Use programs.ssh.askPassword

Music assistant has custom modifications they made to librespot that they haven't bothered to even try to upstream.
Thus, they require a custom librespot.  I tried and tried and tried and tried to just override the one already in nixpkgs
but I had trouble doing so despite copying the pattern already shown in nixpkgs for overriding the src of a cargo pkg
(See mopidy) but it just didn't work... Oh well. So I just patch nixpkgs instead with the new source. It works I guess.

This is about where I gave up...

```nix
nixpkgs.overlays = [
  (final: prev: {
    # Cannot use librespot upstream because music-assistant requires custom changes
    # that they never bothered to even try to uptream
    librespot = prev.librespot.overrideAttrs (oldAttrs: rec {
      src = prev.fetchFromGitHub {
        owner = "music-assistant";
        repo = "librespot";
        rev = "786cc46199e583f304a84c786acb0a9b37bc3fbd";
        sha256 = "sha256-xaOrqC8yCjF23Tz31RD3CzqZ3xxrDM6ncW1yoovEaGQ=";
      };

      cargoDeps = oldAttrs.cargoDeps.overrideAttrs (oldAttrs': {
        vendorStaging = oldAttrs'.vendorStaging.overrideAttrs {
          outputHash = "sha256-SqvJSHkyd1IicT6c4pE96dBJNNodULhpyG14HRGVWCk=";
        };
      });
    });
  })
];
```

Makefile

@@ -29,4 +29,14 @@ gc:
 # Update a flake input by name (ex: 'nixpkgs')
 .PHONY: update-input
 update-input:
-	nix flake update $(filter-out $@,$(MAKECMDGOALS))
+	nix flake update $(filter-out $@,$(MAKECMDGOALS))
+
+# Build Custom Install ISO
+.PHONY: iso
+iso:
+	nix build .#packages.x86_64-linux.iso
+
+# Deploy a host by name (ex: 's0')
+.PHONY: deploy
+deploy:
+	deploy --remote-build --boot --debug-logs --skip-checks .#$(filter-out $@,$(MAKECMDGOALS))

common/pc/chromium.nix

@@ -46,7 +46,6 @@ in
 
     # hardware accelerated video playback (on intel)
     nixpkgs.config.packageOverrides = pkgs: {
-      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
       chromium = pkgs.chromium.override {
         enableWideVine = true;
         # ungoogled = true;
@@ -61,12 +60,9 @@ in
       enable = true;
       extraPackages = with pkgs; [
         intel-media-driver # LIBVA_DRIVER_NAME=iHD
-        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-        # vaapiVdpau
         libvdpau-va-gl
         nvidia-vaapi-driver
       ];
-      extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ];
     };
   };
 }

common/pc/default.nix

@@ -46,11 +46,12 @@ in
       spotify
       arduino
       yt-dlp
-      jellyfin-media-player
       joplin-desktop
       config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
       lxqt.pavucontrol-qt
-      barrier
+      deskflow
+      file-roller
+      android-tools
 
       # For Nix IDE
       nixpkgs-fmt
@@ -71,15 +72,10 @@ in
     services.avahi.enable = true;
     services.avahi.nssmdns4 = true;
 
-    programs.file-roller.enable = true;
-
     # Security
     services.gnome.gnome-keyring.enable = true;
     security.pam.services.googlebot.enableGnomeKeyring = true;
 
-    # Android dev
-    programs.adb.enable = true;
-
     # Mount personal SMB stores
     services.mount-samba.enable = true;
 
@@ -94,5 +90,9 @@ in
     environment.sessionVariables.NIXOS_OZONE_WL = "1";
 
     fonts.packages = with pkgs; [ nerd-fonts.symbols-only ];
+
+    # SSH Ask pass
+    programs.ssh.enableAskPassword = true;
+    programs.ssh.askPassword = "${pkgs.kdePackages.ksshaskpass}/bin/ksshaskpass";
   };
 }

common/pc/kde.nix

@@ -15,6 +15,7 @@ in
       # kmail
       # plasma5Packages.kmail-account-wizard
       kdePackages.kate
+      kdePackages.kdeconnect-kde
     ];
   };
 }

common/pc/vscodium.nix

@@ -14,24 +14,14 @@ let
     rust-lang.rust-analyzer
     vadimcn.vscode-lldb
     tauri-apps.tauri-vscode
+    platformio.platformio-vscode-ide
+    vue.volar
   ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
-    {
-      name = "platformio-ide";
-      publisher = "platformio";
-      version = "3.1.1";
-      sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
-    }
     {
       name = "wgsl-analyzer";
       publisher = "wgsl-analyzer";
-      version = "0.8.1";
+      version = "0.12.105";
-      sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
+      sha256 = "sha256-NheEVNIa8CIlyMebAhxRKS44b1bZiWVt8PgC6r3ExMA=";
-    }
-    {
-      name = "volar";
-      publisher = "Vue";
-      version = "2.2.4";
-      sha256 = "FHS/LNjSUVfCb4SVF9naR4W0JqycWzSWiK54jfbRagA=";
     }
   ];
 

common/server/librechat.nix

@@ -3,10 +3,10 @@
 with lib;
 
 let
-  cfg = config.services.librechat;
+  cfg = config.services.librechat-container;
 in
 {
-  options.services.librechat = {
+  options.services.librechat-container = {
     enable = mkEnableOption "librechat";
     port = mkOption {
       type = types.int;
@@ -21,7 +21,7 @@ in
   config = mkIf cfg.enable {
     virtualisation.oci-containers.containers = {
       librechat = {
-        image = "ghcr.io/danny-avila/librechat:v0.7.7";
+        image = "ghcr.io/danny-avila/librechat:v0.8.1";
         environment = {
           HOST = "0.0.0.0";
           MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";

common/server/mailserver.nix

@@ -63,18 +63,28 @@ in
           "cris@runyan.org"
         ];
       };
-      certificateScheme = "acme-nginx"; # use let's encrypt for certs
+      x509.useACMEHost = config.mailserver.fqdn; # use let's encrypt for certs
+      stateVersion = 3;
     };
     age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
     age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
     age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
 
+    # Get let's encrypt cert
+    services.nginx = {
+      enable = true;
+      virtualHosts."${config.mailserver.fqdn}" = {
+        forceSSL = true;
+        enableACME = true;
+      };
+    };
+
     # sendmail to use xxx@domain instead of xxx@mail.domain
-    services.postfix.origin = "$mydomain";
+    services.postfix.settings.main.myorigin = "$mydomain";
 
     # relay sent mail through mailgun
     # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
-    services.postfix.config = {
+    services.postfix.settings.main = {
       smtp_sasl_auth_enable = "yes";
       smtp_sasl_security_options = "noanonymous";
       smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
@@ -92,7 +102,6 @@ in
     age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
 
     # webmail
-    services.nginx.enable = true;
     services.roundcube = {
       enable = true;
       hostName = config.mailserver.fqdn;

common/server/nextcloud.nix

@@ -16,7 +16,7 @@ in
   config = lib.mkIf cfg.enable {
     services.nextcloud = {
       https = true;
-      package = pkgs.nextcloud31;
+      package = pkgs.nextcloud32;
       hostName = nextcloudHostname;
       config.dbtype = "sqlite";
       config.adminuser = "jeremy";

common/shell.nix

@@ -41,6 +41,9 @@
       # comma uses the "nix-index" package built into nixpkgs by default.
       # That package doesn't use the prebuilt nix-index database so it needs to be changed.
       comma = prev.comma.overrideAttrs (old: {
+        nativeBuildInputs = old.nativeBuildInputs ++ [
+          prev.makeWrapper
+        ];
         postInstall = ''
           wrapProgram $out/bin/comma \
             --prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}

flake.lock

@@ -14,11 +14,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1750173260,
+        "lastModified": 1762618334,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
         "type": "github"
       },
       "original": {
@@ -101,11 +101,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749105467,
+        "lastModified": 1766051518,
-        "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
+        "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
+        "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
         "type": "github"
       },
       "original": {
@@ -117,11 +117,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1747046372,
+        "lastModified": 1767039857,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
@@ -163,11 +163,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1750779888,
+        "lastModified": 1763988335,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",
         "type": "github"
       },
       "original": {
@@ -205,16 +205,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1752208517,
+        "lastModified": 1768068402,
-        "narHash": "sha256-aRY1cYOdVdXdNjcL/Twpa27CknO7pVHxooPsBizDraE=",
+        "narHash": "sha256-bAXnnJZKJiF7Xr6eNW6+PhBf1lg2P1aFUO9+xgWkXfA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c6a01e54af81b381695db796a43360bf6db5702f",
+        "rev": "8bc5473b6bc2b6e1529a9c4040411e1199c43b4c",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "master",
         "repo": "home-manager",
         "type": "github"
       }
@@ -226,11 +226,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1752346111,
+        "lastModified": 1765267181,
-        "narHash": "sha256-SVxCIYnbED0rNYSpm3QQoOhqxYRp1GuE9FkyM5Y2afs=",
+        "narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "deff7a9a0aa98a08d8c7839fe2658199ce9828f8",
+        "rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f",
         "type": "github"
       },
       "original": {
@@ -241,11 +241,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1752048960,
+        "lastModified": 1767185284,
-        "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=",
+        "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806",
+        "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
         "type": "github"
       },
       "original": {
@@ -257,16 +257,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1752431364,
+        "lastModified": 1768105724,
-        "narHash": "sha256-ciGIXIMq2daX5o4Tn6pnZTd1pf5FICHbqUlHu658G9c=",
+        "narHash": "sha256-0edMCoDc1VpuqDjy0oz8cDa4kjRuhXE3040sac2iZW4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fb0f0dbfd95f0e19fdeab8e0f18bf0b5cf057b68",
+        "rev": "4c41b0361812441bf3b4427195e57ab271d5167f",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-25.05",
+        "ref": "master",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -295,22 +295,19 @@
         "git-hooks": "git-hooks",
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-25_05": [
-          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1747965231,
+        "lastModified": 1766321686,
-        "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
+        "narHash": "sha256-icOWbnD977HXhveirqA10zoqvErczVs3NKx8Bj+ikHY=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "53007af63fade28853408370c4c600a63dd97f41",
+        "rev": "7d433bf89882f61621f95082e90a4ab91eb0bdd3",
         "type": "gitlab"
       },
       "original": {
         "owner": "simple-nixos-mailserver",
-        "ref": "nixos-25.05",
+        "ref": "master",
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }

flake.nix

@@ -1,7 +1,7 @@
 {
   inputs = {
     # nixpkgs
-    nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/master";
 
