flake.lock: Update

Flake lock file updates: • Updated input 'darwin': 'github:lnl7/nix-darwin/7220b01d679e93ede8d7b25d6f392855b81dd475' (2025-08-15) → 'github:lnl7/nix-darwin/8df64f819698c1fee0c2969696f54a843b2231e8' (2025-08-22) • Updated input 'disko': 'github:nix-community/disko/8246829f2e675a46919718f9a64b71afe3bfb22d' (2025-08-12) → 'github:nix-community/disko/4073ff2f481f9ef3501678ff479ed81402caae6d' (2025-08-18) • Updated input 'helix': 'github:helix-editor/helix/a4a2b50a50971bc43952f5f75d19a56689793a6a' (2025-08-15) → 'github:helix-editor/helix/22a3b10dd8ab907367ae1fe57d9703e22b30d391' (2025-08-22) • Updated input 'home-manager': 'github:nix-community/home-manager/2a749f4790a14f7168be67cdf6e548ef1c944e10' (2025-08-16) → 'github:nix-community/home-manager/8b55a6ac58b678199e5bba701aaff69e2b3281c0' (2025-08-23) • Updated input 'nix2vim': 'github:gytis-ivaskevicius/nix2vim/94f136cece965e33aa4ccccb4ca1af04772851f4' (2025-07-15) → 'github:gytis-ivaskevicius/nix2vim/78467c8de07719f92397179844bf75cdf2e58b83' (2025-08-16) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/fbcf476f790d8a217c3eab4e12033dc4a0f6d23c' (2025-08-14) → 'github:nixos/nixpkgs/20075955deac2583bb12f07151c2df830ef346b4' (2025-08-19) • Updated input 'nur': 'github:nix-community/nur/160c1c1c8737a0e2109b6181a191779ac2e42f7f' (2025-08-16) → 'github:nix-community/nur/1a47d83c521c098debd6d1f2c2ae313a5bb729f9' (2025-08-23)
Try to fix automatic timezone issues
2025-08-23 20:44:41 +00:00 · 2025-08-23 03:58:42 +00:00 · 2025-08-19 08:51:18 -04:00 · 2025-08-17 20:23:22 -04:00 · 2025-08-17 20:23:17 -04:00 · 2025-08-17 20:04:49 -04:00
111 changed files with 3445 additions and 515 deletions
--- a/.github/workflows/arrow-aws.yml
+++ b/.github/workflows/arrow-aws.yml
@@ -3,7 +3,7 @@ name: Arrow (AWS)
 run-name: Arrow (AWS) - ${{ inputs.rebuild && 'Rebuild and ' || '' }}${{ inputs.action == 'create' && 'Create' || ( inputs.action == 'destroy' && 'Destroy' || 'No Action' ) }}
 env:
-  TERRAFORM_DIRECTORY: hosts/arrow/aws
+  TERRAFORM_DIRECTORY: deploy/aws
  DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }}
  ARROW_IDENTITY_BASE64: ${{ secrets.ARROW_IDENTITY_BASE64 }}
  ZONE_NAME: masu.rs
--- a/.github/workflows/flame.yml
+++ b/.github/workflows/flame.yml
@@ -0,0 +1,200 @@
 name: Flame
 run-name: Flame - ${{ inputs.rebuild && 'Rebuild and ' || '' }}${{ inputs.action == 'create' && 'Create' || ( inputs.action == 'destroy' && 'Destroy' || 'No Action' ) }}
 env:
  TERRAFORM_DIRECTORY: deploy/oracle
  DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }}
  FLAME_IDENTITY_BASE64: ${{ secrets.FLAME_IDENTITY_BASE64 }}
  ZONE_NAME: masu.rs
  CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
  CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
  OCI_CLI_USER: "ocid1.user.oc1..aaaaaaaa6lro2eoxdajjypjysepvzcavq5yn4qyozjyebxdiaoqziribuqba"
  OCI_CLI_TENANCY: "ocid1.tenancy.oc1..aaaaaaaaudwr2ozedhjnrn76ofjgglgug6gexknjisd7gb7tkj3mjdp763da"
  OCI_CLI_FINGERPRINT: "dd:d0:da:6d:83:46:8b:b3:d9:45:2b:c7:56:ae:30:94"
  OCI_CLI_KEY_CONTENT: "${{ secrets.OCI_PRIVATE_KEY }}"
  TF_VAR_oci_private_key: "${{ secrets.OCI_PRIVATE_KEY }}"
  OCI_CLI_REGION: "us-ashburn-1"
 on:
  workflow_dispatch:
    inputs:
      rebuild:
        description: Rebuild Image
        type: boolean
        default: false
      action:
        description: Terraform Action
        type: choice
        required: true
        default: create
        options:
          - create
          - destroy
          - nothing
 permissions:
  id-token: write
  contents: write
 jobs:
  build-deploy:
    name: Build and Deploy
    # runs-on: ubuntu-latest
    runs-on: ubuntu-24.04-arm
    steps:
      - name: Checkout Repo Code
        uses: actions/checkout@v4
      # - name: Write OCI Key to File
      #   run: |
      #     echo "${{ env.OCI_PRIVATE_KEY_BASE64 }}" | base64 -d > OCI_PRIVATE_KEY
      # # Enable access to KVM, required to build an image
      # - name: Enable KVM group perms
      #   if: inputs.rebuild && inputs.action != 'destroy'
      #   run: |
      #       echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
      #       sudo udevadm control --reload-rules
      #       sudo udevadm trigger --name-match=kvm
      #       sudo apt-get install -y qemu-user-static
      # Install Nix
      - name: Install Nix
        # if: inputs.rebuild && inputs.action != 'destroy'
        uses: cachix/install-nix-action@v31.4.1
        with:
          enable_kvm: true
          extra_nix_config: |
            system = aarch64-linux
            system-features = aarch64-linux arm-linux kvm
      # Build the image
      - name: Build Image
        if: inputs.rebuild && inputs.action != 'destroy'
        run: nix build .#flame-qcow --system aarch64-linux
      - name: List Images
        if: inputs.rebuild && inputs.action != 'destroy'
        run: |
          ls -lh result/
          echo "IMAGE_NAME=$(ls result/nixos.qcow2) >> $GITHUB_ENV
      - name: Upload Image to S3
        if: inputs.rebuild && inputs.action != 'destroy'
        # env:
        #   AWS_ACCESS_KEY_ID: "<YOUR_OCI_ACCESS_KEY>"
        #   AWS_SECRET_ACCESS_KEY: "<YOUR_OCI_SECRET_KEY>"
        #   AWS_DEFAULT_REGION: "us-ashburn-1" # e.g., us-ashburn-1, us-phoenix-1
        #   AWS_ENDPOINT_URL: "https://masur.compat.objectstorage.us-ashburn-1.oraclecloud.com"
        uses: oracle-actions/run-oci-cli-command@v1.3.2
        with:
          command: |
            os object put \
              --namespace "idptr5akf9pf" \
              --bucket-name "noahmasur-images" \
              --name "nixos.qcow2" \
              --file "${IMAGE_NAME}" \
              --part-size 128 \ # Optional: Specify part size in MiB for multipart uploads, default is 128 MiB
              --parallel-upload-count 5 # Optional: Number of parallel uploads, default is 3
      # Login to AWS
      - name: AWS Assume Role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::286370965832:role/github_actions_admin
          aws-region: us-east-1
      # Installs the Terraform binary and some other accessory functions.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
      # Checks whether Terraform is formatted properly. If this fails, you
      # should install the pre-commit hook.
      - name: Check Formatting
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: |
          terraform fmt -no-color -check -diff -recursive
      # Connects to remote state backend and download providers.
      - name: Terraform Init
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: terraform init -input=false
      # Deploys infrastructure or changes to infrastructure.
      - name: Terraform Apply
        if: inputs.action == 'create'
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: |
          terraform apply \
            -auto-approve \
            -input=false
      # Removes infrastructure.
      - name: Terraform Destroy
        if: inputs.action == 'destroy'
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: |
          terraform destroy \
            -auto-approve \
            -input=false
      - name: Get Host IP
        if: inputs.action == 'create'
        id: host
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: terraform output -raw host_ip
      - name: Wait on SSH
        if: inputs.action == 'create'
        run: |
          for i in $(seq 1 15); do
            if $(nc -z -w 3 ${{ steps.host.outputs.stdout }} 22); then
              exit 0
            fi
            sleep 10
          done
      - name: Write Identity Keys to Files
        if: inputs.action == 'create'
        run: |
          echo "${{ env.DEPLOY_IDENTITY_BASE64 }}" | base64 -d > deploy_ed25519
          chmod 0600 deploy_ed25519
          echo "${{ env.FLAME_IDENTITY_BASE64 }}" | base64 -d > flame_ed25519
          chmod 0600 flame_ed25519
          mkdir -pv "${HOME}/.ssh/"
          cp deploy_ed25519 "${HOME}/.ssh/id_ed25519"
      - name: Run nixos-anywhere
        if: inputs.action == 'create'
        run: |
          nix run github:nix-community/nixos-anywhere -- --flake github:nmasur/dotfiles#flame --build-on remote --no-reboot --target-host ubuntu@${{ steps.host.outputs.stdout }}
          reboot now
      - name: Wait on SSH After Reboot
        if: inputs.action == 'create'
        run: |
          for i in $(seq 1 15); do
            if $(nc -z -w 3 ${{ steps.host.outputs.stdout }} 22); then
              exit 0
            fi
            sleep 10
          done
      - name: Copy Identity File to Host
        if: inputs.action == 'create'
        run: |
          ssh -i deploy_ed25519 -o StrictHostKeyChecking=accept-new noah@${{ steps.host.outputs.stdout }} 'mkdir -pv .ssh'
          scp -i deploy_ed25519 flame_ed25519 noah@${{ steps.host.outputs.stdout }}:~/.ssh/id_ed25519
      # - name: Wipe Records
      #   if: ${{ inputs.action == 'destroy' }}
      #   run: |
      #     RECORD_ID=$(curl --request GET \
      #        --url https://api.cloudflare.com/client/v4/zones/${{ env.CLOUDFLARE_ZONE_ID }}/dns_records \
      #        --header 'Content-Type: application/json' \
      #        --header "Authorization: Bearer ${{ env.CLOUDFLARE_API_TOKEN }}" | jq -r '.result[] | select(.name == "n8n2.${{ env.ZONE_NAME }}") | .id')
      #     curl --request DELETE \
      #        --url https://api.cloudflare.com/client/v4/zones/${{ env.CLOUDFLARE_ZONE_ID }}/dns_records/${RECORD_ID} \
      #        --header 'Content-Type: application/json' \
      #        --header "Authorization: Bearer ${{ env.CLOUDFLARE_API_TOKEN }}"
--- a/README.md
+++ b/README.md
@@ -8,38 +8,38 @@ configuration may be difficult to translate to a non-Nix system.
 ## System Features
-| Feature        | Program                                             | Configuration                                 |
+| Feature        | Program                                             | Configuration                                                                     |
-|----------------|-----------------------------------------------------|-----------------------------------------------|
+|----------------|-----------------------------------------------------|-----------------------------------------------------------------------------------|
-| OS             | [NixOS](https://nixos.org)                          | [Link](./modules/nixos)                       |
+| OS             | [NixOS](https://nixos.org)                          | [Link](./platforms/nixos)                                                         |
-| Display Server | [X11](https://www.x.org/wiki/)                      | [Link](./modules/nixos/graphical/xorg.nix)    |
+| Display Server | [X11](https://www.x.org/wiki/)                      | [Link](./platforms/nixos/modules/nmasur/profiles/gui.nix)                         |
-| Compositor     | [Picom](https://github.com/yshui/picom)             | [Link](./modules/nixos/graphical/picom.nix)   |
+| Compositor     | [Picom](https://github.com/yshui/picom)             | [Link](./platforms/home-manager/modules/nmasur/presets/services/picom.nix)        |
-| Window Manager | [i3](https://i3wm.org/)                             | [Link](./modules/nixos/graphical/i3.nix)      |
+| Window Manager | [i3](https://i3wm.org/)                             | [Link](./platforms/home-manager/modules/nmasur/presets/services/i3.nix)           |
-| Panel          | [Polybar](https://polybar.github.io/)               | [Link](./modules/nixos/graphical/polybar.nix) |
+| Panel          | [Polybar](https://polybar.github.io/)               | [Link](./platforms/home-manager/modules/nmasur/presets/services/polybar.nix)      |
-| Font           | [Victor Mono](https://rubjo.github.io/victor-mono/) | [Link](./modules/nixos/graphical/fonts.nix)   |
+| Font           | [Victor Mono](https://rubjo.github.io/victor-mono/) | [Link](./platforms/home-manager/modules/nmasur/presets/fonts.nix)                 |
-| Launcher       | [Rofi](https://github.com/davatorium/rofi)          | [Link](./modules/nixos/graphical/rofi.nix)    |
+| Launcher       | [Rofi](https://github.com/davatorium/rofi)          | [Link](./platforms/home-manager/modules/nmasur/presets/programs/rofi/default.nix) |
 ## User Features
-| Feature      | Program                                                                          | Configuration                                      |
+| Feature      | Program                                                                          | Configuration                                                                 |
-|--------------|----------------------------------------------------------------------------------|----------------------------------------------------|
+|--------------|----------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
-| Dotfiles     | [Home-Manager](https://github.com/nix-community/home-manager)                    | [Link](./modules/common)                           |
+| Dotfiles     | [Home-Manager](https://github.com/nix-community/home-manager)                    | [Link](./platforms/home-manager)                                              |
-| Terminal     | [Kitty](https://sw.kovidgoyal.net/kitty/)                                        | [Link](./modules/common/applications/kitty.nix)    |
+| Terminal     | [Ghostty](https://sw.kovidgoyal.net/kitty/)                                      | [Link](./platforms/home-manager/modules/nmasur/presets/programs/ghostty.nix)  |
-| Shell        | [Fish](https://fishshell.com/)                                                   | [Link](./modules/common/shell/fish)                |
+| Shell        | [Fish](https://fishshell.com/)                                                   | [Link](./platforms/home-manager/modules/nmasur/presets/programs/fish.nix)     |
-| Shell Prompt | [Starship](https://starship.rs/)                                                 | [Link](./modules/common/shell/starship.nix)        |
+| Shell Prompt | [Starship](https://starship.rs/)                                                 | [Link](./platforms/home-manager/modules/nmasur/presets/programs/starship.nix) |
-| Colorscheme  | [Gruvbox](https://github.com/morhetz/gruvbox)                                    | [Link](./colorscheme/gruvbox/default.nix)          |
+| Colorscheme  | [Gruvbox](https://github.com/morhetz/gruvbox)                                    | [Link](./colorscheme/gruvbox/default.nix)                                     |
-| Wallpaper    | [Road](https://gitlab.com/exorcist365/wallpapers/-/blob/master/gruvbox/road.jpg) | [Link](./hosts/tempest/default.nix)                |
+| Wallpaper    | [Road](https://gitlab.com/exorcist365/wallpapers/-/blob/master/gruvbox/road.jpg) | [Link](./hosts/x86_64-linux/tempest/default.nix)                              |
-| Text Editor  | [Neovim](https://neovim.io/)                                                     | [Link](./modules/common/neovim/config)             |
+| Text Editor  | [Neovim](https://neovim.io/)                                                     | [Link](./pkgs/applications/editors/neovim/nmasur/neovim/package.nix)          |
-| Browser      | [Firefox](https://www.mozilla.org/en-US/firefox/new/)                            | [Link](./modules/common/applications/firefox.nix)  |
+| Browser      | [Firefox](https://www.mozilla.org/en-US/firefox/new/)                            | [Link](./platforms/home-manager/modules/nmasur/presets/programs/firefox.nix)  |
-| E-Mail       | [Aerc](https://aerc-mail.org/)                                                   | [Link](./modules/common/mail/aerc.nix)             |
+| E-Mail       | [Aerc](https://aerc-mail.org/)                                                   | [Link](./platforms/home-manager/modules/nmasur/presets/programs/aerc.nix)     |
-| File Manager | [Nautilus](https://wiki.gnome.org/action/show/Apps/Files)                        | [Link](./modules/common/applications/nautilus.nix) |
+| File Manager | [Nautilus](https://wiki.gnome.org/action/show/Apps/Files)                        | [Link](./platforms/home-manager/modules/nmasur/presets/programs/nautilus.nix) |
-| PDF Reader   | [Zathura](https://pwmt.org/projects/zathura/)                                    | [Link](./modules/common/applications/media.nix)    |
+| PDF Reader   | [Zathura](https://pwmt.org/projects/zathura/)                                    | [Link](./platforms/home-manager/modules/nmasur/presets/programs/zathura.nix)  |
-| Video Player | [mpv](https://mpv.io/)                                                           | [Link](./modules/common/applications/media.nix)    |
+| Video Player | [mpv](https://mpv.io/)                                                           | [Link](./platforms/home-manager/modules/nmasur/presets/programs/mpv.nix)      |
 ## macOS Features
 | Feature  | Program                                     | Configuration                        |
 |----------|---------------------------------------------|--------------------------------------|
-| Keybinds | [Hammerspoon](https://www.hammerspoon.org/) | [Link](./modules/darwin/hammerspoon) |
+| Keybinds | [Hammerspoon](https://www.hammerspoon.org/) | [Link](./platforms/home-manager/modules/nmasur/presets/services/hammerspoon/) |
 # Diagram
@@ -51,15 +51,16 @@ configuration may be difficult to translate to a non-Nix system.
 This repo contains a few more elaborate elements of configuration.
- [Neovim config](./modules/common/neovim/default.nix) generated with Nix2Vim
+- [Neovim config](./pkgs/applications/editors/neovim/nmasur/neovim/package.nix)
-and source-controlled plugins, differing based on installed LSPs, for example.
+generated with Nix2Vim and source-controlled plugins,
- [Caddy JSON](./modules/nixos/services/caddy.nix) file (routes, etc.) based
+differing based on installed LSPs, for example. - [Caddy
-dynamically on enabled services rendered with Nix.
+JSON](./platforms/nixos/modules/nmasur/presets/services/caddy.nix) file (routes,
- [Grafana config](./modules/nixos/services/grafana.nix) rendered with Nix.
+etc.) based dynamically on enabled services rendered with Nix. - [Grafana
- Custom [secrets deployment](./modules/nixos/services/secrets.nix) similar to
+config](./platforms/nixos/modules/nmasur/presets/services/grafana/grafana.nix)
-agenix.
+rendered with Nix. - Custom [secrets
- Base16 [colorschemes](./colorscheme/) applied to multiple applications,
+deployment](./platforms/nixos/modules/secrets.nix) similar to agenix. - Base16
-including Firefox userChrome.
+[colorschemes](./colorscheme/) applied to multiple applications, including
 Firefox userChrome.
 ---
--- a/deploy/oracle/main.tf
+++ b/deploy/oracle/main.tf
@@ -0,0 +1,115 @@
 terraform {
  backend "s3" {
    bucket       = "noahmasur-terraform"
    key          = "flame.tfstate"
    region       = "us-east-1"
    use_lockfile = true
  }
  required_version = ">= 1.0.0"
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = "7.7.0"
    }
  }
 }
 provider "oci" {
  auth         = "APIKey"
  tenancy_ocid = var.compartment_ocid
  user_ocid    = "ocid1.user.oc1..aaaaaaaa6lro2eoxdajjypjysepvzcavq5yn4qyozjyebxdiaoqziribuqba"
  private_key  = var.oci_private_key
  fingerprint  = "dd:d0:da:6d:83:46:8b:b3:d9:45:2b:c7:56:ae:30:94"
  region       = "us-ashburn-1"
 }
 # Get the latest Ubuntu image OCID
 # We'll filter for a recent Ubuntu LTS version (e.g., 22.04 or 24.04) and pick the latest.
 # Note: Image OCIDs are region-specific. This data source helps find the correct one.
 data "oci_core_images" "ubuntu_image" {
  compartment_id   = var.compartment_ocid
  operating_system = "Canonical Ubuntu"
  # Adjust this version if you prefer a different Ubuntu LTS (e.g., "24.04")
  operating_system_version = "24.04"
  shape                    = var.instance_shape # Filter by the shape to ensure compatibility
  sort_by                  = "TIMECREATED"
  sort_order               = "DESC"
 }
 # resource "oci_core_image" "my_custom_image" {
 #   compartment_id = var.compartment_ocid
 #   display_name   = "noah-nixos"
 #   image_source_details {
 #     source_type = "objectStorageTuple" # Use this if specifying namespace, bucket, and object name
 #     # source_type  = "objectStorageUri"  # Use this if you have a pre-authenticated request URL (PAR)
 #     namespace_name = var.object_storage_namespace
 #     bucket_name    = var.object_storage_bucket_name
 #     object_name    = var.object_storage_object_name
 #     source_image_type = "QCOW2" # e.g., "QCOW2", "VMDK"
 #     # These properties help OCI understand how to launch instances from this image
 #     # Adjust based on your custom image's OS and boot mode
 #     operating_system         = "NixOS" # e.g., "CentOS", "Debian", "Windows"
 #     operating_system_version = "25.05" # e.g., "7", "11", "2019"
 #   }
 #   launch_mode = "PARAVIRTUALIZED" # Or "NATIVE", "EMULATED", "CUSTOM"
 #   # Optional: for specific launch options if your image requires them
 #   # launch_options {
 #   #   boot_volume_type = "PARAVIRTUALIZED"
 #   #   firmware         = "UEFI_64" # Or "BIOS"
 #   #   network_type     = "PARAVIRTUALIZED"
 #   # }
 #   # Time out for image import operation. Can take a while for large images.
 #   timeouts {
 #     create = "60m" # Default is 20m, often needs to be increased
 #   }
 # }
 data "oci_identity_availability_domains" "ads" {
  compartment_id = var.compartment_ocid
 }
 resource "oci_core_instance" "my_compute_instance" {
  compartment_id      = var.compartment_ocid
  availability_domain = data.oci_identity_availability_domains.ads.availability_domains[0].name
  shape               = var.instance_shape
  display_name        = var.instance_display_name
  source_details {
    source_type = "image"
    # Use the OCID of the latest Ubuntu image found by the data source
    source_id = data.oci_core_images.ubuntu_image.images[0].id
    # # Use the OCID of the newly imported custom image
    # source_id = oci_core_image.my_custom_image.id
    # Specify the boot volume size
    boot_volume_size_in_gbs = var.boot_volume_size_in_gbs
    boot_volume_vpus_per_gb = 20 # Highest free tier option
  }
  # launch_options {
  #   is_consistent_volume_naming_enabled = true              # Sets boot device path to /dev/oracleoci/oraclevda
  #   network_type                        = "PARAVIRTUALIZED" # I think this is the default?
  # }
  create_vnic_details {
    subnet_id        = oci_core_subnet.my_public_subnet.id # Use the created subnet's ID
    display_name     = "primary_vnic"
    assign_public_ip = true
    hostname_label   = "flame"
  }
  metadata = {
    ssh_authorized_keys = var.ssh_public_key
    user_data           = base64encode(var.cloud_init_script)
  }
  # Optional: For flexible shapes (e.g., VM.Standard.E4.Flex), you might need to specify OCPUs and memory
  shape_config {
    ocpus         = 4
    memory_in_gbs = 24
  }
 }
--- a/deploy/oracle/network.tf
+++ b/deploy/oracle/network.tf
@@ -0,0 +1,126 @@
 resource "oci_core_vcn" "my_vpc" {
  compartment_id = var.compartment_ocid
  display_name   = "main"
  cidr_block     = "10.0.0.0/16"
  is_ipv6enabled = false
  dns_label      = "mainvcn" # Must be unique within your tenancy
 }
 resource "oci_core_internet_gateway" "my_igw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.my_vpc.id
  display_name   = "main-igw"
  enabled        = true
 }
 resource "oci_core_route_table" "my_public_route_table" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.my_vpc.id
  display_name   = "main-public-rt"
  # Default route to the Internet Gateway
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.my_igw.id
  }
 }
 resource "oci_core_security_list" "my_public_security_list" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.my_vpc.id
  display_name   = "main-public-sl"
  # Egress Rules (Allow all outbound traffic)
  egress_security_rules {
    destination      = "0.0.0.0/0"
    destination_type = "CIDR_BLOCK"
    protocol         = "all"
  }
  # Ingress Rules
  ingress_security_rules {
    # SSH (TCP 22)
    protocol    = "6" # TCP
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    tcp_options {
      min = 22
      max = 22
    }
  }
  ingress_security_rules {
    # HTTP (TCP 80)
    protocol    = "6" # TCP
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    tcp_options {
      min = 80
      max = 80
    }
  }
  ingress_security_rules {
    # HTTPS (TCP 443)
    protocol    = "6" # TCP
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    tcp_options {
      min = 443
      max = 443
    }
  }
  ingress_security_rules {
    # Custom Minecraft
    protocol    = "6" # TCP
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    tcp_options {
      min = 49732
      max = 49732
    }
  }
  ingress_security_rules {
    # HTTPS (UDP 443) - For QUIC or specific UDP services
    protocol    = "17" # UDP
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    udp_options {
      min = 443
      max = 443
    }
  }
  ingress_security_rules {
    # ICMP (Ping)
    protocol    = "1" # ICMP
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    icmp_options {
      type = 3 # Destination Unreachable (common for connectivity checks)
      code = 4 # Fragmentation needed
    }
  }
  ingress_security_rules {
    protocol    = "1" # ICMP
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    icmp_options {
      type = 8 # Echo Request (ping)
    }
  }
 }
 resource "oci_core_subnet" "my_public_subnet" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.my_vpc.id
  display_name               = "main-public-subnet"
  cidr_block                 = "10.0.0.0/24"
  prohibit_public_ip_on_vnic = false # Allows instances in this subnet to get public IPs
  route_table_id             = oci_core_route_table.my_public_route_table.id
  security_list_ids          = [oci_core_security_list.my_public_security_list.id]
  dns_label                  = "mainsub" # Must be unique within the VCN
 }
--- a/deploy/oracle/outputs.tf
+++ b/deploy/oracle/outputs.tf
@@ -0,0 +1,19 @@
 output "host_ip" {
  description = "The public IP address of the launched instance."
  value       = oci_core_instance.my_compute_instance.public_ip
 }
 output "instance_id" {
  description = "The OCID of the launched instance."
  value       = oci_core_instance.my_compute_instance.id
 }
 output "vpc_ocid" {
  description = "The OCID of the created VCN."
  value       = oci_core_vcn.my_vpc.id
 }
 output "subnet_ocid" {
  description = "The OCID of the created public subnet."
  value       = oci_core_subnet.my_public_subnet.id
 }
--- a/deploy/oracle/variables.tf
+++ b/deploy/oracle/variables.tf
@@ -0,0 +1,63 @@
 variable "boot_volume_size_in_gbs" {
  description = "The size of the boot volume in GBs."
  type        = number
  default     = 150
 }
 variable "cloud_init_script" {
  description = "A cloud-init script to run on instance launch."
  type        = string
  default     = <<-EOF
              #!/bin/bash
              echo "Hello from cloud-init!" > /home/ubuntu/cloud-init-output.txt
              EOF
 }
 variable "compartment_ocid" {
  description = "The OCID of the compartment where the instance will be created."
  type        = string
  default     = "ocid1.tenancy.oc1..aaaaaaaaudwr2ozedhjnrn76ofjgglgug6gexknjisd7gb7tkj3mjdp763da"
 }
 variable "instance_display_name" {
  description = "A user-friendly name for the instance."
  type        = string
  default     = "noah-nixos"
 }
 variable "instance_shape" {
  description = "The shape of the OCI compute instance."
  type        = string
  default     = "VM.Standard.A1.Flex" # Example shape. Choose one available in your region/AD.
