hosts/vps1: update home host

hosts/{odyssey,pi}: move home-assistant to odyssey
flake.lock: Update
2025-11-15 14:19:40 +00:00 · 2025-11-15 13:54:04 +00:00 · 2025-11-15 13:40:27 +00:00 · 2025-11-15 13:32:11 +00:00 · 2025-11-15 13:31:52 +00:00 · 2025-11-15 08:10:10 +00:00
89 changed files with 1499 additions and 440 deletions
--- a/README.md
+++ b/README.md
@@ -5,9 +5,9 @@ System and user configuration for NixOS-based systems.
 | | |
 |-|-|
 | **Shell:** | zsh |
-| **DE:** | GNOME |
+| **WM:** | Hyprland |
 | **Theme:** | Adwaita |
-| **Terminal:** | Ghostty |
+| **Terminal:** | kitty |
 ## Provisioning a new host
--- a/flake.lock
+++ b/flake.lock
@@ -12,11 +12,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1754433428,
+        "lastModified": 1762618334,
-        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
        "type": "github"
      },
      "original": {
@@ -38,11 +38,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1754492276,
+        "lastModified": 1759699908,
-        "narHash": "sha256-cCtleJZQY5eWPYRGl5x63BZ2rfOik4pLveCveH+tmvM=",
+        "narHash": "sha256-kYVGY8sAfqwpNch706Fy2+/b+xbtfidhXSnzvthAhIQ=",
        "owner": "oddlama",
        "repo": "agenix-rekey",
-        "rev": "69ed7833c0e4e6a677a20894d8f12876b9e2bedb",
+        "rev": "42362b12f59978aabf3ec3334834ce2f3662013d",
        "type": "github"
      },
      "original": {
@@ -71,11 +71,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753216019,
+        "lastModified": 1762356719,
-        "narHash": "sha256-zik7WISrR1ks2l6T1MZqZHb/OqroHdJnSnAehkE0kCk=",
+        "narHash": "sha256-qwd/xdoOya1m8FENle+4hWnydCtlXUWLAW/Auk6WL7s=",
        "owner": "hyprwm",
        "repo": "aquamarine",
-        "rev": "be166e11d86ba4186db93e10c54a141058bdce49",
+        "rev": "6d0b3567584691bf9d8fedb5d0093309e2f979c7",
        "type": "github"
      },
      "original": {
@@ -131,11 +131,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1749105467,
+        "lastModified": 1762286984,
-        "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
+        "narHash": "sha256-9I2H9x5We6Pl+DBYHjR1s3UT8wgwcpAH03kn9CqtdQc=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
+        "rev": "9c870f63e28ec1e83305f7f6cb73c941e699f74f",
        "type": "github"
      },
      "original": {
@@ -172,11 +172,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1741473158,
+        "lastModified": 1762521437,
-        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
+        "narHash": "sha256-RXN+lcx4DEn3ZS+LqEJSUu/HH+dwGvy0syN7hTo/Chg=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
+        "rev": "07bacc9531f5f4df6657c0a02a806443685f384a",
        "type": "github"
      },
      "original": {
@@ -213,11 +213,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755519972,
+        "lastModified": 1762276996,
-        "narHash": "sha256-bU4nqi3IpsUZJeyS8Jk85ytlX61i4b0KCxXX9YcOgVc=",
+        "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "4073ff2f481f9ef3501678ff479ed81402caae6d",
+        "rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
        "type": "github"
      },
      "original": {
@@ -229,11 +229,11 @@
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1755874650,
+        "lastModified": 1759418614,
-        "narHash": "sha256-ClHCtrzwU6TIfK0qOzAsfPY4swrpbZ8SwUpBpVwphaY=",
+        "narHash": "sha256-0E3TqvXAy81qeM/jZXWWOTZ14Hs1RT7o78UyZM+Jbr4=",
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
-        "rev": "6fafa0409ad451b90db466f900b7549a1890bf1a",
+        "rev": "afd438034bf91089cfeb9e6b5cb987bdf5442d0f",
        "type": "github"
      },
      "original": {
@@ -332,11 +332,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1754487366,
+        "lastModified": 1762980239,
-        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+        "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+        "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da",
        "type": "github"
      },
      "original": {
@@ -353,11 +353,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1754091436,
+        "lastModified": 1762440070,
-        "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
+        "narHash": "sha256-xxdepIcb39UJ94+YydGP221rjnpkDZUlykKuF54PsqI=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
+        "rev": "26d05891e14c88eb4a5d5bee659c0db5afb609d8",
        "type": "github"
      },
      "original": {
@@ -517,11 +517,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755928099,
+        "lastModified": 1758463745,
-        "narHash": "sha256-OILVkfhRCm8u18IZ2DKR8gz8CVZM2ZcJmQBXmjFLIfk=",
+        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "4a44fb9f7555da362af9d499817084f4288a957f",
+        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
        "type": "github"
      },
      "original": {
@@ -576,11 +576,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1754305013,
+        "lastModified": 1762462052,
-        "narHash": "sha256-u+M2f0Xf1lVHzIPQ7DsNCDkM1NYxykOSsRr4t3TbSM4=",
+        "narHash": "sha256-6roLYzcDf4V38RUMSqycsOwAnqfodL6BmhRkUtwIgdA=",
        "owner": "hyprwm",
        "repo": "hyprgraphics",
-        "rev": "4c1d63a0f22135db123fc789f174b89544c6ec2d",
+        "rev": "ffc999d980c7b3bca85d3ebd0a9fbadf984a8162",
        "type": "github"
      },
      "original": {
@@ -594,8 +594,8 @@
        "aquamarine": "aquamarine",
        "hyprcursor": "hyprcursor",
        "hyprgraphics": "hyprgraphics",
        "hyprland-guiutils": "hyprland-guiutils",
        "hyprland-protocols": "hyprland-protocols",
        "hyprland-qtutils": "hyprland-qtutils",
        "hyprlang": "hyprlang",
        "hyprutils": "hyprutils",
        "hyprwayland-scanner": "hyprwayland-scanner",
@@ -605,11 +605,11 @@
        "xdph": "xdph"
      },
      "locked": {
-        "lastModified": 1755883465,
+        "lastModified": 1763071594,
-        "narHash": "sha256-/yviTS9piazXoZAmnN0dXnYjDAFvooBnzJfPw2Gi30Y=",
+        "narHash": "sha256-s5FF0rQE6UIBAUfqk5ZqGedU3bhW0OvXfmz5lzJGurY=",
        "owner": "hyprwm",
        "repo": "Hyprland",
-        "rev": "0d45b277d6c750377b336034b8adc53eae238d91",
+        "rev": "43527d363472b52f17dd9f9f4f87ec25cbf8a399",
        "type": "github"
      },
      "original": {
@@ -618,6 +618,52 @@
        "type": "github"
      }
    },
    "hyprland-guiutils": {
      "inputs": {
        "aquamarine": [
          "hyprland",
          "aquamarine"
        ],
        "hyprgraphics": [
          "hyprland",
          "hyprgraphics"
        ],
        "hyprlang": [
          "hyprland",
          "hyprlang"
        ],
        "hyprtoolkit": "hyprtoolkit",
        "hyprutils": [
          "hyprland",
          "hyprutils"
        ],
        "hyprwayland-scanner": [
          "hyprland",
          "hyprwayland-scanner"
        ],
        "nixpkgs": [
          "hyprland",
          "nixpkgs"
        ],
        "systems": [
          "hyprland",
          "systems"
        ]
      },
      "locked": {
        "lastModified": 1762755186,
        "narHash": "sha256-ZjjETUHtoEhVN7JI1Cbt3p/KcXpK8ZQaPHx7UkG1OgA=",
        "owner": "hyprwm",
        "repo": "hyprland-guiutils",
        "rev": "66356e20a8ed348aa49c1b9ceace786e224225b3",
        "type": "github"
      },
      "original": {
        "owner": "hyprwm",
        "repo": "hyprland-guiutils",
        "type": "github"
      }
    },
    "hyprland-plugins": {
      "inputs": {
        "hyprland": [
@@ -635,11 +681,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755183521,
+        "lastModified": 1762989208,
-        "narHash": "sha256-wrP8TM2lb2x0+PyTc7Uc3yfVBeIlYW7+hFeG14N9Cr8=",
+        "narHash": "sha256-NBTbKW0MVIMFCjAqeoJWkg5iUucAZ9jS4Lbyax6rIBE=",
        "owner": "hyprwm",
        "repo": "hyprland-plugins",
-        "rev": "c1ddebb423acc7c88653c04de5ddafee64dac89a",
+        "rev": "befb2670803cf7c1b9f0323449c8d9ccdaa485e2",
        "type": "github"
      },
      "original": {
@@ -660,11 +706,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749046714,
+        "lastModified": 1759610243,
-        "narHash": "sha256-kymV5FMnddYGI+UjwIw8ceDjdeg7ToDVjbHCvUlhn14=",
+        "narHash": "sha256-+KEVnKBe8wz+a6dTLq8YDcF3UrhQElwsYJaVaHXJtoI=",
        "owner": "hyprwm",
        "repo": "hyprland-protocols",
-        "rev": "613878cb6f459c5e323aaafe1e6f388ac8a36330",
+        "rev": "bd153e76f751f150a09328dbdeb5e4fab9d23622",
        "type": "github"
      },
      "original": {
@@ -673,74 +719,6 @@
        "type": "github"
      }
    },
    "hyprland-qt-support": {
      "inputs": {
        "hyprlang": [
          "hyprland",
          "hyprland-qtutils",
          "hyprlang"
        ],
        "nixpkgs": [
          "hyprland",
          "hyprland-qtutils",
          "nixpkgs"
        ],
        "systems": [
          "hyprland",
          "hyprland-qtutils",
          "systems"
        ]
      },
      "locked": {
        "lastModified": 1749154592,
        "narHash": "sha256-DO7z5CeT/ddSGDEnK9mAXm1qlGL47L3VAHLlLXoCjhE=",
        "owner": "hyprwm",
        "repo": "hyprland-qt-support",
        "rev": "4c8053c3c888138a30c3a6c45c2e45f5484f2074",
        "type": "github"
      },
      "original": {
        "owner": "hyprwm",
        "repo": "hyprland-qt-support",
        "type": "github"
      }
    },
    "hyprland-qtutils": {
      "inputs": {
        "hyprland-qt-support": "hyprland-qt-support",
        "hyprlang": [
          "hyprland",
          "hyprlang"
        ],
        "hyprutils": [
          "hyprland",
          "hyprland-qtutils",
          "hyprlang",
          "hyprutils"
        ],
        "nixpkgs": [
          "hyprland",
          "nixpkgs"
        ],
        "systems": [
          "hyprland",
          "systems"
        ]
      },
      "locked": {
        "lastModified": 1753819801,
        "narHash": "sha256-tHe6XeNeVeKapkNM3tcjW4RuD+tB2iwwoogWJOtsqTI=",
        "owner": "hyprwm",
        "repo": "hyprland-qtutils",
        "rev": "b308a818b9dcaa7ab8ccab891c1b84ebde2152bc",
        "type": "github"
      },
      "original": {
        "owner": "hyprwm",
        "repo": "hyprland-qtutils",
        "type": "github"
      }
    },
    "hyprlang": {
      "inputs": {
        "hyprutils": [
@@ -757,11 +735,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753622892,
+        "lastModified": 1758927902,
-        "narHash": "sha256-0K+A+gmOI8IklSg5It1nyRNv0kCNL51duwnhUO/B8JA=",
+        "narHash": "sha256-LZgMds7M94+vuMql2bERQ6LiFFdhgsEFezE4Vn+Ys3A=",
        "owner": "hyprwm",
        "repo": "hyprlang",
-        "rev": "23f0debd2003f17bd65f851cd3f930cff8a8c809",
+        "rev": "4dafa28d4f79877d67a7d1a654cddccf8ebf15da",
        "type": "github"
      },
      "original": {
@@ -770,6 +748,58 @@
        "type": "github"
      }
    },
    "hyprtoolkit": {
      "inputs": {
        "aquamarine": [
          "hyprland",
          "hyprland-guiutils",
          "aquamarine"
        ],
        "hyprgraphics": [
          "hyprland",
          "hyprland-guiutils",
          "hyprgraphics"
        ],
        "hyprlang": [
          "hyprland",
          "hyprland-guiutils",
          "hyprlang"
        ],
        "hyprutils": [
          "hyprland",
          "hyprland-guiutils",
          "hyprutils"
        ],
        "hyprwayland-scanner": [
          "hyprland",
          "hyprland-guiutils",
          "hyprwayland-scanner"
        ],
        "nixpkgs": [
          "hyprland",
          "hyprland-guiutils",
          "nixpkgs"
        ],
        "systems": [
          "hyprland",
          "hyprland-guiutils",
          "systems"
        ]
      },
      "locked": {
        "lastModified": 1762463729,
        "narHash": "sha256-2fYkU/mdz8WKY3dkDPlE/j6hTxIwqultsx4gMMsMns0=",
        "owner": "hyprwm",
        "repo": "hyprtoolkit",
        "rev": "88483bdee5329ec985f0c8f834c519cd18cfe532",
        "type": "github"
      },
      "original": {
        "owner": "hyprwm",
        "repo": "hyprtoolkit",
        "type": "github"
      }
    },
    "hyprutils": {
      "inputs": {
        "nixpkgs": [
@@ -782,11 +812,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1754481650,
+        "lastModified": 1762387740,
