313 current 2025-10-11 18:01:55 25.05.20251006.20c4598 6.12.50 *

312 current 2025-10-11 17:54:46 25.05.20251006.20c4598 6.12.50 *
311 current 2025-10-11 17:44:24 25.05.20251006.20c4598 6.12.50 *
2025-10-11 18:08:36 -05:00 · 2025-10-11 18:02:03 -05:00 · 2025-10-11 17:54:48 -05:00 · 2025-10-11 17:44:27 -05:00 · 2025-10-11 17:42:29 -05:00 · 2025-10-11 17:35:22 -05:00
29 changed files with 1268 additions and 164 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 240 current  2025-10-10 21:55:37  25.05.20251006.20c4598  6.12.50                          *
+# generation: 313 current  2025-10-11 18:01:55  25.05.20251006.20c4598  6.12.50                          *
 {
  description = "blakes nix config";
  inputs = {
--- a/hosts/snowbelle/configuration.nix
+++ b/hosts/snowbelle/configuration.nix
@@ -20,12 +20,9 @@ in
      backups.enable = true;
      backups.repo = "/holocron/backups";
      sops.enable = true;
-      docker.enable = true;
+      podman.enable = true;
      syncthing.enable = true;
      tailscale.enable = true;
      vpns.enable = false;
      vpns.wg_mex = false;
      vpn-confinement.enable = false;
      nvidia.enable = true;
    };
    homelab = {
@@ -39,9 +36,10 @@ in
      jellyfin.enable = true;
      vaultwarden.enable = true;
      gitea.enable = true;
      glance.enable = true;
      qbittorrent.enable = true;
      immich.enable = true;
-      home-assistant.enable = true;
+      hass.enable = true;
      zigbee2mqtt.enable = true;
      mosquitto.enable = true;
      prowlarr.enable = true;
--- a/modules/homelab/default.nix
+++ b/modules/homelab/default.nix
@@ -27,6 +27,16 @@ in
      type = lib.types.str;
      description = "base domain used for reverse proxy";
    };
    public_domain = lib.mkOption {
      default = "blakedheld.xyz";
      type = lib.types.str;
      description = "base domain used for reverse proxy";
    };
    host_ip = lib.mkOption {
      default = "10.10.0.10";
      type = lib.types.str;
      description = "base domain used for reverse proxy";
    };
  };
  imports = [
--- a/modules/homelab/gameservers/minecraft_recpro/default.nix
+++ b/modules/homelab/gameservers/minecraft_recpro/default.nix
@@ -62,18 +62,19 @@ in
      wants = [ "network.target" ];
      serviceConfig = {
        User = "minecraft";
        Group = "minecraft";
        WorkingDirectory = srv.data_dir;
        UMask = "0007";
-        ExecStart = "${pkgs.openjdk21}/bin/java -Xmx${srv.ram} -jar ${srv.data_dir}/server.jar nogui";
+        ExecStart = "${pkgs.openjdk21}/bin/java -Xmx${srv.ram} -jar server.jar nogui";
-#        ExecStart = "${pkgs.tmux}/bin/tmux new-session -d -s mcrp-${name} '${pkgs.openjdk21}/bin/java -Xmx${srv.ram} -jar ${srv.data_dir}/server.jar nogui'";
+#        ExecStart = "${pkgs.tmux}/bin/tmux new-session -d -s mc-${name} '${pkgs.openjdk21}/bin/java -Xmx${srv.ram} -jar server.jar nogui'";
-#        ExecStop = "${pkgs.tmux}/bin/tmux send-keys -t mcrp-${name} C-c"; # stop server by sending Ctrl+C to tmux session
+#        ExecStop = "${pkgs.tmux}/bin/tmux send-keys -t mc-${name} C-c";
        Restart = "on-failure";
        KillMode = "process";
      };
      wantedBy = [ "multi-user.target" ];
    }) servers;
-    environment.systemPackages = with pkgs; [ openjdk21 mcrcon ];
+    environment.systemPackages = with pkgs; [ openjdk21 mcrcon tmux ];
    services.mysql = {
      enable = true;
@@ -128,9 +129,14 @@ in
    };
-
+    # add to backups
-
+    modules.system.backups.baks = lib.listToAttrs (
-     # add to backups
+      lib.mapAttrsToList (srv_name: cfg:
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+        {
          name = srv_name;                     # attribute key
          value = { paths = [ cfg.data_dir ]; }; # attribute value
        }
      ) servers
    );
  };
 }
--- a/modules/homelab/services/arr/bazarr/default.nix
+++ b/modules/homelab/services/arr/bazarr/default.nix
@@ -81,7 +81,17 @@ in
      };
    };
-     # add to backups
+    # add to glance
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.services.glance.links.mediastack = [{ 
      title = service; 
      url = "https://${cfg.url}"; 
      error-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      check-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      icon = "di:${service}"; }];
    # add to backups
    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/arr/prowlarr/default.nix
+++ b/modules/homelab/services/arr/prowlarr/default.nix
@@ -83,7 +83,17 @@ in
      };
    };
-     # add to backups
+    # add to glance
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.services.glance.links.mediastack = [{ 
      title = service; 
      url = "https://${cfg.url}"; 
      error-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      check-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      icon = "di:${service}"; }];
    # add to backups
    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/arr/radarr/default.nix
+++ b/modules/homelab/services/arr/radarr/default.nix
@@ -86,7 +86,17 @@ in
      };
    };
-     # add to backups
+    # add to glance
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.services.glance.links.mediastack = [{ 
      title = service; 
      url = "https://${cfg.url}"; 
      error-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      check-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      icon = "di:${service}"; }];
    # add to backups
    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/arr/sonarr/default.nix
+++ b/modules/homelab/services/arr/sonarr/default.nix
@@ -84,7 +84,17 @@ in
      };
    };
-     # add to backups
+    # add to glance
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.services.glance.links.mediastack = [{ 
      title = service; 
      url = "https://${cfg.url}"; 
      error-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      check-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      icon = "di:${service}"; }];
    # add to backups
    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/default.nix
+++ b/modules/homelab/services/default.nix
@@ -3,22 +3,24 @@
 {
  # services show up in glance in reverse import order lmao
  imports = [
-    ./jellyfin
+    ./smarthome/zigbee2mqtt
    ./vaultwarden
    ./gitea
    ./qbittorrent
    ./immich
    ./uptime-kuma
    ./nginx-proxy
    ./smarthome/homeassistant
-    ./smarthome/zigbee2mqtt
+    ./immich
    ./smarthome/mosquitto
    ./arr/prowlarr
    ./arr/flaresolverr
    ./arr/bazarr
-    ./arr/sonarr
+    ./arr/prowlarr
    ./qbittorrent
    ./arr/radarr
    ./arr/sonarr
    ./jellyfin
    ./nginx-proxy
    ./arr/flaresolverr
    ./smarthome/mosquitto
    ./uptime-kuma
    ./glance
  ];
 }
--- a/modules/homelab/services/default_temp.nix
+++ b/modules/homelab/services/default_temp.nix
@@ -85,6 +85,9 @@ in
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };
 # uncomment for service hosted publicly
 #---------------------------------------------------------------------------
 #     # external reverse proxy entry
 #     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
 #      forceSSL = true;
@@ -95,6 +98,22 @@ in
 #      };
 #    };
 #
 #    # add to glance public service
 #    modules.services.glance.links.<category> = [{
 #      title = service;
 #      url = "https://pass.${homelab.public_domain}";
 #      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
 #      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
 #      icon = "di:${service}"; }];
 #---------------------------------------------------------------------------
 #    # add to glance local service
 #    modules.services.glance.links.<category> = [{
 #      title = service;
 #      url = "https://${cfg.url}";
 #      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
 #      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
 #      icon = "di:${service}"; }];
 #
 #    sops.secrets = {
 #      "${service}_" = {
 #        owner = "${service}";
@@ -102,7 +121,9 @@ in
 #      };
 #    };
-     # add to backups
+    # add to backups
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/gitea/default.nix
+++ b/modules/homelab/services/gitea/default.nix
@@ -108,6 +108,14 @@ in
      };
    };
    # add to glance
    modules.services.glance.links.services = [{
      title = service;
      url = "https://git.${homelab.public_domain}";
      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
      icon = "di:${service}"; }];
    sops.secrets = {
      "${service}_database_password" = {
        owner = "${service}";
@@ -115,7 +123,9 @@ in
      };
    };
-     # add to backups
+    # add to backups
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/glance/default.nix
+++ b/modules/homelab/services/glance/default.nix
@@ -0,0 +1,256 @@
 { pkgs, config, lib, ... }:
 /*
 this is a wrapper module for glance that allows you to
 to pass monitor entries in with nix, all declaratively!
