docs: Document the boxes

Add a top-level `README.md` mapping the boxes and per-machine docs under `docs/boxes/` (grouped `colony/`, `home/`, `misc/`), one file per host, VM and container documenting role, services and networking with source pointers. Also point `AGENTS.md` at the new docs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Update CI workflow to Ubuntu 26.04
2026-06-14 22:45:20 +01:00 · 2026-06-14 20:37:53 +01:00 · 2026-06-14 20:37:36 +01:00 · 2026-06-14 20:36:15 +01:00 · 2026-06-14 19:31:59 +01:00 · 2026-06-14 03:15:28 +01:00
125 changed files with 5316 additions and 2156 deletions
@@ -7,10 +7,10 @@ on:
 jobs:
  check:
    name: Check, build and cache nixfiles
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-26.04
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
-      - uses: cachix/install-nix-action@v27
+      - uses: cachix/install-nix-action@v31
        with:
          # Gitea will supply a token in GITHUB_TOKEN, which this action will
          # try to pass to Nix when downloading from GitHub
@@ -0,0 +1,118 @@
 # AGENTS.md
 This file provides guidance to coding agents when working with code in this repository.
 ## Overview
 Personal Nix flake managing NixOS systems and home-manager configurations for a set of
 machines ("boxes": servers, home machines, routers). It is built around a **custom module system** layered
 on top of NixOS/home-manager, not the stock flake `nixosConfigurations` pattern.
 ## Commands
 This repo provides a `numtide/devshell` (entered via `direnv` / `use flake`). The shell defines
 named commands — prefer them over raw `nix` invocations. Run a bare command name with no args to
 see its help, or browse `devshell/commands.nix` / `devshell/install.nix` / `devshell/vm-tasks.nix`.
 Common ones:
 - `fmt` — format Nix with `nixpkgs-fmt` (the canonical formatter here).
 - `build-system <host> [nix args]` — build a NixOS system's `toplevel`.
 - `build-n-switch <args>` — wraps `doas nixos-rebuild --flake .`.
 - `build-home <name>` / `home-switch` — build / switch a home-manager config.
 - `run-vm <host>` — build & boot a system as a dev VM (installs `.keys/dev.key` into the VM).
 - `build-iso` / `build-kexec` / `build-netboot <host>` — alternate build outputs via `config.my.buildAs.*`.
 - `check-system <host> [nix args]` — evaluate a system (catches eval errors without a full build).
  **Prefer this over `build-system` to validate a config change** — evaluation surfaces module/option
  errors quickly and cheaply; only do a full build when you specifically need the built artifact.
 - `deploy <host>` and `deploy-multi <hosts...>` — deploy-rs deployment (uses `.keys/deploy.key`, `--skip-checks`).
  Pass the flake-qualified node, e.g. `deploy .#git`. The deploy node name is **always** the system
  name (`deploy-rs.nix` keys nodes directly off `nixos.systems` / `home-manager.homes`); a system is
  only a deploy target when `config.my.deploy.enable` is true (defaults true; auto-disabled for dev
  VMs and containers).
 - `ssh-machine <name> [cmd]` — SSH to a NixOS system or home-manager config by name. Resolves the
  target and ssh options (identity, port) from its deploy-rs node, so it needs `my.deploy.enable`
  (same gate as `deploy`).
 - `ragenix` — edit age secrets using `.keys/dev.key` as identity (see Secrets).
 - `repl` — `nix repl .#`.
 - `update-nixpkgs` / `update-home-manager` — bump pinned inputs.
 Check everything (what CI runs): `nix flake check --no-build`.
 CI builds each attr of `.#ci.x86_64-linux` (systems, homes, packages, shell) and pushes to the
 Harmonia binary cache; see `.gitea/workflows/ci.yaml` and `ci/push-to-cache.sh`.
 ## Architecture
 ### The custom module system
 `flake.nix` does **not** call `nixosSystem` per host directly. Instead it `evalModules` over
 `./nixos`, `./home-manager`, `./deploy-rs.nix`, and the per-host files listed in the `configs`
 list in `flake.nix`. That evaluation produces a top-level config (`self.nixfiles`) from which the
 real flake outputs are derived:
 - `nixos.systems.<name>` → `nixosConfigurations.<name>`
 - `home-manager.homes.<name>` → `homeConfigurations.<name>`
 - `nixos.modules` / `home-manager.modules` → `nixosModules` / `homeModules`
 - `deploy-rs.rendered` → `deploy`
 `nixos/default.nix` and `home-manager/default.nix` define the `systemOpts` / `homeOpts` submodules
 and the `mkSystem` / `mkHome` functions that actually invoke `eval-config.nix` /
 `homeManagerConfiguration`. **To add a new host:** create a box file that sets
 `nixos.systems.<name> = { ... }`, then add its path to the `configs` list in `flake.nix`.
 ### Multiple nixpkgs channels
 Four pkgs sets are threaded everywhere as `pkgsFlakes` / `pkgs'` (and `hmFlakes` for home-manager):
 `unstable`, `stable`, `mine` (a personal nixpkgs fork), `mine-stable`. Each system/home picks its
 channel via `nixpkgs` / `home-manager` / `hmNixpkgs` options (e.g. `nixpkgs = "mine-stable"`).
 Modules receive `pkgs'` = an attrset of all channels for the current system.
 ### `lib.my` and the `my` option namespace
 `lib/default.nix` extends `lib` with a `my` attrset (helpers like `mkOpt'`, `mkBoolOpt'`,
 `mkDefault'`, `inlineModule'`, `mkDefaultSystemsPkgs`, `homeStateVersion`). It also pulls in:
 - `lib.my.net` — network/CIDR helpers from the `libnetRepo` input. Used heavily for IP math.
 - `lib.my.c` — shared constants from `lib/constants.nix` (UIDs/GIDs, kernel package selection,
  nginx snippets, per-network domains/prefixes, etc.). Reuse these rather than hardcoding.
 - `lib.my.dns` — DNS helpers (`lib/dns.nix`).
 Custom modules add options under the `my.*` namespace (e.g. `my.secrets`, `my.build`,
 `my.tmproot`, `my.server`). Use `mkOpt'`/`mkBoolOpt'` for option declarations to match style.
 ### Modules and module lists
 Module sets are registered in `nixos/modules/_list.nix` and `home-manager/modules/_list.nix`
 (name → path), which become `nixos.modules` / `home-manager.modules` and are applied to every
 system/home. To add a shared module, drop the file in `nixos/modules/` (or `home-manager/modules/`)
 and add an entry to the relevant `_list.nix`.
 ### Network assignments
 Each system declares `assignments.<name>` (in its `nixos.systems.<host>` block) with IPv4/IPv6
 addresses, gateways, domains, MTU, etc. These are aggregated into `allAssignments` (passed to every
 module) and there is an assertion that fails on duplicate IPs. Host networking
 (`networking.hostName`, `domain`) defaults from the `internal` assignment.
 ### Hosts / "boxes"
 Per-host configs live under `nixos/boxes/<host>` (some are single `.nix` files, some directories
 with nested VMs/containers under e.g. `colony/vms`). Many "systems" are VMs or containers managed
 via the `vms` / `containers` modules and the `l2mesh` VXLAN module.
 For a human-readable map of what is actually deployed (per-machine roles, services and networking),
 see `README.md` and the per-machine docs under `docs/boxes/` (grouped `docs/boxes/colony/`,
 `docs/boxes/home/`, `docs/boxes/misc/`). Keep these in sync when adding, removing or repurposing
 a machine or service.
 ## Secrets
 age-encrypted secrets in `secrets/`, managed with **ragenix**. Each module declares
 `my.secrets.files.<name>` and `my.secrets.key` (the host pubkey to encrypt for). `secrets.nix`
 (the ragenix rules file) is generated by reading every system's declared secrets and computing the
 recipient key list (always including `.keys/dev.pub`). Edit secrets with the `ragenix` devshell
 command, which supplies `.keys/dev.key` as the identity. The `.keys/` directory (dev + deploy
 private keys) is required for editing secrets, deploying, and running dev VMs.
 ## Conventions
 - Format with `nixpkgs-fmt` (`fmt`). 2-space indent, `inherit (...)` blocks at the top of `let`.
 - Prefer `lib.my` helpers (`mkOpt'`, `mkBoolOpt'`, `mkDefault'`) and `lib.my.c` constants over
  reimplementing.
 - New shared functionality → a module in `*/modules/` + entry in `_list.nix`, options under `my.*`.
 - New host → box file under `nixos/boxes/` + entry in the `configs` list in `flake.nix`.
 - Custom packages live in `pkgs/` and are registered in `pkgs/default.nix`; the overlay is exposed
  as `overlays.default`.
 - In prose and commit messages, quote code-like identifiers (commands, options, paths, package and
  attribute names) in backticks.
@@ -0,0 +1,80 @@
 # nixfiles
 Personal Nix flake managing every machine I run: hosted servers, home
 infrastructure, routers, a remote site, VPSes and personal workstations. It is
 built around a **custom module system** layered on top of NixOS and
 home-manager rather than the stock per-host `nixosConfigurations` pattern.
 For day-to-day commands and a deeper explanation of the module system,
 conventions and secrets, see [`AGENTS.md`](AGENTS.md). This README is the map of
 **what is actually deployed**; the per-machine details live under [`docs/boxes/`](docs/boxes).
 > **Note:** This documentation (the README and everything under `docs/`) is a
 > work in progress and was **agent-generated** from the repository. It may be
 > incomplete or out of date — treat the Nix configuration as the source of truth.
 ## The boxes at a glance
 Machines are grouped by deployment/location. Each group has its own directory
 under `docs/boxes/` with a `README.md` overview and one file per machine.
 | Group | What it is | Docs |
 | --- | --- | --- |
 | **colony** | Hosted dedicated server in Amsterdam (`ams1`). A VM host running the public-facing infrastructure: routing, web, git, media, object storage, chat, game servers. | [`docs/boxes/colony/`](docs/boxes/colony) |
 | **home** | Home network: a VM host (`palace`), the home routers, storage, Home Assistant, and personal desktops. | [`docs/boxes/home/`](docs/boxes/home) |
 | **misc** | Everything else: edge VPSes (`britway`, `britnet`), the remote `kelder` site, the `tower` workstation, and the installer image. | [`docs/boxes/misc/`](docs/boxes/misc) |
 ## The "big machine" pattern
 The larger sites (`colony`, `home`) all follow the same shape:
 ```
 physical host (VM host)
 ├── VM ── thing impractical to containerise (router, storage, podman host, …)
 ├── VM ── container host ──┬── NixOS container ── application
 │                          ├── NixOS container ──┬── application
 │                          │                     ├── application
 │                          │                     └── application
 │                          └── …
 └── VM ── …
 ```
 - A **physical host** (`colony`, `palace`) does little itself beyond running
  **VMs** via the custom `my.vms` module (QEMU + systemd units, LVM-backed
  disks).
 - **VMs** exist for things that are impractical to put in a container — kernel
  features, separate networking, podman/OCI workloads, foreign OSes.
 - One VM is usually a **container host** (`shill` on colony, `sfh` on home; and
  `kelder` directly). It runs **NixOS containers** via the custom `my.containers`
  module (systemd-nspawn based, each with its own address on a bridge).
 - **Most applications live in those NixOS containers.** A container isn't limited
  to a single application — it commonly hosts a **group of related applications**
  that belong together (e.g. `jackflix` runs Jellyfin, the *arr stack,
  Transmission, PhotoPrism and copyparty; `object` runs MinIO, Harmonia, HedgeDoc
  and wastebin). Each container is a first-class entry in `docs/boxes/`.
 Networking between everything is largely defined by per-system `assignments`
 (IPs/prefixes) plus an L2 VXLAN mesh (`my.vpns.l2`, AS211024) that ties the edge
 routers together. See [`AGENTS.md`](AGENTS.md) for the mechanics.
 ## Repo layout
 ```
 README.md           <- you are here
 nixos/
  boxes/            per-machine configuration ("boxes")
    colony/         colony host + its VMs (vms/) + shill's containers
    home/           palace host + its VMs, plus stream, castle
    britway/        britnet.nix, kelder/, tower/, installer.nix …
  modules/          shared NixOS modules (my.* options); registered in _list.nix
 home-manager/       home-manager modules + configs
 lib/                lib.my helpers, constants (lib.my.c), net/dns helpers
 pkgs/               custom packages (overlays.default)
 secrets/            age-encrypted secrets (ragenix)
 devshell/           devshell commands (build/deploy/check/ssh helpers)
 docs/boxes/         per-machine documentation (colony/, home/, misc/)
 ```
 A machine is wired into the flake by adding its box file to the `configs` list
 in `flake.nix`. See [`AGENTS.md`](AGENTS.md#architecture) for how `evalModules`
 turns these into `nixosConfigurations`, `homeConfigurations` and `deploy` nodes.
@@ -48,11 +48,30 @@ in
      help = "Print the ed25519 pubkey for a host";
      command = "${pkgs.openssh}/bin/ssh-keyscan -t ed25519 \"$1\" 2> /dev/null | awk '{ print $2 \" \" $3 }'";
    }
    {
      name = "ssh-machine";
      category = "utilities";
      help = "SSH to a machine by NixOS system or home-manager config name";
      command = ''
        name="$1"
        shift
        # Run from the project root so deploy's relative identity path (.keys/deploy.key) resolves
        cd "$PRJ_ROOT"
        # deploy-rs node names are the system/home name, with `@` mangled to `-at-`
        node="''${name//@/-at-}"
        # Single eval: resolve `user@host` plus merged (global + node) deploy-rs ssh options
        info="$(nix eval --raw .#deploy --apply 'd: let n = d.nodes."'"$node"'"; in "''${n.sshUser}@''${n.hostname} ''${builtins.concatStringsSep " " (d.sshOpts ++ n.sshOpts)}"')"
        target="''${info%% *}"
        opts="''${info#* }"
        # shellcheck disable=SC2086
        exec ${pkgs.openssh}/bin/ssh $opts "$target" "$@"
      '';
    }
    {
      name = "json2nix";
      category = "utilities";
      help = "Convert JSON to formatted Nix";
-      command = "nix eval --impure --expr 'builtins.fromJSON (builtins.readFile /dev/stdin)' | ${pkgs.nixfmt-rfc-style}/bin/nixfmt";
+      command = "nix eval --impure --expr 'builtins.fromJSON (builtins.readFile /dev/stdin)' | ${pkgs.nixfmt}/bin/nixfmt -";
    }
    {
@@ -73,6 +92,12 @@ in
      help = "Build NixOS configuration";
      command = ''nix build "''${@:2}" ".#nixosConfigurations.\"$1\".config.system.build.toplevel"'';
    }
    {
      name = "check-system";
      category = "utilities";
      help = "Evaluate NixOS configuration (check validity without building)";
      command = ''nix eval "''${@:2}" ".#nixosConfigurations.\"$1\".config.system.build.toplevel.drvPath"'';
    }
    {
      name = "build-n-switch";
      category = "tasks";
@@ -144,7 +169,11 @@ in
      help = "Deploy multiple flakes at once";
      command = ''
        for f in $@; do
-          deploy "$O" $f
+          if [ -n "''${O:-}" ]; then
            deploy "$O" $f
          else
            deploy $f
          fi
        done
      '';
    }
@@ -0,0 +1,68 @@
 # colony
 The hosted dedicated server in Amsterdam (`ams1`). This is the public-facing
 half of the boxes: almost everything reachable from the internet lives here.
 - **Internal domain:** `ams1.int.nul.ie`
 - **Public domain:** `nul.ie` (public services are published as `*.nul.ie`)
 - **Source:** [`nixos/boxes/colony/`](../../../nixos/boxes/colony)
 ## Shape
 `colony` is the physical VM host. It runs the VMs below; one of them (`shill`)
 is itself a NixOS container host where most applications run.
 ```
 colony (physical VM host)
 ├── estuary ── edge router / firewall / DNS / BGP
 ├── shill ──── NixOS container host ──┬── middleman    (reverse proxy, ACME, SSO)
 │                                     ├── colony-psql  (shared PostgreSQL)
 │                                     ├── vaultwarden  (password manager)
 │                                     ├── chatterbox   (Matrix + bridges)
 │                                     ├── toot         (Mastodon)
 │                                     ├── jackflix     (media stack)
 │                                     ├── object       (MinIO, Nix cache, …)
 │                                     ├── waffletail   (Tailscale subnet router)
 │                                     ├── qclk         (clock service)
 │                                     └── gam          (game servers)
 ├── whale2 ─── podman/OCI host (game servers)
 ├── git ────── Gitea + Actions runner
 ├── mail ───── Debian VM running Mailcow (not NixOS — configured out of repo)
 └── darts ──── third-party/customer VM (opaque to this repo)
 ```
 ## Machines
 | Machine | Role | Docs |
 | --- | --- | --- |
 | `colony` | Physical VM host (AMD, LVM-thin, borgthin backups → rsync.net) | [colony.md](colony.md) |
 | `estuary` | Edge router: WAN, firewall/NAT, DNS, BGP, IXP peering, WireGuard | [estuary.md](estuary.md) |
 | `shill` | NixOS container host (see containers below) | [shill.md](shill.md) |
 | `whale2` | podman/OCI host for game servers | [whale2.md](whale2.md) |
 | `git` | Gitea + Gitea Actions runner | [git.md](git.md) |
 ### shill containers
 | Container | Role | Docs |
 | --- | --- | --- |
 | `middleman` | Front-end nginx reverse proxy, ACME certs, nginx-sso, librespeed | [middleman.md](middleman.md) |
 | `colony-psql` | Shared PostgreSQL (14) for colony services | [colony-psql.md](colony-psql.md) |
 | `vaultwarden` | Vaultwarden (Bitwarden-compatible password manager) | [vaultwarden.md](vaultwarden.md) |
 | `chatterbox` | Matrix homeserver + bridges (heisenbridge, mautrix-*) | [chatterbox.md](chatterbox.md) |
 | `toot` | Bluesky PDS (Mastodon disabled) | [toot.md](toot.md) |
 | `jackflix` | Media: Jellyfin, *arr stack, Transmission, PhotoPrism, copyparty | [jackflix.md](jackflix.md) |
 | `object` | MinIO (S3), Harmonia (Nix cache), HedgeDoc, wastebin | [object.md](object.md) |
 | `waffletail` | Tailscale subnet router (advertises colony prefixes into the tailnet) | [waffletail.md](waffletail.md) |
 | `qclk` | `qclk` clock service (reachable over WireGuard) | [qclk.md](qclk.md) |
 | `gam` | Game servers (Terraria, …) | [gam.md](gam.md) |
 ## Non-NixOS VMs
 These run on `colony` but are **not** managed by this repo (no NixOS config). The
 QEMU instances are still declared in `colony`'s `my.vms.instances`, and colony's
 networking routes/firewalls traffic to them:
 - **`mail`** — a Debian VM running [Mailcow](https://mailcow.email/) (`mail.nul.ie`).
  ACME certs are pushed to it from `middleman` (see [middleman.md](middleman.md)).
 - **`darts`** — a third-party/customer VM; opaque to this repo, given a routed
  prefix and otherwise left alone.
@@ -0,0 +1,19 @@
 # chatterbox
 The Matrix homeserver (`nul.ie`) and its chat-network bridges.
 - **Source:** [`shill/containers/chatterbox.nix`](../../../nixos/boxes/colony/vms/shill/containers/chatterbox.nix)
 - **Host:** NixOS container on `shill`
 ## Role
 - **Matrix homeserver** for `server_name = "nul.ie"`.
 - **Bridges** to other chat networks:
  - `heisenbridge` (IRC),
  - `mautrix-whatsapp` (WhatsApp),
  - `mautrix-meta` / `mautrix-messenger` (Facebook Messenger / Instagram).
 - Fronted by `middleman` (federation on `:8448`).
 ## Networking
 - `internal` assignment on the `ctrs` network (alt name `chatterbox-ctr`).
@@ -0,0 +1,18 @@
 # colony-psql
 The shared PostgreSQL instance for colony. Several other containers
 (`middleman`, `chatterbox`, `toot`, `git`, …) connect here rather than each
 running their own database.
 - **Source:** [`shill/containers/colony-psql.nix`](../../../nixos/boxes/colony/vms/shill/containers/colony-psql.nix)
 - **Host:** NixOS container on `shill`
 ## Role
 - **PostgreSQL 14** serving the other colony services over the `ctrs` network.
  Consumers wait for it to be ready via the `systemdAwaitPostgres` helper.
 - netdata for monitoring.
 ## Networking
 - `internal` assignment on the `ctrs` network (alt name `colony-psql-ctr`).
@@ -0,0 +1,39 @@
 # colony (host)
 The physical dedicated server in Amsterdam and the VM host for everything in
 this group.
 - **Source:** [`nixos/boxes/colony/default.nix`](../../../nixos/boxes/colony/default.nix)
  (VM instances in [`nixos/boxes/colony/vms/default.nix`](../../../nixos/boxes/colony/vms/default.nix))
 - **nixpkgs:** `mine-stable`
 ## Role
 Bare-metal AMD host. It does little application work itself — its job is to run
 the VMs and provide them with storage, networking and backups.
 - **Virtualisation:** QEMU/KVM (`kvm-amd`, IOMMU on) via the `my.vms` module. VM
  disks are LVM logical volumes (`vm-<name>-<disk>`) in the `main` volume group;
  `estuary` additionally gets a WAN NIC by PCI passthrough.
 - **Storage:** LVM-thin (`services.lvm.boot.thin`), `/persist` for state,
  `/mnt/backup` for the local borg repo. `smartd` + `rasdaemon` for health.
 - **Backups:** `my.borgthin` snapshots the persist/data LVs of the host and its
  VMs into `/mnt/backup/main`, which is then `rsync`'d (along with LVM metadata)
  to rsync.net (`zh2855.rsync.net`).
 - **Monitoring:** netdata (with freeipmi), smartd.
 ## Networking
 - Two bridges: `base` (the colony "base" network, shared with `estuary`) and
  `vms` (the VM network). Dummy interfaces keep the bridges up so dependent VMs
  can start.
 - Default gateway / edge is `estuary`; `colony` itself holds the `routing` and
  `internal` (a.k.a. `vm`) assignments and routes container/OCI/Tailscale
  prefixes to `shill` and `whale2`.
 - `my.firewall` trusts the `vms` interface and forwards customer prefixes
  (`vm-mail`, `vm-darts`) through.
 ## VMs hosted here
 `estuary`, `shill`, `whale2`, `git` (all NixOS, documented in this directory),
 plus the non-NixOS `mail` and `darts` (see [README](README.md#non-nixos-vms)).
@@ -0,0 +1,41 @@
 # estuary
 The colony edge router and firewall — the machine that holds colony's public
 IPs and connects everything else to the internet.
 - **Source:** [`nixos/boxes/colony/vms/estuary/`](../../../nixos/boxes/colony/vms/estuary)
  (`default.nix`, `bgp.nix`, `dns.nix`, `bandwidth.nix`)
 - **nixpkgs:** `mine`
 - **Host:** VM on `colony` (gets the WAN NIC by PCI passthrough)
 ## Role
 - **Edge routing / firewall / NAT:** owns the colony public IPv4/IPv6
  (`94.142.241.x` / `2a02:898:0:20::`), does NAT and port-forwarding for the
  internal services (`my.firewall.nat.forwardPorts` driven by
  `firewallForwards`). Forwards HTTP/S to `middleman`, git to `git`, game ports
  to the OCI game servers on `whale2`, etc.
 - **BGP:** runs BIRD2 ([`bgp.nix`](../../../nixos/boxes/colony/vms/estuary/bgp.nix))
  announcing AS211024, over VLANs on the WAN link:
  - peers at the IXPs **Frys-IX**, **NL-ix** and **FogIXP**;
  - plus **iFog transit** (`ifog-transit`) — an upstream transit provider from
    iFog, **not** an IXP.
 - **DNS:** authoritative/recursive DNS ([`dns.nix`](../../../nixos/boxes/colony/vms/estuary/dns.nix)),
  redirected to port 5353 locally.
 - **VPNs:**
  - Part of the AS211024 **L2 VXLAN mesh** (`my.vpns.l2`) with `river`, `stream`
    and `britway`.
  - WireGuard endpoints for the remote `kelder` site, `hillcrest`, and
    `john-valorant`.
 - **Misc:** iperf3 server. (A bandwidth-accounting script,
  [`bandwidth.py`](../../../nixos/boxes/colony/vms/estuary/bandwidth.py), exists but
  is **legacy and not currently used**.)
 ## Networking
 - `wan` — the passed-through igb NIC (9000 MTU), carrying the upstream uplink and
  tagged IXP VLANs (`ifog` 409 → `frys-ix`/`nl-ix`/`fogixp`/`ifog-transit`).
 - `base` — colony base network; sends RAs and provides DNS to the base prefix,
  routes the VM/container/OCI/Tailscale prefixes back to `colony`.
 - `as211024` — the L2 mesh interface.
 - Assignments: `internal` (public, alt name `fw`), `base`, `as211024`.
@@ -0,0 +1,17 @@
 # gam
 A game-server container (the lightweight counterpart to the OCI game servers on
 `whale2`).
 - **Source:** [`shill/containers/gam.nix`](../../../nixos/boxes/colony/vms/shill/containers/gam.nix)
 - **Host:** NixOS container on `shill`
 ## Role
 - Hosts game servers run directly as NixOS services — currently **Terraria**
  (config/world from secrets). Exposed to the internet via `estuary`'s port
  forwards (`:7777`).
 ## Networking
 - `internal` assignment on the `ctrs` network (alt name `gam-ctr`).
@@ -0,0 +1,38 @@
 # git
 The Gitea VM — source hosting and CI for the boxes (`git.nul.ie`).
 - **Source:** [`nixos/boxes/colony/vms/git/`](../../../nixos/boxes/colony/vms/git)
  (`default.nix`, `gitea.nix`, `gitea-actions.nix`)
 - **nixpkgs:** `mine`
 - **Host:** VM on `colony`
 ## Role
 - **Gitea** ([`gitea.nix`](../../../nixos/boxes/colony/vms/git/gitea.nix)) — the Git
  forge (`git.nul.ie`). PostgreSQL-backed (the shared `colony-psql`), LFS
  enabled, with object storage backed by MinIO on `object` (a MinIO secret is
  spliced into `app.ini` at startup).
 - **Gitea Actions runner**
  ([`gitea-actions.nix`](../../../nixos/boxes/colony/vms/git/gitea-actions.nix)) — a
  Docker-mode runner (`main-docker`) using podman. Labels provide Debian/node-24
  (Trixie) and Ubuntu 26.04 images; runner config comes from the upstream
  module's `settings` option. The Actions cache lives on a dedicated disk
  (`/var/cache/gitea-runner`). Runs as a fixed `gitea-runner` user (not
  `DynamicUser`) so it can read its token.
 - **nginx** — terminates TLS for `git.nul.ie` and proxies to Gitea on `:3000`.
  ACME certs for `nul.ie` / `*.nul.ie` via the Cloudflare DNS challenge.
 - **podman** — also hosts the OCI registry/build images; `/var/lib/containers`
  is an XFS data disk.
 ## Networking
 - `vms` interface with `routing` / `internal` assignments.
 - HTTP/HTTPS forwarded in from `estuary`; podman default subnet `10.88.0.0/16` is
  allowed to forward.
 ## CI
 This runner is what executes the repo's own `.gitea/workflows/ci.yaml`, building
 each `.#ci.x86_64-linux` attribute and pushing to the Harmonia binary cache. See
 [`AGENTS.md`](../../../AGENTS.md#commands).
@@ -0,0 +1,25 @@
 # jackflix
 The media stack — acquisition, library and streaming.
 - **Source:** [`shill/containers/jackflix/`](../../../nixos/boxes/colony/vms/shill/containers/jackflix)
  (`default.nix`, `networking.nix`)
 - **Host:** NixOS container on `shill`
 ## Role
 - **Streaming:** Jellyfin.
 - **Acquisition (*arr stack):** Transmission, Jackett, FlareSolverr, Radarr,
  Sonarr, and Jellyseerr (`seerr`) for requests.
 - **Photos:** PhotoPrism (`photos.nul.ie`).
 - **File sharing:** copyparty (`:3923`) serving public + private media volumes.
 - Media lives on the shared `/mnt/media` volume (bind-mounted read-write from
  `shill`). Downloaders bind to a VPN interface
  ([`networking.nix`](../../../nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix)),
  so torrent traffic only flows while `systemd-networkd-wait-online@vpn` is up.
 - A shared `media` group (gid 2000) gives the apps coordinated access.
 ## Networking
 - `internal` assignment on the `ctrs` network (alt name `jackflix-ctr`), plus its
  own VPN interface for the download clients.
@@ -0,0 +1,63 @@
 # middleman
 The front-end reverse proxy for all public colony web services — the single
 ingress that `estuary` forwards HTTP/HTTPS to.
 - **Source:** [`shill/containers/middleman/`](../../../nixos/boxes/colony/vms/shill/containers/middleman)
  (`default.nix`, `vhosts.nix`)
 - **Host:** NixOS container on `shill`
 ## Role
 - **nginx** reverse proxy ([`vhosts.nix`](../../../nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix)
  holds the per-service vhosts) with VTS stats, fancyindex, brotli, caching, and
  a dynamic resolver pointed at `estuary` so upstreams can be re-resolved at
  runtime. It is the single public ingress for almost every web service — colony,
  home, and beyond.
 - **ACME** — issues the wildcard certificates that **its own** vhosts are served
  with (it is not a shared CA for the other boxes; `git`, `britway`, `kelder-spoder`, etc. each
  run their own ACME):
  - `nul.ie` / `*.nul.ie` (+ `*.s3.nul.ie`) via the Cloudflare DNS challenge,
  - the internal `ams1.int.nul.ie` / `*` via an `exec` challenge that calls
    `estuary`'s pdns over SSH.
