54 changed files with 586 additions and 1509 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,8 +3,6 @@ result
 result-*
 .direnv/
 oci-trantor/
 tailscale-tailnet/
 cloudflare-baduhaidev
 # Personal notes and temporary files
 todo.md
--- a/devShells.nix
+++ b/devShells.nix
@ -1,15 +1,15 @@
-{ inputs, ... }:
+{ ... }:
 {
  perSystem =
-    { pkgs, system, ... }:
+    { pkgs, ... }:
    {
      devShells.default = pkgs.mkShell {
        packages = with pkgs; [
-          inputs.agenix.packages.${system}.default
+          agenix-cli
          deploy-rs
          nil
-          nixfmt
+          nixfmt-rfc-style
        ];
      };
    };
--- a/hosts/io/disko.nix
+++ b/hosts/io/disko.nix
@ -1,8 +1,4 @@
 { inputs, ... }:
 {
  imports = [ inputs.disko.nixosModules.default ];
  disko.devices.disk.main = {
    type = "disk";
    device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
--- a/hosts/trantor/disko.nix
+++ b/hosts/trantor/disko.nix
@ -1,11 +1,7 @@
 { inputs, ... }:
 {
  imports = [ inputs.disko.nixosModules.default ];
  disko.devices.disk.main = {
    type = "disk";
-    device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
+    device = "/dev/disk/by-id/scsi-36067d367fe184830a89bbe708c7b1066";
    content = {
      type = "gpt";
      partitions = {
@ -31,7 +27,8 @@
          name = "root";
          size = "100%";
          content = {
-            type = "btrfs";
+            type = "filesystem";
            format = "btrfs";
            extraArgs = [ "-f" ];
            subvolumes = {
              "@root" = {
--- a/diskoConfigurations.nix
+++ b/diskoConfigurations.nix
@ -0,0 +1,12 @@
 { inputs, ... }:
 {
  imports = [
    inputs.disko.flakeModule
  ];
  flake.diskoConfigurations = {
    io.modules = [ ./disko/io.nix ];
    trantor.modules = [ ./disko/trantor.nix ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -5,7 +5,7 @@
    flake-parts.url = "github:hercules-ci/flake-parts";
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
    home-manager = {
      url = "github:nix-community/home-manager/master";
@ -49,10 +49,6 @@
      url = "github:terranix/terranix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-ai-tools.url = "github:numtide/llm-agents.nix";
    vicinae.url = "github:vicinaehq/vicinae";
  };
  outputs =
@ -66,6 +62,7 @@
      imports = [
        ./deploy.nix
        ./devShells.nix
        ./diskoConfigurations.nix
        ./homeConfigurations.nix
        ./nixosConfigurations.nix
        ./nixosModules.nix
--- a/hosts/alexandria/firewall.nix
+++ b/hosts/alexandria/firewall.nix
@ -0,0 +1,11 @@
 { ... }:
 {
  networking.firewall = {
    allowedTCPPorts = [
      80
      443
    ];
    allowedUDPPorts = [ ];
  };
 }
--- a/hosts/alexandria/forgejo.nix
+++ b/hosts/alexandria/forgejo.nix
@ -0,0 +1,35 @@
 {
  config,
  lib,
  inputs,
  ...
 }:
 let
  utils = import ../../utils.nix { inherit inputs lib; };
  inherit (utils) mkNginxVHosts;
 in
 {
  services.forgejo = {
    enable = true;
    repositoryRoot = "/data/forgejo";
    settings = {
      session.COOKIE_SECURE = true;
      server = {
        PROTOCOL = "http+unix";
        DOMAIN = "git.baduhai.dev";
        ROOT_URL = "https://git.baduhai.dev";
        OFFLINE_MODE = true; # disable use of CDNs
        SSH_DOMAIN = "baduhai.dev";
      };
      log.LEVEL = "Warn";
      mailer.ENABLED = false;
      actions.ENABLED = false;
    };
  };
  services.nginx.virtualHosts = mkNginxVHosts {
    acmeHost = "baduhai.dev";
    domains."git.baduhai.dev".locations."/".proxyPass =
      "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
  };
 }
--- a/hosts/alexandria/jellyfin.nix
+++ b/hosts/alexandria/jellyfin.nix
@ -10,6 +10,7 @@ in
  };
  services.nginx.virtualHosts = mkNginxVHosts {
    acmeHost = "baduhai.dev";
    domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/";
  };
 }
--- a/hosts/alexandria/kanidm.nix
+++ b/hosts/alexandria/kanidm.nix
@ -1,83 +0,0 @@
 {
  config,
  lib,
  inputs,
  pkgs,
  ...
 }:
 let
  utils = import ../../utils.nix { inherit inputs lib; };
  inherit (utils) mkNginxVHosts;
  kanidmCertDir = "/var/lib/kanidm/certs";
 in
 {
  services.kanidm = {
    enableServer = true;
    enableClient = true;
    package = pkgs.kanidm;
    serverSettings = {
      domain = "auth.baduhai.dev";
      origin = "https://auth.baduhai.dev";
      bindaddress = "127.0.0.1:8443";
      ldapbindaddress = "127.0.0.1:636";
      trust_x_forward_for = true;
      # Use self-signed certificates for internal TLS
      tls_chain = "${kanidmCertDir}/cert.pem";
      tls_key = "${kanidmCertDir}/key.pem";
    };
    clientSettings = {
      uri = "https://auth.baduhai.dev";
    };
  };
  services.nginx.virtualHosts = mkNginxVHosts {
    domains."auth.baduhai.dev" = {
      locations."/" = {
        proxyPass = "https://127.0.0.1:8443";
        extraConfig = ''
          proxy_ssl_verify off;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Host $host;
        '';
      };
    };
  };
  networking.firewall.allowedTCPPorts = [ 636 ];
  # Generate self-signed certificates for kanidm's internal TLS
  systemd.services.kanidm-generate-certs = {
    description = "Generate self-signed TLS certificates for Kanidm";
    wantedBy = [ "multi-user.target" ];
    before = [ "kanidm.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      mkdir -p ${kanidmCertDir}
      if [ ! -f ${kanidmCertDir}/key.pem ]; then
        ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
          -keyout ${kanidmCertDir}/key.pem \
          -out ${kanidmCertDir}/cert.pem \
          -days 3650 -nodes \
          -subj "/CN=localhost" \
          -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
        chown -R kanidm:kanidm ${kanidmCertDir}
        chmod 600 ${kanidmCertDir}/key.pem
        chmod 644 ${kanidmCertDir}/cert.pem
      fi
    '';
  };
  # Ensure certificate generation runs before kanidm starts
  systemd.services.kanidm = {
    after = [ "kanidm-generate-certs.service" ];
    wants = [ "kanidm-generate-certs.service" ];
  };
 }
--- a/hosts/alexandria/librespeed.nix
+++ b/hosts/alexandria/librespeed.nix
@ -0,0 +1,30 @@
 {
  config,
  lib,
  inputs,
  ...
