try to configure using nixosModules

doesn't seem like there's that much benefit?
2025-07-08 08:20:14 +00:00 · 2023-07-10 17:56:15 -06:00
116 changed files with 660 additions and 4397 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -1,20 +0,0 @@
 name: Check Build
 on:
  workflow_dispatch: # allows manual triggering
 jobs:
  check:
    name: Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v4
      - name: Check Nixpkgs Inputs
        uses: DeterminateSystems/flake-checker-action@v5
      - name: Add Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@v2
      - name: Check the Flake
        run: nix flake check
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@ -1,38 +0,0 @@
 name: Update Flake
 on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '33 3 * * 0' # runs weekly on Sunday at 03:33
 permissions:
  contents: write
  pull-requests: write
 jobs:
  lockfile:
    name: Lockfile
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v4
      - name: Check Nixpkgs Inputs
        uses: DeterminateSystems/flake-checker-action@v5
      - name: Add Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@v2
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@v19
        id: update
        with:
          pr-title: "Update flake.lock" # Title of PR to be created
          pr-labels: |                  # Labels to be set on the PR
            dependencies
            automated
      - name: Check the Flake
        run: nix flake check
      - name: Enable Pull Request Automerge
        run: gh pr merge --rebase --auto ${{ steps.update.outputs.pull-request-number }}
        env:
          GH_TOKEN: ${{ github.token }}
--- a/apps/README.md
+++ b/apps/README.md
@ -1,9 +0,0 @@
 # Apps
 These are all my miscellaneous utilies and scripts to accompany this project.
 They can be run with:
 ```
 nix run github:nmasur/dotfiles#appname
 ```
--- a/apps/encrypt-secret.nix
+++ b/apps/encrypt-secret.nix
@ -11,7 +11,7 @@
    tmpfile=$(mktemp)
    echo "''${secret}" > ''${tmpfile}
    ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-      builtins.toString ../misc/public-keys
+      builtins.toString ../public-keys
    } $tmpfile
    rm $tmpfile
  '');
--- a/apps/installer.nix
+++ b/apps/installer.nix
@ -17,8 +17,8 @@
            --foreground "#fb4934" \
            "Missing required parameter." \
            "Usage: installer -- <disk> <host>" \
-            "Example: installer -- nvme0n1 tempest" \
+            "Example: installer -- nvme0n1 desktop" \
-            "Flake example: nix run github:nmasur/dotfiles#installer -- nvme0n1 tempest"
+            "Flake example: nix run github:nmasur/dotfiles#installer -- nvme0n1 desktop"
        echo "(exiting)"
        exit 1
    fi
--- a/apps/reencrypt-secrets.nix
+++ b/apps/reencrypt-secrets.nix
@ -17,7 +17,7 @@
        --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
      echo "Encrypting ''${encryptedfile}..."
      ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-        builtins.toString ../misc/public-keys
+        builtins.toString ../public-keys
      } $tmpfile > $encryptedfile
      rm $tmpfile
    done
--- a/colorscheme/README.md
+++ b/colorscheme/README.md
@ -1,5 +0,0 @@
 # Colorschemes
 Color information for different themes is found here. The colors are sourced
 and used with [base16](https://github.com/chriskempson/base16) format
 consistently across the system.
--- a/disks/README.md
+++ b/disks/README.md
@ -1,5 +0,0 @@
 # Disks
 These are my [disko](https://github.com/nix-community/disko) configurations,
 which allow me to save desired disk formatting layouts as a declarative file so
 I don't have to remember how to format my disks later on.
--- a/docs/README.md
+++ b/docs/README.md
@ -1,4 +0,0 @@
 # Documentation
 Reference documents for some of the more complicated services and maintenance
 tasks.
--- a/docs/repair-nextcloud.md
+++ b/docs/repair-nextcloud.md
@ -1,59 +0,0 @@
 # Repairing Nextcloud
 You can run the maintenance commands like this:
 ```
 sudo -u nextcloud nextcloud-occ maintenance:mode --on
 sudo -u nextcloud nextcloud-occ maintenance:repair
 sudo -u nextcloud nextcloud-occ maintenance:mode --off
 ```
 ## Converting from SQLite to MySQL (mariadb)
 First: keep Nextcloud set to SQLite as its dbtype, and separately launch MySQL
 as a service by copying the configuration found
 [here](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/web-apps/nextcloud.nix).
 No password is necessary, since the user-based auth works with UNIX sockets.
 You can connect to the MySQL instance like this:
 ```
 sudo -u nextcloud mysql -S /run/mysqld/mysqld.sock
 ```
 Create a blank database for Nextcloud:
 ```sql
 create database nextcloud;
 ```
 Now setup the [conversion](https://docs.nextcloud.com/server/17/admin_manual/configuration_database/db_conversion.html):
 ```
 sudo -u nextcloud nextcloud-occ db:convert-type mysql nextcloud localhost nextcloud
 ```
 Ignore the password prompt. Proceed with the conversion.
 Now `config.php` will be updated but the override config from NixOS will not
 be. Now update your NixOS configuration:
 - Remove the `mysql` service you created.
 - Set `dbtype` to `mysql`.
 - Set `database.createLocally` to `true`.
 Rebuild your configuration.
 Now, make sure to enable [4-byte
 support](https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/mysql_4byte_support.html)
 in the database.
 ## Backing Up MySQL Database
 Use this mysqldump command:
 ```
 sudo -u nextcloud mysqldump -S /run/mysqld/mysqld.sock --default-character-set=utf8mb4 nextcloud > backup.sql
 ```
--- a/docs/zfs.md
+++ b/docs/zfs.md
@ -1,45 +0,0 @@
 # ZFS
 Swan runs its root on ext4. The ZFS drives are managed imperatively (this
 [disko configuration](../disks/zfs.nix) is an unused work-in-progress).
 The basic ZFS settings are managed [here](../modules/nixos/hardware/zfs.nix).
 ## Creating a New Dataset
 ```
 sudo zfs create tank/mydataset
 sudo zfs set compression=zstd tank/myzstddataset
 sudo zfs set mountpoint=/data/mydataset tank/mydataset
 ```
 ## Maintenance
 ### Get Status
 ```
 sudo zpool status
 ```
 ### Replace Disk
 ```
 sudo zdb
 sudo zpool status -g # Show by GUID
 sudo zpool offline tank <GUID>
 sudo zpool status
 # Remove old disk, insert new disk
 sudo zdb
 sudo zpool replace tank <OLD GUID> /dev/disk/by-id/<NEW PATH>
 sudo zpool status
 ```
 ## Initial Setup
 ```
 sudo zpool create tank raidz1 sda sdb sdc
 sudo zpool set ashift=12 tank
 sudo zpool set autoexpand=on tank
 sudo zpool set compression=on tank
 ```
--- a/flake.lock
+++ b/flake.lock
@ -17,22 +17,6 @@
        "type": "github"
      }
    },
    "baleia-nvim-src": {
      "flake": false,
      "locked": {
        "lastModified": 1681806450,
        "narHash": "sha256-jxRlIzWbnSj89032msc5w+2TVt7zVyzlxdXxiH1dQqY=",
        "owner": "m00qek",
        "repo": "baleia.nvim",
        "rev": "00bb4af31c8c3865b735d40ebefa6c3f07b2dd16",
        "type": "github"
      },
      "original": {
        "owner": "m00qek",
        "repo": "baleia.nvim",
        "type": "github"
      }
    },
    "bufferline-nvim-src": {
      "flake": false,
      "locked": {
@ -73,11 +57,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1691275315,
+        "lastModified": 1687517837,
-        "narHash": "sha256-9WN0IA0vNZSNxKHpy/bYvPnCw4VH/nr5iBv7c+7KUts=",
+        "narHash": "sha256-Ea+JTy6NSf+wWIFrgC8gnOnyt01xwmtDEn2KecvaBkg=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "829041cf10c4f6751a53c0a11ca2fd22ff0918d6",
+        "rev": "6460468e7a3e1290f132fee4170ebeaa127f6f32",
        "type": "github"
      },
      "original": {
@ -94,11 +78,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1690739034,
+        "lastModified": 1687598357,
-        "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=",
+        "narHash": "sha256-70ciIe8415oQnQypawaqocEaLJcI1XtkqRNmle8vsrg=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "4015740375676402a2ee6adebc3c30ea625b9a94",
+        "rev": "1e7098ee0448dc5d33df394d040f454cd42a809c",
        "type": "github"
      },
      "original": {
@ -114,11 +98,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1691196340,
+        "lastModified": 1688605308,
-        "narHash": "sha256-b1haFWCbFJkiUkeTQCkNjr8hFq/8JlMPaQwNpGlcvxI=",
+        "narHash": "sha256-B9suu7dcdX4a18loO5ul237gqIJ5/+TRuheLj8fJjwM=",
        "owner": "bandithedoge",
        "repo": "nixpkgs-firefox-darwin",
-        "rev": "6081c33185dba05da784d9f2a392861af025bf1a",
+        "rev": "78d28acf685e19d353b2ecb6c38eeb3fc624fc68",
        "type": "github"
      },
      "original": {
@ -181,11 +165,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1689068808,
+        "lastModified": 1685518550,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
        "type": "github"
      },
      "original": {
@ -194,22 +178,6 @@
        "type": "github"
      }
    },
    "hmts-nvim-src": {
      "flake": false,
      "locked": {
        "lastModified": 1691223193,
        "narHash": "sha256-Zsl4s3e4upWiU2mXKqiQcUGxslPzzebKKXfzaHiNq48=",
        "owner": "calops",
        "repo": "hmts.nvim",
        "rev": "1d40963804925754672940d07ddb250d19efec2e",
        "type": "github"
      },
      "original": {
        "owner": "calops",
        "repo": "hmts.nvim",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -217,11 +185,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1691225770,
+        "lastModified": 1687627695,
-        "narHash": "sha256-O5slH8nW8msTAqVAS5rkvdHSkjmrO+JauuSDzZCmv2M=",
+        "narHash": "sha256-6Pu7nWb52PRtUmihwuDNShDmsZiXgtXR0OARtH4DSik=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "0a014a729cdd54d9919ff36b714d047909d7a4c8",
+        "rev": "172d46d4b2677b32277d903bdf4cff77c2cc6477",
        "type": "github"
      },
      "original": {
@ -231,42 +199,6 @@
        "type": "github"
      }
    },
    "nextcloud-cookbook": {
      "flake": false,
      "locked": {
        "narHash": "sha256-XgBwUr26qW6wvqhrnhhhhcN4wkI+eXDHnNSm1HDbP6M=",
        "type": "tarball",
        "url": "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz"
      }
    },
    "nextcloud-external": {
      "flake": false,
      "locked": {
        "narHash": "sha256-gY1nxqK/pHfoxW/9mE7DFtNawgdEV7a4OXpscWY14yk=",
        "type": "tarball",
        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.2.0/external-v5.2.0.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/nextcloud-releases/external/releases/download/v5.2.0/external-v5.2.0.tar.gz"
      }
    },
    "nextcloud-news": {
      "flake": false,
      "locked": {
        "narHash": "sha256-hhXPEITSbCiFs0o+TOsQnSasXBpjU9mA/OFsbzuaCPw=",
        "type": "tarball",
        "url": "https://github.com/nextcloud/news/releases/download/22.0.0/news.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/nextcloud/news/releases/download/22.0.0/news.tar.gz"
      }
    },
    "nil": {
      "inputs": {
        "flake-utils": "flake-utils",
@ -313,11 +245,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1689469483,
+        "lastModified": 1687049841,
-        "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=",
+        "narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c",
+        "rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5",
        "type": "github"
      },
      "original": {
@ -334,11 +266,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1690133435,
+        "lastModified": 1687398392,
-        "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=",
+        "narHash": "sha256-T6kc3NMTpGJk1/dve8PGupeVcxboEb78xtTKhe3LL/A=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586",
+        "rev": "649171f56a45af13ba693c156207eafbbbf7edfe",
        "type": "github"
      },
      "original": {
@ -349,11 +281,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1691186842,
+        "lastModified": 1687502512,
-        "narHash": "sha256-wxBVCvZUwq+XS4N4t9NqsHV4E64cPVqQ2fdDISpjcw0=",
+        "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "18036c0be90f4e308ae3ebcab0e14aae0336fe42",
+        "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
        "type": "github"
      },
      "original": {
@ -365,16 +297,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1690470004,
+        "lastModified": 1686929285,
-        "narHash": "sha256-l57RmPhPz9r1LGDg/0v8bYgJO8R+GGTQZtkIxE7negU=",
+        "narHash": "sha256-WGtVzn+vGMPTXDO0DMNKVFtf+zUSqeW+KKk4Y/Ae99I=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9462344318b376e157c94fa60c20a25b913b2381",
+        "rev": "93fddcf640ceca0be331210ba3101cee9d91c13d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.05",
+        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -382,11 +314,11 @@
    "null-ls-nvim-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1688652536,
+        "lastModified": 1686871437,
-        "narHash": "sha256-6KJtj9pbvBm6fOVpnyzO2fEVC+cVrw2XtZHOgq9ieIw=",
+        "narHash": "sha256-MxIZqyRW8jStiDNXt7Bsw8peDLKpqxKEaUuIJsXkGMI=",
        "owner": "jose-elias-alvarez",
        "repo": "null-ls.nvim",
-        "rev": "db09b6c691def0038c456551e4e2772186449f35",
+        "rev": "bbaf5a96913aa92281f154b08732be2f57021c45",
        "type": "github"
      },
      "original": {
@ -397,11 +329,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1691289987,
+        "lastModified": 1687625402,
-        "narHash": "sha256-sbbDlVzxlP+bBTdhyyzJ6C0APUNU/sChuLmNU9ehkmg=",
+        "narHash": "sha256-V+vSWypmm/tGbwNXGhqzmiV7vTjV2gNCEh9N7OhNnyA=",
        "owner": "nix-community",
        "repo": "nur",
-        "rev": "cf2f5d8ad452795e5aca290c95eedc829d3da7ec",
+        "rev": "aeaf37c7538965e45700d39e6b5dc9c9a0e0749c",
        "type": "github"
      },
      "original": {
@ -430,11 +362,11 @@
    "nvim-tree-lua-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1691292370,
+        "lastModified": 1687132855,
-        "narHash": "sha256-YQRirmp8QerxwF9qdrSrUKJZiVrBb6ZWpUTfM8H7fl4=",
+        "narHash": "sha256-ZRUoCDBv8rO8ZUBUMLgo33EBbqD9+ZOSET9rkFsA++E=",
        "owner": "kyazdani42",
        "repo": "nvim-tree.lua",
-        "rev": "904f95cd9db31d1800998fa428e78e418a50181d",
+        "rev": "c3c6544ee00333b0f1d6a13735d0dd302dba4f70",
        "type": "github"
      },
      "original": {
@ -463,17 +395,12 @@
    "root": {
      "inputs": {
        "Comment-nvim-src": "Comment-nvim-src",
        "baleia-nvim-src": "baleia-nvim-src",
        "bufferline-nvim-src": "bufferline-nvim-src",
        "cmp-nvim-lsp-src": "cmp-nvim-lsp-src",
        "darwin": "darwin",
        "disko": "disko",
        "firefox-darwin": "firefox-darwin",
        "hmts-nvim-src": "hmts-nvim-src",
        "home-manager": "home-manager",
        "nextcloud-cookbook": "nextcloud-cookbook",
        "nextcloud-external": "nextcloud-external",
        "nextcloud-news": "nextcloud-news",
        "nil": "nil",
        "nix2vim": "nix2vim",
        "nixos-generators": "nixos-generators",
@ -486,15 +413,9 @@
        "telescope-nvim-src": "telescope-nvim-src",
        "telescope-project-nvim-src": "telescope-project-nvim-src",
        "toggleterm-nvim-src": "toggleterm-nvim-src",
        "tree-sitter-bash": "tree-sitter-bash",
        "tree-sitter-ini": "tree-sitter-ini",
        "tree-sitter-puppet": "tree-sitter-puppet",
        "tree-sitter-python": "tree-sitter-python",
        "tree-sitter-rasi": "tree-sitter-rasi",
        "vscode-terraform-snippets": "vscode-terraform-snippets",
        "wallpapers": "wallpapers",
-        "wsl": "wsl",
+        "wsl": "wsl"
        "zenyd-mpv-scripts": "zenyd-mpv-scripts"
      }
    },
    "rust-overlay": {
@ -602,88 +523,6 @@
        "type": "github"
      }
    },
    "tree-sitter-bash": {
      "flake": false,
      "locked": {
        "lastModified": 1688032601,
        "narHash": "sha256-gl5F3IeZa2VqyH/qFj8ey2pRbGq4X8DL5wiyvRrH56U=",
        "owner": "tree-sitter",
        "repo": "tree-sitter-bash",
        "rev": "493646764e7ad61ce63ce3b8c59ebeb37f71b841",
        "type": "github"
      },
      "original": {
        "owner": "tree-sitter",
        "repo": "tree-sitter-bash",
        "rev": "493646764e7ad61ce63ce3b8c59ebeb37f71b841",
        "type": "github"
      }
    },
    "tree-sitter-ini": {
      "flake": false,
      "locked": {
        "lastModified": 1690815608,
        "narHash": "sha256-IIpKzpA4q1jpYVZ75VZaxWHaqNt8TA427eMOui2s71M=",
        "owner": "justinmk",
        "repo": "tree-sitter-ini",
        "rev": "7f11a02fb8891482068e0fe419965d7bade81a68",
        "type": "github"
      },
      "original": {
        "owner": "justinmk",
        "repo": "tree-sitter-ini",
        "type": "github"
      }
    },
    "tree-sitter-puppet": {
      "flake": false,
      "locked": {
        "lastModified": 1690231696,
        "narHash": "sha256-YEjjy9WLwITERYqoeSVrRYnwVBIAwdc4o0lvAK9wizw=",
        "owner": "amaanq",
        "repo": "tree-sitter-puppet",
        "rev": "9ce9a5f7d64528572aaa8d59459ba869e634086b",
        "type": "github"
      },
      "original": {
        "owner": "amaanq",
        "repo": "tree-sitter-puppet",
        "type": "github"
      }
    },
    "tree-sitter-python": {
      "flake": false,
      "locked": {
        "lastModified": 1690493803,
        "narHash": "sha256-2btd/NRE6NuGNlx4cq535OrwtWXihiP3VMCJjPCiDOk=",
        "owner": "tree-sitter",
        "repo": "tree-sitter-python",
        "rev": "5af00f64af6bbf822f208243cce5cf75396fb6f5",
        "type": "github"
      },
      "original": {
        "owner": "tree-sitter",
        "repo": "tree-sitter-python",
        "rev": "5af00f64af6bbf822f208243cce5cf75396fb6f5",
        "type": "github"
      }
    },
    "tree-sitter-rasi": {
      "flake": false,
      "locked": {
        "lastModified": 1678701563,
        "narHash": "sha256-2nYZoLcrxxxiOJEySwHUm93lzMg8mU+V7LIP63ntFdA=",
        "owner": "Fymyte",
        "repo": "tree-sitter-rasi",
        "rev": "371dac6bcce0df5566c1cfebde69d90ecbeefd2d",
        "type": "github"
      },
      "original": {
        "owner": "Fymyte",
        "repo": "tree-sitter-rasi",
        "type": "github"
      }
    },
    "vscode-terraform-snippets": {
      "flake": false,
      "locked": {
@ -723,11 +562,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1690553050,
+        "lastModified": 1687279045,
-        "narHash": "sha256-pK3kF30OykL3v6P8UP6ipihlS34KoGq9SryCj3tHrFw=",
+        "narHash": "sha256-LR0dsXd/A07M61jclyBUW0wRojEQteWReKM35zoJXp0=",
        "owner": "nix-community",
