Improve gamescope session

Don't ntfy for logrotate failures and add container names to ntfy alerts
Add gamescope (steam) login option
2026-03-14 18:30:00 -07:00 · 2026-03-13 20:00:11 -07:00 · 2026-03-09 22:32:10 -07:00 · 2026-03-09 21:54:59 -07:00 · 2026-03-08 21:02:50 -07:00 · 2026-03-08 12:43:19 -07:00
22 changed files with 367 additions and 87 deletions
--- a/README.md
+++ b/README.md
@@ -1,16 +1,26 @@
 # NixOS Configuration

-A NixOS flake managing multiple machines with role-based configuration, agenix secrets, and sandboxed dev workspaces.
+A NixOS flake managing multiple machines with role-based configuration, agenix secrets, sandboxed dev workspaces, and self-hosted services.

 ## Layout

 - `/common` - shared configuration imported by all machines
  - `/boot` - bootloaders, CPU microcode, remote LUKS unlock over Tor
-  - `/network` - Tailscale, VPN tunneling via PIA
+  - `/network` - Tailscale, PIA VPN with leak-proof containers, sandbox networking
  - `/pc` - desktop/graphical config (enabled by the `personal` role)
-  - `/server` - service definitions and extensions
+  - `/server` - self-hosted service definitions (Gitea, Matrix, Nextcloud, media stack, etc.)
  - `/sandboxed-workspace` - isolated dev environments (VM, container, or Incus)
+  - `/ntfy` - push notification integration (service failures, SSH logins, ZFS alerts)
+  - `binary-cache.nix` - nix binary cache configuration (nixos.org, cachix, self-hosted atticd)
+  - `nix-builder.nix` - distributed build delegation across machines
+  - `backups.nix` - snapshot-aware restic backups to Backblaze B2
 - `/machines` - per-machine config (`default.nix`, `hardware-configuration.nix`, `properties.nix`)
+  - `fry` - personal desktop
+  - `howl` - personal laptop
+  - `ponyo` - web/mail server (Gitea, Nextcloud, LibreChat, mail)
+  - `storage/s0` - storage/media server (Jellyfin, Home Assistant, monitoring, productivity apps)
+  - `zoidberg` - media center
+  - `ephemeral` - minimal config for building install ISOs and kexec images
 - `/secrets` - agenix-encrypted secrets, decryptable by machines based on their roles
 - `/home` - Home Manager user config
 - `/lib` - custom library functions extending nixpkgs lib
@@ -25,8 +35,14 @@ A NixOS flake managing multiple machines with role-based configuration, agenix s

 **Remote LUKS unlock over Tor** — Machines with encrypted root disks can be unlocked remotely via SSH. An embedded Tor hidden service starts in the initrd so the machine is reachable even without a known IP, using a separate SSH host key for the boot environment.

-**VPN containers** — A `vpn-container` module spins up an ephemeral NixOS container with a PIA WireGuard tunnel. The host creates the WireGuard interface and authenticates with PIA, then hands it off to the container's network namespace. This ensures that the container can **never** have direct internet access. Leakage is impossible.
+**VPN containers** — A `pia-vpn` module provides leak-proof VPN networking for containers. The host creates a WireGuard interface and runs tinyproxy on a bridge network for PIA API bootstrap. A dedicated VPN container authenticates with PIA via the proxy, configures WireGuard, and masquerades bridge traffic through the tunnel. Service containers default-route exclusively through the VPN container — leakage is impossible by network topology. Supports port forwarding with automatic port assignment.

-**Sandboxed workspaces** — Isolated dev environments backed by microVMs (cloud-hypervisor), systemd-nspawn containers, or Incus. Each workspace gets a static IP on a NAT'd bridge, auto-generated SSH host keys, shell aliases for management, and comes pre-configured with Claude Code. The sandbox network blocks access to the local LAN while allowing internet.
+**Sandboxed workspaces** — Isolated dev environments backed by microVMs (cloud-hypervisor), systemd-nspawn containers, or Incus. Each workspace gets a static IP on a NAT'd bridge (`192.168.83.0/24`), auto-generated SSH host keys, shell aliases for management, and comes pre-configured with Claude Code. The sandbox network blocks access to the local LAN while allowing internet.