 }:
 let
  utils = import ../../utils.nix { inherit inputs lib; };
  inherit (utils) mkNginxVHosts;
 in
 {
  virtualisation.oci-containers.containers."librespeed" = {
    image = "lscr.io/linuxserver/librespeed:latest";
    environment = {
      TZ = "America/Bahia";
    };
    ports = [ "127.0.0.1:58080:80" ];
    extraOptions = [
      "--pull=newer"
      "--label=io.containers.autoupdate=registry"
    ];
  };
  services.nginx.virtualHosts = mkNginxVHosts {
    acmeHost = "baduhai.dev";
    domains."speedtest.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:58080/";
  };
 }
--- a/hosts/alexandria/nextcloud.nix
+++ b/hosts/alexandria/nextcloud.nix
@ -24,13 +24,7 @@ in
      database.createLocally = true;
      maxUploadSize = "16G";
      extraApps = {
-        inherit (config.services.nextcloud.package.packages.apps)
+        inherit (config.services.nextcloud.package.packages.apps) calendar contacts notes;
          calendar
          contacts
          notes
          tasks
          user_oidc
          ;
      };
      extraAppsEnable = true;
      caching = {
@ -41,7 +35,6 @@ in
        trusted_proxies = [ "127.0.0.1" ];
        default_phone_region = "BR";
        maintenance_window_start = "4";
        allow_local_remote_servers = true;
        enabledPreviewProviders = [
          "OC\\Preview\\BMP"
          "OC\\Preview\\EMF"
@ -78,6 +71,7 @@ in
    };
    nginx.virtualHosts = mkNginxVHosts {
      acmeHost = "baduhai.dev";
      domains."cloud.baduhai.dev" = { };
    };
  };
--- a/hosts/alexandria/nginx.nix
+++ b/hosts/alexandria/nginx.nix
@ -7,15 +7,7 @@
 let
  utils = import ../../utils.nix { inherit inputs lib; };
-  inherit (utils) mkNginxVHosts services;
+  inherit (utils) mkNginxVHosts;
  # Get all unique domains from shared services that have LAN IPs (served by this host)
  localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services));
  # Generate ACME cert configs for all local domains
  acmeCerts = lib.genAttrs localDomains (domain: {
    group = "nginx";
  });
 in
 {
@ -27,7 +19,9 @@ in
      dnsProvider = "cloudflare";
      credentialsFile = config.age.secrets.cloudflare.path;
    };
-    certs = acmeCerts;
+    certs."baduhai.dev" = {
      extraDomainNames = [ "*.baduhai.dev" ];
    };
  };
  services.nginx = {
@ -36,21 +30,14 @@ in
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
-    virtualHosts = {
+    virtualHosts = mkNginxVHosts {
-      "_" = {
+      acmeHost = "baduhai.dev";
-        default = true;
+      domains."_".locations."/".return = "444";
        locations."/".return = "444";
      };
    };
  };
  users.users.nginx.extraGroups = [ "acme" ];
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  age.secrets.cloudflare = {
    file = ../../secrets/cloudflare.age;
    owner = "nginx";
--- a/hosts/alexandria/unbound.nix
+++ b/hosts/alexandria/unbound.nix
@ -1,58 +0,0 @@
 { inputs, lib, ... }:
 let
  utils = import ../../utils.nix { inherit inputs lib; };
 in
 {
  services.unbound = {
    enable = true;
    enableRootTrustAnchor = true;
    settings = {
      server = {
        interface = [
          "0.0.0.0"
          "::"
        ];
        access-control = [
          "127.0.0.0/8 allow"
          "192.168.0.0/16 allow"
          "::1/128 allow"
        ];
        num-threads = 2;
        msg-cache-size = "50m";
        rrset-cache-size = "100m";
        cache-min-ttl = 300;
        cache-max-ttl = 86400;
        prefetch = true;
        prefetch-key = true;
        hide-identity = true;
        hide-version = true;
        so-rcvbuf = "1m";
        so-sndbuf = "1m";
        # LAN-only DNS records
        local-zone = ''"baduhai.dev." transparent'';
        local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'')
          (lib.filter (e: e ? lanIP) utils.services);
      };
      forward-zone = [
        {
          name = ".";
          forward-addr = [
            "1.1.1.1@853#cloudflare-dns.com"
            "1.0.0.1@853#cloudflare-dns.com"
          ];
          forward-tls-upstream = true;
        }
      ];
    };
  };
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };
 }
--- a/hosts/alexandria/vaultwarden.nix
+++ b/hosts/alexandria/vaultwarden.nix
@ -20,6 +20,7 @@ in
  };
  services.nginx.virtualHosts = mkNginxVHosts {
    acmeHost = "baduhai.dev";
    domains."pass.baduhai.dev".locations."/".proxyPass =
      "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
  };
--- a/hosts/io/hardware-configuration.nix
+++ b/hosts/io/hardware-configuration.nix
@ -2,12 +2,15 @@
  config,
  lib,
  modulesPath,
-  inputs,
+  self,
  ...
 }:
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    self.diskoConfigurations.io
  ];
  boot = {
    initrd = {
--- a/hosts/io/services.nix
+++ b/hosts/io/services.nix
@ -49,7 +49,6 @@
      };
    };
    upower.enable = true;
    power-profiles-daemon.enable = true;
  };
  # TODO: remove once gmodena/nix-flatpak/issues/45 fixed
--- a/hosts/modules/ai.nix
+++ b/hosts/modules/ai.nix
@ -1,11 +0,0 @@
 { inputs, pkgs, ... }:
 {
  environment.systemPackages =
    (with pkgs; [claude-desktop]) ++
    (with inputs.nix-ai-tools.packages.${pkgs.system}; [
      claude-code
      claudebox
      opencode
    ]);
 }
--- a/hosts/modules/common/openssh.nix
+++ b/hosts/modules/common/openssh.nix
@ -4,8 +4,10 @@
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "no";
    extraConfig = ''
      PrintLastLog no
    '';
  };
  programs.fish.interactiveShellInit = ''
    if set -q SSH_CONNECTION
      neofetch
    end
  '';
 }
--- a/hosts/modules/common/programs.nix
+++ b/hosts/modules/common/programs.nix
@ -25,16 +25,6 @@
  programs = {
    command-not-found.enable = false;
-    fish = {
+    fish.enable = true;
      enable = true;
      interactiveShellInit = ''
        set fish_greeting
        if set -q SSH_CONNECTION
          export TERM=xterm-256color
          clear
          fastfetch
        end
      '';
    };
  };
 }
--- a/hosts/modules/common/users.nix
+++ b/hosts/modules/common/users.nix
@ -10,9 +10,8 @@
        "wheel"
      ];
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
      ];
      hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
    };
--- a/hosts/modules/desktop/desktop.nix
+++ b/hosts/modules/desktop/desktop.nix
@ -20,6 +20,7 @@
    systemPackages = with pkgs; [
      ### Web ###
      bitwarden-desktop
      brave
      fragments
      nextcloud-client
      tor-browser
@ -31,8 +32,9 @@
      aspellDicts.en
      aspellDicts.en-computers
      aspellDicts.pt_BR
      libreoffice
      onlyoffice-desktopeditors
      papers
      presenterm
      rnote
      ### Graphics & Design ###
      gimp
@ -85,15 +87,6 @@
    flatpak = {
      enable = true;
      packages = [
        ### Office & Productivity ###
        rec {
          appId = "com.collabora.Office";
          sha256 = "1im6s8p6wvj2hblr4mhn1g2rry77giccsi6mk76nk8d6bjp1fwa4";
          bundle = "${pkgs.fetchurl {
            url = "https://cdn.collaboraoffice.com/collaboraoffice-v25.04.7.2_final.flatpak";
            inherit sha256;
          }}";
        }
        ### Graphics & Design ###
        "com.boxy_svg.BoxySVG"
        rec {
--- a/hosts/modules/dev.nix
+++ b/hosts/modules/dev.nix
@ -2,17 +2,19 @@
 {
  environment.systemPackages = with pkgs; [
    android-tools
    bat
    claude-code
    lazygit
    fd
    fzf
    glow
-    nixfmt
+    nixfmt-rfc-style
    nix-init
    nix-output-monitor
    ripgrep
  ];
  programs.adb.enable = true;
  users.users.user.extraGroups = [ "adbusers" ];
 }
--- a/hosts/modules/ephemeral.nix
+++ b/hosts/modules/ephemeral.nix
@ -10,14 +10,12 @@
    enable = true;
    rootDevice =
      if config.networking.hostName == "trantor" then
-        "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2"
+        "/dev/disk/by-id/scsi-36067d367fe184830a89bbe708c7b1066"
      else
        "/dev/mapper/cryptroot";
    rootSubvolume = "@root";
  };
  fileSystems."/persistent".neededForBoot = true;
  environment.persistence.main = {
    persistentStoragePath = "/persistent";
    files = [
--- a/hosts/modules/gaming.nix
+++ b/hosts/modules/gaming.nix
@ -6,6 +6,7 @@
    heroic
    mangohud
    prismlauncher
    protonup
    steam-run
  ];
--- a/hosts/modules/libvirtd.nix
+++ b/hosts/modules/libvirtd.nix
@ -1,15 +1,10 @@
 { ... }:
 {
-  virtualisation = {
+  virtualisation.libvirtd.enable = true;
    libvirtd.enable = true;
    spiceUSBRedirection.enable = true;
  };
  programs.virt-manager.enable = true;
  networking.firewall.trustedInterfaces = [ "virbr0" ];
  users.users.user.extraGroups = [
    "libvirt"
    "libvirtd"
--- a/hosts/trantor/boot.nix
+++ b/hosts/trantor/boot.nix
@ -1,6 +1,3 @@
 {
-  boot = {
+  boot.initrd.systemd.enable = true;
    initrd.systemd.enable = true;
    loader.efi.efiSysMountPoint = "/boot/efi";
  };
 }
--- a/hosts/trantor/fail2ban.nix
+++ b/hosts/trantor/fail2ban.nix
@ -1,23 +0,0 @@
 { config, pkgs, ... }:
 {
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    ignoreIP = [
      "127.0.0.0/8"
      "::1"
      "10.0.0.0/8"
      "172.16.0.0/12"
      "192.168.0.0/16"
      "100.64.0.0/10"
    ];
    bantime = "1h";
    bantime-increment = {
      enable = true;
      multipliers = "1 2 4 8 16 32 64";
      maxtime = "10000h";
      overalljails = true;
    };
  };
 }
--- a/hosts/trantor/forgejo.nix
+++ b/hosts/trantor/forgejo.nix
@ -1,72 +0,0 @@
 {
  config,
  lib,
  inputs,
  ...