        "repo": "NixOS-WSL",
-        "rev": "f7a95a37306c46b42e9ce751977c44c752fd5eca",
+        "rev": "a8486b5d191f11d571f15d80b6e265d1712d01cf",
        "type": "github"
      },
      "original": {
@ -735,22 +574,6 @@
        "repo": "NixOS-WSL",
        "type": "github"
      }
    },
    "zenyd-mpv-scripts": {
      "flake": false,
      "locked": {
        "lastModified": 1650625438,
        "narHash": "sha256-OBCuzCtgfSwj0i/rBNranuu4LRc47jObwQIJgQQoerg=",
        "owner": "zenyd",
        "repo": "mpv-scripts",
        "rev": "19ea069abcb794d1bf8fac2f59b50d71ab992130",
        "type": "github"
      },
      "original": {
        "owner": "zenyd",
        "repo": "mpv-scripts",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -75,10 +75,6 @@
      url = "github:jose-elias-alvarez/null-ls.nvim";
      flake = false;
    };
    baleia-nvim-src = {
      url = "github:m00qek/baleia.nvim";
      flake = false;
    };
    Comment-nvim-src = {
      url = "github:numToStr/Comment.nvim/v0.8.0";
      flake = false;
@ -111,68 +107,23 @@
      url = "github:run-at-scale/vscode-terraform-doc-snippets";
      flake = false;
    };
    hmts-nvim-src = {
      url = "github:calops/hmts.nvim";
      flake = false;
    };
    # Tree-Sitter Grammars
    tree-sitter-bash = {
      # Fix: bash highlighting doesn't work as of this commit:
      # https://github.com/NixOS/nixpkgs/commit/49cce41b7c5f6b88570a482355d9655ca19c1029
      url =
        "github:tree-sitter/tree-sitter-bash/493646764e7ad61ce63ce3b8c59ebeb37f71b841";
      flake = false;
    };
    tree-sitter-python = {
      # Fix: invalid node in position. Broken as of this commit (replaced with newer):
      # https://github.com/NixOS/nixpkgs/commit/8ec3627796ecc899e6f47f5bf3c3220856ead9c5
      url =
        "github:tree-sitter/tree-sitter-python/5af00f64af6bbf822f208243cce5cf75396fb6f5";
      flake = false;
    };
    tree-sitter-ini = {
      url = "github:justinmk/tree-sitter-ini";
      flake = false;
    };
    tree-sitter-puppet = {
      url = "github:amaanq/tree-sitter-puppet";
      flake = false;
    };
    tree-sitter-rasi = {
      url = "github:Fymyte/tree-sitter-rasi";
      flake = false;
    };
    # MPV Scripts
    zenyd-mpv-scripts = {
      url = "github:zenyd/mpv-scripts";
      flake = false;
    };
    # Nextcloud Apps
    nextcloud-news = {
      url =
        "https://github.com/nextcloud/news/releases/download/22.0.0/news.tar.gz";
      flake = false;
    };
    nextcloud-external = {
      url =
        "https://github.com/nextcloud-releases/external/releases/download/v5.2.0/external-v5.2.0.tar.gz";
      flake = false;
    };
    nextcloud-cookbook = {
      url =
        "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz";
      flake = false;
    };
  };
-  outputs = { nixpkgs, ... }@inputs:
+  outputs = { self, nixpkgs, ... }@inputs:
    let
      # Common overlays to always use
      overlays = [
        inputs.nur.overlay
        inputs.nix2vim.overlay
        (import ./overlays/neovim-plugins.nix inputs)
        (import ./overlays/calibre-web.nix)
        (import ./overlays/disko.nix inputs)
        (import ./overlays/tree-sitter.nix inputs)
      ];
      # Global configuration for my systems
      globals = let baseName = "masu.rs";
      in rec {
@ -183,7 +134,8 @@
        mail.server = "noahmasur.com";
        mail.imapHost = "imap.purelymail.com";
        mail.smtpHost = "smtp.purelymail.com";
-        dotfilesRepo = "https://github.com/nmasur/dotfiles";
+        dotfilesRepo = "git@github.com:nmasur/dotfiles";
        nixpkgs.overlays = overlays;
        hostnames = {
          git = "git.${baseName}";
          metrics = "metrics.${baseName}";
@ -196,20 +148,6 @@
        };
      };
      # Common overlays to always use
      overlays = [
        inputs.nur.overlay
        inputs.nix2vim.overlay
        (import ./overlays/neovim-plugins.nix inputs)
        (import ./overlays/calibre-web.nix)
        (import ./overlays/disko.nix inputs)
        (import ./overlays/tree-sitter.nix inputs)
        (import ./overlays/caddy.nix inputs)
        (import ./overlays/mpv-scripts.nix inputs)
        (import ./overlays/nextcloud-apps.nix inputs)
        (import ./overlays/betterlockscreen.nix)
      ];
      # System types to support.
      supportedSystems =
        [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
@ -219,20 +157,26 @@
    in rec {
      nixosModules = {
        globals = { config }: { config = globals; };
        common = import ./modules/common;
        nixos = import ./modules/nixos;
        darwin = import ./modules/darwin;
      };
      # Contains my full system builds, including home-manager
      # nixos-rebuild switch --flake .#tempest
      nixosConfigurations = {
-        tempest = import ./hosts/tempest { inherit inputs globals overlays; };
+        tempest = import ./hosts/tempest { inherit self; };
-        hydra = import ./hosts/hydra { inherit inputs globals overlays; };
+        hydra = import ./hosts/hydra { inherit self; };
-        flame = import ./hosts/flame { inherit inputs globals overlays; };
+        flame = import ./hosts/flame { inherit self; };
-        swan = import ./hosts/swan { inherit inputs globals overlays; };
+        swan = import ./hosts/swan { inherit self; };
      };
      # Contains my full Mac system builds, including home-manager
      # darwin-rebuild switch --flake .#lookingglass
      darwinConfigurations = {
-        lookingglass =
+        lookingglass = import ./hosts/lookingglass { inherit self; };
          import ./hosts/lookingglass { inherit inputs globals overlays; };
      };
      # For quickly applying home-manager settings with:
@ -248,10 +192,8 @@
      diskoConfigurations = { root = import ./disks/root.nix; };
      packages = let
-        aws = system:
+        aws = system: import ./hosts/aws { inherit self system; };
-          import ./hosts/aws { inherit inputs globals overlays system; };
+        staff = system: import ./hosts/staff { inherit self system; };
        staff = system:
          import ./hosts/staff { inherit inputs globals overlays system; };
        neovim = system:
          let pkgs = import nixpkgs { inherit system overlays; };
          in import ./modules/common/neovim/package {
@ -286,24 +228,6 @@
        });
      checks = forAllSystems (system:
        let pkgs = import nixpkgs { inherit system overlays; };
        in {
          neovim = pkgs.runCommand "neovim-check-health" {
            buildInputs = [ inputs.self.packages.${system}.neovim ];
          } ''
            mkdir -p $out
            export HOME=$TMPDIR
            nvim -c "checkhealth" -c "write $out/health.log" -c "quitall"
            # Check for errors inside the health log
            if $(grep "ERROR" $out/health.log); then
              cat $out/health.log
              exit 1
            fi
          '';
        });
      # Templates for starting other projects quickly
      templates = rec {
        default = basic;
--- a/hosts/README.md
+++ b/hosts/README.md
@ -1,7 +1,5 @@
 # Hosts
 These are the individual machines managed by this flake.
 | Host                                       | Purpose             |
 | ---                                        | ---                 |
 | [aws](./aws/default.nix)                   | AWS AMI             |
--- a/hosts/aws/default.nix
+++ b/hosts/aws/default.nix
@ -1,13 +1,14 @@
-{ inputs, system, globals, overlays, ... }:
+{ self, system, ... }:
-inputs.nixos-generators.nixosGenerate {
+self.inputs.nixos-generators.nixosGenerate {
  inherit system;
  format = "amazon";
  modules = [
-    globals
+    self.inputs.home-manager.nixosModules.home-manager
-    inputs.home-manager.nixosModules.home-manager
+    self.nixosModules.globals
    self.nixosModules.common
    self.nixosModules.nixos
    {
      nixpkgs.overlays = overlays;
      networking.hostName = "sheep";
      gui.enable = false;
      theme.colors = (import ../../colorscheme/gruvbox).dark;
@ -17,9 +18,6 @@ inputs.nixos-generators.nixosGenerate {
      # AWS settings require this
      permitRootLogin = "prohibit-password";
    }
    ../../modules/common
    ../../modules/nixos
    ../../modules/nixos/services/sshd.nix
  ] ++ [
    # Required to fix diskSize errors during build
    ({ ... }: { amazonImage.sizeMB = 16 * 1024; })
--- a/hosts/flame/default.nix
+++ b/hosts/flame/default.nix
@ -3,66 +3,56 @@
 # How to install:
 # https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/
 # These days, probably use nixos-anywhere instead.
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.nixpkgs.lib.nixosSystem {
+self.inputs.nixpkgs.lib.nixosSystem {
  system = "aarch64-linux";
  specialArgs = { };
  modules = [
-    globals
+    self.inputs.home-manager.nixosModules.home-manager
-    inputs.home-manager.nixosModules.home-manager
+    self.nixosModules.globals
-    ../../modules/common
+    self.nixosModules.common
-    ../../modules/nixos
+    self.nixosModules.nixos
    {
      nixpkgs.overlays = overlays;
      # Hardware
      server = true;
      networking.hostName = "flame";
-      # Not sure what's necessary but too afraid to remove anything
+      imports =
-      imports = [ (inputs.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
+        [ (self.inputs.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
      boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" ];
      # File systems must be declared in order to boot
      # This is the root filesystem containing NixOS
      # I forgot to set a clean label for it
      fileSystems."/" = {
        device = "/dev/disk/by-uuid/e1b6bd50-306d-429a-9f45-78f57bc597c3";
        fsType = "ext4";
      };
      # This is the boot filesystem for systemd-boot
      fileSystems."/boot" = {
        device = "/dev/disk/by-uuid/D5CA-237A";
        fsType = "vfat";
      };
      # Theming
      # Server doesn't require GUI
      gui.enable = false;
      # Still require colors for programs like Neovim, K9S
      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
      # Disable passwords, only use SSH key
      publicKey =
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
      # Programs and services
      cloudflare.enable = true; # Proxy traffic with Cloudflare
      dotfiles.enable = true; # Clone dotfiles
      neovim.enable = true;
-      giteaRunner.enable = true;
+
      services.caddy.enable = true;
      services.grafana.enable = true;
-      services.openssh.enable = true;
+      services.prometheus.enable = true;
      services.victoriametrics.enable = true;
      services.gitea.enable = true;
      services.vaultwarden.enable = true;
      services.minecraft-server.enable = true; # Setup Minecraft server
      # Allows private remote access over the internet
      cloudflareTunnel = {
        enable = true;
        id = "bd250ee1-ed2e-42d2-b627-039f1eb5a4d2";
@ -71,6 +61,8 @@ inputs.nixpkgs.lib.nixosSystem {
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK/6oyVqjFGX3Uvrc3VS8J9sphxzAnRzKC85xgkHfYgR3TK6qBGXzHrknEj21xeZrr3G2y1UsGzphWJd9ZfIcdA= open-ssh-ca@cloudflareaccess.org";
      };
      giteaRunner.enable = true;
      # Nextcloud backup config
      backup.s3 = {
        endpoint = "s3.us-west-002.backblazeb2.com";
@ -78,10 +70,6 @@ inputs.nixpkgs.lib.nixosSystem {
        accessKeyId = "0026b0e73b2e2c80000000005";
      };
      # Disable passwords, only use SSH key
      publicKey =
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
      # # Wireguard config for Transmission
      # wireguard.enable = true;
      # networking.wireguard.interfaces.wg0 = {
@ -111,6 +99,9 @@ inputs.nixpkgs.lib.nixosSystem {
      # # VPN port forwarding
      # services.transmission.settings.peer-port = 57599;
      # # Grant access to Transmission directories from Jellyfin
      # users.users.jellyfin.extraGroups = [ "transmission" ];
    }
  ];
 }
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@ -1,28 +1,27 @@
 # The Hydra
 # System configuration for WSL
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.nixpkgs.lib.nixosSystem {
+self.inputs.nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
  specialArgs = { };
  modules = [
-    ../../modules/common
+    self.inputs.wsl.nixosModules.wsl
-    ../../modules/nixos
+    self.inputs.home-manager.nixosModules.home-manager
-    ../../modules/wsl
+    self.nixosModules.globals
-    globals
+    self.nixosModules.common
-    inputs.wsl.nixosModules.wsl
+    self.nixosModules.nixos
-    inputs.home-manager.nixosModules.home-manager
+    self.nixosModules.wsl
    {
      networking.hostName = "hydra";
      nixpkgs.overlays = overlays;
      identityFile = "/home/${globals.user}/.ssh/id_ed25519";
      gui.enable = false;
      theme = {
        colors = (import ../../colorscheme/gruvbox).dark;
        dark = true;
      };
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
      wsl = {
        enable = true;
        wslConf.automount.root = "/mnt";
--- a/hosts/lookingglass/default.nix
+++ b/hosts/lookingglass/default.nix
@ -1,46 +1,46 @@
 # The Looking Glass
 # System configuration for my work Macbook
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.darwin.lib.darwinSystem {
+self.inputs.darwin.lib.darwinSystem {
  system = "x86_64-darwin";
  specialArgs = { };
  modules = [
-    ../../modules/common
+    self.inputs.home-manager.darwinModules.home-manager
-    ../../modules/darwin
+    self.nixosModules.common
-    (globals // rec {
+    self.nixosModules.darwin
-      user = "Noah.Masur";
+    ({ config, lib, ... }: {
-      gitName = "Noah-Masur_1701";
+      config = rec {
-      gitEmail = "${user}@take2games.com";
+        user = lib.mkForce "Noah.Masur";
-    })
+        gitName = lib.mkForce "Noah-Masur_1701";
-    inputs.home-manager.darwinModules.home-manager
+        gitEmail = lib.mkForce "${user}@take2games.com";
-    {
+        nixpkgs.overlays = [ self.inputs.firefox-darwin.overlay ];
-      nixpkgs.overlays = [ inputs.firefox-darwin.overlay ] ++ overlays;
+        networking.hostName = "lookingglass";
-      networking.hostName = "lookingglass";
+        identityFile = "/Users/${user}/.ssh/id_ed25519";
-      identityFile = "/Users/Noah.Masur/.ssh/id_ed25519";
+        gui.enable = true;
-      gui.enable = true;
+        theme = {
-      theme = {
+          colors = (import ../../colorscheme/gruvbox-dark).dark;
-        colors = (import ../../colorscheme/gruvbox-dark).dark;
+          dark = true;
-        dark = true;
+        };
        mail.user = globals.user;
        charm.enable = true;
        neovim.enable = true;
        mail.enable = true;
        mail.aerc.enable = true;
        mail.himalaya.enable = false;
        kitty.enable = true;
        discord.enable = true;
        firefox.enable = true;
        dotfiles.enable = true;
        nixlang.enable = true;
        terraform.enable = true;
        python.enable = true;
        lua.enable = true;
        kubernetes.enable = true;
        _1password.enable = true;
        slack.enable = true;
      };
-      mail.user = globals.user;
+    })
      charm.enable = true;
      neovim.enable = true;
      mail.enable = true;
      mail.aerc.enable = true;
      mail.himalaya.enable = false;
      kitty.enable = true;
      discord.enable = true;
      firefox.enable = true;
      dotfiles.enable = true;
      nixlang.enable = true;
      terraform.enable = true;
      python.enable = true;
      lua.enable = true;
      kubernetes.enable = true;
      _1password.enable = true;
      slack.enable = true;
    }
  ];
 }
--- a/hosts/staff/default.nix
+++ b/hosts/staff/default.nix
@ -1,31 +1,32 @@
 # The Staff
 # ISO configuration for my USB drive
-{ inputs, system, overlays, ... }:
+{ self, system, ... }:
-inputs.nixos-generators.nixosGenerate {
+self.inputs.nixos-generators.nixosGenerate {
  inherit system;
  format = "install-iso";
-  modules = [{
+  modules = [
-    nixpkgs.overlays = overlays;
+    self.nixosModules.global
-    networking.hostName = "staff";
+    self.nixosModules.common
-    users.extraUsers.root.openssh.authorizedKeys.keys = [
+    self.nixosModules.nixos
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s"
+    ({ config, pkgs, ... }: {
-    ];
+      networking.hostName = "staff";
-    services.openssh = {
+      users.extraUsers.root.openssh.authorizedKeys.keys = [
-      enable = true;
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s"
-      ports = [ 22 ];
+      ];
-      allowSFTP = true;
+      services.openssh = {
-      settings = {
+        enable = true;
-        GatewayPorts = "no";
+        ports = [ 22 ];
-        X11Forwarding = false;
+        allowSFTP = true;
-        PasswordAuthentication = false;
+        settings = {
-        PermitRootLogin = "yes";
+          GatewayPorts = "no";
          X11Forwarding = false;
          PasswordAuthentication = false;
          PermitRootLogin = "yes";
        };
      };
-    };
+      environment.systemPackages = with pkgs; [
    environment.systemPackages =
      let pkgs = import inputs.nixpkgs { inherit system overlays; };
      in with pkgs; [
        git
        vim
        wget
@ -35,9 +36,10 @@ inputs.nixos-generators.nixosGenerate {
          colors = (import ../../colorscheme/gruvbox).dark;
        })
      ];
-    nix.extraOptions = ''
+      nix.extraOptions = ''
-      experimental-features = nix-command flakes
+        experimental-features = nix-command flakes
-      warn-dirty = false
+        warn-dirty = false
-    '';
+      '';
-  }];
+    })
  ];
 }
--- a/hosts/swan/default.nix
+++ b/hosts/swan/default.nix
@ -1,26 +1,22 @@
 # The Swan
 # System configuration for my home NAS server
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.nixpkgs.lib.nixosSystem {
+self.inputs.nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
  specialArgs = { };
  modules = [
-    globals
+    self.inputs.home-manager.nixosModules.home-manager
-    inputs.home-manager.nixosModules.home-manager
+    self.inputs.disko.nixosModules.disko
-    inputs.disko.nixosModules.disko
+    self.nixosModules.globals
-    ../../modules/common
+    self.nixosModules.common
-    ../../modules/nixos
+    self.nixosModules.nixos
    {
      nixpkgs.overlays = overlays;
      # Hardware
      server = true;
      physical = true;
      networking.hostName = "swan";
      # Not sure what's necessary but too afraid to remove anything
