who up grading to 26.05

git-subtree-dir: old-conf
git-subtree-mainline: 4667974392
git-subtree-split: 62a64a79a8

.helix/languages.toml

@@ -1,6 +1,11 @@
-[language-server.nil]
-command = "nil"
+[language-server.nixd]
+command = "nixd"
+# args = ["--log=debug"]
+[language-server.nixd.config.nixd]
+nixpkgs = { expr = "import (builtins.getFlake (builtins.toString ./.)).inputs.nixpkgs { }" }
+options = { nixos = { expr = "(builtins.getFlake (builtins.toString ./.)).colmenaHive.nodes.theseus.options" }}#, home-manager = { expr = "(builtins.getFlake (builtins.toString ./.)).colmenaHive.nodes.theseus.options.home-manager.users.type.getSubOptions []" } }
+
 [[language]]
 name = "nix"
 formatter = {command = "nixfmt"}
-language-servers = [ "nil" ]
+language-servers = [ "nixd" ]

flake.nix

@@ -15,12 +15,19 @@
     colmena.url = "github:zhaofengli/colmena/release-0.4.x";
     colmena.inputs.nixpkgs.follows = "nixpkgs";
 
+    
+    oldConf.url = "github:thexyno/nixos-config";
     # software
+    rust-overlay = { # https://github.com/nix-community/lanzaboote/issues/485#issuecomment-3466684727
+      url = "github:oxalica/rust-overlay";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     lanzaboote = {
       url = "github:nix-community/lanzaboote/v0.4.2";
 
       # Optional but recommended to limit the size of your system closure.
       inputs.nixpkgs.follows = "nixpkgs";
+      inputs.rust-overlay.follows = "rust-overlay";
     };
 
     zen-browser.url = "github:0xc000022070/zen-browser-flake";
@@ -33,10 +40,6 @@
     niri.inputs.nixpkgs.follows = "nixpkgs-master";
     xwayland-satellite.url = "github:Supreeeme/xwayland-satellite";
     xwayland-satellite.inputs.nixpkgs.follows = "nixpkgs-master";
-    nheko.url = "github:Nheko-Reborn/nheko";
-    nheko.flake = false;
-    mtxclient.url = "github:Nheko-Reborn/mtxclient";
-    mtxclient.flake = false;
     nix-ci.url = "git+https://git.xyno.systems/xyno/nix-ci";
     nix-ci.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -49,13 +52,23 @@
     helix.inputs.nixpkgs.follows = "nixpkgs-master";
     # csharp-language-server.url = "github:sofusa/csharp-language-server";
     # csharp-language-server.inputs.nixpkgs.follows = "nixpkgs-master";
+    
 
-    # authentik
+    # # authentik
+
+    # authentik.url = "github:nix-community/authentik-nix";
+    # authentik.inputs.nixpkgs.follows = "nixpkgs";
+    # terranix.url = "github:terranix/terranix";
+    # terranix.inputs.nixpkgs.follows = "nixpkgs";
+
+    # non flake inputs, maybe use npins in the future?
+    adw-colors.url = "github:lassekongo83/adw-colors"; 
+    adw-colors.flake = false;
+    nheko.url = "github:Nheko-Reborn/nheko";
+    nheko.flake = false;
+    mtxclient.url = "github:Nheko-Reborn/mtxclient";
+    mtxclient.flake = false;
 
-    authentik.url = "github:nix-community/authentik-nix";
-    authentik.inputs.nixpkgs.follows = "nixpkgs";
-    terranix.url = "github:terranix/terranix";
-    terranix.inputs.nixpkgs.follows = "nixpkgs";
 
   };
 
@@ -101,7 +114,7 @@
         inputs.lanzaboote.nixosModules.lanzaboote
         inputs.sops-nix.nixosModules.sops
         inputs.impermanence.nixosModules.impermanence
-        inputs.authentik.nixosModules.default
+        # inputs.authentik.nixosModules.default
         inputs.nix-index-database.nixosModules.nix-index
       ]
       ++ (import ./modules/module-list.nix);
@@ -113,11 +126,19 @@
       importConfigs =
         n:
         map (x: {
-          ${x} = {nodes, ...}: {
-            networking.hostName = x;
-            imports = modules ++ [ (./instances/${x}) ];
-            _module.args.otherNodes = lib.filterAttrs (n: v: n != x) nodes;
-          };
+          ${x} =
+            { nodes, pkgs, ... }:
+            {
+              nixpkgs.overlays = overlays;
+              nix.package = pkgs.unstable.lixPackageSets.latest.lix;
+              networking.hostName = x;
+              imports = modules ++ [ (./instances/${x}) ];
+              _module.args.otherNodes = lib.filterAttrs (n: v: n != x) nodes;
+              deployment.privilegeEscalationCommand = [
+                "run0"
+                "--unit=colmena-apply"
+              ];
+            };
         }) n;
     in
     lib.foldl' lib.recursiveUpdate { } (
@@ -130,13 +151,9 @@
                   specialArgs = { inherit inputs; };
                   nixpkgs = genPkgs "x86_64-linux";
                 };
-                deployment.privilegeEscalationCommand = [
-                  "run0"
-                  "--unit=colmena-apply"
-                ];
               }
               (importConfigs [
-                "ds9"
+                "nemesis"
                 "picard"
                 "theseus"
               ])
@@ -178,6 +195,7 @@
           devShells.${system}.default = pkgs.mkShell {
             packages = [
               pkgs.nixfmt-rfc-style
+              pkgs.nixd
               pkgs.nil
               pkgs.sops
               (pkgs.runCommand "nix-config-bin" { } ''
@@ -187,7 +205,7 @@
               pkgs.colmena
             ]
             ++ (lib.attrValues self.packages.${system});
-            SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = lib.xyno.getDirs ./instances; });
+            SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = self.colmenaHive.nodes; });
 
           };
 

hm-modules/dark-theme.nix

@@ -23,10 +23,10 @@ in
       gtk4.extraConfig.gtk-application-prefer-dark-theme = 1;
       gtk3.extraConfig.gtk-application-prefer-dark-theme = 1;
     };
-    qt = {
-      enable = true;
-      style.name = "breeze";
-    };
+    # qt = {
+    #   enable = true;
+    #   style.name = "breeze";
+    # };
 
   };
 }

hm-modules/firefox.nix

@@ -362,7 +362,7 @@ in
             "user-filters" =
               ''marketplace.visualstudio.com##+js(rpnt, script, /"(DisableVSCodeDownloadButtonEnabled|Microsoft\\.VisualStudio\\.Services\\.Gallery\\.DisableVSCodeDownloadButton)":true/, "$1":false)'';
             "hostnameSwitchesString" =
-              "no-large-media: behind-the-scene false\nno-remote-fonts: * true\nno-csp-reports: * true";
+              "no-large-media: behind-the-scene false\nno-remote-fonts: * false\nno-csp-reports: * true";
 
           };
         };

hm-modules/git.nix

@@ -9,13 +9,14 @@ in
 {
   options.xyno.git.enable = lib.mkEnableOption "xynos git config";
   config = lib.mkIf cfg.enable {
+    programs.difftastic.git.enable = true;
+    programs.difftastic.enable = true;
     programs.git = {
       enable = true;
-      difftastic.enable = true;
       lfs.enable = true;
 
       # Default configs
-      extraConfig = {
+      settings = {
         commit.gpgSign = true;
         gpg.format = "ssh";
 

hm-modules/helix.nix

@@ -22,20 +22,21 @@ in
         # nodePackages_latest.prettier
         dprint
         markdown-oxide
-        codebook
+        # codebook
         ## python
         # ruff-lsp
         # nodePackages_latest.pyright
         # inputs.csharp-language-server.packages.${pkgs.system}.csharp-language-server
       ]
       ++ (optionals cfg.withLargeLSPs [
-        netcoredbg
         nodePackages_latest.typescript-language-server
         nodePackages_latest.vscode-langservers-extracted
         typescript
         # jsonnet-language-server
         # jsonnet
         lazygit
+        ltex-ls-plus # languagetool
+        tinymist # typst lsp
 
