rename bocchi hosts folder to miki

2025-05-25 01:27:44 +10:00
161 changed files with 1589 additions and 3189 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
 .DS_Store
 result
--- a/README.md
+++ b/README.md
@ -1,54 +1,46 @@
-# dots
+# my little nix system
 ## overview
 <img width="60%" align="right" src="assets/linux-oneshot-launcher.webp">
-my dotfiles for NixOS, macOS or POSIX systems. primarily for systems that support [Nix](https://nixos.org) since they have declarative configuration. although dotfiles (in the stow directory) are made to keep them portable without the need for nix necessarily.
+## installation
- OS: [NixOS](https://nixos.org) and macOS
+### linux - desktop
- Shell: [fish](https://fishshell.com/)
+1. Boot up NixOS live iso on a system.
- Terminal: [Ghostty](https://ghostty.org/)
+2. Clone flake
- Browser: Firefox
+3. Make a folder for the system under hosts/
 4. Run `nixos-generate-config --dir hosts/HOSTNAME`
 6. Set LUKS encryption passphrase via `sudo nano /tmp/secret.key`
 7. Run disko `sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount /path/to/disko-config.nix`
 8. Copy over flake directory to new system
 9. Install system with `sudo nixos-install --flake .#HOSTNAME` - set a password for root
 10. Reboot into new system.
 11. Open a terminal and run `passwd`
 12. Log into normal user and configure networking via `nmtui`
 13. Apply dotfiles via `stow stow` in the base of the dotfiles directory.
 14. Download a wallpaper and apply it via `matugen image`
-linux specific:
+#### Secure boot
- Desktop: [Hyprland](https://hyprland.org/) and [Niri](https://github.com/YaLTeR/niri)
+If a system has a secure boot, install the system WITHOUT the secureboot module. Once the steps above have been completed return here.
 - Status Bar: [Waybar](https://github.com/Alexays/Waybar)
 - Launcher: [Vicinae](https://github.com/vicinaehq/vicinae)
-macOS specific:
+1.  Generate secureboot signing keys with `sudo nix run nixpkgs#sbctl create-keys`
- Launcher: [Raycast](https://www.raycast.com/)
+2.  Rebuild the system WITH the secureboot module.
- Application Firewall: [Lulu](https://objective-see.org/products/lulu.html)
+3.  Run `sudo sbctl verify` to check if SOME of the files are signed.
 4.  Reboot your system, in the UEFI enable onboarding secureboot keys, usually a setting called 'Reset to setup mode'.
 5.  Boot into your NixOS system and run `sudo sbctl enroll-keys --microsoft` to enroll your keys.
 6.  Reboot into your UEFI again and enable secure boot.
-# showcase
+### macOS
-
+1.  Install xcode developer tools, determinate nix and brew.
-<table>
+```sh
-    <tr>
+xcode-select --install
-        <td>NixOS</td>
+curl -fsSL https://install.determinate.systems/nix | sh -s -- install --determinate
-        <td>macOS</td>
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
    </tr>
    <tr>
        <td><img src="assets/linux-bocchi-fastfetch.webp"></td>
        <td><img src="assets/macos-bocchi-fastfetch.webp"></td>
    </tr>
    <tr>
        <td><img src="assets/linux-oneshot-launcher.webp"></td>
        <td><img src="assets/macos-oneshot-light.webp"></td>
    </tr>
    <tr>
        <td><img src="assets/linux-mafuyu.webp"></td>
        <td><img src="assets/macos-nene.webp"></td>
    </tr>
 </table>
 # license
 all content in this repository is licensed under the BSD0 license aka 0-Clause BSD license.
 ```
 Permission to use, copy, modify, and/or distribute this software for
 any purpose with or without fee is hereby granted.
 THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
 WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
 OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
 FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
 DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
 AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 ```
 2.  Install Nix flake to system. `nix run nix-darwin/master#darwin-rebuild -- switch`
 3.  Reboot
 4.  Install OpenUTAU `https://github.com/stakira/OpenUtau/releases/latest/download/OpenUtau-osx-x64.dmg`
 5.  Configure non-automated settings
 - set accent colour
 - set display to be spacious
 - customise spotlight settings
 - disable bluetooth
 - enable firewall
 - set wallpaper
 - enable switching workspace keybinds
--- a/assets/linux-bocchi-fastfetch.webp
+++ b/assets/linux-bocchi-fastfetch.webp
--- a/assets/linux-mafuyu.webp
+++ b/assets/linux-mafuyu.webp
--- a/assets/linux-oneshot-launcher.webp
+++ b/assets/linux-oneshot-launcher.webp
--- a/assets/macos-bocchi-fastfetch.webp
+++ b/assets/macos-bocchi-fastfetch.webp
--- a/assets/macos-nene.webp
+++ b/assets/macos-nene.webp
--- a/assets/macos-oneshot-light.webp
+++ b/assets/macos-oneshot-light.webp
--- a/backup.sh
+++ b/backup.sh
@ -1,59 +0,0 @@
 #!/bin/sh
 # stops the script immediately if any error is encountered
 set -e
 PINK="\033[35m"
 RESET="\033[0m"
 kanidm_backup() {
  # $1 = out path
  echo -e "$PINK  kanidm: backing up database$RESET"
  DATABASE_DUMP_PATH="$(mktemp)"
  chown kanidm:kanidm "$DATABASE_DUMP_PATH"
  run0 -u kanidm --unit=kanidmd sh -c "kanidmd database backup \"$DATABASE_DUMP_PATH\""
  rsync "$DATABASE_DUMP_PATH" "$1"
  rm "$DATABASE_DUMP_PATH"
  echo -e "$PINK  kanidm: DONE$RESET"
 }
 postgres_backup() {
  # $1 = database to backup
  # $2 = location to put backup
  echo -e "$PINK  postgres($1): backing up database $1 to stdout$RESET"
  run0 -u postgres pg_dump --dbname="$1" > "$2"
  echo -e "$PINK  postgres($1): DONE$RESET"
 }
 if [ "$1" = "" ]; then
  echo "$0: [BACKUP_DIR]"
  exit 1
 elif [ "$USER" != "root" ]; then
  echo "$0: rerun the script as root"
  exit 1
 fi
 case "$1" in
  /*) echo " ";;
  *) echo "$0: use absolute path for backup dir"; exit 1;;
 esac
 BACKUP_DIR="$1"
 echo -e "$PINK  using folder $BACKUP_DIR$RESET"
 mkdir --parents "$BACKUP_DIR"
 SERVICES="jellyfin radarr sonarr prowlarr uptime-kuma deluged forgejo karakeep-web karakeep-workers karakeep-browser"
 systemctl stop $SERVICES
 rsync -avP /media/ --exclude "media" --exclude "secrets" --exclude "torrents" --include "torrents/files/*" "$BACKUP_DIR"
 kanidm_backup "$BACKUP_DIR"/apps/kanidm.bak
 postgres_backup miniflux "$BACKUP_DIR"/apps/miniflux.sql
 systemctl start $SERVICES
 echo -e "\n\nBACKUP COMPLETED!"
--- a/flake.lock
+++ b/flake.lock
@ -2,11 +2,11 @@
  "nodes": {
    "crane": {
      "locked": {
-        "lastModified": 1754269165,
+        "lastModified": 1731098351,
-        "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "444e81206df3f7d92780680e45858e31d2f07a08",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
        "type": "github"
      },
      "original": {
@ -15,14 +15,35 @@
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1746728054,
        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "ff442f5d1425feb86344c028298548024f21256d",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "latest",
        "repo": "disko",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1747046372,
+        "lastModified": 1696426674,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@ -34,11 +55,11 @@
    "flake-compat_2": {
      "flake": false,
      "locked": {
-        "lastModified": 1747046372,
+        "lastModified": 1733328505,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
        "type": "github"
      },
      "original": {
@ -55,11 +76,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1754091436,
+        "lastModified": 1730504689,
-        "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
@ -68,6 +89,24 @@
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
@ -98,11 +137,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1771587792,
+        "lastModified": 1747990026,
-        "narHash": "sha256-XGFLdlLOez7f0rmjlF+1TLXyBguy8gx2aBHx/Q5JXxs=",
+        "narHash": "sha256-sG5VbID+x5+xUC+jjgHibnzg8IllVcH+K2TLmYHLPME=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "b49fc54950e251f166a2240799315033ab7a8916",
+        "rev": "e2f4ced874406541a7957f7e2b8f05a0d59a0f00",
        "type": "github"
      },
      "original": {
@ -123,16 +162,16 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1762205063,
+        "lastModified": 1737639419,
-        "narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
        "owner": "nix-community",
        "repo": "lanzaboote",
-        "rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "v0.4.3",
+        "ref": "v0.4.2",
        "repo": "lanzaboote",
        "type": "github"
      }
@ -144,11 +183,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1771520882,
+        "lastModified": 1748004251,
-        "narHash": "sha256-9SeTZ4Pwr730YfT7V8Azb8GFbwk1ZwiQDAwft3qAD+o=",
+        "narHash": "sha256-XodjkVWTth3A2JpBqGBkdLD9kkWn94rnv98l3xwKukg=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "6a7fdcd5839ec8b135821179eea3b58092171bcf",
+        "rev": "33220d4791784e4dd4739edd3f6c028020082f91",
        "type": "github"
      },
      "original": {
@ -182,15 +221,15 @@
    "nix-minecraft": {
      "inputs": {
        "flake-compat": "flake-compat_2",
-        "nixpkgs": "nixpkgs",
+        "flake-utils": "flake-utils",
-        "systems": "systems"
+        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1771641457,
+        "lastModified": 1748051893,
-        "narHash": "sha256-TIekRGfeCwuEmYcWex40RTx0Gd46pqmyUtxdFKb5juI=",
+        "narHash": "sha256-KV6bgVHPzb9ymVk9WDRX1lkkeoZETMbS/MyPpIOUWVo=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "c4e2b8969e09067da9d44b6b5762e1e896418f40",
+        "rev": "a600d058c19e1668db6ba759ecc4cfd154079ab5",
        "type": "github"
      },
      "original": {
@ -201,11 +240,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1769461804,
+        "lastModified": 1742889210,
-        "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
+        "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
+        "rev": "698214a32beb4f4c8e3942372c694f40848b360d",
        "type": "github"
      },
      "original": {
@ -215,13 +254,29 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1771369470,
+        "lastModified": 1730741070,
-        "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0182a361324364ae3f436a63005877674cf45efb",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1747744144,
        "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
        "type": "github"
      },
      "original": {
@ -241,14 +296,15 @@
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
-        ]
+        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1750779888,
+        "lastModified": 1731363552,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
        "type": "github"
      },
      "original": {
@ -259,6 +315,7 @@
    },
    "root": {
      "inputs": {
        "disko": "disko",
        "jovian": "jovian",
        "lanzaboote": "lanzaboote",
        "nix-darwin": "nix-darwin",
@ -274,11 +331,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1761791894,
+        "lastModified": 1731897198,
-        "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "59c45eb69d9222a4362673141e00ff77842cd219",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -4,79 +4,54 @@
  inputs = {
    # NixOS official package source, using the unstable branch here
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.3";
+    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.2";
    lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
    nix-darwin.url = "github:LnL7/nix-darwin";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
    disko.url = "github:nix-community/disko/latest";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    jovian.url = "github:Jovian-Experiments/Jovian-NixOS";
    jovian.inputs.nixpkgs.follows = "nixpkgs";
    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
  };
-  outputs = { self, nixpkgs, lanzaboote, nix-darwin, jovian, nix-minecraft, ... }@inputs: {
+  outputs = { self, nixpkgs, lanzaboote, nix-darwin, disko, jovian, nix-minecraft, ... }@inputs: {
    nixosConfigurations.nijika = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./hosts/nixos-common.nix
        ./modules/desktop/default.nix
        ./modules/desktop/de/hyprland.nix
        ./modules/desktop/japanese-input.nix
        ./modules/desktop/login/autologin.nix
        ./modules/applications/default.nix
        ./modules/applications/keepassxc.nix
        ./modules/games/linux.nix
        ./modules/browser/firefox.nix
        ./modules/nix/linux.nix
        ./modules/shell.nix
-        ./modules/network/avahi.nix
+        nix-minecraft.nixosModules.minecraft-servers
        { nixpkgs.overlays = [ inputs.nix-minecraft.overlay ]; }
        ./modules/games/server/minecraft/default.nix
        ./modules/services/uptime-kuma.nix
        ./modules/services/pocketid.nix
        ./modules/services/auth/kanidm.nix
        ./modules/services/caddy.nix
        ./modules/services/forgejo.nix
        ./modules/services/miniflux.nix
        ./modules/services/media/arr.nix
        ./modules/services/media/jellyfin.nix
        ./modules/services/ssh.nix
        ./modules/services/glance.nix
        ./modules/network/avahi.nix
        ./modules/network/firewall/opensnitch.nix
        ./modules/network/vpn/tailscale.nix
        ./modules/users/nico.nix
        ./modules/hardware/secureboot.nix
        ./modules/hardware/bootloader/systemd-boot.nix
        lanzaboote.nixosModules.lanzaboote
        ./hosts/nijika/configuration.nix
        disko.nixosModules.disko
      ];
    };
-    nixosConfigurations.seika = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.bocchi = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./hosts/nixos-common.nix
        ./modules/services/uptime-kuma.nix
        ./modules/services/auth/kanidm.nix
        ./modules/services/auth/tinyauth.nix
        ./modules/services/caddy.nix
        ./modules/services/forgejo.nix
        ./modules/services/miniflux.nix
        ./modules/services/karakeep.nix
        ./modules/services/media/arr.nix
        ./modules/services/media/jellyfin.nix
        ./modules/services/archiveteam-warrior.nix
        ./modules/services/samba.nix
        ./modules/hardware/restic.nix
        ./modules/network/avahi.nix
        ./modules/services/ssh.nix
        ./modules/services/dns/coredns.nix
        ./modules/services/dns/ddns-updater.nix
        ./modules/network/vpn/tailscale.nix
        ./modules/nix/linux.nix
        ./modules/shell.nix
        ./modules/users/nico.nix
        ./modules/hardware/bootloader/systemd-boot.nix
        ./hosts/seika/configuration.nix
      ];
    };
    nixosConfigurations.miki = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./hosts/nixos-common.nix
@ -84,20 +59,20 @@
        ./modules/nix/linux.nix
        ./modules/shell.nix
        ./modules/services/caddy.nix
        ./modules/services/media/jellyfin.nix
        ./modules/services/media/arr.nix
        ./modules/services/auth/tinyauth.nix
        ./modules/services/ssh.nix
        ./modules/network/vpn/tailscale.nix
        nix-minecraft.nixosModules.minecraft-servers
        { nixpkgs.overlays = [ inputs.nix-minecraft.overlay ]; }
        ./modules/games/server/minecraft/default.nix
        ./modules/games/server/minecraft/neoforge-1.21.1.nix
        ./modules/users/nico.nix
        ./modules/users/rhys.nix
-        ./hosts/miki/configuration.nix
+        ./hosts/bocchi/configuration.nix
        ./modules/hardware/bootloader/systemd-boot.nix
        ./hosts/nixos-common.nix
        disko.nixosModules.disko
      ];
    };
@ -111,8 +86,6 @@
        ./modules/games/darwin.nix
        ./modules/applications/darwin.nix
        ./modules/desktop/de/darwin.nix
        ./modules/desktop/de/yabai.nix
        ./modules/desktop/programs/sketchybar.nix
        ./modules/hardware/darwin.nix
        ./modules/nix/darwin.nix
        ./modules/network/vpn/tailscale-darwin.nix
--- a/hosts/miki/configuration.nix
+++ b/hosts/miki/configuration.nix
@ -5,24 +5,12 @@
    ./hardware-configuration.nix
  ];
-  networking.hostName = "miki";
+  networking.hostName = "bocchi";
  # gpu drivers
  hardware.graphics.enable = true;
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
  hardware.nvidia.open = false;
-  nixpkgs.config.allowUnfree = true;
+  # game servers
-  nixpkgs.config.nvidia.acceptLicense = true;
+  services.minecraft-servers.servers.velocity.enable = lib.mkForce false;
  virtualisation.oci-containers.containers.neoforge-1-21-1.ports = [ "25565:25565" ];
  virtualisation.oci-containers.containers.neoforge-1-21-1.environment.SERVER_PORT = lib.mkForce "25565";
  swapDevices = [{
    device = "/swapfile";
    size = 8*1024; # 8 GB
  }];
