Use programs.ssh.askPassword

Update nixos mailserver
Update nixpkgs
2026-01-11 15:24:53 -08:00 · 2026-01-11 14:25:17 -08:00 · 2026-01-11 14:25:03 -08:00 · 2026-01-10 23:04:48 -08:00 · 2026-01-10 23:03:19 -08:00 · 2026-01-10 23:02:43 -08:00
62 changed files with 872 additions and 537 deletions
--- a/10
+++ b/10
@@ -30,3 +30,13 @@ gc:
 .PHONY: update-input
 update-input:
 	nix flake update $(filter-out $@,$(MAKECMDGOALS))
+
+# Build Custom Install ISO
+.PHONY: iso
+iso:
+	nix build .#packages.x86_64-linux.iso
+
+# Deploy a host by name (ex: 's0')
+.PHONY: deploy
+deploy:
+	deploy --remote-build --boot --debug-logs --skip-checks .#$(filter-out $@,$(MAKECMDGOALS))
--- a/common/binary-cache.nix
+++ b/common/binary-cache.nix
@@ -12,6 +12,13 @@
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
      ];
+
+      # Allow substituters to be offline
+      # This isn't exactly ideal since it would be best if I could set up a system
+      # so that it is an error if a derivation isn't available for any substituters
+      # and use this flag as intended for deciding if it should build missing
+      # derivations locally. See https://github.com/NixOS/nix/issues/6901
+      fallback = true;
    };
  };
 }
--- a/common/machine-info/default.nix
+++ b/common/machine-info/default.nix
@@ -199,5 +199,9 @@ in
    # perspective of a perticular machine but is instead intended for reflecting on
    # the properties of all machines as a whole system.
    thisMachine.config = config.machines.hosts.${config.networking.hostName};
+
+    # Add ssh keys from KeepassXC
+    machines.ssh.userKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILACiZO7QnB4bcmziVaUkUE0ZPMR0M/yJbbHYsHIZz9g" ];
+    machines.ssh.deployKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID58MvKGs3GDMMcN8Iyi9S59SciSrVM97wKtOvUAl3li" ];
  };
 }
--- a/common/pc/chromium.nix
+++ b/common/pc/chromium.nix
@@ -46,7 +46,6 @@ in

    # hardware accelerated video playback (on intel)
    nixpkgs.config.packageOverrides = pkgs: {
-      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
      chromium = pkgs.chromium.override {
        enableWideVine = true;
        # ungoogled = true;
@@ -61,12 +60,9 @@ in
      enable = true;
      extraPackages = with pkgs; [
        intel-media-driver # LIBVA_DRIVER_NAME=iHD
-        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-        # vaapiVdpau
        libvdpau-va-gl
        nvidia-vaapi-driver
      ];
-      extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ];
    };
  };
 }
--- a/common/pc/default.nix
+++ b/common/pc/default.nix
@@ -46,11 +46,12 @@ in
      spotify
      arduino
      yt-dlp
-      jellyfin-media-player
      joplin-desktop
      config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
      lxqt.pavucontrol-qt
-      barrier
+      deskflow
+      file-roller
+      android-tools

      # For Nix IDE
      nixpkgs-fmt
@@ -71,15 +72,10 @@ in
    services.avahi.enable = true;
    services.avahi.nssmdns4 = true;

-    programs.file-roller.enable = true;
-
    # Security
    services.gnome.gnome-keyring.enable = true;
    security.pam.services.googlebot.enableGnomeKeyring = true;

-    # Android dev
-    programs.adb.enable = true;
-
    # Mount personal SMB stores
    services.mount-samba.enable = true;

@@ -94,5 +90,9 @@ in
    environment.sessionVariables.NIXOS_OZONE_WL = "1";

    fonts.packages = with pkgs; [ nerd-fonts.symbols-only ];
+
+    # SSH Ask pass
+    programs.ssh.enableAskPassword = true;
+    programs.ssh.askPassword = "${pkgs.kdePackages.ksshaskpass}/bin/ksshaskpass";
  };
 }
--- a/common/pc/kde.nix
+++ b/common/pc/kde.nix
@@ -15,6 +15,7 @@ in
      # kmail
      # plasma5Packages.kmail-account-wizard
      kdePackages.kate
+      kdePackages.kdeconnect-kde
    ];
  };
 }
--- a/common/pc/vscodium.nix
+++ b/common/pc/vscodium.nix
@@ -14,24 +14,14 @@ let
    rust-lang.rust-analyzer
    vadimcn.vscode-lldb
    tauri-apps.tauri-vscode
+    platformio.platformio-vscode-ide
+    vue.volar
  ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
-    {
-      name = "platformio-ide";
-      publisher = "platformio";
-      version = "3.1.1";
-      sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
-    }
    {
      name = "wgsl-analyzer";
      publisher = "wgsl-analyzer";
-      version = "0.8.1";
-      sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
-    }
-    {
-      name = "volar";
-      publisher = "Vue";
-      version = "2.2.4";
-      sha256 = "FHS/LNjSUVfCb4SVF9naR4W0JqycWzSWiK54jfbRagA=";
+      version = "0.12.105";
+      sha256 = "sha256-NheEVNIa8CIlyMebAhxRKS44b1bZiWVt8PgC6r3ExMA=";
    }
  ];

--- a/common/server/librechat.nix
+++ b/common/server/librechat.nix
@@ -3,10 +3,10 @@
 with lib;

 let
-  cfg = config.services.librechat;
+  cfg = config.services.librechat-container;
 in
 {
-  options.services.librechat = {
+  options.services.librechat-container = {
    enable = mkEnableOption "librechat";
    port = mkOption {
      type = types.int;
@@ -21,7 +21,7 @@ in
  config = mkIf cfg.enable {
    virtualisation.oci-containers.containers = {
      librechat = {
-        image = "ghcr.io/danny-avila/librechat:v0.7.7";
+        image = "ghcr.io/danny-avila/librechat:v0.8.1";
        environment = {
          HOST = "0.0.0.0";
          MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
--- a/common/server/mailserver.nix
+++ b/common/server/mailserver.nix
@@ -63,18 +63,28 @@ in
          "cris@runyan.org"
        ];
      };
-      certificateScheme = "acme-nginx"; # use let's encrypt for certs
+      x509.useACMEHost = config.mailserver.fqdn; # use let's encrypt for certs
+      stateVersion = 3;
    };
    age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
    age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
    age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;

+    # Get let's encrypt cert
+    services.nginx = {
+      enable = true;
+      virtualHosts."${config.mailserver.fqdn}" = {
+        forceSSL = true;
+        enableACME = true;
+      };
+    };
+
    # sendmail to use xxx@domain instead of xxx@mail.domain
-    services.postfix.origin = "$mydomain";
+    services.postfix.settings.main.myorigin = "$mydomain";

    # relay sent mail through mailgun
    # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
-    services.postfix.config = {
+    services.postfix.settings.main = {
      smtp_sasl_auth_enable = "yes";
      smtp_sasl_security_options = "noanonymous";
      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
@@ -92,7 +102,6 @@ in
    age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;

    # webmail
-    services.nginx.enable = true;
    services.roundcube = {
      enable = true;
      hostName = config.mailserver.fqdn;
--- a/common/server/nextcloud.nix
+++ b/common/server/nextcloud.nix
@@ -3,28 +3,44 @@

 let
  cfg = config.services.nextcloud;
+
+  nextcloudHostname = "runyan.org";
+  collaboraOnlineHostname = "collabora.runyan.org";
+  whiteboardHostname = "whiteboard.runyan.org";
+  whiteboardPort = 3002; # Seems impossible to change
+
+  # Hardcoded public ip of ponyo... I wish I didn't need this...
+  public_ip_address = "147.135.114.130";
 in
 {
  config = lib.mkIf cfg.enable {
    services.nextcloud = {
      https = true;
-      package = pkgs.nextcloud31;
-      hostName = "neet.cloud";
+      package = pkgs.nextcloud32;
+      hostName = nextcloudHostname;
      config.dbtype = "sqlite";
      config.adminuser = "jeremy";
      config.adminpassFile = "/run/agenix/nextcloud-pw";
+
+      # Apps
      autoUpdateApps.enable = true;
+      extraAppsEnable = true;
      extraApps = with config.services.nextcloud.package.packages.apps; {
        # Want
        inherit end_to_end_encryption mail spreed;

+        # For file and document editing (collabora online and excalidraw)
+        inherit richdocuments whiteboard;
+
        # Might use
-        inherit bookmarks calendar cookbook deck memories onlyoffice qownnotesapi;
+        inherit calendar qownnotesapi;

        # Try out
-        # inherit maps music news notes phonetrack polls forms;
+        # inherit bookmarks cookbook deck memories maps music news notes phonetrack polls forms;
      };
-      extraAppsEnable = true;
+
+      # Allows installing Apps from the UI (might remove later)
+      appstoreEnable = true;
    };
    age.secrets.nextcloud-pw = {
      file = ../../secrets/nextcloud-pw.age;
@@ -40,5 +56,100 @@ in
      enableACME = true;
      forceSSL = true;
    };
+
+    # collabora-online
+    # https://diogotc.com/blog/collabora-nextcloud-nixos/
+    services.collabora-online = {
+      enable = true;
+      port = 15972;
+      settings = {
+        # Rely on reverse proxy for SSL
+        ssl = {
+          enable = false;
+          termination = true;
+        };
+
+        # Listen on loopback interface only
+        net = {
+          listen = "loopback";
+          post_allow.host = [ "localhost" ];
+        };
+
+        # Restrict loading documents from WOPI Host
+        storage.wopi = {
+          "@allow" = true;
+          host = [ config.services.nextcloud.hostName ];
+        };
+
+        server_name = collaboraOnlineHostname;
+      };
+    };
+    services.nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
+        proxyWebsockets = true;
+      };
+    };
+    systemd.services.nextcloud-config-collabora =
+      let
+        wopi_url = "http://localhost:${toString config.services.collabora-online.port}";
+        public_wopi_url = "https://${collaboraOnlineHostname}";
+        wopi_allowlist = lib.concatStringsSep "," [
+          "127.0.0.1"
+          "::1"
+          public_ip_address
+        ];
+      in
+      {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "nextcloud-setup.service" "coolwsd.service" ];
+        requires = [ "coolwsd.service" ];
+        path = [
+          config.services.nextcloud.occ
+        ];
+        script = ''
+          nextcloud-occ -- config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
+          nextcloud-occ -- config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
+          nextcloud-occ -- config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
+          nextcloud-occ -- richdocuments:setup
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+        };
+      };
+
+    # Whiteboard
+    services.nextcloud-whiteboard-server = {
+      enable = true;
+      settings.NEXTCLOUD_URL = "https://${nextcloudHostname}";
+      secrets = [ "/run/agenix/whiteboard-server-jwt-secret" ];
+    };
+    systemd.services.nextcloud-config-whiteboard = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "nextcloud-setup.service" ];
+      requires = [ "coolwsd.service" ];
+      path = [
+        config.services.nextcloud.occ
+      ];
+      script = ''
+        nextcloud-occ -- config:app:set whiteboard collabBackendUrl --value="https://${whiteboardHostname}"
+        nextcloud-occ -- config:app:set whiteboard jwt_secret_key --value="$JWT_SECRET_KEY"
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        EnvironmentFile = [ "/run/agenix/whiteboard-server-jwt-secret" ];
+      };
+    };
+    age.secrets.whiteboard-server-jwt-secret.file = ../../secrets/whiteboard-server-jwt-secret.age;
+    services.nginx.virtualHosts.${whiteboardHostname} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString whiteboardPort}";
+        proxyWebsockets = true;
+      };
+    };
  };
 }
--- a/common/shell.nix
+++ b/common/shell.nix
@@ -34,13 +34,6 @@
    io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";

    llsblk = "lsblk -o +uuid,fsType";
-
-    sudo = "doas";
-
-    ls = "pls";
-    ls2 = "eza";
-
-    explorer = "broot";
  };

  nixpkgs.overlays = [
@@ -48,6 +41,9 @@
      # comma uses the "nix-index" package built into nixpkgs by default.
      # That package doesn't use the prebuilt nix-index database so it needs to be changed.
      comma = prev.comma.overrideAttrs (old: {
+        nativeBuildInputs = old.nativeBuildInputs ++ [
+          prev.makeWrapper
+        ];
        postInstall = ''
          wrapProgram $out/bin/comma \
            --prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}
--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -31,8 +31,6 @@