       ]);
     programs.helix = {
@@ -107,8 +108,7 @@ in
         keys = {
           normal = {
             space."=" = ":fmt";
-            "C-g" =
-              ":sh tmux popup -d \"#{pane_current_path}\" -xC -yC -w80%% -h80%% -E lazygit";
+            "C-g" = ":sh tmux popup -d \"#{pane_current_path}\" -xC -yC -w80%% -h80%% -E lazygit";
             "C-t" = ":sh tmux split-window -v -l '35%%'";
             "C-h" = ":sh tmux select-pane -t '{left-of}'";
             "C-l" = ":sh tmux select-pane -t '{right-of}'";
@@ -143,55 +143,143 @@ in
         language-server.csharp = {
           command = "csharp-language-server";
         };
-        language-server.codebook = {
-          command = "codebook-lsp";
-          args = ["serve"];
-        };
-        language = flatten [
-          (map
-            (x: {
-              name = x;
-              language-servers = [
-                "typescript-language-server"
-                "eslint"
-              ];
-              #formatter = { command = "dprint"; args = [ "fmt" "--stdin" x ]; };
-              # formatter = { command = "prettier"; args = [ "--parser" "typescript" ]; };
-            })
-            [
-              "typescript"
-              "javascript"
-              "jsx"
-              "tsx"
-            ]
-          )
-          {
-            name = "nix";
-            formatter = {
-              command = "nixpkgs-fmt";
-            };
-          }
-          {
-            name = "python";
-            language-servers = [
-              "pyright"
-              "ruff"
+        language-server.ltex = {
+          command = "ltex-ls-plus";
+          config = {
+            additionalRules.motherTongue = "de-DE";
+            additionalRules.enablePickyRules = true;
+            language = [
+              "en-US"
+              "de-DE"
             ];
-          }
-          {
-            name = "markdown";
-            language-servers = ["codebook"];
-          }
-          {
-            name = "c-sharp";
-            language-servers = [ "csharp" ];
-            formatter = {
-              command = "dotnet";
-              args = [ "csharpier" ];
-            };
+          };
+        };
+        language-server.tinymist = {
+          command = "tinymist";
+        };
+        # language-server.nil = {
+        #   command = "nil";
+        #   config.nil.nix = {
+        #     maxMemoryMB = 5120;
+        #     flake = {
+        #       autoEvalInputs = true;
+        #       autoArchive = true;
+        #     };
+        #   };
+        # };
+        language =
+          let
+            applySingleConfig =
+              languages: config:
+              let
+                applied =
+                  foldl'
+                    (
+                      acc: l:
+                      if (any (x: l.name == x) config.languages) then
+                        {
+                          done = acc.done ++ [
+                            (mkMerge [
+                              l
+                              config.conf
+                            ])
+                          ];
+                          notFound = filter (x: x != l.name) acc.notFound;
+                        }
+                      else
+                        {
+                          done = acc.done ++ [ l ];
+                          notFound = acc.notFound;
+                        }
+                    )
+                    {
+                      done = [ ];
+                      notFound = config.languages;
+                    }
+                    languages;
+              in
+              applied.done ++ (map (x: { name = x; } // config.conf) applied.notFound);
+            applyConfs = lspConfs: languages: foldl' applySingleConfig languages lspConfs;
+          in
+          applyConfs
+            [
+              {
+                languages = [
+                  "typescript"
+                  "javascript"
+                  "jsx"
+                  "tsx"
+                ];
+                conf = {
+                  language-servers = [
+                    "typescript-language-server"
+                    "eslint"
+                  ];
+                };
+              }
+              {
+                languages = [
+                  "markdown"
+                  "typst"
+                  "bibtex"
+                  "comment"
+                  "latex"
+                  "html"
+                ];
+                conf = {
+                  language-servers = [
+                    "ltex"
+                  ];
+                };
+              }
+            ]
+            [
+              {
+                name = "__common__";
+                scope = "source.__common__";
+                file-types = [ ];
+                language-servers = [
+                  "ltex"
+                ];
+              }
+              # {
+              #   name = "nix";
+              #   language-servers = [
+              #     "nixd"
+              #   ];
+              #   formatter = {
+              #     command = "nixpkgs-fmt";
+              #   };
+              # }
+              {
+                name = "python";
+                language-servers = [
+                  "pyright"
+                  "ruff"
+                ];
+              }
+              {
+                name = "markdown";
+                language-servers = [
+                  "markdown-oxide"
+                ];
+              }
+              {
+                name = "typst";
+                language-servers = [
+                  "tinymist"
+                ];
+              }
+              {
+                name = "c-sharp";
+                language-servers = [ "csharp" ];
+                formatter = {
+                  command = "dotnet";
+                  args = [ "csharpier" ];
+                };
 
-          }
-        ];
+              }
+            ];
       };
     };
   };

hm-modules/mpv.nix

@@ -14,6 +14,11 @@ in
     programs.mpv = {
       enable = true;
       scripts = with pkgs.mpvScripts; [ mpv-webm sponsorblock ];
+      config = {
+        profile = "gpu-hq";
+        ytdl-format = "bestvideo[width<=1920]+bestaudio";
+        cache-secs = 1200;
+      };
     };
 
   };

instances/ds9/configuration.nix

@@ -1,36 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-{
-  nixpkgs.system = "x86_64-linux";
-  imports = [
-    ./hardware-configuration.nix
-    ./services/attic.nix
-    ./services/immich.nix
-    ./services/jellyfin.nix
-    ./services/paperless.nix
-    ./services/ytdl-sub.nix
-
-  ];
-  time.timeZone = "Europe/Berlin";
-
-  networking.hostId = "7b4c2932";
-  
-  xyno.presets.cli.enable = true;
-  xyno.presets.server.enable = true;
-  xyno.services.wireguard.enable = true;
-  xyno.services.caddy.enable = true;
-  xyno.services.monitoring.enable = true;
-  xyno.services.authentik.enable = true;
-  xyno.presets.home-manager.enable = true;
-  xyno.system.user.enable = true;
-  xyno.networking.networkd = {
-    enable = true;
-  };
-
-
-  system.stateVersion = "24.11";
-}

instances/ds9/default.nix

@@ -1,11 +0,0 @@
-{
-  imports = [ ./configuration.nix ];
-  xyno.services.monitoring.prometheusServer = true;
-  xyno.meta = {
-    sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7";
-  };
-  xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
-  deployment = {
-    targetHost = "ds9.hailsatan.eu";
-  };
-}

instances/ds9/hardware-configuration.nix

@@ -1,59 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports = [ "${modulesPath}/installer/scan/not-detected.nix" ];
-
-  boot.lanzaboote = {
-    enable = true;
-    pkiBundle = "/var/lib/sbctl";
-  };
-  boot.loader.systemd-boot.enable = lib.mkForce false;
-
-
-
-  boot.initrd.availableKernelModules = [ "r8169" "ahci" "vfio-pci" "xhci_pci" "ehci_pci" "nvme" "usbhid" "sd_mod" "sr_mod" ];
-  boot.kernelModules = [ "kvm-amd" ];
-  nix.settings.max-jobs = lib.mkDefault 12;
-  powerManagement.powertop.enable = true;
-  powerManagement.cpuFreqGovernor = "powersave";
-  powerManagement.scsiLinkPolicy = "min_power";
-
-  services.zfs.autoScrub.enable = true;
-
-  services.sanoid.datasets."rpool/content/safe/data/media" = { };
-  services.sanoid.enable = true;
-  services.sanoid.interval = "0/8:00:00";
-
-  swapDevices = [{ device = "/dev/disk/by-id/nvme-eui.000000000000000100a075202c247839-part1"; randomEncryption = true; }];
-  fileSystems."/boot".device = "/dev/disk/by-uuid/149F-23AA";
-
-
-  fileSystems."/" = {
-    device = "spool/safe/persist";
-    fsType = "zfs";
-  };
-  fileSystems."/nix" = {
-    device = "spool/local/nix";
-    fsType = "zfs";
-  };
-  fileSystems."/var/log" = {
-    device = "spool/local/journal";
-    fsType = "zfs";
-  };
-  fileSystems."/data" = {
-    device = "rpool/content/safe/data";
-    fsType = "zfs";
-  };
-  fileSystems."/data/media" = {
-    device = "rpool/content/safe/data/media";
-    fsType = "zfs";
-  };
-  fileSystems."/backups" = {
-    device = "rpool/content/local/backups";
-    fsType = "zfs";
-  };
-
-}

instances/nemesis/configuration.nix

@@ -0,0 +1,121 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+{
+  nixpkgs.system = "x86_64-linux";
+  imports = [
+    ./hardware-configuration.nix
+    # ./services/attic.nix
+    # ./services/immich.nix
+    # ./services/jellyfin.nix
+    # ./services/paperless.nix
+    # ./services/ytdl-sub.nix
+
+  ];
+  time.timeZone = "Europe/Berlin";
+  networking.hostId = "7b4c2932";
+
+  containers.ds9 = {
+    autoStart = true;
+    timeoutStartSec = "10000000min";
+    privateNetwork = true;
+    enableTun = true;
+    additionalCapabilities = [
+      "CAP_NET_ADMIN"
+      "CAP_MKNOD"
+      "CAP_BPF"
+      "CAP_DAC_READ_SEARCH"
+      "CAP_SYS_RESOURCE"
+      "CAP_SYS_ADMIN"
+    ];
+    hostAddress = "192.168.100.10";
+    localAddress = "192.168.100.11";
+    # hostAddress6 = "fc00::1";
+    # localAddress6 = "fc00::2";
+
+    path = inputs.oldConf.nixosConfigurations.ds9.config.system.build.toplevel;
+
+    bindMounts = {
+      "/data" = {
+        hostPath = "/data";
+        isReadOnly = false;
+      };
+      "/backups" = {
+        hostPath = "/backups";
+        isReadOnly = false;
+      };
+      "/persistent" = {
+        hostPath = "/oldds9/persistent";
+        isReadOnly = false;
+      };
+      "/var/lib/containers" = {
+        hostPath = "/oldds9/persistent/var/lib/containers";
+        isReadOnly = false;
+      };
+    };
+  };
+  networking.nat.enable = true;
+  networking.nat.enableIPv6 = true;
+  networking.nat.internalInterfaces = [ "ve-+" ];
+  networking.nat.externalInterface = "enp1s0f1"; # TODO: changeme
+
+  services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router.rule =
+    lib.mkForce "HostRegexp(`^.+\.hailsatan\.eu$`)";
+  # services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router.tls.options = "old";
+  services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router-robotstxt.rule =
+    lib.mkForce "HostRegexp(`^.+\.hailsatan\.eu$`) && Path(`/robots.txt`)";
+  xyno.services.traefik = {
+    enable = true;
+    simpleProxy.oldds9 = {
+      host = "*.hailsatan.eu";
+      internal = "http://192.168.100.11";
+    };
+  };
+
+  users.users.root.password = "hunter2";
+
+  systemd.services."dyndns-refresh" = {
+    script = ''
+      set -eu
+      export PATH=$PATH:${pkgs.curl}/bin:${pkgs.jq}/bin:${pkgs.iproute2}/bin
+      ${pkgs.bash}/bin/bash ${config.sops.secrets.dyndns.path}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+    startAt = "*:0/10";
+  };
+  sops.secrets.dyndns = {
+    sopsFile = ./secrets/dyndns.yaml;
+  };
+
+  xyno.presets.cli.enable = true;
+  xyno.presets.server.enable = true;
+  xyno.impermanence.enable = true;
+  # xyno.services.wireguard.enable = true;
+  # xyno.services.caddy.enable = true;
+  # xyno.services.monitoring.enable = true;
+  # xyno.services.authentik.enable = true;
+  xyno.presets.home-manager.enable = true;
+  xyno.system.user.enable = true;
+  xyno.networking.networkd = {
+    enable = true;
+  };
+  networking.useDHCP = lib.mkForce false;
+  networking.interfaces."enp1s0f1" = {
+    useDHCP = true;
+    tempAddress = "enabled";
+  };
+  systemd.network.networks."40-enp1s0f1" = {
+    networkConfig = {
+      IPv6AcceptRA = true;
+    };
+  };
+
+  system.stateVersion = "25.11";
+}

