feat: fixed more missing datasets

configurations/home-manager/eve/packages.nix

@@ -60,7 +60,7 @@ in {
         bitwarden.enable = true;
         discord.enable = true;
         makemkv.enable = true;
-        signal-desktop-bin.enable = true;
+        signal-desktop.enable = true;
         steam.enable = true;
         piper.enable = hardware.piperMouse.enable;
         krita.enable = true;

configurations/home-manager/leyla/packages/default.nix

@@ -41,6 +41,7 @@ in {
           openrgb.enable = hardware.openRGB.enable;
           via.enable = hardware.viaKeyboard.enable;
           claude-code.enable = osConfig.host.ai.enable;
+          opencode.enable = osConfig.host.ai.enable;
           davinci-resolve.enable = hardware.graphicsAcceleration.enable;
           mfoc.enable = true;
         })
@@ -49,7 +50,7 @@ in {
           android-studio.enable = true;
           makemkv.enable = true;
           discord.enable = true;
-          signal-desktop-bin.enable = true;
+          signal-desktop.enable = true;
           calibre.enable = true;
           obsidian.enable = true;
           jetbrains.idea-oss.enable = true;

configurations/home-manager/leyla/packages/vscode/default.nix

@@ -58,6 +58,9 @@ in {
 
             nearley.enable = true;
 
+            # graphql
+            graphql.enable = true;
+
             # astro development
             vscodeMdx.enable = true;
             astroVscode.enable = true;
@@ -73,11 +76,11 @@ in {
             rustAnalyzer.enable = true;
 
             # arduino development
-            platformIO.enable = true;
+            platformIO.enable = false;
 
             # claude development
             claudeDev = lib.mkIf ai-tooling-enabled {
-              enable = true;
+              enable = false;
               mcp = {
                 nixos = {
                   enable = true;

configurations/nixos/defiant/configuration.nix

@@ -67,7 +67,6 @@
   };
 
   storage = {
-    generateBase = false;
     zfs = {
       enable = true;
       notifications = {
@@ -144,6 +143,7 @@
             Endpoint = "185.230.126.146:51820";
             # Allow all traffic but use policy routing to prevent system-wide VPN
             AllowedIPs = ["0.0.0.0/0"];
+            PersistentKeepalive = 25;
           }
         ];
       };
@@ -339,7 +339,7 @@
     };
 
     actual = {
-      enable = true;
+      enable = false;
       domain = "budget.jan-leila.com";
       impermanence.enable = false;
     };

configurations/nixos/defiant/legacy-impermanence.nix

@@ -1,19 +1,32 @@
 # Legacy impermanence module for defiant
-# This module contains all the impermanence configurations that were previously
+# See legacy-storage.nix for the full incremental migration plan.
-# handled by individual service modules on the main branch. It allows us to
-# merge the storage-refactor branch into main while keeping current functionality,
-# and then migrate services one at a time to the new automated impermanence system.
 #
-# To migrate a service to the new system:
+# This file is consumed in two phases:
-# 1. Remove the service's configuration from this file
+#
-# 2. Set `impermanence.enable = true` for that service in configuration.nix
+# Phase 3 (after generateBase is enabled):
-# 3. Remove `impermanence.enable = false` from the service configuration
+#   Remove the SYSTEM-LEVEL entries marked [PHASE 3] below. These will be
+#   handled automatically by storage.nix, ssh.nix, and the impermanence module:
+#     - var-lib-private-permissions activation script
+#     - /etc/machine-id
+#     - SSH host keys
+#     - /var/lib/nixos
+#     - /var/lib/systemd/coredump
+#     - /persist/system/var/log persistence block
+#
+# Phase 4 (migrate services one at a time, any order):
+#   For each service:
+#     1. Remove the service's section marked [PHASE 4] from this file
+#     2. Remove `impermanence.enable = false` for that service in configuration.nix
+#   For jellyfin/qbittorrent, also remove the separate media persistence blocks.
+#
+# Phase 5: Delete this file once empty.
 {
   config,
   lib,
   ...
 }: {
   config = lib.mkIf config.storage.impermanence.enable {
+    # [PHASE 3] Remove this activation script after enabling generateBase
     system.activationScripts = {
       "var-lib-private-permissions" = {
         deps = ["specialfs"];
@@ -27,8 +40,28 @@
     environment.persistence."/persist/system/root" = {
       enable = true;
       hideMounts = true;
+      # [PHASE 3] Remove this files block after enabling generateBase
+      files = lib.mkMerge [
+        ["/etc/machine-id"]
+        # SSH host keys
+        (lib.mkIf config.services.openssh.enable (
+          lib.lists.flatten (
+            builtins.map (hostKey: [
+              hostKey.path
+              "${hostKey.path}.pub"
+            ])
+            config.services.openssh.hostKeys
+          )
+        ))
+      ];
       directories = lib.mkMerge [
-        # PostgreSQL
+        # [PHASE 3] Remove these system directories after enabling generateBase
+        [
+          "/var/lib/nixos"
+          "/var/lib/systemd/coredump"
+        ]
+
+        # [PHASE 4] PostgreSQL
         (lib.mkIf config.services.postgresql.enable [
           {
             directory = "/var/lib/postgresql/16";
@@ -37,7 +70,7 @@
           }
         ])
 