  - As a one-off consumer, it then pushes the public cert to the `mail` (Mailcow)
    VM via `scp` + a remote `mailcow-ssl-reload`.
 - **nginx-sso** — single-sign-on (`sso.nul.ie`) with Google OAuth and a simple
  username/password provider; protects the SSO-gated vhosts below.
 - **librespeed** — speed-test frontend + backend (`librespeed.${domain}` /
  `speed.nul.ie`).
 ## Published vhosts
 All under `*.nul.ie` with the wildcard cert unless noted. Upstreams are addressed
 by their internal container/VM hostnames. "SSO" = gated behind nginx-sso.
 | Host(s) | Upstream | Notes |
 | --- | --- | --- |
 | `nul.ie` (default `_`) | static | landing page (CV, SSH pubkey) + Matrix/atproto `.well-known` |
 | `sso.nul.ie` | nginx-sso | SSO endpoint |
 | `pass.nul.ie` | `vaultwarden` | password manager |
 | `matrix.nul.ie` (+`:8448`) | `chatterbox` | Matrix client + federation |
 | `element.nul.ie` | element-web | Matrix web client |
 | `toot.nul.ie` | `toot` :80 | Mastodon (currently disabled — see [toot.md](toot.md)) |
 | `pds.nul.ie` | `toot` :3000 | Bluesky PDS |
 | `jackflix.nul.ie` | `jackflix` Jellyfin | streaming |
 | `torrents` / `jackett` / `radarr` / `sonarr` `.nul.ie` | `jackflix` | *arr stack (**SSO**) |
 | `gib.nul.ie` | `jackflix` Jellyseerr | requests |
 | `photos.nul.ie` | `jackflix` PhotoPrism | |
 | `stuff` / `public` / `p.nul.ie` | `jackflix` copyparty + `/mnt/media` | file sharing / index |
 | `share.nul.ie` | `object` :9090 | |
 | `minio` / `s3` / `*.s3.nul.ie` | `object` MinIO | S3 + console (Docker manifest MIME hack) |
 | `nix-cache.nul.ie` | `object` Harmonia | Nix binary cache (immutable cache headers) |
 | `md.nul.ie` / `pb.nul.ie` | `object` | HedgeDoc / wastebin |
 | `mc-map` / `mc-rail` / `mc-map-kink` `.nul.ie` | `whale2` OCI | Minecraft maps |
 | `netdata-colony.nul.ie` | many hosts :19999 | netdata fan-out (**SSO**) |
 | `pront.nul.ie` | `stream-hi` (home) | print/webcam (**SSO**) |
 | `hass.nul.ie` | `hass` (home) | Home Assistant |
 | `hass-john.nul.ie` | `john-valorant-tun` | remote HASS over WireGuard tunnel |
 ## Networking
 - `internal` assignment on the `ctrs` network; bind-mounts `/mnt/media` for
  serving static/media content.
 - nginx waits for `colony-psql` before starting (DNS bootstrap hack).
@@ -0,0 +1,24 @@
 # object
 Object storage and Nix binary cache, plus a couple of small self-hosted web
 apps.
 - **Source:** [`shill/containers/object.nix`](../../../nixos/boxes/colony/vms/shill/containers/object.nix)
 - **Host:** NixOS container on `shill`
 ## Role
 - **MinIO** — S3-compatible object storage (`s3.nul.ie` / `*.s3.nul.ie`). Backs
  several other services (Gitea LFS/artifacts, social-media uploads, …). Stored on the
  `/mnt/minio` volume (XFS, bind-mounted from `shill`).
 - **Harmonia** — serves the Nix binary cache for all the boxes (`nix-cache.nul.ie`), backed
  by the `/mnt/nix-cache` volume.
 - **atticd** — an alternative Nix cache (stores into MinIO/S3). **Currently
  disabled** — present in the config but not running.
 - **HedgeDoc** — collaborative markdown notes.
 - **wastebin** — pastebin.
 ## Networking
 - `internal` assignment on the `ctrs` network (alt name `object-ctr`).
 - `/mnt/minio` and `/mnt/nix-cache` bind-mounted read-write from `shill`.
@@ -0,0 +1,22 @@
 # qclk
 The `qclk` service container.
 - **Source:** [`shill/containers/qclk/`](../../../nixos/boxes/colony/vms/shill/containers/qclk)
 - **Host:** NixOS container on `shill`
 ## Role
 - Runs the custom `qclk` service, exposing an API that is reached over a
  dedicated WireGuard **`management`** network. Managed devices are configured as
  WireGuard peers (each gets an address in the `qclk` prefix), and AS211024
  trusted hosts are allowed to reach the API.
 - `shill` routes the `qclk` prefix to this container.
 ## Networking
 - `internal` assignment on the `ctrs` network (alt name `qclk-ctr`), plus the
  `management` WireGuard interface carrying the `qclk` prefix.
 > Check `qclk/default.nix` for the current peer list and exactly what the service
 > does — this entry intentionally stays high-level.
@@ -0,0 +1,48 @@
 # shill
 The colony **NixOS container host**. Most colony applications run as
 systemd-nspawn containers on `shill`.
 - **Source:** [`nixos/boxes/colony/vms/shill/`](../../../nixos/boxes/colony/vms/shill)
  (`default.nix`, `containers-ext.nix`, `hercules.nix`, `containers/`)
 - **nixpkgs:** `mine`
 - **Host:** VM on `colony` (large: 12 cores, 40 GiB RAM)
 ## Role
 - Runs the colony NixOS containers via `my.containers.instances`, each attached
  to the `ctrs` bridge with its own address.
 - Provides shared data volumes to those containers via bind mounts from
  LVM-backed disks: `/mnt/media` (→ `middleman`, `jackflix`), `/mnt/minio` and
  `/mnt/nix-cache` (→ `object`).
 - Acts as the router between the `vms` network and the `ctrs` container network
  (sends RAs on `ctrs`, routes Tailscale prefixes via `waffletail` and the
  `qclk` prefix via `qclk`). Includes an nftables `ct mark` hack to make
  internal DNAT return paths work.
 - Tuned sysctls for high connection counts / torrent traffic; netdata.
 ## Containers
 Defined in [`shill/containers/`](../../../nixos/boxes/colony/vms/shill/containers)
 and wired up in `shill`'s `my.containers.instances`:
 | Container | Role |
 | --- | --- |
 | [`middleman`](middleman.md) | Front-end nginx reverse proxy, ACME, nginx-sso, librespeed |
 | [`colony-psql`](colony-psql.md) | Shared PostgreSQL |
 | [`vaultwarden`](vaultwarden.md) | Password manager |
 | [`chatterbox`](chatterbox.md) | Matrix homeserver + bridges |
 | [`toot`](toot.md) | Bluesky PDS (Mastodon disabled) |
 | [`jackflix`](jackflix.md) | Media stack |
 | [`object`](object.md) | MinIO / Harmonia / HedgeDoc / wastebin |
 | [`waffletail`](waffletail.md) | Tailscale subnet router |
 | [`qclk`](qclk.md) | Clock service |
 | [`gam`](gam.md) | Game servers |
 ## Notes
 - Container systems set `my.deploy.enable = false` (they are deployed as part of
  `shill`'s container profiles, not as standalone deploy nodes) and render via
  `my.asContainer`.
 - `hercules.nix` configures Hercules CI agent bits;
  `containers-ext.nix` holds extra per-container host wiring.
@@ -0,0 +1,19 @@
 # toot
 A federated-social container. Despite the name (Mastodon = "toots"), it currently
 hosts a **Bluesky PDS**; the Mastodon instance is disabled.
 - **Source:** [`shill/containers/toot.nix`](../../../nixos/boxes/colony/vms/shill/containers/toot.nix)
 - **Host:** NixOS container on `shill`
 ## Role
 - **Bluesky PDS** (Personal Data Server) — the active service, published as
  `pds.nul.ie` (proxied by `middleman` to `:3000`).
 - **Mastodon** — **currently disabled**. The config is still present and
  `toot.nul.ie` still maps to `:80`, but the instance is not running. (It was
  backed by the shared `colony-psql` and MinIO/S3 on `object`.)
 ## Networking
 - `internal` assignment on the `ctrs` network (alt name `toot-ctr`).
@@ -0,0 +1,15 @@
 # vaultwarden
 [Vaultwarden](https://github.com/dani-garcia/vaultwarden), a Bitwarden-compatible
 password manager.
 - **Source:** [`shill/containers/vaultwarden.nix`](../../../nixos/boxes/colony/vms/shill/containers/vaultwarden.nix)
 - **Host:** NixOS container on `shill`
 ## Role
 - Runs Vaultwarden, fronted by `middleman` and published under `nul.ie`.
 ## Networking
 - `internal` assignment on the `ctrs` network (alt name `vaultwarden-ctr`).
@@ -0,0 +1,19 @@
 # waffletail
 The colony Tailscale node / subnet router.
 - **Source:** [`shill/containers/waffletail.nix`](../../../nixos/boxes/colony/vms/shill/containers/waffletail.nix)
 - **Host:** NixOS container on `shill`
 ## Role
 - Joins the Tailscale tailnet (auth key from secrets) and **advertises the colony
  prefixes** into it, acting as the subnet router so tailnet clients can reach
  colony services and vice-versa.
 - nftables rules SNAT/forward between `host0` and `tailscale0` for the colony
  v4/v6 ranges. `shill` routes the Tailscale prefixes here.
 ## Networking
 - `internal` assignment on the `ctrs` network (alt name `waffletail-ctr`); owns
  the `tailscale0` interface.
@@ -0,0 +1,27 @@
 # whale2
 A podman/OCI host on colony dedicated to game servers (kept off `shill` so the
 container churn and resource use stay isolated).
 - **Source:** [`nixos/boxes/colony/vms/whale2/`](../../../nixos/boxes/colony/vms/whale2)
  (`default.nix`, `valheim.nix`, `minecraft/`, `enshrouded.nix`)
 - **nixpkgs:** `mine`
 - **Host:** VM on `colony`
 ## Role
 - Runs OCI containers via **podman** (`virtualisation.oci-containers`, netavark
  backend) on a dedicated `colony` bridge network (`oci`) with both IPv4 and
  IPv6, so each game server gets its own routable address.
 - Game servers configured in-repo: **Valheim**, **Minecraft** (several worlds —
  see `extraAssignments`: `simpcraft`, `simpcraft-staging`, `kevcraft`,
  `kinkcraft`, `graeme`), and **Enshrouded** (currently commented out).
 - `/var/lib/containers` is an XFS data disk (project quotas).
 ## Networking
 - `vms` interface with `routing` / `internal` (alt name `oci`) assignments.
 - An `oci` bridge carrying the `prefixes.oci` v4/v6 ranges; per-game addresses
  are handed out via `extraAssignments` (`valheim-oci`, `simpcraft-oci`, …) and
  exposed to the internet through `estuary`'s port forwards.
 - Firewall trusts the `oci` interface and forwards `vms → oci`.
@@ -0,0 +1,44 @@
 # home
 The home network. A VM host (`palace`), a redundant pair of routers, a storage
 server, Home Assistant, and personal desktops.
 - **Domain:** `h.nul.ie`
 - **Source:** [`nixos/boxes/home/`](../../../nixos/boxes/home)
 ## Shape
 ```
 palace (physical VM host)
 ├── river ──── home router (HA pair with stream)
 ├── cellar ── NVMe-oF storage server (SPDK)
 └── sfh ───── NixOS container host ──┬── hass   (Home Assistant)
                                     └── unifi  (UniFi controller — defined, currently disabled)
 stream ── standalone home router (HA pair with river)
 castle ── desktop workstation (boots its disks over NVMe-oF from cellar)
 ```
 The two routers `river` (a VM on `palace`) and `stream` (standalone hardware)
 share the [`routing-common`](../../../nixos/boxes/home/routing-common) config and
 form a **keepalived/VRRP high-availability pair**: DHCP (kea), router
 advertisements (radvd), DNS with blocklists, NAT, and the AS211024 L2 mesh link
 back to colony.
 ## Machines
 | Machine | Role | Docs |
 | --- | --- | --- |
 | `palace` | Physical VM host | [palace.md](palace.md) |
 | `river` | Home router (VM; VRRP pair with `stream`) | [river.md](river.md) |
 | `cellar` | NVMe-oF storage server (SPDK) | [cellar.md](cellar.md) |
 | `sfh` | NixOS container host | [sfh.md](sfh.md) |
 | `stream` | Home router (standalone hardware; VRRP pair with `river`) | [stream.md](stream.md) |
 | `castle` | Desktop workstation | [castle.md](castle.md) |
 ### sfh containers
 | Container | Role | Docs |
 | --- | --- | --- |
 | `hass` | Home Assistant | [hass.md](hass.md) |
 | `unifi` | UniFi network controller (defined, **currently not imported**) | [unifi.md](unifi.md) |
@@ -0,0 +1,19 @@
 # castle
 A desktop workstation.
 - **Source:** [`nixos/boxes/home/castle/default.nix`](../../../nixos/boxes/home/castle/default.nix)
 ## Role
 - AMD desktop running the GUI environment (`my.gui.enable`, Sway / Wayland via
  home-manager).
 - **Diskless-style boot:** its `/nix`, `/persist` and `/home` are NVMe-oF volumes
  served by [`cellar`](cellar.md) (`/dev/nvmeof/{nix,persist,home}`). The
  networking is careful not to drop the IP used for the NVMe-oF connection.
 - Uses the `my.nvme` module for the NVMe-oF client setup.
 ## Networking
 - Sits on the home network; depends on the high-speed link to `cellar` for its
  root storage.
@@ -0,0 +1,39 @@
 # cellar
 The home storage server. Exports fast NVMe storage over the network so other
 machines (notably `castle`) can boot and run from it.
 - **Source:** [`nixos/boxes/home/palace/vms/cellar/`](../../../nixos/boxes/home/palace/vms/cellar)
  (`default.nix`, `spdk.nix`)
 - **Host:** VM on `palace` (NVMe drives passed through)
 - **Deploy address:** `192.168.68.80`
 ## Role
 - Runs **SPDK** ([`spdk.nix`](../../../nixos/boxes/home/palace/vms/cellar/spdk.nix)) as
  a userspace storage target. The kernel `nvme` driver is blacklisted so SPDK can
  drive the NVMe devices directly (attached by PCI BDF).
 - Builds a **RAID0** (`NVMeRaid`) across three NVMe drives, partitioned into three
  namespaces, and exports each as an **NVMe-oF target over RDMA** (port 4420) on
  the high-speed home network — one namespace per consumer:
  | Namespace | NQN | Consumer |
  | --- | --- | --- |
  | `NVMeRaidp1` | `nqn.2016-06.io.spdk:river` | [`river`](river.md) |
  | `NVMeRaidp2` | `nqn.2016-06.io.spdk:castle` | [`castle`](castle.md) |
  | `NVMeRaidp3` | `nqn.2016-06.io.spdk:sfh` | [`sfh`](sfh.md) |
  Each client is pinned by `hostnqn`, so `river`, `castle` and `sfh` all run their
  storage off `cellar` over the network.
 ## Networking
 - Exports on the high-speed home network (`lan-hi` / the `hi` assignment) over
  RDMA; the SPDK target waits for that link to be online before starting.
 ## Notes
 - The `ublk_*` calls in `my.spdk.debugCommands` are **only a debugging script** —
  they let you create a local ublk block device to mount and inspect the RAID on
  `cellar` itself. They are **not** how storage is exported to clients; that is the
  `nvmf` config above.
@@ -0,0 +1,18 @@
 # hass
 [Home Assistant](https://www.home-assistant.io/) — home automation.
 - **Source:** [`sfh/containers/hass.nix`](../../../nixos/boxes/home/palace/vms/sfh/containers/hass.nix)
 - **Host:** NixOS container on `sfh`
 ## Role
 - Runs Home Assistant plus supporting services in the container. The `hass-cli`
  is wired up against the local server for convenience.
 - Integrations/automations are configured here (see commit history for things
  like the "West Wood" integration).
 ## Networking
 - `internal` assignment (alt name `hass-ctr`), plus a loopback assignment
  (`hass-ctr-lo`) used internally.
@@ -0,0 +1,21 @@
 # palace (host)
 The physical VM host for the home network — the home equivalent of `colony`.
 - **Source:** [`nixos/boxes/home/palace/default.nix`](../../../nixos/boxes/home/palace/default.nix)
  (VM instances in [`palace/vms/default.nix`](../../../nixos/boxes/home/palace/vms/default.nix))
 ## Role
 - Bare-metal host whose job is to run the home VMs via the `my.vms` module:
  `river` (router), `cellar` (storage), `sfh` (container host).
 - Provides the bridged networking those VMs sit on and passes through hardware
  where needed (e.g. NVMe drives to `cellar`, NICs to `river`).
 ## VMs hosted here
 | VM | Role | Docs |
 | --- | --- | --- |
 | `river` | Home router (VRRP pair with `stream`) | [river.md](river.md) |
 | `cellar` | NVMe-oF storage server | [cellar.md](cellar.md) |
 | `sfh` | NixOS container host (Home Assistant, …) | [sfh.md](sfh.md) |
@@ -0,0 +1,25 @@
 # river
 One of the two home routers. `river` is a VM on `palace`; it forms a
 high-availability pair with the standalone `stream`.
 - **Source:** [`nixos/boxes/home/palace/vms/river.nix`](../../../nixos/boxes/home/palace/vms/river.nix),
  built from [`routing-common`](../../../nixos/boxes/home/routing-common) (instance `0`)
 - **Host:** VM on `palace`
 - **Deploy address:** `192.168.68.1`
 ## Role
 Everything in [`routing-common`](../../../nixos/boxes/home/routing-common):
 - **VRRP/keepalived** failover with `stream` (`keepalived.nix`) — one router is
  master at a time, sharing virtual IPs.
 - **DHCP** via kea (`kea.nix`), **router advertisements** via radvd
  (`radvd.nix`).
 - **DNS** (`dns.nix`) — local resolver with a blocklist
  (`dns-blocklist.txt`) and a periodic update script.
 - **NAT / firewall** for the home LAN, with policy routing.
 - **AS211024 L2 mesh** link back to colony/`estuary` (and the other edge
  routers), so home and colony networks interconnect.
 See [stream.md](stream.md) for the other half of the pair.
@@ -0,0 +1,24 @@
 # sfh
 The home **NixOS container host** ("smart from home" / home services).
 - **Source:** [`nixos/boxes/home/palace/vms/sfh/`](../../../nixos/boxes/home/palace/vms/sfh)
  (`default.nix`, `containers/`)
 - **Host:** VM on `palace`
 ## Role
 - Runs the home NixOS containers via `my.containers.instances`, in the same way
  `shill` does on colony.
 - Sits on the home network and connects to NVMe-oF storage (`cellar`) where
  needed.
 ## Containers
 Defined in [`sfh/containers/`](../../../nixos/boxes/home/palace/vms/sfh/containers)
 and imported from its `containers/default.nix`:
 | Container | Role | Docs |
 | --- | --- | --- |
 | `hass` | Home Assistant | [hass.md](hass.md) |
 | `unifi` | UniFi controller — **defined but currently commented out** of `containers/default.nix` | [unifi.md](unifi.md) |
@@ -0,0 +1,19 @@
 # stream
 One of the two home routers. `stream` is standalone hardware; it forms a
 high-availability pair with `river` (a VM on `palace`).
 - **Source:** [`nixos/boxes/home/stream.nix`](../../../nixos/boxes/home/stream.nix),
  built from [`routing-common`](../../../nixos/boxes/home/routing-common) (instance `1`)
 - **Deploy address:** `192.168.68.2`
 ## Role
 - Same [`routing-common`](../../../nixos/boxes/home/routing-common) role as
  [`river`](river.md): keepalived/VRRP, kea DHCP, radvd, DNS + blocklist, NAT and
  the AS211024 L2 mesh link to colony.
 - Additionally pulls in `mstpd` (`routing-common/mstpd.nix`) for spanning-tree on
  its bridged ports — `stream` is the one wired into the physical switching, so
  it manages the L2 topology.
 See [river.md](river.md) for the other half of the pair.
@@ -0,0 +1,23 @@
 # unifi
 The UniFi network controller.
 - **Source:** [`sfh/containers/unifi.nix`](../../../nixos/boxes/home/palace/vms/sfh/containers/unifi.nix)
 - **Host:** NixOS container on `sfh`
 ## Status
 > **Currently disabled.** The system is still defined (`nixos.systems.unifi`),
 > but its import is commented out in
 > [`sfh/containers/default.nix`](../../../nixos/boxes/home/palace/vms/sfh/containers/default.nix),
 > so it is not deployed as a container right now. Re-enable by uncommenting
 > `./unifi.nix` there.
 ## Role
 - Runs the UniFi controller (`services.unifi`) to manage the home UniFi network
  gear.
 ## Networking
 - `internal` assignment (alt name `unifi-ctr`).
@@ -0,0 +1,21 @@
 # misc
 Everything that isn't part of the `colony` or `home` sites: the edge VPSes, the
 remote `kelder` site, a workstation, and the installer image.
 | Machine | What it is | Docs |
 | --- | --- | --- |
 | `britway` | Vultr VPS (London, `lon1`): Headscale, Tailscale exit node, BGP edge, nginx | [britway.md](britway.md) |
 | `britnet` | VPS (Birmingham, `bhx1`): Tailscale/WireGuard gateway | [britnet.md](britnet.md) |
 | `kelder` | Remote site host (`hentai.engineer`): NixOS container host | [kelder.md](kelder.md) |
 | `tower` | Framework Laptop 13 (12th-gen Intel) workstation | [tower.md](tower.md) |
 | `installer` | Custom NixOS installer image | [installer.md](installer.md) |
 ## kelder containers
 `kelder` is itself a container host (like `shill`/`sfh`):
 | Container | Role | Docs |
 | --- | --- | --- |
 | `kelder-acquisition` | Media stack (Jellyfin + *arr + Transmission) | [kelder-acquisition.md](kelder-acquisition.md) |
 | `kelder-spoder` | nginx web host | [kelder-spoder.md](kelder-spoder.md) |
@@ -0,0 +1,21 @@
 # britnet
 A VPS in Birmingham (`bhx1`) acting as a Tailscale/WireGuard gateway node.
 - **Source:** [`nixos/boxes/britnet.nix`](../../../nixos/boxes/britnet.nix)
 - **Internal domain:** `bhx1.int.nul.ie`
 ## Role
 - **Tailscale node** + **WireGuard** (`wg0`) gateway: provides a second egress /
  entry point into the boxes' overlay networks.
 - nftables SNATs traffic arriving on `tailscale0` / `wg0` out of the provider
  interface (`veth0`), using the `allhost` assignment addresses.
 ## Networking
 - Provider uplink with gateways `77.74.199.1` (v4) / `2a12:ab46:5344::1` (v6).
 - `tailscale0` and `wg0` overlay interfaces; `allhost` assignment for SNAT.
 > `britnet` is a separate machine from [`britway`](britway.md) — different
 > provider/site, narrower role (gateway rather than control plane + BGP edge).
@@ -0,0 +1,27 @@
 # britway
 A Vultr VPS in London (`lon1`) acting as a network edge node: the Tailscale
 control plane, an exit node, and a BGP speaker in the AS211024 mesh.
 - **Source:** [`nixos/boxes/britway/`](../../../nixos/boxes/britway)
  (`default.nix`, `bgp.nix`, `nginx.nix`, `tailscale.nix`)
 - **Internal domain:** `lon1.int.nul.ie`
 ## Role
 - **Headscale** ([`tailscale.nix`](../../../nixos/boxes/britway/tailscale.nix)) — the
  self-hosted Tailscale control server (`hs.nul.ie`) the rest of the boxes log
  into.
 - **Tailscale node** — advertises itself as an **exit node** and advertises the
  tailnet routes, so tailnet clients can egress / reach internal prefixes via
  britway.
 - **BGP** ([`bgp.nix`](../../../nixos/boxes/britway/bgp.nix)) — part of the AS211024
  L2 VXLAN mesh (`my.vpns.l2`) alongside `estuary`, `river` and `stream`.
 - **nginx** ([`nginx.nix`](../../../nixos/boxes/britway/nginx.nix)) — reverse proxy /
  web front-end with ACME certs.
 ## Networking
 - `vultr` assignment on the provider interface; `as211024` on the mesh.
 - A `veth0`/`tailscale0` setup with SNAT so tailnet traffic egresses via the VPS
  public IP.
@@ -0,0 +1,19 @@
 # installer
 The custom NixOS installer image used to bootstrap new boxes.
 - **Source:** [`nixos/installer.nix`](../../../nixos/installer.nix)
 ## Role
 - Defines `nixos.systems.installer`, a minimal system whose `my.buildAs.*`
  outputs produce installable artifacts — primarily a bootable **ISO**
  (`isoImage`), and the same base is reused for kexec/netboot trees.
 - Build it with the devshell commands (see [`AGENTS.md`](../../../AGENTS.md#commands)):
  - `build-iso installer`
  - `build-kexec installer` / `build-netboot installer`
 - A released ISO is what `colony`'s VM definitions reference as install media; the
  `update-installer` devshell command tags a release to trigger a rebuild.
 This is a build target rather than a deployed machine — there is no running
 `installer` host.
@@ -0,0 +1,20 @@
 # kelder-acquisition
 The media stack for the `kelder` site — a slimmer cousin of colony's
 [`jackflix`](../colony/jackflix.md).
 - **Source:** [`kelder/containers/acquisition/`](../../../nixos/boxes/kelder/containers/acquisition)
  (`default.nix`, `networking.nix`)
 - **Host:** NixOS container on `kelder`
 ## Role
 - **Jellyfin** for streaming (with hardware transcoding — the `jellyfin` user is
  in the `render` group, `jellyfin-ffmpeg`).
 - **Acquisition:** Transmission, Jackett, Radarr, Sonarr.
 - Runs under the site's shared `kontent` user.
 ## Networking
 - `internal` assignment (alt name `acquisition-ctr`) on the kelder container
  network; download client networking in `networking.nix`.
@@ -0,0 +1,17 @@
 # kelder-spoder
 An nginx web host on the `kelder` site.
 - **Source:** [`kelder/containers/spoder/`](../../../nixos/boxes/kelder/containers/spoder)
  (`default.nix`, `nginx.nix`)
 - **Host:** NixOS container on `kelder`
 ## Role
 - Serves web content via **nginx** ([`nginx.nix`](../../../nixos/boxes/kelder/containers/spoder/nginx.nix)),
  with ACME-managed certificates (nginx in the `acme` group, reloads on renewal).
 - Runs under the site's shared `kontent` user.
 ## Networking
 - `internal` assignment (alt name `spoder-ctr`) on the kelder container network.
@@ -0,0 +1,24 @@
 # kelder
 A host at a remote site ("kelder" = cellar/basement), linked back to the rest of
 the other boxes over WireGuard. It is itself a **NixOS container host**.
 - **Source:** [`nixos/boxes/kelder/`](../../../nixos/boxes/kelder)
  (`default.nix`, `boot.nix`, `containers/`, `plymouth/`)
 - **Domain:** `hentai.engineer`
 ## Role
 - **Site uplink:** connects to colony's `estuary` over **WireGuard**
  (`kelder` peer; see [estuary.md](../colony/estuary.md)), so the remote site is
  reachable through the colony edge. A periodic `dns_update.py` keeps DNS current.
 - **Container host:** runs NixOS containers via `my.containers.instances`
  (`acquisition`, `spoder`).
 - Custom boot/splash (`boot.nix`, Plymouth theme in `plymouth/`).
 ## Containers
 | Container | Role | Docs |
 | --- | --- | --- |
 | `kelder-acquisition` | Media stack (Jellyfin + *arr + Transmission) | [kelder-acquisition.md](kelder-acquisition.md) |
 | `kelder-spoder` | nginx web host | [kelder-spoder.md](kelder-spoder.md) |
@@ -0,0 +1,16 @@
 # tower
 A laptop workstation — a Framework Laptop 13 (12th-gen Intel).
 - **Source:** [`nixos/boxes/tower/default.nix`](../../../nixos/boxes/tower/default.nix)
 ## Role
 - Framework Laptop 13 (12th-gen Intel) running the GUI environment
  (`my.gui.enable`) with home-manager on the `mine` channel.
 - Joins the tailnet via the self-hosted Headscale on [`britway`](britway.md)
  (`tailscale up --login-server=https://hs.nul.ie --accept-routes`).
 - Local virtualisation enabled (`kvm-intel`, IOMMU on).
 > Unlike [`castle`](../home/castle.md), `tower` lives outside the `home/` box
 > tree and boots from local disks rather than NVMe-oF.
