Fix conflicting audio role config: remove pulseaudio, keep pipewire

Remove services.pulseaudio configuration that conflicted with
services.pipewire. PipeWire replaces PulseAudio and provides
compatibility through pulse.enable.

Also added alsa.enable and alsa.support32Bit for better ALSA support.

.beads/.gitignore

@@ -0,0 +1,39 @@
+# SQLite databases
+*.db
+*.db?*
+*.db-journal
+*.db-wal
+*.db-shm
+
+# Daemon runtime files
+daemon.lock
+daemon.log
+daemon.pid
+bd.sock
+sync-state.json
+last-touched
+
+# Local version tracking (prevents upgrade notification spam after git ops)
+.local_version
+
+# Legacy database files
+db.sqlite
+bd.db
+
+# Worktree redirect file (contains relative path to main repo's .beads/)
+# Must not be committed as paths would be wrong in other clones
+redirect
+
+# Merge artifacts (temporary files from 3-way merge)
+beads.base.jsonl
+beads.base.meta.json
+beads.left.jsonl
+beads.left.meta.json
+beads.right.jsonl
+beads.right.meta.json
+
+# NOTE: Do NOT add negation patterns (e.g., !issues.jsonl) here.
+# They would override fork protection in .git/info/exclude, allowing
+# contributors to accidentally commit upstream issue databases.
+# The JSONL files (issues.jsonl, interactions.jsonl) and config files
+# are tracked by git by default since no pattern above ignores them.

.beads/README.md

@@ -0,0 +1,81 @@
+# Beads - AI-Native Issue Tracking
+
+Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
+
+## What is Beads?
+
+Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
+
+**Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
+
+## Quick Start
+
+### Essential Commands
+
+```bash
+# Create new issues
+bd create "Add user authentication"
+
+# View all issues
+bd list
+
+# View issue details
+bd show <issue-id>
+
+# Update issue status
+bd update <issue-id> --status in_progress
+bd update <issue-id> --status done
+
+# Sync with git remote
+bd sync
+```
+
+### Working with Issues
+
+Issues in Beads are:
+- **Git-native**: Stored in `.beads/issues.jsonl` and synced like code
+- **AI-friendly**: CLI-first design works perfectly with AI coding agents
+- **Branch-aware**: Issues can follow your branch workflow
+- **Always in sync**: Auto-syncs with your commits
+
+## Why Beads?
+
+✨ **AI-Native Design**
+- Built specifically for AI-assisted development workflows
+- CLI-first interface works seamlessly with AI coding agents
+- No context switching to web UIs
+
+🚀 **Developer Focused**
+- Issues live in your repo, right next to your code
+- Works offline, syncs when you push
+- Fast, lightweight, and stays out of your way
+
+🔧 **Git Integration**
+- Automatic sync with git commits
+- Branch-aware issue tracking
+- Intelligent JSONL merge resolution
+
+## Get Started with Beads
+
+Try Beads in your own projects:
+
+```bash
+# Install Beads
+curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
+
+# Initialize in your repo
+bd init
+
+# Create your first issue
+bd create "Try out Beads"
+```
+
+## Learn More
+
+- **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
+- **Quick Start Guide**: Run `bd quickstart`
+- **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
+
+---
+
+*Beads: Issue tracking that moves at the speed of thought* ⚡

