Update interface names because usePredictableInterfaceNames is now off

Possible memos fix
Fix tinyproxy starting before VPN bridge is configured
2026-03-01 14:09:01 -08:00 · 2026-03-01 13:32:35 -08:00 · 2026-03-01 13:20:56 -08:00
31 changed files with 148 additions and 581 deletions
--- a/.gitea/scripts/build-and-cache.sh
+++ b/.gitea/scripts/build-and-cache.sh
@@ -26,4 +26,4 @@ paths=$(echo "$toplevels" \
      and .value.narSize >= 524288
    ) | .key] | unique[]')
 echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
-echo "$paths" | xargs attic push -j 1 local:nixos
+echo "$paths" | xargs attic push local:nixos
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -85,3 +85,17 @@ When adding or removing a web-facing service, update both:
 - Always use `--no-link` when running `nix build`
 - Don't use `nix build --dry-run` unless you only need evaluation — it skips the actual build
 - Avoid `2>&1` on nix commands — it can cause error output to be missed
+
+## Git Worktrees
+
+When the user asks you to "start a worktree" or work in a worktree, **do not create one manually** with `git worktree add`. Instead, tell the user to start a new session with:
+
+```bash
+claude --worktree <name>
+```
+
+This is the built-in Claude Code worktree workflow. It creates the worktree at `.claude/worktrees/<name>/` with a branch `worktree-<name>` and starts a new Claude session inside it. Cleanup is handled automatically on exit.
+
+When instructed to work in a git worktree (e.g., via `isolation: "worktree"` on a subagent), you **MUST** do so. If you are unable to create or use a git worktree, you **MUST** stop work immediately and report the failure to the user. Do not fall back to working in the main working tree.
+
+When applying work from a git worktree back to the main branch, commit in the worktree first, then use `git cherry-pick` from the main working tree to bring the commit over. Do not use `git checkout` or `git apply` to copy files directly. Do **not** automatically apply worktree work to the main branch — always ask the user for approval first.
--- a/README.md
+++ b/README.md
@@ -1,26 +1,16 @@
 # NixOS Configuration

-A NixOS flake managing multiple machines with role-based configuration, agenix secrets, sandboxed dev workspaces, and self-hosted services.
+A NixOS flake managing multiple machines with role-based configuration, agenix secrets, and sandboxed dev workspaces.

 ## Layout

 - `/common` - shared configuration imported by all machines
  - `/boot` - bootloaders, CPU microcode, remote LUKS unlock over Tor
-  - `/network` - Tailscale, PIA VPN with leak-proof containers, sandbox networking
+  - `/network` - Tailscale, VPN tunneling via PIA
  - `/pc` - desktop/graphical config (enabled by the `personal` role)
-  - `/server` - self-hosted service definitions (Gitea, Matrix, Nextcloud, media stack, etc.)
+  - `/server` - service definitions and extensions
  - `/sandboxed-workspace` - isolated dev environments (VM, container, or Incus)
-  - `/ntfy` - push notification integration (service failures, SSH logins, ZFS alerts)
-  - `binary-cache.nix` - nix binary cache configuration (nixos.org, cachix, self-hosted atticd)
-  - `nix-builder.nix` - distributed build delegation across machines
-  - `backups.nix` - snapshot-aware restic backups to Backblaze B2
 - `/machines` - per-machine config (`default.nix`, `hardware-configuration.nix`, `properties.nix`)
-  - `fry` - personal desktop
-  - `howl` - personal laptop
-  - `ponyo` - web/mail server (Gitea, Nextcloud, LibreChat, mail)
-  - `storage/s0` - storage/media server (Jellyfin, Home Assistant, monitoring, productivity apps)
-  - `zoidberg` - media center
-  - `ephemeral` - minimal config for building install ISOs and kexec images
 - `/secrets` - agenix-encrypted secrets, decryptable by machines based on their roles
 - `/home` - Home Manager user config
 - `/lib` - custom library functions extending nixpkgs lib
@@ -35,14 +25,8 @@ A NixOS flake managing multiple machines with role-based configuration, agenix s

 **Remote LUKS unlock over Tor** — Machines with encrypted root disks can be unlocked remotely via SSH. An embedded Tor hidden service starts in the initrd so the machine is reachable even without a known IP, using a separate SSH host key for the boot environment.

-**VPN containers** — A `pia-vpn` module provides leak-proof VPN networking for containers. The host creates a WireGuard interface and runs tinyproxy on a bridge network for PIA API bootstrap. A dedicated VPN container authenticates with PIA via the proxy, configures WireGuard, and masquerades bridge traffic through the tunnel. Service containers default-route exclusively through the VPN container — leakage is impossible by network topology. Supports port forwarding with automatic port assignment.
+**VPN containers** — A `vpn-container` module spins up an ephemeral NixOS container with a PIA WireGuard tunnel. The host creates the WireGuard interface and authenticates with PIA, then hands it off to the container's network namespace. This ensures that the container can **never** have direct internet access. Leakage is impossible.

-**Sandboxed workspaces** — Isolated dev environments backed by microVMs (cloud-hypervisor), systemd-nspawn containers, or Incus. Each workspace gets a static IP on a NAT'd bridge (`192.168.83.0/24`), auto-generated SSH host keys, shell aliases for management, and comes pre-configured with Claude Code. The sandbox network blocks access to the local LAN while allowing internet.
+**Sandboxed workspaces** — Isolated dev environments backed by microVMs (cloud-hypervisor), systemd-nspawn containers, or Incus. Each workspace gets a static IP on a NAT'd bridge, auto-generated SSH host keys, shell aliases for management, and comes pre-configured with Claude Code. The sandbox network blocks access to the local LAN while allowing internet.

