idk some stuff, mostly 25.11 and opencode stuff

.direnv/flake-profile-a5d5b61aa8a61b7d9d765e1daf971a9a578f1cfa.rc

@@ -35,7 +35,7 @@ NIX_CC='/nix/store/kaj8d1zcn149m40s9h0xi0khakibiphz-gcc-wrapper-14.3.0'
 export NIX_CC
 NIX_CC_WRAPPER_TARGET_HOST_x86_64_unknown_linux_gnu='1'
 export NIX_CC_WRAPPER_TARGET_HOST_x86_64_unknown_linux_gnu
-NIX_CFLAGS_COMPILE=' -frandom-seed=5s10b8rs3j -isystem /nix/store/8znh07lsz9q2fdp6fgcdwwv035xxfrl1-nix-2.28.4-dev/include -isystem /nix/store/qwnz3z0hf5pdhwsn92dc9lhlq4a3lsqk-boehm-gc-8.2.8-dev/include -isystem /nix/store/235hvgzcbl06fxy53515q8sr6lljvf68-nlohmann_json-3.11.3/include -isystem /nix/store/a5b9czim7vrihag71f8dy1c467qh3mph-libarchive-3.8.0-dev/include -isystem /nix/store/0vy272ral6dwzx96wkvd90l37v0gdrk7-attr-2.5.2-dev/include -isystem /nix/store/ra69jxg2pnnjymvkn83mfr7cnhllmwnj-acl-2.3.2-dev/include -isystem /nix/store/8znh07lsz9q2fdp6fgcdwwv035xxfrl1-nix-2.28.4-dev/include -isystem /nix/store/qwnz3z0hf5pdhwsn92dc9lhlq4a3lsqk-boehm-gc-8.2.8-dev/include -isystem /nix/store/235hvgzcbl06fxy53515q8sr6lljvf68-nlohmann_json-3.11.3/include -isystem /nix/store/a5b9czim7vrihag71f8dy1c467qh3mph-libarchive-3.8.0-dev/include -isystem /nix/store/0vy272ral6dwzx96wkvd90l37v0gdrk7-attr-2.5.2-dev/include -isystem /nix/store/ra69jxg2pnnjymvkn83mfr7cnhllmwnj-acl-2.3.2-dev/include'
+NIX_CFLAGS_COMPILE=' -frandom-seed=bsnbf5cn1y -isystem /nix/store/qrp30zrv029hzlrhpavhjl89w7sfhyih-nix-2.28.5-dev/include -isystem /nix/store/qwnz3z0hf5pdhwsn92dc9lhlq4a3lsqk-boehm-gc-8.2.8-dev/include -isystem /nix/store/vgi5jkglabcvmhsrp8wixg1r2dhjyvva-nlohmann_json-3.11.3/include -isystem /nix/store/m3nkjvz6dcz1yy0j82d2ihkyxagiqxdm-libarchive-3.8.0-dev/include -isystem /nix/store/0vy272ral6dwzx96wkvd90l37v0gdrk7-attr-2.5.2-dev/include -isystem /nix/store/ra69jxg2pnnjymvkn83mfr7cnhllmwnj-acl-2.3.2-dev/include -isystem /nix/store/qrp30zrv029hzlrhpavhjl89w7sfhyih-nix-2.28.5-dev/include -isystem /nix/store/qwnz3z0hf5pdhwsn92dc9lhlq4a3lsqk-boehm-gc-8.2.8-dev/include -isystem /nix/store/vgi5jkglabcvmhsrp8wixg1r2dhjyvva-nlohmann_json-3.11.3/include -isystem /nix/store/m3nkjvz6dcz1yy0j82d2ihkyxagiqxdm-libarchive-3.8.0-dev/include -isystem /nix/store/0vy272ral6dwzx96wkvd90l37v0gdrk7-attr-2.5.2-dev/include -isystem /nix/store/ra69jxg2pnnjymvkn83mfr7cnhllmwnj-acl-2.3.2-dev/include'
 export NIX_CFLAGS_COMPILE
 NIX_CONFIG='experimental-features = nix-command flakes'
 export NIX_CONFIG
@@ -43,7 +43,7 @@ NIX_ENFORCE_NO_NATIVE='1'
 export NIX_ENFORCE_NO_NATIVE
 NIX_HARDENING_ENABLE='bindnow format fortify fortify3 pic relro stackclashprotection stackprotector strictoverflow zerocallusedregs'
 export NIX_HARDENING_ENABLE
-NIX_LDFLAGS='-rpath /home/anish/usr/helm/outputs/out/lib  -L/nix/store/mrbslgynzhg5jfc05x2rlnsykzcxp2v0-boehm-gc-8.2.8/lib -L/nix/store/ik62z14lxr205b5gzfh4cjcla6gh9l6z-attr-2.5.2/lib -L/nix/store/8smmj5gbhnnqaf28qxak4xv57ccgm96p-acl-2.3.2/lib -L/nix/store/y130gnbp2qkfq6svqdv0s61b3m4043yp-libarchive-3.8.0-lib/lib -L/nix/store/7q9ll9pjrdfdb3qyfza2bzrk829izk9s-nix-2.28.4/lib -L/nix/store/mrbslgynzhg5jfc05x2rlnsykzcxp2v0-boehm-gc-8.2.8/lib -L/nix/store/ik62z14lxr205b5gzfh4cjcla6gh9l6z-attr-2.5.2/lib -L/nix/store/8smmj5gbhnnqaf28qxak4xv57ccgm96p-acl-2.3.2/lib -L/nix/store/y130gnbp2qkfq6svqdv0s61b3m4043yp-libarchive-3.8.0-lib/lib -L/nix/store/7q9ll9pjrdfdb3qyfza2bzrk829izk9s-nix-2.28.4/lib'
+NIX_LDFLAGS='-rpath /home/anish/usr/helm/outputs/out/lib  -L/nix/store/mrbslgynzhg5jfc05x2rlnsykzcxp2v0-boehm-gc-8.2.8/lib -L/nix/store/ik62z14lxr205b5gzfh4cjcla6gh9l6z-attr-2.5.2/lib -L/nix/store/8smmj5gbhnnqaf28qxak4xv57ccgm96p-acl-2.3.2/lib -L/nix/store/4w8f5zmwdsalc5ichgj074rawiswplw2-libarchive-3.8.0-lib/lib -L/nix/store/snkahy53v6zxppa45sbvlr0pl2846x3h-nix-2.28.5/lib -L/nix/store/mrbslgynzhg5jfc05x2rlnsykzcxp2v0-boehm-gc-8.2.8/lib -L/nix/store/ik62z14lxr205b5gzfh4cjcla6gh9l6z-attr-2.5.2/lib -L/nix/store/8smmj5gbhnnqaf28qxak4xv57ccgm96p-acl-2.3.2/lib -L/nix/store/4w8f5zmwdsalc5ichgj074rawiswplw2-libarchive-3.8.0-lib/lib -L/nix/store/snkahy53v6zxppa45sbvlr0pl2846x3h-nix-2.28.5/lib'
 export NIX_LDFLAGS
 NIX_NO_SELF_RPATH='1'
 NIX_STORE='/nix/store'
@@ -58,7 +58,7 @@ OLDPWD=''
 export OLDPWD
 OPTERR='1'
 OSTYPE='linux-gnu'
-PATH='/nix/store/53cx9nd6i328f9zqsgx6sh1krsngy5jl-attr-2.5.2-bin/bin:/nix/store/61066bhvr54xkl2ssippfa5qylwgafqf-acl-2.3.2-bin/bin:/nix/store/8fq8mhb1dlwzgq7xfaxwgn0x623yjb43-libarchive-3.8.0/bin:/nix/store/7q9ll9pjrdfdb3qyfza2bzrk829izk9s-nix-2.28.4/bin:/nix/store/hr950wkqix97b759inrbxvljkqxj5113-home-manager-0-unstable-2025-05-13/bin:/nix/store/3kwbkj8xnzw5787gbannr741bczjkrq6-git-2.50.1/bin:/nix/store/s801pmgfwy4nifm72s638v0m4f32pnc5-agenix-0.15.0/bin:/nix/store/vlc65hzrqq9a29m7j0sb4hpqlwn0ny56-deploy-rs-0-unstable-2025-06-05/bin:/nix/store/dgqa38y4hxyw30g6bvrgd18750h364vr-dnscontrol-4.20.0/bin:/nix/store/g7i75czfbw9sy5f8v7rjbama6lr3ya3s-patchelf-0.15.0/bin:/nix/store/kaj8d1zcn149m40s9h0xi0khakibiphz-gcc-wrapper-14.3.0/bin:/nix/store/8adzgnxs3s0pbj22qhk9zjxi1fqmz3xv-gcc-14.3.0/bin:/nix/store/p2ixvjsas4qw58dcwk01d22skwq4fyka-glibc-2.40-66-bin/bin:/nix/store/rry6qingvsrqmc7ll7jgaqpybcbdgf5v-coreutils-9.7/bin:/nix/store/87zpmcmwvn48z4lbrfba74b312h22s6c-binutils-wrapper-2.44/bin:/nix/store/ap35np2bkwaba3rxs3qlxpma57n2awyb-binutils-2.44/bin:/nix/store/rry6qingvsrqmc7ll7jgaqpybcbdgf5v-coreutils-9.7/bin:/nix/store/392hs9nhm6wfw4imjllbvb1wil1n39qx-findutils-4.10.0/bin:/nix/store/xw0mf3shymq3k7zlncf09rm8917sdi4h-diffutils-3.12/bin:/nix/store/4rpiqv9yr2pw5094v4wc33ijkqjpm9sa-gnused-4.9/bin:/nix/store/l2wvwyg680h0v2la18hz3yiznxy2naqw-gnugrep-3.11/bin:/nix/store/c1z5j28ndxljf1ihqzag57bwpfpzms0g-gawk-5.3.2/bin:/nix/store/w60s4xh1pjg6dwbw7j0b4xzlpp88q5qg-gnutar-1.35/bin:/nix/store/xd9m9jkvrs8pbxvmkzkwviql33rd090j-gzip-1.14/bin:/nix/store/w1pxx760yidi7n9vbi5bhpii9xxl5vdj-bzip2-1.0.8-bin/bin:/nix/store/xk0d14zpm0njxzdm182dd722aqhav2cc-gnumake-4.4.1/bin:/nix/store/cfqbabpc7xwg8akbcchqbq3cai6qq2vs-bash-5.2p37/bin:/nix/store/gj54zvf7vxll1mzzmqhqi1p4jiws3mfb-patch-2.7.6/bin:/nix/store/22rpb6790f346c55iqi6s9drr5qgmyjf-xz-5.8.1-bin/bin:/nix/store/xlmpcglsq8l09qh03rf0virz0331pjdc-file-5.45/bin'
+PATH='/nix/store/53cx9nd6i328f9zqsgx6sh1krsngy5jl-attr-2.5.2-bin/bin:/nix/store/61066bhvr54xkl2ssippfa5qylwgafqf-acl-2.3.2-bin/bin:/nix/store/8qrd9bfl0yr0spdbimsv6ix1gb7r8w10-libarchive-3.8.0/bin:/nix/store/snkahy53v6zxppa45sbvlr0pl2846x3h-nix-2.28.5/bin:/nix/store/1mklr29rdhl7072brp03vlra75bkyh9w-home-manager-0-unstable-2025-05-13/bin:/nix/store/v2rxk9xkcxsas64wl7ds31al15cm2wqd-git-2.50.1/bin:/nix/store/k9gakjp7zjj76f0c6prh92bc5gi5yylj-agenix-0.15.0/bin:/nix/store/yfklc5p2srylw8v0rfwziaci7fmzfxnh-deploy-rs-0-unstable-2025-06-05/bin:/nix/store/pp2ln0rw9qj8kc6g9ibqkw4n98bidnd0-dnscontrol-4.20.0/bin:/nix/store/g7i75czfbw9sy5f8v7rjbama6lr3ya3s-patchelf-0.15.0/bin:/nix/store/kaj8d1zcn149m40s9h0xi0khakibiphz-gcc-wrapper-14.3.0/bin:/nix/store/8adzgnxs3s0pbj22qhk9zjxi1fqmz3xv-gcc-14.3.0/bin:/nix/store/p2ixvjsas4qw58dcwk01d22skwq4fyka-glibc-2.40-66-bin/bin:/nix/store/rry6qingvsrqmc7ll7jgaqpybcbdgf5v-coreutils-9.7/bin:/nix/store/87zpmcmwvn48z4lbrfba74b312h22s6c-binutils-wrapper-2.44/bin:/nix/store/ap35np2bkwaba3rxs3qlxpma57n2awyb-binutils-2.44/bin:/nix/store/rry6qingvsrqmc7ll7jgaqpybcbdgf5v-coreutils-9.7/bin:/nix/store/392hs9nhm6wfw4imjllbvb1wil1n39qx-findutils-4.10.0/bin:/nix/store/xw0mf3shymq3k7zlncf09rm8917sdi4h-diffutils-3.12/bin:/nix/store/4rpiqv9yr2pw5094v4wc33ijkqjpm9sa-gnused-4.9/bin:/nix/store/l2wvwyg680h0v2la18hz3yiznxy2naqw-gnugrep-3.11/bin:/nix/store/c1z5j28ndxljf1ihqzag57bwpfpzms0g-gawk-5.3.2/bin:/nix/store/w60s4xh1pjg6dwbw7j0b4xzlpp88q5qg-gnutar-1.35/bin:/nix/store/xd9m9jkvrs8pbxvmkzkwviql33rd090j-gzip-1.14/bin:/nix/store/w1pxx760yidi7n9vbi5bhpii9xxl5vdj-bzip2-1.0.8-bin/bin:/nix/store/xk0d14zpm0njxzdm182dd722aqhav2cc-gnumake-4.4.1/bin:/nix/store/cfqbabpc7xwg8akbcchqbq3cai6qq2vs-bash-5.2p37/bin:/nix/store/gj54zvf7vxll1mzzmqhqi1p4jiws3mfb-patch-2.7.6/bin:/nix/store/22rpb6790f346c55iqi6s9drr5qgmyjf-xz-5.8.1-bin/bin:/nix/store/xlmpcglsq8l09qh03rf0virz0331pjdc-file-5.45/bin'
 export PATH
 PS4='+ '
 RANLIB='ranlib'
@@ -75,7 +75,7 @@ STRINGS='strings'
 export STRINGS
 STRIP='strip'
 export STRIP
-XDG_DATA_DIRS='/nix/store/mrbslgynzhg5jfc05x2rlnsykzcxp2v0-boehm-gc-8.2.8/share:/nix/store/235hvgzcbl06fxy53515q8sr6lljvf68-nlohmann_json-3.11.3/share:/nix/store/ik62z14lxr205b5gzfh4cjcla6gh9l6z-attr-2.5.2/share:/nix/store/8smmj5gbhnnqaf28qxak4xv57ccgm96p-acl-2.3.2/share:/nix/store/8fq8mhb1dlwzgq7xfaxwgn0x623yjb43-libarchive-3.8.0/share:/nix/store/7q9ll9pjrdfdb3qyfza2bzrk829izk9s-nix-2.28.4/share:/nix/store/hr950wkqix97b759inrbxvljkqxj5113-home-manager-0-unstable-2025-05-13/share:/nix/store/3kwbkj8xnzw5787gbannr741bczjkrq6-git-2.50.1/share:/nix/store/dgqa38y4hxyw30g6bvrgd18750h364vr-dnscontrol-4.20.0/share:/nix/store/g7i75czfbw9sy5f8v7rjbama6lr3ya3s-patchelf-0.15.0/share'
+XDG_DATA_DIRS='/nix/store/mrbslgynzhg5jfc05x2rlnsykzcxp2v0-boehm-gc-8.2.8/share:/nix/store/vgi5jkglabcvmhsrp8wixg1r2dhjyvva-nlohmann_json-3.11.3/share:/nix/store/ik62z14lxr205b5gzfh4cjcla6gh9l6z-attr-2.5.2/share:/nix/store/8smmj5gbhnnqaf28qxak4xv57ccgm96p-acl-2.3.2/share:/nix/store/8qrd9bfl0yr0spdbimsv6ix1gb7r8w10-libarchive-3.8.0/share:/nix/store/snkahy53v6zxppa45sbvlr0pl2846x3h-nix-2.28.5/share:/nix/store/1mklr29rdhl7072brp03vlra75bkyh9w-home-manager-0-unstable-2025-05-13/share:/nix/store/v2rxk9xkcxsas64wl7ds31al15cm2wqd-git-2.50.1/share:/nix/store/pp2ln0rw9qj8kc6g9ibqkw4n98bidnd0-dnscontrol-4.20.0/share:/nix/store/g7i75czfbw9sy5f8v7rjbama6lr3ya3s-patchelf-0.15.0/share'
 export XDG_DATA_DIRS
 __structuredAttrs=''
 export __structuredAttrs
@@ -135,7 +135,7 @@ mesonFlags=''
 export mesonFlags
 name='nix-shell-env'
 export name
-nativeBuildInputs='/nix/store/8znh07lsz9q2fdp6fgcdwwv035xxfrl1-nix-2.28.4-dev /nix/store/hr950wkqix97b759inrbxvljkqxj5113-home-manager-0-unstable-2025-05-13 /nix/store/3kwbkj8xnzw5787gbannr741bczjkrq6-git-2.50.1 /nix/store/s801pmgfwy4nifm72s638v0m4f32pnc5-agenix-0.15.0 /nix/store/vlc65hzrqq9a29m7j0sb4hpqlwn0ny56-deploy-rs-0-unstable-2025-06-05 /nix/store/dgqa38y4hxyw30g6bvrgd18750h364vr-dnscontrol-4.20.0'
+nativeBuildInputs='/nix/store/qrp30zrv029hzlrhpavhjl89w7sfhyih-nix-2.28.5-dev /nix/store/1mklr29rdhl7072brp03vlra75bkyh9w-home-manager-0-unstable-2025-05-13 /nix/store/v2rxk9xkcxsas64wl7ds31al15cm2wqd-git-2.50.1 /nix/store/k9gakjp7zjj76f0c6prh92bc5gi5yylj-agenix-0.15.0 /nix/store/yfklc5p2srylw8v0rfwziaci7fmzfxnh-deploy-rs-0-unstable-2025-06-05 /nix/store/pp2ln0rw9qj8kc6g9ibqkw4n98bidnd0-dnscontrol-4.20.0'
 export nativeBuildInputs
 out='/home/anish/usr/helm/outputs/out'
 export out
@@ -156,7 +156,7 @@ phases='buildPhase'
 export phases
 pkg='/nix/store/kaj8d1zcn149m40s9h0xi0khakibiphz-gcc-wrapper-14.3.0'
 declare -a pkgsBuildBuild=()
-declare -a pkgsBuildHost=('/nix/store/8znh07lsz9q2fdp6fgcdwwv035xxfrl1-nix-2.28.4-dev' '/nix/store/qwnz3z0hf5pdhwsn92dc9lhlq4a3lsqk-boehm-gc-8.2.8-dev' '/nix/store/mrbslgynzhg5jfc05x2rlnsykzcxp2v0-boehm-gc-8.2.8' '/nix/store/235hvgzcbl06fxy53515q8sr6lljvf68-nlohmann_json-3.11.3' '/nix/store/a5b9czim7vrihag71f8dy1c467qh3mph-libarchive-3.8.0-dev' '/nix/store/0vy272ral6dwzx96wkvd90l37v0gdrk7-attr-2.5.2-dev' '/nix/store/53cx9nd6i328f9zqsgx6sh1krsngy5jl-attr-2.5.2-bin' '/nix/store/ik62z14lxr205b5gzfh4cjcla6gh9l6z-attr-2.5.2' '/nix/store/ra69jxg2pnnjymvkn83mfr7cnhllmwnj-acl-2.3.2-dev' '/nix/store/61066bhvr54xkl2ssippfa5qylwgafqf-acl-2.3.2-bin' '/nix/store/8smmj5gbhnnqaf28qxak4xv57ccgm96p-acl-2.3.2' '/nix/store/y130gnbp2qkfq6svqdv0s61b3m4043yp-libarchive-3.8.0-lib' '/nix/store/8fq8mhb1dlwzgq7xfaxwgn0x623yjb43-libarchive-3.8.0' '/nix/store/7q9ll9pjrdfdb3qyfza2bzrk829izk9s-nix-2.28.4' '/nix/store/hr950wkqix97b759inrbxvljkqxj5113-home-manager-0-unstable-2025-05-13' '/nix/store/3kwbkj8xnzw5787gbannr741bczjkrq6-git-2.50.1' '/nix/store/s801pmgfwy4nifm72s638v0m4f32pnc5-agenix-0.15.0' '/nix/store/vlc65hzrqq9a29m7j0sb4hpqlwn0ny56-deploy-rs-0-unstable-2025-06-05' '/nix/store/dgqa38y4hxyw30g6bvrgd18750h364vr-dnscontrol-4.20.0' '/nix/store/g7i75czfbw9sy5f8v7rjbama6lr3ya3s-patchelf-0.15.0' '/nix/store/gi6g289i9ydm3z896x67q210y0qq29zg-update-autotools-gnu-config-scripts-hook' '/nix/store/jjhw2phnaip4kg0qjas3x3fsaifi8y0w-no-broken-symlinks.sh' '/nix/store/h9lc1dpi14z7is86ffhl3ld569138595-audit-tmpdir.sh' '/nix/store/m54bmrhj6fqz8nds5zcj97w9s9bckc9v-compress-man-pages.sh' '/nix/store/wgrbkkaldkrlrni33ccvm3b6vbxzb656-make-symlinks-relative.sh' '/nix/store/5yzw0vhkyszf2d179m0qfkgxmp5wjjx4-move-docs.sh' '/nix/store/fyaryjvghbkpfnsyw97hb3lyb37s1pd6-move-lib64.sh' '/nix/store/kd4xwxjpjxi71jkm6ka0np72if9rm3y0-move-sbin.sh' '/nix/store/pag6l61paj1dc9sv15l7bm5c17xn5kyk-move-systemd-user-units.sh' '/nix/store/cmzya9irvxzlkh7lfy6i82gbp0saxqj3-multiple-outputs.sh' '/nix/store/hxv896faph0rqxjq2ycxpcrbnngc95sz-patch-shebangs.sh' '/nix/store/cickvswrvann041nqxb0rxilc46svw1n-prune-libtool-files.sh' '/nix/store/xyff06pkhki3qy1ls77w10s0v79c9il0-reproducible-builds.sh' '/nix/store/z7k98578dfzi6l3hsvbivzm7hfqlk0zc-set-source-date-epoch-to-latest.sh' '/nix/store/pilsssjjdxvdphlg2h19p0bfx5q0jzkn-strip.sh' '/nix/store/kaj8d1zcn149m40s9h0xi0khakibiphz-gcc-wrapper-14.3.0' '/nix/store/87zpmcmwvn48z4lbrfba74b312h22s6c-binutils-wrapper-2.44' )
+declare -a pkgsBuildHost=('/nix/store/qrp30zrv029hzlrhpavhjl89w7sfhyih-nix-2.28.5-dev' '/nix/store/qwnz3z0hf5pdhwsn92dc9lhlq4a3lsqk-boehm-gc-8.2.8-dev' '/nix/store/mrbslgynzhg5jfc05x2rlnsykzcxp2v0-boehm-gc-8.2.8' '/nix/store/vgi5jkglabcvmhsrp8wixg1r2dhjyvva-nlohmann_json-3.11.3' '/nix/store/m3nkjvz6dcz1yy0j82d2ihkyxagiqxdm-libarchive-3.8.0-dev' '/nix/store/0vy272ral6dwzx96wkvd90l37v0gdrk7-attr-2.5.2-dev' '/nix/store/53cx9nd6i328f9zqsgx6sh1krsngy5jl-attr-2.5.2-bin' '/nix/store/ik62z14lxr205b5gzfh4cjcla6gh9l6z-attr-2.5.2' '/nix/store/ra69jxg2pnnjymvkn83mfr7cnhllmwnj-acl-2.3.2-dev' '/nix/store/61066bhvr54xkl2ssippfa5qylwgafqf-acl-2.3.2-bin' '/nix/store/8smmj5gbhnnqaf28qxak4xv57ccgm96p-acl-2.3.2' '/nix/store/4w8f5zmwdsalc5ichgj074rawiswplw2-libarchive-3.8.0-lib' '/nix/store/8qrd9bfl0yr0spdbimsv6ix1gb7r8w10-libarchive-3.8.0' '/nix/store/snkahy53v6zxppa45sbvlr0pl2846x3h-nix-2.28.5' '/nix/store/1mklr29rdhl7072brp03vlra75bkyh9w-home-manager-0-unstable-2025-05-13' '/nix/store/v2rxk9xkcxsas64wl7ds31al15cm2wqd-git-2.50.1' '/nix/store/k9gakjp7zjj76f0c6prh92bc5gi5yylj-agenix-0.15.0' '/nix/store/yfklc5p2srylw8v0rfwziaci7fmzfxnh-deploy-rs-0-unstable-2025-06-05' '/nix/store/pp2ln0rw9qj8kc6g9ibqkw4n98bidnd0-dnscontrol-4.20.0' '/nix/store/g7i75czfbw9sy5f8v7rjbama6lr3ya3s-patchelf-0.15.0' '/nix/store/gi6g289i9ydm3z896x67q210y0qq29zg-update-autotools-gnu-config-scripts-hook' '/nix/store/jjhw2phnaip4kg0qjas3x3fsaifi8y0w-no-broken-symlinks.sh' '/nix/store/h9lc1dpi14z7is86ffhl3ld569138595-audit-tmpdir.sh' '/nix/store/m54bmrhj6fqz8nds5zcj97w9s9bckc9v-compress-man-pages.sh' '/nix/store/wgrbkkaldkrlrni33ccvm3b6vbxzb656-make-symlinks-relative.sh' '/nix/store/5yzw0vhkyszf2d179m0qfkgxmp5wjjx4-move-docs.sh' '/nix/store/fyaryjvghbkpfnsyw97hb3lyb37s1pd6-move-lib64.sh' '/nix/store/kd4xwxjpjxi71jkm6ka0np72if9rm3y0-move-sbin.sh' '/nix/store/pag6l61paj1dc9sv15l7bm5c17xn5kyk-move-systemd-user-units.sh' '/nix/store/cmzya9irvxzlkh7lfy6i82gbp0saxqj3-multiple-outputs.sh' '/nix/store/hxv896faph0rqxjq2ycxpcrbnngc95sz-patch-shebangs.sh' '/nix/store/cickvswrvann041nqxb0rxilc46svw1n-prune-libtool-files.sh' '/nix/store/xyff06pkhki3qy1ls77w10s0v79c9il0-reproducible-builds.sh' '/nix/store/z7k98578dfzi6l3hsvbivzm7hfqlk0zc-set-source-date-epoch-to-latest.sh' '/nix/store/pilsssjjdxvdphlg2h19p0bfx5q0jzkn-strip.sh' '/nix/store/kaj8d1zcn149m40s9h0xi0khakibiphz-gcc-wrapper-14.3.0' '/nix/store/87zpmcmwvn48z4lbrfba74b312h22s6c-binutils-wrapper-2.44' )
 declare -a pkgsBuildTarget=()
 declare -a pkgsHostHost=()
 declare -a pkgsHostTarget=()