@@ -11,11 +11,11 @@
        "systems": "systems_7"
      },
      "locked": {
-        "lastModified": 1723293904,
+        "lastModified": 1761656077,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5",
        "type": "github"
      },
      "original": {
@@ -31,29 +31,27 @@
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
-        "poetry2nix": "poetry2nix"
+        "pyproject-nix": "pyproject-nix"
      },
      "locked": {
-        "lastModified": 1718746012,
+        "lastModified": 1757170758,
-        "narHash": "sha256-sp9vGl3vWXvD/C2JeMDi5nbW6CkKIC3Q2JMGKwexYEs=",
+        "narHash": "sha256-FyO+Brz5eInmdAkG8B2rJAfrNGMCsDQ8BPflKV2+r5g=",
-        "ref": "refs/heads/master",
+        "owner": "devplayer0",
-        "rev": "ea24100bd4a914b9e044a2085a3785a6bd3a3833",
+        "repo": "boardie",
-        "revCount": 5,
+        "rev": "ed5fd520d5bf122871b5508dd3c1eda28d6e515d",
-        "type": "git",
+        "type": "github"
        "url": "https://git.nul.ie/dev/boardie"
      },
      "original": {
-        "type": "git",
+        "owner": "devplayer0",
-        "url": "https://git.nul.ie/dev/boardie"
+        "repo": "boardie",
        "type": "github"
      }
    },
    "borgthin": {
      "inputs": {
        "devshell": "devshell_2",
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_4",
-        "nixpkgs": [
+        "nixpkgs": "nixpkgs_3"
          "nixpkgs-mine"
        ]
      },
      "locked": {
        "lastModified": 1732994213,
@@ -69,13 +67,49 @@
        "type": "github"
      }
    },
    "copyparty": {
      "inputs": {
        "flake-utils": "flake-utils_5",
        "nixpkgs": [
          "nixpkgs-unstable"
        ]
      },
      "locked": {
        "lastModified": 1781351267,
        "narHash": "sha256-86HFs1K+LRlx8t4AjaMdU5qlg4O7kLz1VlnNapKZIuY=",
        "owner": "9001",
        "repo": "copyparty",
        "rev": "90639de9840d7dcc2d9000026fe547f666c1d550",
        "type": "github"
      },
      "original": {
        "owner": "9001",
        "repo": "copyparty",
        "type": "github"
      }
    },
    "crane": {
      "locked": {
-        "lastModified": 1725409566,
+        "lastModified": 1780532242,
-        "narHash": "sha256-PrtLmqhM6UtJP7v7IGyzjBFhbG4eOAHT6LPYOFmYfbk=",
+        "narHash": "sha256-D+BsdpxmtUwtqGoY0IXPhHgTlmqgcZKCEo1oMyn7ep0=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "7e4586bad4e3f8f97a9271def747cf58c4b68f3c",
+        "rev": "59a82a1222dd3b2080b5cc52a1a2e8d5f1b77f37",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "repo": "crane",
        "type": "github"
      }
    },
    "crane_2": {
      "locked": {
        "lastModified": 1760924934,
        "narHash": "sha256-tuuqY5aU7cUkR71sO2TraVKK2boYrdW3gCSXUkF4i44=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "c6b4d5308293d0d04fcfeee92705017537cad02f",
        "type": "github"
      },
      "original": {
@@ -93,11 +127,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1700795494,
+        "lastModified": 1744478979,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
        "type": "github"
      },
      "original": {
@@ -116,11 +150,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1727447169,
+        "lastModified": 1781023725,
-        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
+        "narHash": "sha256-Gt+qFANcrDRjl3xzidLYrAUQCd3808iuAsLwZbYYAEU=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
+        "rev": "2ce9051767ee4d1a3c43b52ba327431783bfd463",
        "type": "github"
      },
      "original": {
@@ -150,8 +184,8 @@
    },
    "devshell-tools": {
      "inputs": {
-        "flake-utils": "flake-utils_9",
+        "flake-utils": "flake-utils_10",
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
        "lastModified": 1710099997,
@@ -169,8 +203,8 @@
    },
    "devshell_2": {
      "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1671489820,
@@ -193,11 +227,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728330715,
+        "lastModified": 1768818222,
-        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
+        "narHash": "sha256-460jc0+CZfyaO8+w8JNtlClB2n4ui1RbHfPTLkpwhU8=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
+        "rev": "255a2b1725a20d060f566e4755dbf571bbbb5f76",
        "type": "github"
      },
      "original": {
@@ -209,11 +243,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1733328505,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
        "type": "github"
      },
      "original": {
@@ -241,6 +275,24 @@
      }
    },
    "flake-utils_10": {
      "inputs": {
        "systems": "systems_9"
      },
      "locked": {
        "lastModified": 1709126324,
        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_11": {
      "inputs": {
        "systems": "systems_10"
      },
@@ -258,7 +310,7 @@
        "type": "github"
      }
    },
-    "flake-utils_11": {
+    "flake-utils_12": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -292,24 +344,6 @@
      }
    },
    "flake-utils_3": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_4": {
      "locked": {
        "lastModified": 1642700792,
        "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
@@ -324,7 +358,7 @@
        "type": "github"
      }
    },
-    "flake-utils_5": {
+    "flake-utils_4": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -339,7 +373,58 @@
        "type": "github"
      }
    },
    "flake-utils_5": {
      "locked": {
        "lastModified": 1678901627,
        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_6": {
      "inputs": {
        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_7": {
      "inputs": {
        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_8": {
      "inputs": {
        "systems": "systems_6"
      },
@@ -357,31 +442,16 @@
        "type": "github"
      }
    },
-    "flake-utils_7": {
+    "flake-utils_9": {
      "locked": {
        "lastModified": 1659877975,
        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_8": {
      "inputs": {
        "systems": "systems_8"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -390,21 +460,47 @@
        "type": "github"
      }
    },
-    "flake-utils_9": {
+    "harmonia": {
      "inputs": {
-        "systems": "systems_9"
+        "crane": "crane",
        "nix": "nix",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1709126324,
+        "lastModified": 1781128165,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "narHash": "sha256-97WpKZkaNAL5g7MtASLwqnrJrvrLpQRr6cXWiRNLiXQ=",
-        "owner": "numtide",
+        "owner": "nix-community",
-        "repo": "flake-utils",
+        "repo": "harmonia",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "rev": "f0dd1094cdc8d72e038cf9347cacfa9272a8f72d",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
+        "owner": "nix-community",
-        "repo": "flake-utils",
+        "repo": "harmonia",
        "type": "github"
      }
    },
    "hass-west-wood": {
      "inputs": {
        "flake-utils": "flake-utils_7",
        "nixpkgs": [
          "nixpkgs-unstable"
        ]
      },
      "locked": {
        "lastModified": 1781402797,
        "narHash": "sha256-pBdDca7xv1nuP0kj+gC5g5AcR/DV+9Zy3CS6uDOMdJ4=",
        "owner": "devplayer0",
        "repo": "hass-west-wood",
        "rev": "3e6ef7a9084e4053c82dea20127a775e7bcf77a5",
        "type": "github"
      },
      "original": {
        "owner": "devplayer0",
        "repo": "hass-west-wood",
        "type": "github"
      }
    },
@@ -417,11 +513,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1703113217,
+        "lastModified": 1745494811,
-        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
@@ -437,16 +533,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1732466619,
+        "lastModified": 1781319724,
-        "narHash": "sha256-T1e5oceypZu3Q8vzICjv1X/sGs9XfJRMW5OuXHgpB3c=",
+        "narHash": "sha256-ZGuxexEMo4Xv28KJ0dX/m/PHN4oZIOnxHZpNTyrvx4M=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f3111f62a23451114433888902a55cf0692b408d",
+        "rev": "8355f0a16b2dbb06a97959a918af5b239bbe05ae",
        "type": "github"
      },
      "original": {
        "id": "home-manager",
-        "ref": "release-24.11",
+        "ref": "release-26.05",
        "type": "indirect"
      }
    },
@@ -457,11 +553,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1732884235,
+        "lastModified": 1781305496,
-        "narHash": "sha256-r8j6R3nrvwbT1aUp4EPQ1KC7gm0pu9VcV1aNaB+XG6Q=",
+        "narHash": "sha256-g8Vv4Qfc7n+lgov97REu3X6BeJtvYY0hlSUZR1GrGQQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "819f682269f4e002884702b87e445c82840c68f2",
+        "rev": "c87a39aa979acc4848016d2220c6238390d84779",
        "type": "github"
      },
      "original": {
@@ -470,12 +566,18 @@
      }
    },
    "impermanence": {
      "inputs": {
        "home-manager": [
          "home-manager-unstable"
        ],
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1731242966,
+        "lastModified": 1769548169,
-        "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
+        "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
+        "rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
        "type": "github"
      },
      "original": {
@@ -484,41 +586,51 @@
        "type": "github"
      }
    },
-    "nix-github-actions": {
+    "libnetRepo": {
-      "inputs": {
+      "flake": false,
        "nixpkgs": [
          "boardie",
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1703863825,
+        "lastModified": 1776595118,
-        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
+        "narHash": "sha256-6bIEi8q5hXCHU9nApTbQXvpljMWldg3QipCD+jkOGK8=",
-        "owner": "nix-community",
+        "owner": "oddlama",
-        "repo": "nix-github-actions",
+        "repo": "nixos-extra-modules",
-        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
+        "rev": "84207afebb794be7b53cfc9768730f37c64f4a13",
        "type": "github"
      },
      "original": {
-        "owner": "nix-community",
+        "owner": "oddlama",
-        "repo": "nix-github-actions",
+        "repo": "nixos-extra-modules",
        "type": "github"
      }
    },
    "nix": {
      "flake": false,
      "locked": {
        "lastModified": 1780652321,
        "narHash": "sha256-o/6YXRB6AbeL4SYtSHlJ9oEROl6Wmf7yheJNa3fAv2I=",
        "owner": "nixos",
        "repo": "nix",
        "rev": "d1f04a798cf4276da59567c07a3bf4a628669288",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "repo": "nix",
        "type": "github"
      }
    },
    "nixGL": {
      "inputs": {
-        "flake-utils": "flake-utils_7",
+        "flake-utils": "flake-utils_8",
        "nixpkgs": [
          "nixpkgs-unstable"
        ]
      },
      "locked": {
-        "lastModified": 1713543440,
+        "lastModified": 1762090880,
-        "narHash": "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=",
+        "narHash": "sha256-fbRQzIGPkjZa83MowjbD2ALaJf9y6KMDdJBQMKFeY/8=",
        "owner": "nix-community",
        "repo": "nixGL",
-        "rev": "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a",
+        "rev": "b6105297e6f0cd041670c3e8628394d4ee247ed5",
        "type": "github"
      },
      "original": {
@@ -545,11 +657,11 @@
    },
    "nixpkgs-mine": {
      "locked": {
-        "lastModified": 1732985787,
+        "lastModified": 1781356656,
-        "narHash": "sha256-6rSJ9L4QywpHLi/xvpOHdTuPm6/eOJcXxnYzDbP3U1k=",
+        "narHash": "sha256-Ygkl3ZBJ434/WhwdK1FyvPMeHvNPAopg3KE/1HtcJuk=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "a28c46933ef5038fb7a2dd483b85152a539c7969",
+        "rev": "a15e20705db295f621cb5bb63613f03a9373323f",
        "type": "github"
      },
      "original": {
@@ -561,11 +673,11 @@
    },
    "nixpkgs-mine-stable": {
      "locked": {
-        "lastModified": 1732985894,
+        "lastModified": 1781356876,
-        "narHash": "sha256-YYuQQCcSF6KjgtAenZJiBmqt5jqP3UvYgC424VQ+22s=",
+        "narHash": "sha256-s8ed+zuk5wrbyhtDQpkxycAcLmhQH9umGRuVRBNKUbU=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "e0a3f4e2bbc5f7b681e344b389dcbab23f2e92a8",
+        "rev": "2eb8bacf9f641d4510fc43ba7fc0eea7dfdf5b24",
        "type": "github"
      },
      "original": {
@@ -577,26 +689,26 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1732824227,
+        "lastModified": 1780902259,
-        "narHash": "sha256-fYNXgpu1AEeLyd3fQt4Ym0tcVP7cdJ8wRoqJ+CtTRyY=",
+        "narHash": "sha256-q8yYEC5f1mFlQO9RGna4LTc9QrcvWunX6FYp83munkQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c71ad5c34d51dcbda4c15f44ea4e4aa6bb6ac1e9",
+        "rev": "bd0ff2d3eac24699c3664d5966b9ef36f388e2ca",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-24.11",
+        "ref": "nixos-26.05",
        "type": "indirect"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1732758367,
+        "lastModified": 1781074563,
-        "narHash": "sha256-RzaI1RO0UXqLjydtz3GAXSTzHkpb/lLD1JD8a0W4Wpo=",
+        "narHash": "sha256-md8WlXOlfnIeHeOScMTTHFyf2d6iaTwPl2apR5EQ3P4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fa42b5a5f401aab8a32bd33c9a4de0738180dc59",
+        "rev": "9ae611a455b90cf061d8f332b977e387bda8e1ca",
        "type": "github"
      },
      "original": {
@@ -606,22 +718,6 @@
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1718632497,
        "narHash": "sha256-YtlyfqOdYMuu7gumZtK0Kg7jr4OKfHUhJkZfNUryw68=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c58b4a9118498c1055c5908a5bbe666e56abe949",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1643381941,
        "narHash": "sha256-pHTwvnN4tTsEKkWlXQ8JMY423epos8wUOhthpwJjtpc=",
@@ -637,7 +733,37 @@
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1673606088,
        "narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }
    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1768564909,
        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_5": {
      "locked": {
        "lastModified": 1709309926,
        "narHash": "sha256-VZFBtXGVD9LWTecGi6eXrE0hJ/mVB3zGUlHImUs2Qak=",
@@ -653,7 +779,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1674990008,
        "narHash": "sha256-4zOyp+hFW2Y7imxIpZqZGT8CEqKmDjwgfD6BzRUE0mQ=",
@@ -669,44 +795,43 @@
        "type": "github"
      }
    },
-    "poetry2nix": {
+    "pyproject-nix": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
-        "nix-github-actions": "nix-github-actions",
+          "boardie",
-        "nixpkgs": "nixpkgs_2",
+          "nixpkgs"
-        "systems": "systems_4",
+        ]
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1718726452,
+        "lastModified": 1756395552,
-        "narHash": "sha256-w4hJSYvACz0i5XHtxc6XNyHwbxpisN13M2kA2Y7937o=",
+        "narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=",
-        "owner": "nix-community",
+        "owner": "pyproject-nix",
-        "repo": "poetry2nix",
+        "repo": "pyproject.nix",
-        "rev": "53e534a08c0cd2a9fa7587ed1c3e7f6aeb804a2c",
+        "rev": "030dffc235dcf240d918c651c78dc5f158067b51",
        "type": "github"
      },
      "original": {
-        "owner": "nix-community",
+        "owner": "pyproject-nix",
-        "repo": "poetry2nix",
+        "repo": "pyproject.nix",
        "type": "github"
      }
    },
    "ragenix": {
      "inputs": {
        "agenix": "agenix",
-        "crane": "crane",
+        "crane": "crane_2",
-        "flake-utils": "flake-utils_8",
+        "flake-utils": "flake-utils_9",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1731774781,
+        "lastModified": 1764843533,
-        "narHash": "sha256-vwsUUYOIs8J6weeSK1n1mbZf8fgvygGUMsadx0JmG70=",
+        "narHash": "sha256-ovPNJh3Yws59Z8QHXAK+JkoftpdsUh1Ifxu2k+A/xxM=",
        "owner": "devplayer0",
        "repo": "ragenix",
-        "rev": "ec4115da7b67c783b1091811e17dbcba50edd1c6",
+        "rev": "e1a7bce819be6966ff369b7c0100c2713f8a9b32",
        "type": "github"
      },
      "original": {
@@ -720,12 +845,16 @@
      "inputs": {
        "boardie": "boardie",
        "borgthin": "borgthin",
        "copyparty": "copyparty",
        "deploy-rs": "deploy-rs",
        "devshell": "devshell_3",
        "flake-utils": "flake-utils_6",
        "harmonia": "harmonia",
        "hass-west-wood": "hass-west-wood",
        "home-manager-stable": "home-manager-stable",
        "home-manager-unstable": "home-manager-unstable",
        "impermanence": "impermanence",
        "libnetRepo": "libnetRepo",
        "nixGL": "nixGL",
        "nixpkgs-mine": "nixpkgs-mine",
        "nixpkgs-mine-stable": "nixpkgs-mine-stable",
@@ -743,11 +872,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1725675754,
+        "lastModified": 1761791894,
-        "narHash": "sha256-hXW3csqePOcF2e/PYnpXj72KEYyNj2HzTrVNmS/F7Ug=",
+        "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "8cc45e678e914a16c8e224c3237fb07cf21e5e54",
+        "rev": "59c45eb69d9222a4362673141e00ff77842cd219",
        "type": "github"
      },
      "original": {
@@ -758,8 +887,8 @@
    },
    "sbt": {
      "inputs": {
-        "flake-utils": "flake-utils_11",
+        "flake-utils": "flake-utils_12",
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
      },
      "locked": {
        "lastModified": 1698464090,
@@ -778,18 +907,18 @@
    "sharry": {
      "inputs": {
        "devshell-tools": "devshell-tools",
-        "flake-utils": "flake-utils_10",
+        "flake-utils": "flake-utils_11",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
        "sbt": "sbt"
      },
      "locked": {
-        "lastModified": 1720592125,
+        "lastModified": 1741328331,
-        "narHash": "sha256-vR89LefkY8mBPWxDTQ8SNg6Z7/J6Yga80T4kSb6MNdk=",
+        "narHash": "sha256-OtsHm9ykxfAOMRcgFDsqFBBy5Wu0ag7eq1qmTIluVcw=",
        "owner": "eikek",
        "repo": "sharry",
-        "rev": "604b20517150599cb05dbe178cd35cd10659aa4c",
+        "rev": "6203b90f9a76357d75c108a27ad00f323d45c1d0",
        "type": "github"
      },
      "original": {
@@ -868,8 +997,9 @@
        "type": "github"
      },
      "original": {
-        "id": "systems",
+        "owner": "nix-systems",
-        "type": "indirect"
+        "repo": "default",
        "type": "github"
      }
    },
    "systems_5": {
@@ -950,17 +1080,16 @@
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
-          "boardie",
+          "harmonia",
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1718522839,
+        "lastModified": 1780220602,
-        "narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=",
+        "narHash": "sha256-eynAfOmbmxJnkp7YewvCEbShNnnYJ9gLLqkzsYtBPeM=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81",
+        "rev": "db947814a175b7ca6ded66e21383d938df01c227",
        "type": "github"
      },
      "original": {
@@ -971,14 +1100,14 @@
    },
    "utils": {
      "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_3"
      },
      "locked": {
-        "lastModified": 1701680307,
+        "lastModified": 1731533236,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -3,17 +3,22 @@
  inputs = {
    flake-utils.url = "github:numtide/flake-utils";
    # libnet.url = "github:reo101/nix-lib-net";
    libnetRepo = {
      url = "github:oddlama/nixos-extra-modules";
      flake = false;
    };
    devshell.url = "github:numtide/devshell";
    devshell.inputs.nixpkgs.follows = "nixpkgs-unstable";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "nixpkgs/nixos-24.11";
+    nixpkgs-stable.url = "nixpkgs/nixos-26.05";
    nixpkgs-mine.url = "github:devplayer0/nixpkgs/devplayer0";
    nixpkgs-mine-stable.url = "github:devplayer0/nixpkgs/devplayer0-stable";
    home-manager-unstable.url = "home-manager";
    home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
-    home-manager-stable.url = "home-manager/release-24.11";
+    home-manager-stable.url = "home-manager/release-26.05";
    home-manager-stable.inputs.nixpkgs.follows = "nixpkgs-stable";
    # Stuff used by the flake for build / deployment
@@ -25,16 +30,25 @@
    # Stuff used by systems
    impermanence.url = "github:nix-community/impermanence";
-    boardie.url = "git+https://git.nul.ie/dev/boardie";
+    impermanence.inputs.home-manager.follows = "home-manager-unstable";
    boardie.url = "github:devplayer0/boardie";
    boardie.inputs.nixpkgs.follows = "nixpkgs-unstable";
    nixGL.url = "github:nix-community/nixGL";
    nixGL.inputs.nixpkgs.follows = "nixpkgs-unstable";
    harmonia.url = "github:nix-community/harmonia";
    # harmonia.url = "github:devplayer0/harmonia/cache-config-daemon-store";
    harmonia.inputs.nixpkgs.follows = "nixpkgs-unstable";
    # Packages not in nixpkgs
    sharry.url = "github:eikek/sharry";
    sharry.inputs.nixpkgs.follows = "nixpkgs-unstable";
    borgthin.url = "github:devplayer0/borg";
-    borgthin.inputs.nixpkgs.follows = "nixpkgs-mine";
+    # TODO: Update borgthin so this works
    # borgthin.inputs.nixpkgs.follows = "nixpkgs-mine";
    copyparty.url = "github:9001/copyparty";
    copyparty.inputs.nixpkgs.follows = "nixpkgs-unstable";
    hass-west-wood.url = "github:devplayer0/hass-west-wood";
    hass-west-wood.inputs.nixpkgs.follows = "nixpkgs-unstable";
  };
  outputs =
@@ -57,7 +71,7 @@
      # Extend a lib with extras that _must not_ internally reference private nixpkgs. flake-utils doesn't, but many
      # other flakes (e.g. home-manager) probably do internally.
      libOverlay = final: prev: {
-        my = import ./lib { lib = final; };
+        my = import ./lib { inherit inputs; lib = final; };
        flake = flake-utils.lib;
      };
      pkgsLibOverlay = final: prev: { lib = prev.lib.extend libOverlay; };
@@ -88,10 +102,11 @@
        (_: path: mkDefaultSystemsPkgs path (system: {
          overlays = [
            pkgsLibOverlay
            myPkgsOverlay
            inputs.devshell.overlays.default
            inputs.ragenix.overlays.default
-            inputs.deploy-rs.overlay
+            inputs.deploy-rs.overlays.default
            (flakePackageOverlay inputs.home-manager-unstable system)
          ];
        }))
@@ -102,6 +117,7 @@
        (_: path: mkDefaultSystemsPkgs path (_: {
          overlays = [
            pkgsLibOverlay
            myPkgsOverlay
          ];
@@ -126,6 +142,7 @@
        nixos/boxes/home/palace
        nixos/boxes/home/castle
        nixos/boxes/britway
        nixos/boxes/britnet.nix
        nixos/boxes/kelder
        # Homes
@@ -156,7 +173,7 @@
    # Platform independent stuff
    {
      nixpkgs = pkgs';
-      inherit lib nixfiles;
+      inherit inputs lib nixfiles;
      overlays.default = myPkgsOverlay;
@@ -66,7 +66,7 @@ in
        lsd = {
          enable = mkDefault true;
-          enableAliases = mkDefault true;
+          enableFishIntegration = mkDefault true;
        };
        starship = {
@@ -132,38 +132,38 @@ in
        ssh = {
          enable = mkDefault true;
-          matchBlocks = {
+          enableDefaultConfig = false;
          settings = {
            nix-dev-vm = {
-              user = "dev";
+              User = "dev";
-              hostname = "localhost";
+              HostName = "localhost";
-              port = 2222;
+              Port = 2222;
-              extraOptions = {
+              StrictHostKeyChecking = "no";
-                StrictHostKeyChecking = "no";
+              UserKnownHostsFile = "/dev/null";
                UserKnownHostsFile = "/dev/null";
              };
            };
            "rsync.net" = {
-              host = "rsyncnet";
+              Host = "rsyncnet";
-              user = "16413";
+              User = "16413";
-              hostname = "ch-s010.rsync";
+              HostName = "ch-s010.rsync";
            };
            shoe = {
-              host = "shoe.netsoc.tcd.ie shoe";
+              Host = "shoe.netsoc.tcd.ie shoe";
-              user = "netsoc";
+              User = "netsoc";
            };
            netsocBoxes = {
-              host = "cube spoon napalm gandalf saruman";
+              Host = "cube spoon napalm gandalf saruman";
-              user = "root";
+              User = "root";
            };
            "*" = {
              IdentityFile = [
                "~/.ssh/id_rsa"
                "~/.ssh/borg"
              ];
            };
          };
          extraConfig =
            ''
              IdentityFile ~/.ssh/id_rsa
              IdentityFile ~/.ssh/netsoc
              IdentityFile ~/.ssh/borg
            '';
        };
        direnv = {
@@ -226,7 +226,7 @@ in
      # Note: If globalPkgs mode is on, then these will be overridden by the NixOS equivalents of these options
      nixpkgs = {
        overlays = [
-          inputs.deploy-rs.overlay
+          inputs.deploy-rs.overlays.default
          inputs.boardie.overlays.default
          inputs.nixGL.overlays.default
        ];
@@ -0,0 +1,520 @@
 #!/usr/bin/env bash
 # Source: https://github.com/daniel3303/ClaudeCodeStatusLine
 # Single line: Model | tokens | %used | %remain | think | 5h bar @reset | 7d bar @reset | extra
 set -f  # disable globbing
 VERSION="1.4.4"
 input=$(cat)
 if [ -z "$input" ]; then
    printf "Claude"
    exit 0
 fi
 # ANSI colors matching oh-my-posh theme
 blue='\033[38;2;0;153;255m'
 orange='\033[38;2;255;176;85m'
 green='\033[38;2;0;160;0m'
 cyan='\033[38;2;46;149;153m'
 red='\033[38;2;255;85;85m'
 yellow='\033[38;2;230;200;0m'
 purple='\033[38;2;167;139;250m'
 white='\033[38;2;220;220;220m'
 dim='\033[2m'
 reset='\033[0m'
 # Format token counts (e.g., 50k / 200k)
 format_tokens() {
    local num=$1
    if [ "$num" -ge 1000000 ]; then
        awk "BEGIN {v=sprintf(\"%.1f\",$num/1000000)+0; if(v==int(v)) printf \"%dm\",v; else printf \"%.1fm\",v}"
    elif [ "$num" -ge 1000 ]; then
        awk "BEGIN {printf \"%.0fk\", $num / 1000}"
    else
        printf "%d" "$num"
    fi
 }
 # Format number with commas (e.g., 134,938)
 format_commas() {
    printf "%'d" "$1"
 }
 # Return color escape based on usage percentage
 # Usage: usage_color <pct>
 usage_color() {
    local pct=$1
    if [ "$pct" -ge 90 ]; then echo "$red"
    elif [ "$pct" -ge 70 ]; then echo "$orange"
    elif [ "$pct" -ge 50 ]; then echo "$yellow"
    else echo "$green"
    fi
 }
 # Resolve config directory: CLAUDE_CONFIG_DIR (set by alias) or default ~/.claude
 claude_config_dir="${CLAUDE_CONFIG_DIR:-$HOME/.claude}"
 # Return 0 (true) if $1 > $2 using semantic versioning
 version_gt() {
    local a="${1#v}" b="${2#v}"
    local IFS='.'