 **Snapshot-aware backups** — Restic backups to Backblaze B2 automatically create ZFS snapshots or btrfs read-only snapshots before backing up, using mount namespaces to bind-mount frozen data over the original paths so restic records correct paths. Each backup group gets a `restic_<group>` CLI wrapper. Supports `.nobackup` marker files.
+
+**Self-hosted services** — Comprehensive service stack across ponyo and s0: Gitea (git hosting + CI), Nextcloud (files/calendar), Matrix (chat), mail server, Jellyfin/Sonarr/Radarr/Lidarr (media), Home Assistant/Zigbee2MQTT/Frigate (home automation), LibreChat (AI), Gatus (monitoring), and productivity tools (Vikunja, Actual Budget, Outline, Linkwarden, Memos).
+
+**Push notifications** — ntfy integration alerts on systemd service failures, SSH logins, and ZFS pool issues. Gatus monitors all web-facing services and sends alerts via ntfy.
+
+**Remote deployment** — deploy-rs handles remote machine deployments with boot-only or immediate activation modes. A Makefile wraps common operations (`make deploy <host>`, `make deploy-activate <host>`).
--- a/common/network/pia-vpn/service-container.nix
+++ b/common/network/pia-vpn/service-container.nix
@@ -11,6 +11,7 @@ with lib;

 let
  cfg = config.pia-vpn;
+  hostName = config.networking.hostName;

  mkContainer = name: ctr: {
    autoStart = true;
@@ -28,6 +29,9 @@ let
    config = { config, pkgs, lib, ... }: {
      imports = allModules ++ [ ctr.config ];

+      ntfy-alerts.ignoredUnits = [ "logrotate" ];
+      ntfy-alerts.hostLabel = "${hostName}/${name}";
+
      # Static IP with gateway pointing to VPN container
      networking.useNetworkd = true;
      systemd.network.enable = true;
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
@@ -6,6 +6,7 @@ with lib;

 let
  cfg = config.pia-vpn;
+  hostName = config.networking.hostName;
  scripts = import ./scripts.nix;

  # Port forwarding derived state
@@ -98,6 +99,8 @@ in

          # Route ntfy alerts through the host proxy (VPN container has no gateway on eth0)
          ntfy-alerts.curlExtraArgs = "--proxy http://${cfg.hostAddress}:${toString cfg.proxyPort}";
+          ntfy-alerts.ignoredUnits = [ "logrotate" ];
+          ntfy-alerts.hostLabel = "${hostName}/pia-vpn";