      boot.initrd.availableKernelModules =
        [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
@ -33,54 +29,35 @@ inputs.nixpkgs.lib.nixosSystem {
        "amdgpu.cik_support=1"
        "amdgpu.dc=1"
      ];
      # Required binary blobs to boot on this machine
      hardware.enableRedistributableFirmware = true;
      # Prioritize efficiency over performance
      powerManagement.cpuFreqGovernor = "powersave";
      # Allow firmware updates
      hardware.cpu.intel.updateMicrocode = true;
      # ZFS
      zfs.enable = true;
      # Generated with: head -c 8 /etc/machine-id
      networking.hostId = "600279f4"; # Random ID required for ZFS
      # Sets root ext4 filesystem instead of declaring it manually
      disko = {
        enableConfig = true;
        devices = (import ../../disks/root.nix { disk = "/dev/nvme0n1"; });
      };
      # Automatically load the ZFS pool on boot
      boot.zfs.extraPools = [ "tank" ];
      # Theming
      # Server doesn't require GUI
      gui.enable = false;
      # Still require colors for programs like Neovim, K9S
      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
      # Programs and services
      neovim.enable = true;
      cloudflare.enable = true;
      dotfiles.enable = true;
      arrs.enable = true;
-      services.bind.enable = true;
+
      services.caddy.enable = true;
      services.jellyfin.enable = true;
      services.nextcloud.enable = true;
      services.calibre-web.enable = true;
-      services.openssh.enable = true;
+      services.prometheus.enable = true;
      services.prometheus.enable = false;
      services.vmagent.enable = true;
      services.samba.enable = true;
      # Allows private remote access over the internet
      cloudflareTunnel = {
        enable = true;
        id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
@ -89,7 +66,6 @@ inputs.nixpkgs.lib.nixosSystem {
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
      };
      # Send regular backups and litestream for DBs to an S3-like bucket
      backup.s3 = {
        endpoint = "s3.us-west-002.backblazeb2.com";
        bucket = "noahmasur-backup";
--- a/hosts/tempest/default.nix
+++ b/hosts/tempest/default.nix
@ -1,41 +1,28 @@
 # The Tempest
 # System configuration for my desktop
-{ inputs, globals, overlays, ... }:
+{ self, ... }:
-inputs.nixpkgs.lib.nixosSystem {
+self.inputs.nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
  modules = [
-    globals
+    self.inputs.home-manager.nixosModules.home-manager
-    inputs.home-manager.nixosModules.home-manager
+    self.nixosModules.globals
-    ../../modules/common
+    self.nixosModules.common
-    ../../modules/nixos
+    self.nixosModules.nixos
    {
      nixpkgs.overlays = overlays;
      # Hardware
      physical = true;
      networking.hostName = "tempest";
      # Not sure what's necessary but too afraid to remove anything
      boot.initrd.availableKernelModules =
        [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
      # Graphics and VMs
      boot.initrd.kernelModules = [ "amdgpu" ];
      boot.kernelModules = [ "kvm-amd" ];
      services.xserver.videoDrivers = [ "amdgpu" ];
      # Required binary blobs to boot on this machine
      hardware.enableRedistributableFirmware = true;
      # Prioritize performance over efficiency
      powerManagement.cpuFreqGovernor = "performance";
      # Allow firmware updates
      hardware.cpu.amd.updateMicrocode = true;
      # Helps reduce GPU fan noise under idle loads
      hardware.fancontrol.enable = true;
      hardware.fancontrol.config = ''
        # Configuration file generated by pwmconfig, changes will be lost
@ -52,35 +39,28 @@ inputs.nixpkgs.lib.nixosSystem {
        MAXPWM=hwmon0/pwm1=240
      '';
      # File systems must be declared in order to boot
      # This is the root filesystem containing NixOS
      fileSystems."/" = {
        device = "/dev/disk/by-label/nixos";
        fsType = "ext4";
      };
      # This is the boot filesystem for Grub
      fileSystems."/boot" = {
        device = "/dev/disk/by-label/boot";
        fsType = "vfat";
      };
-      # Secrets must be prepared ahead before deploying
+      # Must be prepared ahead
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
+      identityFile = "/home/${globals.user}/.ssh/id_ed25519";
      passwordHash = self.inputs.nixpkgs.lib.fileContents ../../password.sha512;
      # Theming
      # Turn on all features related to desktop and graphical applications
      gui.enable = true;
      # Set the system-wide theme, also used for non-graphical programs
      theme = {
        colors = (import ../../colorscheme/gruvbox-dark).dark;
        dark = true;
      };
-      wallpaper = "${inputs.wallpapers}/gruvbox/road.jpg";
+      wallpaper = "${self.inputs.wallpapers}/gruvbox/road.jpg";
-      gtk.theme.name = inputs.nixpkgs.lib.mkDefault "Adwaita-dark";
+      gtk.theme.name = self.inputs.nixpkgs.lib.mkDefault "Adwaita-dark";
      # Programs and services
      charm.enable = true;
@ -109,11 +89,7 @@ inputs.nixpkgs.lib.nixosSystem {
        leagueoflegends.enable = true;
        ryujinx.enable = true;
      };
      services.vmagent.enable = true; # Enables Prometheus metrics
      services.openssh.enable =
        true; # Required for Cloudflare tunnel and identity file
      # Allows private remote access over the internet
      cloudflareTunnel = {
        enable = true;
        id = "ac133a82-31fb-480c-942a-cdbcd4c58173";
@ -122,11 +98,6 @@ inputs.nixpkgs.lib.nixosSystem {
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPY6C0HmdFCaxYtJxFr3qV4/1X4Q8KrYQ1hlme3u1hJXK+xW+lc9Y9glWHrhiTKilB7carYTB80US0O47gI5yU4= open-ssh-ca@cloudflareaccess.org";
      };
      # Allows requests to force machine to wake up
      # This network interface might change, needs to be set specifically for each machine.
      # Or set usePredictableInterfaceNames = false
      networking.interfaces.enp5s0.wakeOnLan.enable = true;
    }
  ];
 }
--- a/misc/README.md
+++ b/misc/README.md
@ -1,21 +0,0 @@
 # Miscellaneous
 These files contain important data sourced by the configuration, or simply
 information to store for safekeeping later.
 ---
 Creating hashed password for [password.sha512](./password.sha512):
 ```
 mkpasswd -m sha-512
 ```
 ---
 Getting key for [public-keys](./public-keys):
 ```
 ssh-keyscan -t ed25519 <hostname>
 ```
--- a/misc/libratbag-profile
+++ b/misc/libratbag-profile
@ -1,23 +0,0 @@
 Profile 1: (active)
 Name: n/a
 Report Rate: 1000Hz
 Resolutions:
  0: 400dpi (active) (default)
  1: 800dpi
  2: 1600dpi
  3: 2400dpi
  4: 0dpi
 Button: 0 is mapped to 'button 1'
 Button: 1 is mapped to 'button 2'
 Button: 2 is mapped to 'button 3'
 Button: 3 is mapped to 'button 4'
 Button: 4 is mapped to 'button 5'
 Button: 5 is mapped to macro '↕F11'
 Button: 6 is mapped to macro '↕VOLUMEDOWN'
 Button: 7 is mapped to macro '↕VOLUMEUP'
 Button: 8 is mapped to 'unknown'
 Button: 9 is mapped to 'wheel-right'
 Button: 10 is mapped to 'wheel-left'
 LED: 0, depth: monochrome, mode: on, color: 000000
 LED: 1, depth: monochrome, mode: on, color: 000000
 LED: 2, depth: monochrome, mode: on, color: 000000
--- a/modules/README.md
+++ b/modules/README.md
@ -5,5 +5,4 @@
 | [common](./common/default.nix) | User programs and OS-agnostic configuration |
 | [darwin](./darwin/default.nix) | macOS-specific configuration                |
 | [nixos](./nixos/default.nix)   | NixOS-specific configuration                |
 | [wsl](./wsl/default.nix)       | WSL-specific configuration                  |
--- a/modules/common/applications/firefox.nix
+++ b/modules/common/applications/firefox.nix
@ -73,7 +73,6 @@
            "media.ffmpeg.vaapi.enabled" =
              true; # Enable hardware video acceleration
            "cookiebanners.ui.desktop.enabled" = true; # Reject cookie popups
            "svg.context-properties.content.enabled" = true; # Sidebery styling
          };
          userChrome = ''
            :root {
--- a/modules/common/applications/kitty.nix
+++ b/modules/common/applications/kitty.nix
@ -28,22 +28,13 @@
      programs.rofi.terminal =
        lib.mkIf pkgs.stdenv.isLinux "${pkgs.kitty}/bin/kitty";
      # Display images in the terminal
      programs.fish.shellAliases = {
        icat = "kitty +kitten icat";
        ssh = "kitty +kitten ssh";
      };
      programs.kitty = {
        enable = true;
        environment = { };
        extraConfig = "";
        font.size = 14;
        keybindings = {
          # Use shift+enter to complete text suggestions in fish
          "shift+enter" = "send_text all \\x1F";
          # Easy fullscreen toggle (for macOS)
          "super+f" = "toggle_fullscreen";
        };
        settings = {
@ -94,6 +85,7 @@
          # Scrollback
          scrolling_lines = 10000;
          scrollback_pager_history_size = 10; # MB
          scrollback_pager = "${pkgs.neovim}/bin/nvim -c 'normal G'";
          # Window
          window_padding_width = 6;
@ -101,7 +93,7 @@
          tab_bar_edge = "top";
          tab_bar_style = "slant";
-          # Disable audio
+          # Audio
          enable_audio_bell = false;
        };
      };
--- a/modules/common/applications/media.nix
+++ b/modules/common/applications/media.nix
@ -22,8 +22,8 @@
        enable = true;
        bindings = { };
        config = {
-          image-display-duration = 2; # For cycling through images
+          image-display-duration = 2;
-          hwdec = "auto-safe"; # Attempt to use GPU decoding for video
+          hwdec = "auto-safe";
        };
        scripts = [
@ -31,11 +31,25 @@
          pkgs.mpvScripts.autoload
          # Delete current file after quitting
-          pkgs.mpvScripts.mpv-delete-file
+          (pkgs.stdenv.mkDerivation rec {
            pname = "mpv-delete-file";
            version = "0.1"; # made-up
            src = pkgs.fetchFromGitHub {
              owner = "zenyd";
              repo = "mpv-scripts";
              rev = "19ea069abcb794d1bf8fac2f59b50d71ab992130";
              sha256 = "sha256-OBCuzCtgfSwj0i/rBNranuu4LRc47jObwQIJgQQoerg=";
            } + "/delete_file.lua";
            dontBuild = true;
            dontUnpack = true;
            installPhase =
              "install -Dm644 ${src} $out/share/mpv/scripts/delete_file.lua";
            passthru.scriptName = "delete_file.lua";
          })
        ];
      };
-      # Set default programs for opening PDFs and other media
+      # Set default for opening PDFs
      xdg.mimeApps = {
        associations.added = {
          "application/pdf" = [ "pwmt.zathura-cb.desktop" ];
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@ -59,7 +59,7 @@
    };
    dotfilesRepo = lib.mkOption {
      type = lib.types.str;
-      description = "Link to dotfiles repository HTTPS URL.";
+      description = "Link to dotfiles repository.";
    };
    unfreePackages = lib.mkOption {
      type = lib.types.listOf lib.types.str;
--- a/modules/common/mail/default.nix
+++ b/modules/common/mail/default.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
-  imports = [ ./himalaya.nix ./aerc.nix ./system.nix ];
+  imports = [ ./himalaya.nix ./aerc.nix ];
  options = {
    mail.enable = lib.mkEnableOption "Mail service.";
@ -27,31 +27,15 @@
    home-manager.users.${config.user} = {
      programs.mbsync = { enable = true; };
      # Automatically check for mail and keep files synced locally
      services.mbsync = lib.mkIf pkgs.stdenv.isLinux {
        enable = true;
        frequency = "*:0/5";
        postExec = "${pkgs.notmuch}/bin/notmuch new";
      };
      # Used to watch for new mail and trigger sync
      services.imapnotify.enable = pkgs.stdenv.isLinux;
-
+      programs.notmuch.enable = true;
      # Allows sending email from CLI/sendmail
      programs.msmtp.enable = true;
      # Better local mail search
      programs.notmuch = {
        enable = true;
        new.ignore = [ ".mbsyncstate.lock" ".mbsyncstate.journal" ];
      };
      accounts.email = {
        # Where email files are stored
        maildirBasePath = "${config.homePath}/mail";
        accounts = {
          home = let address = "${config.mail.user}@${config.mail.server}";
          in {
@ -64,17 +48,13 @@
              "hey"
              "admin"
            ];
            # Options for contact completion
            alot = { };
-
+            flavor = "plain";
            imap = {
              host = config.mail.imapHost;
              port = 993;
              tls.enable = true;
            };
            # Watch for mail and run notifications or sync
            imapnotify = {
              enable = true;
              boxes = [ "Inbox" ];
@ -83,11 +63,7 @@
                config.home-manager.users.${config.user}.services.dunst.enable
                "${pkgs.libnotify}/bin/notify-send 'New mail arrived'";
            };
            # Name of the directory in maildir for this account
            maildir = { path = "main"; };
            # Bi-directional syncing options for local files
            mbsync = {
              enable = true;
              create = "both";
@ -98,17 +74,12 @@
                CopyArrivalDate = "yes"; # Sync time of original message
              };
            };
            # Enable indexing
            notmuch.enable = true;
            # Used to login and send and receive emails
            passwordCommand =
-              "${pkgs.age}/bin/age --decrypt --identity ~/.ssh/id_ed25519 ${
+              "${pkgs.age}/bin/age --decrypt --identity ${config.identityFile} ${
                pkgs.writeText "mailpass.age"
                (builtins.readFile ../../../private/mailpass.age)
              }";
            smtp = {
              host = config.mail.smtpHost;
              port = 465;
--- a/modules/common/mail/system.nix
+++ b/modules/common/mail/system.nix
@ -1,34 +0,0 @@
 { config, pkgs, lib, ... }: {
  config = lib.mkIf (config.mail.enable || config.server) {
    home-manager.users.${config.user} = {
      programs.msmtp.enable = true;
      # The system user for sending automatic notifications
      accounts.email.accounts.system =
        let address = "system@${config.mail.server}";
        in {
          userName = address;
          realName = "NixOS System";
          primary = !config.mail.enable; # Only primary if mail not enabled
          inherit address;
          passwordCommand =
            "${pkgs.age}/bin/age --decrypt --identity ${config.identityFile} ${
              pkgs.writeText "mailpass-system.age"
              (builtins.readFile ../../../private/mailpass-system.age)
            }";
          msmtp.enable = true;
          smtp = {
            host = config.mail.smtpHost;
            port = 465;
            tls.enable = true;
          };
        };
    };
  };
 }
--- a/modules/common/neovim/config/align.nix
+++ b/modules/common/neovim/config/align.nix
@ -1,7 +1,4 @@
 { pkgs, ... }: {
  # Plugin for aligning text programmatically
  plugins = [ pkgs.vimPlugins.tabular ];
  lua = ''
    -- Align
--- a/modules/common/neovim/config/bufferline.nix
+++ b/modules/common/neovim/config/bufferline.nix
@ -1,7 +1,4 @@
 { pkgs, ... }: {
  # Shows buffers in a VSCode-style tab layout
  plugins = [
    pkgs.vimPlugins.bufferline-nvim
    pkgs.vimPlugins.vim-bbye # Better closing of buffers
--- a/modules/common/neovim/config/colors.nix
+++ b/modules/common/neovim/config/colors.nix
@ -1,7 +1,5 @@
 { pkgs, lib, config, ... }: {
  # Sets Neovim colors based on Nix colorscheme
  options.colors = lib.mkOption {
    type = lib.types.attrsOf lib.types.str;
    description = "Attrset of base16 colorscheme key value pairs.";
--- a/modules/common/neovim/config/completion.nix
+++ b/modules/common/neovim/config/completion.nix
@ -24,14 +24,12 @@
      end
    '';
    # Enable Luasnip snippet completion
    snippet.expand = dsl.rawLua ''
      function(args)
          require("luasnip").lsp_expand(args.body)
      end
    '';
    # Basic completion keybinds
    mapping = {
      "['<C-n>']" = dsl.rawLua
        "require('cmp').mapping.select_next_item({ behavior = require('cmp').SelectBehavior.Insert })";
@ -66,26 +64,24 @@
      '';
    };
    # These are where the completion engine gets its suggestions
    sources = [
-      { name = "nvim_lua"; } # Fills in common Neovim lua functions
+      { name = "nvim_lua"; }
-      { name = "nvim_lsp"; } # LSP results
+      { name = "nvim_lsp"; }
-      { name = "luasnip"; } # Snippets
+      { name = "luasnip"; }
-      { name = "path"; } # Shell completion from current PATH
+      { name = "path"; }
      {
-        name = "buffer"; # Grep for text from the current text buffer
+        name = "buffer";
        keyword_length = 3;
        max_item_count = 10;
      }
      {
-        name = "rg"; # Grep for text from the current directory
+        name = "rg";
        keyword_length = 6;
        max_item_count = 10;
        option = { additional_arguments = "--ignore-case"; };
      }
    ];
    # Styling of the completion menu
    formatting = {
      fields = [ "kind" "abbr" "menu" ];
      format = dsl.rawLua ''
--- a/modules/common/neovim/config/misc.nix
+++ b/modules/common/neovim/config/misc.nix
@ -7,14 +7,11 @@
    pkgs.vimPlugins.comment-nvim # Smart comment commands
    pkgs.vimPlugins.glow-nvim # Markdown preview popup
    pkgs.vimPlugins.nvim-colorizer-lua # Hex color previews
    pkgs.vimPlugins.which-key-nvim # Keybind helper
  ];
  # Initialize some plugins
  setup.Comment = { };
  setup.colorizer = { };
  setup.glow = { };
  setup.which-key = { };
  vim.o = {
    termguicolors = true; # Set to truecolor
@ -44,17 +41,11 @@
    relativenumber = true; # Relative numbers instead of absolute
  };
  # For which-key-nvim
  vim.o.timeout = true;
  vim.o.timeoutlen = 300;
  # Better backup, swap and undo storage
  vim.o.backup = true; # Easier to recover and more secure
  vim.bo.swapfile = false; # Instead of swaps, create backups
  vim.bo.undofile = true; # Keeps undos after quit
-  vim.o.backupdir =
+  vim.o.backupdir = dsl.rawLua ''vim.fn.stdpath("cache") .. "/backup"'';
    dsl.rawLua ''vim.fn.expand("~/.local/state/nvim/backup//")'';
  vim.o.undodir = dsl.rawLua ''vim.fn.expand("~/.local/state/nvim/undo//")'';
  # Required for nvim-cmp completion
  vim.opt.completeopt = [ "menu" "menuone" "noselect" ];
--- a/modules/common/neovim/config/syntax.nix
+++ b/modules/common/neovim/config/syntax.nix
@ -22,8 +22,6 @@