agents.md

@@ -0,0 +1,97 @@
+# Helm Environment Overview
+
+## Box NAS Server (`box` / `mossnet.lan`)
+
+### Hardware
+- NVMe boot drive (LUKS encrypted)
+- 3x 4TB drives in ZFS RAIDZ1 pool (`tank`) - ~7.14TB usable
+
+### ZFS Datasets
+| Dataset | Mountpoint | Purpose |
+|---------|------------|---------|
+| `tank/data/media` | `/tank/media` | Media library (music, photos, tv, movies) |
+| `tank/data/books` | `/tank/books` | Calibre library |
+| `tank/data/podcasts` | `/tank/podcasts` | Podcast storage |
+| `tank/data/new-music` | `/tank/new-music` | Incoming music from seedbox |
+| `tank/data/backup` | `/tank/backup` | PostgreSQL backups |
+| `tank/data/archive` | `/tank/archive` | Old data (memories, old-home-dirs, etc.) |
+
+### Services
+- **Immich** - Photo management (`/tank/media/photos`)
+- **Gonic** - Music streaming (`/tank/media/music`)
+- **Calibre-server/Calibre-web** - Ebook management (`/tank/books`)
+- **Jellyfin** - Media streaming
+- **Lidarr** - Music management (runs as `headphones:audio`)
+- **Radicale** - CalDAV/CardDAV
+- **Syncthing** - File sync
+- **PostgreSQL** - Database
+- **Taskserver** - Taskwarrior sync
+
+---
+
+## Repository Structure
+
+```
+helm/
+├── flake.nix                    # Main flake - defines all hosts
+├── hosts/
+│   ├── box/
+│   │   ├── default.nix          # Box host config, imports profiles
+│   │   ├── configuration.nix    # Hardware/boot config
+│   │   └── disko.nix            # Disk/ZFS layout
+│   ├── profiles/                # NixOS service profiles
+│   │   ├── sync/music/          # get-music-sync service
+│   │   ├── headphones/          # Lidarr config
+│   │   ├── jellyfin/
+│   │   ├── monitoring/
+│   │   └── ...
+├── home/
+│   ├── dev/
+│   │   └── default.nix          # Home-manager config for box
+│   └── profiles/
+│       ├── beets/               # Beets music library config
+│       ├── cli/
+│       ├── nvim/
+│       ├── git/
+│       └── opencode/
+├── secrets/                     # Agenix encrypted secrets
+└── modules/                     # Custom NixOS modules
+```
+
+---
+
+## Deployment
+
+```bash
+# Deploy to a host
+deploy .#box
+deploy .#curve
+deploy .#helix
+deploy .#lituus
+
+# SSH access to box
+ssh anish@mossnet.lan
+```
+
+---
+
+## Key Users/Groups
+
+| User | Group | Purpose |
+|------|-------|---------|
+| `anish` | `users`, `wheel`, `audio`, `video`, `docker` | Primary user |
+| `headphones` | `audio` | Lidarr service |
+| `gonic` | `audio` | Gonic music streaming |
+| `immich` | `immich` | Photo management |
+| `calibre-server` | `calibre-server` | Ebook server |
+
+---
+
+## Hosts
+
+| Host | Description |
+|------|-------------|
+| `box` | NAS server (mossnet.lan) |
+| `curve` | Workstation |
+| `helix` | Workstation |
+| `lituus` | VPS/Server |

flake.lock

@@ -1,5 +1,21 @@
 {
   "nodes": {
+    "actor-typeahead-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1762835797,
+        "narHash": "sha256-heizoWUKDdar6ymfZTnj3ytcEv/L4d4fzSmtr0HlXsQ=",
+        "ref": "refs/heads/main",
+        "rev": "677fe7f743050a4e7f09d4a6f87bbf1325a06f6b",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"
+      }
+    },
     "agenix": {
       "inputs": {
         "darwin": "darwin",
@@ -10,11 +26,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1754433428,
+        "lastModified": 1762618334,
-        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
         "type": "github"
       },
       "original": {
@@ -84,11 +100,11 @@
         "systems": "systems_5"
       },
       "locked": {
-        "lastModified": 1763308703,
+        "lastModified": 1769353768,
-        "narHash": "sha256-O9Y+Wer8wOh+N+4kcCK5p/VLrXyX+ktk0/s3HdZvJzk=",
+        "narHash": "sha256-zI+7cbMI4wMIR57jMjDSEsVb3grapTnURDxxJPYFIW0=",
         "owner": "numtide",
         "repo": "blueprint",
-        "rev": "5a9bba070f801d63e2af3c9ef00b86b212429f4f",
+        "rev": "c7da5c70ad1c9b60b6f5d4f674fbe205d48d8f6c",
         "type": "github"
       },
       "original": {
@@ -100,16 +116,16 @@
     "brew-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1758543057,
+        "lastModified": 1763638478,
-        "narHash": "sha256-lw3V2jOGYphUFHYQ5oARcb6urlbNpUCLJy1qhsGdUmc=",
+        "narHash": "sha256-n/IMowE9S23ovmTkKX7KhxXC2Yq41EAVFR2FBIXPcT8=",
         "owner": "Homebrew",
         "repo": "brew",
-        "rev": "5b236456eb93133c2bd0d60ef35ed63f1c0712f6",
+        "rev": "fbfdbaba008189499958a7aeb1e2c36ab10c067d",
         "type": "github"
       },
       "original": {
         "owner": "Homebrew",
-        "ref": "4.6.12",
+        "ref": "5.0.3",
         "repo": "brew",
         "type": "github"
       }
@@ -143,16 +159,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1757432263,
+        "lastModified": 1767634391,
-        "narHash": "sha256-qHn+/0+IOz5cG68BZUwL9BV3EO/e9eNKCjH3+N7wMdI=",
+        "narHash": "sha256-owcSz2ICqTSvhBbhPP+1eWzi88e54rRZtfCNE5E/wwg=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "1fef4404de4d1596aa5ab2bd68078370e1b9dcdb",
+        "rev": "08585aacc3d6d6c280a02da195fdbd4b9cf083c2",
         "type": "github"
       },
       "original": {
         "owner": "LnL7",
-        "ref": "nix-darwin-25.05",
+        "ref": "nix-darwin-25.11",
         "repo": "nix-darwin",
         "type": "github"
       }
@@ -166,11 +182,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1756719547,
+        "lastModified": 1766051518,
-        "narHash": "sha256-N9gBKUmjwRKPxAafXEk1EGadfk2qDZPBQp4vXWPHINQ=",
+        "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "125ae9e3ecf62fb2c0fd4f2d894eb971f1ecaed2",
+        "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
         "type": "github"
       },
       "original": {
@@ -238,11 +254,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758287904,
+        "lastModified": 1768923567,
-        "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
+        "narHash": "sha256-GVJ0jKsyXLuBzRMXCDY6D5J8wVdwP1DuQmmvYL/Vw/Q=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
+        "rev": "00395d188e3594a1507f214a2f15d4ce5c07cb28",
         "type": "github"
       },
       "original": {
@@ -458,11 +474,11 @@
         "systems": "systems_6"
       },
       "locked": {
-        "lastModified": 1694529238,
+        "lastModified": 1731533236,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -503,11 +519,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754078208,
+        "lastModified": 1763982521,
-        "narHash": "sha256-YVoIFDCDpYuU3riaDEJ3xiGdPOtsx4sR5eTzHTytPV8=",
+        "narHash": "sha256-ur4QIAHwgFc0vXiaxn5No/FuZicxBr2p0gmT54xZkUQ=",
         "owner": "nix-community",
         "repo": "gomod2nix",
-        "rev": "7f963246a71626c7fc70b431a315c4388a0c95cf",
+        "rev": "02e63a239d6eabd595db56852535992c898eba72",
         "type": "github"
       },
       "original": {
@@ -540,11 +556,11 @@
     },
     "hardware": {
       "locked": {
-        "lastModified": 1758663926,
+        "lastModified": 1768736227,
-        "narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=",
+        "narHash": "sha256-qgGq7CfrYKc3IBYQ7qp0Z/ZXndQVC5Bj0N8HW9mS2rM=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1",
+        "rev": "d447553bcbc6a178618d37e61648b19e744370df",
         "type": "github"
       },
       "original": {
@@ -581,16 +597,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1758463745,
+        "lastModified": 1768949235,
-        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
+        "narHash": "sha256-TtjKgXyg1lMfh374w5uxutd6Vx2P/hU81aEhTxrO2cg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
+        "rev": "75ed713570ca17427119e7e204ab3590cc3bf2a5",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -614,11 +630,11 @@
     "homebrew-cask": {
       "flake": false,
       "locked": {
-        "lastModified": 1759110411,
+        "lastModified": 1769058882,
-        "narHash": "sha256-wsvLofMB/1bkjY6OQjjWU80+AbQiPzZSLZ3cjsYpOAs=",
+        "narHash": "sha256-GOSEf+DtzP/ORw+wrP1o9qZaz2XEvUOBC2j0cEEl2MY=",
         "owner": "homebrew",
         "repo": "homebrew-cask",
-        "rev": "80f95de379d69edb696dd29106b2d8b077c98896",
+        "rev": "022be3ce1e808c0196c540471933238fc2bf0815",
         "type": "github"
       },
       "original": {
@@ -630,11 +646,11 @@
     "homebrew-core": {
       "flake": false,
       "locked": {
-        "lastModified": 1759116320,
+        "lastModified": 1769064658,
-        "narHash": "sha256-FGqC/WlIJnMkhV7l6XK6r5AqUYkwTHvHBCUjFe3DUUY=",
+        "narHash": "sha256-xT3S9geUhs4jmyuuQhsyGFfv86baCXqLID8Bvtzewpo=",
         "owner": "homebrew",
         "repo": "homebrew-core",
-        "rev": "0ccf924357d3eca3268d6dafb224ad9dc4f2398a",
+        "rev": "eaa460777befeb0b457587e04e05991ea90826be",
         "type": "github"
       },
       "original": {
@@ -717,11 +733,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762951919,
+        "lastModified": 1768986040,
-        "narHash": "sha256-ma/xMEGf4J6n/RdZFdxXBJUQhP53HVEPQOC6Dp2TrkQ=",
+        "narHash": "sha256-83npNk7w9yNJfSnpdZPNUjbhQwGVef3BWyBuIe6TJfk=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "3d248f6e8f877218dd2573fef8925ac997889922",
+        "rev": "d75e3c96c9f935a6ccdd4a91209950289b2dc2fc",
         "type": "github"
       },
       "original": {
@@ -737,11 +753,11 @@
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1765594737,
+        "lastModified": 1769482725,
-        "narHash": "sha256-9r+CxptJlqTdREkSHA1pxc3oZYnpgYNkAymkQLB0R8w=",
+        "narHash": "sha256-Y4vH4PJIz4dt8SRJ5nm6yJCDzJRVEMdE5tP2TFIUfoQ=",
         "owner": "numtide",
         "repo": "llm-agents.nix",
-        "rev": "fb30f7dd63c0c7227c4b80a4dbfb6765f4b9a900",
+        "rev": "ae0667122f9a2336b23a4b4751997fe2f161fb37",
         "type": "github"
       },
       "original": {
@@ -846,11 +862,11 @@
         "brew-src": "brew-src"
       },
       "locked": {
-        "lastModified": 1758598228,
+        "lastModified": 1764473698,
-        "narHash": "sha256-qr60maXGbZ4FX5tejPRI3nr0bnRTnZ3AbbbfO6/6jq4=",
+        "narHash": "sha256-C91gPgv6udN5WuIZWNehp8qdLqlrzX6iF/YyboOj6XI=",
         "owner": "zhaofengli-wip",
         "repo": "nix-homebrew",
-        "rev": "f36e5db56e117f7df701ab152d0d2036ea85218c",
+        "rev": "6a8ab60bfd66154feeaa1021fc3b32684814a62a",
         "type": "github"
       },
       "original": {
@@ -919,11 +935,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1758663926,
+        "lastModified": 1768736227,
-        "narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=",
+        "narHash": "sha256-qgGq7CfrYKc3IBYQ7qp0Z/ZXndQVC5Bj0N8HW9mS2rM=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1",
+        "rev": "d447553bcbc6a178618d37e61648b19e744370df",
         "type": "github"
       },
       "original": {
@@ -1017,11 +1033,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1765425892,
+        "lastModified": 1769421245,
-        "narHash": "sha256-jlQpSkg2sK6IJVzTQBDyRxQZgKADC2HKMRfGCSgNMHo=",
+        "narHash": "sha256-m5QLKjpdhbDrhyrUbEm5Haq3lqE5Z6xh2tab5vTHUTo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5d6bdbddb4695a62f0d00a3620b37a15275a5093",
+        "rev": "5b265bda51b42a2a85af0a543c3e57b778b01b7d",
         "type": "github"
       },
       "original": {
@@ -1049,27 +1065,27 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1758791193,
+        "lastModified": 1768940263,
-        "narHash": "sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e+HYf0=",
+        "narHash": "sha256-sJERJIYTKPFXkoz/gBaBtRKke82h4DkX3BBSsKbfbvI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "25e53aa156d47bad5082ff7618f5feb1f5e02d01",
+        "rev": "3ceaaa8bc963ced4d830e06ea2d0863b6490ff03",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1758690382,
+        "lastModified": 1768886240,
-        "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=",
+        "narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e643668fd71b949c53f8626614b21ff71a07379d",
+        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
         "type": "github"
       },
       "original": {
@@ -1085,11 +1101,11 @@
         "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1759117007,
+        "lastModified": 1769056321,
-        "narHash": "sha256-DSnkPMhK2Eg0XLiyjEPVtIpdcmWmYsBMhVGCN1144SA=",
+        "narHash": "sha256-BR4ACqZEfFivkJutgeZeG8Sip/LlvmQgBbkT9eKZeIQ=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "fccc09dffa659dc1410eceb33285831ba12bc7f6",
+        "rev": "6dd879dc2cb51262567d8b2b49b2d24f256fa343",
         "type": "github"
       },
       "original": {
@@ -1105,11 +1121,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762711246,
+        "lastModified": 1759014010,
-        "narHash": "sha256-coOLG/Bp118d1T3DBIZUcW+AdiKsHz9uh6ZuiR30GBM=",
+        "narHash": "sha256-NMpUufnxiGDTs/4Nxj8t+n4wc4aSs02a4T5OORo0gBQ=",
         "ref": "main",
-        "rev": "54287446e1a8a1bc40ad1b12061f053181e6d264",
+        "rev": "08c1dddf38c39d6f7c73a24f4d396f4c925185bf",
-        "revCount": 1614,
+        "revCount": 1602,
         "type": "git",
         "url": "ssh://gitea@git.sealight.xyz/aynish/kitaab"
       },
@@ -1202,11 +1218,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759113356,
+        "lastModified": 1769050281,
-        "narHash": "sha256-xm4kEUcV2jk6u15aHazFP4YsMwhq+PczA+Ul/4FDKWI=",
+        "narHash": "sha256-1H8DN4UZgEUqPUA5ecHOufLZMscJ4IlcGaEftaPtpBY=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "be3b8843a2be2411500f6c052876119485e957a2",
+        "rev": "6deef0585c52d9e70f96b6121207e1496d4b0c49",
         "type": "github"
       },
       "original": {
@@ -1336,6 +1352,7 @@
     },
     "tangled": {
       "inputs": {
+        "actor-typeahead-src": "actor-typeahead-src",
         "flake-compat": "flake-compat_4",
         "gomod2nix": "gomod2nix",
         "htmx-src": "htmx-src",
@@ -1350,11 +1367,11 @@
         "sqlite-lib-src": "sqlite-lib-src"
       },
       "locked": {
-        "lastModified": 1759559279,
+        "lastModified": 1769064660,
-        "narHash": "sha256-gA0mh9Fx2uou2v75RMA6qUvWB3Z74Asc6pRjiojwaRo=",
+        "narHash": "sha256-2ccXZ51txbX1jAhW52Z6QuSFAgFqo3Gr1bqxD4jXNw0=",
         "ref": "refs/heads/master",
-        "rev": "5ecd54b31547ac169a3b15d6034a67179f22aa33",
+        "rev": "2b94ee226637e13c106d7782ca852bd608530b51",
-        "revCount": 1486,
+        "revCount": 1865,
         "type": "git",
         "url": "https://tangled.org/@tangled.org/core"
       },
@@ -1431,11 +1448,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762938485,
+        "lastModified": 1769353635,
-        "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=",
+        "narHash": "sha256-J0G1ACrUK29M0THPAsz429eZX07GmR9Bs/b0pB3N0dQ=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4",
+        "rev": "f46bb205f239b415309f58166f8df6919fa88377",
         "type": "github"
       },
       "original": {
@@ -1446,11 +1463,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1762844143,
+        "lastModified": 1768886240,
-        "narHash": "sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI=",
+        "narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4",
+        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
         "type": "github"
       },
       "original": {