  # TODO: Old ssh keys I will remove some day...
  machines.ssh.userKeys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@@ -14,11 +14,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750173260,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+        "lastModified": 1762618334,
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
        "type": "github"
      },
      "original": {
@@ -101,11 +101,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749105467,
-        "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
+        "lastModified": 1766051518,
+        "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
+        "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
        "type": "github"
      },
      "original": {
@@ -117,11 +117,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
        "type": "github"
      },
      "original": {
@@ -163,11 +163,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750779888,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "lastModified": 1763988335,
+        "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",
        "type": "github"
      },
      "original": {
@@ -205,16 +205,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1752208517,
-        "narHash": "sha256-aRY1cYOdVdXdNjcL/Twpa27CknO7pVHxooPsBizDraE=",
+        "lastModified": 1768068402,
+        "narHash": "sha256-bAXnnJZKJiF7Xr6eNW6+PhBf1lg2P1aFUO9+xgWkXfA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "c6a01e54af81b381695db796a43360bf6db5702f",
+        "rev": "8bc5473b6bc2b6e1529a9c4040411e1199c43b4c",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "master",
        "repo": "home-manager",
        "type": "github"
      }
@@ -226,11 +226,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752346111,
-        "narHash": "sha256-SVxCIYnbED0rNYSpm3QQoOhqxYRp1GuE9FkyM5Y2afs=",
+        "lastModified": 1765267181,
+        "narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "deff7a9a0aa98a08d8c7839fe2658199ce9828f8",
+        "rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f",
        "type": "github"
      },
      "original": {
@@ -241,11 +241,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1752048960,
-        "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=",
+        "lastModified": 1767185284,
+        "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806",
+        "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
        "type": "github"
      },
      "original": {
@@ -257,16 +257,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1752162966,
-        "narHash": "sha256-3MxxkU8ZXMHXcbFz7UE4M6qnIPTYGcE/7EMqlZNnVDE=",
+        "lastModified": 1768105724,
+        "narHash": "sha256-0edMCoDc1VpuqDjy0oz8cDa4kjRuhXE3040sac2iZW4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "10e687235226880ed5e9f33f1ffa71fe60f2638a",
+        "rev": "4c41b0361812441bf3b4427195e57ab271d5167f",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -295,22 +295,19 @@
        "git-hooks": "git-hooks",
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "nixpkgs-25_05": [
-          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1747965231,
-        "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
+        "lastModified": 1766321686,
+        "narHash": "sha256-icOWbnD977HXhveirqA10zoqvErczVs3NKx8Bj+ikHY=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "53007af63fade28853408370c4c600a63dd97f41",
+        "rev": "7d433bf89882f61621f95082e90a4ab91eb0bdd3",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
-        "ref": "nixos-25.05",
+        "ref": "master",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,7 @@
 {
  inputs = {
    # nixpkgs
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/master";

    # Common Utils Among flake inputs
    systems.url = "github:nix-systems/default";
@@ -19,16 +19,15 @@

    # Home Manager
    home-manager = {
-      url = "github:nix-community/home-manager/release-25.05";
+      url = "github:nix-community/home-manager/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # Mail Server
    simple-nixos-mailserver = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
      inputs = {
        nixpkgs.follows = "nixpkgs";
-        nixpkgs-25_05.follows = "nixpkgs";
        flake-compat.follows = "flake-compat";
      };
    };
@@ -118,7 +117,6 @@
                name = "nixpkgs-patched";
                src = nixpkgs;
                patches = [
-                  # ./patches/gamepadui.patch
                  ./patches/dont-break-nix-serve.patch
                ];
              };
--- a/home/googlebot.nix
+++ b/home/googlebot.nix
@@ -19,10 +19,15 @@ in

  # Modern "ls" replacement
  programs.pls.enable = true;
+  programs.pls.enableFishIntegration = false;
  programs.eza.enable = true;

  # Graphical terminal
  programs.ghostty.enable = thisMachineIsPersonal;
+  programs.ghostty.settings = {
+    theme = "Snazzy";
+    font-size = 10;
+  };

  # Advanced terminal file explorer
  programs.broot.enable = true;
@@ -41,72 +46,13 @@ in
  # tldr: Simplified, example based and community-driven man pages.
  programs.tealdeer.enable = true;

+  home.shellAliases = {
+    sudo = "doas";
+    ls2 = "eza";
+    explorer = "broot";
+  };
+
  programs.zed-editor = {
    enable = thisMachineIsPersonal;
-    extensions = [
-      "nix"
-      "toml"
-      "html"
-      "make"
-      "git-firefly"
-      "vue"
-      "scss"
-    ];
-
-    userSettings = {
-      assistant = {
-        enabled = true;
-        version = "2";
-        default_model = {
-          provider = "openai";
-          model = "gpt-4-turbo";
-        };
-      };
-
-      features = {
-        edit_prediction_provider = "zed";
-      };
-
-      node = {
-        path = lib.getExe pkgs.nodejs;
-        npm_path = lib.getExe' pkgs.nodejs "npm";
-      };
-
-      auto_update = false;
-
-      terminal = {
-        blinking = "off";
-        copy_on_select = false;
-      };
-
-      lsp = {
-        rust-analyzer = {
-          # binary = {
-          #   path = lib.getExe pkgs.rust-analyzer;
-          # };
-          binary = {
-            path = "/run/current-system/sw/bin/nix";
-            arguments = [ "develop" "--command" "rust-analyzer" ];
-          };
-          initialization_options = {
-            cargo = {
-              features = "all";
-            };
-          };
-        };
-      };
-
-      # tell zed to use direnv and direnv can use a flake.nix enviroment.
-      load_direnv = "shell_hook";
-
-      base_keymap = "VSCode";
-      theme = {
-        mode = "system";
-        light = "One Light";
-        dark = "Andrometa";
-      };
-      ui_font_size = 12;
-      buffer_font_size = 12;
-    };
  };
 }
--- a/machines/ephemeral/minimal.nix
+++ b/machines/ephemeral/minimal.nix
@@ -7,12 +7,20 @@
    ../../common/ssh.nix
  ];

-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "e1000"
+    "e1000e"
+    "virtio_pci"
+    "r8169"
+    "sdhci"
+    "sdhci_pci"
+    "mmc_core"
+    "mmc_block"
+  ];
  boot.kernelParams = [
-    "panic=30"
-    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
    "console=ttyS0,115200" # enable serial console
-    "console=tty1"
  ];
  boot.kernel.sysctl."vm.overcommit_memory" = "1";

--- a/machines/fry/default.nix
+++ b/machines/fry/default.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # don't use remote builders
+  nix.distributedBuilds = lib.mkForce false;
+
+  nix.gc.automatic = lib.mkForce false;
+
+  environment.systemPackages = with pkgs; [
+    system76-keyboard-configurator
+  ];
+
+  services.ollama = {
+    enable = true;
+    package = pkgs.ollama-vulkan;
+    host = "127.0.0.1";
+  };
+
+  services.open-webui = {
+    enable = true;
+    host = "127.0.0.1"; # nginx proxy
+    port = 12831;
+    environment = {
+      ANONYMIZED_TELEMETRY = "False";
+      DO_NOT_TRACK = "True";
+      SCARF_NO_ANALYTICS = "True";
+      OLLAMA_API_BASE_URL = "http://localhost:${toString config.services.ollama.port}";
+    };
+  };
+
+  # nginx
+  services.nginx = {
+    enable = true;
+    openFirewall = false; # All nginx services are internal
+    virtualHosts =
+      let
+        mkHost = external: config:
+          {
+            ${external} = {
+              useACMEHost = "fry.neet.dev"; # Use wildcard cert
+              forceSSL = true;
+              locations."/" = config;
+            };
+          };
+        mkVirtualHost = external: internal:
+          mkHost external {
+            proxyPass = internal;
+            proxyWebsockets = true;
+          };
+      in
+      lib.mkMerge [
+        (mkVirtualHost "chat.fry.neet.dev" "http://localhost:${toString config.services.open-webui.port}")
+      ];
+  };
+
+  # Get wildcard cert
+  security.acme.certs."fry.neet.dev" = {
+    dnsProvider = "digitalocean";
+    credentialsFile = "/run/agenix/digitalocean-dns-credentials";
+    extraDomainNames = [ "*.fry.neet.dev" ];
+    group = "nginx";
+    dnsResolver = "1.1.1.1:53";
+    dnsPropagationCheck = false; # sadly this erroneously fails
+  };
+  age.secrets.digitalocean-dns-credentials.file = ../../secrets/digitalocean-dns-credentials.age;
+}
--- a/machines/fry/hardware-configuration.nix
+++ b/machines/fry/hardware-configuration.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, modulesPath, nixos-hardware, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    nixos-hardware.nixosModules.framework-amd-ai-300-series
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  services.fwupd.enable = true;
+
+  # boot
+  boot.loader.systemd-boot.enable = true;
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" "r8169" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # thunderbolt
+  services.hardware.bolt.enable = true;
+
+  # firmware
+  firmware.x86_64.enable = true;
+
+  # disks
+  remoteLuksUnlock.enable = true;
+  boot.initrd.luks.devices."enc-pv" = {
+    device = "/dev/disk/by-uuid/d4f2f25a-5108-4285-968f-b24fb516d4f3";
+    allowDiscards = true;
+  };
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/a8901bc1-8642-442a-940a-ddd3f428cd0f";
+      fsType = "btrfs";
+    };
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/13E5-C9D4";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/03356a74-33f0-4a2e-b57a-ec9dfc9d85c5"; }
+    ];
+
+  # Ensures that dhcp is active during initrd (Network Manager is used post boot)
+  boot.initrd.network.udhcpc.enable = true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/fry/properties.nix
+++ b/machines/fry/properties.nix
@@ -0,0 +1,24 @@
+{
+  hostNames = [
+    "fry"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "personal"
+    "dns-challenge"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/Df5lG07Il7fizEgZR/T9bMlR0joESRJ7cqM9BkOyP";
+
+  userKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5/h6YySqNemA4+e+xslhspBp34ulXKembe3RoeZ5av"
+  ];
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1RC1lhP4TSL2THvKAQAH7Y/eSGQPo/MjhTsZD6CEES";
+    clearnetHost = "192.168.1.3";
+    onionHost = "z7smmigsfrabqfnxqogfogmsu36jhpsyscncmd332w5ioheblw6i4lid.onion";
+  };
+}
--- a/machines/howl/properties.nix
+++ b/machines/howl/properties.nix
@@ -15,10 +15,6 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPnLt84bKhUgFxjQf10+Htro9Lo1Pabqm8mGalBUniv"
  ];

-  deployKeys = [
-    # TODO
-  ];
-
  remoteUnlock = {
    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0N80r0Sl2WlJaUqfxZPkOtYyGumFazkIqq7eq3Gd2o";
    onionHost = "ll6yjnkh4psmfwmtkmqoutl4gq4elqzbmjxv4s6gpgoavyi3kwhjvnqd.onion";
--- a/machines/ponyo/default.nix
+++ b/machines/ponyo/default.nix
@@ -78,7 +78,7 @@
  services.postgresql.package = pkgs.postgresql_15;

  # iodine DNS-based vpn
-  services.iodine.server.enable = true;
+  # services.iodine.server.enable = true;

  # proxied web services
  services.nginx.enable = true;
@@ -95,12 +95,12 @@
    root = "/var/www/tmp";
  };

-  # redirect runyan.org to github
-  services.nginx.virtualHosts."runyan.org" = {
+  # redirect neet.cloud to nextcloud instance on runyan.org
+  services.nginx.virtualHosts."neet.cloud" = {
    enableACME = true;
    forceSSL = true;
    extraConfig = ''
-      rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect;
+      return 302 https://runyan.org$request_uri;
    '';
  };

@@ -109,6 +109,6 @@
  services.owncast.hostname = "live.neet.dev";

  # librechat
-  services.librechat.enable = true;
-  services.librechat.host = "chat.neet.dev";
+  services.librechat-container.enable = true;
+  services.librechat-container.host = "chat.neet.dev";
 }
--- a/machines/router/default.nix
+++ b/machines/router/default.nix
@@ -22,8 +22,7 @@

  # networking.useDHCP = lib.mkForce true;

-  # TODO
-  # networking.usePredictableInterfaceNames = true;
+  networking.usePredictableInterfaceNames = false;

  powerManagement.cpuFreqGovernor = "ondemand";