 }:
 let
  utils = import ../../utils.nix { inherit inputs lib; };
  inherit (utils) mkNginxVHosts;
 in
 {
  services = {
    forgejo = {
      enable = true;
      settings = {
        session.COOKIE_SECURE = true;
        server = {
          PROTOCOL = "http+unix";
          DOMAIN = "git.baduhai.dev";
          ROOT_URL = "https://git.baduhai.dev";
          OFFLINE_MODE = true; # disable use of CDNs
          SSH_DOMAIN = "git.baduhai.dev";
        };
        log.LEVEL = "Warn";
        mailer.ENABLED = false;
        actions.ENABLED = false;
        service.DISABLE_REGISTRATION = true;
        oauth2_client = {
          ENABLE_AUTO_REGISTRATION = true;
          UPDATE_AVATAR = true;
          ACCOUNT_LINKING = "login";
          USERNAME = "preferred_username";
        };
      };
    };
    nginx.virtualHosts = mkNginxVHosts {
      domains."git.baduhai.dev".locations."/".proxyPass =
        "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
    };
    fail2ban.jails.forgejo = {
      settings = {
        enabled = true;
        filter = "forgejo";
        maxretry = 3;
        findtime = "10m";
        bantime = "1h";
      };
    };
  };
  environment = {
    etc."fail2ban/filter.d/forgejo.conf".text = ''
      [Definition]
      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
      ignoreregex =
      journalmatch = _SYSTEMD_UNIT=forgejo.service
    '';
    persistence.main.directories = [
      {
        directory = config.services.forgejo.stateDir;
        inherit (config.services.forgejo) user group;
        mode = "0700";
      }
    ];
  };
  # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
  systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
 }
--- a/hosts/trantor/hardware-configuration.nix
+++ b/hosts/trantor/hardware-configuration.nix
@ -1,18 +1,29 @@
 {
  lib,
  modulesPath,
  self,
  ...
 }:
 {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    self.diskoConfigurations.trantor
  ];
-  boot.initrd.availableKernelModules = [
+  boot = {
    kernelModules = [ ];
    extraModulePackages = [ ];
    initrd = {
      availableKernelModules = [
        "xhci_pci"
        "virtio_pci"
        "virtio_scsi"
        "usbhid"
      ];
      kernelModules = [ ];
    };
  };
  networking.useDHCP = lib.mkDefault true;
--- a/hosts/trantor/nginx.nix
+++ b/hosts/trantor/nginx.nix
@ -1,61 +0,0 @@
 {
  config,
  lib,
  inputs,
  ...
 }:
 let
  utils = import ../../utils.nix { inherit inputs lib; };
  inherit (utils) mkNginxVHosts services;
  # Get all unique domains from shared services on trantor (host = "trantor")
  localDomains = lib.unique (
    map (s: s.domain) (lib.filter (s: s.host == "trantor") services)
  );
  # Generate ACME cert configs for all local domains
  acmeCerts = lib.genAttrs localDomains (domain: {
    group = "nginx";
  });
 in
 {
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "baduhai@proton.me";
      dnsResolver = "1.1.1.1:53";
      dnsProvider = "cloudflare";
      credentialsFile = config.age.secrets.cloudflare.path;
    };
    certs = acmeCerts;
  };
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "_" = {
        default = true;
        locations."/".return = "444";
      };
    };
  };
  users.users.nginx.extraGroups = [ "acme" ];
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  age.secrets.cloudflare = {
    file = ../../secrets/cloudflare.age;
    owner = "nginx";
    group = "nginx";
  };
 }
--- a/hosts/trantor/openssh.nix
+++ b/hosts/trantor/openssh.nix
@ -1,23 +0,0 @@
 { ... }:
 {
  services = {
    openssh = {
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };
    fail2ban.jails.sshd = {
      settings = {
        enabled = true;
        port = "ssh";
        filter = "sshd";
        logpath = "/var/log/auth.log";
        maxretry = 3;
        findtime = "10m";
        bantime = "1h";
      };
    };
  };
 }
--- a/hosts/trantor/unbound.nix
+++ b/hosts/trantor/unbound.nix
@ -1,58 +0,0 @@
 { inputs, lib, ... }:
 let
  utils = import ../../utils.nix { inherit inputs lib; };
 in
 {
  services.unbound = {
    enable = true;
    enableRootTrustAnchor = true;
    settings = {
      server = {
        interface = [
          "0.0.0.0"
          "::"
        ];
        access-control = [
          "127.0.0.0/8 allow"
          "100.64.0.0/10 allow" # Tailscale CGNAT range
          "::1/128 allow"
          "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
        ];
        num-threads = 2;
        msg-cache-size = "50m";
        rrset-cache-size = "100m";
        cache-min-ttl = 300;
        cache-max-ttl = 86400;
        prefetch = true;
        prefetch-key = true;
        hide-identity = true;
        hide-version = true;
        so-rcvbuf = "1m";
        so-sndbuf = "1m";
        # Tailnet DNS records from shared services
        local-zone = ''"baduhai.dev." transparent'';
        local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') utils.services;
      };
      forward-zone = [
        {
          name = ".";
          forward-addr = [
            "1.1.1.1@853#cloudflare-dns.com"
            "1.0.0.1@853#cloudflare-dns.com"
          ];
          forward-tls-upstream = true;
        }
      ];
    };
  };
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };
 }
--- a/nixosConfigurations.nix
+++ b/nixosConfigurations.nix
@ -10,7 +10,6 @@ in
      hostname = "rotterdam";
      tags = [
        "desktop"
        "ai"
        "bluetooth"
        "dev"
        "ephemeral"
@ -26,7 +25,6 @@ in
      hostname = "io";
      tags = [
        "desktop"
        "ai"
        "bluetooth"
        "dev"
        "ephemeral"
@ -38,8 +36,9 @@ in
    alexandria = mkHost {
      hostname = "alexandria";
      tags = [
-        "server"
+        # "server" TODO: uncomment when 25.11 is out.