 }
 variable "object_storage_namespace" {
  description = "Your OCI Object Storage namespace (usually your tenancy name)."
  type        = string
  default     = "idptr5akf9pf"
 }
 variable "object_storage_bucket_name" {
  description = "The name of the Object Storage bucket where your custom image is located."
  type        = string
  default     = "noahmasur-images"
 }
 variable "object_storage_object_name" {
  description = "The object name (file name) of your custom image in Object Storage."
  type        = string
  default     = "nixos.qcow2"
 }
 variable "oci_private_key" {
  type        = string
  description = "API private key for Oracle Cloud management"
  sensitive   = true
 }
 variable "ssh_public_key" {
  description = "Your public SSH key content."
  type        = string
  # default     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s personal"
  default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpPU2G9rSF8Q6waH62IJexDCQ6lY+8ZyVufGE3xMDGw actions-deploy"
 }
--- a/flake.lock
+++ b/flake.lock
@@ -22,11 +22,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1742013980,
+        "lastModified": 1755825449,
-        "narHash": "sha256-34YbfwABU5nb0F5eaaJE3ujldaNDhmyxw7CWqhXJV08=",
+        "narHash": "sha256-XkiN4NM9Xdy59h69Pc+Vg4PxkSm9EWl6u7k6D5FZ5cM=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "9175b4bb5f127fb7b5784b14f7e01abff24c378f",
+        "rev": "8df64f819698c1fee0c2969696f54a843b2231e8",
        "type": "github"
      },
      "original": {
@@ -43,11 +43,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1741786315,
+        "lastModified": 1755519972,
-        "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
+        "narHash": "sha256-bU4nqi3IpsUZJeyS8Jk85ytlX61i4b0KCxXX9YcOgVc=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
+        "rev": "4073ff2f481f9ef3501678ff479ed81402caae6d",
        "type": "github"
      },
      "original": {
@@ -76,11 +76,11 @@
    "flake-compat_2": {
      "flake": false,
      "locked": {
-        "lastModified": 1733328505,
+        "lastModified": 1747046372,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@@ -135,11 +135,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1705309234,
+        "lastModified": 1731533236,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -148,6 +148,27 @@
        "type": "github"
      }
    },
    "helix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
        "lastModified": 1755869734,
        "narHash": "sha256-d9hwkPwlpbih4DVbsV0zrK5i2J6cRT7ifrDYK5LZQs8=",
        "owner": "helix-editor",
        "repo": "helix",
        "rev": "22a3b10dd8ab907367ae1fe57d9703e22b30d391",
        "type": "github"
      },
      "original": {
        "owner": "helix-editor",
        "repo": "helix",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -155,11 +176,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1741955947,
+        "lastModified": 1755914636,
-        "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=",
+        "narHash": "sha256-VJ+Gm6YsHlPfUCpmRQxvdiZW7H3YPSrdVOewQHAhZN8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4",
+        "rev": "8b55a6ac58b678199e5bba701aaff69e2b3281c0",
        "type": "github"
      },
      "original": {
@@ -180,11 +201,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1739821351,
+        "lastModified": 1742156590,
-        "narHash": "sha256-QlVtMzAhECs9Esq3txqVW7/vM78ipB5IcI8uyCbTP7A=",
+        "narHash": "sha256-aTM/2CrNN5utdVEQGsOA+kl4UozgH7VPLBQL5OXtBrg=",
        "owner": "hraban",
        "repo": "mac-app-util",
-        "rev": "c00d5b21ca1fdab8acef65e696795f0f15ec1158",
+        "rev": "341ede93f290df7957047682482c298e47291b4d",
        "type": "github"
      },
      "original": {
@@ -193,58 +214,6 @@
        "type": "github"
      }
    },
    "nextcloud-cookbook": {
      "flake": false,
      "locked": {
        "lastModified": 1726214817,
        "narHash": "sha256-Pfa+Xbopg20os+pnGgg+wpEX1MI5fz5JMb0K4a8rBhs=",
        "type": "tarball",
        "url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.2/cookbook-0.11.2.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.2/cookbook-0.11.2.tar.gz"
      }
    },
    "nextcloud-external": {
      "flake": false,
      "locked": {
        "lastModified": 1729501365,
        "narHash": "sha256-OV6HhFBzmnQBO5btGEnqmKlaUMY7/t2Qm3XebclpBlM=",
        "type": "tarball",
        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.5.2/external-v5.5.2.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.5.2/external-v5.5.2.tar.gz"
      }
    },
    "nextcloud-news": {
      "flake": false,
      "locked": {
        "lastModified": 1729667622,
        "narHash": "sha256-pnvyMZQ+NYMgH0Unfh5S19HdZSjnghgoUDAoi2KIXNI=",
        "type": "tarball",
        "url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha12/news.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha12/news.tar.gz"
      }
    },
    "nextcloud-snappymail": {
      "flake": false,
      "locked": {
        "lastModified": 1728502660,
        "narHash": "sha256-oCw6Brs85rINBHvz3UJXheyLVqvA3RgPXG03b30Fx7E=",
        "type": "tarball",
        "url": "https://snappymail.eu/repository/nextcloud/snappymail-2.38.2-nextcloud.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://snappymail.eu/repository/nextcloud/snappymail-2.38.2-nextcloud.tar.gz"
      }
    },
    "nix2vim": {
      "inputs": {
        "flake-utils": "flake-utils_2",
@@ -253,11 +222,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740943170,
+        "lastModified": 1755344765,
-        "narHash": "sha256-A0F7T/euSMen004cVQN/ZkMpLkgLXDs+mq/merhd+0Y=",
+        "narHash": "sha256-k/Cvh/mzb5lSvilKdgwNBCyAyYmD8YPr1nc0sTSgwxI=",
        "owner": "gytis-ivaskevicius",
        "repo": "nix2vim",
-        "rev": "a562f32ff2393d0ed198103c65a3035bcdf83d4d",
+        "rev": "78467c8de07719f92397179844bf75cdf2e58b83",
        "type": "github"
      },
      "original": {
@@ -289,11 +258,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740947705,
+        "lastModified": 1751903740,
-        "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
+        "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
+        "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
        "type": "github"
      },
      "original": {
@@ -304,11 +273,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1742069588,
+        "lastModified": 1755615617,
-        "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
+        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
+        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
        "type": "github"
      },
      "original": {
@@ -334,20 +303,35 @@
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1728538411,
        "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nur": {
      "inputs": {
        "flake-parts": "flake-parts",
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1742145955,
+        "lastModified": 1755918818,
-        "narHash": "sha256-ju1J45e22ebpLH3eSm0ZZYg7WHkN01ryTFv+4UNwCOA=",
+        "narHash": "sha256-a7k/fml8k4CxIcVW26luwqVl3lsRMNXBRCyC8uSF0GA=",
        "owner": "nix-community",
        "repo": "nur",
-        "rev": "d6ba59dd58ebe6c184f955e1d3a4bbca9484c018",
+        "rev": "1a47d83c521c098debd6d1f2c2ae313a5bb729f9",
        "type": "github"
      },
      "original": {
@@ -360,21 +344,58 @@
      "inputs": {
        "darwin": "darwin",
        "disko": "disko",
        "helix": "helix",
        "home-manager": "home-manager",
        "mac-app-util": "mac-app-util",
        "nextcloud-cookbook": "nextcloud-cookbook",
        "nextcloud-external": "nextcloud-external",
        "nextcloud-news": "nextcloud-news",
        "nextcloud-snappymail": "nextcloud-snappymail",
        "nix2vim": "nix2vim",
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable",
        "nur": "nur",
        "wsl": "wsl",
        "zellij-switch": "zellij-switch",
        "zenyd-mpv-scripts": "zenyd-mpv-scripts"
      }
    },
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
          "helix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1740623427,
        "narHash": "sha256-3SdPQrZoa4odlScFDUHd4CUPQ/R1gtH4Mq9u8CBiK8M=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "d342e8b5fd88421ff982f383c853f0fc78a847ab",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "rust-overlay_2": {
      "inputs": {
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1736476219,
        "narHash": "sha256-+qyv3QqdZCdZ3cSO/cbpEY6tntyYjfe1bB12mdpNFaY=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "de30cc5963da22e9742bbbbb9a3344570ed237b9",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1689347925,
@@ -405,24 +426,18 @@
        "type": "github"
      }
    },
-    "treefmt-nix": {
+    "systems_3": {
      "inputs": {
        "nixpkgs": [
          "nur",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1733222881,
+        "lastModified": 1681028828,
-        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "treefmt-nix",
+        "repo": "default",
-        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "treefmt-nix",
+        "repo": "default",
        "type": "github"
      }
    },
@@ -434,11 +449,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1741870048,
+        "lastModified": 1755261305,
-        "narHash": "sha256-odXRdNZGdXg1LmwlAeWL85kgy/FVHsgKlDwrvbR2BsU=",
+        "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=",
        "owner": "nix-community",
        "repo": "NixOS-WSL",
-        "rev": "5d76001e33ee19644a598ad80e7318ab0957b122",
+        "rev": "203a7b463f307c60026136dd1191d9001c43457f",
        "type": "github"
      },
      "original": {
@@ -447,6 +462,28 @@
        "type": "github"
      }
    },
    "zellij-switch": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay_2",
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1742588229,
        "narHash": "sha256-IPg0pBw0ciF+xl6viq3nK+dvZoDZrfBDui7dkPLz258=",
        "owner": "mostafaqanbaryan",
        "repo": "zellij-switch",
        "rev": "0e3c303c19890ccb03589230ac5a7c4307e573e4",
        "type": "github"
      },
      "original": {
        "owner": "mostafaqanbaryan",
        "repo": "zellij-switch",
        "type": "github"
      }
    },
    "zenyd-mpv-scripts": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@@ -64,29 +64,41 @@
      flake = false;
    };
-    # Nextcloud Apps
+    # Zellij Switcher
-    nextcloud-news = {
+    zellij-switch = {
-      # https://github.com/nextcloud/news/releases
+      url = "github:mostafaqanbaryan/zellij-switch";
-      url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha12/news.tar.gz";
+      inputs.nixpkgs.follows = "nixpkgs";
      flake = false;
    };
-    nextcloud-external = {
+
-      # https://github.com/nextcloud-releases/external/releases
+    # Text editor
-      url = "https://github.com/nextcloud-releases/external/releases/download/v5.5.2/external-v5.5.2.tar.gz";
+    helix = {
-      flake = false;
+      url = "github:helix-editor/helix";
-    };
+      inputs.nixpkgs.follows = "nixpkgs";
    nextcloud-cookbook = {
      # https://github.com/christianlupus-nextcloud/cookbook-releases/releases/
      url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.2/cookbook-0.11.2.tar.gz";
      flake = false;
    };
    nextcloud-snappymail = {
      # https://github.com/the-djmaze/snappymail/releases
      # https://snappymail.eu/repository/nextcloud
      url = "https://snappymail.eu/repository/nextcloud/snappymail-2.38.2-nextcloud.tar.gz";
      # url = "https://github.com/nmasur/snappymail-nextcloud/releases/download/v2.36.3/snappymail-2.36.3-nextcloud.tar.gz";
      flake = false;
    };
    # # Nextcloud Apps
    # nextcloud-news = {
    #   # https://github.com/nextcloud/news/releases
    #   url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha12/news.tar.gz";
    #   flake = false;
    # };
    # nextcloud-external = {
    #   # https://github.com/nextcloud-releases/external/releases
    #   url = "https://github.com/nextcloud-releases/external/releases/download/v5.5.2/external-v5.5.2.tar.gz";
    #   flake = false;
    # };
    # nextcloud-cookbook = {
    #   # https://github.com/christianlupus-nextcloud/cookbook-releases/releases/
    #   url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.2/cookbook-0.11.2.tar.gz";
    #   flake = false;
    # };
    # nextcloud-snappymail = {
    #   # https://github.com/the-djmaze/snappymail/releases
    #   # https://snappymail.eu/repository/nextcloud
    #   url = "https://snappymail.eu/repository/nextcloud/snappymail-2.38.2-nextcloud.tar.gz";
    #   # url = "https://github.com/nmasur/snappymail-nextcloud/releases/download/v2.36.3/snappymail-2.36.3-nextcloud.tar.gz";
    #   flake = false;
    # };
  };
  outputs =
@@ -99,6 +111,7 @@
        in
        {
          audiobooks = "read.${baseName}";
          bookmarks = "keep.${baseName}";
          books = "books.${baseName}";
          budget = "money.${baseName}";
          content = "cloud.${baseName}";
@@ -109,12 +122,15 @@
          influxdb = "influxdb.${baseName}";
          irc = "irc.${baseName}";
          mail = "noahmasur.com";
          mathesar = "mathesar.${baseName}";
          metrics = "metrics.${baseName}";
          minecraft = "minecraft.${baseName}";
          n8n = "n8n.${baseName}";
          navidrome = "music.${baseName}";
          notifications = "ntfy.${baseName}";
          paperless = "paper.${baseName}";
          photos = "photos.${baseName}";
          postgresql = "pg.${baseName}";
          prometheus = "prom.${baseName}";
          secrets = "vault.${baseName}";
          smtp = "smtp.purelymail.com";
@@ -127,28 +143,33 @@
    rec {
      lib = import ./lib inputs;
      flattenAttrset = attrs: builtins.foldl' lib.mergeAttrs { } (builtins.attrValues attrs);
-      nixosConfigurations = builtins.mapAttrs (
+      nixosConfigurations = flattenAttrset (
        system: hosts:
        builtins.mapAttrs (
-          name: module:
+          system: hosts:
-          lib.buildNixos {
+          builtins.mapAttrs (
-            inherit system module;
+            name: module:
-            specialArgs = { inherit hostnames; };
+            lib.buildNixos {
-          }
+              inherit system module;
-        ) hosts
+              specialArgs = { inherit hostnames; };
-      ) lib.linuxHosts;
+            }
          ) hosts
        ) lib.linuxHosts
      );
-      darwinConfigurations = builtins.mapAttrs (
+      darwinConfigurations = flattenAttrset (
        system: hosts:
        builtins.mapAttrs (
-          name: module:
+          system: hosts:
-          lib.buildDarwin {
+          builtins.mapAttrs (
-            inherit system module;
+            name: module:
-            specialArgs = { inherit hostnames; };
+            lib.buildDarwin {
-          }
+              inherit system module;
-        ) hosts
+              specialArgs = { inherit hostnames; };
-      ) lib.darwinHosts;
+            }
          ) hosts
        ) lib.darwinHosts
      );
      homeModules = builtins.mapAttrs (
        system: hosts:
@@ -157,16 +178,18 @@
        ) hosts
      ) lib.hosts;
-      homeConfigurations = builtins.mapAttrs (
+      homeConfigurations = flattenAttrset (
        system: hosts:
        builtins.mapAttrs (
-          name: module:
+          system: hosts:
-          lib.buildHome {
+          builtins.mapAttrs (
-            inherit system module;
+            name: module:
-            specialArgs = { inherit hostnames; };
+            lib.buildHome {
-          }
+              inherit system module;
-        ) hosts
+              specialArgs = { inherit hostnames; };
-      ) homeModules;
+            }
          ) hosts
        ) homeModules
      );
      # Disk formatting, only used once
      diskoConfigurations = {
@@ -174,33 +197,48 @@
      };
      generators = builtins.mapAttrs (
        # x86_64-linux = { arrow = ...; swan = ...; }
        system: hosts:
-        builtins.mapAttrs (name: module: {
+        (lib.concatMapAttrs (name: module: {
-          aws = lib.generateImage {
+          "${name}-aws" = lib.generateImage {
            inherit system module;
            format = "amazon";
            specialArgs = { inherit hostnames; };
          };
-          iso = lib.generateImage {
+          "${name}-iso" = lib.generateImage {
            inherit system module;
            format = "iso";
            specialArgs = { inherit hostnames; };
          };
-        }) hosts
+          "${name}-qcow" = lib.generateImage {
-      ) lib.linuxHosts;
+            inherit system module;
            format = "qcow-efi";
            specialArgs = { inherit hostnames; };
            # extraModules = [ "${nixpkgs}/nixos/modules/virtualisation/oci-image.nix" ];
          };
        }) hosts)
      ) lib.linuxHosts # x86_64-linux = { arrow = ...; swan = ...; }
      ;
      # packages =
      #   lib.forSystems lib.linuxSystems (
      #     system: generateImagesForHosts system // lib.pkgsBySystem.${system}.nmasur
      #   )
      #   // lib.forSystems lib.darwinSystems (system: lib.pkgsBySystem.${system}.nmasur);
      packages = lib.forAllSystems (
        system:
-        # Get the configurations that we normally use
+        # Share the custom packages that I have placed under the nmasur namespace
-        {
+        lib.pkgsBySystem.${system}.nmasur
          nixosConfigurations = nixosConfigurations.${system};
          darwinConfigurations = darwinConfigurations.${system};
          homeConfigurations = homeConfigurations.${system};
          generators = generators.${system};
        }
        //
-          # Get the custom packages that I have placed under the nmasur namespace
+          # Share generated images for each relevant host
-          lib.pkgsBySystem.${system}.nmasur
+          (if (lib.hasInfix "linux" system) then generators.${system} else { })
        # //
        #   # Oracle
        #   {
        #     flame-oci = nixosConfigurations.flame.config.system.build.OCIImage;
        #   }
      );
      # Development environments
@@ -245,6 +283,6 @@
      );
      # Templates for starting other projects quickly
-      templates = (import ./templates nixpkgs.lib);
+      templates = (import ./templates { inherit lib; });
    };
 }
--- a/hosts/aarch64-darwin/lookingglass/default.nix
+++ b/hosts/aarch64-darwin/lookingglass/default.nix
@@ -21,6 +21,7 @@ rec {
    nmasur.settings = {
      username = nmasur.settings.username;
      fullName = nmasur.settings.fullName;
      host = "lookingglass";
    };
    nmasur.profiles = {
      common.enable = true;
--- a/hosts/aarch64-linux/flame/default.nix
+++ b/hosts/aarch64-linux/flame/default.nix
@@ -23,30 +23,32 @@ rec {
    nmasur.settings = {
      username = nmasur.settings.username;
      fullName = nmasur.settings.fullName;
      host = networking.hostName;
    };
    nmasur.profiles = {
      common.enable = true;
      linux-base.enable = true;
      power-user.enable = true;
    };
    nmasur.presets.programs.helix.enable = true;
    home.stateVersion = "23.05";
  };
  system.stateVersion = "23.05";
  # File systems must be declared in order to boot
-  # This is the root filesystem containing NixOS
+  # # This is the root filesystem containing NixOS
-  # I forgot to set a clean label for it
+  # # I forgot to set a clean label for it
-  fileSystems."/" = {
+  # fileSystems."/" = {
-    device = "/dev/disk/by-uuid/e1b6bd50-306d-429a-9f45-78f57bc597c3";
+  #   device = "/dev/disk/by-uuid/e1b6bd50-306d-429a-9f45-78f57bc597c3";
-    fsType = "ext4";
+  #   fsType = "ext4";
-  };
+  # };
-  # This is the boot filesystem for systemd-boot
+  # # This is the boot filesystem for systemd-boot
-  fileSystems."/boot" = {
+  # fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/D5CA-237A";
+  #   device = "/dev/disk/by-uuid/D5CA-237A";
-    fsType = "vfat";
+  #   fsType = "vfat";
-  };
+  # };
  # Allows private remote access over the internet
  nmasur.presets.services.cloudflared = {
@@ -56,4 +58,111 @@ rec {
      ca = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK/6oyVqjFGX3Uvrc3VS8J9sphxzAnRzKC85xgkHfYgR3TK6qBGXzHrknEj21xeZrr3G2y1UsGzphWJd9ZfIcdA= open-ssh-ca@cloudflareaccess.org";
    };
  };
  # Taken from https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/oci-common.nix
  # fileSystems."/" = {
  #   device = "/dev/disk/by-label/nixos";
  #   fsType = "ext4";
  #   autoResize = true;
  # };
  # fileSystems."/boot" = {
  #   device = "/dev/disk/by-label/ESP";
  #   fsType = "vfat";
  # };
  boot.loader.efi.canTouchEfiVariables = false;
  boot.loader.grub = {
    device = "nodev";
    splashImage = null;
    extraConfig = ''
      serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
      terminal_input --append serial
      terminal_output --append serial
    '';
    efiInstallAsRemovable = true;
    efiSupport = true;
  };
  boot.loader.systemd-boot.enable = false;
  # https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/configuringntpservice.htm#Configuring_the_Oracle_Cloud_Infrastructure_NTP_Service_for_an_Instance
  networking.timeServers = [ "169.254.169.254" ];
  boot.growPartition = true;
  boot.kernelParams = [
    "net.ifnames=0"
    "nvme.shutdown_timeout=10"
    "nvme_core.shutdown_timeout=10"
    "libiscsi.debug_libiscsi_eh=1"
    "crash_kexec_post_notifiers"
    # aarch64-linux
    "console=ttyAMA0,115200n8"
    # VNC console
    "console=tty1"
  ];
  boot.initrd.availableKernelModules = [
    "virtio_net"
    "virtio_pci"
    "virtio_mmio"
    "virtio_blk"
    "virtio_scsi"
    "9p"
    "9pnet_virtio"
  ];
  boot.initrd.kernelModules = [
    "virtio_balloon"
    "virtio_console"
    "virtio_rng"
    "virtio_gpu"
  ];
  networking.useDHCP = true;
  # networking = {
  #   defaultGateway = "10.0.0.1";
  #   interfaces.eth0 = {
  #     ipAddress = throw "set your own";
  #     prefixLength = 24;
  #   };
  # };
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        # device = "/dev/oracleoci/oraclevda"; # Consistent volume naming
        device = "/dev/sda"; # Consistent volume naming
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
              };
            };
            root = {
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
              };
            };
          };
        };
      };
    };
  };
  # # Otherwise the instance may not have a working network-online.target,
  # # making the fetch-ssh-keys.service fail
  # networking.useNetworkd = true;
 }
--- a/hosts/x86_64-darwin/readme.md
+++ b/hosts/x86_64-darwin/readme.md
@@ -0,0 +1 @@
 # No x86 Darwin Hosts Currently
--- a/hosts/x86_64-linux/arrow/default.nix
+++ b/hosts/x86_64-linux/arrow/default.nix
@@ -19,6 +19,7 @@ rec {
    nmasur.settings = {
      username = nmasur.settings.username;
      fullName = nmasur.settings.fullName;
      host = networking.hostName;
    };
    nmasur.profiles = {
      common.enable = true;
@@ -29,4 +30,18 @@ rec {
  system.stateVersion = "23.05";
  # These filesystems are ignored by nixos-generators
  # This is the root filesystem containing NixOS
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    fsType = "ext4";
  };
  # This is the boot filesystem for Grub
  fileSystems."/boot" = {
    device = "/dev/disk/by-label/boot";
    fsType = "vfat";
  };
 }
--- a/hosts/x86_64-linux/hydra/default.nix
+++ b/hosts/x86_64-linux/hydra/default.nix
@@ -19,6 +19,7 @@ rec {
    nmasur.settings = {
      username = nmasur.settings.username;
      fullName = nmasur.settings.fullName;
      host = networking.hostName;
    };
    nmasur.profiles = {
      common.enable = true;
@@ -30,4 +31,24 @@ rec {
  system.stateVersion = "23.05";
  # This is the root filesystem containing NixOS
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    fsType = "ext4";
  };
  # This is the boot filesystem for Grub
  fileSystems."/boot" = {
    device = "/dev/disk/by-label/boot";
    fsType = "vfat";
  };
  # Not sure what's necessary but too afraid to remove anything
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ahci"
    "nvme"
    "usb_storage"
    "sd_mod"
  ];
 }
--- a/hosts/x86_64-linux/staff/default.nix
+++ b/hosts/x86_64-linux/staff/default.nix
@@ -23,6 +23,7 @@ rec {
    nmasur.settings = {
      username = nmasur.settings.username;
      fullName = nmasur.settings.fullName;
      host = networking.hostName;
    };
    nmasur.profiles = {
      common.enable = true;
@@ -41,6 +42,9 @@ rec {
  # Not sure what's necessary but too afraid to remove anything
  # File systems must be declared in order to boot
  # Required to have a boot loader to work
  boot.loader.systemd-boot.enable = true;
  # This is the root filesystem containing NixOS
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
--- a/hosts/x86_64-linux/swan/default.nix
+++ b/hosts/x86_64-linux/swan/default.nix
@@ -21,10 +21,12 @@ rec {
    nmasur.settings = {
      username = nmasur.settings.username;
      fullName = nmasur.settings.fullName;
      host = networking.hostName;
    };
    nmasur.profiles = {
      common.enable = true;
      linux-base.enable = true;
      power-user.enable = true;
    };
    home.stateVersion = "23.05";
  };
--- a/hosts/x86_64-linux/tempest/default.nix
+++ b/hosts/x86_64-linux/tempest/default.nix
@@ -23,6 +23,7 @@ rec {
    nmasur.settings = {
      username = nmasur.settings.username;
      fullName = nmasur.settings.fullName;
      host = networking.hostName;
    };
    nmasur.profiles = {
      common.enable = true;
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -66,6 +66,8 @@ lib
  overlays = [
    inputs.nur.overlays.default
    inputs.nix2vim.overlay
    inputs.zellij-switch.overlays.default
    inputs.helix.overlays.default
  ] ++ (importOverlays ../overlays);
