treewide: format markdown

flake.nix: add treefmt-nix
flake.lock: Update
2025-08-15 21:38:30 +01:00 · 2025-08-15 21:37:06 +01:00 · 2025-08-15 21:17:58 +01:00 · 2025-08-15 21:05:59 +01:00 · 2025-08-15 20:18:32 +01:00 · 2025-08-15 20:17:57 +01:00
40 changed files with 1508 additions and 636 deletions
--- a/README.md
+++ b/README.md
@@ -10,10 +10,12 @@ System and user configuration for NixOS-based systems.
 | **Terminal:** | Ghostty |
 ## Provisioning a new host
 > [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) is the module used
 > for provisioning
 Generate a new SSH host key in "$temp/etc/ssh" as per [this guide](https://nix-community.github.io/nixos-anywhere/howtos/secrets.html#example-decrypting-an-openssh-host-key-with-pass).
 ```
 ssh-keygen -t ed25519 -f /tmp/ssh_host_ed25519_key
 ```
@@ -29,6 +31,7 @@ Create a new directory under `hosts/` with a system configuration and disk layou
 Boot the NixOS installer (or any Linux distribution) on the target.
 Then run:
 ```
 nix run github:nix-community/nixos-anywhere -- \
  --disk-encryption-keys /tmp/secret.key /tmp/secret.key \
@@ -40,15 +43,19 @@ nix run github:nix-community/nixos-anywhere -- \
 ### Post install
 If backups are configured, you'll need to run:
 ```
 borgmatic init --encryption repokey-blake2
 ```
 then restart `borgmatic`.
 To join the Tailscale network, run:
 ```
 tailscale up --login-server https://headscale.vimium.net
 ```
 then visit the URL, SSH onto `vps1` and run `headscale --user mesh nodes register --key <key>`.
 The new node can optionally be given a friendly name with `headscale node rename -i <index> <hostname>`.
--- a/flake.lock
+++ b/flake.lock
@@ -3,16 +3,20 @@
    "agenix": {
      "inputs": {
        "darwin": "darwin",
-        "home-manager": "home-manager",
+        "home-manager": [
-        "nixpkgs": "nixpkgs",
+          "nixpkgs"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1750173260,
+        "lastModified": 1754433428,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
        "type": "github"
      },
      "original": {
@@ -21,6 +25,32 @@
        "type": "github"
      }
    },
    "agenix-rekey": {
      "inputs": {
        "devshell": "devshell",
        "flake-parts": "flake-parts",
        "nixpkgs": [
          "nixpkgs"
        ],
        "pre-commit-hooks": [
          "pre-commit-hooks"
        ],
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
        "lastModified": 1754492276,
        "narHash": "sha256-cCtleJZQY5eWPYRGl5x63BZ2rfOik4pLveCveH+tmvM=",
        "owner": "oddlama",
        "repo": "agenix-rekey",
        "rev": "69ed7833c0e4e6a677a20894d8f12876b9e2bedb",
        "type": "github"
      },
      "original": {
        "owner": "oddlama",
        "repo": "agenix-rekey",
        "type": "github"
      }
    },
    "aquamarine": {
      "inputs": {
        "hyprutils": [
@@ -41,11 +71,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750372185,
+        "lastModified": 1753216019,
-        "narHash": "sha256-lVBKxd9dsZOH1fA6kSE5WNnt8e+09fN+NL/Q3BjTWHY=",
+        "narHash": "sha256-zik7WISrR1ks2l6T1MZqZHb/OqroHdJnSnAehkE0kCk=",
        "owner": "hyprwm",
        "repo": "aquamarine",
-        "rev": "7cef49d261cbbe537e8cb662485e76d29ac4cbca",
+        "rev": "be166e11d86ba4186db93e10c54a141058bdce49",
        "type": "github"
      },
      "original": {
@@ -95,7 +125,9 @@
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
@@ -112,6 +144,68 @@
        "type": "github"
      }
    },
    "devshell": {
      "inputs": {
        "nixpkgs": [
          "agenix-rekey",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1728330715,
        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "devshell_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1741473158,
        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "devshell_3": {
      "inputs": {
        "nixpkgs": [
          "nix-topology",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1728330715,
        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@@ -119,11 +213,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750903843,
+        "lastModified": 1754971456,
-        "narHash": "sha256-Ng9+f0H5/dW+mq/XOKvB9uwvGbsuiiO6HrPdAcVglCs=",
+        "narHash": "sha256-p04ZnIBGzerSyiY2dNGmookCldhldWAu03y0s3P8CB0=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "83c4da299c1d7d300f8c6fd3a72ac46cb0d59aae",
+        "rev": "8246829f2e675a46919718f9a64b71afe3bfb22d",
        "type": "github"
      },
      "original": {
@@ -135,11 +229,11 @@
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1748383148,
+        "lastModified": 1754312136,
-        "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=",
+        "narHash": "sha256-9veVYpPCwKNjIK5gOigl5nEUN6tmrSHXUv4bVZkRuOE=",
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
-        "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf",
+        "rev": "6f173d0873dd33c5653dee89a831af3e49db3e36",
        "type": "github"
      },
      "original": {
@@ -167,11 +261,11 @@
    "flake-compat_2": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1747046372,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@@ -199,11 +293,11 @@
    "flake-compat_4": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1747046372,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@@ -213,6 +307,45 @@
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
          "agenix-rekey",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1733312601,
        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
        "lastModified": 1754487366,
        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": [
          "nixvim",
@@ -220,11 +353,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749398372,
+        "lastModified": 1754091436,
-        "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
+        "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
+        "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
        "type": "github"
      },
      "original": {
@@ -237,6 +370,24 @@
      "inputs": {
        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1726560853,
        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@@ -362,36 +513,15 @@
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1745494811,
+        "lastModified": 1753592768,
-        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "rev": "fc3add429f21450359369af74c2375cb34a2d204",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1750792728,
        "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557",
        "type": "github"
      },
      "original": {
@@ -417,11 +547,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749155331,
+        "lastModified": 1753964049,
-        "narHash": "sha256-XR9fsI0zwLiFWfqi/pdS/VD+YNorKb3XIykgTg4l1nA=",
+        "narHash": "sha256-lIqabfBY7z/OANxHoPeIrDJrFyYy9jAM4GQLzZ2feCM=",
        "owner": "hyprwm",
        "repo": "hyprcursor",
-        "rev": "45fcc10b4c282746d93ec406a740c43b48b4ef80",
+        "rev": "44e91d467bdad8dcf8bbd2ac7cf49972540980a5",
        "type": "github"
      },
      "original": {
@@ -446,11 +576,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750371717,
+        "lastModified": 1754305013,
-        "narHash": "sha256-cNP+bVq8m5x2Rl6MTjwfQLCdwbVmKvTH7yqVc1SpiJM=",
+        "narHash": "sha256-u+M2f0Xf1lVHzIPQ7DsNCDkM1NYxykOSsRr4t3TbSM4=",
        "owner": "hyprwm",
        "repo": "hyprgraphics",
-        "rev": "15c6f8f3a567fec9a0f732cd310a7ff456deef88",
+        "rev": "4c1d63a0f22135db123fc789f174b89544c6ec2d",
        "type": "github"
      },
      "original": {
@@ -469,17 +599,17 @@
        "hyprlang": "hyprlang",
        "hyprutils": "hyprutils",
        "hyprwayland-scanner": "hyprwayland-scanner",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs",
        "pre-commit-hooks": "pre-commit-hooks",
        "systems": "systems_3",
        "xdph": "xdph"
      },
      "locked": {
-        "lastModified": 1750848152,
+        "lastModified": 1755277479,
-        "narHash": "sha256-m7DxFbU9YgPxFlQ6iH6zDreXT3IfUVxZZAdkdvN9yz8=",
+        "narHash": "sha256-LrXtv1RIEds93j+OiSEvYFVX4fcGk2vrEzva19oxvco=",
        "owner": "hyprwm",
        "repo": "Hyprland",
-        "rev": "f4f090e4b2f9f0bba5408cbd135d2fff1990be1d",
+        "rev": "edc473e8b0c14e768445422080af9978d132bff6",
        "type": "github"
      },
      "original": {
@@ -505,11 +635,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750799801,
+        "lastModified": 1755183521,
-        "narHash": "sha256-Oqn6gHIVfgkzzuigwNk9UZbgKdyzAzU/JoywB6z1O+M=",
+        "narHash": "sha256-wrP8TM2lb2x0+PyTc7Uc3yfVBeIlYW7+hFeG14N9Cr8=",
        "owner": "hyprwm",
        "repo": "hyprland-plugins",
-        "rev": "c1fdf38bfcd716130ce022cf21a1fca7582482d1",
+        "rev": "c1ddebb423acc7c88653c04de5ddafee64dac89a",
        "type": "github"
      },
      "original": {
@@ -598,11 +728,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750371812,
+        "lastModified": 1753819801,
-        "narHash": "sha256-D868K1dVEACw17elVxRgXC6hOxY+54wIEjURztDWLk8=",
+        "narHash": "sha256-tHe6XeNeVeKapkNM3tcjW4RuD+tB2iwwoogWJOtsqTI=",
        "owner": "hyprwm",
        "repo": "hyprland-qtutils",