 **Snapshot-aware backups** — Restic backups to Backblaze B2 automatically create ZFS snapshots or btrfs read-only snapshots before backing up, using mount namespaces to bind-mount frozen data over the original paths so restic records correct paths. Each backup group gets a `restic_<group>` CLI wrapper. Supports `.nobackup` marker files.
-
-**Self-hosted services** — Comprehensive service stack across ponyo and s0: Gitea (git hosting + CI), Nextcloud (files/calendar), Matrix (chat), mail server, Jellyfin/Sonarr/Radarr/Lidarr (media), Home Assistant/Zigbee2MQTT/Frigate (home automation), LibreChat (AI), Gatus (monitoring), and productivity tools (Vikunja, Actual Budget, Outline, Linkwarden, Memos).
-
-**Push notifications** — ntfy integration alerts on systemd service failures, SSH logins, and ZFS pool issues. Gatus monitors all web-facing services and sends alerts via ntfy.
-
-**Remote deployment** — deploy-rs handles remote machine deployments with boot-only or immediate activation modes. A Makefile wraps common operations (`make deploy <host>`, `make deploy-activate <host>`).
--- a/common/network/pia-vpn/default.nix
+++ b/common/network/pia-vpn/default.nix
@@ -234,9 +234,6 @@ in
      before = [ "container@pia-vpn.service" ];
      after = [ "systemd-networkd.service" ];
      requires = [ "systemd-networkd.service" ];
-      serviceConfig.ExecStartPre = [
-        "+${pkgs.systemd}/lib/systemd/systemd-networkd-wait-online --interface=${cfg.bridgeName}:no-carrier --timeout=180"
-      ];
    };

    # WireGuard interface creation (host-side oneshot)
--- a/common/network/pia-vpn/service-container.nix
+++ b/common/network/pia-vpn/service-container.nix
@@ -11,7 +11,6 @@ with lib;

 let
  cfg = config.pia-vpn;
-  hostName = config.networking.hostName;

  mkContainer = name: ctr: {
    autoStart = true;
@@ -29,9 +28,6 @@ let
    config = { config, pkgs, lib, ... }: {
      imports = allModules ++ [ ctr.config ];

-      ntfy-alerts.ignoredUnits = [ "logrotate" ];
-      ntfy-alerts.hostLabel = "${hostName}/${name}";
-
      # Static IP with gateway pointing to VPN container
      networking.useNetworkd = true;
      systemd.network.enable = true;
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
@@ -6,7 +6,6 @@ with lib;

 let
  cfg = config.pia-vpn;
-  hostName = config.networking.hostName;
  scripts = import ./scripts.nix;

  # Port forwarding derived state
@@ -99,8 +98,6 @@ in

          # Route ntfy alerts through the host proxy (VPN container has no gateway on eth0)
          ntfy-alerts.curlExtraArgs = "--proxy http://${cfg.hostAddress}:${toString cfg.proxyPort}";
-          ntfy-alerts.ignoredUnits = [ "logrotate" ];
-          ntfy-alerts.hostLabel = "${hostName}/pia-vpn";

          # Enable forwarding so bridge traffic can go through WG
          boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@@ -229,93 +226,6 @@ in
              RandomizedDelaySec = "1m";
            };
          };
-
-          # Periodic VPN connectivity check — fails if VPN or internet is down,
-          # triggering ntfy alert via the OnFailure drop-in.
-          # Tracks failures with a counter file so only the first 3 failures per
-          # day trigger an alert (subsequent failures exit 0 to suppress noise).
-          systemd.services.pia-vpn-check = {
-            description = "Check PIA VPN connectivity";
-            after = [ "pia-vpn-setup.service" ];
-            requires = [ "pia-vpn-setup.service" ];
-
-            path = with pkgs; [ wireguard-tools iputils coreutils gawk jq ];
-
-            serviceConfig.Type = "oneshot";
-
-            script = ''
-              set -euo pipefail
-
-              COUNTER_FILE="/var/lib/pia-vpn/check-fail-count.json"
-              MAX_ALERTS=3
-
-              check_vpn() {
-                # Check that WireGuard has a peer with a recent handshake (within 3 minutes)
-                handshake=$(wg show ${cfg.interfaceName} latest-handshakes | awk '{print $2}')
-                if [ -z "$handshake" ] || [ "$handshake" -eq 0 ]; then
-                  echo "No WireGuard handshake recorded" >&2
-                  return 1
-                fi
-                now=$(date +%s)
-                age=$((now - handshake))
-                if [ "$age" -gt 180 ]; then
-                  echo "WireGuard handshake is stale (''${age}s ago)" >&2
-                  return 1
-                fi
-
-                # Verify internet connectivity through VPN tunnel
-                if ! ping -c1 -W10 1.1.1.1 >/dev/null 2>&1; then
-                  echo "Cannot reach internet through VPN" >&2
-                  return 1
-                fi
-
-                echo "PIA VPN connectivity OK (handshake ''${age}s ago)"
-                return 0
-              }
-
-              MAX_RETRIES=4
-              for attempt in $(seq 1 $MAX_RETRIES); do
-                if check_vpn; then
-                  rm -f "$COUNTER_FILE"
-                  exit 0
-                fi
-                if [ "$attempt" -lt "$MAX_RETRIES" ]; then
-                  echo "Attempt $attempt/$MAX_RETRIES failed, retrying in 5 minutes..." >&2
-                  sleep 300
-                fi
-              done
-
-              # Failed — read and update counter (reset if from a previous day)
-              today=$(date +%Y-%m-%d)
-              count=0
-              if [ -f "$COUNTER_FILE" ]; then
-                stored=$(jq -r '.date // ""' "$COUNTER_FILE")
-                if [ "$stored" = "$today" ]; then
-                  count=$(jq -r '.count // 0' "$COUNTER_FILE")
-                fi
-              fi
-              count=$((count + 1))
-              jq -n --arg date "$today" --argjson count "$count" \
-                '{"date": $date, "count": $count}' > "$COUNTER_FILE"
-
-              if [ "$count" -le "$MAX_ALERTS" ]; then
-                echo "Failure $count/$MAX_ALERTS today — alerting" >&2
-                exit 1
-              else
-                echo "Failure $count today — suppressing alert (already sent $MAX_ALERTS)" >&2
-                exit 0
-              fi
-            '';
-          };
-
-          systemd.timers.pia-vpn-check = {
-            description = "Periodic PIA VPN connectivity check";
-            wantedBy = [ "timers.target" ];
-            timerConfig = {
-              OnCalendar = "*:0/30";
-              RandomizedDelaySec = "30s";
-            };
-          };
        };
    };
  };
--- a/common/ntfy/default.nix
+++ b/common/ntfy/default.nix
@@ -5,7 +5,6 @@
    ./service-failure.nix
    ./ssh-login.nix
    ./zfs.nix
-    ./dimm-temp.nix
  ];