        |           <8yy>            |
        V                            V
    # add to glance
    modules.services.glance.links.mediastack = [{ 
      title = service; 
      url = "https://${cfg.url}"; 
      error-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      check-url = "http://${homelab.host_ip}:${toString cfg.port}"; 
      icon = "di:${service}";
      allow-insecure = true; }];
 */
 let
  service = "glance";
  cfg = config.modules.services.${service};
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
 in
 {
  options.modules.services.${service} = {
    enable = lib.mkEnableOption "enables ${service}";
    # set port options
    port = lib.mkOption {
      type = lib.types.int;
      default = 7700;
      description = "set port for ${service} (default: ${toString cfg.port}";
    };
    url = lib.mkOption {
      type = lib.types.str;
      default = "${homelab.base_domain}";
      description = "set domain for ${service}";
    };
    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };
    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and pid of ${service} user (matches port by default)";
    };
    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };
    links = {
      services = lib.mkOption {
        type = lib.types.listOf lib.types.attrs;
        default = [];
        description = "list of links for ${service}";
      };
      mediastack = lib.mkOption {
        type = lib.types.listOf lib.types.attrs;
        default = [];
        description = "list of links for ${service}";
      };
      system = lib.mkOption {
        type = lib.types.listOf lib.types.attrs;
        default = [];
        description = "list of links for ${service}";
      };
    };
  };
  config = lib.mkIf cfg.enable {
    # declare ${service} group
    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
    # declare ${service} user
    users.users.${service} = {
      description = "${service} server user";
      uid = lib.mkForce cfg.ids;
      isSystemUser = true;
      home = cfg.data_dir;
      createHome = true;
      group = "${service}";
      extraGroups = [];
    };
  services.${service} = {
      enable = true;
      openFirewall = true;
      settings = {
        server = {
          host = "0.0.0.0";
          port = cfg.port;
        };
       pages = [
          {
            name = "violet";
            hide-desktop-navigation = true;
            columns = [
              {
                size = "small";
                widgets = [
                  { type = "calendar"; first-day-of-week = "monday"; }
                  { type = "server-stats"; servers = [ { type = "local"; name = "violet"; } ]; }
                  {
                    type = "clock";
                    hour-format = "24h";
                    timezones = [
                      { timezone = "America/Chicago"; label = "HTX"; }
                      { timezone = "America/Denver"; label = "AF"; }
                    ];
                  }
                  { type = "twitch-channels"; channels = [ "mang0" "SaltSSBM" "thewaffle77" "ironmouse" "linustech" ]; }
                ];
              }
              {
                size = "full";
                widgets = [
                  {
                    type = "search";
                    autofocus = true;
                    search-engine = "https://www.ecosia.org/search?q={QUERY}";
                    new-tab = true;
                    bangs = [
                      { title = "YouTube"; shortcut = "!y"; url = "https://www.youtube.com/results?search_query={QUERY}"; }
                      { title = "Google"; shortcut = "!g"; url = "https://www.google.com/search?q={QUERY}"; }
                      { title = "Github"; shortcut = "!gh"; url = "https://github.com/search?q={QUERY}&type=repositories"; }
                    ];
                  }
                  {
                    type = "monitor";
                    cache = "1m";
                    title = "services";
                    sites = cfg.links.services;
 #                    sites = [
 #                      { title = "jellyfin"; url = "https://media.blakedheld.xyz"; icon = "di:jellyfin"; }
 #                      { title = "audiobookshelf"; url = "https://audiobooks.blakedheld.xyz"; icon = "di:audiobookshelf"; }
 #                      { title = "yacreader"; url = "http://10.10.0.30:3434"; icon = "/assets/icons/yacreader.png"; }
 #                      { title = "sonarr"; url = "http://10.10.0.30:3636"; icon = "di:sonarr"; }
 #                      { title = "qbittorrent"; url = "http://10.10.0.40:3333"; icon = "di:qbittorrent"; }
 #                      { title = "radarr"; url = "http://10.10.0.30:3737"; icon = "di:radarr"; }
 #                      { title = "kiwix"; url = "http://10.10.0.30:5050"; icon = "di:kiwix"; }
 #                      { title = "prowlarr"; url = "http://10.10.0.30:3535"; icon = "di:prowlarr"; }
 #                      { title = "bazarr"; url = "http://10.10.0.30:3838"; icon = "di:bazarr"; }
 #                    ];
                  }
                  {
                    type = "monitor";
                    cache = "1m";
                    title = "mediastack";
                    sites = cfg.links.mediastack;
 #                    [
 #                      { title = "immich"; url = "https://pics.blakedheld.xyz"; icon = "di:immich"; }
 #                      { title = "vaultwarden"; url = "https://pass.blakedheld.xyz"; icon = "di:vaultwarden"; }
 #                      { title = "gitea"; url = "https://git.blakedheld.xyz"; icon = "di:gitea"; }
 #                      { title = "home assistant"; url = "https://home.blakedheld.xyz"; icon = "di:home-assistant"; }
 #                      { title = "zigbee2mqtt"; url = "http://10.10.0.30:4142"; icon = "di:zigbee2mqtt"; }
 #                      { title = "syncthing"; url = "http://10.10.0.20:2222"; icon = "di:syncthing"; }
 #                      { title = "archivebox"; url = "http://10.10.0.30:5656"; icon = "sh:archivebox"; }
 #                      { title = "copyparty"; url = "http://10.10.0.20:3923"; icon = "sh:copyparty"; }
 #                    ];
                  }
                  {
                    type = "monitor";
                    cache = "1m";
                    title = "system";
                    sites = cfg.links.system;
 #                    [
 #                      { title = "proxmox"; url = "http://10.10.0.10:8006"; icon = "di:proxmox"; allow-insecure = true; }
 #                      { title = "nginx"; url = "http://10.10.0.30:8080"; icon = "di:nginx"; }
 #                      { title = "uptime kuma"; url = "http://10.10.0.30:8181"; icon = "di:uptime-kuma"; }
 #                      { title = "tn holocron"; url = "https://10.10.0.20"; icon = "di:truenas"; allow-insecure = true; }
 #                      { title = "bebe"; url = "https://10.10.0.1"; icon = "di:unifi"; allow-insecure = true; }
 #                    ];
                  }
                ];
              }
              {
                size = "small";
                widgets = [
                  { type = "weather"; location = "Pearland, Texas, United States"; units = "imperial"; hour-format = "24h"; }
                  {
                    type = "markets";
                    markets = [
                      { symbol = "SPY"; name = "S&P 500"; }
                      { symbol = "XMR-USD"; name = "Monero"; }
                      { symbol = "NVDA"; name = "NVIDIA"; }
                      { symbol = "AAPL"; name = "Apple"; }
                      { symbol = "MSFT"; name = "Microsoft"; }
                    ];
                  }
                  {
                    type = "releases";
                    cache = "1d";
                    repositories = [
                      "glanceapp/glance"
                      "go-gitea/gitea"
                      "immich-app/immich"
                      "syncthing/syncthing"
                    ];
                  }
                ];
              }
            ];
          }
        ];
  };
  };
    # override umask to make permissions work out
    systemd.services.${service}.serviceConfig = {