.beads/config.yaml

@@ -0,0 +1,62 @@
+# Beads Configuration File
+# This file configures default behavior for all bd commands in this repository
+# All settings can also be set via environment variables (BD_* prefix)
+# or overridden with command-line flags
+
+# Issue prefix for this repository (used by bd init)
+# If not set, bd init will auto-detect from directory name
+# Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
+# issue-prefix: ""
+
+# Use no-db mode: load from JSONL, no SQLite, write back after each command
+# When true, bd will use .beads/issues.jsonl as the source of truth
+# instead of SQLite database
+# no-db: false
+
+# Disable daemon for RPC communication (forces direct database access)
+# no-daemon: false
+
+# Disable auto-flush of database to JSONL after mutations
+# no-auto-flush: false
+
+# Disable auto-import from JSONL when it's newer than database
+# no-auto-import: false
+
+# Enable JSON output by default
+# json: false
+
+# Default actor for audit trails (overridden by BD_ACTOR or --actor)
+# actor: ""
+
+# Path to database (overridden by BEADS_DB or --db)
+# db: ""
+
+# Auto-start daemon if not running (can also use BEADS_AUTO_START_DAEMON)
+# auto-start-daemon: true
+
+# Debounce interval for auto-flush (can also use BEADS_FLUSH_DEBOUNCE)
+# flush-debounce: "5s"
+
+# Git branch for beads commits (bd sync will commit to this branch)
+# IMPORTANT: Set this for team projects so all clones use the same sync branch.
+# This setting persists across clones (unlike database config which is gitignored).
+# Can also use BEADS_SYNC_BRANCH env var for local override.
+# If not set, bd sync will require you to run 'bd config set sync.branch <branch>'.
+sync-branch: "beads-sync"
+
+# Multi-repo configuration (experimental - bd-307)
+# Allows hydrating from multiple repositories and routing writes to the correct JSONL
+# repos:
+#   primary: "."  # Primary repo (where this database lives)
+#   additional:   # Additional repos to hydrate from (read-only)
+#     - ~/beads-planning  # Personal planning repo
+#     - ~/work-planning   # Work planning repo
+
+# Integration settings (access with 'bd config get/set')
+# These are stored in the database, not in this file:
+# - jira.url
+# - jira.project
+# - linear.url
+# - linear.api-key
+# - github.org
+# - github.repo

.beads/metadata.json

@@ -0,0 +1,4 @@
+{
+  "database": "beads.db",
+  "jsonl_export": "sync_base.jsonl"
+}

.gitattributes

@@ -0,0 +1,3 @@
+
+# Use bd merge for beads JSONL files
+.beads/issues.jsonl merge=beads

AGENTS.md

@@ -172,6 +172,58 @@ Creates an ISO suitable for Ventoy and other USB boot tools in `./result/iso/`.
 - **Garbage collection**: Automatic, deletes older than 10 days
 - **Unfree packages**: Allowed globally
 
+## Issue Tracking (Gitea)
+
+**Tea CLI for Gitea:**
+```bash
+# Note: When using tea CLI, you must specify --repo johno/nixos-configs
+# The CLI doesn't automatically detect the repo from git remote
+
+# List all issues (open by default)
+tea issues --repo johno/nixos-configs
+
+# List closed issues
+tea issues --repo johno/nixos-configs --state closed
+
+# View specific issue
+tea issue --repo johno/nixos-configs 2
+
+# Create new issue
+tea issues create --repo johno/nixos-configs --title "Issue title" --body "Description"
+
+# Add comment to issue
+tea comment --repo johno/nixos-configs 2 "Comment text"
+
+# Close issue (note: 'issues' is plural, issue number comes last)
+tea issues close --repo johno/nixos-configs 2
+```
+
 ## Important Notes
 
-- **Sudo access**: Claude Code does not have sudo access. Ask the user to run elevated commands like `sudo nixos-rebuild switch`
+- **Sudo access**: Claude Code does not have sudo access. Ask the user to run elevated commands like `sudo nixos-rebuild switch`
+
+## Landing the Plane (Session Completion)
+
+**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
+
+**MANDATORY WORKFLOW:**
+
+1. **File issues for remaining work** - Create issues for anything that needs follow-up
+2. **Run quality gates** (if code changed) - Tests, linters, builds
+3. **Update issue status** - Close finished work, update in-progress items
+4. **PUSH TO REMOTE** - This is MANDATORY:
+   ```bash
+   git pull --rebase
+   bd sync
+   git push
+   git status  # MUST show "up to date with origin"
+   ```
+5. **Clean up** - Clear stashes, prune remote branches
+6. **Verify** - All changes committed AND pushed
+7. **Hand off** - Provide context for next session
+
+**CRITICAL RULES:**
+- Work is NOT complete until `git push` succeeds
+- NEVER stop before pushing - that leaves work stranded locally
+- NEVER say "ready to push when you are" - YOU must push
+- If push fails, resolve and retry until it succeeds

