migrate remaining git.t-juice.club references to code.t-juice.club

Update flake inputs, MCP server URLs, and remove old GitHub Actions
workflows (will be replaced with new CI on Forgejo).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/actions-check.yaml

@@ -1,33 +0,0 @@
-name: Check actions
-on:
-  push:
-    paths:
-      - .github/workflows/*.yaml
-      - .github/workflows/*.yml
-  pull_request:
-    paths:
-      - .github/workflows/*.yaml
-      - .github/workflows/*.yml
-
-jobs:
-  check-actions-actionlint:
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/catthehacker/ubuntu:runner-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '1.23'
-      - run: |
-          go install github.com/rhysd/actionlint/cmd/actionlint@latest
-          actionlint .github/workflows/*.yaml
-  check-actions-yamllint:
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/catthehacker/ubuntu:runner-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v5
-      - run: |
-          pipx run yamllint .github/workflows/*.yaml

.github/workflows/flake-check.yaml

@@ -1,14 +0,0 @@
-name: Run nix flake check
-on:
-  push:
-  pull_request:
-
-jobs:
-  flake-check:
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/catthehacker/ubuntu:runner-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v27
-      - run: nix flake check

.github/workflows/flake-update.yaml

@@ -1,36 +0,0 @@
----
-name: Periodic flake update
-on:  # yamllint disable-line rule:truthy
-  schedule:
-    - cron: "0 */2 * * *"
-
-permissions:
-  contents: write
-
-jobs:
-  flake-update:
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/catthehacker/ubuntu:runner-latest
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          ref: master
-      - uses: cachix/install-nix-action@v27
-      - name: configure git
-        env:
-          SSH_PRIVKEY: ${{ secrets.BOT_SSH_PRIVKEY }}
-          SSH_PUBKEY: ${{ secrets.BOT_SSH_PUBKEY }}
-        run: |
-          echo "$SSH_PRIVKEY" > "$RUNNER_TEMP/id_ed25519"
-          echo "$SSH_PUBKEY" > "$RUNNER_TEMP/id_ed25519.pub"
-          chmod -R 0600 "$RUNNER_TEMP/id_ed25519.pub" "$RUNNER_TEMP/id_ed25519"
-          git config --global user.name 'torjus-bot'
-          git config --global user.email 'torjus-bot@git.t-juice.club'
-          git config --global user.signingKey "$RUNNER_TEMP/id_ed25519.pub"
-          git config --global gpg.format ssh
-          git config --global commit.gpgsign true
-      - name: flake update
-        run: nix flake update --commit-lock-file
-      - name: push
-        run: git push

.mcp.json

@@ -0,0 +1,33 @@
+{
+  "mcpServers": {
+    "nixpkgs-options": {
+      "command": "nix",
+      "args": ["run", "git+https://code.t-juice.club/torjus/labmcp#nixpkgs-search", "--", "options", "serve"],
+      "env": {
+        "NIXPKGS_SEARCH_DATABASE": "sqlite:///run/user/1000/labmcp/nixpkgs-search.db"
+      }
+    },
+    "nixpkgs-packages": {
+      "command": "nix",
+      "args": ["run", "git+https://code.t-juice.club/torjus/labmcp#nixpkgs-search", "--", "packages", "serve"],
+      "env": {
+        "NIXPKGS_SEARCH_DATABASE": "sqlite:///run/user/1000/labmcp/nixpkgs-search.db"
+      }
+    },
+    "hm-options": {
+      "command": "nix",
+      "args": ["run", "git+https://code.t-juice.club/torjus/labmcp#hm-options", "--", "serve"],
+      "env": {
+        "HM_OPTIONS_DATABASE": "sqlite:///run/user/1000/labmcp/hm-options.db"
+      }
+    },
+    "git-explorer": {
+      "command": "nix",
+      "args": ["run", "git+https://code.t-juice.club/torjus/labmcp#git-explorer", "--", "serve"],
+      "env": {
+        "GIT_REPO_PATH": "/home/torjus/git/nixos-servers"
+      }
+    }
+  }
+}
+

.sops.yaml

@@ -23,3 +23,4 @@ creation_rules:
       - age:
         - *admin_torjus
         - *server_magicman
+        - *server_gunter

AGENTS.md

@@ -1,71 +0,0 @@
-# AGENTS.md
-
-## Overview
-This repository contains NixOS configurations for multiple machines using flakes, home-manager, and sops-nix for secrets.
-
-## Working with this Repository
-
-### DO
-- Use `nix fmt` or `nix fmt .` to format files before committing (uses nixfmt-tree)
-- Test builds with `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`
-- Use the included devShell run `nix develop` to get formatting and linting tools
-- When adding packages, check both overlays in `flake.nix` and `home/programs/` 
-- Follow the directory structure: `hosts/` for system configs, `home/` for home-manager configs
-- **CRITICAL: When adding NEW files, run `git add <newfile>` BEFORE building. Nix flakes ignore untracked files in the build context, so newly added files won't be copied and builds will fail until they're git-tracked**
-
-### DON'T
-- Don't work directly on master branch, always create a new branch if editing something
-- Don't run `nix flake update` to update inputs, this should only be done by the user manually
-- Don't directly edit files in `secrets/` - they should be manually managed by the user
-- Don't add secrets to Git
-- Don't format with tools other than `nix fmt` (the formatter is defined in flake.nix)
-- Don't modify `.sops.yaml` or any secrets, ask the user to do it manually
-- Don't use `nix-shell` directly - use `nix develop` for the devShell environment
-- Don't skip builds after configuration changes - test before pushing
-- Don't mix stable and unstable packages arbitrarily in the same expression
-- Don't commit without running `nix fmt` - formatted Nix is required
-- **Don't try to build with newly created but untracked files - `nix build` will fail to find them**
-
-## Specific Patterns
-
-### Adding a New Program
-- DO add to `home/packages` if no nixos or home-manager options are used.
-- DO create a subdirectory in `home/programs/` if nixos or home-manager options are used.
-- DO `git add` the new configuration files before attempting to build
-- DON'T add programs directly to user configs unless absolutely necessary
-
-### Modifying System Configuration
-- DO check `system/` for shared configs across hosts
-- DO check individual `hosts/<hostname>/` for host-specific overrides
-- DON'T duplicate configuration - use `system/` modules for shared settings
-
-### Working with Secrets
-- DON'T add unencrypted secrets to the repository
-- DON'T commit decrypted secrets
-- DON'T add secrets, ask the user do it themselves
-
-### Testing
-- DO run `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel` to test
-- DON'T push untested configuration changes
-- DON'T attempt to build configurations with newly added but untracked files
-
-### Git
-If change is small, and can be described sufficiently in the summary, dont add a long
-body to the commit, prefer just the summary if sufficient.
-
-Commits should match the format:
-`topic: description of change`
-
-Some examples:
-- hyprland: convert deprecated windowrules
-- packages: nixfmt-rfc-style renamed
-- gunter: use beta nvidia driver
-
-
-## Repository Structure Guide
-- `flake.nix` - Entrypoint, inputs, overlays, and configurations
-- `hosts/` - System-level NixOS configs per host
-- `home/` - Home-manager configs (programs, editor, window managers)
-- `system/` - Shared system modules (fonts, security, services)
-- `secrets/` - Encrypted secrets (managed by sops-nix)
-- `scripts/` - Utility scripts

CLAUDE.md

@@ -0,0 +1,147 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Repository Overview
+
+This is a NixOS configuration repository using flakes for managing multiple machines (gunter, magicman). It uses home-manager for user configurations and sops-nix for secrets management. Custom packages from private git repositories are integrated via flake inputs and overlays.
+
+## Essential Commands
+
+### Formatting
+```bash
+nix fmt                  # Format all Nix files (uses nixfmt-tree)
+nix fmt .                # Same as above
+```
+
+### Building & Testing
+```bash
+# Test build a specific host configuration
+nix build .#nixosConfigurations.gunter.config.system.build.toplevel
+nix build .#nixosConfigurations.magicman.config.system.build.toplevel
+
+# Enter development shell (includes act, actionlint, yamllint)
+nix develop
+```
+
+If config clearly only affects one host, building for just the relevant host is enough.
+Otherwise, build both. **Always ask before building gunter** — it takes a long time.
+
+If moving things around, you can use `nix eval` before and after changes to check that things remain the same.
+```
+nix eval .#nixosConfigurations.magicman.config.nix.settings.substituters --json | jq
+```
+
+### Comparing with Running System
+```bash
+# Build and compare against currently running system
+nixos-rebuild build --flake . && nvd diff /run/current-system result
+```
+This shows package version changes, added/removed packages, and closure size differences between what's currently running and the repo configuration.
+
+### Common Operations
+```bash
+# Check flake without building
+nix flake check
+
+# Show flake outputs
+nix flake show
+```
+
+## Architecture
+
+### Flake Structure
+- **Inputs**: Uses both stable (nixos-25.05) and unstable nixpkgs channels
+- **Overlays**: `overlay-stable` provides `pkgs.stable` for stable packages; custom overlays integrate private packages (ghettoptt, huecli, nixprstatus, natstonotify, nix-packages)
+- **System**: x86_64-linux primary, with multi-platform devShell support
+
+### Directory Organization
+```
+├── flake.nix                 # Main entrypoint with overlays and host definitions
+├── hosts/                    # Per-host system configurations
+│   ├── gunter/              # Desktop with multi-monitor, nvidia, steam
+│   └── magicman/            # Laptop configuration
+├── home/                     # Home-manager user configurations
+│   ├── hosts/               # Per-host user settings (imports packages + programs)
+│   ├── editor/              # Neovim configuration
+│   ├── hyprland/            # Wayland compositor with custom options
+│   ├── packages/            # Simple packages (no options)
+│   ├── programs/            # Programs with home-manager options (dunst, git, firefox, etc.)
+│   ├── services/            # User services (backup, ghettoptt, natstonotify)
+│   ├── scripts/             # User scripts
+│   ├── sops/                # User secrets configuration
+│   ├── ssh/                 # SSH configuration
+│   └── zsh/                 # Shell configuration
+├── system/                   # Shared system-level modules
+│   ├── monitoring/          # logs.nix, metrics.nix
+│   ├── fonts.nix            # Font configuration
+│   ├── locale.nix           # Localization settings
+│   ├── users.nix            # User account definitions
+│   └── ...                  # Other system modules
+└── secrets/                  # SOPS-encrypted secrets (don't modify)
+```
+
+### Configuration Pattern
+- Each host's `default.nix` imports: `configuration.nix`, `hardware-configuration.nix`, host-specific modules, `../../system`, and `../../home/hosts/<hostname>`
+- Home-manager imports are in `home/hosts/<hostname>/default.nix` which imports editor, hyprland, packages, programs, services, etc.
+- Shared system config goes in `system/`, host-specific overrides in `hosts/<hostname>/`
+
+### Hyprland Custom Options
+The hyprland module in `home/hyprland/default.nix` provides custom options:
+- `hyprland.monitors`: List of monitor configurations
+- `hyprland.extraEnv`: Environment variables
+- `hyprland.extraKeybinds`: Additional keybindings
+- `hyprland.extraWorkspaces`: Named workspace definitions
+- `hyprland.monitorVariables`: Monitor name variables (e.g., `$mon_left`)
+- `hyprland.enableGrimblast`, `hyprland.enableWacom`, `hyprland.cursorNoHardware`: Feature flags
+
+## Critical Workflow Rules
+
+### Git Tracking for New Files
+**CRITICAL**: Nix flakes ignore untracked files. When adding new files, run `git add <newfile>` BEFORE attempting to build. Builds will fail with "file not found" errors until files are git-tracked.
+
+### Branching
+Always create a new branch for changes. Never work directly on master branch.
+
+### Formatting
+Always run `nix fmt` before committing. Formatted Nix code is required.
+
+### Commit Messages
+Format: `topic: description`
+
+Examples:
+- `hyprland: convert deprecated windowrules`
+- `packages: nixfmt-rfc-style renamed`
+- `gunter: use beta nvidia driver`
+
+Keep summaries concise. Only add commit body if needed for context.
+
+### Forbidden Operations
+- Don't run `nix flake update` (user manages input updates)
+- Don't edit files in `secrets/` directory
+- Don't modify `.sops.yaml`
+- Don't use `nix-shell` (use `nix develop` instead)
+- Don't mix stable/unstable packages arbitrarily
+- Don't skip builds after configuration changes
+
+### Adding Programs
+- If no NixOS/home-manager options needed: add to `home/packages`
+- If using options: create subdirectory in `home/programs/`
+- Remember to `git add` new files before building
+
+## Package Management
+
+### Using Stable Packages
+The `overlay-stable` provides access to stable nixpkgs via `pkgs.stable`:
+```nix
+environment.systemPackages = [ pkgs.stable.somePackage ];
+```
+Do not use packages from stable unless explicitly requested.
+
+### Custom Packages
+Custom packages from private repos are available via overlays:
+- `pkgs.ghettoptt`
+- `pkgs.huecli`
+- `pkgs.nixprstatus`
+- `pkgs.natstonotify`
+- Plus packages from `nix-packages` overlay