    pkgs.vimPlugins.playground # Tree-sitter experimenting
    pkgs.vimPlugins.nginx-vim
    pkgs.vimPlugins.vim-helm
    pkgs.baleia-nvim # Clean ANSI from kitty scrollback
    # pkgs.hmts-nvim # Tree-sitter injections for home-manager
    (pkgs.vimUtils.buildVimPluginFrom2Nix {
      pname = "nmasur";
      version = "0.1";
--- a/modules/common/neovim/config/telescope.nix
+++ b/modules/common/neovim/config/telescope.nix
@ -1,7 +1,5 @@
 { pkgs, dsl, ... }: {
  # Telescope is a fuzzy finder that can work with different sub-plugins
  plugins = [
    pkgs.vimPlugins.telescope-nvim
    pkgs.vimPlugins.project-nvim
--- a/modules/common/neovim/config/toggleterm.lua
+++ b/modules/common/neovim/config/toggleterm.lua
@ -12,8 +12,6 @@ vim.api.nvim_create_autocmd("TermOpen", {
    end,
 })
 -- These are all the different types of terminals we can trigger
 local terminal = require("toggleterm.terminal").Terminal
 local basicterminal = terminal:new()
--- a/modules/common/neovim/config/toggleterm.nix
+++ b/modules/common/neovim/config/toggleterm.nix
@ -1,7 +1,5 @@
 { pkgs, dsl, ... }: {
  # Toggleterm provides a floating terminal inside the editor for quick access
  plugins = [ pkgs.vimPlugins.toggleterm-nvim ];
  use.toggleterm.setup = dsl.callWith {
--- a/modules/common/neovim/config/tree.nix
+++ b/modules/common/neovim/config/tree.nix
@ -1,7 +1,5 @@
 { pkgs, dsl, ... }: {
  # This plugin creates a side drawer for navigating the current project
  plugins = [ pkgs.vimPlugins.nvim-tree-lua pkgs.vimPlugins.nvim-web-devicons ];
  # Disable netrw eagerly
@ -12,16 +10,16 @@
  };
  setup.nvim-tree = {
-    disable_netrw = true; # Disable the built-in file manager
+    disable_netrw = true;
-    hijack_netrw = true; # Works as the file manager
+    hijack_netrw = true;
-    sync_root_with_cwd = true; # Change project whenever currend dir changes
+    sync_root_with_cwd = true;
-    respect_buf_cwd = true; # Change to exact location of focused buffer
+    respect_buf_cwd = true;
-    update_focused_file = { # Change project based on the focused buffer
+    update_focused_file = {
      enable = true;
      update_root = true;
      ignore_list = { };
    };
-    diagnostics = { # Enable LSP and linter integration
+    diagnostics = {
      enable = true;
      icons = {
        hint = "";
@ -30,7 +28,7 @@
        error = "";
      };
    };
-    renderer = { # Show files with changes vs. current commit
+    renderer = {
      icons = {
        glyphs = {
          git = {
@ -45,7 +43,6 @@
        };
      };
    };
    # Set keybinds and initialize program
    on_attach = dsl.rawLua ''
      function (bufnr)
        local api = require('nvim-tree.api')
@ -61,7 +58,7 @@
        vim.keymap.set('n', 'v', api.node.open.vertical, opts('Open: Vertical Split'))
      end
    '';
-    view = { # Set look and feel
+    view = {
      width = 30;
      hide_root_folder = false;
      side = "left";
@ -70,7 +67,6 @@
    };
  };
  # Toggle the sidebar
  lua = ''
    vim.keymap.set("n", "<Leader>e", ":NvimTreeFindFileToggle<CR>", { silent = true })
  '';
--- a/modules/common/neovim/default.nix
+++ b/modules/common/neovim/default.nix
@ -18,16 +18,11 @@ in {
        home.packages = [ neovim ];
        # Use Neovim as the editor for git commit messages
        programs.git.extraConfig.core.editor = "nvim";
        # Set Neovim as the default app for text editing and manual pages
        home.sessionVariables = {
          EDITOR = "nvim";
          MANPAGER = "nvim +Man!";
        };
        # Create quick aliases for launching Neovim
        programs.fish = {
          shellAliases = { vim = "nvim"; };
          shellAbbrs = {
@ -36,20 +31,12 @@ in {
            vll = "nvim -c 'Telescope oldfiles'";
          };
        };
        programs.kitty.settings.scrollback_pager = lib.mkForce ''
          ${neovim}/bin/nvim -c 'setlocal nonumber nolist showtabline=0 foldcolumn=0|Man!' -c "autocmd VimEnter * normal G" -'';
        # Set Neovim as the kitty terminal "scrollback" (vi mode) option.
        # Requires removing some of the ANSI escape codes that are sent to the
        # scrollback using sed and baleia, as well as removing several
        # unnecessary features.
        programs.kitty.settings.scrollback_pager = ''
          $SHELL -c 'sed -r "s/[[:cntrl:]]\]133;[AC]..//g" | ${neovim}/bin/nvim -c "setlocal nonumber norelativenumber nolist laststatus=0" -c "lua baleia = require(\"baleia\").setup({}); baleia.once(0)" -c "map <silent> q :qa!<CR>" -c "autocmd VimEnter * normal G"' '';
        # Create a desktop option for launching Neovim from a file manager
        # (Requires launching the terminal and then executing Neovim)
        xdg.desktopEntries.nvim = lib.mkIf pkgs.stdenv.isLinux {
          name = "Neovim wrapper";
          exec = "kitty nvim %F";
          mimeType = [ "text/plain" "text/markdown" ];
        };
        xdg.mimeApps.defaultApplications = lib.mkIf pkgs.stdenv.isLinux {
          "text/plain" = [ "nvim.desktop" ];
@ -58,6 +45,9 @@ in {
      };
    # # Used for icons in Vim
    # fonts.fonts = with pkgs; [ nerdfonts ];
  };
 }
--- a/modules/common/neovim/lua/keybinds.lua
+++ b/modules/common/neovim/lua/keybinds.lua
@ -39,7 +39,7 @@ key("n", "<Leader>fs", ":write<CR>")
 key("n", "<Leader>fd", ":lcd %:p:h<CR>", { silent = true })
 key("n", "<Leader>fu", ":lcd ..<CR>", { silent = true })
 key("n", "<Leader><Tab>", ":b#<CR>", { silent = true })
-key("n", "<Leader>gr", ":!gh browse %<CR><CR>", { silent = true })
+key("n", "<Leader>gr", ":!gh repo view -w<CR><CR>", { silent = true })
 key("n", "<Leader>tt", [[<Cmd>exe 'edit $NOTES_PATH/journal/'.strftime("%Y-%m-%d_%a").'.md'<CR>]])
 key("n", "<Leader>jj", ":!journal<CR>:e<CR>")
--- a/modules/common/repositories/dotfiles.nix
+++ b/modules/common/repositories/dotfiles.nix
@ -1,7 +1,5 @@
 { config, pkgs, lib, ... }: {
  # Allows me to make sure I can work on my dotfiles locally
  options.dotfiles.enable = lib.mkEnableOption "Clone dotfiles.";
  config = lib.mkIf config.dotfiles.enable {
@ -16,8 +14,13 @@
          [ "writeBoundary" ] ''
            if [ ! -d "${config.dotfilesPath}" ]; then
                $DRY_RUN_CMD mkdir --parents $VERBOSE_ARG $(dirname "${config.dotfilesPath}")
-                $DRY_RUN_CMD ${pkgs.git}/bin/git \
+
-                    clone ${config.dotfilesRepo} "${config.dotfilesPath}"
+                # Force HTTPS because anonymous SSH doesn't work
                GIT_CONFIG_COUNT=1 \
                    GIT_CONFIG_KEY_0="url.https://github.com/.insteadOf" \
                    GIT_CONFIG_VALUE_0="git@github.com:" \
                    $DRY_RUN_CMD \
                    ${pkgs.git}/bin/git clone ${config.dotfilesRepo} "${config.dotfilesPath}"
            fi
          '';
--- a/modules/common/repositories/notes.nix
+++ b/modules/common/repositories/notes.nix
@ -1,8 +1,5 @@
 { config, ... }: {
  # This is just a placeholder as I expect to interact with my notes in a
  # certain location
  home-manager.users.${config.user} = {
    home.sessionVariables = {
--- a/modules/common/shell/bash/scripts/docker-cleanup.sh
+++ b/modules/common/shell/bash/scripts/docker-cleanup.sh
@ -1,26 +0,0 @@
 #!/bin/sh
 # Stop all containers
 if [ "$(docker ps -a -q)" ]; then
    echo "Stopping docker containers..."
    docker stop "$(docker ps -a -q)"
 else
    echo "No running docker containers."
 fi
 # Remove all stopped containers
 if [ "$(docker ps -a -q)" ]; then
    echo "Removing docker containers..."
    docker rm "$(docker ps -a -q)"
 else
    echo "No stopped docker containers."
 fi
 # Remove all untagged images
 if docker images | grep -q "^<none>"; then
    docker rmi "$(docker images | grep "^<none>" | awk '{print $3}')"
 else
    echo "No untagged docker images."
 fi
 echo "Cleaned up docker."
--- a/modules/common/shell/charm.nix
+++ b/modules/common/shell/charm.nix
@ -1,7 +1,5 @@
 { config, pkgs, lib, ... }: {
  # Convenience utilities from charm.sh
  options.charm.enable = lib.mkEnableOption "Charm utilities.";
  config.home-manager.users.${config.user} = lib.mkIf config.charm.enable {
--- a/modules/common/shell/direnv.nix
+++ b/modules/common/shell/direnv.nix
@ -1,6 +1,5 @@
 { config, ... }: {
  # Enables quickly entering Nix shells when changing directories
  home-manager.users.${config.user}.programs.direnv = {
    enable = true;
    nix-direnv.enable = true;
--- a/modules/common/shell/fish/default.nix
+++ b/modules/common/shell/fish/default.nix
@ -1,7 +1,8 @@
 { config, pkgs, lib, ... }: {
  users.users.${config.user}.shell = pkgs.fish;
-  programs.fish.enable = true; # Needed for LightDM to remember username
+  programs.fish.enable =
    true; # Needed for LightDM to remember username (TODO: fix)
  home-manager.users.${config.user} = {
@ -11,14 +12,8 @@
    programs.fish = {
      enable = true;
      shellAliases = {
        # Version of bash which works much better on the terminal
        bash = "${pkgs.bashInteractive}/bin/bash";
-
+        ls = "exa";
        # Use exa instead of ls for fancier output
        ls = "exa --group";
        # Move files to XDG trash on the commandline
        trash = lib.mkIf pkgs.stdenv.isLinux "${pkgs.trash-cli}/bin/trash-put";
      };
      functions = {
--- a/modules/common/shell/fzf.nix
+++ b/modules/common/shell/fzf.nix
@ -1,7 +1,5 @@
 { config, ... }: {
  # FZF is a fuzzy-finder for the terminal
  home-manager.users.${config.user} = {
    programs.fzf.enable = true;
--- a/modules/common/shell/nixpkgs.nix
+++ b/modules/common/shell/nixpkgs.nix
@ -73,9 +73,6 @@
      path = builtins.toString pkgs.path;
    };
    # For security, only allow specific users
    settings.allowed-users = [ "@wheel" config.user ];
  };
 }
--- a/modules/common/shell/utilities.nix
+++ b/modules/common/shell/utilities.nix
@ -23,7 +23,6 @@ in {
        dig # DNS lookup
        fd # find
        htop # Show system processes
        killall # Force quit
        inetutils # Includes telnet, whois
        jq # JSON manipulation
        lf # File viewer
@ -35,9 +34,6 @@ in {
        tree # View directory hierarchy
        vimv-rs # Batch rename files
        unzip # Extract zips
        dua # File sizes (du)
        du-dust # Disk usage tree (ncdu)
        duf # Basic disk information (df)
      ];
      programs.zoxide.enable = true; # Shortcut jump command
@ -56,6 +52,10 @@ in {
        };
      };
      programs.fish.shellAbbrs = {
        cat = "bat"; # Swap cat with bat
      };
      programs.fish.functions = {
        ping = {
          description = "Improved ping";
--- a/modules/darwin/hammerspoon.nix
+++ b/modules/darwin/hammerspoon.nix
@ -20,22 +20,12 @@
        };
      xdg.configFile."hammerspoon/Spoons/MoveWindow.spoon".source =
        ./hammerspoon/Spoons/MoveWindow.spoon;
      home.activation.reloadHammerspoon =
        config.home-manager.users.${config.user}.lib.dag.entryAfter
        [ "writeBoundary" ] ''
          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.reload()"
          $DRY_RUN_CMD sleep 1
          $DRY_RUN_CMD /usr/local/bin/hs -c "hs.console.clearConsole()"
        '';
    };
    homebrew.casks = [ "hammerspoon" ];
    system.activationScripts.postUserActivation.text = ''
      defaults write org.hammerspoon.Hammerspoon MJConfigFile "~/.config/hammerspoon/init.lua"
      sudo killall Dock
    '';
  };
--- a/modules/darwin/hammerspoon/init.lua
+++ b/modules/darwin/hammerspoon/init.lua
@ -2,4 +2,3 @@ hs.loadSpoon("ControlEscape"):start() -- Load Hammerspoon bits from https://gith
 hs.loadSpoon("Launcher"):init()
 hs.loadSpoon("DismissAlerts"):init()
 hs.loadSpoon("MoveWindow"):init()
 hs.ipc.cliInstall() -- Install Hammerspoon CLI program
--- a/modules/nixos/applications/calibre.nix
+++ b/modules/nixos/applications/calibre.nix
@ -14,8 +14,6 @@
      home.packages = with pkgs; [ calibre ];
      # home.sessionVariables = { CALIBRE_USE_DARK_PALETTE = 1; };
    };
    # Forces Calibre to use dark mode
    environment.sessionVariables = { CALIBRE_USE_DARK_PALETTE = "1"; };
  };
 }
--- a/modules/nixos/applications/nautilus.nix
+++ b/modules/nixos/applications/nautilus.nix
@ -18,14 +18,12 @@
    home-manager.users.${config.user} = {
      # Quick button for launching nautilus
      xsession.windowManager.i3.config.keybindings = {
        "${
          config.home-manager.users.${config.user}.xsession.windowManager.i3.config.modifier
        }+n" = "exec --no-startup-id ${pkgs.gnome.nautilus}/bin/nautilus";
      };
      # Generates a QR code and previews it with sushi
      programs.fish.functions = {
        qr = {
          body =
@ -33,7 +31,7 @@
        };
      };
-      # Set Nautilus as default for opening directories
+      # Set default for opening directories
      xdg.mimeApps = {
        associations.added."inode/directory" = [ "org.gnome.Nautilus.desktop" ];
        # associations.removed = {
@ -42,7 +40,6 @@
        defaultApplications."inode/directory" =
          lib.mkBefore [ "org.gnome.Nautilus.desktop" ];
      };
    };
    # # Set default for opening directories
@ -53,13 +50,6 @@
    #     lib.mkForce [ "org.gnome.Nautilus.desktop" ];
    # };
    # Delete Trash files older than 1 week
    systemd.user.services.empty-trash = {
      description = "Empty Trash on a regular basis";
      wantedBy = [ "default.target" ];
      script = "${pkgs.trash-cli}/bin/trash-empty 7";
    };
  };
 }
--- a/modules/nixos/graphical/fonts.nix
+++ b/modules/nixos/graphical/fonts.nix
@ -6,7 +6,7 @@ in {
  config = lib.mkIf (config.gui.enable && pkgs.stdenv.isLinux) {
-    fonts.packages = with pkgs; [
+    fonts.fonts = with pkgs; [
      victor-mono # Used for Vim and Terminal
      (nerdfonts.override { fonts = [ "Hack" ]; }) # For Polybar, Rofi
    ];
--- a/modules/nixos/graphical/polybar.nix
+++ b/modules/nixos/graphical/polybar.nix
@ -36,7 +36,7 @@
            module-margin = 1;
            modules-left = "i3";
            modules-center = "xwindow";
-            modules-right = "mailcount network pulseaudio date power";
+            modules-right = "mailcount pulseaudio date power";
            cursor-click = "pointer";
            cursor-scroll = "ns-resize";
            enable-ipc = true;
@ -106,14 +106,8 @@
            interval = 10;
            format = "<label>";
            exec = builtins.toString (pkgs.writeShellScript "mailcount.sh" ''
-              ${pkgs.notmuch}/bin/notmuch new --quiet 2>&1>/dev/null
+              ${pkgs.notmuch}/bin/notmuch new > /dev/null
-              UNREAD=$(
+              UNREAD=$(${pkgs.notmuch}/bin/notmuch count is:inbox and is:unread and folder:main/Inbox)
                  ${pkgs.notmuch}/bin/notmuch count \
                      is:inbox and \
                      is:unread and \
                      folder:main/Inbox \
                      2>/dev/null
              )
              if [ $UNREAD = "0" ]; then
                echo ""
              else
@ -124,16 +118,6 @@
              "i3-msg 'exec --no-startup-id kitty --class aerc aerc'; sleep 0.15; i3-msg '[class=aerc] focus'";
          };
          "module/network" = {
            type = "internal/network";
            interface-type = "wired";
            interval = 3;
            accumulate-stats = true;
            format-connected = "<label-connected>";
            format-disconnected = "<label-disconnected>";
            label-connected = "";
            label-disconnected = "";
          };
          "module/pulseaudio" = {
            type = "internal/pulseaudio";
            # format-volume-prefix = "VOL ";
@ -143,10 +127,10 @@
            # label-volume-background = colors.background;
            format-volume-foreground = config.theme.colors.base0B;
            label-volume = "%percentage%%";
-            label-muted = "󰝟 ---";
+            label-muted = "ﱝ ---";
            label-muted-foreground = config.theme.colors.base03;
            ramp-volume-0 = "";
-            ramp-volume-1 = "󰕾";
+            ramp-volume-1 = "墳";
            ramp-volume-2 = "";
            click-right = config.audioSwitchCommand;
          };
--- a/modules/nixos/graphical/rofi/themes/prompt.rasi
+++ b/modules/nixos/graphical/rofi/themes/prompt.rasi
@ -4,13 +4,14 @@
 */
@import "common.rasi"
 * {
-  font: @prompt-text-font;
+  font: @text-font;
 }
 #window {
  height: @prompt-window-height;
  width: @prompt-window-width;
  children: [ inputbar, horibox ];
  border: @prompt-window-border;
  border-color: @accent;
 }
 #inputbar {
  enabled: false;
@ -18,6 +19,8 @@
 #prompt {
  padding: @prompt-prompt-padding;
  margin: @prompt-prompt-margin;
  background-color: @accent;
  text-color: @background-light;
 }
 #listview {
  padding: @prompt-listview-padding;
@ -28,3 +31,19 @@
  font: @prompt-text-font;
  padding: @prompt-element-padding;
 }
 element.alternate.active,
 element.normal.active,
 element.alternate.urgent,
 element.normal.urgent {
  background-color: @background-light;
  text-color: @foreground;
 }
 element.selected.urgent {
  background-color: @off;
  text-color: @background;
 }
 element.selected.active {
  background-color: @on;
  text-color: @background;
 }
--- a/modules/nixos/graphical/xorg.nix
+++ b/modules/nixos/graphical/xorg.nix
@ -40,7 +40,6 @@
          greeters.gtk.theme = gtkTheme;
          # Show default user
          # Also make sure /var/lib/AccountsService/users/<user> has SystemAccount=false
          extraSeatDefaults = ''
            greeter-hide-users = false
          '';
--- a/modules/nixos/hardware/boot.nix
+++ b/modules/nixos/hardware/boot.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
-  boot.loader = lib.mkIf (config.physical && !config.server) {
+  boot.loader = lib.mkIf config.physical {
    grub = {
      enable = true;
--- a/modules/nixos/hardware/keyboard.nix
+++ b/modules/nixos/hardware/keyboard.nix
@ -15,12 +15,7 @@
    # Use capslock as escape and/or control
    services.keyd = {
      enable = true;
-      keyboards = {
+      settings = { main = { capslock = "overload(control, esc)"; }; };
        default = {
          ids = [ "*" ];
          settings = { main = { capslock = "overload(control, esc)"; }; };
        };
      };
    };
    # Enable num lock on login
--- a/modules/nixos/hardware/networking.nix
+++ b/modules/nixos/hardware/networking.nix
@ -1,8 +1,13 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {
  config = lib.mkIf config.physical {
-    networking.useDHCP = true;
+    # The global useDHCP flag is deprecated, therefore explicitly set to false here.
