samba

Co-authored-by: mjallen18 <matt.l.jallen@gmail.com>
Reviewed-on: #3

.gitignore

@@ -10,4 +10,5 @@ shell.nix
 .envrc
 .DS_Store
 *.qcow2
-keys
+keys
+iso-*

.sops.yaml

@@ -2,19 +2,19 @@
 keys:
   - &matt-pgp CBCB9B18A6B8930B0B6ABFD1CCB8CBEB30633684
   - &matt age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
-  - &matt_pi4 age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u
   - &matt_pi5 age1wpvfpv5n32lruk7c0da4uaeapsmhjxdvg8z4ljehn06l6g2y0e0sum404l
   - &desktop age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf
   - &admin age1pm3fehmmk0vmnrscz9vm96rakn46aaldr5ydpscmde3v9x0k3faswwdzxs
   - &jallen-nas age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
-  - &pi4 age1ykkjw57t3z3deup3gtp7dujyaslskn74e0d9hsmqaha2pj3rvazqgndw5a
   - &pi5 age1t2d5scrukk0guva5sr97a8tge5j8kd865adezrcru7p269pzwvpsamkgje
   - &deck age1c8qw59ffcq9l77gfmtyc3djtvt3md0u6dwhrjcgsm98ntyf72ufqugj7cg
   - &steamdeck age1er5qucsc2mugrzrr7n3xhzv7kemkrqrw4m84r544fkk7nkg5g5eswxkqj0
-  - &matt_macbook-pro age19daqsncuzeh3j6cwk8uxp6yfj8h0qtz02jxlwwy4v8j0mfgznsvq30440g
-  - &macbook-pro age19w4zafpwnq9yhzuf8r5te2yhq7xlqj76rcgzcz935hllyrz4yvws4jn6ca
+  - &matt_macbook-pro age12gu9hqhd56yl5x3t5yenkn9yg57du08h77vzjqsmnu5hdppne38qcur5a0
+  - &macbook-pro age1t7378n8kmd3f32fkye2gw3jj6qswv3exjdx0dq8kl0xra3tmcdnsvddq3u
   - &nuc age102el4snus37dj807rwvsmlvwu2sg2d8rw3vfmtntgczfkz04l9nshetcq0
-  - &admin_nuc age102el4snus37dj807rwvsmlvwu2sg2d8rw3vfmtntgczfkz04l9nshetcq0
+  - &admin_nuc age1yn82e39pxt0d0pgny34ux4lkge4ff7wxvsye8ragvwngehemt4ps27phyw
+  - &matt_allyx age18z4ctyyj7eq0cmt23eelfzjuacq4fa6hsplyg779d3rdg7ac2q5q2njxqh
+  - &allyx age164xpf9cepfjqvcn7v5ahcaq9zmm5u3yl9t04d098e3e2zkfjcyws02rx42
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
@@ -22,12 +22,10 @@ creation_rules:
           - *matt-pgp
         age:
           - *matt
-          - *matt_pi4
           - *matt_pi5
           - *desktop
           - *admin
           - *jallen-nas
-          - *pi4
           - *pi5
           - *deck
           - *steamdeck
@@ -35,6 +33,8 @@ creation_rules:
           - *macbook-pro
           - *admin_nuc
           - *nuc
+          - *matt_allyx
+          - *allyx
   - path_regex: nas-secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
       - pgp:
@@ -53,7 +53,7 @@ creation_rules:
           - *desktop
           - *admin
           - *jallen-nas
-  - path_regex: steamdeck-secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: allyx-secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
       - pgp:
           - *matt-pgp
@@ -64,29 +64,16 @@ creation_rules:
           - *steamdeck
           - *admin
           - *jallen-nas
-  - path_regex: pi4-secrets/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-      - pgp:
-          - *matt-pgp
-        age:
-          - *matt
-          - *matt_pi4
-          - *matt_pi5
-          - *desktop
-          - *pi4
-          - *pi5
-          - *admin
-          - *jallen-nas
+          - *matt_allyx
+          - *allyx
   - path_regex: pi5-secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
       - pgp:
           - *matt-pgp
         age:
           - *matt
-          - *matt_pi4
           - *matt_pi5
           - *desktop
-          - *pi4
           - *pi5
           - *admin
           - *jallen-nas

README.md

@@ -113,6 +113,17 @@ sudo nixos-rebuild switch --flake .#hostname
 home-manager switch --flake .#username@hostname
 ```
 
+## Documentation
+
+Comprehensive documentation is available in the [docs](./docs) directory:
+
+- [Getting Started](./docs/getting-started.md) - Instructions for setting up new systems
+- [Architecture](./docs/architecture.md) - Overview of the repository structure
+- [System Configurations](./docs/systems/README.md) - Details about each system
+- [Home Assistant](./docs/home-assistant/README.md) - Home Assistant setup and automations
+- [Custom Modules](./docs/modules/README.md) - Details about reusable configuration modules
+- [Troubleshooting](./docs/troubleshooting.md) - Common issues and solutions
+
 ## License
 
 This project is licensed under the MIT License - see the LICENSE file for details.

checks/disksnstuff.sh

@@ -1,15 +1,62 @@
-mount -t tmpfs -o mode=755 none /mnt
-mkdir -p /mnt/{boot,home,root,etc,nix,var/log}
-mount /dev/sdb1 /mnt/boot
-mount /dev/sdb3 -o compress=zstd,subvol=home /mnt/home
-mount /dev/sdb3 -o compress=zstd,noatime,subvol=root /mnt/root
-mount /dev/sdb3 -o compress=zstd,noatime,subvol=etc /mnt/etc
-mount /dev/sdb3 -o compress=zstd,noatime,subvol=nix /mnt/nix
-mount /dev/sdb3 -o compress=zstd,noatime,subvol=log /mnt/var/log
+#!/usr/bin/env bash
 
-wpa_passphrase "Joey's Jungle 5G" "kR8v&3Qd" > 5g.conf
-wpa_supplicant -i wlp6s0 -c 5g.conf -B
-dhcpcd
+disk=/dev/mapper/nuc-nixos-cryptroot
 
-keyctl link @u @s
-clevis decrypt < "/etc/clevis/nas_pool.jwe" | bcachefs unlock /dev/disk/by-label/nas_pool
+# sudo mkfs.vfat "$disk"1
+# sudo bcachefs format --label ssd.ssd1 --compression=zstd --discard "$disk"
+
+sudo mount -t tmpfs -o mode=755 none /mnt
+sudo mkdir -p /mnt/{boot,home,root,etc,nix,var/log,tmp,persist}
+sudo mount /dev/disk/by-partlabel/disk-main-nuc-nixos-EFI /mnt/boot
+# sudo mkdir -p /mnt/boot/firmware
+# sudo mount "$disk"2 /mnt/boot/firmware
+# sudo mount "$disk"2 -o compress=zstd,subvol=home /mnt/home
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=root /mnt/root
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=etc /mnt/etc
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=nix /mnt/nix
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=log /mnt/var/log
+
+# bcachefs unlock -k session /dev/disk/by-partlabel/disk-main-nuc-nixos-bcachefs-root
+sudo cryptsetup open /dev/disk/by-partlabel/disk-main-nuc-nixos-cryptroot nuc-nixos-cryptroot  
+# sudo bcachefs unlock -k session "$disk"2
+# sudo mount "$disk" /mnt/tmp
+# cd /mnt/tmp
+# ls -alh
+
+# sudo bcachefs subvolume create nix
+# sudo bcachefs subvolume create etc
+# sudo bcachefs subvolume create log
+# sudo bcachefs subvolume create root
+# sudo bcachefs subvolume create persist
+# sudo bcachefs subvolume create home
+
+# ls -alh
+# cd /etc/nixos
+# sudo umount /mnt/tmp
+
+sudo mount -o noatime,X-mount.subdir=nix "$disk" /mnt/nix
+sudo mount -o noatime,X-mount.subdir=etc "$disk" /mnt/etc
+sudo mount -o noatime,X-mount.subdir=log "$disk" /mnt/var/log
+sudo mount -o noatime,X-mount.subdir=root "$disk" /mnt/root
+sudo mount -o noatime,X-mount.subdir=persist "$disk" /mnt/persist
+sudo mount -o X-mount.subdir=home "$disk" /mnt/home
+
+# tree /mnt
+
+# sudo nixos-install --flake /etc/nixos#nuc-nixos
+
+# sudo umount /mnt/boot
+# sudo umount /mnt/var/log
+# sudo umount /mnt/persist
+# sudo umount /mnt/home
+# sudo umount /mnt/root
+# sudo umount /mnt/etc
+# sudo umount /mnt/nix
+# sudo umount /mnt
+
+# wpa_passphrase "Joey's Jungle 5G" "kR8v&3Qd" > 5g.conf
+# wpa_supplicant -i wlp6s0 -c 5g.conf -B
+# dhcpcd
+
+# keyctl link @u @s
+# clevis decrypt < "/etc/clevis/nas_pool.jwe" | bcachefs unlock /dev/disk/by-label/nas_pool

docs/README.md

@@ -0,0 +1,12 @@
+# Documentation
+
+This directory contains comprehensive documentation for the NixOS configuration.
+
+## Contents
+
+- [Getting Started](./getting-started.md) - Instructions for setting up new systems
+- [System Configurations](./systems/README.md) - Detailed information about each system
+- [Home Assistant](./home-assistant/README.md) - Documentation for the Home Assistant setup
+- [Custom Modules](./modules/README.md) - Information about reusable modules
+- [Architecture](./architecture.md) - Overview of the repository architecture
+- [Troubleshooting](./troubleshooting.md) - Common issues and solutions

docs/architecture.md

@@ -0,0 +1,104 @@
+# Repository Architecture
+
+This document provides an overview of the repository architecture, explaining how the various components fit together.
+
+## Overview
+
+This NixOS configuration repository is built using [Nix Flakes](https://nixos.wiki/wiki/Flakes) and [Snowfall Lib](https://github.com/snowfallorg/lib) to provide a modular, maintainable configuration for multiple systems.
+
+## Directory Structure
+
+```
+.
+├── checks/                # Pre-commit hooks and other checks
+├── flake.nix              # Main flake configuration
+├── homes/                 # Home-manager configurations for users
+│   ├── aarch64-darwin/    # macOS home configurations
+│   ├── aarch64-linux/     # ARM Linux home configurations
+│   └── x86_64-linux/      # x86 Linux home configurations
+├── modules/               # Reusable configuration modules
+│   ├── home/              # Home-manager modules
+│   └── nixos/             # NixOS system modules
+│       ├── boot/          # Boot configuration modules
+│       ├── desktop/       # Desktop environment modules
+│       ├── hardware/      # Hardware-specific modules
+│       ├── homeassistant/ # Home Assistant modules
+│       ├── network/       # Network configuration modules
+│       ├── services/      # Service configuration modules
+│       └── ...            # Other module categories
+├── overlays/              # Nixpkgs overlays
+├── packages/              # Custom package definitions
+├── secrets/               # Encrypted secrets (managed with sops-nix)
+└── systems/               # System-specific configurations
+    ├── aarch64-darwin/    # macOS system configurations
+    ├── aarch64-linux/     # ARM Linux system configurations
+    └── x86_64-linux/      # x86 Linux system configurations
+        ├── jallen-nas/    # NAS server configuration
+        ├── matt-nixos/    # Desktop configuration
+        ├── nuc-nixos/     # NUC configuration
+        └── ...            # Other system configurations
+```
+
+## Flake Structure
+
+The `flake.nix` file defines the inputs (external dependencies) and outputs (configurations) of this repository:
+
+### Inputs
+
+- **nixpkgs-unstable**: The unstable channel of Nixpkgs
+- **nixpkgs-stable**: The stable channel of Nixpkgs (25.11)
+- **home-manager**: User environment management
+- **snowfall-lib**: Library for structuring flake repositories
+- **impermanence**: Persistent state management
+- **lanzaboote**: Secure boot implementation
+- **nixos-hardware**: Hardware-specific configurations
+- **sops-nix**: Secret management
+- **disko**: Disk partitioning and formatting
+- **And more specialized inputs**
+
+### Outputs
+
+The outputs are generated using Snowfall Lib's `mkFlake` function, which automatically discovers and assembles:
+
+- **NixOS system configurations**: For each system in the `systems/` directory
+- **Home Manager configurations**: For each configuration in the `homes/` directory
+- **Packages**: From the `packages/` directory
+- **Modules**: From the `modules/` directory
+- **Overlays**: From the `overlays/` directory
+
+## Module System
+
+The module system uses a modular approach where:
+
+1. **Common modules** are defined in `modules/nixos/` and `modules/home/`
+2. **System-specific modules** are defined in `systems/<architecture>/<hostname>/`
+
+Each module follows the NixOS module pattern, with:
+- `default.nix`: Main module implementation
+- `options.nix`: Option declarations
+
+## Integration with Snowfall Lib
+
+Snowfall Lib provides:
+1. **Automatic discovery** of modules, overlays, and packages
+2. **Consistent structure** across the repository
+3. **Common utilities** for working with flakes
+
+## Secrets Management
+
+Secrets are managed using [sops-nix](https://github.com/Mic92/sops-nix), with:
+- Encrypted secret files in the `secrets/` directory
+- `.sops.yaml` configuration file in the root
+- Key management integrated into the configuration
+
+## Deployment Process
+
+Systems are built and deployed using:
+```bash
+nixos-rebuild switch --flake .#hostname
+```
+
+This command:
+1. Evaluates the flake for the specified hostname
+2. Builds the resulting configuration
+3. Activates it on the current system

docs/getting-started.md

@@ -0,0 +1,172 @@
+# Getting Started
+
+This guide will help you get started with this NixOS configuration repository.
+
+## Prerequisites
+
+- Basic knowledge of NixOS and the Nix language
+- Git installed on your system
+- Physical access to the machine you want to configure
+
+## Initial Setup
+
+### 1. Cloning the Repository
+
+Clone this repository to your local machine:
+
+```bash
+git clone ssh://nix-apps@localhost:2222/mjallen/nix-config.git
+cd nix-config
+```
+
+### 2. Setting Up a New System
+
+#### Option 1: Using an Existing Configuration
+
+If you're setting up a new machine that should be identical to an existing configuration:
+
+1. Boot from a NixOS installation media
+2. Mount your target partitions to `/mnt`
+3. Clone this repository:
+   ```bash
+   nixos-enter
+   cd /mnt
+   mkdir -p /mnt/etc/nixos
+   git clone ssh://nix-apps@localhost:2222/mjallen/nix-config.git /mnt/etc/nixos
+   ```
+4. Install NixOS with the desired system profile:
+   ```bash
+   nixos-install --flake /mnt/etc/nixos#hostname
+   ```
+   Replace `hostname` with the target system name (e.g., `matt-nixos`, `jallen-nas`, etc.)
+
+#### Option 2: Creating a New System Configuration
+
+If you're adding a completely new system:
+
+1. Create a new directory for your system configuration:
+   ```bash
+   mkdir -p systems/$(uname -m)-linux/new-hostname
+   ```
+   
+2. Create the basic configuration files:
+   ```bash
+   cat > systems/$(uname -m)-linux/new-hostname/default.nix << EOF
+   { lib, pkgs, ... }:
+   {
+     imports = [
+       ./hardware-configuration.nix
+       # Add other needed module imports here
+     ];
+   
+     networking.hostName = "new-hostname";
+   
+     # Add your system-specific configuration here
+   }
+   EOF
+   ```
+
+3. Generate the hardware configuration:
+   ```bash
+   nixos-generate-config --no-filesystems --dir systems/$(uname -m)-linux/new-hostname/
+   ```
+
+4. Add your new system to the flake by adding it to the `hosts` section in `flake.nix`
+
+5. Build and install the configuration:
+   ```bash
+   sudo nixos-rebuild switch --flake .#new-hostname
+   ```
+
+## Secret Management
+
+### Setting Up Sops-Nix
+
+1. Create a GPG key if you don't already have one:
+   ```bash
+   gpg --full-generate-key
+   ```
+   
+2. Add your key to `.sops.yaml`:
+   ```bash
+   # Get your key fingerprint
+   gpg --list-secret-keys --keyid-format=long
+   
+   # Edit the .sops.yaml file to add your key
+   ```
+
+3. Create a new encrypted secret:
+   ```bash
+   sops secrets/newsecret.yaml
+   ```
+
+## Common Tasks
+
+### Updating the Repository
+
+```bash
+git pull
+sudo nixos-rebuild switch --flake .#hostname
+```
+
+### Adding a New Package
+
+1. For standard packages, add them to your system or home configuration:
+   ```nix
+   environment.systemPackages = with pkgs; [
+     new-package
+   ];
+   ```
+
+2. For custom packages, add them to the `packages` directory:
+   ```bash
+   mkdir -p packages/new-package
+   # Create the necessary Nix files
+   ```
+
+### Adding a New Module
+
+1. Create a new module directory:
+   ```bash
+   mkdir -p modules/nixos/new-module
+   ```
+
+2. Create the module files:
+   ```bash
+   # Create options.nix
+   cat > modules/nixos/new-module/options.nix << EOF
+   { lib, namespace, ... }:
+   with lib;
+   {
+     options.${namespace}.new-module = {
+       enable = mkEnableOption "Enable new module";
+       # Add other options here
+     };
+   }
+   EOF
+   
+   # Create default.nix
+   cat > modules/nixos/new-module/default.nix << EOF
+   { config, lib, namespace, ... }:
+   let
+     cfg = config.${namespace}.new-module;
+   in
+   {
+     imports = [ ./options.nix ];
+   
+     config = lib.mkIf cfg.enable {
+       # Add your configuration here
+     };
+   }
+   EOF
+   ```
+
+3. Import your module in your system configuration:
+   ```nix
+   imports = [
+     # ...
+     ../../../modules/nixos/new-module
+   ];
+   
+   ${namespace}.new-module.enable = true;
+   ```

docs/home-assistant/README.md

@@ -0,0 +1,188 @@
+# Home Assistant Configuration
+
+This document provides comprehensive information about the Home Assistant setup in this NixOS configuration.
+
+## Overview
+
+Home Assistant is configured as a NixOS service with custom components, integrations, and automations. The configuration uses a modular approach with separate files for different aspects of the setup.
+
+## Module Structure
+
+The Home Assistant configuration is organized in the following structure:
+
+```
+modules/nixos/homeassistant/
+├── automations/              # Automation configurations
+│   ├── lightswitch/          # Light switch automations
+│   └── motion-light/         # Motion-activated light automations
+├── default.nix               # Main module configuration
+├── options.nix               # Module options definition
+└── services/                 # Related service configurations
+    ├── govee2mqtt/           # Govee integration via MQTT
+    ├── homeassistant/        # Core Home Assistant service
+    ├── music-assistant/      # Music Assistant integration
+    ├── thread/               # Thread border router
+    └── zigbee2mqtt/          # Zigbee to MQTT bridge
+```
+
+## Installation
+
+The Home Assistant module is enabled in the system configuration by setting:
+
+```nix
+mjallen.services.home-assistant.enable = true;
+```
+
+This activates Home Assistant and related services such as MQTT, Zigbee2MQTT, and the Matter server.
+
+## Configuration Options
+
+The module provides several configuration options:
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enable` | boolean | `false` | Enable Home Assistant and related services |
+| `mosquittoPort` | integer | `1883` | Port for the MQTT broker |
+| `zigbee2mqttPort` | integer | `8080` | Port for the Zigbee2MQTT web interface |
+| `zigbeeDevicePath` | string | `/dev/ttyUSB0` | Path to the Zigbee USB device |
+
+## Core Services
+
+### Home Assistant
+
+The main Home Assistant service is configured in `services/homeassistant/default.nix` with:
+
+- PostgreSQL database backend
+- Custom components
+- Custom Lovelace modules
+- HTTPS access with authentication
+- Integration with other services
+
+### MQTT
+
+MQTT is used as a messaging protocol for various smart home devices. The Mosquitto MQTT broker is automatically configured when Home Assistant is enabled.
+
+### Zigbee2MQTT
+
+Zigbee2MQTT allows integration with Zigbee devices. It's configured with:
+
+- Automatic discovery for Home Assistant
+- OTA updates for Zigbee devices
+- Web interface for management
+
+### Thread Border Router
+
+The Thread Border Router provides integration with Thread-based devices like Matter devices.
+
+## Custom Components
+
+The following custom components are included:
+
+- `ha-anycubic` - Anycubic 3D printer integration
+- `ha-bambulab` - Bambu Lab 3D printer integration
+- `ha-bedjet` - BedJet climate control integration
+- `ha-gehome` - GE Home appliance integration
+- `ha-icloud3` - Enhanced iCloud device tracking
+- `ha-local-llm` - Local LLM integration
+- `ha-mail-and-packages` - Mail and package delivery tracking
+- `ha-nanokvm` - NanoKVM integration
+- `ha-openhasp` - openHASP integration for DIY displays
+- `ha-overseerr` - Overseerr media request integration
+- `ha-petlibro` - PetLibro pet feeder integration
+- `ha-wyzeapi` - Wyze device integration
+
+## Automations
+
+### Light Switch Automations
+
+The light switch automations handle physical switch inputs for controlling smart lights.
+
+### Motion Light Automations
+
+Motion light automations turn lights on when motion is detected and off after a period of inactivity.
+
+### Custom Automations
+
+Additional automations are placed in the `/etc/hass` directory and are included in the Home Assistant configuration. These include:
+
+- `fountain_automation.yaml` - Toggles the water dispensing mode on the Dockstream Smart RFID Fountain every 15 minutes between constant and intermittent flow.
+
+## Smart Home Devices
+
+The configuration includes support for various smart home devices:
+
+### Lighting
+
+- Various smart lights throughout the home
+
+### Climate
+
+- Smart thermostat
+- Humidifier control
+
+### Pet Care
+
+- Dockstream Smart RFID Fountain with scheduling
+- Smart pet feeders for pets named Joey and Luci
+- Litter-Robot 4 smart litter box
+
+### Media
+
+- Google Cast devices
+- Smart TVs
+- Media players
+
+### Sensors
+
+- Temperature, humidity, and motion sensors
+- Door and window sensors
+- Presence detection
+
+## Integration with Other Services
+
+Home Assistant is integrated with:
+
+- **Music Assistant** - For enhanced music streaming capabilities
+- **Govee Integration** - For Govee smart devices
+- **Matter** - For Matter-compatible devices
+
+## Adding New Automations
+
+To add a new automation:
+
+1. Create a YAML file with the automation definition
+2. Place it in `/etc/hass`
+3. The automation will be automatically included in Home Assistant
+
+Example automation format:
+
+```yaml
+alias: "Automation Name"
+description: "Description of what the automation does"
+trigger:
+  - platform: state
+    entity_id: binary_sensor.motion_sensor
+    to: "on"
+condition: []
+action:
+  - service: light.turn_on
+    target:
+      entity_id: light.living_room
+mode: single
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Zigbee Device Pairing Issues**
+   - Make sure the Zigbee coordinator is properly connected
+   - Check the Zigbee2MQTT logs for errors
+
+2. **Service Unavailable**
+   - Check if all related services are running
+   - Verify firewall rules allow access to the services
+
+3. **Database Issues**
+   - Check PostgreSQL service status
+   - Verify database connection settings

docs/home-assistant/automations.md

@@ -0,0 +1,148 @@
+# Home Assistant Automations
+
+This document details the automations configured in the Home Assistant setup.
+
+## Automation Types
+
+Automations in this configuration are managed in several ways:
+
+1. **Module-Based Automations**: Defined in Nix modules within the `modules/nixos/homeassistant/automations/` directory
+2. **YAML Automations**: Defined in YAML files and included via the `automation manual` directive
+3. **UI-Created Automations**: Created through the Home Assistant UI and stored in `automations.yaml`
+
+## Module-Based Automations
+
+### Light Switch Automations
+
+**Location**: `modules/nixos/homeassistant/automations/lightswitch/`
+
+These automations link physical light switches to smart lights:
+
+- **Bedroom Light Switch**: Controls the bedroom lights
+- **Living Room Light Switch**: Controls the living room lights
+- **Bedroom Closet Lights**: Controls the closet lights
+
+### Motion-Activated Light Automations
+
+**Location**: `modules/nixos/homeassistant/automations/motion-light/`
+
+These automations turn lights on when motion is detected and off after a period of inactivity.
+
+## YAML Automations
+
+### Fountain Cycling Automation
+
+**Location**: `/etc/nixos/fountain_automation.yaml`
+
+This automation toggles the water dispensing mode on the Dockstream Smart RFID Fountain every 15 minutes:
+
+```yaml
+alias: "Fountain Cycle Mode"
+description: "Toggles fountain water mode every 15 minutes between constant and intermittent flow"
+trigger:
+  - platform: time_pattern
+    minutes: "/15"  # Every 15 minutes
+condition: []
+action:
+  - service: select.select_next
+    target:
+      entity_id: select.dockstream_smart_rfid_fountain_water_dispensing_mode
+mode: single
+id: fountain_cycle_mode
+```
+
+This automation:
+1. Triggers every 15 minutes
+2. Uses the `select.select_next` service to toggle between the two available options:
+   - "Flowing Water (Constant)"
+   - "Intermittent Water (Scheduled)"
+
+The fountain is also configured with:
+- Water Interval: 10 minutes
+- Water Dispensing Duration: 15 minutes
+
+## Creating New Automations
+
+### Method 1: Module-Based Automation
+
+For reusable, complex automations that should be managed in code:
+
+1. Create a new directory in `modules/nixos/homeassistant/automations/`
+2. Create a `default.nix` file with the automation logic
+
+Example:
+```nix
+{ config, lib, ... }:
+{
+  config = {
+    services.home-assistant.config."automation manual" = [
+      {
+        alias = "Example Automation";
+        description = "Example automation created via Nix module";
+        trigger = [
+          {
+            platform = "state";
+            entity_id = "binary_sensor.example_sensor";
+            to = "on";
+          }
+        ];
+        action = [
+          {
+            service = "light.turn_on";
+            target.entity_id = "light.example_light";
+          }
+        ];
+        mode = "single";
+      }
+    ];
+  };
+}
+```
+
+### Method 2: YAML Automation
+
+For simpler automations:
+
+1. Create a YAML file with the automation definition
+2. Place it in `/etc/hass/`
+
+Example:
+```yaml
+alias: "Example Automation"
+description: "Example automation in YAML"
+trigger:
+  - platform: state
+    entity_id: binary_sensor.example_sensor
+    to: "on"
+action:
+  - service: light.turn_on
+    target:
+      entity_id: light.example_light
+mode: single
+```
+
+### Method 3: UI Creation
+
+For quick prototyping or simple automations:
+
+1. Go to Home Assistant UI > Settings > Automations & Scenes
+2. Click "+ Add Automation"
+3. Configure using the UI editor
+
+## Testing Automations
+
+To test an automation:
+
+1. In the Home Assistant UI, go to Developer Tools > Services
+2. Select `automation.trigger` as the service
+3. Enter the entity_id of your automation in the service data field
+4. Click "Call Service" to trigger the automation manually
+
+## Troubleshooting
+
+If an automation isn't working as expected:
+
+1. Check the Home Assistant logs for errors
+2. Verify entity names and service calls are correct
+3. Test individual triggers and actions separately
+4. Use the "Debug" section in the automation editor to trace execution

docs/home-assistant/fountain-automation.md

@@ -0,0 +1,96 @@
+# Pet Fountain Automation
+
+This document details the automation for the Dockstream Smart RFID Fountain device.
+
+## Overview
+
+The Dockstream Smart RFID Fountain is a smart pet fountain controlled through Home Assistant. A custom automation has been created to toggle the water dispensing mode between constant flow and intermittent flow every 15 minutes. This cycling helps keep the water fresh while reducing energy consumption.