     # Common Utils Among flake inputs
     systems.url = "github:nix-systems/default";
@@ -19,16 +19,15 @@
 
     # Home Manager
     home-manager = {
-      url = "github:nix-community/home-manager/release-25.05";
+      url = "github:nix-community/home-manager/master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
     # Mail Server
     simple-nixos-mailserver = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
       inputs = {
         nixpkgs.follows = "nixpkgs";
-        nixpkgs-25_05.follows = "nixpkgs";
         flake-compat.follows = "flake-compat";
       };
     };
@@ -118,7 +117,6 @@
                 name = "nixpkgs-patched";
                 src = nixpkgs;
                 patches = [
-                  # ./patches/gamepadui.patch
                   ./patches/dont-break-nix-serve.patch
                 ];
               };

home/googlebot.nix

@@ -19,11 +19,15 @@ in
 
   # Modern "ls" replacement
   programs.pls.enable = true;
-  programs.pls.enableFishIntegration = true;
+  programs.pls.enableFishIntegration = false;
   programs.eza.enable = true;
 
   # Graphical terminal
   programs.ghostty.enable = thisMachineIsPersonal;
+  programs.ghostty.settings = {
+    theme = "Snazzy";
+    font-size = 10;
+  };
 
   # Advanced terminal file explorer
   programs.broot.enable = true;
@@ -50,70 +54,5 @@ in
 
   programs.zed-editor = {
     enable = thisMachineIsPersonal;
-    extensions = [
-      "nix"
-      "toml"
-      "html"
-      "make"
-      "git-firefly"
-      "vue"
-      "scss"
-    ];
-
-    userSettings = {
-      assistant = {
-        enabled = true;
-        version = "2";
-        default_model = {
-          provider = "openai";
-          model = "gpt-4-turbo";
-        };
-      };
-
-      features = {
-        edit_prediction_provider = "zed";
-      };
-
-      node = {
-        path = lib.getExe pkgs.nodejs;
-        npm_path = lib.getExe' pkgs.nodejs "npm";
-      };
-
-      auto_update = false;
-
-      terminal = {
-        blinking = "off";
-        copy_on_select = false;
-      };
-
-      lsp = {
-        rust-analyzer = {
-          # binary = {
-          #   path = lib.getExe pkgs.rust-analyzer;
-          # };
-          binary = {
-            path = "/run/current-system/sw/bin/nix";
-            arguments = [ "develop" "--command" "rust-analyzer" ];
-          };
-          initialization_options = {
-            cargo = {
-              features = "all";
-            };
-          };
-        };
-      };
-
-      # tell zed to use direnv and direnv can use a flake.nix enviroment.
-      load_direnv = "shell_hook";
-
-      base_keymap = "VSCode";
-      theme = {
-        mode = "system";
-        light = "One Light";
-        dark = "Andrometa";
-      };
-      ui_font_size = 12;
-      buffer_font_size = 12;
-    };
   };
 }

machines/ephemeral/minimal.nix

@@ -7,12 +7,20 @@
     ../../common/ssh.nix
   ];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "e1000"
+    "e1000e"
+    "virtio_pci"
+    "r8169"
+    "sdhci"
+    "sdhci_pci"
+    "mmc_core"
+    "mmc_block"
+  ];
   boot.kernelParams = [
-    "panic=30"
-    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
     "console=ttyS0,115200" # enable serial console
-    "console=tty1"
   ];
   boot.kernel.sysctl."vm.overcommit_memory" = "1";
 

machines/fry/default.nix

@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # don't use remote builders
+  nix.distributedBuilds = lib.mkForce false;
+
+  nix.gc.automatic = lib.mkForce false;
+
+  environment.systemPackages = with pkgs; [
+    system76-keyboard-configurator
+  ];
+
+  services.ollama = {
+    enable = true;
+    package = pkgs.ollama-vulkan;
+    host = "127.0.0.1";
+  };
+
+  services.open-webui = {
+    enable = true;
+    host = "127.0.0.1"; # nginx proxy
+    port = 12831;
+    environment = {
+      ANONYMIZED_TELEMETRY = "False";
+      DO_NOT_TRACK = "True";
+      SCARF_NO_ANALYTICS = "True";
+      OLLAMA_API_BASE_URL = "http://localhost:${toString config.services.ollama.port}";
+    };
+  };
+
+  # nginx
+  services.nginx = {
+    enable = true;
+    openFirewall = false; # All nginx services are internal
+    virtualHosts =
+      let
+        mkHost = external: config:
+          {
+            ${external} = {
+              useACMEHost = "fry.neet.dev"; # Use wildcard cert
+              forceSSL = true;
+              locations."/" = config;
+            };
+          };
+        mkVirtualHost = external: internal:
+          mkHost external {
+            proxyPass = internal;
+            proxyWebsockets = true;
+          };
+      in
+      lib.mkMerge [
+        (mkVirtualHost "chat.fry.neet.dev" "http://localhost:${toString config.services.open-webui.port}")
+      ];
+  };
+
+  # Get wildcard cert
+  security.acme.certs."fry.neet.dev" = {
+    dnsProvider = "digitalocean";
+    credentialsFile = "/run/agenix/digitalocean-dns-credentials";
+    extraDomainNames = [ "*.fry.neet.dev" ];
+    group = "nginx";
+    dnsResolver = "1.1.1.1:53";
+    dnsPropagationCheck = false; # sadly this erroneously fails
+  };
+  age.secrets.digitalocean-dns-credentials.file = ../../secrets/digitalocean-dns-credentials.age;
+}

machines/fry/hardware-configuration.nix

@@ -0,0 +1,50 @@
+{ config, lib, pkgs, modulesPath, nixos-hardware, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    nixos-hardware.nixosModules.framework-amd-ai-300-series
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  services.fwupd.enable = true;
+
+  # boot
+  boot.loader.systemd-boot.enable = true;
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" "r8169" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # thunderbolt
+  services.hardware.bolt.enable = true;
+
+  # firmware
+  firmware.x86_64.enable = true;
+
+  # disks
+  remoteLuksUnlock.enable = true;
+  boot.initrd.luks.devices."enc-pv" = {
+    device = "/dev/disk/by-uuid/d4f2f25a-5108-4285-968f-b24fb516d4f3";
+    allowDiscards = true;
+  };
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/a8901bc1-8642-442a-940a-ddd3f428cd0f";
+      fsType = "btrfs";
+    };
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/13E5-C9D4";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/03356a74-33f0-4a2e-b57a-ec9dfc9d85c5"; }
+    ];
+
+  # Ensures that dhcp is active during initrd (Network Manager is used post boot)
+  boot.initrd.network.udhcpc.enable = true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/fry/properties.nix

@@ -0,0 +1,24 @@
+{
+  hostNames = [
+    "fry"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "personal"
+    "dns-challenge"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/Df5lG07Il7fizEgZR/T9bMlR0joESRJ7cqM9BkOyP";
+
+  userKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5/h6YySqNemA4+e+xslhspBp34ulXKembe3RoeZ5av"
+  ];
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1RC1lhP4TSL2THvKAQAH7Y/eSGQPo/MjhTsZD6CEES";
+    clearnetHost = "192.168.1.3";
+    onionHost = "z7smmigsfrabqfnxqogfogmsu36jhpsyscncmd332w5ioheblw6i4lid.onion";
+  };
+}

machines/howl/hardware-configuration.nix

@@ -6,7 +6,7 @@
     nixos-hardware.nixosModules.framework-13-7040-amd
   ];
 
-  boot.kernelPackages = pkgs.linuxPackages_6_14;
+  boot.kernelPackages = pkgs.linuxPackages_latest;
 
   hardware.framework.amd-7040.preventWakeOnAC = true;
   services.fwupd.enable = true;

machines/ponyo/default.nix

@@ -109,6 +109,6 @@
   services.owncast.hostname = "live.neet.dev";
 
   # librechat
-  services.librechat.enable = true;
+  services.librechat-container.enable = true;
-  services.librechat.host = "chat.neet.dev";
+  services.librechat-container.host = "chat.neet.dev";
 }

machines/router/default.nix

@@ -22,8 +22,7 @@
 
   # networking.useDHCP = lib.mkForce true;
 
-  # TODO
+  networking.usePredictableInterfaceNames = false;
-  # networking.usePredictableInterfaceNames = true;
 
   powerManagement.cpuFreqGovernor = "ondemand";
 

machines/router/hardware-configuration.nix

@@ -10,8 +10,6 @@
 
   # Enable serial output
   boot.kernelParams = [
-    "panic=30"
-    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
     "console=ttyS0,115200n8" # enable serial console
   ];
   boot.loader.grub.extraConfig = "
@@ -23,6 +21,8 @@
   # firmware
   firmware.x86_64.enable = true;
   nixpkgs.config.allowUnfree = true;
+  hardware.enableRedistributableFirmware = true;
+  hardware.enableAllFirmware = true;
 