    # Per-interface useDHCP will be mandatory in the future, so this generated config
    # replicates the default behaviour.
    networking.useDHCP = false;
    networking.interfaces.enp5s0.useDHCP = true;
    networking.interfaces.wlp4s0.useDHCP = true;
    networking.firewall.allowPing = lib.mkIf config.server true;
@ -10,9 +15,6 @@
    services.avahi = {
      enable = true;
      domainName = "local";
      ipv6 = false; # Should work either way
      # Resolve local hostnames using Avahi DNS
      nssmdns = true;
      publish = {
        enable = true;
        addresses = true;
@ -21,10 +23,8 @@
      };
    };
-    environment.systemPackages = [
+    # Resolve local hostnames using Avahi DNS
-      (pkgs.writeShellScriptBin "wake-tempest"
+    services.avahi.nssmdns = true;
        "${pkgs.wakeonlan}/bin/wakeonlan --ip=192.168.1.255 74:56:3C:40:37:5D")
    ];
  };
--- a/modules/nixos/hardware/server.nix
+++ b/modules/nixos/hardware/server.nix
@ -1,6 +1,6 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }: {
-  config = lib.mkIf config.server {
+  config = lib.mkIf (pkgs.stdenv.isLinux && config.server) {
    # Servers need a bootloader or they won't start
    boot.loader.systemd-boot.enable = true;
--- a/modules/nixos/hardware/sleep.nix
+++ b/modules/nixos/hardware/sleep.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
-  config = lib.mkIf (config.physical && !config.server) {
+  config = lib.mkIf config.physical {
    # Prevent wake from keyboard
    powerManagement.powerDownCommands = ''
--- a/modules/nixos/hardware/zfs.nix
+++ b/modules/nixos/hardware/zfs.nix
@ -1,21 +1,16 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }: {
  options = { zfs.enable = lib.mkEnableOption "ZFS file system."; };
-  config = lib.mkIf (config.server && config.zfs.enable) {
+  config =
    lib.mkIf (pkgs.stdenv.isLinux && config.server && config.zfs.enable) {
-    # Only use compatible Linux kernel, since ZFS can be behind
+      # Only use compatible Linux kernel, since ZFS can be behind
-    boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+      boot.kernelPackages =
-    boot.kernelParams = [ "nohibernate" ];
+        config.boot.zfs.package.latestCompatibleLinuxPackages;
-    boot.supportedFilesystems = [ "zfs" ];
+      boot.kernelParams = [ "nohibernate" ];
-    services.prometheus.exporters.zfs.enable =
+      boot.supportedFilesystems = [ "zfs" ];
      config.prometheus.exporters.enable;
    prometheus.scrapeTargets = [
      "127.0.0.1:${
        builtins.toString config.services.prometheus.exporters.zfs.port
      }"
    ];
-  };
+    };
 }
--- a/modules/nixos/services/arr.nix
+++ b/modules/nixos/services/arr.nix
@ -1,31 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }: {
 let
  arrConfig = {
    radarr = {
      exportarrPort = "9707";
      url = "localhost:7878";
      apiKey = config.secrets.radarrApiKey.dest;
    };
    sonarr = {
      exportarrPort = "9708";
      url = "localhost:8989";
      apiKey = config.secrets.sonarrApiKey.dest;
    };
    prowlarr = {
      exportarrPort = "9709";
      url = "localhost:9696";
      apiKey = config.secrets.prowlarrApiKey.dest;
    };
    sabnzbd = {
      exportarrPort = "9710";
      url = "localhost:8085";
      apiKey = config.secrets.sabnzbdApiKey.dest;
    };
  };
 in {
  options = { arrs.enable = lib.mkEnableOption "Arr services"; };
@ -70,7 +43,7 @@ in {
        }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{ dial = arrConfig.sonarr.url; }];
+          upstreams = [{ dial = "localhost:8989"; }];
        }];
      }
      {
@ -81,7 +54,7 @@ in {
        }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{ dial = arrConfig.radarr.url; }];
+          upstreams = [{ dial = "localhost:7878"; }];
        }];
      }
      {
@ -103,11 +76,7 @@ in {
        }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{
+          upstreams = [{ dial = "localhost:6767"; }];
            dial = "localhost:${
                builtins.toString config.services.bazarr.listenPort
              }";
          }];
        }];
      }
      {
@ -118,7 +87,7 @@ in {
        }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{ dial = arrConfig.sabnzbd.url; }];
+          upstreams = [{ dial = "localhost:8085"; }];
        }];
      }
      {
@ -126,83 +95,11 @@ in {
        match = [{ host = [ config.hostnames.download ]; }];
        handle = [{
          handler = "reverse_proxy";
-          upstreams = [{
+          upstreams = [{ dial = "localhost:5055"; }];
            dial =
              "localhost:${builtins.toString config.services.jellyseerr.port}";
          }];
        }];
      }
    ];
    # Enable Prometheus exporters
    systemd.services = lib.mapAttrs' (name: attrs: {
      name = "prometheus-${name}-exporter";
      value = {
        description = "Export Prometheus metrics for ${name}";
        after = [ "network.target" ];
        wantedBy = [ "${name}.service" ];
        serviceConfig = {
          Type = "simple";
          DynamicUser = true;
          ExecStart = let
            url = if name != "sabnzbd" then
              "http://${attrs.url}/${name}"
            else
              "http://${attrs.url}";
          in ''
            ${pkgs.exportarr}/bin/exportarr ${name} \
                        --url ${url} \
                        --port ${attrs.exportarrPort}'';
          EnvironmentFile =
            lib.mkIf (builtins.hasAttr "apiKey" attrs) attrs.apiKey;
          Restart = "on-failure";
          ProtectHome = true;
          ProtectSystem = "strict";
          PrivateTmp = true;
          PrivateDevices = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          NoNewPrivileges = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          RemoveIPC = true;
          PrivateMounts = true;
        };
      };
    }) arrConfig;
    # Secrets for Prometheus exporters
    secrets.radarrApiKey = {
      source = ../../../private/radarr-api-key.age;
      dest = "/var/private/radarr-api";
      prefix = "API_KEY=";
    };
    secrets.sonarrApiKey = {
      source = ../../../private/sonarr-api-key.age;
      dest = "/var/private/sonarr-api";
      prefix = "API_KEY=";
    };
    secrets.prowlarrApiKey = {
      source = ../../../private/prowlarr-api-key.age;
      dest = "/var/private/prowlarr-api";
      prefix = "API_KEY=";
    };
    secrets.sabnzbdApiKey = {
      source = ../../../private/sabnzbd-api-key.age;
      dest = "/var/private/sabnzbd-api";
      prefix = "API_KEY=";
    };
    # Prometheus scrape targets
    prometheus.scrapeTargets = map (key:
      "127.0.0.1:${
        lib.attrsets.getAttrFromPath [ key "exportarrPort" ] arrConfig
      }") (builtins.attrNames arrConfig);
  };
 }
--- a/modules/nixos/services/bind.nix
+++ b/modules/nixos/services/bind.nix
@ -1,55 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  localIp = "192.168.1.218";
  localServices = [
    config.hostnames.stream
    config.hostnames.content
    config.hostnames.books
    config.hostnames.download
  ];
  mkRecord = service: "${service}       A       ${localIp}";
  localRecords = lib.concatLines (map mkRecord localServices);
 in {
  config = lib.mkIf config.services.bind.enable {
    caddy.cidrAllowlist = [ "192.168.0.0/16" ];
    services.bind = {
      cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
      forwarders = [ "1.1.1.1" "1.0.0.1" ];
      ipv4Only = true;
      # Use rpz zone as an override
      extraOptions = ''response-policy { zone "rpz"; };'';
      zones = {
        rpz = {
          master = true;
          file = pkgs.writeText "db.rpz" ''
            $TTL 60  ; 1 minute
            @       IN      SOA     localhost. root.localhost. (
                                    2023071800      ; serial
                                    1h              ; refresh
                                    30m             ; retry
                                    1w              ; expire
                                    30m             ; minimum ttl
                                    )
                    IN      NS      localhost.
            localhost       A       127.0.0.1
            ${localRecords}
          '';
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 53 ];
    networking.firewall.allowedUDPPorts = [ 53 ];
  };
 }
--- a/modules/nixos/services/caddy.nix
+++ b/modules/nixos/services/caddy.nix
@ -1,72 +1,52 @@
 { config, pkgs, lib, ... }: {
  options = {
-    caddy = {
+    caddy.tlsPolicies = lib.mkOption {
-      tlsPolicies = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
-        type = lib.types.listOf lib.types.attrs;
+      description = "Caddy JSON TLS policies";
-        description = "Caddy JSON TLS policies";
+      default = [ ];
-        default = [ ];
+    };
-      };
+    caddy.routes = lib.mkOption {
-      routes = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
-        type = lib.types.listOf lib.types.attrs;
+      description = "Caddy JSON routes for http servers";
-        description = "Caddy JSON routes for http servers";
+      default = [ ];
-        default = [ ];
+    };
-      };
+    caddy.blocks = lib.mkOption {
-      blocks = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
-        type = lib.types.listOf lib.types.attrs;
+      description = "Caddy JSON error blocks for http servers";
-        description = "Caddy JSON error blocks for http servers";
+      default = [ ];
        default = [ ];
      };
      cidrAllowlist = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        description = "CIDR blocks to allow for requests";
        default = [ ];
      };
    };
  };
-  config = lib.mkIf config.services.caddy.enable {
+  config =
    lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
-    # Force Caddy to 403 if not coming from allowlisted source
+      services.caddy = {
-    caddy.cidrAllowlist = [ "127.0.0.1/32" ];
+        adapter = "''"; # Required to enable JSON
-    caddy.routes = [{
+        configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
-      match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];
+          apps.http.servers.main = {
-      handle = [{
+            listen = [ ":443" ];
-        handler = "static_response";
+            routes = config.caddy.routes;
-        status_code = "403";
+            errors.routes = config.caddy.blocks;
-      }];
+            # logs = { }; # Uncomment to collect access logs
    }];
    services.caddy = {
      adapter = "''"; # Required to enable JSON
      configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
        apps.http.servers.main = {
          listen = [ ":443" ];
          routes = config.caddy.routes;
          errors.routes = config.caddy.blocks;
          logs = { }; # Uncomment to collect access logs
        };
        apps.http.servers.metrics = { }; # Enables Prometheus metrics
        apps.tls.automation.policies = config.caddy.tlsPolicies;
        logging.logs.main = {
          encoder = { format = "console"; };
          writer = {
            output = "file";
            filename = "${config.services.caddy.logDir}/caddy.log";
            roll = true;
            roll_size_mb = 1;
          };
-          level = "INFO";
+          apps.tls.automation.policies = config.caddy.tlsPolicies;
-        };
+          logging.logs.main = {
-      });
+            encoder = { format = "console"; };
            writer = {
              output = "file";
              filename = "${config.services.caddy.logDir}/caddy.log";
              roll = true;
            };
            level = "INFO";
          };
        });
      };
      networking.firewall.allowedTCPPorts = [ 80 443 ];
      networking.firewall.allowedUDPPorts = [ 443 ];
    };
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    networking.firewall.allowedUDPPorts = [ 443 ];
    prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
  };
 }
--- a/modules/nixos/services/calibre.nix
+++ b/modules/nixos/services/calibre.nix
@ -30,11 +30,7 @@ in {
      match = [{ host = [ config.hostnames.books ]; }];
      handle = [{
        handler = "reverse_proxy";
-        upstreams = [{
+        upstreams = [{ dial = "localhost:8083"; }];
          dial = "localhost:${
              builtins.toString config.services.calibre-web.listen.port
            }";
        }];
        headers.request.add."X-Script-Name" = [ "/calibre-web" ];
      }];
    }];
--- a/modules/nixos/services/cloudflare.nix
+++ b/modules/nixos/services/cloudflare.nix
@ -41,10 +41,19 @@ in {
  config = lib.mkIf config.cloudflare.enable {
    # Forces Caddy to error if coming from a non-Cloudflare IP
-    caddy.cidrAllowlist = cloudflareIpRanges;
+    caddy.blocks = [{
      match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
      handle = [{
        handler = "static_response";
        abort = true;
      }];
    }];
    # Tell Caddy to use Cloudflare DNS for ACME challenge validation
-    services.caddy.package = pkgs.caddy-cloudflare; # Patched overlay
+    services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
      plugins = [ "github.com/caddy-dns/cloudflare" ];
      # vendorSha256 = "sha256-K9HPZnr+hMcK5aEd1H4gEg6PXAaNrNWFvaHYm5m62JY=";
    });
    caddy.tlsPolicies = [{
      issuers = [{
        module = "acme";
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@ -3,7 +3,6 @@
  imports = [
    ./arr.nix
    ./backups.nix
    ./bind.nix
    ./caddy.nix
    ./calibre.nix
    ./cloudflare-tunnel.nix
@ -25,7 +24,6 @@
    ./sshd.nix
    ./transmission.nix
    ./vaultwarden.nix
    ./victoriametrics.nix
    ./wireguard.nix
  ];
--- a/modules/nixos/services/gitea-runner.nix
+++ b/modules/nixos/services/gitea-runner.nix
@ -10,9 +10,9 @@
      enable = true;
      labels = [
        # Provide a Debian base with NodeJS for actions
-        # "debian-latest:docker://node:18-bullseye"
+        "debian-latest:docker://node:18-bullseye"
        # Fake the Ubuntu name, because Node provides no Ubuntu builds
-        # "ubuntu-latest:docker://node:18-bullseye"
+        "ubuntu-latest:docker://node:18-bullseye"
        # Provide native execution on the host using below packages
        "native:host"
      ];
@ -31,28 +31,6 @@
      tokenFile = config.secrets.giteaRunnerToken.dest;
    };
    # Make sure the runner doesn't start until after Gitea
    systemd.services."gitea-runner-${config.networking.hostName}".after =
      [ "gitea.service" ];
    # API key needed to connect to Gitea
    secrets.giteaRunnerToken = {
      source = ../../../private/gitea-runner-token.age; # TOKEN=xyz
      dest = "${config.secretsDirectory}/gitea-runner-token";
    };
    systemd.services.giteaRunnerToken-secret = {
      requiredBy = [
        "gitea-runner-${
          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
        }.service"
      ];
      before = [
        "gitea-runner-${
          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
        }.service"
      ];
    };
  };
 }
--- a/modules/nixos/services/gitea.nix
+++ b/modules/nixos/services/gitea.nix
@ -9,7 +9,6 @@ in {
      database.type = "sqlite3";
      settings = {
        actions.ENABLED = true;
        metrics.ENABLED = true;
        repository = {
          DEFAULT_PUSH_CREATE_PRIVATE = true;
          DISABLE_HTTP_GIT = false;
@ -38,36 +37,13 @@ in {
    networking.firewall.allowedTCPPorts = [ 122 ];
    users.users.${config.user}.extraGroups = [ "gitea" ];
-    caddy.routes = [
+    caddy.routes = [{
-      {
+      match = [{ host = [ config.hostnames.git ]; }];
-        match = [{
+      handle = [{
-          host = [ config.hostnames.git ];
+        handler = "reverse_proxy";
-          path = [ "/metrics*" ];
+        upstreams = [{ dial = "localhost:3001"; }];
-        }];
+      }];
-        handle = [{
+    }];
          handler = "static_response";
          status_code = "403";
        }];
      }
      {
        match = [{ host = [ config.hostnames.git ]; }];
        handle = [{
          handler = "reverse_proxy";
          upstreams = [{
            dial = "localhost:${
                builtins.toString
                config.services.gitea.settings.server.HTTP_PORT
              }";
          }];
        }];
      }
    ];
    prometheus.scrapeTargets = [
      "127.0.0.1:${
        builtins.toString config.services.gitea.settings.server.HTTP_PORT
      }"
    ];
    ## Backup config
--- a/modules/nixos/services/grafana.nix
+++ b/modules/nixos/services/grafana.nix
--- a/modules/nixos/services/jellyfin.nix
+++ b/modules/nixos/services/jellyfin.nix
@ -5,25 +5,13 @@
    services.jellyfin.group = "media";
    users.users.jellyfin = { isSystemUser = true; };
-    caddy.routes = [
+    caddy.routes = [{
-      {
+      match = [{ host = [ config.hostnames.stream ]; }];
-        match = [{
+      handle = [{
-          host = [ config.hostnames.stream ];
+        handler = "reverse_proxy";
-          path = [ "/metrics*" ];
+        upstreams = [{ dial = "localhost:8096"; }];
-        }];
+      }];
-        handle = [{
+    }];
          handler = "static_response";
          status_code = "403";
        }];
      }
      {
        match = [{ host = [ config.hostnames.stream ]; }];
        handle = [{
          handler = "reverse_proxy";
          upstreams = [{ dial = "localhost:8096"; }];
        }];
      }
    ];
    # Create videos directory, allow anyone in Jellyfin group to manage it
    systemd.tmpfiles.rules = [
@ -47,9 +35,6 @@
    users.users.jellyfin.extraGroups =
      [ "render" "video" ]; # Access to /dev/dri
    # Requires MetricsEnable is true in /var/lib/jellyfin/config/system.xml
    prometheus.scrapeTargets = [ "127.0.0.1:8096" ];
  };
 }
--- a/modules/nixos/services/nextcloud.nix
+++ b/modules/nixos/services/nextcloud.nix
@ -3,144 +3,30 @@
  config = lib.mkIf config.services.nextcloud.enable {
    services.nextcloud = {
-      package = pkgs.nextcloud27; # Required to specify
+      package = pkgs.nextcloud26; # Required to specify
      configureRedis = true;
      datadir = "/data/nextcloud";
      database.createLocally = true;
      https = true;
      hostName = "localhost";
      maxUploadSize = "50G";
      config = {
        adminpassFile = config.secrets.nextcloud.dest;
        dbtype = "mysql";
        extraTrustedDomains = [ config.hostnames.content ];
        trustedProxies = [ "127.0.0.1" ];
      };
      extraOptions = { default_phone_region = "US"; };
      extraAppsEnable = true;
      extraApps = with config.services.nextcloud.package.packages.apps; {
        inherit calendar contacts;
        news = pkgs.nextcloudApps.news;
        external = pkgs.nextcloudApps.external;
        cookbook = pkgs.nextcloudApps.cookbook;
      };
      phpOptions = { "opcache.interned_strings_buffer" = "16"; };
    };
    # Don't let Nginx use main ports (using Caddy instead)
-    services.nginx.enable = false;
+    services.nginx.virtualHosts."localhost".listen = [{
-
+      addr = "127.0.0.1";
-    services.phpfpm.pools.nextcloud.settings = {
+      port = 8080;
-      "listen.owner" = config.services.caddy.user;
+    }];
      "listen.group" = config.services.caddy.group;
    };
    users.users.caddy.extraGroups = [ "nextcloud" ];
    # Point Caddy to Nginx
    caddy.routes = [{
      match = [{ host = [ config.hostnames.content ]; }];
      handle = [{
-        handler = "subroute";
+        handler = "reverse_proxy";
-        routes = [
+        upstreams = [{ dial = "localhost:8080"; }];
          # Sets variables and headers
          {
            handle = [
              {
                handler = "vars";
                root = config.services.nextcloud.package;
              }
              {
                handler = "headers";
                response.set.Strict-Transport-Security =
                  [ "max-age=31536000;" ];
              }
            ];
          }
          {
            match = [{ path = [ "/nix-apps*" "/store-apps*" ]; }];
            handle = [{
              handler = "vars";
              root = config.services.nextcloud.home;
            }];
          }
          # Reroute carddav and caldav traffic
          {
            match =
              [{ path = [ "/.well-known/carddav" "/.well-known/caldav" ]; }];
            handle = [{
              handler = "static_response";
              headers = { Location = [ "/remote.php/dav" ]; };
              status_code = 301;
            }];
          }
          # Block traffic to sensitive files
          {
            match = [{
              path = [
                "/.htaccess"
                "/data/*"
                "/config/*"
                "/db_structure"
                "/.xml"
                "/README"
                "/3rdparty/*"
                "/lib/*"
                "/templates/*"
                "/occ"
                "/console.php"
              ];
            }];
            handle = [{
              handler = "static_response";
              status_code = 404;
            }];
          }
          # Redirect index.php to the homepage
          {
            match = [{
              file = { try_files = [ "{http.request.uri.path}/index.php" ]; };
              not = [{ path = [ "*/" ]; }];
            }];
            handle = [{
              handler = "static_response";
              headers = { Location = [ "{http.request.orig_uri.path}/" ]; };
              status_code = 308;
            }];
          }
          # Rewrite paths to be relative
          {
            match = [{
              file = {
                split_path = [ ".php" ];
                try_files = [
                  "{http.request.uri.path}"
                  "{http.request.uri.path}/index.php"
                  "index.php"
                ];
              };
            }];
            handle = [{
              handler = "rewrite";
              uri = "{http.matchers.file.relative}";
            }];
          }
          # Send all PHP traffic to Nextcloud PHP service
          {
            match = [{ path = [ "*.php" ]; }];
            handle = [{
              handler = "reverse_proxy";
              transport = {
                protocol = "fastcgi";
                split_path = [ ".php" ];
              };
              upstreams = [{ dial = "unix//run/phpfpm/nextcloud.sock"; }];
            }];
          }
          # Finally, send the rest to the file server
          { handle = [{ handler = "file_server"; }]; }
        ];
      }];
      terminal = true;
    }];
    # Create credentials file for nextcloud
@ -159,27 +45,34 @@
    # Grant user access to Nextcloud directories
    users.users.${config.user}.extraGroups = [ "nextcloud" ];
    ## Backup config
    # Open to groups, allowing for backups
    systemd.services.phpfpm-nextcloud.serviceConfig.StateDirectoryMode =
      lib.mkForce "0770";
-    # Log metrics to prometheus
+    # Allow litestream and nextcloud to share a sqlite database
-    networking.hosts."127.0.0.1" = [ config.hostnames.content ];
+    users.users.litestream.extraGroups = [ "nextcloud" ];
-    services.prometheus.exporters.nextcloud = {
+    users.users.nextcloud.extraGroups = [ "litestream" ];
-      enable = config.prometheus.exporters.enable;
+
-      username = config.services.nextcloud.config.adminuser;
+    # Backup sqlite database with litestream
-      url = "https://${config.hostnames.content}";
+    services.litestream = {
-      passwordFile = config.services.nextcloud.config.adminpassFile;
+      settings = {
        dbs = [{
          path = "${config.services.nextcloud.datadir}/data/nextcloud.db";
          replicas = [{
            url =
              "s3://${config.backup.s3.bucket}.${config.backup.s3.endpoint}/nextcloud";
          }];
        }];
      };
    };
    # Don't start litestream unless nextcloud is up
    systemd.services.litestream = {
      after = [ "phpfpm-nextcloud.service" ];
      requires = [ "phpfpm-nextcloud.service" ];
    };
    prometheus.scrapeTargets = [