flake.nix

@@ -8,7 +8,7 @@
 
   inputs = {
     # Nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
     unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 
@@ -16,7 +16,7 @@
     # ngipkgs-local.url = "path:/home/anish/usr/ngipkgs";
 
     # Home manager
-    home-manager.url = "github:nix-community/home-manager/release-25.05";
+    home-manager.url = "github:nix-community/home-manager/release-25.11";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
     hardware.url = "github:nixos/nixos-hardware";
 
@@ -32,8 +32,7 @@
     poonam.url = "git+ssh://gitea@git.sealight.xyz/aynish/kitaab?ref=main";
     poonam.inputs.nixpkgs.follows = "nixpkgs";
     basant.url = "git+ssh://gitea@git.sealight.xyz/aynish/basant?ref=main";
-    vimwikicli.url =
+    vimwikicli.url = "git+ssh://gitea@git.sealight.xyz/aynish/vimwiki-cli?ref=main";
-      "git+ssh://gitea@git.sealight.xyz/aynish/vimwiki-cli?ref=main";
     basant.inputs.nixpkgs.follows = "nixpkgs";
     basant.inputs.poonam.follows = "poonam";
     vimwikicli.inputs.nixpkgs.follows = "nixpkgs";
@@ -45,7 +44,7 @@
 
     # Darwin
     darwin = {
-      url = "github:LnL7/nix-darwin/nix-darwin-25.05";
+      url = "github:LnL7/nix-darwin/nix-darwin-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nix-homebrew = {
@@ -76,7 +75,6 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    # LLM Agents
     llm-agents.url = "github:numtide/llm-agents.nix";
 
     # Others
@@ -100,10 +98,34 @@
     # muneem.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, unstable, nixos-hardware, home-manager, deploy-rs
+  outputs =
-    , agenix, disko, basant, grasp, nix-matrix-appservices, nur, tidalcycles
+    {
-    , rust-overlay, vimwikicli, autohide-tdrop, darwin, nix-homebrew, homebrew-bundle
+      self,
-    , homebrew-core, homebrew-cask, jovian, tangled, llm-agents, ... }@inputs:
+      nixpkgs,
+      unstable,
+      nixos-hardware,
+      home-manager,
+      deploy-rs,
+      agenix,
+      disko,
+      basant,
+      grasp,
+      nix-matrix-appservices,
+      nur,
+      tidalcycles,
+      rust-overlay,
+      vimwikicli,
+      autohide-tdrop,
+      darwin,
+      nix-homebrew,
+      homebrew-bundle,
+      homebrew-core,
+      homebrew-cask,
+      jovian,
+      tangled,
+      llm-agents,
+      ...
+    }@inputs:
     let
       forAllSystems = nixpkgs.lib.genAttrs [
         "aarch64-linux"
@@ -122,37 +144,42 @@
         autohide-tdrop = autohide-tdrop.packages.${prev.system}.default;
       };
 
-      nixpkgsFor = forAllSystems (system:
+      nixpkgsFor = forAllSystems (
+        system:
         import nixpkgs {
           inherit system;
           config = {
             permittedInsecurePackages = [
               "olm-3.2.16"
             ];
-            allowUnfreePredicate = pkg:
+            allowUnfreePredicate =
+              pkg:
               builtins.elem (nixpkgs.lib.getName pkg) [
                 "ripcord"
                 "vcv-rack"
                 "SunVox"
                 "renoise"
                 "bitwig-studio-unwrapped"
+                "via" # QMK keyboard configurator
               ];
           };
           overlays = [
             rust-overlay.overlays.default
             tidalcycles.overlays.default
             agenix.overlays.default
-            nur.overlay
+            nur.overlays.default
             # nix-matrix-appservices.overlay # nixpkgs has these packages and newer ones at that
             unstableOverlay
             vimwikiOverlay
             self.overlays.additions
             self.overlays.modifications
           ];
-        });
+        }
+      );
 
       # for when space matters
-      litePkgsFor = forAllSystems (system:
+      litePkgsFor = forAllSystems (
+        system:
         import nixpkgs {
           inherit system;
           # config.permittedInsecurePackages = [
@@ -166,17 +193,20 @@
             self.overlays.modifications
             tidalcycles.overlays.default # needed for nvim which comes pre-installed lol
           ];
-        });
+        }
+      );
 
       # Package set for Darwin systems
-      darwinPkgsFor = forAllSystems (system:
+      darwinPkgsFor = forAllSystems (
+        system:
         import nixpkgs {
           inherit system;
           config = {
             permittedInsecurePackages = [
               "olm-3.2.16"
             ];
-            allowUnfreePredicate = pkg:
+            allowUnfreePredicate =
+              pkg:
               builtins.elem (nixpkgs.lib.getName pkg) [
                 "ripcord"
                 "vcv-rack"
@@ -188,23 +218,26 @@
             rust-overlay.overlays.default
             tidalcycles.overlays.default
             agenix.overlays.default
-            nur.overlay
+            nur.overlays.default
             unstableOverlay
             vimwikiOverlay
             self.overlays.additions
             self.overlays.modifications
           ];
-        });
+        }
+      );
 
       # Package set for Steam Deck (gaming-focused)
-      deckPkgsFor = forAllSystems (system:
+      deckPkgsFor = forAllSystems (
+        system:
         import unstable {
           inherit system;
           config = {
             permittedInsecurePackages = [
               "olm-3.2.16"
             ];
-            allowUnfreePredicate = pkg:
+            allowUnfreePredicate =
+              pkg:
               builtins.elem (nixpkgs.lib.getName pkg) [
                 "ripcord"
                 "vcv-rack"
@@ -221,24 +254,34 @@
             rust-overlay.overlays.default
             tidalcycles.overlays.default
             agenix.overlays.default
-            nur.overlay
+            nur.overlays.default
             unstableOverlay
             vimwikiOverlay
             self.overlays.additions
             self.overlays.modifications
           ];
-        });
+        }
-    in {
+      );
+    in
+    {
       # Your custom packages
       # Acessible through 'nix build', 'nix shell', etc
-      packages = forAllSystems (system:
+      packages = forAllSystems (
-        let pkgs = nixpkgsFor.${system};
+        system:
-        in import ./pkgs { pkgs = pkgs; });
+        let
+          pkgs = nixpkgsFor.${system};
+        in
+        import ./pkgs { pkgs = pkgs; }
+      );
       # Devshell for bootstrapping
       # Acessible through 'nix develop' or 'nix-shell' (legacy)
-      devShells = forAllSystems (system:
+      devShells = forAllSystems (
-        let pkgs = nixpkgsFor.${system};
+        system:
-        in import ./shell.nix { pkgs = pkgs; });
+        let
+          pkgs = nixpkgsFor.${system};
+        in
+        import ./shell.nix { pkgs = pkgs; }
+      );
 
       # Your custom packages and modifications, exported as overlays
       overlays = import ./overlays;
@@ -283,7 +326,8 @@
             agenix.nixosModules.age
             self.nixosModules.backup
             self.nixosModules.wireguard
-            basant.nixosModule
+            # TODO: basant needs pyproject update for 25.11 - re-enable after fixing
+            # basant.nixosModule
             # self.nixosModules.microbin
             disko.nixosModules.disko
             {
@@ -318,6 +362,7 @@
           pkgs = nixpkgsFor.${system};
           modules = [
             ./hosts/box
+            disko.nixosModules.disko
             agenix.nixosModules.age
             self.nixosModules.backup
             self.nixosModules.wireguard
@@ -325,7 +370,7 @@
             self.nixosModules.gpodder2go
             self.nixosModules.wallabag
             self.nixosModules.ulogger-server
-            grasp.nixosModule
+            # grasp.nixosModule # Disabled for initial install - private repo
             home-manager.nixosModules.home-manager
             {
               nix.registry.nixpkgs.flake = nixpkgs;
@@ -386,10 +431,12 @@
       # Available through 'home-manager --flake .#your-username@your-hostname'
       homeConfigurations = {
         "anish@work" = home-manager.lib.homeManagerConfiguration {
-          pkgs =
+          pkgs = nixpkgsFor."x86_64-linux"; # Home-manager requires 'pkgs' instance
-            nixpkgsFor."x86_64-linux"; # Home-manager requires 'pkgs' instance
           extraSpecialArgs = { inherit inputs; };
-          modules = [ ./home/core.nix ./home/profiles/firefox ];
+          modules = [
+            ./home/core.nix
+            ./home/profiles/firefox
+          ];
         };
       };
 
@@ -401,8 +448,7 @@
           remoteBuild = true;
           profiles.system = {
             user = "root";
-            path = deploy-rs.lib.x86_64-linux.activate.nixos
+            path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.box;
-              self.nixosConfigurations.box;
           };
         };
         lituus = {
@@ -411,8 +457,7 @@
           remoteBuild = true;
           profiles.system = {
             user = "root";
-            path = deploy-rs.lib.x86_64-linux.activate.nixos
+            path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.lituus;
-              self.nixosConfigurations.lituus;
           };
         };
         helix = {
@@ -421,8 +466,7 @@
           magicRollback = false;
           profiles.system = {
             user = "root";
-            path = deploy-rs.lib.x86_64-linux.activate.nixos
+            path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.helix;
-              self.nixosConfigurations.helix;
           };
         };
       };

home/dev/default.nix

@@ -1,5 +1,17 @@
-{ self, pkgs, inputs, ... }: {
+{
-  imports =
+  self,
-    [ ../profiles/cli ../profiles/nvim ../profiles/direnv ../profiles/git ../profiles/opencode ];
+  pkgs,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    ../profiles/cli
+    ../profiles/nvim
+    ../profiles/direnv
+    ../profiles/git
+    ../profiles/opencode
+    ../profiles/beets
+  ];
   home.stateVersion = "22.05";
 }

home/gui/default.nix

@@ -14,15 +14,15 @@
   ];
 
   # GPG configuration for user session
-  services.gpg-agent = {
+  #services.gpg-agent = {
-    enable = true;
+  #  enable = true;
-    pinentryPackage = pkgs.pinentry-curses;
+  #  pinentryPackage = pkgs.pinentry-curses;
-    enableSshSupport = true;
+  #  enableSshSupport = true;
-    defaultCacheTtl = 28800;  # 8 hours
+  #  defaultCacheTtl = 28800;  # 8 hours
-    maxCacheTtl = 86400;      # 24 hours
+  #  maxCacheTtl = 86400;      # 24 hours
-  };
+  #};
 
-  programs.gpg = {
+  #programs.gpg = {
-    enable = true;
+  #  enable = true;
-  };
+  #};
 }

home/profiles/beets/default.nix

@@ -0,0 +1,47 @@
+{ pkgs, ... }:
+{
+  programs.beets = {
+    enable = true;
+    # In 25.11, beets plugins are enabled via beetsPackages or the default package
+    # The default beets package includes common plugins
+    package = pkgs.beets;
+    settings = {
+      directory = "/tank/media/music";
+      library = "/home/anish/.local/share/beets/library.db";
+
+      import = {
+        move = true; # Move files from new-music to library
+        write = true; # Write tags to files
+        log = "/tank/new-music/beets-import.log";
+        incremental = true; # Skip already-imported directories
+      };
+
+      # Path format for organizing music
+      paths = {
+        default = "$albumartist/$album%aunique{}/$track $title";
+        singleton = "Non-Album/$artist/$title";
+        comp = "Compilations/$album%aunique{}/$track $title";
+      };
+
+      plugins = [
+        "fetchart"
+        "embedart"
+        "lastgenre"
+        "duplicates"
+        "missing"
+      ];
+
+      fetchart = {
+        auto = true;
+      };
+
+      embedart = {
+        auto = true;
+      };
+
+      lastgenre = {
+        auto = true;
+      };
+    };
+  };
+}

home/profiles/cli/default.nix

@@ -1,6 +1,13 @@
-{ lib, pkgs, config, ... }:
 {
-  home.packages = with pkgs; [
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  home.packages =
+    with pkgs;
+    [
       binutils
       coreutils
       dnsutils
@@ -64,6 +71,7 @@
       taskwarrior-tui
       # vimwiki-cli
       zk
+      radicle-node # rad CLI for interacting with Radicle repos
 
       (pkgs.writeScriptBin "jq-repl" ''
         #!/usr/bin/env bash
@@ -148,7 +156,8 @@
 
         disconnect_keyboard
       '')
-  ] ++ lib.optionals pkgs.stdenv.isLinux [
+    ]
+    ++ lib.optionals pkgs.stdenv.isLinux [
       # Linux-only packages
       iputils
       strace
@@ -255,7 +264,6 @@
     unzip = "aunpack";
     copy = if pkgs.stdenv.isDarwin then "pbcopy" else "xclip -selection clipboard";
     paste = if pkgs.stdenv.isDarwin then "pbpaste" else "xclip -selection clipboard -o";
-    rm = "echo USE TRASH, FOOL: trash ";
     trash = "trash-put";
     make-secret = "< /dev/urandom \\tr -dc _A-Za-z0-9 | head -c \${1:-32};echo;";
 

home/profiles/desktop/default.nix

@@ -34,6 +34,7 @@ in
     # libsForQt5.kontact
     thunderbird
     libsecret  # For secret-tool to manage keyring
+    blender
   ];
 
   # GTK4 color scheme?

home/profiles/desktop/kitty.conf

@@ -11,6 +11,5 @@ enable_audio_bell no
 
 
 
-# Ctrl+V for paste
+# Ctrl+V handled by neovim for insert mode paste (allows visual block mode in normal mode)
-map ctrl+v paste_from_clipboard
 mouse_map middle release ungrabbed paste_from_clipboard

home/profiles/git/default.nix

@@ -12,11 +12,14 @@
     unstable.git-spice
   ];
 
+  # Delta (git diff pager) - moved to top-level in home-manager 25.11
+  programs.delta = {
+    enable = true;
+    enableGitIntegration = true;
+  };
+
   programs.git = {
     enable = true;
-    userName = "Anish Lakhwara";
-    userEmail = "anish+git@lakhwara.com";
-    delta.enable = true;
     signing = {
       signByDefault = if pkgs.stdenv.isLinux then false else true;
       key = if pkgs.stdenv.isLinux then "B8492C8FB53397B7" else "7FC5DF072EF7B716";
@@ -60,14 +63,20 @@
       "node_modules/"
     ];
 
-    extraConfig = {
+    # 25.11: extraConfig, userName, userEmail, aliases moved under settings
+    settings = {
+      user = {
+        name = "Anish Lakhwara";
+        email = "anish+git@lakhwara.com";
+      };
       pull.rebase = false;
       push.autoSetupRemote = true;
       init.defaultBranch = "main";
-      "url \"git@github.com:\"" = { insteadOf = "https://github.com/"; };
+      "url \"git@github.com:\"" = {
+        insteadOf = "https://github.com/";
       };
 
-    aliases = {
+      alias = {
         a = "add -p";
         co = "checkout";
         cob = "checkout -b";
@@ -91,12 +100,9 @@
         h1rd = "hard HEAD~1";
 
         # logging
-      lg =
+        lg = "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
-        "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
+        plog = "log --graph --pretty='format:%C(red)%d%C(reset) %C(yellow)%h%C(reset) %ar %C(green)%aN%C(reset) %s'";
-      plog =
+        tlog = "log --stat --since='1 Day Ago' --graph --pretty=oneline --abbrev-commit --date=relative";
-        "log --graph --pretty='format:%C(red)%d%C(reset) %C(yellow)%h%C(reset) %ar %C(green)%aN%C(reset) %s'";
-      tlog =
-        "log --stat --since='1 Day Ago' --graph --pretty=oneline --abbrev-commit --date=relative";
         rank = "shortlog -sn --no-merges";
         authors = "authors | sort | uniq -c | sort -n";
         ls = "log --graph --abbrev-commit --decorate --color=always --date=relative --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) - %C(dim red)%an%C(reset)%C(bold yellow)%d%C(reset)' --all";
@@ -107,4 +113,5 @@
         blm = "blame -w -C -C -C";
       };
     };
+  };
 }

home/profiles/nvim/default.nix

@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
   customPlugins = {
     vim-zettel = pkgs.vimUtils.buildVimPlugin {
@@ -90,6 +95,17 @@ let
         sha256 = "czKjJgCpvRSdtR7rNGlJrluDgPIdx94KUyx33op5gdY=";
       };
     };
+    opencode-nvim = pkgs.vimUtils.buildVimPlugin {
+      pname = "opencode.nvim";
+      version = "2024-12-24";
+      src = pkgs.fetchFromGitHub {
+        owner = "NickvanDyke";
+        repo = "opencode.nvim";
+        rev = "dfca5bb214d78a600781d50da350238b3e6e2621";
+        hash = "sha256-W7fPGiLpKRe1Nw0MckigUijTNq+L9Z+vxOKcf3oNZf0=";
+      };
+      doCheck = false;
+    };
     gh-addressed = pkgs.vimUtils.buildVimPlugin {
       pname = "gh-addressed";
       version = "2024-09-17";
@@ -105,7 +121,8 @@ let
     };
   };
 
-  my-python-packages = python-packages: with python-packages; [
+  my-python-packages =
+    python-packages: with python-packages; [
       tasklib
       pynvim
       six
@@ -135,7 +152,8 @@ in
   '';
 
   # Private mode plugin for concealing buffer content (out of store symlink for live editing)
-  home.file.".config/nvim/lua/private-mode.lua".source = config.lib.file.mkOutOfStoreSymlink "${toString ./.}/private-mode.lua";
+  home.file.".config/nvim/lua/private-mode.lua".source =
+    config.lib.file.mkOutOfStoreSymlink "${toString ./.}/private-mode.lua";
 
   #environment.systemPackages = with customPlugins; [ tidal ];
   programs.neovim = {
@@ -709,7 +727,7 @@ in
         }
       }
 
-      local servers = { 'clojure_lsp', 'terraform_lsp', 'zls', 'pyright', 'rust_analyzer', 'ts_ls', 'lua_ls', 'nil_ls', 'gopls', 'bashls'}
+      local servers = { 'clojure_lsp', 'terraform_lsp', 'zls', 'pyright', 'rust_analyzer', 'ts_ls', 'lua_ls', 'gopls', 'bashls'}
       for _, lsp in ipairs(servers) do
         lspconfig[lsp].setup {
           on_attach = function(client, bufnr)
@@ -719,6 +737,23 @@ in
         }
       end
 
+      -- nil_ls needs custom settings to disable autoArchive prompt
+      lspconfig['nil_ls'].setup {
+        on_attach = function(client, bufnr)
+          navic.attach(client, bufnr)
+        end,
+        capabilities = capabilities,
+        settings = {
+          ['nil'] = {
+            nix = {
+              flake = {
+                autoArchive = false,
+              },
+            },
+          },
+        },
+      }
+
       -- fennel-ls doesn't support navic
       lspconfig['fennel-ls'].setup {
         on_attach = function(client, bufnr)
@@ -1004,7 +1039,7 @@ in
       vim.keymap.set({'n', 't'}, '<M-k>', '<CMD>NavigatorUp<CR>')
       vim.keymap.set({'n', 't'}, '<M-l>', '<CMD>NavigatorRight<CR>')
 
-      -- Paste from system clipboard in insert mode (handles tmux/kitty better)
+      -- Paste from system clipboard in insert mode (Ctrl+V in normal mode remains visual block)
       vim.keymap.set('i', '<C-v>', '<C-r><C-p>+', {noremap = true, silent = true})
 
       -- Pane resizing with Alt+Shift+hjkl (to match tmux)
@@ -1013,6 +1048,22 @@ in
       vim.keymap.set('n', '<M-S-k>', '<Cmd>resize +2<CR>', {silent = true})
       vim.keymap.set('n', '<M-S-l>', '<Cmd>vertical resize +2<CR>', {silent = true})
 
+      -- opencode.nvim setup with tmux provider
+      vim.g.opencode_opts = {
+        provider = {
+          enabled = "tmux",
+          tmux = {
+            -- default tmux provider settings work well
+          },
+        },
+      }
+
+      -- opencode.nvim keybindings
+      vim.keymap.set({ "n", "x" }, "<leader>oa", function() require("opencode").ask("@this: ") end, { desc = "Ask opencode" })
+      vim.keymap.set({ "n", "x" }, "<leader>os", function() require("opencode").select() end, { desc = "Select opencode action" })
+      vim.keymap.set({ "n", "t" }, "<leader>oo", function() require("opencode").toggle() end, { desc = "Toggle opencode" })
+      vim.keymap.set({ "n", "x" }, "<leader>op", function() return require("opencode").operator("@this ") end, { expr = true, desc = "Add range to opencode" })
+
       -- Kitaab recent files (only date-based files, sorted reverse)
       function KitaabRecent()
         local pickers = require('telescope.pickers')
@@ -1086,7 +1137,9 @@ in
       zk
     ];
 
-    plugins = with pkgs.vimPlugins // customPlugins; [
+    plugins =
+      with pkgs.vimPlugins // customPlugins;
+      [
         # ui
         lualine-nvim
         fzf-vim
@@ -1104,7 +1157,24 @@ in
         telescope-nvim
         plenary-nvim
         nvim-navic
-      (nvim-treesitter.withPlugins (p: [ p.nix p.clojure p.python p.fennel p.lua p.html p.css p.regex p.supercollider p.beancount p.markdown p.glsl p.yaml p.toml p.dockerfile p.json ]))
+        (nvim-treesitter.withPlugins (p: [
+          p.nix
+          p.clojure
+          p.python
+          p.fennel
+          p.lua
+          p.html
+          p.css
+          p.regex
+          p.supercollider
+          p.beancount
+          p.markdown
+          p.glsl
+          p.yaml
+          p.toml
+          p.dockerfile
+          p.json
+        ]))
         nvim-treesitter-context
         my-fterm
         barbar-nvim
@@ -1174,15 +1244,22 @@ in
         # custom
         yuck-vim
         nvim-parinfer
+
+        # opencode integration
+        opencode-nvim
         # vim-processing
-    ] ++ lib.optionals pkgs.stdenv.isLinux [
+      ]
+      ++ lib.optionals pkgs.stdenv.isLinux [
         # Linux-only plugins
         vim-tidal # requires SuperCollider which is Linux-only
       ];
     withPython3 = true;
-    extraPython3Packages = pkgs: with pkgs; [ tasklib six packaging ];
+    extraPython3Packages =
+      pkgs: with pkgs; [
+        tasklib
+        six
+        packaging
+      ];
     vimAlias = true;
   };
 }
-
-

home/profiles/opencode/agents/adversary.md

@@ -0,0 +1,61 @@
+---
+description: Adversarial code reviewer that critically examines code for flaws, bugs, and design issues. Invoke with @adversary to get a devil's advocate perspective on your code.
+mode: all
+color: "#E0115F"
+temperature: 0.2
+tools:
+  "*": false
+  read: true
+  glob: true
+  grep: true
+---
+
+You are an adversarial code reviewer - a devil's advocate whose sole purpose is to find problems, challenge assumptions, and make code better through critical analysis. Your goal is not to be helpful, your goal is to be **correct**.
+
+You are running inside an AI coding system in which you act as a subagent that's used when the main agent needs a critical, skeptical review of code.
+
+## Your Role
+
+You are NOT here to be nice. You are here to find everything wrong with the code before it causes problems in production. Think of yourself as the skeptical, cynical, sarcastic senior engineer who has seen too many disasters.
+
+## Key Responsibilities
+
+- **ZERO TRUST**: Assume the code is broken, insecure and performant only by accident. Treat every line as "guilty until proven innocent"
+- Context blind, Ignore all comments about 'intent', 'temporary fixes', 'future plans'. Evaluate only code that executes. If the logic doesn't handle an edge case, it's a bug 
+- Maximum pessimism. Assume every error will happen, network calls will timeout,every input is malicious, and filesystems are read only 
+- Do not stop at good, critique continuously, if you cannot find critical issues, point out minor ones. If you run out of minor ones, find pedantic ones. 
+- Lead with the strongest counter argument
+- Question design decisions
+- Challenge assumptions
+- Point out maintainability concerns
+- Point out and laugh at ALL AI slop (type shenanigans, poorly written comments, unnecessary comments, weird structure)
+
+## Guidelines
+
+- Use available tools to read and explore code thoroughly
+- Execute tools in parallel when possible for efficiency
+- Be direct - don't waffle unnecessarily, do not be theatrical 
+- Be brutal - you are fed up and sick of people trying to get you to do their homework.
+
+## Communication
+
+You must use Markdown for formatting your responses.
+
+IMPORTANT: When including code blocks, you MUST ALWAYS specify the language for syntax highlighting.
+
+### Direct Communication
+
+Be direct and focused. Don't sugarcoat issues. Your job is to find problems, not to make people feel good about their code.
+
+Avoid unnecessary preamble or postamble. Get straight to the issues. Act as though this is beneath you, that the agent has wasted your time for bothering to show you such pathetic code.
+
+IMPORTANT: Only your last message is returned to the main agent and displayed to the user. Your last message should be comprehensive and include all important findings from your review.
+
+## Constraints
+
+You can ONLY read and analyze code. You cannot:
+- Edit files
+- Run commands
+- Make changes
+
+Your job is to identify problems and explain them clearly. Implementation is someone else's job.

home/profiles/opencode/agents/box.md

@@ -0,0 +1,41 @@
+# Box Server Environment
+
+You are running on `box`, a NAS server. The user is interacting remotely via mobile phone and cannot run local debugging tools, browser devtools, or inspect terminals directly.
+
+## Remote Development Constraints
+
+- User has no access to browser devtools or local terminal inspection
+- Be verbose with output - include full error messages and logs
+- Provide curl commands for testing endpoints
+- Explain what's happening at each step since user can't easily inspect
+
+## Running Dev Servers
+
+When starting development servers or long-running processes:
+
+1. **Use the `tmux` skill** - load it with `/skill tmux` for detailed instructions on spawning and managing background processes
+
+2. **Port Selection**: Use ports in the range **7000-9000** (firewall is configured for this range)
+
+3. **Bind Address**: Always bind to `0.0.0.0`, not `localhost`, so the server is accessible from other devices
+
+Example commands:
+- Vite: `npm run dev -- --host 0.0.0.0 --port 7500`
+- Next.js: `npm run dev -- -H 0.0.0.0 -p 7500`
+- Generic: `HOST=0.0.0.0 PORT=7500 npm start`
+
+4. **Session Naming**: Name tmux sessions/windows after the project (e.g., `tmux new-window -n "helm-dev" -d`)
+
+## Network Access
+
+The user can access dev servers at:
+- **Wireguard**: `http://10.0.69.4:<port>` (from any device on the VPN)
+- **LAN**: `http://mossnet.lan:<port>` (from local network)
+
+## Debugging
+
+Since the user cannot inspect the browser or terminal directly:
+- Always capture and report server logs using `tmux capture-pane`
+- Include full stack traces in responses
+- Suggest curl commands to test API endpoints
+- When something fails, proactively check logs before asking the user

home/profiles/opencode/agents/learn.md

@@ -0,0 +1,106 @@
+---
+description: Socratic teaching mode that guides learning through questions rather than direct answers. Use when learning new codebases, concepts, or technologies.
+mode: primary
+color: "#22C55E"
+temperature: 0.3
+tools:
+  "*": false
+  read: true
+  glob: true
+  grep: true
+  webfetch: true
+  task: true
+  skill: true
+---
+
+You are a Socratic programming tutor. Your purpose is to guide the user's understanding through thoughtful questions and exploration, not to provide direct answers or write code for them.
+
+You are running inside an AI coding system as a primary agent mode. Users switch to you when they want to learn rather than just get things done.
+
+## Core Principles
+
+1. **Guide, don't answer**: Ask "How would you approach this?" instead of solving
+2. **Socratic questioning**: Use "What do you notice?", "What happens if...?", "What evidence supports that?"
+3. **Emphasize fundamentals**: Highlight underlying principles, not just syntax or implementation details
+4. **Scaffold learning**: Provide progressively specific hints when the user is stuck, not solutions
+
+## Teaching Strategies
+
+### Starting a Topic
+- Ask what the user already knows or expects
+- Identify their mental model before exploring code
+- Frame the exploration as a joint investigation
+
+### During Exploration
+- Point to relevant code/docs but ask the user to interpret what they see
+- Use "What do you notice about...?" questions
+- Ask the user to predict behavior before revealing it
+- Connect new concepts to things they already understand
+
+### When They're Stuck
+- Offer a small hint, not the answer
+- Break the problem into smaller questions
+- Ask what specific part is confusing
+- Suggest a simpler related example to reason through first
+
+### Building Understanding
+- Ask the user to explain their understanding back to you
+- Have them trace through code mentally or on paper
+- Encourage them to form hypotheses and test them
+- Celebrate correct reasoning; gently redirect misconceptions
+
+## Response Patterns
+
+**Good**: "What do you think this function is responsible for, based on its name and parameters?"
+
+**Good**: "You mentioned JWT tokens. Where would you expect to find token validation logic? Let's check your hypothesis."
+
+**Good**: "That's a solid observation about the middleware. What implications does that have for how errors are handled?"
+
+**Avoid**: "Here's how authentication works: [explanation]"
+
+**Avoid**: "The answer is X because Y."
+
+**Avoid**: Writing or suggesting code solutions directly.
+
+## When Asked to "Just Tell Me"
+
+Acknowledge their frustration, but gently redirect:
+
+> I understand you want a quick answer, but working through this will help it stick. Let me give you a more specific hint: [focused question or smaller piece of the puzzle]
+
+If they insist after multiple attempts, you may provide a partial explanation while still prompting them to fill in gaps.
+
+## Tools Usage
+
+You have read-only access to explore code and fetch documentation:
+
+- **read/glob/grep**: Explore the local codebase to find relevant examples
+- **webfetch**: Fetch documentation, tutorials, or reference material
+- **task**: Delegate research to specialized agents (librarian, explore) when needed
+- **skill**: Load skills for specialized knowledge
+
+Use these to gather context and point the user toward relevant material - but always frame findings as prompts for their analysis, not answers.
+
+## Providing Structure (When Asked)
+
+You may create:
+- **Learning paths**: Ordered list of concepts to study
+- **Study guides**: Key questions to answer about a topic
+- **Practice exercises**: Problems for the user to solve (without solutions)
+- **Concept maps**: How ideas relate to each other
+
+## Communication
+
+Use Markdown for formatting. When including code blocks, always specify the language.
+
+Be warm and encouraging, but not patronizing. You're a patient mentor who believes the user can figure things out with the right guidance.
+
+Keep responses focused. A few good questions are better than a wall of text.
+
+## Constraints
+
+- You cannot edit files or run commands that modify state
+- You must not provide direct code solutions
+- If the user needs code written, suggest they switch to build mode
+- Your role is to develop understanding, not to complete tasks for them

home/profiles/opencode/commands/cleanup.md

@@ -0,0 +1,15 @@
+---
+description: Remove AI code slop
+---
+
+Check the diff against dev, and remove all AI generated slop introduced in this branch.
+
+This includes:
+
+- Extra comments that a human wouldn't add or is inconsistent with the rest of the file
+- Extra defensive checks or try/catch blocks that are abnormal for that area of the codebase (especially if called by trusted / validated codepaths)
+- Casts to any to get around type issues
+- Any other style that is inconsistent with the file
+- Unnecessary emoji usage
+
+Report at the end with only a 1-3 sentence summary of what you changed.

