Weekly flake update: 2026-01-26 10:20 UTC

Changed the org-hugo-base-dir from an absolute path to a relative path using the home directory shortcut. This adjustment improves portability of the configuration across different environments.

TODO.md

@@ -0,0 +1,39 @@
+# Keycloak SSO Rollout (Server)
+
+## Compatible services to cover (assume up-to-date versions)
+- Gitea (OAuth2/OIDC)
+- Nextcloud (Social Login app)
+- Paperless-ngx (OIDC)
+- Mealie (OIDC v1+)
+- Jellyfin (OIDC plugin)
+- Kavita (OIDC-capable builds)
+- Readeck (OIDC-capable builds)
+- Audiobookshelf (OIDC-capable builds)
+- Matrix Synapse – intentionally excluded (see below) but natively OIDC if needed
+
+## Explicit exclusions (no SSO for now)
+- Syncplay
+- Matrix/Synapse
+- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr)
+- qbittorrent
+- sabnzbd
+- metube
+- multi-scrobbler
+- microbin
+- ryot
+- maloja
+- plex
+- atticd
+
+## Phased rollout plan
+1) Base identity
+   - Add Keycloak deployment/module and realm/client defaults.
+2) Gateway/proxy auth
+   - Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash).
+3) Native OIDC wiring
+   - Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients.
+4) Per-service rollout
+   - Enable per app in priority order; document client IDs/secrets and callback URLs.
+5) Verification
+   - Smoke-test login flows and cache any needed public keys/metadata.
+

config/base.nix

@@ -65,10 +65,13 @@
     groups = {
       users.gid = 100;
       piracy.gid = 985;
+      core.gid = 1251;
+      glue.gid = 6969;
     };
   };
   nixpkgs.config = {
     allowUnfree = true;
+    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ];
     permittedInsecurePackages = [
       "aspnetcore-runtime-wrapped-6.0.36"
       "aspnetcore-runtime-6.0.36"
@@ -151,6 +154,10 @@
       enable = true;
       nssmdns4 = true;
     };
+    clamav = {
+      daemon.enable = true;
+      updater.enable = true;
+    };
     openssh = {
       enable = true;
       openFirewall = true;
@@ -162,6 +169,40 @@
       };
     };
   };
-  fonts.fontconfig.enable = true;
+  fonts = {
+    fontconfig.enable = true;
+    packages =
+      let
+        customFonts = pkgs.stdenvNoCC.mkDerivation {
+          name = "custom-fonts";
+          src = inputs.fonts;
+          installPhase = ''
+            mkdir -p $out/share/fonts
+            find $src -type f \( \
+              -name "*.ttf" -o \
+              -name "*.otf" -o \
+              -name "*.woff" -o \
+              -name "*.woff2" \
+            \) -exec cp {} $out/share/fonts/ \;
+          '';
+        };
+      in
+      builtins.attrValues {
+        inherit customFonts;
+        inherit (pkgs)
+          symbola
+          comic-neue
+          cascadia-code
+          corefonts
+          ;
+        inherit (pkgs.nerd-fonts)
+          caskaydia-cove
+          open-dyslexic
+          comic-shanns-mono
+          iosevka
+          agave
+          ;
+      };
+  };
   powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
 }

config/derek.nix

@@ -0,0 +1,68 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  enableForDerek = {
+    enable = true;
+    users = "bearded_dragonn";
+  };
+in
+{
+  my = {
+    stylix = enableForDerek;
+    emacs = enableForDerek;
+    apps = {
+      art = enableForDerek;
+      gaming = enableForDerek;
+      multimedia.videoEditing = enableForDerek;
+    };
+    dev = {
+      nix = enableForDerek;
+      python = enableForDerek;
+      sh = enableForDerek;
+    };
+    shell = {
+      exercism = enableForDerek;
+      tools = enableForDerek;
+      multimedia = enableForDerek;
+    };
+  };
+  sops.secrets = lib.mkIf config.my.secureHost {
+    derek-password.neededForUsers = true;
+  };
+  services = {
+    tailscale.enable = true;
+    open-webui.enable = lib.mkForce false;
+    ollama.enable = lib.mkForce false;
+    sunshine = {
+      enable = true;
+      autoStart = false;
+      capSysAdmin = true;
+      openFirewall = true;
+    };
+  };
+  users.users.bearded_dragonn = {
+    isNormalUser = true;
+    createHome = true;
+    hashedPasswordFile = config.sops.secrets.derek-password.path;
+    packages = builtins.attrValues {
+      inherit (pkgs)
+        bottles
+        vscode
+        nextcloud-client
+        warp
+	handbrake
+        ;
+    };
+    extraGroups = [
+      "audio"
+      "video"
+      "input"
+      "games"
+    ];
+  };
+  home-manager.users.bearded_dragonn.home.stateVersion = "23.05";
+}

config/jawz.nix

@@ -61,6 +61,8 @@ in
       "scanner"
       "lp"
       "piracy"
+      "core"
+      "glue"
       "kavita"
       "video"
       "docker"

config/overlay.nix

@@ -10,6 +10,9 @@ in
 _final: prev: {
   handbrake = prev.handbrake.override { useGtk = true; };
   ripgrep = prev.ripgrep.override { withPCRE2 = true; };
+  blender = prev.blender.override { cudaSupport = true; };
+  sunshine = prev.sunshine.override { cudaSupport = true; };
+  obs-studio = prev.obs-studio.override { cudaSupport = true; };
   nautilus = prev.nautilus.overrideAttrs (old: {
     buildInputs =
       old.buildInputs
@@ -38,6 +41,15 @@ _final: prev: {
   waybar = prev.waybar.overrideAttrs (old: {
     mesonFlags = old.mesonFlags ++ [ "-Dexperimental=true" ];
   });
+  qbittorrent = prev.qbittorrent.overrideAttrs (_old: rec {
+    version = "5.1.3";
+    src = prev.fetchFromGitHub {
+      owner = "qbittorrent";
+      repo = "qBittorrent";
+      rev = "release-${version}";
+      hash = "sha256-RIItbrpkMFglO2NwbgpBhgBSk5+vdywatGVwnbWkNVQ=";
+    };
+  });
   inherit (pkgsU)
     code-cursor
     symbola

config/schemes.nix

@@ -71,7 +71,7 @@ in
     paul = mkScheme {
       color = "green";
       name = "valua";
-      polarity = "light";
+      polarity = "dark";
       image = "${wallpapers}/paul1.jpg";
       base16Scheme = {
         base00 = "#1a1f16"; # dark forest floor (was deep green-black)

config/stylix.nix

@@ -9,12 +9,19 @@ let
   schemesFile = import ./schemes.nix {
     inherit pkgs inputs;
   };
-  scheme = schemesFile.schemes.who;
+  scheme = schemesFile.schemes.space;
   cfg = config.my.stylix;
   gnomeEnabled = config.services.desktopManager.gnome.enable;
 in
 {
-  options.my.stylix.enable = lib.mkEnableOption "system-wide theming with Stylix";
+  options.my.stylix = {
+    enable = lib.mkEnableOption "system-wide theming with Stylix";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.stylix;
+      description = "Users to apply Stylix theming for";
+    };
+  };
   config = {
     stylix = {
       inherit (scheme) image polarity;
@@ -23,7 +30,7 @@ in
       targets.qt.platform = lib.mkForce "qtct";
     }
     // lib.optionalAttrs (scheme ? base16Scheme) { inherit (scheme) base16Scheme; };
-    home-manager.users.jawz = {
+    home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.stylix.users (user: {
       gtk = lib.mkIf (!cfg.enable && gnomeEnabled) {
         enable = true;
         iconTheme = {
@@ -37,16 +44,16 @@ in
         inherit (cfg) enable;
         autoEnable = cfg.enable;
         iconTheme = {
-          inherit (cfg) enable;
+          enable = true;
           package = scheme.iconPackage;
           light = "Papirus-Light";
           dark = "Papirus-Dark";
         };
         targets.librewolf = {
           firefoxGnomeTheme.enable = true;
-          profileNames = [ "jawz" ];
+          profileNames = [ user ];
         };
       };
-    };
+    });
   };
 }

dotfiles/doom/custom.el

@@ -6,7 +6,7 @@
  '(flycheck-flake8-maximum-line-length 88)
  '(safe-local-variable-values
    '((org-hugo-auto-export-on-save . t)
-     (org-hugo-base-dir . /home/jawz/Development/Websites/portfolio/)
+     (org-hugo-base-dir . "~/Development/Websites/portfolio/")
      (git-commit-major-mode . git-commit-elisp-text-mode))))
 (custom-set-faces
  ;; custom-set-faces was added by Custom.

environments/gnome.nix

@@ -1,38 +1,60 @@
 {
+  config,
+  inputs,
+  lib,
   pkgs,
   ...
 }:
+let
+  cfg = config.my.environments.gnome;
+in
 {
-  qt.enable = true;
-  services = {
-    gvfs.enable = true;
-    displayManager.gdm.enable = true;
-    desktopManager.gnome.enable = true;
+  options.my.environments.gnome = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Enable GNOME desktop environment";
+    };
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = "jawz";
+      description = "Users to install GNOME extensions for";
+    };
   };
-  environment.gnome.excludePackages = builtins.attrValues {
-    inherit (pkgs)
-      baobab
-      cheese
-      epiphany
-      gnome-characters
-      gnome-connections
-      gnome-font-viewer
-      gnome-photos
-      # gnome-text-editor
-      gnome-tour
-      yelp
-      gnome-music
-      totem
-      ;
-  };
-  users.users.jawz.packages = builtins.attrValues {
-    inherit (pkgs.gnomeExtensions)
-      tactile # window manager
-      freon # hardware temperature monitor
-      gamemode-shell-extension # I guess I'm a gamer now?
-      burn-my-windows # special effects for when closing windows
-      pano # clipboard manager
-      pop-shell
-      ;
+  config = lib.mkIf cfg.enable {
+    qt.enable = true;
+    services = {
+      gvfs.enable = true;
+      displayManager.gdm.enable = true;
+      desktopManager.gnome.enable = true;
+    };
+    environment.gnome.excludePackages = builtins.attrValues {
+      inherit (pkgs)
+        baobab
+        cheese
+        epiphany
+        gnome-characters
+        gnome-connections
+        gnome-font-viewer
+        gnome-photos
+        # gnome-text-editor
+        gnome-tour
+        yelp
+        gnome-music
+        totem
+        ;
+    };
+    users.users = inputs.self.lib.mkUserPackages lib cfg.users (
+      builtins.attrValues {
+        inherit (pkgs.gnomeExtensions)
+          tactile # window manager
+          freon # hardware temperature monitor
+          gamemode-shell-extension # I guess I'm a gamer now?
+          burn-my-windows # special effects for when closing windows
+          pano # clipboard manager
+          pop-shell
+          ;
+      }
+    );
   };
 }

environments/hyprland.nix

@@ -112,8 +112,8 @@ in
           "${mod} SHIFT, 8, movetoworkspace, 8"
           "${mod} SHIFT, 9, movetoworkspace, 9"
           "${mod} SHIFT, 0, movetoworkspace, 10"
-          "${mod}, F3, exec, grimblast save area ~/Pictures/screenshots/$(date +'%Y-%m-%d_%H-%M-%S').png"
-          "${mod} SHIFT, F3, exec, grimblast save screen ~/Pictures/screenshots/$(date +'%Y-%m-%d_%H-%M-%S').png"
+          "${mod}, F3, exec, grimblast save area ~/Pictures/Screenshots/$(date +'%Y-%m-%d_%H-%M-%S').png"
+          "${mod} SHIFT, F3, exec, grimblast save screen ~/Pictures/Screenshots/$(date +'%Y-%m-%d_%H-%M-%S').png"
         ];
         binde = [
           "${mod} SHIFT, h, moveactive, -20 0"

flake.lock

@@ -20,11 +20,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762356719,
-        "narHash": "sha256-qwd/xdoOya1m8FENle+4hWnydCtlXUWLAW/Auk6WL7s=",
+        "lastModified": 1767024902,
+        "narHash": "sha256-sMdk6QkMDhIOnvULXKUM8WW8iyi551SWw2i6KQHbrrU=",
         "owner": "hyprwm",
         "repo": "aquamarine",
-        "rev": "6d0b3567584691bf9d8fedb5d0093309e2f979c7",
+        "rev": "b8a0c5ba5a9fbd2c660be7dd98bdde0ff3798556",
         "type": "github"
       },
       "original": {
@@ -54,28 +54,28 @@
     "base16-fish": {
       "flake": false,
       "locked": {
-        "lastModified": 1754405784,
-        "narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=",
+        "lastModified": 1765809053,
+        "narHash": "sha256-XCUQLoLfBJ8saWms2HCIj4NEN+xNsWBlU1NrEPcQG4s=",
         "owner": "tomyun",
         "repo": "base16-fish",
-        "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
         "type": "github"
       },
       "original": {
         "owner": "tomyun",
         "repo": "base16-fish",
-        "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
         "type": "github"
       }
     },
     "base16-helix": {
       "flake": false,
       "locked": {
-        "lastModified": 1752979451,
-        "narHash": "sha256-0CQM+FkYy0fOO/sMGhOoNL80ftsAzYCg9VhIrodqusM=",
+        "lastModified": 1760703920,
+        "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
         "owner": "tinted-theming",
         "repo": "base16-helix",
-        "rev": "27cf1e66e50abc622fb76a3019012dc07c678fac",
+        "rev": "d646af9b7d14bff08824538164af99d0c521b185",
         "type": "github"
       },
       "original": {
@@ -182,11 +182,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1758112371,
-        "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=",
+        "lastModified": 1764873433,
+        "narHash": "sha256-1XPewtGMi+9wN9Ispoluxunw/RwozuTRVuuQOmxzt+A=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d",
+        "rev": "f7ffd917ac0d253dbd6a3bf3da06888f57c69f92",
         "type": "github"
       },
       "original": {
@@ -198,15 +198,15 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
-        "owner": "edolstra",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
         "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
-        "owner": "edolstra",
+        "owner": "NixOS",
         "repo": "flake-compat",
         "type": "github"
       }
@@ -216,11 +216,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1762440070,
-        "narHash": "sha256-xxdepIcb39UJ94+YydGP221rjnpkDZUlykKuF54PsqI=",
+        "lastModified": 1768135262,
+        "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "26d05891e14c88eb4a5d5bee659c0db5afb609d8",
+        "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
         "type": "github"
       },
       "original": {
@@ -234,11 +234,11 @@
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
       "locked": {
-        "lastModified": 1762440070,
-        "narHash": "sha256-xxdepIcb39UJ94+YydGP221rjnpkDZUlykKuF54PsqI=",
+        "lastModified": 1768135262,
+        "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "26d05891e14c88eb4a5d5bee659c0db5afb609d8",
+        "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
         "type": "github"
       },
       "original": {
@@ -293,11 +293,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756770412,
-        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+        "lastModified": 1767609335,
+        "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "4524271976b625a4a605beefd893f270620fd751",
+        "rev": "250481aafeb741edfe23d29195671c19b36b6dca",
         "type": "github"
       },
       "original": {
@@ -381,18 +381,20 @@
     "gnome-shell": {
       "flake": false,
       "locked": {
-        "lastModified": 1748186689,
-        "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=",
+        "host": "gitlab.gnome.org",
+        "lastModified": 1767737596,
+        "narHash": "sha256-eFujfIUQDgWnSJBablOuG+32hCai192yRdrNHTv0a+s=",
         "owner": "GNOME",
         "repo": "gnome-shell",
-        "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0",
-        "type": "github"
+        "rev": "ef02db02bf0ff342734d525b5767814770d85b49",
+        "type": "gitlab"
       },
       "original": {
+        "host": "gitlab.gnome.org",
         "owner": "GNOME",
-        "ref": "48.2",
+        "ref": "gnome-49",
         "repo": "gnome-shell",
-        "type": "github"
+        "type": "gitlab"
       }
     },
     "home-manager": {
@@ -402,15 +404,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1762787259,
-        "narHash": "sha256-t2U/GLLXHa2+kJkwnFNRVc2fEJ/lUfyZXBE5iKzJdcs=",
+        "lastModified": 1768949235,
+        "narHash": "sha256-TtjKgXyg1lMfh374w5uxutd6Vx2P/hU81aEhTxrO2cg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "37a3d97f2873e0f68711117c34d04b7c7ead8f4e",
+        "rev": "75ed713570ca17427119e7e204ab3590cc3bf2a5",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -460,11 +463,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762462052,
-        "narHash": "sha256-6roLYzcDf4V38RUMSqycsOwAnqfodL6BmhRkUtwIgdA=",
+        "lastModified": 1766946335,
+        "narHash": "sha256-MRD+Jr2bY11MzNDfenENhiK6pvN+nHygxdHoHbZ1HtE=",
         "owner": "hyprwm",
         "repo": "hyprgraphics",
-        "rev": "ffc999d980c7b3bca85d3ebd0a9fbadf984a8162",
+        "rev": "4af02a3925b454deb1c36603843da528b67ded6c",
         "type": "github"
       },
       "original": {
@@ -483,6 +486,7 @@
         "hyprlang": "hyprlang",
         "hyprutils": "hyprutils",
         "hyprwayland-scanner": "hyprwayland-scanner",
+        "hyprwire": "hyprwire",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -491,11 +495,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1762755326,
-        "narHash": "sha256-YYTzQUQDnVdtN3k40sC5kq6yL70riU8bM8cQLz38jzk=",
+        "lastModified": 1769284856,
+        "narHash": "sha256-slXgC5fwTk9E+kkm6+Oy16laDFo+whNXZKsmf4eigN8=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "0b1d690676589503f0addece30e936a240733699",
+        "rev": "c65c7614bc573c3f0150e31a31187057f48813df",
         "type": "github"
       },
       "original": {
@@ -537,11 +541,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762755186,
-        "narHash": "sha256-ZjjETUHtoEhVN7JI1Cbt3p/KcXpK8ZQaPHx7UkG1OgA=",
+        "lastModified": 1767023960,
+        "narHash": "sha256-R2HgtVS1G3KSIKAQ77aOZ+Q0HituOmPgXW9nBNkpp3Q=",
         "owner": "hyprwm",
         "repo": "hyprland-guiutils",
-        "rev": "66356e20a8ed348aa49c1b9ceace786e224225b3",
+        "rev": "c2e906261142f5dd1ee0bfc44abba23e2754c660",
         "type": "github"
       },
       "original": {
@@ -562,11 +566,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759610243,
-        "narHash": "sha256-+KEVnKBe8wz+a6dTLq8YDcF3UrhQElwsYJaVaHXJtoI=",
+        "lastModified": 1765214753,
+        "narHash": "sha256-P9zdGXOzToJJgu5sVjv7oeOGPIIwrd9hAUAP3PsmBBs=",
         "owner": "hyprwm",
         "repo": "hyprland-protocols",
-        "rev": "bd153e76f751f150a09328dbdeb5e4fab9d23622",
+        "rev": "3f3860b869014c00e8b9e0528c7b4ddc335c21ab",
         "type": "github"
       },
       "original": {
@@ -591,11 +595,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758927902,
-        "narHash": "sha256-LZgMds7M94+vuMql2bERQ6LiFFdhgsEFezE4Vn+Ys3A=",
+        "lastModified": 1764612430,
+        "narHash": "sha256-54ltTSbI6W+qYGMchAgCR6QnC1kOdKXN6X6pJhOWxFg=",
         "owner": "hyprwm",
         "repo": "hyprlang",
-        "rev": "4dafa28d4f79877d67a7d1a654cddccf8ebf15da",
+        "rev": "0d00dc118981531aa731150b6ea551ef037acddd",
         "type": "github"
       },
       "original": {
@@ -643,11 +647,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762463729,
-        "narHash": "sha256-2fYkU/mdz8WKY3dkDPlE/j6hTxIwqultsx4gMMsMns0=",
+        "lastModified": 1764592794,
+        "narHash": "sha256-7CcO+wbTJ1L1NBQHierHzheQGPWwkIQug/w+fhTAVuU=",
         "owner": "hyprwm",
         "repo": "hyprtoolkit",
-        "rev": "88483bdee5329ec985f0c8f834c519cd18cfe532",
+        "rev": "5cfe0743f0e608e1462972303778d8a0859ee63e",
         "type": "github"
       },
       "original": {
@@ -668,11 +672,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762387740,
-        "narHash": "sha256-gQ9zJ+pUI4o+Gh4Z6jhJll7jjCSwi8ZqJIhCE2oqwhQ=",
+        "lastModified": 1766253372,
+        "narHash": "sha256-1+p4Kw8HdtMoFSmJtfdwjxM4bPxDK9yg27SlvUMpzWA=",
         "owner": "hyprwm",
         "repo": "hyprutils",
-        "rev": "926689ddb9c0a8787e58c02c765a62e32d63d1f7",
+        "rev": "51a4f93ce8572e7b12b7284eb9e6e8ebf16b4be9",
         "type": "github"
       },
       "original": {
@@ -693,11 +697,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755184602,
-        "narHash": "sha256-RCBQN8xuADB0LEgaKbfRqwm6CdyopE1xIEhNc67FAbw=",
+        "lastModified": 1763640274,
+        "narHash": "sha256-Uan1Nl9i4TF/kyFoHnTq1bd/rsWh4GAK/9/jDqLbY5A=",
         "owner": "hyprwm",
         "repo": "hyprwayland-scanner",
-        "rev": "b3b0f1f40ae09d4447c20608e5a4faf8bf3c492d",
+        "rev": "f6cf414ca0e16a4d30198fd670ec86df3c89f671",
         "type": "github"
       },
       "original": {
@@ -706,6 +710,35 @@
         "type": "github"
       }
     },
+    "hyprwire": {
+      "inputs": {
+        "hyprutils": [
+          "hyprland",
+          "hyprutils"
+        ],
+        "nixpkgs": [
+          "hyprland",
+          "nixpkgs"
+        ],
+        "systems": [
+          "hyprland",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1767473322,
+        "narHash": "sha256-RGOeG+wQHeJ6BKcsSB8r0ZU77g9mDvoQzoTKj2dFHwA=",
+        "owner": "hyprwm",
+        "repo": "hyprwire",
+        "rev": "d5e7d6b49fe780353c1cf9a1cf39fa8970bd9d11",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hyprwm",
+        "repo": "hyprwire",
+        "type": "github"
+      }
+    },
     "jawz-scripts": {
       "inputs": {
         "nixpkgs": [
@@ -714,11 +747,11 @@
         "sudoku-solver": "sudoku-solver"
       },
       "locked": {
-        "lastModified": 1762799327,
-        "narHash": "sha256-HhIC8Ucb4ZruU7Yr1gV4qGVKkhuYpAhXbRnSfAmjQoY=",
+        "lastModified": 1768598739,
+        "narHash": "sha256-xBX3qJoJowBg80ZPTZ6RvoOkcrIY/RIxBYhq9XtrN8g=",
         "ref": "refs/heads/master",
-        "rev": "6efd55712d73e65c0fb4304cfd1649723bb757ef",
-        "revCount": 120,
+        "rev": "155967f8e9b1018766bbbe85baaedde3156b79ee",
+        "revCount": 126,
         "type": "git",
         "url": "https://git.lebubu.org/jawz/scripts.git"
       },
@@ -734,11 +767,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762901399,
-        "narHash": "sha256-idaZ4k8oynnXUWTLXKPwqbLHdaPmLH1FfjsRWXUM97I=",
+        "lastModified": 1763107451,
+        "narHash": "sha256-mG2RevGmQchx7FMK4F3GowUzMmD+JVva6Zt/sZnQTeQ=",
         "ref": "refs/heads/main",
-        "rev": "0b86143646f57aa52fab5182352ca0200e824571",
-        "revCount": 18,
+        "rev": "cc9521f7a402c0339d55911f3718967ec00c2666",
+        "revCount": 22,
         "type": "git",
         "url": "https://git.lebubu.org/vibe-coded/lidarr-mb-gap.git"
       },
@@ -755,11 +788,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762740007,
-        "narHash": "sha256-CtMgV9vfm16x/0NBQmQQe/Vbv423cPWeNfBtiVYcUBk=",
+        "lastModified": 1769394251,
+        "narHash": "sha256-IkL7t/k1kbCG3LHPhZD32c80m4QHFgCZ8bVTqN79kEM=",
         "owner": "fufexan",
         "repo": "nix-gaming",
-        "rev": "8dce0b23e30b03efbdc94e8db7cb27298446e4cc",
+        "rev": "2805bc370151d38eba406f5e3bfd111b02a13bcd",
         "type": "github"
       },
       "original": {
@@ -791,11 +824,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1751903740,
-        "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
+        "lastModified": 1764234087,
+        "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
+        "rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
         "type": "github"
       },
       "original": {
@@ -822,11 +855,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1761765539,
-        "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=",
+        "lastModified": 1765674936,
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
         "type": "github"
       },
       "original": {
@@ -837,11 +870,11 @@
     },
     "nixpkgs-lib_2": {
       "locked": {
-        "lastModified": 1761765539,
-        "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=",
+        "lastModified": 1765674936,
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
         "type": "github"
       },
       "original": {
@@ -870,27 +903,27 @@
     },
     "nixpkgs-small": {
       "locked": {
-        "lastModified": 1762800201,
-        "narHash": "sha256-uSPI4VB/GKfVeH72q3V94sHB6Spy0L5uUTxTmmZH/FQ=",
+        "lastModified": 1769373857,
+        "narHash": "sha256-IVRjQyPlY4jagm2nzROHobD8lVff4m++swbJ4Q1+kTs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "25a9ff6075a050210f8fc276a67d21399c90a797",
+        "rev": "145fdb350cfaa360ff356edf6e85430b231dd5c6",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "master",
+        "ref": "nixos-25.11-small",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1762596750,
-        "narHash": "sha256-rXXuz51Bq7DHBlfIjN7jO8Bu3du5TV+3DSADBX7/9YQ=",
+        "lastModified": 1769170682,
+        "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b6a8526db03f735b89dd5ff348f53f752e7ddc8e",
+        "rev": "c5296fdd05cfa2c187990dd909864da9658df755",
         "type": "github"
       },
       "original": {
@@ -902,16 +935,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1762800201,
-        "narHash": "sha256-uSPI4VB/GKfVeH72q3V94sHB6Spy0L5uUTxTmmZH/FQ=",
+        "lastModified": 1769089682,
+        "narHash": "sha256-9yA/LIuAVQq0lXelrZPjLuLVuZdm03p8tfmHhnDIkms=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "25a9ff6075a050210f8fc276a67d21399c90a797",
+        "rev": "078d69f03934859a181e81ba987c2bb033eebfc5",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "master",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -945,11 +978,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762800743,
-        "narHash": "sha256-6SjknGi7vOyZV2AghcYI6wzqqKTWMeFOv9JlN5YFICQ=",
+        "lastModified": 1769419322,
+        "narHash": "sha256-V9L2d2nulWyP/s5EQrt0aDbNOfOR1ZNI5apb+mUWsrc=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "32c80839213416ea24e3138f2fe18b316dff08eb",
+        "rev": "88fca3ca8ff051e269b40f9fc55b851802344702",
         "type": "github"
       },
       "original": {
@@ -970,11 +1003,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758998580,
-        "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=",
+        "lastModified": 1767886815,
+        "narHash": "sha256-pB2BBv6X9cVGydEV/9Y8+uGCvuYJAlsprs1v1QHjccA=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728",
+        "rev": "4ff84374d77ff62e2e13a46c33bfeb73590f9fef",
         "type": "github"
       },
       "original": {
@@ -993,11 +1026,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762441963,
-        "narHash": "sha256-j+rNQ119ffYUkYt2YYS6rnd6Jh/crMZmbqpkGLXaEt0=",
+        "lastModified": 1767281941,
+        "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "8e7576e79b88c16d7ee3bbd112c8d90070832885",
+        "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
         "type": "github"
       },
       "original": {
@@ -1009,11 +1042,11 @@
     "qbit_manage": {
       "flake": false,
       "locked": {
-        "lastModified": 1758160887,
-        "narHash": "sha256-cTxM3nHQQto7lpoNjShYcCbJCSYiwS9bKqw0DWAjw6A=",
+        "lastModified": 1764428351,
+        "narHash": "sha256-JCsbf2mPRhs7Mbekl946G/y/CSNSSvQBLvlwVy/Avcg=",
         "owner": "StuffAnThings",
         "repo": "qbit_manage",
-        "rev": "21812368bc5366f3388dfb21769fee1da48083c5",
+        "rev": "371627bbeb082e68f057bbe4599565c2e63a14c7",
         "type": "github"
       },
       "original": {
@@ -1052,11 +1085,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762659808,
-        "narHash": "sha256-2Kv2mANf+FRisqhpfeZ8j9firBxb23ZvEXwdcunbpGI=",
+        "lastModified": 1769314333,
+        "narHash": "sha256-+Uvq9h2eGsbhacXpuS7irYO7fFlz514nrhPCSTkASlw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "524312bc62e3f34bd9231a2f66622663d3355133",
+        "rev": "2eb9eed7ef48908e0f02985919f7eb9d33fa758f",
         "type": "github"
       },
       "original": {
@@ -1086,15 +1119,16 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1762264356,
-        "narHash": "sha256-QVfC53Ri+8n3e7Ujx9kq6all3+TLBRRPRnc6No5qY5w=",
+        "lastModified": 1769202415,
+        "narHash": "sha256-6XUTQjam/xLFGeJFj9XCo+12XSxd2iBxkAdLe6IJqiw=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "647bb8dd96a206a1b79c4fd714affc88b409e10b",
+        "rev": "296aa01b461af5146612cd26cc115c1d3e5ed4ae",
         "type": "github"
       },
       "original": {
         "owner": "danth",
+        "ref": "release-25.11",
         "repo": "stylix",
         "type": "github"
       }
@@ -1212,11 +1246,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1757716333,
-        "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=",
+        "lastModified": 1767817087,
+        "narHash": "sha256-eGE8OYoK6HzhJt/7bOiNV2cx01IdIrHL7gXgjkHRdNo=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559",
+        "rev": "bd99656235aab343e3d597bf196df9bc67429507",
         "type": "github"
       },
       "original": {
@@ -1228,11 +1262,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1757811970,
-        "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=",
+        "lastModified": 1767489635,
+        "narHash": "sha256-e6nnFnWXKBCJjCv4QG4bbcouJ6y3yeT70V9MofL32lU=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e",
+        "rev": "3c32729ccae99be44fe8a125d20be06f8d7d8184",
         "type": "github"
       },
       "original": {
@@ -1244,11 +1278,11 @@
     "tinted-zed": {
       "flake": false,
       "locked": {
-        "lastModified": 1757811247,
-        "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=",
+        "lastModified": 1767488740,
+        "narHash": "sha256-wVOj0qyil8m+ouSsVZcNjl5ZR+1GdOOAooAatQXHbuU=",
         "owner": "tinted-theming",
         "repo": "base16-zed",
-        "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e",
+        "rev": "11abb0b282ad3786a2aae088d3a01c60916f2e40",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,19 +2,16 @@
   description = "JawZ NixOS flake setup";
   inputs = {
     flake-parts.url = "github:hercules-ci/flake-parts";
-    nixpkgs.url = "github:nixos/nixpkgs?ref=master";
-    nixpkgs-small.url = "github:nixos/nixpkgs?ref=master";
-    # nixpkgs-small.url = "github:nixos/nixpkgs?ref=nixos-25.05-small";
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.11";
+    nixpkgs-small.url = "github:nixos/nixpkgs?ref=nixos-25.11-small";
     nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
     ucodenix.url = "github:e-tho/ucodenix/ba7f0a366460e0fbea9622fc770cb982be0e4720";
     home-manager = {
-      # url = "github:nix-community/home-manager?ref=release-25.05";
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager?ref=release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     stylix = {
-      # url = "github:danth/stylix/release-25.05";
-      url = "github:danth/stylix";
+      url = "github:danth/stylix/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     doom-emacs = {

hosts/emacs/configuration.nix

@@ -21,7 +21,6 @@
     secureHost = false;
     stylix.enable = true;
     emacs.enable = true;
-    apps.fonts.enable = true;
     shell.tools.enable = true;
     services.network.enable = true;
     dev = {

hosts/miniserver/toggles.nix

@@ -1,22 +1,34 @@
 { inputs }:
 let
-  inherit (inputs.self.lib) mkEnabled mkEnabledWithProxy enableList;
+  inherit (inputs.self.lib)
+    mkEnabled
+    mkEnabledWithUsers
+    mkEnabledWithProxy
+    enableList
+    ;
 in
 {
-  emacs.enable = true;
+  emacs = {
+    enable = true;
+    users = "jawz";
+  };
+  stylix = {
+    enable = true;
+    users = "jawz";
+  };
   enableProxy = true;
   websites.portfolio.enableProxy = true;
-  apps = enableList mkEnabled [
+  apps = enableList mkEnabledWithUsers [
     "dictionaries"
   ];
   services = enableList mkEnabled [
     "network"
   ];
-  shell = enableList mkEnabled [
+  shell = enableList mkEnabledWithUsers [
     "tools"
     "multimedia"
   ];
-  dev = enableList mkEnabled [
+  dev = enableList mkEnabledWithUsers [
     "nix"
     "python"
     "sh"

hosts/server/configuration.nix

@@ -5,6 +5,9 @@
   inputs,
   ...
 }:
+let
+  lidarrMbGapId = 968;
+in
 {
   imports = [
     inputs.lidarr-mb-gap.nixosModules.lidarr-mb-gap
@@ -26,6 +29,9 @@
       22000 # syncthing relay
       3452 # sonarqube
       8448 # synapse ssl
+      8265 # tdarr
+      5173 # media map
+      51412 # qbittorrent
     ];
   };
   nix.buildMachines = [
@@ -46,13 +52,16 @@
       sopsFile = ../../secrets/env.yaml;
     };
     "private_keys/lidarr-mb-gap" =
-      lib.mkIf (config.my.secureHost && config.services.lidarr-mb-gap.enable)
-        {
-          sopsFile = ../../secrets/keys.yaml;
-          owner = config.users.users.lidarr-mb-gap.name;
-          inherit (config.users.users.lidarr-mb-gap) group;
-          path = "${config.users.users.lidarr-mb-gap.home}/.ssh/ed25519_lidarr-mb-gap";
-        };
+      let
+        cfg = config.services.lidarr-mb-gap;
+        usr = config.users.users.lidarr-mb-gap;
+      in
+      lib.mkIf (config.my.secureHost && cfg.enable) {
+        sopsFile = ../../secrets/keys.yaml;
+        owner = usr.name;
+        inherit (usr) group;
+        path = "${usr.home}/.ssh/ed25519_lidarr-mb-gap";
+      };
   };
   networking = {
     hostName = "server";
@@ -79,6 +88,13 @@
   users.users.jawz.packages = builtins.attrValues {
     inherit (pkgs) podman-compose attic-client;
   };
+  users.groups.lidarr-mb-gap.gid = lidarrMbGapId;
+  users.users.lidarr-mb-gap = {
+    uid = lidarrMbGapId;
+    isSystemUser = true;
+    group = "lidarr-mb-gap";
+    home = "/var/lib/lidarr-mb-gap";
+  };
   services = {
     btrfs.autoScrub = {
       enable = true;
@@ -89,7 +105,7 @@
     };
     lidarr-mb-gap = {
       enable = true;
-      package = inputs.lidarr-mb-gap.packages.${pkgs.system}.lidarr-mb-gap;
+      package = inputs.lidarr-mb-gap.packages.${pkgs.stdenv.hostPlatform.system}.lidarr-mb-gap;
       home = "/var/lib/lidarr-mb-gap";
       envFile = config.sops.secrets.lidarr-mb-gap.path;
       runInterval = "weekly";

hosts/server/toggles.nix

@@ -1,16 +1,23 @@
 { config, inputs }:
 let
-  inherit (inputs.self.lib) mkEnabled enableList;
+  inherit (inputs.self.lib) mkEnabled mkEnabledWithUsers enableList;
   mkEnabledIp = inputs.self.lib.mkEnabledIp config.my.ips.wg-server;
 in
 {
   mainServer = "server";
-  emacs.enable = true;
-  stylix.enable = true;
+  emacs = {
+    enable = true;
+    users = "jawz";
+  };
+  stylix = {
+    enable = true;
+    users = "jawz";
+  };
   enableProxy = true;
   enableContainers = true;
   apps.dictionaries.enable = true;
-  shell = enableList mkEnabled [
+  apps.dictionaries.users = "jawz";
+  shell = enableList mkEnabledWithUsers [
     "tools"
     "multimedia"
   ];
@@ -19,7 +26,7 @@ in
     "nvidia"
     "syncthing"
   ];
-  dev = enableList mkEnabled [
+  dev = enableList mkEnabledWithUsers [
     "nix"
     "python"
     "sh"
@@ -81,5 +88,9 @@ in
     "audiobookshelf"
     "vaultwarden"
     "readeck"
+    "keycloak"
+    "oauth2-proxy"
+    "isso"
+    "plausible"
   ];
 }

hosts/workstation/configuration.nix

@@ -22,6 +22,7 @@ in
     ../../config/base.nix
     ../../config/stylix.nix
     ../../environments/gnome.nix
+    ../../config/derek.nix
   ];
   my = import ./toggles.nix { inherit inputs; } // {
     nix.cores = 8;
@@ -31,6 +32,10 @@ in
       "nixserver"
       "nixminiserver"
     ];
+    environments.gnome.users = [
+      "jawz"
+      "bearded_dragonn"
+    ];
   };
   home-manager.users.jawz.programs = {
     vscode = {
@@ -88,8 +93,6 @@ in
         gnome-epub-thumbnailer
         podman-compose
         scrcpy
-        vlc
-        syncplay
         ;
       inherit (pkgs.libheif) out;
     };
@@ -125,7 +128,6 @@ in
     ../../secrets/ssh/root-private-ca.pem
   ];
   services = {
-    minio.enable = true;
     flatpak.enable = true;
     open-webui.enable = true;
     scx = {
@@ -145,48 +147,5 @@ in
       acceleration = "cuda";
       models = "/srv/ai/ollama";
     };
-    postgresql = {
-      enable = true;
-      package = pkgs.postgresql_17;
-      enableTCPIP = true;
-      authentication = pkgs.lib.mkOverride 10 ''
-        local   all    all                                 trust
-        host    all    all    ${config.my.localhost}/32    trust
-        host    all    all    ::1/128                      trust
-      '';
-      ensureDatabases = [ "webref" ];
-      ensureUsers = [
-        {
-          name = "webref";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
-  };
-  programs.virt-manager.enable = true;
-  users.groups.libvirtd.members = [ "jawz" ];
-  virtualisation.libvirtd.enable = true;
-  systemd.services.minio-init = {
-    description = "Initialize MinIO buckets";
-    after = [ "minio.service" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      # Wait for MinIO to be ready
-      until ${pkgs.curl}/bin/curl -sf http://localhost:9000/minio/health/live > /dev/null 2>&1; do
-        echo "Waiting for MinIO..."
-        sleep 1
-      done
-
-      # Configure mc alias and create bucket
-      ${pkgs.minio-client}/bin/mc alias set local http://localhost:9000 minioadmin minioadmin || true
-      ${pkgs.minio-client}/bin/mc mb local/webref || true
-      ${pkgs.minio-client}/bin/mc anonymous set public local/webref || true
-
-      echo "MinIO initialized with webref bucket"
-    '';
   };
 }

hosts/workstation/toggles.nix

@@ -1,29 +1,37 @@
 { inputs }:
 let
-  inherit (inputs.self.lib) mkEnabled enableList;
+  inherit (inputs.self.lib) mkEnabled mkEnabledWithUsers enableList;
 in
 {
-  stylix.enable = true;
-  emacs.enable = true;
+  stylix = {
+    enable = true;
+    users = "jawz";
+  };
+  emacs = {
+    enable = true;
+    users = "jawz";
+  };
   enableContainers = true;
   servers.drpp.enable = true;
-  apps = enableList mkEnabled [
-    "art"
-    "dictionaries"
-    "fonts"
-    "gaming"
-    "switch"
-    "internet"
-    "multimedia"
-    "office"
-    "misc"
-  ];
-  dev = enableList mkEnabled [
+  apps =
+    (enableList mkEnabledWithUsers [
+      "art"
+      "dictionaries"
+      "gaming"
+      "internet"
+      "multimedia"
+      "office"
+      "misc"
+    ])
+    // {
+      switch.enable = true;
+    };
+  dev = enableList mkEnabledWithUsers [
     "nix"
     "python"
     "sh"
   ];
-  shell = enableList mkEnabled [
+  shell = enableList mkEnabledWithUsers [
     "exercism"
     "multimedia"
     "tools"

modules/apps/art.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -36,8 +37,19 @@ let
 in
 {
   options.my = {
-    apps.art.enable = lib.mkEnableOption "digital art and creative applications";
+    apps.art = {
+      enable = lib.mkEnableOption "digital art and creative applications";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.apps;
+        description = "Users to install art packages for";
+      };
+    };
     dev.gameDev.enable = lib.mkEnableOption "game development tools and engines";
   };
-  config.users.users.jawz.packages = artPackages ++ gameDevPackages;
+  config.users.users =
+    let
+      packages = artPackages ++ gameDevPackages;
+    in
+    inputs.self.lib.mkUserPackages lib config.my.apps.art.users packages;
 }

modules/apps/dictionaries.nix

@@ -1,21 +1,32 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }:
+let
+  packages = builtins.attrValues {
+    inherit (pkgs)
+      hunspell
+      ;
+    inherit (pkgs.hunspellDicts)
+      it_IT
+      es_MX
+      en_CA-large
+      ;
+  };
+in
 {
-  options.my.apps.dictionaries.enable = lib.mkEnableOption "dictionaries and language tools";
-  config = lib.mkIf config.my.apps.dictionaries.enable {
-    users.users.jawz.packages = builtins.attrValues {
-      inherit (pkgs)
-        hunspell
-        ;
-      inherit (pkgs.hunspellDicts)
-        it_IT
-        es_MX
-        en_CA-large
-        ;
+  options.my.apps.dictionaries = {
+    enable = lib.mkEnableOption "dictionaries and language tools";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.apps;
+      description = "Users to install dictionaries packages for";
     };
   };
+  config = lib.mkIf config.my.apps.dictionaries.enable {
+    users.users = inputs.self.lib.mkUserPackages lib config.my.apps.dictionaries.users packages;
+  };
 }

modules/apps/fonts.nix

@@ -1,44 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  inputs,
-  ...
-}:
-let
-  customFonts = pkgs.stdenvNoCC.mkDerivation {
-    name = "custom-fonts";
-    src = inputs.fonts;
-    installPhase = ''
-      mkdir -p $out/share/fonts
-      find $src -type f \( \
-        -name "*.ttf" -o \
-        -name "*.otf" -o \
-        -name "*.woff" -o \
-        -name "*.woff2" \
-      \) -exec cp {} $out/share/fonts/ \;
-    '';
-  };
-in
-{
-  options.my.apps.fonts.enable = lib.mkEnableOption "additional fonts and typography";
-  config = lib.mkIf config.my.apps.fonts.enable {
-    nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ];
-    fonts.packages = builtins.attrValues {
-      inherit customFonts;
-      inherit (pkgs)
-        symbola
-        comic-neue
-        cascadia-code
-        corefonts
-        ;
-      inherit (pkgs.nerd-fonts)
-        caskaydia-cove
-        open-dyslexic
-        comic-shanns-mono
-        iosevka
-        agave
-        ;
-    };
-  };
-}

modules/apps/gaming.nix

@@ -1,6 +1,6 @@
 {
-  inputs,
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -23,7 +23,14 @@ in
 {
   imports = [ inputs.nix-gaming.nixosModules.platformOptimizations ];
   options.my.apps = {
-    gaming.enable = lib.mkEnableOption "gaming applications and emulators";
+    gaming = {
+      enable = lib.mkEnableOption "gaming applications and emulators";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.apps;
+        description = "Users to install gaming packages for";
+      };
+    };
     switch.enable = lib.mkEnableOption "Nintendo Switch homebrew tools";
   };
   config = lib.mkIf config.my.apps.gaming.enable {
@@ -50,23 +57,28 @@ in
       #   environmentFile = config.sops.secrets.switch-presence.path;
       # };
     };
-    users.users.jawz.packages = builtins.attrValues {
-      inherit retroarchWithCores;
-      inherit (pkgs)
-        shipwright # zelda OoT port
-        mangohud # fps & stats overlay
-        lutris # games launcher & emulator hub
-        cartridges # games launcher
-        gamemode # optimizes linux to have better gaming performance
-        heroic # install epic games
-        protonup-qt # update proton-ge
-        ns-usbloader # load games into my switch
-        # emulators
-        rpcs3 # ps3
-        cemu # wii u
-        ryubing # switch
-        prismlauncher # minecraft launcher with jdk overlays
-        ;
-    };
+    users.users =
+      let
+        packages = builtins.attrValues {
+          inherit retroarchWithCores;
+          inherit (pkgs)
+            mgba # gba emulator
+            shipwright # zelda OoT port
+            mangohud # fps & stats overlay
+            lutris # games launcher & emulator hub
+            cartridges # games launcher
+            gamemode # optimizes linux to have better gaming performance
+            heroic # install epic games
+            protonup-qt # update proton-ge
+            ns-usbloader # load games into my switch
+            # emulators
+            rpcs3 # ps3
+            cemu # wii u
+            ryubing # switch
+            prismlauncher # minecraft launcher with jdk overlays
+            ;
+        };
+      in
+      inputs.self.lib.mkUserPackages lib config.my.apps.gaming.users packages;
   };
 }

modules/apps/internet.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -27,26 +28,39 @@ let
   krisp-patcher = pkgs.writers.writePython3Bin "krisp-patcher" krisp-settings krisp-patch;
 in
 {
-  options.my.apps.internet.enable = lib.mkEnableOption "internet browsers and communication apps";
-  config = lib.mkIf config.my.apps.internet.enable {
-    home-manager.users.jawz.programs.librewolf = import ./librewolf.nix;
-    programs.geary.enable = true;
-    users.users.jawz.packages = builtins.attrValues {
-      # inherit (inputs.zen-browser.packages.x86_64-linux) twilight;
-      inherit krisp-patcher;
-      inherit (pkgs)
-        # thunderbird # email client
-        warp # transfer files with based ppl
-        nextcloud-client # self-hosted google-drive alternative
-        fragments # beautiful torrent client
-        tor-browser # dark web, so dark!
-        telegram-desktop # furry chat
-        nicotine-plus # remember Ares?
-        discord # :3
-        vdhcoapp # video download helper assistant
-        nextcloud-talk-desktop # nextcloud talk client
-        fractal # matrix client
-        ;
+  options.my.apps.internet = {
+    enable = lib.mkEnableOption "internet browsers and communication apps";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.apps;
+      description = "Users to install internet packages for";
     };
   };
+  config = lib.mkIf config.my.apps.internet.enable {
+    home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.apps.internet.users (_user: {
+      programs.librewolf = import ./librewolf.nix;
+    });
+    programs.geary.enable = true;
+    users.users =
+      let
+        packages = builtins.attrValues {
+          # inherit (inputs.zen-browser.packages.x86_64-linux) twilight;
+          inherit krisp-patcher;
+          inherit (pkgs)
+            # thunderbird # email client
+            warp # transfer files with based ppl
+            nextcloud-client # self-hosted google-drive alternative
+            fragments # beautiful torrent client
+            tor-browser # dark web, so dark!
+            telegram-desktop # furry chat
+            nicotine-plus # remember Ares?
+            discord # :3
+            vdhcoapp # video download helper assistant
+            nextcloud-talk-desktop # nextcloud talk client
+            fractal # matrix client
+            ;
+        };
+      in
+      inputs.self.lib.mkUserPackages lib config.my.apps.internet.users packages;
+  };
 }

modules/apps/misc.nix

@@ -1,19 +1,31 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }:
 {
-  options.my.apps.misc.enable = lib.mkEnableOption "miscellaneous desktop applications";
-  config = lib.mkIf config.my.apps.misc.enable {
-    users.users.jawz.packages = builtins.attrValues {
-      inherit (pkgs)
-        blanket # background noise
-        metadata-cleaner # remove any metadata and geolocation from files
-        pika-backup # backups
-        gnome-obfuscate # censor private information
-        ;
+  options.my.apps.misc = {
+    enable = lib.mkEnableOption "miscellaneous desktop applications";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.apps;
+      description = "Users to install misc packages for";
     };
   };
+  config = lib.mkIf config.my.apps.misc.enable {
+    users.users =
+      let
+        packages = builtins.attrValues {
+          inherit (pkgs)
+            blanket # background noise
+            metadata-cleaner # remove any metadata and geolocation from files
+            pika-backup # backups
+            gnome-obfuscate # censor private information
+            ;
+        };
+      in
+      inputs.self.lib.mkUserPackages lib config.my.apps.misc.users packages;
+  };
 }

modules/apps/multimedia.nix

@@ -1,23 +1,55 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }:
+let
+  cfg = config.my.apps.multimedia;
+  attrValuesIf = cond: attrs: if cond then builtins.attrValues attrs else [ ];
+  multimediaPackages = attrValuesIf cfg.enable {
+    inherit (pkgs)
+      curtail # image compressor
+      easyeffects # equalizer
+      identity # compare images or videos
+      mousai # poor man shazam
+      shortwave # listen to world radio
+      tagger # tag music files
+      ;
+  };
+  videoEditingPackages = attrValuesIf cfg.videoEditing.enable {
+    inherit (pkgs)
+      davinci-resolve
+      shotcut
+      pitivi
+      ;
+    inherit (pkgs.kdePackages)
+      kdenlive
+      ;
+  };
+in
 {
-  options.my.apps.multimedia.enable = lib.mkEnableOption "multimedia applications and media players";
-  config = lib.mkIf config.my.apps.multimedia.enable {
-    users.users.jawz.packages = builtins.attrValues {
-      inherit (pkgs)
-        recordbox # libadwaita music player
-        celluloid # video player
-        curtail # image compressor
-        easyeffects # equalizer
-        identity # compare images or videos
-        mousai # poor man shazam
-        shortwave # listen to world radio
-        tagger # tag music files
-        ;
+  options.my.apps.multimedia = {
+    enable = lib.mkEnableOption "multimedia applications and media players";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.apps;
+      description = "Users to install multimedia packages for";
+    };
+    videoEditing = {
+      enable = lib.mkEnableOption "video editing applications";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.apps;
+        description = "Users to install video editing packages for";
+      };
     };
   };
+  config = lib.mkIf (cfg.enable || cfg.videoEditing.enable) {
+    users.users = lib.mkMerge [
+      (inputs.self.lib.mkUserPackages lib cfg.users multimediaPackages)
+      (inputs.self.lib.mkUserPackages lib cfg.videoEditing.users videoEditingPackages)
+    ];
+  };
 }