-        "narHash": "sha256-6u6HdEFJh5gY6VfyMQbhP7zDdVcqOrCDTkbiHJmAtMI=",
+        "narHash": "sha256-gQ9zJ+pUI4o+Gh4Z6jhJll7jjCSwi8ZqJIhCE2oqwhQ=",
        "owner": "hyprwm",
        "repo": "hyprutils",
-        "rev": "df6b8820c4a0835d83d0c7c7be86fbc555f1f7fd",
+        "rev": "926689ddb9c0a8787e58c02c765a62e32d63d1f7",
        "type": "github"
      },
      "original": {
@@ -807,11 +837,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1751897909,
+        "lastModified": 1755184602,
-        "narHash": "sha256-FnhBENxihITZldThvbO7883PdXC/2dzW4eiNvtoV5Ao=",
+        "narHash": "sha256-RCBQN8xuADB0LEgaKbfRqwm6CdyopE1xIEhNc67FAbw=",
        "owner": "hyprwm",
        "repo": "hyprwayland-scanner",
-        "rev": "fcca0c61f988a9d092cbb33e906775014c61579d",
+        "rev": "b3b0f1f40ae09d4447c20608e5a4faf8bf3c492d",
        "type": "github"
      },
      "original": {
@@ -849,16 +879,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1748294338,
+        "lastModified": 1754860581,
-        "narHash": "sha256-FVO01jdmUNArzBS7NmaktLdGA5qA3lUMJ4B7a05Iynw=",
+        "narHash": "sha256-EM0IE63OHxXCOpDHXaTyHIOk2cNvMCGPqLt/IdtVxgk=",
        "owner": "NuschtOS",
        "repo": "ixx",
-        "rev": "cc5f390f7caf265461d4aab37e98d2292ebbdb85",
+        "rev": "babfe85a876162c4acc9ab6fb4483df88fa1f281",
        "type": "github"
      },
      "original": {
        "owner": "NuschtOS",
-        "ref": "v0.0.8",
+        "ref": "v0.1.1",
        "repo": "ixx",
        "type": "github"
      }
@@ -866,11 +896,11 @@
    "kvlibadwaita": {
      "flake": false,
      "locked": {
-        "lastModified": 1710621848,
+        "lastModified": 1757782301,
-        "narHash": "sha256-xBl6zmpqTAH5MIT5iNAdW6kdOcB5MY0Dtrb95hdYpwA=",
+        "narHash": "sha256-jCXME6mpqqWd7gWReT04a//2O83VQcOaqIIXa+Frntc=",
        "owner": "GabePoel",
        "repo": "KvLibadwaita",
-        "rev": "87c1ef9f44ec48855fd09ddab041007277e30e37",
+        "rev": "1f4e0bec44b13dabfa1fe4047aa8eeaccf2f3557",
        "type": "github"
      },
      "original": {
@@ -891,11 +921,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752093877,
+        "lastModified": 1762088663,
-        "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=",
+        "narHash": "sha256-rpCvFan9Dji1Vw4HfVqYdfWesz5sKZE3uSgYR9gRreA=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633",
+        "rev": "c15f569794a0f1a437850d0ac81675bcf23ca6cb",
        "type": "github"
      },
      "original": {
@@ -906,11 +936,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1755330281,
+        "lastModified": 1762847253,
-        "narHash": "sha256-aJHFJWP9AuI8jUGzI77LYcSlkA9wJnOIg4ZqftwNGXA=",
+        "narHash": "sha256-BWWnUUT01lPwCWUvS0p6Px5UOBFeXJ8jR+ZdLX8IbrU=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "3dac8a872557e0ca8c083cdcfc2f218d18e113b0",
+        "rev": "899dc449bc6428b9ee6b3b8f771ca2b0ef945ab9",
        "type": "github"
      },
      "original": {
@@ -946,11 +976,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1754725699,
+        "lastModified": 1762363567,
-        "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
+        "narHash": "sha256-YRqMDEtSMbitIMj+JLpheSz0pwEr0Rmy5mC7myl17xs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
+        "rev": "ae814fd3904b621d8ab97418f1d0f2eb0d3716f4",
        "type": "github"
      },
      "original": {
@@ -978,11 +1008,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1753579242,
+        "lastModified": 1761765539,
-        "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
+        "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
+        "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc",
        "type": "github"
      },
      "original": {
@@ -993,11 +1023,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1755615617,
+        "lastModified": 1762977756,
-        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
+        "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
+        "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
        "type": "github"
      },
      "original": {
@@ -1008,11 +1038,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1755704039,
+        "lastModified": 1763049705,
-        "narHash": "sha256-gKlP0LbyJ3qX0KObfIWcp5nbuHSb5EHwIvU6UcNBg2A=",
+        "narHash": "sha256-A5LS0AJZ1yDPTa2fHxufZN++n8MCmtgrJDtxFxrH4S8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9cb344e96d5b6918e94e1bca2d9f3ea1e9615545",
+        "rev": "3acb677ea67d4c6218f33de0db0955f116b7588c",
        "type": "github"
      },
      "original": {
@@ -1031,11 +1061,11 @@
        "systems": "systems_6"
      },
      "locked": {
-        "lastModified": 1755727480,
+        "lastModified": 1762722066,
-        "narHash": "sha256-eb9N7XFj1zirk+D2KV+rn/CjmVHDISlxhtZCWZEVpkM=",
+        "narHash": "sha256-Kph9HBaDqN0dOvsb8fnhoyj4mpxF6RfoqzVqXxvpzVY=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "6df0b97b39baa1c0b3002b051f307aed68e17d1b",
+        "rev": "b36fcf1d64e782488fc6296eaa4f26d6cae4e090",
        "type": "github"
      },
      "original": {
@@ -1055,11 +1085,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753771532,
+        "lastModified": 1761730856,
-        "narHash": "sha256-Pmpke0JtLRzgdlwDC5a+aiLVZ11JPUO5Bcqkj0nHE/k=",
+        "narHash": "sha256-t1i5p/vSWwueZSC0Z2BImxx3BjoUDNKyC2mk24krcMY=",
        "owner": "NuschtOS",
        "repo": "search",
-        "rev": "2a65adaf2c0c428efb0f4a2bc406aab466e96a06",
+        "rev": "e29de6db0cb3182e9aee75a3b1fd1919d995d85b",
        "type": "github"
      },
      "original": {
@@ -1078,11 +1108,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1754416808,
+        "lastModified": 1762441963,
-        "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
+        "narHash": "sha256-j+rNQ119ffYUkYt2YYS6rnd6Jh/crMZmbqpkGLXaEt0=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
+        "rev": "8e7576e79b88c16d7ee3bbd112c8d90070832885",
        "type": "github"
      },
      "original": {
@@ -1100,11 +1130,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755879220,
+        "lastModified": 1763032142,
-        "narHash": "sha256-2KZl6cU5rzEwXKMW369kLTzinJXXkF3TRExA6qEeVbc=",
+        "narHash": "sha256-M+2QBQoC0lzkCdUQRXylR2RkcT6BCRfW3KDs+c/IGLw=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "3ff4596663c8cbbffe06d863ee4c950bce2c3b78",
+        "rev": "84255025dee4c8701a99fbff65ac3c9095952f99",
        "type": "github"
      },
      "original": {
@@ -1143,11 +1173,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1755887038,
+        "lastModified": 1763213908,
-        "narHash": "sha256-HoEMwFfR3rwNxwJjFCbj3rfW8k6EabHuMJAZOwsT95c=",
+        "narHash": "sha256-VnsvhCOO2h1HRLG+wbmYlKrAQL5HnmvkE+aHcZ8YS/M=",
        "ref": "refs/heads/master",
-        "rev": "9e47b557087ebde3a30c9f97189d110c29d144fd",
+        "rev": "2a17f8af388cd87d12d6340c3601d35ca330956f",
-        "revCount": 40,
+        "revCount": 42,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
      },
@@ -1249,11 +1279,11 @@
    "thunderbird-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1755861050,
+        "lastModified": 1757216698,
-        "narHash": "sha256-oLmw1VRrmbuLwT5errG3lT85K0jLII/aQ32VtdJ+1xM=",
+        "narHash": "sha256-aQAlgHsBAS+DdyYDlYhW/xT86xIu9FO8yJEzSCVaSBg=",
        "owner": "rafaelmardojai",
        "repo": "thunderbird-gnome-theme",
-        "rev": "b1fbb41db5718c23667bd9b40268b8e7317634fd",
+        "rev": "8b9a19eb188b3ede65e8f12a11637bbd56e4f4d7",
        "type": "github"
      },
      "original": {
@@ -1290,11 +1320,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755934250,
+        "lastModified": 1762938485,
-        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
+        "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
+        "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4",
        "type": "github"
      },
      "original": {
@@ -1349,11 +1379,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753633878,
+        "lastModified": 1761431178,
-        "narHash": "sha256-js2sLRtsOUA/aT10OCDaTjO80yplqwOIaLUqEe0nMx0=",
+        "narHash": "sha256-xzjC1CV3+wpUQKNF+GnadnkeGUCJX+vgaWIZsnz9tzI=",
        "owner": "hyprwm",
        "repo": "xdg-desktop-portal-hyprland",
-        "rev": "371b96bd11ad2006ed4f21229dbd1be69bed3e8a",
+        "rev": "4b8801228ff958d028f588f0c2b911dbf32297f9",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -113,10 +113,10 @@
    }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      imports = [
        inputs.agenix-rekey.flakeModule
        inputs.pre-commit-hooks.flakeModule
        inputs.nix-topology.flakeModule
        inputs.treefmt-nix.flakeModule
        ./nix/agenix-rekey.nix
        ./nix/devshell.nix
        ./nix/hosts.nix
      ];
--- a/hosts/artemis/default.nix
+++ b/hosts/artemis/default.nix
@@ -25,6 +25,8 @@ in
    hostPlatform = "x86_64-linux";
  };
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  boot.loader = {
    systemd-boot = {
      enable = true;
@@ -100,7 +102,7 @@ in
      };
      desktop = {
        gnome.enable = lib.mkForce false;
-        hyprland.enable = true;
+        hyprland.enable = false;
      };
    };
  };
--- a/hosts/artemis/hardware-configuration.nix
+++ b/hosts/artemis/hardware-configuration.nix
@@ -68,7 +68,7 @@ in
      "amdgpu.sched_hw_submission=4"
      "audit=0"
    ];
-    kernelPackages = pkgs.linuxPackages_6_15;
+    kernelPackages = pkgs.linuxPackages_6_17;
    supportedFilesystems = [ "ntfs" ];
  };
--- a/hosts/artemis/ssh_host_ed25519_key.pub
+++ b/hosts/artemis/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXJmnp4LUE9AFjGHwvxAu4m/3PB2uYQ69F7wYv7cGGT
--- a/hosts/atlas/default.nix
+++ b/hosts/atlas/default.nix
@@ -9,6 +9,8 @@
  nixpkgs.hostPlatform = "x86_64-linux";
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
--- a/hosts/atlas/ssh_host_ed25519_key.pub
+++ b/hosts/atlas/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPddvpZeCUelUGsnFvx87WOqKKc+MGPU6+rx6s1ReWQl
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -6,17 +6,24 @@
 }:
 {
  imports = [
-    inputs.agenix.nixosModules.age
+    inputs.agenix.nixosModules.default
    inputs.agenix-rekey.nixosModules.default
    inputs.home-manager.nixosModules.home-manager
    ../modules/nixos
    ../modules/nixos/impermanence.nix
  ];
  age.rekey = {
    masterIdentities = [ ../secrets/yubikey-nix-primary.pub ];
    storageMode = "local";
    generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.networking.hostName}";
    localStorageDir = inputs.self.outPath + "/secrets/rekeyed/${config.networking.hostName}";
  };
  nixpkgs = {
    config.allowUnfree = true;
    overlays = [
      inputs.agenix.overlays.default
      (import ../overlays/default.nix)
      (final: prev: {
        unstable = import inputs.nixpkgs-unstable {
          config = {
@@ -25,6 +32,7 @@
          system = final.system;
        };
      })
      (import ../overlays/default.nix)
    ];
  };
@@ -109,6 +117,7 @@
      dates = "weekly";
      options = "-d --delete-older-than 7d";
    };
    registry.unstable.flake = inputs.nixpkgs-unstable;
  };
  home-manager = {
--- a/hosts/desktop.nix
+++ b/hosts/desktop.nix
@@ -40,7 +40,7 @@
  };
  system.autoUpgrade = {
-    enable = true;
+    enable = false;
    flake = "git+ssh://git@git.vimium.com/jordan/nix-config.git";
    randomizedDelaySec = "10min";
  };
--- a/hosts/helios/default.nix
+++ b/hosts/helios/default.nix
@@ -16,6 +16,8 @@ in
  nixpkgs.hostPlatform = "x86_64-linux";
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  boot = {
    loader.grub = {
      enable = true;
--- a/hosts/helios/ssh_host_ed25519_key.pub
+++ b/hosts/helios/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2tDij7eTDbljl6Crz4i7qrM0lgp8U2T9ZMXt7VQPT/
--- a/hosts/hypnos/default.nix
+++ b/hosts/hypnos/default.nix
@@ -22,6 +22,8 @@
    };
  };
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
--- a/hosts/hypnos/ssh_host_ed25519_key.pub
+++ b/hosts/hypnos/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGlbvy+4QHbveFbS6r9S0JWUVHeI/MgYLyGtfpZqJ/3
--- a/hosts/library/ai.nix
+++ b/hosts/library/ai.nix
@@ -1,19 +1,22 @@
 {
  inputs,
  config,
  pkgs,
  ...