  # System types to support.
@@ -186,7 +188,15 @@ lib
    amazon = {
      aws.enable = true;
    };
-    iso = { };
+    iso = {
      nmasur.profiles.wsl.enable = lib.mkForce false;
      boot.loader.grub.enable = lib.mkForce false;
    };
    qcow-efi = {
      nmasur.profiles.wsl.enable = lib.mkForce false;
      boot.loader.grub.enable = lib.mkForce false;
      fileSystems."/boot".device = lib.mkForce "/dev/disk/by-label/ESP";
    };
  };
  generateImage =
@@ -198,6 +208,7 @@ lib
    }:
    inputs.nixos-generators.nixosGenerate {
      inherit system format;
      pkgs = pkgsBySystem.${system};
      modules = [
        inputs.home-manager.nixosModules.home-manager
        inputs.disko.nixosModules.disko
--- a/modules/common/shell/work.nix
+++ b/modules/common/shell/work.nix
@@ -0,0 +1,67 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 {
  home-manager.users.${config.user} = lib.mkIf pkgs.stdenv.isDarwin {
    home.packages =
      let
        ldap_scheme = "ldaps";
        magic_prefix = "take";
        ldap_port = 3269;
        jq_parse = pkgs.writeShellScriptBin "ljq" ''
          jq --slurp \
            --raw-input 'split("\n\n")|map(split("\n")|map(select(.[0:1]!="#" and length>0)) |select(length > 0)|map(capture("^(?<key>[^:]*:?): *(?<value>.*)") |if .key[-1:.key|length] == ":" then .key=.key[0:-1]|.value=(.value|@base64d) else . end)| group_by(.key) | map({key:.[0].key,value:(if .|length > 1 then [.[].value] else .[].value end)}) | from_entries)' | jq -r 'del(.[].thumbnailPhoto)'
        '';
        ldap_script = pkgs.writeShellScriptBin "ldap" ''
          if ! [ "$LDAP_HOST" ]; then
              echo "No LDAP_HOST specified!"
              exit 1
          fi
          SEARCH_FILTER="$@"
          ldapsearch -LLL \
              -B -o ldif-wrap=no \
              -E pr=5000/prompt \
              -H "${ldap_scheme}://''${LDAP_HOST}:${builtins.toString ldap_port}" \
              -D "${pkgs.lib.toUpper magic_prefix}2\\${pkgs.lib.toLower config.user}" \
              -w "$(${pkgs._1password-cli}/bin/op item get T2 --fields label=password --reveal)" \
              -b "dc=''${LDAP_HOST//./,dc=}" \
              -s "sub" -x "(cn=''${SEARCH_FILTER})" \
              | ${jq_parse}/bin/ljq
        '';
        ldapm_script = pkgs.writeShellScriptBin "ldapm" ''
          if ! [ "$LDAP_HOST" ]; then
              echo "No LDAP_HOST specified!"
              exit 1
          fi
          ${ldap_script}/bin/ldap "$@" | jq '[ .[].memberOf] | add'
        '';
        ldapg_script = pkgs.writeShellScriptBin "ldapg" ''
          if ! [ "$LDAP_HOST" ]; then
              echo "No LDAP_HOST specified!"
              exit 1
          fi
          ${ldap_script}/bin/ldap "$@" | jq '[ .[].member] | add'
        '';
        ldapl_script = pkgs.writeShellScriptBin "ldapl" ''
          if ! [ "$LDAP_HOST" ]; then
              echo "No LDAP_HOST specified!"
              exit 1
          fi
          ${ldap_script}/bin/ldap "*$@*" | jq -r '.[].name'
        '';
      in
      [
        ldap_script
        ldapm_script
        ldapg_script
        ldapl_script
        jq_parse
      ];
  };
 }
--- a/modules/darwin/homebrew.nix
+++ b/modules/darwin/homebrew.nix
@@ -0,0 +1,56 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 {
  # Homebrew - Mac-specific packages that aren't in Nix
  config = lib.mkIf pkgs.stdenv.isDarwin {
    # # Requires Homebrew to be installed
    system.activationScripts.preActivation.text = ''
      if ! xcode-select --version 2>/dev/null; then
        $DRY_RUN_CMD xcode-select --install
      fi
      if ! /opt/homebrew/bin/brew --version 2>/dev/null; then
        $DRY_RUN_CMD /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
      fi
    '';
    # Add homebrew paths to CLI path
    home-manager.users.${config.user}.home.sessionPath = [
      "/opt/homebrew/bin/"
      "/opt/homebrew/opt/trash/bin/"
    ];
    homebrew = {
      enable = true;
      onActivation = {
        autoUpdate = false; # Don't update during rebuild
        cleanup = "zap"; # Uninstall all programs not declared
        upgrade = true;
      };
      global = {
        brewfile = true; # Run brew bundle from anywhere
        lockfiles = false; # Don't save lockfile (since running from anywhere)
      };
      brews = [
        "trash" # Delete files and folders to trash instead of rm
      ];
      casks = [
        "1password" # 1Password will not launch from Nix on macOS
        # "gitify" # Git notifications in menu bar (downgrade manually from 4.6.1)
        "keybase" # GUI on Nix not available for macOS
        # "logitech-g-hub" # Mouse and keyboard management
        "logitune" # Logitech webcam firmware
        "meetingbar" # Show meetings in menu bar
        "scroll-reverser" # Different scroll style for mouse vs. trackpad
        "notunes" # Don't launch Apple Music with the play button
        "steam" # Not packaged for Nixon macOS
        "epic-games" # Not packaged for Nix
      ];
    };
  };
 }
--- a/pkgs/applications/editors/neovim/nmasur/neovim/config/colors.nix
+++ b/pkgs/applications/editors/neovim/nmasur/neovim/config/colors.nix
@@ -9,7 +9,7 @@
  # Sets Neovim colors based on Nix colorscheme
  options.colors = lib.mkOption {
-    type = lib.types.attrsOf lib.types.str;
+    type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
    description = "Attrset of base16 colorscheme key value pairs.";
    default = {
      # Nord
@@ -32,7 +32,7 @@
    };
  };
-  config = {
+  config = lib.mkIf (config.colors != null) {
    plugins = [ pkgs.vimPlugins.base16-nvim ];
    setup.base16-colorscheme = config.colors;
--- a/pkgs/applications/editors/neovim/nmasur/neovim/config/lsp.nix
+++ b/pkgs/applications/editors/neovim/nmasur/neovim/config/lsp.nix
@@ -8,9 +8,9 @@
 {
  # Terraform optional because non-free
-  options.terraform = lib.mkEnableOption "Whether to enable Terraform LSP";
+  options.enableTerraform = lib.mkEnableOption "Whether to enable Terraform LSP";
-  options.github = lib.mkEnableOption "Whether to enable GitHub features";
+  options.enableGithub = lib.mkEnableOption "Whether to enable GitHub features";
-  options.kubernetes = lib.mkEnableOption "Whether to enable Kubernetes features";
+  options.enableKubernetes = lib.mkEnableOption "Whether to enable Kubernetes features";
  config = {
    plugins = [
@@ -54,7 +54,7 @@
    use.lspconfig.terraformls.setup = dsl.callWith {
      cmd =
-        if config.terraform then
+        if config.enableTerraform then
          [
            "${pkgs.terraform-ls}/bin/terraform-ls"
            "serve"
@@ -93,7 +93,7 @@
        nix = [ "nixfmt" ];
        rust = [ "rustfmt" ];
        sh = [ "shfmt" ];
-        terraform = if config.terraform then [ "terraform_fmt" ] else [ ];
+        terraform = if config.enableTerraform then [ "terraform_fmt" ] else [ ];
        hcl = [ "hcl" ];
      };
      formatters = {
@@ -110,7 +110,7 @@
            "-ci"
          ];
        };
-        terraform_fmt.command = if config.terraform then "${pkgs.terraform}/bin/terraform" else "";
+        terraform_fmt.command = if config.enableTerraform then "${pkgs.terraform}/bin/terraform" else "";
        hcl.command = "${pkgs.hclfmt}/bin/hclfmt";
      };
    };
--- a/pkgs/applications/editors/neovim/nmasur/neovim/config/toggleterm.nix
+++ b/pkgs/applications/editors/neovim/nmasur/neovim/config/toggleterm.nix
@@ -18,7 +18,7 @@
  lua = ''
    ${builtins.readFile ./toggleterm.lua}
-    ${if config.github then (builtins.readFile ./github.lua) else ""}
+    ${if config.enableGithub then (builtins.readFile ./github.lua) else ""}
-    ${if config.kubernetes then (builtins.readFile ./kubernetes.lua) else ""}
+    ${if config.enableKubernetes then (builtins.readFile ./kubernetes.lua) else ""}
  '';
 }
--- a/pkgs/applications/editors/neovim/nmasur/neovim/package.nix
+++ b/pkgs/applications/editors/neovim/nmasur/neovim/package.nix
@@ -29,9 +29,9 @@
 {
  pkgs,
  colors ? null,
-  terraform ? false,
+  enableTerraform ? false,
-  github ? false,
+  enableGithub ? false,
-  kubernetes ? false,
+  enableKubernetes ? false,
  ...
 }:
@@ -41,9 +41,9 @@ pkgs.neovimBuilder {
  package = pkgs.neovim-unwrapped;
  inherit
    colors
-    terraform
+    enableTerraform
-    github
+    enableGithub
-    kubernetes
+    enableKubernetes
    ;
  imports = [
    ./config/align.nix
--- a/pkgs/mathesar/package.nix
+++ b/pkgs/mathesar/package.nix
@@ -0,0 +1,295 @@
 {
  runtimeShell,
  python313,
  python313Packages,
  fetchFromGitHub,
  fetchPypi,
  fetchurl,
  gettext,
  unzip,
  ...
 }:
 let
  django-modern-rpc = python313Packages.buildPythonPackage rec {
    pname = "django_modern_rpc";
    version = "1.1.0";
    src = fetchPypi {
      inherit pname version;
      hash = "sha256-+LBIfkBxe9lvfZIqPI2lFSshTZBL1NpmCWBAgToyJns=";
    };
    doCheck = false;
    pyproject = true;
    build-system = [
      python313Packages.setuptools
      python313Packages.wheel
      python313Packages.poetry-core
    ];
  };
  django-property-filter = python313Packages.buildPythonPackage rec {
    pname = "django_property_filter";
    version = "1.3.0";
    src = fetchPypi {
      inherit pname version;
      hash = "sha256-dpsF4hm0S4lQ6tIRJ0bXgPjWTr1fq1NSCZP0M6L4Efk=";
    };
    doCheck = false;
    pyproject = true;
    build-system = [
      python313Packages.setuptools
      python313Packages.wheel
      python313Packages.django
      python313Packages.django-filter
    ];
  };
  django-fernet-encrypted-fields = python313Packages.buildPythonPackage rec {
    pname = "django-fernet-encrypted-fields";
    version = "0.3.0";
    src = fetchPypi {
      inherit pname version;
      hash = "sha256-OAMb2vFySm6IXuE3zGaivX3DcmxDjhiep+RHmewLqbM=";
    };
    doCheck = false;
    pyproject = true;
    build-system = [
      python313Packages.setuptools
      python313Packages.wheel
    ];
    propagatedBuildInputs = with python313Packages; [
      django
      cryptography
    ];
  };
  drf-access-policy = python313Packages.buildPythonPackage rec {
    pname = "drf-access-policy";
    version = "1.5.0";
    src = fetchPypi {
      inherit pname version;
      hash = "sha256-EsahQYIgjUBUSi/W8GXbc7pvYLPRJ6kpJg6A3RkrjL8=";
    };
    doCheck = false;
    pyproject = true;
    build-system = [
      python313Packages.setuptools
      python313Packages.wheel
    ];
    propagatedBuildInputs = with python313Packages; [
      pyparsing
      djangorestframework
    ];
  };
  pythonPkg = python313.override {
    self = python313;
    packageOverrides = pyfinal: pyprev: {
      inherit
        django-modern-rpc
        django-property-filter
        django-fernet-encrypted-fields
        drf-access-policy
        # psycopg-binary
        ;
    };
  };
  python = pythonPkg.withPackages (
    ps: with ps; [
      gunicorn
      django
      clevercsv
      django
      dj-database-url
      django-filter
      django-modern-rpc
      django-property-filter
      djangorestframework
      django-fernet-encrypted-fields
      drf-access-policy
      frozendict
      gunicorn
      psycopg
      # psycopg-binary
      psycopg2-binary
      requests
      sqlalchemy
      whitenoise
    ]
  );
  staticAssets = fetchurl {
    url = "https://github.com/mathesar-foundation/mathesar/releases/download/0.2.2/static_files.zip";
    sha256 = "sha256-1X2zFpCSwilUxhqHlCw/tg8C5zVcVL6CxDa9yh0ylGA=";
  };
 in
 python313Packages.buildPythonApplication rec {
  pname = "mathesar";
  version = "0.2.2";
  src = fetchFromGitHub {
    owner = "mathesar-foundation";
    repo = "mathesar";
    rev = version;
    sha256 = "sha256-LHxFJpPV0GJfokSPzfZQO44bBg/+QjXsk04Ry9uhUAs=";
  };
  format = "other";
  nativeBuildInputs = [ unzip ];
  propagatedBuildInputs = [
    python.pkgs.gunicorn
    python.pkgs.django
  ];
  buildInputs = [
    gettext
  ];
  dependencies = [
    pythonPkg.pkgs.clevercsv
    pythonPkg.pkgs.django
    pythonPkg.pkgs.dj-database-url
    pythonPkg.pkgs.django-filter
    pythonPkg.pkgs.django-modern-rpc
    pythonPkg.pkgs.django-property-filter
    pythonPkg.pkgs.djangorestframework
    pythonPkg.pkgs.django-fernet-encrypted-fields
    pythonPkg.pkgs.drf-access-policy
    pythonPkg.pkgs.frozendict
    pythonPkg.pkgs.gunicorn
    pythonPkg.pkgs.psycopg
    pythonPkg.pkgs.psycopg2-binary
    pythonPkg.pkgs.requests
    pythonPkg.pkgs.sqlalchemy
    pythonPkg.pkgs.whitenoise
  ];
  # Manually unzip the extra zip file into a temporary directory
  postUnpack = ''
    mkdir -p $TMPDIR/unzipped
    unzip ${staticAssets} -d $TMPDIR/unzipped
  '';
  # Override the default build phase to prevent it from looking for setup.py
  # Add any non-Python build commands here if needed (e.g., building frontend assets)
  buildPhase = ''
    runHook preBuild
    echo "Skipping standard Python build phase; application files copied in installPhase."
    # If you had frontend assets to build, you'd run the command here, e.g.:
    # npm install
    # npm run build
    runHook postBuild
  '';
  # This copies the application code into the Nix store output
  installPhase = ''
    runHook preInstall
    # Destination: python's site-packages directory within $out
    # This makes 'import mathesar', 'import db', etc. work more easily.
    INSTALL_PATH="$out/lib/${python.libPrefix}/site-packages/${pname}"
    mkdir -p "$INSTALL_PATH"
    echo "Copying application code to $INSTALL_PATH"
    # Copy all essential source directories needed at runtime
    # Adjust this list based on mathesar's actual structure and runtime needs!
    cp -r mathesar "$INSTALL_PATH/"
    cp -r db "$INSTALL_PATH/"
    cp -r config "$INSTALL_PATH/"
    cp -r translations "$INSTALL_PATH/"
    cp -r mathesar_ui "$INSTALL_PATH/" # If needed
    # Copy the management script
    cp manage.py "$INSTALL_PATH/"
    # Copy assets from unzipped directory
    mkdir -p "$INSTALL_PATH/mathesar/static/mathesar"
    cp -r $TMPDIR/unzipped/static_files/* "$INSTALL_PATH/mathesar/static/mathesar"
    # Create wrapper scripts in $out/bin for easy execution
    mkdir -p $out/bin
    # Wrapper for manage.py
    # It ensures the app code is in PYTHONPATH and runs manage.py
    echo "Creating manage.py wrapper..."
    cat <<EOF > $out/bin/mathesar-manage
    #!${python.interpreter}
    import os
    import sys
    # Add the installation path to the Python path
    sys.path.insert(0, "$INSTALL_PATH")
    # Set DJANGO_SETTINGS_MODULE environment variable if required by mathesar
    # You might need to adjust 'config.settings.production' to the actual settings file used
    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'config.settings.production')
    # Change directory to where manage.py is, if necessary for relative paths
    # os.chdir("$INSTALL_PATH")
    print(f"Running manage.py from: $INSTALL_PATH/manage.py")
    print(f"Python path includes: $INSTALL_PATH")
    print(f"Executing with args: {sys.argv[1:]}")
    # Find manage.py and execute it
    manage_py_path = os.path.join("$INSTALL_PATH", "manage.py")
    if not os.path.exists(manage_py_path):
        print(f"Error: manage.py not found at {manage_py_path}", file=sys.stderr)
        sys.exit(1)
    # Prepare arguments for execute_from_command_line
    # The first argument should be the script name itself
    argv = [manage_py_path] + sys.argv[1:]
    try:
        from django.core.management import execute_from_command_line
        execute_from_command_line(argv)
    except Exception as e:
        print(f"Error executing manage.py: {e}", file=sys.stderr)
        # Optionally re-raise or exit with error
        import traceback
        traceback.print_exc()
        sys.exit(1)
    EOF
    chmod +x $out/bin/mathesar-manage
    # Wrapper for install
    echo "Creating install wrapper..."
    cat <<EOF > $out/bin/mathesar-install
    #!${runtimeShell}
    # Add the app to the Python Path
    export PYTHONPATH="$INSTALL_PATH:\${"PYTHONPATH:-"}"
    # Set Django settings module if needed
    export DJANGO_SETTINGS_MODULE='config.settings.production'
    # Change to the app directory
    cd "$INSTALL_PATH"
    ${python}/bin/python -m mathesar.install
    EOF
    chmod +x $out/bin/mathesar-install
    # Wrapper for gunicorn (example)
    # Assumes mathesar uses a standard wsgi entry point, e.g., config/wsgi.py
    # Adjust 'config.wsgi:application' if necessary
    echo "Creating gunicorn wrapper..."