instances/nemesis/default.nix

@@ -0,0 +1,11 @@
+{
+  imports = [ ./configuration.nix ];
+  # xyno.services.monitoring.prometheusServer = true;
+  xyno.meta = {
+    sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7";
+  };
+  # xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
+  deployment = {
+    targetHost = "10.0.0.2";
+  };
+}

instances/nemesis/hardware-configuration.nix

@@ -0,0 +1,150 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ "${modulesPath}/installer/scan/not-detected.nix" ];
+
+  # boot.lanzaboote = {
+  #   enable = true;
+  #   pkiBundle = "/var/lib/sbctl";
+  # };
+  # boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.systemd-boot.enable = true;
+
+  boot.initrd.availableKernelModules = [
+    "r8169"
+    "ahci"
+    "vfio-pci"
+    "xhci_pci"
+    "ehci_pci"
+    "nvme"
+    "usbhid"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.kernelModules = [ "kvm-amd" ];
+  nix.settings.max-jobs = lib.mkDefault 12;
+  powerManagement.powertop.enable = true;
+  powerManagement.cpuFreqGovernor = "powersave";
+  powerManagement.scsiLinkPolicy = "min_power";
+
+  services.zfs.autoScrub.enable = true;
+
+  services.sanoid.datasets."rpool/content/safe/data/media" = { };
+  services.sanoid.datasets."rpool/content/safe/data" = { };
+  services.sanoid.datasets."spool/nemesis/persistent" = { };
+  services.sanoid.enable = true;
+  services.sanoid.interval = "0/8:00:00";
+
+  # boot.initrd.systemd = {
+  #   enable = true;
+  # };
+  boot.initrd.network = {
+    enable = true;
+    postCommands = ''
+      zpool import rpool
+      zpool import spool
+      echo "zfs load-key -a; killall zfs" >> /root/.profile
+    '';
+    ssh = {
+      enable = true;
+      port = 2222;
+      hostKeys = [
+        "/persistent/initrd/ssh_host_rsa_key"
+        "/persistent/initrd/ssh_host_ed25519_key"
+      ];
+      authorizedKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/oMAi5jyQsNohfhcSH2ItisTpBGB0WtYTVxJYKKqhj" # TODO
+      ];
+
+    };
+
+  };
+
+  # swapDevices = [
+  #   {
+  #     device = "/dev/disk/by-id/nvme-eui.000000000000000100a075202c247839-part1";
+  #     randomEncryption = true;
+  #   }
+  # ];
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/149F-23AA";
+    fsType = "vfat";
+    options = [
+      "noauto"
+      "x-systemd.automount"
+    ];
+  };
+
+  zramSwap.enable = true;
+  zramSwap.writebackDevice = "/dev/zvol/spool/nemesis/zswap";
+
+  fileSystems."/persistent/var/lib/postgres" = {
+    # has things of https://wiki.archlinux.org/title/ZFS#Databases set
+    device = "spool/nemesis/postgres";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+  fileSystems."/persistent" = {
+    device = "spool/nemesis/persistent";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+  fileSystems."/var/log" = lib.mkForce {
+    device = "spool/nemesis/varlog";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+  fileSystems."/nix" = {
+    device = "spool/local/nix";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+
+  fileSystems."/data" = {
+    device = "rpool/content/safe/data";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+  fileSystems."/data/media" = {
+    device = "rpool/content/safe/data/media";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+  fileSystems."/backups" = {
+    device = "rpool/content/local/backups";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+
+  fileSystems."/oldds9/persistent" = {
+    device = "spool/safe/persist";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+  fileSystems."/oldds9/persistent/var/lib/containers" = {
+    device = "spool/safe/containers";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+  fileSystems."/oldds9/varlog" = {
+    device = "spool/local/journal";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "size=8G" ];
+    neededForBoot = true;
+  };
+
+}

instances/nemesis/secrets/dyndns.yaml

@@ -0,0 +1,38 @@
+dyndns: ENC[AES256_GCM,data:yDDTTBimaFcd/MG+eSbYmOHq/Ij0fAoz0zDY+C4bv7ZNn1yAA6C8DE3fXnvAvWhatLLSbRGDxHRRm7JuAHOfGGisN9cXwL+fkB7rZMVZemaL2wrOAQxyzHDEeZnZHRwsVGYhAmTsbUCVLi4CyzjRHGbCLZtZ8b+DzT0644uTi9IQovcLrWun62KMt7yjFS+Wb85XItMrIk4gJRCOhllrAXKY/z0idgv8GCNRDsDsmKL8arfcWzo2+bU/Uqhqt1Md6++jySPNPxwwcORYUudqQM63N0g47jSnmbXJ11XRRq6ZBQJaHhx25YOj2WiDH1382Kn71hnnObWS8HcXI3pwAg51mQ7Wlu+Mlt/3iZjOS1ble4IrQGItLVQUqWjyKSLvTbPfe6P/AuQ9VFGLZ7VGhVUAuyum727bx7jg1oQmqETrkL9BwaW/2FsBCVfKobgBOM6s/XMO07dOrzkO14BxOgM7zcILkz0J3IClXDOnK+Qtqe9d0E4JiSItk1hlL+PI256dGt3J2oHHAZTNOhCn1f3/t1nwkDaPM379LhVHVGhGNFtPkwp1itAQPe/zY6apHCOrcd4sti7QjVssW+ekWjMGqIC0D41aw5oRUhE0pGSwVzVTwrxqc/IiLag8UxjFpBEWO9826I5qD3LQhH+sAfsrcBp9SeRrrt5icNbqLhKDxeB2,iv:Bj9aQZ8X1j5tV+iRPwFQ9NvNaxtlaRn6u60qqzHmWmw=,tag:gDKAPd8FEomSwyiT3yy2iw==,type:str]
+sops:
+    lastmodified: "2025-11-24T15:13:32Z"
+    mac: ENC[AES256_GCM,data:f+3n2Xc7jU+qW+vHk98BTgwLwVHTXzWHMjLwNr3Y3Pp8VIQf8d8iF8QwhDFPWN1uqsxsb/XD48CXbd5AwxuVcgcSM7FIHkjfIn0pHRk0jTAkXTxjWIwg9pqnGAZ5B/fA8XAvcyPpE299gMYzU2soAL11DZtrEVVXJWN2sD5IlL8=,iv:Uykx2R6xO/KW1XP0Nm8GyaoepmdU96AfGQQhLz6BlNQ=,tag:bqe0gZF6WhQg55NhWyNC5A==,type:str]
+    pgp:
+        - created_at: "2025-11-24T13:05:23Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hL4DAAAAAAAAAAASBAMEDMeIdplYrk7VppUFRCTcB7Pv+xnVKSLhhSoN6kqbHXqA
+            YYv8o4AbT9bf1+L9wywA+Eg55tj8aocse/tdRQWTymy4+8grb/sm0oZQT22T51JP
+            mWxhWIX+sliCqHnS/W2tuVLyDzAiJ/Tg19kOc576OH1z6f2HMIM7yvADoKupfqIw
+            rbwo0G8CdZCW1hzutCnC2mD4Op2BxK1b26oZdNA06y+BMHHefyDTl/wXwiNQKWiq
+            0l4BoaYNx2ma5ZTSBk7YNeIXikwM3XtZnUZU+V17EgClNbxhmTRc0h7fmeprjYcW
+            zETvhSIm+JFTR0mdQsrDvTs7kt+PnaYptoM0CHaYCHTq48pyYKL3Gm0NtCAHuFc3
+            =UlnU
+            -----END PGP MESSAGE-----
+          fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
+        - created_at: "2025-11-24T15:13:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQv/SQPw9p1r4Sg9zYTyX1n3n6xJzhr+hEGLwwGhcmJh8mup
+            D9n+aaZU4WK2Huha8Jd1bNqNo3J9UpqQMIaexfd64HoVdDHCxBzfThiMvgwpQ30a
+            kTQqC0DGkLaFM5W8IVOremwjhLzrTBesu8ny8CasQYJ0tZ+QFU51OvxD4q0r9OLT
+            BcCGqDsKZ3HDr7OIi4FsqdZRfxinJ+zteK93uxA+fB8Hkxok2g7Z2A5Nv2cOo54X
+            NJxwsCN4l2Hs8MaVMTC+KGASn87m+Q1xwcVD7ujPmGGjMYb84j2sBn0DP3mNQh7y
+            89jz6HPbq9goF++Sp172bwswmJwZLVCWkgvzQo+szfCqGnq6LTlG9JaVswkkSz7N
+            z9kvF6L2dg7N2XlkLLP9UnxMkNxUrA615LvSn/z9AA7Dp6ay7TCsOeSWrz5m7+PF
+            VVfTp4PN3y7hsZXvWWk1eqsOaThI5GY7N7W6aQlNmvhibjw7FJEF4Iv4FBJsOD23
+            vYv+38yn377hnimtzoVt0lgBFtO8QhedShEvVjROUNjjEE2WB2jpP5/wZVIsrefs
+            tl87MAyLedE/Zs5MByubb0buC2jifQnkxsA1QSvbZB2/NTi/SLSPeCMdFrVkYdcG
+            hP8cp1HkI81F
+            =iDKg
+            -----END PGP MESSAGE-----
+          fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

