todo

Flake lock file updates:

• Updated input 'ctp':
    'github:catppuccin/nix/e82c195f2276825b0a08024fdaff80f965edcd69?narHash=sha256-ul1iRBfVX2vc971tHHhVtxX2hycU3nVwgO005OcOKnw%3D' (2026-04-29)
  → 'github:catppuccin/nix/e68cf5deaf1a7afed2e548835dba2ae99f5a3ccb?narHash=sha256-kbIhdhDPaTP6gxAPkcRYeB%2BcqPFDpTM/bnw%2Bm%2B26vkI%3D' (2026-05-02)
• Updated input 'ctp/nixpkgs':
    'github:NixOS/nixpkgs/b12141ef619e0a9c1c84dc8c684040326f27cdcc?narHash=sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24%3D' (2026-04-18)
  → 'github:NixOS/nixpkgs/1c3fe55ad329cbcb28471bb30f05c9827f724c76?narHash=sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M%2BC8yzzIRYbE%3D' (2026-04-27)
• Updated input 'hm':
    'github:nix-community/home-manager/2e54a938cdd4c8e414b2518edc3d82308027c670?narHash=sha256-SwgiG2T5pbyo33Vz7/vUCAhEMgwCK8Pa2nDSx5a6/WE%3D' (2026-04-30)
  → 'github:nix-community/home-manager/7ef1c04d11f7ef69fd946b118c768c32de0b89a5?narHash=sha256-8ceIdvijN2tm9fIAUgnIZ8BM8TlsFx7pRYKRoxNsi1k%3D' (2026-05-05)
• Updated input 'mc':
    'github:Infinidoge/nix-minecraft/0707737282f65e25ed8e6e73f8767872659b7fb8?narHash=sha256-rPszOFTm7gP9n/JGiFH4SeuEALC8FBJtXu5owvHVjaQ%3D' (2026-05-02)
  → 'github:Infinidoge/nix-minecraft/34a46e4de360c5004ee1866f5e3de78bf5e8b289?narHash=sha256-8dQ/DOUvQI8x5i6MZ309/xZLLVfV1CgWbD2%2BJiQ7Hd4%3D' (2026-05-05)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/1c3fe55ad329cbcb28471bb30f05c9827f724c76?narHash=sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M%2BC8yzzIRYbE%3D' (2026-04-27)
  → 'github:nixos/nixpkgs/15f4ee454b1dce334612fa6843b3e05cf546efab?narHash=sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM%2BZ4%3D' (2026-04-30)

.forgejo/workflows/activate.yml

@@ -0,0 +1,41 @@
+name: Activate Homelab Configuration
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+
+env:
+  PATH: /run/current-system/sw/bin:/run/wrappers/bin
+
+jobs:
+  rebuild:
+    runs-on: self-hosted
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ./ssh
+          echo "${{ secrets.DEPLOY_SSH_KEY }}" > ./ssh/deploy_key
+          chmod 600 ./ssh/deploy_key
+          
+      - name: Rebuild and switch
+        run: |
+          ssh -i ./ssh/deploy_key \
+            -o PasswordAuthentication=no \
+            -o StrictHostKeyChecking=no \
+            -o UserKnownHostsFile=/dev/null \
+            root@localhost \
+            "bash -lc 'nixos-rebuild switch --refresh --flake git+http://localhost:5080/satr14/nix-flake#homelab -L'"
+
+      - name: Show generation
+        if: always()
+        run: |
+          ssh -i ./ssh/deploy_key \
+            -o PasswordAuthentication=no \
+            -o StrictHostKeyChecking=no \
+            -o UserKnownHostsFile=/dev/null \
+            root@localhost "bash -lc 'nixos-version'"
+
+      - name: Clean Up
+        if: always()
+        run: rm -f ./ssh/deploy_key

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "nixEnvSelector.suggestion": false
+}

README.md

@@ -1,5 +1,18 @@
 ![nix-flake](ss.png)
-rewrite of my nixos flake with hopefully better structuring and modularity
 
 > [!WARNING]
-> this flake is ment for personal use. code is not well documented and is not ment to be used by others. use at your own risk.
+> This flake is ment for personal use. The code is not well documented nor structured and is not ment to be used by others. **Use at your own risk.**
+
+## Hosts
+- `thinkpad` - Thinkpad T480, i5 8350U, 16GB RAM, 256GB NVME
+- `homelab` - i7 8700T, 32GB RAM, 512GB NVME, 1TB 2.5" SATA
+
+## Todo
+- Automatic backups to external drives.
+- Better documentation and code structure.
+- Use NixOS modules system. 
+
+## Credits
+- [orangc's flake](https://git.orangc.net/c/dots)
+- [vimjoyer's tutorials](https://www.youtube.com/@vimjoyer)
+- [wallpaper source](https://github.com/er2de2/catppuccin_walls/blob/master/wallpapers_png/autumn_2.0.png)

flake.lock

@@ -5,11 +5,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1773146250,
+        "lastModified": 1777734189,
-        "narHash": "sha256-azzOjRqTxAqByzRP87jUUsmfOQ85i7h/YkrgTX0jZgg=",
+        "narHash": "sha256-kbIhdhDPaTP6gxAPkcRYeB+cqPFDpTM/bnw+m+26vkI=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "0fa0d06dd3cd09f37f76d19b389d7ff947dfd7e8",
+        "rev": "e68cf5deaf1a7afed2e548835dba2ae99f5a3ccb",
         "type": "github"
       },
       "original": {
@@ -18,6 +18,22 @@
         "type": "github"
       }
     },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
@@ -62,11 +78,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773179137,
+        "lastModified": 1777977606,
-        "narHash": "sha256-EdW2bwzlfme0vbMOcStnNmKlOAA05Bp6su2O8VLGT0k=",
+        "narHash": "sha256-8ceIdvijN2tm9fIAUgnIZ8BM8TlsFx7pRYKRoxNsi1k=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3f98e2bbc661ec0aaf558d8a283d6955f05f1d09",
+        "rev": "7ef1c04d11f7ef69fd946b118c768c32de0b89a5",
         "type": "github"
       },
       "original": {
@@ -76,13 +92,33 @@
         "type": "github"
       }
     },
+    "mc": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": "nixpkgs_3",
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1777952170,
+        "narHash": "sha256-8dQ/DOUvQI8x5i6MZ309/xZLLVfV1CgWbD2+JiQ7Hd4=",
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "rev": "34a46e4de360c5004ee1866f5e3de78bf5e8b289",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1772773019,
+        "lastModified": 1777268161,
-        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
         "type": "github"
       },
       "original": {
@@ -109,11 +145,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1772963539,
+        "lastModified": 1769461804,
-        "narHash": "sha256-9jVDGZnvCckTGdYT53d/EfznygLskyLQXYwJLKMPsZs=",
+        "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9dcb002ca1690658be4a04645215baea8b95f31d",
+        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
         "type": "github"
       },
       "original": {
@@ -125,16 +161,16 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1772736753,
+        "lastModified": 1777578337,
-        "narHash": "sha256-au/m3+EuBLoSzWUCb64a/MZq6QUtOV8oC0D9tY2scPQ=",
+        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
-        "owner": "NixOS",
+        "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "917fec990948658ef1ccd07cef2a1ef060786846",
+        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
+        "owner": "nixos",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -144,26 +180,8 @@
         "ctp": "ctp",
         "gl": "gl",
         "hm": "hm",
-        "nixpkgs": "nixpkgs_3",
+        "mc": "mc",
-        "sops": "sops"
-      }
-    },
-    "sops": {
-      "inputs": {
         "nixpkgs": "nixpkgs_4"
-      },
-      "locked": {
-        "lastModified": 1773096132,
-        "narHash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
       }
     },
     "systems": {
@@ -180,6 +198,21 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -6,19 +6,20 @@
       url = "github:nix-community/home-manager/master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    
+
-    sops.url = "github:Mic92/sops-nix";
     gl.url = "github:nix-community/nixGL";
     ctp.url = "github:catppuccin/nix";
+    
+    mc.url = "github:Infinidoge/nix-minecraft";
   };
 
-  outputs = inputs: let 
+  outputs = inputs: let
     pkgs = import inputs.nixpkgs {
       system = "x86_64-linux";
       overlays = [ inputs.gl.overlay ];
       config = {
         allowUnfree = true;
-        permittedInsecurePackages = [ "ventoy-qt5-1.1.10" ];
+        permittedInsecurePackages = [ "ventoy-qt5-1.1.12" ];
       };
     };
     args = {
@@ -31,17 +32,15 @@
       modules = [
         ./hosts/${host}/config.nix
         inputs.ctp.nixosModules.catppuccin
-        inputs.sops.nixosModules.sops
       ];
     };
-    
+
     nixosConfigWithHome = host: inputs.nixpkgs.lib.nixosSystem {
       inherit pkgs;
       specialArgs = args // { hostname = host; };
       modules = [
         ./hosts/${host}/config.nix
         inputs.ctp.nixosModules.catppuccin
-        inputs.sops.nixosModules.sops
         inputs.hm.nixosModules.home-manager
         {
           home-manager = {
@@ -53,7 +52,7 @@
         }
       ];
     };
-    
+
     homeConfig = host: inputs.hm.lib.homeManagerConfiguration {
       extraSpecialArgs = args // { hostname = host; };
       inherit pkgs;

hosts/bootstrap/config.nix

@@ -21,7 +21,7 @@
     tailscale.enable = true;
     openssh = {
       enable = true;
-      settings.PermitRootLogin = "yes";
+      settings.PermitRootLogin = "prohibit-password";
     };
   };
   users.users."${username}" = {

lib/options.nix

@@ -1,4 +1,12 @@
-{
+let
+  d = dest: { inherit dest; auth = false; };
+  da = dest: { inherit dest; auth = true; };
+  
+  ext4 = path: { inherit path; type = "ext4"; };
+  btrfs = path: { inherit path; type = "btrfs"; };
+  
+  selfSigned = service: { inherit service; originRequest.noTLSVerify = true; };
+in {
   flake-path = "~/Projects/nix-flake"; # set this to the cloned repo path
 
   username = "satr14";
@@ -15,20 +23,78 @@
   
   homelab = rec {
     domain = "satr14.my.id"; # root domain for dns, ssl certs, reverse proxy, etc.
-    cf-tunnel-id = "26318288-cdd7-4e58-904b-c45f10d3e40a";
+    ssh-keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESvQFXoUBafatqnxTd6qk3WEOcfwb3AIWVTstR3lHzX forgejo"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtdH1YqRH9xhuHMivezLvj/hpH77yfH3HUCaRboB/hb forgejo-deploy-runner"
+    ];
     disks = {
-      gallery = "/dev/disk/by-uuid/834f51c1-90ee-4601-ba76-ef0419198d67"; # disk for photo gallery 
+      # gallery = ext4 "/dev/disk/by-uuid/834f51c1-90ee-4601-ba76-ef0419198d67"; # disk for photo gallery 
-      data = "/dev/disk/by-uuid/a5752dd6-092d-484c-969c-2fdc7cb4a5f0"; # disk for app data
+      # data = ext4 "/dev/disk/by-uuid/a5752dd6-092d-484c-969c-2fdc7cb4a5f0"; # disk for app data
-      host = "/dev/disk/by-uuid/968f14a4-631e-4325-8cd1-f9aec0da9e4d"; # disk for media collection (named host for backwards compatibility)
+      # host = ext4 "/dev/disk/by-uuid/968f14a4-631e-4325-8cd1-f9aec0da9e4d"; # disk for media collection (named host for backwards compatibility)
+      # ^^ virtual disks
+      
+      # achive = ext4 "/dev/disk/by-uuid/"; # long term archival 
+      data = ext4 "/dev/disk/by-uuid/aa453135-4b7a-4b12-8efc-f3dda093d2b7"; # app data
+      share = btrfs "/dev/disk/by-uuid/f1ee1d17-e852-4e02-ae86-eaf6116a2aeb"; # file server
+    };
+    dash = [
+      [ "PocketID" "authentik" "https://auth.${domain}" "http://localhost:1411/" ]
+      [ "Forgejo" "forgejo" "https://git.${domain}" "http://localhost:5080/" ]
+      [ "Copyparty" "files" "https://cdn.${domain}" "http://localhost:3923/" ]
+      [ "CryptPad" "cryptpad" "https://docs.${domain}" "http://localhost:7090/" ]
+      [ "CodeServer" "coder" "https://code.proxy.${domain}" "http://localhost:8443/" ]
+      [ "AdGuardHome" "adguard" "https://dns.proxy.${domain}" "http://localhost:8088/" ]
+      [ "Traefik" "traefikproxy" "https://dynamic.proxy.${domain}/dashboard/" "" ]
+      [ "Immich" "immich" "https://gallery.proxy.${domain}" "http://localhost:2283/" ]
+      [ "Jellyfin" "jellyfin" "https://media.proxy.${domain}" "http://localhost:8096/" ]
+      [ "VaultWarden" "vaultwarden" "https://pass.proxy.${domain}" "http://localhost:8060/" ]
+      [ "Ollama" "ollama" "https://ai.proxy.${domain}" "http://localhost:8080/" ]
+      [ "Ntfy" "ntfy" "https://notify.proxy.${domain}" "http://localhost:8067/" ]
+      [ "SearXNG" "searxng" "https://search.proxy.${domain}" "http://localhost:8091/" ]
+      [ "Dockge" "docker" "https://containers.proxy.${domain}" "http://localhost:5001/" ]
+    ];
+    routes = {
+      "mc0.${domain}"     = "tcp://localhost:25565";
+      
+      "docs-sandbox.${domain}" = "http://localhost:7090";
+      "docs.${domain}"         = "http://localhost:7090";
+      
+      "cdn.${domain}"     = selfSigned "https://localhost:3923";
+      
+      "git.${domain}"     = "http://localhost:5080";
+      "auth.${domain}"    = "http://localhost:1411";
+      "dash.${domain}"    = "http://localhost:5070";
+      "media.${domain}"   = "http://localhost:8096";
+      "gallery.${domain}" = "http://localhost:2284";
+    };
+    proxy = {
+      base = "proxy.${domain}";
+      hosts = {
+        "containers" = da "http://localhost:5001";
+        "code"       = da "http://localhost:8443";
+        "dns"        = da "http://localhost:8088";
+        
+        "gallery"    = d "http://localhost:2283";
+        "dynamic"    = d "http://localhost:8082";
+        "search"     = d "http://localhost:8091";
+        "notify"     = d "http://localhost:8067";
+        "media"      = d "http://localhost:8096";
+        "pass"       = d "http://localhost:8060";
+        "auth"       = d "http://localhost:1411";
+        "git"        = d "http://localhost:5080";
+        "cdn"        = d "http://localhost:3923";
+        "ai"         = d "http://localhost:8080";
+        "@"          = d "http://localhost:5070";
+      };
+      redirects = {
+        "www"  = "https://${proxy.base}";
+        "dash" = "https://${proxy.base}";
+        "immich" = "https://gallery.${proxy.base}";
+        "2fa" = "https://2fa.${domain}";
+      };
     };
     records = [
-      [ "server.dns.${domain}"     "10.3.14.69"         ]
+      [ "main.dns.${domain}"       "100.113.147.93" ] # this machine
-      [ "router.dns.${domain}"     "10.3.14.1"          ]
-      [ "home.dns.${domain}"       "10.3.14.235"        ]
-      [ "workspace.dns.${domain}"  "10.3.14.57"         ]
-      [ "old-main.dns.${domain}"   "10.3.14.42"         ] # old main machine for connecting while migrating
-      
-      [ "main.dns.${domain}"       "10.3.14.215"        ] # this machine
       [ "proxy.${domain}"          "main.dns.${domain}" ]
       [ "*.proxy.${domain}"        "proxy.${domain}"    ]
       
@@ -62,7 +128,9 @@
   };
 
   git = { # setup your git author
-    user = "Satria";
+    username = "satr14"; # forgejo username
+    server = "https://git.satr14.my.id"; # forgejo server url
+    user = "satr14";
     email = "admin@satr14.my.id";
   };
 }

modules/hardware/homelab.nix

@@ -1,14 +1,13 @@
 { ... }: {
   imports = [
+    # ./misc/cpu-hotplug.nix
+    # ./misc/serial.nix 
+    # ./misc/qemu-virtio.nix
+    # ^^ only used if vm
+    
     ./core/firmware.nix
     ./core/igpu.nix
     ./misc/disks.nix
-    ./misc/serial.nix
   ];
   
-  boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "virtio_console" ]; 
-  services = {
-    qemuGuest.enable = true;
-    spice-vdagentd.enable = true;
-  };
 }

modules/hardware/misc/battery-power.nix

@@ -1,4 +1,4 @@
-{ pkgs, resume-dev, ... }: {
+{ pkgs, username, resume-dev, ... }: {
   powerManagement.powertop.enable = true;
 
   services = {
@@ -10,6 +10,20 @@
         echo 85 > /sys/class/power_supply/BAT*/charge_control_end_threshold || true
       ''}"
     '';
+    cron = {
+      enable = true;
+      systemCronJobs = [
+        "* * * * * ${username} bash -x ${pkgs.writeShellScript "low-battery-notifier" ''
+          BAT_PCT=`${pkgs.acpi}/bin/acpi -b | ${pkgs.gnugrep}/bin/grep -P -o '[0-9]+(?=%)'`
+          BAT_STA=`${pkgs.acpi}/bin/acpi -b | ${pkgs.gnugrep}/bin/grep -P -o '\w+(?=,)'`
+          echo "`date` battery status:$BAT_STA percentage:$BAT_PCT"
+          export DISPLAY=:0
+          export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u)/bus
+          test $BAT_PCT -le 30 && test $BAT_PCT -gt 15 && test $BAT_STA = "Discharging" && ${pkgs.libnotify}/bin/notify-send "Low Battery" "Battery remaining: $BAT_PCT%."
+          test $BAT_PCT -le 15                         && test $BAT_STA = "Discharging" && ${pkgs.libnotify}/bin/notify-send -u critical "Low Battery" "Shutdown at 10%."
+        ''} > /tmp/cron.batt.log 2>&1"
+      ];
+    };
     upower = {
       enable = true;
       percentageCritical = 15;

modules/hardware/misc/cpu-freq.nix

@@ -51,7 +51,7 @@
       enable = true; # wait for fix: https://github.com/AdnanHodzic/auto-cpufreq/issues/906
       settings = {
         charger = {
-          governor = "performance";
+          governor = "powersave"; # "performance";
           energy_performance_preference = "performance";
           turbo = "always";
           platform_profile = "performance";

modules/hardware/misc/cpu-hotplug.nix

@@ -0,0 +1,5 @@
+{ ... }: {
+  services.udev.extraRules = ''
+    SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
+  '';
+}

modules/hardware/misc/disks.nix

@@ -1,13 +1,15 @@
 { lib, homelab, ... }: let
   globalOpts = {
-    fsType = "ext4";
     autoFormat = true;
     autoResize = true;
   };
 in {
   fileSystems = {
     "/".autoResize = true;
-  } // lib.mapAttrs' (name: device:
+  } // lib.mapAttrs' (name: dev:
-    lib.nameValuePair "/mnt/${name}" (globalOpts // { inherit device; })
+    lib.nameValuePair "/mnt/${name}" (globalOpts // {
+      device = dev.path;
+      fsType = dev.type;
+    })
   ) homelab.disks;
 }

modules/hardware/misc/qemu-virtio.nix

@@ -0,0 +1,14 @@
+{ ... }: {
+  boot.initrd.availableKernelModules = [
+    "virtio_net"
+    "virtio_pci"
+    "virtio_mmio"
+    "virtio_blk"
+    "virtio_scsi"
+    "virtio_console"
+  ]; 
+  services = {
+    qemuGuest.enable = true;
+    spice-vdagentd.enable = true;
+  };
+}

modules/hardware/thinkpad.nix

@@ -12,7 +12,7 @@
   ];
 
   boot = {
-    kernelPackages = pkgs.linuxPackages;
+    kernelPackages = pkgs.linuxPackages_zen;
     kernel.sysctl."vm.laptop_mode" = 5;
     initrd.availableKernelModules = [ "thinkpad_acpi" ];
     kernelParams = [

modules/home/core/apps.nix

@@ -1,44 +1,69 @@
 { pkgs, ... }: {
   nixpkgs.config.allowUnfree = true;
 
+  xdg = {
+    autostart.enable = true;
+    mimeApps = {
+      enable = true;
+      defaultApplications = {
+        "text/plain" = "nvim.desktop";
+        "text/html" = "brave-browser.desktop";
+        "application/pdf" = "brave-browser.desktop";
+        "x-scheme-handler/http" = "brave-browser.desktop";
+        "x-scheme-handler/https" = "brave-browser.desktop";
+        "x-terminal-emulator" = "kitty.desktop";
+        "inode/directory" = "pcmanfm-qt.desktop";
+        "audio/mpeg" = "vlc.desktop";
+        "audio/mp3" = "vlc.desktop";
+        "audio/wav" = "vlc.desktop";
+        "audio/flac" = "vlc.desktop";
+        "video/mp4" = "vlc.desktop";
+        "video/x-matroska" = "vlc.desktop";
+        "video/webm" = "vlc.desktop";
+        "video/x-msvideo" = "vlc.desktop";
+      };
+    };
+  };
+  
   home.packages = with pkgs; [
-      zed-editor
+    zed-editor
-      # kicad-small
+    # kicad-small
-      # arduino-ide
+    # arduino-ide
 
-      slack
+    slack
-      discord
+    discord
-      protonmail-desktop
+    # protonmail-desktop # https://www.reddit.com/r/NixOS/comments/1rm9alf/protonmail_in_nixos/
-      
+    
-      vlc
+    vlc
-      brave
+    brave
-      libreoffice
+    flameshot
-      appimage-run
+    libreoffice
-      # keepassxc
+    appimage-run
+    # keepassxc
 
-      virt-manager
+    virt-manager
-      # winboat
+    # winboat
-      
+    
-      remmina
+    remmina
-      moonlight-qt
+    moonlight-qt
-      # rustdesk
+    # rustdesk
-      
+    
-      
+    
-      # inkscape
+    # inkscape
-      # davinci-resolve
+    # davinci-resolve
-      # kdePackages.kdenlive
+    # kdePackages.kdenlive
-      (wrapOBS {
+    (wrapOBS {
-        plugins = with obs-studio-plugins; [
+      plugins = with obs-studio-plugins; [
-          wlrobs
+        wlrobs
-          obs-backgroundremoval
+        obs-backgroundremoval
-          obs-pipewire-audio-capture
+        obs-pipewire-audio-capture
-        ];
+      ];
-      })
+    })
 
-      ferium
+    ferium
-      portablemc
+    packwiz
-      prismlauncher
+    portablemc
-      steamguard-cli
+    steamguard-cli
-      # modrinth-app
+    # modrinth-app
-    ];
+  ];
 }

modules/home/core/cli.nix

@@ -44,13 +44,26 @@
       enable = true;
       defaultEditor = true;
       vimAlias = true;
+      withRuby = false;
+      withPython3 = false;
       initLua = ''
         vim.opt.clipboard = "unnamedplus"
         vim.opt.termguicolors = true
+        vim.g.clipboard = {
+          name = "OSC 52",
+          copy = {
+            ["+"] = require("vim.ui.clipboard.osc52").copy("+"),
+            ["*"] = require("vim.ui.clipboard.osc52").copy("*"),
+          },
+          paste = {
+            ["+"] = require("vim.ui.clipboard.osc52").paste("+"),
+            ["*"] = require("vim.ui.clipboard.osc52").paste("*"),
+          },
+        }
         require("nvim-tree").setup()
         vim.api.nvim_create_autocmd("VimEnter", {
           callback = function()
-            -- vim.cmd("NvimTreeOpen")
+            vim.cmd("set nu")
             vim.cmd.wincmd 'p'
           end,
         })
@@ -63,7 +76,6 @@
         telescope-file-browser-nvim
         nvim-tree-lua
         nvim-cmp
-        barbar-nvim
         indent-blankline-nvim
         markdown-preview-nvim
       ];
@@ -80,6 +92,7 @@
     };
     git = {
       enable = true;
+      signing.format = null;
       settings = {
         pull.rebase = "true";
         credential.helper = "cache --timeout=3600";

modules/home/core/code.nix

@@ -2,10 +2,18 @@
   programs.zed-editor = {
     enable = true;
     package = pkgs.zed-editor;
-    extensions = [ "nix" ];
+    extensions = [
+      "html" "html-snippets"
+      "svelte" "svelte-snippets"
+      "wakatime" "discord-presence"
+      "catppuccin" "catppuccin-icons"
+      "git-firefly"
+      "nix"
+    ];
     userSettings = {
+      diff_view_style =  "unified";
+      cli_default_open_behavior = "existing_window";
       format_on_save = "off";
-      features.edit_prediction_provider = "copilot";
       vim_mode = true;
       git.inline_blame.enabled = true;
       gutter.line_numbers = true;
@@ -19,6 +27,27 @@
       file_types.tailwindcss = [ "*.css" ];
       auto_install_extensions.catppuccin-icons = true;
       icon_theme = "Catppuccin Mocha";
+      git_panel.tree_view = true;
+      diagnostics = {
+        button = true;
+        include_warnings = true;
+        inline = {
+          enabled = true;
+          update_debounce_ms = 150;
+          padding = 4;
+          min_column = 0;
+          max_severity = null;
+        };
+      };
+      agent = {
+        tool_permissions.default = "allow";
+        default_model = {
+          provider = "copilot_chat";
+          model = "claude-sonnet-4.6";
+          effort = "high";
+          enable_thinking = false;
+        };
+      };
       theme = {
         mode = "dark";
         light = "Catppuccin Mocha (sapphire)";

modules/home/core/shell.nix

@@ -1,4 +1,4 @@
-{ hostname, flake-path, zsh-theme, ... }: {
+{ git, hostname, flake-path, zsh-theme, ... }: {
   programs = {
     pay-respects = {
       enable = true;
@@ -32,14 +32,14 @@
       '';
       shellAliases = {
         "cd-gvfs" = "cd /run/user/$(id -u)/gvfs";
-        "wlp-set" = "swww img --transition-type=grow --transition-duration=1";
+        "wlp-set" = "awww img --transition-type=grow --transition-duration=1";
         "ssh" = "TERM=xterm-256color ssh";
         "cd" = "z";
 
         "sys" = "sudo systemctl --runtime";
-        "sys-log" = "journalctl -f -b -u";
+        "sys-log" = "journalctl -o cat -f -b -u";
         "user" = "systemctl --user --runtime";
-        "user-log" = "journalctl -f -b --user-unit";
+        "user-log" = "journalctl -o cat -f -b --user-unit";
 
         "ts" = "sudo tailscale";
         "tsip" = "tailscale ip -4";
@@ -64,9 +64,10 @@
         "wm-disp" = "wm-ctl dispatch dpms";
 
         "gh-author-setup" = "git config user.name $(gh api -H \"Accept: application/vnd.github+json\" -H \"X-GitHub-Api-Version: 2022-11-28\" /user | jq -r .login) && git config user.email $(gh api -H \"Accept: application/vnd.github+json\" -H \"X-GitHub-Api-Version: 2022-11-28\" /user/emails | jq -r \".[1].email\")";
+        "fg-create-repo" = "git remote add origin ${git.server}/${git.username}/$(basename $PWDw).git && git push";
         "convert-pdf" = "libreoffice --headless --convert-to pdf";
         
-        "mcl" = "portablemc start -l $(cat .minecraft/portablemc-launch-params.json | jq -r .email) $(cat .minecraft/portablemc-launch-params.json | jq -r .version)";
+        "mcl" = "portablemc start -l $(cat ~/.minecraft/portablemc-launch-params.json | jq -r .email) $(cat ~/.minecraft/portablemc-launch-params.json | jq -r .version)";
         "mc" = "ferium upgrade; mcl";
       };
       initContent = ''

modules/home/core/xdg.nix

@@ -1,26 +0,0 @@
-{ ... }: {
-  xdg = {
-    autostart.enable = true;
-    mimeApps = {
-      enable = true;
-      defaultApplications = {
-        "text/plain" = "nvim.desktop";
-        "text/html" = "brave-browser.desktop";
-        "application/pdf" = "brave-browser.desktop";
-        "x-scheme-handler/http" = "brave-browser.desktop";
-        "x-scheme-handler/https" = "brave-browser.desktop";
-        "x-scheme-handler/terminal" = "kitty.desktop";
-        "x-terminal-emulator" = "kitty.desktop";
-        "inode/directory" = "pcmanfm-qt.desktop";
-        "audio/mpeg" = "vlc.desktop";
-        "audio/mp3" = "vlc.desktop";
-        "audio/wav" = "vlc.desktop";
-        "audio/flac" = "vlc.desktop";
-        "video/mp4" = "vlc.desktop";
-        "video/x-matroska" = "vlc.desktop";
-        "video/webm" = "vlc.desktop";
-        "video/x-msvideo" = "vlc.desktop";
-      };
-    };
-  };
-}