   # boot
   bios = {
@@ -31,20 +31,18 @@
   };
 
   # disks
-  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
   fileSystems."/" =
     {
-      device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
+      device = "/dev/disk/by-uuid/6aa7f79e-bef8-4b0f-b22c-9d1b3e8ac94b";
-      fsType = "btrfs";
+      fsType = "ext4";
     };
   fileSystems."/boot" =
     {
-      device = "/dev/disk/by-uuid/d97f324f-3a2e-4b84-ae2a-4b3d1209c689";
+      device = "/dev/disk/by-uuid/14dfc562-0333-4ddd-b10c-4eeefe1cd05f";
       fsType = "ext3";
     };
   swapDevices =
-    [{ device = "/dev/disk/by-uuid/45bf58dd-67eb-45e4-9a98-246e23fa7abd"; }];
+    [{ device = "/dev/disk/by-uuid/adf37c64-3b54-480c-a9a7-099d61c6eac7"; }];
 
   nixpkgs.hostPlatform = "x86_64-linux";
 }

machines/router/properties.nix

@@ -0,0 +1,17 @@
+{
+  hostNames = [
+    "router"
+    "192.168.6.159"
+    "192.168.3.1"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "server"
+    "wireless"
+    "router"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDCMhEvWJxFBNyvpyuljv5Uun8AdXCxBK9HvPBRe5x6";
+}

machines/router/properties.nix.disabled

@@ -1,21 +0,0 @@
-{
-  hostNames = [
-    "router"
-    "192.168.1.228"
-  ];
-
-  arch = "x86_64-linux";
-
-  systemRoles = [
-    "server"
-    "wireless"
-    "router"
-  ];
-
-  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
-
-  remoteUnlock = {
-    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
-    onionHost = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
-  };
-}

machines/router/router.nix

@@ -31,8 +31,10 @@ in
     networking.bridges = {
       br0 = {
         interfaces = [
-          "enp2s0"
+          "eth2"
-          "wlp4s0"
+          # "wlp4s0"
+          # "wlan1"
+          "wlan0"
           "wlan1"
         ];
       };
@@ -64,142 +66,173 @@ in
 
     services.dnsmasq = {
       enable = true;
-      extraConfig = ''
+      settings = {
         # sensible behaviours
-        domain-needed
+        domain-needed = true;
-        bogus-priv
+        bogus-priv = true;
-        no-resolv
+        no-resolv = true;
 
         # upstream name servers
-        server=1.1.1.1
+        server = [
-        server=8.8.8.8
+          "1.1.1.1"
+          "8.8.8.8"
+        ];
 
         # local domains
-        expand-hosts
+        expand-hosts = true;
-        domain=home
+        domain = "home";
-        local=/home/
+        local = "/home/";
 
         # Interfaces to use DNS on
-        interface=br0
+        interface = "br0";
 
         # subnet IP blocks to use DHCP on
-        dhcp-range=${cfg.privateSubnet}.10,${cfg.privateSubnet}.254,24h
+        dhcp-range = "${cfg.privateSubnet}.10,${cfg.privateSubnet}.254,24h";
-      '';
+      };
     };
 
     services.hostapd = {
       enable = true;
       radios = {
-        # 2.4GHz
+        # Simple 2.4GHz AP
-        wlp4s0 = {
+        wlan0 = {
-          band = "2g";
-          noScan = true;
-          channel = 6;
           countryCode = "US";
-          wifi4 = {
+          networks.wlan0 = {
-            capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ];
+            ssid = "CXNK00BF9176-1";
-          };
+            authentication.saePasswords = [{ passwordFile = "/run/agenix/hostapd-pw-CXNK00BF9176"; }];
-          wifi5 = {
-            operatingChannelWidth = "20or40";
-            capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
-          };
-          wifi6 = {
-            enable = true;
-            singleUserBeamformer = true;
-            singleUserBeamformee = true;
-            multiUserBeamformer = true;
-            operatingChannelWidth = "20or40";
-          };
-          networks = {
-            wlp4s0 = {
-              ssid = "CXNK00BF9176";
-              authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
-            };
-            # wlp4s0-1 = {
-            #   ssid = "- Experimental 5G Tower by AT&T";
-            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
-            # };
-            # wlp4s0-2 = {
-            #   ssid = "FBI Surveillance Van 2";
-            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
-            # };
-          };
-          settings = {
-            he_oper_centr_freq_seg0_idx = 8;
-            vht_oper_centr_freq_seg0_idx = 8;
           };
         };
 
-        # 5GHz
+        # WiFi 5 (5GHz) with two advertised networks
         wlan1 = {
           band = "5g";
-          noScan = true;
+          channel = 0;
-          channel = 128;
           countryCode = "US";
-          wifi4 = {
+          networks.wlan1 = {
-            capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ];
+            ssid = "CXNK00BF9176-1";
-          };
+            authentication.saePasswords = [{ passwordFile = "/run/agenix/hostapd-pw-CXNK00BF9176"; }];
-          wifi5 = {
-            operatingChannelWidth = "160";
-            capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
-          };
-          wifi6 = {
-            enable = true;
-            singleUserBeamformer = true;
-            singleUserBeamformee = true;
-            multiUserBeamformer = true;
-            operatingChannelWidth = "160";
-          };
-          networks = {
-            wlan1 = {
-              ssid = "CXNK00BF9176";
-              authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
-            };
-            # wlan1-1 = {
-            #   ssid = "- Experimental 5G Tower by AT&T";
-            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
-            # };
-            # wlan1-2 = {
-            #   ssid = "FBI Surveillance Van 5";
-            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
-            # };
-          };
-          settings = {
-            vht_oper_centr_freq_seg0_idx = 114;
-            he_oper_centr_freq_seg0_idx = 114;
           };
         };
       };
     };
-    age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
     age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;
 
-    hardware.firmware = [
+    # wlan0 5Ghz 00:0a:52:08:38:32
-      pkgs.mt7916-firmware
+    # wlp4s0 2.4Ghz 00:0a:52:08:38:33
-    ];
 
-    nixpkgs.overlays = [
+    # services.hostapd = {
-      (self: super: {
+    #   enable = true;
-        mt7916-firmware = pkgs.stdenvNoCC.mkDerivation {
+    #   radios = {
-          pname = "mt7916-firmware";
+    #     # 2.4GHz
-          version = "custom-feb-02-23";
+    #     wlp4s0 = {
-          src = ./firmware/mediatek; # from here https://github.com/openwrt/mt76/issues/720#issuecomment-1413537674
+    #       band = "2g";
-          dontBuild = true;
+    #       noScan = true;
-          installPhase = ''
+    #       channel = 6;
-            for i in \
+    #       countryCode = "US";
-              mt7916_eeprom.bin \
+    #       wifi4 = {
-              mt7916_rom_patch.bin \
+    #         capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ];
-              mt7916_wa.bin \
+    #       };
-              mt7916_wm.bin;
+    #       wifi5 = {
-            do
+    #         operatingChannelWidth = "20or40";
-              install -D -pm644 $i $out/lib/firmware/mediatek/$i
+    #         capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
-            done
+    #       };
-          '';
+    #       wifi6 = {
-          meta = with lib; {
+    #         enable = true;
-            license = licenses.unfreeRedistributableFirmware;
+    #         singleUserBeamformer = true;
-          };
+    #         singleUserBeamformee = true;
-        };
+    #         multiUserBeamformer = true;
-      })
+    #         operatingChannelWidth = "20or40";
-    ];
+    #       };
+    #       networks = {
+    #         wlp4s0 = {
+    #           ssid = "CXNK00BF9176";
+    #           authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
+    #         };
+    #         # wlp4s0-1 = {
+    #         #   ssid = "- Experimental 5G Tower by AT&T";
+    #         #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+    #         # };
+    #         # wlp4s0-2 = {
+    #         #   ssid = "FBI Surveillance Van 2";
+    #         #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+    #         # };
+    #       };
+    #       settings = {
+    #         he_oper_centr_freq_seg0_idx = 8;
+    #         vht_oper_centr_freq_seg0_idx = 8;
+    #       };
+    #     };
+
+    #     # 5GHz
+    #     wlan1 = {
+    #       band = "5g";
+    #       noScan = true;
+    #       channel = 128;
+    #       countryCode = "US";
+    #       wifi4 = {
+    #         capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ];
+    #       };
+    #       wifi5 = {
+    #         operatingChannelWidth = "160";
+    #         capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
+    #       };
+    #       wifi6 = {
+    #         enable = true;
+    #         singleUserBeamformer = true;
+    #         singleUserBeamformee = true;
+    #         multiUserBeamformer = true;
+    #         operatingChannelWidth = "160";
+    #       };
+    #       networks = {
+    #         wlan1 = {
+    #           ssid = "CXNK00BF9176";
+    #           authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
+    #         };
+    #         # wlan1-1 = {
+    #         #   ssid = "- Experimental 5G Tower by AT&T";
+    #         #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+    #         # };
+    #         # wlan1-2 = {
+    #         #   ssid = "FBI Surveillance Van 5";
+    #         #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+    #         # };
+    #       };
+    #       settings = {
+    #         vht_oper_centr_freq_seg0_idx = 114;
+    #         he_oper_centr_freq_seg0_idx = 114;
+    #       };
+    #     };
+    #   };
+    # };
+    # age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
+    # age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;
+
+    # hardware.firmware = [
+    #   pkgs.mt7916-firmware
+    # ];
+
+    # nixpkgs.overlays = [
+    #   (self: super: {
+    #     mt7916-firmware = pkgs.stdenvNoCC.mkDerivation {
+    #       pname = "mt7916-firmware";
+    #       version = "custom-feb-02-23";
+    #       src = ./firmware/mediatek; # from here https://github.com/openwrt/mt76/issues/720#issuecomment-1413537674
+    #       dontBuild = true;
+    #       installPhase = ''
+    #         for i in \
+    #           mt7916_eeprom.bin \
+    #           mt7916_rom_patch.bin \
+    #           mt7916_wa.bin \
+    #           mt7916_wm.bin;
+    #         do
+    #           install -D -pm644 $i $out/lib/firmware/mediatek/$i
+    #         done
+    #       '';
+    #       meta = with lib; {
+    #         license = licenses.unfreeRedistributableFirmware;
+    #       };
+    #     };
+    #   })
+    # ];
   };
 }