  # so safe!!!!
  nixpkgs.config.permittedInsecurePackages = [
    "broadcom-sta-6.30.223.271-59-6.12.65"
  ];
 }
--- a/hosts/nijika/configuration.nix
+++ b/hosts/nijika/configuration.nix
@ -2,6 +2,7 @@
 {
  imports = [
    ./disko.nix
    ./hardware-configuration.nix
  ];
@ -17,6 +18,9 @@
    # see: https://github.com/NixOS/nixpkgs/issues/356535
 #    intel-compute-runtime-legacy1 
    vpl-gpu-rt # QSV on 11th gen or newer
    intel-media-sdk # QSV up to 11th gen
    intel-ocl # OpenCL support
  ];
  services.logind.lidSwitchExternalPower = "ignore";
 }
--- a/hosts/nijika/disko.nix
+++ b/hosts/nijika/disko.nix
@ -0,0 +1,61 @@
 { ... }:
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            luks = {
              size = "100%";
              content = {
                type = "luks";
                name = "root";
                passwordFile = "/tmp/secret.key";
                settings = {
                  allowDiscards = true;
                };
 #                additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
                content = {
                  type = "btrfs";
                  extraArgs = [ "-f" ];
                  subvolumes = {
                    "/root" = {
                      mountpoint = "/";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/home" = {
                      mountpoint = "/home";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/nix" = {
                      mountpoint = "/nix";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/swap" = {
                      mountpoint = "/.swapvol";
                      swap.swapfile.size = "1G";
                    };
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/nijika/hardware-configuration.nix
+++ b/hosts/nijika/hardware-configuration.nix
@ -8,44 +8,17 @@
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" =
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-    { device = "/dev/mapper/root";
+  # (the default) this is the recommended approach. When using systemd-networkd it's
-      fsType = "btrfs";
+  # still possible to use this option, but it's recommended to use it in conjunction
-      options = [ "subvol=root" ];
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-    };
+  networking.useDHCP = lib.mkDefault true;
-
+  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/4a0361b6-b3b4-48dd-a089-babdfa072fc2";
  fileSystems."/nix" =
    { device = "/dev/mapper/root";
      fsType = "btrfs";
      options = [ "subvol=nix" ];
    };
  fileSystems."/.swapvol" =
    { device = "/dev/mapper/root";
      fsType = "btrfs";
      options = [ "subvol=swap" ];
    };
  fileSystems."/home" =
    { device = "/dev/mapper/root";
      fsType = "btrfs";
      options = [ "subvol=home" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/CF57-9CF0";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
--- a/hosts/nixos-common.nix
+++ b/hosts/nixos-common.nix
@ -6,6 +6,7 @@
 {
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  # Networking
--- a/hosts/seika/configuration.nix
+++ b/hosts/seika/configuration.nix
@ -1,19 +0,0 @@
 { config, lib, pkgs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  networking.hostName = "seika";
  hardware.graphics.enable = true;
  environment.sessionVariables.LIBVA_DRIVER_NAME = "iHD";
  hardware.graphics.extraPackages = with pkgs; [
    intel-media-driver # For Broadwell (2014) or newer processors. LIBVA_DRIVER_NAME=iHD
    libva-vdpau-driver # Previously vaapiVdpau
    intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
  ];
  services.logind.settings.Login.HandleLidSwitchExternalPower = "ignore";
 }
--- a/hosts/seika/hardware-configuration.nix
+++ b/hosts/seika/hardware-configuration.nix
@ -1,56 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
      fsType = "btrfs";
      options = [ "subvol=@root" ];
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
      fsType = "btrfs";
      options = [ "subvol=@home" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
      fsType = "btrfs";
      options = [ "subvol=@nix" ];
    };
  fileSystems."/media" =
    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
      fsType = "btrfs";
      options = [ "subvol=@media" ];
    };
  fileSystems."/swap" =
    { device = "/dev/disk/by-uuid/120b2057-ed32-40c0-b838-25e5713cc5d6";
      fsType = "btrfs";
      options = [ "subvol=@swap" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/E89A-EECA";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/modules/applications/1password.nix
+++ b/modules/applications/1password.nix
@ -1,19 +0,0 @@
 { config, ...}:
 {
  programs._1password.enable = true;
  programs._1password-gui = {
    enable = true;
    polkitPolicyOwners = [ "nico" ];
  };
  # browser extensions
  programs.firefox.policies.ExtensionSettings."{d634138d-c276-4fc8-924b-40a0ea21d284}" = {
    installation_mode = "force_installed";
    install_url = "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi";
  };
  programs.chromium.extensions = [
    "aeblfdkhhhdcdjpifhhbdiojplfjncoa" # 1Password
  ];
 }
--- a/modules/applications/darwin.nix
+++ b/modules/applications/darwin.nix
@ -5,30 +5,27 @@
  # dock
  system.defaults.dock.persistent-apps = [
-    "/Applications/Zen.app"
+    "/Applications/Firefox.app"
    "/Applications/Ghostty.app"
-    "/System/Applications/Music.app"
+    "/Applications/Nix Apps/Spotify.app"
-    "/Applications/Nix Apps/KeePassXC.app"
+    "/Applications/Grayjay.app"
-    { spacer.small = true; }
+    "/Applications/Infuse.app"
    "/System/Applications/Messages.app"
-    "/Applications/Signal.app"
+    "/Applications/Nix Apps/Vesktop.app"
-    "/Applications/Nix Apps/Discord.app"
+
    "/Applications/Nix Apps/UTM.app"
    "/System/Applications/Mail.app"
    { spacer.small = true; }
    "/Applications/Nix Apps/Obsidian.app"
-    "/Applications/Nix Apps/Anki.app"
+    "/Applications/1Password.app"
    "/Applications/Reeder.app"
    { spacer.small = true; }
    "/Applications/OBS.app"
    "/Applications/Nix Apps/Audacity.app"
    "/Applications/Affinity.app"
    "/Applications/GIMP.app"
    "/Applications/Krita.app"
-#    "/Applications/Blender.app"
+    "/Applications/Blender.app"
-#    "/Applications/OpenUTAU.app"
+    "/Applications/OpenUTAU.app"
    { spacer.small = true; }
  ];
  # homebrew pkgs
@ -36,27 +33,28 @@
    enable = true;
    onActivation.cleanup = "zap";
    casks = [
-      "zen"
+      "firefox"
      "ghostty"
      "krita"
      "blender"
      "obs"
      "grayjay"
      "gimp"
-      "signal"
+      "1password"
      "soulseek"
      "musicbrainz-picard"
      "affinity"
      "the-unarchiver"
      "battery"
      "linearmouse"
      "alt-tab"
      "easy-move+resize"
      "lulu"
-    ];
+      "rectangle"
    brews = [
      "mas"
    ];
    masApps = {
      "Infuse" = 1136220934;
      "Reeder Classic" = 1529448980;
    };
  };
  # hotkey daemon
  services.skhd.enable = true;
 }
--- a/modules/applications/default.nix
+++ b/modules/applications/default.nix
@ -2,31 +2,25 @@
 {
  environment.systemPackages = with pkgs; [
    spotify
    audacity
    obsidian
    ani-cli
-    (discord.override {
+    vesktop
-      withVencord = true;
+    _1password-cli
    })
    yt-dlp
  ] ++ lib.optionals pkgs.stdenv.isLinux (with pkgs; [  
    mpv
    ghostty
    thunderbird
    krita
    openutau
    obs-studio
    blender
-    gimp3
+    gimp
-    signal-desktop-bin
+    _1password-gui
    anki
    newsflash
    nicotine-plus
    picard
    whipper
  ]) ++ lib.optionals pkgs.stdenv.isDarwin (with pkgs; [
    iina
    utm
    raycast
    anki-bin
    keepassxc
  ]);
 }
--- a/modules/applications/keepassxc.nix
+++ b/modules/applications/keepassxc.nix
@ -1,16 +0,0 @@
 { config, pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    keepassxc
  ];
  # browser extensions
  programs.firefox.policies.ExtensionSettings."keepassxc-browser@keepassxc.org" = {
    installation_mode = "force_installed";
    install_url = "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi";
  };
  programs.chromium.extensions = [
    "oboonakemofpalcgghocfoadofidjkkk" # KeePassXC
  ];
 }
--- a/modules/browser/chromium.nix
+++ b/modules/browser/chromium.nix
@ -1,19 +0,0 @@
 { config, pkgs, ... }:
 {
  environment.systemPackages = [
    pkgs.chromium # not enabled through programs.chromium.enable
  ];
  programs.chromium = {
    enable = true;
    enablePlasmaBrowserIntegration = if (config.services.desktopManager.plasma6.enable == true) then true else false;
    extensions = [
      "ddkjiahejlhfcafbddmgiahcphecmpfh" # ublock origin lite
      "eimadpbcbfnmbkopoojfekhnkhdbieeh" # dark reader
      "mnjggcdmjocbbbhaepdhchncahnbgone" # sponsorblock
      "fnaicdffflnofjppbagibeoednhnbjhg" # floccus bookmark sync
    ];
  };
 }
--- a/modules/browser/firefox.nix
+++ b/modules/browser/firefox.nix
@ -8,18 +8,6 @@
        installation_mode = "force_installed";
        install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
      };
      "gdpr@cavi.au.dk" = {
        installation_mode = "force_installed";
        install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
      };
      "{cb31ec5d-c49a-4e5a-b240-16c767444f62}" = {
        installation_mode = "force_installed";
        install_url = "https://addons.mozilla.org/firefox/downloads/latest/indie-wiki-buddy/latest.xpi";
      };
      "myallychou@gmail.com" = {
        installation_mode = "force_installed";
        install_url = "https://addons.mozilla.org/firefox/downloads/latest/youtube-recommended-videos/latest.xpi";
      };
      "@testpilot-containers" = {
        installation_mode = "force_installed";
        install_url = "https://addons.mozilla.org/firefox/downloads/latest/multi-account-containers/latest.xpi";
@ -32,9 +20,13 @@
        installation_mode = "force_installed";
        install_url = "https://addons.mozilla.org/firefox/downloads/latest/temporarytabcontainer/latest.xpi";
      };
-      "sponsorBlocker@ajay.app" = {
+      "keepassxc-browser@keepassxc.org" = {
        installation_mode = "force_installed";
-        install_url = "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi";
+        install_url = "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi";
      };
      "pywalfox@frewacom.org" = {
        installation_mode = "force_installed";
        install_url = "https://addons.mozilla.org/firefox/downloads/latest/pywalfox/latest.xpi";
      };
    };
@ -132,5 +124,15 @@
    // use same search engine (duckduckgo) for private browsing
    lockPref("browser.search.separatePrivateDefault", false);
    // stop extensions connecting to the internet
    lockPref(
      "extensions.webextensions.base-content-security-policy",
      "default-src 'none'; script-src 'none'; object-src 'none';"
    );
    lockPref(
      "extensions.webextensions.base-content-security-policy.v3",
      "default-src 'none'; script-src 'none'; object-src 'none';"
    );
  '';
 }
--- a/modules/desktop/de/aerospace.nix
+++ b/modules/desktop/de/aerospace.nix
@ -1,13 +0,0 @@
 { config, pkgs, ... }:
 {
  services.aerospace.enable = true;
  services.aerospace.settings = ( builtins.fromTOML ( builtins.readFile ../../../stow/.config/aerospace/aerospace.toml ));
  homebrew.brews = [
    "FelixKratz/formulae/borders"
  ];
  environment.systemPackages = with pkgs; [
    matugen
  ];
 }
--- a/modules/desktop/de/darwin.nix
+++ b/modules/desktop/de/darwin.nix
@ -11,9 +11,6 @@
  system.defaults.NSGlobalDomain.NSDisableAutomaticTermination = true;
  system.defaults.NSGlobalDomain.NSDocumentSaveNewDocumentsToCloud = false;
  # enable ctrl+cmd to drag windows anywhere
  system.defaults.NSGlobalDomain.NSWindowShouldDragOnGesture = true;
  # hot corners
  system.defaults.dock = {