      "127.0.0.1:${
        builtins.toString config.services.prometheus.exporters.nextcloud.port
      }"
    ];
    # Allows nextcloud-exporter to read passwordFile
    users.users.nextcloud-exporter.extraGroups =
      lib.mkIf config.services.prometheus.exporters.nextcloud.enable
      [ "nextcloud" ];
  };
--- a/modules/nixos/services/prometheus.nix
+++ b/modules/nixos/services/prometheus.nix
@ -1,58 +1,18 @@
 { config, pkgs, lib, ... }: {
  options.prometheus = {
    exporters.enable = lib.mkEnableOption "Enable Prometheus exporters";
    scrapeTargets = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "Prometheus scrape targets";
      default = [ ];
    };
  };
  config = let
    # If hosting Grafana, host local Prometheus and listen for inbound jobs. If
    # not hosting Grafana, send remote Prometheus writes to primary host.
    isServer = config.services.grafana.enable;
-  in {
+  in lib.mkIf config.services.prometheus.enable {
    # Turn on exporters if any Prometheus scraper is running
    prometheus.exporters.enable = builtins.any (x: x) [
      config.services.prometheus.enable
      config.services.victoriametrics.enable
      config.services.vmagent.enable
    ];
    prometheus.scrapeTargets = [
      "127.0.0.1:${
        builtins.toString config.services.prometheus.exporters.node.port
      }"
      "127.0.0.1:${
        builtins.toString config.services.prometheus.exporters.systemd.port
      }"
      "127.0.0.1:${
        builtins.toString config.services.prometheus.exporters.process.port
      }"
    ];
    services.prometheus = {
-      exporters.node.enable = config.prometheus.exporters.enable;
+      exporters.node.enable = true;
      exporters.node.enabledCollectors = [ ];
      exporters.node.disabledCollectors = [ "cpufreq" ];
      exporters.systemd.enable = config.prometheus.exporters.enable;
      exporters.process.enable = config.prometheus.exporters.enable;
      exporters.process.settings.process_names = [
        # Remove nix store path from process name
        {
          name = "{{.Matches.Wrapped}} {{ .Matches.Args }}";
          cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ];
        }
      ];
      extraFlags = lib.mkIf isServer [ "--web.enable-remote-write-receiver" ];
      scrapeConfigs = [{
-        job_name = config.networking.hostName;
+        job_name = "local";
-        static_configs = [{ targets = config.scrapeTargets; }];
+        static_configs = [{ targets = [ "127.0.0.1:9100" ]; }];
      }];
      webExternalUrl =
        lib.mkIf isServer "https://${config.hostnames.prometheus}";
@ -68,7 +28,7 @@
        });
      remoteWrite = lib.mkIf (!isServer) [{
        name = config.networking.hostName;
-        url = "https://${config.hostnames.prometheus}/api/v1/write";
+        url = "https://${config.hostnames.prometheus}";
        basic_auth = {
          # Uses password hashed with bcrypt above
          username = "prometheus";
@ -78,26 +38,23 @@
    };
    # Create credentials file for remote Prometheus push
-    secrets.prometheus =
+    secrets.prometheus = lib.mkIf (!isServer) {
-      lib.mkIf (config.services.prometheus.enable && !isServer) {
+      source = ../../../private/prometheus.age;
-        source = ../../../private/prometheus.age;
+      dest = "${config.secretsDirectory}/prometheus";
-        dest = "${config.secretsDirectory}/prometheus";
+      owner = "prometheus";
-        owner = "prometheus";
+      group = "prometheus";
-        group = "prometheus";
+      permissions = "0440";
-        permissions = "0440";
+    };
-      };
+    systemd.services.prometheus-secret = lib.mkIf (!isServer) {
-    systemd.services.prometheus-secret =
+      requiredBy = [ "prometheus.service" ];
-      lib.mkIf (config.services.prometheus.enable && !isServer) {
+      before = [ "prometheus.service" ];
-        requiredBy = [ "prometheus.service" ];
+    };
        before = [ "prometheus.service" ];
      };
-    caddy.routes = lib.mkIf (config.services.prometheus.enable && isServer) [{
+    caddy.routes = lib.mkIf isServer [{
      match = [{ host = [ config.hostnames.prometheus ]; }];
      handle = [{
        handler = "reverse_proxy";
-        upstreams =
+        upstreams = [{ dial = "localhost:9090"; }];
          [{ dial = "localhost:${config.services.prometheus.port}"; }];
      }];
    }];
--- a/modules/nixos/services/secrets.nix
+++ b/modules/nixos/services/secrets.nix
@ -39,11 +39,6 @@
            type = lib.types.str;
            description = "Permissions expressed as octal.";
          };
          prefix = lib.mkOption {
            default = "";
            type = lib.types.str;
            description = "Prefix for secret value (for environment files).";
          };
        };
      });
      description = "Set of secrets to decrypt to disk.";
@ -70,10 +65,10 @@
        wantedBy = [ "multi-user.target" ];
        serviceConfig.Type = "oneshot";
        script = ''
-          echo "${attrs.prefix}$(
+          ${pkgs.age}/bin/age --decrypt \
-            ${pkgs.age}/bin/age --decrypt \
+            --identity ${config.identityFile} \
-                --identity ${config.identityFile} ${attrs.source}
+            --output ${attrs.dest} \
-          )" > ${attrs.dest}
+            ${attrs.source}
          chown '${attrs.owner}':'${attrs.group}' '${attrs.dest}'
          chmod '${attrs.permissions}' '${attrs.dest}'
--- a/modules/nixos/services/sshd.nix
+++ b/modules/nixos/services/sshd.nix
@ -13,8 +13,9 @@
    };
  };
-  config = lib.mkIf config.services.openssh.enable {
+  config = lib.mkIf (config.publicKey != null) {
    services.openssh = {
      enable = true;
      ports = [ 22 ];
      allowSFTP = true;
      settings = {
@ -26,7 +27,7 @@
    };
    users.users.${config.user}.openssh.authorizedKeys.keys =
-      lib.mkIf (config.publicKey != null) [ config.publicKey ];
+      [ config.publicKey ];
    # Implement a simple fail2ban service for sshd
    services.sshguard.enable = true;
--- a/modules/nixos/services/vaultwarden.nix
+++ b/modules/nixos/services/vaultwarden.nix
@ -39,11 +39,7 @@ in {
      match = [{ host = [ config.hostnames.secrets ]; }];
      handle = [{
        handler = "reverse_proxy";
-        upstreams = [{
+        upstreams = [{ dial = "localhost:8222"; }];
          dial = "localhost:${
              builtins.toString config.services.vaultwarden.config.ROCKET_PORT
            }";
        }];
        headers.request.add."X-Real-IP" = [ "{http.request.remote.host}" ];
      }];
    }];
--- a/modules/nixos/services/victoriametrics.nix
+++ b/modules/nixos/services/victoriametrics.nix
@ -1,95 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  username = "prometheus";
  prometheusConfig = (pkgs.formats.yaml { }).generate "prometheus.yml" {
    scrape_configs = [{
      job_name = config.networking.hostName;
      stream_parse = true;
      static_configs = [{ targets = config.prometheus.scrapeTargets; }];
    }];
  };
  authConfig = (pkgs.formats.yaml { }).generate "auth.yml" {
    users = [{
      username = username;
      password = "%{PASSWORD}";
      url_prefix =
        "http://localhost${config.services.victoriametrics.listenAddress}";
    }];
  };
  authPort = "8427";
 in {
  config = {
    services.victoriametrics.extraOptions =
      [ "-promscrape.config=${prometheusConfig}" ];
    systemd.services.vmauth = lib.mkIf config.services.victoriametrics.enable {
      description = "VictoriaMetrics basic auth proxy";
      after = [ "network.target" ];
      startLimitBurst = 5;
      serviceConfig = {
        Restart = "on-failure";
        RestartSec = 1;
        DynamicUser = true;
        EnvironmentFile = config.secrets.vmauth.dest;
        ExecStart = ''
          ${pkgs.victoriametrics}/bin/vmauth \
                    -auth.config=${authConfig} \
                    -httpListenAddr=:${authPort}'';
      };
      wantedBy = [ "multi-user.target" ];
    };
    secrets.vmauth = lib.mkIf config.services.victoriametrics.enable {
      source = ../../../private/prometheus.age;
      dest = "${config.secretsDirectory}/vmauth";
      prefix = "PASSWORD=";
    };
    systemd.services.vmauth-secret =
      lib.mkIf config.services.victoriametrics.enable {
        requiredBy = [ "vmauth.service" ];
        before = [ "vmauth.service" ];
      };
    caddy.routes = lib.mkIf config.services.victoriametrics.enable [{
      match = [{ host = [ config.hostnames.prometheus ]; }];
      handle = [{
        handler = "reverse_proxy";
        upstreams = [{ dial = "localhost:${authPort}"; }];
      }];
    }];
    # VMAgent
    services.vmagent.prometheusConfig = prometheusConfig; # Overwritten below
    systemd.services.vmagent.serviceConfig =
      lib.mkIf config.services.vmagent.enable {
        ExecStart = lib.mkForce ''
          ${pkgs.victoriametrics}/bin/vmagent \
                  -promscrape.config=${prometheusConfig} \
                  -remoteWrite.url="https://${config.hostnames.prometheus}/api/v1/write" \
                  -remoteWrite.basicAuth.username=${username} \
                  -remoteWrite.basicAuth.passwordFile=${config.secrets.vmagent.dest}'';
      };
    secrets.vmagent = lib.mkIf config.services.vmagent.enable {
      source = ../../../private/prometheus.age;
      dest = "${config.secretsDirectory}/vmagent";
      owner = "vmagent";
      group = "vmagent";
    };
    systemd.services.vmagent-secret = lib.mkIf config.services.vmagent.enable {
      requiredBy = [ "vmagent.service" ];
      before = [ "vmagent.service" ];
    };
  };
 }
--- a/modules/nixos/services/wireguard.nix
+++ b/modules/nixos/services/wireguard.nix
@ -38,7 +38,7 @@
    };
    # Create private key file for wireguard
-    secrets.wireguard = lib.mkIf config.wireguard.enable {
+    secrets.wireguard = {
      source = ../../../private/wireguard.age;
      dest = "${config.secretsDirectory}/wireguard";
    };
--- a/modules/nixos/system/auto-upgrade.nix
+++ b/modules/nixos/system/auto-upgrade.nix
@ -1,47 +0,0 @@
 { config, pkgs, lib, ... }: {
  # This setting only applies to NixOS, different on Darwin
  nix.gc.dates = "03:03"; # Run every morning (but before upgrade)
  # Update the system daily by pointing it at the flake repository
  system.autoUpgrade = {
    enable = config.server; # Only auto upgrade servers
    dates = "03:33";
    flake = "git+${config.dotfilesRepo}";
    randomizedDelaySec = "25min";
    operation = "switch";
    allowReboot = true;
    rebootWindow = {
      lower = "00:01";
      upper = "06:00";
    };
  };
  # Create an email notification service for failed jobs
  systemd.services."notify-email@" =
    let address = "system@${config.mail.server}";
    in {
      enable = config.mail.enable;
      environment.SERVICE_ID = "%i";
      script = ''
        TEMPFILE=$(mktemp)
        echo "From: ${address}" > $TEMPFILE
        echo "To: ${address}" >> $TEMPFILE
        echo "Subject: Failure in $SERVICE_ID" >> $TEMPFILE
        echo -e "\nGot an error with $SERVICE_ID\n\n" >> $TEMPFILE
        set +e
        systemctl status $SERVICE_ID >> $TEMPFILE
        set -e
        ${pkgs.msmtp}/bin/msmtp \
            --file=${config.homePath}/.config/msmtp/config \
            --account=system \
            ${address} < $TEMPFILE
      '';
    };
  # Send an email whenever auto upgrade fails
  systemd.services.nixos-upgrade.onFailure =
    lib.mkIf config.systemd.services."notify-email@".enable
    [ "notify-email@%i.service" ];
 }
--- a/modules/nixos/system/default.nix
+++ b/modules/nixos/system/default.nix
@ -1,7 +1,6 @@
 { config, pkgs, lib, ... }: {
-  imports =
+  imports = [ ./doas.nix ./journald.nix ./user.nix ./timezone.nix ];
    [ ./auto-upgrade.nix ./doas.nix ./journald.nix ./user.nix ./timezone.nix ];
  config = lib.mkIf pkgs.stdenv.isLinux {
@ -9,6 +8,13 @@
    system.stateVersion =
      config.home-manager.users.${config.user}.home.stateVersion;
    # This setting only applies to NixOS, different on Darwin
    nix.gc.dates = "weekly";
    systemd.timers.nix-gc.timerConfig = { WakeSystem = true; };
    systemd.services.nix-gc.postStop =
      lib.mkIf (!config.server) "systemctl suspend";
  };
 }
--- a/modules/nixos/system/doas.nix
+++ b/modules/nixos/system/doas.nix
@ -13,11 +13,11 @@
      doas = {
        enable = true;
-        # No password required for trusted users
+        # No password required
        wheelNeedsPassword = false;
        # Pass environment variables from user to root
-        # Also requires specifying that we are removing password here
+        # Also requires removing password here
        extraRules = [{
          groups = [ "wheel" ];
          noPass = true;
@ -26,7 +26,6 @@
      };
    };
    # Alias sudo to doas for convenience
    home-manager.users.${config.user}.programs.fish.shellAliases = {
      sudo = "doas";
    };
--- a/modules/nixos/system/journald.nix
+++ b/modules/nixos/system/journald.nix
@ -1,7 +1,6 @@
 { ... }: {
  # How long to keep journalctl entries
  # This helps to make sure log disk usage doesn't grow too unwieldy
  services.journald.extraConfig = ''
    SystemMaxUse=100M
    MaxFileSec=1month
--- a/modules/nixos/system/user.nix
+++ b/modules/nixos/system/user.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }: {
  options = {
@ -11,7 +11,7 @@
  };
-  config = {
+  config = lib.mkIf (pkgs.stdenv.isLinux) {
    # Allows us to declaritively set password
    users.mutableUsers = false;
--- a/overlays/README.md
+++ b/overlays/README.md
@ -1,7 +0,0 @@
 # Overlays
 These are pinned commits, patches, or new packages for programs in Nixpkgs used
 by this flake configuration.
 Some of them introduce new functionality, while others could be patching
 temporary issues.
--- a/overlays/betterlockscreen.nix
+++ b/overlays/betterlockscreen.nix
@ -1,4 +0,0 @@
 # Disable dunst so that it's not attempting to reach a non-existent dunst service
 _final: prev: {
  betterlockscreen = prev.betterlockscreen.override { withDunst = false; };
 }
--- a/overlays/caddy.nix
+++ b/overlays/caddy.nix
@ -1,14 +1,7 @@
-# Adds the Cloudflare DNS validation module
+{ lib, buildGo118Module, fetchFromGitHub, plugins ? [ ] }:
 inputs: _final: prev:
 let
-
+  goImports = lib.flip lib.concatMapStrings plugins (pkg: "   _ \"${pkg}\"\n");
-  plugins = [ "github.com/caddy-dns/cloudflare" ];
+  goGets = lib.flip lib.concatMapStrings plugins (pkg: "go get ${pkg}\n      ");
  goImports =
    prev.lib.flip prev.lib.concatMapStrings plugins (pkg: "   _ \"${pkg}\"\n");
  goGets = prev.lib.flip prev.lib.concatMapStrings plugins
    (pkg: "go get ${pkg}\n      ");
  main = ''
    package main
    import (
@ -20,43 +13,44 @@ let
    	caddycmd.Main()
    }
  '';
 in buildGo118Module rec {
  pname = "caddy";
  version = "2.6.4";
  runVend = true;
-in {
+  subPackages = [ "cmd/caddy" ];
  caddy-cloudflare = prev.buildGo118Module {
    pname = "caddy-cloudflare";
    version = prev.caddy.version;
    runVend = true;
-    subPackages = [ "cmd/caddy" ];
+  src = fetchFromGitHub {
    owner = "caddyserver";
    repo = "caddy";
    rev = "v${version}";
    sha256 = "sha256:3a3+nFHmGONvL/TyQRqgJtrSDIn0zdGy9YwhZP17mU0=";
  };
-    src = prev.caddy.src;
+  vendorSha256 = "sha256:CrHqJcJ0knX+txQ5qvzW4JrU8vfi3FO3M/xtislIC1M=";
-    vendorSha256 = "sha256:CrHqJcJ0knX+txQ5qvzW4JrU8vfi3FO3M/xtislIC1M=";
+  overrideModAttrs = (_: {
-
+    preBuild = ''
    overrideModAttrs = (_: {
      preBuild = ''
        echo '${main}' > cmd/caddy/main.go
        ${goGets}
      '';
      postInstall = "cp go.sum go.mod $out/ && ls $out/";
    });
    postPatch = ''
      echo '${main}' > cmd/caddy/main.go
-      cat cmd/caddy/main.go
+      ${goGets}
    '';
    postInstall = "cp go.sum go.mod $out/ && ls $out/";
  });
-    postConfigure = ''
+  postPatch = ''
-      cp vendor/go.sum ./
+    echo '${main}' > cmd/caddy/main.go
-      cp vendor/go.mod ./
+    cat cmd/caddy/main.go
