hosts/helios: add initial disko config

2025-08-23 21:39:28 +01:00
122 changed files with 2171 additions and 2412 deletions
--- a/README.md
+++ b/README.md
@@ -5,9 +5,9 @@ System and user configuration for NixOS-based systems.
 | | |
 |-|-|
 | **Shell:** | zsh |
-| **WM:** | Niri |
+| **DE:** | GNOME |
 | **Theme:** | Adwaita |
-| **Terminal:** | kitty |
+| **Terminal:** | Ghostty |

 ## Provisioning a new host

--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@@ -30,10 +30,17 @@
    };

    home-manager = {
-      url = "github:nix-community/home-manager/release-25.11";
+      url = "github:nix-community/home-manager/release-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    hyprland.url = "github:hyprwm/Hyprland";
+
+    hyprland-plugins = {
+      url = "github:hyprwm/hyprland-plugins";
+      inputs.hyprland.follows = "hyprland";
+    };
+
    firefox-gnome-theme = {
      url = "github:rafaelmardojai/firefox-gnome-theme";
      flake = false;
@@ -53,37 +60,28 @@
      flake = false;
    };

-    niri = {
-      url = "github:sodiboo/niri-flake";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
    nixos-hardware.url = "github:NixOS/nixos-hardware";

    nixos-mailserver = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.11";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    nixpkgs.url = "nixpkgs/nixos-25.11";
+    nixpkgs.url = "nixpkgs/nixos-25.05";

    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";

    # nixpkgs-master.url = "nixpkgs";

    nixvim = {
-      url = "github:nix-community/nixvim/nixos-25.11";
+      url = "github:nix-community/nixvim/nixos-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    nix-topology = {
      url = "github:oddlama/nix-topology";
      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    noctalia = {
-      url = "github:noctalia-dev/noctalia-shell";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.pre-commit-hooks.follows = "pre-commit-hooks";
    };

    pre-commit-hooks = {
@@ -105,11 +103,6 @@
      url = "github:numtide/treefmt-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-
-    zen-browser = {
-      url = "github:youwen5/zen-browser-flake";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
  };

  outputs =
@@ -120,10 +113,10 @@
    }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      imports = [
+        inputs.agenix-rekey.flakeModule
        inputs.pre-commit-hooks.flakeModule
        inputs.nix-topology.flakeModule
        inputs.treefmt-nix.flakeModule
-        ./nix/agenix-rekey.nix
        ./nix/devshell.nix
        ./nix/hosts.nix
      ];
@@ -143,7 +136,7 @@
      perSystem =
        { pkgs, ... }:
        {
-          formatter = pkgs.nixfmt;
+          formatter = pkgs.nixfmt-rfc-style;

          legacyPackages = pkgs.lib.packagesFromDirectoryRecursive {
            callPackage = pkgs.callPackage;
@@ -175,7 +168,7 @@
                no-lambda-arg = true;
              };
              mdformat.enable = true;
-              nixfmt.enable = true;
+              nixfmt-rfc-style.enable = true;
              shellcheck.enable = true;
            };
          };
--- a/hosts/artemis/default.nix
+++ b/hosts/artemis/default.nix
@@ -23,13 +23,8 @@ in

  nixpkgs = {
    hostPlatform = "x86_64-linux";
-    config.permittedInsecurePackages = [
-      "qtwebengine-5.15.19"
-    ];
  };

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
  boot.loader = {
    systemd-boot = {
      enable = true;
@@ -103,6 +98,10 @@ in
        enable = true;
        interfaces = [ "wlp11s0" ];
      };
+      desktop = {
+        gnome.enable = lib.mkForce false;
+        hyprland.enable = true;
+      };
    };
  };

--- a/hosts/artemis/hardware-configuration.nix
+++ b/hosts/artemis/hardware-configuration.nix
@@ -68,9 +68,8 @@ in
      "amdgpu.sched_hw_submission=4"
      "audit=0"
    ];
-    kernelPackages = pkgs.linuxPackages_6_18;
+    kernelPackages = pkgs.linuxPackages_6_15;
    supportedFilesystems = [ "ntfs" ];
-    zfs.package = pkgs.zfs_2_4;
  };

  hardware = {
--- a/hosts/artemis/ssh_host_ed25519_key.pub
+++ b/hosts/artemis/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXJmnp4LUE9AFjGHwvxAu4m/3PB2uYQ69F7wYv7cGGT
--- a/hosts/atlas/default.nix
+++ b/hosts/atlas/default.nix
@@ -9,8 +9,6 @@

  nixpkgs.hostPlatform = "x86_64-linux";

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
--- a/hosts/atlas/ssh_host_ed25519_key.pub
+++ b/hosts/atlas/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPddvpZeCUelUGsnFvx87WOqKKc+MGPU6+rx6s1ReWQl
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -6,34 +6,25 @@
 }:
 {
  imports = [
-    inputs.agenix.nixosModules.default
-    inputs.agenix-rekey.nixosModules.default
+    inputs.agenix.nixosModules.age
    inputs.home-manager.nixosModules.home-manager
    ../modules/nixos
    ../modules/nixos/impermanence.nix
  ];

-  age.rekey = {
-    masterIdentities = [ ../secrets/yubikey-nix-primary.pub ];
-    storageMode = "local";
-    generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.networking.hostName}";
-    localStorageDir = inputs.self.outPath + "/secrets/rekeyed/${config.networking.hostName}";
-  };
-
  nixpkgs = {
    config.allowUnfree = true;
    overlays = [
      inputs.agenix.overlays.default
-      inputs.niri.overlays.niri
+      (import ../overlays/default.nix)
      (final: prev: {
        unstable = import inputs.nixpkgs-unstable {
          config = {
            allowUnfree = true;
          };
-          system = final.stdenv.hostPlatform.system;
+          system = final.system;
        };
      })
-      (import ../overlays/default.nix)
    ];
  };

@@ -80,10 +71,9 @@

  nix = {
    package = pkgs.nixVersions.stable;
-    settings.extra-experimental-features = [
-      "flakes"
-      "nix-command"
-    ];
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
    buildMachines = [
      {
        hostName = "10.0.1.235";
@@ -119,14 +109,13 @@
      dates = "weekly";
      options = "-d --delete-older-than 7d";
    };
-    registry.unstable.flake = inputs.nixpkgs-unstable;
  };

  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
    sharedModules = [
-      inputs.nixvim.homeModules.nixvim
+      inputs.nixvim.homeManagerModules.nixvim
      {
        home.stateVersion = config.system.stateVersion;
      }
--- a/hosts/desktop.nix
+++ b/hosts/desktop.nix
@@ -40,7 +40,7 @@
  };

  system.autoUpgrade = {
-    enable = false;
+    enable = true;
    flake = "git+ssh://git@git.vimium.com/jordan/nix-config.git";
    randomizedDelaySec = "10min";
  };
@@ -51,14 +51,10 @@
  systemd.services.NetworkManager-wait-online.enable = false;

  modules = {
+    system.desktop.gnome.enable = true;
    services.tailscale.enable = true;
  };

-  environment.pathsToLink = [
-    "/share/applications"
-    "/share/xdg-desktop-portal"
-  ];
-
  environment.systemPackages = with pkgs; [
    bind
    bmon
--- a/hosts/helios/default.nix
+++ b/hosts/helios/default.nix
@@ -1,19 +1,24 @@
 {
+  inputs,
  pkgs,
+  lib,
  ...
 }:

+let
+  inherit (lib) mkForce;
+in
 {
  imports = [
+    inputs.disko.nixosModules.disko
    ./hardware-configuration.nix
+    ./disko-config.nix
    ../desktop.nix
    ../../users/jordan
  ];

  nixpkgs.hostPlatform = "x86_64-linux";

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
  boot = {
    loader.grub = {
      enable = true;
@@ -41,6 +46,10 @@
        repoPath = "ssh://b9cjl9hq@b9cjl9hq.repo.borgbase.com/./repo";
      };
    };
+    system.desktop = {
+      gnome.enable = mkForce false;
+      hyprland.enable = true;
+    };
  };