    wvous-bl-corner = 1;
@ -25,6 +22,7 @@
  # login
  system.defaults.loginwindow.GuestEnabled = false;
  system.defaults.screensaver.askForPassword = true;
  system.defaults.loginwindow.SHOWFULLNAME = true; # user needs to enter username and password to login
  # control center
  system.defaults.controlcenter = {
--- a/modules/desktop/de/hyprland.nix
+++ b/modules/desktop/de/hyprland.nix
@ -5,8 +5,11 @@
  # Optional, hint electron apps to use wayland:
  environment.sessionVariables.NIXOS_OZONE_WL = "1";
  # have portals
  xdg.portal.enable = true;
  xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
  programs.hyprlock.enable = true;
  services.hypridle.enable = true;
  environment.systemPackages = with pkgs; [
    ghostty
@ -18,15 +21,32 @@
    wl-clipboard
    brightnessctl
    helvum
-    vicinae
+    walker
    playerctl
    swaynotificationcenter
    hyprshot
    matugen
-    glib
+    pywalfox-native
    hyprshade
    hyprpolkitagent
  ];
  programs.ssh.startAgent = true;
  # enable polkit
  security.polkit.enable = true;
  systemd = {
    user.services.polkit-gnome-authentication-agent-1 = {
      description = "polkit-gnome-authentication-agent-1";
      wantedBy = [ "graphical-session.target" ];
      wants = [ "graphical-session.target" ];
      after = [ "graphical-session.target" ];
      serviceConfig = {
          Type = "simple";
          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
          Restart = "on-failure";
          RestartSec = 1;
          TimeoutStopSec = 10;
        };
    };
  };
 }
--- a/modules/desktop/de/kde.nix
+++ b/modules/desktop/de/kde.nix
@ -4,23 +4,26 @@
  services.desktopManager.plasma6.enable = true;
  environment.plasma6.excludePackages = with pkgs.kdePackages; [
    plasma-browser-integration
    konsole
    (lib.getBin qttools) # Expose qdbus in PATH
    ark
    elisa
    gwenview
    okular
    kate
    khelpcenter
    #dolphin
    baloo-widgets  # baloo information in Dolphin
    dolphin-plugins
    spectacle
    ffmpegthumbs
    krdp
-
+    gwenview
-    # gwenview
+    #xwaylandvideobridge
    # dolphin
    # spectacle
    # xwaylandvideobridge
    # kate
    # gwenview
    # ark
    # plasma-browser-integration
  ];
 }
--- a/modules/desktop/de/yabai.nix
+++ b/modules/desktop/de/yabai.nix
@ -1,20 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  services.yabai = {
    enable = true;
    enableScriptingAddition = true;
    extraConfig = builtins.readFile ../../../stow/.config/yabai/yabairc;
  };
  system.defaults.spaces.spans-displays = lib.mkForce false;
  environment.systemPackages = with pkgs; [
    skhd
    matugen
  ];
  homebrew.brews = [
    "FelixKratz/formulae/borders"
  ];
 }
--- a/modules/desktop/default.nix
+++ b/modules/desktop/default.nix
@ -5,14 +5,8 @@
    ./pipewire.nix
    ./flatpak.nix
    ./fonts.nix
    ./printing.nix
  ];
  # Enable font dir for compatability
  fonts.fontDir.enable = true;
  # enable desktop portals
  xdg.portal.enable = true;
  xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
 }
--- a/modules/desktop/fonts.nix
+++ b/modules/desktop/fonts.nix
@ -8,8 +8,6 @@
      noto-fonts-cjk-sans       # gets japanese and chinese langs
      nerd-fonts.comic-shanns-mono # programming fonts
      corefonts                 # basic web fonts
      comic-neue
    ];
  };
 }
--- a/modules/desktop/japanese-input.nix
+++ b/modules/desktop/japanese-input.nix
@ -1,24 +0,0 @@
 { config, pkgs, ... }:
 {
  i18n.inputMethod = {
    enable = true;
    type = "fcitx5";
    fcitx5.waylandFrontend = true;
    fcitx5.addons = with pkgs; [
      fcitx5-mozc
      fcitx5-gtk
    ];
  };
  i18n.inputMethod.fcitx5.settings.inputMethod = {
    GroupOrder."0" = "Default";
    "Groups/0" = {
      Name = "Default";
      "Default Layout" = "au";
      DefaultIM = "mozc";
    };
    "Groups/0/Items/0".Name = "keyboard-au";
    "Groups/0/Items/1".Name = "mozc";
  };
 }
--- a/modules/desktop/login/autologin.nix
+++ b/modules/desktop/login/autologin.nix
@ -6,11 +6,11 @@
    enable = true;
    settings = {
      initial_session = {
-        command = if (config.programs.niri.enable == true) then "${pkgs.niri}/bin/niri-session" else if (config.programs.hyprland.enable == true) then "${pkgs.hyprland}/bin/start-hyprland" else "${pkgs.zsh}/bin/zsh";
+        command = if (config.programs.niri.enable == true) then "${pkgs.niri}/bin/niri-session" else if (config.programs.hyprland.enable == true) then "${pkgs.hyprland}/bin/Hyprland" else "${pkgs.zsh}/bin/zsh";
        user = "nico";
      };
      default_session = {
-        command = "${lib.getExe pkgs.tuigreet} --asterisks --time --greeting 'nyaaa~~'";
+        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --asterisks --time --greeting 'nyaaa~~'";
      };
    };
  };
--- a/modules/desktop/login/plymouth.nix
+++ b/modules/desktop/login/plymouth.nix
@ -1,20 +0,0 @@
 { pkgs, ... }: {
  boot = {
    plymouth = {
      enable = true;
      theme = "bgrt";
    };
    # Enable "Silent boot"
    consoleLogLevel = 3;
    initrd.verbose = false;
    kernelParams = [
      "quiet"
      "splash"
      "boot.shell_on_fail"
      "udev.log_priority=3"
      "rd.systemd.show_status=auto"
    ];
  };
 }
--- a/modules/desktop/login/sddm.nix
+++ b/modules/desktop/login/sddm.nix
@ -1,6 +0,0 @@
 { config, ... }:
 {
  services.displayManager.sddm.enable = true;
  services.displayManager.sddm.wayland.enable = true;
 }
--- a/modules/desktop/polkit-gtk.nix
+++ b/modules/desktop/polkit-gtk.nix
@ -1,21 +0,0 @@
 { config, pkgs, ... }:
 {
  # enable polkit
  security.polkit.enable = true;
  systemd = {
    user.services.polkit-gnome-authentication-agent-1 = {
      description = "polkit-gnome-authentication-agent-1";
      wantedBy = [ "graphical-session.target" ];
      wants = [ "graphical-session.target" ];
      after = [ "graphical-session.target" ];
      serviceConfig = {
          Type = "simple";
          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
          Restart = "on-failure";
          RestartSec = 1;
          TimeoutStopSec = 10;
        };
    };
  };
 }
--- a/modules/desktop/printing.nix
+++ b/modules/desktop/printing.nix
@ -1,10 +0,0 @@
 { config, ... }:
 {
  imports = [
    ../network/avahi.nix
  ];
  services.printing.enable = true;
  services.avahi.openFirewall = true;
 }
--- a/modules/desktop/programs/sketchybar.nix
+++ b/modules/desktop/programs/sketchybar.nix
@ -1,9 +1,7 @@
 { config, lib, pkgs, ... }:
 {
  services.skhd.enable = true;
  services.sketchybar.enable = true;
  system.defaults.NSGlobalDomain._HIHideMenuBar = true;
  homebrew.brews = [
    "FelixKratz/formulae/sketchybar"
  ];
 }
--- a/modules/games/darwin.nix
+++ b/modules/games/darwin.nix
@ -4,14 +4,16 @@
  imports = [ ./default.nix ];
  homebrew.casks = [
    "whisky"
    "steam"
-    "roblox"
+    "heroic"
  ];
  system.defaults.dock.persistent-apps = [
    "/Applications/Steam.app"
    "/Applications/Heroic.app"
    "/Applications/Whisky.app"
    "${pkgs.prismlauncher}/Applications/PrismLauncher.app"
    "${pkgs.osu-lazer-bin}/Applications/osu!.app"
    { spacer.small = true; }
  ];
 }
--- a/modules/games/server/minecraft/building.nix
+++ b/modules/games/server/minecraft/building.nix
@ -3,9 +3,9 @@
 {
  services.minecraft-servers.servers.building = {
    enable = true;
-    package = pkgs.paperServers.paper-1_21_11;
+    package = pkgs.paperServers.paper-1_21_5;
    autoStart = true;
-    jvmOpts = "-Xms1024M -Xmx4096M";
+    jvmOpts = "-Xms4096M -Xmx4096M";
    serverProperties = {
      server-port = 30002;
@ -16,8 +16,8 @@
    };
    symlinks = {
-      "plugins/Worldedit.jar" = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/1u6JkXh5/versions/qYMNQYjH/worldedit-bukkit-7.3.18-beta-01.jar"; sha256 = "sha256-/TRUrwHhjnyBuCVyS34IWzvILz79RhZjS6k2DLwkUk0="; };
+      "plugins/Worldedit.jar" = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/1u6JkXh5/versions/NhJaettg/worldedit-bukkit-7.3.12-beta-01.jar"; sha256 = "sha256-NP5ALYQe6DVVAeTeDGxySKZ8sjQnLjQc8PTbDS+Lbd4="; };
-      "plugins/EssentialsX.jar" = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/hXiIvTyT/versions/Oa9ZDzZq/EssentialsX-2.21.2.jar"; sha256 = "sha256-C3WQJvAvPFR8MohvNmbbPB+Uz/c+FBrlZIMT/Q0L38Y="; };
+      "plugins/EssentialsX.jar" = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/hXiIvTyT/versions/SKQwLLoQ/EssentialsX-2.21.0.jar"; sha256 = "sha256-VwQyKlSDa5hLEQ9+Igi67RiGwu/tREa0l+Z+US/skMU="; };
    };
  };
--- a/modules/games/server/minecraft/fabric-modless.nix
+++ b/modules/games/server/minecraft/fabric-modless.nix
@ -3,9 +3,9 @@
 {
  services.minecraft-servers.servers.fabric-modless = {
    enable = true;
-    package = pkgs.fabricServers.fabric-1_21_11;
+    package = pkgs.fabricServers.fabric-1_21_5;
    autoStart = true;
-    jvmOpts = "-Xms1024M -Xmx4096M";
+    jvmOpts = "-Xms4096M -Xmx4096M";
    serverProperties = {
      server-port = 30001;
@ -15,11 +15,11 @@
    symlinks = {
      mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
-        FabricAPI = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/KhCFoeip/fabric-api-0.139.5%2B1.21.11.jar"; sha512 = "hSyedhdbLVHOoZG/zAAFuCTeQz8abeAdZyuegsocq4R4sYBnC8bEgRdE70q+yL0v86sPnBqlZEcT0G8/vMJ48A=="; };
+        FabricAPI = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/FZ4q3wQK/fabric-api-0.119.9%2B1.21.5.jar"; sha512 = "4eec629514cba71e4792c1ebf357e574713e5fdb3c01c6e7d132ed631bdeaab0b38bcab84d4ade14c6966c24f9938026da2e65c25b58cde4ce9710c49d147e87"; };
-        Chunky = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/fALzjamp/versions/bk9YUabA/Chunky-Fabric-1.4.54.jar"; sha512 = "vxX9sMDiBMKUdmxrkvDcidlulM5PcLmKxC6qRrh4Aq9Wz+tlSHePSUWx/cL+VholR39xGTfb85DiC5TBvQBsrg=="; };
+        Chunky = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/fALzjamp/versions/mhLtMoLk/Chunky-Fabric-1.4.36.jar"; sha512 = "65a201c246c95f6189a16e715d944e4a7ca7f44a8c4a39c8e6523d8c58e331d6611c78deff050cb4a2a2d80c5b8d84e3593a9b8ff961f7aee3d171a4ef7af2c7"; };
-        Ferritecore = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/uXXizFIs/versions/eRLwt73x/ferritecore-8.0.3-fabric.jar"; sha512 = "vmAFQ+SZtZKG+UCfRkl1cK3FGTmuY+qhKsKeZ3jaJ9jHxs0LM0DYvMocyZzmF3mxqPUrmQ+eTpqTqpxkgpBSMQ=="; };
+        Ferritecore = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/uXXizFIs/versions/CtMpt7Jr/ferritecore-8.0.0-fabric.jar"; sha512 = "131b82d1d366f0966435bfcb38c362d604d68ecf30c106d31a6261bfc868ca3a82425bb3faebaa2e5ea17d8eed5c92843810eb2df4790f2f8b1e6c1bdc9b7745"; };
-        NoChatReports = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/qQyHxfxd/versions/78RjC1gi/NoChatReports-FABRIC-1.21.10-v2.16.0.jar"; sha512 = "ObLyhPc/gpABK4ucxwCF1ZZoVH/HtOxDqzTkvKazmmaR++MrwzJuQDU7qcFqBjIOUoGDFb53eZparVJjcMvHcw=="; };
+        NoChatReports = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/qQyHxfxd/versions/CHlHxkvf/NoChatReports-FABRIC-1.21.5-v2.12.0.jar"; sha512 = "c0825db25672cf8b50face51ec8a6bedb4be50b374a2537640a433c98817bc07c177485e93ab8cee9e3f7bfb1d2eb1460309e818b411764c92426b552487a9f7"; };
-        FabricProxyLite = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/8dI2tmqs/versions/nR8AIdvx/FabricProxy-Lite-2.11.0.jar"; sha512 = "wuHZJ59vGaVh+TS4RlQLKKAzWGtLQZucGqJ6xD/8j60s5g4hKhVAbl+jkH/17L5a96XtsYOp7mc3pB5GSuwTdQ=="; };
+        FabricProxyLite = pkgs.fetchurl { url = "https://cdn.modrinth.com/data/8dI2tmqs/versions/AQhF7kvw/FabricProxy-Lite-2.9.0.jar"; sha512 = "3044f36df7e83021210a7c318def18a95b5dbf5e3230bb72a3ddb42ebdda33f248c6d12efcee1240ff0c54600d68d147afa105d04ee37a90acb9409619c89848"; };
      });
    };
  };
@ -27,6 +27,11 @@
  services.minecraft-servers.servers.velocity.symlinks."velocity.toml".value = {
    servers = {
      fabric-modless = "127.0.0.1:30001";