machines/storage/s0/default.nix

@@ -104,6 +104,7 @@
 
     services.transmission = {
       enable = true;
+      package = pkgs.transmission_4;
       performanceNetParameters = true;
       user = "public_data";
       group = "public_data";
@@ -179,15 +180,10 @@
   # I could not figure out how to allow the container to access the encoder
   services.jellyfin.enable = true;
   users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
-  nixpkgs.config.packageOverrides = pkgs: {
-    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
-  };
   hardware.graphics = {
     enable = true;
     extraPackages = with pkgs; [
       intel-media-driver
-      vaapiIntel
-      vaapiVdpau
       libvdpau-va-gl
       intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
     ];
@@ -237,7 +233,7 @@
             globalRedirect = "s0.neet.dev";
           };
         }
-        (mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
+        (mkVirtualHost "ha.s0.neet.dev" "http://localhost:${toString config.services.home-assistant.config.http.server_port}")
         (mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
         (mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
         {
@@ -251,6 +247,10 @@
         (mkVirtualHost "sandman.s0.neet.dev" "http://192.168.9.14:3000") # es
         (mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
         (mkVirtualHost "budget.s0.neet.dev" "http://localhost:${toString config.services.actual.settings.port}") # actual budget
+        (mkVirtualHost "linkwarden.s0.neet.dev" "http://localhost:${toString config.services.linkwarden.port}")
+        (mkVirtualHost "memos.s0.neet.dev" "http://localhost:${toString config.services.memos.settings.MEMOS_PORT}")
+        (mkVirtualHost "outline.s0.neet.dev" "http://localhost:${toString config.services.outline.port}")
+        (mkVirtualHost "languagetool.s0.neet.dev" "http://localhost:${toString config.services.languagetool.port}")
       ];
 
     tailscaleAuth = {
@@ -271,6 +271,11 @@
         "zigbee.s0.neet.dev"
         "vacuum.s0.neet.dev"
         "todo.s0.neet.dev"
+        "budget.s0.neet.dev"
+        "linkwarden.s0.neet.dev"
+        # "memos.s0.neet.dev" # messes up memos /auth route
+        # "outline.s0.neet.dev" # messes up outline /auth route
+        "languagetool.s0.neet.dev"
       ];
       expectedTailnet = "koi-bebop.ts.net";
     };
@@ -314,5 +319,54 @@
 
   services.actual.enable = true;
 
+  services.linkwarden = {
+    enable = true;
+    enableRegistration = true;
+    port = 41709;
+    environment.NEXTAUTH_URL = "https://linkwarden.s0.neet.dev/api/v1/auth";
+    environmentFile = "/run/agenix/linkwarden-environment";
+  };
+  age.secrets.linkwarden-environment.file = ../../../secrets/linkwarden-environment.age;
+  services.meilisearch = {
+    enable = true;
+    package = pkgs.meilisearch;
+  };
+
+  services.flaresolverr = {
+    enable = true;
+    port = 48072;
+  };
+
+  services.memos = {
+    enable = true;
+    settings.MEMOS_PORT = "57643";
+  };
+
+  services.outline = {
+    enable = true;
+    forceHttps = false; # https through nginx
+    port = 43933;
+    publicUrl = "https://outline.s0.neet.dev";
+    storage.storageType = "local";
+    smtp = {
+      secure = true;
+      fromEmail = "robot@runyan.org";
+      username = "robot@runyan.org";
+      replyEmail = "robot@runyan.org";
+      host = "mail.neet.dev";
+      port = 465;
+      passwordFile = "/run/agenix/robots-email-pw";
+    };
+  };
+  age.secrets.robots-email-pw = {
+    file = ../../../secrets/robots-email-pw.age;
+    owner = config.services.outline.user;
+  };
+
+  services.languagetool = {
+    enable = true;
+    port = 60613;
+  };
+
   boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
 }

machines/storage/s0/frigate.nix

@@ -84,6 +84,11 @@ lib.mkMerge [
     services.frigate = {
       enable = true;
       hostname = frigateHostname;
+
+      # Sadly this fails because it doesn't support frigate's var substition format
+      # which is critical... so what's even the point of it then?
+      checkConfig = false;
+
       settings = {
         mqtt = {
           enabled = true;

machines/storage/s0/hardware-configuration.nix

@@ -58,43 +58,48 @@
     };
   swapDevices = [ ];
 
+  ### networking ###
+
+  # systemd.network.enable = true;
   networking = {
-    dhcpcd.enable = false;
+    # useNetworkd = true;
+    dhcpcd.enable = true;
+    interfaces."eth0".useDHCP = true;
+    interfaces."eth1".useDHCP = false;
+    interfaces."main@eth1".useDHCP = true;
+    interfaces."iot@eth1".useDHCP = true;
+    interfaces."management@eth1".useDHCP = true;
 
     vlans = {
+      main = {
+        id = 5;
+        interface = "eth1";
+      };
       iot = {
         id = 2;
         interface = "eth1";
       };
+      management = {
+        id = 4;
+        interface = "eth1";
+      };
     };
 
-    interfaces.eth1.ipv4.addresses = [{
+    # interfaces.eth1.ipv4.addresses = [{
-      address = "192.168.1.2";
+    #   address = "192.168.1.2";
-      prefixLength = 21;
+    #   prefixLength = 21;
-    }];
+    # }];
-    interfaces.iot.ipv4.addresses = [{
+    # interfaces.iot.ipv4.addresses = [{
-      address = "192.168.9.8";
+    #   address = "192.168.9.8";
-      prefixLength = 22;
+    #   prefixLength = 22;
-    }];
+    # }];
 
-    defaultGateway = "192.168.1.1";
+    defaultGateway = {
-    nameservers = [ "1.1.1.1" "8.8.8.8" ];
+      # interface = "eth1";
+      address = "192.168.1.1";
+    };
+    # nameservers = [ "1.1.1.1" "8.8.8.8" ];
   };
 
-  # networking = {
-  #   vlans = {
-  #     iot = {
-  #       id = 2;
-  #       interface = "eth1";
-  #     };
-  #   };
-
-  #   defaultGateway = {
-  #     interface = "eth1";
-  #     address = "192.168.1.1";
-  #     metric = 10; # always use this route as default gateway
-  #   };
-  # };
-
   powerManagement.cpuFreqGovernor = "powersave";
 }

machines/storage/s0/home-automation.nix

@@ -15,13 +15,20 @@
     ];
   };
   networking.firewall.allowedTCPPorts = [
-    1883 # mqtt
+    # mqtt
+    1883
+
+    # Must be exposed so some local devices (such as HA voice preview) can pair with home assistant
+    config.services.home-assistant.config.http.server_port
+
+    # Music assistant (must be exposed so local devices can fetch the audio stream from it)
+    8095
+    8097
   ];
 
   services.zigbee2mqtt = {
     enable = true;
     settings = {
-      homeassistant = true;
       permit_join = false;
       serial = {
         adapter = "ember";
@@ -75,12 +82,23 @@
       "homekit_controller"
       "zha"
       "bluetooth"
+      "whisper"
+      "piper"
+      "wyoming"
+      "tts"
+      "music_assistant"
+      "openai_conversation"
     ];
     config = {
       # Includes dependencies for a basic setup
       # https://www.home-assistant.io/integrations/default_config/
       default_config = { };
 
+      homeassistant = {
+        external_url = "https://ha.s0.neet.dev";
+        internal_url = "http://192.168.1.2:${toString config.services.home-assistant.config.http.server_port}";
+      };
+
       # Enable reverse proxy support
       http = {
         use_x_forwarded_for = true;
@@ -105,4 +123,33 @@
       };
     };
   };
+
+  services.wyoming.faster-whisper.servers."hass" = {
+    enable = true;
+    uri = "tcp://0.0.0.0:45785";
+    model = "distil-small.en";
+    language = "en";
+  };
+
+  services.wyoming.piper.servers."hass" = {
+    enable = true;
+    uri = "tcp://0.0.0.0:45786";
+    voice = "en_US-joe-medium";
+  };
+
+  services.music-assistant = {
+    enable = true;
+    providers = [
+      "hass"
+      "hass_players"
+      "jellyfin"
+      "radiobrowser"
+      "spotify"
+    ];
+  };
+  networking.hosts = {
+    # Workaround for broken spotify api integration
+    # https://github.com/librespot-org/librespot/issues/1527#issuecomment-3167094158
+    "0.0.0.0" = [ "apresolve.spotify.com" ];
+  };
 }

machines/storage/s0/properties.nix

@@ -15,6 +15,9 @@
     "frigate"
     "zigbee"
     "media-server"
+    "linkwarden"
+    "outline"
+    "dns-challenge"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

machines/zoidberg/default.nix

@@ -20,10 +20,6 @@
     );
   services.mount-samba.enable = true;
 
