flake.lock: Update

Flake lock file updates:

• Updated input 'nix-ai-tools':
    'github:numtide/nix-ai-tools/58d5d222d6802a75c1ed637d049ea438d199051a?narHash=sha256-pQ2XzsB/n8E5FWYnICZu/BzkKy8a50EzmUGTCo5SeHg%3D' (2025-11-13)
  → 'github:numtide/nix-ai-tools/a2dfa932ed37e5b6224b39b4982c85cd8ebcca14?narHash=sha256-n6bChFrCf2/uHzTsZdABUt1%2BUa3n0jinNfamHd5DmBA%3D' (2025-11-17)
• Updated input 'nix-ai-tools/blueprint':
    'github:numtide/blueprint/633af1961cae8e02bc6195e6e599a6b09bf75217?narHash=sha256-wTQzbbQ6XHtvNJVuhJj%2BytZDRyNtwUKbrIfIvMvKNfQ%3D' (2025-10-28)
  → 'github:numtide/blueprint/5a9bba070f801d63e2af3c9ef00b86b212429f4f?narHash=sha256-O9Y%2BWer8wOh%2BN%2B4kcCK5p/VLrXyX%2Bktk0/s3HdZvJzk%3D' (2025-11-16)
• Updated input 'nix-ai-tools/nixpkgs':
    'github:NixOS/nixpkgs/9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4?narHash=sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI%3D' (2025-11-11)
  → 'github:NixOS/nixpkgs/85a6c4a07faa12aaccd81b36ba9bfc2bec974fa1?narHash=sha256-3YJkOBrFpmcusnh7i8GXXEyh7qZG/8F5z5%2B717550Hk%3D' (2025-11-16)

.gitignore

@@ -3,6 +3,8 @@ result
 result-*
 .direnv/
 oci-trantor/
+tailscale-tailnet/
+cloudflare-baduhaidev
 
 # Personal notes and temporary files
 todo.md

devShells.nix

@@ -1,12 +1,12 @@
-{ ... }:
+{ inputs, ... }:
 
 {
   perSystem =
-    { pkgs, ... }:
+    { pkgs, system, ... }:
     {
       devShells.default = pkgs.mkShell {
         packages = with pkgs; [
-          agenix-cli
+          inputs.agenix.packages.${system}.default
           deploy-rs
           nil
           nixfmt-rfc-style

diskoConfigurations.nix

@@ -1,12 +0,0 @@
-{ inputs, ... }:
-
-{
-  imports = [
-    inputs.disko.flakeModule
-  ];
-
-  flake.diskoConfigurations = {
-    io.modules = [ ./disko/io.nix ];
-    trantor.modules = [ ./disko/trantor.nix ];
-  };
-}