+
+## Fountain Configuration
+
+The Dockstream Smart RFID Fountain has the following settings in Home Assistant:
+
+| Setting | Entity ID | Value | Description |
+|---------|-----------|-------|-------------|
+| Water Dispensing Mode | `select.dockstream_smart_rfid_fountain_water_dispensing_mode` | Toggles between modes | Controls how water flows |
+| Water Interval | `number.dockstream_smart_rfid_fountain_water_interval` | 10 minutes | Time between water dispensing in intermittent mode |
+| Water Dispensing Duration | `number.dockstream_smart_rfid_fountain_water_dispensing_duration` | 15 minutes | How long water flows in intermittent mode |
+| Cleaning Cycle | `number.dockstream_smart_rfid_fountain_cleaning_cycle` | 14 days | Reminder interval for cleaning |
+
+## Available Modes
+
+The fountain supports two water dispensing modes:
+
+1. **Flowing Water (Constant)** - Water flows continuously
+2. **Intermittent Water (Scheduled)** - Water flows according to the interval and duration settings
+
+## Automation Details
+
+The fountain cycling automation is defined in `/etc/nixos/fountain_automation.yaml`:
+
+```yaml
+alias: "Fountain Cycle Mode"
+description: "Toggles fountain water mode every 15 minutes between constant and intermittent flow"
+trigger:
+  - platform: time_pattern
+    minutes: "/15"  # Every 15 minutes
+condition: []
+action:
+  - service: select.select_next
+    target:
+      entity_id: select.dockstream_smart_rfid_fountain_water_dispensing_mode
+mode: single
+id: fountain_cycle_mode
+```
+
+### How It Works
+
+1. **Trigger**: The automation runs every 15 minutes based on the time pattern trigger
+2. **Action**: It uses the `select.select_next` service to toggle to the next available option
+3. **Mode**: Set to "single" to prevent multiple executions if triggers overlap
+
+## Installation
+
+The automation is included in Home Assistant via the `automation manual` directive in the Home Assistant configuration:
+
+```yaml
+"automation manual" = "!include_dir_merge_list /etc/hass";
+```
+
+The YAML file needs to be placed in the `/etc/hass` directory to be loaded.
+
+## Testing
+
+To manually test the automation:
+
+1. In Home Assistant UI, go to Developer Tools > Services
+2. Select `automation.trigger` as the service
+3. Enter the following service data:
+   ```yaml
+   entity_id: automation.fountain_cycle_mode
+   ```
+4. Click "Call Service" to trigger the automation
+
+## Customizing
+
+To adjust the cycling interval:
+
+1. Edit the YAML file at `/etc/nixos/fountain_automation.yaml`
+2. Change the `minutes` value in the trigger section (e.g., from `"/15"` to `"/30"` for every 30 minutes)
+3. Save the file
+4. Restart Home Assistant or reload automations
+
+To adjust fountain settings:
+
+1. In Home Assistant UI, go to Settings > Devices & Services
+2. Find the Dockstream Smart RFID Fountain device
+3. Adjust the water interval or dispensing duration settings
+
+## Troubleshooting
+
+If the automation is not working as expected:
+
+1. Check that the entity ID is correct and the fountain is online
+2. Verify that Home Assistant is including the automation file correctly
+3. Look for errors in the Home Assistant logs related to the automation or the fountain
+4. Try manually controlling the fountain to ensure it responds to commands

docs/modules/README.md

@@ -0,0 +1,116 @@
+# Custom Modules
+
+This directory contains documentation for the custom modules used in this NixOS configuration.
+
+## Module Types
+
+The repository uses two main types of modules:
+
+1. **NixOS Modules** - System-level configurations in `modules/nixos/`
+2. **Home Manager Modules** - User-level configurations in `modules/home/`
+
+## NixOS Modules
+
+These modules configure the system-level aspects of NixOS:
+
+- [Boot Modules](./boot.md) - Boot loader and kernel configurations
+- [Desktop Modules](./desktop.md) - Desktop environment configurations
+- [Development Modules](./development.md) - Development tools and environments
+- [Hardware Modules](./hardware.md) - Hardware-specific configurations
+- [Home Assistant Modules](./homeassistant.md) - Home automation configuration
+- [Networking Modules](./network.md) - Network configuration and services
+- [Security Modules](./security.md) - Security-related configurations
+- [Services Modules](./services.md) - Various service configurations
+- [System Modules](./system.md) - General system configurations
+- [Virtualization Modules](./virtualization.md) - Virtualization and containerization
+
+## Home Manager Modules
+
+These modules configure user environments:
+
+- [Applications](./home/applications.md) - User applications
+- [Desktop](./home/desktop.md) - User desktop environments
+- [Development](./home/development.md) - User development environments
+- [Media](./home/media.md) - Media applications
+- [Shell](./home/shell.md) - Shell configurations
+
+## Module Structure
+
+Each module follows a standard structure:
+
+```
+modules/nixos/example-module/
+├── default.nix       # Main implementation
+├── options.nix       # Option declarations
+└── submodule/        # Optional submodules
+    └── default.nix   # Submodule implementation
+```
+
+### default.nix
+
+The `default.nix` file contains the main implementation of the module:
+
+```nix
+{
+  config,
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+let
+  cfg = config.${namespace}.example-module;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = lib.mkIf cfg.enable {
+    # Module implementation when enabled
+  };
+}
+```
+
+### options.nix
+
+The `options.nix` file declares the module's configuration options:
+
+```nix
+{ lib, namespace, ... }:
+with lib;
+let
+  inherit (lib.${namespace}) mkOpt;
+in
+{
+  options.${namespace}.example-module = {
+    enable = mkEnableOption "enable example module";
+    # Other option declarations
+  };
+}
+```
+
+## Using Modules
+
+To use a module in your system configuration:
+
+1. Enable the module in your system configuration:
+
+```nix
+{ config, ... }:
+{
+  mjallen.example-module = {
+    enable = true;
+    # Other options
+  };
+}
+```
+
+## Creating New Modules
+
+To create a new module:
+
+1. Create a new directory in `modules/nixos/` or `modules/home/`
+2. Create `default.nix` and `options.nix` files
+3. Implement your module functionality
+4. Import the module in your system configuration
+
+See the [Getting Started](../getting-started.md) guide for more details on creating modules.

docs/modules/homeassistant.md

@@ -0,0 +1,190 @@
+# Home Assistant Module
+
+This document details the Home Assistant module configuration.
+
+## Module Structure
+
+The Home Assistant module is organized in the following structure:
+
+```
+modules/nixos/homeassistant/
+├── automations/              # Automation configurations
+│   ├── lightswitch/          # Light switch automations
+│   └── motion-light/         # Motion-activated light automations
+├── default.nix               # Main module configuration
+├── options.nix               # Module options definition
+└── services/                 # Related service configurations
+    ├── govee2mqtt/           # Govee integration via MQTT
+    ├── homeassistant/        # Core Home Assistant service
+    ├── music-assistant/      # Music Assistant integration
+    ├── thread/               # Thread border router
+    └── zigbee2mqtt/          # Zigbee to MQTT bridge
+```
+
+## Module Options
+
+The module is configured through options defined in `options.nix`:
+
+```nix
+options.${namespace}.services.home-assistant = {
+  enable = mkEnableOption "enable home-assistant";
+  mosquittoPort = mkOpt types.int 1883 "Port for MQTT";
+  zigbee2mqttPort = mkOpt types.int 8080 "Port for zigbee2mqtt web interface";
+  zigbeeDevicePath = mkOpt types.str "/dev/ttyUSB0" "Path to zigbee usb device";
+};
+```
+
+## Main Configuration
+
+The main module configuration in `default.nix` includes:
+
+1. **Activation Scripts** - For setting up custom components
+2. **Service Configurations** - For Matter, PostgreSQL, etc.
+3. **Firewall Rules** - For allowing required ports
+
+```nix
+config = lib.mkIf cfg.enable {
+  # Activation script for custom components
+  system.activationScripts.installCustomComponents = ''
+    chown -R hass:hass ${config.services.home-assistant.configDir}
+    chmod -R 750 ${config.services.home-assistant.configDir}
+  '';
+
+  # Service configurations
+  services = {
+    matter-server.enable = true;
+    postgresql = {
+      enable = false;
+      ensureDatabases = [ "hass" ];
+      ensureUsers = [
+        {
+          name = "hass";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+  };
+
+  # Firewall rules
+  networking.firewall.allowedTCPPorts = [
+    cfg.mosquittoPort
+    cfg.zigbee2mqttPort
+    8095 # music-assistant
+    8097 # home-assistant
+    5580 # matter-server
+  ];
+};
+```
+
+## Home Assistant Service
+
+The core Home Assistant service configuration in `services/homeassistant/default.nix` includes:
+
+1. **Package Selection** - Using the standard Home Assistant package
+2. **Component Configuration** - Enabling required components
+3. **Custom Components** - Adding custom components from packages
+4. **Lovelace Modules** - Adding custom UI components
+5. **Integration Configuration** - Setting up integrations with other systems
+
+```nix
+services.home-assistant = {
+  enable = true;
+  package = pkgs.home-assistant;
+  openFirewall = true;
+  configDir = "/var/lib/homeassistant";
+  configWritable = true;
+  
+  # Components
+  extraComponents = [
+    "mqtt"
+    "zha"
+    "homekit"
+    # ... many more components
+  ];
+  
+  # Custom components
+  customComponents = [
+    # ... custom components
+  ];
+  
+  # Lovelace modules
+  customLovelaceModules = [
+    # ... custom UI modules
+  ];
+  
+  # Configuration
+  config = {
+    # ... Home Assistant configuration
+  };
+};
+```
+
+## Related Services
+
+### Zigbee2MQTT
+
+The Zigbee2MQTT service in `services/zigbee2mqtt/default.nix` connects Zigbee devices to MQTT:
+
+```nix
+services.zigbee2mqtt = {
+  enable = true;
+  settings = {
+    mqtt = {
+      server = "mqtt://localhost:${toString cfg.mosquittoPort}";
+    };
+    serial = {
+      port = cfg.zigbeeDevicePath;
+    };
+    # ... additional settings
+  };
+};
+```
+
+### MQTT
+
+MQTT is configured as a dependency for the Home Assistant module.
+
+### Thread Border Router
+
+The Thread Border Router in `services/thread/default.nix` provides Thread network connectivity for Matter devices.
+
+## Automations
+
+The module includes predefined automations in the `automations/` directory:
+
+1. **Light Switch Automations** - For controlling lights via physical switches
+2. **Motion Light Automations** - For motion-activated lighting
+
+## Using the Module
+
+To use this module in a system configuration:
+
+```nix
+{ config, ... }:
+{
+  mjallen.services.home-assistant = {
+    enable = true;
+    # Optional: customize ports and device paths
+    mosquittoPort = 1883;
+    zigbee2mqttPort = 8080;
+    zigbeeDevicePath = "/dev/ttyUSB0";
+  };
+}
+```
+
+## Extending the Module
+
+### Adding Custom Components
+
+To add a custom component:
+
+1. Add the package to `packages/`
+2. Add it to the `customComponents` list in `services/homeassistant/default.nix`
+
+### Adding Custom Automations
+
+To add a custom automation:
+
+1. Create a new directory in `automations/`
+2. Implement the automation in `default.nix`
+3. Import it in the system configuration

docs/systems/README.md

@@ -0,0 +1,22 @@
+# System Configurations
+
+This directory contains documentation for each system configuration in this repository.
+
+## Systems
+
+- [Desktop (matt-nixos)](./matt-nixos.md) - Main desktop computer
+- [NAS (jallen-nas)](./jallen-nas.md) - Home server and NAS
+- [NUC (nuc-nixos)](./nuc-nixos.md) - Intel NUC
+- [Raspberry Pi 5](./pi5.md) - Raspberry Pi 5
+- [MacBook Pro (nixOS)](./macbook-pro-nixos.md) - MacBook Pro running NixOS
+
+## Common Configuration
+
+All systems share certain common configurations through the modules system. These include:
+
+- Base system configuration
+- User management
+- Network configuration
+- Security settings
+
+Each system then adds its specific configurations on top of these common modules.

docs/systems/jallen-nas.md

@@ -0,0 +1,101 @@
+# NAS Server (jallen-nas)
+
+This document describes the configuration for the NAS server system.
+
+## Hardware
+
+The NAS server is built on AMD hardware:
+
+- CPU: AMD processor
+- Hardware-specific modules:
+  - `nixos-hardware.nixosModules.common-pc`
+  - `nixos-hardware.nixosModules.common-cpu-amd`
+  - `nixos-hardware.nixosModules.common-cpu-amd-pstate`
+  - `nixos-hardware.nixosModules.common-hidpi`
+
+## Services
+
+The NAS hosts various services:
+
+### Media Services
+
+- **Jellyfin** - Media server
+- **Jellyseerr** - Media request manager
+- **Sonarr** - TV show management
+- **Radarr** - Movie management
+- **Lidarr** - Music management
+- **Bazarr** - Subtitle management
+- **Music Assistant** - Music streaming integration with Home Assistant
+
+### Download Services
+
+- **Transmission** - Torrent client
+- **NZBGet** - Usenet downloader
+- **Prowlarr** - Indexer manager
+
+### Document Management
+
+- **Paperless-ngx** - Document management system
+
+### File Sharing
+
+- **Samba** - Windows file sharing
+- **Nextcloud** - Self-hosted cloud storage
+
+### AI Services
+
+- **Ollama** - Local AI model hosting
+
+### Smart Home
+
+- **Home Assistant** - Smart home controller
+- **Zigbee2MQTT** - Zigbee device integration
+- **MQTT** - Message broker for IoT devices
+- **Thread Border Router** - Thread network for smart home devices
+
+## Storage Configuration
+
+The NAS uses multiple storage devices:
+
+1. **System Drive** - For the operating system
+2. **Data Drives** - Configured as a storage array for media and data
+
+## Network Configuration
+
+The NAS is configured with:
+
+- Static IP address
+- Firewall rules for the various services
+- Tailscale for secure remote access
+
+## Backup Strategy
+
+The NAS implements a comprehensive backup strategy:
+
+1. **System Backup** - Regular backups of the NixOS configuration
+2. **Data Backup** - Backups of important data to secondary storage
+3. **Off-site Backup** - Critical data is backed up off-site
+
+## Usage and Management
+
+### Accessing Services
+
+Most services are available through a reverse proxy, which provides:
+- HTTPS access
+- Authentication via Authentik
+- Subdomain-based routing
+
+### Adding Storage
+
+To add additional storage to the NAS:
+
+1. Add the physical drive to the system
+2. Update the disko configuration
+3. Rebuild the system with `nixos-rebuild switch`
+
+### Monitoring
+
+The system can be monitored through:
+- Prometheus metrics
+- Grafana dashboards
+- Home Assistant sensors

docs/troubleshooting.md

@@ -0,0 +1,213 @@
+# Troubleshooting Guide
+
+This guide provides solutions for common issues that may arise when using this NixOS configuration.
+
+## System Issues
+
+### Failed System Build
+
+**Problem**: `nixos-rebuild switch` fails with an error.
+
+**Solutions**:
+
+1. **Syntax Errors**:
+   - Check the error message for file and line number information
+   - Verify the syntax in the mentioned file
+   - Common issues include missing semicolons, curly braces, or mismatched quotes
+
+2. **Missing Dependencies**:
+   - If the error mentions a missing package or dependency:
+     ```
+     git pull  # Update to the latest version
+     nix flake update  # Update the flake inputs
+     ```
+
+3. **Conflicting Modules**:
+   - Look for modules that might be configuring the same options incompatibly
+   - Disable one of the conflicting modules or adjust their configurations
+
+4. **Disk Space Issues**:
+   - Check available disk space with `df -h`
+   - Clear old generations: `sudo nix-collect-garbage -d`
+
+### Boot Issues
+
+**Problem**: System fails to boot after a configuration change.
+
+**Solutions**:
+
+1. **Boot into a Previous Generation**:
+   - At the boot menu, select an older generation
+   - Once booted, revert the problematic change:
+     ```
+     cd /etc/nixos
+     git revert HEAD  # Or edit the files directly
+     sudo nixos-rebuild switch
+     ```
+
+2. **Boot from Installation Media**:
+   - Boot from a NixOS installation media
+   - Mount your system:
+     ```
+     sudo mount /dev/disk/by-label/nixos /mnt
+     sudo mount /dev/disk/by-label/boot /mnt/boot  # If separate boot partition
+     ```
+   - Chroot into your system:
+     ```
+     sudo nixos-enter --root /mnt
+     cd /etc/nixos
+     git revert HEAD  # Or edit the files directly
+     nixos-rebuild switch --install-bootloader
+     ```
+
+## Home Assistant Issues
+
+### Home Assistant Fails to Start
+
+**Problem**: Home Assistant service fails to start.
+
+**Solutions**:
+
+1. **Check Service Status**:
+   ```
+   systemctl status home-assistant
+   journalctl -u home-assistant -n 100
+   ```
+
+2. **Database Issues**:
+   - Check PostgreSQL is running: `systemctl status postgresql`
+   - Verify database connection settings in Home Assistant configuration
+
+3. **Permission Issues**:
+   - Check ownership and permissions on config directory:
+     ```
+     ls -la /var/lib/homeassistant
+     sudo chown -R hass:hass /var/lib/homeassistant
+     sudo chmod -R 750 /var/lib/homeassistant
+     ```
+
+4. **Custom Component Issues**:
+   - Try disabling custom components to isolate the issue:
+     - Edit `modules/nixos/homeassistant/services/homeassistant/default.nix`
+     - Comment out the `customComponents` section
+     - Rebuild: `sudo nixos-rebuild switch`
+
+### Zigbee Device Connection Issues
+
+**Problem**: Zigbee devices fail to connect or are unstable.
+
+**Solutions**:
+
+1. **Verify Device Path**:
+   - Check the Zigbee coordinator is properly detected:
+     ```
+     ls -la /dev/ttyUSB*
+     ```
+   - Update the device path if needed:
+     - Edit your system configuration
+     - Set `mjallen.services.home-assistant.zigbeeDevicePath` to the correct path
+     - Rebuild: `sudo nixos-rebuild switch`
+
+2. **Interference Issues**:
+   - Move the Zigbee coordinator away from other wireless devices
+   - Try a USB extension cable to improve positioning
+   - Change Zigbee channel in Zigbee2MQTT configuration
+
+3. **Reset Zigbee2MQTT**:
+   ```
+   systemctl restart zigbee2mqtt
+   ```
+
+### Automation Issues
+
+**Problem**: Automations don't run as expected.
+
+**Solutions**:
+
+1. **Check Automation Status**:
+   - In Home Assistant UI, verify the automation is enabled
+   - Check Home Assistant logs for automation execution errors
+
+2. **Entity Issues**:
+   - Verify entity IDs are correct
+   - Check if entities are available/connected
+   - Test direct service calls to verify entity control works
+
+3. **Trigger Issues**:
+   - Test the automation manually via Developer Tools > Services
+   - Use `automation.trigger` service with the automation's entity_id
+
+## Flake Issues
+
+### Flake Input Update Errors
+
+**Problem**: `nix flake update` fails or causes issues.
+
+**Solutions**:
+
+1. **Selective Updates**:
+   - Update specific inputs instead of all at once:
+     ```
+     nix flake lock --update-input nixpkgs
+     ```
+
+2. **Rollback Flake Lock**:
+   - If an update causes issues, revert to previous flake.lock:
+     ```
+     git checkout HEAD^ -- flake.lock
+     ```
+
+3. **Pin to Specific Revisions**:
+   - In `flake.nix`, pin problematic inputs to specific revisions:
+     ```nix
+     nixpkgs-stable.url = "github:NixOS/nixpkgs/5233fd2ba76a3accb05f88b08917450363be8899";
+     ```
+
+## Secret Management Issues
+
+### Sops Decryption Errors
+
+**Problem**: Sops fails to decrypt secrets.
+
+**Solutions**:
+
+1. **Key Issues**:
+   - Verify your GPG key is available and unlocked
+   - Check `.sops.yaml` includes your key fingerprint
+
+2. **Permission Issues**:
+   - Check file permissions on secret files
+   - Make sure the user running `nixos-rebuild` has access to the GPG key
+
+## Network Issues
+
+### Firewall Blocks Services
+
+**Problem**: Services are not accessible due to firewall rules.
+
+**Solutions**:
+
+1. **Check Firewall Status**:
+   ```
+   sudo nix-shell -p iptables --run "iptables -L"
+   ```
+
+2. **Verify Firewall Configuration**:
+   - Check if ports are properly allowed in the configuration
+   - Add missing ports if necessary
+
+3. **Temporary Disable Firewall** (for testing only):
+   ```
+   sudo systemctl stop firewall
+   # After testing
+   sudo systemctl start firewall
+   ```
+
+## Getting Help
+
+If you encounter an issue not covered in this guide:
+
+1. Check the NixOS Wiki: https://nixos.wiki/
+2. Search the NixOS Discourse forum: https://discourse.nixos.org/
+3. Join the NixOS Matrix/Discord community for real-time help
+4. File an issue in the repository if you believe you've found a bug

docs/version.schema.json

@@ -0,0 +1,208 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://example.invalid/version.schema.json",
+  "title": "Unified Package Version Schema",
+  "description": "Schema for a unified version.json used by packages/",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "schemaVersion",
+    "sources"
+  ],
+  "properties": {
+    "schemaVersion": {
+      "type": "integer",
+      "enum": [1],
+      "description": "Schema version. Start at 1; bump on breaking changes."
+    },
+    "variables": {
+      "type": "object",
+      "description": "Common variables available for template substitution in string fields.",
+      "additionalProperties": {
+        "type": "string"
+      }
+    },
+    "defaultVariant": {
+      "type": "string",
+      "description": "Optional default variant name for consumers."
+    },
+    "sources": {
+      "type": "object",
+      "description": "Base component sources keyed by component name.",
+      "minProperties": 1,
+      "additionalProperties": {
+        "$ref": "#/$defs/SourceSpec"
+      }
+    },
+    "variants": {
+      "type": "object",
+      "description": "Optional variants/channels/flavors; each overlays the base.",
+      "additionalProperties": {
+        "$ref": "#/$defs/VariantSpec"
+      }
+    },
+    "notes": {
+      "type": "object",
+      "description": "Optional free-form human notes/documentation.",
+      "additionalProperties": true
+    }
+  },
+  "$defs": {
+    "SourceSpecBase": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "fetcher": {
+          "type": "string",
+          "enum": ["github", "git", "url", "pypi", "none"],
+          "description": "Fetcher type for this source."
+        },
+        "hash": {
+          "type": "string",
+          "pattern": "^sha[0-9]+-",
+          "description": "SRI hash for the fetched artifact. Required unless fetcher is 'none'."
+        },
+        "version": {
+          "type": "string",
+          "description": "Optional version string metadata for this component."
+        },
+        "extra": {
+          "type": "object",
+          "description": "Optional free-form metadata for consumer logic.",
+          "additionalProperties": true
+        },
+
+        "owner": { "type": "string", "description": "GitHub owner/org (github fetcher)." },
+        "repo":  { "type": "string", "description": "GitHub repository (github fetcher)." },
+        "tag":   { "type": "string", "description": "Git tag (github fetcher). Mutually exclusive with 'rev'." },
+        "rev":   { "type": "string", "description": "Commit revision (github/git fetchers)." },
+        "submodules": { "type": "boolean", "description": "Whether to fetch submodules (github/git fetchers)." },
+
+        "url": { "type": "string", "description": "Final URL (url fetcher). May be templated." },
+        "urlTemplate": { "type": "string", "description": "Template for URL (url fetcher); supports ${var}." },
+
+        "name": { "type": "string", "description": "PyPI dist name (pypi fetcher)." }
+      }
+    },
+
+    "SourceSpec": {
+      "allOf": [
+        { "$ref": "#/$defs/SourceSpecBase" },
+        {
+          "if": {
+            "properties": { "fetcher": { "const": "github" } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "required": ["owner", "repo"],
+            "oneOf": [
+              { "required": ["tag"] },
+              { "required": ["rev"] }
+            ]
+          }
+        },
+        {
+          "if": {
+            "properties": { "fetcher": { "const": "git" } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "required": ["url", "rev"]
+          }
+        },
+        {
+          "if": {
+            "properties": { "fetcher": { "const": "url" } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "oneOf": [
+              { "required": ["url"] },
+              { "required": ["urlTemplate"] }
+            ]
+          }
+        },
+        {
+          "if": {
+            "properties": { "fetcher": { "const": "pypi" } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "required": ["name", "version"]
+          }
+        },
+        {
+          "if": {
+            "properties": { "fetcher": { "enum": ["github", "git", "url", "pypi"] } },
+            "required": ["fetcher"]
+          },
+          "then": {
+            "required": ["hash"]
+          }
+        }
+      ]
+    },
+
+    "SourceOverride": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Partial override of a source within a variant. All fields optional.",
+      "properties": {
+        "fetcher": { "type": "string", "enum": ["github", "git", "url", "pypi", "none"] },
+        "hash":    { "type": "string", "pattern": "^sha[0-9]+-" },
+        "version": { "type": "string" },
+        "extra":   { "type": "object", "additionalProperties": true },
+
+        "owner": { "type": "string" },
+        "repo":  { "type": "string" },
+        "tag":   { "type": "string" },
+        "rev":   { "type": "string" },
+        "submodules": { "type": "boolean" },
+
+        "url":         { "type": "string" },
+        "urlTemplate": { "type": "string" },
+
+        "name": { "type": "string" }
+      }
+    },
+
+    "VariantSpec": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "inherits": {
+          "type": "string",
+          "description": "Optional base variant to inherit from."
+        },
+        "variables": {
+          "type": "object",
+          "description": "Variant-level variables that overlay top-level variables.",
+          "additionalProperties": { "type": "string" }
+        },
+        "sources": {
+          "type": "object",
+          "description": "Per-component overrides for this variant.",
+          "additionalProperties": { "$ref": "#/$defs/SourceOverride" }
+        },
+        "platforms": {
+          "type": "object",
+          "description": "Optional per-system overrides to support differing hashes/fields by platform.",
+          "additionalProperties": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "sources": {
+                "type": "object",
+                "additionalProperties": { "$ref": "#/$defs/SourceOverride" }
+              },
+              "variables": {
+                "type": "object",
+                "additionalProperties": { "type": "string" }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

echo

@@ -1 +0,0 @@
-{"text": "\ue312  49\u00b0F", "tooltip": "             Overcast 49\u00b0\n<span foreground=\"#585858\" font-weight=\"bold\">     .--.    </span>Feels like: 49\u00b0\n<span foreground=\"#585858\" font-weight=\"bold\">  .-(    ).  </span>Wind: 2mph \u2199\n<span foreground=\"#585858\" font-weight=\"bold\"> (___.__)__) </span>Humidity: 80%\n             Moon phase: Waxing Crescent \ud83c\udf12\n\nToday, <b>Mon Nov 24 2025</b>\n\uf2c7 53\u00b0F \uf2ca 38\u00b0F\ue34c 07:23 AM \ue34d 04:36 PM\n03 PM \udb81\udd95 52\u00b0 Partly Cloudy , Overcast 33%, Sunshine 73%\n06 PM \ue313 44\u00b0 Mist, Overcast 83%, Sunshine 8%\n09 PM \ue313 43\u00b0 Fog, Overcast 93%, Sunshine 5%\nTomorrow, <b>Tue Nov 25 2025</b>\n\uf2c7 43\u00b0F \uf2ca 34\u00b0F\ue34c 07:24 AM \ue34d 04:36 PM\n12 AM \ue313 43\u00b0 Fog, Fog 6%, Overcast 81%, Sunshine 19%\n03 AM \ue313 42\u00b0 Fog, Overcast 89%, Sunshine 8%\n06 AM \ue313 41\u00b0 Fog, Fog 6%, Overcast 92%, Sunshine 11%\n09 AM \ue313 40\u00b0 Fog, Fog 6%, Overcast 88%, Sunshine 5%\n12 PM \ue317 39\u00b0 Moderate rain at times, Overcast 90%, Rain 100%\n03 PM \ue308 34\u00b0 Light rain, Overcast 93%, Rain 100%\n06 PM \ue318 31\u00b0 Moderate rain, Overcast 88%, Rain 100%\n09 PM \ue31a 24\u00b0 Moderate snow, Overcast 89%, Rain 100%, Snow 100%\n<b>Wed Nov 26 2025</b>\n\uf2c7 36\u00b0F \uf2ca 25\u00b0F\ue34c 07:26 AM \ue34d 04:35 PM\n12 AM \ue312 21\u00b0 Overcast , Overcast 87%, Sunshine 8%\n03 AM \ue312 14\u00b0 Overcast , Frost 25%, Overcast 94%, Sunshine 13%\n06 AM \ue312 11\u00b0 Overcast , Frost 80%, Overcast 89%, Sunshine 8%\n09 AM \ue312 13\u00b0 Overcast , Frost 79%, Overcast 80%, Sunshine 5%\n12 PM \ue33d 18\u00b0 Cloudy , Frost 77%, Overcast 89%, Sunshine 17%\n03 PM \ue30d 24\u00b0 Sunny, Frost 29%, Sunshine 90%\n06 PM \udb81\udd94 22\u00b0 Clear , Frost 78%, Sunshine 94%\n09 PM \udb83\udf31 15\u00b0 Partly Cloudy , Frost 85%, Overcast 39%, Sunshine 83%\n"}

flake.nix

@@ -1,43 +1,64 @@
 {
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  inputs = rec {
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
     nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
 
-    # The name "snowfall-lib" is required due to how Snowfall Lib processes your
-    # flake's inputs.
-    snowfall-lib = {
-      url = "github:mjallen18/lib";
-      inputs.nixpkgs.follows = "nixpkgs";
+    # Fork required: openthread-border-router is not yet in nixpkgs-unstable.
+    # Used by modules/nixos/homeassistant/services/thread/default.nix
+    nixpkgs-otbr.url = "github:mrene/nixpkgs/openthread-border-router";
+
+    home-manager-stable = {
+      url = "github:nix-community/home-manager/release-25.11";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
     };
 
-    chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
-
-    home-manager = {
+    home-manager-unstable = {
       url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+
+    nixpkgs = nixpkgs-unstable;
+    home-manager = home-manager-unstable;
+
+    # The name "snowfall-lib" is required due to how Snowfall Lib processes your
+    # flake's inputs. Using a personal fork for custom changes.
+    snowfall-lib = {
+      url = "github:mjallen18/snowfall-lib";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    # nixos-generators = {
+    #   url = "github:nix-community/nixos-generators";
+    #   inputs.nixpkgs.follows = "nixpkgs";
+    # };
+
     impermanence.url = "github:nix-community/impermanence";
 
-    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.3";
+    lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0";
 
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 
     sops-nix.url = "github:Mic92/sops-nix";
 
+    nix-cachyos-kernel.url = "github:xddxdd/nix-cachyos-kernel/release";
+
     steam-rom-manager = {
       url = "github:mjallen18/nix-steam-rom-manager";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.home-manager.follows = "home-manager";
     };
 
-    cosmic.url = "github:lilyinstarlight/nixos-cosmic";
+    cosmic = {
+      url = "github:lilyinstarlight/nixos-cosmic";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
 
-    authentik-nix.url = "github:nix-community/authentik-nix";
-
-    nixai.url = "github:olafkfreund/nix-ai-help";
+    authentik-nix = {
+      url = "github:nix-community/authentik-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     disko = {
       # the fork is needed for partition attributes support
@@ -46,11 +67,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    nixos-raspberrypi.url = "github:mjallen18/nixos-raspberrypi";
-
-    jovian.url = "github:Jovian-Experiments/Jovian-NixOS";
-
-    darwin.url = "github:LnL7/nix-darwin";
+    darwin.url = "github:nix-darwin/nix-darwin/master";
 
     nix-homebrew.url = "github:zhaofengli/nix-homebrew";
 
@@ -66,7 +83,10 @@
 
     nixos-apple-silicon.url = "github:nix-community/nixos-apple-silicon";
 
-    pre-commit-hooks-nix.url = "github:cachix/pre-commit-hooks.nix";
+    pre-commit-hooks-nix = {
+      url = "github:cachix/pre-commit-hooks.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     treefmt-nix = {
       url = "github:numtide/treefmt-nix";
@@ -96,6 +116,11 @@
       url = "github:nix-community/stylix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    jovian = {
+      url = "github:Jovian-Experiments/Jovian-NixOS";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   # We will handle this in the next section.
@@ -110,12 +135,17 @@
       # Nix files to a separate directory.
       src = ./.;
 
+      overlays = with inputs; [
+        nix-vscode-extensions.overlays.default
+        nix-cachyos-kernel.overlays.default
+      ];
+
       # Add a module to a specific host.
       systems = {
         # common modules
         modules.nixos = with inputs; [
+          # nix-cachyos-kernel.nixosModules.default
           authentik-nix.nixosModules.default
-          chaotic.nixosModules.default
           disko.nixosModules.disko
           impermanence.nixosModules.impermanence
           lanzaboote.nixosModules.lanzaboote
@@ -125,6 +155,11 @@
           stylix.nixosModules.stylix
         ];
 
+        modules.home = with inputs; [
+          nix-index-database.homeManagerModules.nix-index
+          steam-rom-manager.homeManagerModules.default
+        ];
+
         # common darwin modules
         modules.darwin = with inputs; [
           nix-homebrew.darwinModules.nix-homebrew
@@ -144,7 +179,7 @@
             modules = with inputs; [
               nixos-hardware.nixosModules.common-cpu-amd
               nixos-hardware.nixosModules.common-cpu-amd-pstate
-              nixos-hardware.nixosModules.common-cpu-amd-zenpower
+              # nixos-hardware.nixosModules.common-cpu-amd-zenpower
               nixos-hardware.nixosModules.common-gpu-amd
               nixos-hardware.nixosModules.common-hidpi
               nixos-hardware.nixosModules.common-pc
@@ -156,30 +191,13 @@
           #                      NAS                             #
           # ######################################################
           jallen-nas = {
+            # home-manager is already in systems.modules.nixos above
             modules = with inputs; [
               nixos-hardware.nixosModules.common-pc
               nixos-hardware.nixosModules.common-cpu-amd
               nixos-hardware.nixosModules.common-cpu-amd-pstate
-              nixos-hardware.nixosModules.common-cpu-amd-zenpower
+              # nixos-hardware.nixosModules.common-cpu-amd-zenpower
               nixos-hardware.nixosModules.common-hidpi
-              home-manager.nixosModules.home-manager
-            ];
-          };
-
-          # ######################################################
-          #                   Steamdeck                          #
-          # ######################################################
-          steamdeck = {
-            modules = with inputs; [
-              disko.nixosModules.disko
-              jovian.nixosModules.jovian
-              nixos-hardware.nixosModules.common-cpu-amd
-              nixos-hardware.nixosModules.common-cpu-amd-pstate
-              nixos-hardware.nixosModules.common-cpu-amd-zenpower
-              nixos-hardware.nixosModules.common-gpu-amd
-              nixos-hardware.nixosModules.common-hidpi
-              nixos-hardware.nixosModules.common-pc
-              lsfg-vk.nixosModules.default
             ];
           };
 
@@ -187,53 +205,23 @@
           #                      NUC                             #
           # ######################################################
           nuc-nixos = {
+            # disko is already in systems.modules.nixos above
             modules = with inputs; [
-              disko.nixosModules.disko
               nixos-hardware.nixosModules.common-cpu-amd
               nixos-hardware.nixosModules.common-cpu-amd-pstate
-              nixos-hardware.nixosModules.common-cpu-amd-zenpower
+              # nixos-hardware.nixosModules.common-cpu-amd-zenpower
               nixos-hardware.nixosModules.common-gpu-amd
               nixos-hardware.nixosModules.common-hidpi
               nixos-hardware.nixosModules.common-pc
             ];
           };
 
-          # ######################################################
-          #                      Pi4                             #
-          # ######################################################
-          pi4 = {
-            specialArgs = {
-              nixpkgs = inputs.nixpkgs-stable;
-            };
-            modules = with inputs; [
-              disko.nixosModules.disko
-              nixos-raspberrypi.nixosModules.raspberry-pi-4.base
-              nixos-raspberrypi.nixosModules.raspberry-pi-4.display-vc4
-              nixos-raspberrypi.nixosModules.nixpkgs-rpi
-              nixos-raspberrypi.nixosModules.trusted-nix-caches
-              nixos-raspberrypi.lib.inject-overlays
-              nixos-raspberrypi.lib.inject-overlays-global
-            ];
-          };
-
           # ######################################################
           #                      Pi5                             #
           # ######################################################
           pi5 = {
-            specialArgs = {
-              nixpkgs = inputs.nixpkgs-stable;
-            };
-            modules = with inputs; [
-              disko.nixosModules.disko
-              nixos-raspberrypi.nixosModules.raspberry-pi-5.base
-              nixos-raspberrypi.nixosModules.raspberry-pi-5.display-vc4
-              nixos-raspberrypi.nixosModules.raspberry-pi-5.bluetooth
-              nixos-raspberrypi.nixosModules.raspberry-pi-5.page-size-16k
-              nixos-raspberrypi.nixosModules.nixpkgs-rpi
-              nixos-raspberrypi.nixosModules.trusted-nix-caches
-              nixos-raspberrypi.lib.inject-overlays
-              nixos-raspberrypi.lib.inject-overlays-global
-            ];
+            # disko is already in systems.modules.nixos above
+            modules = [ ];
           };
 
           # ######################################################
@@ -245,11 +233,23 @@
               lsfg-vk.nixosModules.default
             ];
           };
-        };
 
-        overlays = with inputs; [
-          nix-vscode-extensions.overlays.default
-        ];
+          # ######################################################
+          #                     AllyX                            #
+          # ######################################################
+          allyx = {
+            modules = with inputs; [
+              nixos-hardware.nixosModules.common-cpu-amd
+              nixos-hardware.nixosModules.common-cpu-amd-pstate
+              # nixos-hardware.nixosModules.common-cpu-amd-zenpower
+              nixos-hardware.nixosModules.common-gpu-amd
+              nixos-hardware.nixosModules.common-hidpi
+              nixos-hardware.nixosModules.common-pc
+              lsfg-vk.nixosModules.default
+              jovian.nixosModules.jovian
+            ];
+          };
+        };
       };
 
       # Configure Snowfall Lib, all of these settings are optional.
@@ -270,22 +270,17 @@
 
       channels-config = {
         allowUnfree = true;
+        allowUnsupportedSystem = true;
         permittedInsecurePackages = [
           # ...
-          "libsoup-2.74.3"
-          "mbedtls-2.28.10"
+          # "libsoup-2.74.3"
+          # "mbedtls-2.28.10"
         ];
       };
 
       outputs-builder = channels: {
         formatter = inputs.treefmt-nix.lib.mkWrapper channels.nixpkgs ./treefmt.nix;
-
-        # Add mjallen-lib to the flake outputs
-        overlays = {
-          mjallen-lib = _final: _prev: {
-            mjallen-lib = (import ./lib { inherit inputs; }).mjallen-lib;
-          };
-        };
+        # mjallen-lib overlay is auto-discovered from overlays/mjallen-lib/default.nix
       };
     };
 }

homes/aarch64-darwin/mattjallen@macbook-pro/default.nix

@@ -15,7 +15,9 @@ let
     age
     cpufetch
     deadnix
-    nixfmt-rfc-style
+    iproute2mac
+    nebula
+    nixfmt
     nodePackages.nodejs
     uv
     sops
@@ -41,219 +43,219 @@ in
     };
   };
 
-  programs.nix-plist-manager = {
-    enable = true;
-    options = {
-      applications = {
-        finder = {
-          settings = {
-            general = {
-              showTheseItemsOnTheDesktop = {
-                hardDisks = false;
-                externalDisks = true;
-                cdsDvdsAndiPods = false;
-                connectedServers = false;
-              };
-              openFoldersInTabsInsteadOfNewWindows = true;
-            };
-            sidebar = {
-              recentTags = true;
-            };
-            advanced = {
-              removeItemsFromTheTrashAfter30Days = true;
-              showAllFilenameExtensions = true;
-              showWarningBeforeChangingAnExtension = true;
-              showWarningBeforeRemovingFromiCloudDrive = true;
-              showWarningBeforeEmptyingTheTrash = true;
-              keepFoldersOnTop = {
-                inWindowsWhenSortingByName = true;
-                onDesktop = true;
-              };
-              whenPerformingASearch = "Search This Mac";
-            };
-          };
-          menuBar = {
-            view = {
-              showTabBar = true;
-              showSidebar = true;
-              showPathBar = true;
-              showStatusBar = true;
-            };
-          };
-        };
-        systemSettings = {
-          appearance = {
-            appearance = "Dark";
-            accentColor = "Multicolor";
-            # clickInTheScrollBarTo = "Jump to the next page";
-            sidebarIconSize = "Medium";
-            showScrollBars = "When scrolling";
-          };
-          controlCenter = {
-            wifi = true;
-            bluetooth = true;
-            airdrop = true;
-            stageManager = true;
-            focusModes = "active";
-            screenMirroring = "active";
-            display = "never";
-            sound = "always";
-            nowPlaying = "active";
-            accessibilityShortcuts = "unset";
-            musicRecognition = {
-              showInMenuBar = false;
-              showInControlCenter = true;
-            };
-            hearing = "unset";
-            fastUserSwitching = {
-              showInMenuBar = false;
-              showInControlCenter = true;
-            };
-            keyboardBrightness = {
-              showInMenuBar = false;
-              showInControlCenter = true;
-            };
-            battery = {
-              showInMenuBar = false;
-              showInControlCenter = false;
-            };
-            batteryShowPercentage = true;
-            # menuBarOnly = {
-            #   spotlight = false;
-            #   siri = true;
-            # };
-            # automaticallyHideAndShowTheMenuBar = "In Full Screen Only";
-          };
-          desktopAndDock = {
-            desktopAndStageManager = {
-              showItems = {
-                onDesktop = true;
-                inStageManager = true;
-              };
-              clickWallpaperToRevealDesktop = "Always";
-              stageManager = false;
-              showRecentAppsInStageManager = true;
-              showWindowsFromAnApplication = "All at Once";
-            };
-            dock = {
-              animateOpeningApplications = true;
-              automaticallyHideAndShowTheDock = enabled;
-              doubleClickAWindowsTitleBarTo = "Minimize";
-              magnification = disabled;
-              minimizeWindowsIntoApplicationIcon = true;
-              minimizeWindowsUsing = "Genie Effect";
-              positionOnScreen = "Bottom";
-              showIndicatorsForOpenApplications = true;
-              showSuggestedAndRecentAppsInDock = false;
-              size = 64; # 16 - 128
-              #     persistentApps = [
-              #       { app = "/Applications/Clock.app"; }
-              #       { folder = "/Applications"; }
-              #       { app = "/Applications/Safari.app"; }
-              #       { app = "/Applications/Firefox.app"; }
-              #       { app = "/Applications/Tabby.app"; }
-              #       { app = "/Applications/Termius.app"; }
-              #       { app = "/Applications/Muic.app"; }
-              #       { app = "/Applications/Vesktop.app"; }
-              #       { app = "/Applications/Messages.app"; }
-              #       { app = "/Applications/Calendar.app"; }
-              #       { app = "/Applications/Reminders.app"; }
-              #       { app = "/Applications/Notes.app"; }
-              #       { app = "/Applications/Weather.app"; }
-              #       { app = "/Applications/Maps.app"; }
-              #       { app = "/Applications/App Store.app"; }
-              #       { app = "/Applications/System Settings.app"; }
-              #       { app = "/Applications/ChatGPT.app"; }
-              #       { app = "/Applications/Nextcloud.app"; }
-              #       { app = "/Applications/VSCodium.app"; }
-              #       { app = "/Applications/Omnissa Horizon Client.app"; }
-              #       { app = "/Applications/Proton Pass.app"; }
-              #       { app = "/Applications/OrcaSlicer.app"; }
-              #       { app = "/Applications/AlDente.app"; }
-              #     ];
-              #     persistentOthers = [
-              #       "~/Downloads"
-              #     ];
-            };
-            hotCorners = {
-              # ["-" "Mission Control" "Application Windows" "Desktop" "Start Screen Saver" "Disable Screen Saver" "Dashboard" "Put Display to Sleep" "Launchpad" "Notification Center" "Lock Screen" "Quick Note"]
-              topLeft = "-";
-              topRight = "-";
-              bottomLeft = "-";
-              bottomRight = "-";
-            };
-            missionControl = {
-              automaticallyRearrangeSpacesBasedOnMostRecentUse = true;
-              displaysHaveSeparateSpaces = true;
-              dragWindowsToTopOfScreenToEnterMissionControl = true;
-              groupWindowsByApplication = true;
-              whenSwitchingToAnApplicationSwitchToAspaceWithOpenWindowsForTheApplication = true;
-            };
-            widgets = {
-              showWidgets = {
-                onDesktop = true;
-                inStageManager = true;
-              };
-              widgetStyle = "Automatic";
-              useIphoneWidgets = true;
-            };
-            windows = {
-              askToKeepChangesWhenClosingDocuments = true;
-              closeWindowsWhenQuittingAnApplication = true;
-              dragWindowsToScreenEdgesToTile = true;
-              dragWindowsToMenuBarToFillScreen = true;
-              holdOptionKeyWhileDraggingWindowsToTile = true;
-              preferTabsWhenOpeningDocuments = "In Full Screen";
-              tiledWindowsHaveMargin = false;
-            };
-          };
-          focus = {
-            shareAcrossDevices = true;
-          };
-          # general.dateAndTime."24HourTime" = false;
-          notifications = {
-            notificationCenter = {
-              showPreviews = "When Unlocked";
-              summarizeNotifications = true;
-            };
-          };
-          sound = {
-            soundEffects = {
-              alertSound = "Boop";
-              alertVolume = 0.7;
-              playFeedbackWhenVolumeIsChanged = true;
-              playUserInterfaceSoundEffects = true;
-            };
-          };
-          spotlight = {
-            helpAppleImproveSearch = false;
-            # searchResults = {
-            #   applications = true;
-            #   calculator = true;
-            #   contacts = true;
-            #   conversion = true;
-            #   definition = true;
-            #   developer = true;
-            #   documents = true;
-            #   eventsAndReminders = true;
-            #   folders = true;
-            #   fonts = false;
-            #   images = true;
-            #   mailAndMessages = true;
-            #   movies = true;
-            #   music = true;
-            #   other = false;
-            #   pdfDocuments = true;
-            #   presentations = true;
-            #   siriSuggestions = false;
-            #   systemSettings = true;
-            #   tips = false;
-            #   websites = true;
-          };
-        };
-      };
-    };
-  };
+  # programs.nix-plist-manager = {
+  #   enable = true;
+  #   options = {
+  #     applications = {
+  #       finder = {
+  #         settings = {
+  #           general = {
+  #             showTheseItemsOnTheDesktop = {
+  #               hardDisks = false;
+  #               externalDisks = true;
+  #               cdsDvdsAndiPods = false;
+  #               connectedServers = false;
+  #             };
+  #             openFoldersInTabsInsteadOfNewWindows = true;
+  #           };
+  #           sidebar = {
+  #             recentTags = true;
+  #           };
+  #           advanced = {
+  #             removeItemsFromTheTrashAfter30Days = true;
+  #             showAllFilenameExtensions = true;
+  #             showWarningBeforeChangingAnExtension = true;
+  #             showWarningBeforeRemovingFromiCloudDrive = true;
+  #             showWarningBeforeEmptyingTheTrash = true;
+  #             keepFoldersOnTop = {
+  #               inWindowsWhenSortingByName = true;
+  #               onDesktop = true;
+  #             };
+  #             whenPerformingASearch = "Search This Mac";
+  #           };
+  #         };
+  #         menuBar = {
+  #           view = {
+  #             showTabBar = true;
+  #             showSidebar = true;
+  #             showPathBar = true;
+  #             showStatusBar = true;
+  #           };
+  #         };
+  #       };
+  #       systemSettings = {
+  #         appearance = {
+  #           appearance = "Dark";
+  #           accentColor = "Multicolor";
+  #           # clickInTheScrollBarTo = "Jump to the next page";
+  #           sidebarIconSize = "Medium";
+  #           showScrollBars = "When scrolling";
+  #         };
+  #         controlCenter = {
+  #           wifi = true;
+  #           bluetooth = true;
+  #           airdrop = true;
+  #           stageManager = true;
+  #           focusModes = "active";
+  #           screenMirroring = "active";
+  #           display = "never";
+  #           sound = "always";
+  #           nowPlaying = "active";
+  #           accessibilityShortcuts = "unset";
+  #           musicRecognition = {
+  #             showInMenuBar = false;
+  #             showInControlCenter = true;
+  #           };
+  #           hearing = "unset";
+  #           fastUserSwitching = {
+  #             showInMenuBar = false;
+  #             showInControlCenter = true;
+  #           };
+  #           keyboardBrightness = {
+  #             showInMenuBar = false;
+  #             showInControlCenter = true;
+  #           };
+  #           battery = {
+  #             showInMenuBar = false;
+  #             showInControlCenter = false;
+  #           };
+  #           batteryShowPercentage = true;
+  #           # menuBarOnly = {
+  #           #   spotlight = false;
+  #           #   siri = true;
+  #           # };
+  #           # automaticallyHideAndShowTheMenuBar = "In Full Screen Only";
+  #         };
+  #         desktopAndDock = {
+  #           desktopAndStageManager = {
+  #             showItems = {
+  #               onDesktop = true;
+  #               inStageManager = true;
+  #             };
+  #             clickWallpaperToRevealDesktop = "Always";
+  #             stageManager = false;
+  #             showRecentAppsInStageManager = true;
+  #             showWindowsFromAnApplication = "All at Once";
+  #           };
+  #           dock = {
+  #             animateOpeningApplications = true;
+  #             automaticallyHideAndShowTheDock = enabled;
+  #             doubleClickAWindowsTitleBarTo = "Minimize";
+  #             magnification = disabled;
+  #             minimizeWindowsIntoApplicationIcon = true;
+  #             minimizeWindowsUsing = "Genie Effect";
+  #             positionOnScreen = "Bottom";
+  #             showIndicatorsForOpenApplications = true;
+  #             showSuggestedAndRecentAppsInDock = false;
+  #             size = 64; # 16 - 128
+  #             #     persistentApps = [
+  #             #       { app = "/Applications/Clock.app"; }
+  #             #       { folder = "/Applications"; }
+  #             #       { app = "/Applications/Safari.app"; }
+  #             #       { app = "/Applications/Firefox.app"; }
+  #             #       { app = "/Applications/Tabby.app"; }
+  #             #       { app = "/Applications/Termius.app"; }
+  #             #       { app = "/Applications/Muic.app"; }
+  #             #       { app = "/Applications/Vesktop.app"; }
+  #             #       { app = "/Applications/Messages.app"; }
+  #             #       { app = "/Applications/Calendar.app"; }
+  #             #       { app = "/Applications/Reminders.app"; }
+  #             #       { app = "/Applications/Notes.app"; }
+  #             #       { app = "/Applications/Weather.app"; }
+  #             #       { app = "/Applications/Maps.app"; }
+  #             #       { app = "/Applications/App Store.app"; }
+  #             #       { app = "/Applications/System Settings.app"; }
+  #             #       { app = "/Applications/ChatGPT.app"; }
+  #             #       { app = "/Applications/Nextcloud.app"; }
+  #             #       { app = "/Applications/VSCodium.app"; }
+  #             #       { app = "/Applications/Omnissa Horizon Client.app"; }
+  #             #       { app = "/Applications/Proton Pass.app"; }
+  #             #       { app = "/Applications/OrcaSlicer.app"; }
+  #             #       { app = "/Applications/AlDente.app"; }
+  #             #     ];
+  #             #     persistentOthers = [
+  #             #       "~/Downloads"
+  #             #     ];
+  #           };
+  #           hotCorners = {
+  #             # ["-" "Mission Control" "Application Windows" "Desktop" "Start Screen Saver" "Disable Screen Saver" "Dashboard" "Put Display to Sleep" "Launchpad" "Notification Center" "Lock Screen" "Quick Note"]
+  #             topLeft = "-";
+  #             topRight = "-";
+  #             bottomLeft = "-";
+  #             bottomRight = "-";
+  #           };
+  #           missionControl = {
+  #             automaticallyRearrangeSpacesBasedOnMostRecentUse = true;
+  #             displaysHaveSeparateSpaces = true;
+  #             dragWindowsToTopOfScreenToEnterMissionControl = true;
+  #             groupWindowsByApplication = true;
+  #             whenSwitchingToAnApplicationSwitchToAspaceWithOpenWindowsForTheApplication = true;
+  #           };
+  #           widgets = {
+  #             showWidgets = {
+  #               onDesktop = true;
+  #               inStageManager = true;
+  #             };
+  #             widgetStyle = "Automatic";
+  #             useIphoneWidgets = true;
+  #           };
+  #           windows = {
+  #             askToKeepChangesWhenClosingDocuments = true;
+  #             closeWindowsWhenQuittingAnApplication = true;
+  #             dragWindowsToScreenEdgesToTile = true;
+  #             dragWindowsToMenuBarToFillScreen = true;
+  #             holdOptionKeyWhileDraggingWindowsToTile = true;
+  #             preferTabsWhenOpeningDocuments = "In Full Screen";
+  #             tiledWindowsHaveMargin = false;
+  #           };
+  #         };
+  #         focus = {
+  #           shareAcrossDevices = true;
+  #         };
+  #         # general.dateAndTime."24HourTime" = false;
+  #         notifications = {
+  #           notificationCenter = {
+  #             showPreviews = "When Unlocked";
+  #             summarizeNotifications = true;
+  #           };
+  #         };
+  #         sound = {
+  #           soundEffects = {
+  #             alertSound = "Boop";
+  #             alertVolume = 0.7;
+  #             playFeedbackWhenVolumeIsChanged = true;
+  #             playUserInterfaceSoundEffects = true;
+  #           };
+  #         };
+  #         spotlight = {
+  #           helpAppleImproveSearch = false;
+  #           # searchResults = {
+  #           #   applications = true;
+  #           #   calculator = true;
+  #           #   contacts = true;
+  #           #   conversion = true;
+  #           #   definition = true;
+  #           #   developer = true;
+  #           #   documents = true;
+  #           #   eventsAndReminders = true;
+  #           #   folders = true;
+  #           #   fonts = false;
+  #           #   images = true;
+  #           #   mailAndMessages = true;
+  #           #   movies = true;
+  #           #   music = true;
+  #           #   other = false;
+  #           #   pdfDocuments = true;
+  #           #   presentations = true;
+  #           #   siriSuggestions = false;
+  #           #   systemSettings = true;
+  #           #   tips = false;
+  #           #   websites = true;
+  #         };
+  #       };
+  #     };
+  #   };
+  # };
 
   # Manage bug in compilations - who uses manpages in 2024 anyways? :P
   manual.manpages = enabled;

homes/aarch64-linux/matt@macbook-pro-nixos/default.nix

@@ -6,12 +6,6 @@
 }:
 let
   inherit (lib.${namespace}) enabled disabled;
-  shellAliases = {
-    update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
-    update-switch = "sudo nixos-rebuild switch --max-jobs 10 --build-host admin@10.0.1.3";
-    update-flake = "nix flake update mac-nixpkgs mac-nixos-apple-silicon mac-home-manager mac-impermanence mac-sops-nix --flake /etc/nixos";
-    update-nas = "nixos-rebuild switch --use-remote-sudo --target-host admin@10.0.1.3 --build-host admin@10.0.1.3 --flake ~/nix-config#jallen-nas";
-  };
   # Displays
   display = {
     input = "eDP-1";
@@ -26,8 +20,9 @@ in
   home.stateVersion = "23.11";
 
   ${namespace} = {
+    desktop.gnome = enabled;
     programs.hyprland = {
-      enable = true;
+      enable = false;
       primaryDisplay = "eDP-1";
       debug.disableScaleChecks = true;
 
@@ -57,7 +52,7 @@ in
       ];
 
       windowRule = [
-        "size 2160 3356, tag:horizonrdp"
+        # "size 2160 3356, tag:horizonrdp"
       ];
 
       hyprpaper = {
@@ -67,31 +62,29 @@ in
       keybinds = {
         bind = [
           "$mod, A, exec, chromium --app=\"https://music.apple.com\""
+
+          "SHIFT, XF86MonBrightnessUp, exec, lightctl -D kbd_backlight up"
+          "SHIFT, XF86MonBrightnessDown, exec, lightctl -D kbd_backlight down"
         ];
       };
 
       defaultApps = {
         browser = pkgs.firefox;
       };
+
+      extraConfig = ''
+        exec-once = brightnessctl -d kbd_backlight s 50%
+      '';
     };
     programs = {
       btop = enabled;
-      kitty = {
-        enable = true;
-      };
-      mako = {
-        enable = true;
-      };
-      nwg-dock = enabled;
-      nwg-drawer = enabled;
-      nwg-panel = {
-        enable = true;
-        defaultApps = {
-          browser = pkgs.firefox;
-        };
-      };
+      kitty = disabled;
+      mako = disabled;
+      nwg-dock = disabled;
+      nwg-drawer = disabled;
+      nwg-panel = disabled;
       waybar = {
-        enable = true;
+        enable = false;
 
         layer = "bottom";
 
@@ -125,24 +118,58 @@ in
 
         windowOffset = 75;
       };
-      wlogout = enabled;
-      wofi = enabled;
+      wlogout = disabled;
+      wofi = disabled;
     };
   };
 
-  home.packages = with pkgs; [
-    pkgs.${namespace}.bolt-launcher
-    pkgs.${namespace}.librepods
+  home.packages =
+    with pkgs.${namespace};
+    [
+      # librepods
+      librepods-beta
+    ]
+    ++ (with pkgs; [
+      bolt-launcher
+      iw
+      iwd
+      orca-slicer
+      vscodium
 
-    iw
-    iwd
-    orca-slicer
-    vscodium
-  ];
+      gnomeExtensions.notch-clock-offset
+    ]);
+
+  services = {
+    kdeconnect = {
+      enable = lib.mkForce true;
+      indicator = lib.mkForce true;
+    };
+  };
 
   programs = {
     password-store = enabled;
+  };
 
-    zsh.shellAliases = shellAliases;
+  dconf = {
+    enable = true;
+    settings = {
+      "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0".name =  "Keyboard Backlight +";
+      "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0".binding = "<Super>MonBrightnessUp";
+      "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0".command = "brightnessctl -d kbd_backlight s +10";
+      "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1".name =  "Keyboard Backlight -";
+      "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1".binding = "<Super>MonBrightnessDown";
+      "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1".command = "brightnessctl -d kbd_backlight s 10-";
+
+      "org/gnome/shell".enabled-extensions = [
+        "notch-clock-offset@christophbrill.de"
+      ];
+
+      "org/gnome/shell/extensions/notch-clock-offset".percent = 40;
+
+      "org/gnome/settings-daemon/plugins/media-keys".custom-keybindings = [
+        "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/"
+        "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1/"
+      ];
+    };
   };
 }

homes/aarch64-linux/matt@pi4/default.nix

@@ -1,69 +0,0 @@
-{ lib, namespace, ... }:
-let
-  inherit (lib.${namespace}) enabled disabled;
-in
-{
-  home.username = "matt";
-
-  ${namespace} = {
-    shell-aliases = {
-      enable = true;
-      flakeInputs = [
-        "pi4-nixpkgs"
-        "pi4-home-manager"
-        "pi4-impermanence"
-        "pi4-sops-nix"
-        "pi4-nixos-hardware"
-        "pi4-nixos-raspberrypi"
-        "pi4-disko"
-      ];
-    };
-  };
-
-  sops = {
-    age.keyFile = "/home/matt/.config/sops/age/keys.txt";
-    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
-    validateSopsFiles = false;
-    secrets = {
-      "ssh-keys-public/pi4" = {
-        path = "/home/matt/.ssh/id_ed25519.pub";
-        mode = "0644";
-      };
-      "ssh-keys-private/pi4" = {
-        path = "/home/matt/.ssh/id_ed25519";
-        mode = "0600";
-      };
-      #     "ssh-keys-public/desktop-nixos" = {
-      #       path = "/home/matt/.ssh/authorized_keys";
-      #       mode = "0600";
-      #     };
-
-      #     "ssh-keys-public/desktop-nixos-root" = {
-      #       path = "/home/matt/.ssh/authorized_keys2";
-      #       mode = "0600";
-      #     };
-
-      #     "ssh-keys-public/desktop-windows" = {
-      #       path = "/home/matt/.ssh/authorized_keys3";
-      #       mode = "0600";
-      #     };
-
-      #     "ssh-keys-public/macbook-macos" = {
-      #       path = "/home/matt/.ssh/authorized_keys4";
-      #       mode = "0600";
-      #     };
-    };
-  };
-
-  programs = {
-    mangohud = lib.mkForce enabled;
-  };
-
-  services = {
-    nextcloud-client = lib.mkForce disabled;
-    kdeconnect = {
-      enable = false;
-      indicator = false;
-    };
-  };
-}

homes/aarch64-linux/matt@pi5/default.nix

@@ -5,14 +5,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
-  shellAliases = {
-    update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
-    update-switch = "sudo nixos-rebuild switch --max-jobs 10 --build-host admin@10.0.1.3";
-    update-flake = "nix flake update pi5-nixpkgs pi5-home-manager pi5-impermanence pi5-nixos-hardware pi5-sops-nix nixos-raspberrypi --flake /etc/nixos";
-    update-nas = "nixos-rebuild switch --use-remote-sudo --target-host admin@10.0.1.3 --build-host admin@10.0.1.3 --flake ~/nix-config#jallen-nas";
-    nas-ssh = "kitten ssh admin@10.0.1.3";
-  };
+  inherit (lib.${namespace}) disabled;
 in
 {
 
@@ -57,10 +50,6 @@ in
     };
   };
 
-  programs = {
-    zsh.shellAliases = shellAliases;
-  };
-
   services = {
     nextcloud-client = lib.mkForce disabled;
     kdeconnect = {

homes/aarch64-linux/root@macbook-pro-nixos/default.nix

@@ -4,7 +4,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
+  inherit (lib.${namespace}) disabled;
 in
 {
   home.username = "root";

homes/aarch64-linux/root@pi5/default.nix

@@ -4,7 +4,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
+  inherit (lib.${namespace}) disabled;
 in
 {
   home.username = "root";

homes/x86_64-linux/admin@jallen-nas/default.nix

@@ -1,22 +1,28 @@
-{ pkgs, namespace, ... }:
 {
-  home.username = "admin";
+  pkgs,
+  config,
+  namespace,
+  ...
+}:
+{
+  home = {
+    username = "admin";
+    packages =
+      with pkgs;
+      [
+        heroic
+        python3
+        python3Packages.requests
+        python3Packages.mcp
+        jq
+      ]
+      ++ (with pkgs.${namespace}; [
+        moondeck-buddy
+      ]);
+  };
 
   ${namespace} = {
-    shell-aliases = {
-      enable = true;
-      buildHost = ""; # NAS builds locally
-      flakeInputs = [
-        "nas-nixpkgs"
-        "nas-authentik-nix"
-        "nas-cosmic"
-        "nas-home-manager"
-        "nas-impermanence"
-        "nas-lanzaboote"
-        "nas-nixos-hardware"
-        "nas-sops-nix"
-      ];
-    };
+    sops.enable = true;
   };
 
   sops = {
@@ -24,6 +30,10 @@
     defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
     validateSopsFiles = false;
     secrets = {
+      # NOTE: add the following key to secrets/secrets.yaml via `sops secrets/secrets.yaml`
+      # before deploying:  hass-mcp/token: <your HA long-lived access token>
+      "hass-mcp/token" = { };
+
       "ssh-keys-public/jallen-nas" = {
         path = "/home/admin/.ssh/id_ed25519.pub";
         mode = "0644";
@@ -52,9 +62,25 @@
         mode = "0600";
       };
     };
+
+    templates."hass-mcp.env" = {
+      path = "/home/admin/.config/sops/hass-mcp.env";
+      mode = "0600";
+      content = ''
+        HA_URL=http://nuc-nixos.local:8123
+        HA_TOKEN=${config.sops.placeholder."hass-mcp/token"}
+      '';
+    };
   };
 
   programs = {
+    bash = {
+      shellAliases = {
+        "llama-status" =
+          "curl -s http://localhost:8127/health 2>/dev/null && echo 'LLaMA.cpp server is running' || echo 'LLaMA.cpp server is not responding'";
+      };
+    };
+
     neovim = {
       enable = true;
       viAlias = true;
@@ -68,6 +94,101 @@
         }
       ];
     };
-  };
+    steam-rom-manager = {
+      enable = true;
+      steamUsername = "mjallen18";
 
+      # Optional: override default paths if needed
+      environmentVariables = {
+        romsDirectory = "/home/admin/Emulation/roms";
+        steamDirectory = "/home/admin/.local/share/Steam";
+      };
+
+      emulators = {
+        "Non-SRM Shortcuts" = {
+          enable = true;
+          parserType = "Non-SRM Shortcuts";
+          extraArgs = "";
+        };
+      };
+    };
+
+    opencode = {
+      enable = true;
+      enableMcpIntegration = true;
+      settings = {
+        provider = {
+          nas = {
+            npm = "@ai-sdk/openai-compatible";
+            name = "llama-server (local)";
+            options = {
+              baseURL = "http://jallen-nas.local:8127/v1";
+            };
+            models = {
+              Qwen3-Coder-Next-Q4_0 = {
+                name = "Qwen3 Coder (local)";
+                modalities = {
+                  input = [
+                    "image"
+                    "text"
+                  ];
+                  output = [ "text" ];
+                };
+                limit = {
+                  context = 262144;
+                  output = 262144;
+                };
+              };
+              # "GLM-4.7-Flash-REAP-23B-A3B-UD-Q3_K_XL": {
+              #   "name": "GLM 4.7 Flash (local)",
+              #   "modalities": { "input": ["image", "text"], "output": ["text"] },
+              #   "limit": {
+              #     "context": 262144,
+              #     "output": 262144
+              #   }
+              # };
+              # "Nemotron-3-Nano-30B-A3B-IQ4_XS": {
+              #   "name": "Nemotron-3-Nano (local)",
+              #   "modalities": { "input": ["image", "text"], "output": ["text"] },
+              #   "limit": {
+              #     "context": 262144,
+              #     "output": 262144
+              #   }
+              # };
+            };
+          };
+        };
+      };
+    };
+
+    mcp = {
+      enable = true;
+      servers = {
+        nixos = {
+          command = "nix";
+          args = [
+            "run"
+            "github:utensils/mcp-nixos"
+            "--"
+          ];
+        };
+        hass-mcp = {
+          # Token is read at runtime from a sops-rendered env file.
+          # The wrapper script sources ~/.config/sops/hass-mcp.env before launching uvx.
+          command = "bash";
+          args = [
+            "-c"
+            "set -a; source ${"\${HOME}"}/.config/sops/hass-mcp.env; set +a; exec uvx hass-mcp"
+          ];
+        };
+        mcp-server-code-runner = {
+          command = "npm";
+          args = [
+            "-y"
+            "mcp-server-code-runner@latest"
+          ];
+        };
+      };
+    };
+  };
 }

homes/x86_64-linux/admin@nuc-nixos/default.nix

@@ -1,18 +1,15 @@
-{ pkgs, ... }:
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
 let
-  shellAliases = {
-    update-boot = "sudo nixos-rebuild boot --max-jobs 10";
-    update-switch = "sudo nixos-rebuild switch --max-jobs 10";
-    update-flake = "nix flake update nas-nixpkgs nas-authentik-nix nas-cosmic nas-crowdsec nas-home-manager nas-impermanence nas-lanzaboote nas-nixos-hardware nas-sops-nix --flake /etc/nixos";
-  };
+  inherit (lib.${namespace}) disabled;
 in
 {
   home.username = "admin";
 
-  programs = {
-    zsh.shellAliases = shellAliases;
-  };
-
   # Configure systemd user service for protonmail-bridge
   systemd.user.services.protonmail-bridge = {
     Service = {
@@ -24,9 +21,17 @@ in
   };
 
   services = {
+    nextcloud-client = lib.mkForce disabled;
+    kdeconnect = {
+      enable = false;
+      indicator = false;
+    };
     protonmail-bridge = {
       enable = true;
-      extraPackages = with pkgs; [ pass libsecret ];
+      extraPackages = with pkgs; [
+        pass
+        libsecret
+      ];
     };
   };
 }

homes/x86_64-linux/deck@steamdeck/default.nix

@@ -1,84 +0,0 @@
-{ lib, pkgs, namespace, ... }:
-let
-  inherit (lib.${namespace}) enabled disabled;
-  shellAliases = {
-    update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
-    update-switch = "sudo nixos-rebuild switch --max-jobs 10";
-    update-flake = "nix flake update steamdeck-nixpkgs steamdeck-chaotic steamdeck-home-manager steamdeck-impermanence steamdeck-jovian steamdeck-lanzaboote steamdeck-nixos-hardware steamdeck-sops-nix steamdeck-steam-rom-manager --flake /etc/nixos";
-    nas-ssh = "ssh admin@10.0.1.3";
-  };
-in
-{
-  home.username = "deck";
-
-  ${namespace}.desktop.gnome = enabled;
-
-  sops = {
-    age.keyFile = "/home/deck/.config/sops/age/keys.txt";
-    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
-    validateSopsFiles = false;
-    secrets = {
-      "ssh-keys-public/deck" = {
-        path = "/home/deck/.ssh/id_ed25519.pub";
-        mode = "0644";
-      };
-      "ssh-keys-private/deck" = {
-        path = "/home/deck/.ssh/id_ed25519";
-        mode = "0600";
-      };
-    };
-  };
-
-  programs = {
-    steam-rom-manager = {
-      enable = true;
-      steamUsername = "mjallen18";
-
-      # Optional: override default paths if needed
-      environmentVariables = {
-        romsDirectory = "/home/deck/Emulation/roms";
-        steamDirectory = "/home/deck/.local/share/Steam";
-      };
-
-      emulators = {
-        ryujinx = enabled;
-
-        dolphin-gamecube = {
-          enable = true;
-          package = pkgs.dolphin-emu;
-          romFolder = "gc";
-          fileTypes = [
-            ".iso"
-            ".ISO"
-            ".gcm"
-            ".GCM"
-            ".ciso"
-            ".CISO"
-            "rvz"
-          ];
-          extraArgs = "-b -e \"\${filePath}\"";
-        };
-
-        pcsx2 = enabled;
-        mgba = enabled;
-
-        "Non-SRM Shortcuts" = {
-          enable = true;
-          parserType = "Non-SRM Shortcuts";
-          extraArgs = "";
-        };
-      };
-    };
-
-    zsh.shellAliases = shellAliases;
-  };
-
-  home.packages = with pkgs; [
-    dolphin-emu
-    heroic
-    mgba
-    prismlauncher
-    ryubing
-    omnissa-horizon-client
-  ];
-}

homes/x86_64-linux/matt@allyx/default.nix

@@ -0,0 +1,89 @@
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) enabled;
+in
+{
+  home.username = "matt";
+
+  ${namespace}.desktop.gnome = enabled;
+
+  sops = {
+    age.keyFile = "/home/matt/.config/sops/age/keys.txt";
+    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+    validateSopsFiles = false;
+    secrets = {
+      "ssh-keys-public/matt" = {
+        path = "/home/matt/.ssh/id_ed25519.pub";
+        mode = "0644";
+      };
+      "ssh-keys-private/matt" = {
+        path = "/home/matt/.ssh/id_ed25519";
+        mode = "0600";
+      };
+    };
+  };
+
+  programs = {
+    steam-rom-manager = {
+      enable = true;
+      steamUsername = "mjallen18";
+
+      environmentVariables = {
+        romsDirectory = "/media/sdcard/Emulation/roms";
+        steamDirectory = "/home/matt/.local/share/Steam";
+      };
+
+      enabledProviders = [ "sgdb" "steamCDN" ];
+      imageProviderSettings.sgdb = {
+        nsfw             = false;
+        humor            = false;
+        imageMotionTypes = [ "static" ];
+      };
+
+      emulators = {
+        # --- Nintendo ---
+        ryujinx.enable    = true;   # Switch  (ryubing fork)
+        yuzu.enable       = true;   # Switch  (eden fork)
+        dolphin-emu.enable = true;  # GameCube / Wii
+        cemu.enable       = true;   # Wii U
+        melonDS.enable    = true;   # DS
+        citra.enable      = true;   # 3DS  (azahar fork)
+        mgba.enable       = true;   # Game Boy / GBC
+        mgba-gba.enable   = true;   # Game Boy Advance
+
+        # --- Sony ---
+        duckstation.enable = false;  # PS1
+        pcsx2.enable       = true;  # PS2
+        rpcs3.enable       = true;  # PS3
+        ppsspp.enable      = true;  # PSP
+
+        # --- Microsoft ---
+        xemu.enable       = true;   # Xbox
+
+        # --- Platform parsers (no ROM scanning; artwork only / launcher integration) ---
+        "Non-SRM Shortcuts".enable = true;
+      };
+    };
+  };
+
+  home.packages =
+    with pkgs;
+    [
+      dolphin-emu
+      heroic
+      mgba
+      moonlight-qt
+      prismlauncher
+      ryubing
+      omnissa-horizon-client
+    ]
+    ++ (with pkgs.${namespace}; [
+      discord-krisp
+      # librepods-beta
+    ]);
+}

homes/x86_64-linux/matt@matt-nixos/default.nix

@@ -2,7 +2,6 @@
   lib,
   pkgs,
   namespace,
-  config,
   ...
 }:
 let
@@ -17,7 +16,6 @@ let
     resolution = "3840x2160";
     refreshRate = "240.00000";
   };
-  theme = config.mjallen.theme.palette;
 in
 {
   home.username = "matt";
@@ -30,9 +28,11 @@ in
       enable = true;
     };
 
+    desktop.gnome = enabled;
+
     programs = {
       hyprland = {
-        enable = true;
+        enable = false;
         primaryDisplay = "DP-1";
 
         monitorv2 = [
@@ -42,14 +42,14 @@ in
             position = "0x0";
             scale = 1.0;
             extra = [
-              "bitdepth"
-              "10"
-              "cm"
-              "hdr"
-              "sdrbrightness"
-              "1.2"
-              "sdrsaturation"
-              "0.98"
+              # "bitdepth"
+              # "10"
+              # "cm"
+              # "hdredid"
+              # "sdrbrightness"
+              # "1.2"
+              # "sdrsaturation"
+              # "0.98"
             ];
           }
           {
@@ -58,14 +58,14 @@ in
             position = "3840x0";
             scale = 1.0;
             extra = [
-              "bitdepth"
-              "10"
-              "cm"
-              "hdr"
-              "sdrbrightness"
-              "1.5"
-              "sdrsaturation"
-              "0.98"
+              # "bitdepth"
+              # "10"
+              # "cm"
+              # "hdredid"
+              # "sdrbrightness"
+              # "1.5"
+              # "sdrsaturation"
+              # "0.98"
             ];
           }
         ];
@@ -77,7 +77,7 @@ in
         ];
 
         windowRule = [
-          "size 2160 7680, tag:horizonrdp"
+          "match:tag horizonrdp, size 2160 7680"
         ];
 
         autostartCommands = [
@@ -104,18 +104,13 @@ in
         };
       };
       btop = enabled;
-      kitty = enabled;
-      mako = enabled;
-      nwg-dock = enabled;
-      nwg-drawer = enabled;
-      nwg-panel = {
-        enable = true;
-        defaultApps = {
-          browser = pkgs.firefox;
-        };
-      };
+      kitty = disabled;
+      mako = disabled;
+      nwg-dock = disabled;
+      nwg-drawer = disabled;
+      nwg-panel = disabled;
       waybar = {
-        enable = true;
+        enable = false;
 
         layer = "bottom";
 
@@ -149,8 +144,8 @@ in
           }
         '';
       };
-      wlogout = enabled;
-      wofi = enabled;
+      wlogout = disabled;
+      wofi = disabled;
     };
   };
 
@@ -165,34 +160,35 @@ in
     password-store = enabled;
   };
 
-  home.packages = with pkgs; [
-    pkgs.${namespace}.bolt-launcher
-    pkgs.${namespace}.librepods
-
-    bottles
-    compose2nix
-    discord
-    distrobox
-    heroic
-    omnissa-horizon-client
-    jq
-    lutris
-    lzip
-    morph
-    orca-slicer
-    piper
-    prismlauncher
-    protontricks
-    protonvpn-gui
-    python3
-    runelite
-    smile
-    unigine-heaven
-    via
-    virt-manager
-    vorta
-    waydroid-helper
-  ];
+  home.packages =
+    with pkgs;
+    [
+      bolt-launcher
+      clevis
+      compose2nix
+      distrobox
+      heroic
+      home-manager
+      omnissa-horizon-client
+      jq
+      lzip
+      morph
+      orca-slicer
+      piper
+      prismlauncher
+      protontricks
+      protonvpn-gui
+      runelite
+      smile
+      via
+      virt-manager
+      vorta
+      waydroid-helper
+    ]
+    ++ (with pkgs.${namespace}; [
+      discord-krisp
+      # librepods
+    ]);
 
   specialisation = {
     "cosmic".configuration = {

homes/x86_64-linux/nixos@iso-minimal/default.nix

@@ -0,0 +1,18 @@
+{
+  lib,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) disabled;
+in
+{
+  home.username = "nixos";
+  services = {
+    nextcloud-client = lib.mkForce disabled;
+    kdeconnect = {
+      enable = false;
+      indicator = false;
+    };
+  };
+}

homes/x86_64-linux/root@allyx/default.nix

@@ -4,7 +4,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
+  inherit (lib.${namespace}) disabled;
 in
 {
   home.username = "root";

homes/x86_64-linux/root@iso-minimal/default.nix

@@ -4,7 +4,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
+  inherit (lib.${namespace}) disabled;
 in
 {
   home.username = "root";

homes/x86_64-linux/root@jallen-nas/default.nix

@@ -4,7 +4,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
+  inherit (lib.${namespace}) disabled;
 in
 {
   home.username = "root";

homes/x86_64-linux/root@matt-nixos/default.nix

@@ -4,7 +4,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
+  inherit (lib.${namespace}) disabled;
 in
 {
   home.username = "root";

homes/x86_64-linux/root@nuc-nixos/default.nix

@@ -4,7 +4,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
+  inherit (lib.${namespace}) disabled;
 in
 {
   home.username = "root";

lib/default.nix

@@ -15,5 +15,11 @@
 
     # Import examples
     examples = import ./examples { inherit inputs; };
+
+    # Import versioning utilities
+    versioning = import ./versioning {
+      lib = inputs.nixpkgs.lib;
+      inherit inputs;
+    };
   };
 }

lib/examples/file-utils.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 let
-  inherit (lib.mjallen.file)
+  inherit (lib.${namespace}.file)
     readFile
     pathExists
     safeImport

lib/examples/home-sops.nix

@@ -2,10 +2,11 @@
   config,
   lib,
   pkgs,
+  namespace,
   ...
 }:
 let
-  inherit (lib.mjallen.module) mkModule mkOpt;
+  inherit (lib.${namespace}.module) mkModule mkOpt;
 in
 mkModule {
   name = "sops";
@@ -23,13 +24,16 @@ mkModule {
     ];
 
     sops = {
-      inherit (config.mjallen.sops) defaultSopsFile;
+      inherit (config.${namespace}.sops) defaultSopsFile;
       defaultSopsFormat = "yaml";
 
       age = {
         generateKey = true;
         keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
-        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ config.mjallen.sops.sshKeyPaths;
+        sshKeyPaths = [
+          "${config.home.homeDirectory}/.ssh/id_ed25519"
+        ]
+        ++ config.${namespace}.sops.sshKeyPaths;
       };
     };
   };

lib/examples/reverseproxy.nix

@@ -1,7 +1,7 @@
 # Example usage of the reverse proxy utilities
-{ lib, ... }:
+{ lib, namespace, ... }:
 let
-  inherit (lib.mjallen-lib.reverseproxy)
+  inherit (lib.${namespace} - lib.reverseproxy)
     mkReverseProxy
     mkReverseProxies
     templates

lib/examples/sops.nix

@@ -1,6 +1,11 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
 let
-  inherit (lib.mjallen.module) mkModule mkOpt mkBoolOpt;
+  inherit (lib.${namespace}.module) mkModule mkOpt mkBoolOpt;
 in
 mkModule {
   name = "sops";
@@ -22,18 +27,18 @@ mkModule {
   };
   config = {
     sops = {
-      inherit (config.mjallen.sops) defaultSopsFile validateSopsFiles;
+      inherit (config.${namespace}.sops) defaultSopsFile validateSopsFiles;
 
       age = {
-        inherit (config.mjallen.sops) generateAgeKey;
+        inherit (config.${namespace}.sops) generateAgeKey;
 
         keyFile =
-          if config.mjallen.sops.ageKeyPath != null then
-            config.mjallen.sops.ageKeyPath
+          if config.${namespace}.sops.ageKeyPath != null then
+            config.${namespace}.sops.ageKeyPath
           else
-            "${config.users.users.${config.mjallen.user.name}.home}/.config/sops/age/keys.txt";
+            "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
 
-        sshKeyPaths = config.mjallen.sops.sshKeyPaths;
+        sshKeyPaths = config.${namespace}.sops.sshKeyPaths;
       };
     };
   };

lib/examples/system-utils.nix

@@ -1,6 +1,6 @@
-{ inputs, ... }:
+{ inputs, namespace, ... }:
 let
-  inherit (inputs.self.mjallen-lib.system.common)
+  inherit (inputs.self.${namespace} - lib.system.common)
     mkExtendedLib
     mkNixpkgsConfig
     mkHomeConfigs
@@ -13,10 +13,10 @@ in
   nixosConfigurations =
     let
       # Get all systems
-      allSystems = inputs.self.mjallen-lib.file.scanSystems ../systems;
+      allSystems = inputs.self.${namespace} - lib.file.scanSystems ../systems;
 
       # Filter for NixOS systems
-      nixosSystems = inputs.self.mjallen-lib.file.filterNixOSSystems allSystems;
+      nixosSystems = inputs.self.${namespace} - lib.file.filterNixOSSystems allSystems;
     in
     inputs.nixpkgs.lib.mapAttrs' (
       _name:
@@ -74,7 +74,7 @@ in
             # Import all nixos modules recursively
             ../${system}/${hostname}
           ]
-          ++ (extendedLib.mjallen.file.importModulesRecursive ../modules/nixos);
+          ++ (extendedLib.${namespace}.file.importModulesRecursive ../modules/nixos);
         };
       }
     ) nixosSystems;
@@ -83,7 +83,7 @@ in
   homeConfigurations =
     let
       # Get all homes
-      allHomes = inputs.self.mjallen-lib.file.scanHomes ../homes;
+      allHomes = inputs.self.${namespace} - lib.file.scanHomes ../homes;
     in
     inputs.nixpkgs.lib.mapAttrs' (
       _name:
@@ -125,7 +125,7 @@ in
             # Import the home configuration
             path
           ]
-          ++ (extendedLib.mjallen.file.importModulesRecursive ../modules/home);
+          ++ (extendedLib.${namespace}.file.importModulesRecursive ../modules/home);
         };
       }
     ) allHomes;

lib/module/default.nix

@@ -1,4 +1,8 @@
-{ inputs }:
+{
+  inputs,
+  lib,
+  namespace,
+}:
 let
   inherit (inputs.nixpkgs.lib)
     mapAttrs
@@ -28,28 +32,161 @@ rec {
       name,
       description ? "",
       options ? { },
-      config ? { },
+      moduleConfig ? { },
+      domain ? "services",
+      config,
+      serviceName ? name,
     }:
+    let
+      cfg = config.${namespace}.${domain}.${name};
+
+      upstreamUrl =
+        if cfg.reverseProxy.upstreamUrl != null then
+          cfg.reverseProxy.upstreamUrl
+        else
+          "http://127.0.0.1:${toString cfg.port}";
+
+      fqdn = "${cfg.reverseProxy.subdomain}.${cfg.reverseProxy.domain}";
+
+      defaultConfig = {
+        # Caddy reverse proxy: when reverseProxy.enable = true, contribute this
+        # service's named-matcher block into the shared wildcard virtual host.
+        # The TLS block stays in the caddy module itself; all services merge
+        # their handle blocks into the same "*.${domain}" extraConfig via the
+        # lines type (which concatenates automatically).
+        services.caddy.virtualHosts."*.${cfg.reverseProxy.domain}" = lib.mkIf cfg.reverseProxy.enable {
+          extraConfig = ''
+            @${name} host ${fqdn}
+            handle @${name} {
+              reverse_proxy ${upstreamUrl}
+              ${cfg.reverseProxy.extraCaddyConfig}
+            }
+          '';
+        };
+
+        # Open firewall
+        networking.firewall = lib.mkIf cfg.openFirewall {
+          allowedTCPPorts = [ cfg.port ];
+          allowedUDPPorts = [ cfg.port ];
+        };
+
+        users = lib.mkIf cfg.createUser {
+          users.${name} = {
+            isSystemUser = true;
+            group = name;
+            home = cfg.configDir;
+          };
+          groups.${name} = { };
+        };
+
+        systemd.services.${serviceName} = {
+          requires = [
+            "media-nas-main.mount"
+            # "openvpn-us.protonvpn.udp.service"
+          ];
+          after = lib.mkForce [
+            "media-nas-main.mount"
+            # "openvpn-us.protonvpn.udp.service"
+          ];
+          # serviceConfig = {
+          #   NetworkNamespacePath = lib.mkIf cfg.enableVpn "/run/netns/vpn";
+          #   # Consider also setting DNS *inside* the netns (see note below).
+          # };
+        };
+
+        services = {
+          postgresql = lib.mkIf cfg.configureDb {
+            enable = true;
+            ensureDatabases = [ name ];
+            ensureUsers = [
+              {
+                name = name;
+                ensureDBOwnership = true;
+              }
+            ];
+          };
+          redis.servers.${name} = lib.mkIf cfg.redis.enable {
+            enable = true;
+            port = cfg.redis.port;
+          };
+        };
+
+        # systemd.tmpfiles.rules = [
+        #   "d ${cfg.configDir} 0700 ${name} ${name} - -"
+        #   # "d ${cfg.configDir}/server-files 0775 ${name} ${name} - -"
+        #   # "d ${cfg.configDir}/user-files 0775 ${name} ${name} - -"
+        # ];
+      };
+    in
     { lib, ... }:
     {
-      options.mjallen.${name} = lib.mkOption {
+      imports = [
+        # defaultConfig and moduleConfig are kept as separate inline modules so
+        # the NixOS module system handles all merging (mkIf, mkForce, mkMerge,
+        # etc.) correctly, rather than merging raw attrsets with // or
+        # recursiveUpdate which can silently clobber mkIf wrappers.
+        { config = lib.mkIf cfg.enable defaultConfig; }
+        { config = lib.mkIf cfg.enable moduleConfig; }
+      ];
+
+      options.${namespace}.${domain}.${name} = lib.mkOption {
         type = lib.types.submodule {
           options = {
             enable = lib.mkEnableOption description;
+
+            port = mkOpt types.int 80 "Port for ${name} to be hosted on";
+
+            configDir = mkOpt types.str "/media/nas/main/appdata" "Path to the config dir";
+
+            dataDir = mkOpt types.str "/media/nas/main" "Path to the data dir";
+
+            createUser = mkBoolOpt false "create a user for this module/service";
+
+            configureDb = mkBoolOpt false "Manage db for this service";
+
+            environmentFile = mkOpt types.str "" "Environment File";
+
+            puid = mkOpt types.str "911" "default user id";
+
+            pgid = mkOpt types.str "1000" "default group id";
+
+            timeZone = mkOpt types.str "America/Chicago" "default timezone";
+
+            listenAddress = mkOpt types.str "0.0.0.0" "Environment File";
+
+            openFirewall = mkBoolOpt true "Open the firewall";
+
+            enableVpn = mkBoolOpt true "Enable routing through VPN";
+
+            redis = {
+              enable = lib.mkEnableOption "enable redis";
+
+              port = mkOpt types.int 80 "Port for ${name} redis to be hosted on";
+            };
+
+            hashedPassword =
+              mkOpt (types.nullOr types.str)
+                "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06"
+                "Hashed password for code-server authentication";
+
+            extraEnvironment =
+              mkOpt (types.attrsOf types.str) { }
+                "Extra environment variables for code-server";
+
+            reverseProxy = mkReverseProxyOpt name;
           }
           // options;
         };
         default = { };
       };
-
-      config = lib.mkIf config.mjallen.${name}.enable config;
     };
 
+  # container
   mkContainer =
     {
       name,
       localAddress ? "127.0.0.1",
-      ports ? [ "80" ],
+      ports ? [ 80 ],
       bindMounts ? { },
       config ? { },
     }:
@@ -101,12 +238,21 @@ rec {
 
   mkBoolOpt' = mkOpt' types.bool;
 
-  mkReverseProxyOpt = {
-    enable = mkBoolOpt false "Enable reverse proxy support";
+  mkReverseProxyOpt = name: {
+    enable = mkBoolOpt false "Enable Caddy reverse proxy for this service";
 
-    subdomain = mkOpt types.str "" "subdomain of the service";
+    subdomain = mkOpt types.str name "Subdomain for the service (default: service name)";
 
-    middlewares = mkOpt (types.listOf types.str) [ ] "List of middlewares to use";
+    domain = mkOpt types.str "mjallen.dev" "Base domain for the reverse proxy";
+
+    # Override the upstream URL if the backend is not on localhost at cfg.port.
+    # Leave empty to use http://127.0.0.1:<port> automatically.
+    upstreamUrl =
+      mkOpt (types.nullOr types.str) null
+        "Override upstream URL (e.g. for services on a different host). Defaults to http://127.0.0.1:<port>.";
+
+    # Extra Caddyfile directives inserted inside the virtual host block.
+    extraCaddyConfig = mkOpt types.lines "" "Extra Caddyfile directives for this virtual host block";
   };
 
   # Standard enable/disable patterns

lib/system/common.nix

@@ -1,4 +1,4 @@
-{ inputs }:
+{ inputs, namespace }:
 let
   inherit (inputs.nixpkgs.lib) filterAttrs mapAttrs';
 in
@@ -7,7 +7,7 @@ in
     flake: nixpkgs:
     nixpkgs.lib.extend (
       _final: _prev: {
-        mjallen = flake.mjallen-lib;
+        mjallen = flake.${namespace} - lib;
       }
     );
 
@@ -30,7 +30,7 @@ in
       hostname,
     }:
     let
-      inherit (flake.mjallen-lib.file) scanHomes;
+      inherit (flake.${namespace} - lib.file) scanHomes;
       homesPath = ../../homes;
       allHomes = scanHomes homesPath;
     in
@@ -59,7 +59,7 @@ in
           sharedModules = [
             { _module.args.lib = extendedLib; }
           ]
-          ++ (extendedLib.mjallen.file.importModulesRecursive ../../modules/home);
+          ++ (extendedLib.${namespace}.file.importModulesRecursive ../../modules/home);
           users = mapAttrs' (_name: homeConfig: {
             name = homeConfig.username;
             value = {

lib/versioning/default.nix

@@ -0,0 +1,212 @@
+{
+  lib,
+  inputs,
+  system ? "aarch64-linux",
+}:
+let
+  pkgs = inputs.nixpkgs.legacyPackages.${system};
+in
+let
+  inherit (builtins)
+    isAttrs
+    isList
+    isString
+    hasAttr
+    getAttr
+    attrNames
+    toString
+    replaceStrings
+    ;
+
+  mapAttrs = lib.mapAttrs;
+  recursiveUpdate = lib.recursiveUpdate;
+
+  # Deep-merge attrsets (right-biased).
+  deepMerge = a: b: recursiveUpdate a b;
+
+  # Merge component sources: base.sources overlaid by overrides (component-wise deep merge).
+  mergeSources =
+    baseSources: overrides:
+    baseSources
+    // mapAttrs (
+      name: ov: if hasAttr name baseSources then deepMerge (getAttr name baseSources) ov else ov
+    ) overrides;
+
+  # Apply a single variant overlay (variables + sources).
+  applyVariantOnce =
+    selected: variant:
+    let
+      vVars = if variant ? variables then variant.variables else { };
+      vSrcs = if variant ? sources then variant.sources else { };
+    in
+    {
+      variables = selected.variables // vVars;
+      sources = mergeSources selected.sources vSrcs;
+    };
+
+  # Apply platform-specific overrides if present for the given system.
+  applyPlatforms =
+    selected: variant: system:
+    if system == null || !(variant ? platforms) || !(hasAttr system variant.platforms) then
+      selected
+    else
+      let
+        p = variant.platforms.${system};
+        pVars = if p ? variables then p.variables else { };
+        pSrcs = if p ? sources then p.sources else { };
+      in
+      {
+        variables = selected.variables // pVars;
+        sources = mergeSources selected.sources pSrcs;
+      };
+
+  # Resolve variant chain via inherits (ancestor first), then apply platforms.
+  resolveVariant =
+    spec: baseSelected: variantName: system:
+    if variantName == null || !(spec ? variants) || !(hasAttr variantName spec.variants) then
+      baseSelected
+    else
+      let
+        v = spec.variants.${variantName};
+        parentSelected =
+          if v ? inherits then resolveVariant spec baseSelected v.inherits system else baseSelected;
+        withVariant = applyVariantOnce parentSelected v;
+      in
+      applyPlatforms withVariant v system;
+
+  # Render ${var} substitutions in any string within attrs/lists.
+  renderValue =
+    value: vars:
+    if isString value then
+      let
+        keys = attrNames vars;
+        patterns = map (k: "\${" + k + "}") keys;
+        replacements = map (k: toString (getAttr k vars)) keys;
+      in
+      replaceStrings patterns replacements value
+    else if isAttrs value then
+      mapAttrs (_: v: renderValue v vars) value
+    else if isList value then
+      map (v: renderValue v vars) value
+    else
+      value;
+
+  # Decide fetcher for URL type based on optional extra.unpack hint.
+  useFetchZip = comp: comp ? extra && comp.extra ? unpack && comp.extra.unpack == "zip";
+
+  # Build a single src from a rendered component spec.
+  mkSrcFromRendered =
+    comp:
+    let
+      fetcher = if comp ? fetcher then comp.fetcher else "none";
+    in
+    if fetcher == "github" then
+      pkgs.fetchFromGitHub (
+        {
+          owner = comp.owner;
+          repo = comp.repo;
+          # Allow tag as rev (ignore null/empty tag)
+          rev = if comp ? tag && comp.tag != null && comp.tag != "" then comp.tag else comp.rev;
+          fetchSubmodules = if comp ? submodules then comp.submodules else false;
+          hash = comp.hash;
+        }
+        // lib.optionalAttrs (comp ? name) { name = comp.name; }
+      )
+    else if fetcher == "git" then
+      pkgs.fetchgit {
+        url = comp.url;
+        rev = comp.rev;
+        fetchSubmodules = if comp ? submodules then comp.submodules else false;
+        hash = comp.hash;
+      }
+    else if fetcher == "url" then
+      let
+        url = if comp ? url then comp.url else comp.urlTemplate;
+      in
+      if useFetchZip comp then
+        pkgs.fetchzip (
+          {
+            inherit url;
+            hash = comp.hash;
+          }
+          // lib.optionalAttrs (comp ? extra && comp.extra ? stripRoot) { stripRoot = comp.extra.stripRoot; }
+        )
+      else
+        pkgs.fetchurl {
+          inherit url;
+          hash = comp.hash;
+        }
+    else if fetcher == "pypi" then
+      pkgs.python3Packages.fetchPypi {
+        pname = comp.name;
+        version = comp.version;
+        hash = comp.hash;
+      }
+    else
+      # fetcher == "none": pass-through (e.g., linux version/hash consumed by custom logic)
+      comp;
+
+in
+rec {
+  /*
+    Select a variant from a loaded version.json specification.
+
+    Usage:
+      let selected = versioning.selectVariant spec variantName system;
+      - spec: attrset from lib.importJSON ./version.json
+      - variantName: string or null (when null, uses spec.defaultVariant if present)
+      - system: string like "x86_64-linux" or null (to apply platforms overrides)
+  */
+  selectVariant =
+    spec: variantName: system:
+    let
+      chosen =
+        if variantName != null then
+          variantName
+        else
+          (if spec ? defaultVariant then spec.defaultVariant else null);
+      baseSelected = {
+        variables = if spec ? variables then spec.variables else { };
+        sources = if spec ? sources then spec.sources else { };
+      };
+    in
+    resolveVariant spec baseSelected chosen system;
+
+  /*
+    Render ${var} template substitutions across any value using provided variables.
+    Strings, attrsets, and lists are traversed.
+  */
+  render = value: variables: renderValue value variables;
+
+  /*
+    Render a component with variables and then build its src (or pass-through for fetcher "none").
+    Prefer using mkAllSources, which handles rendering for all components.
+  */
+  mkSrc =
+    comp: variables:
+    let
+      rendered = renderValue comp variables;
+    in
+    mkSrcFromRendered rendered;
+
+  /*
+    Produce an attrset of all sources for a selected spec:
+      mkAllSources selected
+    Where:
+      selected = selectVariant spec variantName system
+    Returns:
+      { componentName = src | renderedComp (for "none"); ... }
+  */
+  mkAllSources =
+    selected:
+    mapAttrs (
+      _name: comp:
+      if comp ? fetcher && comp.fetcher == "none" then
+        renderValue comp selected.variables
+      else
+        mkSrc (renderValue comp selected.variables) selected.variables
+    ) selected.sources;
+
+  # Expose deepMerge for convenience (right-biased).
+  inherit deepMerge;
+}

modules/darwin/home/default.nix

@@ -35,9 +35,6 @@
       # Pass inputs so external modules can access them
       extraSpecialArgs = {
         inherit inputs namespace;
-        overlays = with inputs; [
-          nix-vscode-extensions.overlays.default
-        ];
       };
 
       # Make ALL external HM modules available globally

modules/darwin/nix/default.nix

@@ -0,0 +1,58 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+{
+  nix = {
+    settings = {
+      # extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+      substituters = [
+        "http://jallen-nas.local:9012/nas-cache"
+        "https://nixos-apple-silicon.cachix.org"
+        "https://nixos-raspberrypi.cachix.org"
+        "https://nix-community.cachix.org"
+        "https://cache.nixos.org/"
+      ];
+      trusted-public-keys = [
+        "nas-cache:eK0eRVAt9QNwbkLIyOo9N5Z5+zi6ukI4mSlL196C7Yg="
+        "nixos-apple-silicon.cachix.org-1:8psDu5SA5dAD7qA0zMy5UT292TxeEPzIz8VVEr2Js20="
+        "nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+      warn-dirty = lib.mkForce false;
+      experimental-features = lib.mkForce [
+        "nix-command"
+        "flakes"
+      ];
+      trusted-users = [
+        "@wheel"
+        "@admin"
+      ];
+
+      builders-use-substitutes = true;
+      connect-timeout = lib.mkDefault 5;
+      fallback = true;
+      log-lines = lib.mkDefault 25;
+
+      max-free = lib.mkDefault (3000 * 1024 * 1024);
+      min-free = lib.mkDefault (512 * 1024 * 1024);
+    };
+    # Garbage collect automatically every week
+    gc = {
+      automatic = lib.mkDefault true;
+      options = lib.mkDefault "--delete-older-than 30d";
+    };
+
+    optimise.automatic = lib.mkDefault true;
+  };
+
+  nixpkgs = {
+    config = {
+      cudaSupport = lib.mkDefault config.${namespace}.hardware.nvidia.enable;
+      rocmSupport = lib.mkDefault config.${namespace}.hardware.amd.enable;
+      allowUnsupportedSystem = true;
+    };
+  };
+}

modules/home/desktop/gnome/default.nix

@@ -2,10 +2,11 @@
   config,
   lib,
   pkgs,
+  namespace,
   ...
 }:
 let
-  cfg = config.mjallen.desktop.gnome;
+  cfg = config.${namespace}.desktop.gnome;
 in
 {
   imports = [ ./options.nix ];
@@ -22,7 +23,9 @@ in
       gnomeExtensions.bing-wallpaper-changer
       gnomeExtensions.dash-to-dock
       gnomeExtensions.dash-to-panel
+      gnomeExtensions.caffeine
       gnomeExtensions.gsconnect
+      gnomeExtensions.nasa-apod
       gnomeExtensions.random-wallpaper
       gnomeExtensions.tiling-assistant
       gnomeExtensions.user-themes
@@ -34,17 +37,22 @@ in
     dconf = {
       enable = true;
       settings = {
-        "org/gnome/desktop/interface".clock-format = "12h";
-        "org/gnome/desktop/interface".color-scheme = "prefer-dark";
-        "org/gnome/desktop/interface".cursor-theme = lib.mkDefault "macOS";
-        "org/gnome/desktop/interface".enable-hot-corners = false;
-        "org/gnome/desktop/interface".font-antialiasing = "grayscale";
-        "org/gnome/desktop/interface".font-hinting = "slight";
-        "org/gnome/desktop/interface".gtk-theme = lib.mkDefault "Colloid-Dark";
-        "org/gnome/desktop/interface".icon-theme = lib.mkDefault "Colloid-Dark";
+        "io/missioncenter/MissionCenter".performance-page-cpu-graph = 2; # logical processors
+        "org/gnome/desktop/interface" = {
+          clock-format = "12h";
+          color-scheme = "prefer-dark";
+          cursor-theme = lib.mkDefault "macOS";
+          enable-hot-corners = false;
+          font-antialiasing = "grayscale";
+          font-hinting = "slight";
+          gtk-theme = lib.mkDefault "Colloid-Dark";
+          icon-theme = lib.mkDefault "Colloid-Dark";
+        };
         "org/gnome/desktop/peripherals/mouse".accel-profile = "flat";
-        "org/gnome/desktop/peripherals/touchpad".two-finger-scrolling-enabled = true;
-        "org/gnome/desktop/peripherals/touchpad".tap-to-click = true;
+        "org/gnome/desktop/peripherals/touchpad" = {
+          two-finger-scrolling-enabled = true;
+          tap-to-click = true;
+        };
         "org/gnome/mutter".experimental-features = [
           "scale-monitor-framebuffer"
           "variable-refresh-rate"
@@ -53,20 +61,36 @@ in
         "org/gnome/shell".enabled-extensions = [
           "allowlockedremotedesktop@kamens.us"
           "appindicatorsupport@rgcjonas.gmail.com"
+          "caffeine@patapon.info"
           "user-theme@gnome-shell-extensions.gcampax.github.com"
           "tiling-assistant@leleat-on-github"
           "dash-to-dock@micxgx.gmail.com"
           "BingWallpaper@ineffable-gmail.com"
           "gsconnect@andyholmes.github.io"
         ];
-        "org/gnome/shell/extensions/bingwallpaper".override-lockscreen-blur = true;
-        "org/gnome/shell/extensions/bingwallpaper".random-mode-enabled = true;
-        "org/gnome/shell/extensions/bingwallpaper".revert-to-current-image = false;
-        "org/gnome/shell/extensions/dash-to-panel".primary-monitor = 1;
-        "org/gnome/shell/extensions/dash-to-panel".multi-monitors = false;
-        "org/gnome/shell/extensions/gsconnect".id = "4db35bd2-0dcd-42a3-9f77-ef3e8bb83182";
-        "org/gnome/shell/extensions/gsconnect".name = "matt-nixos";
+        "org/gnome/shell/extensions/bingwallpaper" = {
+          override-lockscreen-blur = true;
+          random-mode-enabled = false;
+          selected-image = "current";
+          revert-to-current-image = false;
+        };
+        "org/gnome/shell/extensions/caffeine" = {
+          enable-fullscreen = true;
+          enable-mpris = true;
+          inhibit-apps = [
+            "horizon-client.desktop"
+          ];
+        };
+        "org/gnome/shell/extensions/dash-to-panel" = {
+          primary-monitor = 1;
+          multi-monitors = false;
+        };
+        "org/gnome/shell/extensions/gsconnect" = {
+          id = "4db35bd2-0dcd-42a3-9f77-ef3e8bb83182";
+          name = "matt-nixos";
+        };
         "org/gnome/shell/extensions/user-theme".name = lib.mkDefault "Colloid-Dark";
+        "org/gnome/system/location".enabled = true;
         "org/gtk/settings/file-chooser".clock-format = "12h";
       };
     };

modules/home/desktop/gnome/options.nix

@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 with lib;
 {
-  options.mjallen.desktop.gnome = {
+  options.${namespace}.desktop.gnome = {
     enable = mkEnableOption "enable gnome settings";
   };
 }

modules/home/home/default.nix

@@ -4,10 +4,12 @@
   pkgs,
   namespace,
   hasDestopEnvironment ? true,
+  system,
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
+  inherit (lib.${namespace}) enabled;
+  isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
 in
 {
   home = {
@@ -19,10 +21,13 @@ in
         age
         clinfo
         cpufetch
+        dbus
         deadnix
         lm_sensors
         nano
-        nixfmt-rfc-style
+        nebula
+        nix-prefetch-scripts
+        nixfmt
         pciutils
         protonup-ng
         rsync
@@ -38,15 +43,23 @@ in
       ++ (
         if hasDestopEnvironment then
           [
-            chromium
+            boxbuddy
+            stable.chromium
             firefox
             gamescope
             gamescope-wsi
             gparted
-            goverlay
             mission-center
+            parted
             vesktop
-          ]
+          ] ++ (
+            if !isArm then 
+              [
+                # goverlay
+                # winboat
+              ]
+            else [ ]
+          )
         else
           [ ]
       );
@@ -56,7 +69,10 @@ in
 
   programs = {
     nix-index-database.comma = enabled;
-    btop = lib.mkDefault enabled;
+    btop = {
+      enable = lib.mkDefault true;
+      package = pkgs.unstable.btop;
+    };
     fastfetch = lib.mkDefault enabled;
     home-manager = lib.mkDefault enabled;
     java = {
@@ -125,11 +141,12 @@ in
   };
 
   services = {
-    nextcloud-client.enable = lib.mkDefault hasDestopEnvironment;
+    nextcloud-client.enable = false; # lib.mkDefault hasDestopEnvironment;
     pass-secret-service = lib.mkDefault enabled;
     kdeconnect = {
       enable = lib.mkDefault hasDestopEnvironment;
-      indicator = lib.mkDefault true;
+      indicator = lib.mkDefault hasDestopEnvironment;
+      package = pkgs.kdePackages.kdeconnect-kde;
     };
   };
 }

modules/home/programs/btop/default.nix

@@ -1,7 +1,12 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
 with lib;
 let
-  cfg = config.mjallen.programs.btop;
+  cfg = config.${namespace}.programs.btop;
 in
 {
   imports = [ ./options.nix ];

modules/home/programs/btop/options.nix

@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 with lib;
 {
-  options.mjallen.programs.btop = {
+  options.${namespace}.programs.btop = {
     enable = mkEnableOption "enable btop";
   };
 }

modules/home/programs/code/default.nix

@@ -8,6 +8,7 @@
 }:
 let
   isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
+  isDarwin = ("aarch64-darwin" == system);
 
   x86_only = with pkgs; [
     vscode-extensions.redhat.vscode-xml
@@ -46,38 +47,37 @@ in
               vscode-extensions.redhat.vscode-yaml
               vscode-extensions.yy0931.vscode-sqlite3-editor
 
-              # open-remote-ssh
-              # nix-vscode-extensions.open-vsx.jeanp413.open-remote-ssh
-              open-remote-ssh
+              nix-vscode-extensions.open-vsx.jeanp413.open-remote-ssh
             ]
-            ++ (if !isArm then x86_only else [ ])
-            ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
-              {
-                name = "copilot-mcp";
-                publisher = "automatalabs";
-                version = "0.0.49";
-                sha256 = "sha256-+G2OQl5SCN7bh7MzGdYiRclIZefBE7lWnGg1kNpCvnA=";
-              }
-              {
-                name = "mcp-server-runner";
-                publisher = "zebradev";
-                version = "0.1.0";
-                sha256 = "sha256-StydVt3VzQUSS/pYp76jnIwtZlEj8gWAGzOARs93J+E=";
-              }
-              {
-                name = "claude-dev";
-                publisher = "saoudrizwan";
-                version = "3.17.9";
-                sha256 = "sha256-y3bFtMe5vZrO3DFb31KDvkzjD2jM76wK89mKhgJXC70=";
-              }
-            ];
+            ++ (if !isArm then x86_only else [ ]);
+            # ++ (if !isDarwin then [ open-remote-ssh ] else [ ]);
+            # ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
+            #   {
+            #     name = "copilot-mcp";
+            #     publisher = "automatalabs";
+            #     version = "0.0.49";
+            #     sha256 = "sha256-+G2OQl5SCN7bh7MzGdYiRclIZefBE7lWnGg1kNpCvnA=";
+            #   }
+            #   {
+            #     name = "mcp-server-runner";
+            #     publisher = "zebradev";
+            #     version = "0.1.0";
+            #     sha256 = "sha256-StydVt3VzQUSS/pYp76jnIwtZlEj8gWAGzOARs93J+E=";
+            #   }
+            #   {
+            #     name = "claude-dev";
+            #     publisher = "saoudrizwan";
+            #     version = "3.17.9";
+            #     sha256 = "sha256-y3bFtMe5vZrO3DFb31KDvkzjD2jM76wK89mKhgJXC70=";
+            #   }
+            # ];
 
           userSettings = {
 
+            "database-client.autoSync" = true;
+
             "editor" = {
               "defaultFormatter" = "brettm12345.nixfmt-vscode";
-              "fontFamily" = "fira-code-nerd, FiraCode Nerd Font, Consolas, 'Courier New', monospace";
-              "fontLigatures" = true;
               "renderWhitespace" = "all";
             };
 
@@ -86,6 +86,10 @@ in
               "confirmDragAndDrop" = false;
             };
 
+            "extensions." = {
+              "autoCheckUpdates" = false;
+            };
+
             "git" = {
               "confirmSync" = false;
               "enableSmartCommit" = true;
@@ -141,6 +145,8 @@ in
 
             "security.workspace.trust.untrustedFiles" = "open";
 
+            "update.mode" = "none";
+
             "workbench" = {
               "colorCustomizations" = null;
               "editorAssociations" = {
@@ -154,8 +160,8 @@ in
       };
     };
     direnv = {
-      enable = false;
-      nix-direnv.enable = false;
+      enable = true;
+      nix-direnv.enable = true;
       enableZshIntegration = true;
     };
   };

modules/home/programs/hyprland/avizo.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  namespace,
+  lib,
+  ...
+}:
+let
+  cfg = config.${namespace}.programs.hyprland;
+in
+{
+  config = lib.mkIf cfg.enable {
+    services.avizo = {
+      enable = true;
+      settings = {
+        default = {
+          time = 1.0;
+          y-offset = 0.5;
+          fade-in = 0.1;
+          fade-out = 0.2;
+          padding = 10;
+        };
+      };
+    };
+  };
+}

modules/home/programs/hyprland/default.nix

@@ -2,15 +2,17 @@
   config,
   lib,
   pkgs,
+  namespace,
   ...
 }:
 with lib;
 let
-  cfg = config.mjallen.programs.hyprland;
+  cfg = config.${namespace}.programs.hyprland;
   drawer = "nwg-drawer -fm nautilus -term kitty -mb 10 -mt 10 -ml 10 -mr 10 -pbuseicontheme -i ${config.stylix.icons.dark}";
 in
 {
   imports = [
+    ./avizo.nix
     ./options.nix
   ];
 
@@ -62,14 +64,13 @@ in
           wl-clipboard
           wlogout
           wlroots
-          xorg.xhost
+          xhost
           xsettingsd
           xwayland
-
-          pkgs.mjallen.pipewire-python
         ]
         ++ (if cfg.notificationDaemon == "mako" then [ mako ] else [ dunst ])
         ++ (if cfg.launcher == "wofi" then [ wofi ] else [ rofi ])
+        ++ (with pkgs.${namespace}; [ pipewire-python ])
       );
 
     # Session variables
@@ -89,7 +90,7 @@ in
       NIXOS_XDG_OPEN_USE_PORTAL = "1";
       QT_AUTO_SCREEN_SCALE_FACTOR = "1";
       QT_QPA_PLATFORM = "wayland-egl";
-      QT_QPA_PLATFORMTHEME = "gtk3";
+      QT_QPA_PLATFORMTHEME = lib.mkDefault "gtk3";
       QT_SCALE_FACTOR = "1";
       QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
       SDL_VIDEODRIVER = "wayland";
@@ -111,22 +112,12 @@ in
         enable = true;
         settings = {
           preload = [ cfg.hyprpaper.wallpaperPath ];
-          wallpaper =
-            let
-              useMonitorV2 = (lib.versionAtLeast pkgs.hyprland.version "0.40.0") && (cfg.monitorv2 != [ ]);
-              names =
-                if useMonitorV2 then
-                  map (m: m.name) cfg.monitorv2
-                else
-                  [
-                    cfg.display1.input
-                    cfg.display2.input
-                  ];
-            in
-            if cfg.hyprpaper.usePerMonitor then
-              map (n: "${n}, ${cfg.hyprpaper.wallpaperPath}") names
-            else
-              [ ", ${cfg.hyprpaper.wallpaperPath}" ];
+          wallpaper = [
+            {
+              monitor = "";
+              path = cfg.hyprpaper.wallpaperPath;
+            }
+          ];
           splash = false;
         };
       };
@@ -171,18 +162,18 @@ in
       hyprlock = {
         enable = true;
         settings = {
-          background = [
+          background = mkForce [
             {
               monitor = "";
               path = "/run/wallpaper.jpg"; # supports png, jpg, webp (no animations, though)
-              color = mkForce "rgba(25, 20, 20, 1.0)";
+              color = mkDefault "rgba(25, 20, 20, 1.0";
 
               # all these options are taken from hyprland, see https://wiki.hyprland.org/Configuring/Variables/#blur for explanations
-              blur_passes = mkForce "3"; # 0 disables blurring
-              blur_size = mkForce "7";
+              blur_passes = mkDefault "3"; # 0 disables blurring
+              blur_size = mkDefault "7";
               noise = "0.0117";
               contrast = "0.8916";
-              brightness = mkForce "0.8172";
+              brightness = mkDefault "0.8172";
               vibrancy = "0.1696";
               vibrancy_darkness = "0.0";
             }
@@ -224,7 +215,7 @@ in
               halign = "center";
               valign = "center";
             }
-            # weather 
+            # weather
             {
               monitor = cfg.primaryDisplay;
               text = "cmd[update:30000] waybar-weather --hyprlock";
@@ -235,7 +226,7 @@ in
               halign = "right";
               valign = "bottom";
             }
-            # media 
+            # media
             {
               monitor = cfg.primaryDisplay;
               text = "cmd[update:1000] waybar-media";
@@ -250,9 +241,9 @@ in
           # user box
           shape = [
             {
-              monitor = "";
+              monitor = cfg.primaryDisplay;
               size = "200, 50";
-              color = "rgba(46, 52, 64, .25)";
+              color = "rgba(46, 52, 64, .25";
               rounding = -1;
               border_size = "0";
               position = "0, 0";
@@ -419,23 +410,20 @@ in
           ++ cfg.keybinds.bindm;
 
           bindel = [
-            ", XF86AudioRaiseVolume, exec, wpctl set-volume -l 1.5 @DEFAULT_AUDIO_SINK@ 5%+"
-            ", XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
+            ", XF86AudioRaiseVolume, exec, volumectl -u up"
+            ", XF86AudioLowerVolume, exec, volumectl -u down"
           ]
           ++ cfg.keybinds.bindel;
 
           bindl = [
-            ", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
+            ", XF86AudioMute, exec, volumectl toggle-mute"
             ", XF86AudioPlay, exec, playerctl play-pause"
             ", XF86AudioPrev, exec, playerctl previous"
             ", XF86AudioNext, exec, playerctl next"
-            ", XF86AudioMicMute, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"
+            ", XF86AudioMicMute, exec, volumectl -m toggle-mute"
 
-            ", XF86MonBrightnessUp, exec, brightnessctl set +5%"
-            ", XF86MonBrightnessDown, exec, brightnessctl set 5%-"
-
-            "$mod, XF86MonBrightnessUp, exec, brightnessctl -d kbd_backlight set +10%"
-            "$mod, XF86MonBrightnessDown, exec, brightnessctl -d kbd_backlight set 10%-"
+            ", XF86MonBrightnessUp, exec, lightctl up"
+            ", XF86MonBrightnessDown, exec, lightctl down"
           ]
           ++ cfg.keybinds.bindl;
 
@@ -528,80 +516,78 @@ in
           workspace = cfg.workspace;
 
           windowrule = [
-            "float, title:(file_progress)"
-            "float, title:(.*[Cc]onfirm.*)"
-            "float, title:(.*[Dd]ialog.*)"
-            "float, title:(.*[Dd]ownload.*)"
-            "float, title:(.*[Nn]otification.*)"
-            "float, title:(.*[Ee]rror.*)"
-            "float, title:(.*[Ss]plash.*)"
-            "float, title:(.*[Cc]onfirmreset.*)"
-            "float, title:(.*[Ss]ign [Ii]n - .*)"
-            "float, title:(.*[Oo]pen [Ff]ile.*)"
-            "float, title:(.*branchdialog.*)"
-            "float, class:(.*pavucontrol.*)"
-            "move onscreen cursor 0% 0%, class:(.*pavucontrol.*)"
-            "float, class:(.*[Oo]verskride.*)"
-            "float, class:(.*FileRoller.*)"
-            "float, class:(.*wlogout.*)"
-            "idleinhibit stayfocused, title:(.*mpv.*)"
+            "match:title file_progress, float 1"
+            "match:title .*[Cc]onfirm.*, float 1"
+            "match:title .*[Dd]ialog.*, float 1"
+            "match:title .*[Dd]ownload.*, float 1"
+            "match:title .*[Nn]otification.*, float 1"
+            "match:title .*[Ee]rror.*, float 1"
+            "match:title .*[Ss]plash.*, float 1"
+            "match:title .*[Cc]onfirmreset.*, float 1"
+            "match:title .*[Ss]ign [Ii]n - .*, float 1"
+            "match:title .*[Oo]pen [Ff]ile.*, float 1"
+            "match:title .*branchdialog.*, float 1"
+            "match:class .*pavucontrol.*, float 1"
+            "match:class .*pavucontrol.*, move onscreen cursor 0% 0%"
+            "match:class .*[Oo]verskride.*, float 1"
+            "match:class .*FileRoller.*, float 1"
+            "match:class .*wlogout.*, float 1"
+            "match:title .*mpv.*, idle_inhibit stayfocused"
 
-            "float, class:(.*nm-connection-editor.*)"
-            "move onscreen cursor 0% 0%, class:(.*nm-connection-editor.*)"
+            "match:class .*nm-connection-editor.*, float 1"
+            "match:class .*nm-connection-editor.*, move onscreen cursor 0% 0%"
 
-            "float, title:(Media viewer)"
-            "float, class:(it.mijorus.smile),title:(Smile)"
-            "float, class:(.blueman-manager-wrapped)$,title:(Bluetooth Devices)"
+            "match:title Media viewer, float 1"
+            "match:class it.mijorus.smile),match:title Smile, float 1"
+            "match:class .blueman-manager-wrapped)$,match:title Bluetooth Devices, float 1"
             # Picture in picture windows
-            "float, title:(.*Picture-in-Picture.*)"
-            "pin, title::(.*Picture-in-Picture.*)"
+            "match:title .*Picture-in-Picture.*, float 1"
+            "match:title .*Picture-in-Picture.*, pin 1"
 
             # discord/vesktop
-            # "workspace: name:discord, class:(.*vesktop)"
-            # "float, class:(.*vesktop),title:(.*Discord Popout.*)"
-            # "pin, class:(.*vesktop),title:(.*Discord Popout.*)"
+            # "workspace: name:discord, match:class .*vesktop"
+            # "match:class .*vesktop),match:title .*Discord Popout.*, float 1"
+            # "pin, match:class .*vesktop),match:title .*Discord Popout.*"
 
             # Music
-            # "workspace: name:discord, class:(Apple Music.*)"
+            # "workspace: name:discord, match:class Apple Music.*"
 
             # Steam
-            "float, class:(.*[Ss]team), title:(.*[Ss]team.*)$"
-            "workspace name:steam silent, class:(.*[Ss]team), title:(.*[Ss]team.*)$"
-            "tile, class:(.*[Ss]team), title:(.*[Ss]team.*)$"
-            "float, class:(.*steam),title:(.*Friends List.*)"
+            "match:class .*[Ss]team, match:title .*[Ss]team.*, float 1"
+            "match:class .*[Ss]team, match:title .*[Ss]team.*, workspace name:steam silent"
+            "match:class .*[Ss]team, match:title .*[Ss]team.*, tile 1"
+            "match:class .*steam,match:title .*Friends List.*, float 1"
 
             # Code
-            "pin, class:(.*codium.*),title:(Save As)"
-            "float, class:(.*codium.*),title:(Save As)"
-            "float, class:(xdg-desktop-portal-gtk),title:(Open Workspace from File)"
+            "match:class .*codium.*, match:title Save As, pin 1"
+            "match:class .*codium.*, match:title Save As, float 1"
+            "match:class xdg-desktop-portal-gtk, match:title Open Workspace from File, float 1"
 
             # Game Tearing??? https://wiki.hypr.land/Configuring/Tearing/
-            "immediate, class:(.*gamescope)"
+            "match:class .*gamescope.*, idle_inhibit fullscreen, content game, immediate 1"
+            "match:xdg_tag proton-game, idle_inhibit fullscreen, content game, immediate 1"
+            "match:class steam_app_.*, idle_inhibit fullscreen, content game, immediate 1"
 
             # vmware
             # this tag will set the below options to the vdi window
             # this will have it auto open as a 2160x7680 window
             # and makes multi-monitor work
-            "tag +horizonrdp, class:(.*[Hh]orizon-client),title:(USPS Next VDI)"
+            "match:class .*[Hh]orizon-client, match:title USPS Next VDI, tag +horizonrdp"
 
-            "noanim, tag:horizonrdp"
-            "noblur, tag:horizonrdp"
-            "norounding, tag:horizonrdp"
-            "noshadow, tag:horizonrdp"
-            "immediate, tag:horizonrdp"
-            "allowsinput, tag:horizonrdp"
-            "noborder, tag:horizonrdp"
-            "nodim, tag:horizonrdp"
-            "nomaxsize, tag:horizonrdp"
-            "renderunfocused, tag:horizonrdp"
-            "idleinhibit, tag:horizonrdp"
-            "float, tag:horizonrdp"
+            "match:tag horizonrdp, no_anim 1"
+            "match:tag horizonrdp, no_blur 1"
+            "match:tag horizonrdp, rounding 0"
+            "match:tag horizonrdp, no_shadow 1"
+            "match:tag horizonrdp, immediate 1"
+            "match:tag horizonrdp, allows_input 1"
+            "match:tag horizonrdp, border_size 0"
+            "match:tag horizonrdp, max_size 2160 7680"
+            "match:tag horizonrdp, min_size 1920 1080"
+            "match:tag horizonrdp, render_unfocused 1"
+            "match:tag horizonrdp, idle_inhibit 1"
+            "match:tag horizonrdp, float 1"
             # float the vmware window cause its annoying to use in fullscreen
-            "float, class:(.*[Hh]orizon-client),title:([Oo]mnissa [Hh]orizon [Cc]lient)"
-
-            "tag +waydroid, class:([Ww]aydroid.*)"
-            "float, tag:waydroid"
-            "pin, tag:waydroid"
+            "match:class .*[Hh]orizon-client),match:title [Oo]mnissa [Hh]orizon [Cc]lient, float 1"
           ]
           ++ cfg.windowRule;
 
@@ -696,12 +682,12 @@ in
             sensitivity = 0; # -1.0 - 1.0, 0 means no modification.
           };
 
-          experimental = {
-            xx_color_management_v4 = true;
-          };
+          # experimental = {
+          #   xx_color_management_v4 = true;
+          # };
 
           debug = {
-            full_cm_proto = cfg.debug.fullCmProto;
+            # full_cm_proto = cfg.debug.fullCmProto;
             disable_logs = cfg.debug.disableLogs;
             disable_scale_checks = cfg.debug.disableScaleChecks;
           };

modules/home/programs/hyprland/options.nix

@@ -1,7 +1,12 @@
-{ lib, pkgs, ... }:
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
 with lib;
 {
-  options.mjallen.programs.hyprland = {
+  options.${namespace}.programs.hyprland = {
     enable = mkEnableOption "enable hyprland";
 
     primaryDisplay = mkOption {
@@ -148,7 +153,7 @@ with lib;
 
     extraConfig = mkOption {
       type = with types; str;
-      default = '''';
+      default = "";
       description = "Any extra configuration options";
     };
 
@@ -204,7 +209,7 @@ with lib;
       type = with types; listOf str;
       default = [
         "nwg-look -a"
-        "nwg-dock-hyprland -d"
+        "nwg-dock-hyprland -x"
       ];
       description = "Commands to run via Hyprland exec-once";
     };

modules/home/programs/kitty/default.nix

@@ -1,7 +1,12 @@
-{ lib, config, ... }:
+{
+  lib,
+  config,
+  namespace,
+  ...
+}:
 with lib;
 let
-  cfg = config.mjallen.programs.kitty;
+  cfg = config.${namespace}.programs.kitty;
 in
 {
   imports = [ ./options.nix ];
@@ -12,7 +17,7 @@ in
       shellIntegration.enableZshIntegration = true;
 
       settings = {
-        bold_font = "auto"; 
+        bold_font = "auto";
         italic_font = "auto";
         bold_italic_font = "auto";
         mouse_hide_wait = "2.0";

modules/home/programs/kitty/options.nix

@@ -1,10 +1,7 @@
 { lib, namespace, ... }:
 with lib;
-let
-  inherit (lib.${namespace}) mkOpt;
-in
 {
-  options.mjallen.programs.kitty = {
+  options.${namespace}.programs.kitty = {
     enable = mkEnableOption "enable kitty terminal";
   };
 }

modules/home/programs/mako/default.nix

@@ -1,7 +1,12 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
 with lib;
 let
-  cfg = config.mjallen.programs.mako;
+  cfg = config.${namespace}.programs.mako;
 in
 {
   imports = [ ./options.nix ];

modules/home/programs/mako/options.nix

@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 with lib;
 {
-  options.mjallen.programs.mako = {
+  options.${namespace}.programs.mako = {
     enable = mkEnableOption "enable mako";
 
     fontName = mkOption {

modules/home/programs/nwg-dock/default.nix

@@ -2,12 +2,12 @@
   config,
   lib,
   pkgs,
+  namespace,
   ...
 }:
 with lib;
 let
-  cfg = config.mjallen.programs.nwg-dock;
-  palette = import cfg.theme.file;
+  cfg = config.${namespace}.programs.nwg-dock;
 in
 {
   imports = [ ./options.nix ];
@@ -16,6 +16,79 @@ in
     home.packages = with pkgs; [ nwg-dock-hyprland ];
 
     home.file = {
+      ".config/nwg-dock-hyprland/config.json".text = ''
+        {
+          "position": "bottom",
+          "anchor": "center",
+          "margin": 12,
+          "icon_size": 48,
+          "icon_size_hover": 64,
+          "spacing": 6,
+          "padding": 8,
+          "autohide": false,
+          "autohide_timeout": 0.3,
+          "exclusive": true,
+          "layer": "top",
+          "height": 72,
+          "background_alpha": 0.55,
+          "rounded_corners": 16,
+          "show_labels": false,
+          "show_running": true,
+          "show_pinned": true,
+          "pinned": [
+            "firefox.desktop",
+            "org.wezfurlong.wezterm.desktop",
+            "codium.desktop",
+            "org.gnome.Nautilus.desktop"
+          ]
+        }
+      '';
+
+      ".config/nwg-dock-hyprland/style.css".text = ''
+        window {
+          background: #36364f;
+          border-radius: 10px;
+          border-style: none;
+          border-width: 1px;
+          border-color: rgba(156, 142, 122, 0.7)
+        }
+
+        #box {
+          /* Define attributes of the box surrounding icons here */
+          padding: 10px
+        }
+
+        #active {
+          /* This is to underline the button representing the currently active window */
+          border-bottom: solid 1px;
+          border-color: rgba(255, 255, 255, 0.3)
+        }
+
+        button, image {
+          background: none;
+          border-style: none;
+          box-shadow: none;
+          color: #999
+        }
+
+        button {
+          padding: 4px;
+          margin-left: 4px;
+          margin-right: 4px;
+          color: #eee;
+          font-size: 12px
+        }
+
+        button:hover {
+          background-color: rgba(255, 255, 255, 0.15);
+          border-radius: 2px;
+        }
+
+        button:focus {
+          box-shadow: none
+        }
+      '';
+
       ".config/nwg-dock-hyprland/drawer.css".text = ''
         window {
           background: ${config.lib.stylix.colors.base00};

modules/home/programs/nwg-dock/options.nix

@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 with lib;
 {
-  options.mjallen.programs.nwg-dock = {
+  options.${namespace}.programs.nwg-dock = {
     enable = mkEnableOption "enable nwg-dock";
   };
 }

modules/home/programs/nwg-drawer/default.nix

@@ -2,12 +2,12 @@
   config,
   lib,
   pkgs,
+  namespace,
   ...
 }:
 with lib;
 let
-  cfg = config.mjallen.programs.nwg-drawer;
-  palette = import cfg.theme.file;
+  cfg = config.${namespace}.programs.nwg-drawer;
 in
 {
   imports = [ ./options.nix ];

modules/home/programs/nwg-drawer/options.nix

@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 with lib;
 {
-  options.mjallen.programs.nwg-drawer = {
+  options.${namespace}.programs.nwg-drawer = {
     enable = mkEnableOption "enable nwg-drawer";
   };
 }

modules/home/programs/nwg-panel/default.nix

@@ -1,7 +1,12 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
 with lib;
 let
-  cfg = config.mjallen.programs.nwg-panel;
+  cfg = config.${namespace}.programs.nwg-panel;
 in
 {
   imports = [ ./options.nix ];

modules/home/programs/nwg-panel/options.nix

@@ -1,7 +1,12 @@
-{ lib, pkgs, ... }:
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
 with lib;
 {
-  options.mjallen.programs.nwg-panel = {
+  options.${namespace}.programs.nwg-panel = {
     enable = mkEnableOption "enable nwg-panel";
 
     defaultApps = mkOption {

modules/home/programs/onlyoffice/default.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  isArm = builtins.match "aarch64*" system != null;
+  isArm = "aarch64-linux" == system;
 in
 {
   programs.onlyoffice = {

modules/home/programs/update-checker/default.nix

@@ -0,0 +1,290 @@
+{
+  config,
+  namespace,
+  pkgs,
+  ...
+}:
+let
+  git-token = config.sops.secrets."github-token".path;
+
+  update-checker = pkgs.writeScriptBin "update-checker" ''
+    #!/usr/bin/env nix-shell
+    #! nix-shell -i python3 --pure
+    #! nix-shell -p python3 python3Packages.pygithub python3Packages.feedparser python3Packages.requests nix-prefetch-scripts nix
+
+    import os
+    import json
+    import subprocess
+    from github import Github
+    from github import Auth
+    import feedparser
+    import requests
+
+    token = None
+
+    with open('${git-token}', 'r') as token_file:
+        token = token_file.readline()
+
+    auth = Auth.Token(token)
+
+    def check_github(owner, repo, version):
+        try:
+            release = None
+            result = None
+            prefetch = None
+            ghub = Github(auth=auth)
+            print('  getting repo ' + owner + '/' + repo)
+            repo = ghub.get_repo(owner + '/' + repo)
+            if '-b' in version:
+                release = repo.get_releases()[0]
+                latest_version = release.name
+            else:
+                try:
+                    release = repo.get_latest_release()
+                    latest_version = release.tag_name
+                except:
+                    tags = repo.get_tags()
+                    try:
+                        if tags is not None:
+                            latest_version = tags[0].name
+                    except:
+                        commits = repo.get_commits()
+                        latest_version = commits[0].sha
+
+            if latest_version is not None:
+
+                if latest_version.replace('v',''\'') != version.replace('v',''\''):
+                    print('  update found')
+                    print('  Current version: ' + version)
+                    print('  Latest version: ' + latest_version)
+                    result = subprocess.check_output(['nix-prefetch-git', '--quiet', repo.clone_url, '--rev', latest_version])
+                    prefetch = json.loads(result)
+                    print('  New hash: ' + prefetch.get('hash'))
+                else:
+                    print('  no update')
+            ghub.close()
+        except Exception as e:
+            print(e)
+
+    def check_codeberg(owner, repo, version):
+        feed = feedparser.parse('https://codeberg.org/{0}/{1}/releases.rss'.format(owner, repo))
+        if feed.status == 200:
+            entry = feed.entries[0]
+            if entry.title.replace('v',''\'') != version.replace('v',''\''):
+                print('  update found')
+                print('  Current version: ' + version)
+                print('  Latest version: ' + entry.title)
+                sha256 = subprocess.check_output(['nix-prefetch-url', url.replace(''\'''\${version}', entry.title.replace('v', ''\''))])
+                prefetch = subprocess.check_output(['nix', 'hash', 'convert', '--hash-algo', 'sha256', str(sha256.decode('utf-8').strip())])
+                print('  New hash: ' + prefetch.decode('utf-8').strip())
+            else:
+                print('  no update')
+
+    def check_open_vsx(publisher, name, version):
+        open_vsx = requests.get('https://open-vsx.org/api/' + publisher + '/' + name)
+        if open_vsx.status_code == 200:
+            extension = open_vsx.json()
+            latest_version = extension.get('version')
+            url = extension.get('files').get('download')
+            if latest_version.replace('v',''\'') != version.replace('v',''\''):
+                print('  update found')
+                print('  Current version: ' + version)
+                print('  Latest version: ' + latest_version)
+                sha256 = subprocess.check_output(['nix-prefetch-url', url])
+                prefetch = subprocess.check_output(['nix', 'hash', 'convert', '--hash-algo', 'sha256', str(sha256.decode('utf-8').strip())])
+                print('  New hash: ' + prefetch.decode('utf-8').strip())
+            else:
+                print('  no update')
+
+    def parse_nix(package_spec):
+        version = None
+        url = None
+        current_hash = None
+        owner = None
+        repo = None
+        pname = None
+        name = None
+        publisher = None
+        for line in package_spec.readlines():
+            if 'owner = "' in line and owner is None:
+                owner = line.split(' = ')[-1].replace('"', ''\'').replace(';\n', ''\'')
+            if 'repo = "' in line and repo is None:
+                repo = line.split(' = ')[-1].replace('"', ''\'').replace(';\n', ''\'')
+            if 'version = "' in line and version is None:
+                version = line.split(' = ')[-1].replace('"', ''\'').replace(';\n', ''\'')
+            if 'rev = "' in line and ''\'''\${version}' not in line:
+                version = line.split(' = ')[-1].replace('"', ''\'').replace(';\n', ''\'')
+            if 'url = "' in line and url is None:
+                url = line.split(' = ')[-1].replace('"', ''\'').replace(';\n', ''\'')
+            if 'sha256 = "' in line or ' hash = "' in line and current_hash is None:
+                current_hash = line.split(' = ')[-1].replace('"', ''\'').replace(';\n', ''\'')
+            if 'pname = "' in line and pname is None:
+                pname = line.split(' = ')[-1].replace('"', ''\'').replace(';\n', ''\'')
+            if ' name = "' in line and name is None:
+                name = line.split(' = ')[-1].replace('"', ''\'').replace(';\n', ''\'')
+            if 'publisher = "' in line and publisher is None:
+                publisher = line.split(' = ')[-1].replace('"', ''\'').replace(';\n', ''\'')
+
+        if url is None and repo is not None:
+            if 'pname' in repo:
+                repo = repo.replace(''\'''\${pname}', pname)
+            url = 'https://github.com/{0}/{1}/releases/tag/{2}'.format(owner, repo, version)
+
+        if url is not None and repo is None and 'github' in url:
+            owner = url.split('github.com/')[-1].split('/')[0]
+            repo = url.split('github.com/')[-1].split('/')[1]
+
+        if url is not None and repo is None and 'codeberg' in url:
+            owner = url.split('codeberg.org/')[-1].split('/')[0]
+            repo = url.split('codeberg.org/')[-1].split('/')[1]
+
+        if url is not None and version is None:
+            version = url.split('/')[-1].replace('.tar.gz', ''\'')
+
+        if url is not None and publisher is not None:
+            url = url.replace(''\'''\${publisher}', publisher).replace(''\'''\${name}', name)
+
+        return url, current_hash, owner, repo, pname, name, publisher, version
+
+    def parse_json(json_versions, flavor=''\''):
+        versions = json.load(json_versions)
+        linux_versions = versions.get('linux')
+        config_versions = versions.get('config')
+        patch_versions = versions.get('patches')
+        zfs_versions = versions.get('zfs')
+                
+        check_kernel(linux_versions, flavor)
+        check_cachy_config(config_versions, flavor)
+        check_patch_versions(patch_versions, flavor)
+        check_zfs_versions(zfs_versions, flavor)
+
+    def check_kernel(linux_versions, flavor=''\''):
+        srcinfo = requests.get('https://raw.githubusercontent.com/CachyOS/linux-cachyos/master/linux-cachyos' + flavor + '/.SRCINFO')
+        for line in srcinfo.text.split('\n'):
+            if 'pkgver = ' in line:
+                kernel_version = line.split('=')[-1].strip()
+                if kernel_version[-2:] == '.0':
+                    kernel_version = kernel_version[:-2]
+                if flavor in [''\'', '-lts', '-server', '-gcc', '-hardened']:
+                    release_src = 'https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-' + kernel_version + '.tar.xz'
+                if flavor == '-rc':
+                    release_src = 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/snapshot/linux-' + kernel_version.replace('.rc', '-rc') + '.tar.gz'
+        sha256 = subprocess.check_output(['nix-prefetch-url', release_src])
+        prefetch = subprocess.check_output(['nix', 'hash', 'convert', '--hash-algo', 'sha256', str(sha256.decode('utf-8').strip())])
+        current_version = linux_versions.get('version')
+        current_hash = linux_versions.get('hash')
+        latest_hash = prefetch.decode('utf-8').strip()
+        print('  Checking linux versions...')
+        if current_hash != latest_hash:
+            print('    Current rev: ' + current_version)
+            print('    Current hash: ' + current_hash)
+            print('    New rev: ' + kernel_version)
+            print('    New hash: ' + latest_hash)
+        else:
+            print('    no update')
+
+    def check_cachy_config(config_versions, flavor=''\''):
+        result = subprocess.check_output(['nix-prefetch-git', '--quiet', 'https://github.com/CachyOS/linux-cachyos.git'])
+        prefetch = json.loads(result)
+        current_version = config_versions.get('rev')
+        latest_version = prefetch.get('rev')
+        print('  Checking config versions...')
+        if current_version != latest_version:
+            print('    Current rev: ' + current_version)
+            print('    New rev: ' + latest_version)
+            print('    New hash: ' + prefetch.get('hash'))
+        else:
+            print('    no update')
+
+    def check_patch_versions(patch_versions, flavor=''\''):
+        result = subprocess.check_output(['nix-prefetch-git', '--quiet', 'https://github.com/CachyOS/kernel-patches.git'])
+        prefetch = json.loads(result)
+        current_version = patch_versions.get('rev')
+        latest_version = prefetch.get('rev')
+        print('  Checking patch versions...')
+        if current_version != latest_version:
+            print('    Current rev: ' + current_version)
+            print('    New rev: ' + latest_version)
+            print('    New hash: ' + prefetch.get('hash'))
+        else:
+            print('    no update')
+
+    def kconfig_to_nix(flavor=''\''):
+        kconfig_result = subprocess.check_output(['nix', 'build', '.#nixosConfigurations.jallen-nas.pkgs.linuxPackages_cachyos' + flavor + '.kernel.kconfigToNix', '--no-link', '--print-out-paths'])
+        config_file = kconfig_result.decode('utf-8').strip()
+        if flavor == ''\'':
+            cachy_flavor = '-gcc'
+        result = subprocess.check_output(['cat', config_file])
+        with open('/etc/nixos/packages/linux-cachyos/config-nix/cachyos' + cachy_flavor + '.x86_64-linux.nix', 'w') as config:
+            config.write(result.decode('utf-8').strip())
+
+    def check_zfs_versions(zfs_versions, flavor=''\''):
+        result = requests.get('https://raw.githubusercontent.com/CachyOS/linux-cachyos/master/linux-cachyos' + flavor + '/PKGBUILD')
+        for line in result.text.split('\n'):
+            if 'git+https://github.com/cachyos/zfs.git#commit=' in line:
+                zfs_rev = line.split('zfs.git#commit=')[-1].replace('")', ''\'')
+        result = subprocess.check_output(['nix-prefetch-git', '--quiet', 'https://github.com/CachyOS/zfs.git', '--rev', zfs_rev])
+        prefetch = json.loads(result)
+        current_version = zfs_versions.get('rev')
+        latest_version = prefetch.get('rev')
+        print('  Checking zfs versions...')
+        if current_version != latest_version:
+            print('    Current rev: ' + current_version)
+            print('    New rev: ' + latest_version)
+            print('    New hash: ' + prefetch.get('hash'))
+        else:
+            print('    no update')
+
+    for (root,dirs,files) in os.walk('/etc/nixos/packages',topdown=True):
+        if 'default.nix' in files and 'versions.json' not in files:
+            print(root.split('/')[-1])
+            with open(root + '/default.nix', 'r') as package_spec:
+                url, current_hash, owner, repo, pname, name, publisher, version = parse_nix(package_spec)
+
+            if owner is not None and repo is not None and 'codeberg' in url:
+                check_codeberg(owner, repo, version)
+
+            elif owner is not None and repo is not None and 'github' in url:
+                check_github(owner, repo, version)
+
+            elif publisher is not None and 'open-vsx' in url:
+                check_open_vsx(publisher, name, version)
+
+            else:
+                if url is not None:
+                    print(url)
+        
+        if 'default.nix' in files and 'versions.json' in files:
+            with open(root + '/versions.json', 'r') as json_versions:
+                print('Checking Linux CachyOS')
+                parse_json(json_versions)
+            with open(root + '/versions-rc.json', 'r') as json_versions:
+                print('Checking Linux CachyOS RC')
+                parse_json(json_versions, '-rc')
+            with open(root + '/versions-lts.json', 'r') as json_versions:
+                print('Checking Linux CachyOS LTS')
+                parse_json(json_versions, '-lts')
+            with open(root + '/versions-hardened.json', 'r') as json_versions:
+                print('Checking Linux CachyOS Hardened')
+                parse_json(json_versions, '-hardened')
+  '';
+in
+{
+  config = {
+
+    sops = {
+      age.keyFile = "/home/${config.${namespace}.user.name}/.config/sops/age/keys.txt";
+      defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+      validateSopsFiles = false;
+      secrets = {
+        "github-token" = { };
+      };
+      templates = {
+        ".env".content = ''
+          GITHUB_TOKEN = "${config.sops.placeholder.github-token}"
+        '';
+      };
+    };
+    home.packages = [ update-checker ];
+  };
+}

modules/home/programs/waybar/default.nix

@@ -1,7 +1,12 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
 with lib;
 let
-  cfg = config.mjallen.programs.waybar;
+  cfg = config.${namespace}.programs.waybar;
 
   baseStyle =
     if cfg.style.file != null then
@@ -383,15 +388,15 @@ in
 
               "custom/power" = {
                 format = "⏻ ";
-                tooltip =  false;
+                tooltip = false;
                 menu = "on-click";
                 menu-file = "~/.config/waybar/power_menu.xml";
                 menu-actions = {
-                    shutdown = "shutdown";
-                    reboot = "reboot";
-                    suspend = "systemctl suspend";
-                    hibernate = "systemctl hibernate";
-                    lock = "pidof hyprlock || hyprlock";
+                  shutdown = "shutdown";
+                  reboot = "reboot";
+                  suspend = "systemctl suspend";
+                  hibernate = "systemctl hibernate";
+                  lock = "pidof hyprlock || hyprlock";
                 };
               };
             }

modules/home/programs/waybar/options.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 with lib;
 let
   inherit (types)
@@ -13,7 +13,7 @@ let
     ;
 in
 {
-  options.mjallen.programs.waybar = {
+  options.${namespace}.programs.waybar = {
     enable = mkEnableOption "Waybar status bar";
 
     # Legacy/compat options (kept for backwards compatibility)

modules/home/programs/waybar/scripts/hass.nix

@@ -6,11 +6,13 @@
   ...
 }:
 let
-  cfg = config.mjallen.programs.waybar;
+  cfg = config.${namespace}.programs.waybar;
 
-  pythonEnv = pkgs.python3.withPackages (_ps: [
-    pkgs.${namespace}.homeassistant-api
-  ]);
+  pythonEnv = pkgs.python3.withPackages (
+    _ps: with pkgs.${namespace}; [
+      homeassistant-api
+    ]
+  );
 
   waybar-hass = pkgs.writeScriptBin "waybar-hass" ''
     #!${pythonEnv}/bin/python

modules/home/programs/waybar/scripts/weather.nix

@@ -2,10 +2,11 @@
   config,
   lib,
   pkgs,
+  namespace,
   ...
 }:
 let
-  cfg = config.mjallen.programs.waybar;
+  cfg = config.${namespace}.programs.waybar;
 
   waybar-weather = pkgs.writeScriptBin "waybar-weather" ''
     #!/usr/bin/env nix-shell

modules/home/programs/wlogout/default.nix

@@ -1,8 +1,12 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
 with lib;
 let
-  cfg = config.mjallen.programs.wlogout;
-  palette = import cfg.theme.file;
+  cfg = config.${namespace}.programs.wlogout;
 in
 {
   imports = [ ./options.nix ];

modules/home/programs/wlogout/options.nix

@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 with lib;
 {
-  options.mjallen.programs.wlogout = {
+  options.${namespace}.programs.wlogout = {
     enable = mkEnableOption "enable wlogout";
   };
 }

modules/home/programs/wofi/default.nix

@@ -1,8 +1,12 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
 with lib;
 let
-  cfg = config.mjallen.programs.wofi;
-  palette = import cfg.theme.file;
+  cfg = config.${namespace}.programs.wofi;
 in
 {
   imports = [ ./options.nix ];

modules/home/programs/wofi/options.nix

@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 with lib;
 {
-  options.mjallen.programs.wofi = {
+  options.${namespace}.programs.wofi = {
     enable = mkEnableOption "enable wofi";
 
     fontName = mkOption {

modules/home/services/pass/default.nix

@@ -1,8 +1,4 @@
 {
-  config,
-  lib,
-  pkgs,
-  namespace,
   ...
 }:
 {

modules/home/shell-aliases/default.nix

@@ -1,13 +1,14 @@
 {
   config,
   lib,
+  namespace,
   ...
 }:
 let
-  cfg = config.mjallen.shell-aliases;
+  cfg = config.${namespace}.shell-aliases;
 in
 {
-  options.mjallen.shell-aliases = {
+  options.${namespace}.shell-aliases = {
     enable = lib.mkEnableOption "Common shell aliases";
 
     buildHost = lib.mkOption {

modules/home/sops/default.nix

@@ -1,29 +1,28 @@
 {
   config,
   lib,
+  namespace,
   ...
 }:
 let
-  cfg = config.mjallen.sops;
+  cfg = config.${namespace}.sops;
 in
 {
   imports = [ ./options.nix ];
 
   config = lib.mkIf cfg.enable {
-    # sops = {
-    #   age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
-    #   defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
-    #   validateSopsFiles = false;
-    #   secrets = {
-    #     "ssh-keys-public/desktop-nixos" = {
-    #       path = "/home/${user}/.ssh/id_ed25519.pub";
-    #       mode = "0644";
-    #     };
-    #     "ssh-keys-private/desktop-nixos" = {
-    #       path = "/home/${user}/.ssh/id_ed25519";
-    #       mode = "0600";
-    #     };
-    #   };
-    # };
+    sops = {
+      age.keyFile = "/home/${config.${namespace}.user.name}/.config/sops/age/keys.txt";
+      defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+      validateSopsFiles = false;
+      # secrets = {
+      #   "github-token" = { };
+      # };
+      # templates = {
+      #   ".env".content = ''
+      #     GITHUB_TOKEN = "${config.sops.placeholder.github-token}"
+      #   '';
+      # };
+    };
   };
 }

modules/home/sops/options.nix

@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 with lib;
 {
-  options.mjallen.sops = {
+  options.${namespace}.sops = {
     enable = mkEnableOption "enable sops";
 
     defaultSopsFile = mkOption {

modules/home/stylix/default.nix

@@ -1,4 +1,9 @@
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  system,
+  ...
+}:
 let
   # # Pull from global theme options
   # themeSize = "standard"; # "standard" | "compact"
@@ -23,12 +28,15 @@ let
   #   schemeVariants = [ iconScheme ];
   #   colorVariants = [ iconThemeVariant ];
   # };
+  isDarwin = system == "aarch64-darwin";
 in
 {
   stylix = {
     enable = true;
+    overlays.enable = false;
     enableReleaseChecks = false;
     base16Scheme = "${pkgs.base16-schemes}/share/themes/nord.yaml";
+    polarity = "dark";
 
     cursor = {
       name = "macOS";
@@ -58,8 +66,8 @@ in
       };
 
       sizes = {
-        applications = 12;
-        desktop = 14;
+        applications = if isDarwin then 10 else 12;
+        desktop = if isDarwin then 12 else 14;
         popups = config.stylix.fonts.sizes.desktop;
         terminal = config.stylix.fonts.sizes.applications;
       };
@@ -67,9 +75,12 @@ in
 
     icons = {
       enable = true;
-      package = pkgs.colloid-icon-theme;
-      dark = "Colloid-nord-dark";
-      light = "Colloid-nord-light";
+      package = pkgs.colloid-icon-theme.override {
+        schemeVariants = [ "nord" ];
+        colorVariants = [ "default" ];
+      };
+      dark = "Colloid-Nord-Dark";
+      light = "Colloid-Nord-Light";
     };
 
     opacity = {
@@ -77,10 +88,18 @@ in
     };
 
     targets = {
-      hyprlock.enable = false;
-      gnome.enable = false;
-      # gtk.enable = false;
-      qt.enable = false;
+      hyprlock = {
+        enable = false;
+        useWallpaper = false;
+      };
+      kde.enable = false;
+      firefox = {
+        enable = false;
+        profileNames = [
+          "default"
+          "954lxlok.default"
+        ];
+      };
     };
   };
-}
+}

modules/home/user/default.nix

@@ -31,7 +31,7 @@ in
     };
     fullName = mkOption {
       type = types.str;
-      default = "Austin Horstman";
+      default = "Matt Jallen";
       description = "The full name of the user.";
     };
     home = mkOption {
@@ -41,8 +41,8 @@ in
     };
     icon = mkOption {
       type = (types.nullOr types.package);
-      default = pkgs.${namespace}.user-icon;
-      description = "The profile picture to use for the user.";
+      default = null;
+      description = "The profile picture to use for the user. Set to a package whose output is the icon file (e.g. a derivation producing a PNG).";
     };
     name = mkOption {
       type = (types.nullOr types.str);
@@ -115,8 +115,8 @@ in
           tarnow = "${getExe pkgs.gnutar} -acf ";
           untar = "${getExe pkgs.gnutar} -zxvf ";
           wget = "${getExe pkgs.wget} -c ";
-          remove-empty = ''${getExe' pkgs.findutils "find"} . -type d --empty --delete'';
-          print-empty = ''${getExe' pkgs.findutils "find"} . -type d --empty --print'';
+          remove-empty = "${getExe' pkgs.findutils "find"} . -type d --empty --delete";
+          print-empty = "${getExe' pkgs.findutils "find"} . -type d --empty --print";
           dfh = "${getExe' pkgs.coreutils "df"} -h";
           duh = "${getExe' pkgs.coreutils "du"} -h";
           usage = "${getExe' pkgs.coreutils "du"} -ah -d1 | sort -rn 2>/dev/null";
@@ -145,7 +145,7 @@ in
           myip = "${getExe pkgs.curl} ifconfig.me";
 
           # Cryptography
-          genpass = "${getExe pkgs.openssl} rand - base64 20"; # Generate a random, 20-character password
+          genpass = "${getExe pkgs.openssl} rand -base64 20"; # Generate a random, 20-character password
           sha = "shasum -a 256"; # Test checksum
         };
 

modules/nixos/boot/common/default.nix

@@ -24,6 +24,13 @@ in
   config = mkIf cfg.enable {
     boot = {
 
+      kernelModules = [ "kvm" ];
+      kernelParams = lib.mkDefault [
+        "quiet"
+        "splash"
+        "udev.log_level=3"
+      ];
+
       binfmt = lib.mkIf isArm {
         registrations."x86_64-linux" = {
           magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
@@ -36,12 +43,30 @@ in
         };
       };
 
-      supportedFilesystems = [ "bcachefs" ];
+      supportedFilesystems = {
+        bcachefs = lib.mkOverride 90 true;
+        btrfs = lib.mkOverride 90 true;
+      };
 
-      consoleLogLevel = lib.mkForce 3;
+      bcachefs.package = lib.mkOverride 90 pkgs.${namespace}.bcachefs;
+
+      consoleLogLevel = lib.mkDefault 0;
       bootspec.enable = (!isArm);
 
       initrd = {
+        verbose = lib.mkDefault false;
+        # availableKernelModules = {
+        #   bcachefs = lib.mkOverride 90 true;
+        #   btrfs = lib.mkOverride 90 true;
+        # };
+        # kernelModules = {
+        #   bcachefs = lib.mkOverride 90 true;
+        #   btrfs = lib.mkOverride 90 true;
+        # };
+        # systemd.storePaths = with pkgs; [
+        #   bcachefs-tools
+        # ];
+
         luks = mkIf cfg.yubikeyEncryption {
           devices = {
             "${config.disko.devices.disk.main.content.partitions.root.name}" = {

modules/nixos/desktop/hyprland/default.nix

@@ -58,6 +58,8 @@ in
       };
 
       gnome.gnome-keyring.enable = true;
+      geoclue2.enable = true;
+      upower.enable = true;
 
       dbus.enable = true;
       ddccontrol.enable = false;

modules/nixos/desktop/hyprland/options.nix

@@ -15,7 +15,7 @@ let
   '';
 in
 {
-  options.mjallen.desktop.hyprland = {
+  options.${namespace}.desktop.hyprland = {
     enable = mkEnableOption "enable hyprland desktop environment";
 
     wallpaperSource = mkOpt (types.enum [

modules/nixos/desktop/hyprland/wallpapers/default.nix

@@ -155,7 +155,7 @@ in
             ];
             script = ''
               ${wallpaper-command}
-              ${lib.getExe' pkgs.hyprland "hyprctl"} hyprpaper reload ,${cfg.wallpaper}
+              ${lib.getExe' pkgs.hyprland "hyprctl"} hyprpaper wallpaper ,${cfg.wallpaper},
             '';
             serviceConfig = {
               Type = "oneshot";

modules/nixos/disko/default.nix

@@ -37,14 +37,14 @@ let
     size = "100%";
     content = {
       type = cfg.filesystem;
-      # Subvolumes must set a mountpoint in order to be mounted,
-      # unless their parent is mounted
-      subvolumes = subvolumes;
     }
     // (
       if cfg.filesystem == "btrfs" then
         {
           extraArgs = [ "-f" ]; # Override existing partition
+          # Subvolumes must set a mountpoint in order to be mounted,
+          # unless their parent is mounted
+          subvolumes = subvolumes;
         }
       else
         {
@@ -64,7 +64,7 @@ let
     size = "100%";
     content = {
       type = "luks";
-      name = "cryptroot";
+      name = "${config.${namespace}.network.hostName}-cryptroot";
       extraOpenArgs = [
         "--allow-discards"
         "--perf-no_read_workqueue"
@@ -72,20 +72,21 @@ let
       ];
       settings = {
         crypttabExtraOpts = [
+          "tpm2-device=auto"
           "fido2-device=auto"
           "token-timeout=10"
         ];
       };
       content = {
         type = cfg.filesystem;
-        # Subvolumes must set a mountpoint in order to be mounted,
-        # unless their parent is mounted
-        subvolumes = subvolumes;
       }
       // (
         if cfg.filesystem == "btrfs" then
           {
             extraArgs = [ "-f" ]; # Override existing partition
+            # Subvolumes must set a mountpoint in order to be mounted,
+            # unless their parent is mounted
+            subvolumes = subvolumes;
           }
         else
           {
@@ -121,12 +122,12 @@ in
             content = {
               type = "gpt";
               partitions = {
-                FIRMWARE = lib.mkIf cfg.enableFirmware {
+                firmware = lib.mkIf cfg.firmware.enableFirmware {
                   priority = 1;
-                  name = "FIRMWARE";
+                  type = "0700";
+                  name = "${config.${namespace}.network.hostName}-FIRMWARE";
                   start = "1M";
                   end = "1G";
-                  type = "0700";
                   content = {
                     type = "filesystem";
                     format = "vfat";
@@ -135,9 +136,10 @@ in
                   };
                 };
                 ESP = {
-                  priority = if cfg.enableFirmware then 2 else 1;
+                  priority = if cfg.firmware.enableFirmware then 2 else 1;
                   type = "EF00";
                   size = "500M";
+                  name = "${config.${namespace}.network.hostName}-EFI";
                   content = {
                     type = "filesystem";
                     format = "vfat";
@@ -155,13 +157,35 @@ in
               };
             };
           };
+          # firmware = lib.mkIf cfg.firmware.enableFirmware {
+          #   device = cfg.firmware.firmwareDisk;
+          #   type = "disk";
+          #   imageSize = "1G";
+          #   content = {
+          #     type = "table";
+          #     format = "msdos";
+          #     partitions = [
+          #       {
+          #         name = "${config.${namespace}.network.hostName}-FIRMWARE";
+          #         start = "1M";
+          #         end = "1G";
+          #         content = {
+          #           type = "filesystem";
+          #           format = "vfat";
+          #           mountpoint = "/boot/firmware";
+          #           mountOptions = [ "umask=0077" ];
+          #         };
+          #       }
+          #     ];
+          #   };
+          # };
         };
 
         # configure Bcachefs
         bcachefs_filesystems = lib.mkIf (cfg.filesystem == "bcachefs") {
           mounted_subvolumes_in_multi = {
             type = "bcachefs_filesystem";
-            # passwordFile = "/etc/nixos/pool.jwe";
+            # passwordFile = "/etc/nixos/test.key";
             extraFormatArgs = [
               "--compression=${cfg.compression}"
             ];

modules/nixos/disko/options.nix

@@ -19,7 +19,10 @@ in
 
     enableLuks = mkBoolOpt false "Enable Luks";
 
-    enableFirmware = mkBoolOpt false "Enable rpi firmware part";
+    firmware = {
+      enableFirmware = mkBoolOpt false "Enable rpi firmware part";
+      firmwareDisk = mkOpt types.str "/dev/mmcblk0" "UEFI firmware disk";
+    };
 
     swapSize = mkOpt types.str "16G" "size of swap part";
 

modules/nixos/fonts/default.nix

@@ -2,10 +2,12 @@
 {
   fonts.packages = with pkgs; [
     font-awesome
+    pkgs.nerd-fonts.ubuntu
     noto-fonts
     noto-fonts-color-emoji
     meslo-lgs-nf
     pkgs.nerd-fonts.jetbrains-mono
+    rubik
   ];
   # ++ builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts); # ALL fonts
 

modules/nixos/gaming/default.nix

@@ -13,17 +13,43 @@ in
 
   config = lib.mkIf cfg.enable {
     # Network option required using sysctl to let Ubisoft Connect work as of 7-12-2023
-    boot.kernel.sysctl."net.ipv4.tcp_mtu_probing" = 1;
+    # Use mkDefault so jovian-nixos steam module (which sets this to `true`) wins.
+    boot.kernel.sysctl."net.ipv4.tcp_mtu_probing" = lib.mkDefault 1;
 
     # Configure programs
     programs.steam = {
       enable = true;
+      package = pkgs.steam.override {
+        extraPkgs =
+          _pkgs: with pkgs; [
+            libXcursor
+            libXi
+            libXinerama
+            libXScrnSaver
+            libpng
+            libpulseaudio
+            libvorbis
+            stdenv.cc.cc.lib
+            libkrb5
+            keyutils
+          ];
+      };
       # Open ports in the firewall for Steam Remote Play
       remotePlay.openFirewall = true;
       # Open ports in the firewall for Source Dedicated Server
       dedicatedServer.openFirewall = true;
-      extraCompatPackages = with pkgs; [ proton-ge-bin ];
-      gamescopeSession = {
+      extraCompatPackages =
+        with pkgs.unstable;
+        [
+          proton-ge-bin
+        ]
+        ++ (with pkgs.${namespace}; [
+          proton-cachyos
+          proton-cachyos-v3
+          proton-cachyos-v2
+          proton-cachyos-v1
+        ]);
+      gamescopeSession = lib.mkDefault {
         enable = true;
         args = [
           "-f"
@@ -45,7 +71,10 @@ in
 
       gamescope = {
         enable = true;
-        capSysNice = true;
+        # Set capSysNice = false so programs.gamescope does not create its own
+        # security.wrappers.gamescope, which conflicts with the wrapper set by
+        # jovian-nixos steam module (which already enables cap_sys_nice+pie).
+        capSysNice = false;
       };
 
       gamemode.enable = true;
@@ -61,28 +90,11 @@ in
     };
 
     environment = {
+      systemPackages = with pkgs.${namespace}; [
+      ];
       variables = {
         STEAM_FORCE_DESKTOPUI_SCALING = "1.0";
       };
     };
-
-    # Configure nixpkgs
-    nixpkgs.config.packageOverrides = pkgs: {
-      steam = pkgs.steam.override {
-        extraPkgs =
-          _pkgs: with pkgs; [
-            xorg.libXcursor
-            xorg.libXi
-            xorg.libXinerama
-            xorg.libXScrnSaver
-            libpng
-            libpulseaudio
-            libvorbis
-            stdenv.cc.cc.lib
-            libkrb5
-            keyutils
-          ];
-      };
-    };
   };
 }

modules/nixos/hardware/btrfs/default.nix

@@ -1,7 +1,12 @@
-{ lib, ... }:
+{
+  lib,
+  config,
+  namespace,
+  ...
+}:
 {
   services.btrfs = {
-    autoScrub.enable = lib.mkDefault true;
+    autoScrub.enable = lib.mkDefault (config.${namespace}.hardware.disko.filesystem == "btrfs");
     autoScrub.fileSystems = lib.mkDefault [
       "/nix"
       "/root"

modules/nixos/hardware/openrgb/default.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+let
+  hasDestopEnvironment =
+    config.${namespace}.desktop.cosmic.enable
+    || config.${namespace}.desktop.gnome.enable
+    || config.${namespace}.desktop.hyprland.enable;
+in
+{
+  config = lib.mkIf hasDestopEnvironment {
+    services.hardware.openrgb = {
+      enable = true;
+    };
+  };
+}

modules/nixos/hardware/raspberry-pi/apply-overlays-dtmerge.nix

@@ -0,0 +1,67 @@
+# modification of nixpkgs deviceTree.applyOverlays to resolve https://github.com/NixOS/nixpkgs/issues/125354
+# derived from https://github.com/NixOS/nixpkgs/blob/916ca8f2b0c208def051f8ea9760c534a40309db/pkgs/os-specific/linux/device-tree/default.nix
+{
+  lib,
+  stdenvNoCC,
+  dtc,
+  libraspberrypi,
+}:
+
+with lib;
+(
+  base: overlays':
+  stdenvNoCC.mkDerivation {
+    name = "device-tree-overlays";
+    nativeBuildInputs = [
+      dtc
+      libraspberrypi
+    ];
+    buildCommand =
+      let
+        overlays = toList overlays';
+      in
+      ''
+        mkdir -p $out
+        cd "${base}"
+        find . -type f -name '*.dtb' -print0 \
+          | xargs -0 cp -v --no-preserve=mode --target-directory "$out" --parents
+
+        for dtb in $(find "$out" -type f -name '*.dtb'); do
+          dtbCompat=$(fdtget -t s "$dtb" / compatible 2>/dev/null || true)
+          # skip files without `compatible` string
+          test -z "$dtbCompat" && continue
+
+          ${flip (concatMapStringsSep "\n") overlays (o: ''
+            overlayCompat="$(fdtget -t s "${o.dtboFile}" / compatible)"
+
+            # skip incompatible and non-matching overlays
+            if [[ ! "$dtbCompat" =~ "$overlayCompat" ]]; then
+              echo "Skipping overlay ${o.name}: incompatible with $(basename "$dtb")"
+            elif ${
+              if ((o.filter or null) == null) then
+                "false"
+              else
+                ''
+                  [[ "''${dtb//${o.filter}/}" ==  "$dtb" ]]
+                ''
+            }
+            then
+              echo "Skipping overlay ${o.name}: filter does not match $(basename "$dtb")"
+            else
+              echo -n "Applying overlay ${o.name} to $(basename "$dtb")... "
+              mv "$dtb"{,.in}
+
+              # dtmerge requires a .dtbo ext for dtbo files, otherwise it adds it to the given file implicitly
+              dtboWithExt="$TMPDIR/$(basename "${o.dtboFile}").dtbo"
+              cp -r ${o.dtboFile} "$dtboWithExt"
+
+              dtmerge "$dtb.in" "$dtb" "$dtboWithExt"
+
+              echo "ok"
+              rm "$dtb.in" "$dtboWithExt"
+            fi
+          '')}
+
+        done'';
+  }
+)

modules/nixos/hardware/raspberry-pi/audio.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+let
+  cfg = config.${namespace}.hardware.raspberry-pi.audio;
+  variant = config.${namespace}.hardware.raspberry-pi.variant;
+in
+{
+  options.${namespace}.hardware.raspberry-pi.audio = {
+    enable = lib.mkEnableOption "enable audio dt overlays";
+  };
+
+  config = lib.mkIf cfg.enable {
+    hardware.deviceTree = {
+      overlays =
+        [ ]
+        ++ (
+          with pkgs.${namespace};
+          (
+            if (variant == "5") then
+              [
+                {
+                  name = "pisound-pi5-overlay";
+                  dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-pi5-overlay.dts";
+                }
+              ]
+            else
+              [
+                {
+                  name = "pisound-overlay";
+                  dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-overlay.dts";
+                }
+              ]
+          )
+        );
+    };
+  };
+}

modules/nixos/hardware/raspberry-pi/bluetooth.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+let
+  cfg = config.${namespace}.hardware.raspberry-pi.disable-bluetooth;
+  variant = config.${namespace}.hardware.raspberry-pi.variant;
+in
+{
+  options.${namespace}.hardware.raspberry-pi.disable-bluetooth = {
+    enable = lib.mkEnableOption "enable disablewifi dt overlays";
+  };
+
+  config = lib.mkIf cfg.enable {
+    hardware.deviceTree = {
+      overlays =
+        [ ]
+        ++ (
+          if (variant == "5") then
+            [
+              {
+                name = "disable-bt-pi5-overlay";
+                dtsFile = "${
+                  pkgs.${namespace}.raspberrypi-overlays
+                }/dtbs/raspberrypi-overlays/disable-bt-pi5-overlay.dts";
+              }
+            ]
+          else
+            [
+              {
+                name = "disable-bt-overlay";
+                dtsFile = "${
+                  pkgs.${namespace}.raspberrypi-overlays
+                }/dtbs/raspberrypi-overlays/disable-bt-overlay.dts";
+              }
+            ]
+        );
+    };
+  };
+}

modules/nixos/hardware/raspberry-pi/config.nix

@@ -0,0 +1,222 @@
+# This file is a modified version of config.txt generator
+# Licensed under the terms of MIT License
+# https://raw.githubusercontent.com/nix-community/raspberry-pi-nix/refs/heads/master/rpi/config.nix
+# with modifications
+# https://raw.githubusercontent.com/nvmd/raspberry-pi-nix/refs/heads/master/rpi/config.nix
+
+{
+  lib,
+  config,
+  namespace,
+  ...
