nixos/jackflix: copyparty: Move /pub to / and put stuff at /priv

nixos/jackflix: Remove unnecessary insecure packages exception
nixos/jackflix: Add copyparty
2025-09-09 14:34:54 +01:00 · 2025-09-08 23:29:51 +01:00 · 2025-09-08 23:28:31 +01:00 · 2025-09-08 21:29:20 +01:00 · 2025-09-06 21:56:19 +01:00 · 2025-09-06 21:40:05 +01:00
53 changed files with 1252 additions and 1836 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -8,7 +8,7 @@
          "ragenix",
          "nixpkgs"
        ],
-        "systems": "systems_7"
+        "systems": "systems_6"
      },
      "locked": {
        "lastModified": 1723293904,
@@ -31,29 +31,27 @@
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
-        "poetry2nix": "poetry2nix"
+        "pyproject-nix": "pyproject-nix"
      },
      "locked": {
-        "lastModified": 1718746012,
+        "lastModified": 1757170758,
-        "narHash": "sha256-sp9vGl3vWXvD/C2JeMDi5nbW6CkKIC3Q2JMGKwexYEs=",
+        "narHash": "sha256-FyO+Brz5eInmdAkG8B2rJAfrNGMCsDQ8BPflKV2+r5g=",
-        "ref": "refs/heads/master",
+        "owner": "devplayer0",
-        "rev": "ea24100bd4a914b9e044a2085a3785a6bd3a3833",
+        "repo": "boardie",
-        "revCount": 5,
+        "rev": "ed5fd520d5bf122871b5508dd3c1eda28d6e515d",
-        "type": "git",
+        "type": "github"
        "url": "https://git.nul.ie/dev/boardie"
      },
      "original": {
-        "type": "git",
+        "owner": "devplayer0",
-        "url": "https://git.nul.ie/dev/boardie"
+        "repo": "boardie",
        "type": "github"
      }
    },
    "borgthin": {
      "inputs": {
        "devshell": "devshell_2",
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_4",
-        "nixpkgs": [
+        "nixpkgs": "nixpkgs_3"
          "nixpkgs-mine"
        ]
      },
      "locked": {
        "lastModified": 1732994213,
@@ -69,6 +67,27 @@
        "type": "github"
      }
    },
    "copyparty": {
      "inputs": {
        "flake-utils": "flake-utils_5",
        "nixpkgs": [
          "nixpkgs-unstable"
        ]
      },
      "locked": {
        "lastModified": 1757362872,
        "narHash": "sha256-juUSWjxX8y2gueU34BpkQipUlhZRFJNLFccdprle0iM=",
        "owner": "9001",
        "repo": "copyparty",
        "rev": "e09f3c9e2c3dccf8f3912539e04dd840b10b51ee",
        "type": "github"
      },
      "original": {
        "owner": "9001",
        "repo": "copyparty",
        "type": "github"
      }
    },
    "crane": {
      "locked": {
        "lastModified": 1725409566,
@@ -116,11 +135,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1727447169,
+        "lastModified": 1756719547,
-        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
+        "narHash": "sha256-N9gBKUmjwRKPxAafXEk1EGadfk2qDZPBQp4vXWPHINQ=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
+        "rev": "125ae9e3ecf62fb2c0fd4f2d894eb971f1ecaed2",
        "type": "github"
      },
      "original": {
@@ -169,8 +188,8 @@
    },
    "devshell_2": {
      "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1671489820,
@@ -193,11 +212,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1735644329,
+        "lastModified": 1741473158,
-        "narHash": "sha256-tO3HrHriyLvipc4xr+Ewtdlo7wM1OjXNjlWRgmM7peY=",
+        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "f7795ede5b02664b57035b3b757876703e2c3eac",
+        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
        "type": "github"
      },
      "original": {
@@ -209,11 +228,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1733328505,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
        "type": "github"
      },
      "original": {
@@ -242,7 +261,7 @@
    },
    "flake-utils_10": {
      "inputs": {
-        "systems": "systems_10"
+        "systems": "systems_9"
      },
      "locked": {
        "lastModified": 1705309234,
@@ -292,24 +311,6 @@
      }
    },
    "flake-utils_3": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_4": {
      "locked": {
        "lastModified": 1642700792,
        "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
@@ -324,7 +325,7 @@
        "type": "github"
      }
    },
-    "flake-utils_5": {
+    "flake-utils_4": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -339,9 +340,24 @@
        "type": "github"
      }
    },
    "flake-utils_5": {
      "locked": {
        "lastModified": 1678901627,
        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_6": {
      "inputs": {
-        "systems": "systems_6"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1731533236,
@@ -358,12 +374,15 @@
      }
    },
    "flake-utils_7": {
      "inputs": {
        "systems": "systems_5"
      },
      "locked": {
-        "lastModified": 1659877975,
+        "lastModified": 1731533236,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -374,7 +393,7 @@
    },
    "flake-utils_8": {
      "inputs": {
-        "systems": "systems_8"
+        "systems": "systems_7"
      },
      "locked": {
        "lastModified": 1710146030,
@@ -392,7 +411,7 @@
    },
    "flake-utils_9": {
      "inputs": {
-        "systems": "systems_9"
+        "systems": "systems_8"
      },
      "locked": {
        "lastModified": 1709126324,
@@ -437,16 +456,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1739757849,
+        "lastModified": 1756679287,
-        "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
+        "narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
+        "rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8",
        "type": "github"
      },
      "original": {
        "id": "home-manager",
-        "ref": "release-24.11",
+        "ref": "release-25.05",
        "type": "indirect"
      }
    },
@@ -457,11 +476,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1741457641,
+        "lastModified": 1757075491,
-        "narHash": "sha256-HIoSAfme6BReJI8wbtZxSuALfI21OqagDPlbGkeVX0c=",
+        "narHash": "sha256-a+NMGl5tcvm+hyfSG2DlVPa8nZLpsumuRj1FfcKb2mQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2c87a6475fba12c9eb04ccb7375da0e32da48dc1",
+        "rev": "f56bf065f9abedc7bc15e1f2454aa5c8edabaacf",
        "type": "github"
      },
      "original": {
@@ -484,25 +503,19 @@
        "type": "github"
      }
    },
-    "nix-github-actions": {
+    "libnetRepo": {
-      "inputs": {
+      "flake": false,
        "nixpkgs": [
          "boardie",
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1703863825,
+        "lastModified": 1745053097,
-        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
+        "narHash": "sha256-BEW57utyWCqP4U+MzCXFqbvEC8LE3iZv5dsPMrmTJ9Q=",
-        "owner": "nix-community",
+        "owner": "oddlama",
-        "repo": "nix-github-actions",
+        "repo": "nixos-extra-modules",
-        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
+        "rev": "7565d8554b0fc9d621851150e7939d34a3a8cd6c",
        "type": "github"
      },
      "original": {
-        "owner": "nix-community",
+        "owner": "oddlama",
-        "repo": "nix-github-actions",
+        "repo": "nixos-extra-modules",
        "type": "github"
      }
    },
@@ -514,11 +527,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1713543440,
+        "lastModified": 1752054764,
-        "narHash": "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=",
+        "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=",
        "owner": "nix-community",
        "repo": "nixGL",
-        "rev": "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a",
+        "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5",
        "type": "github"
      },
      "original": {
@@ -545,11 +558,11 @@
    },
    "nixpkgs-mine": {
      "locked": {
-        "lastModified": 1741543477,
+        "lastModified": 1757173087,
-        "narHash": "sha256-CIXkalXwVcUFxb2TF33j45GlWWVHGmHu0GaMvVM/f6M=",
+        "narHash": "sha256-NYXuC8xUUbvtwbaC1aLdpQKHzQtQ2XB3VkK0hfYTPd8=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "811543d59a6dec53bd025bb17be0896f3c37c03a",
+        "rev": "06e4c8cd503ed73806744b39368393df38b36bb7",
        "type": "github"
      },
      "original": {
@@ -561,11 +574,11 @@
    },
    "nixpkgs-mine-stable": {
      "locked": {
-        "lastModified": 1741456679,
+        "lastModified": 1757173155,
-        "narHash": "sha256-5f6f3yFT4+KDV02PXlKxhJ7ig++oa+NzGwlW8vxWPHk=",
+        "narHash": "sha256-aDNAiQQsrgS/coVOqLbtILpOUouE6jp/wqAsO8Dta/o=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "c82613e3e6a22d4cc1e80e1e91bea15c601dbbe7",
+        "rev": "8a1a03f2d17918a6d51746371031a8fe4014c549",
        "type": "github"
      },
      "original": {
@@ -577,26 +590,26 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1741332913,
+        "lastModified": 1757020766,
-        "narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=",
+        "narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "20755fa05115c84be00b04690630cb38f0a203ad",
+        "rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
        "type": "indirect"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1741246872,
+        "lastModified": 1756787288,
-        "narHash": "sha256-Q6pMP4a9ed636qilcYX8XUguvKl/0/LGXhHcRI91p0U=",
+        "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "10069ef4cf863633f57238f179a0297de84bd8d3",
+        "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
        "type": "github"
      },
      "original": {
@@ -606,22 +619,6 @@
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1718632497,
        "narHash": "sha256-YtlyfqOdYMuu7gumZtK0Kg7jr4OKfHUhJkZfNUryw68=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c58b4a9118498c1055c5908a5bbe666e56abe949",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1643381941,
        "narHash": "sha256-pHTwvnN4tTsEKkWlXQ8JMY423epos8wUOhthpwJjtpc=",
@@ -637,6 +634,20 @@
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1673606088,
        "narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }
    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1709309926,
@@ -669,25 +680,24 @@
        "type": "github"
      }
    },
-    "poetry2nix": {
+    "pyproject-nix": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
-        "nix-github-actions": "nix-github-actions",
+          "boardie",
-        "nixpkgs": "nixpkgs_2",
+          "nixpkgs"
-        "systems": "systems_4",
+        ]
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1718726452,
+        "lastModified": 1756395552,
-        "narHash": "sha256-w4hJSYvACz0i5XHtxc6XNyHwbxpisN13M2kA2Y7937o=",
+        "narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=",
-        "owner": "nix-community",
+        "owner": "pyproject-nix",
-        "repo": "poetry2nix",
+        "repo": "pyproject.nix",
-        "rev": "53e534a08c0cd2a9fa7587ed1c3e7f6aeb804a2c",
+        "rev": "030dffc235dcf240d918c651c78dc5f158067b51",
        "type": "github"
      },
      "original": {
-        "owner": "nix-community",
+        "owner": "pyproject-nix",
-        "repo": "poetry2nix",
+        "repo": "pyproject.nix",
        "type": "github"
      }
    },
@@ -720,12 +730,14 @@
      "inputs": {
        "boardie": "boardie",
        "borgthin": "borgthin",
        "copyparty": "copyparty",
        "deploy-rs": "deploy-rs",
        "devshell": "devshell_3",
        "flake-utils": "flake-utils_6",
        "home-manager-stable": "home-manager-stable",
        "home-manager-unstable": "home-manager-unstable",
        "impermanence": "impermanence",
        "libnetRepo": "libnetRepo",
        "nixGL": "nixGL",
        "nixpkgs-mine": "nixpkgs-mine",
        "nixpkgs-mine-stable": "nixpkgs-mine-stable",
@@ -813,21 +825,6 @@
        "type": "github"
      }
    },
    "systems_10": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
@@ -868,8 +865,9 @@
        "type": "github"
      },
      "original": {
-        "id": "systems",
+        "owner": "nix-systems",
-        "type": "indirect"
+        "repo": "default",
        "type": "github"
      }
    },
    "systems_5": {
@@ -947,38 +945,16 @@
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "boardie",
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1718522839,
        "narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "utils": {
      "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_3"
      },
      "locked": {
-        "lastModified": 1701680307,
+        "lastModified": 1731533236,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -3,17 +3,22 @@
  inputs = {
    flake-utils.url = "github:numtide/flake-utils";
    # libnet.url = "github:reo101/nix-lib-net";
    libnetRepo = {
      url = "github:oddlama/nixos-extra-modules";
      flake = false;
    };
    devshell.url = "github:numtide/devshell";
    devshell.inputs.nixpkgs.follows = "nixpkgs-unstable";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "nixpkgs/nixos-24.11";
+    nixpkgs-stable.url = "nixpkgs/nixos-25.05";
    nixpkgs-mine.url = "github:devplayer0/nixpkgs/devplayer0";
    nixpkgs-mine-stable.url = "github:devplayer0/nixpkgs/devplayer0-stable";
    home-manager-unstable.url = "home-manager";
    home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
-    home-manager-stable.url = "home-manager/release-24.11";
+    home-manager-stable.url = "home-manager/release-25.05";
    home-manager-stable.inputs.nixpkgs.follows = "nixpkgs-stable";
    # Stuff used by the flake for build / deployment
@@ -25,7 +30,7 @@
    # Stuff used by systems
    impermanence.url = "github:nix-community/impermanence";
-    boardie.url = "git+https://git.nul.ie/dev/boardie";
+    boardie.url = "github:devplayer0/boardie";
    boardie.inputs.nixpkgs.follows = "nixpkgs-unstable";
    nixGL.url = "github:nix-community/nixGL";
    nixGL.inputs.nixpkgs.follows = "nixpkgs-unstable";
@@ -34,7 +39,10 @@
    sharry.url = "github:eikek/sharry";
    sharry.inputs.nixpkgs.follows = "nixpkgs-unstable";
    borgthin.url = "github:devplayer0/borg";
-    borgthin.inputs.nixpkgs.follows = "nixpkgs-mine";
+    # TODO: Update borgthin so this works
    # borgthin.inputs.nixpkgs.follows = "nixpkgs-mine";
    copyparty.url = "github:9001/copyparty";
    copyparty.inputs.nixpkgs.follows = "nixpkgs-unstable";
  };