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1760836749,
-        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+        "lastModified": 1761656077,
+        "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "2f0f812f69f3eb4140157fe15e12739adf82e32a",
+        "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5",
         "type": "github"
       },
       "original": {
@@ -91,6 +91,28 @@
         "type": "github"
       }
     },
+    "blueprint": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-ai-tools",
+          "nixpkgs"
+        ],
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1763308703,
+        "narHash": "sha256-O9Y+Wer8wOh+N+4kcCK5p/VLrXyX+ktk0/s3HdZvJzk=",
+        "owner": "numtide",
+        "repo": "blueprint",
+        "rev": "5a9bba070f801d63e2af3c9ef00b86b212429f4f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "blueprint",
+        "type": "github"
+      }
+    },
     "darwin": {
       "inputs": {
         "nixpkgs": [
@@ -186,11 +208,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
         "type": "github"
       },
       "original": {
@@ -204,11 +226,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1760948891,
-        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
+        "lastModified": 1762040540,
+        "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
+        "rev": "0010412d62a25d959151790968765a70c436598b",
         "type": "github"
       },
       "original": {
@@ -261,7 +283,25 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_8"
       },
       "locked": {
         "lastModified": 1731533236,
@@ -338,11 +378,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1760929667,
-        "narHash": "sha256-nZh6uvc71nVNaf/y+wesnjwsmJ6IZZUnP2EzpZe48To=",
+        "lastModified": 1762178366,
+        "narHash": "sha256-I+8yE5HVR2SFcHnW0771psQ/zn0qVzsKHY/gUM0nEVM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "189c21cf879669008ccf06e78a553f17e88d8ef0",
+        "rev": "8c824254b1ed9e797f6235fc3c62f365893c561a",
         "type": "github"
       },
       "original": {
@@ -418,11 +458,11 @@
         "xwayland-satellite-unstable": "xwayland-satellite-unstable"
       },
       "locked": {
-        "lastModified": 1760950171,
-        "narHash": "sha256-E2ySTu/oK7cYBdAI3tlGP9zVjF4mZgWJ1OZInBCMb00=",
+        "lastModified": 1762152856,
+        "narHash": "sha256-U3SDbk7tIwLChpvb3FL66o8V0byaQ2RGMiy/3oLdxTI=",
         "owner": "sodiboo",
         "repo": "niri-flake",
-        "rev": "f851a923137c0a54719412146fd63d24b3214e60",
+        "rev": "df17789929ac80f4157b15724450db6a303a6dc9",
         "type": "github"
       },
       "original": {
@@ -451,11 +491,11 @@
     "niri-unstable": {
       "flake": false,
       "locked": {
-        "lastModified": 1760940149,
-        "narHash": "sha256-KbM47vD6E0cx+v4jYQZ8mD5N186AKm2CQlyh34TW58U=",
+        "lastModified": 1762146685,
+        "narHash": "sha256-anRlNG6t7esBbF1+ALDeathVBSclA0PEL52Vo0WnN5g=",
         "owner": "YaLTeR",
         "repo": "niri",
-        "rev": "b3245b81a6ed8edfaf5388a74d2e0a23c24941e5",
+        "rev": "a2ca2b3c866bc781b12c334a9f949b3db6d7c943",
         "type": "github"
       },
       "original": {
@@ -464,6 +504,26 @@
         "type": "github"
       }
     },
+    "nix-ai-tools": {
+      "inputs": {
+        "blueprint": "blueprint",
+        "nixpkgs": "nixpkgs_5",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1763412165,
+        "narHash": "sha256-n6bChFrCf2/uHzTsZdABUt1+Ua3n0jinNfamHd5DmBA=",
+        "owner": "numtide",
+        "repo": "nix-ai-tools",
+        "rev": "a2dfa932ed37e5b6224b39b4982c85cd8ebcca14",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-ai-tools",
+        "type": "github"
+      }
+    },
     "nix-flatpak": {
       "locked": {
         "lastModified": 1754777568,
@@ -487,11 +547,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1760846226,
-        "narHash": "sha256-xmU8kAsRprJiTGBTaGrwmjBP3AMA9ltlrxHKFuy5JWc=",
+        "lastModified": 1762055842,
+        "narHash": "sha256-Pu1v3mlFhRzZiSxVHb2/i/f5yeYyRNqr0RvEUJ4UgHo=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "5024e1901239a76b7bf94a4cd27f3507e639d49e",
+        "rev": "359ff6333a7b0b60819d4c20ed05a3a1f726771f",
         "type": "github"
       },
       "original": {
@@ -503,7 +563,7 @@
     "nix-options-doc": {
       "inputs": {
         "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_6",
         "rust-overlay": "rust-overlay_2"
       },
       "locked": {
@@ -525,14 +585,14 @@
       "inputs": {
         "flake-compat": "flake-compat_2",
         "nix-options-doc": "nix-options-doc",
-        "nixpkgs": "nixpkgs_6"
+        "nixpkgs": "nixpkgs_7"
       },
       "locked": {
-        "lastModified": 1760856139,
-        "narHash": "sha256-N+F4n1WYE3AWc/kmdqIz67GNX7PgyKosnmGYYx8vR9k=",
+        "lastModified": 1761970410,
+        "narHash": "sha256-IUm2nkbKlDkG94ruTmIYLERpBn6gXydm3scZIKzpcKs=",
         "owner": "nix-community",
         "repo": "nixos-cli",
-        "rev": "c8f5ce1fd9bf151df74328795b6b2720e2e22d75",
+        "rev": "5c259f72ae1eaa00b99354d81130d8fddb7f9a7a",
         "type": "github"
       },
       "original": {
@@ -559,11 +619,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1754788789,
-        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "lastModified": 1761765539,
+        "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc",
         "type": "github"
       },
       "original": {
@@ -574,11 +634,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1760862643,
-        "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=",
+        "lastModified": 1761999846,
+        "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c",
+        "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31",
         "type": "github"
       },
       "original": {
@@ -590,11 +650,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1760862643,
-        "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=",
+        "lastModified": 1761999846,
+        "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c",
+        "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31",
         "type": "github"
       },
       "original": {
@@ -604,13 +664,45 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
+    "nixpkgs_10": {
       "locked": {
-        "lastModified": 1761880412,
-        "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=",
+        "lastModified": 1762111121,
+        "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
+        "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_11": {
+      "locked": {
+        "lastModified": 1755615617,
+        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1752596105,
+        "narHash": "sha256-lFNVsu/mHLq3q11MuGkMhUUoSXEdQjCHvpReaGP1S2k=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dab3a6e781554f965bde3def0aa2fda4eb8f1708",
         "type": "github"
       },
       "original": {
@@ -638,11 +730,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1760878510,
-        "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=",
+        "lastModified": 1761907660,
+        "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67",
+        "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15",
         "type": "github"
       },
       "original": {
@@ -653,6 +745,22 @@
       }
     },
     "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1763312402,
+        "narHash": "sha256-3YJkOBrFpmcusnh7i8GXXEyh7qZG/8F5z5+717550Hk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "85a6c4a07faa12aaccd81b36ba9bfc2bec974fa1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_6": {
       "locked": {
         "lastModified": 1740695751,
         "narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=",
@@ -668,13 +776,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_6": {
+    "nixpkgs_7": {
       "locked": {
-        "lastModified": 1759070547,
-        "narHash": "sha256-JVZl8NaVRYb0+381nl7LvPE+A774/dRpif01FKLrYFQ=",
+        "lastModified": 1761880412,
+        "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "647e5c14cbd5067f44ac86b74f014962df460840",
+        "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
         "type": "github"
       },
       "original": {
@@ -684,13 +792,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_7": {
+    "nixpkgs_8": {
       "locked": {
-        "lastModified": 1760878510,
-        "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=",
+        "lastModified": 1761907660,
+        "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67",
+        "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15",
         "type": "github"
       },
       "original": {
@@ -700,7 +808,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_8": {
+    "nixpkgs_9": {
       "locked": {
         "lastModified": 1758690382,
         "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=",
@@ -716,36 +824,20 @@
         "type": "github"
       }
     },
-    "nixpkgs_9": {
-      "locked": {
-        "lastModified": 1755615617,
-        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "noctalia": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
         ],
         "quickshell": "quickshell",
-        "systems": "systems_4"
+        "systems": "systems_5"
       },
       "locked": {
-        "lastModified": 1761190730,
-        "narHash": "sha256-XAs/Q4zBJIfK/bwq9KjTUkTH15A+Pe2rIilyvalEHuM=",
+        "lastModified": 1762156721,
+        "narHash": "sha256-gHfzrTDSnNC5yRJwkZfP55fPHUc8DuB4OQEIBSQSs18=",
         "owner": "noctalia-dev",
         "repo": "noctalia-shell",
-        "rev": "c3439b262c7cb3d57c93197a93a3aa382582bdae",
+        "rev": "5ca5aa602f58a8e0e73fedbef351f1cdf8cbe981",
         "type": "github"
       },
       "original": {
@@ -787,11 +879,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753595452,
-        "narHash": "sha256-vqkSDvh7hWhPvNjMjEDV4KbSCv2jyl2Arh73ZXe274k=",
+        "lastModified": 1761821581,
+        "narHash": "sha256-nLuc6jA7z+H/6bHPEBSOYPbz7RtvNCZiTKmYItJuBmM=",
         "ref": "refs/heads/master",
-        "rev": "a5431dd02dc23d9ef1680e67777fed00fe5f7cda",
-        "revCount": 665,
+        "rev": "db1777c20b936a86528c1095cbcb1ebd92801402",
+        "revCount": 699,
         "type": "git",
         "url": "https://git.outfoxxed.me/outfoxxed/quickshell"
       },
@@ -810,14 +902,16 @@
         "impermanence": "impermanence",
         "niri": "niri",
         "niri-flake": "niri-flake",
+        "nix-ai-tools": "nix-ai-tools",
         "nix-flatpak": "nix-flatpak",
         "nix-index-database": "nix-index-database",
         "nixos-cli": "nixos-cli",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_8",
         "nixpkgs-stable": "nixpkgs-stable_2",
         "noctalia": "noctalia",
         "stylix": "stylix",
         "terranix": "terranix",
+        "vicinae": "vicinae",
         "zen-browser": "zen-browser"
       }
     },
@@ -873,9 +967,9 @@
         "firefox-gnome-theme": "firefox-gnome-theme",
         "flake-parts": "flake-parts_2",
         "gnome-shell": "gnome-shell",
-        "nixpkgs": "nixpkgs_8",
+        "nixpkgs": "nixpkgs_9",
         "nur": "nur",
-        "systems": "systems_5",
+        "systems": "systems_6",
         "tinted-foot": "tinted-foot",
         "tinted-kitty": "tinted-kitty",
         "tinted-schemes": "tinted-schemes",
@@ -883,11 +977,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1760472212,
-        "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=",
+        "lastModified": 1762101397,
+        "narHash": "sha256-wGiL2K3kAyBBmIZpJEskaSIgyzzpg0zwfvri+Sy6/CI=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db",
+        "rev": "8c0640d5722a02178c8ee80a62c5f019cab4b3c1",
         "type": "github"
       },
       "original": {
@@ -986,20 +1080,50 @@
         "type": "github"
       }
     },
+    "systems_7": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_8": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "terranix": {
       "inputs": {
         "flake-parts": "flake-parts_3",
         "nixpkgs": [
           "nixpkgs"
         ],
-        "systems": "systems_6"
+        "systems": "systems_7"
       },
       "locked": {
-        "lastModified": 1757278723,
-        "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=",
+        "lastModified": 1762161791,
+        "narHash": "sha256-J1L1yP29NVBJO04LA/JGM6kwhnjeNhEsX0tLFnuN3FI=",
         "owner": "terranix",
         "repo": "terranix",
-        "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb",
+        "rev": "a79a47b4617dfb92184e2e5b8f5aa6fc06c659c8",
         "type": "github"
       },
       "original": {
@@ -1089,6 +1213,27 @@
         "type": "github"
       }
     },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-ai-tools",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762938485,
+        "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
     "utils": {
       "inputs": {
         "systems": "systems_2"
@@ -1107,6 +1252,25 @@
         "type": "github"
       }
     },
+    "vicinae": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": "nixpkgs_10"
+      },
+      "locked": {
+        "lastModified": 1762709887,
+        "narHash": "sha256-8BoGGsWfkS/2ODBSCYd5HJNFGuLY8fFl27rXmWClXQw=",
+        "owner": "vicinaehq",
+        "repo": "vicinae",
+        "rev": "54722e36137d8273ef0a5db37776fb8302c79238",
+        "type": "github"
+      },
+      "original": {
+        "owner": "vicinaehq",
+        "repo": "vicinae",
+        "type": "github"
+      }
+    },
     "xwayland-satellite-stable": {
       "flake": false,
       "locked": {
@@ -1127,11 +1291,11 @@
     "xwayland-satellite-unstable": {
       "flake": false,
       "locked": {
-        "lastModified": 1759707084,
-        "narHash": "sha256-0pkftKs6/LReNvxw7DVTN2AJEheZVgyeK0Aarbagi70=",
+        "lastModified": 1761622056,
+        "narHash": "sha256-fBrUszJXmB4MY+wf3QsCnqWHcz7u7fLq0QMAWCltIQg=",
         "owner": "Supreeeme",
         "repo": "xwayland-satellite",
-        "rev": "a9188e70bd748118b4d56a529871b9de5adb9988",
+        "rev": "0728d59ff6463a502e001fb090f6eb92dbc04756",
         "type": "github"
       },
       "original": {
@@ -1143,14 +1307,14 @@
     "zen-browser": {
       "inputs": {
         "home-manager": "home-manager_3",
-        "nixpkgs": "nixpkgs_9"
+        "nixpkgs": "nixpkgs_11"
       },
       "locked": {
-        "lastModified": 1760934351,
-        "narHash": "sha256-RehxVjBRC9EiBO36EPZROLHhVVSWFe3KEROhaEapboM=",
+        "lastModified": 1762131860,
+        "narHash": "sha256-sIPhzkDrfe6ptthZiwoxQyO6rKd9PgJnl+LOyythQkI=",
         "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "596c3ac14be576b93f5db9252a1b0581e453ec9f",
+        "rev": "10e69cb268b1d3dc91135e72f5462b2acfbcc3aa",
         "type": "github"
       },
       "original": {