    cat <<EOF > $out/bin/mathesar-gunicorn
    #!${runtimeShell}
    # Add the app to the Python Path
    export PYTHONPATH="$INSTALL_PATH:\${"PYTHONPATH:-"}"
    # Set Django settings module if needed
    export DJANGO_SETTINGS_MODULE='config.settings.production'
    # Change to the app directory if gunicorn needs it
    # cd "$INSTALL_PATH"
    # Execute gunicorn, passing along any arguments
    # Ensure the gunicorn package is in propagatedBuildInputs
    exec ${python}/bin/gunicorn config.wsgi:application "\$@"
    EOF
    chmod +x $out/bin/mathesar-gunicorn
    runHook postInstall
  '';
 }
--- a/pkgs/misc/bypass-paywalls-clean/package.nix
+++ b/pkgs/misc/bypass-paywalls-clean/package.nix
@@ -5,11 +5,11 @@
 pkgs.stdenv.mkDerivation rec {
  pname = "bypass-paywalls-clean";
-  version = "4.0.6.1";
+  version = "4.1.1.4";
  src = builtins.fetchGit {
-    url = "https://gitflic.ru/project/magnolia1234/bpc_uploads.git";
+    url = "https://git.masu.rs/noah/bpc-uploads.git";
    ref = "main";
-    rev = "85a367220f5ae2181354f65fb1093e2f1ac9e417";
+    rev = "9166b13355721b047878f259e04c2e9b476b4210";
  };
  preferLocalBuild = true;
  allowSubstitutes = true;
--- a/pkgs/prometheus-actual-exporter/package.nix
+++ b/pkgs/prometheus-actual-exporter/package.nix
@@ -0,0 +1,91 @@
 {
  lib,
  fetchFromGitHub,
  nodejs_20,
  buildNpmPackage,
  nodePackages,
  python3,
  gcc,
  gnumake,
 }:
 let
 in
 buildNpmPackage (finalAttrs: rec {
  pname = "prometheus-actual-exporter";
  version = "1.1.5";
  src = fetchFromGitHub {
    owner = "sakowicz";
    repo = "actual-budget-prometheus-exporter";
    tag = version;
    hash = "sha256-DAmWr1HngxAjhOJW9OnMfDqpxBcZT+Tpew/w/YYJIYU=";
  };
  patches = [ ./tsconfig.patch ];
  npmDepsHash = "sha256-N8xqRYFelolNGTEhG22M7KJ7B5U/uW7o+/XfLF8rHMg=";
  nativeBuildInputs = [
    nodejs_20
    nodePackages.typescript
    python3
    nodePackages.node-gyp
    gcc
    gnumake
  ];
  postPatch = ''
    echo "Removing better-sqlite3 install script before npm install"
    sed -i '/"install"/d' node_modules/better-sqlite3/package.json || true
    sed -i '/"install"/d' package.json || true
  '';
  preBuild = ''
    echo "Disabling prebuilt install script from better-sqlite3"
    find node_modules/better-sqlite3 -name package.json -exec sed -i '/"install"/d' {} +
    rm -f node_modules/better-sqlite3/build/Release/better_sqlite3.node || true
  '';
  buildPhase = ''
    # export npm_config_build_from_source=true
    # export npm_config_unsafe_perm=true
    # export BINARY_SITE=none
    # export PATH=${nodePackages.node-gyp}/bin:$PATH
    # export npm_config_node_gyp=${nodePackages.node-gyp}/bin/node-gyp
    # npm rebuild better-sqlite3 --build-from-source --verbose
    npm run build
  '';
  installPhase = ''
    mkdir -p $out/{bin,lib}
    cp -r . $out/lib/prometheus-actual-exporter
    makeWrapper ${lib.getExe nodejs_20} $out/bin/prometheus-actual-exporter \
      --add-flags "$out/lib/prometheus-actual-exporter/dist/app.js"
  '';
  postInstall = ''
    echo "Removing prebuilt .node and rebuilding better-sqlite3"
    export npm_config_build_from_source=true
    export npm_config_unsafe_perm=true
    export BINARY_SITE=none
    export PATH=${nodePackages.node-gyp}/bin:$PATH
    export npm_config_node_gyp=${nodePackages.node-gyp}/bin/node-gyp
    sed -i '/"install"/d' node_modules/better-sqlite3/package.json
    rm -f node_modules/better-sqlite3/build/Release/better_sqlite3.node || true
    npm rebuild better-sqlite3 --build-from-source --verbose
  '';
  meta = {
    description = "Prometheus exporter for Actual Budget";
    homepage = "https://github.com/sakowicz/actual-budget-prometheus-exporter";
    mainProgram = "prometheus-actual-exporter";
  };
 })
--- a/pkgs/prometheus-actual-exporter/tsconfig.patch
+++ b/pkgs/prometheus-actual-exporter/tsconfig.patch
@@ -0,0 +1,12 @@
 diff --git a/tsconfig.json b/tsconfig.json
 index 5106135..3a340f6 100644
 --- a/tsconfig.json
 +++ b/tsconfig.json
@@ -8,5 +8,6 @@
     "skipLibCheck": true,
     "lib": ["es2020"],
     "outDir": "./dist"
 -  }
 +  },
 +  "include": ["src/**/*", "app.ts"]
 }
--- a/pkgs/slsk-batchdl/nuget-deps.nix
+++ b/pkgs/slsk-batchdl/nuget-deps.nix
@@ -0,0 +1,248 @@
 { fetchNuGet }:
 [
  (fetchNuGet {
    pname = "AngleSharp";
    version = "1.2.0";
    hash = "sha256-l8+Var9o773VL6Ybih3boaFf9sYjS7eqtLGd8DCIPsk=";
  })
  (fetchNuGet {
    pname = "EmbedIO";
    version = "3.5.2";
    hash = "sha256-e6GfVHXxYeUw3ntCrHokNoAS6mXArO7+vdMeUFnsSo8=";
  })
  (fetchNuGet {
    pname = "Goblinfactory.ProgressBar";
    version = "1.0.0";
    hash = "sha256-tV3Fw792zfYhB2dN97VKXBwS5eypqKExgAJy+bcDo8I=";
  })
  (fetchNuGet {
    pname = "Google.Apis";
    version = "1.69.0";
    hash = "sha256-/9JN0CZIFZnmGS69ki38RlNzQiwp4yO0MFDeRk1slsg=";
  })
  (fetchNuGet {
    pname = "Google.Apis.Auth";
    version = "1.69.0";
    hash = "sha256-T6n3hc+KpgHNqQQeJLOmgHQWkjBvnhIob5giHabREV8=";
  })
  (fetchNuGet {
    pname = "Google.Apis.Core";
    version = "1.69.0";
    hash = "sha256-IW1AOY8o6hHkrc/tINsS/VCOUrOSoXb6OCSEF6gamkc=";
  })
  (fetchNuGet {
    pname = "Google.Apis.YouTube.v3";
    version = "1.69.0.3680";
    hash = "sha256-3aNScBqmchnDkLejK5HYHiLVVDexrFUtZ6xe8cGP28M=";
  })
  (fetchNuGet {
    pname = "HtmlAgilityPack";
    version = "1.11.72";
    hash = "sha256-MRt7yj6+/ORmr2WBERpQ+1gMRzIaPFKddHoB4zZmv2k=";
  })
  (fetchNuGet {
    pname = "Microsoft.ApplicationInsights";
    version = "2.22.0";
    hash = "sha256-mUQ63atpT00r49ca50uZu2YCiLg3yd6r3HzTryqcuEA=";
  })
  (fetchNuGet {
    pname = "Microsoft.AspNetCore.App.Ref";
    version = "6.0.36";
    hash = "sha256-9jDkWbjw/nd8yqdzVTagCuqr6owJ/DUMi4BlUZT4hWU=";
  })
  (fetchNuGet {
    pname = "Microsoft.Bcl.AsyncInterfaces";
    version = "9.0.1";
    hash = "sha256-A3W2Hvhlf1ODx1NYWHwUyziZOGMaDPvXHZ/ubgNLYJA=";
  })
  (fetchNuGet {
    pname = "Microsoft.CodeCoverage";
    version = "17.9.0";
    hash = "sha256-OaGa4+jRPHs+T+p/oekm2Miluqfd2IX8Rt+BmUx8kr4=";
  })
  (fetchNuGet {
    pname = "Microsoft.CSharp";
    version = "4.7.0";
    hash = "sha256-Enknv2RsFF68lEPdrf5M+BpV1kHoLTVRApKUwuk/pj0=";
  })
  (fetchNuGet {
    pname = "Microsoft.NET.Test.Sdk";
    version = "17.9.0";
    hash = "sha256-q/1AJ7eNlk02wvN76qvjl2xBx5iJ+h5ssiE/4akLmtI=";
  })
  (fetchNuGet {
    pname = "Microsoft.NETCore.App.Host.linux-x64";
    version = "6.0.36";
    hash = "sha256-VFRDzx7LJuvI5yzKdGmw/31NYVbwHWPKQvueQt5xc10=";
  })
  (fetchNuGet {
    pname = "Microsoft.NETCore.App.Ref";
    version = "6.0.36";
    hash = "sha256-9LZgVoIFF8qNyUu8kdJrYGLutMF/cL2K82HN2ywwlx8=";
  })
  (fetchNuGet {
    pname = "Microsoft.Testing.Extensions.Telemetry";
    version = "1.5.3";
    hash = "sha256-bIXwPSa3jkr2b6xINOqMUs6/uj/r4oVFM7xq3uVIZDU=";
  })
  (fetchNuGet {
    pname = "Microsoft.Testing.Extensions.TrxReport.Abstractions";
    version = "1.5.3";
    hash = "sha256-IfMRfcyaIKEMRtx326ICKtinDBEfGw/Sv8ZHawJ96Yc=";
  })
  (fetchNuGet {
    pname = "Microsoft.Testing.Extensions.VSTestBridge";
    version = "1.5.3";
    hash = "sha256-XpM/yFjhLSsuzyDV+xKubs4V1zVVYiV05E0+N4S1h0g=";
  })
  (fetchNuGet {
    pname = "Microsoft.Testing.Platform";
    version = "1.5.3";
    hash = "sha256-y61Iih6w5D79dmrj2V675mcaeIiHoj1HSa1FRit2BLM=";
  })
  (fetchNuGet {
    pname = "Microsoft.Testing.Platform.MSBuild";
    version = "1.5.3";
    hash = "sha256-YspvjE5Jfi587TAfsvfDVJXNrFOkx1B3y1CKV6m7YLY=";
  })
  (fetchNuGet {
    pname = "Microsoft.TestPlatform.ObjectModel";
    version = "17.12.0";
    hash = "sha256-3XBHBSuCxggAIlHXmKNQNlPqMqwFlM952Av6RrLw1/w=";
  })
  (fetchNuGet {
    pname = "Microsoft.TestPlatform.ObjectModel";
    version = "17.9.0";
    hash = "sha256-iiXUFzpvT8OWdzMj9FGJDqanwHx40s1TXVY9l3ii+s0=";
  })
  (fetchNuGet {
    pname = "Microsoft.TestPlatform.TestHost";
    version = "17.9.0";
    hash = "sha256-1BZIY1z+C9TROgdTV/tq4zsPy7Q71GQksr/LoMKAzqU=";
  })
  (fetchNuGet {
    pname = "MSTest.Analyzers";
    version = "3.7.3";
    hash = "sha256-6mNfHtx9FBWA6/QrRUepwbxXWG/54GRyeZYazDiMacg=";
  })
  (fetchNuGet {
    pname = "MSTest.TestAdapter";
    version = "3.7.3";
    hash = "sha256-3O/AXeS+3rHWstinivt73oa0QDp+xQpTc9p46EF+Mtc=";
  })
  (fetchNuGet {
    pname = "MSTest.TestFramework";
    version = "3.7.3";
    hash = "sha256-RweCMMf14GI6HqjDIP68JM67IaJKYQTZy0jk5Q4DFxs=";
  })
  (fetchNuGet {
    pname = "Newtonsoft.Json";
    version = "13.0.1";
    hash = "sha256-K2tSVW4n4beRPzPu3rlVaBEMdGvWSv/3Q1fxaDh4Mjo=";
  })
  (fetchNuGet {
    pname = "Newtonsoft.Json";
    version = "13.0.3";
    hash = "sha256-hy/BieY4qxBWVVsDqqOPaLy1QobiIapkbrESm6v2PHc=";
  })
  (fetchNuGet {
    pname = "SmallestCSVParser";
    version = "1.1.1";
    hash = "sha256-64E87w+4FcQtYsFIOMGGmYmjXVGBwsBqgLVb7p0wc04=";
  })
  (fetchNuGet {
    pname = "Soulseek";
    version = "7.1.0";
    hash = "sha256-n6LUNuPmmy9QYNNALR0ObYyR9LJalf0H8P+SKnoqfFc=";
  })
  (fetchNuGet {
    pname = "SpotifyAPI.Web";
    version = "7.2.1";
    hash = "sha256-gbTLJaj7DSXZQlo0xpegZ8HLruMe6WmDyD8+l6YE3hg=";
  })
  (fetchNuGet {
    pname = "SpotifyAPI.Web.Auth";
    version = "7.2.1";
    hash = "sha256-uzpyPlXNCuSHrcK4SKH0ydY2HlDKXU51W5ahk2Oqu98=";
  })
  (fetchNuGet {
    pname = "System.Buffers";
    version = "4.5.1";
    hash = "sha256-wws90sfi9M7kuCPWkv1CEYMJtCqx9QB/kj0ymlsNaxI=";
  })
  (fetchNuGet {
    pname = "System.CodeDom";
    version = "7.0.0";
    hash = "sha256-7IPt39cY+0j0ZcRr/J45xPtEjnSXdUJ/5ai3ebaYQiE=";
  })
  (fetchNuGet {
    pname = "System.Diagnostics.DiagnosticSource";
    version = "5.0.0";
    hash = "sha256-6mW3N6FvcdNH/pB58pl+pFSCGWgyaP4hfVtC/SMWDV4=";
  })
  (fetchNuGet {
    pname = "System.IO.Pipelines";
    version = "9.0.1";
    hash = "sha256-CnmDanknCGbNnoDjgZw62M/Grg8IMTJDa8x3P07UR2A=";
  })
  (fetchNuGet {
    pname = "System.Management";
    version = "7.0.2";
    hash = "sha256-bJ21ILQfbHb8mX2wnVh7WP/Ip7gdVPIw+BamQuifTVY=";
  })
  (fetchNuGet {
    pname = "System.Memory";
    version = "4.5.5";
    hash = "sha256-EPQ9o1Kin7KzGI5O3U3PUQAZTItSbk9h/i4rViN3WiI=";
  })
  (fetchNuGet {
    pname = "System.Memory";
    version = "4.6.0";
    hash = "sha256-OhAEKzUM6eEaH99DcGaMz2pFLG/q/N4KVWqqiBYUOFo=";
  })
  (fetchNuGet {
    pname = "System.Reflection.Metadata";
    version = "1.6.0";
    hash = "sha256-JJfgaPav7UfEh4yRAQdGhLZF1brr0tUWPl6qmfNWq/E=";
  })
  (fetchNuGet {
    pname = "System.Runtime.CompilerServices.Unsafe";
    version = "6.0.0";
    hash = "sha256-bEG1PnDp7uKYz/OgLOWs3RWwQSVYm+AnPwVmAmcgp2I=";
  })
  (fetchNuGet {
    pname = "System.Text.Encodings.Web";
    version = "9.0.1";
    hash = "sha256-iuAVcTiiZQLCZjDfDqdLLPHqZdZqvFabwLFHiVYdRJo=";
  })
  (fetchNuGet {
    pname = "System.Text.Json";
    version = "9.0.1";
    hash = "sha256-2dqE+Mx5eJZ8db74ofUiUXHOSxDCmXw5n9VC9w4fUr0=";
  })
  (fetchNuGet {
    pname = "System.Threading.Tasks.Extensions";
    version = "4.6.0";
    hash = "sha256-OwIB0dpcdnyfvTUUj6gQfKW2XF2pWsQhykwM1HNCHqY=";
  })
  (fetchNuGet {
    pname = "System.ValueTuple";
    version = "4.5.0";
    hash = "sha256-niH6l2fU52vAzuBlwdQMw0OEoRS/7E1w5smBFoqSaAI=";
  })
  (fetchNuGet {
    pname = "TagLibSharp";
    version = "2.3.0";
    hash = "sha256-PD9bVZiPaeC8hNx2D+uDUf701cCaMi2IRi5oPTNN+/w=";
  })
  (fetchNuGet {
    pname = "Unosquare.Swan.Lite";
    version = "3.1.0";
    hash = "sha256-PL8N3CqIz/wku8/mkRMC3X868Byv47C20/rBLBhkS3o=";
  })
  (fetchNuGet {
    pname = "YoutubeExplode";
    version = "6.5.4";
    hash = "sha256-5sexIiBj5XP9rP5DA0NQ+vHJ9lpjwp00EvVux901WLc=";
  })
 ]
--- a/pkgs/slsk-batchdl/package.nix
+++ b/pkgs/slsk-batchdl/package.nix
@@ -0,0 +1,39 @@
 {
  lib,
  buildDotnetModule,
  fetchFromGitHub,
  dotnetCorePackages,
 }:
 buildDotnetModule rec {
  pname = "slsk-batchdl";
  version = "2.4.7";
  src = fetchFromGitHub {
    owner = "fiso64";
    repo = "slsk-batchdl";
    rev = "v${version}";
    sha256 = "sha256-P7V7YJUA1bkfp13Glb1Q+NJ7iTya/xgO1TM88z1Nddc=";
  };
  projectFile = "slsk-batchdl/slsk-batchdl.csproj";
  nugetDeps = ./nuget-deps.nix;
  dotnet-sdk = dotnetCorePackages.sdk_8_0;
  dotnet-runtime = dotnetCorePackages.runtime_8_0;
  # Patch the project file to use .NET 8
  postPatch = ''
    substituteInPlace slsk-batchdl/slsk-batchdl.csproj \
      --replace-fail "net6.0" "net8.0"
  '';
  doCheck = false;
  meta = with lib; {
    description = "A batch downloader for Soulseek";
    homepage = "https://github.com/fiso64/slsk-batchdl";
    platforms = platforms.linux;
    mainProgram = "slsk-batchdl";
  };
 }
--- a/pkgs/tools/misc/ocr/ocr.sh
+++ b/pkgs/tools/misc/ocr/ocr.sh
@@ -8,7 +8,7 @@ TEXT_FILE="/tmp/ocr.txt"
 IMAGE_FILE="/tmp/ocr.png"
 function notify-send() {
-    /usr/bin/osascript -e "display notification \"$2\" with title \"OCR\""
+  /usr/bin/osascript -e "display notification \"$2\" with title \"OCR\""
 }
 PATH="/usr/local/bin/:$PATH"
@@ -32,8 +32,8 @@ STATUS=$?
 # specify /tmp/ocr.txt as the file path, tesseract would out the text to
 # /tmp/ocr.txt.txt
 cd /tmp || {
-    echo "Failed to jump to directory."
+  echo "Failed to jump to directory."
-    exit 1
+  exit 1
 }
 tesseract "$IMAGE_FILE" "${TEXT_FILE//\.txt/}"
@@ -41,8 +41,8 @@ tesseract "$IMAGE_FILE" "${TEXT_FILE//\.txt/}"
 # of lines in the file
 LINES=$(wc -l <$TEXT_FILE)
 if [ "$LINES" -eq 0 ]; then
-    notify-send "ocr" "no text was detected"
+  notify-send "ocr" "no text was detected"
-    exit 1
+  exit 1
 fi
 # Copy text to clipboard
--- a/platforms/generators/aws/default.nix
+++ b/platforms/generators/aws/default.nix
@@ -21,10 +21,12 @@ in
    virtualisation.diskSize = lib.mkDefault (16 * 1024); # In MB
    boot.kernelPackages = lib.mkDefault pkgs.linuxKernel.packages.linux_6_6;
-    boot.loader.systemd-boot.enable = false;
+    boot.loader.systemd-boot.enable = lib.mkForce false;
-    boot.loader.efi.canTouchEfiVariables = false;
+    boot.loader.efi.canTouchEfiVariables = lib.mkForce false; # Default, conflicts with tempest
    services.amazon-ssm-agent.enable = lib.mkDefault true;
    users.users.ssm-user.extraGroups = [ "wheel" ];
-
+    services.udisks2.enable = lib.mkForce false; # Off by default already; conflicts with gvfs for nautilus
    boot.loader.grub.device = lib.mkForce "/dev/xvda"; # Default, conflicts with tempest
    boot.loader.grub.efiSupport = lib.mkForce false; # Default, conflicts with tempest
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/programs/aerc.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/aerc.nix
@@ -18,6 +18,7 @@ in
    home.packages = with pkgs; [
      w3m # Render HTML
      dante # Socksify for rendering HTML
      aba # Address book
    ];
    programs.aerc = {
@@ -110,6 +111,7 @@ in
          "<C-j>" = ":next-part<Enter>";
          J = ":next <Enter>";
          K = ":prev<Enter>";
          aa = ":pipe -m aba parse --all<Enter>";
        };
        "view::passthrough" = {
@@ -183,6 +185,10 @@ in
          "audio/*" = "${pkgs.mpv}/bin/mpv -";
          "image/*" = "${pkgs.feh}/bin/feh -";
        };
        compose = {
          editor = config.home.sessionVariables.EDITOR;
          address-book-cmd = "aba ls \"%s\"";
        };
      };
    };
    accounts.email.accounts.home.aerc = {
@@ -199,19 +205,28 @@ in
      exec = "${lib.getExe config.nmasur.presets.services.i3.terminal} aerc %u";
    };
    xsession.windowManager.i3.config.keybindings = lib.mkIf pkgs.stdenv.isLinux {
-      "${config.xsession.windowManager.i3.config.modifier}+Shift+e" = "exec ${
+      "${config.xsession.windowManager.i3.config.modifier}+Shift+e" =
-        # Don't name the script `aerc` or it will affect grep
+        let
-        builtins.toString (
+          terminal = config.nmasur.presets.services.i3.terminal;
-          pkgs.writeShellScript "focus-mail.sh" ''
+          startupCommand =
-            count=$(ps aux | grep -c aerc)
+            if terminal == pkgs.wezterm then
-            if [ "$count" -eq 1 ]; then
+              "start --class com.noah.aerc -- aerc"
-                i3-msg "exec --no-startup-id ${lib.getExe config.nmasur.presets.services.i3.terminal} start --class aerc -- aerc"
+            else
-                sleep 0.25
+              "--class=com.noah.aerc --command=aerc";
-            fi
+        in
-            i3-msg "[class=aerc] focus"
+        "exec ${
-          ''
+          # Don't name the script `aerc` or it will affect grep
-        )
+          builtins.toString (
-      }";
+            pkgs.writeShellScript "focus-mail.sh" ''
              count=$(ps aux | grep -c aerc)
              if [ "$count" -eq 1 ]; then
                  i3-msg "exec --no-startup-id ${lib.getExe terminal} ${startupCommand}"
                  sleep 0.25
              fi
              i3-msg "[class=com.noah.aerc] focus"
            ''
          )
        }";
    };
    programs.fish.shellAbbrs = {
--- a/platforms/home-manager/modules/nmasur/presets/programs/atuin.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/atuin.nix
@@ -15,6 +15,7 @@ in
  config = lib.mkIf cfg.enable {
    programs.atuin = {
      enable = true;
      daemon.enable = true;
      flags = [
        "--disable-up-arrow"
        "--disable-ctrl-r"
@@ -33,6 +34,7 @@ in
        secrets_filter = true;
        enter_accept = false;
        keymap_mode = "vim-normal";
        records = true; # Sync v2
      };
    };
--- a/platforms/home-manager/modules/nmasur/presets/programs/aws-ssh/aws-ssh.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/aws-ssh/aws-ssh.nix
@@ -0,0 +1,19 @@
 { config, lib, ... }:
 let
  cfg = config.nmasur.presets.programs.aws-ssh;
 in
 {
  options.nmasur.presets.programs.aws-ssh.enable = lib.mkEnableOption "AWS SSH tools";
  config = lib.mkIf cfg.enable {
    # Ignore wine directories in searches
    home.file.".ssh/aws-ssm-ssh-proxy-command.sh" = {
      text = builtins.readFile ./aws-ssm-ssh-proxy-command.sh;
      executable = true;
    };
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/programs/aws-ssh/aws-ssm-ssh-proxy-command.sh
+++ b/platforms/home-manager/modules/nmasur/presets/programs/aws-ssh/aws-ssm-ssh-proxy-command.sh
@@ -0,0 +1,69 @@
 #!/usr/bin/env bash
 set -eu
 ################################################################################
 #
 # For documentation see https://github.com/qoomon/aws-ssm-ssh-proxy-command
 #
 ################################################################################
 getInstanceId() {
  local instance_name="$1"
  local instance_id=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=${instance_name}" --query "Reservations[].Instances[?State.Name == 'running'].InstanceId" --output text)
  echo "${instance_id}"
 }
 instance_name="$1"
 ssh_user="$2"
 ssh_port="$3"
 ssh_public_key_path="$4"
 ec2InstanceIdPattern='^m?i-[0-9a-f]{8,17}$'
 if [[ $instance_name =~ $ec2InstanceIdPattern ]]; then
  instance_id=$instance_name
 else
  instance_id=$(getInstanceId "$instance_name")
  if [[ -z $instance_id ]]; then
    echo "Found no running instances with name \"${instance_name}\"."
    exit 1
  else
    echo "Instance ID for \"${instance_name}\": \"${instance_id}\""
  fi
 fi
 REGION_SEPARATOR='--'
 if echo "$instance_id" | grep -q -e "${REGION_SEPARATOR}"; then
  export AWS_REGION="${instance_id##*"${REGION_SEPARATOR}"}"
  instance_id="${instance_id%%"$REGION_SEPARATOR"*}"
 fi
 >/dev/stderr echo "Add public key ${ssh_public_key_path} for ${ssh_user} at instance ${instance_id} for 10 seconds"
 ssh_public_key="$(cat "${ssh_public_key_path}")"
 aws ssm send-command \
  --instance-ids "${instance_id}" \
  --document-name 'AWS-RunShellScript' \
  --comment "Add an SSH public key to authorized_keys for 10 seconds" \
  --parameters commands="
  \"
    set -eu
    mkdir -p ~${ssh_user}/.ssh && cd ~${ssh_user}/.ssh
    authorized_key='${ssh_public_key} ssm-session'
    echo \\\"\${authorized_key}\\\" >> authorized_keys
    sleep 10
    (grep -v -F \\\"\${authorized_key}\\\" authorized_keys || true) > authorized_keys~
    mv authorized_keys~ authorized_keys
  \"
  "
 >/dev/stderr echo "Start ssm session to instance ${instance_id}"
 aws ssm start-session \
  --target "${instance_id}" \
  --document-name 'AWS-StartSSHSession' \
  --parameters "portNumber=${ssh_port}"
--- a/platforms/home-manager/modules/nmasur/presets/programs/direnv.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/direnv.nix
@@ -17,6 +17,9 @@ in
    programs.direnv = {
      enable = true;
      nix-direnv.enable = true;
      config = {
        global.hide_env_diff = true;
      };
    };
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/programs/feishin.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/feishin.nix
@@ -0,0 +1,19 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.nmasur.presets.programs.feishin;
 in
 {
  options.nmasur.presets.programs.feishin.enable = lib.mkEnableOption "Feishin music player";
  config = lib.mkIf cfg.enable {
    home.packages = [ pkgs.feishin ];
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/programs/firefox.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/firefox.nix
@@ -23,7 +23,7 @@ in
    programs.firefox = {
      enable = true;
-      package = if pkgs.stdenv.isDarwin then pkgs.firefox-unwrapped else pkgs.firefox;
+      package = pkgs.firefox;
      profiles.default = {
        id = 0;
        name = "default";
@@ -74,6 +74,8 @@ in
          "svg.context-properties.content.enabled" = true; # Sidebery styling
          "browser.tabs.hoverPreview.enabled" = false; # Disable tab previews
          "browser.tabs.hoverPreview.showThumbnails" = false; # Disable tab previews
          "browser.gesture.swipe.left" = "cmd_scrollLeft"; # Disable swipe to go back
          "browser.gesture.swipe.right" = "cmd_scrollRight"; # Disable swipe to go forward
        };
        userChrome = ''
          :root {
--- a/platforms/home-manager/modules/nmasur/presets/programs/ghostty.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/ghostty.nix
@@ -14,6 +14,10 @@ in
  options.nmasur.presets.programs.ghostty.enable = lib.mkEnableOption "Ghostty terminal";
  config = lib.mkIf cfg.enable {
    # Set the i3 terminal
    nmasur.presets.services.i3.terminal = config.programs.ghostty.package;
    programs.ghostty = {
      enable = true;
@@ -29,7 +33,19 @@ in
        macos-titlebar-style = "hidden";
        window-decoration = false;
        macos-non-native-fullscreen = true;
-        fullscreen = true;
+        quit-after-last-window-closed = lib.mkIf pkgs.stdenv.isDarwin true;
        fullscreen = if pkgs.stdenv.isDarwin then true else false;
        keybind = [
          "super+t=unbind" # Pass super-t to underlying tool (e.g. zellij tabs)
          "super+shift+]=unbind"
          "super+shift+[=unbind"
          "ctrl+tab=unbind"
          "ctrl+shift+tab=unbind"
          "ctrl+tab=text:\\x1b[9;5u"
          "ctrl+shift+tab=text:\\x1b[9;6u"
          "super+k=unbind"
          "super+shift+e=unbind"
        ];
      };
      themes."gruvbox" = {
        background = config.theme.colors.base00;
--- a/platforms/home-manager/modules/nmasur/presets/programs/git-work.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/git-work.nix
@@ -1,6 +1,5 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
@@ -66,6 +65,18 @@ in
      };
    };
    # Personal jj config
    programs.jujutsu.settings = {
      "--scope" = [
        {
          "--when".repositories = [ "~/dev/personal" ];
          user = {
            name = cfg.personal.name;
            email = cfg.personal.email;
          };
        }
      ];
    };
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/programs/git/default.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/git/default.nix
@@ -32,7 +32,7 @@ in
      userName = cfg.name;
      userEmail = cfg.email;
      extraConfig = {
-        core.pager = "${pkgs.git}/share/git/contrib/diff-highlight/diff-highlight | less -F";
+        core.pager = "${pkgs.git}/share/git/contrib/diff-highlight/diff-highlight | less --no-init";
        interactive.difffilter = "${pkgs.git}/share/git/contrib/diff-highlight/diff-highlight";
        pager = {
          branch = "false";
--- a/platforms/home-manager/modules/nmasur/presets/programs/helix.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/helix.nix
@@ -22,6 +22,9 @@ in
    # Set Neovim as the default app for text editing and manual pages
    home.sessionVariables = {
      EDITOR = lib.mkForce "${lib.getExe pkgs.helix}";
      MANPAGER = lib.mkForce "sh -c 'col -bx | ${lib.getExe pkgs.helix}'";
      MANWIDTH = 87;
      MANROFFOPT = "-c";
    };
    # Create quick aliases for launching Helix
@@ -35,6 +38,8 @@ in
      enable = true;
      package = pkgs.helix; # pkgs.evil-helix
      languages = {
        language-server.nixd = {
@@ -45,19 +50,184 @@ in
          command = "${pkgs.fish-lsp}/bin/fish-lsp";
        };
        language-server.yaml-language-server = {
          command = lib.getExe pkgs.yaml-language-server;
        };
        language-server.marksman = {
          command = lib.getExe pkgs.marksman;
        };
        language-server.terraform-ls = {
          command = "${lib.getExe pkgs.terraform-ls} serve";
        };
        language-server.bash-language-server = {
          command = lib.getExe (
            pkgs.bash-language-server.overrideAttrs {
              buildInputs = [
                pkgs.shellcheck
                pkgs.shfmt
              ];
            }
          );
        };
        language = [
          {
            name = "nix";
            auto-format = true;
            language-servers = [ "nixd" ];
          }
          {
            name = "markdown";
            auto-format = false;
            language-servers = [ "marksman" ];
            formatter = {
              command = lib.getExe pkgs.mdformat;
              args = [ "-" ];
            };
            # Allows return key to continue the token on the next line
            comment-tokens = [
              "-"
              "+"
              "*"
              "- [ ]"
              ">"
            ];
          }
          {
            name = "tfvars";
            auto-format = true;
            language-servers = [ "terraform-ls" ];
            formatter = {
              command = lib.getExe pkgs.terraform;
              args = [
                "fmt"
                "-"
              ];
            };
          }
          {
            name = "hcl";
            auto-format = true;
            language-servers = [ "terraform-ls" ];
            formatter = {
              command = lib.getExe pkgs.terraform;
              args = [
                "fmt"
                "-"
              ];
            };
          }
          {
            name = "bash";
            auto-format = true;
          }
        ];
      };
      ignores = [
        "content/.obsidian/**"
        ".direnv/**"
      ];
      settings = {
        theme = "base16";
        keys.normal = {
          # Use the enter key to save the file
          ret = ":write";
          # Get out of multiple cursors and selection
          esc = [
            "collapse_selection"
            "keep_primary_selection"
          ];
          # Quit shortcuts
          space.q = ":quit-all";
          space.x = ":quit-all!";
          # Enable and disable inlay hints
          space.H = ":toggle lsp.display-inlay-hints";
          # Toggle floating pane
          space.t = ":sh zellij action toggle-floating-panes";
          # Today's note
          space.n = ":vsplit %sh{fish -c 'generate-today'}";
          # Open lazygit
          # Unfortunately, this breaks mouse input and the terminal after quitting Helix
          space.l = [
            ":write-all"
            ":new"
            ":insert-output ${lib.getExe pkgs.lazygit} > /dev/tty"
            ":buffer-close!"
            ":redraw"
            ":reload-all"
            ":set mouse false"
            ":set mouse true"
          ];
          # Commandline git blame
          space.B = ":echo %sh{git log -n1 --date=short --pretty=format:'%%h %%ad %%s' $(git blame -L %{cursor_line},+1 \"%{buffer_name}\" | cut -d' ' -f1)}";
          # Open yazi
          # https://github.com/sxyazi/yazi/pull/2461
          # Won't work until next Helix release
          C-y = [
            ":sh rm -f /tmp/unique-file"
            ":insert-output ${lib.getExe pkgs.yazi} %{buffer_name} --chooser-file=/tmp/unique-file"
            ":insert-output echo \\x1b[?1049h\\x1b[?2004h > /dev/tty"
            ":open %sh{cat /tmp/unique-file}"
            ":redraw"
          ];
          # Extend selection above
          X = "select_line_above";
          # Move lines up or down
          A-j = [
            "extend_to_line_bounds"
            "delete_selection"
            "paste_after"
          ];
          A-k = [
            "extend_to_line_bounds"
            "delete_selection"
            "move_line_up"
            "paste_before"
          ];
          A-S-ret = [
            "open_above"
            "normal_mode"
          ];
          A-ret = [
            "open_below"
            "normal_mode"
          ];
        };
        keys.insert = {
          # Allows not continuing the comment
          "A-ret" = [
            "insert_newline"
            "extend_to_line_bounds"
            "delete_selection"
            "insert_newline"
            "move_line_up"
            "insert_mode"
          ];
        };
        editor = {
          # Change cursors depending on the mode
          cursor-shape = {
            insert = "bar";
@@ -65,15 +235,20 @@ in
            select = "underline";
          };
          # Text width
          soft-wrap = {
            enable = true;
          };
          # View line numbers relative to the current cursors
          line-number = "relative";
          # Show hidden files
          file-picker = {
-            hidden = false;
+            hidden = false; # Show hidden files
-            git-ignore = true;
+            git-ignore = true; # Skip gitignore files
-            git-global = true;
+            git-global = true; # Skip global gitignore files
-            git-exclude = true;
+            git-exclude = true; # Skip excluded files
          };
          # Show whitespace visible to the user
@@ -89,6 +264,7 @@ in
            };
          };
        };
      };
      themes."${config.programs.helix.settings.theme}" = {
@@ -120,7 +296,7 @@ in
        "string" = config.theme.colors.base0B;
        "type" = config.theme.colors.base0A;
        "variable" = config.theme.colors.base08;
-        "variable.other.member" = config.theme.colors.base0B;
+        "variable.other.member" = config.theme.colors.base05;
        "warning" = config.theme.colors.base09;
        "markup.bold" = {
          fg = config.theme.colors.base0A;
@@ -175,7 +351,7 @@ in
          bg = config.theme.colors.base00;
        };
        "ui.cursor" = {
-          fg = config.theme.colors.base0A;
+          fg = config.theme.colors.base04;
          modifiers = [ "reversed" ];
        };
        "ui.cursor.insert" = {
@@ -187,11 +363,11 @@ in
          bg = config.theme.colors.base01;
        };
        "ui.cursor.match" = {
-          fg = config.theme.colors.base0A;
+          fg = config.theme.colors.base03;
          modifiers = [ "reversed" ];
        };
        "ui.cursor.select" = {
-          fg = config.theme.colors.base0A;
+          fg = config.theme.colors.base04;
          modifiers = [ "reversed" ];
        };
        "ui.gutter" = {
@@ -226,10 +402,10 @@ in
          bg = config.theme.colors.base01;
        };
        "ui.selection" = {
-          bg = config.theme.colors.base02;
+          bg = config.theme.colors.base01;
        };
        "ui.selection.primary" = {
-          bg = config.theme.colors.base03;
+          bg = config.theme.colors.base02;
        };
        "ui.statusline" = {
          fg = config.theme.colors.base04;
--- a/platforms/home-manager/modules/nmasur/presets/programs/jujutsu.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/jujutsu.nix
@@ -1,5 +1,6 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
@@ -22,8 +23,18 @@ in
          name = config.programs.git.userName;
          email = config.programs.git.userEmail;
        };
        ui.paginate = "never";
        # Automatically snapshot when files change
        fsmonitor.backend = "watchman";
        fsmonitor.watchman.register-snapshot-trigger = true;
      };
    };
    home.packages = [
      # Required for the fsmonitor to auto-snapshot
      pkgs.watchman
    ];
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/programs/lazygit.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/lazygit.nix
@@ -0,0 +1,96 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.nmasur.presets.programs.lazygit;
 in
 {
  options.nmasur.presets.programs.lazygit.enable = lib.mkEnableOption "Lazygit git TUI";
  config = lib.mkIf cfg.enable {
    programs.lazygit = {
      enable = true;
      settings = {
        git.paging = {
          # useConfig = true;
          pager = "${pkgs.git}/share/git/contrib/diff-highlight/diff-highlight";
        };
        os = {
          edit = "${config.home.sessionVariables.EDITOR} {{filename}}";
          editAtLine = "${config.home.sessionVariables.EDITOR} {{filename}}:{{line}}";
          editAtLineAndWait = "${config.home.sessionVariables.EDITOR} {{filename}}:{{line}}";
          openDirInEditor = "${config.home.sessionVariables.EDITOR}";
          open = "${config.home.sessionVariables.EDITOR} {{filename}}";
        };
        customCommands = [
          {
            key = "N";
            context = "files";
            command = "git add -N {{.SelectedFile.Name}}";
          }
          {
            key = "<a-enter>";
            context = "global";
            command =
              let
                openGitUrl = pkgs.writeShellScriptBin "open-git-url" ''
                  # Try to get the remote URL using two common methods; suppress stderr for individual commands.
                  # "git remote get-url origin" is generally preferred.
                  # "git config --get remote.origin.url" is a fallback.
                  URL=$(git remote get-url origin 2>/dev/null || git config --get remote.origin.url 2>/dev/null);
                  # Check if a URL was actually found.
                  if [ -z "$URL" ]; then
                    # Send error message to stderr so it might appear in lazygit logs or notifications.
                    echo "Lazygit: Could not determine remote URL for 'origin'." >&2;
                    # Exit with an error code.
                    exit 1;
                  fi;
                  # Check if the URL is a GitHub SSH URL and convert it to HTTPS.
                  # This uses echo and grep to check for "@github.com" and then sed for transformation.
                  if echo "$URL" | grep -q "@github.com:"; then
                    # Transform git@github.com:user/repo.git to https://github.com/user/repo
                    # The first sed handles the main transformation.
                    # The second sed removes a trailing .git if present, for a cleaner URL.
                    URL=$(echo "$URL" | sed "s|git@github.com:|https://github.com/|" | sed "s|\.git$||");
                    # Optional: Log the transformation for debugging.
                    # echo "Lazygit: Transformed GitHub SSH URL to '$URL'" >&2;
                  fi;
                  # Determine the operating system.
                  OS="$(uname -s)";
                  # Optional: Echo for debugging. This might appear in lazygit logs or as a brief message.
                  # Remove " >&2" if you want to see it as a potential success message in lazygit UI (if it shows stdout).
                  # echo "Lazygit: Opening URL '$URL' on '$OS'" >&2;
                  # Execute the appropriate command to open the URL based on the OS.
                  case "$OS" in
                    Darwin*) # macOS
                      open "$URL";;
                    Linux*)  # Linux
                      xdg-open "$URL";;
                    *)       # Unsupported OS
                      echo "Lazygit: Unsupported OS ('$OS'). Could not open URL." >&2;
                      exit 1;;
                  esac
                '';
              in
              lib.getExe openGitUrl;
          }
        ];
      };
    };
    programs.fish.shellAbbrs = {
      lg = "lazygit";
    };
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/programs/mpv.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/mpv.nix
@@ -31,5 +31,9 @@ in
        pkgs.mpvScripts.mpv-delete-file
      ];
    };
    programs.fish.shellAbbrs = {
      mpvs = "mpv --shuffle=yes";
    };
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/programs/nixpkgs-darwin.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/nixpkgs-darwin.nix
@@ -21,6 +21,12 @@ in
  config = lib.mkIf (cfg.enable) {
    # These are useful for triggering from zellij (rather than running directly in the shell)
    nmasur.presets.programs.nixpkgs.commands.rebuildNixos = pkgs.writeShellScriptBin "rebuild-darwin" ''
      git -C ${config.nmasur.presets.programs.dotfiles.path} add --intent-to-add --all
      sudo darwin-rebuild switch --flake "${config.nmasur.presets.programs.dotfiles.path}#${config.nmasur.settings.host}"
    '';
    programs.fish = {
      shellAbbrs = lib.mkIf config.nmasur.presets.programs.dotfiles.enable {
        nr = {
@@ -34,13 +40,13 @@ in
        rebuild-darwin = {
          body = ''
            git -C ${config.nmasur.presets.programs.dotfiles.path} add --intent-to-add --all
-            echo "darwin-rebuild switch --flake ${config.nmasur.presets.programs.dotfiles.path}#lookingglass"
+            echo "sudo darwin-rebuild switch --flake ${config.nmasur.presets.programs.dotfiles.path}#lookingglass"
          '';
        };
        rebuild-darwin-offline = {
          body = ''
            git -C ${config.nmasur.presets.programs.dotfiles.path} add --intent-to-add --all
-            echo "darwin-rebuild switch --option substitute false --flake ${config.nmasur.presets.programs.dotfiles.path}#lookingglass"
+            echo "sudo darwin-rebuild switch --option substitute false --flake ${config.nmasur.presets.programs.dotfiles.path}#lookingglass"
          '';
        };
        rebuild-home = lib.mkForce {
--- a/platforms/home-manager/modules/nmasur/presets/programs/nixpkgs.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/nixpkgs.nix
@@ -11,10 +11,35 @@ in
 {
-  options.nmasur.presets.programs.nixpkgs.enable = lib.mkEnableOption "Nixpkgs presets";
+  options.nmasur.presets.programs.nixpkgs = {
    enable = lib.mkEnableOption "Nixpkgs presets";
    commands = {
      # These are useful for triggering from zellij (rather than running directly in the shell)
      rebuildHome = lib.mkOption {
        type = lib.types.package;
        default = pkgs.writeShellScriptBin "rebuild-home" ''
          git -C ${config.nmasur.presets.programs.dotfiles.path} add --intent-to-add --all
          ${lib.getExe pkgs.home-manager} switch --flake "${config.nmasur.presets.programs.dotfiles.path}#${config.nmasur.settings.host}"
        '';
      };
      rebuildNixos = lib.mkOption {
        type = lib.types.package;
        default = pkgs.writeShellScriptBin "rebuild-nixos" ''
          git -C ${config.nmasur.presets.programs.dotfiles.path} add --intent-to-add --all
          doas nixos-rebuild switch --flake ${config.nmasur.presets.programs.dotfiles.path}
        '';
      };
    };
  };
  config = lib.mkIf cfg.enable {
    home.packages = [
      pkgs.nh # Allows rebuilding with a cleaner TUI
      cfg.commands.rebuildHome
      cfg.commands.rebuildNixos
    ];
    programs.fish = {
      shellAbbrs = {
        n = "nix";
--- a/platforms/home-manager/modules/nmasur/presets/programs/notes/default.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/notes/default.nix
@@ -44,21 +44,22 @@ in
    programs.fish.functions = {
      syncnotes = {
        description = "Full git commit on notes";
-        body = builtins.readFile lib.getExe (
+        body =
-          pkgs.writers.writeFishBin "syncnotes" {
+          let
-            makeWrapperArgs = [
+            git = lib.getExe pkgs.git;
-              "--prefix"
+          in
-              "PATH"
+          # fish
-              ":"
+          ''
-              "${lib.makeBinPath [ pkgs.git ]}"
+            ${git} -C ${cfg.path} pull
-            ];
+            ${git} -C ${cfg.path} add -A
-          } builtins.readFile ./syncnotes.fish
+            ${git} -C ${cfg.path} commit -m autosync
-        );
+            ${git} -C ${cfg.path} push
          '';
      };
      note = {
        description = "Edit or create a note";
        argumentNames = "filename";
-        body = builtins.readFile lib.getExe (
+        body = lib.getExe (
          pkgs.writers.writeFishBin "note" {
            makeWrapperArgs = [
              "--prefix"
@@ -69,7 +70,44 @@ in
                pkgs.fzf
              ]}"
            ];
-          } builtins.readFile ./note.fish
+          } (builtins.readFile ./note.fish)
        );
      };
      generate-today = {
        description = "Create today's note";
        body = # fish
          ''
            set filename $(date +%Y-%m-%d_%a)
            set filepath "${cfg.path}/content/journal/$filename.md"
            if ! test -e "$filepath"
              echo -e  "---\ntitle: $(date +"%A, %B %e %Y") - $(curl "https://wttr.in/New+York+City?u&format=1")\ntags: [ journal ]\n---\n\n" > "$filepath"
            end
            echo "$filepath"
          '';
      };
      today = {
        description = "Edit or create today's note";
        body = lib.getExe (
          pkgs.writers.writeFishBin "today"
            {
              makeWrapperArgs = [
                "--prefix"
                "PATH"
                ":"
                "${lib.makeBinPath [
                  pkgs.curl
                  pkgs.helix
                ]}"
              ];
            } # fish
            ''
              set filename $(date +%Y-%m-%d_%a)
              set filepath "${cfg.path}/content/journal/$filename.md"
              if ! test -e "$filepath"
                echo -e  "---\ntitle: $(date +"%A, %B %e %Y") - $(curl "https://wttr.in/New+York+City?u&format=1")\ntags: [ journal ]\n---\n\n" > "$filepath"
              end
              hx "$filepath"
            ''
        );
      };
    };
--- a/platforms/home-manager/modules/nmasur/presets/programs/rofi/themes/common.rasi
+++ b/platforms/home-manager/modules/nmasur/presets/programs/rofi/themes/common.rasi
@@ -5,7 +5,7 @@
 * {
  /* General */
-  font:                                 "Hack Nerd Font 60";
+  font:                                 "Hack Nerd Font Mono 60";
  /* option menus: i3-layout, music, power and screenshot
   *
@@ -13,7 +13,6 @@
   * around using this character: ■
   * We then add add 100 actual padding around the icons.