    read -r a1 a2 a3 <<< "$a"
    read -r b1 b2 b3 <<< "$b"
    a1=${a1:-0}; a2=${a2:-0}; a3=${a3:-0}
    b1=${b1:-0}; b2=${b2:-0}; b3=${b3:-0}
    [ "$a1" -gt "$b1" ] 2>/dev/null && return 0
    [ "$a1" -lt "$b1" ] 2>/dev/null && return 1
    [ "$a2" -gt "$b2" ] 2>/dev/null && return 0
    [ "$a2" -lt "$b2" ] 2>/dev/null && return 1
    [ "$a3" -gt "$b3" ] 2>/dev/null && return 0
    return 1
 }
 # ===== Extract data from JSON =====
 model_name=$(echo "$input" | jq -r '.model.display_name // "Claude"')
 model_name=$(echo "$model_name" | sed 's/ *(\([0-9.]*[kKmM]*\) context)/ \1/')  # "(1M context)" → "1M"
 # Context window
 size=$(echo "$input" | jq -r '.context_window.context_window_size // 200000')
 [ "$size" -eq 0 ] 2>/dev/null && size=200000
 # Token usage
 input_tokens=$(echo "$input" | jq -r '.context_window.current_usage.input_tokens // 0')
 cache_create=$(echo "$input" | jq -r '.context_window.current_usage.cache_creation_input_tokens // 0')
 cache_read=$(echo "$input" | jq -r '.context_window.current_usage.cache_read_input_tokens // 0')
 current=$(( input_tokens + cache_create + cache_read ))
 used_tokens=$(format_tokens $current)
 total_tokens=$(format_tokens $size)
 if [ "$size" -gt 0 ]; then
    pct_used=$(( current * 100 / size ))
 else
    pct_used=0
 fi
 pct_remain=$(( 100 - pct_used ))
 used_comma=$(format_commas $current)
 remain_comma=$(format_commas $(( size - current )))
 settings_path="$claude_config_dir/settings.json"
 effort_level=""
 stdin_effort=$(echo "$input" | jq -r '.effort.level // empty' 2>/dev/null)
 if [ -n "$stdin_effort" ]; then
    effort_level="$stdin_effort"
 elif [ -n "$CLAUDE_CODE_EFFORT_LEVEL" ]; then
    effort_level="$CLAUDE_CODE_EFFORT_LEVEL"
 elif [ -f "$settings_path" ]; then
    effort_val=$(jq -r '.effortLevel // empty' "$settings_path" 2>/dev/null)
    [ -n "$effort_val" ] && effort_level="$effort_val"
 fi
 [ -z "$effort_level" ] && effort_level="medium"
 # ===== Claude CLI version (cached, 1h TTL) =====
 cli_version_cache="/tmp/claude/statusline-cli-version"
 cli_version=""
 cli_version_max_age=3600
 if [ -f "$cli_version_cache" ]; then
    cv_mtime=$(stat -c %Y "$cli_version_cache" 2>/dev/null || stat -f %m "$cli_version_cache" 2>/dev/null)
    cv_now=$(date +%s)
    cv_age=$(( cv_now - cv_mtime ))
    if [ "$cv_age" -lt "$cli_version_max_age" ]; then
        cli_version=$(cat "$cli_version_cache" 2>/dev/null)
    fi
 fi
 if [ -z "$cli_version" ]; then
    cli_version=$(claude --version 2>/dev/null | awk '{print $1}')
    if [ -n "$cli_version" ]; then
        mkdir -p /tmp/claude 2>/dev/null
        echo "$cli_version" > "$cli_version_cache"
    fi
 fi
 # ===== Build single-line output =====
 out=""
 out+="${blue}${model_name}${reset}"
 # Current working directory
 cwd=$(echo "$input" | jq -r '.cwd // empty')
 if [ -n "$cwd" ]; then
    display_dir="${cwd##*/}"
    git_branch=$(git -C "${cwd}" rev-parse --abbrev-ref HEAD 2>/dev/null)
    out+=" ${dim}|${reset} "
    out+="${cyan}${display_dir}${reset}"
    if [ -n "$git_branch" ]; then
        out+="${dim}@${reset}${green}${git_branch}${reset}"
        git_stat=$(git -C "${cwd}" diff --numstat 2>/dev/null | awk '{a+=$1; d+=$2} END {if (a+d>0) printf "+%d -%d", a, d}')
        [ -n "$git_stat" ] && out+=" ${dim}(${reset}${green}${git_stat%% *}${reset} ${red}${git_stat##* }${reset}${dim})${reset}"
    fi
 fi
 out+=" ${dim}|${reset} "
 out+="${orange}${used_tokens}/${total_tokens}${reset} ${dim}(${reset}${green}${pct_used}%${reset}${dim})${reset}"
 out+=" ${dim}|${reset} "
 out+="effort: "
 case "$effort_level" in
    low)    out+="${dim}${effort_level}${reset}" ;;
    medium) out+="${orange}med${reset}" ;;
    high)   out+="${green}${effort_level}${reset}" ;;
    xhigh)  out+="${purple}${effort_level}${reset}" ;;
    max)    out+="${red}${effort_level}${reset}" ;;
    *)      out+="${green}${effort_level}${reset}" ;;
 esac
 # ===== Cross-platform OAuth token resolution (from statusline.sh) =====
 # Tries credential sources in order: env var → macOS Keychain → Linux creds file → GNOME Keyring
 get_oauth_token() {
    local token=""
    # 1. Explicit env var override
    if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then
        echo "$CLAUDE_CODE_OAUTH_TOKEN"
        return 0
    fi
    # 2. macOS Keychain (Claude Code appends a SHA256 hash of CLAUDE_CONFIG_DIR to the service name)
    if command -v security >/dev/null 2>&1; then
        local keychain_svc="Claude Code-credentials"
        if [ -n "$CLAUDE_CONFIG_DIR" ]; then
            local dir_hash
            dir_hash=$(echo -n "$CLAUDE_CONFIG_DIR" | shasum -a 256 | cut -c1-8)
            keychain_svc="Claude Code-credentials-${dir_hash}"
        fi
        local blob
        blob=$(security find-generic-password -s "$keychain_svc" -w 2>/dev/null)
        if [ -n "$blob" ]; then
            token=$(echo "$blob" | jq -r '.claudeAiOauth.accessToken // empty' 2>/dev/null)
            if [ -n "$token" ] && [ "$token" != "null" ]; then
                echo "$token"
                return 0
            fi
        fi
    fi
    # 3. Linux credentials file
    local creds_file="${claude_config_dir}/.credentials.json"
    if [ -f "$creds_file" ]; then
        token=$(jq -r '.claudeAiOauth.accessToken // empty' "$creds_file" 2>/dev/null)
        if [ -n "$token" ] && [ "$token" != "null" ]; then
            echo "$token"
            return 0
        fi
    fi
    # 4. GNOME Keyring via secret-tool
    if command -v secret-tool >/dev/null 2>&1; then
        local blob
        blob=$(timeout 2 secret-tool lookup service "Claude Code-credentials" 2>/dev/null)
        if [ -n "$blob" ]; then
            token=$(echo "$blob" | jq -r '.claudeAiOauth.accessToken // empty' 2>/dev/null)
            if [ -n "$token" ] && [ "$token" != "null" ]; then
                echo "$token"
                return 0
            fi
        fi
    fi
    echo ""
 }
 # ===== LINE 2 & 3: Usage limits with progress bars =====
 # First, try to use rate_limits data provided directly by Claude Code in the JSON input.
 # This is the most reliable source — no OAuth token or API call required.
 builtin_five_hour_pct=$(echo "$input" | jq -r '.rate_limits.five_hour.used_percentage // empty')
 builtin_five_hour_reset=$(echo "$input" | jq -r '.rate_limits.five_hour.resets_at // empty')
 builtin_seven_day_pct=$(echo "$input" | jq -r '.rate_limits.seven_day.used_percentage // empty')
 builtin_seven_day_reset=$(echo "$input" | jq -r '.rate_limits.seven_day.resets_at // empty')
 use_builtin=false
 if [ -n "$builtin_five_hour_pct" ] || [ -n "$builtin_seven_day_pct" ]; then
    use_builtin=true
 fi
 # Cache setup — shared across all Claude Code instances to avoid rate limits
 claude_config_dir_hash=$(echo -n "$claude_config_dir" | shasum -a 256 2>/dev/null || echo -n "$claude_config_dir" | sha256sum 2>/dev/null)
 claude_config_dir_hash=$(echo "$claude_config_dir_hash" | cut -c1-8)
 cache_file="/tmp/claude/statusline-usage-cache-${claude_config_dir_hash}.json"
 cache_max_age=60  # seconds between API calls
 mkdir -p /tmp/claude
 needs_refresh=true
 usage_data=""
 # Always load cache — used as primary source for API path, and as fallback when builtin reports zero
 if [ -f "$cache_file" ] && [ -s "$cache_file" ]; then
    cache_mtime=$(stat -c %Y "$cache_file" 2>/dev/null || stat -f %m "$cache_file" 2>/dev/null)
    now=$(date +%s)
    cache_age=$(( now - cache_mtime ))
    if [ "$cache_age" -lt "$cache_max_age" ]; then
        needs_refresh=false
    fi
    usage_data=$(cat "$cache_file" 2>/dev/null)
 fi
 # When builtin values are all zero AND reset timestamps are missing, it likely indicates
 # an API failure on Claude's side — fall through to cached data instead of displaying
 # misleading 0%. Genuine zero responses (after a billing reset) still include valid
 # resets_at timestamps, so we trust those.
 effective_builtin=false
 if $use_builtin; then
    # Trust builtin if any percentage is non-zero
    if { [ -n "$builtin_five_hour_pct" ] && [ "$(printf '%.0f' "$builtin_five_hour_pct" 2>/dev/null)" != "0" ]; } || \
       { [ -n "$builtin_seven_day_pct" ] && [ "$(printf '%.0f' "$builtin_seven_day_pct" 2>/dev/null)" != "0" ]; }; then
        effective_builtin=true
    fi
    # Also trust if reset timestamps are present — genuine zero responses include valid reset times
    if ! $effective_builtin; then
        if { [ -n "$builtin_five_hour_reset" ] && [ "$builtin_five_hour_reset" != "null" ] && [ "$builtin_five_hour_reset" != "0" ]; } || \
           { [ -n "$builtin_seven_day_reset" ] && [ "$builtin_seven_day_reset" != "null" ] && [ "$builtin_seven_day_reset" != "0" ]; }; then
            effective_builtin=true
        fi
    fi
 fi
 # Refresh API cache when stale — runs regardless of builtin rate_limits because
 # extra_usage is only exposed through the OAuth usage endpoint (not stdin JSON).
 # Throttled to cache_max_age and stampede-locked via touch for shared panes.
 if $needs_refresh; then
    touch "$cache_file"  # stampede lock: prevent parallel panes from fetching simultaneously
    token=$(get_oauth_token)
    if [ -n "$token" ] && [ "$token" != "null" ]; then
        response=$(curl -s --max-time 10 \
            -H "Accept: application/json" \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer $token" \
            -H "anthropic-beta: oauth-2025-04-20" \
            -H "User-Agent: claude-code/2.1.34" \
            "https://api.anthropic.com/api/oauth/usage" 2>/dev/null)
        # Only cache valid usage responses (not error/rate-limit JSON)
        if [ -n "$response" ] && echo "$response" | jq -e '.five_hour' >/dev/null 2>&1; then
            usage_data="$response"
            echo "$response" > "$cache_file"
        fi
    fi
    # Remove the stampede sentinel if the fetch failed to produce valid JSON —
    # otherwise an empty cache file would suppress retries for a full cache_max_age window.
    [ -f "$cache_file" ] && [ ! -s "$cache_file" ] && rm -f "$cache_file"
 fi
 # Cross-platform ISO to epoch conversion
 # Converts ISO 8601 timestamp (e.g. "2025-06-15T12:30:00Z" or "2025-06-15T12:30:00.123+00:00") to epoch seconds.
 # Properly handles UTC timestamps and converts to local time.
 iso_to_epoch() {
    local iso_str="$1"
    # Try GNU date first (Linux) — handles ISO 8601 format automatically
    local epoch
    epoch=$(date -d "${iso_str}" +%s 2>/dev/null)
    if [ -n "$epoch" ]; then
        echo "$epoch"
        return 0
    fi
    # BSD date (macOS) - handle various ISO 8601 formats
    local stripped="${iso_str%%.*}"          # Remove fractional seconds (.123456)
    stripped="${stripped%%Z}"                 # Remove trailing Z
    stripped="${stripped%%+*}"               # Remove timezone offset (+00:00)
    stripped="${stripped%%-[0-9][0-9]:[0-9][0-9]}"  # Remove negative timezone offset
    # Check if timestamp is UTC (has Z or +00:00 or -00:00)
    if [[ "$iso_str" == *"Z"* ]] || [[ "$iso_str" == *"+00:00"* ]] || [[ "$iso_str" == *"-00:00"* ]]; then
        # For UTC timestamps, parse with timezone set to UTC
        epoch=$(env TZ=UTC date -j -f "%Y-%m-%dT%H:%M:%S" "$stripped" +%s 2>/dev/null)
    else
        epoch=$(date -j -f "%Y-%m-%dT%H:%M:%S" "$stripped" +%s 2>/dev/null)
    fi
    if [ -n "$epoch" ]; then
        echo "$epoch"
        return 0
    fi
    return 1
 }
 # Format ISO reset time to compact local time
 # Usage: format_reset_time <iso_string> <style: time|datetime|date>
 format_reset_time() {
    local iso_str="$1"
    local style="$2"
    { [ -z "$iso_str" ] || [ "$iso_str" = "null" ]; } && return
    # Parse ISO datetime and convert to local time (cross-platform)
    local epoch
    epoch=$(iso_to_epoch "$iso_str")
    [ -z "$epoch" ] && return
    # Format based on style
    # Try GNU date first (Linux), then BSD date (macOS)
    # Previous implementation piped BSD date through sed/tr, which always returned
    # exit code 0 from the last pipe stage, preventing the GNU date fallback from
    # ever executing on Linux.
    local formatted=""
    case "$style" in
        time)
            formatted=$(date -d "@$epoch" +"%H:%M" 2>/dev/null) || \
            formatted=$(date -j -r "$epoch" +"%H:%M" 2>/dev/null)
            ;;
        datetime)
            formatted=$(date -d "@$epoch" +"%a %b %-d, %H:%M" 2>/dev/null) || \
            formatted=$(date -j -r "$epoch" +"%a %b %-d, %H:%M" 2>/dev/null)
            ;;
        *)
            formatted=$(date -d "@$epoch" +"%b %-d" 2>/dev/null) || \
            formatted=$(date -j -r "$epoch" +"%b %-d" 2>/dev/null)
            ;;
    esac
    [ -n "$formatted" ] && echo "$formatted"
 }
 sep=" ${dim}|${reset} "
 # Render extra_usage segment from API usage data (not available via stdin rate_limits).
 # Appends to the global $out. No-op when data is missing or is_enabled is false.
 render_extra_usage() {
    local data="$1"
    [ -z "$data" ] && return
    local enabled
    enabled=$(echo "$data" | jq -r '.extra_usage.is_enabled // false' 2>/dev/null)
    [ "$enabled" != "true" ] && return
    local pct used limit
    pct=$(echo "$data" | jq -r '.extra_usage.utilization // 0' | awk '{printf "%.0f", $1}')
    used=$(echo "$data" | jq -r '.extra_usage.used_credits // 0' | LC_NUMERIC=C awk '{printf "%.2f", $1/100}')
    limit=$(echo "$data" | jq -r '.extra_usage.monthly_limit // 0' | LC_NUMERIC=C awk '{printf "%.2f", $1/100}')
    if [ -n "$used" ] && [ -n "$limit" ] && [[ "$used" != *'$'* ]] && [[ "$limit" != *'$'* ]]; then
        local color
        color=$(usage_color "$pct")
        out+="${sep}${white}extra${reset} ${color}\$${used}/\$${limit}${reset}"
    else
        out+="${sep}${white}extra${reset} ${green}enabled${reset}"
    fi
 }
 if $effective_builtin; then
    # ---- Use rate_limits data provided directly by Claude Code in JSON input ----
    # resets_at values are Unix epoch integers in this source
    if [ -n "$builtin_five_hour_pct" ]; then
        five_hour_pct=$(printf "%.0f" "$builtin_five_hour_pct")
        five_hour_color=$(usage_color "$five_hour_pct")
        out+="${sep}${white}5h${reset} ${five_hour_color}${five_hour_pct}%${reset}"
        if [ -n "$builtin_five_hour_reset" ] && [ "$builtin_five_hour_reset" != "null" ]; then
            five_hour_reset=$(date -j -r "$builtin_five_hour_reset" +"%H:%M" 2>/dev/null || date -d "@$builtin_five_hour_reset" +"%H:%M" 2>/dev/null)
            [ -n "$five_hour_reset" ] && out+=" ${dim}@${five_hour_reset}${reset}"
        fi
    fi
    if [ -n "$builtin_seven_day_pct" ]; then
        seven_day_pct=$(printf "%.0f" "$builtin_seven_day_pct")
        seven_day_color=$(usage_color "$seven_day_pct")
        out+="${sep}${white}7d${reset} ${seven_day_color}${seven_day_pct}%${reset}"
        if [ -n "$builtin_seven_day_reset" ] && [ "$builtin_seven_day_reset" != "null" ]; then
            seven_day_reset=$(date -j -r "$builtin_seven_day_reset" +"%a %b %-d, %H:%M" 2>/dev/null || date -d "@$builtin_seven_day_reset" +"%a %b %-d, %H:%M" 2>/dev/null)
            [ -n "$seven_day_reset" ] && out+=" ${dim}@${seven_day_reset}${reset}"
        fi
    fi
    # Render extra_usage from API cache (stdin rate_limits doesn't expose it)
    render_extra_usage "$usage_data"
    # Cache builtin values so they're available as fallback when API is unavailable.
    # Convert epoch resets_at to ISO 8601 for compatibility with the API-format cache parser.
    # Preserve extra_usage from prior API response so we don't clobber it.
    _fh_reset_json="null"
    if [ -n "$builtin_five_hour_reset" ] && [ "$builtin_five_hour_reset" != "null" ] && [ "$builtin_five_hour_reset" != "0" ]; then
        _fh_iso=$(date -u -r "$builtin_five_hour_reset" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || \
                  date -u -d "@$builtin_five_hour_reset" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null)
        [ -n "$_fh_iso" ] && _fh_reset_json="\"$_fh_iso\""
    fi
    _sd_reset_json="null"
    if [ -n "$builtin_seven_day_reset" ] && [ "$builtin_seven_day_reset" != "null" ] && [ "$builtin_seven_day_reset" != "0" ]; then
        _sd_iso=$(date -u -r "$builtin_seven_day_reset" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || \
                  date -u -d "@$builtin_seven_day_reset" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null)
        [ -n "$_sd_iso" ] && _sd_reset_json="\"$_sd_iso\""
    fi
    _extra_json=$(echo "$usage_data" | jq -c '.extra_usage // null' 2>/dev/null)
    [ -z "$_extra_json" ] && _extra_json="null"
    printf '{"five_hour":{"utilization":%s,"resets_at":%s},"seven_day":{"utilization":%s,"resets_at":%s},"extra_usage":%s}' \
        "${builtin_five_hour_pct:-0}" "$_fh_reset_json" \
        "${builtin_seven_day_pct:-0}" "$_sd_reset_json" \
        "$_extra_json" > "$cache_file" 2>/dev/null
 elif [ -n "$usage_data" ] && echo "$usage_data" | jq -e '.five_hour' >/dev/null 2>&1; then
    # ---- Fall back: API-fetched usage data ----
    # ---- 5-hour (current) ----
    five_hour_pct=$(echo "$usage_data" | jq -r '.five_hour.utilization // 0' | awk '{printf "%.0f", $1}')
    five_hour_reset_iso=$(echo "$usage_data" | jq -r '.five_hour.resets_at // empty')
    five_hour_reset=$(format_reset_time "$five_hour_reset_iso" "time")
    five_hour_color=$(usage_color "$five_hour_pct")
    out+="${sep}${white}5h${reset} ${five_hour_color}${five_hour_pct}%${reset}"
    [ -n "$five_hour_reset" ] && out+=" ${dim}@${five_hour_reset}${reset}"
    # ---- 7-day (weekly) ----
    seven_day_pct=$(echo "$usage_data" | jq -r '.seven_day.utilization // 0' | awk '{printf "%.0f", $1}')
    seven_day_reset_iso=$(echo "$usage_data" | jq -r '.seven_day.resets_at // empty')
    seven_day_reset=$(format_reset_time "$seven_day_reset_iso" "datetime")
    seven_day_color=$(usage_color "$seven_day_pct")
    out+="${sep}${white}7d${reset} ${seven_day_color}${seven_day_pct}%${reset}"
    [ -n "$seven_day_reset" ] && out+=" ${dim}@${seven_day_reset}${reset}"
    render_extra_usage "$usage_data"
 else
    # No valid usage data — show placeholders
    out+="${sep}${white}5h${reset} ${dim}-${reset}"
    out+="${sep}${white}7d${reset} ${dim}-${reset}"
 fi
 # ===== Update check (cached, 24h TTL) =====
 # Set STATUSLINE_CHECK_UPDATES=false to disable the update check (no network calls).
 update_line=""
 if [ "${STATUSLINE_CHECK_UPDATES:-true}" != "false" ]; then
    version_cache_file="/tmp/claude/statusline-version-cache.json"
    version_cache_max_age=86400  # 24 hours
    version_needs_refresh=true
    version_data=""
    if [ -f "$version_cache_file" ]; then
        vc_mtime=$(stat -c %Y "$version_cache_file" 2>/dev/null || stat -f %m "$version_cache_file" 2>/dev/null)
        vc_now=$(date +%s)
        vc_age=$(( vc_now - vc_mtime ))
        if [ "$vc_age" -lt "$version_cache_max_age" ]; then
            version_needs_refresh=false
        fi
        version_data=$(cat "$version_cache_file" 2>/dev/null)
    fi
    if $version_needs_refresh; then
        touch "$version_cache_file" 2>/dev/null
        vc_response=$(curl -s --max-time 5 \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/daniel3303/ClaudeCodeStatusLine/releases/latest" 2>/dev/null)
        if [ -n "$vc_response" ] && echo "$vc_response" | jq -e '.tag_name' >/dev/null 2>&1; then
            version_data="$vc_response"
            echo "$vc_response" > "$version_cache_file"
        elif [ ! -s "$version_cache_file" ]; then
            rm -f "$version_cache_file" 2>/dev/null
        fi
    fi
    if [ -n "$version_data" ]; then
        latest_tag=$(echo "$version_data" | jq -r '.tag_name // empty')
        if [ -n "$latest_tag" ] && version_gt "$latest_tag" "$VERSION"; then
            update_line="\n${dim}Update available: ${latest_tag} → Tell Claude: \"Find my installed status bar and update it\"${reset}"
        fi
    fi
 fi
 # Append CLI version as last segment
 if [ -n "$cli_version" ]; then
    out+=" ${dim}|${reset} ${orange}v${cli_version}${reset}"
 fi
 # Output
 printf "%b" "$out$update_line"
 exit 0
@@ -1,7 +1,8 @@
 { lib, pkgs', pkgs, config, ... }:
 let
-  inherit (lib) genAttrs mkIf mkMerge mkForce mapAttrs mkOptionDefault;
+  inherit (lib) genAttrs mkIf mkMerge mkForce mapAttrs mkOptionDefault mkDefault;
-  inherit (lib.my) mkBoolOpt';
+  inherit (lib.my) mkOpt' mkBoolOpt';
  inherit (lib.my.c) pubDomain;
  cfg = config.my.gui;
@@ -15,24 +16,42 @@ let
    url = "https://distro.ibiblio.org/slitaz/sources/packages/d/doom1.wad";
    hash = "sha256-HX1DvlAeZ9kn5BXguPPinDvzMHXoWXIYFvZSpSbKx3E=";
  };
  subwaySurfers = pkgs.fetchurl {
    url = "https://p.${pubDomain}/video/subway-surfers-smol.mkv";
    hash = "sha256-fMe7TDRNTymRHIJOi7qG3trzu4GP8a3gCDz+FMkX1dY=";
  };
  minecraftParkour = pkgs.fetchurl {
    url = "https://p.${pubDomain}/video/minecraft-parkour-smol.mkv";
    hash = "sha256-723pRm4AsIjY/WFUyAHzTJp+JvH4Pn5hvzF9wHTnOPA=";
  };
-  doomsaver = pkgs.runCommand "doomsaver" {
+  genLipsum = pkgs.writeScript "lipsum" ''
-    inherit (pkgs) windowtolayer;
+    #!${pkgs.python3.withPackages (ps: [ ps.python-lorem ])}/bin/python
    import lorem
    print(lorem.get_paragraph(count=5, sep='\n\n'))
  '';
  doomsaver' = brainrotTextCommand: pkgs.runCommand "doomsaver" {
    inherit (pkgs) windowtolayer tmux terminaltexteffects;
    chocoDoom = pkgs.chocolate-doom2xx;
    ffmpeg = pkgs.ffmpeg-full;
    python = pkgs.python3.withPackages (ps: [ ps.filelock ]);
    inherit doomWad;
    enojy = ./enojy.jpg;
    inherit brainrotTextCommand subwaySurfers minecraftParkour;
  } ''
    mkdir -p "$out"/bin
    substituteAll ${./screensaver.py} "$out"/bin/doomsaver
    chmod +x "$out"/bin/doomsaver
  '';
  doomsaver = doomsaver' cfg.screensaver.brainrotTextCommand;
 in
 {
-  options.my.gui = {
+  options.my.gui = with lib.types; {
    enable = mkBoolOpt' true "Enable settings and packages meant for graphical systems";
    manageGraphical = mkBoolOpt' false "Configure the graphical session";
    standalone = mkBoolOpt' false "Enable settings for fully Nix managed systems";
    screensaver.brainrotTextCommand = mkOpt' (either path str) genLipsum "Command to generate brainrot text.";
  };
  config = mkIf cfg.enable (mkMerge [
@@ -44,7 +63,7 @@ in
            font.package
            nerd-fonts.sauce-code-pro
            nerd-fonts.droid-sans-mono
-            noto-fonts-emoji
+            noto-fonts-color-emoji
            grim
            slurp
@@ -60,10 +79,11 @@ in
            jp2a
            terminaltexteffects
            screenfetch
-            neofetch
+            fastfetch
            cmatrix
            doomsaver
            ffmpeg-full
            xournalpp
          ];
        };
@@ -102,12 +122,6 @@ in
            };
          };
          termite = {
            enable = true;
            font = "${font.name} ${toString font.size}";
            backgroundColor = "rgba(0, 0, 0, 0.8)";
          };
          foot = {
            enable = true;
            settings = {
@@ -141,6 +155,19 @@ in
              };
            };
          };
          claude-code = {
            enable = true;
            settings = {
              model = "opus";
              theme = "auto";
              statusLine = {
                type = "command";
                command = ./claude-statusline.sh;
                padding = 0;
              };
            };
          };
        };
      }
@@ -367,6 +394,10 @@ in
            name = "Numix";
            package = pkgs.numix-gtk-theme;
          };
          gtk4.theme = {
            name = "Numix";
            package = pkgs.numix-gtk-theme;
          };
          iconTheme = {
            name = "Numix";
            package = pkgs.numix-icon-theme;
@@ -395,29 +426,53 @@ in
              device_type = "computer";
            };
          };
          easyeffects = {
            enable = mkDefault false;
            preset = mkDefault "moar-bass";
            extraPresets = {
              moar-bass = {
                output = {
                  "bass_enhancer#0" = {
                    amount = 3;
                    blend = 0;
                    bypass = false;
                    floor = 20;
                    floor-active = false;
                    harmonics = 8.5;
                    input-gain = 0;
                    output-gain = 0;
                    scope = 100;
                  };
                  blocklist = [ ];
                  plugins_order = [ "bass_enhancer#0" ];
                };
              };
            };
          };
        };
        programs = {
          git = {
            enable = true;
-            diff-so-fancy.enable = true;
+            settings = {
-            userEmail = "jackos1998@gmail.com";
+              user = {
-            userName = "Jack O'Sullivan";
+                email = "jackos1998@gmail.com";
-            lfs.enable = true;
+                name = "Jack O'Sullivan";
-            extraConfig = {
+              };
              pull.rebase = true;
            };
            lfs.enable = true;
          };
          diff-so-fancy.enable = true;
          waybar = import ./waybar.nix { inherit lib pkgs config font; };
          rofi = {
            package = pkgs.rofi-wayland;
            enable = true;
            font = "${font.name} ${toString font.size}";
-            plugins = with pkgs; (map (p: p.override { rofi-unwrapped = rofi-wayland-unwrapped; }) [
+            plugins = with pkgs; [
              rofi-calc
-            ]) ++ [
+              rofi-emoji
              rofi-emoji-wayland
            ];
            extraConfig = {
              modes = "window,run,ssh,filebrowser,calc,emoji";
@@ -474,6 +529,7 @@ in
          userDirs = {
            enable = true;
            createDirectories = true;
            setSessionVariables = true;
            desktop = "$HOME/desktop";
            documents = "$HOME/documents";
            download = "$HOME/downloads";
@@ -73,7 +73,7 @@ class TTESaver(Screensaver):
    def wait(self):
        while self.running:
-            effect_cmd = ['tte', random.choice(self.effects)]
+            effect_cmd = ['@terminaltexteffects@/bin/tte', random.choice(self.effects)]
            print(f"$ {self.cmd} | {' '.join(effect_cmd)}")
            content = subprocess.check_output(self.cmd, shell=True, env=self.env, stderr=subprocess.DEVNULL)
@@ -86,6 +86,51 @@ class TTESaver(Screensaver):
        self.running = False
        self.proc.terminate()
 class FFmpegCACASaver(Screensaver):
    @staticmethod
    def command(video, size):
        return ['@ffmpeg@/bin/ffmpeg', '-hide_banner', '-loglevel', 'error',
                '-stream_loop', '-1', '-i', video,
                '-pix_fmt', 'rgb24', '-window_size', f'{size}x{size}',
                '-f', 'caca', '-']
    def __init__(self, video, weight=2):
        cols, lines = os.get_terminal_size()
        # IDK if it's reasonable to do this as "1:1"
        size = lines - 4
        super().__init__(
            self.command(video, size),
            env={'CACA_DRIVER': 'ncurses'},
            weight=weight,
        )
    def stop(self):
        super().stop(kill=True)
 class BrainrotStorySaver(Screensaver):
    def __init__(self, video, text_command, weight=2):
        cols, lines = os.get_terminal_size()
        video_size = lines - 1
        video_command = ' '.join(FFmpegCACASaver.command(video, video_size))
        text_command = (
            f'while true; do {text_command} | '
            f'@terminaltexteffects@/bin/tte --wrap-text --canvas-width=80 --canvas-height={video_size//2} --anchor-canvas=c '
            'print --final-gradient-stops=ffffff; clear; done' )
        self.tmux_session = f'screensaver-{os.urandom(4).hex()}'
        super().__init__(
            ['@tmux@/bin/tmux', 'new-session', '-s', self.tmux_session, '-n', 'brainrot',
             text_command, ';', 'split-window', '-hbl', str(lines), video_command],
            # ['sh', '-c', text_command],
            env={
                'CACA_DRIVER': 'ncurses',
                'SHELL': '/bin/sh',
            },
            weight=weight,
        )
    def stop(self):
        subprocess.check_call(['@tmux@/bin/tmux', 'kill-session', '-t', self.tmux_session])
 class MultiSaver:
    savers = [
        DoomSaver(0),
@@ -100,6 +145,9 @@ class MultiSaver:
        TTESaver('ss -nltu'),
        TTESaver('ss -ntu'),
        TTESaver('jp2a --width=100 @enojy@'),
        BrainrotStorySaver('@subwaySurfers@', '@brainrotTextCommand@'),
        BrainrotStorySaver('@minecraftParkour@', '@brainrotTextCommand@'),
    ]
    state_filename = 'screensaver.json'
@@ -13,6 +13,7 @@ rec {
      kea = 404;
      keepalived_script = 405;
      photoprism = 406;
      copyparty = 408;
    };
    gids = {
      matrix-syncv3 = 400;
@@ -22,12 +23,14 @@ rec {
      kea = 404;
      keepalived_script = 405;
      photoprism = 406;
      adbusers = 407;
      copyparty = 408;
    };
  };
  kernel = {
-    lts = pkgs: pkgs.linuxKernel.packages.linux_6_6;
+    lts = pkgs: pkgs.linuxKernel.packages.linux_6_18;
-    latest = pkgs: pkgs.linuxKernel.packages.linux_6_12;
+    latest = pkgs: pkgs.linuxKernel.packages.linux_7_0;
  };
  nginx = rec {
@@ -139,6 +142,16 @@ rec {
        v4 = subnet 8 4 all.v4;
      };
      p2pTunnels = {
        v4 = subnet 8 5 all.v4;
      };
      hillcrest = {
        v4 = subnet 6 0 p2pTunnels.v4;
      };
      john-valorant = {
        v4 = subnet 6 1 p2pTunnels.v4;
      };
      cust = {
        v4 = subnet 8 100 all.v4; # single ip for routing only
        v6 = "2a0e:97c0:4d2:2000::/56";
@@ -199,10 +212,28 @@ rec {
        port = 25566;
        dst = aa.simpcraft-staging-oci.internal.ipv4.address;
      }
      {
        port = 25567;
        dst = aa.kevcraft-oci.internal.ipv4.address;
      }
      {
        port = 25568;
        dst = aa.kinkcraft-oci.internal.ipv4.address;
      }
      {
        port = 25569;
        dst = aa.graeme-oci.internal.ipv4.address;