flake.lock

@@ -1,13 +1,34 @@
 {
   "nodes": {
+    "beads": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1767911810,
+        "narHash": "sha256-0L4ATr01UsmBC0rSW62VIMVVSUihAQu2+ZOoHk9BQnA=",
+        "owner": "steveyegge",
+        "repo": "beads",
+        "rev": "28ff9fe9919a9665a0f00f5b3fcd084b43fb6cc3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "steveyegge",
+        "repo": "beads",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1761588595,
-        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "lastModified": 1765121682,
+        "narHash": "sha256-4VBOP18BFeiPkyhy9o4ssBNQEvfvv1kXkasAYd0+rrA=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "rev": "65f23138d8d09a92e30f1e5c87611b23ef451bf3",
         "type": "github"
       },
       "original": {
@@ -16,6 +37,24 @@
         "type": "github"
       }
     },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "google-cookie-retrieval": {
       "inputs": {
         "nixpkgs": [
@@ -43,11 +82,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764866045,
-        "narHash": "sha256-0GsEtXV9OquDQ1VclQfP16cU5VZh7NEVIOjSH4UaJuM=",
+        "lastModified": 1767514898,
+        "narHash": "sha256-ONYqnKrPzfKEEPChoJ9qPcfvBqW9ZgieDKD7UezWPg4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "f63d0fe9d81d36e5fc95497217a72e02b8b7bcab",
+        "rev": "7a06e8a2f844e128d3b210a000a62716b6040b7f",
         "type": "github"
       },
       "original": {
@@ -64,11 +103,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764872372,
-        "narHash": "sha256-uZuXRz9CzeCHsRbc2MQvKomwoX6GcFC5BUMEk3ouSFU=",
+        "lastModified": 1767556355,
+        "narHash": "sha256-RDTUBDQBi9D4eD9iJQWtUDN/13MDLX+KmE+TwwNUp2s=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "05a56dbf24f195c62286e3273a2671d3b4904b00",
+        "rev": "f894bc4ffde179d178d8deb374fcf9855d1a82b7",
         "type": "github"
       },
       "original": {
@@ -86,11 +125,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764746434,
-        "narHash": "sha256-6ymFuw+Z1C90ezf8H0BP3c2JFZhJYwMq31px2StwWHU=",
+        "lastModified": 1767082077,
+        "narHash": "sha256-2tL1mRb9uFJThUNfuDm/ehrnPvImL/QDtCxfn71IEz4=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "b4c0b604148adacf119b89824ed26df8926ce42c",
+        "rev": "efd4b22e6fdc6d7fb4e186ae333a4b74e03da440",
         "type": "github"
       },
       "original": {
@@ -106,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764161084,
-        "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
+        "lastModified": 1765066094,
+        "narHash": "sha256-0YSU35gfRFJzx/lTGgOt6ubP8K6LeW0vaywzNNqxkl4=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "e95de00a471d07435e0527ff4db092c84998698e",
+        "rev": "688427b1aab9afb478ca07989dc754fa543e03d5",
         "type": "github"
       },
       "original": {
@@ -148,11 +187,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1764730608,
-        "narHash": "sha256-FxKIa3OCSRVC23qrk7VT68vExUcmSruJ8OobVlSWOxc=",
+        "lastModified": 1765841014,
+        "narHash": "sha256-55V0AJ36V5Egh4kMhWtDh117eE3GOjwq5LhwxDn9eHg=",
         "owner": "nix-community",
         "repo": "NixOS-WSL",
-        "rev": "10124c58674360765adcb38c9a8b081fb72904e4",
+        "rev": "be4af8042e7a61fa12fda58fe9a3b3babdefe17b",
         "type": "github"
       },
       "original": {
@@ -164,11 +203,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1764517877,
-        "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
+        "lastModified": 1765472234,
+        "narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
+        "rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b",
         "type": "github"
       },
       "original": {
@@ -180,11 +219,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1764667669,
-        "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
+        "lastModified": 1767379071,
+        "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "418468ac9527e799809c900eda37cbff999199b6",
+        "rev": "fb7944c166a3b630f177938e478f0378e64ce108",
         "type": "github"
       },
       "original": {
@@ -196,11 +235,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1764677808,
-        "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
+        "lastModified": 1767480499,
+        "narHash": "sha256-8IQQUorUGiSmFaPnLSo2+T+rjHtiNWc+OAzeHck7N48=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
+        "rev": "30a3c519afcf3f99e2c6df3b359aec5692054d92",
         "type": "github"
       },
       "original": {
@@ -258,6 +297,7 @@
     },
     "root": {
       "inputs": {
+        "beads": "beads",
         "google-cookie-retrieval": "google-cookie-retrieval",
         "home-manager": "home-manager",
         "home-manager-unstable": "home-manager-unstable",
@@ -269,6 +309,21 @@
         "plasma-manager": "plasma-manager",
         "plasma-manager-unstable": "plasma-manager-unstable"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -42,6 +42,11 @@
       url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+
+    beads = {
+      url = "github:steveyegge/beads";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, nixos-wsl, ... } @ inputs: let
@@ -152,9 +157,9 @@
       system = "x86_64-linux";
       modules = nixosModules ++ [
         ./machines/boxy/configuration.nix
-        inputs.home-manager.nixosModules.home-manager
         {
           home-manager.users.johno = import ./home/home-media-center.nix;
+          home-manager.users.kodi = import ./home/home-kodi.nix;
           home-manager.extraSpecialArgs = { inherit system; };
         }
       ];
@@ -209,6 +214,15 @@
       ];
     };
 