--- a/machines/router/hardware-configuration.nix
+++ b/machines/router/hardware-configuration.nix
@@ -10,8 +10,6 @@

  # Enable serial output
  boot.kernelParams = [
-    "panic=30"
-    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
    "console=ttyS0,115200n8" # enable serial console
  ];
  boot.loader.grub.extraConfig = "
@@ -23,6 +21,8 @@
  # firmware
  firmware.x86_64.enable = true;
  nixpkgs.config.allowUnfree = true;
+  hardware.enableRedistributableFirmware = true;
+  hardware.enableAllFirmware = true;

  # boot
  bios = {
@@ -31,20 +31,18 @@
  };

  # disks
-  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
  fileSystems."/" =
    {
-      device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
-      fsType = "btrfs";
+      device = "/dev/disk/by-uuid/6aa7f79e-bef8-4b0f-b22c-9d1b3e8ac94b";
+      fsType = "ext4";
    };
  fileSystems."/boot" =
    {
-      device = "/dev/disk/by-uuid/d97f324f-3a2e-4b84-ae2a-4b3d1209c689";
+      device = "/dev/disk/by-uuid/14dfc562-0333-4ddd-b10c-4eeefe1cd05f";
      fsType = "ext3";
    };
  swapDevices =
-    [{ device = "/dev/disk/by-uuid/45bf58dd-67eb-45e4-9a98-246e23fa7abd"; }];
+    [{ device = "/dev/disk/by-uuid/adf37c64-3b54-480c-a9a7-099d61c6eac7"; }];

  nixpkgs.hostPlatform = "x86_64-linux";
 }
--- a/machines/router/properties.nix
+++ b/machines/router/properties.nix
@@ -0,0 +1,17 @@
+{
+  hostNames = [
+    "router"
+    "192.168.6.159"
+    "192.168.3.1"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "server"
+    "wireless"
+    "router"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDCMhEvWJxFBNyvpyuljv5Uun8AdXCxBK9HvPBRe5x6";
+}
--- a/machines/router/properties.nix.disabled
+++ b/machines/router/properties.nix.disabled
@@ -1,21 +0,0 @@
-{
-  hostNames = [
-    "router"
-    "192.168.1.228"
-  ];
-
-  arch = "x86_64-linux";
-
-  systemRoles = [
-    "server"
-    "wireless"
-    "router"
-  ];
-
-  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
-
-  remoteUnlock = {
-    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
-    onionHost = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
-  };
-}
--- a/machines/router/router.nix
+++ b/machines/router/router.nix
@@ -31,8 +31,10 @@ in
    networking.bridges = {
      br0 = {
        interfaces = [
-          "enp2s0"
-          "wlp4s0"
+          "eth2"
+          # "wlp4s0"
+          # "wlan1"
+          "wlan0"
          "wlan1"
        ];
      };
@@ -64,142 +66,173 @@ in

    services.dnsmasq = {
      enable = true;
-      extraConfig = ''
+      settings = {
        # sensible behaviours
-        domain-needed
-        bogus-priv
-        no-resolv
+        domain-needed = true;
+        bogus-priv = true;
+        no-resolv = true;

        # upstream name servers
-        server=1.1.1.1
-        server=8.8.8.8
+        server = [
+          "1.1.1.1"
+          "8.8.8.8"
+        ];

        # local domains
-        expand-hosts
-        domain=home
-        local=/home/
+        expand-hosts = true;
+        domain = "home";
+        local = "/home/";

        # Interfaces to use DNS on
-        interface=br0
+        interface = "br0";

        # subnet IP blocks to use DHCP on
-        dhcp-range=${cfg.privateSubnet}.10,${cfg.privateSubnet}.254,24h
-      '';
+        dhcp-range = "${cfg.privateSubnet}.10,${cfg.privateSubnet}.254,24h";
+      };
    };

    services.hostapd = {
      enable = true;
      radios = {
-        # 2.4GHz
-        wlp4s0 = {
-          band = "2g";
-          noScan = true;
-          channel = 6;
+        # Simple 2.4GHz AP
+        wlan0 = {
          countryCode = "US";
-          wifi4 = {
-            capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ];
-          };
-          wifi5 = {
-            operatingChannelWidth = "20or40";
-            capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
-          };
-          wifi6 = {
-            enable = true;
-            singleUserBeamformer = true;
-            singleUserBeamformee = true;
-            multiUserBeamformer = true;
-            operatingChannelWidth = "20or40";
-          };
-          networks = {
-            wlp4s0 = {
-              ssid = "CXNK00BF9176";
-              authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
-            };
-            # wlp4s0-1 = {
-            #   ssid = "- Experimental 5G Tower by AT&T";
-            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
-            # };
-            # wlp4s0-2 = {
-            #   ssid = "FBI Surveillance Van 2";
-            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
-            # };
-          };
-          settings = {
-            he_oper_centr_freq_seg0_idx = 8;
-            vht_oper_centr_freq_seg0_idx = 8;
+          networks.wlan0 = {
+            ssid = "CXNK00BF9176-1";
+            authentication.saePasswords = [{ passwordFile = "/run/agenix/hostapd-pw-CXNK00BF9176"; }];
          };
        };

-        # 5GHz
+        # WiFi 5 (5GHz) with two advertised networks
        wlan1 = {
          band = "5g";
-          noScan = true;
-          channel = 128;
+          channel = 0;
          countryCode = "US";
-          wifi4 = {
-            capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ];
-          };
-          wifi5 = {
-            operatingChannelWidth = "160";
-            capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
-          };
-          wifi6 = {
-            enable = true;
-            singleUserBeamformer = true;
-            singleUserBeamformee = true;
-            multiUserBeamformer = true;
-            operatingChannelWidth = "160";
-          };
-          networks = {
-            wlan1 = {
-              ssid = "CXNK00BF9176";
-              authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
-            };
-            # wlan1-1 = {
-            #   ssid = "- Experimental 5G Tower by AT&T";
-            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
-            # };
-            # wlan1-2 = {
-            #   ssid = "FBI Surveillance Van 5";
-            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
-            # };
-          };
-          settings = {
-            vht_oper_centr_freq_seg0_idx = 114;
-            he_oper_centr_freq_seg0_idx = 114;
+          networks.wlan1 = {
+            ssid = "CXNK00BF9176-1";
+            authentication.saePasswords = [{ passwordFile = "/run/agenix/hostapd-pw-CXNK00BF9176"; }];
          };
        };
      };
    };
-    age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
    age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;

-    hardware.firmware = [
-      pkgs.mt7916-firmware
-    ];
+    # wlan0 5Ghz 00:0a:52:08:38:32
+    # wlp4s0 2.4Ghz 00:0a:52:08:38:33

-    nixpkgs.overlays = [
-      (self: super: {
-        mt7916-firmware = pkgs.stdenvNoCC.mkDerivation {
-          pname = "mt7916-firmware";
-          version = "custom-feb-02-23";
-          src = ./firmware/mediatek; # from here https://github.com/openwrt/mt76/issues/720#issuecomment-1413537674
-          dontBuild = true;
-          installPhase = ''
-            for i in \
-              mt7916_eeprom.bin \
-              mt7916_rom_patch.bin \
-              mt7916_wa.bin \
-              mt7916_wm.bin;
-            do
-              install -D -pm644 $i $out/lib/firmware/mediatek/$i
-            done
-          '';
-          meta = with lib; {
-            license = licenses.unfreeRedistributableFirmware;
-          };
-        };
-      })
-    ];
+    # services.hostapd = {
+    #   enable = true;
+    #   radios = {
+    #     # 2.4GHz
+    #     wlp4s0 = {
+    #       band = "2g";
+    #       noScan = true;
+    #       channel = 6;
+    #       countryCode = "US";
+    #       wifi4 = {
+    #         capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ];
+    #       };
+    #       wifi5 = {
+    #         operatingChannelWidth = "20or40";
+    #         capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
+    #       };
+    #       wifi6 = {
+    #         enable = true;
+    #         singleUserBeamformer = true;
+    #         singleUserBeamformee = true;
+    #         multiUserBeamformer = true;
+    #         operatingChannelWidth = "20or40";
+    #       };
+    #       networks = {
+    #         wlp4s0 = {
+    #           ssid = "CXNK00BF9176";
+    #           authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
+    #         };
+    #         # wlp4s0-1 = {
+    #         #   ssid = "- Experimental 5G Tower by AT&T";
+    #         #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+    #         # };
+    #         # wlp4s0-2 = {
+    #         #   ssid = "FBI Surveillance Van 2";
+    #         #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+    #         # };
+    #       };
+    #       settings = {
+    #         he_oper_centr_freq_seg0_idx = 8;
+    #         vht_oper_centr_freq_seg0_idx = 8;
+    #       };
+    #     };
+
+    #     # 5GHz
+    #     wlan1 = {
+    #       band = "5g";
+    #       noScan = true;
+    #       channel = 128;
+    #       countryCode = "US";
+    #       wifi4 = {
+    #         capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ];
+    #       };
+    #       wifi5 = {
+    #         operatingChannelWidth = "160";
+    #         capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
+    #       };
+    #       wifi6 = {
+    #         enable = true;
+    #         singleUserBeamformer = true;
+    #         singleUserBeamformee = true;
+    #         multiUserBeamformer = true;
+    #         operatingChannelWidth = "160";
+    #       };
+    #       networks = {
+    #         wlan1 = {
+    #           ssid = "CXNK00BF9176";
+    #           authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
+    #         };
+    #         # wlan1-1 = {
+    #         #   ssid = "- Experimental 5G Tower by AT&T";
+    #         #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+    #         # };
+    #         # wlan1-2 = {
+    #         #   ssid = "FBI Surveillance Van 5";
+    #         #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+    #         # };
+    #       };
+    #       settings = {
+    #         vht_oper_centr_freq_seg0_idx = 114;
+    #         he_oper_centr_freq_seg0_idx = 114;
+    #       };
+    #     };
+    #   };
+    # };
+    # age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
+    # age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;
+
+    # hardware.firmware = [
+    #   pkgs.mt7916-firmware
+    # ];
+
+    # nixpkgs.overlays = [
+    #   (self: super: {
+    #     mt7916-firmware = pkgs.stdenvNoCC.mkDerivation {
+    #       pname = "mt7916-firmware";
+    #       version = "custom-feb-02-23";
+    #       src = ./firmware/mediatek; # from here https://github.com/openwrt/mt76/issues/720#issuecomment-1413537674
+    #       dontBuild = true;
+    #       installPhase = ''
+    #         for i in \
+    #           mt7916_eeprom.bin \
+    #           mt7916_rom_patch.bin \
+    #           mt7916_wa.bin \
+    #           mt7916_wm.bin;
+    #         do
+    #           install -D -pm644 $i $out/lib/firmware/mediatek/$i
+    #         done
+    #       '';
+    #       meta = with lib; {
+    #         license = licenses.unfreeRedistributableFirmware;
+    #       };
+    #     };
+    #   })
+    # ];
  };
 }
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -20,13 +20,13 @@
    secretKeyFile = "/run/agenix/binary-cache-private-key";
  };
  age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
-  users.users.cache-push = {
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
-  };
-  nix.settings = {
-    trusted-users = [ "cache-push" ];
-  };
+  # users.users.cache-push = {
+  #   isNormalUser = true;
+  #   openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
+  # };
+  # nix.settings = {
+  #   trusted-users = [ "cache-push" ];
+  # };

  services.iperf3.enable = true;
  services.iperf3.openFirewall = true;
@@ -104,6 +104,7 @@

    services.transmission = {
      enable = true;
+      package = pkgs.transmission_4;
      performanceNetParameters = true;
      user = "public_data";
      group = "public_data";
@@ -179,15 +180,10 @@
  # I could not figure out how to allow the container to access the encoder
  services.jellyfin.enable = true;
  users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
-  nixpkgs.config.packageOverrides = pkgs: {
-    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
-  };
  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      intel-media-driver
-      vaapiIntel
-      vaapiVdpau
      libvdpau-va-gl
      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
    ];
@@ -237,7 +233,7 @@
            globalRedirect = "s0.neet.dev";
          };
        }
-        (mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
+        (mkVirtualHost "ha.s0.neet.dev" "http://localhost:${toString config.services.home-assistant.config.http.server_port}")
        (mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
        (mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
        {
@@ -251,6 +247,10 @@
        (mkVirtualHost "sandman.s0.neet.dev" "http://192.168.9.14:3000") # es
        (mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
        (mkVirtualHost "budget.s0.neet.dev" "http://localhost:${toString config.services.actual.settings.port}") # actual budget
+        (mkVirtualHost "linkwarden.s0.neet.dev" "http://localhost:${toString config.services.linkwarden.port}")
+        (mkVirtualHost "memos.s0.neet.dev" "http://localhost:${toString config.services.memos.settings.MEMOS_PORT}")
+        (mkVirtualHost "outline.s0.neet.dev" "http://localhost:${toString config.services.outline.port}")
+        (mkVirtualHost "languagetool.s0.neet.dev" "http://localhost:${toString config.services.languagetool.port}")
      ];

    tailscaleAuth = {
@@ -271,6 +271,11 @@
        "zigbee.s0.neet.dev"
        "vacuum.s0.neet.dev"
        "todo.s0.neet.dev"
+        "budget.s0.neet.dev"
+        "linkwarden.s0.neet.dev"
+        # "memos.s0.neet.dev" # messes up memos /auth route
+        # "outline.s0.neet.dev" # messes up outline /auth route
+        "languagetool.s0.neet.dev"
      ];
      expectedTailnet = "koi-bebop.ts.net";
    };
@@ -314,5 +319,54 @@

  services.actual.enable = true;