-        "rev": "b13c7481e37856f322177010bdf75fccacd1adc8",
+        "rev": "b308a818b9dcaa7ab8ccab891c1b84ebde2152bc",
        "type": "github"
      },
      "original": {
@@ -627,11 +757,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750371198,
+        "lastModified": 1753622892,
-        "narHash": "sha256-/iuJ1paQOBoSLqHflRNNGyroqfF/yvPNurxzcCT0cAE=",
+        "narHash": "sha256-0K+A+gmOI8IklSg5It1nyRNv0kCNL51duwnhUO/B8JA=",
        "owner": "hyprwm",
        "repo": "hyprlang",
-        "rev": "cee01452bca58d6cadb3224e21e370de8bc20f0b",
+        "rev": "23f0debd2003f17bd65f851cd3f930cff8a8c809",
        "type": "github"
      },
      "original": {
@@ -652,11 +782,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750371096,
+        "lastModified": 1754481650,
-        "narHash": "sha256-JB1IeJ41y7kWc/dPGV6RMcCUM0Xj2NEK26A2Ap7EM9c=",
+        "narHash": "sha256-6u6HdEFJh5gY6VfyMQbhP7zDdVcqOrCDTkbiHJmAtMI=",
        "owner": "hyprwm",
        "repo": "hyprutils",
-        "rev": "38f3a211657ce82a1123bf19402199b67a410f08",
+        "rev": "df6b8820c4a0835d83d0c7c7be86fbc555f1f7fd",
        "type": "github"
      },
      "original": {
@@ -677,11 +807,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750371869,
+        "lastModified": 1751897909,
-        "narHash": "sha256-lGk4gLjgZQ/rndUkzmPYcgbHr8gKU5u71vyrjnwfpB4=",
+        "narHash": "sha256-FnhBENxihITZldThvbO7883PdXC/2dzW4eiNvtoV5Ao=",
        "owner": "hyprwm",
        "repo": "hyprwayland-scanner",
-        "rev": "aa38edd6e3e277ae6a97ea83a69261a5c3aab9fd",
+        "rev": "fcca0c61f988a9d092cbb33e906775014c61579d",
        "type": "github"
      },
      "original": {
@@ -749,13 +879,38 @@
        "type": "github"
      }
    },
    "nix-topology": {
      "inputs": {
        "devshell": "devshell_3",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
        "pre-commit-hooks": [
          "pre-commit-hooks"
        ]
      },
      "locked": {
        "lastModified": 1752093877,
        "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=",
        "owner": "oddlama",
        "repo": "nix-topology",
        "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633",
        "type": "github"
      },
      "original": {
        "owner": "oddlama",
        "repo": "nix-topology",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1750837715,
+        "lastModified": 1754564048,
-        "narHash": "sha256-2m1ceZjbmgrJCZ2PuQZaK4in3gcg3o6rZ7WK6dr5vAA=",
+        "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "98236410ea0fe204d0447149537a924fb71a6d4f",
+        "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113",
        "type": "github"
      },
      "original": {
@@ -775,11 +930,11 @@
        "nixpkgs-25_05": "nixpkgs-25_05"
      },
      "locked": {
-        "lastModified": 1747965231,
+        "lastModified": 1755110674,
-        "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
+        "narHash": "sha256-PigqTAGkdBYXVFWsJnqcirrLeFqRFN4PFigLA8FzxeI=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "53007af63fade28853408370c4c600a63dd97f41",
+        "rev": "f5936247dbdb8501221978562ab0b302dd75456c",
        "type": "gitlab"
      },
      "original": {
@@ -791,11 +946,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1745391562,
+        "lastModified": 1754725699,
-        "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
+        "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
+        "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
        "type": "github"
      },
      "original": {
@@ -821,13 +976,28 @@
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
        "lastModified": 1753579242,
        "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1750776420,
+        "lastModified": 1755186698,
-        "narHash": "sha256-/CG+w0o0oJ5itVklOoLbdn2dGB0wbZVOoDm4np6w09A=",
+        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf",
+        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
        "type": "github"
      },
      "original": {
@@ -838,43 +1008,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1743014863,
+        "lastModified": 1755078291,
-        "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=",
+        "narHash": "sha256-Hu/gTDoi4uy6TAKISPHQusSMy8U6xUbLSDjKBYdhDIY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f",
+        "rev": "3385ca0cd7e14c1a1eb80401fe011705ff012323",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1750365781,
        "narHash": "sha256-XE/lFNhz5lsriMm/yjXkvSZz5DfvKJLUjsS6pP8EC50=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "08f22084e6085d19bcfb4be30d1ca76ecb96fe54",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1750838302,
        "narHash": "sha256-aVkL3/yu50oQzi2YuKo0ceiCypVZpZXYd2P2p1FMJM4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "7284e2decc982b81a296ab35aa46e804baaa1cfe",
        "type": "github"
      },
      "original": {
@@ -885,19 +1023,19 @@
    },
    "nixvim": {
      "inputs": {
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_3",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nuschtosSearch": "nuschtosSearch",
-        "systems": "systems_5"
+        "systems": "systems_6"
      },
      "locked": {
-        "lastModified": 1750512587,
+        "lastModified": 1754262585,
-        "narHash": "sha256-kZqTQEARUkkKDFhECd0MGU4wXCJcxCdh5WeM/yD6oI4=",
+        "narHash": "sha256-Yz5dJ0VzGRzSRHdHldsWQbuFYmtP3NWNreCvPfCi9CI=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "b04bcdcbba4aa648903e065ad1907a97d4f7aee9",
+        "rev": "ab1b5962e1ca90b42de47e1172e0d24ca80e6256",
        "type": "github"
      },
      "original": {
@@ -909,7 +1047,7 @@
    },
    "nuschtosSearch": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "ixx": "ixx",
        "nixpkgs": [
          "nixvim",
@@ -917,11 +1055,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749730855,
+        "lastModified": 1753771532,
-        "narHash": "sha256-L3x2nSlFkXkM6tQPLJP3oCBMIsRifhIDPMQQdHO5xWo=",
+        "narHash": "sha256-Pmpke0JtLRzgdlwDC5a+aiLVZ11JPUO5Bcqkj0nHE/k=",
        "owner": "NuschtOS",
        "repo": "search",
-        "rev": "8dfe5879dd009ff4742b668d9c699bc4b9761742",
+        "rev": "2a65adaf2c0c428efb0f4a2bc406aab466e96a06",
        "type": "github"
      },
      "original": {
@@ -940,11 +1078,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749636823,
+        "lastModified": 1754416808,
-        "narHash": "sha256-WUaIlOlPLyPgz9be7fqWJA5iG6rHcGRtLERSCfUDne4=",
+        "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "623c56286de5a3193aa38891a6991b28f9bab056",
+        "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
        "type": "github"
      },
      "original": {
@@ -962,11 +1100,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750779888,
+        "lastModified": 1754416808,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
        "type": "github"
      },
      "original": {
@@ -978,33 +1116,38 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
        "agenix-rekey": "agenix-rekey",
        "deploy-rs": "deploy-rs",
        "devshell": "devshell_2",
        "disko": "disko",
        "firefox-gnome-theme": "firefox-gnome-theme",
        "flake-parts": "flake-parts_2",
        "gitea-github-theme": "gitea-github-theme",
-        "home-manager": "home-manager_2",
+        "home-manager": "home-manager",
        "hyprland": "hyprland",
        "hyprland-plugins": "hyprland-plugins",
        "impermanence": "impermanence",
        "kvlibadwaita": "kvlibadwaita",
        "nix-topology": "nix-topology",
        "nixos-hardware": "nixos-hardware",
        "nixos-mailserver": "nixos-mailserver",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nixvim": "nixvim",
        "pre-commit-hooks": "pre-commit-hooks_2",
        "secrets": "secrets",
-        "thunderbird-gnome-theme": "thunderbird-gnome-theme"
+        "thunderbird-gnome-theme": "thunderbird-gnome-theme",
        "treefmt-nix": "treefmt-nix_2"
      }
    },
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1750611706,
+        "lastModified": 1753994653,
-        "narHash": "sha256-bKhQ+lAaNtfpTUR3fysCdbnMfYT5PJ4diiM9EkHMdHI=",
+        "narHash": "sha256-kVd17w6oo9dbZfgZXMMPEssspp8vAr32G5U8VnfuIFc=",
        "ref": "refs/heads/master",
-        "rev": "ae16fda90546dde6c014a4f91a5443bce4dce234",
+        "rev": "e0cb8c5b8de3f61fbef13c80219715f2e3e5ffb5",
-        "revCount": 34,
+        "revCount": 39,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
      },
@@ -1088,14 +1231,29 @@
        "type": "github"
      }
    },
    "systems_6": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "thunderbird-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1732643121,
+        "lastModified": 1754507270,
-        "narHash": "sha256-i0Uo5EN45rlGuR85hvPet43zW/thOQTwHypVg9shTHU=",
+        "narHash": "sha256-zADBsXqIkxy519sK/2mnZ/lcTQSA/3iXwdkXCVNqUVY=",
        "owner": "rafaelmardojai",
        "repo": "thunderbird-gnome-theme",
-        "rev": "1994e7ec0649053e2a0811973245758d41e33f5f",
+        "rev": "a9ee1a2c8a1dfce700250a4ce3ce7f88dff43300",
        "type": "github"
      },
      "original": {
@@ -1104,6 +1262,47 @@
