sorry but this ones just lots of shit

bin/backup_browse.sh

@@ -54,7 +54,7 @@ fi
 export BORG_PASSPHRASE
 
 # --- DEFAULT REPO ---
-REPO="${1:-/holocron/backups}"
+REPO="${1:-/holocron/archives/servers/snowbelle}"
 
 # --- CHECK REQUIRED COMMANDS ---
 for cmd in borg fzf find tree cp mkdir; do

hosts/snowbelle/configuration.nix

@@ -22,12 +22,14 @@ in
     backups.repo = "/holocron/archives/servers/snowbelle";
     sops.enable = true;
     podman.enable = true;
+    yubikey.enable = true;
     syncthing.enable = true;
     tailscale.enable = true;
     nvidia.enable = true;
   };
   holocron = {
     copyparty.enable = true;
+    ensure_perms.enable = true;
     zfs.enable = true;
     smb.enable = true;
     nfs.enable = true;

modules/holocron/default.nix

@@ -11,6 +11,10 @@
     ./smb
     ./zfs
     ./copyparty
+    ./perms
   ];
 
+  # define the groups used for backups and archives
+  users.groups.archives = {gid = 727;};
+
 }

modules/holocron/perms/default.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  service = "ensure_perms";
+  cfg = config.holocron.${service};
+
+  # define variables for paths
+  archives_path = "/holocron/archives";
+  media_path = "/holocron/media";
+  users_path = "/holocron/users";
+in {
+  options.holocron.ensure_perms = {
+    enable = lib.mkEnableOption "enables perms ensurence script";
+  };
+
+  config = lib.mkIf cfg.enable {
+    # service to run periodically to reset the perms on all zpools
+    # everything works fine without this, just for peace of mind
+    # and to clean up the ownership from the arr stack in /holocron/media
+    systemd.services.${service} = {
+      description = "ensure file permissions for archives, media and user folders";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = pkgs.writeShellScript "ensure_perms" ''
+
+          # Fix ownership for archives directory
+          echo "starting ${archives_path}"
+          chown -Rc root:archives ${archives_path}
+          chmod -Rc 2770 ${archives_path}
+
+          # Fix ownership for media directory
+          echo "starting ${media_path}"
+          chown -Rc root:media ${media_path}
+          chmod -Rc 2770 ${media_path}
+
+          # Fix user directories
+          for user_dir in ${users_path}/*; do
+            if [ -d "$user_dir" ]; then
+              user=$(basename "$user_dir")
+              echo "starting $user_dir"
+              chown -Rc "$user:$user" "$user_dir"
+              chmod -Rc 700 "$user_dir"
+            fi
+          done
+          echo "fin"
+        '';
+      };
+    };
+
+    systemd.timers.${service} = {
+      description = "run script to ensure_perms daily";
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnCalendar = "03:30";
+        Persistent = true;
+      };
+    };
+  };
+}

modules/system/backups/default.nix

@@ -9,7 +9,7 @@ in a borg archive to the specified repo
 
       |     <3yy>    |
       V              V
-  modules.system.backups.baks = {
+  system.backups.baks = {
     ${service} = { paths = [ cfg.data_dir ]; };
   };
 */
@@ -46,12 +46,17 @@ in
 
   config = lib.mkIf (cfg.enable && cfg.baks != {}) {
     
+    systemd.tmpfiles.rules = [
+      "d /holocron/archives 2770 root archives - -"
+    ];
+
     systemd.services.backups = {
       description = "backup service with borg!";
       path = [ pkgs.borgbackup ];
       serviceConfig = {
         Type = "oneshot";
-#        EnvironmentFile = config.modules.system.backups.passphraseFile;
+        User = "root";
+        Group = "archives";   # make perms shake out
         # the actual script borg is using
         ExecStart = pkgs.writeShellScript "borg-backup" ''
           backup() {
@@ -59,7 +64,7 @@ in
             export BORG_PASSPHRASE="$(cat ${cfg.passwd_file})"
             export BORG_REPO="${cfg.repo}"
             timestamp="$(date +'%Y-%m-%d_%H:%M:%S')"
-            mode=${cfg.mode}
+            mode=split
 