          # Enable forwarding so bridge traffic can go through WG
          boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@@ -226,6 +229,93 @@ in
              RandomizedDelaySec = "1m";
            };
          };
+
+          # Periodic VPN connectivity check — fails if VPN or internet is down,
+          # triggering ntfy alert via the OnFailure drop-in.
+          # Tracks failures with a counter file so only the first 3 failures per
+          # day trigger an alert (subsequent failures exit 0 to suppress noise).
+          systemd.services.pia-vpn-check = {
+            description = "Check PIA VPN connectivity";
+            after = [ "pia-vpn-setup.service" ];
+            requires = [ "pia-vpn-setup.service" ];
+
+            path = with pkgs; [ wireguard-tools iputils coreutils gawk jq ];
+
+            serviceConfig.Type = "oneshot";
+
+            script = ''
+              set -euo pipefail
+
+              COUNTER_FILE="/var/lib/pia-vpn/check-fail-count.json"
+              MAX_ALERTS=3
+
+              check_vpn() {
+                # Check that WireGuard has a peer with a recent handshake (within 3 minutes)
+                handshake=$(wg show ${cfg.interfaceName} latest-handshakes | awk '{print $2}')
+                if [ -z "$handshake" ] || [ "$handshake" -eq 0 ]; then
+                  echo "No WireGuard handshake recorded" >&2
+                  return 1
+                fi
+                now=$(date +%s)
+                age=$((now - handshake))
+                if [ "$age" -gt 180 ]; then
+                  echo "WireGuard handshake is stale (''${age}s ago)" >&2
+                  return 1
+                fi
+
+                # Verify internet connectivity through VPN tunnel
+                if ! ping -c1 -W10 1.1.1.1 >/dev/null 2>&1; then
+                  echo "Cannot reach internet through VPN" >&2
+                  return 1
+                fi
+
+                echo "PIA VPN connectivity OK (handshake ''${age}s ago)"
+                return 0
+              }
+
+              MAX_RETRIES=4
+              for attempt in $(seq 1 $MAX_RETRIES); do
+                if check_vpn; then
+                  rm -f "$COUNTER_FILE"
+                  exit 0
+                fi
+                if [ "$attempt" -lt "$MAX_RETRIES" ]; then
+                  echo "Attempt $attempt/$MAX_RETRIES failed, retrying in 5 minutes..." >&2
+                  sleep 300
+                fi
+              done
+
+              # Failed — read and update counter (reset if from a previous day)
+              today=$(date +%Y-%m-%d)
+              count=0
+              if [ -f "$COUNTER_FILE" ]; then
+                stored=$(jq -r '.date // ""' "$COUNTER_FILE")
+                if [ "$stored" = "$today" ]; then
+                  count=$(jq -r '.count // 0' "$COUNTER_FILE")
+                fi
+              fi
+              count=$((count + 1))
+              jq -n --arg date "$today" --argjson count "$count" \
+                '{"date": $date, "count": $count}' > "$COUNTER_FILE"
+
+              if [ "$count" -le "$MAX_ALERTS" ]; then
+                echo "Failure $count/$MAX_ALERTS today — alerting" >&2
+                exit 1
+              else
+                echo "Failure $count today — suppressing alert (already sent $MAX_ALERTS)" >&2
+                exit 0
+              fi
+            '';
+          };
+
+          systemd.timers.pia-vpn-check = {
+            description = "Periodic PIA VPN connectivity check";
+            wantedBy = [ "timers.target" ];
+            timerConfig = {
+              OnCalendar = "*:0/30";
+              RandomizedDelaySec = "30s";
+            };
+          };
        };
    };
  };
--- a/common/ntfy/default.nix
+++ b/common/ntfy/default.nix
@@ -5,6 +5,7 @@
    ./service-failure.nix
    ./ssh-login.nix
    ./zfs.nix
+    ./dimm-temp.nix
  ];

  options.ntfy-alerts = {
@@ -25,6 +26,12 @@
      default = [ ];
      description = "Unit names to skip failure notifications for.";
    };
+
+    hostLabel = lib.mkOption {
+      type = lib.types.str;
+      default = config.networking.hostName;
+      description = "Label used in ntfy alert titles to identify this host/container.";
+    };
  };