+    # ZFS/NFS server configuration
+    nixosConfigurations.john-endesktop = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = nixosModules ++ [
+        ./machines/john-endesktop/configuration.nix
+        # Minimal server - no home-manager needed
+      ];
+    };
+
     # Darwin/macOS configurations
     darwinConfigurations."blkfv4yf49kt7" = inputs.nix-darwin.lib.darwinSystem rec {
       system = "aarch64-darwin";
@@ -220,5 +234,50 @@
         }
       ];
     };
+
+    # Flake apps
+    apps = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ] (system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        commonDeps = [ pkgs.curl pkgs.jq pkgs.nix pkgs.git pkgs.gnused pkgs.gnugrep pkgs.coreutils pkgs.gawk ];
+
+        update-doomemacs = pkgs.writeShellScriptBin "update-doomemacs" ''
+          export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+          ${builtins.readFile ./scripts/update-doomemacs.sh}
+        '';
+
+        update-claude-code = pkgs.writeShellScriptBin "update-claude-code" ''
+          export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+          ${builtins.readFile ./packages/claude-code/update.sh}
+        '';
+
+        rotate-wallpaper = pkgs.writeShellScriptBin "rotate-wallpaper" ''
+          export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+          ${builtins.readFile ./scripts/rotate-wallpaper.sh}
+        '';
+
+        upgrade = pkgs.writeShellScriptBin "upgrade" ''
+          export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+          ${builtins.readFile ./scripts/upgrade.sh}
+        '';
+      in {
+        update-doomemacs = {
+          type = "app";
+          program = "${update-doomemacs}/bin/update-doomemacs";
+        };
+        update-claude-code = {
+          type = "app";
+          program = "${update-claude-code}/bin/update-claude-code";
+        };
+        rotate-wallpaper = {
+          type = "app";
+          program = "${rotate-wallpaper}/bin/rotate-wallpaper";
+        };
+        upgrade = {
+          type = "app";
+          program = "${upgrade}/bin/upgrade";
+        };
+      }
+    );
   };
 }