      # In what order we should try servers when a player logs in or is kicked from a server.
      try = [
          "fabric-modless"
      ];
    };
  };
 }
--- a/modules/games/server/minecraft/forge-1.19.2.nix
+++ b/modules/games/server/minecraft/forge-1.19.2.nix
@ -22,6 +22,11 @@
  services.minecraft-servers.servers.velocity.symlinks."velocity.toml".value = {
    servers = {
      forge-1-19-2 = "127.0.0.1:30004";
      # In what order we should try servers when a player logs in or is kicked from a server.
      try = [
          "forge-1-19-2"
      ];
    };
  };
 }
--- a/modules/games/server/minecraft/neoforge-1.21.1.nix
+++ b/modules/games/server/minecraft/neoforge-1.21.1.nix
@ -10,8 +10,7 @@
      TYPE = "NEOFORGE";
      VERSION = "1.21.1";
      EULA = "TRUE";
-      INIT_MEMORY = "1G";
+      MEMORY = "4G";
      MAX_MEMORY = "6G";
      SERVER_PORT = "30005";
      UID = "992";
@ -22,6 +21,11 @@
  services.minecraft-servers.servers.velocity.symlinks."velocity.toml".value = {
    servers = {
      neoforge-1-21-1 = "127.0.0.1:30005";
      # In what order we should try servers when a player logs in or is kicked from a server.
      try = [
          "neoforge-1-21-1"
      ];
    };
  };
 }
--- a/modules/games/server/minecraft/velocity.nix
+++ b/modules/games/server/minecraft/velocity.nix
@ -6,10 +6,10 @@
    package = pkgs.velocityServers.velocity;
    autoStart = true;
    openFirewall = true;
-    jvmOpts = "-Xms128M -Xmx1024M";
+    jvmOpts = "-Xms256M -Xmx1024M";
    symlinks = {
-      "plugins/Luckperms.jar" = pkgs.fetchurl { url = "https://download.luckperms.net/1610/velocity/LuckPerms-Velocity-5.5.21.jar"; sha512 = "xAUogBzYUF71CuutcUPM1QJLVel/6Ihzui1Ksbdrd5qeGDqecULdHJtMNsLCM6XQJndGgBTrGv4xljLzVQsx7A=="; };
+      "plugins/Luckperms.jar" = pkgs.fetchurl { url = "https://download.luckperms.net/1575/velocity/LuckPerms-Velocity-5.4.158.jar"; sha512 = "07b649db2d2c9f16791d706621dcb606d05bbc1125fa65765e7d4cf4b45778a84f65ca4ad8e461ff146646805072852322cfbd91d66699af5e895d00b233648f"; };
-      "plugins/Velocitab.jar" = pkgs.fetchurl { url = "https://hangarcdn.papermc.io/plugins/William278/Velocitab/versions/1.7.9/VELOCITY/Velocitab-1.7.9.jar"; sha512 = "2okGzE0QJz8RTOmVCZHBizokEuTwVvKRPwr6JhJUg5kpsWWhkF+k+XCMzI5aMwSbDy7+2W3NE1qvbfFZHAKdsw=="; };
+      "plugins/Velocitab.jar" = pkgs.fetchurl { url = "https://hangarcdn.papermc.io/plugins/William278/Velocitab/versions/1.7.5/VELOCITY/Velocitab-1.7.5.jar"; sha512 = "ExyxRVbkzgVRTOZC9yRrwJbNpRnD1aFZa/QlMmBHAjLMXYmM/Q7lRMGtQs3dyrjBI06Z9e01ZaOmTTa2RbtNew=="; };
      "plugins/Message.jar" = pkgs.fetchurl { url = "https://hangarcdn.papermc.io/plugins/OskarsMC-Plugins/message/versions/1.4.0/VELOCITY/message-1.4.0-all.jar"; sha512 = "62503339714d7d26d71a98b2036cd04e91c9049567a033441d904a5f3190177bdc41dcd5183e6c51eb083a143edbfaf50642d44c99c1b83e7a3546a3654305c8"; };
      "plugins/Send.jar" = pkgs.fetchurl { url = "https://github.com/OskarsMC-Plugins/send/releases/download/3.0.0/send-3.0.0.jar"; sha512 = "aff03bb13804cd01ecd649d283bfdb0b3411cb4df045670328a43f53a05f7386a76a536c4fcbbd3cdc718aa300f2ab2940c7437a181e31fa9f1c9c0e591896ab"; };
@ -21,7 +21,7 @@
      config-version = "2.7";
      bind = "0.0.0.0:25565";
-      motd = "<gray>A velocity server.\n<gray>hosted on <light_purple>${config.networking.hostName}<gray>.";
+      motd = "<#09add3>A Velocity Server";
      show-max-players = 500; # displayed maximum players, not an actual cap
      online-mode = true;
      force-key-authentication = true;
@ -42,7 +42,6 @@
          headers = [ "<gray>" ];
          footers = [ "<gray>connected to <light_purple>%server%<gray>" ];
          format = "<white>%prefix%%username% <gray>%server%";
          send_scoreboard_packets = true;
          nametag.prefix = "%prefix%";
          nametag.suffix = "";
          sorting_placeholders = [
@ -64,7 +63,7 @@
      messages = {
        message-sent = "<light_purple>✉</light_purple> <gray><sender></gray> <dark_gray>→</dark_gray> <gray><receiver></gray> <white><message></white>";
-        message-received = "<light_purple>✉</light_purple> <gray><sender></gray> <dark_gray>→</dark_gray> <gray><receiver></gray> <white><message></white>";
+        message-received = "<light_purple>✉</light_purple> <gray><receiver></gray> <dark_gray>→</dark_gray> <gray><sender></gray> <white><message></white>";
        message-socialspy = "<light_purple>✉ spy</light_purple>  <gray><sender></gray> <dark_gray>→</dark_gray> <gray><receiver></gray> <white><message></white>";
      };
--- a/modules/hardware/bootloader/limine.nix
+++ b/modules/hardware/bootloader/limine.nix
@ -1,23 +0,0 @@
 { config, pkgs, ... }:
 {
  boot.loader.limine = {
    enable = true;
    validateChecksums = true;
    panicOnChecksumMismatch = true;
    enableEditor = false;
    extraEntries =
 ''
 /memtest86
  protocol: chainload
  path: boot():///efi/memtest86/memtest86.efi
 '';
    additionalFiles = { 
      "efi/memtest86/memtest86.efi" = "${pkgs.memtest86-efi}/BOOTX64.efi";
    };
    secureBoot.enable = true;
  };
 }
--- a/modules/hardware/bootloader/systemd-boot.nix
+++ b/modules/hardware/bootloader/systemd-boot.nix
@ -1,9 +0,0 @@
 { config, ... }:
 {
  boot.loader.systemd-boot = {
    enable = true;
  };
  boot.loader.timeout = 0;
 }
--- a/modules/hardware/darwin.nix
+++ b/modules/hardware/darwin.nix
@ -14,6 +14,10 @@
      "Ethernet Adaptor"
      "Thunderbolt Ethernet"
    ];
    dns = [
      "1.1.1.1"
    ];
  };
  # keyboard
--- a/modules/hardware/restic.nix
+++ b/modules/hardware/restic.nix
@ -1,66 +0,0 @@
 { config, lib, pkgs, ... }:
 {
  services.restic.backups."${config.networking.hostName}-server" = {
    initialize = false;
    paths = [
      "/media"
    ];
    exclude = [
      "/media/secrets"
      "/media/torrents"
      "/media/media"
      ".cache*"
      ".DS_Store"
      "logs"
    ];
    checkOpts = [
      "--with-cache" # just to make checks faster
    ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 10"
    ];
    timerConfig = {
      OnBootSec = "5m"; # lets wifi connect before starting backups
      OnCalendar = "daily";
      Persistent = true;
    };
    # backup postgres databases, kind of hacky but
    # i think its the only way to do it without needing
    # another backup repo
    backupPrepareCommand = ''
      rm -f /media/apps/postgres # -f doesn't error if doesn't exist
      touch /media/apps/postgres
      chmod 600 /media/apps/postgres
      ${lib.getExe pkgs.sudo} -u postgres ${config.services.postgresql.package}/bin/pg_dumpall > /media/apps/postgres
    '';
    backupCleanupCommand = ''
      rm /media/apps/postgres
    '';
    # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#other-services-via-rclone
    # put something like : "rclone:onedrive:restic" to use as the remote
    #
    # sudo nix run nixpkgs#rclone -- config
    repositoryFile = "/media/secrets/restic-repo";
    # the passphrase used 
    passwordFile = "/media/secrets/restic-password";
  };
  systemd.tmpfiles.rules = [
    "f /media/secrets/restic-repo 0400 root root"
    "f /media/secrets/restic-password 0400 root root"
  ];
 }
--- a/modules/network/avahi.nix
+++ b/modules/network/avahi.nix
@ -3,7 +3,6 @@
 {
  services.avahi = {
    enable = true;
-    nssmdns4 = true;
+    nssmdns = true;
    nssmdns6 = true;
  };
 }
--- a/modules/network/ddclient.nix
+++ b/modules/network/ddclient.nix
@ -1,8 +0,0 @@
 { config, ... }:
 {
  services.ddclient = {
    enable = true;
    configFile = "/root/nixos/secrets/ddclient.conf";
  };
 }
--- a/modules/network/firewall/opensnitch.nix
+++ b/modules/network/firewall/opensnitch.nix
@ -10,8 +10,6 @@
    };
    rules = {
      #
      # system services
      "systemd-timesyncd" = {
        "name" = "systemd-timesyncd";
        "enabled" = true;
@ -20,8 +18,8 @@
        "operator" = {
          "type" = "simple";
          "sensitive" = false;
-          "operand" = "lists.domains";
+          "operand" = "process.path";
-          "data" = builtins.toFile "systemd-timesyncd-opensnitch-rules" (lib.strings.concatStringsSep "\n" config.networking.timeServers);
+          "data" = "${pkgs.systemd}/lib/systemd/systemd-timesyncd";
        };
      };
      "nsncd" = {
@ -36,157 +34,6 @@
          "data" = "${pkgs.nsncd}/bin/nsncd";
        };
      };
      "tailscale" =  {
        "name" = "tailscale";
        "enabled" = true;
        "action" = "allow";
        "duration" = "always";
        "operator" = {
          "operand" = "process.path";
          "type" = "simple";
          "sensitive" = false;
          "data" = "${pkgs.tailscale}/bin/.tailscaled-wrapped";
        };
      };
      "avahi-daemon" =  {
        "name" = "avahi-daemon";
        "enabled" = true;
        "action" = "allow";
        "duration" = "always";
        "operator" = {
          "operand" = "process.path";
          "type" = "simple";
          "sensitive" = false;
          "data" = "${pkgs.avahi}/bin/avahi-daemon";
        };
      };
      #
      # services
      "prowlarr" =  {
        "name" = "prowlarr";
        "enabled" = true;
        "action" = "allow";
        "duration" = "always";
        "operator" = {
          "type" = "list";
          "operand" = "list";
          "list" = [
            {
              "operand" = "process.path";
              "type" = "simple";
              "sensitive" = false;
              "data" = "${pkgs.prowlarr}/lib/prowlarr/Prowlarr";
            }
            {
              "operand" = "user.name";
              "type" = "simple";
              "sensitive" = false;
              "data" = "prowlarr";
            }
          ];
        };
      };
      "sonarr" =  {
        "name" = "sonarr";
        "enabled" = true;
        "action" = "allow";
        "duration" = "always";
        "operator" = {
          "type" = "list";
