initial config commit

flake.lock

@@ -0,0 +1,341 @@
+{
+  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1750173260,
+        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1749398372,
+        "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751589297,
+        "narHash": "sha256-3q35cq6BPuwIRL3IoVKYPc72r3OleeuRyf4YAPjEqzA=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "83f978812c37511ef2ffaf75ffa72160483f738a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "ixx": {
+      "inputs": {
+        "flake-utils": [
+          "nixvim",
+          "nuschtosSearch",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixvim",
+          "nuschtosSearch",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748294338,
+        "narHash": "sha256-FVO01jdmUNArzBS7NmaktLdGA5qA3lUMJ4B7a05Iynw=",
+        "owner": "NuschtOS",
+        "repo": "ixx",
+        "rev": "cc5f390f7caf265461d4aab37e98d2292ebbdb85",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NuschtOS",
+        "ref": "v0.0.8",
+        "repo": "ixx",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1751271578,
+        "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1682134069,
+        "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "nixvim": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nuschtosSearch": "nuschtosSearch",
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1751492444,
+        "narHash": "sha256-26NgRXwhNM2x4hrok0C3CqSf2v0vi9byONNON5PzbHQ=",
+        "owner": "nix-community",
+        "repo": "nixvim",
+        "rev": "239d331bb48673dfd00d7187654892471cd60d44",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixvim",
+        "type": "github"
+      }
+    },
+    "nuschtosSearch": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "ixx": "ixx",
+        "nixpkgs": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1749730855,
+        "narHash": "sha256-L3x2nSlFkXkM6tQPLJP3oCBMIsRifhIDPMQQdHO5xWo=",
+        "owner": "NuschtOS",
+        "repo": "search",
+        "rev": "8dfe5879dd009ff4742b668d9c699bc4b9761742",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NuschtOS",
+        "repo": "search",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "agenix": "agenix",
+        "home-manager": "home-manager_2",
+        "nixpkgs": "nixpkgs",
+        "nixvim": "nixvim",
+        "vscode-server": "vscode-server"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "vscode-server": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1750353031,
+        "narHash": "sha256-Bx7DOPLhkr8Z60U9Qw4l0OidzHoqLDKQH5rDV5ef59A=",
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "rev": "4ec4859b12129c0436b0a471ed1ea6dd8a317993",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,51 @@
+{
+  description = "NixOS configuration";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixvim = {
+      url = "github:nix-community/nixvim";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    vscode-server.url = "github:nix-community/nixos-vscode-server";
+  };
+
+  outputs =
+    { nixpkgs, agenix, ... }@inputs:
+    let
+      commonSystem =
+        {
+          hostName ? "nixos",
+          userName ? "will",
+          system ? "x86_64-linux",
+        }:
+        nixpkgs.lib.nixosSystem {
+          modules = [ ./hosts/${hostName}/configuration.nix ];
+          specialArgs = {
+            inherit inputs;
+            inherit hostName;
+            inherit userName;
+            inherit system;
+          };
+          inherit system;
+        };
+    in
+    {
+      nixosConfigurations = {
+        desktop = commonSystem { hostName = "desktop"; };
+        laptop = commonSystem { hostName = "laptop"; };
+        server = commonSystem {
+          hostName = "server";
+          userName = "srv";
+        };
+      };
+    };
+}

hosts/desktop/configuration.nix

@@ -0,0 +1,42 @@
+{
+  pkgs,
+  hostName,
+  inputs,
+  userName,
+  ...
+}:
+{
+  imports = [
+    ../../modules/nixos/default.nix
+    ./hardware-configuration.nix
+  ];
+
+  # reusable modules
+
+  amd-gpu.enable = true;
+  desktop.enable = true;
+  external-speakers.enable = true;
+  gaming.enable = true;
+  link2c.enable = true;
+
+  # config
+
+  boot.initrd.luks.devices."luks-b164af31-c1c3-4b4e-83c8-eb39802c2027".device =
+    "/dev/disk/by-uuid/b164af31-c1c3-4b4e-83c8-eb39802c2027";
+
+  services.btrfs.autoScrub.enable = true;
+
+  system.stateVersion = "24.11";
+
+  i18n.extraLocaleSettings.LC_ALL = "en_AU.UTF-8";
+
+  users.users.${userName} = {
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+      "scanner"
+      "lp"
+    ];
+    isNormalUser = true;
+  };
+}

hosts/desktop/hardware-configuration.nix

@@ -0,0 +1,66 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usbhid"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/8ac17d03-8db2-455f-b73a-06d73022a079";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."luks-bf3ff3bf-7210-4c50-a6bc-feb5bdb6fa0d".device =
+    "/dev/disk/by-uuid/bf3ff3bf-7210-4c50-a6bc-feb5bdb6fa0d";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3854-4FAE";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  fileSystems."/media/games" = {
+    device = "/dev/disk/by-uuid/ea672712-282d-4421-bf34-c9a249a9b275";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "subvol=games"
+    ];
+  };
+
+  fileSystems."/media/hoard" = {
+    device = "/dev/disk/by-uuid/ea672712-282d-4421-bf34-c9a249a9b275";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "subvol=hoard"
+    ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/000dc4be-b250-4870-9284-b761486e8cea"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/desktop/home.nix