  config = lib.mkIf config.thisMachine.hasRole."ntfy" {
--- a/common/ntfy/dimm-temp.nix
+++ b/common/ntfy/dimm-temp.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.ntfy-alerts;
+  hasNtfy = config.thisMachine.hasRole."ntfy";
+
+  checkScript = pkgs.writeShellScript "dimm-temp-check" ''
+    PATH="${lib.makeBinPath [ pkgs.lm_sensors pkgs.gawk pkgs.coreutils pkgs.curl ]}"
+
+    threshold=55
+    hot=""
+    summary=""
+
+    while IFS= read -r line; do
+      case "$line" in
+        spd5118-*)
+          chip="$line"
+          ;;
+        *temp1_input:*)
+          temp="''${line##*: }"
+          whole="''${temp%%.*}"
+          summary="''${summary:+$summary, }$chip: ''${temp}°C"
+          if [ "$whole" -ge "$threshold" ]; then
+            hot="$hot"$'\n'"  $chip: ''${temp}°C"
+          fi
+          ;;
+      esac
+    done < <(sensors -u 'spd5118-*' 2>/dev/null)
+
+    echo "$summary"
+
+    if [ -n "$hot" ]; then
+      message="DIMM temperature above ''${threshold}°C on ${config.networking.hostName}:$hot"
+
+      curl \
+        --fail --silent --show-error \
+        --max-time 30 --retry 3 \
+        -H "Authorization: Bearer $NTFY_TOKEN" \
+        -H "Title: High DIMM temperature on ${config.networking.hostName}" \
+        -H "Priority: high" \
+        -H "Tags: thermometer" \
+        -d "$message" \
+        "${cfg.serverUrl}/service-failures"
+
+      echo "$message" >&2
+    fi
+  '';
+in
+{
+  options.ntfy-alerts.dimmTempCheck.enable = lib.mkEnableOption "DDR5 DIMM temperature monitoring via spd5118";
+
+  config = lib.mkIf (cfg.dimmTempCheck.enable && hasNtfy) {
+    systemd.services.dimm-temp-check = {
+      description = "Check DDR5 DIMM temperatures and alert on overheating";
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        EnvironmentFile = "/run/agenix/ntfy-token";
+        ExecStart = checkScript;
+      };
+    };
+
+    systemd.timers.dimm-temp-check = {
+      description = "Periodic DDR5 DIMM temperature check";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*:0/5";
+        Persistent = true;
+      };
+    };
+  };
+}
--- a/common/ntfy/service-failure.nix
+++ b/common/ntfy/service-failure.nix
@@ -32,7 +32,7 @@ in
            --max-time 30 --retry 3 \
            ${cfg.curlExtraArgs} \
            -H "Authorization: Bearer $NTFY_TOKEN" \
-            -H "Title: Service failure on ${config.networking.hostName}" \
+            -H "Title: Service failure on ${cfg.hostLabel}" \
            -H "Priority: high" \
            -H "Tags: rotating_light" \
            -H "Message: Unit $unit failed at $(date +%c)" \
--- a/common/pc/kde.nix
+++ b/common/pc/kde.nix
@@ -9,6 +9,14 @@ in
    services.displayManager.sddm.wayland.enable = true;
    services.desktopManager.plasma6.enable = true;

+    services.displayManager.sessionPackages = [
+      pkgs.plasma-bigscreen
+    ];
+
+    # Bigscreen binaries must be on PATH for autostart services, KCMs, and
+    # internal plasmashell launches (settings, input handler, envmanager, etc.)
+    environment.systemPackages = [ pkgs.plasma-bigscreen ];
+
    # kde apps
    users.users.googlebot.packages = with pkgs; [
      # akonadi
--- a/common/pc/steam.nix
+++ b/common/pc/steam.nix
@@ -8,6 +8,29 @@ in
    programs.steam.enable = true;
    hardware.steam-hardware.enable = true; # steam controller

+    # Login DE Option: Steam Gamescope (Steam Deck-like session)
+    programs.gamescope = {
+      enable = true;
+    };
+    programs.steam.gamescopeSession = {
+      enable = true;
+      args = [
+        "--hdr-enabled"
+        "--hdr-itm-enabled"
+        "--adaptive-sync"
+      ];
+      steamArgs = [
+        "-steamos3"
+        "-gamepadui"
+        "-pipewire-dmabuf"
+      ];
+      env = {
+        STEAM_ENABLE_VOLUME_HANDLER = "1";
+        STEAM_DISABLE_AUDIO_DEVICE_SWITCHING = "1";
+      };
+    };
+    environment.systemPackages = [ pkgs.gamescope-wsi ];
+
    users.users.googlebot.packages = [
      pkgs.steam
    ];
--- a/common/server/gatus.nix
+++ b/common/server/gatus.nix
@@ -270,6 +270,16 @@ in
            ];
            alerts = [{ type = "ntfy"; }];
          }
+          {
+            name = "Music Assistant";
+            group = "s0";
+            url = "http://s0.koi-bebop.ts.net:8095";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == 200"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
          {
            name = "Vikunja";
            group = "s0";
@@ -320,16 +330,7 @@ in
            ];
            alerts = [{ type = "ntfy"; }];
          }
-          {
-            name = "LanguageTool";
-            group = "s0";
-            url = "https://languagetool.s0.neet.dev";
-            interval = "5m";
-            conditions = [
-              "[STATUS] == 200"
-            ];
-            alerts = [{ type = "ntfy"; }];
-          }
+
          {
            name = "Unifi";
            group = "s0";
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, allModules, ... }:

 # Gitea Actions Runner inside a NixOS container.
 # The container shares the host's /nix/store (read-only) and nix-daemon socket,
@@ -8,7 +8,7 @@

 let
  thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
-  hostOverlays = config.nixpkgs.overlays;
+  hostName = config.networking.hostName;
  containerName = "gitea-runner";
  giteaRunnerUid = 991;
  giteaRunnerGid = 989;
@@ -32,8 +32,10 @@ in
      };

      config = { config, lib, pkgs, ... }: {
-        system.stateVersion = "25.11";
-        nixpkgs.overlays = hostOverlays;
+        imports = allModules;
+
+        ntfy-alerts.ignoredUnits = [ "logrotate" ];
+        ntfy-alerts.hostLabel = "${hostName}/${containerName}";

        services.gitea-actions-runner.instances.inst = {
          enable = true;
--- a/common/server/ntfy.nix
+++ b/common/server/ntfy.nix
@@ -18,6 +18,7 @@ in
      auth-default-access = "deny-all";
      behind-proxy = true;
      enable-login = true;
+      attachment-expiry-duration = "48h";
    };

    # backups
--- a/machines/fry/hardware-configuration.nix
+++ b/machines/fry/hardware-configuration.nix
@@ -18,7 +18,7 @@
  boot.extraModulePackages = [ ];

  # thunderbolt
-  services.hardware.bolt.enable = true;
+  services.hardware.bolt.enable = false;

  # firmware
  firmware.x86_64.enable = true;
--- a/machines/howl/hardware-configuration.nix
+++ b/machines/howl/hardware-configuration.nix
@@ -22,7 +22,7 @@
  boot.extraModulePackages = [ ];

  # thunderbolt
-  services.hardware.bolt.enable = true;
+  services.hardware.bolt.enable = false;

  # firmware
  firmware.x86_64.enable = true;
--- a/machines/storage/s0/dashy.nix
+++ b/machines/storage/s0/dashy.nix
@@ -401,6 +401,15 @@
            statusCheck = false;
            id = "5_4201_sandman";
          };
+          music-assistant = {
+            title = "Music Assistant";
+            description = "s0:8095";
+            icon = "hl-music-assistant";
+            url = "http://s0.koi-bebop.ts.net:8095";
+            target = "sametab";
+            statusCheck = false;
+            id = "6_4201_music-assistant";
+          };
        };
        haList = [
          haItems.home-assistant
@@ -409,6 +418,7 @@
          haItems.frigate
          haItems.valetudo
          haItems.sandman
+          haItems.music-assistant
        ];
      in
      {
@@ -474,15 +484,6 @@
            statusCheck = false;
            id = "4_5301_outline";
          };
-          languagetool = {
-            title = "LanguageTool";
-            description = "languagetool.s0.neet.dev";
-            icon = "hl-languagetool";
-            url = "https://languagetool.s0.neet.dev";
-            target = "sametab";
-            statusCheck = false;
-            id = "5_5301_languagetool";
-          };
        };
        prodList = [
          prodItems.vikunja
@@ -490,7 +491,6 @@
          prodItems.linkwarden
          prodItems.memos
          prodItems.outline
-          prodItems.languagetool
        ];
      in
      {
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -10,6 +10,7 @@
  networking.hostName = "s0";

  ntfy-alerts.ignoredUnits = [ "logrotate" ];
+  ntfy-alerts.dimmTempCheck.enable = true;

  # system.autoUpgrade.enable = true;

@@ -142,30 +143,6 @@
        services.lidarr.enable = true;
        services.lidarr.user = "public_data";
        services.lidarr.group = "public_data";
-        services.recyclarr = {
-          enable = true;
-          configuration = {
-            radarr.radarr_main = {
-              api_key = {
-                _secret = "/run/credentials/recyclarr.service/radarr-api-key";
-              };
-              base_url = "http://localhost:7878";
-              quality_definition.type = "movie";
-            };
-            sonarr.sonarr_main = {
-              api_key = {
-                _secret = "/run/credentials/recyclarr.service/sonarr-api-key";
-              };
-              base_url = "http://localhost:8989";
-              quality_definition.type = "series";
-            };
-          };
-        };
-
-        systemd.services.recyclarr.serviceConfig.LoadCredential = [
-          "radarr-api-key:/run/agenix/radarr-api-key"
-          "sonarr-api-key:/run/agenix/sonarr-api-key"
-        ];

        users.groups.public_data.gid = 994;
        users.users.public_data = {
@@ -176,8 +153,6 @@
      };
    };
  };
-  age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
-  age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;