  system.stateVersion = "22.11";
--- a/hosts/helios/disko-config.nix
+++ b/hosts/helios/disko-config.nix
@@ -0,0 +1,101 @@
+{ ... }:
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-SanDisk_Ultra_II_480GB_162224802391";
+        content = {
+          type = "gpt";
+          partitions = {
+            MBR = {
+              size = "1M";
+              type = "EF02"; # For GRUB MBR
+            };
+            boot = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "rpool";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      rpool = {
+        type = "zpool";
+        options = {
+          ashift = "12";
+        };
+        rootFsOptions = {
+          compression = "zstd";
+          acltype = "posix";
+          atime = "off";
+          xattr = "sa";
+          dnodesize = "auto";
+          mountpoint = "none";
+          canmount = "off";
+          devices = "off";
+          exec = "off";
+          setuid = "off";
+        };
+        datasets = {
+          "local" = {
+            type = "zfs_fs";
+          };
+          "local/root" = {
+            type = "zfs_fs";
+            mountpoint = "/";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/";
+              exec = "on";
+              setuid = "on";
+            };
+            postCreateHook = "zfs snapshot rpool/local/root@blank";
+          };
+          "local/nix" = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/nix";
+              exec = "on";
+              setuid = "on";
+            };
+          };
+          "local/state" = {
+            type = "zfs_fs";
+            mountpoint = "/state";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/state";
+            };
+          };
+          "safe" = {
+            type = "zfs_fs";
+          };
+          "safe/persist" = {
+            type = "zfs_fs";
+            mountpoint = "/persist";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/persist";
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/helios/ssh_host_ed25519_key.pub
+++ b/hosts/helios/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2tDij7eTDbljl6Crz4i7qrM0lgp8U2T9ZMXt7VQPT/
--- a/hosts/hypnos/0001-Add-apple_set_os-EFI-boot-service.patch
+++ b/hosts/hypnos/0001-Add-apple_set_os-EFI-boot-service.patch
@@ -0,0 +1,101 @@
+From d310ddee0fb8e7a5a8b89668c6cb8f9dc863ce94 Mon Sep 17 00:00:00 2001
+From: Jordan Holt <jordan@vimium.com>
+Date: Sun, 28 Apr 2024 15:59:52 +0100
+Subject: [PATCH] Add apple_set_os EFI boot service
+
+---
+ drivers/firmware/efi/libstub/x86-stub.c | 59 +++++++++++++++++++++++++
+ include/linux/efi.h                     |  1 +
+ 2 files changed, 60 insertions(+)
+
+diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
+index d5a8182cf..be722c43a 100644
+--- a/drivers/firmware/efi/libstub/x86-stub.c
+++ b/drivers/firmware/efi/libstub/x86-stub.c
+@@ -449,6 +449,63 @@ static void setup_graphics(struct boot_params *boot_params)
+ 	}
+ }
+
+typedef struct {
+	u64 version;
+	void (*set_os_version) (const char *os_version);
+	void (*set_os_vendor) (const char *os_vendor);
+} apple_set_os_interface_t;
+
+static efi_status_t apple_set_os()
+{
+	apple_set_os_interface_t *set_os;
+	efi_guid_t set_os_guid = APPLE_SET_OS_PROTOCOL_GUID;
+	efi_status_t status;
+	void **handles;
+	unsigned long i, nr_handles, size = 0;
+
+	status = efi_bs_call(locate_handle, EFI_LOCATE_BY_PROTOCOL,
+			     &set_os_guid, NULL, &size, handles);
+
+	if (status == EFI_BUFFER_TOO_SMALL) {
+		status = efi_bs_call(allocate_pool, EFI_LOADER_DATA,
+				     size, &handles);
+
+		if (status != EFI_SUCCESS)
+			return status;
+
+		status = efi_bs_call(locate_handle, EFI_LOCATE_BY_PROTOCOL,
+				     &set_os_guid, NULL, &size, handles);
+	}
+
+	if (status != EFI_SUCCESS)
+		goto free_handle;
+
+	nr_handles = size / sizeof(void *);
+	for (i = 0; i < nr_handles; i++) {
+		void *h = handles[i];
+
+		status = efi_bs_call(handle_protocol, h,
+				     &set_os_guid, &set_os);
+
+		if (status != EFI_SUCCESS || !set_os)
+			continue;
+
+		if (set_os->version > 0) {
+			efi_bs_call((unsigned long)set_os->set_os_version,
+					"Mac OS X 10.9");
+		}
+
+		if (set_os->version >= 2) {
+			efi_bs_call((unsigned long)set_os->set_os_vendor,
+					"Apple Inc.");
+		}
+	}
+
+free_handle:
+	efi_bs_call(free_pool, uga_handle);
+
+	return status;
+}
+
+ static void __noreturn efi_exit(efi_handle_t handle, efi_status_t status)
+ {
+@@ -951,6 +1008,8 @@ void __noreturn efi_stub_entry(efi_handle_t handle,
+
+ 	setup_unaccepted_memory();
+
+	apple_set_os();
+
+ 	status = exit_boot(boot_params, handle);
+ 	if (status != EFI_SUCCESS) {
+ 		efi_err("exit_boot() failed!\n");
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index d59b0947f..81158014f 100644
+--- a/include/linux/efi.h
+++ b/include/linux/efi.h
+@@ -385,6 +385,7 @@ void efi_native_runtime_setup(void);
+ #define EFI_MEMORY_ATTRIBUTES_TABLE_GUID	EFI_GUID(0xdcfa911d, 0x26eb, 0x469f,  0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20)
+ #define EFI_CONSOLE_OUT_DEVICE_GUID		EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4,  0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d)
+ #define APPLE_PROPERTIES_PROTOCOL_GUID		EFI_GUID(0x91bd12fe, 0xf6c3, 0x44fb,  0xa5, 0xb7, 0x51, 0x22, 0xab, 0x30, 0x3a, 0xe0)
+#define APPLE_SET_OS_PROTOCOL_GUID		EFI_GUID(0xc5c5da95, 0x7d5c, 0x45e6,  0xb2, 0xf1, 0x3f, 0xd5, 0x2b, 0xb1, 0x00, 0x77)
+ #define EFI_TCG2_PROTOCOL_GUID			EFI_GUID(0x607f766c, 0x7455, 0x42be,  0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
+ #define EFI_TCG2_FINAL_EVENTS_TABLE_GUID	EFI_GUID(0x1e2ed096, 0x30e2, 0x4254,  0xbd, 0x89, 0x86, 0x3b, 0xbe, 0xf8, 0x23, 0x25)
+ #define EFI_LOAD_FILE_PROTOCOL_GUID		EFI_GUID(0x56ec3091, 0x954c, 0x11d2,  0x8e, 0x3f, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
+--
+2.42.0
--- a/hosts/hypnos/README.md
+++ b/hosts/hypnos/README.md
@@ -24,24 +24,16 @@ Apple SSD SM0512F | `/dev/sda1` (EFI, 256 MiB, NixOS Boot) <br> `/dev/sda2` (ZFS
 rpool/
 ├── local
 │   ├── nix
+│   └── tmp
+├── system
 │   ├── root
-│   └── state
-└── safe
-    └── persist
+│   └── var
+└── user
+    └── home
 ```

 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.

-#### Impermanence
-
-This machine uses [impermanence](https://github.com/nix-community/impermanence) and is rolled back to a clean state on each reboot.
-
-Mountpoint | Persists across reboots? | Backed up?
--- | --- | ---
-`/` | No | Yes
-`/state` | Yes | No
-`/persist` | Yes | Yes
-
 ### Networks

 - DHCP on `10.0.1.0/24` subnet.
--- a/hosts/hypnos/default.nix
+++ b/hosts/hypnos/default.nix
@@ -4,113 +4,48 @@
  pkgs,
  ...
 }:
-let
-  inherit (lib)
-    mkForce
-    ;
-in
+
 {
  imports = [
    inputs.disko.nixosModules.disko
    ./hardware-configuration.nix
    ./disko-config.nix
    ../desktop.nix
-    ../../modules/nixos/deterministic-ids.nix
    ../../users/jordan
  ];

  nixpkgs = {
    hostPlatform = "x86_64-linux";
    config = {
-      permittedInsecurePackages = [ "broadcom-sta-6.30.223.271-59-6.12.63" ];
+      nvidia.acceptLicense = true;
+      permittedInsecurePackages = [ "broadcom-sta-6.30.223.271-57-6.12.41" ];
    };
  };

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    initrd.systemd = {
-      enable = true;
-      extraBin.cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
-      services."zfs-import-rpool".after = [ "cryptsetup.target" ];
-    };
-    tmp.useTmpfs = true;
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
  };

-  console.earlySetup = true;
+  networking.hostId = "cf791898";

-  systemd.network.enable = true;
-  systemd.network.wait-online.enable = false;
-
-  networking = {
-    hostId = "cf791898";
-    useNetworkd = true;
-    dhcpcd.enable = false;
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        22 # SSH
-      ];
+  # nvidia 470 driver doesn't work with Wayland
+  services = {
+    xserver = {
+      displayManager.gdm.wayland = lib.mkForce false;
+      videoDrivers = [ "nvidia" ];
+    };
+    displayManager = {
+      defaultSession = "gnome-xorg";
    };
-  };
-
-  services.resolved = {
-    enable = true;
-    dnssec = "false";
-    fallbackDns = [
-      "9.9.9.9"
-      "2620:fe::fe"
-      "1.1.1.1"
-      "2606:4700:4700::1111"
-    ];
-    llmnr = "false";
-    extraConfig = ''
-      MulticastDNS=false
-    '';
  };

  # Workaround for label rendering bug in GTK4 with nvidia 470 driver
  environment.sessionVariables.GSK_RENDERER = "gl";

-  environment.persistence."/persist".enable = mkForce true;
-  environment.persistence."/state".enable = mkForce true;
-
-  modules = {
-    system.desktop.gnome.enable = mkForce false;
-  };
-
-  services.openssh.settings.PermitRootLogin = mkForce "prohibit-password";
-
-  users = {
-    users = {
-      root = {
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
-        ];
-      };
-    };
-  };
-
-  users.deterministicIds =
-    let
-      uidGid = id: {
-        uid = id;
-        gid = id;
-      };
-    in
-    {
-      systemd-oom = uidGid 999;
-      systemd-coredump = uidGid 998;
-      sshd = uidGid 997;
-      nscd = uidGid 996;
-      polkituser = uidGid 995;
-      rtkit = uidGid 994;
-      lpadmin = uidGid 993;
-    };
+  environment.systemPackages = [
+    pkgs.moonlight-qt
+  ];

  system.stateVersion = "22.11";
 }
--- a/hosts/hypnos/disko-config.nix
+++ b/hosts/hypnos/disko-config.nix
@@ -8,32 +8,20 @@
        content = {
          type = "gpt";
          partitions = {
-            efi = {
+            ESP = {
              size = "256M";
-              type = "ef00";
+              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
              };
            };
-            swap = {
-              size = "8G";
-              content = {
-                type = "swap";
-                randomEncryption = true;
-              };
-            };
-            rpool = {
+            zfs = {
              size = "100%";
              content = {
-                type = "luks";
-                name = "rpool_ata-APPLE_SSD_SM0512F_S1K5NYBF736152";
-                settings.allowDiscards = true;
-                content = {
-                  type = "zfs";
-                  pool = "rpool";
-                };
+                type = "zfs";
+                pool = "rpool";
              };
            };
          };
@@ -47,59 +35,87 @@
          ashift = "12";
        };
        rootFsOptions = {
-          compression = "zstd";
-          acltype = "posix";
-          atime = "off";
-          xattr = "sa";
-          dnodesize = "auto";
-          mountpoint = "none";
          canmount = "off";
-          devices = "off";
-          exec = "off";
-          setuid = "off";
+          mountpoint = "none";
+          dnodesize = "auto";
+          xattr = "sa";
        };
+        postCreateHook = "zfs snapshot rpool@blank";
        datasets = {
-          "local" = {
+          local = {
            type = "zfs_fs";
-          };
-          "local/root" = {
-            type = "zfs_fs";