             # init repo in needed
             if ! borg info "$BORG_REPO" >/dev/null 2>&1; then
@@ -80,7 +85,7 @@ in
                   echo "backing up: ${lib.concatStringsSep " " bak_paths.paths} → $archive"
                   borg create \
                     --verbose \
-                   # --filter AME \
+                    --filter AME \
                     --list \
                     --stats \
                     --show-rc \
@@ -142,7 +147,7 @@ in
       description = "daily borg backup timer";
       wantedBy = [ "timers.target" ];
       timerConfig = {
-        OnCalendar = "daily";
+        OnCalendar = "04:00";
         Persistent = true;
       };
     };

modules/system/default.nix

@@ -10,6 +10,7 @@
     ./sops
     ./docker
     ./podman
+    ./yubikey
     ./tailscale
     ./vpns
     ./vpn-confinement

modules/system/home-manager/default.nix

@@ -1,12 +0,0 @@
-{ inputs, pkgs, config, lib, ... }:
-{
-  home-manager."blake" = {
-    extraSpecialArgs = { inherit inputs; };
-    users = {
-      modules = [
-        ../../users/blake/home.nix;
-        inputs.self.outputs.homeManagerModules.default;
-      ];
-    };
-  };
-}

modules/system/nvidia/default.nix

@@ -1,18 +1,19 @@
-{ pkgs, config, lib, ... }:
-
-let
-  cfg = config.system.nvidia;
-in
 {
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.system.nvidia;
+in {
   options.system.nvidia = {
     enable = lib.mkEnableOption "enables nvidia";
   };
 
   config = lib.mkIf cfg.enable {
-
+    services.xserver.videoDrivers = ["nvidia"];
-    services.xserver.videoDrivers = [ "nvidia" ];
+    boot.kernelModules = ["nvidia" "nvidia_modeset" "nvidia_uvm" "nvidia_drm"];
-      boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" "nvidia_drm" ];
+    #      boot.kernelModules = [ "nvidia" ];
-#      boot.kernelModules = [ "nvidia" ];
 
     hardware.graphics = {
       enable = true;
@@ -21,8 +22,8 @@ in
 
     # enable nvidia proprietary driver
     hardware.nvidia = {
-      modesetting.enable = true;  # required
+      modesetting.enable = true; # required
-      open = false;   # use proprietary driver
+      open = false; # use proprietary driver
       nvidiaSettings = true; # no shit
       powerManagement.enable = false; # can cause sleep issues
       package = config.boot.kernelPackages.nvidiaPackages.stable;
@@ -32,6 +33,5 @@ in
     hardware.nvidia-container-toolkit.enable = true;
     virtualisation.docker.daemon.settings.features.cdi = true;
     virtualisation.docker.rootless.daemon.settings.features.cdi = true;
-
   };
 }

modules/system/podman/default.nix

@@ -1,17 +1,18 @@
-{ pkgs, config, lib, ... }:
-
-let
-  cfg = config.system.podman;
-in
 {
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.system.podman;
+in {
   options.system.podman = {
     enable = lib.mkEnableOption "enables podman";
   };
 
   config = lib.mkIf cfg.enable {
-
     # install the binary for compose
-    environment.systemPackages = with pkgs; [ podman-compose ];
+    environment.systemPackages = with pkgs; [podman-compose];
 
     virtualisation = {
       oci-containers.backend = "podman";

modules/system/sops/default.nix

@@ -1,10 +1,13 @@
-{ pkgs, config, lib, inputs, ... }:
-
-let
-  cfg = config.system.sops;
-in
 {
-  imports = [ inputs.sops-nix.nixosModules.sops ];
+  pkgs,
+  config,
+  lib,
+  inputs,
+  ...
+}: let
+  cfg = config.system.sops;
+in {
+  imports = [inputs.sops-nix.nixosModules.sops];
 
   options.system.sops = {
     enable = lib.mkEnableOption "enables sops";
@@ -15,11 +18,10 @@ in
     sops = {
       defaultSopsFile = ../../../secrets/secrets.yaml;
       defaultSopsFormat = "yaml";
-#      age.keyFile = "/home/blake/.config/sops/age/keys.txt";
       age.keyFile = "/etc/sops/keys.txt";
 
       secrets = {
-        "blake_passwd" =  { 
+        "blake_passwd" = {
           owner = "root";
           group = "root";
           neededForUsers = true;

modules/system/yubikey/default.nix

@@ -0,0 +1,61 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+/*
+# to enroll a yubikey (works like .ssh/known_hosts)
+nix-shell -p pam_u2f
+mkdir -p ~/.config/Yubico
+pamu2fcfg > ~/.config/Yubico/u2f_keys
+pamu2fcfg -n >> ~/.config/Yubico/u2f_keys (to add additional yubikeys)
+
+# to test auth with pam
+nix-shell -p pamtester
+pamtester login <username> authenticate
+pamtester sudo <username> authenticate
+*/
+let
+  service = "yubikey";
+  cfg = config.system.${service};
+  sec = config.sops.secrets;
+  homelab = config.homelab;
+in {
+  options.system.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+    mode = lib.mkOption {
+      type = lib.types.str;
+      default = "u2f";
+      description = "weather to run pam in u2f or challenge-response)";
+    };
+    lock_on_remove = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "enable automatic locking of device upon removal of yubikey";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.pam.services = lib.mkIf (cfg.mode == "u2f") {
+      login.u2fAuth = true;
+      sudo.u2fAuth = true;
+    };
+
+    security.pam.yubico = lib.mkIf (cfg.mode == "challenge-response") {
+      enable = true;
+      debug = true;
+      mode = "challenge-response";
+      id = ["<placeholder>"];
+    };
+
+    services.udev.extraRules = lib.mkIf (cfg.lock_on_remove == true) ''
+      ACTION=="remove",\
+       ENV{ID_BUS}=="usb",\
+       ENV{ID_MODEL_ID}=="0407",\
+       ENV{ID_VENDOR_ID}=="1050",\
+       ENV{ID_VENDOR}=="Yubico",\
+       RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+    '';
+  };
+}