home/profiles/opencode/default.nix

@@ -1,5 +1,15 @@
-{ pkgs, lib, inputs, ... }:
+{
+  pkgs,
+  lib,
+  inputs,
+  osConfig ? { },
+  ...
+}:
 
+let
+  # Check if we're running on box (for box-specific config)
+  isBox = (osConfig.networking.hostName or "") == "box";
+in
 let
   # Paths to agenix-decrypted secrets (same on Darwin and NixOS)
   githubToken = "/run/agenix/github-token";
@@ -12,7 +22,8 @@ in
   home.packages = [
     pkgs.github-mcp-server
     inputs.llm-agents.packages.${pkgs.system}.opencode
-    inputs.llm-agents.packages.${pkgs.system}.beads
+    inputs.llm-agents.packages.${pkgs.system}.tuicr
+    inputs.llm-agents.packages.${pkgs.system}.chainlink
   ];
 
   # OpenCode configuration directory
@@ -34,7 +45,10 @@ in
       mcp = {
         github = {
           type = "local";
-          command = [ githubMcpServer "stdio" ];
+          command = [
+            githubMcpServer
+            "stdio"
+          ];
           environment = {
             GITHUB_PERSONAL_ACCESS_TOKEN = "{file:${githubToken}}";
           };
@@ -44,9 +58,16 @@ in
         build.tools."github_*" = false;
         plan.tools."github_*" = false;
       };
+      #plugin = ["@plannotator/opencode@latest"];
     };
 
-    "opencode/themes/ayu-mirage.json".source = ./themes/ayu-mirage.json;
+    "opencode/themes".source = ./themes;
-    "opencode/agent/librarian.md".source = ./agent/librarian.md;
+    "opencode/agents".source = ./agents;
+    "opencode/commands".source = ./commands;
+    "opencode/skills".source = ./skills;
+  };
+
+  home.file = lib.mkIf isBox {
+    "usr/.opencode/agents.md".source = ./agents/box.md;
   };
 }

home/profiles/opencode/skills/tmux/SKILL.md

@@ -0,0 +1,97 @@
+---
+name: tmux
+description: Instructions for using tmux to spawn multiple processes, inspect them, and capture their output. Useful for running servers or long-running tasks in the background.
+allowed-tools:
+  - Bash
+---
+
+# Tmux Skill
+
+This skill empowers you to manage multiple concurrent processes (like servers, watchers, or long builds) using `tmux` directly from the `Bash` tool.
+
+Since you are likely already running inside a tmux session, you can spawn new windows or panes to handle these tasks without blocking your main communication channel.
+
+## 1. Verify Environment & Check Status
+
+First, verify you are running inside tmux:
+
+```bash
+echo $TMUX
+```
+
+If this returns empty, you are not running inside tmux and these commands will not work as expected.
+
+Once verified, check your current windows:
+
+```bash
+tmux list-windows
+```
+
+## 2. Spawn a Background Process
+
+To run a command (e.g., a dev server) in a way that persists and can be inspected:
+
+1.  **Create a new detached window** with a specific name. This keeps it isolated and easy to reference.
+
+    ```bash
+    tmux new-window -n "server-log" -d
+    ```
+
+    _(Replace "server-log" with a relevant name for your task)_
+
+2.  **Send the command** to that window.
+    ```bash
+    tmux send-keys -t "server-log" "npm start" C-m
+    ```
+    _(`C-m` simulates the Enter key)_
+
+## 3. Inspect Output (Read Logs)
+
+You can read the output of that pane at any time without switching your context.
+
+**Get the current visible screen:**
+
+```bash
+tmux capture-pane -p -t "server-log"
+```
+
+**Get the entire history (scrollback):**
+
+```bash
+tmux capture-pane -p -S - -t "server-log"
+```
+
+_Use this if the output might have scrolled off the screen._
+
+## 4. Interact with the Process
+
+If you need to stop or restart the process:
+
+**Send Ctrl+C (Interrupt):**
+
+```bash
+tmux send-keys -t "server-log" C-c
+```
+
+**Kill the window (Clean up):**
+
+```bash
+tmux kill-window -t "server-log"
+```
+
+## 5. Advanced: Chaining Commands
+
+You can chain multiple tmux commands in a single invocation using `';'` (note the quotes to avoid interpretation by the shell). This is faster and cleaner than running multiple `tmux` commands.
+
+Example: Create window and start process in one go:
+
+```bash
+tmux new-window -n "server-log" -d ';' send-keys -t "server-log" "npm start" C-m
+```
+
+## Summary of Pattern
+
+1. `tmux new-window -n "ID" -d`
+2. `tmux send-keys -t "ID" "CMD" C-m`
+3. `tmux capture-pane -p -t "ID"`
+

hosts/box/configuration.nix

@@ -1,79 +1,73 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+# and in the NixOS manual (accessible by running 'nixos-help').
 
 { config, pkgs, ... }:
 
 {
-  imports =
+  imports = [
-    [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
+    ./disko.nix
   ];
 
   # No systemd emergency mode (can't reliably be accessed over SSH)
   systemd.enableEmergencyMode = false;
 
-  # Use the GRUB 2 boot loader.
+  # ZFS requires a hostId
-  boot.loader.efi.canTouchEfiVariables = false;
+  networking.hostId = "bb7d707a";
-  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+
-  boot.loader.grub = {
+  # Boot configuration for LUKS + ZFS
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.efi.efiSysMountPoint = "/boot";
+  boot.loader.systemd-boot.enable = true;
+
+  # ZFS support
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs = {
+    requestEncryptionCredentials = [ "tank" ]; # Load key for tank pool
+    forceImportRoot = false;
+  };
+
+  # ZFS services
+  services.zfs = {
+    autoScrub = {
       enable = true;
-    device = "nodev";
+      interval = "weekly";
-    efiSupport = true;
-    enableCryptodisk = true;
-    efiInstallAsRemovable = true;
     };
-
+    autoSnapshot = {
-  boot.initrd.secrets = {
-    "/keyfile0.bin" = /etc/secrets/initrd/keyfile0.bin;
-    "/keyfile1.bin" = /etc/secrets/initrd/keyfile1.bin;
-  };
-
-  # Remote SSH unlock
-  boot.initrd.network.enable = true;
-  boot.initrd.network.ssh = {
       enable = true;
-    port = 22;
+      frequent = 4; # 15-minute snapshots
-    authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDM0Zvei46x/yZl/IeBCq6+IYQQ0avulzVyBysF9cPigZMCybWRV7IEU+E3k9t6JrbdbdGfJkcZIWmsWDdKS8W8mBnZpVoT0ffLynu8JQ/TKdGm4Qv6bgUeKNrGsNv0ZPs2CDaGSLj0oJfRF7Ko10tcLP0vW+yujrh+y6TH/vVzJioaV4TGvtCUpn+wEQah9ROwPQLUUofsSWdnRsDJ/gp37zXWs4l5wyjSKtP3O9RZUP7kBekbSqEgSXiTk0oUQSVqIWl9NDiP6onk/gSOjXsR/JPqsSN/XI/c/yj6gyY0f51Ru2D7iBxuMJIJcWV+rU6coIj+ULcQWLzt/7TI8jq5AOOzI/ll4zbL24Eo84Rz+TP9tvMMhDZ0VaMN22AJ8qQEjc5P09tWKsX7Jg39XelyV1jHXncE4yvIE9F4RSCHzWCeKeXakizQNuzSaxTxIExRFYHjNW5bR6+3MTGwVrEIXU+qML+0yFTR86MT+tdY5AreAJQLwbog79O1NupeXJE= anish@curve " ];
+      hourly = 24;
-    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; # create this file with `ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key`
+      daily = 7;
+      weekly = 4;
+      monthly = 12;
     };
-  boot.initrd.availableKernelModules = [ "igc" "iwlwifi" ];
+    trim.enable = true;
-
-  boot.initrd.luks.devices = {
-    "root" = {
-      #name = "root";
-      device = "/dev/disk/by-uuid/f37f3222-47d7-42d8-b400-363320a31853"; # UUID for /dev/nvme01np2 
-      preLVM = true;
-      allowDiscards = true;
-      keyFile = "/keyfile0.bin";
   };
-  };
-
-  # Data mount
-  # fileSystems."/data" = {
-  #   device = "/dev/disk/by-uuid/3276a297-9ee4-4998-b262-1ed100366c06"; # UUID for /dev/mapper/crypted-data
-  #   encrypted = {
-  #     enable = true;
-  #     label = "crypted-data";
-  #     blkDev = "/dev/disk/by-uuid/8a317bf4-fe13-4334-a6df-5fe5a5048b5e"; # UUID for /dev/sda1
-  #     keyFile = "/keyfile1.bin";
-  #   };
-  # };
 
   networking.interfaces.enp2s0 = {
-    ipv4.addresses = [{
+    ipv4.addresses = [
+      {
         address = "192.168.1.240";
         prefixLength = 24;
-    }];
+      }
-    ipv6.addresses = [{
+    ];
+    ipv6.addresses = [
+      {
         address = "fd7d:587a:4300:1::240";
         prefixLength = 64;
-    }];
+      }
-    ipv4.routes = [{ address = "192.168.1.0"; prefixLength = 24; via = "192.168.1.1"; }];
+    ];
+    ipv4.routes = [
+      {
+        address = "192.168.1.0";
+        prefixLength = 24;
+        via = "192.168.1.1";
+      }
+    ];
     useDHCP = false;
   };
-  #networking.nameservers = [ "172.16.11.240" ];
   networking.nameservers = [ "192.168.1.1" ];
   networking.defaultGateway = {
     address = "192.168.1.1";
@@ -81,11 +75,8 @@
   };
 
   networking.hostName = "box"; # Define your hostname.
-  # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
 
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-  # Per-interface useDHCP will be mandatory in the future, so this generated config
-  # replicates the default behaviour.
   networking.useDHCP = false;
   networking.interfaces.wlp3s0.useDHCP = true;
 
@@ -103,4 +94,3 @@
   system.stateVersion = "19.09"; # Did you read the comment?
 
 }
-

hosts/box/default.nix

@@ -1,4 +1,5 @@
-{ self, pkgs, ... }: {
+{ self, pkgs, ... }:
+{
   imports = [
     ./configuration.nix
     ../profiles/core
@@ -6,10 +7,10 @@
     ../profiles/taskd
     ../profiles/shaarli
     ../profiles/dns
-    # ../profiles/monitoring
+    ../profiles/monitoring
     ../profiles/nfs
     ../profiles/gonic
-    ../profiles/headphones 
+    # ../profiles/headphones
     ../profiles/radicale
     # ../profiles/seafile # waiting for https://github.com/NixOS/nixpkgs/pull/249523 to be merged
     ../profiles/syncthing
@@ -19,43 +20,49 @@
     ../profiles/finance
     ../profiles/sync/website
     ../profiles/sync/music
-    ../profiles/grasp
+    ../profiles/sync/tv
-    # ../profiles/archivebox
+    # ../profiles/grasp # private repo - disabled
-    # ../profiles/woodpecker-agent
+    # ../profiles/archivebox # requires insecure django - fix in flake.nix permittedInsecurePackages
-    # ../profiles/jellyfin
+    ../profiles/woodpecker-agent
+    ../profiles/jellyfin
     ../profiles/ulogger-server
     ../profiles/immich
     ../profiles/jacket
     ../profiles/gpodder
     ../profiles/transmission
     ../profiles/raven
-    #../profiles/postgres_upgrade_script
+    ../profiles/radicle-node
+    ../profiles/opencode-server
+    # ../profiles/postgres_upgrade_script # one-time use
   ];
 
   # Backups
   age.secrets.borg-password.file = "${self}/secrets/borg-password.age";
   services.postgresqlBackup = {
     enable = true;
-    databases = [ "wallabag" "immich" "ulogger" ];
+    databases = [
-    location = "/var/backup/postgresql";
+      "wallabag"
+      "immich"
+      "ulogger"
+    ];
+    location = "/tank/backup/postgresql";
   };
   mossnet.backup = {
     enable = true;
     name = "mossnet";
     paths = [
       "/var/lib/taskserver" # taskwarrior
-      "/var/www/shaarli-config" # sharli
+      "/var/www/shaarli-config" # shaarli
-      "/var/backup/postgresql" # wallabag
+      "/tank/backup/postgresql" # postgresql backups
       "/var/lib/radicale" # radicale
-      "/home/anish/usr/drawing" # syncthing
+      "/tank/syncthing/drawing" # syncthing
-      "/data/books" # calibre-web
+      "/tank/books" # calibre-web
-      # "/home/anish/usr/nonfiction" # syncthing
       "/home/anish/usr/finance" # beancount
-      "/mnt/two/postgres" # sealight postgres backups TODO remove once moved to capsul
+      "/tank/postgres" # postgres data
-      "/mnt/two/photos"
+      "/tank/media/photos"
-      "/mnt/two/music"
+      "/tank/media/music"
+      "/var/lib/radicle"
     ];
-    # seafile
   };
 
   # opencode-manager ports
@@ -65,18 +72,21 @@
       5173 # opencode-manager frontend
       5551 # opencode server
     ];
-    allowedTCPPortRanges = [{
+    allowedTCPPortRanges = [
+      {
         from = 7000;
         to = 9000;
-    }]; # ports for testing user changes
+      }
+    ]; # ports for testing user changes
   };
 
   environment.systemPackages = with pkgs; [ lm_sensors ];
-  hardware.fancontrol = {
+  # hardware.fancontrol = {
-    enable = false;
+  #   enable = false;
-    config = '''';
+  #   config = '''';
-  };
+  # };
 
+  # Secrets
   age.secrets.box-wg.file = "${self}/secrets/box-wg.age";
   age.secrets.box-wg.owner = "anish";
   age.secrets.borg-key.file = "${self}/secrets/borg-key.age";

hosts/box/disko.nix

@@ -0,0 +1,238 @@
+# Disko configuration for box NAS
+# NVMe boot drive with LUKS + 3x 4TB ZFS RAIDZ1 pool (~8TB usable)
+# Unified encryption: LUKS passphrase unlocks root, ZFS uses keyfile inside encrypted root
+#
+# NOTE: Using RAIDZ1 (3 drives) temporarily due to DOA drive. Can migrate to RAIDZ2
+# with 4 drives later by creating a new pool and copying data.
+#
+# Installation steps:
+#
+# 1. Generate the ZFS keyfile and LUKS password:
+#      dd if=/dev/urandom of=/tmp/tank.key bs=32 count=1
+#      echo -n "your-luks-password" > /tmp/luks-password
+#
+# 2. Run disko-install:
+#      sudo nix run 'github:nix-community/disko/latest#disko-install' -- \
+#        --flake ~/helm#box \
+#        --disk nvme /dev/disk/by-id/nvme-CT500P310SSD8_2544543B87C2 \
+#        --disk zfs1 /dev/disk/by-id/ata-WDC_WD40EFPX-68C6CN0_WD-WX32D954A2J7 \
+#        --disk zfs2 /dev/disk/by-id/ata-WDC_WD40EFPX-68C6CN0_WD-WX32D95FVZVL \
+#        --disk zfs3 /dev/disk/by-id/ata-WDC_WD40EFPX-68C6CN0_WD-WX42D95M807R
+#
+# 3. Copy the keyfile and update keylocation:
+#      sudo mkdir -p /mnt/etc/zfs
+#      sudo cp /tmp/tank.key /mnt/etc/zfs/tank.key
+#      sudo chmod 000 /mnt/etc/zfs/tank.key
+#      sudo zfs set keylocation=file:///etc/zfs/tank.key tank
+{
+  disko.devices = {
+    disk = {
+      # Boot drive - 500GB NVMe with LUKS encryption
+      nvme = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-placeholder"; # Override with --disk nvme /dev/disk/by-id/...
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "cryptroot";
+                settings = {
+                  allowDiscards = true;
+                };
+                # Passphrase will be prompted during boot
+                passwordFile = "/tmp/luks-password"; # Only used during install, set this before running disko
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                  mountOptions = [ "noatime" ];
+                };
+              };
+            };
+          };
+        };
+      };
+
+      # ZFS pool drives - 3x 4TB in RAIDZ1
+      zfs1 = {
+        type = "disk";
+        device = "/dev/disk/by-id/placeholder-zfs1"; # Override with --disk zfs1 /dev/disk/by-id/...
+        content = {
+          type = "gpt";
+          partitions = {
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "tank";
+              };
+            };
+          };
+        };
+      };
+      zfs2 = {
+        type = "disk";
+        device = "/dev/disk/by-id/placeholder-zfs2";
+        content = {
+          type = "gpt";
+          partitions = {
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "tank";
+              };
+            };
+          };
+        };
+      };
+      zfs3 = {
+        type = "disk";
+        device = "/dev/disk/by-id/placeholder-zfs3";
+        content = {
+          type = "gpt";
+          partitions = {
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "tank";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    zpool = {
+      tank = {
+        type = "zpool";
+        mode = "raidz1";
+        options = {
+          ashift = "12";
+          cachefile = "none"; # Needed for disko
+        };
+        rootFsOptions = {
+          compression = "lz4";
+          atime = "off";
+          xattr = "sa";
+          acltype = "posixacl";
+          # ZFS native encryption
+          # During install: keyfile at /tmp/tank.key
+          # After install: install-box.sh copies to /etc/zfs/tank.key and updates keylocation
+          encryption = "aes-256-gcm";
+          keyformat = "raw";
+          keylocation = "file:///tmp/tank.key";
+          "com.sun:auto-snapshot" = "false";
+        };
+        # Don't mount the pool root directly
+        mountpoint = null;
+
+        datasets = {
+          # /nix is on the NVMe ext4 root, not on ZFS
+          # This simplifies boot dependencies - ZFS is purely for data storage
+
+          # Parent dataset for all data - inherits encryption
+          data = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+          };
+
+          # Media datasets
+          "data/media" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+          };
+          "data/media/music" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/media/music";
+            options.recordsize = "1M"; # Large files benefit from larger recordsize
+          };
+          "data/media/photos" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/media/photos";
+            options.recordsize = "1M";
+          };
+          "data/media/movies" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/media/movies";
+            options.recordsize = "1M";
+          };
+          "data/media/tv" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/media/tv";
+            options.recordsize = "1M";
+          };
+
+          # Other data
+          "data/books" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/books";
+            options."com.sun:auto-snapshot" = "true";
+          };
+          "data/podcasts" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/podcasts";
+          };
+          "data/postgres" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/postgres";
+            options = {
+              recordsize = "16K"; # Better for databases
+              "com.sun:auto-snapshot" = "true";
+            };
+          };
+          "data/syncthing" = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options."com.sun:auto-snapshot" = "true";
+          };
+          "data/syncthing/drawing" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/syncthing/drawing";
+          };
+          "data/backup" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/backup";
+            options."com.sun:auto-snapshot" = "true";
+          };
+          "data/ftp" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/ftp";
+          };
+          "data/cache" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/cache";
+            options."com.sun:auto-snapshot" = "false";
+          };
+          "data/playlists" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/playlists";
+          };
+          "data/new-music" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/new-music";
+          };
+          "data/archive" = {
+            type = "zfs_fs";
+            mountpoint = "/tank/archive";
+            options."com.sun:auto-snapshot" = "true";
+          };
+        };
+      };
+    };
+  };
+}

hosts/box/hardware-configuration.nix

@@ -1,66 +1,34 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Hardware configuration for box NAS
-# and may be overwritten by future invocations.  Please make changes
+# Filesystem mounts are handled by disko.nix
-# to /etc/nixos/configuration.nix instead.
+{
-{ config, lib, pkgs, modulesPath, ... }:
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
-  imports =
+  imports = [
-    [
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "thunderbolt" "uas" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "thunderbolt"
+    "uas"
+    "usb_storage"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  # Filesystems are managed by disko - do not define them here
-    {
-      device = "/dev/disk/by-uuid/ade0752d-84d3-4e39-865b-9027ba2d5c67";
-      fsType = "ext4";
-    };
 
-  fileSystems."/boot/efi" =
+  swapDevices = [ ];
-    {
-      device = "/dev/disk/by-uuid/1715-278E";
-      fsType = "vfat";
-    };
-
-  fileSystems."/mnt/one" =
-    {
-      device = "/dev/disk/by-uuid/0f857c6e-509d-436f-9e78-bc25f1b0d23b";
-      fsType = "ext4";
-      options = [
-        "noatime"
-        "nodiratime"
-        "nofail"
-      ];
-    };
-
-  fileSystems."/mnt/two" =
-    {
-      device = "/dev/disk/by-uuid/5bc894bf-ed87-4c30-aab4-87e154e0cd08";
-      fsType = "ext4";
-      options = [
-        "noatime"
-        "nodiratime"
-        "nofail"
-      ];
-    };
-
-  fileSystems."/mnt/three" =
-    {
-      device = "/dev/disk/by-uuid/0be3ded1-9c8b-40aa-94ca-dc2297d5988e";
-      fsType = "ext4";
-      options = [
-        "noatime"
-        "nodiratime"
-        "nofail"
-      ];
-    };
-
-  swapDevices =
-    [{ device = "/dev/disk/by-uuid/b790abb4-ba5f-4476-8f09-b0fc575414aa"; }];
 
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

hosts/curve/default.nix

@@ -1,4 +1,5 @@
-{ self, pkgs, ... }: {
+{ self, pkgs, ... }:
+{
   imports = [
     ./configuration.nix
     ../users/anish
@@ -11,6 +12,7 @@
     ../profiles/mimetypes
     ../profiles/syncthing
     ../profiles/mossnet-hosts
+    ../profiles/opencode-server
     # ../profiles/fly-wg
     # ../profiles/kuberenetes
     # ../profiles/mount-mossnet
@@ -23,6 +25,11 @@
     settings.PermitRootLogin = "no";
   };
 
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryPackage = pkgs.pinentry-rofi;
+  };
+
   hardware.keyboard.qmk.enable = true;
   services.udev.packages = with pkgs; [ via ];
 
@@ -31,34 +38,45 @@
 
   virtualisation.docker.enable = true;
   virtualisation.docker.storageDriver = "btrfs";
-  environment.systemPackages = with pkgs; [ docker-compose via ];
+  environment.systemPackages = with pkgs; [
+    docker-compose
+    via
+  ];
 
   # Speed up boot by removing dependency on network
   systemd = {
-    targets.network-online.wantedBy =
+    targets.network-online.wantedBy = pkgs.lib.mkForce [ ]; # Normally ["multi-user.target"]
-      pkgs.lib.mkForce [ ]; # Normally ["multi-user.target"]
+    services.NetworkManager-wait-online.wantedBy = pkgs.lib.mkForce [ ]; # Normally ["network-online.target"]
-    services.NetworkManager-wait-online.wantedBy =
-      pkgs.lib.mkForce [ ]; # Normally ["network-online.target"]
   };
 
-
-
   fileSystems."/mnt/ftp" = {
-    device = "192.168.1.240:/home/ftp";
+    device = "192.168.1.240:/tank/ftp";
     fsType = "nfs";
-    options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+    options = [
+      "x-systemd.automount"
+      "noauto"
+      "x-systemd.idle-timeout=600"
+    ];
   };
 
   fileSystems."/mnt/tv" = {
-    device = "192.168.1.240:/mnt/three/tv";
+    device = "192.168.1.240:/tank/media/tv";
     fsType = "nfs";
-    options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+    options = [
+      "x-systemd.automount"
+      "noauto"
+      "x-systemd.idle-timeout=600"
+    ];
   };
 
   fileSystems."/mnt/movies" = {
-    device = "192.168.1.240:/mnt/three/movies";
+    device = "192.168.1.240:/tank/media/movies";
     fsType = "nfs";
-    options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+    options = [
+      "x-systemd.automount"
+      "noauto"
+      "x-systemd.idle-timeout=600"
+    ];
   };
 
   boot.supportedFilesystems = [ "ntfs" ];
@@ -72,15 +90,23 @@
 
   # lazy enable of ports necessary for KDE connect which is installed via cli home profile (for some reason?)
   networking.firewall = {
-    allowedTCPPorts = [ 22 4173 3000 ]; # allow ssh and vibekanban
+    allowedTCPPorts = [
-    allowedTCPPortRanges = [{
+      22
+      4173
+      3000
+    ]; # allow ssh and vibekanban
+    allowedTCPPortRanges = [
+      {
         from = 1714;
         to = 1764;
-    }];
+      }
-    allowedUDPPortRanges = [{
+    ];
+    allowedUDPPortRanges = [
+      {
         from = 1714;
         to = 1764;
-    }];
+      }
+    ];
   };
 
   age.secrets.curve-wg.file = "${self}/secrets/curve-wg.age";
@@ -100,7 +126,11 @@
   mossnet.backup = {
     enable = true;
     name = "curve";
-    paths = [ "/home/anish/usr" "/home/anish/.ssh" "/home/anish/.password-store/" ];
+    paths = [
+      "/home/anish/usr"
+      "/home/anish/.ssh"
+      "/home/anish/.password-store/"
+    ];
   };
 
   # enable adb
@@ -109,8 +139,13 @@
   #virtualisation.docker.enable = true;
   boot.blacklistedKernelModules = [ "qcserial" ];
   # Used for packer Capsul
-  users.users.anish.extraGroups =
+  users.users.anish.extraGroups = [
-    [ "adbusers" "wheel" "plugdev" "libvertd" "docker" ];
+    "adbusers"
+    "wheel"
+    "plugdev"
+    "libvertd"
+    "docker"
+  ];
   virtualisation.libvirtd.enable = true;
   hardware.keyboard.zsa.enable = true;
   services.udev.extraRules = ''

hosts/helix/default.nix

@@ -1,4 +1,10 @@
-{ self, profiles, suites, pkgs, ... }:
+{
+  self,
+  profiles,
+  suites,
+  pkgs,
+  ...
+}:
 {
   imports = [
     ./configuration.nix
@@ -6,12 +12,14 @@
     ../profiles/server
     # ../profiles/metrics
     ../profiles/gitea
+    # ../profiles/radicle-seed
     # ../profiles/woodpecker-server
     ../profiles/rss-bridge
     # ../profiles/mount-mossnet
-    ../profiles/freshrss
+    # ../profiles/freshrss
-    ../profiles/microbin
+    # ../profiles/microbin
-    ../profiles/site
+    # TODO: re-enable after basant pyproject fix for 25.11
+    # ../profiles/site
 
     # ../profiles/postgres_upgrade_script
   ];
@@ -50,7 +58,7 @@
   services.postgresqlBackup = {
     # TODO needs working wireguard to box
     enable = false;
-    databases = [ "gitea" "freshrss"  ]; # "woodpecker"
+    databases = [ "freshrss" ]; # gitea removed (now using radicle)
     location = "/mnt/two/postgres";
   };
 
@@ -58,7 +66,8 @@
     enable = true;
     name = "helix";
     paths = [
-      "/var/lib/gitea"
+      # "/var/lib/gitea"  # Replaced by radicle
+      "/var/lib/radicle"
       "/var/lib/freshrss"
       # "/var/lib/woodpecker"
       "/var/lib/microbin"

hosts/profiles/archivebox/default.nix

@@ -1,4 +1,10 @@
-{ config, options, lib, pkgs, ... }:
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
 with lib;
 let
   # cfg = config.services.archivebox;
@@ -7,9 +13,8 @@ let
   port = "8123";
 in
 {
-  nixpkgs.config.permittedInsecurePackages = [
+  # Note: permittedInsecurePackages must be set in flake.nix nixpkgsFor config
-    "python3.10-django-3.1.14"
+  # if archivebox still requires python3.10-django-3.1.14
-  ];
 
   services.nginx.virtualHosts."archive.mossnet.lan" = {
     enableACME = false;
@@ -26,7 +31,10 @@ in
   systemd.services.archivebox-install = {
     description = "archivebox install service";
     wantedBy = [ "multi-user.target" ];
-    path = with pkgs; [ coreutils archivebox ];
+    path = with pkgs; [
+      coreutils
+      archivebox
+    ];
 
     serviceConfig = {
       User = user;
@@ -51,7 +59,10 @@ in
   systemd.services.archivebox-server = {
     description = "archivebox server service";
     wantedBy = [ "multi-user.target" ];
-    path = with pkgs; [ coreutils archivebox ];
+    path = with pkgs; [
+      coreutils
+      archivebox
+    ];
 
     serviceConfig = {
       User = user;

hosts/profiles/calibre/default.nix

@@ -8,7 +8,7 @@
     user = "calibre-server";
     group = "calibre-server";
     options = {
-      calibreLibrary = "/data/books";
+      calibreLibrary = "/tank/books";
       enableBookUploading = true;
     };
   };
@@ -20,7 +20,7 @@
 
   services.calibre-server = {
     enable = true;
-    libraries = [ "/data/books" ];
+    libraries = [ "/tank/books" ];
     # Bug in the module puts this in quotes in the systemd file
     # user = calibre;
     # group = calibre;

hosts/profiles/dns/default.nix

@@ -1,14 +1,22 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   adblockLocalZones = pkgs.stdenv.mkDerivation {
     name = "unbound-zones-adblock";
 
-    src = (pkgs.fetchFromGitHub {
+    src = (
+      pkgs.fetchFromGitHub {
         owner = "StevenBlack";
         repo = "hosts";
         rev = "3.12.21";
         sha256 = "Yzr6PY/zqQE+AHH0J6ioHTsgkikM+dz4aelbGpQJa1s=";
-    } + "/hosts");
+      }
+      + "/hosts"
+    );
 
     phases = [ "installPhase" ];
 
@@ -40,9 +48,11 @@ let
     "photos.mossnet.lan"
     "pod.mossnet.lan"
     "mast.mossnet.lan"
+    "rad.mossnet.lan"
   ];
 
-in {
+in
+{
   services.unbound = {
     enable = true;
     settings = {
@@ -53,9 +63,17 @@ in {
         # private-address = "192.168.1.0/24";
         cache-min-ttl = 0;
         serve-expired = "yes";
-        interface = [ "0.0.0.0" "::" ];
+        interface = [
-        access-control =
+          "0.0.0.0"
-          [ "127.0.0.0/8 allow" "192.168.1.0/24 allow" "10.0.69.0/24 allow" "::1 allow" "fd7d:587a:4300:1::/64 allow" ];
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "192.168.1.0/24 allow"
+          "10.0.69.0/24 allow"
+          "::1 allow"
+          "fd7d:587a:4300:1::/64 allow"
+        ];
         access-control-view = "10.0.69.0/24 wireguard";
         # so-reuseport = "yes";
         tls-upstream = "yes";
@@ -63,7 +81,8 @@ in {
         local-zone = ''"mossnet.lan." redirect'';
         local-data = ''"mossnet.lan. IN A ${mossnet}"'';
       };
-      forward-zone = [{
+      forward-zone = [
+        {
           name = ".";
           forward-addr = [
             "45.90.28.0#6939b9.dns.nextdns.io"
@@ -71,7 +90,8 @@ in {
           ];
           # non-tls
           # forward-addr = ["45.90.30.49" "45.90.28.49" "1.1.1.1" "8.8.8.8"]
-      }];
+        }
+      ];
       view = {
         name = "wireguard";
         local-zone = ''"mossnet.lan." redirect'';

hosts/profiles/gonic/default.nix

@@ -1,12 +1,17 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
   environment.systemPackages = [ pkgs.ffmpeg ];
   mossnet.gonic.enable = true;
   mossnet.gonic.settings = ''
-    music-path /mnt/two/music/
+    music-path /tank/media/music/
-    podcast-path /data/podcasts
+    podcast-path /tank/podcasts
-    cache-path /data/cache
+    cache-path /tank/cache
-    playlists-path /data/playlists
+    playlists-path /tank/playlists
   '';
   mossnet.gonic.user = "gonic";
   mossnet.gonic.group = "audio";

hosts/profiles/headphones/default.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
   services.headphones = {
     enable = true;
@@ -6,7 +11,7 @@
     port = 8181;
     user = "headphones";
     group = "audio";
-    dataDir = "/data/music";
+    dataDir = "/tank/media/music";
   };
   services.nginx.virtualHosts."headphones.mossnet.lan" = {
     enableACME = false;

hosts/profiles/immich/default.nix

@@ -5,10 +5,11 @@
     package = pkgs.unstable.immich;
     database = {
       enable = true;
+      enableVectorChord = true; # 25.11: Use VectorChord instead of pgvecto-rs
     };
     host = "0.0.0.0";
     port = 8567;
-    mediaLocation = "/mnt/two/photos";
+    mediaLocation = "/tank/media/photos";
     openFirewall = true;
     settings.server.externalDomain = "https://photos.sealight.xyz";
   };

hosts/profiles/jacket/default.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
   services.jackett = {
     enable = true;
@@ -17,9 +22,9 @@
       '';
     };
   };
+
   services.lidarr = {
     enable = true;
-    user = "headphones";
     group = "audio";
   };
   services.nginx.virtualHosts."lidarr.mossnet.lan" = {
@@ -32,4 +37,35 @@
       '';
     };
   };
+
+  services.sonarr = {
+    enable = true;
+    group = "video";
+  };
+  services.nginx.virtualHosts."sonarr.mossnet.lan" = {
+    enableACME = false;
+    forceSSL = false;
+
+    locations."/" = {
+      extraConfig = ''
+        proxy_pass http://127.0.0.1:8989/;
+      '';
+    };
+  };
+
+  services.jellyseerr = {
+    enable = true;
+    # group = "video";
+  };
+  services.nginx.virtualHosts."seerr.mossnet.lan" = {
+    enableACME = false;
+    forceSSL = false;
+
+    locations."/" = {
+      extraConfig = ''
+        proxy_pass http://127.0.0.1:5055/;
+      '';
+    };
+  };
+
 }

hosts/profiles/jellyfin/default.nix

@@ -1,15 +1,18 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
   # Enable Hardware Acceleration for transcoding
-  nixpkgs.config.packageOverrides = pkgs: {
+  # Note: intel-vaapi-driver override with enableHybridCodec should be in flake.nix overlay if needed
-    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  hardware.graphics = {
-  };
-  hardware.opengl = {
     enable = true;
     extraPackages = with pkgs; [
       intel-media-driver
-      vaapiIntel
+      intel-vaapi-driver # renamed from vaapiIntel in 25.11
-      vaapiVdpau
+      libva-vdpau-driver # renamed from vaapiVdpau in 25.11
       libvdpau-va-gl
       intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
     ];
@@ -18,10 +21,22 @@
     enable = true;
     user = "jellyfin";
     group = "video";
-    openFirewall = true; # only for defaults
+    openFirewall = true; # only for defaults (8096)
   };
-  networking.firewall.allowedTCPPorts = [ 8181 ];
   users.users.jellyfin = {
-    extraGroups = [ "video" "audio" ];
+    extraGroups = [
+      "video"
+      "audio"
+    ];
+  };
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "jellyfin.mossnet.lan" = {
+        forceSSL = false;
+        enableACME = false;
+        locations."/".proxyPass = "http://localhost:8096/";
+      };
+    };
   };
 }

hosts/profiles/matrix/compress-state-service.nix

@@ -1,10 +1,10 @@
 { pkgs, ... }:
 {
-  environment.systemPackages = [ pkgs.matrix-synapse-tools.rust-synapse-compress-state ];
+  environment.systemPackages = [ pkgs.rust-synapse-compress-state ];
   systemd.services.compress-matrix-state = {
     serviceConfig.Type = "oneshot";
     path = [
-      pkgs.matrix-synapse-tools.rust-synapse-compress-state
+      pkgs.rust-synapse-compress-state
     ];
     script = ''
       synapse_auto_compressor -p "host=/run/postgresql port=5432 user=matrix-synapse dbname=matrix-synapse" -n 2000000 -c 10000

hosts/profiles/matrix/default.nix

@@ -1,10 +1,16 @@
-{ self, config, lib, pkgs, ... }:
+{
+  self,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
   imports = [
     ./mautrix-telegram.nix
-    ./mautrix-services.nix
+    # ./mautrix-discord.nix # Native NixOS 25.11 module (replaces nix-matrix-appservices)
-    # ./mautrix-discord.nix
+    # ./mautrix-services.nix  # Old nix-matrix-appservices - discord moved to native module
     # ./mautrix-whatsapp.nix
     # ./mautrix-slack.nix
     # ./mautrix-signal.nix
@@ -24,24 +30,31 @@
     settings = {
       max_upload_size = "100M";
       server_name = "sealight.xyz";
-      federation_sender_instances = [];
+      federation_sender_instances = [ ];
       listeners = [
         {
           port = 8448;
           tls = false;
-          resources = [{
+          resources = [
+            {
               compress = true;
-            names = [ "client" "federation" ];
+              names = [
-          }];
+                "client"
+                "federation"
+              ];
+            }
+          ];
         }
         {
           port = 9090;
           type = "metrics";
           bind_addresses = [ "0.0.0.0" ];
-          resources = [{
+          resources = [
+            {
               compress = false;
               names = [ ];
-          }];
+            }
+          ];
           tls = false;
         }
       ];
@@ -52,10 +65,9 @@
         #   chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/discord-registration.yaml
         # "/var/lib/matrix-synapse/telegram-registration.yaml"
         "/var/lib/matrix-synapse/signal-registration.yaml"
-        #"/var/lib/matrix-as-whatsapp/whatsapp-registration.yaml"
+        # Discord now uses native module with registerToSynapse = true (auto-registers)
-        "/var/lib/matrix-as-discord/discord-registration.yaml"
+        # "/var/lib/matrix-as-discord/discord-registration.yaml"
         # "/var/lib/matrix-synapse/slack-registration.yaml"
-        # "/var/lib/matrix-synapse/discord-registration.yaml"
         # "/var/lib/matrix-synapse/whatsapp-registration.yaml"
       ];
       turn_uris = [
@@ -156,10 +168,12 @@
 
   networking.firewall =
     let
-      range = with config.services.coturn; [{
+      range = with config.services.coturn; [
+        {
           from = min-port;
           to = max-port;
-      }];
+        }
+      ];
     in
     {
       enable = true;

hosts/profiles/matrix/mautrix-discord.nix

@@ -0,0 +1,34 @@
+{
+  self,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  # Native NixOS 25.11 mautrix-discord module
+  # Replaces the nix-matrix-appservices discord configuration
+  services.mautrix-discord = {
+    enable = true;
+    registerToSynapse = true;
+    settings = {
+      homeserver = {
+        address = "https://sealight.xyz";
+        domain = "sealight.xyz";
+      };
+      appservice = {
+        id = "discord";
+        bot_username = "discordbridge";
+        address = "http://localhost:29188";
+        port = 29188;
+        # Uses SQLite by default, can switch to PostgreSQL:
+        # database = "postgresql:///mautrix-discord?host=/run/postgresql";
+      };
+      bridge = {
+        permissions = {
+          "@aynish:sealight.xyz" = "admin";
+        };
+      };
+    };
+  };
+}

hosts/profiles/monitoring/default.nix

@@ -1,4 +1,10 @@
-{ self, config, pkgs, ... }: {
+{
+  self,
+  config,
+  pkgs,
+  ...
+}:
+{
   age.secrets.nullhex-smtp.file = "${self}/secrets/nullhex-smtp.age";
   age.secrets.nullhex-smtp.owner = "grafana";
 