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "agenix-rekey",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1735135567,
        "narHash": "sha256-8T3K5amndEavxnludPyfj3Z1IkcFdRpR23q+T0BVeZE=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "9e09d30a644c57257715902efbb3adc56c79cf28",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1754847726,
        "narHash": "sha256-2vX8QjO5lRsDbNYvN9hVHXLU6oMl+V/PsmIiJREG4rE=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "7d81f6fb2e19bf84f1c65135d1060d829fae2408",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "utils": {
      "inputs": {
        "systems": "systems_2"
@@ -1150,11 +1349,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750372504,
+        "lastModified": 1753633878,
-        "narHash": "sha256-VBeZb1oqZM1cqCAZnFz/WyYhO8aF/ImagI7WWg/Z3Og=",
+        "narHash": "sha256-js2sLRtsOUA/aT10OCDaTjO80yplqwOIaLUqEe0nMx0=",
        "owner": "hyprwm",
        "repo": "xdg-desktop-portal-hyprland",
-        "rev": "400308fc4f9d12e0a93e483c2e7a649e12af1a92",
+        "rev": "371b96bd11ad2006ed4f21229dbd1be69bed3e8a",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -2,166 +2,176 @@
  description = "NixOS system configuration";
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-25.05";
+    agenix = {
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+      url = "github:ryantm/agenix";
-    # nixpkgs-master.url = "nixpkgs";
+      inputs.home-manager.follows = "nixpkgs";
-    agenix.url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
-    deploy-rs.url = "github:serokell/deploy-rs";
+    };
    agenix-rekey = {
      url = "github:oddlama/agenix-rekey";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.pre-commit-hooks.follows = "pre-commit-hooks";
    };
    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    devshell = {
      url = "github:numtide/devshell";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager = {
      url = "github:nix-community/home-manager/release-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    hyprland.url = "github:hyprwm/Hyprland";
    hyprland-plugins = {
      url = "github:hyprwm/hyprland-plugins";
      inputs.hyprland.follows = "hyprland";
    };
    firefox-gnome-theme = {
      url = "github:rafaelmardojai/firefox-gnome-theme";
      flake = false;
    };
    flake-parts.url = "github:hercules-ci/flake-parts";
    gitea-github-theme = {
      url = "git+ssh://git@git.vimium.com/jordan/gitea-github-theme.git?ref=main";
      flake = false;
    };
    impermanence.url = "github:nix-community/impermanence";
    kvlibadwaita = {
      url = "github:GabePoel/KvLibadwaita";
      flake = false;
    };
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    nixos-mailserver = {
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgs.url = "nixpkgs/nixos-25.05";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
    # nixpkgs-master.url = "nixpkgs";
    nixvim = {
      url = "github:nix-community/nixvim/nixos-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-topology = {
      url = "github:oddlama/nix-topology";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.pre-commit-hooks.follows = "pre-commit-hooks";
    };
    pre-commit-hooks = {
      url = "github:cachix/git-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    secrets = {
      url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";
      flake = false;
    };
    thunderbird-gnome-theme = {
      url = "github:rafaelmardojai/thunderbird-gnome-theme";
      flake = false;
    };
    treefmt-nix = {
      url = "github:numtide/treefmt-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs =
-    inputs@{ self, nixpkgs, ... }:
+    inputs@{
-    let
+      nixpkgs,
-      inherit (nixpkgs) lib;
+      flake-parts,
-
+      ...
-      domain = "mesh.vimium.net";
+    }:
-      forEachSystem = lib.genAttrs [
+    flake-parts.lib.mkFlake { inherit inputs; } {
-        "x86_64-linux"
+      imports = [
-        "aarch64-linux"
+        inputs.agenix-rekey.flakeModule
        inputs.pre-commit-hooks.flakeModule
        inputs.nix-topology.flakeModule
        inputs.treefmt-nix.flakeModule
        ./nix/devshell.nix
        ./nix/hosts.nix
      ];
      mkDeployNode = hostName: {
        hostname = "${hostName}.${domain}";
-        profiles.system = {
+      flake = {
-          user = "root";
+        overlays = nixpkgs.lib.packagesFromDirectoryRecursive {
-          path =
+          callPackage = path: overrides: import path;
-            inputs.deploy-rs.lib.${
+          directory = ./overlays;
              self.nixosConfigurations.${hostName}.config.system.build.toplevel.system
            }.activate.nixos
              self.nixosConfigurations.${hostName};
        };
      };
    in
    {
      overlays = lib.packagesFromDirectoryRecursive {
        callPackage = path: overrides: import path;
        directory = ./overlays;
      };
-      legacyPackages = forEachSystem (
+      systems = [
-        system:
+        "aarch64-linux"
-        lib.packagesFromDirectoryRecursive {
+        "x86_64-linux"
          callPackage = nixpkgs.legacyPackages.${system}.callPackage;
          directory = ./pkgs;
        }
      );
      nixosConfigurations = lib.pipe ./hosts [
        builtins.readDir
        (lib.filterAttrs (name: value: value == "directory"))
        (lib.mapAttrs (
          name: value:
          lib.nixosSystem {
            specialArgs = { inherit inputs; };
            modules = [
              {
                networking = {
                  inherit domain;
                  hostName = name;
                };
              }
              ./hosts/${name}
            ];
          }
        ))
      ];
-      checks =
+      perSystem =
-        builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib
+        { pkgs, ... }:
-        // (forEachSystem (system: {
+        {
-          pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
+          formatter = pkgs.nixfmt-rfc-style;
-            src = ./.;
+
-            hooks = {
+          legacyPackages = pkgs.lib.packagesFromDirectoryRecursive {
-              check-case-conflicts.enable = true;
+            callPackage = pkgs.callPackage;
-              check-executables-have-shebangs.enable = true;
+            directory = ./pkgs;
-              check-merge-conflicts.enable = true;
+          };
          pre-commit = {
            settings = {
              excludes = [ "pkgs/libcamera-rpi/libcamera-rpi-ipa-priv-key.pem" ];
              hooks = {
                check-case-conflicts.enable = true;
                check-executables-have-shebangs.enable = true;
                check-merge-conflicts.enable = true;
                detect-private-keys.enable = true;
                end-of-file-fixer.enable = true;
                fix-byte-order-marker.enable = true;
                mixed-line-endings.enable = true;
                treefmt.enable = true;
                trim-trailing-whitespace.enable = true;
              };
            };
          };
          treefmt = {
            projectRootFile = "flake.nix";
            programs = {
              deadnix = {
                enable = true;
-                settings = {
+                no-lambda-arg = true;
                  noLambdaArg = true;
                };
              };
-              detect-private-keys.enable = true;
+              mdformat.enable = true;
              end-of-file-fixer.enable = true;
              fix-byte-order-marker.enable = true;
              mixed-line-endings.enable = true;
              nixfmt-rfc-style.enable = true;
-              trim-trailing-whitespace.enable = true;
+              shellcheck.enable = true;
            };
            excludes = [ "pkgs/libcamera-rpi/libcamera-rpi-ipa-priv-key.pem" ];
          };
        }));
      formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
      devShells = forEachSystem (system: {
        default = nixpkgs.legacyPackages.${system}.mkShell {
          inherit (self.checks.${system}.pre-commit-check) shellHook;
          buildInputs = [
            inputs.agenix.packages.${system}.agenix
            inputs.deploy-rs.packages.${system}.deploy-rs
          ] ++ self.checks.${system}.pre-commit-check.enabledPackages;
        };
      });
      deploy = {
        magicRollback = true;
        autoRollback = true;
        sshUser = "root";
        nodes = lib.genAttrs [
          "mail"
          "pi"
          "skycam"
          "vps1"
        ] mkDeployNode;
      };
    };
 }
--- a/hosts/artemis/README.md
+++ b/hosts/artemis/README.md
@@ -0,0 +1,41 @@
 # Artemis
 ## Overview
 Couch gaming PC and media centre
 ## Specs
 - CPU - AMD Ryzen 7 9800X3D @ 4.70GHz
 - Chipset - AMD B850
 - Memory - 64 GB DDR5
 - Motherboard - ASUS ROG STRIX B850-I Gaming WiFi
 - GPU - AMD Radeon 7900 XTX
 - Case - MCPRUE Apollo S v4
 ### Disks
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 WD Black SN850X | `/dev/nvme0n1p1` (EFI, 500 MiB, NixOS Boot) <br> `/dev/nvme0n1p2` (ZFS, 4 TiB, NixOS Root)
 #### ZFS pool layout
 ```
 rpool/
 ├── local
 │   ├── nix
 │   └── tmp
 ├── system
 │   ├── root
 │   └── var
 └── user
    └── home
 ```
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `artemis.mesh.vimium.net`.