home/home-desktop.nix

@@ -11,6 +11,9 @@
     "3d-printing".enable = true;
     base.enable = true;
     desktop.enable = true;
+    emacs.enable = true;
+    email.enable = true;
+    i3_sway.enable = true;
     office.enable = true;
     media.enable = true;
     development.enable = true;
@@ -20,8 +23,6 @@
     kubectl.enable = true;
     tmux.enable = true;
     plasma-manager.enable = true;
-    emacs.enable = true;
-    i3_sway.enable = true;
   };
 
   targets.genericLinux.enable = true;

home/home-kodi.nix

@@ -0,0 +1,28 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for kodi user on boxy
+  # Focused on media center volume control via Home Assistant
+
+  home.username = "kodi";
+  home.homeDirectory = "/home/kodi";
+  home.stateVersion = "24.05";
+
+  # Enable minimal roles for kodi user
+  home.roles = {
+    base.enable = true;
+    plasma-manager-kodi.enable = true;
+  };
+
+  home.packages = with pkgs; [
+    kdePackages.kconfig
+  ];
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+  ];
+}

home/home-laptop-compact.nix

@@ -14,6 +14,7 @@
     desktop.enable = true;
     development.enable = true;
     communication.enable = true;
+    email.enable = true;
     kdeconnect.enable = true;
     media.enable = true;
     sync.enable = true;

home/roles/default.nix

@@ -8,12 +8,14 @@
     ./communication
     ./desktop
     ./development
+    ./email
     ./gaming
     ./kdeconnect
     ./kubectl
     ./launchers
     ./media
     ./office
+    ./plasma-manager-kodi
     ./sync
     ./tmux
     ./emacs

home/roles/desktop/default.nix

@@ -81,6 +81,45 @@ in
       enable = true;
     };
 
+    # rbw vault unlock on login and resume from suspend
+    systemd.user.services.rbw-unlock-on-login = {
+      Unit = {
+        Description = "Unlock rbw vault at login";
+        After = [ "graphical-session.target" ];
+      };
+      Service = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.rbw}/bin/rbw unlock";
+        Environment = "RBW_AGENT=${pkgs.rbw}/bin/rbw-agent";
+        # KillMode = "process" prevents systemd from killing the rbw-agent daemon
+        # when this oneshot service completes. The agent is spawned by rbw unlock
+        # and needs to persist after the service exits.
+        KillMode = "process";
+      };
+      Install = {
+        WantedBy = [ "graphical-session.target" ];
+      };
+    };
+
+    systemd.user.services.rbw-unlock-on-resume = {
+      Unit = {
+        Description = "Unlock rbw vault after resume from suspend";
+        After = [ "suspend.target" ];
+      };
+      Service = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.rbw}/bin/rbw unlock";
+        Environment = "RBW_AGENT=${pkgs.rbw}/bin/rbw-agent";
+        # KillMode = "process" prevents systemd from killing the rbw-agent daemon
+        # when this oneshot service completes. The agent is spawned by rbw unlock
+        # and needs to persist after the service exits.
+        KillMode = "process";
+      };
+      Install = {
+        WantedBy = [ "suspend.target" ];
+      };
+    };
+
     # KDE environment variables for proper integration
     home.sessionVariables = {
       QT_QPA_PLATFORMTHEME = "kde";

home/roles/development/default.nix

@@ -5,7 +5,7 @@ with lib;
 let
   cfg = config.home.roles.development;
 
-  # Fetch the claude-plugins repository
+  # Fetch the claude-plugins repository (for humanlayer commands/agents)
   # Update the rev to get newer versions of the commands
   claudePluginsRepo = builtins.fetchGit {
     url = "https://github.com/jeffh/claude-plugins.git";
@@ -14,6 +14,7 @@ let
     rev = "5e3e4d937162185b6d78c62022cbfd1c8ad42c4c";
     ref = "main";
   };
+
 in
 {
   options.home.roles.development = {
@@ -36,12 +37,14 @@ in
 
   config = mkIf cfg.enable {
     home.packages = [
+      globalInputs.beads.packages.${system}.default
       pkgs.unstable.claude-code
       pkgs.unstable.claude-code-router
       pkgs.unstable.codex
 