      UMask = lib.mkForce "0007";
 #      User = "${service}";
 #      Group = "${service}";
    };
 #    # open firewall
 #    networking.firewall.allowedTCPPorts = [ cfg.port ];
    # internal reverse proxy entry
    services.nginx.virtualHosts."${cfg.url}" = {
      forceSSL = true;
      sslCertificate = sec."ssl_blakedheld_crt".path;
      sslCertificateKey = sec."ssl_blakedheld_key".path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };
 #     # external reverse proxy entry
 #     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
 #      forceSSL = true;
 #      sslCertificate = sec."ssl_blakedheld_crt".path;
 #      sslCertificateKey = sec."ssl_blakedheld_key".path;
 #      locations."/" = {
 #        proxyPass = "http://127.0.0.1:${toString cfg.port}";
 #      };
 #    };
 #
 #    sops.secrets = {
 #      "${service}_" = {
 #        owner = "${service}";
 #        group = "${service}";
 #      };
 #    };
    # add to backups
    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/glance/default.nix.WORKING
+++ b/modules/homelab/services/glance/default.nix.WORKING
@@ -0,0 +1,230 @@
 { pkgs, config, lib, ... }:
 let
  service = "glance";
  cfg = config.modules.services.${service};
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
 in
 {
  options.modules.services.${service} = {
    enable = lib.mkEnableOption "enables ${service}";
    # set port options
    port = lib.mkOption {
      type = lib.types.int;
      default = 7700;
      description = "set port for ${service} (default: ${toString cfg.port}";
    };
    url = lib.mkOption {
      type = lib.types.str;
      default = "${homelab.base_domain}";
      description = "set domain for ${service}";
    };
    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };
    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and pid of ${service} user (matches port by default)";
    };
    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };
    pages = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options.description = lib.mkOption { type = lib.types.str; };
        options.url         = lib.mkOption { type = lib.types.str; };
        options.icon        = lib.mkOption { type = lib.types.str; };
        options.category    = lib.mkOption { type = lib.types.str; };
      });
      default = {};
      description = "configure the service for use in ${service}";
    };
  };
  config = lib.mkIf cfg.enable {
    # declare ${service} group
    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
    # declare ${service} user
    users.users.${service} = {
      description = "${service} server user";
      uid = lib.mkForce cfg.ids;
      isSystemUser = true;
      home = cfg.data_dir;
      createHome = true;
      group = "${service}";
      extraGroups = [];
    };
  services.${service} = {
      enable = true;
      openFirewall = true;
      settings = {
        server = {
          host = "0.0.0.0";
          port = cfg.port;
        };
       pages = [
          {
            name = "violet";
            hide-desktop-navigation = true;
            columns = [
              {
                size = "small";
                widgets = [
                  { type = "calendar"; first-day-of-week = "monday"; }
                  { type = "server-stats"; servers = [ { type = "local"; name = "violet"; } ]; }
                  {
                    type = "clock";
                    hour-format = "24h";
                    timezones = [
                      { timezone = "America/Chicago"; label = "HTX"; }
                      { timezone = "America/Denver"; label = "AF"; }
                    ];
                  }
                  { type = "twitch-channels"; channels = [ "mang0" "SaltSSBM" "thewaffle77" "ironmouse" "linustech" ]; }
                ];
              }
              {
                size = "full";
                widgets = [
                  {
                    type = "search";
                    autofocus = true;
                    search-engine = "https://www.ecosia.org/search?q={QUERY}";
                    new-tab = true;
                    bangs = [
                      { title = "YouTube"; shortcut = "!y"; url = "https://www.youtube.com/results?search_query={QUERY}"; }
                      { title = "Google"; shortcut = "!g"; url = "https://www.google.com/search?q={QUERY}"; }
                      { title = "Github"; shortcut = "!gh"; url = "https://github.com/search?q={QUERY}&type=repositories"; }
                    ];
                  }
                  {
                    type = "monitor";
                    cache = "1m";
                    title = "mediastack";
                    sites = [
                      { title = "jellyfin"; url = "https://media.blakedheld.xyz"; icon = "di:jellyfin"; }
                      { title = "audiobookshelf"; url = "https://audiobooks.blakedheld.xyz"; icon = "di:audiobookshelf"; }
                      { title = "yacreader"; url = "http://10.10.0.30:3434"; icon = "/assets/icons/yacreader.png"; }
                      { title = "sonarr"; url = "http://10.10.0.30:3636"; icon = "di:sonarr"; }
                      { title = "qbittorrent"; url = "http://10.10.0.40:3333"; icon = "di:qbittorrent"; }
                      { title = "radarr"; url = "http://10.10.0.30:3737"; icon = "di:radarr"; }
                      { title = "kiwix"; url = "http://10.10.0.30:5050"; icon = "di:kiwix"; }
                      { title = "prowlarr"; url = "http://10.10.0.30:3535"; icon = "di:prowlarr"; }
                      { title = "bazarr"; url = "http://10.10.0.30:3838"; icon = "di:bazarr"; }
                    ];
                  }
                  {
                    type = "monitor";
                    cache = "1m";
                    title = "services";
                    sites = [
                      { title = "immich"; url = "https://pics.blakedheld.xyz"; icon = "di:immich"; }
                      { title = "vaultwarden"; url = "https://pass.blakedheld.xyz"; icon = "di:vaultwarden"; }
                      { title = "gitea"; url = "https://git.blakedheld.xyz"; icon = "di:gitea"; }
                      { title = "home assistant"; url = "https://home.blakedheld.xyz"; icon = "di:home-assistant"; }
                      { title = "zigbee2mqtt"; url = "http://10.10.0.30:4142"; icon = "di:zigbee2mqtt"; }
                      { title = "syncthing"; url = "http://10.10.0.20:2222"; icon = "di:syncthing"; }
                      { title = "archivebox"; url = "http://10.10.0.30:5656"; icon = "sh:archivebox"; }
                      { title = "copyparty"; url = "http://10.10.0.20:3923"; icon = "sh:copyparty"; }
                    ];
                  }
                  {
                    type = "monitor";
                    cache = "1m";
                    title = "system";
                    sites = [
                      { title = "proxmox"; url = "http://10.10.0.10:8006"; icon = "di:proxmox"; allow-insecure = true; }
                      { title = "nginx"; url = "http://10.10.0.30:8080"; icon = "di:nginx"; }
                      { title = "uptime kuma"; url = "http://10.10.0.30:8181"; icon = "di:uptime-kuma"; }
                      { title = "tn holocron"; url = "https://10.10.0.20"; icon = "di:truenas"; allow-insecure = true; }
                      { title = "bebe"; url = "https://10.10.0.1"; icon = "di:unifi"; allow-insecure = true; }
                    ];
                  }
                ];
              }
              {
                size = "small";
                widgets = [
                  { type = "weather"; location = "Pearland, Texas, United States"; units = "imperial"; hour-format = "24h"; }
                  {
                    type = "markets";
                    markets = [
                      { symbol = "SPY"; name = "S&P 500"; }
                      { symbol = "XMR-USD"; name = "Monero"; }
                      { symbol = "NVDA"; name = "NVIDIA"; }
                      { symbol = "AAPL"; name = "Apple"; }
                      { symbol = "MSFT"; name = "Microsoft"; }
                    ];
                  }
                  {