modules/apps/music.nix

@@ -1,18 +1,30 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }:
 {
-  options.my.apps.piano.enable = lib.mkEnableOption "piano learning and music theory apps";
-  config = lib.mkIf config.my.apps.piano.enable {
-    users.users.jawz.packages = builtins.attrValues {
-      inherit (pkgs)
-        neothesia
-        linthesia
-        timidity
-        ;
+  options.my.apps.piano = {
+    enable = lib.mkEnableOption "piano learning and music theory apps";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.apps;
+      description = "Users to install piano packages for";
     };
   };
+  config = lib.mkIf config.my.apps.piano.enable {
+    users.users =
+      let
+        packages = builtins.attrValues {
+          inherit (pkgs)
+            neothesia
+            linthesia
+            timidity
+            ;
+        };
+      in
+      inputs.self.lib.mkUserPackages lib config.my.apps.piano.users packages;
+  };
 }

modules/apps/office.nix

@@ -1,22 +1,34 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }:
 {
-  options.my.apps.office.enable = lib.mkEnableOption "office applications and productivity tools";
-  config = lib.mkIf config.my.apps.office.enable {
-    environment.variables.CALIBRE_USE_SYSTEM_THEME = "1";
-    users.users.jawz.packages = builtins.attrValues {
-      inherit (pkgs)
-        jre17_minimal # for libreoffice extensions
-        libreoffice # office, but based & european
-        calibre # ugly af eBook library manager
-        newsflash # feed reader, syncs with nextcloud
-        furtherance # I packaged this one tehee track time utility
-        # planify # let's pretend I will organize my tasks
-        ;
+  options.my.apps.office = {
+    enable = lib.mkEnableOption "office applications and productivity tools";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.apps;
+      description = "Users to install office packages for";
     };
   };
+  config = lib.mkIf config.my.apps.office.enable {
+    environment.variables.CALIBRE_USE_SYSTEM_THEME = "1";
+    users.users =
+      let
+        packages = builtins.attrValues {
+          inherit (pkgs)
+            jre17_minimal # for libreoffice extensions
+            libreoffice # office, but based & european
+            calibre # ugly af eBook library manager
+            newsflash # feed reader, syncs with nextcloud
+            furtherance # I packaged this one tehee track time utility
+            # planify # let's pretend I will organize my tasks
+            ;
+        };
+      in
+      inputs.self.lib.mkUserPackages lib config.my.apps.office.users packages;
+  };
 }

modules/dev/cc.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -17,7 +18,14 @@ let
 in
 {
   options = {
-    my.dev.cc.enable = lib.mkEnableOption "Install C/C++ tooling globally";
+    my.dev.cc = {
+      enable = lib.mkEnableOption "Install C/C++ tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install C/C++ packages for";
+      };
+    };
     devShells.cc = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -31,6 +39,6 @@ in
     };
   };
   config = lib.mkIf config.my.dev.cc.enable {
-    users.users.jawz = { inherit packages; };
+    users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.cc.users { inherit packages; };
   };
 }

modules/dev/docker.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -14,7 +15,14 @@ let
 in
 {
   options = {
-    my.dev.docker.enable = lib.mkEnableOption "Install Docker tooling globally";
+    my.dev.docker = {
+      enable = lib.mkEnableOption "Install Docker tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Docker packages for";
+      };
+    };
     devShells.docker = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -29,7 +37,7 @@ in
   };
   config = lib.mkMerge [
     (lib.mkIf config.my.dev.docker.enable {
-      users.users.jawz = { inherit packages; };
+      users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.docker.users { inherit packages; };
     })
     {
       environment.variables.DOCKER_CONFIG = "\${XDG_CONFIG_HOME}/docker";

modules/dev/emacs.nix

@@ -6,9 +6,16 @@
   ...
 }:
 {
-  options.my.emacs.enable = lib.mkEnableOption "Doom Emacs configuration";
+  options.my.emacs = {
+    enable = lib.mkEnableOption "Doom Emacs configuration";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.dev;
+      description = "Users to install Emacs packages for";
+    };
+  };
   config = lib.mkIf config.my.emacs.enable {
-    home-manager.users.jawz = {
+    home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.emacs.users (_user: {
       xdg.dataFile = {
         "doom/templates/events.org".source = ../../dotfiles/doom/templates/events.org;
         "doom/templates/default.org".source = ../../dotfiles/doom/templates/default.org;
@@ -21,41 +28,46 @@
             edit = "emacsclient -t";
             e = "edit";
           };
-    };
-    users.users.jawz.packages = builtins.attrValues {
-      inherit (pkgs.xorg) xwininfo;
-      inherit (pkgs)
-        #emacs everywhere
-        xdotool
-        xclip
-        wl-clipboard-rs
-        fd # modern find, faster searches
-        fzf # fuzzy finder! super cool and useful
-        ripgrep # modern grep
-        tree-sitter # code parsing based on symbols and shit, I do not get it
-        graphviz # graphs
-        tetex # export pdf
-        languagetool # proofreader for English
-        # lsps
-        yaml-language-server
-        markdownlint-cli
-        ;
-      inherit (pkgs.nodePackages)
-        vscode-json-languageserver
-        prettier # multi-language linter
-        ;
-    };
+    });
+    users.users =
+      let
+        packages = builtins.attrValues {
+          inherit (pkgs.xorg) xwininfo;
+          inherit (pkgs)
+            #emacs everywhere
+            xdotool
+            xclip
+            wl-clipboard-rs
+            fd # modern find, faster searches
+            fzf # fuzzy finder! super cool and useful
+            ripgrep # modern grep
+            tree-sitter # code parsing based on symbols and shit, I do not get it
+            graphviz # graphs
+            tetex # export pdf
+            languagetool # proofreader for English
+            # lsps
+            yaml-language-server
+            markdownlint-cli
+            ;
+          inherit (pkgs.nodePackages)
+            vscode-json-languageserver
+            prettier # multi-language linter
+            ;
+        };
+      in
+      inputs.self.lib.mkUserPackages lib config.my.emacs.users packages;
     services.emacs = {
       enable = true;
       defaultEditor = true;
       package = pkgs.emacsWithDoom {
         doomDir = ../../dotfiles/doom;
-        doomLocalDir = "/home/jawz/.local/share/nix-doom";
+        doomLocalDir = "/home/${inputs.self.lib.getFirstUser config.my.emacs.users}/.local/share/nix-doom";
         tangleArgs = "--all config.org";
         extraPackages =
           epkgs:
           let
-            inherit (config.home-manager.users.jawz.programs.emacs)
+            inherit
+              (config.home-manager.users.${inputs.self.lib.getFirstUser config.my.emacs.users}.programs.emacs)
               extraPackages
               extraConfig
               ;

modules/dev/go.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -20,7 +21,14 @@ let
 in
 {
   options = {
-    my.dev.go.enable = lib.mkEnableOption "Install Go tooling globally";
+    my.dev.go = {
+      enable = lib.mkEnableOption "Install Go tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Go packages for";
+      };
+    };
     devShells.go = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -38,7 +46,7 @@ in
       environment.variables = { inherit GOPATH; };
     }
     (lib.mkIf config.my.dev.go.enable {
-      users.users.jawz = { inherit packages; };
+      users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.go.users { inherit packages; };
     })
   ];
 }

modules/dev/haskell.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -18,7 +19,14 @@ let
 in
 {
   options = {
-    my.dev.haskell.enable = lib.mkEnableOption "Install Haskell tooling globally";
+    my.dev.haskell = {
+      enable = lib.mkEnableOption "Install Haskell tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Haskell packages for";
+      };
+    };
     devShells.haskell = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -33,7 +41,7 @@ in
   };
   config = lib.mkMerge [
     (lib.mkIf config.my.dev.haskell.enable {
-      users.users.jawz = { inherit packages; };
+      users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.haskell.users { inherit packages; };
     })
     {
       environment.variables = {

modules/dev/javascript.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -12,7 +13,14 @@ let
 in
 {
   options = {
-    my.dev.javascript.enable = lib.mkEnableOption "Install JavaScript tooling globally";
+    my.dev.javascript = {
+      enable = lib.mkEnableOption "Install JavaScript tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install JavaScript packages for";
+      };
+    };
     devShells.javascript = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -27,16 +35,18 @@ in
   };
   config = lib.mkMerge [
     (lib.mkIf config.my.dev.javascript.enable {
-      users.users.jawz = { inherit packages; };
+      users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.javascript.users { inherit packages; };
     })
     {
-      home-manager.users.jawz.xdg.configFile = {
-        "npm/npmrc".source = ../../dotfiles/npmrc;
-        "configstore/update-notifier-npm-check.json".text = builtins.toJSON {
-          optOut = false;
-          lastUpdateCheck = 1646662583446;
+      home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.dev.javascript.users (_user: {
+        xdg.configFile = {
+          "npm/npmrc".source = ../../dotfiles/npmrc;
+          "configstore/update-notifier-npm-check.json".text = builtins.toJSON {
+            optOut = false;
+            lastUpdateCheck = 1646662583446;
+          };
         };
-      };
+      });
       environment.variables = {
         NPM_CONFIG_USERCONFIG = "\${XDG_CONFIG_HOME}/npm/npmrc";
         PNPM_HOME = "\${XDG_DATA_HOME}/pnpm";

modules/dev/julia.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -11,7 +12,14 @@ let
 in
 {
   options = {
-    my.dev.julia.enable = lib.mkEnableOption "Install Julia globally";
+    my.dev.julia = {
+      enable = lib.mkEnableOption "Install Julia globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Julia packages for";
+      };
+    };
     devShells.julia = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -25,6 +33,6 @@ in
     };
   };
   config = lib.mkIf config.my.dev.julia.enable {
-    users.users.jawz = { inherit packages; };
+    users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.julia.users { inherit packages; };
   };
 }

modules/dev/nix.nix

@@ -19,7 +19,14 @@ let
 in
 {
   options = {
-    my.dev.nix.enable = lib.mkEnableOption "Install Nix tooling globally";
+    my.dev.nix = {
+      enable = lib.mkEnableOption "Install Nix tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Nix packages for";
+      };
+    };
     devShells.nix = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -33,15 +40,20 @@ in
     };
   };
   config = lib.mkIf config.my.dev.nix.enable {
-    users.users.jawz = { inherit packages; };
-    home-manager.users.jawz.programs.${shellType}.shellAliases =
-      inputs.self.lib.mergeAliases inputs.self.lib.commonAliases
-        {
-          nixformat = ''
-            deadnix -e && \
-            nix run nixpkgs#nixfmt-tree && \
-            statix fix
-          '';
-        };
+    users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.nix.users { inherit packages; };
+    home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.dev.nix.users (_user: {
+      programs.${shellType}.shellAliases = inputs.self.lib.mergeAliases inputs.self.lib.commonAliases {
+        nixformat = ''
+          deadnix -e && \
+          nix run nixpkgs#nixfmt-tree && \
+          statix fix
+        '';
+        nix-push-cache = ''
+          nix build $NH_FLAKE#nixosConfigurations.${config.networking.hostName}.config.system.build.toplevel \
+          --print-out-paths --fallback --max-jobs 100 --cores 0 |
+          nix run nixpkgs#attic-client -- push lan:nixos --stdin
+        '';
+      };
+    });
   };
 }

modules/dev/python.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -30,7 +31,14 @@ let
 in
 {
   options = {
-    my.dev.python.enable = lib.mkEnableOption "Install Python tools globally";
+    my.dev.python = {
+      enable = lib.mkEnableOption "Install Python tools globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Python packages for";
+      };
+    };
     devShells.python = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -46,10 +54,12 @@ in
   };
   config = lib.mkMerge [
     (lib.mkIf config.my.dev.python.enable {
-      users.users.jawz = { inherit packages; };
+      users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.python.users { inherit packages; };
     })
     {
-      home-manager.users.jawz.xdg.configFile."python/pythonrc".source = ../../dotfiles/pythonrc;
+      home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.dev.python.users (_user: {
+        xdg.configFile."python/pythonrc".source = ../../dotfiles/pythonrc;
+      });
       environment.variables.PYTHONSTARTUP = "\${XDG_CONFIG_HOME}/python/pythonrc";
     }
   ];

modules/dev/ruby.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -12,7 +13,14 @@ let
 in
 {
   options = {
-    my.dev.ruby.enable = lib.mkEnableOption "Install Ruby tooling globally";
+    my.dev.ruby = {
+      enable = lib.mkEnableOption "Install Ruby tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Ruby packages for";
+      };
+    };
     devShells.ruby = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -27,7 +35,7 @@ in
   };
   config = lib.mkMerge [
     (lib.mkIf config.my.dev.ruby.enable {
-      users.users.jawz = { inherit packages; };
+      users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.ruby.users { inherit packages; };
     })
     {
       environment.variables = {

modules/dev/rust.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -17,7 +18,14 @@ let
 in
 {
   options = {
-    my.dev.rust.enable = lib.mkEnableOption "Install Rust tooling globally";
+    my.dev.rust = {
+      enable = lib.mkEnableOption "Install Rust tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Rust packages for";
+      };
+    };
     devShells.rust = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -32,7 +40,7 @@ in
   };
   config = lib.mkMerge [
     (lib.mkIf config.my.dev.rust.enable {
-      users.users.jawz = { inherit packages; };
+      users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.rust.users { inherit packages; };
     })
     {
       environment.variables.CARGO_HOME = "\${XDG_DATA_HOME}/cargo";

modules/dev/sh.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -16,7 +17,14 @@ let
 in
 {
   options = {
-    my.dev.sh.enable = lib.mkEnableOption "Install shell scripting tools globally";
+    my.dev.sh = {
+      enable = lib.mkEnableOption "Install shell scripting tools globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install shell scripting packages for";
+      };
+    };
     devShells.sh = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -30,6 +38,6 @@ in
     };
   };
   config = lib.mkIf config.my.dev.sh.enable {
-    users.users.jawz = { inherit packages; };
+    users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.sh.users { inherit packages; };
   };
 }

modules/dev/zig.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -14,7 +15,14 @@ let
 in
 {
   options = {
-    my.dev.zig.enable = lib.mkEnableOption "Install Zig tooling globally";
+    my.dev.zig = {
+      enable = lib.mkEnableOption "Install Zig tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Zig packages for";
+      };
+    };
     devShells.zig = lib.mkOption {
       type = lib.types.package;
       default = pkgs.mkShell {
@@ -28,6 +36,6 @@ in
     };
   };
   config = lib.mkIf config.my.dev.zig.enable {
-    users.users.jawz = { inherit packages; };
+    users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.zig.users { inherit packages; };
   };
 }

modules/factories/mkscript.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -12,6 +13,11 @@
           enable = lib.mkEnableOption "Whether to enable this script";
           install = lib.mkEnableOption "Whether to install the script package";
           service = lib.mkEnableOption "Whether to enable the script service";
+          users = lib.mkOption {
+            type = inputs.self.lib.usersOptionType lib;
+            default = config.my.toggleUsers.scripts;
+            description = "Users to install this script for";
+          };
           name = lib.mkOption {
             type = lib.types.str;
             description = "Name of the script.";
@@ -36,10 +42,29 @@
     description = "Configuration for multiple scripts.";
   };
   config = lib.mkIf (lib.any (s: s.enable) (lib.attrValues config.my.scripts)) {
-    users.users.jawz.packages =
-      config.my.scripts
-      |> lib.mapAttrsToList (_name: script: lib.optional (script.enable && script.install) script.package)
-      |> lib.flatten;
+    users.users =
+      let
+        scriptList =
+          config.my.scripts
+          |> lib.mapAttrsToList (_name: script: lib.optional (script.enable && script.install) script)
+          |> lib.flatten;
+        userMap = lib.foldl' (
+          acc: script:
+          let
+            users = inputs.self.lib.normalizeUsers script.users;
+          in
+          lib.foldl' (
+            acc': user:
+            acc'
+            // {
+              ${user} = (acc'.${user} or [ ]) ++ [ script.package ];
+            }
+          ) acc users
+        ) { } scriptList;
+      in
+      lib.mkMerge (
+        lib.mapAttrsToList (user: packages: inputs.self.lib.mkUserPackages lib user packages) userMap
+      );
     systemd.user.services =
       config.my.scripts
       |> lib.mapAttrs' (

modules/modules.nix

@@ -52,7 +52,12 @@ in
         vps = "45.79.25.87";
         wg-vps = "10.77.0.1";
         wg-server = "10.77.0.2";
+        wg-g1 = "10.9.0.2";
+        wg-gs = "10.9.0.0";
         wg-friend1 = "10.8.0.2";
+        wg-friend2 = "10.8.0.3";
+        wg-friend3 = "10.8.0.4";
+        wg-friend4 = "10.8.0.5";
         wg-friends = "10.8.0.0";
       };
       description = "Set of IP's for all my computers.";
@@ -103,6 +108,31 @@ in
     };
     enableContainers = lib.mkEnableOption "container services (Docker/Podman)";
     enableProxy = lib.mkEnableOption "nginx reverse proxy for services";
+    toggleUsers = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.either lib.types.str (lib.types.listOf lib.types.str));
+      default = {
+        apps = "jawz";
+        dev = "jawz";
+        shell = "jawz";
+        scripts = "jawz";
+        services = "jawz";
+        stylix = "jawz";
+      };
+      description = "Map toggle categories to users. Can be a single user (string) or multiple users (list). Determines which user(s) get packages from each toggle category.";
+      example = {
+        apps = "jawz";
+        dev = "bearded_dragonn";
+        shell = "jawz";
+        gaming = [
+          "jawz"
+          "bearded_dragonn"
+        ];
+        stylix = [
+          "jawz"
+          "bearded_dragonn"
+        ];
+      };
+    };
   };
   config = {
     assertions =