       # Custom packages
       pkgs.custom.tea-rbw
+      pkgs.custom.perles
     ];
 
     # Install Claude Code humanlayer command and agent plugins
@@ -89,6 +92,16 @@ in
       }"
     '';
 
+    # Set up beads Claude Code integration (hooks for SessionStart/PreCompact)
+    # This uses the CLI + hooks approach which is recommended over MCP for Claude Code
+    home.activation.claudeCodeBeadsSetup = lib.hm.dag.entryAfter ["writeBoundary" "claudeCodeCommands"] ''
+      # Run bd setup claude to install hooks into ~/.claude/settings.json
+      # This is idempotent - safe to run multiple times
+      ${globalInputs.beads.packages.${system}.default}/bin/bd setup claude 2>/dev/null || true
+
+      $DRY_RUN_CMD echo "Claude Code beads integration configured (hooks installed)"
+    '';
+
     # Note: modules must be imported at top-level home config
   };
 }

home/roles/emacs/default.nix

@@ -8,8 +8,8 @@ let
   doomEmacs = pkgs.fetchFromGitHub {
     owner = "doomemacs";
     repo = "doomemacs";
-    rev = "8f55404781edacf66fa330205533b002de3fb5ee";
-    sha256 = "sha256-vHwgENjip2+AFzs4oZfnKEAJKwf5Zid7fakImvxxQUw=";
+    rev = "38d94da67dc84897a4318714dcc48494c016d8c4";
+    sha256 = "sha256-Uc6qONH3jjUVDgW+pPBCGC7mh88ZY05u1y37fQrsxq0=";
   };
 
   # Shared emacs packages

home/roles/emacs/doom/config.el

@@ -28,7 +28,7 @@
 ;; up, `M-x eval-region' to execute elisp code, and 'M-x doom/reload-font' to
 ;; refresh your font settings. If Emacs still can't find your font, it likely
 ;; wasn't installed correctly. Font issues are rarely Doom issues!
-(setq doom-font (font-spec :family "Fira Code"))
+(setq doom-font (font-spec :family "Fira Code" :size 16))
 
 ;; Auto-install nerd-icons fonts if they're missing
 (defun my/ensure-nerd-icons-fonts ()
@@ -71,7 +71,10 @@
         org-journal-file-format "%Y-%m-%d.org"
         org-capture-templates
           '(("t" "Todo" entry (file+headline "~/org/todo.org" "Inbox")
-             "* TODO %? \n %i \n%a" :prepend t))))
+             "* TODO %? \n %i \n%a" :prepend t)))
+  ;; Make blocked tasks more visible in agenda (they have subtasks to do!)
+  (custom-set-faces!
+    '(org-agenda-dimmed-todo-face :foreground "#bb9af7" :weight normal)))
 
 (map! :after org-agenda
       :map org-agenda-mode-map
@@ -145,12 +148,24 @@
    :args (list '(:name "dirpath" :type "string" :description "Directory path to list"))))
 
 (use-package! claude-code-ide
-  :defer t
-  :config
-  (claude-code-ide-emacs-tools-setup)
+  :commands (claude-code-ide-menu claude-code-ide-open-here)
+  :init
   (map! :leader
         (:prefix ("o" . "open")
-         :desc "Claude Code IDE" "c" #'claude-code-ide-menu)))
+         :desc "Claude Code IDE" "c" #'claude-code-ide-menu))
+  :config
+  (claude-code-ide-emacs-tools-setup)
+  (setq claude-code-ide-cli-path "claude"
+        claude-code-ide-cli-extra-flags "--dangerously-skip-permissions"
+        claude-code-ide-focus-claude-after-ediff t
+        claude-code-ide-focus-on-open t
+        claude-code-ide-show-claude-window-in-ediff t
+        claude-code-ide-switch-tab-on-ediff t
+        claude-code-ide-use-ide-diff t
+        claude-code-ide-use-side-window t
+        claude-code-ide-window-height 20
+        claude-code-ide-window-side 'right
+        claude-code-ide-window-width 90))
 
