      log-driver = "journald";
-      extraOptions = [
-        "--ip=192.168.1.201" # TODO: set this to some ip address from configs
-        "--network=macvlan"
-      ];
-    };
-
-    systemd = {
-      tmpfiles.rules = [
-        "d /home/jellyfin 755 jellyfin jellyfin -"
-        "d /home/jellyfin/media 775 jellyfin jellyfin_media -"
-        "d /home/jellyfin/config 750 jellyfin jellyfin -"
-        "d /home/jellyfin/cache 755 jellyfin jellyfin_media -"
-        "d /home/forgejo 750 forgejo forgejo -"
-        "d /home/forgejo/data 750 forgejo forgejo -"
-        "d /home/pihole 750 pihole pihole -"
-      ];
-
-      services = {
-        "podman-pihole" = {
-          serviceConfig = {
-            Restart = lib.mkOverride 500 "always";
-          };
-          after = [
-            "podman-network-macvlan.service"
-          ];
-          requires = [
-            "podman-network-macvlan.service"
-          ];
-          partOf = [
-            "podman-compose-root.target"
-          ];
-          wantedBy = [
-            "podman-compose-root.target"
-          ];
-        };
-
-        "podman-network-macvlan" = {
-          path = [ pkgs.podman ];
-          serviceConfig = {
-            Type = "oneshot";
-            RemainAfterExit = true;
-            ExecStop = "podman network rm -f macvlan";
-          };
-          # TODO: check subnet against pi-hole ip address
-          # TODO: make lan configurable
-          # TODO: make parent interface configurable
-          script = ''
-            podman network inspect macvlan || podman network create --driver macvlan --subnet 192.168.1.0/24 --gateway 192.168.1.1 --opt parent=bond0 macvlan
-          '';
-          partOf = [ "podman-compose-root.target" ];
-          wantedBy = [ "podman-compose-root.target" ];
-        };
-      };
-
-      # disable computer sleeping
-      targets = {
-        sleep.enable = false;
-        suspend.enable = false;
-        hibernate.enable = false;
-        hybrid-sleep.enable = false;
-
-        # Root service
-        # When started, this will automatically create all resources and start
-        # the containers. When stopped, this will teardown all resources.
-        "podman-compose-root" = {
-          unitConfig = {
-            Description = "Root target for podman targets.";
-          };
-          wantedBy = [ "multi-user.target" ];
-        };
-      };
-    };
-
-    services = {
-      # DNS stub needs to be disabled so pi hole can bind
-      # resolved.extraConfig = "DNSStubListener=no";
-
-      nfs.server = {
-        enable = true;
-        exports = ''
-          /home/leyla 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt)
-          /home/eve   192.168.1.0/22(rw,sync,no_subtree_check,crossmnt)
-          /home/ester 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt)
-          /home/users 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt)
-        '';
-      };
-
-      postgresql = {
-        enable = true;
-        ensureDatabases = ["forgejo"];
-        identMap = ''
-          # ArbitraryMapName systemUser DBUser
-          superuser_map      root      postgres
-          superuser_map      postgres  postgres
-          superuser_map      forgejo   forgejo
-        '';
-        # configuration here lets users access the db that matches their name and lets user postgres access everything
-        authentication = pkgs.lib.mkOverride 10 ''
-          # type database DBuser   auth-method  optional_ident_map
-          local sameuser  all     peer        map=superuser_map
-        '';
-      };
-
-      headscale = {
-        enable = true;
-        address = "0.0.0.0";
-        port = 8080;
-        settings = {
-          server_url = "http://${config.domains.headscale.subdomain}.${config.domains.base_domain}";
-          dns_config.base_domain = config.domains.base_domain;
-          logtail.enabled = false;
-        };
-      };
-
-      jellyfin = {
-        enable = true;
-        user = "jellyfin";
-        group = "jellyfin";
-        dataDir = "/home/jellyfin/config"; # location on existing server: /home/docker/jellyfin/config
-        cacheDir = "/home/jellyfin/cache"; # location on existing server: /home/docker/jellyfin/cache
-      };
-
-      forgejo = {
-        enable = true;
-        database.type = "postgres";
-        lfs.enable = true;
-        settings = {
-          server = {
-            DOMAIN = config.domains.forgejo.hostname;
-            HTTP_PORT = 8081;
-          };
-          service.DISABLE_REGISTRATION = true;
-        };
-        stateDir = "/home/forgejo/data";
-      };
-
-      nginx = {
-        enable = false; # TODO: enable this when you want to test all the configs
-        virtualHosts = {
-          ${config.domains.headscale.hostname} = {
-            forceSSL = true;
-            enableACME = true;
-            locations."/" = {
-              proxyPass = "http://localhost:${toString config.services.headscale.port}";
-              proxyWebsockets = true;
-            };
-          };
-          ${config.domains.jellyfin.hostname} = {
-            forceSSL = true;
-            enableACME = true;
-            locations."/".proxyPass = "http://localhost:8096";
-          };
-          ${config.domains.forgejo.hostname} = {
-            forceSSL = true;
-            enableACME = true;
-            locations."/".proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
-          };
-        };
-      };
-    };
-
-    security.acme = {
-      acceptTerms = true;
-      defaults.email = "jan-leila@protonmail.com";
-    };
-
-    networking.firewall.allowedTCPPorts = [53 2049 3000 8081];
-
-    environment.systemPackages = [
-      config.services.headscale.package
-      pkgs.jellyfin
-      pkgs.jellyfin-web
-      pkgs.jellyfin-ffmpeg
-    ];
-  };
-}