modules/network/nginx.nix

@@ -7,6 +7,8 @@
 let
   proxyReverseServices = [
     "firefox-syncserver"
+    "isso"
+    "plausible"
     "readeck"
     "microbin"
     "ryot"

modules/nix/gitea-actions-runners/nixos.nix

@@ -6,11 +6,15 @@
 }:
 let
   cfg = config.my.servers.gitea;
+  id = 969;
+  gid = id;
+  uid = id;
 in
 {
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
-    users.groups.gitea-runner = { };
+    users.groups.gitea-runner = { inherit gid; };
     users.users.gitea-runner = {
+      inherit uid;
       isSystemUser = true;
       group = "gitea-runner";
       extraGroups = [

modules/scripts/update-dns.nix

@@ -11,8 +11,10 @@
       cloudflare-api.sopsFile = ../../secrets/env.yaml;
       dns = {
         sopsFile = ../../secrets/env.yaml;
-        owner = config.users.users.jawz.name;
-        inherit (config.users.users.jawz) group;
+        owner = config.users.users.${inputs.self.lib.getFirstUser config.my.scripts.update-dns.users}.name;
+        inherit (config.users.users.${inputs.self.lib.getFirstUser config.my.scripts.update-dns.users})
+          group
+          ;
       };
     };
     services.cloudflare-dyndns = {

modules/servers/audiobookshelf.nix

@@ -11,6 +11,11 @@ in
   options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     my.servers.audiobookshelf.enableSocket = true;
+    users.users.audiobookshelf = {
+      uid = 978;
+      group = "piracy";
+      isSystemUser = true;
+    };
     services.audiobookshelf = {
       inherit (cfg) enable port;
       host = cfg.ip;

modules/servers/bazarr.nix

@@ -6,11 +6,19 @@
 let
   setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.bazarr;
+  uid = 985;
 in
 {
   options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort;
-  config.services.bazarr = lib.mkIf cfg.enable {
-    inherit (cfg) enable;
-    group = "piracy";
+  config = lib.mkIf cfg.enable {
+    users.users.bazarr = {
+      inherit uid;
+      group = "piracy";
+      isSystemUser = true;
+    };
+    services.bazarr = {
+      inherit (cfg) enable;
+      group = "piracy";
+    };
   };
 }

modules/servers/gitea.nix

@@ -15,6 +15,12 @@ in
   options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets.gitea.sopsFile = ../../secrets/env.yaml;
+    users.groups.gitea.gid = 974;
+    users.users.gitea = {
+      uid = 975;
+      isSystemUser = true;
+      group = "gitea";
+    };
     services.gitea = {
       inherit (cfg) enable;
       settings = {
@@ -30,6 +36,10 @@ in
           FROM = config.my.smtpemail;
           SENDMAIL_PATH = "${pkgs.msmtp}/bin/msmtp";
         };
+        service = {
+          DISABLE_REGISTRATION = true;
+          ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+        };
       };
       database = {
         socket = config.my.postgresSocket;

modules/servers/homepage/bookmarks/servers.nix

@@ -66,7 +66,7 @@
     {
       syncthing-workstation = [
         {
-          abbr = "SW";
+          abbr = "STW";
           href = "http://workstation:8384";
           description = "";
         }
@@ -75,14 +75,14 @@
     {
       syncthing-server = [
         {
-          abbr = "SS";
+          abbr = "STS";
           href = "http://server:8384";
           description = "";
         }
       ];
     }
     {
-      "music report" = [
+      music-report = [
         {
           abbr = "MR";
           href = "https://mb-report.lebubu.org";
@@ -91,7 +91,7 @@
       ];
     }
     {
-      "portfolio" = [
+      portfolio = [
         {
           abbr = "PF";
           href = "https://danilo-reyes.com";
@@ -100,7 +100,7 @@
       ];
     }
     {
-      "webref" = [
+      webref = [
         {
           abbr = "WR";
           href = "https://webref.lebubu.org";

modules/servers/isso.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
+  cfg = config.my.servers.isso;
+in
+{
+  options.my.servers.isso = setup.mkOptions "isso" "comments" 8180;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    my.servers.isso.domain = "danilo-reyes.com";
+    sops.secrets.isso = {
+      sopsFile = ../../secrets/env.yaml;
+    };
+    services.isso = {
+      inherit (cfg) enable;
+      settings = {
+        guard.require-author = true;
+        server.listen = "http://${cfg.ip}:${toString cfg.port}/";
+        admin = {
+          enabled = true;
+          password = "$ISSO_ADMIN_PASSWORD";
+        };
+        general = {
+          host = "https://blog.${cfg.domain}";
+          max-age = "1h";
+          gravatar = true;
+        };
+      };
+    };
+    systemd.services.isso = {
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      serviceConfig.EnvironmentFile = config.sops.secrets.isso.path;
+    };
+  };
+}

modules/servers/jellyfin.nix

@@ -28,6 +28,11 @@ in
       pkgs.jellyfin-ffmpeg
     ]
     ++ (lib.optional cfg.enableCron [ sub-sync-path ]);
+    users.users.jellyfin = {
+      uid = 984;
+      group = "piracy";
+      isSystemUser = true;
+    };
     services = {
       jellyfin = {
         inherit (cfg) enable;

modules/servers/kavita.nix

@@ -6,6 +6,9 @@
 let
   setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.kavita;
+  id = 982;
+  gid = id;
+  uid = id;
 in
 {
   options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
@@ -14,7 +17,9 @@ in
       owner = config.users.users.kavita.name;
       inherit (config.users.users.kavita) group;
     };
+    users.groups.kavita = { inherit gid; };
     users.users.kavita = {
+      inherit uid;
       isSystemUser = true;
       group = "kavita";
       extraGroups = [

modules/servers/keycloak.nix

@@ -0,0 +1,44 @@
+{
+  lib,
+  config,
+  inputs,
+  ...
+}:
+let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
+  cfg = config.my.servers.keycloak;
+in
+{
+  options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml;
+    sops.secrets.keycloak = {
+      sopsFile = ../../secrets/env.yaml;
+      restartUnits = [ "keycloak.service" ];
+    };
+    services.keycloak = {
+      inherit (cfg) enable;
+      database = {
+        type = "postgresql";
+        host = "localhost";
+        createLocally = false;
+        username = "keycloak";
+        name = "keycloak";
+        passwordFile = config.sops.secrets.postgres-password.path;
+      };
+      settings = {
+        hostname = cfg.host;
+        hostname-strict = true;
+        hostname-strict-https = false;
+        http-enabled = true;
+        http-port = cfg.port;
+        http-host = cfg.ip;
+        proxy-headers = "xforwarded";
+      };
+    };
+    systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path;
+    services.nginx.virtualHosts.${cfg.host} = lib.mkIf (cfg.enableProxy && config.my.enableProxy) (
+      inputs.self.lib.proxyReverseFix cfg
+    );
+  };
+}

modules/servers/mealie.nix

@@ -17,7 +17,7 @@ in
         TZ = config.my.timeZone;
         DEFAULT_GROUP = "Home";
         BASE_URL = cfg.url;
-        API_DOCS = "false";
+        API_DOCS = "true";
         ALLOW_SIGNUP = "false";
         DB_ENGINE = "postgres";
         POSTGRES_URL_OVERRIDE = "postgresql://${cfg.name}:@/${cfg.name}?host=${config.my.postgresSocket}";
@@ -25,6 +25,13 @@ in
         WEB_CONCURRENCY = "1";
         SMTP_HOST = "smtp.gmail.com";
         SMTP_PORT = "587";
+        OIDC_AUTH_ENABLED = "true";
+        OIDC_SIGNUP_ENABLED = "true";
+        OIDC_CLIENT_ID = "mealie";
+        OIDC_ADMIN_GROUP = "/admins";
+        OIDC_USER_CLAIM = "email";
+        OIDC_PROVIDER_NAME = "keycloak";
+        OIDC_SIGNING_ALGORITHM = "RS256";
       };
       credentialsFile = config.sops.secrets.mealie.path;
     };

modules/servers/metube.nix

@@ -10,7 +10,7 @@ in
 {
   options.my.servers.metube = setup.mkOptions "metube" "bajameesta" 8881;
   config.virtualisation.oci-containers.containers.metube = lib.mkIf cfg.enable {
-    image = "ghcr.io/alexta69/metube:latest";
+    image = "ghcr.io/alexta69/metube:2026.01.02";
     ports = [ "${toString cfg.port}:8081" ];
     volumes = [
       "${config.my.containerData}/metube:/downloads"

modules/servers/nextcloud.nix

@@ -32,6 +32,9 @@ let
   pytensorflow = pkgs.python3.withPackages (ps: [ ps.tensorflow ]);
   cfg = config.my.servers.nextcloud;
   cfgC = config.my.servers.collabora;
+  id = 990;
+  gid = id;
+  uid = id;
 in
 {
   options.my.servers = {
@@ -48,8 +51,11 @@ in
       "nodejs-14.21.3"
       "openssl-1.1.1v"
     ];
+    users.groups.nextcloud = { inherit gid; };
     users.users.nextcloud = {
+      inherit uid;
       isSystemUser = true;
+      group = "nextcloud";
       extraGroups = [ "render" ];
       packages = builtins.attrValues {
         inherit exiftool pytensorflow;
@@ -65,7 +71,7 @@ in
       nextcloud = {
         enable = true;
         https = false; # vps
-        package = pkgs.nextcloud31;
+        package = pkgs.nextcloud32;
         appstoreEnable = true;
         configureRedis = true;
         extraAppsEnable = true;

modules/servers/oauth2-proxy.nix

@@ -0,0 +1,60 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
+  cfg = config.my.servers.oauth2-proxy;
+  id = 967;
+  gid = id;
+  uid = id;
+in
+{
+  options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    users.groups.oauth2-proxy = { inherit gid; };
+    users.users.oauth2-proxy = {
+      inherit uid;
+      isSystemUser = true;
+      group = "oauth2-proxy";
+    };
+    sops.secrets.oauth2-proxy = {
+      sopsFile = ../../secrets/env.yaml;
+      restartUnits = [ "oauth2-proxy.service" ];
+    };
+    sops.secrets.oauth2-proxy-cookie = {
+      sopsFile = ../../secrets/secrets.yaml;
+      restartUnits = [ "oauth2-proxy.service" ];
+    };
+    services.oauth2-proxy = {
+      inherit (cfg) enable;
+      provider = "keycloak-oidc";
+      clientID = "oauth2-proxy";
+      keyFile = config.sops.secrets.oauth2-proxy.path;
+      oidcIssuerUrl = "${config.my.servers.keycloak.url}/realms/homelab";
+      httpAddress = "${cfg.ip}:${toString cfg.port}";
+      email.domains = [ "*" ];
+      cookie = {
+        name = "_oauth2_proxy";
+        secure = true;
+        expire = "168h";
+        refresh = "1h";
+        domain = ".lebubu.org";
+        secret = config.sops.secrets.oauth2-proxy-cookie.path;
+      };
+      extraConfig = {
+        skip-auth-route = [ "^/ping$" ];
+        set-xauthrequest = true;
+        pass-access-token = true;
+        pass-user-headers = true;
+        request-logging = true;
+        auth-logging = true;
+        session-store-type = "cookie";
+        skip-provider-button = true;
+        code-challenge-method = "S256";
+        whitelist-domain = [ ".lebubu.org" ];
+      };
+    };
+  };
+}

modules/servers/paperless.nix

@@ -1,21 +1,37 @@
 { lib, config, ... }:
 let
   cfg = config.my.servers.paperless;
+  inherit (config.services.paperless) port;
+  id = 315;
+  gid = id;
+  uid = id;
 in
 {
   options.my.servers.paperless.enable = lib.mkEnableOption "Paperless-ngx document management system";
   config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
-    networking.firewall.allowedTCPPorts = [ config.services.paperless.port ];
+    networking.firewall.allowedTCPPorts = [ port ];
+    users.groups.paperless = { inherit gid; };
+    users.users.paperless = {
+      inherit uid;
+      isSystemUser = true;
+      group = "paperless";
+    };
     services.paperless = {
       inherit (cfg) enable;
-      address = "0.0.0.0";
+      address = config.my.ips.server;
       consumptionDirIsPublic = true;
       consumptionDir = "/srv/pool/scans/";
       settings = {
+        PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL = "http";
+        PAPERLESS_URL = "http://${config.my.ips.server}:${builtins.toString port}";
         PAPERLESS_DBENGINE = "postgress";
         PAPERLESS_DBNAME = "paperless";
         PAPERLESS_DBHOST = config.my.postgresSocket;
         PAPERLESS_TIME_ZONE = config.my.timeZone;
+        PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+        PAPERLESS_ACCOUNT_ALLOW_SIGNUPS = false;
+        PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = true;
+        PAPERLESS_SOCIAL_AUTO_SIGNUP = true;
         PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
           ".DS_STORE/*"
           "desktop.ini"

modules/servers/plausible.nix

@@ -0,0 +1,27 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
+  cfg = config.my.servers.plausible;
+in
+{
+  options.my.servers.plausible = setup.mkOptions "plausible" "analytics" 8439;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    sops.secrets.plausible.sopsFile = ../../secrets/secrets.yaml;
+    services.plausible = {
+      inherit (cfg) enable;
+      database.postgres.socket = config.my.postgresSocket;
+      mail.email = config.my.smtpemail;
+      server = {
+        inherit (cfg) port;
+        baseUrl = cfg.url;
+        listenAddress = cfg.ip;
+        secretKeybaseFile = config.sops.secrets.plausible.path;
+        disableRegistration = true;
+      };
+    };
+  };
+}

modules/servers/plex.nix

@@ -9,42 +9,49 @@ let
 in
 {
   options.my.servers.plex = setup.mkOptions "plex" "plex" 32400;
-  config.services = lib.mkIf (cfg.enable && config.my.secureHost) {
-    plex = {
-      inherit (cfg) enable;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    users.users.plex = {
+      uid = 193;
       group = "piracy";
+      isSystemUser = true;
     };
-    nginx = lib.mkIf cfg.enableProxy {
-      virtualHosts."${cfg.host}" = {
-        forceSSL = true;
-        enableACME = true;
-        http2 = true;
-        serverAliases = [
-          "plex.rotehaare.art"
-        ];
-        extraConfig = ''
-          # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
-          send_timeout 100m;
-          # Plex headers
-          proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
-          proxy_set_header X-Plex-Device $http_x_plex_device;
-          proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
-          proxy_set_header X-Plex-Platform $http_x_plex_platform;
-          proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
-          proxy_set_header X-Plex-Product $http_x_plex_product;
-          proxy_set_header X-Plex-Token $http_x_plex_token;
-          proxy_set_header X-Plex-Version $http_x_plex_version;
-          proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
-          proxy_set_header X-Plex-Provides $http_x_plex_provides;
-          proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
-          proxy_set_header X-Plex-Model $http_x_plex_model;
-          # Buffering off send to the client as soon as the data is received from Plex.
-          proxy_redirect off;
-          proxy_buffering off;
-        '';
-        locations."/" = {
-          proxyPass = cfg.local;
-          proxyWebsockets = true;
+    services = {
+      plex = {
+        inherit (cfg) enable;
+        group = "piracy";
+      };
+      nginx = lib.mkIf cfg.enableProxy {
+        virtualHosts."${cfg.host}" = {
+          forceSSL = true;
+          enableACME = true;
+          http2 = true;
+          serverAliases = [
+            "plex.rotehaare.art"
+          ];
+          extraConfig = ''
+            # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+            send_timeout 100m;
+            # Plex headers
+            proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+            proxy_set_header X-Plex-Device $http_x_plex_device;
+            proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
+            proxy_set_header X-Plex-Platform $http_x_plex_platform;
+            proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
+            proxy_set_header X-Plex-Product $http_x_plex_product;
+            proxy_set_header X-Plex-Token $http_x_plex_token;
+            proxy_set_header X-Plex-Version $http_x_plex_version;
+            proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
+            proxy_set_header X-Plex-Provides $http_x_plex_provides;
+            proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
+            proxy_set_header X-Plex-Model $http_x_plex_model;
+            # Buffering off send to the client as soon as the data is received from Plex.
+            proxy_redirect off;
+            proxy_buffering off;
+          '';
+          locations."/" = {
+            proxyPass = cfg.local;
+            proxyWebsockets = true;
+          };
         };
       };
     };

modules/servers/postgres.nix

@@ -40,6 +40,8 @@ let
     "sonarqube"
     "gitea"
     "atticd"
+    "keycloak"
+    "webref"
   ];
 in
 {

modules/servers/prowlarr.nix

@@ -11,6 +11,7 @@ in
   options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
   config = lib.mkIf cfg.enable {
     users.users.prowlarr = {
+      uid = 987;
       group = "piracy";
       isSystemUser = true;
     };