   *                                    -12px 0px   -19px -96px */
  option-element-padding:               1% 1% 1% 1%;
  option-5-window-padding:              4% 4%;
  option-5-listview-spacing:            15px;
@@ -46,7 +45,7 @@
  layout: horizontal;
 }
 element {
-  padding: 40px 68px 43px 30px;
+  padding: 40px 62px 40px 36px;
 }
 #window {
  padding: 20px;
--- a/platforms/home-manager/modules/nmasur/presets/programs/starship.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/starship.nix
@@ -19,6 +19,7 @@ in
      enable = true;
      enableFishIntegration = true;
      enableBashIntegration = true;
      enableTransience = true; # Replace previous prompts with custom string
      settings = {
        add_newline = false; # Don't print new line at the start of the prompt
        format = lib.concatStrings [
@@ -80,6 +81,17 @@ in
        };
      };
    };
    programs.fish = {
      functions = {
        # Adjust the prompt in previous commands
        starship_transient_prompt_func = {
          body = "echo '$ '";
        };
        starship_transient_rprompt_func = {
          body = "echo ' '";
        };
      };
    };
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/programs/zellij.nix
+++ b/platforms/home-manager/modules/nmasur/presets/programs/zellij.nix
@@ -1,11 +1,21 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.nmasur.presets.programs.zellij;
  zellij-switch-to-last = pkgs.writeShellScriptBin "zellij-switch-to-last" ''
    TARGET_SESSION=$(cat ~/.local/state/zellij-last-session)
    if [ -z "$TARGET_SESSION" ]; then
      return 1
    fi
    echo "$ZELLIJ_SESSION_NAME" > ~/.local/state/zellij-last-session
    zellij pipe --plugin file:$(which zellij-switch.wasm) -- "--session $TARGET_SESSION"
  '';
 in
 {
@@ -14,75 +24,223 @@ in
  config = lib.mkIf cfg.enable {
    home.packages = [ pkgs.zellij-switch ];
    programs.fish = {
      shellAbbrs.z = "zellij";
      functions = {
        zellij-session = {
          # description = "Open a session in Zellij";
          body = # fish
            ''
              set TARGET_DIR $(zoxide query --interactive)
              if test -z $TARGET_DIR
                return 0
              end
              if test "$TARGET_DIR" = $(pwd)
                return 1
              end
              echo "$ZELLIJ_SESSION_NAME" > ~/.local/state/zellij-last-session
              zellij pipe --plugin file:$(which zellij-switch.wasm) -- "--cwd $TARGET_DIR --layout default --session $(basename $TARGET_DIR)"
            '';
        };
        gh-run = {
          body = # fish
            ''
              zellij action new-pane --start-suspended -- gh run watch
            '';
        };
      };
    };
    xdg.configFile."zellij/layouts/compact-top.kdl".text = # kdl
      ''
        layout {
          pane size=1 borderless=true {
            plugin location="compact-bar"
          }
          pane
        }
      '';
    xdg.configFile."zellij/layouts/default.kdl".text = # kdl
      ''
        layout {
            pane size=1 borderless=true {
                plugin location="tab-bar"
            }
            pane
            pane size=1 borderless=true {
                plugin location="status-bar"
            }
        }
      '';
    programs.zellij = {
      enable = true;
      # Auto start on shell init
      enableBashIntegration = true;
      enableFishIntegration = true;
      enableZshIntegration = true;
      attachExistingSession = true;
      exitShellOnExit = false;
      settings = {
        default_mode = "locked";
        # default_layout = "compact-top";
        # Remove border
        pane_frames = false;
        # Scrollback
        scrollback_editor = config.home.sessionVariables.EDITOR;
        show_startup_tips = false;
        keybinds = {
-          # _props = {
+          session = {
-          # clear-defaults = true;
+            "bind \"w\"" = {
-          # };
+              LaunchOrFocusPlugin = {
-          unbind = {
+                _args = [ "session-manager" ];
-            _args = [
+                floating = true;
-              "Ctrl g"
+                move_to_focused_tab = true;
-              "Ctrl h"
+              };
              "Ctrl n"
              "Ctrl o"
              "Ctrl p"
              "Ctrl q"
              "Ctrl s"
            ];
          };
          normal = {
            "bind \"Alt l\"" = {
              SwitchToMode = {
                _args = [ "locked" ];
              };
            };
-            "bind \"Alt p\"" = {
+          };
          scroll = {
            "bind \"e\"" = {
              EditScrollback = { };
              SwitchToMode = {
-                _args = [ "pane" ];
+                _args = [ "locked" ];
              };
            };
            "bind \"Alt t\"" = {
              SwitchToMode = {
                _args = [ "tab" ];
              };
            };
            "bind \"Alt r\"" = {
              SwitchToMode = {
                _args = [ "resize" ];
              };
            };
            "bind \"Alt m\"" = {
              SwitchToMode = {
                _args = [ "move" ];
              };
            };
            "bind \"Alt k\"" = {
              SwitchToMode = {
                _args = [ "search" ];
              };
            };
            "bind \"Alt o\"" = {
              SwitchToMode = {
                _args = [ "session" ];
              };
            };
            "bind \"Alt q\"" = {
              "Quit" = { };
            };
          };
-          locked = {
+          shared = {
-            "bind \"Alt l\"" = {
+            "bind \"Alt Shift s\"" = {
              Run = {
                _args = [
                  (lib.getExe zellij-switch-to-last)
                ];
                close_on_exit = true;
              };
            };
            "bind \"Alt Shift p\"" = {
              Run = {
                _args = [
                  "${pkgs.fish}/bin/fish"
                  "-c"
                  "zellij-session"
                ];
                close_on_exit = true;
              };
            };
            "bind \"Alt Shift h\"" = {
              Run = {
                _args = [
                  (lib.getExe config.nmasur.presets.programs.nixpkgs.commands.rebuildHome)
                ];
                # close_on_exit = false;
              };
            };
            "bind \"Alt Shift r\"" = {
              Run = {
                _args = [
                  (lib.getExe config.nmasur.presets.programs.nixpkgs.commands.rebuildNixos)
                ];
                # close_on_exit = false;
              };
            };
            "bind \"Alt Shift w\"" = {
              Run = {
                _args = [
                  (lib.getExe pkgs.gh)
                  "run"
                  "watch"
                ];
                # direction = "Right";
                # close_on_exit = false;
                # start_suspended = true;
              };
            };
            "bind \"Alt Shift l\"" = {
              Run = {
                _args = [
                  (lib.getExe pkgs.gh)
                  "run"
                  "view"
                  "--log"
                ];
              };
            };
            "bind \"Alt Shift f\"" = {
              Run = {
                _args = [
                  (lib.getExe pkgs.gh)
                  "run"
                  "view"
                  "--log-failed"
                ];
              };
            };
            "bind \"Alt Shift j\"" = {
              Run = {
                _args = [
                  (lib.getExe pkgs.lazyjj)
                ];
                close_on_exit = true;
                floating = true;
                x = "1%";
                y = "1%";
                width = "99%";
                height = "99%";
              };
            };
            "bind \"Super Shift ]\"" = {
              GoToNextTab = { };
            };
            "bind \"Super Shift [\"" = {
              GoToPreviousTab = { };
            };
            "bind \"Ctrl Tab\"" = {
              GoToNextTab = { };
            };
            "bind \"Ctrl Shift Tab\"" = {
              GoToPreviousTab = { };
            };
            "bind \"Super t\"" = lib.mkIf pkgs.stdenv.isDarwin {
              NewTab = { };
            };
            "bind \"Alt t\"" = lib.mkIf pkgs.stdenv.isLinux {
              NewTab = { };
            };
            "bind \"Super k\"" = lib.mkIf pkgs.stdenv.isDarwin {
              SwitchToMode = {
-                _args = [ "Normal" ];
+                _args = [ "scroll" ];
              };
            };
            "bind \"Super Shift e\"" = lib.mkIf pkgs.stdenv.isDarwin {
              EditScrollback = { };
              SwitchToMode = {
                _args = [ "locked" ];
              };
            };
            "bind \"Alt Shift e\"" = lib.mkIf pkgs.stdenv.isLinux {
              EditScrollback = { };
              SwitchToMode = {
                _args = [ "locked" ];
              };
            };
            "bind \"Alt l\"" = {
              MoveFocusOrTab = {
                _args = [ "Right" ];
              };
            };
            "bind \"Alt h\"" = {
              MoveFocusOrTab = {
                _args = [ "Left" ];
              };
            };
          };
@@ -90,16 +248,16 @@ in
        };
        theme = "custom";
        themes.custom = {
-          fg = "${config.theme.colors.base05}";
+          fg = "${config.theme.colors.base03}";
          bg = "${config.theme.colors.base02}";
          black = "${config.theme.colors.base00}";
          red = "${config.theme.colors.base08}";
-          green = "${config.theme.colors.base0B}";
+          green = "${config.theme.colors.base04}";
          yellow = "${config.theme.colors.base0A}";
          blue = "${config.theme.colors.base0D}";
          magenta = "${config.theme.colors.base0E}";
          cyan = "${config.theme.colors.base0C}";
-          white = "${config.theme.colors.base05}";
+          white = "${config.theme.colors.base04}";
          orange = "${config.theme.colors.base09}";
        };
      };
--- a/platforms/home-manager/modules/nmasur/presets/services/hammerspoon/Spoons/Launcher.spoon/init.lua
+++ b/platforms/home-manager/modules/nmasur/presets/services/hammerspoon/Spoons/Launcher.spoon/init.lua
@@ -105,6 +105,9 @@ function obj:init()
    self.launcher:bind("", "Z", function()
        self:switch("zoom.us.app")
    end)
    self.launcher:bind("shift", "Z", function()
        self:switch("@zed@")
    end)
 end
 function obj:switch(app)
--- a/platforms/home-manager/modules/nmasur/presets/services/hammerspoon/default.nix
+++ b/platforms/home-manager/modules/nmasur/presets/services/hammerspoon/default.nix
@@ -18,15 +18,17 @@ in
    xdg.configFile."hammerspoon/init.lua".source = ./init.lua;
    xdg.configFile."hammerspoon/Spoons/ControlEscape.spoon".source = ./Spoons/ControlEscape.spoon;
    xdg.configFile."hammerspoon/Spoons/DismissAlerts.spoon".source = ./Spoons/DismissAlerts.spoon;
-    xdg.configFile."hammerspoon/Spoons/Launcher.spoon/init.lua".source = pkgs.substituteAll {
+    xdg.configFile."hammerspoon/Spoons/Launcher.spoon/init.lua".source =
-      src = ./Spoons/Launcher.spoon/init.lua;
+      pkgs.replaceVars ./Spoons/Launcher.spoon/init.lua
-      discord = "${pkgs.discord}/Applications/Discord.app";
+        {
-      firefox = "${pkgs.firefox-unwrapped}/Applications/Firefox.app";
+          discord = "${pkgs.discord}/Applications/Discord.app";
-      ghostty = "${config.programs.ghostty.package}/Applications/Ghostty.app";
+          firefox = "${pkgs.firefox-unwrapped}/Applications/Firefox.app";
-      obsidian = "${pkgs.obsidian}/Applications/Obsidian.app";
+          ghostty = "${config.programs.ghostty.package}/Applications/Ghostty.app";
-      slack = "${pkgs.slack}/Applications/Slack.app";
+          obsidian = "${pkgs.obsidian}/Applications/Obsidian.app";
-      wezterm = "${pkgs.wezterm}/Applications/WezTerm.app";
+          slack = "${pkgs.slack}/Applications/Slack.app";
-    };
+          wezterm = "${pkgs.wezterm}/Applications/WezTerm.app";
          zed = "${pkgs.zed-editor}/Applications/Zed.app";
        };
    xdg.configFile."hammerspoon/Spoons/MoveWindow.spoon".source = ./Spoons/MoveWindow.spoon;
    home.activation.reloadHammerspoon = config.lib.dag.entryAfter [ "writeBoundary" ] ''
--- a/platforms/home-manager/modules/nmasur/presets/services/i3.nix
+++ b/platforms/home-manager/modules/nmasur/presets/services/i3.nix
@@ -94,7 +94,7 @@ in
          ws10 = "10:X";
        in
        {
-          terminal = cfg.terminal.meta.mainProgram;
+          # terminal = cfg.terminal.meta.mainProgram;
          modifier = modifier;
          assigns = {
            "${ws1}" = [ { class = "Firefox"; } ];
@@ -103,6 +103,7 @@ in
              { class = "kitty"; }
              { class = "obsidian"; }
              { class = "wezterm"; }
              { class = "ghostty"; }
            ];
            "${ws3}" = [ { class = "discord"; } ];
            "${ws4}" = [
@@ -213,9 +214,9 @@ in
              cfg.commands.lockScreen != null
            ) "exec ${cfg.commands.lockScreen}";
            "${modifier}+Mod1+h" =
-              "exec --no-startup-id ${lib.getExe cfg.terminal} -e sh -c '${pkgs.home-manager}/bin/home-manager switch --flake ${config.nmasur.presets.programs.dotfiles.path} || read'";
+              ''exec --no-startup-id ${lib.getExe cfg.terminal} --command="${pkgs.home-manager}/bin/home-manager switch --flake ${config.nmasur.presets.programs.dotfiles.path}#''${hostname} || read" '';
            "${modifier}+Mod1+r" =
-              "exec --no-startup-id ${lib.getExe cfg.terminal} -e sh -c 'doas nixos-rebuild switch --flake ${config.nmasur.presets.programs.dotfiles.path} || read'";
+              "exec --no-startup-id ${lib.getExe cfg.terminal} --command='doas nixos-rebuild switch --flake ${config.nmasur.presets.programs.dotfiles.path} || read'";
            # Window options
            "${modifier}+q" = "kill";
--- a/platforms/home-manager/modules/nmasur/presets/services/keybase.nix
+++ b/platforms/home-manager/modules/nmasur/presets/services/keybase.nix
@@ -35,5 +35,9 @@ in
        ".rgignore".text = ignorePatterns;
        ".fdignore".text = ignorePatterns;
      };
    # Ignore in zoxide
    home.sessionVariables = {
      _ZO_EXCLUDE_DIRS = "$HOME/keybase/*";
    };
  };
 }
--- a/platforms/home-manager/modules/nmasur/presets/services/polybar.nix
+++ b/platforms/home-manager/modules/nmasur/presets/services/polybar.nix
@@ -136,7 +136,15 @@ in
              fi
            ''
          );
-          click-left = "i3-msg 'exec --no-startup-id kitty --class aerc aerc'; sleep 0.15; i3-msg '[class=aerc] focus'";
+          click-left =
            let
              startupCommand =
                if config.nmasur.presets.services.i3.terminal == pkgs.wezterm then
                  "start --class aerc -- aerc"
                else
                  "--class=com.noah.aerc --command=aerc";
            in
            "i3-msg 'exec --no-startup-id ${lib.getExe config.nmasur.presets.services.i3.terminal} ${startupCommand}'; sleep 0.15; i3-msg '[class=com.noah.aerc] focus'";
        };
        "module/network" = {
          type = "internal/network";
@@ -213,12 +221,12 @@ in
          label = "%date%";
          label-foreground = config.theme.colors.base06;
          # format-background = colors.background;
-          click-right = lib.getExe config.nmasur.presets.services.i3.terminal;
+          click-right = "i3-msg 'exec --no-startup-id ${lib.getExe config.nmasur.presets.services.i3.terminal}'";
        };
        "module/power" = {
          type = "custom/text";
          content = "  ";
-          click-left = config.nmasur.presets.services.i3.commands.toggleBar;
+          click-left = config.nmasur.presets.services.i3.commands.power;
          click-right = "polybar-msg cmd restart";
          content-foreground = config.theme.colors.base04;
        };
--- a/platforms/home-manager/modules/nmasur/profiles/darwin-base.nix
+++ b/platforms/home-manager/modules/nmasur/profiles/darwin-base.nix
@@ -19,6 +19,7 @@ in
      fonts.enable = lib.mkDefault true;
      services.hammerspoon.enable = lib.mkDefault true;
      programs.nixpkgs-darwin.enable = lib.mkDefault true;
      programs.mpv.enable = lib.mkDefault true;
    };
    home.homeDirectory = lib.mkForce "/Users/${config.home.username}";
@@ -31,6 +32,8 @@ in
    # Used for aerc
    xdg.enable = lib.mkDefault pkgs.stdenv.isDarwin;
    programs.fish.shellAbbrs.t = "trash";
    # Add homebrew paths to CLI path
    home.sessionPath = [
      "/opt/homebrew/bin/"
@@ -39,6 +42,7 @@ in
    home.packages = [
      pkgs.noti # Create notifications programmatically
      pkgs.ice-bar # Menu bar hiding
    ];
  };
--- a/platforms/home-manager/modules/nmasur/profiles/experimental.nix
+++ b/platforms/home-manager/modules/nmasur/profiles/experimental.nix
@@ -17,9 +17,7 @@ in
    nmasur.presets.programs = {
      zed-editor.enable = lib.mkDefault true;
-      ghostty.enable = lib.mkDefault true;
+      jujutsu.enable = lib.mkDefault true;
      helix.enable = lib.mkDefault true;
      zellij.enable = lib.mkDefault true;
    };
    home.packages = [
@@ -35,7 +33,6 @@ in
    programs.gh-dash.enable = lib.mkDefault true;
    programs.himalaya.enable = lib.mkDefault true;
  };
 }
--- a/platforms/home-manager/modules/nmasur/profiles/linux-gui.nix
+++ b/platforms/home-manager/modules/nmasur/profiles/linux-gui.nix
@@ -23,14 +23,15 @@ in
        aerc.enable = lib.mkDefault true;
        discord.enable = lib.mkDefault true;
        dotfiles.enable = lib.mkDefault true;
        feishin.enable = lib.mkDefault true;
        firefox.enable = lib.mkDefault true;
        ghostty.enable = lib.mkDefault true;
        mpv.enable = lib.mkDefault true;
        nautilus.enable = lib.mkDefault true;
        notmuch.enable = lib.mkDefault true;
        nsxiv.enable = lib.mkDefault true;
        obsidian.enable = lib.mkDefault true;
        rofi.enable = lib.mkDefault true;
        wezterm.enable = lib.mkDefault true;
        xclip.enable = lib.mkDefault true;
        zathura.enable = lib.mkDefault true;
      };
--- a/platforms/home-manager/modules/nmasur/profiles/power-user.nix
+++ b/platforms/home-manager/modules/nmasur/profiles/power-user.nix
@@ -15,25 +15,29 @@ in
    home.packages = [
      pkgs.age # Encryption
      pkgs.bc # Calculator
      pkgs.bottom # System monitor (top)
      pkgs.delta # Fancy diffs
      pkgs.difftastic # Other fancy diffs
      pkgs.doggo # DNS client (dig)
      pkgs.du-dust # Disk usage tree (ncdu)
      pkgs.dua # File sizes (du)
      pkgs.duf # Basic disk information (df)
      pkgs.jless # JSON viewer
      pkgs.jo # JSON output
      pkgs.mpd # TUI slideshows
      pkgs.nixfmt-rfc-style # Format Nix code
      pkgs.nmasur.jqr # FZF fq JSON tool
      pkgs.nmasur.osc # Clipboard over SSH
      pkgs.qrencode # Generate qr codes
      pkgs.nmasur.ren-find # Rename files
      pkgs.nmasur.rep-grep # Replace text in files
      pkgs.pandoc # Convert text documents
      pkgs.qrencode # Generate qr codes
      pkgs.spacer # Output lines in terminal
      pkgs.tealdeer # Cheatsheets
      pkgs.tree # Print tree in terminal
      pkgs.vimv-rs # Batch rename files
-      pkgs.dua # File sizes (du)
+      pkgs.yazi # TUI file explorer
-      pkgs.du-dust # Disk usage tree (ncdu)
+
      pkgs.duf # Basic disk information (df)
      pkgs.pandoc # Convert text documents
      pkgs.mpd # TUI slideshows
      pkgs.doggo # DNS client (dig)
      pkgs.bottom # System monitor (top)
      pkgs.nmasur.jqr # FZF fq JSON tool
    ];
    programs.fish.shellAliases = {
@@ -56,14 +60,19 @@ in
      fd.enable = lib.mkDefault true;
      fish.enable = lib.mkDefault true;
      fzf.enable = lib.mkDefault true;
      ghostty.enable = lib.mkDefault true;
      git.enable = lib.mkDefault true;
      helix.enable = lib.mkDefault true;
      lazygit.enable = lib.mkDefault true;
      neovim.enable = lib.mkDefault true;
      nix-index.enable = lib.mkDefault true;
      nixpkgs.enable = lib.mkDefault true;
      notes.enable = lib.mkDefault true;
      prettyping.enable = lib.mkDefault true;
      ripgrep.enable = lib.mkDefault true;
      weather.enable = lib.mkDefault true;
      yt-dlp.enable = lib.mkDefault true;
      zellij.enable = lib.mkDefault true;
      zoxide.enable = lib.mkDefault true;
    };
--- a/platforms/home-manager/modules/nmasur/profiles/work.nix
+++ b/platforms/home-manager/modules/nmasur/profiles/work.nix
@@ -39,11 +39,14 @@ in
      pkgs.nmasur.terraform-init # Quick shortcut for initializing Terraform backend
    ];
    programs.fish.shellAliases.ec2 = "aws-ec2";
    nmasur.presets = {
      fonts.enable = lib.mkDefault true;
      programs = {
        _1password.enable = lib.mkDefault true;
        atuin.enable = lib.mkDefault true;
        aws-ssh.enable = lib.mkDefault true;
        bash.enable = lib.mkDefault true;
        bat.enable = lib.mkDefault true;
        direnv.enable = lib.mkDefault true;
@@ -52,6 +55,7 @@ in
        firefox.enable = lib.mkDefault true;
        fish.enable = lib.mkDefault true;
        fzf.enable = lib.mkDefault true;
        ghostty.enable = lib.mkDefault true;
        git-work.enable = lib.mkDefault true;
        git.enable = lib.mkDefault true;
        github.enable = lib.mkDefault true;
@@ -64,7 +68,6 @@ in
        starship.enable = lib.mkDefault true;
        terraform.enable = lib.mkDefault true;
        weather.enable = lib.mkDefault true;
        wezterm.enable = lib.mkDefault true;
      };
    };
--- a/platforms/home-manager/modules/nmasur/settings.nix
+++ b/platforms/home-manager/modules/nmasur/settings.nix
@@ -10,6 +10,10 @@
      type = lib.types.str;
      description = "Human readable name of the user";
    };
    host = lib.mkOption {
      type = lib.types.str;
      description = "Name of the host of this deployment";
    };
    hostnames = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      description = "Map of service names to FQDNs";
--- a/platforms/nix-darwin/modules/nmasur/presets/programs/homebrew.nix
+++ b/platforms/nix-darwin/modules/nmasur/presets/programs/homebrew.nix
@@ -15,7 +15,7 @@ in
  config = lib.mkIf cfg.enable {
    # Requires Homebrew to be installed
-    system.activationScripts.preUserActivation.text = ''
+    system.activationScripts.preActivation.text = ''
      if ! xcode-select --version 2>/dev/null; then
        $DRY_RUN_CMD xcode-select --install
      fi
--- a/platforms/nix-darwin/modules/nmasur/presets/services/finder.nix
+++ b/platforms/nix-darwin/modules/nmasur/presets/services/finder.nix
@@ -59,7 +59,7 @@ in
    };
    # User-level settings
-    system.activationScripts.postUserActivation.text = ''
+    system.activationScripts.postActivation.text = ''
      echo "Show the ~/Library folder"
      chflags nohidden ~/Library
    '';
--- a/platforms/nix-darwin/modules/nmasur/presets/services/hammerspoon.nix
+++ b/platforms/nix-darwin/modules/nmasur/presets/services/hammerspoon.nix
@@ -18,7 +18,7 @@ in
    homebrew.casks = [ "hammerspoon" ];
-    system.activationScripts.postUserActivation.text = ''
+    system.activationScripts.postActivation.text = ''
      defaults write org.hammerspoon.Hammerspoon MJConfigFile "${
        config.home-manager.users.${username}.xdg.configHome
      }/hammerspoon/init.lua"
--- a/platforms/nix-darwin/modules/nmasur/presets/services/menubar.nix
+++ b/platforms/nix-darwin/modules/nmasur/presets/services/menubar.nix
@@ -15,7 +15,7 @@ in
  config = lib.mkIf cfg.enable {
    # User-level settings
-    system.activationScripts.postUserActivation.text = ''
+    system.activationScripts.postActivation.text = ''
      echo "Reduce Menu Bar padding"
      defaults write -globalDomain NSStatusItemSelectionPadding -int 6
      defaults write -globalDomain NSStatusItemSpacing -int 6
--- a/platforms/nix-darwin/modules/nmasur/profiles/base.nix
+++ b/platforms/nix-darwin/modules/nmasur/profiles/base.nix
@@ -14,6 +14,8 @@ in
  config = lib.mkIf cfg.enable {
    system.primaryUser = config.nmasur.settings.username;
    nmasur.presets = {
      programs = {
        fish.enable = lib.mkDefault true;
@@ -36,6 +38,7 @@ in
    homebrew.casks = [
      "scroll-reverser" # Different scroll style for mouse vs. trackpad
      "notunes" # Don't launch Apple Music with the play button
      "topnotch" # Darkens the menu bar to complete black
    ];
  };
--- a/platforms/nix-darwin/modules/nmasur/profiles/extra.nix
+++ b/platforms/nix-darwin/modules/nmasur/profiles/extra.nix
@@ -20,5 +20,13 @@ in
      "keybase" # GUI on Nix not available for macOS
    ];
    nix.linux-builder = {
      enable = true;
      systems = [
        "x86_64-linux"
        "aarch64-linux"
      ];
    };
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/programs/slsk-batchdl.nix
+++ b/platforms/nixos/modules/nmasur/presets/programs/slsk-batchdl.nix
@@ -0,0 +1,21 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.nmasur.presets.programs.slsk-batchdl;
 in
 {
  options.nmasur.presets.programs.slsk-batchdl.enable = lib.mkEnableOption "slsk downloader";
  config = lib.mkIf cfg.enable {
    environment.systemPackages = [
      pkgs.nmasur.slsk-batchdl
    ];
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/services/actualbudget.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/actualbudget.nix
@@ -1,85 +0,0 @@
 {
  config,
  lib,
  ...