flake.nix

@@ -49,6 +49,10 @@
       url = "github:terranix/terranix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    nix-ai-tools.url = "github:numtide/nix-ai-tools";
+
+    vicinae.url = "github:vicinaehq/vicinae";
   };
 
   outputs =
@@ -62,7 +66,6 @@
       imports = [
         ./deploy.nix
         ./devShells.nix
-        ./diskoConfigurations.nix
         ./homeConfigurations.nix
         ./nixosConfigurations.nix
         ./nixosModules.nix

hosts/alexandria/firewall.nix

@@ -1,11 +0,0 @@
-{ ... }:
-
-{
-  networking.firewall = {
-    allowedTCPPorts = [
-      80
-      443
-    ];
-    allowedUDPPorts = [ ];
-  };
-}

hosts/alexandria/forgejo.nix

@@ -1,35 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  ...
-}:
-let
-  utils = import ../../utils.nix { inherit inputs lib; };
-  inherit (utils) mkNginxVHosts;
-in
-{
-  services.forgejo = {
-    enable = true;
-    repositoryRoot = "/data/forgejo";
-    settings = {
-      session.COOKIE_SECURE = true;
-      server = {
-        PROTOCOL = "http+unix";
-        DOMAIN = "git.baduhai.dev";
-        ROOT_URL = "https://git.baduhai.dev";
-        OFFLINE_MODE = true; # disable use of CDNs
-        SSH_DOMAIN = "baduhai.dev";
-      };
-      log.LEVEL = "Warn";
-      mailer.ENABLED = false;
-      actions.ENABLED = false;
-    };
-  };
-
-  services.nginx.virtualHosts = mkNginxVHosts {
-    acmeHost = "baduhai.dev";
-    domains."git.baduhai.dev".locations."/".proxyPass =
-      "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
-  };
-}

hosts/alexandria/jellyfin.nix

@@ -10,7 +10,6 @@ in
   };
 
   services.nginx.virtualHosts = mkNginxVHosts {
-    acmeHost = "baduhai.dev";
     domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/";
   };
 }

hosts/alexandria/kanidm.nix

@@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  inputs,
+  pkgs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+  kanidmCertDir = "/var/lib/kanidm/certs";
+in
+
+{
+  services.kanidm = {
+    enableServer = true;
+    enableClient = true;
+    package = pkgs.kanidm;
+
+    serverSettings = {
+      domain = "auth.baduhai.dev";
+      origin = "https://auth.baduhai.dev";
+      bindaddress = "127.0.0.1:8443";
+      ldapbindaddress = "127.0.0.1:636";
+      trust_x_forward_for = true;
+      # Use self-signed certificates for internal TLS
+      tls_chain = "${kanidmCertDir}/cert.pem";
+      tls_key = "${kanidmCertDir}/key.pem";
+    };
+
+    clientSettings = {
+      uri = "https://auth.baduhai.dev";
+    };
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."auth.baduhai.dev" = {
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:8443";
+        extraConfig = ''
+          proxy_ssl_verify off;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 636 ];
+
+  # Generate self-signed certificates for kanidm's internal TLS
+  systemd.services.kanidm-generate-certs = {
+    description = "Generate self-signed TLS certificates for Kanidm";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "kanidm.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      mkdir -p ${kanidmCertDir}
+      if [ ! -f ${kanidmCertDir}/key.pem ]; then
+        ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
+          -keyout ${kanidmCertDir}/key.pem \
+          -out ${kanidmCertDir}/cert.pem \
+          -days 3650 -nodes \
+          -subj "/CN=localhost" \
+          -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+        chown -R kanidm:kanidm ${kanidmCertDir}
+        chmod 600 ${kanidmCertDir}/key.pem
+        chmod 644 ${kanidmCertDir}/cert.pem
+      fi
+    '';
+  };
+
+  # Ensure certificate generation runs before kanidm starts
+  systemd.services.kanidm = {
+    after = [ "kanidm-generate-certs.service" ];
+    wants = [ "kanidm-generate-certs.service" ];
+  };
+}

hosts/alexandria/librespeed.nix

@@ -1,30 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  ...
-}:
-
-let
-  utils = import ../../utils.nix { inherit inputs lib; };
-  inherit (utils) mkNginxVHosts;
-in
-
-{
-  virtualisation.oci-containers.containers."librespeed" = {
-    image = "lscr.io/linuxserver/librespeed:latest";
-    environment = {
-      TZ = "America/Bahia";
-    };
-    ports = [ "127.0.0.1:58080:80" ];
-    extraOptions = [
-      "--pull=newer"
-      "--label=io.containers.autoupdate=registry"
-    ];
-  };
-
-  services.nginx.virtualHosts = mkNginxVHosts {
-    acmeHost = "baduhai.dev";
-    domains."speedtest.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:58080/";
-  };
-}

hosts/alexandria/nextcloud.nix

@@ -24,7 +24,13 @@ in
       database.createLocally = true;
       maxUploadSize = "16G";
       extraApps = {
-        inherit (config.services.nextcloud.package.packages.apps) calendar contacts notes;
+        inherit (config.services.nextcloud.package.packages.apps)
+          calendar
+          contacts
+          notes
+          tasks
+          user_oidc
+          ;
       };
       extraAppsEnable = true;
       caching = {
@@ -35,6 +41,7 @@ in
         trusted_proxies = [ "127.0.0.1" ];
         default_phone_region = "BR";
         maintenance_window_start = "4";
+        allow_local_remote_servers = true;
         enabledPreviewProviders = [
           "OC\\Preview\\BMP"
           "OC\\Preview\\EMF"
@@ -71,7 +78,6 @@ in
     };
 
     nginx.virtualHosts = mkNginxVHosts {
-      acmeHost = "baduhai.dev";
       domains."cloud.baduhai.dev" = { };
     };
   };

hosts/alexandria/nginx.nix

@@ -7,7 +7,15 @@
 
 let
   utils = import ../../utils.nix { inherit inputs lib; };
-  inherit (utils) mkNginxVHosts;
+  inherit (utils) mkNginxVHosts services;
+
+  # Get all unique domains from shared services that have LAN IPs (served by this host)
+  localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services));
+
+  # Generate ACME cert configs for all local domains
+  acmeCerts = lib.genAttrs localDomains (domain: {
+    group = "nginx";
+  });
 in
 
 {
@@ -19,9 +27,7 @@ in
       dnsProvider = "cloudflare";
       credentialsFile = config.age.secrets.cloudflare.path;
     };
-    certs."baduhai.dev" = {
-      extraDomainNames = [ "*.baduhai.dev" ];
-    };
+    certs = acmeCerts;
   };
 
   services.nginx = {
@@ -30,14 +36,21 @@ in
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-    virtualHosts = mkNginxVHosts {
-      acmeHost = "baduhai.dev";
-      domains."_".locations."/".return = "444";
+    virtualHosts = {
+      "_" = {
+        default = true;
+        locations."/".return = "444";
+      };
     };
   };
 
   users.users.nginx.extraGroups = [ "acme" ];
 
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
   age.secrets.cloudflare = {
     file = ../../secrets/cloudflare.age;
     owner = "nginx";

hosts/alexandria/unbound.nix

@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+in
+
+{
+  services.unbound = {
+    enable = true;
+    enableRootTrustAnchor = true;
+    settings = {
+      server = {
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "192.168.0.0/16 allow"
+          "::1/128 allow"
+        ];
+
+        num-threads = 2;
+        msg-cache-size = "50m";
+        rrset-cache-size = "100m";
+        cache-min-ttl = 300;
+        cache-max-ttl = 86400;
+        prefetch = true;
+        prefetch-key = true;
+        hide-identity = true;
+        hide-version = true;
+        so-rcvbuf = "1m";
+        so-sndbuf = "1m";
+
+        # LAN-only DNS records
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'')
+          (lib.filter (e: e ? lanIP) utils.services);
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}

hosts/alexandria/vaultwarden.nix

@@ -20,7 +20,6 @@ in
   };
 
   services.nginx.virtualHosts = mkNginxVHosts {
-    acmeHost = "baduhai.dev";
     domains."pass.baduhai.dev".locations."/".proxyPass =
       "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
   };

hosts/io/disko.nix

@@ -1,4 +1,8 @@
+{ inputs, ... }:
+
 {
+  imports = [ inputs.disko.nixosModules.default ];
+
   disko.devices.disk.main = {
     type = "disk";
     device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";

hosts/io/hardware-configuration.nix

@@ -2,15 +2,12 @@
   config,
   lib,
   modulesPath,
-  self,
+  inputs,
   ...
 }:
 
 {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-    self.diskoConfigurations.io
-  ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
   boot = {
     initrd = {

hosts/io/services.nix

@@ -49,6 +49,7 @@
       };
     };
     upower.enable = true;
+    power-profiles-daemon.enable = true;
   };
 
   # TODO: remove once gmodena/nix-flatpak/issues/45 fixed

hosts/modules/ai.nix

@@ -0,0 +1,10 @@
+{ inputs, pkgs, ... }:
+
+{
+  environment.systemPackages = with inputs.nix-ai-tools.packages.${pkgs.system}; [
+    claude-desktop
+    claude-code
+    claudebox
+    opencode
+  ];
+}

hosts/modules/common/openssh.nix

@@ -4,10 +4,8 @@
   services.openssh = {
     enable = true;
     settings.PermitRootLogin = "no";
+    extraConfig = ''
+      PrintLastLog no
+    '';
   };
-  programs.fish.interactiveShellInit = ''
-    if set -q SSH_CONNECTION
-      neofetch
-    end
-  '';
 }

hosts/modules/common/programs.nix

@@ -25,6 +25,16 @@
 
   programs = {
     command-not-found.enable = false;
-    fish.enable = true;
+    fish = {
+      enable = true;
+      interactiveShellInit = ''
+        set fish_greeting
+        if set -q SSH_CONNECTION
+          export TERM=xterm-256color
+          clear
+          fastfetch
+        end
+      '';
+    };
   };
 }

hosts/modules/common/users.nix

@@ -10,8 +10,9 @@
         "wheel"
       ];
       openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
       ];
       hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
     };

hosts/modules/desktop/desktop.nix

@@ -20,7 +20,6 @@
     systemPackages = with pkgs; [
       ### Web ###
       bitwarden-desktop
-      brave
       fragments
       nextcloud-client
       tor-browser
@@ -35,6 +34,7 @@
       libreoffice
       onlyoffice-desktopeditors
       papers
+      presenterm
       rnote
       ### Graphics & Design ###
       gimp

hosts/modules/dev.nix

@@ -3,7 +3,6 @@
 {
   environment.systemPackages = with pkgs; [
     bat
-    claude-code
     lazygit
     fd
     fzf

hosts/modules/ephemeral.nix

@@ -10,7 +10,7 @@
     enable = true;
     rootDevice =
       if config.networking.hostName == "trantor" then
-        "/dev/disk/by-id/scsi-36067d367fe184830a89bbe708c7b1066"
+        "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2"
       else
         "/dev/mapper/cryptroot";
     rootSubvolume = "@root";

hosts/modules/gaming.nix

@@ -6,7 +6,6 @@
     heroic
     mangohud
     prismlauncher
-    protonup
     steam-run
   ];
 

hosts/trantor/boot.nix

@@ -1,3 +1,6 @@
 {
-  boot.initrd.systemd.enable = true;
+  boot = {
+    initrd.systemd.enable = true;
+    loader.efi.efiSysMountPoint = "/boot/efi";
+  };
 }

hosts/trantor/disko.nix

@@ -1,7 +1,11 @@
+{ inputs, ... }:
+
 {
+  imports = [ inputs.disko.nixosModules.default ];
+
   disko.devices.disk.main = {
     type = "disk";
-    device = "/dev/disk/by-id/scsi-36067d367fe184830a89bbe708c7b1066";
+    device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
     content = {
       type = "gpt";
       partitions = {
@@ -27,8 +31,7 @@
           name = "root";
           size = "100%";
           content = {
-            type = "filesystem";
-            format = "btrfs";
+            type = "btrfs";
             extraArgs = [ "-f" ];
             subvolumes = {
               "@root" = {

hosts/trantor/fail2ban.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    ignoreIP = [
+      "127.0.0.0/8"
+      "::1"
+      "10.0.0.0/8"
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+      "100.64.0.0/10"
+    ];
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "10000h";
+      overalljails = true;
+    };
+  };
+}

hosts/trantor/forgejo.nix

@@ -0,0 +1,72 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+in
+
+{
+  services = {
+    forgejo = {
+      enable = true;
+      settings = {
+        session.COOKIE_SECURE = true;
+        server = {
+          PROTOCOL = "http+unix";
+          DOMAIN = "git.baduhai.dev";
+          ROOT_URL = "https://git.baduhai.dev";
+          OFFLINE_MODE = true; # disable use of CDNs
+          SSH_DOMAIN = "git.baduhai.dev";
+        };
+        log.LEVEL = "Warn";
+        mailer.ENABLED = false;
+        actions.ENABLED = false;
+        service.DISABLE_REGISTRATION = true;
+        oauth2_client = {
+          ENABLE_AUTO_REGISTRATION = true;
+          UPDATE_AVATAR = true;
+          ACCOUNT_LINKING = "login";
+          USERNAME = "preferred_username";
+        };
+      };
+    };
+    nginx.virtualHosts = mkNginxVHosts {
+      domains."git.baduhai.dev".locations."/".proxyPass =
+        "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
+    };
+    fail2ban.jails.forgejo = {
+      settings = {
+        enabled = true;
+        filter = "forgejo";
+        maxretry = 3;
+        findtime = "10m";
+        bantime = "1h";
+      };
+    };
+  };
+
+  environment = {
+    etc."fail2ban/filter.d/forgejo.conf".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+      journalmatch = _SYSTEMD_UNIT=forgejo.service
+    '';
+
+    persistence.main.directories = [
+      {
+        directory = config.services.forgejo.stateDir;
+        inherit (config.services.forgejo) user group;
+        mode = "0700";
+      }
+    ];
+  };
+
+  # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
+  systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
+}

hosts/trantor/hardware-configuration.nix

@@ -1,29 +1,18 @@
 {
   lib,
   modulesPath,
-  self,
   ...
 }:
 