-            mountpoint = "/";
            options = {
-              canmount = "noauto";
-              mountpoint = "/";
-              exec = "on";
-              setuid = "on";
+              mountpoint = "none";
            };
-            postCreateHook = "zfs snapshot rpool/local/root@blank";
          };
          "local/nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
            options = {
-              canmount = "noauto";
-              mountpoint = "/nix";
-              exec = "on";
-              setuid = "on";
+              atime = "off";
+              mountpoint = "legacy";
            };
          };
-          "local/state" = {
+          "local/tmp" = {
            type = "zfs_fs";
-            mountpoint = "/state";
+            mountpoint = "/tmp";
            options = {
-              canmount = "noauto";
-              mountpoint = "/state";
+              setuid = "off";
+              devices = "off";
+              mountpoint = "legacy";
            };
          };
-          "safe" = {
+          system = {
            type = "zfs_fs";
-          };
-          "safe/persist" = {
-            type = "zfs_fs";
-            mountpoint = "/persist";
+            mountpoint = "/";
            options = {
-              canmount = "noauto";
-              mountpoint = "/persist";
+              mountpoint = "legacy";
+            };
+          };
+          "system/var" = {
+            type = "zfs_fs";
+            mountpoint = "/var";
+            options = {
+              mountpoint = "legacy";
+            };
+          };
+          "system/var/tmp" = {
+            type = "zfs_fs";
+            mountpoint = "/var/tmp";
+            options = {
+              devices = "off";
+              mountpoint = "legacy";
+            };
+          };
+          "system/var/log" = {
+            type = "zfs_fs";
+            mountpoint = "/var/log";
+            options = {
+              compression = "on";
+              acltype = "posix";
+              mountpoint = "legacy";
+            };
+          };
+          user = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "none";
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              keylocation = "file:///tmp/secret.key";
+            };
+            # use this to read the key during boot
+            postCreateHook = ''
+              zfs set keylocation="prompt" "rpool/$name";
+            '';
+          };
+          "user/home" = {
+            type = "zfs_fs";
+            mountpoint = "/home";
+            options = {
+              setuid = "off";
+              devices = "off";
+              mountpoint = "legacy";
            };
          };
        };
--- a/hosts/hypnos/hardware-configuration.nix
+++ b/hosts/hypnos/hardware-configuration.nix
@@ -30,6 +30,7 @@
    ];
    extraModulePackages = [
      config.boot.kernelPackages.broadcom_sta
+      config.boot.kernelPackages.nvidiaPackages.legacy_470
    ];
  };

@@ -39,6 +40,11 @@

  hardware = {
    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    nvidia = {
+      package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+      modesetting.enable = true;
+      powerManagement.enable = true;
+    };
    graphics = {
      enable = true;
      extraPackages = with pkgs; [
--- a/hosts/hypnos/ssh_host_ed25519_key.pub
+++ b/hosts/hypnos/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGlbvy+4QHbveFbS6r9S0JWUVHeI/MgYLyGtfpZqJ/3
--- a/hosts/library/ai.nix
+++ b/hosts/library/ai.nix
@@ -1,22 +1,19 @@
 {
+  inputs,
  config,
  pkgs,
  ...
 }:

-let
-  stateDir = "/var/lib/open-webui";
-in
 {
-  age.secrets.open-webui-env = {
-    rekeyFile = ./secrets/open-webui-env.age;
+  age.secrets."files/services/open-webui/envfile" = {
+    file = "${inputs.secrets}/files/services/open-webui/envfile.age";
  };

  services.open-webui = {
    enable = true;
    package = pkgs.unstable.open-webui;
    port = 8081;
-    host = "0.0.0.0";
    environment =
      let
        clientId = "open-webui";
@@ -32,33 +29,10 @@ in
        OFFLINE_MODE = "True";
        OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration";
        OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback";
-
-        # Fix from https://github.com/NixOS/nixpkgs/pull/431395
-        STATIC_DIR = "${stateDir}/static";
-        DATA_DIR = "${stateDir}/data";
-        HF_HOME = "${stateDir}/hf_home";
-        SENTENCE_TRANSFORMERS_HOME = "${stateDir}/transformers_home";
      };
-    environmentFile = config.age.secrets.open-webui-env.path;
+    environmentFile = config.age.secrets."files/services/open-webui/envfile".path;
  };

-  # Fix from https://github.com/NixOS/nixpkgs/pull/432897
-  systemd.services.open-webui.preStart = ''
-    if [ -d "${stateDir}/data" ] && [ -n "$(ls -A "${stateDir}/data" 2>/dev/null)" ]; then
-      exit 0
-    fi
-
-    mkdir -p "${stateDir}/data"
-
-    [ -f "${stateDir}/webui.db" ] && mv "${stateDir}/webui.db" "${stateDir}/data/"
-
-    for dir in cache uploads vector_db; do
-      [ -d "${stateDir}/$dir" ] && mv "${stateDir}/$dir" "${stateDir}/data/"
-    done
-
-    exit 0
-  '';
-
  modules.services.borgmatic.directories = [
    "/var/lib/private/open-webui"
  ];
--- a/hosts/library/default.nix
+++ b/hosts/library/default.nix
@@ -17,8 +17,6 @@

  nixpkgs.hostPlatform = "x86_64-linux";

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
--- a/hosts/library/jellyfin.nix
+++ b/hosts/library/jellyfin.nix
@@ -8,7 +8,7 @@
  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
-      libva-vdpau-driver
+      vaapiVdpau
    ];
  };

--- a/hosts/library/jellysearch.nix
+++ b/hosts/library/jellysearch.nix
@@ -13,7 +13,7 @@
  services.meilisearch = {
    enable = true;
    package = pkgs.meilisearch;
-    masterKeyFile = config.age.secrets."files/services/meilisearch/envfile".path;
+    masterKeyEnvironmentFile = config.age.secrets."files/services/meilisearch/envfile".path;
  };

  users.users.jellysearch = {
--- a/hosts/library/nginx.nix
+++ b/hosts/library/nginx.nix
@@ -33,6 +33,25 @@
            '';
          };
        };
+        "chat.ai.vimium.com" = {
+          listen = [
+            {
+              addr = "127.0.0.1";
+              port = 8001;
+            }
+          ];
+          locations."/" = {
+            proxyPass = "http://localhost:8081";
+            extraConfig = proxyConfig + ''
+              # Disable proxy buffering for better streaming response from models
+              proxy_buffering off;
+
+              # Increase max request size for large attachments and long audio messages
+              client_max_body_size 20M;
+              proxy_read_timeout 10m;
+            '';
+          };
+        };
        "jellyfin.vimium.com" = {
          default = true;
          listen = [
--- a/hosts/library/secrets/open-webui-env.age
+++ b/hosts/library/secrets/open-webui-env.age
@@ -1,10 +0,0 @@
-age-encryption.org/v1
-> piv-p256 a1N2XA AqHsJTdBE6LT9QJK7Dek6b3zA/PaqAmma7uRdKHdQQym
-KMB+yq8M+eej5pg7MHFBqzYhQhVnrPpTevDVo1RZn5Q
-> m;#M[T-grease > G>`e0C&G OS
-ichBG8145Jl9vthZfVHcznJmi+c81HHZfd7UGzdfP7TR1wp9ub6IXiqK9KRe7ga7
-N3osvWzwiwCI5oN0NA
--- ILq3bk5+xuZ4CV7J/rQkYBMz5wG2dHzn+G+cvEqUSRw
-j
-æìXÖ+âÊrýá±jÏüÃZW¢¡p¶Âñk‡%Ç—xdC5mÍ§ '[ˆæwÂxáé›¸ã#ÃûËO<18>Ì7<C38C>bC'8ÑÖ3÷bñ{_Ç%_êês&„žªÑ¹rrÚÁ¦ž,
-5L8‚yCØOÅ6oîÆÙk}ˆÏ_®Üižm¾u3|Šf	5°Õ5ãêA¾Vê>¢+âúªóE=¹»è«E²’ÇaE¿-ÉÔ<>^•»Q›¬j…ƒš•7¯6Pì»böàE8*4ß„
--- a/hosts/library/ssh_host_ed25519_key.pub
+++ b/hosts/library/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBP+SH4lzFTE29y9HfjkaO7Ino5OqEws5UXcnBFoo76C
--- a/hosts/mail/default.nix
+++ b/hosts/mail/default.nix
@@ -14,8 +14,6 @@

  nixpkgs.hostPlatform = "x86_64-linux";

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
  networking = {
    hostId = "08ac2f14";
    firewall = {
--- a/hosts/mail/ssh_host_ed25519_key.pub
+++ b/hosts/mail/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGLHtC0JmFfct+lYl0EjgphutmeYY8BWDctY3+/TsO6L
--- a/hosts/odyssey/aws.env
+++ b/hosts/odyssey/aws.env
@@ -1 +0,0 @@
-AWS_REGION=us-east-1
--- a/hosts/odyssey/comfyui-docker.nix
+++ b/hosts/odyssey/comfyui-docker.nix
@@ -1,35 +0,0 @@
-{
-  hardware.graphics.enable32Bit = true;
-  hardware.nvidia-container-toolkit.enable = true;
-
-  virtualisation.docker.enable = true;
-
-  virtualisation.oci-containers = {
-    backend = "docker";
-    containers = {
-      comfyui = {
-        image = "ghcr.io/clsferguson/comfyui-docker:latest";
-        autoStart = true;
-        ports = [ "8188:8188" ];
-        extraOptions = [
-          "--device=nvidia.com/gpu=all"
-          "--ipc=host"
-        ];
-        volumes = [
-          "/home/jordan/ComfyUI/user:/app/ComfyUI/user"
-          "/home/jordan/ComfyUI/custom_nodes:/app/ComfyUI/custom_nodes"
-          "/home/jordan/ComfyUI/models:/app/ComfyUI/models:rw"
-          "/home/jordan/ComfyUI/input:/app/ComfyUI/input:rw"
-          "/home/jordan/ComfyUI/output:/app/ComfyUI/output:rw"
-        ];
-        environment = {
-          TZ = "Europe/London";
-          PUID = "1000";
-          PGID = "1000";
-          COMFY_AUTO_INSTALL = "1";
-          FORCE_SAGE_ATTENTION = "1";
-        };
-      };
-    };
-  };
-}
--- a/hosts/odyssey/default.nix
+++ b/hosts/odyssey/default.nix
@@ -1,4 +1,5 @@
 {
+  lib,
  pkgs,
  ...
 }:
@@ -6,9 +7,7 @@
 {
  imports = [
    ./hardware-configuration.nix
-    ./comfyui-docker.nix
    ./gitea-runner.nix
-    ./home-assistant
    ./nix-serve.nix
    ../desktop.nix
    ../../users/jordan
@@ -21,8 +20,6 @@
    };
  };

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
  boot.loader = {
    systemd-boot = {
      enable = true;
@@ -53,41 +50,6 @@
    capSysAdmin = true;
  };

-  environment.systemPackages = with pkgs; [
-    yubikey-manager
-    age-plugin-yubikey
-  ];
-
-  services.udev.packages = with pkgs; [
-    libfido2
-  ];
-
-  services.pcscd.enable = true;
-
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      email = "hostmaster@vimium.com";
-      dnsProvider = "route53";
-      dnsResolver = "9.9.9.9";
-      credentialFiles = {
-        AWS_SHARED_CREDENTIALS_FILE = "/home/jordan/projects/vimium/infra/credentials";
-      };
-      environmentFile = ./aws.env;
-    };
-    certs = {
-      "vimium.com" = {
-        extraDomainNames = [ "*.vimium.com" ];
-      };
-    };
-  };
-
-  # We actually use the home-manager module to add the actual portal config,
-  # but need this so relevant implementations are found
-  environment.pathsToLink = [
-    "/share/xdg-desktop-portal"
-  ];
-
  modules = {
    hardware.presonus-studio.enable = true;
    services = {
@@ -105,6 +67,10 @@
        repoPath = "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo";
      };
    };
+    system.desktop = {
+      gnome.enable = lib.mkForce false;
+      hyprland.enable = true;
+    };
  };

  system.stateVersion = "22.11";
--- a/hosts/odyssey/hardware-configuration.nix
+++ b/hosts/odyssey/hardware-configuration.nix
@@ -44,7 +44,6 @@
      powerManagement.enable = true;
      nvidiaSettings = false;
    };
-    nvidia-container-toolkit.enable = true;
  };

  powerManagement.cpuFreqGovernor = "schedutil";
--- a/hosts/odyssey/home-assistant/dashboards.nix
+++ b/hosts/odyssey/home-assistant/dashboards.nix
@@ -1,63 +0,0 @@
-{
-  ...
-}:
-
-{
-  /**
-    *******************
-    - Service Dashboard for stats (energy usage, bandwidth etc.)
-    - Dashboard fragment per room
-    - Tablet in each room can display just its associated fragment
-    - Per user dynamic dashboard that shows the dashboard fragment for the room
-      you are in using Bluetooth presence detection
-
-    Rooms: [Auto, Bedroom, Kitchen, Living Room, Office]
-
-    Shared: Date/time, Guest Override action, Weather, Air quality
-
-    Bedroom:
-    - Temperature
-    - Minimal Lights action
-    - Individual light cards
-    - Sheets last changed
-    - Plant last watered
-
-    Kitchen:
-    - Temperature
-    - Individual light cards
-    - Water filter age
-
-    Living Room:
-    - Temperature
-    - Turn TV on action
-      * dynamic card to start Movie Mode
-    - Individual light cards
-    - Plant last watered
-
-    Office:
-    - Temperature
-    - Individual light cards
-    - Bandwidth usage
-    - Computer stats
-
-    Primary IEEE address: 00:12:4B:00:29:E8:B1:9E
-
-    Random inspiration words:
-    - "Temp Disable Office Motion"
-    - "Main Lights {Bright,Dim,Warm}"
-    - "Robot Vacuum"
-    - "Living Room TV"
-    - "Morning wakeup"
-    - "Going to sleep early"
-    - "Take out bins"
-    - "Video Conference"
-    - "Gaming"
-    - Monitor power usage to tell when something has started/stopped
-    - Vibration sensor for kitchen drawer
-    - Todo list for dinner schedule
-    - Air quality sensor in kitchen
-    - Notification to close vents when outdoor air quality is bad
-    - "TV Lights Lock" - don't auto dim-lights on play/pause
-    *********************
-  */
-}
--- a/hosts/odyssey/ssh_host_ed25519_key.pub
+++ b/hosts/odyssey/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJre8/cjdoUnbTu0x4ClTITcq4lq+FjpEyJBbLbOlox7
--- a/hosts/pi/README.md
+++ b/hosts/pi/README.md
@@ -27,4 +27,3 @@ SD card | `/dev/mmcblk0` (ext4, NixOS Root)
 - HDMI to ONKYO HT-R990
 - S/PDIF to ONKYO HT-R990
 - Ethernet to ONKYO HT-R990
- Ethernet to LG TV
--- a/hosts/pi/default.nix
+++ b/hosts/pi/default.nix
@@ -8,14 +8,13 @@
  imports = [
    inputs.nixos-hardware.nixosModules.raspberry-pi-4
    ./hardware-configuration.nix
+    ./home-assistant
    ./snapcast.nix
    ../server.nix
  ];

  nixpkgs.hostPlatform = "aarch64-linux";

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
  hardware = {
    raspberry-pi."4" = {
      apply-overlays-dtmerge.enable = true;
@@ -100,7 +99,7 @@
      ];
    };
    firmware = with pkgs; [
-      linux-firmware
+      firmwareLinuxNonfree
      wireless-regdb
    ];
  };
@@ -130,25 +129,14 @@
    };
  };

-  networking.interfaces = {
-    # Connection to ONKYO HT-R990
-    end0 = {
-      ipv4.addresses = [
-        {
-          address = "172.16.0.1";
-          prefixLength = 30;
-        }
-      ];
-    };
-    # Connection to LG TV
-    enp1s0u2 = {
-      ipv4.addresses = [
-        {
-          address = "172.16.1.1";
-          prefixLength = 30;
-        }
-      ];
-    };
+  # Connection to ONKYO HT-R990
+  networking.interfaces.end0 = {
+    ipv4.addresses = [
+      {
+        address = "172.16.0.1";
+        prefixLength = 30;
+      }
+    ];
  };

  environment.systemPackages = with pkgs; [
--- a/hosts/odyssey/home-assistant/default.nix
+++ b/hosts/odyssey/home-assistant/default.nix
@@ -124,13 +124,13 @@
      "folder_watcher"
      "forecast_solar"
      "frontend"
-      # "gdacs"
+      "gdacs"
      "generic"
      "generic_hygrostat"
      "generic_thermostat"
      "geo_json_events"
      "geo_location"
-      # "geo_rss_events"
+      "geo_rss_events"
      "github"
      "group"
      "hardware"
@@ -244,7 +244,6 @@
      "wake_on_lan"
      "water_heater"
      "weather"
-      "webostv"
      "websocket_api"
      "wled"
      "workday"
--- a/hosts/odyssey/home-assistant/floorplan/default.nix
+++ b/hosts/odyssey/home-assistant/floorplan/default.nix
--- a/hosts/odyssey/home-assistant/floorplan/style.css
+++ b/hosts/odyssey/home-assistant/floorplan/style.css
--- a/hosts/odyssey/home-assistant/mqtt.nix
+++ b/hosts/odyssey/home-assistant/mqtt.nix
--- a/hosts/pi/snapcast.nix
+++ b/hosts/pi/snapcast.nix
@@ -18,7 +18,15 @@
  };

  services.snapserver = {
-    enable = false;
+    enable = true;
+    streams = {
+      default = {
+        type = "file";
+        location = "/var/lib/snapserver/test.wav";
+        sampleFormat = "44100:16:2";
+        codec = "flac";
+      };
+    };
  };

  systemd.services.snapclient = {
--- a/hosts/pi/ssh_host_ed25519_key.pub
+++ b/hosts/pi/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYv5V6Lr1Er1dljwmunurIz1Q3Ce5FsFSxtUOW6aO9J
--- a/hosts/skycam/default.nix
+++ b/hosts/skycam/default.nix
@@ -11,8 +11,6 @@

  nixpkgs.hostPlatform = "aarch64-linux";

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
  networking = {
    hostId = "731d1660";
    firewall = {
--- a/hosts/skycam/hardware-configuration.nix
+++ b/hosts/skycam/hardware-configuration.nix
@@ -78,7 +78,7 @@
        ];
    };
    firmware = with pkgs; [
-      linux-firmware
+      firmwareLinuxNonfree
    ];
  };

--- a/hosts/skycam/ssh_host_ed25519_key.pub
+++ b/hosts/skycam/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv5+HwcRetBxtQZXpGbYv22S4prJu9bYCzKTSoMCl8D
--- a/hosts/vps1/README.md
+++ b/hosts/vps1/README.md
@@ -6,8 +6,8 @@ VPS hosted in OVH.

 ## Specs

- CPU - 4 vCores
- Memory - 4 GB
+- CPU - ??
+- Memory - ??

 ### Disks

--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -12,7 +12,6 @@
    ./matrix.nix
    ./nginx.nix
    ./photoprism.nix
-    ./vaultwarden.nix
    ../server.nix
  ];

@@ -20,8 +19,6 @@
    hostPlatform = "x86_64-linux";
  };

-  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
-
  networking = {
    hostId = "08bf6db3";
    firewall = {
--- a/hosts/vps1/headscale.nix
+++ b/hosts/vps1/headscale.nix
@@ -36,7 +36,7 @@ in
          {
            name = "home.mesh.vimium.net";
            type = "A";
-            value = "100.64.0.5";
+            value = "100.64.0.7";
          }
        ];
        magic_dns = true;
@@ -60,7 +60,7 @@ in
      forceSSL = true;
      enableACME = true;
      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
+        proxyPass = "http://localhost:${toString config.services.headscale.port}";
        proxyWebsockets = true;
      };
    };
--- a/hosts/vps1/kanidm.nix
+++ b/hosts/vps1/kanidm.nix
@@ -6,27 +6,14 @@
 let
  baseDomain = "vimium.com";
  domain = "auth.${baseDomain}";
-
-  mkRandomSecret = {
-    generator.script = "alnum";
-    mode = "440";
-    group = "kanidm";
-  };
 in
 {
-  age.secrets.kanidm-admin-password = mkRandomSecret;
-  age.secrets.kanidm-idm-admin-password = mkRandomSecret;
-
-  age.secrets.kanidm-oauth2-gitea = mkRandomSecret;
-  age.secrets.kanidm-oauth2-open-webui = mkRandomSecret;
-  age.secrets.kanidm-oauth2-vaultwarden = mkRandomSecret;
-
  services.kanidm =
    let
      uri = "https://${domain}";
    in
    {
-      package = pkgs.unstable.kanidmWithSecretProvisioning_1_7;
+      package = pkgs.unstable.kanidm;
      enableClient = true;
      enableServer = true;
      clientSettings = {
@@ -41,92 +28,8 @@ in
        tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
        version = "2";
      };
-      provision = {
-        enable = true;
-        adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
-        idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
-
-        persons.jordan = {
-          displayName = "Jordan Holt";
-          legalName = "Jordan Holt";
-          mailAddresses = [
-            "jordan@vimium.com"
-          ];
-          groups = [
-            "gitea_admins"
-            "gitea_users"
-            "jellyfin_admins"
-            "jellyfin_users"
-            "open-webui_admins"
-            "open-webui_users"
-            "vaultwarden_users"
-          ];
-        };
-
-        groups."gitea_admins" = { };
-        groups."gitea_users" = { };
-        systems.oauth2.gitea = {
-          displayName = "Gitea";
-          originUrl = "https://git.vimium.com/user/oauth2/Vimium/callback";
-          originLanding = "https://git.vimium.com/";
-          basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
-          scopeMaps."gitea_users" = [
-            "openid"
-            "email"
-            "profile"
-          ];
-          allowInsecureClientDisablePkce = true;
-          preferShortUsername = true;
-          claimMaps.groups = {
-            joinType = "array";
-            valuesByGroup."gitea_admins" = [ "admin" ];
-          };
-        };
-
-        groups."jellyfin_admins" = { };
-        groups."jellyfin_users" = { };
-
-        groups."open-webui_admins" = { };
-        groups."open-webui_users" = { };
-        systems.oauth2.open-webui = {
-          displayName = "Open WebUI";
-          originUrl = "https://chat.ai.vimium.com/oauth/oidc/callback";
-          originLanding = "https://chat.ai.vimium.com/";
-          basicSecretFile = config.age.secrets.kanidm-oauth2-open-webui.path;
-          scopeMaps."open-webui_users" = [
-            "openid"
-            "email"
-            "profile"
-          ];
-          allowInsecureClientDisablePkce = true;
-          claimMaps.groups = {
-            joinType = "array";
-            valuesByGroup."open-webui_admins" = [ "admin" ];
-          };
-        };
-
-        groups."vaultwarden_users" = { };
-        systems.oauth2.vaultwarden = {
-          displayName = "Vaultwarden";
-          originUrl = "https://vaultwarden.vimium.com/identity/connect/oidc-signin";
-          originLanding = "https://vaultwarden.vimium.com/";
-          basicSecretFile = config.age.secrets.kanidm-oauth2-vaultwarden.path;
-          scopeMaps."vaultwarden_users" = [
-            "openid"
-            "email"
-            "profile"
-          ];
-        };
-      };
    };

-  # LDAP server binds to tailscale network interface
-  systemd.services.kanidm = {
-    requires = [ "tailscaled.service" ];
-    after = [ "tailscaled.service" ];
-    serviceConfig.RestartSec = "60";
-  };
-
  services.nginx.virtualHosts = {
    "${domain}" = {
      useACMEHost = "${domain}";
--- a/hosts/vps1/matrix.nix
+++ b/hosts/vps1/matrix.nix
@@ -1,5 +1,4 @@
 {
-  inputs,
  config,
  lib,
  pkgs,
@@ -27,69 +26,33 @@ let
  };
  matrixServerConfig."m.server" = "${matrixSubdomain}:443";
  commonBridgeSettings = bridge: {
-    database = lib.mkIf usePostgresql {
-      type = "postgres";
-      uri = "postgresql:///${bridge}?host=/run/postgresql";
+    appservice = {
+      database = lib.mkIf usePostgresql {
+        type = "postgres";
+        uri = "postgresql:///${bridge}?host=/run/postgresql";
+      };
    };
    bridge = {
+      encryption = {
+        allow = true;
+        default = true;
+        require = true;
+      };
      permissions = {
        "${serverName}" = "user";
        "@jordan:${serverName}" = "admin";
      };
-    };
-    encryption = {
-      allow = true;
-      default = true;
-      require = true;
-    };
-    provisioning = {
-      shared_secret = "disable";
+      provisioning = {
+        shared_secret = "disable";
+      };
    };
    homeserver = {
      address = "https://${matrixSubdomain}";
      domain = serverName;
    };
-    double_puppet.secrets = {
-      "${serverName}" = "as_token:$MAUTRIX_DOUBLEPUPPET_TOKEN";
-    };
  };
-  proxyConfig = ''
-    proxy_set_header        Host $host;
-    proxy_set_header        X-Real-IP $remote_addr;
-    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header        X-Forwarded-Proto $scheme;
-    proxy_set_header        X-Forwarded-Host $host;
-    proxy_set_header        X-Forwarded-Server $host;
-  '';
 in
 {
-  # Backport new options from https://github.com/NixOS/nixpkgs/pull/446155
-  disabledModules = [
-    "services/matrix/mautrix-whatsapp.nix"
-  ];
-
-  imports = [
-    (inputs.nixpkgs-unstable + /nixos/modules/services/matrix/mautrix-whatsapp.nix)
-  ];
-
-  age.secrets = {
-    mautrix-doublepuppet-registration = {
-      rekeyFile = ./secrets/mautrix-doublepuppet-registration.age;
-      mode = "0440";
-      group = "matrix-synapse";
-    };
-    mautrix-signal-env = {
-      rekeyFile = ./secrets/mautrix-signal-env.age;
-      mode = "0440";
-      group = "mautrix-signal";
-    };
-    mautrix-whatsapp-env = {
-      rekeyFile = ./secrets/mautrix-whatsapp-env.age;
-      mode = "0440";
-      group = "mautrix-whatsapp";
-    };
-  };
-
  networking.firewall.allowedTCPPorts = [
    8448 # Matrix federation
  ];
@@ -136,16 +99,19 @@ in
      ];
      locations = {
        "/" = {
-          proxyPass = "http://127.0.0.1:8008";
-          extraConfig = proxyConfig;
+          proxyPass = "http://localhost:8008";
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
+          '';
        };
        "/_matrix" = {
-          proxyPass = "http://127.0.0.1:8008";
-          extraConfig = proxyConfig + ''
+          proxyPass = "http://localhost:8008";
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
            client_max_body_size 50M;
          '';
        };
-        "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+        "/_synapse/client".proxyPass = "http://localhost:8008";
      };
    };
    "${serverName}" =
@@ -196,9 +162,6 @@ in
    enable = true;
    enableRegistrationScript = true;
    settings = {
-      app_service_config_files = [
-        config.age.secrets.mautrix-doublepuppet-registration.path
-      ];
      database.name = (if usePostgresql then "psycopg2" else "sqlite3");
      enable_metrics = false;
      enable_registration = false;
@@ -235,33 +198,23 @@ in

  services.mautrix-signal = lib.mkIf bridges.signal {
    enable = true;
-    environmentFile = config.age.secrets.mautrix-signal-env.path;
-    settings = lib.recursiveUpdate {
-      encryption = {
-        pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
-      };
-    } (commonBridgeSettings "mautrix-signal");
+    settings = commonBridgeSettings "mautrix-signal";
  };

  services.mautrix-whatsapp = lib.mkIf bridges.whatsapp {
    enable = true;
-    environmentFile = config.age.secrets.mautrix-whatsapp-env.path;
-    settings = lib.recursiveUpdate {
-      backfill = {
-        enabled = true;
-        max_initial_messags = 50;
-      };
-      encryption = {
-        pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
-      };
-      network = {
-        mute_status_broadcast = true;
+    settings = {
+      bridge = {
        history_sync = {
+          backfill = true;
          max_initial_conversations = -1;
+          message_count = 50;
          request_full_sync = true;
        };
+        mute_bridging = true;
      };
-    } (commonBridgeSettings "mautrix-whatsapp");
+    }
+    // commonBridgeSettings "mautrix-whatsapp";
  };

  environment.persistence."/persist".directories = [
--- a/hosts/vps1/nginx.nix
+++ b/hosts/vps1/nginx.nix
@@ -17,7 +17,7 @@ let
    add_header Expect-CT max-age=30 always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
-    add_header Vimium-Responding-Instance edge-lhr-a0 always;
+    add_header Vimium-Responding-Instance $hostname;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff always;
  '';
@@ -82,33 +82,14 @@ in
        maxSize = "100m";
      };
    };
-    proxyResolveWhileRunning = true;
-    resolver.addresses = [ "100.100.100.100" ];
-    upstreams = {
-      jellyfin.servers = {
-        "library.mesh.vimium.net:8096" = {
-          fail_timeout = "30s";
-        };
-      };
-      open-webui.servers = {
-        "library.mesh.vimium.net:8081" = {
-          fail_timeout = "30s";
-        };
-      };
-      skycam.servers = {
-        "skycam.mesh.vimium.net:1984" = {
-          fail_timeout = "30s";
-        };
-      };
-    };
    virtualHosts = {
-      ## Proxied sites
+      ## Static sites
      "chat.ai.vimium.com" = {
        forceSSL = true;
        enableACME = true;
        extraConfig = nginxErrorPages + nginxEdgeHeaders;
        locations."/" = {
-          proxyPass = "http://open-webui";
+          proxyPass = "http://localhost:8001";
          extraConfig = ''
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
@@ -133,7 +114,7 @@ in
        enableACME = true;
        extraConfig = nginxErrorPages + nginxEdgeHeaders;
        locations."/" = {
-          proxyPass = "http://jellyfin";
+          proxyPass = "http://localhost:8000";
          extraConfig = ''
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
@@ -148,12 +129,7 @@ in
            proxy_set_header Connection "upgrade";
          '';
        };
-        locations."/metrics" = {
-          return = "404";
-        };
      };
-
-      ## Static sites
      "jdholt.com" = {
        forceSSL = true;
        enableACME = true;
@@ -164,8 +140,11 @@ in
        };
        locations."/skycam/snapshot.jpg" = {
          extraConfig = ''
-            set $args "";
-            proxy_pass http://skycam/api/frame.jpeg?src=rpicam;
+            set $backend "skycam.mesh.vimium.net:1984";
+
+            resolver 100.100.100.100;
+
+            proxy_pass http://$backend/api/frame.jpeg?src=rpicam;
            proxy_cache skycam_cache;
            proxy_cache_valid any 10s;
            proxy_ignore_headers Cache-Control Expires Set-Cookie;
@@ -185,6 +164,15 @@ in
          root = "/var/www/pki.vimium.com";
        };
      };
+      "suhailhussain.com" = {
+        forceSSL = true;
+        enableACME = true;
+        serverAliases = [ "www.suhailhussain.com" ];
+        extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
+        locations."/" = {
+          root = "/var/www/suhailhussain.com";
+        };
+      };
      "vimium.com" = {
        default = true;
        forceSSL = true;
@@ -202,7 +190,6 @@ in
        };
      };
    }
-
    ## Redirects
    // (mkRedirect "h0lt.com" "jdholt.com")
    // (mkRedirect "jordanholt.xyz" "jdholt.com")
--- a/hosts/vps1/secrets/mautrix-doublepuppet-registration.age
+++ b/hosts/vps1/secrets/mautrix-doublepuppet-registration.age
--- a/hosts/vps1/secrets/mautrix-signal-env.age
+++ b/hosts/vps1/secrets/mautrix-signal-env.age
@@ -1,9 +0,0 @@
-age-encryption.org/v1
-> piv-p256 a1N2XA AuFF7Zqic+KNiU82xDS8ItdNSnr1045DpKOyYHZgq3kE
-qNK+p6I6kR2A41d/gVyCp2b3xu7g0/rCXIL22Gal3IA
-> R.kR/-r-grease 5Q54Z B.x PMjy\
-3ajY8AoJzUB9fiDnHoFVSIPEfvgAk2VtJeHNOno9cxeK6uZ+Ve22pUWBN2cp+2Qz
-J7J9U1zQWVSOum3dDmscAVBzf4Hw2hUBZcAnZA
--- hZ4N9mXSCS3zT9R/Axb9dWVx5Lr+mLxxXuR45oehok4
-§½zó©ƒ¢âJ%ÓÍwþèðÍœŸ–ùcÛ' “«ÀK39¦´Ë¯ÀqªGøbX6<58>6±Ìšƒ¶p˜4ºmG<6D>æÕá¤ãŒÄ
-ê‡¿ë`¿8
--- a/hosts/vps1/secrets/mautrix-whatsapp-env.age
+++ b/hosts/vps1/secrets/mautrix-whatsapp-env.age
--- a/hosts/vps1/secrets/vaultwarden-env.age
+++ b/hosts/vps1/secrets/vaultwarden-env.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> piv-p256 a1N2XA A+JTQrgN4xxrQpLhyMtfq82/26DwsudKmxyE8gx9PlJU
-oZjXRvr2mza+28asKcXzSDU0em5edPpazk5dOLXrvZ8
-> )z\cT7C|-grease v>P/r|O s\(zEXaF Q ,!Y2g+NM
-ZAEVPuF8OEWWNKFP+7IUrpaDydZDAFCRnj1vOdGiBf6BzgbicAAmIF4XgBQqpE5M
-JoCzgjdKB1kLOQB2PWRfJ02L93/zFQXm
--- vcFS71G0ZZ1bU8dKgMmLMv5sUIi/TYjOu41EuDpJyXw
-:żöźŚç÷!ä-<ˇě:”śđËrg?ŻN-i’†Ş?ŤdĺZ2hÍ3ţŽ]
--- a/hosts/vps1/ssh_host_ed25519_key.pub
+++ b/hosts/vps1/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc
--- a/hosts/vps1/vaultwarden.nix
+++ b/hosts/vps1/vaultwarden.nix
@@ -1,78 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  inherit (lib)
-    mkForce
-    ;
-  baseDomain = "vimium.com";
-  domain = "vaultwarden.${baseDomain}";
-in
-{
-  age.secrets.vaultwarden-env = {
-    rekeyFile = ./secrets/vaultwarden-env.age;
-    mode = "0440";
-    group = "vaultwarden";
-  };
-
-  services.vaultwarden = {
-    enable = true;
-    dbBackend = "sqlite";
-    backupDir = "/var/cache/vaultwarden-backup";
-    config = {
-      dataFolder = mkForce "/var/lib/vaultwarden";
-      useSysLog = true;
-      webVaultEnabled = true;
-
-      rocketPort = 8222;
-
-      ssoEnabled = true;
-      ssoOnly = true;
-      ssoAuthority = "https://auth.vimium.com/oauth2/openid/vaultwarden";
-      ssoClientId = "vaultwarden";
-      signupsAllowed = false;
-      passwordIterations = 1000000;
-      invitationsAllowed = true;
-      invitationOrgName = "Vimium";
-      domain = "https://${domain}";
-    };
-    environmentFile = config.age.secrets.vaultwarden-env.path;
-  };
-
-  services.nginx.virtualHosts = {
-    "${domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
-        proxyWebsockets = true;
-      };
-    };
-  };
-
-  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = mkForce "/var/lib/vaultwarden";
-  systemd.services.vaultwarden.serviceConfig = {
-    StateDirectory = mkForce "vaultwarden";
-    RestartSec = "60";
-  };
-
-  environment.persistence."/persist".directories = [
-    {
-      directory = "/var/lib/vaultwarden";
-      user = "vaultwarden";
-      group = "vaultwarden";
-      mode = "0700";
-    }
-  ];
-
-  environment.persistence."/state".directories = [
-    {
-      directory = config.services.vaultwarden.backupDir;
-      user = "vaultwarden";
-      group = "vaultwarden";
-      mode = "0700";
-    }
-  ];
-}
--- a/hosts/vps2/default.nix
+++ b/hosts/vps2/default.nix
@@ -0,0 +1,31 @@
+{
+  inputs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+    ./hardware-configuration.nix
+    ./disko-config.nix
+    ../server.nix
+  ];
+
+  nixpkgs = {
+    hostPlatform = "x86_64-linux";
+  };
+
+  networking = {
+    hostId = "60de4af8";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22 # SSH
+      ];
+    };
+  };
+
+  modules.services.tailscale.isExitNode = true;
+
+  system.stateVersion = "25.05";
+}
--- a/hosts/vps2/disko-config.nix
+++ b/hosts/vps2/disko-config.nix
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "2M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "300M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/vps2/hardware-configuration.nix
+++ b/hosts/vps2/hardware-configuration.nix
@@ -0,0 +1,29 @@
+{
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "xen_blkfront"
+        "vmw_pvscsi"
+      ];
+      kernelModules = [ "nvme" ];
+    };
+    loader.grub = {
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+    };
+    tmp.cleanOnBoot = true;
+  };
+
+  zramSwap.enable = true;
+}
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -5,6 +5,8 @@
    ./services/borgmatic.nix
    ./services/postgresql.nix
    ./services/tailscale.nix
+    ./system/desktop/gnome.nix
+    ./system/desktop/hyprland.nix
    ./system/wireless.nix
  ];
 }
--- a/modules/nixos/deterministic-ids.nix
+++ b/modules/nixos/deterministic-ids.nix
@@ -1,100 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}:
-let
-  inherit (lib)
-    concatLists
-    flip
-    mapAttrsToList
-    mkDefault
-    mkIf
-    mkOption
-    types
-    ;
-
-  cfg = config.users.deterministicIds;
-in
-{
-  options = {
-    users.deterministicIds = mkOption {
-      default = { };
-      description = ''
-        Maps a user or group name to its expected uid/gid values. If a user/group is
-        used on the system without specifying a uid/gid, this module will assign the
-        corresponding ids defined here, or show an error if the definition is missing.
-      '';
-      type = types.attrsOf (
-        types.submodule {
-          options = {
-            uid = mkOption {
-              type = types.nullOr types.int;
-              default = null;
-              description = "The uid to assign if it is missing in `users.users.<name>`.";
-            };
-            gid = mkOption {
-              type = types.nullOr types.int;
-              default = null;
-              description = "The gid to assign if it is missing in `users.groups.<name>`.";
-            };
-          };
-        }
-      );
-    };
-
-    users.users = mkOption {
-      type = types.attrsOf (
-        types.submodule (
-          { name, ... }:
-          {
-            config.uid =
-              let
-                deterministicUid = cfg.${name}.uid or null;
-              in
-              mkIf (deterministicUid != null) (mkDefault deterministicUid);
-          }
-        )
-      );
-    };
-
-    users.groups = mkOption {
-      type = types.attrsOf (
-        types.submodule (
-          { name, ... }:
-          {
-            config.gid =
-              let
-                deterministicGid = cfg.${name}.gid or null;
-              in
-              mkIf (deterministicGid != null) (mkDefault deterministicGid);
-          }
-        )
-      );
-    };
-  };
-
-  config = {
-    assertions =
-      concatLists (
-        flip mapAttrsToList config.users.users (
-          name: user: [
-            {
-              assertion = user.uid != null;
-              message = "non-deterministic uid detected for '${name}', please assign one via `users.deterministicIds`";
-            }
-            {
-              assertion = !user.autoSubUidGidRange;
-              message = "non-deterministic subUids/subGids detected for: ${name}";
-            }
-          ]
-        )
-      )
-      ++ flip mapAttrsToList config.users.groups (
-        name: group: {
-          assertion = group.gid != null;
-          message = "non-deterministic gid detected for '${name}', please assign one via `users.deterministicIds`";
-        }
-      );
-  };
-}
--- a/modules/nixos/impermanence.nix
+++ b/modules/nixos/impermanence.nix
@@ -1,14 +1,21 @@
 {
  config,
+  pkgs,
  lib,
  ...
 }:
 let
  inherit (lib)
+    attrNames
+    flip
+    isAttrs
+    mapAttrs
    mkIf
+    mkMerge
+    mkOption
    optionals
+    types
    ;
-  zfsPkg = config.boot.zfs.package;
 in
 {
  boot.zfs.forceImportRoot = false;
@@ -24,7 +31,7 @@ in
        unitConfig.DefaultDependencies = "no";
        serviceConfig = {
          Type = "oneshot";
-          ExecStart = "${zfsPkg}/bin/zfs rollback -r rpool/local/root@blank";
+          ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
        };
      };

@@ -81,4 +88,60 @@ in
  };

  users.mutableUsers = !config.environment.persistence."/persist".enable;
+
+  # For each user that has a home-manager config, merge the locally defined
+  # persistence options that we defined above.
+  imports =
+    let
+      mkUserFiles = map (
+        x: { parentDirectory.mode = "700"; } // (if isAttrs x then x else { file = x; })
+      );
+      mkUserDirs = map (x: { mode = "700"; } // (if isAttrs x then x else { directory = x; }));
+    in
+    [
+      {
+        environment.persistence = mkMerge (
+          flip map (attrNames config.home-manager.users) (
+            user:
+            let
+              hmUserCfg = config.home-manager.users.${user};
+            in
+            flip mapAttrs hmUserCfg.home.persistence (
+              _: sourceCfg: {
+                users.${user} = {
+                  files = mkUserFiles sourceCfg.files;
+                  directories = mkUserDirs sourceCfg.directories;
+                };
+              }
+            )
+          )
+        );
+      }
+    ];
+
+  home-manager.sharedModules = [
+    {
+      options.home.persistence = mkOption {
+        description = "Additional persistence config for the given source path";
+        default = { };
+        type = types.attrsOf (
+          types.submodule {
+            options = {
+              files = mkOption {
+                description = "Additional files to persist via NixOS impermanence.";
+                type = types.listOf (types.either types.attrs types.str);
+                default = [ ];
+              };
+
+              directories = mkOption {
+                description = "Additional directories to persist via NixOS impermanence.";
+                type = types.listOf (types.either types.attrs types.str);
+                default = [ ];
+              };
+            };
+          }
+        );
+      };
+    }
+  ];
 }
--- a/modules/nixos/podman.nix
+++ b/modules/nixos/podman.nix
@@ -1,4 +1,5 @@
 {
+  pkgs,
  lib,
  config,
  ...
@@ -8,7 +9,6 @@ with lib;

 let
  cfg = config.modules.podman;
-  zfsPkg = config.boot.zfs.package;
 in
 {
  options.modules.podman = {
@@ -29,7 +29,7 @@ in
          dates = "weekly";
          flags = [ "--all" ];
        };
-        extraPackages = [ zfsPkg ];
+        extraPackages = [ pkgs.zfs ];
      };

      containers.storage.settings.storage = {
--- a/modules/nixos/system/desktop/gnome.nix
+++ b/modules/nixos/system/desktop/gnome.nix
@@ -0,0 +1,80 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.modules.system.desktop.gnome;
+in
+{
+  options.modules.system.desktop.gnome = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.xserver = {
+      enable = true;
+      displayManager.gdm.enable = true;
+      desktopManager.gnome.enable = true;
+    };
+
+    services.flatpak.enable = true;
+    services.fwupd.enable = true;
+
+    programs.dconf.enable = true;
+
+    environment.systemPackages = with pkgs.unstable; [
+      adw-gtk3
+      adwaita-fonts
+      libsForQt5.qtstyleplugin-kvantum
+      morewaita-icon-theme
+      nautilus-python
+      qadwaitadecorations
+      qadwaitadecorations-qt6
+
+      ## Shell extensions
+      gnomeExtensions.appindicator
+      gnomeExtensions.arcmenu
+      gnomeExtensions.blur-my-shell
+      gnomeExtensions.burn-my-windows
+      gnomeExtensions.clipboard-indicator
+      gnomeExtensions.coverflow-alt-tab
+      gnomeExtensions.dash-to-panel
+      gnomeExtensions.desktop-cube
+      gnomeExtensions.easyScreenCast
+      gnomeExtensions.espresso
+      gnomeExtensions.fly-pie
+      gnomeExtensions.forge
+      gnomeExtensions.gsconnect
+      gnomeExtensions.gsnap
+      gnomeExtensions.hide-top-bar
+      gnomeExtensions.just-perfection
+      gnomeExtensions.media-controls
+      gnomeExtensions.mouse-follows-focus
+      # gnomeExtensions.pano (disabled due to: https://github.com/NixOS/nixpkgs/issues/369438)
+      gnomeExtensions.paperwm
+      gnomeExtensions.pip-on-top
+      gnomeExtensions.search-light
+      gnomeExtensions.smart-auto-move
+      gnomeExtensions.space-bar
+      gnomeExtensions.tiling-assistant
+      gnomeExtensions.tiling-shell
+      gnomeExtensions.todotxt
+      gnomeExtensions.vitals
+      gnomeExtensions.window-is-ready-remover
+      gnomeExtensions.worksets
+      gnomeExtensions.workspace-matrix
+    ];
+
+    environment.persistence."/persist".directories = [
+      "/etc/NetworkManager"
+      "/var/lib/AccountsService"
+      "/var/lib/NetworkManager"
+    ];
+  };
+}
--- a/modules/nixos/system/desktop/hyprland.nix
+++ b/modules/nixos/system/desktop/hyprland.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    ;
+  cfg = config.modules.system.desktop.hyprland;
+in
+{
+  options.modules.system.desktop.hyprland.enable = mkEnableOption "hyprland";
+
+  config = mkIf cfg.enable {
+    networking.networkmanager.enable = true;
+
+    programs.hyprland = {
+      enable = true;
+      withUWSM = true;
+    };
+  };
+}
--- a/nix/agenix-rekey.nix
+++ b/nix/agenix-rekey.nix
@@ -1,29 +0,0 @@
-{
-  inputs,
-  ...
-}:
-{
-  imports = [
-    inputs.agenix-rekey.flakeModule
-  ];
-
-  perSystem =
-    { config, ... }:
-    {
-      agenix-rekey.nixosConfigurations = inputs.self.nixosConfigurations;
-      devshells.default = {
-        commands = [
-          {
-            inherit (config.agenix-rekey) package;
-            help = "Edit, generate, and rekey secrets";
-          }
-        ];
-        env = [
-          {
-            name = "AGENIX_REKEY_ADD_TO_GIT";
-            value = "true";
-          }
-        ];
-      };
-    };
-}
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@@ -54,6 +54,7 @@
          "pi"
          "skycam"
          "vps1"
+          "vps2"
        ] mkDeployNode;
      };
    };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -31,8 +31,6 @@ lib.mapAttrs (
    else
      # Namespaced package sets in regular attrsets.
      prev.${name} // value
-  else if name == "vaultwarden" then
-    final.callPackage value { rustPlatform = final.unstable.rustPlatform; }
  else
    final.callPackage value { }
 ) pkgs
--- a/pkgs/vaultwarden/package.nix
+++ b/pkgs/vaultwarden/package.nix
@@ -1,65 +0,0 @@
-{
-  lib,
-  stdenv,
-  callPackage,
-  rustPlatform,
-  fetchFromGitHub,
-  nixosTests,
-  pkg-config,
-  openssl,
-  libiconv,
-  dbBackend ? "sqlite",
-  libmysqlclient,
-  libpq,
-}:
-
-let
-  webvault = callPackage ./webvault.nix { };
-in
-
-rustPlatform.buildRustPackage rec {
-  pname = "vaultwarden";
-  version = "git-" + builtins.substring 0 7 src.rev;
-
-  src = fetchFromGitHub {
-    owner = "dani-garcia";
-    repo = "vaultwarden";
-    rev = "a2ad1dc7c3d28834749d4b14206838d795236c27";
-    sha256 = "sha256-6Qmp/Uv8hdKuL9e3tPMKgNq1ZdvRQbzM65ifmS2Z3UY=";
-  };
-
-  cargoHash = "sha256-F7we9rurJ7srz54lsuSrdoIZpkGE+4ncW3+wjEwaD7M=";
-
-  # used for "Server Installed" version in admin panel
-  env.VW_VERSION = version;
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [
-    openssl
-  ]
-  ++ lib.optionals stdenv.hostPlatform.isDarwin [
-    libiconv
-  ]
-  ++ lib.optional (dbBackend == "mysql") libmysqlclient
-  ++ lib.optional (dbBackend == "postgresql") libpq;
-
-  buildFeatures = dbBackend;
-
-  passthru = {
-    inherit webvault;
-    tests = nixosTests.vaultwarden;
-    updateScript = callPackage ./update.nix { };
-  };
-
-  meta = with lib; {
-    description = "Unofficial Bitwarden compatible server written in Rust";
-    homepage = "https://github.com/dani-garcia/vaultwarden";
-    changelog = "https://github.com/dani-garcia/vaultwarden/releases/tag/${version}";
-    license = licenses.agpl3Only;
-    maintainers = with maintainers; [
-      dotlambda
-      SuperSandro2000
-    ];
-    mainProgram = "vaultwarden";
-  };
-}
--- a/pkgs/vaultwarden/webvault.nix
+++ b/pkgs/vaultwarden/webvault.nix
@@ -1,83 +0,0 @@
-{
-  lib,
-  buildNpmPackage,
-  fetchFromGitHub,
-  nixosTests,
-  python3,
-  vaultwarden,
-}:
-
-let
-  version = "2025.8.0";
-
-  bw_web_builds = fetchFromGitHub {
-    owner = "dani-garcia";
-    repo = "bw_web_builds";
-    rev = "v${version}";
-    hash = "sha256-93acGKO3Fq81M1wKPvIynvkTFXPQXypcMb+c4aEtxJc=";
-  };
-
-in
-buildNpmPackage rec {
-  pname = "vaultwarden-webvault";
-  inherit version;
-
-  src = fetchFromGitHub {
-    owner = "vaultwarden";
-    repo = "vw_web_builds";
-    rev = bw_web_builds.rev;
-    hash = "sha256-u51EP4I+bUcTeMqfzx1gbZMxpjalt3bpK3QGp5QEpYU=";
-  };
-
-  npmDepsHash = "sha256-wi7ZDgGKXrtueLob5OVNKCpnzC00UW9zo8KwuoyL1Bo=";
-
-  postPatch = ''
-    ln -s ${bw_web_builds}/{patches,resources} ..
-  '';
-
-  nativeBuildInputs = [
-    python3
-  ];
-
-  makeCacheWritable = true;
-
-  env = {
-    ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
-    npm_config_build_from_source = "true";
-  };
-
-  npmRebuildFlags = [
-    # FIXME one of the esbuild versions fails to download @esbuild/linux-x64
-    "--ignore-scripts"
-  ];
-
-  npmBuildScript = "dist:oss:selfhost";
-
-  npmBuildFlags = [
-    "--workspace"
-    "apps/web"
-  ];
-
-  npmFlags = [ "--legacy-peer-deps" ];
-
-  installPhase = ''
-    runHook preInstall
-    mkdir -p $out/share/vaultwarden
-    mv apps/web/build $out/share/vaultwarden/vault
-    runHook postInstall
-  '';
-
-  passthru = {
-    inherit bw_web_builds;
-    tests = nixosTests.vaultwarden;
-  };
-
-  meta = with lib; {
-    description = "Integrates the web vault into vaultwarden";
-    homepage = "https://github.com/dani-garcia/bw_web_builds";
-    changelog = "https://github.com/dani-garcia/bw_web_builds/releases/tag/v${version}";
-    platforms = platforms.all;
-    license = licenses.gpl3Plus;
-    inherit (vaultwarden.meta) maintainers;
-  };
-}
--- a/secrets/generated/vps1/kanidm-admin-password.age
+++ b/secrets/generated/vps1/kanidm-admin-password.age
@@ -1,7 +0,0 @@
-age-encryption.org/v1
-> piv-p256 a1N2XA A54fi3eKkgTq6VOnMm2ze+aHVpJ0NNsqT+w7nvYoznbM
-t/dRpZzqO/mX7iHLxbvzVxdmTECkRFPA5jmYfZwbMR0
-> O_h4MVE-grease {- v~ 05B3
-Clwo0RqQmOGC24XDUIA+4MfDLlWnc3SjR8Kk0Wokqf6R5QFobU4
--- loq7Xutgff/pptwqLMmjVA1uZwtDE1z6wsORzSgY80w
-"¯2ÑQœ`D„ $ÐNÑÃ<å<>Ä.•Ò=5ŸÊ8‘%g†±E¶òl[T˜Iùy
--- a/secrets/generated/vps1/kanidm-idm-admin-password.age
+++ b/secrets/generated/vps1/kanidm-idm-admin-password.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> piv-p256 a1N2XA Aul2Rho3PfWaREBYYJr5FpyV5+eQ18GY5DT1dB9QcAH8
-wDHmswR1WRsqCrqRv6imy2oeo+FP3Z1kDpWvr/IzcUY
-> 4-grease x K>#G$!
-WbQ2yy2Pkkn0BYBR+y0tPLCFTN6cKEYGEp4B+nagPf42XONM3Q4ewp5UJF25rAiJ
-LsUecsY7dvX1n9HAz6uBwMm6Xt4
--- iPJfeOsee5HmeCB5NRHSPIywjhUrjdhsoEx9aTxbrZs
-^É½$jFP	®ä@¦ÈÆéŠ¿[|Òÿ«N´p2Æåà–|[ðÞI>>‡%f ©ç„Ö§´l¡W‘!Av`¬ß2‰¨Ù8³jVffÀJÎÛ
--- a/secrets/generated/vps1/kanidm-oauth2-gitea.age
+++ b/secrets/generated/vps1/kanidm-oauth2-gitea.age
@@ -1,9 +0,0 @@
-age-encryption.org/v1
-> piv-p256 a1N2XA A5Gj5hu1YQbUrm3IK35oDUHhnohr594lykadF+Smf+LB
-grnVZatvY80rTTQR8bZphg/25aa1cKJYUGh+jYGqi7A
-> 0-grease 6#aWp kp fD7ks3KL -)qyQ
-FH1L4t8VAxZIOeP6bPJV3qdaBXPXGkuroABtMs7D88WzHduNjBoETZH47zekRDVM
-BAGAdcqSHuGyCp7EA4lgttN/vfA+8fAbcit/p98TTiGQbXZ4YYg
--- KB5apFUmA/vu8OLpReNzr2zeDyig5NZ8iBXdy5XDbXM
-ƒ€æÔ<EFBFBD>rÅ§)NäSð•8óXÒsÏÇçàGÌx<C38C>qÀ%®éÎ½²<C2BD>ˆ¿ëéCoÚ
-©S6óÀÜ<EFBFBD>³L\U˜ðÙz<ûHª\ÖaÉ;Q%Ú‘
--- a/secrets/generated/vps1/kanidm-oauth2-open-webui.age
+++ b/secrets/generated/vps1/kanidm-oauth2-open-webui.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> piv-p256 a1N2XA Ah6buspw/yLQJuiyWr0t3Phy+U3HhRY2t0SofqISzHmJ
-pVYmmBoqXD9l55DUIad9D/0h/vhXmeMauK+xaBpX0cM
-> M)*gn$-grease _b3%6l sH|2-zq P%h
-CWIfvXf9R5QvRXzv8wv+vB8nXLk0eTxy/htCUSm2ujjw
--- 1t/2tU8qFo9C2yH3ZtsZIp8ZMNEjrecLh2HkDVnKTx4
-Û\ePŽŽ,<2C>üÏtª¨V—xû‘ý“è¤AÎKe´}üÆÍ\]Û
-âÛ÷`<Çÿb;yGÛë‰À
--- a/secrets/generated/vps1/kanidm-oauth2-vaultwarden.age
+++ b/secrets/generated/vps1/kanidm-oauth2-vaultwarden.age
--- a/secrets/rekeyed/atlas/703d7f8fd1a8bc71327f3011304a78a9-nix-access-tokens.age
+++ b/secrets/rekeyed/atlas/703d7f8fd1a8bc71327f3011304a78a9-nix-access-tokens.age
--- a/secrets/rekeyed/atlas/9f3916fc5285b691931e572afdc8ac22-open-webui-api-key.age
+++ b/secrets/rekeyed/atlas/9f3916fc5285b691931e572afdc8ac22-open-webui-api-key.age
@@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 mV4Rog gj6NT+DEVJbKeGArVcbzNphmMXoXFmVPHlo+zWuI1Ek
-Wt0saIoq6RnQR1jVLHI84JMDP0rCvc1kfjSQoSHly/4
-> t-grease <a`) :34)]ad /J) =]!RB~HB
-m7JCE0PP2H9DkOdbj/dhZATaXfIoPmocKnGkYUXnjyo99nVMMy2FSmNdZyE0KGCR
-eVkIGwJbH3HNimXst62gIxvSrFQ4a4IcO1Cv8UaMK9UjGfy731BRpg
--- bEP7E9Ajvw0pIWFF7+QakdFigo0B+0aa0ha9/Y/OADA
-ZrÕ«ö‰0/^´2µB
-oÒÀ’@3±¡~qSò‰–û¥H	fa	¤¨Sœ0Àˆ•ŸrvŠ«ÑB+¿
--- a/secrets/rekeyed/helios/4aaa7a0f1b4819f7b6fb076ab42afcb5-nix-access-tokens.age
+++ b/secrets/rekeyed/helios/4aaa7a0f1b4819f7b6fb076ab42afcb5-nix-access-tokens.age
--- a/secrets/rekeyed/helios/e09d8370465eb4038d032d0d84b700b1-open-webui-api-key.age
+++ b/secrets/rekeyed/helios/e09d8370465eb4038d032d0d84b700b1-open-webui-api-key.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 3xQa4Q 3I7Mpt3/StzFpy8/egW+PleMsKV/YFsw1lpzt0057ns
-Plc2u/sza/Fga8lnCMj4rH8midPdaFP+FZ1J8+pwRP8
-> .-grease !Yk9l62 H3@'J 9Klw
-2fJgCUF22ciTm8EfYemHjA1uN1jkVGLGfcTllU8m08Ya2fUPig7ZK4fNLV3ttMc4
-uLthrVZFo1HKF2wQSMeDq+ITZItvxHg2NFxqkWRCJv4
--- r3Fao3CQxFocTu4+9/Nh0zcCvTYQWpmRQD112YiAIwU
-[µXG¹àÞŒ¡ÑÝ€aFa‘‹K|Å' øËdOµX§ ¨éúùGÁLHÿ€’©<>4¥<34>
--- a/secrets/rekeyed/hypnos/59884012552f74517db9f43d996a8b80-nix-access-tokens.age
+++ b/secrets/rekeyed/hypnos/59884012552f74517db9f43d996a8b80-nix-access-tokens.age
@@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 5PDipg VUUf0H5YtcvVIQGHWSRUjCCWJFC8uyifg9jb3dcKQEM
-2u40LYxerTKD200Mkp/UhMFDwRQy/u74lpFa7JG783g
-> vSi-grease xC k Y9 7n3c
-WC+dOm6hxAlN9zTouhlfHvZCHfJaGnqOMa5jSIw
--- 0ywtnNEFe21IGFUvzuzK0dO65YKZCymavaqHOmKB9iQ
-Lš\_%£™ø%2{ÀˆSªžè eMî‡c¹8ˆÝHzÂ`zžà×<C3A0>LTJ1öðm6JE¡pñd`žÍÁMfÙâ5Äî½ü×ðKAØ<Vb‹ù_¿‘ÉÇ¬hæÖí¶o# “‚Ôa€ªóí¸ñ7j„„q>ùW.¤ C«ŸðÏ:Ü¿K•¸«©q]_U•–#‘/M=×-PÓ¦
--- a/secrets/rekeyed/hypnos/c12ed3579ec35228529211b0f518d0fe-open-webui-api-key.age
+++ b/secrets/rekeyed/hypnos/c12ed3579ec35228529211b0f518d0fe-open-webui-api-key.age
@@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 5PDipg Eic12F37CNvDBqlFV17aMYXTS/eFKEd8SYfOvKV2CGY
-Co7whyv5vxJnlELVyIZJiNmj+hATpw1/QpK2t8CtcvE
-> >e`c+0-grease D[m[ *0=DB?=
-uPUY90BUNR6Hm0F2Q0F+dXWkUOe4cLjrAvkcxaR79km0qMgJ/C7ribHeWpK3siOe
-2zz5YA
--- XoQX1p09n36Cqyc0sEShbtcn4wbX68ULdGNrDzX5w04
-üš»AñXÖÓÄÝf’³(ã=<3D>†ÒeÈuÏÂ˜Æz@ V.ù~Ê_Ié#å<>¤#2Q;9DÅ$el®H<C2AE>Ã;
-‘`5âÂ	
--- a/secrets/rekeyed/library/0a21efefa75a30ace89a3b082e980952-open-webui-env.age
+++ b/secrets/rekeyed/library/0a21efefa75a30ace89a3b082e980952-open-webui-env.age
@@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 QjbOZQ uJRXV06taQiHq9Um5E2FNNYo5oZP4M1mmY3OBRK7NSk
-4rcF2AJ5hsnTM1yUD37yWYtU2E7zAzHBKNVagfRgVGQ
-> z[Ud1L%*-grease ]j 7_ ?+5
-pVP4JA8o5o5kWHoxuttfOdd2GLhCiANBrdbNXWhe7fMZy74Gsj0IX7caHcL/rNkM
-p/DF/V4Y5QUvgQ5y7F95tc36uvNzmcsKaKauk3yIdzp6+9nuu+hQ6Qbvr0liWkuR
-0pQB
--- LeXXxszTuVoj2OE6m3yPEQe6hsQAFZkhPVXpspa40vo
-.GËî®7m¨m=Æ2vªúùÉ¼®[÷ÿá.Î¿'roù¢9kõNy½TúuB¢èlnkJ]¶=N^3	QJà:7]–YëþG¬ RÔˆ€¿tš€¿cNÑSžvÕ×wÿw`fT¤¸jÚ¸Ýö—«Í‚X¯ÈÊý4ï`èoí<6F>(—ÇKê^”ÅI3ógP‹ð”7²r`V<*êí9ïya	¼PÒJ<C392>Þ¬ä©<C3A4>‡Ñ³éi6ÃT¯þ>Þnâ"QzƒÅ`š…ù|èÌ;å†¼¸Í¾™Ïý)‡>Ü<> ÿßòEâ1ª†ˆNKJ‡ejªI<C2AA>
--- a/secrets/rekeyed/odyssey/c8231a45d0bb912d87bc291481a583cd-open-webui-api-key.age
+++ b/secrets/rekeyed/odyssey/c8231a45d0bb912d87bc291481a583cd-open-webui-api-key.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 jqV4bA 9vHES4DslQIplaJN4M+TnWzQxPwO0WOWnusIQxrQqh8
-oLran53jiS0hjirGdMD/akpaNCNvKY5M0+i/6ky5HNM
-> 2ZC`)9-grease W G
-ZW4ghYvlO1xs0GHJldTD1ZdM+wXYQ4dNdZsg81dTE7VxIona+puaHU9MBq/v2+Sg
-qmqbacPFykJqeBG/uhJHYHgjbuHT8c0gTvWH3RCIQEPq
--- fS6Rtw7zUkvtwfx1/GIHT40nzsmh5Nfj7/SG9svMXAQ
-käE8ÙÏ<EFBFBD>ôEƒrhé”@ìZ•U9›ën›¡teiŸËW6YèbjCÄ•·PÍ.rÝÁË“<C2AD>÷Ìæ>
--- a/secrets/rekeyed/odyssey/ff372013878d923f3800ea9583fb6063-nix-access-tokens.age
+++ b/secrets/rekeyed/odyssey/ff372013878d923f3800ea9583fb6063-nix-access-tokens.age
--- a/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age
+++ b/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age
@@ -1,10 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 lOyIlA LfDvF0kXFmP4yGPz9A5uov9DbRfMeLniWQhgnYE3ZA0
-9GkGo/twG1cfOHZgRGAmAcfQlrgQ86QvgehbkleKyz0
-> GEv|{-grease c)B+5+, \v$ piek
-hwIw75OzOhfdScMKrNZ5i+WWh5zcfMryQXdbz81yUkEjWm9P4UVOYee+zz4/PU+t
-6nEKEqvPf6RwBOzAlzx72Yi0l+onxh1CHOWRlfU
--- dkZlSoaBUqLnMu25ocR0VwgPr190ZOmcMdxQ3KApFS0
-ƒþ<Ù²õŒ}M9Gdhœú’³0[ù¹ú¡²¯Ì®È¼ažjÅg–…¨:JÀ»Æ$:^èä€OÓeêø@÷žoé‡1
-¤r]I>†tü?°XãQÙ•Ù‰¡„A¯r)ab	§’”Ü$8e“ˆ<E2809C>½f¥Å<C2A5>zÍ7ÓÜÁlf)Õ|jl“%öâ
-v-òá!ª‘•(ÕÙ.qR…ÚÙ*yŽÁ¿¿XªÙµ
--- a/secrets/rekeyed/vps1/3c5deb9c71bac734f22226832529aa8c-kanidm-oauth2-gitea.age
+++ b/secrets/rekeyed/vps1/3c5deb9c71bac734f22226832529aa8c-kanidm-oauth2-gitea.age
--- a/secrets/rekeyed/vps1/4cbaed0c22d9da1e2cb1a12dea1953f4-mautrix-signal-env.age
+++ b/secrets/rekeyed/vps1/4cbaed0c22d9da1e2cb1a12dea1953f4-mautrix-signal-env.age
--- a/secrets/rekeyed/vps1/6a6726d70ccca930f798a32691ce17eb-mautrix-whatsapp-env.age
+++ b/secrets/rekeyed/vps1/6a6726d70ccca930f798a32691ce17eb-mautrix-whatsapp-env.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 lOyIlA ZQWnreUg4ob9RmEKNrdJKWGRCC1k0HWc8op8ycG5uXU
-U6SEQWo1DoLxclnhkXJy3D93nuijiD4kk9qjMk61Yis
-> b(/|-grease
-CUalICYuF4P5Ipe5C6gdrw
--- OmIGQ6VJYZcCIkTPapXNIMJswGczS/1bp8A+AeAj0yU
-¡MÜlànY›K-ç‹ÝG·^\Žõêèk(—ZØþ•˜·Z›$-=(<28>¢å¨·ÅßHú¤Õ=4ŸÌÙ‹#ƒYÑ7òø‡tnÝ<6E>gØp>`ÄÈE©B$ Â÷0Œ<30>¥ž8BWOá°Ù<C2B0>) (ŸüU®"Ï½î54U²Gþ‰oÈ¥?¯ðu§Aôâ
-z`¥d3Ij`†Ò€¬SK¤Û}$ì×ã®<03>8%Ž·Á—ë9ÈÙÀ÷½?1tZ¤AvÂ´+ê¢Jœ”Ï<E2809D>Z¥u˜lsôkJ+-Îhœ‚–µ
--- a/secrets/rekeyed/vps1/80ea265ad53ef54ed48c4e1d842774b1-kanidm-admin-password.age
+++ b/secrets/rekeyed/vps1/80ea265ad53ef54ed48c4e1d842774b1-kanidm-admin-password.age
@@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 lOyIlA OQXbnkBzK8DL7wJkbHWo/XUlLQHjBEVu1xMzmhB78Xc