docs/gunter-monitor-issues.md

@@ -0,0 +1,121 @@
+# Gunter Monitor Boot Issues
+
+## Problem Description
+
+Two of the four monitors on gunter (desktop) intermittently fail to work on startup. The affected monitors are always the two Samsung LS27A600U displays, which are connected via DisplayPort daisy-chaining (MST - Multi-Stream Transport). Power cycling the monitors typically resolves the issue until the next reboot.
+
+## System Configuration
+
+- **GPU**: NVIDIA GeForce RTX 3080 Ti
+- **Driver**: NVIDIA proprietary driver 590.48.01 (beta)
+- **Kernel**: 6.18.12
+- **Compositor**: Hyprland
+- **Open driver**: `false` (switched from open to proprietary 2026-02-21)
+- **Initrd nvidia modules**: None (removed 2026-03-03, was bloating initrd to 191MB)
+
+### Monitor Setup
+
+| Port  | Monitor                  | Resolution     | Connection    |
+|-------|--------------------------|----------------|---------------|
+| DP-1  | Acer XB271HU (center)    | 2560x1440@120Hz | Direct        |
+| DP-3  | BenQ G2420HDBL (top)     | 1920x1080@60Hz  | Direct        |
+| DP-4  | Samsung LS27A600U (right)| 2560x1440@75Hz  | Daisy-chained |
+| DP-5  | Samsung LS27A600U (left) | 2560x1440@75Hz  | Daisy-chained |
+
+The GPU only has 3 DisplayPort outputs, so one Samsung monitor is connected to the other via DP daisy-chaining (MST).
+
+## Diagnostic Findings
+
+### Kernel Errors
+
+The following errors appear in the kernel log during boot:
+
+```
+[drm:nv_drm_dev_load [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000100] Failed to add connector for NvKmsKapiDisplay 0x00000800
+[drm:nv_drm_dev_load [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000100] Failed to get dynamic displays
+```
+
+"Dynamic displays" in NVIDIA terminology refers to MST-connected monitors. These errors indicate the driver is failing to enumerate the daisy-chained displays during initialization.
+
+### Root Cause Analysis
+
+1. **MST timing issues** - The downstream Samsung monitor isn't ready when the driver tries to enumerate the daisy chain during boot. The MST topology hasn't been negotiated yet when the driver first probes, regardless of how early or late it loads.
+2. **Power sequencing** - The monitors may need more time to negotiate the MST link during cold boot
+
+## Changes Made
+
+### 2026-02-21: Switch to proprietary driver + initrd loading
+
+**Change 1: `hardware.nvidia.open = false`** (previously `true`)
+
+With the open driver, boot produced 7 errors including flip event timeouts and kernel WARNING stack traces:
+```
+Failed to add connector for NvKmsKapiDisplay 0x00000800
+Failed to get dynamic displays
+Flip event timeout on head 0
+Flip event timeout on head 1
+Failed to add encoder for NvKmsKapiDisplay 0x00000001
+WARNING: CPU: 5 PID: 1169 at nvidia-drm/nvidia-drm-crtc.h:328 __nv_drm_handle_flip_event (x2)
+```
+
+With the proprietary driver, only the 2 MST enumeration errors remain. The flip timeouts and kernel warnings are gone. The driver handles the MST failure much more gracefully.
+
+**Change 2: Load nvidia modules in initrd** (`boot.initrd.kernelModules`)
+
+Without initrd loading, the nvidia driver took ~22 seconds to initialize (11s to first error, 10 more to give up on dynamic displays). During this time monitors lost signal and went to sleep.
+
+With initrd loading, the driver loads and initializes in under 1 second. However, the same two MST errors still occur - the MST topology simply isn't ready yet regardless of timing.
+
+**Result**: Subjectively improved - monitors now typically recover after a single power cycle instead of requiring multiple attempts. The boot process is also faster with no 20+ second black screen hang.
+
+## Remaining Solutions to Try
+
+1. **Display rescan service** - Create a systemd service that triggers the nvidia driver to re-enumerate displays a few seconds after boot. This could auto-detect MST monitors without manual power cycling.
+
+2. **Remove `quiet splash`** from kernel params - Keeps console output active during boot, which maintains an active DP signal through the UEFI-to-kernel transition and may help keep the MST link alive.
+
+3. **Check monitor firmware** - Samsung LS27A600U monitors have had MST firmware updates. Updating could improve MST link negotiation reliability.
+
+4. **Reduce initial link rate** - Lower refresh rate to 60Hz initially to reduce DP bandwidth requirements during MST negotiation, potentially making link training more reliable.
+
+## Useful Diagnostic Commands
+
+### Kernel logs for display/nvidia issues
+```bash
+journalctl -k --no-pager | grep -iE '(nvidia|drm|display|edid|dp|hdmi|monitor)'
+```
+
+### Kernel errors and warnings
+```bash
+journalctl -k --no-pager | grep -iE '(error|fail|warn)'
+```
+
+### Current monitor state (Hyprland)
+```bash
+hyprctl monitors all
+```
+
+### DRM connector status
+```bash
+cat /sys/class/drm/*/status
+ls -la /sys/class/drm/
+```
+
+### GPU and driver info
+```bash
+nvidia-smi --query-gpu=name,driver_version --format=csv,noheader
+```
+
+### Check EDID data for each connector
+```bash
+for f in /sys/class/drm/card1-DP-*/; do
+  echo "=== $(basename $f) ===";
+  cat "$f/enabled" 2>/dev/null;
+  cat "$f/edid" 2>/dev/null | xxd | head -5;
+done
+```
+
+## Related Configuration Files
+
+- `hosts/gunter/configuration.nix` - NVIDIA driver settings
+- `home/hosts/gunter/default.nix` - Hyprland monitor configuration

docs/magicman-keyboard-luks.md

@@ -0,0 +1,156 @@
+# Magicman: PS/2 Keyboard Broken at LUKS Prompt After BIOS Update
+
+## Issue
+
+After updating the ThinkPad L14 Gen 4 (21H2S3US00) BIOS to version R24ET51W (1.34)
+via `fwupdmgr`, the built-in laptop keyboard no longer works during the LUKS disk
+encryption password prompt. An external USB keyboard must be used to unlock the disk.
+The laptop keyboard works normally after boot.
+
+## Machine Details
+
+- **Model**: Lenovo ThinkPad L14 Gen 4 (21H2S3US00)
+- **BIOS**: R24ET51W (1.34), dated 2025-10-31
+- **EC**: R24HT33W
+- **Date**: 2026-03-06
+
+### What fwupdmgr Installed
+
+- System Firmware: 0.1.12 → 0.1.34
+- UEFI dbx: 20230301 → 20250902
+- KEK CA: 2011 → 2023
+
+## Symptoms
+
+- Laptop keyboard does not respond at the LUKS password prompt (neither systemd nor scripted initrd)
+- USB keyboard works fine at the LUKS prompt
+- Laptop keyboard works immediately after boot (at greetd login)
+- Text typed on the laptop keyboard during LUKS prompt sometimes partially appears
+  at the greetd username field after boot, indicating the keyboard hardware IS generating
+  scancodes that get buffered and flushed later
+
+## Kernel Errors
+
+Every boot shows these errors from the atkbd driver:
+
+```
+atkbd serio0: Failed to deactivate keyboard on isa0060/serio0
+atkbd serio0: Failed to enable keyboard on isa0060/serio0
+input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input0
+atkbd serio0: Spurious ACK on isa0060/serio0. Some program might be trying to access hardware directly.
+```
+
+The keyboard device IS registered despite the errors, and the `kbd` input handler
+binds to it (`Handlers=sysrq kbd leds event6`).
+
+## Root Cause Analysis
+
+The BIOS update changed the PS/2 controller (i8042) initialization behavior. The atkbd
+driver sends a deactivate command (0xF5) during init, which likely succeeds at disabling
+the keyboard even though the ACK times out. The subsequent enable command (0xF4) also
+times out without re-enabling it. The keyboard stays disabled at the hardware level —
+it queues keypresses in its small internal buffer (~16 keys) but doesn't send scancodes
+to the host until something re-enables it during full boot. This is NOT a timing issue —
+leaving the system at the LUKS prompt for several minutes does not fix the keyboard.
+Something specific that happens later in the boot process (likely during switch-root
+when udev re-processes devices) re-enables the keyboard.
+
+## What Was Tried
+
+### Kernel Parameters (none helped)
+
+- `i8042.dumbkbd` — skip keyboard reset during i8042 probe
+- `i8042.nopnp` — don't use PNP to discover controllers
+- `i8042.reset` — force i8042 controller reset
+- `i8042.nomux` — don't probe for MUX
+- `atkbd.reset` — reset keyboard during atkbd init
+- `console=tty1` — explicitly route console I/O to tty1
+- Various combinations of the above
+
+### Initrd Module Loading
+
+- Added `i8042`, `atkbd`, `thinkpad_acpi` to `boot.initrd.kernelModules`
+- `thinkpad_acpi` loads the EC driver early, but didn't help
+
+### Initrd Services
+
+- Created `keyboard-reconnect` systemd service that runs before `systemd-cryptsetup@root.service`
+- Tried `echo reconnect > /sys/bus/serio/devices/serio0/drvctl` — reconnect also fails
+- Tried full module reload: `rmmod atkbd; rmmod i8042; sleep N; modprobe i8042; modprobe atkbd`
+  - Tested with sleep 2 and sleep 8
+  - The reload creates a new serio device (serio2) but initialization fails identically
+
+### Plymouth
+
+- Disabled Plymouth (`boot.plymouth.enable = false`) — no effect
+- Tested `plymouth.enable=0` on kernel command line — no effect
+- Confirmed password agent falls back to `systemd-tty-ask-password-agent` on `/dev/tty1`
+
+### Scripted Initrd
+
+- Switched from systemd initrd to scripted initrd (`boot.initrd.systemd.enable = false`)
+- Uses a completely different password prompt mechanism (shell `read`)
+- Same result — keyboard still doesn't work
+
+### BIOS
+
+- Checked BIOS settings — no relevant keyboard/PS/2 options available
+- `fwupdmgr get-updates` shows no newer BIOS version available
+
+## Planned Fix: TPM + Secure Boot Auto-Unlock
+
+### Approach
+
+Use TPM2-based LUKS unlock with Secure Boot to bypass the keyboard requirement entirely.
+
+- **lanzaboote** — replaces systemd-boot, produces signed Unified Kernel Images (UKIs)
+  that bundle kernel + initrd + cmdline into a single signed EFI binary
+- **Secure Boot** — ensures only signed code can boot, prevents tampering with boot chain
+- **TPM2 unlock** — `systemd-cryptenroll` binds LUKS key to TPM PCR 7 (Secure Boot policy)
+- **Passphrase kept as fallback** — if TPM/Secure Boot state changes, unlock with USB keyboard + password
+
+### Why PCR 7 Only
+
+Binding to PCR 7 alone means kernel/initrd updates (frequent on nixos-unstable) do NOT
+require re-enrollment. PCR 7 only changes when Secure Boot keys or policy change.
+
+Cmdline tampering is prevented by lanzaboote's UKI approach — the cmdline is embedded in
+the signed binary and cannot be edited at the bootloader.
+
+### Setup Steps
+
+1. Install `sbctl` and create Secure Boot signing keys
+2. Put BIOS into Secure Boot "Setup Mode" and enroll custom keys (include Microsoft keys for fwupd)
+3. Enable lanzaboote in NixOS config (replaces systemd-boot)
+4. Rebuild, verify Secure Boot works
+5. Enroll TPM with `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7`
+
+After setup, `nixos-rebuild switch/boot` works as usual — lanzaboote automatically signs
+each new generation.
+
+### Security Considerations
+
+**Protected against:**
+- Offline disk read (pull SSD, boot USB)
+- Boot chain tampering (unsigned code won't boot)
+- Cmdline editing (locked into signed UKI)
+
+**Remaining attack surface:**
+- Stolen while suspended — disk is decrypted in RAM, only screen lock protects.
+  Consider hibernate instead of suspend (hibernate locks LUKS since RAM is powered off).
+- Network services — system is fully running after boot, exposed services are reachable
+- DMA attacks via Thunderbolt/PCIe — mitigated by IOMMU (should be on by default)
+- Cold boot attacks — exotic, requires freezing RAM
+
+For a stolen-laptop scenario this is solid. The biggest practical risk is theft while
+the laptop is suspended.
+
+### Other Considered Alternatives
+
+- **BIOS update from Lenovo** fixing the PS/2 controller init sequence
+- **Kernel patch** to handle the failed enable more gracefully
+- **TPM + PIN** — not viable due to the same PS/2 keyboard issue at the PIN prompt
+
+## Current Workaround
+
+Use an external USB keyboard to enter the LUKS password at boot.