 }:
 let
  stateDir = "/var/lib/open-webui";
 in
 {
-  age.secrets."files/services/open-webui/envfile" = {
+  age.secrets.open-webui-env = {
-    file = "${inputs.secrets}/files/services/open-webui/envfile.age";
+    rekeyFile = ./secrets/open-webui-env.age;
  };
  services.open-webui = {
    enable = true;
    package = pkgs.unstable.open-webui;
    port = 8081;
    host = "0.0.0.0";
    environment =
      let
        clientId = "open-webui";
@@ -29,10 +32,33 @@
        OFFLINE_MODE = "True";
        OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration";
        OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback";
        # Fix from https://github.com/NixOS/nixpkgs/pull/431395
        STATIC_DIR = "${stateDir}/static";
        DATA_DIR = "${stateDir}/data";
        HF_HOME = "${stateDir}/hf_home";
        SENTENCE_TRANSFORMERS_HOME = "${stateDir}/transformers_home";
      };
-    environmentFile = config.age.secrets."files/services/open-webui/envfile".path;
+    environmentFile = config.age.secrets.open-webui-env.path;
  };
  # Fix from https://github.com/NixOS/nixpkgs/pull/432897
  systemd.services.open-webui.preStart = ''
    if [ -d "${stateDir}/data" ] && [ -n "$(ls -A "${stateDir}/data" 2>/dev/null)" ]; then
      exit 0
    fi
    mkdir -p "${stateDir}/data"
    [ -f "${stateDir}/webui.db" ] && mv "${stateDir}/webui.db" "${stateDir}/data/"
    for dir in cache uploads vector_db; do
      [ -d "${stateDir}/$dir" ] && mv "${stateDir}/$dir" "${stateDir}/data/"
    done
    exit 0
  '';
  modules.services.borgmatic.directories = [
    "/var/lib/private/open-webui"
  ];
--- a/hosts/library/default.nix
+++ b/hosts/library/default.nix
@@ -17,6 +17,8 @@
  nixpkgs.hostPlatform = "x86_64-linux";
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
--- a/hosts/library/nginx.nix
+++ b/hosts/library/nginx.nix
@@ -33,25 +33,6 @@
            '';
          };
        };
        "chat.ai.vimium.com" = {
          listen = [
            {
              addr = "127.0.0.1";
              port = 8001;
            }
          ];
          locations."/" = {
            proxyPass = "http://localhost:8081";
            extraConfig = proxyConfig + ''
              # Disable proxy buffering for better streaming response from models
              proxy_buffering off;
              # Increase max request size for large attachments and long audio messages
              client_max_body_size 20M;
              proxy_read_timeout 10m;
            '';
          };
        };
        "jellyfin.vimium.com" = {
          default = true;
          listen = [
--- a/hosts/library/secrets/open-webui-env.age
+++ b/hosts/library/secrets/open-webui-env.age
@@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> piv-p256 a1N2XA AqHsJTdBE6LT9QJK7Dek6b3zA/PaqAmma7uRdKHdQQym
 KMB+yq8M+eej5pg7MHFBqzYhQhVnrPpTevDVo1RZn5Q
 -> m;#M[T-grease > G>`e0C&G OS
 ichBG8145Jl9vthZfVHcznJmi+c81HHZfd7UGzdfP7TR1wp9ub6IXiqK9KRe7ga7
 N3osvWzwiwCI5oN0NA
 --- ILq3bk5+xuZ4CV7J/rQkYBMz5wG2dHzn+G+cvEqUSRw
 j
 <EFBFBD><EFBFBD>X<EFBFBD>+<2B><>r<EFBFBD><1E><>j<EFBFBD><6A><EFBFBD>ZW<16><>p<EFBFBD><70><EFBFBD>k<EFBFBD>%ǗxdC5mͧ '[<5B><>w<EFBFBD>x<EFBFBD>雸<EFBFBD>#<23><><EFBFBD>O<18><14>7<EFBFBD>bC'8<><38>3<EFBFBD>b<EFBFBD>{_<>%_<><5F>s&<26><><EFBFBD>ѹrr<72><07><><EFBFBD>,
 5L8<EFBFBD>yC<EFBFBD>O<EFBFBD>6o<EFBFBD><EFBFBD><EFBFBD>k}<7D><17>_<EFBFBD><5F>i<EFBFBD>m<EFBFBD>u3|<7C>f	5<><35>5<EFBFBD><35>A<EFBFBD>V<EFBFBD>><3E>+<2B><><EFBFBD><EFBFBD>E=<3D><><11><>E<EFBFBD><45><EFBFBD>aE<61>-<2D>Ԑ^<5E><>Q<EFBFBD><51>j<EFBFBD><6A><EFBFBD><EFBFBD>7<EFBFBD>6P<36><50>b<EFBFBD><62>E8*4߄
--- a/hosts/library/ssh_host_ed25519_key.pub
+++ b/hosts/library/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBP+SH4lzFTE29y9HfjkaO7Ino5OqEws5UXcnBFoo76C
--- a/hosts/mail/default.nix
+++ b/hosts/mail/default.nix
@@ -14,6 +14,8 @@
  nixpkgs.hostPlatform = "x86_64-linux";
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  networking = {
    hostId = "08ac2f14";
    firewall = {
--- a/hosts/mail/ssh_host_ed25519_key.pub
+++ b/hosts/mail/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGLHtC0JmFfct+lYl0EjgphutmeYY8BWDctY3+/TsO6L
--- a/hosts/odyssey/comfyui-docker.nix
+++ b/hosts/odyssey/comfyui-docker.nix
@@ -0,0 +1,34 @@
 {
  hardware.graphics.enable32Bit = true;
  hardware.nvidia-container-toolkit.enable = true;
  virtualisation.docker.enable = true;
  virtualisation.oci-containers = {
    backend = "docker";
    containers = {
      comfyui = {
        image = "ghcr.io/clsferguson/comfyui-docker:latest";
        autoStart = true;
        ports = [ "8188:8188" ];
        extraOptions = [
          "--device=nvidia.com/gpu=all"
          "--ipc=host"
        ];
        volumes = [
          "/home/jordan/ComfyUI/user:/app/ComfyUI/user"
          "/home/jordan/ComfyUI/custom_nodes:/app/ComfyUI/custom_nodes"
          "/home/jordan/ComfyUI/models:/app/ComfyUI/models:rw"
          "/home/jordan/ComfyUI/input:/app/ComfyUI/input:rw"
          "/home/jordan/ComfyUI/output:/app/ComfyUI/output:rw"
        ];
        environment = {
          TZ = "Europe/London";
          PUID = "1000";
          PGID = "1000";
          COMFY_AUTO_INSTALL = "1";
        };
      };
    };
  };
 }
--- a/hosts/odyssey/default.nix
+++ b/hosts/odyssey/default.nix
@@ -7,7 +7,9 @@
 {
  imports = [
    ./hardware-configuration.nix
    ./comfyui-docker.nix
    ./gitea-runner.nix
    ./home-assistant
    ./nix-serve.nix
    ../desktop.nix
    ../../users/jordan
@@ -20,6 +22,8 @@
    };
  };
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  boot.loader = {
    systemd-boot = {
      enable = true;
@@ -50,6 +54,17 @@
    capSysAdmin = true;
  };
  environment.systemPackages = with pkgs; [
    yubikey-manager
    age-plugin-yubikey
  ];
  services.udev.packages = with pkgs; [
    libfido2
  ];
  services.pcscd.enable = true;
  modules = {
    hardware.presonus-studio.enable = true;
    services = {
--- a/hosts/odyssey/hardware-configuration.nix
+++ b/hosts/odyssey/hardware-configuration.nix
@@ -44,6 +44,7 @@
      powerManagement.enable = true;
      nvidiaSettings = false;
    };
    nvidia-container-toolkit.enable = true;
  };
  powerManagement.cpuFreqGovernor = "schedutil";
--- a/hosts/odyssey/home-assistant/dashboards.nix
+++ b/hosts/odyssey/home-assistant/dashboards.nix
@@ -0,0 +1,63 @@
 {
  ...
 }:
 {
  /**
    *******************
    - Service Dashboard for stats (energy usage, bandwidth etc.)
    - Dashboard fragment per room
    - Tablet in each room can display just its associated fragment
    - Per user dynamic dashboard that shows the dashboard fragment for the room
      you are in using Bluetooth presence detection
    Rooms: [Auto, Bedroom, Kitchen, Living Room, Office]
    Shared: Date/time, Guest Override action, Weather, Air quality
    Bedroom:
    - Temperature
    - Minimal Lights action
    - Individual light cards
    - Sheets last changed
    - Plant last watered
    Kitchen:
    - Temperature
    - Individual light cards
    - Water filter age
    Living Room:
    - Temperature
    - Turn TV on action
      * dynamic card to start Movie Mode
    - Individual light cards
    - Plant last watered
    Office:
    - Temperature
    - Individual light cards
    - Bandwidth usage
    - Computer stats
    Primary IEEE address: 00:12:4B:00:29:E8:B1:9E
    Random inspiration words:
    - "Temp Disable Office Motion"
    - "Main Lights {Bright,Dim,Warm}"
    - "Robot Vacuum"
    - "Living Room TV"
    - "Morning wakeup"
    - "Going to sleep early"
    - "Take out bins"
    - "Video Conference"
    - "Gaming"
    - Monitor power usage to tell when something has started/stopped
    - Vibration sensor for kitchen drawer
    - Todo list for dinner schedule
    - Air quality sensor in kitchen
    - Notification to close vents when outdoor air quality is bad
    - "TV Lights Lock" - don't auto dim-lights on play/pause
    *********************
  */
 }
--- a/hosts/odyssey/home-assistant/default.nix
+++ b/hosts/odyssey/home-assistant/default.nix
@@ -244,6 +244,7 @@
      "wake_on_lan"
      "water_heater"
      "weather"
      "webostv"
      "websocket_api"
      "wled"
      "workday"
--- a/hosts/odyssey/home-assistant/floorplan/default.nix
+++ b/hosts/odyssey/home-assistant/floorplan/default.nix
--- a/hosts/odyssey/home-assistant/floorplan/style.css
+++ b/hosts/odyssey/home-assistant/floorplan/style.css
--- a/hosts/odyssey/home-assistant/mqtt.nix
+++ b/hosts/odyssey/home-assistant/mqtt.nix
--- a/hosts/odyssey/ssh_host_ed25519_key.pub
+++ b/hosts/odyssey/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJre8/cjdoUnbTu0x4ClTITcq4lq+FjpEyJBbLbOlox7
--- a/hosts/pi/README.md
+++ b/hosts/pi/README.md
@@ -27,3 +27,4 @@ SD card | `/dev/mmcblk0` (ext4, NixOS Root)
 - HDMI to ONKYO HT-R990
 - S/PDIF to ONKYO HT-R990
 - Ethernet to ONKYO HT-R990
 - Ethernet to LG TV
--- a/hosts/pi/default.nix
+++ b/hosts/pi/default.nix
@@ -8,13 +8,14 @@
  imports = [
    inputs.nixos-hardware.nixosModules.raspberry-pi-4
    ./hardware-configuration.nix
    ./home-assistant
    ./snapcast.nix
    ../server.nix
  ];
  nixpkgs.hostPlatform = "aarch64-linux";
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  hardware = {
    raspberry-pi."4" = {
      apply-overlays-dtmerge.enable = true;
@@ -129,14 +130,25 @@
    };
  };
-  # Connection to ONKYO HT-R990
+  networking.interfaces = {
-  networking.interfaces.end0 = {
+    # Connection to ONKYO HT-R990
-    ipv4.addresses = [
+    end0 = {
-      {
+      ipv4.addresses = [
-        address = "172.16.0.1";
+        {
-        prefixLength = 30;
+          address = "172.16.0.1";
-      }
+          prefixLength = 30;
-    ];
+        }
      ];
    };
    # Connection to LG TV
    enp1s0u2 = {
      ipv4.addresses = [
        {
          address = "172.16.1.1";
          prefixLength = 30;
        }
      ];
    };
  };
  environment.systemPackages = with pkgs; [
--- a/hosts/pi/snapcast.nix
+++ b/hosts/pi/snapcast.nix
@@ -18,7 +18,7 @@
  };
  services.snapserver = {
-    enable = true;
+    enable = false;
    streams = {
      default = {
        type = "file";
--- a/hosts/pi/ssh_host_ed25519_key.pub
+++ b/hosts/pi/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYv5V6Lr1Er1dljwmunurIz1Q3Ce5FsFSxtUOW6aO9J
--- a/hosts/skycam/default.nix
+++ b/hosts/skycam/default.nix
@@ -11,6 +11,8 @@
  nixpkgs.hostPlatform = "aarch64-linux";
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  networking = {
    hostId = "731d1660";
    firewall = {
--- a/hosts/skycam/ssh_host_ed25519_key.pub
+++ b/hosts/skycam/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv5+HwcRetBxtQZXpGbYv22S4prJu9bYCzKTSoMCl8D
--- a/hosts/vps1/README.md
+++ b/hosts/vps1/README.md
@@ -6,8 +6,8 @@ VPS hosted in OVH.
 ## Specs
- CPU - ??
+- CPU - 4 vCores
- Memory - ??