 {
-  imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
-    self.diskoConfigurations.trantor
-  ];
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 
-  boot = {
-    kernelModules = [ ];
-    extraModulePackages = [ ];
-    initrd = {
-      availableKernelModules = [
-        "xhci_pci"
-        "virtio_pci"
-        "virtio_scsi"
-        "usbhid"
-      ];
-      kernelModules = [ ];
-    };
-  };
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "usbhid"
+  ];
 
   networking.useDHCP = lib.mkDefault true;
 

hosts/trantor/nginx.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts services;
+
+  # Get all unique domains from shared services on trantor (host = "trantor")
+  localDomains = lib.unique (
+    map (s: s.domain) (lib.filter (s: s.host == "trantor") services)
+  );
+
+  # Generate ACME cert configs for all local domains
+  acmeCerts = lib.genAttrs localDomains (domain: {
+    group = "nginx";
+  });
+in
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare.path;
+    };
+    certs = acmeCerts;
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "_" = {
+        default = true;
+        locations."/".return = "444";
+      };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  age.secrets.cloudflare = {
+    file = ../../secrets/cloudflare.age;
+    owner = "nginx";
+    group = "nginx";
+  };
+}

hosts/trantor/openssh.nix

@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+  services = {
+    openssh = {
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+    fail2ban.jails.sshd = {
+      settings = {
+        enabled = true;
+        port = "ssh";
+        filter = "sshd";
+        logpath = "/var/log/auth.log";
+        maxretry = 3;
+        findtime = "10m";
+        bantime = "1h";
+      };
+    };
+  };
+}

hosts/trantor/unbound.nix

@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+in
+
+{
+  services.unbound = {
+    enable = true;
+    enableRootTrustAnchor = true;
+    settings = {
+      server = {
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "100.64.0.0/10 allow" # Tailscale CGNAT range
+          "::1/128 allow"
+          "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
+        ];
+
+        num-threads = 2;
+        msg-cache-size = "50m";
+        rrset-cache-size = "100m";
+        cache-min-ttl = 300;
+        cache-max-ttl = 86400;
+        prefetch = true;
+        prefetch-key = true;
+        hide-identity = true;
+        hide-version = true;
+        so-rcvbuf = "1m";
+        so-sndbuf = "1m";
+
+        # Tailnet DNS records from shared services
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') utils.services;
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}

nixosConfigurations.nix

@@ -10,6 +10,7 @@ in
       hostname = "rotterdam";
       tags = [
         "desktop"
+        "ai"
         "bluetooth"
         "dev"
         "ephemeral"
@@ -25,6 +26,7 @@ in
       hostname = "io";
       tags = [
         "desktop"
+        "ai"
         "bluetooth"
         "dev"
         "ephemeral"
@@ -38,7 +40,6 @@ in
       tags = [
         # "server" TODO: uncomment when 25.11 is out.
         "fwupd"
-        "podman"
       ];
     };
 

readme.md

@@ -1,123 +1,87 @@
-# NixOS Configuration
+# Nix Configuration
 
-A declarative, modular NixOS/Home Manager flake configuration managing multiple systems with a tag-based architecture for maximum code reuse and flexibility.
+My personal Nix configuration for multiple NixOS hosts, home-manager users, miscellaneous resources... too many things to list. If I could put my life in a flake I would.
 
 ## Hosts
 
-| Host | Type | System | Version | Description |
-|------|------|--------|---------|-------------|
-| **rotterdam** | Desktop | x86_64-linux | NixOS Unstable | Primary workstation with gaming, development |
-| **io** | Laptop | x86_64-linux | NixOS Unstable | Mobile workstation |
-| **alexandria** | Server/NAS | x86_64-linux | NixOS 25.05 | Personal server running Nextcloud, Forgejo, Jellyfin, Vaultwarden |
-| **trantor** | VPS | aarch64-linux | NixOS 25.05 | Oracle Cloud instance |
+### Desktop Systems
+- **rotterdam** - Main desktop workstation (x86_64)
+  - Features: Desktop, AI tools, Bluetooth, Dev environment, Gaming, Virtualization (libvirtd), Podman
+  - Storage: Ephemeral root with LUKS encryption
 
-## Key Features
+- **io** - Laptop workstation (x86_64)
+  - Features: Desktop, AI tools, Bluetooth, Dev environment, Podman
+  - Storage: Ephemeral root with LUKS encryption
 
-### Architecture
-- **Tag-based module system** - Compose configurations using tags instead of traditional inheritance
-- **Flake-based** - Fully reproducible builds with locked dependencies
-- **Multi-platform** - Supports both x86_64 and aarch64 architectures
-- **Deployment automation** - Remote deployment via deploy-rs
+### Servers
+- **alexandria** - Home server (x86_64)
+  - Hosts: Nextcloud, Vaultwarden, Jellyfin, Kanidm
 
-### Desktop Experience
-- **Niri compositor** - Custom fork with auto-centering window columns
-- **Unified theming** - Stylix-based theming
-- **Wayland-native** - Full Wayland support
-- **Ephemeral root** - Impermanent filesystem using BTRFS for atomic rollback capability
+- **trantor** - Cloud server (aarch64)
+  - Hosts: Forgejo
+  - Cloud provider: Oracle Cloud Infrastructure
+  - Storage: Ephemeral root with btrfs
 
-### Self-Hosted Services
-- **Nextcloud** - Cloud storage with calendar, contacts, and notes
-- **Forgejo** - Self-hosted Git server
-- **Jellyfin** - Media streaming
-- **Vaultwarden** - Password manager backend
-- **LibreSpeed** - Network speed testing
-- All services behind Nginx and Tailscale with automatic SSL via Let's Encrypt
+## Home Manager Configurations
+
+- **user@rotterdam** - Full desktop setup with gaming, OBS, and complete development environment
+- **user@io** - Lightweight desktop setup
+
+Both configurations include:
+- btop, direnv, helix, starship, tmux
+- Stylix theme management
+- Fish shell with custom configurations
+
+## Terranix Configurations
+
+Infrastructure as code using Terranix (NixOS + Terraform/OpenTofu):
+
+- **oci-trantor** - Oracle Cloud Infrastructure provisioning for Trantor server
+- **cloudflare-baduhaidev** - DNS and CDN configuration for baduhai.dev domain
+- **tailscale-tailnet** - Tailscale network ACL and device management
+
+## Services
+
+All services are accessible via custom domains under baduhai.dev:
+
+- **Kanidm** (auth.baduhai.dev) - Identity and access management
+- **Vaultwarden** (pass.baduhai.dev) - Password manager
+- **Forgejo** (git.baduhai.dev) - Git forge (publicly accessible)
+- **Nextcloud** (cloud.baduhai.dev) - File sync and collaboration
+- **Jellyfin** (jellyfin.baduhai.dev) - Media server
+
+Services are accessible via:
+- LAN for alexandria-hosted services
+- Tailscale VPN for all services
+- Public internet for Forgejo only
+
+## Notable Features
+
+### Ephemeral Root
+Rotterdam, io, and trantor use an ephemeral root filesystem that resets on every boot:
+- Root filesystem is automatically rolled back using btrfs snapshots
+- Old snapshots retained for 30 days
+- Persistent data stored in dedicated subvolumes
+- Implements truly stateless systems
+
+### Custom DNS Architecture
+- Unbound DNS servers on both alexandria and trantor
+- Service routing based on visibility flags (public/LAN/Tailscale)
+- Split-horizon DNS for optimal access paths
 
 ### Security
-- **Agenix** - Encrypted secrets management
-- **Tailscale** - Zero-config VPN mesh network
-- **Firewall** - Configured on all hosts
-- SSH key-based authentication
+- LUKS full-disk encryption on desktop systems
+- Fail2ban on public-facing servers
+- agenix for secrets management
+- Tailscale for secure remote access
 
-## Repository Structure
+### Desktop Environment
+- Custom Niri window manager (Wayland compositor)
+- Using forked version with auto-centering feature
+- Stylix for consistent theming
 
-```
-.
-├── flake.nix                    # Main flake definition
-├── utils.nix                    # Tag-based module system utilities
-├── nixosConfigurations.nix      # Host definitions with tags
-├── homeConfigurations.nix       # User configurations
-├── deploy.nix                   # Remote deployment configuration
-├── hosts/
-│   ├── alexandria/              # Server-specific config
-│   ├── io/                      # Laptop-specific config
-│   ├── rotterdam/               # Desktop-specific config
-│   ├── trantor/                 # VPS-specific config
-│   └── modules/
-│       ├── common/              # Shared base configuration
-│       ├── desktop/             # Desktop environment setup
-│       ├── server/              # Server-specific modules
-│       └── [tag].nix            # Optional feature modules
-├── users/
-│   └── modules/                 # Home Manager configurations
-│       └── [tag].nix            # Optional feature modules
-├── packages/                    # Custom package definitions
-└── secrets/                     # Encrypted secrets (agenix)
-```
-
-## Tag System
-
-Configurations are composed using tags that map to modules:
-
-**Common Tags** (all hosts):
-- `common` - Base system configuration (automatically applied)
-
-**General Tags**:
-- `desktop` - *Mostly* full desktop environment with Niri WM
-- `dev` - Development tools and environments
-- `gaming` - Steam, Heroic, gamemode, controller support
-- `ephemeral` - Impermanent root filesystem
-- `networkmanager` - WiFi and network management
-- `libvirtd` - KVM/QEMU virtualization
-- `podman` - Container runtime
-- `bluetooth` - Bluetooth support
-- `fwupd` - Firmware update daemon
-
-**Server Tags**:
-- `server` - Server-specific configuration
-
-## Usage
-
-### Rebuilding a Configuration
-
-```bash
-# Local rebuild
-sudo nixos-rebuild switch --flake .#hostname
-
-# Remote deployment
-deploy .#hostname
-```
-
-### Updating Dependencies
-
-```bash
-nix flake update
-```
-
-### Adding a New Host
-
-1. Create host directory in `hosts/`
-2. Define configuration in `nixosConfigurations.nix` with appropriate tags
-3. Add deployment profile in `deploy.nix` if needed
-
-## Dependencies
-
-- [nixpkgs](https://github.com/NixOS/nixpkgs) - Stable (25.05) and unstable channels
-- [home-manager](https://github.com/nix-community/home-manager) - User configuration
-- [agenix](https://github.com/ryantm/agenix) - Secrets management
-- [disko](https://github.com/nix-community/disko) - Declarative disk partitioning
-- [stylix](https://github.com/danth/stylix) - System-wide theming
-- [niri-flake](https://github.com/sodiboo/niri-flake) - Wayland compositor (custom fork)
-- [impermanence](https://github.com/nix-community/impermanence) - Ephemeral filesystem support
-- [deploy-rs](https://github.com/serokell/deploy-rs) - Remote deployment
-- [nix-flatpak](https://github.com/gmodena/nix-flatpak) - Declarative Flatpak management
+### Development Setup
+- Nix flakes for reproducible builds
+- deploy-rs for automated deployments
+- Podman for containerization
+- Complete AI tooling integration

secrets/cloudflare.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 Kfdnog gEZvRtLBhGslmS97VaRqoucgExvOopsHAAne4lCmEEY
-NkIeFYuQFntDOBqd3k0/OVYMcM7h73uO0jPXaHzEcZc
--> ssh-ed25519 8YSAiw bVV4jIDbBKxsr6mQ4Tv0rP6ylrAEOJWkqjpyvXjnQRU
-6kUe5Syw7sd+aF2QEgr6Yj+fOPL5zSJN1PJvY9Kdhlg
--> ssh-ed25519 J6tVTA 4JMlJmhHAYUgjiWwB1Q278TSjJypwecALmfnosxan0s
-WIubcIFrjMV0GpyU1ZGc48YwrqOtSmJxweonw1KnR+U
---- 78A7re4LLB/0n5AXLRlVqiMNFMAQ2ZvjjK21YGRveRE
-ú_‘4pk
VCKmÈÊ#~kIô<49>8Em3ôkºp|Ó0^÷tSk<53>És¬/øÃõÎ…?= lÔ,„‚Ž<E2809A>ì²7âã~Í„¶cû{ãÈž¨AªÝ­ø‹Œ>Zã’Èl¬§—GTJs²GYŠ´—/Ëö/×B4ÃeŠÑ'óðIIÐãcÿ
,"‡<Ÿ
+-> ssh-ed25519 Kfdnog IHXv4c5we36dCUsB1v8uEF23tIRlDQ/8WR1hX4GQ+Uc
+Cwccw64BYBdSZUdkSqKESIU7E17cLNtiAZZ3Y1xV87A
+-> ssh-ed25519 8YSAiw Ce3vdMG111ubjcFgd3+q2Qw2+7dsoUz7SiudtuLDr0Y
+JUodwFsKfOTZXxFyRrEk/4gxJ4goPkwvYeThi893M0U
+-> ssh-ed25519 J6tVTA bExFuITTGXkTvhW25nushN7zT/PJGDoezsqu7fLKemI
+4a90v0F4wgcZeqWBQ/EpqOZ9OCgT7qruwVvlGZeFmN8
+-> ssh-ed25519 Qt3Q+A j1oo46pNh1+yPEtxpgj+QPQPf5m82jL0DHGMacY8UFA
+vy52Hl1WLTdKNA8+4p7A48Sg9+QkMXbECf/uxVMCLYk
+--- 429vzgFnmFbEqDMwdvC0/EYDJlKU64YEGgE0AqPqlBs
+č<E280BA>÷€b‰/!8Očô3Df®/ľŹ&kNQhuůr“t¤%&]ł˛ÎŐŇÖucÚjŮHĆ]Ż_łž¨ë5‚@D$<1C>>éN8Ϧ	>Ť9:®CvĐѦ69W'X·]X^çŰĆ»$Ť§}|cš÷ă/ž߸={ľuÉłs

secrets/secrets.nix

@@ -7,7 +7,7 @@ let
 
   alexandria = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA root@alexandria";
 
-  trantor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkGuGLZPnYJbCGY4BhJ9uTupp6ruuR1NZ7FEYEaLPA7 root@alexandria";
+  trantor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIh/2u5pr/iPVeavlsor5hbTtsgUfP1JpzZVco2YQAo3 root@trantor";
 in
 
 {
@@ -15,6 +15,7 @@ in
     io-user
     rotterdam-user
     alexandria
+    trantor
   ];
   "nextcloud-adminpass.age".publicKeys = [
     io-user
@@ -26,4 +27,9 @@ in
     rotterdam-user
     alexandria
   ];
+  "forgejo-root-password.age".publicKeys = [
+    io-user
+    rotterdam-user
+    trantor
+  ];
 }

shared/services.nix

@@ -0,0 +1,48 @@
+# Shared service definitions for cross-host configuration
+# Used by:
+# - alexandria: DNS server (LAN) + service hosting (vaultwarden, nextcloud, jellyfin, kanidm)
+# - trantor: DNS server (Tailnet) + service hosting (forgejo)
+{
+  services = [
+    {
+      name = "kanidm";
+      domain = "auth.baduhai.dev";
+      host = "alexandria";
+      lanIP = "192.168.15.142";
+      tailscaleIP = "100.76.19.50";
+      port = 8443;
+    }
+    {
+      name = "vaultwarden";
+      domain = "pass.baduhai.dev";
+      host = "alexandria";
+      lanIP = "192.168.15.142";
+      tailscaleIP = "100.76.19.50";
+      port = 8222;
+    }
+    {
+      name = "forgejo";
+      domain = "git.baduhai.dev";
+      host = "trantor";
+      public = true;
+      tailscaleIP = "100.108.5.90";
+      port = 3000;
+    }
+    {
+      name = "nextcloud";
+      domain = "cloud.baduhai.dev";
+      host = "alexandria";
+      lanIP = "192.168.15.142";
+      tailscaleIP = "100.76.19.50";
+      port = 443;
+    }
+    {
+      name = "jellyfin";
+      domain = "jellyfin.baduhai.dev";
+      host = "alexandria";
+      lanIP = "192.168.15.142";
+      tailscaleIP = "100.76.19.50";
+      port = 8096;
+    }
+  ];
+}