      }
      # RCON... unsafe?
      # {
      #   port = 25575;
      #   dst = aa.simpcraft-oci.internal.ipv4.address;
      # }
      {
-        port = 25575;
+        port = 7777;
-        dst = aa.simpcraft-oci.internal.ipv4.address;
+        dst = aa.gam.internal.ipv4.address;
      }
      {
@@ -227,6 +258,21 @@ rec {
        dst = aa.simpcraft-oci.internal.ipv4.address;
        proto = "udp";
      }
      {
        port = 25567;
        dst = aa.kevcraft-oci.internal.ipv4.address;
        proto = "udp";
      }
      {
        port = 25568;
        dst = aa.kinkcraft-oci.internal.ipv4.address;
        proto = "udp";
      }
      {
        port = 25569;
        dst = aa.graeme-oci.internal.ipv4.address;
        proto = "udp";
      }
      {
        port = 15636;
@@ -244,6 +290,12 @@ rec {
        dst = aa.qclk.internal.ipv4.address;
        proto = "udp";
      }
      {
        port = 7777;
        dst = aa.gam.internal.ipv4.address;
        proto = "udp";
      }
    ];
    fstrimConfig = {
@@ -267,8 +319,8 @@ rec {
      "stream"
    ];
    routersPubV4 = [
-      "109.255.31.155"
+      "109.255.108.88"
-      "109.255.252.63"
+      "109.255.108.121"
    ];
    prefixes = with lib.my.net.cidr; rec {
@@ -334,6 +386,20 @@ rec {
    assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06";
  };
  britnet = {
    domain = "bhx1.int.${pubDomain}";
    pubV4 = "77.74.199.67";
    vpn = {
      port = 51820;
    };
    prefixes = with lib.my.net.cidr; rec {
      vpn = {
        v4 = "10.200.0.0/24";
        v6 = "fdfb:5ebf:6e84::/64";
      };
    };
  };
  tailscale = {
    prefix = {
      v4 = "100.64.0.0/10";
@@ -378,6 +444,15 @@ rec {
      ctrs.v4 = subnet 4 0 all.v4;
    };
  };
  hillcrest = {
    vpn.port = 51822;
  };
  john-valorant = {
    vpn.port = 51823;
  };
  sshKeyFiles = {
    me = ../.keys/me.pub;
    deploy = ../.keys/deploy.pub;
@@ -1,11 +1,11 @@
-{ lib }:
+{ inputs, lib }:
 let
  inherit (builtins) length match elemAt filter replaceStrings substring;
  inherit (lib)
    genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types
    mkOption mkOverride mkForce mkIf mergeEqualOption optional
    showWarnings concatStringsSep flatten unique optionalAttrs
-    mkBefore toLower;
+    mkBefore toLower splitString last;
  inherit (lib.flake) defaultSystems;
 in
 rec {
@@ -23,7 +23,7 @@ rec {
  attrsToNVList = mapAttrsToList nameValuePair;
-  inherit (import ./net.nix { inherit lib; }) net;
+  inherit ((import "${inputs.libnetRepo}/lib/netu.nix" { inherit lib; }).lib) net;
  dns = import ./dns.nix { inherit lib; };
  c = import ./constants.nix { inherit lib; };
@@ -53,7 +53,7 @@ rec {
    in mkApp "${app}/bin/${app.meta.mainProgram}";
  flakePackageOverlay' = flake: pkg: system: (final: prev:
    let
-      pkg' = if pkg != null then flake.packages.${system}.${pkg} else flake.defaultPackage.${system};
+      pkg' = if pkg != null then flake.packages.${system}.${pkg} else flake.packages.${system}.default;
      name = if pkg != null then pkg else pkg'.name;
    in
    {
@@ -248,12 +248,13 @@ rec {
  in
  {
    trivial = prev.trivial // {
-      release = "24.12:u-${prev.trivial.release}";
+      release = "26.06:u-${prev.trivial.release}";
-      codeName = "Epic";
+      codeName = "Irritating";
      revisionWithDefault = default: self.rev or default;
      versionSuffix = ".${date}.${revCode self}:u-${revCode pkgsFlake}";
    };
  };
  upstreamRelease = last (splitString "-" lib.trivial.release);
  netbootKeaClientClasses = { tftpIP, hostname, systems }:
  let
@@ -0,0 +1,191 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britnet) domain pubV4 prefixes;
 in
 {
  nixos.systems.britnet = {
    system = "x86_64-linux";
    nixpkgs = "mine";
    assignments = {
      allhost = {
        inherit domain;
        ipv4 = {
          address = pubV4;
          mask = 24;
          gateway = "77.74.199.1";
        };
        ipv6 = {
          address = "2a12:ab46:5344:99::a";
          gateway = "2a12:ab46:5344::1";
        };
      };
      vpn = {
        ipv4 = {
          address = net.cidr.host 1 prefixes.vpn.v4;
          gateway = null;
        };
        ipv6.address = net.cidr.host 1 prefixes.vpn.v6;
      };
    };
    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
      let
        inherit (lib) mkMerge mkForce;
        inherit (lib.my) networkdAssignment;
      in
      {
        imports = [
          "${modulesPath}/profiles/qemu-guest.nix"
        ];
        config = mkMerge [
          {
            boot = {
              initrd.availableKernelModules = [
                "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sr_mod" "virtio_blk"
              ];
              loader = {
                systemd-boot.enable = false;
                grub = {
                  enable = true;
                  device = "/dev/vda";
                };
              };
            };
            fileSystems = {
              "/boot" = {
                device = "/dev/disk/by-uuid/457444a1-81dd-4934-960c-650ad16c92b5";
                fsType = "ext4";
              };
              "/nix" = {
                device = "/dev/disk/by-uuid/992c0c79-5be6-45b6-bc30-dc82e3ec082a";
                fsType = "ext4";
              };
              "/persist" = {
                device = "/dev/disk/by-uuid/f020a955-54d5-4098-98ba-d3615781d96a";
                fsType = "ext4";
                neededForBoot = true;
              };
            };
            environment = {
              systemPackages = with pkgs; [
                wireguard-tools
              ];
            };
            services = {
              iperf3 = {
                enable = true;
                openFirewall = true;
              };
              tailscale = {
                enable = true;
                authKeyFile = config.age.secrets."tailscale-auth.key".path;
                openFirewall = true;
                interfaceName = "tailscale0";
                extraUpFlags = [
                  "--operator=${config.my.user.config.name}"
                  "--login-server=https://hs.nul.ie"
                  "--netfilter-mode=off"
                  "--advertise-exit-node"
                  "--accept-routes=false"
                ];
              };
            };
            networking = { inherit domain; };
            systemd.network = {
              netdevs = {
                "30-wg0" = {
                  netdevConfig = {
                    Name = "wg0";
                    Kind = "wireguard";
                  };
                  wireguardConfig = {
                    PrivateKeyFile = config.age.secrets."britnet/wg.key".path;
                    ListenPort = lib.my.c.britnet.vpn.port;
                  };
                  wireguardPeers = [
                    {
                      PublicKey = "EfPwREfZ/q3ogHXBIqFZh4k/1NRJRyq4gBkBXtegNkE=";
                      AllowedIPs = [
                        (net.cidr.host 10 prefixes.vpn.v4)
                        (net.cidr.host 10 prefixes.vpn.v6)
                      ];
                    }
                  ];
                };
              };
              links = {
                "10-veth0" = {
                  matchConfig.PermanentMACAddress = "00:db:d9:62:68:1a";
                  linkConfig.Name = "veth0";
                };
              };
              networks = {
                "20-veth0" = mkMerge [
                  (networkdAssignment "veth0" assignments.allhost)
                  {
                    dns = [ "1.1.1.1" "1.0.0.1" ];
                    routes = [
                      {
                        # Gateway is on a different network for some reason...
                        Destination = "2a12:ab46:5344::1";
                        Scope = "link";
                      }
                    ];
                  }
                ];
                "30-wg0" = mkMerge [
                  (networkdAssignment "wg0" assignments.vpn)
                  {
                    networkConfig.IPv6AcceptRA = mkForce false;
                  }
                ];
              };
            };
            my = {
              server.enable = true;
              secrets = {
                key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJIEx+1EC/lN6WKIaOB+O5LJgVHRK962YpZEPQg/m78O";
                files = {
                  "tailscale-auth.key" = {};
                  "britnet/wg.key" = {
                    owner = "systemd-network";
                  };
                };
              };
              firewall = {
                udp.allowed = [ lib.my.c.britnet.vpn.port ];
                trustedInterfaces = [ "tailscale0" ];
                extraRules = ''
                  table inet filter {
                    chain forward {
                      iifname wg0 oifname veth0 accept
                    }
                  }
                  table inet nat {
                    chain postrouting {
                      iifname { tailscale0, wg0 } oifname veth0 snat ip to ${assignments.allhost.ipv4.address}
                      iifname { tailscale0, wg0 } oifname veth0 snat ip6 to ${assignments.allhost.ipv6.address}
                    }
                  }
                '';
              };
            };
          }
        ];
      };
  };
 }
@@ -11,23 +11,24 @@ in
  config = {
    my = {
      secrets.files."britway/bgp-password-vultr.conf" = {
-        owner = "bird2";
+        owner = "bird";
-        group = "bird2";
+        group = "bird";
      };
    };
    environment.etc."bird/vultr-password.conf".source = config.age.secrets."britway/bgp-password-vultr.conf".path;
    systemd = {
-      services.bird2.after = [ "systemd-networkd-wait-online@veth0.service" ];
+      services.bird.after = [ "systemd-networkd-wait-online@veth0.service" ];
      network = {
        config.networkConfig.ManageForeignRoutes = false;
      };
    };
    services = {
-      bird2 = {
+      bird = {
        enable = true;
        package = pkgs.bird2;
        preCheckConfig = ''
          echo '"dummy"' > vultr-password.conf
        '';
@@ -9,11 +9,6 @@ in
  config = {
    my = {
      secrets.files = {
        "dhparams.pem" = {
          owner = "acme";
          group = "acme";
          mode = "440";
        };
        "britway/cloudflare-credentials.conf" = {
          owner = "acme";
          group = "acme";
@@ -45,7 +40,7 @@ in
            "*.${pubDomain}"
          ];
          dnsProvider = "cloudflare";
-          credentialsFile = config.age.secrets."britway/cloudflare-credentials.conf".path;
+          environmentFile = config.age.secrets."britway/cloudflare-credentials.conf".path;
        };
      };
    };
@@ -58,7 +53,6 @@ in
        logError = "stderr info";
        recommendedTlsSettings = true;
        serverTokens = true;
        sslDhparam = config.age.secrets."dhparams.pem".path;
        # Based on recommended*Settings, but probably better to be explicit about these
        appendHttpConfig = ''
@@ -4,22 +4,6 @@ let
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britway) prefixes domain;
  # Can't use overrideAttrs because we need to override `vendorHash` within `buildGoModule`
  headscale' = (pkgs.headscale.override {
    buildGoModule = args: pkgs.buildGoModule (args // rec {
      version = "0.23.0-alpha12";
      src = pkgs.fetchFromGitHub {
        owner = "juanfont";
        repo = "headscale";
        rev = "v${version}";
        hash = "sha256-kZZK0cXnFARxblSMz01TDcBbTorkHGAwGpR+a4/mYfU=";
      };
      patches = [];
      vendorHash = "sha256-EorT2AVwA3usly/LcNor6r5UIhLCdj3L4O4ilgTIC2o=";
      doCheck = false;
    });
  });
  advRoutes = concatStringsSep "," [
    lib.my.c.home.prefixes.all.v4
    lib.my.c.home.prefixes.all.v6
@@ -52,6 +36,7 @@ in
          noise.private_key_path = "/var/lib/headscale/noise_private.key";
          prefixes = with lib.my.c.tailscale.prefix; { inherit v4 v6; };
          dns = {
            override_local_dns = false;
            # Use IPs that will route inside the VPN to prevent interception
            # (e.g. DNS rebinding filtering)
            nameservers.split = {
@@ -8,8 +8,9 @@ in
 {
  config = {
    services = {
-      bird2 = {
+      bird = {
        enable = true;
        package = pkgs.bird2;
        # TODO: Clean up and modularise
        config = ''
          define OWNAS = 211024;
@@ -232,59 +233,88 @@ in
            neighbor 2a07:cd40:1::9 as 202413;
          }
-          protocol bgp ixp4_frysix_rs1 from ixp_bgp4 {
+          protocol bgp ixp4_frysix_rs3 from ixp_bgp4 {
-            description "Frys-IX route server 1 (IPv4)";
+            description "Frys-IX route server 3 (IPv4)";
-            neighbor 185.1.203.253 as 56393;
+            neighbor 185.1.160.255 as 56393;
          }
-          protocol bgp ixp6_frysix_rs1 from ixp_bgp6 {
+          protocol bgp ixp6_frysix_rs3 from ixp_bgp6 {
-            description "Frys-IX route server 1 (IPv6)";
+            description "Frys-IX route server 3 (IPv6)";
-            neighbor 2001:7f8:10f::dc49:253 as 56393;
+            neighbor 2001:7f8:10f::dc49:1 as 56393;
          }
-          protocol bgp ixp4_frysix_rs2 from ixp_bgp4 {
+          protocol bgp ixp4_frysix_rs4 from ixp_bgp4 {
-            description "Frys-IX route server 2 (IPv4)";
+            description "Frys-IX route server 4 (IPv4)";
-            neighbor 185.1.203.254 as 56393;
+            neighbor 185.1.161.0 as 56393;
          }
-          protocol bgp ixp6_frysix_rs2 from ixp_bgp6 {
+          protocol bgp ixp6_frysix_rs4 from ixp_bgp6 {
-            description "Frys-IX route server 2 (IPv6)";
+            description "Frys-IX route server 4 (IPv6)";
-            neighbor 2001:7f8:10f::dc49:254 as 56393;
+            neighbor 2001:7f8:10f::dc49:2 as 56393;
          }
          protocol bgp peer4_frysix_luje from peer_bgp4 {
            description "LUJE.net (on Frys-IX, IPv4)";
-            neighbor 185.1.203.152 as 212855;
+            neighbor 185.1.160.152 as 212855;
          }
          protocol bgp peer6_frysix_luje from peer_bgp6 {
            description "LUJE.net (on Frys-IX, IPv6)";
            neighbor 2001:7f8:10f::3:3f95:152 as 212855;
          }
          protocol bgp peer4_frysix_he from peer_bgp4 {
            description "Hurricane Electric (on Frys-IX, IPv4)";
-            neighbor 185.1.203.154 as 6939;
+            neighbor 185.1.160.154 as 6939;
          }
-          protocol bgp peer4_frysix_cloudflare from peer_bgp4 {
+
-            description "Cloudflare (on Frys-IX, IPv4)";
+          protocol bgp peer4_frysix_cloudflare1 from peer_bgp4 {
-            neighbor 185.1.203.217 as 13335;
+            description "Cloudflare 1 (on Frys-IX, IPv4)";
            neighbor 185.1.160.217 as 13335;
          }
-          protocol bgp peer6_frysix_cloudflare from peer_bgp6 {
+          protocol bgp peer4_frysix_cloudflare2 from peer_bgp4 {
-            description "Cloudflare (on Frys-IX, IPv6)";
+            description "Cloudflare 2 (on Frys-IX, IPv4)";
            neighbor 185.1.160.109 as 13335;
          }
          protocol bgp peer6_frysix_cloudflare1 from peer_bgp6 {
            description "Cloudflare 1 (on Frys-IX, IPv6)";
            neighbor 2001:7f8:10f::3417:217 as 13335;
          }
          protocol bgp peer6_frysix_cloudflare2 from peer_bgp6 {
            description "Cloudflare 2 (on Frys-IX, IPv6)";
            neighbor 2001:7f8:10f::3417:109 as 13335;
          }
          protocol bgp peer4_frysix_jurrian from peer_bgp4 {
            description "AS212635 aka jurrian (on Frys-IX, IPv4)";
-            neighbor 185.1.203.134 as 212635;
+            neighbor 185.1.160.134 as 212635;
          }
          protocol bgp peer6_frysix_jurrian from peer_bgp6 {
            description "AS212635 aka jurrian (on Frys-IX, IPv6)";
            neighbor 2001:7f8:10f::3:3e9b:134 as 212635;
          }
          protocol bgp peer4_nlix_meta1 from peer_bgp4 {
            description "Meta 1 (on NL-ix, IPv4)";
            neighbor 193.239.116.147 as 32934;
          }
          protocol bgp peer4_nlix_meta2 from peer_bgp4 {
            description "Meta 2 (on NL-ix, IPv4)";
            neighbor 193.239.116.148 as 32934;
          }
          protocol bgp peer6_nlix_meta1 from peer_bgp6 {
            description "Meta 1 (on NL-ix, IPv6)";
            neighbor 2001:7f8:13::a503:2934:1 as 32934;
          }
          protocol bgp peer6_nlix_meta2 from peer_bgp6 {
            description "Meta 2 (on NL-ix, IPv6)";
            neighbor 2001:7f8:13::a503:2934:2 as 32934;
          }
          protocol bgp peer4_frysix_meta1 from peer_bgp4 {
            description "Meta 1 (on Frys-IX, IPv4)";
-            neighbor 185.1.203.225 as 32934;
+            neighbor 185.1.160.225 as 32934;
          }
          protocol bgp peer4_frysix_meta2 from peer_bgp4 {
            description "Meta 2 (on Frys-IX, IPv4)";
-            neighbor 185.1.203.226 as 32934;
+            neighbor 185.1.160.226 as 32934;
          }
          protocol bgp peer6_frysix_meta1 from peer_bgp6 {
            description "Meta 1 (on Frys-IX, IPv6)";
@@ -317,36 +347,36 @@ in
            ipv6 { preference (PREFIXP-1); };
          }
-          protocol bgp peer4_nlix_cloudflare1 from peer_bgp4 {
+          # protocol bgp peer4_nlix_cloudflare1 from peer_bgp4 {
-            description "Cloudflare NL-ix 1 (IPv4)";
+          #   description "Cloudflare NL-ix 1 (IPv4)";
-            neighbor 193.239.117.14 as 13335;
+          #   neighbor 193.239.117.14 as 13335;
-            ipv4 { preference (PREFPEER-1); };
+          #   ipv4 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer4_nlix_cloudflare2 from peer_bgp4 {
+          # protocol bgp peer4_nlix_cloudflare2 from peer_bgp4 {
-            description "Cloudflare NL-ix 2 (IPv4)";
+          #   description "Cloudflare NL-ix 2 (IPv4)";
-            neighbor 193.239.117.114 as 13335;
+          #   neighbor 193.239.117.114 as 13335;
-            ipv4 { preference (PREFPEER-1); };
+          #   ipv4 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer4_nlix_cloudflare3 from peer_bgp4 {
+          # protocol bgp peer4_nlix_cloudflare3 from peer_bgp4 {
-            description "Cloudflare NL-ix 3 (IPv4)";
+          #   description "Cloudflare NL-ix 3 (IPv4)";
-            neighbor 193.239.118.138 as 13335;
+          #   neighbor 193.239.118.138 as 13335;
-            ipv4 { preference (PREFPEER-1); };
+          #   ipv4 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
+          # protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
-            description "Cloudflare NL-ix 1 (IPv6)";
+          #   description "Cloudflare NL-ix 1 (IPv6)";
-            neighbor 2001:7f8:13::a501:3335:1 as 13335;
+          #   neighbor 2001:7f8:13::a501:3335:1 as 13335;
-            ipv6 { preference (PREFPEER-1); };
+          #   ipv6 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
+          # protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
-            description "Cloudflare NL-ix 2 (IPv6)";
+          #   description "Cloudflare NL-ix 2 (IPv6)";
-            neighbor 2001:7f8:13::a501:3335:2 as 13335;
+          #   neighbor 2001:7f8:13::a501:3335:2 as 13335;
-            ipv6 { preference (PREFPEER-1); };
+          #   ipv6 { preference (PREFPEER-1); };
-          }
+          # }
-          protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
+          # protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
-            description "Cloudflare NL-ix 3 (IPv6)";
+          #   description "Cloudflare NL-ix 3 (IPv6)";
-            neighbor 2001:7f8:13::a501:3335:3 as 13335;
+          #   neighbor 2001:7f8:13::a501:3335:3 as 13335;
-            ipv6 { preference (PREFPEER-1); };
+          #   ipv6 { preference (PREFPEER-1); };
-          }
+          # }
          protocol bgp peer4_nlix_jurrian from peer_bgp4 {
            description "AS212635 aka jurrian (on NL-ix, IPv4)";
            neighbor 193.239.117.55 as 212635;
@@ -104,11 +104,9 @@ in
              lvm = {
                dmeventd.enable = true;
              };
-              resolved = {
+              resolved.settings.Resolve = {
-                llmnr = "false";
+                LLMNR = false;
-                extraConfig = ''
+                MulticastDNS = false;
                  MulticastDNS=false
                '';
              };
              netdata.enable = true;
@@ -171,6 +169,44 @@ in
                    ];
                  };
                }
                {
                  "30-hillcrest" = {
                    netdevConfig = {
                      Name = "hillcrest";
                      Kind = "wireguard";
                    };
                    wireguardConfig = {
                      PrivateKeyFile = config.age.secrets."estuary/hillcrest-wg.key".path;
                      ListenPort = lib.my.c.hillcrest.vpn.port;
                    };
                    wireguardPeers = [
                      {
                        PublicKey = "+67Ks+ZRk1ssNCfg5BFKmIE9NtLasAxRE6XMqufx5GY=";
                        AllowedIPs = [ (net.cidr.host 2 prefixes.hillcrest.v4) ];
                        PersistentKeepalive = 25;
                      }
                    ];
                  };
                }
                {
                  "30-john-valorant" = {
                    netdevConfig = {
                      Name = "john-valorant";
                      Kind = "wireguard";
                    };
                    wireguardConfig = {
                      PrivateKeyFile = config.age.secrets."estuary/john-valorant-wg.key".path;
                      ListenPort = lib.my.c.john-valorant.vpn.port;
                    };
                    wireguardPeers = [
                      {
                        PublicKey = "xyqKF0yOAv1bObN1paL2vATFh77pdFfvN+JmuAxaTCk=";
                        AllowedIPs = [ (net.cidr.host 2 prefixes.john-valorant.v4) ];
                        PersistentKeepalive = 25;
                      }
                    ];
                  };
                }
              ];
              links = {
@@ -218,7 +254,7 @@ in
              in
              mkMerge
              [
-                (mkIXPConfig "frys-ix" "185.1.203.196/24" "2001:7f8:10f::3:3850:196/64")
+                (mkIXPConfig "frys-ix" "185.1.160.196/23" "2001:7f8:10f::3:3850:196/64")
                (mkIXPConfig "nl-ix" "193.239.116.145/22" "2001:7f8:13::a521:1024:1/64")
                (mkIXPConfig "fogixp" "185.1.147.159/24" "2001:7f8:ca:1::159/64")
              {
@@ -346,6 +382,26 @@ in
                    }
                  ];
                };
                "95-hillcrest" = {
                  matchConfig.Name = "hillcrest";
                  address = [ "${net.cidr.host 1 prefixes.hillcrest.v4}/32" ];
                  routes = [
                    {
                      Destination = net.cidr.host 2 prefixes.hillcrest.v4;
                      Scope = "link";
                    }
                  ];
                };
                "95-john-valorant" = {
                  matchConfig.Name = "john-valorant";
                  address = [ "${net.cidr.host 1 prefixes.john-valorant.v4}/32" ];
                  routes = [
                    {
                      Destination = net.cidr.host 2 prefixes.john-valorant.v4;
                      Scope = "link";
                    }
                  ];
                };
              } ];
            };
@@ -356,6 +412,12 @@ in
                  "estuary/kelder-wg.key" = {
                    owner = "systemd-network";
                  };
                  "estuary/hillcrest-wg.key" = {
                    owner = "systemd-network";
                  };
                  "estuary/john-valorant-wg.key" = {
                    owner = "systemd-network";
                  };
                  "l2mesh/as211024.key" = {};
                };
              };
@@ -367,7 +429,13 @@ in
                };
              };
              firewall = {
-                udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
+                udp.allowed = [
                  5353
                  lib.my.c.kelder.vpn.port
                  lib.my.c.hillcrest.vpn.port
                  lib.my.c.john-valorant.vpn.port
                ];
                tcp.allowed = [ 5353 "bgp" ];
                nat = {
                  enable = true;
@@ -399,8 +467,12 @@ in
                      ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept
                      ${matchInet "tcp dport { http, https } accept" "git"}
-                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport { 25565, 25575 } accept
+                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport 25565 accept
                      ip6 daddr ${aa.simpcraft-staging-oci.internal.ipv6.address} tcp dport 25565 accept
                      ip6 daddr ${aa.kevcraft-oci.internal.ipv6.address} tcp dport 25567 accept
                      ip6 daddr ${aa.kinkcraft-oci.internal.ipv6.address} tcp dport 25568 accept
                      ip6 daddr ${aa.graeme-oci.internal.ipv6.address} tcp dport 25569 accept
                      ip6 daddr ${aa.gam.internal.ipv6.address} tcp dport 7777 accept
                      return
                    }
                    chain routing-udp {
@@ -408,6 +480,10 @@ in
                      ip6 daddr ${aa.waffletail.internal.ipv6.address} udp dport 41641 accept
                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} udp dport 25565 accept
                      ip6 daddr ${aa.enshrouded-oci.internal.ipv6.address} udp dport { 15636-15637 } accept
                      ip6 daddr ${aa.kevcraft-oci.internal.ipv6.address} udp dport 25567 accept
                      ip6 daddr ${aa.kinkcraft-oci.internal.ipv6.address} udp dport 25568 accept
                      ip6 daddr ${aa.graeme-oci.internal.ipv6.address} udp dport 25569 accept
                      ip6 daddr ${aa.gam.internal.ipv6.address} udp dport 7777 accept
                      return
                    }
                    chain filter-routing {
@@ -428,7 +504,7 @@ in
                      iifname { wan, as211024, $ixps } oifname base jump filter-routing
                      oifname $ixps jump ixp
                      iifname base oifname { base, wan, $ixps } accept
-                      oifname { as211024, kelder } accept
+                      oifname { as211024, kelder, hillcrest, john-valorant } accept
                    }
                    chain output {
                      oifname ifog ether type != vlan reject
@@ -440,6 +516,8 @@ in
                      ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
                    }
                    chain postrouting {
                      oifname hillcrest snat ip to ${net.cidr.host 1 prefixes.hillcrest.v4}
                      oifname john-valorant snat ip to ${net.cidr.host 1 prefixes.john-valorant.v4}
                      ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
                    }
                  }
@@ -14,7 +14,7 @@ in
          owner = "pdns";
          group = "pdns";
        };
-        "estuary/pdns/recursor.conf" = {
+        "estuary/pdns/recursor.yml" = {
          owner = "pdns-recursor";
          group = "pdns-recursor";
        };
@@ -31,7 +31,7 @@ in
      pdns.recursor = {
        enable = true;
-        extraSettingsFile = config.age.secrets."estuary/pdns/recursor.conf".path;
+        extraSettingsFile = config.age.secrets."estuary/pdns/recursor.yml".path;
      };
    };
@@ -44,45 +44,55 @@ in
      };
      pdns-recursor = {
        dns = {
          address = [
            "127.0.0.1" "::1"
            assignments.base.ipv4.address assignments.base.ipv6.address
          ];
          allowFrom = [
            "127.0.0.0/8" "::1/128"
            prefixes.all.v4 prefixes.all.v6
          ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
        };
        settings = {
-          query-local-address = [
+          incoming = {
-            assignments.internal.ipv4.address
+            listen = [
-            assignments.internal.ipv6.address
+              "127.0.0.1" "::1"
-            assignments.base.ipv6.address
+              assignments.base.ipv4.address assignments.base.ipv6.address
-          ];
+            ];
-          forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
+            allow_from = [
              "127.0.0.0/8" "::1/128"
              prefixes.all.v4 prefixes.all.v6
            ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
-          # DNS NOTIFY messages override TTL
+            # DNS NOTIFY messages override TTL
-          allow-notify-for = authZones;
+            allow_notify_for = authZones;
-          allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
+            allow_notify_from = [ "127.0.0.0/8" "::1/128" ];
          };
-          webserver = true;
+          outgoing = {
-          webserver-address = "::";
+            source_address = [
-          webserver-allow-from = [ "127.0.0.1" "::1" ];
+              assignments.internal.ipv4.address
              assignments.internal.ipv6.address
              assignments.base.ipv6.address
            ];
          };
-          lua-dns-script = pkgs.writeText "pdns-script.lua" ''
+          recursor = {
-            function preresolve(dq)
+            forward_zones = map (z: {
-              if dq.qname:equal("nix-cache.nul.ie") then
+              zone = z;
-                dq:addAnswer(pdns.CNAME, "http.${config.networking.domain}.")
+              forwarders = [ "127.0.0.1:5353" ];
-                dq.rcode = 0
+            }) authZones;
-                dq.followupFunction = "followCNAMERecords"
+
-                return true
+            lua_dns_script = pkgs.writeText "pdns-script.lua" ''
              function preresolve(dq)
                if dq.qname:equal("nix-cache.nul.ie") then
                  dq:addAnswer(pdns.CNAME, "http.${config.networking.domain}.")
                  dq.rcode = 0
                  dq.followupFunction = "followCNAMERecords"
                  return true
                end
                return false
              end
            '';
          };
-              return false
+          webservice = {
-            end
+            webserver = true;
-          '';
+            address = "::";
            allow_from = [ "127.0.0.1" "::1" ];
          };
        };
      };
    };
@@ -154,6 +164,14 @@ in
            simpcraft-staging IN A ${assignments.internal.ipv4.address}
            simpcraft-staging IN AAAA ${allAssignments.simpcraft-staging-oci.internal.ipv6.address}
            enshrouded IN A ${assignments.internal.ipv4.address}
            kevcraft IN A ${assignments.internal.ipv4.address}
            kevcraft IN AAAA ${allAssignments.kevcraft-oci.internal.ipv6.address}
            kinkcraft IN A ${assignments.internal.ipv4.address}
            kinkcraft IN AAAA ${allAssignments.kinkcraft-oci.internal.ipv6.address}
            graeme IN A ${assignments.internal.ipv4.address}
            graeme IN AAAA ${allAssignments.graeme-oci.internal.ipv6.address}
            terraria IN A ${assignments.internal.ipv4.address}
            terraria IN AAAA ${allAssignments.gam.internal.ipv6.address}
            mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
            mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
@@ -167,6 +185,9 @@ in
            jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
            jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}
            hillcrest-tun IN A ${net.cidr.host 2 prefixes.hillcrest.v4}
            john-valorant-tun IN A ${net.cidr.host 2 prefixes.john-valorant.v4}
            $TTL 3
            _acme-challenge IN LUA TXT @@FILE@@
@@ -4,7 +4,7 @@ let
  inherit (lib) mkMerge mkDefault;
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
-  inherit (lib.my.c.colony) domain prefixes;
+  inherit (lib.my.c.colony) domain prefixes firewallForwards;
  inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;
 in
 {
@@ -95,7 +95,7 @@ in
                    "*.${pubDomain}"
                  ];
                  dnsProvider = "cloudflare";
-                  credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
+                  environmentFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
                };
              };
            };
@@ -111,7 +111,6 @@ in
                recommendedTlsSettings = true;
                clientMaxBodySize = "0";
                serverTokens = true;
                sslDhparam = config.age.secrets."dhparams.pem".path;
                # Based on recommended*Settings, but probably better to be explicit about these
                appendHttpConfig = ''
@@ -182,11 +181,6 @@ in
              secrets = {
                key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+KINpHLMduBuW96JzfSRDLUzkI+XaCBghu5/wHiW5R";
                files = {
                  "dhparams.pem" = {
                    owner = "acme";
                    group = "acme";
                    mode = "440";
                  };
                  "middleman/cloudflare-credentials.conf" = {
                    owner = "acme";
                    group = "acme";
@@ -197,6 +191,7 @@ in
              firewall = {
                tcp.allowed = [ 19999 "http" "https" ];
                nat.forwardPorts."${allAssignments.estuary.internal.ipv4.address}" = firewallForwards allAssignments;
                extraRules = ''
                  table inet filter {
                    chain forward {
@@ -1,19 +1,7 @@
 { lib, pkgs, config, ... }:
 let
  inherit (builtins) toJSON;
  inherit (lib) mkForce;
  inherit (lib.my.c) pubDomain;
  cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
    container = {
      network = "podman";
      privileged = true;
    };
    cache = {
      enabled = true;
      dir = "/var/cache/gitea-runner";
    };
  });
 in
 {
  config = {
@@ -30,8 +18,8 @@ in
          enable = true;
          name = "main-docker";
          labels = [
-            "debian-node-bullseye:docker://node:18-bullseye"
+            "debian-node-trixie:docker://node:24-trixie"
-            "ubuntu-22.04:docker://git.nul.ie/dev/actions-ubuntu:22.04"
+            "ubuntu-26.04:docker://git.nul.ie/dev/actions-ubuntu:26.04"
          ];
          url = "https://git.${pubDomain}";
          tokenFile = config.age.secrets."gitea/actions-runner.env".path;
@@ -39,6 +27,14 @@ in
            runner = {
              timeout = "8h";
            };
            container = {
              network = "podman";
              privileged = true;
            };
            cache = {
              enabled = true;
              dir = "/var/cache/gitea-runner";
            };
          };
        };
      };
@@ -66,7 +62,6 @@ in
          DynamicUser = mkForce false;
          User = "gitea-runner";
          Group = "gitea-runner";
          ExecStart = mkForce "${config.services.gitea-actions-runner.package}/bin/act_runner -c ${cfgFile} daemon";
        };
      };
    };
@@ -13,6 +13,7 @@ in
    "/var/lib/machines/jam" = {
      device = "/mnt/jam";
      options = [ "bind" ];
      fsType = "none";
    };
  };
@@ -198,44 +198,72 @@ in
            mautrix-whatsapp = {
              enable = true;
              # package = pkgs.mautrix-whatsapp.overrideAttrs (o: rec {
              #   version = "26.05";
              #   tag = "v0.2605.0";
              #   src = pkgs.fetchFromGitHub {
              #     owner = "mautrix";
              #     repo = "whatsapp";
              #     inherit tag;
              #     hash = "sha256-WlVfGQoP9e/wl98hUJei8O2JMcOKijoEY8XuU/z69Qk=";
              #   };
              #   vendorHash = "sha256-Hi/dZHJHoTTCnxLXgbkcYzuzis4fl5kxb5wMd9fKTY8=";
              # });
              environmentFile = config.age.secrets."chatterbox/mautrix-whatsapp.env".path;
              settings = {
                database = {
                  type = "postgres";
                  uri = "$MAU_WAPP_PSQL_URI";
                };
                homeserver = {
                  address = "http://localhost:8008";
                  domain = "nul.ie";
                };
                appservice = {
                  database = {
                    type = "postgres";
                    uri = "$MAU_WAPP_PSQL_URI";
                  };
                  id = "whatsapp2";
                  bot = {
                    username = "whatsapp2";
                    displayname = "WhatsApp Bridge Bot";
                  };
                  username_template = "wapp2_{{.}}";
                };
                bridge = {
                  username_template = "wapp2_{{.}}";
                  displayname_template = "{{or .BusinessName .PushName .JID}} (WA)";
                  personal_filtering_spaces = true;
                  delivery_receipts = true;
                  allow_user_invite = true;
                  url_previews = true;
                  command_prefix = "!wa";
                  login_shared_secret_map."nul.ie" = "$MAU_WAPP_DOUBLE_PUPPET_TOKEN";
                  encryption = {
                    allow = true;
                    default = true;
                    require = true;
                  };
                  permissions = {
                    "@dev:nul.ie" = "admin";
                  };
                };
                double_puppet = {
                  secrets."nul.ie" = "$MAU_WAPP_DOUBLE_PUPPET_TOKEN";
                };
                encryption = {
                  allow = true;
                  default = true;
                  require = true;
                  pickle_key = "maunium.net/go/mautrix-whatsapp";
                };
                matrix = {
                  delivery_receipts = true;
                };
                network = {
                  displayname_template = ''{{or .BusinessName .PushName .FullName .Phone "Unknown user"}} (WA)'';
                  url_previews = true;
                };
              };
            };
            # mautrix-meta.package = pkgs.mautrix-meta.overrideAttrs (o: rec {
            #   version = "26.05.1";
            #   tag = "v0.2605.1";
            #   src = pkgs.fetchFromGitHub {
            #     owner = "mautrix";
            #     repo = "meta";
            #     inherit tag;
            #     hash = "sha256-zpolDtwGulDTiojJPnkj9O0D5b4rgPYQX6A28rvuvM0=";
            #   };
            #   vendorHash = "sha256-+i45bXBhlXPXX24VMS9IJLLX+i4VPnqy5RAH4j88sTA=";
            # });
            mautrix-meta.instances = {
              messenger = {
                enable = true;
@@ -243,45 +271,49 @@ in
                dataDir = "mautrix-messenger";
                environmentFile = config.age.secrets."chatterbox/mautrix-messenger.env".path;
                settings = {
                  database = {
                    type = "postgres";
                    uri = "$MAU_FBM_PSQL_URI";
                  };
                  homeserver = {
                    address = "http://localhost:8008";
                    domain = "nul.ie";
                  };
                  appservice = {
                    database = {
                      type = "postgres";
                      uri = "$MAU_FBM_PSQL_URI";
                    };
                    id = "fbm2";
                    bot = {
                      username = "messenger2";
                      displayname = "Messenger Bridge Bot";
                      avatar = "mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak";
                    };
                    username_template = "fbm2_{{.}}";
                  };
                  network = {
                    mode = "messenger";
                    displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (FBM)'';
                  };
                  bridge = {
                    username_template = "fbm2_{{.}}";
                    personal_filtering_spaces = true;
-                    delivery_receipts = true;
+                    # management_room_text.welcome = "Hello, I'm a Messenger bridge bot.";
                    management_room_text.welcome = "Hello, I'm a Messenger bridge bot.";
                    command_prefix = "!fbm";
                    login_shared_secret_map."nul.ie" = "$MAU_FBM_DOUBLE_PUPPET_TOKEN";
                    backfill = {
-                      history_fetch_pages = 5;
+                      enabled = true;
                    };
                    encryption = {
                      allow = true;
                      default = true;
                      require = true;
                    };
                    permissions = {
                      "@dev:nul.ie" = "admin";
                    };
                  };
                  double_puppet = {
                    secrets."nul.ie" = "$MAU_FBM_DOUBLE_PUPPET_TOKEN";
                  };
                  encryption = {
                    allow = true;
                    default = true;
                    require = true;
                  };
                  matrix = {
                    delivery_receipts = true;
                  };
                };
              };
@@ -291,45 +323,50 @@ in
                dataDir = "mautrix-instagram";
                environmentFile = config.age.secrets."chatterbox/mautrix-instagram.env".path;
                settings = {
                  database = {
                    type = "postgres";
                    uri = "$MAU_IG_PSQL_URI";
                  };
                  homeserver = {
                    address = "http://localhost:8008";
                    domain = "nul.ie";
                  };
                  appservice = {
                    database = {
                      type = "postgres";
                      uri = "$MAU_IG_PSQL_URI";
                    };
                    id = "instagram";
                    bot = {
                      username = "instagram";
                      displayname = "Instagram Bridge Bot";
                      avatar = "mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv";
                    };
                    username_template = "ig_{{.}}";
                  };
                  network = {
                    mode = "instagram";
                    displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (IG)'';
                  };
                  bridge = {
                    username_template = "ig_{{.}}";
                    personal_filtering_spaces = true;
-                    delivery_receipts = true;
+                    # management_room_text.welcome = "Hello, I'm an Instagram bridge bot.";
                    management_room_text.welcome = "Hello, I'm an Instagram bridge bot.";
                    command_prefix = "!ig";
                    login_shared_secret_map."nul.ie" = "$MAU_IG_DOUBLE_PUPPET_TOKEN";
                    backfill = {
-                      history_fetch_pages = 5;
+                      enabled = true;
                    };
                    encryption = {
                      allow = true;
                      default = true;
                      require = true;
                    };
                    permissions = {
                      "@dev:nul.ie" = "admin";
                      "@adzerq:nul.ie" = "user";
                    };
                  };
                  double_puppet = {
                    secrets."nul.ie" = "$MAU_IG_DOUBLE_PUPPET_TOKEN";
                  };
                  encryption = {
                    allow = true;
                    default = true;
                    require = true;
                  };
                  matrix = {
                    delivery_receipts = true;
                  };
                };
              };
            };
@@ -9,5 +9,6 @@
    ./toot.nix
    ./waffletail.nix
    ./qclk
    ./gam.nix
  ];
 }
@@ -0,0 +1,72 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.colony) domain prefixes;
 in
 {
  nixos.systems.gam = { config, ... }: {
    system = "x86_64-linux";
    nixpkgs = "mine";
    rendered = config.configuration.config.my.asContainer;
    assignments = {
      internal = {
        name = "gam-ctr";
        inherit domain;
        ipv4.address = net.cidr.host 11 prefixes.ctrs.v4;
        ipv6 = {
          iid = "::11";
          address = net.cidr.host 11 prefixes.ctrs.v6;
        };
      };
    };
    configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
    let
      inherit (lib) mkMerge mkIf mkForce;
      inherit (lib.my) networkdAssignment;
    in
    {
      config = mkMerge [
        {
          my = {
            deploy.enable = false;
            server.enable = true;
            secrets = {
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvDlH3nT1kve741gBluYmn5KQs8yz7FAEt8qLt+f0K6";
              files = {
                "gam/terraria.conf" = {
                  owner = "terraria";
                  group = "terraria";
                };
              };
            };
          };
          systemd = {
            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
          };
          services = {
            terraria = {
              enable = true;
              noUPnP = true;
              messageOfTheDay = "sup gamers";
              autoCreatedWorldSize = "large";
              worldPath = "/var/lib/terraria/NotWorld.wld";
              configFile = config.age.secrets."gam/terraria.conf".path;
              openFirewall = true;
            };
          };
        }
        (mkIf config.my.build.isDevVM {
          virtualisation = {
            forwardPorts = [ ];
          };
        })
      ];
    };
  };
 }
@@ -23,7 +23,7 @@ in
      };
    };
-    configuration = { lib, pkgs, config, ... }:
+    configuration = { lib, pkgs, config, allAssignments, ... }:
    let
      inherit (lib) mkForce;
    in
@@ -39,8 +39,18 @@ in
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUv1ntVrZv5ripsKpcOAnyDQX2PHjowzyhqWK10Ml53";
            files = {
              "jackflix/photoprism-pass.txt" = {};
              "jackflix/copyparty-pass.txt" = {
                owner = "copyparty";
                group = "copyparty";
              };
            };
          };
          firewall = {
            tcp.allowed = [
              3923
            ];
          };
        };
        users = with lib.my.c.ids; {
@@ -50,21 +60,26 @@ in
            transmission.extraGroups = [ "media" ];
            radarr.extraGroups = [ "media" ];
            sonarr.extraGroups = [ "media" ];
-            jellyseerr = {
+            seerr = {
              isSystemUser = true;
              uid = uids.jellyseerr;
-              group = "jellyseerr";
+              group = "seerr";
            };
            photoprism = {
              isSystemUser = true;
              uid = uids.photoprism;
              group = "photoprism";
            };
            copyparty = {
              uid = uids.copyparty;
              extraGroups = [ "media" ];
            };
          };
          groups = {
            media.gid = 2000;
-            jellyseerr.gid = gids.jellyseerr;
+            seerr.gid = gids.jellyseerr;
            photoprism.gid = gids.photoprism;
            copyparty.gid = gids.copyparty;
          };
        };
@@ -73,13 +88,15 @@ in
            jackett.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
            transmission.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
-            radarr.serviceConfig.UMask = "0002";
+            radarr.serviceConfig.UMask = mkForce "0002";
-            sonarr.serviceConfig.UMask = "0002";
+            radarr.path = with pkgs; [ ffmpeg ];
-            jellyseerr.serviceConfig = {
+            sonarr.serviceConfig.UMask = mkForce "0002";
            sonarr.path = with pkgs; [ ffmpeg ];
            seerr.serviceConfig = {
              # Needs to be able to read its secrets
              DynamicUser = mkForce false;
-              User = "jellyseerr";
+              User = "seerr";
-              Group = "jellyseerr";
+              Group = "seerr";
            };
            # https://github.com/NixOS/nixpkgs/issues/258793#issuecomment-1748168206
@@ -94,19 +111,12 @@ in
          };
        };
        nixpkgs.config.permittedInsecurePackages = [
          # FIXME: This is needed for Sonarr
          "aspnetcore-runtime-wrapped-6.0.36"
          "aspnetcore-runtime-6.0.36"
          "dotnet-sdk-wrapped-6.0.428"
          "dotnet-sdk-6.0.428"
        ];
        services = {
          netdata.enable = true;
          transmission = {
            enable = true;
            package = pkgs.transmission_4;
            downloadDirPermissions = null;
            performanceNetParameters = true;
            settings = {
@@ -131,10 +141,11 @@ in
            };
          };
          flaresolverr.enable = true;
          jackett.enable = true;
          radarr.enable = true;
          sonarr.enable = true;
-          jellyseerr = {
+          seerr = {
            enable = true;
            openFirewall = true;
          };
@@ -158,6 +169,50 @@ in
              PHOTOPRISM_DATABASE_DRIVER = "sqlite";
            };
          };
          copyparty = {
            enable = true;
            package = pkgs.copyparty.override {
              withMagic = true;
            };
            settings = {
              name = "dev-stuff";
              no-reload = true;
              j = 8; # cores
              http-only = true;
              xff-src =
                with allAssignments.middleman.internal;
                [ "${ipv4.address}/32" prefixes.ctrs.v6 ];
              rproxy = 1; # get if from x-forwarded-for
              magic = true; # enable checking file magic on upload
              hist = "/var/cache/copyparty";
              shr = "/share"; # enable share creation
              ed = true; # enable dotfiles
              chmod-f = "664";
              chmod-d = "775";
              e2dsa = true; # file indexing
              e2t = true; # metadata indexing
              og-ua = "(Discord|Twitter|Slack)bot"; # embeds
              theme = 6;
            };
            accounts.dev.passwordFile = config.age.secrets."jackflix/copyparty-pass.txt".path;
            volumes = {
              "/" = {
                path = "/mnt/media/public";
                access = {
                  A = "dev";
                  "r." = "*";
                };
                flags = {
                  shr_who = "no"; # no reason to have shares here
                };
              };
              "/priv" = {
                path = "/mnt/media/stuff";
                access.A = "dev"; # dev has admin access
              };
            };
          };
        };
      };
    };
@@ -12,7 +12,7 @@ let
  };
  # Forwarded in AirVPN config
-  transmissionPeerPort = 47016;
+  transmissionPeerPort = 28457;
 in
 {
  config = mkMerge [
@@ -40,11 +40,6 @@ in
            secrets = {
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQM9U1e/XcUCyMJITrpAHjAGahpqkZCmtX6pJkYzuks";
              files = {
                "dhparams.pem" = {
                  owner = "acme";
                  group = "acme";
                  mode = "440";
                };
                "pdns-file-records.key" = {
                  owner = "acme";
                  group = "acme";
@@ -72,6 +67,13 @@ in
            firewall = {
              tcp.allowed = [ "http" "https" 8448 ];
              extraRules = ''
                table inet nat {
                  chain postrouting {
                    oifname host0 snat ip6 to ${assignments.internal.ipv6.address}
                  }
                }
              '';
            };
            nginx-sso = {
@@ -169,7 +171,7 @@ in
                    "*.${config.networking.domain}"
                  ];
                  dnsProvider = "exec";
-                  credentialsFile =
+                  environmentFile =
                  let
                    script = pkgs.writeShellScript "lego-update-int.sh" ''
                      case "$1" in
@@ -200,7 +202,7 @@ in
                    "*.s3.${pubDomain}"
                  ];
                  dnsProvider = "cloudflare";
-                  credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
+                  environmentFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
                  postRun =
                  let
                    sshKey = config.age.secrets."middleman/mailcow-ssh.key".path;
@@ -249,8 +251,10 @@ in
                valid = "5s";
              };
              proxyResolveWhileRunning = true;
              sslDhparam = config.age.secrets."dhparams.pem".path;
              appendConfig = ''
                worker_processes auto;
              '';
              # Based on recommended*Settings, but probably better to be explicit about these
              appendHttpConfig = ''
                ${baseHttpConfig}
@@ -49,6 +49,7 @@ let
    "/.well-known/webfinger".return = "301 https://toot.nul.ie$request_uri";
    "/.well-known/nodeinfo".return = "301 https://toot.nul.ie$request_uri";
    "/.well-known/host-meta".return = "301 https://toot.nul.ie$request_uri";
    "/.well-known/atproto-did".return = "301 https://pds.nul.ie$request_uri";
  };
 in
 {
@@ -79,6 +80,10 @@ in
                  sha256 = "018wh6ps19n7323fi44njzj9yd4wqslc90dykbwfyscv7bgxhlar";
                };
              }
              {
                name = "ssh.pub";
                path = lib.my.c.sshKeyFiles.me;
              }
            ];
          }
          wellKnown
@@ -322,6 +327,15 @@ in
        useACMEHost = pubDomain;
      };
      "pds.nul.ie" = {
        locations."/" = {
          proxyPass = "http://toot-ctr.${domain}:3000";
          proxyWebsockets = true;
          extraConfig = proxyHeaders;
        };
        useACMEHost = pubDomain;
      };
      "share.${pubDomain}" = {
        locations."/" = {
          proxyPass = "http://object-ctr.${domain}:9090";
@@ -333,16 +347,13 @@ in
      "stuff.${pubDomain}" = {
        locations."/" = {
-          basicAuthFile = config.age.secrets."middleman/htpasswd".path;
+          proxyPass = "http://jackflix-ctr.${domain}:3923";
          root = "/mnt/media/stuff";
          extraConfig = ''
            fancyindex on;
            fancyindex_show_dotfiles on;
          '';
        };
        useACMEHost = pubDomain;
      };
      "public.${pubDomain}" = {
        onlySSL = false;
        addSSL = true;
        serverAliases = [ "p.${pubDomain}" ];
        locations."/" = {
          root = "/mnt/media/public";
@@ -363,6 +374,11 @@ in
        useACMEHost = pubDomain;
      };
      "mc-map-kink.${pubDomain}" = {
        locations."/".proxyPass = "http://kinkcraft-oci.${domain}:8100";
        useACMEHost = pubDomain;
      };
      "librespeed.${domain}" = {
        locations."/".proxyPass = "http://localhost:8989";
      };
@@ -413,6 +429,22 @@ in
        }
        (ssoServer "generic")
      ];
      "hass.${pubDomain}" = {
        locations."/" = {
          proxyPass = "http://hass-ctr.${home.domain}:8123";
          proxyWebsockets = true;
          extraConfig = proxyHeaders;
        };
        useACMEHost = pubDomain;
      };
      "hass-john.${pubDomain}" = {
        locations."/" = {
          proxyPass = "http://john-valorant-tun.${domain}:8123";
          proxyWebsockets = true;
          extraConfig = proxyHeaders;
        };
        useACMEHost = pubDomain;
      };
    };
    minio =
@@ -35,6 +35,7 @@ in
            "/var/lib/harmonia" = {
              device = "/mnt/nix-cache";
              options = [ "bind" ];
              fsType = "none";
            };
          };
@@ -89,12 +90,17 @@ in
            {
              users = {
                harmonia = {
                isSystemUser = true;
                group = "harmonia";
                  shell = pkgs.bashInteractive;
                  openssh.authorizedKeys.keyFiles = [
                    lib.my.c.sshKeyFiles.harmonia
                  ];
                };
              };
              groups = {
                harmonia = { };
              };
            }
          ];
@@ -127,13 +133,24 @@ in
                  };
                }
              ];
-              harmonia = {
+
-                environment.NIX_REMOTE = "/var/lib/harmonia";
+              harmonia-dev = {
                # environment.RUST_LOG = mkForce "trace";
                # serviceConfig = {
                #   StateDirectory = "harmonia";
                #   DynamicUser = mkForce false;
                # };
              };
              harmonia-daemon = {
                # environment.RUST_LOG = mkForce "trace";
                preStart = ''
-                  ${config.nix.package}/bin/nix store ping
+                  ${config.nix.package}/bin/nix store info --store /var/lib/harmonia
                '';
                serviceConfig = {
                  User = "harmonia";
                  Group = "harmonia";
                  StateDirectory = "harmonia";
                  DynamicUser = mkForce false;
                };
              };
            };
@@ -145,6 +162,9 @@ in
            ];
          };
          # TODO/FIXME: this is bad...
          nixpkgs.config.permittedInsecurePackages = [ "minio-2025-10-15T17-29-55Z" ];
          services = {
            minio = {
              enable = true;
@@ -235,11 +255,20 @@ in
              };
            };
-            harmonia = {
+            harmonia-dev = {
-              enable = true;
+              daemon = {
-              signKeyPaths = [ config.age.secrets."nix-cache.key".path ];
+                enable = true;
-              settings = {
+                storeDir = "/nix/store";
-                priority = 30;
+                dbPath = "/var/lib/harmonia/nix/var/nix/db/db.sqlite";
              };
              cache = {
                enable = true;
                signKeyPaths = [ config.age.secrets."nix-cache.key".path ];
                settings = {
                  priority = 30;
                  virtual_nix_store = "/nix/store";
                  real_nix_store = "/var/lib/harmonia/nix/store";
                };
              };
            };
@@ -26,6 +26,8 @@ in
    let
      inherit (lib) mkMerge mkIf genAttrs;
      inherit (lib.my) networkdAssignment systemdAwaitPostgres;
      pdsPort = 3000;
    in
    {
      config = mkMerge [
@@ -36,7 +38,7 @@ in
            secrets = {
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSslLkDe54AKYzxdtKD70zcU72W0EpYsfbdJ6UFq0QK";
-              files = genAttrs
+              files = (genAttrs
                (map (f: "toot/${f}") [
                  "postgres-password.txt"
                  "secret-key.txt"
@@ -48,7 +50,12 @@ in
                (_: with config.services.mastodon; {
                  owner = user;
                  inherit group;
-                });
+                })) // {
                  "toot/pds.env" = {
                    owner = "pds";
                    group = "pds";
                  };
                };
            };
            firewall = {
@@ -56,6 +63,7 @@ in
                19999
                "http"
                pdsPort
              ];
            };
          };
@@ -79,7 +87,7 @@ in
            netdata.enable = true;
            mastodon = mkMerge [
              rec {
-                enable = true;
+                enable = false;
                localDomain = extraConfig.WEB_DOMAIN; # for nginx config
                extraConfig = {
                  LOCAL_DOMAIN = "nul.ie";
@@ -87,7 +95,9 @@ in
                };
                secretKeyBaseFile = config.age.secrets."toot/secret-key.txt".path;
-                otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
+                # TODO: This was removed at some point.