  options.ntfy-alerts = {
@@ -20,18 +19,6 @@
      default = "";
      description = "Extra arguments to pass to curl (e.g. --proxy http://host:port).";
    };
-
-    ignoredUnits = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [ ];
-      description = "Unit names to skip failure notifications for.";
-    };
-
-    hostLabel = lib.mkOption {
-      type = lib.types.str;
-      default = config.networking.hostName;
-      description = "Label used in ntfy alert titles to identify this host/container.";
-    };
  };

  config = lib.mkIf config.thisMachine.hasRole."ntfy" {
--- a/common/ntfy/dimm-temp.nix
+++ b/common/ntfy/dimm-temp.nix
@@ -1,73 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.ntfy-alerts;
-  hasNtfy = config.thisMachine.hasRole."ntfy";
-
-  checkScript = pkgs.writeShellScript "dimm-temp-check" ''
-    PATH="${lib.makeBinPath [ pkgs.lm_sensors pkgs.gawk pkgs.coreutils pkgs.curl ]}"
-
-    threshold=55
-    hot=""
-    summary=""
-
-    while IFS= read -r line; do
-      case "$line" in
-        spd5118-*)
-          chip="$line"
-          ;;
-        *temp1_input:*)
-          temp="''${line##*: }"
-          whole="''${temp%%.*}"
-          summary="''${summary:+$summary, }$chip: ''${temp}°C"
-          if [ "$whole" -ge "$threshold" ]; then
-            hot="$hot"$'\n'"  $chip: ''${temp}°C"
-          fi
-          ;;
-      esac
-    done < <(sensors -u 'spd5118-*' 2>/dev/null)
-
-    echo "$summary"
-
-    if [ -n "$hot" ]; then
-      message="DIMM temperature above ''${threshold}°C on ${config.networking.hostName}:$hot"
-
-      curl \
-        --fail --silent --show-error \
-        --max-time 30 --retry 3 \
-        -H "Authorization: Bearer $NTFY_TOKEN" \
-        -H "Title: High DIMM temperature on ${config.networking.hostName}" \
-        -H "Priority: high" \
-        -H "Tags: thermometer" \
-        -d "$message" \
-        "${cfg.serverUrl}/service-failures"
-
-      echo "$message" >&2
-    fi
-  '';
-in
-{
-  options.ntfy-alerts.dimmTempCheck.enable = lib.mkEnableOption "DDR5 DIMM temperature monitoring via spd5118";
-
-  config = lib.mkIf (cfg.dimmTempCheck.enable && hasNtfy) {
-    systemd.services.dimm-temp-check = {
-      description = "Check DDR5 DIMM temperatures and alert on overheating";
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" ];
-      serviceConfig = {
-        Type = "oneshot";
-        EnvironmentFile = "/run/agenix/ntfy-token";
-        ExecStart = checkScript;
-      };
-    };
-
-    systemd.timers.dimm-temp-check = {
-      description = "Periodic DDR5 DIMM temperature check";
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnCalendar = "*:0/5";
-        Persistent = true;
-      };
-    };
-  };
-}
--- a/common/ntfy/service-failure.nix
+++ b/common/ntfy/service-failure.nix
@@ -14,14 +14,6 @@ in
        EnvironmentFile = "/run/agenix/ntfy-token";
        ExecStart = "${pkgs.writeShellScript "ntfy-failure-notify" ''
          unit="$1"
-          # Prevent infinite recursion if this service itself fails
-          [[ "$unit" == ntfy-failure@* ]] && exit 0
-          ignored_units=(${lib.concatMapStringsSep " " (u: lib.escapeShellArg u) cfg.ignoredUnits})
-          for ignored in "''${ignored_units[@]}"; do
-            if [[ "$unit" == "$ignored" ]]; then
-              exit 0
-            fi
-          done
          logfile=$(mktemp)
          trap 'rm -f "$logfile"' EXIT
          ${pkgs.systemd}/bin/journalctl -u "$unit" -n 50 --no-pager -o short > "$logfile" 2>/dev/null \
@@ -32,7 +24,7 @@ in
            --max-time 30 --retry 3 \
            ${cfg.curlExtraArgs} \
            -H "Authorization: Bearer $NTFY_TOKEN" \
-            -H "Title: Service failure on ${cfg.hostLabel}" \
+            -H "Title: Service failure on ${config.networking.hostName}" \
            -H "Priority: high" \
            -H "Tags: rotating_light" \
            -H "Message: Unit $unit failed at $(date +%c)" \
@@ -48,7 +40,7 @@ in
        mkdir -p $out/lib/systemd/system/service.d
        cat > $out/lib/systemd/system/service.d/ntfy-on-failure.conf <<'EOF'
        [Unit]
-        OnFailure=ntfy-failure@%N.service
+        OnFailure=ntfy-failure@%p.service
        EOF
      '')
    ];
--- a/common/pc/kde.nix
+++ b/common/pc/kde.nix
@@ -9,14 +9,6 @@ in
    services.displayManager.sddm.wayland.enable = true;
    services.desktopManager.plasma6.enable = true;

-    services.displayManager.sessionPackages = [
-      pkgs.plasma-bigscreen
-    ];
-
-    # Bigscreen binaries must be on PATH for autostart services, KCMs, and
-    # internal plasmashell launches (settings, input handler, envmanager, etc.)
-    environment.systemPackages = [ pkgs.plasma-bigscreen ];
-
    # kde apps
    users.users.googlebot.packages = with pkgs; [
      # akonadi
--- a/common/pc/steam.nix
+++ b/common/pc/steam.nix
@@ -8,29 +8,6 @@ in
    programs.steam.enable = true;
    hardware.steam-hardware.enable = true; # steam controller