instances/picard/configuration.nix

@@ -20,7 +20,7 @@
   xyno.presets.server.enable = true;
   xyno.presets.cli.enable = true;
   xyno.services.wireguard.enable = true;
-  xyno.services.caddy.enable = true;
+  # xyno.services.caddy.enable = true;
   xyno.services.monitoring.enable = true;
   xyno.presets.home-manager.enable = true;
   xyno.system.user.enable = true;

instances/theseus/configuration.nix

@@ -12,6 +12,35 @@ let
   '';
 in
 {
+  # containers.podmantest = {
+  #   privateNetwork = true;
+  #   enableTun = true;
+  #   additionalCapabilities = [
+  #     "CAP_NET_ADMIN"
+  #     "CAP_MKNOD"
+  #     "CAP_BPF"
+  #     "CAP_DAC_READ_SEARCH"
+  #     "CAP_SYS_RESOURCE"
+  #     "CAP_SYS_ADMIN"
+  #   ];
+  #   hostAddress = "192.168.100.10";
+  #   localAddress = "192.168.100.11";
+  #   config =
+  #     { ... }:
+  #     {
+  #       virtualisation.oci-containers.containers.test = {
+  #         image = "docker.io/library/nginx";
+  #         ports = [
+  #           "80:80"
+  #           "443:443"
+  #         ];
+  #       };
+  #     };
+  # };
+  # networking.nat.enable = true;
+  # networking.nat.internalInterfaces = [ "ve-+" ];
+  # networking.nat.externalInterface = "enp195s0f4u1u3";
+
   nixpkgs.system = "x86_64-linux";
   imports = [ ./hardware-configuration.nix ];
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@@ -48,7 +77,7 @@ in
     pandoc
     tectonic
     rquickshare
-    supersonic-wayland
+    unstable.supersonic-wayland
     nheko
     anki-bin
     gimp3
@@ -64,14 +93,15 @@ in
 
   time.timeZone = "Europe/Berlin";
 
-
   # orcaslicer
   networking.firewall.allowedTCPPorts = [
     1880
     2021
+    4711
   ];
   networking.firewall.allowedUDPPorts = [
     1880
+    5353
     2021
   ];
 

instances/theseus/hardware-configuration.nix

@@ -16,7 +16,7 @@
     "${inputs.nixos-hardware}/framework/13-inch/7040-amd"
   ];
   hardware.framework.laptop13.audioEnhancement.enable = true;
-  # hardware.framework.laptop13.audioEnhancement.hideRawDevice = false;
+  hardware.framework.laptop13.audioEnhancement.hideRawDevice = false;
   services.fwupd.enable = true;
 
   boot.initrd.availableKernelModules = [

modules/desktop/audio.nix

@@ -229,9 +229,39 @@ in
           ];
         };
       };
+      configPackages = [
+        (pkgs.writeTextDir "share/pipewire/pipewire.conf.d/snapcast-discover.conf" ''
+          context.modules = [
+    {
+        name = libpipewire-module-snapcast-discover
+        args = {
+             snapcast.discover-local = true
+             stream.rules = [
+                 {
+                     matches = [
+                        {
+                            snapcast.ip = "~.*"
+                        }
+                     ]
+                     actions = {
+                         create-stream = {
+                             # node.name = "Snapcast"
+                             # snapcast.stream-name = "default"
+                         }
+                     }
+                 }
+             ]
+        }
+    }
+]
+
+        '')
+
+      ];
       wireplumber.extraConfig."98-bluetooth"."wireplumber.settings"."bluetooth.autoswitch-to-headset-profile" =
         false;
-      wireplumber.configPackages = mapAttrsToList (n: v: eqPkg v) cfg.eq;
+      wireplumber.configPackages = mapAttrsToList (n: v: eqPkg v) cfg.eq ++ [
+      ];
     };
 
   };

modules/desktop/fcitx5.nix

@@ -1,27 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-let
-  cfg = config.xyno.desktop.fcitx5;
-in
-{
-  options.xyno.desktop.fcitx5.enable = lib.mkEnableOption "enable fcitx5 input daemon thing";
-  config = lib.mkIf cfg.enable {
-    i18n.inputMethod = {
-      type = "fcitx5";
-      enable = true;
-      fcitx5.addons = with pkgs; [
-        fcitx5-table-other
-      ];
-      fcitx5.waylandFrontend = true;
-      fcitx5.quickPhrase = {
-        ":pleading:" = "🥺";
-        ":pointing_right:" = "👉";
-        ":pointing_left:" = "👈";
-      };
-    };
-  };
-}

modules/desktop/ibus.nix

@@ -0,0 +1,81 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.xyno.desktop.ibus;
+in
+{
+  options.xyno.desktop.ibus.enable = mkEnableOption "enable ibus input daemon thing";
+  options.xyno.desktop.ibus.wantedBy = mkOption {
+    type = types.str;
+    default = "niri.service";
+  };
+  config = mkIf cfg.enable {
+    services.libinput.enable = true;
+
+    # just... enable ibus as input method and maybe now we have consistent unicode input everywhere
+    # fuck qt tbh
+    i18n.inputMethod = {
+      enable = true;
+      package = pkgs.ibus;
+      # ibus.engines = with pkgs.ibus-engines; [ uniemoji ];
+    };
+    # home-manager.sharedModules = [
+    #   (
+    #     { lib, ... }:
+    #     {
+    #       dconf.settings = {
+    #         "org/gnome/desktop/input-sources" = {
+    #           sources = [
+    #             (lib.hm.gvariant.mkTuple [
+    #               "xkb"
+    #               "us"
+    #             ])
+    #             (lib.hm.gvariant.mkTuple [
+    #               "ibus"
+    #               "libpinyin"
+    #             ])
+    #             (lib.hm.gvariant.mkTuple [
+    #               "ibus"
+    #               "mozc-jp"
+    #             ])
+    #           ];
+    #         };
+    #       };
+    #     }
+    #   )
+    # ];
+
+    systemd.user.services."org.freedesktop.IBus.session.generic".wantedBy = [ cfg.wantedBy ];
+    systemd.packages = [ pkgs.ibus ];
+    # systemd.user.services.ibus =
+    #   let
+    #     ibusPackage = config.i18n.inputMethod.package;
+    #   in
+    #   assert hasPrefix "ibus-with-plugins" ibusPackage.name;
+    #   {
+    #     # panel is weird...
+    #     # default is ${ibusPackage}/libexec/ibus-ui-gtk3 which works but sends a notification that it's misconfigured
+    #     # wayland support can be enabled with --enable-wayland-im but that segfaults (possible due to zwp_input_method_v1 not being available?)
+    #     script = ''
+    #       exec ${ibusPackage}/bin/ibus-daemon --xim --replace --panel '${ibusPackage}/libexec/ibus-ui-gtk3'
+    #     '';
+    #     serviceConfig = {
+    #       Type = "dbus";
+    #       BusName = "org.freedesktop.IBus";
+    #       Restart = "on-abnormal";
+    #     };
+    #     unitConfig = {
+    #       CollectMode = "inactive-or-failed";
+    #     };
+    #     # yeah we hardcoding this now, fuck it
+    #     wantedBy = [ cfg.wantedBy ];
+    #     partOf = [ "graphical-session.target" ];
+    #   };
+
+  };
+}

modules/desktop/niri.nix

@@ -14,6 +14,8 @@ let
     "KeePassXC"
     "org.gnome.NautilusPreviewer"
     "io.github.Qalculate.qalculate-qt"
+    "ibus-ui-emojier"
+    "ibus-ui-gtk3"
   ];
   matchFloat = concatStringsSep "\n" (
     map (x: ''
@@ -52,20 +54,22 @@ in
         value = 1;
       }
     ];
-    home-manager.users.${config.xyno.system.user.name} = mkIf config.xyno.presets.home-manager.enable (
-      { ... }:
-      {
-        xyno.dark-theme.enable = true;
-        # home.file.".config/xdg-desktop-portal-termfilechooser/config".text = ''
-        #   [filechooser]
-        #   cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh
-        #   default_dir=$HOME
-        #   env=TERMCMD=footclient --app-id floating-alacritty
-        #   open_mode = suggested
-        #   save_mode = suggested
-        # '';
-      }
-    );
+    home-manager.sharedModules = [
+      (
+        { ... }:
+        {
+          xyno.dark-theme.enable = true;
+          # home.file.".config/xdg-desktop-portal-termfilechooser/config".text = ''
+          #   [filechooser]
+          #   cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh
+          #   default_dir=$HOME
+          #   env=TERMCMD=footclient --app-id floating-alacritty
+          #   open_mode = suggested
+          #   save_mode = suggested
+          # '';
+        }
+      )
+    ];
 