secrets/secrets.yaml

@@ -1,5 +1,7 @@
 #ENC[AES256_GCM,data:b7E2U/jRfXEKulR/Pba0L4Aucy3MSUPj2BU=,iv:+KC+vfB2z2AIiPr5uIC4Pbfgc44GOs6SVRZW1v80hUE=,tag:kkn3UfJwdgxYERmfiMUmjw==,type:comment]
 blake_passwd: ENC[AES256_GCM,data:AfFql6/ghGhCDLOb4+QuAsDznz4hC4ilxZYCIH2sgBWX9tWXsUOgFw1k7CIhDoXIehz6YlTy0czekXPCqHL5gmIKRQTowU4svocw/Bl/Qz5CQ58RASB6YpnzOKTrwX7HCnu/ghpdMrcy2A==,iv:hMAkLcHjP0hiyCY4rhMU0Ae7jdYPa6MffEd2WGolbEo=,tag:p/6xmD8Te1RnFkp0zWw+ew==,type:str]
+#ENC[AES256_GCM,data:0HBVS2AYQ2VZXY4EbMLwiSjRNyWZ57bf,iv:20SLWXpbRTLk76g5mFrhg1Z9Qasv3NoSJbK/FOiIgtk=,tag:DbUffQwrDqzy2QO64uoUeg==,type:comment]
+klefki_auth_mapping: ENC[AES256_GCM,data:pvQEdxtj,iv:7IyAbt6yXfp2UBrZooRAT/9/E8c4+HCm5t+F5U2Lqzk=,tag:RcS/aWHSheMvLz3QhhCPxw==,type:str]
 #ENC[AES256_GCM,data:ZxHtUSuOy19M0EKoT5xltFiqRg==,iv:72PJL2eG68VC4wiJFo6wL0l7AaDIsge8l/D/ZlLOWWA=,tag:Q16ztObK2AnbCCS5mRgjtA==,type:comment]
 tailscale_authkey: ENC[AES256_GCM,data:SU0k3asrJd+WZ86VbC4w8TDJp+MqsbyagrzCfDcgTzO5yvBjpWAKbJ7A+VxgQvdu4+S2jMYbdrONPp3YbQ==,iv:VMYmGVk5GpUQApKKQYhdOw/cYCXrXxEZJJwHfQL4MjQ=,tag:7ruaoCDxuFQ7tE/JLJ37Xw==,type:str]
 #ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment]
@@ -45,7 +47,7 @@ sops:
             U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
             PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-16T05:02:49Z"
+    lastmodified: "2025-10-17T02:56:39Z"
-    mac: ENC[AES256_GCM,data:IU3J61qH0zCeSSrCdIdhrZ0IVl4F6AdhQ6enJl652PBNauqyNb+6ph+RnKbTVa6f1yDI1v75YHQmGgeZjOW7OWLH91rOwP0CsH59j1xeoLA1vWsUFNbEHnYowdcBb+tz4i6FMR2u4Nb5dLlOqKm2Xi3IT8ZPo1JDb7KB868jQ+4=,iv:yWxX1zFXG/FwnRoe3+7z9bAUu8qnM4M6w7KNfKHS3DQ=,tag:gmpZK3azAopujGlaBwnYnQ==,type:str]
+    mac: ENC[AES256_GCM,data:vs3SAec+USFLUkmsV3OBjVT5V5XwG/sqD2pMK5fDaUm0vTwk5nQsqNZz+uEG6DakG+xXJdyMfXTp2pBVPuuRkZhplIXtt1Pb2ExSqprmyN5O0jFGpNCMZq4pq6BqvM0fjdz6T3BXRhmJ3Z7e35/hn/8CJGYanNX5Ybb+0Ugx5Gg=,iv:PLw22dGgd3auwrSNvuD9Ur4+j9dNR1Of6w7dtQZLoYQ=,tag:u8OHCs6Xlrt+2sGK1NWQZA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