  # jellyfin
  # jellyfin cannot run in the vpn container and use hardware encoding
@@ -253,7 +228,6 @@
        (mkVirtualHost "linkwarden.s0.neet.dev" "http://localhost:${toString config.services.linkwarden.port}")
        (mkVirtualHost "memos.s0.neet.dev" "http://localhost:${toString config.services.memos.settings.MEMOS_PORT}")
        (mkVirtualHost "outline.s0.neet.dev" "http://localhost:${toString config.services.outline.port}")
-        (mkVirtualHost "languagetool.s0.neet.dev" "http://localhost:${toString config.services.languagetool.port}")
      ];

    tailscaleAuth = {
@@ -277,7 +251,6 @@
        "linkwarden.s0.neet.dev"
        # "memos.s0.neet.dev" # messes up memos /auth route
        # "outline.s0.neet.dev" # messes up outline /auth route
-        "languagetool.s0.neet.dev"
      ];
      expectedTailnet = "koi-bebop.ts.net";
    };
@@ -367,10 +340,5 @@
    owner = config.services.outline.user;
  };

-  services.languagetool = {
-    enable = true;
-    port = 60613;
-  };
-
  boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
 }
--- a/machines/zoidberg/default.nix
+++ b/machines/zoidberg/default.nix
@@ -5,10 +5,6 @@
    ./hardware-configuration.nix
  ];

-  # Login DE Option: Steam
-  programs.steam.gamescopeSession.enable = true;
-  # programs.gamescope.capSysNice = true;
-
  # Login DE Option: Kodi
  services.xserver.desktopManager.kodi.enable = true;
  services.xserver.desktopManager.kodi.package =
@@ -35,7 +31,7 @@
    "L+    /opt/rocm/hip   -    -    -     -    ${pkgs.rocmPackages.clr}"
  ];

-  services.displayManager.defaultSession = "plasma";
+  services.displayManager.defaultSession = "plasma-bigscreen-wayland";

  users.users.cris = {
    isNormalUser = true;
@@ -54,10 +50,10 @@
    uid = 1002;
  };