modules/servers/qbittorrent.nix

@@ -7,16 +7,12 @@
 }:
 let
   inherit (inputs) qbit_manage;
-  pkgsU = import inputs.nixpkgs-unstable {
-    system = "x86_64-linux";
-    config.allowUnfree = true;
-  };
   vuetorrent = pkgs.fetchzip {
-    url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.25.0/vuetorrent.zip";
-    sha256 = "sha256-sOaQNw6AnpwNFEextgTnsjEOfpl3/lpoOZFgFOz7Bos=";
+    url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.31.0/vuetorrent.zip";
+    sha256 = "sha256-kVDnDoCoJlY2Ew71lEMeE67kNOrKTJEMqNj2OfP01qw=";
     stripRoot = true;
   };
-  qbit_manageEnv = pkgsU.python3.withPackages (
+  qbit_manageEnv = pkgs.python3.withPackages (
     ps:
     builtins.attrValues {
       inherit (ps)

modules/servers/radarr.nix

@@ -10,6 +10,11 @@ in
 {
   options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
   config = lib.mkIf cfg.enable {
+    users.users.radarr = {
+      uid = 275;
+      group = "piracy";
+      isSystemUser = true;
+    };
     services.radarr = {
       inherit (cfg) enable;
       group = "piracy";

modules/servers/ryot.nix

@@ -12,7 +12,7 @@ in
   config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
     sops.secrets.ryot.sopsFile = ../../secrets/env.yaml;
     virtualisation.oci-containers.containers.ryot = {
-      image = "ghcr.io/ignisda/ryot:v9.3.0";
+      image = "ghcr.io/ignisda/ryot:v10";
       ports = [ "${toString cfg.port}:8000" ];
       environmentFiles = [ config.sops.secrets.ryot.path ];
       environment = {

modules/servers/sonarr.nix

@@ -9,8 +9,15 @@ let
 in
 {
   options.my.servers.sonarr = setup.mkOptions "sonarr" "series" 8989;
-  config.services.sonarr = lib.mkIf cfg.enable {
-    inherit (cfg) enable;
-    group = "piracy";
+  config = lib.mkIf cfg.enable {
+    users.users.sonarr = {
+      uid = 274;
+      group = "piracy";
+      isSystemUser = true;
+    };
+    services.sonarr = {
+      inherit (cfg) enable;
+      group = "piracy";
+    };
   };
 }

modules/servers/stash.nix

@@ -37,7 +37,7 @@ in
     };
     services.stash = {
       inherit (cfg) enable;
-      group = "piracy";
+      group = "glue";
       mutableSettings = true;
       username = "Suing8150";
       passwordFile = config.sops.secrets."stash/password".path;
@@ -59,12 +59,15 @@ in
         LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
       };
       serviceConfig = {
+        PrivateUsers = lib.mkForce false;
         BindReadOnlyPaths = lib.mkForce [ ];
         BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
       };
     };
     users.users.stash = {
+      uid = 974;
       isSystemUser = true;
+      group = "glue";
       packages = [ stashPythonFHS ];
     };
   };

modules/servers/synapse.nix

@@ -16,6 +16,9 @@ let
     add_header Access-Control-Allow-Origin *;
     return 200 '${builtins.toJSON data}';
   '';
+  id = 224;
+  gid = id;
+  uid = id;
 in
 {
   options.my.servers = {
@@ -27,6 +30,12 @@ in
       synapse = { inherit domain; };
       element = { inherit domain; };
     };
+    users.groups.matrix-synapse = { inherit gid; };
+    users.users.matrix-synapse = {
+      inherit uid;
+      isSystemUser = true;
+      group = "matrix-synapse";
+    };
     sops.secrets = {
       synapse = {
         sopsFile = ../../secrets/env.yaml;
@@ -62,6 +71,7 @@ in
           federation_domain_whitelist = [ ];
           allow_public_rooms_without_auth = false;
           allow_public_rooms_over_federation = false;
+          registration_shared_secret = config.sops.secrets.synapse.path;
           max_upload_size = "4096M";
           tls_private_key_path = config.sops.secrets."matrix/key".path;
           tls_certificate_path = config.sops.secrets."matrix/cert".path;

modules/servers/vaultwarden.nix

@@ -7,11 +7,20 @@
 let
   cfg = config.my.servers.vaultwarden;
   setup = import ../factories/mkserver.nix { inherit lib config; };
+  id = 981;
+  gid = id;
+  uid = id;
 in
 {
   options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
   config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
     sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml;
+    users.groups.vaultwarden = { inherit gid; };
+    users.users.vaultwarden = {
+      inherit uid;
+      isSystemUser = true;
+      group = "vaultwarden";
+    };
     services.vaultwarden = {
       inherit (cfg) enable;
       dbBackend = "postgresql";

modules/services/nvidia.nix

@@ -7,10 +7,11 @@
 {
   options.my.services.nvidia.enable = lib.mkEnableOption "NVIDIA GPU drivers and CUDA";
   config = lib.mkIf config.my.services.nvidia.enable {
-    environment.variables.CUDA_CACHE_PATH = "\${XDG_CACHE_HOME}/nv";
     boot.kernelParams = lib.mkIf (config.networking.hostName == "workstation") [ "nvidia-drm.fbdev=1" ];
     services.xserver.videoDrivers = [ "nvidia" ];
+    environment.variables.CUDA_CACHE_PATH = "\${XDG_CACHE_HOME}/nv";
     hardware = {
+      nvidia-container-toolkit.enable = config.virtualisation.podman.enable;
       graphics = {
         enable = true;
         enable32Bit = true;

modules/services/printing.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -11,9 +12,20 @@ let
   ];
 in
 {
-  options.my.services.printing.enable = lib.mkEnableOption "printing services and drivers";
+  options.my.services.printing = {
+    enable = lib.mkEnableOption "printing services and drivers";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.services;
+      description = "Users to install printing packages for";
+    };
+  };
   config = lib.mkIf config.my.services.printing.enable {
-    users.users.jawz.packages = [ pkgs.simple-scan ];
+    users.users =
+      let
+        packages = [ pkgs.simple-scan ];
+      in
+      inputs.self.lib.mkUserPackages lib config.my.services.printing.users packages;
     services.printing = {
       enable = true;
       drivers = printingDrivers;

modules/services/sound.nix

@@ -1,11 +1,10 @@
 {
   config,
   lib,
-  inputs,
   ...
 }:
 {
-  imports = [ inputs.nix-gaming.nixosModules.pipewireLowLatency ];
+  # imports = [ inputs.nix-gaming.nixosModules.pipewireLowLatency ];
   options.my.services.sound.enable = lib.mkEnableOption "audio system and PipeWire";
   config = lib.mkIf config.my.services.sound.enable {
     services.pulseaudio.enable = false;
@@ -15,11 +14,12 @@
       alsa.enable = true;
       alsa.support32Bit = true;
       pulse.enable = true;
-      lowLatency = {
-        enable = true;
-        quantum = 64;
-        rate = 48000;
-      };
+      wireplumber.enable = true;
+      # lowLatency = {
+      #   enable = true;
+      #   quantum = 64;
+      #   rate = 48000;
+      # };
     };
   };
 }

modules/services/syncthing.nix

@@ -53,25 +53,33 @@ in
           user = "jawz";
           password = config.sops.secrets.syncthing_password.path;
         };
-        devices = {
-          server.id = "BG6PF7S-KATABWO-7WAZFMX-6YO7IS3-WQTMR3M-VSOSV7V-HFFMNNH-BFX2EQ4";
-          miniserver.id = "HDYEGIR-GFU7ONK-MOOJUFH-N3L3XHX-SXWN3FI-O23K6LD-BJENQK5-VIPV2AT";
-          workstation.id = "4E4KJ6M-MSTNBVF-D7CNHDW-DUTB3VR-SXKZ4NH-ZKAOMF5-V24JECJ-4STSZAA";
-          galaxy.id = "UAZ5YDV-YUFBXOY-QMS6S6R-WPIIKZI-4OPPW5L-G4OVUPO-YW5KFYY-YASRAAV";
-          phone.id = "OSOX2VZ-AO2SA3C-BFB6NKF-K6CR6WX-64TDBKW-RRKEKJ4-FKZE5CV-J2RGJAJ";
-          wg-friend1 = {
-            id = "XBIYCD4-EFKS5SK-WFF73CU-P37GXVH-OMWEIA4-6KC5F3L-U5UQWSF-SYNNRQF";
-            addresses = [ "tcp://${config.my.ips.wg-friend1}:22000" ];
-            introducer = false;
-            autoAcceptFolders = false;
-            paused = false;
+        devices =
+          let
+            mkWgDevice = name: id: {
+              inherit id;
+              addresses = [ "tcp://${config.my.ips.${name}}:22000" ];
+              introducer = false;
+              autoAcceptFolders = false;
+              paused = false;
+            };
+          in
+          {
+            server.id = "BG6PF7S-KATABWO-7WAZFMX-6YO7IS3-WQTMR3M-VSOSV7V-HFFMNNH-BFX2EQ4";
+            miniserver.id = "HDYEGIR-GFU7ONK-MOOJUFH-N3L3XHX-SXWN3FI-O23K6LD-BJENQK5-VIPV2AT";
+            workstation.id = "4E4KJ6M-MSTNBVF-D7CNHDW-DUTB3VR-SXKZ4NH-ZKAOMF5-V24JECJ-4STSZAA";
+            galaxy.id = "UAZ5YDV-YUFBXOY-QMS6S6R-WPIIKZI-4OPPW5L-G4OVUPO-YW5KFYY-YASRAAV";
+            phone.id = "OSOX2VZ-AO2SA3C-BFB6NKF-K6CR6WX-64TDBKW-RRKEKJ4-FKZE5CV-J2RGJAJ";
+            wg-friend1 = mkWgDevice "wg-friend1" "XBIYCD4-EFKS5SK-WFF73CU-P37GXVH-OMWEIA4-6KC5F3L-U5UQWSF-SYNNRQF";
+            wg-friend2 = mkWgDevice "wg-friend2" "XBIYCD4-EFKS5SK-WFF73CU-P37GXVH-OMWEIA4-6KC5F3L-U5UQWSF-SYNNRQF";
+            wg-friend3 = mkWgDevice "wg-friend3" "XBIYCD4-EFKS5SK-WFF73CU-P37GXVH-OMWEIA4-6KC5F3L-U5UQWSF-SYNNRQF";
+            wg-friend4 = mkWgDevice "wg-friend4" "7YPUQ4Y-2UVEAXI-KBQVU7R-B6R5O36-GDQPTOY-3R3OG7H-BVWVOTD-EX52VQM";
           };
-        };
         folders = {
           cache = mkMobile "~/Downloads/cache/";
-          friends = mkMobile "~/Pictures/artist/friends/";
-          forme = mkMobile "~/Pictures/art for me/";
+          friends = mkMobile "~/Pictures/Artist/friends/";
+          forme = mkMobile "~/Pictures/Art for me/";
           comfy = mkMobile "~/Development/AI/ComfyUI/output/";
+          clean = mkMobile "~/Pictures/Unorganized/unified mess/sync";
           gdl = {
             path = "~/.config/jawz/";
             ignorePerms = false;
@@ -104,7 +112,20 @@ in
             ];
           };
           friend_share = {
-            path = "~/Pictures/encrypted/friends";
+            path = "~/Pictures/Encrypted/friends";
+            ignorePerms = false;
+            type = "sendreceive";
+            devices = [
+              "server"
+              "workstation"
+              "wg-friend1"
+              "wg-friend2"
+              "wg-friend3"
+              "wg-friend4"
+            ];
+          };
+          family_share = {
+            path = "~/Pictures/Encrypted/family";
             ignorePerms = false;
             type = "sendreceive";
             devices = [

modules/shell/config.nix

@@ -1,20 +1,32 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }:
 {
-  options.my.shell.type = lib.mkOption {
-    type = lib.types.enum [
-      "bash"
-      "zsh"
-    ];
-    default = "bash";
-    description = "The shell to use system-wide (bash or zsh)";
+  options.my.shell = {
+    type = lib.mkOption {
+      type = lib.types.enum [
+        "bash"
+        "zsh"
+      ];
+      default = "bash";
+      description = "The shell to use system-wide (bash or zsh)";
+    };
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.shell;
+      description = "Users to configure shell for";
+    };
   };
   config = {
-    users.users.jawz.shell = pkgs.${config.my.shell.type};
+    users.users = lib.mkMerge (
+      map (user: {
+        ${user}.shell = pkgs.${config.my.shell.type};
+      }) (inputs.self.lib.normalizeUsers config.my.shell.users)
+    );
     programs.zsh.enable = config.my.shell.type == "zsh";
   };
 }

modules/shell/exercism.nix

@@ -1,17 +1,29 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }:
 {
-  options.my.shell.exercism.enable = lib.mkEnableOption "Exercism coding practice platform";
-  config = lib.mkIf config.my.shell.exercism.enable {
-    users.users.jawz.packages = builtins.attrValues {
-      inherit (pkgs)
-        exercism # learn to code
-        bats # testing system, required by Exercism
-        ;
+  options.my.shell.exercism = {
+    enable = lib.mkEnableOption "Exercism coding practice platform";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.shell;
+      description = "Users to install Exercism for";
     };
   };
+  config = lib.mkIf config.my.shell.exercism.enable {
+    users.users =
+      let
+        packages = builtins.attrValues {
+          inherit (pkgs)
+            exercism # learn to code
+            bats # testing system, required by Exercism
+            ;
+        };
+      in
+      inputs.self.lib.mkUserPackages lib config.my.shell.exercism.users packages;
+  };
 }

modules/shell/multimedia.nix

@@ -6,43 +6,62 @@
   ...
 }:
 {
-  options.my.shell.multimedia.enable = lib.mkEnableOption "multimedia CLI tools and codecs";
-  config = lib.mkIf config.my.shell.multimedia.enable {
-    sops.secrets."gallery-dl/secrets" = {
-      sopsFile = ../../secrets/gallery.yaml;
-      owner = "jawz";
-      mode = "0400";
-    };
-    home-manager.users.jawz.programs = {
-      yt-dlp = {
-        enable = true;
-        settings = {
-          embed-thumbnail = true;
-          embed-subs = true;
-          sub-langs = "all";
-          cookies-from-browser = "firefox+gnomekeyring:/home/jawz/.librewolf/jawz";
-        };
-      };
-      gallery-dl = {
-        enable = true;
-        settings = inputs.self.lib.importDotfile ../../dotfiles/gallery-dl.nix;
-      };
-      ${config.my.shell.type} = {
-        initExtra = lib.mkAfter ''
-          if [ -r "${config.sops.secrets."gallery-dl/secrets".path}" ]; then
-            set -a  # automatically export all variables
-            source "${config.sops.secrets."gallery-dl/secrets".path}"
-            set +a  # stop automatically exporting
-          fi
-        '';
-      };
-    };
-    users.users.jawz.packages = builtins.attrValues {
-      inherit (pkgs)
-        ffmpeg # not ffmpreg, the coolest video conversion tool!
-        imagemagick # photoshop what??
-        ffpb # make ffmpeg encoding... a bit fun
-        ;
+  options.my.shell.multimedia = {
+    enable = lib.mkEnableOption "multimedia CLI tools and codecs";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.shell;
+      description = "Users to install multimedia shell tools for";
     };
   };
+  config = lib.mkIf config.my.shell.multimedia.enable {
+    sops.secrets."gallery-dl/secrets" =
+      let
+        user = inputs.self.lib.getFirstUser config.my.shell.multimedia.users;
+      in
+      {
+        sopsFile = ../../secrets/gallery.yaml;
+        owner = user;
+        mode = "0400";
+      };
+    home-manager.users =
+      inputs.self.lib.mkHomeManagerUsers lib config.my.shell.multimedia.users
+        (user: {
+          programs = {
+            yt-dlp = {
+              enable = true;
+              settings = {
+                embed-thumbnail = true;
+                embed-subs = true;
+                sub-langs = "all";
+                cookies-from-browser = "firefox+gnomekeyring:/home/${user}/.librewolf/${user}";
+              };
+            };
+            gallery-dl = {
+              enable = true;
+              settings = inputs.self.lib.importDotfile ../../dotfiles/gallery-dl.nix;
+            };
+            ${config.my.shell.type} = {
+              initExtra = lib.mkAfter ''
+                if [ -r "${config.sops.secrets."gallery-dl/secrets".path}" ]; then
+                  set -a  # automatically export all variables
+                  source "${config.sops.secrets."gallery-dl/secrets".path}"
+                  set +a  # stop automatically exporting
+                fi
+              '';
+            };
+          };
+        });
+    users.users =
+      let
+        packages = builtins.attrValues {
+          inherit (pkgs)
+            ffmpeg # not ffmpreg, the coolest video conversion tool!
+            imagemagick # photoshop what??
+            ffpb # make ffmpeg encoding... a bit fun
+            ;
+        };
+      in
+      inputs.self.lib.mkUserPackages lib config.my.shell.multimedia.users packages;
+  };
 }