--- a/hosts/artemis/default.nix
+++ b/hosts/artemis/default.nix
@@ -0,0 +1,103 @@
 {
  inputs,
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib)
    getExe
    mkForce
    ;
 in
 {
  imports = [
    inputs.disko.nixosModules.disko
    ./hardware-configuration.nix
    ./disko-config.nix
    ../desktop.nix
  ];
  nixpkgs = {
    hostPlatform = "x86_64-linux";
  };
  boot.loader = {
    systemd-boot = {
      enable = true;
      graceful = true;
    };
    efi.canTouchEfiVariables = true;
  };
  networking = {
    hostId = "4f9a2b7e";
    networkmanager.enable = mkForce false;
  };
  services.openssh.settings.PermitRootLogin = mkForce "prohibit-password";
  users = {
    users = {
      root = {
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
        ];
      };
    };
  };
  services.earlyoom = {
    enable = true;
    extraArgs = [
      "-M"
      "409600,307200"
    ]
    ++ (
      if config.swapDevices.zramSwap.enable or false then
        [
          "-S"
          "409600,307200"
        ]
      else
        [ ]
    );
  };
  services.sunshine = {
    enable = false;
    package = pkgs.unstable.sunshine;
    capSysAdmin = true;
  };
  environment = {
    systemPackages = [ pkgs.wine ];
    sessionVariables.WINE_BIN = getExe pkgs.wine;
  };
  modules = {
    services = {
      borgmatic = {
        enable = true;
        directories = [
          "/home/jordan/Documents"
        ];
        repoPath = "ssh://neafzrj7@neafzrj7.repo.borgbase.com/./repo";
      };
    };
    system = {
      wireless = {
        enable = true;
        interfaces = [ "wlp11s0" ];
      };
      desktop = {
        gnome.enable = lib.mkForce false;
        hyprland.enable = true;
      };
    };
  };
  system.stateVersion = "25.05";
 }
--- a/hosts/artemis/disko-config.nix
+++ b/hosts/artemis/disko-config.nix
@@ -0,0 +1,118 @@
 { ... }:
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_25115L4A0708";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "rpool";
              };
            };
          };
        };
      };
    };
    zpool = {
      rpool = {
        type = "zpool";
        options = {
          ashift = "12";
        };
        rootFsOptions = {
          canmount = "off";
          mountpoint = "none";
          dnodesize = "auto";
          xattr = "sa";
        };
        postCreateHook = "zfs snapshot rpool@blank";
        datasets = {
          local = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
            };
          };
          "local/nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
            options = {
              atime = "off";
              mountpoint = "legacy";
            };
          };
          "local/tmp" = {
            type = "zfs_fs";
            mountpoint = "/tmp";
            options = {
              setuid = "off";
              devices = "off";
              mountpoint = "legacy";
            };
          };
          system = {
            type = "zfs_fs";
            mountpoint = "/";
            options = {
              mountpoint = "legacy";
            };
          };
          "system/var" = {
            type = "zfs_fs";
            mountpoint = "/var";
            options = {
              mountpoint = "legacy";
            };
          };
          "system/var/tmp" = {
            type = "zfs_fs";
            mountpoint = "/var/tmp";
            options = {
              devices = "off";
              mountpoint = "legacy";
            };
          };
          "system/var/log" = {
            type = "zfs_fs";
            mountpoint = "/var/log";
            options = {
              compression = "on";
              acltype = "posix";
              mountpoint = "legacy";
            };
          };
          user = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
            };
          };
          "user/home" = {
            type = "zfs_fs";
            mountpoint = "/home";
            options = {
              setuid = "off";
              devices = "off";
              mountpoint = "legacy";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/artemis/hardware-configuration.nix
+++ b/hosts/artemis/hardware-configuration.nix
@@ -0,0 +1,121 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 let
  inherit (lib)
    getExe
    mkDefault
    mkOverride
    ;
 in
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  # Inspired by: https://github.com/Jovian-Experiments/Jovian-NixOS
  boot = {
    binfmt.registrations."DOSWin" = {
      wrapInterpreterInShell = false;
      interpreter = getExe pkgs.wine;
      recognitionType = "magic";
      offset = 0;
      magicOrExtension = "MZ";
    };
    initrd = {
      availableKernelModules = [
        "xhci_pci"
        "ehci_pci"
        "nvme"
        "usbhid"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [
        "amdgpu"
      ];
      supportedFilesystems = [ "zfs" ];
    };
    kernel.sysctl = {
      "kernel.sched_cfs_bandwidth_slice_u" = mkDefault 3000;
      "kernel.sched_latency_ns" = mkDefault 3000000;
      "kernel.sched_min_granularity_ns" = mkDefault 300000;
      "kernel.sched_wakeup_granularity_ns" = mkDefault 500000;
      "kernel.sched_migration_cost_ns" = mkDefault 50000;
      "kernel.sched_nr_migrate" = mkDefault 128;
      "kernel.split_lock_mitigate" = mkDefault 0;
      "net.ipv4.tcp_mtu_probing" = true;
      "net.ipv4.tcp_fin_timeout" = mkDefault 5;
      "vm.max_map_count" = mkOverride 999 2147483642;
    };
    kernelModules = [
      "hid_nintendo"
      "hid_playstation"
      "kvm-amd"
      "ntsync"
    ];
    kernelParams = [
      "log_buf_len=4M"
      "amdgpu.lockup_timeout=5000,10000,10000,5000"
      "ttm.pages_min=2097152"
      "amdgpu.sched_hw_submission=4"
      "audit=0"
    ];
    kernelPackages = pkgs.linuxPackages_6_15;
    supportedFilesystems = [ "ntfs" ];
  };
  hardware = {
    bluetooth = {
      enable = true;
      powerOnBoot = true;
      settings = {
        General = {
          MultiProfile = "multiple";
          FastConnectable = true;
          # enable experimental LL privacy, experimental offload codecs
          KernelExperimental = "15c0a148-c273-11ea-b3de-0242ac130004";
        };
        LE = {
          ScanIntervalSuspend = 2240;
          ScanWindowSuspend = 224;
        };
      };
    };
    graphics = {
      enable32Bit = true;
      extraPackages = [
        pkgs.gamescope-wsi
        pkgs.vk-hdr-layer
      ];
      extraPackages32 = [ pkgs.pkgsi686Linux.gamescope-wsi ];
    };
    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    enableRedistributableFirmware = true;
  };
  powerManagement.cpuFreqGovernor = "schedutil";
  services.udev.packages = [
    (pkgs.writeTextFile {
      name = "ntsync-udev-rules";
      text = ''KERNEL=="ntsync", MODE="0660", TAG+="uaccess"'';
      destination = "/etc/udev/rules.d/70-ntsync.rules";
    })
  ];
  services.pulseaudio.enable = false;
  services.xserver.videoDrivers = [ "amdgpu" ];
  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/atlas/README.md
+++ b/hosts/atlas/README.md
@@ -1,24 +1,28 @@
 # Atlas
 ## Overview
 A general purpose mini computer used for web browsing and multimedia.
 ## Specs
-* CPU - Intel Core i7-4790K @ 4.00GHz
+
-* Chipset - Intel Z97
+- CPU - Intel Core i7-4790K @ 4.00GHz
-* Memory - 8 GB DDR3
+- Chipset - Intel Z97
-* Motherboard - ASRock Z97M-ITX
+- Memory - 8 GB DDR3
-* GPU - AMD Radeon R9 290X 4GB
+- Motherboard - ASRock Z97M-ITX
-* Case - SilverStone Sugo SG13
+- GPU - AMD Radeon R9 290X 4GB
-* NIC - Intel Gigabit I218-V, Broadcom BCM4360 802.11ac
+- Case - SilverStone Sugo SG13
 - NIC - Intel Gigabit I218-V, Broadcom BCM4360 802.11ac
 ### Disks
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 Samsung SSD 850 | `/dev/sda1` (NTFS, 500 GiB, Windows XP)
 Samsung SSD 850 | `/dev/sdb1` (EFI, 500 MiB, NixOS Boot) <br> `/dev/sdb2` (ZFS, 500 GiB, NixOS Root)
 #### ZFS pool layout
 ```
 rpool/
 ├── local
@@ -34,5 +38,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `atlas.mesh.vimium.net`.
--- a/hosts/eos/README.md
+++ b/hosts/eos/README.md
@@ -1,18 +1,22 @@
 # Eos
 ## Overview
 ThinkPad X220 laptop.
 ## Specs
-* CPU - Intel Core i5-2520M @ 3.20GHz
+
-* Memory - 8 GB DDR3
+- CPU - Intel Core i5-2520M @ 3.20GHz
 - Memory - 8 GB DDR3
 ### Disks
 Device | Partitions _(filesystem, usage)_
 --- | ---
 Solid | `/dev/sda1` (EFI, NixOS Boot) <br> `/dev/sda2` (ZFS, NixOS Root)
 #### ZFS pool layout
 ```
 rpool/
 ├── local
@@ -28,5 +32,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `eos.mesh.vimium.net`.
--- a/hosts/helios/README.md
+++ b/hosts/helios/README.md
@@ -1,16 +1,19 @@
 # Helios
 ## Overview
 Dell OptiPlex 980 small form factor desktop.