                    type = "releases";
                    cache = "1d";
                    repositories = [
                      "glanceapp/glance"
                      "go-gitea/gitea"
                      "immich-app/immich"
                      "syncthing/syncthing"
                    ];
                  }
                ];
              }
            ];
          }
        ];
  };
  };
    # override umask to make permissions work out
    systemd.services.${service}.serviceConfig = {
      UMask = lib.mkForce "0007";
 #      User = "${service}";
 #      Group = "${service}";
    };
 #    # open firewall
 #    networking.firewall.allowedTCPPorts = [ cfg.port ];
    # internal reverse proxy entry
    services.nginx.virtualHosts."${cfg.url}" = {
      forceSSL = true;
      sslCertificate = sec."ssl_blakedheld_crt".path;
      sslCertificateKey = sec."ssl_blakedheld_key".path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };
 #     # external reverse proxy entry
 #     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
 #      forceSSL = true;
 #      sslCertificate = sec."ssl_blakedheld_crt".path;
 #      sslCertificateKey = sec."ssl_blakedheld_key".path;
 #      locations."/" = {
 #        proxyPass = "http://127.0.0.1:${toString cfg.port}";
 #      };
 #    };
 #
 #    sops.secrets = {
 #      "${service}_" = {
 #        owner = "${service}";
 #        group = "${service}";
 #      };
 #    };
    # add to backups
    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/glance/default.nix.hardswing
+++ b/modules/homelab/services/glance/default.nix.hardswing
@@ -0,0 +1,230 @@
 { pkgs, config, lib, ... }:
 let
  service = "glance";
  cfg = config.modules.services.${service};
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
 in
 {
  options.modules.services.${service} = {
    enable = lib.mkEnableOption "enables ${service}";
    # set port options
    port = lib.mkOption {
      type = lib.types.int;
      default = 7700;
      description = "set port for ${service} (default: ${toString cfg.port}";
    };
    url = lib.mkOption {
      type = lib.types.str;
      default = "${homelab.base_domain}";
      description = "set domain for ${service}";
    };
    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };
    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and pid of ${service} user (matches port by default)";
    };
    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };
    pages = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options.description = lib.mkOption { type = lib.types.str; };
        options.url         = lib.mkOption { type = lib.types.str; };
        options.icon        = lib.mkOption { type = lib.types.str; };
        options.category    = lib.mkOption { type = lib.types.str; };
      });
      default = {};
      description = "configure the service for use in ${service}";
    };
  };
  config = lib.mkIf cfg.enable {
    # declare ${service} group
    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
    # declare ${service} user
    users.users.${service} = {
      description = "${service} server user";
      uid = lib.mkForce cfg.ids;
      isSystemUser = true;
      home = cfg.data_dir;
      createHome = true;
      group = "${service}";
      extraGroups = [];
    };
  services.${service} = {
      enable = true;
      openFirewall = true;
      settings = {
        server = {
          host = "0.0.0.0";
          port = cfg.port;
        };
       pages = [
          {
            name = "violet";
            hide-desktop-navigation = true;
            columns = [
              {
                size = "small";
                widgets = [
                  { type = "calendar"; first-day-of-week = "monday"; }
                  { type = "server-stats"; servers = [ { type = "local"; name = "violet"; } ]; }
                  {
                    type = "clock";
                    hour-format = "24h";
                    timezones = [
                      { timezone = "America/Chicago"; label = "HTX"; }
                      { timezone = "America/Denver"; label = "AF"; }
                    ];
                  }
                  { type = "twitch-channels"; channels = [ "mang0" "SaltSSBM" "thewaffle77" "ironmouse" "linustech" ]; }
                ];
              }
              {
                size = "full";
                widgets = [
                  {
                    type = "search";
                    autofocus = true;
                    search-engine = "https://www.ecosia.org/search?q={QUERY}";
                    new-tab = true;
                    bangs = [
                      { title = "YouTube"; shortcut = "!y"; url = "https://www.youtube.com/results?search_query={QUERY}"; }
                      { title = "Google"; shortcut = "!g"; url = "https://www.google.com/search?q={QUERY}"; }
                      { title = "Github"; shortcut = "!gh"; url = "https://github.com/search?q={QUERY}&type=repositories"; }
                    ];
                  }
                  {
                    type = "monitor";
                    cache = "1m";
                    title = "mediastack";
                    sites = [
                      { title = "jellyfin"; url = "https://media.blakedheld.xyz"; icon = "di:jellyfin"; }
                      { title = "audiobookshelf"; url = "https://audiobooks.blakedheld.xyz"; icon = "di:audiobookshelf"; }
                      { title = "yacreader"; url = "http://10.10.0.30:3434"; icon = "/assets/icons/yacreader.png"; }
                      { title = "sonarr"; url = "http://10.10.0.30:3636"; icon = "di:sonarr"; }
                      { title = "qbittorrent"; url = "http://10.10.0.40:3333"; icon = "di:qbittorrent"; }
                      { title = "radarr"; url = "http://10.10.0.30:3737"; icon = "di:radarr"; }
                      { title = "kiwix"; url = "http://10.10.0.30:5050"; icon = "di:kiwix"; }
                      { title = "prowlarr"; url = "http://10.10.0.30:3535"; icon = "di:prowlarr"; }
                      { title = "bazarr"; url = "http://10.10.0.30:3838"; icon = "di:bazarr"; }
                    ];
                  }
                  {
                    type = "monitor";
                    cache = "1m";
                    title = "services";
                    sites = [
                      { title = "immich"; url = "https://pics.blakedheld.xyz"; icon = "di:immich"; }
                      { title = "vaultwarden"; url = "https://pass.blakedheld.xyz"; icon = "di:vaultwarden"; }
                      { title = "gitea"; url = "https://git.blakedheld.xyz"; icon = "di:gitea"; }
                      { title = "home assistant"; url = "https://home.blakedheld.xyz"; icon = "di:home-assistant"; }
                      { title = "zigbee2mqtt"; url = "http://10.10.0.30:4142"; icon = "di:zigbee2mqtt"; }
                      { title = "syncthing"; url = "http://10.10.0.20:2222"; icon = "di:syncthing"; }
                      { title = "archivebox"; url = "http://10.10.0.30:5656"; icon = "sh:archivebox"; }
                      { title = "copyparty"; url = "http://10.10.0.20:3923"; icon = "sh:copyparty"; }
                    ];
                  }
                  {
                    type = "monitor";
                    cache = "1m";
                    title = "system";
                    sites = [
                      { title = "proxmox"; url = "http://10.10.0.10:8006"; icon = "di:proxmox"; allow-insecure = true; }
                      { title = "nginx"; url = "http://10.10.0.30:8080"; icon = "di:nginx"; }
                      { title = "uptime kuma"; url = "http://10.10.0.30:8181"; icon = "di:uptime-kuma"; }
                      { title = "tn holocron"; url = "https://10.10.0.20"; icon = "di:truenas"; allow-insecure = true; }
                      { title = "bebe"; url = "https://10.10.0.1"; icon = "di:unifi"; allow-insecure = true; }
                    ];
                  }
                ];
              }
              {
                size = "small";
                widgets = [
                  { type = "weather"; location = "Pearland, Texas, United States"; units = "imperial"; hour-format = "24h"; }