flake.lock

@@ -1,5 +1,23 @@
 {
   "nodes": {
+    "devshell": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1741473158,
+        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -7,11 +25,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1726842196,
+        "lastModified": 1762276996,
-        "narHash": "sha256-u9h03JQUuQJ607xmti9F9Eh6E96kKUAGP+aXWgwm70o=",
+        "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "51994df8ba24d5db5459ccf17b6494643301ad28",
+        "rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
         "type": "github"
       },
       "original": {
@@ -20,14 +38,35 @@
         "type": "github"
       }
     },
-    "flake-compat": {
+    "firefox-addons": {
-      "flake": false,
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1696426674,
+        "dir": "pkgs/firefox-addons",
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1762488230,
+        "narHash": "sha256-b7FFUa+bQ8m5din6ylspTTeQvhTf7NNDwC3fPOwCkx4=",
+        "owner": "rycee",
+        "repo": "nur-expressions",
+        "rev": "05e744e2e2d174b2fd445e51ad38fb8356001a18",
+        "type": "gitlab"
+      },
+      "original": {
+        "dir": "pkgs/firefox-addons",
+        "owner": "rycee",
+        "repo": "nur-expressions",
+        "type": "gitlab"
+      }
+    },
+    "flake-compat": {
+      "locked": {
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
         "type": "github"
       },
       "original": {
@@ -41,11 +80,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -54,6 +93,39 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flakey-profile": {
+      "locked": {
+        "lastModified": 1712898590,
+        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -61,11 +133,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1726863345,
+        "lastModified": 1762463325,
-        "narHash": "sha256-fjbKe1/UJpLT6tQLAKJ/djJFdnmAh2kkdsgmylyFrQA=",
+        "narHash": "sha256-33YUsWpPyeBZEWrKQ2a1gkRZ7i0XCC/2MYpU6BVeQSU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "dfe4d334b172071e7189d971ddecd3a7f811b48d",
+        "rev": "0562fef070a1027325dd4ea10813d64d2c967b39",
         "type": "github"
       },
       "original": {
@@ -74,20 +146,133 @@
         "type": "github"
       }
     },
-    "nix-vscode-extensions": {
+    "impermanence": {
+      "locked": {
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "lix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1761937274,
+        "narHash": "sha256-KlELhsSq3XbemrGyQhmGurFu7m8wOEBw+8M04L7hn7A=",
+        "rev": "91867941fa73afea7869b7c71ede82e5ef8927da",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/91867941fa73afea7869b7c71ede82e5ef8927da.tar.gz?rev=91867941fa73afea7869b7c71ede82e5ef8927da"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/lix/archive/main.tar.gz"
+      }
+    },
+    "lix-module": {
       "inputs": {
-        "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
+        "flakey-profile": "flakey-profile",
+        "lix": "lix",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1726796602,
+        "lastModified": 1761960361,
-        "narHash": "sha256-rYMcODISSljSETcqUUTMo++ZEa1CC6Xx6d3xuydishM=",
+        "narHash": "sha256-FvuAw56NIVJpS3Kr8Wv9PpU4eehZMcdIVkxjStuYmqc=",
+        "ref": "refs/heads/main",
+        "rev": "c47f62187601ea2991b79a9bacdbfdf76cd29fbe",
+        "revCount": 167,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      }
+    },
+    "mcp-nixos": {
+      "inputs": {
+        "devshell": "devshell",
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1760821194,
+        "narHash": "sha256-UCsJ8eDuHL14u2GFIYEY/drtZ6jht5zN/G/6QNlEy2g=",
+        "owner": "utensils",
+        "repo": "mcp-nixos",
+        "rev": "0ae453f38d0f088c31d4678da3a12b183165986f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "utensils",
+        "repo": "mcp-nixos",
+        "type": "github"
+      }
+    },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762501326,
+        "narHash": "sha256-QbhsksHaIN6qU3oXhwUFbYycKX1GRxObpQSWAM5fhRY=",
+        "owner": "LnL7",
+        "repo": "nix-darwin",
+        "rev": "e2b82ebd0f990a5d1b68fcc761b3d6383c86ccfd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "LnL7",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "nix-syncthing": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1741849924,
+        "narHash": "sha256-5vyb1H6HtW24QVqfI56P4QVQP6vHh1jS9ULwnunCO94=",
+        "ref": "main",
+        "rev": "86bcb200c83b6a5d13b3583126b9d8dc6770613a",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://git.jan-leila.com/jan-leila/nix-syncthing"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.jan-leila.com/jan-leila/nix-syncthing"
+      }
+    },
+    "nix-vscode-extensions": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762480525,
+        "narHash": "sha256-7akzuLV8uKP3ym67TJoSIT5hTeC5FG8H745Y/7/7J+8=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "91dea80194080f017c6edf84fd94e33f6c12aec3",
+        "rev": "b8b0b207dc13cb7b004f9d0c1d2b76a85e9494c8",
         "type": "github"
       },
       "original": {
@@ -98,11 +283,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1726724509,
+        "lastModified": 1762463231,
-        "narHash": "sha256-sVeAM1tgVi52S1e29fFBTPUAFSzgQwgLon3CrztXGm8=",
+        "narHash": "sha256-hv1mG5j5PTbnWbtHHomzTus77pIxsc4x8VrMjc7+/YE=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "10d5e0ecc32984c1bf1a9a46586be3451c42fd94",
+        "rev": "52113c4f5cfd1e823001310e56d9c8d0699a6226",
         "type": "github"
       },
       "original": {
@@ -114,43 +299,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1726755586,
+        "lastModified": 1722073938,
-        "narHash": "sha256-PmUr/2GQGvFTIJ6/Tvsins7Q43KTMvMFhvG6oaYK+Wk=",
+        "narHash": "sha256-OpX0StkL8vpXyWOGUD6G+MA26wAXK6SpT94kLJXo6B4=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "c04d5652cfa9742b1d519688f65d1bbccea9eb7e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1725762081,
-        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
+        "rev": "e36e9f57337d0ff0cf77aceb58af4c805472bfae",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1725534445,
-        "narHash": "sha256-Yd0FK9SkWy+ZPuNqUgmVPXokxDgMJoGuNpMEtkfcf84=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "9bb1e7571aadf31ddb4af77fc64b2d59580f9a39",
         "type": "github"
       },
       "original": {
@@ -160,27 +313,68 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1762363567,
+        "narHash": "sha256-YRqMDEtSMbitIMj+JLpheSz0pwEr0Rmy5mC7myl17xs=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "ae814fd3904b621d8ab97418f1d0f2eb0d3716f4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "disko": "disko",
+        "firefox-addons": "firefox-addons",
+        "flake-compat": "flake-compat",
         "home-manager": "home-manager",
+        "impermanence": "impermanence",
+        "lix-module": "lix-module",
+        "mcp-nixos": "mcp-nixos",
+        "nix-darwin": "nix-darwin",
+        "nix-syncthing": "nix-syncthing",
         "nix-vscode-extensions": "nix-vscode-extensions",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
+        "secrets": "secrets",
         "sops-nix": "sops-nix"
       }
     },
+    "secrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1759945215,
+        "narHash": "sha256-xmUzOuhJl6FtTjR5++OQvSoAnXe7/VA5QFCZDyFwBXo=",
+        "ref": "refs/heads/main",
+        "rev": "444229a105445339fb028d15a8d866063c5f8141",
+        "revCount": 21,
+        "type": "git",
+        "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
+      }
+    },
     "sops-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": [
-        "nixpkgs-stable": "nixpkgs-stable"
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1726524647,
+        "lastModified": 1760998189,
-        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
+        "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
+        "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
         "type": "github"
       },
       "original": {
@@ -203,6 +397,21 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -5,75 +5,169 @@
     # base packages
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 
-    # encrypt files that contain secreats that I would like to not encrypt
+    lix-module = {
-    sops-nix.url = "github:Mic92/sops-nix";
+      url = "git+https://git.lix.systems/lix-project/nixos-module.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
-    # declairtive disk configuration
+    # secret encryption
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # self hosted repo of secrets file to further protect files in case of future encryption vulnerabilities
+    secrets = {
+      url = "git+ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git";
+      flake = false;
+    };
+
+    # common config for syncthing
+    nix-syncthing = {
+      url = "git+https://git.jan-leila.com/jan-leila/nix-syncthing?ref=main";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # disk configurations
     disko = {
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    # managment per user
+    # delete your darlings
+    impermanence = {
+      url = "github:nix-community/impermanence";
+    };
+
+    nix-darwin = {
+      url = "github:LnL7/nix-darwin";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # users home directories
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    # repo of hardware configs for prebuilt systems
+    # firefox extensions
-    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    firefox-addons = {
+      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     # vscode extensions
     nix-vscode-extensions = {
       url = "github:nix-community/nix-vscode-extensions";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    # pregenerated hardware configurations
+    nixos-hardware = {
+      url = "github:NixOS/nixos-hardware/master";
+    };
+
+    # this is just here so that we have a lock on it for our dev shells
+    flake-compat = {
+      url = "github:edolstra/flake-compat";
+    };
+
+    # MCP NixOS server for Claude Dev
+    mcp-nixos = {
+      url = "github:utensils/mcp-nixos";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = {
     self,
     nixpkgs,
-    disko,
+    sops-nix,
-    nixos-hardware,
+    nix-syncthing,
+    home-manager,
+    impermanence,
     ...
   } @ inputs: let
-    forEachSystem = nixpkgs.lib.genAttrs [
+    util = import ./util {inherit inputs;};
-      "aarch64-darwin"
+    forEachPkgs = util.forEachPkgs;
-      "aarch64-linux"
-      "x86_64-darwin"
-      "x86_64-linux"
-    ];
-    forEachPkgs = lambda: forEachSystem (system: lambda nixpkgs.legacyPackages.${system});
-  in {
-    packages = forEachPkgs (pkgs: import ./pkgs {inherit pkgs;});
 