users/blake/default.nix

@@ -10,7 +10,7 @@
     users = {
       blake = {
         isNormalUser = true;
-        extraGroups = ["wheel" "networkmanager" "docker" "media" "podman" "minecraft"]; # Enable ‘sudo’ for the user.
+        extraGroups = ["wheel" "networkmanager" "docker" "media" "podman" "minecraft" "archives" ]; # Enable ‘sudo’ for the user.
         uid = 1000;
         shell = pkgs.zsh;
         group = "blake";
@@ -37,4 +37,17 @@
 
   nix.settings.trusted-users = ["blake"];
   programs.zsh.enable = true;
+
+
+  sops.secrets = {
+    "blake_passwd" =  { 
+      owner = "root";
+      group = "root";
+      neededForUsers = true;
+    };
+    "klefki_auth_map" =  { 
+      owner = "blake";
+      group = "blake";
+    };
+  };
 }

users/blake/dots/kitty/default.nix

@@ -0,0 +1,33 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  programs.kitty = {
+    enable = true;
+    enableZshIntegration = true;
+    enableGitIntegration = true;
+    #darwinLaunchOptions = [""];
+    settings = {
+      dynamic_background_opacity = "no";
+      confirm_os_window_close = "0";
+      shell_integration = "enabled";
+      cursor = "#d0d0d0";
+      cursor_shape = "beam";
+      cursor_beam_thickness = 2.5;
+      foreground = "#dddddd";
+      background = "#2F1730Q";
+      background_opacity = 0.9;
+      selection_foreground = "none";
+      selection_background = "none";
+      term = "xterm-256color";
+    };
+    #    font = {
+    #      package = ;
+    #      name = ;
+    #      size = 12;
+    #    };
+  };
+
+}

users/blake/dots/neovim/default.nix

@@ -4,183 +4,187 @@
   lib,
   inputs,
   ...
-}:
+}: let
-{
+  cfg = config.blake.nvf;
-  imports = [
+in {
-    inputs.nvf.homeManagerModules.default
+  options.blake.nvf = {
-  ];
+    enable = lib.mkEnableOption;
+  };
 
-  programs.nvf = {
+  config = lib.mkIf cfg.enable {
-    enable = true;
+    imports = [inputs.nvf.homeManagerModules.default];
-    settings = {
-      vim = {
-        globals = {
-          mapleader = " ";
-          maplocalleader = " ";
-        };
 
-        vimAlias = true;
+    programs.nvf = {
-
+      enable = true;
-        lsp.enable = true;
+      settings = {
-        statusline.lualine.enable = true;
+        vim = {
-        telescope.enable = true;
+          globals = {
-        autocomplete.nvim-cmp.enable = true;
+            mapleader = " ";
-        autopairs.nvim-autopairs.enable = true;
+            maplocalleader = " ";
-
-        keymaps = [
-          # visual line movement (insert mode)
-          {
-            key = "<Up>";
-            mode = [ "i" ];
-            action = "<C-o>gk";
-            desc = "Visual Line Up (Insert)";
-          }
-          {
-            key = "<Down>";
-            mode = [ "i" ];
-            action = "<C-o>gj";
-            desc = "Visual Line Down (Insert)";
-          }
-
-          # visual line movement (normal/visual)
-          {
-            key = "<Up>";
-            mode = [
-              "n"
-              "v"
-            ];
-            action = "g<Up>";
-            desc = "Visual Line Up";
-          }
-          {
-            key = "<Down>";
-            mode = [
-              "n"
-              "v"
-            ];
-            action = "g<Down>";
-            desc = "Visual Line Down";
-          }
-
-          # lsp
-          #{ key = "gd"; mode = [ "n" ]; action = "<cmd>lua vim.lsp.buf.definition()<CR>"; desc = "Go to definition"; }
-          #{ key = "K"; mode = [ "n" ]; action = "<cmd>lua vim.lsp.buf.hover()<CR>"; desc = "Hover info"; }
-          #{ key = "<leader>f"; mode = [ "n" ]; action = "<cmd>lua vim.lsp.buf.format({ async = true })<CR>"; desc = "Format buffer"; }
-
-          {
-            key = "gd";
-            mode = [ "n" ];
-            silent = true;
-            action = "<cmd>lua vim.lsp.buf.definition()<CR>";
-            desc = "Go to definition";
-          }
-          # Hover info
-          {
-            key = "K";
-            mode = [ "n" ];
-            silent = true;
-            action = "<cmd>lua vim.lsp.buf.hover()<CR>";
-            desc = "Hover info";
-          }
-          # Format buffer (Alejandra for Nix)
-          {
-            key = "<leader>F";
-            mode = [ "n" ];
-            silent = true;
-            action = "<cmd>lua vim.lsp.buf.format({ async = true })<CR>";
-            desc = "Format buffer";
-          }
-          # Code actions / quickfix
-          {
-            key = "<leader>a";
-            mode = [ "n" ];
-            silent = true;
-            action = "<cmd>lua vim.lsp.buf.code_action()<CR>";
-            desc = "Code action";
-          }
-          # Rename symbol
-          {
-            key = "<leader>r";
-            mode = [ "n" ];
-            silent = true;
-            action = "<cmd>lua vim.lsp.buf.rename()<CR>";
-            desc = "Rename symbol";
-          }
-          # Diagnostics
-          {
-            key = "<leader>e";
-            mode = [ "n" ];
-            silent = true;
-            action = "<cmd>lua vim.diagnostic.open_float()<CR>";
-            desc = "Show diagnostic";
-          }
-          {
-            key = "[d";
-            mode = [ "n" ];
-            silent = true;
-            action = "<cmd>lua vim.diagnostic.goto_prev()<CR>";
-            desc = "Previous diagnostic";
-          }
-          {
-            key = "]d";
-            mode = [ "n" ];
-            silent = true;
-            action = "<cmd>lua vim.diagnostic.goto_next()<CR>";
-            desc = "Next diagnostic";
-          }
-        ];
-
-        options = {
-          clipboard = "unnamedplus";
-
-          # line numbers
-          number = true;
-          numberwidth = 2;
-          relativenumber = true;
-
-          # tabs and indentation
-          tabstop = 2;
-          shiftwidth = 2;
-          softtabstop = -1;
-          expandtab = true;
-          smarttab = true;
-          autoindent = true;
-
-          # search
-          ignorecase = true;
-          smartcase = true;
-
-          # files and backups
-          backup = false;
-          writebackup = false;
-          undofile = true;
-          swapfile = true;
-
-          # wrapping
-          wrap = true;
-          linebreak = true;
-          breakindent = true;
-
-          termguicolors = true;
-          autoread = true;
-        };
-
-        languages = {
-          enableTreesitter = true;
-
-          nix = {
-            enable = true;
-            format = {
-              enable = true;
-              type = "alejandra";
-              #type = "nixfmt";
-            };
           };
 
-          markdown.enable = true;
+          vimAlias = true;
-          rust.enable = true;
-          lua.enable = true;
 
+          lsp.enable = true;
+          statusline.lualine.enable = true;
+          telescope.enable = true;
+          autocomplete.nvim-cmp.enable = true;
+          autopairs.nvim-autopairs.enable = true;
+
+          keymaps = [
+            # visual line movement (insert mode)
+            {
+              key = "<Up>";
+              mode = ["i"];
+              action = "<C-o>gk";
+              desc = "Visual Line Up (Insert)";
+            }
+            {
+              key = "<Down>";
+              mode = ["i"];
+              action = "<C-o>gj";
+              desc = "Visual Line Down (Insert)";
+            }
+
+            # visual line movement (normal/visual)
+            {
+              key = "<Up>";
+              mode = [
+                "n"
+                "v"
+              ];
+              action = "g<Up>";
+              desc = "Visual Line Up";
+            }
+            {
+              key = "<Down>";
+              mode = [
+                "n"
+                "v"
+              ];
+              action = "g<Down>";
+              desc = "Visual Line Down";
+            }
+
+            # lsp
+            #{ key = "gd"; mode = [ "n" ]; action = "<cmd>lua vim.lsp.buf.definition()<CR>"; desc = "Go to definition"; }
+            #{ key = "K"; mode = [ "n" ]; action = "<cmd>lua vim.lsp.buf.hover()<CR>"; desc = "Hover info"; }
+            #{ key = "<leader>f"; mode = [ "n" ]; action = "<cmd>lua vim.lsp.buf.format({ async = true })<CR>"; desc = "Format buffer"; }
+
+            {
+              key = "gd";
+              mode = ["n"];
+              silent = true;
+              action = "<cmd>lua vim.lsp.buf.definition()<CR>";
+              desc = "Go to definition";
+            }
+            # Hover info
+            {
+              key = "K";
+              mode = ["n"];
+              silent = true;
+              action = "<cmd>lua vim.lsp.buf.hover()<CR>";
+              desc = "Hover info";
+            }
+            # Format buffer (Alejandra for Nix)
+            {
+              key = "<leader>F";
+              mode = ["n"];
+              silent = true;
+              action = "<cmd>lua vim.lsp.buf.format({ async = true })<CR>";
+              desc = "Format buffer";
+            }
+            # Code actions / quickfix
+            {
+              key = "<leader>a";
+              mode = ["n"];
+              silent = true;
+              action = "<cmd>lua vim.lsp.buf.code_action()<CR>";
+              desc = "Code action";
+            }
+            # Rename symbol
+            {
+              key = "<leader>r";
+              mode = ["n"];
+              silent = true;
+              action = "<cmd>lua vim.lsp.buf.rename()<CR>";
+              desc = "Rename symbol";
+            }
+            # Diagnostics
+            {
+              key = "<leader>e";
+              mode = ["n"];
+              silent = true;
+              action = "<cmd>lua vim.diagnostic.open_float()<CR>";
+              desc = "Show diagnostic";
+            }
+            {
+              key = "[d";
+              mode = ["n"];
+              silent = true;
+              action = "<cmd>lua vim.diagnostic.goto_prev()<CR>";
+              desc = "Previous diagnostic";
+            }
+            {
+              key = "]d";
+              mode = ["n"];
+              silent = true;
+              action = "<cmd>lua vim.diagnostic.goto_next()<CR>";
+              desc = "Next diagnostic";
+            }
+          ];
+
+          options = {
+            clipboard = "unnamedplus";
+
+            # line numbers
+            number = true;
+            numberwidth = 2;
+            relativenumber = true;
+
+            # tabs and indentation
+            tabstop = 2;
+            shiftwidth = 2;
+            softtabstop = -1;
+            expandtab = true;
+            smarttab = true;
+            autoindent = true;
+
+            # search
+            ignorecase = true;
+            smartcase = true;
+
+            # files and backups
+            backup = false;
+            writebackup = false;
+            undofile = true;
+            swapfile = true;
+
+            # wrapping
+            wrap = true;
+            linebreak = true;
+            breakindent = true;
+
+            termguicolors = true;
+            autoread = true;
+          };
+
+          languages = {
+            enableTreesitter = true;
+
+            nix = {
+              enable = true;
+              format = {
+                enable = true;
+                type = "alejandra";
+                #type = "nixfmt";
+              };
+            };
+
+            markdown.enable = true;
+            rust.enable = true;
+            lua.enable = true;
+          };
         };
       };
     };