                  {
                    type = "markets";
                    markets = [
                      { symbol = "SPY"; name = "S&P 500"; }
                      { symbol = "XMR-USD"; name = "Monero"; }
                      { symbol = "NVDA"; name = "NVIDIA"; }
                      { symbol = "AAPL"; name = "Apple"; }
                      { symbol = "MSFT"; name = "Microsoft"; }
                    ];
                  }
                  {
                    type = "releases";
                    cache = "1d";
                    repositories = [
                      "glanceapp/glance"
                      "go-gitea/gitea"
                      "immich-app/immich"
                      "syncthing/syncthing"
                    ];
                  }
                ];
              }
            ];
          }
        ];
  };
  };
    # override umask to make permissions work out
    systemd.services.${service}.serviceConfig = {
      UMask = lib.mkForce "0007";
 #      User = "${service}";
 #      Group = "${service}";
    };
 #    # open firewall
 #    networking.firewall.allowedTCPPorts = [ cfg.port ];
    # internal reverse proxy entry
    services.nginx.virtualHosts."${cfg.url}" = {
      forceSSL = true;
      sslCertificate = sec."ssl_blakedheld_crt".path;
      sslCertificateKey = sec."ssl_blakedheld_key".path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };
 #     # external reverse proxy entry
 #     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
 #      forceSSL = true;
 #      sslCertificate = sec."ssl_blakedheld_crt".path;
 #      sslCertificateKey = sec."ssl_blakedheld_key".path;
 #      locations."/" = {
 #        proxyPass = "http://127.0.0.1:${toString cfg.port}";
 #      };
 #    };
 #
 #    sops.secrets = {
 #      "${service}_" = {
 #        owner = "${service}";
 #        group = "${service}";
 #      };
 #    };
    # add to backups
    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/immich/default.nix
+++ b/modules/homelab/services/immich/default.nix
@@ -96,7 +96,17 @@ in
      };
    };
-     # add to backups
+    # add to glance
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir "/var/lib/redis-immich" ];
+    modules.services.glance.links.services = [{
      title = service;
      url = "https://photos.${homelab.public_domain}";
      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
      icon = "di:${service}"; }];
    # add to backups
    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir "/var/lib/redis-immich" ]; };
    };
  };
 }
--- a/modules/homelab/services/jellyfin/default.nix
+++ b/modules/homelab/services/jellyfin/default.nix
@@ -90,14 +90,17 @@ in
      };
    };
-#    sops.secrets = {
+    # add to glance
-#      "${service}_" = {
+    modules.services.glance.links.mediastack = [{
-#        owner = "${service}";
+      title = service;
-#        group = "${service}";
+      url = "https://media.${homelab.public_domain}";
-#      };
+      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
-#    };
+      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
      icon = "di:${service}"; }];
-     # add to backups
+    # add to backups
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/qbittorrent/default.nix
+++ b/modules/homelab/services/qbittorrent/default.nix
@@ -119,7 +119,17 @@ in
      };
    };
-     # add to backups
+    # add to glance
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.services.glance.links.mediastack = [{
      title = service;
      url = "https://${cfg.url}";
      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
      icon = "di:${service}"; }];
    # add to backups
    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/smarthome/homeassistant/default.nix
+++ b/modules/homelab/services/smarthome/homeassistant/default.nix
@@ -1,7 +1,8 @@
 { pkgs, config, lib, inputs, ... }:
 let
-  service = "home-assistant";
+  nixservice = "home-assistant";
  service = "hass";
  cfg = config.modules.services.${service};
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
@@ -18,12 +19,12 @@ in
    };
    url = lib.mkOption {
      type = lib.types.str;
-      default = "hass.${homelab.base_domain}";
+      default = "${service}.${homelab.base_domain}";
      description = "set domain for ${service}";
    };
    data_dir = lib.mkOption {
      type = lib.types.str;
-      default = "/var/lib/hass";
+      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };
    ids = lib.mkOption {
@@ -41,53 +42,49 @@ in
  config = lib.mkIf cfg.enable {
    # declare ${service} group
-    users.groups.hass = { gid = lib.mkForce cfg.ids; };
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
    # declare ${service} user
-    users.users.hass = {
+    users.users.${service} = {
      description = "${service} server user";
      uid = lib.mkForce cfg.ids;
      isSystemUser = true;
-      #home = cfg.data_dir;
+      home = cfg.data_dir;
-      #createHome = true;
+      createHome = true;
-      group = "hass";
+      group = service;
-      extraGroups = [ "bluetooth" ];
+      extraGroups = [];
    };
-    # enable the ${service} service
+    # still suss as fuck bro man fuck
-    services.${service} = {
+    virtualisation.oci-containers.containers = {
-      enable = true;
+      hass = {
-      package = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.home-assistant;
+        image = "homeassistant/home-assistant:stable";
-      extraComponents = [
+        autoStart = true;
-        # required for onboarding
+        extraOptions = [
-        "analytics"
+          "--pull=newer"
-        "google_translate"
+          "--network=host"
-        "met"
+        ];
-        "radio_browser"
+        volumes = [
-        "shopping_list"
+          "${cfg.data_dir}:/config"
-        # zlib
+        ];
-        "isal"
+#        ports = [
-      ];
+#          "0.0.0.0:7704:8123"
-      # imperative config
+#          "0.0.0.0:4141:4141"
-#      config = null;
+#        ];
-#      lovelaceConfig = null;
+        environment = {
-#      configDir = cfg.data_dir;
+          TZ = homelab.tz;
-      # declartive poggers!
+          PUID = toString config.users.users.${service}.uid;
-      config = {
+          PGID = toString config.users.groups.${service}.gid;
-        # Includes dependencies for a basic setup
+        };
        default_config = {};
      };
    };
    # override umask to make permissions work out
    systemd.services.${service}.serviceConfig = {
      UMask = lib.mkForce "0007";
      User = lib.mkForce "hass";
      Group = lib.mkForce "hass";
    };
-#    # open firewall
+    # open firewall
    networking.firewall.allowedTCPPorts = [ cfg.port 8123 ];
    # internal reverse proxy entry
@@ -95,28 +92,93 @@ in
      forceSSL = true;
      sslCertificate = sec."ssl_blakedheld_crt".path;
      sslCertificateKey = sec."ssl_blakedheld_key".path;
      extraConfig = ''
        proxy_buffering off;
      '';
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
        extraConfig = 
          "proxy_set_header Upgrade $http_upgrade;" + 
          "proxy_set_header Connection upgrade;"
        ;
      };
    };
     # external reverse proxy entry
-     services.nginx.virtualHosts."hass.blakedheld.xyz" = {
+     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
      forceSSL = true;
      sslCertificate = sec."ssl_blakedheld_crt".path;
      sslCertificateKey = sec."ssl_blakedheld_key".path;
      extraConfig = ''
        proxy_buffering off;
      '';
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
        extraConfig = 
          "proxy_set_header Upgrade $http_upgrade;" + 
          "proxy_set_header Connection upgrade;"
        ;
      };
    };
-#    sops.secrets = {
+    # add to glance
-#      "${service}_" = {
+    modules.services.glance.links.services = [{
-#        owner = "${service}";
+      title = "home assistant";
-#        group = "${service}";
+      url = "https://hass.${homelab.public_domain}";
-#      };
+      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
-#    };
+      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
      icon = "di:${nixservice}"; }];