@@ -0,0 +1,19 @@
+{
+  userName,
+  ...
+}:
+{
+  imports = [ ../../modules/home-manager/default.nix ];
+
+  # reusable modules
+
+  desktop.enable = true;
+
+  # config
+
+  home = {
+    username = "${userName}";
+    homeDirectory = "/home/will";
+    stateVersion = "24.11";
+  };
+}

hosts/laptop/configuration.nix

@@ -0,0 +1,38 @@
+{
+  pkgs,
+  hostName,
+  inputs,
+  userName,
+  ...
+}:
+{
+  imports = [
+    ../../modules/nixos/default.nix
+    ./hardware-configuration.nix
+  ];
+
+  # reusable modules
+
+  amd-gpu.enable = true;
+  desktop.enable = true;
+  networkmanager.enable = true;
+
+  # config
+
+  boot.initrd.luks.devices."luks-433a5889-6f18-4c9a-8d99-db02af39bdee".device =
+    "/dev/disk/by-uuid/433a5889-6f18-4c9a-8d99-db02af39bdee";
+
+  system.stateVersion = "24.11";
+
+  i18n.extraLocaleSettings.LC_ALL = "en_AU.UTF-8";
+
+  users.users.${userName} = {
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+      "scanner"
+      "lp"
+    ];
+    isNormalUser = true;
+  };
+}

hosts/laptop/hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/cdb8d2dd-a466-4c53-8c42-f00af5e85d81";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."luks-67930062-ceb2-4d9a-83d9-dfad48287a00".device = "/dev/disk/by-uuid/67930062-ceb2-4d9a-83d9-dfad48287a00";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/CFBE-B36B";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7d677650-2504-4df0-8631-d7a7ff325e35"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/laptop/home.nix

@@ -0,0 +1,19 @@
+{
+  userName,
+  ...
+}:
+{
+  imports = [ ../../modules/home-manager/default.nix ];
+
+  # reusable modules
+
+  desktop.enable = true;
+
+  # config
+
+  home = {
+    username = "${userName}";
+    homeDirectory = "/home/will";
+    stateVersion = "24.11";
+  };
+}

hosts/server/configuration.nix

@@ -0,0 +1,42 @@
+{
+  pkgs,
+  hostName,
+  inputs,
+  userName,
+  ...
+}:
+{
+  imports = [
+    ../../modules/nixos/default.nix
+    ./hardware-configuration.nix
+  ];
+
+  # reusable modules
+
+  borgbackup-srv.enable = true;
+  intel-gpu.enable = true;
+  server.enable = true;
+
+  # config
+
+  networking.hostName = "${hostName}";
+
+  services.openssh.enable = true;
+
+  system.stateVersion = "24.11";
+
+  users = {
+    groups.${userName} = { };
+    users.${userName} = {
+      extraGroups = [
+        "wheel"
+        "docker"
+      ];
+      home = "/home/srv";
+      isNormalUser = true;
+      shell = pkgs.bash;
+    };
+  };
+
+  virtualisation.docker.enable = true;
+}

hosts/server/hardware-configuration.nix

@@ -0,0 +1,58 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/f202dcb2-1af3-4841-b0a7-303b18e68421";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/E591-819C";
+    fsType = "vfat";
+    options = [
+      "fmask=0767"
+      "dmask=0767"
+    ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/8e471996-8a5d-4782-b87f-83f2b3839f53"; }
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/server/home.nix

@@ -0,0 +1,13 @@
+{
+  userName,
+  ...
+}:
+{
+  imports = [ ../../modules/home-manager/default.nix ];
+
+  home = {
+    username = "${userName}";
+    homeDirectory = "/home/srv";
+    stateVersion = "24.11";
+  };
+}

modules/home-manager/bundles/desktop.nix

@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+let
+  feature = "desktop";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    alacritty.enable = true;
+    zellij.enable = true;
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/home-manager/default.nix

@@ -0,0 +1,14 @@
+{ lib, ... }:
+let
+  featureBundler =
+    featuresDir:
+    map (name: featuresDir + "/${name}") (builtins.attrNames (builtins.readDir featuresDir));
+in
+{
+  imports = (featureBundler ./bundles) ++ (featureBundler ./features);
+
+  bash.enable = lib.mkDefault true;
+  gh.enable = lib.mkDefault true;
+  git.enable = lib.mkDefault true;
+  zoxide.enable = lib.mkDefault true;
+}

modules/home-manager/features/alacritty.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "alacritty";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    programs.alacritty = {
+      enable = true;
+      theme = "catppuccin_mocha";
+      settings = {
+        window.startup_mode = "fullscreen";
+        terminal.shell = {
+          program = "zellij";
+          args = [
+            "-l"
+            "welcome"
+          ];
+        };
+        font = {
+          normal = {
+            family = "JetBrainsMono Nerd Font";
+            style = "Regular";
+          };
+          bold = {
+            family = "JetBrainsMono Nerd Font";
+            style = "Bold";
+          };
+          italic = {
+            family = "JetBrainsMono Nerd Font";
+            style = "italic";
+          };
+          bold_italic = {
+            family = "JetBrainsMono Nerd Font";
+            style = "bold_italic";
+          };
+          size = 13;
+        };
+      };
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/home-manager/features/bash.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+let
+  feature = "bash";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    programs.bash.enable = true;
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/home-manager/features/gh.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "gh";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    programs.gh = {
+      enable = true;
+      settings = {
+        git_protocol = "ssh";
+        editor = "nvim";
+      };
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/home-manager/features/git.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "git";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    programs.${feature} = {
+      enable = true;
+
+      userName = "wi11-holdsworth";
+      userEmail = "83637728+wi11-holdsworth@users.noreply.github.com";
+
+      aliases = {
+        a = "add";
+        aa = "add .";
+        ap = "add -p";
+        c = "commit --verbose";
+        ca = "commit -a --verbose";
+        cm = "commit -m";
+        cam = "commit -a -m";
+        m = "commit --amend --verbose";
+        d = "diff";
+        ds = "diff --stat";
+        dc = "diff --cached";
+        s = "status -s";
+        co = "checkout";
+        cob = "checkout -b";
+        ps = "push";
+        pl = "pull";
+      };
+
+      extraConfig = {
+        init.defaultBranch = "main";
+
+        core.editor = "nvim";
+
+        push.autoSetupRemote = true;
+
+        pull.rebase = false;
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/home-manager/features/zellij.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "zellij";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    programs.zellij = {
+      enable = true;
+      settings = {
+        theme = "catppuccin-mocha";
+        show_startup_tips = false;
+      };
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/home-manager/features/zoxide.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "zoxide";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    programs.zoxide = {
+      enable = true;
+      enableBashIntegration = true;
+      options = [
+        "--cmd j"
+      ];
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/bundles/desktop.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  feature = "desktop";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    pipewire.enable = true;
+    print-and-scan.enable = true;
+    plasma.enable = true;
+
+    environment.systemPackages =
+      with pkgs;
+      [
+        beeper
+        brave
+        calibre
+        cameractrls-gtk3
+        firefox
+        jellyfin-media-player
+        kiwix
+        libreoffice
+        nixfmt-rfc-style
+        obsidian
+        vlc
+        vscode
+      ]
+      ++ (with pkgs.kdePackages; [
+        skanlite
+        ktorrent
+        kzones
+      ]);
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/bundles/server.nix