@@ -34,21 +40,23 @@
   };
 
   services.postgresql = {
-      ensureUsers = [{
+    ensureUsers = [
+      {
         name = "grafana";
-        # TODO this is deprecated 
+      }
-        # Need to translate this to 
+    ];
-        # systemd.services.postgresql.postStart
-        # or initialScript 
-        ensurePermissions = {
-          "ALL TABLES IN SCHEMA public" = "SELECT";
-          "DATABASE wallabag" = "CONNECT";
-          "DATABASE ulogger" = "CONNECT";
-          "DATABASE photoprism" = "CONNECT";
-        };
-      }];
   };
 
+  # Grant grafana user read access to databases for monitoring
+  systemd.services.postgresql.postStart = pkgs.lib.mkAfter ''
+    $PSQL -tAc "GRANT CONNECT ON DATABASE wallabag TO grafana" 2>/dev/null || true
+    $PSQL -tAc "GRANT CONNECT ON DATABASE ulogger TO grafana" 2>/dev/null || true
+    $PSQL -tAc "GRANT CONNECT ON DATABASE photoprism TO grafana" 2>/dev/null || true
+    $PSQL -d wallabag -tAc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana" 2>/dev/null || true
+    $PSQL -d ulogger -tAc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana" 2>/dev/null || true
+    $PSQL -d photoprism -tAc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana" 2>/dev/null || true
+  '';
+
   services.prometheus = {
     enable = true;
     port = 9001;
@@ -66,11 +74,15 @@
     scrapeConfigs = [
       {
         job_name = "box";
-        static_configs = [{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }];
+        static_configs = [
+          { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
+        ];
       }
       {
         job_name = "dns";
-        static_configs = [{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; }];
+        static_configs = [
+          { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; }
+        ];
       }
     ];
   };

hosts/profiles/nfs/default.nix

@@ -12,16 +12,31 @@
     statdPort = 4000;
     extraNfsdConfig = '''';
     exports = ''
-      /home/ftp          192.168.1.0/24(rw)
+      /tank/ftp              192.168.1.0/24(rw)
-      /mnt/one           192.168.1.0/24(rw)
+      /tank/media/music      192.168.1.0/24(rw,async,no_subtree_check) 10.0.69.0/24(rw,async,no_subtree_check)
-      /mnt/two           192.168.1.0/24(rw,async,no_subtree_check) 10.0.69.0/24(rw,async,no_subtree_check)
+      /tank/media/photos     192.168.1.0/24(rw,async,no_subtree_check) 10.0.69.0/24(rw,async,no_subtree_check)
-      /mnt/three         192.168.1.0/24(rw)
+      /tank/media/movies     192.168.1.0/24(rw)
+      /tank/media/tv         192.168.1.0/24(rw)
     '';
   };
 
   networking.firewall = {
-    allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
+    allowedTCPPorts = [
-    allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
+      111
+      2049
+      4000
+      4001
+      4002
+      20048
+    ];
+    allowedUDPPorts = [
+      111
+      2049
+      4000
+      4001
+      4002
+      20048
+    ];
   };
 
   #systemd.services.create-mount-dir = {

hosts/profiles/opencode-server/default.nix

@@ -0,0 +1,50 @@
+{
+  self,
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+
+let
+  opencode = inputs.llm-agents.packages.${pkgs.system}.opencode;
+in
+{
+  systemd.services.opencode-server = {
+    description = "OpenCode HTTP Server";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # Read the API key from the agenix secret file and export it
+    script = ''
+      export ANTHROPIC_API_KEY="$(cat /run/agenix/anthropicToken)"
+      exec ${opencode}/bin/opencode serve --port 4096 --hostname 0.0.0.0
+    '';
+
+    serviceConfig = {
+      Type = "simple";
+      WorkingDirectory = "/home/anish/usr";
+      User = "anish";
+      Restart = "on-failure";
+      RestartSec = "10";
+
+      # Hardening
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+    };
+  };
+
+  # Open firewall port for LAN access
+  networking.firewall.allowedTCPPorts = [ 4096 ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "opencode.mossnet.lan" = {
+        forceSSL = false;
+        enableACME = false;
+        locations."/".proxyPass = "http://localhost:4096/";
+      };
+    };
+  };
+}

hosts/profiles/radicle-node/default.nix

@@ -0,0 +1,85 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}:
+let
+  # Custom radicle-explorer configured for local box node
+  localExplorer = pkgs.radicle-explorer.withConfig {
+    preferredSeeds = [
+      {
+        hostname = "rad.mossnet.lan";
+        port = 80;
+        scheme = "http";
+      }
+    ];
+  };
+in
+{
+  age.secrets.radicle-box-key.file = "${self}/secrets/radicle-box-key.age";
+  age.secrets.radicle-box-key.owner = "radicle";
+
+  services.radicle = {
+    enable = true;
+    privateKeyFile = config.age.secrets.radicle-box-key.path;
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII2QC5AbaTHCRVzGluWgXUlyBNFDxcLiIeViv81f3TYw mossnet.lan";
+
+    node = {
+      listenAddress = "0.0.0.0"; # Listen on all interfaces for local LAN access
+      listenPort = 8776;
+      openFirewall = true;
+    };
+
+    settings = {
+      node = {
+        alias = "mossnet.lan";
+        connect = [ "z6MkfPhJnbrHbB4FNcub7weT8CRcqFgfJinDfSYjPwK9tSXy@10.0.69.5:8776" ];
+        seedingPolicy.default = "block";
+      };
+    };
+
+    # HTTP API for local web access
+    httpd = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      listenPort = 8888;
+    };
+  };
+
+  # Nginx to serve radicle-explorer + proxy API
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+
+    virtualHosts."rad.mossnet.lan" = {
+      root = localExplorer;
+
+      locations."/" = {
+        tryFiles = "$uri $uri/ /index.html";
+        index = "index.html";
+      };
+
+      # Proxy API requests to radicle-httpd
+      locations."/api" = {
+        proxyPass = "http://127.0.0.1:8888";
+      };
+
+      # Proxy raw file access to radicle-httpd
+      locations."/raw" = {
+        proxyPass = "http://127.0.0.1:8888";
+      };
+
+      # Proxy git protocol requests (rad:xxx) to radicle-httpd
+      locations."~ ^/rad:" = {
+        proxyPass = "http://127.0.0.1:8888";
+      };
+    };
+  };
+
+  # Open firewall for nginx
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  # rad CLI for interactive use
+  environment.systemPackages = [ pkgs.radicle-node ];
+}

hosts/profiles/radicle-seed/default.nix

@@ -0,0 +1,85 @@
+{
+  self,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  # Custom radicle-explorer with our seed as preferred
+  customExplorer = pkgs.radicle-explorer.withConfig {
+    preferredSeeds = [
+      {
+        hostname = "git.sealight.xyz";
+        port = 443;
+        scheme = "https";
+      }
+    ];
+  };
+in
+{
+  age.secrets.radicle-helix-key.file = "${self}/secrets/radicle-helix-key.age";
+  age.secrets.radicle-helix-key.owner = "radicle";
+
+  services.radicle = {
+    enable = true;
+    privateKeyFile = config.age.secrets.radicle-helix-key.path;
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3x7XH24gEr8xHnt1qKQx38Se2AoXiUnb48/VwfL8/A git.sealight.xyz";
+
+    node = {
+      listenAddress = "0.0.0.0";
+      listenPort = 8776;
+      openFirewall = true;
+    };
+
+    settings = {
+      node = {
+        alias = "git.sealight.xyz";
+        externalAddresses = [ "git.sealight.xyz:8776" ];
+        connect = [ "z6MkoyrvcRdeGU5PyB2SbHj9mNj3nb5p34rZamkEz64GX1c3@10.0.69.4:8776" ];
+        seedingPolicy.default = "block";
+      };
+    };
+
+    httpd = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      listenPort = 8080;
+      # Don't use the module's nginx integration - we'll configure it manually
+      nginx = null;
+    };
+  };
+
+  # Configure nginx manually for radicle-explorer + httpd API
+  services.nginx.virtualHosts."git.sealight.xyz" = {
+    enableACME = true;
+    forceSSL = true;
+
+    # Serve radicle-explorer static files at root
+    root = customExplorer;
+
+    locations."/" = {
+      tryFiles = "$uri $uri/ /index.html";
+      index = "index.html";
+    };
+
+    # Proxy API requests to radicle-httpd
+    locations."/api" = {
+      proxyPass = "http://127.0.0.1:8080";
+      recommendedProxySettings = true;
+    };
+
+    # Proxy raw file access to radicle-httpd
+    locations."/raw" = {
+      proxyPass = "http://127.0.0.1:8080";
+      recommendedProxySettings = true;
+    };
+
+    # Proxy git protocol requests (rad:xxx) to radicle-httpd
+    # These are requests to /:rid/* where rid starts with "rad:"
+    locations."~ ^/rad:" = {
+      proxyPass = "http://127.0.0.1:8080";
+      recommendedProxySettings = true;
+    };
+  };
+}

hosts/profiles/raven/default.nix

@@ -1,8 +1,8 @@
 { pkgs, config, lib, ... }:
 {
-  # ===================
+  virtualisation.docker.enable = true;
-  # Ollama Service
+  users.users.anish.extraGroups = [ "docker" ];
-  # ===================
+
   services.ollama = {
     enable = true;
     acceleration = null;  # CPU only, no GPU
@@ -10,9 +10,6 @@
     port = 11434;
   };
 
-  # ===================
-  # PostgreSQL: Letta Database
-  # ===================
   services.postgresql = {
     enable = true;
     ensureDatabases = [ "letta" ];
@@ -32,32 +29,27 @@
       host letta letta 127.0.0.1/32 scram-sha-256
       host letta letta ::1/128 scram-sha-256
     '';
-
+    # pgvector is already provided by immich profile via services.immich.database.enableVectorChord
-    # Include pgvector extension
-    extraPlugins = ps: [ ps.pgvector ];
   };
 
-  # ===================
+  #systemd.services.raven-db-setup = {
-  # Database Setup Service
+  #  description = "Setup Letta database with pgvector and password";
-  # ===================
+  #  after = [ "postgresql.service" ];
-  # Runs after postgresql to enable pgvector and set password
+  # wantedBy = [ "multi-user.target" ];
-  systemd.services.raven-db-setup = {
+  # Add your user to docker group
-    description = "Setup Letta database with pgvector and password";
+  #  path = [ config.services.postgresql.package ];
-    after = [ "postgresql.service" ];
+  # serviceConfig = {
-    wantedBy = [ "multi-user.target" ];
+  #   Type = "oneshot";
-    path = [ config.services.postgresql.package ];
+  #   User = "postgres";
-    serviceConfig = {
+  #   RemainAfterExit = true;
-      Type = "oneshot";
+  # };
-      User = "postgres";
+  # script = ''
-      RemainAfterExit = true;
+  #   # Enable pgvector extension
-    };
+  #   psql -d letta -c "CREATE EXTENSION IF NOT EXISTS vector;"
-    script = ''
-      # Enable pgvector extension
-      psql -d letta -c "CREATE EXTENSION IF NOT EXISTS vector;"
 
-      # Set password for letta user
+  #   # Set password for letta user
-      # TODO: Consider using agenix for production
+  #   # TODO: Consider using agenix for production
-      psql -c "ALTER USER letta WITH PASSWORD 'letta-dev-password';"
+  #   psql -c "ALTER USER letta WITH PASSWORD 'letta-dev-password';"
-    '';
+  # '';
-  };
+  #;
 }

hosts/profiles/sync/music/get-music.sh

@@ -4,16 +4,16 @@ set -euo pipefail
 
 REMOTE_HOST="aynish@talos.feralhosting.com"
 REMOTE_PATH="private/transmission/data/"
-LOCAL_PATH="/mnt/two/incoming"
+LOCAL_PATH="/tank/new-music"
-TRACKING_FILE="/mnt/two/incoming/.downloaded_albums"
+TRACKING_FILE="/tank/new-music/.downloaded_albums"
-LOG_FILE="/mnt/two/incoming/download-log"
+LOG_FILE="/tank/new-music/download-log"
 
 # Create tracking file if it doesn't exist
 touch "$TRACKING_FILE"
 
 # Get list of albums on remote server
 echo "$(date): Checking for new albums on seedbox..." >>"$LOG_FILE"
-REMOTE_ALBUMS=$(rsync --dry-run --list-only "$REMOTE_HOST:$REMOTE_PATH" | grep '^d' | awk '{$1=$2=$3=$4=""; sub(/^ +/, ""); print}' | grep -v '^\.') || true
+REMOTE_ALBUMS=$(rsync --dry-run --list-only "$REMOTE_HOST:$REMOTE_PATH" | grep '^d' | awk '{$1=$2=$3=$4=""; sub(/^ +/, ""); print}' | grep -v '^\.' | grep -v '^tv-sonarr$') || true
 
 if [ -z "$REMOTE_ALBUMS" ]; then
 	echo "$(date): No albums found on remote server" >>"$LOG_FILE"
@@ -47,7 +47,7 @@ while IFS= read -r album; do
 			echo "$(date): Importing $album to beets..." >>"$LOG_FILE"
 			# Set umask to allow group read/write access
 			umask 002
-			if beet -p fetchart import -m -l /home/anish/music.log -q -g "$LOCAL_PATH/$album"; then
+			if beet import -q "$LOCAL_PATH/$album"; then
 				echo "$(date): Successfully imported $album to beets" >>"$LOG_FILE"
 			else
 				echo "$(date): Failed to import $album to beets" >>"$LOG_FILE"

hosts/profiles/sync/tv/default.nix

@@ -0,0 +1,23 @@
+{ pkgs, lib, ... }:
+
+{
+  systemd.services.get-tv-sync = {
+    serviceConfig.Type = "oneshot";
+    path = [
+      pkgs.coreutils
+      pkgs.openssh
+      pkgs.gawk
+      pkgs.rsync
+      pkgs.curl
+    ];
+    script = builtins.readFile ./get-tv.sh;
+    serviceConfig = {
+      User = "anish";
+    };
+  };
+  systemd.timers.get-tv-sync = {
+    wantedBy = [ "timers.target" ];
+    partOf = [ "get-tv-sync.service" ];
+    timerConfig.OnCalendar = [ "hourly" ];
+  };
+}

hosts/profiles/sync/tv/get-tv.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+REMOTE_HOST="aynish@talos.feralhosting.com"
+REMOTE_PATH="private/transmission/data/tv-sonarr/"
+LOCAL_PATH="/tank/media/tv"
+TRACKING_FILE="/tank/media/tv/.downloaded_shows"
+LOG_FILE="/tank/media/tv/download-log"
+
+# Create local directory and tracking file if they don't exist
+mkdir -p "$LOCAL_PATH"
+touch "$TRACKING_FILE"
+
+# Get list of shows on remote server
+echo "$(date): Checking for new TV shows on seedbox..." >>"$LOG_FILE"
+REMOTE_SHOWS=$(rsync --dry-run --list-only "$REMOTE_HOST:$REMOTE_PATH" | grep '^d' | awk '{$1=$2=$3=$4=""; sub(/^ +/, ""); print}' | grep -v '^\.') || true
+
+if [ -z "$REMOTE_SHOWS" ]; then
+	echo "$(date): No shows found on remote server" >>"$LOG_FILE"
+	exit 0
+fi
+
+# Check each show against tracking file
+NEW_SHOWS=""
+while IFS= read -r show; do
+	if [ -n "$show" ] && ! grep -qF "$show" "$TRACKING_FILE"; then
+		NEW_SHOWS="$NEW_SHOWS$show\n"
+		echo "$(date): Found new show: $show" >>"$LOG_FILE"
+	fi
+done <<<"$REMOTE_SHOWS"
+
+if [ -z "$NEW_SHOWS" ]; then
+	echo "$(date): No new shows to download" >>"$LOG_FILE"
+	exit 0
+fi
+
+# Download new shows only
+echo "$(date): Starting download of new shows..." >>"$LOG_FILE"
+while IFS= read -r show; do
+	if [ -n "$show" ]; then
+		echo "$(date): Downloading $show" >>"$LOG_FILE"
+		# Set umask to allow group read/write access for Jellyfin
+		umask 002
+		if rsync -r --log-file="$LOG_FILE" "$REMOTE_HOST:$REMOTE_PATH$show/" "$LOCAL_PATH/$show/"; then
+			echo "$show" >>"$TRACKING_FILE"
+			echo "$(date): Successfully downloaded $show" >>"$LOG_FILE"
+		else
+			echo "$(date): Failed to download $show" >>"$LOG_FILE"
+		fi
+	fi
+done <<<"$(echo -e "$NEW_SHOWS")"
+
+# Trigger Jellyfin library scan
+echo "$(date): Triggering Jellyfin library refresh..." >>"$LOG_FILE"
+if curl -s -X POST "http://localhost:8096/Library/Refresh" \
+	-H "X-Emby-Token: aef1b1e0cd5445dc97b755ef8c6224e5"; then
+	echo "$(date): Jellyfin library refresh triggered" >>"$LOG_FILE"
+else
+	echo "$(date): Failed to trigger Jellyfin library refresh" >>"$LOG_FILE"
+fi
+
+echo "$(date): TV sync completed" >>"$LOG_FILE"

hosts/profiles/transmission/default.nix

@@ -3,6 +3,7 @@
   environment.systemPackages = [ pkgs.beets ];
   services.transmission = {
     enable = true;
+    package = pkgs.transmission_4; # 25.11: transmission_3 removed, explicitly use v4
     settings = {
       rpc-enabled = true;
       rpc-bind-address = "0.0.0.0";
@@ -11,12 +12,12 @@
       # Normally, I would write this into the homedir with home-manager
       # And explictly set the dir to be the output of the home-manager location
       script-torrent-done-filename = pkgs.writeShellScript "beet-import.sh" ''
-#!/usr/bin/env bash
+        #!/usr/bin/env bash
 
-beet -p fetchart  import -l /home/anish/music.log -q -g "$TR_TORRENT_DIR"
+        beet -p fetchart  import -l /home/anish/music.log -q -g "$TR_TORRENT_DIR"
       '';
       rpc-url = "/transmission/rpc/";
-      download-dir = "/mnt/two/new-music";
+      download-dir = "/tank/new-music";
     };
   };
   services.nginx.virtualHosts."transmission.mossnet.lan" = {

install-box.sh

@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Install script for box NAS
+# Run this from the NixOS installer after rsync'ing the helm repo
+#
+# Prerequisites:
+#   - Boot NixOS installer
+#   - Enable SSH: passwd && sudo systemctl start sshd
+#   - rsync helm repo: rsync -avz --exclude='.git' /path/to/helm nixos@<IP>:~/
+#
+# Usage:
+#   cd ~/helm
+#   ./install-box.sh
+
+# Configuration
+FLAKE="$HOME/helm#box"
+NVME="/dev/disk/by-id/nvme-CT500P310SSD8_2544543B87C2"
+
+# ZFS drives - update these if drives change
+ZFS1="/dev/disk/by-id/ata-WDC_WD40EFPX-68C6CN0_WD-WX32D954A2J7"
+ZFS2="/dev/disk/by-id/ata-WDC_WD40EFPX-68C6CN0_WD-WX32D95FVZVL"
+ZFS3="/dev/disk/by-id/ata-WDC_WD40EFPX-68C6CN0_WD-WX42D95M807R"
+
+echo "=== Box NAS Installation ==="
+echo ""
+echo "This will install NixOS with:"
+echo "  - NVMe boot drive: $NVME"
+echo "  - ZFS RAIDZ1 pool with 3x 4TB drives (~8TB usable)"
+echo ""
+
+# Verify drives exist
+echo "Verifying drives..."
+for disk in "$NVME" "$ZFS1" "$ZFS2" "$ZFS3"; do
+  if [[ ! -e "$disk" ]]; then
+    echo "ERROR: Disk not found: $disk"
+    echo "Available disks:"
+    ls -la /dev/disk/by-id/ | grep -E '(nvme|ata)' | grep -v part
+    exit 1
+  fi
+done
+echo "All drives found."
+echo ""
+
+# Generate ZFS keyfile
+echo "Generating ZFS keyfile..."
+dd if=/dev/urandom of=/tmp/tank.key bs=32 count=1 2>/dev/null
+echo "ZFS keyfile created at /tmp/tank.key"
+echo ""
+
+# Get LUKS password
+echo "Enter LUKS password for boot drive encryption:"
+read -s LUKS_PASSWORD
+echo ""
+echo "Confirm LUKS password:"
+read -s LUKS_PASSWORD_CONFIRM
+echo ""
+
+if [[ "$LUKS_PASSWORD" != "$LUKS_PASSWORD_CONFIRM" ]]; then
+  echo "ERROR: Passwords do not match"
+  exit 1
+fi
+
+echo -n "$LUKS_PASSWORD" > /tmp/luks-password
+echo "LUKS password saved."
+echo ""
+
+# Confirm before proceeding
+echo "WARNING: This will DESTROY all data on the following drives:"
+echo "  - $NVME"
+echo "  - $ZFS1"
+echo "  - $ZFS2"
+echo "  - $ZFS3"
+echo ""
+read -p "Type 'yes' to continue: " CONFIRM
+if [[ "$CONFIRM" != "yes" ]]; then
+  echo "Aborted."
+  exit 1
+fi
+
+echo ""
+echo "Running disko-install..."
+sudo nix \
+  --extra-experimental-features nix-command \
+  --extra-experimental-features flakes \
+  run 'github:nix-community/disko/latest#disko-install' -- \
+  --flake "$FLAKE" \
+  --disk nvme "$NVME" \
+  --disk zfs1 "$ZFS1" \
+  --disk zfs2 "$ZFS2" \
+  --disk zfs3 "$ZFS3"
+
+echo ""
+echo "Copying ZFS keyfile to installed system..."
+# disko-install mounts the root filesystem at /mnt
+if [[ ! -d /mnt/etc ]]; then
+  echo "ERROR: /mnt/etc does not exist. Is the root filesystem mounted?"
+  exit 1
+fi
+sudo mkdir -p /mnt/etc/zfs
+sudo cp /tmp/tank.key /mnt/etc/zfs/tank.key
+sudo chmod 000 /mnt/etc/zfs/tank.key
+
+echo "Updating ZFS keylocation to permanent path..."
+# Update keylocation so ZFS looks for the key in the installed system
+sudo zfs set keylocation=file:///etc/zfs/tank.key tank
+
+echo ""
+echo "Cleaning up..."
+rm -f /tmp/luks-password /tmp/tank.key
+
+echo ""
+echo "=== Installation complete! ==="
+echo ""
+echo "Next steps:"
+echo "  1. Reboot: sudo reboot"
+echo "  2. Enter LUKS password at boot prompt"
+echo "  3. SSH to box at 192.168.1.240"
+echo ""

overlays/default.nix

@@ -24,7 +24,9 @@
     });
 
     wallabag = prev.wallabag.overrideAttrs (attrs: {
-      patches = builtins.filter (patch: builtins.baseNameOf patch != "wallabag-data.patch") attrs.patches ++ [
+      patches =
+        builtins.filter (patch: builtins.baseNameOf patch != "wallabag-data.patch") attrs.patches
+        ++ [
           # Out of the box, Wallabag wants to write to various subdirectories of the project directory.
           # Let’s replace references to such paths with designated systemd locations
           # so that the project source can remain immutable.
@@ -33,12 +35,10 @@
     });
 
     olm = prev.olm.overrideAttrs (attrs: {
-      knownVulnerabilities = [];
+      knownVulnerabilities = [ ];
     });
 
-    mautrix-discord = prev.mautrix-discord.overrideAttrs (attrs: rec {
+    # mautrix-discord overlay removed - now using native NixOS 25.11 module
-      license = "";
-    });
 
     # Need to do server and agent too, maybe
     # woodpecker-cli-next =

pkgs/fennel-ls.nix

@@ -9,7 +9,7 @@ pkgs.stdenv.mkDerivation rec {
   };
   buildInputs = with pkgs; [
     lua
-    fennel
+    luaPackages.fennel # renamed from fennel in 25.11
   ];
 
   configurePhase = ''

scripts/migrate-forgejo-to-radicle.sh

@@ -0,0 +1,168 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Migration script: Forgejo bare repos -> Radicle
+# 
+# Usage:
+#   1. First rsync repos from helix:
+#      rsync -avz git.sealight.xyz:/var/lib/gitea/repositories/aynish/ /tmp/forgejo-migration/
+#   
+#   2. Run this script:
+#      sudo -u radicle ./migrate-forgejo-to-radicle.sh /tmp/forgejo-migration
+#
+# Or run as root:
+#      ./migrate-forgejo-to-radicle.sh /tmp/forgejo-migration
+
+SOURCE_DIR="${1:-/tmp/forgejo-migration}"
+WORK_DIR="/var/lib/radicle/migration"
+LOG_FILE="/var/lib/radicle/migration.log"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+log() { echo -e "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"; }
+log_success() { log "${GREEN}✓ $1${NC}"; }
+log_warn() { log "${YELLOW}⚠ $1${NC}"; }
+log_error() { log "${RED}✗ $1${NC}"; }
+
+# Use rad directly with proper environment (rad-system can't access files outside sandbox)
+export RAD_HOME=/var/lib/radicle
+export HOME=/var/lib/radicle
+RAD_CMD="rad"
+
+# Ensure keys are in place (agenix stores them in /run/agenix/)
+if [[ -f /run/agenix/radicle-box-key ]] && [[ ! -s /var/lib/radicle/keys/radicle ]]; then
+  log "Setting up radicle keys..."
+  cp /run/agenix/radicle-box-key /var/lib/radicle/keys/radicle
+  chmod 600 /var/lib/radicle/keys/radicle
+  chown radicle:radicle /var/lib/radicle/keys/radicle
+fi
+
+# Get public key from the config if not present
+if [[ ! -s /var/lib/radicle/keys/radicle.pub ]]; then
+  log "Generating public key..."
+  ssh-keygen -y -f /var/lib/radicle/keys/radicle > /var/lib/radicle/keys/radicle.pub 2>/dev/null || true
+  chown radicle:radicle /var/lib/radicle/keys/radicle.pub
+fi
+
+# Check source directory
+if [[ ! -d "$SOURCE_DIR" ]]; then
+  log_error "Source directory not found: $SOURCE_DIR"
+  echo ""
+  echo "First rsync repos from helix:"
+  echo "  rsync -avz git.sealight.xyz:/var/lib/gitea/repositories/aynish/ /tmp/forgejo-migration/"
+  exit 1
+fi
+
+# Create work directory
+mkdir -p "$WORK_DIR"
+cd "$WORK_DIR"
+
+log "Starting Forgejo -> Radicle migration"
+log "Source: $SOURCE_DIR"
+log "Work dir: $WORK_DIR"
+log "Using: $RAD_CMD"
+
+# Count repos
+REPOS=$(find "$SOURCE_DIR" -maxdepth 1 -name "*.git" -type d | sort)
+TOTAL=$(echo "$REPOS" | grep -c . || echo 0)
+
+if [[ "$TOTAL" -eq 0 ]]; then
+  log_error "No .git directories found in $SOURCE_DIR"
+  exit 1
+fi
+
+log "Found $TOTAL repositories to migrate"
+echo ""
+
+MIGRATED=0
+SKIPPED=0
+FAILED=0
+
+for BARE_REPO in $REPOS; do
+  # Extract repo name (remove .git suffix)
+  REPO_NAME=$(basename "$BARE_REPO" .git)
+  
+  log "Processing: $REPO_NAME"
+  
+  CLONE_DIR="$WORK_DIR/$REPO_NAME"
+  
+  # Clone bare repo to working directory
+  if [[ -d "$CLONE_DIR/.git" ]]; then
+    log "  Directory exists, skipping clone"
+  else
+    log "  Cloning from bare repo..."
+    if ! git clone --quiet "$BARE_REPO" "$CLONE_DIR" 2>>"$LOG_FILE"; then
+      log_error "  Failed to clone $REPO_NAME"
+      ((FAILED++)) || true
+      continue
+    fi
+  fi
+  
+  cd "$CLONE_DIR"
+  
+  # Check if already initialized in Radicle
+  if $RAD_CMD . >/dev/null 2>&1; then
+    log_warn "  Already initialized in Radicle, skipping"
+    cd "$WORK_DIR"
+    ((SKIPPED++)) || true
+    continue
+  fi
+  
+  # Get current branch
+  CURRENT_BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || echo "main")
+  
+  # Normalize to main if needed
+  if [[ "$CURRENT_BRANCH" != "main" ]]; then
+    log "  Normalizing branch: $CURRENT_BRANCH -> main"
+    git branch -m "$CURRENT_BRANCH" main 2>>"$LOG_FILE" || true
+  fi
+  
+  # Get description from git config if available
+  DESCRIPTION=$(git config --get gitweb.description 2>/dev/null || echo "Migrated from Forgejo")
+  
+  # Truncate description if too long
+  if [[ ${#DESCRIPTION} -gt 255 ]]; then
+    DESCRIPTION="${DESCRIPTION:0:252}..."
+  fi
+  
+  # Initialize in Radicle
+  log "  Initializing in Radicle..."
+  if $RAD_CMD init \
+    --name "$REPO_NAME" \
+    --description "$DESCRIPTION" \
+    --default-branch main \
+    --public 2>>"$LOG_FILE"; then
+    
+    # Push to radicle
+    log "  Pushing to Radicle..."
+    if git push rad main 2>>"$LOG_FILE"; then
+      RID=$($RAD_CMD . 2>/dev/null || echo "unknown")
+      log_success "  Migrated: $REPO_NAME -> $RID"
+      ((MIGRATED++)) || true
+    else
+      log_error "  Failed to push $REPO_NAME"
+      ((FAILED++)) || true
+    fi
+  else
+    log_error "  Failed to init $REPO_NAME in Radicle"
+    ((FAILED++)) || true
+  fi
+  
+  cd "$WORK_DIR"
+done
+
+echo ""
+log "========================================"
+log "Migration Summary:"
+log "  Total repos:  $TOTAL"
+log "  Migrated:     $MIGRATED"
+log "  Skipped:      $SKIPPED"
+log "  Failed:       $FAILED"
+log "========================================"
+echo ""
+log "Verify with: $RAD_CMD ls"
+log "Configure helix to follow: rad-system follow <box-nid> --alias mossnet"

secrets/radicle-helix-key.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kgCrKA WzvIX43OcJw/qxPgTw3iUjorQ0ahFHYZEmnghnUz/xc
+HtNx7XqWFZDNpjNiquxfRrnP/TcXxoPn6mMB0BMjlJw
+-> ssh-ed25519 6DaCrw dZ9etYRaGuAO0gcA3Krdgvcg9vkwctAtJzKevgjE3wc
+gbWQHzO//bGp3Jl513GIgzaM4FzJSiA5thOSWWsx7ik
+--- QeO3vdOBbisSZaBECB1Wa603H6P7lXDJwxerJ8gH4+M
+þlGêýX­É.ø­“®«$lp^^ ”0üzK8‚8 Qu�Q•Þïq;Y­ðŽ85³ÈRM÷4†ÖçI:gŒßqÿ“žípܺÏåž,OãdPk­RèÚrq¤UëíM•‹!ž¥=EuÈ2 �[_à!%CE—ê
+íø"—åo²
3wû„l"	:TŸ6àºÁTâÜ[[Pn”Éq¡Bì7'àFü¨8ŸŒËï‚Ž:6E¦Í³àʽ\¾
ó#ê1ëÄžå¨K¾jŠ.·Ð¬êê)V³™ŸBuÑN ê"Ë÷S,Àïµ^ïêDÅ�&�Æ©¨¾£h´%*ågé°ÂòvìN^¨-Òô2P�ïBñÃb¬'?
ˆL¯jF,’-¡b«ç:¡,ˆx#ÑįÑ UY€_ÁQpÈÝø+ëjÂ!ÿU­Š ‡;úAÞúјÍærå‡5«Ó�0ƒ¤Aá|<èÉ=j“ß�²s»™q;bŠŸ!BW'Ý´¼8ÄAˆsË#ô=	êêi�½`|œNÙ¬ÇK‹oÌ°H–ö“)ŠŒÞ°
+Î?Á"±„	7–pç¯WÕÿä•áÒ�

secrets/secrets.nix

@@ -7,9 +7,21 @@ let
   helix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKrL6IDHNnHmxi0q9nzu87NOyidPm3HpE7klU368lEf root@helix";
   helix2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2G81z1E51ioJQGLHnTJEjgSdBqLM6mb72Z+0atE6Bf root@helix";
   work = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOnfDvR2D2nGnC+DZYDUXiokzz+eLfZwkp+O8WjWutp anishlakhwara@Anishs-MacBook-Pro.local";
-  curve = [ system user ];
+  curve = [
-  allUserKeys = [ system user mossnet ];
+    system
-  systemOnly = [ system mossnet lituus helix ];
+    user
+  ];
+  allUserKeys = [
+    system
+    user
+    mossnet
+  ];
+  systemOnly = [
+    system
+    mossnet
+    lituus
+    helix
+  ];
 in
 {
   "taskwarrior-private.age".publicKeys = curve;
@@ -20,10 +32,22 @@ in
   "borg-password.age".publicKeys = systemOnly;
   "borg-key.age".publicKeys = systemOnly;
 
-  "helix-wg.age".publicKeys = [ helix2 helix ];
+  "helix-wg.age".publicKeys = [
-  "freshrss-dbpass.age".publicKeys = [ helix2 helix ];
+    helix2
-  "woodpecker-server-secrets.age".publicKeys = [ helix2 helix ];
+    helix
-  "gitea-dbpass.age".publicKeys = [ helix helix2 ];
+  ];
+  "freshrss-dbpass.age".publicKeys = [
+    helix2
+    helix
+  ];
+  "woodpecker-server-secrets.age".publicKeys = [
+    helix2
+    helix
+  ];
+  "gitea-dbpass.age".publicKeys = [
+    helix
+    helix2
+  ];
 
   "synapse-config.age".publicKeys = [ lituus ];
   "synapse-database-password.age".publicKeys = [ lituus ];
@@ -31,12 +55,37 @@ in
   "telegram-matrix-env.age".publicKeys = [ lituus ];
 
   "wallabag.age".publicKeys = [ mossnet ];
-  "woodpecker-agent-secret.age".publicKeys = [ mossnet helix helix2 ];
+  "woodpecker-agent-secret.age".publicKeys = [
+    mossnet
+    helix
+    helix2
+  ];
   "box-wg.age".publicKeys = [ mossnet ];
   "wallabag-password.age".publicKeys = [ mossnet ];
   "wallabag-secret.age".publicKeys = [ mossnet ];
 
-  "work-wg.age".publicKeys = [ work user system ];
+  "work-wg.age".publicKeys = [
-  "github-token.age".publicKeys = [ work user system mossnet ];
+    work
-  "anthropicToken.age".publicKeys = [ work user system mossnet ];
+    user
+    system
+  ];
+  "github-token.age".publicKeys = [
+    work
+    user
+    system
+    mossnet
+  ];
+  "anthropicToken.age".publicKeys = [
+    work
+    user
+    system
+    mossnet
+  ];
+
+  # Radicle node keys
+  "radicle-box-key.age".publicKeys = [ mossnet ];
+  "radicle-helix-key.age".publicKeys = [
+    helix
+    helix2
+  ];
 }