-     # add to backups
+    # add to backups
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
 # here lies my tough, and I mean fucking tough, swing at
 # getting this to work bare metal, ggs ill see you again
 # - didnt take long
 # --------------------------------------------------------------------------------
 #    # enable the ${service} service
 #    services.${nixservice} = {
 #      enable = true;
 #      package = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.home-assistant;
 #      extraComponents = [
 #        # required for onboarding
 #        "analytics"
 #        "google_translate"
 #        "met"
 #        "radio_browser"
 #        "shopping_list"
 #        "isal"
 #        "default_config"
 #        "mqtt"
 #      ];
 #      extraPackages = python3Packages: with python3Packages; [
 #        psycopg2
 #        universal-silabs-flasher
 #        getmac
 #        zha
 #        ha-silabs-firmware-client
 #        paho-mqtt
 #        aiomqtt
 #        aiounifi
 #        ibeacon-ble
 #      ];
 #      # imperative config
 #      config = null;
 #      lovelaceConfig = null;
 #      configDir = cfg.data_dir;
 #      # declartive poggers!
 ##      config = {
 ##        # Includes dependencies for a basic setup
 ##        default_config = {};
 ##      };
 #    };
--- a/modules/homelab/services/smarthome/mosquitto/default.nix
+++ b/modules/homelab/services/smarthome/mosquitto/default.nix
@@ -60,8 +60,14 @@ in
      {
        port = 1883;
        address = "0.0.0.0";
-        settings.allow_anonymous = true;
+        users.zigbee = {
-        #passwordFile = sec."mosquitto_password_file".path;   # optional
+          acl = [ "readwrite #" ];
          hashedPassword = "$7$101$140powz2MtsRawFT$ydndjal9wCAywIWtUEAh/IusdfDFvnHMupTFjdS7Ad/EjsEIbJgHrLY9waCe4Z3142XieuxMrXUDjMTp2qwyiw==";
        };
        # use with no auth
 #        settings.allow_anonymous = true;
 #        acl = [ "pattern readwrite #" ];
 #        omitPasswordAuth = true;
      }
    ];
    # override umask to make permissions work out
@@ -71,27 +77,19 @@ in
      Group = "${service}";
    };
-#    # open firewall
+    # open firewall
    networking.firewall.allowedTCPPorts = [ cfg.port ];
 #    # internal reverse proxy entry
 #    services.nginx.virtualHosts."${cfg.url}" = {
 #      forceSSL = true;
 #      sslCertificate = sec."ssl_blakedheld_crt".path;
 #      sslCertificateKey = sec."ssl_blakedheld_key".path;
 #      locations."/" = {
 #        proxyPass = "http://127.0.0.1:${toString cfg.port}";
 #      };
 #    };
    sops.secrets = {
-      "${service}_password_file" = {
+      "${service}_hashed_passwd" = {
        owner = "${service}";
        group = "${service}";
      };
    };
-     # add to backups
+    # add to backups
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.system.backups.baks = {
     ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/smarthome/zigbee2mqtt/default.nix
+++ b/modules/homelab/services/smarthome/zigbee2mqtt/default.nix
@@ -18,7 +18,7 @@ in
    };
    url = lib.mkOption {
      type = lib.types.str;
-      default = "${service}.${homelab.base_domain}";
+      default = "z2m.${homelab.base_domain}";
      description = "set domain for ${service}";
    };
    data_dir = lib.mkOption {
@@ -61,7 +61,11 @@ in
      settings = {
          mqtt = {
            base_topic = "zigbee2mqtt";
            client_id = "zigbee2mqtt";
            server = "mqtt://localhost:1883";
            user = "!/run/secrets/mosquitto_passwd.yaml user";
            password = "!/run/secrets/mosquitto_passwd.yaml password";
            keepalive = 20;
          };
          serial = {
            port = "/dev/serial/by-id/usb-Itead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_V2_4a4e75d63653ef1198d728e0174bec31-if00-port0";
@@ -99,15 +103,25 @@ in
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };
 #
 #    sops.secrets = {
 #      "${service}_" = {
 #        owner = "${service}";
 #        group = "${service}";
 #      };
 #    };
-     # add to backups
+    # add to glance
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.services.glance.links.services = [{
      title = service;
      url = "https://${cfg.url}";
      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
      icon = "di:${service}"; }];
    sops.secrets = {
      "mosquitto_passwd.yaml" = {
        owner = "${service}";
        group = "${service}";
      };
    };
    # add to backups
    modules.system.backups.baks = {
     ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/homelab/services/uptime-kuma/default.nix
+++ b/modules/homelab/services/uptime-kuma/default.nix
@@ -60,6 +60,7 @@ in
      settings = 
      {
        PORT = toString cfg.port;
        HOST = "0.0.0.0";
      };
    };
@@ -83,7 +84,7 @@ in
      };
    };
 #     # external reverse proxy entry
-#     services.nginx.virtualHosts."uptime.blakedheld.xyz" = {
+#     services.nginx.virtualHosts."up.blakedheld.xyz" = {
 #      forceSSL = true;
 #      sslCertificate = sec."ssl_blakedheld_crt".path;
 #      sslCertificateKey = sec."ssl_blakedheld_key".path;
@@ -92,6 +93,14 @@ in
 #      };
 #    };
    # add to glance
    modules.services.glance.links.system = [{
      title = service;
      url = "https://${cfg.url}";
      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
      icon = "di:${service}"; }];
 #    sops.secrets = {
 #      "${service}_" = {
 #        owner = "${service}";
--- a/modules/homelab/services/vaultwarden/default.nix
+++ b/modules/homelab/services/vaultwarden/default.nix
@@ -103,6 +103,14 @@ in
      };
    };
    # add to glance
    modules.services.glance.links.services = [{
      title = service;
      url = "https://pass.${homelab.public_domain}";
      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
      icon = "di:${service}"; }];
    sops.secrets = {
      "${service}_admin_token" = {
        owner = "${service}";
@@ -111,6 +119,8 @@ in
    };
     # add to backups
-     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+    modules.system.backups.baks = {
      ${service} = { paths = [ cfg.data_dir ]; };
    };
  };
 }
--- a/modules/system/backups.nix
+++ b/modules/system/backups.nix
@@ -1,76 +1,123 @@
 { config, lib, pkgs, ... }:
 /*
 this module enables a backup script made with borg!
 to use import & set the options below
 to declare a backup add the following code
 to a module and it will backup all listed paths
 in a borg archive to the specified repo
      |     <3yy>    |
      V              V
  modules.system.backups.baks = {
    ${service} = { paths = [ cfg.data_dir ]; };
  };
 */
 let
  cfg = config.modules.system.backups;
  sec = config.sops.secrets;
  borg = "${pkgs.borgbackup}/bin/borg";
  backup_paths = lib.unique config.modules.system.backups.paths;
  passwd_file = config.sops.secrets."borg_passwd".path;
 in
 {
  options.modules.system.backups = {
    enable = lib.mkEnableOption "enables backups with borg";
    baks = lib.mkOption {
      type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
      default = {};
      description = "backup jobs, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
    };
    paths = lib.mkOption {
-      type = lib.types.listOf lib.types.path;
+      type = lib.types.list;
      default = [];
      description = "list of directories to back up";
    };
    repo = lib.mkOption {
      type = lib.types.path;
      default = "/holocron/borg";
      description = "borg repository path";
    };
-    passphraseFile = lib.mkOption {
+    passwd_file = lib.mkOption {
      type = lib.types.path;
-      default = passwd_file;
+      default = sec."borg_passwd".path;
      description = "borg repository passphrase file";
    };
  };
-  config = lib.mkIf (cfg.enable && backup_paths != []) {
+  config = lib.mkIf (cfg.enable && cfg.baks != {}) {
 #    systemd.tmpfiles.rules = [
 #      "d ${cfg.repo} 0755 root root"
 #    ];
    systemd.services.backups = {
      description = "backup service with borg!";
      path = [ pkgs.borgbackup ];
      serviceConfig = {
        Type = "oneshot";
-        EnvironmentFile = config.modules.system.backups.passphraseFile;
+#        EnvironmentFile = config.modules.system.backups.passphraseFile;
        # the actual script borg is using
        ExecStart = pkgs.writeShellScript "borg-backup" ''
          set -euo pipefail
-          export BORG_PASSPHRASE="$(cat ${passwd_file})"
+          export BORG_PASSPHRASE="$(cat ${cfg.passwd_file})"
          export BORG_REPO="${cfg.repo}"
-          timestamp="$(date +'%Y-%m-%dT%H:%M:%S')"
+          timestamp="$(date +'%Y-%m-%d_%H:%M:%S')"
          mode=all
-          # Initialize repo if it doesn't exist
+          # init repo in needed
          if ! borg info "$BORG_REPO" >/dev/null 2>&1; then
-            echo "init borg repo at $BORG_REPO"
+            echo "Initializing Borg repo at $BORG_REPO"
            borg init --encryption=repokey "$BORG_REPO"
          fi
-          # Create backup
+          borg break-lock "$BORG_REPO" || true
          echo "starting backup..."
          borg create \
            --verbose \
            --filter AME \
            --list \
            --stats \
            --show-rc \
            --compression lz4 \
            "$BORG_REPO::${toString config.networking.hostName}-$timestamp" \
            ${lib.concatStringsSep " " cfg.paths}
-          # Prune old backups according to retention policy
+          echo "starting backup at $timestamp"
          echo "Pruning old backups..."
          borg prune -v --list "$BORG_REPO" \
            --keep-daily=7 \
            --keep-weekly=52 \
            --keep-monthly=-1
-          echo "$timestamp - backup completed successfully."
+          if [ "$mode" = "sep" ]; then
            # loop for each backup
            ${lib.concatStringsSep "\n\n" (lib.mapAttrsToList (bak_name: bak_paths:
              ''
                echo "------------ Backing up ${bak_name} ------------"
                archive="$timestamp-${bak_name}"
                echo "backing up: ${lib.concatStringsSep " " bak_paths.paths} → $archive"
                borg create \
                  --verbose \
                  --filter AME \
                  --list \
                  --stats \
                  --show-rc \
                  --compression lzma,9 \
                  "$BORG_REPO::$archive" \
                  ${lib.concatStringsSep " " bak_paths.paths}
              echo "pruning old backups for ${bak_name}..."
              borg prune -v --list "$BORG_REPO" \
                --prefix "${bak_name}-" \
                --keep-daily=7 \
                --keep-weekly=52 \
                --keep-monthly=-1
              echo "backup run complete at \"$BORG_REPO::$archive\""
              ''
            ) cfg.baks)}
          else
          # flatten all paths from cfg.baks into one big list
            all_paths="${
              lib.concatStringsSep " "
              (lib.flatten
                (lib.mapAttrsToList (_: bak: bak.paths) cfg.baks))
            }"
              borg create \
                --verbose \
                --filter AME \
                --list \
                --stats \
                --show-rc \
                --compression lzma,9 \
                "$BORG_REPO::$timestamp-${toString config.networking.hostName}" \
                $all_paths
              echo "pruning old backups for ${toString config.networking.hostName}..."
              borg prune -v --list "$BORG_REPO" \
                --prefix "${toString config.networking.hostName}" \
                --keep-daily=7 \
                --keep-weekly=52 \
                --keep-monthly=-1
            echo "backup run complete at \"$BORG_REPO::${toString config.networking.hostName}\""
          fi
        '';
      };
    };
@@ -97,6 +144,3 @@ in
    };
  };
 }
 # add to modules
 # modules.system.backups.paths = lib.mkIf cfg.backups [ <path> ];
--- a/modules/system/backups.nix.bak
+++ b/modules/system/backups.nix.bak
@@ -0,0 +1,102 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.modules.system.backups;
  borg = "${pkgs.borgbackup}/bin/borg";
  backup_paths = lib.unique config.modules.system.backups.paths;
  passwd_file = config.sops.secrets."borg_passwd".path;
 in
 {
  options.modules.system.backups = {
    enable = lib.mkEnableOption "enables backups with borg";
    paths = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [];
      description = "list of directories to back up";
    };
    repo = lib.mkOption {
      type = lib.types.path;
      default = "/holocron/borg";
      description = "borg repository path";
    };
    passphraseFile = lib.mkOption {
      type = lib.types.path;
      default = passwd_file;
      description = "borg repository passphrase file";
    };
  };
  config = lib.mkIf (cfg.enable && backup_paths != []) {
 #    systemd.tmpfiles.rules = [
 #      "d ${cfg.repo} 0755 root root"
 #    ];
    systemd.services.backups = {
      description = "backup service with borg!";
      path = [ pkgs.borgbackup ];
      serviceConfig = {
        Type = "oneshot";
        EnvironmentFile = config.modules.system.backups.passphraseFile;
        # the actual script borg is using
        ExecStart = pkgs.writeShellScript "borg-backup" ''
          set -euo pipefail
          export BORG_PASSPHRASE="$(cat ${passwd_file})"
          export BORG_REPO="${cfg.repo}"
          timestamp="$(date +'%Y-%m-%dT%H:%M:%S')"
          # Initialize repo if it doesn't exist
          if ! borg info "$BORG_REPO" >/dev/null 2>&1; then
            echo "init borg repo at $BORG_REPO"
            borg init --encryption=repokey "$BORG_REPO"
          fi
          # Create backup
          echo "starting backup..."
          borg create \
            --verbose \
            --filter AME \
            --list \
            --stats \
            --show-rc \
            --compression lzma,9 \
            "$BORG_REPO::${toString config.networking.hostName}-$timestamp" \
            ${lib.concatStringsSep " " cfg.paths}
          # Prune old backups according to retention policy
          echo "Pruning old backups..."
          borg prune -v --list "$BORG_REPO" \
            --keep-daily=7 \
            --keep-weekly=52 \
            --keep-monthly=-1
          echo "$timestamp - backup completed successfully."