        "fwupd"
        "podman"
      ];
    };
--- a/overlays.nix
+++ b/overlays.nix
@ -4,7 +4,6 @@
  flake.overlays = {
    default = final: prev: {
      base16-schemes = inputs.self.packages.${final.system}.base16-schemes;
      claude-desktop = inputs.self.packages.${final.system}.claude-desktop;
      fastfetch = inputs.self.packages.${final.system}.fastfetch;
      hm-cli = inputs.self.packages.${final.system}.hm-cli;
      kwrite = inputs.self.packages.${final.system}.kwrite;
--- a/packages.nix
+++ b/packages.nix
@ -1,18 +1,11 @@
-{ inputs, ... }:
+{ ... }:
 {
  perSystem =
-    { system, ... }:
+    { pkgs, system, ... }:
    let
      pkgs = import inputs.nixpkgs {
        inherit system;
        config.allowUnfree = true;
      };
    in
    {
      packages = {
        base16-schemes = pkgs.callPackage ./packages/base16-schemes.nix { };
        claude-desktop = pkgs.callPackage ./packages/claude-desktop.nix { };
        fastfetch = pkgs.callPackage ./packages/fastfetch.nix { };
        hm-cli = pkgs.callPackage ./packages/hm-cli.nix { };
        kwrite = pkgs.callPackage ./packages/kwrite.nix { };
--- a/packages/claude-desktop.nix
+++ b/packages/claude-desktop.nix
@ -1,221 +0,0 @@
 {
  lib,
  stdenv,
  fetchurl,
  makeWrapper,
  makeDesktopItem,
  copyDesktopItems,
  p7zip,
  unzip,
  electron,
  nodejs,
  asar,
  graphicsmagick,
 }:
 let
  pname = "claude-desktop";
  version = "1.0.1768"; # Updated based on extracted nupkg
  srcs.x86_64-linux = fetchurl {
    url = "https://downloads.claude.ai/releases/win32/x64/1.0.1768/Claude-67d01376d0e9d08b328455f6db9e63b0d603506a.exe";
    hash = "sha256-x76Qav38ya3ObpWIq3dDowo79LgvVquMfaZeH8M1LUk=;";
  };
  src =
    srcs.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
  # Stub implementation for claude-native module
  claudeNativeStub = ''
    // Stub implementation of claude-native using KeyboardKey enum values
    const KeyboardKey = { 
      Backspace: 43, Tab: 280, Enter: 261, Shift: 272, Control: 61, Alt: 40, 
      CapsLock: 56, Escape: 85, Space: 276, PageUp: 251, PageDown: 250, 
      End: 83, Home: 154, LeftArrow: 175, UpArrow: 282, RightArrow: 262, 
      DownArrow: 81, Delete: 79, Meta: 187 
    };
    Object.freeze(KeyboardKey);
    module.exports = { 
      getWindowsVersion: () => "10.0.0", 
      setWindowEffect: () => {}, 
      removeWindowEffect: () => {}, 
      getIsMaximized: () => false, 
      flashFrame: () => {}, 
      clearFlashFrame: () => {}, 
      showNotification: () => {}, 
      setProgressBar: () => {}, 
      clearProgressBar: () => {}, 
      setOverlayIcon: () => {}, 
      clearOverlayIcon: () => {}, 
      KeyboardKey 
    };
  '';
 in
 stdenv.mkDerivation rec {
  inherit pname version src;
  nativeBuildInputs = [
    makeWrapper
    copyDesktopItems
    p7zip
    unzip
    nodejs
    graphicsmagick
  ];
  buildInputs = [
    electron
  ];
  desktopItems = [
    (makeDesktopItem {
      name = "claude-desktop";
      desktopName = "Claude";
      comment = "AI assistant from Anthropic";
      exec = "claude-desktop %u";
      icon = "claude-desktop";
      categories = [
        "Network"
        "Chat"
        "Office"
      ];
      mimeTypes = [ "x-scheme-handler/claude" ];
      startupNotify = true;
      startupWMClass = "Claude";
    })
  ];
  unpackPhase = ''
    runHook preUnpack
    # Extract the Windows installer - use -y to auto-overwrite
    7z x -y $src -o./extracted
    # The installer contains a NuGet package
    if [ -f ./extracted/AnthropicClaude-*-full.nupkg ]; then
      echo "Found NuGet package, extracting..."
      # NuGet packages are just zip files
      unzip -q ./extracted/AnthropicClaude-*-full.nupkg -d ./nupkg
      # Extract app.asar to modify it
      if [ -f ./nupkg/lib/net45/resources/app.asar ]; then
        echo "Extracting app.asar..."
        ${asar}/bin/asar extract ./nupkg/lib/net45/resources/app.asar ./app
        # Also copy the unpacked resources
        if [ -d ./nupkg/lib/net45/resources/app.asar.unpacked ]; then
          cp -r ./nupkg/lib/net45/resources/app.asar.unpacked/* ./app/
        fi
        # Copy additional resources
        mkdir -p ./app/resources
        mkdir -p ./app/resources/i18n
        cp ./nupkg/lib/net45/resources/Tray* ./app/resources/ || true
        cp ./nupkg/lib/net45/resources/*-*.json ./app/resources/i18n/ || true
      fi
    else
      echo "NuGet package not found"
      ls -la ./extracted/
      exit 1
    fi
    runHook postUnpack
  '';
  buildPhase = ''
    runHook preBuild
    # Replace the Windows-specific claude-native module with a stub
    if [ -d ./app/node_modules/claude-native ]; then
      echo "Replacing claude-native module with Linux stub..."
      rm -rf ./app/node_modules/claude-native/*.node
      cat > ./app/node_modules/claude-native/index.js << 'EOF'
    ${claudeNativeStub}
    EOF
    fi
    # Fix the title bar detection (from aaddrick script)
    echo "Fixing title bar detection..."
    SEARCH_BASE="./app/.vite/renderer/main_window/assets"
    if [ -d "$SEARCH_BASE" ]; then
      TARGET_FILE=$(find "$SEARCH_BASE" -type f -name "MainWindowPage-*.js" | head -1)
      if [ -n "$TARGET_FILE" ]; then
        echo "Found target file: $TARGET_FILE"
        # Replace patterns like 'if(!VAR1 && VAR2)' with 'if(VAR1 && VAR2)'
        sed -i -E 's/if\(!([a-zA-Z]+)[[:space:]]*&&[[:space:]]*([a-zA-Z]+)\)/if(\1 \&\& \2)/g' "$TARGET_FILE"
        echo "Title bar fix applied"
      fi
    fi
    runHook postBuild
  '';
  installPhase = ''
    runHook preInstall
    mkdir -p $out/lib/claude-desktop
    # Repack the modified app as app.asar
    cd ./app
    ${asar}/bin/asar pack . ../app.asar
    cd ..
    # Copy resources
    mkdir -p $out/lib/claude-desktop/resources
    cp ./app.asar $out/lib/claude-desktop/resources/
    # Create app.asar.unpacked directory with the stub
    mkdir -p $out/lib/claude-desktop/resources/app.asar.unpacked/node_modules/claude-native
    cat > $out/lib/claude-desktop/resources/app.asar.unpacked/node_modules/claude-native/index.js << 'EOF'
    ${claudeNativeStub}
    EOF
    # Copy other resources
    if [ -d ./nupkg/lib/net45/resources ]; then
      cp ./nupkg/lib/net45/resources/*.png $out/lib/claude-desktop/resources/ 2>/dev/null || true
      cp ./nupkg/lib/net45/resources/*.ico $out/lib/claude-desktop/resources/ 2>/dev/null || true
      cp ./nupkg/lib/net45/resources/*.json $out/lib/claude-desktop/resources/ 2>/dev/null || true
    fi
    # Create wrapper script
    makeWrapper ${electron}/bin/electron $out/bin/claude-desktop \
      --add-flags "$out/lib/claude-desktop/resources/app.asar" \
      --set DISABLE_AUTOUPDATER 1 \
      --set NODE_ENV production
    # Extract and install icons in multiple sizes
    if [ -f ./extracted/setupIcon.ico ]; then
      echo "Converting and installing icons..."