-  # Auto login into Plasma in john zoidberg account
+  # Auto login into Plasma Bigscreen in john zoidberg account
  services.displayManager.sddm.settings = {
    Autologin = {
-      Session = "plasma";
+      Session = "plasma-bigscreen-wayland";
      User = "john";
    };
  };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -31,4 +31,12 @@ in
      ../patches/music-assistant-zeroconf-port.patch
    ];
  });
+
+  # Plasma Bigscreen: TV-optimized KDE shell (not yet packaged in nixpkgs)
+  plasma-bigscreen = import ./plasma-bigscreen.nix {
+    inherit (prev.kdePackages)
+      mkKdeDerivation plasma-workspace plasma-wayland-protocols
+      qtmultimedia qtwayland qtwebengine qcoro;
+    inherit (prev) lib fetchFromGitLab pkg-config sdl3 libcec wayland;
+  };
 }
--- a/overlays/plasma-bigscreen.nix
+++ b/overlays/plasma-bigscreen.nix
@@ -0,0 +1,79 @@
+{
+  mkKdeDerivation,
+  lib,
+  fetchFromGitLab,
+  pkg-config,
+  plasma-workspace,
+  qtmultimedia,
+  qtwayland,
+  qtwebengine,
+  qcoro,
+  plasma-wayland-protocols,
+  wayland,
+  sdl3,
+  libcec,
+}:
+mkKdeDerivation {
+  pname = "plasma-bigscreen";
+  version = "unstable-2026-03-07";
+
+  src = fetchFromGitLab {
+    domain = "invent.kde.org";
+    owner = "plasma";
+    repo = "plasma-bigscreen";
+    rev = "bd143fea7e386bac1652b8150a3ed3d5ef7cf93c";
+    hash = "sha256-y439IX7e0+XqxqFj/4+P5le0hA7DiwA+smDsD0UH/fI=";
+  };
+
+  patches = [
+    ../patches/plasma-bigscreen-input-handler-app-id.patch
+  ];
+
+  extraNativeBuildInputs = [ pkg-config ];
+
+  extraBuildInputs = [
+    qtmultimedia
+    qtwayland
+    qtwebengine
+    qcoro
+    plasma-wayland-protocols
+    wayland
+    sdl3
+    libcec
+  ];
+
+  # Match project version to installed Plasma release so cmake version checks pass
+  postPatch = ''
+    substituteInPlace CMakeLists.txt \
+      --replace-fail 'set(PROJECT_VERSION "6.5.80")' \
+                     'set(PROJECT_VERSION "${plasma-workspace.version}")'
+
+    # Upstream references a nonexistent startplasma-waylandsession binary.
+    # Fix this in the cmake template (before @KDE_INSTALL_FULL_LIBEXECDIR@ is substituted).
+    substituteInPlace bin/plasma-bigscreen-wayland.in \
+      --replace-fail \
+        'startplasma-wayland --xwayland --libinput --exit-with-session=@KDE_INSTALL_FULL_LIBEXECDIR@/startplasma-waylandsession' \
+        'startplasma-wayland'
+  '';
+
+  # FIXME: work around Qt 6.10 cmake API changes
+  cmakeFlags = [ "-DQT_FIND_PRIVATE_MODULES=1" ];
+
+  # QML lint fails on missing runtime-only imports (org.kde.private.biglauncher)
+  # that are only available inside a running Plasma session
+  dontQmlLint = true;
+
+  postFixup = ''
+    # Session .desktop references $out/libexec/plasma-dbus-run-session-if-needed
+    # but the binary lives in plasma-workspace
+    substituteInPlace "$out/share/wayland-sessions/plasma-bigscreen-wayland.desktop" \
+      --replace-fail \
+        "$out/libexec/plasma-dbus-run-session-if-needed" \
+        "${plasma-workspace}/libexec/plasma-dbus-run-session-if-needed"
+
+  '';
+
+  passthru.providedSessions = [ "plasma-bigscreen-wayland" ];
+
+  meta.license = with lib.licenses; [ gpl2Plus ];
+}
--- a/patches/plasma-bigscreen-input-handler-app-id.patch
+++ b/patches/plasma-bigscreen-input-handler-app-id.patch
@@ -0,0 +1,19 @@
+Use the correct app_id when pre-authorizing remote-desktop portal access.
+
+The portal's isAppMegaAuthorized() looks up the caller's specific app_id in
+the PermissionStore.  An empty string only matches apps the portal cannot
+identify; it is not a wildcard.  Since the input handler is launched via
+KIO::CommandLauncherJob with a desktopName, the portal resolves it to the
+desktop file ID, so the empty-string entry never matches.
+
+--- a/inputhandler/xdgremotedesktopsystem.cpp
+++ b/inputhandler/xdgremotedesktopsystem.cpp
+@@ -66,7 +67,7 @@
+     QDBusReply<void> reply = permissionStore.call(QStringLiteral("SetPermission"),
+                                                   QStringLiteral("kde-authorized"), // table
+                                                   true, // create table if not exists
+                                                   QStringLiteral("remote-desktop"), // id
+-                                                  QLatin1String(""), // app (empty for host applications)
+                                                  QStringLiteral("org.kde.plasma.bigscreen.inputhandler"),
+                                                   QStringList{QStringLiteral("yes")}); // permissions
+
--- a/secrets/radarr-api-key.age
+++ b/secrets/radarr-api-key.age
@@ -1,11 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 hPp1nw gfVRDt7ReEnz10WvPa8UfBBnsRsiw7sxxXQMuXRnCVs
-slBNX9Yc1qSu1P5ioNDNLPd97NGE/LWPS/A+u9QGo4E
-> ssh-ed25519 ZDy34A e5MSY5qDP6WuEgbiK0p5esMQJBb3ScVpb15Ff8sTQgQ
-9nsimoUQncnbfiu13AnFWZXcpaiySUYdS1eH5O/3Fgg
-> ssh-ed25519 w3nu8g op1KSUhJgM6w/nlaUssQDiraQpVzgnWd//JMu2vFgms
-KvEaJfsB7Qkf+PnzFJdZ3wAxm2qj23IS8RRxyuGN2G4
-> ssh-ed25519 evqvfg 9L6pFuqkcChZq/W4zkATXm1Y76SEK+S4SyaiSlJd+C4
-j/UWJvo4Cr/UDfaN2milpJ6rU0w1EWdTAzV3SlrCcW8
--- bdG4zC5dx6cSPetH3DNeHEk6EYCJ5TXGrn8OhUMknNU
-/¶ø+ÏpñR[¤àJ-*‚@ÌÿŸx0Ú©ò-ä.*&T·™~-i	2€eƒ¡`@ëQ8š<l™àQK0AÕ§
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -63,8 +63,4 @@ with roles;