-    # Login DE Option: Steam Gamescope (Steam Deck-like session)
-    programs.gamescope = {
-      enable = true;
-    };
-    programs.steam.gamescopeSession = {
-      enable = true;
-      args = [
-        "--hdr-enabled"
-        "--hdr-itm-enabled"
-        "--adaptive-sync"
-      ];
-      steamArgs = [
-        "-steamos3"
-        "-gamepadui"
-        "-pipewire-dmabuf"
-      ];
-      env = {
-        STEAM_ENABLE_VOLUME_HANDLER = "1";
-        STEAM_DISABLE_AUDIO_DEVICE_SWITCHING = "1";
-      };
-    };
-    environment.systemPackages = [ pkgs.gamescope-wsi ];
-
    users.users.googlebot.packages = [
      pkgs.steam
    ];
--- a/common/server/gatus.nix
+++ b/common/server/gatus.nix
@@ -270,16 +270,6 @@ in
            ];
            alerts = [{ type = "ntfy"; }];
          }
-          {
-            name = "Music Assistant";
-            group = "s0";
-            url = "http://s0.koi-bebop.ts.net:8095";
-            interval = "5m";
-            conditions = [
-              "[STATUS] == 200"
-            ];
-            alerts = [{ type = "ntfy"; }];
-          }
          {
            name = "Vikunja";
            group = "s0";
@@ -330,7 +320,16 @@ in
            ];
            alerts = [{ type = "ntfy"; }];
          }
-
+          {
+            name = "LanguageTool";
+            group = "s0";
+            url = "https://languagetool.s0.neet.dev";
+            interval = "5m";
+            conditions = [
+              "[STATUS] == 200"
+            ];
+            alerts = [{ type = "ntfy"; }];
+          }
          {
            name = "Unifi";
            group = "s0";
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
@@ -1,4 +1,4 @@
-{ config, lib, allModules, ... }:
+{ config, lib, ... }:

 # Gitea Actions Runner inside a NixOS container.
 # The container shares the host's /nix/store (read-only) and nix-daemon socket,
@@ -8,7 +8,6 @@

 let
  thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
-  hostName = config.networking.hostName;
  containerName = "gitea-runner";
  giteaRunnerUid = 991;
  giteaRunnerGid = 989;
@@ -32,10 +31,7 @@ in
      };

      config = { config, lib, pkgs, ... }: {
-        imports = allModules;
-
-        ntfy-alerts.ignoredUnits = [ "logrotate" ];
-        ntfy-alerts.hostLabel = "${hostName}/${containerName}";
+        system.stateVersion = "25.11";

        services.gitea-actions-runner.instances.inst = {
          enable = true;
--- a/common/server/nextcloud.nix
+++ b/common/server/nextcloud.nix
@@ -17,7 +17,7 @@ in
  config = lib.mkIf cfg.enable {
    services.nextcloud = {
      https = true;
-      package = pkgs.nextcloud33;
+      package = pkgs.nextcloud32;
      hostName = nextcloudHostname;
      config.dbtype = "sqlite";
      config.adminuser = "jeremy";
--- a/common/server/ntfy.nix
+++ b/common/server/ntfy.nix
@@ -18,7 +18,6 @@ in
      auth-default-access = "deny-all";
      behind-proxy = true;
      enable-login = true;
-      attachment-expiry-duration = "48h";
    };

    # backups
--- a/common/server/unifi.nix
+++ b/common/server/unifi.nix
@@ -13,15 +13,6 @@ in
    services.unifi.unifiPackage = pkgs.unifi;
    services.unifi.mongodbPackage = pkgs.mongodb-7_0;

-    # The upstream module sets KillSignal=SIGCONT so systemd doesn't interfere
-    # with UniFi's self-managed shutdown. But UniFi's Java process crashes during
-    # shutdown (Spring context already closed) leaving mongod orphaned in the
-    # cgroup. With the default KillMode=control-group, mongod only gets SIGCONT
-    # (a no-op) and runs until the 5min timeout triggers SIGKILL.
-    # KillMode=mixed sends SIGCONT to the main process but SIGTERM to remaining
-    # children, giving mongod a clean shutdown instead of SIGKILL.
-    systemd.services.unifi.serviceConfig.KillMode = "mixed";
-
    networking.firewall = lib.mkIf cfg.openMinimalFirewall {
      allowedUDPPorts = [
        3478 # STUN
--- a/flake.lock
+++ b/flake.lock
@@ -53,11 +53,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775848625,
-        "narHash": "sha256-y2/PYZu+yAeG+ueAuhjeeAWHOSvZMJfPiNs7pQJ/Wbc=",
+        "lastModified": 1772252645,
+        "narHash": "sha256-SVP3BYv/tY19P7mh0aG2Pgq4M/CynQEnV4y+57Ed91g=",
        "owner": "sadjow",
        "repo": "claude-code-nix",
-        "rev": "2a665ed3a46cb363630df50150ecf47f45a1d893",
+        "rev": "42c9207e79f1e6b8b95b54a64c10452275717466",
        "type": "github"
      },
      "original": {
@@ -186,11 +186,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774959120,
-        "narHash": "sha256-Pzk6UbueeWy9WFiDY6iA1aHid+2AMzkS6gg2x2cSkz4=",
+        "lastModified": 1769939035,
+        "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "c06f90f1eb6569bdaf6a4a10cb7e66db4454ac2a",
+        "rev": "a8ca480175326551d6c4121498316261cbb5b260",
        "type": "github"
      },
      "original": {
@@ -228,11 +228,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775781825,
-        "narHash": "sha256-L5yKTpR+alrZU2XYYvIxCeCP4LBHU5jhwSj7H1VAavg=",
+        "lastModified": 1772380461,
+        "narHash": "sha256-O3ukj3Bb3V0Tiy/4LUfLlBpWypJ9P0JeUgsKl2nmZZY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e35c39fca04fee829cecdf839a50eb9b54d8a701",
+        "rev": "f140aa04d7d14f8a50ab27f3691b5766b17ae961",
        "type": "github"
      },
      "original": {
@@ -250,11 +250,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1775847073,
-        "narHash": "sha256-OyRZOIQZZQNrIDN40jrhY1SFTzTNYURT5MPhZZchSbY=",
+        "lastModified": 1772338235,
+        "narHash": "sha256-9XcwtSIL/c+pkC3SBNuxCJuSktFOBV1TLvvkhekyB8I=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "239045c84aa62c2ce1349fa4c1ceae9eb6ce9e85",
+        "rev": "9d1ff9b53532908a5eba7707931c9093508b6b92",
        "type": "github"
      },
      "original": {
@@ -270,11 +270,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775365369,
-        "narHash": "sha256-DgH5mveLoau20CuTnaU5RXZWgFQWn56onQ4Du2CqYoI=",
+        "lastModified": 1772341813,
+        "narHash": "sha256-/PQ0ubBCMj/MVCWEI/XMStn55a8dIKsvztj4ZVLvUrQ=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "cef5cf82671e749ac87d69aadecbb75967e6f6c3",
+        "rev": "a2051ff239ce2e8a0148fa7a152903d9a78e854f",
        "type": "github"
      },
      "original": {
@@ -285,11 +285,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1775490113,
-        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
+        "lastModified": 1771969195,
+        "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
+        "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e",
        "type": "github"
      },
      "original": {
@@ -301,11 +301,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1775710090,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "lastModified": 1772198003,
+        "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61",
        "type": "github"
      },
      "original": {
@@ -344,11 +344,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775244324,
-        "narHash": "sha256-TSAozmLyWCRbUJu6tXQvhTjsDKNj9q1CsEqwhhh9kMU=",
+        "lastModified": 1772064816,
+        "narHash": "sha256-ks1D9Rtmopd5F/8ENjEUJpSYYMxv603/v6TRen9Hq54=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "c45a1e4385e81b937b353ee4ce97f5cfd60ceff2",
+        "rev": "ea4dc17f4bc0f65eed082fa394509e4543072b56",
        "type": "gitlab"
      },
      "original": {
@@ -361,11 +361,11 @@
    "spectrum": {
      "flake": false,
      "locked": {
-        "lastModified": 1772189877,
-        "narHash": "sha256-i1p90Rgssb//aNiTDFq46ZG/fk3LmyRLChtp/9lddyA=",
+        "lastModified": 1759482047,
+        "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
        "ref": "refs/heads/main",
-        "rev": "fe39e122d898f66e89ffa17d4f4209989ccb5358",
-        "revCount": 1255,
+        "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
+        "revCount": 996,
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -115,8 +115,6 @@
                ];

                networking.hostName = hostname;
-                # Query with: nixos-version --configuration-revision
-                system.configurationRevision = self.rev or self.dirtyRev or "unknown";

                home-manager.useGlobalPkgs = true;
                home-manager.useUserPackages = true;
@@ -139,6 +137,7 @@
                src = nixpkgs;
                patches = [
                  ./patches/dont-break-nix-serve.patch
+                  ./patches/libreoffice-noto-fonts-subset.patch
                ];
              };
              patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
--- a/machines/fry/hardware-configuration.nix
+++ b/machines/fry/hardware-configuration.nix
@@ -18,7 +18,7 @@
  boot.extraModulePackages = [ ];

  # thunderbolt
-  services.hardware.bolt.enable = false;
+  services.hardware.bolt.enable = true;

  # firmware
  firmware.x86_64.enable = true;
--- a/machines/howl/hardware-configuration.nix
+++ b/machines/howl/hardware-configuration.nix
@@ -22,7 +22,7 @@
  boot.extraModulePackages = [ ];

  # thunderbolt
-  services.hardware.bolt.enable = false;
+  services.hardware.bolt.enable = true;

  # firmware
  firmware.x86_64.enable = true;
--- a/machines/storage/s0/dashy.nix
+++ b/machines/storage/s0/dashy.nix
@@ -401,15 +401,6 @@
            statusCheck = false;
            id = "5_4201_sandman";
          };
-          music-assistant = {
-            title = "Music Assistant";
-            description = "s0:8095";
-            icon = "hl-music-assistant";
-            url = "http://s0.koi-bebop.ts.net:8095";
-            target = "sametab";
-            statusCheck = false;
-            id = "6_4201_music-assistant";
-          };
        };
        haList = [
          haItems.home-assistant
@@ -418,7 +409,6 @@
          haItems.frigate
          haItems.valetudo
          haItems.sandman
-          haItems.music-assistant
        ];
      in
      {
@@ -484,6 +474,15 @@
            statusCheck = false;
            id = "4_5301_outline";
          };
+          languagetool = {
+            title = "LanguageTool";
+            description = "languagetool.s0.neet.dev";
+            icon = "hl-languagetool";
+            url = "https://languagetool.s0.neet.dev";
+            target = "sametab";
+            statusCheck = false;
+            id = "5_5301_languagetool";
+          };
        };
        prodList = [
          prodItems.vikunja
@@ -491,6 +490,7 @@
          prodItems.linkwarden
          prodItems.memos
          prodItems.outline
+          prodItems.languagetool
        ];
      in
      {
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -9,9 +9,6 @@

  networking.hostName = "s0";

-  ntfy-alerts.ignoredUnits = [ "logrotate" ];
-  ntfy-alerts.dimmTempCheck.enable = true;
-
  # system.autoUpgrade.enable = true;

  nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
@@ -143,6 +140,30 @@
        services.lidarr.enable = true;
        services.lidarr.user = "public_data";
        services.lidarr.group = "public_data";
+        services.recyclarr = {
+          enable = true;
+          configuration = {
+            radarr.radarr_main = {
+              api_key = {
+                _secret = "/run/credentials/recyclarr.service/radarr-api-key";
+              };
+              base_url = "http://localhost:7878";
+              quality_definition.type = "movie";
+            };
+            sonarr.sonarr_main = {
+              api_key = {
+                _secret = "/run/credentials/recyclarr.service/sonarr-api-key";
+              };
+              base_url = "http://localhost:8989";
+              quality_definition.type = "series";
+            };
+          };
+        };
+
+        systemd.services.recyclarr.serviceConfig.LoadCredential = [
+          "radarr-api-key:/run/agenix/radarr-api-key"
+          "sonarr-api-key:/run/agenix/sonarr-api-key"
+        ];

        users.groups.public_data.gid = 994;
        users.users.public_data = {
@@ -153,6 +174,8 @@
      };
    };
  };
+  age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
+  age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;

  # jellyfin
  # jellyfin cannot run in the vpn container and use hardware encoding
@@ -228,6 +251,7 @@
        (mkVirtualHost "linkwarden.s0.neet.dev" "http://localhost:${toString config.services.linkwarden.port}")
        (mkVirtualHost "memos.s0.neet.dev" "http://localhost:${toString config.services.memos.settings.MEMOS_PORT}")
        (mkVirtualHost "outline.s0.neet.dev" "http://localhost:${toString config.services.outline.port}")
+        (mkVirtualHost "languagetool.s0.neet.dev" "http://localhost:${toString config.services.languagetool.port}")
      ];

    tailscaleAuth = {
@@ -251,6 +275,7 @@
        "linkwarden.s0.neet.dev"
        # "memos.s0.neet.dev" # messes up memos /auth route
        # "outline.s0.neet.dev" # messes up outline /auth route
+        "languagetool.s0.neet.dev"
      ];
      expectedTailnet = "koi-bebop.ts.net";
    };
@@ -316,8 +341,7 @@
    enable = true;
    settings.MEMOS_PORT = "57643";
  };
-  # ReadWritePaths doesn't work with ProtectSystem=strict on ZFS submounts (/var/lib is a separate dataset)
-  systemd.services.memos.serviceConfig.ProtectSystem = lib.mkForce "full";
+  systemd.services.memos.serviceConfig.PrivateUsers = lib.mkForce false;

  services.outline = {
    enable = true;
@@ -340,5 +364,10 @@
    owner = config.services.outline.user;
  };

+  services.languagetool = {
+    enable = true;
+    port = 60613;
+  };
+
  boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
 }
--- a/machines/zoidberg/default.nix
+++ b/machines/zoidberg/default.nix
@@ -5,6 +5,10 @@
    ./hardware-configuration.nix
  ];

+  # Login DE Option: Steam
+  programs.steam.gamescopeSession.enable = true;
+  # programs.gamescope.capSysNice = true;
+
  # Login DE Option: Kodi
  services.xserver.desktopManager.kodi.enable = true;
  services.xserver.desktopManager.kodi.package =
@@ -31,7 +35,7 @@
    "L+    /opt/rocm/hip   -    -    -     -    ${pkgs.rocmPackages.clr}"
  ];

-  services.displayManager.defaultSession = "plasma-bigscreen-wayland";
+  services.displayManager.defaultSession = "plasma";

  users.users.cris = {
    isNormalUser = true;
@@ -50,10 +54,10 @@
    uid = 1002;
  };

-  # Auto login into Plasma Bigscreen in john zoidberg account
+  # Auto login into Plasma in john zoidberg account
  services.displayManager.sddm.settings = {
    Autologin = {
-      Session = "plasma-bigscreen-wayland";
+      Session = "plasma";
      User = "john";
    };
  };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -16,14 +16,6 @@ in
    nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ prev.writableTmpDirAsHomeHook ];
  });

-  # Retry on push failure to work around hyper connection pool race condition.
-  # https://github.com/zhaofengli/attic/pull/246
-  attic-client = prev.attic-client.overrideAttrs (old: {
-    patches = (old.patches or [ ]) ++ [
-      ../patches/attic-client-push-retry.patch
-    ];
-  });
-
  # Add --zeroconf-port support to Spotify Connect plugin so librespot
  # binds to a fixed port that can be opened in the firewall.
  music-assistant = prev.music-assistant.overrideAttrs (old: {
@@ -31,12 +23,4 @@ in
      ../patches/music-assistant-zeroconf-port.patch
    ];
  });
-
-  # Plasma Bigscreen: TV-optimized KDE shell (not yet packaged in nixpkgs)
-  plasma-bigscreen = import ./plasma-bigscreen.nix {
-    inherit (prev.kdePackages)
-      mkKdeDerivation plasma-workspace plasma-wayland-protocols
-      qtmultimedia qtwayland qtwebengine qcoro;
-    inherit (prev) lib fetchFromGitLab pkg-config sdl3 libcec wayland;
-  };
 }
--- a/overlays/plasma-bigscreen.nix
+++ b/overlays/plasma-bigscreen.nix
@@ -1,79 +0,0 @@
-{
-  mkKdeDerivation,
-  lib,
-  fetchFromGitLab,
-  pkg-config,
-  plasma-workspace,
-  qtmultimedia,
-  qtwayland,
-  qtwebengine,
-  qcoro,
-  plasma-wayland-protocols,
-  wayland,
-  sdl3,
-  libcec,
-}:
-mkKdeDerivation {
-  pname = "plasma-bigscreen";
-  version = "unstable-2026-03-07";
-
-  src = fetchFromGitLab {
-    domain = "invent.kde.org";
-    owner = "plasma";
-    repo = "plasma-bigscreen";
-    rev = "bd143fea7e386bac1652b8150a3ed3d5ef7cf93c";
-    hash = "sha256-y439IX7e0+XqxqFj/4+P5le0hA7DiwA+smDsD0UH/fI=";
-  };
-
-  patches = [
-    ../patches/plasma-bigscreen-input-handler-app-id.patch
-  ];
-
-  extraNativeBuildInputs = [ pkg-config ];
-
-  extraBuildInputs = [
-    qtmultimedia
-    qtwayland
-    qtwebengine
-    qcoro
-    plasma-wayland-protocols
-    wayland
-    sdl3
-    libcec
-  ];
-
-  # Match project version to installed Plasma release so cmake version checks pass
-  postPatch = ''
-    substituteInPlace CMakeLists.txt \
-      --replace-fail 'set(PROJECT_VERSION "6.5.80")' \
-                     'set(PROJECT_VERSION "${plasma-workspace.version}")'
-
-    # Upstream references a nonexistent startplasma-waylandsession binary.
-    # Fix this in the cmake template (before @KDE_INSTALL_FULL_LIBEXECDIR@ is substituted).
-    substituteInPlace bin/plasma-bigscreen-wayland.in \
-      --replace-fail \
-        'startplasma-wayland --xwayland --libinput --exit-with-session=@KDE_INSTALL_FULL_LIBEXECDIR@/startplasma-waylandsession' \
-        'startplasma-wayland'
-  '';
-
-  # FIXME: work around Qt 6.10 cmake API changes
-  cmakeFlags = [ "-DQT_FIND_PRIVATE_MODULES=1" ];
-
-  # QML lint fails on missing runtime-only imports (org.kde.private.biglauncher)
-  # that are only available inside a running Plasma session
-  dontQmlLint = true;
-
-  postFixup = ''
-    # Session .desktop references $out/libexec/plasma-dbus-run-session-if-needed
-    # but the binary lives in plasma-workspace
-    substituteInPlace "$out/share/wayland-sessions/plasma-bigscreen-wayland.desktop" \
-      --replace-fail \
-        "$out/libexec/plasma-dbus-run-session-if-needed" \
-        "${plasma-workspace}/libexec/plasma-dbus-run-session-if-needed"
-
-  '';
-
-  passthru.providedSessions = [ "plasma-bigscreen-wayland" ];
-
-  meta.license = with lib.licenses; [ gpl2Plus ];
-}
--- a/patches/attic-client-push-retry.patch
+++ b/patches/attic-client-push-retry.patch
@@ -1,143 +0,0 @@
-diff --git a/attic/src/api/v1/upload_path.rs b/attic/src/api/v1/upload_path.rs
-index 5b1231e5..cb90928c 100644
--- a/attic/src/api/v1/upload_path.rs
-+++ b/attic/src/api/v1/upload_path.rs
-@@ -25,7 +25,7 @@ pub const ATTIC_NAR_INFO_PREAMBLE_SIZE: &str = "X-Attic-Nar-Info-Preamble-Size";
- /// Regardless of client compression, the server will always decompress
- /// the NAR to validate the NAR hash before applying the server-configured
- /// compression again.
-#[derive(Debug, Serialize, Deserialize)]
-+#[derive(Debug, Serialize, Deserialize, Clone)]
- pub struct UploadPathNarInfo {
-     /// The name of the binary cache to upload to.
-     pub cache: CacheName,
-diff --git a/client/src/push.rs b/client/src/push.rs
-index 309bd4b6..f3951d2b 100644
--- a/client/src/push.rs
-+++ b/client/src/push.rs
-@@ -560,57 +560,83 @@ pub async fn upload_path(
-         );
-     let bar = mp.add(ProgressBar::new(path_info.nar_size));
-     bar.set_style(style);
-    let nar_stream = NarStreamProgress::new(store.nar_from_path(path.to_owned()), bar.clone())
-        .map_ok(Bytes::from);
-
-    let start = Instant::now();
-    match api
-        .upload_path(upload_info, nar_stream, force_preamble)
-        .await
-    {
-        Ok(r) => {
-            let r = r.unwrap_or(UploadPathResult {
-                kind: UploadPathResultKind::Uploaded,
-                file_size: None,
-                frac_deduplicated: None,
-            });
-
-            let info_string: String = match r.kind {
-                UploadPathResultKind::Deduplicated => "deduplicated".to_string(),
-                _ => {
-                    let elapsed = start.elapsed();
-                    let seconds = elapsed.as_secs_f64();
-                    let speed = (path_info.nar_size as f64 / seconds) as u64;
-+    // Create a new stream for each retry attempt
-+    let bar_ref = &bar;
-+    let nar_stream = move || {
-+        NarStreamProgress::new(store.nar_from_path(path.to_owned()), bar_ref.clone())
-+            .map_ok(Bytes::from)
-+    };
-
-                    let mut s = format!("{}/s", HumanBytes(speed));
-+    let start = Instant::now();
-+    let mut retries = 0;
-+    const MAX_RETRIES: u32 = 3;
-+    const RETRY_DELAY: Duration = Duration::from_millis(250);
-
-                    if let Some(frac_deduplicated) = r.frac_deduplicated {
-                        if frac_deduplicated > 0.01f64 {
-                            s += &format!(", {:.1}% deduplicated", frac_deduplicated * 100.0);
-+    loop {
-+        let result = api
-+            .upload_path(upload_info.clone(), nar_stream(), force_preamble)
-+            .await;
-+        match result {
-+            Ok(r) => {
-+                let r = r.unwrap_or(UploadPathResult {
-+                    kind: UploadPathResultKind::Uploaded,
-+                    file_size: None,
-+                    frac_deduplicated: None,
-+                });
-+
-+                let info_string: String = match r.kind {