modules/shell/tools.nix

@@ -9,82 +9,91 @@ let
   shellType = config.my.shell.type;
 in
 {
-  options.my.shell.tools.enable = lib.mkEnableOption "shell tools and utilities";
-  config = lib.mkIf config.my.shell.tools.enable {
-    home-manager.users.jawz.programs = {
-      hstr.enable = true;
-      htop = {
-        enable = true;
-        package = pkgs.htop-vim;
-      };
-      eza = {
-        enable = true;
-        git = true;
-        icons = "auto";
-      };
-      zoxide = {
-        enable = true;
-        enableBashIntegration = shellType == "bash";
-        enableZshIntegration = shellType == "zsh";
-      };
-      bat = {
-        enable = true;
-        config.pager = "less -FR";
-        extraPackages = builtins.attrValues {
-          inherit (pkgs.bat-extras)
-            batman # man pages
-            batpipe # piping
-            batgrep # ripgrep
-            batdiff # this is getting crazy!
-            batwatch # probably my next best friend
-            prettybat # trans your sourcecode!
-            ;
-        };
-      };
-      password-store = {
-        enable = false;
-        package = pkgs.gopass;
-        settings = {
-          PASSWORD_STORE_AUTOCLIP = "true";
-          PASSWORD_STORE_AUTOIMPORT = "false";
-          PASSWORD_STORE_CLIPTIMEOUT = "45";
-          PASSWORD_STORE_EXPORTKEYS = "false";
-          PASSWORD_STORE_NOPAGER = "false";
-          PASSWORD_STORE_NOTIFICATIONS = "false";
-          PASSWORD_STORE_PARSING = "true";
-          PASSWORD_STORE_PATH = "/home/jawz/.local/share/pass";
-          PASSWORD_STORE_SAFECONTENT = "true";
-        };
-      };
-      ${shellType} = {
-        shellAliases = inputs.self.lib.mergeAliases inputs.self.lib.commonAliases {
-          cd = "z";
-          hh = "hstr";
-          ls = "eza --icons --group-directories-first";
-          rm = "trash";
-          b = "bat";
-          f = "fzf --multi --exact -i";
-          unique-extensions = ''
-            fd -tf | rev | cut -d. -f1 | rev |
-            tr '[:upper:]' '[:lower:]' | sort |
-            uniq --count | sort -rn'';
-        };
-      }
-      //
-        inputs.self.lib.shellConditional shellType
-          ''
-            if command -v fzf-share >/dev/null; then
-            source "$(fzf-share)/key-bindings.bash"
-            source "$(fzf-share)/completion.bash"
-            fi
-          ''
-          ''
-            if command -v fzf-share >/dev/null; then
-            source "$(fzf-share)/key-bindings.bash"
-            source "$(fzf-share)/completion.bash"
-            fi
-          '';
+  options.my.shell.tools = {
+    enable = lib.mkEnableOption "shell tools and utilities";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.shell;
+      description = "Users to install shell tools for";
     };
+  };
+  config = lib.mkIf config.my.shell.tools.enable {
+    home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.shell.tools.users (user: {
+      programs = {
+        hstr.enable = true;
+        htop = {
+          enable = true;
+          package = pkgs.htop-vim;
+        };
+        eza = {
+          enable = true;
+          git = true;
+          icons = "auto";
+        };
+        zoxide = {
+          enable = true;
+          enableBashIntegration = shellType == "bash";
+          enableZshIntegration = shellType == "zsh";
+        };
+        bat = {
+          enable = true;
+          config.pager = "less -FR";
+          extraPackages = builtins.attrValues {
+            inherit (pkgs.bat-extras)
+              batman # man pages
+              batpipe # piping
+              batgrep # ripgrep
+              batdiff # this is getting crazy!
+              batwatch # probably my next best friend
+              prettybat # trans your sourcecode!
+              ;
+          };
+        };
+        password-store = {
+          enable = false;
+          package = pkgs.gopass;
+          settings = {
+            PASSWORD_STORE_AUTOCLIP = "true";
+            PASSWORD_STORE_AUTOIMPORT = "false";
+            PASSWORD_STORE_CLIPTIMEOUT = "45";
+            PASSWORD_STORE_EXPORTKEYS = "false";
+            PASSWORD_STORE_NOPAGER = "false";
+            PASSWORD_STORE_NOTIFICATIONS = "false";
+            PASSWORD_STORE_PARSING = "true";
+            PASSWORD_STORE_PATH = "/home/${user}/.local/share/pass";
+            PASSWORD_STORE_SAFECONTENT = "true";
+          };
+        };
+        ${shellType} = {
+          shellAliases = inputs.self.lib.mergeAliases inputs.self.lib.commonAliases {
+            cd = "z";
+            hh = "hstr";
+            ls = "eza --icons --group-directories-first";
+            rm = "trash";
+            b = "bat";
+            f = "fzf --multi --exact -i";
+            unique-extensions = ''
+              fd -tf | rev | cut -d. -f1 | rev |
+              tr '[:upper:]' '[:lower:]' | sort |
+              uniq --count | sort -rn'';
+          };
+        }
+        //
+          inputs.self.lib.shellConditional shellType
+            ''
+              if command -v fzf-share >/dev/null; then
+              source "$(fzf-share)/key-bindings.bash"
+              source "$(fzf-share)/completion.bash"
+              fi
+            ''
+            ''
+              if command -v fzf-share >/dev/null; then
+              source "$(fzf-share)/key-bindings.bash"
+              source "$(fzf-share)/completion.bash"
+              fi
+            '';
+      };
+    });
     programs = {
       starship.enable = true;
       tmux.enable = true;
@@ -94,21 +103,25 @@ in
         vimAlias = true;
       };
     };
-    users.users.jawz.packages = builtins.attrValues {
-      inherit (pkgs)
-        ripgrep # modern grep
-        dust # rusty du similar to gdu
-        fd # modern find, faster searches
-        fzf # fuzzy finder! super cool and useful
-        gdu # disk-space utility checker, somewhat useful
-        tealdeer # man for retards
-        trash-cli # oop! did not meant to delete that
-        jq # json parser
-        yq # yaml parser
-        smartmontools # check hard drie health
-        rmlint # amazing dupe finder that integrates well with BTRFS
-        ;
-    };
+    users.users =
+      let
+        packages = builtins.attrValues {
+          inherit (pkgs)
+            ripgrep # modern grep
+            dust # rusty du similar to gdu
+            fd # modern find, faster searches
+            fzf # fuzzy finder! super cool and useful
+            gdu # disk-space utility checker, somewhat useful
+            tealdeer # man for retards
+            trash-cli # oop! did not meant to delete that
+            jq # json parser
+            yq # yaml parser
+            smartmontools # check hard drie health
+            rmlint # amazing dupe finder that integrates well with BTRFS
+            ;
+        };
+      in
+      inputs.self.lib.mkUserPackages lib config.my.shell.tools.users packages;
     environment.variables = {
       HISTFILE = "\${XDG_STATE_HOME}/bash/history";
       LESSHISTFILE = "-";

modules/users/nixremote.nix

@@ -32,7 +32,8 @@
       groups.nixremote.gid = config.my.users.nixremote.gid;
       users.nixremote = {
         inherit (config.my.users.nixremote) home;
-        isNormalUser = true;
+        uid = 979;
+        isSystemUser = true;
         createHome = true;
         group = "nixremote";
         openssh.authorizedKeys.keyFiles = config.my.users.nixremote.authorizedKeys;

parts/core.nix

@@ -175,6 +175,13 @@ in
         inherit name;
         value.enable = true;
       };
+      mkEnabledWithUsers = name: {
+        inherit name;
+        value = {
+          enable = true;
+          users = "jawz";
+        };
+      };
       mkEnabledWithProxy = name: {
         inherit name;
         value = {
@@ -213,6 +220,44 @@ in
         windows_vm = ../secrets/ssh/ed25519_windows_vm.pub;
       };
       getSshKeys = keyNames: keyNames |> map (name: inputs.self.lib.sshKeys.${name});
+      # Helper functions for multi-user toggle support
+      normalizeUsers = users: if builtins.isString users then [ users ] else users;
+      mkUserPackages =
+        lib: users: packages:
+        lib.mkMerge (
+          map (user: {
+            ${user}.packages = packages;
+          }) (inputs.self.lib.normalizeUsers users)
+        );
+      mkUserAttrs =
+        lib: users: attrs:
+        lib.mkMerge (
+          map (user: {
+            ${user} = attrs;
+          }) (inputs.self.lib.normalizeUsers users)
+        );
+      mkHomeManagerUsers =
+        lib: users: fn:
+        lib.mkMerge (
+          map (user: {
+            ${user} = fn user;
+          }) (inputs.self.lib.normalizeUsers users)
+        );
+      getFirstUser = users: if builtins.isString users then users else (builtins.head users);
+      usersOptionType =
+        lib:
+        lib.mkOptionType {
+          name = "usersOption";
+          description = "Either a single user (string) or multiple users (list of strings)";
+          check = x: builtins.isString x || (builtins.isList x && lib.all builtins.isString x);
+          merge =
+            _loc: defs:
+            let
+              normalize = users: if builtins.isString users then [ users ] else users;
+              allUsers = lib.foldl' (acc: def: acc ++ (normalize def.value)) [ ] defs;
+            in
+            lib.unique allUsers;
+        };
     };
   };
 }