 ## Specs
-* CPU - Intel Core i7-860 @ 2.8GHz
+
-* Chipset - Intel Q57 Express
+- CPU - Intel Core i7-860 @ 2.8GHz
-* Memory - 8 GB DDR2
+- Chipset - Intel Q57 Express
-* GPU - AMD FirePro 2460
+- Memory - 8 GB DDR2
-* NIC - Intel Gigabit 82578DM
+- GPU - AMD FirePro 2460
 - NIC - Intel Gigabit 82578DM
 ### Disks
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 SanDisk Ultra II | `/dev/sda1` (ext2, 200 MiB, NixOS Boot) <br> `/dev/sda2` (ZFS, 480 GiB, NixOS Root)
@@ -19,6 +22,7 @@ SanDisk Ultra II | `/dev/sda1` (ext2, 200 MiB, NixOS Boot) <br> `/dev/sda2` (ZFS
 > an MBR partition table.
 #### ZFS pool layout
 ```
 rpool/
 ├── local
@@ -34,5 +38,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.
 ### Networks
 - DHCP on `192.168.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `helios.mesh.vimium.net`.
--- a/hosts/hypnos/README.md
+++ b/hosts/hypnos/README.md
@@ -1,21 +1,25 @@
 # Hypnos
 ## Overview
 15-inch MacBook Pro 11,3 (Mid 2014).
 ## Specs
-* CPU - Intel Core i7-4870HQ @ 2.50GHz
+
-* Memory - 16 GB DDR3
+- CPU - Intel Core i7-4870HQ @ 2.50GHz
-* GPU - Intel Iris Pro 5200
+- Memory - 16 GB DDR3
-* GPU - NVIDIA GeForce GT 750M
+- GPU - Intel Iris Pro 5200
-* NIC - Broadcom BCM43xx 802.11ac
+- GPU - NVIDIA GeForce GT 750M
 - NIC - Broadcom BCM43xx 802.11ac
 ### Disks
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 Apple SSD SM0512F | `/dev/sda1` (EFI, 256 MiB, NixOS Boot) <br> `/dev/sda2` (ZFS, 500 GiB, NixOS Root)
 #### ZFS pool layout
 ```
 rpool/
 ├── local
@@ -31,5 +35,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `hypnos.mesh.vimium.net`.
--- a/hosts/library/README.md
+++ b/hosts/library/README.md
@@ -1,21 +1,25 @@
 # Library
 ## Overview
 Media and public file server.
 ## Specs
-* CPU - AMD Ryzen 5 5600G @ 3.90GHz
+
-* Chipset - AMD B550
+- CPU - AMD Ryzen 5 5600G @ 3.90GHz
-* Memory - 64 GB DDR4
+- Chipset - AMD B550
-* Motherboard - ASRock B550M Pro4
+- Memory - 64 GB DDR4
-* Case - JMCD-12S4
+- Motherboard - ASRock B550M Pro4
 - Case - JMCD-12S4
 ### Disks
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 Samsung 970 Evo Plus | `/dev/nvme0n1p1` (EFI, 512 MiB, NixOS Boot) <br> `/dev/nvme0n1p2` (ZFS `rpool`, 200 GiB, NixOS Root)
 #### ZFS datasets
 ```
 rpool/
 ├── local
@@ -41,5 +45,6 @@ library/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind the `rpool` datasets.
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `library.mesh.vimium.net`.
--- a/hosts/library/ai.nix
+++ b/hosts/library/ai.nix
@@ -26,6 +26,7 @@
        ENABLE_OAUTH_ROLE_MANAGEMENT = "True";
        OAUTH_CLIENT_ID = clientId;
        OAUTH_PROVIDER_NAME = "Vimium";
        OFFLINE_MODE = "True";
        OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration";
        OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback";
      };
--- a/hosts/library/nginx.nix
+++ b/hosts/library/nginx.nix
@@ -42,16 +42,14 @@
          ];
          locations."/" = {
            proxyPass = "http://localhost:8081";
-            extraConfig =
+            extraConfig = proxyConfig + ''
-              proxyConfig
+              # Disable proxy buffering for better streaming response from models
-              + ''
+              proxy_buffering off;
                # Disable proxy buffering for better streaming response from models
                proxy_buffering off;
-                # Increase max request size for large attachments and long audio messages
+              # Increase max request size for large attachments and long audio messages
-                client_max_body_size 20M;
+              client_max_body_size 20M;
-                proxy_read_timeout 10m;
+              proxy_read_timeout 10m;
-              '';
+            '';
          };
        };
        "jellyfin.vimium.com" = {
@@ -63,21 +61,20 @@
            }
          ];
          locations."/" = {
-            extraConfig =
+            extraConfig = ''
-              ''
+              # Proxy JellySearch first
-                # Proxy JellySearch first
+              if ($arg_searchTerm) {
-                if ($arg_searchTerm) {
+                proxy_pass http://localhost:5000;
-                  proxy_pass http://localhost:5000;
+                break;
-                  break;
+              }
                }
-                proxy_pass http://localhost:8096;
+              proxy_pass http://localhost:8096;
-              ''
+            ''
-              + proxyConfig
+            + proxyConfig
-              + ''
+            + ''
-                proxy_set_header Range $http_range;
+              proxy_set_header Range $http_range;
-                proxy_set_header If-Range $http_if_range;
+              proxy_set_header If-Range $http_if_range;
-              '';
+            '';
          };
          locations."/metrics" = {
            return = "404";
--- a/hosts/mail/README.md
+++ b/hosts/mail/README.md
@@ -1,17 +1,21 @@
 # Mail server
 ## Overview
 Mail server hosted in OVH.
 ## Specs
-* CPU - ??
+
-* Memory - ??
+- CPU - ??
 - Memory - ??
 ### Disks
 Device | Partitions _(filesystem, usage)_
 --- | ---
 NVMe | `/dev/sda1` (ext4, NixOS Root)
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `mail.mesh.vimium.net`.
--- a/hosts/odyssey/README.md
+++ b/hosts/odyssey/README.md
@@ -1,22 +1,26 @@
 # Odyssey
 ## Overview
 Primary workstation.
 ## Specs
-* CPU - AMD Ryzen 9 9950X3D @ 4.30GHz
+
-* Chipset - AMD X870E
+- CPU - AMD Ryzen 9 9950X3D @ 4.30GHz
-* Memory - 96 GB DDR5
+- Chipset - AMD X870E
-* Motherboard - ASUS ProArt X870E-Creator WiFi
+- Memory - 96 GB DDR5
-* GPU - NVIDIA RTX 3090
+- Motherboard - ASUS ProArt X870E-Creator WiFi
-* Case - Thermaltake A500
+- GPU - NVIDIA RTX 3090
 - Case - Thermaltake A500
 ### Disks
 Device | Partitions _(filesystem, size, usage)_
 --- | ---
 Samsung 980 Pro | `/dev/nvme0n1p1` (EFI, 512 MiB, NixOS Boot) <br> `/dev/nvme0n1p2` (ZFS, 2 TiB, NixOS Root)
 #### ZFS pool layout
 ```
 rpool/
 ├── local
@@ -32,5 +36,6 @@ rpool/
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `odyssey.mesh.vimium.net`.
--- a/hosts/odyssey/default.nix
+++ b/hosts/odyssey/default.nix
@@ -39,7 +39,8 @@
  virtualisation = {
    libvirtd.enable = true;
-    lxd.enable = true;
+    # https://github.com/NixOS/nixpkgs/issues/422385
    # lxd.enable = true;
  };
  services.sunshine = {
--- a/hosts/odyssey/hardware-configuration.nix
+++ b/hosts/odyssey/hardware-configuration.nix
@@ -34,6 +34,9 @@
      powerOnBoot = true;
    };
    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    graphics = {
      extraPackages = [ pkgs.vk-hdr-layer ];
    };
    nvidia = {
      modesetting.enable = true;
      open = true;
--- a/hosts/pi/README.md
+++ b/hosts/pi/README.md
@@ -1,19 +1,23 @@
 # Pi
 ## Overview
 Raspberry Pi 4
 ## Specs
-* SoC - Broadcom BCM2711
+
-* CPU - ARM Cortex-A72 @ 1.8 GHz
+- SoC - Broadcom BCM2711
-* Memory - 8 GB LPDDR4
+- CPU - ARM Cortex-A72 @ 1.8 GHz
 - Memory - 8 GB LPDDR4
 ### Disks
 Device | Partitions _(filesystem, usage)_
 --- | ---
 SD card | `/dev/mmcblk0` (ext4, NixOS Root)
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `pi.mesh.vimium.net`.
--- a/hosts/skycam/README.md
+++ b/hosts/skycam/README.md
@@ -1,26 +1,32 @@
 # Skycam
 ## Overview
 Raspberry Pi 4-based webcam
 ## Specs
-* SoC - Broadcom BCM2711
+
-* CPU - ARM Cortex-A72 @ 1.8 GHz
+- SoC - Broadcom BCM2711
-* Memory - 8 GB LPDDR4
+- CPU - ARM Cortex-A72 @ 1.8 GHz
 - Memory - 8 GB LPDDR4
 ### Disks
 Device | Partitions _(filesystem, usage)_
 --- | ---
 SD card | `/dev/mmcblk0` (ext4, NixOS Root)
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `skycam.mesh.vimium.net`.