+  services.linkwarden = {
+    enable = true;
+    enableRegistration = true;
+    port = 41709;
+    environment.NEXTAUTH_URL = "https://linkwarden.s0.neet.dev/api/v1/auth";
+    environmentFile = "/run/agenix/linkwarden-environment";
+  };
+  age.secrets.linkwarden-environment.file = ../../../secrets/linkwarden-environment.age;
+  services.meilisearch = {
+    enable = true;
+    package = pkgs.meilisearch;
+  };
+
+  services.flaresolverr = {
+    enable = true;
+    port = 48072;
+  };
+
+  services.memos = {
+    enable = true;
+    settings.MEMOS_PORT = "57643";
+  };
+
+  services.outline = {
+    enable = true;
+    forceHttps = false; # https through nginx
+    port = 43933;
+    publicUrl = "https://outline.s0.neet.dev";
+    storage.storageType = "local";
+    smtp = {
+      secure = true;
+      fromEmail = "robot@runyan.org";
+      username = "robot@runyan.org";
+      replyEmail = "robot@runyan.org";
+      host = "mail.neet.dev";
+      port = 465;
+      passwordFile = "/run/agenix/robots-email-pw";
+    };
+  };
+  age.secrets.robots-email-pw = {
+    file = ../../../secrets/robots-email-pw.age;
+    owner = config.services.outline.user;
+  };
+
+  services.languagetool = {
+    enable = true;
+    port = 60613;
+  };
+
  boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
 }
--- a/machines/storage/s0/frigate.nix
+++ b/machines/storage/s0/frigate.nix
@@ -84,6 +84,11 @@ lib.mkMerge [
    services.frigate = {
      enable = true;
      hostname = frigateHostname;
+
+      # Sadly this fails because it doesn't support frigate's var substition format
+      # which is critical... so what's even the point of it then?
+      checkConfig = false;
+
      settings = {
        mqtt = {
          enabled = true;
@@ -136,37 +141,16 @@ lib.mkMerge [
  }
  {
    # hardware encode/decode with amdgpu vaapi
-    systemd.services.frigate = {
-      environment.LIBVA_DRIVER_NAME = "radeonsi";
-      serviceConfig = {
-        SupplementaryGroups = [ "render" "video" ]; # for access to dev/dri/*
-        AmbientCapabilities = "CAP_PERFMON";
-      };
-    };
+    services.frigate.vaapiDriver = "radeonsi";
    services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi";
  }
  {
    # Coral TPU for frigate
-    services.udev.packages = [ pkgs.libedgetpu ];
-    users.groups.apex = { };
-    systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
-    systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
-
-    # Coral PCIe driver
-    boot.extraModulePackages = with config.boot.kernelPackages; [ gasket ];
-    services.udev.extraRules = ''
-      SUBSYSTEM=="apex", MODE="0660", GROUP="apex"
-    '';
-
    services.frigate.settings.detectors.coral = {
      type = "edgetpu";
      device = "pci";
    };
  }
-  {
-    # Fix bug in nixos module where cache is not cleared when starting the service because "rm" cannot be found
-    systemd.services.frigate.serviceConfig.ExecStartPre = lib.mkForce "${pkgs.bash}/bin/sh -c 'rm -f /var/cache/frigate/*.mp4'";
-  }
  {
    # Don't require authentication for frigate
    # This is ok because the reverse proxy already requires tailscale access anyway
--- a/machines/storage/s0/hardware-configuration.nix
+++ b/machines/storage/s0/hardware-configuration.nix
@@ -58,43 +58,48 @@
    };
  swapDevices = [ ];

+  ### networking ###
+
+  # systemd.network.enable = true;
  networking = {
-    dhcpcd.enable = false;
+    # useNetworkd = true;
+    dhcpcd.enable = true;
+    interfaces."eth0".useDHCP = true;
+    interfaces."eth1".useDHCP = false;
+    interfaces."main@eth1".useDHCP = true;
+    interfaces."iot@eth1".useDHCP = true;
+    interfaces."management@eth1".useDHCP = true;

    vlans = {
+      main = {
+        id = 5;
+        interface = "eth1";
+      };
      iot = {
        id = 2;
        interface = "eth1";
      };
+      management = {
+        id = 4;
+        interface = "eth1";
+      };
    };

-    interfaces.eth1.ipv4.addresses = [{
-      address = "192.168.1.2";
-      prefixLength = 21;
-    }];
-    interfaces.iot.ipv4.addresses = [{
-      address = "192.168.9.8";
-      prefixLength = 22;
-    }];
+    # interfaces.eth1.ipv4.addresses = [{
+    #   address = "192.168.1.2";
+    #   prefixLength = 21;
+    # }];
+    # interfaces.iot.ipv4.addresses = [{
+    #   address = "192.168.9.8";
+    #   prefixLength = 22;
+    # }];

-    defaultGateway = "192.168.1.1";
-    nameservers = [ "1.1.1.1" "8.8.8.8" ];
+    defaultGateway = {
+      # interface = "eth1";
+      address = "192.168.1.1";
+    };
+    # nameservers = [ "1.1.1.1" "8.8.8.8" ];
  };
-
-  # networking = {
-  #   vlans = {
-  #     iot = {
-  #       id = 2;
-  #       interface = "eth1";
-  #     };
-  #   };
-
-  #   defaultGateway = {
-  #     interface = "eth1";
-  #     address = "192.168.1.1";
-  #     metric = 10; # always use this route as default gateway
-  #   };
-  # };

  powerManagement.cpuFreqGovernor = "powersave";
 }
--- a/machines/storage/s0/home-automation.nix
+++ b/machines/storage/s0/home-automation.nix
@@ -15,13 +15,20 @@
    ];
  };
  networking.firewall.allowedTCPPorts = [
-    1883 # mqtt
+    # mqtt
+    1883
+
+    # Must be exposed so some local devices (such as HA voice preview) can pair with home assistant
+    config.services.home-assistant.config.http.server_port
+
+    # Music assistant (must be exposed so local devices can fetch the audio stream from it)
+    8095
+    8097
  ];

  services.zigbee2mqtt = {
    enable = true;
    settings = {
-      homeassistant = true;
      permit_join = false;
      serial = {
        adapter = "ember";
@@ -75,12 +82,23 @@
      "homekit_controller"
      "zha"
      "bluetooth"
+      "whisper"
+      "piper"
+      "wyoming"
+      "tts"
+      "music_assistant"
+      "openai_conversation"
    ];
    config = {
      # Includes dependencies for a basic setup
      # https://www.home-assistant.io/integrations/default_config/
      default_config = { };

+      homeassistant = {
+        external_url = "https://ha.s0.neet.dev";
+        internal_url = "http://192.168.1.2:${toString config.services.home-assistant.config.http.server_port}";
+      };
+
      # Enable reverse proxy support
      http = {
        use_x_forwarded_for = true;
@@ -105,4 +123,33 @@
      };
    };
  };
+
+  services.wyoming.faster-whisper.servers."hass" = {
+    enable = true;
+    uri = "tcp://0.0.0.0:45785";
+    model = "distil-small.en";
+    language = "en";
+  };
+
+  services.wyoming.piper.servers."hass" = {
+    enable = true;
+    uri = "tcp://0.0.0.0:45786";
+    voice = "en_US-joe-medium";
+  };
+
+  services.music-assistant = {
+    enable = true;
+    providers = [
+      "hass"
+      "hass_players"
+      "jellyfin"
+      "radiobrowser"
+      "spotify"
+    ];
+  };
+  networking.hosts = {
+    # Workaround for broken spotify api integration
+    # https://github.com/librespot-org/librespot/issues/1527#issuecomment-3167094158
+    "0.0.0.0" = [ "apresolve.spotify.com" ];
+  };
 }
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -15,6 +15,9 @@
    "frigate"
    "zigbee"
    "media-server"
+    "linkwarden"
+    "outline"
+    "dns-challenge"
  ];

  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
--- a/machines/zoidberg/default.nix
+++ b/machines/zoidberg/default.nix
@@ -20,10 +20,6 @@
    );
  services.mount-samba.enable = true;

-  # Login DE Option: RetroArch
-  services.xserver.desktopManager.retroarch.enable = true;
-  services.xserver.desktopManager.retroarch.package = pkgs.retroarchFull;
-
  # wireless xbox controller support
  hardware.xone.enable = true;
  boot.kernelModules = [ "xone-wired" "xone-dongle" ];
@@ -39,28 +35,6 @@
    "L+    /opt/rocm/hip   -    -    -     -    ${pkgs.rocmPackages.clr}"
  ];

-  # System wide barrier instance
-  # systemd.services.barrier-sddm = {
-  #   description = "Barrier mouse/keyboard share";
-  #   requires = [ "display-manager.service" ];
-  #   after = [ "network.target" "display-manager.service" ];
-  #   wantedBy = [ "multi-user.target" ];
-  #   serviceConfig = {
-  #     Restart = "always";
-  #     RestartSec = 10;
-  #     # todo use user/group
-  #   };
-  #   path = with pkgs; [ barrier doas ];
-  #   script = ''
-  #     # Wait for file to show up. "display-manager.service" finishes a bit too soon
-  #     while ! [ -e /run/sddm/* ]; do sleep 1; done;
-  #     export XAUTHORITY=$(ls /run/sddm/*)
-  #     # Disable crypto is fine because tailscale is E2E encrypting better than barrier could anyway
-  #     barrierc -f --disable-crypto --name zoidberg ray.koi-bebop.ts.net
-  #   '';
-  # };
-
-  # Login into X11 plasma so barrier works well
  services.displayManager.defaultSession = "plasma";

  users.users.cris = {
@@ -89,19 +63,17 @@
  };

  environment.systemPackages = with pkgs; [
-    jellyfin-media-player
    config.services.xserver.desktopManager.kodi.package
    spotify
-    retroarchFull
  ];

  # Command and Conquer Ports
  networking.firewall.allowedUDPPorts = [ 4321 27900 ];
  networking.firewall.allowedTCPPorts = [ 6667 28910 29900 29920 ];

-  nixpkgs.config.rocmSupport = true;
  services.ollama = {
    enable = true;
-    acceleration = "rocm";
+    package = pkgs.ollama-vulkan;
+    host = "127.0.0.1";
  };
 }
--- a/patches/dont-break-nix-serve.patch
+++ b/patches/dont-break-nix-serve.patch
@@ -1,8 +1,8 @@
 diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
-index 49f8ed673816..643b59d68dde 100644
+index f8d8f64e55da..39326d094118 100644
 --- a/nixos/modules/services/video/frigate.nix
 +++ b/nixos/modules/services/video/frigate.nix
-@@ -482,10 +482,6 @@ in
+@@ -609,10 +609,6 @@ in
           };
         };
         extraConfig = ''
--- a/patches/gamepadui.patch
+++ b/patches/gamepadui.patch
@@ -1,13 +0,0 @@
-diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix
-index 29c449c16946..f6c728eb7f0c 100644
--- a/nixos/modules/programs/steam.nix
-+++ b/nixos/modules/programs/steam.nix
-@@ -11,7 +11,7 @@ let
-   in
-     pkgs.writeShellScriptBin "steam-gamescope" ''
-       ${builtins.concatStringsSep "\n" exports}
-      gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -tenfoot -pipewire-dmabuf
-+      gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -gamepadui -steamdeck -pipewire-dmabuf &> /tmp/steamlog
-     '';
- 
-   gamescopeSessionFile =
--- a/secrets/backblaze-s3-backups.age
+++ b/secrets/backblaze-s3-backups.age
@@ -1,24 +1,31 @@
 age-encryption.org/v1
-> ssh-ed25519 N7drjg YHZO6ENbBihFQFqRRjdWtgfX3R+qHtaJWIa54igHpEc
-HLeZDyErwJme8knPYCxuSXMmHBkz2kDI6OBG6/EtP7w
-> ssh-ed25519 yHDAQw 2YvHNNsiDJSUkKZOlhWzP4l1NfH0zTnldZV4Jjfy620
-dHM0wG9JLiQJJ+NquhPeI/xv1iEqsxRy9D//NcYTr8k
-> ssh-ed25519 jQaHAA QtNkLsgdVgJqbmxLFhaf7AIG208NXHzgBweO8L3Dc3E
-SGjvdajk9M5azgP4QcynnxKieKEJYil1T2az4hYffdM
-> ssh-ed25519 w3nu8g JuFJuOdVOc8Uk5es2rpqPVHgg+l6/K0J+MHDFuffn0A
-n7tzohV+Uvecu6GVNeht/O/dL4x6e5SVdHEzRbJg3rI
-> ssh-ed25519 dMQYog 44RRRe8M2FJWigy3d9TNaUQSM47gLDgU38F6ow1Xe2c
-uQVkQma/hZVMCMtgcelyZhscvc46LItvbcPBuJI81Ns
-> ssh-ed25519 WBT1Hw +b+2TOduL4XERN7qOYPtJ3R5w54m7VYqmyy8Smz6tXU
-TyQ+bjSK6IYSulW0rm12V+lpXYCt5kr3byaNNGJeMVc
-> ssh-ed25519 6AT2/g ZUmtQOHWmn0shq1iP3Ca7aQ74PLcqZGTprvsM/HAXR8
-eNonzRSAwNCQi0DgtVs67zCjpOYsqeLEJYBmLjuS9rI
-> ssh-ed25519 hPp1nw qzrGZr5bFvfPwWrfNIUFubvGXBT+oQo9HZQuePSbPwk
-MKNlVl3OXBYEFWiu2hbbXDQnqkV4nENG+lcLcd+H33I
-> ssh-ed25519 w3nu8g H2UDASHwHNxU74g5IbuHIDHEZYgyWNmSX7Wv/lV41HQ
-WMgKT0GZxWQoK57E9B2j8MsyOroMhWd5SiCQtZa7AIY
-> ssh-ed25519 dMQYog YkL6XApXeP9qc4pVaIHFaNmYIK/PVEKoJz5SotQbGmQ
-H+3wAxIl9Yip4xQqjhje9tL1V4m00NNSxNjH6Dbb1K8
--- vBQpXXpKzzXwpNP17r8OBqO4Q3bIS4pHqbEl4u9dB1w
-ÎL“9[íg¡dŒxgº8Ø*0‘«šœ’…·¾öWå&`*?`ÔÊIQÛ÷Ýd1*ª–ñ¶bM\‹<>D™+«)‡
-\ƒg¤hDá3#k3;Åj¾ÞŽ±Ý¾Hš·ÙF&ÙX	%6˜Bî8”¹T·fG`Q¯®âñ?[hDªö*c
+-> ssh-ed25519 qEbiMg V0tr/++dhQWcgmy46gcBm3t5qffN6N4ykabjMGdLLxg
+oCCUu3kOopP5JgYAiytDrxHOo3LVtyAu1OAmJRg1nV8
+-> ssh-ed25519 N7drjg HAu/AkGATNY7L3O2ospdN+r+KKVWD1yzi/kKmH5Fhzc
+p8Y2vToiWACE/LNXa14fbAwuc5FfgR5day8Gu1uSVL8
+-> ssh-ed25519 jQaHAA YuZH6pmrOAgzPNA2Mx7u827fYXOHJQ9XW8XR5h7XAFs
+x1urfkuEH/1hHxBDK1Y7vjQMSUpUIj7uK7EGs/GtNk4
+-> ssh-ed25519 ZDy34A AFzSzksrxlpyZfromJSB7u2HTVf7EC8Aydb7U0mQWUs
+eWffyc2OIIEBxkk3y68xSzrDbheTzKnlilEt2VoNSaI
+-> ssh-ed25519 w3nu8g MSI33XCDIZN4azrtb6hh6k6Gl1BYwaRK5/ROS6DHj10
+kg057sgb1LLkoNgzTmCdgoM35BqV2gRjk4GLIytR8ng
+-> ssh-ed25519 evqvfg Rssqwh73ihyNldaHFb65m0PGIi0VAySg7bHK8BTrHRI
+bNCBI3MvfFT88sgVFbgCaOrRozcDMISdCn9IJJeACOI
+-> ssh-ed25519 WBT1Hw y+gFWQQ/FbD1im+D6rcsGsVOYpfkgw0b2P6Gx4J+5WM
+od9fIeEqmEbMd0Bv+iI3UdUl2MtelF/Q+ew+4wKU6nw
+-> ssh-ed25519 6AT2/g +sWGzEbUwMjkY+oTFa72/wbP0VejtVpvEJocmb4ApjY
+2HipJHjD9dKzUSWdBCVkDgpUtHNaQl7WJFvEPS6fpxw
+-> ssh-ed25519 r848+g BTw707tEO/KQhhKsWgYYdGC+pdQyA4zhaHLt6BFen3E
+ldBDOfC7/8vkOS01D/solHplEeIMvArHZsJL31FMYdg
+-> ssh-ed25519 hPp1nw Sbzvkbw5FauhfNT1oQjjycUZ84c6sijyUlYgCc7bzjE
+WQJ3KW8pGB8i0I7yI0/Tr99wTCsZwEtSWpUm4CiU/wA
+-> ssh-ed25519 ZDy34A I4d/QR9LScC9NpN5upKITEc2BjJXKb4BiF/FZwpcW1Y
+r+hmbq4s4N5RuhlmTn7/SuBBdfRv/mzDbq++tbK7s2M
+-> ssh-ed25519 w3nu8g Ut4z05l9uePnZRI38zmLvcgRdvCcy+YmFkn1IiqDRk8
+64uJWpnsfmfc7z5JZnTnwHNPsp52B3/YFgIvT8Bt3GY
+-> ssh-ed25519 evqvfg a6ZizyN6wCKvPtpu2hgPeQ8YTBouC+y8iQFeaJ46Ygg
+olN0U7gzDid2EbhO4kGhhZjo7cvI/y+I7yeahrgS63Y
+--- MQfYtj3KvglxbRIcFSCtH3XdKElzS84QEfMhvcYN8ms
+†ÌØàÕFwHçŒ§¿2&öÐ+é®‘L
+çr\ÊÚ2‘<À<>q§“*Ù,
+0¥}ÌanZHÅmF5ª# \îêÎnInŽiªó)<29>ÿ´–xµKž}7cÁeð e¶å_6;–ðŽ„>e=¢„ˆÐXiK!Š~—³ú¿Ùò÷C2gS;â‡£Å8
--- a/secrets/binary-cache-private-key.age
+++ b/secrets/binary-cache-private-key.age
--- a/secrets/binary-cache-push-sshkey.age
+++ b/secrets/binary-cache-push-sshkey.age
--- a/secrets/cris-hashed-email-pw.age
+++ b/secrets/cris-hashed-email-pw.age
--- a/secrets/digitalocean-dns-credentials.age
+++ b/secrets/digitalocean-dns-credentials.age
--- a/secrets/frigate-credentials.age
+++ b/secrets/frigate-credentials.age
@@ -1,7 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 hPp1nw zOXF7NsZjm+DCYrJ+Ap2mX35JUt37CLJP1RhyOjB/XE
-ePprJM2cnhYZhP8aJUXOZeGHJm/DHlRYomWN+lFaU6w
-> ssh-ed25519 w3nu8g gjeFAbFWXyPdGauKHXAzuIP9fmaj2Oysq9fHO8q7u38
-KiMR0pgEPtsfZnYAIsH7UHNhnsB6rtsW/hqV03uS2dI
--- BPzPECz1g6vEv4OlRn6+FnWP9oq3tn6TN2o867icxYA
-}ìjºùŽ+l&þàx<C3A0>-TïÝ‹b‡ÅèØÄ·<C384>€Dg‰ñgc’*ˆ0<CB86>÷µcp
+-> ssh-ed25519 hPp1nw MMPi5i5lVf/mcXOraMoErj12pjLWQppVTc18kMFTskM
+eez7lnpUwseCP/5MZRxjyPZ11gfLHBYPPGEUXUftrAU
+-> ssh-ed25519 ZDy34A dzbWYENdNUIHId+2XUt+gLpnw8xaVsSHrWfIhhBTYBI
+NszPXqq/beWLE9pKMhbXYSEB3WDaU2EPy66yPC+oU+Y
+-> ssh-ed25519 w3nu8g HjJYUyssutwK+bO120fPZoycsIEdLL0gnX1UDMHJKlY
+jjr1bEAD4HHN1Hbdtj8VR6CqfkTHXZ6huJQ1fnp83s4
+-> ssh-ed25519 evqvfg nNibZIdrlMqQXZYT+qFPyd8uB1gZgDjPdfIS7RRjJCM
+5LNiRyVpkJr4x1CtV+FRsLF+Tk1KUQDFIrTBQVw3N5c
+--- 7dJKHwTqDkiiZaojRRK0mpxWopbhLwydPwFXtden9iI
+'oºé¹òîÌä<C38C>:Ö=1õ¶Bc×°Vd	qâÀ‚=Þÿ¸¸°µïëŽ€ˆÔjÿ`Ç¦ÎéÏÎ&åÂ@Ûó½Ç5RQØ´’Ûh™ÞOÉÓÅPŽá£Cv7ü<37>A ûw£s±¸¥QÀR<C380>ÙO<C2AD>M‘"Wèí*<2A>sÝß¤â×a`Æp¬
--- a/secrets/gitea-actions-runner-token.age
+++ b/secrets/gitea-actions-runner-token.age
@@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 WBT1Hw PbGwwDeulHF6kdh073rq0RvD1hlx6spnKNgKU+QeDAw
-7dITwSQ2p1LZuaVEzLxcGOhB97MQT2zGoRrnNUMcOFk
-> ssh-ed25519 hPp1nw Dn+5Fpme+JmRZKkCkqtCuD87p+sDYDA6OZ2aUmBkCRs
-Dgg3orXF4RYT/fHtc2tRuIhOQu48zICMqgPyV47vpf4
-> ssh-ed25519 w3nu8g dghNLDH1Tm+sm42HXDhrLFtmU4iDF1yCGrO2VSgzZjo
-71scUVrGr4c4dunAFJYKd+uJ6aYJpSWBAk9swbv+IzM
-> ssh-ed25519 dMQYog Wnl1+rh0Q3YD2s1UD0OYVm39wY/Uw1NRK3K7EFhFMls
-wXF6QBonlCalS1vI9cxzWgv1Gi+yAtYn6HrYCfpl5Nw
--- rLOoGk0iX+wuNd1CKv7g2PRd2Ic+8JHCQhrVBaF9zbE
-<EFBFBD>òüüË¤/A¦Ì(ØiHC¸@¢Þð‰h`ˆ3ªá´'	¬ÚöáDì>ð¿¤~¸ÿÁö?ÑÃMêÙ@<40>t°(“Ò@ö×¿^xÆMÉ}
+-> ssh-ed25519 hPp1nw CSR2HrrPUfaeOgAa3vt4yuQOrqyu0qnFBmTT2O4Rdnc
+nYiiPmn/4Qmrc5VOK+/mmtzKD9xdvEF6SmRiPi/aFqs
+-> ssh-ed25519 ZDy34A cmlgkgy5QvYYn6nHymo0u723S470qvUFt0Ubp6ggKj8
+8ACCrqGCkVbuFMNoGKMd67oMtZWhQHBigU7Tdqoqy80
+-> ssh-ed25519 w3nu8g GWytr1KtsXVQt6CKqqdjH92/Lc7aBjqa2N80oqeOdwU
+c9GfCkKIaxMgsKWplXIQjiB5c6UE+UkRd4xlg1I5JSA
+-> ssh-ed25519 evqvfg K4Z7DqPilKW9kEfFLDzJ7c2G6PvjRhxhCTEuw0Tw8hU
+QsVD2iKObcP7HyVCXn9gPWvewn2Jm/OYLA1Eu6MRP1k
+--- DGe/5H+9vk1EGj/mkUnvzk4VC5JVDIwVeaD78EHRiiI
+êPŸËÓ²ûªÒÖ duÀÉr†¿"KÇ"©„M¬áÆ©xó3 ®²Æ ú™*J.Y_ÃíT%<25>tµ(ÿYÊµ´8/Qa©r]ÍmÑÿÒ–¤º‘
--- a/secrets/hashed-email-pw.age
+++ b/secrets/hashed-email-pw.age
@@ -1,9 +1,12 @@
 age-encryption.org/v1
-> ssh-ed25519 6AT2/g 98/m3t8axoVBE6WzdxBtRhV2uSQKSCXwQjyxfWXPmQk
-AxV0FTvqbWfk/gf65d05PcotbEnYr4PgDQnsaYxP/MU
-> ssh-ed25519 w3nu8g jys7B4COD4iINANeSCD3BqGFoghxTmsbuXoOOIiP+wQ