 }:
 let
  inherit (config.nmasur.settings) hostnames;
  cfg = config.nmasur.presets.services.actualbudget;
 in
 {
  options.nmasur.presets.services.actualbudget = {
    enable = lib.mkEnableOption "ActualBudget budgeting service";
    port = lib.mkOption {
      type = lib.types.port;
      description = "Port to use for the localhost";
      default = 5006;
    };
  };
  config = lib.mkIf cfg.enable {
    virtualisation.podman.enable = true;
    # Create a shared group for generic services
    users.groups.shared = { };
    users.users.actualbudget = {
      isSystemUser = true;
      group = "shared";
      uid = 980;
    };
    # Create budget directory, allowing others to manage it
    systemd.tmpfiles.rules = [
      "d /var/lib/actualbudget 0770 actualbudget shared"
    ];
    virtualisation.oci-containers.containers.actualbudget = {
      workdir = null;
      volumes = [ "/var/lib/actualbudget:/data" ];
      user = "${toString (builtins.toString config.users.users.actualbudget.uid)}";
      pull = "missing";
      privileged = false;
      ports = [ "127.0.0.1:${builtins.toString cfg.port}:5006" ];
      networks = [ ];
      log-driver = "journald";
      labels = {
        app = "actualbudget";
      };
      image = "ghcr.io/actualbudget/actual-server:25.1.0";
      hostname = null;
      environmentFiles = [ ];
      environment = {
        DEBUG = "actual:config"; # Enable debug logging
        ACTUAL_TRUSTED_PROXIES = builtins.concatStringsSep "," [ "127.0.0.1" ];
      };
      dependsOn = [ ];
      autoStart = true;
    };
    # Allow web traffic to Caddy
    nmasur.presets.services.caddy.routes = [
      {
        match = [ { host = [ hostnames.budget ]; } ];
        handle = [
          {
            handler = "reverse_proxy";
            upstreams = [ { dial = "localhost:${builtins.toString cfg.port}"; } ];
          }
        ];
      }
    ];
    # Configure Cloudflare DNS to point to this machine
    services.cloudflare-dyndns.domains = [ hostnames.budget ];
    # Backups
    services.restic.backups.default.paths = [ "/var/lib/actualbudget" ];
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/services/actualbudget/actualbudget-budget-id.age
+++ b/platforms/nixos/modules/nmasur/presets/services/actualbudget/actualbudget-budget-id.age
@@ -0,0 +1,17 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyA0VjJk
 a2c0Q1pVcEVCdjd3OE1xZ2s2a29YdjdWTUZkK1hnMFNwVTRVMVFVCkhpY2tjQmFz
 K3dzVEgrcnBuRlgyZzYwWGtiQzh6RjNtNmNUb2FSVCsxMTAKLT4gc3NoLWVkMjU1
 MTkgWXlTVU1RIFM3cVpTaVFYK1NEYitaSEtLUE5yVDhXTGNHSnN3UjdROTVDeXND
 VjFUQjAKYnF6RWtjaFZNM1cxSTJUV0p4UExoenhicGpESEk0R2Q0VncrUldwSndi
 UQotPiBzc2gtZWQyNTUxOSBuanZYNUEgOTltRmlNNFQzTWpsVVdHUXBqS1lKRldJ
 dW9kVHJqZFRrQWFTK2ZDMi8zZwpTUlRqZUkzSWlibGhMVzRwQmdldVREeGpsRTRr
 L1FUZHowdVprNlEvVVJ3Ci0+IHNzaC1lZDI1NTE5IENxSU9VQSBjeUZRdmtENUQw
 Ukoxb3NNYU5JeE1OSVBGcWhPZS9mY1BEb0tVbnB3bVdNCnRHRXhpd0dEbWZuNEg0
 a1BMdk5yc2x6Y0EzQXo1U1hwZnJuUzJ1ckt1VDAKLT4gc3NoLWVkMjU1MTkgejFP
 Y1p3IExJeHhnTlgrSXpVYkxWdnZldlR4Q1JzZE9PWFowbWJSQ1pTbkp3YWFoUzgK
 L1ErSnZ3cWVXeVU0TThPaFVsVjBTdHh1YlQ3cTduQ2xIejZScEJSZGp6MAotLS0g
 SFJpT2JlSktBaFZhdjlyOWRhLzJiT21OditjczZJcU9iMFJMUzhNdzVZMAp0yAab
 89wcmBqmuQLoFYRs/Tj+UvWa4UaXvNFGZM9zIH8WEJDxO+QviDL1NETOuI4T9X1q
 JYa7c4PAwV8KgMkdKpHVJ3sN1+Kg82UXXSCTjpRHa33OBZTC
 -----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/actualbudget/actualbudget-password.age
+++ b/platforms/nixos/modules/nmasur/presets/services/actualbudget/actualbudget-password.age
@@ -0,0 +1,17 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBQY3lv
 SG9kNkN1S3RZdE80cWJTd0k0UkdiNmZXT085Um9Vd0FGYWpObHc0CnQvVjF4L0xu
 ajNvQkFueVREaWxLWFhyNGkvL2ZlOHdEYXdTRkowbk9WUUUKLT4gc3NoLWVkMjU1
 MTkgWXlTVU1RIE5aT3ZlMDJjNkJaZmFDV3ZKSHo5UEhnTlM5dHk1R0dYSXFNOWxJ
 OThEaGcKcmNsMVUxaTI1b0FtbFdtMzlVYVZxcnllVmlwaDRuUkR4d3BNbm12eU5x
 OAotPiBzc2gtZWQyNTUxOSBuanZYNUEgR3BmQk5Nd0E3RC9UQ1ZoWmxTNlhubjVZ
 Vi8xL3V3YTNqUVh2ZVZrRkNtawpLaWhxY1FQajJZeGJzakd3ZDhrbmd4T2JNVlUy
 dzFOMGcwRmJML3hPTzRBCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBDNTQzZ0syVHNS
 TTJPUm9OMUcyNTY5VGZkNEVESmt2eVQrSzJlUEgwS0E4ClRqbk9FTGZNRG9zSHlC
 UXQyN0N1WDN4MHNrNFgrUjdQQUc4aU8xajRVdkEKLT4gc3NoLWVkMjU1MTkgejFP
 Y1p3IHpiaEsvbCtwMlkyMWpJMS9XWExudDRpaE4xMmQ4eXIzU2RaTGd3TUg3eHMK
 anpIV01KVDdvZGI5M1dmME1KaC9jcFkrVlN4TmlXN21tUnhIYnlEMEdHcwotLS0g
 dy9LeGpiNkowQkNwOFNFeHUveGRveDRhajVtNEU3SWE0MEhOYTl6ZHM0QQq/Dg+2
 OrqL8yCAai3J8djSktSmhAc/jdbEnHVdl3943Enyrn+Zz2HcUe96RySrleCt+QxL
 Dezprhehi7jK7KmIAGOspicA0e/4GQ8txsb2fQ==
 -----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/actualbudget/actualbudget.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/actualbudget/actualbudget.nix
@@ -0,0 +1,132 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (config.nmasur.settings) hostnames;
  cfg = config.nmasur.presets.services.actualbudget;
 in
 {
  options.nmasur.presets.services.actualbudget = {
    enable = lib.mkEnableOption "ActualBudget budgeting service";
    port = lib.mkOption {
      type = lib.types.port;
      description = "Port to use for the localhost";
      default = 5006;
    };
    prometheusPort = lib.mkOption {
      type = lib.types.port;
      description = "Port to use for prometheus actual exporter";
      default = 5007;
    };
  };
  config = lib.mkIf cfg.enable {
    services.actual = {
      enable = true;
      settings = {
        port = cfg.port;
      };
    };
    # systemd.services.prometheus-actual-exporter = {
    #   enable = true;
    #   description = "Prometheus exporter for Actual budget";
    #   serviceConfig = {
    #     DynamicUser = true;
    #     Environment = [
    #       "ACTUAL_SERVER_URL=https://${hostnames.budget}:443"
    #       "PORT=${builtins.toString cfg.prometheusPort}"
    #     ];
    #     EnvironmentFile = [
    #       config.secrets.actualbudget-password.dest
    #       config.secrets.actualbudget-budget-id.dest
    #     ];
    #     ExecStart = lib.getExe pkgs.nmasur.prometheus-actual-exporter;
    #   };
    #   wantedBy = [
    #     "multi-user.target"
    #   ];
    # };
    # Used for prometheus exporter
    virtualisation.podman.enable = true;
    # Create a shared group for generic services
    users.groups.shared = { };
    users.users.actualbudget = {
      isSystemUser = true;
      group = "shared";
      uid = 980;
    };
    virtualisation.oci-containers.containers.actualbudget-prometheus-exporter = {
      workdir = null;
      user = builtins.toString config.users.users.actualbudget.uid;
      pull = "missing";
      privileged = false;
      ports = [ "127.0.0.1:5007:3001" ];
      networks = [ ];
      log-driver = "journald";
      labels = {
        app = "actualbudget-prometheus-exporter";
      };
      image = "docker.io/sakowicz/actual-budget-prometheus-exporter:1.1.5";
      hostname = null;
      environmentFiles = [
        config.secrets.actualbudget-password.dest
        config.secrets.actualbudget-budget-id.dest
      ];
      environment = {
        ACTUAL_SERVER_URL = "https://${hostnames.budget}:443";
      };
      # dependsOn = [ "actualbudget" ];
      autoStart = true;
    };
    nmasur.presets.services.prometheus-exporters.scrapeTargets = [
      "127.0.0.1:${builtins.toString cfg.prometheusPort}"
    ];
    secrets.actualbudget-password = {
      source = ./actualbudget-password.age;
      dest = "${config.secretsDirectory}/actualbudget-password";
      owner = builtins.toString config.users.users.actualbudget.uid;
      group = builtins.toString config.users.users.actualbudget.uid;
    };
    secrets.actualbudget-budget-id = {
      source = ./actualbudget-budget-id.age;
      dest = "${config.secretsDirectory}/actualbudget-budget-id";
      owner = builtins.toString config.users.users.actualbudget.uid;
      group = builtins.toString config.users.users.actualbudget.uid;
    };
    # Allow web traffic to Caddy
    nmasur.presets.services.caddy.routes = [
      {
        match = [ { host = [ hostnames.budget ]; } ];
        handle = [
          {
            handler = "reverse_proxy";
            upstreams = [ { dial = "localhost:${builtins.toString cfg.port}"; } ];
          }
        ];
      }
    ];
    # Configure Cloudflare DNS to point to this machine
    services.cloudflare-dyndns.domains = [ hostnames.budget ];
    # Backups
    services.restic.backups.default.paths = [ "/var/lib/actual" ];
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/services/arr/arr.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/arr/arr.nix
@@ -27,6 +27,11 @@ let
      url = "localhost:8989";
      apiKey = config.secrets.sonarrApiKey.dest;
    };
    lidarr = {
      exportarrPort = "9712";
      url = "localhost:8686";
      apiKey = config.secrets.lidarrApiKey.dest;
    };
    prowlarr = {
      exportarrPort = "9709";
      url = "localhost:9696";
@@ -57,6 +62,11 @@ in
    #   "dotnet-sdk-6.0.428"
    # ];
    secrets.slskd = {
      source = ./slskd.age;
      dest = "/var/private/slskd";
    };
    services = {
      bazarr = {
        enable = true;
@@ -69,6 +79,21 @@ in
        # It contains server configs and credentials
        configFile = "/data/downloads/sabnzbd/sabnzbd.ini";
      };
      slskd = {
        enable = true;
        domain = null;
        environmentFile = config.secrets.slskd.dest;
        settings = {
          shares.directories = [ ];
          directories.downloads = "/data/audio/music";
          web = {
            url_base = "/slskd";
            port = 5030;
          };
          soulseek.listen_port = 50300;
        };
        openFirewall = false;
      };
      sonarr = {
        enable = true;
      };
@@ -78,6 +103,9 @@ in
      readarr = {
        enable = true;
      };
      lidarr = {
        enable = true;
      };
    };
    # Allows shared group to read/write the sabnzbd directory
@@ -133,6 +161,20 @@ in
          }
        ];
      }
      {
        match = [
          {
            host = [ hostnames.download ];
            path = [ "/lidarr*" ];
          }
        ];
        handle = [
          {
            handler = "reverse_proxy";
            upstreams = [ { dial = arrConfig.lidarr.url; } ];
          }
        ];
      }
      {
        match = [
          {
@@ -181,6 +223,22 @@ in
          }
        ];
      }
      {
        match = [
          {
            host = [ hostnames.download ];
            path = [ "/slskd*" ];
          }
        ];
        handle = [
          {
            handler = "reverse_proxy";
            upstreams = [
              { dial = "localhost:${builtins.toString config.services.slskd.settings.web.port}"; }
            ];
          }
        ];
      }
      {
        match = [ { host = [ hostnames.download ]; } ];
        handle = [
@@ -243,7 +301,7 @@ in
      prefix = "API_KEY=";
    };
    secrets.readarrApiKey = {
-      source = ./radarr-api-key.age;
+      source = ./readarr-api-key.age;
      dest = "/var/private/readarr-api";
      prefix = "API_KEY=";
    };
@@ -252,6 +310,11 @@ in
      dest = "/var/private/sonarr-api";
      prefix = "API_KEY=";
    };
    secrets.lidarrApiKey = {
      source = ./lidarr-api-key.age;
      dest = "/var/private/lidarr-api";
      prefix = "API_KEY=";
    };
    secrets.prowlarrApiKey = {
      source = ./prowlarr-api-key.age;
      dest = "/var/private/prowlarr-api";
--- a/platforms/nixos/modules/nmasur/presets/services/arr/lidarr-api-key.age
+++ b/platforms/nixos/modules/nmasur/presets/services/arr/lidarr-api-key.age
@@ -0,0 +1,17 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBjUGJG
 dDZiN3RkMzV2WlFUd3Vsam5IV3ZqajN2VFVvdUFiNFVIdVZRZzE0CkplWlBrRndG
 SEIxa0pGaFAzWmFEOGlIUTM2K2I0VWUyQ1pKbVcvd1I5UDAKLT4gc3NoLWVkMjU1
 MTkgWXlTVU1RIFRuVXp3dTNHaDhWNTVmN2tLd1FXaUttT1VqL2I1dktWaW45VnN2
 TlVZd2MKYlpEdWFJNmRtNWcxMDVndExIY21icjY2c252QmJnekorNnFnZHRCcHQr
 dwotPiBzc2gtZWQyNTUxOSBuanZYNUEgd3hZNDZwWDg0UnFlNndqazFNNDB0bkxx
 RTVTamR1Nk51VkREVVlRTjEybwpGVXJEUFFuYXpEQzRHeWJqRTMrUUpIYmhtT2NY
 SUQyeGwrYjBKdW9ucThjCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBVdFB6ZndMb3Zx
 dTV5L2Z1Nk9rQVRHWkozcG01cW9zZUFTUW5HaDV1TWtvCnE4MUtTV0laalIwbVNJ
 NlU0K0JJcGMyN3ZSVXpVU1BteDVIVU9BYU9ZeG8KLT4gc3NoLWVkMjU1MTkgejFP
 Y1p3IGhCbWhHbG9WWU9CR3RkTVEyNUE1akM3Q0hGZEx1cURSRitIbi9vZXRMZ3cK
 clR6bjljTU9FS0UzdC9seDlad1E1aHZ5QXNiQmRWWDc5L0NQSkRsVUYyNAotLS0g
 ZEMwTE83MWxYMUYzWVdiSXNxM1BoOEJNMzJHS3o4M1NzWXMyQWZwR3dDVQpp8Lb0
 E1vJN/UjSubXuFGT9NqLCYhc2n20m4v6sM7h4HYRh10pngyxapyN9DvUvY0maPpm
 S9afVD6V/XjxOUZ2lA==
 -----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/arr/readarr-api-key.age
+++ b/platforms/nixos/modules/nmasur/presets/services/arr/readarr-api-key.age
@@ -0,0 +1,17 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBRRXo3
 ZmpER1kyWC9JUld3WVVTS0owb1RRZFhzNHRtT0dickJhbnQ1UWxRCjBIR3JxbGho
 c2h0bk8vV2lta2NzcXl0OXZYTzJ0ZkhNV3lPTVl0ZjQ0b00KLT4gc3NoLWVkMjU1
 MTkgWXlTVU1RIHlMWW4zNnJCTGNwcFRxOTQrTldzRFlENGd1TG4yRFJSQlhnSHVL
 TGlWdzAKMlZ4L0thbFZQWjZ0c3pJaE1XNmRtZmNKVTIxeTkwMFFGYWxKZTRMV3h0
 VQotPiBzc2gtZWQyNTUxOSBuanZYNUEgbm5pVE0zYzNQTW15c01DRk1HeDRLVlRW
 aGpkVUFHdG13THNDL1JlbEUyawp6SWQ5Nm1veDdwbCtDbjZPUkhQU0hkRXE1b1RY
 ZkxHY0ZqMFdvcGJ6WitvCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBWeE1LaU5TRkpK
 bElLQWNidHZQeTF6Yk80ZzVlL005RTEyZzlDR2dTSGg0CkdZK2VDSGtMTE43VWRY
 ZnA0cDRKc016OVYvZGpDcDFad3o5YmpoOGhVNGsKLT4gc3NoLWVkMjU1MTkgejFP
 Y1p3IDBEV3pWVEI3QjFRUnRjK0VPZFF6U09iTHljOE9jZ1lka1lpbU9BSEtOeFUK
 RlF0WEFBMElzU1pOdDBEenUrWEhsaFkrTWpUc0gzb1hVRjVpUGpyc25FcwotLS0g
 aXhPbUtHWXc4MXJ4bUtZOWlkdVNOMmo1N1U2NXlxdU5VVXltZXh5aDRyWQoCjoWs
 rOf41MK9789YHLzXMZNbMoWt9tHGfOGZKOyPhYFq/j2d88ZLtzEHAuHKvQ561ffK
 Si0uTiTcTCyhCr/rsQ==
 -----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/arr/slskd.age
+++ b/platforms/nixos/modules/nmasur/presets/services/arr/slskd.age
@@ -0,0 +1,19 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBmaUlP
 QTFSRGlKbTVFalppZm9XczhOT2dKTkJpTDVDYTNGZWM2N05NTlRjCjVmUDdBb2VW
 M1BVMVlNdnoxWUNOTmkraVdhR3ZRTFJpTjMxT1duYS9HV3cKLT4gc3NoLWVkMjU1
 MTkgWXlTVU1RIFdzczRSbDgyM3ZGN2tzV1VOeTFsQUtlY00xRWNTaTU5UmxLamFm
 NDVkQVEKa3ZkUmx2RnNjSGUwWGh2ZzVqK3JwckMwdy9LMmRBeGZ3Vk5wUHFMYUc3
 RQotPiBzc2gtZWQyNTUxOSBuanZYNUEgR3lvZ054YkRaNzg5ZDZBK2NrSElndC9P
 YnFUUm83c25hYVdSU2dMSytrWQp4ZWthazZLcVFiMUpoUWp1VEZvZjhlSGxSc0ZO
 blJnelkvNlc3aDVTOGQ0Ci0+IHNzaC1lZDI1NTE5IENxSU9VQSBUTHNNTUhwaHJT
 aUlxTGwzdHhaRytzc3VpVldMb29WNGQyTUN1VXVOZmhzCnYzWjZzZ055YTJtVE1x
 UTB4VjgwMzZzNmg2dVJrUVgxNnNSTXpqbURHaUkKLT4gc3NoLWVkMjU1MTkgejFP
 Y1p3IFhvR3orWEI0dXVqdGZlbGZyb3FaZ0JGeGdvbE1RSEQwVHNMTU5MLy91WGMK
 eldiMlJGeGNJY01OeElBZVNCaTIrMlhibEFZd3pReE5JMWJyMk00Nm9xZwotLS0g
 SGpVUzFtMjdHRFlCMmJqMjJJcGl1Z3Z4ZWJXaE9leTVQL016aFAyT3BoRQoM3TpF
 3xJOKidMRbB6bqccVENPZ3Truxk7xMC99xvAL9Z0BmjxzV23Z2Fl58xOSx+p7IdE
 HWIfSrfhHqhJwanTSeFTYCGEak/e2bljgP3t2j1jNuTJAyUgRWwJg92nOIVX/Q7m
 AbhM0tSWdRD7jipqKFt6vvem+QGH0NhenSTZHdKr5gasqHVP7/10MZGSueqwj/Jm
 Q3S1ToPvVyoH8DrXlsMX37Qwxn0fVmLIdOrhEhHPLxxRrwkf7bA6Zpk/gSMT
 -----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/bind.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/bind.nix
@@ -23,6 +23,7 @@ let
    hostnames.books
    hostnames.download
    hostnames.photos
    hostnames.audiobooks
  ];
  mkRecord = service: "${service}       A       ${localIp}";
  localRecords = lib.concatLines (map mkRecord localServices);
--- a/platforms/nixos/modules/nmasur/presets/services/caddy.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/caddy.nix
@@ -103,8 +103,9 @@ in
                  value = name;
                }) hostname_map;
              };
              metrics = { }; # Enables Prometheus metrics
            };
            apps.http.servers.metrics = { }; # Enables Prometheus metrics
            apps.tls.automation.policies = cfg.tlsPolicies;
            # Setup logging to journal and files
--- a/platforms/nixos/modules/nmasur/presets/services/calibre-web.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/calibre-web.nix
@@ -26,6 +26,7 @@ in
  config = lib.mkIf cfg.enable {
    services.calibre-web = {
      enable = true;
      openFirewall = true;
      options = {
        reverseProxyAuth.enable = false;
--- a/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare-api.age
+++ b/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare-api.age
@@ -1,17 +1,17 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBkckt3
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBKNXVz
-c1NtVEo1bm1XREk2ZE9PL1FkOFd0LzQ1R0J4TXN4VGd2clVrZ25NCjZKenFTdHFK
+RCtWVURFT2JmbUk1dXdWQjJuSVBoamVGaHZUWDNJL1pyREZyTFN3CnVpTnRKSDR5
-MWVZSXI0NXdVTkhJQXRFRFBRRnIxRHZaOHY1UWVDYW9vTm8KLT4gc3NoLWVkMjU1
+U0N3QWZ6L3hpcEVEampWSUlDTVFvWmRuWEFKVUE0bmVDZ0UKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIHBmRERwcXdGanBVV0JOczg0Q0hOa1dVM09EeGMxWmJDMm9YU2Mx
+MTkgWXlTVU1RIGJ2czRsU2RWN2RaMnc5NEZNbEhxWTNTdkEydWpjd1NVQ0k2RHFC
-djhxQkUKS2U2aHVza2JNdzltRW5wcWhqaTVPUEZoZGNWN2szQXlVYjZ3eXpwc2ZE
+anVubU0KQkhxL1kwSGt3N21OSVJwcHJCM2p0TnlOQVJ5c2VTejJoL2ZZUGk4REtL
-OAotPiBzc2gtZWQyNTUxOSBuanZYNUEgbWU0WXA4RjVZWFdPcXZ5M1UwT3lON1JD
+bwotPiBzc2gtZWQyNTUxOSBuanZYNUEgaXFJR3IrVHVNQVhjNFFmN1d3ZHhZS04r
-cGhlRXZ2NEhWMHdEMitLWERqRQpKRGgwMUhISWE1Uk1ka1dteGo0dlhZcmNjVjN6
+K0FGRXppQkE4MHZhVUI5SHBWRQpxbDdqc2RYZmo0ejBOYUFCcGtrbXVZbDBJVVRJ
-QmJBQWo0Mko4aE5jUm9rCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBLaU9sSmRzMlFG
+Q2ZlQlFtYmQ4Z3dqcGIwCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBzNlQxNGxDRlNz
-NjBYYTBYeFErNXJwZGVtZ1kvVmVCOXBDZWVoNWhDZ2hrCnE2dkJJSk8rbDRvSHYy
+amVMWjI2WFhIYTFIMDQxY1NDRXYvWU9LaUFQMVZMZjMwCm15a3lPVkkyMnZoOGx0
-bEVTdXg0VTg1RzZUNi84K1ZvOVB2aUJzNHVPRkEKLT4gc3NoLWVkMjU1MTkgejFP
+bTdYbWtZWGQzTVBJb2g4WmM5Z25tcHhKWDNZencKLT4gc3NoLWVkMjU1MTkgejFP
-Y1p3IEM0Mnlockc2SlA1bXJhdnpQNXFnQ2w5bzFSTWpIajJybTBIM3VuNTN5bFUK
+Y1p3IG1VWm1JRUUwUWhnWVMvdjdmaUZNN1F1eExXRU1xaXpzY2VFMTE3SWE3dzQK
-bXNIUVVhTzlRMUJTSEpJUURUMXZjRU5zczNjYnBUVVFmMDVEZllONjFjWQotLS0g
+SWN5b3llVU5WSk1HNW1Wc1dvVm82a1NyQVQ4NmhjRExuQzB2UGpPSGFDcwotLS0g
-NXdIUWduN2Q2eXFzNlFueFR6OWxITVBranpsNTdXaktiSFZ0TTBxRFNlNAr9JzVO
+ZkdtZ1o4KzlveDBCdkx4eFc2RGNjUjFrb1ZyZXdjZHpLVWtkN2ZaenlKOArVhdOP
-Rhx5rG7CSGdYfeMcuzye4jyE2yiVKi5TVr/qp3vbDpyDQKZLlAUSF/K0rTY9K7Rm
+2ifpmAQNOfBbQyY9UPhxPxrF7jnZ8B5jumaip8QJuh6xEYkF17tSEzTPVf6ER9wr
-ocY+y/V9ffh3LO2m1Y6BkRqWRJ7v4wcsc3jNGjDHlSB7EqnOwMCXyQAg
+OrND9IR2kbZVFAxb3/uUD9I3jegJ
 -----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix
@@ -67,8 +67,8 @@ in
    # Tell Caddy to use Cloudflare DNS for ACME challenge validation
    services.caddy.package = pkgs.caddy.withPlugins {
-      plugins = [ "github.com/caddy-dns/cloudflare@v0.0.0-20250228175314-1fb64108d4de" ];
+      plugins = [ "github.com/caddy-dns/cloudflare@8cbec3f04d5b4a768c52941a5468c4b71436509e" ]; # v0.2.1
-      hash = "sha256-YYpsf8HMONR1teMiSymo2y+HrKoxuJMKIea5/NEykGc=";
+      hash = "sha256-2D7dnG50CwtCho+U+iHmSj2w14zllQXPjmTHr6lJZ/A=";
    };
    nmasur.presets.services.caddy.tlsPolicies = [
      {
@@ -90,11 +90,14 @@ in
        ];
      }
    ];
-    # Allow Caddy to read Cloudflare API key for DNS validation
+    systemd.services.caddy.serviceConfig = {
-    systemd.services.caddy.serviceConfig.EnvironmentFile = [
+      # Allow Caddy to read Cloudflare API key for DNS validation
-      config.secrets.cloudflare-api.dest
+      # Allow Caddy to use letsencrypt account key for TLS verification
-      config.secrets.letsencrypt-key.dest
+      EnvironmentFile = [
-    ];
+        config.secrets.letsencrypt-key.dest
        config.secrets.cloudflare-api-prefixed.dest
      ];
    };
    # Private key is used for LetsEncrypt
    secrets.letsencrypt-key = {
@@ -111,15 +114,21 @@ in
      owner = "caddy";
      group = "caddy";
    };
-
+    secrets.cloudflare-api-prefixed = {
      source = ./cloudflare-api.age;
      dest = "${config.secretsDirectory}/cloudflare-api-prefixed";
      owner = "caddy";
      group = "caddy";
      prefix = "CLOUDFLARE_API_TOKEN=";
    };
    # Wait for secret to exist
    systemd.services.caddy = {
      after = [
-        "cloudflare-api-secret.service"
+        "cloudflare-api-prefixed-secret.service"
        "letsencrypt-key-secret.service"
      ];
      requires = [
-        "cloudflare-api-secret.service"
+        "cloudflare-api-prefixed-secret.service"
        "letsencrypt-key-secret.service"
      ];
    };
@@ -148,7 +157,24 @@ in
    systemd.services.cloudflare-dyndns = lib.mkIf config.services.cloudflare-dyndns.enable {
      after = [ "cloudflare-api-secret.service" ];
      requires = [ "cloudflare-api-secret.service" ];
      script =
        let
          args = [
            "--cache-file /var/lib/cloudflare-dyndns/ip.cache"
          ]
          ++ (if config.services.cloudflare-dyndns.ipv4 then [ "-4" ] else [ "-no-4" ])
          ++ (if config.services.cloudflare-dyndns.ipv6 then [ "-6" ] else [ "-no-6" ])
          ++ lib.optional config.services.cloudflare-dyndns.deleteMissing "--delete-missing"
          ++ lib.optional config.services.cloudflare-dyndns.proxied "--proxied";
        in
        lib.mkForce ''
          export CLOUDFLARE_API_TOKEN=$(cat ''${CREDENTIALS_DIRECTORY}/apiToken)
          exec ${lib.getExe pkgs.cloudflare-dyndns} ${toString args}
        '';
    };
    # Enable the home-made service that we created for non-proxied records
    services.cloudflare-dyndns-noproxy.enable = true;
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/services/filebrowser.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/filebrowser.nix
@@ -13,10 +13,17 @@ in
  config = lib.mkIf cfg.enable {
-    services.filebrowser = {
+    nmasur.services.filebrowser = {
      enable = true;
      # Generate password: htpasswd -nBC 10 "" | tr -d ':\n'
      passwordHash = "$2y$10$ze1cMob0k6pnXRjLowYfZOVZWg4G.dsPtH3TohbUeEbI0sdkG9.za";
      # settings = {
      #   database = "/var/lib/filebrowser/filebrowser.db";
      #   port = 8020;
      #   address = "localhost";
      #   log = "stdout";
      #   "auth.method" = "json";
      # };
    };
    nmasur.presets.services.caddy.routes = [
--- a/platforms/nixos/modules/nmasur/presets/services/gitea.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/gitea.nix
@@ -20,6 +20,7 @@ in
      settings = {
        actions.ENABLED = true;
        metrics.ENABLED = true;