 ## Devices and connections
 - Camera Module 3 with wide-angle lens
 ## Building
 To generate a compressed SD card image for Skycam, run:
 `nix build '.#nixosConfigurations.skycam.config.system.build.sdImage'`
--- a/hosts/skycam/default.nix
+++ b/hosts/skycam/default.nix
@@ -28,7 +28,7 @@
      enable = true;
      settings = {
        log.level = "debug";
-        streams.rpicam = "exec:${rpicam-vid} -v1 -t0 -o- --inline --width=4608 --height=2592 --framerate=14 --codec mjpeg --quality 90 --denoise=cdn_off --sharpness 1.25 --exposure long --gain 3";
+        streams.rpicam = "exec:${rpicam-vid} -v1 -t0 -o- --inline --flush=1 --width=4608 --height=2592 --framerate=1 --codec mjpeg --quality 90 --denoise=cdn_off --sharpness 1.25 --exposure long --gain 3";
      };
    };
--- a/hosts/vps1/README.md
+++ b/hosts/vps1/README.md
@@ -1,17 +1,21 @@
 # vps1
 ## Overview
 VPS hosted in OVH.
 ## Specs
-* CPU - ??
+
-* Memory - ??
+- CPU - ??
 - Memory - ??
 ### Disks
 Device | Partitions _(filesystem, usage)_
 --- | ---
 NVMe | `/dev/sda1` (ext4, NixOS Root)
 ### Networks
 - DHCP on `10.0.1.0/24` subnet.
 - Tailscale on `100.64.0.0/10` subnet. FQDN: `vps1.mesh.vimium.net`.
--- a/hosts/vps1/coturn.nix
+++ b/hosts/vps1/coturn.nix
@@ -40,26 +40,25 @@ in
    };
  };
-  age.secrets =
+  age.secrets = {
-    {
+    "passwords/services/coturn/static-auth-secret" = {
-      "passwords/services/coturn/static-auth-secret" = {
+      file = "${inputs.secrets}/passwords/services/coturn/static-auth-secret.age";
-        file = "${inputs.secrets}/passwords/services/coturn/static-auth-secret.age";
+      owner = "turnserver";
-        owner = "turnserver";
+      group = "turnserver";
-        group = "turnserver";
+    };
-      };
+  }
-    }
+  // (
-    // (
+    if matrixIntegration then
-      if matrixIntegration then
+      {
-        {
+        "passwords/services/coturn/matrix-turn-config.yml" = {
-          "passwords/services/coturn/matrix-turn-config.yml" = {
+          file = "${inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age";
-            file = "${inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age";
+          owner = "matrix-synapse";
-            owner = "matrix-synapse";
+          group = "matrix-synapse";
-            group = "matrix-synapse";
+        };
-          };
+      }
-        }
+    else
-      else
+      { }
-        { }
+  );
    );
  services.coturn = {
    enable = true;
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -11,7 +11,6 @@
    ./kanidm.nix
    ./matrix.nix
    ./nginx.nix
    ./outline.nix
    ./photoprism.nix
    ../server.nix
  ];
--- a/hosts/vps1/matrix.nix
+++ b/hosts/vps1/matrix.nix
@@ -63,96 +63,95 @@ in
    };
  };
-  services.nginx.virtualHosts =
+  services.nginx.virtualHosts = {
-    {
+    "${matrixSubdomain}" = {
-      "${matrixSubdomain}" = {
+      forceSSL = true;
-        forceSSL = true;
+      enableACME = true;
-        enableACME = true;
+      listen = [
-        listen = [
+        {
-          {
+          addr = "0.0.0.0";
-            addr = "0.0.0.0";
+          port = 443;
-            port = 443;
+          ssl = true;
-            ssl = true;
+        }
-          }
+        {
-          {
+          addr = "0.0.0.0";
-            addr = "0.0.0.0";
+          port = 80;
-            port = 80;
+        }
-          }
+        {
-          {
+          addr = "0.0.0.0";
-            addr = "0.0.0.0";
+          port = 8448;
-            port = 8448;
+          ssl = true;
-            ssl = true;
+        }
-          }
+        {
-          {
+          addr = "[::1]";
-            addr = "[::1]";
+          port = 443;
-            port = 443;
+          ssl = true;
-            ssl = true;
+        }
-          }
+        {
-          {
+          addr = "[::1]";
-            addr = "[::1]";
+          port = 80;
-            port = 80;
+        }
-          }
+        {
-          {
+          addr = "[::1]";
-            addr = "[::1]";
+          port = 8448;
-            port = 8448;
+          ssl = true;
-            ssl = true;
+        }
-          }
+      ];
-        ];
+      locations = {
-        locations = {
+        "/" = {
-          "/" = {
+          proxyPass = "http://localhost:8008";
-            proxyPass = "http://localhost:8008";
+          extraConfig = ''
-            extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header X-Forwarded-For $remote_addr;
            '';
          };
          "/_matrix" = {
            proxyPass = "http://localhost:8008";
            extraConfig = ''
              proxy_set_header X-Forwarded-For $remote_addr;
              client_max_body_size 50M;
            '';
          };
          "/_synapse/client".proxyPass = "http://localhost:8008";
        };
      };
      "${serverName}" =
        let
          mkWellKnown = data: ''
            more_set_headers 'Content-Type: application/json';
            return 200 '${builtins.toJSON data}';
          '';
        in
        {
          locations."= /.well-known/matrix/server".extraConfig = (mkWellKnown matrixServerConfig);
          locations."= /.well-known/matrix/client".extraConfig = (mkWellKnown matrixClientConfig);
        };
-    }
+        "/_matrix" = {
-    // (
+          proxyPass = "http://localhost:8008";
-      if useElement then
+          extraConfig = ''
-        {
+            proxy_set_header X-Forwarded-For $remote_addr;
-          "${elementSubdomain}" = {
+            client_max_body_size 50M;
-            forceSSL = true;
+          '';
-            enableACME = true;
+        };
-            root = pkgs.unstable.element-web.override {
+        "/_synapse/client".proxyPass = "http://localhost:8008";
-              conf = {
+      };
-                default_server_config = matrixClientConfig;
+    };
-                brand = "Vimium Chat";
+    "${serverName}" =
-                branding = {
+      let
-                  auth_header_logo_url = "https://vimium.com/images/logo.svg";
+        mkWellKnown = data: ''
-                  auth_footer_links = [
+          more_set_headers 'Content-Type: application/json';
-                    {
+          return 200 '${builtins.toJSON data}';
-                      "text" = "Vimium.com";
+        '';
-                      "url" = "https://vimium.com";
+      in
-                    }
+      {
-                  ];
+        locations."= /.well-known/matrix/server".extraConfig = (mkWellKnown matrixServerConfig);
-                };
+        locations."= /.well-known/matrix/client".extraConfig = (mkWellKnown matrixClientConfig);
      };
  }
  // (
    if useElement then
      {
        "${elementSubdomain}" = {
          forceSSL = true;
          enableACME = true;
          root = pkgs.unstable.element-web.override {
            conf = {
              default_server_config = matrixClientConfig;
              brand = "Vimium Chat";
              branding = {
                auth_header_logo_url = "https://vimium.com/images/logo.svg";
                auth_footer_links = [
                  {
                    "text" = "Vimium.com";
                    "url" = "https://vimium.com";
                  }
                ];
              };
            };
          };
-        }
+        };
-      else
+      }
-        { }
+    else
-    );
+      { }
  );
  nixpkgs.config.permittedInsecurePackages = [
    "jitsi-meet-1.0.8043"
@@ -176,27 +175,25 @@ in
  );
  services.postgresql = lib.mkIf usePostgresql {
-    ensureUsers =
+    ensureUsers = [
-      [
+      {
-        {
+        name = "matrix-synapse";
          name = "matrix-synapse";
          ensureDBOwnership = true;
        }
      ]
      ++ (lib.optional bridges.signal {
        name = "mautrix-signal";
        ensureDBOwnership = true;
-      })
+      }
-      ++ (lib.optional bridges.whatsapp {
+    ]
-        name = "mautrix-whatsapp";
+    ++ (lib.optional bridges.signal {
-        ensureDBOwnership = true;
+      name = "mautrix-signal";
-      });
+      ensureDBOwnership = true;
-    ensureDatabases =
+    })
-      [
+    ++ (lib.optional bridges.whatsapp {
-        "matrix-synapse"
+      name = "mautrix-whatsapp";
-      ]
+      ensureDBOwnership = true;
-      ++ (lib.optional bridges.signal "mautrix-signal")
+    });
-      ++ (lib.optional bridges.whatsapp "mautrix-whatsapp");
+    ensureDatabases = [
      "matrix-synapse"
    ]
    ++ (lib.optional bridges.signal "mautrix-signal")
    ++ (lib.optional bridges.whatsapp "mautrix-whatsapp");
  };
  services.mautrix-signal = lib.mkIf bridges.signal {
@@ -216,6 +213,7 @@ in
        };
        mute_bridging = true;
      };
-    } // commonBridgeSettings "mautrix-whatsapp";
+    }
    // commonBridgeSettings "mautrix-whatsapp";
  };
 }
--- a/hosts/vps1/nginx.nix
+++ b/hosts/vps1/nginx.nix
@@ -82,126 +82,125 @@ in
        maxSize = "100m";
      };
    };
-    virtualHosts =
+    virtualHosts = {
-      {
+      ## Static sites
-        ## Static sites
+      "chat.ai.vimium.com" = {
-        "chat.ai.vimium.com" = {
+        forceSSL = true;
-          forceSSL = true;
+        enableACME = true;
-          enableACME = true;
+        extraConfig = nginxErrorPages + nginxEdgeHeaders;
-          extraConfig = nginxErrorPages + nginxEdgeHeaders;
+        locations."/" = {
-          locations."/" = {
+          proxyPass = "http://localhost:8001";
            proxyPass = "http://localhost:8001";
            extraConfig = ''
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              # Disable proxy buffering for better streaming response from models
              proxy_buffering off;
              # Increase max request size for large attachments and long audio messages
              client_max_body_size 20M;
              proxy_read_timeout 10m;
            '';
          };
        };
        "jellyfin.vimium.com" = {
          forceSSL = true;
          enableACME = true;
          extraConfig = nginxErrorPages + nginxEdgeHeaders;
          locations."/" = {
            proxyPass = "http://localhost:8000";
            extraConfig = ''
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $host;
              proxy_set_header Range $http_range;
              proxy_set_header If-Range $http_if_range;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
            '';
          };
        };
        "jdholt.com" = {
          forceSSL = true;
          enableACME = true;
          serverAliases = [ "www.jdholt.com" ];
          extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
          locations."/skycam" = {
            root = "/var/www/jdholt.com";
          };
          locations."/skycam/snapshot.jpg" = {
            extraConfig = ''
              set $backend "skycam.mesh.vimium.net:1984";
              resolver 100.100.100.100;
              proxy_pass http://$backend/api/frame.jpeg?src=rpicam;
              proxy_cache skycam_cache;
              proxy_cache_valid any 10s;
              proxy_ignore_headers Cache-Control Expires Set-Cookie;
            '';
          };
          locations."/".return = "301 https://vimium.com$request_uri";
        };
        "pki.vimium.com" = {
          addSSL = true;
          forceSSL = false;
          enableACME = true;
          extraConfig = ''
-            ${nginxErrorPages}
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            more_set_headers 'Server: Vimium';
+            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # Disable proxy buffering for better streaming response from models
            proxy_buffering off;
            # Increase max request size for large attachments and long audio messages
            client_max_body_size 20M;
            proxy_read_timeout 10m;
          '';
          locations."/" = {
            root = "/var/www/pki.vimium.com";
          };
        };
-        "suhailhussain.com" = {
+      };
-          forceSSL = true;
+      "jellyfin.vimium.com" = {
-          enableACME = true;
+        forceSSL = true;
-          serverAliases = [ "www.suhailhussain.com" ];
+        enableACME = true;
-          extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
+        extraConfig = nginxErrorPages + nginxEdgeHeaders;
-          locations."/" = {
+        locations."/" = {
-            root = "/var/www/suhailhussain.com";
+          proxyPass = "http://localhost:8000";
-          };
+          extraConfig = ''
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
          '';
        };
-        "vimium.com" = {
+      };
-          default = true;
+      "jdholt.com" = {
-          forceSSL = true;
+        forceSSL = true;
-          enableACME = true;
+        enableACME = true;
-          serverAliases = [ "www.vimium.com" ];
+        serverAliases = [ "www.jdholt.com" ];
-          extraConfig =
+        extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
-            nginxErrorPages
+        locations."/skycam" = {
-            + nginxEdgeHeaders
+          root = "/var/www/jdholt.com";
            + nginxStrictHeaders
            + ''
              add_header Content-Security-Policy "default-src 'self' https://vimium.com https://www.vimium.com; style-src 'unsafe-inline'; object-src 'none'; upgrade-insecure-requests" always;
            '';
          locations."/" = {
            root = "/var/www/vimium.com";
          };
        };
-      }
+        locations."/skycam/snapshot.jpg" = {
-      ## Redirects
+          extraConfig = ''
-      // (mkRedirect "h0lt.com" "jdholt.com")
+            set $backend "skycam.mesh.vimium.net:1984";
-      // (mkRedirect "jordanholt.xyz" "jdholt.com")
+
-      // (mkRedirect "omnimagic.com" "vimium.com")
+            resolver 100.100.100.100;
-      // (mkRedirect "omnimagic.net" "vimium.com")
+
-      // (mkRedirect "thelostlegend.com" "suhailhussain.com")
+            proxy_pass http://$backend/api/frame.jpeg?src=rpicam;
-      // (mkRedirect "vimium.co" "vimium.com")
+            proxy_cache skycam_cache;
-      // (mkRedirect "vimium.co.uk" "vimium.com")
+            proxy_cache_valid any 10s;
-      // (mkRedirect "vimium.info" "vimium.com")
+            proxy_ignore_headers Cache-Control Expires Set-Cookie;
-      // (mkRedirect "vimium.net" "vimium.com")
+          '';
-      // (mkRedirect "vimium.org" "vimium.com")
+        };
-      // (mkRedirect "vimium.xyz" "vimium.com");
+        locations."/".return = "301 https://vimium.com$request_uri";
      };
      "pki.vimium.com" = {
        addSSL = true;
        forceSSL = false;
        enableACME = true;
        extraConfig = ''
          ${nginxErrorPages}
          more_set_headers 'Server: Vimium';
        '';
        locations."/" = {
          root = "/var/www/pki.vimium.com";
        };
      };
      "suhailhussain.com" = {
        forceSSL = true;
        enableACME = true;
        serverAliases = [ "www.suhailhussain.com" ];
        extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
        locations."/" = {
          root = "/var/www/suhailhussain.com";
        };
      };
      "vimium.com" = {
        default = true;
        forceSSL = true;
        enableACME = true;
        serverAliases = [ "www.vimium.com" ];
        extraConfig =
          nginxErrorPages
          + nginxEdgeHeaders
          + nginxStrictHeaders
          + ''
            add_header Content-Security-Policy "default-src 'self' https://vimium.com https://www.vimium.com; style-src 'unsafe-inline'; object-src 'none'; upgrade-insecure-requests" always;
          '';
        locations."/" = {
          root = "/var/www/vimium.com";
        };
      };
    }
    ## Redirects
    // (mkRedirect "h0lt.com" "jdholt.com")
    // (mkRedirect "jordanholt.xyz" "jdholt.com")
    // (mkRedirect "omnimagic.com" "vimium.com")
    // (mkRedirect "omnimagic.net" "vimium.com")
    // (mkRedirect "thelostlegend.com" "suhailhussain.com")
    // (mkRedirect "vimium.co" "vimium.com")
    // (mkRedirect "vimium.co.uk" "vimium.com")
    // (mkRedirect "vimium.info" "vimium.com")
    // (mkRedirect "vimium.net" "vimium.com")
    // (mkRedirect "vimium.org" "vimium.com")
    // (mkRedirect "vimium.xyz" "vimium.com");
  };
 }
--- a/hosts/vps1/outline.nix
+++ b/hosts/vps1/outline.nix
@@ -1,51 +0,0 @@
 {
  inputs,
  config,
  ...
 }:
 let
  domain = "outline.vimium.com";
 in
 {
  services.nginx.virtualHosts = {
    "${domain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:3000";
        extraConfig = ''
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Scheme $scheme;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_redirect off;
        '';
      };
    };
  };
  age.secrets."passwords/services/outline/oidc-client-secret" = {
    file = "${inputs.secrets}/passwords/services/outline/oidc-client-secret.age";
    owner = "outline";
    group = "outline";
  };
  services.outline = {
    enable = true;
    forceHttps = false;
    oidcAuthentication = {
      clientId = "outline";
      clientSecretFile = config.age.secrets."passwords/services/outline/oidc-client-secret".path;
      displayName = "Vimium";
      authUrl = "https://auth.vimium.com/ui/oauth2";
      tokenUrl = "https://auth.vimium.com/oauth2/token";
      userinfoUrl = "https://auth.vimium.com/oauth2/openid/outline/userinfo";
    };
    publicUrl = "https://${domain}";
    storage.storageType = "local";
  };
 }
--- a/hosts/vps2/default.nix
+++ b/hosts/vps2/default.nix
@@ -0,0 +1,31 @@
 {
  inputs,
  ...