+}:
+let
+  cfg = config.${namespace}.hardware.raspberry-pi;
+
+  render-raspberrypi-config =
+    let
+
+      render-kvs =
+        kvs:
+        let
+          render-kv = k: v: if isNull v.value then k else "${k}=${toString v.value}";
+        in
+        lib.attrsets.mapAttrsToList render-kv (lib.filterAttrs (_k: v: v.enable) kvs);
+
+      render-dt-param = x: "dtparam=" + x;
+      render-dt-params = params: lib.strings.concatMapStringsSep "\n" render-dt-param (render-kvs params);
+
+      render-dt-overlay =
+        { overlay, params }:
+        lib.concatStringsSep "\n" (
+          lib.filter (x: x != "") [
+            ("dtoverlay=" + overlay)
+            (render-dt-params params)
+            "dtoverlay="
+          ]
+        );
+
+      render-options = opts: lib.strings.concatStringsSep "\n" (render-kvs opts);
+
+      render-base-dt-params = render-dt-params;
+
+      render-dt-overlays =
+        overlays:
+        lib.strings.concatMapStringsSep "\n" render-dt-overlay (
+          lib.attrsets.mapAttrsToList (overlay: params: {
+            inherit overlay;
+            inherit (params) params;
+          }) (lib.filterAttrs (_k: v: v.enable) overlays)
+        );
+
+      render-config-section =
+        conditionalFilter:
+        {
+          options,
+          base-dt-params,
+          dt-overlays,
+        }:
+        let
+          all-config = lib.concatStringsSep "\n" (
+            lib.filter (x: x != "") [
+              (render-options options)
+              (render-base-dt-params base-dt-params)
+              (render-dt-overlays dt-overlays)
+            ]
+          );
+        in
+        ''
+          [${conditionalFilter}]
+          ${all-config}
+        '';
+    in
+    conf:
+    lib.strings.concatStringsSep "\n" (
+      (lib.attrsets.mapAttrsToList render-config-section conf) ++ [ cfg.extra-config ]
+    );
+in
+{
+  options.${namespace}.hardware.raspberry-pi = {
+    config =
+      let
+        rpi-config-param = {
+          options = {
+            enable = lib.mkEnableOption "attr";
+            value = lib.mkOption {
+              type =
+                with lib.types;
+                oneOf [
+                  int
+                  str
+                  bool
+                ];
+            };
+          };
+        };
+        dt-param = {
+          options = {
+            enable = lib.mkEnableOption "attr";
+            value = lib.mkOption {
+              type =
+                with lib.types;
+                nullOr (oneOf [
+                  int
+                  str
+                  bool
+                ]);
+              default = null;
+            };
+          };
+        };
+        dt-overlay = {
+          options = {
+            enable = lib.mkEnableOption "overlay";
+            params = lib.mkOption {
+              type = with lib.types; attrsOf (submodule dt-param);
+              default = { };
+            };
+          };
+        };
+        raspberry-pi-config-options = {
+          options = {
+            options = lib.mkOption {
+              type = with lib.types; attrsOf (submodule rpi-config-param);
+              default = { };
+              description = ''
+                Common hardware configuration options, translates to
+                `<option>=<value>` in the `config.txt`.
+                <https://www.raspberrypi.com/documentation/computers/config_txt.html#common-hardware-configuration-options>
+              '';
+              example = {
+                arm_boost = {
+                  # arm_boost=1
+                  enable = true;
+                  value = true;
+                };
+              };
+            };
+            base-dt-params = lib.mkOption {
+              type = with lib.types; attrsOf (submodule dt-param);
+              default = { };
+              description = ''
+                Parameters to pass to the base DTB, translates to
+                `dtparam=<param>=<value>` in the `config.txt`.
+                <https://www.raspberrypi.com/documentation/computers/configuration.html#part3.2>
+              '';
+              example = {
+                i2c = {
+                  # dtparam=i2c=on
+                  enable = true;
+                  value = "on";
+                };
+                ant2 = {
+                  # dtparam=ant2
+                  enable = true;
+                };
+              };
+            };
+            dt-overlays = lib.mkOption {
+              type = with lib.types; attrsOf (submodule dt-overlay);
+              default = { };
+              description = ''
+                DTB overlays to enable and configure with parameters, translates to
+                ```
+                 dtoverlay=<overlay>
+                 dtparam=<param>=<value>
+                 dtoverlay=
+                ```, which is an equivalent to a more popular format of
+                `dtoverlay=<overlay>,<param>=<value>`.
+                <https://www.raspberrypi.com/documentation/computers/configuration.html#part3.1>
+              '';
+              example = {
+                vc4-kms-v3d = {
+                  # dtoverlay=vc4-kms-v3d,cma-256
+                  enable = true;
+                  params = {
+                    cma-256 = {
+                      enable = true;
+                      # value = "";
+                    };
+                  };
+                };
+                disable-bt = {
+                  # dtoverlay=disable-bt
+                  enable = true;
+                };
+              };
+            };
+          };
+        };
+      in
+      lib.mkOption {
+        type = with lib.types; attrsOf (submodule raspberry-pi-config-options);
+        description = ''
+          Configures `config.txt` file for Raspberry Pi devices.
+          The file is located on a firmware partition, usually mounted at
+          `/boot/firmware`.
+          <https://www.raspberrypi.com/documentation/computers/config_txt.html>
+        '';
+      };
+
+    extra-config = lib.mkOption {
+      type = lib.types.lines;
+      default = "";
+      description = ''
+        Extra options that will be appended to `/boot/firmware/config.txt` file.
+        For possible values, see: https://www.raspberrypi.com/documentation/computers/config_txt.html
+      '';
+    };
+
+    config-generated = lib.mkOption {
+      type = lib.types.str;
+      description = ''
+        The config file text generated by hardware.raspberry-pi.config
+      '';
+      readOnly = true;
+    };
+  };
+
+  config = {
+    ${namespace}.hardware.raspberry-pi.config-generated = render-raspberrypi-config cfg.config;
+  };
+}

modules/nixos/hardware/raspberry-pi/default.nix

@@ -7,6 +7,196 @@
 }:
 let
   cfg = config.${namespace}.hardware.raspberry-pi;
+  dt_ao_overlay = _final: prev: {
+    deviceTree = prev.deviceTree // {
+      applyOverlays = _final.callPackage ./apply-overlays-dtmerge.nix { };
+    };
+  };
+
+  # installs raspberry's firmware independent of the nixos generations
+  # sometimes referred to as "boot code"
+  raspberryPiFirmware = (
+    {
+      pkgs,
+      firmware,
+      configTxt,
+    }:
+    pkgs.replaceVarsWith {
+      src = ./generational/install-firmware.sh;
+      isExecutable = true;
+
+      replacements = {
+        inherit (pkgs) bash;
+        path = pkgs.lib.makeBinPath [
+          pkgs.coreutils
+        ];
+
+        inherit firmware configTxt;
+      };
+    }
+  );
+
+  kernelbootGenBuilder = (
+    {
+      pkgs,
+      deviceTreeInstaller,
+    }:
+    pkgs.replaceVarsWith {
+      src = ./generational/kernelboot-gen-builder.sh;
+      isExecutable = true;
+
+      replacements = {
+        inherit (pkgs) bash;
+        path = pkgs.lib.makeBinPath [
+          pkgs.coreutils
+        ];
+
+        installDeviceTree = deviceTreeInstaller;
+      };
+    }
+  );
+
+  deviceTree = (
+    {
+      pkgs,
+      firmware,
+    }:
+    pkgs.replaceVarsWith {
+      src = ./generational/install-device-tree.sh;
+      isExecutable = true;
+
+      replacements = {
+        inherit (pkgs) bash;
+        path = pkgs.lib.makeBinPath [
+          pkgs.coreutils
+        ];
+
+        inherit firmware;
+      };
+    }
+  );
+
+  mkBootloader =
+    pkgs:
+    bootloader {
+      inherit pkgs;
+      inherit (cfg) nixosGenerationsDir;
+
+      firmwareInstaller = "${raspberryPiFirmware {
+        inherit pkgs;
+        firmware = pkgs.${namespace}.raspberrypifw;
+        configTxt = pkgs.writeTextFile {
+          name = "config.txt";
+          text = ''
+            # Do not edit!
+            # This configuration file is generated from NixOS configuration
+            # options `hardware.raspberry-pi.config`.
+            # Any manual changes will be overwritten on the next configuration
+            # switch.
+            ${config.${namespace}.hardware.raspberry-pi.config-generated}
+          '';
+        };
+      }}";
+
+      nixosGenBuilder = "${kernelbootGenBuilder {
+        inherit pkgs;
+        deviceTreeInstaller =
+          let
+            cmd = deviceTree {
+              inherit pkgs;
+              firmware = cfg.firmwarePackage;
+            };
+            args = lib.optionalString (!cfg.useGenerationDeviceTree) " -r";
+          in
+          "${cmd} ${args}";
+      }}";
+
+    };
+
+  bootloader = (
+    {
+      pkgs,
+      nixosGenerationsDir,
+      firmwareInstaller,
+      nixosGenBuilder,
+    }:
+    pkgs.replaceVarsWith {
+      src = ./generational/nixos-generations-builder.sh;
+      isExecutable = true;
+
+      replacements = {
+        inherit (pkgs) bash;
+        path = pkgs.lib.makeBinPath [
+          pkgs.coreutils
+          pkgs.gnused
+        ];
+
+        # NixOS-generations -independent
+        installFirmwareBuilder = firmwareInstaller;
+        # NixOS-generations -dependent
+        inherit nixosGenerationsDir nixosGenBuilder;
+      };
+    }
+  );
+
+  # Builders used to write during system activation
+
+  ubootBuilder = import ./uboot-builder.nix {
+    inherit pkgs;
+    ubootPackage = (
+      if (cfg.variant == "5") then pkgs.${namespace}.uboot-pi5 else pkgs.${namespace}.uboot-pi4
+    );
+    firmwareBuilder = firmwarePopulateCmd;
+    extlinuxConfBuilder = config.boot.loader.generic-extlinux-compatible.populateCmd;
+  };
+
+  uefiBuilder = import ./uefi-builder.nix {
+    inherit pkgs;
+    uefiPackage = (
+      if (cfg.variant == "5") then
+        pkgs.${namespace}.uefi-rpi5
+      else
+        pkgs.${namespace}.edk2.override { MODEL = "4"; }
+    );
+    firmwareBuilder = firmwarePopulateCmd;
+  };
+
+  # Builders exposed via populateCmd, which run on the build architecture
+  populateFirmwareBuilder = import ./firmware-builder.nix {
+    pkgs = pkgs.buildPackages;
+    configTxt = pkgs.writeTextFile {
+      name = "config.txt";
+      text = ''
+        # Do not edit!
+        # This configuration file is generated from NixOS configuration
+        # options `hardware.raspberry-pi.config`.
+        # Any manual changes will be overwritten on the next configuration
+        # switch.
+        ${config.${namespace}.hardware.raspberry-pi.config-generated}
+      '';
+    };
+    firmware = pkgs.${namespace}.raspberrypifw;
+  };
+
+  firmwarePopulateCmd = "${populateFirmwareBuilder} ${firmwareBuilderArgs}";
+  firmwareBuilderArgs = lib.optionalString (!true) " -r";
+
+  # these will receive the top-level path as an argument when invoked as
+  # system.build.installBootloader
+  builder = {
+    # system.build.installBootLoader
+    uboot = "${ubootBuilder} -f /boot/firmware -b /boot -c";
+    uefi = "${uefiBuilder} -f /boot/firmware -b /boot -c";
+    kernel = builtins.concatStringsSep " " [
+      "${mkBootloader pkgs}"
+      "-g ${toString 10}"
+      "-f /boot/firmware"
+      "-c"
+    ];
+  };
+
+  # firmware: caller must provide `-c <nixos configuration>` and  `-f <firmware target path>`
+  # boot: caller must provide `-c <nixos configuration>` and `-b <boot-dir>`
 in
 {
   options.${namespace}.hardware.raspberry-pi = {
@@ -19,15 +209,82 @@ in
       ];
       description = "Raspberry Pi variant (4 or 5)";
     };
+
+    bootType = lib.mkOption {
+      type = lib.types.enum [
+        "uefi"
+        "uboot"
+        "kernel"
+      ];
+      default = "uefi";
+    };
+
+    apply-overlays-dtmerge = {
+      enable = lib.mkEnableOption "" // {
+        description = ''
+          Whether replace deviceTree.applyOverlays implementation to use dtmerge from libraspberrypi.
+          This can resolve issues with applying dtbs for the pi.
+        '';
+      };
+    };
   };
 
+  imports = [
+    ./audio.nix
+    ./bluetooth.nix
+    ./config.nix
+    ./i2c.nix
+    ./leds.nix
+    ./modesetting.nix
+    ./pwm.nix
+    ./wifi.nix
+  ];
+
   config = lib.mkIf cfg.enable {
+
+    boot = {
+      initrd.availableKernelModules = [
+        "usbhid"
+        "usb-storage"
+      ]
+      ++ (
+        if (cfg.variant == "5") then
+          [
+            "nvme"
+          ]
+        else
+          [
+            "vc4"
+            "pcie-brcmstb" # required for the pcie bus to work
+            "reset-raspberrypi" # required for vl805 firmware to load
+          ]
+      );
+      loader = {
+        # kernelFile = pkgs.stdenv.hostPlatform.linux-kernel.target;
+        generic-extlinux-compatible = {
+          enable = lib.mkDefault (if cfg.bootType == "uefi" then false else true);
+          useGenerationDeviceTree = lib.mkOverride 60 (if cfg.bootType == "uefi" then false else true);
+        };
+        systemd-boot.enable = (if cfg.bootType == "uefi" then true else false);
+        systemd-boot.extraInstallCommands =
+          let
+            bootloaderInstaller = (builder."${cfg.bootType}");
+          in
+          ''
+            ${bootloaderInstaller} -f /boot/firmware -b /boot -c
+          '';
+        grub.enable = lib.mkForce false;
+      };
+    };
+
     # Common Raspberry Pi packages
     environment.systemPackages = with pkgs; [
+      dconf
       i2c-tools
       raspberrypi-eeprom
-      raspberrypifw
-      raspberrypiWirelessFirmware
+      pkgs.${namespace}.raspberrypi-utils
+      pkgs.${namespace}.raspberrypifw
+      pkgs.${namespace}.raspberryPiWirelessFirmware
       raspberrypi-armstubs
       erofs-utils
       fex
@@ -36,37 +293,172 @@ in
     ];
 
     # Common Bluetooth configuration
-    systemd.services.btattach = {
-      before = [ "bluetooth.service" ];
-      after = [ "dev-ttyAMA0.device" ];
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        ExecStart = "${lib.getExe' pkgs.bluez "btattach"} -B /dev/ttyAMA0 -P bcm -S 3000000";
+    systemd = {
+      services.btattach = {
+        before = [ "bluetooth.service" ];
+        after = [ "dev-ttyAMA0.device" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          ExecStart = "${lib.getExe' pkgs.bluez "btattach"} -B /dev/ttyAMA0 -P bcm -S 3000000";
+        };
       };
+
+      tmpfiles.packages = [
+        pkgs.${namespace}.udev-rules
+      ];
+    };
+
+    ${namespace}.hardware.raspberry-pi = {
+      config = {
+        all = {
+          options = {
+            os_prefix = lib.mkIf (cfg.bootType == "kernel") {
+              enable = true;
+              value = "${cfg.nixosGenerationsDir}/default/"; # "nixos/<generation-name>/"
+            };
+            kernel = lib.mkIf (cfg.bootType == "kernel" || cfg.bootType == "uboot") {
+              enable = true;
+              value = (
+                if cfg.bootType == "uboot" then
+                  "u-boot.bin"
+                else if cfg.bootType == "kernel" then
+                  "kernel.img"
+                else
+                  ""
+              );
+            };
+          };
+        };
+      };
+      extra-config =
+        let
+          # https://www.raspberrypi.com/documentation/computers/config_txt.html#initramfs
+          ramfsfile = "initrd";
+          ramfsaddr = "followkernel"; # same as 0 = "after the kernel image"
+        in
+        ''
+          [all]
+          initramfs ${ramfsfile} ${ramfsaddr}
+        '';
     };
 
     # Common hardware settings
-    hardware.i2c.enable = lib.mkDefault true;
+    hardware = {
+      deviceTree = {
+        filter = lib.mkDefault (if (cfg.variant == "5") then "bcm2712*.dtb" else "bcm2711*.dtb");
+        package = lib.mkOverride 80 config.boot.kernelPackages.kernel;
+        overlays = (
+          if (cfg.variant == "4") then
+            [
+              {
+                name = "rpi4-cpu-revision";
+                dtsText = ''
+                  /dts-v1/;
+                  /plugin/;
 
-    # Pi specific settings
-    hardware.graphics.enable32Bit = lib.mkForce false;
+                  / {
+                    compatible = "brcm,bcm2711";
 
-    # Pi specific system tags
-    system.nixos.tags = (
-      let
-        bootCfg = config.boot.loader.raspberry-pi;
-      in
-      [
-        "raspberry-pi-${bootCfg.variant}"
-        bootCfg.bootloader
+                    fragment@0 {
+                      target-path = "/";
+                      __overlay__ {
+                        system {
+                          linux,revision = <0x00d03114>;
+                        };
+                      };
+                    };
+                  };
+                '';
+              }
+            ]
+          else
+            [
+              # {
+              #   name = "bcm2712d0-overlay";
+              #   dtsFile = "${pkgs.${namespace}.raspberrypi-overlays}/dtbs/raspberrypi-overlays/bcm2712d0-overlay.dts";
+              # }
+            ]
+        );
+      };
+      firmware = [ pkgs.${namespace}.raspberryPiWirelessFirmware ];
+      graphics.enable32Bit = lib.mkForce false;
+      i2c.enable = lib.mkDefault true;
+    };
+
+    system = {
+      #build.installBootLoader = lib.mkOverride 60 (if cfg.bootType == "uefi" then (builder."uefi") else (builder."uboot")); # todo
+      #boot = {
+      #  loader = {
+      #    id = lib.mkOverride 60 (if cfg.bootType == "uefi" then "raspberrypi-uefi" else "raspberrypi-uboot"); # todo
+      #    kernelFile = pkgs.stdenv.hostPlatform.linux-kernel.target;
+      #  };
+      #};
+      # Pi specific system tags
+      nixos.tags = [
+        "raspberry-pi-${cfg.variant}"
+        # config.boot.loader.raspberry-pi.bootloader
         config.boot.kernelPackages.kernel.version
-      ]
-    );
+      ];
+    };
 
     # Common programs
     programs.kdeconnect.enable = lib.mkDefault false;
 
     # Root user shell configuration
-    users.users.root.shell = pkgs.zsh;
+    users = {
+      users.root.shell = pkgs.zsh;
+      extraGroups = {
+        gpio = { };
+        i2c = { };
+        input = { };
+        plugdev = { };
+        spi = { };
+        video = { };
+      };
+    };
+
+    services = {
+      udev.packages = [
+        pkgs.${namespace}.udev-rules
+      ];
+      xserver.extraConfig =
+        let
+          identifier = "rp1";
+          driver = "rp1-vec|rp1-dsi|rp1-dpi";
+        in
+        ''
+          Section "OutputClass"
+            Identifier "${identifier}"
+            MatchDriver "${driver}"
+            Driver "modesetting"
+            Option "PrimaryGPU" "true"
+          EndSection
+        '';
+    };
+
+    nixpkgs.overlays =
+      [ ]
+      ++ (
+        if cfg.variant == "5" then
+          [
+            (_final: prev: {
+              # https://github.com/nvmd/nixos-raspberrypi/issues/64
+              # credit for the initial version of this snippet goes to @micahcc
+              jemalloc = prev.jemalloc.overrideAttrs (old: {
+                # --with-lg-page=(log2 page_size)
+                # RPi5 (bcm2712): since our page size is 16384 (2**14), we need 14
+                configureFlags =
+                  let
+                    pageSizeFlag = "--with-lg-page";
+                  in
+                  (prev.lib.filter (flag: prev.lib.hasPrefix pageSizeFlag flag == false) old.configureFlags)
+                  ++ [ "${pageSizeFlag}=14" ];
+              });
+            })
+          ]
+        else
+          [ ]
+      )
+      ++ (if cfg.apply-overlays-dtmerge.enable then [ dt_ao_overlay ] else [ ]);
   };
 }

modules/nixos/hardware/raspberry-pi/firmware-builder.nix

@@ -0,0 +1,19 @@
+{
+  pkgs,
+  configTxt,
+  firmware ? pkgs.raspberrypifw,
+}:
+
+pkgs.replaceVarsWith {
+  src = ./firmware-builder.sh;
+  isExecutable = true;
+
+  replacements = {
+    inherit (pkgs) bash;
+    path = pkgs.lib.makeBinPath [
+      pkgs.coreutils
+    ];
+
+    inherit firmware configTxt;
+  };
+}

modules/nixos/hardware/raspberry-pi/firmware-builder.sh

@@ -0,0 +1,93 @@
+#! @bash@/bin/sh -e
+
+shopt -s nullglob
+
+export PATH=/empty:@path@
+
+usage() {
+    echo "usage: $0 -c <path-to-default-configuration> [-d <firmware-dir>] [-r]" >&2
+    exit 1
+}
+
+default=                # Default configuration
+target=/boot/firmware   # Firmware target directory
+
+while getopts "c:d:r" opt; do
+    case "$opt" in
+        c) default="$OPTARG" ;;
+        d) target="$OPTARG" ;;
+        r) useVendorDeviceTree=1 ;;
+        \?) usage ;;
+    esac
+done
+
+# Copy a file from the Nix store to $target.
+declare -A filesCopied
+
+copyForced() {
+    local src="$1"
+    local dst="$2"
+    cp $src $dst.tmp
+    mv $dst.tmp $dst
+}
+
+# Add the firmware files
+# fwdir=@firmware@/share/raspberrypi/boot/
+SRC_FIRMWARE_DIR=@firmware@/share/raspberrypi/boot
+dtb_path=$SRC_FIRMWARE_DIR
+
+echo "copying firmware..."
+
+# Device Tree
+useVendorDeviceTree=1
+if [ -n "$useVendorDeviceTree" ]; then
+    echo -n "using vendor firmware from "
+    dtb_path=$SRC_FIRMWARE_DIR
+else
+    echo -n "using default generation's kernel device tree binaries: "
+    dtb_path=$(readlink -f $default/dtbs)
+fi
+echo $dtb_path
+
+DTBS=("$dtb_path"/*.dtb)
+echo "dtbs all: $DTBS"
+for dtb in "${DTBS[@]}"; do
+# for dtb in $dtb_path/broadcom/*.dtb; do
+    dst="$target/$(basename $dtb)"
+    copyForced $dtb "$dst"
+    filesCopied[$dst]=1
+done
+
+SRC_OVERLAYS_DIR="$dtb_path/overlays"
+SRC_OVERLAYS=("$SRC_OVERLAYS_DIR"/*)
+mkdir -p $target/overlays
+for ovr in "${SRC_OVERLAYS[@]}"; do
+# for ovr in $dtb_path/overlays/*; do
+    dst="$target/overlays/$(basename $ovr)"
+    copyForced $ovr "$dst"
+    filesCopied[$dst]=1
+done
+
+# remove obsolete device tree files
+for fn in $target/*.dtb $target/overlays/*; do
+    if ! test "${filesCopied[$fn]}" = 1; then
+        rm -vf -- "$fn"
+    fi
+done
+
+
+# Boot code
+
+STARTFILES=("$SRC_FIRMWARE_DIR"/start*.elf)
+BOOTCODE="$SRC_FIRMWARE_DIR/bootcode.bin"
+FIXUPS=("$SRC_FIRMWARE_DIR"/fixup*.dat)
+for SRC in "${STARTFILES[@]}" "$BOOTCODE" "${FIXUPS[@]}"; do
+    dst="$target/$(basename $SRC)"
+    copyForced "$SRC" "$dst"
+done
+
+echo "copying config.txt..."
+# Add the config.txt
+copyForced @configTxt@ $target/config.txt
+
+echo "raspberry pi firmware installed"

modules/nixos/hardware/raspberry-pi/generational/install-device-tree.sh

@@ -0,0 +1,77 @@
+#! @bash@/bin/sh -e
+
+# shellcheck disable=SC3030,SC3043,SC3044,SC3054
+
+shopt -s nullglob
+
+export PATH=/empty:@path@
+
+usage() {
+    echo "usage: $0 -c <path-to-configuration> [-d <destination-dir>] [-r]" >&2
+    exit 1
+}
+
+generationPath=         # Path to nixos configuration/generation
+target=/boot/firmware   # Device tree files target directory
+
+while getopts "c:d:r" opt; do
+    case "$opt" in
+        c) generationPath="$OPTARG" ;;
+        d) target="$OPTARG" ;;
+        r) useVendorDeviceTree=1 ;;
+        \?) usage ;;
+    esac
+done
+
+# Copy a file from the Nix store to $target.
+declare -A filesCopied
+
+copyForced() {
+    local src="$1"
+    local dst="$2"
+
+    local dstTmp="$dst.tmp.$$"
+
+    cp "$src" "$dstTmp"
+    mv "$dstTmp" "$dst"
+}
+
+echo "$0: $@"
+echo -n "installing device tree files: "
+
+# Device Tree
+
+if [ -n "$useVendorDeviceTree" ]; then
+    echo -n "vendor firmware "
+    dtb_path=@firmware@/share/raspberrypi/boot
+else
+    echo -n "generation's kernel's "
+    dtb_path=$(readlink -f "$generationPath/dtbs")
+fi
+echo "$dtb_path"
+
+# firmware package has dtbs in its root,
+# dtbs built with kernel are in broadcom/
+DTBS=("$dtb_path"/*.dtb "$dtb_path"/broadcom/*.dtb)
+echo "all dtbs: $DTBS"
+for dtb in "${DTBS[@]}"; do
+    dst="$target/$(basename "$dtb")"
+    echo "$dtb"
+    copyForced "$dtb" "$dst"
+    filesCopied[$dst]=1
+done
+
+SRC_OVERLAYS=("$dtb_path/overlays"/*)
+mkdir -p "$target/overlays"
+for ovr in "${SRC_OVERLAYS[@]}"; do
+    dst="$target/overlays/$(basename "$ovr")"
+    copyForced "$ovr" "$dst"
+    filesCopied[$dst]=1
+done
+
+# remove obsolete device tree files
+for fn in $target/*.dtb $target/overlays/*; do
+    if ! test "${filesCopied[$fn]}" = 1; then
+        rm -vf -- "$fn"
+    fi
+done