          "operand" = "list";
          "list" = [
            {
              "operand" = "process.path";
              "type" = "simple";
              "sensitive" = false;
              "data" = "${pkgs.sonarr}/lib/sonarr/Sonarr";
            }
            {
              "operand" = "user.name";
              "type" = "simple";
              "sensitive" = false;
              "data" = "${config.services.sonarr.user}";
            }
          ];
        };
      };
      "radarr" =  {
        "name" = "radarr";
        "enabled" = true;
        "action" = "allow";
        "duration" = "always";
        "operator" = {
          "type" = "list";
          "operand" = "list";
          "list" = [
            {
              "operand" = "process.path";
              "type" = "simple";
              "sensitive" = false;
              "data" = "${pkgs.radarr}/lib/radarr/Radarr";
            }
            {
              "operand" = "user.name";
              "type" = "simple";
              "sensitive" = false;
              "data" = "${config.services.radarr.user}";
            }
          ];
        };
      };
      "forgejo" =  {
        "name" = "forgejo";
        "enabled" = true;
        "action" = "allow";
        "duration" = "always";
        "operator" = {
          "type" = "list";
          "operand" = "list";
          "list" = [
            {
              "operand" = "process.path";
              "type" = "simple";
              "sensitive" = false;
              "data" = "${pkgs.forgejo-lts}/bin/.forgejo-wrapped";
            }
            {
              "operand" = "user.name";
              "type" = "simple";
              "sensitive" = false;
              "data" = "${config.services.forgejo.user}";
            }
          ];
        };
      };
      "caddy" =  {
        "name" = "caddy";
        "enabled" = true;
        "action" = "allow";
        "duration" = "always";
        "operator" = {
          "type" = "list";
          "operand" = "list";
          "list" = [
            {
              "operand" = "process.path";
              "type" = "simple";
              "sensitive" = false;
              "data" = "${pkgs.caddy}/bin/caddy";
            }
            {
              "operand" = "user.name";
              "type" = "simple";
              "sensitive" = false;
              "data" = "${config.services.caddy.user}";
            }
          ];
        };
      };
      #
      # desktop applications
      "firefox" = {
        "name" = "firefox";
        "enabled" = true;
--- a/modules/network/vpn/tailscale-darwin.nix
+++ b/modules/network/vpn/tailscale-darwin.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 {
-  homebrew.masApps = {
+  homebrew.casks = [
-    "Tailscale" = 1475387142;
+    "tailscale"
-  };
+  ];
 }
--- a/modules/network/vpn/tailscale.nix
+++ b/modules/network/vpn/tailscale.nix
@ -2,8 +2,4 @@
 {
  services.tailscale.enable = true;
  services.tailscale.extraSetFlags = [
    "--advertise-exit-node"
  ];
  services.tailscale.useRoutingFeatures = "server";
 }
--- a/modules/services/dns/adguardhome.nix
+++ b/modules/services/dns/adguardhome.nix
@ -3,7 +3,7 @@
 {
  services.adguardhome = {
    enable = true;
-    mutableSettings = false;
+    mutableSettings = true;
    extraArgs = [ "--web-addr" "0.0.0.0:3003" ];
    settings = {
@ -27,17 +27,6 @@
      filtering = {
        protection_enabled = true;
        filtering_enabled = true;
        rewrites = [
          {
            domain = "nijika.astolfo.org";
            answer = "100.105.94.30";
          }
          {
            domain = "*.nijika.astolfo.org";
            answer = "100.105.94.30";
          }
        ];
      };
      # The following notation uses map
--- a/modules/services/archiveteam-warrior.nix
+++ b/modules/services/archiveteam-warrior.nix
@ -1,14 +0,0 @@
 { config, lib, pkgs, ... }:
 {
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers.archiveteam-warrior = {
    image = "atdr.meo.ws/archiveteam/warrior-dockerfile";
    ports = [ "8001:8001" ];
    environment = {
      "CONCURRENT_ITEMS" = "5";
      "DOWNLOADER" = "astolfo";
      "SELECTED_PROJECT" = "auto";
    };
  };
 }
--- a/modules/services/auth/kanidm.nix
+++ b/modules/services/auth/kanidm.nix
@ -2,11 +2,11 @@
 {
  services.kanidm = {
-    server.enable = true;
+    enableServer = true;
-    unix.enable = false;
+    enablePam = false;
-    package = pkgs.kanidm_1_9;
+    package = pkgs.kanidm_1_5;
-    server.settings = {
+    serverSettings = {
      bindaddress = "127.0.0.1:8443";
      ldapbindaddress = "0.0.0.0:636";
      domain = "${config.homelab.authDomain}";
@ -14,12 +14,6 @@
      tls_chain = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/cert.pem";
      tls_key = "${config.security.acme.certs.${config.homelab.authDomain}.directory}/key.pem";
      online_backup = {
        schedule =  "00 22 * * *";
        path = "/media/apps/kanidm";
        versions = 14;
      };
    };
  };
@ -30,10 +24,11 @@
    dnsProvider = "cloudflare";
    dnsResolver = "1.1.1.1:53";
    dnsPropagationCheck = true;
    environmentFile = /var/lib/caddy/secret;
  };
  services.caddy.virtualHosts."${config.homelab.authDomain}" = {
-    useACMEHost = config.services.kanidm.server.settings.domain;
+    useACMEHost = config.services.kanidm.serverSettings.domain;
    extraConfig = ''
      reverse_proxy https://localhost:8443 {
        header_up Host "${config.homelab.authDomain}:8443"
--- a/modules/services/auth/tinyauth.nix
+++ b/modules/services/auth/tinyauth.nix
@ -1,47 +0,0 @@
 { config, lib, pkgs, ... }:
 {
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers.tinyauth = {
    image = "ghcr.io/steveiliop56/tinyauth:v4";
    ports = [
      "3009:3000"
    ];
    environment = {
      "APP_URL" = "https://tinyauth.${config.homelab.domain}";
      "PROVIDERS_KANIDM_CLIENT_ID" = "tinyauth";
      "PROVIDERS_KANIDM_AUTH_URL" = "https://${config.homelab.authDomain}/ui/oauth2";
      "PROVIDERS_KANIDM_TOKEN_URL" = "https://${config.homelab.authDomain}/oauth2/token";
      "PROVIDERS_KANIDM_USER_INFO_URL" = "https://${config.homelab.authDomain}/oauth2/openid/tinyauth/userinfo";
      "PROVIDERS_KANIDM_REDIRECT_URL" = "https://tinyauth.${config.homelab.domain}/api/oauth/callback/kanidm";
      "PROVIDERS_KANIDM_SCOPES" = "openid email profile groups";
      "PROVIDERS_KANIDM_NAME" = "${config.homelab.authDomain}";
    };
  environmentFiles = [
      # set variable PROVIDERS_KANIDM_CLIENT_SECRET here
      /media/secrets/tinyauth
    ];
  };
  systemd.tmpfiles.rules = [
    "f /media/secrets/tinyauth 0400 root root"
  ];
  services.caddy.extraConfig = ''
    (tinyauth_forwarder) {
      forward_auth 127.0.0.1:3009 {
        uri /api/auth/caddy
      }
    }
  '';
  services.caddy.virtualHosts."tinyauth.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:3009
    '';
  };
 }
--- a/modules/services/caddy.nix
+++ b/modules/services/caddy.nix
@ -22,19 +22,11 @@
    services.caddy = {
      enable = true;
      extraConfig = ''
      (block_non_private_ips) {
        @non_private_ips not remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48 private_ranges
        abort @non_private_ips
      }
      '';
    };
    security.acme = {
      acceptTerms = true;
      defaults.email = "hello@astolfo.org";
      defaults.environmentFile = /media/secrets/acme;
      defaults.profile = "shortlived";
      certs."${config.homelab.domain}" = {
        group = config.services.caddy.group;
@ -44,11 +36,8 @@
        dnsProvider = "cloudflare";
        dnsResolver = "1.1.1.1:53";
        dnsPropagationCheck = true;
        environmentFile = /var/lib/caddy/secret;
      };
    };
    systemd.tmpfiles.rules = [
      "f /media/secrets/acme 0400 acme acme"
    ];
  };
 }
--- a/modules/services/dns/coredns.nix
+++ b/modules/services/dns/coredns.nix
@ -1,25 +0,0 @@
 { config, ... }:
 {
  services.coredns = {
    enable = true;
    config = ''
      .:53 {
        hosts {
          100.100.144.4 seika.astolfo.org
          fallthrough
        }
        # rewrite the CNAME to itself so hosts rule apply
        rewrite cname exact seika.astolfo.org. seika.astolfo.org.
        forward . 1.1.1.1
        log
        errors
      }
    '';
  };
  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];
 }
--- a/modules/services/dns/ddns-updater.nix
+++ b/modules/services/dns/ddns-updater.nix
@ -1,16 +0,0 @@
 { config, ... }:
 {
  services.ddns-updater = {
    enable = true;
    environment = {
      SERVER_ENABLED="no";
      # setup dynamic dns provider here
      # https://wiki.nixos.org/wiki/Dynamic_DNS
      # https://github.com/qdm12/ddns-updater/blob/master/docs/cloudflare.md
      CONFIG_FILEPATH = "/media/secrets/ddns-updater.json";
      PERIOD = "5m";
    };
  };
 }
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -3,20 +3,22 @@
 {
  services.forgejo = {
    enable = true;
-    stateDir = "/media/apps/git";
+    stateDir = "/var/lib/forgejo";
-    repositoryRoot = "${config.services.forgejo.stateDir}/repos";
+    repositoryRoot = "${config.services.forgejo.stateDir}/repositories";
    database.createDatabase = true;
    settings = {
      session.COOKIE_SECURE = true;
      server = {
-        DOMAIN = "git.${config.homelab.publicDomain}";
+        DOMAIN = "git.${config.homelab.domain}";
        ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
        SSH_PORT = 22;
 #        PROTOCOL = "https";
        HTTP_PORT = 3000;
      };
      security.REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
      service = {
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        SHOW_REGISTRATION_BUTTON = false;
@ -25,11 +27,15 @@
    };
  };
-  security.acme.certs."${config.services.forgejo.settings.server.DOMAIN}" = {
+  # configure anubis to prevent AI scrapers from overloading the git server.