-  # Login DE Option: RetroArch
-  services.xserver.desktopManager.retroarch.enable = true;
-  services.xserver.desktopManager.retroarch.package = pkgs.retroarchFull;
-
   # wireless xbox controller support
   hardware.xone.enable = true;
   boot.kernelModules = [ "xone-wired" "xone-dongle" ];
@@ -39,28 +35,6 @@
     "L+    /opt/rocm/hip   -    -    -     -    ${pkgs.rocmPackages.clr}"
   ];
 
-  # System wide barrier instance
-  # systemd.services.barrier-sddm = {
-  #   description = "Barrier mouse/keyboard share";
-  #   requires = [ "display-manager.service" ];
-  #   after = [ "network.target" "display-manager.service" ];
-  #   wantedBy = [ "multi-user.target" ];
-  #   serviceConfig = {
-  #     Restart = "always";
-  #     RestartSec = 10;
-  #     # todo use user/group
-  #   };
-  #   path = with pkgs; [ barrier doas ];
-  #   script = ''
-  #     # Wait for file to show up. "display-manager.service" finishes a bit too soon
-  #     while ! [ -e /run/sddm/* ]; do sleep 1; done;
-  #     export XAUTHORITY=$(ls /run/sddm/*)
-  #     # Disable crypto is fine because tailscale is E2E encrypting better than barrier could anyway
-  #     barrierc -f --disable-crypto --name zoidberg ray.koi-bebop.ts.net
-  #   '';
-  # };
-
-  # Login into X11 plasma so barrier works well
   services.displayManager.defaultSession = "plasma";
 
   users.users.cris = {
@@ -89,19 +63,17 @@
   };
 
   environment.systemPackages = with pkgs; [
-    jellyfin-media-player
     config.services.xserver.desktopManager.kodi.package
     spotify
-    retroarchFull
   ];
 
   # Command and Conquer Ports
   networking.firewall.allowedUDPPorts = [ 4321 27900 ];
   networking.firewall.allowedTCPPorts = [ 6667 28910 29900 29920 ];
 
-  nixpkgs.config.rocmSupport = true;
   services.ollama = {
     enable = true;
-    acceleration = "rocm";
+    package = pkgs.ollama-vulkan;
+    host = "127.0.0.1";
   };
 }

patches/dont-break-nix-serve.patch

@@ -1,8 +1,8 @@
 diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
-index 49f8ed673816..643b59d68dde 100644
+index f8d8f64e55da..39326d094118 100644
 --- a/nixos/modules/services/video/frigate.nix
 +++ b/nixos/modules/services/video/frigate.nix
-@@ -482,10 +482,6 @@ in
+@@ -609,10 +609,6 @@ in
            };
          };
          extraConfig = ''

patches/gamepadui.patch

@@ -1,13 +0,0 @@
-diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix
-index 29c449c16946..f6c728eb7f0c 100644
---- a/nixos/modules/programs/steam.nix
-+++ b/nixos/modules/programs/steam.nix
-@@ -11,7 +11,7 @@ let
-   in
-     pkgs.writeShellScriptBin "steam-gamescope" ''
-       ${builtins.concatStringsSep "\n" exports}
--      gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -tenfoot -pipewire-dmabuf
-+      gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -gamepadui -steamdeck -pipewire-dmabuf &> /tmp/steamlog
-     '';
- 
-   gamescopeSessionFile =

secrets/binary-cache-private-key.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 hPp1nw dZ1pOYqyxK0awMVafHue3ZiIlp05HX55NSKntOu5Pj8
+-> ssh-ed25519 hPp1nw qfzeHTN5gk0CDb3Fmwak0InkJkxvlS5foxkuTKIvPTY
-Bp/pL8GpeZEKwhUtW39wlOI9NgAiwsdx8GUEs5XOTAM
+lEwEcGfpiJQae3mSD2yLfGFm97FZD6K5tOzBHRzT8/Q
--> ssh-ed25519 w3nu8g l0cyESgnc/n96dSu7X8ik5yYRU+orwe00Eh2ECLM2HA
+-> ssh-ed25519 ZDy34A uS/CLVSyXkRIWlPEgtFn0NK6QFKZCeLHvT7Z1509Hjg
-Tf52gbAN8pSJPgWrkuqox/7QgXvqZLuBkcgz2JNiMsw
+TpW6Y5iRXu7YpDbQV63m+3/LtqIujX54kiXH0ddqF9I
--> ssh-ed25519 evqvfg /pq9eugzrP8Gc9qcr2fRHvtxGM8/OQOb88/17QfD92k
+-> ssh-ed25519 w3nu8g IEC1wZ/EO+CHOvED3nQHPos7LDuiyivIqo3DKAOqZC4
-Cw3vwK9Qc8CBNNnKeHC8ntDlPpSXyTuNovbQ34ww1qc
+XAh21OtD2A8psVBsGYXBY9oBf/woIxkIEMv2VMAYucg
---- wfwVOuRJ+5fgM0sU9394zZ0KtmKEARMlMBTVaowz01w
+-> ssh-ed25519 evqvfg DC9pQv6Jknsi532+px3q5m1HAeYHje0MeZSdPoD0JXA
-矒%9ùŽ:þË;Û[ƒÁ°r³‹	<09>à]óß)l¸wÄÜ!ù Ÿèâ(íÐBÕò?„ÍÒO‚Žª?ù„16˜*¬½Ì.&šH<C5A1>ÓFáX54§Á7‘íöÌó¶·=ˆäwT˜RÖHõLi‚ªÅP{Mà!2Þ¨v®<76>„-gf-P`$*ˆÄ(
+rbXOmY3keN63YZL+kfpmZ9sOlOxWa+GVqgYBKURckvk
-žLo‹â9i
+--- kIbVnf+2GlZRu1BGVi1zlHEIbuBxUX3/jvAHvwNtO88
+Óûy]3â(@Žíº¡äÊÛ2v»ñÀéÔmwãÌП@ñÆPf†Êˆ:[ïƇצ!ãžQ¦<51>Å ’Ö<E28099>÷J0²á¸Oþ§KØCþjÐ#;VåWåŽduŒÇ<C592>† Äiƒ?×g£c<C2A3>†<EFBFBD>ˆr>Ïú‹\«¦ü´5@ÓqÙ<71>ÎH22-dË«¸<C2AB>¿ÄPœ5 <20>|>ŒÜu

secrets/frigate-credentials.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 hPp1nw z8hVbU48K+xyH8zxVXjy7sE35GcdSTeGIu/ywdtRBkQ
+-> ssh-ed25519 hPp1nw MMPi5i5lVf/mcXOraMoErj12pjLWQppVTc18kMFTskM
-ynwH7Jug9yK4iCLYIwUn5paYQISWDVYTkq+7rklAW8Y
+eez7lnpUwseCP/5MZRxjyPZ11gfLHBYPPGEUXUftrAU
--> ssh-ed25519 w3nu8g hP/IbrLUi/tvOOu5pRKWGIfbiGnQofR/s7V9kUcMUzs
+-> ssh-ed25519 ZDy34A dzbWYENdNUIHId+2XUt+gLpnw8xaVsSHrWfIhhBTYBI
-kZLewvTi5JQ5enF5Bl7wiGUJ2W3THTQVXkyXhLM/Xqg
+NszPXqq/beWLE9pKMhbXYSEB3WDaU2EPy66yPC+oU+Y
--> ssh-ed25519 evqvfg s+mq+Pr3fCKSm6dG+p7tF1piR6KZztgH/j0+0S9W7i4
+-> ssh-ed25519 w3nu8g HjJYUyssutwK+bO120fPZoycsIEdLL0gnX1UDMHJKlY
-T9KzT/+WK/XOeuWIyf2/eNQz/ytmOYzAjzzZmlY2Ppg
+jjr1bEAD4HHN1Hbdtj8VR6CqfkTHXZ6huJQ1fnp83s4
---- A4sCAKn9DQwaSQIdyRYe9XwKvMosCLmdP7RQId7l6vA
+-> ssh-ed25519 evqvfg nNibZIdrlMqQXZYT+qFPyd8uB1gZgDjPdfIS7RRjJCM
-›BQ{™Uœƒ¢þi&
º°ÞV,çÝÜ93÷¸ñl`™<Ê‹(à½îÇÆ×-«=ÇÒivÒ
+5LNiRyVpkJr4x1CtV+FRsLF+Tk1KUQDFIrTBQVw3N5c
-Ò&7»Ë#&Íÿì͇ß¿Ûee™<65>š€Kˆiç Ì×à–Â[e¶û·Þ®‹lD?¥œU-Nÿ‚pÐ,þ¤cן-
+--- 7dJKHwTqDkiiZaojRRK0mpxWopbhLwydPwFXtden9iI
+'oºé¹òîÌä<C38C>:Ö=1õ¶Bc×°V­d	qâÀ‚=Þÿ¸¸°µï뎀ˆÔjÿ`ǦÎéÏÎ&åÂ@Ûó½Ç5RQØ´’Ûh™ÞOÉÓÅPŽá£Cv7ü<37>A ûw£s±¸¥QÀR<C380>Ù­O<C2AD>M‘"Wèí*<2A>sÝߤâ×a`Æp¬