        '';
      };
    };
    # create timer to run backups daily
    systemd.timers.backups = {
      description = "daily borg backup timer";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
      };
    };
    # install borg binary
    environment.systemPackages = [ pkgs.borgbackup ];
    # declare secret for repo password
    sops.secrets = {
      "borg_passwd" = { 
        owner = "root";
        group = "root";
      };
    };
  };
 }
 # add to modules
 # modules.system.backups.paths = lib.mkIf cfg.backups [ <path> ];
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -6,6 +6,7 @@
    ./backups.nix
    ./sops.nix
    ./docker.nix
    ./podman.nix
    ./tailscale.nix
    ./vpns.nix
    ./vpn-confinement.nix
@@ -23,4 +24,9 @@
  modules.system.syncthing.enable = lib.mkDefault false;
  modules.system.nvidia.enable = lib.mkDefault false;
 #  modules.system.backups.baks = {
 #    ${service} = { paths = [ cfg.data_dir ]; };
 #  };
 }
--- a/modules/system/podman.nix
+++ b/modules/system/podman.nix
@@ -0,0 +1,24 @@
 { pkgs, config, lib, ... }:
 let
  cfg = config.modules.system.podman;
 in
 {
  options.modules.system.podman = {
    enable = lib.mkEnableOption "enables podman";
  };
  config = lib.mkIf cfg.enable {
    virtualisation = {
      oci-containers.backend = "podman";
      podman = {
        enable = true;
        dockerCompat = true;
        autoPrune.enable = true;
        defaultNetwork.settings = {
          dns_enabled = true;
        };
      };
    };
  };
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -20,11 +20,12 @@ vpncon_mex_config: ENC[AES256_GCM,data:4i356X97sBoRliskmh5ewcEwZHkpo37IhPcemKVdW
 vaultwarden_admin_token: ENC[AES256_GCM,data:G1v3N064ci0Fw5EtTzaryailWpsv6f4w6eoHp2vjXIBtIlScdQk1Q0W+eDNRk8Wr2C3ysTXQNbyYismNsls+jeS3W+YqkKL4fnh3a5UTzQrMqvaH11n3ak0X9R9vmt+ZJXBrUrAOKJ6RPHJJSWenhjDB77kwEdQ=,iv:f8X+x/AdmZ3b3dtcSFrxGgA2tCgDRpgddjlVu3mdCmM=,tag:c0MXljVvhwOdvrb/8hWlsQ==,type:str]
 #ENC[AES256_GCM,data:2ESzSsQZqKdjD7OXN8ZPThj6g9acJREe,iv:aDFPB0vs8NNo8ExLcJw7qtQvWbCb1XK6TJrHSK86qss=,tag:z+dypHAGUjEXP7Y9MHYWwg==,type:comment]
 gitea_database_password: ENC[AES256_GCM,data:nhFn0/G7gW5rk996OZzlcTt7T9KMbP8MNM+ReFC8w1H9ZqBSJUbs3K+n68uQVrkOVSXE0cKpOR1VbQ+i+46z3g==,iv:bT4GRZZ83v47/EmeV2KaUFo+4qTT4T2AktFUpPiZdF4=,tag:OC9TInkAr1egM+xnBDizxw==,type:str]
 #ENC[AES256_GCM,data:nbB5Cd7i/KTMCjCzcX8o1sxREZQ/gLAG,iv:iyuO2erxdJM08WHJBjKuNIXYxVhH7rfyOLTcGCcGqNQ=,tag:UeDszimXv8kQUmDetLeFqg==,type:comment]
 mosquitto_password_file: ENC[AES256_GCM,data:7ifs2hGnFQSgJOAKpN0usfiaqLjj7Rjb7zn1/qBDbqEi5hV0JfUncZGorBivR/+kjXHQO6nxaHcKqYvPedNdJ7Qy4/uil/xwgwSmzcbisdVYkhd2pf/N34EQFxmqohud0aTH9V47QbgTdrUPfvsiL+ljLvLu4w==,iv:z7YPIfJHHaLOJrDVnMQhgcMzYAPordFR11kHRAzZqYU=,tag:LRddczdvy01YTm2DFDgSJQ==,type:str]
 #ENC[AES256_GCM,data:HJ81OxRD2xtNZKv+8oDqiT8mYpv45JMvjxU5pdmEKzl64SK3lQ==,iv:wStoC6XaZlvRPfbqti2CUbPrOOTt4KktaUp2ecVrggU=,tag:isOwKfNdQZAM+E8YQXBSFA==,type:comment]
 velocity_forwarding: ENC[AES256_GCM,data:MUNhW3q0/klK51k3,iv:dGT5N+IrZfBxMIwa0mUrIKF2HJvx/uZ5o/ps6bgDNOE=,tag:KNY2LKwmmnCdWqRnxSKctw==,type:str]
 minecraft_recpro_db_passwd: ENC[AES256_GCM,data:dPAkdEX0hBigo/lND2r3ShxnS4Jc5wTI2ShcKnvjig==,iv:WjPugYspUvhy6TAh5UF3etvxTZjAPe3bkgFxIkh6FDw=,tag:h9LGoxp2x8PHxcP8fEkSlA==,type:str]
 #ENC[AES256_GCM,data:nbB5Cd7i/KTMCjCzcX8o1sxREZQ/gLAG,iv:iyuO2erxdJM08WHJBjKuNIXYxVhH7rfyOLTcGCcGqNQ=,tag:UeDszimXv8kQUmDetLeFqg==,type:comment]
 mosquitto_hashed_passwd: ENC[AES256_GCM,data:k1Lnr8ZTDpzXMoRmRH61X41boX/D8Rm1KPh7x3/IHFo+XKIOUQns53iA+7e7Ohp8uWSthDlOk4SlRvTXdUNiEz7Zmw9LYwy7BHbwpNo2pFApAye1ORPrMrhMUkUfgBgc8oqPPyRXmmrOAFp6GBbRhg==,iv:D8wQL9iF0rqOte5X24kDTVjYUJXbZSLz0Ykbp0HqmYo=,tag:RUCgO1uKPIdumSo563cg1Q==,type:str]
 mosquitto_passwd.yaml: ENC[AES256_GCM,data:9xwHiUaQ6zG/4rkRemXtbRJ/KEV4yajqyYlcXRR1eAQ2XijYOzitPjt53h3FPqp5rxl6dJerXNH5CiZZK3t1l339NxNseJFGVmIHitWJxNmGJMlG3M8r8Q==,iv:C6WWZuVkYaasB2pol3uf4Mc3d/lDEgt2pKX+dHl/Cr4=,tag:jYTC6RKF2TzDSwSUh6D8zQ==,type:str]
 sops:
    age:
        - recipient: age14gfh682a7m7jfp3qrulql03x5rs7yedwmxwksxrrmgjsunstyuksqx93pz
@@ -36,7 +37,7 @@ sops:
            U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
            PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-10T08:43:27Z"
+    lastmodified: "2025-10-11T10:14:22Z"
-    mac: ENC[AES256_GCM,data:3mH0+EY8MFLe78x38CFyWY7CzgkRftAAy25y6lWcqeY8U6XT9CCenaL6vsbZO5j1ypXMtYMlJOO2VFgM5SmbdEKY1rzZldNOoyeMpfV/hHRI6Gm1dD9IyXFFISb12MhO3kt/stWRs84ufGkKe/BpjcurnFlbCAy064cQd9Knu1Y=,iv:KZOlNj/WkbhwgY/OvuY+emTtYftaFZWi+CFIZwFfXiw=,tag:adndDqlpqiVx6VYqKLVETQ==,type:str]
+    mac: ENC[AES256_GCM,data:80GGFasWeFt8D6clEJ8xO2xLQG+xRrekNeu2M7VMvFyPaigYPWz1oMTN4zmbWSX+MCpc/EZuP3rRm7o33embAY3z4qxKuXexTwn4a36xHr1aNCSE5JYXnc3d+e48MnOD284QTWJD1+SEQ2pt2OraDa73HGYckUXz0g9yduLx4tc=,iv:mFLSg+C6BbNu5cneSJZE6tdZGmxHDfHCeVscWZtHB8k=,tag:GP8wpdwstFtIFxuoUPi/3g==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/users/blake/dotfiles/lf/lfrc
+++ b/users/blake/dotfiles/lf/lfrc
@@ -28,13 +28,14 @@ map ] half-down
 # files & archives
 map ad mkdir
 map af mkfile
 map ab mkbak
 map ae extract
 map aa archive
 # trash
 map gt cd ~/.local/share/Trash/files
 map <delete> trash
-map <s-delete> $trash-restore
+map <s-delete> $trash restore
 # --- functions ---
@@ -78,7 +79,7 @@ cmd archive %{{
 }}
 # move files to trash
-cmd trash %IFS="$(printf '\n\t')"; trash-put $fx
+cmd trash %IFS="$(printf '\n\t')"; trash put $fx
 # make a directory
 cmd mkdir %{{
@@ -100,4 +101,10 @@ cmd mkfile %{{
    fi
 }}
 # make backup
 cmd mkbak %{{
  for x in $fx; do
    cp $x $x.bak
  done
 }}
--- a/users/blake/home.nix
+++ b/users/blake/home.nix
@@ -14,6 +14,7 @@
      imagemagick
      sops
      usbutils
      trashy
  ];