-    '';
+  '';
-    meta = with prev.lib; {
+  postConfigure = ''
-      homepage = "https://caddyserver.com";
+    cp vendor/go.sum ./
-      description =
+    cp vendor/go.mod ./
-        "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
+  '';
-      license = licenses.asl20;
+
-      maintainers = with maintainers; [ Br1ght0ne techknowlogick ];
+  meta = with lib; {
-    };
+    homepage = "https://caddyserver.com";
    description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
    license = licenses.asl20;
    maintainers = with maintainers; [ Br1ght0ne techknowlogick ];
  };
 }
--- a/overlays/mpv-scripts.nix
+++ b/overlays/mpv-scripts.nix
@ -1,17 +0,0 @@
 inputs: _final: prev: {
  mpvScripts = prev.mpvScripts // {
    # Delete current file after quitting
    mpv-delete-file = prev.stdenv.mkDerivation rec {
      pname = "mpv-delete-file";
      version = "0.1"; # made-up
      src = inputs.zenyd-mpv-scripts + "/delete_file.lua";
      dontBuild = true;
      dontUnpack = true;
      installPhase =
        "install -Dm644 ${src} $out/share/mpv/scripts/delete_file.lua";
      passthru.scriptName = "delete_file.lua";
    };
  };
 }
--- a/overlays/neovim-plugins.nix
+++ b/overlays/neovim-plugins.nix
@ -7,35 +7,37 @@ let
  # Use nixpkgs vimPlugin but with source directly from plugin author
  withSrc = pkg: src: pkg.overrideAttrs (_: { inherit src; });
-  # Package plugin - for plugins not found in nixpkgs at all
+  # Package plugin - disabling until in use
-  plugin = pname: src:
+  # plugin = pname: src:
-    prev.vimUtils.buildVimPluginFrom2Nix {
+  #   prev.vimUtils.buildVimPluginFrom2Nix {
-      inherit pname src;
+  #     inherit pname src;
-      version = "master";
+  #     version = "master";
-    };
+  #   };
 in {
  nil = inputs.nil.packages.${prev.system}.nil;
  vscode-terraform-snippets = inputs.vscode-terraform-snippets;
-  nvim-lspconfig = withSrc prev.vimPlugins.nvim-lspconfig inputs.nvim-lspconfig;
+  nvim-lspconfig =
-  cmp-nvim-lsp = withSrc prev.vimPlugins.cmp-nvim-lsp inputs.cmp-nvim-lsp;
+    (withSrc prev.vimPlugins.nvim-lspconfig inputs.nvim-lspconfig);
-  null-ls-nvim = withSrc prev.vimPlugins.null-ls-nvim inputs.null-ls-nvim;
+  cmp-nvim-lsp = (withSrc prev.vimPlugins.cmp-nvim-lsp inputs.cmp-nvim-lsp);
-  comment-nvim = withSrc prev.vimPlugins.comment-nvim inputs.comment-nvim;
+  null-ls-nvim = (withSrc prev.vimPlugins.null-ls-nvim inputs.null-ls-nvim);
  comment-nvim = (withSrc prev.vimPlugins.comment-nvim inputs.comment-nvim);
  nvim-treesitter =
-    withSrc prev.vimPlugins.nvim-treesitter inputs.nvim-treesitter;
+    (withSrc prev.vimPlugins.nvim-treesitter inputs.nvim-treesitter);
-  telescope-nvim = withSrc prev.vimPlugins.telescope-nvim inputs.telescope-nvim;
+  telescope-nvim =
-  telescope-project-nvim = withSrc prev.vimPlugins.telescope-project-nvim
+    (withSrc prev.vimPlugins.telescope-nvim inputs.telescope-nvim);
-    inputs.telescope-project-nvim;
+  telescope-project-nvim = (withSrc prev.vimPlugins.telescope-project-nvim
    inputs.telescope-project-nvim);
  toggleterm-nvim =
-    withSrc prev.vimPlugins.toggleterm-nvim inputs.toggleterm-nvim;
+    (withSrc prev.vimPlugins.toggleterm-nvim inputs.toggleterm-nvim);
  bufferline-nvim =
-    withSrc prev.vimPlugins.bufferline-nvim inputs.bufferline-nvim;
+    (withSrc prev.vimPlugins.bufferline-nvim inputs.bufferline-nvim);
-  nvim-tree-lua = withSrc prev.vimPlugins.nvim-tree-lua inputs.nvim-tree-lua;
+  nvim-tree-lua = (withSrc prev.vimPlugins.nvim-tree-lua inputs.nvim-tree-lua);
-  # Packaging plugins entirely with Nix
+  # Packaging plugins with Nix
-  baleia-nvim = plugin "baleia-nvim" inputs.baleia-nvim-src;
+  # comment-nvim = plugin "comment-nvim" comment-nvim-src;
-  hmts-nvim = plugin "hmts-nvim" inputs.hmts-nvim-src;
+  # plenary-nvim = plugin "plenary-nvim" plenary-nvim-src;
 }
--- a/overlays/nextcloud-apps.nix
+++ b/overlays/nextcloud-apps.nix
@ -1,18 +0,0 @@
 inputs: _final: prev: {
  nextcloudApps = {
    news = prev.fetchNextcloudApp {
      url = inputs.nextcloud-news.outPath;
      sha256 = inputs.nextcloud-news.narHash;
    };
    external = prev.fetchNextcloudApp {
      url = inputs.nextcloud-external.outPath;
      sha256 = inputs.nextcloud-external.narHash;
    };
    cookbook = prev.fetchNextcloudApp {
      url = inputs.nextcloud-cookbook.outPath;
      sha256 = inputs.nextcloud-cookbook.narHash;
    };
  };
 }
--- a/overlays/tree-sitter.nix
+++ b/overlays/tree-sitter.nix
@ -1,32 +1,46 @@
 # Fix: bash highlighting doesn't work as of this commit:
 # https://github.com/NixOS/nixpkgs/commit/49cce41b7c5f6b88570a482355d9655ca19c1029
 inputs: _final: prev: {
  tree-sitter-grammars = prev.tree-sitter-grammars // {
    # Fix: bash highlighting doesn't work as of this commit:
    # https://github.com/NixOS/nixpkgs/commit/49cce41b7c5f6b88570a482355d9655ca19c1029
    tree-sitter-bash = prev.tree-sitter-grammars.tree-sitter-bash.overrideAttrs
-      (old: { src = inputs.tree-sitter-bash; });
+      (old: {
-
+        src = prev.fetchFromGitHub {
-    # Fix: invalid node in position. Broken as of this commit (replaced with newer):
+          owner = "tree-sitter";
-    # https://github.com/NixOS/nixpkgs/commit/8ec3627796ecc899e6f47f5bf3c3220856ead9c5
+          repo = "tree-sitter-bash";
-    tree-sitter-python =
+          rev = "493646764e7ad61ce63ce3b8c59ebeb37f71b841";
-      prev.tree-sitter-grammars.tree-sitter-python.overrideAttrs
+          sha256 = "sha256-gl5F3IeZa2VqyH/qFj8ey2pRbGq4X8DL5wiyvRrH56U=";
-      (old: { src = inputs.tree-sitter-python; });
+        };
-
+      });
    # Add grammars not in nixpks
    tree-sitter-ini = prev.tree-sitter.buildGrammar {
      language = "ini";
      version = "1.0.0";
-      src = inputs.tree-sitter-ini;
+      src = prev.fetchFromGitHub {
        owner = "justinmk";
        repo = "tree-sitter-ini";
        rev = "1a0ce072ebf3afac7d5603d9a95bb7c9a6709b44";
        sha256 = "sha256-pPtKokpTgjoNzPW4dRkOnyzBBJFeJj3+CW3LbHSKsmU=";
      };
    };
    tree-sitter-puppet = prev.tree-sitter.buildGrammar {
      language = "puppet";
      version = "1.0.0";
-      src = inputs.tree-sitter-puppet;
+      src = prev.fetchFromGitHub {
        owner = "amaanq";
        repo = "tree-sitter-puppet";
        rev = "v1.0.0";
        sha256 = "sha256-vk5VJZ9zW2bBuc+DM+fwFyhM1htZGeLlmkjMAH66jBA=";
      };
    };
    tree-sitter-rasi = prev.tree-sitter.buildGrammar {
      language = "rasi";
      version = "0.1.1";
-      src = inputs.tree-sitter-rasi;
+      src = prev.fetchFromGitHub {
        owner = "Fymyte";
        repo = "tree-sitter-rasi";
        rev = "371dac6bcce0df5566c1cfebde69d90ecbeefd2d";
        sha256 = "sha256-2nYZoLcrxxxiOJEySwHUm93lzMg8mU+V7LIP63ntFdA=";
      };
    };
  };
--- a/misc/password.sha512
+++ b/misc/password.sha512
--- a/private/backup.age
+++ b/private/backup.age
@ -1,15 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBhNzEr
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBkOVNs
-aFRkQ3luWWhBbmdTTEtNOGc0c3ZPcTlRbktxd2xQZHFyMDF1c1ZVCkMwWDF5UlJH
+NklGeTFxTTQzQ2t5WVUvVzREVnk3WjB0ZnUwdGo5Wk5Zc2RVeVJJCnBFbHcvUzdi
-RTBhMXI0ZEhkQm5takh0QUpiZm5rbTk3M3REdUhQV0lOdmMKLT4gc3NoLWVkMjU1
+SG5xeTg2dU9oRUtiYXk3cERJOC9zbitrZ1hxZ0RJWDVYNmcKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIHdGOVptZzNIRlp1NUlFY1k2b1FtN3JRczMrZ054ZlhUbVlvRVVS
+MTkgWXlTVU1RIElNNkFMYkRoYXpPV1RtWEhrdUJCbXczd05tTG5QNi8wVktYQmZn
-NEZCaTQKUmMwWFBBVDdBMlBpekVCSC9EMERHdXlKNGpubXRmY0FxalRxbTNnREky
+eTlWbTgKUVVrb21mTTNzZ1d6cE0yU2l4SVhqbkNyUEpLSHJyUEMyS1pLNGloTlpK
-ZwotPiBzc2gtZWQyNTUxOSBuanZYNUEgeGhzMDRONFJjMEJZWUlDeHp6SHZERXJS
+cwotPiBzc2gtZWQyNTUxOSBuanZYNUEgRU5LM2FKNEZ3Y1dDOW02VFU4bnNuZHpE
-VjNLb25adVJ2V0MxMm9DUE5Gawo2RlhSNDY3K2oyQ2VGZ3p1MHRreU0ydmZjRkZQ
+QzBLMlBhVnY3aGIrZDNhOUNWcwpSMHNsYTRlNFc5V0NsQ1h2VGFqUHNBVkxTVXdz
-bHZsbkxXdzNsN1A2alBBCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBqL2FWZis5N2l6
+dGx6bWFwR1FFU2JNdmlBCi0tLSB6b3dpRmFURm0veFRFRitpbmZoOWJFcU8rbHJk
-T0lYUVRBcDBWQ0sxRFd5V3JydzVTVUZZaDZyL1ZGaUJvClRPazdXOWM5MUhrLys4
+OXVIbGpUSWNFdWZmczVNCrodWjz8yVOdHHcVH9s2gOJfDrZFCP7L14RdGs9UW/Iw
-OWp2SVg5S0pnVE51MzRwMU1hRThKVFJZSHJzY1kKLS0tIGl1UjBtUzhVZTArZkVt
+JaJr5YblUiqTfKJiCN8dnCve3oCUlIY6K+yrBh5GaNbiwOgCzzZO5BGXEqoUSnux
-RVhMMlJNQVlBS0Z5bTByQ1hpSGQvZVprL29oS0UKZGsWBbEUiDIJhoBOEaLF7cnW
+ltmV1UI4
 FMcg1pxgmlioqsRbKdcYlZWEKDYUa0ZctJEYo0m+eGxilTV/qctyiEIYsoKU1t0Y
 +kCTYQk+RbtKfQ7xEStmJ2cdZDE=
 -----END AGE ENCRYPTED FILE-----
--- a/private/cloudflare-api.age
+++ b/private/cloudflare-api.age
@ -1,15 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBRckNo
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyByWGJS
-MkttVHF3WWhKMGtCY1ZoL251SlhEb0YxUEZSSDBLVHhQK3o1QW1rCkp5WHFTb0xE
+SmJlSVhZcUx5Y3JhVXYxUVhUbmp2QjNXeUxYL1EwNThJelRoTVNvCjFsU0gyaWNJ
-amRrM05XRGxzMkRPUWx3Z1BVMFRsRGxvemRLckZEY0E0QmMKLT4gc3NoLWVkMjU1
+SEJpNVpYWm1TL24yeHNLaWNIdU9FdWw2d3p6UVVMSEYwT28KLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIEhrV0E4b3VkOUZwYjBXTkF3UUhVVklLWXF0QkpYRjErY1l2dnFh
+MTkgWXlTVU1RIEV4NU1sOENFK1NvUWlZL1NmUCtUM2RRQmd1c2pnb3p6V3Bsc3pC
-VWZvVkEKUGd2VGtVaEFqc0lpZS9Jd0pSQ2IydHBUN1JWTGE4MzZZT2RXRUt2eVFI
+UVdYV3cKYmFkR0EwNVpRbzJBb2Z4RmpXSGVyK3BkLzd6TTMvQWRRK3BtRXZDUjVZ
-YwotPiBzc2gtZWQyNTUxOSBuanZYNUEgelFPWGtneFhDWmFoc2FIL0RwejZuS3Zr
+UQotPiBzc2gtZWQyNTUxOSBuanZYNUEgMG9rU0lzTU1iV1grOTNzZS85cldQZGE5
-ZzBUREMvTUtpYlNqdmV0cHBscwpOMitLS1NoVkZwYmZFcnJRWkRWVFJ4Sm1oTmhG
+Ym9nVkRvNC9OMUFBbStNT1BBOApucnl1Z0w1Y1RRU3grS0Z0TjNNRXcwVnVqeDFF
-WHRjaWQvZWNLcVl5ZURvCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBRMTdyOTRWV3NQ
+VGc3Mm93UFc0YXoweVBBCi0tLSBvTnpCc3hBVU81dkpBRzV2L3NWTlZaV2QxUVNZ
-T1I0Wk1jOE5KSVFFaUEwTm9iRElCd1pscG80czF1U0E4CmREU3BNVklzOXZKVFFp
+KzJwcUI2QUl2NEY0R1p3CmDvQwsKrtmTJliCxHv+LSoIV8jYpQJ7I2LJSH9uP89N
-UWRoYXp2UXRxR2ZhbzlYSng5akV5Zy9hZC9uWHcKLS0tIFFjdE5KN2lxMFQ2emJh
+7wbAwGjv/Uxk7gnMn5EqQuFKZeOl8LLhKEprmVqVZqlkgbpaaaWud/4xNKu9v5h
-d1NwRm8xaHpZNGxQbFUzSTh3MWxJRXViUjVBUFkKr/OxDAiV2XR3YZDdT1DSPUPk
+lWuY1sYd
 XQrbpI/urpfXPyQAzXH2IwqRU2H56JHH2Q+z1OK6/BDzpxyFf1HmK/N9p/00osK5
 WPeBVcNDMmWD/RlgEyooxyajK6Q=
 -----END AGE ENCRYPTED FILE-----
--- a/private/cloudflared-flame.age
+++ b/private/cloudflared-flame.age
@ -1,17 +1,15 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyB6R2Vp
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBQVzVy
-T2d4eDRDdGdIZVdZelRUY09oRWtwTFpDbGFEKytiOGxxQjgwakRrCnBveWptbm5P
+ZmRldHhVenI3RVdOQXkyQ3pQUWM3N2l0bFBqT3ozakp3Nk5nS1dVCmoxb1lzVWd1
-Q2lkaG4vSWZkS0RjM0VuUWtsalovZkJVamJzV1pWbGlDTzAKLT4gc3NoLWVkMjU1
+YWZ0UWd4TExELzJ1cElsQ0o2L1g4TVBpZW16TmxvT05GaFEKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIEtuMnZvcGExWmJZU0tsdTJXa0ljeXYzOEJKV1Qrc0xNSnE0emJI
+MTkgWXlTVU1RIDR2TjdhbG1MelVVTXF3WUhFRWZKRGVoYUNwdy9hc05uajg2enlY
-czdQbjgKM0NFc29UZTFUbVVrbFIzUDZhUlkrbGxSSXl6SldnYXh6a0hXSVlHQ25v
+S0x5eWcKSlM2YjFCRi9yN3ozVkhScXM5S0dNRnhpeisvNlE1Q09CNVFvN0YwL2JR
-TQotPiBzc2gtZWQyNTUxOSBuanZYNUEgc3R0Qjh0Vy9mSnR1eE5rajU5ZG56OFVR
+NAotPiBzc2gtZWQyNTUxOSBuanZYNUEgMEJtR2JpVk5PZnRpOUVuZHZJTDI3Z0Fa
-UUNLYmJyVHYxcUlsbzlTVGRUNApzcW4xVXp3dTVaVmhnVXdoUnZ2MlNESnUvVVk0
+UUdwWXFLT1gxZ0c3WFBlU2dDawpreE0yYUxoUktveGF5NXE4VHRva1hNdjdpYmZn
-ZkRFVVBhdjZsMzhHRzZvCi0+IHNzaC1lZDI1NTE5IENxSU9VQSA1MW8wdXBYdXBl
+R08wQ0l6cXpvYmhRMXRvCi0tLSB0UmFTdVBlR3NTSkVzdGtzOTdmSFVERC85dU1z
-VjM3Ukc4U2tSWFc2WDJaVWo3aldvazgwckJBZXVKbkFVCjFaaHhENHVQOWx3Q25F
+cHdMVFdYSTFWUGRDTm1nCrengYn1phCUDmVH29uRjKMLNDIucrpi1s4t8ciQ3ILG
-NnBnSXNJRjlwWk0zLzY1NVE2Z1M3dFhLMzVBT2sKLS0tIDk4TTBhNHpjS2lPRTlk
+sz605ztO3UUlm4SQTJnXmktRDBlLu/xICzEo5okkNl9HwK7s2Ok2DAoz8K/KeFbS
-VllRbmV4YU9xYUtEaVNWRVRrb2ZheSthWTAxcVEK9nC0bUWE1W8lmXZABR8IJAnI
+65K3a3RcZEdWryZyu/N12HAqu5FDw0wIbvLJP4X+EcpUJXYHr8FluLUSEQg+sORW
-to/at+EBAj4gV+UvTpqBmQ9xy5q9ih+L9VH+WolUQg5To5nzSKDbhwybzwEj1YUd
+FnL5tr1vK32ZQY4GIHZXh4hQbNoZo1v2ezkcK21siDkeA3e3PT6Bi0I90nuXS9Pc
-5Oqm1waFqasvLe4tNkNZ1aEVbc5VFY6OBCw3nVRESVR8AeuDnL8rRZyYpZjEwCZu
+0rZFZeYlNtI1Y4aeg6NEWytt
 Qay0cQUSJPJQIKES/UzSrUj+HAw2LxPPAZ9xrDa+QuU36RfPHzmAoVMZ82MxtLxf
 vLgxoUM9INybdIoBncihj90U+o8PC8Mud2DBm/FGkx0=
 -----END AGE ENCRYPTED FILE-----
--- a/private/cloudflared-swan.age
+++ b/private/cloudflared-swan.age
@ -1,17 +1,15 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyA0bkg4
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBDL0tZ
-WkZTODJsOFN0RGtzQ0F5RzhmQ0ViUDBobXEvVFFidXNtNTRaSFI4CjBraW5mUmgy
+TG9JTEdCMkJ2SnRvaFVLalZIM05JWEc1U0JSK0Q5aEg3TTRscVhRCjhJRGJYL3M5
-QzJPOStxdmRXSVY4NlNkZUUrcThGUUhpZUFxVm0yVENoNVkKLT4gc3NoLWVkMjU1
+T24yRGVQZG1heTJveU1qWCthZ1RJVkRtTksxVGhhR3dIMWcKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIDc4MCttZk5aUlNoVjZZY2RwVW54SE8xT2gyYk5KSXFFQjFjT2ln
+MTkgWXlTVU1RIGk2RDZjMEtDblNDcCtvRnFkNnQ1elEzUkdyWWg3M1hNcXBTaEdN
-aUNhZ1UKSTJzdTJTTXBPZTVYVXRMb1M0c3FtSDlyd2MvdVdHYURMSHV1WUF0TTZT
+VGtLM2sKK09Sa3NZNnc3SWlHRXBjcVE0Z3ZHSnY0Zk5pS2UyQ3NSMWh2VzNJeTNm
-MAotPiBzc2gtZWQyNTUxOSBuanZYNUEgeEd6Zy9CYWRKUFNjUHRZd3ZEMmR4VCtK
+NAotPiBzc2gtZWQyNTUxOSBuanZYNUEgWDhkN1B6ajNYcTBGeCtlbHhacnB4Ly9a
-cGR5UWdFSmRyLy9iblpJNVRtbworVEdkL01YazZyZHA0NmRXKzl1NTIyM0FZK2hW
+ejJCSVhPcndST0dkN1VZZE1nRQpKeUhCWEk1RkdjajlFMFgzajdmclB3a3FORkp5
-emlKWGhiUjl1T3lpcVhZCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBBN21XTy9qQldX
+ZTRQK3JXcWE0YUIvL2UwCi0tLSBBYkFQcmwvM0hZbEtBWG1oVUZ5NVhoT2p3U2pF
-enRxcE5pSVl2YXQwckIyQ1NueG5lbk1neGpDdThkSm5ZCm9HZlB2dWpSUWkrZUht
+VzhGL25La2lJRElDL0o4CtVNQVuouGOOXtVTwdeBd4+CJyglCjFoDoOpXdH35fni
-S21wMDE4anZrMUdSUUdnTFJmWnhXUks2ZmhyQzAKLS0tIE5JekNmSkdjUHcxeDdP
+Azr6JyfKbBlcavrghACWVDem24WIKq7uh9BSL2yHd+sj4umDybuCk9RZWmLgSaHV
-YVpLODlCemZkallwODRlOVVaOEk0UEVYY0Nxd00Km4HzHO0ciIVLi9jVf1WL0v70
+g7Y3jiHa/NTvqd+Wr0PBas4TcOLcICQ0rg9gWnYH+QQDdnv+At4Eqp2/X1ztTI8O
-9tdZZIXF1aklkmvwpKZyIBSJc2cDm583czRyrhy5/W2h2xLYSOXdL0NVKJyVgJj2
+PRJr7O6HJJasPZSsQldjs3O3fMiLiYPSywCTmgU/gstnv2YhbA3m4vhqOeRskuNg
-Y8Iq3+nLStZ8p0TL9MuFyY5HXkQpJzFeIrdFRj2vcQPVP1txZd90se8WrUP4k/9h
+X0qAd8jso4Bo7jHohmLLzl1c
 xrC+MHllDYR5lDXhAUhS42y746Ixm3iabVlPDzcccPJS7nvT4w5HBwkhWaVvb1/1
 cHD2guHpi4e3BbT5ozKADmOHajfjRy+j+gwFTl0AjGg=
 -----END AGE ENCRYPTED FILE-----
--- a/private/cloudflared-tempest.age
+++ b/private/cloudflared-tempest.age
@ -1,17 +1,15 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBEVnpD
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyB1VnBt
-S3FrMlhVZXpEZ1IzMVJpTGh3UnUyaEo0VU5iR01JL0dKVWpCUGpjCmdoWHUzRzBh
+RTV5eWc3RDNUR2lOWFRaMlgzREQyMlcvUFNxV0N2Vm9lVVZKOUZ3ClJjaWtYZjR5
-NCtMK25aNG8rVktpcDFkVW9yd1dOSExxNUo5RG9CWDgyUzgKLT4gc3NoLWVkMjU1
+ZTB4L2M4MFB0UThaMzlRT3JkUEE1N3RrSUlpZnRFbmFDdWcKLT4gc3NoLWVkMjU1
-MTkgWXlTVU1RIE41U2Y5QUwxZVYxTEVCVlczMjlUWmxYbG5oOEd1YnR2UUJOZ0hG
+MTkgWXlTVU1RIE5iTUs1ak9VZjRIRGpLMWtDcVB0RjVFRW8vOENQZlkzeGhsYmFB
-ZU9GemMKaS9pYzQvSG1yR242UDlFQ2M4U0F0YjlHSzZBOUtvRCsybmhOclJkZkI1
+QzJ6Z00KZmcvZ0hYMjN1bGZwY3NvMjlCbnpHUWVjdVU4cnBGcDQxTU8wZ0EyQXdU
-OAotPiBzc2gtZWQyNTUxOSBuanZYNUEgUVdES1BCdFljL2JRTzJSSWpFcWw2b2hQ
+MAotPiBzc2gtZWQyNTUxOSBuanZYNUEgazRzK2ZnSUZNWURoKzZMZmM4VTlDbVBh
-MFZqZTlyWC8rSzZ6RnI3ckdHbwo0cnBDNHdVNWFlMmxCZEVHWW9Tb2ZQMXc3WGw4
+WGc4MlE5TGFiN1MzV01FT1oyQQppRUhUNjdlQURNQm8rR0JOOUJFNm9vaXhPTXFW
-WUszNUc5aTk2MDVERXRrCi0+IHNzaC1lZDI1NTE5IENxSU9VQSB6VXJBMit0UytG
+U2lJU09jWVA0TDRrVHY4Ci0tLSBudWJTclRTek1RWHYzYzA4aTduODB0NUNWbVVP
-N1l4cHd6cTZudlBzWEcvNkhHVldOMnQvK2JWWVh4VGhJCmh0VVUrd0dEMk9XNVlD
+cUIyVzJncWhDS053d25nCneJhp1QT1v+dAguW9wAKDgWST59KNBgbY01jkf1IqXc
-eERYc1VtdjBHUEZZQ0pNWjF1aXRmUTFZc0phaDAKLS0tIHhVVTFDcjVucElUOHlw
+FbmkctPIMggim3uCBqjzBboYvf+dtt0Fcu9aiB+4YmGUeQNb+9mdPweXoHmVrego
-T0VMUWVTL0R5ek16VmlDY1dZWGk2aWV3TjdQMVkKbBB/Ixe0nuEQ4WkOguVk6oRI
+XygVsbuSP4xKWtIJhBJ/3/jEK9LqBtv+owdUIxbw5Ci6A0JvSu+tnUj5oAgMyT2z
-h7gasRs0CYNvKoIjAf66tJ4IC6CumJIo2JRkH0CU94nOJhPqdPL5VS2IrJOznrWY
+YrGRK9plQZteeUkMcd6+anSEUpP45lzfz/T7loD9ViCbPHRuUFgwkwUcRGjQStm3
-bZolkeTJxq+IDUZVTNk6b/7TSmhPsKNgAZZdEQp+HSwz3sy1wZIBTkc7Lxml0Vvy
+pnx9bi8N4ac599f4KqInm5gd
 pBjh36wBjPLYJy69KAxsI13YYlT8gGw6dHQutBlVRzH6zL+To8TQ/TMDAwKHxkJA
 6Bv3SyF5AvVYtJhnhT2Ic9fmkbbkohes6illUlpZTPU=
 -----END AGE ENCRYPTED FILE-----
--- a/Show More
+++ b/Show More