secrets/gitea-actions-runner-token.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 hPp1nw bo+iestejjHIx0accmbyOgLJPRH5xMugtfwKgax+DCU
+-> ssh-ed25519 hPp1nw CSR2HrrPUfaeOgAa3vt4yuQOrqyu0qnFBmTT2O4Rdnc
-smaxrCeUgUu9a5mnFlDBbTbw7gNFcLi6mVb3px8gYk0
+nYiiPmn/4Qmrc5VOK+/mmtzKD9xdvEF6SmRiPi/aFqs
--> ssh-ed25519 w3nu8g bhpGV/Yfqfl7mrBgjCgVZEJIsRjXVOmQ2rU7dh+FQzw
+-> ssh-ed25519 ZDy34A cmlgkgy5QvYYn6nHymo0u723S470qvUFt0Ubp6ggKj8
-2irMVi9Vx3/PZT4fqYfcnU7q7wRCtUFOUPZ/X6fQuXw
+8ACCrqGCkVbuFMNoGKMd67oMtZWhQHBigU7Tdqoqy80
--> ssh-ed25519 evqvfg aic8EzOuwt6ojUoHaAlhy0IWmSzuOvXjBQrK/QSS2Vs
+-> ssh-ed25519 w3nu8g GWytr1KtsXVQt6CKqqdjH92/Lc7aBjqa2N80oqeOdwU
-tfw0GyfsovxlMeySyQULMECEoiEjPtdkoQ4OP/t9K9s
+c9GfCkKIaxMgsKWplXIQjiB5c6UE+UkRd4xlg1I5JSA
---- uNvusvjFFt4Fza4a/hmns/tWm9LTE4fULWJ/1Gg3Izc
+-> ssh-ed25519 evqvfg K4Z7DqPilKW9kEfFLDzJ7c2G6PvjRhxhCTEuw0Tw8hU
-Ax­™ €¶;²þ¼[§²oÿ’®“'Lâ@«ö·^<5E>~9\jvCúUϳ$¦§hqÉ<>ú2–Ht?y\vËÈŒ<C388>ð`K!®7Yàï7Ôü

+QsVD2iKObcP7HyVCXn9gPWvewn2Jm/OYLA1Eu6MRP1k
+--- DGe/5H+9vk1EGj/mkUnvzk4VC5JVDIwVeaD78EHRiiI
+êPŸËÓ²ûªÒÖ duÀÉr†¿"KÇ"©„M¬áÆ©xó3 ®²Æ ú™*J.Y_ÃíT%<25>tµ(ÿYʵ´8/Qa©r]ÍmÑÿÒ–¤º‘

secrets/hashed-email-pw.age

@@ -1,9 +1,12 @@
 age-encryption.org/v1
--> ssh-ed25519 6AT2/g kXgY0gJW/LpFYNukKCxa/Dhht4hxmoht+CIENXngW3U
+-> ssh-ed25519 6AT2/g BLyjF65Y/bq9gkAuzl2PZmL7Ge1BTf6MQ/J+04fwwCA
-OFTjvs35H2HLGENEChI9fEowlvp6W7hTWFNRZ1PziW0
+mdGmV3lmTPhVmORAVtJucy5EaNmOiCkZqdw+in8r8+E
--> ssh-ed25519 w3nu8g jWZ0COxc+hFs7bVNTKcWa7oBmLqPmlqktpZ0gpwIUEo
+-> ssh-ed25519 ZDy34A h7f7GMXKCzuVnoIai84+gNq18XqxOPQLt2a4tmmQSxs
-xf4aKirzqHUWppJghPwyCj6SzPntH5gxcP3ch659RIU
+RMoh4ecaEFybnE1ObWFZFHJKrIO3SbRynyDBljfSRAY
--> ssh-ed25519 evqvfg KR2lx8vs0Eseh37tLtcfDDXE2BoyxCr91vqlnpJraA4
+-> ssh-ed25519 w3nu8g XubNz2enRmr1uNZlErXBJngZrY52fJC4AUIbsaTh8yE
-5HiO7QB7sAC0YlDgkq4gOH0Pp83et9+0UPS8+BA+juk
+w5w3FK30UqLok7VeG8wILcyXeAIrf/Uzbf7AnHPfYAw
---- vt6f6yWyfunZS7pihgt97hFccp0hqlkOeLWdfsq5SAo
+-> ssh-ed25519 evqvfg 9UkiG9r2b0ZJwN6DPL+j08YKjBOx2x6jrJlzg+N79lk
-Z+äœm8¬¸vÕ[ïg_K×s™¼8·1hÙÅ1šüžü¤ã´»=@.„2À=ºÛ2?—<>µ¤8\‹›f§3oy÷ga8¾(.•²?¶8m–¹t‹ã<E280B9>,½]«ú
+nmpBD/vZ7h3pAzeL8CO2oABTeA5iujG9Vr4aUgWaO0E
+--- 00dECq/aOgxAgnD19UdntMCzn27Iywp4bQoyAaKJ3yw
+»ŽlŸ÷ƒƒÔrñ,ð’DžgFOíþrÍ=éŒUCR‰wW÷Æ	Ô­Ï*þA$÷³åÝÓeV
+RH ¶T
<01>ISK·é

secrets/pia-login.age

@@ -1,12 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 6AT2/g nn9O3nzI2M9+vKJ3qoKL3xs29iYp2n01xTrmtdbzs1k
+-> ssh-ed25519 6AT2/g MrkHK56b1uQIiMoSrGmCun5QzwFWQiCFZjHQuAkdBlc
-atqBqI77ADuCnV04skh/2KCco5Pgwlz0vSnruiI0dzU
+ipK76P2VS5c00f3n468l+VsTndtEUwHtJTOhR1Zntew
--> ssh-ed25519 hPp1nw tBTDeKMPoCpuoQNdnHdggQdpeYYRXhtJZqCA+o5CPkg
+-> ssh-ed25519 hPp1nw iVISLjddu2lJpNPXewFDmjhORkkzBNUBmq33n2l9yXg
-q5BYRcZYY8oGot4F5fhx6hZfVpClvOTycQ6kMTXykqk
+4oOAaQpnWNsVXfDEK4rclKhAwv8xnE3EUS7PF44/GYc
--> ssh-ed25519 w3nu8g C80+Mp8qRkpSfJBCH3XduSv/oT2bJ6TqVxkyh1NfRFo
+-> ssh-ed25519 ZDy34A gZY++iCMswmQVkKiIUUuuR8srojCpykELGpa0mqHMFA
-9EEh97C2uFzP3a8DB+4YEgjqJyoa97rRT9tXEFGbMFE
+MSpvndXZY7Gm8VUQUdn/x39dVOsJ0d77H4zN0Ct+b1Q
--> ssh-ed25519 evqvfg qByh1A/4ylqHIuvvMqHl0lGBxwWIlwz+pGDdox6zJXE
+-> ssh-ed25519 w3nu8g mnrSRjcTax6g1PHvOwCV/Al6AWkCwiRwMnuZg4vPHys
-Ubym3YKOcekSR+O6dLD+322Kgk3152WDW+Tsu32MYY8
+S2V1O0GF7wipp9Bg+7PA6z4WNbK/zv015AM1SfA/Jrg
---- 4QA63y/d1AXP95G6MHZLJlVyB8LSPVO886QcT2j2tVo
+-> ssh-ed25519 evqvfg 8M2kGsTS/cd0daAr87u0QqS6RH00O1zkSjYdXTxjYGU
-~H«;ùœe¹g<C2B9>7Á7+e|µ!ÿk0à€e•hšì?³k^m¯kDPõ}Ê\<iißv[ÆzOÚ÷sýSe¾ƒŸëTØ>Ë£¨+ŒÙ	ü®¯ÏÁáš5[Âíåä
+uCUwdJFCdFWWlQPpINjf4dAIYZ/pa8tfz8pVjDLPJF0
-Éÿ§7ˆ
+--- iyh7GvKqnNeyIgedqWGQMtYfXJGo1RphDpzuDXJbp1k
+#/Þ¿ «[4èAã<±Ëi×òæ˜ækÞfÓÕ

secrets/radarr-api-key.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 hPp1nw Uhd03cBQ85Yw4FjsXkBDfrcAsTBVVOFVFrnU7sPbTXY
+-> ssh-ed25519 hPp1nw gfVRDt7ReEnz10WvPa8UfBBnsRsiw7sxxXQMuXRnCVs
-/5XIXty9cNwNPV/MXdjoOttmKMXt6PB0/7OMSl7scZ0
+slBNX9Yc1qSu1P5ioNDNLPd97NGE/LWPS/A+u9QGo4E
--> ssh-ed25519 w3nu8g CzC59hO2YLD+Bbzvi62KXvFlyPXrx/OD8hVeQH3hfFU
+-> ssh-ed25519 ZDy34A e5MSY5qDP6WuEgbiK0p5esMQJBb3ScVpb15Ff8sTQgQ
-V7OtV9QjRYNg2+kMk1K4V9RWb8AsgkQ4OlIRs7hwYyo
+9nsimoUQncnbfiu13AnFWZXcpaiySUYdS1eH5O/3Fgg
--> ssh-ed25519 evqvfg XTSo+9xdmL57Mkc7NNw3Xy1kJrE0Sc+81h+OEHfiCVc
+-> ssh-ed25519 w3nu8g op1KSUhJgM6w/nlaUssQDiraQpVzgnWd//JMu2vFgms
-PguEYlZkPMMiMaEpK+gamgl7V9/gaEUpUuV8O8tIUVs
+KvEaJfsB7Qkf+PnzFJdZ3wAxm2qj23IS8RRxyuGN2G4
---- 81iRaeiLWHHzFBoWSa6JFdp9mkKZ1TT9mdRXZaQ4N0M
+-> ssh-ed25519 evqvfg 9L6pFuqkcChZq/W4zkATXm1Y76SEK+S4SyaiSlJd+C4
-‹»J
+j/UWJvo4Cr/UDfaN2milpJ6rU0w1EWdTAzV3SlrCcW8
+--- bdG4zC5dx6cSPetH3DNeHEk6EYCJ5TXGrn8OhUMknNU
+/¶ø+ÏpñR[¤àJ-*‚@ÌÿŸx0Ú©ò-ä.*&T·™~-i	2€eƒ¡`@ëQ8š<l™àQK0AÕ§