-vGcN1v+YxXidGs7Z3hvZypklIZVF1/J6DZpx8JId/hw
-> mfI^2]-grease ,
-2C8Bs6nnhfatjdqc/Wc
--- tuwRBOHiF0e6lgo4bK4Ui+bjjuTf5uZJgDJnpqf1seU
-½J´\gù;ü†èòV½·qFNq[7ÏålŒ¯ðÅf¢˜°w	æã<C3A6>¯•<C2AF>i|RDLóR#œÀ%u-A1š£Â–âþ=€A†ÿöºW„c
--- a/secrets/rekeyed/vps1/87759af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age
+++ b/secrets/rekeyed/vps1/87759af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age
@@ -1,10 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 lOyIlA Tyyx5kyLTN9MI+Bc66Rh7RbQ+qZF0S5Y2HCTvUFRqBo
-lzPjwPDXjg8ioc4XAJewTDdzXN5QO3BeGbTVxGW1B0U
-> *-grease >|vs MPFf.c. nm=m ^
-OHDKbCO9uIoRv9Ar2kbIENz1NLY8iUlzmV07SouSJcxNWyEAqsVzxAkLsIeQKYn5
-XbtjLv88wHhf2w
--- 7kHTJevOeZdsk2v9qP1V7wL4/Qz8wmFgoQiPMcx56WU
-ÀLòÖÈ¼amèüé°w½B]Ðý
-¦ÔmÁÚ¾Ú<EFBFBD>ÌåOd‘øL%ÐPó¿IÎÐ'•X·’<koÞ>OFÏj¥8‘ÿÇ8s®[€(Á¢CàlTd’ ¦HÖ[9ýÐ …§$AÊl¦Pf¹}äÁjCo]`ÏÙÊÁnÝ¢õjw*ÔY <iùMOç¨Dš×À[!T#¼§È•X<E280A2>Ù‚¿KëXà-ƒè×{fÃ$%«<>›¤gT}<7D>Ók•R1ºQ?þƒ?ÙQ¾®hW· eÍà||zï—Xe‡rD3\';°j‚FÙþËhY
-¨øRùH1‚ÄRê‘±/*w	‘	3Ç·Y"¼{’§îLNÙs"«ˆÖ7Bô
--- a/secrets/rekeyed/vps1/a8f9724475694d2a470fc175c5a6d38e-kanidm-idm-admin-password.age
+++ b/secrets/rekeyed/vps1/a8f9724475694d2a470fc175c5a6d38e-kanidm-idm-admin-password.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 lOyIlA XbDvpING9Qe/x3sNWrqn2vqEw2SvgP79ApCrJTTGuiM
-cOaoXvYgPH7egMF1MT4gtaMHnoHWgeKeEjkwCoOQf74
-> y''zjcK-grease J y ,CxRN3
-2kaqVO6qm24DPq5fhEN+AM+hPvW3VPHKlzuMy8SLeW/3um8bXNmFdxwzfkDoFSf3
-viYrDFmlY7+RTFt6JADBs67eYlQblBgZwTo
--- NwBzcAYM5hOyvIsRVLYH8ez6gn8Z3yxmX8Tfz1hETz0
-¡g>ð@‘ÉýlÖægè[‚RÙ½„ó™€XvŽÊ9ßµ"<22>ë\ÒhÛºU…y›¬ÁÚ4ÜžO¼½ =zˆÃxBé@DzIJÆ’åO•åÑü«M„ LH<
--- a/secrets/rekeyed/vps1/d4527fa57d6907c78335cdabd3e84d46-kanidm-oauth2-open-webui.age
+++ b/secrets/rekeyed/vps1/d4527fa57d6907c78335cdabd3e84d46-kanidm-oauth2-open-webui.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 lOyIlA VsJu05NEZogLfeKJ8f9PiUH9RZn2RKJ+/FYOTzUOIyY
-Zd5ze/ijrlRs948f6fhCR+IN6uXpck6ejMlpyGugOfQ
-> z+o-grease +J< ey N"
-uAedOA+JGje0EKhTuQJj+RDh98H6dqryAUe7nC2iF6t7wAT1NHFLWWfRqw3nNtMb
-Cb0pH7hECmbW0vygVD67NusZOvleB2RHng
--- KcTuAfeh0NIBLRmtXZFlbsAAmH9Eu2KmswfZzWgaeZ8
-íƒ9EœQÞªF¡`iÝÙ´oŠä~éõ/þV<*{°'A~”n0ÁÕôø'@œKý¿<øxÇ½'AJMFN®ûÁ#»$CÜŠ=$ZH¼AØ
--- a/secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age
+++ b/secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age
@@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 lOyIlA lN4CAdRzmrQqTaI75QwSyhPF34tXWvnyT3EF+wYp5H0
-z9b9Rm/zk4PHrw35EeLtx4Gyp6Nlv55SWM/OxuuqOcA
-> CJNg-grease ^p}Pf r@D 94/&
-eM0eWh2/4FSBoFvqSvVI
--- y0Tsd45+A1Q8XwnUee6RZJPkYiazusnxYkmBeHqru0E
-W`.)"<22>(¸ƒÖYs·²ãóûrœ¡²0ÊÂ“ ƒŸrÇg‘Y‰‡»6®P=;[YÞì±&¼bŒR¿ð6WvÑèÇ ¿÷Ã†sö&» <C2BB>=U
--- a/secrets/yubikey-nix-primary.pub
+++ b/secrets/yubikey-nix-primary.pub
@@ -1,7 +0,0 @@
-#       Serial: 24187788, Slot: 1
-#         Name: YubiKey Nix Primary
-#      Created: Mon, 25 Aug 2025 21:00:00 +0000
-#   PIN policy: Once   (A PIN is required once per session, if set)
-# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
-#    Recipient: age1yubikey1qwwyem3502gqenzet20xdpjnuhhv2cezvzk590jdta9wqkw48p8gj7n4x96
-AGE-PLUGIN-YUBIKEY-13SFHZQVZDDFHVHQGGYPC3
--- a/users/guest/common/optional/graphical/jellyfin.nix
+++ b/users/guest/common/optional/graphical/jellyfin.nix
@@ -1,20 +0,0 @@
-{
-  pkgs,
-  ...
-}:
-{
-  home.packages = with pkgs; [
-    gamescope
-    jellyfin-media-player
-  ];
-
-  home.persistence."/state".directories = [
-    ".cache/jellyfin.org"
-  ];
-
-  home.persistence."/persist".directories = [
-    ".config/jellyfin.org"
-    ".local/share/jellyfinmediaplayer"
-    ".local/share/Jellyfin Media Player"
-  ];
-}
--- a/users/guest/common/optional/graphical/steam.nix
+++ b/users/guest/common/optional/graphical/steam.nix
@@ -8,10 +8,23 @@
    steam
  ];

-  home.persistence."/persist".directories = [
-    ".config/gamescope"
-    ".local/share/Steam"
-    ".local/share/vulkan"
-    ".steam"
-  ];
+  systemd.user.services.steam-big-picture = {
+    Unit = {
+      Description = "Steam Big Picture in Gamescope";
+      After = [
+        "graphical.target"
+        "default.target"
+      ];
+    };
+    Service = {
+      ExecStart = ''
+        ${pkgs.gamescope}/bin/gamescope --rt --backend drm --steam -- \
+          ${pkgs.steam}/bin/steam -pipewire-dmabuf -tenfoot
+      '';
+      Restart = "always";
+    };
+    Install = {
+      WantedBy = [ "default.target" ];
+    };
+  };
 }
--- a/users/guest/default.nix
+++ b/users/guest/default.nix
@@ -22,13 +22,11 @@ in
    ];
    group = "users";
    isNormalUser = true;
-    password = "";
    shell = pkgs.zsh;
  };

  home-manager.users.${name} = {
    imports = [
-      ./common/optional/graphical/jellyfin.nix
      ./common/optional/graphical/steam.nix
      {
        home.persistence."/state" = {
@@ -38,7 +36,11 @@ in
        };
        home.persistence."/persist" = {
          directories = [
+            ".config/gamescope"
            ".local/share/icons"
+            ".local/share/Steam"
+            ".local/share/vulkan"
+            ".steam"
          ];
        };
      }
@@ -46,140 +48,17 @@ in
    ++ optional (builtins.pathExists hostFile) hostFile;

    home = {
-      packages = with pkgs; [
-        adwaita-fonts
-      ];
      username = name;
-      sessionVariables = {
-        ZDOTDIR = "~/.config/zsh";
-      };
-      pointerCursor = {
-        enable = true;
-        size = 64;
-        name = "macOS";
-        package = pkgs.apple-cursor;
-        gtk.enable = true;
-        x11.enable = true;
-      };
-    };
-
-    fonts.fontconfig.enable = true;
-
-    programs.firefox = {
-      enable = true;
-      profiles.Default = {
-        search = {
-          default = "ddg";
-          privateDefault = "ddg";
-          force = true;
-        };
-        settings = {
-          "layout.css.devPixelsPerPx" = 1.5;
-        };
-      };
-    };
-
-    programs.zsh = {
-      enable = true;
-      enableCompletion = true;
    };

    xdg.enable = true;
  };

-  services.displayManager = {
-    enable = true;
-    sessionPackages =
-      let
-        firefoxDesktopFile = pkgs.writeTextFile {
-          name = "firefox-desktop-entry";
-          destination = "/share/wayland-sessions/firefox.desktop";
-          text = ''
-            [Desktop Entry]
-            Name=Firefox
-            Comment=Desktop session for web browsing
-            Exec=${pkgs.gamescope}/bin/gamescope --rt --backend drm --expose-wayland -W 3840 -H 2160 -- MOZ_ENABLE_WAYLAND=1 ${pkgs.firefox}/bin/firefox https://www.youtube.com/
-            Type=Application
-          '';
-        };
-
-        jellyfinDesktopFile = pkgs.writeTextFile {
-          name = "jellyfin-desktop-entry";
-          destination = "/share/wayland-sessions/jellyfin.desktop";
-          text = ''
-            [Desktop Entry]
-            Name=Jellyfin
-            Comment=Desktop session for music, movies, and TV
-            Exec=${pkgs.gamescope}/bin/gamescope --rt --backend drm -W 3840 -H 2160 -- ${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer --scale-factor 2 --tv --fullscreen
-            Type=Application
-          '';
-        };
-
-        steamDesktopFile = pkgs.writeTextFile {
-          name = "steam-desktop-entry";
-          destination = "/share/wayland-sessions/steam.desktop";
-          text = ''
-            [Desktop Entry]
-            Name=Steam
-            Comment=Desktop session for gaming
-            Exec=${pkgs.gamescope}/bin/gamescope --rt --backend drm --steam -- ${pkgs.steam}/bin/steam -pipewire-dmabuf -tenfoot
-            Type=Application
-          '';
-        };
-
-        firefoxSession = pkgs.symlinkJoin {
-          name = "firefox-session";
-          paths = [ firefoxDesktopFile ];
-          passthru.providedSessions = [ "firefox" ];
-        };
-
-        jellyfinSession = pkgs.symlinkJoin {
-          name = "jellyfin-session";
-          paths = [ jellyfinDesktopFile ];
-          passthru.providedSessions = [ "jellyfin" ];
-        };
-
-        steamSession = pkgs.symlinkJoin {
-          name = "steam-session";
-          paths = [ steamDesktopFile ];
-          passthru.providedSessions = [ "steam" ];
-        };
-      in
-      [
-        firefoxSession
-        jellyfinSession
-        steamSession
-      ];
+  services.getty = {
+    autologinOnce = true;
+    autologinUser = "guest";
  };

-  services.greetd =
-    let
-      desktops = config.services.displayManager.sessionData.desktops;
-    in
-    {
-      enable = true;
-      settings = {
-        default_session = {
-          command = "${pkgs.tuigreet}/bin/tuigreet --time --sessions ${desktops}/share/xsessions:${desktops}/share/wayland-sessions";
-        };
-      };
-    };
-
-  # security.pam.services = {
-  #   greetd.text = ''
-  #     auth      requisite     pam_nologin.so
-  #     auth      sufficient    pam_succeed_if.so user = ${name} quiet_success
-  #     auth      required      pam_unix.so
-  #
-  #     account   sufficient    pam_unix.so
-  #
-  #     password  required      pam_deny.so
-  #
-  #     session   optional      pam_keyinit.so revoke
-  #     session   include       login
-  #   '';
-  # };
-
  # Workaround: https://github.com/nix-community/home-manager/issues/7166
  systemd.services."home-manager-${name}".serviceConfig = {
    RemainAfterExit = "yes";
--- a/users/jordan/artemis.nix
+++ b/users/jordan/artemis.nix
@@ -7,13 +7,14 @@
  imports = [
    ./common/optional/graphical/firefox.nix
    ./common/optional/graphical/fonts.nix
+    ./common/optional/graphical/hyprland
    ./common/optional/graphical/mimeapps.nix
  ];

  home.packages = with pkgs; [
-    # jellyfin-media-player
-    unstable.lutris
-    pcsx2
+    jellyfin-media-player
+    lutris
+    unstable.pcsx2
    xemu
  ];
 }
--- a/users/jordan/atlas.nix
+++ b/users/jordan/atlas.nix
@@ -6,11 +6,11 @@
 {
  imports = [
    ./common/optional/graphical/firefox.nix
-    ./common/optional/graphical/niri.nix
+    ./common/optional/graphical/gnome.nix
  ];

  home.packages = with pkgs; [
-    # jellyfin-media-player
+    jellyfin-media-player
    qbittorrent
  ];
 }
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXJmnp4LUE9AFjGHwvxAu4m/3PB2uYQ69F7wYv7cGGT`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPddvpZeCUelUGsnFvx87WOqKKc+MGPU6+rx6s1ReWQl`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2tDij7eTDbljl6Crz4i7qrM0lgp8U2T9ZMXt7VQPT/`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGlbvy+4QHbveFbS6r9S0JWUVHeI/MgYLyGtfpZqJ/3`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBP+SH4lzFTE29y9HfjkaO7Ino5OqEws5UXcnBFoo76C`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGLHtC0JmFfct+lYl0EjgphutmeYY8BWDctY3+/TsO6L`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJre8/cjdoUnbTu0x4ClTITcq4lq+FjpEyJBbLbOlox7`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYv5V6Lr1Er1dljwmunurIz1Q3Ce5FsFSxtUOW6aO9J`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv5+HwcRetBxtQZXpGbYv22S4prJu9bYCzKTSoMCl8D`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc`