migrate remaining git.t-juice.club references to code.t-juice.club

Update flake inputs, MCP server URLs, and remove old GitHub Actions
workflows (will be replaced with new CI on Forgejo).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/actions-check.yaml

@@ -1,33 +0,0 @@
-name: Check actions
-on:
-  push:
-    paths:
-      - .github/workflows/*.yaml
-      - .github/workflows/*.yml
-  pull_request:
-    paths:
-      - .github/workflows/*.yaml
-      - .github/workflows/*.yml
-
-jobs:
-  check-actions-actionlint:
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/catthehacker/ubuntu:runner-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '1.23'
-      - run: |
-          go install github.com/rhysd/actionlint/cmd/actionlint@latest
-          actionlint .github/workflows/*.yaml
-  check-actions-yamllint:
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/catthehacker/ubuntu:runner-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v5
-      - run: |
-          pipx run yamllint .github/workflows/*.yaml

.github/workflows/flake-check.yaml

@@ -1,14 +0,0 @@
-name: Run nix flake check
-on:
-  push:
-  pull_request:
-
-jobs:
-  flake-check:
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/catthehacker/ubuntu:runner-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v27
-      - run: nix flake check

.github/workflows/flake-update.yaml

@@ -1,36 +0,0 @@
----
-name: Periodic flake update
-on:  # yamllint disable-line rule:truthy
-  schedule:
-    - cron: "0 */2 * * *"
-
-permissions:
-  contents: write
-
-jobs:
-  flake-update:
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/catthehacker/ubuntu:runner-latest
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          ref: master
-      - uses: cachix/install-nix-action@v27
-      - name: configure git
-        env:
-          SSH_PRIVKEY: ${{ secrets.BOT_SSH_PRIVKEY }}
-          SSH_PUBKEY: ${{ secrets.BOT_SSH_PUBKEY }}
-        run: |
-          echo "$SSH_PRIVKEY" > "$RUNNER_TEMP/id_ed25519"
-          echo "$SSH_PUBKEY" > "$RUNNER_TEMP/id_ed25519.pub"
-          chmod -R 0600 "$RUNNER_TEMP/id_ed25519.pub" "$RUNNER_TEMP/id_ed25519"
-          git config --global user.name 'torjus-bot'
-          git config --global user.email 'torjus-bot@git.t-juice.club'
-          git config --global user.signingKey "$RUNNER_TEMP/id_ed25519.pub"
-          git config --global gpg.format ssh
-          git config --global commit.gpgsign true
-      - name: flake update
-        run: nix flake update --commit-lock-file
-      - name: push
-        run: git push

.mcp.json

@@ -2,28 +2,28 @@
   "mcpServers": {
     "nixpkgs-options": {
       "command": "nix",
-      "args": ["run", "git+https://git.t-juice.club/torjus/labmcp#nixpkgs-search", "--", "options", "serve"],
+      "args": ["run", "git+https://code.t-juice.club/torjus/labmcp#nixpkgs-search", "--", "options", "serve"],
       "env": {
         "NIXPKGS_SEARCH_DATABASE": "sqlite:///run/user/1000/labmcp/nixpkgs-search.db"
       }
     },
     "nixpkgs-packages": {
       "command": "nix",
-      "args": ["run", "git+https://git.t-juice.club/torjus/labmcp#nixpkgs-search", "--", "packages", "serve"],
+      "args": ["run", "git+https://code.t-juice.club/torjus/labmcp#nixpkgs-search", "--", "packages", "serve"],
       "env": {
         "NIXPKGS_SEARCH_DATABASE": "sqlite:///run/user/1000/labmcp/nixpkgs-search.db"
       }
     },
     "hm-options": {
       "command": "nix",
-      "args": ["run", "git+https://git.t-juice.club/torjus/labmcp#hm-options", "--", "serve"],
+      "args": ["run", "git+https://code.t-juice.club/torjus/labmcp#hm-options", "--", "serve"],
       "env": {
         "HM_OPTIONS_DATABASE": "sqlite:///run/user/1000/labmcp/hm-options.db"
       }
     },
     "git-explorer": {
       "command": "nix",
-      "args": ["run", "git+https://git.t-juice.club/torjus/labmcp#git-explorer", "--", "serve"],
+      "args": ["run", "git+https://code.t-juice.club/torjus/labmcp#git-explorer", "--", "serve"],
       "env": {
         "GIT_REPO_PATH": "/home/torjus/git/nixos-servers"
       }

.sops.yaml

@@ -23,3 +23,4 @@ creation_rules:
       - age:
         - *admin_torjus
         - *server_magicman
+        - *server_gunter

CLAUDE.md

@@ -24,8 +24,8 @@ nix build .#nixosConfigurations.magicman.config.system.build.toplevel
 nix develop
 ```
 
-If config clearly only affects one host, bulding for just the relevant host is enough.
-Otherwise, build both.
+If config clearly only affects one host, building for just the relevant host is enough.
+Otherwise, build both. **Always ask before building gunter** — it takes a long time.
 
 If moving things around, you can use `nix eval` before and after changes to check that things remain the same.
 ```

docs/gunter-monitor-issues.md

@@ -7,9 +7,11 @@ Two of the four monitors on gunter (desktop) intermittently fail to work on star
 ## System Configuration
 
 - **GPU**: NVIDIA GeForce RTX 3080 Ti
-- **Driver**: NVIDIA open driver 590.48.01 (beta)
-- **Kernel**: 6.18.8
+- **Driver**: NVIDIA proprietary driver 590.48.01 (beta)
+- **Kernel**: 6.18.12
 - **Compositor**: Hyprland
+- **Open driver**: `false` (switched from open to proprietary 2026-02-21)
+- **Initrd nvidia modules**: None (removed 2026-03-03, was bloating initrd to 191MB)
 
 ### Monitor Setup
 
@@ -26,7 +28,7 @@ The GPU only has 3 DisplayPort outputs, so one Samsung monitor is connected to t
 