users/blake/home.nix

@@ -4,8 +4,14 @@
   pkgs,
   inputs,
   ...
-}: {
+}: let
-  imports = [
+  
+  # general config
+  linux_home = {
+    username = "blake";
+    homeDirectory = "/home/blake";
+  };
+  linux_imports = [
     inputs.sops-nix.homeManagerModules.sops
     ./dots/neovim
     ./dots/lf
@@ -15,27 +21,43 @@
     ./dots/git
     ./dots/xdg
   ];
+  darwin_home = {
+    username = "blake";
+    homeDirectory = "/home/blake";
+  };
+  darwin_imports = [
+    inputs.sops-nix.homeManagerModules.sops
+    ./dots/neovim
+    ./dots/lf
+    ./dots/zsh
+    ./dots/ssh
+    ./dots/gpg
+    ./dots/git
+  ];
+in
+{
+  imports = if pkgs.system == "x86_64-darwin" then darwin_imports else linux_imports;
 
   # general config
-  home.username = "blake";
+  home = (if pkgs.system == "x86_64-darwin" then darwin_home else linux_home) // {
-  home.homeDirectory = "/home/blake";
+    # cross party general packages here : )
-  home.stateVersion = "25.05";
+    stateVersion = "25.05";
+    packages = with pkgs; [
+      ripgrep
+      btop
+      p7zip
+      imagemagick
+      sops
+      usbutils
+    ];
+  };
 
-  # general packages
+  # needed for macos, linux don't mind
-  home.packages = with pkgs; [
-    ripgrep
-    btop
-    p7zip
-    imagemagick
-    sops
-    usbutils
-  ];
-
-  # for macos
   programs.home-manager.enable = true;
 
+  # set up seperate key file just for me 
   sops = {
-    defaultSopsFile = ../../secrets/secrets.yaml;
+    defaultSopsFile = ./secrets/secrets.yaml;
     defaultSopsFormat = "yaml";
     age.keyFile = "/home/blake/.config/sops/age/keys.txt";
   };