                # If we want to bring Mastodon back, this will probably need to be addressd.
                # otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
                vapidPrivateKeyFile = config.age.secrets."toot/vapid-key.txt".path;
                vapidPublicKeyFile = toString (pkgs.writeText
                  "vapid-pubkey.txt"
@@ -155,6 +165,32 @@ in
                };
              };
            };
            bluesky-pds = {
              enable = true;
              environmentFiles = [ config.age.secrets."toot/pds.env".path ];
              settings = {
                PDS_HOSTNAME = "pds.nul.ie";
                PDS_PORT = pdsPort;
                PDS_BLOBSTORE_DISK_LOCATION = null;
                PDS_BLOBSTORE_S3_BUCKET = "pds";
                PDS_BLOBSTORE_S3_ENDPOINT = "https://s3.nul.ie/";
                PDS_BLOBSTORE_S3_REGION = "eu-central-1";
                PDS_BLOBSTORE_S3_ACCESS_KEY_ID = "pds";
                PDS_BLOB_UPLOAD_LIMIT = "52428800";
                PDS_EMAIL_FROM_ADDRESS = "pds@nul.ie";
                PDS_DID_PLC_URL = "https://plc.directory";
                PDS_INVITE_REQUIRED = "true";
                PDS_BSKY_APP_VIEW_URL = "https://api.bsky.app";
                PDS_BSKY_APP_VIEW_DID = "did:web:api.bsky.app";
                PDS_REPORT_SERVICE_URL = "https://mod.bsky.app";
                PDS_REPORT_SERVICE_DID = "did:plc:ar7c4by46qjdydhdevvrndac";
                PDS_CRAWLERS = "https://bsky.network";
              };
            };
          };
        }
        (mkIf config.my.build.isDevVM {
@@ -217,6 +217,7 @@ in
                  toot = {};
                  waffletail = {};
                  qclk = {};
                  gam = {};
                };
              in
              mkMerge [
@@ -53,6 +53,9 @@ in
      simpcraft-oci = 3;
      simpcraft-staging-oci = 4;
      enshrouded-oci = 5;
      kevcraft-oci = 6;
      kinkcraft-oci = 7;
      graeme-oci = 8;
    };
    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@@ -112,7 +115,7 @@ in
              };
              containers.containersConf.settings.network = {
                network_backend = "netavark";
-                firewall_driver = "none";
+                firewall_driver = mkForce "none";
              };
            };
@@ -5,12 +5,13 @@ let
  # devplayer0
  op = "6d7d971b-ce10-435b-85c5-c99c0d8d288c";
  kev = "703b378a-09f9-4c1d-9876-1c9305728c49";
  whitelist = concatStringsSep "," [
    op
    "dcd2ecb9-2b5e-49cb-9d4f-f5a76162df56" # Elderlypug
    "fcb26db2-c3ce-41aa-b588-efec79d37a8a" # Jesthral_
    "1d366062-12c0-4e29-aba7-6ab5d8c6bb05" # shr3kas0ras
-    "703b378a-09f9-4c1d-9876-1c9305728c49" # OROURKEIRE
+    kev
    "f105bbe6-eda6-4a13-a8cf-894e77cab77b" # Adzerq
    "1fc94979-41fb-497a-81e9-34ae24ca537a" # johnnyscrims
    "d53c91df-b6e6-4463-b106-e8427d7a8d01" # BossLonus
@@ -104,6 +105,130 @@ in
      #     ''--network=colony:${dockerNetAssignment allAssignments "simpcraft-staging-oci"}''
      #   ];
      # };
      kevcraft = {
        # 2025.2.1-java21-alpine
        image = "itzg/minecraft-server@sha256:57e319c15e9fee63f61029a65a33acc3de85118b21a2b4bb29f351cf4a915027";
        environment = {
          TYPE = "VANILLA";
          VERSION = "1.20.1";
          SERVER_PORT = "25567";
          QUERY_PORT = "25567";
          EULA = "true";
          ENABLE_QUERY = "true";
          ENABLE_RCON = "true";
          MOTD = "§4§k----- §9K§ae§bv§cc§dr§ea§ff§6t §4§k-----";
          ICON = "/ext/icon.png";
          EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
          WHITELIST = whitelist;
          EXISTING_OPS_FILE = "SYNCHRONIZE";
          OPS = concatStringsSep "," [ op kev ];
          DIFFICULTY = "normal";
          SPAWN_PROTECTION = "0";
          # VIEW_DISTANCE = "20";
          MAX_MEMORY = "4G";
          TZ = "Europe/Dublin";
        };
        environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
        volumes = [
          "kevcraft_data:/data"
          "${./kev.png}:/ext/icon.png:ro"
        ];
        extraOptions = [
          ''--network=colony:${dockerNetAssignment allAssignments "kevcraft-oci"}''
        ];
      };
      kinkcraft = {
        # 2025.5.1-java21-alpine
        image = "itzg/minecraft-server@sha256:de26c7128e3935f3be48fd30283f0b5a6da1b3d9f1a10c9f92502ee1ba072f7b";
        environment = {
          TYPE = "MODRINTH";
          SERVER_PORT = "25568";
          QUERY_PORT = "25568";
          EULA = "true";
          ENABLE_QUERY = "true";
          ENABLE_RCON = "true";
          MOTD = "§4§k----- §9K§ai§bn§ck§dc§er§fa§6f§5t §4§k-----";
          ICON = "/ext/icon.png";
          EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
          WHITELIST = whitelist;
          EXISTING_OPS_FILE = "SYNCHRONIZE";
          OPS = op;
          DIFFICULTY = "normal";
          SPAWN_PROTECTION = "0";
          VIEW_DISTANCE = "20";
          MAX_MEMORY = "6G";
          MODRINTH_MODPACK = "https://cdn.modrinth.com/data/CIYf3Hk8/versions/NGutsQSd/Simpcraft-0.2.1.mrpack";
          TZ = "Europe/Dublin";
        };
        environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
        volumes = [
          "kinkcraft_data:/data"
          "${./icon.png}:/ext/icon.png:ro"
        ];
        extraOptions = [
          ''--network=colony:${dockerNetAssignment allAssignments "kinkcraft-oci"}''
        ];
      };
      graeme = {
        # 2026.2.1-java21-alpine
        image = "itzg/minecraft-server@sha256:82adaddfe0156f07c34228f1c1065cdbd298abc174de0a9961abb068b11beebb";
        environment = {
          TYPE = "VANILLA";
          SERVER_PORT = "25569";
          QUERY_PORT = "25569";
          EULA = "true";
          ENABLE_QUERY = "true";
          ENABLE_RCON = "false";
          MOTD = "§4§k----- §9G§ar§ba§ce§dm§ee §4§k-----";
          ICON = "/ext/icon.png";
          EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
          WHITELIST = concatStringsSep "," [
            op
            "fffa146c-0bc8-421c-9e3a-3635c0aca2ea" # Scarlehh
            "1ea05f48-76cc-4034-bcd3-2fa1fc5a7375" # Dario
            "4bf837b1-01db-4491-a0e0-700d98542833" # JoeSpencer
            "d07a9554-1b05-4b0b-b558-27e4a86e1f53" # AmyClover
          ];
          EXISTING_OPS_FILE = "SYNCHRONIZE";
          OPS = op;
          DIFFICULTY = "hard";
          SPAWN_PROTECTION = "0";
          VIEW_DISTANCE = "20";
          MAX_MEMORY = "4G";
          TZ = "Europe/Dublin";
        };
        volumes = [
          "graeme_data:/data"
          "${./graeme.png}:/ext/icon.png:ro"
        ];
        extraOptions = [
          ''--network=colony:${dockerNetAssignment allAssignments "graeme-oci"}''
        ];
      };
    };
    services = {
@@ -109,11 +109,7 @@ in
          };
          fstrim.enable = true;
-          resolved = {
+          resolved.settings.Resolve.LLMNR = mkForce true;
            enable = true;
            extraConfig = mkForce "";
            dnssec = "false";
          };
          pipewire.extraConfig.pipewire = {
            "10-buffer"."context.properties" = {
@@ -122,13 +118,14 @@ in
            };
          };
          blueman.enable = true;
          avahi.enable = true;
        };
        programs = {
          virt-manager.enable = true;
          wireshark = {
            enable = true;
-            package = pkgs.wireshark-qt;
+            package = pkgs.wireshark;
          };
        };
        virtualisation.libvirtd.enable = true;
@@ -150,6 +147,7 @@ in
          mstflint
          qperf
          ethtool
          android-tools
        ];
        nix = {
@@ -164,6 +162,7 @@ in
          network = {
            netdevs = mkMerge [
              (mkVLAN "lan-hi" vlans.hi)
              (mkVLAN "lan-lo" vlans.lo)
            ];
            links = {
              "10-et2.5g" = {
@@ -185,7 +184,7 @@ in
            networks = {
              "30-et100g" = {
                matchConfig.Name = "et100g";
-                vlan = [ "lan-hi" ];
+                vlan = [ "lan-hi" "lan-lo" ];
                networkConfig.IPv6AcceptRA = false;
              };
              "40-lan-hi" = mkMerge [
@@ -193,6 +192,22 @@ in
                # So we don't drop the IP we use to connect to NVMe-oF!
                { networkConfig.KeepConfiguration = "static"; }
              ];
              "45-lan-lo" = {
                matchConfig.Name = "lan-lo";
                networkConfig = {
                  DHCP = "ipv4";
                  IPv6AcceptRA = true;
                  UseDomains = false;
                };
                dhcpV4Config = {
                  UseDNS = false;
                  UseGateway = false;
                };
                ipv6AcceptRAConfig = {
                  UseDNS = false;
                  UseGateway = false;
                };
              };
            };
          };
        };
@@ -215,8 +230,15 @@ in
                ];
              };
              programs = {
                claude-code = {
                  enable = true;
                };
              };
              services = {
                blueman-applet.enable = true;
                easyeffects.enable = true;
              };
              wayland.windowManager.sway = {
@@ -188,6 +188,13 @@
                hostBDF = "44:00.4";
              };
            };
            qemuFlags = [
              "device qemu-xhci,id=xhci"
              # Front-right port?
              "device usb-host,hostbus=1,hostport=4"
              # Front-left port
              "device usb-host,hostbus=1,hostport=3"
            ];
          };
        };
      };
@@ -1,5 +1,6 @@
 {
  imports = [
-    ./unifi.nix
+    # ./unifi.nix
    ./hass.nix
  ];
 }
@@ -0,0 +1,263 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.home) domain prefixes vips hiMTU;
 in
 {
  nixos.systems.hass = { config, ... }: {
    system = "x86_64-linux";
    nixpkgs = "mine";
    rendered = config.configuration.config.my.asContainer;
    assignments = {
      hi = {
        name = "hass-ctr";
        altNames = [ "frigate" ];
        inherit domain;
        mtu = hiMTU;
        ipv4 = {
          address = net.cidr.host 103 prefixes.hi.v4;
          mask = 22;
          gateway = vips.hi.v4;
        };
        ipv6 = {
          iid = "::5:3";
          address = net.cidr.host (65536*5+3) prefixes.hi.v6;
        };
      };
      lo = {
        name = "hass-ctr-lo";
        inherit domain;
        mtu = 1500;
        ipv4 = {
          address = net.cidr.host 103 prefixes.lo.v4;
          mask = 21;
          gateway = null;
        };
        ipv6 = {
          iid = "::5:3";
          address = net.cidr.host (65536*5+3) prefixes.lo.v6;
        };
      };
    };
    configuration = { lib, config, pkgs, assignments, allAssignments, ... }:
    let
      inherit (lib) mkMerge mkIf mkForce;
      inherit (lib.my) networkdAssignment;
      hassCli = pkgs.writeShellScriptBin "hass-cli" ''
        export HASS_SERVER="http://localhost:${toString config.services.home-assistant.config.http.server_port}"
        export HASS_TOKEN="$(< ${config.age.secrets."hass/cli-token.txt".path})"
        exec ${pkgs.home-assistant-cli}/bin/hass-cli "$@"
      '';
    in
    {
      config = {
        my = {
          deploy.enable = false;
          server.enable = true;
          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpYX2WbYwUqHp8bFFf0eHFrqrR8xp8IheguA054F8V4";
            files = {
              "hass/cli-token.txt" = {
                owner = config.my.user.config.name;
              };
            };
          };
          firewall = {
            tcp.allowed = [ "http" 1883 ];
          };
        };
        environment = {
          systemPackages = with pkgs; [
            usbutils
            hassCli
          ];
        };
        systemd = {
          network.networks = {
            "80-container-host0" = networkdAssignment "host0" assignments.hi;
            "80-container-lan-lo" = networkdAssignment "lan-lo" assignments.lo;
          };
        };
        services = {
          mosquitto = {
            enable = true;
            listeners = [
              {
                omitPasswordAuth = true;
                settings = {
                  allow_anonymous = true;
                };
              }
            ];
          };
          go2rtc = {
            enable = true;
            settings = {
              streams = {
                reolink_living_room = [
                  # "http://reolink-living-room.${domain}/flv?port=1935&app=bcs&stream=channel0_main.bcs&user=admin#video=copy#audio=copy#audio=opus"
                  "rtsp://admin:@reolink-living-room:554/h264Preview_01_main"
                ];
                webcam_office = [
                  "ffmpeg:device?video=/dev/video0&video_size=1024x576#video=h264"
                ];
              };
            };
          };
          frigate = {
            enable = true;
            hostname = "frigate.${domain}";
            settings = {
              mqtt = {
                enabled = true;
                host = "localhost";
                topic_prefix = "frigate";
              };
              cameras = {
                reolink_living_room = {
                  ffmpeg.inputs = [
                    {
                      path = "rtsp://127.0.0.1:8554/reolink_living_room";
                      input_args = "preset-rtsp-restream";
                      roles = [ "record" "detect" ];
                    }
                  ];
                  detect = {
                    enabled = false;
                  };
                  record = {
                    enabled = true;
                    retain.days = 1;
                  };
                };
                webcam_office = {
                  ffmpeg.inputs = [
                    {
                      path = "rtsp://127.0.0.1:8554/webcam_office";
                      input_args = "preset-rtsp-restream";
                      roles = [ "record" "detect" ];
                    }
                  ];
                  detect.enabled = false;
                  record = {
                    enabled = true;
                    retain.days = 1;
                  };
                };
              };
            };
          };
          home-assistant =
          let
            cfg = config.services.home-assistant;
            pyirishrail = ps: ps.buildPythonPackage rec {
              pname = "pyirishrail";
              version = "0.0.2";
              src = pkgs.fetchFromGitHub {
                owner = "ttroy50";
                repo = "pyirishrail";
                tag = version;
                hash = "sha256-NgARqhcXP0lgGpgBRiNtQaSn9JcRNtCcZPljcL7t3Xc=";
              };
              dependencies = with ps; [
                requests
              ];
              pyproject = true;
              build-system = [ ps.setuptools ];
            };
          in
          {
            enable = true;
            extraComponents = [
              "default_config"
              "esphome"
              "google_translate"
              "met"
              "zha"
              "denonavr"
              "webostv"
              "androidtv_remote"
              "heos"
              "mqtt"
              "wled"
            ];
            extraPackages = python3Packages: with python3Packages; [
              zlib-ng
              isal
              gtts
              (pyirishrail python3Packages)
            ];
            customComponents = with pkgs.home-assistant-custom-components; [
              alarmo
              frigate
              west_wood_club
            ];
            configWritable = false;
            openFirewall = true;
            config = {
              default_config = {};
              homeassistant = {
                name = "Home";
                unit_system = "metric";
                currency = "EUR";
                country = "IE";
                time_zone = "Europe/Dublin";
                external_url = "https://hass.${pubDomain}";
                internal_url = "http://hass-ctr.${domain}:${toString cfg.config.http.server_port}";
              };
              http = {
                use_x_forwarded_for = true;
                trusted_proxies = with allAssignments.middleman.internal; [
                  ipv4.address
                  ipv6.address
                ];
                ip_ban_enabled = false;
              };
              automation = "!include automations.yaml";
              script = "!include scripts.yaml";
              scene = "!include scenes.yaml";
              sensor = [
                {
                  platform = "irish_rail_transport";
                  name = "To Work from Home";
                  station = "Glenageary";
                  stops_at = "Dublin Connolly";
                  direction = "Northbound";
                }
                {
                  platform = "irish_rail_transport";
                  name = "To Home from Work";
                  station = "Dublin Connolly";
                  stops_at = "Glenageary";
                  direction = "Southbound";
                }
              ];
            };
          };
        };
      };
    };
  };
 }
@@ -55,8 +55,8 @@ in
          unifi = {
            enable = true;
            openFirewall = true;
-            unifiPackage = pkgs.unifi8;
+            unifiPackage = pkgs.unifi;
-            mongodbPackage = pkgs.mongodb-6_0;
+            mongodbPackage = pkgs.mongodb-7_0;
          };
        };
      };
@@ -29,7 +29,7 @@ in
    configuration = { lib, modulesPath, pkgs, config, assignments, allAssignments, ... }:
    let
-      inherit (lib) mapAttrs mkMerge;
+      inherit (lib) mapAttrs mkMerge mkForce;
      inherit (lib.my) networkdAssignment;
      inherit (lib.my.c) networkd;
      inherit (lib.my.c.home) domain;
@@ -83,6 +83,12 @@ in
          };
        };
        environment = {
          systemPackages = with pkgs; [
            usbutils
          ];
        };
        systemd.network = {
          links = {
            "10-lan-hi" = {
@@ -105,6 +111,13 @@ in
                MTUBytes = toString lib.my.c.home.hiMTU;
              };
            };
            "10-lan-lo-ctrs" = {
              matchConfig = {
                Driver = "virtio_net";
                PermanentMACAddress = "52:54:00:a5:7e:93";
              };
              linkConfig.Name = "lan-lo-ctrs";
            };
          };
          networks = {
@@ -118,9 +131,29 @@ in
              linkConfig.RequiredForOnline = "no";
              networkConfig = networkd.noL3;
            };
            "30-lan-lo-ctrs" = {
              matchConfig.Name = "lan-lo-ctrs";
              linkConfig.RequiredForOnline = "no";
              networkConfig = networkd.noL3;
            };
          };
        };
        systemd.nspawn = {
          hass = {
            networkConfig = {
              MACVLAN = mkForce "lan-hi-ctrs:host0 lan-lo-ctrs:lan-lo";
            };
          };
        };
        systemd.services = {
          "systemd-nspawn@hass".serviceConfig.DeviceAllow = [
            "char-ttyUSB rw"
            "char-video4linux rw"
          ];
        };
        my = {
          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAaav5Se1E/AbqEXmADryVszYfNDscyP6jrWioN57R7";
@@ -141,7 +174,17 @@ in
          containers.instances =
          let
            instances = {
-              unifi = {};
+              # unifi = {};
              hass = {
                bindMounts = {
                  "/dev/bus/usb/001/002".readOnly = false;
                  "/dev/video0".readOnly = false;
                  "/dev/serial/by-id/usb-Nabu_Casa_Home_Assistant_Connect_ZBT-1_ce549704fe38ef11a2c2e5d154516304-if00-port0" = {
                    readOnly = false;
                    mountPoint = "/dev/ttyUSB0";
                  };
                };
              };
            };
          in
          mkMerge [
@@ -121,11 +121,9 @@ in
          };
          services = {
-            resolved = {
+            resolved.settings.Resolve = {
-              llmnr = "false";
+              LLMNR = false;
-              extraConfig = ''
+              MulticastDNS = false;
                MulticastDNS=false
              '';
            };
            iperf3 = {
@@ -141,8 +139,8 @@ in
                  onState = [ "configured" ];
                  script = ''
                  #!${pkgs.runtimeShell}
-                  if [ $IFACE = "wan-ifb" ]; then
+                  if [ "$IFACE" = "wan-ifb" ]; then
-                    ${pkgs.iproute2}/bin/tc filter add dev wan parent ffff: matchall action mirred egress redirect dev $IFACE
+                    ${pkgs.iproute2}/bin/tc filter add dev wan parent ffff: matchall action mirred egress redirect dev "$IFACE"
                  fi
                  '';
                };
@@ -0,0 +1,74 @@
 # Blocklist for LG WebOS Services (US)
 ad.lgappstv.com
 ibis.lgappstv.com
 info.lgsmartad.com
 lgtvsdp.com
 ngfts.lge.com
 rdx2.lgtvsdp.com
 smartshare.lgtvsdp.com
 lgappstv.com
 us.ad.lgsmartad.com
 us.ibs.lgappstv.com
 us.info.lgsmartad.com
 us.lgtvsdp.com
 # Community Contributions
 lgad.cjpowercast.com
 edgesuite.net
 yumenetworks.com
 smartclip.net
 smartclip.com
 # Non-US Entries
 rdx2.lgtvsdp.com
 info.lgsmartad.com
 ibs.lgappstv.com
 lgtvsdp.com
 lgappstv.com
 smartshare.lgtvsdp.com
 # Full Block for Europe and Other Regions
 de.ad.lgsmartad.com
 de.emp.lgsmartplatform.com
 de.ibs.lgappstv.com
 de.info.lgsmartad.com
 de.lgeapi.com
 de.lgtvsdp.com
 de.rdx2.lgtvsdp.com
 eu.ad.lgsmartad.com
 eu.ibs.lgappstv.com
 eu.info.lgsmartad.com
 app-lgwebos.pluto.tv
 it.lgtvsdp.com
 it.lgeapi.com
 it.emp.lgsmartplatform.com
 # LG ThinQ Services
 eic.common.lgthinq.com
 eic.iotservice.lgthinq.com
 eic.service.lgthinq.com
 eic.ngfts.lge.com
 eic.svc-lgthinq-com.aws-thinq-prd.net
 eic.cdpsvc.lgtvcommon.com
 eic.cdpbeacon.lgtvcommon.com
 eic.cdplauncher.lgtvcommon.com
 eic.homeprv.lgtvcommon.com
 eic.lgtviot.com
 eic.nudge.lgtvcommon.com
 eic.rdl.lgtvcommon.com
 eic.recommend.lgtvcommon.com
 eic.service.lgtvcommon.com
 gb-lgeapi-com.esi-prd.net
 gb.lgeapi.com
 lgtvonline.lge.com
 lg-channelplus-de-beacons.xumo.com
 lg-channelplus-de-mds.xumo.com
 lg-channelplus-eu-beacons.xumo.com
 lg-channelplus-eu-mds.xumo.com
 kr-op-v2.lgthinqhome.com
 ngfts.lge.com
 noti.lgthinq.com
 objectcontent.lgthinq.com
 # Update Server Block
 #snu.lge.com
@@ -19,7 +19,7 @@ in
          owner = "pdns";
          group = "pdns";
        };
-        "home/pdns/recursor.conf" = {
+        "home/pdns/recursor.yml" = {
          owner = "pdns-recursor";
          group = "pdns-recursor";
        };
@@ -28,52 +28,78 @@ in
      pdns.recursor = {
        enable = true;
-        extraSettingsFile = config.age.secrets."home/pdns/recursor.conf".path;
+        extraSettingsFile = config.age.secrets."home/pdns/recursor.yml".path;
      };
    };
    services = {
      pdns-recursor = {
        dns = {
          address = [
            "127.0.0.1" "::1"
            assignments.hi.ipv4.address assignments.hi.ipv6.address
            assignments.lo.ipv4.address assignments.lo.ipv6.address
          ];
          allowFrom = [
            "127.0.0.0/8" "::1/128"
            prefixes.hi.v4 prefixes.hi.v6
            prefixes.lo.v4 prefixes.lo.v6
          ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
        };
        settings = {
-          query-local-address = [
+          incoming = {
-            "0.0.0.0"
+            listen = [
-            "::"
+              "127.0.0.1" "::1"
-          ];
+              assignments.hi.ipv4.address assignments.hi.ipv6.address
-          forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
+              assignments.lo.ipv4.address assignments.lo.ipv6.address
            ];
            allow_from = [
              "127.0.0.0/8" "::1/128"
              prefixes.hi.v4 prefixes.hi.v6
              prefixes.lo.v4 prefixes.lo.v6
            ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
-          # DNS NOTIFY messages override TTL
+            # DNS NOTIFY messages override TTL
-          allow-notify-for = authZones;
+            allow_notify_for = authZones;
-          allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
+            allow_notify_from = [ "127.0.0.0/8" "::1/128" ];
          };
-          webserver = true;
+          outgoing = {
-          webserver-address = "::";
+            source_address = [ "0.0.0.0" "::" ];
-          webserver-allow-from = [ "127.0.0.1" "::1" ];
+          };
-          lua-dns-script = pkgs.writeText "pdns-script.lua" ''
+          recursor = {
-            -- Disney+ doesn't like our IP space...
+            forward_zones = map (z: {
-            function preresolve(dq)
+              zone = z;
-              local name = dq.qname:toString()
+              forwarders = [ "127.0.0.1:5353" ];
-              if dq.qtype == pdns.AAAA and (string.find(name, "disneyplus") or string.find(name, "disney-plus") or string.find(name , "disney.api")) then
+            }) authZones;
-                dq.rcode = 0
+
-                return true
+            lua_dns_script = pkgs.writeText "pdns-script.lua" ''
              blocklist = newDS()
              function preresolve(dq)
                local name = dq.qname:toString()
                -- Disney+ doesn't like our IP space...
                if dq.qtype == pdns.AAAA and (string.find(name, "disneyplus") or string.find(name, "disney-plus") or string.find(name , "disney.api")) then
                  dq.rcode = 0
                  return true
                end
                if blocklist:check(dq.qname) then
                  if dq.qtype == pdns.A then
                    dq:addAnswer(dq.qtype, "127.0.0.1")
                  elseif dq.qtype == pdns.AAAA then
                    dq:addAnswer(dq.qtype, "::1")
                  end
                  return true
                end
                return false
              end
-              return false
+              for line in io.lines("${./dns-blocklist.txt}") do
-            end
+                entry = line:gsub("%s+", "")
-          '';
+                if entry ~= "" and string.sub(entry, 1, 1) ~= "#" then
                  blocklist:add(entry)
                end
              end
            '';
          };
          webservice = {
            webserver = true;
            address = "::";
            allow_from = [ "127.0.0.1" "::1" ];
          };
        };
      };
    };
@@ -206,6 +232,9 @@ in
            ups IN A ${net.cidr.host 20 prefixes.lo.v4}
            palace-kvm IN A ${net.cidr.host 21 prefixes.lo.v4}
            reolink-living-room IN A ${net.cidr.host 45 prefixes.lo.v4}
            nixlight IN A ${net.cidr.host 46 prefixes.lo.v4}
            ${lib.my.dns.fwdRecords {
              inherit allAssignments names;
              domain = config.networking.domain;
@@ -2,7 +2,7 @@
 import argparse
 import subprocess
-import CloudFlare
+import cloudflare
 def main():
    parser = argparse.ArgumentParser(description='Cloudflare DNS update script')
@@ -19,17 +19,22 @@ def main():
    if args.api_token_file:
        with open(args.api_token_file) as f:
            cf_token = f.readline().strip()
    cf = cloudflare.Cloudflare(api_token=cf_token)
-    cf = CloudFlare.CloudFlare(token=cf_token)
+    zones = list(cf.zones.list(name=args.zone))
    zones = cf.zones.get(params={'name': args.zone})
    assert zones, f'Zone {args.zone} not found'
-    records = cf.zones.dns_records.get(zones[0]['id'], params={'name': args.record})
+    assert len(zones) == 1, f'More than one zone found for {args.zone}'
    zone = zones[0]
    records = list(cf.dns.records.list(zone_id=zone.id, name=args.record, type='A'))
    assert records, f'Record {args.record} not found in zone {args.zone}'
    assert len(records) == 1, f'More than one record found for {args.record}'
    record = records[0]
    print(f'Updating {args.record} -> {address}')
-    cf.zones.dns_records.patch(
+    cf.dns.records.edit(
-        zones[0]['id'], records[0]['id'],
+        zone_id=zone.id, dns_record_id=record.id, name=args.record,
-        data={'type': 'A', 'name': args.record, 'content': address})
+        type='A', content=address)
 if __name__ == '__main__':
    main()
@@ -132,6 +132,59 @@ in
                  hw-address = "24:8a:07:a8:fe:3a";
                  ip-address = net.cidr.host 40 prefixes.lo.v4;
                }
                {
                  # avr
                  hw-address = "8c:a9:6f:30:03:6b";
                  ip-address = net.cidr.host 41 prefixes.lo.v4;
                }
                {
                  # tv
                  hw-address = "00:a1:59:b8:4d:86";
                  ip-address = net.cidr.host 42 prefixes.lo.v4;
                }
                {
                  # android tv
                  hw-address = "b8:7b:d4:95:c6:74";
                  ip-address = net.cidr.host 43 prefixes.lo.v4;
                }
                {
                  # hass-panel
                  hw-address = "80:30:49:cd:d7:51";
                  ip-address = net.cidr.host 44 prefixes.lo.v4;
                }
                {
                  # reolink-living-room
                  hw-address = "ec:71:db:30:69:a4";
                  ip-address = net.cidr.host 45 prefixes.lo.v4;
                }
                {
                  # nixlight
                  hw-address = "00:4b:12:3b:d3:14";
                  ip-address = net.cidr.host 46 prefixes.lo.v4;
                }
              ];
            }
            {
              id = 3;
              subnet = prefixes.untrusted.v4;
              interface = "lan-untrusted";
              option-data = [
                {
                  name = "routers";
                  data = vips.untrusted.v4;
                }
                {
                  name = "domain-name-servers";
                  data = "1.1.1.1, 1.0.0.1";
                }
              ];
              pools = [
                {
                  pool = if index == 0
                    then "192.168.80.10 - 192.168.80.127"
                    else "192.168.80.128 - 192.168.80.250";
                }
              ];
            }
          ];
@@ -20,10 +20,7 @@ let
  };
  vlanIface = vlan: if vlan == "as211024" then vlan else "lan-${vlan}";
-  vrrpIPs = family: concatMap (vlan: (optional (family == "v6") {
+  vrrpIPs = family: concatMap (vlan: [
      addr = "fe80::1/64";
      dev = vlanIface vlan;
    }) ++ [
    {
      addr = "${vips.${vlan}.${family}}/${toString (net.cidr.length prefixes.${vlan}.${family})}";
      dev = vlanIface vlan;
@@ -64,6 +61,9 @@ in
        v4 = mkVRRP "v4" 51;
        v6 = (mkVRRP "v6" 52) // {
          extraConfig = ''
            virtual_ipaddress_excluded {
              ${concatMapStringsSep "\n" (vlan: "fe80::1/64 dev ${vlanIface vlan}") (attrNames vips)}
            }
            notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root
            notify_backup "${config.systemd.package}/bin/systemctl stop radvd.service" root
          '';
@@ -24,8 +24,8 @@ in
        onState = [ "routable" ];
        script = ''
          #!${pkgs.runtimeShell}
-          if [ $IFACE = "lan" ]; then
+          if [ "$IFACE" = "lan" ]; then
-            ${mstpd}/sbin/mstpctl setforcevers $IFACE rstp
+            ${mstpd}/sbin/mstpctl setforcevers "$IFACE" rstp
          fi
        '';
      };
@@ -45,12 +45,12 @@
        services = {
          mjpg-streamer = {
-            enable = true;
+            enable = false;
            inputPlugin = "input_uvc.so";
            outputPlugin = "output_http.so -w @www@ -n -p 5050";
          };
          octoprint = {
-            enable = true;
+            enable = false;
            host = "::";
            extraConfig = {
              plugins = {
@@ -29,7 +29,7 @@ in
        hardware.graphics = {
          enable = true;
          extraPackages = with pkgs; [
-            vaapiIntel
+            intel-vaapi-driver
            intel-ocl
          ];
        };
@@ -73,8 +73,8 @@ in
              RootDirectory = lib.mkForce "";
            };
-            radarr.serviceConfig.UMask = "0002";
+            radarr.serviceConfig.UMask = lib.mkForce "0002";
-            sonarr.serviceConfig.UMask = "0002";
+            sonarr.serviceConfig.UMask = lib.mkForce "0002";
          };
        };
@@ -89,6 +89,7 @@ in
        services = {
          transmission = {
            enable = true;
            package = pkgs.transmission_4;
            downloadDirPermissions = null;
            performanceNetParameters = true;
            settings = {
@@ -60,7 +60,7 @@ in
                "*.${domain}"
              ];
              dnsProvider = "cloudflare";
-              credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
+              environmentFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
            };
          };
        };
@@ -88,16 +88,18 @@ in
        };
        services = {
-          resolved.extraConfig = mkForce "";
+          resolved.settings.Resolve = mkForce { };
          nextcloud = {
            enable = true;
-            package = pkgs.nextcloud29;
+            # TODO: Might need to do some bullshit to go from Nextcloud 28 (?) to 32
            package = pkgs.nextcloud32;
            datadir = "/mnt/storage/nextcloud";
            hostName = "cloud.${domain}";
            https = true;
            config = {
              adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
              dbtype = "sqlite";
            };
            settings = {
              updatechecker = false;
@@ -13,11 +13,6 @@ in
          owner = "nginx";
          group = "nginx";
        };
        "dhparams.pem" = {
          owner = "acme";
          group = "acme";
          mode = "440";
        };
      };
      firewall = {
@@ -35,7 +30,6 @@ in
        recommendedTlsSettings = true;
        clientMaxBodySize = "0";
        serverTokens = true;
        sslDhparam = config.age.secrets."dhparams.pem".path;
        # Based on recommended*Settings, but probably better to be explicit about these
        appendHttpConfig = ''
@@ -99,12 +99,6 @@
            };
          };
          resolved = {
            enable = true;
            extraConfig = mkForce "";
            dnssec = "false";
          };
          fprintd.enable = true;
          blueman.enable = true;
@@ -118,7 +112,7 @@
          steam.enable = true;
          wireshark = {
            enable = true;
-            package = pkgs.wireshark-qt;
+            package = pkgs.wireshark;
          };
        };
@@ -23,7 +23,7 @@ let
      pkgs = pkgs'.${config'.nixpkgs}.${config'.system};
      allPkgs = mapAttrs (_: p: p.${config'.system}) pkgs';
-      modules' = [ hmFlakes.${config'.home-manager}.nixosModule ] ++ (attrValues cfg.modules);
+      modules' = [ hmFlakes.${config'.home-manager}.nixosModules.default ] ++ (attrValues cfg.modules);
    in
    # Import eval-config ourselves since the flake now force-sets lib
    import "${pkgsFlake}/nixos/lib/eval-config.nix" {
@@ -31,8 +31,10 @@
            server.enable = true;
          };
          image = {
            baseName = "jackos-installer";
          };
          isoImage = {
            isoBaseName = "jackos-installer";
            volumeID = "jackos-${config.system.nixos.release}-${pkgs.stdenv.hostPlatform.uname.processor}";
            edition = "devplayer0";
            appendToMenuLabel = " /dev/player0 Installer";
@@ -97,7 +99,7 @@
          # Enable wpa_supplicant, but don't start it by default.
          networking.wireless.enable = mkDefault true;
-          networking.wireless.userControlled.enable = true;
+          networking.wireless.userControlled = true;
          systemd.services.wpa_supplicant.wantedBy = mkForce [];
          # Tell the Nix evaluator to garbage collect more aggressively.
@@ -14,7 +14,7 @@
    network = ./network.nix;
    pdns = ./pdns.nix;
    nginx-sso = ./nginx-sso.nix;
-    gui = ./gui.nix;
+    gui = ./gui;
    l2mesh = ./l2mesh.nix;
    borgthin = ./borgthin.nix;
    nvme = ./nvme;
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ inputs, lib, pkgs, config, ... }:
 let
  inherit (builtins) substring match;
  inherit (lib)
@@ -127,7 +127,9 @@ in
    enable = mkBoolOpt' false "Whether to enable borgthin jobs";
    lvmPackage = mkOpt' package pkgs.lvm2 "Packge containing LVM tools";
    thinToolsPackage = mkOpt' package pkgs.thin-provisioning-tools "Package containing thin-provisioning-tools";
-    package = mkOpt' package pkgs.borgthin "borgthin package";
+    # Really we should use the version from the overlay, but the package is quite far behind...
