theme

Stylix's qt target sets QT_STYLE_OVERRIDE=kvantum and writes qt6ct/qt5ct
configs with style=kvantum. plasmashell/KWin crash with a fatal
'module kvantum is not installed' QML error because the kvantum Qt style
plugin is not available in the Plasma session.

- stylix: targets.qt.enable = false (stops QT_STYLE_OVERRIDE=kvantum)
- plasma: remove kvantum package, add widgetStyle=Breeze as belt-and-suspenders

.gitignore

@@ -1,5 +1,14 @@
 hosts/nas/*.conf
 hosts/nas/*.users
-result
+result*
 *.raw
-.codegpt
+.codegpt
+.direnv
+shell.nix
+.vscode
+**/*/*.py
+.envrc
+.DS_Store
+*.qcow2
+keys
+iso-*

.sops.yaml

@@ -1,75 +1,92 @@
 # See https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml
 keys:
+  - &matt-pgp CBCB9B18A6B8930B0B6ABFD1CCB8CBEB30633684
   - &matt age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
-  - &matt_pi4 age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u
   - &matt_pi5 age1wpvfpv5n32lruk7c0da4uaeapsmhjxdvg8z4ljehn06l6g2y0e0sum404l
   - &desktop age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf
   - &admin age1pm3fehmmk0vmnrscz9vm96rakn46aaldr5ydpscmde3v9x0k3faswwdzxs
   - &jallen-nas age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
-  - &pi4 age1ykkjw57t3z3deup3gtp7dujyaslskn74e0d9hsmqaha2pj3rvazqgndw5a
   - &pi5 age1t2d5scrukk0guva5sr97a8tge5j8kd865adezrcru7p269pzwvpsamkgje
   - &deck age1c8qw59ffcq9l77gfmtyc3djtvt3md0u6dwhrjcgsm98ntyf72ufqugj7cg
   - &steamdeck age1er5qucsc2mugrzrr7n3xhzv7kemkrqrw4m84r544fkk7nkg5g5eswxkqj0
-  - &matt_macbook-pro age1xg6mvj3x6s3t8058c6rsk3q4kskvm6nsffwckxkkjzhyn7r6tczqgkj23p
-  - &macbook-pro age1rdn39ywgzmc8wlsl5lrfe77e652wzjmjx58gx4k2ydghd35kdqvqscrf3h
+  - &matt_macbook-pro age12gu9hqhd56yl5x3t5yenkn9yg57du08h77vzjqsmnu5hdppne38qcur5a0
+  - &macbook-pro age1t7378n8kmd3f32fkye2gw3jj6qswv3exjdx0dq8kl0xra3tmcdnsvddq3u
+  - &nuc age102el4snus37dj807rwvsmlvwu2sg2d8rw3vfmtntgczfkz04l9nshetcq0
+  - &admin_nuc age1yn82e39pxt0d0pgny34ux4lkge4ff7wxvsye8ragvwngehemt4ps27phyw
+  - &matt_allyx age18z4ctyyj7eq0cmt23eelfzjuacq4fa6hsplyg779d3rdg7ac2q5q2njxqh
+  - &allyx age1er5qucsc2mugrzrr7n3xhzv7kemkrqrw4m84r544fkk7nkg5g5eswxkqj0
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
-    - age:
-      - *matt
-      - *matt_pi4
-      - *matt_pi5
-      - *desktop
-      - *admin
-      - *jallen-nas
-      - *pi4
-      - *pi5
-      - *deck
-      - *steamdeck
-      - *matt_macbook-pro
-      - *macbook-pro
+      - pgp:
+          - *matt-pgp
+        age:
+          - *matt
+          - *matt_pi5
+          - *desktop
+          - *admin
+          - *jallen-nas
+          - *pi5
+          - *deck
+          - *steamdeck
+          - *matt_macbook-pro
+          - *macbook-pro
+          - *admin_nuc
+          - *nuc
+          - *matt_allyx
+          - *allyx
   - path_regex: nas-secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
-    - age:
-      - *matt
-      - *desktop
-      - *admin
-      - *jallen-nas
+      - pgp:
+          - *matt-pgp
+        age:
+          - *matt
+          - *desktop
+          - *admin
+          - *jallen-nas
   - path_regex: desktop-secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
-    - age:
-      - *matt
-      - *desktop
-      - *admin
-      - *jallen-nas
-  - path_regex: steamdeck-secrets/[^/]+\.(yaml|json|env|ini)$
+      - pgp:
+          - *matt-pgp
+        age:
+          - *matt
+          - *desktop
+          - *admin
+          - *jallen-nas
+  - path_regex: allyx-secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
-    - age:
-      - *matt
-      - *desktop
-      - *deck
-      - *steamdeck
-      - *admin
-      - *jallen-nas
-  - path_regex: pi4-secrets/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - age:
-      - *matt
-      - *matt_pi4
-      - *matt_pi5
-      - *desktop
-      - *pi4
-      - *pi5
-      - *admin
-      - *jallen-nas
+      - pgp:
+          - *matt-pgp
+        age:
+          - *matt
+          - *desktop
+          - *deck
+          - *steamdeck
+          - *admin
+          - *jallen-nas
+          - *matt_allyx
+          - *allyx
   - path_regex: pi5-secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
-    - age:
-      - *matt
-      - *matt_pi4
-      - *matt_pi5
-      - *desktop
-      - *pi4
-      - *pi5
-      - *admin
-      - *jallen-nas
+      - pgp:
+          - *matt-pgp
+        age:
+          - *matt
+          - *matt_pi5
+          - *desktop
+          - *pi5
+          - *admin
+          - *jallen-nas
+  - path_regex: mac-secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *matt-pgp
+        age:
+          - *matt
+          - *matt_pi5
+          - *desktop
+          - *pi5
+          - *admin
+          - *jallen-nas
+          - *matt_macbook-pro
+          - *macbook-pro

AGENTS.md

@@ -0,0 +1,303 @@
+# Agent Guide
+
+## Directory Structure
+
+```
+/etc/nixos/
+├── flake.nix                    # Main flake configuration
+├── flake.lock                   # Locked versions
+├── AGENTS.md                    # This file
+├── treefmt.nix                  # Code formatting config
+├── qemu.nix                     # QEMU testing config
+│
+├── systems/                     # System configurations by architecture
+│   ├── aarch64-linux/
+│   │   ├── macbook-pro-nixos/   # Apple Silicon MacBook
+│   │   │   ├── default.nix
+│   │   │   ├── boot.nix
+│   │   │   ├── services.nix     # logind, gdm, gnome, flatpak, etc.
+│   │   │   ├── filesystems.nix
+│   │   │   ├── hardware-configuration.nix
+│   │   │   └── firmware/        # Asahi firmware
+│   │   └── pi5/                 # Raspberry Pi 5
+│   │       ├── default.nix
+│   │       ├── boot.nix
+│   │       ├── adguard.nix
+│   │       └── sops.nix
+│   ├── x86_64-linux/
+│   │   ├── matt-nixos/          # Desktop AMD system
+│   │   │   ├── default.nix
+│   │   │   ├── boot.nix
+│   │   │   ├── filesystems.nix
+│   │   │   ├── sops.nix
+│   │   │   └── services/
+│   │   │       ├── lsfg-vk/
+│   │   │       ├── ratbagd/
+│   │   │       └── restic/
+│   │   ├── allyx/               # ASUS ROG Ally X
+│   │   │   ├── default.nix
+│   │   │   └── boot.nix
+│   │   ├── nuc-nixos/           # Intel NUC
+│   │   ├── jallen-nas/          # NAS server
+│   │   └── iso-minimal/
+│   └── aarch64-darwin/
+│       └── macbook-pro/         # macOS (nix-darwin)
+│
+├── homes/                       # Home-manager configurations
+│   ├── aarch64-linux/
+│   │   └── matt@macbook-pro-nixos/
+│   │       └── default.nix
+│   ├── x86_64-linux/
+│   └── aarch64-darwin/
+│
+├── modules/                     # Shared modules
+│   ├── nixos/                   # NixOS system modules
+│   ├── home/                    # Home-manager modules
+│   └── darwin/                  # nix-darwin modules
+│
+├── packages/                    # Custom package overlays
+│   ├── omnissa/
+│   ├── bcachefs/
+│   ├── raspberrypi/
+│   ├── comfyui/
+│   ├── homeassistant/
+│   ├── librepods-beta/
+│   └── ...
+│
+└── secrets/                     # SOPS secrets
+    ├── secrets.yaml             # Master key config
+    └── *-secrets.yaml          # Per-host secrets
+```
+
+## System Configurations
+
+### macbook-pro-nixos (Apple Silicon MacBook)
+- **Path**: `systems/aarch64-linux/macbook-pro-nixos/`
+- **Key files**:
+  - `services.nix:72-81` - logind/sleep settings
+  - `default.nix` - main config, imports all parts
+  - `boot.nix` - systemd-boot, kernel params
+- **Features**: Asahi Linux, GNOME, Hyprland option, battery management
+
+### matt-nixos (AMD Desktop)
+- **Path**: `systems/x86_64-linux/matt-nixos/`
+- **Features**: AMD GPU (LACT), GNOME, gaming, Lanzaboote
+
+### allyx (ASUS ROG Ally X)
+- **Path**: `systems/x86_64-linux/allyx/`
+- **Features**: Jovian NixOS, Steam, handheld-daemon, AMD GPU
+
+### pi5 (Raspberry Pi 5)
+- **Path**: `systems/aarch64-linux/pi5/`
+- **Features**: Headless, AdGuard, Docker, static IP, UEFI boot
+
+### jallen-nas (NAS Server)
+- **Path**: `systems/x86_64-linux/jallen-nas/`
+- **Features**: Headless, VPN, bcachefs, restic backups
+
+## NixOS Modules (`modules/nixos/`)
+
+### Desktop Environments
+- `desktop/gnome/default.nix` - GNOME configuration
+- `desktop/hyprland/default.nix` - Hyprland configuration
+- `desktop/cosmic/default.nix` - Cosmic DE configuration
+
+### Hardware
+- `hardware/amd/default.nix` - AMD GPU (LACT)
+- `hardware/nvidia/default.nix` - NVIDIA GPU
+- `hardware/battery/default.nix` - Battery management
+- `hardware/raspberry-pi/` - Raspberry Pi support
+
+### Boot & System
+- `boot/common/` - Common boot settings
+- `boot/lanzaboote/` - Lanzaboote (secure boot)
+- `boot/systemd-boot/` - Systemd-boot config
+- `boot/plymouth/` - Plymouth splash screen
+
+### Networking
+- `network/default.nix` - Network configuration (hostname, firewall, NM)
+- `network/options.nix` - Network module options
+
+### Other Services
+- `headless/default.nix` - Headless server config (watchdog, no suspend)
+- `gaming/default.nix` - Steam, Gamescope, Gamemode
+- `programs/default.nix` - System programs (nix-index, gnupg, etc.)
+
+## Home-Manager Modules (`modules/home/`)
+
+### Programs
+- `programs/waybar/` - Wayland bar
+- `programs/hyprland/` - Hyprland config
+- `programs/kitty/` - Kitty terminal
+- `programs/wofi/` - Wofi launcher
+- `programs/wlogout/` - Logout menu
+- `programs/btop/` - System monitor
+- `programs/git/` - Git configuration
+- `programs/zsh/` - Zsh configuration
+- `programs/mako/` - Notification daemon
+
+### Desktop
+- `desktop/gnome/` - GNOME settings
+- `desktop/stylix/` - Stylix theming
+
+### Services
+- `services/sops/` - SOPS integration
+
+## Custom Packages (`packages/`)
+
+- `omnissa/` - Omnissa Horizon client
+- `bcachefs/` - Bcachefs tools
+- `raspberrypi/` - Raspberry Pi firmware/tools
+- `comfyui/` - ComfyUI packages
+- `homeassistant/` - Home Assistant components
+- `librepods-beta/` - LibrePODS beta (AirPods support)
+
+## Common Patterns
+
+### Enable a desktop environment
+```nix
+${namespace}.desktop.gnome.enable = true;
+${namespace}.desktop.hyprland.enable = true;
+```
+
+### Enable SOPS
+```nix
+${namespace}.sops.enable = true;
+```
+
+### Enable headless mode
+```nix
+${namespace}.headless.enable = true;
+```
+
+### System imports
+```nix
+imports = [
+  ./boot.nix
+  ./filesystems.nix
+  ./hardware-configuration.nix
+  ./services.nix
+];
+```
+
+### Namespace options (flake.nix:253)
+```nix
+namespace = "mjallen";
+```
+
+## SOPS Secrets
+
+Secrets are encrypted with SOPS. Each system has its own secrets file:
+- `secrets/mac-secrets.yaml` - macbook-pro-nixos
+- `secrets/pi5-secrets.yaml` - pi5
+- `secrets/allyx-secrets.yaml` - allyx
+- `secrets/nuc-secrets.yaml` - nuc-nixos
+- `secrets/nas-secrets.yaml` - jallen-nas
+
+## Flake Inputs (flake.nix)
+
+Key inputs:
+- `nixpkgs-unstable` - Unstable channel
+- `nixpkgs-stable` - Stable channel (25.11)
+- `home-manager-unstable` - Home-manager
+- `nixos-apple-silicon` - Apple Silicon support
+- `nixos-hardware` - Common hardware configs
+- `disko` - Disk partitioning
+- `sops-nix` - Secrets management
+- `lanzaboote` - Secure boot
+- `jovian` - Steam Deck support (allyx)
+
+## Lib Module (`lib/`)
+
+Custom utility library exposed via `lib.mjallen.*` through Snowfall Lib. Used for creating modules and managing versions.
+
+### Directory Structure
+```
+lib/
+├── default.nix          # Entry point: exports module, file, versioning
+├── README.md            # Detailed documentation
+├── module/              # Module creation helpers
+│   └── default.nix
+├── file/                # File/path utilities
+│   └── default.nix
+└── versioning/          # Multi-source version pinning
+    └── default.nix
+```
+
+### Module Utilities (`lib.mjallen.module`)
+
+**`mkModule`** - Create NixOS service modules with standardized options:
+```nix
+lib.mjallen.module.mkModule {
+  config, name, description, options, moduleConfig, domain ? "services"
+}
+```
+Standard options: `enable`, `port`, `reverseProxy`, `firewall`, `createUser`, `configureDb`, `redis`, `puid`, `pgid`, `timeZone`, etc.
+
+**`mkContainerService`** - For Podman/OCI containers (auto-generates container definition):
+```nix
+lib.mjallen.module.mkContainerService {
+  config, name, image, internalPort, description, options, volumes, environment
+}
+```
+
+**`mkSopsEnvFile`** - Generate SOPS secrets + template env-file:
+```nix
+lib.mjallen.module.mkSopsEnvFile {
+  secrets, name, content, restartUnit, owner, group, mode, sopsFile
+}
+```
+
+**Option Helpers:**
+- `mkOpt type default description` - Standard option
+- `mkBoolOpt default description` - Boolean option
+- `mkReverseProxyOpt name` - Caddy reverse proxy sub-options
+
+**Convenience Shorthands:**
+- `enabled` = `{ enable = true; }`
+- `disabled` = `{ enable = false; }`
+
+### Home Manager Utilities
+
+**`mkHomeModule`** - Create Home Manager modules:
+```nix
+lib.mjallen.module.mkHomeModule {
+  config, domain, name, description, options, moduleConfig
+}
+```
+
+### File Utilities (`lib.mjallen.file`)
+
+- `readFile path` - Read file contents
+- `pathExists path` - Check if path exists
+- `safeImport path default` - Safe Nix import
+- `getFile relativePath` - Get path relative to flake root
+- `importModulesRecursive path` - Recursively discover Nix modules
+- `scanSystems systemsPath` - Discover system configurations
+- `filterNixOSSystems systems` - Filter for Linux systems
+- `filterDarwinSystems systems` - Filter for macOS systems
+- `scanHomes homesPath` - Parse home-manager configurations
+
+### Versioning Utilities (`lib.mjallen.versioning`)
+
+For packages with `version.json` (multi-variant source pinning):
+
+- `selectVariant spec variantName system` - Select variant from spec
+- `render value variables` - Template substitution (`${var}`)
+- `mkSrc pkgs comp variables` - Build single source
+- `mkAllSources pkgs selected` - Build all sources for selected variant
+
+See `lib/versioning/default.nix` for full API and `docs/version.schema.json` for schema.
+
+### Usage in Packages
+
+Create `packages/<name>/version.json` with variant definitions, then use:
+```nix
+let
+  versioning = inputs.self.lib.mjallen.versioning;
+  spec = inputs.self.lib.mjallen.file.readFile ./version.json;
+  selected = versioning.selectVariant spec variantName system;
+  sources = versioning.mkAllSources pkgs selected;
+in
+# Use sources.componentName for each source
+```

README.md

@@ -1,50 +1,245 @@
-# nixOS Config
+# NixOS Configuration Repository
 
-### Common Files
-* [flake.nix](./flake.nix)
-* [impermenance.nix](./share/impermanence/default.nix)
-* [share](./share)
-* [overlays](./overlays)
+This repository contains my personal NixOS configurations for multiple systems, managed using [Snowfall Lib](https://github.com/snowfallorg/lib) and the Nix Flakes system.
+
+## Overview
+
+This repository provides a centralized, declarative configuration for all my systems, including:
+
+- Desktop PC (AMD)
+- NAS server
+- Steam Deck
+- Intel NUC
+- Raspberry Pi 4
+- Raspberry Pi 5
+- MacBook Pro (NixOS on Apple Silicon)
+- MacBook Pro (Darwin/macOS)
+
+## Repository Structure
+
+```
+.
+├── checks/                # Pre-commit hooks and other checks
+├── flake.nix              # Main flake configuration
+├── homes/                 # Home-manager configurations for users
+│   ├── aarch64-darwin/    # macOS home configurations
+│   ├── aarch64-linux/     # ARM Linux home configurations
+│   └── x86_64-linux/      # x86 Linux home configurations
+├── modules/               # Reusable configuration modules
+│   ├── home/              # Home-manager modules
+│   └── nixos/             # NixOS system modules
+├── overlays/              # Nixpkgs overlays
+├── packages/              # Custom package definitions
+├── secrets/               # Encrypted secrets (managed with sops-nix)
+└── systems/               # System-specific configurations
+    ├── aarch64-darwin/    # macOS system configurations
+    ├── aarch64-linux/     # ARM Linux system configurations
+    └── x86_64-linux/      # x86 Linux system configurations
+```
+
+## Key Features
+
+- **Modular Design**: Reusable modules for various system components
+- **Multi-System Support**: Configurations for different hardware platforms
+- **Home Manager Integration**: User environment management
+- **Secret Management**: Encrypted secrets with sops-nix
+- **Disk Management**: Declarative disk partitioning with disko
+- **State Management**: Persistent state management with impermanence
+- **Desktop Environments**: Support for GNOME, Hyprland, and COSMIC
+- **Hardware-Specific Optimizations**: Tailored configurations for different hardware
+
+## Key Technologies
+
+- [Nix](https://nixos.org/) and [NixOS](https://nixos.org/)
+- [Nix Flakes](https://nixos.wiki/wiki/Flakes)
+- [Snowfall Lib](https://github.com/snowfallorg/lib)
+- [Home Manager](https://github.com/nix-community/home-manager)
+- [sops-nix](https://github.com/Mic92/sops-nix)
+- [disko](https://github.com/nix-community/disko)
+- [impermanence](https://github.com/nix-community/impermanence)
+- [lanzaboote](https://github.com/nix-community/lanzaboote) (Secure Boot)
+
+## Notable System Configurations
 
 ### Desktop
-* [boot.nix](./hosts/desktop/boot.nix)
-* [configuration.nix](./hosts/desktop/configuration.nix)
-* [hardware-configuration.nix](./hosts/desktop/hardware-configuration.nix)
-* [filesystems.nix](./hosts/desktop/filesystems.nix)
-* [home.nix](./hosts/desktop/home.nix)
-* [sops.nix](./hosts/desktop/sops.nix)
-* [specialisations.hyprland](./hosts/desktop/hyprland)
-* [specialisations.gnome](./hosts/desktop/gnome)
-* [specialisations.cosmic](./hosts/desktop/cosmic)
+
+A powerful AMD-based desktop with gaming capabilities, featuring:
+- AMD CPU and GPU optimizations
+- Multiple desktop environment options (GNOME, Hyprland, COSMIC)
+- Gaming setup with Steam and related tools
 
 ### NAS
-* [boot.nix](./hosts/nas/boot.nix)
-* [configuration.nix](./hosts/nas/configuration.nix)
-* [hardware-configuration.nix](./hosts/nas/hardware-configuration.nix)
-* [impermenance.nix](./hosts/nas/impermenance.nix)
-* [apps.nix](./hosts/desktop/apps.nix)
-* [home.nix](./hosts/desktop/home.nix)
-* [networking.nix](./hosts/desktop/networking.nix)
-* [services.nix](./hosts/desktop/services.nix)
-* [sops.nix](./hosts/desktop/sops.nix)
-* [ups.nix](./hosts/desktop/ups.nix)
-* [samba](./modules/samba)
-* nas-apps
-    * [arrs](./hosts/nas/apps/arrs/default.nix)
-    * [free-games-claimer](./modules/apps/free-games-claimer)
-    * [jackett](./modules/apps/jackett)
-    * [jellyfin](./hosts/nas/apps/jellyfin/default.nix)
-    * [jellyseerr](./hosts/nas/apps/jellyseerr/default.nix)
-    * [jackett](./modules/apps/manyfold)
-    * [mariadb](./modules/apps/mariadb)
-    * [mealie](./modules/apps/mealie)
-    * [nextcloud+onlyoffice](./hosts/nas/apps/nextcloud/default.nix)
-    * [ollama](./hosts/nas/apps/ollama/default.nix)
-    * [paperless](./hosts/nas/apps/paperless/default.nix)
-    * [tdarr](./modules/apps/tdarr)
-    * [traefik](./hosts/nas/apps/traefik/default.nix)
-    * [wireguard](./modules/apps/your-spotify)
 
-### Raspberry Pi 4
-* [configuration.nix](./hosts/pi4/configuration.nix)
-* [hardware-configuration.nix](./hosts/pi4/hardware-configuration.nix)
+A home server with various self-hosted services:
+- Media management (Jellyfin, Jellyseerr)
+- Download automation (Sonarr, Radarr, etc.)
+- Document management (Paperless)
+- File sharing (Samba, Nextcloud)
+- AI services (Ollama)
+
+### Raspberry Pi
+
+Configurations for both Pi 4 and Pi 5:
+- Hardware-specific optimizations
+- Disk partitioning suitable for ARM devices
+- Bluetooth and wireless support
+
+### Steam Deck
+
+Custom NixOS configuration for the Steam Deck:
+- Integration with Jovian for Steam Deck compatibility
+- Gaming optimizations
+- Steam ROM Manager
+
+### MacBook Pro
+
+Configurations for both:
+- NixOS on Apple Silicon
+- nix-darwin for macOS
+
+## Usage
+
+### Building a System Configuration
+
+```bash
+# Build and activate a system configuration
+sudo nixos-rebuild switch --flake .#hostname
+```
+
+### Building a Home Configuration
+
+```bash
+# Build and activate a home configuration
+home-manager switch --flake .#username@hostname
+```
+
+## Secrets Management
+
+Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix). Each secret file is encrypted with [age](https://age-encryption.org/), using the SSH host key (`/etc/ssh/ssh_host_ed25519_key`) of each machine as a recipient, so that machine can decrypt its own secrets at boot without any passphrase.
+
+### How age keys work
+
+sops-nix derives an age key from the machine's ed25519 SSH host key automatically. The corresponding age **public key** must be added to `.sops.yaml` before you can encrypt secrets for that machine.
+
+To get the age public key for a machine:
+
+```bash
+# On the target machine (or from its host key file):
+nix-shell -p ssh-to-age --run \
+  'ssh-keyscan localhost 2>/dev/null | ssh-to-age'
+
+# Or directly from the key file:
+nix-shell -p ssh-to-age --run \
+  'ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub'
+```
+
+### Adding a new machine
+
+1. **Get the age public key** for the new machine using the command above.
+
+2. **Add it to `.sops.yaml`**:
+   ```yaml
+   keys:
+     - &new-machine age1<public-key-here>
+   creation_rules:
+     - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+       key_groups:
+         - age:
+             - *new-machine
+             # ... existing recipients
+   ```
+
+3. **Re-encrypt all secret files** so the new machine becomes a recipient:
+   ```bash
+   find secrets/ -name '*.yaml' -exec sops updatekeys {} \;
+   ```
+
+### Adding a new secret
+
+To add a secret to an existing file:
+
+```bash
+# Edit the file interactively (sops decrypts, opens $EDITOR, re-encrypts on save)
+sops secrets/nas-secrets.yaml
+```
+
+To create a new secrets file:
+
+```bash
+sops secrets/mymachine-secrets.yaml
+```
+
+The `.sops.yaml` `creation_rules` determine which keys encrypt the file based on its path.
+
+### Generating Nebula VPN certificates
+
+The Nebula module (`mjallen.services.nebula`) expects three secrets per host under a configurable prefix:
+- `<prefix>/ca-cert` — the CA certificate (shared across all nodes)
+- `<prefix>/host-cert` — this node's signed certificate
+- `<prefix>/host-key` — this node's private key
+
+**Step 1 — Create the CA** (once per network, on a trusted machine):
+
+```bash
+nebula-cert ca -name "jallen-nebula"
+# Produces: ca.crt, ca.key
+```
+
+**Step 2 — Sign a certificate for each node**:
+
+```bash
+# Lighthouse (assign an overlay IP, e.g. 10.1.1.1)
+nebula-cert sign -name "pi5" -ip "10.1.1.1/24" \
+  -ca-crt ca.crt -ca-key ca.key \
+  -out-crt lighthouse.crt -out-key lighthouse.key
+
+# Regular node (assign a unique overlay IP, e.g. 10.1.1.2)
+nebula-cert sign -name "nas" -ip "10.1.1.2/24" \
+  -ca-crt ca.crt -ca-key ca.key \
+  -out-crt nas.crt -out-key nas.key
+```
+
+**Step 3 — Add the secrets to SOPS**:
+
+```bash
+# Edit the target host's secrets file
+sops secrets/pi5-secrets.yaml
+```
+
+Add the certificate contents under the configured prefix (e.g. `pi5/nebula`):
+
+```yaml
+pi5:
+  nebula:
+    ca-cert: |
+      <contents of ca.crt>
+    lighthouse-cert: |
+      <contents of lighthouse.crt>
+    lighthouse-key: |
+      <contents of lighthouse.key>
+```
+
+The key name for the cert/key pair matches the `hostSecretName` option (e.g. `hostSecretName = "lighthouse"` → looks for `lighthouse-cert` / `lighthouse-key`).
+
+**Step 4 — Shred the plaintext key files** once they are in SOPS:
+
+```bash
+shred -u ca.key lighthouse.key nas.key
+```
+
+> Keep `ca.crt` accessible if you need to sign more nodes later, but store `ca.key` only in SOPS.
+
+## Documentation
+
+Comprehensive documentation is available in the [docs](./docs) directory:
+
+- [Getting Started](./docs/getting-started.md) - Instructions for setting up new systems
+- [Architecture](./docs/architecture.md) - Overview of the repository structure
+- [System Configurations](./docs/systems/README.md) - Details about each system
+- [Home Assistant](./docs/home-assistant/README.md) - Home Assistant setup and automations
+- [Custom Modules](./docs/modules/README.md) - Details about reusable configuration modules
+- [Troubleshooting](./docs/troubleshooting.md) - Common issues and solutions
+
+## License
+
+This project is licensed under the MIT License - see the LICENSE file for details.

WORKAROUNDS.md

@@ -0,0 +1,383 @@
+# Workarounds, Overrides & Temporary Fixes
+
+This document tracks all known workarounds, patches, and temporary overrides in this flake.
+Each entry includes the file location, reason, and whether it is still required.
+
+**Status legend:**
+- `ACTIVE` — still required, upstream fix not available
+- `REDUNDANT` — upstream has fixed the issue; this override can be removed
+- `UPSTREAM PENDING` — waiting on an upstream PR/issue
+- `INTENTIONAL` — permanent design decision, not a workaround
+
+---
+
+## Overlays (upstream package overrides)
+
+### `overlays/cosmic-settings-daemon/default.nix`
+**Status:** `ACTIVE — UPSTREAM PENDING`
+
+`cosmic-settings-daemon 1.0.8` has a buggy `Cargo.lock` that references
+`https://github.com/pop-os/dbus-settings-bindings` at two different commits
+(`3b86984` for `cosmic-dbus-a11y`/`locale1`/`upower_dbus`, and `0fa672f8`
+for the `cosmic-settings-daemon` subcrate). `cargoSetupHook` (used by
+`fetchCargoVendor`/`cargoHash`) rejects this: *"Sources are not allowed to be
+defined multiple times."*
+
+The fix overrides `cargoDeps` with `rustPlatform.importCargoLock`, which uses
+a different vendoring strategy that handles multiple commits from the same repo.
+
+**Removal condition:** When nixpkgs updates `cosmic-settings-daemon` past 1.0.8
+with a fixed `Cargo.lock`, or applies `cargoLock` in its own package definition.
+
+---
+
+### `overlays/cosmic-applets/default.nix`
+**Status:** `ACTIVE — UPSTREAM PENDING`
+
+`cosmic-applets 1.0.8` has the same class of bug: its `Cargo.lock` references
+`https://github.com/pop-os/cosmic-settings` at two different commits (`b46a55d`
+for `cosmic-pipewire` and `cosmic-settings-sound-subscription`, and `55b502d`
+for `cosmic-settings-a11y-manager-subscription` and several other crates).
+`cargoSetupHook` rejects this with the same "Sources are not allowed to be
+defined multiple times" error.
+
+Same fix as `cosmic-settings-daemon`: overrides `cargoDeps` with
+`rustPlatform.importCargoLock`.
+
+**Removal condition:** When nixpkgs updates `cosmic-applets` past 1.0.8 with a
+fixed `Cargo.lock`, or applies `cargoLock` in its own package definition.
+
+---
+
+### ~~`overlays/waybar/default.nix`~~ — REMOVED
+**Status:** `REMOVED`
+
+Previously added `-Dexperimental=true` to waybar's meson flags. nixpkgs now
+includes `-Dexperimental=true` in its waybar definition, making the overlay
+redundant. Removed.
+
+---
+
+### `overlays/radios/default.nix`
+**Status:** `ACTIVE` (protective — needed after next `flake update`)
+
+`radios` requires `pycountry>=24.0.0,<25.0.0` (PEP 440: `^24.0.0`). The
+current locked nixpkgs has `pycountry 24.6.1` (in range), but nixpkgs HEAD
+has already bumped `pycountry` to `26.2.16`, which will break `radios` after
+the next `flake update`. The overlay applies `pythonRelaxDepsHook` to loosen
+the upper bound.
+
+**Removal condition:** When the upstream `radios` package (`frenck/python-radios`)
+or nixpkgs relaxes the pycountry version constraint.
+
+---
+
+### `overlays/redis/default.nix`
+**Status:** `INTENTIONAL`
+
+Replaces `redis` with `valkey` (the Redis community fork) globally. This is a
+deliberate preference for the open-source fork over the Redis 7.x+ license change.
+
+---
+
+### `overlays/stable/default.nix`
+**Status:** `INTENTIONAL`
+
+Injects `pkgs.stable` as an attribute pointing to the stable nixpkgs channel,
+so modules can selectively pull in stable packages. Not a workaround.
+
+---
+
+## Flake Inputs (forks and custom branches)
+
+### `nixpkgs-otbr` — `github:mrene/nixpkgs/openthread-border-router`
+**File:** `flake.nix:8`
+**Status:** `ACTIVE — UPSTREAM PENDING`
+
+`openthread-border-router` is not yet packaged in nixpkgs-unstable. A community
+member's nixpkgs fork provides the package, used by
+`modules/nixos/homeassistant/services/thread/default.nix`.
+
+The fork is ~52,000 commits behind `nixos-unstable`, so it is pulled
+only via `pkgs.callPackage` from the fork's path, not as a full channel overlay.
+
+**Removal condition:** When `openthread-border-router` is merged into nixpkgs.
+Check: https://github.com/NixOS/nixpkgs/pulls?q=openthread-border-router
+
+---
+
+### `snowfall-lib` — `github:mjallen18/snowfall-lib`
+**File:** `flake.nix:26`
+**Status:** `INTENTIONAL`
+
+Personal fork of `snowfallorg/lib` with 46 commits ahead of upstream, including:
+- `fix: pass namespace argument to overlays`
+- `fix: pass namespace argument to home-manager modules`
+- `feat: support same username across multiple targets`
+- `feat: enable per-channel configuration and fix pkgs selection`
+- Performance improvements and additional features
+
+These are custom changes required by this flake's structure that have not been
+upstreamed.
+
+---
+
+### `steam-rom-manager` — `github:mjallen18/nix-steam-rom-manager`
+**File:** `flake.nix:41`
+**Status:** `INTENTIONAL`
+
+Personal fork/packaging of nix-steam-rom-manager. The upstream
+(`nix-community/nix-steam-rom-manager`) may or may not exist; this is a
+maintained fork.
+
+---
+
+### Commented-out: `nvmd/disko` fork
+**File:** `flake.nix:59-61`
+**Status:** `REDUNDANT` (already disabled)
+
+```nix
+# the fork is needed for partition attributes support
+# url = "github:nvmd/disko/gpt-attrs";
+```
+
+A community fork of disko with GPT partition attribute support was previously
+used but has since been switched back to upstream `nix-community/disko`. The
+comment can be cleaned up if the feature is no longer needed.
+
+---
+
+## Build Fixes & postPatch
+
+### `packages/edk2-basetools/default.nix` — OpenSSL vendoring FIXME
+**File:** `packages/edk2-basetools/default.nix:50-52`
+**Status:** `UPSTREAM PENDING` (verify PR reference)
+
+```nix
+# FIXME: unvendor OpenSSL again once upstream updates
+# to a compatible version.
+# Upstream PR: https://github.com/tianocore/edk2/pull/10946
+```
+
+The comment references tianocore/edk2 PR #10946, but that PR's title is
+*"update to openssl 3.5.1"* (now merged), not an unvendoring PR. The FIXME
+comment may be referencing the wrong PR number or the issue may have evolved.
+The edk2 build still vendor-patches OpenSSL compatibility; this should be
+re-evaluated against the current edk2 upstream.
+
+**Action:** Verify whether the OpenSSL vendoring is still needed with current
+edk2, and update or remove the FIXME comment.
+
+---
+
+### `packages/bcachefs/default.nix` — Tests disabled
+**File:** `packages/bcachefs/default.nix:100`
+**Status:** `ACTIVE`
+
+```nix
+# FIXME: Try enabling this once the default linux kernel is at least 6.7
+doCheck = false; # needs bcachefs module loaded on builder
+```
+
+Tests require a live bcachefs kernel module in the build sandbox, which is
+not available. The comment mentions kernel ≥ 6.7, which is now the case
+(nixpkgs is on 6.12+), but the underlying sandbox limitation still applies —
+the build sandbox cannot load kernel modules regardless of kernel version.
+
+**Action:** The `6.7` condition is now met but irrelevant; update the comment
+to reflect that the real blocker is sandbox access to kernel modules.
+
+---
+
+### `packages/raspberrypi/linux-rpi/default.nix` — Failed kernel attempts
+**File:** `packages/raspberrypi/linux-rpi/default.nix:25-43`
+**Status:** `ACTIVE` (informational)
+
+Four newer RPi kernel versions (6.15.11 through 6.19.0-rc5) are commented out
+because they "fail for various reasons." The active version is pinned to an
+older working commit.
+
+**Action:** Periodically attempt to enable a newer kernel tag. The comments
+serve as a history of failed attempts.
+
+---
+
+### `packages/raspberrypi/linux-rpi/default.nix` — DTB aliasing hack
+**File:** `packages/raspberrypi/linux-rpi/default.nix:110-148`
+**Status:** `ACTIVE`
+
+```nix
+# Make copies of the DTBs named after the upstream names so that U-Boot finds them.
+# This is ugly as heck, but I don't know a better solution so far.
+```
+
+RPi's kernel ships DTBs with non-standard names (e.g. `bcm2708-rpi-zero-w.dtb`);
+U-Boot expects canonical upstream names (e.g. `bcm2835-rpi-zero.dtb`). DTBs
+are duplicated in `postFixup`.
+
+---
+
+### `packages/homeassistant/ha-mail-and-packages/default.nix` — Hardcoded paths
+**File:** `packages/homeassistant/ha-mail-and-packages/default.nix:25-37`
+**Status:** `ACTIVE`
+
+The upstream HA integration hard-codes paths relative to its source directory,
+which breaks in the Nix store. `postPatch` rewrites them to
+`/var/lib/homeassistant/images/`.
+
+---
+
+### `packages/homeassistant/ha-wyzeapi/default.nix` — Version pin relaxation
+**File:** `packages/homeassistant/ha-wyzeapi/default.nix:24-27`
+**Status:** `ACTIVE`
+
+Relaxes the minimum `wyzeapy` version pin from `0.5.28` to `0.5.27` to match
+the version packaged in this flake.
+
+---
+
+## Raspberry Pi — Structural Overrides
+
+### `modules/nixos/hardware/raspberry-pi/default.nix` — jemalloc 16K pages
+**File:** `modules/nixos/hardware/raspberry-pi/default.nix:458-470`
+**Status:** `ACTIVE` (structural)
+
+```nix
+# https://github.com/nvmd/nixos-raspberrypi/issues/64
+jemalloc = prev.jemalloc.overrideAttrs (old: {
+  configureFlags = ... ++ [ "${pageSizeFlag}=14" ];
+});
+```
+
+RPi5 uses 16K memory pages (2^14). jemalloc must be compiled with
+`--with-lg-page=14`, otherwise it will use incorrect page size assumptions
+and likely crash or corrupt memory.
+
+**References:** https://github.com/nvmd/nixos-raspberrypi/issues/64
+
+---
+
+### `systems/aarch64-linux/pi5/boot.nix` — 16K page kernel
+**File:** `systems/aarch64-linux/pi5/boot.nix:22-35`
+**Status:** `ACTIVE` (structural)
+
+Forces `CONFIG_ARM64_16K_PAGES=y` in the kernel config via `linux_6_19.override`.
+`ignoreConfigErrors = true` is required because some kernel config options are
+unavailable and would otherwise fail validation.
+
+---
+
+### `packages/raspberrypi/ffmpeg-rpi/default.nix` — RPi hardware codec ffmpeg
+**File:** `packages/raspberrypi/ffmpeg-rpi/default.nix`
+**Status:** `ACTIVE` (structural)
+
+Custom ffmpeg build from `jc-kynesim/rpi-ffmpeg` fork with RPi hardware codec
+support (`--enable-v4l2-request`, `--enable-sand`, etc.). Tests disabled
+(`doCheck = false`) because the `imgutils` test fails on this build.
+
+---
+
+## systemd Service Overrides
+
+### `systems/x86_64-linux/matt-nixos/default.nix` — networkd-wait-online
+**File:** `systems/x86_64-linux/matt-nixos/default.nix:78`
+**Status:** `INTENTIONAL`
+
+```nix
+systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
+```
+
+The `systemd-networkd-wait-online` service times out on this desktop,
+blocking boot. Standard workaround for desktop systems that don't require
+all interfaces to be up before proceeding.
+
+---
+
+### `systems/x86_64-linux/allyx/default.nix` — Jovian NixOS conflicts
+**File:** `systems/x86_64-linux/allyx/default.nix:121-123`
+**Status:** `ACTIVE`
+
+```nix
+systemd-networkd-wait-online.enable = lib.mkForce false;
+power-profiles-daemon.enable = lib.mkForce false;
+inputplumber.enable = lib.mkForce false;
+```
+
+On the ASUS ROG Ally X with Jovian NixOS and `handheld-daemon`:
+- `power-profiles-daemon` conflicts with `handheld-daemon`'s power management
+- `inputplumber` conflicts with `handheld-daemon`'s input handling
+- `systemd-networkd-wait-online` times out as on matt-nixos
+
+---
+
+### `modules/nixos/services/crowdsec/default.nix` — DynamicUser conflict
+**File:** `modules/nixos/services/crowdsec/default.nix:133-143`
+**Status:** `ACTIVE — UPSTREAM PENDING`
+
+```nix
+systemd.services.crowdsec.serviceConfig.DynamicUser = lib.mkForce false;
+systemd.services.crowdsec-firewall-bouncer.serviceConfig.DynamicUser = lib.mkForce false;
+systemd.services.crowdsec-firewall-bouncer-register.serviceConfig.DynamicUser = lib.mkForce false;
+```
+
+The upstream NixOS crowdsec module uses `ReadWritePaths` (not `StateDirectory`)
+on the main `crowdsec.service`, expecting `/var/lib/crowdsec` to be a real
+directory. However, `crowdsec-firewall-bouncer-register` declares
+`StateDirectory=crowdsec` with `DynamicUser=true`, which conflicts — it tries
+to create `/var/lib/private/crowdsec` and symlink `/var/lib/crowdsec` to it,
+but the directory already exists as a real path. Disabling `DynamicUser` on
+all three services resolves the conflict by using the real `crowdsec` user.
+
+Additionally, `crowdsec-firewall-bouncer-register` calls `cscli` without `-c`,
+expecting `/etc/crowdsec/config.yaml` to exist, but the upstream NixOS module
+uses a Nix store path via `-c` and never creates that file. The module works
+around this by extracting the store path at eval time.
+
+**Removal condition:** When the NixOS crowdsec module is fixed upstream to
+handle state directory ownership consistently.
+
+---
+
+## Incomplete / TODO Items
+
+These are not workarounds but known incomplete configurations:
+
+| File | Line | Description |
+|------|------|-------------|
+| `systems/x86_64-linux/jallen-nas/sops.nix` | 89, 113 | Collabora and MariaDB secrets not configured |
+| `systems/x86_64-linux/jallen-nas/apps.nix` | 47 | Authentik environment secrets file not wired up |
+| `modules/nixos/services/sparky-fitness/default.nix` | — | ~~DB passwords not yet moved to SOPS~~ — resolved; secrets now via `mkSopsEnvFile`; run `sops secrets/nas-secrets.yaml` to add real values for `jallen-nas/sparky-fitness/{db-password,api-encryption-key,auth-secret}` |
+| `modules/nixos/services/your-spotify/default.nix` | 36 | Spotify API keys not yet moved to SOPS |
+| `modules/nixos/services/booklore/default.nix` | 25 | Database password not yet a SOPS secret |
+| `packages/raspberrypi/udev-rules/default.nix` | 33 | `15-i2c-modprobe.rules` disabled; `i2cprobe` script not ported |
+| `modules/nixos/homeassistant/services/homeassistant/default.nix` | 214 | `roborock` integration marked broken |
+
+---
+
+## Kernel Boot Parameters
+
+### `systems/x86_64-linux/matt-nixos/boot.nix` — NVMe power saving
+**File:** `systems/x86_64-linux/matt-nixos/boot.nix:46-48`
+**Status:** `ACTIVE`
+
+```nix
+"nvme_core.default_ps_max_latency_us=0"
+"pcie_aspm=off"
+```
+
+NVMe SSD power-saving states cause latency/stability issues on this machine.
+Disabling ASPM and NVMe power states is a standard workaround for affected
+hardware.
+
+---
+
+### `systems/aarch64-linux/macbook-pro-nixos/boot.nix` — Fan control
+**File:** `systems/aarch64-linux/macbook-pro-nixos/boot.nix:28`
+**Status:** `ACTIVE`
+
+```nix
+"melt_my_mac=1"
+```
+
+Undocumented Asahi Linux kernel parameter that enables fan control on Apple
+Silicon Macs. The name is intentional (set by the Asahi kernel developers).

checks/disksnstuff.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+disk=/dev/mapper/nuc-nixos-cryptroot
+
+# sudo mkfs.vfat "$disk"1
+# sudo bcachefs format --label ssd.ssd1 --compression=zstd --discard "$disk"
+
+sudo mount -t tmpfs -o mode=755 none /mnt
+sudo mkdir -p /mnt/{boot,home,root,etc,nix,var/log,tmp,persist}
+sudo mount /dev/disk/by-partlabel/disk-main-nuc-nixos-EFI /mnt/boot
+# sudo mkdir -p /mnt/boot/firmware
+# sudo mount "$disk"2 /mnt/boot/firmware
+# sudo mount "$disk"2 -o compress=zstd,subvol=home /mnt/home
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=root /mnt/root
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=etc /mnt/etc
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=nix /mnt/nix
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=log /mnt/var/log
+
+# bcachefs unlock -k session /dev/disk/by-partlabel/disk-main-nuc-nixos-bcachefs-root
+sudo cryptsetup open /dev/disk/by-partlabel/disk-main-nuc-nixos-cryptroot nuc-nixos-cryptroot  
+# sudo bcachefs unlock -k session "$disk"2
+# sudo mount "$disk" /mnt/tmp
+# cd /mnt/tmp
+# ls -alh
+
+# sudo bcachefs subvolume create nix
+# sudo bcachefs subvolume create etc
+# sudo bcachefs subvolume create log
+# sudo bcachefs subvolume create root
+# sudo bcachefs subvolume create persist
+# sudo bcachefs subvolume create home
+
+# ls -alh
+# cd /etc/nixos
+# sudo umount /mnt/tmp
+
+sudo mount -o noatime,X-mount.subdir=nix "$disk" /mnt/nix
+sudo mount -o noatime,X-mount.subdir=etc "$disk" /mnt/etc
+sudo mount -o noatime,X-mount.subdir=log "$disk" /mnt/var/log
+sudo mount -o noatime,X-mount.subdir=root "$disk" /mnt/root
+sudo mount -o noatime,X-mount.subdir=persist "$disk" /mnt/persist
+sudo mount -o X-mount.subdir=home "$disk" /mnt/home
+
+# tree /mnt
+
+# sudo nixos-install --flake /etc/nixos#nuc-nixos
+
+# sudo umount /mnt/boot
+# sudo umount /mnt/var/log
+# sudo umount /mnt/persist
+# sudo umount /mnt/home
+# sudo umount /mnt/root
+# sudo umount /mnt/etc
+# sudo umount /mnt/nix
+# sudo umount /mnt
+
+# wpa_passphrase "Joey's Jungle 5G" "kR8v&3Qd" > 5g.conf
+# wpa_supplicant -i wlp6s0 -c 5g.conf -B
+# dhcpcd
+
+# keyctl link @u @s
+# clevis decrypt < "/etc/clevis/nas_pool.jwe" | bcachefs unlock /dev/disk/by-label/nas_pool

checks/pre-commit-hooks/default.nix

@@ -0,0 +1,39 @@
+{
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (inputs) pre-commit-hooks-nix;
+in
+pre-commit-hooks-nix.lib.${pkgs.stdenv.hostPlatform.system}.run {
+  src = ../..;
+  hooks = {
+    pre-commit-hook-ensure-sops = {
+      enable = true;
+      excludes = [
+        "secrets/.*\\.jwe$"
+        "secrets/.*\\.key$"
+      ];
+    };
+    treefmt = {
+      enable = lib.mkForce true;
+      settings.fail-on-change = lib.mkForce false;
+      packageOverrides.treefmt = inputs.treefmt-nix.lib.mkWrapper pkgs (
+        lib.snowfall.fs.get-file "treefmt.nix"
+      );
+    };
+    nixfmt-rfc-style = {
+      enable = true;
+      package = pkgs.nixfmt;
+    };
+    statix = {
+      enable = true;
+      args = [
+        "--config"
+        (lib.snowfall.fs.get-file "statix.toml")
+      ];
+    };
+  };
+}

docs/README.md

@@ -0,0 +1,12 @@
+# Documentation
+
+This directory contains comprehensive documentation for the NixOS configuration.
+
+## Contents
+
+- [Getting Started](./getting-started.md) - Instructions for setting up new systems
+- [System Configurations](./systems/README.md) - Detailed information about each system
+- [Home Assistant](./home-assistant/README.md) - Documentation for the Home Assistant setup
+- [Custom Modules](./modules/README.md) - Information about reusable modules
+- [Architecture](./architecture.md) - Overview of the repository architecture
+- [Troubleshooting](./troubleshooting.md) - Common issues and solutions

docs/architecture.md

@@ -0,0 +1,180 @@
+# Repository Architecture
+
+This document provides an overview of the repository architecture, explaining how the various components fit together.
+
+## Overview
+
+This NixOS configuration repository is built using [Nix Flakes](https://nixos.wiki/wiki/Flakes) and [Snowfall Lib](https://github.com/snowfallorg/lib) to provide a modular, maintainable configuration for multiple systems. The Snowfall namespace is `mjallen`, so all custom options are accessed as `mjallen.<domain>.<name>`.
+
+## Directory Structure
+
+```
+.
+├── flake.nix              # Main flake — inputs, outputs, Snowfall config
+├── flake.lock             # Locked dependency versions
+├── .sops.yaml             # SOPS key management rules
+├── treefmt.nix            # Code formatter configuration
+├── qemu.nix               # QEMU VM testing config
+│
+├── checks/                # Pre-commit hooks and CI checks
+│
+├── docs/                  # Documentation (this directory)
+│
+├── homes/                 # Home Manager configurations
+│   ├── aarch64-darwin/    # macOS user configs
+│   ├── aarch64-linux/     # ARM Linux user configs
+│   └── x86_64-linux/      # x86 Linux user configs
+│
+├── lib/                   # Custom Nix library utilities
+│   ├── module/            # mkModule, mkOpt, mkBoolOpt helpers
+│   ├── file/              # File/path utilities
+│   └── versioning/        # Package version pinning helpers
+│
+├── modules/               # Reusable configuration modules
+│   ├── home/              # Home Manager modules
+│   ├── nixos/             # NixOS system modules
+│   └── darwin/            # nix-darwin modules (macOS)
+│
+├── overlays/              # Nixpkgs overlays
+│
+├── packages/              # Custom package definitions
+│
+├── secrets/               # SOPS-encrypted secret files
+│
+└── systems/               # Per-host system configurations
+    ├── aarch64-darwin/    # macOS (nix-darwin) hosts
+    ├── aarch64-linux/     # ARM Linux hosts
+    ├── x86_64-install-iso/# Install ISO configurations
+    └── x86_64-linux/      # x86_64 Linux hosts
+```
+
+## Flake Inputs
+
+| Input | Source | Purpose |
+|---|---|---|
+| `nixpkgs-unstable` | `github:NixOS/nixpkgs/nixos-unstable` | Primary package set |
+| `nixpkgs-stable` | `github:NixOS/nixpkgs/nixos-25.11` | Stable package set |
+| `nixpkgs-otbr` | `github:mrene/nixpkgs` (fork) | OpenThread Border Router packages |
+| `home-manager-unstable` | `github:nix-community/home-manager` | User environment management |
+| `snowfall-lib` | `github:mjallen18/snowfall-lib` | Flake structure library (personal fork) |
+| `impermanence` | `github:nix-community/impermanence` | Ephemeral root filesystem support |
+| `lanzaboote` | `github:nix-community/lanzaboote/v1.0.0` | Secure Boot |
+| `nixos-hardware` | `github:NixOS/nixos-hardware` | Hardware-specific NixOS configs |
+| `sops-nix` | `github:Mic92/sops-nix` | Secret management |
+| `disko` | `github:nix-community/disko` | Declarative disk partitioning |
+| `cosmic` | `github:lilyinstarlight/nixos-cosmic` | COSMIC desktop environment |
+| `jovian` | `github:Jovian-Experiments/Jovian-NixOS` | Steam Deck / handheld support |
+| `nixos-apple-silicon` | `github:nix-community/nixos-apple-silicon` | Asahi Linux / Apple Silicon |
+| `darwin` | `github:nix-darwin/nix-darwin` | macOS system configuration |
+| `nix-homebrew` | `github:zhaofengli/nix-homebrew` | Declarative Homebrew (macOS) |
+| `stylix` | `github:nix-community/stylix` | System-wide theming |
+| `nix-vscode-extensions` | `github:nix-community/nix-vscode-extensions` | VS Code extension packages |
+| `authentik-nix` | `github:nix-community/authentik-nix` | Authentik SSO |
+| `nix-cachyos-kernel` | `github:xddxdd/nix-cachyos-kernel` | CachyOS optimised kernels |
+| `lsfg-vk` | `github:pabloaul/lsfg-vk-flake` | Lossless Scaling frame generation (Linux) |
+| `nix-index-database` | `github:nix-community/nix-index-database` | Pre-built nix-index database |
+| `steam-rom-manager` | `github:mjallen18/nix-steam-rom-manager` | Steam ROM Manager package |
+| `nix-plist-manager` | `github:sushydev/nix-plist-manager` | macOS plist management |
+| `nix-rosetta-builder` | `github:cpick/nix-rosetta-builder` | Rosetta build support (macOS) |
+| `pre-commit-hooks-nix` | `github:cachix/pre-commit-hooks.nix` | Pre-commit hooks |
+| `treefmt-nix` | `github:numtide/treefmt-nix` | Code formatting |
+
+`nixpkgs` and `home-manager` are aliases pointing to the unstable variants.
+
+## Module System
+
+### Structure
+
+All modules follow a standard Snowfall Lib pattern and are automatically discovered. Each module exposes options under the `mjallen` namespace:
+
+```nix
+# Enable a module
+mjallen.services.jellyfin.enable = true;
+mjallen.desktop.gnome.enable = true;
+mjallen.hardware.amd.enable = true;
+```
+
+### `mkModule` helper
+
+Most service modules are built with `lib.mjallen.mkModule` (`lib/module/default.nix`), which provides a standard set of options:
+
+| Option | Default | Description |
+|---|---|---|
+| `enable` | `false` | Enable/disable the module |
+| `port` | `80` | Service listen port |
+| `listenAddress` | `"0.0.0.0"` | Bind address |
+| `openFirewall` | `true` | Open firewall ports |
+| `configDir` | `/var/lib/<name>` | Config directory |
+| `dataDir` | `/var/lib/<name>/data` | Data directory |
+| `createUser` | `false` | Create a dedicated system user |
+| `configureDb` | `false` | Create a PostgreSQL database |
+| `environmentFile` | `null` | Path to an env-file |
+| `reverseProxy.enable` | `false` | Add a Caddy reverse proxy block |
+| `reverseProxy.subdomain` | `<name>` | Caddy subdomain |
+| `redis.enable` | `false` | Create a dedicated Redis instance |
+
+### NixOS modules (`modules/nixos/`)
+
+| Category | Paths | Description |
+|---|---|---|
+| Boot | `boot/common/`, `boot/lanzaboote/`, `boot/plymouth/`, `boot/systemd-boot/` | Bootloader configurations |
+| Desktop | `desktop/gnome/`, `desktop/hyprland/`, `desktop/cosmic/` | Desktop environments |
+| Development | `development/` | Dev tools, language support, containers |
+| Hardware | `hardware/amd/`, `hardware/nvidia/`, `hardware/battery/`, `hardware/raspberry-pi/`, `hardware/openrgb/`, ... | Hardware-specific configs |
+| Headless | `headless/` | Headless server profile (watchdog, no suspend) |
+| Home Assistant | `homeassistant/` | Smart home automation suite |
+| Impermanence | `impermanence/` | Ephemeral root + persistent state |
+| Monitoring | `monitoring/` | Prometheus/Grafana metrics |
+| Network | `network/` | Hostname, firewall, NetworkManager, static IP |
+| Power | `power/` | UPS support |
+| Programs | `programs/` | System-wide programs (nix-index, gnupg, etc.) |
+| Security | `security/common/`, `security/tpm/` | Common hardening, TPM unlock |
+| Services | `services/<name>/` | ~50 self-hosted service modules (see below) |
+| SOPS | `sops/` | Secret management setup |
+| System | `system/` | Miscellaneous system settings |
+| User | `user/` | User account management |
+| Virtualization | `virtualization/` | libvirt, containers |
+
+### Home Manager modules (`modules/home/`)
+
+| Category | Paths | Description |
+|---|---|---|
+| Desktop | `desktop/gnome/`, `desktop/theme/` | GNOME and theming |
+| GPG | `gpg/` | GPG agent configuration |
+| Programs | `programs/btop/`, `programs/git/`, `programs/zsh/`, `programs/kitty/`, `programs/waybar/`, `programs/hyprland/`, `programs/wofi/`, `programs/mako/`, `programs/wlogout/`, `programs/librewolf/`, `programs/opencode/`, `programs/update-checker/`, ... | User applications |
+| Services | `services/pass/` | Password store integration |
+| Shell | `shell-aliases/` | Common shell aliases |
+| SOPS | `sops/` | User-level secret integration |
+| Stylix | `stylix/` | System-wide theming |
+| User | `user/` | User environment defaults |
+
+## Secrets Management
+
+Secrets are encrypted with [SOPS](https://github.com/getsops/sops) using age keys derived from each machine's SSH host key (`/etc/ssh/ssh_host_ed25519_key`). The `.sops.yaml` file maps secret file path patterns to the set of age recipients that can decrypt them.
+
+Each host has its own secrets file:
+
+| File | Host |
+|---|---|
+| `secrets/secrets.yaml` | Shared (all hosts) |
+| `secrets/nas-secrets.yaml` | jallen-nas |
+| `secrets/pi5-secrets.yaml` | pi5 |
+| `secrets/allyx-secrets.yaml` | allyx |
+| `secrets/nuc-secrets.yaml` | nuc-nixos |
+| `secrets/mac-secrets.yaml` | macbook-pro-nixos |
+| `secrets/desktop-secrets.yaml` | matt-nixos |
+
+See the [Secrets Management](../README.md#secrets-management) section of the root README for full details on generating keys and adding secrets.
+
+## Deployment
+
+```bash
+# NixOS system
+sudo nixos-rebuild switch --flake .#hostname
+
+# macOS (nix-darwin)
+darwin-rebuild switch --flake .#hostname
+
+# Home Manager only
+home-manager switch --flake .#username@hostname
+```

docs/flake-improvements.md

@@ -0,0 +1,348 @@
+# Flake Improvement Suggestions
+
+A methodical review of the flake against what Snowfall Lib provides and what the codebase currently does. Suggestions are grouped by theme and ordered roughly from highest to lowest impact.
+
+---
+
+## 1. Flake-level: HM module registration — single source of truth via snowfall-lib fix
+
+**Root cause discovered**: Snowfall Lib's `mkFlake` previously merged `systems.modules.home` into `homes` only for standalone `homeConfigurations`. The `homes` attrset passed to `create-systems` (which builds `nixosConfigurations`) was the raw unmerged value, so `systems.modules.home` had no effect on NixOS-integrated homes.
+
+**Fix applied**: Patched the personal snowfall-lib fork (`github:mjallen18/snowfall-lib`) to extract the merge into a shared `homes-with-system-modules` binding and pass it to both `create-homes` (standalone) and `create-systems` (NixOS-integrated). `flake.lock` updated to the new commit.
+
+`modules/nixos/home/default.nix` no longer needs `sharedModules` — `systems.modules.home` in `flake.nix` is now the single authoritative list for all contexts.
+
+---
+
+## 2. Flake-level: Duplicated Darwin HM module registration
+
+**Problem**: Same issue as above for Darwin. `flake.nix:160–167` registers Darwin HM modules via `systems.modules.darwin`, but none of those are actually Home Manager modules — `nix-homebrew`, `home-manager.darwinModules.home-manager`, `nix-plist-manager`, `nix-rosetta-builder`, `nix-index-database`, and `stylix.darwinModules.stylix` are all NixOS-style Darwin system modules, not HM `sharedModules`. This is the correct place for them. The `modules/darwin/home/default.nix` module handles the Darwin-side HM bridge.
+
+**No change needed here**, but add a comment to clarify why this list stays in `flake.nix` while the `modules.home` list should move:
+
+```nix
+# Common darwin system-level modules (not HM sharedModules — those live in modules/darwin/home/)
+modules.darwin = with inputs; [ ... ];
+```
+
+---
+
+## 3. System-level: Repeated nebula lighthouse config
+
+**Problem**: Three systems (`matt-nixos`, `allyx`, `macbook-pro-nixos`) each independently spell out the same lighthouse peer config:
+
+```nix
+# Repeated verbatim in 3 files:
+lighthouses = [ "10.1.1.1" ];
+staticHostMap = {
+  "10.1.1.1" = [ "mjallen.dev:4242" ];
+};
+port = 4242;
+```
+
+**Suggestion**: Add defaults to `modules/nixos/services/nebula/default.nix` options so that non-lighthouse nodes don't need to spell this out. Since this is a personal network with one lighthouse, the defaults can encode that:
+
+```nix
+# In nebula/default.nix options:
+lighthouses = lib.mjallen.mkOpt (types.listOf types.str) [ "10.1.1.1" ]
+  "Nebula overlay IPs of lighthouse nodes";
+
+staticHostMap = lib.mjallen.mkOpt (types.attrsOf (types.listOf types.str))
+  { "10.1.1.1" = [ "mjallen.dev:4242" ]; }
+  "Static host map";
+
+port = lib.mjallen.mkOpt types.port 4242 "Nebula listen port";
+```
+
+Client systems can then reduce to:
+
+```nix
+services.nebula = {
+  enable = true;
+  secretsPrefix = "matt-nixos/nebula";
+  secretsFile = lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml";
+  hostSecretName = "matt-nixos";
+};
+```
+
+The lighthouse (`pi5`) already overrides `isLighthouse = true` and doesn't set `lighthouses`/`staticHostMap`, so it would be unaffected.
+
+---
+
+## 4. System-level: `systemd-networkd-wait-online` scattered disablement
+
+**Problem**: `systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false` appears in:
+
+- `systems/x86_64-linux/matt-nixos/default.nix:92`
+- `systems/x86_64-linux/allyx/default.nix:135`
+
+`modules/nixos/network/default.nix` already disables `NetworkManager-wait-online` and `systemd.network.wait-online`, but not `systemd-networkd-wait-online`. These are the same underlying concern.
+
+**Suggestion**: Add `systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;` unconditionally to `modules/nixos/network/default.nix` alongside the existing `NetworkManager-wait-online` disablement (line 89). Remove the per-system overrides.
+
+---
+
+## 5. System-level: `coolercontrol` and GNOME desktop environment variables
+
+**Problem**: Two systems (`matt-nixos:91`, `allyx:82`) share identical config blocks:
+
+```nix
+programs.coolercontrol.enable = true;
+
+environment.variables = {
+  GDK_SCALE = "1";
+  EDITOR = "${lib.getExe' pkgs.vscodium "codium"} --wait";
+  VISUAL = "${lib.getExe' pkgs.vscodium "codium"} --wait";
+};
+```
+
+These belong to a desktop AMD gaming profile, not to the system configs themselves.
+
+**Suggestions** (pick one or both):
+
+- **A** — Add a `coolercontrol.enable` option to `modules/nixos/hardware/amd/default.nix` (default `false`) and wire `programs.coolercontrol.enable` inside it. Each system opts in with `hardware.amd.coolercontrol.enable = true`.
+- **B** — Add `vscodium` as the default `EDITOR`/`VISUAL` to `modules/nixos/desktop/gnome/default.nix` behind a `vscodium.enable` option (default `false`). The two systems that want it set `desktop.gnome.vscodium.enable = true`.
+- **C** — Create a shared `modules/nixos/desktop/common/default.nix` (or `profiles/desktop.nix`) that both GNOME and Hyprland modules consume, and put `GDK_SCALE` there.
+
+---
+
+## 6. System-level: `networking.networkmanager.wifi.backend = "iwd"` bypass
+
+**Problem**: `matt-nixos:100` and `allyx:140` set `networking.networkmanager.wifi.backend = "iwd"` directly, bypassing the `${namespace}.network.iwd.enable` option that the `network` module already provides.
+
+Looking at `modules/nixos/network/default.nix:143–154`, enabling `cfg.iwd.enable` does set this value via `mkForce`, but it also forces `networkmanager.enable = mkForce false` — which is unwanted on these systems that use NetworkManager with the iwd backend.
+
+**Root cause**: The module conflates "use iwd" (the WiFi daemon) with "disable NetworkManager" (the connection manager). These are separate concerns. NetworkManager can use iwd as its WiFi backend while still being the connection manager.
+
+**Suggestion**: Restructure the `network` module's iwd handling:
+
+```nix
+# Instead of forcing NM off when iwd is enabled:
+networking = {
+  wireless.iwd.enable = cfg.iwd.enable;
+  networkmanager = mkIf cfg.networkmanager.enable {
+    enable = true;
+    wifi.backend = mkIf cfg.iwd.enable "iwd";
+    # ... rest of NM config
+  };
+};
+```
+
+Then the per-system lines become:
+
+```nix
+${namespace}.network = {
+  hostName = "matt-nixos";
+  iwd.enable = true;
+  networkmanager.enable = true;
+};
+```
+
+---
+
+## 7. System-level: `fileSystems."/etc".neededForBoot` not in impermanence module
+
+**Problem**: `fileSystems."/etc".neededForBoot = true` is set manually in four system configs (`nuc-nixos`, `pi5`, `jallen-nas`, `graphical`). This is a prerequisite of impermanence (tmpfs root), not a per-system choice.
+
+**Suggestion**: Add to `modules/nixos/impermanence/default.nix`:
+
+```nix
+config = mkIf cfg.enable {
+  fileSystems."/etc".neededForBoot = true;
+  # ... existing config
+};
+```
+
+Then remove the manual setting from each system. (`macbook-pro-nixos` and `matt-nixos` may already have this in their `filesystems.nix` — verify and remove duplicates there too.)
+
+---
+
+## 8. System-level: `system.stateVersion` and `time.timeZone` should be module options
+
+**Problem**: In `modules/nixos/system/default.nix`:
+
+- Line 3: `timezone = "America/Chicago"` is hardcoded
+- Line 54: `system.stateVersion = "23.11"` is hardcoded
+
+Both are set unconditionally for every system with no way to override without using `lib.mkForce`.
+
+**Suggestions**:
+
+```nix
+# modules/nixos/system/default.nix
+{ config, lib, namespace, pkgs, system, ... }:
+let
+  cfg = config.${namespace}.system;
+in
+{
+  options.${namespace}.system = {
+    timezone = lib.mkOption {
+      type = lib.types.str;
+      default = "America/Chicago";
+      description = "System timezone";
+    };
+    stateVersion = lib.mkOption {
+      type = lib.types.str;
+      default = "23.11";
+      description = "NixOS state version. Should match the version used when the system was first installed.";
+    };
+  };
+
+  config = {
+    time.timeZone = cfg.timezone;
+    system.stateVersion = cfg.stateVersion;
+    # ... packages
+  };
+}
+```
+
+This maintains the current default for all systems (no change required) while allowing any system to say `${namespace}.system.stateVersion = "24.05"` cleanly.
+
+---
+
+## 9. Module-level: Darwin and NixOS `nix` modules share ~90% of their content
+
+**Problem**: `modules/darwin/nix/default.nix` and `modules/nixos/nix/default.nix` differ only in:
+- Darwin lacks `daemonCPUSchedPolicy`/`daemonIOSchedClass`/`daemonIOSchedPriority`
+- Darwin lacks the `systemd.services.nix-gc.serviceConfig` block
+- Darwin lacks `cudaSupport`/`rocmSupport` in `nixpkgs.config`
+- Darwin's substituters list omits `attic.xuyh0120.win/lantian`
+
+Everything else — substituters, trusted keys, `warn-dirty`, `experimental-features`, `trusted-users`, `builders-use-substitutes`, `connect-timeout`, `fallback`, `log-lines`, `max-free`, `min-free`, GC settings, `optimise` — is identical.
+
+**Suggestion**: Extract a shared Nix attrset into `lib/nix-settings/default.nix` (or a plain `.nix` file imported by both):
+
+```nix
+# lib/nix-settings/default.nix
+{ lib }:
+{
+  commonSubstituters = [
+    "http://jallen-nas.local:9012/nas-cache"
+    "https://nixos-apple-silicon.cachix.org"
+    "https://nixos-raspberrypi.cachix.org"
+    "https://nix-community.cachix.org"
+    "https://cache.nixos.org/"
+  ];
+  commonTrustedPublicKeys = [ ... ];
+  commonSettings = { warn-dirty = ...; experimental-features = ...; ... };
+  commonGc = { automatic = true; options = "--delete-older-than 30d"; };
+}
+```
+
+Both modules import and spread this. The NixOS module adds scheduler policies and systemd GC service tweaks on top.
+
+---
+
+## 10. Module-level: Home SOPS configuration is inconsistent across homes
+
+**Problem**: Three different patterns are used to configure SOPS in home configs:
+
+1. **`${namespace}.sops.enable = true`** — uses the module at `modules/home/sops/default.nix` (macbook-pro-nixos home, jallen-nas home)
+2. **Inline SOPS config** — sets `sops.*` directly (allyx home, pi5 home)
+3. **Nothing** — some homes don't configure sops at all (matt-nixos home relies on system-level secrets only)
+
+The `modules/home/sops/default.nix` module already handles the `age.keyFile` path, `defaultSopsFile`, and SSH key setup. The inline patterns duplicate this.
+
+**Suggestion**: Migrate all homes that configure sops inline to use `${namespace}.sops.enable = true`. If the home needs a different `defaultSopsFile` (e.g. pi5 uses `secrets/pi5-secrets.yaml`), that should be a module option:
+
+```nix
+# modules/home/sops/default.nix — add option:
+options.${namespace}.sops = {
+  enable = lib.mkEnableOption "home sops";
+  defaultSopsFile = lib.mkOption {
+    type = lib.types.nullOr lib.types.path;
+    default = null;  # falls back to global secrets.yaml
+    description = "Override the default SOPS file for this home";
+  };
+};
+```
+
+---
+
+## 11. Module-level: `modules/nixos/home/default.nix` — `home-manager` input key coupling
+
+**Problem**: `systems.modules.nixos` in `flake.nix:147` explicitly includes `home-manager.nixosModules.home-manager`. However Snowfall Lib **automatically** injects the home-manager NixOS module when the `home-manager` input is present and there are home configurations (Snowfall Lib `system/default.nix` lines 265–270).
+
+**Suggestion**: Verify (by temporarily removing the explicit entry) whether `home-manager.nixosModules.home-manager` can be dropped from `systems.modules.nixos`. If Snowfall Lib handles this automatically, removing it eliminates the manual coupling.
+
+---
+
+## 12. System-level: `nuc-nixos` — large monolithic default.nix
+
+**Problem**: `systems/x86_64-linux/nuc-nixos/default.nix` is over 330 lines and contains everything inline: disk config, networking, Home Assistant dashboard definitions (~170 lines of inline Nix), kernel config, user setup, and services. Every other complex system (jallen-nas) already uses a split structure with `apps.nix`, `services.nix`, `nas-defaults.nix`, etc.
+
+**Suggestion**: Extract into separate files following the jallen-nas pattern:
+
+```
+systems/x86_64-linux/nuc-nixos/
+├── default.nix          # thin: imports + top-level options
+├── boot.nix             # disk/luks/filesystem config
+├── dashboard.nix        # Home Assistant dashboard card definitions
+├── services.nix         # postgres, redis, HA, OTBR etc.
+└── sops.nix             # (or reuse the shared module)
+```
+
+The dashboard in particular (currently lines ~88–260) should be isolated so HA configuration changes don't require touching system-level config.
+
+---
+
+## 13. System-level: Verify `admin@jallen-nas` steam-rom-manager double-import
+
+**Problem**: `homes/x86_64-linux/admin@jallen-nas/default.nix:16` explicitly imports `steam-rom-manager.homeManagerModules.default`. This same module is injected globally via `modules/nixos/home/default.nix:92` for all x86_64 systems (the ARM guard is `!isArm`, and jallen-nas is x86_64).
+
+**Suggestion**: Remove the explicit import from `admin@jallen-nas/default.nix`. If it was added for standalone `home-manager switch` builds (without NixOS), document that reason in a comment rather than keeping a potentially conflicting double-import.
+
+---
+
+## 14. Flake-level: `pi5` host entry with empty modules list
+
+**Problem**: `flake.nix:218–221` defines:
+
+```nix
+pi5 = {
+  modules = [ ];
+};
+```
+
+An empty modules list is the default behavior — this entry has no effect and can be removed. The comment `# disko is already in systems.modules.nixos above` is incorrect (disko is global for all systems, not specific to pi5). The comment itself is misleading.
+
+**Suggestion**: Remove the `pi5` host entry from `flake.nix` entirely. If the comment is meant to remind future maintainers that disko is global, move that context to `AGENTS.md` or a comment near the global `systems.modules.nixos` list.
+
+---
+
+## 15. Flake-level: `home-manager-stable` input is pulled in but never used
+
+**Problem**: `flake.nix:10–13` defines `home-manager-stable` but `home-manager = home-manager-unstable` is the alias (line 21). No system or module references `home-manager-stable` directly. It adds to lock file churn and evaluation time.
+
+**Suggestion**: Remove `home-manager-stable` unless there is a concrete plan to use it for a stable-channel system. If stable Home Manager support is desired in the future, add it back at that point.
+
+---
+
+## 16. Flake-level: Consider using Snowfall Lib `alias` for formatter output
+
+**Problem**: The `outputs-builder` in `flake.nix:277–280` is used only to register the `treefmt` formatter. Snowfall Lib supports an `alias` mechanism and also allows `outputs-builder` to be used, but this is the only use of `outputs-builder` in the entire flake.
+
+**Suggestion**: This is fine as-is, but note that `outputs-builder` output can be overridden by auto-discovery. Since the formatter isn't auto-discovered, `outputs-builder` is the correct approach. No change needed — but the comment on line 279 about the mjallen-lib overlay being auto-discovered is accurate and good to keep.
+
+---
+
+## Summary Table
+
+| # | Location | Type | Effort | Impact |
+|---|----------|------|--------|--------|
+| 1 | `flake.nix` | Deduplication | Low | High — removes confusing double-registration |
+| 2 | `flake.nix` | Documentation | Low | Low |
+| 3 | `nebula/default.nix` | Better defaults | Low | Medium — 3 systems simplified |
+| 4 | `network/default.nix` | Consolidation | Low | Medium — remove per-system workarounds |
+| 5 | `hardware/amd` + `desktop/gnome` | New options | Medium | Medium — DRY gaming desktop profile |
+| 6 | `network/default.nix` | Bug fix / refactor | Medium | High — current iwd handling is incorrect |
+| 7 | `impermanence/default.nix` | Consolidation | Low | Medium — remove 4 manual entries |
+| 8 | `system/default.nix` | New options | Low | Medium — allows per-system overrides cleanly |
+| 9 | `lib/` + `darwin/nix` + `nixos/nix` | Extraction | Medium | Medium — single source of truth for nix config |
+| 10 | `homes/*/` + `modules/home/sops` | Consistency | Low | Low — consistency improvement |
+| 11 | `flake.nix` | Simplification | Low | Low — possible dead entry |
+| 12 | `systems/nuc-nixos/` | Refactor | Medium | High — maintainability |
+| 13 | `homes/admin@jallen-nas` | Bug fix | Trivial | Low — potential double-import |
+| 14 | `flake.nix` | Cleanup | Trivial | Low — dead code |
+| 15 | `flake.nix` | Cleanup | Trivial | Low — reduces lock churn |
+| 16 | `flake.nix` | N/A | None | No change needed |

docs/getting-started.md

@@ -0,0 +1,175 @@
+# Getting Started
+
+This guide will help you get started with this NixOS configuration repository.
+
+## Prerequisites
+
+- Basic knowledge of NixOS and the Nix language
+- Git installed on your system
+- Physical or SSH access to the target machine
+
+## Cloning the Repository
+
+```bash
+git clone ssh://nix-apps@localhost:2222/mjallen/nix-config.git
+cd nix-config
+```
+
+## Installing on a New Machine
+
+### Option 1: Using an existing system configuration
+
+If the machine matches an existing configuration (e.g. reinstalling `jallen-nas`):
+
+1. Boot from a NixOS installation ISO
+2. Partition and mount disks (or use `disko`):
+   ```bash
+   nix run github:nix-community/disko -- --mode disko /path/to/disko-config.nix
+   ```
+3. Clone this repo into the target:
+   ```bash
+   mkdir -p /mnt/etc/nixos
+   git clone <repo-url> /mnt/etc/nixos
+   ```
+4. Install:
+   ```bash
+   nixos-install --flake /mnt/etc/nixos#hostname
+   ```
+
+### Option 2: Adding a new system configuration
+
+1. **Create the system directory** under the appropriate architecture:
+   ```bash
+   mkdir -p systems/x86_64-linux/new-hostname
+   ```
+
+2. **Write the configuration** — at minimum a `default.nix`:
+   ```nix
+   { namespace, ... }:
+   {
+     mjallen = {
+       sops.enable = true;
+       network.hostName = "new-hostname";
+       user.name = "admin";
+     };
+   }
+   ```
+
+3. **Generate hardware configuration** (on the target machine):
+   ```bash
+   nixos-generate-config --no-filesystems --dir systems/x86_64-linux/new-hostname/
+   ```
+
+4. **Add SOPS secrets** for the new host — see [Secrets Management](../README.md#secrets-management).
+
+5. **Build and switch**:
+   ```bash
+   sudo nixos-rebuild switch --flake .#new-hostname
+   ```
+
+## Day-to-Day Usage
+
+### Applying configuration changes
+
+```bash
+# On the local machine
+sudo nixos-rebuild switch --flake .#$(hostname)
+
+# On a remote machine
+nixos-rebuild switch --flake .#hostname --target-host user@host --use-remote-sudo
+```
+
+### Updating flake inputs
+
+```bash
+# Update all inputs
+nix flake update
+
+# Update a single input
+nix flake lock --update-input nixpkgs
+
+# Apply after updating
+sudo nixos-rebuild switch --flake .#$(hostname)
+```
+
+### Garbage collection
+
+```bash
+# Remove old generations and unreferenced store paths
+sudo nix-collect-garbage -d
+
+# Keep the last N generations
+sudo nix-collect-garbage --delete-older-than 30d
+```
+
+## Enabling a Module
+
+Most functionality is exposed through the `mjallen` namespace. To enable a module, set it in the system's `default.nix` (or a relevant sub-file):
+
+```nix
+mjallen = {
+  desktop.gnome.enable = true;
+  hardware.amd.enable = true;
+  gaming.enable = true;
+
+  services.jellyfin = {
+    enable = true;
+    port = 8096;
+    reverseProxy.enable = true;
+  };
+};
+```
+
+See [Custom Modules](./modules/README.md) for the full list of available modules and options.
+
+## Adding a New Service Module
+
+1. **Create the module directory**:
+   ```bash
+   mkdir -p modules/nixos/services/my-service
+   ```
+
+2. **Write `default.nix`** using the `mkModule` helper:
+   ```nix
+   { config, lib, namespace, pkgs, ... }:
+   let
+     name = "my-service";
+     nebulaConfig = lib.${namespace}.mkModule {
+       inherit config name;
+       description = "my service description";
+       options = { };
+       moduleConfig = {
+         services.my-service = {
+           enable = true;
+           port   = config.${namespace}.services.${name}.port;
+         };
+       };
+     };
+   in
+   { imports = [ nebulaConfig ]; }
+   ```
+
+3. **Enable it** in a system configuration:
+   ```nix
+   mjallen.services.my-service = {
+     enable = true;
+     port   = 1234;
+   };
+   ```
+
+## Adding a New Package
+
+1. Create a directory under `packages/`:
+   ```bash
+   mkdir packages/my-package
+   ```
+
+2. Write a `default.nix` that returns a derivation. The package will be available as `pkgs.mjallen.my-package` in all configurations.
+
+## Secrets
+
+See the [Secrets Management](../README.md#secrets-management) section of the root README for:
+- How age keys are derived from SSH host keys
+- Adding a new machine as a SOPS recipient
+- Adding/editing secrets
+- Generating Nebula VPN certificates

docs/home-assistant/README.md

@@ -0,0 +1,188 @@
+# Home Assistant Configuration
+
+This document provides comprehensive information about the Home Assistant setup in this NixOS configuration.
+
+## Overview
+
+Home Assistant is configured as a NixOS service with custom components, integrations, and automations. The configuration uses a modular approach with separate files for different aspects of the setup.
+
+## Module Structure
+
+The Home Assistant configuration is organized in the following structure:
+
+```
+modules/nixos/homeassistant/
+├── automations/              # Automation configurations
+│   ├── lightswitch/          # Light switch automations
+│   └── motion-light/         # Motion-activated light automations
+├── default.nix               # Main module configuration
+├── options.nix               # Module options definition
+└── services/                 # Related service configurations
+    ├── govee2mqtt/           # Govee integration via MQTT
+    ├── homeassistant/        # Core Home Assistant service
+    ├── music-assistant/      # Music Assistant integration
+    ├── thread/               # Thread border router
+    └── zigbee2mqtt/          # Zigbee to MQTT bridge
+```
+
+## Installation
+
+The Home Assistant module is enabled in the system configuration by setting:
+
+```nix
+mjallen.services.home-assistant.enable = true;
+```
+
+This activates Home Assistant and related services such as MQTT, Zigbee2MQTT, and the Matter server.
+
+## Configuration Options
+
+The module provides several configuration options:
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enable` | boolean | `false` | Enable Home Assistant and related services |
+| `mosquittoPort` | integer | `1883` | Port for the MQTT broker |
+| `zigbee2mqttPort` | integer | `8080` | Port for the Zigbee2MQTT web interface |
+| `zigbeeDevicePath` | string | `/dev/ttyUSB0` | Path to the Zigbee USB device |
+
+## Core Services
+
+### Home Assistant
+
+The main Home Assistant service is configured in `services/homeassistant/default.nix` with:
+
+- PostgreSQL database backend
+- Custom components
+- Custom Lovelace modules
+- HTTPS access with authentication
+- Integration with other services
+
+### MQTT
+
+MQTT is used as a messaging protocol for various smart home devices. The Mosquitto MQTT broker is automatically configured when Home Assistant is enabled.
+
+### Zigbee2MQTT
+
+Zigbee2MQTT allows integration with Zigbee devices. It's configured with:
+
+- Automatic discovery for Home Assistant
+- OTA updates for Zigbee devices
+- Web interface for management
+
+### Thread Border Router
+
+The Thread Border Router provides integration with Thread-based devices like Matter devices.
+
+## Custom Components
+
+The following custom components are included:
+
+- `ha-anycubic` - Anycubic 3D printer integration
+- `ha-bambulab` - Bambu Lab 3D printer integration
+- `ha-bedjet` - BedJet climate control integration
+- `ha-gehome` - GE Home appliance integration
+- `ha-icloud3` - Enhanced iCloud device tracking
+- `ha-local-llm` - Local LLM integration
+- `ha-mail-and-packages` - Mail and package delivery tracking
+- `ha-nanokvm` - NanoKVM integration
+- `ha-openhasp` - openHASP integration for DIY displays
+- `ha-overseerr` - Overseerr media request integration
+- `ha-petlibro` - PetLibro pet feeder integration
+- `ha-wyzeapi` - Wyze device integration
+
+## Automations
+
+### Light Switch Automations
+
+The light switch automations handle physical switch inputs for controlling smart lights.
+
+### Motion Light Automations
+
+Motion light automations turn lights on when motion is detected and off after a period of inactivity.
+
+### Custom Automations
+
+Additional automations are placed in the `/etc/hass` directory and are included in the Home Assistant configuration. These include:
+
+- `fountain_automation.yaml` - Toggles the water dispensing mode on the Dockstream Smart RFID Fountain every 15 minutes between constant and intermittent flow.
+
+## Smart Home Devices
+
+The configuration includes support for various smart home devices:
+
+### Lighting
+
+- Various smart lights throughout the home
+
+### Climate
+
+- Smart thermostat
+- Humidifier control
+
+### Pet Care
+
+- Dockstream Smart RFID Fountain with scheduling
+- Smart pet feeders for pets named Joey and Luci
+- Litter-Robot 4 smart litter box
+
+### Media
+
+- Google Cast devices
+- Smart TVs
+- Media players
+
+### Sensors
+
+- Temperature, humidity, and motion sensors
+- Door and window sensors
+- Presence detection
+
+## Integration with Other Services
+
+Home Assistant is integrated with:
+
+- **Music Assistant** - For enhanced music streaming capabilities
+- **Govee Integration** - For Govee smart devices
+- **Matter** - For Matter-compatible devices
+
+## Adding New Automations
+
+To add a new automation:
+
+1. Create a YAML file with the automation definition
+2. Place it in `/etc/hass`
+3. The automation will be automatically included in Home Assistant
+
+Example automation format:
+
+```yaml
+alias: "Automation Name"
+description: "Description of what the automation does"
+trigger:
+  - platform: state
+    entity_id: binary_sensor.motion_sensor
+    to: "on"
+condition: []
+action:
+  - service: light.turn_on
+    target:
+      entity_id: light.living_room
+mode: single
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Zigbee Device Pairing Issues**
+   - Make sure the Zigbee coordinator is properly connected
+   - Check the Zigbee2MQTT logs for errors
+
+2. **Service Unavailable**
+   - Check if all related services are running
+   - Verify firewall rules allow access to the services
+
+3. **Database Issues**
+   - Check PostgreSQL service status
+   - Verify database connection settings

docs/home-assistant/automations.md

@@ -0,0 +1,148 @@
+# Home Assistant Automations
+
+This document details the automations configured in the Home Assistant setup.
+
+## Automation Types
+
+Automations in this configuration are managed in several ways:
+
+1. **Module-Based Automations**: Defined in Nix modules within the `modules/nixos/homeassistant/automations/` directory
+2. **YAML Automations**: Defined in YAML files and included via the `automation manual` directive
+3. **UI-Created Automations**: Created through the Home Assistant UI and stored in `automations.yaml`
+
+## Module-Based Automations
+
+### Light Switch Automations
+
+**Location**: `modules/nixos/homeassistant/automations/lightswitch/`
+
+These automations link physical light switches to smart lights:
+
+- **Bedroom Light Switch**: Controls the bedroom lights
+- **Living Room Light Switch**: Controls the living room lights
+- **Bedroom Closet Lights**: Controls the closet lights
+
+### Motion-Activated Light Automations
+
+**Location**: `modules/nixos/homeassistant/automations/motion-light/`
+
+These automations turn lights on when motion is detected and off after a period of inactivity.
+
+## YAML Automations
+
+### Fountain Cycling Automation
+
+**Location**: `/etc/nixos/fountain_automation.yaml`
+
+This automation toggles the water dispensing mode on the Dockstream Smart RFID Fountain every 15 minutes:
+
+```yaml
+alias: "Fountain Cycle Mode"
+description: "Toggles fountain water mode every 15 minutes between constant and intermittent flow"
+trigger:
+  - platform: time_pattern
+    minutes: "/15"  # Every 15 minutes
+condition: []
+action:
+  - service: select.select_next
+    target:
+      entity_id: select.dockstream_smart_rfid_fountain_water_dispensing_mode
+mode: single
+id: fountain_cycle_mode
+```
+
+This automation:
+1. Triggers every 15 minutes
+2. Uses the `select.select_next` service to toggle between the two available options:
+   - "Flowing Water (Constant)"
+   - "Intermittent Water (Scheduled)"
+
+The fountain is also configured with:
+- Water Interval: 10 minutes
+- Water Dispensing Duration: 15 minutes
+
+## Creating New Automations
+
+### Method 1: Module-Based Automation
+
+For reusable, complex automations that should be managed in code:
+
+1. Create a new directory in `modules/nixos/homeassistant/automations/`
+2. Create a `default.nix` file with the automation logic
+
+Example:
+```nix
+{ config, lib, ... }:
+{
+  config = {
+    services.home-assistant.config."automation manual" = [
+      {
+        alias = "Example Automation";
+        description = "Example automation created via Nix module";
+        trigger = [
+          {
+            platform = "state";
+            entity_id = "binary_sensor.example_sensor";
+            to = "on";
+          }
+        ];
+        action = [
+          {
+            service = "light.turn_on";
+            target.entity_id = "light.example_light";
+          }
+        ];
+        mode = "single";
+      }
+    ];
+  };
+}
+```
+
+### Method 2: YAML Automation
+
+For simpler automations:
+
+1. Create a YAML file with the automation definition
+2. Place it in `/etc/hass/`
+
+Example:
+```yaml
+alias: "Example Automation"
+description: "Example automation in YAML"
+trigger:
+  - platform: state
+    entity_id: binary_sensor.example_sensor
+    to: "on"
+action:
+  - service: light.turn_on
+    target:
+      entity_id: light.example_light
+mode: single
+```
+
+### Method 3: UI Creation
+
+For quick prototyping or simple automations:
+
+1. Go to Home Assistant UI > Settings > Automations & Scenes
+2. Click "+ Add Automation"
+3. Configure using the UI editor
+
+## Testing Automations
+
+To test an automation:
+
+1. In the Home Assistant UI, go to Developer Tools > Services
+2. Select `automation.trigger` as the service
+3. Enter the entity_id of your automation in the service data field
+4. Click "Call Service" to trigger the automation manually
+
+## Troubleshooting
+
+If an automation isn't working as expected:
+
+1. Check the Home Assistant logs for errors
+2. Verify entity names and service calls are correct
+3. Test individual triggers and actions separately
+4. Use the "Debug" section in the automation editor to trace execution

docs/home-assistant/fountain-automation.md

@@ -0,0 +1,96 @@
+# Pet Fountain Automation
+
+This document details the automation for the Dockstream Smart RFID Fountain device.
+
+## Overview
+
+The Dockstream Smart RFID Fountain is a smart pet fountain controlled through Home Assistant. A custom automation has been created to toggle the water dispensing mode between constant flow and intermittent flow every 15 minutes. This cycling helps keep the water fresh while reducing energy consumption.
+
+## Fountain Configuration
+
+The Dockstream Smart RFID Fountain has the following settings in Home Assistant:
+
+| Setting | Entity ID | Value | Description |
+|---------|-----------|-------|-------------|
+| Water Dispensing Mode | `select.dockstream_smart_rfid_fountain_water_dispensing_mode` | Toggles between modes | Controls how water flows |
+| Water Interval | `number.dockstream_smart_rfid_fountain_water_interval` | 10 minutes | Time between water dispensing in intermittent mode |
+| Water Dispensing Duration | `number.dockstream_smart_rfid_fountain_water_dispensing_duration` | 15 minutes | How long water flows in intermittent mode |
+| Cleaning Cycle | `number.dockstream_smart_rfid_fountain_cleaning_cycle` | 14 days | Reminder interval for cleaning |
+
+## Available Modes
+
+The fountain supports two water dispensing modes:
+
+1. **Flowing Water (Constant)** - Water flows continuously
+2. **Intermittent Water (Scheduled)** - Water flows according to the interval and duration settings
+
+## Automation Details
+
+The fountain cycling automation is defined in `/etc/nixos/fountain_automation.yaml`:
+
+```yaml
+alias: "Fountain Cycle Mode"
+description: "Toggles fountain water mode every 15 minutes between constant and intermittent flow"
+trigger:
+  - platform: time_pattern
+    minutes: "/15"  # Every 15 minutes
+condition: []
+action:
+  - service: select.select_next
+    target:
+      entity_id: select.dockstream_smart_rfid_fountain_water_dispensing_mode
+mode: single
+id: fountain_cycle_mode
+```
+
+### How It Works
+
+1. **Trigger**: The automation runs every 15 minutes based on the time pattern trigger
+2. **Action**: It uses the `select.select_next` service to toggle to the next available option
+3. **Mode**: Set to "single" to prevent multiple executions if triggers overlap
+
+## Installation
+
+The automation is included in Home Assistant via the `automation manual` directive in the Home Assistant configuration:
+
+```yaml
+"automation manual" = "!include_dir_merge_list /etc/hass";
+```
+
+The YAML file needs to be placed in the `/etc/hass` directory to be loaded.
+
+## Testing
+
+To manually test the automation:
+
+1. In Home Assistant UI, go to Developer Tools > Services
+2. Select `automation.trigger` as the service
+3. Enter the following service data:
+   ```yaml
+   entity_id: automation.fountain_cycle_mode
+   ```
+4. Click "Call Service" to trigger the automation
+
+## Customizing
+
+To adjust the cycling interval:
+
+1. Edit the YAML file at `/etc/nixos/fountain_automation.yaml`
+2. Change the `minutes` value in the trigger section (e.g., from `"/15"` to `"/30"` for every 30 minutes)
+3. Save the file
+4. Restart Home Assistant or reload automations
+
+To adjust fountain settings:
+
+1. In Home Assistant UI, go to Settings > Devices & Services
+2. Find the Dockstream Smart RFID Fountain device
+3. Adjust the water interval or dispensing duration settings
+
+## Troubleshooting
+
+If the automation is not working as expected:
+
+1. Check that the entity ID is correct and the fountain is online
+2. Verify that Home Assistant is including the automation file correctly
+3. Look for errors in the Home Assistant logs related to the automation or the fountain
+4. Try manually controlling the fountain to ensure it responds to commands

docs/modules/README.md

@@ -0,0 +1,295 @@
+# Custom Modules
+
+This directory contains documentation for the custom modules used in this NixOS configuration.
+
+## Overview
+
+Modules are split into three categories:
+
+- **NixOS modules** (`modules/nixos/`) — system-level configuration
+- **Home Manager modules** (`modules/home/`) — user-level configuration
+- **Darwin modules** (`modules/darwin/`) — macOS-specific configuration
+
+All modules are auto-discovered by Snowfall Lib and expose options under the `mjallen` namespace.
+
+## NixOS Modules
+
+### Boot (`modules/nixos/boot/`)
+
+| Module | Description |
+|---|---|
+| `boot/common/` | Shared boot defaults (quiet boot, Plymouth) |
+| `boot/lanzaboote/` | Secure Boot via Lanzaboote |
+| `boot/systemd-boot/` | systemd-boot (non-secure-boot systems) |
+| `boot/plymouth/` | Plymouth splash screen |
+
+### Desktop (`modules/nixos/desktop/`)
+
+| Module | Description |
+|---|---|
+| `desktop/gnome/` | GNOME desktop environment |
+| `desktop/hyprland/` | Hyprland compositor |
+| `desktop/cosmic/` | COSMIC desktop environment |
+
+### Development (`modules/nixos/development/`)
+
+Enables development tools and language support. Options:
+
+```nix
+mjallen.development = {
+  enable           = true;
+  includeLanguages = [ "python" "c" ];
+  includeContainers = true;
+};
+```
+
+### Hardware (`modules/nixos/hardware/`)
+
+| Module | Description |
+|---|---|
+| `hardware/amd/` | AMD GPU (AMDGPU driver, LACT) |
+| `hardware/nvidia/` | NVIDIA GPU |
+| `hardware/battery/` | Battery charge threshold management |
+| `hardware/raspberry-pi/` | Raspberry Pi hardware support and DT overlays |
+| `hardware/openrgb/` | OpenRGB for LED control |
+| `hardware/btrfs/` | btrfs-specific settings |
+| `hardware/common/` | Common hardware defaults |
+
+### Headless (`modules/nixos/headless/`)
+
+Server profile — disables suspend/hibernate, enables systemd watchdog, no display manager.
+
+```nix
+mjallen.headless.enable = true;
+```
+
+### Home Assistant (`modules/nixos/homeassistant/`)
+
+Full smart home stack. See [Home Assistant docs](../home-assistant/README.md) for details.
+
+```nix
+mjallen.services.home-assistant.enable = true;
+```
+
+### Impermanence (`modules/nixos/impermanence/`)
+
+Ephemeral root filesystem with explicit persistence declarations.
+
+```nix
+mjallen.impermanence = {
+  enable           = true;
+  extraDirectories = [ { directory = "/var/lib/myapp"; user = "myapp"; } ];
+};
+```
+
+### Monitoring (`modules/nixos/monitoring/`)
+
+Prometheus metrics and Grafana dashboards.
+
+```nix
+mjallen.monitoring.enable = true;
+```
+
+### Network (`modules/nixos/network/`)
+
+Hostname, firewall, NetworkManager profiles, static IP configuration.
+
+```nix
+mjallen.network = {
+  hostName = "my-host";
+  ipv4 = {
+    method    = "manual";
+    address   = "10.0.1.5/24";
+    gateway   = "10.0.1.1";
+    dns       = "1.1.1.1";
+    interface = "eth0";
+  };
+  firewall = {
+    enable          = true;
+    allowedTCPPorts = [ 80 443 ];
+  };
+};
+```
+
+### Power (`modules/nixos/power/`)
+
+UPS (NUT) support.
+
+```nix
+mjallen.power.ups.enable = true;
+```
+
+### Security (`modules/nixos/security/`)
+
+| Module | Description |
+|---|---|
+| `security/common/` | Common hardening (kernel params, etc.) |
+| `security/tpm/` | TPM2 — Clevis disk unlock |
+
+### Services (`modules/nixos/services/`)
+
+~50 self-hosted service modules, all built with `mkModule`. Each exposes at minimum `enable`, `port`, `reverseProxy`, and `openFirewall`. Common usage pattern:
+
+```nix
+mjallen.services.jellyfin = {
+  enable         = true;
+  port           = 8096;
+  reverseProxy.enable = true;
+};
+```
+
+Available services:
+
+`actual`, `ai`, `appimage`, `arrs`, `attic`, `authentik`, `authentikRac`, `booklore`, `caddy`, `calibre`, `calibre-web`, `cockpit`, `code-server`, `collabora`, `coturn`, `crowdsec`, `dispatcharr`, `free-games-claimer`, `gitea`, `glance`, `glances`, `grafana`, `guacd`, `headscale`, `immich`, `jellyfin`, `jellyseerr`, `lubelogger`, `manyfold`, `matrix`, `minecraft`, `mongodb`, `nebula`, `netbootxyz`, `nextcloud`, `ntfy`, `onlyoffice`, `opencloud`, `orca`, `paperless`, `paperless-ai`, `protonmail-bridge`, `restic`, `samba`, `sparky-fitness`, `sparky-fitness-server`, `sunshine`, `tdarr`, `termix`, `tunarr`, `unmanic`, `uptime-kuma`, `wyoming`, `your-spotify`
+
+#### Nebula VPN (`services/nebula/`)
+
+Unified module for both lighthouse and node roles:
+
+```nix
+# Lighthouse
+mjallen.services.nebula = {
+  enable         = true;
+  isLighthouse   = true;
+  port           = 4242;
+  secretsPrefix  = "pi5/nebula";
+  secretsFile    = lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml";
+  hostSecretName = "lighthouse";
+};
+
+# Node
+mjallen.services.nebula = {
+  enable         = true;
+  port           = 4242;
+  lighthouses    = [ "10.1.1.1" ];
+  staticHostMap  = { "10.1.1.1" = [ "mjallen.dev:4242" ]; };
+  secretsPrefix  = "mymachine/nebula";
+  secretsFile    = lib.snowfall.fs.get-file "secrets/mymachine-secrets.yaml";
+  hostSecretName = "mymachine";
+};
+```
+
+See [Secrets Management](../../README.md#generating-nebula-vpn-certificates) for how to generate the required certificates.
+
+### SOPS (`modules/nixos/sops/`)
+
+Configures sops-nix to decrypt secrets using the machine's SSH host key as an age key.
+
+```nix
+mjallen.sops = {
+  enable       = true;
+  sshKeyPaths  = [ "/etc/ssh/ssh_host_ed25519_key" ];  # default
+};
+```
+
+### User (`modules/nixos/user/`)
+
+System user account management.
+
+```nix
+mjallen.user = {
+  name         = "matt";
+  mutableUsers = false;
+  extraGroups  = [ "docker" "video" ];
+};
+```
+
+---
+
+## Home Manager Modules
+
+### Desktop
+
+| Module | Description |
+|---|---|
+| `desktop/gnome/` | GNOME user settings (extensions, keybindings, etc.) |
+| `desktop/theme/` | Theme configuration |
+
+### Programs
+
+| Module | Description |
+|---|---|
+| `programs/btop/` | btop system monitor |
+| `programs/code/` | VS Code / VSCodium settings |
+| `programs/git/` | Git user config |
+| `programs/hyprland/` | Hyprland compositor config |
+| `programs/kitty/` | Kitty terminal config |
+| `programs/librewolf/` | LibreWolf browser settings |
+| `programs/mako/` | Mako notification daemon |
+| `programs/nwg-dock/` | nwg-dock panel |
+| `programs/nwg-drawer/` | nwg-drawer app launcher |
+| `programs/nwg-panel/` | nwg-panel bar |
+| `programs/opencode/` | OpenCode AI coding assistant |
+| `programs/update-checker/` | Automatic flake update checker |
+| `programs/waybar/` | Waybar status bar |
+| `programs/wlogout/` | Logout menu |
+| `programs/wofi/` | Wofi launcher |
+| `programs/zsh/` | Zsh shell config |
+
+### Other
+
+| Module | Description |
+|---|---|
+| `gpg/` | GPG agent configuration |
+| `services/pass/` | Password store |
+| `shell-aliases/` | Common shell aliases |
+| `sops/` | User-level SOPS secrets |
+| `stylix/` | System-wide theming (colours, fonts, wallpaper) |
+| `user/` | User environment defaults |
+
+---
+
+## Module Development
+
+### Using `mkModule`
+
+The `lib.mjallen.mkModule` helper (`lib/module/default.nix`) creates a fully-featured NixOS module from a minimal spec:
+
+```nix
+{ config, lib, namespace, pkgs, ... }:
+let
+  name = "my-service";
+  cfg  = config.${namespace}.services.${name};
+
+  serviceConfig = lib.${namespace}.mkModule {
+    inherit config name;
+    description = "my service";
+    options = {
+      # extra options beyond the standard set
+      myOption = lib.${namespace}.mkOpt lib.types.str "default" "Description";
+    };
+    moduleConfig = {
+      services.my-service = {
+        enable = true;
+        port   = cfg.port;
+      };
+    };
+  };
+in
+{ imports = [ serviceConfig ]; }
+```
+
+Standard options provided by `mkModule` for free: `enable`, `port`, `listenAddress`, `openFirewall`, `configDir`, `dataDir`, `createUser`, `configureDb`, `environmentFile`, `reverseProxy.*`, `redis.*`, `extraEnvironment`, `hashedPassword`, `puid`, `pgid`, `timeZone`.
+
+### Using `mkContainerService`
+
+For Podman/OCI container services, use `mkContainerService` instead:
+
+```nix
+lib.${namespace}.mkContainerService {
+  inherit config name;
+  image        = "ghcr.io/example/my-app:latest";
+  internalPort = 8080;
+  volumes      = [ "${cfg.configDir}:/config" ];
+};
+```
+
+### Option helpers
+
+```nix
+lib.mjallen.mkOpt      types.str "default" "description"
+lib.mjallen.mkBoolOpt  false "description"
+lib.mjallen.mkOpt'     types.int 80        # no description
+lib.mjallen.enabled                         # { enable = true; }
+lib.mjallen.disabled                        # { enable = false; }
+```

docs/modules/homeassistant.md

@@ -0,0 +1,190 @@
+# Home Assistant Module
+
+This document details the Home Assistant module configuration.
+
+## Module Structure
+
+The Home Assistant module is organized in the following structure:
+
+```
+modules/nixos/homeassistant/
+├── automations/              # Automation configurations
+│   ├── lightswitch/          # Light switch automations
+│   └── motion-light/         # Motion-activated light automations
+├── default.nix               # Main module configuration
+├── options.nix               # Module options definition
+└── services/                 # Related service configurations
+    ├── govee2mqtt/           # Govee integration via MQTT
+    ├── homeassistant/        # Core Home Assistant service
+    ├── music-assistant/      # Music Assistant integration
+    ├── thread/               # Thread border router
+    └── zigbee2mqtt/          # Zigbee to MQTT bridge
+```
+
+## Module Options
+
+The module is configured through options defined in `options.nix`:
+
+```nix
+options.${namespace}.services.home-assistant = {
+  enable = mkEnableOption "enable home-assistant";
+  mosquittoPort = mkOpt types.int 1883 "Port for MQTT";
+  zigbee2mqttPort = mkOpt types.int 8080 "Port for zigbee2mqtt web interface";
+  zigbeeDevicePath = mkOpt types.str "/dev/ttyUSB0" "Path to zigbee usb device";
+};
+```
+
+## Main Configuration
+
+The main module configuration in `default.nix` includes:
+
+1. **Activation Scripts** - For setting up custom components
+2. **Service Configurations** - For Matter, PostgreSQL, etc.
+3. **Firewall Rules** - For allowing required ports
+
+```nix
+config = lib.mkIf cfg.enable {
+  # Activation script for custom components
+  system.activationScripts.installCustomComponents = ''
+    chown -R hass:hass ${config.services.home-assistant.configDir}
+    chmod -R 750 ${config.services.home-assistant.configDir}
+  '';
+
+  # Service configurations
+  services = {
+    matter-server.enable = true;
+    postgresql = {
+      enable = false;
+      ensureDatabases = [ "hass" ];
+      ensureUsers = [
+        {
+          name = "hass";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+  };
+
+  # Firewall rules
+  networking.firewall.allowedTCPPorts = [
+    cfg.mosquittoPort
+    cfg.zigbee2mqttPort
+    8095 # music-assistant
+    8097 # home-assistant
+    5580 # matter-server
+  ];
+};
+```
+
+## Home Assistant Service
+
+The core Home Assistant service configuration in `services/homeassistant/default.nix` includes:
+
+1. **Package Selection** - Using the standard Home Assistant package
+2. **Component Configuration** - Enabling required components
+3. **Custom Components** - Adding custom components from packages
+4. **Lovelace Modules** - Adding custom UI components
+5. **Integration Configuration** - Setting up integrations with other systems
+
+```nix
+services.home-assistant = {
+  enable = true;
+  package = pkgs.home-assistant;
+  openFirewall = true;
+  configDir = "/var/lib/homeassistant";
+  configWritable = true;
+  
+  # Components
+  extraComponents = [
+    "mqtt"
+    "zha"
+    "homekit"
+    # ... many more components
+  ];
+  
+  # Custom components
+  customComponents = [
+    # ... custom components
+  ];
+  
+  # Lovelace modules
+  customLovelaceModules = [
+    # ... custom UI modules
+  ];
+  
+  # Configuration
+  config = {
+    # ... Home Assistant configuration
+  };
+};
+```
+
+## Related Services
+
+### Zigbee2MQTT
+
+The Zigbee2MQTT service in `services/zigbee2mqtt/default.nix` connects Zigbee devices to MQTT:
+
+```nix
+services.zigbee2mqtt = {
+  enable = true;
+  settings = {
+    mqtt = {
+      server = "mqtt://localhost:${toString cfg.mosquittoPort}";
+    };
+    serial = {
+      port = cfg.zigbeeDevicePath;
+    };
+    # ... additional settings
+  };
+};
+```
+
+### MQTT
+
+MQTT is configured as a dependency for the Home Assistant module.
+
+### Thread Border Router
+
+The Thread Border Router in `services/thread/default.nix` provides Thread network connectivity for Matter devices.
+
+## Automations
+
+The module includes predefined automations in the `automations/` directory:
+
+1. **Light Switch Automations** - For controlling lights via physical switches
+2. **Motion Light Automations** - For motion-activated lighting
+
+## Using the Module
+
+To use this module in a system configuration:
+
+```nix
+{ config, ... }:
+{
+  mjallen.services.home-assistant = {
+    enable = true;
+    # Optional: customize ports and device paths
+    mosquittoPort = 1883;
+    zigbee2mqttPort = 8080;
+    zigbeeDevicePath = "/dev/ttyUSB0";
+  };
+}
+```
+
+## Extending the Module
+
+### Adding Custom Components
+
+To add a custom component:
+
+1. Add the package to `packages/`
+2. Add it to the `customComponents` list in `services/homeassistant/default.nix`
+
+### Adding Custom Automations
+
+To add a custom automation:
+
+1. Create a new directory in `automations/`
+2. Implement the automation in `default.nix`
+3. Import it in the system configuration

docs/systems/README.md

@@ -0,0 +1,37 @@
+# System Configurations
+
+This directory contains documentation for each system configuration in this repository.
+
+## Systems
+
+| Host | Architecture | OS | Role |
+|---|---|---|---|
+| [matt-nixos](./matt-nixos.md) | x86_64-linux | NixOS | Primary AMD desktop |
+| [jallen-nas](./jallen-nas.md) | x86_64-linux | NixOS | Home server / NAS |
+| [nuc-nixos](./nuc-nixos.md) | x86_64-linux | NixOS | Intel NUC — Home Assistant hub |
+| [allyx](./allyx.md) | x86_64-linux | NixOS | ASUS ROG Ally X handheld |
+| [pi5](./pi5.md) | aarch64-linux | NixOS | Raspberry Pi 5 — network services |
+| [macbook-pro-nixos](./macbook-pro-nixos.md) | aarch64-linux | NixOS (Asahi) | Apple Silicon MacBook Pro |
+| [macbook-pro](./macbook-pro.md) | aarch64-darwin | nix-darwin | macOS on the same MacBook Pro |
+
+There are also two ISO targets (`x86_64-install-iso/graphical`, `x86_64-linux/iso-minimal`) used for installation media builds.
+
+## Network
+
+All hosts are on the `10.0.1.0/24` LAN with static IPs:
+
+| Host | LAN IP | Overlay (Nebula) |
+|---|---|---|
+| pi5 | 10.0.1.2 | 10.1.1.1 (lighthouse) |
+| jallen-nas | 10.0.1.3 | 10.1.1.x (node) |
+| nuc-nixos | 10.0.1.4 | — |
+
+## Common Configuration
+
+All systems share:
+- SOPS secret management (age keys from SSH host keys)
+- Impermanence (ephemeral root, explicit persistence)
+- Nix flake-based configuration via Snowfall Lib
+- The `mjallen` module namespace
+
+Each system then layers its own modules and hardware configuration on top.

docs/systems/allyx.md

@@ -0,0 +1,57 @@
+# ASUS ROG Ally X (allyx)
+
+`systems/x86_64-linux/allyx/`
+
+## Hardware
+
+- **Device**: ASUS ROG Ally X handheld gaming PC
+- **CPU/GPU**: AMD (LACT, CoolerControl)
+- **Disk**: NVMe with LUKS encryption
+- **Security**: Lanzaboote (Secure Boot)
+
+## Key Features
+
+- Jovian NixOS for Steam Deck-compatible experience
+- Steam auto-starts into Game Mode on boot
+- Decky Loader for Steam Deck plugins
+- Handheld Daemon for power/TDP/fan control
+- GNOME available as a desktop session (selectable from Steam)
+- SDDM (Wayland) as display manager — GDM disabled
+- Gaming enabled (Gamemode, Gamescope, etc.)
+- AMD GPU management via LACT
+- CoolerControl for fan curves
+- iwd as the Wi-Fi backend
+- Impermanence (ephemeral root)
+
+## Jovian NixOS
+
+The allyx uses [Jovian NixOS](https://github.com/Jovian-Experiments/Jovian-NixOS) to provide Steam Deck compatibility:
+
+```nix
+jovian.steam = {
+  enable        = true;
+  autoStart     = true;
+  desktopSession = "gnome";  # fall-through desktop session
+};
+
+jovian.decky-loader = {
+  enable         = true;
+  extraPackages  = [ pkgs.python3 pkgs.systemd ];
+};
+```
+
+## Network
+
+- **Hostname**: allyx
+- **Wi-Fi backend**: iwd (via NetworkManager)
+
+## Configuration Files
+
+| File | Purpose |
+|---|---|
+| `default.nix` | Main config — Jovian, gaming, hardware |
+| `boot.nix` | Lanzaboote, kernel |
+
+## Secrets
+
+Secrets are in `secrets/allyx-secrets.yaml`, encrypted for: `matt`, `desktop`, `deck`, `steamdeck`, `admin`, `jallen-nas`, `matt_allyx`, `allyx`.

docs/systems/jallen-nas.md

@@ -0,0 +1,104 @@
+# NAS Server (jallen-nas)
+
+`systems/x86_64-linux/jallen-nas/`
+
+## Hardware
+
+- **CPU**: AMD (x86_64)
+- **GPU**: AMD (LACT for fan/power control)
+- **Disk**: NVMe system drive + bcachefs NAS pool
+- **Security**: TPM2 (Clevis disk unlock), Lanzaboote (Secure Boot)
+
+## Key Features
+
+- bcachefs storage pool mounted at `/media/nas/main`
+- Clevis-based TPM disk unlock at boot (no passphrase required)
+- Impermanence — root is ephemeral; state persists to `/media/nas/main/persist`
+- Samba shares (Windows file sharing, Time Machine)
+- Nebula VPN node (overlay peer, lighthouse at pi5)
+- ~40 self-hosted services behind a Caddy reverse proxy
+- Authentik SSO protecting most web UIs
+- CrowdSec for intrusion detection
+- Restic backups
+
+## Network
+
+- **LAN IP**: 10.0.1.3 (static, `enp197s0`)
+- **Gateway**: 10.0.1.1
+- **Nebula**: overlay peer, lighthouse at `mjallen.dev:4242`
+
+## Storage
+
+| Mount | Filesystem | Description |
+|---|---|---|
+| `/media/nas/main` | bcachefs | Primary NAS pool (media, appdata, documents) |
+| `/media/nas/test` | bcachefs | Secondary test pool |
+
+### Samba Shares
+
+| Share | Time Machine |
+|---|---|
+| `3d_printer` | no |
+| `Backup` | no |
+| `Documents` | no |
+| `isos` | no |
+| `app_data` | no |
+| `TimeMachine` | yes (max 1 TB) |
+
+## Enabled Services
+
+| Service | Port | Notes |
+|---|---|---|
+| Caddy | 443/80 | Reverse proxy for all services |
+| Authentik | 9000 | SSO / identity provider |
+| Attic | 9012 | Nix binary cache (`cache.mjallen.dev`) |
+| Immich | 2283 | Photo management |
+| Jellyfin | 8096 | Media server |
+| Jellyseerr | 5055 | Media request manager |
+| Nextcloud | 9988 | Cloud storage |
+| Paperless | 28981 | Document management |
+| Paperless AI | 28982 | AI-assisted document tagging |
+| Gitea | 3000 | Self-hosted Git |
+| Matrix | 8448 | Matrix homeserver |
+| Ntfy | 2586 | Push notifications |
+| Glance | 5555 | Dashboard |
+| Immich | 2283 | Photo library |
+| Uptime Kuma | 3001 | Uptime monitoring |
+| Code Server | 4444 | VS Code in the browser |
+| Cockpit | 9090 | System management UI |
+| Collabora | 9980 | Online office suite |
+| CrowdSec | 8181 | Intrusion detection |
+| Glances | 61208 | System stats |
+| Coturn | 3478 | TURN/STUN server |
+| Nebula | 4242 | Overlay VPN node |
+| Restic | 8008 | Backup service |
+| Sunshine | 47989 | Remote desktop (Moonlight) |
+| Unmanic | 8265 | Media transcoding |
+| Lubelogger | 6754 | Vehicle maintenance log |
+| Manyfold | 3214 | 3D model library |
+| Booklore | 6066 | Book library |
+| Tunarr | 8000 | Virtual TV channels |
+| Termix | 7777 | Web terminal |
+| Sparky Fitness | 3004/3010 | Fitness tracking |
+| Protonmail Bridge | 1025/1143 | SMTP/IMAP bridge |
+| Arrs | various | Sonarr, Radarr, etc. |
+| AI | various | Ollama, etc. |
+| Wyoming | various | Voice assistant pipeline |
+
+## Configuration Files
+
+| File | Purpose |
+|---|---|
+| `default.nix` | Main config — network, hardware, filesystems, packages |
+| `apps.nix` | All service enable/disable declarations |
+| `nas-defaults.nix` | Sets `configDir`/`dataDir` defaults for all services |
+| `boot.nix` | Lanzaboote, kernel, initrd |
+| `services.nix` | Home Assistant, samba, and other platform services |
+| `users.nix` | User accounts (`admin`, `nix-apps`) |
+| `sops.nix` | Secret declarations |
+| `vpn.nix` | Nebula VPN configuration |
+| `disabled.nix` | Services explicitly disabled |
+
+## Secrets
+
+Secrets are in `secrets/nas-secrets.yaml`, encrypted for: `matt`, `desktop`, `admin`, `jallen-nas`.

docs/systems/macbook-pro-nixos.md

@@ -0,0 +1,69 @@
+# MacBook Pro — NixOS / Asahi Linux (macbook-pro-nixos)
+
+`systems/aarch64-linux/macbook-pro-nixos/`
+
+## Hardware
+
+- **Device**: Apple Silicon MacBook Pro (M-series)
+- **OS**: NixOS via [Asahi Linux](https://asahilinux.org/) (`nixos-apple-silicon`)
+- **Boot**: Asahi boot chain (not traditional EFI)
+
+## Key Features
+
+- Asahi Linux kernel with full Apple Silicon support (sound, GPU, etc.)
+- GNOME as the primary desktop; Hyprland available but disabled
+- x86_64 emulation via binfmt (enables running x86 binaries)
+- Waydroid and libvirtd available (Waydroid disabled by default)
+- Battery management — charge threshold set via `macsmc-battery`
+- Omnissa Horizon client (custom package) for remote desktop
+- Distrobox for containerised Linux environments
+- iwd as the Wi-Fi backend
+
+## x86_64 Emulation
+
+```nix
+nix.settings.extra-platforms = [ "x86_64-linux" ];
+boot.binfmt.emulatedSystems   = [ "x86_64-linux" ];
+```
+
+This allows building and running x86_64 packages on the ARM host.
+
+## Asahi Hardware
+
+The Asahi hardware module provides:
+- Firmware loading from `./firmware/`
+- Sound setup (`setupAsahiSound = true`)
+- Apple-specific kernel patches and device drivers
+
+Useful packages installed:
+`asahi-bless`, `asahi-btsync`, `asahi-nvram`, `asahi-wifisync`, `apfs-fuse`, `apfsprogs`, `muvm`, `fex`
+
+## Network
+
+- **Hostname**: macbook-pro-nixos
+- **Wi-Fi backend**: iwd (via NetworkManager)
+- Firewall: extra rules for multicast (ports 1990, 2021)
+
+## Battery Management
+
+```nix
+mjallen.hardware.battery = {
+  enable = true;
+  chargeLimitPath = "/sys/class/power_supply/macsmc-battery/charge_control_end_threshold";
+};
+```
+
+## Configuration Files
+
+| File | Purpose |
+|---|---|
+| `default.nix` | Main config — Asahi hardware, users, network |
+| `boot.nix` | Asahi boot configuration |
+| `filesystems.nix` | Disk layout |
+| `hardware-configuration.nix` | Generated hardware config |
+| `services.nix` | logind, GDM, GNOME, Flatpak, power settings |
+| `firmware/` | Asahi firmware blobs |
+
+## Secrets
+
+Secrets are in `secrets/mac-secrets.yaml`, encrypted for: `matt`, `matt_pi5`, `desktop`, `pi5`, `admin`, `jallen-nas`, `matt_macbook-pro`, `macbook-pro`.

docs/systems/macbook-pro.md

@@ -0,0 +1,40 @@
+# MacBook Pro — macOS / nix-darwin (macbook-pro)
+
+`systems/aarch64-darwin/macbook-pro/`
+
+## Overview
+
+This is the [nix-darwin](https://github.com/nix-darwin/nix-darwin) configuration for the same MacBook Pro running macOS. It provides declarative macOS system management alongside Homebrew.
+
+## Key Features
+
+- Touch ID for `sudo`
+- Declarative Homebrew (casks and formulae managed via `nix-homebrew`)
+- `nh` for easy NixOS/darwin rebuilds
+- `attic-client` for accessing the Nix binary cache
+- `macpm` for Apple Silicon power monitoring
+- Rosetta builder available (disabled, on-demand)
+- Linux builder available (disabled)
+
+## Configuration Files
+
+| File | Purpose |
+|---|---|
+| `default.nix` | Main config — packages, users, environment |
+| `homebrew.nix` | Declarative Homebrew casks and formulae |
+| `programs.nix` | macOS program settings |
+| `system.nix` | System defaults (dock, finder, etc.) |
+
+## User
+
+- **Username**: `mattjallen`
+- **Home**: `/Users/mattjallen`
+- **Flake path**: `/Users/mattjallen/nix-config` (set via `NH_OS_FLAKE`)
+
+## Rebuilding
+
+```bash
+darwin-rebuild switch --flake .#macbook-pro
+# or using nh:
+nh darwin switch
+```

docs/systems/matt-nixos.md

@@ -0,0 +1,50 @@
+# Desktop (matt-nixos)
+
+`systems/x86_64-linux/matt-nixos/`
+
+## Hardware
+
+- **CPU**: AMD
+- **GPU**: AMD (LACT for fan/power control, OpenRGB)
+- **Disk**: NVMe with LUKS encryption (disko)
+- **Security**: TPM2, Lanzaboote (Secure Boot)
+
+## Key Features
+
+- GNOME as the primary desktop (Hyprland available but disabled)
+- COSMIC available as a specialisation (`nixos-rebuild switch --specialisation cosmic`)
+- Gaming — Steam, Gamemode, Gamescope, Lossless Scaling (`lsfg-vk`)
+- AMD GPU management via LACT
+- CoolerControl for fan curves
+- Impermanence (ephemeral root)
+- iwd as the Wi-Fi backend
+- VSCodium as `$EDITOR`/`$VISUAL`
+
+## Desktop Specialisations
+
+| Specialisation | Description |
+|---|---|
+| *(default)* | GNOME |
+| `cosmic` | COSMIC DE (enables `mjallen.desktop.cosmic`, disables GNOME/Hyprland) |
+
+## Network
+
+- **Hostname**: matt-nixos
+- **Wi-Fi backend**: iwd (via NetworkManager)
+
+## Configuration Files
+
+| File | Purpose |
+|---|---|
+| `default.nix` | Main config |
+| `boot.nix` | Lanzaboote, kernel |
+| `filesystems.nix` | Disk layout |
+| `sops.nix` | Secret declarations |
+| `wifi-fixer.nix` | NetworkManager Wi-Fi workaround |
+| `services/lsfg-vk/` | Lossless Scaling frame generation |
+| `services/ratbagd/` | Gaming mouse config (libratbag) |
+| `services/restic/` | Restic backup jobs |
+
+## Secrets
+
+Secrets are in `secrets/desktop-secrets.yaml`, encrypted for: `matt`, `desktop`, `admin`, `jallen-nas`.

docs/systems/nuc-nixos.md

@@ -0,0 +1,57 @@
+# Intel NUC (nuc-nixos)
+
+`systems/x86_64-linux/nuc-nixos/`
+
+## Hardware
+
+- **Device**: Intel NUC
+- **Disk**: btrfs with LUKS encryption
+- **Security**: TPM2, Lanzaboote (Secure Boot)
+- **Kernel**: CachyOS `linux-cachyos-lto` (x86_64-v4 build)
+
+## Key Features
+
+- Headless server (no display manager, watchdog enabled)
+- Home Assistant — the primary smart home controller
+- OpenThread Border Router (OTBR) for Matter/Thread devices
+- Impermanence (ephemeral root, persistent state for HA and related services)
+- btrfs filesystem (unlike the bcachefs-based NAS and Pi5)
+
+## Network
+
+- **LAN IP**: 10.0.1.4 (static, `enp2s0`)
+- **Gateway / DNS**: 10.0.1.1
+- **Firewall**: 1883 (MQTT), 8880/8881 (OTBR), 8192
+
+## Services
+
+| Service | Port | Description |
+|---|---|---|
+| Home Assistant | 8097 | Smart home controller |
+| Mosquitto (MQTT) | 1883 | IoT message broker |
+| Zigbee2MQTT | 8080 | Zigbee device bridge |
+| Music Assistant | 8095 | Music streaming |
+| OTBR | 8880/8881 | OpenThread Border Router (Matter/Thread) |
+| ESPHome | — | ESP microcontroller firmware |
+| PostgreSQL | — | HA database backend |
+
+## Persistent Directories
+
+The following directories survive reboots via impermanence:
+
+- `/esphome`
+- `/var/lib/homeassistant`
+- `/var/lib/mosquitto`
+- `/var/lib/music-assistant`
+- `/var/lib/postgresql`
+- `/var/lib/zigbee2mqtt`
+
+## Configuration Files
+
+| File | Purpose |
+|---|---|
+| `default.nix` | All config in one file — HA, OTBR, network, hardware, impermanence |
+
+## Secrets
+
+Secrets are in `secrets/nuc-secrets.yaml`, encrypted for: `nuc`, `admin_nuc`, `matt`, `admin`, `jallen-nas`.

docs/systems/pi5.md

@@ -0,0 +1,62 @@
+# Raspberry Pi 5 (pi5)
+
+`systems/aarch64-linux/pi5/`
+
+## Hardware
+
+- **Board**: Raspberry Pi 5
+- **Boot**: UEFI (via `rpi5-uefi`)
+- **Storage**: bcachefs
+- **Connectivity**: Ethernet (`end0`); Wi-Fi and Bluetooth disabled via device tree overlays
+
+## Key Features
+
+- Headless server (no display, no desktop)
+- Nebula VPN **lighthouse** — the central relay for the `jallen-nebula` overlay network
+- AdGuard Home DNS server (port 53)
+- Docker
+- Impermanence (ephemeral root)
+- Extensive Raspberry Pi device tree overlays configured (I²C, SPI, UART, SDIO, etc.)
+
+## Network
+
+- **LAN IP**: 10.0.1.2 (static, `end0`)
+- **Gateway**: 10.0.1.1
+- **DNS**: 1.1.1.1
+- **Nebula**: lighthouse at `10.1.1.1`, listening on UDP 4242 (public: `mjallen.dev:4242`)
+- Firewall: TCP/UDP 53 open (DNS)
+
+## Nebula Lighthouse
+
+The pi5 acts as the Nebula VPN lighthouse for the whole network. All other Nebula nodes connect to it to discover peers.
+
+```nix
+mjallen.services.nebula = {
+  enable         = true;
+  isLighthouse   = true;
+  port           = 4242;
+  secretsPrefix  = "pi5/nebula";
+  secretsFile    = lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml";
+  hostSecretName = "lighthouse";
+};
+```
+
+## Services
+
+| Service | Port | Description |
+|---|---|---|
+| AdGuard Home | 53 | DNS ad-blocking |
+| Nebula | 4242 (UDP) | VPN lighthouse |
+
+## Configuration Files
+
+| File | Purpose |
+|---|---|
+| `default.nix` | Main config |
+| `boot.nix` | UEFI boot, kernel |
+| `adguard.nix` | AdGuard Home configuration |
+| `sops.nix` | Secret declarations (SSH keys, system keys) |
+
+## Secrets
+
+Secrets are in `secrets/pi5-secrets.yaml`, encrypted for: `matt`, `matt_pi5`, `desktop`, `pi5`, `admin`, `jallen-nas`.

docs/troubleshooting.md

@@ -0,0 +1,217 @@
+# Troubleshooting Guide
+
+Common issues and solutions for this NixOS configuration.
+
+## Build Failures
+
+### `nixos-rebuild switch` fails
+
+1. **Syntax error** — the error message includes the file and line number. Common causes: missing `;`, unmatched `{`, wrong type passed to an option.
+
+2. **Evaluation error** — read the full error trace. Often caused by a module option receiving the wrong type, or a missing `cfg.enable` guard.
+
+3. **Fetch failure** — a flake input or package source can't be downloaded. Check network connectivity, or try:
+   ```bash
+   nix flake update --update-input <input-name>
+   ```
+
+4. **Disk space** — build sandbox fills up. Free space:
+   ```bash
+   sudo nix-collect-garbage -d
+   df -h /nix
+   ```
+
+### Assertion failures
+
+If you see `assertion failed`, read the `message` field. For example:
+```
+error: assertion failed at …/nebula/sops.nix
+  mjallen.services.nebula.secretsPrefix must be set
+```
+Set the required option in the system configuration.
+
+## Boot Issues
+
+### System won't boot after a config change
+
+1. At the boot menu, select a previous generation.
+2. Once booted, revert the change:
+   ```bash
+   cd /etc/nixos
+   git revert HEAD
+   sudo nixos-rebuild switch --flake .#$(hostname)
+   ```
+
+### Booting from installation media to recover
+
+```bash
+# Mount the system (adjust device paths as needed)
+sudo mount /dev/disk/by-label/nixos /mnt
+sudo mount /dev/disk/by-label/boot /mnt/boot
+
+# Chroot in
+sudo nixos-enter --root /mnt
+cd /etc/nixos
+
+# Revert and rebuild
+git revert HEAD
+nixos-rebuild switch --flake .#hostname --install-bootloader
+```
+
+### Lanzaboote / Secure Boot issues
+
+If Secure Boot enrolment fails or the system won't verify:
+
+```bash
+# Check enrolled keys
+sbctl status
+
+# Re-enrol if needed (run as root)
+sbctl enrol-keys --microsoft
+
+# Sign bootloader files manually
+sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi
+```
+
+## SOPS / Secrets Issues
+
+### `secret not found` or permission denied at boot
+
+1. Verify the secret key path matches what's declared in the module's `sops.nix`.
+2. Check the secret exists in the SOPS file:
+   ```bash
+   sops --decrypt secrets/nas-secrets.yaml | grep "the-key"
+   ```
+3. Check the `owner`/`group` set on the secret matches the service user.
+
+### Can't decrypt — wrong age key
+
+The machine's age key is derived from `/etc/ssh/ssh_host_ed25519_key`. If the host key was regenerated, the age key changed and existing secrets can no longer be decrypted.
+
+To fix: re-encrypt the secrets file with the new public key:
+```bash
+# Get the new public key
+nix-shell -p ssh-to-age --run 'ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub'
+
+# Update .sops.yaml with the new key, then:
+sops updatekeys secrets/nas-secrets.yaml
+```
+
+### Adding a new secret to an existing file
+
+```bash
+sops secrets/nas-secrets.yaml
+# Editor opens with decrypted YAML — add your key, save, sops re-encrypts
+```
+
+## Nebula VPN Issues
+
+### Peers can't connect
+
+1. Verify the lighthouse is reachable on its public address:
+   ```bash
+   nc -zvu mjallen.dev 4242
+   ```
+2. Check the nebula service on both hosts:
+   ```bash
+   systemctl status nebula@jallen-nebula
+   journalctl -u nebula@jallen-nebula -n 50
+   ```
+3. Confirm the CA cert, host cert, and host key are all present and owned by the `nebula-jallen-nebula` user:
+   ```bash
+   ls -la /run/secrets/pi5/nebula/
+   ```
+4. Verify the host cert was signed by the same CA as the other nodes:
+   ```bash
+   nebula-cert verify -ca ca.crt -crt host.crt
+   ```
+
+### Certificate expired
+
+Re-sign the host certificate:
+```bash
+nebula-cert sign -name "hostname" -ip "10.1.1.x/24" \
+  -ca-crt ca.crt -ca-key ca.key \
+  -out-crt host.crt -out-key host.key
+# Update SOPS, rebuild
+```
+
+## Impermanence Issues
+
+### Service fails because its data directory is missing after reboot
+
+If a service stores state in a path that isn't in the persistence list, it will be wiped on reboot. Add it to `impermanence.extraDirectories`:
+
+```nix
+mjallen.impermanence.extraDirectories = [
+  { directory = "/var/lib/my-service"; user = "my-service"; group = "my-service"; mode = "0750"; }
+];
+```
+
+Then move the existing data if needed:
+```bash
+cp -a /var/lib/my-service /persist/var/lib/my-service
+```
+
+## Flake Input Issues
+
+### Input update breaks a build
+
+Roll back the specific input:
+```bash
+git checkout HEAD^ -- flake.lock
+```
+
+Or pin the input to a specific revision in `flake.nix`:
+```nix
+nixpkgs-unstable.url = "github:NixOS/nixpkgs/abc123def";
+```
+
+## Service Issues
+
+### Service won't start
+
+```bash
+systemctl status <service>
+journalctl -u <service> -n 100 --no-pager
+```
+
+### Caddy reverse proxy not routing
+
+1. Check that `reverseProxy.enable = true` is set on the service.
+2. Verify the subdomain matches: `reverseProxy.subdomain = "myapp"` → `myapp.mjallen.dev`.
+3. Check Caddy logs:
+   ```bash
+   journalctl -u caddy -n 50
+   ```
+
+### PostgreSQL database missing for a service
+
+If `configureDb = true` is set, the database is created automatically. If it's missing:
+```bash
+sudo -u postgres createdb my-service
+sudo -u postgres psql -c "GRANT ALL ON DATABASE my-service TO my-service;"
+```
+
+## Network Issues
+
+### Firewall blocking a service
+
+Check which ports are open:
+```bash
+sudo nft list ruleset | grep accept
+```
+
+Add ports in the system config:
+```nix
+mjallen.network.firewall.allowedTCPPorts = [ 8080 ];
+```
+
+Or if using `mkModule`, set `openFirewall = true` (it's the default).
+
+## Getting Help
+
+- NixOS manual: `nixos-help` or https://nixos.org/manual/nixos/stable/
+- NixOS Wiki: https://nixos.wiki/
+- NixOS Discourse: https://discourse.nixos.org/
+- Nix package search: https://search.nixos.org/packages

docs/version.schema.json

@@ -0,0 +1,208 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://example.invalid/version.schema.json",
+  "title": "Unified Package Version Schema",
+  "description": "Schema for a unified version.json used by packages/",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "schemaVersion",
+    "sources"
+  ],
+  "properties": {
+    "schemaVersion": {
+      "type": "integer",
+      "enum": [1],
+      "description": "Schema version. Start at 1; bump on breaking changes."
+    },
+    "variables": {
+      "type": "object",
+      "description": "Common variables available for template substitution in string fields.",
+      "additionalProperties": {
+        "type": "string"
+      }
+    },
+    "defaultVariant": {
+      "type": "string",
+      "description": "Optional default variant name for consumers."
+    },
+    "sources": {
+      "type": "object",
+      "description": "Base component sources keyed by component name.",
+      "minProperties": 1,
+      "additionalProperties": {
+        "$ref": "#/$defs/SourceSpec"
+      }
+    },
+    "variants": {
+      "type": "object",
+      "description": "Optional variants/channels/flavors; each overlays the base.",
+      "additionalProperties": {
+        "$ref": "#/$defs/VariantSpec"
+      }
+    },
+    "notes": {
+      "type": "object",
+      "description": "Optional free-form human notes/documentation.",
+      "additionalProperties": true
+    }
+  },
+  "$defs": {
+    "SourceSpecBase": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "fetcher": {
+          "type": "string",
+          "enum": ["github", "git", "url", "pypi", "none"],
+          "description": "Fetcher type for this source."
+        },
+        "hash": {
+          "type": "string",
+          "pattern": "^sha[0-9]+-",
+          "description": "SRI hash for the fetched artifact. Required unless fetcher is 'none'."
+        },
+        "version": {
+          "type": "string",
+          "description": "Optional version string metadata for this component."
+        },
+        "extra": {
+          "type": "object",
+          "description": "Optional free-form metadata for consumer logic.",
+          "additionalProperties": true
+        },
+
+        "owner": { "type": "string", "description": "GitHub owner/org (github fetcher)." },
+        "repo":  { "type": "string", "description": "GitHub repository (github fetcher)." },
+        "tag":   { "type": "string", "description": "Git tag (github fetcher). Mutually exclusive with 'rev'." },
+        "rev":   { "type": "string", "description": "Commit revision (github/git fetchers)." },
+        "submodules": { "type": "boolean", "description": "Whether to fetch submodules (github/git fetchers)." },
+
+        "url": { "type": "string", "description": "Final URL (url fetcher). May be templated." },
+        "urlTemplate": { "type": "string", "description": "Template for URL (url fetcher); supports ${var}." },
+
+        "name": { "type": "string", "description": "PyPI dist name (pypi fetcher)." }
+      }
+    },
+
+    "SourceSpec": {
+      "allOf": [
+        { "$ref": "#/$defs/SourceSpecBase" },
+        {
+          "if": {
+            "properties": { "fetcher": { "const": "github" } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "required": ["owner", "repo"],
+            "oneOf": [
+              { "required": ["tag"] },
+              { "required": ["rev"] }
+            ]
+          }
+        },
+        {
+          "if": {
+            "properties": { "fetcher": { "const": "git" } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "required": ["url", "rev"]
+          }
+        },
+        {
+          "if": {
+            "properties": { "fetcher": { "const": "url" } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "oneOf": [
+              { "required": ["url"] },
+              { "required": ["urlTemplate"] }
+            ]
+          }
+        },
+        {
+          "if": {
+            "properties": { "fetcher": { "const": "pypi" } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "required": ["name", "version"]
+          }
+        },
+        {
+          "if": {
+            "properties": { "fetcher": { "enum": ["github", "git", "url", "pypi"] } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "required": ["hash"]
+          }
+        }
+      ]
+    },
+
+    "SourceOverride": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Partial override of a source within a variant. All fields optional.",
+      "properties": {
+        "fetcher": { "type": "string", "enum": ["github", "git", "url", "pypi", "none"] },
+        "hash":    { "type": "string", "pattern": "^sha[0-9]+-" },
+        "version": { "type": "string" },
+        "extra":   { "type": "object", "additionalProperties": true },
+
+        "owner": { "type": "string" },
+        "repo":  { "type": "string" },
+        "tag":   { "type": "string" },
+        "rev":   { "type": "string" },
+        "submodules": { "type": "boolean" },
+
+        "url":         { "type": "string" },
+        "urlTemplate": { "type": "string" },
+
+        "name": { "type": "string" }
+      }
+    },
+
+    "VariantSpec": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "inherits": {
+          "type": "string",
+          "description": "Optional base variant to inherit from."
+        },
+        "variables": {
+          "type": "object",
+          "description": "Variant-level variables that overlay top-level variables.",
+          "additionalProperties": { "type": "string" }
+        },
+        "sources": {
+          "type": "object",
+          "description": "Per-component overrides for this variant.",
+          "additionalProperties": { "$ref": "#/$defs/SourceOverride" }
+        },
+        "platforms": {
+          "type": "object",
+          "description": "Optional per-system overrides to support differing hashes/fields by platform.",
+          "additionalProperties": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "sources": {
+                "type": "object",
+                "additionalProperties": { "$ref": "#/$defs/SourceOverride" }
+              },
+              "variables": {
+                "type": "object",
+                "additionalProperties": { "type": "string" }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

homes/aarch64-darwin/mattjallen@macbook-pro/default.nix

@@ -0,0 +1,66 @@
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) enabled disabled;
+  shellAliases = {
+    update-switch = "darwin-rebuild switch --flake ~/nix-config";
+    update-flake = "nix flake update ~/nix-config";
+    ducks = "du -cksh * | sort -hr | head -n 15";
+  };
+  packages = with pkgs; [
+    age
+    cpufetch
+    deadnix
+    iproute2mac
+    nebula
+    nixfmt
+    nodePackages.nodejs
+    uv
+    sops
+    tree
+    wget
+  ];
+in
+{
+  # Home Manager needs a bit of information about you and the
+  # paths it should manage.
+  home = {
+    username = "mattjallen";
+    homeDirectory = "/Users/mattjallen";
+    packages = lib.mkForce packages;
+    sessionVariables = {
+      NH_DARWIN_FLAKE = lib.mkForce "/Users/mattjallen/nix-config";
+    };
+  };
+
+  programs = {
+    zsh = {
+      shellAliases = shellAliases;
+    };
+  };
+
+  # Manage bug in compilations - who uses manpages in 2024 anyways? :P
+  manual.manpages = enabled;
+
+  # Override defaults that arent supported
+  programs = {
+    mangohud = lib.mkForce disabled;
+
+    nh = {
+      flake = lib.mkForce "/Users/mattjallen/nix-config";
+    };
+  };
+
+  services = {
+    pass-secret-service = lib.mkForce disabled;
+    nextcloud-client = lib.mkForce disabled;
+    kdeconnect = {
+      enable = false;
+      indicator = false;
+    };
+  };
+}

homes/aarch64-linux/matt@macbook-pro-nixos/default.nix

@@ -0,0 +1,184 @@
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) enabled disabled;
+  # Displays
+  display = {
+    input = "eDP-1";
+    resolution = "3456x2234";
+    refreshRate = "60.00000";
+  };
+in
+{
+
+  home.username = "matt";
+  home.homeDirectory = "/home/matt";
+  home.stateVersion = "23.11";
+
+  ${namespace} = {
+    desktop.plasma = lib.mkForce enabled;
+    programs.hyprland = {
+      enable = false;
+      primaryDisplay = "eDP-1";
+      debug.disableScaleChecks = true;
+
+      monitorv2 = [
+        {
+          name = display.input;
+          mode = "${display.resolution}@${display.refreshRate}";
+          position = "0x0";
+          scale = 1.25;
+          extra = [
+            "bitdepth"
+            "10"
+            "cm"
+            "hdr"
+            "sdrbrightness"
+            "1.2"
+            "sdrsaturation"
+            "0.98"
+          ];
+        }
+      ];
+
+      workspace = [
+        "name:firefox, monitor:${display.input}, default:false, special, class:(.*firefox.*)"
+        "name:discord, monitor:${display.input}, default:true, special, title:(.*vesktop.*), title:(.*Apple Music.*)"
+        "name:steam, monitor:${display.input}, default:false, special, class:(.*[Ss]team.*)"
+      ];
+
+      windowRule = [
+        # "size 2160 3356, tag:horizonrdp"
+      ];
+
+      hyprpaper = {
+        wallpaperPath = "/run/wallpaper.jpg";
+      };
+
+      keybinds = {
+        bind = [
+          "$mod, A, exec, chromium --app=\"https://music.apple.com\""
+
+          "SHIFT, XF86MonBrightnessUp, exec, lightctl -D kbd_backlight up"
+          "SHIFT, XF86MonBrightnessDown, exec, lightctl -D kbd_backlight down"
+        ];
+      };
+
+      defaultApps = {
+        browser = pkgs.firefox;
+      };
+
+      extraConfig = ''
+        exec-once = brightnessctl -d kbd_backlight s 50%
+      '';
+    };
+    programs = {
+      btop = enabled;
+      kitty = disabled;
+      mako = disabled;
+      nwg-dock = disabled;
+      nwg-drawer = disabled;
+      nwg-panel = disabled;
+      opencode = enabled;
+      thunderbird = enabled;
+      waybar = {
+        enable = false;
+
+        layer = "bottom";
+
+        temperature = {
+          cpu = enabled;
+          gpu = enabled;
+        };
+
+        extraModules = {
+          "custom/lights" = {
+            tooltip = false;
+            exec = "waybar-hass --get_light light.living_room_lights";
+            interval = "once";
+            format = "{text}"; # "󱉓";
+            on-click = "waybar-hass --toggle_light light.living_room_lights";
+            return-type = "json";
+          };
+        };
+
+        extraModulesStyle = ''
+          #custom-lights {
+            color: @base0C;
+            opacity: 0.85;
+            background-color: @base00;
+          }
+
+          #custom-lights:hover {
+            background: @base03;
+          }
+        '';
+
+        windowOffset = 75;
+      };
+      wlogout = disabled;
+      wofi = disabled;
+    };
+
+    services = {
+      protonmail = enabled;
+    };
+  };
+
+  sops = {
+    secrets = {
+      "protonmail-password" = {
+        sopsFile = (lib.snowfall.fs.get-file "secrets/mac-secrets.yaml");
+      };
+    };
+  };
+
+  home.packages =
+    with pkgs.${namespace};
+    [
+      # librepods
+      librepods-beta
+    ]
+    ++ (with pkgs; [
+      bolt-launcher
+      iw
+      iwd
+      orca-slicer
+      vscodium
+
+    ]);
+
+  # Override the shared Plasma panel to add a standalone battery widget
+  # (laptop-specific — not needed on desktop systems)
+  programs.plasma.panels = lib.mkForce [
+    {
+      location = "bottom";
+      floating = true;
+      height = 44;
+      widgets = [
+        "org.kde.plasma.kickoff"
+        "org.kde.plasma.icontasks"
+        "org.kde.plasma.marginsseparator"
+        { battery = { }; }
+        "org.kde.plasma.systemtray"
+        "org.kde.plasma.digitalclock"
+      ];
+    }
+  ];
+
+  services = {
+    kdeconnect = {
+      enable = lib.mkForce true;
+      indicator = lib.mkForce true;
+    };
+  };
+
+  programs = {
+    password-store = enabled;
+  };
+
+}

homes/aarch64-linux/matt@pi5/default.nix

@@ -1,29 +1,19 @@
-{ pkgs, lib, config, ... }:
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
 let
-  shellAliases = {
-    update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
-    update-switch = "sudo nixos-rebuild switch --max-jobs 10 --build-host admin@10.0.1.3";
-    update-flake = "nix flake update pi5-nixpkgs pi5-home-manager pi5-impermanence pi5-nixos-hardware pi5-sops-nix nixos-raspberrypi --flake /etc/nixos";
-    update-nas = "nixos-rebuild switch --use-remote-sudo --target-host admin@10.0.1.3 --build-host admin@10.0.1.3 --flake ~/nix-config#jallen-nas";
-    nas-ssh = "kitten ssh admin@10.0.1.3";
-  };
+  inherit (lib.${namespace}) disabled;
 in
 {
-  imports = [
-    ../../share/home/defaults.nix
-    ../../share/home/git.nix
-    ../../share/home/gnome.nix
-    ../../share/home/librewolf.nix
-    ../../share/home/shell.nix
-    ../../share/home/vscode.nix
-  ];
 
   home.username = "matt";
 
+  ${namespace}.sops.enable = true;
+
   sops = {
-    age.keyFile = "/home/matt/.config/sops/age/keys.txt";
-    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
-    validateSopsFiles = false;
     secrets = {
       "ssh-keys-public/pi5" = {
         path = "/home/matt/.ssh/id_ed25519.pub";
@@ -59,7 +49,11 @@ in
     };
   };
 
-  programs = {
-    zsh.shellAliases = shellAliases;
+  services = {
+    nextcloud-client = lib.mkForce disabled;
+    kdeconnect = {
+      enable = false;
+      indicator = false;
+    };
   };
 }

homes/x86_64-linux/admin@jallen-nas/default.nix

@@ -0,0 +1,113 @@
+{
+  pkgs,
+  lib,
+  inputs,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) enabled;
+in
+{
+  # steam-rom-manager is also injected globally via modules/nixos/home/default.nix
+  # sharedModules for x86_64 NixOS builds.  This explicit import ensures it is
+  # also available for standalone `home-manager switch` runs (where sharedModules
+  # are not applied).  NixOS's module system deduplicates the import when both
+  # paths resolve to the same derivation.
+  imports = [
+    inputs.steam-rom-manager.homeManagerModules.default
+  ];
+
+  home = {
+    username = "admin";
+    packages =
+      with pkgs;
+      [
+        heroic
+        python3
+        python3Packages.requests
+        python3Packages.mcp
+        jq
+      ]
+      ++ (with pkgs.${namespace}; [
+        moondeck-buddy
+      ]);
+  };
+
+  ${namespace} = {
+    sops.enable = true;
+    programs.opencode = enabled;
+    #    desktop.plasma = enabled;
+  };
+
+  sops.secrets = {
+    "ssh-keys-public/jallen-nas" = {
+      path = "/home/admin/.ssh/id_ed25519.pub";
+      mode = "0644";
+    };
+    "ssh-keys-private/jallen-nas" = {
+      path = "/home/admin/.ssh/id_ed25519";
+      mode = "0600";
+    };
+    "ssh-keys-public/desktop-nixos" = {
+      path = "/home/admin/.ssh/authorized_keys";
+      mode = "0600";
+    };
+
+    "ssh-keys-public/desktop-nixos-root" = {
+      path = "/home/admin/.ssh/authorized_keys2";
+      mode = "0600";
+    };
+
+    "ssh-keys-public/desktop-windows" = {
+      path = "/home/admin/.ssh/authorized_keys3";
+      mode = "0600";
+    };
+
+    "ssh-keys-public/macbook-macos" = {
+      path = "/home/admin/.ssh/authorized_keys4";
+      mode = "0600";
+    };
+  };
+
+  programs = {
+    bash = {
+      shellAliases = {
+        "llama-status" =
+          "curl -s http://localhost:8127/health 2>/dev/null && echo 'LLaMA.cpp server is running' || echo 'LLaMA.cpp server is not responding'";
+      };
+    };
+
+    neovim = {
+      enable = true;
+      viAlias = true;
+      vimAlias = true;
+      defaultEditor = true;
+      plugins = [
+        pkgs.vimPlugins.nvim-tree-lua
+        {
+          plugin = pkgs.vimPlugins.vim-startify;
+          config = "let g:startify_change_to_vcs_root = 0";
+        }
+      ];
+    };
+    steam-rom-manager = {
+      enable = true;
+      steamUsername = "mjallen18";
+
+      # Optional: override default paths if needed
+      environmentVariables = {
+        romsDirectory = "/home/admin/Emulation/roms";
+        steamDirectory = "/home/admin/.local/share/Steam";
+      };
+
+      emulators = {
+        "Non-SRM Shortcuts" = {
+          enable = true;
+          parserType = "Non-SRM Shortcuts";
+          extraArgs = "";
+        };
+      };
+    };
+  };
+}

homes/x86_64-linux/admin@nuc-nixos/default.nix

@@ -0,0 +1,37 @@
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) disabled;
+in
+{
+  home.username = "admin";
+
+  # Configure systemd user service for protonmail-bridge
+  systemd.user.services.protonmail-bridge = {
+    Service = {
+      Environment = [
+        "GNUPGHOME=/home/admin/.gnupg"
+        "PASSWORD_STORE_DIR=/home/admin/.local/password-store"
+      ];
+    };
+  };
+
+  services = {
+    nextcloud-client = lib.mkForce disabled;
+    kdeconnect = {
+      enable = false;
+      indicator = false;
+    };
+    protonmail-bridge = {
+      enable = true;
+      extraPackages = with pkgs; [
+        pass
+        libsecret
+      ];
+    };
+  };
+}

homes/x86_64-linux/matt@allyx/default.nix

@@ -0,0 +1,90 @@
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) enabled;
+in
+{
+  home.username = "matt";
+
+  ${namespace} = {
+    desktop.gnome = enabled;
+    sops.enable = true;
+  };
+
+  sops.secrets = {
+    "ssh-keys-public/matt" = {
+      path = "/home/matt/.ssh/id_ed25519.pub";
+      mode = "0644";
+    };
+    "ssh-keys-private/matt" = {
+      path = "/home/matt/.ssh/id_ed25519";
+      mode = "0600";
+    };
+  };
+
+  programs = {
+    steam-rom-manager = {
+      enable = true;
+      steamUsername = "mjallen18";
+
+      environmentVariables = {
+        romsDirectory = "/media/sdcard/Emulation/roms";
+        steamDirectory = "/home/matt/.local/share/Steam";
+      };
+
+      enabledProviders = [
+        "sgdb"
+        "steamCDN"
+      ];
+      imageProviderSettings.sgdb = {
+        nsfw = false;
+        humor = false;
+        imageMotionTypes = [ "static" ];
+      };
+
+      emulators = {
+        # --- Nintendo ---
+        ryujinx.enable = true; # Switch  (ryubing fork)
+        yuzu.enable = true; # Switch  (eden fork)
+        dolphin-emu.enable = true; # GameCube / Wii
+        cemu.enable = true; # Wii U
+        melonDS.enable = true; # DS
+        citra.enable = true; # 3DS  (azahar fork)
+        mgba.enable = true; # Game Boy / GBC
+        mgba-gba.enable = true; # Game Boy Advance
+
+        # --- Sony ---
+        duckstation.enable = false; # PS1
+        pcsx2.enable = true; # PS2
+        rpcs3.enable = true; # PS3
+        ppsspp.enable = true; # PSP
+
+        # --- Microsoft ---
+        xemu.enable = true; # Xbox
+
+        # --- Platform parsers (no ROM scanning; artwork only / launcher integration) ---
+        "Non-SRM Shortcuts".enable = true;
+      };
+    };
+  };
+
+  home.packages =
+    with pkgs;
+    [
+      dolphin-emu
+      heroic
+      mgba
+      moonlight-qt
+      prismlauncher
+      ryubing
+      omnissa-horizon-client
+    ]
+    ++ (with pkgs.${namespace}; [
+      discord-krisp
+      # librepods-beta
+    ]);
+}

homes/x86_64-linux/matt@matt-nixos/default.nix

@@ -0,0 +1,223 @@
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) enabled disabled;
+  displayLeft = {
+    input = "DP-1";
+    resolution = "3840x2160";
+    refreshRate = "120.00000";
+  };
+  displayRight = {
+    input = "DP-2";
+    resolution = "3840x2160";
+    refreshRate = "240.00000";
+  };
+in
+{
+  home.username = "matt";
+
+  ${namespace} = {
+    sops = {
+      enable = true;
+    };
+    shell-aliases = {
+      enable = true;
+    };
+
+    desktop.plasma = enabled;
+
+    programs = {
+      thunderbird = enabled;
+      hyprland = {
+        enable = false;
+        primaryDisplay = "DP-1";
+
+        monitorv2 = [
+          {
+            name = displayLeft.input;
+            mode = "${displayLeft.resolution}@${displayLeft.refreshRate}";
+            position = "0x0";
+            scale = 1.0;
+            extra = [
+              # "bitdepth"
+              # "10"
+              # "cm"
+              # "hdredid"
+              # "sdrbrightness"
+              # "1.2"
+              # "sdrsaturation"
+              # "0.98"
+            ];
+          }
+          {
+            name = displayRight.input;
+            mode = "${displayRight.resolution}@${displayRight.refreshRate}";
+            position = "3840x0";
+            scale = 1.0;
+            extra = [
+              # "bitdepth"
+              # "10"
+              # "cm"
+              # "hdredid"
+              # "sdrbrightness"
+              # "1.5"
+              # "sdrsaturation"
+              # "0.98"
+            ];
+          }
+        ];
+
+        workspace = [
+          "name:firefox, monitor:${displayRight.input}, default:false, special, class:(.*firefox.*)"
+          "name:discord, monitor:${displayRight.input}, default:true, special, title:(.*vesktop.*), title:(.*Apple Music.*)"
+          "name:steam, monitor:${displayLeft.input}, default:false, special, class:(.*[Ss]team.*)"
+        ];
+
+        windowRule = [
+          "match:tag horizonrdp, size 2160 7680"
+        ];
+
+        autostartCommands = [
+          "[silent] firefox"
+          "[silent] discord"
+          "[silent] chromium --app=\"https://music.apple.com\""
+          "[silent] steam"
+        ];
+
+        hyprpaper = {
+          wallpaperPath = "/run/wallpaper.jpg";
+        };
+
+        keybinds = {
+          bind = [
+            "$mod, A, exec, chromium --app=\"https://music.apple.com\""
+            "$mod, C, exec, discord"
+            "$mod, G, exec, steam"
+          ];
+        };
+
+        defaultApps = {
+          browser = pkgs.firefox;
+        };
+      };
+      btop = enabled;
+      kitty = disabled;
+      mako = disabled;
+      nwg-dock = disabled;
+      nwg-drawer = disabled;
+      nwg-panel = disabled;
+      waybar = {
+        enable = false;
+
+        layer = "bottom";
+
+        network.interface = "wlp9s0";
+        temperature = {
+          cpu = enabled;
+          gpu = enabled;
+        };
+
+        extraModules = {
+          "custom/lights" = {
+            tooltip = false;
+            exec = "waybar-hass --get_light light.living_room_lights";
+            interval = "once";
+            format = "{text}"; # "󱉓";
+            on-click = "waybar-hass --toggle_light light.living_room_lights";
+            return-type = "json";
+          };
+        };
+
+        extraModulesStyle = ''
+          #custom-lights {
+            color: @base0C;
+            background-color: @base00;
+            opacity: 0.85;
+            border-left: 5px solid @base0C;
+          }
+
+          #custom-lights:hover {
+            background: @base03;
+          }
+        '';
+      };
+      wlogout = disabled;
+      wofi = disabled;
+    };
+  };
+
+  services = {
+    remmina = {
+      enable = true;
+      addRdpMimeTypeAssoc = true;
+    };
+  };
+
+  programs = {
+    password-store = enabled;
+  };
+
+  home.packages =
+    with pkgs;
+    [
+      atlauncher
+      bolt-launcher
+      clevis
+      compose2nix
+      distrobox
+      goverlay
+      heroic
+      home-manager
+      omnissa-horizon-client
+      jq
+      lzip
+      morph
+      orca-slicer
+      piper
+      prismlauncher
+      protontricks
+      protonvpn-gui
+      runelite
+      smile
+      via
+      virt-manager
+      vorta
+      waydroid-helper
+      # winboat
+    ]
+    ++ (with pkgs.${namespace}; [
+      discord-krisp
+      # librepods
+    ]);
+
+  specialisation = {
+    "gnome".configuration = {
+      ${namespace} = {
+        desktop = {
+          plasma = lib.mkForce disabled;
+          gnome = lib.mkForce enabled;
+        };
+      };
+    };
+    "cosmic".configuration = {
+      ${namespace} = {
+        desktop.plasma = lib.mkForce disabled;
+        programs = {
+          hyprland = lib.mkForce disabled;
+          kitty = lib.mkForce disabled;
+          mako = lib.mkForce disabled;
+          nwg-dock = lib.mkForce disabled;
+          nwg-drawer = lib.mkForce disabled;
+          nwg-panel = lib.mkForce disabled;
+          waybar = lib.mkForce disabled;
+          wlogout = lib.mkForce disabled;
+          wofi = lib.mkForce disabled;
+        };
+      };
+    };
+  };
+}

hosts/base/base-gui/default.nix

@@ -1,8 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./hardware.nix
-    ./programs.nix
-    ./services.nix
-  ];
-}

hosts/base/base-gui/hardware.nix

@@ -1,11 +0,0 @@
-{ lib, ... }:
-{
-  # Hardware configs
-  hardware = {
-    # Enable graphics
-    graphics = {
-      enable = lib.mkDefault true;
-      enable32Bit = lib.mkDefault true;
-    };
-  };
-}

hosts/base/base-gui/programs.nix

@@ -1,31 +0,0 @@
-{ lib, pkgs, ... }:
-{
-  programs = {
-    nix-ld = {
-      enable = lib.mkDefault true;
-      libraries = with pkgs; [
-        alsa-lib
-        bash
-        expat
-        fontconfig
-        freetype
-        icu
-        glib
-        gtk3
-        libgcc
-        libgdiplus
-        libGL
-        libpulseaudio
-        SDL2
-        vulkan-loader
-        xorg.libX11
-        xorg.libICE
-        xorg.libSM
-        xorg.libXcursor
-        xorg.libXrandr
-        xorg.libXi
-        zlib
-      ];
-    };
-    seahorse.enable = lib.mkDefault true;
-  };}

hosts/base/base-gui/services.nix

@@ -1,17 +0,0 @@
-{ lib, ... }:
-{
-  services = {
-    kmscon.enable = lib.mkForce false;
-    
-    # configure pipewire
-    pipewire = {
-      enable = lib.mkDefault true;
-      alsa.enable = lib.mkDefault true;
-      alsa.support32Bit = lib.mkDefault true;
-      pulse.enable = lib.mkDefault true;
-    };
-
-    # Enable CUPS to print documents.
-    printing.enable = lib.mkDefault true;
-  };
-}

hosts/base/base-nogui/default.nix

@@ -1,36 +0,0 @@
-{ lib, pkgs, ... }:
-let
-  timezone = "America/Chicago";
-in
-{
-  imports = [
-    ./boot.nix
-    ./environment.nix
-    ./hardware.nix
-    ./nix-settings.nix
-    ./programs.nix
-    ./security.nix
-    ./services.nix
-  ];
-
-  # Time config
-  time = {
-    # Set your time zone.
-    timeZone = timezone;
-  };
-
-  fonts.packages = with pkgs; [
-    font-awesome
-    noto-fonts
-    noto-fonts-color-emoji
-    meslo-lgs-nf
-  ] ++ builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
-
-  fonts.fontconfig.defaultFonts = {
-    emoji = [
-      "Noto Color Emoji"
-    ];
-  };
-
-  system.stateVersion = "23.11";
-}

hosts/base/base-nogui/environment.nix

@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-{
-  environment = {
-    systemPackages = with pkgs; [
-      attic-client
-      uutils-coreutils
-      uutils-diffutils
-      uutils-findutils
-      coreutils
-      nixd
-    ];
-  };
-}

hosts/base/base-nogui/hardware.nix

@@ -1,12 +0,0 @@
-{ lib, ... }:
-{
-  hardware = {
-    # Bluetooth
-    bluetooth.enable = lib.mkDefault true;
-
-    i2c.enable = lib.mkDefault true;
-
-    # Enable all firmware
-    enableAllFirmware = lib.mkForce true;
-  };
-}

hosts/base/base-nogui/nix-settings.nix

@@ -1,41 +0,0 @@
-{ lib, outputs, ... }:
-{
-  nix = {
-    settings = {
-      substituters = [
-        "https://nix-community.cachix.org"
-        "https://cache.nixos.org/"
-      ];
-      trusted-public-keys = [
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      ];
-      warn-dirty = lib.mkForce false;
-      experimental-features = lib.mkForce [
-        "nix-command"
-        "flakes"
-      ];
-      trusted-users = [ "@wheel" ];
-    };
-
-    # Garbage collect automatically every week
-    gc.automatic = lib.mkDefault true;
-    gc.options = lib.mkDefault "--delete-older-than 30d";
-
-    optimise.automatic = lib.mkDefault true;
-  };
-
-  # Nixpkgs configuration
-  nixpkgs = {
-    # add unstable and stable overlays
-    overlays = [
-      outputs.overlays.nixpkgs-unstable
-      outputs.overlays.nixpkgs-stable
-    ];
-    config = {
-      allowUnfree = lib.mkForce true;
-      permittedInsecurePackages = [
-        # ...
-      ];
-    };
-  };
-}

hosts/base/base-nogui/programs.nix

@@ -1,15 +0,0 @@
-{ lib, ... }:
-{
-  programs = {
-    zsh.enable = lib.mkDefault true;
-    gnupg.agent = {
-      enable = lib.mkDefault true;
-      enableSSHSupport = lib.mkDefault true;
-    };
-    nix-index = {
-      enable = lib.mkDefault true;
-      enableBashIntegration = lib.mkDefault false;
-      enableZshIntegration = lib.mkDefault true;
-    };
-  };
-}

hosts/base/base-nogui/security.nix

@@ -1,31 +0,0 @@
-{ lib, pkgs, ... }:
-{
-  security = {
-    rtkit.enable = lib.mkDefault true;
-
-    # configure sudo
-    sudo.enable = lib.mkDefault false;
-    sudo-rs = {
-      enable = lib.mkDefault true;
-      extraRules = [
-        {
-          commands = [
-            {
-              command = "${pkgs.systemd}/bin/systemctl suspend";
-              options = [ "NOPASSWD" ];
-            }
-            {
-              command = "${pkgs.systemd}/bin/reboot";
-              options = [ "NOPASSWD" ];
-            }
-            {
-              command = "${pkgs.systemd}/bin/poweroff";
-              options = [ "NOPASSWD" ];
-            }
-          ];
-          groups = [ "wheel" ];
-        }
-      ];
-    };
-  };
-}

hosts/base/default.nix

@@ -1,27 +0,0 @@
-# { lib, config, ... }:
-
-# let
-#   cfg = config.base;
-
-#   cosmicPath =
-#     if cfg.desktopEnvironments.cosmic.enableSpecialisation then
-#       ../../modules/desktop-environments/cosmic/specialisation.nix
-#     else
-#       ../../modules/desktop-environments/cosmic/default.nix;
-
-#   hyprlandPath =
-#     if cfg.desktopEnvironments.hyprland.enableSpecialisation then
-#       ../../modules/desktop-environments/hyprland/specialisation.nix
-#     else
-#       ../../modules/desktop-environments/hyprland/default.nix;
-
-#   extraImports = lib.optionals cfg.enable (
-#     [ ./base-nogui ]
-#     ++ lib.optional cfg.baseGui.enable ./base-gui
-#     ++ lib.optional cfg.desktopEnvironments.cosmic.enable cosmicPath
-#     ++ lib.optional cfg.desktopEnvironments.hyprland.enable hyprlandPath
-#   );
-# in
-# {
-#   imports = [ ./options.nix ] ++ extraImports;
-# }

hosts/base/options.nix

@@ -1,35 +0,0 @@
-{ lib, ... }:
-with lib;
-{
-  options.base = {
-    enable = mkEnableOption "base config";
-
-    baseGui.enable = mkOption {
-      type = types.bool;
-      default = false;
-    };
-
-    desktopEnvironments = {
-      cosmic = {
-        enable = mkOption {
-          type = types.bool;
-          default = false;
-        };
-        enableSpecialisation = mkOption {
-          type = types.bool;
-          default = false;
-        };
-      };
-      hyprland = {
-        enable = mkOption {
-          type = types.bool;
-          default = false;
-        };
-        enableSpecialisation = mkOption {
-          type = types.bool;
-          default = false;
-        };
-      };
-    };
-  };
-}

hosts/deck/boot.nix

@@ -1,76 +0,0 @@
-{ pkgs, ... }:
-let
-  kernel = pkgs.linuxPackages_cachyos;
-in
-{
-  # Configure bootloader with lanzaboot and secureboot
-  boot = {
-    consoleLogLevel = 0;
-    initrd.verbose = false;
-    kernelModules = [ "nct6775" ];
-    loader = {
-      systemd-boot = {
-        enable = false;
-        configurationLimit = 5;
-        extraInstallCommands = ''
-          ${pkgs.uutils-coreutils}/bin/uutils-echo "timeout 0
-          console-mode 1
-          default nixos-*" > /boot/loader/loader.conf
-        '';
-      };
-
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
-    };
-
-    lanzaboote = {
-      enable = true;
-      pkiBundle = "/etc/secureboot";
-      settings = {
-        console-mode = "max";
-        timeout = "0"; 
-     };
-      configurationLimit = 5;
-#      extraInstallCommands = ''
-#        ${pkgs.uutils-coreutils}/bin/uutils-echo "timeout 0
-#        console-mode 1
-#        default nixos-*" > /boot/loader/loader.conf
-#      '';
-    };
-
-    plymouth = {
-      enable = true;
-    };
-
-    kernelPackages = kernel;
-
-    kernelParams = [
-      "quiet"
-      "amdgpu.ppfeaturemask=0xffffffff"
-      "splash"
-      "rd.systemd.show_status=false"
-      "rd.udev.log_level=3"
-      "udev.log_priority=3"
-      "loglevel=0"
-      "vt.global_cursor_default=0"
-      "rd.shell=0"
-      # Disable audit messages
-      "audit=0"
-      # Disable CPU mitigations messages
-      "mitigations=off"
-    ];
-    
-    bootspec.enable = true;
-  };
-  
-  # Further reduce systemd output
-  systemd = {
-    services.systemd-udev-settle.enable = false;
-    extraConfig = ''
-      ShowStatus=no
-      DefaultTimeoutStartSec=15s
-    '';
-  };
-}

hosts/deck/configuration.nix

@@ -1,100 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{ config, lib, pkgs, ... }:
-
-{
-  imports =
-  [
-    ./boot.nix
-    ./jovian.nix
-    ./networking.nix
-    ./sops.nix
-  ];
-
-  nix = {
-    settings = {
-      substituters = [
-        "https://cache.mjallen.dev"
-      ];
-      trusted-public-keys = [
-        "cache.mjallen.dev-1:IzFmKCd8/gggI6lcCXsW65qQwiCLGFFN9t9s2iw7Lvc="
-      ];
-      builders-use-substitutes = true;
-    };
-    distributedBuilds = true;
-    buildMachines = [
-      {
-        hostName = "jalle-nas.local";
-        system = "x86_64-linux";
-        maxJobs = 10;
-        sshUser = "admin";
-        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
-      }
-    ];
-  };
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users = {
-    deck = {
-      hashedPasswordFile = config.sops.secrets."steamdeck/deck-password".path;
-      isNormalUser = true;
-      extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-      openssh.authorizedKeys.keys = [
-        # macBook
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
-        # desktop windows
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
-        # desktop nixos
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
-      ];
-      packages = with pkgs; [
-        firefox
-        tree
-      ];
-      shell = pkgs.zsh;
-    };
-
-    root.shell = pkgs.zsh;
-  };
-
-  programs.coolercontrol.enable = true;
-
-  services = {
-    btrfs = {
-      autoScrub.enable = lib.mkDefault true;
-      autoScrub.fileSystems = lib.mkDefault [
-        "/nix"
-        "/root"
-        "/etc"
-        "/var/log"
-        "/home"
-      ];
-    };
-  };
-
-  chaotic.mesa-git.enable = true;
-
-  services.displayManager.gdm.enable = lib.mkForce false;
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment = {
-    systemPackages = with pkgs; [
-      fuse
-      jq
-      newt
-      sbctl
-      steam-run
-      udisks2
-      zenity
-    ];
-
-    variables = {
-      STEAM_FORCE_DESKTOPUI_SCALING = "1.0";
-      GDK_SCALE = "1";
-    };
-  };
-}
-

hosts/deck/home.nix

@@ -1,73 +0,0 @@
-{ pkgs, ... }:
-let
-  shellAliases = {
-    update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
-    update-switch = "sudo nixos-rebuild switch --max-jobs 10";
-    update-flake = "nix flake update steamdeck-nixpkgs steamdeck-chaotic steamdeck-home-manager steamdeck-impermanence steamdeck-jovian steamdeck-lanzaboote steamdeck-nixos-hardware steamdeck-sops-nix steamdeck-steam-rom-manager --flake /etc/nixos";
-    nas-ssh = "ssh admin@10.0.1.3";
-  };
-in
-{
-  home.username = "deck";
-
-  sops = {
-    age.keyFile = "/home/deck/.config/sops/age/keys.txt";
-    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
-    validateSopsFiles = false;
-    secrets = {
-      "ssh-keys-public/deck" = {
-        path = "/home/deck/.ssh/id_ed25519.pub";
-        mode = "0644";
-      };
-      "ssh-keys-private/deck" = {
-        path = "/home/deck/.ssh/id_ed25519";
-        mode = "0600";
-      };
-    };
-  };
-
-  programs = {
-    steam-rom-manager = {
-      enable = true;
-      steamUsername = "mjallen18";
-      
-      # Optional: override default paths if needed
-      environmentVariables = {
-        romsDirectory = "/home/deck/Emulation/roms";
-        steamDirectory = "/home/deck/.local/share/Steam";
-      };
-      
-      emulators = {
-        ryujinx.enable = true;
-
-        dolphin-gamecube = {
-          enable = true;
-          package = pkgs.dolphin-emu;
-          romFolder = "gc";
-          fileTypes = [ ".iso" ".ISO" ".gcm" ".GCM" ".ciso" ".CISO" "rvz" ];
-          extraArgs = "-b -e \"\${filePath}\"";
-        };
-        
-        pcsx2.enable = true;
-        mgba.enable = true;
-        
-        "Non-SRM Shortcuts" = {
-          enable = true;
-          parserType = "Non-SRM Shortcuts";
-          extraArgs = "";
-        };
-      };
-    };
-
-    zsh.shellAliases = shellAliases;
-  };
-
-  home.packages = with pkgs; [
-    dolphin-emu
-    heroic
-    mgba
-    prismlauncher
-    ryujinx-greemdev
-    vmware-horizon-client
-  ];
-}

hosts/deck/jovian.nix

@@ -1,24 +0,0 @@
-{ ... }:
-{
-  jovian = {
-    steam = {
-      enable = true;
-      autoStart = true;
-      user = "deck";
-      desktopSession = "gnome";
-    };
-
-    steamos = {
-      useSteamOSConfig = true;
-    };
-
-    devices = {
-      steamdeck = {
-        enable = true;
-        enableGyroDsuService = true; # If enabled, motion data from the gyroscope can be used in Cemu with Cemuhoo
-      };
-    };
-
-    hardware.has.amd.gpu = true;
-  };
-}

hosts/deck/networking.nix

@@ -1,44 +0,0 @@
-{ config, lib, ... }:
-let
-  hostname = "steamdeck";
-  wifiSsid = "Joey's Jungle 5G";
-in
-{
-  networking = {
-    hostName = hostname;
-    networkmanager = {
-      enable = true;
-      wifi.powersave = lib.mkDefault false;
-      settings.connectivity.uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
-      ensureProfiles = {
-        environmentFiles = [
-          config.sops.secrets.wifi.path
-        ];
-
-        profiles = {
-          wifiSsid = {
-            connection = {
-              id = wifiSsid;
-              type = "wifi";
-            };
-            ipv4 = {
-              method = "auto";
-            };
-            ipv6 = {
-              addr-gen-mode = "stable-privacy";
-              method = "auto";
-            };
-            wifi = {
-              mode = "infrastructure";
-              ssid = wifiSsid;
-            };
-            wifi-security = {
-              key-mgmt = "sae";
-              psk = "$PSK";
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/deck/sops.nix

@@ -1,111 +0,0 @@
-{ config, ... }:
-let
-  user = "deck";
-in
-{
-  # Permission modes are in octal representation (same as chmod),
-  # the digits represent: user|group|others
-  # 7 - full (rwx)
-  # 6 - read and write (rw-)
-  # 5 - read and execute (r-x)
-  # 4 - read only (r--)
-  # 3 - write and execute (-wx)
-  # 2 - write only (-w-)
-  # 1 - execute only (--x)
-  # 0 - none (---)
-  # Either a user id or group name representation of the secret owner
-  # It is recommended to get the user name from `config.users.users.<?name>.name` to avoid misconfiguration
-  # Either the group id or group name representation of the secret group
-  # It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
-  sops = {
-    defaultSopsFile = ../../secrets/steamdeck-secrets.yaml;
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
-    # ------------------------------
-    # Secrets
-    # ------------------------------
-    secrets = {
-      "steamdeck/deck-password" = {
-        neededForUsers = true;
-        mode = "0600";
-        owner = config.users.users."${user}".name;
-        group = config.users.users."${user}".group;
-      };
-
-      "wifi" = {
-        sopsFile = ../../secrets/secrets.yaml;
-      };
-
-      # ------------------------------
-      # SSH keys
-      # ------------------------------
-      # "ssh-keys-public/desktop-nixos" = {
-      #   mode = "0644";
-      #   owner = config.users.users."${user}".name;
-      #   group = config.users.users."${user}".group;
-      #   restartUnits = [ "sshd.service" ];
-      # };
-      # "ssh-keys-private/desktop-nixos" = {
-      #   mode = "0600";
-      #   owner = config.users.users."${user}".name;
-      #   group = config.users.users."${user}".group;
-      #   restartUnits = [ "sshd.service" ];
-      # };
-      # "ssh-keys-public/desktop-nixos-root" = {
-      #   path = "/root/.ssh/id_ed25519.pub";
-      #   mode = "0600";
-      #   restartUnits = [ "sshd.service" ];
-      # };
-      # "ssh-keys-private/desktop-nixos-root" = {
-      #   path = "/root/.ssh/id_ed25519";
-      #   mode = "0600";
-      #   restartUnits = [ "sshd.service" ];
-      # };
-
-      # ------------------------------
-      # Secureboot keys
-      # ------------------------------
-      "secureboot/GUID" = {
-        sopsFile = ../../secrets/secrets.yaml;
-#        path = "/etc/secureboot/GUID";
-        mode = "0600";
-      };
-      "secureboot/keys/db-key" = {
-        sopsFile = ../../secrets/secrets.yaml;
-#        path = "/etc/secureboot/keys/db/db.key";
-        mode = "0600";
-      };
-      "secureboot/keys/db-pem" = {
-        sopsFile = ../../secrets/secrets.yaml;
-#        path = "/etc/secureboot/keys/db/db.pem";
-        mode = "0600";
-      };
-      "secureboot/keys/KEK-key" = {
-        sopsFile = ../../secrets/secrets.yaml;
-#        path = "/etc/secureboot/keys/KEK/KEK.key";
-        mode = "0600";
-      };
-      "secureboot/keys/KEK-pem" = {
-        sopsFile = ../../secrets/secrets.yaml;
-#        path = "/etc/secureboot/keys/KEK/KEK.pem";
-        mode = "0600";
-      };
-      "secureboot/keys/PK-key" = {
-        sopsFile = ../../secrets/secrets.yaml;
-#        path = "/etc/secureboot/keys/PK/PK.key";
-        mode = "0600";
-      };
-      "secureboot/keys/PK-pem" = {
-        sopsFile = ../../secrets/secrets.yaml;
-#        path = "/etc/secureboot/keys/PK/PK.pem";
-        mode = "0600";
-      };
-    };
-
-    # ------------------------------
-    # Templates
-    # ------------------------------
-    templates = {
-    };
-  };
-}

hosts/desktop/configuration.nix

@@ -1,125 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
-  lib,
-  pkgs,
-  ...
-}:
-let
-  pkgsVersion = pkgs; #.unstable;
-  environmentVariables = {
-    STEAM_FORCE_DESKTOPUI_SCALING = "1.0";
-    GDK_SCALE = "1";
-    EDITOR = "${pkgs.vscodium}/bin/codium --wait";
-    VISUAL = "${pkgs.vscodium}/bin/codium --wait";
-  };
-  systemPackages = with pkgsVersion; [
-    acpilight
-    aha
-    aspell
-    aspellDicts.en
-    aspellDicts.en-computers
-    aspellDicts.en-science
-    borgbackup
-    brightnessctl
-    # brscan5
-    ddcui
-    ddcutil
-    ddccontrol
-    ddccontrol-db
-    efibootmgr
-    kdePackages.ksvg
-    memtest86-efi
-    memtest86plus
-    os-prober
-    nil
-    qemu_full
-    rclone
-    rclone-browser
-    restic
-    restic-browser
-    restic-integrity
-    sane-frontends
-    sbctl
-    tpm2-tools
-    tpm2-tss
-    udisks2
-    unzip
-    winetricks
-  ];
-in
-{
-  imports = [
-    ./boot.nix
-    ./filesystems.nix
-    ./hardware-configuration.nix
-    ./networking.nix
-    ./nix.nix
-    ./services.nix
-    ./sops.nix
-    ./users.nix
-  ];
-
-  nix = {
-    settings = {
-      substituters = [
-        "https://cache.mjallen.dev"
-      ];
-      trusted-public-keys = [
-        "cache.mjallen.dev-1:IzFmKCd8/gggI6lcCXsW65qQwiCLGFFN9t9s2iw7Lvc="
-      ];
-    };
-  };
-
-  chaotic.mesa-git.enable = true;
-
-  # Environment configuration
-  environment = {
-    systemPackages = systemPackages;
-
-    variables = environmentVariables;
-  };
-
-  # Hardware configuration
-  hardware = {
-    # Enable the QMK firmware flashing tool.
-    keyboard = {
-      qmk.enable = true;
-    };
-
-    # Enable Sane and Brother printer support.
-    sane = {
-      enable = true;
-      brscan5.enable = false;
-      # extraBackends = [ pkgsVersion.brscan5 ];
-    };
-  };
-
-  # Common Configuration
-  share = {
-    gaming.enable = true;
-    hardware.amd = {
-      enable = lib.mkDefault true;
-      lact.enable = lib.mkDefault true;
-    };
-  };
-
-  programs.coolercontrol.enable = true;
-
-  # Time configuration
-  time = {
-    hardwareClockInLocalTime = lib.mkDefault false;
-  };
-
-  # Virtualisation configuration
-  virtualisation = {
-    libvirtd.enable = lib.mkDefault true;
-    waydroid.enable = lib.mkDefault true;
-  };
-
-  services.udev.extraRules = ''
-    KERNEL=="i2c-[0-9]*", GROUP="i2c", MODE="0660"
-  '';
-}

hosts/desktop/hardware-configuration.nix

@@ -1,95 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  modulesPath,
-  ...
-}:
-let
-  defeaultBtrfsOptions = [
-    "compress=zstd"
-    "autodefrag"
-  ];
-in 
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  fileSystems."/" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "defaults"
-      "size=25%"
-      "mode=755"
-    ];
-  };
-
-  fileSystems."/nix" = {
-    device = "/dev/disk/by-uuid/c6cf43cb-d0d2-4111-bc81-994e41b2632d";
-    fsType = "btrfs";
-    options = [
-      "subvol=nix"
-      "noatime"
-    ] ++ defeaultBtrfsOptions;
-  };
-
-  fileSystems."/etc" = {
-    device = "/dev/disk/by-uuid/c6cf43cb-d0d2-4111-bc81-994e41b2632d";
-    fsType = "btrfs";
-    options = [
-      "subvol=etc"
-      "noatime"
-    ] ++ defeaultBtrfsOptions;
-  };
-
-  fileSystems."/root" = {
-    device = "/dev/disk/by-uuid/c6cf43cb-d0d2-4111-bc81-994e41b2632d";
-    fsType = "btrfs";
-    options = [
-      "subvol=root"
-      "noatime"
-    ] ++ defeaultBtrfsOptions;
-  };
-
-  fileSystems."/var/log" = {
-    device = "/dev/disk/by-uuid/c6cf43cb-d0d2-4111-bc81-994e41b2632d";
-    fsType = "btrfs";
-    options = [
-      "subvol=log"
-      "noatime"
-    ] ++ defeaultBtrfsOptions;
-  };
-
-  fileSystems."/home" = {
-    device = "/dev/disk/by-uuid/c6cf43cb-d0d2-4111-bc81-994e41b2632d";
-    fsType = "btrfs";
-    options = [
-      "subvol=home"
-    ] ++ defeaultBtrfsOptions;
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/216E-A7AC";
-    fsType = "vfat";
-  };
-
-  swapDevices = [
-    {
-      device = "/dev/disk/by-id/nvme-Samsung_SSD_980_PRO_1TB_S5P2NS0T307907H-part2";
-      randomEncryption.enable = true;
-    }
-  ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp10s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp9s0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/desktop/home.nix

@@ -1,66 +0,0 @@
-{ pkgs, ... }:
-let
-  shellAliases = {
-    update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
-    update-switch = "sudo nixos-rebuild switch --max-jobs 10 --build-host admin@10.0.1.3";
-    update-flake = "nix flake update desktop-nixpkgs desktop-chaotic desktop-home-manager desktop-impermanence desktop-lanzaboote desktop-nixos-hardware desktop-sops-nix desktop-steam-rom-manager --flake /etc/nixos";
-    update-nas = "nixos-rebuild switch --use-remote-sudo --target-host admin@10.0.1.3 --build-host admin@10.0.1.3 --flake ~/nix-config#jallen-nas";
-  };
-in
-{
-  home.username = "matt";
-
-  sops = {
-    age.keyFile = "/home/matt/.config/sops/age/keys.txt";
-    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
-    validateSopsFiles = false;
-    secrets = {
-      "ssh-keys-public/desktop-nixos" = {
-        path = "/home/matt/.ssh/id_ed25519.pub";
-        mode = "0644";
-      };
-      "ssh-keys-private/desktop-nixos" = {
-        path = "/home/matt/.ssh/id_ed25519";
-        mode = "0600";
-      };
-    };
-  };
-
-  services = {
-    remmina = {
-      enable = true;
-      addRdpMimeTypeAssoc = true;
-    };
-  };
-
-  programs = {
-    password-store.enable = true;
-
-    zsh.shellAliases = shellAliases;
-  };
-
-  home.packages = with pkgs; [
-    bottles
-    unstable.compose2nix
-    discord
-    heroic
-    stable.vmware-horizon-client
-    jq
-    lutris
-    lzip
-    morph
-    orca-slicer
-    piper
-    prismlauncher
-    protontricks
-    protonvpn-gui
-    python3
-    qmk
-    smile
-    unigine-heaven
-    via
-    virt-manager
-    vorta
-    waydroid-helper
-  ];
-}

hosts/desktop/networking.nix

@@ -1,46 +0,0 @@
-{ lib, config, ... }:
-let
-  hostname = "matt-nixos";
-in
-{
-  # Networking configs
-  networking = {
-    hostName = lib.mkDefault hostname;
-
-    # Enable Network Manager
-    networkmanager = {
-      enable = lib.mkDefault true;
-      wifi.powersave = lib.mkDefault false;
-      settings.connectivity.uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
-      ensureProfiles = {
-        environmentFiles = [
-          config.sops.secrets.wifi.path
-        ];
-
-        profiles = {
-          "Joey's Jungle 6G" = {
-            connection = {
-              id = "Joey's Jungle 6G";
-              type = "wifi";
-            };
-            ipv4 = {
-              method = "auto";
-            };
-            ipv6 = {
-              addr-gen-mode = "stable-privacy";
-              method = "auto";
-            };
-            wifi = {
-              mode = "infrastructure";
-              ssid = "Joey's Jungle 6G";
-            };
-            wifi-security = {
-              key-mgmt = "sae";
-              psk = "$PSK";
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/desktop/nix.nix

@@ -1,33 +0,0 @@
-{ lib, ... }:
-let
-  user = "matt";
-in
-{
-  nix = {
-    settings = {
-      substituters = [
-        "https://cache.mjallen.dev/nas-cache"
-      ];
-      trusted-public-keys = [
-        "nas-cache:5ibTWOXJYlKBaoNtdDEPmvdLPtfnbwf9jvdnfwi5dUs="
-      ];
-      warn-dirty = lib.mkForce false;
-      experimental-features = lib.mkForce [
-        "nix-command"
-        "flakes"
-      ];
-      trusted-users = [ user ];
-    };
-    # settings.builders-use-substitutes = true;
-    # distributedBuilds = true;
-    buildMachines = [
-      {
-        hostName = "jallen-nas.local";
-        system = "x86_64-linux";
-        maxJobs = 10;
-        sshUser = "admin";
-        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
-      }
-    ];
-  };
-}

hosts/desktop/services.nix

@@ -1,108 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  pkgsVersion = pkgs; #.unstable;
-in 
-{
-  services = {
-    # Enable Flatpak
-    flatpak.enable = lib.mkDefault false;
-
-    # enable auto discovery of printers
-    avahi = {
-      enable = lib.mkDefault true;
-      nssmdns4 = lib.mkDefault true;
-      openFirewall = lib.mkDefault true;
-    };
-
-    restic.backups = {
-      jallen-nas = {
-        initialize = true;
-        createWrapper = true;
-        inhibitsSleep = true;
-        environmentFile = config.sops.templates."restic.env".path;
-        passwordFile = config.sops.secrets."desktop/restic/password".path;
-        repositoryFile = config.sops.secrets."desktop/restic/repo".path;
-        paths = [
-          "/home/matt"
-        ];
-        exclude = [
-          "/home/matt/Steam"
-          "/home/matt/Heroic"
-          "/home/matt/1TB"
-          "/home/matt/Downloads"
-          "/home/matt/Nextcloud"
-          "/home/matt/.cache"
-          "/home/matt/.local/share/Steam"
-          "/home/matt/.var/app/com.valvesoftware.Steam"
-          "/home/matt/.tmp"
-          "/home/matt/.thumbnails"
-          "/home/matt/.compose-cache"
-        ];
-      };
-      proton-drive = {
-        initialize = true;
-        createWrapper = true;
-        inhibitsSleep = true;
-        passwordFile = config.sops.secrets."desktop/restic/password".path;
-        rcloneConfigFile = "/home/matt/.config/rclone/rclone.conf";
-        repository = "rclone:proton-drive:backup-nix";
-        paths = [
-          "/home/matt"
-        ];
-        exclude = [
-          "/home/matt/Steam"
-          "/home/matt/Heroic"
-          "/home/matt/1TB"
-          "/home/matt/Downloads"
-          "/home/matt/Nextcloud"
-          "/home/matt/.cache"
-          "/home/matt/.local/share/Steam"
-          "/home/matt/.var/app/com.valvesoftware.Steam"
-          "/home/matt/.tmp"
-          "/home/matt/.thumbnails"
-          "/home/matt/.compose-cache"
-        ];
-      };
-    };
-
-    btrfs = {
-      autoScrub.enable = lib.mkDefault true;
-      autoScrub.fileSystems = lib.mkDefault [
-        "/nix"
-        "/root"
-        "/etc"
-        "/var/log"
-        "/home"
-      ];
-    };
-
-    ratbagd.enable = lib.mkDefault true;
-  };
-
-  systemd = {
-    user.services = {
-      rclone-home-proton = {
-        enable = lib.mkDefault false;
-        path = with pkgsVersion; [
-          bash
-          pkgs.rclone
-        ];
-        script = ''
-          rclone sync /home/matt proton-drive:backup-nix --exclude '/home/matt/Games/**' --exclude '/home/matt/1TB/**' --exclude '/home/matt/Downloads/**'
-        '';
-      };
-
-      rsync-home = {
-        enable = lib.mkDefault false;
-        path = with pkgsVersion; [
-          bash
-          rsync
-          openssh
-        ];
-        script = ''
-          rsync -rtpogvPlHzs --ignore-existing --exclude={'/home/matt/Games', '/home/matt/1TB', '/home/matt/Downloads/*', '/home/matt/.cache'} -e ssh /home/matt admin@10.0.1.3:/media/nas/main/backup/desktop-nix/home 
-        '';
-      };
-    };
-  };
-}

hosts/desktop/users.nix

@@ -1,26 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  user = "matt";
-  passwordFile = config.sops.secrets."desktop/matt_password".path;
-  pkgsVersion = pkgs; #.unstable;
-in 
-{
-  users.users."${user}" = {
-    isNormalUser = lib.mkDefault true;
-    extraGroups = [
-      "wheel"
-      "keys"
-      "networkmanager"
-      "ratbagd"
-      "input"
-      "scanner"
-      "lp"
-      "video"
-      "i2c"
-    ]; # Enable ‘sudo’ for the user.
-    hashedPasswordFile = passwordFile;
-    shell = pkgsVersion.zsh;
-  };
-
-  users.users.root.shell = pkgsVersion.zsh;
-}

hosts/homeassistant/automations.yaml

@@ -1,236 +0,0 @@
-- id: '1740678838632'
-  alias: Bedroom Light Switch
-  description: ''
-  triggers:
-  - domain: mqtt
-    device_id: 8b3a5a5b6faaba744c70ee940446a8af
-    type: action
-    subtype: on-press
-    trigger: device
-    id: on press
-  - domain: mqtt
-    device_id: 8b3a5a5b6faaba744c70ee940446a8af
-    type: action
-    subtype: off-press
-    trigger: device
-    id: off press
-  - domain: mqtt
-    device_id: 8b3a5a5b6faaba744c70ee940446a8af
-    type: action
-    subtype: up-press
-    trigger: device
-    id: up press
-  - domain: mqtt
-    device_id: 8b3a5a5b6faaba744c70ee940446a8af
-    type: action
-    subtype: down-press
-    trigger: device
-    id: down press
-  conditions: []
-  actions:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - on press
-      sequence:
-      - action: light.turn_on
-        metadata: {}
-        data:
-          transition: 2
-          brightness_pct: 100
-          kelvin: 6004
-        target:
-          entity_id: light.bedroom_lights
-    - conditions:
-      - condition: trigger
-        id:
-        - off press
-      sequence:
-      - action: light.turn_off
-        metadata: {}
-        data:
-          transition: 2
-        target:
-          entity_id: light.bedroom_lights
-    - conditions:
-      - condition: trigger
-        id:
-        - up press
-      sequence:
-      - action: light.turn_on
-        metadata: {}
-        data:
-          brightness_step_pct: 10
-        target:
-          entity_id: light.bedroom_lights
-    - conditions:
-      - condition: trigger
-        id:
-        - down press
-      sequence:
-      - action: light.turn_on
-        metadata: {}
-        data:
-          brightness_step_pct: -10
-        target:
-          entity_id: light.bedroom_lights
-  mode: single
-- id: '1740697291423'
-  alias: Living Rooom Lights
-  description: ''
-  triggers:
-  - domain: mqtt
-    device_id: b4fb325dfe68d4f80391417998f35843
-    type: action
-    subtype: on-press
-    trigger: device
-    id: on press
-  - domain: mqtt
-    device_id: b4fb325dfe68d4f80391417998f35843
-    type: action
-    subtype: off-press
-    trigger: device
-    id: off press
-  - domain: mqtt
-    device_id: b4fb325dfe68d4f80391417998f35843
-    type: action
-    subtype: up-press
-    trigger: device
-    id: up press
-  - domain: mqtt
-    device_id: b4fb325dfe68d4f80391417998f35843
-    type: action
-    subtype: down-press
-    trigger: device
-    id: down press
-  - domain: mqtt
-    device_id: b4fb325dfe68d4f80391417998f35843
-    type: action
-    subtype: on-hold
-    trigger: device
-    id: on-hold
-  conditions: []
-  actions:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - on press
-      sequence:
-      - action: light.turn_on
-        metadata: {}
-        data:
-          transition: 2
-          brightness_pct: 100
-          kelvin: 6004
-        target:
-          entity_id:
-          - light.living_room_lights
-    - conditions:
-      - condition: trigger
-        id:
-        - off press
-      sequence:
-      - action: light.turn_off
-        metadata: {}
-        data:
-          transition: 2
-        target:
-          entity_id:
-          - light.living_room_lights
-    - conditions:
-      - condition: trigger
-        id:
-        - up press
-      sequence:
-      - action: light.turn_on
-        metadata: {}
-        data:
-          brightness_step_pct: 10
-        target:
-          entity_id: light.living_room_lights
-    - conditions:
-      - condition: trigger
-        id:
-        - down press
-      sequence:
-      - action: light.turn_on
-        metadata: {}
-        data:
-          brightness_step_pct: -10
-        target:
-          entity_id: light.living_room_light_1
-    - conditions:
-      - condition: trigger
-        id:
-        - on-hold
-      sequence:
-      - action: light.turn_on
-        metadata: {}
-        data:
-          transition: 0
-          brightness_pct: 100
-          rgb_color:
-          - 224
-          - 27
-          - 36
-        target:
-          entity_id: light.living_room_lights
-  mode: single
-- id: '1741048414771'
-  alias: Front Closet
-  description: ''
-  triggers:
-  - type: present
-    device_id: c6519ea1e715f397dbbf7b73452f9e49
-    entity_id: c3a7b8892b8b372d2c40556e770ddc68
-    domain: binary_sensor
-    trigger: device
-    for:
-      hours: 0
-      minutes: 0
-      seconds: 0
-    id: present
-  - type: not_present
-    device_id: c6519ea1e715f397dbbf7b73452f9e49
-    entity_id: c3a7b8892b8b372d2c40556e770ddc68
-    domain: binary_sensor
-    trigger: device
-    for:
-      hours: 0
-      minutes: 0
-      seconds: 5
-    id: not
-  conditions: []
-  actions:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - present
-      sequence:
-      - action: light.turn_on
-        metadata: {}
-        data:
-          transition: 2
-          brightness_pct: 100
-          kelvin: 6010
-        target:
-          entity_id:
-          - light.front_closet_light_1
-          - light.front_closet_light_2
-    - conditions:
-      - condition: trigger
-        id:
-        - not
-      sequence:
-      - action: light.turn_off
-        metadata: {}
-        data:
-          transition: 2
-        target:
-          entity_id:
-          - light.front_closet_light_1
-          - light.front_closet_light_2
-  mode: single

hosts/homeassistant/automations.yaml.ori

@@ -1,576 +0,0 @@
-- id: '1692388103102'
-  alias: Weekly Backup
-  description: Create a full backup every Sunday at 3 am and store it on the NAS
-  trigger:
-  - platform: time
-    at: 03:00:00
-  condition:
-  - condition: time
-    weekday:
-    - sun
-  action:
-  - service: hassio.backup_full
-    data:
-      compressed: true
-  mode: single
-- id: '1692389901297'
-  alias: Livingroom Lights
-  description: ''
-  trigger:
-  - platform: device
-    domain: mqtt
-    device_id: 37d42431de65199af00220b43dae04c1
-    type: action
-    subtype: on_press
-    id: 'on'
-  - platform: device
-    domain: mqtt
-    device_id: 37d42431de65199af00220b43dae04c1
-    type: action
-    subtype: off_press
-    id: 'off'
-  - platform: device
-    domain: mqtt
-    device_id: 37d42431de65199af00220b43dae04c1
-    type: action
-    subtype: up_press
-    id: up
-  - platform: device
-    domain: mqtt
-    device_id: 37d42431de65199af00220b43dae04c1
-    type: action
-    subtype: down_press
-    id: down
-  - platform: device
-    domain: mqtt
-    device_id: 37d42431de65199af00220b43dae04c1
-    type: action
-    subtype: on_hold
-    id: hold
-  condition: []
-  action:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - 'on'
-      sequence:
-      - data:
-          brightness_pct: 100
-          color_temp_kelvin: 5000
-          transition: 1
-        target:
-          entity_id: light.livingroom_lights
-        action: light.turn_on
-    - conditions:
-      - condition: trigger
-        id:
-        - 'off'
-      sequence:
-      - data:
-          transition: 1
-        target:
-          entity_id: light.livingroom_lights
-        action: light.turn_off
-    - conditions:
-      - condition: trigger
-        id:
-        - hold
-      sequence:
-      - data:
-          brightness_pct: 100
-          rgb_color:
-          - 255
-          - 38
-          - 0
-          transition: 1
-        target:
-          entity_id: light.livingroom_lights
-        action: light.turn_on
-    - conditions:
-      - condition: trigger
-        id:
-        - dim up
-      sequence:
-      - data:
-          brightness_step_pct: 20
-        target:
-          entity_id: light.livingroom_lights
-        action: light.turn_on
-    - conditions:
-      - condition: trigger
-        id:
-        - dim down
-      sequence:
-      - data:
-          brightness_step_pct: -20
-        target:
-          entity_id: light.livingroom_lights
-        action: light.turn_on
-  mode: single
-- id: '1692390365798'
-  alias: Bedroom Lights
-  description: ''
-  triggers:
-  - domain: mqtt
-    device_id: a492c0abb8f14e0888df08101f77f484
-    type: action
-    subtype: off_press
-    id: 'off'
-    trigger: device
-  - domain: mqtt
-    device_id: a492c0abb8f14e0888df08101f77f484
-    type: action
-    subtype: on_press
-    id: 'on'
-    trigger: device
-  - domain: mqtt
-    device_id: a492c0abb8f14e0888df08101f77f484
-    type: action
-    subtype: up_press
-    id: up
-    trigger: device
-  - domain: mqtt
-    device_id: a492c0abb8f14e0888df08101f77f484
-    type: action
-    subtype: down_press
-    id: down
-    trigger: device
-  - domain: mqtt
-    device_id: a492c0abb8f14e0888df08101f77f484
-    type: action
-    subtype: on_hold
-    id: hold on
-    trigger: device
-  conditions: []
-  actions:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - 'on'
-      sequence:
-      - data:
-          brightness_pct: 100
-          color_temp_kelvin: 5000
-          transition: 1
-        target:
-          entity_id: light.bedroom_lights
-        action: light.turn_on
-    - conditions:
-      - condition: trigger
-        id:
-        - 'off'
-      sequence:
-      - data:
-          transition: 1
-        target:
-          entity_id:
-          - light.bedroom_lights
-        action: light.turn_off
-    - conditions:
-      - condition: trigger
-        id:
-        - up
-      sequence:
-      - device_id: 171fa001578683249ff26f2d85817fef
-        domain: light
-        entity_id: 55d41329665f60a55a732c5bbececd22
-        type: brightness_increase
-      - device_id: c92fea3d569ca668e6617a189f917a28
-        domain: light
-        entity_id: 0c8630c2b37ae9615f9cf815aaebf40f
-        type: brightness_increase
-    - conditions:
-      - condition: trigger
-        id:
-        - down
-      sequence:
-      - device_id: 171fa001578683249ff26f2d85817fef
-        domain: light
-        entity_id: 55d41329665f60a55a732c5bbececd22
-        type: brightness_decrease
-      - device_id: c92fea3d569ca668e6617a189f917a28
-        domain: light
-        entity_id: 0c8630c2b37ae9615f9cf815aaebf40f
-        type: brightness_decrease
-    - conditions:
-      - condition: trigger
-        id:
-        - hold on
-      sequence:
-      - metadata: {}
-        data:
-          rgb_color:
-          - 255
-          - 0
-          - 0
-          brightness_pct: 100
-        target:
-          entity_id: light.bedroom_lights
-        action: light.turn_on
-  mode: single
-- id: '1694441037420'
-  alias: Air Purifier Schedule
-  description: ''
-  trigger:
-  - platform: time
-    at: 07:00:00
-    id: fan off
-  - platform: time
-    at: '23:00:00'
-    id: fan on
-  condition: []
-  action:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - fan on
-      sequence:
-      - service: fan.set_percentage
-        data:
-          percentage: 100
-        target:
-          entity_id: fan.bedroom_air_purifier
-    - conditions:
-      - condition: trigger
-        id:
-        - fan off
-      sequence:
-      - service: fan.set_preset_mode
-        data:
-          preset_mode: auto
-        target:
-          entity_id: fan.bedroom_air_purifier
-  mode: single
-- id: '1705949582146'
-  alias: Ice Maker Power Schedule
-  description: ''
-  trigger:
-  - platform: time_pattern
-    hours: '*'
-    minutes: '0'
-    seconds: '0'
-  condition: []
-  action:
-  - type: toggle
-    device_id: 41c66532e23aadc4c6ac95e520e5d345
-    entity_id: bd17ac75a91e62ed7e6b148cfe33d43d
-    domain: switch
-  - alias: Set Ice Maker Light to Dim
-    device_id: 41c66532e23aadc4c6ac95e520e5d345
-    domain: select
-    entity_id: 8f4f90c62b00df9008d14f7ce8967199
-    type: select_option
-    option: 'On'
-  mode: single
-- id: '1708978401738'
-  alias: Soundbar
-  description: ''
-  trigger: []
-  condition: []
-  action:
-  - service: media_player.turn_on
-    metadata: {}
-    data: {}
-    target:
-      entity_id: media_player.soundbar
-  - service: media_player.select_source
-    metadata: {}
-    data:
-      source: wifi
-    target:
-      entity_id: media_player.soundbar
-  - service: media_player.play_media
-    metadata: {}
-    data:
-      media_content_id: media-source://radio_browser/2eff3a1f-b821-4267-9f37-f8d7e72061e4
-      media_content_type: audio/mpeg
-    target:
-      entity_id: media_player.soundbar
-  mode: single
-- id: '1711147285926'
-  alias: Grow Light Schedule
-  description: ''
-  trigger:
-  - platform: time
-    at: 07:00:00
-    id: day
-  - platform: time
-    at: '20:00:00'
-    id: night
-  condition: []
-  action:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - day
-      sequence:
-      - service: switch.turn_on
-        metadata: {}
-        data: {}
-        target:
-          entity_id: switch.grow_lights
-    - conditions:
-      - condition: trigger
-        id:
-        - night
-      sequence:
-      - service: switch.turn_off
-        metadata: {}
-        data: {}
-        target:
-          entity_id: switch.grow_lights
-  mode: single
-- id: '1723142554607'
-  alias: Restart Luci's Box
-  description: for some reason this box sucks and needs to get reboot periodically
-  trigger:
-  - platform: time_pattern
-    hours: '*'
-  condition: []
-  action:
-  - type: turn_off
-    device_id: e7f8974c31567dddbbffb036fe8381bc
-    entity_id: e1e71e4acdfcbb6c4afdc174807ad8be
-    domain: switch
-  - delay:
-      hours: 0
-      minutes: 0
-      seconds: 1
-      milliseconds: 0
-  - type: turn_on
-    device_id: e7f8974c31567dddbbffb036fe8381bc
-    entity_id: e1e71e4acdfcbb6c4afdc174807ad8be
-    domain: switch
-  - type: turn_on
-    device_id: d5eb3c182a1ef2a231b94b09c26aed45
-    entity_id: 7106df7ebde274ac4bc2b197d5c45bea
-    domain: fan
-  - device_id: d5eb3c182a1ef2a231b94b09c26aed45
-    domain: number
-    entity_id: 59a7cd3cb2883bf6002f789c2ff4824c
-    type: set_value
-    value: 3
-  mode: single
-- id: '1724707092916'
-  alias: HASS Updates
-  description: ''
-  use_blueprint:
-    path: edwardtfn/auto_update_scheduled.yaml
-    input:
-      schedule_entity: schedule.updates
-      restart_bool: true
-- id: '1724707291994'
-  alias: IOT Battery Checker
-  description: ''
-  use_blueprint:
-    path: sbyx/low-battery-level-detection-notification-for-all-battery-sensors.yaml
-    input:
-      exclude:
-        entity_id: []
-        device_id:
-        - 66e9cee67a740e8925dae5fc9ce940f0
-        - df76e3a3e48b49e13bd3006350826740
-      actions:
-      - action: notify.persistent_notification
-        metadata: {}
-        data:
-          message: Device Battery Low
-- id: '1729708621620'
-  alias: Closet Lights
-  description: ''
-  triggers:
-  - type: present
-    device_id: 0924cbdcd24416e768caa52301db59f7
-    entity_id: e9f0acef50550033cd96155bd501b7c3
-    domain: binary_sensor
-    trigger: device
-    for:
-      hours: 0
-      minutes: 0
-      seconds: 0
-    id: Present
-  - type: not_present
-    device_id: 0924cbdcd24416e768caa52301db59f7
-    entity_id: e9f0acef50550033cd96155bd501b7c3
-    domain: binary_sensor
-    trigger: device
-    for:
-      hours: 0
-      minutes: 0
-      seconds: 0
-    id: empty
-  conditions: []
-  actions:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - Present
-      sequence:
-      - action: light.turn_on
-        metadata: {}
-        data:
-          transition: 3
-          brightness_pct: 100
-          kelvin: 5008
-        target:
-          device_id:
-          - e25128ac8fcf62af66a039cde3104760
-          - ddcfd5ea4fc5f5a88e18325b01c615db
-    - conditions:
-      - condition: trigger
-        id:
-        - empty
-      sequence:
-      - action: light.turn_off
-        metadata: {}
-        data:
-          transition: 3
-        target:
-          device_id:
-          - e25128ac8fcf62af66a039cde3104760
-          - ddcfd5ea4fc5f5a88e18325b01c615db
-  mode: single
-- id: '1729881464325'
-  alias: Bedroom Closet
-  description: ''
-  triggers:
-  - type: present
-    device_id: 28e7f211c72409fe244183219abf6ffa
-    entity_id: aa474f323868586cef62070654f36936
-    domain: binary_sensor
-    trigger: device
-    id: Present
-  - type: not_present
-    device_id: 28e7f211c72409fe244183219abf6ffa
-    entity_id: aa474f323868586cef62070654f36936
-    domain: binary_sensor
-    trigger: device
-    id: empty
-  conditions: []
-  actions:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - Present
-      sequence:
-      - type: turn_on
-        device_id: f5936d6143b7927433e9c0430c79acab
-        entity_id: f6ec42c9db2c191866a335a346b1ec44
-        domain: switch
-    - conditions:
-      - condition: trigger
-        id:
-        - empty
-      sequence:
-      - type: turn_off
-        device_id: f5936d6143b7927433e9c0430c79acab
-        entity_id: f6ec42c9db2c191866a335a346b1ec44
-        domain: switch
-  mode: single
-- id: '1740179328446'
-  alias: Living Room Lights
-  description: ''
-  triggers:
-  - domain: mqtt
-    device_id: f7482a462dc7cc05b4ceaa0d882dc469
-    type: action
-    subtype: off_press
-    trigger: device
-    id: 'off'
-  - domain: mqtt
-    device_id: f7482a462dc7cc05b4ceaa0d882dc469
-    type: action
-    subtype: on_press
-    trigger: device
-    id: 'on'
-  - domain: mqtt
-    device_id: f7482a462dc7cc05b4ceaa0d882dc469
-    type: action
-    subtype: up_press
-    trigger: device
-    id: up
-  - domain: mqtt
-    device_id: f7482a462dc7cc05b4ceaa0d882dc469
-    type: action
-    subtype: down_press
-    trigger: device
-    id: down
-  - domain: mqtt
-    device_id: f7482a462dc7cc05b4ceaa0d882dc469
-    type: action
-    subtype: on_hold
-    trigger: device
-    id: hold on
-  conditions: []
-  actions:
-  - choose:
-    - conditions:
-      - condition: trigger
-        id:
-        - 'on'
-      sequence:
-      - data:
-          brightness_pct: 100
-          color_temp_kelvin: 5000
-          transition: 1
-        action: light.turn_on
-        target:
-          entity_id: light.livingroom_lights
-    - conditions:
-      - condition: trigger
-        id:
-        - 'off'
-      sequence:
-      - data:
-          transition: 1
-        action: light.turn_off
-        target:
-          entity_id: light.livingroom_lights
-    - conditions:
-      - condition: trigger
-        id:
-        - up
-      sequence:
-      - device_id: 8bc2033b03d5a474ca3204c5ca53e308
-        domain: light
-        entity_id: 4a3cc9043ff985e9271683e1916bd9e1
-        type: brightness_increase
-      - device_id: 8f4f51aed9b3b4284f520af25358efd9
-        domain: light
-        entity_id: f45e74498c4b6bae65aaf5adf67e29d6
-        type: brightness_increase
-    - conditions:
-      - condition: trigger
-        id:
-        - down
-      sequence:
-      - device_id: 8bc2033b03d5a474ca3204c5ca53e308
-        domain: light
-        entity_id: 4a3cc9043ff985e9271683e1916bd9e1
-        type: brightness_decrease
-      - device_id: 8bc2033b03d5a474ca3204c5ca53e308
-        domain: light
-        entity_id: 4a3cc9043ff985e9271683e1916bd9e1
-        type: brightness_decrease
-    - conditions:
-      - condition: trigger
-        id:
-        - hold on
-      sequence:
-      - metadata: {}
-        data:
-          rgb_color:
-          - 255
-          - 0
-          - 0
-          brightness_pct: 100
-        action: light.turn_on
-        target:
-          entity_id: light.livingroom_lights
-  mode: single

hosts/homeassistant/boot.nix

@@ -1,40 +0,0 @@
-{ lib, pkgs, ... }:
-let
-  kernel = pkgs.linuxPackages_latest;
-in
-{
-  # Configure bootloader with lanzaboot and secureboot
-  boot = {
-    kernelModules = [ "nct6775" ];
-    loader = {
-      systemd-boot.enable = true;
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
-    };
-
-    initrd = {
-      verbose = false;
-      systemd.enable = true;
-    };
-
-    plymouth = {
-      enable = true;
-    };
-
-    kernelPackages = kernel;
-
-    kernelParams = [
-      "quiet"
-      "splash"
-    ];
-
-    consoleLogLevel = 3;
-    bootspec.enable = true;
-  };
-
-  environment.systemPackages = with pkgs; [ 
-    edk2-uefi-shell
-   ];
-}

hosts/homeassistant/configuration.nix

@@ -1,141 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{ config, lib, pkgs, ... }:
-
-let
-  user = "hass-admin";
-  password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
-  SSID = "Joey's Jungle 5G";
-  SSIDpassword = "kR8v&3Qd"; # config.sops.templates."wifi-password".content;
-  interface = "wlp0s20f3";
-  timezone = "America/Chicago";
-  hostname = "jallen-hass";
-in
-{
-  imports = [
-    # Include the results of the hardware scan.
-    ./boot.nix
-    ./hardware-configuration.nix
-    ./impermanence.nix
-    ./homeassistant.nix
-    ../default.nix
-  ];
-
-  # Enable nix flakes and nix-command tools
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-
-  nix.settings.trusted-users = [ "@wheel" ];
-
-  # Set your time zone.
-  time.timeZone = timezone;
-
-  networking = {
-    networkmanager = {
-      enable = true;
-      
-      # Configure the static connection for eno1
-#      ensureProfiles = {
-#        profiles = {
-#          joeys-jungle = {
-#            connection = {
-#              id = "joeys-jungle";
-#              permissions = "";
-#              type = "wifi";
-#            };
-#            ipv4 = {
-#              dns-search = "";
-#              method = "auto";
-#            };
-#            ipv6 = {
-#              addr-gen-mode = "stable-privacy";
-#              dns-search = "";
-#               method = "auto";
-#            };
-#            wifi = {
-#              mac-address-blacklist = "";
-#              mode = "infrastructure";
-##              ssid = SSID;
-#            };
-#            wifi-security = {
-#              auth-alg = "open";
-#              key-mgmt = "wpa-psk";
-#              psk = SSIDpassword;
-#            };
-#          };
-#          "static-eno1" = {
-#            connection = {
-#              id = "static-eno1";
-#              type = "ethernet";
-#              interface-name = "eno1";
-#            };
-#            ipv4 = {
-#              method = "manual";
-#              addresses = "10.0.1.19/24";
-#              gateway = "10.0.1.1";
-#              dns = "10.0.1.1";
-#            };
-#          };
-#        };
-#      };
-    };
-    hostName = hostname;
-    wireless = {
-      enable = false;
-      networks."${SSID}".psk = SSIDpassword;
-      interfaces = [ interface ];
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    vim
-    htop
-    git
-    protonmail-bridge
-    pass
-    gnome-keyring
-    openssl
-  ];
-
-  services.xserver.desktopManager.surf-display = {
-    enable = true;
-    defaultWwwUri = "http://jallen-hass:8123"; # todo: external maybe for reasons???
-  };
-
-  services.openssh.enable = true;
-  services.protonmail-bridge = {
-    enable = true;
-    path = with pkgs; [ pass gnome-keyring ];
-  };
-  
-  # Enable Avahi for .local hostname resolution
-  services.avahi = {
-    enable = true;
-    nssmdns4 = true;  # For modern systems, use nssmdns4 instead of nssmdns
-    publish = {
-      enable = true;
-      addresses = true;
-      domain = true;
-      workstation = true;
-    };
-  };
-
-  users = {
-    mutableUsers = false;
-    users."${user}" = {
-      isNormalUser = lib.mkForce true;
-      initialHashedPassword = password;
-      extraGroups = [
-        "wheel"
-        "docker"
-        "network-manager"
-        "hass"
-      ];
-      shell = pkgs.zsh;
-    };
-  };
-}

hosts/homeassistant/hardware-configuration.nix

@@ -1,70 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "none";
-      fsType = "tmpfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/AB0D-A6A2";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/a6ef033d-c305-42d9-88b2-5591008b2a11";
-      fsType = "btrfs";
-      options = [ "subvol=nix" ];
-    };
-
-  fileSystems."/etc" =
-    { device = "/dev/disk/by-uuid/a6ef033d-c305-42d9-88b2-5591008b2a11";
-      fsType = "btrfs";
-      options = [ "subvol=etc" ];
-    };
-
-  fileSystems."/var/log" =
-    { device = "/dev/disk/by-uuid/a6ef033d-c305-42d9-88b2-5591008b2a11";
-      fsType = "btrfs";
-      options = [ "subvol=log" ];
-    };
-
-  fileSystems."/root" =
-    { device = "/dev/disk/by-uuid/a6ef033d-c305-42d9-88b2-5591008b2a11";
-      fsType = "btrfs";
-      options = [ "subvol=root" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/a6ef033d-c305-42d9-88b2-5591008b2a11";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/d631d42b-b70a-4579-bfb4-57412ae7c682"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/homeassistant/home.nix

@@ -1,64 +0,0 @@
-{ lib, pkgs, ... }:
-let
-  shellAliases = {
-    ll = "ls -alh";
-    update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
-    update-switch = "sudo nixos-rebuild switch --max-jobs 10 --build-host admin@10.0.1.3";
-    update-flake = "sudo nix flake update ~/nix-config";
-    update-nas = "nixos-rebuild switch --use-remote-sudo --target-host admin@10.0.1.3 --build-host admin@10.0.1.3 --flake ~/nix-config#jallen-nas";
-    nas-ssh = "kitten ssh admin@10.0.1.3";
-    ducks = "du -cksh * | sort -hr | head -n 15";
-  };
-
-  gitAliases = {
-    co = "checkout";
-    ci = "commit";
-    cia = "commit --amend";
-    s = "status";
-    st = "status";
-    b = "branch";
-    p = "pull --rebase";
-    pu = "push";
-  };
-in
-{
-
-  home.username = "hass-admin";
-  home.homeDirectory = "/home/hass-admin";
-  home.stateVersion = "23.11";
-  programs.home-manager.enable = true;
-
-  programs = {
-    fish.enable = false;
-    mangohud.enable = true;
-    java.enable = true;
-
-    zsh = {
-      enable = true;
-      enableCompletion = true;
-      autosuggestion.enable = true;
-      syntaxHighlighting.enable = true;
-
-      shellAliases = shellAliases;
-
-      oh-my-zsh = {
-        enable = true;
-        plugins = [ "git" ];
-        theme = "fishy";
-      };
-    };
-  };
-
-  programs.git = {
-    enable = true;
-    userName = "mjallen18";
-    userEmail = "matt.l.jallen@gmail.com";
-    aliases = gitAliases;
-  };
-
-  home.packages = with pkgs; [
-    age
-    fastfetch
-    firefox
-  ];
-}

hosts/homeassistant/homeassistant.nix

@@ -1,453 +0,0 @@
-{ config, pkgs, ... }:
-let
-  mosquittoPort = 1883;
-  zigbee2mqttPort = 8080;
-  # "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
-  ha-bambulab = pkgs.stdenv.mkDerivation {
-    pname = "ha-bambulab";
-    version = "v2.1.5";  # Update with correct version
-    
-    src = pkgs.fetchFromGitHub {
-      owner = "greghesp";  # Update with correct owner
-      repo = "ha-bambulab";  # Update with correct repo name
-      rev = "v2.1.5";  # Or specific tag/commit 
-      sha256 = "sha256-iVcNFdkzdMVjbQuzrTLib8fhirnc+OJdPzM60EnyVe0=";  # Replace with actual hash
-    };
-    
-    installPhase = ''
-      mkdir -p $out/custom_components
-      cp -r custom_components/bambu_lab $out/custom_components/
-    '';
-  };
-  ha-gehome = pkgs.stdenv.mkDerivation {
-    pname = "ha-gehome";
-    version = "v2025.2.1";  # Update with correct version
-    
-    src = pkgs.fetchFromGitHub {
-      owner = "simbaja";  # Update with correct owner
-      repo = "ha_gehome";  # Update with correct repo name
-      rev = "v2025.2.1";  # Or specific tag/commit 
-      sha256 = "sha256-nb+KrJoWqvhqH6E7A22xXwQzTYp7yn+hl9WRDXn95Cc=";  # Replace with actual hash
-    };
-    
-    installPhase = ''
-      mkdir -p $out/custom_components
-      cp -r custom_components/ge_home $out/custom_components/
-    '';
-  };
-  ha-mail-and-packages = pkgs.stdenv.mkDerivation {
-    pname = "Home-Assistant-Mail-And-Packages";
-    version = "0.4.2";  # Update with correct version
-    
-    src = pkgs.fetchFromGitHub {
-      owner = "moralmunky";  # Update with correct owner
-      repo = "Home-Assistant-Mail-And-Packages";  # Update with correct repo name
-      rev = "0.4.2";  # Or specific tag/commit 
-      sha256 = "sha256-5LBTlRlkSUx8DOY+F7UvUs4dzjZKdBdgnDUdK6DBdew=";  # Replace with actual hash
-    };
-    
-    installPhase = ''
-      mkdir -p $out/custom_components
-      cp -r custom_components/mail_and_packages $out/custom_components/
-    '';
-  };
-  ha-overseerr = pkgs.stdenv.mkDerivation {
-    pname = "ha-overseerr";
-    version = "0.1.42";  # Update with correct version
-    
-    src = pkgs.fetchFromGitHub {
-      owner = "vaparr";  # Update with correct owner
-      repo = "ha-overseerr";  # Update with correct repo name
-      rev = "0.1.42";  # Or specific tag/commit 
-      sha256 = "sha256-UvUowCgfay9aRV+iC/AQ9vvJzhGZbH+/1kVjxPFBKcI=";  # Replace with actual hash
-    };
-    
-    installPhase = ''
-      mkdir -p $out/custom_components
-      cp -r custom_components/overseerr $out/custom_components/
-    '';
-  };
-  ha-petlibro = pkgs.stdenv.mkDerivation {
-    pname = "ha-petlibro";
-    version = "v1.0.21.1";  # Update with correct version
-    
-    src = pkgs.fetchzip {
-      url = "https://github.com/jjjonesjr33/petlibro/archive/refs/tags/v1.0.21.1.zip";
-      sha256 = "sha256-3EckyAgWxlZeqy9g13yP2nKCcjnyVIp8EdiE/A1pNu4=";  # Replace with actual hash
-    };
-    
-    installPhase = ''
-      mkdir -p $out/custom_components
-      cp -r custom_components/petlibro $out/custom_components/
-    '';
-  };
-  ha-wyzeapi = pkgs.stdenv.mkDerivation {
-    pname = "ha-wyzeapi";
-    version = "0.1.32";  # Update with correct version
-    
-    src = pkgs.fetchzip {
-      url = "https://github.com/SecKatie/ha-wyzeapi/archive/refs/tags/0.1.32.zip";
-      sha256 = "sha256-3xUynZBEHuO2hKLYCb2sBpJAe0JF/8uKqR304Y7JQmE=";  # Replace with actual hash
-    };
-    
-    installPhase = ''
-      mkdir -p $out/custom_components
-      cp -r custom_components/wyzeapi $out/custom_components/
-    '';
-  };
-  
-  # In configuration.nix or a separate file
-  pythonSteam = pkgs.python3.withPackages (ps: [
-    (ps.buildPythonPackage rec {
-      pname = "steam";
-      version = "1.4.4";  # Check for the latest version
-      src = pkgs.fetchPypi {
-        inherit pname version;
-        sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; # Get the correct hash
-      };
-      doCheck = false;
-      propagatedBuildInputs = [ ps.requests ps.protobuf ];
-    })
-  ]);
-in
-{
-
-  services.home-assistant = {
-    enable = true;
-    openFirewall = true;
-    configWritable = true; # todo
-    extraComponents = [
-      # Components required to complete the onboarding
-      "analytics"
-      "google_translate"
-      "met"
-      "radio_browser"
-      "shopping_list"
-      # Recommended for fast zlib compression
-      # https://www.home-assistant.io/integrations/isal
-      "isal"
-      "subaru"
-      "vesync"
-      "mqtt" # Enables MQTT integration in HA
-      "ffmpeg" # Enables camera streams
-      "zha" # Enables Zigbee integration
-      "homekit"
-      "music_assistant"
-    ];
-    customComponents = with pkgs.home-assistant-custom-components; [
-      auth-header
-    ];
-    customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [
-      atomic-calendar-revive
-      bubble-card
-      button-card
-      hourly-weather
-      mini-graph-card
-      mini-media-player
-      multiple-entity-row
-      mushroom
-      vacuum-card
-      weather-chart-card
-      zigbee2mqtt-networkmap
-    ];
-    # use postgresql instead of sqlite
-    extraPackages = ps: with ps; [
-      # Core functionality
-      aiohttp
-      aiodns
-      paho-mqtt
-      pillow
-      pytz
-      pyyaml
-      sqlalchemy
-      
-      # Discovery & networking
-      zeroconf
-      netdisco
-      ifaddr
-      ssdp
-      
-      # Device protocols
-      pyserial                # Serial communications
-      bluepy                  # Bluetooth LE
-      
-      # Smart home ecosystems
-      mutagen                 # Media file metadata
-      pysonos                 # Sonos
-      pywemo                  # Belkin WeMo
-      python-miio             # Xiaomi devices
-      python-kasa             # TP-Link
-      
-      # Sensors & monitoring
-      meteocalc               # Weather calculations
-      speedtest-cli           # Internet speed
-      
-      # Visualization & UI
-      matplotlib              # Graphing
-      
-      # Security
-      bcrypt
-      cryptography
-      pyjwt
-      
-      # Media
-      ha-ffmpeg               # Camera streams
-      
-      # Specialized integrations
-      python-matter-server    # Matter protocol
-      
-      # System integrations
-      psutil                  # System monitoring
-      
-      psycopg2
-      numpy
-      hassil 
-      pyturbojpeg
-      paho-mqtt
-      pychromecast
-      pyatv 
-      python-otbr-api 
-      brother
-      pyipp
-      govee-ble
-      adguardhome
-      nextcord
-      aiogithubapi
-      jellyfin-apiclient-python
-      pylitterbot
-      dateparser
-      aionut
-      nextcloudmonitor
-      ollama
-      pynecil
-      aiopyarr
-      pysabnzbd
-      getmac
-      zigpy
-      bellows         # For Zigbee EmberZNet-based adapters
-      zigpy-xbee      # For XBee adapters
-      zigpy-deconz    # For ConBee/RaspBee adapters
-      pyicloud        # iCloud
-      pyatv           # Apple TV
-      opencv-python
-      face-recognition
-      ibeacon-ble
-      gehomesdk
-      onedrive-personal-sdk
-      python-roborock
-      pythonSteam
-      apple-weatherkit
-    ];
-    
-    config = {
-      # Includes dependencies for a basic setup
-      # https://www.home-assistant.io/integrations/default_config/
-      default_config = {};
-
-      cloud = false;
-      
-      frontend = {
-        themes = "!include_dir_merge_named themes";
-      };
-
-      "automation ui" = "!include /etc/nixos/hosts/homeassistant/automations.yaml";
-      "scene ui" = "!include /etc/nixos/hosts/homeassistant/scenes.yaml";
-      "script ui" = "!include /etc/nixos/hosts/homeassistant/scripts.yaml";
-
-      http = {
-        use_x_forwarded_for = true;
-        trusted_proxies = [
-          "172.30.33.0/24"
-          "10.0.1.3"
-          "10.0.1.0/24"
-        ];
-      };
-
-      recorder = {
-        db_url = "postgresql://@/hass";
-        purge_keep_days = 180;
-      };
-
-      auth_header = {
-        debug = false;
-        username_header = "X-authentik-username";
-      };
-
-      # https://www.home-assistant.io/integrations/ota_updater/
-      zha.zigpy_config.ota.z2m_remote_index = "https://raw.githubusercontent.com/Koenkk/zigbee-OTA/master/index.json";
-    };
-  };
-
-  # https://www.home-assistant.io/integrations/automation/
-  # systemd.tmpfiles.rules = [
-  #   "f ${config.services.home-assistant.configDir}/automations.yaml 0755 hass hass"
-  # ];
-
-  # This bypasses the component validation and places it directly in HA's data directory
-  system.activationScripts.installCustomComponents = ''
-    mkdir -p ${config.services.home-assistant.configDir}/custom_components
-    cp -r ${ha-bambulab}/custom_components/bambu_lab ${config.services.home-assistant.configDir}/custom_components/
-    cp -r ${ha-gehome}/custom_components/ge_home ${config.services.home-assistant.configDir}/custom_components/
-    cp -r ${ha-mail-and-packages}/custom_components/mail_and_packages ${config.services.home-assistant.configDir}/custom_components/
-    cp -r ${ha-overseerr}/custom_components/overseerr ${config.services.home-assistant.configDir}/custom_components/
-    cp -r ${ha-petlibro}/custom_components/petlibro ${config.services.home-assistant.configDir}/custom_components/
-    cp -r ${ha-wyzeapi}/custom_components/wyzeapi ${config.services.home-assistant.configDir}/custom_components/
-
-    ln -sf /etc/nixos/hosts/homeassistant/automations.yaml ${config.services.home-assistant.configDir}/automations.yaml
-    ln -sf /etc/nixos/hosts/homeassistant/scenes.yaml ${config.services.home-assistant.configDir}/scenes.yaml
-    ln -sf /etc/nixos/hosts/homeassistant/scripts.yaml ${config.services.home-assistant.configDir}/scripts.yaml
-
-
-    chown -R hass:hass ${config.services.home-assistant.configDir}
-    chmod -R 750 ${config.services.home-assistant.configDir}
-  '';
-
-  services = {
-    postgresql = {
-      enable = true;
-      ensureDatabases = [ "hass" ];
-      ensureUsers = [{
-        name = "hass";
-        ensureDBOwnership = true;
-      }];
-    };
-
-    # Enable and configure Mosquitto MQTT broker
-    mosquitto = {
-      enable = true;
-      listeners = [
-        {
-          acl = [ "pattern readwrite #" ];
-          omitPasswordAuth = true;
-          settings.allow_anonymous = true;
-        }
-      ];
-    };
-
-    zigbee2mqtt = {
-      enable = true;
-      settings = {
-        homeassistant = {
-          enabled = config.services.home-assistant.enable;
-          # Optional: Home Assistant discovery topic (default: shown below)
-          # Note: should be different from [MQTT base topic](../mqtt.md) to prevent errors in HA software
-          discovery_topic = "homeassistant";
-          # Optional: Home Assistant status topic (default: shown below)
-          status_topic = "homeassistant/status";
-          # Optional: Experimental support for Home Assistant event entities, may break in the future (default: shown below) when enabled:
-          # - An `event` entity will be discovered for each 'action'.
-          # - The `event_type` attribute will contain the action itself, additional attributes like `button` will have further information.
-          experimental_event_entities = false;
-          # Optional: Home Assistant legacy action sensor (default: `false`), when enabled:
-          # - Zigbee2MQTT will send an empty 'action' after one has been send
-          # - A 'sensor_action' will be discovered
-          legacy_action_sensor = false;
-        };
-
-        permit_join = true;
-        # Web interface
-        frontend = {
-          port = zigbee2mqttPort;  # Choose an available port
-        };
-        # MQTT configuration
-        mqtt = {
-          base_topic = "zigbee2mqtt";
-          server = "mqtt://localhost:1883";
-          # If using authentication:
-          # user = "mqttuser";
-          # password = "your-password";
-        };
-        serial = {
-          port = "/dev/ttyUSB0";
-        };
-      };
-    };
-
-    music-assistant = {
-      enable = true;
-      providers = [
-        # "airplay" # music-assistant: airplay support is missing libraop, a library we will not package because it depends on OpenSSL 1.1.
-        "apple_music"
-        "bluesound"
-        "builtin"
-        "chromecast"
-        "deezer"
-        "dlna"
-        "fanarttv"
-        "filesystem_local"
-        "filesystem_smb"
-        "fully_kiosk"
-        "hass"
-        "hass_players"
-        "jellyfin"
-        "musicbrainz"
-        "opensubsonic"
-        "player_group"
-        "plex"
-        "qobuz"
-        "radiobrowser"
-        "siriusxm"
-        "snapcast"
-        "sonos"
-        "sonos_s1"
-        "soundcloud"
-        "spotify"
-        "template_player_provider"
-        "test"
-        "theaudiodb"
-        "tidal"
-        "tunein"
-        "ytmusic"
-      ];
-    };
-
-    # Enable AirPlay
-    pipewire = {
-      # opens UDP ports 6001-6002
-      raopOpenFirewall = true;
-
-      extraConfig.pipewire = {
-        "10-airplay" = {
-          "context.modules" = [
-            {
-              name = "libpipewire-module-raop-discover";
-
-              # increase the buffer size if you get dropouts/glitches
-              # args = {
-              #   "raop.latency.ms" = 500;
-              # };
-            }
-          ];
-        };
-      };
-    };
-  };
-
-  # Enable required hardware support for the Zigbee adapter
-  hardware.bluetooth.enable = true;  # Some adapters use Bluetooth
-  
-  # Ensure proper permissions for Zigbee USB devices
-  # services.udev.extraRules = ''
-  #   # For CC2531, CC2530, CC1352P-2, CC2538 and similar adapters
-  #   SUBSYSTEM=="tty", ATTRS{idVendor}=="0451", ATTRS{idProduct}=="16a8", SYMLINK+="zigbee", MODE="0666"
-  #   SUBSYSTEM=="tty", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="7523", SYMLINK+="zigbee", MODE="0666"
-    
-  #   # For ConBee/RaspBee by Dresden Elektronik
-  #   SUBSYSTEM=="tty", ATTRS{idVendor}=="1cf1", ATTRS{idProduct}=="0030", SYMLINK+="zigbee", MODE="0666"
-    
-  #   # For Electrolama zig-a-zig-ah (zzh!)
-  #   SUBSYSTEM=="tty", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="7523", SYMLINK+="zigbee", MODE="0666"
-  # '';
-
-  environment.systemPackages = with pkgs; [
-    mosquitto  # MQTT command-line tools
-    usbutils   # For lsusb to help identify your adapter
-  ];
-
-  networking.firewall.allowedTCPPorts = [
-    mosquittoPort
-    zigbee2mqttPort
-    8095
-    8097
-  ];
-}

hosts/homeassistant/impermanence.nix

@@ -1,57 +0,0 @@
-{ ... }:
-{
-  # Set up impernance configuration for things like bluetooth
-  # In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
-
-  environment.persistence."/nix/persist/system" = {
-    hideMounts = true;
-    directories = [
-      "/var/lib/bluetooth"
-      "/var/lib/nixos"
-      "/var/lib/tailscale"
-      "/var/lib/systemd/coredump"
-      "/var/lib/zigbee2mqtt"
-      "/var/lib/postgresql"
-#      "/var/lib/music-assistant"
-      "/etc/NetworkManager/system-connections"
-      "/etc/secureboot"
-      {
-        directory = "/var/lib/private/authentik/media";
-        user = "authentik";
-        group = "authentik";
-        mode = "u=rwx,g=,o=";
-      }
-      {
-        directory = "/var/lib/hass";
-        user = "hass";
-        group = "hass";
-        mode = "u=rwx,g=,o=";
-      }
-      {
-        directory = "/var/lib/private";
-        mode = "u=rwx,g=rx,o=";
-      }
-      {
-        directory = "/var/lib/colord";
-        user = "colord";
-        group = "colord";
-        mode = "u=rwx,g=rx,o=";
-      }
-      {
-        directory = "/etc/nix";
-        user = "root";
-        group = "wheel";
-        mode = "u=rwx,g=rx,o=rx";
-      }
-    ];
-    files = [
-      "/var/cache-priv-key.pem"
-      "/etc/machine-id"
-    ];
-  };
-
-  security.sudo.extraConfig = ''
-    # rollback results in sudo lectures after each reboot
-    Defaults lecture = never
-  '';
-}

hosts/mac-nixos/apple-silicon-support/default.nix

@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./modules/default.nix
-  ];
-}

hosts/mac-nixos/apple-silicon-support/modules/boot-m1n1/default.nix

@@ -1,55 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  pkgs' = config.hardware.asahi.pkgs;
-
-  bootM1n1 = pkgs'.m1n1.override {
-    isRelease = true;
-    withTools = false;
-    customLogo = config.boot.m1n1CustomLogo;
-  };
-
-  bootUBoot = pkgs'.uboot-asahi.override {
-    m1n1 = bootM1n1;
-  };
-
-  bootFiles = {
-    "m1n1/boot.bin" = pkgs.runCommand "boot.bin" {} ''
-      cat ${bootM1n1}/build/m1n1.bin > $out
-      cat ${config.boot.kernelPackages.kernel}/dtbs/apple/*.dtb >> $out
-      cat ${bootUBoot}/u-boot-nodtb.bin.gz >> $out
-      if [ -n "${config.boot.m1n1ExtraOptions}" ]; then
-        echo '${config.boot.m1n1ExtraOptions}' >> $out
-      fi
-    '';
-  };
-in {
-  config = lib.mkIf config.hardware.asahi.enable {
-    # install m1n1 with the boot loader
-    boot.loader.grub.extraFiles = bootFiles;
-    boot.loader.systemd-boot.extraFiles = bootFiles;
-
-    # ensure the installer has m1n1 in the image
-    system.extraDependencies = lib.mkForce [ bootM1n1 bootUBoot ];
-    system.build.m1n1 = bootFiles."m1n1/boot.bin";
-  };
-
-  options.boot = {
-    m1n1ExtraOptions = lib.mkOption {
-      type = lib.types.str;
-      default = "";
-      description = ''
-        Append extra options to the m1n1 boot binary. Might be useful for fixing
-        display problems on Mac minis.
-        https://github.com/AsahiLinux/m1n1/issues/159
-      '';
-    };
-
-    m1n1CustomLogo = lib.mkOption {
-      type = lib.types.nullOr lib.types.path;
-      default = null;
-      description = ''
-        Custom logo to build into m1n1. The path must point to a 256x256 PNG.
-      '';
-    };
-  };
-}

hosts/mac-nixos/apple-silicon-support/modules/default.nix

@@ -1,92 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  imports = [
-    ./kernel
-    ./mesa
-    ./peripheral-firmware
-    ./boot-m1n1
-    ./sound
-  ];
-
-  config = let
-      cfg = config.hardware.asahi;
-    in lib.mkIf cfg.enable {
-      nixpkgs.overlays = lib.mkBefore [ cfg.overlay ];
-
-      # patch systemd-boot to boot in Apple Silicon UEFI environment.
-      # This regression only appeared in systemd 256.7.
-      # see https://github.com/NixOS/nixpkgs/pull/355290
-      # and https://github.com/systemd/systemd/issues/35026
-      systemd.package = let
-        systemdBroken = (pkgs.systemd.version == "256.7");
-
-        systemdPatched = pkgs.systemd.overrideAttrs (old: {
-          patches = let
-            oldPatches = (old.patches or []);
-            # not sure why there are non-paths in there but oh well
-            patchNames = (builtins.map (p: if ((builtins.typeOf p) == "path") then builtins.baseNameOf p else "") oldPatches);
-            fixName = "0019-Revert-boot-Make-initrd_prepare-semantically-equival.patch";
-            alreadyPatched = builtins.elem fixName patchNames;
-          in oldPatches ++ lib.optionals (!alreadyPatched) [
-            (pkgs.fetchpatch {
-              url = "https://raw.githubusercontent.com/NixOS/nixpkgs/125e99477b0ac0a54b7cddc6c5a704821a3074c7/pkgs/os-specific/linux/systemd/${fixName}";
-              hash = "sha256-UW3DZiaykQUUNcGA5UFxN+/wgNSW3ufxDDCZ7emD16o=";
-            })
-          ];
-        });
-      in if systemdBroken then systemdPatched else pkgs.systemd;
-
-      hardware.asahi.pkgs =
-        if cfg.pkgsSystem != "aarch64-linux"
-        then
-          import (pkgs.path) {
-            crossSystem.system = "aarch64-linux";
-            localSystem.system = cfg.pkgsSystem;
-            overlays = [ cfg.overlay ];
-          }
-        else pkgs;
-    };
-
-  options.hardware.asahi = {
-    enable = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = ''
-        Enable the basic Asahi Linux components, such as kernel and boot setup.
-      '';
-    };
-
-    pkgsSystem = lib.mkOption {
-      type = lib.types.str;
-      default = "aarch64-linux";
-      description = ''
-        System architecture that should be used to build the major Asahi
-        packages, if not the default aarch64-linux. This allows installing from
-        a cross-built ISO without rebuilding them during installation.
-      '';
-    };
-
-    pkgs = lib.mkOption {
-      type = lib.types.raw;
-      description = ''
-        Package set used to build the major Asahi packages. Defaults to the
-        ambient set if not cross-built, otherwise re-imports the ambient set
-        with the system defined by `hardware.asahi.pkgsSystem`.
-      '';
-    };
-
-    overlay = lib.mkOption {
-      type = lib.mkOptionType {
-        name = "nixpkgs-overlay";
-        description = "nixpkgs overlay";
-        check = lib.isFunction;
-        merge = lib.mergeOneOption;
-      };
-      default = import ../packages/overlay.nix;
-      defaultText = "overlay provided with the module";
-      description = ''
-        The nixpkgs overlay for asahi packages.
-      '';
-    };
-  };
-}

hosts/mac-nixos/apple-silicon-support/modules/kernel/default.nix

@@ -1,106 +0,0 @@
-# the Asahi Linux kernel and options that must go along with it
-
-{ config, pkgs, lib, ... }:
-{
-  config = lib.mkIf config.hardware.asahi.enable {
-    boot.kernelPackages = let
-      pkgs' = config.hardware.asahi.pkgs;
-    in
-      pkgs'.linux-asahi.override {
-        _kernelPatches = config.boot.kernelPatches;
-        withRust = config.hardware.asahi.withRust;
-      };
-
-    # we definitely want to use CONFIG_ENERGY_MODEL, and
-    # schedutil is a prerequisite for using it
-    # source: https://www.kernel.org/doc/html/latest/scheduler/sched-energy.html
-    powerManagement.cpuFreqGovernor = lib.mkOverride 800 "schedutil";
-
-    boot.initrd.includeDefaultModules = false;
-    boot.initrd.availableKernelModules = [
-      # list of initrd modules stolen from
-      # https://github.com/AsahiLinux/asahi-scripts/blob/f461f080a1d2575ae4b82879b5624360db3cff8c/initcpio/install/asahi
-      "apple-mailbox"
-      "nvme_apple"
-      "pinctrl-apple-gpio"
-      "macsmc"
-      "macsmc-rtkit"
-      "i2c-pasemi-platform"
-      "tps6598x"
-      "apple-dart"
-      "dwc3"
-      "dwc3-of-simple"
-      "xhci-pci"
-      "pcie-apple"
-      "gpio_macsmc"
-      "phy-apple-atc"
-      "nvmem_apple_efuses"
-      "spi-apple"
-      "spi-hid-apple"
-      "spi-hid-apple-of"
-      "rtc-macsmc"
-      "simple-mfd-spmi"
-      "spmi-apple-controller"
-      "nvmem_spmi_mfd"
-      "apple-dockchannel"
-      "dockchannel-hid"
-      "apple-rtkit-helper"
-
-      # additional stuff necessary to boot off USB for the installer
-      # and if the initrd (i.e. stage 1) goes wrong
-      "usb-storage"
-      "xhci-plat-hcd"
-      "usbhid"
-      "hid_generic"
-    ];
-
-    boot.kernelParams = [
-      "earlycon"
-      "console=tty0"
-      "boot.shell_on_fail"
-      # Apple's SSDs are slow (~dozens of ms) at processing flush requests which
-      # slows down programs that make a lot of fsync calls. This parameter sets
-      # a delay in ms before actually flushing so that such requests can be
-      # coalesced. Be warned that increasing this parameter above zero (default
-      # is 1000) has the potential, though admittedly unlikely, risk of
-      # UNBOUNDED data corruption in case of power loss!!!! Don't even think
-      # about it on desktops!!
-      "nvme_apple.flush_interval=0"
-    ];
-
-    # U-Boot does not support EFI variables
-    boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
-
-    # U-Boot does not support switching console mode
-    boot.loader.systemd-boot.consoleMode = "0";
-
-    # GRUB has to be installed as removable if the user chooses to use it
-    boot.loader.grub = lib.mkDefault {
-      efiSupport = true;
-      efiInstallAsRemovable = true;
-      device = "nodev";
-    };
-
-    # autosuspend was enabled as safe for the PCI SD card reader
-    # "Genesys Logic, Inc GL9755 SD Host Controller [17a0:9755] (rev 01)"
-    # by recent systemd versions, but this has a "negative interaction"
-    # with our kernel/SoC and causes random boot hangs. disable it!
-    services.udev.extraHwdb = ''
-      pci:v000017A0d00009755*
-        ID_AUTOSUSPEND=0
-    '';
-  };
-
-  imports = [
-    (lib.mkRemovedOptionModule [ "hardware" "asahi" "addEdgeKernelConfig" ]
-      "All edge kernel config options are now the default.")
-  ];
-
-  options.hardware.asahi.withRust = lib.mkOption {
-    type = lib.types.bool;
-    default = false;
-    description = ''
-      Build the Asahi Linux kernel with Rust support.
-    '';
-  };
-}

hosts/mac-nixos/apple-silicon-support/modules/mesa/default.nix

@@ -1,53 +0,0 @@
-{ options, config, pkgs, lib, ... }:
-{
-  config = let
-    isMode = mode: (config.hardware.asahi.useExperimentalGPUDriver
-        && config.hardware.asahi.experimentalGPUInstallMode == mode);
-  in lib.mkIf config.hardware.asahi.enable (lib.mkMerge [
-    {
-      # required for proper DRM setup even without GPU driver
-      services.xserver.config = ''
-        Section "OutputClass"
-            Identifier "appledrm"
-            MatchDriver "apple"
-            Driver "modesetting"
-            Option "PrimaryGPU" "true"
-        EndSection
-      '';
-    }
-    (lib.mkIf config.hardware.asahi.useExperimentalGPUDriver {
-      # install the Asahi Mesa version
-      hardware.graphics.package = config.hardware.asahi.pkgs.mesa-asahi-edge;
-      # required for in-kernel GPU driver
-      hardware.asahi.withRust = true;
-    })
-  ]);
-
-  options.hardware.asahi.useExperimentalGPUDriver = lib.mkOption {
-    type = lib.types.bool;
-    default = false;
-    description = ''
-      Use the experimental Asahi Mesa GPU driver.
-
-      Do not report issues using this driver under NixOS to the Asahi project.
-    '';
-  };
-
-  # hopefully no longer used, should be deprecated eventually
-  options.hardware.asahi.experimentalGPUInstallMode = lib.mkOption {
-    type = lib.types.enum [ "driver" "replace" "overlay" ];
-    default = "replace";
-    description = ''
-      Mode to use to install the experimental GPU driver into the system.
-
-      driver: install only as a driver, do not replace system Mesa.
-        Causes issues with certain programs like Plasma Wayland.
-
-      replace (default): use replaceRuntimeDependencies to replace system Mesa with Asahi Mesa.
-        Does not work in pure evaluation context (i.e. in flakes by default).
-
-      overlay: overlay system Mesa with Asahi Mesa
-        Requires rebuilding the world.
-    '';
-  };
-}

hosts/mac-nixos/apple-silicon-support/modules/peripheral-firmware/default.nix

@@ -1,69 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  config = lib.mkIf config.hardware.asahi.enable {
-    assertions = lib.mkIf config.hardware.asahi.extractPeripheralFirmware [
-      { assertion = config.hardware.asahi.peripheralFirmwareDirectory != null;
-        message = ''
-          Asahi peripheral firmware extraction is enabled but the firmware
-          location appears incorrect.
-        '';
-      }
-    ];
-
-    hardware.firmware = let
-      pkgs' = config.hardware.asahi.pkgs;
-    in
-      lib.mkIf ((config.hardware.asahi.peripheralFirmwareDirectory != null)
-          && config.hardware.asahi.extractPeripheralFirmware) [
-        (pkgs.stdenv.mkDerivation {
-          name = "asahi-peripheral-firmware";
-
-          nativeBuildInputs = [ pkgs'.asahi-fwextract pkgs.cpio ];
-
-          buildCommand = ''
-            mkdir extracted
-            asahi-fwextract ${config.hardware.asahi.peripheralFirmwareDirectory} extracted
-
-            mkdir -p $out/lib/firmware
-            cat extracted/firmware.cpio | cpio -id --quiet --no-absolute-filenames
-            mv vendorfw/* $out/lib/firmware
-          '';
-        })
-      ];
-  };
-
-  options.hardware.asahi = {
-    extractPeripheralFirmware = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = ''
-        Automatically extract the non-free non-redistributable peripheral
-        firmware necessary for features like Wi-Fi.
-      '';
-    };
-
-    peripheralFirmwareDirectory = lib.mkOption {
-      type = lib.types.nullOr lib.types.path;
-
-      default = lib.findFirst (path: builtins.pathExists (path + "/all_firmware.tar.gz")) null
-        [
-          # path when the system is operating normally
-          /boot/asahi
-          # path when the system is mounted in the installer
-          /mnt/boot/asahi
-        ];
-
-      description = ''
-        Path to the directory containing the non-free non-redistributable
-        peripheral firmware necessary for features like Wi-Fi. Ordinarily, this
-        will automatically point to the appropriate location on the ESP. Flake
-        users and those interested in maximum purity will want to copy those
-        files elsewhere and specify this manually.
-
-        Currently, this consists of the files `all-firmware.tar.gz` and
-        `kernelcache*`. The official Asahi Linux installer places these files
-        in the `asahi` directory of the EFI system partition when creating it.
-      '';
-    };
-  };
-}

hosts/mac-nixos/apple-silicon-support/modules/sound/default.nix

@@ -1,49 +0,0 @@
-{ config, options, pkgs, lib, ... }:
-
-{
-  options.hardware.asahi = {
-    setupAsahiSound = lib.mkOption {
-      type = lib.types.bool;
-      default = config.hardware.asahi.enable;
-      description = ''
-        Set up the Asahi DSP components so that the speakers and headphone jack
-        work properly and safely.
-      '';
-    };
-  };
-
-  config = let
-    cfg = config.hardware.asahi;
-  in lib.mkIf (cfg.setupAsahiSound && cfg.enable) (lib.mkMerge [
-    {
-      # can't be used by Asahi sound infrastructure
-      services.pulseaudio.enable = false;
-      # enable pipewire to run real-time and avoid audible glitches
-      security.rtkit.enable = true;
-      # set up pipewire with the supported capabilities (instead of pulseaudio)
-      # and asahi-audio configs and plugins
-      services.pipewire = {
-        enable = true;
-        alsa.enable = true;
-        pulse.enable = true;
-
-        configPackages = [ pkgs.asahi-audio ];
-
-        wireplumber = {
-          enable = true;
-
-          configPackages = [ pkgs.asahi-audio ];
-        };
-      };
-
-      # set up enivronment so that UCM configs are used as well
-      environment.variables.ALSA_CONFIG_UCM2 = "${pkgs.alsa-ucm-conf-asahi}/share/alsa/ucm2";
-      systemd.user.services.pipewire.environment.ALSA_CONFIG_UCM2 = config.environment.variables.ALSA_CONFIG_UCM2;
-      systemd.user.services.wireplumber.environment.ALSA_CONFIG_UCM2 = config.environment.variables.ALSA_CONFIG_UCM2;
-
-      # enable speakersafetyd to protect speakers
-      systemd.packages = [ pkgs.speakersafetyd ];
-      services.udev.packages = [ pkgs.speakersafetyd ];
-    }
-  ]);
-}

hosts/mac-nixos/apple-silicon-support/packages/alsa-ucm-conf-asahi/default.nix

@@ -1,22 +0,0 @@
-{ lib
-, fetchFromGitHub
-, alsa-ucm-conf
-}:
-
-(alsa-ucm-conf.overrideAttrs (oldAttrs: let
-  versionAsahi = "8";
-
-  srcAsahi = fetchFromGitHub {
-    # tracking: https://src.fedoraproject.org/rpms/alsa-ucm-asahi
-    owner = "AsahiLinux";
-    repo = "alsa-ucm-conf-asahi";
-    rev = "v${versionAsahi}";
-    hash = "sha256-FPrAzscc1ICSCQSqULaGLqG4UCq8GZU9XLV7TUSBBRM=";
-  };
-in {
-  name = "${oldAttrs.pname}-${oldAttrs.version}-asahi-${versionAsahi}";
-
-  postInstall = oldAttrs.postInstall or "" + ''
-    cp -r ${srcAsahi}/ucm2 $out/share/alsa
-  '';
-}))

hosts/mac-nixos/apple-silicon-support/packages/asahi-audio/default.nix

@@ -1,46 +0,0 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, lsp-plugins
-, bankstown-lv2
-, triforce-lv2
-}:
-
-stdenv.mkDerivation rec {
-  pname = "asahi-audio";
-  # tracking: https://src.fedoraproject.org/rpms/asahi-audio
-  version = "3.3";
-
-  src = fetchFromGitHub {
-    owner = "AsahiLinux";
-    repo = "asahi-audio";
-    rev = "v${version}";
-    hash = "sha256-p0M1pPxov+wSLT2F4G6y5NZpCXzbjZkzle+75zQ4xxU=";
-  };
-
-  preBuild = ''
-    export PREFIX=$out
-
-    readarray -t configs < <(\
-          find . \
-                -name '*.conf' -or \
-                -name '*.json' -or \
-                -name '*.lua'
-    )
-
-    substituteInPlace "''${configs[@]}" --replace \
-          "/usr/share/asahi-audio" \
-          "$out/asahi-audio"
-  '';
-
-  postInstall = ''
-    # no need to link the asahi-audio dir globally
-    mv $out/share/asahi-audio $out
-  '';
-
-  passthru.requiredLv2Packages = [
-    lsp-plugins
-    bankstown-lv2
-    triforce-lv2
-  ];
-}

hosts/mac-nixos/apple-silicon-support/packages/asahi-fwextract/default.nix

@@ -1,32 +0,0 @@
-{ lib
-, python3
-, fetchFromGitHub
-, gzip
-, gnutar
-, lzfse
-}:
-
-python3.pkgs.buildPythonApplication rec {
-  pname = "asahi-fwextract";
-  version = "0.7.8";
-
-  # tracking version: https://packages.fedoraproject.org/pkgs/asahi-installer/python3-asahi_firmware/
-  src = fetchFromGitHub {
-    owner = "AsahiLinux";
-    repo = "asahi-installer";
-    rev = "v${version}";
-    hash = "sha256-UmgHWKIRbcg9PK44YPPM4tyuEDC0+ANKO3Mzc4N9RHo=";
-  };
-
-  postPatch = ''
-    substituteInPlace asahi_firmware/img4.py \
-      --replace 'liblzfse.so' '${lzfse}/lib/liblzfse.so'
-    substituteInPlace asahi_firmware/update.py \
-      --replace '"tar"' '"${gnutar}/bin/tar"' \
-      --replace '"xf"' '"-x", "-I", "${gzip}/bin/gzip", "-f"'
-  '';
-
-  nativeBuildInputs = [ python3.pkgs.setuptools ];
-
-  doCheck = false;
-}

hosts/mac-nixos/apple-silicon-support/packages/linux-asahi/default.nix

@@ -1,104 +0,0 @@
-{ lib
-, callPackage
-, writeText
-, linuxPackagesFor
-, withRust ? true
-, _kernelPatches ? [ ]
-}:
-
-let
-  i = builtins.elemAt;
-
-  # parse <OPT> [ymn]|foo style configuration as found in a patch's extraConfig
-  # into a list of k, v tuples
-  parseExtraConfig = config:
-    let
-      lines =
-        builtins.filter (s: s != "") (lib.strings.splitString "\n" config);
-      parseLine = line: let
-        t = lib.strings.splitString " " line;
-        join = l: builtins.foldl' (a: b: "${a} ${b}")
-          (builtins.head l) (builtins.tail l);
-        v = if (builtins.length t) > 2 then join (builtins.tail t) else (i t 1);
-      in [ "CONFIG_${i t 0}" v ];
-    in map parseLine lines;
-
-  # parse <OPT>=lib.kernel.(yes|module|no)|lib.kernel.freeform "foo"
-  # style configuration as found in a patch's extraStructuredConfig into
-  # a list of k, v tuples
-  parseExtraStructuredConfig = config: lib.attrsets.mapAttrsToList
-    (k: v: [ "CONFIG_${k}" (v.tristate or v.freeform) ] ) config;
-
-  parsePatchConfig = { extraConfig ? "", extraStructuredConfig ? {}, ... }:
-    (parseExtraConfig extraConfig) ++
-    (parseExtraStructuredConfig extraStructuredConfig);
-
-  # parse CONFIG_<OPT>=[ymn]|"foo" style configuration as found in a config file
-  # into a list of k, v tuples
-  parseConfig = config:
-    let
-      parseLine = builtins.match ''(CONFIG_[[:upper:][:digit:]_]+)=(([ymn])|"([^"]*)")'';
-      # get either the [ymn] option or the "foo" option; whichever matched
-      t = l: let v = (i l 2); in [ (i l 0) (if v != null then v else (i l 3)) ];
-      lines = lib.strings.splitString "\n" config;
-    in map t (builtins.filter (l: l != null) (map parseLine lines));
-
-  origConfigfile = ./config;
-
-  linux-asahi-pkg = { stdenv, lib, fetchFromGitHub, fetchpatch, linuxKernel,
-      rustc, rust-bindgen, ... } @ args:
-    let
-      origConfigText = builtins.readFile origConfigfile;
-
-      # extraConfig from all patches in order
-      extraConfig =
-        lib.fold (patch: ex: ex ++ (parsePatchConfig patch)) [] _kernelPatches
-        ++ (lib.optional withRust [ "CONFIG_RUST" "y" ]);
-      # config file text for above
-      extraConfigText = let
-        text = k: v: if (v == "y") || (v == "m") || (v == "n")
-          then "${k}=${v}" else ''${k}="${v}"'';
-      in (map (t: text (i t 0) (i t 1)) extraConfig);
-
-      # final config as a text file path
-      configfile = if extraConfig == [] then origConfigfile else
-        writeText "config" ''
-          ${origConfigText}
-
-          # Patches
-          ${lib.strings.concatStringsSep "\n" extraConfigText}
-        '';
-      # final config as an attrset
-      configAttrs = let
-        makePair = t: lib.nameValuePair (i t 0) (i t 1);
-        configList = (parseConfig origConfigText) ++ extraConfig;
-      in builtins.listToAttrs (map makePair (lib.lists.reverseList configList));
-
-      # used to fix issues when nixpkgs gets ahead of the kernel
-      rustAtLeast = version: withRust && (lib.versionAtLeast rustc.version version);
-      bindgenAtLeast = version: withRust && (lib.versionAtLeast rust-bindgen.unwrapped.version version);
-    in
-    linuxKernel.manualConfig rec {
-      inherit stdenv lib;
-
-      version = "6.14.8-asahi";
-      modDirVersion = version;
-      extraMeta.branch = "6.14";
-
-      src = fetchFromGitHub {
-        # tracking: https://github.com/AsahiLinux/linux/tree/asahi-wip (w/ fedora verification)
-        owner = "AsahiLinux";
-        repo = "linux";
-        rev = "asahi-6.14.8-1";
-        hash = "sha256-JrWVw1FiF9LYMiOPm0QI0bg/CrZAMSSVcs4AWNDIH3Q=";
-      };
-
-      kernelPatches = [
-      ] ++ _kernelPatches;
-
-      inherit configfile;
-      config = configAttrs;
-    };
-
-  linux-asahi = (callPackage linux-asahi-pkg { });
-in lib.recurseIntoAttrs (linuxPackagesFor linux-asahi)

hosts/mac-nixos/apple-silicon-support/packages/m1n1/default.nix

@@ -1,110 +0,0 @@
-{ stdenv
-, buildPackages
-, lib
-, fetchFromGitHub
-, python3
-, dtc
-, imagemagick
-, isRelease ? false
-, withTools ? true
-, withChainloading ? false
-, customLogo ? null
-}:
-
-let
-  pyenv = python3.withPackages (p: with p; [
-    construct
-    pyserial
-  ]);
-
-  stdenvOpts = {
-    targetPlatform.system = "aarch64-none-elf";
-    targetPlatform.rust.rustcTarget = "${stdenv.hostPlatform.parsed.cpu.name}-unknown-none-softfloat";
-    targetPlatform.rust.rustcTargetSpec = "${stdenv.hostPlatform.parsed.cpu.name}-unknown-none-softfloat";
-  };
-  rust = buildPackages.rust.override {
-    stdenv = lib.recursiveUpdate buildPackages.stdenv stdenvOpts;
-  };
-  rustPackages = rust.packages.stable.overrideScope (f: p: {
-    rustc-unwrapped = p.rustc-unwrapped.override {
-      stdenv = lib.recursiveUpdate p.rustc-unwrapped.stdenv stdenvOpts;
-    };
-  });
-  rustPlatform = buildPackages.makeRustPlatform rustPackages;
-
-in stdenv.mkDerivation rec {
-  pname = "m1n1";
-  version = "1.4.21";
-
-  src = fetchFromGitHub {
-    # tracking: https://src.fedoraproject.org/rpms/m1n1
-    owner = "AsahiLinux";
-    repo = "m1n1";
-    rev = "v${version}";
-    hash = "sha256-PEjTaSwcsV8PzM9a3rDWMYXGX9FlrM0oeElrP5HYRPg=";
-    fetchSubmodules = true;
-  };
-  cargoVendorDir = ".";
-
-  makeFlags = [ "ARCH=${stdenv.cc.targetPrefix}" ]
-    ++ lib.optional isRelease "RELEASE=1"
-    ++ lib.optional withChainloading "CHAINLOADING=1";
-
-  nativeBuildInputs = [
-    dtc
-  ] ++ lib.optionals withChainloading [rustPackages.rustc rustPackages.cargo rustPlatform.cargoSetupHook]
-    ++ lib.optional (customLogo != null) imagemagick;
-
-  postPatch = ''
-    substituteInPlace proxyclient/m1n1/asm.py \
-      --replace 'aarch64-linux-gnu-' 'aarch64-unknown-linux-gnu-' \
-      --replace 'TOOLCHAIN = ""' 'TOOLCHAIN = "'$out'/toolchain-bin/"'
-  '';
-
-  preConfigure = lib.optionalString (customLogo != null) ''
-    pushd data &>/dev/null
-    ln -fs ${customLogo} bootlogo_256.png
-    if [[ "$(magick identify bootlogo_256.png)" != 'bootlogo_256.png PNG 256x256'* ]]; then
-      echo "Custom logo is not a 256x256 PNG"
-      exit 1
-    fi
-
-    rm bootlogo_128.png
-    convert bootlogo_256.png -resize 128x128 bootlogo_128.png
-    patchShebangs --build ./makelogo.sh
-    ./makelogo.sh
-    popd &>/dev/null
-  '';
-
-  installPhase = ''
-    runHook preInstall
-
-    mkdir -p $out/build
-    cp build/m1n1.bin $out/build
-  '' + (lib.optionalString withTools ''
-    mkdir -p $out/{bin,script,toolchain-bin}
-    cp -r proxyclient $out/script
-    cp -r tools $out/script
-
-    for toolpath in $out/script/proxyclient/tools/*.py; do
-      tool=$(basename $toolpath .py)
-      script=$out/bin/m1n1-$tool
-      cat > $script <<EOF
-#!/bin/sh
-${pyenv}/bin/python $toolpath "\$@"
-EOF
-      chmod +x $script
-    done
-
-    GCC=${buildPackages.gcc}
-    BINUTILS=${buildPackages.binutils-unwrapped}
-
-    ln -s $GCC/bin/${stdenv.cc.targetPrefix}gcc $out/toolchain-bin/
-    ln -s $GCC/bin/${stdenv.cc.targetPrefix}ld $out/toolchain-bin/
-    ln -s $BINUTILS/bin/${stdenv.cc.targetPrefix}objcopy $out/toolchain-bin/
-    ln -s $BINUTILS/bin/${stdenv.cc.targetPrefix}objdump $out/toolchain-bin/
-    ln -s $GCC/bin/${stdenv.cc.targetPrefix}nm $out/toolchain-bin/
-  '') + ''
-    runHook postInstall
-  '';
-}

hosts/mac-nixos/apple-silicon-support/packages/mesa-asahi-edge/default.nix

@@ -1,48 +0,0 @@
-{ lib
-, fetchFromGitLab
-, mesa
-}:
-
-(mesa.override {
-  galliumDrivers = [ "softpipe" "llvmpipe" "asahi" ];
-  vulkanDrivers = [ "swrast" "asahi" ];
-}).overrideAttrs (oldAttrs: {
-  version = "25.1.0-asahi";
-  src = fetchFromGitLab {
-    # tracking: https://pagure.io/fedora-asahi/mesa/commits/asahi
-    domain = "gitlab.freedesktop.org";
-    owner = "asahi";
-    repo = "mesa";
-    tag = "asahi-20250425";
-    hash = "sha256-3c3uewzKv5wL9BRwaVL4E3FnyA04veQwAPxfHiL7wII=";
-  };
-
-  mesonFlags =
-    let
-      badFlags = [
-        "-Dinstall-mesa-clc"
-        "-Dgallium-nine"
-        "-Dtools"
-      ];
-      isBadFlagList = f: builtins.map (b: lib.hasPrefix b f) badFlags;
-      isGoodFlag = f: !(builtins.foldl' (x: y: x || y) false (isBadFlagList f));
-    in
-    (builtins.filter isGoodFlag oldAttrs.mesonFlags) ++ [
-      # we do not build any graphics drivers these features can be enabled for
-      "-Dgallium-va=disabled"
-      "-Dgallium-vdpau=disabled"
-      "-Dgallium-xa=disabled"
-      "-Dtools=asahi"
-    ];
-
-  # replace patches with ones tweaked slightly to apply to this version
-  patches = [
-    ./opencl.patch
-  ];
-
-  postInstall = (oldAttrs.postInstall or "") + ''
-    # we don't build anything to go in this output but it needs to exist
-    touch $spirv2dxil
-    touch $cross_tools
-  '';
-})

hosts/mac-nixos/apple-silicon-support/packages/mesa-asahi-edge/opencl.patch

@@ -1,54 +0,0 @@
-diff --git a/meson.build b/meson.build
-index 07991a6..4c875b9 100644
---- a/meson.build
-+++ b/meson.build
-@@ -1900,7 +1900,7 @@ endif
-
- dep_clang = null_dep
- if with_clc or with_gallium_clover
--  llvm_libdir = dep_llvm.get_variable(cmake : 'LLVM_LIBRARY_DIR', configtool: 'libdir')
-+  llvm_libdir = get_option('clang-libdir')
-
-   dep_clang = cpp.find_library('clang-cpp', dirs : llvm_libdir, required : false)
-
-diff --git a/meson.options b/meson.options
-index 84e0f20..38ea92c 100644
---- a/meson.options
-+++ b/meson.options
-@@ -795,3 +795,10 @@ option(
-   value : false,
-   description : 'Install the drivers internal shader compilers (if needed for cross builds).'
- )
-+
-+option(
-+  'clang-libdir',
-+  type : 'string',
-+  value : '',
-+  description : 'Locations to search for clang libraries.'
-+)
-diff --git a/src/gallium/targets/opencl/meson.build b/src/gallium/targets/opencl/meson.build
-index ab2c835..a59e88e 100644
---- a/src/gallium/targets/opencl/meson.build
-+++ b/src/gallium/targets/opencl/meson.build
-@@ -56,7 +56,7 @@ if with_opencl_icd
-     configuration : _config,
-     input : 'mesa.icd.in',
-     output : 'mesa.icd',
--    install : true,
-+    install : false,
-     install_tag : 'runtime',
-     install_dir : join_paths(get_option('sysconfdir'), 'OpenCL', 'vendors'),
-   )
-diff --git a/src/gallium/targets/rusticl/meson.build b/src/gallium/targets/rusticl/meson.build
-index 2b214ad..7f91939 100644
---- a/src/gallium/targets/rusticl/meson.build
-+++ b/src/gallium/targets/rusticl/meson.build
-@@ -64,7 +64,7 @@ configure_file(
-   configuration : _config,
-   input : 'rusticl.icd.in',
-   output : 'rusticl.icd',
--  install : true,
-+  install : false,
-   install_tag : 'runtime',
-   install_dir : join_paths(get_option('sysconfdir'), 'OpenCL', 'vendors'),
- )

hosts/mac-nixos/apple-silicon-support/packages/overlay.nix

@@ -1,9 +0,0 @@
-final: prev: {
-  linux-asahi = final.callPackage ./linux-asahi { };
-  m1n1 = final.callPackage ./m1n1 { };
-  uboot-asahi = final.callPackage ./uboot-asahi { };
-  asahi-fwextract = final.callPackage ./asahi-fwextract { };
-  mesa-asahi-edge = final.callPackage ./mesa-asahi-edge { };
-  alsa-ucm-conf-asahi = final.callPackage ./alsa-ucm-conf-asahi { inherit (prev) alsa-ucm-conf; };
-  asahi-audio = final.callPackage ./asahi-audio { };
-}

hosts/mac-nixos/apple-silicon-support/packages/uboot-asahi/default.nix

@@ -1,44 +0,0 @@
-{ lib
-, fetchFromGitHub
-, buildUBoot
-, m1n1
-}:
-
-(buildUBoot rec {
-  src = fetchFromGitHub {
-    # tracking: https://pagure.io/fedora-asahi/uboot-tools/commits/main
-    owner = "AsahiLinux";
-    repo = "u-boot";
-    rev = "asahi-v2025.04-1";
-    hash = "sha256-/z37qj26AqsyEBsFT6UEN3GjG6KVsoJOoUB4s9BRDbE=";
-  };
-  version = "2025.04-1-asahi";
-
-  defconfig = "apple_m1_defconfig";
-  extraMeta.platforms = [ "aarch64-linux" ];
-  filesToInstall = [
-    "u-boot-nodtb.bin.gz"
-    "m1n1-u-boot.bin"
-  ];
-  extraConfig = ''
-    CONFIG_IDENT_STRING=" ${version}"
-    CONFIG_VIDEO_FONT_4X6=n
-    CONFIG_VIDEO_FONT_8X16=n
-    CONFIG_VIDEO_FONT_SUN12X22=n
-    CONFIG_VIDEO_FONT_16X32=y
-    CONFIG_CMD_BOOTMENU=y
-  '';
-}).overrideAttrs (o: {
-  # nixos's downstream patches are not applicable
-  patches = [ 
-  ];
-
-  # DTC= flag somehow breaks DTC compilation so we remove it
-  makeFlags = builtins.filter (s: (!(lib.strings.hasPrefix "DTC=" s))) o.makeFlags;
-
-  preInstall = ''
-    # compress so that m1n1 knows U-Boot's size and can find things after it
-    gzip -n u-boot-nodtb.bin
-    cat ${m1n1}/build/m1n1.bin arch/arm/dts/t[68]*.dtb u-boot-nodtb.bin.gz > m1n1-u-boot.bin
-  '';
-})

hosts/mac-nixos/boot.nix

@@ -1,34 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  # Use the systemd-boot EFI boot loader.
-  boot = {
-    loader = {
-      systemd-boot = {
-        enable = true;
-        configurationLimit = 15;
-        consoleMode = lib.mkDefault "max";
-      };
-      efi.canTouchEfiVariables = lib.mkForce false;
-    };
-
-    kernelParams = [
-      "apple_dcp.show_notch=1"
-    ];
-
-    extraModprobeConfig = ''
-      options hid_apple iso_layout=0
-    '';
-
-    binfmt.registrations. "x86_64-linux" = {
-      magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
-      mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
-      openBinary = true;
-      interpreter = "${pkgs.box64}/bin/box64";
-      preserveArgvZero = true; 
-      matchCredentials = true;
-      fixBinary = false;
-    };
-  };
-
-  zramSwap.enable = true;
-}

hosts/mac-nixos/configuration.nix

@@ -1,70 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{ pkgs, lib, ... }:
-let
-  plasma = false;
-in
-{
-  imports = [
-    ./boot.nix
-    ./hardware-configuration.nix
-    ./networking.nix
-    ./services.nix
-  ];
-
-  hardware.asahi = {
-    enable = true;
-    useExperimentalGPUDriver = true;
-    peripheralFirmwareDirectory = ./firmware;
-    setupAsahiSound = true;
-  };
-
-  hardware.graphics.enable32Bit = lib.mkForce false;
-
-  nixpkgs.config.allowUnfree = true;
-  nixpkgs.config.allowUnsupportedSystem = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.matt = {
-    isNormalUser = true;
-    extraGroups = [
-      "wheel"
-      "keys"
-      "networkmanager"
-      "ratbagd"
-      "input"
-      "scanner"
-      "lp"
-      "video"
-      "i2c"
-     ]; # Enable ‘sudo’ for the user.
-    shell = pkgs.zsh;
-    packages = with pkgs; [
-      firefox
-      tree
-      git
-      box64
-      prismlauncher
-      distrobox
-    ];
-  };
-
-  virtualisation = {
-    containers.enable = true;
-    podman.enable = true;
-  };
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    micro
-    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
-    wget
-  ];
-
-  environment.sessionVariables = {
-    DBX_CONTAINER_MANAGER = "podman";
-  };
-}

hosts/mac-nixos/hardware-configuration.nix

@@ -1,78 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "uas" "sdhci_pci" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "none";
-      fsType = "tmpfs";
-    };
-
-  fileSystems."/root" =
-    { device = "/dev/disk/by-uuid/adcc14fa-8bf7-4b4b-a9e4-b038993b96cc";
-      fsType = "btrfs";
-      options = [ "compress=zstd" "noatime" "subvol=root" ];
-    };
-
-  fileSystems."/etc" =
-    { device = "/dev/disk/by-uuid/adcc14fa-8bf7-4b4b-a9e4-b038993b96cc";
-      fsType = "btrfs";
-      options = [ "compress=zstd" "noatime" "subvol=etc" ];
-    };
-
-  fileSystems."/tmp" =
-    { device = "/dev/disk/by-uuid/adcc14fa-8bf7-4b4b-a9e4-b038993b96cc";
-      fsType = "btrfs";
-      options = [ "compress=zstd" "noatime" "subvol=tmp" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/adcc14fa-8bf7-4b4b-a9e4-b038993b96cc";
-      fsType = "btrfs";
-      options = [ "compress=zstd" "noatime" "subvol=nix" ];
-    };
-
-  fileSystems."/var/log" =
-    { device = "/dev/disk/by-uuid/adcc14fa-8bf7-4b4b-a9e4-b038993b96cc";
-      fsType = "btrfs";
-      options = [ "compress=zstd" "noatime" "subvol=log" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/adcc14fa-8bf7-4b4b-a9e4-b038993b96cc";
-      fsType = "btrfs";
-      options = [ "compress=zstd" "subvol=home" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/23FA-AD3E";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-  swapDevices = [
-    {
-      device = "/tmp/swapfile";
-      randomEncryption.enable = true;
-    }
-  ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}

hosts/mac-nixos/home.nix

@@ -1,14 +0,0 @@
-{ pkgs, ... }:
-{
-
-  home.username = "matt";
-  home.homeDirectory = "/home/matt";
-  home.stateVersion = "23.11";
-
-  home.packages = with pkgs; [
-    iw
-    iwd
-    orca-slicer
-    vscodium
-  ];
-}

hosts/mac-nixos/hyprland-settings.nix

@@ -1,44 +0,0 @@
-{
-  monitor = [
-    "eDP-1,3456x2234@60.00000,0x0,1.0,bitdepth,10,cm,hdr,sdrbrightness,1.2,sdrsaturation,0.98"
-  ];
-  
-  workspace = [
-    "name:firefox, monitor:eDP-1, default:false, special, class:(.*firefox.*)"
-    "name:discord, monitor:eDP-1, default:true, special, title:(.*vesktop.*), title:(.*Apple Music.*)"
-    "name:steam, monitor:eDP-1, default:false, special, class:(.*[Ss]team.*)"
-  ];
-
-  windowRule = [
-    # "tag +fakefull, fullscreen: 0"
-    # "float, tag:fakefull"
-    # "size 3356 2160, tag:fakefull"
-    # "move 100 74, tag:fakefull"
-    # "noanim, tag:fakefull"
-    # "noblur, tag:fakefull"
-    # "norounding, tag:fakefull"
-    # "noshadow, tag:fakefull"
-    # "immediate, tag:fakefull"
-    # "noborder, tag:fakefull"
-    # "nodim, tag:fakefull"
-    # "idleinhibit, tag:fakefull"
-    "size 2160 3356, tag:horizonrdp"
-  ];
-
-  waybar = {
-    modules-right = [
-      "tray"
-      "temperature"
-      "temperature#gpu"
-      "keyboard-state#capslock"
-      "keyboard-state#numlock"
-      "wireplumber#sink"
-      # "wireplumber#source"
-      "bluetooth"
-      "network"
-      "clock"
-      "battery"
-      "custom/weather"
-    ];
-  };
-}

hosts/mac-nixos/networking.nix

@@ -1,37 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  # Networking configs
-  networking = {
-    hostName = "macbook-pro-nixos";
-
-    wireless.iwd = {
-      enable = true;
-      settings = {
-        General = {
-            EnableNetworkConfiguration = true;
-        };
-        Rank = {
-          BandModifier2_4GHz = 1.0;
-          BandModifier5GHz = 5.0;
-          BandModifier6GHz = 10.0;
-        };
-        # DriverQuirks = {
-        #   PowerSaveDisable = "hci_bcm4377,brcmfmac";
-        # };
-        Network = {
-          AutoConnect = true;
-        };
-      };
-    };
-
-    # Enable Network Manager
-    networkmanager = {
-      enable = lib.mkForce false;
-      wifi = {
-        backend = lib.mkForce "iwd";
-        powersave = lib.mkDefault false;
-      };
-      settings.connectivity.uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
-    };
-  };
-}

hosts/mac-nixos/omnissa.nix

@@ -1,123 +0,0 @@
-{ stdenv
-, lib
-, buildFHSEnv
-, fetchurl
-, makeWrapper
-, gsettings-desktop-schemas
-, opensc
-, writeTextDir
-, configText ? ""
-}:
-
-let
-  version = "2503-8.15.0";
-  sysArch = "armhf";
-  mainProgram = "horizon-client";
-
-  wrapBinCommands = path: name: ''
-    makeWrapper "$out/${path}/${name}" "$out/bin/${name}_wrapper" \
-      --set GTK_THEME Adwaita \
-      --suffix XDG_DATA_DIRS : "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}" \
-      --suffix LD_LIBRARY_PATH : "$out/lib/omnissa/horizon:$out/lib/omnissa/horizon/vdpService:$out/lib/omnissa"
-  '';
-
-  omnissaHorizonClientFiles = stdenv.mkDerivation {
-    pname = "omnissa-horizon-armhf-files";
-    inherit version;
-
-    src = fetchurl {
-      url = "https://download3.omnissa.com/software/CART26FQ1_LIN_2503_TARBALL/Omnissa-Horizon-Client-Linux-2503-8.15.0-14256322247.tar.gz";
-      sha256 = "sha256-x98ITXF9xwzlPq375anQ2qBpMbZAcCqDVXBfvZPha7Q=";
-    };
-
-    nativeBuildInputs = [ makeWrapper ];
-
-    installPhase = ''
-      mkdir ext
-      tar -xzf $src
-      cd Omnissa-Horizon-Client-Linux-*/${sysArch}
-
-      mkdir -p ext
-      for archive in *.tar.gz; do
-        tar -C ext --strip-components=1 -xf "$archive"
-      done
-
-      chmod -R u+w ext/usr/lib
-
-      mkdir -p $out
-      mv ext/usr $out
-      mv ext/${sysArch}/lib $out/
-      mv ext/${sysArch}/include $out/
-
-      mkdir -p $out/lib/omnissa/horizon/pkcs11
-      ln -s ${opensc}/lib/pkcs11/opensc-pkcs11.so $out/lib/omnissa/horizon/pkcs11/libopenscpkcs11.so
-
-      chmod +x "$out/usr/bin/horizon-client"
-      ${wrapBinCommands "usr/bin" "horizon-client"}
-    '';
-  };
-
-  omnissaFHSUserEnv =
-    pname:
-    buildFHSEnv {
-      inherit pname version;
-
-      runScript = "${omnissaHorizonClientFiles}/bin/${pname}_wrapper";
-
-      targetPkgs = pkgs: with pkgs; [
-        atk
-        cairo
-        dbus
-        file
-        fontconfig
-        freetype
-        gdk-pixbuf
-        glib
-        gtk3
-        libjpeg
-        libpng
-        libpulseaudio
-        libtiff
-        libuuid
-        libv4l
-        libxml2
-        pango
-        pcsclite
-        pixman
-        udev
-        omnissaHorizonClientFiles
-        xorg.libX11
-        xorg.libXau
-        xorg.libXcursor
-        xorg.libXext
-        xorg.libXi
-        xorg.libXrandr
-        xorg.libXrender
-        xorg.libXtst
-        zlib
-
-        (writeTextDir "etc/omnissa/config" configText)
-      ];
-    };
-in
-stdenv.mkDerivation {
-  pname = "omnissa-horizon-client";
-  inherit version;
-
-  dontUnpack = true;
-
-  installPhase = ''
-    mkdir -p $out/bin
-    ln -s ${omnissaFHSUserEnv "horizon-client"}/bin/horizon-client $out/bin/
-    ln -s ${omnissaFHSUserEnv "horizon-eucusbarbitrator"}/bin/horizon-eucusbarbitrator $out/bin/
-  '';
-
-  passthru.unwrapped = omnissaHorizonClientFiles;
-
-  meta = {
-    description = "Omnissa Horizon Client for ARM";
-    homepage = "https://www.omnissa.com/products/horizon-8/";
-    license = lib.licenses.unfree;
-    platforms = [ "aarch64-linux" "armv7l-linux" ];
-  };
-}

hosts/mac-nixos/services.nix

@@ -1,83 +0,0 @@
-{ lib, ... }:
-{
-  services = {
-    auto-cpufreq = {
-      enable = true;
-      settings = {
-        # settings for when connected to a power source
-        charger = {
-          # see available governors by running: cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors
-          # preferred governor
-          governor = "performance";
-
-          # minimum cpu frequency (in kHz)
-          # example: for 800 MHz = 800000 kHz --> scaling_min_freq = 800000
-          # see conversion info: https://www.rapidtables.com/convert/frequency/mhz-to-hz.html
-          # to use this feature, uncomment the following line and set the value accordingly
-          # scaling_min_freq = 800000
-
-          # maximum cpu frequency (in kHz)
-          # example: for 1GHz = 1000 MHz = 1000000 kHz -> scaling_max_freq = 1000000
-          # see conversion info: https://www.rapidtables.com/convert/frequency/mhz-to-hz.html
-          # to use this feature, uncomment the following line and set the value accordingly
-          # scaling_max_freq = 1000000
-
-          # turbo boost setting. possible values: always, auto, never
-          turbo = "auto";
-        };
-        # settings for when using battery power
-        battery = {
-          # see available governors by running: cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors
-          # preferred governor
-          governor = "schedutil";
-
-          # minimum cpu frequency (in kHz)
-          # example: for 800 MHz = 800000 kHz --> scaling_min_freq = 800000
-          # see conversion info: https://www.rapidtables.com/convert/frequency/mhz-to-hz.html
-          # to use this feature, uncomment the following line and set the value accordingly
-          # scaling_min_freq = 800000
-
-          # maximum cpu frequency (in kHz)
-          # see conversion info: https://www.rapidtables.com/convert/frequency/mhz-to-hz.html
-          # example: for 1GHz = 1000 MHz = 1000000 kHz -> scaling_max_freq = 1000000
-          # to use this feature, uncomment the following line and set the value accordingly
-          # scaling_max_freq = 1000000
-
-          # turbo boost setting (always, auto, or never)
-          turbo = "auto";
-
-          # battery charging threshold
-          # reference: https://github.com/AdnanHodzic/auto-cpufreq/#battery-charging-thresholds
-          #enable_thresholds = true
-          #start_threshold = 20
-          #stop_threshold = 80
-        };
-      };
-    };
-  
-    displayManager = {
-      sddm = {
-        enable = lib.mkForce true;
-        wayland.enable = lib.mkForce true;
-      };
-      gdm.enable = lib.mkForce false;
-    };
-  
-    desktopManager = {
-      plasma6.enable = lib.mkForce false;
-      gnome.enable = lib.mkForce false;
-    };
-
-    logind = {
-      lidSwitch = "suspend";
-      lidSwitchExternalPower = "ignore";
-      powerKey = "suspend";
-      powerKeyLongPress = "poweroff";
-    };
-
-    # Enable Flatpak
-    flatpak.enable = lib.mkDefault false;
-
-    gvfs.enable = true;
-  };
-}

hosts/mac/configuration.nix

@@ -1,78 +0,0 @@
-{ pkgs, ... }:
-{
-  #nix run nix-darwin -- switch --flake ~/nix-config
-
-  # List packages installed in system profile. To search by name, run:
-  # $ nix-env -qaP | grep wget
-  environment.systemPackages = with pkgs; [
-    asitop
-    mas
-    python3
-    python3Packages.beautifulsoup4
-    python3Packages.requests
-    python3Packages.selenium
-    vim
-  ];
-
-  # Homebrew
-  homebrew.enable = true;
-  homebrew.casks = [
-    "spotify"
-    "protonvpn"
-    "omnissa-horizon-client"
-    "tg-pro"
-    "steam"
-    "orcaslicer"
-    "vscodium"
-    "epic-games"
-    "wine-stable"
-    "scroll-reverser"
-  ];
-
-  homebrew.masApps = {
-    Tailscale = 1475387142;
-    Infuse = 1136220934;
-    Amphetamine = 937984704;
-  };
-  # homebrew.global.autoUpdate = true;
-
-  security.pam.services.sudo_local.touchIdAuth = true;
-
-  # Auto upgrade nix package and the daemon service.
-  # services.nix-daemon.enable = true;
-  # nix.package = pkgs.nix;
-
-  # Necessary for using flakes on this system.
-  nix.settings.experimental-features = "nix-command flakes";
-
-  # Allow unfree
-  nixpkgs.config.allowUnfree = true;
-
-  # Create /etc/zshrc that loads the nix-darwin environment.
-  programs.zsh.enable = true;  # default shell on catalina
-
-  system = {
-    defaults = {
-      trackpad.Clicking = true;
-      dock.autohide = false;
-
-      NSGlobalDomain = {
-        AppleInterfaceStyle = "Dark";
-        "com.apple.mouse.tapBehavior" = 1;
-        "com.apple.keyboard.fnState" = false;
-      };
-    };
-
-    # Used for backwards compatibility, please read the changelog before changing.
-    # $ darwin-rebuild changelog
-    stateVersion = 5;
-  };
-
-  # The platform the configuration will be used on.
-  nixpkgs.hostPlatform = "aarch64-darwin";
-
-  users.users.mattjallen = {
-    name = "mattjallen";
-    home = "/Users/mattjallen";
-  };
-}

hosts/mac/home.nix

@@ -1,111 +0,0 @@
-{ ... }:
-let
-  shellAliases = {
-    update-switch = "darwin-rebuild switch --flake ~/nix-config";
-    update-flake = "nix flake update ~/nix-config";
-    ducks = "du -cksh * | sort -hr | head -n 15";
-  };
-
-  gitAliases = {
-    co = "checkout";
-    ci = "commit";
-    cia = "commit --amend";
-    s = "status";
-    st = "status";
-    b = "branch";
-    p = "pull --rebase";
-    pu = "push";
-  };
-in
-{
-  imports = [ ./trampoline-apps ];
-  # Home Manager needs a bit of information about you and the
-  # paths it should manage.
-  home.username = "mattjallen";
-  home.homeDirectory = "/Users/mattjallen";
-
-  # This value determines the Home Manager release that your
-  # configuration is compatible with. This helps avoid breakage
-  # when a new Home Manager release introduces backwards
-  # incompatible changes.
-  #
-  # You can update Home Manager without changing this value. See
-  # the Home Manager release notes for a list of state version
-  # changes in each release.
-  home.stateVersion = "23.11";
-
-  programs = {
-    # Let Home Manager install and manage itself.
-    home-manager = {
-      enable = true;
-    };
-
-    vscode = {
-      enable = true;
-    };
-
-    btop.enable = true;
-
-    zsh = {
-      enable = true;
-      enableCompletion = true;
-      autosuggestion.enable = true;
-      syntaxHighlighting.enable = true;
-
-      shellAliases = shellAliases;
-
-      oh-my-zsh = {
-        enable = true;
-        plugins = [ "git" ];
-        theme = "fishy";
-      };
-    };
-
-    librewolf = {
-      enable = true;
-      settings = {
-        "identity.fxaccounts.enabled" = true; # Enable Firefox Accounts
-        "privacy.clearOnShutdown.history" = false; # Disable clearing history on shutdown
-        "privacy.clearOnShutdown.downloads" = false; # Disable clearing downloads on shutdown
-        "privacy.clearOnShutdown.cache" = false; # Disable clearing cache on shutdown
-        "privacy.clearOnShutdown.cookiesAndStorage" = false; # Disable clearing cookies and storage on shutdown
-        "privacy.clearOnShutdown.cookies" = false; # Disable clearing cookies on shutdown
-        "privacy.clearOnShutdown_v2.cache" = false; # Disable clearing cache on shutdown
-        "privacy.clearOnShutdown_v2.cookiesAndStorage" = false; # Disable clearing cookies and storage on shutdown
-        "privacy.clearOnShutdown.formdata" = false; # Disable clearing form data on shutdown
-        "privacy.clearOnShutdown.offlineApps" = false; # Disable clearing offline apps on shutdown
-        "privacy.clearHistory.cache" = false; # Disable clearing cache on history clear
-        "privacy.clearHistory.cookiesAndStorage" = false; # Disable clearing cookies on history clear
-        "privacy.clearHistory.historyFormDataAndDownloads" = false; # Disable clearing history, form data, and downloads on history clear
-        "privacy.clearHistory.browsingHistoryAndDownloads" = false; # Disable clearing browsing history and downloads on history clear
-        "privacy.clearSiteData.cache" = false; # Disable clearing cache on site data clear
-        "privacy.clearSiteData.cookiesAndStorage" = false; # Disable clearing cookies on site data clear
-        "services.sync.prefs.sync.privacy.clearOnShutdown.cache" = true; # Enable syncing cache clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown.cookies" = true; # Enable syncing cookies clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown.downloads" = true; # Enable syncing downloads clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown.formdata" = true; # Enable syncing form data clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown.history" = true; # Enable syncing history clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown.offlineApps" = true; # Enable syncing offline apps clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown.sessions" = true; # Enable syncing sessions clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown.siteSettings" = true; # Enable syncing site settings clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown_v2.cache" = true; # Enable syncing cache clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown_v2.cookiesAndStorage" = true; # Enable syncing cookies clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown_v2.downloads" = true; # Enable syncing downloads clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown_v2.historyFormDataAndDownloads" = true; # Enable syncing form data clear on shutdown
-        "services.sync.prefs.sync.privacy.clearOnShutdown_v2.siteSettings" = true; # Enable syncing site settings clear on shutdown
-        "browser.newtabpage.activity-stream.feeds.topsites" = true; # Enable top sites on new tab page
-        "browser.newtabpage.activity-stream.topSitesRows" = 3; # Set number of rows for top sites on new tab page
-      };
-    };
-  };
-
-  programs.git = {
-    enable = true;
-    userName = "mjallen18";
-    userEmail = "matt.l.jallen@gmail.com";
-    aliases = gitAliases;
-  };
-
-  # Manage bug in compilations - who uses manpages in 2024 anyways? :P
-  manual.manpages.enable = false;
-}

hosts/mac/trampoline-apps/default.nix

@@ -1,25 +0,0 @@
-# Hook home-manager to make a trampoline for each app we install
-# from: https://github.com/nix-community/home-manager/issues/1341#issuecomment-1870352014
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib;
-{
-  config = mkIf pkgs.stdenv.hostPlatform.isDarwin {
-    # Install MacOS applications to the user Applications folder. Also update Docked applications
-    home.extraActivationPath = with pkgs; [
-      rsync
-      dockutil
-      gawk
-    ];
-    home.activation.trampolineApps = hm.dag.entryAfter [ "writeBoundary" ] ''
-      ${builtins.readFile ./lib-bash/trampoline-apps.sh}
-      fromDir="$HOME/Applications/Home Manager Apps"
-      toDir="$HOME/Applications/Home Manager Trampolines"
-      sync_trampolines "$fromDir" "$toDir"
-    '';
-  };
-}

hosts/mac/trampoline-apps/lib-bash/trampoline-apps.sh

@@ -1,131 +0,0 @@
-# Utilities not in nixpkgs.
-plutil="/usr/bin/plutil"
-killall="/usr/bin/killall"
-osacompile="/usr/bin/osacompile"
-
-copyable_app_props=(
-  "CFBundleDevelopmentRegion"
-  "CFBundleDocumentTypes"
-  "CFBundleGetInfoString"
-  "CFBundleIconFile"
-  "CFBundleIdentifier"
-  "CFBundleInfoDictionaryVersion"
-  "CFBundleName"
-  "CFBundleShortVersionString"
-  "CFBundleURLTypes"
-  "NSAppleEventsUsageDescription"
-  "NSAppleScriptEnabled"
-  "NSDesktopFolderUsageDescription"
-  "NSDocumentsFolderUsageDescription"
-  "NSDownloadsFolderUsageDescription"
-  "NSPrincipalClass"
-  "NSRemovableVolumesUsageDescription"
-  "NSServices"
-  "UTExportedTypeDeclarations"
-)
-
-function sync_icons() {
-  local from="$1"
-  local to="$2"
-  from_resources="$from/Contents/Resources/"
-  to_resources="$to/Contents/Resources/"
-
-  find "$to_resources" -name "*.icns" -delete
-  rsync --include "*.icns" --exclude "*" --recursive "$from_resources" "$to_resources"
-}
-
-function copy_paths() {
-  local from="$1"
-  local to="$2"
-  local paths=("${@:3}")
-
-  keys=$(jq -n '$ARGS.positional' --args "${paths[@]}")
-  jqfilter="to_entries |[.[]| select(.key as \$item| \$keys | index(\$item) >= 0) ] | from_entries"
-
-  temp_dir=$(mktemp -d)
-  trap 'rm -rf "$temp_dir"' EXIT
-
-  pushd $temp_dir >/dev/null
-
-  cp "$from" "orig"
-  chmod u+w "orig"
-
-  cp "$to" "bare-wrapper"
-  chmod u+w "bare-wrapper"
-
-  $plutil -convert json -- "orig"
-  $plutil -convert json -- "bare-wrapper"
-  jq --argjson keys "$keys" "$jqfilter" <"orig" >"filtered"
-  cat "bare-wrapper" "filtered" | jq -s add >"final"
-  $plutil -convert xml1 -- "final"
-
-  cp "final" "$to"
-  popd >/dev/null
-}
-
-function sync_dock() {
-  # Make sure all environment variables are cleared that might affect dockutil
-  unset SUDO_USER
-
-  # Array of applications to sync
-  declare -a apps=("$@")
-
-  # Iterate through each provided app
-  for app_path in "${apps[@]}"; do
-    if [ -d "$app_path" ]; then
-      # Extract the name of the app from the path
-      app_name=$(basename "$app_path")
-      app_name=${app_name%.*} # Remove the '.app' extension
-      resolved_path=$(realpath "$app_path")
-
-      # Find the current Dock item for the app, if it exists
-      current_dock_item=$(dockutil --list --no-restart | grep "$app_name.app" | awk -F "\t" '{print $1}' || echo "")
-
-      if [ -n "$current_dock_item" ]; then
-        # The app is currently in the Dock, attempt to replace it
-        echo "Updating $app_name in Dock..."
-        dockutil --add "$resolved_path" --replacing "$current_dock_item" --no-restart
-      else
-        # The app is not in the Dock; you might choose to add it or do nothing
-        echo "$app_name is not currently in the Dock."
-      fi
-    else
-      echo "Warning: Provided path $app_path is not valid."
-    fi
-  done
-
-  # Restart the Dock to apply changes
-  $killall Dock
-}
-
-function mktrampoline() {
-  local app="$1"
-  local trampoline="$2"
-
-  if [[ ! -d $app ]]; then
-    echo "app path is not directory."
-    return 1
-  fi
-
-  cmd="do shell script \"open '$app'\""
-  $osacompile -o "$trampoline" -e "$cmd"
-  sync_icons "$app" "$trampoline"
-  copy_paths "$(realpath "$app/Contents/Info.plist")" "$(realpath "$trampoline/Contents/Info.plist")" "${copyable_app_props[@]}"
-}
-
-function sync_trampolines() {
-  [[ ! -d "$1" ]] && echo "Source directory does not exist" && return 1
-
-  if [[ -d "$2" ]]; then
-    rm -rf "$2"
-  fi
-  mkdir -p "$2"
-
-  apps=("$1"/*.app)
-
-  for app in "${apps[@]}"; do
-    trampoline="$2/$(basename "$app")"
-    mktrampoline "$app" "$trampoline"
-  done
-  sync_dock "${apps[@]}"
-}

hosts/nas/apps.nix

@@ -1,105 +0,0 @@
-{ pkgs, lib, ... }:
-let
-  settings = import ./settings.nix;
-in
-{
-  imports = [
-    ./apps/actual
-    ./apps/arrs
-    ./apps/crowdsec
-    ./apps/excalidraw
-    ./apps/gitea
-    ./apps/immich
-    ./apps/jellyfin
-    ./apps/jellyseerr
-    ./apps/lubelogger
-    ./apps/nextcloud
-    ./apps/ollama
-    ./apps/orca
-    ./apps/paperless
-    ./apps/traefik
-    ./apps/wyoming
-    ../../modules
-  ];
-
-  nas-apps = {
-    actual = {
-      enable = true;
-      port = 3333;
-      localAddress = "10.0.3.18";
-      dataDir = "/media/nas/ssd/nix-app-data/actual";
-      reverseProxy = {
-        enable = true;
-        host = "actual.mjallen.dev";
-        middlewares = [ "crowdsec" "whitelist-geoblock" ];
-      };
-    };
-
-    arrs = {
-      enable = true;
-      localAddress = "10.0.1.51";
-      downloadsDir = "/media/nas/ssd/ssd_app_data/downloads";
-      incompleteDownloadsDir = "/media/nas/ssd/ssd_app_data/downloads-incomplete";
-      moviesDir = "/media/nas/main/movies";
-      tvDir = "/media/nas/main/tv";
-      isosDir = "/media/nas/main/isos";
-      radarr = {
-        enable = true;
-        port = 7878;
-        dataDir = "/media/nas/ssd/nix-app-data/radarr";
-      };
-      sonarr = {
-        enable = true;
-        port = 8989;
-        dataDir = "/media/nas/ssd/nix-app-data/sonarr";
-      };
-      sabnzbd = {
-        enable = true;
-        port = 8280;
-        dataDir = "/media/nas/ssd/nix-app-data/sabnzbd";
-      };
-      deluge = {
-        enable = true;
-        port = 8112;
-      };
-      jackett = {
-        enable = true;
-        port = 9117;
-        dataDir = "/media/nas/ssd/nix-app-data/jackett";
-      };
-    };
-
-    crowdsec = {
-      enable = true;
-      port = 9898;
-      apiAddress = settings.hostAddress;
-      apiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
-      dataDir = "/media/nas/ssd/nix-app-data/crowdsec";
-    };
-
-    gitea = {
-      enable = true;
-      httpPort = 3000;
-      sshPort = 2222;
-      localAddress = "10.0.4.18";
-      dataDir = "/media/nas/ssd/nix-app-data/gitea";
-      reverseProxy = {
-        enable = true;
-        host = "gitea.mjallen.dev";
-        middlewares = [ "crowdsec" "whitelist-geoblock" ];
-      };
-    };
-
-    free-games-claimer.enable = true;
-
-    manyfold.enable = true;
-
-    orca-slicer = {
-      enable = true;
-      httpPort = "3100";
-      httpsPort = "3101";
-    };
-
-    tdarr.enable = true;
-  };
-}