-b7eSN5fe4szfliINOr7ZQ7AoSsIK5akmIQ6uLDabcIE
-> ssh-ed25519 dMQYog ToNUqTPYmxpz9OUcC94egELcPfHQHCErfHN6l9kSrRY
-2KoSVoWp+FH29YfH57ri2KOvhkuqYew1+PXm99e0BaI
--- Cjk3E/MjgCF45aLlFeyoGiaUEZk/QuKtsvPb6GpzD8Q
-m°å>‹“~czÆêåŒ¦†``ÜÏqX«š'ÁÎ%ôwÔž~×ÄL·eä'a±]û‹0ò´LÉÀ‰%ÍY‚TÊÓc9f¡W¶Ã^¤9ÊõÙÝ2®™æ¶ÆBÌa ƒ™ 
+-> ssh-ed25519 6AT2/g BLyjF65Y/bq9gkAuzl2PZmL7Ge1BTf6MQ/J+04fwwCA
+mdGmV3lmTPhVmORAVtJucy5EaNmOiCkZqdw+in8r8+E
+-> ssh-ed25519 ZDy34A h7f7GMXKCzuVnoIai84+gNq18XqxOPQLt2a4tmmQSxs
+RMoh4ecaEFybnE1ObWFZFHJKrIO3SbRynyDBljfSRAY
+-> ssh-ed25519 w3nu8g XubNz2enRmr1uNZlErXBJngZrY52fJC4AUIbsaTh8yE
+w5w3FK30UqLok7VeG8wILcyXeAIrf/Uzbf7AnHPfYAw
+-> ssh-ed25519 evqvfg 9UkiG9r2b0ZJwN6DPL+j08YKjBOx2x6jrJlzg+N79lk
+nmpBD/vZ7h3pAzeL8CO2oABTeA5iujG9Vr4aUgWaO0E
+--- 00dECq/aOgxAgnD19UdntMCzn27Iywp4bQoyAaKJ3yw
+»ŽlŸ÷ƒƒÔrñ,ð’DžgFOíþrÍ=éŒUCR‰wW÷Æ	ÔÏ*þA$÷³åÝÓeV
+RH ¶T<01>ISK·é
--- a/secrets/hashed-robots-email-pw.age
+++ b/secrets/hashed-robots-email-pw.age
--- a/secrets/hostapd-pw-CXNK00BF9176.age
+++ b/secrets/hostapd-pw-CXNK00BF9176.age
--- a/secrets/hostapd-pw-experimental-tower.age
+++ b/secrets/hostapd-pw-experimental-tower.age
--- a/secrets/iodine.age
+++ b/secrets/iodine.age
@@ -1,9 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 6AT2/g Knb25oYknkiXyMqVBR3T0sFSO4hDjWUTq3xIml/b4ig
-n7xamnrZ+SCWiKqniF3r2JvH4G8q2pJaHzF0riNEDf4
-> ssh-ed25519 w3nu8g 7+2R5RpLjBf4jjj3S8ibMquUWgRMrifziGQubwuLrhA
-3jLCalnbA3Z2jr8Zs+qrpzSoi3Jv6E5OV2binpr3Kk4
-> ssh-ed25519 dMQYog Nh2e7me0tiG7ZwQK8669VS0LCYFSH+b33I9tr8uI5CY
-7Gs1N9eZa1CGR9pczzugHbqnghqevX7kQCOeqR4q0eI
--- OzW+omJsZA/b4DMF4hdQga7JVgiEYluZok3r8JM258I
-*³²ÝPŽ†AcèÈ1·@Át¸e÷nf&ù#I7‡a‰Ûâc†ÃÀ<C383>êbDâ–~aõ]1w=Á
+-> ssh-ed25519 6AT2/g 3s+reqcb4Hu/3Z7rICFZBOkW02ibISthFAT1sveyLBo
+Eh5ynxeqqXhNbv/ASWZxzKXAzKX41uI5iJI4KqluHRI
+-> ssh-ed25519 ZDy34A cHcA2p0VrGr6jP/CUTOSU4Gef04ujh6wmJjmEWmWNE0
+wwaQnj7RABFzTbU74awlIJeHHePtO7jihNd2EUkNZPU
+-> ssh-ed25519 w3nu8g hN/fWUHspXoJmpibR4NAL3EXkKExe2tRjUzmLGK6VnE
+F1KQnGe3M8eD9hjnHLc7hqFTw9iXh7ICz0u421DuFOs
+-> ssh-ed25519 evqvfg r3AoIJ3KWCYIsV8+RTgYY+Eg+1EcBVNrX+ZRunKaug8
+KSXd4uq1/0ErZzSTPrCmY/66v4TT5PmFqv9LRSHNi9A
+--- 3bGqZANqdfEgdiUzu38n4dzPOShgGUzQGtO7l2S+hwU
+Ì?\<5C>•Öå¢aÚ'¤¤ÐÚ{˜/}ÉýÝL„:¨|¸G`†Ó+ºMÜÈY$s¸+‚Uk¥áäg‡ID¾K·
--- a/secrets/librechat-env-file.age
+++ b/secrets/librechat-env-file.age
--- a/secrets/linkwarden-environment.age
+++ b/secrets/linkwarden-environment.age
--- a/secrets/nextcloud-pw.age
+++ b/secrets/nextcloud-pw.age
--- a/secrets/oauth2-proxy-env.age
+++ b/secrets/oauth2-proxy-env.age
--- a/secrets/pia-login.age
+++ b/secrets/pia-login.age
@@ -1,11 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 6AT2/g MGKlbzVOk5+czgAOerwl+eIyOifXJm/q4UgQUXVpx1c
-43l6s4+5TSMQyO9tAg7v9Y5OdXOjKYz56lbr9Jm2r+o
-> ssh-ed25519 hPp1nw aOxni4sFPPgedUkBOuOyEWfFPJrhdTJnivIaWt5RJxM
-KNaxijzSMp7EjYKwWiAP66nPYYZK3/VXL8u+3uJt6bg
-> ssh-ed25519 w3nu8g qTAzEzQbFze35AtbvkYREw3wa7ApDN5u7RSZUXrEpms
-Dy0uGF458A9RJMvDl2XKOkEABbbRgT+eIgvb6ZOEQqg
-> ssh-ed25519 dMQYog 5DfYuGeWuN0/CO6WWbFIi7LaKl23FXYVdPROM+TFpCA
-PDBdDn+YUMKYNKFkCEfXesmkB/XUxZRK3ddQt0kqQ7g
--- JOeG87EVD+QBx6n+rMoPTOni0PyoG7xx4a2USNiapYI
-Zsý{ÅiÁ_QÂ\+ô@@Üòß¸Ã¹&_š5$¿Gt2¢rF“y×ÄQ§Iaž7ôÙÉzàgf%O(µÙ,VéÂ}ÿn|û'J¸2ø¨óQÑB
+-> ssh-ed25519 6AT2/g MrkHK56b1uQIiMoSrGmCun5QzwFWQiCFZjHQuAkdBlc
+ipK76P2VS5c00f3n468l+VsTndtEUwHtJTOhR1Zntew
+-> ssh-ed25519 hPp1nw iVISLjddu2lJpNPXewFDmjhORkkzBNUBmq33n2l9yXg
+4oOAaQpnWNsVXfDEK4rclKhAwv8xnE3EUS7PF44/GYc
+-> ssh-ed25519 ZDy34A gZY++iCMswmQVkKiIUUuuR8srojCpykELGpa0mqHMFA
+MSpvndXZY7Gm8VUQUdn/x39dVOsJ0d77H4zN0Ct+b1Q
+-> ssh-ed25519 w3nu8g mnrSRjcTax6g1PHvOwCV/Al6AWkCwiRwMnuZg4vPHys
+S2V1O0GF7wipp9Bg+7PA6z4WNbK/zv015AM1SfA/Jrg
+-> ssh-ed25519 evqvfg 8M2kGsTS/cd0daAr87u0QqS6RH00O1zkSjYdXTxjYGU
+uCUwdJFCdFWWlQPpINjf4dAIYZ/pa8tfz8pVjDLPJF0
+--- iyh7GvKqnNeyIgedqWGQMtYfXJGo1RphDpzuDXJbp1k
+#/Þ¿ «[4èAã<±Ëi×òæ˜ækÞfÓÕ
--- a/secrets/radarr-api-key.age
+++ b/secrets/radarr-api-key.age
--- a/secrets/restic-password.age
+++ b/secrets/restic-password.age
@@ -1,23 +1,29 @@
 age-encryption.org/v1
-> ssh-ed25519 N7drjg Njjfv0Etdr9U27s+wznqw5YmnKcj3lISQ2vudDPj7F0
-bw3SSPfReGSmJ5tQPv+niYn7USyZZffxvgs3J5VxiWw
-> ssh-ed25519 yHDAQw DVlCM84Q1P087cmlS+NzH/i2noLprEbfqSpvFS3Pzig
-PooFRhm8ofoTAT1UxJ3Y+0RMqK3CriwqpGrrKGfFYTs
-> ssh-ed25519 jQaHAA rfoKG06gXsXPVfNql5Kk5OBebaXsRd4vCirzPB2y0jk
-T0xv0iiWSi+FscI/OX6sT137VuiWpAS+P9XsMBT9K7Q
-> ssh-ed25519 w3nu8g 869dCSpsCphoOPZ0z6rzbI5QKieIA4M9tAyVP40P2hY
-N705ablrfdQWK2aEOFCkmdEQQmwJVcqVXOkhYIp1Z3o
-> ssh-ed25519 dMQYog ry0Qkn4YSLctLRzp1fZQ6EnbeGvv3Gge2UOsYBwbk2A
-LO1eyrU0rQJdAjZKCBr+WH2EP/juXcS7Iwrl8tZIMOM
-> ssh-ed25519 WBT1Hw NbtlJrLEcf4yO/akQyE7b9TdyM2e6m8Aj9/MzV7SliY
-JBWsIu/Aycys+uUxC2xSTE2gC0YUpC7Jkkxa0E0TfRI
-> ssh-ed25519 6AT2/g kvri9lMh7mXuJTFh15sRPhkz8+75i2YYcdZL12cLPnI
-hsJETu9Xhbfhzzf6Z3YIKFLGN+Eczgn8EqEBPQl7a1s
-> ssh-ed25519 hPp1nw sJtNVroSF/uQNwvnbLE8vXw+1e4LMu3Gurm+KM+0IwE
-wlYZUEnr1Q3TlxUAUrKAMdVWUbVWy+3+q2fw+ssIoFs
-> ssh-ed25519 w3nu8g gA7oDI/02jl+TjMjSUHZqevmHb6gSinWF4KtjDJgFF0
-KDgSWaZi99/PkKT8g5bTVHvu8EVcPBlF79APxeorABM
-> ssh-ed25519 dMQYog PDdSuky8g5OoqyF4K5N6SSa3ln6O8vlvL4viGqJ8mUc
-LWanrtAIfekuzhr+AGR8e34CD41vPI0BA8YA8YkcyBA
--- LENK2A8P2SxCmpQSI3QNCNz2RDhGwCqLQGybmD73ka8
-Ö{¹˜ô'Þú”|ãêã«ÅµÔjã.ùÄnG=ñY‰gï•‹c$T¬
+-> ssh-ed25519 qEbiMg CX8Y/Si5PzI0enQNfUIAJG5JxqPRLmpHZn2qbnOdqEk
+RtBaY00wl7B+gz9uSxYiNFj9Jf5D18LFvD3XjcqXg00
+-> ssh-ed25519 N7drjg 1bVVPpaqoAb9AGsb8lWCP5nBTVO3nRwCmK2X6M4eCn4
+SW4KXrdN0uulfVGDp5zx351v7+HyIQ2dAP2VB1Yjxx8
+-> ssh-ed25519 jQaHAA ocZpVZtXwnbZWC5RlrPmDtUnRpCnGaJLjCx3IKENJjw
+x5AUP4Q1Odls9RWdtUtDBWAEbbiOaRwnBiI4+FJUhnA
+-> ssh-ed25519 ZDy34A JBwwmjzcV7UFHRky6rOF5jFVMxsj0SmLfCEPPzD8qBc
+ESDhUTfMFVqTfyMpIcx2E4Fg1iRljqXA3kkaaBH5NRI
+-> ssh-ed25519 w3nu8g 32W6EjkjvobPZAV/+2dtZJWW1Xz5yEW1Y+xuPssHPyY
+DeoxVYTuxkFfV7JFk+PweykeN5z7+GM3IPbzJ9Aze/U
+-> ssh-ed25519 evqvfg /71B+elrbVgtDqNTPNHiIIWUCoLMh7Nw45ZxfhZSaSA
+z/c5GQKyJ0i7lJh6Fl2cuwrI876BKZGY4+ruPHazg7g
+-> ssh-ed25519 WBT1Hw /9VARjhq1i3zt8SAJ3KwXz4jDSzNID056rzOeZzdXHk
+81JSPCyru+4wS1USnTaVcO+l0t8d/WHkzC3idgXE6T8
+-> ssh-ed25519 6AT2/g fLTmQkkH94zZBIef5LyH/v/m1s30E2Yy6AiQEtBjaxo
+Hx5/ld4RO/Wd4KWX+cAzets9rCAYGorEIJU6FUEavWY
+-> ssh-ed25519 r848+g XZtbfc7x3XWiUyjDyqEbJyziovGiY16qendRDtR113s
+fO+QDGyAukeMT/fQrs3YQfIIoXTIb/DgGYRlw0nEyqU
+-> ssh-ed25519 hPp1nw kRQYgbHSM5mVEilZA1CSYbgvSriFJyBP9vUnwQTk2D4
+LQdVdVO4MjvB4/hTVwgtLG+Amg6WbQwEaBlgMVVFSqI
+-> ssh-ed25519 ZDy34A ZJsdPqw9MjPUH5hr0Heug25ZKtzCmnykDmiMEW6b9iY
+kgN2CU+jrY5SNCKXmhsw/H5kGg+zEiYDUSrG9URA28o
+-> ssh-ed25519 w3nu8g JxgCPagw/jHEEMxuU+Q9aZylQlRtmkrutly80aU/QQA
+C64qkcYda7plc0eNDc6hk0Lf3tRMNrUR5QlEpeEiflY
+-> ssh-ed25519 evqvfg wx4dPODWj1le9AuzS+M+CufWd52ySy9WfOIPdB+w/Ag
+QyLJBNCtLVwpp3cIcO5NUHMaDNc3duUQeMGH2SQBPck
+--- HgYMHuLleFiKLGaf8buXjOHpUiVhgeL1NaJwyRNHAdY
+êR*÷í÷; cßÕPò*“ýÞŠäœl©’#è‘‡J‹]çuSŠKr}ž¡:'4·#Käù0P45Â‹EÒVªo
--- a/secrets/robots-email-pw.age
+++ b/secrets/robots-email-pw.age
--- a/secrets/sasl_relay_passwd.age
+++ b/secrets/sasl_relay_passwd.age
--- a/secrets/searx.age
+++ b/secrets/searx.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,7 +17,7 @@ with roles;
  "cris-hashed-email-pw.age".publicKeys = email-server;
  "sasl_relay_passwd.age".publicKeys = email-server;
  "hashed-robots-email-pw.age".publicKeys = email-server;
-  "robots-email-pw.age".publicKeys = gitea;
+  "robots-email-pw.age".publicKeys = gitea ++ outline;

  # nix binary cache
  # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
@@ -31,12 +31,14 @@ with roles;

  # cloud
  "nextcloud-pw.age".publicKeys = nextcloud;
+  "whiteboard-server-jwt-secret.age".publicKeys = nextcloud;
  "smb-secrets.age".publicKeys = personal ++ media-center;
  "oauth2-proxy-env.age".publicKeys = server;

  # services
  "searx.age".publicKeys = nobody;
  "wolframalpha.age".publicKeys = dailybot;
+  "linkwarden-environment.age".publicKeys = linkwarden;

  # hostapd
  "hostapd-pw-experimental-tower.age".publicKeys = nobody;
@@ -53,7 +55,7 @@ with roles;
  "librechat-env-file.age".publicKeys = librechat;

  # For ACME DNS Challenge
-  "digitalocean-dns-credentials.age".publicKeys = server;
+  "digitalocean-dns-credentials.age".publicKeys = dns-challenge;

  # Frigate (DVR)
  "frigate-credentials.age".publicKeys = frigate;
--- a/secrets/smb-secrets.age
+++ b/secrets/smb-secrets.age
@@ -1,19 +1,23 @@
 age-encryption.org/v1
-> ssh-ed25519 N7drjg x2s9QZ7Ijvg4t2peGng9/zX1ZmnGggsvWHJFHEktCgw
-o64an6DJ6Be8Jlhzn9ciQTByRAK5f2ckankCRH3y+Uw
-> ssh-ed25519 yHDAQw HYHo6anhKDnD74ab04Ql4RB8+WBA6EavYASX7532NCE
-aTp2V9g18yzUTq1ezqETj6jM2Yb1Bt5+JNkrIDT2Djs
-> ssh-ed25519 jQaHAA xGKcIQOkO/i4E2ZWZ+O4sAp7ADqCRqfRQHhKQu6yWh4
-RJnqK/t0YQrIej8fRDJGjOtQD7VvgJRfCUWR0/UYcSY
-> ssh-ed25519 w3nu8g P9DQy19TvDCi3nfOhFj73bNZEtUs1BrLubt5/BtLoU4
-Sx41bk41dQYa3eoBayUMRIHqMWaRiwXm8BqErDBSbDw
-> ssh-ed25519 dMQYog OWU92PMFo9tGtlkK9zlmMFhh81TGkYlcX1PrxZl35yc
-owDk8wWXETS+iybhTMDmQH+eBuzZRDJIlVGCwu4LqTI
-> ssh-ed25519 jQaHAA MzA8dSYZ/Ysp4ogKEEu84mal8779RgkT4Gy6rBEw+kM
-m75x/b83aP5G1vg7EXlcLizcm16fEAUAD+VNcdTMnnQ
-> ssh-ed25519 w3nu8g AAA3Me3KJgLvtQvyxLvlQ7pCnv7w73ja6Z2+3A82eGs
-+yCW7qCdjk0fiQJmH8poMoc7APKyX/PY7zZyAG1O+Yg
-> ssh-ed25519 dMQYog Dd8e6srT+EIl2PH0RP1bQVsDx+HCQjhFndx5TFyhfx8
-j7Met77pWZzK9cMTt29gWB+d9YFVH5T9qs+ulHS3kAo
--- MgOK/g5hOVkGuUNDBSgVeGc9+ndjxLEA7nKSfLJMr4s
-~Ÿ‹¬&”™)<29>ŠG®Ÿ¨‡'UÐÞzc¾uFGì(<ò¯ùçV"ƒÕ3þH0x0$•<>w$YvO3	"Ï×ðV~ÀŠ¸HÁ~XÛ]GœÆqµ®ã÷œ¢y'ãÓ*–Dê±ÏúœÕk#\ðAï<41>5ë{«Fe\~
+-> ssh-ed25519 qEbiMg P0wVQfRdC6s4rGpSxPSvgsens9QF+VphlX6QL91RNGk
+Rdum6JE/NafVt/lvd54D3leH7QnX/hZoqOoUkp58vpw
+-> ssh-ed25519 N7drjg LRBM5kYSJGMXCiIaU/tc8kq8L8tjyzYjUb5WeKfx5Dk
+/hTFYyPv1gpKBmXJ0EanmfNZwkOg9SvCY1dhqJkSQ3k
+-> ssh-ed25519 jQaHAA 2niqwTr3jLx/7lDG5Yqetu3lqfU+lCYj626oZVT3XFA
+NEwUSUcgsGgyeHXTtDo6HYSkX4r7NyloUP+gabOZfOI
+-> ssh-ed25519 ZDy34A 6NZGnadwDwPUscJdtYQywtuq3FNB0FvUDlztBnAAzBw
+so26osNIZk/7tnf8HZwJ+G8+xcyDbpZ6uoX0GJBD7uk
+-> ssh-ed25519 w3nu8g KX8U395jkHGX7LV9TXRl5OcZfcropPKrgonxJsR0MyI
+KaWlP2Q44p53rqAtlojkj2EBcQH+N1EN/8pYhe92x0E
+-> ssh-ed25519 evqvfg XCZp8XLQ10+OsDwpeBC0t2RAEhj8EG85ZvbYJ6QAeXI
+w9PAegIWcFKtRrcuBk9ysc/qDecNyZBygVVCCzr2DAo
+-> ssh-ed25519 jQaHAA 76ePAMsQpZJO6b2CeE1rgvxhi2JEOxC+OPIW8GBEnWQ
+NyGlaWLtx9Vko4sDFdgsQj9oK1/gD4Y6HnVhOJfO0JE
+-> ssh-ed25519 ZDy34A RrJ8q0EcqfNgg6Fk2ZrY/RiRjI+w0WFrfvHqi7r5pgU
+ayHpp8FAVEIZhKTqYp1h/mL6UFSlQic7dlrHxbmharI
+-> ssh-ed25519 w3nu8g q4j19BwrZAkFCICDOdAhGFWiD6eCLJRW9faeTaJEvE0
+Av4UT5VsBvdL0cZOoaTrDOBvX91uuVIwru4WXMC+NNA
+-> ssh-ed25519 evqvfg UIsX165L2ccILCU5zFur/9IHarQn9nAaLH3nSbcJJE4
+cWztxUlKMcqx9GfAk2C+Gt/aR9ZXaXZYe9XQ3jnl3T8
+--- bMWqy/VkrJr/SmencAM0ClMc/jtY82jL2ZUYFdLK2qY
+Vã¥=W}ØŸß¥¿•jUá¢Ctp
--- a/secrets/sonarr-api-key.age
+++ b/secrets/sonarr-api-key.age
--- a/secrets/whiteboard-server-jwt-secret.age
+++ b/secrets/whiteboard-server-jwt-secret.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 6AT2/g qKh6Xf7LvaAAwd4WAwkFt4am3bIFV6GUAJtAF38X5Sg
+HlIgZr0jst1ZoJaUsqM+cD/FJVHsviZyteKZu/VU9e0
+-> ssh-ed25519 ZDy34A lirRPnVNX7ZMefcCjh6jxx+Vk/nG1+8kl18jBvFGFA4
+7fXtdP0kSF+S3uPrBEHiO4riUf8/BhCaEzTFgnHTkHQ
+-> ssh-ed25519 w3nu8g CoUbAWX4r2jbrcAAyT2jRPY43pK27t08a+CGnnJJZ38
+au9ujHws04Hxv8gYlmxw8rmNUGZmsVW5ilp6MyujnxA
+-> ssh-ed25519 evqvfg v/onOr1hwFJVX8mvG1MyS+P6B+CC+fH8k7GgV2b22FY
+hCUNukeRnYt+dyrpGp7aUzi8Vxx72cm66lcLgxJg0UE
+--- akZhal+1DMZXmudX1sZUjH+KJhENZkgQcuUvXyMsQLA
+<EFBFBD>’ ÊOE~éoÈ,C<>€pµÐ1(Ó Ý®$S¦1‹òÄùgXÁüöàOyô¹rw°àâ-â:Ýï-ëe0i¡9ÎŒ<C38E>É(÷ÒR4[œÄ”%VA¼6@:ø—
--- a/secrets/wolframalpha.age
+++ b/secrets/wolframalpha.age
@@ -1,10 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 6AT2/g Kw5/he5m/XAJUNv8XEJQU+e+Ou7hCYluMXXWlHiePXY
-GkhJOzSlcC9S7bs8FuDNMvMaFU3+fQ5z+o+Pb8wllp8
-> ssh-ed25519 w3nu8g fUORtXN1ygOeV42jveCosGXR/Y6R6OG6DK7LPDBEAk8
-yFpoasbY/sl6BQp0LVBQnInA4Kxd8A8meEObU1KD108
-> ssh-ed25519 dMQYog 75qVEe6/1yOV4DDLAOGaufs3ojx1/Sc1fIQOe+Oirz0
-iDFsr6/30AHKH6hUs/WTpHEM8WQ03QMlGbtQkGrnVCU
--- islx8t7a6bShXGxvYeDVuUxkmAMtpUfr0Gp7aYrJUkI
-2Ûí4¤†7Õ
-?Õw€À<E282AC>JÁÆØv	¨º9’,ËxÅŠò¨‰¦Æ¦ñnäH?>I
+-> ssh-ed25519 6AT2/g NDsVQFHvqCl9KtbDE5oXyNsA4z9+4YiOsGHZ1m8CYW4
+6DBtl+pAuNB+PUnXSVTlVNAeFpr39dAuhOI4k9su1Hg
+-> ssh-ed25519 ZDy34A extU5azTcNDgblB36KXiLnI4oMUbb4R5BWVlXsec5GE
+D0re4GCb7KjcR1uVu+MFQe+LdaEY7xUmrYLJmgddYnQ
+-> ssh-ed25519 w3nu8g 3w4aYKO7etSZsmCGaL6bKxfrniKCnBKiRRhvPXeHlEQ
+inI1cUq5r8xM+xU+jaPD4yuZw4Q6lIZhwAztXICWu5M
+-> ssh-ed25519 evqvfg Dzb7THrNXvfpoIy1yAi2aqJSv2RQ6pvUkAgQS2f6D24
+aXlOBtqoK0xMMA+woITlbXpZoe3EVx5yQaLA24wmUfE
+--- qzPxoy3zUBEwJtCsPhi/tWxMcI8SKpxqptPTRQk4Yn0
+uS	_ô‡ÝÐ6Ÿ*+‘jòÕþëŠÍì¤©â¯½žq6÷¤Õvµ¬”…Nº‚Š´
--- a/secrets/zigbee2mqtt.yaml.age
+++ b/secrets/zigbee2mqtt.yaml.age
@@ -1,8 +1,12 @@
 age-encryption.org/v1
-> ssh-ed25519 hPp1nw TSDuPaFp/Qcz4r819X4QmU/4J2TGpoX7jCCJCdFDog0
-SwQUqEp45xMOeTkvBG6uX28kB8YWG66laYqakSgl9w4
-> ssh-ed25519 w3nu8g tLZDNE0iBgOpUB3djpNu3CgimsRc0zcds+AgctzxyQ4
-Oyz6XORsApM4vFxWyaD3bR/ApIUFPY3q4yGvtbosUIY
--- vuXlQmuOFbJhBTACN5ciH2GlOCbRCMPZdlogG2O+KOk
-Áëÿ!}UIì	p0@Xž|°þ#æ™†0HÙõò#BÇRR<52>Ù
-òùø5¾Iÿ?vX?pÝ<70>—<>fqÍ[lž¸˜xÏG7ü;UäÀOUä¶
+-> ssh-ed25519 hPp1nw KENwK0yRInrVRN1Tgwvx/dJsz+z8rQenw1B4aw57v2c
+ucnKJeShVBVC8LmQ6VIGTlbB0VBpBi2/lGGfW78jj1U
+-> ssh-ed25519 ZDy34A Ghz/fsNQWte2tUx2+kEHcRPCBGc1orAXV9QkCbsKBzg
+i9mr3xguDEgLL53ji38H19dkZPHqcfqTy8/S2oaht0U
+-> ssh-ed25519 w3nu8g cN44HlL1Zu724p+Kyrygas3RCRTpEPOfTdzFHkLebC4
+BOBnfvEQLTPH6lBdSOPlYeSSdy3pohctl00lXrDs2zk
+-> ssh-ed25519 evqvfg HuPgckAebGwcWYCFNvNcNwg2QpyynHuVYRNiuC2j0m0
+HgJlN4gbED2FNaWr88Ocqdc1UJ3LA1n6fl/BUeXfwhI
+--- eczVQy6oXmBIj1D2v8LuR8ZJxnzyCNxn+rqF135QJJ4
+aj0<EFBFBD>žå^ÂÏ<C382>ö(ø'´¨p1‹)F½>aíO¦€”›¶¤:Ú¢šŒÛ!û8T¬
+YÌ{ˆ‚3É¶;Y