flake.lock

@@ -1,5 +1,23 @@
 {
   "nodes": {
+    "catppuccin": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1772983749,
+        "narHash": "sha256-IRC/YpTVMDr/lMmWMEc+JU4d+L9z3v38jZuj0jSLaW0=",
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "3594e4c94994515e0e32884dad20ca70ae88fc49",
+        "type": "github"
+      },
+      "original": {
+        "owner": "catppuccin",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
     "ghettoptt": {
       "inputs": {
         "nixpkgs": [
@@ -7,18 +25,18 @@
         ]
       },
       "locked": {
-        "lastModified": 1728602333,
-        "narHash": "sha256-sKbnng/g4ijuKcjShBi7oPxyUrCnMJDDy17U9W/TuMg=",
+        "lastModified": 1773164481,
+        "narHash": "sha256-pAHExVIUqQdnaKniNTdlxheQ/IOU3nTeEV/DRrCc8wg=",
         "ref": "master",
-        "rev": "84fcfdde62de9888d3af8bcb0d7134137b276b55",
-        "revCount": 23,
+        "rev": "bb7f415c08d6189514dce8c43d69eea6372f0528",
+        "revCount": 24,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/ghettoptt"
+        "url": "https://code.t-juice.club/torjus/ghettoptt"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/ghettoptt"
+        "url": "https://code.t-juice.club/torjus/ghettoptt"
       }
     },
     "home-manager": {
@@ -28,11 +46,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769776025,
-        "narHash": "sha256-70a1kVC08AMTvPc7iqQsJbbD4Y1fukakMVudz4oY9SM=",
+        "lastModified": 1772985285,
+        "narHash": "sha256-wEEmvfqJcl9J0wyMgMrj1TixOgInBW/6tLPhWGoZE3s=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0fba737f8d5571d41467f3d99a878e11b8c0f0f0",
+        "rev": "5be5d8245cbc7bc0c09fbb5f38f23f223c543f85",
         "type": "github"
       },
       "original": {
@@ -51,18 +69,18 @@
         "uv2nix": "uv2nix"
       },
       "locked": {
-        "lastModified": 1757974387,
-        "narHash": "sha256-vVFZTB3NxJCH91aaAtop3MEZcilPQ273epV1gcnQE4s=",
+        "lastModified": 1773164725,
+        "narHash": "sha256-FNW+hOB6NCEpZt73FPiafLBPfwnSdTJeaGNCN3r+zEQ=",
         "ref": "master",
-        "rev": "b341e613337b87cef7a0f4ea05d677288cafa3fb",
-        "revCount": 33,
+        "rev": "e5226d3e32180eb59edae6c29053854dda82750c",
+        "revCount": 34,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/huecli"
+        "url": "https://code.t-juice.club/torjus/huecli"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/huecli"
+        "url": "https://code.t-juice.club/torjus/huecli"
       }
     },
     "natstonotify": {
@@ -72,18 +90,18 @@
         ]
       },
       "locked": {
-        "lastModified": 1739302828,
-        "narHash": "sha256-D6l5tAh1FDpdz9/tQC7kYhFPQzqI1HICwNh7fRejfrw=",
+        "lastModified": 1773164311,
+        "narHash": "sha256-HRR4TBCGp5okWW2eV6vUTYAhUR7I+MNADtlOaIe8fec=",
         "ref": "master",
-        "rev": "bfcf518fe0b2fe19075667f7b22227376d102509",
-        "revCount": 7,
+        "rev": "7e784076242f4bbcf63a35c14ea752bf7a285d8a",
+        "revCount": 8,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/natstonotify"
+        "url": "https://code.t-juice.club/torjus/natstonotify"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/natstonotify"
+        "url": "https://code.t-juice.club/torjus/natstonotify"
       }
     },
     "nix-packages": {
@@ -93,31 +111,31 @@
         ]
       },
       "locked": {
-        "lastModified": 1757017925,
-        "narHash": "sha256-QC1SkvyU5nQ32lju2GYK9ozuh/JYWXfWK/T7OC6dVls=",
+        "lastModified": 1773106737,
+        "narHash": "sha256-/XL6Dn+SehMGlXvuKubNMcTk4iq2J75Z5cVO+HkIfDY=",
         "ref": "master",
-        "rev": "7723cb45020e1f561f527779540faa5901d34e4d",
-        "revCount": 31,
+        "rev": "295b0bf12ec1849564bdaa8fc2cd0f19af1a2715",
+        "revCount": 47,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/nix-packages"
+        "url": "https://code.t-juice.club/torjus/nix-packages"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/nix-packages"
+        "url": "https://code.t-juice.club/torjus/nix-packages"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1769461804,
-        "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
-        "owner": "nixos",
+        "lastModified": 1772773019,
+        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
+        "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
+        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
         "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
@@ -139,6 +157,22 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1772773019,
+        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixprstatus": {
       "inputs": {
         "nixpkgs": [
@@ -149,18 +183,18 @@
         "uv2nix": "uv2nix_2"
       },
       "locked": {
-        "lastModified": 1767871861,
-        "narHash": "sha256-Oh0Y9bTvvMm3JQH/C/8XLCeemgvMDbIgFh1NSYFyINY=",
+        "lastModified": 1773164966,
+        "narHash": "sha256-uwkLjHH6BmNzcF791y9ceUcfZtRu/v0+61d4/TbGLxY=",
         "ref": "master",
-        "rev": "b4e3e6de659bf8c96b84dd47249c71b357dd50c2",
-        "revCount": 62,
+        "rev": "61c04a87f944cfc93b9f3f2904991c41664e28c5",
+        "revCount": 63,
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/nixprstatus"
+        "url": "https://code.t-juice.club/torjus/nixprstatus"
       },
       "original": {
         "ref": "master",
         "type": "git",
-        "url": "https://git.t-juice.club/torjus/nixprstatus"
+        "url": "https://code.t-juice.club/torjus/nixprstatus"
       }
     },
     "pyproject-build-systems": {
@@ -265,12 +299,13 @@
     },
     "root": {
       "inputs": {
+        "catppuccin": "catppuccin",
         "ghettoptt": "ghettoptt",
         "home-manager": "home-manager",
         "huecli": "huecli",
         "natstonotify": "natstonotify",
         "nix-packages": "nix-packages",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-stable": "nixpkgs-stable",
         "nixprstatus": "nixprstatus",
         "sops-nix": "sops-nix"
@@ -283,11 +318,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769469829,
-        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
+        "lastModified": 1772944399,
+        "narHash": "sha256-xTzsSd3r5HBeufSZ3fszAn0ldfKctvsYG7tT2YJg5gY=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
+        "rev": "c8e69670b316d6788e435a3aa0bda74eb1b82cc0",
         "type": "github"
       },
       "original": {

flake.nix

@@ -13,25 +13,28 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     ghettoptt = {
-      url = "git+https://git.t-juice.club/torjus/ghettoptt?ref=master";
+      url = "git+https://code.t-juice.club/torjus/ghettoptt?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     huecli = {
-      url = "git+https://git.t-juice.club/torjus/huecli?ref=master";
+      url = "git+https://code.t-juice.club/torjus/huecli?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nix-packages = {
-      url = "git+https://git.t-juice.club/torjus/nix-packages?ref=master";
+      url = "git+https://code.t-juice.club/torjus/nix-packages?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nixprstatus = {
-      url = "git+https://git.t-juice.club/torjus/nixprstatus?ref=master";
+      url = "git+https://code.t-juice.club/torjus/nixprstatus?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     natstonotify = {
-      url = "git+https://git.t-juice.club/torjus/natstonotify?ref=master";
+      url = "git+https://code.t-juice.club/torjus/natstonotify?ref=master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    catppuccin = {
+      url = "github:catppuccin/nix";
+    };
   };
 
   outputs =
@@ -45,6 +48,7 @@
       huecli,
       natstonotify,
       nix-packages,
+      catppuccin,
       ...
     }@inputs:
     let

home/editor/neovim/default.nix

@@ -16,17 +16,21 @@
         cmp_luasnip
         copilot-cmp
         copilot-lua
-        lsp-zero-nvim
+        gitsigns-nvim
+        indent-blankline-nvim
         lualine-nvim
         luasnip
         nvim-cmp
         nvim-lspconfig
         plenary-nvim
         telescope-nvim
+        telescope-fzf-native-nvim
+        todo-comments-nvim
+        trouble-nvim
         undotree
         vim-floaterm
-        vim-fugitive
         vim-sleuth
+        which-key-nvim
         (nvim-treesitter.withPlugins (p: [
           p.tree-sitter-yaml
           p.tree-sitter-nix
@@ -57,14 +61,13 @@
 
     # LSPs
     gopls
-    pyright
+    basedpyright
     nodePackages.typescript-language-server
     nodePackages.typescript
     nil
     yaml-language-server
     lua-language-server
     clang-tools
-    zls
     ruff
   ];
   home.sessionVariables.EDITOR = "nvim";

home/editor/neovim/keybinds.lua

@@ -1,32 +1,57 @@
 -- Keybinds
-vim.keymap.set("n", "<Leader>ds", vim.diagnostic.open_float, { desc = "Show diagnostic" })
+
+-- Diagnostics
+vim.keymap.set("n", "<leader>ds", vim.diagnostic.open_float, { desc = "Show diagnostic" })
+vim.keymap.set("n", "<leader>dd", '<cmd>Trouble diagnostics toggle<CR>', { desc = "Diagnostics list" })
+vim.keymap.set("n", "<leader>db", '<cmd>Trouble diagnostics toggle filter.buf=0<CR>', { desc = "Buffer diagnostics" })
 
 -- Term
-vim.g.floaterm_keymap_toggle = '<leader>ft'
+vim.g.floaterm_keymap_toggle = '<leader>T'
 
 -- Tabs
-vim.keymap.set('n', '<leader>n', ':tabnew<CR>',
-	{ silent = true, desc = '[N]ew tab' })
-vim.keymap.set('n', '<leader>p', ':tabnext<CR>',
-	{ silent = true, desc = '[p]Next tab' })
-vim.keymap.set('n', '<leader>P', ':tabprev<CR>',
-	{ silent = true, desc = '[P]Previous tab' })
+vim.keymap.set('n', '<leader>tn', ':tabnew<CR>',
+	{ silent = true, desc = 'New tab' })
+vim.keymap.set('n', '<leader>tp', ':tabnext<CR>',
+	{ silent = true, desc = 'Next tab' })
+vim.keymap.set('n', '<leader>tP', ':tabprev<CR>',
+	{ silent = true, desc = 'Previous tab' })
 
 -- Telescope
 vim.keymap.set('n', '<leader>?', require('telescope.builtin').oldfiles,
-	{ desc = '[?] FInd recently opened files' })
+	{ desc = 'Find recently opened files' })
 vim.keymap.set('n', '<leader>ff', require('telescope.builtin').find_files,
-	{ desc = '[F]ind [F]iles' })
-vim.keymap.set('n', '<leader>ff', require('telescope.builtin').find_files,
-	{ desc = '[F]ind [F]iles' })
+	{ desc = 'Find files' })
 vim.keymap.set('n', '<leader>fg', require('telescope.builtin').live_grep,
-	{ desc = '[F]ind by [G]rep' })
+	{ desc = 'Find by grep' })
+vim.keymap.set('n', '<leader>fb', require('telescope.builtin').buffers,
+	{ desc = 'Find buffers' })
+vim.keymap.set('n', '<leader>fd', require('telescope.builtin').diagnostics,
+	{ desc = 'Find diagnostics' })
+vim.keymap.set('n', '<leader>fw', require('telescope.builtin').grep_string,
+	{ desc = 'Find word under cursor' })
 
--- Tabs
-vim.keymap.set('n', '<leader>tt', ':tabnew<cr>')
-vim.keymap.set('n', '<leader>tn', ':tabnext<cr>')
-vim.keymap.set('n', '<leader>tp', ':tabprevious<cr>')
+-- Undotree
+vim.keymap.set('n', '<leader>u', vim.cmd.UndotreeToggle,
+	{ desc = 'Toggle undotree' })
+
+-- Gitsigns
+local gs = require('gitsigns')
+vim.keymap.set('n', ']h', gs.next_hunk, { desc = 'Next git hunk' })
+vim.keymap.set('n', '[h', gs.prev_hunk, { desc = 'Previous git hunk' })
+vim.keymap.set('n', '<leader>gs', gs.stage_hunk, { desc = 'Stage hunk' })
+vim.keymap.set('n', '<leader>gr', gs.reset_hunk, { desc = 'Reset hunk' })
+vim.keymap.set('n', '<leader>gS', gs.stage_buffer, { desc = 'Stage buffer' })
+vim.keymap.set('n', '<leader>gR', gs.reset_buffer, { desc = 'Reset buffer' })
+vim.keymap.set('n', '<leader>gp', gs.preview_hunk, { desc = 'Preview hunk' })
+vim.keymap.set('n', '<leader>gb', gs.blame_line, { desc = 'Blame line' })
+
+-- Todo comments
+vim.keymap.set('n', ']t', function() require('todo-comments').jump_next() end, { desc = 'Next todo comment' })
+vim.keymap.set('n', '[t', function() require('todo-comments').jump_prev() end, { desc = 'Previous todo comment' })
+vim.keymap.set('n', '<leader>ft', '<cmd>TodoTelescope<CR>', { desc = 'Find TODOs' })
 
 -- LSP
-vim.keymap.set('n', 'gD', vim.lsp.buf.declaration)
-vim.keymap.set('n', 'gd', vim.lsp.buf.definition)
+vim.keymap.set('n', '<leader>lr', vim.lsp.buf.rename, { desc = 'Rename' })
+vim.keymap.set('n', '<leader>la', vim.lsp.buf.code_action, { desc = 'Code action' })
+vim.keymap.set('n', '<leader>lf', function() vim.lsp.buf.format({ async = false }) end,
+	{ desc = 'Format' })

home/editor/neovim/plugins.lua

@@ -1,25 +1,13 @@
 -- Plugins
 
--- LSP stuff
-local lsp_zero = require('lsp-zero')
-
-
-lsp_zero.on_attach(function(_, bufnr)
-	lsp_zero.default_keymaps({ buffer = bufnr })
-end)
-
-lsp_zero.format_on_save({
-	format_opts = {
-		async = false,
-		timeout_ms = 10000,
-	},
-	servers = {
-		['gopls'] = { 'go' },
-		['nil_ls'] = { 'nix' },
-		['lua_ls'] = { 'lua' },
-		['ts_ls'] = { 'typescript', 'javascript', 'typescriptreact' },
-	},
+-- Format on save for nix, lua, ts/js
+vim.api.nvim_create_autocmd("BufWritePre", {
+	pattern = { "*.nix", "*.lua", "*.ts", "*.tsx", "*.js" },
+	callback = function()
+		vim.lsp.buf.format({ async = false, timeout_ms = 10000 })
+	end,
 })
+
 -- LSP: go
 vim.lsp.config("gopls", {
 	settings = {
@@ -158,14 +146,12 @@ vim.api.nvim_create_autocmd("LspAttach", {
 	desc = 'LSP: Disable hover capability from Ruff',
 })
 
--- Pyright
-vim.lsp.config("pyright", {
+-- Basedpyright
+vim.lsp.config("basedpyright", {
 	settings = {
-		pyright = {
+		basedpyright = {
 			-- Using Ruff's import organizer
 			disableOrganizeImports = true,
-		},
-		python = {
 			analysis = {
 				-- Ignore all files for analysis to exclusively use Ruff for linting
 				ignore = { '*' },
@@ -173,7 +159,10 @@ vim.lsp.config("pyright", {
 		},
 	},
 })
-vim.lsp.enable({ "pyright" })
+vim.lsp.enable({ "basedpyright" })
+
+-- Gitsigns
+require('gitsigns').setup()
 
 -- Telescope
 require('telescope').setup({
@@ -186,8 +175,9 @@ require('telescope').setup({
 		}
 	},
 })
+require('telescope').load_extension('fzf')
 
--- Tresitter stuff
+-- Treesitter
 require('nvim-treesitter').setup {
 	ensure_installed = {},
 	auto_install = false,
@@ -262,12 +252,12 @@ require('copilot_cmp').setup()
 
 -- Cmp
 local cmp = require('cmp')
-local cmp_action = lsp_zero.cmp_action()
+local luasnip = require('luasnip')
 
 cmp.setup({
 	snippet = {
 		expand = function(args)
-			require('luasnip').lsp_expand(args.body)
+			luasnip.lsp_expand(args.body)
 		end,
 	},
 	mapping = cmp.mapping.preset.insert({
@@ -275,9 +265,25 @@ cmp.setup({
 		['<CR>'] = cmp.mapping.confirm({ select = false }),
 		-- Ctrl+Space to open completion menu
 		['<C-Space>'] = cmp.mapping.complete(),
-		-- Move between snippet placeholders
-		['<C-f>'] = cmp_action.luasnip_jump_forward(),
-		['<C-b>'] = cmp_action.luasnip_jump_backward(),
+		-- Tab to select next item or jump in snippet
+		['<Tab>'] = cmp.mapping(function(fallback)
+			if cmp.visible() then
+				cmp.select_next_item()
+			elseif luasnip.expand_or_jumpable() then
+				luasnip.expand_or_jump()
+			else
+				fallback()
+			end
+		end, { 'i', 's' }),
+		['<S-Tab>'] = cmp.mapping(function(fallback)
+			if cmp.visible() then
+				cmp.select_prev_item()
+			elseif luasnip.jumpable(-1) then
+				luasnip.jump(-1)
+			else
+				fallback()
+			end
+		end, { 'i', 's' }),
 		-- Scroll in completion docs
 		['<C-k>'] = cmp.mapping.scroll_docs(-4),
 		['<C-j>'] = cmp.mapping.scroll_docs(4),
@@ -292,6 +298,29 @@ cmp.setup({
 })
 
 
+-- Indent blankline
+require('ibl').setup()
+
+-- Trouble
+require('trouble').setup({
+	icons = false,
+})
+
+-- Todo comments
+require('todo-comments').setup({
+	signs = false,
+})
+
+-- Which-key
+require('which-key').setup()
+require('which-key').add({
+	{ "<leader>d", group = "Diagnostics" },
+	{ "<leader>f", group = "Find" },
+	{ "<leader>g", group = "Git" },
+	{ "<leader>l", group = "LSP" },
+	{ "<leader>t", group = "Tabs" },
+})
+
 -- Colorscheme
 require('catppuccin').setup {
 }

home/hosts/gunter/default.nix

@@ -17,22 +17,26 @@
       {
         imports = [
           inputs.sops-nix.homeManagerModules.sops
+          inputs.catppuccin.homeModules.catppuccin
           ../../editor/neovim
           ../../hyprland
           ../../packages
           ../../programs/dunst
           ../../programs/git
+          ../../programs/gtk
           ../../programs/firefox
           ../../programs/kitty
           ../../programs/obs-studio
           ../../programs/rofi
           ../../programs/streamcontroller
           ../../programs/tmux
+          ../../programs/claude-code
           ../../programs/vscode
           ../../scripts
           ../../services/backup-home.nix
           ../../services/ghettoptt.nix
           ../../services/natstonotify.nix
+          ../../services/labmcp.nix
           ../../sops
           ../../ssh
           ../../zsh
@@ -106,6 +110,8 @@
         };
         programs.home-manager.enable = true;
 
+        services.dunst.settings.global.monitor = "DP-1";
+
         # Custom options
         torjus.home.obs = {
           enable = true;

home/hosts/magicman/default.nix

@@ -17,16 +17,19 @@
       {
         imports = [
           inputs.sops-nix.homeManagerModules.sops
+          inputs.catppuccin.homeModules.catppuccin
           ../../sops
+          ../../services/labmcp.nix
           ../../editor/neovim
+          ../../programs/claude-code
           ../../programs/firefox
           ../../programs/tmux
           ../../programs/dunst
           ../../programs/kitty
+          ../../programs/gtk
           ../../programs/rofi
           ../../programs/obs-studio
           ../../programs/vscode
-          ../../programs/pywal
           ../../scripts
           ../../scripts/batlvl.nix
           ../../zsh
@@ -38,6 +41,11 @@
         tmux.enable = true;
         hyprland.enable = true;
         hyprland.monitors = [ "eDP-1,1920x1080@60,0x0,1" ];
+        wayland.windowManager.hyprland.settings = {
+          input.touchpad = {
+            natural_scroll = false;
+          };
+        };
         hyprland.extraKeybinds = [
           # Workspace keybinds
           "$mainMod,1,workspace,1"
@@ -58,6 +66,7 @@
           homeDirectory = "/home/${user}";
           stateVersion = "23.11";
         };
+        services.dunst.settings.global.monitor = "eDP-1";
         torjus.home.obs.enable = true;
         programs.home-manager.enable = true;
       };

home/hyprland/cursor.nix

@@ -9,5 +9,4 @@
     size = 32;
   };
 
-  gtk.enable = true;
 }

home/hyprland/default.nix

@@ -73,7 +73,6 @@ in
       [
         dunst
         hyprpaper
-        rofi
         slurp
         swww
         waybar
@@ -183,7 +182,10 @@ in
           name = "wacom-one-by-wacom-m-pen";
         };
 
-        cursor = optionalAttrs cfg.cursorNoHardware {
+        cursor = {
+          hide_on_key_press = true;
+        }
+        // optionalAttrs cfg.cursorNoHardware {
           no_hardware_cursors = true;
         };
 
@@ -204,6 +206,7 @@ in
           gaps_out = 10;
           border_size = 2;
           layout = "dwindle";
+          resize_on_border = true;
         };
 
         animations = {
@@ -233,10 +236,14 @@ in
         misc = {
           force_default_wallpaper = 0;
           disable_hyprland_logo = true;
+          disable_splash_rendering = true;
+          key_press_enables_dpms = true;
+          mouse_move_enables_dpms = true;
         };
 
         ecosystem = {
           no_update_news = true;
+          no_donation_nag = true;
         };
 
         windowrule = [
@@ -247,8 +254,9 @@ in
           }
         ];
 
-        workspace =
-          [ "special:special, on-created-empty:kitty, rounding:true, decorate:false, border:false" ]
+        workspace = [
+          "special:special, on-created-empty:kitty, rounding:true, decorate:false, border:false"
+        ]
         ++ cfg.extraWorkspaces;
 
         bindm = [
@@ -260,8 +268,9 @@ in
           # term
           "$mainMod,Return,exec,$term"
           # rofi
-          "$mainMod,D,exec,rofi-launcher"
+          "$mainMod,D,exec,rofi -show drun"
           "$mainMod,P,exec,rofi-rbw"
+          "$mainMod,E,exec,rofi -show emoji"
           # hyprlock
           "$shiftMainMod,l,exec,${pkgs.hyprlock}/bin/hyprlock"
           # hyprland

home/hyprland/waybar/default.nix

@@ -14,8 +14,9 @@ let
     dontUnpack = true;
     installPhase = "install -Dm755 ${./arrhist.py} $out/bin/arrhist";
   };
-  withArrhist = if (osConfig.system.name == "gunter") then true else false;
-  withBattery = if (osConfig.system.name == "magicman") then true else false;
+  cfg = osConfig.host.capabilities;
+  withArrhist = cfg.enableArrhist;
+  withBattery = cfg.hasBattery;
 in
 {
   sops.secrets."sonarr_base_url" = { };
@@ -23,15 +24,9 @@ in
   sops.secrets."radarr_base_url" = { };
   sops.secrets."radarr_api_key" = { };
 
-  xdg.configFile."waybar/macchiato.css" = {
-    source =
-      pkgs.fetchFromGitHub {
-        owner = "catppuccin";
-        repo = "waybar";
-        rev = "f74ab1eecf2dcaf22569b396eed53b2b2fbe8aff";
-        sha256 = "WLJMA2X20E5PCPg0ZPtSop0bfmu+pLImP9t8A8V4QK8=";
-      }
-      + "/themes/macchiato.css";
+  catppuccin.waybar = {
+    enable = true;
+    flavor = "macchiato";
   };
 
   programs.waybar = {
@@ -41,7 +36,6 @@ in
       target = "graphical-session.target";
     };
     style = ''
-      @import "macchiato.css";
       * {
         border: none;
         font-family: "JetbrainsMono Nerd Font";
@@ -136,6 +130,7 @@ in
       #pulseaudio,
       #network,
       #battery,
+      #disk,
       #custom-powermenu,
       #custom-arrhist {
         padding-left: 12px;
@@ -153,7 +148,7 @@ in
     settings = [
       (
         let
-          volInterval = if (osConfig.system.name == "gunter") then "5" else "1";
+          volInterval = toString cfg.volumeScrollStep;
         in
         {
           "layer" = "top";
@@ -163,6 +158,7 @@ in
             (lib.mkIf (withArrhist) "custom/arrhist")
             "pulseaudio"
             "pulseaudio#microphone"
+            "disk"
             "memory"
             "cpu"
             (lib.mkIf (withBattery) "battery")
@@ -216,6 +212,15 @@ in
             "interval" = 3;
             "format" = " {usage}%";
           };
+          "disk" = {
+            "interval" = 30;
+            "format" = "󰋊 {percentage_used}%";
+            "path" = "/";
+            "tooltip-format" = "{used} / {total}";
+            "states" = {
+              "warning" = 85;
+            };
+          };
           "tray" = {
             "icon-size" = 15;
             "spacing" = 6;

home/packages/default.nix

@@ -1,6 +1,6 @@
 { pkgs, osConfig, ... }:
 let
-  withCuda = if (osConfig.system.name == "gunter") then true else false;
+  withCuda = osConfig.host.capabilities.hasCuda;
 in
 {
   imports = [
@@ -13,7 +13,6 @@ in
     bat
     bzip2
     chromium
-    claude-code
     croc
     devenv
     distrobox
@@ -31,6 +30,7 @@ in
     kubectl
     lazygit
     lf
+    mdcat
     ncdu
     nvd
     nurl
@@ -57,7 +57,6 @@ in
     alacritty
     discord
     feh
-    krita
     mpv
     mumble
     pamixer
@@ -99,6 +98,7 @@ in
     rust-analyzer
 
     # Homemade shit
+    forgejo-mcp
     ghettoptt
     huecli
     nixprstatus
@@ -116,7 +116,7 @@ in
     (lutris.override {
       extraLibraries = pkgs: [
         nspr
-        xorg.libXdamage
+        libxdamage
       ];
     })
   ];

home/programs/claude-code/agents/docs-verifier.md

@@ -0,0 +1,72 @@
+---
+name: docs-verifier
+description: Verifies documentation accuracy against current codebase state. Use when you need to check if documentation is still correct and get recommendations for updates.
+tools: Read, Grep, Glob
+---
+
+You are a documentation verification agent. Your task is to verify that documentation accurately reflects the current state of the codebase.
+
+## Input
+
+You will receive a path to a documentation file. Your job is to:
+
+1. **Read and understand the documentation** - Parse the document to understand what it claims about the codebase (commands, file paths, configurations, architecture, etc.)
+
+2. **Verify each claim** - For each verifiable claim in the documentation:
+   - Find the relevant source files, configurations, or scripts
+   - Check if the documented behavior/structure still matches reality
+   - Note any discrepancies
+
+3. **Analyze discrepancies** - For each discrepancy found, determine the likely cause:
+   - Code changed and docs weren't updated
+   - Documentation was aspirational/planned but not implemented
+   - The documented feature was removed or deprecated
+   - The documented item is dynamic/frequently changing
+
+## Output
+
+Provide a structured report with the following sections:
+
+### Summary
+One paragraph overview of the documentation's accuracy status.
+
+### Verified Claims
+List claims that were verified as correct (brief, can be grouped).
+
+### Discrepancies Found
+For each discrepancy:
+- **Location**: Where in the documentation
+- **Claim**: What the documentation says
+- **Reality**: What the current state actually is
+- **Evidence**: File paths and relevant snippets showing the discrepancy
+
+### Recommendations
+For each discrepancy, recommend ONE of:
+
+1. **Update documentation** - When the code change is intentional and the docs are simply stale
+   - Provide the specific changes needed
+
+2. **Update code** - When the documentation describes the correct/intended behavior and the code has regressed or drifted
+   - Explain what code changes would be needed
+
+3. **Add volatility notice** - When the documented item is inherently dynamic (version numbers, generated values, frequently changing configs)
+   - Suggest wording like "This value may change" or recommend removing the specific value
+
+4. **Remove documentation** - When the documented feature no longer exists and shouldn't be restored
+   - Explain why removal is appropriate
+
+### Priority
+Rate the overall urgency: **Critical** / **High** / **Medium** / **Low** / **None**
+- Critical: Documentation actively misleads users into breaking things
+- High: Major features are incorrectly documented
+- Medium: Minor inaccuracies that could cause confusion
+- Low: Cosmetic issues or very minor discrepancies
+- None: Documentation is accurate
+
+## Guidelines
+
+- Be thorough but efficient - verify claims that matter, don't get stuck on trivialities
+- When searching for related files, use glob patterns and grep effectively
+- Quote specific file paths and line numbers as evidence
+- Keep the report concise and actionable
+- Focus on factual accuracy, not style or formatting suggestions

home/programs/claude-code/agents/security-reviewer.md

@@ -0,0 +1,52 @@
+---
+name: security-reviewer
+description: Security expert that reviews code for vulnerabilities, API key exposure, and security best practices. Use proactively after code changes to identify security issues.
+tools: Read, Grep, Glob, Bash
+---
+
+You are a security-focused code reviewer specializing in vulnerability detection.
+
+When reviewing code, if you are analyzing the master branch. You should review all code.
+
+If working on a feature branch, only review the changes in that branch. Keep responses short and to the point.
+
+When reviewing code, analyze for:
+
+## Common Vulnerabilities
+- Injection attacks (SQL, command, XPath, LDAP)
+- Cross-site scripting (XSS)
+- Cross-site request forgery (CSRF)
+- Insecure deserialization
+- Broken authentication/authorization
+
+## Secrets and Credentials
+- Hardcoded API keys, tokens, or passwords
+- Credentials in configuration files
+- Secrets committed to version control
+- Insecure credential storage
+
+## Input Handling
+- Missing input validation
+- Insufficient sanitization
+- Buffer overflows
+- Path traversal vulnerabilities
+
+## Cryptography
+- Weak hashing algorithms (MD5, SHA1 for security purposes)
+- Insecure random number generation
+- Improper key management
+- Missing encryption for sensitive data
+
+## Other Concerns
+- Overly permissive file/directory permissions
+- Privilege escalation risks
+- Insecure dependencies
+- Information disclosure in error messages
+- Race conditions
+
+For each issue found, provide:
+- **Severity**: Critical / High / Medium / Low
+- **Location**: File and line number
+- **Issue**: Clear explanation of the vulnerability
+- **Impact**: What an attacker could achieve
+- **Fix**: Recommended remediation with code example if applicable

home/programs/claude-code/default.nix

@@ -0,0 +1,81 @@
+{ pkgs, config, ... }:
+let
+  forgejo-mcp-wrapper = pkgs.writeShellScript "forgejo-mcp-wrapper" ''
+    export FORGEJO_ACCESS_TOKEN="$(cat ${config.sops.secrets.forgejo_access_token.path})"
+    exec forgejo-mcp --transport stdio --url https://code.t-juice.club
+  '';
+in
+{
+  sops.secrets."forgejo_access_token" = { };
+
+  programs.claude-code = {
+    enable = true;
+    package = pkgs.claude-code-bin;
+
+    agents = {
+      docs-verifier = ./agents/docs-verifier.md;
+      security-reviewer = ./agents/security-reviewer.md;
+    };
+
+    skills = {
+      pr = ./skills/pr;
+    };
+
+    mcpServers = {
+      forgejo = {
+        type = "stdio";
+        command = "${forgejo-mcp-wrapper}";
+      };
+    };
+
+    settings = {
+      model = "opus";
+      enabledPlugins = {
+        "gopls-lsp@claude-plugins-official" = true;
+      };
+      env = {
+        DISABLE_AUTOUPDATER = "1";
+      };
+      permissions = {
+        allow = [
+          "Bash(git diff:*)"
+          "Bash(git log:*)"
+          "Bash(git branch:*)"
+          "Bash(git commit:*)"
+          "Bash(git status:*)"
+          "Bash(git add:*)"
+          "Bash(nix build:*)"
+          "Bash(nix fmt:*)"
+          "Bash(nix flake check:*)"
+          "Bash(nix flake show:*)"
+          "Bash(nix eval:*)"
+          "Bash(nvd diff:*)"
+        ];
+        deny = [
+          "Read(*.tfvars)"
+          "Read(**/*.tfvars)"
+          "Read(.env)"
+          "Read(**/.env)"
+          "Read(~/.ssh/*)"
+        ];
+      };
+      hooks = {
+        PostToolUse = [
+          {
+            matcher = "EnterPlanMode";
+            hooks = [
+              {
+                type = "command";
+                command = "echo 'A plan is being created. If this session has not been renamed yet, suggest a concise, descriptive session name based on the conversation so far and ask the user to run /rename <suggested-name>.'";
+              }
+            ];
+          }
+        ];
+      };
+      statusLine = {
+        type = "command";
+        command = ''input=$(cat); echo "$(basename "$(echo "$input" | jq -r '.workspace.current_dir')") | $(echo "$input" | jq -r '.model.display_name')"'';
+      };
+    };
+  };
+}

home/programs/claude-code/skills/pr/SKILL.md

@@ -0,0 +1,119 @@
+---
+name: pr
+description: Generate a PR summary from the current feature branch and copy it to the clipboard.
+argument-hint: [optional: additional context or focus areas]
+user-invocable-only: true
+---
+
+# PR Summary Generator
+
+Generate a concise PR summary comparing the current branch to the main branch (master), and copy it to the clipboard.
+
+## Input
+
+Optional user context: $ARGUMENTS
+
+## Process
+
+1. **Get branch info**: Use git to determine:
+   - Current branch name
+   - Main branch (master)
+   - Verify we're not on master (warn if we are)
+
+2. **Gather commit information**: Use the git-explorer MCP tools:
+   - `commits_between` to get all commits from master to HEAD
+   - `get_commit_info` for each commit to see the full message and changes
+
+3. **Evaluate commit hygiene** (CRITICAL - do this before generating summary):
+
+   Review all commits and check for issues that suggest squashing:
+   - **Fixup commits**: Messages like "fix", "fixup", "oops", "typo", "forgot", "WIP"
+   - **Iterative fixes**: Multiple commits touching the same file for the same logical change
+   - **Broken intermediate states**: Commits that introduce then immediately fix issues
+   - **Noise commits**: Very small changes that don't warrant their own commit
+   - **Related changes split unnecessarily**: Commits that logically belong together
+
+   **If squashing is recommended**: STOP here. Do NOT generate PR summary or copy to clipboard.
+   Instead, respond with a short report:
+   - List which commits should be squashed together
+   - Explain briefly why (e.g., "fixup commit", "same logical change", "WIP")
+   - Suggest the resulting commit message(s)
+
+   **If commits look clean**: Continue to step 4.
+
+4. **Analyze the changes**:
+   - Group commits by topic/area if there are multiple
+   - Note the key files changed
+   - Understand the overall purpose of the branch
+
+5. **Generate the summary**: Create a markdown summary with:
+   - A "Summary" section with 2-4 bullet points describing what changed and why
+   - A "Changes" section listing key files/areas modified
+
+6. **Copy to clipboard**: Pipe the summary to `wl-copy`
+
+## Squash Recommendation Format
+
+When recommending squashing, respond like this:
+
+```
+Before creating a PR, I recommend squashing some commits:
+
+**Squash together:**
+- `abc123` "Add new feature"
+- `def456` "Fix typo in new feature"
+- `ghi789` "Forgot to add import"
+
+→ Suggested message: "Add new feature for X"
+
+**Reason:** These are iterative fixes to the same change.
+
+Run `git rebase -i master` to clean up, then invoke `/pr` again.
+```
+
+## Output Format
+
+```markdown
+## Summary
+
+- First key change or feature
+- Second key change
+- Additional context if needed
+
+## Changes
+
+- `path/to/file.nix` - Brief description of change
+- `path/to/other.nix` - Brief description
+```
+
+## Style Guidelines
+
+- **Concise**: Each bullet point should be one sentence
+- **Focus on "why"**: Explain the purpose, not just what files changed
+- **Group related changes**: Don't list every commit, summarize by area
+- **Technical accuracy**: Use correct terminology for the codebase
+- **No fluff**: Skip obvious statements like "this PR adds..."
+
+## Example
+
+For a branch with commits adding a new monitoring exporter:
+
+```markdown
+## Summary
+
+- Add systemd-exporter to all hosts for tracking service health metrics
+- Configure Prometheus scrape targets for the new exporter
+- Add Grafana dashboard for visualizing systemd unit status
+
+## Changes
+
+- `system/systemd-exporter.nix` - New module enabling systemd-exporter on all hosts
+- `services/monitoring/prometheus.nix` - Add scrape config for systemd-exporter job
+- `services/monitoring/grafana/dashboards/` - New systemd dashboard
+```
+
+## After Generating
+
+1. Confirm the summary was copied to clipboard
+2. Display the summary to the user so they can review it
+3. Mention they can paste it directly into a PR description

home/programs/dunst/default.nix

@@ -4,6 +4,11 @@
 }:
 
 {
+  catppuccin.dunst = {
+    enable = true;
+    flavor = "macchiato";
+  };
+
   services.dunst = {
     enable = true;
     iconTheme = {
@@ -13,7 +18,7 @@
     settings = {
       global = {
         origin = "top-right";
-        monitor = "4";
+        follow = "none";
         alignment = "left";
         vertical_alignment = "center";
         width = "(0, 400)";
@@ -36,10 +41,8 @@
         history_length = 20;
         always_run_script = true;
         corner_radius = 10;
-        # follow = "mouse";
-        font = "Source Sans Pro 10";
-        format = "<b>%s</b>\\n%b"; # format = "<span foreground='#f3f4f5'><b>%s %p</b></span>\n%b"
-        frame_color = "#232323";
+        font = "JetBrainsMono Nerd Font 10";
+        format = "<b>%s</b>\\n%b";
         frame_width = 1;
         offset = "(15, 15)";
         horizontal_padding = 10;
@@ -61,19 +64,6 @@
       fullscreen_delay_everything = {
         fullscreen = "delay";
       };
-
-      urgency_critical = {
-        background = "#d64e4e";
-        foreground = "#f0e0e0";
-      };
-      urgency_low = {
-        background = "#232323";
-        foreground = "#2596be";
-      };
-      urgency_normal = {
-        background = "#1e1e2a";
-        foreground = "#2596be";
-      };
     };
   };
 }

home/programs/gtk/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  gtk = {
+    enable = true;
+    theme = {
+      name = "catppuccin-macchiato-blue-standard";
+      package = pkgs.catppuccin-gtk.override {
+        variant = "macchiato";
+        accents = [ "blue" ];
+      };
+    };
+  };
+}

home/programs/obs-studio/default.nix

@@ -30,12 +30,12 @@
           .overrideAttrs
             (
               final: prev: {
-                version = "1.3.3";
+                version = "1.3.6";
                 src = pkgs.fetchFromGitHub {
-                  owner = "royshil";
+                  owner = "occ-ai";
                   repo = "obs-backgroundremoval";
                   rev = final.version;
-                  hash = "sha256-NDe71iDnVcnMilGr5kdbemq8jEKd3WW45tbMwxjqUwo=";
+                  hash = "sha256-2BVcOH7wh1ibHZmaTMmRph/jYchHcCbq8mn9wo4LQOU=";
                 };
                 nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
                 cmakeFlags = [

home/programs/rofi/config.rasi

@@ -1,17 +0,0 @@
-configuration{
-    modi: "run,drun,window";
-    icon-theme: "Oranchelo";
-    show-icons: true;
-    terminal: "alacritty";
-    drun-display-format: "{icon} {name}";
-    location: 0;
-    disable-history: false;
-    hide-scrollbar: true;
-    display-drun: "   Apps ";
-    display-run: "   Run ";
-    display-window: " 﩯  Window";
-    display-Network: " 󰤨  Network";
-    sidebar-mode: true;
-}
-
-@theme "latte"

home/programs/rofi/default.nix

@@ -1,27 +1,33 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
-  xdg.configFile."rofi/config.rasi" = {
-    source = ./config.rasi;
+  catppuccin.rofi = {
+    enable = true;
+    flavor = "macchiato";
   };
 
-  xdg.configFile."rofi/macchiato.rasi" = {
-    source =
-      pkgs.fetchFromGitHub {
-        owner = "catppuccin";
-        repo = "rofi";
-        rev = "5350da41a11814f950c3354f090b90d4674a95ce";
-        sha256 = "DNorfyl3C4RBclF2KDgwvQQwixpTwSRu7fIvihPN8JY=";
-      }
-      + "/basic/.local/share/rofi/themes/catppuccin-macchiato.rasi";
+  programs.rofi = {
+    enable = true;
+    terminal = "kitty";
+    location = "center";
+    font = "JetBrains Mono Nerd Font 12";
+    plugins = [
+      pkgs.rofi-emoji
+      pkgs.rofi-calc
+    ];
+    extraConfig = {
+      modi = "drun,ssh,window,calc,emoji";
+      matching = "fuzzy";
+      show-icons = true;
+      icon-theme = "Oranchelo";
+      drun-display-format = "{icon} {name}";
+      hide-scrollbar = true;
+      disable-history = false;
+      display-drun = "Apps";
+      display-ssh = "SSH";
+      display-window = "Window";
+      display-calc = "Calc";
+      display-emoji = "Emoji";
+      sidebar-mode = true;
     };
-  xdg.configFile."rofi/latte.rasi" = {
-    source =
-      pkgs.fetchFromGitHub {
-        owner = "catppuccin";
-        repo = "rofi";
-        rev = "5350da41a11814f950c3354f090b90d4674a95ce";
-        sha256 = "DNorfyl3C4RBclF2KDgwvQQwixpTwSRu7fIvihPN8JY=";
-      }
-      + "/basic/.local/share/rofi/themes/catppuccin-latte.rasi";
   };
 }

home/scripts/default.nix

@@ -7,10 +7,6 @@
     source = ./hl-no-opacity.sh;
     executable = true;
   };
-  home.file.".local/bin/rofi-launcher" = {
-    source = ./rofi-launcher.sh;
-    executable = true;
-  };
   home.file.".local/bin/randomwp" = {
     source = ./randomwp.sh;
     executable = true;

home/scripts/rofi-launcher.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-rofi \
-    -show drun \
-    -modi run,drun,ssh \
-    -scroll-method 0 \
-    -drun-match-fields all \
-    -drun-display-format "{name}" \
-    -terminal kitty

home/services/backup-home.nix

@@ -1,5 +1,14 @@
-{ pkgs, config, ... }:
+{
+  pkgs,
+  config,
+  lib,
+  osConfig,
+  ...
+}:
 let
+  cfg = osConfig.host.capabilities;
+  backupEnabled = cfg.backupRepository != null && cfg.backupPassword != null;
+
   # Backup home script
   backup-home = pkgs.writeShellApplication {
     name = "backup-home";
@@ -12,8 +21,8 @@ let
     ];
     text = ''
       echo "========== BACKUP HOME STARTING =========="
-      export RESTIC_PASSWORD="gunter.home.2rjus.net"
-      export RESTIC_REPOSITORY="rest:http://10.69.12.52:8000/gunter.home.2rjus.net"
+      export RESTIC_PASSWORD="${cfg.backupPassword}"
+      export RESTIC_REPOSITORY="${cfg.backupRepository}"
       SECRET_PATH="$XDG_CONFIG_HOME/sops-nix/secrets/gotify_backup_home"
 
       if ! [ -f "$SECRET_PATH" ]; then
@@ -53,7 +62,7 @@ let
           retval=$?
           if [ $retval -ne 0 ]; then
             curl "https://gotify.t-juice.club/message?token=$GOTIFY_TOKEN" \
-              -F "title=Backup of home@gunter failed!" \
+              -F "title=Backup of home@${osConfig.networking.hostName} failed!" \
               -F "message=Please check status of backup-home service"
           fi
       fi
@@ -92,9 +101,9 @@ let
   };
 in
 {
-  sops.secrets."gotify_backup_home" = { };
+  sops.secrets."gotify_backup_home" = lib.mkIf backupEnabled { };
 
-  systemd.user.services.backup-home = {
+  systemd.user.services.backup-home = lib.mkIf backupEnabled {
     Unit = {
       Description = "Backup home directory";
       After = [
@@ -107,7 +116,7 @@ in
       ExecStart = "${backup-home}/bin/backup-home";
     };
   };
-  systemd.user.timers.backup-home = {
+  systemd.user.timers.backup-home = lib.mkIf backupEnabled {
     Unit = {
       Description = "Backup home directory";
       After = [ "network.target" ];

home/services/labmcp.nix

@@ -0,0 +1,6 @@
+{
+  # Ensure runtime directory exists for labmcp MCP servers
+  systemd.user.tmpfiles.rules = [
+    "d %t/labmcp 0755 - - -"
+  ];
+}

home/ssh/config.nix

@@ -22,7 +22,7 @@ in
 
     matchBlocks = {
       "bmo.uio.no-on-eduroam" = (
-        lib.mkIf (osConfig.system.name == "magicman") (
+        lib.mkIf (osConfig.host.capabilities.hasEduroamAccess) (
           lib.hm.dag.entryBefore [ "bmo.uio.no" "*" ] {
             match = "host bmo.uio.no exec \"nmcli -g GENERAL.STATE c s eduroam|grep -q -E '\\bactiv'\"";
             hostname = "bmo.uio.no";

hosts/gunter/configuration.nix

@@ -31,14 +31,8 @@
       "mt76"
     ];
     # Kernel stuff
-    kernelPackages = pkgs.linuxPackages_latest;
-    # kernelPackages = lib.warn "Pinned to kernel 6.12 due to issues" pkgs.linuxPackages_6_12;
-    kernelParams = [
-      "quiet"
-      "splash"
-      "rd.systemd.show_status=false"
-      "module_blacklist=amdgpu"
-    ];
+    kernelPackages = lib.warn "Kernel pinned to 6.18 due to nvidia driver incompatibility with 6.19" pkgs.linuxPackages_6_18;
+    kernelParams = [ "module_blacklist=amdgpu" ];
 
     kernel.sysctl = {
       "vm.max_map_count" = 262144;
@@ -50,30 +44,34 @@
 
     # Bootloader stuff
     loader.systemd-boot = {
-      enable = true;
       configurationLimit = 10;
       memtest86.enable = true;
     };
-    loader.efi = {
-      canTouchEfiVariables = true;
-    };
     supportedFilesystems = [ "nfs" ];
   };
 
   # Networking stuff
   networking.hostName = "gunter"; # Define your hostname.
-  networking.networkmanager.enable = true;
-  networking.nftables.enable = true;
-  networking.firewall = {
-    enable = true;
-    allowedTCPPorts = [
-      8989
+  networking.firewall.allowedTCPPorts = [ 8989 ];
+
+  # Additional nix caches for homelab and CUDA
+  nix.settings = {
+    substituters = [
+      "https://nix-cache.home.2rjus.net"
+      "https://cuda-maintainers.cachix.org"
+    ];
+
+    trusted-substituters = [
+      "https://nix-cache.home.2rjus.net"
+      "https://cuda-maintainers.cachix.org"
+    ];
+
+    trusted-public-keys = [
+      "nix-cache02.home.2rjus.net-1:QyT5FAvJtV+EPQrgQQ6iV9JMg1kRiWuIAJftM35QMls="
+      "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
     ];
   };
 
-  # Set time stuff
-  time.timeZone = "Europe/Oslo";
-
   # Enable graphics
   hardware.graphics = {
     enable = true;
@@ -88,7 +86,7 @@
     modesetting.enable = true;
     powerManagement.enable = false;
     powerManagement.finegrained = false;
-    open = true;
+    open = false;
     nvidiaSettings = false;
 
     package = config.boot.kernelPackages.nvidiaPackages.beta;
@@ -105,7 +103,7 @@
     #     };
   };
 
-  # Setup hyprland
+  # Setup nvidia video drivers
   # nixpkgs.overlays = [
   #   (self: super: {
   #     hyprland = super.hyprland.override {
@@ -113,68 +111,20 @@
   #     };
   #   })
   # ];
-  services.displayManager.gdm.wayland = true;
-
-  services.xserver.enable = true;
   services.xserver.videoDrivers = [ "nvidia" ];
-  programs.hyprland = {
-    enable = true;
-    withUWSM = true;
-    xwayland.enable = true;
-    portalPackage = pkgs.xdg-desktop-portal-hyprland;
+
+  # Host capabilities
+  host.capabilities = {
+    hasCuda = true;
+    hasBattery = false;
+    formFactor = "desktop";
+    volumeScrollStep = 5;
+    enableArrhist = true;
+    hasEduroamAccess = false;
+    backupRepository = "rest:http://10.69.12.52:8000/gunter.home.2rjus.net";
+    backupPassword = "gunter.home.2rjus.net";
   };
 
-  # Setup common XDG env vars
-  environment.sessionVariables = rec {
-    XDG_CACHE_HOME = "$HOME/.cache";
-    XDG_CONFIG_HOME = "$HOME/.config";
-    XDG_DATA_HOME = "$HOME/.local/share";
-    XDG_STATE_HOME = "$HOME/.local/state";
-    XDG_BIN_HOME = "$HOME/.local/bin";
-    PATH = [ "${XDG_BIN_HOME}" ];
-  };
-
-  # Setup xdg portal
-  xdg.portal = {
-    enable = true;
-    xdgOpenUsePortal = true;
-    extraPortals = (
-      with pkgs;
-      [
-        # unstable.xdg-desktop-portal-hyprland
-        xdg-desktop-portal-gtk
-      ]
-    );
-  };
-
-  # Enable flakes
-  nix.settings = {
-    experimental-features = [
-      "nix-command"
-      "flakes"
-    ];
-    trusted-users = [
-      "root"
-      "torjus"
-    ];
-    trusted-substituters = [
-      "https://nix-cache.home.2rjus.net"
-      "https://cache.nixos.org"
-      "https://cuda-maintainers.cachix.org"
-    ];
-    substituters = [
-      "https://nix-cache.home.2rjus.net"
-      "https://cache.nixos.org"
-      "https://cuda-maintainers.cachix.org"
-    ];
-    trusted-public-keys = [
-      "nix-cache.home.2rjus.net-1:2kowZOG6pvhoK4AHVO3alBlvcghH20wchzoR0V86UWI="
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-      "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
-    ];
-  };
-
-  nixpkgs.config.allowUnfree = true;
   # Install system-wide packages
   environment.systemPackages = with pkgs; [
     curl
@@ -185,7 +135,7 @@
     wget
     v4l-utils
     nmap
-    (lib.mkIf (config.system.name == "gunter") pciutils)
+    pciutils
 
     # X shit
     # xorg.xorgserver

hosts/gunter/default.nix

@@ -5,7 +5,6 @@
   imports = [
     ./configuration.nix
     ./hardware-configuration.nix
-    ./steamuser.nix
     ./nfs.nix
     ./ollama.nix
     ./streamdeck.nix
@@ -13,5 +12,6 @@
     ./container.nix
     ../../system
     ../../home/hosts/gunter
+    ./steam.nix
   ];
 }

hosts/gunter/ollama.nix

@@ -1,11 +1,11 @@
 { pkgs, lib, ... }:
 {
   services.ollama = {
-    enable = true;
+    enable = false;
     package = pkgs.ollama-cuda;
   };
   services.open-webui = {
-    enable = true;
+    enable = false;
     package = pkgs.stable.open-webui;
     # enable = lib.warn "Open WebUI is disabled" false;
     environment = {

hosts/gunter/steam.nix

@@ -0,0 +1,5 @@
+{ ... }:
+{
+  programs.steam.enable = true;
+  programs.gamemode.enable = true;
+}

hosts/gunter/steamuser.nix

@@ -1,23 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.shells = with pkgs; [ zsh ];
-
-  services.xserver.desktopManager.xfce.enable = true;
-  programs.steam.enable = true;
-  programs.gamemode.enable = true;
-  services.flatpak.enable = true;
-
-  users.users.steam = {
-    isNormalUser = true;
-    initialPassword = "steam";
-    home = "/home/steam";
-    description = "Steam user";
-    shell = pkgs.zsh;
-    # Install some user packages
-    packages = with pkgs; [
-      firefox
-      mumble
-      easyeffects
-    ];
-  };
-}

hosts/magicman/configuration.nix

@@ -8,24 +8,17 @@
 
   # Bootloader stuff
   boot.kernelParams = [
-    "quiet"
-    "splash"
-    "rd.systemd.show_status=false"
     "acpi_backlight=native"
     "video=efifb:nobgrt"
     "loglevel=3"
     "rd.udev.log_level=3"
   ];
-  boot.kernelPackages = pkgs.linuxPackages_latest;
 
-  boot.loader.systemd-boot = {
-    enable = true;
-    configurationLimit = 3;
-  };
+  boot.extraModprobeConfig = ''
+    options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
+  '';
 
-  boot.loader.efi = {
-    canTouchEfiVariables = true;
-  };
+  boot.loader.systemd-boot.configurationLimit = 3;
 
   boot.initrd.systemd.enable = true;
   boot.plymouth = {
@@ -39,14 +32,7 @@
 
   # Networking stuff
   networking.hostName = "magicman"; # Define your hostname.
-  networking.networkmanager.enable = true;
-  networking.nftables.enable = true;
-  networking.firewall = {
-    enable = true;
-  };
-
-  # Set time stuff
-  time.timeZone = "Europe/Oslo";
+  networking.networkmanager.wifi.backend = "iwd";
 
   hardware = {
     enableRedistributableFirmware = true;
@@ -63,6 +49,18 @@
     };
   };
 
+  # Host capabilities
+  host.capabilities = {
+    hasCuda = false;
+    hasBattery = true;
+    formFactor = "laptop";
+    volumeScrollStep = 1;
+    enableArrhist = false;
+    hasEduroamAccess = true;
+    backupRepository = null;
+    backupPassword = null;
+  };
+
   # Bluetooth stuff
   services.blueman.enable = true;
   hardware.bluetooth.enable = true;
@@ -80,64 +78,18 @@
     };
   };
 
-  # Setup hyprland
-  services.xserver.enable = true;
-  services.displayManager.gdm.wayland = {
-    gdm.wayland = true;
-    lightdm.enable = false;
-  };
-  programs.hyprland = {
-    enable = true;
-    withUWSM = true;
-    xwayland.enable = true;
-    portalPackage = pkgs.xdg-desktop-portal-hyprland;
-  };
-
   # TRIM
   services.fstrim.enable = true;
 
-  # Setup common XDG env vars
-  environment.sessionVariables = rec {
-    XDG_CACHE_HOME = "$HOME/.cache";
-    XDG_CONFIG_HOME = "$HOME/.config";
-    XDG_DATA_HOME = "$HOME/.local/share";
-    XDG_STATE_HOME = "$HOME/.local/state";
-    XDG_BIN_HOME = "$HOME/.local/bin";
-    PATH = [ "${XDG_BIN_HOME}" ];
-  };
-
-  # Setup xdg portal
-  xdg.portal = {
-    enable = true;
-    xdgOpenUsePortal = true;
-    extraPortals = (
-      with pkgs;
-      [
-        # xdg-desktop-portal-hyprland
-        xdg-desktop-portal-gtk
-      ]
-    );
-  };
-
   programs.steam.enable = true;
 
-  # Enable flakes
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-  nix.settings.trusted-users = [
-    "root"
-    "torjus"
-  ];
-
-  nixpkgs.config.allowUnfree = true;
   # Install system-wide packages
   environment.systemPackages = with pkgs; [
     vim
     wget
     curl
     git
+    v4l-utils
   ];
 
   # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,

hosts/magicman/hardware-configuration.nix

@@ -21,8 +21,11 @@
     "sdhci_pci"
   ];
   boot.initrd.kernelModules = [ "i915" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  boot.kernelModules = [
+    "kvm-intel"
+    "v4l2loopback"
+  ];
+  boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
 
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/31b20f4c-24bb-4fd1-9a3e-8ccc19fe3d64";

hosts/magicman/laptop.nix

@@ -3,8 +3,6 @@
   hardware.brillo.enable = true;
   powerManagement.enable = true;
 
-  services.tlp.enable = true;
-
   services.auto-cpufreq = {
     enable = true;
     settings = {

packages/open-pomodoro.nix

@@ -1,48 +0,0 @@
-{
-  lib,
-  buildGoModule,
-  fetchFromGitHub,
-  installShellFiles,
-}:
-
-buildGoModule rec {
-  pname = "openpomodoro-cli";
-  version = "0.3.0";
-
-  src = fetchFromGitHub {
-    owner = "open-pomodoro";
-    repo = "openpomodoro-cli";
-    rev = "v${version}";
-    hash = "sha256-h/o4yxrZ8ViHhN2JS0ZJMfvcJBPCsyZ9ZQw9OmKnOfY=";
-  };
-
-  vendorHash = "sha256-BR9d/PMQ1ZUYWSDO5ID2bkTN+A+VbaLTlz5t0vbkO60=";
-
-  ldflags = [
-    "-s"
-    "-w"
-  ];
-
-  GOWORK = "off";
-
-  subPackages = [ "cmd/pomodoro" ];
-
-  nativeBuildInputs = [ installShellFiles ];
-
-  # postInstall = ''
-  #   installShellCompletion --cmd talosctl \
-  #     --bash <($out/bin/talosctl completion bash) \
-  #     --fish <($out/bin/talosctl completion fish) \
-  #     --zsh <($out/bin/talosctl completion zsh)
-  # '';
-
-  doCheck = false; # no tests
-
-  meta = with lib; {
-    description = "A command-line Pomodoro tracker which uses the Open Pomodoro Format";
-    mainProgram = "pomodoro";
-    homepage = "https://github.com/open-pomodoro/openpomodoro-cli";
-    license = licenses.mit;
-    # maintainers = with maintainers; [ flokli ];
-  };
-}

secrets/torjus/secret.yaml

@@ -4,32 +4,37 @@ sonarr_base_url: ENC[AES256_GCM,data:0HiHIX4KcPEE62Ti1fLH230rC1A7xYg=,iv:mkAnl6t
 radarr_api_key: ENC[AES256_GCM,data:Db1ISKTF+m2H1on55/4vdGticfqBdxfIzKHBxC9LAx4=,iv:NhiG4SmsRYIunW1ljFbxeHvRoi9fOVE+9DJn6kmZ6oI=,tag:DoJzo56CW3kJlySYmB8NYQ==,type:str]
 radarr_base_url: ENC[AES256_GCM,data:3UgOPQMblYhm0ysRB6VVosvZToIM5IA=,iv:o/s0bVBrjrma2Df2LlCCFL5Ks80063/4mABc6vzDrYg=,tag:eHKntLPM9yRRkMfIWSpIdg==,type:str]
 nats_nkey: ENC[AES256_GCM,data:TcIDFkFXB1+qfTqLylDI46w4/+Cy9XdXyXS26qCbwDaDoQNaRUsC6dw94mbT37352IWOCypTY0hweA==,iv:DC5GQyIXbNSx/mOLAOWTf5AyeFeViLxbKTMgZEfTEXE=,tag:krxk/dnZ58a8dcuWb7zhnA==,type:str]
+forgejo_access_token: ENC[AES256_GCM,data:5+AXgz03G9AEqhHlX87qdV8o1J2f/v/o59QPe5R8N06A7n4rt1A5eQ==,iv:ns/3F7+yr+bA4cqj6ghNLYyEuT+w+D+ILrKqMGbNQN4=,tag:rYI/497XuYkRmeLjxWaCIg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnaUlVOWtoRTFvMHljV0Fu
-            TFp2Ym1jcThqbWRjUjdNSnhxRUsrOWl6S3dBCmh0L0YzaXNlRTFHMXFHTGc1T3I2
-            WE03WjJCSlJSV2lmSExTWDBQRnlOcDAKLS0tIFJoeEM5b0IrdWxTRWhvNnd0c3NG
-            dENGdjJteFFaQTNFaDgvSGV2UEtyT0EKbdg4atS91rB99l7zKKkfPzKk4T5Mq2x5
-            bX825DPrxauAhvrT7ca/A2OwA4kaFuxPrQGd3VOPAXTVhlbcFgIAdw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUzQ0Q3dyZzVUMTJUUFhV
+            djg5WVNqNVRjeEsxM2lvOGZ4U25OR0VjNFNJCk11bTdVMzdsVyswQWc3enpwWVEz
+            bC9GbHV2dnhCTm44RWNNZzNXcjE5MDgKLS0tIHJRZmUwMDU2Si8waWVYS29BZFFJ
+            VDlubEtVOEJabTNWRFVHQ2hiNXJPUTQKdmBIlI4JvAssYHeRzbjp7CbPDsDX1JZ5
+            TIw79h28sArmRkP5fDlM0D1rALLlbTBsn3KA2D3RZgsUcelFlckIJg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1stlqqspmt5fepyz35udrwr5avf9zuju79f787p26pu2d2j08yqps2q2t2c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSEZJWldRcmJ3c1BjbUpT
-            bmZXSmlHU0hVRTV3SG91bXpiTXhZd1RkY0Y4ClBxc0RabWJmMi8reHZYWnlmK3pC
-            bUw5V2FEV0pZdkZEMTJ5ZDZXWDM2NjgKLS0tIGZ6dEZ4dERYQXFRQTVkRHhycndz
-            dkgwQlRrdEp6b2FIVnowaDlUMEZpeHcK2icvVv+UpbcdVErRjjQhlQb6PuluC/K7
-            Vy8Rh7dTn++bSEdGidDNGYeUQBrVy2qooq04lQqbeOOrdmXVhTamdA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VkpsWTF6cmlIdEROSmcw
+            UTE1MzUwZlEwZGoyTUM0M2dQRlF1NExYTFNrCkFBNFFIZ1AyNTlRR2NZaXB3Y1Vj
+            Wk9xVmVoM1MweERpUWh1R0FDeFdWT1UKLS0tIHJOQWRZY3NHWmpEL1djY3lnTTZB
+            S2xsR3NESklzNEN5U3RUTElmbnQzSWcKaDJnCgQUjpz6gAVtWJPKykfuflQOyMLq
+            cmb5ZfKhvrgthByGtS1nN4dhwA8ndUJ31UqiU0xWDdak59ehczoquQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-11T19:22:47Z"
-    mac: ENC[AES256_GCM,data:vd8O5y1GNDTDrlundbNZcGRAQzKLDly4qyxTqRO2JrnDYOqD/vQ8TqRQYiUgGY+5AcgjoLMER8keE8OUmcngN16cbGx1zKTpdqyHb7B2KR7ZfWOjW5kTk5KWM1gLDA4hA2GBEjHFBPGKdcrjURek9MrT+iM+qArbizSjWlKuehc=,iv:cicEnvWynZizJqrUzPIzbJWl6O8uL65Vs7fAYsuqSNA=,tag:l5jBXQfFedVE/VccZh+1qQ==,type:str]
-    pgp: []
+        - recipient: age1whxf34vjdndqzwgm7yyaexdm46gdnv9sf3nal7qqyjr0nyhhndlsrmc0g3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRU2R0cU1JcGFRRkV2SE1E
+            RFBRWkdESTcveGsvMStZR0Q3bWo3L0FQcENzCjdsOEpCNGk2NjdPMXVUWnhFS3NE
+            WlR0bWxZTGdnakplS0M3S3F0Nm9hQ00KLS0tIFR3amxPWEhiWDZQU2xjUGRHb0xS
+            U2V0bjZ2TUVmS2F3S1dTSnBYTmZsMG8KJTT0r6PYJ/g/J0E/CxyxRfUhtq8KMEJi
+            w5WrsdHrEkukY0OGRG1i8ZeDDV5mR2KejjKoGWQU6cLYa/v+XHevhg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-10T01:57:15Z"
+    mac: ENC[AES256_GCM,data:BK1vTAg7I16ztjqlkeXk7fMLGd7cvIzxogVufsRGamA5PpZgZ8PmvFcQH5JSLbEl/cAKPRD5jr9X1fx9Yr4uAwnVBPpkfu4LUb1fOihWgq7W4YqrTLKB2KGJZaTIP/I800bHHqEsyUcgo2DZ4gEDP2X84tR81xGhwkpGyeH0nlY=,iv:9Sj12aEHkYTrkoZ33SxiHhpDiZrXmPKN6972B+NV14Y=,tag:qDZvGgEpELktFRPuL2J98g==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.12.1

system/boot.nix

@@ -0,0 +1,13 @@
+{ pkgs, lib, ... }:
+{
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+
+  boot.kernelParams = lib.mkBefore [
+    "quiet"
+    "splash"
+    "rd.systemd.show_status=false"
+  ];
+}

system/default.nix

@@ -1,16 +1,22 @@
 {
   imports = [
+    ./boot.nix
     ./fonts.nix
-    ./root-ca.nix
     ./fwupd.nix
     ./git.nix
     ./greetd.nix
+    ./host-capabilities.nix
+    ./hyprland.nix
+    ./label.nix
     ./libvirt.nix
     ./locale.nix
+    ./networking.nix
+    ./nix-config.nix
     ./podman.nix
+    ./root-ca.nix
     ./security.nix
     ./services.nix
     ./users.nix
-    ./label.nix
+    ./xdg.nix
   ];
 }

system/host-capabilities.nix

@@ -0,0 +1,64 @@
+{ lib, ... }:
+with lib;
+{
+  options.host.capabilities = {
+    # Hardware capabilities
+    hasCuda = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether the host has CUDA-capable GPU (for btop, OBS, etc.)";
+    };
+
+    hasBattery = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether the host has a battery (laptop)";
+    };
+
+    # Form factor
+    formFactor = mkOption {
+      type = types.enum [
+        "desktop"
+        "laptop"
+      ];
+      default = "desktop";
+      description = "Physical form factor of the host";
+    };
+
+    # UI behavior customizations
+    volumeScrollStep = mkOption {
+      type = types.int;
+      default = 5;
+      description = "Volume adjustment step percentage for scroll wheel";
+    };
+
+    # Service-specific features
+    enableArrhist = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable Sonarr/Radarr monitoring widget (arrhist)";
+    };
+
+    # Network environment features
+    hasEduroamAccess = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether this host can connect to eduroam (for SSH config)";
+    };
+
+    # Backup configuration
+    backupRepository = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Restic backup repository URL for this host";
+      example = "rest:http://10.69.12.52:8000/gunter.home.2rjus.net";
+    };
+
+    backupPassword = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Restic backup password identifier for this host";
+      example = "gunter.home.2rjus.net";
+    };
+  };
+}

system/hyprland.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  services.xserver.enable = true;
+  services.displayManager.gdm.wayland = true;
+
+  programs.hyprland = {
+    enable = true;
+    withUWSM = true;
+    xwayland.enable = true;
+    portalPackage = pkgs.xdg-desktop-portal-hyprland;
+  };
+}

system/locale.nix

@@ -1,5 +1,7 @@
 { ... }:
 {
+  time.timeZone = "Europe/Oslo";
+
   i18n = {
     supportedLocales = [
       "en_US.UTF-8/UTF-8"

system/monitoring/metrics.nix

@@ -14,5 +14,9 @@
       openFirewall = true;
       devices = [ "/dev/nvme0n1" ];
     };
+    systemd = {
+      enable = true;
+      openFirewall = true;
+    };
   };
 }

system/networking.nix

@@ -0,0 +1,8 @@
+{ lib, ... }:
+{
+  networking.networkmanager.enable = true;
+  networking.nftables.enable = true;
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = lib.mkDefault [ ];
+  networking.firewall.allowedUDPPorts = lib.mkDefault [ ];
+}

system/nix-config.nix

@@ -0,0 +1,24 @@
+{ ... }:
+{
+  nixpkgs.config.allowUnfree = true;
+
+  nix.settings = {
+    experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+
+    trusted-users = [
+      "root"
+      "torjus"
+    ];
+
+    substituters = [ "https://cache.nixos.org" ];
+
+    trusted-substituters = [ "https://cache.nixos.org" ];
+
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    ];
+  };
+}

system/root-ca-old.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxDCCAWmgAwIBAgIQQCSzuOLIKLj1dGbC+NFttjAKBggqhkjOPQQDAjBAMRow
+GAYDVQQKExFob21lLjJyanVzLm5ldCBDQTEiMCAGA1UEAxMZaG9tZS4ycmp1cy5u
+ZXQgQ0EgUm9vdCBDQTAeFw0yNDEwMjEwOTEyNDRaFw0zNDEwMTkwOTEyNDRaMEAx
+GjAYBgNVBAoTEWhvbWUuMnJqdXMubmV0IENBMSIwIAYDVQQDExlob21lLjJyanVz
+Lm5ldCBDQSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGDE4ss9y
+9msphQ/Sa/tAoEaGoDHQcg5oRcxWL5SZYjUPNl+zbRZzqkvCz2S1XrHJPiPWbyJX
+cZAlPxbwZrWDyKNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
+AQEwHQYDVR0OBBYEFPZx6AahX5diBMChZbv5N4dh+vCTMAoGCCqGSM49BAMCA0kA
+MEYCIQC6yqMM9/s1Dct5jlq0NAGsDA68hVTDcO3RP61lxQlfBwIhAL1jlmIwaSJc
+TjdIMjPQ3ombBRqDJBDvDr8o6oOUjret
+-----END CERTIFICATE-----

system/root-ca.crt

@@ -1,12 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIIBxDCCAWmgAwIBAgIQQCSzuOLIKLj1dGbC+NFttjAKBggqhkjOPQQDAjBAMRow
-GAYDVQQKExFob21lLjJyanVzLm5ldCBDQTEiMCAGA1UEAxMZaG9tZS4ycmp1cy5u
-ZXQgQ0EgUm9vdCBDQTAeFw0yNDEwMjEwOTEyNDRaFw0zNDEwMTkwOTEyNDRaMEAx
-GjAYBgNVBAoTEWhvbWUuMnJqdXMubmV0IENBMSIwIAYDVQQDExlob21lLjJyanVz
-Lm5ldCBDQSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGDE4ss9y
-9msphQ/Sa/tAoEaGoDHQcg5oRcxWL5SZYjUPNl+zbRZzqkvCz2S1XrHJPiPWbyJX
-cZAlPxbwZrWDyKNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
-AQEwHQYDVR0OBBYEFPZx6AahX5diBMChZbv5N4dh+vCTMAoGCCqGSM49BAMCA0kA
-MEYCIQC6yqMM9/s1Dct5jlq0NAGsDA68hVTDcO3RP61lxQlfBwIhAL1jlmIwaSJc
-TjdIMjPQ3ombBRqDJBDvDr8o6oOUjret
+MIICIjCCAaigAwIBAgIUQ/Bd/4kNvkPjQjgGLUMynIVzGeAwCgYIKoZIzj0EAwMw
+QDELMAkGA1UEBhMCTk8xEDAOBgNVBAoTB0hvbWVsYWIxHzAdBgNVBAMTFmhvbWUu
+MnJqdXMubmV0IFJvb3QgQ0EwHhcNMjYwMjAxMjIxODA5WhcNMzYwMTMwMjIxODM5
+WjBAMQswCQYDVQQGEwJOTzEQMA4GA1UEChMHSG9tZWxhYjEfMB0GA1UEAxMWaG9t
+ZS4ycmp1cy5uZXQgUm9vdCBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABH8xhIOl
+Nd1Yb1OFhgIJQZM+OkwoFenOQiKfuQ4oPMxaF+fnXdKc77qPDVRjeDy61oGS38X3
+CjPOZAzS9kjo7FmVbzdqlYK7ut/OylF+8MJkCT8mFO1xvuzIXhufnyAD4aNjMGEw
+DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEimBeAg
+3JVeF4BqdC9hMZ8MYKw2MB8GA1UdIwQYMBaAFEimBeAg3JVeF4BqdC9hMZ8MYKw2
+MAoGCCqGSM49BAMDA2gAMGUCMQCvhRElHBra/XyT93SKcG6ZzIG+K+DH3J5jm6Xr
+zaGj2VtdhBRVmEKaUcjU7htgSxcCMA9qHKYFcUH72W7By763M6sy8OOiGQNDSERY
+VgnNv9rLCvCef1C8G2bYh/sKGZTPGQ==
 -----END CERTIFICATE-----

system/root-ca.nix

@@ -4,6 +4,7 @@
     certificateFiles = [
       "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
       ./root-ca.crt
+      ./root-ca-old.crt
     ];
   };
 }

system/xdg.nix

@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  environment.sessionVariables = rec {
+    XDG_CACHE_HOME = "$HOME/.cache";
+    XDG_CONFIG_HOME = "$HOME/.config";
+    XDG_DATA_HOME = "$HOME/.local/share";
+    XDG_STATE_HOME = "$HOME/.local/state";
+    XDG_BIN_HOME = "$HOME/.local/bin";
+    PATH = [ "${XDG_BIN_HOME}" ];
+  };
+
+  xdg.portal = {
+    enable = true;
+    xdgOpenUsePortal = true;
+    extraPortals = with pkgs; [ xdg-desktop-portal-gtk ];
+  };
+}