modules/home/default.nix

@@ -1,8 +1,16 @@
-{ username, ... }: {
+{ username, ctp-opt, ... }: {
   imports = [
+    ./core/shell.nix
     ./core/cli.nix
-    ./core/zsh.nix
   ];
+  
+  catppuccin = {
+    enable = true;
+    hyprlock.useDefaultConfig = false;
+    
+    flavor = ctp-opt.flavor;
+    accent = ctp-opt.accent;
+  };
 
   home = {
     stateVersion = "24.11";

modules/home/desktop.nix

@@ -1,23 +1,23 @@
 { pkgs, ... }: {
   imports = [
-    ./rice/hyprland.nix
+    ./rice/compositor.nix
-    ./rice/hyprlock.nix
+    ./rice/lockscreen.nix
-    ./rice/waybar.nix
+    ./rice/keybinds.nix
-    ./rice/rofi.nix
+    ./rice/logout.nix
-    ./rice/wlogout.nix
+    ./rice/notifs.nix
-    ./rice/hypridle.nix
-    ./rice/dunst.nix
     ./rice/cursor.nix
     ./rice/theme.nix
-    ./rice/keybinds.nix
+    ./rice/menu.nix
-    ./misc/kde-connect.nix
+    ./rice/idle.nix
+    ./rice/bar.nix
+    ./misc/handlers.nix
+    ./misc/phone.nix
     ./core/apps.nix
-    ./core/zed.nix
+    ./core/code.nix
-    ./core/xdg.nix
   ];
 
   services = {
-    swww.enable = true;
+    awww.enable = true;
     hyprpolkitagent.enable = true;
   };
 

modules/home/misc/handlers.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+let
+  ferium-installer-script = pkgs.writeShellScript "ferium-installer" ''
+    mod=$(echo "$1" | awk -F'/' '{print $NF}')
+    ${pkgs.kitty}/bin/kitty sh -c "ferium add $mod; read"
+  '';
+in
+{
+  xdg.desktopEntries."ferium-installer" = {
+    name = "Intercept Modrinth Links to Ferium";
+    exec = "${ferium-installer-script} %u";
+    mimeType = [ "x-scheme-handler/modrinth" ];
+  };
+
+  xdg.mimeApps.defaultApplications = {
+    "x-scheme-handler/modrinth" = "ferium-installer.desktop";
+  }; 
+}

modules/home/rice/bar.nix

@@ -45,8 +45,8 @@
           interval = 1;
           format = " {usage:2}% {avg_frequency}GHz";
           on-click = "auto-cpufreq-gtk";
-          on-click-right = "pkexec tlp power-saver && notify-send ${hostname} \"TLP set to: $(tlp-stat -s | grep 'Power profile' | awk -F '=' '{print $2}' | xargs)\"";
+          on-click-right = "pkexec auto-cpufreq --force powersave && notify-send ${hostname} \"CPU Governor Powersave Overide\"";
-          on-click-middle = "pkexec tlp start && notify-send ${hostname} \"TLP set to: $(tlp-stat -s | grep 'Power profile' | awk -F '=' '{print $2}' | xargs)\"";
+          on-click-middle = "pkexec auto-cpufreq --force reset && notify-send ${hostname} \"CPU Governor Overide Reset\"";
         };
         "memory" = {
           states = {

modules/home/rice/compositor.nix

@@ -30,7 +30,7 @@
 
         #"dunst &"
         #"hypridle &"
-        #"swww-daemon &"
+        #"awww-daemon &"
         "uwsm app -s s -- waybar &"
         "uwsm app -s b -- sunshine &"
 
@@ -51,6 +51,7 @@
         "GTK_APPLICATION_PREFER_DARK_THEME,1"
         "GTK_THEME,Adwaita:dark"
         "QT_QPA_PLATFORMTHEME,kvantum"
+        "QT_STYLE_OVERRIDE,kvantum"
       ];
 
       general = {
@@ -140,7 +141,7 @@
       layerrule = [
         "no_anim on, match:namespace selection" # hyprshot overlay
         "no_anim on, match:namespace hyprpicker"
-        "animation fade, match:namespace swww-daemon"
+        "animation fade, match:namespace awww-daemon"
         "animation fade, match:namespace logout_dialog"
         "animation fade, match:namespace hyprshutdown"
         "above_lock 2, match:namespace notifications"
@@ -155,7 +156,8 @@
         "stay_focused on, suppress_event fullscreen maximize, dim_around on, float on, match:title ^(Hyprland Polkit Agent|Unlock Login Keyring|KeePassXC -.*)$"
         "float on, match:title ^(Open|Print|Save|Rename|Move|Copy|Confirm).*"
         "float on, match:title ^(Preferences|Settings|Options|About|Passbolt).*"
-        "float on, match:title ^(MainPicker|Volume Control|File Operation Progress|Network Connections|Choose an Application| )$"
+        "float on, match:title ^(MainPicker|Volume Control|File Operation Progress|Network Connections|Choose an Application)$"
+        "float on, match:title ^(Please wait)$"
       ];
     };
   };

modules/home/rice/idle.nix

@@ -6,7 +6,7 @@
         lock_cmd = "hyprlock";
         unlock_cmd = "pkill -USR1 hyprlock";
         before_sleep_cmd = "hyprctl dispatch dpms off && hyprlock";
-        after_sleep_cmd = "hyprctl dispatch dpms on && pkill -USR2 hyprlock";
+        after_sleep_cmd = "hyprctl dispatch dpms on";
       };
       listener = [
         {

modules/home/rice/keybinds.nix

@@ -95,10 +95,10 @@
         "SUPER, N, exec, uwsm app -- rofi-network-manager"
 
         "SUPER, J, exec, notify-send -u critical ${hostname} 'Caffein Mode' && notify-send '(SUPER+X to reset)' && systemctl --user stop hypridle"
-        "SUPER, K, exec, notify-send -u critical ${hostname} 'Focus Mode' && notify-send '(SUPER+X to reset)' && systemctl --user stop swww && pkill -SIGUSR1 waybar && hyprctl --batch 'keyword decoration:inactive_opacity 1.0; keyword decoration:blur:enabled 0; keyword general:gaps_in 0; keyword general:gaps_out 0; keyword general:border_size 1; keyword decoration:rounding 0; keyword decoration:shadow:enabled false'"
+        "SUPER, K, exec, notify-send -u critical ${hostname} 'Focus Mode' && notify-send '(SUPER+X to reset)' && systemctl --user stop awww && pkill -SIGUSR1 waybar && hyprctl --batch 'keyword decoration:inactive_opacity 1.0; keyword decoration:blur:enabled 0; keyword general:gaps_in 0; keyword general:gaps_out 0; keyword general:border_size 1; keyword decoration:rounding 0; keyword decoration:shadow:enabled false'"
         "SUPER, B, submap, disabled-all-keybinds"
         "SUPER, H, exec, notify-send ${hostname} 'Animations Off' && hyprctl keyword animations:enabled 0"
-        "SUPER, X, exec, dunstctl close-all && hyprctl reload && hyprctl dispatch submap reset && pkill -SIGUSR2 waybar && systemctl --user restart swww hypridle fusuma"
+        "SUPER, X, exec, dunstctl close-all && hyprctl reload && hyprctl dispatch submap reset && pkill -SIGUSR2 waybar && systemctl --user restart awww hypridle fusuma"
         "SUPER, Z, exec, dunstctl close-all"
 
         "SUPER SHIFT, S, exec, hyprshot -zm region -o ~/Pictures/Screenshots; killall -9 hyprpicker hyprshot"
@@ -106,9 +106,7 @@
         ", PRINT, exec, hyprshot -zm region -o ~/Pictures/Screenshots; killall -9 hyprpicker hyprshot"
 
         "SUPER, R, exec, rofi -show drun -show-icons -display-drun '' -run-command \"uwsm app -- {cmd}\""
-        "SUPER, RETURN, exec, rofi -show window -show-icons -drun-display '' -window-format '{c} {t}'"
+        "SUPER, RETURN, exec, ls ~/Projects | rofi -dmenu -p \"Open Project\" | xargs -I {} sh -c 'mkdir -p ~/Projects/\"{}\" && zeditor ~/Projects/\"{}\"'"
-        "SUPER CTRL, RETURN, exec, rofi rofi -dmenu -p 'run nixpkgs' -lines 0 < /dev/null | xargs -r -I {} kitty -- nix run 'nixpkgs#{}'"
-        "SUPER ALT, RETURN, exec, rofi rofi -dmenu -p 'shell nixpkgs' -lines 0 < /dev/null | xargs -r -I {} kitty -- nde`ix shell 'nixpkgs#{}'"
         "SUPER, V, exec, rofi -modi clipboard:cliphist-rofi-img -show clipboard -show-icons"
         # "SUPER, B, exec, rofi -show calc -modi calc -no-show-match -no-sort"
 
@@ -126,8 +124,9 @@
         "SUPER, W, fullscreen, 1"
         "SUPER, S, fullscreen, 0"
         "SUPER, F, togglefloating,"
-        "SUPER, G, togglesplit,"
+        "SUPER, G, layoutmsg, togglesplit"
         "SUPER, L, exec, loginctl lock-session"
+        "SUPER SHIFT, L, exec, hyprctl dispatch dpms off && loginctl lock-session && sleep 1 && hyprctl dispatch dpms on"
         
         "SUPER, down, togglespecialworkspace, hidden"
         "SUPER SHIFT, down, movetoworkspace, special:hidden"

modules/home/rice/theme.nix

@@ -1,23 +1,16 @@
 { lib, pkgs, ctp-opt, rice, ... }: {
-  catppuccin = {
-    enable = true;
-    hyprlock.useDefaultConfig = false;
-    
-    flavor = ctp-opt.flavor;
-    accent = ctp-opt.accent;
-  };
-  
   dconf = {
     enable = true;
     settings."org/gnome/desktop/interface" = {
       color-scheme = "prefer-dark";
-      gtk-theme = "Adwaita-dark";
+      gtk-theme = lib.mkForce "Adwaita-dark";
     };
   };
 
   gtk = {
     enable = true;
     gtk3.extraConfig.gtk-application-prefer-dark-theme = 1;
+    gtk4.theme = null;
     iconTheme = {
       name = "Papirus-Dark";
       package = lib.mkForce pkgs.papirus-icon-theme;
@@ -30,6 +23,11 @@
   
   qt = {
     enable = true;
+    kvantum = {
+      enable = true;
+      themes = with pkgs; [ catppuccin-kvantum ];
+      settings.General.theme = "catppuccin-${ctp-opt.flavor}-${ctp-opt.accent}";
+    };
     platformTheme.name = "kvantum";
     style = {
       name = "kvantum";

modules/scans/homelab.nix

@@ -5,26 +5,35 @@
 
 {
   imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/e33ab472-e518-4b4d-89d1-d75cfecb9f06";
+    { device = "/dev/disk/by-uuid/e5a7d45d-b9e9-43e7-ba5f-f4e67821bd0b";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/880C-9F0A";
+    { device = "/dev/disk/by-uuid/EC01-36B5";
       fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];
 
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+} 

modules/system/homelab/ai.nix

@@ -5,15 +5,16 @@
       host = "127.0.0.1";
       port = 11434;
       user = "ollama";
-      home = "/mnt/data/ollama";
+      home = "/mnt/data/apps/ollama";
       loadModels = [ 
         "gemma3n:e4b" # "gemma3n:e2b" 
-        # "codellama:7b" "starcoder:3b"
+        "qwen3-coder-next:cloud" # "codellama:7b" "starcoder:3b"
       ];
     };
     open-webui = {
       enable = true;
       port = 8080;
+      environmentFile = "/mnt/data/apps/ollama/.env";
       environment = {
         OLLAMA_BASE_URL = "http://localhost:11434";
         # WEBUI_AUTH = "False";

modules/system/homelab/auth.nix

@@ -1,8 +1,8 @@
 { homelab, ... }: {
   services.pocket-id = {
     enable = true;
-    credentials.ENCRYPTION_KEY = "/mnt/data/pocketid/encryption-key";
+    credentials.ENCRYPTION_KEY = "/mnt/data/apps/pocketid/encryption-key";
-    dataDir = "/mnt/data/pocketid/data";
+    dataDir = "/mnt/data/apps/pocketid/data";
     settings = {
       PORT = "1411";
       HOST = "127.0.0.1";

modules/system/homelab/cdn.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [ copyparty-most ];
+
+  systemd.services.copyparty = {
+    description = "File Sharing Service";
+    enable = true;
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.copyparty-most}/bin/copyparty -c /mnt/share/cfg/files.conf";
+      Restart = "on-failure";
+    };
+  };
+}

modules/system/homelab/code.nix

@@ -0,0 +1,12 @@
+{ username, ... }: {
+  services.code-server = {
+    enable = true;
+    host = "127.0.0.1";
+    port = 8443;
+    user = username;
+    auth = "none";
+    disableTelemetry = true;
+    extensionsDir = "/mnt/data/apps/code-server/extensions";
+    userDataDir = "/mnt/data/apps/code-server/user-data";
+  };
+}

modules/system/homelab/containers.nix

@@ -1,5 +1,6 @@
 { homelab, lib, ... }: let
-  stacks-dir = "/mnt/data/dockge/stacks";
+  dockge-dir = "/mnt/data/apps/dockge";
+  stacks-dir = "${dockge-dir}/stacks";
 in {
   virtualisation.oci-containers.containers."dockge" = {
     image = "louislam/dockge:nightly";
@@ -8,7 +9,7 @@ in {
     };
     volumes = [
       "${stacks-dir}:${stacks-dir}:rw"
-      "/mnt/data/dockge/data:/app/data:rw"
+      "${dockge-dir}/data:/app/data:rw"
       "/var/run/docker.sock:/var/run/docker.sock:rw"
     ];
     ports = [

modules/system/homelab/dash.nix

@@ -53,31 +53,9 @@
     [ "Google Web Results Only" "!s" "https://google.com/search?udm=14&q={QUERY}" ]
   ];
   monitor = [
-    [ "Hypervisor" "https://10.3.14.69:8006/" ]
-    [ "Router" "http://10.3.14.1:80/" ]
     [ "DNS" "http://localhost:8088/" ]
-    [ "CDN" "http://nas.local:3000/" ]
     [ "Proxy" "https://proxy.${homelab.domain}/" ]
   ];
-  external = [
-    [ "Proxmox" "proxmox" "https://server.proxy.${homelab.domain}" "http://server.dns.${homelab.domain}:8006/" ]
-    [ "OpenWRT" "openwrt" "https://router.proxy.${homelab.domain}" "http://router.dns.${homelab.domain}:80/" ]
-    [ "HomeAssistant" "homeassistant" "https://home.proxy.${homelab.domain}" "http://home.dns.${homelab.domain}:8123/" ]
-    [ "OpenMediaVault" "openmediavault" "https://nas.local:80" "http://nas.local:80/" ]
-    [ "ApacheHTTPD" "apache" "https://nas.local:3000" "http://nas.local:3000/" ]
-  ];
-  services = [
-    [ "PocketID" "authentik" "https://auth.${homelab.domain}" "http://localhost:1411/" ]
-    [ "Forgejo" "forgejo" "https://git.${homelab.domain}" "http://localhost:5080/" ]
-    [ "AdGuardHome" "adguard" "https://dns.proxy.${homelab.domain}" "http://localhost:8088/" ]
-    [ "Traefik" "traefikproxy" "https://dynamic.proxy.${homelab.domain}/dashboard/" "http://localhost:81/dashboard/" ]
-    [ "Immich" "immich" "https://gallery.proxy.${homelab.domain}" "http://localhost:2283/" ]
-    [ "Jellyfin" "jellyfin" "https://media.proxy.${homelab.domain}" "http://localhost:8096/" ]
-    [ "VaultWarden" "vaultwarden" "https://pass.proxy.${homelab.domain}" "http://localhost:8060/" ]
-    [ "Ollama" "ollama" "https://ai.proxy.${homelab.domain}" "http://localhost:8080/" ]
-    [ "Dockge" "docker" "https://containers.proxy.${homelab.domain}" "http://localhost:5001/" ]
-    [ "Guacamole" "apacheguacamole" "https://remote.proxy.${homelab.domain}/guacamole" "http://localhost:8085/guacamole/" ]
-  ];
   bookmarks = [
     [ "Tailscale" "tailscale" "https://login.tailscale.com/" ]
     [ "Cloudflare" "cloudflare" "https://dash.cloudflare.com/" ]
@@ -96,7 +74,6 @@ in {
   };
   services.glance = {
     enable = true;
-    environmentFile = "/var/lib/glance/.env";
     settings = {
       server = {
         host = "127.0.0.1";
@@ -112,6 +89,101 @@ in {
       };
 
       pages = [
+        {
+          name = "Dashboard";
+          show-mobile-header = true;
+          width = "slim";
+          columns = [
+            {
+              size = "small";
+              widgets = [
+                {
+                  type = "monitor";
+                  title = "Critical Systems";
+                  cache = "15s";
+                  style = "compact";
+                  show-failing-only = true;
+                  sites = map (e: {
+                    same-tab = true;
+                    allow-insecure = true;
+                    title = builtins.elemAt e 0;
+                    url = builtins.elemAt e 1;
+                  }) monitor;
+                }
+                {
+                  type = "dns-stats";
+                  title = "DNS Stats";
+                  service = "adguard";
+                  url = "http://localhost:8088/";
+                  hour-format = "12h";
+                }
+                {
+                  type = "bookmarks";
+                  groups = [
+                    {
+                      links = [{
+                        same-tab = true;
+                        title = "NixFlake";
+                        icon = "si:nixos";
+                        url = "https://flake.satr14.my.id";
+                      }];
+                    }
+                    {
+                      links = map (e: {
+                        same-tab = true;
+                        title = builtins.elemAt e 0;
+                        icon = "si:${builtins.elemAt e 1}";
+                        url = builtins.elemAt e 2;
+                        alt-status-codes = [ 401 ];
+                      }) bookmarks;
+                    }
+                  ];
+                }
+                {
+                  type = "to-do";
+                  id = "tasks";
+                }
+              ];
+            }
+            {
+              size = "full";
+              widgets = [
+                {
+                  type = "server-stats";
+                  servers = [{
+                    type = "local";
+                    mountpoints = {
+                      "/boot".hide = true;
+                      "/nix/store".hide = true;
+                      "/var/lib/vaultwarden".hide = true;
+                      "/var/lib/private/cryptpad".hide = true;
+                      "/var/lib/acme/proxy.satr14.my.id".hide = true;
+                    };
+                  }];
+                }
+                {
+                  type = "monitor";
+                  cache = "1m";
+                  title = "Services";
+                  sites = map (e: { 
+                    same-tab = true;
+                    allow-insecure = true;
+                    title = builtins.elemAt e 0;
+                    icon = "si:${builtins.elemAt e 1}";
+                    url = builtins.elemAt e 2;
+                    check-url = builtins.elemAt e 3;
+                  }) homelab.dash;
+                }
+                {
+                  type = "docker-containers";
+                  title = "Containers";
+                  format-container-names = true;
+                  hide-by-default = true;
+                }
+              ];
+            }
+          ];
+        }
         {
           name = "Home";
           show-mobile-header = true;
@@ -210,107 +282,6 @@ in {
             }
           ];
         }
-        {
-          name = "Dashboard";
-          show-mobile-header = true;
-          width = "slim";
-          columns = [
-            {
-              size = "small";
-              widgets = [
-                {
-                  type = "monitor";
-                  title = "Critical Systems";
-                  cache = "15s";
-                  style = "compact";
-                  show-failing-only = true;
-                  sites = map (e: {
-                    same-tab = true;
-                    allow-insecure = true;
-                    title = builtins.elemAt e 0;
-                    url = builtins.elemAt e 1;
-                  }) monitor;
-                }
-                {
-                  type = "dns-stats";
-                  title = "DNS Stats";
-                  service = "adguard";
-                  url = "http://localhost:8088/";
-                  hour-format = "12h";
-                }
-                {
-                  type = "bookmarks";
-                  groups = [
-                    {
-                      links = [{
-                        same-tab = true;
-                        title = "NixFlake";
-                        icon = "si:nixos";
-                        url = "https://flake.satr14.my.id";
-                      }];
-                    }
-                    {
-                      links = map (e: {
-                        same-tab = true;
-                        title = builtins.elemAt e 0;
-                        icon = "si:${builtins.elemAt e 1}";
-                        url = builtins.elemAt e 2;
-                      }) bookmarks;
-                    }
-                  ];
-                }
-                {
-                  type = "to-do";
-                  id = "tasks";
-                }
-              ];
-            }
-            {
-              size = "full";
-              widgets = [
-                {
-                  type = "server-stats";
-                  servers = [{
-                    type = "local";
-                    mountpoints."/nix/store".hide = true;
-                  }];
-                }
-                {
-                  type = "monitor";
-                  cache = "1m";
-                  title = "External";
-                  sites = map (e: { 
-                    same-tab = true;
-                    allow-insecure = true;
-                    title = builtins.elemAt e 0;
-                    icon = "si:${builtins.elemAt e 1}";
-                    url = builtins.elemAt e 2;
-                    check-url = builtins.elemAt e 3;
-                  }) external;
-                }
-                {
-                  type = "monitor";
-                  cache = "1m";
-                  title = "Services";
-                  sites = map (e: { 
-                    same-tab = true;
-                    allow-insecure = true;
-                    title = builtins.elemAt e 0;
-                    icon = "si:${builtins.elemAt e 1}";
-                    url = builtins.elemAt e 2;
-                    check-url = builtins.elemAt e 3;
-                  }) services;
-                }
-                {
-                  type = "docker-containers";
-                  title = "Containers";
-                  format-container-names = true;
-                  hide-by-default = true;
-                }
-              ];
-            }
-          ];
-        }
       ];
     };
   };

modules/system/homelab/db.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }: {
+  services.postgresql = {
+    enable = true;
+    dataDir = "/mnt/data/apps/postgresql"; 
+    package = pkgs.postgresql_16;
+  };
+}

modules/system/homelab/docs.nix

@@ -0,0 +1,46 @@
+{ lib, pkgs, homelab, ... }: let
+  domain = "docs.${homelab.domain}";
+  sandbox = "docs-sandbox.${homelab.domain}";
+in {
+  services.cryptpad = {
+    enable = true;
+    settings = {
+      websocketPort = 7091;
+      httpPort = 7090;
+      httpAddress = "127.0.0.1";
+      httpUnsafeOrigin = "https://${domain}";
+      httpSafeOrigin = "https://${sandbox}";
+      blockDailyCheck = true;
+      disableIntegratedEviction = true;
+      adminKeys = [ 
+        "[satr14@docs.satr14.my.id/f1A82fmBuqQka2bNqrCb1WbB9r2ex5A3rdys5xLX3Hc=]"
+      ];
+    };
+  };
+  
+  systemd.tmpfiles.rules = lib.singleton "L+ /var/lib/cryptpad/customize/application_config.js - - - - ${pkgs.writeText "cryptpad-application-config.js" ''
+    (() => {
+      const factory = (AppConfig) => {
+          AppConfig.disableAnonymousPadCreation = true;
+          AppConfig.disableAnonymousStore = true;
+          AppConfig.defaultDarkTheme = true;
+          return AppConfig;
+      };
+  
+      if (typeof(module) !== 'undefined' && module.exports) {
+          module.exports = factory(
+              require('../www/common/application_config_internal.js')
+          );
+      } else if ((typeof(define) !== 'undefined' && define !== null) && (define.amd !== null)) {
+          define(['/common/application_config_internal.js'], factory);
+      }
+    })();
+  ''}";
+  
+  fileSystems."/var/lib/private/cryptpad" = {
+    device = "/mnt/data/apps/cryptpad";
+    depends = [ "/mnt/data" ]; 
+    options = [ "bind" "nofail" ];
+    fsType = "none";
+  };
+}

modules/system/homelab/gallery.nix

@@ -1,4 +1,4 @@
-{ lib, homelab, ... }: {
+{ lib, ... }: {
   users.users.immich.extraGroups = [ "video" "render" ];
 
   services = {
@@ -6,7 +6,7 @@
       enable = true;
       port = 2283;
       host = "127.0.0.1";
-      mediaLocation = "/mnt/gallery";
+      mediaLocation = "/mnt/data/gallery";
       accelerationDevices = null;
       environment.DB_URL = lib.mkForce "postgresql:///immich?host=/var/run/postgresql&user=immich"; # https://github.com/immich-app/immich/issues/26140
       machine-learning.enable = true;

modules/system/homelab/git.nix

@@ -1,48 +1,55 @@
 { pkgs, homelab, ... }: {
-  services.forgejo = {
+  services = {
-    enable = true;
+    forgejo = {
-    lfs.enable = true;
+      enable = true;
-    stateDir = "/mnt/data/forgejo";
+      lfs.enable = true;
-    package = pkgs.forgejo;
+      stateDir = "/mnt/data/apps/forgejo";
-    #secrets = {
+      package = pkgs.forgejo;
-    #  oauth2.JWT_SECRET = "/mnt/data/forgejo/custom/conf/oauth2_jwt_secret";
+      settings = {
-    #  server.LFS_JWT_SECRET = "/mnt/data/forgejo/custom/conf/lfs_jwt_secret";
+        server = {
-    #  security = {
+          DISABLE_SSH = false;
-    #    INTERNAL_TOKEN = "/mnt/data/forgejo/custom/conf/internal_token";
+          START_SSH_SERVER = true;
-    #    SECRET_KEY = "/mnt/data/forgejo/custom/conf/secret_key";
+          SSH_DOMAIN = "main.dns.${homelab.domain}";
-    #  };
+          SSH_LISTEN_HOST = "0.0.0.0";
-    #};
+          SSH_LISTEN_PORT = 5822;
-    settings = {
+          SSH_PORT = 5822;
-      server = {
+          DOMAIN = "git.${homelab.domain}";
-        DISABLE_SSH = false;
+          HTTP_ADDR = "127.0.0.1";
-        START_SSH_SERVER = true;
+          HTTP_PORT = 5080;
-        SSH_DOMAIN = "main.dns.${homelab.domain}";
+          PROTOCOL = "http";
-        SSH_LISTEN_HOST = "0.0.0.0";
+          ROOT_URL = "https://git.${homelab.domain}";
-        SSH_LISTEN_PORT = 5822;
+          LANDING_PAGE = "explore";
-        SSH_PORT = 5822;
+        };
-        DOMAIN = "git.${homelab.domain}";
+        oauth2_client.ENABLE_AUTO_REGISTRATION=true;
-        HTTP_ADDR = "127.0.0.1";
+        service = {
-        HTTP_PORT = 5080;
+          DISABLE_REGISTRATION = true;
-        PROTOCOL = "http";
+          ENABLE_OPENID_SIGNIN = false;
-        ROOT_URL = "https://git.${homelab.domain}";
+          ENABLE_OPENID_SIGNUP = false;
-        LANDING_PAGE = "explore";
+          ENABLE_INTERNAL_SIGNIN = false; 
-      };
+          SHOW_REGISTRATION_BUTTON = false;
-      oauth2_client.ENABLE_AUTO_REGISTRATION=true;
+          ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
-      service = {
+          ALLOW_ONLY_INTERNAL_REGISTRATION = false;
-        DISABLE_REGISTRATION = true;
+          REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = true;
-        ENABLE_OPENID_SIGNIN = false;
+        };
-        ENABLE_OPENID_SIGNUP = false;
+        user.ENABLE_FOLLOWING = false;
-        ENABLE_INTERNAL_SIGNIN = true; # TODO: set false after migration complete
+        repository = {
-        SHOW_REGISTRATION_BUTTON = false;
+          DISABLE_STARS = true;
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+          DISABLE_FORKS = true;
-        ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+          ENABLE_PUSH_CREATE_USER = true;
-        REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = true;
+        };
-      };
-      user.ENABLE_FOLLOWING = false;
-      repository = {
-        DISABLE_STARS = true;
-        DISABLE_FORKS = true;
       };
     };
+    gitea-actions-runner.instances.nixos-deploy = {
+      enable = true;
+      name = "nixos-server-runner";
+      url = "http://localhost:5080"; #"https://git.proxy.${homelab.domain}";
+      tokenFile = "/mnt/data/apps/forgejo/token-runner"; 
+      labels = [ "self-hosted:host" ];
+      hostPackages = with pkgs; [ bash coreutils git nix openssh bun ];
+    };
+  };
+  systemd.services = {
+    "gitea-runner-nixos-deploy".restartIfChanged = false;
+    "forgejo".restartIfChanged = false;
   };
 }

modules/system/homelab/mc.nix

@@ -0,0 +1,114 @@
+{ inputs, lib, pkgs, ... }: let
+  production = true;
+  ram-allocation-mb = 12288;
+  rcon-pass = "howdy";
+  modpack = let
+    commit = "8523f89493ace13087eb68cd9fe3b5eb4f669440";
+    path = if production then "commit/${commit}" else "branch/main";
+  in pkgs.fetchPackwizModpack {
+    packHash = "sha256-xB9Oc/aneogSQ9r7L42vyVM6xwq+QkoTaXYNuUzeo6M=";
+    url = "https://git.satr14.my.id/satr14/server-modpack/raw/${path}/pack.toml";
+  };
+  
+in {
+  imports = [ inputs.mc.nixosModules.minecraft-servers ];
+  nixpkgs.overlays = [ inputs.mc.overlay ];
+  
+  powerManagement.cpuFreqGovernor = "powersave"; # performance governor causes overheating and thermal throttling, works fine with powesave
+  boot.kernel.sysctl = {
+    "vm.nr_hugepages" = (ram-allocation-mb / 2) + 512; # (heap_mb / 2MB per page) + 512 pages (1GB) for ZGC off-heap overhead
+    "vm.swappiness" = 10;
+  };
+  
+  services.minecraft-servers = {
+    enable = true;
+    eula = true;
+    managementSystem.systemd-socket.enable = true;
+    # ^^^ https://github.com/Infinidoge/nix-minecraft/issues/119
+    
+    # TODO: figure out how to set gamerules on start
+    # gamerules to disable: locator_bar, mob_explosion_drop_decay, (and possibly) reduced_debug_info, global_sound_events 
+    # gamerules to enable (temporarily): noend:disable_end
+   
+    servers.da-s3 = {
+      enable = true;
+      autoStart = true;
+      restart = "always";
+      enableReload = production;
+      # extraReload = ''
+      #   function rcon() {
+      #     ${pkgs.rcon-cli}/bin/rcon-cli -p ${rcon-pass} $@
+      #   }
+
+      #   rcon "gamerule locator_bar false"
+      #   rcon "gamerule mob_explosion_drop_decay false"
+      #   rcon "gamerule reduced_debug_info false"
+      #   rcon "gamerule global_sound_events false"
+      # '';
+      
+      operators = lib.mkIf (!production) {
+        "satr14" = {
+          uuid = "54441a30-fe73-46e7-adca-c476bd4fc6d2";
+          bypassesPlayerLimit = true;
+          level = 4;
+        };
+      };
+      
+      serverProperties = {
+        # server-ip = "localhost";
+        server-port = 25565;
+        server-name = "Minecraft Server";
+        motd = "§lSeason 3§r - §dExplorers Creativity 🔥";
+        log-ips = false; # TODO: figure out how to get ips from cloudflared tunnel
+        
+        difficulty = "normal";
+        gamemode = "survival";
+        max-world-size = 25000;
+        spawn-protection = 0;
+        pvp = true;
+        
+        online-mode = true;
+        enable-query = true;
+        enforce-secure-profile = false;
+        pevent-proxy-connections = false;
+        allow-flight = false;
+        player-idle-timeout = 0;
+        
+        view-distance = 12;
+        simulation-distance = 4;
+        
+        enable-rcon = true;
+        sync-chunk-writes = false;
+        "rcon.password" = rcon-pass;
+        "rcon.port" = 25575;
+      };
+      
+      symlinks = lib.mapAttrs'
+        (name: _: lib.nameValuePair "mods/${name}" "${modpack}/mods/${name}")
+        (builtins.readDir "${modpack}/mods");
+      
+      package = pkgs.fabricServers.fabric-1_21_11.override {
+        jre_headless = pkgs.javaPackages.compiler.temurin-bin.jdk-25;
+        loaderVersion = "0.19.2";
+      };
+
+      jvmOpts = let flags = [
+        "-Xms${toString ram-allocation-mb}M"
+        "-Xmx${toString ram-allocation-mb}M"
+        
+        "-XX:+UseZGC" # Use ZGC (requires Java v25+, 8+ CPU cores, 10GB+ RAM)
+        "-XX:+UseCompactObjectHeaders" # Use compact object headers (requires Java v16+, saves a couple of bits per object)
+        
+        "--add-modules=jdk.incubator.vector" # Exposes SIMD instructions (requires full JDK, useful with performance mods)
+        "-XX:+UseLargePages" # Large pages support (requires hugepages configured on the system)
+        "-XX:+AlwaysPreTouch" # Pre-allocates memory on startup, OS claims it immediately for JVM instead of negotiating it
+        "-XX:+DisableExplicitGC" # Disables mods from manually invoking the GC
+        "-XX:+PerfDisableSharedMem" # Disables constant /tmp writes for JVM metrics
+        "-XX:ZAllocationSpikeTolerance=5" # Helps when server is active with many players
+        "-XX:SoftMaxHeapSize=${toString (ram-allocation-mb - 2048)}M" # Leave 2GB headroom
+        "-XX:ZCollectionInterval=1" # Force a GC cycle at minimum every second
+        "-XX:ConcGCThreads=8" # Threads ZGC uses for concurrent work
+      ]; in lib.concatStringsSep " " flags;
+    };
+  };
+}

modules/system/homelab/media.nix

@@ -5,6 +5,7 @@
   services = {
     jellyfin = {
       enable = true;
+      dataDir = "/mnt/data/apps/jellyfin";
       hardwareAcceleration = {
         enable = true;
         device = "/dev/dri/renderD128";
@@ -43,4 +44,4 @@
     #   port = 8191;
     # };
   };
-}
+}

modules/system/homelab/notify.nix

@@ -0,0 +1,9 @@
+{ homelab, ... }: {
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      listen-http = "127.0.0.1:8067";
+      base-url = "https://ntfy.proxy.${homelab.domain}";
+    };
+  };
+}

modules/system/homelab/pass.nix

@@ -2,13 +2,19 @@
   services.vaultwarden = {
     enable = true;
     domain = "pass.proxy.${homelab.domain}";
-    backupDir = "/mnt/data/vaultwarden/backups";
+    backupDir = "/mnt/data/apps/vaultwarden/backups";
-    environmentFile = "/mnt/data/vaultwarden/.env";
+    environmentFile = "/mnt/data/apps/vaultwarden/.env";
     config = {
       ROCKET_PORT = 8060;
       ROCKET_ADDRESS = "127.0.0.1";
       ROCKET_LOG = "critical";
-      SIGNUPS_ALLOWED = true;
     };
   };
+  
+  fileSystems."/var/lib/vaultwarden" = {
+    device = "/mnt/data/apps/vaultwarden/data";
+    depends = [ "/mnt/data" ];
+    options = [ "bind" "nofail" ];
+    fsType = "none";
+  };
 }

modules/system/homelab/proxy.nix

@@ -1,28 +1,5 @@
-{ homelab, lib, ... }: let
+{ pkgs, homelab, lib, ... }: let
-  base = "proxy.${homelab.domain}";
+  htpasswd = "/mnt/data/apps/nginx/htpasswd";
-  hosts = {
-    "server"     = { dest = "https://server.dns.${homelab.domain}:8006"; auth = false; };
-    "router"     = { dest = "http://router.dns.${homelab.domain}:80"; auth = false; };
-    "home"       = { dest = "http://home.dns.${homelab.domain}:8123"; auth = false; };
-    
-    "dynamic"    = { dest = "http://127.0.0.1:8082"; auth = true; };
-    "dns"        = { dest = "http://localhost:8088"; auth = true; };
-    
-    "containers" = { dest = "http://localhost:5001"; auth = false; };
-    "gallery"    = { dest = "http://localhost:2283"; auth = false; };
-    "remote"     = { dest = "http://localhost:8085"; auth = false; };
-    "media"      = { dest = "http://localhost:8096"; auth = false; };
-    "pass"       = { dest = "http://localhost:8060"; auth = false; };
-    "auth"       = { dest = "http://localhost:1411"; auth = false; };
-    "git"        = { dest = "http://localhost:5080"; auth = false; };
-    "ai"         = { dest = "http://localhost:8080"; auth = false; };
-    "@"          = { dest = "http://localhost:5070"; auth = false; };
-  };
-  redirects = {
-    "www"  = "https://proxy.${homelab.domain}";
-    "dash" = "https://${homelab.domain}";
-    "immich" = "https://gallery.proxy${homelab.domain}";
-  };
   exta-conf = ''
     # proxy_set_header X-Auth-User $remote_user;
     proxy_read_timeout 600s;
@@ -41,25 +18,35 @@ in {
   security.acme = {
     acceptTerms = true;
     defaults.email = "admin@${homelab.domain}";
-    certs."${base}" = {
+    certs."${homelab.proxy.base}" = {
-      domain = "*.${base}";
+      domain = "*.${homelab.proxy.base}";
-      extraDomainNames = [ base ];
+      extraDomainNames = [ homelab.proxy.base ];
+      environmentFile = "/mnt/data/apps/acme/cf-api.env";
       dnsProvider = "cloudflare";
-      environmentFile = "/var/lib/acme/cloudflare.env";
       # ^^^contents: CLOUDFLARE_DNS_API_TOKEN=XXXXX
     };
   };
   
+  fileSystems."/var/lib/acme/${homelab.proxy.base}" = {
+    device = "/mnt/data/apps/acme/${homelab.proxy.base}";
+    depends = [ "/mnt/data" ];
+    options = [ "bind" "nofail" ];
+    fsType = "none";
+  };
+  
   services = {
     nginx = {
       enable = true;
+      package = pkgs.angie;
       recommendedProxySettings = true;
       recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
       virtualHosts = {
         "_" = {
           default = true;
           forceSSL = true;
-          useACMEHost = base;
+          useACMEHost = homelab.proxy.base;
           # locations."/".return = "404";
           locations."/" = {
             proxyPass = "http://127.0.0.1:81"; # traefik for docker container dynamic proxy
@@ -67,12 +54,12 @@ in {
             extraConfig = exta-conf;
           };
         };
-      } // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair "${subdomain}.${base}" {
+      } // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair "${subdomain}.${homelab.proxy.base}" {
-        useACMEHost = base;
+        useACMEHost = homelab.proxy.base;
         forceSSL = true;
-        locations."/".return = "301 ${base}";
+        locations."/".return = "301 ${cfg}";
-      }) redirects // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair (if subdomain == "@" then base else "${subdomain}.${base}") {
+      }) homelab.proxy.redirects // lib.mapAttrs' (subdomain: cfg: lib.nameValuePair (if subdomain == "@" then homelab.proxy.base else "${subdomain}.${homelab.proxy.base}") {
-        useACMEHost = base;
+        useACMEHost = homelab.proxy.base;
         forceSSL = true;
         extraConfig = ''
           access_log /var/log/nginx/${subdomain}.access.log;
@@ -81,13 +68,16 @@ in {
         locations."/" = {
           proxyPass = cfg.dest;
           proxyWebsockets = true;
-          basicAuthFile = if cfg.auth then "/var/lib/nginx/.htpasswd" else null;
+          basicAuthFile = if cfg.auth then htpasswd else null;
           extraConfig = exta-conf;
         };
-      }) hosts;
+      }) homelab.proxy.hosts;
     };
     traefik = {
       enable = true;
+      dynamicConfigOptions = {
+        http.middlewares.auth.basicAuth.usersFile = htpasswd;
+      };
       staticConfigOptions = {
         entryPoints = {
           traefik.address = "127.0.0.1:8082";
@@ -107,9 +97,8 @@ in {
         providers.docker = {
           endpoint = "unix:///var/run/docker.sock";
           exposedByDefault = false; 
-          defaultRule = "Host(`ct-{{ normalize .Name }}.${base}`)";
         };
       };
     };
   };
-}
+}

modules/system/homelab/remote.nix

@@ -1,18 +0,0 @@
-{ ... }: {
-  services = {
-    guacamole-server = {
-      enable = true;
-      host = "127.0.0.1";
-      port = 4822;
-    };
-    guacamole-client = {
-      enable = true;
-      enableWebserver = true;
-      settings = {
-        guacd-hostname = "127.0.0.1";
-        guacd-port = 4822;
-      };
-    };
-    tomcat.port = 8085;
-  };
-}

modules/system/homelab/search.nix

@@ -0,0 +1,21 @@
+{ ... }: {
+  services.searx = {
+    enable = true;
+    redisCreateLocally = true;
+    environmentFile = "/mnt/data/apps/searxng/.env";
+    settings = {
+      server = {
+        bind_address = "127.0.0.1";
+        port = 8091;
+        secret_key = "$SECRET_KEY";
+      };
+      general = {
+        debug = false;
+        donation_url = false;
+        contact_url = false;
+        privacy_policy_url = false;
+        enable_metrics = true;
+      };
+    };
+  };
+}

modules/system/homelab/share.nix

@@ -1,34 +0,0 @@
-{ ... }: {
-  services = {
-    httpd = {
-      enable = true;
-      virtualHosts."cdn" = {
-        listen = [{ ip = "127.0.0.1"; port = 3000; }];
-        documentRoot = "/mnt/share";
-      };
-    };
-
-    samba = {
-      enable = true;
-      settings = {
-        global = {
-          workgroup = "WORKGROUP";
-          "disable netbios" = "yes";
-          "allow insecure wide links" = "yes";
-          "server min protocol" = "SMB2_02";
-        };
-        "NAS" = {
-          path = "/mnt/share";
-          browseable = "yes";
-          "read only" = "no";
-          "create mask" = "0664";
-          "force create mode" = "0664";
-          "directory mask" = "0775";
-          "force directory mode" = "0775";
-          "follow symlinks" = "yes";
-          "wide links" = "yes";
-        };
-      };
-    };
-  };
-}

modules/system/homelab/tunnels.nix

@@ -1,19 +1,11 @@
-{ pkgs, lib, homelab, ... }: let
+{ pkgs, lib, homelab, ... }: {
-  routes = {
-    "git.${homelab.domain}"     = "http://localhost:5080";
-    "auth.${homelab.domain}"    = "http://localhost:1411";
-    "dash.${homelab.domain}"    = "http://localhost:5070";
-    "media.${homelab.domain}"   = "http://localhost:8096";
-    "gallery.${homelab.domain}" = "http://localhost:2284";
-  };
-in {
   services.cloudflared = {
     enable = true;
     tunnels.homelab = {
-      credentialsFile = "/mnt/data/cloudflared/homelab.json";
+      credentialsFile = "/mnt/data/apps/cloudflared/homelab.json";
-      certificateFile = "/mnt/data/cloudflared/cert.pem";
+      certificateFile = "/mnt/data/apps/cloudflared/cert.pem";
       default = "http_status:404";
-      ingress = routes;
+      ingress = homelab.routes;
     };
   };
   
@@ -31,7 +23,7 @@ in {
 
     script = lib.concatMapStringsSep "\n" (domain: ''
       echo "Ensuring DNS route for ${domain}..."
-      ${pkgs.cloudflared}/bin/cloudflared tunnel --origincert /mnt/data/cloudflared/cert.pem route dns ${homelab.cf-tunnel-id} ${domain} || true
+      ${pkgs.cloudflared}/bin/cloudflared tunnel --origincert /mnt/data/apps/cloudflared/cert.pem route dns --overwrite-dns $(cat /mnt/data/apps/cloudflared/homelab.json | ${pkgs.jq}/bin/jq -r .TunnelID) ${domain} || true
-    '') (builtins.attrNames routes);
+    '') (builtins.attrNames homelab.routes);
   };
 }

modules/system/misc/utilities.nix

@@ -1,60 +1,82 @@
 { pkgs, ... }: {
   environment.systemPackages = with pkgs; [
+    # Disk & Storage
     baobab
-    file-roller
-    gnome-network-displays
     gnome-disk-utility
-    
-    parted
-    smartmontools
-    lm_sensors
-    ntfs3g
-    virt-viewer
-    dconf2nix
-    pciutils
     gparted
+    parted
+    ntfs3g
     exfatprogs
-    pavucontrol
+    smartmontools
-    jq
+    rclone
+    ncdu
+    ventoy-full-qt
+
+    # System Monitoring & Hardware
+    htop
+    sysstat
     powertop
+    lm_sensors
     fastfetch
+    pciutils
+    usbutils
+    stress
+    stress-ng
+
+    # Networking
+    gnome-network-displays
     ethtool
     dig
     dnslookup
-    lsof
+    nmap
-    gucharmap
+    netcat
-    ncdu
+    traceroute
+    wakeonlan
+    cloudflared
+    cloud-utils
+
+    # Archives & Compression
+    file-roller
     zip
     unzip
+    p7zip
+
+    # GUI Utilities
+    pavucontrol
+    gucharmap
+    lxappearance
     blueman
     shared-mime-info
-    usbutils
-    
-    hplipWithPlugin
 
-    android-tools
+    # Virtualization & Containers
-    scrcpy
+    virt-viewer
     distrobox
 
-    ventoy-full-qt
+    # Android
+    android-tools
+    scrcpy
+
+    # Remote Access
+    freerdp
+
+    # Media
     ffmpeg
+
+    # Printing
+    hplipWithPlugin
+
+    # CLI Essentials
     vim
     wget
     curl
     openssl_3
-    htop
-    nmap
-    sysstat
-    netcat
-    p7zip
-    stress
-    stress-ng
-    wakeonlan
     coreutils-full
-    traceroute
+    jq
-    lxappearance
+    lsof
-    freerdp
 
+    # Nix & Development
+    rcon-cli
+    dconf2nix
     home-manager
     nix-index
     nixd

modules/system/server.nix

@@ -2,7 +2,7 @@
   ts-flags = [
     "--advertise-exit-node"
     "--advertise-routes=10.3.14.0/24,192.168.1.0/24"
-    "--ssh" # "--webclient"
+    "--ssh"
   ];
 in {
   imports = [
@@ -11,15 +11,21 @@ in {
     ./homelab/containers.nix
     ./homelab/gallery.nix
     ./homelab/tunnels.nix
-    ./homelab/remote.nix
+    ./homelab/notify.nix
+    ./homelab/search.nix
     ./homelab/media.nix
     ./homelab/proxy.nix
     ./homelab/auth.nix
     ./homelab/pass.nix
     ./homelab/dash.nix
+    ./homelab/code.nix
+    ./homelab/docs.nix
     ./homelab/dns.nix
     ./homelab/git.nix
+    ./homelab/cdn.nix
     ./homelab/ai.nix
+    ./homelab/db.nix
+    ./homelab/mc.nix
     
     ./core/swapfile.nix
     ./core/oom.nix
@@ -27,14 +33,19 @@ in {
     ./base.nix
   ];
 
-  services.tailscale = {
+  users.users.root.openssh.authorizedKeys.keys = homelab.ssh-keys;
-    enable = true;
-    authKeyFile = "/mnt/data/tailscale/authkey";
-    useRoutingFeatures = "server";
-    extraUpFlags = ts-flags;
-    extraSetFlags = ts-flags;
-  };
   
+  services = {
+    netbird.enable = true;
+    tailscale = {
+      enable = true;
+      authKeyFile = "/mnt/data/apps/tailscale/authkey";
+      useRoutingFeatures = "server";
+      extraUpFlags = ts-flags;
+      extraSetFlags = ts-flags;
+    };
+  };
+
   virtualisation = {
     oci-containers.backend = "docker";
     docker = {

modules/system/user.nix

@@ -7,6 +7,7 @@
     shell = pkgs.zsh;
     extraGroups = [
       "networkmanager"
+      "minecraft"
       "wheel"
       "dialout"
       "libvirtd"