Author	SHA1	Message	Date
Zuckerberg	bab2df5d7e	Use programs.ssh.askPassword All checks were successful Check Flake / check-flake (push) Successful in 4m56s Details	2026-01-11 15:24:53 -08:00
Zuckerberg	adc04d1bc7	Update nixos mailserver All checks were successful Check Flake / check-flake (push) Successful in 18m38s Details	2026-01-11 14:25:17 -08:00
Zuckerberg	da9a8f8c03	Update nixpkgs	2026-01-11 14:25:03 -08:00
Zuckerberg	415cbca33e	VLAN workaround for now	2026-01-10 23:04:48 -08:00
Zuckerberg	51272a172b	Add system76-keyboard-configurator to fry	2026-01-10 23:03:19 -08:00
Zuckerberg	f053c677e8	Set up openwebui + ollama	2026-01-10 23:02:43 -08:00
Zuckerberg	c130ce6edd	Don't generate zed user config file for now	2026-01-10 22:55:31 -08:00
Zuckerberg	4718326cb6	Configure ssh-agent to work with keepassxc ssh keys	2026-01-10 22:53:28 -08:00
Zuckerberg	61698aa7e2	Add kde connect	2026-01-10 22:52:17 -08:00
Zuckerberg	e0af023ac9	barrier was removed from nixpkgs	2026-01-10 22:51:09 -08:00
Zuckerberg	c0088553ff	jellyfin-media-player was removed from nixpkgs	2026-01-10 22:49:04 -08:00
Zuckerberg	577736fcb2	Add deploy command	2026-01-10 22:46:39 -08:00
Zuckerberg	cf087b0e39	Add fry All checks were successful Check Flake / check-flake (push) Successful in 1h22m48s Details	2025-10-12 13:36:02 -07:00
Zuckerberg	cb1c4752ec	Use latest kernel on Howl	2025-10-12 13:35:23 -07:00
Zuckerberg	b77fb54dc6	Disable annoying pls shell integration	2025-10-12 13:35:02 -07:00
Zuckerberg	3d6a759827	Update nixpkgs	2025-10-12 13:33:53 -07:00
Zuckerberg	0c455baebd	Add languagetool All checks were successful Check Flake / check-flake (push) Successful in 5m13s Details	2025-08-16 19:04:10 -07:00
Zuckerberg	b58df0632a	Add outline service All checks were successful Check Flake / check-flake (push) Successful in 15m2s Details	2025-08-10 20:49:50 -07:00
Zuckerberg	4956e41285	Add memos service	2025-08-10 19:03:35 -07:00
Zuckerberg	ead6653de1	Add services to tailscale auth	2025-08-10 19:02:47 -07:00
Zuckerberg	dd4a5729d4	Workaround for broken librespot spotify api integration All checks were successful Check Flake / check-flake (push) Successful in 4m49s Details	2025-08-10 15:18:29 -07:00
Zuckerberg	f248c129c8	Open port 8095 for music assistant too	2025-08-10 15:17:52 -07:00
Zuckerberg	c011faab18	Use flaresolverr with linkwarden	2025-08-10 15:17:27 -07:00
Zuckerberg	a5d0b3b748	Bring back APU2 router for more experimentation All checks were successful Check Flake / check-flake (push) Successful in 19m21s Details	2025-08-05 19:45:50 -07:00
Zuckerberg	ed3bee2e4e	Improve minimal iso so it can boot on APU2 from sd card	2025-08-05 19:44:49 -07:00
Zuckerberg	dbde2a40f2	Add linkwarden	2025-08-05 19:42:29 -07:00
Zuckerberg	6c69d82156	Add support for Home Assistant voice (whisper + piper + cloud llm) and Music Assistant via Spotify by librespot Music assistant has custom modifications they made to librespot that they haven't bothered to even try to upstream. Thus, they require a custom librespot. I tried and tried and tried and tried to just override the one already in nixpkgs but I had trouble doing so despite copying the pattern already shown in nixpkgs for overriding the src of a cargo pkg (See mopidy) but it just didn't work... Oh well. So I just patch nixpkgs instead with the new source. It works I guess. This is about where I gave up... ```nix nixpkgs.overlays = [ (final: prev: { # Cannot use librespot upstream because music-assistant requires custom changes # that they never bothered to even try to uptream librespot = prev.librespot.overrideAttrs (oldAttrs: rec { src = prev.fetchFromGitHub { owner = "music-assistant"; repo = "librespot"; rev = "786cc46199e583f304a84c786acb0a9b37bc3fbd"; sha256 = "sha256-xaOrqC8yCjF23Tz31RD3CzqZ3xxrDM6ncW1yoovEaGQ="; }; cargoDeps = oldAttrs.cargoDeps.overrideAttrs (oldAttrs': { vendorStaging = oldAttrs'.vendorStaging.overrideAttrs { outputHash = "sha256-SqvJSHkyd1IicT6c4pE96dBJNNodULhpyG14HRGVWCk="; }; }); }); }) ]; ```	2025-08-05 19:37:50 -07:00
Zuckerberg	01b01f06b4	Stop using systemd-networkd it has some flaws with NixOS' networking I need to figure out later. It is very elegant, easy to debug/understand, and I definitely want to use it but The most significant problem is it doesn't work with NixOS containers private networking. So I'll need to figure that out or maybe it will be fixed upstream soon.	2025-08-05 19:27:29 -07:00
Zuckerberg	cf560d4e53	Downgrade Howl's kernel because newer kernels just are horrible with Howl's network card	2025-08-05 19:24:46 -07:00
Zuckerberg	8cf4957e15	Add build iso helper command	2025-08-05 19:23:42 -07:00
Zuckerberg	dc02438a63	Finally a fix DHCP+VLANs thanks to systemd-networkd All checks were successful Check Flake / check-flake (push) Successful in 3m31s Details	2025-07-22 21:20:12 -07:00
Zuckerberg	948984af2d	Set ghostty preferences All checks were successful Check Flake / check-flake (push) Successful in 22m14s Details	2025-07-18 19:46:18 -07:00
Zuckerberg	be23526c2c	Add KeepassXC keys, remove some very old user keys, and rekey All checks were successful Check Flake / check-flake (push) Successful in 1m50s Details	2025-07-16 22:01:33 -07:00
Zuckerberg	e234577268	Disable inactive cache push experiment	2025-07-16 22:00:11 -07:00
Zuckerberg	82b67ed566	Add Whiteboard app to Nextcloud All checks were successful Check Flake / check-flake (push) Successful in 2m17s Details	2025-07-16 20:49:39 -07:00
Zuckerberg	53c2e2222c	Move shell aliases	2025-07-16 20:48:26 -07:00
Zuckerberg	846da159d0	Iodine stopped working again	2025-07-16 20:47:49 -07:00
Zuckerberg	a45125421e	Add collabora online and move nextcloud domain	2025-07-16 20:46:51 -07:00
Zuckerberg	f4e40955c8	Use upstreamed pcie coral and vaapi frigate configuration All checks were successful Check Flake / check-flake (push) Successful in 12m12s Details	2025-07-13 18:04:36 -07:00
Zuckerberg	af9e462b27	Allow substituters to be offline Some checks failed Check Flake / check-flake (push) Has been cancelled Details	2025-07-13 17:54:32 -07:00
Zuckerberg	2faea9d380	Update nixpkgs and other flake inputs	2025-07-13 17:52:08 -07:00