-        # Reverse Proxy (ACME)
+        # [PHASE 4] Reverse Proxy (ACME)
         (lib.mkIf config.services.reverseProxy.enable [
           {
             directory = "/var/lib/acme";
@@ -46,7 +79,7 @@
           }
         ])
 
-        # Ollama
+        # [PHASE 4] Ollama
         (lib.mkIf config.services.ollama.enable [
           {
             directory = "/var/lib/private/ollama";
@@ -56,7 +89,7 @@
           }
         ])
 
-        # Tailscale
+        # [PHASE 4] Tailscale
         (lib.mkIf config.services.tailscale.enable [
           {
             directory = "/var/lib/tailscale";
@@ -65,7 +98,7 @@
           }
         ])
 
-        # Syncthing
+        # [PHASE 4] Syncthing
         (lib.mkIf config.services.syncthing.enable [
           {
             directory = "/mnt/sync";
@@ -79,7 +112,7 @@
           }
         ])
 
-        # Fail2ban
+        # [PHASE 4] Fail2ban
         (lib.mkIf config.services.fail2ban.enable [
           {
             directory = "/var/lib/fail2ban";
@@ -88,7 +121,7 @@
           }
         ])
 
-        # Jellyfin (data/cache only - media is on separate dataset)
+        # [PHASE 4] Jellyfin (data/cache only - media is on separate dataset)
         (lib.mkIf config.services.jellyfin.enable [
           {
             directory = "/var/lib/jellyfin";
@@ -102,7 +135,7 @@
           }
         ])
 
-        # Immich
+        # [PHASE 4] Immich
         (lib.mkIf config.services.immich.enable [
           {
             directory = "/var/lib/immich";
@@ -111,7 +144,7 @@
           }
         ])
 
-        # Forgejo
+        # [PHASE 4] Forgejo
         (lib.mkIf config.services.forgejo.enable [
           {
             directory = "/var/lib/forgejo";
@@ -120,7 +153,7 @@
           }
         ])
 
-        # Actual
+        # [PHASE 4] Actual
         (lib.mkIf config.services.actual.enable [
           {
             directory = "/var/lib/private/actual";
@@ -129,7 +162,7 @@
           }
         ])
 
-        # Home Assistant
+        # [PHASE 4] Home Assistant
         (lib.mkIf config.services.home-assistant.enable [
           {
             directory = "/var/lib/hass";
@@ -138,7 +171,7 @@
           }
         ])
 
-        # Paperless
+        # [PHASE 4] Paperless
         (lib.mkIf config.services.paperless.enable [
           {
             directory = "/var/lib/paperless";
@@ -147,7 +180,7 @@
           }
         ])
 
-        # Crab-hole
+        # [PHASE 4] Crab-hole
         (lib.mkIf config.services.crab-hole.enable [
           {
             directory = "/var/lib/private/crab-hole";
@@ -156,7 +189,7 @@
           }
         ])
 
-        # qBittorrent (config only - media is on separate dataset)
+        # [PHASE 4] qBittorrent (config only - media is on separate dataset)
         (lib.mkIf config.services.qbittorrent.enable [
           {
             directory = "/var/lib/qBittorrent/";
@@ -165,7 +198,7 @@
           }
         ])
 
-        # Sonarr
+        # [PHASE 4] Sonarr
         (lib.mkIf config.services.sonarr.enable [
           {
             directory = "/var/lib/sonarr/.config/NzbDrone";
@@ -174,7 +207,7 @@
           }
         ])
 
-        # Radarr
+        # [PHASE 4] Radarr
         (lib.mkIf config.services.radarr.enable [
           {
             directory = "/var/lib/radarr/.config/Radarr";
@@ -183,7 +216,7 @@
           }
         ])
 
-        # Bazarr
+        # [PHASE 4] Bazarr
         (lib.mkIf config.services.bazarr.enable [
           {
             directory = "/var/lib/bazarr";
@@ -192,7 +225,7 @@
           }
         ])
 
-        # Lidarr
+        # [PHASE 4] Lidarr
         (lib.mkIf config.services.lidarr.enable [
           {
             directory = "/var/lib/lidarr/.config/Lidarr";
@@ -201,7 +234,7 @@
           }
         ])
 
-        # Jackett
+        # [PHASE 4] Jackett
         (lib.mkIf config.services.jackett.enable [
           {
             directory = "/var/lib/jackett/.config/Jackett";
@@ -210,7 +243,7 @@
           }
         ])
 