      # Count frames in the ICO file and extract each one
      frame_count=$(gm identify ./extracted/setupIcon.ico | wc -l)
      for i in $(seq 0 $((frame_count - 1))); do
        gm convert "./extracted/setupIcon.ico[$i]" "./extracted/setupIcon-$i.png" 2>/dev/null || true
      done
      # Loop through converted icons and install them by size
      for img in ./extracted/setupIcon-*.png; do
        if [ -f "$img" ]; then
          size=$(gm identify -format "%wx%h" "$img")
          # Skip smallest icons (16x16 and 32x32) as they're too low quality
          if [ "$size" != "16x16" ] && [ "$size" != "32x32" ]; then
            mkdir -p "$out/share/icons/hicolor/$size/apps"
            cp "$img" "$out/share/icons/hicolor/$size/apps/claude-desktop.png"
          fi
        fi
      done
    fi
    runHook postInstall
  '';
  meta = with lib; {
    description = "Claude Desktop - AI assistant from Anthropic";
    homepage = "https://claude.ai";
    license = licenses.unfree;
    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
    maintainers = with maintainers; [ ];
    platforms = [ "x86_64-linux" ];
    mainProgram = "claude-desktop";
  };
 }
--- a/readme.md
+++ b/readme.md
@ -1,87 +1,123 @@
-# Nix Configuration
+# NixOS Configuration
-My personal Nix configuration for multiple NixOS hosts, home-manager users, miscellaneous resources... too many things to list. If I could put my life in a flake I would.
+A declarative, modular NixOS/Home Manager flake configuration managing multiple systems with a tag-based architecture for maximum code reuse and flexibility.
 ## Hosts
-### Desktop Systems
+| Host | Type | System | Version | Description |
- **rotterdam** - Main desktop workstation (x86_64)
+|------|------|--------|---------|-------------|
-  - Features: Desktop, AI tools, Bluetooth, Dev environment, Gaming, Virtualization (libvirtd), Podman
+| **rotterdam** | Desktop | x86_64-linux | NixOS Unstable | Primary workstation with gaming, development |
-  - Storage: Ephemeral root with LUKS encryption
+| **io** | Laptop | x86_64-linux | NixOS Unstable | Mobile workstation |
 | **alexandria** | Server/NAS | x86_64-linux | NixOS 25.05 | Personal server running Nextcloud, Forgejo, Jellyfin, Vaultwarden |
 | **trantor** | VPS | aarch64-linux | NixOS 25.05 | Oracle Cloud instance |
- **io** - Laptop workstation (x86_64)
+## Key Features
  - Features: Desktop, AI tools, Bluetooth, Dev environment, Podman
  - Storage: Ephemeral root with LUKS encryption
-### Servers
+### Architecture
- **alexandria** - Home server (x86_64)
+- **Tag-based module system** - Compose configurations using tags instead of traditional inheritance
-  - Hosts: Nextcloud, Vaultwarden, Jellyfin, Kanidm
+- **Flake-based** - Fully reproducible builds with locked dependencies
 - **Multi-platform** - Supports both x86_64 and aarch64 architectures
 - **Deployment automation** - Remote deployment via deploy-rs
- **trantor** - Cloud server (aarch64)
+### Desktop Experience
-  - Hosts: Forgejo
+- **Niri compositor** - Custom fork with auto-centering window columns
-  - Cloud provider: Oracle Cloud Infrastructure
+- **Unified theming** - Stylix-based theming
-  - Storage: Ephemeral root with btrfs
+- **Wayland-native** - Full Wayland support
 - **Ephemeral root** - Impermanent filesystem using BTRFS for atomic rollback capability
-## Home Manager Configurations
+### Self-Hosted Services
-
+- **Nextcloud** - Cloud storage with calendar, contacts, and notes
- **user@rotterdam** - Full desktop setup with gaming, OBS, and complete development environment
+- **Forgejo** - Self-hosted Git server
- **user@io** - Lightweight desktop setup
+- **Jellyfin** - Media streaming
-
+- **Vaultwarden** - Password manager backend
-Both configurations include:
+- **LibreSpeed** - Network speed testing
- btop, direnv, helix, starship, tmux
+- All services behind Nginx and Tailscale with automatic SSL via Let's Encrypt
 - Stylix theme management
 - Fish shell with custom configurations
 ## Terranix Configurations
 Infrastructure as code using Terranix (NixOS + Terraform/OpenTofu):
 - **oci-trantor** - Oracle Cloud Infrastructure provisioning for Trantor server
 - **cloudflare-baduhaidev** - DNS and CDN configuration for baduhai.dev domain
 - **tailscale-tailnet** - Tailscale network ACL and device management
 ## Services
 All services are accessible via custom domains under baduhai.dev:
 - **Kanidm** (auth.baduhai.dev) - Identity and access management
 - **Vaultwarden** (pass.baduhai.dev) - Password manager
 - **Forgejo** (git.baduhai.dev) - Git forge (publicly accessible)
 - **Nextcloud** (cloud.baduhai.dev) - File sync and collaboration
 - **Jellyfin** (jellyfin.baduhai.dev) - Media server
 Services are accessible via:
 - LAN for alexandria-hosted services
 - Tailscale VPN for all services
 - Public internet for Forgejo only
 ## Notable Features
 ### Ephemeral Root
 Rotterdam, io, and trantor use an ephemeral root filesystem that resets on every boot:
 - Root filesystem is automatically rolled back using btrfs snapshots
 - Old snapshots retained for 30 days
 - Persistent data stored in dedicated subvolumes
 - Implements truly stateless systems
 ### Custom DNS Architecture
 - Unbound DNS servers on both alexandria and trantor
 - Service routing based on visibility flags (public/LAN/Tailscale)
 - Split-horizon DNS for optimal access paths
 ### Security
- LUKS full-disk encryption on desktop systems
+- **Agenix** - Encrypted secrets management
- Fail2ban on public-facing servers
+- **Tailscale** - Zero-config VPN mesh network
- agenix for secrets management
+- **Firewall** - Configured on all hosts
- Tailscale for secure remote access
+- SSH key-based authentication
-### Desktop Environment
+## Repository Structure
 - Custom Niri window manager (Wayland compositor)
 - Using forked version with auto-centering feature
 - Stylix for consistent theming
-### Development Setup
+```
- Nix flakes for reproducible builds
+.