@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+let
+  feature = "server";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    couchdb.enable = true;
+    flaresolverr.enable = true;
+    homepage-dashboard.enable = true;
+    immich.enable = true;
+    jellyfin.enable = true;
+    lidarr.enable = true;
+    miniflux.enable = true;
+    nginx.enable = true;
+    ntfy-sh.enable = true;
+    paperless.enable = true;
+    prowlarr.enable = true;
+    radarr.enable = true;
+    sonarr.enable = true;
+    stirling-pdf.enable = true;
+    transmission.enable = true;
+    vaultwarden.enable = true;
+    vscode-server.enable = true;
+    webdav.enable = true;
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/default.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+let
+  featureBundler =
+    featuresDir:
+    map (name: featuresDir + "/${name}") (builtins.attrNames (builtins.readDir featuresDir));
+in
+{
+  imports = (featureBundler ./bundles) ++ (featureBundler ./features);
+
+  agenix.enable = lib.mkDefault true;
+  direnv.enable = lib.mkDefault true;
+  fonts.enable = lib.mkDefault true;
+  home-manager.enable = lib.mkDefault true;
+  localisation.enable = lib.mkDefault true;
+  nh.enable = lib.mkDefault true;
+  nix-settings.enable = lib.mkDefault true;
+  nixpkgs.enable = lib.mkDefault true;
+  nixvim.enable = lib.mkDefault true;
+  shell.enable = lib.mkDefault true;
+  starship.enable = lib.mkDefault true;
+  systemd-boot.enable = lib.mkDefault true;
+  tailscale.enable = lib.mkDefault true;
+
+  # cli utils
+  environment.systemPackages = with pkgs; [
+    bat
+    dust
+    eza
+    fd
+    lazygit
+    nom
+    ripgrep-all
+    spotdl
+  ];
+}

modules/nixos/features/agenix.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  inputs,
+  lib,
+  system,
+  userName,
+  ...
+}:
+let
+  feature = "agenix";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    age.identityPaths = [ "/home/${userName}/.ssh/id_ed25519" ];
+    environment.systemPackages = [ inputs.agenix.packages.${system}.default ];
+  };
+
+  imports = [ inputs.agenix.nixosModules.default ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/amd-gpu.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  feature = "amd-gpu";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+
+    # load graphics drivers before anything else
+    boot.initrd.kernelModules = [ "amdgpu" ];
+
+    hardware.graphics = {
+      enable = true;
+      enable32Bit = true;
+      extraPackages = with pkgs; [ amdvlk ];
+    };
+
+    services.xserver.videoDrivers = [ "amdgpu" ];
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/borgbackup-srv.nix

@@ -0,0 +1,104 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  feature = "borgbackup-srv";
+
+  secret = "borgbackup";
+  notify =
+    {
+      tag,
+      msg,
+      location,
+    }:
+    ''
+      ${pkgs.curl}/bin/curl -H "X-Tags: ${tag},BorgBackup,Server,${location}"  -d "${msg}" ${config.services.ntfy-sh.settings.base-url}/backups
+    '';
+  notifySuccess =
+    location:
+    notify {
+      tag = "tada";
+      msg = "Backup succeeded";
+      inherit location;
+    };
+  notifyFailure =
+    location:
+    notify {
+      tag = "tada";
+      msg = "Backup failed, check logs";
+      inherit location;
+    };
+
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services.borgbackup.jobs =
+      let
+        srv = location: {
+          paths = "/srv";
+
+          compression = "auto,zstd";
+
+          startAt = "*-*-* 04:00:00 Australia/Melbourne";
+
+          prune.keep = {
+            daily = 7;
+            weekly = 4;
+            monthly = 6;
+          };
+
+          postHook = ''
+            if [ $exitStatus -eq 0 ]; then
+              ${notifySuccess location}
+            else
+              ${notifyFailure location}
+            fi
+          '';
+        };
+
+      in
+      {
+        onsite = srv "onsite" // {
+          repo = "/repo";
+          exclude = [ "/srv/immich" ];
+
+          encryption.mode = "repokey-blake2";
+          encryption.passCommand = "cat ${config.age.secrets.borgbackup-server-onsite.path}";
+
+          removableDevice = true;
+        };
+
+        offsite = srv "offsite" // {
+          repo = "vuc5c3xq@vuc5c3xq.repo.borgbase.com:repo";
+
+          encryption.mode = "repokey-blake2";
+          encryption.passCommand = "cat ${config.age.secrets.borgbackup-server-offsite.path}";
+
+          environment.BORG_RSH = "ssh -i /home/srv/.ssh/id_ed25519";
+        };
+      };
+
+    # onsite drive
+    services.udisks2.enable = true;
+
+    fileSystems."/repo" = {
+      device = "/dev/sdb1";
+      fsType = "vfat";
+    };
+
+    # secrets
+    age.secrets = {
+      "${secret}-server-onsite" = {
+        file = ../../../secrets/${secret}-server-onsite.age;
+      };
+      "${secret}-server-offsite" = {
+        file = ../../../secrets/${secret}-server-offsite.age;
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/couchdb.nix

@@ -0,0 +1,60 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "couchdb";
+  port = "5984";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        databaseDir = "/srv/couchdb";
+        viewIndexDir = "/srv/couchdb";
+        configFile = "/srv/couchdb";
+        port = lib.toInt port;
+        extraConfig = {
+          chttpd = {
+            require_valid_user = true;
+            enable_cors = true;
+            max_http_request_size = 4294967296;
+          };
+
+          chttpd_auth.require_valid_user = true;
+
+          httpd = {
+            WWW-Authenticate = ''Basic realm="couchdb"'';
+            enable_cors = true;
+          };
+
+          couchdb.max_document_size = 50000000;
+
+          cors = {
+            credentials = true;
+            origins = ''
+              app://obsidian.md,capacitor://localhost,http://localhost,https://localhost,capacitor://couchdb.fi33.buzz,http://couchdb.fi33.buzz,https://couchdb.fi33.buzz
+            '';
+          };
+        };
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/direnv.nix

@@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "direnv";
+in
+{
+  config = lib.mkIf config.${feature}.enable { programs.${feature}.enable = true; };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/external-speakers.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "external-speakers";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    boot.extraModprobeConfig = ''
+      options snd_hda_intel power_save=0
+    '';
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/flaresolverr.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "flaresolverr";
+  port = "5011";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        port = lib.toInt port;
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/fonts.nix

@@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  feature = "fonts";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    fonts.packages = with pkgs; [ nerd-fonts.jetbrains-mono ];
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/gaming.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  feature = "gaming";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    environment.systemPackages = with pkgs; [
+      heroic
+      lutris
+      mangohud
+      nexusmods-app
+      protonup-qt
+      wine
+      wine64
+      winetricks
+      prismlauncher
+    ];
+
+    programs = {
+      gamemode.enable = true;
+      steam = {
+        enable = true;
+        gamescopeSession.enable = true;
+      };
+    };
+
+    # latest kernel
+    boot.kernelPackages = pkgs.linuxPackages_latest;
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/home-manager.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  hostName,
+  inputs,
+  lib,
+  userName,
+  ...
+}:
+let
+  feature = "home-manager";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    home-manager = {
+      users.${userName} = import ../../../hosts/${hostName}/home.nix;
+      backupFileExtension = "backup";
+      extraSpecialArgs = {
+        inherit userName;
+      };
+      useGlobalPkgs = true;
+      useUserPackages = true;
+    };
+  };
+
+  imports = [ inputs.home-manager.nixosModules.home-manager ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/homepage-dashboard.nix

@@ -0,0 +1,268 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  feature = "homepage-dashboard";
+  port = "5004";
+  genSecrets =
+    secrets:
+    lib.genAttrs secrets (secret: {
+      file = ../../../secrets/${secret}.age;
+    });
+  insertSecrets =
+    secrets:
+    lib.genAttrs secrets (secret: ''
+      secret=$(cat "${config.age.secrets.${secret}.path}")
+      configFile=/etc/homepage-dashboard/services.yaml
+      ${pkgs.gnused}/bin/sed -i "s#@${secret}@#$secret#" "$configFile"
+    '');
+
+  secrets = [
+    "immich"
+    "jellyfin"
+    "lidarr"
+    "miniflux"
+    "paperless"
+    "prowlarr"
+    "radarr"
+    "sonarr"
+  ];
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    system.activationScripts = insertSecrets secrets;
+    age.secrets = genSecrets secrets;
+
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        listenPort = lib.toInt port;
+        allowedHosts = "${feature}.fi33.buzz";
+        services = [
+          {
+            "Media Management" = [
+              {
+                "Lidarr" = {
+                  "icon" = "lidarr.png";
+                  "href" = "https://lidarr.fi33.buzz/";
+                  "widget" = {
+                    "type" = "lidarr";
+                    "url" = "https://lidarr.fi33.buzz/";
+                    "key" = "@lidarr@";
+                    "enableQueue" = true;
+                  };
+                };
+              }
+              {
+                "Prowlarr" = {
+                  "icon" = "prowlarr.png";
+                  "href" = "https://prowlarr.fi33.buzz/";
+                  "widget" = {
+                    "type" = "prowlarr";
+                    "url" = "https://prowlarr.fi33.buzz/";
+                    "key" = "@prowlarr@";
+                  };
+                };
+              }
+              {
+                "Radarr" = {
+                  "icon" = "radarr.png";
+                  "href" = "https://radarr.fi33.buzz/";
+                  "widget" = {
+                    "type" = "radarr";
+                    "url" = "https://radarr.fi33.buzz/";
+                    "key" = "@radarr@";
+                    "enableQueue" = true;
+                  };
+                };
+              }
+              {
+                "Sonarr" = {
+                  "icon" = "sonarr.png";
+                  "href" = "https://sonarr.fi33.buzz/";
+                  "widget" = {
+                    "type" = "sonarr";
+                    "url" = "https://sonarr.fi33.buzz/";
+                    "key" = "@sonarr@";
+                    "enableQueue" = true;
+                  };
+                };
+              }
+            ];
+          }
+          {
+            "Media Streaming" = [
+              {
+                "Immich" = {
+                  "icon" = "immich.png";
+                  "href" = "https://immich.fi33.buzz/";
+                  "widget" = {
+                    "type" = "immich";
+                    "fields" = [
+                      "users"
+                      "photos"
+                      "videos"
+                      "storage"
+                    ];
+                    "url" = "https://immich.fi33.buzz/";
+                    "version" = 2;
+                    "key" = "@immich@";
+                  };
+                };
+              }
+              {
+                "Jellyfin" = {
+                  "icon" = "jellyfin.png";
+                  "href" = "https://jellyfin.fi33.buzz/";
+                  "widget" = {
+                    "type" = "jellyfin";
+                    "url" = "https://jellyfin.fi33.buzz/";
+                    "key" = "@jellyfin@";
+                    "enableBlocks" = true;
+                    "enableNowPlaying" = true;
+                    "enableUser" = true;
+                    "showEpisodeNumber" = true;
+                    "expandOneStreamToTwoRows" = false;
+                  };
+                };
+              }
+              {
+                "Miniflux" = {
+                  "icon" = "miniflux.png";
+                  "href" = "https://miniflux.fi33.buzz/";
+                  "widget" = {
+                    "type" = "miniflux";
+                    "url" = "https://miniflux.fi33.buzz/";
+                    "key" = "@miniflux@";
+                  };
+                };
+              }
+              {
+                "Paperless" = {
+                  "icon" = "paperless.png";
+                  "href" = "https://paperless.fi33.buzz/";
+                  "widget" = {
+                    "type" = "paperlessngx";
+                    "url" = "https://paperless.fi33.buzz/";
+                    "username" = "admin";
+                    "password" = "@paperless@";
+                  };
+                };
+              }
+            ];
+          }
+          {
+            "Cloud Services" = [
+              {
+                "CouchDB" = {
+                  "icon" = "couchdb.png";
+                  "href" = "https://couchdb.fi33.buzz/_utils/";
+                };
+              }
+              {
+                "Ntfy" = {
+                  "icon" = "ntfy.png";
+                  "href" = "https://ntfy-sh.fi33.buzz/";
+                };
+              }
+              {
+                "Stirling PDF" = {
+                  "icon" = "stirling-pdf.png";
+                  "href" = "https://stirling-pdf.fi33.buzz/";
+                };
+              }
+              {
+                "Transmission" = {
+                  "icon" = "transmission.png";
+                  "href" = "https://transmission.fi33.buzz/";
+                };
+              }
+              {
+                "Vaultwarden" = {
+                  "icon" = "vaultwarden.png";
+                  "href" = "https://vaultwarden.fi33.buzz/";
+                };
+              }
+            ];
+          }
+        ];
+        settings = {
+          title = "Mission Control";
+          theme = "dark";
+          color = "neutral";
+          headerStyle = "clean";
+          layout = [
+            {
+              "Media Streaming" = {
+                style = "row";
+                columns = 4;
+                useEqualHeights = true;
+              };
+            }
+            {
+              "Media Management" = {
+                style = "row";
+                columns = 4;
+                useEqualHeights = true;
+              };
+            }
+            {
+              "Cloud Services" = {
+                style = "row";
+                columns = 3;
+              };
+            }
+          ];
+          quicklaunch.searchDescriptions = true;
+          disableUpdateCheck = true;
+          showStats = true;
+          statusStyle = "dot";
+        };
+        widgets = [
+          {
+            search = {
+              provider = [
+                "duckduckgo"
+                "brave"
+              ];
+              focus = true;
+              showSearchSuggestions = true;
+              target = "_blank";
+            };
+          }
+          {
+            resources = {
+              cpu = true;
+              memory = true;
+              disk = "/";
+              cputemp = true;
+              tempmin = 0;
+              tempmax = 100;
+              units = "metric";
+              network = true;
+              uptime = true;
+            };
+          }
+        ];
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/immich.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "immich";
+  port = "2283";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services.${feature} = {
+      enable = true;
+      port = builtins.fromJSON "${port}";
+      mediaLocation = "/srv/${feature}";
+    };
+
+    # reverse proxy
+    services.nginx = {
+      clientMaxBodySize = "50000M";
+
+      virtualHosts."${feature}.fi33.buzz" = {
+        forceSSL = true;
+        useACMEHost = "fi33.buzz";
+        locations."/" = {
+          proxyPass = "http://[::1]:${port}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/intel-gpu.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  feature = "intel-gpu";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    hardware = {
+      enableAllFirmware = true;
+      graphics = {
+        enable = true;
+        extraPackages = with pkgs; [
+          intel-media-driver
+          libva-vdpau-driver
+          intel-compute-runtime
+          vpl-gpu-rt
+          intel-ocl
+        ];
+      };
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/jellyfin.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  userName,
+  ...
+}:
+let
+  feature = "jellyfin";
+  port = "8096";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        dataDir = "/srv/jellyfin";
+        group = "media";
+      };
+
+      # reverse proxy
+      nginx.virtualHosts."${feature}.fi33.buzz" = {
+        forceSSL = true;
+        useACMEHost = "fi33.buzz";
+        locations."/".proxyPass = "http://localhost:${port}";
+      };
+    };
+
+    # use intel iGP
+    systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD";
+    environment.sessionVariables = {
+      LIBVA_DRIVER_NAME = "iHD";
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/lidarr.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "lidarr";
+  port = "5012";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        dataDir = "/srv/lidarr";
+        settings.server.port = lib.toInt port;
+        group = "media";
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/link2c.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "link2c";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services.udev.extraRules = ''
+      ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="2e1a", ATTR{idProduct}=="4c03", TEST=="power/control", ATTR{power/control}="on"
+    '';
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/localisation.nix

@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+let
+  feature = "localisation";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    i18n = {
+      defaultLocale = "en_AU.UTF-8";
+      supportedLocales = [
+        "en_US.UTF-8/UTF-8"
+        "en_AU.UTF-8/UTF-8"
+      ];
+    };
+
+    time.timeZone = "Australia/Melbourne";
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/miniflux.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "miniflux";
+  port = "5010";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    age.secrets.miniflux-creds.file = ../../../secrets/miniflux-creds.age;
+
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        adminCredentialsFile = config.age.secrets.miniflux-creds.path;
+        config = {
+          BASE_URL = "https://miniflux.fi33.buzz";
+          LISTEN_ADDR = "localhost:${port}";
+        };
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/networkmanager.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  hostName,
+  ...
+}:
+let
+  feature = "networkmanager";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    networking = {
+      hostName = "${hostName}";
+      networkmanager.enable = true;
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/nginx.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "nginx";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    age.secrets."api-porkbun" = {
+      file = ../../../secrets/api-porkbun.age;
+    };
+
+    services.${feature} = {
+      enable = true;
+
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+
+      virtualHosts."*.fi33.buzz" = {
+        forceSSL = true;
+        useACMEHost = "fi33.buzz";
+        locations."/".index = "index.html";
+      };
+    };
+
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "wi11@duck.com";
+      certs."fi33.buzz" = {
+        domain = "fi33.buzz";
+        extraDomainNames = [ "*.fi33.buzz" ];
+        group = "${feature}";
+        dnsProvider = "porkbun";
+        dnsPropagationCheck = true;
+        credentialsFile = config.age.secrets."api-porkbun".path;
+      };
+    };
+
+    users.users.${feature}.extraGroups = [ "acme" ];
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/nh.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  userName,
+  ...
+}:
+let
+  feature = "nh";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    programs.${feature} = {
+      enable = true;
+      # clean.enable = true;
+      flake = "/home/${userName}/.dots";
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/nix-settings.nix

@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+let
+  feature = "nix-settings";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    nix = {
+      optimise.automatic = true;
+      settings = {
+        experimental-features = [
+          "nix-command"
+          "flakes"
+        ];
+        trusted-users = [
+          "will"
+          "srv"
+        ];
+      };
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/nixpkgs.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+let
+  feature = "nixpkgs";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    nixpkgs.config.allowUnfree = true;
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/nixvim.nix

@@ -0,0 +1,57 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+let
+  feature = "nixvim";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    environment.variables.EDITOR = "nvim";
+    programs.${feature} = {
+      enable = true;
+      opts = {
+        shiftwidth = 2;
+        number = true;
+        relativenumber = true;
+        autoindent = true;
+        tabstop = 2;
+        expandtab = true;
+      };
+      colorschemes.catppuccin = {
+        enable = true;
+        settings.background.dark = "mocha";
+      };
+      plugins = {
+        cmp = {
+          enable = true;
+          autoEnableSources = true;
+        };
+        cmp-nvim-lsp.enable = true;
+        cmp_luasnip.enable = true;
+        cmp-treesitter.enable = true;
+        cmp-async-path.enable = true;
+        cmp-npm.enable = true;
+        cmp-emoji.enable = true;
+        cmp-dictionary.enable = true;
+        cmp-calc.enable = true;
+        lsp = {
+          enable = true;
+          servers.nixd.enable = true;
+        };
+        lsp-format.enable = true;
+        autoclose.enable = true;
+        lualine.enable = true;
+        luasnip.enable = true;
+        treesitter.enable = true;
+        lastplace.enable = true;
+      };
+    };
+  };
+
+  imports = [ inputs.nixvim.nixosModules.nixvim ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/ntfy-sh.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "ntfy-sh";
+  port = "5002";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        settings = {
+          base-url = "https://${feature}.fi33.buzz";
+          listen-http = ":${port}";
+          behind-proxy = true;
+        };
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/paperless.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "paperless";
+  port = "5013";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        dataDir = "/srv/paperless";
+        database.createLocally = true;
+        passwordFile = config.age.secrets.paperless.path;
+        port = lib.toInt port;
+        settings = {
+          PAPERLESS_URL = "https://paperless.fi33.buzz";
+        };
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+
+    age.secrets.paperless.file = ../../../secrets/paperless.age;
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/pipewire.nix

@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+let
+  feature = "pipewire";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    security.rtkit.enable = true;
+
+    services.pipewire = {
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      enable = true;
+      jack.enable = true;
+      pulse.enable = true;
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/plasma.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+  feature = "plasma";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      desktopManager.plasma6.enable = true;
+      displayManager.sddm = {
+        enable = true;
+        wayland.enable = true;
+      };
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/print-and-scan.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  feature = "print-and-scan";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    hardware.sane = {
+      enable = true;
+      extraBackends = [ pkgs.hplip ];
+    };
+    services = {
+      avahi = {
+        enable = true;
+        nssmdns4 = true;
+        openFirewall = true;
+      };
+      printing = {
+        enable = true;
+        drivers = [ pkgs.hplip ];
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/prowlarr.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "prowlarr";
+  port = "5009";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        dataDir = "/srv/prowlarr";
+        settings.server.port = lib.toInt port;
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/radarr.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "radarr";
+  port = "5007";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        dataDir = "/srv/radarr";
+        settings.server.port = lib.toInt port;
+        group = "media";
+
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/shell.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+  feature = "shell";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    environment.shellAliases = {
+      g = "lazygit";
+      ns = "nh os switch";
+      rf = "nix flake init --template 'https://flakehub.com/f/the-nix-way/dev-templates/*#rust' && direnv allow";
+      vi = "nvim";
+      vim = "nvim";
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/sonarr.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "sonarr";
+  port = "5006";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        dataDir = "/srv/sonarr";
+        settings.server.port = lib.toInt port;
+        group = "media";
+
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/starship.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "starship";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    programs.starship = {
+      enable = true;
+      settings.character = {
+        success_symbol = "[%](bold green) ";
+        error_symbol = "[%](bold red) ";
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/stirling-pdf.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "stirling-pdf";
+  port = "5003";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        environment = {
+          SERVER_PORT = lib.toInt port;
+        };
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/systemd-boot.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+let
+  feature = "systemd-boot";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    boot.loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/tailscale.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "tailscale";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      ${feature}.enable = true;
+      nginx.tailscaleAuth.enable = true;
+    };
+
+    networking.firewall.trustedInterfaces = [ "tailscale0" ];
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/transmission.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  feature = "transmission";
+  port = "5008";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      transmission = {
+        enable = true;
+        package = pkgs.transmission_4;
+        settings = {
+          download-dir = "/media/Downloads";
+          rpc-host-whitelist-config.${feature}.enable = false;
+          rpc-port = lib.toInt port;
+          rpc-whitelist-enable = false;
+        };
+        group = "media";
+        webHome = pkgs.flood-for-transmission;
+      };
+
+      # reverse proxy
+      nginx.virtualHosts."${feature}.fi33.buzz" = {
+        forceSSL = true;
+        useACMEHost = "fi33.buzz";
+        locations."/".proxyPass = "http://localhost:${port}";
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/vaultwarden.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+let
+  feature = "vaultwarden";
+  port = "5001";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services.${feature} = {
+      enable = true;
+      backupDir = "/srv/${feature}";
+      config = {
+        rocketPort = "${port}";
+        domain = "https://${feature}.fi33.buzz";
+        signupsAllowed = false;
+        invitationsAllowed = false;
+        showPasswordHint = false;
+        useSyslog = true;
+        extendedLogging = true;
+        adminTokenFile = "${config.age.secrets.vaultwarden-admin.path}";
+      };
+    };
+
+    # reverse proxy
+    services.nginx.virtualHosts."${feature}.fi33.buzz" = {
+      forceSSL = true;
+      useACMEHost = "fi33.buzz";
+      locations."/" = {
+        proxyPass = "http://localhost:${port}";
+        proxyWebsockets = true;
+      };
+    };
+
+    # secrets
+    age.secrets = {
+      "vaultwarden-admin" = {
+        file = ../../../secrets/vaultwarden-admin.age;
+        owner = "${feature}";
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/nixos/features/vscode-server.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+let
+  feature = "vscode-server";
+in
+{
+  config = lib.mkIf config.${feature}.enable { services.${feature}.enable = true; };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+
+  imports = [ inputs.${feature}.nixosModules.default ];
+}

modules/nixos/features/webdav.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "webdav";
+  port = "5000";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+        settings = {
+          address = "127.0.0.1";
+          port = lib.toInt port;
+          permissions = "R";
+          directory = "/srv/webdav";
+          modify = true;
+          users = [
+            {
+              username = "admin";
+              password = "{bcrypt}$2a$10$Buai6WtOhE7NoSNKNzcJ1OEJNFWyUzp6Y6b8i9pvdvIFNw8OaxCGm";
+              permissions = "CRUD";
+            }
+          ];
+        };
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/templates/feature.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+let
+  feature = "feature";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+
+  };
+
+  imports = [ ];
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

modules/templates/web-feature.nix

@@ -0,0 +1,29 @@
+{ config, lib, ... }:
+let
+  feature = "feature";
+  port = "port";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    services = {
+      # service
+      ${feature} = {
+        enable = true;
+      };
+
+      # reverse proxy
+      nginx = {
+        virtualHosts."${feature}.fi33.buzz" = {
+          forceSSL = true;
+          useACMEHost = "fi33.buzz";
+          locations."/" = {
+            proxyPass = "http://localhost:${port}";
+            # proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}

secrets/api-porkbun.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 LtK9yQ 3IfuOhEd6O3fwpovZNGe5phUxEyawaNLQaghm2CMICs
+F7V16p9va1ghnBlPxeRgzub2YdGnw0vv8Kb5WfPtl6Y
+-> ssh-ed25519 qLT+DQ cL8BORJ2yfk0KFFDNagXi1W7XYZVdKj0cU/XsW7chCs
+fJ0Qd5pH7+i82OAtBUA0WthOOAA8pEaqnxKhpkwCH00
+--- sHXToVDlsHDq/eZERrUOAkM+u1tIRpNGzOLjrk1nnYg
+®ÂôÙ#tñ/!í7eß6¹'
G„ü9[,À§„½:ÿÁcä$ŽÊ è-×¥+b”6£ÁѺÕ×8jÜ×9”º©U-e°ä<C2B0>‰ÛÂÈÂÞ»p¨õ­Š7ilE¼ºR±>â‘wûØ—Q
üV˜q<CB9C>Û×Í>#›óuÍâåÓêν%}ÊPXL‹O迵!~êE’ì'¢h´IGqãÑÌûÿÌNéÉð±<C3B0>'jQšçDZœr&´%+›
+Dë°i¦gÝf»Ôê¨ÚÇ~nðõ55ÂÏÚ

secrets/borgbackup-server-offsite.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 LtK9yQ 3edXTIF3R9FV6nFioGmKfQj3KUhgHcBiLZqWvGYHTHA
+whktnDd+FVRedb24p115Es/Z9VRHGUfuKP0ZnZckcH8
+-> ssh-ed25519 qLT+DQ RFxxvDwvEzCYWce3sgFpwpuMucStRCxcZJVl8IaCVl4
+KdhOmU1bdunFZaEZ/rNEXz0USSKpQJefYQkaKmQwPy0
+--- Xqxy50Tk669XG4bJFo+Jn4iM3q5r43WykXJRPjGaRRo
+*—phž<C382>	ÜhÁª<C381>„Ÿ@†]jU£à
+öªã„£‹¦Y£¡–c½òˆoŒíÕ÷;R]ÙVë7@—Üä(’Ê_QZ<>VDH¬hÜ*f¿

secrets/jellyfin.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 LtK9yQ 5qUkcfVKMNSjnj55IEE50uzBq4+nnttmZTiTKhgvBgc
+QacHV/T7u4mxq34XOtRNT2vK5ETKqBd7YGlaYC3hWuY
+-> ssh-ed25519 qLT+DQ iHIJ4YA/0hQ10X2lKYCWmzJWgcD3WtMEMcAmEN/KV0Y
+aMzsYlzcJTRTaA8qfynGaEtwAj727UCJC/vERY8R+Fo
+--- WmYMmCznOaPQJzltI7W77lJZr6UQ+z8AMlxSCo/flsc
+ËkùV!JR¶€>¹Üh¡@G®þß}*›¸ÈÇ›3ðZÂÜrhò8G‹ÏT$3yb<0B>u<œâ™ôíy÷î÷¿h

secrets/lidarr.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 LtK9yQ aofrkfDuwx1bcL0LS0MnuXCUceWSYa6++idgsymaBzM
+LBopXJq9soUEpXKx40FVdauI9czX3myTUozOTpn9ftQ
+-> ssh-ed25519 qLT+DQ 5VVHAXAB1jLcjEfDDMZG9ydkiXTbtV39C/yvPwqz2wk
+81MdOmmwlnuKYqUrFhOuumuvcg8IiatpQw+FSxVFMPU
+--- EZKJh4tnM2BIm2sJg3qXedcMWkwrDXY3zsaleD55/J4
+þ{ƒs°¢<W%oWs««¦jáñ&¤Î”žKèÓk³<6B>®N›m–«"QÚøÆ_×­}Áq`j9«C×Ë2ZÓñÒ