 ### Kernel Errors
 
-The following errors appear in the kernel log during boot (17-27 seconds after boot start):
+The following errors appear in the kernel log during boot:
 
 ```
 [drm:nv_drm_dev_load [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000100] Failed to add connector for NvKmsKapiDisplay 0x00000800
@@ -37,25 +39,44 @@ The following errors appear in the kernel log during boot (17-27 seconds after b
 
 ### Root Cause Analysis
 
-1. **MST timing issues** - The downstream Samsung monitor isn't ready when the driver tries to enumerate the daisy chain during boot
-2. **NVIDIA open driver MST bugs** - The open-source driver (`hardware.nvidia.open = true`) has historically had more MST issues than the proprietary one
-3. **Power sequencing** - The monitors may need more time to negotiate the MST link during cold boot
+1. **MST timing issues** - The downstream Samsung monitor isn't ready when the driver tries to enumerate the daisy chain during boot. The MST topology hasn't been negotiated yet when the driver first probes, regardless of how early or late it loads.
+2. **Power sequencing** - The monitors may need more time to negotiate the MST link during cold boot
 
-## Potential Solutions
+## Changes Made
 
-1. **Switch to proprietary driver** - Change `hardware.nvidia.open = false` in `hosts/gunter/configuration.nix`
+### 2026-02-21: Switch to proprietary driver + initrd loading
 
-2. **Add boot delay for nvidia-drm** - Add kernel parameter `nvidia-drm.load_on_init=0` to defer initialization
+**Change 1: `hardware.nvidia.open = false`** (previously `true`)
 
-3. **Try different nvidia module options** - Add to `boot.extraModprobeConfig`:
-   ```nix
-   options nvidia-drm modeset=1 fbdev=1
-   options nvidia NVreg_PreserveVideoMemoryAllocations=1
+With the open driver, boot produced 7 errors including flip event timeouts and kernel WARNING stack traces:
+```
+Failed to add connector for NvKmsKapiDisplay 0x00000800
+Failed to get dynamic displays
+Flip event timeout on head 0
+Flip event timeout on head 1
+Failed to add encoder for NvKmsKapiDisplay 0x00000001
+WARNING: CPU: 5 PID: 1169 at nvidia-drm/nvidia-drm-crtc.h:328 __nv_drm_handle_flip_event (x2)
 ```
 
-4. **Check monitor firmware** - Samsung LS27A600U monitors have had MST firmware updates
+With the proprietary driver, only the 2 MST enumeration errors remain. The flip timeouts and kernel warnings are gone. The driver handles the MST failure much more gracefully.
 
-5. **Reduce link rate during boot** - Lower refresh rate to 60Hz initially to reduce bandwidth requirements
+**Change 2: Load nvidia modules in initrd** (`boot.initrd.kernelModules`)
+
+Without initrd loading, the nvidia driver took ~22 seconds to initialize (11s to first error, 10 more to give up on dynamic displays). During this time monitors lost signal and went to sleep.
+
+With initrd loading, the driver loads and initializes in under 1 second. However, the same two MST errors still occur - the MST topology simply isn't ready yet regardless of timing.
+
+**Result**: Subjectively improved - monitors now typically recover after a single power cycle instead of requiring multiple attempts. The boot process is also faster with no 20+ second black screen hang.
+
+## Remaining Solutions to Try
+
+1. **Display rescan service** - Create a systemd service that triggers the nvidia driver to re-enumerate displays a few seconds after boot. This could auto-detect MST monitors without manual power cycling.
+
+2. **Remove `quiet splash`** from kernel params - Keeps console output active during boot, which maintains an active DP signal through the UEFI-to-kernel transition and may help keep the MST link alive.
+
+3. **Check monitor firmware** - Samsung LS27A600U monitors have had MST firmware updates. Updating could improve MST link negotiation reliability.
+
+4. **Reduce initial link rate** - Lower refresh rate to 60Hz initially to reduce DP bandwidth requirements during MST negotiation, potentially making link training more reliable.
 
 ## Useful Diagnostic Commands
 
@@ -98,7 +119,3 @@ done
 
 - `hosts/gunter/configuration.nix` - NVIDIA driver settings
 - `home/hosts/gunter/default.nix` - Hyprland monitor configuration
-
-## Date Investigated
-
-2025-02-06

docs/magicman-keyboard-luks.md

@@ -0,0 +1,156 @@
+# Magicman: PS/2 Keyboard Broken at LUKS Prompt After BIOS Update
+
+## Issue
+
+After updating the ThinkPad L14 Gen 4 (21H2S3US00) BIOS to version R24ET51W (1.34)
+via `fwupdmgr`, the built-in laptop keyboard no longer works during the LUKS disk
+encryption password prompt. An external USB keyboard must be used to unlock the disk.
+The laptop keyboard works normally after boot.
+
+## Machine Details
+
+- **Model**: Lenovo ThinkPad L14 Gen 4 (21H2S3US00)
+- **BIOS**: R24ET51W (1.34), dated 2025-10-31
+- **EC**: R24HT33W
+- **Date**: 2026-03-06
+
+### What fwupdmgr Installed
+
+- System Firmware: 0.1.12 → 0.1.34
+- UEFI dbx: 20230301 → 20250902
+- KEK CA: 2011 → 2023
+
+## Symptoms
+
+- Laptop keyboard does not respond at the LUKS password prompt (neither systemd nor scripted initrd)
+- USB keyboard works fine at the LUKS prompt
+- Laptop keyboard works immediately after boot (at greetd login)
+- Text typed on the laptop keyboard during LUKS prompt sometimes partially appears
+  at the greetd username field after boot, indicating the keyboard hardware IS generating
+  scancodes that get buffered and flushed later
+
+## Kernel Errors
+
+Every boot shows these errors from the atkbd driver:
+
+```
+atkbd serio0: Failed to deactivate keyboard on isa0060/serio0
+atkbd serio0: Failed to enable keyboard on isa0060/serio0
+input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input0
+atkbd serio0: Spurious ACK on isa0060/serio0. Some program might be trying to access hardware directly.
+```
+
+The keyboard device IS registered despite the errors, and the `kbd` input handler
+binds to it (`Handlers=sysrq kbd leds event6`).
+
+## Root Cause Analysis
+
+The BIOS update changed the PS/2 controller (i8042) initialization behavior. The atkbd
+driver sends a deactivate command (0xF5) during init, which likely succeeds at disabling
+the keyboard even though the ACK times out. The subsequent enable command (0xF4) also
+times out without re-enabling it. The keyboard stays disabled at the hardware level —
+it queues keypresses in its small internal buffer (~16 keys) but doesn't send scancodes
+to the host until something re-enables it during full boot. This is NOT a timing issue —
+leaving the system at the LUKS prompt for several minutes does not fix the keyboard.
+Something specific that happens later in the boot process (likely during switch-root
+when udev re-processes devices) re-enables the keyboard.
+
+## What Was Tried
+
+### Kernel Parameters (none helped)
+
+- `i8042.dumbkbd` — skip keyboard reset during i8042 probe
+- `i8042.nopnp` — don't use PNP to discover controllers
+- `i8042.reset` — force i8042 controller reset
+- `i8042.nomux` — don't probe for MUX
+- `atkbd.reset` — reset keyboard during atkbd init
+- `console=tty1` — explicitly route console I/O to tty1
+- Various combinations of the above
+
+### Initrd Module Loading
+
+- Added `i8042`, `atkbd`, `thinkpad_acpi` to `boot.initrd.kernelModules`
+- `thinkpad_acpi` loads the EC driver early, but didn't help
+
+### Initrd Services
+
+- Created `keyboard-reconnect` systemd service that runs before `systemd-cryptsetup@root.service`
+- Tried `echo reconnect > /sys/bus/serio/devices/serio0/drvctl` — reconnect also fails
+- Tried full module reload: `rmmod atkbd; rmmod i8042; sleep N; modprobe i8042; modprobe atkbd`
+  - Tested with sleep 2 and sleep 8
+  - The reload creates a new serio device (serio2) but initialization fails identically
+
+### Plymouth
+
+- Disabled Plymouth (`boot.plymouth.enable = false`) — no effect
+- Tested `plymouth.enable=0` on kernel command line — no effect