secrets/env.yaml

@@ -1,15 +1,18 @@
 gitea: ENC[AES256_GCM,data:8o+U4qFdyIhCPNlYyflQIuLHsQHtbT6G/a0OyCUeg9DtIeABXNVFhiy4iFRuIF0=,iv:AYwqDRNML1XuzwQnD4VmI4rKWYfTJjOjibrAbI5qgcA=,tag:UPL3UlETdkoFXLihEIGcSw==,type:str]
 shiori: ENC[AES256_GCM,data:tV7+1GusZvcli8dM86xOD71dc2mzcyfQwMeTh//LDb0=,iv:ED9wR6QjQgwd9Ll/UC5FK3CyYK3b0RniC/D6Y0nGEOI=,tag:X/aopMc2vhnRW2iTphFflQ==,type:str]
 flame: ENC[AES256_GCM,data:XsYRsA2xs+juWje2Od2Yl2xIvU0OS8xMrtwtcK/0NyyRrg==,iv:FR8lHsNQNCaOy4P+7BsIjNCz+H38i5RlwLYQ4fpB2+w=,tag:61EV7H04pcr1bSX4nSvlpw==,type:str]
-ryot: ENC[AES256_GCM,data:VMWf3VqcUdyJu2Ygd3XmoqGNWY/W/VJ4213ej0FrA95kAoX+S+j0+4a4B65NtW9UheDSxD1swTXebyenJCIN/tEZwH2wj9I12akNNvSDpt/LG3d1/BZ62cvLCb5n9vyE/vcXgJVfPUqmc67pYDWLpEV/vkKjpqwNH4Y8vnapVo1ytIgsjkTuBb7VFbnRPvYs6J1M0rnaTtkVhOBoRxv+Xg3pWYCgFEXdM/Pg/WKqdHpyh+tJqR74Z91Mwv6G56ZYEDQmAp+Cn+Kk2zZ+t44UAu1SQOgYXPLep+4/PgWw/vQMuyN7GNNP6TrsX3g+ONtJtkdmGu6ArcfbRAky4vM14DxlQP4xSjYSu+FDWGJL/J4TMw6IVDuw/TDVNpMrhBmZdPujYLUW1c6GCCEchBknNfw/Wt+NyTjOzCmZLVw760jY05Fa9kcW2kz+P0iAGTviY7yJZWDctP6PrVNtG1cXc4noJqV/uJ9sQmuGWCiTzaCIIZEhwRKnvjpvZNisKPhx4tctZMWm8l9gKO/TJC/SHMIhvEazmH4v0AzCiRUzdTfnWQZGTNenDrCUetztPh/UUJbLZjhFBH3QR26w/3I5oNpUzUDhfDhcEYtfWuB7ckbkXT8nyYMfe0OR16yJTfQCdnIPBhAUi1g1ZV3jFg+OhYWxk73lPiqC1ADRNh01L1k90PMMWtLXXm6aQ28cB+iQTvvgKbDrr76U8bXoZUyEl30waOQ2HT6nDG61OBUtQHTu6/cFhfhrnU6poAD/k+L7SyqcBoMYAZJN6Us1y3SKhV/3mXVKjRwSl5XZSW+ZpcRe/Cg4bonxFBYsZyY3VjK0LC4Cj8ijh4LpYWrGWtVmWOt/gg7UQPTd81A=,iv:Oa2pvfDpfPr3pqeAg2kYIzjf8KUK9ckMfbVymM78FyE=,tag:XyjYEvWo46BliYXdDH8QrQ==,type:str]
-mealie: ENC[AES256_GCM,data:RjKqDs70lWhGN0LXPp3feQfW/WtfJlR6vX++0hwGtqcA3iepEh2Ab/36YRKbsVRBkglp0u18MusTmP0LSHUpzgCn/c/5ZzzRLGL83K3aQRlg8JtdTvzvEnLQSdE=,iv:GEfa8LwpOhkqWtLk0I5F14zkHcnFjVhVaHeLSFlDkN4=,tag:lkGcFn91hVxraMHCKF7rXQ==,type:str]
 maloja: ENC[AES256_GCM,data:yCwokfD4I1Boy2NOhOTLA3dWgUVOdSzWKIEdYC0klvYu41IGcM8bM65uYFmiOtk+jHgt6j3kO/pBBlC4w/iTElphTqFyFRGdBN4fNRntAhMzqOszBZII,iv:Vf9hfNwSTBkh2cXV7Y2fv4NA8kng2M1i7BtTXJvy4u4=,tag:KLc8sP6N2/Pp/9069E3aPQ==,type:str]
-multi-scrobbler: ENC[AES256_GCM,data:ce3dd0PKm6eyD2AqWmw+8iex/tBHgMhG8ASoOMkT3c9k6kiZabpTTFTkcouMO+s42P+qjWQAUJcJlDdYVYJZbAqw8nnxLrtYmKoBknSbbWijlR//CpgfwuuAWIyGQAGVPliuxz+lR+1cf/G2mXM+FJIfp8Sliak3v/nGg3ry0bdjbOLVoBM4rS90Jrq98ZuBrjlFVhcJTKkEHtgDv8N56wWbPL/r3cTlS9MoEu2ulCSLvfu/snr8HqJ5yssAGQ==,iv:jOJulX6o3t+W6DrD6sU7amDH7JQP/JFGBI9IM8m/sXU=,tag:jFZoLpYFXj+xplbypf3nvw==,type:str]
-vaultwarden: ENC[AES256_GCM,data:NituIOyGrYALEkuwKT0RRS1gvi3wjC6ZSAfUIejfi8xoePE6vSNztJTGsRSIh4sJnRrQIiDuKTmRKZDM6AtX/oEBsNW8MVq+lWAq/vtcO7fuTriySEungmpXhQwRZD6NsXE+9283P3s6RshpA4iipmENiW2v2/uxkIXxtTguUxfX0psWYtF6mx5/hpaoNZ523OB69m6veAxD6Pmnj+pTOAORGXHldoNrxNc35WBDdndjAZICyO873tbs22VJOWD9a66BNxtfwIPYoFkuPO6QG3nnFfyPSQ==,iv:rmDJbrP+NQ5HGdRCWSYfymP8dU9WJdMEhAg80eupgeY=,tag:kdNzgWjgeqaTCjqUCc4uWw==,type:str]
-dns: ENC[AES256_GCM,data:fQN3SOm0HzOjSjTohRAD4KlXdEu5PbQc3DvK3rLC1S4G0G4HUPkgucN6vJUwVJPiY0AB+L/iLNcqCRz8OH0qNtfnikBbDicq0OfrwjnN+VzmbwmrS6AdFo6lilbxI3Jb8YwGMrQxXg0U9F2/WVLETbzICG2KpukwIER0xxQpb51OVL+2hviGV8JpWKo66S6pug628Zc+uMJXEBPSqCpz2vXHXnXWMszP6MlqVfNm/zE=,iv:DOj0e8y+2N9eRA81nlT0kS66sXWZoLSVn0NAiUkNcDY=,tag:+0Baqs6TbTAmt3lRfncE6Q==,type:str]
+oauth2-proxy: ENC[AES256_GCM,data:MnAMX4adm8joZGaxZhgMDGf/15U2tk3dE/0dHFwETIi4JdpNvG/PUHTWGmXJrUnRrFxdZaOtGUzAMF47,iv:eEoo0YM+wt2/pCcONHM9YPRj/q4fC9OQZr+ckRsmhjY=,tag:AevxpvvRt13T5w5xwzay5w==,type:str]
 cloudflare-api: ENC[AES256_GCM,data:iNUMlY8rz5yHVitpK4HGaFSK7j+c8Pm7rOQMOQGmSJ3a8ASyrtouPgLbcnoPY/jalsJYAj991dSiui+Vwqs=,iv:qWONG/KLd9/F4tqrWF5T25Zxst3bk+kOYaOFBFSBAAY=,tag:gRFxar8KS8gnX8oaCD156Q==,type:str]
 synapse: ENC[AES256_GCM,data:IR0pFwQBEM4O8mzzYXrPe2FjulSUGuitzLDLms2uovr6gEU82mCkRO/UCQOybNm03iOQeXX0Whz739kpYSGSInEyx69BNG/etH+bMu+GbYeMdrTEyXHSa7kcH4Ug,iv:Vn2ILYXnCj+Op/E2kWoxV+2ZtlxYJxO6XK3Ql41KW6w=,tag:9wogJFLlmfM5PRgPdwFlcw==,type:str]
 readeck: ENC[AES256_GCM,data:TsIkHLji37dDHQRt78SquBhoSREHDgvgbc6+M1k2MLrgMGJ/Ejfy5AZXCIp/Qj5sXDzKP4j6Y6xFvGLswCqe02XjqGCpX13gZVCFPuKr8Nq051Xg,iv:Rc/pjYP+Vd/DvLCYsfJjDrnAlAiUlZOcNeeYzE6O3UY=,tag:OvR+CXMmrUFbsrHvduhnjA==,type:str]
+keycloak: ENC[AES256_GCM,data:BmwZxuJaOB8F7zmBNAf42lkw36s5TepimtdyT2xjdGVyuHgRHbTZqeVen7/0II39qrJjko4agZJgToIZ1uhaC/gpGSoHZlib3rJozPCqmBc42nO6SOtpIO8=,iv:kPModK85937/liNk6iLIRiQ/G5yB7S7h24ZzPb8A1zo=,tag:lWvDQAHVRiBz8XZUoADKvw==,type:str]
+ryot: ENC[AES256_GCM,data:VMWf3VqcUdyJu2Ygd3XmoqGNWY/W/VJ4213ej0FrA95kAoX+S+j0+4a4B65NtW9UheDSxD1swTXebyenJCIN/tEZwH2wj9I12akNNvSDpt/LG3d1/BZ62cvLCb5n9vyE/vcXgJVfPUqmc67pYDWLpEV/vkKjpqwNH4Y8vnapVo1ytIgsjkTuBb7VFbnRPvYs6J1M0rnaTtkVhOBoRxv+Xg3pWYCgFEXdM/Pg/WKqdHpyh+tJqR74Z91Mwv6G56ZYEDQmAp+Cn+Kk2zZ+t44UAu1SQOgYXPLep+4/PgWw/vQMuyN7GNNP6TrsX3g+ONtJtkdmGu6ArcfbRAky4vM14DxlQP4xSjYSu+FDWGJL/J4TMw6IVDuw/TDVNpMrhBmZdPujYLUW1c6GCCEchBknNfw/Wt+NyTjOzCmZLVw760jY05Fa9kcW2kz+P0iAGTviY7yJZWDctP6PrVNtG1cXc4noJqV/uJ9sQmuGWCiTzaCIIZEhwRKnvjpvZNisKPhx4tctZMWm8l9gKO/TJC/SHMIhvEazmH4v0AzCiRUzdTfnWQZGTNenDrCUetztPh/UUJbLZjhFBH3QR26w/3I5oNpUzUDhfDhcEYtfWuB7ckbkXT8nyYMfe0OR16yJTfQCdnIPBhAUi1g1ZV3jFg+OhYWxk73lPiqC1ADRNh01L1k90PMMWtLXXm6aQ28cB+iQTvvgKbDrr76U8bXoZUyEl30waOQ2HT6nDG61OBUtQHTu6/cFhfhrnU6poAD/k+L7SyqcBoMYAZJN6Us1y3SKhV/3mXVKjRwSl5XZSW+ZpcRe/Cg4bonxFBYsZyY3VjK0LC4Cj8ijh4LpYWrGWtVmWOt/gg7UQPTd81A=,iv:Oa2pvfDpfPr3pqeAg2kYIzjf8KUK9ckMfbVymM78FyE=,tag:XyjYEvWo46BliYXdDH8QrQ==,type:str]
+isso: ENC[AES256_GCM,data:yfcIsfGuEH3pcpsbBZWXbxrO39AQxHYMaNDHpjhJmwQBUnWgKSWCynIDWgUm+Gjy5r/4GP373xCSiWg3ti7MMgbmqKpd2fL886mrk/7fLMocQqW4sCfWaObzwoEjDvrjDbqAaaJxP4PDcrxOUjj3MiIzQSMPY35I02tbJKTuB6WQw+DftI5Or1/H,iv:j8qp9BSWegV2lKLDlNhlTnWtYABQFPIBEuZJQNpGMjs=,tag:zsiY5crL9bVwOXtwhAeDPw==,type:str]
+mealie: ENC[AES256_GCM,data:/XRyhFGfsSF9y2UEvWIjB05LGkYx4kbl1u5ninGEnkPkbmyRfW0TXybeVKwcX/By05KkbUk+C4N00qykmo16KpI/lRytfnsQHmutST6dV1C5CB6XiPymG8WcntwOtmUiMEwm9qqgEJfoaeFfwdY+03+GFuS2cSphGe6XN8dUOTe+IjNIO4U8U2FXtvcNEsd5SohWkbnObZScKocOSFemjjKoSySwJpK64sQwVKOyIgVECuWo1asXShvmYY3iE6coB7DEk3PaS3hj5u7neN+muZrdANBZjlFxANWDhvFLX6fplRXZLS7DE0KjTqeVjC237Q==,iv:RyRG36wUkiGIZ6l9bXY2cj7jdi8SSJLrbpkOA4uRigU=,tag:frzKD0eabB8O6UH/+pJBTw==,type:str]
+multi-scrobbler: ENC[AES256_GCM,data:ce3dd0PKm6eyD2AqWmw+8iex/tBHgMhG8ASoOMkT3c9k6kiZabpTTFTkcouMO+s42P+qjWQAUJcJlDdYVYJZbAqw8nnxLrtYmKoBknSbbWijlR//CpgfwuuAWIyGQAGVPliuxz+lR+1cf/G2mXM+FJIfp8Sliak3v/nGg3ry0bdjbOLVoBM4rS90Jrq98ZuBrjlFVhcJTKkEHtgDv8N56wWbPL/r3cTlS9MoEu2ulCSLvfu/snr8HqJ5yssAGQ==,iv:jOJulX6o3t+W6DrD6sU7amDH7JQP/JFGBI9IM8m/sXU=,tag:jFZoLpYFXj+xplbypf3nvw==,type:str]
+vaultwarden: ENC[AES256_GCM,data:6PID5tUMZ6BlyddmxumG3Z4uoxDezr8OIRJPYd7SrW1kTGUaQyewIxFajngOY3r251t61IwbKe0MwWeugpi7w2kxVJN4e0WErwUZDjBPCQxukbu81kVbUzCS3VDm1TP0fKylJUPIK3bkKKHkD5XDGo22YtuhICyaPkYXNtEEs2TCAHagBuSrVVEYPbp8as7FS1j8L47XUkjaT919w298nB8s7jNo4VvaNeHFgWVdH0oRRD/VUJj7yewXaugk+mlsRMuNd9HqxpOophIHzX2B59YG3rBA6w==,iv:Xgv4OTDJNf+atQHFAvSEYMXcW65cm7wqN9VtmDHS3MU=,tag:ZN/igsxJb025HmCriLcCZQ==,type:str]
+dns: ENC[AES256_GCM,data:fQN3SOm0HzOjSjTohRAD4KlXdEu5PbQc3DvK3rLC1S4G0G4HUPkgucN6vJUwVJPiY0AB+L/iLNcqCRz8OH0qNtfnikBbDicq0OfrwjnN+VzmbwmrS6AdFo6lilbxI3Jb8YwGMrQxXg0U9F2/WVLETbzICG2KpukwIER0xxQpb51OVL+2hviGV8JpWKo66S6pug628Zc+uMJXEBPSqCpz2vXHXnXWMszP6MlqVfNm/zE=,iv:DOj0e8y+2N9eRA81nlT0kS66sXWZoLSVn0NAiUkNcDY=,tag:+0Baqs6TbTAmt3lRfncE6Q==,type:str]
 lidarr-mb-gap: ENC[AES256_GCM,data:bNzD9Nf9BWAPkm0Yk0J4MJbmo908QX9VsD+40Rngnfec9nzH4vZ2DrelxRllgT1kgnXMQzvoSgNhBwkDN4fgX73hz1FjkytTwahlO0wcY6R+tw4aokh0QYy0TVx5pZ4u1FEQOAp3IMgBsP8HOqaL/NEsEo3yb0K9iC3AfFihkLDJmVh26Pg=,iv:go0qS7/BcfcAMPkAdGWCoL61gNqBG5lWDev++y9DJ/I=,tag:LgtEyTZH8NfhfrKTcAigZw==,type:str]
 sops:
     age:
@@ -49,7 +52,7 @@ sops:
             QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb
             9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-11T23:18:34Z"
-    mac: ENC[AES256_GCM,data:i3U364pjZB5Y61Wf7ETbXhNWyfH1gw0oyPcNyT+nCIJmePh8JWiP9hnHmZfLS1BKkI2powQdezbz9R0XDvU7g2SkV8EsWmn/h3rFwbopUZbeRQ2SCoX7LGFez74l1oTPQjL8zWJVdrUtfAFgbZKSEWuz7rsDieKBVhIJwWaeePY=,iv:N4z+X3eD6jH+zQfY24qec+U6wkfhLGPm4MzY8T2Km/A=,tag:yluW5YSKMZ4Kk+wcXbkj8Q==,type:str]
+    lastmodified: "2025-12-26T03:14:55Z"
+    mac: ENC[AES256_GCM,data:gIWqEMtFkoEnFV/I4cefglnXxxr1XwON/Oiv/iHv1h5zVLvEwdGC9hyQB1KEKUEHDxWjh8GpKXn9rkZ5pncs7vZdjgiMXyVC7IAiN7uT03RfyGjPtLy7T9qqzmac2uOWLoCnda6No4VIBGG50leh5J7WDk4hKXvlm49xCwSlcLw=,iv:fVtqpXMO3klwAztFRXODLp5H9kq9LJt82Zsoq/59dTU=,tag:XTa90qDkg7ehW6xoXRwEVw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

secrets/secrets.yaml

@@ -1,11 +1,11 @@
 jawz-password: ENC[AES256_GCM,data:j5qya2z9bDESQopcBpLBktyBvIuplbq3Ql4TovdAF1BIJHcf4CAjFuCStW0axFEOST6bgJwhcZZvK4rWUyoS47eaFDp2lkiQnQ==,iv:GNEA8v0NR+PGe4yvlm4V6tTJD5NmlswRPH7JnQJUyLk=,tag:dpxDK88cAJSk+XdFF2mDww==,type:str]
-smtp-password: ENC[AES256_GCM,data:KAIn6lp6JXY39SgMPGP3tQ==,iv:Mgmo9bLT3iIGXw6THqJO6+IuPV65VXo1+vE3PrmS44Y=,tag:8urcnZtccaPJSOuHiZAp5A==,type:str]
+derek-password: ENC[AES256_GCM,data:gMX5fWnfYYUOArD6YJeyTgSHqE2KFKvTU2zNqr4YkEZx443zGYajRcuE4QRx1HXY71r/sipWpIURntBQrCksDy4rEtpKuHMeQdTfZWp5dSZU7oHcLr9MEr86kgMArFpaIELdNNprbS7Tqw==,iv:6kWIXFMNiH3Z2tAPVtylWYF+v8qeKVzk37fIpBQ486E=,tag:Akik/1gUm1R4zcGdSLWKag==,type:str]
+smtp-password: ENC[AES256_GCM,data:Reb6wDlZivAn5DVI2swNfQ==,iv:ZT4QvFXYmgFl1Ut07Yic1qnA8JvapSTfKw2DPCoQMEU=,tag:A5jIqUrmUwROS/LKbsahsQ==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:g0bnifEbMykPBVwMF14EhT/RWGsnEzJ6sXXmxSJ6kIVDeRr8XVRbFzusxlxAOOlseVwPT6e4Ad8=,iv:Gy0LwUNCw8gnqlwk91qguSEeufIJDtaqNNLX1vZp7vA=,tag:y8H42B1rue0X7/4nG/Whsw==,type:str]
 firefly-iii-keyfile: ENC[AES256_GCM,data:HTifd3/5apa9f0RiOh33aRRoVkRskgo/2FV9S01wQSEmKFLg2M9gNNFm6gv2/WCQvNc1,iv:4yLIQQkfqhLixQtAOsbQePNlKOrU2p6Dqw9aLPDoJrM=,tag:uSbAMCy4FWRMU+QhExAE2w==,type:str]
-resilio:
-    host: ENC[AES256_GCM,data:iITbrqpJSdM52A==,iv:8sahhsUA9iIXNlJYKAkakllQDbYVOsGuwBulK9FyvTU=,tag:zKKHwrEFUkl3Fcd0RJcIjw==,type:str]
-    user: ENC[AES256_GCM,data:31s2ihj2cN9C5Lyr2w==,iv:2MzKiRoDosawbeQ04LUKbfbSVFUUD6uUYynB6B0WNWw=,tag:GR0lXvLZAPof6WE3Verimg==,type:str]
-    password: ENC[AES256_GCM,data:codFGm4O9QkI2+hbrVK3UqwFWETXyfl9y3Q5lY6UfnIRe/IqWG8Ibly1BUlh7OjKIepXm6m35e6QPioVSiUT5Ll1SIE=,iv:QWqKyKrvm2y2UM2Ir1COxjV0jgU8jTeu9ehnyeXTwCE=,tag:Xtr+r7EphaiLjGwK5gmsMQ==,type:str]
+postgres-password: ENC[AES256_GCM,data:V0g4T1cLUFnTN94zZZR83/KVJFUDGEWVEn6nyijnver4QCELUFkNr99s9g==,iv:1ymHA0JaVC2/aHdg4TmJmuKOG8JGZRRvynrgQIGdTss=,tag:xsCVpc+HBaNeswYvzo0PaA==,type:str]
+oauth2-proxy-cookie: ENC[AES256_GCM,data:eWEgnIGcdq1aRXWokmVO9DDb+t2oAxNCwFeyOUITzHQ=,iv:x5CROKQ5arUMESWQsroC15xbtMA6/HvnArhBiGwAx6k=,tag:U5yYk1ztExZsou7gVvA8Og==,type:str]
+plausible: ENC[AES256_GCM,data:Vze/uzsB4VkmeQwqJCVwlwT2kLpFoKSKXgaCmZ2633J2L6pVpL+OxnGxiSS7dmEuWRL5HOkMOJJdFWWCUhrv+QUMpp2RQ9bjy1q6gIOtejNTYPNm6/wg+A==,iv:d+ILv3ZDpanUxDJ2IkWaZ3TC14mldafxnjL3yAE+SK0=,tag:YqhGhMtCtvwaazeN7pXQJA==,type:str]
 kavita-token: ENC[AES256_GCM,data:kt3bTZNf4S7sKfbxzXc4Q+9yTPFTKzvEaR+mysBhhdnht+FuN9o9i9liqy2pKvB7WQmPnjQ/aYEYkcPSPg0NC5NwE7lNY7kUJtyHzYm2wkKqkkDIc/aI+dHhtX1SBF99ZpWEhmgnIA2HtCpYXUjkl4pUTKgNi0cn+bb1NULMY0zHyF2f7faOOKTWatQEuG1ZvBpiNIbPbsMznfdrWe9VEKrdtMg8IkK138Cn+EOSu0mCHdU=,iv:NCjegkB9/O6xq3fdWqhyVJy5YetqIpcDmD0yyBh3XXQ=,tag:IiqZY0mhqyUHJ61DRNHPlw==,type:str]
 stash:
     password: ENC[AES256_GCM,data:ZYwrETIJ1K5RJePR9TvmPdVHpZY=,iv:nqIvm5MkSmZxgSLUpZC0Iq2QOp4lU9rh9wtE8FhO7a0=,tag:YIlj9iPGjDVewgtjq0tdag==,type:str]
@@ -52,7 +52,7 @@ sops:
             RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM
             QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-02T20:02:38Z"
-    mac: ENC[AES256_GCM,data:DnbkeF+evVTMhYTg3OU528cRQ+jBiUl7Q7JZxyGRL6USjB2OdIRxqnnCH8L36K2hSAIkKQ/kojyJs+8Pgkx5uD/qsCbGlNT9pSBU1qPdSBxqJsVPxHZmkuf/QxGtE4pgV/50xJMrVyzAetWPZuxcYVfWAPszxDZcR5XDuD+Yjk4=,iv:i2Vt6nv6etIgaaoxsbVlxEnIhIx4adOQZFeyGM/4Saw=,tag:jugPmHU78lap7Hy7RJd9pg==,type:str]
+    lastmodified: "2026-01-16T15:38:39Z"
+    mac: ENC[AES256_GCM,data:4xaoGvLq1UIdozNqQ7v+pORVPDCk+FZRsCRvZ3C5AZOwSaM+UfDYZcI32AI0K80yFyhVIrrjqylykvXghbpQGAju3mv7+7Tbn5p2gqXrB/m1FuyVe/ftw7SSn8FTGL14cdHuPPkQTvV/u7z1IfX4YAOEGqtWiEfOe4YoWT3xc3A=,iv:dygbKjQ0ljgBPyk2aEIa/Mpbs/At+UzuhYy8Sndx/nk=,tag:jYbROlRxeDxqF1YqrBGL8A==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0