- deploy-rs for automated deployments
+├── flake.nix                    # Main flake definition
- Podman for containerization
+├── utils.nix                    # Tag-based module system utilities
- Complete AI tooling integration
+├── nixosConfigurations.nix      # Host definitions with tags
 ├── homeConfigurations.nix       # User configurations
 ├── deploy.nix                   # Remote deployment configuration
 ├── hosts/
 │   ├── alexandria/              # Server-specific config
 │   ├── io/                      # Laptop-specific config
 │   ├── rotterdam/               # Desktop-specific config
 │   ├── trantor/                 # VPS-specific config
 │   └── modules/
 │       ├── common/              # Shared base configuration
 │       ├── desktop/             # Desktop environment setup
 │       ├── server/              # Server-specific modules
 │       └── [tag].nix            # Optional feature modules
 ├── users/
 │   └── modules/                 # Home Manager configurations
 │       └── [tag].nix            # Optional feature modules
 ├── packages/                    # Custom package definitions
 └── secrets/                     # Encrypted secrets (agenix)
 ```
 ## Tag System
 Configurations are composed using tags that map to modules:
 **Common Tags** (all hosts):
 - `common` - Base system configuration (automatically applied)
 **General Tags**:
 - `desktop` - *Mostly* full desktop environment with Niri WM
 - `dev` - Development tools and environments
 - `gaming` - Steam, Heroic, gamemode, controller support
 - `ephemeral` - Impermanent root filesystem
 - `networkmanager` - WiFi and network management
 - `libvirtd` - KVM/QEMU virtualization
 - `podman` - Container runtime
 - `bluetooth` - Bluetooth support
 - `fwupd` - Firmware update daemon
 **Server Tags**:
 - `server` - Server-specific configuration
 ## Usage
 ### Rebuilding a Configuration
 ```bash
 # Local rebuild
 sudo nixos-rebuild switch --flake .#hostname
 # Remote deployment
 deploy .#hostname
 ```
 ### Updating Dependencies
 ```bash
 nix flake update
 ```
 ### Adding a New Host
 1. Create host directory in `hosts/`
 2. Define configuration in `nixosConfigurations.nix` with appropriate tags
 3. Add deployment profile in `deploy.nix` if needed
 ## Dependencies
 - [nixpkgs](https://github.com/NixOS/nixpkgs) - Stable (25.05) and unstable channels
 - [home-manager](https://github.com/nix-community/home-manager) - User configuration
 - [agenix](https://github.com/ryantm/agenix) - Secrets management
 - [disko](https://github.com/nix-community/disko) - Declarative disk partitioning
 - [stylix](https://github.com/danth/stylix) - System-wide theming
 - [niri-flake](https://github.com/sodiboo/niri-flake) - Wayland compositor (custom fork)
 - [impermanence](https://github.com/nix-community/impermanence) - Ephemeral filesystem support
 - [deploy-rs](https://github.com/serokell/deploy-rs) - Remote deployment
 - [nix-flatpak](https://github.com/gmodena/nix-flatpak) - Declarative Flatpak management
--- a/secrets/cloudflare.age
+++ b/secrets/cloudflare.age
@ -1,11 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 Kfdnog IHXv4c5we36dCUsB1v8uEF23tIRlDQ/8WR1hX4GQ+Uc
+-> ssh-ed25519 Kfdnog gEZvRtLBhGslmS97VaRqoucgExvOopsHAAne4lCmEEY
-Cwccw64BYBdSZUdkSqKESIU7E17cLNtiAZZ3Y1xV87A
+NkIeFYuQFntDOBqd3k0/OVYMcM7h73uO0jPXaHzEcZc
-> ssh-ed25519 8YSAiw Ce3vdMG111ubjcFgd3+q2Qw2+7dsoUz7SiudtuLDr0Y
+-> ssh-ed25519 8YSAiw bVV4jIDbBKxsr6mQ4Tv0rP6ylrAEOJWkqjpyvXjnQRU
-JUodwFsKfOTZXxFyRrEk/4gxJ4goPkwvYeThi893M0U
+6kUe5Syw7sd+aF2QEgr6Yj+fOPL5zSJN1PJvY9Kdhlg
-> ssh-ed25519 J6tVTA bExFuITTGXkTvhW25nushN7zT/PJGDoezsqu7fLKemI
+-> ssh-ed25519 J6tVTA 4JMlJmhHAYUgjiWwB1Q278TSjJypwecALmfnosxan0s
-4a90v0F4wgcZeqWBQ/EpqOZ9OCgT7qruwVvlGZeFmN8
+WIubcIFrjMV0GpyU1ZGc48YwrqOtSmJxweonw1KnR+U
-> ssh-ed25519 Qt3Q+A j1oo46pNh1+yPEtxpgj+QPQPf5m82jL0DHGMacY8UFA
+--- 78A7re4LLB/0n5AXLRlVqiMNFMAQ2ZvjjK21YGRveRE
-vy52Hl1WLTdKNA8+4p7A48Sg9+QkMXbECf/uxVMCLYk
+ú_‘4pkVCKmÈÊ#~kIô<49>8Em3ôkºp|Ó0^÷tSk<53>És¬/øÃõÎ…?= lÔ,„‚Ž<E2809A>ì²7âã~Í„¶cû{ãÈž¨AªÝø‹Œ>Zã’Èl¬§—GTJs²GYŠ´—/Ëö/×B4ÃeŠÑ'óðIIÐãcÿ
,"‡<Ÿ
 --- 429vzgFnmFbEqDMwdvC0/EYDJlKU64YEGgE0AqPqlBs
 čď›¬<E280BA>÷€b‰/!8Očô3Df®/ľŹ&kNQhuůr“t¤%&]ł˛ÎŐŇÖucÚjŮHĆ]Ż_łž¨ë5‚@D$<1C>>éN8Ď¦	>Ť9:®CvĐŃ¦69W'X·]X^çŰĆ»$Ť§}|cš÷ă/žß¸={ľuÉłs
--- a/secrets/forgejo-root-password.age
+++ b/secrets/forgejo-root-password.age
--- a/secrets/nextcloud-adminpass.age
+++ b/secrets/nextcloud-adminpass.age
--- a/secrets/nextcloud-secrets.json.age
+++ b/secrets/nextcloud-secrets.json.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -7,7 +7,7 @@ let
  alexandria = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA root@alexandria";
-  trantor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIh/2u5pr/iPVeavlsor5hbTtsgUfP1JpzZVco2YQAo3 root@trantor";
+  trantor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkGuGLZPnYJbCGY4BhJ9uTupp6ruuR1NZ7FEYEaLPA7 root@alexandria";
 in
 {
@ -15,7 +15,6 @@ in
    io-user
    rotterdam-user
    alexandria
    trantor
  ];
  "nextcloud-adminpass.age".publicKeys = [
    io-user
@ -27,9 +26,4 @@ in
    rotterdam-user
    alexandria
  ];
  "forgejo-root-password.age".publicKeys = [
    io-user
    rotterdam-user
    trantor
  ];
 }
--- a/shared/services.nix
+++ b/shared/services.nix
@ -1,43 +0,0 @@
 # Shared service definitions for cross-host configuration
 {
  # Host IP definitions
  hosts = {
    alexandria = {
      lanIP = "192.168.15.142";
      tailscaleIP = "100.76.19.50";
    };
    trantor = {
      tailscaleIP = "100.108.5.90";
    };
  };
  # Service definitions - IPs are inherited from host
  services = [
    {
      name = "kanidm";
      domain = "auth.baduhai.dev";
      host = "alexandria";
    }
    {
      name = "vaultwarden";
      domain = "pass.baduhai.dev";
      host = "alexandria";
    }
    {
      name = "forgejo";
      domain = "git.baduhai.dev";
      host = "trantor";
      public = true;
    }
    {
      name = "nextcloud";
      domain = "cloud.baduhai.dev";
      host = "alexandria";
    }
    {
      name = "jellyfin";
      domain = "jellyfin.baduhai.dev";
      host = "alexandria";
    }
  ];
 }
--- a/terranix/cloudflare/baduhai.dev.nix
+++ b/terranix/cloudflare/baduhai.dev.nix
@ -1,86 +0,0 @@
 # Required environment variables:
 #   CLOUDFLARE_API_TOKEN - API token with "Edit zone DNS" permissions
 #   AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
 #   AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
 { config, lib, ... }:
 let
  inherit (import ../../shared/services.nix) services;
  # Helper to extract subdomain from full domain (e.g., "git.baduhai.dev" -> "git")
  getSubdomain = domain: lib.head (lib.splitString "." domain);
  # Generate DNS records for services
  # Public services point to trantor's public IP
  # Private services point to their tailscale IP
  mkServiceRecords = lib.listToAttrs (
    lib.imap0 (
      i: svc:
      let
        subdomain = getSubdomain svc.domain;
        targetIP =
          if svc.public or false then
            config.data.terraform_remote_state.trantor "outputs.instance_public_ip"
          else
            svc.tailscaleIP;
      in
      {
        name = "service_${toString i}";
        value = {
          zone_id = config.variable.zone_id.default;
          name = subdomain;
          type = "A";
          content = targetIP;
          proxied = false;
          ttl = 3600;
        };
      }
    ) services
  );
 in
 {
  terraform.required_providers.cloudflare = {
    source = "cloudflare/cloudflare";
    version = "~> 5.0";
  };
  terraform.backend.s3 = {
    bucket = "terraform-state";
    key = "cloudflare/baduhai.dev.tfstate";