secrets/restic-password.age

@@ -1,22 +1,29 @@
 age-encryption.org/v1
--> ssh-ed25519 N7drjg h72jFNLd4ZN5yXXUi1Xue729YQvbThfceBU/R1JiCG4
+-> ssh-ed25519 qEbiMg CX8Y/Si5PzI0enQNfUIAJG5JxqPRLmpHZn2qbnOdqEk
-F6xaYW7iV+jipI9pe8NMNC+yzkajkmqP73qnhFS14Wc
+RtBaY00wl7B+gz9uSxYiNFj9Jf5D18LFvD3XjcqXg00
--> ssh-ed25519 jQaHAA EXEQ0bA8ThyKJp4VNHNB/umpNjn95/fxF9qkB/QZh0g
+-> ssh-ed25519 N7drjg 1bVVPpaqoAb9AGsb8lWCP5nBTVO3nRwCmK2X6M4eCn4
-ZgRc7ts3pdYCtp61XCvDvhHpHfzk2HFJiGtnon0RkkY
+SW4KXrdN0uulfVGDp5zx351v7+HyIQ2dAP2VB1Yjxx8
--> ssh-ed25519 w3nu8g 55b2qTh8v2dK6qFEgbMLiVxydRTWnMmjB5eWdZb3mGQ
+-> ssh-ed25519 jQaHAA ocZpVZtXwnbZWC5RlrPmDtUnRpCnGaJLjCx3IKENJjw
-uD8vs1yZLo/N44tIufP3U0j7otoINC4di0w7/a6OW8I
+x5AUP4Q1Odls9RWdtUtDBWAEbbiOaRwnBiI4+FJUhnA
--> ssh-ed25519 evqvfg Ad0vjBYZYIYxYmWrultbybzIcHOEfIIL5VlqHeyFPGM
+-> ssh-ed25519 ZDy34A JBwwmjzcV7UFHRky6rOF5jFVMxsj0SmLfCEPPzD8qBc
-z1AbX6Htc0hPs7fW8/Cvkfg4Y9qnblpZwRchfGQQVL8
+ESDhUTfMFVqTfyMpIcx2E4Fg1iRljqXA3kkaaBH5NRI
--> ssh-ed25519 WBT1Hw sgwJnWYXwYcAHLmis6LBIwItj5TQUVyV/Jd3NPkWTx4
+-> ssh-ed25519 w3nu8g 32W6EjkjvobPZAV/+2dtZJWW1Xz5yEW1Y+xuPssHPyY
-ctNVx7Xt+87XPV5WhYKjhEv3sXje+U6I/z86jRg4P2s
+DeoxVYTuxkFfV7JFk+PweykeN5z7+GM3IPbzJ9Aze/U
--> ssh-ed25519 6AT2/g uoBlZvOrDV/FqwmPZQmfMzB3P5+DEh7SUJKv8zHBdi0
+-> ssh-ed25519 evqvfg /71B+elrbVgtDqNTPNHiIIWUCoLMh7Nw45ZxfhZSaSA
-xTQzs5CrIREQY2ZinXxZLHfztuVJGsmaqi84TrLzQYA
+z/c5GQKyJ0i7lJh6Fl2cuwrI876BKZGY4+ruPHazg7g
--> ssh-ed25519 hPp1nw uFdt4FE8a1jrHsWuDLs75z0wty8aY6Af+YddkEnGI0I
+-> ssh-ed25519 WBT1Hw /9VARjhq1i3zt8SAJ3KwXz4jDSzNID056rzOeZzdXHk
-1j9iSxYdBg0w6Nto3LKEhvCmGWr/5G6q1XvEmwA/l10
+81JSPCyru+4wS1USnTaVcO+l0t8d/WHkzC3idgXE6T8
--> ssh-ed25519 w3nu8g TvyzrbvTGPjmDZpdwQ8em28uGKmeJt4quEzXXq+rN1g
+-> ssh-ed25519 6AT2/g fLTmQkkH94zZBIef5LyH/v/m1s30E2Yy6AiQEtBjaxo
-rIg9JEkJyuZfQh2FLKzII0f0AUMFcohsmSNdE32nCuQ
+Hx5/ld4RO/Wd4KWX+cAzets9rCAYGorEIJU6FUEavWY
--> ssh-ed25519 evqvfg c13RC6NMmyisYeQ1+znITs9USfwH44fDbzAe4TU/Ryo
+-> ssh-ed25519 r848+g XZtbfc7x3XWiUyjDyqEbJyziovGiY16qendRDtR113s
-72WBsNn7sQb3Gc6MP8Obyc3p8xTQqTwTcqNQxAAvNFo
+fO+QDGyAukeMT/fQrs3YQfIIoXTIb/DgGYRlw0nEyqU
---- zZkMOe3zuxaJswYkKepDQpA8bLMt53zMRx3lkJiSvew
+-> ssh-ed25519 hPp1nw kRQYgbHSM5mVEilZA1CSYbgvSriFJyBP9vUnwQTk2D4
-ê<=CÛM2Zª,tÀáI‹p	Y ÉÌz<C38C>oâQ»«ìS#ÿ'#ì:„Ƕ“`›ƒn9–5<E28093>§zŸ¢¡–Å–‘?X­F6á<>»Ël1Æ+ãqê5PjÜä
+LQdVdVO4MjvB4/hTVwgtLG+Amg6WbQwEaBlgMVVFSqI
-Döû=~IÚ
+-> ssh-ed25519 ZDy34A ZJsdPqw9MjPUH5hr0Heug25ZKtzCmnykDmiMEW6b9iY
+kgN2CU+jrY5SNCKXmhsw/H5kGg+zEiYDUSrG9URA28o
+-> ssh-ed25519 w3nu8g JxgCPagw/jHEEMxuU+Q9aZylQlRtmkrutly80aU/QQA
+C64qkcYda7plc0eNDc6hk0Lf3tRMNrUR5QlEpeEiflY
+-> ssh-ed25519 evqvfg wx4dPODWj1le9AuzS+M+CufWd52ySy9WfOIPdB+w/Ag
+QyLJBNCtLVwpp3cIcO5NUHMaDNc3duUQeMGH2SQBPck
+--- HgYMHuLleFiKLGaf8buXjOHpUiVhgeL1NaJwyRNHAdY
+êR*÷í÷; cßÕPò*“ýÞŠäœl©’#葇J‹]
çu­SŠKr}ž¡:'4·#Käù0P45‹EÒVªo

secrets/secrets.nix

@@ -17,7 +17,7 @@ with roles;
   "cris-hashed-email-pw.age".publicKeys = email-server;
   "sasl_relay_passwd.age".publicKeys = email-server;
   "hashed-robots-email-pw.age".publicKeys = email-server;
-  "robots-email-pw.age".publicKeys = gitea;
+  "robots-email-pw.age".publicKeys = gitea ++ outline;
 
   # nix binary cache
   # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
@@ -38,6 +38,7 @@ with roles;
   # services
   "searx.age".publicKeys = nobody;
   "wolframalpha.age".publicKeys = dailybot;
+  "linkwarden-environment.age".publicKeys = linkwarden;
 
   # hostapd
   "hostapd-pw-experimental-tower.age".publicKeys = nobody;
@@ -54,7 +55,7 @@ with roles;
   "librechat-env-file.age".publicKeys = librechat;
 
   # For ACME DNS Challenge
-  "digitalocean-dns-credentials.age".publicKeys = server;
+  "digitalocean-dns-credentials.age".publicKeys = dns-challenge;
 