 }:
 {
  imports = [
    inputs.disko.nixosModules.disko
    ./hardware-configuration.nix
    ./disko-config.nix
    ../server.nix
  ];
  nixpkgs = {
    hostPlatform = "x86_64-linux";
  };
  networking = {
    hostId = "60de4af8";
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # SSH
      ];
    };
  };
  modules.services.tailscale.isExitNode = true;
  system.stateVersion = "25.05";
 }
--- a/hosts/vps2/disko-config.nix
+++ b/hosts/vps2/disko-config.nix
@@ -0,0 +1,55 @@
 { lib, ... }:
 {
  disko.devices = {
    disk.disk1 = {
      device = lib.mkDefault "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "2M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "300M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "lvm_pv";
              vg = "pool";
            };
          };
        };
      };
    };
    lvm_vg = {
      pool = {
        type = "lvm_vg";
        lvs = {
          root = {
            size = "100%FREE";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
              mountOptions = [
                "defaults"
              ];
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/vps2/hardware-configuration.nix
+++ b/hosts/vps2/hardware-configuration.nix
@@ -0,0 +1,29 @@
 {
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot = {
    initrd = {
      availableKernelModules = [
        "ata_piix"
        "uhci_hcd"
        "xen_blkfront"
        "vmw_pvscsi"
      ];
      kernelModules = [ "nvme" ];
    };
    loader.grub = {
      efiSupport = true;
      efiInstallAsRemovable = true;
    };
    tmp.cleanOnBoot = true;
  };
  zramSwap.enable = true;
 }
--- a/modules/nixos/services/tailscale.nix
+++ b/modules/nixos/services/tailscale.nix
@@ -17,6 +17,14 @@ in
      default = false;
      example = true;
    };
    isExitNode = lib.mkOption {
      default = false;
      example = true;
    };
    useExitNode = lib.mkOption {
      default = false;
      example = true;
    };
    restrictSSH = lib.mkOption {
      default = true;
      example = true;
@@ -37,7 +45,8 @@ in
      extraUpFlags = [
        "--login-server"
        headscale
-      ];
+      ]
      ++ (if cfg.isExitNode then [ "--advertise-exit-node" ] else [ ]);
    };
    services.openssh.openFirewall = !cfg.restrictSSH;
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@@ -0,0 +1,24 @@
 { inputs, ... }:
 {
  imports = [
    inputs.devshell.flakeModule
  ];
  perSystem =
    { config, pkgs, ... }:
    {
      devshells.default = {
        commands = [
          {
            package = config.treefmt.build.wrapper;
            help = "Format all files";
          }
          {
            package = pkgs.deploy-rs;
            name = "deploy";
            help = "Deploy this nix-config to remote hosts";
          }
        ];
      };
    };
 }
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@@ -0,0 +1,60 @@
 {
  inputs,
  ...
 }:
 {
  flake =
    { config, lib, ... }:
    let
      domain = "mesh.vimium.net";
      mkDeployNode = hostName: {
        hostname = "${hostName}.${domain}";
        profiles.system = {
          user = "root";
          path =
            inputs.deploy-rs.lib.${
              config.nixosConfigurations.${hostName}.config.system.build.toplevel.system
            }.activate.nixos
              config.nixosConfigurations.${hostName};
        };
      };
    in
    {
      nixosConfigurations = lib.pipe ../hosts [
        builtins.readDir
        (lib.filterAttrs (name: value: value == "directory"))
        (lib.mapAttrs (
          name: value:
          inputs.nixpkgs.lib.nixosSystem {
            specialArgs = { inherit inputs; };
            modules = [
              {
                networking = {
                  inherit domain;
                  hostName = name;
                };
              }
              ../hosts/${name}
            ];
          }
        ))
      ];
      deploy = {
        magicRollback = true;
        autoRollback = true;
        sshUser = "root";
        nodes = lib.genAttrs [
          "artemis"
          "mail"
          "pi"
          "skycam"
          "vps1"
          "vps2"
        ] mkDeployNode;
      };
    };
 }
--- a/pkgs/libcamera-rpi/package.nix
+++ b/pkgs/libcamera-rpi/package.nix
@@ -24,11 +24,9 @@ libcamera.overrideAttrs (old: {
    ./patches/libcamera-no-timeout.patch
  ];
-  postPatch =
+  postPatch = old.postPatch + ''
-    old.postPatch
+    patchShebangs src/py/libcamera
-    + ''
+  '';
      patchShebangs src/py/libcamera
    '';
  preBuild = ''
    ninja src/ipa-priv-key.pem
--- a/pkgs/vk-hdr-layer/package.nix
+++ b/pkgs/vk-hdr-layer/package.nix
@@ -0,0 +1,44 @@
 {
  stdenv,
  fetchFromGitHub,
  lib,
  meson,
  ninja,
  pkg-config,
  vulkan-headers,
  vulkan-loader,
  wayland-scanner,
  wayland,
  xorg,
 }:
 stdenv.mkDerivation (finalAttrs: {
  pname = "vk-hdr-layer";
  version = "303e0c69e1d33acd95158d92b1fc652fb5b85399";
  src = fetchFromGitHub {
    owner = "Zamundaaa";
    repo = "VK_hdr_layer";
    rev = "303e0c69e1d33acd95158d92b1fc652fb5b85399";
    fetchSubmodules = true;
    hash = "sha256-NsC44Ifl/fAHvFqP7NLrVZ71Y+x5mBEkv+r43HN5yn4=";
  };
  nativeBuildInputs = [
    meson
    ninja
    pkg-config
  ];
  buildInputs = [
    vulkan-headers
    vulkan-loader
    wayland
    wayland-scanner
    xorg.libX11
  ];
  meta = {
    description = "Vulkan layer utilizing a small color management / HDR protocol for experimentation";
    homepage = "https://github.com/Zamundaaa/VK_hdr_layer";
    license = lib.licenses.mit;
  };
 })
--- a/users/jordan/artemis.nix
+++ b/users/jordan/artemis.nix
@@ -0,0 +1,20 @@
 {
  pkgs,
  ...
 }:
 {
  imports = [
    ./common/optional/graphical/firefox.nix
    ./common/optional/graphical/fonts.nix
    ./common/optional/graphical/hyprland
    ./common/optional/graphical/mimeapps.nix
  ];
  home.packages = with pkgs; [
    jellyfin-media-player
    lutris
    unstable.pcsx2
    xemu
  ];
 }
--- a/users/jordan/common/optional/graphical/fonts.nix
+++ b/users/jordan/common/optional/graphical/fonts.nix
@@ -13,5 +13,6 @@
    nerd-fonts.terminess-ttf
    nerd-fonts.ubuntu-mono
    sf-pro
    vista-fonts
  ];
 }
--- a/users/jordan/common/optional/graphical/hyprland/default.nix
+++ b/users/jordan/common/optional/graphical/hyprland/default.nix
@@ -20,30 +20,29 @@ let
  concatMapAttrsStringSep =
    sep: f: attrs:
    concatStringsSep sep (attrValues (mapAttrs f attrs));
-  globalVariables =
+  globalVariables = {
-    {
+    _JAVA_AWT_WM_NONREPARENTING = "1";
-      _JAVA_AWT_WM_NONREPARENTING = "1";
+    GDK_BACKEND = "wayland";
-      GDK_BACKEND = "wayland";
+    MOZ_ENABLE_WAYLAND = "1";
-      MOZ_ENABLE_WAYLAND = "1";
+    NIXOS_OZONE_WL = "1";
-      NIXOS_OZONE_WL = "1";
+    QT_QPA_PLATFORM = "wayland";
-      QT_QPA_PLATFORM = "wayland";
+    QT_STYLE_OVERRIDE = "kvantum";
-      QT_STYLE_OVERRIDE = "kvantum";
+    QT_WAYLAND_DECORATION = "adwaita";
-      QT_WAYLAND_DECORATION = "adwaita";
+    QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
-      QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+    SDL_VIDEODRIVER = "wayland";
-      SDL_VIDEODRIVER = "wayland";
+    XDG_SESSION_TYPE = "wayland";
-      XDG_SESSION_TYPE = "wayland";
+  }
-    }
+  // (
-    // (
+    if elem "nvidia" osConfig.services.xserver.videoDrivers then
-      if elem "nvidia" osConfig.services.xserver.videoDrivers then
+      {
-        {
+        GBM_BACKEND = "nvidia-drm";
-          GBM_BACKEND = "nvidia-drm";
+        GSK_RENDERER =
-          GSK_RENDERER =
+          if versionOlder osConfig.hardware.nvidia.package.version "570" then "ngl" else "vulkan";
-            if versionOlder osConfig.hardware.nvidia.package.version "570" then "ngl" else "vulkan";
+        LIBVA_DRIVER_NAME = "nvidia";
-          LIBVA_DRIVER_NAME = "nvidia";
+      }
-        }
+    else
-      else
+      { }
-        { }
+  );
    );
  hyprVariables = {
    AQ_DRM_DEVICES = "/dev/dri/card0:/dev/dri/card1";
  };
@@ -111,6 +110,10 @@ in
        no_update_news = true;
      };
      experimental = {
        xx_color_management_v4 = true;
      };
      decoration = {
        rounding = 10;
@@ -161,7 +164,10 @@ in
        ];
      };
-      monitor = "desc:Dell Inc. DELL U3219Q HPTP413, preferred, auto, 1";
+      monitor = [
        "desc:Dell Inc. DELL U3219Q HPTP413, preferred, auto, 1, vrr, 0, bitdepth, 10, cm, hdr"
        "desc:LG Electronics LG TV SSCR2, 3840x2160@60, 0x0, 1, vrr, 0, bitdepth, 10, cm, hdr"
      ];
      input = {
        kb_layout = "us";
--- a/users/jordan/common/shell.nix
+++ b/users/jordan/common/shell.nix
@@ -181,6 +181,7 @@ in
    btop
    fd
    jq
    ncdu
    nix-zsh-completions
    nnn
    ripgrep
--- a/users/jordan/default.nix
+++ b/users/jordan/default.nix
@@ -42,7 +42,8 @@ in
      ./common/pass.nix
      ./common/shell.nix
      ./common/ssh.nix
-    ] ++ optional (builtins.pathExists hostFile) hostFile;
+    ]
    ++ optional (builtins.pathExists hostFile) hostFile;
    home = {
      username = name;