    region = "auto";
    endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
    skip_credentials_validation = true;
    skip_metadata_api_check = true;
    skip_region_validation = true;
    skip_requesting_account_id = true;
    use_path_style = true;
  };
  variable = {
    zone_id = {
      default = "c63a8332fdddc4a8e5612ddc54557044";
      type = "string";
    };
  };
  data = {
    terraform_remote_state.trantor = {
      backend = "s3";
      config = {
        bucket = "terraform-state";
        key = "oci/trantor.tfstate";
        region = "auto";
        endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
        skip_credentials_validation = true;
        skip_metadata_api_check = true;
        skip_region_validation = true;
        skip_requesting_account_id = true;
        use_path_style = true;
      };
    };
  };
  resource.cloudflare_dns_record = mkServiceRecords;
 }
--- a/terranix/oci/trantor.nix
+++ b/terranix/oci/trantor.nix
@ -1,13 +1,3 @@
 # Required environment variables:
 #   instead of OCI variables, ~/.oci/config may also be used
 #   OCI_TENANCY_OCID - Oracle tenancy OCID (or use TF_VAR_* to override variables)
 #   OCI_USER_OCID - Oracle user OCID
 #   OCI_FINGERPRINT - API key fingerprint
 #   OCI_PRIVATE_KEY_PATH - Path to OCI API private key
 #   AWS variables are required
 #   AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
 #   AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
 { config, ... }:
 {
@ -53,7 +43,6 @@
    ssh_public_keys = {
      default = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
      ];
@ -240,7 +229,6 @@
      threshold = 5;
      threshold_type = "PERCENTAGE";
      display_name = "daily-spend-alert";
      recipients = "baduhai@proton.me";
      description = "Alert when daily spending exceeds $0.05";
      message = "Daily spending has exceeded $0.05 in the trantor compartment";
    };
--- a/terranix/tailscale/tailnet.nix
+++ b/terranix/tailscale/tailnet.nix
@ -1,43 +0,0 @@
 # Required environment variables:
 #   TAILSCALE_API_KEY - Tailscale API key with appropriate permissions
 #   TAILSCALE_TAILNET - Your tailnet name (e.g., "user@example.com" or "example.org.github")
 #   AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
 #   AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
 { config, ... }:
 {
  terraform.required_providers.tailscale = {
    source = "tailscale/tailscale";
    version = "~> 0.17";
  };
  terraform.backend.s3 = {
    bucket = "terraform-state";
    key = "tailscale/tailnet.tfstate";
    region = "auto";
    endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
    skip_credentials_validation = true;
    skip_metadata_api_check = true;
    skip_region_validation = true;
    skip_requesting_account_id = true;
    use_path_style = true;
  };
  variable = {
    trantor_tailscale_ip = {
      default = "100.108.5.90";
      type = "string";
    };
  };
  resource = {
    tailscale_dns_nameservers.global = {
      nameservers = [
        config.variable.trantor_tailscale_ip.default
        "1.1.1.1"
        "1.0.0.1"
      ];
    };
  };
 }
--- a/terranixConfigurations.nix
+++ b/terranixConfigurations.nix
@ -14,14 +14,6 @@
          modules = [ ./terranix/oci/trantor.nix ];
          terraformWrapper.package = pkgs.opentofu;
        };
        cloudflare-baduhaidev = {
          modules = [ ./terranix/cloudflare/baduhai.dev.nix ];
          terraformWrapper.package = pkgs.opentofu;
        };
        tailscale-tailnet = {
          modules = [ ./terranix/tailscale/tailnet.nix ];
          terraformWrapper.package = pkgs.opentofu;
        };
      };
    };
 }
--- a/users/modules/common/fish.nix
+++ b/users/modules/common/fish.nix
@ -3,10 +3,7 @@
 {
  programs.fish = {
    enable = true;
-    interactiveShellInit = ''
+    interactiveShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source";
      set fish_greeting
      ${lib.getExe pkgs.nix-your-shell} fish | source
    '';
    loginShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source";
    plugins = [
      {
--- a/users/modules/desktop/desktop.nix
+++ b/users/modules/desktop/desktop.nix
@ -1,21 +1,15 @@
 {
  config,
  inputs,
  pkgs,
  ...
 }:
 {
  imports = [ inputs.vicinae.homeManagerModules.default ];
  fonts.fontconfig.enable = true;
  home.packages = with pkgs; [ xwayland-satellite ];
  services.vicinae = {
    enable = true;
    autoStart = true;
  };
  programs = {
    ghostty = {
@ -28,7 +22,7 @@
          url = "https://raw.githubusercontent.com/hackr-sh/ghostty-shaders/cb6eb4b0d1a3101c869c62e458b25a826f9dcde3/cursor_blaze.glsl";
          sha256 = "sha256:0g2lgqjdrn3c51glry7x2z30y7ml0y61arl5ykmf4yj0p85s5f41";
        }}";
-        bell-features = "";
+        bell-features = "border";
        gtk-titlebar-style = "tabs";
        keybind = [ "shift+enter=text:\\x1b\\r" ];
      };
@ -47,28 +41,33 @@
      enable = true;
      defaultApplications = {
        "text/html" = [
-          "re.sonny.Junction.desktop"
+          "com.github.timecraft.junction.desktop"
          "zen-browser.desktop"
          "brave-browser.desktop"
          "torbrowser.desktop"
        ];
        "x-scheme-handler/http" = [
-          "re.sonny.Junction.desktop"
+          "com.github.timecraft.junction.desktop"
          "zen-browser.desktop"
          "brave-browser.desktop"
          "torbrowser.desktop"
        ];
        "x-scheme-handler/https" = [
-          "re.sonny.Junction.desktop"
+          "com.github.timecraft.junction.desktop"
          "zen-browser.desktop"
          "brave-browser.desktop"
          "torbrowser.desktop"
        ];
        "x-scheme-handler/about" = [
-          "re.sonny.Junction.desktop"
+          "com.github.timecraft.junction.desktop"
          "zen-browser.desktop"
          "brave-browser.desktop"
          "torbrowser.desktop"
        ];
        "x-scheme-handler/unknown" = [
-          "re.sonny.Junction.desktop"
+          "com.github.timecraft.junction.desktop"
          "zen-browser.desktop"
          "brave-browser.desktop"
          "torbrowser.desktop"
        ];
        "image/jpeg" = "org.gnome.Loupe.desktop";
@ -100,17 +99,17 @@
        "text/x-log" = "Helix.desktop";
        "application/x-shellscript" = "Helix.desktop";
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document" =
-          "com.collabora.Office.desktop"; # DOCX
+          "onlyoffice-desktopeditors.desktop"; # DOCX
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" =
-          "com.collabora.Office.desktop"; # XLSX
+          "onlyoffice-desktopeditors.desktop"; # XLSX
        "application/vnd.openxmlformats-officedocument.presentationml.presentation" =
-          "com.collabora.Office.desktop"; # PPTX
+          "onlyoffice-desktopeditors.desktop"; # PPTX
-        "application/vnd.oasis.opendocument.text" = "com.collabora.Office.desktop"; # ODT
+        "application/vnd.oasis.opendocument.text" = "onlyoffice-desktopeditors.desktop"; # ODT
-        "application/vnd.oasis.opendocument.spreadsheet" = "com.collabora.Office.desktop"; # ODS
+        "application/vnd.oasis.opendocument.spreadsheet" = "onlyoffice-desktopeditors.desktop"; # ODS
-        "application/vnd.oasis.opendocument.presentation" = "com.collabora.Office.desktop"; # ODP
+        "application/vnd.oasis.opendocument.presentation" = "onlyoffice-desktopeditors.desktop"; # ODP
-        "application/msword" = "com.collabora.Office.desktop"; # DOC
+        "application/msword" = "onlyoffice-desktopeditors.desktop"; # DOC
-        "application/vnd.ms-excel" = "com.collabora.Office.desktop"; # XLS
+        "application/vnd.ms-excel" = "onlyoffice-desktopeditors.desktop"; # XLS
-        "application/vnd.ms-powerpoint" = "com.collabora.Office.desktop"; # PPT
+        "application/vnd.ms-powerpoint" = "onlyoffice-desktopeditors.desktop"; # PPT
        "application/zip" = "org.gnome.FileRoller.desktop";
        "application/x-tar" = "org.gnome.FileRoller.desktop";
        "application/x-compressed-tar" = "org.gnome.FileRoller.desktop";
--- a/users/modules/desktop/niri.nix
+++ b/users/modules/desktop/niri.nix
@ -8,35 +8,25 @@
 let
  isRotterdam = hostname == "rotterdam";
  noctalia = "${lib.getExe inputs.noctalia.packages.${pkgs.system}.default}";
 in
 {
  imports = [ inputs.noctalia.homeModules.default ];
  services.kanshi = {
    enable = true;
    settings = [
      {
        profile.name = "default";
        profile.outputs = [
          {
            criteria = "*";
            scale = 1.0;
          }
        ];
      }
    ];
  };
  home = {
-    packages = with pkgs; [
+    packages = with pkgs; [ xwayland-satellite ];
      xwayland-satellite
      inputs.noctalia.packages.${pkgs.system}.default
    ];
    sessionVariables.QT_QPA_PLATFORMTHEME = "gtk3";
  };
  xdg.configFile."niri/config.kdl".text = ''
    output "eDP-1" {
      scale 1.0
    }
    output "DP-3" {
      scale 1.0
    }
    input {
      keyboard {
        xkb {
@ -98,13 +88,18 @@ in
          gap 4
          place-within-column
        }
        ${lib.optionalString isRotterdam ''
          struts {
            left 8
            right 8
          }''}
    }
    overview {
      zoom 0.65
    }
-    spawn-at-startup "noctalia-shell" "-d"
+    spawn-at-startup "${noctalia}"
    layer-rule {
      match namespace="^wallpaper$"
        place-within-backdrop true
@ -140,18 +135,18 @@ in
    }
    binds {
-      Alt+Space repeat=false { spawn "vicinae" "toggle"; }
+      Alt+Space { spawn "${noctalia}" "ipc" "call" "launcher" "toggle"; }
-      XF86AudioRaiseVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "increase"; }
+      XF86AudioRaiseVolume allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "increase"; }
-      XF86AudioLowerVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "decrease"; }
+      XF86AudioLowerVolume allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "decrease"; }
-      XF86AudioMute allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "muteOutput"; }
+      XF86AudioMute allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "muteOutput"; }
-      XF86MonBrightnessUp allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "increase"; }
+      XF86MonBrightnessUp allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "brightness" "increase"; }
-      XF86MonBrightnessDown allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "decrease"; }
+      XF86MonBrightnessDown allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "brightness" "decrease"; }
      XF86AudioPlay        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "play-pause"; }
      XF86AudioStop        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "stop"; }
      XF86AudioPrev        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "previous"; }
      XF86AudioNext        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "next"; }
-      Mod+V repeat=false { spawn "vicinae" "vicinae://extensions/vicinae/clipboard/history"; }
+      Mod+V { spawn "${noctalia}" "ipc" "call" "launcher" "clipboard"; }
-      Mod+Shift+L repeat=false { spawn "noctalia-shell" "ipc" "call" "lockScreen" "lock"; }
+      Mod+Shift+L { spawn "${noctalia}" "ipc" "call" "lockScreen" "toggle"; }
      Mod+Return { spawn "ghostty"; }
      Ctrl+Alt+Shift+A allow-when-locked=true { spawn "toggleaudiosink"; }
      Mod+W repeat=false { toggle-overview; }
@ -160,13 +155,17 @@ in
      Mod+Shift+Q { close-window; }
      Alt+F4 { close-window; }
      Mod+Left  { focus-column-left; }
-      Mod+Down  { focus-window-or-workspace-down; }
+      Mod+Down  { focus-window-down; }
-      Mod+Up    { focus-window-or-workspace-up; }
+      Mod+Up    { focus-window-up; }
      Mod+Right { focus-column-right; }
      Mod+H     { focus-column-left; }
      Mod+L     { focus-column-right; }
-      Mod+J     { focus-window-or-workspace-down; }
+      Mod+J     { focus-window-down; }
-      Mod+K     { focus-window-or-workspace-up; }
+      Mod+K     { focus-window-up; }
      Ctrl+Alt+J    { focus-workspace-down; }
      Ctrl+Alt+K    { focus-workspace-up; }
      Ctrl+Alt+Down { focus-workspace-down; }
      Ctrl+Alt+Up   { focus-workspace-up; }
      Mod+Ctrl+Left  { move-column-left; }
      Mod+Ctrl+Down  { move-window-down-or-to-workspace-down; }
      Mod+Ctrl+Up    { move-window-up-or-to-workspace-up; }
@ -221,8 +220,8 @@ in
      Mod+Print { screenshot; }
      Ctrl+Print { screenshot-window; }
      Mod+Backspace allow-inhibiting=false { toggle-keyboard-shortcuts-inhibit; }
-      Mod+Alt+E { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; }
+      Mod+Alt+E { spawn "${noctalia}" "ipc" "call" "sessionMenu" "toggle"; }
-      Ctrl+Alt+Delete { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; }
+      Ctrl+Alt+Delete { spawn "${noctalia}" "ipc" "call" "sessionMenu" "toggle"; }
      Mod+Ctrl+P { power-off-monitors; }
    }
  '';
--- a/users/modules/stylix.nix
+++ b/users/modules/stylix.nix
@ -46,7 +46,7 @@
        name = "FiraCode Nerd Font";
      };
      emoji = {
-        package = pkgs.noto-fonts-color-emoji;
+        package = pkgs.noto-fonts-emoji;
        name = "Noto Color Emoji";
      };
      sizes = {
--- a/utils.nix
+++ b/utils.nix
@ -8,24 +8,9 @@ let
    home-manager
    agenix
    ;
  # Import shared service definitions
  sharedServices = import ./shared/services.nix;
  # Enrich services with host IP information
  enrichedServices = builtins.map (svc:
    let
      hostInfo = sharedServices.hosts.${svc.host} or {};
    in
    svc // lib.optionalAttrs (hostInfo ? lanIP) { inherit (hostInfo) lanIP; }
        // lib.optionalAttrs (hostInfo ? tailscaleIP) { inherit (hostInfo) tailscaleIP; }
  ) sharedServices.services;
 in
 {
  # Re-export enriched services and hosts for use in host configs
  services = enrichedServices;
  inherit (sharedServices) hosts;
  # Tag-based host configuration system
  mkHost =
    {
@ -193,41 +178,16 @@ in
  # Nginx virtual host utilities
  mkNginxVHosts =
-    { domains }:
+    {
      acmeHost,
      domains,
    }:
    let
-      # Extract domain name and apply it as useACMEHost
+      commonVHostConfig = {
-      mkVHostConfig = domain: config:
+        useACMEHost = acmeHost;
        lib.recursiveUpdate {
          useACMEHost = domain;
        forceSSL = true;
        kTLS = true;
-        } config;
+      };
    in
-    lib.mapAttrs mkVHostConfig domains;
+    lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) domains;
  # Split DNS utilities for unbound
  # Generates unbound view config from a list of DNS entries
  mkSplitDNS =
    entries:
    let
      # Generate local-data entries for all domains
      tailscaleData = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') entries;
      lanData = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') entries;
    in
    [
      # Single Tailscale view with all domains
      {
        name = "tailscale";
        view-first = true;
        local-zone = ''"baduhai.dev." transparent'';
        local-data = tailscaleData;
      }
      # Single LAN view with all domains
      {
        name = "lan";
        view-first = true;
        local-zone = ''"baduhai.dev." transparent'';
        local-data = lanData;
      }
    ];
 }