secrets/paperless.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 LtK9yQ 9i8bOq3woX+NlmieWSmeoelNqN08i4ad2mGSCPjjlxk
+GeEpaT+tQJe6Eqg9jdLkYUtMuWedB3oE8RsOw4ZtMrA
+-> ssh-ed25519 qLT+DQ AsPmSML5ZJMt80pCK4MQGLJ5y1ZXHkroEIWKdz6u4j0
+OZoIeyoaVTg49UoEZIE8kwW44GsOp9vNAgf+FYFcuzM
+--- EwP5WtBaG4lRoXtufF7P+arMMM1+012GjQCfWNnUG08
+<EFBFBD>×JB:+žyË
¡QÕv
ÛJ-FËbH¬öûk…à*Y±a™p=㧮mŸQŸÞ]íéíßþêÓW	žE‹\W58îY_AfO¼¼¢í¦<C3AD>™ýþ/?ef(f[Úˆ=`”Ý‚É6N:

secrets/prowlarr.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 LtK9yQ gydFv7SFOTuqfbV/QK56L6paj9dVOHmMYxKzUfDD3mw
+8Z20yv4cN75PJNsHE8dUGmLHi0c70GHskBd+TohSgLo
+-> ssh-ed25519 qLT+DQ 6xlhv9/VqZjYaFM7FveP0DGnBcWUlvqRAQIAg0cLED8
+YLQ/q4kb3H8aNfsH+fzPfNw/WSOfUg7+VVw3ak7s2tk
+--- 2w8MZjzFiUgK8kS8bcpz/AzqzGe+lwXVDZkhXU7qGwM
+U»xZP7,«ã‹‚
+Ø Ã;‚£ÁÎÈ®šµåW&=<3D>
Œ<0C>kaMò¯Äµe©Zp
9ú gqÅä‰8íN

secrets/radarr.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 LtK9yQ g0eAUUsmYBJ8Ir+ECB9DM2KixJ7DIdOKneM77753mmE
+qrV3Kc4QW/qOZgzMsSbDP0UD0tvhU+Nh7lb6++Dl9BA
+-> ssh-ed25519 qLT+DQ i4kT7QhcHmg2J3ga1X4sPbIhXUUoojifVBtD1QGN/xA
+993ZM4b4Kd+KAECzEsZ6nusH3u04Kb7AgMbaGNRuhfc
+--- MUcReVbWsOjhsPZYioCIggNQ3gG2DItj5O+ZXNl5JHE
+œ:Î<>¯ÐY¥<59>·$9nÃ]‰lØ
²ø³=³áwÄ~RgÎûàY¬(“Ç<E2809C>¹ùwf°½Ñ‚#Uß½ôí«‡Ù°7õ

secrets/secrets.nix

@@ -0,0 +1,23 @@
+let
+  srv = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOeV0NxqIGIXXgLYE6ntkHE4PARceZBp1FTI7kKLBbk8";
+  will = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPHAnTQP77HQ/8nbf1oX7xftfKYtbH6MSh83wic0qdBy";
+  users = [
+    srv    will];
+
+in
+{
+  "api-porkbun.age".publicKeys = users;
+  "api-miniflux.age".publicKeys = users;
+  "borgbackup-server-offsite.age".publicKeys = users;
+  "borgbackup-server-onsite.age".publicKeys = users;
+  "immich.age".publicKeys = users;
+  "jellyfin.age".publicKeys = users;
+  "jellyseerr.age".publicKeys = users;
+  "lidarr.age".publicKeys = users;
+  "miniflux-creds.age".publicKeys = users;
+  "paperless.age".publicKeys = users;
+  "prowlarr.age".publicKeys = users;
+  "radarr.age".publicKeys = users;
+  "sonarr.age".publicKeys = users;
+  "vaultwarden-admin.age".publicKeys = users;
+}

secrets/sonarr.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 LtK9yQ DlFSpGarWh5dC0MoHatf1qNojLzoOLXIifmBBYwxxGA
+dwlHzXfNnCx8cpzPdYI3/sfB4upMGccm+MGfi7L9JCQ
+-> ssh-ed25519 qLT+DQ k9u/7jfgXO8KbtbZkR0p3iB7hsK54Xb7CEpBLAD9tQM
+XQf+ChnVB0G4uE2SoBdr8wfGg1SAbml2I0zVsw0/hrQ
+--- 1/KKI5MPgjg/5A9sKHAn22f7u78Jb6i0HjkIdVwPV6I
+)ŸÛÈ ¦fÌÇMúOÆÂ8Á²ž¡õÎ6;¼¨l̆ÎËCjÙI8KßÝ!Hõ¶yAÐã…ÓêKž3'ü~Û

secrets/vaultwarden-admin.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 LtK9yQ 5Z2mArRLMaq8n3kGmFj9R5fsKjy0AiQNjZYgmET6Yxs
+3eoWHlMxHOtCg6AB5ukISj8QMTw/pt6LEJbu0WeArlw
+-> ssh-ed25519 qLT+DQ 7PZMhnh3+wLwd8CAEPMe6IfdQ7SA0880DHbTFRIKhVw
+IpZw5NiQILBxZLlsp7jV+aigvpHE4PFSfAgZJHe5Kz8
+--- jstgcHlkJkaS9g047sPIgiaOK3uuBKt9jhPN3XyUxLo
+`Y°JèÒ+U	ZÝ\áNa}•ÿ¦nüð<C3BC>0ðo<C3B0>a¼¸Á[7Í×HžË•1SãÎõÇŒg枆‘6–½t4ãGš,
ÞF<C39E>€%^Ý”ËÚˆ»!ß3=í¸À7“Ü\Ü0ÅUG0;(1å´¼± …-*6¤=b•Ô¬Ž~”jäð[;<3B>é‡ÊgÍÜsÄ/òØ
+ÆSu‡ÑE}óÕøÐrTÛÔÜî<É