users/blake/secrets/secrets.yaml

@@ -0,0 +1,27 @@
+#ENC[AES256_GCM,data:3JeFFtzO7nuVZmzPcLsP7h12BKbnyOb9/A==,iv:V6gzwAze1FVjmpf1dD8CqQpUpO9CqWfj+nHImXgz+Zw=,tag:iT6zE2X7DQmIT9d4Ds4XiA==,type:comment]
+blake_passwd: ENC[AES256_GCM,data:AfFql6/ghGhCDLOb4+QuAsDznz4hC4ilxZYCIH2sgBWX9tWXsUOgFw1k7CIhDoXIehz6YlTy0czekXPCqHL5gmIKRQTowU4svocw/Bl/Qz5CQ58RASB6YpnzOKTrwX7HCnu/ghpdMrcy2A==,iv:hMAkLcHjP0hiyCY4rhMU0Ae7jdYPa6MffEd2WGolbEo=,tag:p/6xmD8Te1RnFkp0zWw+ew==,type:str]
+#ENC[AES256_GCM,data:0HBVS2AYQ2VZXY4EbMLwiSjRNyWZ57bf,iv:20SLWXpbRTLk76g5mFrhg1Z9Qasv3NoSJbK/FOiIgtk=,tag:DbUffQwrDqzy2QO64uoUeg==,type:comment]
+klefki_auth_map: ENC[AES256_GCM,data:eQ==,iv:DwWh1mhnM4EcYW3XtryDJSq1kIGwDKgekN8+FQqDhoE=,tag:oMCQkNDnIYJZeNZxrRGB5w==,type:str]
+#ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment]
+borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str]
+#ENC[AES256_GCM,data:ozhgyE+IyqR10KT8vI9x,iv:+ZOTucRlCZRQ9ZbxZgySPMOJ/qU4gXbhSyLAMgt4QMs=,tag:mQ3X+dqCet1Yk1gZ5pZ5gw==,type:comment]
+id_snowbelle.pub: ENC[AES256_GCM,data:q4sOB8/SpcD36uE/+8OlE+vUZ1bO2RTDeVyyWK/PH89DTFBIfyAfyAzIJuw/Q9S8fNEGn4PqrNtP90wIPj85VQ7AlJzS2xSonp3D+ZHqUzLO1hN2ePnmme46KhVSJR3i,iv:T1CUXPUtwUqpivpitRSx4/lYoRleX65vrf6IOJQFXYg=,tag:eQP+jFWGZzambEwNvIx+HQ==,type:str]
+#ENC[AES256_GCM,data:7V0L0832xewUXU8/Bq469w==,iv:9bCzEpUcNx6qnCMomFweXgYmWwSMzdffDikjA22xu6E=,tag:F4S80e/EPXA0tS20KFRbXw==,type:comment]
+id_snowbelle: ENC[AES256_GCM,data:MAw5R2fqVIctN7fB/d3hfCU7W3sxvuy2O3w3n0vD8FxK1DAhqoROlVv04joV1a+U1hof57TYc1cN2ng9BRWxadc8ZIpWakokZYVI0dUG05/hPMyxctWPkOiDd5909aaNUFC2G+Y/VrgAemyrB+AlQgokV0U3fiz+qjg055fzO7ypaeM8okON6rBnigfwetmSm60MxpdYrVlxVaniDVvKKUYZjpHU8SZ+TYj6Jmm/bVuKWOJ2DXZbmM0CeKeIgnA9HML1wSXojMv2IMGulxq5mmdaiiJTPoL1q17OA5zZkkVW3Dx1y6SbEeBAQTPG32RHseAxXK6qdU6lftRQZKyivuyjdCVfBBw/VzqTxbWjSXXsjDdK/Ti09051w6znA1uvRX65XsOq6zPKt4BNwR+yMDF+xR9AElBTHES/TDf7TRc5YDyovlH2PhGNg12Coy3zfb6WESLyaz3/GYZxF0IjvBnDkN65CRjstut0CgKXcWY8x+CuKVysU+U4c0A2ucDnsf3HuITrdIufhAwRNNZMka7LWVsaaR/tnvcf,iv:agf/LEjohw1XAXsOJJ78kiBVJnTT95IUmWzYUujSlJI=,tag:a55o9L85a9Z7gG9s5BEfIw==,type:str]
+#ENC[AES256_GCM,data:ep/Z5O6RNFwTd0I5hvtk5DP9,iv:M7sclKcTR+IfCEsvz0lZaoZBRZlQsN/FhwuzFNXgVew=,tag:Ddo3Qf8tMBX9Amt7C9m5FA==,type:comment]