+- Memory - 4 GB
 ### Disks
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -12,6 +12,7 @@
    ./matrix.nix
    ./nginx.nix
    ./photoprism.nix
    ./vaultwarden.nix
    ../server.nix
  ];
@@ -19,6 +20,8 @@
    hostPlatform = "x86_64-linux";
  };
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
  networking = {
    hostId = "08bf6db3";
    firewall = {
--- a/hosts/vps1/headscale.nix
+++ b/hosts/vps1/headscale.nix
@@ -36,7 +36,7 @@ in
          {
            name = "home.mesh.vimium.net";
            type = "A";
-            value = "100.64.0.7";
+            value = "100.64.0.5";
          }
        ];
        magic_dns = true;
@@ -60,7 +60,7 @@ in
      forceSSL = true;
      enableACME = true;
      locations."/" = {
-        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
        proxyWebsockets = true;
      };
    };
--- a/hosts/vps1/kanidm.nix
+++ b/hosts/vps1/kanidm.nix
@@ -6,14 +6,27 @@
 let
  baseDomain = "vimium.com";
  domain = "auth.${baseDomain}";
  mkRandomSecret = {
    generator.script = "alnum";
    mode = "440";
    group = "kanidm";
  };
 in
 {
  age.secrets.kanidm-admin-password = mkRandomSecret;
  age.secrets.kanidm-idm-admin-password = mkRandomSecret;
  age.secrets.kanidm-oauth2-gitea = mkRandomSecret;
  age.secrets.kanidm-oauth2-open-webui = mkRandomSecret;
  age.secrets.kanidm-oauth2-vaultwarden = mkRandomSecret;
  services.kanidm =
    let
      uri = "https://${domain}";
    in
    {
-      package = pkgs.unstable.kanidm;
+      package = pkgs.unstable.kanidmWithSecretProvisioning_1_7;
      enableClient = true;
      enableServer = true;
      clientSettings = {
@@ -28,8 +41,92 @@ in
        tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
        version = "2";
      };
      provision = {
        enable = true;
        adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
        idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
        persons.jordan = {
          displayName = "Jordan Holt";
          legalName = "Jordan Holt";
          mailAddresses = [
            "jordan@vimium.com"
          ];
          groups = [
            "gitea_admins"
            "gitea_users"
            "jellyfin_admins"
            "jellyfin_users"
            "open-webui_admins"
            "open-webui_users"
            "vaultwarden_users"
          ];
        };
        groups."gitea_admins" = { };
        groups."gitea_users" = { };
        systems.oauth2.gitea = {
          displayName = "Gitea";
          originUrl = "https://git.vimium.com/user/oauth2/Vimium/callback";
          originLanding = "https://git.vimium.com/";
          basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
          scopeMaps."gitea_users" = [
            "openid"
            "email"
            "profile"
          ];
          allowInsecureClientDisablePkce = true;
          preferShortUsername = true;
          claimMaps.groups = {
            joinType = "array";
            valuesByGroup."gitea_admins" = [ "admin" ];
          };
        };
        groups."jellyfin_admins" = { };
        groups."jellyfin_users" = { };
        groups."open-webui_admins" = { };
        groups."open-webui_users" = { };
        systems.oauth2.open-webui = {
          displayName = "Open WebUI";
          originUrl = "https://chat.ai.vimium.com/oauth/oidc/callback";
          originLanding = "https://chat.ai.vimium.com/";
          basicSecretFile = config.age.secrets.kanidm-oauth2-open-webui.path;
          scopeMaps."open-webui_users" = [
            "openid"
            "email"
            "profile"
          ];
          allowInsecureClientDisablePkce = true;
          claimMaps.groups = {
            joinType = "array";
            valuesByGroup."open-webui_admins" = [ "admin" ];
          };
        };
        groups."vaultwarden_users" = { };
        systems.oauth2.vaultwarden = {
          displayName = "Vaultwarden";
          originUrl = "https://vaultwarden.vimium.com/identity/connect/oidc-signin";
          originLanding = "https://vaultwarden.vimium.com/";
          basicSecretFile = config.age.secrets.kanidm-oauth2-vaultwarden.path;
          scopeMaps."vaultwarden_users" = [
            "openid"
            "email"
            "profile"
          ];
        };
      };
    };
  # LDAP server binds to tailscale network interface
  systemd.services.kanidm = {
    requires = [ "tailscaled.service" ];
    after = [ "tailscaled.service" ];
    serviceConfig.RestartSec = "60";
  };
  services.nginx.virtualHosts = {
    "${domain}" = {
      useACMEHost = "${domain}";
--- a/hosts/vps1/matrix.nix
+++ b/hosts/vps1/matrix.nix
@@ -1,4 +1,5 @@
 {
  inputs,
  config,
  lib,
  pkgs,
@@ -26,33 +27,69 @@ let
  };
  matrixServerConfig."m.server" = "${matrixSubdomain}:443";
  commonBridgeSettings = bridge: {
-    appservice = {
+    database = lib.mkIf usePostgresql {
-      database = lib.mkIf usePostgresql {
+      type = "postgres";
-        type = "postgres";
+      uri = "postgresql:///${bridge}?host=/run/postgresql";
        uri = "postgresql:///${bridge}?host=/run/postgresql";
      };
    };
    bridge = {
      encryption = {
        allow = true;
        default = true;
        require = true;
      };
      permissions = {
        "${serverName}" = "user";
        "@jordan:${serverName}" = "admin";
      };
-      provisioning = {
+    };
-        shared_secret = "disable";
+    encryption = {
-      };
+      allow = true;
      default = true;
      require = true;
    };
    provisioning = {
      shared_secret = "disable";
    };
    homeserver = {
      address = "https://${matrixSubdomain}";
      domain = serverName;
    };
    double_puppet.secrets = {
      "${serverName}" = "as_token:$MAUTRIX_DOUBLEPUPPET_TOKEN";
    };
  };
  proxyConfig = ''
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_set_header        X-Forwarded-Host $host;
    proxy_set_header        X-Forwarded-Server $host;
  '';
 in
 {
  # Backport new options from https://github.com/NixOS/nixpkgs/pull/446155
  disabledModules = [
    "services/matrix/mautrix-whatsapp.nix"
  ];
  imports = [
    (inputs.nixpkgs-unstable + /nixos/modules/services/matrix/mautrix-whatsapp.nix)
  ];
  age.secrets = {
    mautrix-doublepuppet-registration = {
      rekeyFile = ./secrets/mautrix-doublepuppet-registration.age;
      mode = "0440";
      group = "matrix-synapse";
    };
    mautrix-signal-env = {
      rekeyFile = ./secrets/mautrix-signal-env.age;
      mode = "0440";
      group = "mautrix-signal";
    };
    mautrix-whatsapp-env = {
      rekeyFile = ./secrets/mautrix-whatsapp-env.age;
      mode = "0440";
      group = "mautrix-whatsapp";
    };
  };
  networking.firewall.allowedTCPPorts = [
    8448 # Matrix federation
  ];
@@ -99,19 +136,16 @@ in
      ];
      locations = {
        "/" = {
-          proxyPass = "http://localhost:8008";
+          proxyPass = "http://127.0.0.1:8008";
-          extraConfig = ''
+          extraConfig = proxyConfig;
            proxy_set_header X-Forwarded-For $remote_addr;
          '';
        };
        "/_matrix" = {
-          proxyPass = "http://localhost:8008";
+          proxyPass = "http://127.0.0.1:8008";
-          extraConfig = ''
+          extraConfig = proxyConfig + ''
            proxy_set_header X-Forwarded-For $remote_addr;
            client_max_body_size 50M;
          '';
        };
-        "/_synapse/client".proxyPass = "http://localhost:8008";
+        "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
      };
    };
    "${serverName}" =
@@ -162,6 +196,9 @@ in
    enable = true;
    enableRegistrationScript = true;
    settings = {
      app_service_config_files = [
        config.age.secrets.mautrix-doublepuppet-registration.path
      ];
      database.name = (if usePostgresql then "psycopg2" else "sqlite3");
      enable_metrics = false;
      enable_registration = false;
@@ -198,23 +235,33 @@ in
  services.mautrix-signal = lib.mkIf bridges.signal {
    enable = true;
-    settings = commonBridgeSettings "mautrix-signal";
+    environmentFile = config.age.secrets.mautrix-signal-env.path;
    settings = lib.recursiveUpdate {
      encryption = {
        pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
      };
    } (commonBridgeSettings "mautrix-signal");
  };
  services.mautrix-whatsapp = lib.mkIf bridges.whatsapp {
    enable = true;
-    settings = {
+    environmentFile = config.age.secrets.mautrix-whatsapp-env.path;
-      bridge = {
+    settings = lib.recursiveUpdate {
      backfill = {
        enabled = true;
        max_initial_messags = 50;
      };
      encryption = {
        pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
      };
      network = {
        mute_status_broadcast = true;
        history_sync = {
          backfill = true;
          max_initial_conversations = -1;
          message_count = 50;
          request_full_sync = true;
        };
        mute_bridging = true;
      };
-    }
+    } (commonBridgeSettings "mautrix-whatsapp");
    // commonBridgeSettings "mautrix-whatsapp";
  };
  environment.persistence."/persist".directories = [
--- a/hosts/vps1/nginx.nix
+++ b/hosts/vps1/nginx.nix
@@ -82,14 +82,33 @@ in
        maxSize = "100m";
      };
    };
    proxyResolveWhileRunning = true;
    resolver.addresses = [ "100.100.100.100" ];
    upstreams = {
      jellyfin.servers = {
        "library.mesh.vimium.net:8096" = {
          fail_timeout = "30s";
        };
      };
      open-webui.servers = {
        "library.mesh.vimium.net:8081" = {
          fail_timeout = "30s";
        };
      };
      skycam.servers = {
        "skycam.mesh.vimium.net:1984" = {
          fail_timeout = "30s";
        };
      };
    };
    virtualHosts = {
-      ## Static sites
+      ## Proxied sites
      "chat.ai.vimium.com" = {
        forceSSL = true;
        enableACME = true;
        extraConfig = nginxErrorPages + nginxEdgeHeaders;
        locations."/" = {
-          proxyPass = "http://localhost:8001";
+          proxyPass = "http://open-webui";
          extraConfig = ''
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
@@ -114,7 +133,7 @@ in
        enableACME = true;
        extraConfig = nginxErrorPages + nginxEdgeHeaders;
        locations."/" = {
-          proxyPass = "http://localhost:8000";
+          proxyPass = "http://jellyfin";
          extraConfig = ''
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
@@ -129,7 +148,12 @@ in
            proxy_set_header Connection "upgrade";
          '';
        };
        locations."/metrics" = {
          return = "404";
        };
      };
      ## Static sites
      "jdholt.com" = {
        forceSSL = true;
        enableACME = true;
@@ -140,11 +164,8 @@ in
        };
        locations."/skycam/snapshot.jpg" = {
          extraConfig = ''
-            set $backend "skycam.mesh.vimium.net:1984";
+            set $args "";
-
+            proxy_pass http://skycam/api/frame.jpeg?src=rpicam;
            resolver 100.100.100.100;
            proxy_pass http://$backend/api/frame.jpeg?src=rpicam;
            proxy_cache skycam_cache;
            proxy_cache_valid any 10s;
            proxy_ignore_headers Cache-Control Expires Set-Cookie;
@@ -164,15 +185,6 @@ in
          root = "/var/www/pki.vimium.com";
        };
      };
      "suhailhussain.com" = {
        forceSSL = true;
        enableACME = true;
        serverAliases = [ "www.suhailhussain.com" ];
        extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
        locations."/" = {
          root = "/var/www/suhailhussain.com";
        };
      };
      "vimium.com" = {
        default = true;
        forceSSL = true;
@@ -190,6 +202,7 @@ in
        };
      };
    }
    ## Redirects
    // (mkRedirect "h0lt.com" "jdholt.com")
    // (mkRedirect "jordanholt.xyz" "jdholt.com")
--- a/hosts/vps1/secrets/mautrix-doublepuppet-registration.age
+++ b/hosts/vps1/secrets/mautrix-doublepuppet-registration.age
--- a/hosts/vps1/secrets/mautrix-signal-env.age
+++ b/hosts/vps1/secrets/mautrix-signal-env.age
@@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> piv-p256 a1N2XA AuFF7Zqic+KNiU82xDS8ItdNSnr1045DpKOyYHZgq3kE
 qNK+p6I6kR2A41d/gVyCp2b3xu7g0/rCXIL22Gal3IA
 -> R.kR/-r-grease 5Q54Z B.x PMjy\
 3ajY8AoJzUB9fiDnHoFVSIPEfvgAk2VtJeHNOno9cxeK6uZ+Ve22pUWBN2cp+2Qz
 J7J9U1zQWVSOum3dDmscAVBzf4Hw2hUBZcAnZA
 --- hZ4N9mXSCS3zT9R/Axb9dWVx5Lr+mLxxXuR45oehok4
 <EFBFBD><EFBFBD>z󩃢<EFBFBD>J%<25><>w<><77><EFBFBD>͜<EFBFBD><CD9C><EFBFBD>c<15>' <20><><EFBFBD>K39<33><39>˯<EFBFBD>q<1A>G<>bX6<58>6<EFBFBD>̚<EFBFBD><CC9A>p<03>4<EFBFBD>mG<6D><14><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
 ꇿ<EFBFBD>`<60>8
--- a/hosts/vps1/secrets/mautrix-whatsapp-env.age
+++ b/hosts/vps1/secrets/mautrix-whatsapp-env.age
--- a/hosts/vps1/secrets/vaultwarden-env.age
+++ b/hosts/vps1/secrets/vaultwarden-env.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> piv-p256 a1N2XA A+JTQrgN4xxrQpLhyMtfq82/26DwsudKmxyE8gx9PlJU
 oZjXRvr2mza+28asKcXzSDU0em5edPpazk5dOLXrvZ8
 -> )z\cT7C|-grease v>P/r|O s\(zEXaF Q ,!Y2g+NM
 ZAEVPuF8OEWWNKFP+7IUrpaDydZDAFCRnj1vOdGiBf6BzgbicAAmIF4XgBQqpE5M
 JoCzgjdKB1kLOQB2PWRfJ02L93/zFQXm
 --- vcFS71G0ZZ1bU8dKgMmLMv5sUIi/TYjOu41EuDpJyXw
 :<3A><><15><><EFBFBD><7F>!<21>-<<11><1E>:<3A><><EFBFBD><EFBFBD>rg?<3F>N-i<><69><EFBFBD>?<3F>d<EFBFBD>Z2h<32>3<EFBFBD><0C>]
--- a/hosts/vps1/ssh_host_ed25519_key.pub
+++ b/hosts/vps1/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc
--- a/hosts/vps1/vaultwarden.nix
+++ b/hosts/vps1/vaultwarden.nix
@@ -0,0 +1,78 @@
 {
  config,
  lib,
  ...
 }:
 let
  inherit (lib)
    mkForce
    ;
  baseDomain = "vimium.com";
  domain = "vaultwarden.${baseDomain}";
 in
 {
  age.secrets.vaultwarden-env = {
    rekeyFile = ./secrets/vaultwarden-env.age;
    mode = "0440";
    group = "vaultwarden";
  };
  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";
    backupDir = "/var/cache/vaultwarden-backup";
    config = {
      dataFolder = mkForce "/var/lib/vaultwarden";
      useSysLog = true;
      webVaultEnabled = true;
      rocketPort = 8222;
      ssoEnabled = true;
      ssoOnly = true;
      ssoAuthority = "https://auth.vimium.com/oauth2/openid/vaultwarden";
      ssoClientId = "vaultwarden";
      signupsAllowed = false;
      passwordIterations = 1000000;
      invitationsAllowed = true;
      invitationOrgName = "Vimium";
      domain = "https://${domain}";
    };
    environmentFile = config.age.secrets.vaultwarden-env.path;
  };
  services.nginx.virtualHosts = {
    "${domain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
        proxyWebsockets = true;
      };
    };
  };
  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = mkForce "/var/lib/vaultwarden";
  systemd.services.vaultwarden.serviceConfig = {
    StateDirectory = mkForce "vaultwarden";
    RestartSec = "60";
  };
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/vaultwarden";
      user = "vaultwarden";
      group = "vaultwarden";
      mode = "0700";
    }
  ];
  environment.persistence."/state".directories = [
    {
      directory = config.services.vaultwarden.backupDir;
      user = "vaultwarden";
      group = "vaultwarden";
      mode = "0700";
    }
  ];
 }
--- a/hosts/vps2/default.nix
+++ b/hosts/vps2/default.nix
@@ -1,31 +0,0 @@
 {
  inputs,
  ...
 }:
 {
  imports = [
    inputs.disko.nixosModules.disko
    ./hardware-configuration.nix
    ./disko-config.nix
    ../server.nix
  ];
  nixpkgs = {
    hostPlatform = "x86_64-linux";
  };
  networking = {
    hostId = "60de4af8";
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # SSH
      ];
    };
  };
  modules.services.tailscale.isExitNode = true;
  system.stateVersion = "25.05";
 }
--- a/hosts/vps2/disko-config.nix
+++ b/hosts/vps2/disko-config.nix
@@ -1,55 +0,0 @@
 { lib, ... }:
 {
  disko.devices = {
    disk.disk1 = {
      device = lib.mkDefault "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "2M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "300M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "lvm_pv";
              vg = "pool";
            };
          };
        };
      };
    };
    lvm_vg = {
      pool = {
        type = "lvm_vg";
        lvs = {
          root = {
            size = "100%FREE";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
              mountOptions = [
                "defaults"
              ];
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/vps2/hardware-configuration.nix
+++ b/hosts/vps2/hardware-configuration.nix
@@ -1,29 +0,0 @@
 {
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot = {
    initrd = {
      availableKernelModules = [
        "ata_piix"
        "uhci_hcd"
        "xen_blkfront"
        "vmw_pvscsi"
      ];
      kernelModules = [ "nvme" ];
    };
    loader.grub = {
      efiSupport = true;
      efiInstallAsRemovable = true;
    };
    tmp.cleanOnBoot = true;
  };
  zramSwap.enable = true;
 }
--- a/nix/agenix-rekey.nix
+++ b/nix/agenix-rekey.nix
@@ -0,0 +1,29 @@
 {
  inputs,
  ...
 }:
 {
  imports = [
    inputs.agenix-rekey.flakeModule
  ];
  perSystem =
    { config, ... }:
    {
      agenix-rekey.nixosConfigurations = inputs.self.nixosConfigurations;
      devshells.default = {
        commands = [
          {
            inherit (config.agenix-rekey) package;
            help = "Edit, generate, and rekey secrets";
          }
        ];
        env = [
          {
            name = "AGENIX_REKEY_ADD_TO_GIT";
            value = "true";
          }
        ];
      };
    };
 }
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@@ -54,7 +54,6 @@
          "pi"
          "skycam"
          "vps1"
          "vps2"
        ] mkDeployNode;
      };
    };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -31,6 +31,8 @@ lib.mapAttrs (
    else
      # Namespaced package sets in regular attrsets.
      prev.${name} // value
  else if name == "vaultwarden" then
    final.callPackage value { rustPlatform = final.unstable.rustPlatform; }
  else
    final.callPackage value { }
 ) pkgs
--- a/pkgs/vaultwarden/package.nix
+++ b/pkgs/vaultwarden/package.nix
@@ -0,0 +1,65 @@
 {
  lib,
  stdenv,
  callPackage,
  rustPlatform,
  fetchFromGitHub,
  nixosTests,
  pkg-config,
  openssl,
  libiconv,
  dbBackend ? "sqlite",
  libmysqlclient,
  libpq,
 }:
 let
  webvault = callPackage ./webvault.nix { };
 in
 rustPlatform.buildRustPackage rec {
  pname = "vaultwarden";
  version = "git-" + builtins.substring 0 7 src.rev;
  src = fetchFromGitHub {
    owner = "dani-garcia";
    repo = "vaultwarden";
    rev = "a2ad1dc7c3d28834749d4b14206838d795236c27";
    sha256 = "sha256-6Qmp/Uv8hdKuL9e3tPMKgNq1ZdvRQbzM65ifmS2Z3UY=";
  };
  cargoHash = "sha256-F7we9rurJ7srz54lsuSrdoIZpkGE+4ncW3+wjEwaD7M=";
  # used for "Server Installed" version in admin panel
  env.VW_VERSION = version;
  nativeBuildInputs = [ pkg-config ];
  buildInputs = [
    openssl
  ]
  ++ lib.optionals stdenv.hostPlatform.isDarwin [
    libiconv
  ]
  ++ lib.optional (dbBackend == "mysql") libmysqlclient
  ++ lib.optional (dbBackend == "postgresql") libpq;
  buildFeatures = dbBackend;
  passthru = {
    inherit webvault;
    tests = nixosTests.vaultwarden;
    updateScript = callPackage ./update.nix { };
  };
  meta = with lib; {
    description = "Unofficial Bitwarden compatible server written in Rust";
    homepage = "https://github.com/dani-garcia/vaultwarden";
    changelog = "https://github.com/dani-garcia/vaultwarden/releases/tag/${version}";
    license = licenses.agpl3Only;
    maintainers = with maintainers; [
      dotlambda
      SuperSandro2000
    ];
    mainProgram = "vaultwarden";
  };
 }
--- a/pkgs/vaultwarden/webvault.nix
+++ b/pkgs/vaultwarden/webvault.nix
@@ -0,0 +1,83 @@
 {
  lib,
  buildNpmPackage,
  fetchFromGitHub,
  nixosTests,
  python3,
  vaultwarden,
 }:
 let
  version = "2025.8.0";
  bw_web_builds = fetchFromGitHub {
    owner = "dani-garcia";
    repo = "bw_web_builds";
    rev = "v${version}";
    hash = "sha256-93acGKO3Fq81M1wKPvIynvkTFXPQXypcMb+c4aEtxJc=";
  };
 in
 buildNpmPackage rec {
  pname = "vaultwarden-webvault";
  inherit version;
  src = fetchFromGitHub {
    owner = "vaultwarden";
    repo = "vw_web_builds";
    rev = bw_web_builds.rev;
    hash = "sha256-u51EP4I+bUcTeMqfzx1gbZMxpjalt3bpK3QGp5QEpYU=";
  };
  npmDepsHash = "sha256-wi7ZDgGKXrtueLob5OVNKCpnzC00UW9zo8KwuoyL1Bo=";
  postPatch = ''
    ln -s ${bw_web_builds}/{patches,resources} ..
  '';
  nativeBuildInputs = [
    python3
  ];
  makeCacheWritable = true;
  env = {
    ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
    npm_config_build_from_source = "true";
  };
  npmRebuildFlags = [
    # FIXME one of the esbuild versions fails to download @esbuild/linux-x64
    "--ignore-scripts"
  ];
  npmBuildScript = "dist:oss:selfhost";
  npmBuildFlags = [
    "--workspace"
    "apps/web"
  ];
  npmFlags = [ "--legacy-peer-deps" ];
  installPhase = ''
    runHook preInstall
    mkdir -p $out/share/vaultwarden
    mv apps/web/build $out/share/vaultwarden/vault
    runHook postInstall
  '';
  passthru = {
    inherit bw_web_builds;
    tests = nixosTests.vaultwarden;
  };
  meta = with lib; {
    description = "Integrates the web vault into vaultwarden";
    homepage = "https://github.com/dani-garcia/bw_web_builds";
    changelog = "https://github.com/dani-garcia/bw_web_builds/releases/tag/v${version}";
    platforms = platforms.all;
    license = licenses.gpl3Plus;
    inherit (vaultwarden.meta) maintainers;
  };
 }
--- a/secrets/generated/vps1/kanidm-admin-password.age
+++ b/secrets/generated/vps1/kanidm-admin-password.age
@@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> piv-p256 a1N2XA A54fi3eKkgTq6VOnMm2ze+aHVpJ0NNsqT+w7nvYoznbM
 t/dRpZzqO/mX7iHLxbvzVxdmTECkRFPA5jmYfZwbMR0
 -> O_h4MVE-grease {- v~ 05B3
 Clwo0RqQmOGC24XDUIA+4MfDLlWnc3SjR8Kk0Wokqf6R5QFobU4
 --- loq7Xutgff/pptwqLMmjVA1uZwtDE1z6wsORzSgY80w
 "<22>2<EFBFBD>Q<EFBFBD>`D<> $<24>N<EFBFBD><4E><<3C><><EFBFBD>.<2E><05>=5<><35>8<EFBFBD>%g<><67>E<EFBFBD><45>l[T<>I<>y
--- a/secrets/generated/vps1/kanidm-idm-admin-password.age
+++ b/secrets/generated/vps1/kanidm-idm-admin-password.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> piv-p256 a1N2XA Aul2Rho3PfWaREBYYJr5FpyV5+eQ18GY5DT1dB9QcAH8
 wDHmswR1WRsqCrqRv6imy2oeo+FP3Z1kDpWvr/IzcUY
 -> 4-grease x K>#G$!
 WbQ2yy2Pkkn0BYBR+y0tPLCFTN6cKEYGEp4B+nagPf42XONM3Q4ewp5UJF25rAiJ
 LsUecsY7dvX1n9HAz6uBwMm6Xt4
 --- iPJfeOsee5HmeCB5NRHSPIywjhUrjdhsoEx9aTxbrZs
 ^ɽ$jFP	<09><>@<40><><EFBFBD>銿[|<7C><04><>N<>p2<11><><EFBFBD><EFBFBD>|[<5B><>I>><3E>%f<><66><EFBFBD><EFBFBD>֧<EFBFBD>l<EFBFBD>W<EFBFBD>!Av`<60><>2<EFBFBD><32><EFBFBD>8<>jVff<>J<1F><>
--- a/secrets/generated/vps1/kanidm-oauth2-gitea.age
+++ b/secrets/generated/vps1/kanidm-oauth2-gitea.age
@@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> piv-p256 a1N2XA A5Gj5hu1YQbUrm3IK35oDUHhnohr594lykadF+Smf+LB
 grnVZatvY80rTTQR8bZphg/25aa1cKJYUGh+jYGqi7A
 -> 0-grease 6#aWp kp fD7ks3KL -)qyQ
 FH1L4t8VAxZIOeP6bPJV3qdaBXPXGkuroABtMs7D88WzHduNjBoETZH47zekRDVM
 BAGAdcqSHuGyCp7EA4lgttN/vfA+8fAbcit/p98TTiGQbXZ4YYg
 --- KB5apFUmA/vu8OLpReNzr2zeDyig5NZ8iBXdy5XDbXM
 <EFBFBD><EFBFBD><EFBFBD>ԝrŧ)N<>S<EFBFBD><53>8<EFBFBD>X<12>s<><73><EFBFBD><EFBFBD>G<EFBFBD>x<EFBFBD>q<EFBFBD>%<25><><EFBFBD><1B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Co<43>
 <EFBFBD>S6<EFBFBD><EFBFBD>ܐ<EFBFBD>L\U<><55><EFBFBD>z<<3C>H<EFBFBD>\<5C>a<EFBFBD>;Q%<25><17>
--- a/secrets/generated/vps1/kanidm-oauth2-open-webui.age
+++ b/secrets/generated/vps1/kanidm-oauth2-open-webui.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> piv-p256 a1N2XA Ah6buspw/yLQJuiyWr0t3Phy+U3HhRY2t0SofqISzHmJ
 pVYmmBoqXD9l55DUIad9D/0h/vhXmeMauK+xaBpX0cM
 -> M)*gn$-grease _b3%6l sH|2-zq P%h
 CWIfvXf9R5QvRXzv8wv+vB8nXLk0eTxy/htCUSm2ujjw
 --- 1t/2tU8qFo9C2yH3ZtsZIp8ZMNEjrecLh2HkDVnKTx4
 <EFBFBD>\eP<65><50>,<2C><><EFBFBD>t<EFBFBD><74>V<EFBFBD>x<EFBFBD><78><EFBFBD><EFBFBD><EFBFBD><EFBFBD>A<>Ke<4B>}<7D><><EFBFBD>\]<5D>
 <EFBFBD><EFBFBD><EFBFBD>`<<3C><>b;yG<><47><EFBFBD><EFBFBD>
--- a/secrets/generated/vps1/kanidm-oauth2-vaultwarden.age
+++ b/secrets/generated/vps1/kanidm-oauth2-vaultwarden.age
--- a/secrets/rekeyed/atlas/9f3916fc5285b691931e572afdc8ac22-open-webui-api-key.age
+++ b/secrets/rekeyed/atlas/9f3916fc5285b691931e572afdc8ac22-open-webui-api-key.age
@@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 mV4Rog gj6NT+DEVJbKeGArVcbzNphmMXoXFmVPHlo+zWuI1Ek
 Wt0saIoq6RnQR1jVLHI84JMDP0rCvc1kfjSQoSHly/4
 -> t-grease <a`) :34)]ad /J) =]!RB~HB
 m7JCE0PP2H9DkOdbj/dhZATaXfIoPmocKnGkYUXnjyo99nVMMy2FSmNdZyE0KGCR
 eVkIGwJbH3HNimXst62gIxvSrFQ4a4IcO1Cv8UaMK9UjGfy731BRpg
 --- bEP7E9Ajvw0pIWFF7+QakdFigo0B+0aa0ha9/Y/OADA
 Zrի<><D5AB>0/^<5E>2<18>B
 o<EFBFBD><EFBFBD><EFBFBD>@3<01><10>~qS<71><04><><EFBFBD><0E>H	fa	<09><>S<1E>0<EFBFBD><30><EFBFBD><EFBFBD>rv<><08><>B+<2B>
--- a/secrets/rekeyed/helios/e09d8370465eb4038d032d0d84b700b1-open-webui-api-key.age
+++ b/secrets/rekeyed/helios/e09d8370465eb4038d032d0d84b700b1-open-webui-api-key.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 3xQa4Q 3I7Mpt3/StzFpy8/egW+PleMsKV/YFsw1lpzt0057ns
 Plc2u/sza/Fga8lnCMj4rH8midPdaFP+FZ1J8+pwRP8
 -> .-grease !Yk9l62 H3@'J 9Klw
 2fJgCUF22ciTm8EfYemHjA1uN1jkVGLGfcTllU8m08Ya2fUPig7ZK4fNLV3ttMc4
 uLthrVZFo1HKF2wQSMeDq+ITZItvxHg2NFxqkWRCJv4
 --- r3Fao3CQxFocTu4+9/Nh0zcCvTYQWpmRQD112YiAIwU
 [<5B>XG<58><1F>ތ<EFBFBD><DE8C><EFBFBD><08>aFa<><61>K|<7C>' <0E><>dO<64>X<EFBFBD><1C><><EFBFBD><EFBFBD><EFBFBD>G<15>LH<4C><48><EFBFBD><18><>4<EFBFBD><34>
--- a/secrets/rekeyed/hypnos/c12ed3579ec35228529211b0f518d0fe-open-webui-api-key.age
+++ b/secrets/rekeyed/hypnos/c12ed3579ec35228529211b0f518d0fe-open-webui-api-key.age
@@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 5PDipg Eic12F37CNvDBqlFV17aMYXTS/eFKEd8SYfOvKV2CGY
 Co7whyv5vxJnlELVyIZJiNmj+hATpw1/QpK2t8CtcvE
 -> >e`c+0-grease D[m[ *0=DB?=
 uPUY90BUNR6Hm0F2Q0F+dXWkUOe4cLjrAvkcxaR79km0qMgJ/C7ribHeWpK3siOe
 2zz5YA
 --- XoQX1p09n36Cqyc0sEShbtcn4wbX68ULdGNrDzX5w04
 <1B><><EFBFBD>A<EFBFBD>X<EFBFBD><58><EFBFBD><EFBFBD>f<02><>(<28>=<3D><><EFBFBD>e<EFBFBD>u<EFBFBD><EFBFBD>z@<40>V.<2E>~<1D>_I<5F>#吤#2Q;9D<39>$e<>l<EFBFBD>H<EFBFBD><48>;
 <EFBFBD>`5<><35>	
--- a/secrets/rekeyed/library/0a21efefa75a30ace89a3b082e980952-open-webui-env.age
+++ b/secrets/rekeyed/library/0a21efefa75a30ace89a3b082e980952-open-webui-env.age
@@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 QjbOZQ uJRXV06taQiHq9Um5E2FNNYo5oZP4M1mmY3OBRK7NSk
 4rcF2AJ5hsnTM1yUD37yWYtU2E7zAzHBKNVagfRgVGQ
 -> z[Ud1L%*-grease ]j 7_ ?+5
 pVP4JA8o5o5kWHoxuttfOdd2GLhCiANBrdbNXWhe7fMZy74Gsj0IX7caHcL/rNkM
 p/DF/V4Y5QUvgQ5y7F95tc36uvNzmcsKaKauk3yIdzp6+9nuu+hQ6Qbvr0liWkuR
 0pQB
 --- LeXXxszTuVoj2OE6m3yPEQe6hsQAFZkhPVXpspa40vo
 .G<><47><EFBFBD>7m<17><>m=<3D>2v<32><76><EFBFBD>ɼ<EFBFBD>[<5B><><EFBFBD>.ο'ro<72><6F><EFBFBD>9k<>Ny<4E>T<EFBFBD>uB<75><42>lnkJ]<5D>=N^3	QJ<51>:7]<5D>Y<EFBFBD><59>G<EFBFBD><47>R<EFBFBD><06><><EFBFBD>t<><74><EFBFBD>cN<63>S<7F>v<EFBFBD><76>w<EFBFBD>w`fT<16><>jڸ<6A><DAB8><EFBFBD><EFBFBD>͂X<CD82><58><EFBFBD><EFBFBD>4<EFBFBD>`<60>o<EFBFBD><6F>(<28><>K<EFBFBD>^<5E><>I3<7F>gP<67><03><>7<7F>r`V<*<2A><>9<05>ya	<09>P<EFBFBD>J<EFBFBD><4A><0B>䩏<EFBFBD>ѳ<EFBFBD>i6<69>T<EFBFBD><54>><1D>n<EFBFBD>"Qz<51><7A>`<60><><EFBFBD>|<7C><>;冼<><E586BC><14><><EFBFBD><EFBFBD>)<29>>܁ <0B><><EFBFBD>E<EFBFBD>1<EFBFBD><1A><15>NKJ<>ej<65>I<EFBFBD>
--- a/secrets/rekeyed/odyssey/c8231a45d0bb912d87bc291481a583cd-open-webui-api-key.age
+++ b/secrets/rekeyed/odyssey/c8231a45d0bb912d87bc291481a583cd-open-webui-api-key.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 jqV4bA 9vHES4DslQIplaJN4M+TnWzQxPwO0WOWnusIQxrQqh8
 oLran53jiS0hjirGdMD/akpaNCNvKY5M0+i/6ky5HNM
 -> 2ZC`)9-grease W G
 ZW4ghYvlO1xs0GHJldTD1ZdM+wXYQ4dNdZsg81dTE7VxIona+puaHU9MBq/v2+Sg
 qmqbacPFykJqeBG/uhJHYHgjbuHT8c0gTvWH3RCIQEPq
 --- fS6Rtw7zUkvtwfx1/GIHT40nzsmh5Nfj7/SG9svMXAQ
 k<EFBFBD>E8<EFBFBD>ρ<>E<>rh<><68>@<40>Z<EFBFBD>U9<55><39>n<EFBFBD><6E>tei<13><>W6Y<19>bjCĕ<43>P<01>.r<12><>˭<EFBFBD><CBAD><EFBFBD><EFBFBD><EFBFBD>>
--- a/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age
+++ b/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age
@@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 lOyIlA LfDvF0kXFmP4yGPz9A5uov9DbRfMeLniWQhgnYE3ZA0
 9GkGo/twG1cfOHZgRGAmAcfQlrgQ86QvgehbkleKyz0
 -> GEv|{-grease c)B+5+, \v$ piek
 hwIw75OzOhfdScMKrNZ5i+WWh5zcfMryQXdbz81yUkEjWm9P4UVOYee+zz4/PU+t
 6nEKEqvPf6RwBOzAlzx72Yi0l+onxh1CHOWRlfU
 --- dkZlSoaBUqLnMu25ocR0VwgPr190ZOmcMdxQ3KApFS0
 <1D><><ٲ<06><>}M9Gdh<64><68><EFBFBD><EFBFBD>0[<5B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̮ȼa<7F>j<EFBFBD>g<1C><><EFBFBD>:J<><4A><14>$:^<5E><><EFBFBD>O<1A>e<EFBFBD><65>@<40><>o<EFBFBD><6F>1
 <1B>r]I><3E>t<EFBFBD>?<3F>X<06>Q<EFBFBD><15>ى<EFBFBD><D989>A<EFBFBD>r)ab	<09><13><><EFBFBD>$8e<38><65><EFBFBD><EFBFBD>f<EFBFBD>ōz<02>7<EFBFBD><10><>lf)<29>|jl<6A>%<0F><>
 v-<2D><>!<21><><EFBFBD>(<28><>.qR<71><52><EFBFBD>*y<><06><><EFBFBD>X<EFBFBD>ٵ
--- a/secrets/rekeyed/vps1/3c5deb9c71bac734f22226832529aa8c-kanidm-oauth2-gitea.age
+++ b/secrets/rekeyed/vps1/3c5deb9c71bac734f22226832529aa8c-kanidm-oauth2-gitea.age
--- a/secrets/rekeyed/vps1/4cbaed0c22d9da1e2cb1a12dea1953f4-mautrix-signal-env.age
+++ b/secrets/rekeyed/vps1/4cbaed0c22d9da1e2cb1a12dea1953f4-mautrix-signal-env.age
--- a/secrets/rekeyed/vps1/6a6726d70ccca930f798a32691ce17eb-mautrix-whatsapp-env.age
+++ b/secrets/rekeyed/vps1/6a6726d70ccca930f798a32691ce17eb-mautrix-whatsapp-env.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 lOyIlA ZQWnreUg4ob9RmEKNrdJKWGRCC1k0HWc8op8ycG5uXU
 U6SEQWo1DoLxclnhkXJy3D93nuijiD4kk9qjMk61Yis
 -> b(/|-grease
 CUalICYuF4P5Ipe5C6gdrw
 --- OmIGQ6VJYZcCIkTPapXNIMJswGczS/1bp8A+AeAj0yU
 <EFBFBD>M<13>l<EFBFBD>nY<6E>K-<2D><><EFBFBD>G<EFBFBD>^\<5C><><EFBFBD><EFBFBD>k(<14>Z<EFBFBD><5A><EFBFBD><EFBFBD><EFBFBD>Z<EFBFBD>$-=(<28><><EFBFBD><07><><EFBFBD><EFBFBD>H<EFBFBD><0E><>=4<><34>ً#<23>Y<01>7<EFBFBD><37><EFBFBD>tnݍg<DD8D>p>`<60><>E<EFBFBD>B$ <20><13>0<EFBFBD><30><EFBFBD><EFBFBD>8BWO<57><06>ُ)<29>(<28><>U<EFBFBD>"Ͻ<>54U<34>G<EFBFBD><47>oȥ?<18><>u<EFBFBD>A<EFBFBD><41>
 z`<60>d3Ij`<60>Ҁ<06>SK<53><01>}$<24><><EFBFBD><EFBFBD><03>8%<25><><EFBFBD><EFBFBD><EFBFBD>9<EFBFBD><39><EFBFBD><EFBFBD><06>?1tZ<74>Av´+<2B><>J<EFBFBD><4A>ϝZ<CF9D>u<EFBFBD>ls<6C>kJ+-<2D>h<EFBFBD><68><EFBFBD><EFBFBD>
--- a/secrets/rekeyed/vps1/80ea265ad53ef54ed48c4e1d842774b1-kanidm-admin-password.age
+++ b/secrets/rekeyed/vps1/80ea265ad53ef54ed48c4e1d842774b1-kanidm-admin-password.age
@@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 lOyIlA OQXbnkBzK8DL7wJkbHWo/XUlLQHjBEVu1xMzmhB78Xc
 vGcN1v+YxXidGs7Z3hvZypklIZVF1/J6DZpx8JId/hw
 -> mfI^2]-grease ,
 2C8Bs6nnhfatjdqc/Wc
 --- tuwRBOHiF0e6lgo4bK4Ui+bjjuTf5uZJgDJnpqf1seU
 <EFBFBD>J<EFBFBD>\g<>;<1B><><EFBFBD><EFBFBD>V<0B><>qFNq[7<><37>l<EFBFBD><6C><EFBFBD><EFBFBD>f<EFBFBD><66><EFBFBD>w	<09>㝯<EFBFBD><E39DAF>i|RDL<44>R#<23><>%u-A1<41><31><><10>=<3D>A<EFBFBD><41><EFBFBD><EFBFBD>W<>c
--- a/secrets/rekeyed/vps1/87759af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age
+++ b/secrets/rekeyed/vps1/87759af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age
@@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 lOyIlA Tyyx5kyLTN9MI+Bc66Rh7RbQ+qZF0S5Y2HCTvUFRqBo
 lzPjwPDXjg8ioc4XAJewTDdzXN5QO3BeGbTVxGW1B0U
 -> *-grease >|vs MPFf.c. nm=m ^
 OHDKbCO9uIoRv9Ar2kbIENz1NLY8iUlzmV07SouSJcxNWyEAqsVzxAkLsIeQKYn5
 XbtjLv88wHhf2w
 --- 7kHTJevOeZdsk2v9qP1V7wL4/Qz8wmFgoQiPMcx56WU
 <EFBFBD>L<EFBFBD><EFBFBD>ȼam<EFBFBD><EFBFBD><EFBFBD><EFBFBD>w<EFBFBD>B]<5D><>
 <EFBFBD><EFBFBD>m<EFBFBD>ھځ<EFBFBD><EFBFBD>Od<EFBFBD><EFBFBD>L%<25>P<EFBFBD><50>I<EFBFBD><49>'<27>X<EFBFBD><58><ko<6B>>OF<4F>j<EFBFBD>8<EFBFBD><38><EFBFBD>8s<>[<5B>(<28><>C<EFBFBD>lTd<><64><EFBFBD>H<14>[9<><39> <20><>$A<>l<EFBFBD>Pf<50>}<7D><>jCo]`<60><><EFBFBD><EFBFBD>nݢ<6E>jw*<16>Y<EFBFBD><i<>MO<4D><4F>D<18><><08>[!T#<23><>ȕX<C895>ق<EFBFBD>K<EFBFBD>X<EFBFBD>-<2D><><EFBFBD>{f<>$%<11><><EFBFBD><EFBFBD>g<>T}<7D><>k<EFBFBD>R1<52>Q?<3F><>?٭Q<D9AD><51>h<EFBFBD>W<EFBFBD> e<><65>||z<><7A>Xe<58>rD3\';<06>j<>F<><46><EFBFBD>hY
 <EFBFBD><16>R<EFBFBD>H1<48><0B>Rꑱ/*w	<09>	3ǷY"<22>{<7B><><EFBFBD>LN<1D>s"<22><1F><>7B<37>
--- a/secrets/rekeyed/vps1/a8f9724475694d2a470fc175c5a6d38e-kanidm-idm-admin-password.age
+++ b/secrets/rekeyed/vps1/a8f9724475694d2a470fc175c5a6d38e-kanidm-idm-admin-password.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 lOyIlA XbDvpING9Qe/x3sNWrqn2vqEw2SvgP79ApCrJTTGuiM
 cOaoXvYgPH7egMF1MT4gtaMHnoHWgeKeEjkwCoOQf74
 -> y''zjcK-grease J y ,CxRN3
 2kaqVO6qm24DPq5fhEN+AM+hPvW3VPHKlzuMy8SLeW/3um8bXNmFdxwzfkDoFSf3
 viYrDFmlY7+RTFt6JADBs67eYlQblBgZwTo
 --- NwBzcAYM5hOyvIsRVLYH8ez6gn8Z3yxmX8Tfz1hETz0
 <EFBFBD>g<EFBFBD>><3E>@<40><><EFBFBD>l<EFBFBD><6C>g<EFBFBD>[<5B>Rٽ<52><D9BD><EFBFBD><EFBFBD>Xv<58><76>9ߵ"<22><>\<5C>hۺU<DBBA>y<EFBFBD><79><EFBFBD><EFBFBD>4ܞO<DC9E><4F> =z<><7A>xB<78>@DzIJ<49><1F><>O<EFBFBD><4F><EFBFBD><EFBFBD><EFBFBD>M<EFBFBD><4D>LH<
--- a/secrets/rekeyed/vps1/d4527fa57d6907c78335cdabd3e84d46-kanidm-oauth2-open-webui.age
+++ b/secrets/rekeyed/vps1/d4527fa57d6907c78335cdabd3e84d46-kanidm-oauth2-open-webui.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 lOyIlA VsJu05NEZogLfeKJ8f9PiUH9RZn2RKJ+/FYOTzUOIyY
 Zd5ze/ijrlRs948f6fhCR+IN6uXpck6ejMlpyGugOfQ
 -> z+o-grease +J< ey N"
 uAedOA+JGje0EKhTuQJj+RDh98H6dqryAUe7nC2iF6t7wAT1NHFLWWfRqw3nNtMb
 Cb0pH7hECmbW0vygVD67NusZOvleB2RHng
 --- KcTuAfeh0NIBLRmtXZFlbsAAmH9Eu2KmswfZzWgaeZ8
 <EFBFBD><EFBFBD>9E<EFBFBD>QުF<EFBFBD>`i<><69><1B>o<EFBFBD><6F>~<7E><08>/<2F>V<*{<7B>'A~<7E>n0<><17><0B><>'@<40>K<EFBFBD><4B><<3C>xǽ'AJMFN<46><4E><18>#<23>$C܊=$ZH<5A>A<06>
--- a/secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age
+++ b/secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age
@@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 lOyIlA lN4CAdRzmrQqTaI75QwSyhPF34tXWvnyT3EF+wYp5H0
 z9b9Rm/zk4PHrw35EeLtx4Gyp6Nlv55SWM/OxuuqOcA
 -> CJNg-grease ^p}Pf r@D 94/&
 eM0eWh2/4FSBoFvqSvVI
 --- y0Tsd45+A1Q8XwnUee6RZJPkYiazusnxYkmBeHqru0E
 W`.)"<22>(<28><><EFBFBD>Ys<59><1F><><EFBFBD><EFBFBD>r<EFBFBD><72><EFBFBD>0<EFBFBD> <20><>r<EFBFBD>g<>Y<EFBFBD><59><EFBFBD>6<EFBFBD>P=;[Y<><59><EFBFBD>&<26>b<>R<EFBFBD><52>6Wv<57><1B>Ǡ<EFBFBD><C7A0>Æs<C386>&<26><><EFBFBD>=U
--- a/secrets/yubikey-nix-primary.pub
+++ b/secrets/yubikey-nix-primary.pub
@@ -0,0 +1,7 @@
 #       Serial: 24187788, Slot: 1
 #         Name: YubiKey Nix Primary
 #      Created: Mon, 25 Aug 2025 21:00:00 +0000
 #   PIN policy: Once   (A PIN is required once per session, if set)
 # Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
 #    Recipient: age1yubikey1qwwyem3502gqenzet20xdpjnuhhv2cezvzk590jdta9wqkw48p8gj7n4x96
 AGE-PLUGIN-YUBIKEY-13SFHZQVZDDFHVHQGGYPC3
--- a/users/guest/common/optional/graphical/jellyfin.nix
+++ b/users/guest/common/optional/graphical/jellyfin.nix
@@ -0,0 +1,20 @@
 {
  pkgs,
  ...
 }:
 {
  home.packages = with pkgs; [
    gamescope
    jellyfin-media-player
  ];
  home.persistence."/state".directories = [
    ".cache/jellyfin.org"
  ];
  home.persistence."/persist".directories = [
    ".config/jellyfin.org"
    ".local/share/jellyfinmediaplayer"
    ".local/share/Jellyfin Media Player"
  ];
 }
--- a/users/guest/common/optional/graphical/steam.nix
+++ b/users/guest/common/optional/graphical/steam.nix
@@ -8,23 +8,10 @@
    steam
  ];
-  systemd.user.services.steam-big-picture = {
+  home.persistence."/persist".directories = [
-    Unit = {
+    ".config/gamescope"
-      Description = "Steam Big Picture in Gamescope";
+    ".local/share/Steam"
-      After = [
+    ".local/share/vulkan"
-        "graphical.target"
+    ".steam"
-        "default.target"
+  ];
      ];
    };
    Service = {
      ExecStart = ''
        ${pkgs.gamescope}/bin/gamescope --rt --backend drm --steam -- \
          ${pkgs.steam}/bin/steam -pipewire-dmabuf -tenfoot
      '';
      Restart = "always";
    };
    Install = {
      WantedBy = [ "default.target" ];
    };
  };
 }
--- a/users/guest/default.nix
+++ b/users/guest/default.nix
@@ -22,11 +22,13 @@ in
    ];
    group = "users";
    isNormalUser = true;
    password = "";
    shell = pkgs.zsh;
  };
  home-manager.users.${name} = {
    imports = [
      ./common/optional/graphical/jellyfin.nix
      ./common/optional/graphical/steam.nix
      {
        home.persistence."/state" = {
@@ -36,11 +38,7 @@ in
        };
        home.persistence."/persist" = {
          directories = [
            ".config/gamescope"
            ".local/share/icons"
            ".local/share/Steam"
            ".local/share/vulkan"
            ".steam"
          ];
        };
      }
@@ -48,17 +46,140 @@ in
    ++ optional (builtins.pathExists hostFile) hostFile;
    home = {
      packages = with pkgs; [
        adwaita-fonts
      ];
      username = name;
      sessionVariables = {
        ZDOTDIR = "~/.config/zsh";
      };
      pointerCursor = {
        enable = true;
        size = 64;
        name = "macOS";
        package = pkgs.apple-cursor;
        gtk.enable = true;
        x11.enable = true;
      };
    };
    fonts.fontconfig.enable = true;
    programs.firefox = {
      enable = true;
      profiles.Default = {
        search = {
          default = "ddg";
          privateDefault = "ddg";
          force = true;
        };
        settings = {
          "layout.css.devPixelsPerPx" = 1.5;
        };
      };
    };
    programs.zsh = {
      enable = true;
      enableCompletion = true;
    };
    xdg.enable = true;
  };
-  services.getty = {
+  services.displayManager = {
-    autologinOnce = true;
+    enable = true;
-    autologinUser = "guest";
+    sessionPackages =
      let
        firefoxDesktopFile = pkgs.writeTextFile {
          name = "firefox-desktop-entry";
          destination = "/share/wayland-sessions/firefox.desktop";
          text = ''
            [Desktop Entry]
            Name=Firefox
            Comment=Desktop session for web browsing
            Exec=${pkgs.gamescope}/bin/gamescope --rt --backend drm --expose-wayland -W 3840 -H 2160 -- MOZ_ENABLE_WAYLAND=1 ${pkgs.firefox}/bin/firefox https://www.youtube.com/
            Type=Application
          '';
        };
        jellyfinDesktopFile = pkgs.writeTextFile {
          name = "jellyfin-desktop-entry";
          destination = "/share/wayland-sessions/jellyfin.desktop";
          text = ''
            [Desktop Entry]
            Name=Jellyfin
            Comment=Desktop session for music, movies, and TV
            Exec=${pkgs.gamescope}/bin/gamescope --rt --backend drm -W 3840 -H 2160 -- ${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer --scale-factor 2 --tv --fullscreen
            Type=Application
          '';
        };
        steamDesktopFile = pkgs.writeTextFile {
          name = "steam-desktop-entry";
          destination = "/share/wayland-sessions/steam.desktop";
          text = ''
            [Desktop Entry]
            Name=Steam
            Comment=Desktop session for gaming
            Exec=${pkgs.gamescope}/bin/gamescope --rt --backend drm --steam -- ${pkgs.steam}/bin/steam -pipewire-dmabuf -tenfoot
            Type=Application
          '';
        };
        firefoxSession = pkgs.symlinkJoin {
          name = "firefox-session";
          paths = [ firefoxDesktopFile ];
          passthru.providedSessions = [ "firefox" ];
        };
        jellyfinSession = pkgs.symlinkJoin {
          name = "jellyfin-session";
          paths = [ jellyfinDesktopFile ];
          passthru.providedSessions = [ "jellyfin" ];
        };
        steamSession = pkgs.symlinkJoin {
          name = "steam-session";
          paths = [ steamDesktopFile ];
          passthru.providedSessions = [ "steam" ];
        };
      in
      [
        firefoxSession
        jellyfinSession
        steamSession
      ];
  };
  services.greetd =
    let
      desktops = config.services.displayManager.sessionData.desktops;
    in
    {
      enable = true;
      settings = {
        default_session = {
          command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --sessions ${desktops}/share/xsessions:${desktops}/share/wayland-sessions";
        };
      };
    };
  # security.pam.services = {
  #   greetd.text = ''
  #     auth      requisite     pam_nologin.so
  #     auth      sufficient    pam_succeed_if.so user = ${name} quiet_success
  #     auth      required      pam_unix.so
  #
  #     account   sufficient    pam_unix.so
  #
  #     password  required      pam_deny.so
  #
  #     session   optional      pam_keyinit.so revoke
  #     session   include       login
  #   '';
  # };
  # Workaround: https://github.com/nix-community/home-manager/issues/7166
  systemd.services."home-manager-${name}".serviceConfig = {
    RemainAfterExit = "yes";
--- a/users/jordan/artemis.nix
+++ b/users/jordan/artemis.nix
@@ -13,8 +13,8 @@
  home.packages = with pkgs; [
    jellyfin-media-player
-    lutris
+    unstable.lutris
-    unstable.pcsx2
+    pcsx2
    xemu
  ];
 }
--- a/users/jordan/common/neovim.nix
+++ b/users/jordan/common/neovim.nix
@@ -1,4 +1,5 @@
 {
  osConfig,
  ...