  # zigbee2mqtt secrets
  "zigbee2mqtt.yaml.age".publicKeys = zigbee;
-
-  # Sonarr and Radarr secrets
-  "radarr-api-key.age".publicKeys = media-server;
-  "sonarr-api-key.age".publicKeys = media-server;
 }
--- a/secrets/sonarr-api-key.age
+++ b/secrets/sonarr-api-key.age
Author	SHA1	Message	Date
Zuckerberg	8bd9961deb	Improve gamescope session All checks were successful Check Flake / check-flake (push) Successful in 16m25s Details	2026-03-14 18:30:00 -07:00
Zuckerberg	b0f6beefac	Don't ntfy for logrotate failures and add container names to ntfy alerts	2026-03-13 20:00:11 -07:00
Zuckerberg	3d79cc84a3	Add gamescope (steam) login option All checks were successful Check Flake / check-flake (push) Successful in 6m48s Details	2026-03-09 22:32:10 -07:00
Zuckerberg	92a62e54c3	Initial KDE Plasma Bigscreen mode	2026-03-09 21:54:59 -07:00
Zuckerberg	bdec3793d0	Make PIA connection check more tollerant to hiccups All checks were successful Check Flake / check-flake (push) Successful in 15m39s Details	2026-03-08 21:02:50 -07:00
Zuckerberg	dac2820c58	Bump ntfy attachment expiry time All checks were successful Check Flake / check-flake (push) Successful in 15m28s Details	2026-03-08 12:43:19 -07:00
Zuckerberg	a84ca38b45	Disable bolt for now since I don't use it and it sometimes randomly hangs	2026-03-08 12:42:32 -07:00
Zuckerberg	1e7aa17d3d	Log DIMM temperatures on each check run All checks were successful Check Flake / check-flake (push) Successful in 3m58s Details	2026-03-05 21:31:29 -08:00
Zuckerberg	77415c30fa	Fix VPN check alert limiting to only count failures StartLimitBurst counts all starts (including successes), so the timer was getting blocked after ~15 min. Replace with a JSON counter file that resets on success and daily, only triggering OnFailure alerts for the first 3 failures per day.	2026-03-05 21:28:39 -08:00
Zuckerberg	e3f78b460c	Remove recyclarr, I'm not using it currently	2026-03-05 21:27:35 -08:00
Zuckerberg	576ee47246	Add periodic PIA VPN connectivity check All checks were successful Check Flake / check-flake (push) Successful in 4m38s Details Oneshot service + timer (every 5 min) inside the VPN container that verifies WireGuard handshake freshness and internet reachability. Fails on VPN or internet outage, triggering ntfy alert via OnFailure. Capped at 3 failures per day via StartLimitBurst.	2026-03-04 21:45:07 -08:00
Zuckerberg	335abe4e65	Add DDR5 DIMM temperature monitoring with ntfy alerts Monitors spd5118 sensors every 5 minutes and sends an ntfy notification if any DIMM exceeds 55°C. Opt-in via ntfy-alerts.dimmTempCheck.enable, enabled on s0.	2026-03-04 21:24:40 -08:00
Zuckerberg	6267def09b	Add Music Assistant to Dashy and Gatus	2026-03-04 21:23:16 -08:00
Zuckerberg	5342c920a8	Update README	2026-03-04 20:53:46 -08:00
Zuckerberg	6beaa008e1	Remove LanguageTool service	2026-03-04 20:45:32 -08:00