+- Confirmed password agent falls back to `systemd-tty-ask-password-agent` on `/dev/tty1`
+
+### Scripted Initrd
+
+- Switched from systemd initrd to scripted initrd (`boot.initrd.systemd.enable = false`)
+- Uses a completely different password prompt mechanism (shell `read`)
+- Same result — keyboard still doesn't work
+
+### BIOS
+
+- Checked BIOS settings — no relevant keyboard/PS/2 options available
+- `fwupdmgr get-updates` shows no newer BIOS version available
+
+## Planned Fix: TPM + Secure Boot Auto-Unlock
+
+### Approach
+
+Use TPM2-based LUKS unlock with Secure Boot to bypass the keyboard requirement entirely.
+
+- **lanzaboote** — replaces systemd-boot, produces signed Unified Kernel Images (UKIs)
+  that bundle kernel + initrd + cmdline into a single signed EFI binary
+- **Secure Boot** — ensures only signed code can boot, prevents tampering with boot chain
+- **TPM2 unlock** — `systemd-cryptenroll` binds LUKS key to TPM PCR 7 (Secure Boot policy)
+- **Passphrase kept as fallback** — if TPM/Secure Boot state changes, unlock with USB keyboard + password
+
+### Why PCR 7 Only
+
+Binding to PCR 7 alone means kernel/initrd updates (frequent on nixos-unstable) do NOT
+require re-enrollment. PCR 7 only changes when Secure Boot keys or policy change.
+
+Cmdline tampering is prevented by lanzaboote's UKI approach — the cmdline is embedded in
+the signed binary and cannot be edited at the bootloader.
+
+### Setup Steps
+
+1. Install `sbctl` and create Secure Boot signing keys
+2. Put BIOS into Secure Boot "Setup Mode" and enroll custom keys (include Microsoft keys for fwupd)
+3. Enable lanzaboote in NixOS config (replaces systemd-boot)
+4. Rebuild, verify Secure Boot works
+5. Enroll TPM with `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7`
+
+After setup, `nixos-rebuild switch/boot` works as usual — lanzaboote automatically signs
+each new generation.
+
+### Security Considerations
+
+**Protected against:**
+- Offline disk read (pull SSD, boot USB)
+- Boot chain tampering (unsigned code won't boot)
+- Cmdline editing (locked into signed UKI)
+
+**Remaining attack surface:**
+- Stolen while suspended — disk is decrypted in RAM, only screen lock protects.
+  Consider hibernate instead of suspend (hibernate locks LUKS since RAM is powered off).
+- Network services — system is fully running after boot, exposed services are reachable
+- DMA attacks via Thunderbolt/PCIe — mitigated by IOMMU (should be on by default)
+- Cold boot attacks — exotic, requires freezing RAM
+
+For a stolen-laptop scenario this is solid. The biggest practical risk is theft while
+the laptop is suspended.
+
+### Other Considered Alternatives
+
+- **BIOS update from Lenovo** fixing the PS/2 controller init sequence
+- **Kernel patch** to handle the failed enable more gracefully
+- **TPM + PIN** — not viable due to the same PS/2 keyboard issue at the PIN prompt
+
+## Current Workaround
+
+Use an external USB keyboard to enter the LUKS password at boot.

flake.lock

@@ -1,5 +1,23 @@
 {
   "nodes": {
+    "catppuccin": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1772983749,
+        "narHash": "sha256-IRC/YpTVMDr/lMmWMEc+JU4d+L9z3v38jZuj0jSLaW0=",
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "3594e4c94994515e0e32884dad20ca70ae88fc49",
+        "type": "github"
+      },
+      "original": {
+        "owner": "catppuccin",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
     "ghettoptt": {
       "inputs": {
         "nixpkgs": [
@@ -7,18 +25,18 @@
         ]
       },
       "locked": {
-        "lastModified": 1728602333,
-        "narHash": "sha256-sKbnng/g4ijuKcjShBi7oPxyUrCnMJDDy17U9W/TuMg=",
+        "lastModified": 1773164481,
+        "narHash": "sha256-pAHExVIUqQdnaKniNTdlxheQ/IOU3nTeEV/DRrCc8wg=",
         "ref": "master",
-        "rev": "84fcfdde62de9888d3af8bcb0d7134137b276b55",
-        "revCount": 23,
+        "rev": "bb7f415c08d6189514dce8c43d69eea6372f0528",
+        "revCount": 24,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/ghettoptt"
+        "url": "https://code.t-juice.club/torjus/ghettoptt"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/ghettoptt"
+        "url": "https://code.t-juice.club/torjus/ghettoptt"
       }
     },
     "home-manager": {
@@ -28,11 +46,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770818644,
-        "narHash": "sha256-DYS4jIRpRoKOzJjnR/QqEd/MlT4OZZpt8CrBLv+cjsE=",
+        "lastModified": 1772985285,
+        "narHash": "sha256-wEEmvfqJcl9J0wyMgMrj1TixOgInBW/6tLPhWGoZE3s=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0acbd1180697de56724821184ad2c3e6e7202cd7",
+        "rev": "5be5d8245cbc7bc0c09fbb5f38f23f223c543f85",
         "type": "github"
       },
       "original": {
@@ -51,18 +69,18 @@
         "uv2nix": "uv2nix"
       },
       "locked": {
-        "lastModified": 1757974387,
-        "narHash": "sha256-vVFZTB3NxJCH91aaAtop3MEZcilPQ273epV1gcnQE4s=",
+        "lastModified": 1773164725,
+        "narHash": "sha256-FNW+hOB6NCEpZt73FPiafLBPfwnSdTJeaGNCN3r+zEQ=",
         "ref": "master",
-        "rev": "b341e613337b87cef7a0f4ea05d677288cafa3fb",
-        "revCount": 33,
+        "rev": "e5226d3e32180eb59edae6c29053854dda82750c",
+        "revCount": 34,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/huecli"
+        "url": "https://code.t-juice.club/torjus/huecli"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/huecli"
+        "url": "https://code.t-juice.club/torjus/huecli"
       }
     },
     "natstonotify": {
@@ -72,18 +90,18 @@
         ]
       },
       "locked": {
-        "lastModified": 1739302828,
-        "narHash": "sha256-D6l5tAh1FDpdz9/tQC7kYhFPQzqI1HICwNh7fRejfrw=",
+        "lastModified": 1773164311,
+        "narHash": "sha256-HRR4TBCGp5okWW2eV6vUTYAhUR7I+MNADtlOaIe8fec=",
         "ref": "master",
-        "rev": "bfcf518fe0b2fe19075667f7b22227376d102509",
-        "revCount": 7,
+        "rev": "7e784076242f4bbcf63a35c14ea752bf7a285d8a",
+        "revCount": 8,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/natstonotify"
+        "url": "https://code.t-juice.club/torjus/natstonotify"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/natstonotify"
+        "url": "https://code.t-juice.club/torjus/natstonotify"
       }
     },
     "nix-packages": {
@@ -93,31 +111,31 @@
         ]
       },
       "locked": {
-        "lastModified": 1757017925,
-        "narHash": "sha256-QC1SkvyU5nQ32lju2GYK9ozuh/JYWXfWK/T7OC6dVls=",
+        "lastModified": 1773106737,
+        "narHash": "sha256-/XL6Dn+SehMGlXvuKubNMcTk4iq2J75Z5cVO+HkIfDY=",
         "ref": "master",
-        "rev": "7723cb45020e1f561f527779540faa5901d34e4d",
-        "revCount": 31,
+        "rev": "295b0bf12ec1849564bdaa8fc2cd0f19af1a2715",
+        "revCount": 47,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/nix-packages"
+        "url": "https://code.t-juice.club/torjus/nix-packages"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/nix-packages"
+        "url": "https://code.t-juice.club/torjus/nix-packages"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1770562336,
-        "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
-        "owner": "nixos",
+        "lastModified": 1772773019,
+        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
+        "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
+        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
         "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
@@ -139,6 +157,22 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1772773019,
+        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixprstatus": {
       "inputs": {
         "nixpkgs": [
@@ -149,18 +183,18 @@
         "uv2nix": "uv2nix_2"
       },
       "locked": {
-        "lastModified": 1767871861,
-        "narHash": "sha256-Oh0Y9bTvvMm3JQH/C/8XLCeemgvMDbIgFh1NSYFyINY=",