+klefki_pub.asc: ENC[AES256_GCM,data:lGfgwhgn2xCb1cNTo0nMP8R3KSDiEn0/k6neDE2dv1DynvXsHWmZSXED6VWBjY3uMU3YtcpXGCtxTU6EiaRKiGnhxslQlBiSypAnXHeh55DZJMJJ/JM7+BCtr33LY2lusF9/aAuKO9tbdpGmu63s5ItZ1/9zMoCJwBfpQZgY2HzZoBhjwqYu2wSkOOVAMjq+jXET7nASieOZXmpQq2uDepuEDa8MP7d6G6kV2KYJPdLYYaY4U2eppEr7ALhhJidYm3P38W47JuLyu/2raG0AY2uDtCQw9d16BcJO3au+T4B4mHzPg1/cPhQ2X4dHTTGHjRZ0sT95DrEYYmcwWVKHKyiuL8WPtQmF0QBfCOPczwJajJejB4DbxEW8U2kuhuoBWr7wZe4y/nbW2hB3pcMYYXc0EXen74IttiUrvksw+hbkLaZDCJgG91SOlWSwI12UlDrJJSzOYm+ODWqK+bKyqAafQTL9xh5heM3nQlR5G6/A/8UG+0q5ZDL+IxJwe+EffJNwrL1mn4Rc3qx068udMJC+qzmft7Ljey7mfoIiwepITpii1IA/CtuEqtpe4I5MUemQ60qAw/PoVbmD8zhOcnRHCBZtQ394I5vMo1qR2a4KeBICexx3IAjpeAQYI3+MAgo/bedqpklLYjbxpv37XwinoLj9ew4hKSjAB1wRRZlswmk+GD4XKlVo8eu88RCXYrsZ2oaOD4qxrtbc7+skGm+EqxL67nLW5n9bSC2u95bFJ1386teSFhsJL9w3EFiBlQRtm5tvee/ipmr6D2W7SyfCnSxImPC4TgTwkAXziQ3XtsUtGqj0Tv1HGayaAQpYzlJaPzf7h8oanH1VaA+AgRq+RY1OjLZGHEz37jSbqhWOiIWxwJ7qFaqGB90cHq3s07qcWrDl2wUawFLTXavZ0IF3gj9KnFSIzW3+ANvedUCXOjai+zOKmpxVFZ4Bi4W3Dcbl9B+qa0Ly0NIgldi7PmqEvL3V4FnJs6WnwdagyhXOzdlKVlrAgGluucgqBpBZZfpN6uB+tdkbrqzsdMbr+H9Hwk3RUxRzAK9k+J9WRgY7eMazH0najJ1PYh9/UZJf0DKWRi2vZTlWW+6ZruJWTohOKm+7MCgvMEttIpNQfvK6+cq7p3vwPe+pmq0DznNg4LO7Uu3cXKq3zHjl08KGE04KZyfoJuZPr+XrF91AywZ03HlT2SBBaZtFld1VapccgB5DqgE1JfFg+TS4is9a8G52Ad9yh/abUmLohsnUpGdYMaj/1FmhSLM7ldHeub8CmL2vKW4f/JTuqmOxq3X5RA+qw5f946ekUz9ZF8EyGvNwaRZ2p5m0MtXQG2IKp8Q61aBSpqbMwKzTW93VycEn7L5ZsoV5eYo0rC4PMawGkfgdNzBpq4NL5bNB82l6qHnWqU7jXh611/ZV4ueX2MLSB3cyhnaFxsH9bat1jGDtUl5umNWNtvN6rWBVsClmYfBLSUCEyftGPlxzAOy6vRHGxAdCNdoiTRGgZru3aYyW9l5XhYH1aZ+dOlTOwngaqqIb3kZoPzcc9xCeZ/I/N6iVuTUI69us8y3LVL6qKa6az5zTTgumoFB5kMugPtumS1U9hzhLtm9+hY6yZVgYredgAwVVIviMAqFFZztFkPiskcwIdrPhXzoXwfuBWDaq+dF9nykjw1F9U2gyDU0YhEOtSmdIWoIma3OmdOZ/h/JbWNrwUoAirmBmWIHQTmA5Ag==,iv:btQ5xmt/AA9vW1njJH4Inj6YmOBx6pGbHbsvCMbg7fI=,tag:DuQ4Wy9wX3mPQAVLLd6t1Q==,type:str]
+sops:
+    age:
+        - recipient: age14gfh682a7m7jfp3qrulql03x5rs7yedwmxwksxrrmgjsunstyuksqx93pz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1WkdJMnJ3Y3IvN3lkemJK
+            RjF0dmgzT2lDcENka3BlK1NQRTBuR1BtSmhnCmI2cnRWdVpIM2t5SWNMOWNWdG84
+            SWRtMkNOYWZWbXFZYjJEWnVYazljcmMKLS0tIEF3eThDQTRKbEI0VWFLc3BSRVlF
+            U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
+            PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-17T07:41:50Z"
+    mac: ENC[AES256_GCM,data:WHuD9FaBmAGWpCaL3LxE55Fb2BHXyGwrk7N1aKwL5oIwQYbJX+3VdhW3jkMvWqDGNzaPE0/eVmpqQgEujOaY3cj0tQDLmmJ8SR5MAn5IytVJiW/ppgqL+5Nyko9kxjtyMfHFmPNQj6ehRA/D5NS3cvqvCrV6ENDdIwI/LcuGP3A=,iv:WZo3bt0LoK/U6dx9e68+JprhrDT0+dsceDt5dcJhI5A=,tag:PJRS3aNCjsTgvDJtr0gj9A==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0