   # Frigate (DVR)
   "frigate-credentials.age".publicKeys = frigate;

secrets/smb-secrets.age

@@ -1,17 +1,23 @@
 age-encryption.org/v1
--> ssh-ed25519 N7drjg EazSO4KSpDf7Xi3pTNdhm800ZA5EIIhMbwYp+L42yD0
+-> ssh-ed25519 qEbiMg P0wVQfRdC6s4rGpSxPSvgsens9QF+VphlX6QL91RNGk
-FDktPGF+bWrlPuwD8QNId3tUxt3kPO5JZ9GQ1B4vtPQ
+Rdum6JE/NafVt/lvd54D3leH7QnX/hZoqOoUkp58vpw
--> ssh-ed25519 jQaHAA 2UJ/6JUgZBaiVVj6Y43dIvebrozJW4kuR5xfWIWSVSA
+-> ssh-ed25519 N7drjg LRBM5kYSJGMXCiIaU/tc8kq8L8tjyzYjUb5WeKfx5Dk
-nhZ/CMdHMIN/GjFV/WMmNvRkPYcmgtjihFtNwASS/4E
+/hTFYyPv1gpKBmXJ0EanmfNZwkOg9SvCY1dhqJkSQ3k
--> ssh-ed25519 w3nu8g fLbN1n9ncJz5xW4BnmOfOMI5tdODrZGwhOczWz81NDc
+-> ssh-ed25519 jQaHAA 2niqwTr3jLx/7lDG5Yqetu3lqfU+lCYj626oZVT3XFA
-MP1Z2q1KMmvh76opIwG9ZepFiLRJBnfnGKAGSLvb38k
+NEwUSUcgsGgyeHXTtDo6HYSkX4r7NyloUP+gabOZfOI
--> ssh-ed25519 evqvfg ZgT1jg/k43AdfVIny9i3PxD0FRG3CWHEKJwL/r/VX28
+-> ssh-ed25519 ZDy34A 6NZGnadwDwPUscJdtYQywtuq3FNB0FvUDlztBnAAzBw
-Qme90RlNTtlDZcCbbxmJQ1BHphkYC1fLA7MKWTn+jEA
+so26osNIZk/7tnf8HZwJ+G8+xcyDbpZ6uoX0GJBD7uk
--> ssh-ed25519 jQaHAA C5hiPm6jr4TZa+Hl+ruODqSvl9PAx7bvhAMPiNjCe00
+-> ssh-ed25519 w3nu8g KX8U395jkHGX7LV9TXRl5OcZfcropPKrgonxJsR0MyI
-2trojxFes701L8D1XvWPQBCWJB6rwgppPcGK3jDhCBY
+KaWlP2Q44p53rqAtlojkj2EBcQH+N1EN/8pYhe92x0E
--> ssh-ed25519 w3nu8g IuWEPi/Tacoc2Oyey92eJQun4r0RGjY6GAd8oHTQ4Xk
+-> ssh-ed25519 evqvfg XCZp8XLQ10+OsDwpeBC0t2RAEhj8EG85ZvbYJ6QAeXI
-u6iVh1p2x/ACIHQO9mcVuR3Xmq2ln/F97vlYjWphvMQ
+w9PAegIWcFKtRrcuBk9ysc/qDecNyZBygVVCCzr2DAo
--> ssh-ed25519 evqvfg q1Xp4IxCTofR+RDdi1Hoy+8NOO45u1U9/m/t6eBDUhs
+-> ssh-ed25519 jQaHAA 76ePAMsQpZJO6b2CeE1rgvxhi2JEOxC+OPIW8GBEnWQ
-WkQKg8LGQoIPuICvj7KcvgF4RMyG15txHG4uFg3v7X0
+NyGlaWLtx9Vko4sDFdgsQj9oK1/gD4Y6HnVhOJfO0JE
---- 4WXmmAwvor5BDjArHN3T37/zxKOO3c8jtMaxGigAcMA
+-> ssh-ed25519 ZDy34A RrJ8q0EcqfNgg6Fk2ZrY/RiRjI+w0WFrfvHqi7r5pgU
-øж[îîj‹¿Ž U.wÁó@<40>ŸBHr7Seª/‰»x©í1;ÝÂSUÔ(¤8µ¥¸{Ì=µ¦N²Ý±’<C2B1>ø;_]ªÝVY2D‹¸";úµã×Câ•ùûì7‚§-.’¡üœ‚VÀr±
+ayHpp8FAVEIZhKTqYp1h/mL6UFSlQic7dlrHxbmharI
+-> ssh-ed25519 w3nu8g q4j19BwrZAkFCICDOdAhGFWiD6eCLJRW9faeTaJEvE0
+Av4UT5VsBvdL0cZOoaTrDOBvX91uuVIwru4WXMC+NNA
+-> ssh-ed25519 evqvfg UIsX165L2ccILCU5zFur/9IHarQn9nAaLH3nSbcJJE4
+cWztxUlKMcqx9GfAk2C+Gt/aR9ZXaXZYe9XQ3jnl3T8
+--- bMWqy/VkrJr/SmencAM0ClMc/jtY82jL2ZUYFdLK2qY
+Vã­¥=W}ØŸߥ¿•jUá¢Ctp

secrets/whiteboard-server-jwt-secret.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 6AT2/g CHRtUTrQxclfOFf+1fpKy61dpivMYz9MiLH3tdqy6VA
+-> ssh-ed25519 6AT2/g qKh6Xf7LvaAAwd4WAwkFt4am3bIFV6GUAJtAF38X5Sg
-7tmx3CPNY6T2nAD8I4bGWAN7y1OPBpWjOhmmCFqldJI
+HlIgZr0jst1ZoJaUsqM+cD/FJVHsviZyteKZu/VU9e0
--> ssh-ed25519 w3nu8g UqOMk3O+JfnzlQhymSj1u+9U8xLS93sOVVbd+JhXGBQ
+-> ssh-ed25519 ZDy34A lirRPnVNX7ZMefcCjh6jxx+Vk/nG1+8kl18jBvFGFA4
-qwYjekirvVTjEwwh0Irdy0hMHAlWkUdD5wu5Xi5GL9U
+7fXtdP0kSF+S3uPrBEHiO4riUf8/BhCaEzTFgnHTkHQ
--> ssh-ed25519 evqvfg Dhz+YpGX+IQNV6UgJq66mogX9UPY5U80YHCwgIsRIlA
+-> ssh-ed25519 w3nu8g CoUbAWX4r2jbrcAAyT2jRPY43pK27t08a+CGnnJJZ38
-BcX/9c0sUQOnfUqGY9W9IRhLM88pLNgh6/nf69AibB4
+au9ujHws04Hxv8gYlmxw8rmNUGZmsVW5ilp6MyujnxA
---- 3trZiV0MSyVswrmMNZuj4PBd3XgUUk8+4NpcJZDXW+Y
+-> ssh-ed25519 evqvfg v/onOr1hwFJVX8mvG1MyS+P6B+CC+fH8k7GgV2b22FY
-¾ÛŸ±ûA„ù¯Hã^•ó %‡…’ôÔFàÂö4Ö<>\?H£Ü9_Ôd(ñOcl‡U	[2Éí•ýtßOëm¯Mÿ¾eà¬ú+—ûØ»2&‚óSxÎŽ
+hCUNukeRnYt+dyrpGp7aUzi8Vxx72cm66lcLgxJg0UE
+--- akZhal+1DMZXmudX1sZUjH+KJhENZkgQcuUvXyMsQLA
+<EFBFBD>’ ÊOE~éoÈ,C<>€pµÐ1(Ó Ý®$S¦1‹òÄùgXÁüöàOyô¹rw°àâ-â:Ýï-ëe0i¡9ÎŒ<C38E>É(÷ÒR4[œÄ”%VA¼6@:ø—

secrets/zigbee2mqtt.yaml.age

@@ -1,9 +1,12 @@
 age-encryption.org/v1
--> ssh-ed25519 hPp1nw WkcqGYW9EwuqwdPa22bZ2yyxxSUlfZ1Y+NggCyFR/Qc
+-> ssh-ed25519 hPp1nw KENwK0yRInrVRN1Tgwvx/dJsz+z8rQenw1B4aw57v2c
-Nccy64qgRnPj+6pDRPEvHCo4TRszDL5x8NUoljvAeZ0
+ucnKJeShVBVC8LmQ6VIGTlbB0VBpBi2/lGGfW78jj1U
--> ssh-ed25519 w3nu8g gr+GjbS4lanuXX6QRpzMl/3cuLInJ+djyoSnN/tH5xM
+-> ssh-ed25519 ZDy34A Ghz/fsNQWte2tUx2+kEHcRPCBGc1orAXV9QkCbsKBzg
-md07riIXJ2eH43nL8SJFU+dThXu3kUePO/ZaV9iuS4k
+i9mr3xguDEgLL53ji38H19dkZPHqcfqTy8/S2oaht0U
--> ssh-ed25519 evqvfg rP45WmM5H7O8dFoOQHPeVDY0JqiIDYgJsPyQjh4jC1w
+-> ssh-ed25519 w3nu8g cN44HlL1Zu724p+Kyrygas3RCRTpEPOfTdzFHkLebC4
-R7VH7PhaSCRW5bUAgC0Rlic6FV0IAiqKWFA8ah4/3Q0
+BOBnfvEQLTPH6lBdSOPlYeSSdy3pohctl00lXrDs2zk
---- tyRX1o1ewWqSvvaHYQjzare0j6oW6VT1tdnqTN4Or34
+-> ssh-ed25519 evqvfg HuPgckAebGwcWYCFNvNcNwg2QpyynHuVYRNiuC2j0m0
-"T÷¶áÁÀŠ„Z»S㵈ձ7ƒÜëW—v¡¨[Êi ˜¹CÌÓÜ»Öä<@°yuƒlÊǽ’Rsò<73><C3B2>ƒ¸ä­Íí“´¬y¬`«{ò_Í
+HgJlN4gbED2FNaWr88Ocqdc1UJ3LA1n6fl/BUeXfwhI
+--- eczVQy6oXmBIj1D2v8LuR8ZJxnzyCNxn+rqF135QJJ4
+aj0<EFBFBD>žå^ÂÏ<C382>ö(ø'´¨p1
‹)F½>aíO¦€”›¶¤:Ú¢šŒÛ!û8T¬
+YÌ{ˆ‚3ɶ;Y