    # Not bothering to update until Borg 2.0 releases
    package = mkOpt' package inputs.borgthin.packages.${config.nixpkgs.system}.borgthin "borgthin package";
    jobs = mkOpt' (attrsOf jobType) { } "borgthin jobs";
  };
@@ -221,8 +221,8 @@ in
      memorySize = dummyOption;
      qemu.options = dummyOption;
    };
    image.baseName = dummyOption;
    isoImage = {
      isoBaseName = dummyOption;
      volumeID = dummyOption;
      edition = dummyOption;
      appendToMenuLabel = dummyOption;
@@ -9,9 +9,11 @@ in
  };
  imports = [
-    inputs.impermanence.nixosModule
+    inputs.impermanence.nixosModules.default
    inputs.ragenix.nixosModules.age
    inputs.sharry.nixosModules.default
    inputs.copyparty.nixosModules.default
    inputs.harmonia.nixosModules.harmonia
  ];
  config = mkMerge [
@@ -36,6 +38,15 @@ in
          enable = mkDefault true;
          wheelNeedsPassword = mkDefault false;
        };
        # TODO: Add this to fix login 
        # pam = {
        #   services = {
        #     kmscon.rules. = mkIf config.services.kmscon.config.libseat {
        #     };
        #   };
        # };
      };
      nix = {
@@ -65,10 +76,13 @@ in
      };
      nixpkgs = {
        overlays = [
-          inputs.deploy-rs.overlay
+          inputs.deploy-rs.overlays.default
          inputs.sharry.overlays.default
-          inputs.borgthin.overlays.default
+          # TODO: Re-enable when borgthin is updated
          # inputs.borgthin.overlays.default
          inputs.boardie.overlays.default
          inputs.copyparty.overlays.default
          inputs.hass-west-wood.overlays.default
        ];
        config = {
          allowUnfree = true;
@@ -135,6 +149,7 @@ in
          bash-completion
          git
          unzip
          tcpdump
        ]
        (mkIf config.services.netdata.enable [ netdata ])
      ];
@@ -152,16 +167,14 @@ in
      };
      services = {
-        kmscon = {
+        # TODO: Remove if-else when 26.11 releases
-          # As it turns out, kmscon hasn't been updated in years and has some bugs...
+        kmscon = if (config.system.nixos.release == "26.06:u-26.11") then {
          enable = mkDefault false;
-          hwRender = mkDefault true;
+          config = {
-          extraOptions = "--verbose";
+            hwaccel = config.hardware.graphics.enable;
-          extraConfig =
+            font-name = "SauceCodePro Nerd Font Mono";
-            ''
+          };
-              font-name=SauceCodePro Nerd Font Mono
+        } else { };
            '';
        };
        getty.greetingLine = mkDefault' ''<<< Welcome to ${config.system.nixos.distroName} ${config.system.nixos.label} (\m) - \l >>>'';
        openssh = {
@@ -242,7 +255,7 @@ in
      };
    }
    (mkIf config.services.kmscon.enable {
-      fonts.fonts = with pkgs; [
+      fonts.packages = with pkgs; [
        nerd-fonts.sauce-code-pro
      ];
    })
@@ -15,6 +15,7 @@ let
    passAsFile = [ "code" ];
    code = ''
      #include <stdio.h>
      #include <stdlib.h>
      #include <signal.h>
      #include <unistd.h>
      #include <systemd/sd-daemon.h>
@@ -45,8 +45,9 @@ let
        journalctl -o cat --no-pager -n 0 -f -u "$unit" &
        jPid=$!
        # shellcheck disable=SC2329
        cleanup() {
          # shellcheck disable=SC2317
          kill "$jPid"
        }
        trap cleanup EXIT
@@ -1,9 +1,15 @@
 { lib, pkgs, config, ... }:
 let
-  inherit (lib) optional mkIf mkDefault mkMerge;
+  inherit (lib) optional mkIf mkDefault mkMerge mkOverride;
  inherit (lib.my) mkBoolOpt';
  cfg = config.my.gui;
  androidUdevRules = pkgs.runCommand "udev-rules-android" {
    rulesFile = ./android-udev.rules;
  } ''
    install -D "$rulesFile" "$out"/lib/udev/rules.d/51-android.rules
  '';
 in
 {
  options.my.gui = with lib.types; {
@@ -26,12 +32,29 @@ in
      pam.services.swaylock-plugin = {};
    };
    users = {
      groups = {
        adbusers.gid = lib.my.c.ids.gids.adbusers;
      };
    };
    environment.systemPackages = with pkgs; [
      # for pw-jack
      pipewire.jack
      swaylock-plugin
    ];
    services = {
      resolved = {
        settings.Resolve = {
          FallbackDNS = mkOverride 99 (
            "1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google " +
            "1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google " +
            "2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google " +
            "2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google" );
          LLMNR = "resolve";
        };
      };
      pipewire = {
        enable = true;
        alsa.enable = true;
@@ -44,8 +67,12 @@ in
      gnome = {
        gnome-keyring.enable = true;
      };
      udisks2.enable = true;
      udev = {
        packages = [
          androidUdevRules
        ];
        extraRules = ''
          # Nvidia
          SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="wheel"
@@ -67,7 +94,7 @@ in
      gyre-fonts # TrueType substitutes for standard PostScript fonts
      liberation_ttf
      unifont
-      noto-fonts-emoji
+      noto-fonts-color-emoji
    ];
    xdg = {
@@ -88,5 +115,13 @@ in
        ];
      };
    };
    my = {
      user = {
        config = {
          extraGroups = [ "adbusers" ];
        };
      };
    };
  };
 }
@@ -5,19 +5,10 @@ let
  cfg = config.my.netboot;
  ipxe = pkgs.ipxe.overrideAttrs (o: rec {
    version = "1.21.1-unstable-2024-06-27";
    src = pkgs.fetchFromGitHub {
      owner = "ipxe";
      repo = "ipxe";
      rev = "b66e27d9b29a172a097c737ab4d378d60fe01b05";
      hash = "sha256-TKZ4WjNV2oZIYNefch7E7m1JpeoC/d7O1kofoNv8G40=";
    };
  });
  tftpRoot = pkgs.linkFarm "tftp-root" [
    {
      name = "ipxe-x86_64.efi";
-      path = "${ipxe}/ipxe.efi";
+      path = "${pkgs.ipxe}/ipxe.efi";
    }
  ];
  menuFile = pkgs.runCommand "menu.ipxe" {
@@ -26,23 +17,25 @@ let
    substituteAll ${./menu.ipxe} "$out"
  '';
-  bootBuilder = pkgs.substituteAll {
+  bootBuilder = pkgs.replaceVarsWith {
    src = ./netboot-loader-builder.py;
    isExecutable = true;
-    inherit (pkgs) python3;
+    replacements = {
-    bootspecTools = pkgs.bootspec;
+      inherit (pkgs) python3;
-    nix = config.nix.package.out;
+      bootspecTools = pkgs.bootspec;
      nix = config.nix.package.out;
-    inherit (config.system.nixos) distroName;
+      inherit (config.system.nixos) distroName;
-    systemName = config.system.name;
+      systemName = config.system.name;
-    inherit (cfg.client) configurationLimit;
+      inherit (cfg.client) configurationLimit;
-    checkMountpoints = pkgs.writeShellScript "check-mountpoints" ''
+      checkMountpoints = pkgs.writeShellScript "check-mountpoints" ''
-      if ! ${pkgs.util-linuxMinimal}/bin/findmnt /boot > /dev/null; then
+        if ! ${pkgs.util-linuxMinimal}/bin/findmnt /boot > /dev/null; then
-        echo "/boot is not a mounted partition. Is the path configured correctly?" >&2
+          echo "/boot is not a mounted partition. Is the path configured correctly?" >&2
-        exit 1
+          exit 1
-      fi
+        fi
-    '';
+      '';
    };
  };
 in
 {
@@ -0,0 +1,48 @@
 From 7f75d320f6d8ac7ec5185b2145da87f698aec273 Mon Sep 17 00:00:00 2001
 From: Michael Brown <mcb30@ipxe.org>
 Date: Mon, 2 Sep 2024 12:24:57 +0100
 Subject: [PATCH] [etherfabric] Fix use of uninitialised variable in
 falcon_xaui_link_ok()
 The link status check in falcon_xaui_link_ok() reads from the
 FCN_XX_CORE_STAT_REG_MAC register only on production hardware (where
 the FPGA version reads as zero), but modifies the value and writes
 back to this register unconditionally.  This triggers an uninitialised
 variable warning on newer versions of gcc.
 Fix by assuming that the register exists only on production hardware,
 and so moving the "modify-write" portion of the "read-modify-write"
 operation to also be covered by the same conditional check.
 Signed-off-by: Michael Brown <mcb30@ipxe.org>
 ---
 src/drivers/net/etherfabric.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
 diff --git a/src/drivers/net/etherfabric.c b/src/drivers/net/etherfabric.c
 index b40596beae7..be30b71f79f 100644
 --- a/src/drivers/net/etherfabric.c
 +++ b/src/drivers/net/etherfabric.c
@@ -2225,13 +2225,16 @@ falcon_xaui_link_ok ( struct efab_nic *efab )
 		sync = ( sync == FCN_XX_SYNC_STAT_DECODE_SYNCED );
 		link_ok = align_done && sync;
 -	}
 -	/* Clear link status ready for next read */
 -	EFAB_SET_DWORD_FIELD ( reg, FCN_XX_COMMA_DET, FCN_XX_COMMA_DET_RESET );
 -	EFAB_SET_DWORD_FIELD ( reg, FCN_XX_CHARERR, FCN_XX_CHARERR_RESET);
 -	EFAB_SET_DWORD_FIELD ( reg, FCN_XX_DISPERR, FCN_XX_DISPERR_RESET);
 -	falcon_xmac_writel ( efab, &reg, FCN_XX_CORE_STAT_REG_MAC );
 +		/* Clear link status ready for next read */
 +		EFAB_SET_DWORD_FIELD ( reg, FCN_XX_COMMA_DET,
 +				       FCN_XX_COMMA_DET_RESET );
 +		EFAB_SET_DWORD_FIELD ( reg, FCN_XX_CHARERR,
 +				       FCN_XX_CHARERR_RESET );
 +		EFAB_SET_DWORD_FIELD ( reg, FCN_XX_DISPERR,
 +				       FCN_XX_DISPERR_RESET );
 +		falcon_xmac_writel ( efab, &reg, FCN_XX_CORE_STAT_REG_MAC );
 +	}
 	has_phyxs = ( efab->phy_op->mmds & ( 1 << MDIO_MMD_PHYXS ) );
 	if ( link_ok && has_phyxs ) {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
jackos1998	a7ea91f529	docs: Document the boxes Add a top-level `README.md` mapping the boxes and per-machine docs under `docs/boxes/` (grouped `colony/`, `home/`, `misc/`), one file per host, VM and container documenting role, services and networking with source pointers. Also point `AGENTS.md` at the new docs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-14 22:45:20 +01:00
jackos1998	90cc2d53f1	Update CI workflow to Ubuntu 26.04 CI / Check, build and cache nixfiles (push) Successful in 46m23s Details	2026-06-14 20:37:53 +01:00
jackos1998	b044504938	nixos/git: Update Gitea Actions runner Bump runner labels to node 24 / Trixie and Ubuntu 26.04. The upstream module now generates the runner config from the `settings` option and wires `ExecStart` itself, so drop the hand-written config file and `ExecStart` override. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-14 20:37:36 +01:00
jackos1998	98ccc23ef5	devshell: Add `check-system` and `ssh-machine` utilities `check-system` evaluates a NixOS config without building it; `ssh-machine` SSHs to a system or home by name, resolving the target and ssh options from its `deploy-rs` node. Document both in `AGENTS.md`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-14 20:36:15 +01:00
jackos1998	d7e8ca52a0	Add AGENTS.md Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-14 19:31:59 +01:00
jackos1998	f1cc0fa25c	nixos/estuary: Add Meta NL-ix peering CI / Check, build and cache nixfiles (push) Has been cancelled Details	2026-06-14 03:15:28 +01:00
jackos1998	43828ad34c	nixos/hass: Add West Wood integration CI / Check, build and cache nixfiles (push) Has been cancelled Details	2026-06-14 03:08:33 +01:00
jackos1998	36d7e4a7e3	home-manager/gui: Add Claude status line	2026-06-14 03:08:00 +01:00
jackos1998	2f7d5d3908	nixos/castle: Add claude...	2026-06-14 00:24:05 +01:00
jackos1998	f3a0ca3f57	devshell: Allow deploy-multi without options CI / Check, build and cache nixfiles (push) Has been cancelled Details	2026-06-13 22:11:23 +01:00
jackos1998	023b3f6605	nixos/tmproot: Add manpage cache	2026-06-13 21:53:29 +01:00
jackos1998	ecd3a46591	home-manager/gui: Add easyeffects CI / Check, build and cache nixfiles (push) Failing after 1h52m48s Details	2026-06-13 20:42:12 +01:00
jackos1998	6bcca599e2	devshell: Fix `json2nix` warning	2026-06-13 20:36:46 +01:00
jackos1998	93529c578b	"Release" 26.06 Irritating CI / Check, build and cache nixfiles (push) Successful in 2h20m51s Details	2026-06-13 16:00:18 +01:00
jackos1998	bb32784962	nixos/jackflix: Update external port CI / Check, build and cache nixfiles (push) Successful in 1h11m55s Details	2026-06-06 19:48:02 +01:00
jackos1998	6ffa35c414	nixos/chatterbox: Bump mautrix bridges CI / Check, build and cache nixfiles (push) Successful in 1h14m35s Details	2026-06-01 20:19:51 +01:00
jackos1998	3cc5448410	nixos/user: Add to group `disk` CI / Check, build and cache nixfiles (push) Successful in 1h4m36s Details	2026-04-18 21:50:36 +01:00
jackos1998	ee4178ee2d	nixos/chatterbox: Update mautrix-whatsapp to 26.03 CI / Check, build and cache nixfiles (push) Successful in 1h7m26s Details	2026-04-12 18:36:06 +01:00
jackos1998	2bf18319c9	nixos/routing-common: Fix keepalived link-local addresses CI / Check, build and cache nixfiles (push) Successful in 1h17m1s Details	2026-03-16 15:12:46 +00:00
jackos1998	a394b9124a	nixos/routing-common: Fix Cloudflare	2026-03-16 13:37:16 +00:00
jackos1998	5bc48d33a3	nixos: Add tcpdump on all machines	2026-03-16 13:33:08 +00:00
jackos1998	365ef5d49d	Update nixpkgs for terraria-server CI / Check, build and cache nixfiles (push) Successful in 1h3m49s Details	2026-03-10 21:27:14 +00:00
jackos1998	0206d52fa2	nixos/netboot: Remove pinned iPXE CI / Check, build and cache nixfiles (push) Successful in 1h15m47s Details	2026-03-08 14:36:07 +00:00
jackos1998	5526e07e65	Update harmonia CI / Check, build and cache nixfiles (push) Failing after 2h25m26s Details	2026-03-07 17:09:50 +00:00
jackos1998	dde682390f	nixos/castle: Add lan-lo CI / Check, build and cache nixfiles (push) Failing after 6m27s Details	2026-03-04 21:30:53 +00:00
jackos1998	4ec59a64ce	nixos/home/routing-common: Add DHCP pool for untrusted LAN	2026-03-03 20:15:45 +00:00
jackos1998	c9c788e261	nixos/estuary: Add john-valorant CI / Check, build and cache nixfiles (push) Failing after 6m15s Details	2026-03-01 22:57:03 +00:00
jackos1998	21c24216b4	nixos/whale2: Update Graeme difficulty CI / Check, build and cache nixfiles (push) Failing after 6m28s Details	2026-02-17 22:47:25 +00:00
jackos1998	2ecd350fcc	nixos/whale2: Update graeme whitelist	2026-02-17 21:54:02 +00:00
jackos1998	3aa873d52a	nixos/whale2: Add graeme CI / Check, build and cache nixfiles (push) Failing after 6m31s Details	2026-02-16 22:49:22 +00:00
jackos1998	0a8ad18de8	nixos/jackflix: Add ffmpeg CI / Check, build and cache nixfiles (push) Failing after 6m16s Details	2026-02-15 19:56:54 +00:00
jackos1998	b6b94fea5a	Update nixpkgs-mine for Terraria 1.4.5.5 CI / Check, build and cache nixfiles (push) Failing after 6m18s Details	2026-02-11 22:16:07 +00:00
jackos1998	de9762b272	shill: Add Terraria server CI / Check, build and cache nixfiles (push) Failing after 7m4s Details	2026-02-09 00:06:13 +00:00
jackos1998	8d1f4d51d0	nixos/deploy-rs: Fix systemd-util shellcheck	2026-02-08 21:17:00 +00:00
jackos1998	f1dc04ec4b	Update inputs CI / Check, build and cache nixfiles (push) Failing after 6m18s Details	2026-01-20 15:13:27 +00:00
jackos1998	7951c777cb	nixos/sfh: Disable unifi CI / Check, build and cache nixfiles (push) Successful in 1h13m56s Details	2025-12-06 21:59:34 +00:00
jackos1998	b031840f81	nixos/object: Fix harmonia CI / Check, build and cache nixfiles (push) Failing after 3h13m40s Details	2025-12-06 15:39:47 +00:00
jackos1998	45861bef08	"Release" 25.11 Hooray	2025-12-06 15:18:36 +00:00
jackos1998	4433395125	nixos/chatterbox: Restore old WhatsApp display name template CI / Check, build and cache nixfiles (push) Failing after 19s Details	2025-12-04 10:06:06 +00:00
jackos1998	3306aaab5e	nixos/chatterbox: Upgrade mautrix bridges to v25.11	2025-12-04 10:06:06 +00:00
jackos1998	4480302c65	nixos/estuary: Remove old Frys-IX subnet CI / Check, build and cache nixfiles (push) Failing after 21s Details	2025-12-01 22:41:13 +00:00
jackos1998	be7fb5a243	home-manager/common: Fix overlays CI / Check, build and cache nixfiles (push) Successful in 2h39m0s Details	2025-10-06 10:54:12 +01:00
jackos1998	25758bae08	nixos/middleman: SNAT IPv6 to assigned address CI / Check, build and cache nixfiles (push) Successful in 2h38m2s Details	2025-10-01 11:10:41 +01:00
jackos1998	7bfe9ad697	nixos/estuary: Add hillcrest WireGuard CI / Check, build and cache nixfiles (push) Successful in 2h27m17s Details	2025-09-27 02:24:35 +01:00
jackos1998	7db5e18974	nixos/jackflix: copyparty: Move `/pub` to `/` and put stuff at `/priv` CI / Check, build and cache nixfiles (push) Successful in 2h25m8s Details	2025-09-09 14:34:54 +01:00
jackos1998	20b7da74bf	nixos/jackflix: Remove unnecessary insecure packages exception CI / Check, build and cache nixfiles (push) Successful in 2h28m59s Details	2025-09-08 23:29:51 +01:00
jackos1998	adaf8b6a83	nixos/jackflix: Add copyparty	2025-09-08 23:28:31 +01:00
jackos1998	1f145334f3	nixos/britway: Disable `override_local_dns` for headscale CI / Check, build and cache nixfiles (push) Failing after 12m38s Details	2025-09-08 21:29:20 +01:00
jackos1998	abf9f1b465	home-manager/gui: Add ffmpeg CI / Check, build and cache nixfiles (push) Successful in 2h30m16s Details	2025-09-06 21:56:19 +01:00
jackos1998	f0740741a4	nixos/home/routing-common: Fix mstpd shellcheck CI / Check, build and cache nixfiles (push) Successful in 2h44m21s Details	2025-09-06 21:40:05 +01:00
jackos1998	0c0b66b8db	nixos/jackflix: Add FlareSolverr	2025-09-06 19:49:12 +01:00
jackos1998	bdf3c04595	nixos/git: Add NAT rules	2025-09-06 19:35:33 +01:00
jackos1998	02795a6ee4	nixos/nvme: Specify Host NQN on command line CI / Check, build and cache nixfiles (push) Failing after 2h24m47s Details	2025-09-06 18:02:18 +01:00
jackos1998	8fa4a7ee60	"Release" 25.09 Giving CI / Check, build and cache nixfiles (push) Failing after 31m46s Details	2025-09-06 17:14:09 +01:00
jackos1998	773674d879	nixos/chatterbox: Add adzerq to Instagram bridge CI / Check, build and cache nixfiles (push) Failing after 29m47s Details	2025-07-23 19:42:35 +01:00
jackos1998	12c5ca126d	nixos/middleman: kinkcraft Bluemap CI / Check, build and cache nixfiles (push) Failing after 30m2s Details	2025-06-07 23:28:20 +01:00
jackos1998	b38a2a07e2	nixos/estuary: Update FrysIX BGP config to new /23 CI / Check, build and cache nixfiles (push) Failing after 30m16s Details	2025-06-03 11:06:58 +01:00
jackos1998	0dc474887f	Add kinkcraft Minecraft server CI / Check, build and cache nixfiles (push) Failing after 30m20s Details	2025-05-29 20:51:56 +01:00
jackos1998	c8bd63ec3e	nixos: Add nixlight static IP and WLED hass integration CI / Check, build and cache nixfiles (push) Failing after 29m45s Details	2025-05-26 23:25:05 +01:00
jackos1998	d7522f3f97	nixos/whale2: Op kev in kevcraft CI / Check, build and cache nixfiles (push) Failing after 30m31s Details	2025-04-24 22:04:45 +01:00
jackos1998	58c76f822f	home-manager/gui: Use `tmux kill-session` in brainrot screensavers CI / Check, build and cache nixfiles (push) Failing after 29m19s Details	2025-04-14 13:27:01 +01:00
jackos1998	31bcde23b8	nixos/gui: Enable udisks2 CI / Check, build and cache nixfiles (push) Failing after 5m13s Details	2025-04-07 23:18:29 +01:00
jackos1998	fc2fa0666e	nixos/middleman: Increase `worker_processes` CI / Check, build and cache nixfiles (push) Failing after 5m10s Details	2025-03-28 16:42:54 +00:00
jackos1998	854cc48479	home-manager/gui: Add Brainrot story mode screensaver CI / Check, build and cache nixfiles (push) Failing after 29m6s Details	2025-03-28 11:01:46 +00:00
jackos1998	85a4b124e5	pkgs: Remove own terminaltexteffects CI / Check, build and cache nixfiles (push) Failing after 5m7s Details	2025-03-27 11:58:36 +00:00
jackos1998	f322f3ebac	home-manager/gui: Longer and looping brainrot screensavers CI / Check, build and cache nixfiles (push) Failing after 29m7s Details	2025-03-25 10:56:08 +00:00
jackos1998	bc74fb4968	home-manager/gui: Add brainrot screensavers CI / Check, build and cache nixfiles (push) Failing after 30m15s Details	2025-03-24 15:09:46 +00:00
jackos1998	584abd4991	nixos/home/hass: Add USB webcam CI / Check, build and cache nixfiles (push) Successful in 1h12m19s Details	2025-03-15 01:43:44 +00:00
jackos1998	05074a1fd9	nixos/home/hass: Basic Reolink camera setup CI / Check, build and cache nixfiles (push) Has been cancelled Details	2025-03-15 01:07:12 +00:00
jackos1998	69060dfbff	nixos/home/routing-common: Add static lease for hass-panel	2025-03-14 22:53:36 +00:00
jackos1998	8e288a9e2a	nixos/home/hass: Include scenes.yaml CI / Check, build and cache nixfiles (push) Successful in 1h17m11s Details	2025-03-14 17:48:18 +00:00
jackos1998	bb03b6fa76	nixos/home/hass: Add HEOS CI / Check, build and cache nixfiles (push) Successful in 1h0m24s Details	2025-03-12 01:55:46 +00:00
jackos1998	fd92cfae6e	nixos/home/hass: Include scripts.yaml CI / Check, build and cache nixfiles (push) Successful in 1h1m12s Details	2025-03-11 14:35:10 +00:00
jackos1998	25267d09a2	nixos/home/hass: Add androidtv_remote and alarmo CI / Check, build and cache nixfiles (push) Successful in 59m46s Details	2025-03-11 02:12:16 +00:00
jackos1998	f02f538ab2	nixos/home/routing-common: Add media DHCP reservations	2025-03-10 22:33:48 +00:00
jackos1998	d319657680	nixos/netboot: Use older iPXE with patch CI / Check, build and cache nixfiles (push) Successful in 1h3m31s Details	2025-03-10 22:23:08 +00:00
jackos1998	dff5a4e6d8	nixos/home/hass: Add Irish Rail integration CI / Check, build and cache nixfiles (push) Successful in 1h9m21s Details	2025-03-10 14:04:22 +00:00
jackos1998	2a8ced0fec	nixos/home/routing-common: Add DNS blocklist CI / Check, build and cache nixfiles (push) Successful in 1h6m52s Details	2025-03-10 10:46:21 +00:00
jackos1998	36c7096120	nixos/home/hass: Home Assistant CLI and automation fix CI / Check, build and cache nixfiles (push) Successful in 2h47m3s Details	2025-03-10 01:28:14 +00:00
jackos1998	adfcf2f848	nixos/home/hass: Initial Home Assistant setup CI / Check, build and cache nixfiles (push) Has been cancelled Details	2025-03-09 22:59:59 +00:00
jackos1998	a3870a4293	nixos/home/sfh: Introduce hass container CI / Check, build and cache nixfiles (push) Has been cancelled Details	2025-03-09 20:07:28 +00:00
jackos1998	8f4b61fc2b	Update inputs	2025-03-09 20:00:35 +00:00
jackos1998	44e3a3011a	nixos/stream: Disable octoprint for now CI / Check, build and cache nixfiles (push) Failing after 3m16s Details	2025-03-02 14:21:31 +00:00
jackos1998	45c972cca9	lib: Update public IPs	2025-03-02 13:40:22 +00:00
jackos1998	7bd5b8cbdf	nixos/whale2: Add kevcraft CI / Check, build and cache nixfiles (push) Failing after 2m33s Details	2025-02-18 17:15:03 +00:00
jackos1998	d1eb9cc981	nixos/toot: Add BlueSky PDS CI / Check, build and cache nixfiles (push) Failing after 3m4s Details	2025-01-31 14:54:40 +00:00
jackos1998	7a2ebf6872	nixos: Add ADB stuff CI / Check, build and cache nixfiles (push) Successful in 1h3m46s Details	2025-01-26 18:33:04 +00:00
jackos1998	72b8bd089c	nixos/uk: Add WireGuard VPN for access CI / Check, build and cache nixfiles (push) Successful in 1h15m33s Details	2025-01-22 19:19:03 +00:00
jackos1998	cff229f487	nixos: Add britway CI / Check, build and cache nixfiles (push) Successful in 1h3m58s Details	2025-01-19 23:58:51 +00:00
jackos1998	f3ac3cd67f	nixos/middleman: Add pubkey and HTTP access to p.nul.ie CI / Check, build and cache nixfiles (push) Successful in 51m34s Details	2025-01-16 15:20:57 +00:00