-+                    UploadPathResultKind::Deduplicated => "deduplicated".to_string(),
-+                    _ => {
-+                        let elapsed = start.elapsed();
-+                        let seconds = elapsed.as_secs_f64();
-+                        let speed = (path_info.nar_size as f64 / seconds) as u64;
-+
-+                        let mut s = format!("{}/s", HumanBytes(speed));
-+
-+                        if let Some(frac_deduplicated) = r.frac_deduplicated {
-+                            if frac_deduplicated > 0.01f64 {
-+                                s += &format!(", {:.1}% deduplicated", frac_deduplicated * 100.0);
-+                            }
-                         }
-+
-+                        s
-                     }
-+                };
-
-                    s
-+                mp.suspend(|| {
-+                    eprintln!(
-+                        "✅ {} ({})",
-+                        path.as_os_str().to_string_lossy(),
-+                        info_string
-+                    );
-+                });
-+                bar.finish_and_clear();
-+
-+                return Ok(());
-+            }
-+            Err(e) => {
-+                if retries < MAX_RETRIES {
-+                    retries += 1;
-+                    mp.suspend(|| {
-+                        eprintln!(
-+                            "❕ {}: Upload failed, retrying ({}/{})...",
-+                            path.as_os_str().to_string_lossy(),
-+                            retries,
-+                            MAX_RETRIES
-+                        );
-+                    });
-+                    tokio::time::sleep(RETRY_DELAY).await;
-+                    continue;
-                 }
-            };
-
-            mp.suspend(|| {
-                eprintln!(
-                    "✅ {} ({})",
-                    path.as_os_str().to_string_lossy(),
-                    info_string
-                );
-            });
-            bar.finish_and_clear();
-+                mp.suspend(|| {
-+                    eprintln!("❌ {}: {}", path.as_os_str().to_string_lossy(), e);
-+                });
-+                bar.finish_and_clear();
-
-            Ok(())
-        }
-        Err(e) => {
-            mp.suspend(|| {
-                eprintln!("❌ {}: {}", path.as_os_str().to_string_lossy(), e);
-            });
-            bar.finish_and_clear();
-            Err(e)
-+                return Err(e);
-+            }
-         }
-     }
- }
--- a/patches/libreoffice-noto-fonts-subset.patch
+++ b/patches/libreoffice-noto-fonts-subset.patch
@@ -0,0 +1,16 @@
+Fix notoSubset glob for noto-fonts >= 2026.02.01.
+
+noto-fonts switched from variable fonts (NotoSansArabic[wdth,wght].ttf)
+to static fonts (NotoSansArabic.ttf). The old glob pattern only matched
+files with brackets in the name, causing the cp to fail.
+
+--- a/pkgs/applications/office/libreoffice/default.nix
+++ b/pkgs/applications/office/libreoffice/default.nix
+@@ -191,7 +191,7 @@
+     runCommand "noto-fonts-subset" { } ''
+       mkdir -p "$out/share/fonts/noto/"
+       ${concatMapStrings (x: ''
+-        cp "${noto-fonts}/share/fonts/noto/NotoSans${x}["*.[ot]tf "$out/share/fonts/noto/"
+        cp "${noto-fonts}/share/fonts/noto/NotoSans${x}"*.[ot]tf "$out/share/fonts/noto/"
+       '') suffixes}
+     '';
--- a/patches/plasma-bigscreen-input-handler-app-id.patch
+++ b/patches/plasma-bigscreen-input-handler-app-id.patch
@@ -1,19 +0,0 @@
-Use the correct app_id when pre-authorizing remote-desktop portal access.
-
-The portal's isAppMegaAuthorized() looks up the caller's specific app_id in
-the PermissionStore.  An empty string only matches apps the portal cannot
-identify; it is not a wildcard.  Since the input handler is launched via
-KIO::CommandLauncherJob with a desktopName, the portal resolves it to the
-desktop file ID, so the empty-string entry never matches.
-
--- a/inputhandler/xdgremotedesktopsystem.cpp
-+++ b/inputhandler/xdgremotedesktopsystem.cpp
-@@ -66,7 +67,7 @@
-     QDBusReply<void> reply = permissionStore.call(QStringLiteral("SetPermission"),
-                                                   QStringLiteral("kde-authorized"), // table
-                                                   true, // create table if not exists
-                                                   QStringLiteral("remote-desktop"), // id
-                                                  QLatin1String(""), // app (empty for host applications)
-+                                                  QStringLiteral("org.kde.plasma.bigscreen.inputhandler"),
-                                                   QStringList{QStringLiteral("yes")}); // permissions
-
--- a/secrets/radarr-api-key.age
+++ b/secrets/radarr-api-key.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPp1nw gfVRDt7ReEnz10WvPa8UfBBnsRsiw7sxxXQMuXRnCVs
+slBNX9Yc1qSu1P5ioNDNLPd97NGE/LWPS/A+u9QGo4E
+-> ssh-ed25519 ZDy34A e5MSY5qDP6WuEgbiK0p5esMQJBb3ScVpb15Ff8sTQgQ
+9nsimoUQncnbfiu13AnFWZXcpaiySUYdS1eH5O/3Fgg
+-> ssh-ed25519 w3nu8g op1KSUhJgM6w/nlaUssQDiraQpVzgnWd//JMu2vFgms
+KvEaJfsB7Qkf+PnzFJdZ3wAxm2qj23IS8RRxyuGN2G4
+-> ssh-ed25519 evqvfg 9L6pFuqkcChZq/W4zkATXm1Y76SEK+S4SyaiSlJd+C4
+j/UWJvo4Cr/UDfaN2milpJ6rU0w1EWdTAzV3SlrCcW8
+--- bdG4zC5dx6cSPetH3DNeHEk6EYCJ5TXGrn8OhUMknNU
+/¶ø+ÏpñR[¤àJ-*‚@ÌÿŸx0Ú©ò-ä.*&T·™~-i	2€eƒ¡`@ëQ8š<l™àQK0AÕ§
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -63,4 +63,8 @@ with roles;

  # zigbee2mqtt secrets
  "zigbee2mqtt.yaml.age".publicKeys = zigbee;
+
+  # Sonarr and Radarr secrets
+  "radarr-api-key.age".publicKeys = media-server;
+  "sonarr-api-key.age".publicKeys = media-server;
 }
--- a/secrets/sonarr-api-key.age
+++ b/secrets/sonarr-api-key.age
Author	SHA1	Message	Date
Zuckerberg	5a8daad590	Update interface names because usePredictableInterfaceNames is now off Some checks failed Check Flake / check-flake (push) Failing after 14m3s Details	2026-03-01 14:09:01 -08:00
Zuckerberg	07f31b66eb	Possible memos fix Some checks failed Check Flake / check-flake (push) Failing after 33m12s Details	2026-03-01 13:32:35 -08:00
Zuckerberg	674e6f1d3c	Fix tinyproxy starting before VPN bridge is configured Some checks failed Check Flake / check-flake (push) Has been cancelled Details tinyproxy binds to the bridge IP but had no ordering dependency on systemd-networkd, so it could start before the bridge existed.	2026-03-01 13:20:56 -08:00