 }:
@@ -10,6 +11,17 @@
    viAlias = true;
    vimAlias = true;
    extraConfigLua = ''
      if vim.g.neovide then
        vim.g.neovide_opacity = 0.8
        vim.g.neovide_normal_opacity = 0.8
        -- vim.g.neovide_cursor_vfx_mode = "pixiedust"
        vim.g.neovide_floating_blur_amount_x = 2.0
        vim.g.neovide_floating_blur_amount_y = 2.0
        vim.g.neovide_floating_corner_radius = 0.2
      end
    '';
    opts = {
      number = true;
      tabstop = 2;
@@ -34,14 +46,88 @@
      providers.wl-copy.enable = true;
    };
    colorschemes.onedark = {
      enable = true;
      settings = {
        style = "darker";
        transparent = true;
      };
    };
    plugins.cmp = {
      enable = true;
      autoEnableSources = true;
      settings = {
        sources = [
          { name = "nvim_lsp"; }
          { name = "path"; }
          { name = "buffer"; }
        ];
        mapping = {
          "<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
          "<S-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
          "<CR>" = "cmp.mapping.confirm({ select = true })";
        };
      };
    };
    plugins.codecompanion = {
      enable = true;
      settings = {
        adapters = {
          http.opts.show_defaults = false;
          openwebui.__raw = ''
            function()
              return require("codecompanion.adapters").extend("openai_compatible", {
                name = "openwebui",
                formatted_name = "Open WebUI",
                opts = {
                  stream = true,
                  tools = true,
                  vision = false,
                },
                url = "''${url}''${chat_endpoint}",
                env = {
                  api_key = "cmd:cat ${osConfig.age.secrets.open-webui-api-key.path}",
                  url = "https://chat.ai.vimium.com",
                  chat_endpoint = "/api/chat/completions",
                  models_endpoint = "/api/models",
                },
                headers = {
                  ["Content-Type"] = "application/json",
                  Authorization = "Bearer ''${api_key}",
                },
                schema = {
                  model = {
                    default = "openai/gpt-5-chat",
                  },
                },
              })
            end
          '';
        };
        strategies = {
          chat = {
            adapter = "openwebui";
          };
          inline = {
            adapter = "openwebui";
          };
          cmd = {
            adapter = "openwebui";
          };
        };
      };
    };
    plugins.comment.enable = true;
    plugins.hmts.enable = true;
    plugins.lightline.enable = true;
    plugins.luasnip.enable = true;
    plugins.lsp = {
      enable = true;
      servers = {
@@ -63,24 +149,9 @@
      };
    };
-    plugins.nvim-autopairs.enable = true;
+    plugins.luasnip.enable = true;
-    plugins.cmp = {
+    plugins.nvim-autopairs.enable = true;
      enable = true;
      autoEnableSources = true;
      settings = {
        sources = [
          { name = "nvim_lsp"; }
          { name = "path"; }
          { name = "buffer"; }
        ];
        mapping = {
          "<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
          "<S-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
          "<CR>" = "cmp.mapping.confirm({ select = true })";
        };
      };
    };
    plugins.telescope = {
      enable = true;
@@ -115,18 +186,41 @@
    plugins.vim-surround.enable = true;
    plugins.visual-multi.enable = true;
    plugins.web-devicons.enable = true;
-    # plugins.gitsigns.enable = true;
+    plugins.yazi.enable = true;
-    # plugins.gitgutter.enable = true;
+
-    # plugins.goyo.enable = true;
+    plugins.zen-mode.enable = true;
    # plugins.actions-preview.enable = true;
    # plugins.aerial.enable = true;
    # plugins.arrow.enable = true;
    # plugins.blink.enable = true;
    # plugins.bufferline.enable = true;
    # plugins.fidget.enable = true;
    # plugins.flash.enable = true;
    # plugins.fugitive.enable = true;
    # plugins.fzf-lua.enable = true;
    # plugins.gitsigns.enable = true;
    # plugins.gitgutter.enable = true;
    # plugins.glance.enable = true;
    # plugins.hop.enable = true;
    # plugins.improved-search.enable = true;
    # plugins.goto-preview.enable = true;
    # plugins.kulala.enable = true;
    # plugins.neo-tree.enable = true;
    # plugins.none-ls.enable = true;
-    # plugins.nvim-tree.enable = true;
+    # plugins.nvim-dap.enable = true;
    # plugins.nvim-dbee.enable = true;
    # plugins.nvim-neoclip.enable = true;
    # plugins.oil.enable = true;
    # plugins.persisted.enable = true;
    # plugins.precognition.enable = true;
    # plugins.project-nvim.enable = true;
    # plugins.tardis.enable = true;
    # plugins.typescript-tools.enable = true;
  };
  home.sessionVariables.EDITOR = "nvim";
--- a/users/jordan/common/optional/graphical/firefox.nix
+++ b/users/jordan/common/optional/graphical/firefox.nix
@@ -8,6 +8,39 @@
  programs.firefox = {
    enable = true;
    policies = {
      DisableFirefoxAccounts = true;
      DisableFirefoxStudies = true;
      DisableTelemetry = true;
      DisableFeedbackCommands = true;
      DisablePocket = true;
      DisableSetDesktopBackground = true;
      DontCheckDefaultBrowser = true;
      NoDefaultBookmarks = true;
      SkipTermsOfUse = true;
      GenerativeAI = {
        Chatbot = false;
        LinkPreviews = false;
        TabGroups = false;
      };
      ExtensionSettings = {
        "uBlock0@raymondhill.net" = {
          installation_mode = "force_installed";
          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
          private_browsing = true;
        };
      };
      SearchEngines = {
        Default = "DuckDuckGo";
        Remove = [
          "Amazon.com"
          "Bing"
          "eBay"
          "Google"
          "Perplexity"
        ];
      };
    };
    profiles.Default = {
      search = {
        default = "ddg";
@@ -47,6 +80,9 @@
        "browser.urlbar.suggest.calculator" = true;
        "browser.urlbar.trending.featureGate" = false;
        "browser.urlbar.unitConversion.enabled" = true;
        "browser.aboutConfig.showWarning" = false;
        "browser.aboutwelcome.enabled" = false;
        "browser.shell.checkDefaultBrowser" = false;
        "cookiebanners.service.mode" = 1;
        "cookiebanners.service.mode.privateBrowsing" = 1;
        "network.IDN_show_punycode" = true;
@@ -99,6 +135,7 @@
        ## Privacy
        "dom.private-attribution.submission.enabled" = false;
        # "privacy.resistFingerprinting" = true;
        "privacy.resistFingerprinting.randomization.daily_reset.enabled" = true;
        "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts" = false;
        "privacy.trackingprotection.enabled" = true;
        "privacy.trackingprotection.pbmode.enabled" = true;
@@ -135,6 +172,13 @@
        "dom.webnotifications.serviceworker.enabled" = false;
        "permissions.default.desktop-notification" = 2;
        ## ML
        "browser.ml.enable" = false;
        "browser.ml.chat.enable" = false;
        "browser.ml.chat.menu" = false;
        "browser.ml.linkpreview.enable" = false;
        "browser.tabs.groups.smart.enabled" = false;
        ## DOM / JavaScript
        # "dom.event.clipboardevents.enabled" = false;
        "middlemouse.paste" = false;
@@ -202,6 +246,31 @@
        "plugin.state.flash" = 0;
        "plugin.state.java" = 0;
        # Fullscreen
        "full-screen-api.transition-duration.enter" = "0 0";
        "full-screen-api.transition-duration.leave" = "0";
        "full-screen-api.warning.timeout" = 0;
        # Update management
        "app.update.auto" = false;
        "app.update.background.enabled" = false;
        "app.update.url" = "";
        # Sync
        "services.sync.engine.addresses" = false;
        "services.sync.engine.creditcards" = false;
        "services.sync.engine.addons" = false;
        "services.sync.engine.bookmarks" = false;
        "services.sync.engine.history" = false;
        "services.sync.engine.passwords" = false;
        "services.sync.engine.prefs" = false;
        "services.sync.engine.tabs" = false;
        "identity.fxaccounts.enabled" = false;
        # Notifications and CFR
        "browser.messaging-system.whatsNewPanel.enabled" = false;
        "browser.cfr.enabled" = false;
        ## Misc
        "browser.selfsupport.url" = "";
      };
--- a/users/jordan/common/optional/graphical/hyprland/default.nix
+++ b/users/jordan/common/optional/graphical/hyprland/default.nix
@@ -61,8 +61,8 @@ in
    portalPackage =
      inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
    plugins = [
-      pkgs.unstable.hyprlandPlugins.hyprbars
+      # pkgs.unstable.hyprlandPlugins.hyprbars
-      pkgs.unstable.hyprlandPlugins.hypr-dynamic-cursors
+      # pkgs.unstable.hyprlandPlugins.hypr-dynamic-cursors
    ];
    settings = {
      general = {
@@ -77,7 +77,7 @@ in
      plugin = {
        dynamic-cursors = {
-          enabled = true;
+          enabled = false;
          mode = "none";
          shake = {
            enabled = true;
@@ -85,7 +85,7 @@ in
        };
        hyprbars = {
-          enabled = true;
+          enabled = false;
          bar_height = 20;
          bar_blur = true;
        };
@@ -299,7 +299,15 @@ in
    enable = true;
    settings = {
      background = "#000000";
-      background_opacity = 0.7;
+      background_opacity = 0.8;
    };
  };
  programs.neovide = {
    enable = true;
    package = pkgs.unstable.neovide;
    settings = {
      font.size = 16.0;
    };
  };
--- a/users/jordan/common/optional/graphical/hyprland/waybar.css
+++ b/users/jordan/common/optional/graphical/hyprland/waybar.css
@@ -3,7 +3,88 @@
 }
 window#waybar {
-  border-radius: 1em;
+  background: linear-gradient(
    to bottom,
    rgba(118, 118, 118, 0.78) 0%,
    rgba(50, 50, 50, 0.78) 50%,
    rgba(0, 0, 0, 0.74) 50%,
    rgba(0, 0, 0, 0.76) 100%
  );
  border-top: 1px solid rgba(71, 71, 71, 0.90);
  border-bottom: 1px solid rgba(0, 0, 0, 0.97);
  box-shadow: inset 0px 1px 0px 0px rgba(158, 158, 158, 0.90);
  text-shadow: black 0px 0px 2px;
  color: white;
 }
 #workspaces button {
  margin: 2px;
  background: linear-gradient(
    to bottom,
    rgba(255, 255, 255, 0.35) 0%,
    rgba(255, 255, 255, 0.11) 50%,
    rgba(255, 255, 255, 0) 50%
  );
  border: 1px solid rgba(0, 0, 0, 0.37);
  border-radius: 4px;
  box-shadow: inset 0px 1px 0px 0px rgba(255, 255, 255, 0.25);
  text-shadow: black 0px 0px 2px;
  color: white;
 }
 #workspaces button:hover {
  background:
    linear-gradient(
      to bottom,
      rgba(255, 255, 255, 0.35) 0%,
      rgba(255, 255, 255, 0.17) 50%,
      rgba(255, 255, 255, 0) 50%
    ),
    radial-gradient(
      ellipse 80% 80% at 50% 110%,
      rgba(44, 126, 204, 1) 0%,
      rgba(44, 126, 204, 0) 80%
    );
 }
 #workspaces button.active {
  background: linear-gradient(
    to bottom,
    rgba(0, 0, 0, 0.40) 0%,
    rgba(0, 0, 0, 0.38) 50%,
    rgba(0, 0, 0, 0.55) 50%
  );
  box-shadow: inset 0px 1px 0px 0px rgb(0, 0, 0);
 }
 #workspaces button.active:hover {
  background:
    linear-gradient(
      to bottom,
      rgba(0, 0, 0, 0.40) 0%,
      rgba(0, 0, 0, 0.38) 50%,
      rgba(0, 0, 0, 0.55) 50%
    ),
    radial-gradient(
      ellipse 80% 80% at 50% 120%,
      rgba(43, 143, 189, 1) 0%,
      rgba(43, 143, 189, 0) 80%
    );
 }
 #workspaces button.urgent {
  background:
    linear-gradient(
      to bottom,
      rgba(255, 255, 255, 0.35) 0%,
      rgba(255, 255, 255, 0.11) 50%,
      rgba(255, 255, 255, 0) 50%
    ),
    radial-gradient(
      ellipse 80% 80% at 50% 100%,
      rgba(199, 128, 14, 1) 0%,
      rgba(170, 75, 12, 0) 100%
    );
 }
 .modules-left {
--- a/users/jordan/common/optional/graphical/hyprland/waybar.nix
+++ b/users/jordan/common/optional/graphical/hyprland/waybar.nix
@@ -8,9 +8,8 @@
    settings = [
      {
        layer = "top";
-        position = "top";
+        position = "bottom";
        height = 30;
        margin = "10 20 0 20";
        spacing = 10;
        modules-left = [
--- a/users/jordan/common/shell.nix
+++ b/users/jordan/common/shell.nix
@@ -174,6 +174,7 @@ in
    mcfly.enable = true;
    navi.enable = true;
    nix-index.enable = true;
    yazi.enable = true;
  };
  home.persistence."/persist" = {
@@ -189,10 +190,12 @@ in
    bat
    btop
    fd
    file
    jq
    ncdu
    nix-zsh-completions
-    nnn
+    p7zip-rar
    ripgrep
    unzip
  ];
 }
--- a/users/jordan/default.nix
+++ b/users/jordan/default.nix
@@ -15,6 +15,11 @@ in
 {
  age.secrets."passwords/users/jordan".file = "${inputs.secrets}/passwords/users/jordan.age";
  age.secrets.open-webui-api-key = {
    rekeyFile = ./secrets/open-webui-api-key.age;
    owner = "jordan";
  };
  users.users.${name} = {
    description = "Jordan Holt";
    extraGroups = [
--- a/users/jordan/odyssey.nix
+++ b/users/jordan/odyssey.nix
@@ -24,10 +24,10 @@
    inkscape
    jellyfin-media-player
    krita
-    lutris
+    unstable.lutris
    mkvtoolnix
    # obs-studio
-    unstable.pcsx2
+    pcsx2
    qbittorrent
    xemu
  ];
--- a/users/jordan/secrets/open-webui-api-key.age
+++ b/users/jordan/secrets/open-webui-api-key.age
@@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> piv-p256 a1N2XA AnYGGZaNhtGzK2rbiM3Nfom6xfUq5qTv7fUMDVl1jb+J
 gu1Rpzq2gIB6uopM3tNl3CAb0Xyweu8DA61Unku56m0
 -> x]n-grease R"L{e% Q(Dh['$p ,KZz C
 JKGsU9abzhI9Qly1rrkbXqYl947wcA
 --- jZDJChrb2qWPWvG0aFUDNOJGx+fowthXvwyuMI77drI
 Ѐ6{_<><5F><EFBFBD><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F> <20><><EFBFBD>S<EFBFBD>	ǅ<><C785><EFBFBD>+<2B><>!<21><><><7F>A<EFBFBD><41><19>ܠ<EFBFBD>A<EFBFBD>y<EFBFBD>
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXJmnp4LUE9AFjGHwvxAu4m/3PB2uYQ69F7wYv7cGGT`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPddvpZeCUelUGsnFvx87WOqKKc+MGPU6+rx6s1ReWQl`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2tDij7eTDbljl6Crz4i7qrM0lgp8U2T9ZMXt7VQPT/`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGlbvy+4QHbveFbS6r9S0JWUVHeI/MgYLyGtfpZqJ/3`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBP+SH4lzFTE29y9HfjkaO7Ino5OqEws5UXcnBFoo76C`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGLHtC0JmFfct+lYl0EjgphutmeYY8BWDctY3+/TsO6L`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJre8/cjdoUnbTu0x4ClTITcq4lq+FjpEyJBbLbOlox7`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYv5V6Lr1Er1dljwmunurIz1Q3Ce5FsFSxtUOW6aO9J`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv5+HwcRetBxtQZXpGbYv22S4prJu9bYCzKTSoMCl8D`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc`