feat: migrate m3-atlas from MinIO to RustFS

- Replace minio.nix with rustfs.nix using rustfs-flake NixOS module - Add rustfs flake input (github:rustfs/rustfs-flake) - Reuse same ports (API: 3008, Console: 3007) and data dir (/var/storage/s3) - Add separate agenix secrets for access-key and secret-key - Keep Traefik routes unchanged (s3.m3tam3re.com, minio.m3tam3re.com) - MinIO had 6 unfixed CVEs and is abandoned upstream
Merge pull request 'feat: integrate m3ta-home for centralized user profiles' (#9 ) from feat/m3ta-home-integration into master
2026-05-02 11:44:32 +02:00 · 2026-05-02 11:02:54 +02:00 · 2026-05-02 11:01:12 +02:00 · 2026-05-02 10:54:42 +02:00 · 2026-05-02 10:41:12 +02:00 · 2026-05-02 10:08:50 +02:00
187 changed files with 7232 additions and 1836 deletions
--- a/.beads/.gitignore
+++ b/.beads/.gitignore
@@ -0,0 +1,73 @@
 # Dolt database (managed by Dolt, not git)
 dolt/
 embeddeddolt/
 # Runtime files
 bd.sock
 bd.sock.startlock
 sync-state.json
 last-touched
 .exclusive-lock
 # Daemon runtime (lock, log, pid)
 daemon.*
 # Interactions log (runtime, not versioned)
 interactions.jsonl
 # Push state (runtime, per-machine)
 push-state.json
 # Lock files (various runtime locks)
 *.lock
 # Credential key (encryption key for federation peer auth — never commit)
 .beads-credential-key
 # Local version tracking (prevents upgrade notification spam after git ops)
 .local_version
 # Worktree redirect file (contains relative path to main repo's .beads/)
 # Must not be committed as paths would be wrong in other clones
 redirect
 # Sync state (local-only, per-machine)
 # These files are machine-specific and should not be shared across clones
 .sync.lock
 export-state/
 export-state.json
 # Ephemeral store (SQLite - wisps/molecules, intentionally not versioned)
 ephemeral.sqlite3
 ephemeral.sqlite3-journal
 ephemeral.sqlite3-wal
 ephemeral.sqlite3-shm
 # Dolt server management (auto-started by bd)
 dolt-server.pid
 dolt-server.log
 dolt-server.lock
 dolt-server.port
 dolt-server.activity
 # Corrupt backup directories (created by bd doctor --fix recovery)
 *.corrupt.backup/
 # Backup data (auto-exported JSONL, local-only)
 backup/
 # Per-project environment file (Dolt connection config, GH#2520)
 .env
 # Legacy files (from pre-Dolt versions)
 *.db
 *.db?*
 *.db-journal
 *.db-wal
 *.db-shm
 db.sqlite
 bd.db
 # NOTE: Do NOT add negation patterns here.
 # They would override fork protection in .git/info/exclude.
 # Config files (metadata.json, config.yaml) are tracked by git by default
 # since no pattern above ignores them.
--- a/.beads/README.md
+++ b/.beads/README.md
@@ -0,0 +1,81 @@
 # Beads - AI-Native Issue Tracking
 Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
 ## What is Beads?
 Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
 **Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
 ## Quick Start
 ### Essential Commands
 ```bash
 # Create new issues
 bd create "Add user authentication"
 # View all issues
 bd list
 # View issue details
 bd show <issue-id>
 # Update issue status
 bd update <issue-id> --claim
 bd update <issue-id> --status done
 # Sync with Dolt remote
 bd dolt push
 ```
 ### Working with Issues
 Issues in Beads are:
 - **Git-native**: Stored in Dolt database with version control and branching
 - **AI-friendly**: CLI-first design works perfectly with AI coding agents
 - **Branch-aware**: Issues can follow your branch workflow
 - **Always in sync**: Auto-syncs with your commits
 ## Why Beads?
 ✨ **AI-Native Design**
 - Built specifically for AI-assisted development workflows
 - CLI-first interface works seamlessly with AI coding agents
 - No context switching to web UIs
 🚀 **Developer Focused**
 - Issues live in your repo, right next to your code
 - Works offline, syncs when you push
 - Fast, lightweight, and stays out of your way
 🔧 **Git Integration**
 - Automatic sync with git commits
 - Branch-aware issue tracking
 - Dolt-native three-way merge resolution
 ## Get Started with Beads
 Try Beads in your own projects:
 ```bash
 # Install Beads
 curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
 # Initialize in your repo
 bd init
 # Create your first issue
 bd create "Try out Beads"
 ```
 ## Learn More
 - **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
 - **Quick Start Guide**: Run `bd quickstart`
 - **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
 ---
 *Beads: Issue tracking that moves at the speed of thought* ⚡
--- a/.beads/config.yaml
+++ b/.beads/config.yaml
@@ -0,0 +1,56 @@
 # Beads Configuration File
 # This file configures default behavior for all bd commands in this repository
 # All settings can also be set via environment variables (BD_* prefix)
 # or overridden with command-line flags
 # Issue prefix for this repository (used by bd init)
 # If not set, bd init will auto-detect from directory name
 # Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
 # issue-prefix: ""
 # Use no-db mode: JSONL-only, no Dolt database
 # When true, bd will use .beads/issues.jsonl as the source of truth
 # no-db: false
 # Enable JSON output by default
 # json: false
 # Feedback title formatting for mutating commands (create/update/close/dep/edit)
 # 0 = hide titles, N > 0 = truncate to N characters
 # output:
 #   title-length: 255
 # Default actor for audit trails (overridden by BEADS_ACTOR or --actor)
 # actor: ""
 # Export events (audit trail) to .beads/events.jsonl on each flush/sync
 # When enabled, new events are appended incrementally using a high-water mark.
 # Use 'bd export --events' to trigger manually regardless of this setting.
 # events-export: false
 # Multi-repo configuration (experimental - bd-307)
 # Allows hydrating from multiple repositories and routing writes to the correct database
 # repos:
 #   primary: "."  # Primary repo (where this database lives)
 #   additional:   # Additional repos to hydrate from (read-only)
 #     - ~/beads-planning  # Personal planning repo
 #     - ~/work-planning   # Work planning repo
 # JSONL backup (periodic export for off-machine recovery)
 # Auto-enabled when a git remote exists. Override explicitly:
 # backup:
 #   enabled: false     # Disable auto-backup entirely
 #   interval: 15m      # Minimum time between auto-exports
 #   git-push: false    # Disable git push (export locally only)
 #   git-repo: ""       # Separate git repo for backups (default: project repo)
 # Integration settings (access with 'bd config get/set')
 # These are stored in the database, not in this file:
 # - jira.url
 # - jira.project
 # - linear.url
 # - linear.api-key
 # - github.org
 # - github.repo
 sync.remote: "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixos-config.git"
--- a/.beads/hooks/post-checkout
+++ b/.beads/hooks/post-checkout
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run post-checkout "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'post-checkout' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run post-checkout "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'post-checkout'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
--- a/.beads/hooks/post-merge
+++ b/.beads/hooks/post-merge
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run post-merge "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'post-merge' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run post-merge "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'post-merge'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
--- a/.beads/hooks/pre-commit
+++ b/.beads/hooks/pre-commit
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run pre-commit "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'pre-commit' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run pre-commit "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'pre-commit'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
--- a/.beads/hooks/pre-push
+++ b/.beads/hooks/pre-push
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run pre-push "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'pre-push' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run pre-push "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'pre-push'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
--- a/.beads/hooks/prepare-commit-msg
+++ b/.beads/hooks/prepare-commit-msg
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run prepare-commit-msg "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'prepare-commit-msg' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run prepare-commit-msg "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'prepare-commit-msg'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
--- a/.beads/issues.jsonl
+++ b/.beads/issues.jsonl
@@ -0,0 +1,3 @@
 {"id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0}
 {"id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkOpencodeSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkOpencodeSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
 {"id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0}
--- a/.beads/metadata.json
+++ b/.beads/metadata.json
@@ -0,0 +1,7 @@
 {
  "database": "dolt",
  "backend": "dolt",
  "dolt_mode": "embedded",
  "dolt_database": "home_profile_restructuring",
  "project_id": "664fc7e3-94eb-4874-aab6-e47835abe9d8"
 }
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,3 @@
 # Use bd merge for beads JSONL files
 .beads/issues.jsonl merge=beads
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,46 @@
 # Sisyphus work session data
 .sisyphus/
 # Editor files
 *~
 .*.swp
 .*.swo
 .*.swx
 # Build artifacts
 result
 result-*
 .direnv/
 # IDE
 .vscode/
 .idea/
 *.iml
 # OS
 .DS_Store
 Thumbs.db
 # Opencode rules
 .opencode-rules
 opencode.json
 # AI agent state
 .sidecar/
 .sidecar-*
 .sisyphus/
 .sidecar-agent
 .sidecar-task
 .sidecar-pr
 .sidecar-start.sh
 .sidecar-base
 .td-root
 .cache
 .pi*
 .worktrees/
 docs/plans/
 # Beads / Dolt files (added by bd init)
 .dolt/
 *.db
 .beads-credential-key
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,445 @@
 # Agent Instructions
 This project uses **bd** (beads) for issue tracking. Run `bd prime` for full workflow context.
 ## Quick Reference
 ```bash
 bd ready              # Find available work
 bd show <id>          # View issue details
 bd update <id> --claim  # Claim work atomically
 bd close <id>         # Complete work
 bd dolt push          # Push beads data to remote
 ```
 ## Non-Interactive Shell Commands
 **ALWAYS use non-interactive flags** with file operations to avoid hanging on confirmation prompts.
 Shell commands like `cp`, `mv`, and `rm` may be aliased to include `-i` (interactive) mode on some systems, causing the agent to hang indefinitely waiting for y/n input.
 **Use these forms instead:**
 ```bash
 # Force overwrite without prompting
 cp -f source dest           # NOT: cp source dest
 mv -f source dest           # NOT: mv source dest
 rm -f file                  # NOT: rm file
 # For recursive operations
 rm -rf directory            # NOT: rm -r directory
 cp -rf source dest          # NOT: cp -r source dest
 ```
 **Other commands that may prompt:**
 - `scp` - use `-o BatchMode=yes` for non-interactive
 - `ssh` - use `-o BatchMode=yes` to fail instead of prompting
 - `apt-get` - use `-y` flag
 - `brew` - use `HOMEBREW_NO_AUTO_UPDATE=1` env var
 <!-- BEGIN BEADS INTEGRATION v:1 profile:minimal hash:ca08a54f -->
 ## Beads Issue Tracker
 This project uses **bd (beads)** for persistent task tracking. Run `bd prime` for full workflow context.
 ### Why Beads?
 - **Prefer Beads over ad-hoc markdown TODO lists** — Beads provides structured, queryable, shareable issue tracking with dependency management
 - **Never use `bd edit`** — it opens an interactive editor which blocks agent workflows
 - **Use flags and stdin instead** — `bd update <id> --claim`, `bd create --title "..." --estimate 2`
 ### Slash Commands (Agent Workflow)
 | Command | Purpose |
 |---------|---------|
 | `/beads:ready` | Find unblocked issues |
 | `/beads:create` | Create a new issue |
 | `/beads:update` | Update an issue (claim, status) |
 | `/beads:close` | Close completed work |
 | `/beads:stats` | Project-level snapshot |
 ### Core Workflow (6 Steps)
 #### 1. Find Unblocked Work
 ```bash
 bd ready --json
 ```
 Lists issues with no blocking dependencies that are ready to work on.
 #### 2. Claim Work
 ```bash
 bd update <id> --claim
 ```
 Atomically assigns the issue to you (sets status to "in-progress").
 #### 3. Inspect Details
 ```bash
 bd show <id>
 ```
 View full issue details including:
 - Description and acceptance criteria
 - Blocking/blocked-by dependencies
 - Time estimates
 - Status history
 #### 4. Create Newly Discovered Work
 ```bash
 # Create a new issue
 bd create \
  --title "Fix audio on m3-helios" \
  --estimate 2 \
  --priority high \
  --labels nixos,audio
 # Link dependencies
 bd dep <id> --blocks <blocked-id>      # This issue blocks another
 bd dep <id> --after <after-id>         # This issue after another completes
 bd dep <id> --requires <requires-id>  # This issue requires another
 ```
 #### 5. Complete Work
 ```bash
 bd close <id> --reason "Added PulseAudio fallback to configuration.nix"
 ```
 Provide a concise summary of what was done. The `--reason` is mandatory.
 #### 6. Project Snapshot
 ```bash
 bd status --json    # Current state of all issues
 bd stats            # Metrics: velocity, cycle time, bottlenecks
 ```
 ### Example Complete Workflow
 ```bash
 # Start session - find work
 bd ready --json
 # Claim available issue
 bd update 42 --claim
 # Do the work...
 # Discover something else needed
 bd create --title "Document hermes-agent setup" --estimate 1
 # Link as related
 bd dep 43 --after 42
 # Complete original
 bd close 42 --reason "Added Hyprland idle timeout config"
 # Close related
 bd close 43 --reason "Added setup docs to AGENTS.md"
 # Push state to remote
 bd dolt push
 ```
 ### Rules
 - Use `bd` for ALL task tracking — do NOT use TodoWrite, TaskCreate, or markdown TODO lists
 - Run `bd prime` for detailed command reference and session close protocol
 - Use `bd remember` for persistent knowledge — do NOT use MEMORY.md files
 ## Session Completion
 **When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
 **MANDATORY WORKFLOW:**
 1. **File issues for remaining work** - Create issues for anything that needs follow-up
 2. **Run quality gates** (if code changed) - Tests, linters, builds
 3. **Update issue status** - Close finished work, update in-progress items
 4. **PUSH TO REMOTE** - This is MANDATORY:
   ```bash
   git pull --rebase
   bd dolt push
   git push
   git status  # MUST show "up to date with origin"
   ```
 5. **Clean up** - Clear stashes, prune remote branches
 6. **Verify** - All changes committed AND pushed
 7. **Hand off** - Provide context for next session
 **CRITICAL RULES:**
 - Work is NOT complete until `git push` succeeds
 - NEVER stop before pushing - that leaves work stranded locally
 - NEVER say "ready to push when you are" - YOU must push
 - If push fails, resolve and retry until it succeeds
 <!-- END BEADS INTEGRATION -->
 # Project Agent
 **Workspace Path:** `/home/m3tam3re/p/NIX/nixos-config`
 _(Note to Pi: Your file write/edit tools run in a different directory by default. You MUST use absolute paths starting with the Workspace Path above for ALL file operations!)_
 **Generated:** 2026-04-26
 ---
 ## Stack
 | Component        | Version/Source                    |
 | ---------------- | --------------------------------- |
 | **Nixpkgs**      | nixos-unstable + 25.05 stable     |
 | **Home Manager** | github:nix-community/home-manager |
 | **m3ta-home**    | code.m3ta.dev/m3tam3re/m3ta-home  |
 | **m3ta-nixpkgs** | code.m3ta.dev/m3tam3re/nixpkgs    |
 | **Agenix**       | github:ryantm/agenix              |
 | **Disko**        | github:nix-community/disko        |
 | **NUR**          | github:nix-community/NUR          |
 | **Formatter**    | alejandra                         |
 | **Linters**      | statix, deadnix                   |
 | **IDE**          | nixd                              |
 | **Hermes Agent** | NousResearch/hermes-agent         |
 | **LLM Agents**   | numtide/llm-agents.nix            |
 ---
 ## Structure
 ```
 nixos-config/
 ├── flake.nix                    # Entry point: hosts, overlays, dev shells, m3ta-home input
 ├── coding-rules.json            # Opencode rules configuration
 │
 ├── hosts/                        # Per-host NixOS configurations
 │   ├── common/                   # Shared across all hosts
 │   │   ├── users/
 │   │   │   └── m3tam3re.nix     # ← Central user + m3ta-home integration
 │   │   ├── default.nix          # Shared NixOS settings, overlays, home-manager setup
 │   │   ├── ports.nix            # Network ports config
 │   │   └── extraServices/       # Common service toggles
 │   ├── m3-ares/                  # TUXEDO laptop (desktop)
 │   │   └── home.nix             # Hyprland: eDP-1 + HDMI, XDG/MIME
 │   ├── m3-kratos/                # AMD desktop (desktop)
 │   │   └── home.nix             # Hyprland: dual DP, XDG/MIME
 │   ├── m3-daedalus/              # Portable laptop (desktop, no Hyprland)
 │   │   └── home.nix             # XDG/MIME only
 │   ├── m3-atlas/                 # Primary server (server + coding)
 │   ├── m3-helios/                # AdGuard DNS server (minimal server)
 │   ├── m3-hermes/                # Secondary server (minimal server)
 │   └── m3-aether/                # Cloud VM (minimal server)
 │
 ├── modules/                      # Reusable NixOS modules
 │   └── nixos/                    # NixOS-specific modules
 │
 ├── overlays/                    # Package overlays (stable/locked/master/pinned)
 │   ├── default.nix
 │   └── mods/
 │
 ├── pkgs/                        # Custom packages
 │
 ├── secrets/                     # Encrypted secrets (agenix)
 │   └── secrets.nix
 │
 ├── .opencode-rules/             # Opencode AI rules
 │   ├── concerns/
 │   ├── languages/nix.md
 │   └── USAGE.md
 │
 └── .pi/                         # Agent configuration
 ```
 ### Home-Manager Integration
 Home-Manager configs are managed centrally in the **`m3ta-home`** repository:
 - **Repo**: `code.m3ta.dev/m3tam3re/m3ta-home`
 - **Docs**: See m3ta-home README for full documentation
 What lives where:
 | Concern | Location | Why |
 |---------|----------|-----|
 | Shell, CLI tools, editors, apps | `m3ta-home/profiles/` | Portable across all hosts |
 | User identity (git, SSH, JJ) | `m3ta-home/users/` | Switchable: private vs work |
 | Feature flags (enable/disable) | `nixos-config/hosts/common/users/m3tam3re.nix` | Per-host decisions |
 | Monitor layouts, window rules | `nixos-config/hosts/<name>/home.nix` | Hardware-specific |
 | XDG/MIME defaults | `nixos-config/hosts/<name>/home.nix` | Host-specific preferences |
 | NixOS overlays | `nixos-config/overlays/` | System-level package management |
 #### Host → Profile Mapping
 Defined in `hosts/common/users/m3tam3re.nix`:
 ```nix
 hostProfiles = {
  # Desktop hosts
  m3-ares     = { context = "desktop"; sets = ["coding" "gaming" "media"]; };
  m3-kratos   = { context = "desktop"; sets = ["coding" "gaming" "media"]; };
  m3-daedalus = { context = "desktop"; sets = ["coding" "media"]; };
  # Server hosts
  m3-atlas    = { context = "server";  sets = ["coding"]; };
  m3-helios   = { context = "server";  sets = []; };
  m3-hermes   = { context = "server";  sets = []; };
  m3-aether   = { context = "server";  sets = []; };
 };
 ```
 #### Work Identity Use Case
 The same `m3ta-home` repo supports a **work identity** for company machines:
 ```nix
 # On a work NixOS machine:
 (m3ta-lib.mkHome {
  user = "m3tam3re";
  identity = "work";       # ← switches git to sascha.koenig, SSH to AZ hosts
  context = "desktop";
  sets = ["coding"];
 })
 ```
 This provides the familiar shell/editor/CLI setup but with work git credentials and SSH configuration.
 ---
 ## Commands
 | Action               | Command                                                                | Notes                                             |
 | -------------------- | ---------------------------------------------------------------------- | ------------------------------------------------- |
 | **Enter dev shell**  | `nix develop`                                                          | Includes alejandra, nixd, agenix, statix, deadnix |
 | **Build host**       | `sudo nixos-rebuild switch --flake .#m3-ares`                          | Replace hostname as needed                        |
 | **Dry run build**    | `sudo nixos-rebuild dry-run --flake .#m3-ares`                         | Validate without applying                         |
 | **List hosts**       | `nix flake show`                                                       | Shows all NixOS configurations                    |
 | **Update flake**     | `sudo nixos-rebuild switch --flake .#m3-ares --update-input nixpkgs`   | Update specific input                             |
 | **Format code**      | `alejandra .`                                                          | Run before committing                             |
 | **Check lint**       | `statix check .`                                                       | Run statix for antipatterns                       |
 | **Remove dead code** | `deadnix -w .`                                                         | Clean up unused let bindings                      |
 | **Build ISO**        | `nix build .#nixosConfigurations.m3-ares.config.system.build.isoImage` | Generate install ISO                              |
 ---
 ## Conventions
 ### Formatting & Style
 - **Formatter:** `alejandra` (mandatory, run before commits)
 - **Indentation:** 2 spaces (alejandra default)
 - **Variables:** camelCase (e.g., `maxRetryAttempts`)
 - **Types/Modules:** PascalCase (e.g., `MyService`)
 - **Constants:** UPPER_SNAKE_CASE (e.g., `MAX_RETRIES`)
 - **Files:** hyphen-case (e.g., `my-file.nix`)
 ### Nix Module Patterns
 ```nix
 { config, lib, pkgs, ... }:
 {
  options.myService.enable = lib.mkEnableOption "my service";
  config = lib.mkIf config.myService.enable {
    services.myService.enable = true;
  };
 }
 ```
 ### Conditionals
 ```nix
 config = lib.mkMerge [
  (lib.mkIf cfg.enable { ... })
  (lib.mkIf cfg.extraConfig { ... })
 ];
 ```
 ### Anti-Patterns (AVOID)
 - **Never use `with pkgs;`** — always use explicit package references
 - **Never use `builtins.fetchTarball`** — use flake inputs instead
 - **Never use `import <nixpkgs>`** — always use inputs
 - **Never use `builtins.getAttr/hasAttr`** — use `lib.attrByPath` or `lib.optionalAttrs`
 - **Avoid anonymous functions in config** — extract to named lets
 ### Imports
 - Use flake inputs for dependencies (e.g., `inputs.home-manager.nixosModules.home-manager`)
 - Import relative paths with `./` or `../`
 - Never use absolute paths in imports
 ### Secrets
 - Secrets managed via **agenix** in `secrets/` directory
 - Never commit plaintext secrets
 - Use `.nix` extension for secret files
 ### Flake Input URLs
 All `code.m3ta.dev` inputs use **SSH** URLs:
 ```nix
 url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/<repo>";
 ```
 Anonymous HTTPS git on Gitea is unreliable and prompts for auth. SSH works with configured keys.
 ---
 ## Key Files
 | File                               | Purpose                                                                                    |
 | ---------------------------------- | ------------------------------------------------------------------------------------------ |
 | `flake.nix`                        | Central entry point defining all hosts, overlays, packages, dev shells, and nixpkgs config |
 | `hosts/common/default.nix`         | Shared Nix settings, nixpkgs overlays, home-manager setup (`useGlobalPkgs = true`)         |
 | `hosts/common/users/m3tam3re.nix`  | User definition + m3ta-home mkHome integration + per-host feature flags                    |
 | `hosts/<name>/home.nix`            | Host-specific overrides: monitors, workspaces, window rules, XDG/MIME                      |
 | `overlays/default.nix`             | Package version overrides (stable/locked/master branches)                                  |
 | `.opencode-rules/languages/nix.md` | Nix-specific conventions and patterns                                                      |
 ---
 ## What to Avoid
 1. **Don't modify `flake.lock`** directly — use `nix flake update`
 2. **Don't use impure operations** — this is a pure flake-based config
 3. **Don't commit without formatting** — always run `alejandra .` first
 4. **Don't add packages to hosts directly** — prefer adding to overlays or using NUR
 5. **Don't hardcode paths** — use `inputs` and relative imports
 6. **Don't create monolithic modules** — keep functions under 20 lines
 7. **Don't skip the dry-run** — always test with `--dry-run` before switching
 8. **Don't use lib.mkDefault lightly** — understand the precedence implications
 ---
 ## Notes
 ### Adding a New Host
 1. Add entry to `flake.nix` → `nixosConfigurations`
 2. Create directory in `hosts/` with:
   - `default.nix` — imports common + specific configs
   - `configuration.nix` — host-specific system config
   - `hardware-configuration.nix` — from `nixos-generate-config`
   - `programs.nix`, `services/`, `secrets.nix` as needed
 3. Add entry to `hostProfiles` in `hosts/common/users/m3tam3re.nix`
 4. Add feature flags in the `hostFlags` section
 5. Create `hosts/<name>/home.nix` if the host needs monitor/XDG overrides
 6. Run `sudo nixos-generate-config --dir ./hosts/new-host` first time
 ### Adding a New Package
 1. For simple packages: add to appropriate overlay in `overlays/default.nix`
 2. For complex packages: create in `pkgs/` directory
 3. For upstream packages: use NUR or add as flake input
 ### Adding a New Home-Manager Feature
 1. Create the module in `m3ta-home` under the appropriate profile directory
 2. Add the import to the parent `default.nix` in m3ta-home
 3. Enable it per-host via feature flags in `hosts/common/users/m3tam3re.nix`
 ### Development Workflow
 1. Edit config files
 2. Run `alejandra .` to format
 3. Run `statix check .` for linting
 4. Run `sudo nixos-rebuild dry-run --flake .#m3-ares`
 5. If successful: `sudo nixos-rebuild switch --flake .#m3-ares`
 ### Remote Building
 ```bash
 # Build on remote machine
 nix copy --to ssh://user@host .#nixosConfigurations.m3-ares.config.system.build.toplevel
 ssh user@host 'sudo nixos-rebuild switch --flake /nix/store/...-closure'
 ```
--- a/coding-rules.json
+++ b/coding-rules.json
@@ -0,0 +1 @@
 {"$schema":"https://opencode.ai/config.json","instructions":[".opencode-rules/concerns/coding-style.md",".opencode-rules/concerns/naming.md",".opencode-rules/concerns/documentation.md",".opencode-rules/concerns/testing.md",".opencode-rules/concerns/git-workflow.md",".opencode-rules/concerns/project-structure.md",".opencode-rules/languages/nix.md"]}
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@@ -16,10 +16,20 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
-    nixpkgs-b69de56.url = "github:nixos/nixpkgs/b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221";
+    nixpkgs-45570c2.url = "github:nixos/nixpkgs/45570c299dc2b63c8c574c4cd77f0b92f7e2766e";
    nixpkgs-locked.url = "github:nixos/nixpkgs/2744d988fa116fc6d46cdfa3d1c936d0abd7d121";
    nixpkgs-9e58ed7.url = "github:nixos/nixpkgs/9e58ed7ba759d81c98f033b7f5eba21ca68f53b0";
    nixpkgs-master.url = "github:nixos/nixpkgs/master";
    m3ta-nixpkgs.url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs";
    llm-agents.url = "github:numtide/llm-agents.nix";
    #
    nur = {
      url = "github:nix-community/NUR";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix.url = "github:ryantm/agenix";
    disko = {
@@ -27,20 +37,58 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
+    nixos-generators = {url = "github:nix-community/nixos-generators";};
-    dotfiles = {
+    hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
-      url = "git+https://code.m3tam3re.com/m3tam3re/dotfiles.git";
+    rose-pine-hyprcursor.url = "github:ndom91/rose-pine-hyprcursor";
    nix-colors.url = "github:misterio77/nix-colors";
    m3ta-home = {
      url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agents = {
      # url = "path:/home/m3tam3re/p/AI/AGENTS";
      url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/AGENTS";
    };
    ## Skills
    skills-basecamp = {
      url = "github:basecamp/basecamp-cli";
      flake = false;
    };
    skills-anthropic = {
      url = "github:anthropics/skills";
      flake = false;
    };
    skills-kestra = {
      url = "github:kestra-io/agent-skills";
      flake = false;
    };
    skills-superpowers = {
      url = "github:obra/superpowers";
      flake = false;
    };
    skills-vercel = {
      url = "github:vercel-labs/skills";
      flake = false;
    };
    hermes-agent.url = "github:NousResearch/hermes-agent/v2026.4.30";
    rustfs = {
      url = "github:rustfs/rustfs-flake";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = {
    self,
    agenix,
    dotfiles,
    home-manager,
    nixpkgs,
    m3ta-nixpkgs,
    nur,
    agents,
    ...
  } @ inputs: let
    inherit (self) outputs;
@@ -52,41 +100,114 @@
      "x86_64-darwin"
    ];
    forAllSystems = nixpkgs.lib.genAttrs systems;
    allOverlays = import ./overlays {inherit inputs outputs;};
  in {
    packages =
      forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
-    overlays = import ./overlays {inherit inputs outputs;};
+    overlays = builtins.removeAttrs allOverlays ["mkLlmAgentsOverlay"];
    lib.mkLlmAgentsOverlay = allOverlays.mkLlmAgentsOverlay;
    homeManagerModules = import ./modules/home-manager;
    nixosConfigurations = {
      m3-ares = nixpkgs.lib.nixosSystem {
        specialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
          hostname = "m3-ares";
        };
        modules = [
          ./hosts/m3-ares
          agenix.nixosModules.default
          m3ta-nixpkgs.nixosModules.default
          inputs.hermes-agent.nixosModules.default
        ];
      };
      m3-atlas = nixpkgs.lib.nixosSystem {
        specialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
        };
        modules = [
          ./hosts/m3-atlas
          inputs.disko.nixosModules.disko
          agenix.nixosModules.default
          m3ta-nixpkgs.nixosModules.default
          inputs.rustfs.nixosModules.rustfs
        ];
      };
      m3-kratos = nixpkgs.lib.nixosSystem {
        specialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
          hostname = "m3-kratos";
        };
        modules = [
          ./hosts/m3-kratos
          agenix.nixosModules.default
          nur.modules.nixos.default
          m3ta-nixpkgs.nixosModules.default
          inputs.hermes-agent.nixosModules.default
        ];
      };
      m3-helios = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs outputs;};
+        specialArgs = {
-        system = "x86_64-linux";
+          inherit inputs outputs;
          system = "x86_64-linux";
        };
        modules = [
          ./hosts/m3-helios
          inputs.disko.nixosModules.disko
          agenix.nixosModules.default
          m3ta-nixpkgs.nixosModules.default
        ];
      };
      m3-hermes = nixpkgs.lib.nixosSystem {
        specialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
        };
        modules = [
          ./hosts/m3-hermes
          inputs.disko.nixosModules.disko
          agenix.nixosModules.default
          m3ta-nixpkgs.nixosModules.default
          inputs.hermes-agent.nixosModules.default
        ];
      };
    };
    homeConfigurations = {
-      "m3tam3re@m3-kratos" = home-manager.lib.homeManagerConfiguration {
+      "m3tam3re@m3-daedalus" = home-manager.lib.homeManagerConfiguration {
        pkgs = nixpkgs.legacyPackages."x86_64-linux";
        extraSpecialArgs = {
          inherit inputs outputs;
-          hostname = "m3-kratos";
+          system = "x86_64-linux";
          hostname = "m3-daedalus";
        };
-        modules = [./home/m3tam3re/m3tam3re-kratos.nix];
+        modules = [./home/m3tam3re/m3-daedalus.nix];
      };
    };
    devShells = forAllSystems (system: let
      pkgs = import nixpkgs {
        inherit system;
        config.allowUnfree = true; # Allow unfree packages in devShell
      };
      m3taLib = m3ta-nixpkgs.lib.x86_64-linux;
      rules = m3taLib.coding-rules.mkCodingRules {
        inherit agents;
        languages = ["nix"];
      };
    in {
      default = pkgs.mkShell {
        buildInputs = with pkgs; [
          alejandra
          nixd
          openssh
          agenix.packages.${system}.default
          statix
          deadnix
        ];
        inherit (rules) instructions shellHook;
      };
    });
  };
 }
--- a/home/common/default.nix
+++ b/home/common/default.nix
@@ -1,47 +0,0 @@
 {
  lib,
  outputs,
  pkgs,
  ...
 }: {
  imports = [
    (import
      ../../modules/home-manager/zellij-ps.nix)
  ]; #imports = builtins.attrValues outputs.homeManagerModules;
  nixpkgs = {
    # You can add overlays here
    overlays = [
      # Add overlays your own flake exports (from overlays and pkgs dir):
      outputs.overlays.additions
      outputs.overlays.modifications
      outputs.overlays.stable-packages
      outputs.overlays.pinned-packages
      outputs.overlays.master-packages
      # You can also add overlays exported from other flakes:
      # neovim-nightly-overlay.overlays.default
      # Or define it inline, for example:
      # (final: prev: {
      #   hi = final.hello.overrideAttrs (oldAttrs: {
      #     patches = [ ./change-hello-to-hi.patch ];
      #   });
      # })
    ];
    # Configure your nixpkgs instance
    config = {
      # Disable if you don't want unfree packages
      allowUnfree = true;
      # Workaround for https://github.com/nix-community/home-manager/issues/2942
      allowUnfreePredicate = _: true;
    };
  };
  nix = {
    package = lib.mkDefault pkgs.nix;
    settings = {
      experimental-features = ["nix-command" "flakes"];
      warn-dirty = false;
    };
  };
 }
--- a/home/features/cli/default.nix
+++ b/home/features/cli/default.nix
@@ -1,82 +0,0 @@
 {
  config,
  pkgs,
  ...
 }: {
  imports = [
    ./fish.nix
    ./fzf.nix
    ./neofetch.nix
    ./secrets.nix
    ./starship.nix
    ./zellij.nix
  ];
  programs.zoxide = {
    enable = true;
    enableFishIntegration = true;
  };
  programs.neovim = {
    enable = true;
    defaultEditor = true;
    viAlias = true;
    vimAlias = true;
    vimdiffAlias = true;
    withNodeJs = true;
    withPython3 = true;
  };
  programs.bat = {enable = true;};
  programs.eza = {
    enable = true;
    enableFishIntegration = true;
    enableBashIntegration = true;
    extraOptions = ["-l" "--icons" "--git" "-a"];
  };
  programs.lf = {
    enable = true;
    settings = {
      preview = true;
      drawbox = true;
      hidden = true;
      icons = true;
      theme = "Dracula";
      previewer = "bat";
    };
  };
  home.packages = with pkgs; [
    alejandra
    bc
    comma
    coreutils
    devenv
    direnv
    fabric-ai
    fd
    gcc
    go
    htop
    httpie
    jq
    just
    lf
    lazygit
    nix-index
    procs
    progress
    ripgrep
    tldr
    trash-cli
    unimatrix
    unzip
    wttrbar
    wireguard-tools
    yazi
    zellij-ps
    zip
  ];
 }
--- a/home/features/cli/fish.nix
+++ b/home/features/cli/fish.nix
@@ -1,73 +0,0 @@
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.features.cli.fish;
 in {
  options.features.cli.fish.enable = mkEnableOption "enable fish shell";
  config = mkIf cfg.enable {
    programs.fish = {
      enable = true;
      loginShellInit = ''
        set -x NIX_PATH nixpkgs=channel:nixos-unstable
        set -x NIX_LOG info
        set -x WEBKIT_DISABLE_COMPOSITING_MODE 1
        set -x TERMINAL kitty
        set -x EDITOR nvim
        set -x VISUAL zed
        set -x XDG_DATA_HOME $HOME/.local/share
        set -x FZF_CTRL_R_OPTS "
        --preview='bat --color=always -n {}'
        --preview-window up:3:hidden:wrap
        --bind 'ctrl-/:toggle-preview'
        --bind 'ctrl-y:execute-silent(echo -n {2..} | wl-copy)+abort'
        --color header:bold
        --header 'Press CTRL-Y to copy command into clipboard'"
        set -x FZF_DEFAULT_COMMAND fd --type f --exclude .git --follow --hidden
        set -x FZF_CTRL_T_COMMAND "$FZF_DEFAULT_COMMAND"
        set -x FLAKE $HOME/p/nixos/nixos-config
        if test (tty) = "/dev/tty1"
          exec Hyprland &> /dev/null
        end
      '';
      shellAbbrs = {
        ".." = "cd ..";
        "..." = "cd ../..";
        b = "yazi";
        ls = "eza";
        l = "eza -l --icons --git -a";
        lt = "eza --tree --level=2 --long --icons --git";
        grep = "rg";
        ps = "procs";
        just = "just --unstable";
        fs = "du -ah . | sort -hr | head -n 10";
        n = "nix";
        nd = "nix develop -c $SHELL";
        ns = "nix shell";
        nsn = "nix shell nixpkgs#";
        nb = "nix build";
        nbn = "nix build nixpkgs#";
        nf = "nix flake";
        nr = "sudo nixos-rebuild --flake .";
        nrs = "sudo nixos-rebuild switch --flake .#(uname -n)";
        snr = "sudo nixos-rebuild --flake .";
        snrs = "sudo nixos-rebuild --flake . switch";
        hm = "home-manager --flake .";
        hms = "home-manager --flake . switch";
        hmr = "cd ~/projects/nix-configurations; nix flake lock --update-input dotfiles; home-manager --flake .#(whoami)@(hostname) switch";
        tsu = "sudo tailscale up";
        tsd = "sudo tailscale down";
        vi = "nvim";
        vim = "nvim";
      };
    };
  };
 }
--- a/home/features/cli/fzf.nix
+++ b/home/features/cli/fzf.nix
@@ -1,37 +0,0 @@
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.features.cli.fzf;
 in {
  options.features.cli.fzf.enable = mkEnableOption "enable fuzzy finder";
  config = mkIf cfg.enable {
    programs.fzf = {
      enable = true;
      enableFishIntegration = true;
      colors = {
        "fg" = "#f8f8f2";
        "bg" = "#282a36";
        "hl" = "#bd93f9";
        "fg+" = "#f8f8f2";
        "bg+" = "#44475a";
        "hl+" = "#bd93f9";
        "info" = "#ffb86c";
        "prompt" = "#50fa7b";
        "pointer" = "#ff79c6";
        "marker" = "#ff79c6";
        "spinner" = "#ffb86c";
        "header" = "#6272a4";
      };
      defaultOptions = [
        "--preview='bat --color=always -n {}'"
        "--bind 'ctrl-/:toggle-preview'"
      ];
      defaultCommand = "fd --type f --exclude .git --follow --hidden";
      changeDirWidgetCommand = "fd --type d --exclude .git --follow --hidden";
    };
  };
 }
--- a/home/features/cli/neofetch.nix
+++ b/home/features/cli/neofetch.nix
@@ -1,15 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.features.cli.neofetch;
 in {
  options.features.cli.neofetch.enable = mkEnableOption "enable neofetch";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [neofetch];
  };
 }
--- a/home/features/cli/secrets.nix
+++ b/home/features/cli/secrets.nix
@@ -1,21 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.features.cli.secrets;
 in {
  options.features.cli.secrets.enable = mkEnableOption "enable secrets";
  config = mkIf cfg.enable {
    programs.password-store = {
      enable = true;
      package =
        pkgs.pass-wayland.withExtensions
        (exts: [exts.pass-otp exts.pass-import]);
    };
    home.packages = with pkgs; [pinentry];
  };
 }
--- a/home/features/cli/starship.nix
+++ b/home/features/cli/starship.nix
@@ -1,17 +0,0 @@
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.features.cli.starship;
 in {
  options.features.cli.starship.enable = mkEnableOption "enable starship prompt";
  config = mkIf cfg.enable {
    programs.starship = {
      enable = true;
      enableFishIntegration = true;
    };
  };
 }
--- a/home/features/cli/zellij.nix
+++ b/home/features/cli/zellij.nix
@@ -1,16 +0,0 @@
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.features.cli.zellij;
 in {
  options.features.cli.zellij.enable = mkEnableOption "enable tmux";
  config = mkIf cfg.enable {
    programs.zellij = {
      enable = true;
    };
  };
 }
--- a/home/features/coding/default.nix
+++ b/home/features/coding/default.nix
@@ -1,6 +0,0 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [
    nixd
    alejandra
  ];
 }
--- a/home/features/desktop/coding.nix
+++ b/home/features/desktop/coding.nix
@@ -1,3 +0,0 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [pinned.bruno zed-editor];
 }
--- a/home/features/desktop/default.nix
+++ b/home/features/desktop/default.nix
@@ -1,127 +0,0 @@
 {pkgs, ...}: {
  imports = [
    ./coding.nix
    ./fonts.nix
    ./gaming.nix
    ./hyprland.nix
    ./media.nix
    ./office.nix
    ./rofi.nix
    ./theme.nix
    ./wayland.nix
    ./wofi.nix
  ];
  xdg = {
    enable = true;
    configFile."mimeapps.list".force = true;
    mimeApps = {
      enable = true;
      associations.added = {
        "application/zip" = ["org.gnome.FileRoller.desktop"];
        "application/csv" = ["calc.desktop"];
        "application/pdf" = ["okularApplication_pdf.desktop"];
      };
      defaultApplications = {
        "application/zip" = ["org.gnome.FileRoller.desktop"];
        "application/csv" = ["calc.desktop"];
        "application/pdf" = ["okularApplication_pdf.desktop"];
        "application/md" = ["nvim.desktop"];
        "application/text" = ["nvim.desktop"];
        "x-scheme-handler/http" = ["io.github.zen_browser.zen"];
        "x-scheme-handler/https" = ["io.github.zen_browser.zen"];
      };
    };
    userDirs = {
      enable = true;
      createDirectories = true;
    };
  };
  home.sessionVariables = {
    WEBKIT_DISABLE_COMPOSITING_MODE = "1";
    NIXOS_OZONE_WL = "1";
    TERMINAL = "kitty";
    QT_QPA_PLATFORM = "wayland";
  };
  home.sessionPath = ["\${XDG_BIN_HOME}" "\${HOME}/.cargo/bin" "$HOME/.npm-global/bin"];
  fonts.fontconfig.enable = true;
  services.mako = {
    enable = true;
    backgroundColor = "#282a36";
    textColor = "#80FFEA";
    borderColor = "#9742b5";
    width = 400;
    height = 150;
    padding = "10,20";
    borderRadius = 8;
    borderSize = 1;
    margin = "20,20";
  };
  programs.kitty = {
    enable = true;
    shellIntegration = {
      enableFishIntegration = true;
      enableBashIntegration = true;
    };
    font = {name = "Fira Code";};
    themeFile = "Dracula";
    settings = {copy_on_select = "yes";};
  };
  home.pointerCursor = {
    gtk.enable = true;
    package = pkgs.bibata-cursors;
    name = "Bibata-Modern-Ice";
    size = 20;
  };
  home.packages = with pkgs; [
    appimage-run
    anytype
    # blueberry
    brave
    # brightnessctl
    # clipman
    distrobox
    # eww
    # firefox-devedition
    file-roller
    hyprpanel
    seahorse
    sushi
    # glib
    # google-chrome
    # gsettings-desktop-schemas
    # graphviz
    # ksnip
    nwg-look
    # pamixer
    # pavucontrol
    # libsForQt5.qtstyleplugins
    # stable.nyxt
    # pcmanfm
    protonmail-desktop
    # qt5ct
    # qt6.qtwayland
    #rustdesk
    # socat
    # unrar
    # unzip
    # usbutils
    # v4l-utils
    remmina
    slack
    telegram-desktop
    ungoogled-chromium
    # wl-clipboard
    # wlogout
    # wtype
    # xdg-utils
    # ydotool
    # zip
  ];
 }
--- a/home/features/desktop/fonts.nix
+++ b/home/features/desktop/fonts.nix
@@ -1,23 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.features.desktop.fonts;
 in {
  options.features.desktop.fonts.enable =
    mkEnableOption "install additional fonts for desktop apps";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      fira-code
      fira-code-symbols
      fira-code-nerdfont
      font-manager
      font-awesome_5
      noto-fonts
    ];
  };
 }
--- a/home/features/desktop/gaming.nix
+++ b/home/features/desktop/gaming.nix
@@ -1,20 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.features.desktop.gaming;
 in {
  options.features.desktop.gaming.enable =
    mkEnableOption "install gaming related stuff";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      goverlay
      mangohud
      protonup-ng
    ];
  };
 }
--- a/home/features/desktop/hyprland.nix
+++ b/home/features/desktop/hyprland.nix
@@ -1,181 +0,0 @@
 {
  wayland.windowManager.hyprland = {
    settings = {
      xwayland = {
        force_zero_scaling = true;
      };
      exec-once = [
        "hyprpanel"
        "hyprpaper"
        "hypridle"
        "wl-paste -p -t text --watch clipman store -P --histpath=\"~/.local/share/clipman-primary.json\""
      ];
      env = [
        "XCURSOR_SIZE,32"
        "WLR_NO_HARDWARE_CURSORS,1"
        "GTK_THEME,Dracula"
      ];
      input = {
        kb_layout = "de,us";
        kb_variant = "";
        kb_model = "";
        kb_rules = "";
        kb_options = "ctrl:nocaps";
        follow_mouse = 1;
      };
      general = {
        gaps_in = 5;
        gaps_out = 5;
        border_size = 1;
        "col.active_border" = "rgba(9742b5ee) rgba(9742b5ee) 45deg";
        "col.inactive_border" = "rgba(595959aa)";
        layout = "dwindle";
      };
      decoration = {
        "col.shadow" = "rgba(1E202966)";
        drop_shadow = true;
        shadow_range = 60;
        shadow_offset = "1 2";
        shadow_render_power = 3;
        shadow_scale = 0.97;
        rounding = 8;
        blur = {
          enabled = true;
          size = 3;
          passes = 3;
        };
        active_opacity = 0.9;
        inactive_opacity = 0.5;
      };
      animations = {
        enabled = true;
        bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
        animation = [
          "windows, 1, 7, myBezier"
          "windowsOut, 1, 7, default, popin 80%"
          "border, 1, 10, default"
          "borderangle, 1, 8, default"
          "fade, 1, 7, default"
          "workspaces, 1, 6, default"
        ];
      };
      dwindle = {
        pseudotile = true;
        preserve_split = true;
      };
      master = {
        new_status = "master";
      };
      gestures = {
        workspace_swipe = false;
      };
      device = [
        {
          name = "epic-mouse-v1";
          sensitivity = -0.5;
        }
        {
          name = "zsa-technology-labs-moonlander-mark-i";
          kb_layout = "us";
        }
        {
          name = "keychron-keychron-k7";
          kb_layout = "us";
        }
      ];
      windowrule = [
        "float, file_progress"
        "float, confirm"
        "float, dialog"
        "float, download"
        "float, notification"
        "float, error"
        "float, splash"
        "float, confirmreset"
        "float, title:Open File"
        "float, title:branchdialog"
        "float, Lxappearance"
        "float, Wofi"
        "float, dunst"
        "animation none,Wofi"
        "float,viewnior"
        "float,feh"
        "float, pavucontrol-qt"
        "float, pavucontrol"
        "float, file-roller"
        "fullscreen, wlogout"
        "float, title:wlogout"
        "fullscreen, title:wlogout"
        "idleinhibit focus, mpv"
        "idleinhibit fullscreen, firefox"
        "float, title:^(Media viewer)$"
        "float, title:^(Volume Control)$"
        "float, title:^(Picture-in-Picture)$"
        "size 800 600, title:^(Volume Control)$"
        "move 75 44%, title:^(Volume Control)$"
      ];
      "$mainMod" = "SUPER";
      bind = [
        "$mainMod, return, exec, kitty -e zellij-ps"
        "$mainMod, t, exec, kitty -e fish -c 'neofetch; exec fish'"
        "$mainMod SHIFT, e, exec, kitty -e zellij_nvim"
        "$mainMod, o, exec, hyprctl setprop activewindow opaque toggle"
        "$mainMod, b, exec, thunar"
        "$mainMod, Escape, exec, wlogout -p layer-shell"
        "$mainMod, Space, togglefloating"
        "$mainMod, q, killactive"
        "$mainMod, M, exit"
        "$mainMod, F, fullscreen"
        "$mainMod, V, togglefloating"
        "$mainMod, D, exec, rofi -show"
        "$mainMod SHIFT, S, exec, bemoji"
        "$mainMod, P, exec, rofi-pass"
        "$mainMod SHIFT, P, pseudo"
        "$mainMod, J, togglesplit"
        "$mainMod, h, movefocus, l"
        "$mainMod, l, movefocus, r"
        "$mainMod, k, movefocus, u"
        "$mainMod, j, movefocus, d"
        "$mainMod, 1, workspace, 1"
        "$mainMod, 2, workspace, 2"
        "$mainMod, 3, workspace, 3"
        "$mainMod, 4, workspace, 4"
        "$mainMod, 5, workspace, 5"
        "$mainMod, 6, workspace, 6"
        "$mainMod, 7, workspace, 7"
        "$mainMod, 8, workspace, 8"
        "$mainMod, 9, workspace, 9"
        "$mainMod, 0, workspace, 10"
        "$mainMod SHIFT, 1, movetoworkspace, 1"
        "$mainMod SHIFT, 2, movetoworkspace, 2"
        "$mainMod SHIFT, 3, movetoworkspace, 3"
        "$mainMod SHIFT, 4, movetoworkspace, 4"
        "$mainMod SHIFT, 5, movetoworkspace, 5"
        "$mainMod SHIFT, 6, movetoworkspace, 6"
        "$mainMod SHIFT, 7, movetoworkspace, 7"
        "$mainMod SHIFT, 8, movetoworkspace, 8"
        "$mainMod SHIFT, 9, movetoworkspace, 9"
        "$mainMod SHIFT, 0, movetoworkspace, 10"
        "$mainMod, mouse_down, workspace, e+1"
        "$mainMod, mouse_up, workspace, e-1"
      ];
      bindm = [
        "$mainMod, mouse:272, movewindow"
        "$mainMod, mouse:273, resizewindow"
      ];
    };
  };
 }
--- a/home/features/desktop/media.nix
+++ b/home/features/desktop/media.nix
@@ -1,52 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.features.desktop.media;
 in {
  options.features.desktop.media.enable =
    mkEnableOption "enable media features";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      # handbrake
      # kdePackages.kdenlive
      # makemkv
      # mediainfo
      amf
      blueberry
      ffmpeg_6-full
      gst_all_1.gstreamer
      gst_all_1.gst-vaapi
      handbrake
      kdePackages.kdenlive
      makemkv
      mpv
      pamixer
      pavucontrol
      qpwgraph
      v4l-utils
      plexamp
      spotify
      # uxplay
      # vlc
      # webcord
      # yt-dlp
      # unimatrix
    ];
    programs.obs-studio = {
      enable = true;
      plugins = with pkgs.obs-studio-plugins; [
        input-overlay
        obs-gstreamer
        obs-vaapi
        obs-vkcapture
        wlrobs
      ];
    };
  };
 }
--- a/home/features/desktop/office.nix
+++ b/home/features/desktop/office.nix
@@ -1,18 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.features.desktop.office;
 in {
  options.features.desktop.office.enable =
    mkEnableOption "install office and paperwork stuff";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      libreoffice-fresh
    ];
  };
 }
--- a/home/features/desktop/rofi.nix
+++ b/home/features/desktop/rofi.nix
@@ -1,38 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; let
  cfg = config.features.desktop.rofi;
 in {
  options.features.desktop.rofi.enable = mkEnableOption "enable rofi";
  config = mkIf cfg.enable {
    programs.rofi = with pkgs; {
      enable = true;
      package = rofi.override {
        plugins = [
          rofi-calc
          rofi-emoji
          rofi-file-browser
        ];
      };
      pass = {
        enable = true;
        package = rofi-pass-wayland;
      };
      terminal = "\${pkgs.kitty}/bin/kitty";
      font = "Fira Code";
      extraConfig = {
        show-icons = true;
        disable-history = false;
        modi = "drun,calc,emoji,filebrowser";
        kb-primary-paste = "Control+V,Shift+Insert";
        kb-secondary-paste = "Control+v,Insert";
      };
      theme = "dracula";
    };
  };
 }
--- a/home/features/desktop/theme.nix
+++ b/home/features/desktop/theme.nix
@@ -1,17 +0,0 @@
 {pkgs, ...}: {
  qt = {
    enable = true;
    platformTheme.name = "gtk";
  };
  gtk = {
    enable = true;
    theme = {
      name = "Dracula";
      package = pkgs.dracula-theme;
    };
    iconTheme = {
      name = "Dracula";
      package = pkgs.dracula-icon-theme;
    };
  };
 }
--- a/home/features/desktop/wayland.nix
+++ b/home/features/desktop/wayland.nix
@@ -1,286 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.features.desktop.wayland;
 in {
  options.features.desktop.wayland.enable = mkEnableOption "wayland extra tools and config";
  config = mkIf cfg.enable {
    programs.waybar = {
      enable = true;
      style = ''
        @define-color background-darker rgba(30, 31, 41, 230);
        @define-color background #282a36;
        @define-color selection #44475a;
        @define-color foreground #f8f8f2;
        @define-color comment #6272a4;
        @define-color cyan #8be9fd;
        @define-color green #50fa7b;
        @define-color orange #ffb86c;
        @define-color pink #ff79c6;
        @define-color purple #bd93f9;
        @define-color red #ff5555;
        @define-color yellow #f1fa8c;
        * {
            border: none;
            border-radius: 0;
            font-family: FiraCode Nerd Font;
            font-weight: bold;
            font-size: 14px;
            min-height: 0;
        }
        window#waybar {
            background: rgba(21, 18, 27, 0);
            color: #cdd6f4;
        }
        tooltip {
            background: #1e1e2e;
            border-radius: 10px;
            border-width: 2px;
            border-style: solid;
            border-color: #11111b;
        }
        #workspaces button {
            padding: 5px;
            color: #313244;
            margin-right: 5px;
        }
        #workspaces button.active {
            color: #11111b;
            background: #a6e3a1;
            border-radius: 10px;
        }
        #workspaces button.focused {
            color: #a6adc8;
            background: #eba0ac;
            border-radius: 10px;
        }
        #workspaces button.urgent {
            color: #11111b;
            background: #a6e3a1;
            border-radius: 10px;
        }
        #workspaces button:hover {
            background: #11111b;
            color: #cdd6f4;
            border-radius: 10px;
        }
        #custom-language,
        #custom-updates,
        #custom-caffeine,
        #custom-weather,
        #window,
        #clock,
        #battery,
        #pulseaudio,
        #network,
        #workspaces,
        #tray,
        #backlight {
            background: #1e1e2e;
            padding: 0px 10px;
            margin: 3px 0px;
            margin-top: 10px;
            border: 1px solid #181825;
        }
        #tray {
            border-radius: 10px;
            margin-right: 10px;
        }
        #workspaces {
            background: #1e1e2e;
            border-radius: 10px;
            margin-left: 10px;
            padding-right: 0px;
            padding-left: 5px;
        }
        #custom-caffeine {
            color: #89dceb;
            border-radius: 10px 0px 0px 10px;
            border-right: 0px;
            margin-left: 10px;
        }
        #custom-language {
            color: #f38ba8;
            border-left: 0px;
            border-right: 0px;
        }
        #custom-updates {
            color: #f5c2e7;
            border-left: 0px;
            border-right: 0px;
        }
        #window {
            border-radius: 10px;
            margin-left: 60px;
            margin-right: 60px;
        }
        #clock {
            color: #fab387;
            border-radius: 10px 0px 0px 10px;
            margin-left: 0px;
            border-right: 0px;
        }
        #network {
            color: #f9e2af;
            border-left: 0px;
            border-right: 0px;
        }
        #pulseaudio {
            color: #89b4fa;
            border-left: 0px;
            border-right: 0px;
        }
        #pulseaudio.microphone {
            color: #cba6f7;
            border-left: 0px;
            border-right: 0px;
        }
        #battery {
            color: #a6e3a1;
            border-radius: 0 10px 10px 0;
            margin-right: 10px;
            border-left: 0px;
        }
        #custom-weather {
            border-radius: 0px 10px 10px 0px;
            border-right: 0px;
            margin-left: 0px;
        }
      '';
      settings = {
        mainbar = {
          layer = "top";
          position = "top";
          mod = "dock";
          exclusive = true;
          passthrough = false;
          gtk-layer-shell = true;
          height = 0;
          modules-left = ["clock" "custom/weather" "hyprland/workspaces"];
          modules-center = ["hyprland/window"];
          modules-right = [
            "tray"
            "custom/language"
            "battery"
            "backlight"
            "pulseaudio"
            "pulseaudio#microphone"
          ];
          "hyprland/window" = {
            format = "👉 {}";
            seperate-outputs = true;
          };
          "hyprland/workspaces" = {
            disable-scroll = true;
            all-outputs = true;
            on-click = "activate";
            format = " {name} {icon} ";
            on-scroll-up = "hyprctl dispatch workspace e+1";
            on-scroll-down = "hyprctl dispatch workspace e-1";
            format-icons = {
              "1" = "";
              "2" = "";
              "3" = "";
              "4" = "";
              "5" = "";
              "6" = "";
              "7" = "";
            };
            persistent_workspaces = {
              "1" = [];
              "2" = [];
              "3" = [];
              "4" = [];
            };
          };
          "custom/weather" = {
            format = "{}°C";
            tooltip = true;
            interval = 3600;
            exec = "wttrbar --location Pockau-Lengefeld";
            return-type = "json";
          };
          tray = {
            icon-size = 13;
            spacing = 10;
          };
          clock = {
            format = " {:%R   %d/%m}";
            tooltip-format = "<big>{:%Y %B}</big>\n<tt><small>{calendar}</small></tt>";
          };
          pulseaudio = {
            format = "{icon} {volume}%";
            tooltip = false;
            format-muted = " Muted";
            on-click = "pamixer -t";
            on-scroll-up = "pamixer -i 5";
            on-scroll-down = "pamixer -d 5";
            scroll-step = 5;
            format-icons = {
              headphone = "";
              hands-free = "";
              headset = "";
              phone = "";
              portable = "";
              car = "";
              default = ["" "" ""];
            };
          };
          "pulseaudio#microphone" = {
            format = "{format_source}";
            format-source = " {volume}%";
            format-source-muted = " Muted";
            on-click = "pamixer --default-source -t";
            on-scroll-up = "pamixer --default-source -i 5";
            on-scroll-down = "pamixer --default-source -d 5";
            scroll-step = 5;
          };
        };
      };
    };
    home.packages = with pkgs; [
      grim
      hyprcursor
      hyprlock
      hyprpaper
      qt6.qtwayland
      slurp
      waypipe
      wl-clipboard
      wf-recorder
      wl-mirror
      wl-clipboard
      wlogout
      wtype
      ydotool
    ];
  };
 }
--- a/home/features/desktop/wofi.nix
+++ b/home/features/desktop/wofi.nix
@@ -1,6 +0,0 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [
    wofi
    bemoji
  ];
 }
--- a/home/m3tam3re/dotfiles/default.nix
+++ b/home/m3tam3re/dotfiles/default.nix
@@ -1,26 +0,0 @@
 {
  pkgs,
  inputs,
  ...
 }: {
  home.file.".config/bat" = {
    source = "${inputs.dotfiles}/bat";
    recursive = true;
  };
  home.file.".config/nyxt" = {
    source = "${inputs.dotfiles}/nyxt";
    recursive = true;
  };
  # home.file.".config/hypr" = {
  #   source = "${inputs.dotfiles}/hypr";
  #   recursive = true;
  # };
  home.file.".config/nvim" = {
    source = "${inputs.dotfiles}/nvim";
    recursive = true;
  };
  home.file.".config/zellij" = {
    source = "${inputs.dotfiles}/zellij";
    recursive = true;
  };
 }
--- a/home/m3tam3re/home-server.nix
+++ b/home/m3tam3re/home-server.nix
@@ -1,115 +0,0 @@
 # This is a default home.nix generated by the follwing hone-manager command
 #
 # home-manager init ./
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  # Home Manager needs a bit of information about you and the paths it should
  # manage.
  home.username = lib.mkDefault "your-name";
  home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
  # This value determines the Home Manager release that your configuration is
  # compatible with. This helps avoid breakage when a new Home Manager release
  # introduces backwards incompatible changes.
  #
  # You should not change this value, even if you update Home Manager. If you do
  # want to update the value, then make sure to first check the Home Manager
  # release notes.
  home.stateVersion = "24.11"; # Please read the comment before changing.
  # The home.packages option allows you to install Nix packages into your
  # environment.
  home.packages = with pkgs; [
    # # Adds the 'hello' command to your environment. It prints a friendly
    # # "Hello, world!" when run.
    # pkgs.hello
    # # It is sometimes useful to fine-tune packages, for example, by applying
    # # overrides. You can do that directly here, just don't forget the
    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
    # # fonts?
    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
    # # You can also create simple shell scripts directly inside your
    # # configuration. For example, this adds a command 'my-hello' to your
    # # environment:
    # (pkgs.writeShellScriptBin "my-hello" ''
    #   echo "Hello, ${config.home.username}!"
    # '')
  ];
  # Home Manager is pretty good at managing dotfiles. The primary way to manage
  # plain files is through 'home.file'.
  home.file = {
    # # Building this configuration will create a copy of 'dotfiles/screenrc' in
    # # the Nix store. Activating the configuration will then make '~/.screenrc' a
    # # symlink to the Nix store copy.
    # ".screenrc".source = dotfiles/screenrc;
    # # You can also set the file content immediately.
    # ".gradle/gradle.properties".text = ''
    #   org.gradle.console=verbose
    #   org.gradle.daemon.idletimeout=3600000
    # '';
  };
  # Home Manager can also manage your environment variables through
  # 'home.sessionVariables'. If you don't want to manage your shell through Home
  # Manager then you have to manually source 'hm-session-vars.sh' located at
  # either
  #
  #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
  #
  # or
  #
  #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
  #
  # or
  #
  #  /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
  #
  home.sessionVariables = {
    # EDITOR = "emacs";
  };
  # Let Home Manager install and manage itself.
  programs.home-manager.enable = true;
  programs.git = {
    enable = true;
    userName = "m3tam3re";
    userEmail = "m@m3tam3re.com";
    aliases = {st = "status";};
    extraConfig = {
      core.excludesfile = "~/.gitignore_global";
      init.defaultBranch = "master";
    };
  };
  programs.zellij-ps = {
    enable = true;
    projectFolders = [
      "${config.home.homeDirectory}/p/c"
      "${config.home.homeDirectory}/p"
      "${config.home.homeDirectory}/.config"
    ];
    layout = ''
      layout {
          pane size=1 borderless=true {
              plugin location="zellij:tab-bar"
          }
          pane size="70%" command="nvim"
          pane split_direction="vertical" {
              pane
              pane command="unimatrix"
          }
          pane size=1 borderless=true {
              plugin location="zellij:status-bar"
          }
      }
    '';
  };
 }
--- a/home/m3tam3re/home.nix
+++ b/home/m3tam3re/home.nix
@@ -1,120 +0,0 @@
 # This is a default home.nix generated by the follwing hone-manager command
 #
 # home-manager init ./
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  # Home Manager needs a bit of information about you and the paths it should
  # manage.
  home.username = lib.mkDefault "your-name";
  home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
  # This value determines the Home Manager release that your configuration is
  # compatible with. This helps avoid breakage when a new Home Manager release
  # introduces backwards incompatible changes.
  #
  # You should not change this value, even if you update Home Manager. If you do
  # want to update the value, then make sure to first check the Home Manager
  # release notes.
  home.stateVersion = "24.11"; # Please read the comment before changing.
  # The home.packages option allows you to install Nix packages into your
  # environment.
  home.packages = with pkgs; [
    aider-chat-env
    # # Adds the 'hello' command to your environment. It prints a friendly
    # # "Hello, world!" when run.
    # pkgs.hello
    # # It is sometimes useful to fine-tune packages, for example, by applying
    # # overrides. You can do that directly here, just don't forget the
    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
    # # fonts?
    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
    # # You can also create simple shell scripts directly inside your
    # # configuration. For example, this adds a command 'my-hello' to your
    # # environment:
    # (pkgs.writeShellScriptBin "my-hello" ''
    #   echo "Hello, ${config.home.username}!"
    # '')
  ];
  # Home Manager is pretty good at managing dotfiles. The primary way to manage
  # plain files is through 'home.file'.
  home.file = {
    # # Building this configuration will create a copy of 'dotfiles/screenrc' in
    # # the Nix store. Activating the configuration will then make '~/.screenrc' a
    # # symlink to the Nix store copy.
    # ".screenrc".source = dotfiles/screenrc;
    # # You can also set the file content immediately.
    # ".gradle/gradle.properties".text = ''
    #   org.gradle.console=verbose
    #   org.gradle.daemon.idletimeout=3600000
    # '';
  };
  # Home Manager can also manage your environment variables through
  # 'home.sessionVariables'. If you don't want to manage your shell through Home
  # Manager then you have to manually source 'hm-session-vars.sh' located at
  # either
  #
  #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
  #
  # or
  #
  #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
  #
  # or
  #
  #  /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
  #
  home.sessionVariables = {
    # EDITOR = "emacs";
  };
  # Let Home Manager install and manage itself.
  programs.home-manager.enable = true;
  programs.git = {
    enable = true;
    difftastic.enable = true;
    userName = "m3tam3re";
    userEmail = "m@m3tam3re.com";
    aliases = {
      st = "status";
      logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
    };
    extraConfig = {
      core.excludesfile = "~/.gitignore_global";
      init.defaultBranch = "master";
    };
  };
  programs.zellij-ps = {
    enable = true;
    projectFolders = [
      "${config.home.homeDirectory}/p/c"
      "${config.home.homeDirectory}/p"
      "${config.home.homeDirectory}/.config"
    ];
    layout = ''
      layout {
          pane size=1 borderless=true {
              plugin location="zellij:tab-bar"
          }
          pane size="70%" command="nvim"
          pane split_direction="vertical" {
              pane
              pane command="unimatrix"
          }
          pane size=1 borderless=true {
              plugin location="zellij:status-bar"
          }
      }
    '';
  };
 }
--- a/home/m3tam3re/m3-helios.nix
+++ b/home/m3tam3re/m3-helios.nix
@@ -1,17 +0,0 @@
 {
  imports = [
    ../common
    ../features/cli
    ./home-server.nix
  ];
  features = {
    cli = {
      fish.enable = true;
      fzf.enable = true;
      neofetch.enable = true;
      secrets.enable = false;
      starship.enable = true;
    };
  };
 }
--- a/home/m3tam3re/m3-kratos.nix
+++ b/home/m3tam3re/m3-kratos.nix
@@ -1,97 +0,0 @@
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.features.desktop.hyprland;
 in {
  imports = [
    ../common
    ./dotfiles
    ./home.nix
    ../features/cli
    ../features/coding
    ../features/desktop
    ./services/librechat.nix
  ];
  options.features.desktop.hyprland.enable =
    mkEnableOption "enable Hyprland";
  config = mkMerge [
    # Base configuration
    {
      xdg = {
        # TODO: better structure
        enable = true;
        configFile."mimeapps.list".force = true;
        mimeApps = {
          enable = true;
          associations.added = {
            "application/zip" = ["org.gnome.FileRoller.desktop"];
            "application/csv" = ["calc.desktop"];
            "application/pdf" = ["okularApplication_pdf.desktop"];
            "x-scheme-handler/http" = ["io.github.zen_browser.zen.desktop"];
            "x-scheme-handler/https" = ["io.github.zen_browser.zen.desktop"];
          };
          defaultApplications = {
            "application/zip" = ["org.gnome.FileRoller.desktop"];
            "application/csv" = ["calc.desktop"];
            "application/pdf" = ["okularApplication_pdf.desktop"];
            "application/md" = ["nvim.desktop"];
            "application/text" = ["nvim.desktop"];
            "x-scheme-handler/http" = ["io.github.zen_browser.zen.desktop"];
            "x-scheme-handler/https" = ["io.github.zen_browser.zen.desktop"];
          };
        };
      };
      features = {
        cli = {
          fish.enable = true;
          fzf.enable = true;
          neofetch.enable = true;
          secrets.enable = true;
          starship.enable = true;
        };
        desktop = {
          gaming.enable = true;
          hyprland.enable = true;
          media.enable = true;
          office.enable = true;
          rofi.enable = true;
          fonts.enable = true;
          wayland.enable = true;
        };
      };
    }
    (mkIf cfg.enable {
      wayland.windowManager.hyprland = {
        enable = true;
        settings = {
          monitor = [
            "DP-1,2560x1440@144,0x0,1"
            "DP-2,2560x1440@144,2560x0,1"
          ];
          workspace = [
            "1, monitor:DP-1, default:true"
            "2, monitor:DP-1"
            "3, monitor:DP-1"
            "4, monitor:DP-2"
            "5, monitor:DP-1"
            "6, monitor:DP-2"
            "7, monitor:DP-2"
          ];
          windowrulev2 = [
            "workspace 1,class:dev.zed.Zed"
            "workspace 2,class:(com.obsproject.Studio)"
            "workspace 4,opacity 1.0, class:(chromium-browser)"
            "workspace 4,opacity 1.0, class:(zen-alpha)"
          ];
        };
      };
    })
  ];
 }
--- a/home/m3tam3re/services/librechat.nix
+++ b/home/m3tam3re/services/librechat.nix
@@ -1,18 +0,0 @@
 {
  systemd.user.services.librechat = {
    Unit = {
      Description = "LibreChat Start";
      After = ["network-online.target"];
      Wants = ["network-online.target"];
    };
    Install = {WantedBy = ["default.target"];};
    Service = {
      Type = "oneshot";
      RemainAfterExit = "yes";
      WorkingDirectory = "/home/m3tam3re/p/r/ai/LibreChat";
      ExecStart = "/run/current-system/sw/bin/podman-compose up -d";
      ExecStop = "/run/current-system/sw/bin/podman-compose down";
      Restart = "on-failure";
    };
  };
 }
--- a/hosts/common/AGENTS.md
+++ b/hosts/common/AGENTS.md
@@ -0,0 +1,76 @@
 # COMMON HOST CONFIGURATION
 **Shared base configuration and abstractions for all hosts**
 ## OVERVIEW
 Common imports, overlays, and custom patterns (extraServices, ports) used across 6 hosts.
 ## STRUCTURE
 ```
 common/
 ├── default.nix          # Base imports, overlays, nix settings
 ├── ports.nix            # Centralized port registry
 ├── extraServices/       # Optional service modules
 │   ├── default.nix
 │   ├── flatpak.nix
 │   ├── ollama.nix
 │   ├── podman.nix
 │   └── virtualisation.nix
 └── users/
    ├── default.nix
    └── m3tam3re.nix     # Primary user definition
 ```
 ## WHERE TO LOOK
 | Task | Location | Notes |
 |------|----------|-------|
 | Add port definition | ports.nix | Use config.m3ta.ports.get |
 | Enable optional service | Host config extraServices | Boolean flags |
 | Modify overlays | default.nix lines 27-36 | 5 overlay sources |
 | Add new user | users/ | Shared across all hosts |
 ## CONVENTIONS
 ### Port Registry Pattern
 ```nix
 # Define in ports.nix
 definitions = {
  myservice = 3099;
 };
 # Access in host config
 config.m3ta.ports.get "myservice"  # Returns 3099
 ```
 ### extraServices Abstraction
 Host configs enable via boolean:
 ```nix
 extraServices = {
  podman.enable = true;      # Container runtime
  ollama.enable = true;      # LLM inference
  flatpak.enable = false;    # Flatpak apps
  virtualisation.enable = true;  # QEMU/KVM
 };
 ```
 ### Overlay Precedence (bottom overrides top)
 1. stable-packages (nixpkgs-stable)
 2. locked-packages (nixpkgs-locked)
 3. pinned-packages (nixpkgs-45570c2, nixpkgs-9e58ed7)
 4. master-packages (nixpkgs-master)
 5. m3ta-nixpkgs (local custom overlay)
 ## ANTI-PATTERNS
 - **DON'T** add host-specific logic to common/ - belongs in hosts/<name>/
 - **DON'T** bypass port registry - hardcoded ports break consistency
 - **DON'T** modify user shell globally - set per-user if needed
 ## NOTES
 - Nix GC runs weekly, keeps 30 days
 - Trusted users: root, m3tam3re
 - Default shell: Nushell (set line 77)
 - Home-manager integrated at common level, not per-host
 - TODO on line 69: ports should only return actually used ports
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -1,31 +1,45 @@
 # Common configuration for all hosts
 {
  config,
  pkgs,
  lib,
  inputs,
  outputs,
  system,
  ...
 }: {
  imports = [
    ./extraServices
    ./ports.nix
    ./users
    inputs.home-manager.nixosModules.home-manager
  ];
  environment.pathsToLink = ["/share/xdg-desktop-portal" "/share/applications"];
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
-    extraSpecialArgs = {inherit inputs outputs;};
+    extraSpecialArgs = {
      inherit inputs outputs system;
      videoDrivers = config.services.xserver.videoDrivers or [];
    };
  };
  nixpkgs = {
    # You can add overlays here
    overlays = [
      # Add overlays your own flake exports (from overlays and pkgs dir):
-      outputs.overlays.additions
+      #outputs.overlays.additions
-      outputs.overlays.modifications
+      #outputs.overlays.modifications
      outputs.overlays.stable-packages
      outputs.overlays.locked-packages
      outputs.overlays.pinned-packages
      outputs.overlays.master-packages
      inputs.m3ta-nixpkgs.overlays.default
      inputs.m3ta-nixpkgs.overlays.modifications
      (outputs.lib.mkLlmAgentsOverlay system)
      # You can also add overlays exported from other flakes:
      # neovim-nightly-overlay.overlays.default
@@ -64,5 +78,5 @@
      ((lib.filterAttrs (_: lib.isType "flake")) inputs);
    nixPath = ["/etc/nix/path"];
  };
-  users.defaultUserShell = pkgs.fish;
+  users.defaultUserShell = pkgs.nushell;
 }
--- a/hosts/common/extraServices/flatpak.nix
+++ b/hosts/common/extraServices/flatpak.nix
@@ -7,14 +7,16 @@
 with lib; let
  cfg = config.extraServices.flatpak;
 in {
-  options.extraServices.flatpak.enable = mkEnableOption "enable podman";
+  options.extraServices.flatpak.enable = mkEnableOption "enable flatpak";
  config = mkIf cfg.enable {
    services.flatpak.enable = true;
    xdg.portal = {
      # xdg desktop intergration (required for flatpak)
      enable = true;
-      extraPortals = [pkgs.xdg-desktop-portal-gtk];
+      extraPortals = with pkgs; [
        xdg-desktop-portal-hyprland
      ];
      config.common.default = "*";
    };
  };
--- a/hosts/common/extraServices/ollama.nix
+++ b/hosts/common/extraServices/ollama.nix
@@ -1,6 +1,7 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
@@ -11,14 +12,22 @@ in {
  config = mkIf cfg.enable {
    services.ollama = {
      enable = true;
-      acceleration =
+      package =
        if config.services.xserver.videoDrivers == ["amdgpu"]
-        then "rocm"
+        then pkgs.ollama-rocm
        else if config.services.xserver.videoDrivers == ["nvidia"]
-        then "cuda"
+        then pkgs.ollama-cuda
-        else null;
+        else pkgs.ollama-cpu;
      host = "[::]";
      openFirewall = true;
      environmentVariables = {
        OLLAMA_ORIGINS = "https://msty.studio";
        OLLAMA_HOST = "0.0.0.0";
      };
    };
    nixpkgs.config = {
      rocmSupport = config.services.xserver.videoDrivers == ["amdgpu"];
      cudaSupport = config.services.xserver.videoDrivers == ["nvidia"];
    };
  };
 }
--- a/hosts/common/extraServices/virtualisation.nix
+++ b/hosts/common/extraServices/virtualisation.nix
@@ -17,22 +17,13 @@ in {
          package = pkgs.qemu_kvm;
          runAsRoot = true;
          swtpm.enable = true;
          ovmf = {
            enable = true;
            packages = [
              (pkgs.OVMF.override {
                secureBoot = true;
                tpmSupport = true;
              })
              .fd
            ];
          };
        };
      };
    };
    programs.virt-manager.enable = true;
-    environment.systemPackages = with pkgs; [
+    systemd.services.virt-secret-init-encryption.enable = false;
-      OVMFFull
+    environment = {
-    ];
+      systemPackages = [pkgs.qemu];
    };
  };
 }
--- a/hosts/common/ports.nix
+++ b/hosts/common/ports.nix
@@ -0,0 +1,75 @@
 {config, ...}: {
  m3ta.ports = {
    enable = true;
    definitions = {
      # System services
      ssh = 22;
      # Web & proxy services
      traefik = 80;
      traefik-ssl = 443;
      # Databases
      postgres = 5432;
      mysql = 3306;
      redis = 6379;
      # VPN & networking
      wireguard = 51820;
      tailscale = 41641;
      headscale = 3009;
      netbird-stun = 3478;
      netbird-proxy = 8443;
      netbird-metrics = 9090;
      netbird-health = 9000;
      # Containers & web apps
      gitea = 3030;
      baserow = 3001;
      ghost = 3002;
      wastebin = 3003;
      littlelink = 3004;
      searx = 3005;
      restreamer = 3006;
      paperless = 3012;
      vaultwarden = 3013;
      slash = 3010;
      slash-nemoti = 3016;
      kestra = 3018;
      outline = 3019;
      authentik = 3023;
      tuwunel = 3024;
      # Home automation
      homarr = 7575;
      # DNS
      adguardhome = 53;
    };
    hostOverrides = {
      # Host-specific overrides
      m3-ares = {
        # Any custom port overrides for m3-ares
      };
      m3-atlas = {
        # Any custom port overrides for m3-atlas
      };
      m3-helios = {
        # Any custom port overrides for m3-helios
      };
      m3-kratos = {
        # Any custom port overrides for m3-kratos
      };
    };
  };
  environment.etc."info/all-ports.json" = {
    text = builtins.toJSON {
      hostname = config.networking.hostName;
      ports = config.m3ta.ports.all; # TODO should only return actually used ports
    };
  };
 }
--- a/hosts/common/users/m3tam3re.nix
+++ b/hosts/common/users/m3tam3re.nix
@@ -1,11 +1,211 @@
 # hosts/common/users/m3tam3re.nix — Central user definition with m3ta-home integration.
 #
 # This module:
 #   1. Creates the m3tam3re NixOS user
 #   2. Loads the m3ta-home profile system via mkHome
 #   3. Sets per-host feature flags based on a host profile mapping
 #   4. Imports per-host home.nix overrides (monitors, HW-specific config)
 #
 # To add a new host:
 #   1. Add entry to hostProfiles below
 #   2. Add feature flags in the hostFlags section
 #   3. Create hosts/<hostname>/home.nix if the host needs overrides (monitors, etc.)
 {
  config,
  pkgs,
  inputs,
  ...
-}: {
+}: let
  hostname = config.networking.hostName;
  # ── Per-host profile mapping ──
  # Determines which m3ta-home context and sets each host gets.
  hostProfiles = {
    # ── Desktop hosts ──
    m3-ares = {
      context = "desktop";
      sets = ["coding" "gaming" "media"];
    };
    m3-kratos = {
      context = "desktop";
      sets = ["coding" "gaming" "media"];
    };
    m3-daedalus = {
      context = "desktop";
      sets = ["coding" "media"];
    };
    # ── Server hosts ──
    m3-atlas = {
      context = "server";
      sets = ["coding"];
    };
    m3-helios = {
      context = "server";
      sets = [];
    };
    m3-hermes = {
      context = "server";
      sets = [];
    };
    m3-aether = {
      context = "server";
      sets = [];
    };
  };
  profile = hostProfiles.${hostname} or {
    context = "server";
    sets = [];
  };
  m3ta-lib = inputs.m3ta-home.lib;
  # Check if a per-host home.nix exists
  hostHomeFile = ./../../${hostname}/home.nix;
  hostHomeExists = builtins.pathExists hostHomeFile;
  # ── Per-host feature flags ──
  # These enable/disable specific m3ta-home modules per host.
  hostFlags =
    if hostname == "m3-ares" || hostname == "m3-kratos"
    then {
      # Full desktop workstation
      base = {
        shell = {
          fish.enable = true;
          nushell.enable = true;
          starship.enable = true;
        };
        cliTools = {
          fzf.enable = true;
          nitch.enable = true;
          television.enable = true;
        };
        secrets.enable = true;
      };
      desktop = {
        wm = {
          hyprland.enable = true;
          rofi.enable = true;
          wayland.enable = true;
        };
        apps = {
          crypto.enable = true;
          obsidian.enable = true;
          office.enable = true;
        };
        theme = {
          fonts.enable = true;
          wallpapers.enable = true;
        };
      };
      coding = {
        editors = {
          neovim.enable = true;
          zed.enable = true;
        };
        lsp.enable = true;
        packages.enable = true;
        languages = {
          python.enable = true;
          javascript.enable = true;
          rustToolchain.enable = true;
          go.enable = true;
          typescript.enable = true;
        };
      };
      profiles.gaming = {
        steam.enable = true;
        gamescope.enable = true;
      };
      profiles.media = {
        obs.enable = true;
        ffmpeg.enable = true;
        kdenlive.enable = true;
        ytDlp.enable = true;
      };
    }
    else if hostname == "m3-daedalus"
    then {
      # Portable laptop — desktop without gaming, no Hyprland
      base = {
        shell = {
          fish.enable = true;
          nushell.enable = true;
          starship.enable = true;
        };
        cliTools = {
          fzf.enable = true;
          nitch.enable = true;
          television.enable = true;
        };
        secrets.enable = true;
      };
      desktop = {
        wm = {
          hyprland.enable = false;
          wayland.enable = false;
        };
        apps = {
          crypto.enable = false;
          obsidian.enable = true;
          office.enable = false;
        };
        theme = {
          fonts.enable = true;
          wallpapers.enable = false;
        };
      };
      coding = {
        editors = {
          neovim.enable = true;
          zed.enable = true;
        };
        lsp.enable = true;
        packages.enable = true;
        languages = {
          python.enable = true;
          javascript.enable = true;
          rustToolchain.enable = true;
          go.enable = true;
          typescript.enable = true;
        };
      };
      profiles.media = {
        ytDlp.enable = true;
      };
    }
    else if hostname == "m3-atlas"
    then {
      # Primary server — coding capable
      base = {
        shell = {
          nushell.enable = true;
          starship.enable = true;
        };
        cliTools = {
          fzf.enable = true;
          nitch.enable = true;
          zellij.enable = true;
        };
      };
      coding.editors.neovim.enable = true;
    }
    else {
      # m3-helios, m3-hermes, m3-aether — minimal server
      base = {
        shell = {
          fish.enable = true;
          starship.enable = true;
        };
        cliTools = {
          fzf.enable = true;
          nitch.enable = true;
        };
      };
    };
 in {
  # ── NixOS user definition ──
  users.users.m3tam3re = {
    #initialHashedPassword = "$y$j9T$IoChbWGYRh.rKfmm0G86X0$bYgsWqDRkvX.EBzJTX.Z0RsTlwspADpvEF3QErNyCMC";
    password = "12345";
    isNormalUser = true;
    description = "m3tam3re";
@@ -20,12 +220,34 @@
      "input"
      "kvm"
      "qemu-libvirtd"
      "adbusers"
    ];
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU= m3tam3re@m3-nix"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZcjCKl0DRuOUOMXbM0GKY5JjvmyFpVZ/tRlTKWu/zp razr"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZbg/Z9mnflXuLahGY8WOSBMqbgeqVIkIwRkquys1Ml sascha.koenig@azintec.com"
    ];
-    packages = [inputs.home-manager.packages.${pkgs.system}.default];
+    packages = [inputs.home-manager.packages.${pkgs.stdenv.hostPlatform.system}.default];
  };
  # ── Home-Manager configuration via m3ta-home ──
  home-manager.users.m3tam3re = {
    imports =
      [
        # Load m3ta-home composition engine
        (m3ta-lib.mkHome {
          user = "m3tam3re";
          identity = "private";
          inherit (profile) context sets;
        })
        # Per-host feature flags
        hostFlags
      ]
      # Per-host home.nix (Hyprland monitors, XDG/MIME, HW-specific overrides)
      ++ (
        if hostHomeExists
        then [hostHomeFile]
        else []
      );
  };
  home-manager.users.m3tam3re =
    import ../../../home/m3tam3re/${config.networking.hostName}.nix;
 }
--- a/hosts/m3-aether/configuration.nix
+++ b/hosts/m3-aether/configuration.nix
@@ -0,0 +1,111 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 {pkgs, ...}: {
  imports = [
    # Include the results of the hardware scan.
    ./disko-config.nix
    ./hardware-configuration.nix
  ];
  # Bootloader.
  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  networking.hostName = "m3-helios"; # Define your hostname.
  networking.hostId = "3ebf1cd3";
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  networking.networkmanager.enable =
    true; # Easiest to use and most distros use this by default.
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };
  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # Enable the GNOME Desktop Environment.
  # services.xserver.displayManager.gdm.enable = true;
  # services.xserver.desktopManager.gnome.enable = true;
  # Configure keymap in X11
  # services.xserver.xkb.layout = "us";
  # services.xserver.xkb.options = "eurosign:e,caps:escape";
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  # hardware.pulseaudio.enable = true;
  # OR
  # Enable touchpad support (enabled default in most desktopManager).
  # services.libinput.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [neovim git];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.fstrim = {
    enable = true; # For SSD/thin-provisioned storage
    interval = "weekly";
  };
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/m3-aether/default.nix
+++ b/hosts/m3-aether/default.nix
@@ -0,0 +1,50 @@
 # A staring point is the basic NIXOS configuration generated by the ISO installer.
 # On an existing NIXOS install you can use the following command in your flakes basedir:
 # sudo nixos-generate-config --dir ./hosts/m3tam3re
 #
 # Please make sure to change the first couple of lines in your configuration.nix:
 # { config, inputs, ouputs, lib, pkgs, ... }:
 #
 # {
 #   imports = [ # Include the results of the hardware scan.
 #     ./hardware-configuration.nix
 #     inputs.home-manager.nixosModules.home-manager
 #   ];
 #   ...
 #
 # Moreover please update the packages option in your user configuration and add the home-manager options:
 # users.users = {
 #   m3tam3re = {
 #     isNormalUser = true;
 #     initialPassword = "12345";
 #     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 #     packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
 #   };
 # };
 #
 # home-manager = {
 #   useUserPackages = true;
 #   extraSpecialArgs = { inherit inputs outputs; };
 #   users.m3tam3re =
 #     import ../../home/m3tam3re/${config.networking.hostName}.nix;
 # };
 #
 # Please also change your hostname accordingly:
 #:w
 # networking.hostName = "nixos"; # Define your hostname.
 {
  imports = [
    ../common
    ./configuration.nix
    ./programs.nix
    ./secrets.nix
    ./services
  ];
  extraServices = {
    flatpak.enable = true;
    ollama.enable = false;
    podman.enable = true;
    virtualisation.enable = false;
  };
 }
--- a/hosts/m3-aether/disko-config.nix
+++ b/hosts/m3-aether/disko-config.nix
@@ -0,0 +1,39 @@
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "1M";
              type = "EF02"; # for GRUB MBR
              priority = 1;
            };
            esp = {
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = ["defaults" "umask=0077"];
              };
            };
            root = {
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
                mountOptions = ["noatime" "nodiratime" "discard"];
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/m3-aether/hardware-configuration.nix
+++ b/hosts/m3-aether/hardware-configuration.nix
@@ -0,0 +1,28 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/m3-aether/programs.nix
+++ b/hosts/m3-aether/programs.nix
@@ -0,0 +1,14 @@
 {pkgs, ...}: {
  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
    # Add any missing dynamic libraries for unpackaged programs
    # here, NOT in environment.systemPackages
  ];
  programs.fish.enable = true;
  programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep-since 4d --keep 3";
    flake = "/home/m3tam3re/p/nixos/nixos-config";
  };
 }
--- a/hosts/m3-aether/secrets.nix
+++ b/hosts/m3-aether/secrets.nix
@@ -0,0 +1,15 @@
 {
  age = {
    secrets = {
      traefik = {
        file = ../../secrets/traefik.age;
        mode = "770";
        owner = "traefik";
      };
      m3tam3re-secrets = {
        file = ../../secrets/m3tam3re-secrets.age;
        owner = "m3tam3re";
      };
    };
  };
 }
--- a/hosts/m3-aether/services/cloud-init.nix
+++ b/hosts/m3-aether/services/cloud-init.nix
@@ -0,0 +1,7 @@
 {
  services.cloud-init = {
    enable = true;
    ext4.enable = true;
    network.enable = true;
  };
 }
--- a/hosts/m3-aether/services/default.nix
+++ b/hosts/m3-aether/services/default.nix
@@ -0,0 +1,5 @@
 {
  imports = [
    ./cloud-init.nix
  ];
 }
--- a/hosts/m3-ares/configuration.nix
+++ b/hosts/m3-ares/configuration.nix
@@ -0,0 +1,133 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 {pkgs, ...}: {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];
  specialisation = {
    "NVIDIA".configuration = {
      system.nixos.tags = ["NVIDIA"];
      services.xserver.videoDrivers = ["nvidia"];
      hardware.nvidia-container-toolkit.enable = true;
    };
  };
  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.systemd-boot.memtest86.enable = true;
  boot.initrd.services.lvm.enable = false;
  # boot.kernelModules = [];
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.extraModprobeConfig = ''
    options kvm_intel nested=1
    options kvm_intel emulate_invalid_guest_state=0
    options kvm ignore_msrs=1
  '';
  boot.blacklistedKernelModules = ["nova_core"];
  # CRITICAL FIX #4: Kernel parameters to prevent nouveau from loading early
  networking.hostName = "m3-ares"; # Define your hostname.
  # warp-terminal update fix
  # networking.extraHosts = ''
  #   127.0.0.1 releases.warp.dev
  #   127.0.0.1 app.warp.dev
  # '';
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  networking.networkmanager.enable =
    true; # Easiest to use and most distros use this by default.
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };
  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # Enable the GNOME Desktop Environment.
  # services.xserver.displayManager.gdm.enable = true;
  # services.xserver.desktopManager.gnome.enable = true;
  # displayManager.gdm.enable = true;
  # Configure keymap in X11
  # services.xserver.xkb.layout = "us";
  # services.xserver.xkb.options = "eurosign:e,caps:escape";
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  # hardware.pulseaudio.enable = true;
  # OR
  # Enable touchpad support (enabled default in most desktopManager).
  # services.libinput.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [neovim git];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "no";
    settings = {
      PasswordAuthentication = false;
    };
  };
  services.fstrim.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/m3-ares/default.nix
+++ b/hosts/m3-ares/default.nix
@@ -0,0 +1,51 @@
 # A staring point is the basic NIXOS configuration generated by the ISO installer.
 # On an existing NIXOS install you can use the following command in your flakes basedir:
 # sudo nixos-generate-config --dir ./hosts/m3tam3re
 #
 # Please make sure to change the first couple of lines in your configuration.nix:
 # { config, inputs, ouputs, lib, pkgs, ... }:
 #
 # {
 #   imports = [ # Include the results of the hardware scan.
 #     ./hardware-configuration.nix
 #     inputs.home-manager.nixosModules.home-manager
 #   ];
 #   ...
 #
 # Moreover please update the packages option in your user configuration and add the home-manager options:
 # users.users = {
 #   m3tam3re = {
 #     isNormalUser = true;
 #     initialPassword = "12345";
 #     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 #     packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
 #   };
 # };
 #
 # home-manager = {
 #   useUserPackages = true;
 #   extraSpecialArgs = { inherit inputs outputs; };
 #   users.m3tam3re =
 #     import ../../home/m3tam3re/${config.networking.hostName}.nix;
 # };
 #
 # Please also change your hostname accordingly:
 #:w
 # networking.hostName = "nixos"; # Define your hostname.
 {
  imports = [
    ../common
    ./configuration.nix
    ./hardware.nix
    ./programs.nix
    ./secrets.nix
    ./services
  ];
  extraServices = {
    flatpak.enable = true;
    ollama.enable = false;
    podman.enable = true;
    virtualisation.enable = true;
  };
 }
--- a/hosts/m3-ares/hardware-configuration.nix
+++ b/hosts/m3-ares/hardware-configuration.nix
@@ -0,0 +1,73 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }: {
  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
  boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "sd_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = ["kvm-intel"];
  boot.extraModulePackages = [];
  boot.supportedFilesystems = ["nfs"];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d";
    fsType = "btrfs";
    options = ["subvol=root" "compress=zstd"];
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d";
    fsType = "btrfs";
    options = ["subvol=home" "compress=zstd"];
  };
  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d";
    fsType = "btrfs";
    options = ["subvol=home" "compress=zstd" "noatime"];
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/4811-EA6E";
    fsType = "vfat";
  };
  fileSystems."/opt" = {
    device = "/dev/disk/by-uuid/3574df3a-2a90-4b54-9c21-128f1d01ff8f";
    fsType = "btrfs";
    options = ["noatime" "compress=zstd"];
  };
  fileSystems."/mnt/skynet-bkg" = {
    device = "192.168.1.100:/volume3/bkg";
    fsType = "nfs";
    options = ["noauto" "x-systemd.automount"];
  };
  fileSystems."/mnt/skynet" = {
    device = "192.168.1.100:/volume3/m3-skynet";
    fsType = "nfs";
    options = ["noauto" "x-systemd.automount"];
  };
  swapDevices = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp46s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/m3-ares/hardware.nix
+++ b/hosts/m3-ares/hardware.nix
@@ -0,0 +1,58 @@
 {
  config,
  pkgs,
  inputs,
  ...
 }: {
  # Workaround for tuxedo-drivers module bug in unstable (nixpkgs#480391)
  # The unstable module has a type error - use stable module until fix propagates
  # disabledModules = [ "hardware/tuxedo-drivers.nix" ];
  # imports =
  #   [ "${inputs.nixpkgs-stable}/nixos/modules/hardware/tuxedo-drivers.nix" ];
  hardware.nvidia = {
    prime = {
      offload.enable = false;
      # Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
      intelBusId = "PCI:0:2:0";
      # Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
      nvidiaBusId = "PCI:1:0:0";
    };
    modesetting.enable = true;
    powerManagement.finegrained = false;
    powerManagement.enable = true;
    open = false;
    dynamicBoost.enable = true;
    nvidiaSettings = true;
    package = config.boot.kernelPackages.nvidiaPackages.production;
  };
  hardware.tuxedo-drivers.enable = true;
  hardware.bluetooth.enable = true;
  hardware.keyboard.zsa.enable = true;
  hardware.graphics.enable = true;
  services.hardware.bolt.enable = true;
  services.auto-cpufreq.enable = true;
  services.tlp = {
    enable = true;
    settings = {
      START_CHARGE_THRESH_BAT0 = 75;
      STOP_CHARGE_THRESH_BAT0 = 80;
    };
  };
  environment.systemPackages = with pkgs; [tuxedo-backlight];
  security.sudo.extraRules = [
    {
      users = ["@wheel"];
      commands = [
        {
          command = "/run/current-system/sw/bin/set-backlight";
          options = ["NOPASSWD"];
        }
      ];
    }
  ];
 }
--- a/hosts/m3-ares/home.nix
+++ b/hosts/m3-ares/home.nix
@@ -0,0 +1,71 @@
 # hosts/m3-ares/home.nix — Host-specific home-manager overrides.
 # TUXEDO laptop: eDP-1 + HDMI-A-1 external monitor.
 # Everything else (shell, editors, gaming, media, theme, etc.) comes from
 # m3ta-home via the profile mapping in hosts/common/users/m3tam3re.nix.
 {
  config,
  lib,
  ...
 }:
 with lib; {
  config = mkMerge [
    # ── XDG / MIME defaults ──
    {
      xdg = {
        enable = true;
        configFile."mimeapps.list".force = true;
        mimeApps = {
          enable = true;
          associations.added = {
            "application/zip" = ["org.gnome.FileRoller.desktop"];
            "application/csv" = ["calc.desktop"];
            "application/pdf" = ["vivaldi-stable.desktop"];
            "x-scheme-handler/http" = ["vivaldi-stable.desktop"];
            "x-scheme-handler/https" = ["vivaldi-stable.desktop"];
          };
          defaultApplications = {
            "application/zip" = ["org.gnome.FileRoller.desktop"];
            "application/csv" = ["calc.desktop"];
            "application/pdf" = ["vivaldi-stable.desktop"];
            "application/md" = ["dev.zed.Zed.desktop"];
            "application/text" = ["dev.zed.Zed.desktop"];
            "x-scheme-handler/http" = ["vivaldi-stable.desktop"];
            "x-scheme-handler/https" = ["vivaldi-stable.desktop"];
          };
        };
      };
    }
    # ── Hyprland monitor layout ──
    (mkIf config.desktop.wm.hyprland.enable {
      wayland.windowManager.hyprland = {
        enable = true;
        settings = {
          exec-once = ["tuxedo-backlight"];
          monitor = [
            "eDP-1,preferred,0x0,1.25"
            "HDMI-A-1,1920x1080@120,2560x0,1"
          ];
          workspace = [
            "1, monitor:eDP-1, default:true"
            "2, monitor:eDP-1"
            "3, monitor:eDP-1"
            "4, monitor:HDMI-A-1"
            "5, monitor:HDMI-A-1,border:false,rounding:false"
            "6, monitor:HDMI-A-1"
          ];
          windowrule = [
            "match:class dev.zed.Zed, workspace 1"
            "match:class Msty, workspace 1"
            "match:class ^(com.obsproject.Studio)$, workspace 2"
            "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
            "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
            "match:class ^steam_app_\\d+$, fullscreen on"
            "match:class ^steam_app_\\d+$, workspace 5"
            "match:class ^steam_app_\\d+$, idle_inhibit focus"
          ];
        };
      };
    })
  ];
 }
--- a/hosts/m3-ares/programs.nix
+++ b/hosts/m3-ares/programs.nix
@@ -0,0 +1,45 @@
 {pkgs, ...}: {
  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
    # Add any missing dynamic libraries for unpackaged programs
    # here, NOT in environment.systemPackages
  ];
  programs.hyprland = {
    enable = true;
    xwayland.enable = true;
    withUWSM = true;
  };
  programs.steam = {
    enable = true;
    remotePlay.openFirewall = true;
    dedicatedServer.openFirewall = true;
    gamescopeSession = {
      enable = true;
      args = [
        "-W 1920"
        "-H 1080"
      ];
    };
  };
  programs.gamescope = {
    enable = true;
    capSysNice = true;
  };
  programs.fish.enable = true;
  programs.thunar = {
    enable = true;
    plugins = with pkgs; [thunar-archive-plugin thunar-volman];
  };
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = pkgs.pinentry-gnome3;
    settings = {default-cache-ttl = 10800;};
  };
  programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep-since 4d --keep 3";
    flake = "/home/m3tam3re/p/nixos/nixos-config";
  };
 }
--- a/hosts/m3-ares/secrets.nix
+++ b/hosts/m3-ares/secrets.nix
@@ -0,0 +1,59 @@
 {
  age = {
    secrets = {
      anytype-key = {
        file = ../../secrets/anytype-key-ares.age;
        owner = "m3tam3re";
      };
      wg-DE = {
        file = ../../secrets/wg-DE.age;
        path = "/etc/wireguard/DE.conf";
      };
      wg-NL = {
        file = ../../secrets/wg-NL.age;
        path = "/etc/wireguard/NL.conf";
      };
      wg-NO = {
        file = ../../secrets/wg-NO.age;
        path = "/etc/wireguard/NO.conf";
      };
      wg-US = {
        file = ../../secrets/wg-US.age;
        path = "/etc/wireguard/US.conf";
      };
      wg-BR = {
        file = ../../secrets/wg-BR.age;
        path = "/etc/wireguard/BR.conf";
      };
      ref-key = {
        file = ../../secrets/ref-key.age;
        owner = "m3tam3re";
      };
      exa-key = {
        file = ../../secrets/exa-key.age;
        owner = "m3tam3re";
      };
      outline-key = {
        file = ../../secrets/outline-key.age;
        owner = "m3tam3re";
      };
      basecamp-client-id = {
        file = ../../secrets/basecamp-client-id.age;
        owner = "m3tam3re";
      };
      basecamp-client-secret = {
        file = ../../secrets/basecamp-client-secret.age;
        owner = "m3tam3re";
      };
      tailscale-key.file = ../../secrets/tailscale-key.age;
      m3tam3re-secrets = {
        file = ../../secrets/m3tam3re-secrets.age;
        owner = "m3tam3re";
      };
      hermes-env = {
        file = ../../secrets/hermes-env.age;
        owner = "m3tam3re";
      };
    };
  };
 }
--- a/hosts/m3-ares/services/containers/default.nix
+++ b/hosts/m3-ares/services/containers/default.nix
@@ -0,0 +1,4 @@
 {
  imports = [
  ];
 }
--- a/hosts/m3-ares/services/default.nix
+++ b/hosts/m3-ares/services/default.nix
@@ -0,0 +1,53 @@
 {pkgs, ...}: {
  imports = [
    ./containers
    ./hermes-agent.nix
    ./netbird.nix
    #./n8n.nix
    ./mem0.nix
    ./postgres.nix
    ./restic.nix
    ./sound.nix
    ./udev.nix
    ./wireguard.nix
  ];
  # console.useXkbConfig = true;
  # services.xserver.xkb = {
  #   layout = "de,us";
  #   options = "ctrl:nocaps";
  # };
  # optional, falls du auch die TTY-Konsole deutsch willst:
  services = {
    hypridle.enable = true;
    espanso = {
      enable = true;
      package = pkgs.espanso-wayland;
    };
    printing.enable = true;
    gvfs.enable = true;
    trezord.enable = true;
    gnome.gnome-keyring.enable = true;
    qdrant.enable = true;
    # qdrant = {
    #   enable = true;
    #   settings = {
    #     service = {
    #       host = "0.0.0.0";
    #     };
    #   };
    # };
    upower.enable = true;
    avahi = {
      enable = true;
      nssmdns4 = true;
      publish = {
        addresses = true;
        workstation = true;
        userServices = true;
      };
    };
    displayManager.gdm.enable = true;
  };
 }
--- a/hosts/m3-ares/services/hermes-agent.nix
+++ b/hosts/m3-ares/services/hermes-agent.nix
@@ -0,0 +1,184 @@
 {config, ...}: let
  # Default ElevenLabs voice: Bella (German-capable female)
  elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
 in {
  services.hermes-agent = {
    enable = true;
    addToSystemPackages = true;
    # Secrets via agenix
    environmentFiles = [config.age.secrets."hermes-env".path];
    # Non-secret environment variables
    environment = {
      GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
    };
    settings = {
      # ── Model ──────────────────────────────────────────────────────────
      model = {
        default = "glm-5.1";
        provider = "zai";
      };
      credential_pool_strategies = {
        zai = "fill_first";
      };
      toolsets = ["all"];
      # ── Agent ──────────────────────────────────────────────────────────
      agent = {
        max_turns = 90;
        gateway_timeout = 1800;
        tool_use_enforcement = "auto";
      };
      # ── Terminal ───────────────────────────────────────────────────────
      terminal = {
        backend = "ssh";
        modal_mode = "auto";
        cwd = ".";
        timeout = 180;
        persistent_shell = true;
      };
      # ── Browser ────────────────────────────────────────────────────────
      browser = {
        inactivity_timeout = 120;
        command_timeout = 30;
        cloud_provider = "local";
      };
      # ── Checkpoints / Compression ──────────────────────────────────────
      checkpoints = {
        enabled = true;
        max_snapshots = 50;
      };
      file_read_max_chars = 100000;
      compression = {
        enabled = true;
        threshold = 0.5;
        target_ratio = 0.2;
        protect_last_n = 20;
      };
      # ── Display ────────────────────────────────────────────────────────
      display = {
        compact = false;
        personality = "kawaii";
        resume_display = "full";
        busy_input_mode = "interrupt";
        inline_diffs = true;
        skin = "default";
        tool_progress = "all";
      };
      # ── TTS / STT / Voice ──────────────────────────────────────────────
      tts = {
        provider = "elevenlabs";
        elevenlabs = {
          voice_id = elevenlabsVoiceId;
          model_id = "eleven_multilingual_v2";
        };
      };
      stt = {
        enabled = true;
        provider = "local";
        local = {model = "base";};
      };
      voice = {
        record_key = "ctrl+b";
        max_recording_seconds = 120;
        silence_threshold = 200;
        silence_duration = 3.0;
      };
      # ── Memory ─────────────────────────────────────────────────────────
      memory = {
        memory_enabled = true;
        user_profile_enabled = true;
        memory_char_limit = 2200;
        user_char_limit = 1375;
      };
      # ── Delegation ─────────────────────────────────────────────────────
      delegation = {
        max_iterations = 50;
      };
      # ── Discord ────────────────────────────────────────────────────────
      discord = {
        require_mention = true;
        auto_thread = true;
        reactions = true;
      };
      # ── Approvals / Security ───────────────────────────────────────────
      approvals = {
        mode = "manual";
        timeout = 60;
      };
      security = {
        redact_secrets = true;
        tirith_enabled = true;
        tirith_fail_open = true;
      };
      # ── Cron / Session ─────────────────────────────────────────────────
      cron = {wrap_response = true;};
      session_reset = {
        mode = "both";
        idle_minutes = 1440;
        at_hour = 4;
      };
      # ── Web ────────────────────────────────────────────────────────────
      web = {backend = "exa";};
      # ── Platform Toolsets ──────────────────────────────────────────────
      platform_toolsets = {
        cli = [
          "browser"
          "clarify"
          "code_execution"
          "cronjob"
          "delegation"
          "file"
          "image_gen"
          "memory"
          "session_search"
          "skills"
          "terminal"
          "todo"
          "tts"
          "vision"
          "web"
        ];
        telegram = [
          "browser"
          "clarify"
          "code_execution"
          "cronjob"
          "delegation"
          "file"
          "image_gen"
          "memory"
          "session_search"
          "skills"
          "terminal"
          "todo"
          "tts"
          "vision"
          "web"
        ];
      };
    };
  };
 }
--- a/hosts/m3-ares/services/mem0.nix
+++ b/hosts/m3-ares/services/mem0.nix
@@ -0,0 +1,23 @@
 {
  m3ta.mem0 = {
    enable = true;
    port = 8000;
    host = "127.0.0.1";
    # LLM Configuration
    llm = {
      provider = "openai";
      apiKeyFile = "/var/lib/mem0/openai-api-key-1"; # Use agenix or sops-nix
    };
    # Vector Storage Configuration
    vectorStore = {
      provider = "qdrant"; # or "chroma", "pinecone", etc.
      config = {
        host = "localhost";
        port = 6333;
        collection_name = "mem0_alice";
      };
    };
  };
 }
--- a/hosts/m3-ares/services/n8n.nix
+++ b/hosts/m3-ares/services/n8n.nix
@@ -0,0 +1,11 @@
 {
  services.n8n = {
    enable = true;
    openFirewall = true;
  };
  systemd.services.n8n = {
    environment = {
      N8N_SECURE_COOKIE = "false";
    };
  };
 }
--- a/hosts/m3-ares/services/netbird.nix
+++ b/hosts/m3-ares/services/netbird.nix
@@ -0,0 +1,29 @@
 {pkgs, ...}: {
  services.netbird.enable = true;
  environment.systemPackages = with pkgs; [netbird-ui];
  systemd.services.netbird = {
    environment = {
      NB_DISABLE_SSH_CONFIG = "true";
    };
    path = [
      pkgs.shadow
      pkgs.util-linux
    ];
  };
  programs.ssh.extraConfig = ''
    Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
        PreferredAuthentications password,publickey,keyboard-interactive
        PasswordAuthentication yes
        PubkeyAuthentication yes
        BatchMode no
        ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
        CheckHostIP no
        LogLevel ERROR
  '';
  networking.firewall.checkReversePath = "loose";
 }
--- a/hosts/m3-ares/services/postgres.nix
+++ b/hosts/m3-ares/services/postgres.nix
@@ -0,0 +1,22 @@
 {pkgs, ...}: {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_17;
    extensions = with pkgs.postgresql17Packages; [
      pgvector
    ];
    authentication = ''
      local all all trust
      host all all 127.0.0.1/32 trust
      host all all ::1/128 trust
      host all all 10.88.0.0/16 trust
      host all all 19.89.0.0/16 trust
    '';
    initialScript = pkgs.writeText "initialScript.sql" ''
      CREATE USER n8n WITH PASSWORD 'n8n';
      CREATE DATABASE n8n;
      GRANT ALL PRIVILEGES ON DATABASE n8n TO n8n;
    '';
  };
 }
--- a/hosts/m3-ares/services/restic.nix
+++ b/hosts/m3-ares/services/restic.nix
@@ -0,0 +1,25 @@
 {
  services.restic.backups = {
    skynet = {
      repository = "/mnt/skynet-bkg/m3-nix";
      passwordFile = "/etc/nixos/restic-pass";
      initialize = true;
      paths = ["/home/m3tam3re"];
      exclude = [
        "/home/m3tam3re/.cache"
        "/home/m3tam3re/Bilder/"
        "/home/m3tam3re/Videos/"
        "/home/m3tam3re/Downloads"
        "/home/m3tam3re/Library"
        "/home/m3tam3re/Projekte"
        "/home/m3tam3re/Sync"
        "/home/m3tam3re/.local/share/Trash"
      ];
      timerConfig = {
        OnCalendar = "09:30";
        RandomizedDelaySec = "2h";
        Persistent = true;
      };
    };
  };
 }
--- a/hosts/m3-ares/services/sound.nix
+++ b/hosts/m3-ares/services/sound.nix
@@ -0,0 +1,11 @@
 {
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = false;
    wireplumber.enable = true;
  };
 }
--- a/hosts/m3-ares/services/udev.nix
+++ b/hosts/m3-ares/services/udev.nix
@@ -0,0 +1,10 @@
 {pkgs, ...}: {
  services.udev.extraRules = ''
    SUBSYSTEM=="usb", MODE="0666"
    SUBSYSTEM=="leds", KERNEL=="rgb:kbd_backlight*", ACTION=="add", RUN+="${pkgs.coreutils}/bin/chmod a+w /sys/class/leds/%k/multi_intensity"
    KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_node=uinput"
    KERNEL=="event*", SUBSYSTEM=="input", MODE="0660", GROUP="input"  '';
  environment.systemPackages = with pkgs; [
    zsa-udev-rules
  ];
 }
--- a/hosts/m3-ares/services/wireguard.nix
+++ b/hosts/m3-ares/services/wireguard.nix
@@ -0,0 +1,25 @@
 {config, ...}: {
  networking.wg-quick.interfaces = {
    DE = {
      configFile = config.age.secrets.wg-DE.path;
      autostart = false;
    };
    NL = {
      configFile = config.age.secrets.wg-NL.path;
      autostart = false;
    };
    NO = {
      configFile = config.age.secrets.wg-NO.path;
      autostart = false;
    };
    US = {
      configFile = config.age.secrets.wg-US.path;
      autostart = false;
    };
    BR = {
      configFile = config.age.secrets.wg-BR.path;
      autostart = false;
    };
  };
  services.resolved.enable = true;
 }
--- a/hosts/m3-atlas/configuration.nix
+++ b/hosts/m3-atlas/configuration.nix
@@ -0,0 +1,116 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 {pkgs, ...}: {
  imports = [
    # Include the results of the hardware scan.
    ./disko-config.nix
    ./hardware-configuration.nix
  ];
  # Bootloader.
  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  networking.hostName = "m3-atlas"; # CHANGE ME.
  networking.hostId = "15b60253"; # CHANGE ME
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };
  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # Enable the GNOME Desktop Environment.
  # services.xserver.displayManager.gdm.enable = true;
  # services.xserver.desktopManager.gnome.enable = true;
  # Configure keymap in X11
  # services.xserver.xkb.layout = "us";
  # services.xserver.xkb.options = "eurosign:e,caps:escape";
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  # hardware.pulseaudio.enable = true;
  # OR
  # Enable touchpad support (enabled default in most desktopManager).
  # services.libinput.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    neovim
    git
    ghostty.terminfo
  ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "no";
    settings = {
      PasswordAuthentication = false;
    };
  };
  # [[Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/m3-atlas/default.nix
+++ b/hosts/m3-atlas/default.nix
@@ -0,0 +1,50 @@
 # A staring point is the basic NIXOS configuration generated by the ISO installer.
 # On an existing NIXOS install you can use the following command in your flakes basedir:
 # sudo nixos-generate-config --dir ./hosts/m3tam3re
 #
 # Please make sure to change the first couple of lines in your configuration.nix:
 # { config, inputs, ouputs, lib, pkgs, ... }:
 #
 # {
 #   imports = [ # Include the results of the hardware scan.
 #     ./hardware-configuration.nix
 #     inputs.home-manager.nixosModules.home-manager
 #   ];
 #   ...
 #
 # Moreover please update the packages option in your user configuration and add the home-manager options:
 # users.users = {
 #   m3tam3re = {
 #     isNormalUser = true;
 #     initialPassword = "12345";
 #     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 #     packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
 #   };
 # };
 #
 # home-manager = {
 #   useUserPackages = true;
 #   extraSpecialArgs = { inherit inputs outputs; };
 #   users.m3tam3re =
 #     import ../../home/m3tam3re/${config.networking.hostName}.nix;
 # };
 #
 # Please also change your hostname accordingly:
 #:w
 # networking.hostName = "nixos"; # Define your hostname.
 {
  imports = [
    ../common
    ./configuration.nix
    ./programs.nix
    ./secrets.nix
    ./services
  ];
  extraServices = {
    flatpak.enable = false;
    ollama.enable = false;
    podman.enable = true;
    virtualisation.enable = false;
  };
 }
--- a/hosts/m3-atlas/disko-config.nix
+++ b/hosts/m3-atlas/disko-config.nix
@@ -0,0 +1,39 @@
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/vda"; # CHANGE ME
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "1M";
              type = "EF02"; # for GRUB MBR
              priority = 1;
            };
            esp = {
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = ["defaults" "umask=0077"];
              };
            };
            root = {
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
                mountOptions = ["noatime" "nodiratime" "discard"];
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/m3-atlas/hardware-configuration.nix
+++ b/hosts/m3-atlas/hardware-configuration.nix
@@ -0,0 +1,31 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  lib,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  fileSystems."/var/storage" = {
    device = "46.38.248.210:/voln723044a1";
    fsType = "nfs";
  };
 }
--- a/hosts/m3-atlas/programs.nix
+++ b/hosts/m3-atlas/programs.nix
@@ -0,0 +1,14 @@
 {pkgs, ...}: {
  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
    # Add any missing dynamic libraries for unpackaged programs
    # here, NOT in environment.systemPackages
  ];
  programs.fish.enable = true;
  programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep-since 4d --keep 3";
    flake = "/home/m3tam3re/p/nixos/nixos-config";
  };
 }
--- a/hosts/m3-atlas/secrets.nix
+++ b/hosts/m3-atlas/secrets.nix
@@ -0,0 +1,76 @@
 {
  age = {
    secrets = {
      baserow-env = {file = ../../secrets/baserow-env.age;};
      ghost-env = {file = ../../secrets/ghost-env.age;};
      kestra-config = {
        file = ../../secrets/kestra-config.age;
        mode = "644";
      };
      kestra-env = {file = ../../secrets/kestra-env.age;};
      littlelink-m3tam3re = {file = ../../secrets/littlelink-m3tam3re.age;};
      minio-root-cred = {file = ../../secrets/minio-root-cred.age;};
      rustfs-access-key = {file = ../../secrets/rustfs-access-key.age;};
      rustfs-secret-key = {file = ../../secrets/rustfs-secret-key.age;};
      n8n-env = {file = ../../secrets/n8n-env.age;};
      netbird-auth-secret = {
        file = ../../secrets/netbird-auth-secret.age;
      };
      netbird-db-password = {
        file = ../../secrets/netbird-db-password.age;
      };
      netbird-encryption-key = {
        file = ../../secrets/netbird-encryption-key.age;
      };
      netbird-dashboard-env = {
        file = ../../secrets/netbird-dashboard-env.age;
      };
      netbird-server-env = {
        file = ../../secrets/netbird-server-env.age;
      };
      netbird-proxy-env = {
        file = ../../secrets/netbird-proxy-env.age;
      };
      paperless-key = {file = ../../secrets/paperless-key.age;};
      restreamer-env = {file = ../../secrets/restreamer-env.age;};
      searx = {file = ../../secrets/searx.age;};
      tailscale-key = {file = ../../secrets/tailscale-key.age;};
      tuwunel-registration-token = {
        file = ../../secrets/tuwunel-registration-token.age;
        owner = "tuwunel";
      };
      traefik = {
        file = ../../secrets/traefik.age;
        owner = "traefik";
      };
      vaultwarden-env = {file = ../../secrets/vaultwarden-env.age;};
      m3tam3re-secrets = {
        file = ../../secrets/m3tam3re-secrets.age;
        owner = "m3tam3re";
      };
      gitea-runner-token = {
        file = ../../secrets/gitea-runner-token.age;
        mode = "600";
        owner = "gitea-runner";
        group = "gitea-runner";
      };
      ref-key = {
        file = ../../secrets/ref-key.age;
        owner = "m3tam3re";
      };
      exa-key = {
        file = ../../secrets/exa-key.age;
        owner = "m3tam3re";
      };
      basecamp-client-id = {
        file = ../../secrets/basecamp-client-id.age;
        owner = "m3tam3re";
      };
      basecamp-client-secret = {
        file = ../../secrets/basecamp-client-secret.age;
        owner = "m3tam3re";
      };
      authentik-env = {file = ../../secrets/authentik-env.age;};
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/AGENTS.md
+++ b/hosts/m3-atlas/services/containers/AGENTS.md
@@ -0,0 +1,85 @@
 # CONTAINER SERVICES (m3-atlas)
 **Container orchestration with Podman + Traefik reverse proxy**
 ## OVERVIEW
 11 containerized services on dedicated `web` network (10.89.0.0/24) with Traefik SSL termination.
 ## STRUCTURE
 ```
 containers/
 ├── default.nix          # Network setup + service imports
 ├── baserow.nix          # 10.89.0.10 - No-code database
 ├── ghost.nix            # 10.89.0.11 - Blog platform
 ├── kestra.nix           # 10.89.0.12 - Workflow orchestration
 ├── littlelink.nix       # 10.89.0.13 - Link aggregator
 ├── matomo.nix           # 10.89.0.14 - Analytics
 ├── restreamer.nix       # 10.89.0.15 - Video streaming
 ├── slash.nix            # 10.89.0.16 - Link shortener
 └── slash-nemoti.nix     # 10.89.0.17 - Personal link shortener
 ```
 ## WHERE TO LOOK
 | Task | Action | Notes |
 |------|--------|-------|
 | Add container | Copy existing .nix, increment IP | Must update default.nix imports |
 | Fix networking | Check IP conflicts in 10.89.0.0/24 | Gateway always 10.89.0.1 |
 | Debug Traefik | Check router rules in service file | Domain must match DNS |
 | Access database | Use `--add-host=mysql:10.89.0.1` | Gateway IP for host services |
 ## CONVENTIONS
 ### Container Definition Template
 ```nix
 virtualisation.oci-containers.containers.<name> = {
  image = "registry/image:tag";
  ports = ["127.0.0.1:<external>:<internal>"];
  volumes = ["/var/lib/<service>:/data"];
  environmentFiles = [config.age.secrets.<name>-env.path];
  extraOptions = [
    "--network=web"
    "--ip=10.89.0.<sequential>"
    "--add-host=mysql:10.89.0.1"  # If DB needed
  ];
 };
 ```
 ### Traefik Integration
 ```nix
 services.traefik.dynamicConfigOptions.http = {
  services.<name>.loadBalancer.servers = [{ 
    url = "http://127.0.0.1:<port>"; 
  }];
  routers.<name> = {
    rule = "Host(`<subdomain>.m3ta.dev`)";
    service = "<name>";
    tls.certResolver = "godaddy";
  };
  # Legacy redirect (if needed)
  routers.<name>-old = {
    rule = "Host(`<subdomain>.m3tam3re.com`)";
    service = "<name>";
    middlewares = ["redirect-m3ta"];
  };
 };
 ```
 ### IP Allocation
 - **10.89.0.1**: Gateway (host)
 - **10.89.0.10-17**: Assigned containers
 - **10.89.0.18+**: Available for new services
 ## ANTI-PATTERNS
 - **DON'T** expose ports publicly - bind to 127.0.0.1 only
 - **DON'T** skip static IP assignment - routing breaks without it
 - **DON'T** hardcode secrets - use age-encrypted env files
 - **DON'T** forget to add imports to default.nix
 ## NOTES
 - Network created via activation script in default.nix
 - All services behind Traefik - no direct external access
 - MySQL/PostgreSQL run on host, accessed via gateway IP
 - Secrets pattern: `<service>-env.age` with environment variables
--- a/hosts/m3-atlas/services/containers/authentik.nix
+++ b/hosts/m3-atlas/services/containers/authentik.nix
@@ -0,0 +1,67 @@
 {config, ...}: let
  image = "ghcr.io/goauthentik/server:2026.2.0";
  serverIp = "10.89.0.22";
  workerIp = "10.89.0.23";
  postgresHost = "10.89.0.1";
  postgresPort = config.m3ta.ports.get "postgres";
  authentikPort = config.m3ta.ports.get "authentik";
  sharedEnv = {
    AUTHENTIK_POSTGRESQL__HOST = postgresHost;
    AUTHENTIK_POSTGRESQL__PORT = toString postgresPort;
    AUTHENTIK_POSTGRESQL__USER = "authentik";
    AUTHENTIK_POSTGRESQL__NAME = "authentik";
  };
 in {
  virtualisation.oci-containers.containers = {
    "authentik-server" = {
      inherit image;
      cmd = ["server"];
      environment = sharedEnv;
      environmentFiles = [config.age.secrets.authentik-env.path];
      ports = ["127.0.0.1:${toString authentikPort}:9000"];
      volumes = [
        "authentik_media:/media"
        "authentik_templates:/templates"
      ];
      extraOptions = [
        "--add-host=postgres:${postgresHost}"
        "--ip=${serverIp}"
        "--network=web"
      ];
    };
    "authentik-worker" = {
      inherit image;
      cmd = ["worker"];
      user = "root";
      environment = sharedEnv;
      environmentFiles = [config.age.secrets.authentik-env.path];
      volumes = [
        "authentik_media:/media"
        "authentik_certs:/certs"
        "authentik_templates:/templates"
      ];
      extraOptions = [
        "--add-host=postgres:${postgresHost}"
        "--ip=${workerIp}"
        "--network=web"
      ];
    };
  };
  services.traefik.dynamicConfigOptions.http = {
    services.authentik.loadBalancer.servers = [
      {url = "http://localhost:${toString authentikPort}/";}
    ];
    routers.authentik = {
      rule = "Host(`auth.m3ta.dev`)";
      tls = {certResolver = "godaddy";};
      service = "authentik";
      entrypoints = "websecure";
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/baserow.nix
+++ b/hosts/m3-atlas/services/containers/baserow.nix
@@ -0,0 +1,35 @@
 {config, ...}: {
  virtualisation.oci-containers.containers."baserow" = {
    image = "docker.io/baserow/baserow:2.0.6";
    environmentFiles = [config.age.secrets.baserow-env.path];
    ports = ["127.0.0.1:${toString (config.m3ta.ports.get "baserow")}:80"];
    volumes = ["baserow_data:/baserow/data"];
    extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.10" "--network=web"];
  };
  # Traefik configuration specific to baserow
  services.traefik.dynamicConfigOptions.http = {
    services.baserow.loadBalancer.servers = [
      {
        url = "http://localhost:${toString (config.m3ta.ports.get "baserow")}/";
      }
    ];
    routers.baserow = {
      rule = "Host(`br.m3ta.dev`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "baserow";
      entrypoints = "websecure";
    };
    routers.baserow-old = {
      rule = "Host(`br.m3tam3re.com`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "baserow";
      entrypoints = "websecure";
      middlewares = ["subdomain-redirect"];
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/default.nix
+++ b/hosts/m3-atlas/services/containers/default.nix
@@ -0,0 +1,21 @@
 {lib, ...}: {
  imports = [
    ./baserow.nix
    ./ghost.nix
    ./kestra.nix
    ./littlelink.nix
    ./matomo.nix
    ./netbird.nix
    # ./n8n.nix
    # ./pangolin.nix
    ./restreamer.nix
    ./slash.nix
    ./slash-nemoti.nix
    ./authentik.nix
  ];
  system.activationScripts.createPodmanNetworkWeb = lib.mkAfter ''
    if ! /run/current-system/sw/bin/podman network exists web; then
      /run/current-system/sw/bin/podman network create web --subnet=10.89.0.0/24 --internal
    fi
  '';
 }
--- a/hosts/m3-atlas/services/containers/ghost.nix
+++ b/hosts/m3-atlas/services/containers/ghost.nix
@@ -0,0 +1,37 @@
 {config, ...}: {
  virtualisation.oci-containers.containers."ghost" = {
    image = "docker.io/ghost:latest";
    environmentFiles = [config.age.secrets.ghost-env.path];
    ports = ["127.0.0.1:3002:2368"];
    volumes = ["ghost_data:/var/lib/ghost/content"];
    extraOptions = ["--add-host=mysql:10.89.0.1" "--ip=10.89.0.11" "--network=web"];
  };
  # Traefik configuration specific to ghost
  services.traefik.dynamicConfigOptions.http = {
    services.ghost.loadBalancer.servers = [
      {
        url = "http://localhost:3002/";
      }
    ];
    routers = {
      ghost = {
        rule = "Host(`m3ta.dev`) || Host(`www.m3ta.dev`)";
        tls = {
          certResolver = "godaddy";
        };
        service = "ghost";
        entrypoints = "websecure";
        middlewares = ["strip-www"];
      };
      ghost-old = {
        rule = "Host(`www.m3tam3re.com`)";
        tls = {
          certResolver = "godaddy";
        };
        service = "ghost";
        entrypoints = "websecure";
        middlewares = ["domain-redirect"];
      };
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/kestra.nix
+++ b/hosts/m3-atlas/services/containers/kestra.nix
@@ -0,0 +1,32 @@
 {config, ...}: {
  virtualisation.oci-containers.containers."kestra" = {
    image = "docker.io/kestra/kestra:latest";
    environmentFiles = [config.age.secrets.kestra-env.path];
    cmd = ["server" "standalone" "--config" "/etc/config/application.yaml"];
    ports = ["127.0.0.1:3018:8080"];
    user = "root";
    volumes = [
      "/var/run/docker.sock:/var/run/docker.sock"
      "${config.age.secrets.kestra-config.path}:/etc/config/application.yaml"
      "kestra_data:/app/storage"
      "/tmp/kestra-wd:/tmp/kestra-wd"
    ];
    extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.18" "--network=web"];
  };
  systemd.tmpfiles.rules = [
    "d /tmp/kestra-wd 0750 1000 1000 - -"
  ];
  # Traefik configuration specific to littlelink
  services.traefik.dynamicConfigOptions.http = {
    services.kestra.loadBalancer.servers = [{url = "http://localhost:3018/";}];
    routers.kestra = {
      rule = "Host(`k.m3ta.dev`)";
      tls = {certResolver = "godaddy";};
      service = "kestra";
      entrypoints = "websecure";
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/littlelink.nix
+++ b/hosts/m3-atlas/services/containers/littlelink.nix
@@ -0,0 +1,25 @@
 {config, ...}: {
  virtualisation.oci-containers.containers."littlelink_m3tam3re" = {
    image = "ghcr.io/techno-tim/littlelink-server";
    environmentFiles = [config.age.secrets.littlelink-m3tam3re.path];
    ports = ["127.0.0.1:3004:3000"];
    extraOptions = ["--ip=10.89.0.4" "--network=web"];
  };
  # Traefik configuration specific to littlelink
  services.traefik.dynamicConfigOptions.http = {
    services.littlelink-m3tam3re.loadBalancer.servers = [
      {
        url = "http://localhost:3004/";
      }
    ];
    routers.littlelink-m3tam3re = {
      rule = "Host(`links.m3tam3re.com`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "littlelink-m3tam3re";
      entrypoints = "websecure";
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/matomo.nix
+++ b/hosts/m3-atlas/services/containers/matomo.nix
@@ -0,0 +1,43 @@
 {
  virtualisation.oci-containers.containers."matomo" = {
    image = "docker.io/matomo:latest";
    ports = ["127.0.0.1:3011:80"];
    volumes = ["matomo_data:/var/www/html"];
    environment = {
      MATOMO_DATABASE_HOST = "mysql";
      MATOMO_DATABASE_USERNAME = "matomo";
      MATOMO_DATABASE_PASSWORD = "matomo";
      MATOMO_DATABASE_DBNAME = "matomo";
      MYSQL_DATABASE = "matomo";
      PHP_MEMORY_LIMIT = "2048M";
    };
    extraOptions = ["--add-host=mysql:10.89.0.1" "--ip=10.89.0.16" "--network=web"];
  };
  # Traefik configuration specific to ghost
  services.traefik.dynamicConfigOptions.http = {
    services.matomo.loadBalancer.servers = [
      {
        url = "http://localhost:3011/";
      }
    ];
    routers = {
      matomo-nemoti = {
        rule = "Host(`stats.nemoti.com`)";
        tls = {
          certResolver = "godaddy";
        };
        service = "matomo";
        entrypoints = "websecure";
      };
      matomo-m3tam3re = {
        rule = "Host(`stats.m3tam3re.com`)";
        tls = {
          certResolver = "godaddy";
        };
        service = "matomo";
        entrypoints = "websecure";
      };
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/n8n.nix
+++ b/hosts/m3-atlas/services/containers/n8n.nix
@@ -0,0 +1,27 @@
 {config, ...}: {
  virtualisation.oci-containers.containers."n8n" = {
    image = "docker.n8n.io/n8nio/n8n";
    environmentFiles = [config.age.secrets.n8n-env.path];
    ports = ["127.0.0.1:5678:5678"];
    volumes = ["n8n_data:/home/node/.n8n"];
    extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.14" "--network=web"];
  };
  # Traefik configuration specific to n8n
  services.traefik.dynamicConfigOptions.http = {
    services.n8n.loadBalancer.servers = [
      {
        url = "http://localhost:5678/";
      }
    ];
    routers.n8n = {
      rule = "Host(`wf.m3tam3re.com`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "n8n";
      entrypoints = "websecure";
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/netbird.nix
+++ b/hosts/m3-atlas/services/containers/netbird.nix
@@ -0,0 +1,244 @@
 {
  config,
  pkgs,
  ...
 }: let
  serviceName = "netbird";
  stunPort = config.m3ta.ports.get "netbird-stun";
  proxyTlsPort = config.m3ta.ports.get "netbird-proxy";
  metricsPort = config.m3ta.ports.get "netbird-metrics";
  healthPort = config.m3ta.ports.get "netbird-health";
  postgresPort = config.m3ta.ports.get "postgres";
  wireguardPort = config.m3ta.ports.get "wireguard";
  domain = "v.m3ta.dev";
  proxyDomain = "p.m3ta.dev";
  ipBase = "10.89.0";
  ipOffset = 50;
  dashboardIp = "${ipBase}.${toString ipOffset}";
  serverIp = "${ipBase}.${toString (ipOffset + 1)}";
  proxyIp = "${ipBase}.${toString (ipOffset + 2)}";
  # Database configuration
  dbName = "netbird";
  dbUser = "netbird";
  dbHost = "${ipBase}.1";
  # NetBird config as Nix attribute set
  netbirdConfig = {
    server = {
      listenAddress = ":80";
      exposedAddress = "https://${domain}:443";
      stunPorts = [stunPort];
      metricsPort = metricsPort;
      healthcheckAddress = ":${toString healthPort}";
      logLevel = "info";
      logFile = "console";
      dataDir = "/var/lib/netbird";
      auth = {
        issuer = "https://${domain}/oauth2";
        localAuthDisabled = true;
        signKeyRefreshEnabled = true;
        dashboardRedirectURIs = [
          "https://${domain}/nb-auth"
          "https://${domain}/nb-silent-auth"
        ];
        cliRedirectURIs = ["http://localhost:53000/"];
      };
      reverseProxy = {
        trustedHTTPProxies = ["${ipBase}.1/32"];
      };
      # Proxy feature
      proxy = {
        enabled = true;
        domain = proxyDomain;
      };
      store = {
        engine = "postgres";
        postgres = {
          host = dbHost;
          port = postgresPort;
          database = dbName;
          username = dbUser;
        };
      };
    };
  };
  # Generate YAML from Nix attribute set
  yamlFormat = pkgs.formats.yaml {};
  configYamlBase = yamlFormat.generate "netbird-config-base.yaml" netbirdConfig;
  # Script that injects secrets at runtime
  configGenScript = pkgs.writeShellScript "netbird-gen-config" ''
    set -euo pipefail
    AUTH_SECRET=$(cat "$1")
    DB_PASSWORD=$(cat "$2")
    ENCRYPTION_KEY=$(cat "$3")
    ${pkgs.yq-go}/bin/yq eval "
      .server.authSecret = \"$AUTH_SECRET\" |
      .server.store.encryptionKey = \"$ENCRYPTION_KEY\" |
      .server.store.postgres.password = \"$DB_PASSWORD\"
    " ${configYamlBase}
  '';
 in {
  age.secrets."${serviceName}-auth-secret".file = ../../../../secrets/${serviceName}-auth-secret.age;
  age.secrets."${serviceName}-db-password".file = ../../../../secrets/${serviceName}-db-password.age;
  age.secrets."${serviceName}-encryption-key".file = ../../../../secrets/${serviceName}-encryption-key.age;
  age.secrets."${serviceName}-dashboard-env".file = ../../../../secrets/${serviceName}-dashboard-env.age;
  age.secrets."${serviceName}-server-env".file = ../../../../secrets/${serviceName}-server-env.age;
  age.secrets."${serviceName}-proxy-env".file = ../../../../secrets/${serviceName}-proxy-env.age;
  # Oneshot systemd service that generates the config with injected secrets
  systemd.services."${serviceName}-config" = {
    description = "Generate NetBird config with secrets";
    wantedBy = ["multi-user.target"];
    before = ["podman-${serviceName}-server.service"];
    requiredBy = ["podman-${serviceName}-server.service"];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = pkgs.writeShellScript "netbird-write-config" ''
        mkdir -p /var/lib/${serviceName}
        ${configGenScript} \
          ${config.age.secrets."${serviceName}-auth-secret".path} \
          ${config.age.secrets."${serviceName}-db-password".path} \
          ${config.age.secrets."${serviceName}-encryption-key".path} \
          > /var/lib/${serviceName}/config.yaml
        chmod 600 /var/lib/${serviceName}/config.yaml
      '';
    };
  };
  virtualisation.oci-containers.containers = {
    "${serviceName}-dashboard" = {
      image = "netbirdio/dashboard:latest";
      autoStart = true;
      environmentFiles = [config.age.secrets."${serviceName}-dashboard-env".path];
      extraOptions = [
        "--ip=${dashboardIp}"
        "--network=web"
      ];
    };
    "${serviceName}-server" = {
      image = "netbirdio/netbird-server:latest";
      autoStart = true;
      ports = ["${toString stunPort}:${toString stunPort}/udp"];
      environmentFiles = [config.age.secrets."${serviceName}-server-env".path];
      volumes = [
        "${serviceName}_data:/var/lib/netbird"
        "/var/lib/${serviceName}/config.yaml:/etc/netbird/config.yaml:ro"
      ];
      cmd = ["--config" "/etc/netbird/config.yaml"];
      extraOptions = [
        "--ip=${serverIp}"
        "--network=web"
      ];
    };
    "${serviceName}-proxy" = {
      image = "netbirdio/reverse-proxy:latest";
      autoStart = true;
      ports = ["${toString wireguardPort}:${toString wireguardPort}/udp"];
      volumes = [
        "${serviceName}_proxy_certs:/certs"
      ];
      environmentFiles = [config.age.secrets."${serviceName}-proxy-env".path];
      cmd = [
        "--domain=${proxyDomain}"
        "--mgmt=https://${domain}:443"
        "--addr=:${toString proxyTlsPort}"
        "--cert-dir=/certs"
        "--acme-certs"
        "--trusted-proxies=${ipBase}.1/32"
      ];
      dependsOn = ["${serviceName}-server"];
      extraOptions = [
        "--ip=${proxyIp}"
        "--network=web"
      ];
    };
  };
  services.traefik.dynamicConfigOptions = {
    # HTTP services and routers
    http = {
      services = {
        "${serviceName}-dashboard".loadBalancer.servers = [
          {url = "http://${dashboardIp}:80/";}
        ];
        "${serviceName}-server".loadBalancer.servers = [
          {url = "http://${serverIp}:80/";}
        ];
        "${serviceName}-server-h2c".loadBalancer.servers = [
          {url = "h2c://${serverIp}:80";}
        ];
      };
      routers = {
        # gRPC (Signal + Management)
        "${serviceName}-grpc" = {
          rule = "Host(`${domain}`) && (PathPrefix(`/signalexchange.SignalExchange/`) || PathPrefix(`/management.ManagementService/`) || PathPrefix(`/management.ProxyService/`))";
          entrypoints = "websecure";
          tls.certResolver = "godaddy";
          service = "${serviceName}-server-h2c";
          priority = 100;
        };
        # Backend (relay, WebSocket, API, OAuth2)
        "${serviceName}-backend" = {
          rule = "Host(`${domain}`) && (PathPrefix(`/relay`) || PathPrefix(`/ws-proxy/`) || PathPrefix(`/api`) || PathPrefix(`/oauth2`))";
          entrypoints = "websecure";
          tls.certResolver = "godaddy";
          service = "${serviceName}-server";
          priority = 100;
        };
        # Dashboard (catch-all, lowest priority)
        "${serviceName}-dashboard" = {
          rule = "Host(`${domain}`)";
          entrypoints = "websecure";
          tls.certResolver = "godaddy";
          service = "${serviceName}-dashboard";
          priority = 1;
        };
      };
    };
    # TCP for proxy TLS passthrough
    tcp = {
      services."${serviceName}-proxy-tls".loadBalancer.servers = [
        {address = "${proxyIp}:${toString proxyTlsPort}";}
      ];
      routers."${serviceName}-proxy-passthrough" = {
        entryPoints = ["websecure"];
        rule = "HostSNI(`*`)";
        service = "${serviceName}-proxy-tls";
        priority = 1;
        tls.passthrough = true;
      };
    };
    # ServersTransport for Proxy Protocol v2 (optional)
    serversTransports."pp-v2" = {
      proxyProtocol.version = 2;
    };
  };
  networking.firewall.allowedUDPPorts = [
    stunPort # STUN
    wireguardPort # WireGuard for proxy
  ];
 }
--- a/hosts/m3-atlas/services/containers/restreamer.nix
+++ b/hosts/m3-atlas/services/containers/restreamer.nix
@@ -0,0 +1,75 @@
 {config, ...}: {
  virtualisation.oci-containers.containers."restreamer" = {
    image = "docker.io/datarhei/restreamer:latest";
    environmentFiles = [config.age.secrets.restreamer-env.path];
    # Modified ports to include RTMPS
    ports = [
      "127.0.0.1:${toString (config.m3ta.ports.get "restreamer")}:8080" # Web UI
      "127.0.0.1:1936:1935" # RTMP
    ];
    volumes = [
      "restreamer_data:/core/data"
      "restreamer_config:/core/config"
    ];
    extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.13" "--network=web"];
  };
  # Traefik configuration
  services.traefik = {
    dynamicConfigOptions = {
      http = {
        services.restreamer.loadBalancer.servers = [
          {
            url = "http://localhost:${toString (config.m3ta.ports.get "restreamer")}/";
          }
        ];
        routers.restreamer = {
          rule = "Host(`stream.m3ta.dev`)";
          tls = {
            certResolver = "godaddy";
          };
          service = "restreamer";
          entrypoints = ["websecure"];
        };
      };
      tcp = {
        services = {
          rtmp-service.loadBalancer.servers = [
            {
              address = "localhost:1936";
            }
          ];
          rtmps-service.loadBalancer.servers = [
            {
              address = "localhost:1936";
            }
          ];
        };
        routers = {
          rtmp = {
            rule = "HostSNI(`*`)"; # Changed to accept all SNI
            service = "rtmp-service";
            entryPoints = ["rtmp"];
          };
          rtmps = {
            rule = "HostSNI(`stream.m3tam3re.com`)";
            service = "rtmps-service";
            entryPoints = ["rtmps"];
            tls = {
              certResolver = "godaddy";
              passthrough = false;
            };
          };
        };
      };
    };
  };
  # Firewall configuration
  networking.firewall = {
    allowedTCPPorts = [1935 1945];
  };
 }
--- a/hosts/m3-atlas/services/containers/slash-nemoti.nix
+++ b/hosts/m3-atlas/services/containers/slash-nemoti.nix
@@ -0,0 +1,27 @@
 {
  virtualisation.oci-containers.containers."slash-nemoti" = {
    image = "docker.io/yourselfhosted/slash:latest";
    ports = ["127.0.0.1:3016:5231"];
    volumes = [
      "slash-nemoti_data:/var/opt/slash"
    ];
    extraOptions = ["--ip=10.89.0.17" "--network=web"];
  };
  # Traefik configuration specific to littlelink
  services.traefik.dynamicConfigOptions.http = {
    services.slash-nemoti.loadBalancer.servers = [
      {
        url = "http://localhost:3016/";
      }
    ];
    routers.slash-nemoti = {
      rule = "Host(`l.nemoti.art`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "slash-nemoti";
      entrypoints = "websecure";
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/slash.nix
+++ b/hosts/m3-atlas/services/containers/slash.nix
@@ -0,0 +1,27 @@
 {
  virtualisation.oci-containers.containers."slash" = {
    image = "docker.io/yourselfhosted/slash:latest";
    ports = ["127.0.0.1:3010:5231"];
    volumes = [
      "slash_data:/var/opt/slash"
    ];
    extraOptions = ["--ip=10.89.0.15" "--network=web"];
  };
  # Traefik configuration specific to littlelink
  services.traefik.dynamicConfigOptions.http = {
    services.slash.loadBalancer.servers = [
      {
        url = "http://localhost:3010/";
      }
    ];
    routers.slash = {
      rule = "Host(`l.m3ta.dev`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "slash";
      entrypoints = "websecure";
    };
  };
 }
--- a/hosts/m3-atlas/services/default.nix
+++ b/hosts/m3-atlas/services/default.nix
@@ -0,0 +1,18 @@
 {
  imports = [
    ./tuwunel.nix
    ./containers
    ./gitea.nix
    ./gitea-actions-runner.nix
    ./rustfs.nix
    ./mysql.nix
    ./netbird.nix
    ./n8n.nix
    ./paperless.nix
    ./postgres.nix
    ./searx.nix
    ./traefik.nix
    ./vaultwarden.nix
    ./wastebin.nix
  ];
 }
--- a/hosts/m3-atlas/services/gitea-actions-runner.nix
+++ b/hosts/m3-atlas/services/gitea-actions-runner.nix
@@ -0,0 +1,57 @@
 {
  config,
  pkgs,
  ...
 }: {
  services.gitea-actions-runner = {
    instances.default = {
      enable = true;
      name = "${config.networking.hostName}-runner";
      url = "https://code.m3ta.dev";
      tokenFile = config.age.secrets.gitea-runner-token.path;
      # nixos:host is primary, ubuntu is fallback
      labels = [
        "nixos:host"
      ];
      # Host execution packages
      hostPackages = with pkgs; [
        bash
        curl
        coreutils
        git
        jq
        nix
        nix-update
        nodejs
        # Add any other tools you need for nix-update workflows
      ];
      # Advanced settings
      settings = {
        runner = {
          capacity = 4; # One job at a time (increase if you have resources)
          timeout = "4h"; # Nix builds can take a while
        };
        cache = {enabled = true;};
        container = {
          enable_ipv6 = true;
          privileged = false;
        };
      };
    };
  };
  # User management (auto-created by module, but ensuring proper setup)
  users.users.gitea-runner = {
    home = "/var/lib/gitea-runner";
    group = "gitea-runner";
    isSystemUser = true;
    createHome = true;
  };
  users.groups.gitea-runner = {};
  # Firewall: Allow Podman bridge networks for cache actions
  networking.firewall.trustedInterfaces = ["br-+"];
 }
--- a/hosts/m3-atlas/services/gitea.nix
+++ b/hosts/m3-atlas/services/gitea.nix
@@ -0,0 +1,46 @@
 {config, ...}: {
  services.gitea = {
    enable = true;
    settings = {
      server = {
        ROOT_URL = "https://code.m3ta.dev";
        HTTP_PORT = config.m3ta.ports.get "gitea";
      };
      mailer.SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
      service.DISABLE_REGISTRATION = true;
    };
    lfs.enable = true;
    dump = {
      enable = true;
      type = "tar.gz";
      interval = "03:30:00";
      backupDir = "/var/backup/gitea";
    };
  };
  # Traefik configuration specific to gitea
  services.traefik.dynamicConfigOptions.http = {
    services.gitea.loadBalancer.servers = [
      {
        url = "http://localhost:${toString (config.m3ta.ports.get "gitea")}/";
      }
    ];
    routers.gitea = {
      rule = "Host(`code.m3ta.dev`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "gitea";
      entrypoints = "websecure";
    };
    routers.gitea-old = {
      rule = "Host(`code.m3tam3re.com`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "gitea";
      entrypoints = "websecure";
      middlewares = ["subdomain-redirect"];
    };
  };
 }
--- a/hosts/m3-atlas/services/hermes-agent.nix
+++ b/hosts/m3-atlas/services/hermes-agent.nix
@@ -0,0 +1,191 @@
 {config, ...}: let
  # Default ElevenLabs voice: Bella (German-capable female)
  elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
 in {
  services.hermes-agent = {
    enable = true;
    addToSystemPackages = true;
    # Secrets via agenix
    environmentFiles = [config.age.secrets."hermes-env".path];
    # Non-secret environment variables
    environment = {
      #
    };
    # ── Container mode (podman) ──────────────────────────────────────────
    container = {
      enable = true;
      backend = "podman";
    };
    settings = {
      # ── Model ──────────────────────────────────────────────────────────
      model = {
        default = "glm-5.1";
        provider = "zai";
        base_url = "https://api.z.ai/api/coding/paas/v4/";
      };
      credential_pool_strategies = {
        zai = "fill_first";
      };
      toolsets = ["all"];
      # ── Agent ──────────────────────────────────────────────────────────
      agent = {
        max_turns = 90;
        gateway_timeout = 1800;
        tool_use_enforcement = "auto";
      };
      # ── Terminal ───────────────────────────────────────────────────────
      terminal = {
        backend = "local";
        modal_mode = "auto";
        cwd = ".";
        timeout = 180;
        persistent_shell = true;
      };
      # ── Browser ────────────────────────────────────────────────────────
      browser = {
        inactivity_timeout = 120;
        command_timeout = 30;
        cloud_provider = "local";
      };
      # ── Checkpoints / Compression ──────────────────────────────────────
      checkpoints = {
        enabled = true;
        max_snapshots = 50;
      };
      file_read_max_chars = 100000;
      compression = {
        enabled = true;
        threshold = 0.5;
        target_ratio = 0.2;
        protect_last_n = 20;
      };
      # ── Display ────────────────────────────────────────────────────────
      display = {
        compact = false;
        personality = "kawaii";
        resume_display = "full";
        busy_input_mode = "interrupt";
        inline_diffs = true;
        skin = "default";
        tool_progress = "all";
      };
      # ── TTS / STT / Voice ──────────────────────────────────────────────
      tts = {
        provider = "elevenlabs";
        elevenlabs = {
          voice_id = elevenlabsVoiceId;
          model_id = "eleven_multilingual_v2";
        };
      };
      stt = {
        enabled = true;
        provider = "local";
        local = {model = "base";};
      };
      voice = {
        record_key = "ctrl+b";
        max_recording_seconds = 120;
        silence_threshold = 200;
        silence_duration = 3.0;
      };
      # ── Memory ─────────────────────────────────────────────────────────
      memory = {
        memory_enabled = true;
        user_profile_enabled = true;
        memory_char_limit = 2200;
        user_char_limit = 1375;
      };
      # ── Delegation ─────────────────────────────────────────────────────
      delegation = {
        max_iterations = 50;
      };
      # ── Discord ────────────────────────────────────────────────────────
      discord = {
        require_mention = true;
        auto_thread = true;
        reactions = true;
      };
      # ── Approvals / Security ───────────────────────────────────────────
      approvals = {
        mode = "manual";
        timeout = 60;
      };
      security = {
        redact_secrets = true;
        tirith_enabled = true;
        tirith_fail_open = true;
      };
      # ── Cron / Session ─────────────────────────────────────────────────
      cron = {wrap_response = true;};
      session_reset = {
        mode = "both";
        idle_minutes = 1440;
        at_hour = 4;
      };
      # ── Web ────────────────────────────────────────────────────────────
      web = {backend = "exa";};
      # ── Platform Toolsets ──────────────────────────────────────────────
      platform_toolsets = {
        cli = [
          "browser"
          "clarify"
          "code_execution"
          "cronjob"
          "delegation"
          "file"
          "image_gen"
          "memory"
          "session_search"
          "skills"
          "terminal"
          "todo"
          "tts"
          "vision"
          "web"
        ];
        telegram = [
          "browser"
          "clarify"
          "code_execution"
          "cronjob"
          "delegation"
          "file"
          "image_gen"
          "memory"
          "session_search"
          "skills"
          "terminal"
          "todo"
          "tts"
          "vision"
          "web"
        ];
      };
    };
  };
 }
--- a/hosts/m3-atlas/services/mysql.nix
+++ b/hosts/m3-atlas/services/mysql.nix
@@ -0,0 +1,27 @@
 {pkgs, ...}: {
  services.mysql = {
    enable = true;
    package = pkgs.mysql84;
    ensureDatabases = [
      "ghost"
      "matomo"
    ];
    initialScript = pkgs.writeText "initial-script.sql" ''
      CREATE USER 'ghost'@'10.89.%' IDENTIFIED BY 'ghost';
      GRANT ALL PRIVILEGES ON ghost.* TO 'ghost'@'10.89.%';
      CREATE USER 'matomo'@'10.89.%' IDENTIFIED BY 'matomo';
      GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'10.89.%'; '';
  };
  services.mysqlBackup = {
    enable = true;
    calendar = "03:00:00";
    databases = ["ghost" "matomo"];
  };
  networking.firewall = {
    extraCommands = ''
      iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
      iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 3306 -j ACCEPT
    '';
  };
 }
--- a/hosts/m3-atlas/services/n8n.nix
+++ b/hosts/m3-atlas/services/n8n.nix
@@ -0,0 +1,34 @@
 {
  config,
  lib,
  ...
 }: {
  services.n8n = {
    enable = true;
    environment.WEBHOOK_URL = "https://wf.m3tam3re.com";
  };
  # Temporary fix for upstream module
  systemd.services.n8n.serviceConfig.LoadCredential = lib.mkForce [];
  systemd.services.n8n.environment.N8N_RUNNERS_AUTH_TOKEN_FILE = lib.mkForce null;
  systemd.services.n8n.serviceConfig = {
    EnvironmentFile = ["${config.age.secrets.n8n-env.path}"];
  };
  # Traefik configuration specific to n8n
  services.traefik.dynamicConfigOptions.http = {
    services.n8n.loadBalancer.servers = [
      {
        url = "http://localhost:5678/";
      }
    ];
    routers.n8n = {
      rule = "Host(`wf.m3ta.dev`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "n8n";
      entrypoints = "websecure";
    };
  };
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`

							`# Use bd merge for beads JSONL files`
							`.beads/issues.jsonl merge=beads`
		`@@ -0,0 +1 @@`
							`{"$schema":"https://opencode.ai/config.json","instructions":[".opencode-rules/concerns/coding-style.md",".opencode-rules/concerns/naming.md",".opencode-rules/concerns/documentation.md",".opencode-rules/concerns/testing.md",".opencode-rules/concerns/git-workflow.md",".opencode-rules/concerns/project-structure.md",".opencode-rules/languages/nix.md"]}`