
89 Commits

Author SHA1 Message Date
1f4494d333 fix postfix hopefully 2026-01-28 15:09:47 -06:00
85255adb2c fix postfix hopefully 2026-01-28 14:10:10 -06:00
f251a6f5c7 fix postfix hopefully 2026-01-28 13:48:37 -06:00
1f84cf19c7 fix postfix hopefully 2026-01-28 12:28:14 -06:00
0e49c1b9ee add japanese fonts and input 2026-01-09 23:10:42 -06:00
3ff5251b15 add yveltal back to device list 2026-01-09 20:23:13 -06:00
007c66c007 device list on syncthing 2026-01-09 20:17:00 -06:00
d37a0ce652 updates for mew setup 2026-01-09 20:00:08 -06:00
5ab6c9e4c8 add anki 2026-01-09 19:46:02 -06:00
fccec4d504 add anki 2026-01-09 19:45:49 -06:00
8feda54866 updates for mew setup 2026-01-09 19:18:15 -06:00
7179e6f047 mew added 2026-01-09 18:50:18 -06:00
1da9d994de add new host 2026-01-09 18:02:44 -06:00
e213c64481 add key for ipad 2026-01-09 00:02:43 -06:00
49ac3c2bf5 add ipad to syncthing client 2026-01-08 16:32:21 -06:00
8acebb13cc add ipad to syncthing fixed 2026-01-08 16:28:56 -06:00
ff08538bae add ipad to syncthing 2026-01-08 16:26:40 -06:00
494ac6cf57 switch back to listen address 2025-12-30 13:53:50 -06:00
4cfddd2c7e updates 2025-12-30 13:30:18 -06:00
60509f93f0 fix proxys 2025-12-27 21:02:34 -06:00
96d8fd1129 bind dns to interfact rather then ip 2025-12-13 13:20:55 -06:00
39264279e0 add cobblemon to motd 2025-12-04 20:59:21 -06:00
07c9533255 fix ssh message 2025-12-04 20:32:30 -06:00
015f416169 finish cobblemon, add to glance 2025-12-04 20:30:00 -06:00
35d8c83423 fix postfix 2025-12-04 20:13:38 -06:00
b488af297a fixin cobblemon, and new version warning finally GOD 2025-12-04 20:10:35 -06:00
dbb5560793 fixin cobblemon 2025-12-04 20:01:52 -06:00
7bcfef3ccf enable cobblemon and modded mc in general 2025-12-04 19:57:06 -06:00
a1fd3b3af2 fix postfix 2025-12-04 19:44:13 -06:00
a45d9014dd 25.11 2025-12-04 19:39:07 -06:00
80451e9430 added cobblemon 2025-12-04 19:37:52 -06:00
df1a77f73e added cobblemon 2025-12-04 19:37:40 -06:00
6f51671dbb updates 2025-11-25 19:28:49 -06:00
a238d2b61c updates 2025-11-20 16:56:11 -06:00
62dd3f5d7c darwin updates 2025-11-17 15:43:55 -06:00
8b8dc8cde8 show casing shit 2025-11-17 15:37:38 -06:00
3047ff97b4 add wallpapers 2025-11-12 22:11:01 -06:00
1c963f5563 fin udiskie 2025-11-12 21:48:02 -06:00
c02f2853c1 add icons, didnt do anything lmao 2025-11-12 21:47:12 -06:00
d73a561b9d add udiskie for automount 2025-11-12 21:11:10 -06:00
7d97acfdfb add udiskie for automount 2025-11-12 21:10:22 -06:00
cfb55f980d fix zdot till stable update 2025-11-12 00:36:23 -06:00
1a67b02d7c make gpg work with yubi smartcard 2025-11-12 00:19:07 -06:00
0196b1d8b2 a whole lotta shit 2025-11-12 00:14:50 -06:00
d7a6a85841 add folder for new device 2025-11-11 22:04:48 -06:00
cc7aca0fce fix gitea 2025-11-11 20:17:13 -06:00
6b393c7e4f add default branch 2025-11-11 20:15:35 -06:00
c9bcda6043 fix relative path in dotdir 2025-11-11 19:29:37 -06:00
7ce43bf8e7 add cifs client side mounts 2025-11-11 19:28:22 -06:00
5a451bcaa1 add cifs client side mounts 2025-11-11 19:08:56 -06:00
b4bba876ae ssh temp fix for stable rn 2025-11-11 17:36:06 -06:00
005d0451f5 testing ssh 2025-11-11 17:33:52 -06:00
d20a1787c2 testing ssh 2025-11-11 17:25:42 -06:00
6bb1a13741 test id file 2025-11-11 17:15:27 -06:00
b21060e78d fix snowbelle specific home man config 2025-11-11 17:10:51 -06:00
8caa3b6fe7 ssh changes 2025-11-11 17:04:24 -06:00
6fb6dc7abb add blake ssh key 2025-11-11 16:50:42 -06:00
4a6eb5059c add blake ssh key 2025-11-11 16:49:10 -06:00
d92a192a7f random shit 2025-11-11 16:34:13 -06:00
51c3ae6d1e fin secureboot support 2025-11-11 16:29:31 -06:00
2ea0b96230 add secure boot support 2025-11-11 15:55:18 -06:00
f7ece5059d add secure boot support 2025-11-11 15:51:22 -06:00
b84a2d7628 change wallpaper back 2025-11-11 15:35:29 -06:00
b78a43d40a add fastfetch 2025-11-08 12:15:03 -06:00
f5ff1a6639 attempt to fix flatpaks not appearing in tofi 2025-11-07 20:54:57 -06:00
0534a04108 mime shit 2025-11-07 18:55:05 -06:00
4af26da42f add flatpaks with nix-flatpak, but like right this time 2025-11-07 18:38:37 -06:00
d014733441 add flatpaks with nix-flatpak 2025-11-07 18:22:05 -06:00
38c0191ad2 clean up gitea config from testing 2025-11-07 17:22:35 -06:00
2bbbd49a07 fix ssh config 2025-11-07 17:21:00 -06:00
38a22b5255 update ssh config 2025-11-07 17:17:01 -06:00
a787a7dfc5 fin gitea testing 2025-11-07 17:10:37 -06:00
4349ccb132 fix ssh, back to built in 2025-11-07 17:09:29 -06:00
96920b6b3d attempt to use systemssh 2025-11-07 16:35:13 -06:00
b97d7e4cb1 just add a second entry for local access 2025-11-07 16:23:01 -06:00
59927a4e3d testing local access 2025-11-07 16:21:06 -06:00
076653fd15 remove local url 2025-11-07 16:19:49 -06:00
63dcc450b6 change reverseproxy for gitea 2025-11-07 16:19:32 -06:00
c15704eb22 add local root url 2025-11-07 16:19:32 -06:00
85f7a2889c restructure slippi into gaming subdir 2025-11-07 15:35:58 -06:00
6bfea61ffe restructure slippi into gaming subdir 2025-11-07 15:35:45 -06:00
4e0cc2a322 hope this is the right binary lmao 2025-11-07 15:06:54 -06:00
7ef99c8dd1 add userspace tools and passwdless sudo 2025-11-07 15:05:42 -06:00
1655c0a867 add nh, a nix cli helper tool 2025-11-07 14:54:33 -06:00
724c63f9ff add shortcut to goto ~/.nix 2025-11-07 04:21:22 -06:00
5813db8160 rearrange common nix config, add optimising and garbage collecting 2025-11-07 04:18:09 -06:00
cdf8403991 restructure programs (yes again okay like shut up), reorg standard packages, add obs : ) 2025-11-07 03:54:32 -06:00
10488b90c9 adjust default packages 2025-11-07 03:38:03 -06:00
bcb1b88861 add motd alias 2025-11-07 03:13:49 -06:00
83 changed files with 2146 additions and 260 deletions


@@ -26,6 +26,8 @@ echo "files:"
git status --short git status --short
read -rp "commit message: " commit_msg read -rp "commit message: " commit_msg
echo "rebuilding nixos with flake.nix..." echo "rebuilding nixos with flake.nix..."
#if ! sudo nixos-rebuild switch --flake .#"$hostname" 2>&1 | tee "$logfile"; then
#if ! nh os switch 2>&1 | tee "$logfile"; then
if ! sudo nixos-rebuild switch --flake .#"$hostname" 2>&1 | tee "$logfile"; then if ! sudo nixos-rebuild switch --flake .#"$hostname" 2>&1 | tee "$logfile"; then
echo "rebuild failed; exited with no commit" echo "rebuild failed; exited with no commit"
exit 1 exit 1
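Review bot: The `if ! sudo nixos-rebuild switch … 2>&1 | tee "$logfile"` test sees the exit status of `tee`, not of the rebuild, unless `pipefail` is active, so a failed rebuild could fall through to the commit step. The top of the script is outside this hunk, so confirm it has `set -o pipefail` or add it before this pipeline. The first added comment line repeats the live command verbatim and can be dropped, leaving only the `nh os switch` alternative. The `if` body continues past the end of the hunk.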

903
flake.lock generated

File diff suppressed because it is too large Load Diff


@@ -4,14 +4,14 @@
{ {
description = "blakes nix config"; description = "blakes nix config";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-25.05"; nixpkgs.url = "nixpkgs/nixos-25.11";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
nix-darwin = { nix-darwin = {
url = "github:LnL7/nix-darwin"; url = "github:nix-darwin/nix-darwin/master";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-25.05"; url = "github:nix-community/home-manager/release-25.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
home-manager-unstable = { home-manager-unstable = {
@@ -19,6 +19,7 @@
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
nix-homebrew.url = "github:zhaofengli/nix-homebrew"; nix-homebrew.url = "github:zhaofengli/nix-homebrew";
nix-flatpak.url = "github:gmodena/nix-flatpak/?ref=latest";
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@@ -27,6 +28,14 @@
url = "github:nix-community/disko/latest"; url = "github:nix-community/disko/latest";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.3";
inputs.nixpkgs.follows = "nixpkgs";
};
watershot = {
url = "github:Kirottu/watershot";
inputs.nixpkgs.follows = "nixpkgs";
};
vpn-confinement = { vpn-confinement = {
url = "github:Maroka-chan/VPN-Confinement"; url = "github:Maroka-chan/VPN-Confinement";
}; };
@@ -35,7 +44,7 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
autoaspm = { autoaspm = {
url = "github:notthebee/AutoASPM"; url = "git+https://git.notthebe.ee/notthebee/AutoASPM.git";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
stylix = { stylix = {
@@ -78,9 +87,19 @@
specialArgs = {inherit inputs stable_pkgs unstable_pkgs;}; specialArgs = {inherit inputs stable_pkgs unstable_pkgs;};
modules = [ modules = [
./hosts/nixos/yveltal/configuration.nix ./hosts/nixos/yveltal/configuration.nix
./hosts/nixos/yveltal/disko.nix
inputs.home-manager-unstable.nixosModules.default
inputs.disko.nixosModules.disko
];
};
mew = nixpkgs-unstable.lib.nixosSystem {
system = systems.x86_64;
specialArgs = {inherit inputs stable_pkgs unstable_pkgs;};
modules = [
./hosts/nixos/mew/configuration.nix
./hosts/nixos/mew/disko.nix
inputs.home-manager-unstable.nixosModules.default inputs.home-manager-unstable.nixosModules.default
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
./hosts/nixos/yveltal/disko.nix
]; ];
}; };
vaniville = nixpkgs.lib.nixosSystem { vaniville = nixpkgs.lib.nixosSystem {
@@ -97,14 +116,15 @@
system = systems.darwin; system = systems.darwin;
specialArgs = {inherit inputs stable_pkgs unstable_pkgs nix-homebrew;}; specialArgs = {inherit inputs stable_pkgs unstable_pkgs nix-homebrew;};
modules = [ modules = [
./hosts/darwin/cen-it-07/configuration.nix #./hosts/darwin/cen-it-07/configuration.nix
inputs.home-manager.darwinModules.default inputs.home-manager.darwinModules.default
nix-homebrew.darwinModules.nix-homebrew nix-homebrew.darwinModules.nix-homebrew
{ {
nix-homebrew = { nix-homebrew = {
enable = true; # install homebrew enable = true; # install homebrew
enableRosetta = true; # install homebrew for rosetta as well enableRosetta = true; # install homebrew for rosetta as well
user = "blake"; # user owning homebrew prefix autoMigrate = true;
user = "bhelderman"; # user owning homebrew prefix
}; };
} }
]; ];
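Review bot: The `autoaspm` input now resolves to `git+https://git.notthebe.ee/notthebee/AutoASPM.git`, and the shared NixOS config on this page imports `inputs.autoaspm.nixosModules.default`, so one self-hosted git server becomes a source of module code evaluated into every host's system build. flake.lock still pins a revision and hash, but its diff is suppressed here, so the locked entries for this input and for the new moving refs (`nix-flatpak/?ref=latest`, `watershot` with no ref, `nix-darwin/master`) should be read on each `nix flake update` rather than accepted blind. `lanzaboote` is pinned to the tag `v0.4.3`, which is the pattern worth repeating for the others. A one-line comment on the `autoaspm` URL saying why the source moved would help the next reader judge it.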


@@ -5,47 +5,78 @@
inputs, inputs,
... ...
}: { }: {
imports = [ imports = [
inputs.autoaspm.nixosModules.default inputs.autoaspm.nixosModules.default
]; ];
# set timezone
time.timeZone = "America/Chicago";
nix = {
# garbage collect & remove builds older then 14 days
gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 14d";
persistent = true;
};
# optimise nix store, dedupe and such
optimise = {
automatic = true;
dates = [ "daily" ];
};
# the goats
settings = {
substituters = [
"https://cache.nixos.org"
];
trusted-public-keys = [
];
experimental-features = lib.mkDefault [
"nix-command"
"flakes"
];
};
};
# allow proprietary packages
nixpkgs = {
config = {
allowUnfree = true;
allowUnfreePredicate = _: true;
};
};
# power management
services.autoaspm.enable = true;
powerManagement.powertop.enable = true;
# things are better this way
users.defaultUserShell = pkgs.zsh;
# base system package install list # base system package install list
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget wget
curl curl
dig dig
nmap
rsync rsync
iperf3
jq
git git
age age
fzf
cifs-utils
neofetch
usbutils
pciutils
python3
vim vim
lf ncdu
btop btop
powertop powertop
dig iotop
cifs-utils
usbutils
pciutils
lm_sensors
]; ];
# set timezone # nice to have passwordless sudo
time.timeZone = "America/Chicago";
# allow proprietary packages
nixpkgs.config.allowUnfree = true;
# power management
services.autoaspm.enable = true;
powerManagement.powertop.enable = true;
# enable flakes
nix.settings.experimental-features = ["nix-command" "flakes"];
users.defaultUserShell = pkgs.zsh;
# passwordless rebuild
security.sudo = { security.sudo = {
extraRules = [ extraRules = [
{ {
@@ -67,6 +98,18 @@
command = "/run/current-system/sw/bin/tailscale"; command = "/run/current-system/sw/bin/tailscale";
options = ["NOPASSWD"]; options = ["NOPASSWD"];
} }
{
command = "/etc/profiles/per-user/blake/bin/nom";
options = ["NOPASSWD"];
}
{
command = "/etc/profiles/per-user/blake/bin/nom-build";
options = ["NOPASSWD"];
}
{
command = "/etc/profiles/per-user/blake/bin/nom-shell";
options = ["NOPASSWD"];
}
]; ];
} }
]; ];
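Review bot: The three added `NOPASSWD` entries for `nom`, `nom-build` and `nom-shell` are close to passwordless root for whoever the rule covers, because `nom-shell` is a drop-in for nix-shell and therefore hands out a root shell when run through sudo. If the aim is only a passwordless rebuild with nicer output, keep sudo on the rebuild command and run `nom` unprivileged on the piped log instead of listing it here. The rule's `users`/`groups` line is outside the hunk, so its scope could not be checked. Separately, `trusted-public-keys = [ ];` adds nothing as written, and `allowUnfreePredicate = _: true;` duplicates `allowUnfree = true;`.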


@@ -0,0 +1,70 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = ""; # disk id here
content = {
type = "gpt";
partitions = {
ESP = {
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
# disable settings.keyFile if you want to use interactive password entry
#passwordFile = "/tmp/secret.key"; # Interactive
settings = {
allowDiscards = true;
#keyFile = "/tmp/secret.key";
};
#additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"@root" = {
mountpoint = "/";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"@home" = {
mountpoint = "/home";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"@swap" = {
mountpoint = "/.swapvol";
swap.swapfile.size = "32G";
};
};
};
};
};
};
};
};
};
};
}
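Review bot: `allowDiscards = true` on the LUKS container passes TRIM through dm-crypt, which exposes which blocks of the encrypted device are unused; that is a common SSD trade-off, but it should be recorded next to the setting, e.g. `# TRIM passthrough: reveals free-block layout, accepted for SSD health`. `device = "";` makes this copy a template that cannot be applied as-is, so a header comment saying so would avoid a confusing failure at install time. The commented `keyFile`/`passwordFile` examples point at `/tmp/secret.key`; if they are ever enabled, the key should sit in a root-only location and be removed after install. The same layout and settings are committed again in `hosts/nixos/mew/disko.nix` further down the page.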


@@ -0,0 +1,113 @@
{
pkgs,
config,
lib,
modulesPath,
inputs,
stable_pkgs,
unstable_pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
(modulesPath + "/installer/scan/not-detected.nix")
#./hardware-configuration.nix
../../nixos
../../../users/blake
../../../modules/desktop
../../../modules/system
];
# home grown nixos modules
system = {
secure_boot.enable = false;
cifs_mounts.enable = true;
udiskie.enable = true;
ssh.enable = true;
sops.enable = true;
japanese.enable = true;
yubikey.enable = true;
yubikey.lock_on_remove = false;
tailscale.enable = true;
syncthing.enable = true;
flatpak.enable = true;
graphics = {
enable = true;
vendor = "amd";
};
};
desktop = {
pipewire.enable = true;
hypr.enable = true;
greetd.enable = true;
};
gaming = {
steam.enable = true;
lutris.enable = true;
proton_ge.enable = true;
gamemode.enable = true;
mangohud.enable = true;
};
# import home grown host specific home-manager modules
home-manager.users.blake.imports = [
../../../users/blake/hosts/yveltal.nix
];
# fix power buttons
# move this to a laptops file at some point
services.logind.settings.Login = {
HandlePowerKey = "suspend-then-hibernate";
HandleLidSwitch = "suspend-then-hibernate";
};
# sets the delay before hibernation for ^
systemd.sleep.extraConfig = ''
HibernateDelaySec=1800
'';
# boot (systemd is growing on me)
boot = {
kernelModules = [ "kvm-amd" ];
extraModulePackages = [];
loader = {
systemd-boot.enable = true; # systemd your pretty cool ya know
efi.canTouchEfiVariables = true;
};
initrd = {
systemd.enable = true; # better logging
availableKernelModules = ["xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" "ahci"];
kernelModules = [];
};
};
# setup hostname and networking stack
networking = {
hostName = "mew"; # hostname
useDHCP = lib.mkDefault true;
interfaces = {
wlp7s0.useDHCP = lib.mkDefault true;
};
firewall = {
enable = true;
allowedTCPPorts = [22];
allowedUDPPorts = [51820]; # wireguard
};
networkmanager = {
enable = true; # the goat
dns = "systemd-resolved"; # the backup dancer!
};
};
services.resolved = {
enable = true;
fallbackDns = ["1.1.1.1" "9.9.9.9"];
dnsovertls = "opportunistic";
};
hardware.bluetooth.enable = true;
system.stateVersion = "25.05"; # stays here : )
# hardware shit
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
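Review bot: `home-manager.users.blake.imports` points at `../../../users/blake/hosts/yveltal.nix` although `networking.hostName` is `mew`; if that is left over from copying the yveltal host rather than deliberate sharing, it should reference a mew-specific file. This host also ships with `secure_boot.enable = false` and `yubikey.lock_on_remove = false`, while the yveltal section on this page turns both on, so the boot chain in front of the LUKS volume is unverified here; a comment such as `# TODO: enrol secure boot keys, then enable` would show whether that is temporary. `dnsovertls = "opportunistic"` falls back to plaintext DNS when the TLS handshake fails, so it only protects against passive observers.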

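--- a/hosts/nixos/mew/disko.nix
+++ b/hosts/nixos/mew/disko.nix
@@ -0,0 +1,70 @@
+{
+disko.devices = {
+disk = {
+main = {
+type = "disk";
+device = "/dev/disk/by-id/nvme-MTFDHBA512TDV-1AZ1AABHA_UJUND0170FW7O0"; # disk id here
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+size = "1G";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" ];
+};
+};
+luks = {
+size = "100%";
+content = {
+type = "luks";
+name = "crypted";
+# disable settings.keyFile if you want to use interactive password entry
+#passwordFile = "/tmp/secret.key"; # Interactive
+settings = {
+allowDiscards = true;
+#keyFile = "/tmp/secret.key";
+};
+#additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+content = {
+type = "btrfs";
+extraArgs = [ "-f" ];
+subvolumes = {
+"@root" = {
+mountpoint = "/";
+mountOptions = [
+"compress=zstd"
+"noatime"
+];
+};
+"@home" = {
+mountpoint = "/home";
+mountOptions = [
+"compress=zstd"
+"noatime"
+];
+};
+"@nix" = {
+mountpoint = "/nix";
+mountOptions = [
+"compress=zstd"
+"noatime"
+];
+};
+"@swap" = {
+mountpoint = "/.swapvol";
+swap.swapfile.size = "32G";
+};
+};
+};
+};
+};
+};
+};
+};
+};
+};
+}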


@@ -14,11 +14,12 @@ in
../../../modules/holocron ../../../modules/holocron
../../../modules/homelab ../../../modules/homelab
../../../modules/gameservers/minecraft_recpro ../../../modules/gameservers/minecraft_recpro
../../../modules/gameservers/minecraft_modded
]; ];
# home-manager.users.blake.imports = [ home-manager.users.blake.imports = [
# ../../../users/blake/hosts/snowbelle.nix ../../../users/blake/hosts/snowbelle.nix
# ]; ];
system = { system = {
ssh.enable = true; ssh.enable = true;
@@ -66,6 +67,7 @@ in
}; };
gameservers = { gameservers = {
minecraft_recpro.enable = true; minecraft_recpro.enable = true;
minecraft_modded.enable = true;
}; };
# boot (systemd is going on me) # boot (systemd is going on me)


@@ -1,8 +1,15 @@
{ pkgs, config, lib, modulesPath, inputs, stable_pkgs, unstable_pkgs, ... }:
{ {
imports = pkgs,
[ # Include the results of the hardware scan. config,
lib,
modulesPath,
inputs,
stable_pkgs,
unstable_pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
#./hardware-configuration.nix #./hardware-configuration.nix
../../nixos ../../nixos
@@ -11,28 +18,28 @@
../../../modules/system ../../../modules/system
]; ];
home-manager.users.blake.imports = [ # home grown nixos modules
../../../users/blake/hosts/yveltal.nix
];
system = { system = {
secure_boot.enable = true;
cifs_mounts.enable = true;
udiskie.enable = true;
ssh.enable = true; ssh.enable = true;
sops.enable = true; sops.enable = true;
yubikey.enable = true; yubikey.enable = true;
yubikey.lock_on_remove = true;
tailscale.enable = true; tailscale.enable = true;
syncthing.enable = true; syncthing.enable = true;
flatpak.enable = true;
graphics = { graphics = {
enable = true; enable = true;
vendor = "intel"; vendor = "intel";
}; };
}; };
desktop = { desktop = {
pipewire.enable = true; pipewire.enable = true;
hypr.enable = true; hypr.enable = true;
greetd.enable = true; greetd.enable = true;
}; };
gaming = { gaming = {
steam.enable = true; steam.enable = true;
lutris.enable = true; lutris.enable = true;
@@ -41,7 +48,13 @@
mangohud.enable = true; mangohud.enable = true;
}; };
# import home grown host specific home-manager modules
home-manager.users.blake.imports = [
../../../users/blake/hosts/yveltal.nix
];
# fix power buttons # fix power buttons
# move this to a laptops file at some point
services.logind.settings.Login = { services.logind.settings.Login = {
HandlePowerKey = "suspend-then-hibernate"; HandlePowerKey = "suspend-then-hibernate";
HandleLidSwitch = "suspend-then-hibernate"; HandleLidSwitch = "suspend-then-hibernate";
@@ -67,39 +80,33 @@
}; };
# setup hostname and networking stack # setup hostname and networking stack
services.resolved = {
enable = true;
fallbackDns = [ "1.1.1.1" "9.9.9.9" ];
dnsovertls = "opportunistic";
};
networking = { networking = {
hostName = "yveltal"; # hostname hostName = "yveltal"; # hostname
useDHCP = lib.mkDefault true; useDHCP = lib.mkDefault true;
interfaces = { interfaces = {
wlp0s20f3.useDHCP = lib.mkDefault true; wlp0s20f3.useDHCP = lib.mkDefault true;
}; };
firewall = {
enable = true;
allowedTCPPorts = [22];
allowedUDPPorts = [51820]; # wireguard
};
networkmanager = { networkmanager = {
enable = true; # the goat enable = true; # the goat
dns = "systemd-resolved"; # the backup dancer! dns = "systemd-resolved"; # the backup dancer!
}; };
}; };
services.resolved = {
enable = true;
fallbackDns = ["1.1.1.1" "9.9.9.9"];
dnsovertls = "opportunistic";
};
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
22
];
networking.firewall.allowedUDPPorts = [ 51820 ];
# Or disable the firewall altogether.
networking.firewall.enable = true;
system.stateVersion = "25.05"; # stays here : ) system.stateVersion = "25.05"; # stays here : )
# hardware shit # hardware shit
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@@ -13,6 +13,7 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lutris lutris
wine
]; ];
}; };
} }


@@ -16,6 +16,7 @@ in {
gamescopeSession.enable = true; # requires setting launch option `gamescope <options> -- %command%` gamescopeSession.enable = true; # requires setting launch option `gamescope <options> -- %command%`
remotePlay.openFirewall = true; # open ports for remote play remotePlay.openFirewall = true; # open ports for remote play
#dedicatedServer.openFirewall = true; # open ports for source dedicated server #dedicatedServer.openFirewall = true; # open ports for source dedicated server
protontricks.enable = true;
}; };
}; };
} }


@@ -15,6 +15,8 @@ in {
programs.hyprland.enable = true; programs.hyprland.enable = true;
# give hyprlock perms to unlock # give hyprlock perms to unlock
security.pam.services.hyprlock = {}; security.pam.services.hyprlock = {
enable = true;
};
}; };
} }


@@ -0,0 +1,156 @@
{
pkgs,
config,
lib,
...
}: let
service = "minecraft_modded";
cfg = config.gameservers.${service};
sec = config.sops.secrets;
servers = {
cobblemon = {
data_dir = "/var/lib/gameservers/minecraft_modded/cobblemon";
start_file = "start.sh";
};
};
in {
options.gameservers.${service} = {
enable = lib.mkEnableOption "enables ${service}";
url = lib.mkOption {
type = lib.types.str;
default = "mc.recoil.pro";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/gameservers/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = 25565;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = false;
description = "enable backups for ${service}";
};
motd = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "velocity";
};
backup_repo = lib.mkOption {
type = lib.types.path;
default = "/holocron/archives/gameservers/minecraft/modded";
description = "path to take hourly backups to with borg!";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} user
users.users.minecraft = lib.mkDefault {
description = "minecraft server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
shell = pkgs.bash;
group = "minecraft";
extraGroups = [];
};
systemd.tmpfiles.rules =
lib.attrsets.mapAttrsToList (
name: cfg: "d ${cfg.data_dir} 0770 minecraft minecraft -"
)
servers;
# Create a systemd service per server running in tmux
systemd.services =
lib.attrsets.mapAttrs (name: srv: {
description = "minecraft_recpro: ${name}";
after = ["network.target"];
wants = ["network.target"];
serviceConfig = {
User = "minecraft";
Group = "minecraft";
WorkingDirectory = srv.data_dir;
UMask = "0007";
ExecStart = "${pkgs.openjdk21}/bin/java -Xms4G -Xmx12G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true @libraries/net/neoforged/neoforge/21.1.211/unix_args.txt";
#ExecStart = "${srv.data_dir}/${srv.start_file}";
Restart = "on-failure";
KillMode = "process";
};
wantedBy = ["multi-user.target"];
})
servers;
environment.systemPackages = with pkgs; [openjdk21 mcrcon];
# services.mysql = {
# enable = true;
# package = pkgs.mariadb;
# ensureDatabases = ["minecraft_recpro_db"];
# ensureUsers = [
# {
# name = "minecraft";
# ensurePermissions = {"minecraft_recpro_db.*" = "ALL PRIVILEGES";};
# }
# ];
# initialScript = pkgs.writeText "minecraft_recpro-init.sql" ''
# CREATE USER IF NOT EXISTS 'minecraft_recpro'@'localhost' IDENTIFIED BY 'IKNOWTHISISBADIJUSTNEEDTHISTOWORKRNPLS';
# GRANT ALL PRIVILEGES ON minecraft_recpro_db.* TO 'minecraft_recpro'@'localhost';
# FLUSH PRIVILEGES;
# '';
# };
# open firewall
networking.firewall.allowedTCPPorts = [25778];
# sops.secrets = {
# "velocity_forwarding" = {
# owner = "minecraft";
# group = "minecraft";
# path = "/var/lib/gameservers/minecraft_recpro/velocity/forwarding.secret";
# mode = "0400";
# };
# "minecraft_recpro_db_passwd" = {
# owner = "mysql";
# group = "mysql";
# };
# };
# backups minecraft_recpro with borg!
services.borgbackup.jobs.${service} = {
archiveBaseName = service;
repo = cfg.backup_repo;
paths = lib.flatten (
lib.attrValues (
lib.mapAttrs (_: srv:
[srv.data_dir]
++ (
if builtins.hasAttr "db_dump" srv
then [srv.db_dump]
else []
))
servers
)
);
compression = "auto,zstd";
#preHook = "systemctl start mysql-backup.service";
startAt = "*-*-* *:00:00";
group = "archives";
encryption.mode = "repokey-blake2";
encryption.passCommand = "cat ${config.sops.secrets."borg_passwd".path}";
extraArgs = ["--verbose" "--show-rc" "--umask" "0007"];
extraCreateArgs = ["--list" "--stats" "--filter" "AME"];
prune.keep = {
within = "1d"; # Keep all archives from the last day
hourly = 24;
daily = 7;
weekly = 12;
monthly = -1; # Keep at least one archive for each month
};
};
};
}
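Review bot: The per-server unit built in `systemd.services` runs a modded server, which loads third-party jars, behind the open TCP port 25778 with only `User`, `Group` and `UMask` set, so a misbehaving mod keeps the service account's full view of the host. Adding sandboxing directives to `serviceConfig` with write access limited to `srv.data_dir` would contain that; the sketch below is untested against the NeoForge launcher. The commented-out `initialScript` also carries a literal database password, and if that string is live in the minecraft_recpro module it should be rotated into sops and the dead block removed here. Smaller points: the unit `description` still says `minecraft_recpro`, and the borg job is created even though `cfg.backup` defaults to `false`.

```nix
serviceConfig = {
  # … unchanged: User, Group, WorkingDirectory, UMask, ExecStart, Restart, KillMode …
  NoNewPrivileges = true;
  PrivateTmp = true;
  ProtectHome = true;
  ProtectSystem = "strict";
  ReadWritePaths = [srv.data_dir];
};
```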


@@ -22,7 +22,7 @@ in {
dataDir = "/var/lib/syncthing"; dataDir = "/var/lib/syncthing";
guiAddress = "0.0.0.0:2222"; guiAddress = "0.0.0.0:2222";
openDefaultPorts = true; openDefaultPorts = true;
extraFlags = ["--no-default-folder"]; #extraFlags = ["--no-default-folder"];
key = sec."${service}/snowbelle/key".path; key = sec."${service}/snowbelle/key".path;
cert = sec."${service}/snowbelle/cert".path; cert = sec."${service}/snowbelle/cert".path;
settings = { settings = {
@@ -31,11 +31,12 @@ in {
"zygarde" = {id = "UYLTF52-VVKUR7F-JN33HQZ-RFNWGL3-JER52LA-GZD2LPJ-QIFEE7K-MNMZRQ5";}; "zygarde" = {id = "UYLTF52-VVKUR7F-JN33HQZ-RFNWGL3-JER52LA-GZD2LPJ-QIFEE7K-MNMZRQ5";};
"yveltal" = {id = "ZVSQ4WJ-7OICYOZ-3ECES4X-KH37IPB-TKHKUJG-BSEGXVM-AHYY5C3-VKG44AX";}; "yveltal" = {id = "ZVSQ4WJ-7OICYOZ-3ECES4X-KH37IPB-TKHKUJG-BSEGXVM-AHYY5C3-VKG44AX";};
"CEN-IT-07" = {id = "DPYKA4Z-3PX7JB2-FBEOXXX-SC7TLT2-QC5P2IR-SXOPJGX-QO3DMII-5B7UCA4";}; "CEN-IT-07" = {id = "DPYKA4Z-3PX7JB2-FBEOXXX-SC7TLT2-QC5P2IR-SXOPJGX-QO3DMII-5B7UCA4";};
"CEN-IT-00007" = {id = "XBPXGYU-DUJSLDH-6BDNF4D-CO2COC3-N3FM6W5-IHZOJBM-Z2N77RI-IVAV5AH";};
}; };
folders = { folders = {
"holocron" = { "holocron" = {
path = "/holocron/users/blake/holocron"; path = "/holocron/users/blake/holocron";
devices = ["lugia" "zygarde" "CEN-IT-07" "yveltal"]; devices = ["lugia" "zygarde" "CEN-IT-07" "CEN-IT-00007" "yveltal"];
id = "5voxg-c3he2"; id = "5voxg-c3he2";
versioning = { versioning = {
type = "staggered"; type = "staggered";
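Review bot: `guiAddress = "0.0.0.0:2222"` in the first hunk leaves the Syncthing admin GUI listening on every interface while this change adds another device to the `holocron` folder. Unless a GUI user and password are configured in a part of the file not shown, binding it to `127.0.0.1:2222` or an internal-only address would be safer. Commenting out `extraFlags = ["--no-default-folder"];` changes first-start behaviour with no explanation, so a short comment on why it was disabled would help. Both hunks start and end inside the `settings` block, so the rest of the service definition could not be checked.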


@@ -78,7 +78,7 @@ in
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} tls internal
reverse_proxy 127.0.0.1:${toString cfg.port} reverse_proxy 127.0.0.1:${toString cfg.port}
''; '';
}; };
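Review bot: Swapping the sops-provided certificate for `tls internal` makes Caddy sign this site with its own locally generated CA, so browsers and API clients will warn or refuse unless that root is installed on each device, and habitually clicking through the warning removes the protection TLS was giving. If these are LAN-only names, distribute Caddy's root certificate to the clients declaratively (on NixOS hosts via `security.pki.certificateFiles`) and add a comment stating why the real certificate was dropped. The same swap is repeated in the next four file sections (hunks at -74, -80, -86 and -83); only the last keeps the old `tls` line as a comment.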


@@ -74,7 +74,7 @@ in
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} tls internal
reverse_proxy 127.0.0.1:${toString cfg.port} reverse_proxy 127.0.0.1:${toString cfg.port}
''; '';
}; };


@@ -80,7 +80,7 @@ in
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} tls internal
reverse_proxy 127.0.0.1:${toString cfg.port} reverse_proxy 127.0.0.1:${toString cfg.port}
''; '';
}; };


@@ -86,7 +86,7 @@ in
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} tls internal
reverse_proxy 127.0.0.1:${toString cfg.port} reverse_proxy 127.0.0.1:${toString cfg.port}
''; '';
}; };


@@ -83,8 +83,9 @@ in
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
# tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
extraConfig = '' extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} tls internal
reverse_proxy 127.0.0.1:${toString cfg.port} reverse_proxy 127.0.0.1:${toString cfg.port}
''; '';
}; };


@@ -24,6 +24,7 @@ in {
enable = true; enable = true;
settings = { settings = {
listen-address = "10.10.0.10"; # your LAN IP listen-address = "10.10.0.10"; # your LAN IP
#interface = "enp89s0";
bind-interfaces = true; bind-interfaces = true;
address = "/snowbelle.lan/10.10.0.10"; address = "/snowbelle.lan/10.10.0.10";
server = [ # upstream dns server = [ # upstream dns


@@ -1,4 +1,4 @@
{ pkgs, config, lib, ... }: { pkgs, nixpkgs-unstable, config, lib, ... }:
let let
service = "gitea"; service = "gitea";
@@ -62,6 +62,10 @@ in
createHome = true; createHome = true;
group = service; group = service;
extraGroups = []; extraGroups = [];
# if you wanna attempt system ssh again
#openssh.authorizedKeys.keyFiles = [
# "${cfg.data_dir}/.ssh/authorized_keys"
#];
}; };
# declare the gitea service # declare the gitea service
@@ -73,16 +77,26 @@ in
appName = "gitea"; appName = "gitea";
settings = { settings = {
server = { server = {
# http config
ROOT_URL = "https://git.blakedheld.xyz"; ROOT_URL = "https://git.blakedheld.xyz";
DOMAIN = "git.blakedheld.xyz"; DOMAIN = "git.blakedheld.xyz";
HTTP_PORT = cfg.port; HTTP_PORT = cfg.port;
SSH_PORT = cfg.ssh_port; # local network config
START_SSH_SERVER = true; #LOCAL_ROOT_URL = "https://git.snowbelle.lan";
ENABLE_PUSH_CREATE_USER = true;
ALLOW_LOCALNETWORKS = true; ALLOW_LOCALNETWORKS = true;
ALLOWED_DOMAINS = "10.10.0.10"; ALLOWED_DOMAINS = "10.10.0.10";
SKIP_TLS_VERIFY = true; SKIP_TLS_VERIFY = true;
# configure for system ssh (trying to use the systms on nix sucks)
SSH_PORT = cfg.ssh_port;
START_SSH_SERVER = true;
# SSH_PORT = 22;
# START_SSH_SERVER = false;
# SSH_ROOT_PATH = "${cfg.data_dir}/.ssh";
# SSH_CREATE_AUTHORIZED_KEYS_FILE = true;
# actual git config
DEFAULT_BRANCH = "trunk";
ENABLE_PUSH_CREATE_USER = true;
DEFAULT_PUSH_CREATE_PRIVATE = true;
}; };
}; };
database = { database = {
@@ -99,8 +113,13 @@ in
networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ]; networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."git.${homelab.public_domain}" = {
extraConfig = ''
reverse_proxy localhost:${toString cfg.port} {
}
'';
};
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "git.${homelab.public_domain}" ];
extraConfig = '' extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy localhost:${toString cfg.port} { reverse_proxy localhost:${toString cfg.port} {
@@ -108,6 +127,7 @@ in
''; '';
}; };
# add to glance # add to glance
homelab.glance.links.services = [{ homelab.glance.links.services = [{
title = service; title = service;
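Review bot: In the `@@ -73,16 +77,26 @@` hunk, `DEFAULT_BRANCH`, `ENABLE_PUSH_CREATE_USER` and `DEFAULT_PUSH_CREATE_PRIVATE` are added inside `settings.server`, but as far as I know Gitea reads all three from the `[repository]` section, so under `[server]` they are silently ignored. That matters for the private-by-default visibility this hunk is trying to pin; move them to `settings.repository = { DEFAULT_BRANCH = "trunk"; ENABLE_PUSH_CREATE_USER = true; DEFAULT_PUSH_CREATE_PRIVATE = true; };`. The unchanged `ALLOW_LOCALNETWORKS`, `ALLOWED_DOMAINS` and `SKIP_TLS_VERIFY` lines look like `[migrations]`/`[webhook]` keys in the same situation. If `SKIP_TLS_VERIFY` is ever moved to where it takes effect, it needs a comment naming the peer whose certificate is not being checked.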


@@ -242,6 +242,13 @@ in
cache = "5s"; cache = "5s";
template = "<div style=\"display:flex; align-items:center; gap:12px;\">\n <div style=\"width:40px; height:40px; flex-shrink:0; border-radius:4px; display:flex; justify-content:center; align-items:center; overflow:hidden;\">\n {{ if .JSON.Bool \"online\" }}\n <img src=\"{{ .JSON.String \"icon\" | safeURL }}\" width=\"64\" height=\"64\" style=\"object-fit:contain;\">\n {{ else }}\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 20 20\" fill=\"currentColor\" style=\"width:32px; height:32px; opacity:0.5;\">\n <path fill-rule=\"evenodd\" d=\"M1 5.25A2.25 2.25 0 0 1 3.25 3h13.5A2.25 2.25 0 0 1 19 5.25v9.5A2.25 2.25 0 0 1 16.75 17H3.25A2.25 2.25 0 0 1 1 14.75v-9.5Zm1.5 5.81v3.69c0 .414.336.75.75.75h13.5a.75.75 0 0 0 .75-.75v-2.69l-2.22-2.219a.75.75 0 0 0-1.06 0l-1.91 1.909.47.47a.75.75 0 1 1-1.06 1.06L6.53 8.091a.75.75 0 0 0-1.06 0l-2.97 2.97ZM12 7a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\" clip-rule=\"evenodd\" />\n </svg>\n {{ end }}\n </div>\n\n <div style=\"flex-grow:1; min-width:0;\">\n <a class=\"size-h4 block text-truncate color-highlight\">\n {{ .JSON.String \"host\" }}\n {{ if .JSON.Bool \"online\" }}\n <span\n style=\"width: 8px; height: 8px; border-radius: 50%; background-color: var(--color-positive); display: inline-block; vertical-align: middle;\"\n data-popover-type=\"text\"\n data-popover-text=\"Online\"\n ></span>\n {{ else }}\n <span\n style=\"width: 8px; height: 8px; border-radius: 50%; background-color: var(--color-negative); display: inline-block; vertical-align: middle;\"\n data-popover-type=\"text\"\n data-popover-text=\"Offline\"\n ></span>\n {{ end }}\n </a>\n\n <ul class=\"list-horizontal-text\">\n <li>\n {{ if .JSON.Bool \"online\" }}\n <span>{{ .JSON.String \"version.name_clean\" }}</span>\n {{ else }}\n <span>Offline</span>\n {{ end }}\n </li>\n {{ if .JSON.Bool \"online\" }}\n <li data-popover-type=\"html\">\n <div data-popover-html>\n {{ range .JSON.Array \"players.list\" }}{{ .String \"name_clean\" }}<br>{{ end }}\n </div>\n <p 
style=\"display:inline-flex;align-items:center;\">\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" fill=\"currentColor\" class=\"size-6\" style=\"height:1em;vertical-align:middle;margin-right:0.5em;\">\n <path fill-rule=\"evenodd\" d=\"M7.5 6a4.5 4.5 0 1 1 9 0 4.5 4.5 0 0 1-9 0ZM3.751 20.105a8.25 8.25 0 0 1 16.498 0 .75.75 0 0 1-.437.695A18.683 18.683 0 0 1 12 22.5c-2.786 0-5.433-.608-7.812-1.7a.75.75 0 0 1-.437-.695Z\" clip-rule=\"evenodd\" />\n </svg>\n {{ .JSON.Int \"players.online\" | formatNumber }}/{{ .JSON.Int \"players.max\" | formatNumber }} players\n </p>\n </li>\n {{ else }}\n <li>\n <p style=\"display:inline-flex;align-items:center;\">\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" fill=\"currentColor\" class=\"size-6\" style=\"height:1em;vertical-align:middle;margin-right:0.5em;opacity:0.5;\">\n <path fill-rule=\"evenodd\" d=\"M7.5 6a4.5 4.5 0 1 1 9 0 4.5 4.5 0 0 1-9 0ZM3.751 20.105a8.25 8.25 0 0 1 16.498 0 .75.75 0 0 1-.437.695A18.683 18.683 0 0 1 12 22.5c-2.786 0-5.433-.608-7.812-1.7a.75.75 0 0 1-.437-.695Z\" clip-rule=\"evenodd\" />\n </svg>\n 0 players\n </p>\n </li>\n {{ end }}\n </ul>\n </div>\n</div>"; template = "<div style=\"display:flex; align-items:center; gap:12px;\">\n <div style=\"width:40px; height:40px; flex-shrink:0; border-radius:4px; display:flex; justify-content:center; align-items:center; overflow:hidden;\">\n {{ if .JSON.Bool \"online\" }}\n <img src=\"{{ .JSON.String \"icon\" | safeURL }}\" width=\"64\" height=\"64\" style=\"object-fit:contain;\">\n {{ else }}\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 20 20\" fill=\"currentColor\" style=\"width:32px; height:32px; opacity:0.5;\">\n <path fill-rule=\"evenodd\" d=\"M1 5.25A2.25 2.25 0 0 1 3.25 3h13.5A2.25 2.25 0 0 1 19 5.25v9.5A2.25 2.25 0 0 1 16.75 17H3.25A2.25 2.25 0 0 1 1 14.75v-9.5Zm1.5 5.81v3.69c0 .414.336.75.75.75h13.5a.75.75 0 0 0 .75-.75v-2.69l-2.22-2.219a.75.75 0 0 0-1.06 0l-1.91 1.909.47.47a.75.75 0 1 1-1.06 1.06L6.53 
8.091a.75.75 0 0 0-1.06 0l-2.97 2.97ZM12 7a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\" clip-rule=\"evenodd\" />\n </svg>\n {{ end }}\n </div>\n\n <div style=\"flex-grow:1; min-width:0;\">\n <a class=\"size-h4 block text-truncate color-highlight\">\n {{ .JSON.String \"host\" }}\n {{ if .JSON.Bool \"online\" }}\n <span\n style=\"width: 8px; height: 8px; border-radius: 50%; background-color: var(--color-positive); display: inline-block; vertical-align: middle;\"\n data-popover-type=\"text\"\n data-popover-text=\"Online\"\n ></span>\n {{ else }}\n <span\n style=\"width: 8px; height: 8px; border-radius: 50%; background-color: var(--color-negative); display: inline-block; vertical-align: middle;\"\n data-popover-type=\"text\"\n data-popover-text=\"Offline\"\n ></span>\n {{ end }}\n </a>\n\n <ul class=\"list-horizontal-text\">\n <li>\n {{ if .JSON.Bool \"online\" }}\n <span>{{ .JSON.String \"version.name_clean\" }}</span>\n {{ else }}\n <span>Offline</span>\n {{ end }}\n </li>\n {{ if .JSON.Bool \"online\" }}\n <li data-popover-type=\"html\">\n <div data-popover-html>\n {{ range .JSON.Array \"players.list\" }}{{ .String \"name_clean\" }}<br>{{ end }}\n </div>\n <p style=\"display:inline-flex;align-items:center;\">\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" fill=\"currentColor\" class=\"size-6\" style=\"height:1em;vertical-align:middle;margin-right:0.5em;\">\n <path fill-rule=\"evenodd\" d=\"M7.5 6a4.5 4.5 0 1 1 9 0 4.5 4.5 0 0 1-9 0ZM3.751 20.105a8.25 8.25 0 0 1 16.498 0 .75.75 0 0 1-.437.695A18.683 18.683 0 0 1 12 22.5c-2.786 0-5.433-.608-7.812-1.7a.75.75 0 0 1-.437-.695Z\" clip-rule=\"evenodd\" />\n </svg>\n {{ .JSON.Int \"players.online\" | formatNumber }}/{{ .JSON.Int \"players.max\" | formatNumber }} players\n </p>\n </li>\n {{ else }}\n <li>\n <p style=\"display:inline-flex;align-items:center;\">\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" fill=\"currentColor\" class=\"size-6\" 
style=\"height:1em;vertical-align:middle;margin-right:0.5em;opacity:0.5;\">\n <path fill-rule=\"evenodd\" d=\"M7.5 6a4.5 4.5 0 1 1 9 0 4.5 4.5 0 0 1-9 0ZM3.751 20.105a8.25 8.25 0 0 1 16.498 0 .75.75 0 0 1-.437.695A18.683 18.683 0 0 1 12 22.5c-2.786 0-5.433-.608-7.812-1.7a.75.75 0 0 1-.437-.695Z\" clip-rule=\"evenodd\" />\n </svg>\n 0 players\n </p>\n </li>\n {{ end }}\n </ul>\n </div>\n</div>";
} }
{
type = "custom-api";
title = "cobblemon";
url = "https://api.mcstatus.io/v2/status/java/cobblemon.recoil.pro";
cache = "5s";
template = "<div style=\"display:flex; align-items:center; gap:12px;\">\n <div style=\"width:40px; height:40px; flex-shrink:0; border-radius:4px; display:flex; justify-content:center; align-items:center; overflow:hidden;\">\n {{ if .JSON.Bool \"online\" }}\n <img src=\"{{ .JSON.String \"icon\" | safeURL }}\" width=\"64\" height=\"64\" style=\"object-fit:contain;\">\n {{ else }}\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 20 20\" fill=\"currentColor\" style=\"width:32px; height:32px; opacity:0.5;\">\n <path fill-rule=\"evenodd\" d=\"M1 5.25A2.25 2.25 0 0 1 3.25 3h13.5A2.25 2.25 0 0 1 19 5.25v9.5A2.25 2.25 0 0 1 16.75 17H3.25A2.25 2.25 0 0 1 1 14.75v-9.5Zm1.5 5.81v3.69c0 .414.336.75.75.75h13.5a.75.75 0 0 0 .75-.75v-2.69l-2.22-2.219a.75.75 0 0 0-1.06 0l-1.91 1.909.47.47a.75.75 0 1 1-1.06 1.06L6.53 8.091a.75.75 0 0 0-1.06 0l-2.97 2.97ZM12 7a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\" clip-rule=\"evenodd\" />\n </svg>\n {{ end }}\n </div>\n\n <div style=\"flex-grow:1; min-width:0;\">\n <a class=\"size-h4 block text-truncate color-highlight\">\n {{ .JSON.String \"host\" }}\n {{ if .JSON.Bool \"online\" }}\n <span\n style=\"width: 8px; height: 8px; border-radius: 50%; background-color: var(--color-positive); display: inline-block; vertical-align: middle;\"\n data-popover-type=\"text\"\n data-popover-text=\"Online\"\n ></span>\n {{ else }}\n <span\n style=\"width: 8px; height: 8px; border-radius: 50%; background-color: var(--color-negative); display: inline-block; vertical-align: middle;\"\n data-popover-type=\"text\"\n data-popover-text=\"Offline\"\n ></span>\n {{ end }}\n </a>\n\n <ul class=\"list-horizontal-text\">\n <li>\n {{ if .JSON.Bool \"online\" }}\n <span>{{ .JSON.String \"version.name_clean\" }}</span>\n {{ else }}\n <span>Offline</span>\n {{ end }}\n </li>\n {{ if .JSON.Bool \"online\" }}\n <li data-popover-type=\"html\">\n <div data-popover-html>\n {{ range .JSON.Array \"players.list\" }}{{ .String \"name_clean\" }}<br>{{ end }}\n </div>\n <p 
style=\"display:inline-flex;align-items:center;\">\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" fill=\"currentColor\" class=\"size-6\" style=\"height:1em;vertical-align:middle;margin-right:0.5em;\">\n <path fill-rule=\"evenodd\" d=\"M7.5 6a4.5 4.5 0 1 1 9 0 4.5 4.5 0 0 1-9 0ZM3.751 20.105a8.25 8.25 0 0 1 16.498 0 .75.75 0 0 1-.437.695A18.683 18.683 0 0 1 12 22.5c-2.786 0-5.433-.608-7.812-1.7a.75.75 0 0 1-.437-.695Z\" clip-rule=\"evenodd\" />\n </svg>\n {{ .JSON.Int \"players.online\" | formatNumber }}/{{ .JSON.Int \"players.max\" | formatNumber }} players\n </p>\n </li>\n {{ else }}\n <li>\n <p style=\"display:inline-flex;align-items:center;\">\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" fill=\"currentColor\" class=\"size-6\" style=\"height:1em;vertical-align:middle;margin-right:0.5em;opacity:0.5;\">\n <path fill-rule=\"evenodd\" d=\"M7.5 6a4.5 4.5 0 1 1 9 0 4.5 4.5 0 0 1-9 0ZM3.751 20.105a8.25 8.25 0 0 1 16.498 0 .75.75 0 0 1-.437.695A18.683 18.683 0 0 1 12 22.5c-2.786 0-5.433-.608-7.812-1.7a.75.75 0 0 1-.437-.695Z\" clip-rule=\"evenodd\" />\n </svg>\n 0 players\n </p>\n </li>\n {{ end }}\n </ul>\n </div>\n</div>";
}
]; ];
} }
{ {
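Review bot: The `template` of the new `cobblemon` widget is a byte-for-byte copy of the multi-kilobyte string in the widget directly above it, so any later fix to how the remote mcstatus.io fields are rendered (the `safeURL`-marked `icon`, the `players.list` popover) has to be made in two places. Bind the string once in the module's `let`, e.g. `mc_status_template = "…";`, and use `template = mc_status_template;` in both entries. The widget list continues outside this hunk, so other entries may carry the same copy.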


@@ -78,7 +78,7 @@ in {
# --- gameservers --- # --- gameservers ---
echo -e "''${headings}gameservers:''${reset}" echo -e "''${headings}gameservers:''${reset}"
for service in velocity smp superflat bento; do for service in velocity smp superflat bento cobblemon; do
status=$(systemctl is-active $service 2>/dev/null) status=$(systemctl is-active $service 2>/dev/null)
if [ "$status" = "active" ]; then if [ "$status" = "active" ]; then
printf "%-32s%s\n" " ''${active}[$service]''${reset}" "running" printf "%-32s%s\n" " ''${active}[$service]''${reset}" "running"


@@ -60,13 +60,11 @@ in {
# enable the ${service} service # enable the ${service} service
services.postfix = { services.postfix = {
enable = true; enable = true;
relayHost = "smtp.gmail.com"; settings.main = {
relayPort = cfg.port; relayhost = ["smtp.gmail.com:${toString cfg.port}"];
config = {
#smtp_use_tls = "yes";
smtp_tls_security_level = "may"; smtp_tls_security_level = "may";
smtp_sasl_auth_enable = "yes"; smtp_sasl_auth_enable = "yes";
smtp_sasl_security_options = ""; smtp_sasl_security_options = "noanonymous";
smtp_sasl_password_maps = "texthash:${config.sops.secrets."postfix_passwd".path}"; smtp_sasl_password_maps = "texthash:${config.sops.secrets."postfix_passwd".path}";
# optional: Forward mails to root (e.g. from cron jobs, smartd) # optional: Forward mails to root (e.g. from cron jobs, smartd)
# to me privately and to my work email: # to me privately and to my work email:
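Review bot: `smtp_tls_security_level = "may"` is carried into the new `settings.main` block unchanged, which leaves TLS opportunistic on the one relay that receives the SASL credentials: if STARTTLS is not offered, or is stripped on path, Postfix continues in cleartext, and `noanonymous` alone still permits plaintext mechanisms there. Since the only next hop is `smtp.gmail.com`, require encryption with `smtp_tls_security_level = "encrypt";` (or `"verify"` once CA roots are configured). Adding `smtp_sasl_tls_security_options = "noanonymous";` alongside makes the intent for the encrypted session explicit. The `settings.main` block continues outside the hunk.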


@@ -117,7 +117,7 @@ in
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} tls internal
reverse_proxy 127.0.0.1:${toString cfg.port} reverse_proxy 127.0.0.1:${toString cfg.port}
''; '';
}; };
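Review bot: `tls internal` replaces the sops-managed certificate with one issued by Caddy's own local CA, so clients reach this vhost without warnings only if that root is installed on them, and nothing in the hunk says how it is distributed. Add a comment above the line, e.g. `# internal CA: root cert must be trusted on each client`, so the choice does not look accidental next to the vhosts that still use `ssl_blakedheld_crt`. The same swap appears at the top of this page in a section whose start is not visible.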


@@ -0,0 +1,72 @@
{
pkgs,
inputs,
config,
lib,
...
}: let
cfg = config.system.cifs_mounts;
sec = config.sops.secrets;
in {
options.system.cifs_mounts = {
enable = lib.mkEnableOption "enables mounting holocron fileshare on the client side";
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
cifs-utils
];
fileSystems."/media/holocron/blake" = {
device = "//10.10.0.10/users/blake";
fsType = "cifs";
options = [
"x-systemd.automount"
"noauto"
"_netdev"
"credentials=${sec."holocron_creds".path}"
"uid=1000"
"gid=1000"
"file_mode=0664"
"dir_mode=0775"
];
};
fileSystems."/media/holocron/archives" = {
device = "//10.10.0.10/archives";
fsType = "cifs";
options = [
"x-systemd.automount"
"noauto"
"_netdev"
"credentials=${sec."holocron_creds".path}"
"uid=1000"
"gid=1000"
"file_mode=0664"
"dir_mode=0775"
];
};
fileSystems."/media/holocron/media" = {
device = "//10.10.0.10/media";
fsType = "cifs";
options = [
"x-systemd.automount"
"noauto"
"_netdev"
"credentials=${sec."holocron_creds".path}"
"uid=1000"
"gid=1000"
"file_mode=0664"
"dir_mode=0775"
];
};
# manage secrets with sops
sops.secrets = {
"holocron_creds" = {
owner = "blake";
group = "blake";
};
};
};
}
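Review bot: `holocron_creds` is declared with `owner = "blake"; group = "blake";`, but the three `fileSystems` entries are mounted by systemd as root, so the SMB credentials file presumably does not need to be readable from the user session; dropping both lines leaves it at the sops-nix default owner. The three `options` lists are identical, so binding them once in the `let` (`cifs_opts = [ … ];`) keeps later hardening in one place, for example adding `"nosuid"` and `"nodev"`. `uid=1000`/`gid=1000` are hard-coded while the secret names the user `blake`; a one-line comment tying the two together would help.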


@@ -11,10 +11,15 @@
./podman ./podman
./yubikey ./yubikey
./tailscale ./tailscale
./japanese
./vpns ./vpns
./vpn-confinement ./vpn-confinement
./syncthing ./syncthing
./graphics ./graphics
./flatpak
./secure_boot
./cifs_mounts
./udiskie
]; ];
system.ssh.enable = lib.mkDefault true; system.ssh.enable = lib.mkDefault true;


@@ -0,0 +1,19 @@
{
pkgs,
inputs,
config,
lib,
...
}: let
cfg = config.system.flatpak;
in {
options.system.flatpak = {
enable = lib.mkEnableOption "enables nix-flatpak on nixos side";
};
imports = [inputs.nix-flatpak.nixosModules.nix-flatpak];
config = lib.mkIf cfg.enable {
services.flatpak.enable = true;
};
}


@@ -57,12 +57,10 @@ in {
# enable amd vulkan (program will choose this or regular) # enable amd vulkan (program will choose this or regular)
hardware.graphics.extraPackages = with pkgs; [ hardware.graphics.extraPackages = with pkgs; [
amdvlk
rocmPackages.clr.icd # enable open cl (compute framework like cuda) rocmPackages.clr.icd # enable open cl (compute framework like cuda)
]; ];
# ^ but 32 bit # ^ but 32 bit
hardware.graphics.extraPackages32 = with pkgs; [ hardware.graphics.extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
]; ];
# make hip work (extension on cli.icd ^) # make hip work (extension on cli.icd ^)


@@ -0,0 +1,52 @@
{
pkgs,
inputs,
config,
lib,
...
}: let
cfg = config.system.japanese;
in {
options.system.japanese = {
enable = lib.mkEnableOption "enables japanese tools";
};
config = lib.mkIf cfg.enable {
# japanese input
i18n.inputMethod = {
enabled = "fcitx5";
fcitx5.addons = with pkgs; [
fcitx5-mozc
fcitx5-gtk
fcitx5-qt
];
};
environment.systemPackages = with pkgs; [
fcitx5
fcitx5-configtool
];
# fonts for japanese
fonts = {
enableDefaultPackages = true;
packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
source-han-sans
source-han-serif
];
fontconfig = {
defaultFonts = {
serif = [ "Noto Serif CJK JP" ];
sansSerif = [ "Noto Sans CJK JP" ];
monospace = [ "Noto Sans Mono CJK JP" ];
};
};
};
};
}
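Review bot: `fontconfig.defaultFonts.serif` names `"Noto Serif CJK JP"`, but `fonts.packages` lists no package that obviously ships it: as far as I know `noto-fonts-cjk` is the older name of the sans family and the serif faces live in `noto-fonts-cjk-serif`. Add `noto-fonts-cjk-serif` to the list so the default resolves instead of falling back silently. Also worth checking against the channel in use: `i18n.inputMethod.enabled = "fcitx5"` has, I believe, been superseded by `enable = true; type = "fcitx5";`.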


@@ -0,0 +1,43 @@
{
pkgs,
inputs,
config,
lib,
...
}: let
cfg = config.system.secure_boot;
in {
options.system.secure_boot = {
enable = lib.mkEnableOption "enables secureboot with lanzaboote";
};
imports = [inputs.lanzaboote.nixosModules.lanzaboote];
config = lib.mkIf cfg.enable {
# install userspace secureboot tools
environment.systemPackages = with pkgs; [
sbctl
e2fsprogs
];
# force disable systemd-boot so lanzaboote can be used
boot.loader.systemd-boot.enable = lib.mkForce false;
/*
this uses the project lanzaboote for secureboot (extension on systemd)
setup guide can be found here: https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md
tldr:
while currently using systemd-boot
generate keys with `nix-shell -p --run "sudo sbctl create-keys"`
rebuild with this module enabled then check `sudo sbctl verify`
reboot and enable secureboot setup mode in bios
check that setup mode is enabled with `sudo sbctl status`
enroll keys with `sudo sbctl enroll-keys` use the `--microsoft` flag to incude their keys for compatibality
reboot (disable secureboot setup mode if not done automatically) then check secure boot status with `sudo bootctl status`
*/
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
};
}
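Review bot: The key-generation step in the block comment, `nix-shell -p --run "sudo sbctl create-keys"`, has no package after `-p`; it should read `nix-shell -p sbctl --run "sudo sbctl create-keys"`. Since `pkiBundle = "/var/lib/sbctl"` is where those keys end up, the comment would also benefit from one line saying that the directory holds the private Secure Boot signing keys and has to stay root-only and out of any shared backup or sync path. Two spellings in the same comment: `incude` should be `include`, `compatibality` should be `compatibility`.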


@@ -13,7 +13,7 @@ in
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
PasswordAuthentication = true; PasswordAuthentication = false;
PermitRootLogin = "no"; PermitRootLogin = "no";
X11Forwarding = false; X11Forwarding = false;
}; };
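Review bot: With `PasswordAuthentication = false` the `settings` block still leaves keyboard-interactive authentication at the module default, which I believe is enabled on NixOS; through PAM that path can still end up prompting for a password. Add `KbdInteractiveAuthentication = false;` next to it so key-only login is stated rather than implied. Before rollout, confirm each host has a working entry in `openssh.authorizedKeys`, since the password fallback is gone.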


@@ -34,13 +34,15 @@ in {
"snowbelle" = {id = "6WQ6ATA-5AT4RUM-NW67PAL-N62CPNV-ALRFG3P-5BDRO22-HWFC2Q4-5S5BDA5";}; "snowbelle" = {id = "6WQ6ATA-5AT4RUM-NW67PAL-N62CPNV-ALRFG3P-5BDRO22-HWFC2Q4-5S5BDA5";};
"lugia" = {id = "BKKSFPH-YEOVVAB-DTT7KK3-UDKAEJ2-PC6ECG7-Y76ZIVP-JRYMMXS-RTZYVQ3";}; "lugia" = {id = "BKKSFPH-YEOVVAB-DTT7KK3-UDKAEJ2-PC6ECG7-Y76ZIVP-JRYMMXS-RTZYVQ3";};
"zygarde" = {id = "UYLTF52-VVKUR7F-JN33HQZ-RFNWGL3-JER52LA-GZD2LPJ-QIFEE7K-MNMZRQ5";}; "zygarde" = {id = "UYLTF52-VVKUR7F-JN33HQZ-RFNWGL3-JER52LA-GZD2LPJ-QIFEE7K-MNMZRQ5";};
"mew" = {id = "7ZC2NAS-QONQKAL-Z54NPMB-7TRXM6M-K7Z6PZD-FG4AI4H-V7SMFJN-JOYBHQO";};
"yveltal" = {id = "ZVSQ4WJ-7OICYOZ-3ECES4X-KH37IPB-TKHKUJG-BSEGXVM-AHYY5C3-VKG44AX";}; "yveltal" = {id = "ZVSQ4WJ-7OICYOZ-3ECES4X-KH37IPB-TKHKUJG-BSEGXVM-AHYY5C3-VKG44AX";};
"CEN-IT-07" = {id = "DPYKA4Z-3PX7JB2-FBEOXXX-SC7TLT2-QC5P2IR-SXOPJGX-QO3DMII-5B7UCA4";}; "CEN-IT-07" = {id = "DPYKA4Z-3PX7JB2-FBEOXXX-SC7TLT2-QC5P2IR-SXOPJGX-QO3DMII-5B7UCA4";};
"CEN-IT-00007" = {id = "XBPXGYU-DUJSLDH-6BDNF4D-CO2COC3-N3FM6W5-IHZOJBM-Z2N77RI-IVAV5AH";};
}; };
folders = { folders = {
"holocron" = { "holocron" = {
path = "/home/blake/holocron"; path = "/home/blake/holocron";
devices = ["lugia" "zygarde" "CEN-IT-07" "snowbelle"]; devices = ["lugia" "zygarde" "mew" "yveltal" "CEN-IT-07" "CEN-IT-00007" "snowbelle"];
id = "5voxg-c3he2"; id = "5voxg-c3he2";
versioning = { versioning = {
type = "staggered"; type = "staggered";


@@ -21,6 +21,9 @@ in {
"--accept-dns=true" # explicitly allow resolved "--accept-dns=true" # explicitly allow resolved
]; ];
}; };
systemd.services.tailscaled = {
after = [ "remote-fs.target" ]; # keep tailscale up until remote mounts are unmounted
};
# network config # network config
networking.firewall.trustedInterfaces = ["tailscale0"]; networking.firewall.trustedInterfaces = ["tailscale0"];
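Review bot: The ordering added to `systemd.services.tailscaled` looks inverted relative to its comment: a unit that is `After=` another is stopped before it at shutdown, so `after = [ "remote-fs.target" ]` stops tailscaled before `remote-fs.target` and therefore before the remote mounts are unmounted. To keep the tunnel up until the shares are gone, tailscaled has to be ordered ahead of the mounts, e.g. `before = [ "remote-fs-pre.target" ]; wants = [ "remote-fs-pre.target" ];`. Whether the remote mounts actually route over tailscale is not visible in this hunk.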


@@ -0,0 +1,16 @@
{
pkgs,
lib,
config,
...
}: let
cfg = config.system.udiskie;
in {
options.system.udiskie = {
enable = lib.mkEnableOption "enable udiskie for automount on nixos side";
};
config = lib.mkIf cfg.enable {
services.udisks2.enable = true;
};
}


@@ -5,7 +5,7 @@
... ...
}: }:
/* /*
# to enroll a yubikey (works like .ssh/known_hosts) # to enroll a yubikey with pam (works like .ssh/known_hosts)
nix-shell -p pam_u2f nix-shell -p pam_u2f
mkdir -p ~/.config/Yubico mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys pamu2fcfg > ~/.config/Yubico/u2f_keys
@@ -15,6 +15,9 @@ pamu2fcfg -n >> ~/.config/Yubico/u2f_keys (to add additional yubikeys)
nix-shell -p pamtester nix-shell -p pamtester
pamtester login <username> authenticate pamtester login <username> authenticate
pamtester sudo <username> authenticate pamtester sudo <username> authenticate
# to enroll yubikey with luks
`sudo systemd-cryptenroll --fido2-device=auto /dev/<disk>`
*/ */
let let
service = "yubikey"; service = "yubikey";
@@ -43,9 +46,18 @@ in {
yubikey-manager yubikey-manager
]; ];
# enable smartcard
services.pcscd.enable = true;
# enables it for everything
security.pam.u2f = lib.mkIf (cfg.mode == "u2f") {
enable = true;
};
# selectivlt edit what u2f is enabled for
security.pam.services = lib.mkIf (cfg.mode == "u2f") { security.pam.services = lib.mkIf (cfg.mode == "u2f") {
login.u2fAuth = true; #login.u2fAuth = true;
sudo.u2fAuth = true; #sudo.u2fAuth = true;
}; };
security.pam.yubico = lib.mkIf (cfg.mode == "challenge-response") { security.pam.yubico = lib.mkIf (cfg.mode == "challenge-response") {
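Review bot: `security.pam.u2f.enable = true` adds pam_u2f to every PAM service, and with the module's default `control` (`"sufficient"`, as far as I know) a touch of the key alone satisfies login, sudo and anything else that goes through PAM, without the password. If the key is meant as a second factor, set `security.pam.u2f.control = "required";`; if password-less is intended, say so in the `# enables it for everything` comment. With both `u2fAuth` lines commented out, `security.pam.services` is now an empty set and its `# selectivlt edit …` comment (typo for `selectively`) no longer describes anything active. The `security.pam.yubico` block continues outside the hunk.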


@@ -6,6 +6,8 @@ klefki_auth_map: ENC[AES256_GCM,data:u8OBLtT/,iv:THW21BDyhyFIjcwixsAnaAODofxbuQZ
tailscale_authkey: ENC[AES256_GCM,data:SU0k3asrJd+WZ86VbC4w8TDJp+MqsbyagrzCfDcgTzO5yvBjpWAKbJ7A+VxgQvdu4+S2jMYbdrONPp3YbQ==,iv:VMYmGVk5GpUQApKKQYhdOw/cYCXrXxEZJJwHfQL4MjQ=,tag:7ruaoCDxuFQ7tE/JLJ37Xw==,type:str] tailscale_authkey: ENC[AES256_GCM,data:SU0k3asrJd+WZ86VbC4w8TDJp+MqsbyagrzCfDcgTzO5yvBjpWAKbJ7A+VxgQvdu4+S2jMYbdrONPp3YbQ==,iv:VMYmGVk5GpUQApKKQYhdOw/cYCXrXxEZJJwHfQL4MjQ=,tag:7ruaoCDxuFQ7tE/JLJ37Xw==,type:str]
#ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment] #ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment]
borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str] borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str]
#ENC[AES256_GCM,data:ztRwuY0mTMDmwV5HqVR7Dmc+dCWcrVRtWZGEL1abE/WUcA==,iv:mmaWfHRiENJUGNhyUBFo1z7PdzVPH1OUZrVhkce6KV0=,tag:GKEvT0qkzTtimQXDueKPdw==,type:comment]
holocron_creds: ENC[AES256_GCM,data:2QXtXrN5w0UFn70GZOsYFPdtPwjLcuUdtkEam5aZ83N6LEDqPWJi,iv:kUS9pq5CX19vqHumc6QjY+Xpd4N+Ge7oCcQYtMFh+WM=,tag:IUA1ZVThF91EdHrwmS624g==,type:str]
#ENC[AES256_GCM,data:VdbMrwGKUKNJHw==,iv:OLwBh6KQXR/H8eRgp/hH8k3QfIkK/ydL735kx/dpc8E=,tag:N+v+ym6RMbvW4IckbiLK8Q==,type:comment] #ENC[AES256_GCM,data:VdbMrwGKUKNJHw==,iv:OLwBh6KQXR/H8eRgp/hH8k3QfIkK/ydL735kx/dpc8E=,tag:N+v+ym6RMbvW4IckbiLK8Q==,type:comment]
syncthing: syncthing:
gui_passwd: ENC[AES256_GCM,data:CicGIe5dT8lJVchCcE4wg3E8va3RYR8d53MISkE=,iv:8ziDDyQvU8ABaKKwYlcHmvm8Qybk4G+q5F0Ghqluu9w=,tag:YlyNPE04KD3detL1QUTrgQ==,type:str] gui_passwd: ENC[AES256_GCM,data:CicGIe5dT8lJVchCcE4wg3E8va3RYR8d53MISkE=,iv:8ziDDyQvU8ABaKKwYlcHmvm8Qybk4G+q5F0Ghqluu9w=,tag:YlyNPE04KD3detL1QUTrgQ==,type:str]
@@ -15,6 +17,9 @@ syncthing:
yveltal: yveltal:
key: ENC[AES256_GCM,data:unUnEeDhCqHUZCJtGCbj5rmrLx+9GiUTl75K3HdkI94YfCLNYCBACYu2v/7FbNIEsjVoQEA5/gKEcUHzVq6LaHM2w9GSo6tjkegdzTUgbHBJf4ssJ38z5rQkMc7tbzsA0NUHBPklz1eyjkW96HQPD0REcwA3CIc=,iv:PZ7vfhIpwPpMz4P04bewNhRuahmpukasgYb8fL/EJBE=,tag:G1HDyPAVSdm/fwqTXTT3PQ==,type:str] key: ENC[AES256_GCM,data:unUnEeDhCqHUZCJtGCbj5rmrLx+9GiUTl75K3HdkI94YfCLNYCBACYu2v/7FbNIEsjVoQEA5/gKEcUHzVq6LaHM2w9GSo6tjkegdzTUgbHBJf4ssJ38z5rQkMc7tbzsA0NUHBPklz1eyjkW96HQPD0REcwA3CIc=,iv:PZ7vfhIpwPpMz4P04bewNhRuahmpukasgYb8fL/EJBE=,tag:G1HDyPAVSdm/fwqTXTT3PQ==,type:str]
cert: ENC[AES256_GCM,data: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,iv:Ggag5SNUFkhMWS0u1kwkD5tGjiMv4i041bCESl5XOdc=,tag:pPISz0eBWzHcPHsC8dVG3g==,type:str] cert: ENC[AES256_GCM,data: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,iv:Ggag5SNUFkhMWS0u1kwkD5tGjiMv4i041bCESl5XOdc=,tag:pPISz0eBWzHcPHsC8dVG3g==,type:str]
mew:
key: ENC[AES256_GCM,data:8i2thp667lKEXR0cIaEOLHPXWlhFS38FvbtHgni3i0dTBx9DYtJbGogNaWMlA8r2HzBHkG3Jg0nJs7IOrJWugnGLNLbvhdsxBswEndOBaed4vq+SSN6ssxdjjyFd38wlIZNZsytjPFhyRgDLJ+0rftcIQXPjBhU=,iv:IZ3zWD/ZpalOzSAJQubo/y4LcEzHMEcl+C4GB3Q/nac=,tag:IKEwIkuvHE6qrUoCEqI2Ug==,type:str]
cert: ENC[AES256_GCM,data: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,iv:LePpzWGDTV1ONwt1uHUptMW1dO1SwwUKrtCEerc/DEc=,tag:a5B/7hmIxvLXU90Stcq7zA==,type:str]
#ENC[AES256_GCM,data:A0ITyGOGMIoyVOcn5JOi1RAtqUM=,iv:+wWpmFbeLiX/Ae53pj0QmnYY3MEzOMib4cqbePUKtGI=,tag:JHXvrN4bOH+oD3Q70pUuew==,type:comment] #ENC[AES256_GCM,data:A0ITyGOGMIoyVOcn5JOi1RAtqUM=,iv:+wWpmFbeLiX/Ae53pj0QmnYY3MEzOMib4cqbePUKtGI=,tag:JHXvrN4bOH+oD3Q70pUuew==,type:comment]
pia_auth: ENC[AES256_GCM,data:rwAu4f5XVS4v4FCLj2zXAegIZeRPLIzUVv6TCrdfg9RGSDJYHgVAX0aFXCBQsDQju9RDycXmc9Id8IuyYN8=,iv:kEA4ADQyUI+zlQoZOKi81dw5BLE1oesqhVf6bfiLgB4=,tag:VHT2uPNW27F3KRM7ZhWdCw==,type:str] pia_auth: ENC[AES256_GCM,data:rwAu4f5XVS4v4FCLj2zXAegIZeRPLIzUVv6TCrdfg9RGSDJYHgVAX0aFXCBQsDQju9RDycXmc9Id8IuyYN8=,iv:kEA4ADQyUI+zlQoZOKi81dw5BLE1oesqhVf6bfiLgB4=,tag:VHT2uPNW27F3KRM7ZhWdCw==,type:str]
#ENC[AES256_GCM,data:mbIgMJBhL8nWJzl8q2dFL8XtO1Xa1Q==,iv:caYHYp1boK9wRgCcQe40HTWT/HxAIvYe+HyaruI53Vc=,tag:S6wowhAHObEcs7z8FimZ1g==,type:comment] #ENC[AES256_GCM,data:mbIgMJBhL8nWJzl8q2dFL8XtO1Xa1Q==,iv:caYHYp1boK9wRgCcQe40HTWT/HxAIvYe+HyaruI53Vc=,tag:S6wowhAHObEcs7z8FimZ1g==,type:comment]
@@ -30,6 +35,7 @@ minecraft_recpro_db_passwd: ENC[AES256_GCM,data:dPAkdEX0hBigo/lND2r3ShxnS4Jc5wTI
mosquitto_hashed_passwd: ENC[AES256_GCM,data:k1Lnr8ZTDpzXMoRmRH61X41boX/D8Rm1KPh7x3/IHFo+XKIOUQns53iA+7e7Ohp8uWSthDlOk4SlRvTXdUNiEz7Zmw9LYwy7BHbwpNo2pFApAye1ORPrMrhMUkUfgBgc8oqPPyRXmmrOAFp6GBbRhg==,iv:D8wQL9iF0rqOte5X24kDTVjYUJXbZSLz0Ykbp0HqmYo=,tag:RUCgO1uKPIdumSo563cg1Q==,type:str] mosquitto_hashed_passwd: ENC[AES256_GCM,data:k1Lnr8ZTDpzXMoRmRH61X41boX/D8Rm1KPh7x3/IHFo+XKIOUQns53iA+7e7Ohp8uWSthDlOk4SlRvTXdUNiEz7Zmw9LYwy7BHbwpNo2pFApAye1ORPrMrhMUkUfgBgc8oqPPyRXmmrOAFp6GBbRhg==,iv:D8wQL9iF0rqOte5X24kDTVjYUJXbZSLz0Ykbp0HqmYo=,tag:RUCgO1uKPIdumSo563cg1Q==,type:str]
mosquitto_passwd.yaml: ENC[AES256_GCM,data:9xwHiUaQ6zG/4rkRemXtbRJ/KEV4yajqyYlcXRR1eAQ2XijYOzitPjt53h3FPqp5rxl6dJerXNH5CiZZK3t1l339NxNseJFGVmIHitWJxNmGJMlG3M8r8Q==,iv:C6WWZuVkYaasB2pol3uf4Mc3d/lDEgt2pKX+dHl/Cr4=,tag:jYTC6RKF2TzDSwSUh6D8zQ==,type:str] mosquitto_passwd.yaml: ENC[AES256_GCM,data:9xwHiUaQ6zG/4rkRemXtbRJ/KEV4yajqyYlcXRR1eAQ2XijYOzitPjt53h3FPqp5rxl6dJerXNH5CiZZK3t1l339NxNseJFGVmIHitWJxNmGJMlG3M8r8Q==,iv:C6WWZuVkYaasB2pol3uf4Mc3d/lDEgt2pKX+dHl/Cr4=,tag:jYTC6RKF2TzDSwSUh6D8zQ==,type:str]
#ENC[AES256_GCM,data:zmSByl0De3a39qLbS99oce7ORe2BBoPa+3I05/YYxL7iBeWCP3ZK,iv:6nUTBUFpNK7Mttckqu6Wk/QJ5cP4+iL+EH4ldaIuu9s=,tag:pc5UtjbNPsVOEMCdLKgGMA==,type:comment] #ENC[AES256_GCM,data:zmSByl0De3a39qLbS99oce7ORe2BBoPa+3I05/YYxL7iBeWCP3ZK,iv:6nUTBUFpNK7Mttckqu6Wk/QJ5cP4+iL+EH4ldaIuu9s=,tag:pc5UtjbNPsVOEMCdLKgGMA==,type:comment]
#ENC[AES256_GCM,data:ZWlAWAthigdTlfHrQl1x8eSj+gv4Gj1poZfPViu1mVz/ZmUJFZyCSkdIg0CPdNNF38TE0iabBk+o7aHkFmIFz18hjVYAk4M2E034qg==,iv:jU+2E+XAILgFNyMkGZ1CMJ83q7V/yyEJwHXWw05RlHo=,tag:n8w0/ktmum5P31vMWJVxgA==,type:comment]
postfix_passwd: ENC[AES256_GCM,data:3ndIsTGPyAQELM8lptBK241a3p77fNijXma4souFKnyrkLBpZ4OP6KWuldFlWySpSG7Yme0by5gOzg==,iv:nYuJKeY4H3OfQleLo7gvheT5JHgXW3hGQvjHeEEN260=,tag:q952E/0QLC49O5Rwua0RWQ==,type:str] postfix_passwd: ENC[AES256_GCM,data:3ndIsTGPyAQELM8lptBK241a3p77fNijXma4souFKnyrkLBpZ4OP6KWuldFlWySpSG7Yme0by5gOzg==,iv:nYuJKeY4H3OfQleLo7gvheT5JHgXW3hGQvjHeEEN260=,tag:q952E/0QLC49O5Rwua0RWQ==,type:str]
#ENC[AES256_GCM,data:UcpnHZj5xr8P64PzhWVKbFy8pvFM9GCz2mDoW/6iRVqgLTL0FSn6KXep/kfLEnYiqv5ZpsVZjjXsbI5VRJfBo7w4kzX661oDU8323DfQHDkbo2g=,iv:nEApgutl5kjfZkwi9WTOwatraM3+TQqFgk5gEMw0rwA=,tag:Q4gndL+6q7jHN02QCpJDjw==,type:comment] #ENC[AES256_GCM,data:UcpnHZj5xr8P64PzhWVKbFy8pvFM9GCz2mDoW/6iRVqgLTL0FSn6KXep/kfLEnYiqv5ZpsVZjjXsbI5VRJfBo7w4kzX661oDU8323DfQHDkbo2g=,iv:nEApgutl5kjfZkwi9WTOwatraM3+TQqFgk5gEMw0rwA=,tag:Q4gndL+6q7jHN02QCpJDjw==,type:comment]
#ENC[AES256_GCM,data:3oMbbBSrbjrqsdiON1ENB8JeKW0=,iv:+/eL/51OA+VHbkWWSNzQId5BlxnMm+5NBA0uKw010Tk=,tag:vBJpCYmvFivBYIKatDWgHw==,type:comment] #ENC[AES256_GCM,data:3oMbbBSrbjrqsdiON1ENB8JeKW0=,iv:+/eL/51OA+VHbkWWSNzQId5BlxnMm+5NBA0uKw010Tk=,tag:vBJpCYmvFivBYIKatDWgHw==,type:comment]
@@ -60,7 +66,7 @@ sops:
U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA== PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-05T05:51:29Z" lastmodified: "2026-01-28T21:02:05Z"
mac: ENC[AES256_GCM,data:y4KF/ImqWzga34UIjn8ohvR4Ktu785vNgyxLDxJZOvqZNsShlgSBQ+EnJ6TgG3Ghyo6n3frcMBaZJLP4QJVqsoigUMqqOdhp3xxLRQSV5c5GbmKscW2q/xdkKqnqbANDWxQ4FWd7n/CfH+FDxtRoWgkptRzhpqYEdXxFRjzR5jo=,iv:KJYp8BmuXyuDkpRH/ZjahT8tG4NoG7Y4XFJ9Q4GntLg=,tag:sr9HQCuynFXwYT7Ulbyerg==,type:str] mac: ENC[AES256_GCM,data:b9aX43ViObNX29DkVNHtwkQRm26PRe2rZYhDnL1ZYLLWyaO3OGP9+rM4vHT0lyuowQ6+Ur3IMPVpUSziXYLh3mtxr0hyYy5Y1miBuIxXYLBi3oLRTW1TgZdklzFDVL3c1GT4lXEh4q9KG3dP64r9/8dvjO2iRIosZ93/l0pIi3A=,iv:/gdNfVy8UiQsIRAHh2jiha5fL+wmfgp0srxt17Ry4Xs=,tag:YdVbvpBnQSaIarGIfiTzKQ==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.7 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 92 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 23 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 2.1 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 297 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 56 KiB


@@ -16,8 +16,10 @@
group = "blake"; group = "blake";
hashedPasswordFile = config.sops.secrets."blake_passwd".path; hashedPasswordFile = config.sops.secrets."blake_passwd".path;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBrNHm/n7BrA8Vz0Lsc3fZQ5QJOm01InFvrzEDuD4BoD me@blakedheld.xyz"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBK0AGJfZGyqW8/krvQV+PL7axcDW/EnKyHy9M8wryQx klefki" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBK0AGJfZGyqW8/krvQV+PL7axcDW/EnKyHy9M8wryQx klefki"
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPdC9cCX8awvA19Ri65fvbYjZYe8X1Ef+nOZAIv92AS6u4SkJYqOvPYfqRHXORNDpbzjTV6nackyCKvV5EO4niv4MFIgdkEQwuVHcYX32/dOsWdDoeXBT/l2sFFM7JESwQ== blake@zygarde" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPdC9cCX8awvA19Ri65fvbYjZYe8X1Ef+nOZAIv92AS6u4SkJYqOvPYfqRHXORNDpbzjTV6nackyCKvV5EO4niv4MFIgdkEQwuVHcYX32/dOsWdDoeXBT/l2sFFM7JESwQ== blake@zygarde"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVsjLEbnW/KeFXogppi0AP6ZbCZpObu7zFeRV/aLkP9 blake@lugia"
]; ];
}; };
}; };
@@ -29,7 +31,7 @@
extraSpecialArgs = {inherit inputs;}; extraSpecialArgs = {inherit inputs;};
backupFileExtension = "bak"; backupFileExtension = "bak";
useUserPackages = true; useUserPackages = true;
useGlobalPkgs = true; useGlobalPkgs = false;
users = { users = {
"blake" = import ./home.nix; "blake" = import ./home.nix;
}; };


@@ -13,6 +13,8 @@
./gpg ./gpg
./git ./git
./xdg ./xdg
./nh
./udiskie
]; ];
dots = { dots = {
@@ -24,6 +26,8 @@
gpg.enable = lib.mkDefault true; gpg.enable = lib.mkDefault true;
git.enable = lib.mkDefault true; git.enable = lib.mkDefault true;
xdg.enable = lib.mkDefault true; xdg.enable = lib.mkDefault true;
nh.enable = lib.mkDefault true;
udiskie.enable = lib.mkDefault true;
}; };


@@ -17,9 +17,11 @@ in {
# configure git # configure git
programs.${program} = { programs.${program} = {
enable = true; enable = true;
userName = "blake"; settings = {
userEmail = "me@blakedheld.xyz"; user = {
extraConfig = { name = "blake";
email = "me@blakedheld.xyz";
};
init.defaultBranch = "trunk"; init.defaultBranch = "trunk";
core.editor = "nvim"; core.editor = "nvim";
pull.rebase = true; pull.rebase = true;


@@ -15,6 +15,9 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
programs.${program} = { programs.${program} = {
enable = true; enable = true;
scdaemonSettings = {
disable-ccid = true;
};
}; };
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
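Review bot: `disable-ccid = true;` is added without a comment saying why, and it changes how the smart card or token is reached. With scdaemon's built-in CCID driver turned off, the card is only reachable through PC/SC, so this setting depends on a pcscd service running on the host, which is not visible in this hunk. A comment such as `# use pcscd instead of scdaemon's built-in CCID driver; requires the pcscd service` above `scdaemonSettings` would record the dependency.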


@@ -23,7 +23,9 @@ set ignorecase true
# shortcuts # shortcuts
map gb cd /holocron map gb cd /holocron
map gz cd %{{ [ -d /holocron ] && printf /holocron || printf /media/holocron }}
map gn cd ~/.nix map gn cd ~/.nix
map gc cd ~/.config
# navigation # navigation
map [ half-up map [ half-up


@@ -0,0 +1,24 @@
{
pkgs,
lib,
config,
...
}: let
program = "nh";
cfg = config.dots.${program};
home_dir = config.home.homeDirectory;
in {
options.dots.${program} = {
enable = lib.mkEnableOption "enables ${program}";
};
config = lib.mkIf cfg.enable {
programs.${program} = {
enable = true;
flake = "${home_dir}/.nix";
};
# add deps to userspace cause they are cool
home.packages = with pkgs; [nix-output-monitor nvd];
};
}


@@ -184,7 +184,7 @@ in {
enable = true; enable = true;
format = { format = {
enable = true; enable = true;
type = "alejandra"; type = ["alejandra"];
#type = "nixfmt"; #type = "nixfmt";
}; };
}; };


@@ -15,33 +15,45 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
programs.ssh = { programs.ssh = {
enable = true; enable = true;
#enableDefaultConfig = false; enableDefaultConfig = false;
matchBlocks = { matchBlocks = {
"*" = {
identityFile = "${home_dir}/.ssh/id_blake";
forwardAgent = false;
addKeysToAgent = "no";
compression = false;
serverAliveInterval = 0;
serverAliveCountMax = 3;
hashKnownHosts = false;
userKnownHostsFile = "~/.ssh/known_hosts";
controlMaster = "no";
controlPath = "~/.ssh/master-%r@%n:%p";
controlPersist = "no";
};
"git.blakedheld.xyz" = { "git.blakedheld.xyz" = {
user = "gitea"; user = "gitea";
identityFile = "${home_dir}/.ssh/id_snowbelle"; port = 7567;
}; };
"git.snowbelle.lan" = { "git.snowbelle.lan" = {
user = "gitea"; user = "gitea";
identityFile = "${home_dir}/.ssh/id_snowbelle"; port = 7567;
}; };
"bebe" = { "bebe" = {
hostname = "10.10.0.1"; hostname = "10.10.0.1";
user = "root"; user = "root";
identityFile = "${home_dir}/.ssh/id_snowbelle";
}; };
}; };
}; };
# manage secrets with sops # manage secrets with sops
sops.secrets = { sops.secrets = {
"id_snowbelle" = { "id_blake" = {
mode = "0600"; mode = "0600";
path = "${home_dir}/.ssh/id_snowbelle"; path = "${home_dir}/.ssh/id_blake";
}; };
"id_snowbelle.pub" = { "id_blake.pub" = {
mode = "644"; mode = "644";
path = "${home_dir}/.ssh/id_snowbelle.pub"; path = "${home_dir}/.ssh/id_blake.pub";
}; };
}; };
}; };
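Review bot: The new `"*"` block sets `identityFile` but not `identitiesOnly`, so ssh can still offer every key held by an agent to each host in addition to `id_blake`. Adding `identitiesOnly = true;` there limits what is offered to the configured file. `hashKnownHosts = false;` keeps `~/.ssh/known_hosts` as a plain list of the hosts this account connects to; `hashKnownHosts = true;` is the hardened choice unless something needs to read the file. With `enableDefaultConfig = false` these values are now owned by this module, so a short comment above the block saying they are deliberate would help the next reader.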


@@ -0,0 +1,40 @@
{
pkgs,
lib,
config,
...
}: let
program = "udiskie";
cfg = config.dots.${program};
home_dir = config.home.homeDirectory;
in {
options.dots.${program} = {
enable = lib.mkEnableOption "enables ${program}";
};
config = lib.mkIf cfg.enable {
services.${program} = {
enable = true;
automount = true;
notify = true;
tray = "auto";
settings = {
program_options = {
};
device_config = [
{
id_uuid = ["4E21-0000" "9EA2-A886"];
automount = true;
}
{
id_type = "ntfs";
skip = "true";
}
];
};
};
# add userspace tools
home.packages = with pkgs; [udiskie];
};
}
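Review bot: The service-level `automount = true;` mounts every removable volume that is plugged in, so the `id_uuid` rule adds nothing and unknown media is mounted without a prompt. Setting `automount = false;` on the service and keeping the per-UUID `automount = true;` would restrict automounting to the two listed volumes. In the ntfs rule, `skip = "true";` is a string where the other rule uses a boolean. As far as I know the udiskie device option for this is `ignore`, so `ignore = true;` is probably what was meant; worth checking against the udiskie documentation.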


@@ -15,11 +15,9 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
home.packages = with pkgs; [xdg-ninja ]; home.packages = with pkgs; [xdg-ninja ];
xdg = xdg = {
if pkgs.system == "x86_64-darwin"
then {}
else {
enable = true; enable = true;
configHome = "${home_dir}/.config"; configHome = "${home_dir}/.config";
cacheHome = "${home_dir}/.cache"; cacheHome = "${home_dir}/.cache";
dataHome = "${home_dir}/.local/share"; dataHome = "${home_dir}/.local/share";
@@ -37,13 +35,17 @@ in {
publicShare = "${home_dir}/public"; publicShare = "${home_dir}/public";
templates = "${home_dir}/templates"; templates = "${home_dir}/templates";
}; };
mimeApps = {
enable = true;
defaultApplications = {
"application/pdf" = ["org.pwmt.zathura.desktop"];
};
};
}; };
# misc env variables to get things out of ~ (<3 xdg-ninja) # misc env variables to get things out of ~ (<3 xdg-ninja)
home.sessionVariables = home.sessionVariables = {
if pkgs.system == "x86_64-darwin"
then {}
else {
GOPATH = "$XDG_DATA_HOME/go"; GOPATH = "$XDG_DATA_HOME/go";
_JAVA_OPTIONS = ''-Djava.util.prefs.userRoot="$XDG_CONFIG_HOME"/java''; _JAVA_OPTIONS = ''-Djava.util.prefs.userRoot="$XDG_CONFIG_HOME"/java'';
}; };
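Review bot: Dropping the `pkgs.system == "x86_64-darwin"` guard from both `xdg` and `home.sessionVariables` makes this module Linux-only in practice. As far as I know home-manager asserts that `xdg.mimeApps` is used on Linux only, so the new `mimeApps` block would fail evaluation on a macOS host. If macOS is still a target, guard the Linux-only part instead, e.g. `mimeApps = lib.mkIf pkgs.stdenv.isLinux { … };`. The section is shown in two hunks, so the part of `xdg` between them is not visible here.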


@@ -22,7 +22,8 @@ in {
programs.${program} = { programs.${program} = {
enable = true; enable = true;
dotDir = ".config/zsh"; dotDir = "${config.xdg.configHome}/zsh";
#dotDir = ".config/zsh";
autocd = true; autocd = true;
enableCompletion = true; enableCompletion = true;
@@ -46,7 +47,6 @@ in {
src = "source ${home_dir}/.config/zsh/.zshrc"; src = "source ${home_dir}/.config/zsh/.zshrc";
# --- config editing --- # --- config editing ---
cfh = "nvim ${home_dir}/.config/hypr/hyprland.conf";
cfl = "nvim ${home_dir}/.config/lf/lfrc"; cfl = "nvim ${home_dir}/.config/lf/lfrc";
# --- navigation --- # --- navigation ---
@@ -57,6 +57,7 @@ in {
"..." = "cd ../.."; "..." = "cd ../..";
fs = "du -h | sort -h"; fs = "du -h | sort -h";
ds = "du -hs"; ds = "du -hs";
gn = "cd ${home_dir}/.nix";
# --- shortcuts --- # --- shortcuts ---
vswap = "cd ${home_dir}/.local/state/nvim/swap"; vswap = "cd ${home_dir}/.local/state/nvim/swap";
@@ -64,6 +65,8 @@ in {
v = "nvim"; v = "nvim";
sv = "sudo nvim"; sv = "sudo nvim";
vim = "nvim"; vim = "nvim";
mime-type = "xdg-mime query filetype";
mime-default = "xdg-mime query default";
# --- safety --- # --- safety ---
cp = "cp -iv"; cp = "cp -iv";
@@ -76,13 +79,14 @@ in {
egrep = "egrep --color=auto"; egrep = "egrep --color=auto";
# --- scripts --- # --- scripts ---
motd = "sh /etc/motd";
rebuild = "sh ${home_dir}/.nix/bin/rebuild"; rebuild = "sh ${home_dir}/.nix/bin/rebuild";
perms = "sudo sh ${home_dir}/.nix/bin/fix-perms"; perms = "sudo sh ${home_dir}/.nix/bin/fix-perms";
# --- git --- # --- git ---
status = "git status"; status = "git status";
add = "git add"; add = "git add";
commit = "git commit -am"; commit = "git commit";
push = "git push"; push = "git push";
pull = "git pull"; pull = "git pull";
dotfiles = "/usr/bin/git --git-dir=${home_dir}/.dotfiles --work-tree=$HOME"; dotfiles = "/usr/bin/git --git-dir=${home_dir}/.dotfiles --work-tree=$HOME";


@@ -1,6 +1,7 @@
{ {
pkgs, pkgs,
lib, lib,
inputs,
config, config,
... ...
}: let }: let
@@ -17,6 +18,7 @@ in {
nwg-displays nwg-displays
posy-cursors posy-cursors
hyprpicker hyprpicker
hyprshot
]; ];
wayland.windowManager.hyprland = { wayland.windowManager.hyprland = {
@@ -40,6 +42,7 @@ in {
exec-once = [ exec-once = [
"hyprctl setcursor ${config.home.pointerCursor.name} ${toString config.home.pointerCursor.size}" "hyprctl setcursor ${config.home.pointerCursor.name} ${toString config.home.pointerCursor.size}"
"waybar"
]; ];
# --- input --- # --- input ---
@@ -134,6 +137,7 @@ in {
# screenshots # screenshots
"$mainMod SHIFT, C, exec, hyprshot --mode region --output-folder ${home_dir}/pictures/screenshots" "$mainMod SHIFT, C, exec, hyprshot --mode region --output-folder ${home_dir}/pictures/screenshots"
", Print, exec, hyprshot --mode output --output-folder ${home_dir}/pictures/screenshots"
# multimedia # multimedia
", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle" ", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
@@ -285,7 +289,7 @@ in {
{ {
monitor = ""; monitor = "";
path = "${home_dir}/.nix/users/blake/assets/pfps/pikacig.jpg"; path = "${home_dir}/.nix/users/blake/assets/pfps/pikacig.jpg";
size = 350; size = 325;
border_color = lib.mkDefault "rgb(0047ab)"; border_color = lib.mkDefault "rgb(0047ab)";
rounding = -1; rounding = -1;
position = "0, 85"; position = "0, 85";


@@ -63,6 +63,7 @@ in {
waybar.addCss = false; waybar.addCss = false;
nvf.transparentBackground = true; nvf.transparentBackground = true;
qt.enable = true; qt.enable = true;
librewolf.enable = false;
}; };
}; };
}; };


@@ -17,7 +17,7 @@ in {
programs.${program} = { programs.${program} = {
enable = true; enable = true;
systemd = { systemd = {
enable = true; enable = false;
target = "graphical-session.target"; target = "graphical-session.target";
}; };


@@ -0,0 +1,25 @@
{
pkgs,
lib,
inputs,
config,
...
}: let
program = "<placeholder>";
app_id = "<placeholder>";
origin = "flathub";
cfg = config.dots.${program};
home_dir = config.home.homeDirectory;
in {
options.dots.${program} = {
enable = lib.mkEnableOption "enables ${program}";
};
config = lib.mkIf cfg.enable {
services.flatpak.packages = [
{ appId = app_id; origin = origin;}
];
};
}


@@ -0,0 +1,39 @@
{
pkgs,
inputs,
lib,
config,
...
}: let
cfg = config.dots.flatpak;
in {
imports = [
inputs.nix-flatpak.homeManagerModules.nix-flatpak
./devtoolbox
];
options.dots.flatpak = {
enable = lib.mkEnableOption "enables all programs by default";
};
# brought to you by nix-flatpak, readme is below
# https://github.com/gmodena/nix-flatpak?tab=readme-ov-file
config = lib.mkIf cfg.enable {
home.sessionVariables = {
XDG_DATA_DIRS = "$XDG_DATA_DIRS:/usr/share:/var/lib/flatpak/exports/share:$HOME/.local/share/flatpak/exports/share";
};
# install the cli
home.packages = with pkgs; [ flatpak ];
services.flatpak = {
#remotes = {};
};
dots = {
devtoolbox.enable = lib.mkDefault true;
};
};
}


@@ -0,0 +1,26 @@
{
pkgs,
lib,
inputs,
config,
...
}: let
program = "devtoolbox";
app_id = "me.iepure.devtoolbox";
origin = "flathub";
cfg = config.dots.${program};
home_dir = config.home.homeDirectory;
in {
options.dots.${program} = {
enable = lib.mkEnableOption "enables ${program}";
};
config = lib.mkIf cfg.enable {
services.flatpak.packages = [
{ appId = app_id; origin = origin;}
app_id
];
};
}
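Review bot: `services.flatpak.packages` names the same application twice, as `{ appId = app_id; origin = origin;}` and again as the bare `app_id`; the second entry can go. The entry is also unpinned, so the installed build is whatever the remote serves at activation time, unlike the rest of the configuration, which appears to be locked through flake inputs. If reproducibility matters here, nix-flatpak accepts a commit on the package entry: `{ appId = app_id; origin = origin; commit = "<COMMIT_HASH>"; }`. `pkgs`, `inputs` and `home_dir` are bound but unused in this file.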


@@ -0,0 +1,22 @@
{
pkgs,
lib,
config,
...
}: let
cfg = config.dots.gaming;
in {
imports = [
./slippi
];
options.dots.gaming = {
enable = lib.mkEnableOption "enables all programs by default";
};
config = lib.mkIf cfg.enable {
dots = {
slippi.enable = lib.mkDefault true;
};
};
}


@@ -4,24 +4,36 @@
config, config,
... ...
}: let }: let
cfg = config.dots.media_tools; cfg = config.dots.media-tools;
in { in {
imports = [ imports = [
./mpv
./nsxiv
./obs
./gimp ./gimp
./krita
./audacity ./audacity
./krita
./kdenlive ./kdenlive
]; ];
options.dots.media_tools = { options.dots.media-tools = {
enable = lib.mkEnableOption "enables all programs by default"; enable = lib.mkEnableOption "enables all programs by default";
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
dots = { dots = {
audacity.enable = lib.mkDefault true; mpv.enable = lib.mkDefault true;
nsxiv.enable = lib.mkDefault true;
obs.enable = lib.mkDefault true;
gimp.enable = lib.mkDefault true; gimp.enable = lib.mkDefault true;
audacity.enable = lib.mkDefault true;
krita.enable = lib.mkDefault true; krita.enable = lib.mkDefault true;
kdenlive.enable = lib.mkDefault true; kdenlive.enable = lib.mkDefault true;
}; };
home.packages = with pkgs; [
mediainfo
ffmpeg_6
imagemagick
];
}; };
} }


@@ -0,0 +1,23 @@
{
pkgs,
lib,
config,
...
}: let
program = "obs";
cfg = config.dots.${program};
in {
options.dots.${program} = {
enable = lib.mkEnableOption "enables ${program}";
};
config = lib.mkIf cfg.enable {
# enable with home-manager
programs.obs-studio = {
enable = true;
plugins = [];
};
};
}


@@ -0,0 +1,20 @@
{
pkgs,
lib,
config,
...
}: let
program = "anki";
cfg = config.dots.${program};
in {
options.dots.${program} = {
enable = lib.mkEnableOption "enables ${program}";
};
config = lib.mkIf cfg.enable {
# just install package
home.packages = with pkgs; [anki];
};
}


@@ -14,7 +14,8 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# just install package # just install package
home.packages = with pkgs; [bitwarden-desktop bitwarden-cli]; home.packages = with pkgs; [bitwarden-desktop bitwarden-cli hakuneko ];
}; };
} }
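Review bot: `hakuneko` is appended to the package list of what looks like the bitwarden module (its header is outside the hunk). It would therefore be installed and removed by the password manager's enable option, and it sits under the comment `# just install package`. It is unrelated to the other two packages, so anyone auditing what `bitwarden.enable` pulls in gets an unexpected extra application. A small module of its own, shaped like the `anki` one added in this commit, would keep the toggle and the package list in agreement.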


@@ -7,6 +7,12 @@
cfg = config.dots.programs; cfg = config.dots.programs;
in { in {
imports = [ imports = [
./_media-tools
./_browsers
./_gaming
./_flatpak
./anki
./thunderbird ./thunderbird
./libreoffice ./libreoffice
./gnucash ./gnucash
@@ -14,13 +20,8 @@ in {
./bitwarden ./bitwarden
./zathura ./zathura
./discord ./discord
./mpv ./yt-dlp
./nsxiv
./slippi
./media_tools
./browsers
]; ];
options.dots.programs = { options.dots.programs = {
@@ -29,21 +30,20 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
dots = { dots = {
media-tools.enable = lib.mkDefault true;
browsers.enable = lib.mkDefault true;
gaming.enable = lib.mkDefault true;
flatpak.enable = lib.mkDefault true;
anki.enable = lib.mkDefault true;
thunderbird.enable = lib.mkDefault true; thunderbird.enable = lib.mkDefault true;
libreoffice.enable = lib.mkDefault true; libreoffice.enable = lib.mkDefault true;
gnucash.enable = lib.mkDefault true; gnucash.enable = lib.mkDefault true;
qalculate.enable = lib.mkDefault true; qalculate.enable = lib.mkDefault true;
bitwarden.enable = lib.mkDefault true; bitwarden.enable = lib.mkDefault true;
discord.enable = lib.mkDefault true; discord.enable = lib.mkDefault true;
zathura.enable = lib.mkDefault true; zathura.enable = lib.mkDefault true;
mpv.enable = lib.mkDefault true; yt-dlp.enable = lib.mkDefault true;
nsxiv.enable = lib.mkDefault true;
slippi.enable = lib.mkDefault true;
media_tools.enable = lib.mkDefault true;
browsers.enable = lib.mkDefault true;
}; };
}; };
} }


@@ -0,0 +1,27 @@
{
pkgs,
lib,
config,
...
}: let
program = "yt-dlp";
cfg = config.dots.${program};
in {
options.dots.${program} = {
enable = lib.mkEnableOption "enables ${program}";
};
config = lib.mkIf cfg.enable {
# enable with home-manager
programs.${program} = {
enable = true;
settings = {
embed-thumbnail = true;
embed-subs = true;
sub-langs = "all";
};
};
};
}


@@ -29,10 +29,9 @@ in
# cross party general packages here : ) # cross party general packages here : )
stateVersion = "25.05"; stateVersion = "25.05";
packages = with pkgs; [ packages = with pkgs; [
fastfetch
ripgrep ripgrep
iperf3
p7zip p7zip
imagemagick
sops sops
usbutils usbutils
]; ];
@@ -41,6 +40,10 @@ in
# needed for macos, linux don't mind # needed for macos, linux don't mind
programs.home-manager.enable = true; programs.home-manager.enable = true;
nixpkgs.config = {
allowUnfree = true;
};
# set up seperate key file just for me # set up seperate key file just for me
sops = { sops = {
defaultSopsFile = ./secrets/secrets.yaml; defaultSopsFile = ./secrets/secrets.yaml;


@@ -0,0 +1,46 @@
{
config,
lib,
pkgs,
inputs,
...
}:
{
imports = [
../dots
];
dots = {
stylix = {
enable = true;
wallpaper = ../assets/wallpapers/yveltal.jpg;
};
programs.enable = true;
kitty.enable = true;
librewolf.enable = true;
waybar.enable = true;
dunst.enable = true;
hypr.enable = true;
tofi.enable = true;
clipboard.enable = true;
cursor.enable = true;
btop.enable = true;
lf.enable = true;
nvf.enable = true;
zsh.enable = true;
ssh.enable = true;
gpg.enable = true;
git.enable = true;
xdg.enable = true;
libreoffice.enable = true;
gnucash.enable = true;
qalculate.enable = true;
bitwarden.enable = true;
};
}

48
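--- a/users/blake/hosts/mew.nix
+++ b/users/blake/hosts/mew.nix
@@ -0,0 +1,48 @@
+{
+config,
+lib,
+pkgs,
+inputs,
+...
+}:
+{
+imports = [
+../dots
+];
+dots = {
+stylix = {
+enable = true;
+wallpaper = ../assets/wallpapers/yveltal.jpg;
+#wallpaper = ../assets/wallpapers/hairpin.png;
+};
+programs.enable = true;
+kitty.enable = true;
+librewolf.enable = true;
+waybar.enable = true;
+dunst.enable = true;
+hypr.enable = true;
+tofi.enable = true;
+clipboard.enable = true;
+cursor.enable = true;
+btop.enable = true;
+lf.enable = true;
+nvf.enable = true;
+zsh.enable = true;
+ssh.enable = true;
+gpg.enable = true;
+git.enable = true;
+xdg.enable = true;
+anki.enable = true;
+libreoffice.enable = true;
+gnucash.enable = true;
+qalculate.enable = true;
+bitwarden.enable = true;
+};
+}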


@@ -4,9 +4,10 @@
pkgs, pkgs,
inputs, inputs,
... ...
}: }: let
home_dir = config.home.homeDirectory;
{ #home_dir = "/home/blake";
in {
imports = [ imports = [
../dots/core ../dots/core
]; ];
@@ -19,13 +20,38 @@
gpg.enable = true; gpg.enable = true;
git.enable = true; git.enable = true;
xdg.enable = true; xdg.enable = true;
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [
htop
sl
]; ];
# import snowbelle specific ssh keys
programs.ssh.matchBlocks = lib.mkForce {
"git.blakedheld.xyz" = {
user = "gitea";
identityFile = "${home_dir}/.ssh/id_snowbelle";
port = 7567;
};
"git.snowbelle.lan" = {
user = "gitea";
identityFile = "${home_dir}/.ssh/id_snowbelle";
port = 7567;
};
"bebe" = {
hostname = "10.10.0.1";
user = "root";
identityFile = "${home_dir}/.ssh/id_snowbelle";
};
};
sops.secrets = {
"id_snowbelle" = {
mode = "0600";
path = "${home_dir}/.ssh/id_snowbelle";
};
"id_snowbelle.pub" = {
mode = "644";
path = "${home_dir}/.ssh/id_snowbelle.pub";
};
};
} }
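Review bot: `lib.mkForce` on `programs.ssh.matchBlocks` replaces the whole attribute set, so the `"*"` block that the shared ssh module defines in this commit is dropped on this host. Because that module also sets `enableDefaultConfig = false`, these three hosts are left with OpenSSH's built-in defaults and none of the explicit settings. The override also does not touch the shared module's `sops.secrets."id_blake"`. Assuming this host enables that module (not visible in the hunk), the personal private key is still decrypted to `~/.ssh/id_blake` here even though nothing uses it. Gating the `id_blake` secret and the `"*"` identity on an option in the shared module, rather than forcing the block set here, would keep that key off hosts that only need `id_snowbelle`.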


@@ -15,6 +15,7 @@
stylix = { stylix = {
enable = true; enable = true;
wallpaper = ../assets/wallpapers/yveltal.jpg; wallpaper = ../assets/wallpapers/yveltal.jpg;
#wallpaper = ../assets/wallpapers/hairpin.png;
}; };
programs.enable = true; programs.enable = true;
@@ -37,6 +38,7 @@
git.enable = true; git.enable = true;
xdg.enable = true; xdg.enable = true;
anki.enable = true;
libreoffice.enable = true; libreoffice.enable = true;
gnucash.enable = true; gnucash.enable = true;
qalculate.enable = true; qalculate.enable = true;


@@ -1,12 +1,14 @@
#ENC[AES256_GCM,data:3JeFFtzO7nuVZmzPcLsP7h12BKbnyOb9/A==,iv:V6gzwAze1FVjmpf1dD8CqQpUpO9CqWfj+nHImXgz+Zw=,tag:iT6zE2X7DQmIT9d4Ds4XiA==,type:comment] #ENC[AES256_GCM,data:3JeFFtzO7nuVZmzPcLsP7h12BKbnyOb9/A==,iv:V6gzwAze1FVjmpf1dD8CqQpUpO9CqWfj+nHImXgz+Zw=,tag:iT6zE2X7DQmIT9d4Ds4XiA==,type:comment]
blake_passwd: ENC[AES256_GCM,data:AfFql6/ghGhCDLOb4+QuAsDznz4hC4ilxZYCIH2sgBWX9tWXsUOgFw1k7CIhDoXIehz6YlTy0czekXPCqHL5gmIKRQTowU4svocw/Bl/Qz5CQ58RASB6YpnzOKTrwX7HCnu/ghpdMrcy2A==,iv:hMAkLcHjP0hiyCY4rhMU0Ae7jdYPa6MffEd2WGolbEo=,tag:p/6xmD8Te1RnFkp0zWw+ew==,type:str] blake_passwd: ENC[AES256_GCM,data:AfFql6/ghGhCDLOb4+QuAsDznz4hC4ilxZYCIH2sgBWX9tWXsUOgFw1k7CIhDoXIehz6YlTy0czekXPCqHL5gmIKRQTowU4svocw/Bl/Qz5CQ58RASB6YpnzOKTrwX7HCnu/ghpdMrcy2A==,iv:hMAkLcHjP0hiyCY4rhMU0Ae7jdYPa6MffEd2WGolbEo=,tag:p/6xmD8Te1RnFkp0zWw+ew==,type:str]
#ENC[AES256_GCM,data:0HBVS2AYQ2VZXY4EbMLwiSjRNyWZ57bf,iv:20SLWXpbRTLk76g5mFrhg1Z9Qasv3NoSJbK/FOiIgtk=,tag:DbUffQwrDqzy2QO64uoUeg==,type:comment] #ENC[AES256_GCM,data:0HBVS2AYQ2VZXY4EbMLwiSjRNyWZ57bf,iv:20SLWXpbRTLk76g5mFrhg1Z9Qasv3NoSJbK/FOiIgtk=,tag:DbUffQwrDqzy2QO64uoUeg==,type:comment]
klefki_auth_map: ENC[AES256_GCM,data:eQ==,iv:DwWh1mhnM4EcYW3XtryDJSq1kIGwDKgekN8+FQqDhoE=,tag:oMCQkNDnIYJZeNZxrRGB5w==,type:str] klefki_auth_map: ENC[AES256_GCM,data:JOUluKyKlK4hbGmKVSNh61Gzp/OVsb1LVhAfqyBeQ0ChlQWJ5jzS+fSI4QaJz2KS3NWvHDP5I3Y4b51fUUPGleoBazPNGpPfRLDDCgI2ys+OiNOCtykUE8A9Rt83dlWhfnsjWzsa2gUGba/52qvjgzP9T5lejzS9U+WGdRX0xSITr2u96RXz6j0SWgHSlcrddINgSoNkMRmRctEQGLL39U5wdvRQM0CWJymPoH2IUVVhM/xw4vVUFH1YV4GtbI+pqOihtGfQFg==,iv:KRBDuozK7NUfYv8IDEE/zW+3EZQuI+KT9+N3HCg71LY=,tag:35Ox4fBaBfdGAsQ3J2a/4A==,type:str]
#ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment] #ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment]
borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str] borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str]
#ENC[AES256_GCM,data:ozhgyE+IyqR10KT8vI9x,iv:+ZOTucRlCZRQ9ZbxZgySPMOJ/qU4gXbhSyLAMgt4QMs=,tag:mQ3X+dqCet1Yk1gZ5pZ5gw==,type:comment] #ENC[AES256_GCM,data:en3kcMuSAicr6DR8y3V3,iv:Vw9YB+AqYwn2/ZP8FmbD1TsjHfxkCGpv7NLpoqZHEKM=,tag:jliaGGKQ7wex9e9gMSWFEQ==,type:comment]
id_blake.pub: ENC[AES256_GCM,data:VgpZQOgDTndwcFadBUifeeExfoh29O/avrR0+tEbgCo4y+YDnhQzHOXIujgTrCZ9f6kgNY5NmMR0Ft9uNdud9TBn1Y86q1njfvdnoV6LzN74RNCv7zEb+WuKsHCpGyy4Qzw=,iv:tBAIjixrFpNJ1F73FFpvmKDMt9w3OO2NvWWhxxQ0kfw=,tag:fZuqSeGjdE3WtbHrsVXKsg==,type:str]
id_blake: ENC[AES256_GCM,data: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,iv:3VLepUnPmNhBJj6ykkNce+jMJg5uRiVvFjO1CZb7824=,tag:VrO9TPNCup0226ijhZmeYQ==,type:str]
#ENC[AES256_GCM,data:aazR5wt1o1hhEEfgIsasf7C0wA==,iv:yy9NTzzx84/lnId3IKTl7KuO6FOXoSMdfIvBqeeocNQ=,tag:OH5+E7lGT5pKSfH7A/mG8g==,type:comment]
id_snowbelle.pub: ENC[AES256_GCM,data:q4sOB8/SpcD36uE/+8OlE+vUZ1bO2RTDeVyyWK/PH89DTFBIfyAfyAzIJuw/Q9S8fNEGn4PqrNtP90wIPj85VQ7AlJzS2xSonp3D+ZHqUzLO1hN2ePnmme46KhVSJR3i,iv:T1CUXPUtwUqpivpitRSx4/lYoRleX65vrf6IOJQFXYg=,tag:eQP+jFWGZzambEwNvIx+HQ==,type:str] id_snowbelle.pub: ENC[AES256_GCM,data:q4sOB8/SpcD36uE/+8OlE+vUZ1bO2RTDeVyyWK/PH89DTFBIfyAfyAzIJuw/Q9S8fNEGn4PqrNtP90wIPj85VQ7AlJzS2xSonp3D+ZHqUzLO1hN2ePnmme46KhVSJR3i,iv:T1CUXPUtwUqpivpitRSx4/lYoRleX65vrf6IOJQFXYg=,tag:eQP+jFWGZzambEwNvIx+HQ==,type:str]
#ENC[AES256_GCM,data:7V0L0832xewUXU8/Bq469w==,iv:9bCzEpUcNx6qnCMomFweXgYmWwSMzdffDikjA22xu6E=,tag:F4S80e/EPXA0tS20KFRbXw==,type:comment]
id_snowbelle: ENC[AES256_GCM,data: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,iv:agf/LEjohw1XAXsOJJ78kiBVJnTT95IUmWzYUujSlJI=,tag:a55o9L85a9Z7gG9s5BEfIw==,type:str] id_snowbelle: ENC[AES256_GCM,data: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,iv:agf/LEjohw1XAXsOJJ78kiBVJnTT95IUmWzYUujSlJI=,tag:a55o9L85a9Z7gG9s5BEfIw==,type:str]
#ENC[AES256_GCM,data:ep/Z5O6RNFwTd0I5hvtk5DP9,iv:M7sclKcTR+IfCEsvz0lZaoZBRZlQsN/FhwuzFNXgVew=,tag:Ddo3Qf8tMBX9Amt7C9m5FA==,type:comment] #ENC[AES256_GCM,data:ep/Z5O6RNFwTd0I5hvtk5DP9,iv:M7sclKcTR+IfCEsvz0lZaoZBRZlQsN/FhwuzFNXgVew=,tag:Ddo3Qf8tMBX9Amt7C9m5FA==,type:comment]
klefki_pub.asc: ENC[AES256_GCM,data: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,iv:btQ5xmt/AA9vW1njJH4Inj6YmOBx6pGbHbsvCMbg7fI=,tag:DuQ4Wy9wX3mPQAVLLd6t1Q==,type:str] klefki_pub.asc: ENC[AES256_GCM,data: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,iv:btQ5xmt/AA9vW1njJH4Inj6YmOBx6pGbHbsvCMbg7fI=,tag:DuQ4Wy9wX3mPQAVLLd6t1Q==,type:str]
@@ -21,7 +23,7 @@ sops:
U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA== PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-02T01:48:31Z" lastmodified: "2025-11-12T01:06:16Z"
mac: ENC[AES256_GCM,data:PqzsUJ/L0tc7iu6KrHz/bu/n+IM3tPl1vgJr4D2reCjHBHvIwpmgR64TeYn5OA71DeqoFjnYnf6PyKH+Ambf0uTuYCcGEesvqd9oQHMZGK2Bea9K/kJxeBbHxc3MEtJ4BD8pbFs1jK7KAGKfwRaEi/E9v2gGU0Mpp7PymJDtXBE=,iv:+kFswnPGRGmNVlyXtyfT2flGM+c4YySg9z7rzw5QZFo=,tag:rE+3IGwe24vztQvUB0uZLA==,type:str] mac: ENC[AES256_GCM,data:kUWUwWHtGrbiKKr8gvhrhMhmWnxqRO2VNgP1LHxZ9ENpBqhtIj22o8D0BRr5WQHmtUISN1CPcEf13j/14rLVRyfLRvl/ofgrNmUboG4gbRPfUGov39gC+hmayeX3/vX9fTWBDThzWNBxNJgCj1k+nulw6c4XmQaPqYmE0/F+b7c=,iv:GZRbSCfI21LEqHWYEwC11G9jKtNGCtD534TRfmJiQns=,tag:Mwg8YLMGbsp3OC1K66Z3Wg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0