+        "lastModified": 1773164966,
+        "narHash": "sha256-uwkLjHH6BmNzcF791y9ceUcfZtRu/v0+61d4/TbGLxY=",
         "ref": "master",
-        "rev": "b4e3e6de659bf8c96b84dd47249c71b357dd50c2",
-        "revCount": 62,
+        "rev": "61c04a87f944cfc93b9f3f2904991c41664e28c5",
+        "revCount": 63,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/nixprstatus"
+        "url": "https://code.t-juice.club/torjus/nixprstatus"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/nixprstatus"
+        "url": "https://code.t-juice.club/torjus/nixprstatus"
       }
     },
     "pyproject-build-systems": {
@@ -265,12 +299,13 @@
     },
     "root": {
       "inputs": {
+        "catppuccin": "catppuccin",
         "ghettoptt": "ghettoptt",
         "home-manager": "home-manager",
         "huecli": "huecli",
         "natstonotify": "natstonotify",
         "nix-packages": "nix-packages",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-stable": "nixpkgs-stable",
         "nixprstatus": "nixprstatus",
         "sops-nix": "sops-nix"
@@ -283,11 +318,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770683991,
-        "narHash": "sha256-xVfPvXDf9QN3Eh9dV+Lw6IkWG42KSuQ1u2260HKvpnc=",
+        "lastModified": 1772944399,
+        "narHash": "sha256-xTzsSd3r5HBeufSZ3fszAn0ldfKctvsYG7tT2YJg5gY=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8b89f44c2cc4581e402111d928869fe7ba9f7033",
+        "rev": "c8e69670b316d6788e435a3aa0bda74eb1b82cc0",
         "type": "github"
       },
       "original": {

flake.nix

@@ -13,25 +13,28 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     ghettoptt = {
-      url = "git+https://git.t-juice.club/torjus/ghettoptt?ref=master";
+      url = "git+https://code.t-juice.club/torjus/ghettoptt?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     huecli = {
-      url = "git+https://git.t-juice.club/torjus/huecli?ref=master";
+      url = "git+https://code.t-juice.club/torjus/huecli?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nix-packages = {
-      url = "git+https://git.t-juice.club/torjus/nix-packages?ref=master";
+      url = "git+https://code.t-juice.club/torjus/nix-packages?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nixprstatus = {
-      url = "git+https://git.t-juice.club/torjus/nixprstatus?ref=master";
+      url = "git+https://code.t-juice.club/torjus/nixprstatus?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     natstonotify = {
-      url = "git+https://git.t-juice.club/torjus/natstonotify?ref=master";
+      url = "git+https://code.t-juice.club/torjus/natstonotify?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    catppuccin = {
+      url = "github:catppuccin/nix";
+    };
   };
 
   outputs =
@@ -45,6 +48,7 @@
       huecli,
       natstonotify,
       nix-packages,
+      catppuccin,
       ...
     }@inputs:
     let

home/editor/neovim/default.nix

@@ -16,17 +16,21 @@
         cmp_luasnip
         copilot-cmp
         copilot-lua
-        lsp-zero-nvim
+        gitsigns-nvim
+        indent-blankline-nvim
         lualine-nvim
         luasnip
         nvim-cmp
         nvim-lspconfig
         plenary-nvim
         telescope-nvim
+        telescope-fzf-native-nvim
+        todo-comments-nvim
+        trouble-nvim
         undotree
         vim-floaterm
-        vim-fugitive
         vim-sleuth
+        which-key-nvim
         (nvim-treesitter.withPlugins (p: [
           p.tree-sitter-yaml
           p.tree-sitter-nix
@@ -57,7 +61,7 @@
 
     # LSPs
     gopls
-    pyright
+    basedpyright
     nodePackages.typescript-language-server
     nodePackages.typescript
     nil

home/editor/neovim/keybinds.lua

@@ -1,32 +1,57 @@
 -- Keybinds
-vim.keymap.set("n", "<Leader>ds", vim.diagnostic.open_float, { desc = "Show diagnostic" })
+
+-- Diagnostics
+vim.keymap.set("n", "<leader>ds", vim.diagnostic.open_float, { desc = "Show diagnostic" })
+vim.keymap.set("n", "<leader>dd", '<cmd>Trouble diagnostics toggle<CR>', { desc = "Diagnostics list" })
+vim.keymap.set("n", "<leader>db", '<cmd>Trouble diagnostics toggle filter.buf=0<CR>', { desc = "Buffer diagnostics" })
 
 -- Term
-vim.g.floaterm_keymap_toggle = '<leader>ft'
+vim.g.floaterm_keymap_toggle = '<leader>T'
 
 -- Tabs
-vim.keymap.set('n', '<leader>n', ':tabnew<CR>',
-	{ silent = true, desc = '[N]ew tab' })
-vim.keymap.set('n', '<leader>p', ':tabnext<CR>',
-	{ silent = true, desc = '[p]Next tab' })
-vim.keymap.set('n', '<leader>P', ':tabprev<CR>',
-	{ silent = true, desc = '[P]Previous tab' })
+vim.keymap.set('n', '<leader>tn', ':tabnew<CR>',
+	{ silent = true, desc = 'New tab' })
+vim.keymap.set('n', '<leader>tp', ':tabnext<CR>',
+	{ silent = true, desc = 'Next tab' })
+vim.keymap.set('n', '<leader>tP', ':tabprev<CR>',
+	{ silent = true, desc = 'Previous tab' })
 
 -- Telescope
 vim.keymap.set('n', '<leader>?', require('telescope.builtin').oldfiles,
-	{ desc = '[?] FInd recently opened files' })
+	{ desc = 'Find recently opened files' })
 vim.keymap.set('n', '<leader>ff', require('telescope.builtin').find_files,
-	{ desc = '[F]ind [F]iles' })
-vim.keymap.set('n', '<leader>ff', require('telescope.builtin').find_files,
-	{ desc = '[F]ind [F]iles' })
+	{ desc = 'Find files' })
 vim.keymap.set('n', '<leader>fg', require('telescope.builtin').live_grep,
-	{ desc = '[F]ind by [G]rep' })
+	{ desc = 'Find by grep' })
+vim.keymap.set('n', '<leader>fb', require('telescope.builtin').buffers,
+	{ desc = 'Find buffers' })
+vim.keymap.set('n', '<leader>fd', require('telescope.builtin').diagnostics,
+	{ desc = 'Find diagnostics' })
+vim.keymap.set('n', '<leader>fw', require('telescope.builtin').grep_string,
+	{ desc = 'Find word under cursor' })
 
--- Tabs
-vim.keymap.set('n', '<leader>tt', ':tabnew<cr>')
-vim.keymap.set('n', '<leader>tn', ':tabnext<cr>')
-vim.keymap.set('n', '<leader>tp', ':tabprevious<cr>')
+-- Undotree
+vim.keymap.set('n', '<leader>u', vim.cmd.UndotreeToggle,
+	{ desc = 'Toggle undotree' })
+
+-- Gitsigns
+local gs = require('gitsigns')
+vim.keymap.set('n', ']h', gs.next_hunk, { desc = 'Next git hunk' })
+vim.keymap.set('n', '[h', gs.prev_hunk, { desc = 'Previous git hunk' })
+vim.keymap.set('n', '<leader>gs', gs.stage_hunk, { desc = 'Stage hunk' })
+vim.keymap.set('n', '<leader>gr', gs.reset_hunk, { desc = 'Reset hunk' })
+vim.keymap.set('n', '<leader>gS', gs.stage_buffer, { desc = 'Stage buffer' })
+vim.keymap.set('n', '<leader>gR', gs.reset_buffer, { desc = 'Reset buffer' })
+vim.keymap.set('n', '<leader>gp', gs.preview_hunk, { desc = 'Preview hunk' })
+vim.keymap.set('n', '<leader>gb', gs.blame_line, { desc = 'Blame line' })
+
+-- Todo comments
+vim.keymap.set('n', ']t', function() require('todo-comments').jump_next() end, { desc = 'Next todo comment' })
+vim.keymap.set('n', '[t', function() require('todo-comments').jump_prev() end, { desc = 'Previous todo comment' })
+vim.keymap.set('n', '<leader>ft', '<cmd>TodoTelescope<CR>', { desc = 'Find TODOs' })
 
 -- LSP
-vim.keymap.set('n', 'gD', vim.lsp.buf.declaration)
-vim.keymap.set('n', 'gd', vim.lsp.buf.definition)
+vim.keymap.set('n', '<leader>lr', vim.lsp.buf.rename, { desc = 'Rename' })
+vim.keymap.set('n', '<leader>la', vim.lsp.buf.code_action, { desc = 'Code action' })
+vim.keymap.set('n', '<leader>lf', function() vim.lsp.buf.format({ async = false }) end,
+	{ desc = 'Format' })

home/editor/neovim/plugins.lua

@@ -1,25 +1,13 @@
 -- Plugins
 
--- LSP stuff
-local lsp_zero = require('lsp-zero')
-
-
-lsp_zero.on_attach(function(_, bufnr)
-	lsp_zero.default_keymaps({ buffer = bufnr })
-end)
-
-lsp_zero.format_on_save({
-	format_opts = {
-		async = false,
-		timeout_ms = 10000,
-	},
-	servers = {
-		['gopls'] = { 'go' },
-		['nil_ls'] = { 'nix' },
-		['lua_ls'] = { 'lua' },
-		['ts_ls'] = { 'typescript', 'javascript', 'typescriptreact' },
-	},
+-- Format on save for nix, lua, ts/js
+vim.api.nvim_create_autocmd("BufWritePre", {
+	pattern = { "*.nix", "*.lua", "*.ts", "*.tsx", "*.js" },
+	callback = function()
+		vim.lsp.buf.format({ async = false, timeout_ms = 10000 })
+	end,
 })
+
 -- LSP: go
 vim.lsp.config("gopls", {
 	settings = {
@@ -158,14 +146,12 @@ vim.api.nvim_create_autocmd("LspAttach", {
 	desc = 'LSP: Disable hover capability from Ruff',
 })
 
--- Pyright
-vim.lsp.config("pyright", {
+-- Basedpyright
+vim.lsp.config("basedpyright", {
 	settings = {
-		pyright = {
+		basedpyright = {
 			-- Using Ruff's import organizer
 			disableOrganizeImports = true,
-		},
-		python = {
 			analysis = {
 				-- Ignore all files for analysis to exclusively use Ruff for linting
 				ignore = { '*' },
@@ -173,7 +159,10 @@ vim.lsp.config("pyright", {
 		},
 	},
 })
-vim.lsp.enable({ "pyright" })
+vim.lsp.enable({ "basedpyright" })
+
+-- Gitsigns
+require('gitsigns').setup()
 
 -- Telescope
 require('telescope').setup({
@@ -186,8 +175,9 @@ require('telescope').setup({
 		}
 	},
 })
+require('telescope').load_extension('fzf')
 
--- Tresitter stuff
+-- Treesitter
 require('nvim-treesitter').setup {
 	ensure_installed = {},
 	auto_install = false,
@@ -262,12 +252,12 @@ require('copilot_cmp').setup()
 
 -- Cmp
 local cmp = require('cmp')
-local cmp_action = lsp_zero.cmp_action()
+local luasnip = require('luasnip')
 
 cmp.setup({
 	snippet = {
 		expand = function(args)
-			require('luasnip').lsp_expand(args.body)
+			luasnip.lsp_expand(args.body)
 		end,
 	},
 	mapping = cmp.mapping.preset.insert({
@@ -275,9 +265,25 @@ cmp.setup({
 		['<CR>'] = cmp.mapping.confirm({ select = false }),
 		-- Ctrl+Space to open completion menu
 		['<C-Space>'] = cmp.mapping.complete(),
-		-- Move between snippet placeholders
-		['<C-f>'] = cmp_action.luasnip_jump_forward(),
-		['<C-b>'] = cmp_action.luasnip_jump_backward(),
+		-- Tab to select next item or jump in snippet
+		['<Tab>'] = cmp.mapping(function(fallback)
+			if cmp.visible() then
+				cmp.select_next_item()
+			elseif luasnip.expand_or_jumpable() then
+				luasnip.expand_or_jump()
+			else
+				fallback()
+			end
+		end, { 'i', 's' }),
+		['<S-Tab>'] = cmp.mapping(function(fallback)
+			if cmp.visible() then
+				cmp.select_prev_item()
+			elseif luasnip.jumpable(-1) then
+				luasnip.jump(-1)
+			else
+				fallback()
+			end
+		end, { 'i', 's' }),
 		-- Scroll in completion docs
 		['<C-k>'] = cmp.mapping.scroll_docs(-4),
 		['<C-j>'] = cmp.mapping.scroll_docs(4),
@@ -292,6 +298,29 @@ cmp.setup({
 })
 
 
+-- Indent blankline
+require('ibl').setup()
+
+-- Trouble
+require('trouble').setup({
+	icons = false,
+})
+
+-- Todo comments
+require('todo-comments').setup({
+	signs = false,
+})
+
+-- Which-key
+require('which-key').setup()
+require('which-key').add({
+	{ "<leader>d", group = "Diagnostics" },
+	{ "<leader>f", group = "Find" },
+	{ "<leader>g", group = "Git" },
+	{ "<leader>l", group = "LSP" },
+	{ "<leader>t", group = "Tabs" },
+})
+
 -- Colorscheme
 require('catppuccin').setup {
 }

home/hosts/gunter/default.nix

@@ -17,17 +17,20 @@
       {
         imports = [
           inputs.sops-nix.homeManagerModules.sops
+          inputs.catppuccin.homeModules.catppuccin
           ../../editor/neovim
           ../../hyprland
           ../../packages
           ../../programs/dunst
           ../../programs/git
+          ../../programs/gtk
           ../../programs/firefox
           ../../programs/kitty
           ../../programs/obs-studio
           ../../programs/rofi
           ../../programs/streamcontroller
           ../../programs/tmux
+          ../../programs/claude-code
           ../../programs/vscode
           ../../scripts
           ../../services/backup-home.nix
@@ -107,6 +110,8 @@
         };
         programs.home-manager.enable = true;
 
+        services.dunst.settings.global.monitor = "DP-1";
+
         # Custom options
         torjus.home.obs = {
           enable = true;

home/hosts/magicman/default.nix

@@ -17,17 +17,19 @@
       {
         imports = [
           inputs.sops-nix.homeManagerModules.sops
+          inputs.catppuccin.homeModules.catppuccin
           ../../sops
           ../../services/labmcp.nix
           ../../editor/neovim
+          ../../programs/claude-code
           ../../programs/firefox
           ../../programs/tmux
           ../../programs/dunst
           ../../programs/kitty
+          ../../programs/gtk
           ../../programs/rofi
           ../../programs/obs-studio
           ../../programs/vscode
-          ../../programs/pywal
           ../../scripts
           ../../scripts/batlvl.nix
           ../../zsh
@@ -39,6 +41,11 @@
         tmux.enable = true;
         hyprland.enable = true;
         hyprland.monitors = [ "eDP-1,1920x1080@60,0x0,1" ];
+        wayland.windowManager.hyprland.settings = {
+          input.touchpad = {
+            natural_scroll = false;
+          };
+        };
         hyprland.extraKeybinds = [
           # Workspace keybinds
           "$mainMod,1,workspace,1"
@@ -59,6 +66,7 @@
           homeDirectory = "/home/${user}";
           stateVersion = "23.11";
         };
+        services.dunst.settings.global.monitor = "eDP-1";
         torjus.home.obs.enable = true;
         programs.home-manager.enable = true;
       };

home/hyprland/cursor.nix

@@ -9,5 +9,4 @@
     size = 32;
   };
 
-  gtk.enable = true;
 }

home/hyprland/default.nix

@@ -73,7 +73,6 @@ in
       [
         dunst
         hyprpaper
-        rofi
         slurp
         swww
         waybar
@@ -183,7 +182,10 @@ in
           name = "wacom-one-by-wacom-m-pen";
         };
 
-        cursor = optionalAttrs cfg.cursorNoHardware {
+        cursor = {
+          hide_on_key_press = true;
+        }
+        // optionalAttrs cfg.cursorNoHardware {
           no_hardware_cursors = true;
         };
 
@@ -204,6 +206,7 @@ in
           gaps_out = 10;
           border_size = 2;
           layout = "dwindle";
+          resize_on_border = true;
         };
 
         animations = {
@@ -233,10 +236,14 @@ in
         misc = {
           force_default_wallpaper = 0;
           disable_hyprland_logo = true;
+          disable_splash_rendering = true;
+          key_press_enables_dpms = true;
+          mouse_move_enables_dpms = true;
         };
 
         ecosystem = {
           no_update_news = true;
+          no_donation_nag = true;
         };
 
         windowrule = [
@@ -261,8 +268,9 @@ in
           # term
           "$mainMod,Return,exec,$term"
           # rofi
-          "$mainMod,D,exec,rofi-launcher"
+          "$mainMod,D,exec,rofi -show drun"
           "$mainMod,P,exec,rofi-rbw"
+          "$mainMod,E,exec,rofi -show emoji"
           # hyprlock
           "$shiftMainMod,l,exec,${pkgs.hyprlock}/bin/hyprlock"
           # hyprland

home/hyprland/waybar/default.nix

@@ -24,15 +24,9 @@ in
   sops.secrets."radarr_base_url" = { };
   sops.secrets."radarr_api_key" = { };
 
-  xdg.configFile."waybar/macchiato.css" = {
-    source =
-      pkgs.fetchFromGitHub {
-        owner = "catppuccin";
-        repo = "waybar";
-        rev = "f74ab1eecf2dcaf22569b396eed53b2b2fbe8aff";
-        sha256 = "WLJMA2X20E5PCPg0ZPtSop0bfmu+pLImP9t8A8V4QK8=";
-      }
-      + "/themes/macchiato.css";
+  catppuccin.waybar = {
+    enable = true;
+    flavor = "macchiato";
   };
 
   programs.waybar = {
@@ -42,7 +36,6 @@ in
       target = "graphical-session.target";
     };
     style = ''
-      @import "macchiato.css";
       * {
         border: none;
         font-family: "JetbrainsMono Nerd Font";
@@ -137,6 +130,7 @@ in
       #pulseaudio,
       #network,
       #battery,
+      #disk,
       #custom-powermenu,
       #custom-arrhist {
         padding-left: 12px;
@@ -164,6 +158,7 @@ in
             (lib.mkIf (withArrhist) "custom/arrhist")
             "pulseaudio"
             "pulseaudio#microphone"
+            "disk"
             "memory"
             "cpu"
             (lib.mkIf (withBattery) "battery")
@@ -217,6 +212,15 @@ in
             "interval" = 3;
             "format" = " {usage}%";
           };
+          "disk" = {
+            "interval" = 30;
+            "format" = "󰋊 {percentage_used}%";
+            "path" = "/";
+            "tooltip-format" = "{used} / {total}";
+            "states" = {
+              "warning" = 85;
+            };
+          };
           "tray" = {
             "icon-size" = 15;
             "spacing" = 6;

home/packages/default.nix

@@ -13,7 +13,6 @@ in
     bat
     bzip2
     chromium
-    claude-code-bin
     croc
     devenv
     distrobox
@@ -31,6 +30,7 @@ in
     kubectl
     lazygit
     lf
+    mdcat
     ncdu
     nvd
     nurl
@@ -57,7 +57,6 @@ in
     alacritty
     discord
     feh
-    krita
     mpv
     mumble
     pamixer
@@ -99,6 +98,7 @@ in
     rust-analyzer
 
     # Homemade shit
+    forgejo-mcp
     ghettoptt
     huecli
     nixprstatus
@@ -116,7 +116,7 @@ in
     (lutris.override {
       extraLibraries = pkgs: [
         nspr
-        xorg.libXdamage
+        libxdamage
       ];
     })
   ];

home/programs/claude-code/agents/docs-verifier.md

@@ -0,0 +1,72 @@
+---
+name: docs-verifier
+description: Verifies documentation accuracy against current codebase state. Use when you need to check if documentation is still correct and get recommendations for updates.
+tools: Read, Grep, Glob
+---
+
+You are a documentation verification agent. Your task is to verify that documentation accurately reflects the current state of the codebase.
+
+## Input
+
+You will receive a path to a documentation file. Your job is to:
+
+1. **Read and understand the documentation** - Parse the document to understand what it claims about the codebase (commands, file paths, configurations, architecture, etc.)
+
+2. **Verify each claim** - For each verifiable claim in the documentation:
+   - Find the relevant source files, configurations, or scripts
+   - Check if the documented behavior/structure still matches reality
+   - Note any discrepancies
+
+3. **Analyze discrepancies** - For each discrepancy found, determine the likely cause:
+   - Code changed and docs weren't updated
+   - Documentation was aspirational/planned but not implemented
+   - The documented feature was removed or deprecated
+   - The documented item is dynamic/frequently changing
+
+## Output
+
+Provide a structured report with the following sections:
+
+### Summary
+One paragraph overview of the documentation's accuracy status.
+
+### Verified Claims
+List claims that were verified as correct (brief, can be grouped).
+
+### Discrepancies Found
+For each discrepancy:
+- **Location**: Where in the documentation
+- **Claim**: What the documentation says
+- **Reality**: What the current state actually is
+- **Evidence**: File paths and relevant snippets showing the discrepancy
+
+### Recommendations
+For each discrepancy, recommend ONE of:
+
+1. **Update documentation** - When the code change is intentional and the docs are simply stale
+   - Provide the specific changes needed
+
+2. **Update code** - When the documentation describes the correct/intended behavior and the code has regressed or drifted
+   - Explain what code changes would be needed
+
+3. **Add volatility notice** - When the documented item is inherently dynamic (version numbers, generated values, frequently changing configs)
+   - Suggest wording like "This value may change" or recommend removing the specific value
+
+4. **Remove documentation** - When the documented feature no longer exists and shouldn't be restored
+   - Explain why removal is appropriate
+
+### Priority
+Rate the overall urgency: **Critical** / **High** / **Medium** / **Low** / **None**
+- Critical: Documentation actively misleads users into breaking things
+- High: Major features are incorrectly documented
+- Medium: Minor inaccuracies that could cause confusion
+- Low: Cosmetic issues or very minor discrepancies
+- None: Documentation is accurate
+
+## Guidelines
+
+- Be thorough but efficient - verify claims that matter, don't get stuck on trivialities
+- When searching for related files, use glob patterns and grep effectively
+- Quote specific file paths and line numbers as evidence
+- Keep the report concise and actionable
+- Focus on factual accuracy, not style or formatting suggestions

home/programs/claude-code/agents/security-reviewer.md

@@ -0,0 +1,52 @@
+---
+name: security-reviewer
+description: Security expert that reviews code for vulnerabilities, API key exposure, and security best practices. Use proactively after code changes to identify security issues.
+tools: Read, Grep, Glob, Bash
+---
+
+You are a security-focused code reviewer specializing in vulnerability detection.
+
+When reviewing code, if you are analyzing the master branch. You should review all code.
+
+If working on a feature branch, only review the changes in that branch. Keep responses short and to the point.
+
+When reviewing code, analyze for:
+
+## Common Vulnerabilities
+- Injection attacks (SQL, command, XPath, LDAP)
+- Cross-site scripting (XSS)
+- Cross-site request forgery (CSRF)
+- Insecure deserialization
+- Broken authentication/authorization
+
+## Secrets and Credentials
+- Hardcoded API keys, tokens, or passwords
+- Credentials in configuration files
+- Secrets committed to version control
+- Insecure credential storage
+
+## Input Handling
+- Missing input validation
+- Insufficient sanitization
+- Buffer overflows
+- Path traversal vulnerabilities
+
+## Cryptography
+- Weak hashing algorithms (MD5, SHA1 for security purposes)
+- Insecure random number generation
+- Improper key management
+- Missing encryption for sensitive data
+
+## Other Concerns
+- Overly permissive file/directory permissions
+- Privilege escalation risks
+- Insecure dependencies
+- Information disclosure in error messages
+- Race conditions
+
+For each issue found, provide:
+- **Severity**: Critical / High / Medium / Low
+- **Location**: File and line number
+- **Issue**: Clear explanation of the vulnerability
+- **Impact**: What an attacker could achieve
+- **Fix**: Recommended remediation with code example if applicable

home/programs/claude-code/default.nix

@@ -0,0 +1,81 @@
+{ pkgs, config, ... }:
+let
+  forgejo-mcp-wrapper = pkgs.writeShellScript "forgejo-mcp-wrapper" ''
+    export FORGEJO_ACCESS_TOKEN="$(cat ${config.sops.secrets.forgejo_access_token.path})"
+    exec forgejo-mcp --transport stdio --url https://code.t-juice.club
+  '';
+in
+{
+  sops.secrets."forgejo_access_token" = { };
+
+  programs.claude-code = {
+    enable = true;
+    package = pkgs.claude-code-bin;
+
+    agents = {
+      docs-verifier = ./agents/docs-verifier.md;
+      security-reviewer = ./agents/security-reviewer.md;
+    };
+
+    skills = {
+      pr = ./skills/pr;
+    };
+
+    mcpServers = {
+      forgejo = {
+        type = "stdio";
+        command = "${forgejo-mcp-wrapper}";
+      };
+    };
+
+    settings = {
+      model = "opus";
+      enabledPlugins = {
+        "gopls-lsp@claude-plugins-official" = true;
+      };
+      env = {
+        DISABLE_AUTOUPDATER = "1";
+      };
+      permissions = {
+        allow = [
+          "Bash(git diff:*)"
+          "Bash(git log:*)"
+          "Bash(git branch:*)"
+          "Bash(git commit:*)"
+          "Bash(git status:*)"
+          "Bash(git add:*)"
+          "Bash(nix build:*)"
+          "Bash(nix fmt:*)"
+          "Bash(nix flake check:*)"
+          "Bash(nix flake show:*)"
+          "Bash(nix eval:*)"
+          "Bash(nvd diff:*)"
+        ];
+        deny = [
+          "Read(*.tfvars)"
+          "Read(**/*.tfvars)"
+          "Read(.env)"
+          "Read(**/.env)"
+          "Read(~/.ssh/*)"
+        ];
+      };
+      hooks = {
+        PostToolUse = [
+          {
+            matcher = "EnterPlanMode";
+            hooks = [
+              {
+                type = "command";
+                command = "echo 'A plan is being created. If this session has not been renamed yet, suggest a concise, descriptive session name based on the conversation so far and ask the user to run /rename <suggested-name>.'";
+              }
+            ];
+          }
+        ];
+      };
+      statusLine = {
+        type = "command";
+        command = ''input=$(cat); echo "$(basename "$(echo "$input" | jq -r '.workspace.current_dir')") | $(echo "$input" | jq -r '.model.display_name')"'';
+      };
+    };
+  };
+}

home/programs/claude-code/skills/pr/SKILL.md

@@ -0,0 +1,119 @@
+---
+name: pr
+description: Generate a PR summary from the current feature branch and copy it to the clipboard.
+argument-hint: [optional: additional context or focus areas]
+user-invocable-only: true
+---
+
+# PR Summary Generator
+
+Generate a concise PR summary comparing the current branch to the main branch (master), and copy it to the clipboard.
+
+## Input
+
+Optional user context: $ARGUMENTS
+
+## Process
+
+1. **Get branch info**: Use git to determine:
+   - Current branch name
+   - Main branch (master)
+   - Verify we're not on master (warn if we are)
+
+2. **Gather commit information**: Use the git-explorer MCP tools:
+   - `commits_between` to get all commits from master to HEAD
+   - `get_commit_info` for each commit to see the full message and changes
+
+3. **Evaluate commit hygiene** (CRITICAL - do this before generating summary):
+
+   Review all commits and check for issues that suggest squashing:
+   - **Fixup commits**: Messages like "fix", "fixup", "oops", "typo", "forgot", "WIP"
+   - **Iterative fixes**: Multiple commits touching the same file for the same logical change
+   - **Broken intermediate states**: Commits that introduce then immediately fix issues
+   - **Noise commits**: Very small changes that don't warrant their own commit
+   - **Related changes split unnecessarily**: Commits that logically belong together
+
+   **If squashing is recommended**: STOP here. Do NOT generate PR summary or copy to clipboard.
+   Instead, respond with a short report:
+   - List which commits should be squashed together
+   - Explain briefly why (e.g., "fixup commit", "same logical change", "WIP")
+   - Suggest the resulting commit message(s)
+
+   **If commits look clean**: Continue to step 4.
+
+4. **Analyze the changes**:
+   - Group commits by topic/area if there are multiple
+   - Note the key files changed
+   - Understand the overall purpose of the branch
+
+5. **Generate the summary**: Create a markdown summary with:
+   - A "Summary" section with 2-4 bullet points describing what changed and why
+   - A "Changes" section listing key files/areas modified
+
+6. **Copy to clipboard**: Pipe the summary to `wl-copy`
+
+## Squash Recommendation Format
+
+When recommending squashing, respond like this:
+
+```
+Before creating a PR, I recommend squashing some commits:
+
+**Squash together:**
+- `abc123` "Add new feature"
+- `def456` "Fix typo in new feature"
+- `ghi789` "Forgot to add import"
+
+→ Suggested message: "Add new feature for X"
+
+**Reason:** These are iterative fixes to the same change.
+
+Run `git rebase -i master` to clean up, then invoke `/pr` again.
+```
+
+## Output Format
+
+```markdown
+## Summary
+
+- First key change or feature
+- Second key change
+- Additional context if needed
+
+## Changes
+
+- `path/to/file.nix` - Brief description of change
+- `path/to/other.nix` - Brief description
+```
+
+## Style Guidelines
+
+- **Concise**: Each bullet point should be one sentence
+- **Focus on "why"**: Explain the purpose, not just what files changed
+- **Group related changes**: Don't list every commit, summarize by area
+- **Technical accuracy**: Use correct terminology for the codebase
+- **No fluff**: Skip obvious statements like "this PR adds..."
+
+## Example
+
+For a branch with commits adding a new monitoring exporter:
+
+```markdown
+## Summary
+
+- Add systemd-exporter to all hosts for tracking service health metrics
+- Configure Prometheus scrape targets for the new exporter
+- Add Grafana dashboard for visualizing systemd unit status
+
+## Changes
+
+- `system/systemd-exporter.nix` - New module enabling systemd-exporter on all hosts
+- `services/monitoring/prometheus.nix` - Add scrape config for systemd-exporter job
+- `services/monitoring/grafana/dashboards/` - New systemd dashboard
+```
+
+## After Generating
+
+1. Confirm the summary was copied to clipboard
+2. Display the summary to the user so they can review it
+3. Mention they can paste it directly into a PR description

home/programs/dunst/default.nix

@@ -4,6 +4,11 @@
 }:
 
 {
+  catppuccin.dunst = {
+    enable = true;
+    flavor = "macchiato";
+  };
+
   services.dunst = {
     enable = true;
     iconTheme = {
@@ -13,7 +18,7 @@
     settings = {
       global = {
         origin = "top-right";
-        monitor = "4";
+        follow = "none";
         alignment = "left";
         vertical_alignment = "center";
         width = "(0, 400)";
@@ -36,10 +41,8 @@
         history_length = 20;
         always_run_script = true;
         corner_radius = 10;
-        # follow = "mouse";
-        font = "Source Sans Pro 10";
-        format = "<b>%s</b>\\n%b"; # format = "<span foreground='#f3f4f5'><b>%s %p</b></span>\n%b"
-        frame_color = "#232323";
+        font = "JetBrainsMono Nerd Font 10";
+        format = "<b>%s</b>\\n%b";
         frame_width = 1;
         offset = "(15, 15)";
         horizontal_padding = 10;
@@ -61,19 +64,6 @@
       fullscreen_delay_everything = {
         fullscreen = "delay";
       };
-
-      urgency_critical = {
-        background = "#d64e4e";
-        foreground = "#f0e0e0";
-      };
-      urgency_low = {
-        background = "#232323";
-        foreground = "#2596be";
-      };
-      urgency_normal = {
-        background = "#1e1e2a";
-        foreground = "#2596be";
-      };
     };
   };
 }

home/programs/gtk/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  gtk = {
+    enable = true;
+    theme = {
+      name = "catppuccin-macchiato-blue-standard";
+      package = pkgs.catppuccin-gtk.override {
+        variant = "macchiato";
+        accents = [ "blue" ];
+      };
+    };
+  };
+}

home/programs/obs-studio/default.nix

@@ -30,12 +30,12 @@
           .overrideAttrs
             (
               final: prev: {
-                version = "1.3.3";
+                version = "1.3.6";
                 src = pkgs.fetchFromGitHub {
-                  owner = "royshil";
+                  owner = "occ-ai";
                   repo = "obs-backgroundremoval";
                   rev = final.version;
-                  hash = "sha256-NDe71iDnVcnMilGr5kdbemq8jEKd3WW45tbMwxjqUwo=";
+                  hash = "sha256-2BVcOH7wh1ibHZmaTMmRph/jYchHcCbq8mn9wo4LQOU=";
                 };
                 nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
                 cmakeFlags = [

home/programs/rofi/config.rasi

@@ -1,17 +0,0 @@
-configuration{
-    modi: "run,drun,window";
-    icon-theme: "Oranchelo";
-    show-icons: true;
-    terminal: "alacritty";
-    drun-display-format: "{icon} {name}";
-    location: 0;
-    disable-history: false;
-    hide-scrollbar: true;
-    display-drun: "   Apps ";
-    display-run: "   Run ";
-    display-window: " 﩯  Window";
-    display-Network: " 󰤨  Network";
-    sidebar-mode: true;
-}
-
-@theme "latte"

home/programs/rofi/default.nix

@@ -1,27 +1,33 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
-  xdg.configFile."rofi/config.rasi" = {
-    source = ./config.rasi;
+  catppuccin.rofi = {
+    enable = true;
+    flavor = "macchiato";
   };
 
-  xdg.configFile."rofi/macchiato.rasi" = {
-    source =
-      pkgs.fetchFromGitHub {
-        owner = "catppuccin";
-        repo = "rofi";
-        rev = "5350da41a11814f950c3354f090b90d4674a95ce";
-        sha256 = "DNorfyl3C4RBclF2KDgwvQQwixpTwSRu7fIvihPN8JY=";
-      }
-      + "/basic/.local/share/rofi/themes/catppuccin-macchiato.rasi";
+  programs.rofi = {
+    enable = true;
+    terminal = "kitty";
+    location = "center";
+    font = "JetBrains Mono Nerd Font 12";
+    plugins = [
+      pkgs.rofi-emoji
+      pkgs.rofi-calc
+    ];
+    extraConfig = {
+      modi = "drun,ssh,window,calc,emoji";
+      matching = "fuzzy";
+      show-icons = true;
+      icon-theme = "Oranchelo";
+      drun-display-format = "{icon} {name}";
+      hide-scrollbar = true;
+      disable-history = false;
+      display-drun = "Apps";
+      display-ssh = "SSH";
+      display-window = "Window";
+      display-calc = "Calc";
+      display-emoji = "Emoji";
+      sidebar-mode = true;
     };
-  xdg.configFile."rofi/latte.rasi" = {
-    source =
-      pkgs.fetchFromGitHub {
-        owner = "catppuccin";
-        repo = "rofi";
-        rev = "5350da41a11814f950c3354f090b90d4674a95ce";
-        sha256 = "DNorfyl3C4RBclF2KDgwvQQwixpTwSRu7fIvihPN8JY=";
-      }
-      + "/basic/.local/share/rofi/themes/catppuccin-latte.rasi";
   };
 }

home/scripts/default.nix

@@ -7,10 +7,6 @@
     source = ./hl-no-opacity.sh;
     executable = true;
   };
-  home.file.".local/bin/rofi-launcher" = {
-    source = ./rofi-launcher.sh;
-    executable = true;
-  };
   home.file.".local/bin/randomwp" = {
     source = ./randomwp.sh;
     executable = true;

home/scripts/rofi-launcher.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-rofi \
-    -show drun \
-    -modi run,drun,ssh \
-    -scroll-method 0 \
-    -drun-match-fields all \
-    -drun-display-format "{name}" \
-    -terminal kitty

hosts/gunter/configuration.nix

@@ -31,7 +31,7 @@
       "mt76"
     ];
     # Kernel stuff
-    # kernelPackages = lib.warn "Pinned to kernel 6.12 due to issues" pkgs.linuxPackages_6_12;
+    kernelPackages = lib.warn "Kernel pinned to 6.18 due to nvidia driver incompatibility with 6.19" pkgs.linuxPackages_6_18;
     kernelParams = [ "module_blacklist=amdgpu" ];
 
     kernel.sysctl = {
@@ -67,7 +67,7 @@
     ];
 
     trusted-public-keys = [
-      "nix-cache.home.2rjus.net-1:2kowZOG6pvhoK4AHVO3alBlvcghH20wchzoR0V86UWI="
+      "nix-cache02.home.2rjus.net-1:QyT5FAvJtV+EPQrgQQ6iV9JMg1kRiWuIAJftM35QMls="
       "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
     ];
   };
@@ -86,7 +86,7 @@
     modesetting.enable = true;
     powerManagement.enable = false;
     powerManagement.finegrained = false;
-    open = true;
+    open = false;
     nvidiaSettings = false;
 
     package = config.boot.kernelPackages.nvidiaPackages.beta;

hosts/gunter/ollama.nix

@@ -1,11 +1,11 @@
 { pkgs, lib, ... }:
 {
   services.ollama = {
-    enable = true;
+    enable = false;
     package = pkgs.ollama-cuda;
   };
   services.open-webui = {
-    enable = true;
+    enable = false;
     package = pkgs.stable.open-webui;
     # enable = lib.warn "Open WebUI is disabled" false;
     environment = {

hosts/magicman/configuration.nix

@@ -14,6 +14,10 @@
     "rd.udev.log_level=3"
   ];
 
+  boot.extraModprobeConfig = ''
+    options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
+  '';
+
   boot.loader.systemd-boot.configurationLimit = 3;
 
   boot.initrd.systemd.enable = true;
@@ -28,6 +32,7 @@
 
   # Networking stuff
   networking.hostName = "magicman"; # Define your hostname.
+  networking.networkmanager.wifi.backend = "iwd";
 
   hardware = {
     enableRedistributableFirmware = true;
@@ -84,6 +89,7 @@
     wget
     curl
     git
+    v4l-utils
   ];
 
   # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,

hosts/magicman/hardware-configuration.nix

@@ -21,8 +21,11 @@
     "sdhci_pci"
   ];
   boot.initrd.kernelModules = [ "i915" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  boot.kernelModules = [
+    "kvm-intel"
+    "v4l2loopback"
+  ];
+  boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
 
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/31b20f4c-24bb-4fd1-9a3e-8ccc19fe3d64";

hosts/magicman/laptop.nix

@@ -3,8 +3,6 @@
   hardware.brillo.enable = true;
   powerManagement.enable = true;
 
-  services.tlp.enable = true;
-
   services.auto-cpufreq = {
     enable = true;
     settings = {

secrets/torjus/secret.yaml

@@ -4,32 +4,37 @@ sonarr_base_url: ENC[AES256_GCM,data:0HiHIX4KcPEE62Ti1fLH230rC1A7xYg=,iv:mkAnl6t
 radarr_api_key: ENC[AES256_GCM,data:Db1ISKTF+m2H1on55/4vdGticfqBdxfIzKHBxC9LAx4=,iv:NhiG4SmsRYIunW1ljFbxeHvRoi9fOVE+9DJn6kmZ6oI=,tag:DoJzo56CW3kJlySYmB8NYQ==,type:str]
 radarr_base_url: ENC[AES256_GCM,data:3UgOPQMblYhm0ysRB6VVosvZToIM5IA=,iv:o/s0bVBrjrma2Df2LlCCFL5Ks80063/4mABc6vzDrYg=,tag:eHKntLPM9yRRkMfIWSpIdg==,type:str]
 nats_nkey: ENC[AES256_GCM,data:TcIDFkFXB1+qfTqLylDI46w4/+Cy9XdXyXS26qCbwDaDoQNaRUsC6dw94mbT37352IWOCypTY0hweA==,iv:DC5GQyIXbNSx/mOLAOWTf5AyeFeViLxbKTMgZEfTEXE=,tag:krxk/dnZ58a8dcuWb7zhnA==,type:str]
+forgejo_access_token: ENC[AES256_GCM,data:5+AXgz03G9AEqhHlX87qdV8o1J2f/v/o59QPe5R8N06A7n4rt1A5eQ==,iv:ns/3F7+yr+bA4cqj6ghNLYyEuT+w+D+ILrKqMGbNQN4=,tag:rYI/497XuYkRmeLjxWaCIg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnaUlVOWtoRTFvMHljV0Fu
-            TFp2Ym1jcThqbWRjUjdNSnhxRUsrOWl6S3dBCmh0L0YzaXNlRTFHMXFHTGc1T3I2
-            WE03WjJCSlJSV2lmSExTWDBQRnlOcDAKLS0tIFJoeEM5b0IrdWxTRWhvNnd0c3NG
-            dENGdjJteFFaQTNFaDgvSGV2UEtyT0EKbdg4atS91rB99l7zKKkfPzKk4T5Mq2x5
-            bX825DPrxauAhvrT7ca/A2OwA4kaFuxPrQGd3VOPAXTVhlbcFgIAdw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUzQ0Q3dyZzVUMTJUUFhV
+            djg5WVNqNVRjeEsxM2lvOGZ4U25OR0VjNFNJCk11bTdVMzdsVyswQWc3enpwWVEz
+            bC9GbHV2dnhCTm44RWNNZzNXcjE5MDgKLS0tIHJRZmUwMDU2Si8waWVYS29BZFFJ
+            VDlubEtVOEJabTNWRFVHQ2hiNXJPUTQKdmBIlI4JvAssYHeRzbjp7CbPDsDX1JZ5
+            TIw79h28sArmRkP5fDlM0D1rALLlbTBsn3KA2D3RZgsUcelFlckIJg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1stlqqspmt5fepyz35udrwr5avf9zuju79f787p26pu2d2j08yqps2q2t2c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSEZJWldRcmJ3c1BjbUpT
-            bmZXSmlHU0hVRTV3SG91bXpiTXhZd1RkY0Y4ClBxc0RabWJmMi8reHZYWnlmK3pC
-            bUw5V2FEV0pZdkZEMTJ5ZDZXWDM2NjgKLS0tIGZ6dEZ4dERYQXFRQTVkRHhycndz
-            dkgwQlRrdEp6b2FIVnowaDlUMEZpeHcK2icvVv+UpbcdVErRjjQhlQb6PuluC/K7
-            Vy8Rh7dTn++bSEdGidDNGYeUQBrVy2qooq04lQqbeOOrdmXVhTamdA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VkpsWTF6cmlIdEROSmcw
+            UTE1MzUwZlEwZGoyTUM0M2dQRlF1NExYTFNrCkFBNFFIZ1AyNTlRR2NZaXB3Y1Vj
+            Wk9xVmVoM1MweERpUWh1R0FDeFdWT1UKLS0tIHJOQWRZY3NHWmpEL1djY3lnTTZB
+            S2xsR3NESklzNEN5U3RUTElmbnQzSWcKaDJnCgQUjpz6gAVtWJPKykfuflQOyMLq
+            cmb5ZfKhvrgthByGtS1nN4dhwA8ndUJ31UqiU0xWDdak59ehczoquQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-11T19:22:47Z"
-    mac: ENC[AES256_GCM,data:vd8O5y1GNDTDrlundbNZcGRAQzKLDly4qyxTqRO2JrnDYOqD/vQ8TqRQYiUgGY+5AcgjoLMER8keE8OUmcngN16cbGx1zKTpdqyHb7B2KR7ZfWOjW5kTk5KWM1gLDA4hA2GBEjHFBPGKdcrjURek9MrT+iM+qArbizSjWlKuehc=,iv:cicEnvWynZizJqrUzPIzbJWl6O8uL65Vs7fAYsuqSNA=,tag:l5jBXQfFedVE/VccZh+1qQ==,type:str]
-    pgp: []
+        - recipient: age1whxf34vjdndqzwgm7yyaexdm46gdnv9sf3nal7qqyjr0nyhhndlsrmc0g3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRU2R0cU1JcGFRRkV2SE1E
+            RFBRWkdESTcveGsvMStZR0Q3bWo3L0FQcENzCjdsOEpCNGk2NjdPMXVUWnhFS3NE
+            WlR0bWxZTGdnakplS0M3S3F0Nm9hQ00KLS0tIFR3amxPWEhiWDZQU2xjUGRHb0xS
+            U2V0bjZ2TUVmS2F3S1dTSnBYTmZsMG8KJTT0r6PYJ/g/J0E/CxyxRfUhtq8KMEJi
+            w5WrsdHrEkukY0OGRG1i8ZeDDV5mR2KejjKoGWQU6cLYa/v+XHevhg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-10T01:57:15Z"
+    mac: ENC[AES256_GCM,data:BK1vTAg7I16ztjqlkeXk7fMLGd7cvIzxogVufsRGamA5PpZgZ8PmvFcQH5JSLbEl/cAKPRD5jr9X1fx9Yr4uAwnVBPpkfu4LUb1fOihWgq7W4YqrTLKB2KGJZaTIP/I800bHHqEsyUcgo2DZ4gEDP2X84tR81xGhwkpGyeH0nlY=,iv:9Sj12aEHkYTrkoZ33SxiHhpDiZrXmPKN6972B+NV14Y=,tag:qDZvGgEpELktFRPuL2J98g==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.12.1