     xdg.portal = {
       extraPortals = [
@@ -88,7 +92,16 @@ in
     environment.systemPackages = with pkgs; [
       playerctl
       xwayland-satellite
+      nirius
     ];
+    systemd.user.services.niriusd = {
+      unitConfig.PartOf = "graphical-session.target";
+      unitConfig.After = "graphical-session.target";
+      unitConfig.Requisite = "graphical-session.target";
+      serviceConfig.Restart = "on-failure";
+      wantedBy = [ "niri.service" ];
+      script = "exec ${pkgs.nirius}/bin/niriusd";
+    };
     programs.niri.enable = true;
     environment.etc."niri/config.kdl".mode = "444"; # copy file so niri detects changes
     environment.etc."niri/config.kdl".text = ''
@@ -105,11 +118,15 @@ in
         Mod+T { spawn "${cfg.term}" "tmux" "new-session" "-t" "main"; }
         Mod+Shift+T { spawn "${cfg.term}"; }
         Mod+Y { spawn "${cfg.term}" "--app-id" "floating-alacritty" "-W" "120x37" "yazi"; }
+        Mod+Shift+M { spawn "sh" "-c" "notify-send -t 3000 -a umpv umpv-paste $(wl-paste); umpv $(wl-paste)"; }
         Mod+P { spawn "keepassxc"; }
         Mod+S { spawn "qalculate-qt"; }
         Mod+Shift+N { spawn "makoctl" "dismiss" "-a"; }
         Mod+N { spawn "makoctl" "dismiss"; }
         Mod+E { spawn "makoctl" "menu" "fuzzel -d"; }
+        Mod+G { spawn "nirius" "toggle-follow-mode"; }
+        Mod+Shift+bracketleft { spawn "nirius" "scratchpad-show"; }
+        Mod+Shift+bracketright { spawn "nirius" "scratchpad-toggle"; }
         XF86AudioRaiseVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.03+"; }
         XF86AudioLowerVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.03-"; }
         XF86AudioMute        allow-when-locked=true { spawn "wpctl" "set-mute" "@DEFAULT_AUDIO_SINK@" "toggle"; }

modules/desktop/waybar/cal.nix

@@ -24,13 +24,14 @@ let
           UNTIL="1d"
 
           EVENT="$(
-            khal list "$SINCE" "$UNTIL" \
+            (khal list "$SINCE" "$UNTIL" \
               --day-format 'SKIPME' \
               --format "{start-end-time-style} {title:.31}{repeat-symbol}" |
               grep -v SKIPME |  # filter out headers
               grep -v -P '↦|↔ |⇥' |  # filter out continuing all day events
               grep -v '^ ' |  # exclude full-day events
               head -n 1  # show just the first
+              ) || echo ""
           )"
 
           if [ -z "$EVENT" ]; then

modules/module-list.nix

@@ -5,9 +5,9 @@
   ./desktop/audio.nix
   ./desktop/common-programs.nix
   ./desktop/easyeffects.nix
-  ./desktop/fcitx5.nix
   ./desktop/foot.nix
   ./desktop/fuzzel.nix
+  ./desktop/ibus.nix
   ./desktop/mako.nix
   ./desktop/niri.nix
   ./desktop/shikane.nix
@@ -21,17 +21,18 @@
   ./presets/common.nix
   ./presets/development.nix
   ./presets/gui.nix
-  ./presets/server.nix
   ./presets/home-manager.nix
-  ./services/authentik
-  ./services/caddy
+  ./presets/server.nix
+  # ./services/authentik
+  # ./services/caddy
+  ./services/traefik.nix
   ./services/monitoring.nix
   ./services/wireguard.nix
   ./system/impermanence.nix
   ./system/meta.nix
   ./system/user.nix
+  ./to-upstream/fido2-hid-bridge.nix
   ./user-services/khal.nix
   ./user-services/syncthing.nix
-  ./to-upstream/fido2-hid-bridge.nix
 ]
 

modules/presets/cli.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -44,6 +45,11 @@ in
       LC_COLLATE = "de_DE.UTF-8";
     };
 
+    nix.channel.enable = false;
+    nix.nixPath = [
+      "nixpkgs=${inputs.nixpkgs}"
+      "nixpkgs-master=${inputs.nixpkgs-master}"
+    ];
     nix.settings = {
       substituters = [
         # "https://cache.lix.systems"
@@ -55,6 +61,7 @@ in
         # "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
         # "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
       ];
+      
       trusted-users = lib.mkDefault [
         "root"
         "@wheel"
@@ -130,7 +137,7 @@ in
       imagemagick
       jq
       lm_sensors
-      moar
+      moor
       neofetch
       nix-output-monitor
       poppler
@@ -145,7 +152,7 @@ in
     programs.mosh.enable = true;
     environment.variables.EDITOR = "hx";
     environment.variables.VISUAL = "hx";
-    environment.variables.PAGER = "moar";
+    environment.variables.PAGER = "moor";
 
     environment.shellAliases = {
       l = "ls -alh";
@@ -161,7 +168,7 @@ in
       p = "cd ~/proj";
       ytl = ''yt-dlp -f "bv*+mergeall[vcodec=none]" --audio-multistreams'';
       sudo = "run0";
-      less = "moar";
+      less = "moor";
     };
   };
 }

modules/presets/gui.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  inputs,
   lib,
   ...
 }:
@@ -21,6 +22,7 @@ in
       pkgs.yubikey-personalization
     ];
     xyno.desktop.niri.enable = true;
+    xyno.desktop.ibus.enable = true;
     xyno.desktop.audio.enable = mkDefault true;
     xyno.user-services.khal.enable = true;
     boot.kernelPackages = mkDefault pkgs.linuxPackages_zen;
@@ -40,9 +42,60 @@ in
 
     qt = {
       enable = true;
-      style = "breeze";
-      # platformTheme = "gnome";
+      platformTheme = "qt5ct";
     };
+    home-manager.sharedModules =
+      let
+        gruvboxDarkColors = pkgs.writeText "gruvbox-dark.conf" ''
+          [ColorScheme]
+          active_colors=#ffebdbb2, #ff1d2021, #ffbdae93, #ffa89984, #ff3c3836, #ff504945, #ffebdbb2, #ffebdbb2, #ffebdbb2, #ff282828, #ff1d2021, #ff504945, #ff458588, #ff282828, #ff458588, #ffcc241d, #ff282828, #ffebdbb2, #ff1d2021, #ffebdbb2, #ffbdae93
+          disabled_colors=#ffbdae93, #ff1d2021, #ffbdae93, #ffa89984, #ff3c3836, #ff504945, #ffbdae93, #ffbdae93, #ffbdae93, #ff282828, #ff1d2021, #ff504945, #ff438184, #ff3c3836, #ff458588, #ffcc241d, #ff282828, #ffebdbb2, #ff1d2021, #ffebdbb2, #ffbdae93
+          inactive_colors=#ffebdbb2, #ff1d2021, #ffbdae93, #ffa89984, #ff3c3836, #ff504945, #ffebdbb2, #ffebdbb2, #ffebdbb2, #ff282828, #ff1d2021, #ff504945, #ff438184, #ffa89984, #ff458588, #ffcc241d, #ff282828, #ffebdbb2, #ff1d2021, #ffebdbb2, #ffbdae93
+        '';
+        qt5ctConf = pkgs.writeText "qt5ct.conf" ''
+          [Appearance]
+          color_scheme_path=${gruvboxDarkColors}
+          custom_palette=true
+          icon_theme=breeze-dark
+          standard_dialogs=xdgdesktopportal
+          style=Breeze
+
+          [Fonts]
+          fixed="Source Sans 3,12,-1,5,50,0,0,0,0,0"
+          general="Source Sans 3,12,-1,5,50,0,0,0,0,0"
+        '';
+      in
+      [
+        {
+          home.file.".config/qt5ct/qt5ct.conf".source = qt5ctConf;
+          home.file.".config/qt6ct/qt6ct.conf".source = qt5ctConf;
+          dconf = {
+            settings = {
+              "org/gnome/desktop/interface" = {
+                color-scheme = "prefer-dark";
+                gtk-theme = "adw-gtk3-dark";
+              };
+            };
+          };
+          gtk = {
+            enable = true;
+            iconTheme.name = "breeze-dark";
+            gtk4.extraConfig.gtk-application-prefer-dark-theme = 1;
+            gtk3.extraConfig.gtk-application-prefer-dark-theme = 1;
+            gtk3.theme.package = pkgs.adw-gtk3;
+            gtk3.theme.name = "adw-gtk3-dark";
+
+            gtk3.extraCss = ''
+              @import url("${inputs.adw-colors}/themes/adw-gruvbox/gtk3-dark.css");
+            '';
+            gtk4.extraCss = ''
+              @import url("${inputs.adw-colors}/themes/adw-gruvbox/gtk4-dark.css");
+            '';
+
+          };
+
+        }
+      ];
 
     programs.yazi = {
       settings.keymap.mgr.prepend_keymap = [
@@ -70,11 +123,34 @@ in
     # enable the gnome shit
     services.gnome.gnome-keyring.enable = true;
     services.gnome.gnome-online-accounts.enable = true;
-    services.gnome.core-apps.enable = true;
+    environment.systemPackages = with pkgs; [
+      gnome-calendar
+      gnome-clocks
+      gnome-font-viewer
+      mate.engrampa
+      papirus-folders
+      kdePackages.gwenview
+      kdePackages.skanlite
+      kdePackages.okular
+      kdePackages.breeze-gtk
+      kdePackages.breeze.qt5
+      kdePackages.breeze
+      kdePackages.breeze-icons
+      nautilus # for xdg portal
+    ];
     services.gnome.gcr-ssh-agent.enable = mkForce false;
-    services.gnome.sushi.enable = true;
+    # services.gnome.sushi.enable = true;
     services.gnome.gnome-settings-daemon.enable = true;
-    services.gvfs.enable = true;
+
+    programs.thunar = {
+      enable = true;
+      plugins = with pkgs.xfce; [
+        thunar-archive-plugin
+        thunar-volman
+      ];
+    };
+    services.tumbler.enable = true; # thunar image preview
+    services.gvfs.enable = true; # thunar network device mount
 
     xdg.terminal-exec = {
       enable = true;
@@ -88,35 +164,28 @@ in
       { pkgs, ... }:
       {
         xyno.mpv.enable = true;
-    #     xdg.mimeApps = {
-    #       enable = true;
-    #       defaultApplications = {
-    #         "x-scheme-handler/mailto" = [ "aerc.desktop" ];
-    #         "inode/directory" = [ "org.gnome.Nautilus.desktop" ];
-    #         "application/x-gnome-saved-search" = [ "org.gnome.Nautilus.desktop" ];
-    #         "x-scheme-handler/http" = "userapp-Zen-D2P132.desktop";
-    #         "x-scheme-handler/https" = "userapp-Zen-D2P132.desktop";
-    #         "x-scheme-handler/chrome" = "userapp-Zen-D2P132.desktop";
-    #         "text/html" = "userapp-Zen-D2P132.desktop";
-    #         "application/x-extension-htm" = "userapp-Zen-D2P132.desktop";
-    #         "application/x-extension-html" = "userapp-Zen-D2P132.desktop";
-    #         "application/x-extension-shtml" = "userapp-Zen-D2P132.desktop";
-    #         "application/xhtml+xml" = "userapp-Zen-D2P132.desktop";
-    #         "application/x-extension-xhtml" = "userapp-Zen-D2P132.desktop";
-    #         "application/x-extension-xht" = "userapp-Zen-D2P132.desktop";
-    #         "application/pdf" = "org.gnome.Evince.desktop";
+        #     xdg.mimeApps = {
+        #       enable = true;
+        #       defaultApplications = {
+        #         "x-scheme-handler/mailto" = [ "aerc.desktop" ];
+        #         "inode/directory" = [ "org.gnome.Nautilus.desktop" ];
+        #         "application/x-gnome-saved-search" = [ "org.gnome.Nautilus.desktop" ];
+        #         "x-scheme-handler/http" = "userapp-Zen-D2P132.desktop";
+        #         "x-scheme-handler/https" = "userapp-Zen-D2P132.desktop";
+        #         "x-scheme-handler/chrome" = "userapp-Zen-D2P132.desktop";
+        #         "text/html" = "userapp-Zen-D2P132.desktop";
+        #         "application/x-extension-htm" = "userapp-Zen-D2P132.desktop";
+        #         "application/x-extension-html" = "userapp-Zen-D2P132.desktop";
+        #         "application/x-extension-shtml" = "userapp-Zen-D2P132.desktop";
+        #         "application/xhtml+xml" = "userapp-Zen-D2P132.desktop";
+        #         "application/x-extension-xhtml" = "userapp-Zen-D2P132.desktop";
+        #         "application/x-extension-xht" = "userapp-Zen-D2P132.desktop";
+        #         "application/pdf" = "org.gnome.Evince.desktop";
 
-    #       };
-    #     };
+        #       };
+        #     };
       };
 
-    environment.systemPackages = with pkgs; [
-      kdePackages.breeze-gtk
-      kdePackages.breeze.qt5
-      kdePackages.breeze
-      kdePackages.breeze-icons
-    ];
-
     # fonts
     fonts.fontconfig.defaultFonts = {
       sansSerif = [

modules/services/caddy/default.nix

@@ -7,71 +7,16 @@
 with lib;
 let
   cfg = config.xyno.services.caddy;
-  wildcardMatcherStr = wildcard: hostName: content: ''
-    @${hostName} host ${hostName}.${wildcard}
-    handle @${hostName} {
-      ${content.extraConfig}
-    }
-
-  '';
-  genOneWildcard = wildcard: host: {
-    extraConfig = ''
-      # extra pre
-      ${host.extraConfigPre}
-      # block bots
-      ${optionalString host.blockBots "import blockBots"}
-      # hosts handler
-      ${concatStrings (mapAttrsToList (n: v: wildcardMatcherStr wildcard n v) host.hosts)}
-      # extra post
-      ${host.extraConfigPost}
-      abort
-    '';
+  schema = import ./json-schema.nix {
+    inherit pkgs lib;
+    schema = builtins.fromJSON (builtins.readFile ./caddy_schema.json);
   };
-  genVHostsFromWildcard = mapAttrs' (
-    n: v: nameValuePair "*.${n}" (genOneWildcard n v)
-  ) cfg.wildcardHosts;
-  schema = import ./json-schema.nix { inherit pkgs lib; schema = builtins.fromJSON (builtins.readFile ./caddy_schema.json); };
 in
 {
   options.xyno.services.caddy.enable = mkEnableOption "enables caddy with the desec plugin";
   options.xyno.services.caddy.config = mkOption {
-    default = {};
-    type = schema.type;
-  }; 
-  options.xyno.services.caddy.wildcardHosts = mkOption {
-    example = {
-      "hailsatan.eu" = {
-        blockBots = true;
-        hosts.md.extraConfig = ''reverse_proxy ...'';
-      };
-    };
     default = { };
-    type =
-      with types;
-      attrsOf (submodule {
-        options = {
-          blockBots = mkOption {
-            type = bool;
-            default = false;
-          };
-          extraConfigPre = mkOption {
-            type = str;
-            default = "";
-          };
-          extraConfigPost = mkOption {
-            type = str;
-            default = "";
-          };
-          hosts = mkOption {
-            default = {};
-            type = attrsOf (submodule {
-              options = {
-                extraConfig = mkOption { type = lines; };
-              };
-            });
-          };
-        };
-      });
+    type = schema.type;
   };
   config = lib.mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = [
@@ -79,34 +24,32 @@ in
       443
     ];
     networking.firewall.allowedUDPPorts = [ 443 ];
+    xyno.services.caddy.config = {
+      apps = {
+        http.metrics.per_host = true;
+        tls.automation.policies = [
+          {
+            issuers = [
+              {
+                ca = "https://acme-v02.api.letsencrypt.org/directory";
+                challenges.dns.provider = {
+                  name = "desec";
+                  token.path = ""; # TODO
+
+                };
+              }
+            ];
+            module = "acme";
+          }
+        ];
+      };
+    };
+
     services.caddy = {
       enable = true;
       package = pkgs.caddy-desec;
       adapter = "json";
       configFile = json.generate "caddy-config.json" cfg.config;
-      # virtualHosts = genVHostsFromWildcard;
-      # email = mkDefault "ssl@xyno.systems";
-      # acmeCA = mkDefault "https://acme-v02.api.letsencrypt.org/directory";
-      # globalConfig = ''
-      #   metrics {
-      #     per_host
-      #   }
-      # '';
-      # extraConfig = ''
-      #   (blockBots) {
-      #     @botForbidden header_regexp User-Agent "(?i)AdsBot-Google|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|AwarioRssBot|AwarioSmartBot|Bytespider|CCBot|ChatGPT|ChatGPT-User|Claude-Web|ClaudeBot|cohere-ai|DataForSeoBot|Diffbot|FacebookBot|Google-Extended|GPTBot|ImagesiftBot|magpie-crawler|omgili|Omgilibot|peer39_crawler|PerplexityBot|YouBot"
-
-      #     handle @botForbidden   {
-      #       redir https://hil-speed.hetzner.com/10GB.bin
-      #     }
-      #     handle /robots.txt {
-      #       respond <<TXT
-      #       User-Agent: *
-      #       Disallow: /
-      #       TXT 200
-      #     }
-      #   }
-      # '';
     };
     xyno.services.monitoring.exporters.caddy = 2019;
 

modules/services/caddy/json-schema.nix

@@ -36,6 +36,11 @@ let
     in
     result;
   deref = x: if x ? "$ref" then getRef x."$ref" else x;
+  fileSubmod = types.submodule {
+    options.path = mkOption {
+      type = types.pathWith { inStore = false; absolute = true; };
+    };
+  };
   buildOptionType =
     {
       spec,
@@ -43,7 +48,8 @@ let
       ...
     }:
     let
-      strType = if spec ? enum then types.enum spec.enum else types.str;
+      
+      strType = if spec ? enum then types.enum spec.enum else (types.either types.str fileSubmod);
       objType = types.submodule {
         freeformType = json.type;
         options = submoduleOptions { inherit spec depth; };

modules/services/kanidm.nix

@@ -0,0 +1,88 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf mkOption;
+  inherit (lib.types) str nullOr pathWith;
+  absPath = pathWith {
+    inStore = false;
+    absolute = true;
+  };
+  cfg = config.xyno.services.kanidm;
+in
+{
+  options.xyno.services.kanidm.enable = mkEnableOption "enables kanidm";
+  options.xyno.services.kanidm.domain = mkOption {
+    default = "idm.xyno.systems";
+    type = str;
+  };
+  options.xyno.services.kanidm.isReplica = mkEnableOption "replica";
+  options.xyno.services.kanidm.setupTraefik = mkEnableOption "traefik";
+
+  options.xyno.services.kanidm.tls = {
+    keyPem = mkOption {
+      type = nullOr absPath;
+      default = null;
+      description = "autogenerated if unset";
+    };
+    certPem = mkOption {
+      default = "/run/generated/kanidm-tls/cert.pem";
+      type = absPath;
+    };
+  };
+  config = mkIf cfg.enable {
+    services.kanidm = {
+      enableServer = true;
+      enableClient = true;
+      adminPasswordFile = config.sops.secrets."kanidm.password".path;
+      provision = {
+        adminPasswordFile = config.sops.secrets."kanidm.password".path;
+      };
+      serverSettings = {
+        tls_key = if cfg.tls.keyPem != null then cfg.tls.keyPem else "/run/generated/key.pem";
+        tls_chain = cfg.tls.certPem;
+        bindaddress = "127.0.0.3:8443";
+      };
+    };
+    xyno.services.traefik.simpleProxy = mkIf cfg.setupTraefik {
+      host = cfg.domain;
+      internal = "https://127.0.0.3:8443";
+      transport = "kanidm-https";
+    };
+    services.traefik.dynamicConfigOptions.http = mkIf cfg.setupTraefik {
+      serversTransports."kanidm-https" = {
+        serverName = cfg.domain;
+        certificates = [
+          cfg.certPem
+        ];
+      };
+    };
+
+    systemd.services.generate-kanidm-tls = mkIf (cfg.tls.keyPem == null) {
+      serviceConfig = {
+        User = "root";
+        Group = "kanidm";
+      };
+      wantedBy = [
+        "kanidm.service"
+        "traefik.service"
+      ];
+      script = ''
+        mkdir -p /run/generated/kanidm-tls
+        ${pkgs.openssl}/bin/openssl req -x509 -newkey ed25519 -noenc -subj "/CN=generated.${cfg.domain}" -addext "subjectAltName=DNS:${cfg.domain}" -keyout /run/generated/key.pem -out /run/generated/cert.pem
+      '';
+    };
+    sops.secrets."kanidm.password" = {
+      sopsFile = ../../instances/${config.networking.hostName}/secrets/kanidm.yaml;
+    };
+    # sops.templates."kanidm.env".content = ''
+    #   DESEC_TOKEN=${config.sops.placeholder.desec_token}
+    #   DESEC_PROPAGATION_TIMEOUT=1200
+    # '';
+    # sops.templates."kanidm.env".reloadUnits = [ "kanidm.service" ];
+
+  };
+}

modules/services/monitoring.nix

@@ -9,17 +9,21 @@ with lib;
 let
   cfg = config.xyno.services.monitoring;
 
-  firstInstanceWithPromServer = if cfg.prometheusServer then config.networking.hostName else (builtins.head (
-    attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes))
-  )).config.networking.hostName;
-  vmBasicAuthUsername = "xyno-monitoring";
+  # firstInstanceWithPromServer =
+  #   if cfg.prometheusServer then
+  #     config.networking.hostName
+  #   else
+  #     (builtins.head (
+  #       attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes))
+  #     )).config.networking.hostName;
+  # vmBasicAuthUsername = "xyno-monitoring";
 in
 {
   options.xyno.services.monitoring.enable =
     mkEnableOption "enables monitoring (prometheus exporters and stuff)";
   options.xyno.services.monitoring.remoteWriteUrl = mkOption {
     type = types.str;
-    default = "http://${firstInstanceWithPromServer}.${config.xyno.services.wireguard.monHostsDomain}:8428/api/v1/write";
+    default = "https://metrics.xyno.systems/api/v1/write";
     description = "where prometheus metrics should be pushed to";
   };
   options.xyno.services.monitoring.prometheusServer = mkOption {
@@ -44,8 +48,9 @@ in
         enabledCollectors = [ "systemd" ];
       };
       xyno.services.monitoring.exporters.node = config.services.prometheus.exporters.node.port;
+      # TODO: oauth2 with client per host -> kanidm -> oauth2-proxy -> victoriametrics server
       services.vmagent = {
-        remoteWrite.url = cfg.remoteWriteUrl;
+        remoteWrite.url = if cfg.prometheusServer then "http://localhost:8428/api/v1/write" else cfg.remoteWriteUrl;
         remoteWrite.basicAuthUsername = vmBasicAuthUsername;
         remoteWrite.basicAuthPasswordFile = config.sops.secrets."victoriametrics/basicAuthPassword".path;
 
@@ -84,7 +89,9 @@ in
         ];
       };
 
-      services.grafana.declarativePlugins = with pkgs.grafanaPlugins; [ victoriametrics-metrics-datasource ];
+      services.grafana.declarativePlugins = with pkgs.grafanaPlugins; [
+        victoriametrics-metrics-datasource
+      ];
 
     })
   ];

modules/services/traefik.nix

@@ -0,0 +1,197 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.xyno.services.traefik;
+  simpleProxyOpts = lib.mapAttrsToList (
+    n: v:
+    let
+      router = "simpleproxy-${n}-router";
+      service = "simpleproxy-${n}-service";
+      spl = lib.splitString "." v.host;
+      certDomain =
+        if (builtins.length spl) > 2 then lib.concatStringsSep "." (builtins.tail spl) else spl;
+    in
+    {
+      routers."${router}-robotstxt" = {
+        service = "robotstxt";
+        rule = "Host(`${v.host}`) && Path(`/robots.txt`)";
+        tls.certResolver = "letsencrypt";
+        tls.domains = [
+          {
+            main = certDomain;
+            sans = [ "*.${certDomain}" ];
+          }
+        ];
+
+      };
+      routers.${router} = {
+        inherit service;
+        rule = "Host(`${v.host}`)";
+        tls.certResolver = "letsencrypt";
+        tls.domains = [
+          {
+            main = certDomain;
+            sans = [ "*.${certDomain}" ];
+          }
+        ];
+      };
+      services.${service} = {
+        loadBalancer.servers = [
+          { url = v.internal; }
+        ];
+        loadBalancer.serverTransport = lib.mkIf (v.transport != null) v.transport;
+      };
+      services.robotstxt = {
+        loadBalancer.servers = [
+          { url = "http://127.0.0.2:8080"; }
+        ];
+      };
+    }
+  ) cfg.simpleProxy;
+in
+{
+  options.xyno.services.traefik.enable = lib.mkEnableOption "enables traefik";
+  options.xyno.services.traefik.noBots = lib.mkOption {
+    type = lib.types.bool;
+    default = true;
+  };
+  options.xyno.services.traefik.simpleProxy = lib.mkOption {
+    example = {
+      "example" = {
+        host = "example.org";
+        middlewares = [ "meow" ];
+        internal = "http://127.0.0.1:8080";
+      };
+    };
+    default = { };
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        options = {
+          middlewares = lib.mkOption {
+            type = lib.types.nullOr (lib.types.listOf lib.types.str);
+          };
+          internal = lib.mkOption {
+            type = lib.types.str;
+          };
+          host = lib.mkOption {
+            type = lib.types.str;
+          };
+          transport = lib.mkOption {
+            type = lib.types.nullOr lib.types.anything;
+            default = null;
+          };
+
+        };
+      }
+    );
+
+  };
+  config = lib.mkIf cfg.enable {
+    services.nginx = {
+      enable = lib.mkIf cfg.noBots true;
+      defaultListen = lib.mkIf cfg.noBots [
+        {
+          addr = "127.0.0.2";
+          port = 8080;
+        }
+      ];
+      virtualHosts._.default =  true;
+      virtualHosts._.locations."/".root = pkgs.writeTextFile {
+        name = "robots.txt";
+        destination = "/robots.txt";
+        text = ''
+          User-agent: *
+          Disallow: /
+        '';
+      };
+    };
+    services.traefik = {
+      enable = true;
+      environmentFiles = [
+        config.sops.templates."traefik.env".path
+      ];
+      staticConfigOptions = {
+        metrics = lib.mkIf config.xyno.services.monitoring.enable {
+          otlp.http.endpoint = "http://localhost:8429/v1/metrics";
+        };
+        entryponits.web = {
+          address = ":80";
+          redirections.entryPoint = {
+            to = "websecure";
+            scheme = "https";
+            permanent = true;
+          };
+        };
+        entrypoints.websecure = {
+          address = ":443";
+          http.tls.certResolver = "letsencrypt";
+          http3 = { };
+
+        };
+        log.level = "INFO";
+        certificatesResolvers.letsencrypt.acme = {
+          email = "ssl@xyno.systems";
+          caServer = "https://acme-v02.api.letsencrypt.org/directory";
+          dnsChallenge = {
+            resolvers = [ "8.8.8.8" "1.1.1.1" ];
+            provider = "desec";
+          };
+        };
+      };
+      dynamicConfigOptions = {
+        http = lib.mkMerge simpleProxyOpts;
+        # tls.options.default = {
+        #   # mozilla modern
+        #   minVersion = "VersionTLS13";
+        #   curvePreferences = [
+        #     "X25519"
+        #     "CurveP256"
+        #     "CurveP384"
+        #   ];
+        # };
+        # tls.options.old = {
+        #   # mozilla intermediate
+        #   minVersion = "VersionTLS12";
+        #   curvePreferences = [
+        #     "X25519"
+        #     "CurveP256"
+        #     "CurveP384"
+        #   ];
+        #   cipherSuites = [
+        #     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        #     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+        #     "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+        #     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+        #     "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+        #     "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+        #   ];
+
+        # };
+      };
+    };
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+    networking.firewall.allowedUDPPorts = [ 443 ];
+    xyno.impermanence.directories = [ config.services.traefik.dataDir ];
+    sops.secrets."desec_token" = {
+    };
+    sops.templates."traefik.env".content = ''
+      DESEC_TOKEN=${config.sops.placeholder.desec_token}
+      DESEC_PROPAGATION_TIMEOUT=1200
+      LEGO_DISABLE_CNAME_SUPPORT=true
+    '';
+    sops.templates."traefik.env".reloadUnits = [ "traefik.service" ];
+    # services.borgmatic.settings.traefikql_databases = [
+    #   {
+    #     name = "all"; # gets run as root anyways so can log in
+    #   }
+    # ];
+
+  };
+}