terranix/cloudflare/baduhai.dev.nix

@@ -0,0 +1,86 @@
+# Required environment variables:
+#   CLOUDFLARE_API_TOKEN - API token with "Edit zone DNS" permissions
+#   AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
+#   AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
+
+{ config, lib, ... }:
+
+let
+  inherit (import ../../shared/services.nix) services;
+
+  # Helper to extract subdomain from full domain (e.g., "git.baduhai.dev" -> "git")
+  getSubdomain = domain: lib.head (lib.splitString "." domain);
+
+  # Generate DNS records for services
+  # Public services point to trantor's public IP
+  # Private services point to their tailscale IP
+  mkServiceRecords = lib.listToAttrs (
+    lib.imap0 (
+      i: svc:
+      let
+        subdomain = getSubdomain svc.domain;
+        targetIP =
+          if svc.public or false then
+            config.data.terraform_remote_state.trantor "outputs.instance_public_ip"
+          else
+            svc.tailscaleIP;
+      in
+      {
+        name = "service_${toString i}";
+        value = {
+          zone_id = config.variable.zone_id.default;
+          name = subdomain;
+          type = "A";
+          content = targetIP;
+          proxied = false;
+          ttl = 3600;
+        };
+      }
+    ) services
+  );
+in
+
+{
+  terraform.required_providers.cloudflare = {
+    source = "cloudflare/cloudflare";
+    version = "~> 5.0";
+  };
+
+  terraform.backend.s3 = {
+    bucket = "terraform-state";
+    key = "cloudflare/baduhai.dev.tfstate";
+    region = "auto";
+    endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
+    skip_credentials_validation = true;
+    skip_metadata_api_check = true;
+    skip_region_validation = true;
+    skip_requesting_account_id = true;
+    use_path_style = true;
+  };
+
+  variable = {
+    zone_id = {
+      default = "c63a8332fdddc4a8e5612ddc54557044";
+      type = "string";
+    };
+  };
+
+  data = {
+    terraform_remote_state.trantor = {
+      backend = "s3";
+      config = {
+        bucket = "terraform-state";
+        key = "oci/trantor.tfstate";
+        region = "auto";
+        endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
+        skip_credentials_validation = true;
+        skip_metadata_api_check = true;
+        skip_region_validation = true;
+        skip_requesting_account_id = true;
+        use_path_style = true;
+      };
+    };
+  };
+
+  resource.cloudflare_dns_record = mkServiceRecords;
+}

terranix/oci/trantor.nix

@@ -1,3 +1,13 @@
+# Required environment variables:
+#   instead of OCI variables, ~/.oci/config may also be used
+#   OCI_TENANCY_OCID - Oracle tenancy OCID (or use TF_VAR_* to override variables)
+#   OCI_USER_OCID - Oracle user OCID
+#   OCI_FINGERPRINT - API key fingerprint
+#   OCI_PRIVATE_KEY_PATH - Path to OCI API private key
+#   AWS variables are required
+#   AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
+#   AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
+
 { config, ... }:
 
 {
@@ -43,6 +53,7 @@
 
     ssh_public_keys = {
       default = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
       ];
@@ -229,6 +240,7 @@
       threshold = 5;
       threshold_type = "PERCENTAGE";
       display_name = "daily-spend-alert";
+      recipients = "baduhai@proton.me";
       description = "Alert when daily spending exceeds $0.05";
       message = "Daily spending has exceeded $0.05 in the trantor compartment";
     };

terranix/tailscale/tailnet.nix

@@ -0,0 +1,43 @@
+# Required environment variables:
+#   TAILSCALE_API_KEY - Tailscale API key with appropriate permissions
+#   TAILSCALE_TAILNET - Your tailnet name (e.g., "user@example.com" or "example.org.github")
+#   AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
+#   AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
+
+{ config, ... }:
+
+{
+  terraform.required_providers.tailscale = {
+    source = "tailscale/tailscale";
+    version = "~> 0.17";
+  };
+
+  terraform.backend.s3 = {
+    bucket = "terraform-state";
+    key = "tailscale/tailnet.tfstate";
+    region = "auto";
+    endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
+    skip_credentials_validation = true;
+    skip_metadata_api_check = true;
+    skip_region_validation = true;
+    skip_requesting_account_id = true;
+    use_path_style = true;
+  };
+
+  variable = {
+    trantor_tailscale_ip = {
+      default = "100.108.5.90";
+      type = "string";
+    };
+  };
+
+  resource = {
+    tailscale_dns_nameservers.global = {
+      nameservers = [
+        config.variable.trantor_tailscale_ip.default
+        "1.1.1.1"
+        "1.0.0.1"
+      ];
+    };
+  };
+}

terranixConfigurations.nix

@@ -14,6 +14,14 @@
           modules = [ ./terranix/oci/trantor.nix ];
           terraformWrapper.package = pkgs.opentofu;
         };
+        cloudflare-baduhaidev = {
+          modules = [ ./terranix/cloudflare/baduhai.dev.nix ];
+          terraformWrapper.package = pkgs.opentofu;
+        };
+        tailscale-tailnet = {
+          modules = [ ./terranix/tailscale/tailnet.nix ];
+          terraformWrapper.package = pkgs.opentofu;
+        };
       };
     };
 }

users/modules/common/fish.nix

@@ -3,7 +3,10 @@
 {
   programs.fish = {
     enable = true;
-    interactiveShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source";
+    interactiveShellInit = ''
+      set fish_greeting
+      ${lib.getExe pkgs.nix-your-shell} fish | source
+    '';
     loginShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source";
     plugins = [
       {

users/modules/desktop/desktop.nix

@@ -1,15 +1,21 @@
 {
-  config,
   inputs,
   pkgs,
   ...
 }:
 
 {
+  imports = [ inputs.vicinae.homeManagerModules.default ];
+
   fonts.fontconfig.enable = true;
 
   home.packages = with pkgs; [ xwayland-satellite ];
 
+  services.vicinae = {
+    enable = true;
+    autoStart = true;
+  };
+
   programs = {
 
     ghostty = {
@@ -22,7 +28,7 @@
           url = "https://raw.githubusercontent.com/hackr-sh/ghostty-shaders/cb6eb4b0d1a3101c869c62e458b25a826f9dcde3/cursor_blaze.glsl";
           sha256 = "sha256:0g2lgqjdrn3c51glry7x2z30y7ml0y61arl5ykmf4yj0p85s5f41";
         }}";
-        bell-features = "border";
+        bell-features = "";
         gtk-titlebar-style = "tabs";
         keybind = [ "shift+enter=text:\\x1b\\r" ];
       };
@@ -41,33 +47,28 @@
       enable = true;
       defaultApplications = {
         "text/html" = [
-          "com.github.timecraft.junction.desktop"
+          "re.sonny.Junction.desktop"
           "zen-browser.desktop"
-          "brave-browser.desktop"
           "torbrowser.desktop"
         ];
         "x-scheme-handler/http" = [
-          "com.github.timecraft.junction.desktop"
+          "re.sonny.Junction.desktop"
           "zen-browser.desktop"
-          "brave-browser.desktop"
           "torbrowser.desktop"
         ];
         "x-scheme-handler/https" = [
-          "com.github.timecraft.junction.desktop"
+          "re.sonny.Junction.desktop"
           "zen-browser.desktop"
-          "brave-browser.desktop"
           "torbrowser.desktop"
         ];
         "x-scheme-handler/about" = [
-          "com.github.timecraft.junction.desktop"
+          "re.sonny.Junction.desktop"
           "zen-browser.desktop"
-          "brave-browser.desktop"
           "torbrowser.desktop"
         ];
         "x-scheme-handler/unknown" = [
-          "com.github.timecraft.junction.desktop"
+          "re.sonny.Junction.desktop"
           "zen-browser.desktop"
-          "brave-browser.desktop"
           "torbrowser.desktop"
         ];
         "image/jpeg" = "org.gnome.Loupe.desktop";

users/modules/desktop/niri.nix

@@ -8,25 +8,35 @@
 
 let
   isRotterdam = hostname == "rotterdam";
-  noctalia = "${lib.getExe inputs.noctalia.packages.${pkgs.system}.default}";
 in
 
 {
   imports = [ inputs.noctalia.homeModules.default ];
 
+  services.kanshi = {
+    enable = true;
+    settings = [
+      {
+        profile.name = "default";
+        profile.outputs = [
+          {
+            criteria = "*";
+            scale = 1.0;
+          }
+        ];
+      }
+    ];
+  };
+
   home = {
-    packages = with pkgs; [ xwayland-satellite ];
+    packages = with pkgs; [
+      xwayland-satellite
+      inputs.noctalia.packages.${pkgs.system}.default
+    ];
     sessionVariables.QT_QPA_PLATFORMTHEME = "gtk3";
   };
 
   xdg.configFile."niri/config.kdl".text = ''
-    output "eDP-1" {
-      scale 1.0
-    }
-    output "DP-3" {
-      scale 1.0
-    }
-
     input {
       keyboard {
         xkb {
@@ -83,23 +93,18 @@ in
         inactive-color "#505050"
         urgent-color "#9b0000"
       }
-        tab-indicator {
-          width 4
-          gap 4
-          place-within-column
-        }
-        ${lib.optionalString isRotterdam ''
-          struts {
-            left 8
-            right 8
-          }''}
+      tab-indicator {
+        width 4
+        gap 4
+        place-within-column
+      }
     }
 
     overview {
       zoom 0.65
     }
 
-    spawn-at-startup "${noctalia}"
+    spawn-at-startup "noctalia-shell" "-d"
     layer-rule {
       match namespace="^wallpaper$"
         place-within-backdrop true
@@ -135,18 +140,18 @@ in
     }
 
     binds {
-      Alt+Space { spawn "${noctalia}" "ipc" "call" "launcher" "toggle"; }
-      XF86AudioRaiseVolume allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "increase"; }
-      XF86AudioLowerVolume allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "decrease"; }
-      XF86AudioMute allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "muteOutput"; }
-      XF86MonBrightnessUp allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "brightness" "increase"; }
-      XF86MonBrightnessDown allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "brightness" "decrease"; }
+      Alt+Space repeat=false { spawn "vicinae" "toggle"; }
+      XF86AudioRaiseVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "increase"; }
+      XF86AudioLowerVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "decrease"; }
+      XF86AudioMute allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "muteOutput"; }
+      XF86MonBrightnessUp allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "increase"; }
+      XF86MonBrightnessDown allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "decrease"; }
       XF86AudioPlay        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "play-pause"; }
       XF86AudioStop        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "stop"; }
       XF86AudioPrev        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "previous"; }
       XF86AudioNext        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "next"; }
-      Mod+V { spawn "${noctalia}" "ipc" "call" "launcher" "clipboard"; }
-      Mod+Shift+L { spawn "${noctalia}" "ipc" "call" "lockScreen" "toggle"; }
+      Mod+V repeat=false { spawn "vicinae" "vicinae://extensions/vicinae/clipboard/history"; }
+      Mod+Shift+L repeat=false { spawn "noctalia-shell" "ipc" "call" "lockScreen" "lock"; }
       Mod+Return { spawn "ghostty"; }
       Ctrl+Alt+Shift+A allow-when-locked=true { spawn "toggleaudiosink"; }
       Mod+W repeat=false { toggle-overview; }
@@ -155,17 +160,13 @@ in
       Mod+Shift+Q { close-window; }
       Alt+F4 { close-window; }
       Mod+Left  { focus-column-left; }
-      Mod+Down  { focus-window-down; }
-      Mod+Up    { focus-window-up; }
+      Mod+Down  { focus-window-or-workspace-down; }
+      Mod+Up    { focus-window-or-workspace-up; }
       Mod+Right { focus-column-right; }
       Mod+H     { focus-column-left; }
       Mod+L     { focus-column-right; }
-      Mod+J     { focus-window-down; }
-      Mod+K     { focus-window-up; }
-      Ctrl+Alt+J    { focus-workspace-down; }
-      Ctrl+Alt+K    { focus-workspace-up; }
-      Ctrl+Alt+Down { focus-workspace-down; }
-      Ctrl+Alt+Up   { focus-workspace-up; }
+      Mod+J     { focus-window-or-workspace-down; }
+      Mod+K     { focus-window-or-workspace-up; }
       Mod+Ctrl+Left  { move-column-left; }
       Mod+Ctrl+Down  { move-window-down-or-to-workspace-down; }
       Mod+Ctrl+Up    { move-window-up-or-to-workspace-up; }
@@ -220,8 +221,8 @@ in
       Mod+Print { screenshot; }
       Ctrl+Print { screenshot-window; }
       Mod+Backspace allow-inhibiting=false { toggle-keyboard-shortcuts-inhibit; }
-      Mod+Alt+E { spawn "${noctalia}" "ipc" "call" "sessionMenu" "toggle"; }
-      Ctrl+Alt+Delete { spawn "${noctalia}" "ipc" "call" "sessionMenu" "toggle"; }
+      Mod+Alt+E { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; }
+      Ctrl+Alt+Delete { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; }
       Mod+Ctrl+P { power-off-monitors; }
     }
   '';

users/modules/stylix.nix

@@ -46,7 +46,7 @@
         name = "FiraCode Nerd Font";
       };
       emoji = {
-        package = pkgs.noto-fonts-emoji;
+        package = pkgs.noto-fonts-color-emoji;
         name = "Noto Color Emoji";
       };
       sizes = {

utils.nix

@@ -8,9 +8,14 @@ let
     home-manager
     agenix
     ;
+
+  # Import shared service definitions
+  sharedServices = import ./shared/services.nix;
 in
 
 {
+  # Re-export shared services for use in host configs
+  inherit (sharedServices) services;
   # Tag-based host configuration system
   mkHost =
     {
@@ -178,16 +183,41 @@ in
 
   # Nginx virtual host utilities
   mkNginxVHosts =
-    {
-      acmeHost,
-      domains,
-    }:
+    { domains }:
     let
-      commonVHostConfig = {
-        useACMEHost = acmeHost;
-        forceSSL = true;
-        kTLS = true;
-      };
+      # Extract domain name and apply it as useACMEHost
+      mkVHostConfig = domain: config:
+        lib.recursiveUpdate {
+          useACMEHost = domain;
+          forceSSL = true;
+          kTLS = true;
+        } config;
     in
-    lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) domains;
+    lib.mapAttrs mkVHostConfig domains;
+
+  # Split DNS utilities for unbound
+  # Generates unbound view config from a list of DNS entries
+  mkSplitDNS =
+    entries:
+    let
+      # Generate local-data entries for all domains
+      tailscaleData = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') entries;
+      lanData = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') entries;
+    in
+    [
+      # Single Tailscale view with all domains
+      {
+        name = "tailscale";
+        view-first = true;
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = tailscaleData;
+      }
+      # Single LAN view with all domains
+      {
+        name = "lan";
+        view-first = true;
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = lanData;
+      }
+    ];
 }