nixos/tower: Add brightness keybinds

2024-10-26 20:19:53 +01:00
50 changed files with 608 additions and 637 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -6,7 +6,7 @@ on:

 jobs:
  check:
-    name: Check, build and cache nixfiles
+    name: Check, build and cache Nix flake
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
@@ -25,23 +25,15 @@ jobs:
            extra-trusted-public-keys = nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4=

      - name: Check flake
-        run: nix flake check --no-build
-
-      - name: Build (and cache) the world
+        run: nix flake check
+      - name: Build the world
        id: build
+        run: |
+          path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
+          echo "path=$path" >> "$GITHUB_OUTPUT"
+
+      - name: Push to cache
        env:
          HARMONIA_SSH_KEY: ${{ secrets.HARMONIA_SSH_KEY }}
        run: |
-          nix eval --json --apply "builtins.attrNames" .#ci.x86_64-linux | jq -cr '.[]' | while read job; do
-            echo "::group::Build $job"
-            nix build --no-link .#ci.x86_64-linux."$job"
-            echo "::endgroup::"
-
-            echo "::group::Cache $job"
-            ci/push-to-cache.sh "$(nix eval --raw .#ci.x86_64-linux."$job")"
-            echo "::endgroup::"
-          done
-
-          echo "Building and caching CI derivation"
-          nix build --no-link .#ciDrv.x86_64-linux
-          UPDATE_PROFILE=1 ci/push-to-cache.sh "$(nix eval --raw .#ciDrv.x86_64-linux)"
+          ci/push-to-cache.sh "${{ steps.build.outputs.path }}"
--- a/ci/push-to-cache.sh
+++ b/ci/push-to-cache.sh
@@ -22,10 +22,8 @@ path="$1"
 echo "Pushing $path to cache..."
 nix copy --no-check-sigs --to "$STORE_URI" "$path"

-if [ -n "$UPDATE_PROFILE" ]; then
-  echo "Updating profile..."
-  remote_cmd nix-env -p "$REMOTE_STORE"/nix/var/nix/profiles/nixfiles --set "$path"
+echo "Updating profile..."
+remote_cmd nix-env -p "$REMOTE_STORE"/nix/var/nix/profiles/nixfiles --set "$path"

-  echo "Collecting garbage..."
-  remote_cmd nix-collect-garbage --delete-older-than 60d
-fi
+echo "Collecting garbage..."
+remote_cmd nix-collect-garbage --delete-older-than 30d
--- a/devshell/commands.nix
+++ b/devshell/commands.nix
@@ -77,12 +77,7 @@ in
      name = "build-n-switch";
      category = "tasks";
      help = "Shortcut to nixos-rebuild for this flake";
-      command = ''
-        # HACK: Upstream changes in Git + Nix makes this necessary
-        # https://github.com/NixOS/nix/issues/10202
-        doas git config --global --add safe.directory "$PWD"
-        doas nixos-rebuild --flake . "$@"
-      '';
+      command = ''doas nixos-rebuild --flake . "$@"'';
    }
    {
      name = "run-vm";
@@ -120,17 +115,29 @@ in
      help = "Build home-manager configuration";
      command = ''nix build "''${@:2}" ".#homeConfigurations.\"$1\".activationPackage"'';
    }
+    {
+      name = "update-inputs";
+      category = "tasks";
+      help = "Update flake inputs";
+      command = ''
+        args=()
+        for f in "$@"; do
+          args+=(--update-input "$f")
+        done
+        nix flake lock "''${args[@]}"
+      '';
+    }
    {
      name = "update-nixpkgs";
      category = "tasks";
      help = "Update nixpkgs flake inputs";
-      command = ''nix flake update nixpkgs-{unstable,stable,mine,mine-stable}'';
+      command = ''update-inputs nixpkgs-{unstable,stable,mine,mine-stable}'';
    }
    {
      name = "update-home-manager";
      category = "tasks";
      help = "Update home-manager flake inputs";
-      command = ''nix flake update home-manager-{unstable,stable}'';
+      command = ''update-inputs home-manager-{unstable,stable}'';
    }
    {
      name = "update-installer";
--- a/devshell/default.nix
+++ b/devshell/default.nix
@@ -11,7 +11,7 @@ in

    NIX_USER_CONF_FILES = toString (pkgs.writeText "nix.conf"
      ''
-        experimental-features = nix-command flakes ca-derivations
+        experimental-features = nix-command flakes ca-derivations repl-flake
        connect-timeout = 5
        fallback = true
        ${lib.my.c.nix.cache.conf}
--- a/flake.lock
+++ b/flake.lock
@@ -8,14 +8,14 @@
          "ragenix",
          "nixpkgs"
        ],
-        "systems": "systems_7"
+        "systems": "systems_8"
      },
      "locked": {
-        "lastModified": 1723293904,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "lastModified": 1707830867,
+        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
        "type": "github"
      },
      "original": {
@@ -24,10 +24,36 @@
        "type": "github"
      }
    },
+    "attic": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ],
+        "nixpkgs-stable": [
+          "nixpkgs-stable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1720542474,
+        "narHash": "sha256-aKjJ/4l2I9+wNGTaOGRsuS3M1+IoTibqgEMPDikXm04=",
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "rev": "6139576a3ce6bb992e0f6c3022528ec233e45f00",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "type": "github"
+      }
+    },
    "boardie": {
      "inputs": {
        "devshell": "devshell",
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
@@ -50,17 +76,17 @@
    "borgthin": {
      "inputs": {
        "devshell": "devshell_2",
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_6",
        "nixpkgs": [
          "nixpkgs-mine"
        ]
      },
      "locked": {
-        "lastModified": 1732994213,
-        "narHash": "sha256-3v8cTsPB+TIdWmc1gmRNd0Mi0elpfi39CXRsA/2x/Oo=",
+        "lastModified": 1692446555,
+        "narHash": "sha256-Uzl8TiGKVBCjwYhkprSwbcu8xlcQwnDNIqsk9rM+P9w=",
        "owner": "devplayer0",
        "repo": "borg",
-        "rev": "795f5009445987d42f32de1b49fdeb2d88326a64",
+        "rev": "44a3dc19b014ebc8d33db0b3e145ed7bfc9a0cb7",
        "type": "github"
      },
      "original": {
@@ -70,12 +96,39 @@
      }
    },
    "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
      "locked": {
-        "lastModified": 1725409566,
-        "narHash": "sha256-PrtLmqhM6UtJP7v7IGyzjBFhbG4eOAHT6LPYOFmYfbk=",
+        "lastModified": 1717025063,
+        "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "7e4586bad4e3f8f97a9271def747cf58c4b68f3c",
+        "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "crane_2": {
+      "inputs": {
+        "nixpkgs": [
+          "ragenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1708794349,
+        "narHash": "sha256-jX+B1VGHT0ruHHL5RwS8L21R6miBn4B6s9iVyUJsJJY=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "2c94ff9a6fbeb9f3ea0107f28688edbe9c81deaa",
        "type": "github"
      },
      "original": {
@@ -109,18 +162,18 @@
    },
    "deploy-rs": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1727447169,
-        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
+        "lastModified": 1718194053,
+        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
+        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
        "type": "github"
      },
      "original": {
@@ -131,7 +184,7 @@
    },
    "devshell": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": "nixpkgs"
      },
      "locked": {
@@ -150,7 +203,7 @@
    },
    "devshell-tools": {
      "inputs": {
-        "flake-utils": "flake-utils_9",
+        "flake-utils": "flake-utils_11",
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
@@ -169,7 +222,7 @@
    },
    "devshell_2": {
      "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_5",
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
@@ -188,16 +241,17 @@
    },
    "devshell_3": {
      "inputs": {
+        "flake-utils": "flake-utils_7",
        "nixpkgs": [
          "nixpkgs-unstable"
        ]
      },
      "locked": {
-        "lastModified": 1728330715,
-        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
+        "lastModified": 1713532798,
+        "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
+        "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
        "type": "github"
      },
      "original": {
@@ -207,6 +261,22 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@@ -223,6 +293,90 @@
      }
    },
    "flake-utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_10": {
+      "inputs": {
+        "systems": "systems_9"
+      },
+      "locked": {
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_11": {
+      "inputs": {
+        "systems": "systems_10"
+      },
+      "locked": {
+        "lastModified": 1709126324,
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_12": {
+      "inputs": {
+        "systems": "systems_11"
+      },
+      "locked": {
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_13": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
      "inputs": {
        "systems": "systems"
      },
@@ -240,40 +394,7 @@
        "type": "github"
      }
    },
-    "flake-utils_10": {
-      "inputs": {
-        "systems": "systems_10"
-      },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_11": {
-      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
+    "flake-utils_3": {
      "inputs": {
        "systems": "systems_2"
      },
@@ -291,7 +412,7 @@
        "type": "github"
      }
    },
-    "flake-utils_3": {
+    "flake-utils_4": {
      "inputs": {
        "systems": "systems_3"
      },
@@ -309,7 +430,7 @@
        "type": "github"
      }
    },
-    "flake-utils_4": {
+    "flake-utils_5": {
      "locked": {
        "lastModified": 1642700792,
        "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
@@ -324,7 +445,7 @@
        "type": "github"
      }
    },
-    "flake-utils_5": {
+    "flake-utils_6": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -339,31 +460,16 @@
        "type": "github"
      }
    },
-    "flake-utils_6": {
+    "flake-utils_7": {
      "inputs": {
        "systems": "systems_6"
      },
      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_7": {
-      "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
        "type": "github"
      },
      "original": {
@@ -374,7 +480,7 @@
    },
    "flake-utils_8": {
      "inputs": {
-        "systems": "systems_8"
+        "systems": "systems_7"
      },
      "locked": {
        "lastModified": 1710146030,
@@ -391,15 +497,12 @@
      }
    },
    "flake-utils_9": {
-      "inputs": {
-        "systems": "systems_9"
-      },
      "locked": {
-        "lastModified": 1709126324,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
        "type": "github"
      },
      "original": {
@@ -437,16 +540,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1732466619,
-        "narHash": "sha256-T1e5oceypZu3Q8vzICjv1X/sGs9XfJRMW5OuXHgpB3c=",
+        "lastModified": 1719827415,
+        "narHash": "sha256-pvh+1hStXXAZf0sZ1xIJbWGx4u+OGBC1rVx6Wsw0fBw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f3111f62a23451114433888902a55cf0692b408d",
+        "rev": "f2e3c19867262dbe84fdfab42467fc8dd83a2005",
        "type": "github"
      },
      "original": {
        "id": "home-manager",
-        "ref": "release-24.11",
+        "ref": "release-23.11",
        "type": "indirect"
      }
    },
@@ -457,11 +560,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1732884235,
-        "narHash": "sha256-r8j6R3nrvwbT1aUp4EPQ1KC7gm0pu9VcV1aNaB+XG6Q=",
+        "lastModified": 1720734513,
+        "narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "819f682269f4e002884702b87e445c82840c68f2",
+        "rev": "90ae324e2c56af10f20549ab72014804a3064c7f",
        "type": "github"
      },
      "original": {
@@ -471,11 +574,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1731242966,
-        "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
+        "lastModified": 1719091691,
+        "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
+        "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
        "type": "github"
      },
      "original": {
@@ -508,7 +611,7 @@
    },
    "nixGL": {
      "inputs": {
-        "flake-utils": "flake-utils_7",
+        "flake-utils": "flake-utils_9",
        "nixpkgs": [
          "nixpkgs-unstable"
        ]
@@ -545,11 +648,11 @@
    },
    "nixpkgs-mine": {
      "locked": {
-        "lastModified": 1732985787,
-        "narHash": "sha256-6rSJ9L4QywpHLi/xvpOHdTuPm6/eOJcXxnYzDbP3U1k=",
+        "lastModified": 1724669894,
+        "narHash": "sha256-oHDWt37dN3Bq12E016HDw0rnjBlRg51hg66b7qG6cro=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "a28c46933ef5038fb7a2dd483b85152a539c7969",
+        "rev": "01d95eaee35f63ed8e48dedb573f48a1a3028f88",
        "type": "github"
      },
      "original": {
@@ -561,11 +664,11 @@
    },
    "nixpkgs-mine-stable": {
      "locked": {
-        "lastModified": 1732985894,
-        "narHash": "sha256-YYuQQCcSF6KjgtAenZJiBmqt5jqP3UvYgC424VQ+22s=",
+        "lastModified": 1720987393,
+        "narHash": "sha256-aq1reu43552gD+QRyxAMlimAX9+YbGpAIyw82jg0eWY=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "e0a3f4e2bbc5f7b681e344b389dcbab23f2e92a8",
+        "rev": "154ab603fb2b794b437f233853aeb3c75f101049",
        "type": "github"
      },
      "original": {
@@ -577,26 +680,26 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1732824227,
-        "narHash": "sha256-fYNXgpu1AEeLyd3fQt4Ym0tcVP7cdJ8wRoqJ+CtTRyY=",
+        "lastModified": 1720535198,
+        "narHash": "sha256-zwVvxrdIzralnSbcpghA92tWu2DV2lwv89xZc8MTrbg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c71ad5c34d51dcbda4c15f44ea4e4aa6bb6ac1e9",
+        "rev": "205fd4226592cc83fd4c0885a3e4c9c400efabb5",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-24.11",
+        "ref": "nixos-23.11",
        "type": "indirect"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1732758367,
-        "narHash": "sha256-RzaI1RO0UXqLjydtz3GAXSTzHkpb/lLD1JD8a0W4Wpo=",
+        "lastModified": 1723175592,
+        "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fa42b5a5f401aab8a32bd33c9a4de0738180dc59",
+        "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
        "type": "github"
      },
      "original": {
@@ -671,7 +774,7 @@
    },
    "poetry2nix": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_4",
        "nix-github-actions": "nix-github-actions",
        "nixpkgs": "nixpkgs_2",
        "systems": "systems_4",
@@ -694,19 +797,19 @@
    "ragenix": {
      "inputs": {
        "agenix": "agenix",
-        "crane": "crane",
-        "flake-utils": "flake-utils_8",
+        "crane": "crane_2",
+        "flake-utils": "flake-utils_10",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1731774781,
-        "narHash": "sha256-vwsUUYOIs8J6weeSK1n1mbZf8fgvygGUMsadx0JmG70=",
+        "lastModified": 1725195663,
+        "narHash": "sha256-vnmQ0tMkQpiOW5xvM9WVVDLr4OjYKquq0iOaAlPriqA=",
        "owner": "devplayer0",
        "repo": "ragenix",
-        "rev": "ec4115da7b67c783b1091811e17dbcba50edd1c6",
+        "rev": "58820d99352a5e7067ec98374b8c4519c8e225b6",
        "type": "github"
      },
      "original": {
@@ -718,11 +821,12 @@
    },
    "root": {
      "inputs": {
+        "attic": "attic",
        "boardie": "boardie",
        "borgthin": "borgthin",
        "deploy-rs": "deploy-rs",
        "devshell": "devshell_3",
-        "flake-utils": "flake-utils_6",
+        "flake-utils": "flake-utils_8",
        "home-manager-stable": "home-manager-stable",
        "home-manager-unstable": "home-manager-unstable",
        "impermanence": "impermanence",
@@ -737,17 +841,21 @@
    },
    "rust-overlay": {
      "inputs": {
+        "flake-utils": [
+          "ragenix",
+          "flake-utils"
+        ],
        "nixpkgs": [
          "ragenix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1725675754,
-        "narHash": "sha256-hXW3csqePOcF2e/PYnpXj72KEYyNj2HzTrVNmS/F7Ug=",
+        "lastModified": 1708740535,
+        "narHash": "sha256-NCTw235XwSDbeTAtAwg/hOeNOgwYhVq7JjDdbkOgBeA=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "8cc45e678e914a16c8e224c3237fb07cf21e5e54",
+        "rev": "9b24383d77f598716fa0cbb8b48c97249f5ee1af",
        "type": "github"
      },
      "original": {
@@ -758,7 +866,7 @@
    },
    "sbt": {
      "inputs": {
-        "flake-utils": "flake-utils_11",
+        "flake-utils": "flake-utils_13",
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
@@ -778,7 +886,7 @@
    "sharry": {
      "inputs": {
        "devshell-tools": "devshell-tools",
-        "flake-utils": "flake-utils_10",
+        "flake-utils": "flake-utils_12",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
@@ -828,6 +936,21 @@
        "type": "github"
      }
    },
+    "systems_11": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@@ -7,13 +7,13 @@
    devshell.inputs.nixpkgs.follows = "nixpkgs-unstable";

    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "nixpkgs/nixos-24.11";
+    nixpkgs-stable.url = "nixpkgs/nixos-23.11";
    nixpkgs-mine.url = "github:devplayer0/nixpkgs/devplayer0";
    nixpkgs-mine-stable.url = "github:devplayer0/nixpkgs/devplayer0-stable";

    home-manager-unstable.url = "home-manager";
    home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
-    home-manager-stable.url = "home-manager/release-24.11";
+    home-manager-stable.url = "home-manager/release-23.11";
    home-manager-stable.inputs.nixpkgs.follows = "nixpkgs-stable";

    # Stuff used by the flake for build / deployment
@@ -35,6 +35,9 @@
    sharry.inputs.nixpkgs.follows = "nixpkgs-unstable";
    borgthin.url = "github:devplayer0/borg";
    borgthin.inputs.nixpkgs.follows = "nixpkgs-mine";
+    attic.url = "github:zhaofengli/attic";
+    attic.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    attic.inputs.nixpkgs-stable.follows = "nixpkgs-stable";
  };

  outputs =
@@ -93,6 +96,7 @@
            inputs.ragenix.overlays.default
            inputs.deploy-rs.overlay
            (flakePackageOverlay inputs.home-manager-unstable system)
+            inputs.attic.overlays.default
          ];
        }))
        pkgsFlakes;
@@ -204,9 +208,8 @@
        systems' = mapAttrs' (n: v: nameValuePair "system-${n}" v) systems;
        packages' = mapAttrs' (n: v: nameValuePair "package-${n}" v) packages;
      in
-        homes' // systems' // packages' // {
+        pkgs.linkFarm "ci" (homes' // systems' // packages' // {
          inherit shell;
-        };
-      ciDrv = pkgs.linkFarm "ci" ci;
+        });
    }));
 }
--- a/home-manager/modules/gui/default.nix
+++ b/home-manager/modules/gui/default.nix
@@ -1,6 +1,6 @@
 { lib, pkgs', pkgs, config, ... }:
 let
-  inherit (lib) genAttrs mkIf mkMerge mkForce mapAttrs mkOptionDefault;
+  inherit (lib) genAttrs mkIf mkMerge mkForce;
  inherit (lib.my) mkBoolOpt';

  cfg = config.my.gui;
@@ -42,8 +42,9 @@ in
            xdg-utils

            font.package
-            nerd-fonts.sauce-code-pro
-            nerd-fonts.droid-sans-mono
+            (nerdfonts.override {
+              fonts = [ "DroidSansMono" "SourceCodePro" ];
+            })
            noto-fonts-emoji

            grim
@@ -79,7 +80,7 @@ in
          alacritty = {
            enable = true;
            settings = {
-              general.import = [ ./alacritty-xterm.toml ];
+              import = [ ./alacritty-xterm.toml ];

              font = {
                size = font.size;
@@ -98,7 +99,6 @@ in
              background_opacity = "0.65";
              tab_bar_edge = "top";
              shell_integration = "no-sudo";
-              font_features = "${font.name} -liga";
            };
          };

@@ -186,7 +186,6 @@ in
            wl-clipboard
            wev
            wdisplays
-            swaysome

            pavucontrol
            libsecret
@@ -209,36 +208,9 @@ in
        xsession.preferStatusNotifierItems = true;
        wayland = {
          windowManager = {
-            sway =
-            let
-              cfg = config.wayland.windowManager.sway.config;
-              mod = cfg.modifier;
-
-              renameWs = pkgs.writeShellScript "sway-rename-ws" ''
-                focused_ws="$(swaymsg -t get_workspaces | jq ".[] | select(.focused)")"
-                focused_num="$(jq -r ".num" <<< "$focused_ws")"
-                focused_name="$(jq -r ".name" <<< "$focused_ws")"
-                placeholder="$(sed -E 's/[0-9]+: //' <<< "$focused_name")"
-
-                name="$(rofi -dmenu -p "rename ws $focused_num" -theme+entry+placeholder "\"$placeholder\"")"
-                if [ -n "$name" ]; then
-                  swaymsg rename workspace "$focused_name" to "$focused_num: $name"
-                fi
-              '';
-              clearWsName = pkgs.writeShellScript "sway-clear-ws-name" ''
-                focused_ws="$(swaymsg -t get_workspaces | jq ".[] | select(.focused)")"
-                focused_num="$(jq -r ".num" <<< "$focused_ws")"
-                focused_name="$(jq -r ".name" <<< "$focused_ws")"
-
-                swaymsg rename workspace "$focused_name" to "$focused_num"
-              '';
-            in
-            {
+            sway = {
              enable = true;
              xwayland = true;
-              extraConfigEarly = ''
-                set $mod ${mod}
-              '';
              config = {
                input = {
                  "type:touchpad" = {
@@ -253,95 +225,31 @@ in

                modifier = "Mod4";
                terminal = "kitty";
-                keybindings = mapAttrs (k: mkOptionDefault) {
-                  "${mod}+Left" = "focus left";
-                  "${mod}+Down" = "focus down";
-                  "${mod}+Up" = "focus up";
-                  "${mod}+Right" = "focus right";
+                keybindings =
+                  let
+                    cfg = config.wayland.windowManager.sway.config;
+                    mod = cfg.modifier;
+                  in
+                  lib.mkOptionDefault {
+                    "${mod}+d" = null;
+                    "${mod}+l" = "exec ${doomsaver}/bin/doomsaver";
+                    "${mod}+x" = "exec ${cfg.menu}";
+                    "${mod}+Shift+x" = "exec rofi -show drun";
+                    "${mod}+q" = "kill";
+                    "${mod}+Shift+q" = "exec swaynag -t warning -m 'bruh you really wanna kill sway?' -b 'ye' 'systemctl --user stop graphical-session.target && swaymsg exit'";
+                    "${mod}+Shift+d" = ''exec grim - | swappy -f -'';
+                    "${mod}+Shift+s" = ''exec grim -g "$(slurp)" - | swappy -f -'';
+                    "${mod}+Shift+e" = "exec rofi -show emoji";
+                    # Config for this doesn't seem to work :/
+                    "${mod}+c" = ''exec rofi -show calc -calc-command "echo -n '{result}' | ${pkgs.wl-clipboard}/bin/wl-copy"'';

-                  "${mod}+Shift+Left" = "move left";
-                  "${mod}+Shift+Down" = "move down";
-                  "${mod}+Shift+Up" = "move up";
-                  "${mod}+Shift+Right" = "move right";
-
-                  "${mod}+b" = "splith";
-                  "${mod}+v" = "splitv";
-                  "${mod}+f" = "fullscreen toggle";
-                  "${mod}+a" = "focus parent";
-
-                  "${mod}+s" = "layout stacking";
-                  "${mod}+w" = "layout tabbed";
-                  "${mod}+e" = "layout toggle split";
-
-                  "${mod}+Shift+space" = "floating toggle";
-                  "${mod}+space" = "focus mode_toggle";
-
-                  "${mod}+1" = "workspace number 1";
-                  "${mod}+2" = "workspace number 2";
-                  "${mod}+3" = "workspace number 3";
-                  "${mod}+4" = "workspace number 4";
-                  "${mod}+5" = "workspace number 5";
-                  "${mod}+6" = "workspace number 6";
-                  "${mod}+7" = "workspace number 7";
-                  "${mod}+8" = "workspace number 8";
-                  "${mod}+9" = "workspace number 9";
-                  "${mod}+0" = "workspace number 10";
-
-                  "${mod}+Shift+1" =
-                    "move container to workspace number 1";
-                  "${mod}+Shift+2" =
-                    "move container to workspace number 2";
-                  "${mod}+Shift+3" =
-                    "move container to workspace number 3";
-                  "${mod}+Shift+4" =
-                    "move container to workspace number 4";
-                  "${mod}+Shift+5" =
-                    "move container to workspace number 5";
-                  "${mod}+Shift+6" =
-                    "move container to workspace number 6";
-                  "${mod}+Shift+7" =
-                    "move container to workspace number 7";
-                  "${mod}+Shift+8" =
-                    "move container to workspace number 8";
-                  "${mod}+Shift+9" =
-                    "move container to workspace number 9";
-                  "${mod}+Shift+0" =
-                    "move container to workspace number 10";
-
-                  "${mod}+Shift+minus" = "move scratchpad";
-                  "${mod}+minus" = "scratchpad show";
-
-                  "${mod}+Return" = "exec ${cfg.terminal}";
-                  "${mod}+r" = "mode resize";
-                  "${mod}+d" = null;
-                  "${mod}+l" = "exec ${doomsaver}/bin/doomsaver";
-                  "${mod}+q" = "kill";
-                  "${mod}+Shift+c" = "reload";
-                  "${mod}+Shift+q" = "exec swaynag -t warning -m 'bruh you really wanna kill sway?' -b 'ye' 'systemctl --user stop graphical-session.target && swaymsg exit'";
-
-                  # rofi
-                  "${mod}+x" = "exec ${cfg.menu}";
-                  "${mod}+Shift+x" = "exec rofi -show drun";
-                  "${mod}+Shift+e" = "exec rofi -show emoji";
-                  # Config for this doesn't seem to work :/
-                  "${mod}+c" = ''exec rofi -show calc -calc-command "echo -n '{result}' | ${pkgs.wl-clipboard}/bin/wl-copy"'';
-                  "${mod}+Shift+r" = "exec ${renameWs}";
-                  "${mod}+Shift+n" = "exec ${clearWsName}";
-
-                  # Screenshots
-                  "${mod}+Shift+d" = ''exec grim - | swappy -f -'';
-                  "${mod}+Shift+s" = ''exec grim -g "$(slurp)" - | swappy -f -'';
-
-                  "XF86MonBrightnessDown" = "exec ${pkgs.brightnessctl}/bin/brightnessctl set 5%-";
-                  "XF86MonBrightnessUp" = "exec ${pkgs.brightnessctl}/bin/brightnessctl set +5%";
-
-                  "XF86AudioRaiseVolume" = "exec ${pkgs.pamixer}/bin/pamixer -i 5";
-                  "XF86AudioLowerVolume" = "exec ${pkgs.pamixer}/bin/pamixer -d 5";
-                  "XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play";
-                  "XF86AudioPause" = "exec ${pkgs.playerctl}/bin/playerctl pause";
-                  "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
-                  "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
-                };
+                    "XF86AudioRaiseVolume" = "exec ${pkgs.pamixer}/bin/pamixer -i 5";
+                    "XF86AudioLowerVolume" = "exec ${pkgs.pamixer}/bin/pamixer -d 5";
+                    "XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play";
+                    "XF86AudioPause" = "exec ${pkgs.playerctl}/bin/playerctl pause";
+                    "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
+                    "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
+                  };
                keycodebindings = {
                  # keycode for XF86AudioPlayPause (no sym for some reason)
                  "172" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
@@ -350,9 +258,6 @@ in
                menu = "rofi -show run";
                bars = mkForce [ ];
              };
-              extraConfig = ''
-                include ${./swaysome.conf}
-              '';

              swaynag = {
                enable = true;
@@ -411,13 +316,11 @@ in

          waybar = import ./waybar.nix { inherit lib pkgs config font; };
          rofi = {
-            package = pkgs.rofi-wayland;
            enable = true;
            font = "${font.name} ${toString font.size}";
-            plugins = with pkgs; (map (p: p.override { rofi-unwrapped = rofi-wayland-unwrapped; }) [
+            plugins = with pkgs; [
              rofi-calc
-            ]) ++ [
-              rofi-emoji-wayland
+              rofi-emoji
            ];
            extraConfig = {
              modes = "window,run,ssh,filebrowser,calc,emoji";
--- a/home-manager/modules/gui/swaysome.conf
+++ b/home-manager/modules/gui/swaysome.conf
@@ -1,66 +0,0 @@
-# Use (un)bindcode or (un)bindsym, depending on what you used in your main sway config file.
-# The `--no-warn` setting is only added to shortcuts that exist in the default config. You may want to add or remove
-# that flag on some bindings depending on your config.
-
-
-# Change focus between workspaces
-bindsym $mod+Alt+1 exec "swaysome focus 1"
-bindsym $mod+Alt+2 exec "swaysome focus 2"
-bindsym $mod+Alt+3 exec "swaysome focus 3"
-bindsym $mod+Alt+4 exec "swaysome focus 4"
-bindsym $mod+Alt+5 exec "swaysome focus 5"
-bindsym $mod+Alt+6 exec "swaysome focus 6"
-bindsym $mod+Alt+7 exec "swaysome focus 7"
-bindsym $mod+Alt+8 exec "swaysome focus 8"
-bindsym $mod+Alt+9 exec "swaysome focus 9"
-bindsym $mod+Alt+0 exec "swaysome focus 0"
-
-# Focus workspace groups
-bindsym --no-warn $mod+1 exec "swaysome focus-group 1"
-bindsym --no-warn $mod+2 exec "swaysome focus-group 2"
-bindsym --no-warn $mod+3 exec "swaysome focus-group 3"
-bindsym --no-warn $mod+4 exec "swaysome focus-group 4"
-bindsym --no-warn $mod+5 exec "swaysome focus-group 5"
-bindsym --no-warn $mod+6 exec "swaysome focus-group 6"
-bindsym --no-warn $mod+7 exec "swaysome focus-group 7"
-bindsym --no-warn $mod+8 exec "swaysome focus-group 8"
-bindsym --no-warn $mod+9 exec "swaysome focus-group 9"
-bindsym --no-warn $mod+0 exec "swaysome focus-group 0"
-
-# Move containers between workspaces
-bindsym $mod+Alt+Shift+1 exec "swaysome move 1"
-bindsym $mod+Alt+Shift+2 exec "swaysome move 2"
-bindsym $mod+Alt+Shift+3 exec "swaysome move 3"
-bindsym $mod+Alt+Shift+4 exec "swaysome move 4"
-bindsym $mod+Alt+Shift+5 exec "swaysome move 5"
-bindsym $mod+Alt+Shift+6 exec "swaysome move 6"
-bindsym $mod+Alt+Shift+7 exec "swaysome move 7"
-bindsym $mod+Alt+Shift+8 exec "swaysome move 8"
-bindsym $mod+Alt+Shift+9 exec "swaysome move 9"
-bindsym $mod+Alt+Shift+0 exec "swaysome move 0"
-
-# Move containers to other workspace groups
-bindsym --no-warn $mod+Shift+1 exec "swaysome move-to-group 1"
-bindsym --no-warn $mod+Shift+2 exec "swaysome move-to-group 2"
-bindsym --no-warn $mod+Shift+3 exec "swaysome move-to-group 3"
-bindsym --no-warn $mod+Shift+4 exec "swaysome move-to-group 4"
-bindsym --no-warn $mod+Shift+5 exec "swaysome move-to-group 5"
-bindsym --no-warn $mod+Shift+6 exec "swaysome move-to-group 6"
-bindsym --no-warn $mod+Shift+7 exec "swaysome move-to-group 7"
-bindsym --no-warn $mod+Shift+8 exec "swaysome move-to-group 8"
-bindsym --no-warn $mod+Shift+9 exec "swaysome move-to-group 9"
-bindsym --no-warn $mod+Shift+0 exec "swaysome move-to-group 0"
-
-# Move focused container to next output
-bindsym $mod+Alt+Right exec "swaysome next-output"
-# Move focused container to previous output
-bindsym $mod+Alt+Left exec "swaysome prev-output"
-
-# Move focused workspace group to next output
-bindsym $mod+Shift+Alt+Right exec "swaysome workspace-group-next-output"
-# Move focused workspace group to previous output
-bindsym $mod+Shift+Alt+Left exec "swaysome workspace-group-prev-output"
-
-# Init workspaces for every screen
-exec "swaysome init 1"
-
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -27,7 +27,7 @@ rec {

  kernel = {
    lts = pkgs: pkgs.linuxKernel.packages.linux_6_6;
-    latest = pkgs: pkgs.linuxKernel.packages.linux_6_12;
+    latest = pkgs: pkgs.linuxKernel.packages.linux_6_9;
  };

  nginx = rec {
@@ -228,17 +228,6 @@ rec {
        proto = "udp";
      }

-      {
-        port = 15636;
-        dst = aa.enshrouded-oci.internal.ipv4.address;
-        proto = "udp";
-      }
-      {
-        port = 15637;
-        dst = aa.enshrouded-oci.internal.ipv4.address;
-        proto = "udp";
-      }
-
      {
        port = qclk.wgPort;
        dst = aa.qclk.internal.ipv4.address;
@@ -267,7 +256,7 @@ rec {
      "stream"
    ];
    routersPubV4 = [
-      "109.255.31.155"
+      "80.111.122.16"
      "109.255.252.63"
    ];

--- a/lib/default.nix
+++ b/lib/default.nix
@@ -248,8 +248,8 @@ rec {
  in
  {
    trivial = prev.trivial // {
-      release = "24.12:u-${prev.trivial.release}";
-      codeName = "Epic";
+      release = "24.07:u-${prev.trivial.release}";
+      codeName = "Diffed";
      revisionWithDefault = default: self.rev or default;
      versionSuffix = ".${date}.${revCode self}:u-${revCode pkgsFlake}";
    };
--- a/nixos/boxes/britway/default.nix
+++ b/nixos/boxes/britway/default.nix
@@ -106,7 +106,7 @@ in
                  {
                    matchConfig.Name = "as211024";
                    networkConfig.IPv6AcceptRA = mkForce false;
-                    routes = [
+                    routes = map (r: { routeConfig = r; }) [
                      {
                        Destination = lib.my.c.colony.prefixes.all.v4;
                        Gateway = allAssignments.estuary.as211024.ipv4.address;
@@ -123,7 +123,7 @@ in
                        Table = "ts-extra";
                      }
                    ];
-                    routingPolicyRules = [
+                    routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
                      {
                        IncomingInterface = "tailscale0";
                        To = lib.my.c.colony.prefixes.all.v6;
--- a/nixos/boxes/britway/nginx.nix
+++ b/nixos/boxes/britway/nginx.nix
@@ -80,7 +80,7 @@ in
              };
            };

-            "hs.${pubDomain}" = {
+            "ts.${pubDomain}" = {
              locations."/" = {
                proxyPass = "http://localhost:${toString config.services.headscale.port}";
                proxyWebsockets = true;
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -1,11 +1,10 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
-  inherit (lib) concatStringsSep;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britway) prefixes domain;

  # Can't use overrideAttrs because we need to override `vendorHash` within `buildGoModule`
-  headscale' = (pkgs.headscale.override {
+  headscale = (pkgs.headscale.override {
    buildGoModule = args: pkgs.buildGoModule (args // rec {
      version = "0.23.0-alpha12";
      src = pkgs.fetchFromGitHub {
@@ -20,10 +19,6 @@ let
    });
  });

-  advRoutes = concatStringsSep "," [
-    lib.my.c.home.prefixes.all.v4
-    lib.my.c.home.prefixes.all.v6
-  ];
  pubNameservers = [
    "1.1.1.1"
    "1.0.0.1"
@@ -41,20 +36,21 @@ in
    services = {
      headscale = {
        enable = true;
+        package = headscale;
        settings = {
          disable_check_updates = true;
          unix_socket_permission = "0770";
-          server_url = "https://hs.${pubDomain}";
+          server_url = "https://ts.${pubDomain}";
          database = {
            type = "sqlite3";
            sqlite.path = "/var/lib/headscale/db.sqlite3";
          };
          noise.private_key_path = "/var/lib/headscale/noise_private.key";
          prefixes = with lib.my.c.tailscale.prefix; { inherit v4 v6; };
-          dns = {
+          dns_config = {
            # Use IPs that will route inside the VPN to prevent interception
            # (e.g. DNS rebinding filtering)
-            nameservers.split = {
+            restricted_nameservers = {
              "${domain}" = pubNameservers;
              "${lib.my.c.colony.domain}" = with allAssignments.estuary.base; [
                ipv4.address ipv6.address
@@ -68,6 +64,7 @@ in
            };
            magic_dns = true;
            base_domain = "ts.${pubDomain}";
+            override_local_dns = false;
          };
          oidc = {
            only_start_if_oidc_is_available = true;
@@ -87,10 +84,9 @@ in
        interfaceName = "tailscale0";
        extraUpFlags = [
          "--operator=${config.my.user.config.name}"
-          "--login-server=https://hs.nul.ie"
+          "--login-server=https://ts.nul.ie"
          "--netfilter-mode=off"
          "--advertise-exit-node"
-          "--advertise-routes=${advRoutes}"
          "--accept-routes=false"
        ];
      };
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -252,10 +252,10 @@ in
                  };
                  ipv6Prefixes = [
                    {
-                      Prefix = prefixes.vms.v6;
+                      ipv6PrefixConfig.Prefix = prefixes.vms.v6;
                    }
                  ];
-                  routes = [
+                  routes = map (r: { routeConfig = r; }) [
                    {
                      Destination = prefixes.ctrs.v4;
                      Gateway = allAssignments.shill.routing.ipv4.address;
@@ -327,10 +327,10 @@ in
                };
                ipv6Prefixes = [
                  {
-                    Prefix = prefixes.mail.v6;
+                    ipv6PrefixConfig.Prefix = prefixes.mail.v6;
                  }
                ];
-                routes = [
+                routes = map (r: { routeConfig = r; }) [
                  {
                    Destination = prefixes.mail.v4;
                    Scope = "link";
@@ -350,10 +350,10 @@ in
                };
                ipv6Prefixes = [
                  {
-                    Prefix = prefixes.darts.v6;
+                    ipv6PrefixConfig.Prefix = prefixes.darts.v6;
                  }
                ];
-                routes = [
+                routes = map (r: { routeConfig = r; }) [
                  {
                    Destination = prefixes.darts.v4;
                    Scope = "link";
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -164,9 +164,11 @@ in
                    };
                    wireguardPeers = [
                      {
-                        PublicKey = "7N9YdQaCMWWIwAnW37vrthm9ZpbnG4Lx3gheHeRYz2E=";
-                        AllowedIPs = [ allAssignments.kelder.estuary.ipv4.address ];
-                        PersistentKeepalive = 25;
+                        wireguardPeerConfig = {
+                          PublicKey = "7N9YdQaCMWWIwAnW37vrthm9ZpbnG4Lx3gheHeRYz2E=";
+                          AllowedIPs = [ allAssignments.kelder.estuary.ipv4.address ];
+                          PersistentKeepalive = 25;
+                        };
                      }
                    ];
                  };
@@ -276,51 +278,52 @@ in
                    };
                    ipv6Prefixes = [
                      {
-                        Prefix = prefixes.base.v6;
+                        ipv6PrefixConfig.Prefix = prefixes.base.v6;
                      }
                    ];
-                    routes = flatten ([
-                      {
-                        Destination = prefixes.vip1;
-                        Gateway = allAssignments.colony.routing.ipv4.address;
-                      }
-                      {
-                        Destination = prefixes.vip3;
-                        Gateway = allAssignments.colony.routing.ipv4.address;
-                      }
-                      {
-                        Destination = prefixes.darts.v4;
-                        Gateway = allAssignments.colony.routing.ipv4.address;
-                      }
-                      {
-                        Destination = prefixes.cust.v6;
-                        Gateway = allAssignments.colony.internal.ipv6.address;
-                      }
+                    routes = map (r: { routeConfig = r; }) (flatten
+                      ([
+                        {
+                          Destination = prefixes.vip1;
+                          Gateway = allAssignments.colony.routing.ipv4.address;
+                        }
+                        {
+                          Destination = prefixes.vip3;
+                          Gateway = allAssignments.colony.routing.ipv4.address;
+                        }
+                        {
+                          Destination = prefixes.darts.v4;
+                          Gateway = allAssignments.colony.routing.ipv4.address;
+                        }
+                        {
+                          Destination = prefixes.cust.v6;
+                          Gateway = allAssignments.colony.internal.ipv6.address;
+                        }

-                      {
-                        Destination = lib.my.c.tailscale.prefix.v4;
-                        Gateway = allAssignments.colony.routing.ipv4.address;
-                      }
-                      {
-                        Destination = lib.my.c.tailscale.prefix.v6;
-                        Gateway = allAssignments.colony.internal.ipv6.address;
-                      }
+                        {
+                          Destination = lib.my.c.tailscale.prefix.v4;
+                          Gateway = allAssignments.colony.routing.ipv4.address;
+                        }
+                        {
+                          Destination = lib.my.c.tailscale.prefix.v6;
+                          Gateway = allAssignments.colony.internal.ipv6.address;
+                        }

-                      {
-                        Destination = prefixes.qclk.v4;
-                        Gateway = allAssignments.colony.routing.ipv4.address;
-                      }
-                    ] ++
-                    (map (pName: [
-                      {
-                        Gateway = allAssignments.colony.routing.ipv4.address;
-                        Destination = prefixes."${pName}".v4;
-                      }
-                      {
-                        Destination = prefixes."${pName}".v6;
-                        Gateway = allAssignments.colony.internal.ipv6.address;
-                      }
-                    ]) [ "vms" "ctrs" "oci" ]));
+                        {
+                          Destination = prefixes.qclk.v4;
+                          Gateway = allAssignments.colony.routing.ipv4.address;
+                        }
+                      ] ++
+                      (map (pName: [
+                        {
+                          Gateway = allAssignments.colony.routing.ipv4.address;
+                          Destination = prefixes."${pName}".v4;
+                        }
+                        {
+                          Destination = prefixes."${pName}".v6;
+                          Gateway = allAssignments.colony.internal.ipv6.address;
+                        }
+                      ]) [ "vms" "ctrs" "oci" ])));
                  }
                ];

@@ -329,7 +332,7 @@ in
                  {
                    matchConfig.Name = "as211024";
                    networkConfig.IPv6AcceptRA = mkForce false;
-                    routes = [
+                    routes = map (r: { routeConfig = r; }) [
                      {
                        Destination = lib.my.c.home.prefixes.all.v4;
                        Gateway = lib.my.c.home.vips.as211024.v4;
@@ -341,8 +344,10 @@ in
                  matchConfig.Name = "kelder";
                  routes = [
                    {
-                      Destination = allAssignments.kelder.estuary.ipv4.address;
-                      Scope = "link";
+                      routeConfig = {
+                        Destination = allAssignments.kelder.estuary.ipv4.address;
+                        Scope = "link";
+                      };
                    }
                  ];
                };
@@ -407,7 +412,6 @@ in
                      ip6 daddr ${aa.valheim-oci.internal.ipv6.address} udp dport { 2456-2457 } accept
                      ip6 daddr ${aa.waffletail.internal.ipv6.address} udp dport 41641 accept
                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} udp dport 25565 accept
-                      ip6 daddr ${aa.enshrouded-oci.internal.ipv6.address} udp dport { 15636-15637 } accept
                      return
                    }
                    chain filter-routing {
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -153,7 +153,6 @@ in
            simpcraft IN AAAA ${allAssignments.simpcraft-oci.internal.ipv6.address}
            simpcraft-staging IN A ${assignments.internal.ipv4.address}
            simpcraft-staging IN AAAA ${allAssignments.simpcraft-staging-oci.internal.ipv6.address}
-            enshrouded IN A ${assignments.internal.ipv4.address}

            mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
            mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
--- a/nixos/boxes/colony/vms/git/gitea-actions.nix
+++ b/nixos/boxes/colony/vms/git/gitea-actions.nix
@@ -35,11 +35,6 @@ in
          ];
          url = "https://git.${pubDomain}";
          tokenFile = config.age.secrets."gitea/actions-runner.env".path;
-          settings = {
-            runner = {
-              timeout = "8h";
-            };
-          };
        };
      };
    };
--- a/nixos/boxes/colony/vms/shill/containers-ext.nix
+++ b/nixos/boxes/colony/vms/shill/containers-ext.nix
@@ -47,10 +47,10 @@ in
        };
        ipv6Prefixes = [
          {
-            Prefix = prefixes.jam.v6;
+            ipv6PrefixConfig.Prefix = prefixes.jam.v6;
          }
        ];
-        routes = [
+        routes = map (r: { routeConfig = r; }) [
          {
            Destination = prefixes.jam.v4;
            Scope = "link";
--- a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
+++ b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
@@ -50,6 +50,11 @@ in
                  group = "matrix-synapse";
                };

+                "chatterbox/syncv3.env" = {
+                  owner = "matrix-syncv3";
+                  group = "matrix-syncv3";
+                };
+
                "chatterbox/mautrix-whatsapp.env" = {
                  owner = "mautrix-whatsapp";
                  group = "mautrix-whatsapp";
@@ -75,21 +80,32 @@ in
              matrix-synapse.extraGroups = [
                "mautrix-whatsapp"
              ];
+              matrix-syncv3 = {
+                isSystemUser = true;
+                uid = uids.matrix-syncv3;
+                group = "matrix-syncv3";
+              };
+            };
+            groups = {
+              matrix-syncv3.gid = gids.matrix-syncv3;
            };
-            groups = { };
          };

          systemd = {
            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
-            services = { } // (genAttrs [ "mautrix-whatsapp" "mautrix-meta-messenger" "mautrix-meta-instagram" ] (_: {
+            services = {
+              matrix-sliding-sync.serviceConfig = {
+                # Needs to be able to read its secrets
+                DynamicUser = mkForce false;
+                User = "matrix-syncv3";
+                Group = "matrix-syncv3";
+              };
+            } // (genAttrs [ "mautrix-whatsapp" "mautrix-meta-messenger" "mautrix-meta-instagram" ] (_: {
              # ffmpeg needed to convert GIFs to video
              path = with pkgs; [ ffmpeg ];
            }));
          };

-          # TODO/FIXME: https://github.com/NixOS/nixpkgs/issues/336052
-          nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
-
          services = {
            netdata.enable = true;
            matrix-synapse = {
@@ -177,10 +193,20 @@ in
                app_service_config_files = [
                  "/var/lib/heisenbridge/registration.yml"
                  config.age.secrets."chatterbox/doublepuppet.yaml".path
+                  "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
                ];
              };

            };
+            matrix-sliding-sync = {
+              enable = true;
+              createDatabase = false;
+              environmentFile = config.age.secrets."chatterbox/syncv3.env".path;
+              settings = {
+                SYNCV3_BINDADDR = "[::]:8009";
+                SYNCV3_SERVER = "http://localhost:8008";
+              };
+            };

            heisenbridge = {
              enable = true;
@@ -259,12 +285,10 @@ in
                      avatar = "mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak";
                    };
                  };
-                  network = {
-                    mode = "messenger";
-                    displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (FBM)'';
-                  };
+                  meta.mode = "messenger";
                  bridge = {
                    username_template = "fbm2_{{.}}";
+                    displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (FBM)'';
                    personal_filtering_spaces = true;
                    delivery_receipts = true;
                    management_room_text.welcome = "Hello, I'm a Messenger bridge bot.";
@@ -307,12 +331,10 @@ in
                      avatar = "mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv";
                    };
                  };
-                  network = {
-                    mode = "instagram";
-                    displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (IG)'';
-                  };
+                  meta.mode = "instagram";
                  bridge = {
                    username_template = "ig_{{.}}";
+                    displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (IG)'';
                    personal_filtering_spaces = true;
                    delivery_receipts = true;
                    management_room_text.welcome = "Hello, I'm an Instagram bridge bot.";
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
@@ -94,14 +94,6 @@ in
          };
        };

-        nixpkgs.config.permittedInsecurePackages = [
-          # FIXME: This is needed for Sonarr
-          "aspnetcore-runtime-wrapped-6.0.36"
-          "aspnetcore-runtime-6.0.36"
-          "dotnet-sdk-wrapped-6.0.428"
-          "dotnet-sdk-6.0.428"
-        ];
-
        services = {
          netdata.enable = true;

--- a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
@@ -71,12 +71,14 @@ in
              RouteTable = routeTable;
            };
            wireguardPeers = [
-              # AirVPN NL
              {
-                Endpoint = "2a00:1678:1337:2329:e5f:35d4:4404:ef9f:1637";
-                PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
-                PresharedKeyFile = config.age.secrets."${pskFile}".path;
-                AllowedIPs = [ "0.0.0.0/0" "::/0" ];
+                # AirVPN NL
+                wireguardPeerConfig = {
+                  Endpoint = "2a00:1678:1337:2329:e5f:35d4:4404:ef9f:1637";
+                  PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+                  PresharedKeyFile = config.age.secrets."${pskFile}".path;
+                  AllowedIPs = [ "0.0.0.0/0" "::/0" ];
+                };
              }
            ];
          };
@@ -92,7 +94,7 @@ in
              matchConfig.Name = "vpn";
              address = [ "10.182.97.37/32" "fd7d:76ee:e68f:a993:735d:ef5e:6907:b122/128" ];
              dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
-              routingPolicyRules = [
+              routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
                {
                  Family = "both";
                  SuppressPrefixLength = 0;
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -35,6 +35,7 @@ let
      # For clients
      (mkWellKnown "matrix/client" (toJSON {
        "m.homeserver".base_url = "https://matrix.nul.ie";
+        "org.matrix.msc3575.proxy".url = "https://matrix-syncv3.nul.ie";
      }))
    ];
  };
@@ -181,6 +182,10 @@ in
        ];
        useACMEHost = pubDomain;
      };
+      "matrix-syncv3.${pubDomain}" = {
+        locations."/".proxyPass = "http://chatterbox-ctr.${domain}:8009";
+        useACMEHost = pubDomain;
+      };

      "element.${pubDomain}" =
      let
--- a/nixos/boxes/colony/vms/shill/containers/object.nix
+++ b/nixos/boxes/colony/vms/shill/containers/object.nix
@@ -216,7 +216,7 @@ in

            atticd = {
              enable = false;
-              environmentFile = config.age.secrets."object/atticd.env".path;
+              credentialsFile = config.age.secrets."object/atticd.env".path;
              settings = {
                listen = "[::]:8069";
                allowed-hosts = [ "nix-cache.${pubDomain}" ];
@@ -237,7 +237,7 @@ in

            harmonia = {
              enable = true;
-              signKeyPaths = [ config.age.secrets."nix-cache.key".path ];
+              signKeyPath = config.age.secrets."nix-cache.key".path;
              settings = {
                priority = 30;
              };
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -99,8 +99,6 @@ in
            };

            borgbackup.jobs.vaultwarden = {
-              readWritePaths = [ "/var/lib/borgbackup" "/var/cache/borgbackup" ];
-
              paths = [ vwData ];
              repo = "zh2855@zh2855.rsync.net:borg/vaultwarden2";
              doInit = true;
--- a/nixos/boxes/colony/vms/shill/containers/waffletail.nix
+++ b/nixos/boxes/colony/vms/shill/containers/waffletail.nix
@@ -86,7 +86,7 @@ in
            interfaceName = "tailscale0";
            extraUpFlags = [
              "--operator=${config.my.user.config.name}"
-              "--login-server=https://hs.nul.ie"
+              "--login-server=https://ts.nul.ie"
              "--netfilter-mode=off"
              "--advertise-exit-node"
              "--advertise-routes=${advRoutes}"
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -140,10 +140,10 @@ in
                    };
                    ipv6Prefixes = [
                      {
-                        Prefix = prefixes.ctrs.v6;
+                        ipv6PrefixConfig.Prefix = prefixes.ctrs.v6;
                      }
                    ];
-                    routes = [
+                    routes = map (r: { routeConfig = r; }) [
                      {
                        Destination = lib.my.c.tailscale.prefix.v4;
                        Gateway = allAssignments.waffletail.internal.ipv4.address;
--- a/nixos/boxes/colony/vms/whale2/default.nix
+++ b/nixos/boxes/colony/vms/whale2/default.nix
@@ -52,7 +52,6 @@ in
      valheim-oci = 2;
      simpcraft-oci = 3;
      simpcraft-staging-oci = 4;
-      enshrouded-oci = 5;
    };

    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@@ -67,7 +66,6 @@ in

          ./valheim.nix
          ./minecraft
-          # ./enshrouded.nix
        ];

        config = mkMerge [
--- a/nixos/boxes/colony/vms/whale2/enshrouded.nix
+++ b/nixos/boxes/colony/vms/whale2/enshrouded.nix
@@ -1,35 +0,0 @@
-{ lib, config, allAssignments, ... }:
-let
-  inherit (lib) concatStringsSep;
-  inherit (lib.my) dockerNetAssignment;
-in
-{
-  config = {
-    virtualisation.oci-containers.containers = {
-      enshrouded = {
-        image = "sknnr/enshrouded-dedicated-server@sha256:f163e8ba9caa2115d8a0a7b16c3696968242fb6fba82706d9a77a882df083497";
-
-        environment = {
-          SERVER_NAME = "UWUshrouded";
-          # SERVER_IP = "::"; # no IPv6?? :(
-          TZ = "Europe/Dublin";
-        };
-        environmentFiles = [ config.age.secrets."whale2/enshrouded.env".path ];
-
-        volumes = [
-          "enshrouded:/home/steam/enshrouded/savegame"
-        ];
-
-        extraOptions = [
-          ''--network=colony:${dockerNetAssignment allAssignments "enshrouded-oci"}''
-        ];
-      };
-    };
-
-    my = {
-      secrets.files = {
-        "whale2/enshrouded.env" = {};
-      };
-    };
-  };
-}
--- a/nixos/boxes/colony/vms/whale2/minecraft/default.nix
+++ b/nixos/boxes/colony/vms/whale2/minecraft/default.nix
@@ -123,7 +123,6 @@ in
          within = "12H";
          hourly = 48;
        };
-        readWritePaths = [ "/var/lib/borgbackup" "/var/cache/borgbackup" ];

        # Avoid Minecraft poking the files while we back up
        preHook = rconCommand "save-off";
--- a/nixos/boxes/home/castle/default.nix
+++ b/nixos/boxes/home/castle/default.nix
@@ -36,7 +36,7 @@ in
          cpu = {
            amd.updateMicrocode = true;
          };
-          graphics.extraPackages = with pkgs; [
+          opengl.extraPackages = with pkgs; [
            intel-media-driver
          ];
          bluetooth.enable = true;
--- a/nixos/boxes/home/palace/vms/sfh/containers/unifi.nix
+++ b/nixos/boxes/home/palace/vms/sfh/containers/unifi.nix
@@ -56,7 +56,6 @@ in
            enable = true;
            openFirewall = true;
            unifiPackage = pkgs.unifi8;
-            mongodbPackage = pkgs.mongodb-6_0;
          };
        };
      };
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -1,6 +1,7 @@
 index: { lib, allAssignments, ... }:
 let
  inherit (builtins) elemAt;
+  inherit (lib) concatStringsSep;
  inherit (lib.my) net mkVLAN;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.home) domain vlans prefixes vips routers routersPubV4;
@@ -150,6 +151,28 @@ in
            };

            nginx.enable = true;
+
+            tailscale =
+            let
+              advRoutes = concatStringsSep "," [
+                prefixes.all.v4
+                prefixes.all.v6
+              ];
+            in
+            {
+              enable = true;
+              authKeyFile = config.age.secrets."tailscale-auth.key".path;
+              openFirewall = true;
+              interfaceName = "tailscale0";
+              extraUpFlags = [
+                "--operator=${config.my.user.config.name}"
+                "--login-server=https://ts.nul.ie"
+                "--netfilter-mode=off"
+                "--advertise-exit-node"
+                "--advertise-routes=${advRoutes}"
+                "--accept-routes=false"
+              ];
+            };
          };

          networking = { inherit domain; };
@@ -227,7 +250,7 @@ in
                  networkConfig = networkd.noL3;
                  extraConfig = ''
                    [CAKE]
-                    Bandwidth=490M
+                    Bandwidth=235M
                    RTTSec=50ms
                    PriorityQueueingPreset=besteffort
                    # DOCSIS preset
@@ -251,7 +274,7 @@ in
                    extraConfig = ''
                      [CAKE]
                      Parent=root
-                      Bandwidth=48M
+                      Bandwidth=24M
                      RTTSec=50ms
                    '';
                  }
@@ -276,20 +299,11 @@ in
                  {
                    matchConfig.Name = "as211024";
                    networkConfig.IPv6AcceptRA = mkForce false;
-                    routes = [
+                    routes = map (r: { routeConfig = r; }) [
                      {
                        Destination = lib.my.c.colony.prefixes.all.v4;
                        Gateway = allAssignments.estuary.as211024.ipv4.address;
                      }
-
-                      {
-                        Destination = lib.my.c.tailscale.prefix.v4;
-                        Gateway = allAssignments.britway.as211024.ipv4.address;
-                      }
-                      {
-                        Destination = lib.my.c.tailscale.prefix.v6;
-                        Gateway = allAssignments.britway.as211024.ipv6.address;
-                      }
                    ];
                  }
                ];
@@ -301,7 +315,7 @@ in

              {
                "60-lan-hi" = {
-                  routes = [
+                  routes = map (r: { routeConfig = r; }) [
                    {
                      Destination = elemAt routersPubV4 otherIndex;
                      Gateway = net.cidr.host (otherIndex + 1) prefixes.hi.v4;
@@ -316,6 +330,7 @@ in
            secrets = {
              files = {
                "l2mesh/as211024.key" = {};
+                "tailscale-auth.key" = {};
              };
            };

@@ -325,7 +340,7 @@ in
              };
            };
            firewall = {
-              trustedInterfaces = [ "lan-hi" "lan-lo" ];
+              trustedInterfaces = [ "lan-hi" "lan-lo" "tailscale0" ];
              udp.allowed = [ 5353 ];
              tcp.allowed = [ 5353 ];
              nat = {
--- a/nixos/boxes/home/routing-common/keepalived.nix
+++ b/nixos/boxes/home/routing-common/keepalived.nix
@@ -61,7 +61,12 @@ in
        v6Alive = pingScriptFor "v6" [ "2606:4700:4700::1111" "2001:4860:4860::8888" "2600::" ];
      };
      vrrpInstances = {
-        v4 = mkVRRP "v4" 51;
+        v4 = mkVRRP "v4" 51 // {
+          extraConfig = ''
+            notify_master "${config.systemd.package}/bin/systemctl start tailscaled.service" root
+            notify_backup "${config.systemd.package}/bin/systemctl stop tailscaled.service" root
+          '';
+        };
        v6 = (mkVRRP "v6" 52) // {
          extraConfig = ''
            notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root
--- a/nixos/boxes/kelder/containers/acquisition/default.nix
+++ b/nixos/boxes/kelder/containers/acquisition/default.nix
@@ -26,7 +26,7 @@ in

      config = {
        # Hardware acceleration for Jellyfin
-        hardware.graphics = {
+        hardware.opengl = {
          enable = true;
          extraPackages = with pkgs; [
            vaapiIntel
@@ -78,14 +78,6 @@ in
          };
        };

-        nixpkgs.config.permittedInsecurePackages = [
-          # FIXME: This is needed for Sonarr
-          "aspnetcore-runtime-wrapped-6.0.36"
-          "aspnetcore-runtime-6.0.36"
-          "dotnet-sdk-wrapped-6.0.428"
-          "dotnet-sdk-6.0.428"
-        ];
-
        services = {
          transmission = {
            enable = true;
--- a/nixos/boxes/kelder/containers/acquisition/networking.nix
+++ b/nixos/boxes/kelder/containers/acquisition/networking.nix
@@ -73,12 +73,14 @@ in
              RouteTable = routeTable;
            };
            wireguardPeers = [
-              # AirVPN IE
              {
-                Endpoint = "146.70.94.2:1637";
-                PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
-                PresharedKeyFile = config.age.secrets."${pskFile}".path;
-                AllowedIPs = [ "0.0.0.0/0" "::/0" ];
+                # AirVPN IE
+                wireguardPeerConfig = {
+                  Endpoint = "146.70.94.2:1637";
+                  PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+                  PresharedKeyFile = config.age.secrets."${pskFile}".path;
+                  AllowedIPs = [ "0.0.0.0/0" "::/0" ];
+                };
              }
            ];
          };
@@ -95,7 +97,7 @@ in
              matchConfig.Name = "vpn";
              address = [ "10.161.170.28/32" "fd7d:76ee:e68f:a993:b12d:6d15:c80a:9516/128" ];
              dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
-              routingPolicyRules = [
+              routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
                {
                  Family = "both";
                  SuppressPrefixLength = 0;
--- a/nixos/boxes/kelder/default.nix
+++ b/nixos/boxes/kelder/default.nix
@@ -121,7 +121,8 @@ in

            samba = {
              enable = true;
-              settings = {
+              enableNmbd = true;
+              shares = {
                storage = {
                  path = "/mnt/storage";
                  browseable = "yes";
@@ -130,8 +131,6 @@ in
                  "directory mask" = "0775";
                };
              };
-
-              nmbd.enable = true;
            };
            samba-wsdd.enable = true;

@@ -181,10 +180,12 @@ in
                  };
                  wireguardPeers = [
                    {
-                      PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
-                      Endpoint = "${allAssignments.estuary.internal.ipv4.address}:${toString lib.my.c.kelder.vpn.port}";
-                      AllowedIPs = [ "0.0.0.0/0" ];
-                      PersistentKeepalive = 25;
+                      wireguardPeerConfig = {
+                        PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
+                        Endpoint = "${allAssignments.estuary.internal.ipv4.address}:${toString lib.my.c.kelder.vpn.port}";
+                        AllowedIPs = [ "0.0.0.0/0" ];
+                        PersistentKeepalive = 25;
+                      };
                    }
                  ];
                };
@@ -212,7 +213,7 @@ in
                  address = with assignments.estuary; [
                    (with ipv4; "${address}/${toString mask}")
                  ];
-                  routingPolicyRules = [
+                  routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
                    {
                      Family = "both";
                      SuppressPrefixLength = 0;
--- a/nixos/boxes/tower/default.nix
+++ b/nixos/boxes/tower/default.nix
@@ -14,7 +14,7 @@
          cpu = {
            intel.updateMicrocode = true;
          };
-          graphics.extraPackages = with pkgs; [
+          opengl.extraPackages = with pkgs; [
            intel-media-driver
          ];
          bluetooth.enable = true;
@@ -177,7 +177,7 @@
              programs = {
                fish = {
                  shellAbbrs = {
-                    tsup = "doas tailscale up --login-server=https://hs.nul.ie --accept-routes";
+                    tsup = "doas tailscale up --login-server=https://ts.nul.ie --accept-routes";
                  };
                };
              };
@@ -190,6 +190,10 @@
                config = {
                  input."1:1:AT_Translated_Set_2_keyboard".xkb_layout = "ie";
                  output.eDP-1.scale = "1";
+                  keybindings = {
+                    "XF86MonBrightnessDown" = "exec ${pkgs.brightnessctl}/bin/brightnessctl set 5%-";
+                    "XF86MonBrightnessUp" = "exec ${pkgs.brightnessctl}/bin/brightnessctl set +5%";
+                  };
                };
              };

--- a/nixos/installer.nix
+++ b/nixos/installer.nix
@@ -61,8 +61,8 @@
          };

          networking = {
-            # Will be set dynamically, but need something to satisfy `/etc/os-release` stuff
-            hostName = "installer";
+            # Will be set dynamically
+            hostName = "";
            useNetworkd = false;
          };

--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -12,6 +12,7 @@ in
    inputs.impermanence.nixosModule
    inputs.ragenix.nixosModules.age
    inputs.sharry.nixosModules.default
+    inputs.attic.nixosModules.atticd
  ];

  config = mkMerge [
@@ -40,7 +41,6 @@ in

      nix = {
        package = pkgs'.mine.nix;
-        channel.enable = false;
        settings = with lib.my.c.nix; {
          trusted-users = [ "@wheel" ];
          experimental-features = [ "nix-command" "flakes" "ca-derivations" ];
@@ -145,10 +145,7 @@ in
        fish.enable = mkDefault true;
        # TODO: This is expecting to look up the channel for the database...
        command-not-found.enable = mkDefault false;
-        vim = {
-          enable = true;
-          defaultEditor = true;
-        };
+        vim.defaultEditor = true;
      };

      services = {
@@ -243,7 +240,9 @@ in
    }
    (mkIf config.services.kmscon.enable {
      fonts.fonts = with pkgs; [
-        nerd-fonts.sauce-code-pro
+        (nerdfonts.override {
+          fonts = [ "SourceCodePro" ];
+        })
      ];
    })
  ];
--- a/nixos/modules/gui.nix
+++ b/nixos/modules/gui.nix
@@ -12,7 +12,7 @@ in

  config = mkIf cfg.enable {
    hardware = {
-      graphics.enable = mkDefault true;
+      opengl.enable = mkDefault true;
    };

    systemd = {
@@ -53,8 +53,6 @@ in
          SUBSYSTEM=="usb", ATTR{idVendor}=="057e", MODE="0664", GROUP="wheel"
          # FT
          SUBSYSTEM=="usb", ATTR{idVendor}=="0403", MODE="0664", GROUP="wheel"
-          # /dev/player0
-          SUBSYSTEM=="usb", ATTR{idVendor}=="6969", MODE="0664", GROUP="wheel"
        '';
      };
    };
--- a/nixos/modules/l2mesh.nix
+++ b/nixos/modules/l2mesh.nix
@@ -44,8 +44,10 @@ let
      toString (mesh.baseMTU - overhead);

      bridgeFDBs = mapAttrsToList (n: peer: {
-        MACAddress = "00:00:00:00:00:00";
-        Destination = peer.addr;
+        bridgeFDBConfig = {
+          MACAddress = "00:00:00:00:00:00";
+          Destination = peer.addr;
+        };
      }) otherPeers;
    };
  };
--- a/nixos/modules/netboot/default.nix
+++ b/nixos/modules/netboot/default.nix
@@ -5,19 +5,10 @@ let

  cfg = config.my.netboot;

-  ipxe = pkgs.ipxe.overrideAttrs (o: rec {
-    version = "1.21.1-unstable-2024-06-27";
-    src = pkgs.fetchFromGitHub {
-      owner = "ipxe";
-      repo = "ipxe";
-      rev = "b66e27d9b29a172a097c737ab4d378d60fe01b05";
-      hash = "sha256-TKZ4WjNV2oZIYNefch7E7m1JpeoC/d7O1kofoNv8G40=";
-    };
-  });
  tftpRoot = pkgs.linkFarm "tftp-root" [
    {
      name = "ipxe-x86_64.efi";
-      path = "${ipxe}/ipxe.efi";
+      path = "${pkgs.ipxe}/ipxe.efi";
    }
  ];
  menuFile = pkgs.runCommand "menu.ipxe" {
--- a/nixos/modules/nvme/default.nix
+++ b/nixos/modules/nvme/default.nix
@@ -5,15 +5,7 @@ let

  cfg = config.my.nvme;
  nvme-cli = pkgs.nvme-cli.override {
-    libnvme = pkgs.libnvme.overrideAttrs (o: rec {
-      # TODO: Remove when 1.11.1 releases (see https://github.com/linux-nvme/libnvme/pull/914)
-      version = "1.11.1";
-      src = pkgs.fetchFromGitHub {
-        owner = "linux-nvme";
-        repo = "libnvme";
-        rev = "v${version}";
-        hash = "sha256-CEGr7PDOVRi210XvICH8iLYDKn8S9bGruBO4tycvsT8=";
-      };
+    libnvme = pkgs.libnvme.overrideAttrs (o: {
      patches = (if (o ? patches) then o.patches else [ ]) ++ [ ./libnvme-hostconf.patch ];
    });
  };
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -147,15 +147,6 @@ in
            "/var/lib/systemd"

            { directory = "/root/.cache/nix"; mode = "0700"; }
-            # Including these unconditionally due to infinite recursion problems...
-            {
-              directory = "/etc/lvm/archive";
-              mode = "0700";
-            }
-            {
-              directory = "/etc/lvm/backup";
-              mode = "0700";
-            }
          ];
          files = [
            "/etc/machine-id"
@@ -269,6 +260,18 @@ in
        my.tmproot.persistence.config.files =
          concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys;
      })
+      (mkIf config.services.lvm.enable {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = "/etc/lvm/archive";
+            mode = "0700";
+          }
+          {
+            directory = "/etc/lvm/backup";
+            mode = "0700";
+          }
+        ];
+      })
      (mkIf (config.security.acme.certs != { }) {
        my.tmproot.persistence.config.directories = [
          {
@@ -537,20 +540,6 @@ in
        ];
      })
      (persistSimpleSvc "octoprint")
-      (mkIf (config.services.borgbackup.jobs != { }) {
-        my.tmproot.persistence.config.directories = [
-          "/var/lib/borgbackup"
-          "/var/cache/borgbackup"
-        ];
-
-        services.borgbackup.package = pkgs.borgbackup.overrideAttrs (o: {
-          makeWrapperArgs = o.makeWrapperArgs ++ [
-            "--set-default BORG_BASE_DIR /var/lib/borgbackup"
-            "--set-default BORG_CONFIG_DIR /var/lib/borgbackup/config"
-            "--set-default BORG_CACHE_DIR /var/cache/borgbackup"
-          ];
-        });
-      })
    ]))
  ]);

--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -8,6 +8,7 @@ in
  vfio-pci-bind = callPackage ./vfio-pci-bind.nix { };
  librespeed-go = callPackage ./librespeed-go.nix { };
  # modrinth-app = callPackage ./modrinth-app { };
+  glfw-minecraft = callPackage ./glfw-minecraft { };
  chocolate-doom2xx = callPackage ./chocolate-doom2xx { };
  windowtolayer = callPackage ./windowtolayer.nix { };
  swaylock-plugin = callPackage ./swaylock-plugin.nix { };
--- a/pkgs/glfw-minecraft/default.nix
+++ b/pkgs/glfw-minecraft/default.nix
@@ -0,0 +1,6 @@
+{ lib, glfw-wayland-minecraft, ... }:
+glfw-wayland-minecraft.overrideAttrs (o: {
+  patches = [
+    ./suppress-wayland-errors.patch
+  ];
+})
--- a/pkgs/glfw-minecraft/suppress-wayland-errors.patch
+++ b/pkgs/glfw-minecraft/suppress-wayland-errors.patch
@@ -0,0 +1,43 @@
+diff --git a/src/wl_window.c b/src/wl_window.c
+index 7c509896..db9a6451 100644
+--- a/src/wl_window.c
+++ b/src/wl_window.c
+@@ -2115,25 +2115,21 @@ void _glfwSetWindowTitleWayland(_GLFWwindow* window, const char* title)
+ void _glfwSetWindowIconWayland(_GLFWwindow* window,
+                                int count, const GLFWimage* images)
+ {
+-    _glfwInputError(GLFW_FEATURE_UNAVAILABLE,
+-                    "Wayland: The platform does not support setting the window icon");
+    fprintf(stderr, "!!! Ignoring Error: Wayland: The platform does not support setting the window icon\n");
+ }
+ 
+ void _glfwGetWindowPosWayland(_GLFWwindow* window, int* xpos, int* ypos)
+ {
+     // A Wayland client is not aware of its position, so just warn and leave it
+     // as (0, 0)
+-
+-    _glfwInputError(GLFW_FEATURE_UNAVAILABLE,
+-                    "Wayland: The platform does not provide the window position");
+    fprintf(stderr, "!!! Ignoring Error: Wayland: The platform does not provide the window position\n");
+ }
+ 
+ void _glfwSetWindowPosWayland(_GLFWwindow* window, int xpos, int ypos)
+ {
+     // A Wayland client can not set its position, so just warn
+ 
+-    _glfwInputError(GLFW_FEATURE_UNAVAILABLE,
+-                    "Wayland: The platform does not support setting the window position");
+    fprintf(stderr, "!!! Ignoring Error: Wayland: The platform does not support setting the window position\n");
+ }
+ 
+ void _glfwGetWindowSizeWayland(_GLFWwindow* window, int* width, int* height)
+@@ -2359,8 +2355,7 @@ void _glfwRequestWindowAttentionWayland(_GLFWwindow* window)
+ 
+ void _glfwFocusWindowWayland(_GLFWwindow* window)
+ {
+-    _glfwInputError(GLFW_FEATURE_UNAVAILABLE,
+-                    "Wayland: The platform does not support setting the input focus");
+    fprintf(stderr, "!!! Ignoring Error: Wayland: The platform does not support setting the input focus\n");
+ }
+ 
+ void _glfwSetWindowMonitorWayland(_GLFWwindow* window,
--- a/secrets/chatterbox/syncv3.env.age
+++ b/secrets/chatterbox/syncv3.env.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBQMEJB
+VVhIL2ViVUx1Ym9IbFV1UW52NjZYMmJlYmpjY0RuMzhiclJVS0ZnCkY5dEZHTHlC
+K29uamorWWNJSVV0VlVJNG1VNm9GQ3VPdldJRDNSODVoOVUKLT4gWDI1NTE5IEM0
+UVQvLzFYRTRRMldWSnNnd3V3aXJTeS8vZ1hkdENYVHk1QVVaQVEyQnMKVmN4OUFH
+WCtVSW9tREV5RExycnFJejk5UW91dzd5Rm8vcFBTT0ZCdytFWQotPiBCPC0lLTJW
+LS1ncmVhc2UgRSBjOlg5a0pdQSBSb2YKN0pkalY4VlFDMm8vZzJpQUV4TmdSRHA2
+dnB4UzJaWTRXeDdmKzFrUGVMSEFlbFhlNFFycFRQU005d1I2Si9VUQpHbDVxcGxn
+SVdjZzduSGluYlZnY3lmZmtnOWJYKzkydDhKU0VCNmNvV0EKLS0tIGdaUkpGNy9P
+Y3BGVGVJenJkTG51c3Z3WFU0eTFXT09pSVFseGRLMmxJVU0KhH9EjbL0zv821Yox
+FXc54SXGEkq97qPi3xIoPydWd3FbIuftAhe0xPFGfUOO5/zDni4h+PoNJs2hnkOK
+kHhxtaOj1S6RulI/eYLK/fJjl2aRrTaRFN0TGhFwz5X8HOQe2+Qrq/9wT7pyzOFU
+LsMwe71OhTjA5XrBTawU9QkWjPx2LZyb/WEkzlLOCGoHTUm4X03xY/1UeHVYZt2k
+wbLses0JHK1h2ttWnO5y68LovZWJqFdIjoCCkgfo0nNUD5i+e51xEju9OBJMngj+
+LnPb6YCqFh4Fxy09WORD0A==
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/tailscale-auth.key.age
+++ b/secrets/tailscale-auth.key.age
@@ -1,14 +1,18 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyByYlJn
-aERLcEhadS9jVUlyUmgxWEk5K0U2cE9WUlhCc0ZXbzhDRnZLTERvCmo2Vy9XeFhq
-NTcwdG5PZjlDb1JIM3BYWEVzMlBFWHFmRWt2dkF2OEQ2TDQKLT4gc3NoLWVkMjU1
-MTkgT0VxTXNnIHROaUlGUExERTZFaU5QL3dBcFpQVWNobGQwSEZ1YTU3NXJkekRi
-c0RUMGsKUHg4V0hIdFJ0aGxwOTFhaVB6MUdVWE0wUFgrMjI2am5uZlhWL09ObjhB
-VQotPiBYMjU1MTkgTWwyQjZjcUFYQ01KUHpoajRrVkpZd0czSzVrMTZxdjVHaHRh
-bERCSjBqSQpYOXJibDZPM2Z6bkNCSGpMRExZT21UTzU0N0RiT2FNM0l3N1pnRkl6
-WUJBCi0+IE0qLWdyZWFzZSB6TDVwIGRiQm0gajFFIEVqUXcKU3pEOFBqRVQ0dDZi
-REszS1h0T2FnOFF6cHBrN2xtOHdEQkIrCi0tLSBTM3EwNHhDaEo1eldDOTN5dzQz
-Q3Rpeno1K25KRU15L01wU21tczNmdlVJCqHBdFLovtLJGH9IY86pvc3xhpoLnfI/
-OVAF5RdpR9T2oNCr3oAiVURkPocYXLHnbjZhLKoj3uDoSZAE52VN9l05jhyX1wwY
-/Vfnp48kP8xfbQ==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBtay96
+encxaVJmQWhqenRmVjZkdDVFdnNINENTT0RLUGxsUkdoK1pvMjBjCjUycDh3ZTAr
+QnN5MkdaY1ozR1pRNGVVL0pQZWtYMXd0dlo3cnNiQWhjSkUKLT4gc3NoLWVkMjU1
+MTkgWk5xSW9nIDIvNFZURjZQeW4wRkpqZS9YRXhhRFYwMmx3Mks4czJidFo3elht
+ZVhBejQKTXpqUGVHcytSbENoc3hQZ01wcXBQMklMNU1XTnp4TmtvenFoaGphS3Qz
+MAotPiBzc2gtZWQyNTUxOSBzK3FSZmcgV2J4TlhYQXVwdisyWmF1QTkzUXUvNEVt
+ZTRoM0ppQVdFZDFsUCtYbnlUUQpqWmYxYTZ3ZnFVYk5SSWN5QUt4MFlUMFFrdDUx
+MjF6b1lDbkVaMElnLzNNCi0+IHNzaC1lZDI1NTE5IE9FcU1zZyByNWNDQkRmMHlD
+NFExRVk3MHhjYnREcXh2ZmVDMnNEaE5lWks2azlHTEVnCnNXQm94eTJPVk1mYmxZ
+U1RqRTE1bDVHNFY2c0VQS1QyQWx6TGRYL01HRzAKLT4gWDI1NTE5IFMrZnlnNTQ1
+UFdQZ0RnRUdiMkNTaXhjRnVFcUpULzJveFNyd2FGcmVJaDAKU2hzZ0NxYzU4ZEgv
+VnRqNlJIRmFHSisyWWlaTGVtbDFITHljWGt2b0V3bwotPiBbNFpCbn0tZ3JlYXNl
+IDxDeCBKbiBBP0ImJCBQClJBV2gwUy9ldUU0MUFPczFRTXVEeHR4akZqTEEKLS0t
+IFY1Z0V5Z1Z2U0Q4alFmaFV5bnY3QjRxOTlkTWRRL0hVTlRiWWk2MWdXdVkKS8oI
+z3Eyu1ZdBwLrTINoorZTBBgx8vp5iIdUevCg4dyH3WnkW/DHXZuuRGSH6xiSAroH
+JI5toFkwp3ZHWcodcYNvyP7ECRBsTyuCk7aRPgnZ
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/whale2/enshrouded.env.age
+++ b/secrets/whale2/enshrouded.env.age
@@ -1,12 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9FSlh2ZyBQc3dL
-bkttTXJPWnZzYVJ6OUc2cjJvZWJLWHk2QXYvRU9TL3RBTmFmQ1dNClRtaUwvcDJa
-c3h6eXpPR3dKSVZDVHJzNjR4b0Y5K3Zadk5vTkZiZS9RYkEKLT4gWDI1NTE5IE9R
-Y0g2bEJsNmdLaVJteDJaakFMZEdxRU55N2pNbzhkakxuRVFmdVN0ajQKZXZrRHdu
-WFFwMUFkUmJQbm9ONlFRWGdMWmtsWHlOaWVjMGtMdVM1YmdoUQotPiAwIm5PWS1n
-cmVhc2UgUUosbyl4CkFIWDA4L3YwOFBYVUFMZnB6U3VkNFJQVFlEMThVeTV4bHlu
-QmF2TFBobmtJS1hERUtSZld2UEZyb29nNEdGdWEKenliMmhQL1VrY2dFS3VzSEZB
-dm1jT2xOQkxnbCtBV21WT3ZMVjl0WEpPWQotLS0gckNCZEp3VU56eTFFR1ZzbTc3
-WTRIcVZGY0Z1YlNUS3l0cWJ1TW5YUjF6SQoqTDq/up9Q3tQnNJdsnfiwYqA5LW6G
-nKJXGbpnt3dpXxv/1+KRgF6pVKVQtyNFncQW7SC6K4uFw7iv6A==
-----END AGE ENCRYPTED FILE-----