-    domain = "${config.services.forgejo.settings.server.DOMAIN}";
+  services.anubis.instances.forgejo = {
-    dnsProvider = "cloudflare";
+    enable = true;
-    dnsResolver = "1.1.1.1:53";
+    settings = {
-    dnsPropagationCheck = true;
+      TARGET = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}";
      SERVE_ROBOTS_TXT = true;
      BIND_NETWORK = "tcp";
      BIND = ":3333";
    };
  };
  # forgejo has user keys under its own .ssh/authorizedKeys file.
@ -37,10 +43,13 @@
  # in order to only allow that to the forgejo user as it has "/var"
  services.openssh.authorizedKeysInHomedir = lib.mkForce true;
-  services.caddy.virtualHosts."${config.services.forgejo.settings.server.DOMAIN}" = {
+  services.caddy.virtualHosts."git.${config.homelab.domain}" = {
-    useACMEHost = config.services.forgejo.settings.server.DOMAIN;
+    useACMEHost = config.homelab.domain;
    extraConfig = ''
-      reverse_proxy http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+      reverse_proxy http://127.0.0.1${toString config.services.anubis.instances.forgejo.settings.BIND} {
        header_up X-Real-Ip {remote_host}
        header_up X-Http-Version {http.request.proto}
      }
    '';
  };
 }
--- a/modules/services/glance.nix
+++ b/modules/services/glance.nix
@ -107,7 +107,6 @@
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8888
      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/karakeep.nix
+++ b/modules/services/karakeep.nix
@ -1,38 +1,35 @@
 { config, ... }:
 {
-  services.karakeep = {
+  virtualisation.oci-containers.containers.karakeep = {
-    enable = true;
+    image = "ghcr.io/karakeep-app/karakeep:release";
-    extraEnvironment = {
+    volumes = [ "/var/lib/karakeep/data:/data" ];
-      PORT = "8023";
+    ports = [ "8023:3000" ];
    environment = {
      DATA_DIR = "/data"; # dont change
-      OAUTH_WELLKNOWN_URL = "https://${config.homelab.authDomain}/oauth2/openid/karakeep/.well-known/openid-configuration";
+      OAUTH_WELLKNOWN_URL = "https://auth.${config.homelab.domain}/.well-known/openid-configuration";
-      OAUTH_PROVIDER_NAME = "${config.homelab.domain}";
+      OAUTH_PROVIDER_NAME = "PocketID";
      NEXTAUTH_URL = "https://karakeep.${config.homelab.domain}";
      DISABLE_PASSWORD_AUTH	= "true";
      OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
    };
-    # put OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID in file
+    environmentFiles = [
-    # https://docs.karakeep.app/configuration/environment-variables#authentication--signup
+      # put the environment variable NEXTAUTH_SECRET in here
-    environmentFile = "/media/secrets/karakeep";
+      # with a randomly generated string. gen with `openssl rand -base64 36`
-  };
+      /var/lib/karakeep/nextauth-secret
-  systemd.tmpfiles.rules = [
+      # https://pocket-id.org/docs/client-examples/hoarder
-    "f /media/secrets/karakeep 0400 karakeep karakeep"
+      /var/lib/karakeep/oidc
-  ];
+    ];
  fileSystems."/var/lib/karakeep" = {
    device = "/media/apps/karakeep";
    options = [ "bind" ];
  };
  services.caddy.virtualHosts."karakeep.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8023
      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/linkding.nix
+++ b/modules/services/linkding.nix
@ -1,61 +0,0 @@
 { config, ... }:
 {
  virtualisation.oci-containers.containers.linkding = {
    image = "sissbruecker/linkding:latest";
    ports = [ "9090:9090" ];
    volumes = [ "/var/lib/linkding/data:/data" ];
    environmentFiles = [
      # create superuser account before initially signing in
      # https://linkding.link/options/#oidc-and-ld_superuser_name
      # include following environment variables:
      #   OIDC_RP_CLIENT_SECRET - set to oidc client secret
      /var/lib/linkding/oidc
    ];
    environment = {
      # Can be used to run linkding under a context path, for example: linkding/
      # Must end with a slash `/`
      "LD_CONTEXT_PATH"="";
      # Username of the initial superuser to create, leave empty to not create one
      "LD_SUPERUSER_NAME"="";
      # Option to disable background tasks
      "LD_DISABLE_BACKGROUND_TASKS"="False";
      # Option to disable URL validation for bookmarks completely
      "LD_DISABLE_URL_VALIDATION"="False";
      # List of trusted origins from which to accept POST requests
      # See docs/Options.md for more details
      "LD_CSRF_TRUSTED_ORIGINS"="";
      # OIDC
      "LD_ENABLE_OIDC" = "True";
      "OIDC_OP_AUTHORIZATION_ENDPOINT"="https://${config.homelab.authDomain}/ui/oauth2";
      "OIDC_OP_TOKEN_ENDPOINT"="https://${config.homelab.authDomain}/oauth2/token";
      "OIDC_OP_USER_ENDPOINT"="https://${config.homelab.authDomain}/oauth2/openid/linkding/userinfo";
      "OIDC_OP_JWKS_ENDPOINT"="https://${config.homelab.authDomain}/oauth2/openid/linkding/public_key.jwk";
      "OIDC_RP_SIGN_ALGO"="ES256";
      "OIDC_RP_CLIENT_ID"="linkding";
      # Database settings
      # These are currently only required for configuring PostreSQL.
      # By default, linkding uses SQLite for which you don't need to configure anything.
      # Database engine, can be sqlite (default) or postgres
      "LD_DB_ENGINE"="sqlite";
      # Database name (default: linkding)
      "LD_DB_DATABASE"="";
      # Username to connect to the database server  (default: linkding)
      "LD_DB_USER"="";
      # Password to connect to the database server
      "LD_DB_PASSWORD"="";
    };
  };
  services.caddy.virtualHosts."bookmark.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:9090
      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/media/arr.nix
+++ b/modules/services/media/arr.nix
@ -3,95 +3,83 @@
 {
  users.groups.media = {};
-  #
+  # Finding/Requesting downloading
  # Downloading movies
  services.radarr = {
    enable = true;
    openFirewall = false;
-    dataDir = "/media/apps/radarr";
+    dataDir = "/var/lib/radarr";
    group = "media";
  };
  services.caddy.virtualHosts."radarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      # For tinyauth
      reverse_proxy http://localhost:7878 {
        header_up -X-Forwarded-For
      }
      import block_non_private_ips
      import tinyauth_forwarder *
    '';
  };
  #
  # Downloading shows
  services.sonarr = {
    enable = true;
    openFirewall = false;
-    dataDir = "/media/apps/sonarr";
+    dataDir = "/var/lib/sonarr";
    group = "media";
  };
  services.caddy.virtualHosts."sonarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8989 {
        header_up -X-Forwarded-For
      }
      import block_non_private_ips
      import tinyauth_forwarder *
    '';
  };
  #
  # Managing Torrent sources
  services.prowlarr = {
    enable = true;
    openFirewall = false;
    dataDir = "/media/apps/prowlarr";
  };
-  services.caddy.virtualHosts."prowlarr.${config.homelab.domain}" = {
+  services.bazarr = {
-    useACMEHost = config.homelab.domain;
+    enable = true;
-    extraConfig = ''
+    openFirewall = false;
-      reverse_proxy http://localhost:9696 {
+    group = "media";
        header_up -X-Forwarded-For
      }
      import tinyauth_forwarder *
      import block_non_private_ips
    '';
  };
-  #
+  # Downloading files
  # Downloading torrents
  services.deluge = {
    enable = true;
    dataDir = "/media/apps/deluge";
    web.enable = true;
    web.openFirewall = false;
    group = "media";
  };
  # Requesting Frontend
  services.jellyseerr = {
    enable = true;
    port = 5055;
    openFirewall = false;
    package = pkgs.jellyseerr;
  };
  services.caddy.virtualHosts."radarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:7878
    '';
  };
  services.caddy.virtualHosts."sonarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8989
    '';
  };
  services.caddy.virtualHosts."prowlarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:9696
    '';
  };
  services.caddy.virtualHosts."bazarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:6767
    '';
  };
  services.caddy.virtualHosts."deluge.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
-      reverse_proxy http://localhost:8112 {
+      reverse_proxy http://localhost:8112
        header_up -X-Forwarded-For
      }
      import tinyauth_forwarder *
      import block_non_private_ips
    '';
  };
-
+  services.caddy.virtualHosts."jellyseer.${config.homelab.domain}" = {
-  # setup network samba share
+    useACMEHost = config.homelab.domain;
-  services.samba.settings = {
+    extraConfig = ''
-    "media" = {
+      reverse_proxy http://localhost:5055
-      "path" = "/media/media";
+    '';
      "valid users" = "@users";
      "force user" = "nobody";
      "public" = "no";
      "read only" = "yes";
    };
  };
 }
--- a/modules/services/media/jellyfin.nix
+++ b/modules/services/media/jellyfin.nix
@ -6,7 +6,6 @@
    enable = true;
    openFirewall = false;
    group = "media";
    dataDir = "/media/apps/jellyfin";
  };
  users.users.jellyfin.extraGroups = [ "render" "video" ];
@ -15,7 +14,6 @@
 #    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8096
      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/miniflux.nix
+++ b/modules/services/miniflux.nix
@ -10,7 +10,7 @@
    # OAUTH2_CLIENT_ID = "<client ID>";
    # OAUTH2_CLIENT_SECRET = "<client secret>";
    # https://pocket-id.org/docs/client-examples/miniflux/
-    adminCredentialsFile = /media/secrets/miniflux;
+    adminCredentialsFile = /var/lib/miniflux/oidc;
    config = {
      LISTEN_ADDR = "0.0.0.0:8021";
@ -33,7 +33,7 @@
      FILTER_ENTRY_MAX_AGE_DAYS = 1825; # 5 years
      FORCE_REFRESH_INTERVAL = 30;
-      POLLING_FREQUENCY = 180;
+      POLLING_FREQUENCY = 60;
      OAUTH2_PROVIDER = "oidc";
      OAUTH2_REDIRECT_URL = "https://rss.${config.homelab.domain}/oauth2/oidc/callback";
@ -44,15 +44,10 @@
    };
  };
  systemd.tmpfiles.rules = [
    "f /media/secrets/miniflux 0400 root root"
  ];
  services.caddy.virtualHosts."rss.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8021
      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/pocketid.nix
+++ b/modules/services/pocketid.nix
@ -19,7 +19,6 @@
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8025
      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@ -1,17 +0,0 @@
 { config, ... }:
 {
  services.samba = {
    enable = true;
    openFirewall = true;
    settings = {
      global = {
        "workgroup" = "WORKGROUP";
        "server string" = "${config.networking.hostName}";
        "netbios name" = "${config.networking.hostName}";
        "security" = "user";
      };
    };
  };
 }
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@ -6,6 +6,7 @@
    enable = true;
    allowSFTP = true;
    openFirewall = true;
    authorizedKeysInHomedir = false;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
--- a/modules/services/uptime-kuma.nix
+++ b/modules/services/uptime-kuma.nix
@ -9,15 +9,6 @@
    };
  };
  systemd.tmpfiles.rules = [
    "d /media/apps/uptime-kuma 0700 root root"
  ];
  fileSystems."/var/lib/private/uptime-kuma" = {
    device = "/media/apps/uptime-kuma";
    options = [ "bind" ];
  };
  services.caddy.virtualHosts."status.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
--- a/modules/shell.nix
+++ b/modules/shell.nix
@ -4,11 +4,8 @@
  programs.zsh.enable = true;
  programs.zsh.promptInit = ( builtins.readFile ../stow/.zshrc );
  programs.fish.enable = true;
  environment.systemPackages = with pkgs; [
    neovim
    yazi
    git
    zoxide
    tlrc
--- a/modules/users/alex.nix
+++ b/modules/users/alex.nix
@ -1,9 +0,0 @@
 { config, lib, pkgs, ...}:
 {
  users.users.alex = {
    description = "Alexander";
    isNormalUser = true;
    extraGroups = [ ];
  };
 }
--- a/modules/users/nico.nix
+++ b/modules/users/nico.nix
@ -4,10 +4,10 @@
  users.users.nico = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
-    shell = pkgs.fish;
+    shell = pkgs.zsh;
  };
  users.users.nico.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFs7CxmkYo58hRm9bGdg7J3500tChjMz/KaDBs0fw975"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzUJnqCpbRxggjyIZo4KWnTyHobPdi/xXkN1/n/yIMD"
  ];
 }
--- a/modules/users/rhys.nix
+++ b/modules/users/rhys.nix
@ -9,6 +9,6 @@
  users.users.rhys.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0Pce0wQKV+wI7rCIiUZgqqkiodTXZ6fMiZezLy9uZk" # laptop
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmLm9HwZXDbySVupNHPlGMtm6Vwx4nxVp2tsGvuSLUr" # phone
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+HNs1/r4LMQsfpqXhU7396q5zL9hvfcNdiQSUTIl4R" # phone
  ];
 }
--- a/modules/virtualisation/virt-manager.nix
+++ b/modules/virtualisation/virt-manager.nix
@ -1,8 +0,0 @@
 { config, ... }:
 {
  virtualisation.libvirtd.enable = true;
  programs.virt-manager.enable = true;
  services.qemuGuest.enable = true;
  services.spice-vdagentd.enable = true;  # enable copy and paste between host and guest
 }
--- a/stow/.config/aerospace/aerospace.toml
+++ b/stow/.config/aerospace/aerospace.toml
@ -1,172 +0,0 @@
 # You can use it to add commands that run after AeroSpace startup.
 # Available commands : https://nikitabobko.github.io/AeroSpace/commands
 after-startup-command = [
  'exec-and-forget borders active_color=0xfff74f9e inactive_color=0xffffa8f1 width=6.0',
  'exec-and-forget sh ~/.cache/matugen-jankyborders.sh',
  'exec-and-forget sketchybar'
 ]
 # Notify Sketchybar about workspace change
 exec-on-workspace-change = ['/bin/bash', '-c',
    'sketchybar --trigger aerospace_workspace_change FOCUSED_WORKSPACE=$AEROSPACE_FOCUSED_WORKSPACE'
 ]
 # Start AeroSpace at login - breaks nix darwin
 start-at-login = false
 # Normalizations. See: https://nikitabobko.github.io/AeroSpace/guide#normalization
 enable-normalization-flatten-containers = true
 enable-normalization-opposite-orientation-for-nested-containers = true
 # See: https://nikitabobko.github.io/AeroSpace/guide#layouts
 # The 'accordion-padding' specifies the size of accordion padding
 # You can set 0 to disable the padding feature
 accordion-padding = 30
 # Possible values: tiles|accordion
 default-root-container-layout = 'tiles'
 # Possible values: horizontal|vertical|auto
 # 'auto' means: wide monitor (anything wider than high) gets horizontal orientation,
 #               tall monitor (anything higher than wide) gets vertical orientation
 default-root-container-orientation = 'auto'
 # Mouse follows focus when focused monitor changes
 # Drop it from your config, if you don't like this behavior
 # See https://nikitabobko.github.io/AeroSpace/guide#on-focus-changed-callbacks
 # See https://nikitabobko.github.io/AeroSpace/commands#move-mouse
 # Fallback value (if you omit the key): on-focused-monitor-changed = []
 on-focused-monitor-changed = ['move-mouse monitor-lazy-center']
 # You can effectively turn off macOS "Hide application" (cmd-h) feature by toggling this flag
 # Useful if you don't use this macOS feature, but accidentally hit cmd-h or cmd-alt-h key
 # Also see: https://nikitabobko.github.io/AeroSpace/goodies#disable-hide-app
 automatically-unhide-macos-hidden-apps = true
 # Possible values: (qwerty|dvorak|colemak)
 # See https://nikitabobko.github.io/AeroSpace/guide#key-mapping
 [key-mapping]
 preset = 'qwerty'
 # Gaps between windows (inner-*) and between monitor edges (outer-*).
 # Possible values:
 # - Constant:     gaps.outer.top = 8
 # - Per monitor:  gaps.outer.top = [{ monitor.main = 16 }, { monitor."some-pattern" = 32 }, 24]
 #                 In this example, 24 is a default value when there is no match.
 #                 Monitor pattern is the same as for 'workspace-to-monitor-force-assignment'.
 #                 See:
 #                 https://nikitabobko.github.io/AeroSpace/guide#assign-workspaces-to-monitors
 [gaps]
    inner.horizontal = 12
    inner.vertical =   12
    outer.left =       12
    outer.bottom =     12
    outer.top =        6
    outer.right =      12
 [[on-window-detected]]
    if.app-id = 'com.objective-see.lulu.app'
    check-further-callbacks = true
    run = 'layout floating'
 [mode.main.binding]
 # All possible keys:
 # - Letters.        a, b, c, ..., z
 # - Numbers.        0, 1, 2, ..., 9
 # - Keypad numbers. keypad0, keypad1, keypad2, ..., keypad9
 # - F-keys.         f1, f2, ..., f20
 # - Special keys.   minus, equal, period, comma, slash, backslash, quote, semicolon,
 #                   backtick, leftSquareBracket, rightSquareBracket, space, enter, esc,
 #                   backspace, tab, pageUp, pageDown, home, end, forwardDelete,
 #                   sectionSign (ISO keyboards only, european keyboards only)
 # - Keypad special. keypadClear, keypadDecimalMark, keypadDivide, keypadEnter, keypadEqual,
 #                   keypadMinus, keypadMultiply, keypadPlus
 # - Arrows.         left, down, up, right
 # All possible modifiers: cmd, alt, ctrl, shift
 # All possible commands: https://nikitabobko.github.io/AeroSpace/commands
 # App keybinds
 alt-shift-f = 'exec-and-forget open ~'
 alt-shift-b = 'exec-and-forget /Applications/Zen.app/Contents/MacOS/zen --new-window'
 alt-s       = 'exec-and-forget screencapture -i -c'
 alt-shift-w       = 'exec-and-forget $HOME/.config/aerospace/toggle-tiling.sh off'
 # Layout
 # See: https://nikitabobko.github.io/AeroSpace/commands#layout
 alt-c = 'layout tiles horizontal vertical'
 alt-comma = 'layout accordion horizontal vertical'
 alt-space = 'layout floating tiling'
 alt-f = 'fullscreen'
 # Moving Focus
 # See: https://nikitabobko.github.io/AeroSpace/commands#focus
 alt-h = 'focus left'
 alt-j = 'focus down'
 alt-k = 'focus up'
 alt-l = 'focus right'
 # Moving windows
 # See: https://nikitabobko.github.io/AeroSpace/commands#move
 alt-shift-h = 'move left'
 alt-shift-j = 'move down'
 alt-shift-k = 'move up'
 alt-shift-l = 'move right'
 alt-ctrl-h = 'join-with left'
 alt-ctrl-j = 'join-with down'
 alt-ctrl-k = 'join-with up'
 alt-ctrl-l = 'join-with right'
 # Resizing Windows
 # See: https://nikitabobko.github.io/AeroSpace/commands#resize
 alt-minus = 'resize smart -50'
 alt-equal = 'resize smart +50'
 # See: https://nikitabobko.github.io/AeroSpace/commands#workspace
 alt-1 = 'workspace 1'
 alt-2 = 'workspace 2'
 alt-3 = 'workspace 3'
 alt-4 = 'workspace 4'
 alt-5 = 'workspace 5'
 alt-6 = 'workspace 6'
 alt-7 = 'workspace 7'
 alt-8 = 'workspace 8'
 alt-9 = 'workspace 9'
 # See: https://nikitabobko.github.io/AeroSpace/commands#move-node-to-workspace
 alt-shift-1 = 'move-node-to-workspace --focus-follows-window 1'
 alt-shift-2 = 'move-node-to-workspace --focus-follows-window 2'
 alt-shift-3 = 'move-node-to-workspace --focus-follows-window 3'
 alt-shift-4 = 'move-node-to-workspace --focus-follows-window 4'
 alt-shift-5 = 'move-node-to-workspace --focus-follows-window 5'
 alt-shift-6 = 'move-node-to-workspace --focus-follows-window 6'
 alt-shift-7 = 'move-node-to-workspace --focus-follows-window 7'
 alt-shift-8 = 'move-node-to-workspace --focus-follows-window 8'
 alt-shift-9 = 'move-node-to-workspace --focus-follows-window 9'
 # See: https://nikitabobko.github.io/AeroSpace/commands#workspace-back-and-forth
 alt-tab = 'workspace-back-and-forth'
 # See: https://nikitabobko.github.io/AeroSpace/commands#mode
 # See: https://nikitabobko.github.io/AeroSpace/guide#binding-modes
 alt-shift-semicolon = 'mode service'
 [mode.service.binding]
 esc = ['reload-config', 'mode main']
 r = ['flatten-workspace-tree', 'mode main'] # reset layout
 f = ['layout floating tiling', 'mode main'] # Toggle between floating and tiling layout
 backspace = ['close-all-windows-but-current', 'mode main']
 alt-shift-h = ['join-with left', 'mode main']
 alt-shift-j = ['join-with down', 'mode main']
 alt-shift-k = ['join-with up', 'mode main']
 alt-shift-l = ['join-with right', 'mode main']
 down = 'volume down'
 up = 'volume up'
 shift-down = ['volume set 0', 'mode main']
--- a/stow/.config/aerospace/toggle-tiling.sh
+++ b/stow/.config/aerospace/toggle-tiling.sh
@ -1,45 +0,0 @@
 #!/bin/sh
 disableTiling () { 
  defaults write com.apple.dock orientation bottom
  defaults write com.apple.dock autohide -bool FALSE
  defaults write com.apple.finder CreateDesktop true
  killall Finder Dock sketchybar borders
  aerospace enable off # fails when script called from aerospace directly, bin not in path
  /run/current-system/sw/bin/aerospace enable off
  osascript -e 'tell application "System Events"
    tell dock preferences
        set properties to {autohide menu bar:false, autohide:false}
    end tell
  end tell' -e 'tell application "System Events" to set visible of (every application process whose visible is true and name is not "Finder") to false'
 }
 enableTiling () { 
  aerospace enable on
  sketchybar & disown
  sh ~/.cache/matugen-jankyborders.sh & disown
  defaults write com.apple.dock orientation right
  defaults write com.apple.dock autohide -bool FALSE
  defaults write com.apple.finder CreateDesktop false
  killall Dock Finder
  osascript -e '
  tell application "System Events"
      tell dock preferences
          set properties to {autohide menu bar:true, autohide:true}
      end tell
  end tell
 '
 }
 if [ "$1" = "on" ]; then
  enableTiling
 elif [ "$1" = "off" ]; then
  disableTiling
 else
  echo "$0: [on|off]"
 fi
--- a/stow/.config/fastfetch/ascii.txt
+++ b/stow/.config/fastfetch/ascii.txt
@ -0,0 +1,19 @@
 $4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀$3⡀$4  ⡣⠨⡂⠄⠠⠠⠠⡀⡂⠄⠄⠄⢄⢀⢀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
 $4⠀⠀⠀⠀⠀⠀⠀⢀⠠⠨ $3⡡$4⢪⠂⡃⠔⡨⠨⡨⠨⡐⠌⠌⢌⠊⠔⡐⡐⡡⢂⢑⢐⠄⠠⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
 $4⠀⠀⠀⠄⠄⢆⠁⡀⠨⠨⡐⡐$3⢅$4⠊⠄⠕⡐⠡⡂⡑⠄⢅⠅⠕⡨⢈⢂⢂⠢⢂⠅⡂⡪⠨$3⡀$4⠂⠠⠀⢠⠠⢒⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
 $4⠀⠀⠀⠀⠀⡠⠊⢄⠅⢅⢂⠎⡐$3⡡$4⢑⠡⠊⢔⠐⡌⢌⢂⠪⢐⠌⠔⡐⡡⠨⠂⠌⡂⡂$3⠅$4⢌⠢⠐⠐⠣⡘⣸⢈⠢⠐⠀⠀⠀⠀⠀⠀⠀⠀
 $4⠀⠀⠀⠠⢁⠢⡡⠡⢊⢐⠔⡡⢂$3⠊$4⠔⡨⢌⢂⠕⡨⠐⠄⢕⢐⠜⠌⠔⡐⡡⠕⠡⠠$3⠠$4⡈⢀⠈⢀⠐⠈⠄⡇⠢⡡⢑⠒⠐⠀⠀⠀⠀⠀⠀
 $4⠀⠀⠠⡁⡪⢐⠌⢌⢂⢆⡇⡢⢂⠕⡁⡪⢂⢢⢑⢐⠅⡕⠕⠁⢕⠡⢑⢐⠒⢱⠡⢑$3⠡$4⠨⢂⠌⠢⢐⠄⠘⡌⢌⢂⠅⢪⢀⠀⠀⠀⠀⠀⠀
 $4⠀⠀⡢⢊⠔⢡⠪⡐⠔⡮⣺⢐⢐⠌⠔⠅⠕⢕⢐⢅$1⠘⠁⡀⠂$4⡇⠌⡂⠎$1⡀$4⡌⢌⢂⠅$3⠕$4⠡⠨⢊⠔⡈⡂⡰⢐⢐⠅⠅⡀⠁⠄⠀⠀⠀⠀
 $4⠀⢐⠌⡂⢮⡫⢂⠪⡰⣝⢮⡣⢂⠅⢍⠈⡰$2⣖⣵⡗⠣$1⠁$4⢀⠀⠇⠅⡊$1⢀⠁⠀$4⠒⡰⡈⣎⢌⢊⠔⢔⠨⡐⢵⡐⡡⠨⡊⡀⠀⠀⠀⠀⠀⠀
 $4⠀⠕⠌⠂⢸⠐⢅⢊⠎⠊⡗⣱⢐⠡⡂⣜⠁$2⣜⢷⣳⢂$1⠐$4⠀⠠⠨$1⠈⡀⢀$2⠨⣫⣖⢦$4⢊⢨⢂⢂⠇⢅⠊⢜⡮⡺⡌⢌⡖⡐⠀⠀⠀⠀⠀⠀
 $4⠈⠈⠀⠀⠆⢕⠡⢢⠀⠸⢨⢚⢄⢑$1⠠⠐⠀$2⠣⣱⠑⠀$1⠄⠈⠀⠄⠂⠀⡀$2⢰⣗⣧⡉⢧$4⢐⠢⢭⠃⢅⢊⢇⠫⡫$5⡎⡢⢏⢆⠀⠀⠀⠀⠀⠀
 $4⠀⠀⠀⠀⢕⠡⢊⢮⡂⠀⢊⠪⡢⢢$1⠀⠄⠂⢀⠀⠄⠁⡀⢈⠀⠄⠐⠀⡀$2⢇⠗⡵⠁⢵⠀$4⡽⣱⠡⡑⡌⠆⡆$5⠫⡎⡄⢸⡐⠀⠀⠀⠀⠀⠀
 $4⠀⠀⠀⠀⡃⡊⡢⡗⠀⠀⠀⠀⢂⢕$1⠀⠄⠂⠀⠄⠐⠀⡀⠠⠀⠆⢀⠁⢀⠀⠡⠀⠄⠂$4⡸⡝⡮$5⡂⡲⠘⠈⠁⠘⠑⢀⢠⠇⠀⠀⠀⠀⠀⠀
 $4⠀⠀⠀⠀⢐⢑⠜⠀⠀⠀⠀⠀⠀⠂$1⠈⠠⢀⢁⠀⠂⠁⢀⠠⠐⡀⠄⠐⠀⡀⢁⠐⠀⢢$4⡫⡳$5⡱⡈$3⢀⢄⠅$5⠀⠠⠀⠀⠈⠠⠀⠀⠀⠀⠀⠀
 $4⠀⠀⠀⠀⠀⢅⠅⠀⠀⠀⠀⠀⠀⠀$1⠀⠀⠀⠀⠂⣄⡁⡀⠄⠂⢀⠠⠐⠀⢄⢠⡰⡸$4⣜⠮$5⡃⡆⠀⠀$3⠁⠁$5⠀⢀⠀⠈⢀⠀⠁⠀⠄⠠⠀⡀
 $5⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⡖⡌⢣⡒⡖⡆⡎⡏⡍⠔      $5⣅⠀⠈⠀⠐⡈⠀⠀$3⠸⣪$5⠀⢠⠉⢪⠪⡱⠐
 $6⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⠀⠄⠀$6⡀⣄⣼⣿⣿⡌⡆⡣⢣⡱⡣⢣⠩⡊⢆⢑⠌⢀⠝⡌$5⠌⢇⢧⢓⢄⠁⠀⠀⡀⠠⠀⠀⡀⢨⢊⠈⠀⠀⠀
 $6⠀⠀⠀⠀⠀⠀⠀⠀⠠⠁⠀⠠⠀$6⢮⣟⣔⢮⣖⢽$7⣝⢮⡢⡓⢜⣜⢮$6⢬⣀⢶⠀⠈⠑⡀⠂⢱⠁$5⡔⢔⢑⢄⢅⢀⡀⠠⡠⠐⠁⠁⠁⠀⠀⠀
 $6⠀⠀⠀⠀⠀⠀⠀⠠⠁⡀⠈⡀⠀$6⣟⣞⣞⢞⡮$7⡷⡽$8⣿⣿⣿⣿⣿$7⡽⣕$6⢷⢝⣖⡌⠀⠀⠠⠁⠠$5⠨⠢⠃⠑⠨⠢⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
 $6⠀⠀⠀⠀⠀⠀⣠⣡⣾⡀⠄⠐⠀$6⢗⡷⣝⣗$7⡯⡯$8⣿⣿⣿⣿⣿⣿⣿$7⢽⢽$6⣕⣗⠀⠄⠈⢀⠀⠡⠀⠅⠀⡢⠀⢨⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
--- a/stow/.config/fastfetch/config.jsonc
+++ b/stow/.config/fastfetch/config.jsonc
@ -1,8 +1,32 @@
 {
    "logo": {
        "source": "$HOME/.config/fastfetch/ascii.txt",
        "padding": {
            "top": 2,
            "right": 6
        },
        "color": {
          "1": "38;5;231", // skin
          "4": "38;5;217", // hair
          "2": "38;5;206", // eyes
          "3": "38;5;196", // hair tie
          "5": "38;5;15", // kyubey
          "6": "38;5;212", // clothes
          "7": "38;5;241", // gem border
          "8": "38;5;219", // gem inside
          "9": "white",
        },
    },
    "display": {
        "separator": " ",
        "color": {
          "title": "38;5;206",
          "keys":  "38;5;219",
        },
    },
    "modules": [
        "break",
        "break",
        {
            "type": "title",
            "keyWidth": 10,
@ -17,12 +41,8 @@
            "key": " ",
        },
        {
-            "type": "wm",
+            "type": "packages",
-            "key": " ",
+            "key": " ",
        },
        {
            "type": "shell",
            "key": " ",
        },
        "break",
        {
@ -39,18 +59,27 @@
        },
        "break",
        {
-            "type": "packages",
+            "type": "shell",
-            "key": " ",
+            "key": " ",
        },
        {
-            "type": "media",
+            "type": "terminal",
-            "key": "󰝚 ",
+            "key": " ",
        },
        {
            "type": "wm",
            "key": " ",
        },
        {
            "type": "uptime",
            "key": " ",
        },
        {
            "type": "media",
            "key": "󰝚 ",
        },
        "break",
        "colors",
        "break",
        "colors"
    ]
 }
--- a/stow/.config/fish/.gitignore
+++ b/stow/.config/fish/.gitignore
@ -1 +0,0 @@
 fish_variables
--- a/stow/.config/fish/config.fish
+++ b/stow/.config/fish/config.fish
@ -1,92 +0,0 @@
 if status is-interactive
  # Commands to run in interactive sessions can go here
  #
  # shell prompt 
  #
  # match prompt symbol to OS logo
  if test -e /etc/os-release
    posix-source /etc/os-release
  end
  if test -e /System
    set os_icon ""
    eval "$(/opt/homebrew/bin/brew shellenv)"
  else if [ "$ID" = "nixos" ]
    set os_icon ""
  else if [ "$ID" = "debian" ]
    set os_icon ""
  else if [ "$ID" = "fedora" ]
    set os_icon ""
  else if [ "$ID" = "arch" ]
    set os_icon "󰣇"
  else
    set os_icon "\$"
  end
  # set prompt colours
  if test -e ~/.cache/zsh_colours.sh
    posix-source-universal (string replace -fra "{|}|#|\"" "" (cat ~/.cache/zsh_colours.sh) | psub)
  else
    set -Ux PRIMARY_COLOUR blue
    set -Ux SECONDARY_COLOUR purple
  end
  # construct final prompt
  function fish_prompt
    # turn os_icon red if an error occurs
    set -l prompt_icon
    if test $status -ne 0
      set prompt_icon (set_color red)"$os_icon"(set_color normal)
    else
      set prompt_icon "$os_icon"
    end
    # set ssh status
    set -l ssh_status
    if set -q SSH_CONNECTION
      set ssh_status (prompt_login)
    end
    # concatenate $HOME to a ~ eg. /home/user to ~
    set shorten_path (string replace -r "^$HOME" "~" "$PWD")
    echo (set_color $PRIMARY_COLOUR)$shorten_path $ssh_status (set_color $SECONDARY_COLOUR)$prompt_icon (set_color normal) 
  end
  #
  # shell intergration
  #
  zoxide init fish | source
  #
  # environment variables
  #
  set -gx EDITOR nvim
  set fish_greeting ""
  set HOMEBREW_AUTO_UPDATE_SECS 86400
  # xdg variables
  set -gx XDG_CONFIG_HOME "$HOME/.config"      # config
  set -gx XDG_CACHE_HOME "$HOME/.cache"        # cache
  set -gx XDG_DATA_HOME "$HOME/.local/share"  # data files eg. /usr/share
  set -gx XDG_STATE_HOME "$HOME/.local/state"  # state files eg. /var/lib
  # make apps use XDG folders
  set -gx PYTHON_HISTORY "$XDG_STATE_HOME"/python_history
  set -gx PYTHONPYCACHEPREFIX "$XDG_CACHE_HOME"/python
  set -gx PYTHONUSERBASE "$XDG_DATA_HOME"/python
  set -gx GOPATH "$XDG_STATE_HOME"/go
  set -gx GOMODCACHE "$XDG_CACHE_HOME"/go/mod
  set -gx NPM_CONFIG_USERCONFIG "$XDG_CONFIG_HOME"/npm/npmrc
  function wget --wraps=wget
    wget --hsts-file="$XDG_STATE_HOME/wget-hsts" $argv
  end
 end
--- a/stow/.config/fish/functions/cat.fish
+++ b/stow/.config/fish/functions/cat.fish
@ -1,4 +0,0 @@
 function cat --wraps=bat --description 'alias cat bat'
  bat $argv
 end
--- a/stow/.config/fish/functions/ff.fish
+++ b/stow/.config/fish/functions/ff.fish
@ -1,4 +0,0 @@
 function ff --wraps=fastfetch --description 'alias ff=fastfetch'
  fastfetch $argv
 end
--- a/stow/.config/fish/functions/ga.fish
+++ b/stow/.config/fish/functions/ga.fish
@ -1,4 +0,0 @@
 function ga --wraps='git add' --description 'alias ga=git add'
  git add $argv
 end
--- a/stow/.config/fish/functions/gc.fish
+++ b/stow/.config/fish/functions/gc.fish
@ -1,4 +0,0 @@
 function gc --wraps='git commit' --description 'alias gc=git commit'
  git commit $argv
 end
--- a/stow/.config/fish/functions/glo.fish
+++ b/stow/.config/fish/functions/glo.fish
@ -1,4 +0,0 @@
 function glo --wraps='git log' --description 'alias glo=git log'
  git log $argv
 end
--- a/stow/.config/fish/functions/gph.fish
+++ b/stow/.config/fish/functions/gph.fish
@ -1,4 +0,0 @@
 function gph --wraps='git push' --description 'alias gph=git push'
  git push $argv
 end
--- a/stow/.config/fish/functions/gpl.fish
+++ b/stow/.config/fish/functions/gpl.fish
@ -1,4 +0,0 @@
 function gpl --wraps='git pull' --description 'alias gpl=git pull'
  git pull $argv
 end
--- a/stow/.config/fish/functions/gs.fish
+++ b/stow/.config/fish/functions/gs.fish
@ -1,4 +0,0 @@
 function gs --wraps='git status' --description 'alias gs=git status'
  git status $argv
 end
--- a/stow/.config/fish/functions/la.fish
+++ b/stow/.config/fish/functions/la.fish
@ -1,4 +0,0 @@
 function la --wraps='ls -ah --color=auto' --description 'alias la=ls -ah --color=auto'
  ls -ah --color=auto $argv
 end
--- a/stow/.config/fish/functions/ll.fish
+++ b/stow/.config/fish/functions/ll.fish
@ -1,4 +0,0 @@
 function ll --wraps='ls -l' --wraps='ls -ahl --color=auto' --description 'alias ll=ls -ahl --color=auto'
  ls -ahl --color=auto $argv
 end
--- a/stow/.config/fish/functions/ls.fish
+++ b/stow/.config/fish/functions/ls.fish
@ -1,4 +0,0 @@
 function ls --description 'alias ls=ls -h --color=auto'
 command ls -h --color=auto $argv
 end
--- a/stow/.config/fish/functions/posix-source-universal.fish
+++ b/stow/.config/fish/functions/posix-source-universal.fish
@ -1,6 +0,0 @@
 function posix-source-universal
 	for i in (cat $argv)
 		set arr (echo $i |tr = \n)
  		set -Ux $arr[1] $arr[2]
 	end
 end
--- a/stow/.config/fish/functions/posix-source.fish
+++ b/stow/.config/fish/functions/posix-source.fish
@ -1,6 +0,0 @@
 function posix-source
 	for i in (cat $argv)
 		set arr (echo $i |tr = \n)
  		set -gx $arr[1] $arr[2]
 	end
 end
--- a/stow/.config/fish/functions/rm.fish
+++ b/stow/.config/fish/functions/rm.fish
@ -1,4 +0,0 @@
 function rm --wraps=trash --description 'alias rm trash'
  trash $argv
 end
--- a/stow/.config/fish/functions/v.fish
+++ b/stow/.config/fish/functions/v.fish
@ -1,4 +0,0 @@
 function v --wraps=nvim --description 'alias v nvim'
  nvim $argv
 end
--- a/stow/.config/fish/functions/vi.fish
+++ b/stow/.config/fish/functions/vi.fish
@ -1,4 +0,0 @@
 function vi --wraps=nvim --description 'alias vi nvim'
  nvim $argv
 end
--- a/stow/.config/fish/functions/vim.fish
+++ b/stow/.config/fish/functions/vim.fish
@ -1,4 +0,0 @@
 function vim --wraps=nvim --description 'alias vim nvim'
  nvim $argv
 end
--- a/stow/.config/fish/functions/y.fish
+++ b/stow/.config/fish/functions/y.fish
@ -1,8 +0,0 @@
 function y
 	set tmp (mktemp -t "yazi-cwd.XXXXXX")
 	command yazi $argv --cwd-file="$tmp"
 	if read -z cwd < "$tmp"; and [ -n "$cwd" ]; and [ "$cwd" != "$PWD" ]
 		builtin cd -- "$cwd"
 	end
 	command rm -f -- "$tmp"
 end
--- a/Show more
+++ b/Show more