  outputs =
@@ -57,7 +65,7 @@
      # Extend a lib with extras that _must not_ internally reference private nixpkgs. flake-utils doesn't, but many
      # other flakes (e.g. home-manager) probably do internally.
      libOverlay = final: prev: {
-        my = import ./lib { lib = final; };
+        my = import ./lib { inherit inputs; lib = final; };
        flake = flake-utils.lib;
      };
      pkgsLibOverlay = final: prev: { lib = prev.lib.extend libOverlay; };
@@ -88,10 +96,11 @@
        (_: path: mkDefaultSystemsPkgs path (system: {
          overlays = [
            pkgsLibOverlay
            myPkgsOverlay
            inputs.devshell.overlays.default
            inputs.ragenix.overlays.default
-            inputs.deploy-rs.overlay
+            inputs.deploy-rs.overlays.default
            (flakePackageOverlay inputs.home-manager-unstable system)
          ];
        }))
@@ -102,6 +111,7 @@
        (_: path: mkDefaultSystemsPkgs path (_: {
          overlays = [
            pkgsLibOverlay
            myPkgsOverlay
          ];
@@ -157,7 +167,7 @@
    # Platform independent stuff
    {
      nixpkgs = pkgs';
-      inherit lib nixfiles;
+      inherit inputs lib nixfiles;
      overlays.default = myPkgsOverlay;
--- a/home-manager/modules/common.nix
+++ b/home-manager/modules/common.nix
@@ -66,7 +66,7 @@ in
        lsd = {
          enable = mkDefault true;
-          enableAliases = mkDefault true;
+          enableFishIntegration = mkDefault true;
        };
        starship = {
@@ -132,6 +132,8 @@ in
        ssh = {
          enable = mkDefault true;
          # TODO: Set after 25.11 releases
          # enableDefaultConfig = false;
          matchBlocks = {
            nix-dev-vm = {
              user = "dev";
@@ -226,6 +228,8 @@ in
      # Note: If globalPkgs mode is on, then these will be overridden by the NixOS equivalents of these options
      nixpkgs = {
        overlays = [
          inputs.libnet.overlays.default
          inputs.deploy-rs.overlay
          inputs.boardie.overlays.default
          inputs.nixGL.overlays.default
--- a/home-manager/modules/gui/default.nix
+++ b/home-manager/modules/gui/default.nix
@@ -1,7 +1,8 @@
 { lib, pkgs', pkgs, config, ... }:
 let
  inherit (lib) genAttrs mkIf mkMerge mkForce mapAttrs mkOptionDefault;
-  inherit (lib.my) mkBoolOpt';
+  inherit (lib.my) mkOpt' mkBoolOpt';
  inherit (lib.my.c) pubDomain;
  cfg = config.my.gui;
@@ -15,24 +16,42 @@ let
    url = "https://distro.ibiblio.org/slitaz/sources/packages/d/doom1.wad";
    hash = "sha256-HX1DvlAeZ9kn5BXguPPinDvzMHXoWXIYFvZSpSbKx3E=";
  };
  subwaySurfers = pkgs.fetchurl {
    url = "https://p.${pubDomain}/video/subway-surfers-smol.mkv";
    hash = "sha256-fMe7TDRNTymRHIJOi7qG3trzu4GP8a3gCDz+FMkX1dY=";
  };
  minecraftParkour = pkgs.fetchurl {
    url = "https://p.${pubDomain}/video/minecraft-parkour-smol.mkv";
    hash = "sha256-723pRm4AsIjY/WFUyAHzTJp+JvH4Pn5hvzF9wHTnOPA=";
  };
-  doomsaver = pkgs.runCommand "doomsaver" {
+  genLipsum = pkgs.writeScript "lipsum" ''
-    inherit (pkgs) windowtolayer;
+    #!${pkgs.python3.withPackages (ps: [ ps.python-lorem ])}/bin/python
    import lorem
    print(lorem.get_paragraph(count=5, sep='\n\n'))
  '';
  doomsaver' = brainrotTextCommand: pkgs.runCommand "doomsaver" {
    inherit (pkgs) windowtolayer tmux terminaltexteffects;
    chocoDoom = pkgs.chocolate-doom2xx;
    ffmpeg = pkgs.ffmpeg-full;
    python = pkgs.python3.withPackages (ps: [ ps.filelock ]);
    inherit doomWad;
    enojy = ./enojy.jpg;
    inherit brainrotTextCommand subwaySurfers minecraftParkour;
  } ''
    mkdir -p "$out"/bin
    substituteAll ${./screensaver.py} "$out"/bin/doomsaver
    chmod +x "$out"/bin/doomsaver
  '';
  doomsaver = doomsaver' cfg.screensaver.brainrotTextCommand;
 in
 {
-  options.my.gui = {
+  options.my.gui = with lib.types; {
    enable = mkBoolOpt' true "Enable settings and packages meant for graphical systems";
    manageGraphical = mkBoolOpt' false "Configure the graphical session";
    standalone = mkBoolOpt' false "Enable settings for fully Nix managed systems";
    screensaver.brainrotTextCommand = mkOpt' (either path str) genLipsum "Command to generate brainrot text.";
  };
  config = mkIf cfg.enable (mkMerge [
@@ -64,6 +83,7 @@ in
            cmatrix
            doomsaver
            ffmpeg-full
            xournalpp
          ];
        };
--- a/home-manager/modules/gui/screensaver.py
+++ b/home-manager/modules/gui/screensaver.py
@@ -73,7 +73,7 @@ class TTESaver(Screensaver):
    def wait(self):
        while self.running:
-            effect_cmd = ['tte', random.choice(self.effects)]
+            effect_cmd = ['@terminaltexteffects@/bin/tte', random.choice(self.effects)]
            print(f"$ {self.cmd} | {' '.join(effect_cmd)}")
            content = subprocess.check_output(self.cmd, shell=True, env=self.env, stderr=subprocess.DEVNULL)
@@ -86,6 +86,51 @@ class TTESaver(Screensaver):
        self.running = False
        self.proc.terminate()
 class FFmpegCACASaver(Screensaver):
    @staticmethod
    def command(video, size):
        return ['@ffmpeg@/bin/ffmpeg', '-hide_banner', '-loglevel', 'error',
                '-stream_loop', '-1', '-i', video,
                '-pix_fmt', 'rgb24', '-window_size', f'{size}x{size}',
                '-f', 'caca', '-']
    def __init__(self, video, weight=2):
        cols, lines = os.get_terminal_size()
        # IDK if it's reasonable to do this as "1:1"
        size = lines - 4
        super().__init__(
            self.command(video, size),
            env={'CACA_DRIVER': 'ncurses'},
            weight=weight,
        )
    def stop(self):
        super().stop(kill=True)
 class BrainrotStorySaver(Screensaver):
    def __init__(self, video, text_command, weight=2):
        cols, lines = os.get_terminal_size()
        video_size = lines - 1
        video_command = ' '.join(FFmpegCACASaver.command(video, video_size))
        text_command = (
            f'while true; do {text_command} | '
            f'@terminaltexteffects@/bin/tte --wrap-text --canvas-width=80 --canvas-height={video_size//2} --anchor-canvas=c '
            'print --final-gradient-stops=ffffff; clear; done' )
        self.tmux_session = f'screensaver-{os.urandom(4).hex()}'
        super().__init__(
            ['@tmux@/bin/tmux', 'new-session', '-s', self.tmux_session, '-n', 'brainrot',
             text_command, ';', 'split-window', '-hbl', str(lines), video_command],
            # ['sh', '-c', text_command],
            env={
                'CACA_DRIVER': 'ncurses',
                'SHELL': '/bin/sh',
            },
            weight=weight,
        )
    def stop(self):
        subprocess.check_call(['@tmux@/bin/tmux', 'kill-session', '-t', self.tmux_session])
 class MultiSaver:
    savers = [
        DoomSaver(0),
@@ -100,6 +145,9 @@ class MultiSaver:
        TTESaver('ss -nltu'),
        TTESaver('ss -ntu'),
        TTESaver('jp2a --width=100 @enojy@'),
        BrainrotStorySaver('@subwaySurfers@', '@brainrotTextCommand@'),
        BrainrotStorySaver('@minecraftParkour@', '@brainrotTextCommand@'),
    ]
    state_filename = 'screensaver.json'
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -13,6 +13,7 @@ rec {
      kea = 404;
      keepalived_script = 405;
      photoprism = 406;
      copyparty = 408;
    };
    gids = {
      matrix-syncv3 = 400;
@@ -23,12 +24,13 @@ rec {
      keepalived_script = 405;
      photoprism = 406;
      adbusers = 407;
      copyparty = 408;
    };
  };
  kernel = {
    lts = pkgs: pkgs.linuxKernel.packages.linux_6_12;
-    latest = pkgs: pkgs.linuxKernel.packages.linux_6_13;
+    latest = pkgs: pkgs.linuxKernel.packages.linux_6_16;
  };
  nginx = rec {
@@ -204,6 +206,10 @@ rec {
        port = 25567;
        dst = aa.kevcraft-oci.internal.ipv4.address;
      }
      {
        port = 25568;
        dst = aa.kinkcraft-oci.internal.ipv4.address;
      }
      # RCON... unsafe?
      # {
@@ -236,6 +242,12 @@ rec {
      {
        port = 25567;
        dst = aa.kevcraft-oci.internal.ipv4.address;
        proto = "udp";
      }
      {
        port = 25568;
        dst = aa.kinkcraft-oci.internal.ipv4.address;
        proto = "udp";
      }
      {
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,11 +1,11 @@
-{ lib }:
+{ inputs, lib }:
 let
  inherit (builtins) length match elemAt filter replaceStrings substring;
  inherit (lib)
    genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types
    mkOption mkOverride mkForce mkIf mergeEqualOption optional
    showWarnings concatStringsSep flatten unique optionalAttrs
-    mkBefore toLower;
+    mkBefore toLower splitString last;
  inherit (lib.flake) defaultSystems;
 in
 rec {
@@ -23,7 +23,7 @@ rec {
  attrsToNVList = mapAttrsToList nameValuePair;
-  inherit (import ./net.nix { inherit lib; }) net;
+  inherit ((import "${inputs.libnetRepo}/lib/netu.nix" { inherit lib; }).lib) net;
  dns = import ./dns.nix { inherit lib; };
  c = import ./constants.nix { inherit lib; };
@@ -248,12 +248,13 @@ rec {
  in
  {
    trivial = prev.trivial // {
-      release = "25.03:u-${prev.trivial.release}";
+      release = "25.09:u-${prev.trivial.release}";
-      codeName = "Frick";
+      codeName = "Giving";
      revisionWithDefault = default: self.rev or default;
      versionSuffix = ".${date}.${revCode self}:u-${revCode pkgsFlake}";
    };
  };
  upstreamRelease = last (splitString "-" lib.trivial.release);
  netbootKeaClientClasses = { tftpIP, hostname, systems }:
  let
--- a/lib/net.nix
+++ b/lib/net.nix
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -4,22 +4,6 @@ let
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britway) prefixes domain;
  # Can't use overrideAttrs because we need to override `vendorHash` within `buildGoModule`
  headscale' = (pkgs.headscale.override {
    buildGoModule = args: pkgs.buildGoModule (args // rec {
      version = "0.23.0-alpha12";
      src = pkgs.fetchFromGitHub {
        owner = "juanfont";
        repo = "headscale";
        rev = "v${version}";
        hash = "sha256-kZZK0cXnFARxblSMz01TDcBbTorkHGAwGpR+a4/mYfU=";
      };
      patches = [];
      vendorHash = "sha256-EorT2AVwA3usly/LcNor6r5UIhLCdj3L4O4ilgTIC2o=";
      doCheck = false;
    });
  });
  advRoutes = concatStringsSep "," [
    lib.my.c.home.prefixes.all.v4
    lib.my.c.home.prefixes.all.v6
@@ -52,6 +36,7 @@ in
          noise.private_key_path = "/var/lib/headscale/noise_private.key";
          prefixes = with lib.my.c.tailscale.prefix; { inherit v4 v6; };
          dns = {
            override_local_dns = false;
            # Use IPs that will route inside the VPN to prevent interception
            # (e.g. DNS rebinding filtering)
            nameservers.split = {
--- a/nixos/boxes/colony/vms/estuary/bgp.nix
+++ b/nixos/boxes/colony/vms/estuary/bgp.nix
@@ -251,42 +251,88 @@ in
            neighbor 2001:7f8:10f::dc49:254 as 56393;
          }
          protocol bgp ixp4_frysix_rs3 from ixp_bgp4 {
            description "Frys-IX route server 3 (IPv4)";
            neighbor 185.1.160.255 as 56393;
          }
          protocol bgp ixp6_frysix_rs3 from ixp_bgp6 {
            description "Frys-IX route server 3 (IPv6)";
            neighbor 2001:7f8:10f::dc49:1 as 56393;
          }
          protocol bgp ixp4_frysix_rs4 from ixp_bgp4 {
            description "Frys-IX route server 4 (IPv4)";
            neighbor 185.1.161.0 as 56393;
          }
          protocol bgp ixp6_frysix_rs4 from ixp_bgp6 {
            description "Frys-IX route server 4 (IPv6)";
            neighbor 2001:7f8:10f::dc49:2 as 56393;
          }
          protocol bgp peer4_frysix_luje from peer_bgp4 {
            description "LUJE.net (on Frys-IX, IPv4)";
-            neighbor 185.1.203.152 as 212855;
+            neighbor 185.1.160.152 as 212855;
          }
          protocol bgp peer6_frysix_luje from peer_bgp6 {
            description "LUJE.net (on Frys-IX, IPv6)";
            neighbor 2001:7f8:10f::3:3f95:152 as 212855;
          }
          protocol bgp peer4_frysix_he from peer_bgp4 {
            description "Hurricane Electric (on Frys-IX, IPv4)";
-            neighbor 185.1.203.154 as 6939;
+            neighbor 185.1.160.154 as 6939;
          }
-          protocol bgp peer4_frysix_cloudflare from peer_bgp4 {
+
-            description "Cloudflare (on Frys-IX, IPv4)";
+          protocol bgp peer4_frysix_cloudflare1_old from peer_bgp4 {
            description "Cloudflare 1 (on Frys-IX, IPv4)";
            neighbor 185.1.203.217 as 13335;
          }
-          protocol bgp peer6_frysix_cloudflare from peer_bgp6 {
+          protocol bgp peer4_frysix_cloudflare2_old from peer_bgp4 {
-            description "Cloudflare (on Frys-IX, IPv6)";
+            description "Cloudflare 2 (on Frys-IX, IPv4)";
            neighbor 185.1.203.109 as 13335;
          }
          protocol bgp peer4_frysix_cloudflare1 from peer_bgp4 {
            description "Cloudflare 1 (on Frys-IX, IPv4)";
            neighbor 185.1.160.217 as 13335;
          }
          protocol bgp peer4_frysix_cloudflare2 from peer_bgp4 {
            description "Cloudflare 2 (on Frys-IX, IPv4)";
            neighbor 185.1.160.109 as 13335;
          }
          protocol bgp peer6_frysix_cloudflare1 from peer_bgp6 {
            description "Cloudflare 1 (on Frys-IX, IPv6)";
            neighbor 2001:7f8:10f::3417:217 as 13335;
          }
          protocol bgp peer6_frysix_cloudflare2 from peer_bgp6 {
            description "Cloudflare 2 (on Frys-IX, IPv6)";
            neighbor 2001:7f8:10f::3417:109 as 13335;
          }
          protocol bgp peer4_frysix_jurrian from peer_bgp4 {
            description "AS212635 aka jurrian (on Frys-IX, IPv4)";
-            neighbor 185.1.203.134 as 212635;
+            neighbor 185.1.160.134 as 212635;
          }
          protocol bgp peer6_frysix_jurrian from peer_bgp6 {
            description "AS212635 aka jurrian (on Frys-IX, IPv6)";
            neighbor 2001:7f8:10f::3:3e9b:134 as 212635;
          }
-          protocol bgp peer4_frysix_meta1 from peer_bgp4 {
+
          protocol bgp peer4_frysix_meta1_old from peer_bgp4 {
            description "Meta 1 (on Frys-IX, IPv4)";
            neighbor 185.1.203.225 as 32934;
          }
-          protocol bgp peer4_frysix_meta2 from peer_bgp4 {
+          protocol bgp peer4_frysix_meta2_old from peer_bgp4 {
            description "Meta 2 (on Frys-IX, IPv4)";
            neighbor 185.1.203.226 as 32934;
          }
          protocol bgp peer4_frysix_meta1 from peer_bgp4 {
            description "Meta 1 (on Frys-IX, IPv4)";
            neighbor 185.1.160.225 as 32934;
          }
          protocol bgp peer4_frysix_meta2 from peer_bgp4 {
            description "Meta 2 (on Frys-IX, IPv4)";
            neighbor 185.1.160.226 as 32934;
          }
          protocol bgp peer6_frysix_meta1 from peer_bgp6 {
            description "Meta 1 (on Frys-IX, IPv6)";
            neighbor 2001:7f8:10f::80a6:225 as 32934;
@@ -318,36 +364,36 @@ in
            ipv6 { preference (PREFIXP-1); };
          }
-          protocol bgp peer4_nlix_cloudflare1 from peer_bgp4 {
+          # protocol bgp peer4_nlix_cloudflare1 from peer_bgp4 {
-            description "Cloudflare NL-ix 1 (IPv4)";
+          #   description "Cloudflare NL-ix 1 (IPv4)";
-            neighbor 193.239.117.14 as 13335;
+          #   neighbor 193.239.117.14 as 13335;
-            ipv4 { preference (PREFPEER-1); };
+          #   ipv4 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer4_nlix_cloudflare2 from peer_bgp4 {
+          # protocol bgp peer4_nlix_cloudflare2 from peer_bgp4 {
-            description "Cloudflare NL-ix 2 (IPv4)";
+          #   description "Cloudflare NL-ix 2 (IPv4)";
-            neighbor 193.239.117.114 as 13335;
+          #   neighbor 193.239.117.114 as 13335;
-            ipv4 { preference (PREFPEER-1); };
+          #   ipv4 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer4_nlix_cloudflare3 from peer_bgp4 {
+          # protocol bgp peer4_nlix_cloudflare3 from peer_bgp4 {
-            description "Cloudflare NL-ix 3 (IPv4)";
+          #   description "Cloudflare NL-ix 3 (IPv4)";
-            neighbor 193.239.118.138 as 13335;
+          #   neighbor 193.239.118.138 as 13335;
-            ipv4 { preference (PREFPEER-1); };
+          #   ipv4 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
+          # protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
-            description "Cloudflare NL-ix 1 (IPv6)";
+          #   description "Cloudflare NL-ix 1 (IPv6)";
-            neighbor 2001:7f8:13::a501:3335:1 as 13335;
+          #   neighbor 2001:7f8:13::a501:3335:1 as 13335;
-            ipv6 { preference (PREFPEER-1); };
+          #   ipv6 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
+          # protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
-            description "Cloudflare NL-ix 2 (IPv6)";
+          #   description "Cloudflare NL-ix 2 (IPv6)";
-            neighbor 2001:7f8:13::a501:3335:2 as 13335;
+          #   neighbor 2001:7f8:13::a501:3335:2 as 13335;
-            ipv6 { preference (PREFPEER-1); };
+          #   ipv6 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
+          # protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
-            description "Cloudflare NL-ix 3 (IPv6)";
+          #   description "Cloudflare NL-ix 3 (IPv6)";
-            neighbor 2001:7f8:13::a501:3335:3 as 13335;
+          #   neighbor 2001:7f8:13::a501:3335:3 as 13335;
-            ipv6 { preference (PREFPEER-1); };
+          #   ipv6 { preference (PREFPEER-1); };
-          }
+          # }
          protocol bgp peer4_nlix_jurrian from peer_bgp4 {
            description "AS212635 aka jurrian (on NL-ix, IPv4)";
            neighbor 193.239.117.55 as 212635;
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -219,6 +219,9 @@ in
              mkMerge
              [
                (mkIXPConfig "frys-ix" "185.1.203.196/24" "2001:7f8:10f::3:3850:196/64")
                # FrysIX is migrating to a /23
                { "85-frys-ix".address = [ "185.1.160.196/23" ]; }
                (mkIXPConfig "nl-ix" "193.239.116.145/22" "2001:7f8:13::a521:1024:1/64")
                (mkIXPConfig "fogixp" "185.1.147.159/24" "2001:7f8:ca:1::159/64")
              {
@@ -402,6 +405,7 @@ in
                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport 25565 accept
                      ip6 daddr ${aa.simpcraft-staging-oci.internal.ipv6.address} tcp dport 25565 accept
                      ip6 daddr ${aa.kevcraft-oci.internal.ipv6.address} tcp dport 25567 accept
                      ip6 daddr ${aa.kinkcraft-oci.internal.ipv6.address} tcp dport 25568 accept
                      return
                    }
                    chain routing-udp {
@@ -410,6 +414,7 @@ in
                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} udp dport 25565 accept
                      ip6 daddr ${aa.enshrouded-oci.internal.ipv6.address} udp dport { 15636-15637 } accept
                      ip6 daddr ${aa.kevcraft-oci.internal.ipv6.address} udp dport 25567 accept
                      ip6 daddr ${aa.kinkcraft-oci.internal.ipv6.address} udp dport 25568 accept
                      return
                    }
                    chain filter-routing {
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -14,7 +14,7 @@ in
          owner = "pdns";
          group = "pdns";
        };
-        "estuary/pdns/recursor.conf" = {
+        "estuary/pdns/recursor.yml" = {
          owner = "pdns-recursor";
          group = "pdns-recursor";
        };
@@ -31,7 +31,7 @@ in
      pdns.recursor = {
        enable = true;
-        extraSettingsFile = config.age.secrets."estuary/pdns/recursor.conf".path;
+        extraSettingsFile = config.age.secrets."estuary/pdns/recursor.yml".path;
      };
    };
@@ -44,34 +44,37 @@ in
      };
      pdns-recursor = {
-        dns = {
+        yaml-settings = {
-          address = [
+          incoming = {
            listen = [
              "127.0.0.1" "::1"
              assignments.base.ipv4.address assignments.base.ipv6.address
            ];
-          allowFrom = [
+            allow_from = [
              "127.0.0.0/8" "::1/128"
              prefixes.all.v4 prefixes.all.v6
            ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
            # DNS NOTIFY messages override TTL
            allow_notify_for = authZones;
            allow_notify_from = [ "127.0.0.0/8" "::1/128" ];
          };
-        settings = {
+          outgoing = {
-          query-local-address = [
+            source_address = [
              assignments.internal.ipv4.address
              assignments.internal.ipv6.address
              assignments.base.ipv6.address
            ];
-          forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
+          };
-          # DNS NOTIFY messages override TTL
+          recursor = {
-          allow-notify-for = authZones;
+            forward_zones = map (z: {
-          allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
+              zone = z;
              forwarders = [ "127.0.0.1:5353" ];
            }) authZones;
-          webserver = true;
+            lua_dns_script = pkgs.writeText "pdns-script.lua" ''
          webserver-address = "::";
          webserver-allow-from = [ "127.0.0.1" "::1" ];
          lua-dns-script = pkgs.writeText "pdns-script.lua" ''
              function preresolve(dq)
                if dq.qname:equal("nix-cache.nul.ie") then
                  dq:addAnswer(pdns.CNAME, "http.${config.networking.domain}.")
@@ -84,6 +87,13 @@ in
              end
            '';
          };
          webservice = {
            webserver = true;
            address = "::";
            allow_from = [ "127.0.0.1" "::1" ];
          };
        };
      };
    };
@@ -156,6 +166,8 @@ in
            enshrouded IN A ${assignments.internal.ipv4.address}
            kevcraft IN A ${assignments.internal.ipv4.address}
            kevcraft IN AAAA ${allAssignments.kevcraft-oci.internal.ipv6.address}
            kinkcraft IN A ${assignments.internal.ipv4.address}
            kinkcraft IN AAAA ${allAssignments.kinkcraft-oci.internal.ipv6.address}
            mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
            mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
--- a/nixos/boxes/colony/vms/git/default.nix
+++ b/nixos/boxes/colony/vms/git/default.nix
@@ -4,7 +4,7 @@ let
  inherit (lib) mkMerge mkDefault;
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
-  inherit (lib.my.c.colony) domain prefixes;
+  inherit (lib.my.c.colony) domain prefixes firewallForwards;
  inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;
 in
 {
@@ -197,6 +197,7 @@ in
              firewall = {
                tcp.allowed = [ 19999 "http" "https" ];
                nat.forwardPorts."${allAssignments.estuary.internal.ipv4.address}" = firewallForwards allAssignments;
                extraRules = ''
                  table inet filter {
                    chain forward {
--- a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
+++ b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
@@ -328,6 +328,7 @@ in
                    };
                    permissions = {
                      "@dev:nul.ie" = "admin";
                      "@adzerq:nul.ie" = "user";
                    };
                  };
                };
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
@@ -23,7 +23,7 @@ in
      };
    };
-    configuration = { lib, pkgs, config, ... }:
+    configuration = { lib, pkgs, config, allAssignments, ... }:
    let
      inherit (lib) mkForce;
    in
@@ -39,10 +39,20 @@ in
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUv1ntVrZv5ripsKpcOAnyDQX2PHjowzyhqWK10Ml53";
            files = {
              "jackflix/photoprism-pass.txt" = {};
              "jackflix/copyparty-pass.txt" = {
                owner = "copyparty";
                group = "copyparty";
              };
            };
          };
          firewall = {
            tcp.allowed = [
              3923
            ];
          };
        };
        users = with lib.my.c.ids; {
          users = {
            "${config.my.user.config.name}".extraGroups = [ "media" ];
@@ -60,11 +70,16 @@ in
              uid = uids.photoprism;
              group = "photoprism";
            };
            copyparty = {
              uid = uids.copyparty;
              extraGroups = [ "media" ];
            };
          };
          groups = {
            media.gid = 2000;
            jellyseerr.gid = gids.jellyseerr;
            photoprism.gid = gids.photoprism;
            copyparty.gid = gids.copyparty;
          };
        };
@@ -94,14 +109,6 @@ in
          };
        };
        nixpkgs.config.permittedInsecurePackages = [
          # FIXME: This is needed for Sonarr
          "aspnetcore-runtime-wrapped-6.0.36"
          "aspnetcore-runtime-6.0.36"
          "dotnet-sdk-wrapped-6.0.428"
          "dotnet-sdk-6.0.428"
        ];
        services = {
          netdata.enable = true;
@@ -131,6 +138,7 @@ in
            };
          };
          flaresolverr.enable = true;
          jackett.enable = true;
          radarr.enable = true;
          sonarr.enable = true;
@@ -158,6 +166,50 @@ in
              PHOTOPRISM_DATABASE_DRIVER = "sqlite";
            };
          };
          copyparty = {
            enable = true;
            package = pkgs.copyparty.override {
              withMagic = true;
            };
            settings = {
              name = "dev-stuff";
              no-reload = true;
              j = 8; # cores
              http-only = true;
              xff-src =
                with allAssignments.middleman.internal;
                [ "${ipv4.address}/32" prefixes.ctrs.v6 ];
              rproxy = 1; # get if from x-forwarded-for
              magic = true; # enable checking file magic on upload
              hist = "/var/cache/copyparty";
              shr = "/share"; # enable share creation
              ed = true; # enable dotfiles
              chmod-f = 664;
              chmod-d = 775;
              e2dsa = true; # file indexing
              e2t = true; # metadata indexing
              og-ua = "(Discord|Twitter|Slack)bot"; # embeds
              theme = 6;
            };
            accounts.dev.passwordFile = config.age.secrets."jackflix/copyparty-pass.txt".path;
            volumes = {
              "/" = {
                path = "/mnt/media/public";
                access = {
                  A = "dev";
                  "r." = "*";
                };
                flags = {
                  shr_who = "no"; # no reason to have shares here
                };
              };
              "/priv" = {
                path = "/mnt/media/stuff";
                access.A = "dev"; # dev has admin access
              };
            };
          };
        };
      };
    };
--- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
@@ -251,6 +251,9 @@ in
              proxyResolveWhileRunning = true;
              sslDhparam = config.age.secrets."dhparams.pem".path;
              appendConfig = ''
                worker_processes auto;
              '';
              # Based on recommended*Settings, but probably better to be explicit about these
              appendHttpConfig = ''
                ${baseHttpConfig}
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -347,12 +347,7 @@ in
      "stuff.${pubDomain}" = {
        locations."/" = {
-          basicAuthFile = config.age.secrets."middleman/htpasswd".path;
+          proxyPass = "http://jackflix-ctr.${domain}:3923";
          root = "/mnt/media/stuff";
          extraConfig = ''
            fancyindex on;
            fancyindex_show_dotfiles on;
          '';
        };
        useACMEHost = pubDomain;
      };
@@ -379,6 +374,11 @@ in
        useACMEHost = pubDomain;
      };
      "mc-map-kink.${pubDomain}" = {
        locations."/".proxyPass = "http://kinkcraft-oci.${domain}:8100";
        useACMEHost = pubDomain;
      };
      "librespeed.${domain}" = {
        locations."/".proxyPass = "http://localhost:8989";
      };
@@ -429,6 +429,14 @@ in
        }
        (ssoServer "generic")
      ];
      "hass.${pubDomain}" = {
        locations."/" = {
          proxyPass = "http://hass-ctr.${home.domain}:8123";
          proxyWebsockets = true;
          extraConfig = proxyHeaders;
        };
        useACMEHost = pubDomain;
      };
    };
    minio =
--- a/nixos/boxes/colony/vms/shill/containers/toot.nix
+++ b/nixos/boxes/colony/vms/shill/containers/toot.nix
@@ -87,7 +87,7 @@ in
            netdata.enable = true;
            mastodon = mkMerge [
              rec {
-                enable = true;
+                enable = false;
                localDomain = extraConfig.WEB_DOMAIN; # for nginx config
                extraConfig = {
                  LOCAL_DOMAIN = "nul.ie";
@@ -95,7 +95,9 @@ in
                };
                secretKeyBaseFile = config.age.secrets."toot/secret-key.txt".path;
-                otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
+                # TODO: This was removed at some point.
                # If we want to bring Mastodon back, this will probably need to be addressd.
                # otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
                vapidPrivateKeyFile = config.age.secrets."toot/vapid-key.txt".path;
                vapidPublicKeyFile = toString (pkgs.writeText
                  "vapid-pubkey.txt"
@@ -164,7 +166,7 @@ in
              };
            };
-            pds = {
+            bluesky-pds = {
              enable = true;
              environmentFiles = [ config.age.secrets."toot/pds.env".path ];
              settings = {
--- a/nixos/boxes/colony/vms/whale2/default.nix
+++ b/nixos/boxes/colony/vms/whale2/default.nix
@@ -54,6 +54,7 @@ in
      simpcraft-staging-oci = 4;
      enshrouded-oci = 5;
      kevcraft-oci = 6;
      kinkcraft-oci = 7;
    };
    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
--- a/nixos/boxes/colony/vms/whale2/minecraft/default.nix
+++ b/nixos/boxes/colony/vms/whale2/minecraft/default.nix
@@ -5,12 +5,13 @@ let
  # devplayer0
  op = "6d7d971b-ce10-435b-85c5-c99c0d8d288c";
  kev = "703b378a-09f9-4c1d-9876-1c9305728c49";
  whitelist = concatStringsSep "," [
    op
    "dcd2ecb9-2b5e-49cb-9d4f-f5a76162df56" # Elderlypug
    "fcb26db2-c3ce-41aa-b588-efec79d37a8a" # Jesthral_
    "1d366062-12c0-4e29-aba7-6ab5d8c6bb05" # shr3kas0ras
-    "703b378a-09f9-4c1d-9876-1c9305728c49" # OROURKEIRE
+    kev
    "f105bbe6-eda6-4a13-a8cf-894e77cab77b" # Adzerq
    "1fc94979-41fb-497a-81e9-34ae24ca537a" # johnnyscrims
    "d53c91df-b6e6-4463-b106-e8427d7a8d01" # BossLonus
@@ -124,7 +125,7 @@ in
          EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
          WHITELIST = whitelist;
          EXISTING_OPS_FILE = "SYNCHRONIZE";
-          OPS = op;
+          OPS = concatStringsSep "," [ op kev ];
          DIFFICULTY = "normal";
          SPAWN_PROTECTION = "0";
          # VIEW_DISTANCE = "20";
@@ -144,6 +145,47 @@ in
          ''--network=colony:${dockerNetAssignment allAssignments "kevcraft-oci"}''
        ];
      };
      kinkcraft = {
        # 2025.5.1-java21-alpine
        image = "itzg/minecraft-server@sha256:de26c7128e3935f3be48fd30283f0b5a6da1b3d9f1a10c9f92502ee1ba072f7b";
        environment = {
          TYPE = "MODRINTH";
          SERVER_PORT = "25568";
          QUERY_PORT = "25568";
          EULA = "true";
          ENABLE_QUERY = "true";
          ENABLE_RCON = "true";
          MOTD = "§4§k----- §9K§ai§bn§ck§dc§er§fa§6f§5t §4§k-----";
          ICON = "/ext/icon.png";
          EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
          WHITELIST = whitelist;
          EXISTING_OPS_FILE = "SYNCHRONIZE";
          OPS = op;
          DIFFICULTY = "normal";
          SPAWN_PROTECTION = "0";
          VIEW_DISTANCE = "20";
          MAX_MEMORY = "6G";
          MODRINTH_MODPACK = "https://cdn.modrinth.com/data/CIYf3Hk8/versions/NGutsQSd/Simpcraft-0.2.1.mrpack";
          TZ = "Europe/Dublin";
        };
        environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
        volumes = [
          "kinkcraft_data:/data"
          "${./icon.png}:/ext/icon.png:ro"
        ];
        extraOptions = [
          ''--network=colony:${dockerNetAssignment allAssignments "kinkcraft-oci"}''
        ];
      };
    };
    services = {
--- a/nixos/boxes/home/palace/vms/default.nix
+++ b/nixos/boxes/home/palace/vms/default.nix
@@ -188,6 +188,13 @@
                hostBDF = "44:00.4";
              };
            };
            qemuFlags = [
              "device qemu-xhci,id=xhci"
              # Front-right port?
              "device usb-host,hostbus=1,hostport=4"
              # Front-left port
              "device usb-host,hostbus=1,hostport=3"
            ];
          };
        };
      };
--- a/nixos/boxes/home/palace/vms/sfh/containers/default.nix
+++ b/nixos/boxes/home/palace/vms/sfh/containers/default.nix
@@ -1,5 +1,6 @@
 {
  imports = [
    ./unifi.nix
    ./hass.nix
  ];
 }
--- a/nixos/boxes/home/palace/vms/sfh/containers/hass.nix
+++ b/nixos/boxes/home/palace/vms/sfh/containers/hass.nix
@@ -0,0 +1,262 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.home) domain prefixes vips hiMTU;
 in
 {
  nixos.systems.hass = { config, ... }: {
    system = "x86_64-linux";
    nixpkgs = "mine";
    rendered = config.configuration.config.my.asContainer;
    assignments = {
      hi = {
        name = "hass-ctr";
        altNames = [ "frigate" ];
        inherit domain;
        mtu = hiMTU;
        ipv4 = {
          address = net.cidr.host 103 prefixes.hi.v4;
          mask = 22;
          gateway = vips.hi.v4;
        };
        ipv6 = {
          iid = "::5:3";
          address = net.cidr.host (65536*5+3) prefixes.hi.v6;
        };
      };
      lo = {
        name = "hass-ctr-lo";
        inherit domain;
        mtu = 1500;
        ipv4 = {
          address = net.cidr.host 103 prefixes.lo.v4;
          mask = 21;
          gateway = null;
        };
        ipv6 = {
          iid = "::5:3";
          address = net.cidr.host (65536*5+3) prefixes.lo.v6;
        };
      };
    };
    configuration = { lib, config, pkgs, assignments, allAssignments, ... }:
    let
      inherit (lib) mkMerge mkIf mkForce;
      inherit (lib.my) networkdAssignment;
      hassCli = pkgs.writeShellScriptBin "hass-cli" ''
        export HASS_SERVER="http://localhost:${toString config.services.home-assistant.config.http.server_port}"
        export HASS_TOKEN="$(< ${config.age.secrets."hass/cli-token.txt".path})"
        exec ${pkgs.home-assistant-cli}/bin/hass-cli "$@"
      '';
    in
    {
      config = {
        my = {
          deploy.enable = false;
          server.enable = true;
          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpYX2WbYwUqHp8bFFf0eHFrqrR8xp8IheguA054F8V4";
            files = {
              "hass/cli-token.txt" = {
                owner = config.my.user.config.name;
              };
            };
          };
          firewall = {
            tcp.allowed = [ "http" 1883 ];
          };
        };
        environment = {
          systemPackages = with pkgs; [
            usbutils
            hassCli
          ];
        };
        systemd = {
          network.networks = {
            "80-container-host0" = networkdAssignment "host0" assignments.hi;
            "80-container-lan-lo" = networkdAssignment "lan-lo" assignments.lo;
          };
        };
        services = {
          mosquitto = {
            enable = true;
            listeners = [
              {
                omitPasswordAuth = true;
                settings = {
                  allow_anonymous = true;
                };
              }
            ];
          };
          go2rtc = {
            enable = true;
            settings = {
              streams = {
                reolink_living_room = [
                  # "http://reolink-living-room.${domain}/flv?port=1935&app=bcs&stream=channel0_main.bcs&user=admin#video=copy#audio=copy#audio=opus"
                  "rtsp://admin:@reolink-living-room:554/h264Preview_01_main"
                ];
                webcam_office = [
                  "ffmpeg:device?video=/dev/video0&video_size=1024x576#video=h264"
                ];
              };
            };
          };
          frigate = {
            enable = true;
            hostname = "frigate.${domain}";
            settings = {
              mqtt = {
                enabled = true;
                host = "localhost";
                topic_prefix = "frigate";
              };
              cameras = {
                reolink_living_room = {
                  ffmpeg.inputs = [
                    {
                      path = "rtsp://127.0.0.1:8554/reolink_living_room";
                      input_args = "preset-rtsp-restream";
                      roles = [ "record" "detect" ];
                    }
                  ];
                  detect = {
                    enabled = false;
                  };
                  record = {
                    enabled = true;
                    retain.days = 1;
                  };
                };
                webcam_office = {
                  ffmpeg.inputs = [
                    {
                      path = "rtsp://127.0.0.1:8554/webcam_office";
                      input_args = "preset-rtsp-restream";
                      roles = [ "record" "detect" ];
                    }
                  ];
                  detect.enabled = false;
                  record = {
                    enabled = true;
                    retain.days = 1;
                  };
                };
              };
            };
          };
          home-assistant =
          let
            cfg = config.services.home-assistant;
            pyirishrail = ps: ps.buildPythonPackage rec {
              pname = "pyirishrail";
              version = "0.0.2";
              src = pkgs.fetchFromGitHub {
                owner = "ttroy50";
                repo = "pyirishrail";
                tag = version;
                hash = "sha256-NgARqhcXP0lgGpgBRiNtQaSn9JcRNtCcZPljcL7t3Xc=";
              };
              dependencies = with ps; [
                requests
              ];
              pyproject = true;
              build-system = [ ps.setuptools ];
            };
          in
          {
            enable = true;
            extraComponents = [
              "default_config"
              "esphome"
              "google_translate"
              "met"
              "zha"
              "denonavr"
              "webostv"
              "androidtv_remote"
              "heos"
              "mqtt"
              "wled"
            ];
            extraPackages = python3Packages: with python3Packages; [
              zlib-ng
              isal
              gtts
              (pyirishrail python3Packages)
            ];
            customComponents = with pkgs.home-assistant-custom-components; [
              alarmo
              frigate
            ];
            configWritable = false;
            openFirewall = true;
            config = {
              default_config = {};
              homeassistant = {
                name = "Home";
                unit_system = "metric";
                currency = "EUR";
                country = "IE";
                time_zone = "Europe/Dublin";
                external_url = "https://hass.${pubDomain}";
                internal_url = "http://hass-ctr.${domain}:${toString cfg.config.http.server_port}";
              };
              http = {
                use_x_forwarded_for = true;
                trusted_proxies = with allAssignments.middleman.internal; [
                  ipv4.address
                  ipv6.address
                ];
                ip_ban_enabled = false;
              };
              automation = "!include automations.yaml";
              script = "!include scripts.yaml";
              scene = "!include scenes.yaml";
              sensor = [
                {
                  platform = "irish_rail_transport";
                  name = "To Work from Home";
                  station = "Glenageary";
                  stops_at = "Dublin Connolly";
                  direction = "Northbound";
                }
                {
                  platform = "irish_rail_transport";
                  name = "To Home from Work";
                  station = "Dublin Connolly";
                  stops_at = "Glenageary";
                  direction = "Southbound";
                }
              ];
            };
          };
        };
      };
    };
  };
 }
--- a/nixos/boxes/home/palace/vms/sfh/containers/unifi.nix
+++ b/nixos/boxes/home/palace/vms/sfh/containers/unifi.nix
@@ -55,8 +55,8 @@ in
          unifi = {
            enable = true;
            openFirewall = true;
-            unifiPackage = pkgs.unifi8;
+            unifiPackage = pkgs.unifi;
-            mongodbPackage = pkgs.mongodb-6_0;
+            mongodbPackage = pkgs.mongodb-7_0;
          };
        };
      };
--- a/nixos/boxes/home/palace/vms/sfh/default.nix
+++ b/nixos/boxes/home/palace/vms/sfh/default.nix
@@ -29,7 +29,7 @@ in
    configuration = { lib, modulesPath, pkgs, config, assignments, allAssignments, ... }:
    let
-      inherit (lib) mapAttrs mkMerge;
+      inherit (lib) mapAttrs mkMerge mkForce;
      inherit (lib.my) networkdAssignment;
      inherit (lib.my.c) networkd;
      inherit (lib.my.c.home) domain;
@@ -83,6 +83,12 @@ in
          };
        };
        environment = {
          systemPackages = with pkgs; [
            usbutils
          ];
        };
        systemd.network = {
          links = {
            "10-lan-hi" = {
@@ -105,6 +111,13 @@ in
                MTUBytes = toString lib.my.c.home.hiMTU;
              };
            };
            "10-lan-lo-ctrs" = {
              matchConfig = {
                Driver = "virtio_net";
                PermanentMACAddress = "52:54:00:a5:7e:93";
              };
              linkConfig.Name = "lan-lo-ctrs";
            };
          };
          networks = {
@@ -118,8 +131,28 @@ in
              linkConfig.RequiredForOnline = "no";
              networkConfig = networkd.noL3;
            };
            "30-lan-lo-ctrs" = {
              matchConfig.Name = "lan-lo-ctrs";
              linkConfig.RequiredForOnline = "no";
              networkConfig = networkd.noL3;
            };
          };
        };
        systemd.nspawn = {
          hass = {
            networkConfig = {
              MACVLAN = mkForce "lan-hi-ctrs:host0 lan-lo-ctrs:lan-lo";
            };
          };
        };
        systemd.services = {
          "systemd-nspawn@hass".serviceConfig.DeviceAllow = [
            "char-ttyUSB rw"
            "char-video4linux rw"
          ];
        };
        my = {
          secrets = {
@@ -142,6 +175,16 @@ in
          let
            instances = {
              # unifi = {};
              hass = {
                bindMounts = {
                  "/dev/bus/usb/001/002".readOnly = false;
                  "/dev/video0".readOnly = false;
                  "/dev/serial/by-id/usb-Nabu_Casa_Home_Assistant_Connect_ZBT-1_ce549704fe38ef11a2c2e5d154516304-if00-port0" = {
                    readOnly = false;
                    mountPoint = "/dev/ttyUSB0";
                  };
                };
              };
            };
          in
          mkMerge [
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -141,8 +141,8 @@ in
                  onState = [ "configured" ];
                  script = ''
                  #!${pkgs.runtimeShell}
-                  if [ $IFACE = "wan-ifb" ]; then
+                  if [ "$IFACE" = "wan-ifb" ]; then
-                    ${pkgs.iproute2}/bin/tc filter add dev wan parent ffff: matchall action mirred egress redirect dev $IFACE
+                    ${pkgs.iproute2}/bin/tc filter add dev wan parent ffff: matchall action mirred egress redirect dev "$IFACE"
                  fi
                  '';
                };
--- a/nixos/boxes/home/routing-common/dns-blocklist.txt
+++ b/nixos/boxes/home/routing-common/dns-blocklist.txt
@@ -0,0 +1,74 @@
 # Blocklist for LG WebOS Services (US)
 ad.lgappstv.com
 ibis.lgappstv.com
 info.lgsmartad.com
 lgtvsdp.com
 ngfts.lge.com
 rdx2.lgtvsdp.com
 smartshare.lgtvsdp.com
 lgappstv.com
 us.ad.lgsmartad.com
 us.ibs.lgappstv.com
 us.info.lgsmartad.com
 us.lgtvsdp.com
 # Community Contributions
 lgad.cjpowercast.com
 edgesuite.net
 yumenetworks.com
 smartclip.net
 smartclip.com
 # Non-US Entries
 rdx2.lgtvsdp.com
 info.lgsmartad.com
 ibs.lgappstv.com
 lgtvsdp.com
 lgappstv.com
 smartshare.lgtvsdp.com
 # Full Block for Europe and Other Regions
 de.ad.lgsmartad.com
 de.emp.lgsmartplatform.com
 de.ibs.lgappstv.com
 de.info.lgsmartad.com
 de.lgeapi.com
 de.lgtvsdp.com
 de.rdx2.lgtvsdp.com
 eu.ad.lgsmartad.com
 eu.ibs.lgappstv.com
 eu.info.lgsmartad.com
 app-lgwebos.pluto.tv
 it.lgtvsdp.com
 it.lgeapi.com
 it.emp.lgsmartplatform.com
 # LG ThinQ Services
 eic.common.lgthinq.com
 eic.iotservice.lgthinq.com
 eic.service.lgthinq.com
 eic.ngfts.lge.com
 eic.svc-lgthinq-com.aws-thinq-prd.net
 eic.cdpsvc.lgtvcommon.com
 eic.cdpbeacon.lgtvcommon.com
 eic.cdplauncher.lgtvcommon.com
 eic.homeprv.lgtvcommon.com
 eic.lgtviot.com
 eic.nudge.lgtvcommon.com
 eic.rdl.lgtvcommon.com
 eic.recommend.lgtvcommon.com
 eic.service.lgtvcommon.com
 gb-lgeapi-com.esi-prd.net
 gb.lgeapi.com
 lgtvonline.lge.com
 lg-channelplus-de-beacons.xumo.com
 lg-channelplus-de-mds.xumo.com
 lg-channelplus-eu-beacons.xumo.com
 lg-channelplus-eu-mds.xumo.com
 kr-op-v2.lgthinqhome.com
 ngfts.lge.com
 noti.lgthinq.com
 objectcontent.lgthinq.com
 # Update Server Block
 #snu.lge.com
--- a/nixos/boxes/home/routing-common/dns.nix
+++ b/nixos/boxes/home/routing-common/dns.nix
@@ -19,7 +19,7 @@ in
          owner = "pdns";
          group = "pdns";
        };
-        "home/pdns/recursor.conf" = {
+        "home/pdns/recursor.yml" = {
          owner = "pdns-recursor";
          group = "pdns-recursor";
        };
@@ -28,53 +28,79 @@ in
      pdns.recursor = {
        enable = true;
-        extraSettingsFile = config.age.secrets."home/pdns/recursor.conf".path;
+        extraSettingsFile = config.age.secrets."home/pdns/recursor.yml".path;
      };
    };
    services = {
      pdns-recursor = {
-        dns = {
+        yaml-settings = {
-          address = [
+          incoming = {
            listen = [
              "127.0.0.1" "::1"
              assignments.hi.ipv4.address assignments.hi.ipv6.address
              assignments.lo.ipv4.address assignments.lo.ipv6.address
            ];
-          allowFrom = [
+            allow_from = [
              "127.0.0.0/8" "::1/128"
              prefixes.hi.v4 prefixes.hi.v6
              prefixes.lo.v4 prefixes.lo.v6
            ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
        };
        settings = {
          query-local-address = [
            "0.0.0.0"
            "::"
          ];
          forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
            # DNS NOTIFY messages override TTL
-          allow-notify-for = authZones;
+            allow_notify_for = authZones;
-          allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
+            allow_notify_from = [ "127.0.0.0/8" "::1/128" ];
          };
-          webserver = true;
+          outgoing = {
-          webserver-address = "::";
+            source_address = [ "0.0.0.0" "::" ];
-          webserver-allow-from = [ "127.0.0.1" "::1" ];
+          };
          recursor = {
            forward_zones = map (z: {
              zone = z;
              forwarders = [ "127.0.0.1:5353" ];
            }) authZones;
            lua_dns_script = pkgs.writeText "pdns-script.lua" ''
              blocklist = newDS()
          lua-dns-script = pkgs.writeText "pdns-script.lua" ''
            -- Disney+ doesn't like our IP space...
              function preresolve(dq)
                local name = dq.qname:toString()
                -- Disney+ doesn't like our IP space...
                if dq.qtype == pdns.AAAA and (string.find(name, "disneyplus") or string.find(name, "disney-plus") or string.find(name , "disney.api")) then
                  dq.rcode = 0
                  return true
                end
                if blocklist:check(dq.qname) then
                  if dq.qtype == pdns.A then
                    dq:addAnswer(dq.qtype, "127.0.0.1")
                  elseif dq.qtype == pdns.AAAA then
                    dq:addAnswer(dq.qtype, "::1")
                  end
                  return true
                end
                return false
              end
              for line in io.lines("${./dns-blocklist.txt}") do
                entry = line:gsub("%s+", "")
                if entry ~= "" and string.sub(entry, 1, 1) ~= "#" then
                  blocklist:add(entry)
                end
              end
            '';
          };
          webservice = {
            webserver = true;
            address = "::";
            allow_from = [ "127.0.0.1" "::1" ];
          };
        };
      };
    };
@@ -206,6 +232,9 @@ in
            ups IN A ${net.cidr.host 20 prefixes.lo.v4}
            palace-kvm IN A ${net.cidr.host 21 prefixes.lo.v4}
            reolink-living-room IN A ${net.cidr.host 45 prefixes.lo.v4}
            nixlight IN A ${net.cidr.host 46 prefixes.lo.v4}
            ${lib.my.dns.fwdRecords {
              inherit allAssignments names;
              domain = config.networking.domain;
--- a/nixos/boxes/home/routing-common/kea.nix
+++ b/nixos/boxes/home/routing-common/kea.nix
@@ -132,6 +132,37 @@ in
                  hw-address = "24:8a:07:a8:fe:3a";
                  ip-address = net.cidr.host 40 prefixes.lo.v4;
                }
                {
                  # avr
                  hw-address = "8c:a9:6f:30:03:6b";
                  ip-address = net.cidr.host 41 prefixes.lo.v4;
                }
                {
                  # tv
                  hw-address = "00:a1:59:b8:4d:86";
                  ip-address = net.cidr.host 42 prefixes.lo.v4;
                }
                {
                  # android tv
                  hw-address = "b8:7b:d4:95:c6:74";
                  ip-address = net.cidr.host 43 prefixes.lo.v4;
                }
                {
                  # hass-panel
                  hw-address = "80:30:49:cd:d7:51";
                  ip-address = net.cidr.host 44 prefixes.lo.v4;
                }
                {
                  # reolink-living-room
                  hw-address = "ec:71:db:30:69:a4";
                  ip-address = net.cidr.host 45 prefixes.lo.v4;
                }
                {
                  # nixlight
                  hw-address = "00:4b:12:3b:d3:14";
                  ip-address = net.cidr.host 46 prefixes.lo.v4;
                }
              ];
            }
          ];
--- a/nixos/boxes/home/routing-common/mstpd.nix
+++ b/nixos/boxes/home/routing-common/mstpd.nix
@@ -24,8 +24,8 @@ in
        onState = [ "routable" ];
        script = ''
          #!${pkgs.runtimeShell}
-          if [ $IFACE = "lan" ]; then
+          if [ "$IFACE" = "lan" ]; then
-            ${mstpd}/sbin/mstpctl setforcevers $IFACE rstp
+            ${mstpd}/sbin/mstpctl setforcevers "$IFACE" rstp
          fi
        '';
      };
--- a/nixos/boxes/kelder/containers/spoder/default.nix
+++ b/nixos/boxes/kelder/containers/spoder/default.nix
@@ -92,7 +92,8 @@ in
          nextcloud = {
            enable = true;
-            package = pkgs.nextcloud29;
+            # TODO: Might need to do some bullshit to go from Nextcloud 28 (?) to 30
            package = pkgs.nextcloud30;
            datadir = "/mnt/storage/nextcloud";
            hostName = "cloud.${domain}";
            https = true;
--- a/nixos/installer.nix
+++ b/nixos/installer.nix
@@ -31,8 +31,10 @@
            server.enable = true;
          };
          image = {
            baseName = "jackos-installer";
          };
          isoImage = {
            isoBaseName = "jackos-installer";
            volumeID = "jackos-${config.system.nixos.release}-${pkgs.stdenv.hostPlatform.uname.processor}";
            edition = "devplayer0";
            appendToMenuLabel = " /dev/player0 Installer";
--- a/nixos/modules/borgthin.nix
+++ b/nixos/modules/borgthin.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ inputs, lib, pkgs, config, ... }:
 let
  inherit (builtins) substring match;
  inherit (lib)
@@ -127,7 +127,9 @@ in
    enable = mkBoolOpt' false "Whether to enable borgthin jobs";
    lvmPackage = mkOpt' package pkgs.lvm2 "Packge containing LVM tools";
    thinToolsPackage = mkOpt' package pkgs.thin-provisioning-tools "Package containing thin-provisioning-tools";
-    package = mkOpt' package pkgs.borgthin "borgthin package";
+    # Really we should use the version from the overlay, but the package is quite far behind...
    # Not bothering to update until Borg 2.0 releases
    package = mkOpt' package inputs.borgthin.packages.${config.nixpkgs.system}.borgthin "borgthin package";
    jobs = mkOpt' (attrsOf jobType) { } "borgthin jobs";
  };
--- a/nixos/modules/build.nix
+++ b/nixos/modules/build.nix
@@ -221,8 +221,8 @@ in
      memorySize = dummyOption;
      qemu.options = dummyOption;
    };
    image.baseName = dummyOption;
    isoImage = {
      isoBaseName = dummyOption;
      volumeID = dummyOption;
      edition = dummyOption;
      appendToMenuLabel = dummyOption;
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -12,6 +12,7 @@ in
    inputs.impermanence.nixosModule
    inputs.ragenix.nixosModules.age
    inputs.sharry.nixosModules.default
    inputs.copyparty.nixosModules.default
  ];
  config = mkMerge [
@@ -65,10 +66,12 @@ in
      };
      nixpkgs = {
        overlays = [
-          inputs.deploy-rs.overlay
+          inputs.deploy-rs.overlays.default
          inputs.sharry.overlays.default
-          inputs.borgthin.overlays.default
+          # TODO: Re-enable when borgthin is updated
          # inputs.borgthin.overlays.default
          inputs.boardie.overlays.default
          inputs.copyparty.overlays.default
        ];
        config = {
          allowUnfree = true;
--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -15,6 +15,7 @@ let
    passAsFile = [ "code" ];
    code = ''
      #include <stdio.h>
      #include <stdlib.h>
      #include <signal.h>
      #include <unistd.h>
      #include <systemd/sd-daemon.h>
--- a/nixos/modules/gui/default.nix
+++ b/nixos/modules/gui/default.nix
@@ -56,6 +56,7 @@ in
      gnome = {
        gnome-keyring.enable = true;
      };
      udisks2.enable = true;
      udev = {
        packages = [
--- a/nixos/modules/netboot/default.nix
+++ b/nixos/modules/netboot/default.nix
@@ -15,8 +15,8 @@ let
      hash = "sha256-TKZ4WjNV2oZIYNefch7E7m1JpeoC/d7O1kofoNv8G40=";
    };
-    # Newer GCC requires this upstream patch
+    # This upstream patch (in newer versions) is needed for newer GCC
-    patches = (if (o ? patches) then o.patches else [ ]) ++ [ ./fix-uninitialised-var.patch ];
+    patches = (if (o ? patches) then o.patches else []) ++ [ ./fix-uninitialised-var.patch ];
  });
  tftpRoot = pkgs.linkFarm "tftp-root" [
    {
@@ -30,10 +30,11 @@ let
    substituteAll ${./menu.ipxe} "$out"
  '';
-  bootBuilder = pkgs.substituteAll {
+  bootBuilder = pkgs.replaceVarsWith {
    src = ./netboot-loader-builder.py;
    isExecutable = true;
    replacements = {
      inherit (pkgs) python3;
      bootspecTools = pkgs.bootspec;
      nix = config.nix.package.out;
@@ -48,6 +49,7 @@ let
        fi
      '';
    };
  };
 in
 {
  options.my.netboot = with lib.types; {
--- a/nixos/modules/network.nix
+++ b/nixos/modules/network.nix
@@ -12,16 +12,6 @@ in
        useNetworkd = mkDefault true;
      };
      systemd = {
        additionalUpstreamSystemUnits = mkIf (config.system.nixos.release == "24.12:u-24.11") [
          # TODO: NixOS has its own version of this, but with `network` instead of `networkd`. Is this just a typo? It
          # hasn't been updated in 2 years...
          # This has been done upstream now :)
          # TODO: Remove when 25.05 releases
          "systemd-networkd-wait-online@.service"
        ];
      };
      services.resolved = {
        domains = [ config.networking.domain ];
        # Explicitly unset fallback DNS (Nix module will not allow for a blank config)
--- a/nixos/modules/nvme/default.nix
+++ b/nixos/modules/nvme/default.nix
@@ -4,19 +4,6 @@ let
  inherit (lib.my) mkOpt';
  cfg = config.my.nvme;
  nvme-cli = pkgs.nvme-cli.override {
    libnvme = pkgs.libnvme.overrideAttrs (o: rec {
      # TODO: Remove when 1.11.1 releases (see https://github.com/linux-nvme/libnvme/pull/914)
      version = "1.11.1";
      src = pkgs.fetchFromGitHub {
        owner = "linux-nvme";
        repo = "libnvme";
        rev = "v${version}";
        hash = "sha256-CEGr7PDOVRi210XvICH8iLYDKn8S9bGruBO4tycvsT8=";
      };
      patches = (if (o ? patches) then o.patches else [ ]) ++ [ ./libnvme-hostconf.patch ];
    });
  };
  hostNQN = "nqn.2014-08.org.nvmexpress:uuid:${cfg.uuid}";
  etc = prefix: {
@@ -36,7 +23,7 @@ in
  config = mkIf (cfg.uuid != null) {
    environment = {
      systemPackages = [
-        nvme-cli
+        pkgs.nvme-cli
      ];
      etc = etc "";
    };
@@ -52,10 +39,6 @@ in
            ip = "${iproute2}/bin/ip";
            nvme = "${nvme-cli}/bin/nvme";
          };
          extraConfig = ''
            DefaultTimeoutStartSec=20
            DefaultDeviceTimeoutSec=20
          '';
          network = {
            enable = true;
@@ -70,14 +53,25 @@ in
            serviceConfig = {
              Type = "oneshot";
-              ExecStart = "${nvme-cli}/bin/nvme connect -t rdma -a ${cfg.boot.address} -n ${cfg.boot.nqn}";
+              ExecStart = "${pkgs.nvme-cli}/bin/nvme connect -t rdma -a ${cfg.boot.address} -n ${cfg.boot.nqn} -q ${hostNQN}";
              Restart = "on-failure";
              RestartSec = 10;
            };
            wantedBy = [ "initrd-root-device.target" ];
          };
        # TODO: Remove when 25.11 releases
        } // (if (lib.versionAtLeast lib.my.upstreamRelease "25.11") then {
          settings.Manager = {
            DefaultTimeoutStartSec = 20;
            DefaultDeviceTimeoutSec = 20;
          };
        } else {
          extraConfig = ''
            DefaultTimeoutStartSec=20
            DefaultDeviceTimeoutSec=20
          '';
        });
      };
    };
  };
--- a/nixos/modules/pdns.nix
+++ b/nixos/modules/pdns.nix
@@ -1,7 +1,7 @@
 { lib, pkgs, config, ... }:
 let
  inherit (builtins) isList;
-  inherit (lib) mkMerge mkIf mkDefault mapAttrsToList concatMapStringsSep concatStringsSep;
+  inherit (lib) mkMerge mkIf mkDefault mapAttrsToList concatMapStringsSep concatStringsSep getExe;
  inherit (lib.my) mkBoolOpt' mkOpt';
  # Yoinked from nixos/modules/services/networking/pdns-recursor.nix
@@ -165,7 +165,7 @@ let
  extraSettingsOpt = with lib.types; mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets).";
  baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings);
-  baseRecursorSettings = pkgs.writeText "pdns-recursor.conf" (settingsToLines config.services.pdns-recursor.settings);
+  baseRecursorSettings = (pkgs.formats.yaml { }).generate "pdns-recursor.yaml" config.services.pdns-recursor.yaml-settings;
  generateSettings = type: base: dst: if (cfg."${type}".extraSettingsFile != null) then ''
    oldUmask="$(umask)"
    umask 006
@@ -174,6 +174,14 @@ let
  '' else ''
    cp "${base}" "${dst}"
  '';
  generateYamlSettings = type: base: dst: if (cfg."${type}".extraSettingsFile != null) then ''
    oldUmask="$(umask)"
    umask 006
    ${getExe pkgs.yaml-merge} "${base}" "${cfg."${type}".extraSettingsFile}" > "${dst}"
    umask "$oldUmask"
  '' else ''
    cp "${base}" "${dst}"
  '';
  namedConf = pkgs.writeText "pdns-named.conf" ''
    options {
@@ -315,9 +323,9 @@ in
    (mkIf cfg.recursor.enable {
      systemd.services.pdns-recursor = {
        preStart = ''
-          ${generateSettings "recursor" baseRecursorSettings "/run/pdns-recursor/recursor.conf"}
+          ${generateYamlSettings "recursor" baseRecursorSettings "/run/pdns-recursor/recursor.yml"}
        '';
-        serviceConfig.ExecStart = [ "" "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=/run/pdns-recursor" ];
+        serviceConfig.ExecStart = [ "" "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=/run/pdns-recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no" ];
      };
      services.pdns-recursor = {
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -551,7 +551,7 @@ in
          ];
        });
      })
-      (mkIf (config.services ? "pds" && config.services.pds.enable) {
+      (mkIf (config.services ? "bluesky-pds" && config.services.bluesky-pds.enable) {
        my.tmproot.persistence.config.directories = [
          {
            directory = "/var/lib/pds";
@@ -561,6 +561,48 @@ in
          }
        ];
      })
      (mkIf config.services.home-assistant.enable {
        my.tmproot.persistence.config.directories = [
          {
            directory = config.services.home-assistant.configDir;
            mode = "0750";
            user = "hass";
            group = "hass";
          }
        ];
      })
      (mkIf config.services.frigate.enable {
        my.tmproot.persistence.config.directories = [
          {
            directory = "/var/lib/frigate";
            mode = "0755";
            user = "frigate";
            group = "frigate";
          }
          {
            directory = "/var/cache/frigate";
            mode = "0755";
            user = "frigate";
            group = "frigate";
          }
        ];
      })
      (mkIf config.services.copyparty.enable {
        my.tmproot.persistence.config.directories = [
          {
            directory = "/var/lib/copyparty";
            mode = "0755";
            user = "copyparty";
            group = "copyparty";
          }
          {
            directory = "/var/cache/copyparty";
            mode = "0755";
            user = "copyparty";
            group = "copyparty";
          }
        ];
      })
    ]))
  ]);
--- a/pkgs/chocolate-doom2xx/default.nix
+++ b/pkgs/chocolate-doom2xx/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, autoreconfHook, pkg-config, SDL, SDL_mixer, SDL_net
+{ lib, stdenv, autoreconfHook, pkg-config, SDL1, SDL_mixer, SDL_net
 , fetchFromGitHub, fetchpatch, python3 }:
 stdenv.mkDerivation rec {
@@ -35,7 +35,7 @@ stdenv.mkDerivation rec {
    # for documentation
    python3
  ];
-  buildInputs = [ (SDL.override { cacaSupport = true; }) SDL_mixer SDL_net ];
+  buildInputs = [ (SDL1.override { cacaSupport = true; }) SDL_mixer SDL_net ];
  enableParallelBuilding = true;
  meta = {
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -11,5 +11,4 @@ in
  chocolate-doom2xx = callPackage ./chocolate-doom2xx { };
  windowtolayer = callPackage ./windowtolayer.nix { };
  swaylock-plugin = callPackage ./swaylock-plugin.nix { };
  terminaltexteffects = callPackage ./terminaltexteffects.nix { };
 }
--- a/pkgs/terminaltexteffects.nix
+++ b/pkgs/terminaltexteffects.nix
@@ -1,19 +0,0 @@
 { lib
 , python3Packages
 , fetchPypi
 }:
 python3Packages.buildPythonApplication rec {
  pname = "terminaltexteffects";
  version = "0.10.1";
  pyproject = true;
  src = fetchPypi {
    inherit pname version;
    hash = "sha256-NyWPfdgLeXAxKPJOzB7j4aT+zjrURN59CGcv0Vt99y0=";
  };
  build-system = with python3Packages; [
    poetry-core
  ];
 }
--- a/pkgs/windowtolayer.nix
+++ b/pkgs/windowtolayer.nix
@@ -1,18 +1,25 @@
 { lib
 , fetchFromGitLab
 , rustPlatform
 , python3
 , rustfmt
 }:
 rustPlatform.buildRustPackage rec {
  pname = "windowtolayer";
-  version = "a5b89c3c";
+  version = "97ebd079";
  nativeBuildInputs = [
    python3
    rustfmt
  ];
  src = fetchFromGitLab {
    domain = "gitlab.freedesktop.org";
    owner = "mstoeckl";
    repo = pname;
-    rev = "a5b89c3c047297fd574932860a6c89e9ea02ba5d";
+    rev = "97ebd0790b13bf00afb0c53a768397882fd2e831";
-    hash = "sha256-rssL2XkbTqUvJqfUFhzULeE4/VBzjeBC5iZWSJ8MJ+M=";
+    hash = "sha256-XjbhZEoE5NPBofyJe7OSsE7MWgzjyRjBqiEzaQEuRrU=";
  };
-  cargoHash = "sha256-XHmLsx9qdjlBz4xJFFiO24bR9CMw1o5368K+YMpMIBA=";
+  cargoHash = "sha256-M0BVSUEFGvjgX+vSpwzvaEGs0i80XOTCzvbV4SzYpLc=";
 }
--- a/secrets/estuary/pdns/recursor.conf.age
+++ b/secrets/estuary/pdns/recursor.conf.age
@@ -1,12 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyA4bGQr
 dzJZbU4reWI1Sk45QTR3UkRoc0NvaDBFcUwrVWlCYWUrcWtYZGpNCm1PWjVzRVlt
 UDFKY2ZSZTg4S2pVZ0pDNzR1WklYQ3pEclJZLy9kKzdGTGsKLT4gWDI1NTE5IHFO
 TXVRK2d3azg2cHpRanhUNXp6YnRsZW1MUDJqc3l1bnNYNUhHaTIzMVkKWXp1M09H
 TnJIazRmb0tOSnE1Q0E1dERiaHZCQkh2YzE1cS9zRUhwaEovMAotPiBzPj5nLWdy
 ZWFzZQozSThRWnJCcVFFRHpoSi9tZnZMdnJoRlFud2VISHBHSThMem9qZVVWdS9C
 VFBDVEVzbUVCdFU2Qy9PaGdyc0FaCmk3UFZma2ZiR3hmWG1sa053bDBnY04yZ1VZ
 TW9jZwotLS0gMDVSaE5aakxHenFPVXpXa1JxczlWQ2x2VGNuQzdwaWZFTTFTaUp6
 cnRmZwoomylfwjD5A3N21/mk1Wtt8f4bsK747iZz7KT34kqmoX597rbGYxyip5lg
 VLZV6CY4LLRjnnSKoC2hIXU0dgudAmvxhztuaQ42fOc=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/estuary/pdns/recursor.yml.age
+++ b/secrets/estuary/pdns/recursor.yml.age
@@ -0,0 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyB0RnVq
 RUpSZy9qZ29DemdnWjdscHMvelRYUGF0YVZlNDFtdzFRdVljbGpZCjdWcE50ck44
 NVBsbVk3SmR6cHhHdkJ0TWI2S2ppOUtnK3pMK28xeTc0KzgKLT4gWDI1NTE5IHIy
 SEUxOCtjK3VFMEozblB1T00yRTE3c3dRSXIydmJHdmEvL25yMStOUVEKbE1XdU4z
 L1lLcEJWY2w2WXRWbmVIN0ZBRVl1R1dhNk10MWtheTRCYjloZwotPiBXXXRKcS1n
 cmVhc2UgRUBEWyBwamZsOVQKZ09pVGdWUG02WmxUcGNBN3RnbE42V05xRDE2azMr
 WHd3VEt0NmwvZnI1dXdiSjNvaStsNTZmUEhwbUp5cVlieQpSYmhUVm1GbEJVdXo3
 ZwotLS0gSkFZMFdiRHBjWFJsR3pqcytYZkEza3dsZ0ZyaDkxdmliZ3RUOFErUXlt
 cwq9gj+Fg4p2D1548J+bhvJ0re9uVm9TZ9lJSqmj5tMxWRS9aN1j9BlhmK/RnEG9
 KcodvBiyqibzauS4KC18xLLu986hK2gn3857waXn/AIp+p8BIA2J9M2M
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/hass/cli-token.txt.age
+++ b/secrets/hass/cli-token.txt.age
@@ -0,0 +1,16 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFQrc2JHQSBmTlVp
 RnlKNE9ySGo4L2h3VXBXRzIyZGdqU0RtUWk4ZmJVcGNKZ3BqTmpjCjJtQjUyTmJN
 dkpsbVI3M01mQlNPSEI0U1lVeUJTMVlXUlpheGxVblhUbUkKLT4gWDI1NTE5IG5K
 K0F3QWxJaW5CbW5TZElEVklIeUJxS0JCc2IxaFI5dVZrbDc3NDZGV2MKOVR6M0k5
 eW5HWDQrT3Rtb0tIM1EyajI1V0dKbHBLb0tVNU9nb21OUjcxYwotPiA5anw6bk56
 dC1ncmVhc2UgPCVeLiZyIH4KTGFRWHBGZFBJUElONUZLb3pJeXNZeXhoakYwT3BM
 TW9kUXBhOGhNbHh1Q1RPRTlCRnhSckg5NEUxWk5MVHJucQp4YlFDcVRzK2V5bWVT
 V0xLQjN1SjVTaWNJajJaTjRrQTd2VHlMRy82TExXbAotLS0gVE5YZVhTWXl4VUN2
 WUpidkJLV1JDU0R2QkdHZE5ZbCt2K2FlbGNjK0ZlNApzDh+kgAy4SBqC51mJi+VX
 ON8wbwLVTQRs1H30eyWNzt/3MO++eS4AoZUKQZUxURwXfhV0t0zd5/MlByBsqaHR
 +W6O/9Dp8e/8GYSX3D892r1LKN0AYHgcKeKwEtJojt5CTNJS2IgU6UxZhTliqAEc
 NkfxvcoAEHhGhPOudEIX2SgjrgVGJA8MYm6/46zAolZws3TWim3NEgJpb9tWXpvi
 1f/MXuxiowplF+PqCsd1EGzpXKsvADq6Rwyxpo6CbJzrq+GhFrTHF+LRkzjWx6JE
 LUsZwDqOZUY=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/home/pdns/recursor.conf.age
+++ b/secrets/home/pdns/recursor.conf.age
@@ -1,14 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpOcUlvZyBlODZr
 RHpJcFdFaVNYM0x1d3QxVmhKTFBkMndrakFYS3FxWk00YWxXejNzCkFqWFlCWUt2
 cGluRGtxODQzbElhRWt1TGFVeTE1UU5SSkdZejJzNVdhZ3cKLT4gc3NoLWVkMjU1
 MTkgcytxUmZnIFRpeVNsT2Jqc2I4dzB3cEFWK2ZEZlpJQklWSnhJM3o0Ukhsc1lz
 REZ0VFkKWWJPckVSNlZHREJIVVgwNVNBSkpSbHRPcUxIWVo4ZTlyVkovTGRpZThL
 MAotPiBYMjU1MTkgUGxhR2d3TVh1dnJwQjNoY0pjV09halZKZFhybVk3Vjk3Tmwr
 bDd5ckp6MApBcW8zbUl1SnhmOXZwOFRNUG1EZUNacDlXdXJSbWFUeG5GNjM3eXJo
 RmR3Ci0+IDstZ3JlYXNlICRoICVbfmU2fQpFYzNyZXBxVU5jT3JSY1NFMGEzUnVF
 WFQ2MmR2SGQ0Vnd6V0VxQlp5bE5LZ2NML2hyd09LOEVPL2lGREdLR3FMCmVGN09J
 OUNscVh1d0VSdwotLS0gbTB1NnZ4Q3B6WE1KVzJjbmVwL2dEVjc4WnRXZTlYbFBG
 T3htUHBWang2awr0OgkUO6XPZji5ZBNpqGwOlwpa605t38QCmFSXvPQhvT4Gj/0+
 rUvg7zWf5Yb4c86EDD05CsqGEUQTOKEz08z0lewN5kuFfZmrYQY=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/home/pdns/recursor.yml.age
+++ b/secrets/home/pdns/recursor.yml.age
@@ -0,0 +1,14 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpOcUlvZyBJSU1V
 M1QyaWcvcFJlUlJEcDVvblJGcXJDWk11RDhCZzBkY2Qyc2lDQW5jCjJVRVBWMTZy
 SHNTZG9ZSnZ3RjRqUE9Ub3JKZERkcTZpeEhSUlppTmVsZm8KLT4gc3NoLWVkMjU1
 MTkgcytxUmZnIFFsbm1oNk1jNndoU0J3SkdFSkNhSGNVRjdQb2JSUFBnczVwdlF0
 bDVhaVUKaFBzSHF3THNiL09Ib2ZhOFlyNVY0Q1ZwOUMwczZiQW9jVlNwanRYek1P
 WQotPiBYMjU1MTkgcEppMVBpbmRGS1h5RUgwNkZPZ0dXWVpkdXlZcFc5S3dQaDA4
 THdhUm9oTQpLbUpTaVVuQ29Zc3FuQ2MyaFcvTkxVK1l1T3V0L3FZSXZBS2dlY2hM
 VUNVCi0+IENcLWdyZWFzZSAnNGJjfiB1IHB3QDpUIHsoQi57Ilw9CnkxdFRqWVZi
 ZFdHQXJwNGZuNDg2Q3cKLS0tIDJSNmthczc1U2xxSlVKZDBLc1BHNnFMV3MwK3Qr
 ckJDL204d210NW1Pb2sKCC+sa8uPupC3Rv+o12XT/wTmLsKhtaE/bbshPCDIHUFn
 cpTwpY96JsCShAjSb6n7Xt6FgTKTFt2iDsGQ6+sLp0AJ2quxRaoxmqaFVsz4p8BL
 gF0On7LgZg==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/jackflix/copyparty-pass.txt.age
+++ b/secrets/jackflix/copyparty-pass.txt.age
@@ -0,0 +1,11 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyA4Qk8z
 SkhFWWMyaGM1c2luVzZzbWNvT0ZsS09yN0w1N01oY0tldWFXZnhVCkM0YzBVZUM1
 MmRzdFlCL1o5ZTdkTjkxQ1YyQ0kwbnJ0eVRuYUpQNWw2c0EKLT4gWDI1NTE5IGli
 dkp5RjZRSmROMEtQeWJiVkt2UktxdTAwUzZBRW9XajFDblFqZ3ZVR0EKYzFubnp0
 UHo5WlViYTNwbXFBd01qM0R4Wk82MTV1TzJsVVczdGRNSFRBQQotPiAnLWdyZWFz
 ZSAuPzVDCm1SZkdDMHRjT2NBVXI5ektKZ1R3dXhMUEVRblhBdC9mclFZSitSODI0
 OHZzZThEQnlBY25lVnFTQXRaV2FIYTIKeHkrY1NRCi0tLSBhUFgvd1BUbFlJeEFO
 RWRBQzcrT0ZFMG5SZVliNlZnK2N2VDJVV05UTkhBCrZM7RtMrOVIGIpod8aU4GLn
 0KBGTSq6kE01+f1kmTZDAKHx/LhiWgHYKLxTLW4VpYnUCg==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
@@ -1,72 +1,74 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHNqUFR5ZyBaOU1F
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHNqUFR5ZyBlbHl0
-ckpVQWNGejNoQUQzaERobUNmRFMyWVFzc0Eydkh6SEVZNHU2SHhRCmc0NUJMa0lG
+S0lQbXBKVGpNNnJOUS9TSlp0U0EvYWFVanN3N0RMb1JudEdwYVQ4CnJGdklzeEFy
-SnRuZHR3dmNKem1oYXA5bHVsNWcwY0xzMTlqQUlsQWJiSFUKLT4gc3NoLWVkMjU1
+RmxjamNyUWszYjFGb0ZZbk9EQVdERERtckpqczVscjdmUE0KLT4gc3NoLWVkMjU1
-MTkgRExNZUZnIG9Ca2M0ZHJwS2I5VWJiY1ptUWJtNTdVakVGQXlteGdCRHg4c3JO
+MTkgRExNZUZnIGR4czhRYjUyU29JbnFnRk5IeXliNzZzMVMya1ZuS2tkUlFVTkxU
-cXpaSGMKTHlidkxRZ01mWVRLRVRZdWRyNTZWZDhmR0Vicy9hYmF2elg5M1FXNGF6
+aFd0VWsKenprWWQ0UEdaUGhvRlJUbnU1T2h1czZBK1dpOGwwcjJxc2p6ejV1RnM0
-UQotPiBzc2gtZWQyNTUxOSAzYkIzWmcgZE03MlRsVDQzdlF3R3F0TWppdU4yV2J3
+RQotPiBzc2gtZWQyNTUxOSAzYkIzWmcgMHB6dzVFQ3FtaWErVWNyRXo3WnNhT2NF
-N21xS0djYnQzLytKK3JBenFoawp4bk1pWDlmZ2dmOFU3djBHVlN1alJETENGMGhM
+eldUVWtOaVlWOTVwcVVaOUlGMApJUDUzNmhKbUxleTV6SjV0Zmk3dno0STVIRDIv
-eWhGSFNGUW5OenpNMFRvCi0+IHNzaC1lZDI1NTE5IHErMFhjdyA3am5WUzQ4a0xM
+SUkyd1M2Z21mdUtMUXIwCi0+IHNzaC1lZDI1NTE5IHErMFhjdyBnRFBPRnNSa0Nn
-OEpvdTVGVjNVV2tMNnRHQ2IraGdZbjd2VjcrTnJzSjA0CmoyRjI3U1R5bElhb0NL
+UTlpR1Y4OU1UQmNLRnRWaGxzU3RBV0c1bG90K2I5QUQ0CjArUFlGS1B2RkVKSEtP
-UU4wRG1VZVV2MlpFdFkrUGdNNVNsOTJjN1pmZ0kKLT4gc3NoLWVkMjU1MTkgWkIz
+ajRpUUNlMkRPN3pxaEkrZ1M3RndxRDZ6U09Wc2cKLT4gc3NoLWVkMjU1MTkgWkIz
-ZTZRIFByVVhNbzRFQ0grb29hd2x0OU9iUU5sbjU2Zld0RXExM0RHT0M1VTZ6U0kK
+ZTZRIFRPdXRTeEVvUTM1dlQzMll2VDFkUlY2eEFRcnRrc1lNeDZDbFE1a3BjaDgK
-a2lVNzZiNWkwMy9XT2lIVnQrNG52cWx1b3lNQk41WFhHenlsVDdlR1FjZwotPiBz
+MytBM0Y2Mmo2M1JOWExLQy8xTm9SR05WcmxrV2xBZ0RpeXQxeGVkZ1VZcwotPiBz
-c2gtZWQyNTUxOSBqNjdGWFEgVzZURHE4ZHZ0YWNYZ1hkbWQvdDhQbzJ0R1NMNjRv
+c2gtZWQyNTUxOSBqNjdGWFEgYUw5cnJabnhhdU9lN0NPVXVUazRnVWpzcUVtM3VR
-QkVWdkNPWFN4blNGawo2ZndJeEhsbkoxYjBXbk96bjZsMXVqeE4yMDFRaDR1K0Rq
+bWQxNVVSQTN5N3hXRQp0blhXUC94TlRPbS9Ba2N1eVM0QkNNblJBa1hJYjZ1Y1lM
-eExHNDFBNlpnCi0+IHNzaC1lZDI1NTE5IGMwVE5hUSBjQXhrenI5cTZhNkR2VnNG
+UDhWbUd5bWNVCi0+IHNzaC1lZDI1NTE5IGMwVE5hUSA0TXowVjA0N2FvcER6OEts
-VitKUzQ5QThOcFJCZytTUXRrQzFZWi9VREZ3CnZFTU5QNm84NjVGYmp4RTZTM0Js
+VTVwa0UzUEtsY005WDhmaU8zZ3VLaXQvaVRJCjB4cjJiMHVGM3hyWlg0OHhaT0lu
-cTR0WUMwd1RWS0RJNHo0dDBkS1A0NE0KLT4gc3NoLWVkMjU1MTkgbjhDcFV3IHVz
+K2NJQWVndzYrSDAyK25NMklSVUI4S28KLT4gc3NoLWVkMjU1MTkgbjhDcFV3IFNE
-Q0FiOTBIYUY5SFBLK0Zia3YxaHd4dVN4bDhjbjZYaFVKNHp6VkFOMmMKeXAzcndh
+Q1NZbnpqUkdiaktnYkxZdzZrYUVqWDEvYnMvOTJqSUpybERTNk9uQ0kKYlMzZkVu
-M2hLWUFSNlJTUXFhNnlZZGZCYnBvM1AzMVg0QWFvK05rS3ZlOAotPiBzc2gtZWQy
+SXVtaWk2WEtDMEpwZFM3ZVIyWHQwUWNOZjVRS0I0ZjN5MklHYwotPiBzc2gtZWQy
-NTUxOSBqSThSQWcgS0NRY0pKaEd2UmVXcTU5bDFYSkx6cS9KNnVXbXc1ZVpxelIy
+NTUxOSBqSThSQWcgWTZIMCtNMCtzTFpROHpBMnA3b2s2UFE2dDZGbnlxU2VxMlkz
-U2E0T2VSRQo1cTZzQWk3cDRPSjVOdFQrOWNvWDVhZlE1VTRmRjBHZ0JjTVdheFdX
+aGJFUzV6awpKNDhobHQrTCs4cUVpNE5wblJMako3bU5tVldjVDBjVlJOOHhkUTNk
-bVB3Ci0+IHNzaC1lZDI1NTE5IGhNYTRudyBPUW11MkNuQUsyelNiejl1UEhvMFJT
+NFdrCi0+IHNzaC1lZDI1NTE5IFQrc2JHQSBTbVlBTXIzQ09SOHRJakZXK3NkT1Uy
-bUxmQU5MaW1Qcy9JeUZoVzdUSzBVCmVZWHoxTFVQWmJQbDlzYXZhVkxYRSszOGdm
+RFgrUTZncSsyK3p5WlVDSFNwM2lFClErRHk4Qmp2VlIvZW8rV2lNME53ZFlIUmVC
-MktPS3ZNV1BpZFJkM25wcGsKLT4gc3NoLWVkMjU1MTkgZXlxM2RnIDZLMzQxNFMr
+bXF5RlVvV2FUM3ZmeWpaQzgKLT4gc3NoLWVkMjU1MTkgaE1hNG53IDBINGhyMDBy
-azlybFZLK05xY21DU3BOZnduOWt4Z2lDNzl4KzVtYitrbUkKcGR1OWtkVTB1czdE
+bkp0RWpTU0F6Uk1kaXllRHBHbXF2QWUwNkN1U0tEWE53VGsKdi9QRlhwRCtyQkRq
-dWdhd0U3cC82Ry8zTStkQ256N3RMQlZCbjU5bWJVbwotPiBzc2gtZWQyNTUxOSA3
+cng1Wk1rZkx2NnJTMUxGajN3b2Z3SG0zd0ptcklCZwotPiBzc2gtZWQyNTUxOSBl
-V1E5UEEgb2IyVVNmM1AwNTVnZExDTEp1NWw4S0xWK0lnWG5DQ1dQTnh3RmNuZ2x5
+eXEzZGcgcnQ4WUFMcGRtL1BvYTkxWU12WTdkT1lLRmJlZXZ4cWtHNG54QVo0dDYw
-NApNaXhzL0wxUWtHNHpWSWplRS8wSzk0cEs4S21VUnp3azlRajJNdlJ6ZEprCi0+
+RQp2NkMwbTROZTBuRUVLNEs3L3BmOTZ2S3dDL0hUbm5OaHZXbjVCRG15bExnCi0+
-IHNzaC1lZDI1NTE5IGdTeFAwUSBLWXV1VW1Pb2w0ZkpOUlNEa3dLamFGSDFJMWRq
+IHNzaC1lZDI1NTE5IDdXUTlQQSBPL0t1ZWptTm5YQXIwc3ZNUGhkaVM5QU1DMkNL
-NzVMZDRXUWY0UmVuaUhjCkNlWFUvRHByUVBEenFXTXBMZ3k5d2l2L1BaUHprYVN5
+NU1WSFlTT05KOWR3dGhJCmdTTEIrNEZma3E0UzArMndqVEgzWnVLNzl0TjhsbG9P
-ZHZmdVAvQk1lY3cKLT4gc3NoLWVkMjU1MTkgVkZjdzVnIG1IUngvcVNSM2RrSDF0
+OE9aRVk1Ung1cEkKLT4gc3NoLWVkMjU1MTkgZ1N4UDBRIGJNazFtRThSVVVvb3dP
-dkZMSlAySmxWL3VqLzJYWWs3SUZTRWpvUkQ0R0EKalMzNW5rSXJES1M5Y2tVeDRW
+RHV5WGxCbktDK3c5aEhiYkphNU4zUnVNUVNNV2sKbWZJYkNSZFMvTDI1WVg5SnJV
-bFQ2eG9zeGxSZDBZMDV0TVV2SDVManI4QQotPiBzc2gtZWQyNTUxOSBoa2J0dmcg
+bUFSY2JsNDJBc253dlN5Y2Nqdm9TbU9IawotPiBzc2gtZWQyNTUxOSBWRmN3NWcg
-WmkxUSs4MGI4Y1BrZjdSSDRQMEtGbC9LNWlDdDBKbFI4NXdjN21BS2lIRQpUZVhL
+eEo0dmRNWVpuVGdxRHpXc09tUDZldFRKcTBIMVVWcXdmVFRhZnZmenBETQpJWHVp
-c0orRXNvbGFUbE1UZlBGc3h5N01Fekh2Q3B2WjI0WXpkRWpqM1hnCi0+IHNzaC1l
+NWJNRWhacHlMbHlQcjEzdEZWdUVpbGg0N2pqMjcvTk92UDJpNUlvCi0+IHNzaC1l
-ZDI1NTE5IGV0MnpwUSA0TWlIWW1oRzgrYzJUK29XbXVyd2JETHpLUFVLeG4rRUY1
+ZDI1NTE5IGhrYnR2ZyB0SFJGRE03T3lnTUJZakVCcnQxVklPNXhzak94eU5KUzNX
-bmV1bUZPaDBNCnI0cllLZmRFMEZDWTFRV2QxL25uV1RtOHBMZVhrOXFyR0NGbjk4
+L216SCtUWEVzCmRrS2Rlc1JiNEg1KzExaUsrNHJuSDlTcU5Oa0J4QVZKVmNBRGFP
-QWwvbDgKLT4gc3NoLWVkMjU1MTkgWmJMSldBIGNiK2hGRkhZRlU3SFpURWNLY3lL
+ZWlqUjAKLT4gc3NoLWVkMjU1MTkgZXQyenBRIEFhMFVxZ3RRbk4za2t5cWtwVjVi
-VisrSW01V1lXQU8yUGN5MENNaEZwVU0KbnNGd2Y4TDZKdmFIQ21NWlZZVGQ1ZEFw
+Qm9ucVdMekVsSHEwSWlML0JIdmQ2SFkKWW5mWnQvRWlaT3hJLzJyTE5RdTNUMWNM
-MyszQ0VLOWxiSkdrWFdGWUlkOAotPiBzc2gtZWQyNTUxOSBaTnFJb2cgZ2dnRHkr
+SDB4TjVKZCtDN0tCR1NhdnRqbwotPiBzc2gtZWQyNTUxOSBaYkxKV0EgV1loMWZx
-UEs5S3FJRkpBLzZLRyt6RmdBeUcvTjJGTmhoci8xNXord3F5OAplZXRUQTF5MUtT
+OHhKelNvNzErMDc4cUE5amgycTFTem5lVmlGYTk5bUM2T2dEUQpkMVQ0VS80Y3Jt
-RG1uVmZOOENzVVZqWUFsdDFXRm93dy9OYmtVSDZTUDV3Ci0+IHNzaC1lZDI1NTE5
+QTZUVnNZV0daczM0Titvc3Q1T2JiTVZYV2tXOW4xV0VRCi0+IHNzaC1lZDI1NTE5
-IHFManF5USA5SUF1MW85T2dZNXY2cFBwOC9Wb1R6MSs5VGVOOTExUnNaM3pwci9l
+IFpOcUlvZyAzMnZ2NjR1R2R2UlJNZjNvOU9RckR0MEtnbllyYVJPSUZtUDNWSU5k
-N2pRCk1tYWRnSlAwbUNiMWdmRU0wZk5VOHZmVU5uZDlRSlJJM1pHR3VxTTNHN0kK
+U3c4Ckgza2txalJhOW14c1dGZ0VTc3EzK2NpOUJaVWhqN2lMWU9HL3hMSWlJUVkK
-LT4gc3NoLWVkMjU1MTkgQmFRbFJnIExWTm0xU0djWW9XL3ova003ZVBMTTFIS1FR
+LT4gc3NoLWVkMjU1MTkgcUxqcXlRIHMxNStVTnY1TUZJaHlXQnNTSFhXditsWnVF
-S0xYckNMRFJhZGVXM1haeDAKeTVoSC92bnhRdG93RnV4akxVRHRuVEc4Y2N3cmta
+Y2ZKRWZ5UXVPZUVKY2VjakEKV1N3ODVFYXROTzFReWE5Y1A5MkpXUjJVc00wVVd3
-UFJrTHZtU3A5RjFGdwotPiBzc2gtZWQyNTUxOSBzK3FSZmcgaGJNcUc4bFZHK3Bl
+ZUpzTC9rRGdOWUpxWQotPiBzc2gtZWQyNTUxOSBCYVFsUmcganpkWlpaWlRVQ3Vp
-cnVZV0dPWkFOTndSMU1zNlAweXZsUkZtSk1XQUoxdwpWak02bTJVWjNNMXZoenJq
+Y2hvbkpld2kzdzVtdERHajBNUTEyM0NOWlp0WkxtRQp1MEJUKzFUSW9tWjluVU9Y
-RFN0UzRvdk0xT2VzazFKcysvYk9HejYrLzRvCi0+IHNzaC1lZDI1NTE5IDYySmNj
+clBzNFpzdU83MXdGN2dJSGducnplbEd4M1JNCi0+IHNzaC1lZDI1NTE5IHMrcVJm
-QSA4KzVSYkxEUW5jaithdUNvSVpjdDJGZm90Q1IyWnBtbTZnTWNsY01pUkQwCkRa
+ZyBSRW1pZWFhQkpQRTFYTG9IZnVmWmx6S2pNUll4MGhtRFd1Y0ZhS25JNFZVCjhU
-NHRHenFIS050dXVWcWdzaElkemU4enEyUmkwU0tSMENJWHFYMlg0L0UKLT4gc3No
+UDhoOTlTUEtqbytZMjZ2NlozcnZTNXVNcVA3cU1TRmtsL1g4bEhKUzgKLT4gc3No
-LWVkMjU1MTkgL2h4L2RBIDVhY2hCcitGVjFueUsrTHpNNmEzeDFTUFdYeGZ2d1ox
+LWVkMjU1MTkgNjJKY2NBIElSSXZjc3J5cWNwOHFNV281YzBrVzc2TlVwMnRwb0NJ
-czE2TUFIS0NzVFkKU0lFcGJiQmQrMU1iYlhtNWVFZ2VZM09jOTBwUWRDdlNOKzc4
+dEdST0s4MEhmQnMKaTNEdkFjRktCZHNCY3FsWE5UbFo1R3lXSlI2NE5MR25neWJ4
-VHVEeC8wdwotPiBzc2gtZWQyNTUxOSBXekxHSEEgNlhBMHVJTTFuZHgxN3RqYkV0
+NTlsSllxWQotPiBzc2gtZWQyNTUxOSAvaHgvZEEgOExaRjJiNTJkUGFxZllSK1Uz
-SzB2elhYcm9BWmszNjRIUzhCbEpiWktFawpka1ZpK0pCMnAxTUE4UzhHeXhxcjRi
+eWxQTmtxOVFPZkVFb2w2Z0tmZVpwTndDWQpuRFlqZWdaQjZaT1BZSmllVzB5NWhY
-djNRdUxVeW90SUFENjh0UVJyeDBnCi0+IHNzaC1lZDI1NTE5IEhKL0o3QSBhNno1
+MmhHaWtZOXFERzhSRWRXWk5TR1RRCi0+IHNzaC1lZDI1NTE5IFd6TEdIQSBtZW04
-QmZWMFJ1OEdmZVRzd05qWktUM3BXaWtvV3FpckllV29hM0VWalJZClN0NVFMTDlu
+eWlNWU9JOXYvcVlsb1JXM2JKRlREeXJXNHd6MlkvazZrSzdscG5BCnZzWUFwb3lK
-Z01TaVp3ZDRURGRqSk5FazBBVXJuTzlzdFI4bWE3cUowYmsKLT4gc3NoLWVkMjU1
+dUhkcDZNakFPN0RMRG5LQzdqU1UzNlJ6eGRGSGlhYUx0YXMKLT4gc3NoLWVkMjU1
-MTkgT0VxTXNnIHBBaHl2U2hKMVJpc1FDdDRMVnRacHZ6SUh4TGwxYm9Sejh5S3FL
+MTkgSEovSjdBIDBaNzZGVkdaVWlWNk4yVW5UdnFCZ2xWUEtIc2QzQmJTMnlINVF1
-RVBheUUKQUNRZDZtN1dBcUI1TFVpenI3R0M5TC9zY3B4OEFBMXhLQjMyYmVseWEv
+V093UmsKcXNhSnlnWHQrRzVSU296NENDN29aMUN5VlRIcittdGNySGhvMHZlT0xl
-bwotPiBzc2gtZWQyNTUxOSAvRUpYdmcgZ0M3ZVdBZVlOOFNEbmFwYVcvMGtETTdy
+NAotPiBzc2gtZWQyNTUxOSBPRXFNc2cgNUFSc045eUVqQWI3MXB4Tkd2RndDS2Na
-QXZmSy9qZFVKQkROdFRVak4xSQpRREliRFFjMTl6ak45ckdEdnpReEJPS3RSbXB4
+VGJrblFLaENPVlZucFdGRGFDTQp6dlRHTnRLSFkxb1RFdmxGS09Jenh2Q25VZ2ha
-R0JxdUUxZ2wxSkUwQk5NCi0+IFgyNTUxOSBqYW5sdkVBcUJiUHltVy9mT0hYbzJ4
+QWQ4YUNjdVNJbW8vVGVrCi0+IHNzaC1lZDI1NTE5IC9FSlh2ZyBGM2lrUG1DWUx3
-bW11dmwvUGFlVkV1WlpFQ2Y1UHpNCm1OQ09yOVRSNnIxeXY0N2ltOEt3OVVYRTM2
+YndZWWdobVo3TjZHTDNabmdsa3ZHcndwUXVZSVg5T0VZCjNYdlFYSHBsWjBTWXlS
-bHV4dkJOaUFrUFhydmdTSFEKLT4gZ296LWdyZWFzZSBbcyA6IUVJKiBSYi04ClB1
+V0lSZkpwVE05eU1LcFBEbWdXWEZ0U0tSTkthQnMKLT4gWDI1NTE5IDF5SmczUWpo
-QjgzNTBMM3o1cER5RWhQa1F4YmFEOXNzQUZyOTU2SXRzYmtTODdKd1djZ3NUagot
+bkdmWS9SamxtTTF1eVJnc1QxUGJiUjQwR1VSTmdxMEtqQzAKeTF0NWp6dG1CWGNy
-LS0gRGN4Y2ZyV1g4YnFaM0JTazNZSFNOQVlzQWViU1R1ZUVpdjB0ZmNUeThvRQrn
+VVVXVGFLV3dkWWo2YTVkZmtXcHRZai9FSDVBSmJhbwotPiAmJC1ncmVhc2UgaWU3
-KRRdOMs11eAfh0452NX5E0nDyNXe/Bn3kStg7jBDKRo+JxFw4xTwgT9XeyMwzonH
+YGkpVSBNV0ZfIDM1fltQdzBcCmZYRXB1NEVMNkVqWVF3Ci0tLSB2RVRFYmVGVklB
-bci/yoXC0hSJNiGvMCu9qbnEZakb7nzQfn8KJY9+4ptjRI5zxnGRWUEDrHjNXA22
+bGFiUTBKYlMrRitvN2NnUkhScTMvWml6ZzRKU3ZIeEtvChoKB2c5roTC97pdDOi6
-UGpm6PGdBRpktySXA4wFTJL1nWxtIIRvZ/j3Njc3O78ggjhW3QtBc0VJ
+aPFIaTyOu9NZ4ESwwRjpEgB0D6GP2r7YR3CnxVyXa4sCFUnTF8dLUkABFnSeNeQZ
 M64tM6J+tZAyJa9IKaTgSqvQaGYHHYinygNvf6BShCK4nPUJu0cV6gFtqFle0MWA
 Rez5eRMFH/M2aubhwBeDyHG4WRelkt7oMVXyY6U=
 -----END AGE ENCRYPTED FILE-----
Author	SHA1	Message	Date
Jack O'Sullivan	7db5e18974	nixos/jackflix: copyparty: Move `/pub` to `/` and put stuff at `/priv` All checks were successful CI / Check, build and cache nixfiles (push) Successful in 2h25m8s Details	2025-09-09 14:34:54 +01:00
Jack O'Sullivan	20b7da74bf	nixos/jackflix: Remove unnecessary insecure packages exception All checks were successful CI / Check, build and cache nixfiles (push) Successful in 2h28m59s Details	2025-09-08 23:29:51 +01:00
Jack O'Sullivan	adaf8b6a83	nixos/jackflix: Add copyparty	2025-09-08 23:28:31 +01:00
Jack O'Sullivan	1f145334f3	nixos/britway: Disable `override_local_dns` for headscale Some checks failed CI / Check, build and cache nixfiles (push) Failing after 12m38s Details	2025-09-08 21:29:20 +01:00
Jack O'Sullivan	abf9f1b465	home-manager/gui: Add ffmpeg All checks were successful CI / Check, build and cache nixfiles (push) Successful in 2h30m16s Details	2025-09-06 21:56:19 +01:00
Jack O'Sullivan	f0740741a4	nixos/home/routing-common: Fix mstpd shellcheck All checks were successful CI / Check, build and cache nixfiles (push) Successful in 2h44m21s Details	2025-09-06 21:40:05 +01:00
Jack O'Sullivan	0c0b66b8db	nixos/jackflix: Add FlareSolverr	2025-09-06 19:49:12 +01:00
Jack O'Sullivan	bdf3c04595	nixos/git: Add NAT rules	2025-09-06 19:35:33 +01:00
Jack O'Sullivan	02795a6ee4	nixos/nvme: Specify Host NQN on command line Some checks failed CI / Check, build and cache nixfiles (push) Failing after 2h24m47s Details	2025-09-06 18:02:18 +01:00
Jack O'Sullivan	8fa4a7ee60	"Release" 25.09 Giving Some checks failed CI / Check, build and cache nixfiles (push) Failing after 31m46s Details	2025-09-06 17:14:09 +01:00
Jack O'Sullivan	773674d879	nixos/chatterbox: Add adzerq to Instagram bridge Some checks failed CI / Check, build and cache nixfiles (push) Failing after 29m47s Details	2025-07-23 19:42:35 +01:00
Jack O'Sullivan	12c5ca126d	nixos/middleman: kinkcraft Bluemap Some checks failed CI / Check, build and cache nixfiles (push) Failing after 30m2s Details	2025-06-07 23:28:20 +01:00
Jack O'Sullivan	b38a2a07e2	nixos/estuary: Update FrysIX BGP config to new /23 Some checks failed CI / Check, build and cache nixfiles (push) Failing after 30m16s Details	2025-06-03 11:06:58 +01:00
Jack O'Sullivan	0dc474887f	Add kinkcraft Minecraft server Some checks failed CI / Check, build and cache nixfiles (push) Failing after 30m20s Details	2025-05-29 20:51:56 +01:00
Jack O'Sullivan	c8bd63ec3e	nixos: Add nixlight static IP and WLED hass integration Some checks failed CI / Check, build and cache nixfiles (push) Failing after 29m45s Details	2025-05-26 23:25:05 +01:00
Jack O'Sullivan	d7522f3f97	nixos/whale2: Op kev in kevcraft Some checks failed CI / Check, build and cache nixfiles (push) Failing after 30m31s Details	2025-04-24 22:04:45 +01:00
Jack O'Sullivan	58c76f822f	home-manager/gui: Use `tmux kill-session` in brainrot screensavers Some checks failed CI / Check, build and cache nixfiles (push) Failing after 29m19s Details	2025-04-14 13:27:01 +01:00
Jack O'Sullivan	31bcde23b8	nixos/gui: Enable udisks2 Some checks failed CI / Check, build and cache nixfiles (push) Failing after 5m13s Details	2025-04-07 23:18:29 +01:00
Jack O'Sullivan	fc2fa0666e	nixos/middleman: Increase `worker_processes` Some checks failed CI / Check, build and cache nixfiles (push) Failing after 5m10s Details	2025-03-28 16:42:54 +00:00
Jack O'Sullivan	854cc48479	home-manager/gui: Add Brainrot story mode screensaver Some checks failed CI / Check, build and cache nixfiles (push) Failing after 29m6s Details	2025-03-28 11:01:46 +00:00
Jack O'Sullivan	85a4b124e5	pkgs: Remove own terminaltexteffects Some checks failed CI / Check, build and cache nixfiles (push) Failing after 5m7s Details	2025-03-27 11:58:36 +00:00
Jack O'Sullivan	f322f3ebac	home-manager/gui: Longer and looping brainrot screensavers Some checks failed CI / Check, build and cache nixfiles (push) Failing after 29m7s Details	2025-03-25 10:56:08 +00:00
Jack O'Sullivan	bc74fb4968	home-manager/gui: Add brainrot screensavers Some checks failed CI / Check, build and cache nixfiles (push) Failing after 30m15s Details	2025-03-24 15:09:46 +00:00
Jack O'Sullivan	584abd4991	nixos/home/hass: Add USB webcam All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h12m19s Details	2025-03-15 01:43:44 +00:00
Jack O'Sullivan	05074a1fd9	nixos/home/hass: Basic Reolink camera setup Some checks failed CI / Check, build and cache nixfiles (push) Has been cancelled Details	2025-03-15 01:07:12 +00:00
Jack O'Sullivan	69060dfbff	nixos/home/routing-common: Add static lease for hass-panel	2025-03-14 22:53:36 +00:00
Jack O'Sullivan	8e288a9e2a	nixos/home/hass: Include scenes.yaml All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h17m11s Details	2025-03-14 17:48:18 +00:00
Jack O'Sullivan	bb03b6fa76	nixos/home/hass: Add HEOS All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h0m24s Details	2025-03-12 01:55:46 +00:00
Jack O'Sullivan	fd92cfae6e	nixos/home/hass: Include scripts.yaml All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h1m12s Details	2025-03-11 14:35:10 +00:00
Jack O'Sullivan	25267d09a2	nixos/home/hass: Add androidtv_remote and alarmo All checks were successful CI / Check, build and cache nixfiles (push) Successful in 59m46s Details	2025-03-11 02:12:16 +00:00
Jack O'Sullivan	f02f538ab2	nixos/home/routing-common: Add media DHCP reservations	2025-03-10 22:33:48 +00:00
Jack O'Sullivan	d319657680	nixos/netboot: Use older iPXE with patch All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h3m31s Details	2025-03-10 22:23:08 +00:00
Jack O'Sullivan	dff5a4e6d8	nixos/home/hass: Add Irish Rail integration All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h9m21s Details	2025-03-10 14:04:22 +00:00
Jack O'Sullivan	2a8ced0fec	nixos/home/routing-common: Add DNS blocklist All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h6m52s Details	2025-03-10 10:46:21 +00:00
Jack O'Sullivan	36c7096120	nixos/home/hass: Home Assistant CLI and automation fix All checks were successful CI / Check, build and cache nixfiles (push) Successful in 2h47m3s Details	2025-03-10 01:28:14 +00:00
Jack O'Sullivan	adfcf2f848	nixos/home/hass: Initial Home Assistant setup Some checks failed CI / Check, build and cache nixfiles (push) Has been cancelled Details	2025-03-09 22:59:59 +00:00
Jack O'Sullivan	a3870a4293	nixos/home/sfh: Introduce hass container Some checks failed CI / Check, build and cache nixfiles (push) Has been cancelled Details	2025-03-09 20:07:28 +00:00
Jack O'Sullivan	8f4b61fc2b	Update inputs	2025-03-09 20:00:35 +00:00