-    nixosConfigurations = {
+    mkNixosSystem = util.mkNixosSystem;
-      # Leyla Laptop
+    mkDarwinSystem = util.mkDarwinSystem;
-      horizon = nixpkgs.lib.nixosSystem {
+    mkHome = util.mkHome;
-        specialArgs = {inherit inputs;};
+
-        modules = [
+    nixosSystems = {
-          ./hosts/horizon/configuration.nix
+      horizon = mkNixosSystem "horizon";
-          inputs.home-manager.nixosModules.default
+      twilight = mkNixosSystem "twilight";
-          nixos-hardware.nixosModules.framework-11th-gen-intel
+      defiant = mkNixosSystem "defiant";
-        ];
+      emergent = mkNixosSystem "emergent";
-      };
-      # Leyla Desktop
-      twilight = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs;};
-        modules = [
-          ./hosts/twilight/configuration.nix
-          inputs.home-manager.nixosModules.default
-        ];
-      };
-      # NAS Service
-      defiant = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs;};
-        modules = [
-          disko.nixosModules.disko
-          ./hosts/defiant/disko-config.nix
-          ./hosts/defiant/configuration.nix
-        ];
-      };
     };
+
+    darwinSystems = {
+      hesperium = mkDarwinSystem "hesperium";
+    };
+
+    homeSystems = {
+      # stand alone home manager configurations here:
+      # name = mkHome "name"
+    };
+
+    systemsHomes = nixpkgs.lib.attrsets.mergeAttrsList (
+      nixpkgs.lib.attrsets.mapAttrsToList (hostname: system: (
+        nixpkgs.lib.attrsets.mapAttrs' (user: _: {
+          name = "${user}@${hostname}";
+          value = mkHome {
+            user = user;
+            host = hostname;
+            system = system.pkgs.hostPlatform.system;
+            osConfig = system.config;
+          };
+        })
+        system.config.home-manager.users
+      ))
+      (nixosSystems // darwinSystems)
+    );
+
+    homeConfigurations =
+      systemsHomes
+      // homeSystems;
+  in {
+    formatter = forEachPkgs (system: pkgs: pkgs.alejandra);
+
+    # templates = import ./templates;
+
+    devShells = forEachPkgs (system: pkgs: {
+      default = pkgs.mkShell {
+        packages = with pkgs; [
+          # for version controlling this repo
+          git
+          # for formatting code in this repo
+          alejandra
+          # for editing secrets in the secrets repo
+          sops
+          # for viewing configuration options defined in this repo
+          nix-inspect
+          # for installing flakes from this repo onto other systems
+          nixos-anywhere
+          # for updating disko configurations
+          disko
+          # for viewing dconf entries
+          dconf-editor
+          # for MCP NixOS server support in development
+          inputs.mcp-nixos.packages.${system}.default
+        ];
+
+        SOPS_AGE_KEY_DIRECTORY = import ./const/sops_age_key_directory.nix;
+
+        shellHook = ''
+          git config core.hooksPath .hooks
+        '';
+      };
+    });
+
+    nixosConfigurations = nixosSystems;
+
+    darwinConfigurations = darwinSystems;
+
+    homeConfigurations = homeConfigurations;
   };
 }

hosts/defiant/configuration.nix

@@ -1,65 +0,0 @@
-# server nas
-{
-  config,
-  pkgs,
-  inputs,
-  ...
-}: {
-  imports = [
-    inputs.home-manager.nixosModules.default
-    inputs.sops-nix.nixosModules.sops
-
-    ./hardware-configuration.nix
-
-    ../../enviroments/server
-  ];
-
-  users.leyla.isThinUser = true;
-
-  boot.loader.grub = {
-    enable = true;
-    zfsSupport = true;
-    efiSupport = true;
-    efiInstallAsRemovable = true;
-  };
-
-  domains = {
-    base_domain = "jan-leila.com";
-    headscale.subdomain = "vpn";
-    jellyfin.subdomain = "media";
-    forgejo.subdomain = "git";
-  };
-
-  services = {
-    zfs = {
-      autoScrub.enable = true;
-      autoSnapshot.enable = true;
-    };
-
-    # temp enable desktop enviroment for setup
-    # Enable the X11 windowing system.
-    xserver = {
-      enable = true;
-
-      # Enable the GNOME Desktop Environment.
-      displayManager = {
-        gdm.enable = true;
-      };
-      desktopManager = {
-        gnome.enable = true;
-        xterm.enable = false;
-      };
-
-      # Get rid of xTerm
-      excludePackages = [pkgs.xterm];
-    };
-  };
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-}

hosts/defiant/disko-config.nix

@@ -1,136 +0,0 @@
-{lib, ...}: let
-  bootDisk = devicePath: {
-    type = "disk";
-    device = devicePath;
-    content = {
-      type = "gpt";
-
-      partitions = {
-        boot = {
-          size = "1M";
-          type = "EF02"; # for grub MBR
-        };
-        ESP = {
-          size = "1G";
-          type = "EF00";
-          content = {
-            type = "filesystem";
-            format = "vfat";
-            mountpoint = "/boot";
-          };
-        };
-      };
-    };
-  };
-  zfsDisk = devicePath: {
-    type = "disk";
-    device = devicePath;
-    content = {
-      type = "gpt";
-      partitions = {
-        zfs = {
-          size = "100%";
-          content = {
-            type = "zfs";
-            pool = "zroot";
-          };
-        };
-      };
-    };
-  };
-  cacheDisk = devicePath: swapSize: {
-    type = "disk";
-    device = devicePath;
-    content = {
-      type = "gpt";
-      partitions = {
-        encryptedSwap = {
-          size = swapSize;
-          content = {
-            type = "swap";
-            randomEncryption = true;
-            discardPolicy = "both";
-            resumeDevice = true;
-          };
-        };
-        zfs = {
-          size = "100%";
-          content = {
-            type = "zfs";
-            pool = "zroot";
-          };
-        };
-      };
-    };
-  };
-in {
-  disko.devices = {
-    disk = {
-      boot = bootDisk "/dev/disk/by-path/pci-0000:23:00.3-usb-0:1:1.0-scsi-0:0:0:0";
-
-      hd_13_tb_a = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXVEB";
-      hd_13_tb_b = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXWSC";
-      hd_13_tb_c = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTD10EH";
-
-      # ssd_2_tb_a = cacheDisk "64G" "/dev/disk/by-id/XXX";
-    };
-    zpool = {
-      zroot = {
-        type = "zpool";
-        mode = {
-          topology = {
-            type = "topology";
-            vdev = [
-              {
-                # should this only mirror for this inital config with 3 drives we will used raidz2 for future configs???
-                mode = "mirror";
-                members = [
-                  "hd_13_tb_a"
-                  "hd_13_tb_b"
-                  "hd_13_tb_c"
-                ];
-              }
-            ];
-            cache = [];
-            # cache = [ "ssd_2_tb_a" ];
-          };
-        };
-
-        options = {
-          ashift = "12";
-        };
-
-        rootFsOptions = {
-          encryption = "on";
-          keyformat = "hex";
-          keylocation = "prompt";
-          compression = "lz4";
-          xattr = "sa";
-          acltype = "posixacl";
-          "com.sun:auto-snapshot" = "false";
-        };
-
-        mountpoint = "/";
-        postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot@blank$' || zfs snapshot zroot@blank";
-
-        datasets = {
-          "nix" = {
-            type = "zfs_fs";
-            mountpoint = "/nix";
-          };
-          "home" = {
-            type = "zfs_fs";
-            mountpoint = "/mnt/home";
-            options = {
-              "com.sun:auto-snapshot" = "true";
-            };
-          };
-          "var" = {
-            type = "zfs_fs";
-            mountpoint = "/var";
-          };
-        };
-      };
-    };
-  };
-}

hosts/hardware-common.nix

@@ -1,15 +0,0 @@
-{lib, ...}: {
-  options = {
-    hardware = {
-      piperMouse = {
-        enable = lib.mkEnableOption "host has a piper mouse";
-      };
-      viaKeyboard = {
-        enable = lib.mkEnableOption "host has a via keyboard";
-      };
-      openRGB = {
-        enable = lib.mkEnableOption "host has open rgb hardware";
-      };
-    };
-  };
-}

hosts/horizon/configuration.nix

@@ -1,49 +0,0 @@
-# leyla laptop
-{
-  config,
-  pkgs,
-  inputs,
-  ...
-}: {
-  imports = [
-    inputs.home-manager.nixosModules.default
-    inputs.sops-nix.nixosModules.sops
-
-    ./hardware-configuration.nix
-
-    ../../enviroments/client
-  ];
-
-  users = {
-    leyla.isFullUser = true;
-    ester.isFullUser = true;
-    eve.isFullUser = true;
-  };
-
-  # enabled virtualisation for docker
-  virtualisation.docker = {
-    enable = true;
-    rootless = {
-      enable = true;
-      setSocketVariable = true;
-    };
-  };
-  users.extraGroups.docker.members = ["leyla"];
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.xserver.libinput.enable = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-}

hosts/horizon/hardware-configuration.nix

@@ -1,106 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-    ../hardware-common.nix
-  ];
-
-  boot = {
-    initrd = {
-      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
-      kernelModules = [];
-    };
-    kernelModules = ["kvm-intel" "sg"];
-    extraModulePackages = [];
-
-    # Bootloader.
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/866d422b-f816-4ad9-9846-791839cb9337";
-      fsType = "ext4";
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/E138-65B5";
-      fsType = "vfat";
-    };
-
-    "/mnt/leyla_home" = {
-      device = "defiant:/home/leyla";
-      fsType = "nfs";
-      options = ["x-systemd.automount" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
-    };
-
-    "/mnt/eve_home" = {
-      device = "defiant:/home/eve";
-      fsType = "nfs";
-      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
-    };
-
-    "/mnt/ester_home" = {
-      device = "defiant:/home/ester";
-      fsType = "nfs";
-      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
-    };
-
-    "/mnt/users_home" = {
-      device = "defiant:/home/users";
-      fsType = "nfs";
-      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
-    };
-
-    # "/mnt/legacy_leyla_home" =
-    #   {
-    #     device = "server.arpa:/home/leyla";
-    #     fsType = "nfs";
-    #     options = [ "x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc" ];
-    #   };
-
-    # "/mnt/legacy_share_home" =
-    #   {
-    #     device = "server.arpa:/home/share";
-    #     fsType = "nfs";
-    #     options = [ "x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc" ];
-    #   };
-
-    # "/mnt/legacy_docker_home" =
-    #   {
-    #     device = "server.arpa:/home/docker";
-    #     fsType = "nfs";
-    #     options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
-    #   };
-  };
-
-  services.cachefilesd.enable = true;
-
-  swapDevices = [
-    {device = "/dev/disk/by-uuid/be98e952-a072-4c3a-8c12-69500b5a2fff";}
-  ];
-
-  networking = {
-    useDHCP = lib.mkDefault true;
-    hostName = "horizon"; # Define your hostname.
-  };
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-
-  hardware = {
-    graphics.enable = true;
-    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-  };
-}

hosts/twilight/hardware-configuration.nix

@@ -1,125 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-    ../hardware-common.nix
-  ];
-
-  boot = {
-    initrd = {
-      availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
-      kernelModules = [];
-    };
-    kernelModules = ["kvm-amd" "sg"];
-    extraModulePackages = [];
-
-    # Bootloader.
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-  };
-
-  services.xserver = {
-    # Load nvidia driver for Xorg and Wayland
-    videoDrivers = ["nvidia"];
-
-    # Use X instead of wayland for gaming reasons
-    displayManager.gdm.wayland = false;
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/8be49c65-2b57-48f1-b74d-244d26061adb";
-      fsType = "ext4";
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/3006-3867";
-      fsType = "vfat";
-      options = ["fmask=0022" "dmask=0022"];
-    };
-
-    "/mnt/leyla_home" = {
-      device = "server.arpa:/home/leyla";
-      fsType = "nfs";
-      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
-    };
-
-    "/mnt/share_home" = {
-      device = "server.arpa:/home/share";
-      fsType = "nfs";
-      options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
-    };
-
-    "/mnt/docker_home" = {
-      device = "server.arpa:/home/docker";
-      fsType = "nfs";
-      options = ["x-systemd.automount" "noauto" "x-systemd.idle-timeout=600"];
-    };
-  };
-
-  swapDevices = [];
-
-  networking = {
-    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-    # (the default) this is the recommended approach. When using systemd-networkd it's
-    # still possible to use this option, but it's recommended to use it in conjunction
-    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-    useDHCP = lib.mkDefault true;
-    hostName = "twilight"; # Define your hostname.
-  };
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-
-  hardware = {
-    piperMouse.enable = true;
-    viaKeyboard.enable = true;
-    openRGB.enable = true;
-
-    # Enable OpenGL
-    graphics.enable = true;
-
-    # install graphics drivers
-    nvidia = {
-      # Modesetting is required.
-      modesetting.enable = true;
-
-      # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
-      # Enable this if you have graphical corruption issues or application crashes after waking
-      # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
-      # of just the bare essentials.
-      powerManagement.enable = false;
-
-      # Fine-grained power management. Turns off GPU when not in use.
-      # Experimental and only works on modern Nvidia GPUs (Turing or newer).
-      powerManagement.finegrained = false;
-
-      # Use the NVidia open source kernel module (not to be confused with the
-      # independent third-party "nouveau" open source driver).
-      # Support is limited to the Turing and later architectures. Full list of
-      # supported GPUs is at:
-      # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
-      # Only available from driver 515.43.04+
-      # Currently alpha-quality/buggy, so false is currently the recommended setting.
-      open = false;
-
-      # Enable the Nvidia settings menu,
-      # accessible via `nvidia-settings`.
-      nvidiaSettings = true;
-
-      # Optionally, you may need to select the appropriate driver version for your specific GPU.
-      package = config.boot.kernelPackages.nvidiaPackages.production;
-    };
-
-    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-  };
-}

install.sh

@@ -39,6 +39,7 @@ if [ -z ${flake} ]; then
 	exit 1;
 fi
 
+# TODO: we might not need to copy the key over here anymore?
 temp=$(mktemp -d)
 # Function to cleanup temporary directory on exit
 cleanup() {
@@ -51,4 +52,4 @@ mkdir -p $temp$SOPS_AGE_KEY_DIRECTORY
 cp -r $SOPS_AGE_KEY_DIRECTORY/* $temp$SOPS_AGE_KEY_DIRECTORY
 
 # commit number in this is because the main branch of nixos-anywhere is broken right now
-nix run github:nix-community/nixos-anywhere/b3b6bfebba35d55fba485ceda588984dec74c54f -- --extra-files $temp --flake ".#$flake" ${user:-nixos}@$target
+nixos-anywhere --extra-files $temp --flake ".#$flake" ${user:-nixos}@$target

lint.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-
-nix run git+https://github.com/kamadorueda/alejandra -- -q .

modules/common-modules/default.nix

@@ -0,0 +1,7 @@
+# this folder is for modules that are common between nixos, home-manager, and darwin
+{...}: {
+  imports = [
+    ./overlays
+    ./pkgs
+  ];
+}

modules/common-modules/overlays/default.nix

@@ -0,0 +1,6 @@
+# this folder is for derivation overlays
+{inputs, ...}: {
+  nixpkgs.overlays = [
+    inputs.nix-vscode-extensions.overlays.default
+  ];
+}

modules/common-modules/pkgs/codium-extensions/ai-code.nix

@@ -0,0 +1,42 @@
+{
+  buildNpmPackage,
+  vscode-utils,
+  pkgs,
+  ...
+}: let
+  version = "0.0.1";
+  pname = "ai-code";
+  publisher = "jan-leila";
+  vsix = buildNpmPackage {
+    inherit version pname;
+
+    src = builtins.fetchGit {
+      url = "ssh://git@git.jan-leila.com/jan-leila/ai-code.git";
+      rev = "d48e01713021dbb30de0ebbee2cfaf99e4e9b5a6";
+    };
+
+    npmDepsHash = "sha256-kjMyEnT3dz0yH5Ydh+aGoFDocKpBYGRmfnwbEdvvgpY=";
+
+    nativeBuildInputs = with pkgs; [
+      vsce
+    ];
+
+    buildPhase = ''
+      ${pkgs.vsce}/bin/vsce package -o ${pname}.zip
+    '';
+
+    installPhase = ''
+      mkdir -p $out
+      mv ${pname}.zip $out/${pname}.zip
+    '';
+  };
+in
+  vscode-utils.buildVscodeExtension {
+    inherit pname version;
+
+    src = "${vsix}/${pname}.zip";
+
+    vscodeExtUniqueId = "${publisher}.${pname}";
+    vscodeExtPublisher = publisher;
+    vscodeExtName = pname;
+  }

modules/common-modules/pkgs/codium-extensions/default.nix

@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+  ai-code = pkgs.callPackage ./ai-code.nix {};
+}

modules/common-modules/pkgs/default.nix

@@ -0,0 +1,51 @@
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = [
+    ./python
+  ];
+
+  nixpkgs.overlays = [
+    (final: prev: {
+      webtoon-dl =
+        pkgs.callPackage
+        ./webtoon-dl.nix
+        {};
+    })
+    (final: prev: {
+      prostudiomasters =
+        pkgs.callPackage
+        ./prostudiomasters.nix
+        {};
+    })
+    (final: prev: {
+      noita_entangled_worlds = pkgs.callPackage ./noita-entangled-worlds.nix {};
+    })
+    (final: prev: {
+      gdx-liftoff = pkgs.callPackage ./gdx-liftoff.nix {};
+    })
+    (final: prev: {
+      codium-extensions = pkgs.callPackage ./codium-extensions {};
+    })
+    (final: prev: {
+      firefox-extensions = pkgs.callPackage ./firefox-extensions {
+        inherit inputs;
+      };
+    })
+    (final: prev: {
+      mapillary-uploader = pkgs.callPackage ./mapillary-uploader.nix {};
+    })
+    (final: prev: {
+      panoramax = pkgs.python3.pkgs.callPackage ./panoramax.nix {};
+    })
+    (final: prev: {
+      sgblur = pkgs.python3.pkgs.callPackage ./sgblur.nix {};
+    })
+    (final: prev: {
+      # Override h3 C library to version 4.3.0
+      h3 = pkgs.callPackage ./h3-c-lib.nix {};
+    })
+  ];
+}

modules/common-modules/pkgs/firefox-extensions/default.nix

@@ -0,0 +1,17 @@
+{
+  pkgs,
+  inputs,
+  ...
+}: let
+  inherit (inputs.firefox-addons.lib.${pkgs.stdenv.hostPlatform.system}) buildFirefoxXpiAddon;
+in {
+  italiano-it-language-pack = pkgs.callPackage ./italiano-it-language-pack.nix {
+    inherit buildFirefoxXpiAddon;
+  };
+  dizionario-italiano = pkgs.callPackage ./dizionario-italiano.nix {
+    inherit buildFirefoxXpiAddon;
+  };
+  deutsch-de-language-pack = pkgs.callPackage ./deutsch-de-language-pack.nix {
+    inherit buildFirefoxXpiAddon;
+  };
+}

modules/common-modules/pkgs/firefox-extensions/deutsch-de-language-pack.nix

@@ -0,0 +1,18 @@
+{
+  lib,
+  buildFirefoxXpiAddon,
+  ...
+}:
+buildFirefoxXpiAddon rec {
+  pname = "deutsch-de-language-pack";
+  version = "145.0.20251106.194447";
+  addonId = "langpack-de@firefox.mozilla.org";
+  url = "https://addons.mozilla.org/firefox/downloads/file/4614311/deutsch_de_language_pack-${version}.xpi";
+  sha256 = "aaaa95c29984fb3802a5e7edb6b7e5020c391d81f389b8a8133c163959ea4299";
+  meta = with lib; {
+    description = "Firefox Language Pack for Deutsch (de) – German";
+    license = licenses.mpl20;
+    mozPermissions = [];
+    platforms = platforms.all;
+  };
+}

modules/common-modules/pkgs/firefox-extensions/dizionario-italiano.nix

@@ -0,0 +1,18 @@
+{
+  lib,
+  buildFirefoxXpiAddon,
+  ...
+}:
+buildFirefoxXpiAddon rec {
+  pname = "dizionario-italiano";
+  version = "5.1";
+  addonId = "it-IT@dictionaries.addons.mozilla.org";
+  url = "https://addons.mozilla.org/firefox/downloads/file/3693497/dizionario_italiano-${version}.xpi";
+  sha256 = "90b173ffdde34a77108152a5ff51879767b1dd84e0aa0dfb7b2bab94cd2e7f53";
+  meta = with lib; {
+    description = "Add support for Italian to spellchecking";
+    license = licenses.gpl3;
+    mozPermissions = [];
+    platforms = platforms.all;
+  };
+}

modules/common-modules/pkgs/firefox-extensions/italiano-it-language-pack.nix

@@ -0,0 +1,18 @@
+{
+  lib,
+  buildFirefoxXpiAddon,
+  ...
+}:
+buildFirefoxXpiAddon rec {
+  pname = "italiano-it-language-pack";
+  version = "145.0.20251106.194447";
+  addonId = "langpack-it@firefox.mozilla.org";
+  url = "https://addons.mozilla.org/firefox/downloads/file/4614309/italiano_it_language_pack-${version}.xpi";
+  sha256 = "1eb271cedbf326543e222ba1b9a1da62fceef9d3c523ac02a098df296f155038";
+  meta = with lib; {
+    description = "Firefox Language Pack for Italiano (it) – Italian";
+    license = licenses.mpl20;
+    mozPermissions = [];
+    platforms = platforms.all;
+  };
+}

modules/common-modules/pkgs/gdx-liftoff.nix

@@ -0,0 +1,44 @@
+{
+  stdenv,
+  fetchurl,
+  makeWrapper,
+  jdk,
+  lib,
+  xorg,
+  libGL,
+  ...
+}:
+stdenv.mkDerivation rec {
+  pname = "gdx-liftoff";
+  version = "1.13.5.1";
+
+  src = fetchurl {
+    url = "https://github.com/libgdx/gdx-liftoff/releases/download/v${version}/gdx-liftoff-${version}.jar";
+    hash = "sha256-9vCXGNGwI/P4VmcdIzTv2GPAX8bZb7nkfopaRAf6yMA=";
+  };
+
+  dontUnpack = true;
+
+  nativeBuildInputs = [makeWrapper];
+
+  runtimeDependencies = lib.makeLibraryPath [
+    # glfw
+    libGL
+    xorg.libX11
+    xorg.libXcursor
+    xorg.libXext
+    xorg.libXrandr
+    xorg.libXxf86vm
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm644 $src $out/lib/gdx-liftoff-${version}.jar
+
+    makeWrapper ${lib.getExe jdk} $out/bin/gdx-liftoff-${version} \
+      --append-flags "-jar $out/lib/gdx-liftoff-${version}.jar"\
+      ${lib.optionalString stdenv.hostPlatform.isLinux "--prefix LD_LIBRARY_PATH : ${runtimeDependencies}"}
+    runHook postInstall
+  '';
+}

modules/common-modules/pkgs/h3-c-lib.nix

@@ -0,0 +1,36 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  cmake,
+  doxygen,
+}:
+stdenv.mkDerivation rec {
+  pname = "h3";
+  version = "4.3.0";
+
+  src = fetchFromGitHub {
+    owner = "uber";
+    repo = "h3";
+    rev = "v${version}";
+    hash = "sha256-DUILKZ1QvML6qg+WdOxir6zRsgTvk+En6yjeFf6MQBg=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    doxygen
+  ];
+
+  cmakeFlags = [
+    "-DBUILD_SHARED_LIBS=ON"
+    "-DBUILD_TESTING=OFF"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/uber/h3";
+    description = "Hexagonal hierarchical geospatial indexing system";
+    license = licenses.asl20;
+    maintainers = [];
+    platforms = platforms.all;
+  };
+}

modules/common-modules/pkgs/mapillary-uploader.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  fetchurl,
+  appimageTools,
+}: let
+  pname = "mapillary-uploader";
+  version = "4.7.2";
+
+  src = fetchurl {
+    url = "http://tools.mapillary.com/uploader/download/linux/${version}";
+    name = "mapillary-uploader.AppImage";
+    sha256 = "sha256-hpWdfeuhYylO+SFD3BsKI0s/xtObCDd5OcuJ6i/aEuI=";
+  };
+
+  appimageContents = appimageTools.extractType2 {
+    inherit pname version src;
+  };
+in
+  appimageTools.wrapType2 {
+    inherit pname version src;
+
+    extraInstallCommands = ''
+      # Install desktop file
+      install -Dm644 ${appimageContents}/mapillary-desktop-uploader.desktop $out/share/applications/mapillary-uploader.desktop
+
+      # Fix desktop file paths
+      substituteInPlace $out/share/applications/mapillary-uploader.desktop \
+        --replace 'Exec=AppRun' 'Exec=${pname}'
+    '';
+
+    meta = with lib; {
+      description = "Mapillary Desktop Uploader - Upload street-level imagery to Mapillary";
+      homepage = "https://www.mapillary.com/";
+      license = licenses.unfree; # Mapillary's license terms
+      maintainers = [];
+      platforms = ["x86_64-linux"];
+      sourceProvenance = with sourceTypes; [binaryNativeCode];
+    };
+  }

modules/common-modules/pkgs/noita-entangled-worlds.nix

@@ -0,0 +1,46 @@
+# not working yet
+{
+  pkgs,
+  rustPlatform,
+  fetchFromGitHub,
+  ...
+}: let
+  version = "1.5.3";
+  repo = fetchFromGitHub {
+    owner = "IntQuant";
+    repo = "noita_entangled_worlds";
+    rev = "v${version}";
+    hash = "sha256-frrpD0aWTeDbZYtp15R+quUUAZf7OvHlbSLtGJJtAqk=";
+  };
+in
+  rustPlatform.buildRustPackage {
+    name = "noita-proxy-${version}";
+    src = repo + "/noita-proxy";
+    prePatch = ''
+      substituteInPlace Cargo.toml \
+          --replace "path = \"../shared\"" "path = \"${repo + "/shared"}\""
+    '';
+    nativeBuildInputs = with pkgs; [
+      pkg-config
+      python3
+      cmake
+    ];
+    buildInputs = with pkgs; [
+      openssl
+      openssl.dev
+      libpulseaudio
+      libjack2
+      alsa-lib
+      xorg.libxcb
+      xorg.libxcb.dev
+      libopus
+    ];
+    propagatedBuildInputs = with pkgs; [
+      steamworks-sdk-redist
+    ];
+    runtimeDependencies = with pkgs; [
+      steamworks-sdk-redist
+    ];
+    doCheck = false;
+    cargoHash = "sha256-TzUS6d6PopgGf2i1yVaXaXdzNrvfSz+Gv67BAtxYmb4=";
+  }

modules/common-modules/pkgs/panoramax.nix

@@ -0,0 +1,105 @@
+{
+  lib,
+  fetchFromGitLab,
+  buildPythonPackage,
+  flit-core,
+  flask,
+  pillow,
+  requests,
+  python-dotenv,
+  authlib,
+  sentry-sdk,
+  python-dateutil,
+  dateparser,
+  croniter,
+  pydantic,
+  flask-cors,
+  flask-compress,
+  flask-babel,
+  flasgger,
+  yoyo-migrations,
+  psycopg,
+  psycopg-pool,
+  tzdata,
+  email-validator,
+  pydantic-extra-types,
+  python-multipart,
+  fs,
+  fs-s3fs,
+  geopic-tag-reader,
+  pygeofilter,
+  pygeoif,
+  rfeed,
+  geojson-pydantic,
+  ...
+}: let
+  pname = "geovisio";
+  version = "2.10.0";
+  repo = fetchFromGitLab {
+    owner = "panoramax";
+    repo = "server/api";
+    rev = version;
+    hash = "sha256-kCLcrOe7jJdIfmWWOmxQ5dOj8ZG2B7s0qFpHXs02B/E=";
+  };
+in
+  buildPythonPackage {
+    inherit pname version;
+
+    pyproject = true;
+
+    src = repo;
+
+    build-system = [
+      flit-core
+    ];
+
+    dependencies = [
+      flask
+      pillow
+      requests
+      python-dotenv
+      authlib
+      sentry-sdk
+      python-dateutil
+      dateparser
+      croniter
+      pydantic
+      flask-cors
+      flask-compress
+      flask-babel
+      flasgger
+      yoyo-migrations
+      psycopg
+      psycopg-pool
+      tzdata
+      email-validator
+      pydantic-extra-types
+      python-multipart
+      fs
+      fs-s3fs
+      geopic-tag-reader
+      pygeofilter
+      pygeoif
+      rfeed
+      geojson-pydantic
+      # Missing from nixpkgs - may need custom packages:
+      # flask-executor
+    ];
+
+    # Skip tests as they may require network access or specific setup
+    doCheck = false;
+
+    # Disable runtime dependencies check as many dependencies are not available in nixpkgs
+    dontCheckRuntimeDeps = true;
+
+    # Disable imports check as many dependencies are not available in nixpkgs
+    pythonImportsCheck = [];
+
+    meta = with lib; {
+      description = "Panoramax API client and tools for street-level imagery platform";
+      homepage = "https://gitlab.com/panoramax/server/api";
+      license = licenses.mit;
+      maintainers = [];
+      platforms = platforms.all;
+    };
+  }

modules/common-modules/pkgs/prostudiomasters.nix

@@ -0,0 +1,33 @@
+{
+  fetchurl,
+  appimageTools,
+  writeShellScript,
+}: let
+  pname = "prostudiomasters";
+  version = "2.5.6";
+  src = fetchurl {
+    url = "https://download.prostudiomasters.com/linux/ProStudioMasters-${version}.AppImage";
+    hash = "sha256-7owOwdcucFfl+JsVj+Seau2KOz0J4P/ep7WrBSNSmbs=";
+  };
+
+  # Create the base AppImage wrapper
+  baseApp = appimageTools.wrapType2 {
+    inherit pname version src;
+  };
+
+  # Create a wrapper script that automatically adds the --in-process-gpu flag
+  wrapper = writeShellScript "prostudiomasters-wrapper" ''
+    exec ${baseApp}/bin/prostudiomasters --in-process-gpu "$@"
+  '';
+in
+  # Override the base app to use our wrapper script
+  baseApp.overrideAttrs (oldAttrs: {
+    buildCommand =
+      oldAttrs.buildCommand
+      + ''
+        # Replace the original binary with our wrapper
+        rm $out/bin/prostudiomasters
+        cp ${wrapper} $out/bin/prostudiomasters
+        chmod +x $out/bin/prostudiomasters
+      '';
+  })

modules/common-modules/pkgs/python/default.nix

@@ -0,0 +1,18 @@
+{...}: {
+  nixpkgs.overlays = [
+    (final: prev: {
+      python3 = prev.python3.override {
+        packageOverrides = pythonPrev: pythonFinal: {
+          h3 = pythonPrev.callPackage ./h3.nix {h3 = final.h3;};
+          pygeofilter = pythonPrev.callPackage ./pygeofilter.nix {};
+          pygeoif = pythonPrev.callPackage ./pygeoif.nix {};
+          rfeed = pythonPrev.callPackage ./rfeed.nix {};
+          pyexiv2 = pythonPrev.callPackage ./pyexiv2.nix {};
+          geojson-pydantic = pythonPrev.callPackage ./geojson-pydantic.nix {};
+          geopic-tag-reader = pythonPrev.callPackage ./geopic-tag-reader.nix {};
+        };
+      };
+      python3Packages = final.python3.pkgs;
+    })
+  ];
+}

modules/common-modules/pkgs/python/geojson-pydantic.nix

@@ -0,0 +1,48 @@
+{
+  lib,
+  fetchPypi,
+  buildPythonPackage,
+  flit-core,
+  pydantic,
+  geojson,
+  ...
+}: let
+  pname = "geojson_pydantic";
+  version = "2.0.0";
+in
+  buildPythonPackage {
+    inherit pname version;
+
+    pyproject = true;
+
+    src = fetchPypi {
+      inherit pname version;
+      hash = "sha256-ti6LRFAt0a1Ri19zkDWoGSSnb5gMvbOk6JFu+RO+JC4=";
+    };
+
+    build-system = [
+      flit-core
+    ];
+
+    dependencies = [
+      pydantic
+      geojson
+    ];
+
+    # Skip tests as they may require specific setup
+    doCheck = false;
+
+    # Disable runtime dependencies check
+    dontCheckRuntimeDeps = true;
+
+    # Basic imports check
+    pythonImportsCheck = ["geojson_pydantic"];
+
+    meta = with lib; {
+      description = "Pydantic models for GeoJSON objects";
+      homepage = "https://github.com/developmentseed/geojson-pydantic";
+      license = licenses.mit;
+      maintainers = [];
+      platforms = platforms.all;
+    };
+  }

modules/common-modules/pkgs/python/geopic-tag-reader.nix

@@ -0,0 +1,70 @@
+{
+  lib,
+  fetchFromGitLab,
+  buildPythonPackage,
+  flit-core,
+  typer,
+  xmltodict,
+  timezonefinder,
+  pytz,
+  types-pytz,
+  types-python-dateutil,
+  rtree,
+  python-dateutil,
+  pyexiv2,
+  ...
+}: let
+  pname = "geopic-tag-reader";
+  version = "1.8.0";
+in
+  buildPythonPackage {
+    inherit pname version;
+
+    pyproject = true;
+
+    src = fetchFromGitLab {
+      owner = "panoramax";
+      repo = "server/geo-picture-tag-reader";
+      rev = version;
+      sha256 = "0lzf5xxxcdqmq28bpvgpkxf5jxmh2nawwa4rl4yg04bdsi16rf1j";
+    };
+
+    build-system = [
+      flit-core
+    ];
+
+    dependencies = [
+      typer
+      xmltodict
+      pyexiv2
+      timezonefinder
+      pytz
+      types-pytz
+      types-python-dateutil
+      rtree
+    ];
+
+    optional-dependencies = {
+      write-exif = [
+        python-dateutil
+        types-python-dateutil
+      ];
+    };
+
+    # Skip tests as they may require network access or specific setup
+    doCheck = false;
+
+    # Disable runtime dependencies check as some dependencies might have issues
+    dontCheckRuntimeDeps = true;
+
+    # Disable imports check initially to avoid dependency issues
+    pythonImportsCheck = [];
+
+    meta = with lib; {
+      description = "GeoPic Tag Reader - Python library to read and write standardized metadata from geolocated pictures EXIF metadata";
+      homepage = "https://gitlab.com/panoramax/server/geo-picture-tag-reader";
+      license = licenses.mit;
+      maintainers = [];
+      platforms = platforms.all;
+    };
+  }

modules/common-modules/pkgs/python/h3.nix

@@ -0,0 +1,81 @@
+{
+  autoPatchelfHook,
+  buildPythonPackage,
+  cmake,
+  cython,
+  fetchFromGitHub,
+  h3,
+  lib,
+  ninja,
+  numpy,
+  pytestCheckHook,
+  pytest-cov-stub,
+  scikit-build-core,
+  stdenv,
+}:
+buildPythonPackage rec {
+  pname = "h3";
+  version = "4.3.1";
+  pyproject = true;
+
+  # pypi version does not include tests
+  src = fetchFromGitHub {
+    owner = "uber";
+    repo = "h3-py";
+    tag = "v${version}";
+    hash = "sha256-zt7zbBgSp2P9q7mObZeQZpW9Szip62dAYdPZ2cGTmi4=";
+  };
+
+  dontConfigure = true;
+
+  nativeCheckInputs = [
+    pytestCheckHook
+    pytest-cov-stub
+  ];
+
+  build-system =
+    [
+      scikit-build-core
+      cmake
+      cython
+      ninja
+    ]
+    ++ lib.optionals stdenv.hostPlatform.isLinux [
+      # On Linux the .so files ends up referring to libh3.so instead of the full
+      # Nix store path. I'm not sure why this is happening! On Darwin it works
+      # fine.
+      autoPatchelfHook
+    ];
+
+  # This is not needed per-se, it's only added for autoPatchelfHook to work
+  # correctly. See the note above ^^
+  buildInputs = lib.optionals stdenv.hostPlatform.isLinux [h3];
+
+  dependencies = [numpy];
+
+  # The following prePatch replaces the h3lib compilation with using the h3 packaged in nixpkgs.
+  #
+  # - Remove the h3lib submodule.
+  # - Patch CMakeLists to avoid building h3lib, and use h3 instead.
+  prePatch = let
+    cmakeCommands = ''
+      include_directories(${lib.getDev h3}/include/h3)
+      link_directories(${h3}/lib)
+    '';
+  in ''
+    rm -r src/h3lib
+    substituteInPlace CMakeLists.txt \
+      --replace-fail "add_subdirectory(src/h3lib)" "${cmakeCommands}" \
+      --replace-fail "\''${CMAKE_CURRENT_BINARY_DIR}/src/h3lib/src/h3lib/include/h3api.h" "${lib.getDev h3}/include/h3/h3api.h"
+  '';
+
+  # Extra check to make sure we can import it from Python
+  pythonImportsCheck = ["h3"];
+
+  meta = {
+    homepage = "https://github.com/uber/h3-py";
+    description = "Hierarchical hexagonal geospatial indexing system";
+    license = lib.licenses.asl20;
+    maintainers = [lib.maintainers.kalbasit];
+  };
+}

modules/common-modules/pkgs/python/pyexiv2.nix

@@ -0,0 +1,49 @@
+{
+  lib,
+  fetchFromGitHub,
+  buildPythonPackage,
+  exiv2,
+  boost,
+  pybind11,
+  setuptools,
+  ...
+}: let
+  pname = "pyexiv2";
+  version = "2.15.3";
+in
+  buildPythonPackage {
+    inherit pname version;
+
+    pyproject = true;
+    build-system = [setuptools];
+
+    src = fetchFromGitHub {
+      owner = "LeoHsiao1";
+      repo = "pyexiv2";
+      rev = "v${version}";
+      sha256 = "sha256-83bFMaoXncvhRJNcCgkkC7B29wR5pjuLO/EdkQdqxxo=";
+    };
+
+    buildInputs = [
+      exiv2
+      boost
+    ];
+
+    nativeBuildInputs = [
+      pybind11
+    ];
+
+    # Skip tests as they may require specific test images
+    doCheck = false;
+
+    # Disable runtime dependencies check initially
+    dontCheckRuntimeDeps = true;
+
+    meta = with lib; {
+      description = "Python binding to the library exiv2";
+      homepage = "https://github.com/LeoHsiao1/pyexiv2";
+      license = licenses.gpl3Plus;
+      maintainers = [];
+      platforms = platforms.linux;
+    };
+  }

modules/common-modules/pkgs/python/pygeofilter.nix

@@ -0,0 +1,52 @@
+{
+  lib,
+  fetchPypi,
+  buildPythonPackage,
+  setuptools,
+  wheel,
+  lark,
+  python-dateutil,
+  shapely,
+  ...
+}: let
+  pname = "pygeofilter";
+  version = "0.3.1";
+in
+  buildPythonPackage {
+    inherit pname version;
+
+    pyproject = true;
+
+    src = fetchPypi {
+      inherit pname version;
+      hash = "sha256-+SvAYiCZ+H/os23nq92GBZ1hWontYIInNwgiI6V44VA=";
+    };
+
+    build-system = [
+      setuptools
+      wheel
+    ];
+
+    dependencies = [
+      lark
+      python-dateutil
+      shapely
+    ];
+
+    # Skip tests as they may require specific setup
+    doCheck = false;
+
+    # Disable runtime dependencies check
+    dontCheckRuntimeDeps = true;
+
+    # Basic imports check
+    pythonImportsCheck = ["pygeofilter"];
+
+    meta = with lib; {
+      description = "A pure Python parser implementation of OGC filtering standards";
+      homepage = "https://github.com/geopython/pygeofilter";
+      license = licenses.mit;
+      maintainers = [];
+      platforms = platforms.all;
+    };
+  }

modules/common-modules/pkgs/python/pygeoif.nix

@@ -0,0 +1,48 @@
+{
+  lib,
+  fetchPypi,
+  buildPythonPackage,
+  setuptools,
+  wheel,
+  typing-extensions,
+  ...
+}: let
+  pname = "pygeoif";
+  version = "1.5.1";
+in
+  buildPythonPackage {
+    inherit pname version;
+
+    pyproject = true;
+
+    src = fetchPypi {
+      inherit pname version;
+      hash = "sha256-8nprah7Lh66swrUbzFnKeb5w7RKgEE3oYBR4shPdXYE=";
+    };
+
+    build-system = [
+      setuptools
+      wheel
+    ];
+
+    dependencies = [
+      typing-extensions
+    ];
+
+    # Skip tests as they may require specific setup
+    doCheck = false;
+
+    # Disable runtime dependencies check
+    dontCheckRuntimeDeps = true;
+
+    # Basic imports check
+    pythonImportsCheck = ["pygeoif"];
+
+    meta = with lib; {
+      description = "A basic implementation of the __geo_interface__";
+      homepage = "https://github.com/cleder/pygeoif";
+      license = licenses.lgpl21Plus;
+      maintainers = [];
+      platforms = platforms.all;
+    };
+  }

modules/common-modules/pkgs/python/rfeed.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  fetchPypi,
+  buildPythonPackage,
+  setuptools,
+  python-dateutil,
+}:
+buildPythonPackage rec {
+  pname = "rfeed";
+  version = "1.1.1";
+  pyproject = true;
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-qpUG8oZrdPWjItOUoUpjwZpoJcLZR1X/GdRt0eJDSBk=";
+  };
+
+  build-system = [
+    setuptools
+  ];
+
+  dependencies = [
+    python-dateutil
+  ];
+
+  # No tests available in the package
+  doCheck = false;
+
+  pythonImportsCheck = [
+    "rfeed"
+  ];
+
+  meta = with lib; {
+    description = "RSS feed generation library for Python";
+    homepage = "https://pypi.org/project/rfeed/";
+    license = licenses.mit;
+    maintainers = [];
+    platforms = platforms.all;
+  };
+}

modules/common-modules/pkgs/sgblur.nix

@@ -0,0 +1,65 @@
+{
+  lib,
+  python3Packages,
+  fetchFromGitHub,
+  pkg-config,
+  libjpeg_turbo,
+  exiftran ? libjpeg_turbo,
+}:
+python3Packages.buildPythonPackage {
+  pname = "sgblur";
+  version = "1.0.0";
+
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "cquest";
+    repo = "sgblur";
+    rev = "master";
+    hash = "sha256-17wpif2sa021kaa1pbkry4l1967la1qd7knhngvxblrvd7jqqz4y=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    libjpeg_turbo
+    exiftran
+  ];
+
+  build-system = with python3Packages; [
+    setuptools
+    wheel
+  ];
+
+  dependencies = with python3Packages; [
+    # Core dependencies from pyproject.toml
+    ultralytics
+    # pyturbojpeg  # May need special handling
+    pillow
+    # uuid  # Built into Python
+    # exifread
+    python-multipart
+    fastapi
+    uvicorn
+    requests
+    # piexif
+    pydantic-settings
+    pydantic
+  ];
+
+  # Skip tests as they may require GPU or specific setup
+  doCheck = false;
+
+  # The package may have import issues due to system dependencies
+  pythonImportsCheck = [];
+
+  meta = with lib; {
+    description = "Panoramax Speedy Gonzales Blurring Algorithm - AI-powered face and license plate blurring API";
+    homepage = "https://github.com/cquest/sgblur";
+    license = licenses.mit;
+    maintainers = [];
+    platforms = platforms.unix;
+  };
+}

modules/common-modules/pkgs/webtoon-dl.nix

@@ -0,0 +1,18 @@
+{
+  buildGoModule,
+  fetchFromGitHub,
+  ...
+}:
+buildGoModule rec {
+  pname = "webtoon-dl";
+  version = "0.0.10";
+
+  src = fetchFromGitHub {
+    owner = "robinovitch61";
+    repo = "webtoon-dl";
+    rev = "v${version}";
+    hash = "sha256-geVb3LFPZxPQYARZnaqOr5sgaN6mqkEX5ZiLvg8mF5k=";
+  };
+
+  vendorHash = "sha256-NTqUygJ6b6kTnLUnJqxCo/URzaRouPLACEPi2Ob1s9w=";
+}

modules/darwin-modules/default.nix

@@ -0,0 +1,8 @@
+# this folder container modules that are for darwin only
+{...}: {
+  imports = [
+    ./home-manager
+    ./users.nix
+    ./system.nix
+  ];
+}

modules/darwin-modules/home-manager/default.nix

@@ -0,0 +1,2 @@
+# modules in this folder are to adapt home-manager modules configs to darwin-module configs
+{...}: {}

modules/darwin-modules/system.nix

@@ -0,0 +1,27 @@
+{self, ...}: {
+  system.configurationRevision = self.rev or self.dirtyRev or null;
+
+  nix = {
+    gc = {
+      automatic = true;
+      interval = [
+        {
+          Hour = 4;
+          Minute = 15;
+          Weekday = 7;
+        }
+      ];
+      options = "--delete-older-than 7d";
+    };
+    optimise = {
+      automatic = true;
+      interval = [
+        {
+          Hour = 4;
+          Minute = 15;
+          Weekday = 7;
+        }
+      ];
+    };
+  };
+}

modules/darwin-modules/users.nix

@@ -0,0 +1,16 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  host = config.host;
+in {
+  users = {
+    users = {
+      leyla = {
+        name = lib.mkForce host.users.leyla.name;
+        home = lib.mkForce "/home/${host.users.leyla.name}";
+      };
+    };
+  };
+}

modules/home-manager-modules/default.nix

@@ -0,0 +1,13 @@
+# this folder container modules that are for home manager only
+{...}: {
+  imports = [
+    ./sops.nix
+    ./user.nix
+    ./flipperzero.nix
+    ./i18n.nix
+    ./impermanence.nix
+    ./openssh.nix
+    ./gnome.nix
+    ./programs
+  ];
+}