modules/system/impermanence.nix

@@ -21,24 +21,25 @@ in
 {
   options.xyno.impermanence = {
     enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)";
-    files = lib.mkOption { type = lib.types.listOf lib.types.str; };
-    directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+    files = lib.mkOption { type = lib.types.listOf lib.types.str; default = []; };
+    directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];};
     user = {
-      files = lib.mkOption { type = lib.types.listOf lib.types.str; };
-      directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];};
+      directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];};
     };
     # have a seperate impermanence tree for "cache" files that can just be deleted if wanted
     cache = {
-      files = lib.mkOption { type = lib.types.listOf lib.types.str; };
-      directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];};
+      directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];};
       user = {
-        files = lib.mkOption { type = lib.types.listOf lib.types.str; };
-        directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+        files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];};
+        directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];};
       };
 
     };
   };
   config = lib.mkIf cfg.enable {
+    users.mutableUsers = false;
     xyno.impermanence.files = [
       "/etc/machine-id" # systemd/zfs unhappy otherwise
     ];
@@ -47,6 +48,7 @@ in
       "/var/lib/systemd/coredump"
       "/etc/ssh" # host keys
       "/var/lib/sbctl" # lanzaboote
+      "/var/lib/nixos"
 
     ];
     xyno.impermanence.user.directories = [

modules/system/meta.nix

@@ -1,6 +1,6 @@
 {lib,...}: with lib;{
   options.xyno.meta = {
-    sopsKey = mkOption { type = types.text; };
+    sopsKey = mkOption { type = types.str; };
   };
   config = {
     sops.defaultSopsFile = ../../secrets/common.yaml;

overlays/default.nix

@@ -28,15 +28,5 @@ inputs: self: super: {
   python-uhid = super.callPackage ../packages/uhid.nix {};
   caddy-desec = super.callPackage ../packages/caddy-desec.nix {};
 
-  # todo: remove on next supersonic release
-  supersonic-wayland = super.supersonic-wayland.overrideAttrs (old: {
-    patches = (if old?patches then old.patches else []) ++ [
-      (self.fetchpatch2 {
-        url = "https://github.com/dweymouth/supersonic/commit/ee742cf34ef7225d345c16354d9c21d72a41bf4a.patch";
-        hash = "sha256-kSeEbzrfJ4Pe8JC4rIWlSmADOcjrCRBNWlcO8VfVnn4=";
-      })
-    ];
-    vendorHash = "sha256-Sh3PxRwb6ElSeWzdvIQ+nD9VVGlpUDwxG7nAoGWPTRQ=";
-  });
 
 }

secrets/common.yaml

@@ -1,17 +1,18 @@
 victoriametrics:
     basicAuthPassword: ENC[AES256_GCM,data:5QuhkQ344qDYzhGZBJimaX94C6oxgYBRZw4MSlycdgs6zRAudMIu/HF1gpjythQpait81jMpFhIn57w433s7QQ==,iv:gytJ63cBaJseCis7gEPmOX6LeddNloQsTjc1SnS56jo=,tag:Jn6TevGsBEeHxYmVHy896w==,type:str]
+desec_token: ENC[AES256_GCM,data:3aqlfpAEMyOSNGdLXm4lc0VZajduPkTYkYd+WA==,iv:sktNkKWaD/hjsQpSJzAZeCvwYXfvkhQ2A44BKedCZRg=,tag:XbxIr09c60V0PMDitSOD/w==,type:str]
 wg:
     psk: ENC[AES256_GCM,data:Anpe6IxtzsqZyvas+ddV3yjJozdZgZOl2KG/Z4YtWUB5gAVLtxsQKc/WA/M=,iv:j/A5k2VXbdqUDXEd1WRfJYdb3DsUZ1B9gPHCpDpRjmw=,tag:KQGi1O5iP2+nQccgBzytSQ==,type:str]
 msmtp:
     host: ENC[AES256_GCM,data:YxiLT5t2H52IZvB02Pjntvg=,iv:nuMPI6fuvQ4U0+xj3SF27ZO/b2knKUsO6jCf9aJqQa4=,tag:9DucIq+LUozuPLL3s8UjDQ==,type:str]
-    port: ENC[AES256_GCM,data:zbe7,iv:cwoK0oCIzwmQ6xHFX94KDfd7Fu+pC96c9+AnK/KpQp4=,tag:IfsCHk0SpBeQ4bD0WXyQcw==,type:int]
+    port: ENC[AES256_GCM,data:W7L1,iv:q2TQTGTxOWCWqgjTBmVKarVbe+mNd/rwAupXJOl4WYQ=,tag:xW/GUGCIfn466icpIvyvCQ==,type:str]
     from: ENC[AES256_GCM,data:QpUgsghc7e5OFJO8afzx6bt1,iv:ffrlbqFu2p5/uwv5MN9rf7iZSmfozYSwr3WkEvXNZhA=,tag:B3g+6WexBw6j6EgukX5LDg==,type:str]
     user: ENC[AES256_GCM,data:H2OxJp6q1QCxBxIXThXrj+SU,iv:Cu7KFDaiqM0cuofnqkLnE6Zb6ufLw6wQRSk1pthDAAo=,tag:oM1VefUo9kK8k7lHKnxOjA==,type:str]
     password: ENC[AES256_GCM,data:mAgsvDPzt8f/RB/2T8nrd+KUcuxUGIdCBDs5sFla5x0=,iv:qndiiKTuSpbf/gtNXPaZ6AnHHwzZ7IPJrDFriM7bKwE=,tag:5j+gjpaxIu03x1lBkRMLhQ==,type:str]
     aliases: ENC[AES256_GCM,data:fOZRYZ8rVs3IXhiS+VaP54gF4bir66oIZvb7ZfKV,iv:bsmh1ZCwERZuHrvORP68hj5Gz7j3+K6ZW8BR3/IQVQg=,tag:jWozmXpjk3JHCINSgP4KGg==,type:str]
 sops:
-    lastmodified: "2025-09-06T16:50:17Z"
-    mac: ENC[AES256_GCM,data:QdWLok9IBqTaO3StKRiAXcMIZSV5YJQoYY+3cZZ7xARbmvn5cDqnapv3HIJju7v5V48tNG3aXy1nJHG4kKVuDIMd7s7PPjLL1k0dEsnTs4YwE8XugZX86nXuSUZeUuQNfnR9sFOKho/o/I9W5hCp0IcEgo+Bs1dD3IvYxuv6Nzk=,iv:IHEDtI6lo76qPgBvBETg/SiT/tfFivN8r8J7tt93IbQ=,tag:ifW8UVaf5r8Y9HUUtCkAQQ==,type:str]
+    lastmodified: "2025-11-24T11:48:22Z"
+    mac: ENC[AES256_GCM,data:wA4AwEX67amH4UneZqV03PnaLUscUnj4VAmOqzjOTA9dKAV3KzFwD4NqRs2Dy8ap6kOOIS67gZ+3WV8QySyLT84zhEPSjB6M1FURV+LQjd4nc5EBP4Y67osy/QGB4U0d6shHt1sTFmHG2dJvTB7sPDSlRvgDhHE/ApcWuNFUfTY=,iv:Umacpqk+Zge9a9tlSsfjz1mcQvtequK8K4qLVJu8PCg=,tag:H09qfzM/xyn7TLkPCgtS6Q==,type:str]
     pgp:
         - created_at: "2025-09-06T16:37:33Z"
           enc: |-
@@ -63,4 +64,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

sops.nix

@@ -12,7 +12,7 @@ let
     "0D98D5964AC8BB1CA034CE4EC456133700066642" # xyno main gpg key
   ];
   keysPerHost = (
-    mapAttrs (n: v: (toList v.sopsKey)) (filterAttrs (n: v: v ? sopsKey) instanceConfigs)
+    mapAttrs (n: v: (toList v.config.xyno.meta.sopsKey)) (filterAttrs (n: v: v.config.xyno.meta.sopsKey != null) instanceConfigs)
   );
   desktopHostNames = [ "theseus" ];