        mailer.SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
        repository = {
          # Pushing to a repo that doesn't exist automatically creates one as
          # private.
@@ -94,6 +95,9 @@ in
    # Configure Cloudflare DNS to point to this machine
    services.cloudflare-dyndns.domains = [ hostnames.git ];
    # Configure DNS to point to this machine without a proxy
    nmasur.presets.services.cloudflare.noProxyDomains = [ "ssh.${hostnames.git}" ];
    # Scrape the metrics endpoint for Prometheus.
    nmasur.presets.services.prometheus-exporters.scrapeTargets = [
      "127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"
--- a/platforms/nixos/modules/nmasur/presets/services/karakeep.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/karakeep.nix
@@ -0,0 +1,46 @@
 {
  config,
  lib,
  ...
 }:
 let
  cfg = config.nmasur.presets.services.karakeep;
  inherit (config.nmasur.settings) hostnames;
 in
 {
  options.nmasur.presets.services.karakeep.enable = lib.mkEnableOption "Karakeep bookmark manager";
  config = lib.mkIf cfg.enable {
    services.karakeep = {
      enable = true;
      meilisearch.enable = true;
      extraEnvironment = {
        PORT = "5599";
        DISABLE_SIGNUPS = "true";
        DISABLE_NEW_RELEASE_CHECK = "true";
        CRAWLER_FULL_PAGE_SCREENSHOT = "true";
        CRAWLER_FULL_PAGE_ARCHIVE = "true";
      };
    };
    nmasur.presets.services.caddy.routes = [
      {
        match = [ { host = [ hostnames.bookmarks ]; } ];
        handle = [
          {
            handler = "reverse_proxy";
            upstreams = [
              { dial = "localhost:${config.services.karakeep.extraEnvironment.PORT}"; }
            ];
          }
        ];
      }
    ];
    # Configure Cloudflare DNS to point to this machine
    services.cloudflare-dyndns.domains = [ hostnames.bookmarks ];
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/services/litestream/litestream.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/litestream/litestream.nix
@@ -37,6 +37,7 @@ in
  config = lib.mkIf (cfg.enable) {
    users.groups.backup = { };
    users.groups.litestream = { };
    secrets.litestream-backup = {
      source = cfg.s3.accessKeySecret;
@@ -45,6 +46,7 @@ in
      permissions = "0440";
    };
    users.users.litestream.group = "litestream";
    users.users.litestream.extraGroups = [ "backup" ];
    services.litestream = {
--- a/platforms/nixos/modules/nmasur/presets/services/mathesar/mathesar-postgres.age
+++ b/platforms/nixos/modules/nmasur/presets/services/mathesar/mathesar-postgres.age
@@ -0,0 +1,17 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyA2SUsv
 d1R3Slo3UDhDUWNiTDcybU9mTzhycDNKVCtteHhwRXU4M0x5UVF3CkUvZHdISzE4
 NU9qdy9sUGxTeTJxY2huWS9zVnRzd2o0UFpxc0FjT2lDTGMKLT4gc3NoLWVkMjU1
 MTkgWXlTVU1RIG1SM3gxRzJ5RllOTXhHZC9sc1Z6U1VCc3ptTWZRYzNJQ1g4ZjRI
 d3U3RVUKekNYc0VpSUw4TVJsSGNYNElxUUcwS25oczVUWnNlUTd2SXlvYlEvcE01
 ZwotPiBzc2gtZWQyNTUxOSBuanZYNUEgc0JUZlkyY0dKWjhzVlMwTi8zS1VrVGt1
 UGJzeURtbEZ3ZWpncWZNK2x5SQpJdVNSV2NLdHBEVThtWVBhUm1GSEEvV2s0bGZB
 WFJTK0xIa01ucHBxcm1jCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBrRitXVzdvRmgz
 VW5HMHpBRStuTnRDZmlCdVRra09JNE85Wkl4bkJJWkFzCkZUeTRWK0VmL21VRlpW
 SWg5dnJ4UGw4aXZteUxyaXZUaGpxQkdQL0hXK0kKLT4gc3NoLWVkMjU1MTkgejFP
 Y1p3IE4xSlZYbmFWZlhCQ3RibFN5Z3gzMDN5cXNDQzA4UnViUk9IclBTdE4valkK
 MGx3Nkhac3NEZGh2SExUMU94NExiRlMvRndobUlJdmhBWU1CM0diL0V3ZwotLS0g
 SDhvSzRFUFdGN0ZLUm9hWWV2T2tHMVdvTHlWOEZWTkZjLzd0VE12SU9kNAp2wHsq
 uKxlrH9xXj17Zd3FAjRlSMjjVVOYZOVyiPMWY7MD7V5XVY0hCPnKpzX4RyYeTfqf
 3W2LaWecMcRtTdRLOyCqVC+1DXtCAL/DqxIWcu3Q+zDQog==
 -----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/mathesar/mathesar.age
+++ b/platforms/nixos/modules/nmasur/presets/services/mathesar/mathesar.age
@@ -0,0 +1,17 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBJZjI5
 Y0pMd01IdVJIa2RtU3BrajNGblczeUdkWUgxdFliQmJGK2RDclhVCjVlbmRpV1Bj
 K1hMTm1HZ0pnYm05YmZ0Tm9UZjVoQ3FMM2dhVkRtV1FBZWsKLT4gc3NoLWVkMjU1
 MTkgWXlTVU1RIGxzbXA2NVRXbGxsY05hU0ZGWlU2MTNGVGozN2dycnBaNUZ4Ykxx
 UjB0d3MKcUdRampFeTdGek9FaHVrV3Y1ay8rMGh6M2NRZjVpUHdWYVJYZENmOGty
 RQotPiBzc2gtZWQyNTUxOSBuanZYNUEgamdMKzRnRldKYW9sYzJGWmR2TjRYVlRZ
 SXhKT3BrNC9XdHhpUVFQSXVROApoM3BUajhmR01VeDR1MHJhMnJFUkxCOW9DckZF
 TkhMd1BYODMrVm5PSGFJCi0+IHNzaC1lZDI1NTE5IENxSU9VQSAzbVJsT2pBTENF
 eGUrOEdHakZzb3ExMGwyMW91TEZORmpxdUJJMUJlZEJFClV2UlFlNVBxSmlaMnNs
 MTlFNzVOSjVqMVp5a1dwUVJqR3ZPRkdnY0w5dXMKLT4gc3NoLWVkMjU1MTkgejFP
 Y1p3IDcrZzhhWjh4UFVSM1loTTV1UXp2NDF1cGlLUWZ2bTN0NHJiOFhESFdJQWcK
 UFZzT2hmSTFlR0VNenVobktDN2xaZElwTWFZVklscFAvQmQyZjJiTU4wawotLS0g
 UW8vRlpmcGV1SmR1blZRK3c0eVpGeUlZMEc5eGlRcVpnbXI5UkNUelJEYwo8Na+w
 XzVV1/LPzA3kl0yDvF2b0nn1TmR903ralFbjmT2Rv/HNDVyVklIz1Jycaje8W8uV
 vZGGicSNIIZbGLEYT9fMUzY1KPoU6LUx0mgGUK2PZssHmG9mbW/Jx3R6
 -----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/mathesar/mathesar.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/mathesar/mathesar.nix
@@ -0,0 +1,97 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (config.nmasur.settings) hostnames;
  cfg = config.nmasur.presets.services.mathesar;
 in
 {
  options.nmasur.presets.services.mathesar = {
    enable = lib.mkEnableOption "Postgres web UI";
    port = lib.mkOption {
      type = lib.types.port;
      description = "Port to use for the localhost";
      default = 8099;
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.services.mathesar = {
      description = "Postgres web UI";
      after = [
        "network.target"
        "postgresql.target"
      ];
      requires = [
        "mathesar-secret.service"
        "mathesar-postgres-secret.service"
      ];
      wantedBy = [ "multi-user.target" ];
      environment = {
        POSTGRES_HOST = "127.0.0.1";
        POSTGRES_DB = "mathesar_django";
        POSTGRES_USER = "mathesar";
        # POSTGRES_PASSWORD = "none";
        POSTGRES_PORT = "5432";
        ALLOWED_HOSTS = "*";
        SKIP_STATIC_COLLECTION = "true";
        DEBUG = "true";
      };
      serviceConfig = {
        Type = "simple";
        DynamicUser = true;
        StateDirectory = "mathesar";
        EnvironmentFile = [
          config.secrets.mathesar.dest
          config.secrets.mathesar-postgres.dest
        ];
      };
      preStart = "exec ${pkgs.nmasur.mathesar}/bin/mathesar-install";
      script =
        let
          args = [ "--bind=127.0.0.1:${builtins.toString cfg.port}" ];
        in
        ''
          exec ${pkgs.nmasur.mathesar}/bin/mathesar-gunicorn ${toString args}
        '';
    };
    secrets.mathesar = {
      source = ./mathesar.age;
      dest = "${config.secretsDirectory}/mathesar";
      owner = builtins.toString config.users.users.postgres.uid;
      group = builtins.toString config.users.users.postgres.uid;
    };
    secrets.mathesar-postgres = {
      source = ./mathesar-postgres.age;
      dest = "${config.secretsDirectory}/mathesar-postgres";
      owner = builtins.toString config.users.users.postgres.uid;
      group = builtins.toString config.users.users.postgres.uid;
    };
    # Allow web traffic to Caddy
    nmasur.presets.services.caddy.routes = [
      {
        match = [ { host = [ hostnames.mathesar ]; } ];
        handle = [
          {
            handler = "reverse_proxy";
            upstreams = [ { dial = "localhost:${builtins.toString cfg.port}"; } ];
          }
        ];
      }
    ];
    # Configure Cloudflare DNS to point to this machine
    services.cloudflare-dyndns.domains = [ hostnames.mathesar ];
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/victoriametrics.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/victoriametrics.nix
@@ -53,6 +53,9 @@ in
      ];
    };
    # Don't enable vmagent because we already have victoriametrics running anyway
    services.vmagent.enable = lib.mkForce false;
    systemd.services.vmauth = lib.mkIf config.services.victoriametrics.enable {
      description = "VictoriaMetrics basic auth proxy";
      after = [ "network.target" ];
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/vm-agent.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/vm-agent.nix
@@ -11,7 +11,7 @@
 let
  inherit (config.nmasur.settings) hostnames;
-  cfg = config.nmasur.presets.services.vm-agent;
+  cfg = config.nmasur.presets.services.vmagent;
  username = "prometheus";
@@ -30,8 +30,8 @@ let
 in
 {
-  options.nmasur.presets.services.vm-agent.enable =
+  options.nmasur.presets.services.vmagent.enable =
-    lib.mkEnableOption "vm-agent VictoriaMetrics collector";
+    lib.mkEnableOption "vmagent VictoriaMetrics collector";
  config = lib.mkIf cfg.enable {
--- a/platforms/nixos/modules/nmasur/presets/services/navidrome/navidrome-integrations.age
+++ b/platforms/nixos/modules/nmasur/presets/services/navidrome/navidrome-integrations.age
@@ -0,0 +1,20 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBwVzM0
 bElnSVdUTjFBT1BEWEJrUDRXMHNIVVVLbEJLNFFVcFZHcUlVcDNJCllmTWpNWDJz
 ckVyMGV2T1VUbnZHejNqOGdBdEh6TEU2MnNPeTM1aVFlaDgKLT4gc3NoLWVkMjU1
 MTkgWXlTVU1RIE1DR1BjdlZ5eUxQZlBaTXNUN2ZhcjRMSk1IcXlEMWRxRHBzL29o
 YWl5Z28KREU0YUcwZ3JrZDFNN3FBUWJDUnVoRjlSQ0x0aDVEWWhBZnVGR3pGbFBO
 SQotPiBzc2gtZWQyNTUxOSBuanZYNUEganNXRDBESFM0MGN4WjlQSmgxNlRMU2tD
 YW5LS05PNEpIakFjQW1yV3VsWQp0d0VCdUdyY1VLd0RIcmQ0RkQ5QkE5bWZhZnBk
 REIwYW5rMFl2VysxVjQwCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBnYm1TYU5rQkFH
 UDVrQ0NkVTBmV3A3ektyVWt4Y3E4V2ZwUS9KZFpkcjFBCmZtd3FBSnN4K2o4QTFE
 cEFCRHRiWjlZeDBQZFdVNmt6UkZQM3BDMlhCdkUKLT4gc3NoLWVkMjU1MTkgejFP
 Y1p3IFJoaFp1azcvbllXdUxLSVhkclh6cmgrL1psOUlqNUZjRkNvZTNIdVp4eGcK
 VWczN01seXhueEprQ3lVeE9Eazg2MGRjK0ZkMkpSQ3FoMFU2QURLZ0EzMAotLS0g
 eng3TnlPeVI5L2FCWWpVM29iRGM2Ynpnck1yZlJSbExZL1NrME5qV3Y5RQoUmoxB
 ehmbWdeYxoPQ+lNcQn6U84J2hsdB6PvEwDMLlCwwSeMJD8lJfH5MBzp4Mok2aFpM
 WPdgVtWdo5AOqOJWv8iU4HJpvcNQCiUfCKjG4DpdS1xcZcgEj1RIxPjB1z2if49s
 Vcnxe1My6ZGCu99AD9U2haJb40ZyjRotHhmDZ6TYZU277qaoWwGnDG/ZgRortN3W
 I4iS4bfn+KUflctnir5cRxcLFRDj9+ut+USHBO0hTCldckTEGFnlG8En0EjR4emH
 QNhp5oz9jJK6p+mjnJFPGXOPTVnrsRkjAfQAsUZa8DdKJw==
 -----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/navidrome/navidrome.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/navidrome/navidrome.nix
@@ -0,0 +1,49 @@
 # Navidrome is a self-hosted music streaming service. This means I can play
 # files from my server to devices.
 { config, lib, ... }:
 let
  inherit (config.nmasur.settings) hostnames;
  cfg = config.nmasur.presets.services.navidrome;
 in
 {
  options.nmasur.presets.services.navidrome.enable = lib.mkEnableOption "Navidrome music streaming";
  config = lib.mkIf cfg.enable {
    secrets.navidrome-integrations = {
      source = ./navidrome-integrations.age;
      dest = "/var/private/navidrome-integrations";
    };
    services.navidrome = {
      enable = true;
      settings = {
        MusicFolder = "/data/audio/music";
        EnableInsightsCollector = false;
      };
      environmentFile = config.secrets.navidrome-integrations.dest;
    };
    # Configure Cloudflare DNS to point to this machine
    services.cloudflare-dyndns.domains = [ hostnames.navidrome ];
    # Allow web traffic to Caddy
    nmasur.presets.services.caddy.routes = [
      {
        match = [ { host = [ hostnames.navidrome ]; } ];
        handle = [
          {
            handler = "reverse_proxy";
            upstreams = [
              { dial = "localhost:${builtins.toString config.services.navidrome.settings.Port}"; }
            ];
          }
        ];
      }
    ];
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/services/nextcloud/nextcloud.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/nextcloud/nextcloud.nix
@@ -17,7 +17,7 @@ in
    services.nextcloud = {
      enable = true;
-      package = pkgs.nextcloud30; # Required to specify
+      package = pkgs.nextcloud31; # Required to specify
      configureRedis = true;
      datadir = "/data/nextcloud";
      database.createLocally = true;
@@ -42,10 +42,10 @@ in
        calendar = config.services.nextcloud.package.packages.apps.calendar;
        contacts = config.services.nextcloud.package.packages.apps.contacts;
        # These apps are defined and pinned by overlay in flake.
-        news = pkgs.nextcloudApps.news;
+        # news = pkgs.nextcloudApps.news;
-        external = pkgs.nextcloudApps.external;
+        # external = pkgs.nextcloudApps.external;
-        cookbook = pkgs.nextcloudApps.cookbook;
+        # cookbook = pkgs.nextcloudApps.cookbook;
-        snappymail = pkgs.nextcloudApps.snappymail;
+        # snappymail = pkgs.nextcloudApps.snappymail;
      };
      phpOptions = {
        "opcache.interned_strings_buffer" = "16";
--- a/platforms/nixos/modules/nmasur/presets/services/paperless/paperless.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/paperless/paperless.nix
@@ -19,6 +19,7 @@ in
      passwordFile = config.secrets.paperless.dest;
      settings = {
        PAPERLESS_OCR_USER_ARGS = builtins.toJSON { invalidate_digital_signatures = true; };
        PAPERLESS_URL = "https://${hostnames.paperless}";
        # Enable if changing the path name in Caddy
        # PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
--- a/platforms/nixos/modules/nmasur/presets/services/pgweb.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/pgweb.nix
@@ -0,0 +1,82 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (config.nmasur.settings) username hostnames;
  cfg = config.nmasur.presets.services.pgweb;
 in
 {
  options.nmasur.presets.services.pgweb = {
    enable = lib.mkEnableOption "Postgres web UI";
    port = lib.mkOption {
      type = lib.types.port;
      description = "Port to use for the localhost";
      default = 8081;
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.services.pgweb = {
      description = "Postgres web UI";
      after = [
        "postgresql.target"
      ];
      # requires = [ "pgweb-secret.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        DynamicUser = false;
        User = "postgres";
        Group = "postgres";
        StateDirectory = "pgweb";
        ExecStart =
          let
            args = [
              "--url postgres:///hippocampus?host=/run/postgresql"
            ];
          in
          "${lib.getExe pkgs.pgweb} ${toString args}";
      };
    };
    # Allow web traffic to Caddy
    nmasur.presets.services.caddy.routes = [
      {
        match = [ { host = [ hostnames.postgresql ]; } ];
        handle = [
          {
            handler = "authentication";
            providers = {
              http_basic = {
                hash = {
                  algorithm = "bcrypt";
                };
                accounts = [
                  {
                    username = username;
                    password = "$2a$14$dtzWBh7ZDNgqFIJTJO7Rxe15Y189agBiWKZFJbs4sZz7QhqGQAwJS";
                  }
                ];
              };
            };
          }
          {
            handler = "reverse_proxy";
            upstreams = [ { dial = "localhost:${builtins.toString cfg.port}"; } ];
          }
        ];
      }
    ];
    # Configure Cloudflare DNS to point to this machine
    services.cloudflare-dyndns.domains = [ hostnames.postgresql ];
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/services/pipewire.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/pipewire.nix
@@ -27,7 +27,7 @@ in
    # These aren't necessary, but helpful for the user
    environment.systemPackages = with pkgs; [
      pamixer # Audio control
-      volnoti # Volume notifications
+      nmasur.volnoti # Volume notifications
    ];
  };
 }
--- a/platforms/nixos/modules/nmasur/presets/services/restic/restic.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/restic/restic.nix
@@ -54,6 +54,11 @@ in
          "--keep-monthly 12"
          "--keep-yearly 100"
        ];
        timerConfig = {
          OnCalendar = "daily";
          Persistent = true;
          RandomizedDelaySec = "3h";
        };
      };
    };
--- a/platforms/nixos/modules/nmasur/presets/zfs.nix
+++ b/platforms/nixos/modules/nmasur/presets/zfs.nix
@@ -41,6 +41,7 @@ in
        "tank/generic"
        "tank/nextcloud"
        "tank/generic/git"
        "tank/images"
      ];
      # If password is requested and fails, continue to boot eventually
      passwordTimeout = 300;
--- a/Show More
+++ b/Show More