-        # FlareSolverr
+        # [PHASE 4] FlareSolverr
         (lib.mkIf config.services.flaresolverr.enable [
           {
             directory = "/var/lib/flaresolverr";
@@ -221,7 +254,8 @@
       ];
     };
 
-    # Jellyfin media on separate dataset (matching main)
+    # [PHASE 4 - LAST] Jellyfin media on separate dataset
+    # Requires Phase 2 media dataset merge before migrating (several days of data copy)
     environment.persistence."/persist/system/jellyfin" = lib.mkIf config.services.jellyfin.enable {
       enable = true;
       hideMounts = true;
@@ -235,7 +269,8 @@
       ];
     };
 
-    # qBittorrent media on separate dataset (matching main)
+    # [PHASE 4 - LAST] qBittorrent media on separate dataset
+    # Requires Phase 2 media dataset merge before migrating (several days of data copy)
     environment.persistence."/persist/system/qbittorrent" = lib.mkIf config.services.qbittorrent.enable {
       enable = true;
       hideMounts = true;
@@ -249,7 +284,7 @@
       ];
     };
 
-    # /var/log persistence (matching main)
+    # [PHASE 3] /var/log persistence - handled by storage.nix after generateBase
     environment.persistence."/persist/system/var/log" = {
       enable = true;
       hideMounts = true;

configurations/nixos/defiant/legacy-storage.nix

@@ -1,20 +1,131 @@
 # Legacy storage configuration for defiant
-# This file manually defines ZFS datasets matching the main branch structure
+# This file manually defines ZFS datasets matching the existing on-disk layout
-# to allow incremental migration to the new storage module.
+# to allow incremental migration to the new storage module (generateBase = true).
 #
-# Datasets from main branch:
+# ============================================================================
-# - local/                    - ephemeral parent
+# INCREMENTAL MIGRATION PLAN
-# - local/home/leyla          - ephemeral user home
+# ============================================================================
-# - local/system/nix          - nix store
+#
-# - local/system/root         - root filesystem (rolled back on boot)
+# Current disk usage (for reference):
-# - local/system/sops         - sops age key
+#   rpool/local/system/nix           ~26G   (renamed in place, no copy)
-# - persist/                  - persistent parent
+#   rpool/local/system/sops          ~328K  (renamed in place, no copy)
-# - persist/home/leyla        - persistent user home
+#   rpool/persist/system/jellyfin    ~32T   (renamed in place, no copy)
-# - persist/system/jellyfin   - jellyfin media
+#   rpool/persist/system/qbittorrent ~6.5T  (copied into media dataset, ~6.5T temp)
-# - persist/system/qbittorrent - qbittorrent media
+#   rpool free space                 ~30T
-# - persist/system/root       - persistent root data
+#
-# - persist/system/var/log    - log persistence
+# Phase 1: Migrate base datasets on disk (boot from live USB or rescue)
+#   All operations in this phase are instant renames -- no data is copied.
+#
+#   Unlock the pool:
+#     zfs load-key -a
+#
+#   Step 1a: Move nix and sops out of local/ (they go to persist/local/)
+#     The -p flag auto-creates the parent datasets.
+#
+#     zfs rename -p rpool/local/system/nix rpool/persist/local/nix
+#     zfs rename -p rpool/local/system/sops rpool/persist/local/system/sops
+#
+#   Step 1b: Rename local/ -> ephemeral/ (takes remaining children with it)
+#     zfs rename rpool/local rpool/ephemeral
+#     # This moves: local/system/root -> ephemeral/system/root
+#     #             local/home/leyla  -> ephemeral/home/leyla
+#
+#   Step 1c: Recreate blank snapshots on ephemeral datasets
+#     zfs destroy rpool/ephemeral/system/root@blank
+#     zfs snapshot rpool/ephemeral/system/root@blank
+#     zfs destroy rpool/ephemeral/home/leyla@blank
+#     zfs snapshot rpool/ephemeral/home/leyla@blank
+#
+#   Step 1d: Move persist/ children under persist/replicate/
+#     zfs create -o canmount=off rpool/persist/replicate
+#     zfs create -o canmount=off rpool/persist/replicate/system
+#     zfs rename rpool/persist/system/root rpool/persist/replicate/system/root
+#     zfs rename rpool/persist/system/var rpool/persist/replicate/system/var
+#     zfs rename rpool/persist/home/leyla rpool/persist/replicate/home
+#     # Clean up the now-empty home parent
+#     zfs destroy rpool/persist/home
+#     # NOTE: Do NOT destroy rpool/persist/system -- it still contains
+#     # persist/system/jellyfin and persist/system/qbittorrent which are
+#     # migrated in Phase 2.
+#
+#   Verify the new layout:
+#     zfs list -r rpool -o name,used,mountpoint
+#
+# Phase 2: Merge media into a single dataset (do this last)
+#   Strategy: Rename the jellyfin dataset to become the shared media dataset
+#   (zero copy, instant), then copy qbittorrent data into it (~6.5T copy).
+#   This avoids duplicating the 32T jellyfin dataset.
+#
+#   Step 2a: Rename jellyfin dataset to the shared media name
+#     zfs rename rpool/persist/system/jellyfin rpool/persist/replicate/system/media
+#
+#   Step 2b: Copy qbittorrent data into the media dataset
+#     This copies ~6.5T and may take several hours/days depending on disk speed.
+#     The qbittorrent data is not critical to back up so no snapshot needed.
+#
+#     systemctl stop qbittorrent
+#     rsync -avPHAX /persist/system/qbittorrent/ /persist/replicate/system/media/
+#
+#   Step 2c: Verify the data and clean up
+#     ls -la /persist/replicate/system/media/
+#     zfs destroy rpool/persist/system/qbittorrent
+#     # persist/system should now be empty, clean it up:
+#     zfs destroy rpool/persist/system
+#
+# Phase 3: Enable generateBase
+#   In the nix config:
+#     - Delete this file (legacy-storage.nix) and remove its import from default.nix
+#     - Remove [PHASE 3] entries from legacy-impermanence.nix:
+#       - var-lib-private-permissions activation script
+#       - /etc/machine-id, SSH host keys (files block)
+#       - /var/lib/nixos, /var/lib/systemd/coredump (directories)
+#       - /persist/system/var/log persistence block
+#     These are now handled automatically by storage.nix and ssh.nix.
+#   Rebuild and verify:
+#     sudo nixos-rebuild switch --flake .#defiant
+#     # Verify mounts:  findmnt -t fuse.bindfs,fuse
+#     # Verify persist: ls /persist/replicate/system/root/var/lib/nixos
+#     # Verify boot:    reboot and confirm system comes up cleanly
+#
+# Phase 4: Migrate services (one at a time, any order)
+#   For each service (except jellyfin/qbittorrent):
+#     1. Remove the service's [PHASE 4] section from legacy-impermanence.nix
+#     2. Remove `impermanence.enable = false` for that service in configuration.nix
+#     3. Rebuild: sudo nixos-rebuild switch --flake .#defiant
+#     4. Verify: systemctl status <service>, check the service's data is intact
+#   No data migration is needed -- the data already lives on the renamed
+#   dataset at the new path.
+#
+#   Migrate jellyfin and qbittorrent LAST (after Phase 2 media merge):
+#     1. Remove [PHASE 4 - LAST] jellyfin entries from legacy-impermanence.nix
+#     2. Remove [PHASE 4 - LAST] qbittorrent entries from legacy-impermanence.nix
+#     3. Remove `impermanence.enable = false` for both in configuration.nix
+#     4. Rebuild: sudo nixos-rebuild switch --flake .#defiant
+#     5. Verify: systemctl status jellyfin qbittorrent
+#
+# Phase 5: Cleanup
+#   Once all services are migrated and legacy-impermanence.nix is empty:
+#     - Delete legacy-impermanence.nix and remove its import from default.nix
+#     - Rebuild: sudo nixos-rebuild switch --flake .#defiant
+#
+# ============================================================================
+#
+# Current on-disk dataset layout:
+#   rpool/local/                    - ephemeral parent
+#   rpool/local/home/leyla          - ephemeral user home (rolled back on boot)
+#   rpool/local/system/nix          - nix store
+#   rpool/local/system/root         - root filesystem (rolled back on boot)
+#   rpool/local/system/sops         - sops age key
+#   rpool/persist/                  - persistent parent
+#   rpool/persist/home/leyla        - persistent user home
+#   rpool/persist/system/jellyfin   - jellyfin media
+#   rpool/persist/system/qbittorrent - qbittorrent media
+#   rpool/persist/system/root       - persistent root data
+#   rpool/persist/system/var/log    - log persistence
 {lib, ...}: {
+  # Disable automatic base dataset generation so we can define them manually
+  storage.generateBase = false;
+
   # Manually define ZFS datasets matching main's structure
   storage.zfs.datasets = {
     # Ephemeral datasets (local/)
@@ -47,7 +158,7 @@
     };
     "local/system/sops" = {
       type = "zfs_fs";
-      mount = "/persist/sops";
+      mount = "/var/lib/sops-nix";
     };
 
     # Persistent datasets (persist/)
@@ -87,9 +198,10 @@
     };
   };
 
-  # Boot commands to rollback ephemeral root on boot
+  # Boot commands to rollback ephemeral root and user homes on boot
   boot.initrd.postResumeCommands = lib.mkAfter ''
     zfs rollback -r rpool/local/system/root@blank
+    zfs rollback -r rpool/local/home/leyla@blank
   '';
 
   # FileSystems needed for boot
@@ -99,5 +211,8 @@
     "/persist/system/var/log".neededForBoot = true;
     "/persist/system/jellyfin".neededForBoot = true;
     "/persist/system/qbittorrent".neededForBoot = true;
+    "/var/lib/sops-nix".neededForBoot = true;
+    "/persist/home/leyla".neededForBoot = true;
+    "/home/leyla".neededForBoot = true;
   };
 }

configurations/nixos/emergent/default.nix

@@ -3,5 +3,6 @@
   imports = [
     ./configuration.nix
     ./hardware-configuration.nix
+    ./legacy-storage.nix
   ];
 }

configurations/nixos/emergent/legacy-storage.nix

@@ -0,0 +1,51 @@
+# Legacy storage configuration for emergent
+# This file manually defines ZFS datasets matching the existing on-disk layout
+# to allow incremental migration to the new storage module (generateBase = true).
+#
+# Current on-disk dataset layout:
+#   rpool/local/                    - parent (canmount=off)
+#   rpool/local/system/nix          - nix store
+#   rpool/local/system/root         - root filesystem
+#
+# Migration plan:
+#   Phase 1: Rename datasets on disk (boot from live USB)
+#     zfs rename -p rpool/local/system/nix rpool/persist/local/nix
+#     zfs rename rpool/local rpool/persist/local
+#     # This moves: local/system/root -> persist/local/root (need to rename after)
+#     # Actually, since local/system/root needs to become persist/local/root:
+#     zfs rename rpool/persist/local/system/root rpool/persist/local/root
+#     zfs destroy rpool/persist/local/system  # now empty
+#     # Recreate blank snapshot:
+#     zfs destroy rpool/persist/local/root@blank
+#     zfs snapshot rpool/persist/local/root@blank
+#
+#   Phase 2: Delete this file, remove its import from default.nix, rebuild.
+{...}: {
+  # Disable automatic base dataset generation so we can define them manually
+  storage.generateBase = false;
+
+  # Manually define ZFS datasets matching the existing on-disk layout
+  storage.zfs.datasets = {
+    "local" = {
+      type = "zfs_fs";
+      mount = null;
+    };
+    "local/system/nix" = {
+      type = "zfs_fs";
+      mount = "/nix";
+      atime = "off";
+      relatime = "off";
+      snapshot = {
+        autoSnapshot = false;
+      };
+    };
+    "local/system/root" = {
+      type = "zfs_fs";
+      mount = "/";
+      snapshot = {
+        blankSnapshot = true;
+        autoSnapshot = true;
+      };
+    };
+  };
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766150702,
+        "lastModified": 1772867152,
-        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "narHash": "sha256-RIFgZ4O6Eg+5ysZ8Tqb3YvcqiRaNy440GEY22ltjRrs=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "rev": "eaafb89b56e948661d618eefd4757d9ea8d77514",
         "type": "github"
       },
       "original": {
@@ -28,11 +28,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1768500104,
+        "lastModified": 1772856163,
-        "narHash": "sha256-Xa8XJaydHKAhDCLyjdKcDKjFrGgdahNcVo1boGUdZKY=",
+        "narHash": "sha256-xD+d1+FVhKJ+oFYMTWOdVSBoXS4yeMyVZyDjMXqWEJE=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "7e517454cd248c76046c3157b56662d223de29b1",
+        "rev": "d358a550c7beac5f04fbc5a786e14af079606689",
         "type": "gitlab"
       },
       "original": {
@@ -115,11 +115,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768512489,
+        "lastModified": 1772845525,
-        "narHash": "sha256-jZi945d3e6DYhrw3K5Pew+QaL3qSgq3O6xiVaEVLgXs=",
+        "narHash": "sha256-Dp5Ir2u4jJDGCgeMRviHvEQDe+U37hMxp6RSNOoMMPc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "bba859cd85b90dd9e4e6fd44b2af4aa64ae801a1",
+        "rev": "27b93804fbef1544cb07718d3f0a451f4c4cd6c0",
         "type": "github"
       },
       "original": {
@@ -129,12 +129,20 @@
       }
     },
     "impermanence": {
+      "inputs": {
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1737831083,
+        "lastModified": 1769548169,
-        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
         "type": "github"
       },
       "original": {
@@ -186,11 +194,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1767822362,
+        "lastModified": 1772769318,
-        "narHash": "sha256-rnpIDY/sy/uV+1dsW+MrFwAFE/RHg5K/6aa5k7Yt1Dc=",
+        "narHash": "sha256-RAyOW5JMXRhiREqxFPOzw80fVsYVBnOPFgBSjnJ6gbY=",
         "owner": "utensils",
         "repo": "mcp-nixos",
-        "rev": "9706014c1530ba12ff36ca8d9d1717b1e61d29db",
+        "rev": "60c1efbba0de1268b42f1144c904e6c8a9627dde",
         "type": "github"
       },
       "original": {
@@ -206,11 +214,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768220509,
+        "lastModified": 1772379624,
-        "narHash": "sha256-8wMrJP/Xk5Dkm0TxzaERLt3eGFEhHTWaJKUpK3AoL4o=",
+        "narHash": "sha256-NG9LLTWlz4YiaTAiRGChbrzbVxBfX+Auq4Ab/SWmk4A=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "7b1d394e7d9112d4060e12ef3271b38a7c43e83b",
+        "rev": "52d061516108769656a8bd9c6e811c677ec5b462",
         "type": "github"
       },
       "original": {
@@ -247,11 +255,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768443224,
+        "lastModified": 1772850876,
-        "narHash": "sha256-U2UHV+8Ygba2eFhFSnl15wMuKqNR884V2mo2fLO9wy0=",
+        "narHash": "sha256-Ga19zlfMpakCY4GMwBSOljNLOF0nEYrYBXv0hP/d4rw=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "151bb82df60a9ffcd2fef1116e4c9baf133b3ec5",
+        "rev": "22f084d4c280dfc8a9d764f7b85af38e5d69c3dc",
         "type": "github"
       },
       "original": {
@@ -262,11 +270,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1768499669,
+        "lastModified": 1771969195,
-        "narHash": "sha256-jJr/zDxu5evfQxlXtMrFFF68/RNj1UrctS/eIsay4k0=",
+        "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "7297dfc69ae9b06e984a6f69900ce25e67c76f46",
+        "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e",
         "type": "github"
       },
       "original": {
@@ -309,11 +317,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1768305791,
+        "lastModified": 1772773019,
-        "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=",
+        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e",
+        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
         "type": "github"
       },
       "original": {
@@ -346,11 +354,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1765628894,
+        "lastModified": 1771445312,
-        "narHash": "sha256-7q1foPZ6ZlspMNa48oRT7iMl89cvMMaWtdrJweE6B8I=",
+        "narHash": "sha256-8uOcu+ZurGx0LmGFCf87Zbj4ikhVPQtP+PuBscEBCv0=",
         "owner": "IntQuant",
         "repo": "noita_entangled_worlds",
-        "rev": "266c6871b2878cf3b6f180c6d299da88f12c9f8e",
+        "rev": "4a842f29d0e5fb8dc6df73d87f7bb8d2a16f0fc8",
         "type": "github"
       },
       "original": {
@@ -403,11 +411,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1765740994,
+        "lastModified": 1768867162,
-        "narHash": "sha256-aBs7m69yuiixzGzhUlWAAN+zBziBNII+BFEC/5mPcSI=",
+        "narHash": "sha256-NiW2gUcdhnUbYQw476HzgBz+uVjyLnz151hzCQbWBX8=",
         "ref": "refs/heads/main",
-        "rev": "6e90a73ed2e1e81ba37628fc5e5494a80d22b526",
+        "rev": "22be81505a49cd205e9b5c91f51af69c0b885ed3",
-        "revCount": 22,
+        "revCount": 23,
         "type": "git",
         "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
       },
@@ -423,11 +431,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768481291,
+        "lastModified": 1772495394,
-        "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
+        "narHash": "sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
+        "rev": "1d9b98a29a45abe9c4d3174bd36de9f28755e3ff",
         "type": "github"
       },
       "original": {

modules/common-modules/pkgs/cline/default.nix

@@ -0,0 +1,53 @@
+{
+  lib,
+  buildNpmPackage,
+  fetchurl,
+  ripgrep,
+  makeWrapper,
+  jq,
+  ...
+}:
+buildNpmPackage rec {
+  pname = "cline";
+  version = "2.4.2";
+
+  src = fetchurl {
+    url = "https://registry.npmjs.org/cline/-/cline-${version}.tgz";
+    hash = "sha256-2utOBC0vhoj5fR+cG+Vdo3N6+i/pNW1E4mESF/dZS/c=";
+  };
+
+  sourceRoot = "package";
+
+  postPatch = ''
+    cp ${./cline-package-lock.json} package-lock.json
+
+    # Remove @vscode/ripgrep from package.json since it tries to download
+    # a binary from GitHub during install, which fails in the nix sandbox.
+    # We provide ripgrep from nixpkgs instead via PATH wrapping.
+    # Also remove the man field since the man page is not included in the npm tarball.
+    ${jq}/bin/jq 'del(.dependencies["@vscode/ripgrep"]) | del(.man)' package.json > package.json.tmp
+    mv package.json.tmp package.json
+  '';
+
+  npmDepsHash = "sha256-oHo60ghR7A4SUT0cLmIe7glPDYBK3twJ0F71RKVrxQc=";
+
+  dontNpmBuild = true;
+
+  # Skip post-install scripts to be safe
+  npmFlags = ["--ignore-scripts"];
+
+  nativeBuildInputs = [makeWrapper jq];
+
+  # Provide ripgrep from nixpkgs since @vscode/ripgrep was removed
+  postInstall = ''
+    wrapProgram $out/bin/cline \
+      --prefix PATH : ${lib.makeBinPath [ripgrep]}
+  '';
+
+  meta = with lib; {
+    description = "Autonomous coding agent CLI - capable of creating/editing files, running commands, using the browser, and more";
+    homepage = "https://cline.bot";
+    license = licenses.asl20;
+    mainProgram = "cline";
+  };
+}

modules/common-modules/pkgs/default.nix

@@ -44,5 +44,8 @@
       # Override h3 C library to version 4.3.0
       h3 = pkgs.callPackage ./h3-c-lib.nix {};
     })
+    (final: prev: {
+      cline = pkgs.callPackage ./cline/default.nix {};
+    })
   ];
 }

modules/common-modules/pkgs/gdx-liftoff.nix

@@ -4,8 +4,12 @@
   makeWrapper,
   jdk,
   lib,
-  xorg,
   libGL,
+  libx11,
+  libxcursor,
+  libxext,
+  libxrandr,
+  libxxf86vm,
   ...
 }:
 stdenv.mkDerivation rec {
@@ -24,11 +28,11 @@ stdenv.mkDerivation rec {
   runtimeDependencies = lib.makeLibraryPath [
     # glfw
     libGL
-    xorg.libX11
+    libx11
-    xorg.libXcursor
+    libxcursor
-    xorg.libXext
+    libxext
-    xorg.libXrandr
+    libxrandr
-    xorg.libXxf86vm
+    libxxf86vm
   ];
 
   installPhase = ''

modules/home-manager-modules/impermanence.nix

@@ -26,8 +26,13 @@ in {
     # If impermanence is not enabled for this user but system impermanence is enabled,
     # persist the entire home directory as fallback
     (lib.mkIf (osConfig.storage.impermanence.enable && !cfg.enable && cfg.fallbackPersistence.enable) {
-      home.persistence."/persist/replicate/home" = {
+      home.persistence."${
+        if osConfig.storage.generateBase
+        then "/persist/replicate/home"
+        else "/persist/home/${config.home.username}"
+      }" = {
         directories = ["."];
+        allowOther = true;
       };
     })
   ];

modules/home-manager-modules/programs/signal.nix

@@ -4,14 +4,14 @@
   config,
   ...
 }: {
-  options.programs.signal-desktop-bin = {
+  options.programs.signal-desktop = {
     enable = lib.mkEnableOption "enable signal";
   };
 
-  config = lib.mkIf config.programs.signal-desktop-bin.enable (lib.mkMerge [
+  config = lib.mkIf config.programs.signal-desktop.enable (lib.mkMerge [
     {
       home.packages = with pkgs; [
-        signal-desktop-bin
+        signal-desktop
       ];
     }
     (

modules/home-manager-modules/programs/vscode/claudeDev.nix

@@ -10,6 +10,19 @@
 
   mcp-nixos = inputs.mcp-nixos.packages.${pkgs.stdenv.hostPlatform.system}.default;
 
+  anyProfileHasInstallTool = lib.any (
+    profile:
+      profile.extraExtensions.claudeDev.enable
+      && profile.extraExtensions.claudeDev.installTool
+  ) (lib.attrValues config.programs.vscode.profiles);
+
+  getInstallToolPackage = lib.findFirst (package: package != null) pkgs.cline (map (
+    profile:
+      if profile.extraExtensions.claudeDev.enable && profile.extraExtensions.claudeDev.installTool
+      then profile.extraExtensions.claudeDev.package
+      else null
+  ) (lib.attrValues config.programs.vscode.profiles));
+
   anyProfileHasMcpNixos = lib.any (
     profile:
       profile.extraExtensions.claudeDev.enable
@@ -69,6 +82,17 @@ in {
             default = ["saoudrizwan" "claude-dev"];
           };
 
+          installTool = lib.mkOption {
+            type = lib.types.bool;
+            default = true;
+            description = "Whether to install the cline CLI tool for subagent support when the extension is enabled";
+          };
+          package = lib.mkOption {
+            type = lib.types.package;
+            default = pkgs.cline;
+            description = "The package to install for the cline CLI tool";
+          };
+
           mcp = {
             nixos = {
               enable = lib.mkEnableOption "enable NixOS MCP server for Claude Dev";
@@ -145,6 +169,12 @@ in {
   };
 
   config = lib.mkMerge [
+    (lib.mkIf anyProfileHasInstallTool {
+      home.packages = [
+        getInstallToolPackage
+      ];
+    })
+
     (lib.mkIf anyProfileHasMcpNixos {
       home.packages = [
         mcp-nixos

modules/home-manager-modules/programs/vscode/default.nix

@@ -26,5 +26,6 @@
     ./direnv.nix
     ./conventionalCommits.nix
     ./openDyslexicFont.nix
+    ./graphql.nix
   ];
 }

modules/home-manager-modules/programs/vscode/go.nix

@@ -21,6 +21,13 @@ in {
         extensions = [
           config.extraExtensions.go.extension
         ];
+        userSettings = {
+          "go.alternateTools" = {
+            "gopls" = "gopls";
+          };
+          "go.toolsManagement.autoUpdate" = false;
+          "go.useLanguageServer" = true;
+        };
       };
     }));
   };

modules/home-manager-modules/programs/vscode/graphql.nix

@@ -0,0 +1,27 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: let
+  pkgsRepositories = pkgs.nix-vscode-extensions.forVSCodeVersion config.programs.vscode.package.version;
+  pkgsRepository = pkgsRepositories.open-vsx;
+in {
+  options.programs.vscode.profiles = lib.mkOption {
+    type = lib.types.attrsOf (lib.types.submodule ({config, ...}: {
+      options = {
+        extraExtensions.graphql = {
+          enable = lib.mkEnableOption "should the graphql highlighting extension for vscode be enabled";
+          extension = lib.mkPackageOption pkgsRepository "vscode-graphql" {
+            default = ["graphql" "vscode-graphql-syntax"];
+          };
+        };
+      };
+      config = lib.mkIf config.extraExtensions.graphql.enable {
+        extensions = [
+          config.extraExtensions.graphql.extension
+        ];
+      };
+    }));
+  };
+}

modules/home-manager-modules/programs/vscode/platformIO.nix

@@ -21,6 +21,9 @@ in {
         extensions = [
           config.extraExtensions.platformIO.extension
         ];
+        userSettings = {
+          "platformio-ide.useBuiltinPIOCore" = false;
+        };
       };
     }));
   };

modules/nixos-modules/storage/impermanence.nix

@@ -81,6 +81,9 @@ in {
 
       programs.fuse.userAllowOther = true;
 
+      # Suppress sudo lecture on every boot since impermanence wipes the lecture status file
+      security.sudo.extraConfig = "Defaults lecture=never";
+
       fileSystems =
         lib.mapAttrs' (
           datasetName: dataset:

modules/nixos-modules/storage/storage.nix

@@ -153,7 +153,7 @@ in {
           config.storage.datasets.replicate)
       ];
     })
-    (lib.mkIf (config.storage.zfs.enable && !config.storage.impermanence.enable) {
+    (lib.mkIf (config.storage.zfs.enable && !config.storage.impermanence.enable && config.storage.generateBase) {
       storage.datasets = {
         # Base organizational datasets (only needed when impermanence is disabled)
         local = {

modules/nixos-modules/storage/zfs.nix

@@ -9,6 +9,12 @@ args @ {
   # Hash function for disk names (max 27 chars to fit GPT limitations)
   hashDisk = drive: (builtins.substring 0 27 (builtins.hashString "sha256" drive));
 
+  # Map "stripe" to "" for disko compatibility (disko uses "" for stripe mode)
+  diskoPoolMode =
+    if config.storage.zfs.pool.mode == "stripe"
+    then ""
+    else config.storage.zfs.pool.mode;
+
   # Helper to flatten vdevs into list of devices with names
   allVdevDevices = lib.lists.flatten (builtins.map (
       vdev:
@@ -212,10 +218,10 @@ in {
       # in
       #   diskWarnings ++ datasetWarnings;
 
-      # services.zfs = {
+      services.zfs = {
-      #   autoScrub.enable = true;
+        autoScrub.enable = true;
-      #   autoSnapshot.enable = true;
+        autoSnapshot.enable = true;
-      # };
+      };
 
       # # Configure disko for ZFS setup
       disko.devices = {
@@ -260,7 +266,7 @@ in {
                 type = "topology";
                 vdev =
                   builtins.map (vdev: {
-                    mode = config.storage.zfs.pool.mode;
+                    mode = diskoPoolMode;
                     members = builtins.map (device: hashDisk device.device) vdev;
                   })
                   config.storage.zfs.pool.vdevs;

modules/nixos-modules/users.nix

@@ -409,10 +409,13 @@ in {
         );
 
         # Post resume commands to rollback user home datasets to blank snapshots
-        boot.initrd.postResumeCommands = lib.mkAfter (
+        # Only add these when generateBase is true -- when false, the legacy
+        # storage config is responsible for providing rollback commands with
+        # the correct (old) dataset paths.
+        boot.initrd.postResumeCommands = lib.mkIf config.storage.generateBase (lib.mkAfter (
           lib.strings.concatLines (builtins.map (user: "zfs rollback -r rpool/ephemeral/home/${user.name}@blank")
             normalUsers)
-        );
+        ));
 
         # TODO: I don't think we need this anymore but I have not tested it
         # Create persist home directories with proper permissions