 (after! gptel
   (require 'gptel-tool-library)
@@ -159,6 +174,49 @@
   (dolist (module '("bbdb" "buffer" "elisp" "emacs" "gnus" "os" "search-and-replace" "url"))
     (gptel-tool-library-load-module module)))
 
+;; mu4e email configuration
+;; Add NixOS mu4e to load-path (installed via mu.mu4e package)
+(when-let ((mu-path (executable-find "mu")))
+  (add-to-list 'load-path
+               (expand-file-name "../share/emacs/site-lisp/mu4e"
+                                 (file-name-directory mu-path))))
+
+(after! mu4e
+  ;; User identity
+  (setq user-mail-address "john@ogle.fyi"
+        user-full-name "John Ogle")
+
+  ;; Maildir location (no account prefix - single account)
+  (setq mu4e-maildir "~/Mail"
+        mu4e-attachment-dir "~/Downloads")
+
+  ;; Folder config (matches ~/Mail/INBOX, ~/Mail/Sent, etc.)
+  (setq mu4e-sent-folder "/Sent"
+        mu4e-drafts-folder "/Drafts"
+        mu4e-trash-folder "/Trash"
+        mu4e-refile-folder "/Archive")
+
+  ;; Shortcuts for common folders
+  (setq mu4e-maildir-shortcuts
+        '((:maildir "/INBOX"   :key ?i)
+          (:maildir "/Archive" :key ?a)
+          (:maildir "/Sent"    :key ?s)
+          (:maildir "/Trash"   :key ?t)))
+
+  ;; Behavior settings
+  (setq mu4e-get-mail-command "mbsync -a"
+        mu4e-update-interval 300  ; 5 minutes (matches systemd timer)
+        mu4e-change-filenames-when-moving t  ; required for mbsync
+        mu4e-headers-date-format "%Y-%m-%d"
+        mu4e-headers-time-format "%H:%M")
+
+  ;; Sending mail via msmtp
+  (setq message-send-mail-function 'message-send-mail-with-sendmail
+        sendmail-program (executable-find "msmtp")
+        message-sendmail-envelope-from 'header
+        mail-envelope-from 'header
+        mail-specify-envelope-from t))
+
 ;; Whenever you reconfigure a package, make sure to wrap your config in an
 ;; `after!' block, otherwise Doom's defaults may override your settings. E.g.
 ;;

home/roles/emacs/doom/init.el

@@ -176,7 +176,7 @@
        ;;zig               ; C, but simpler
 
        :email
-       ;;(mu4e +org +gmail)
+       (mu4e +org)
        ;;notmuch
        ;;(wanderlust +gmail)
 

home/roles/email/default.nix

@@ -0,0 +1,123 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.email;
+in
+{
+  options.home.roles.email = {
+    enable = mkEnableOption "Enable email with mu4e, mbsync, and msmtp";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      isync      # provides mbsync for IMAP sync
+      msmtp      # for SMTP sending
+      mu         # email indexer for mu4e
+      mu.mu4e    # mu4e elisp files for Emacs
+      openssl    # for certificate management
+    ];
+
+    # Ensure Mail directory exists
+    home.file."Mail/.keep".text = "";
+
+    # mbsync configuration
+    home.file.".mbsyncrc".text = ''
+      # IMAP Account Configuration
+      IMAPAccount proton
+      Host proton.johnogle.info
+      Port 143
+      User john@ogle.fyi
+      PassCmd "${pkgs.rbw}/bin/rbw get proton.johnogle.info"
+      TLSType STARTTLS
+      AuthMechs PLAIN
+
+      # Remote Storage
+      IMAPStore proton-remote
+      Account proton
+
+      # Local Storage
+      MaildirStore proton-local
+      Path ~/Mail/
+      Inbox ~/Mail/INBOX
+      SubFolders Verbatim
+
+      # Channel Configuration - Main (excludes Sent)
+      Channel proton-main
+      Far :proton-remote:
+      Near :proton-local:
+      Patterns * !Sent
+      Create Both
+      Expunge Both
+      SyncState *
+
+      # Channel Configuration - Sent (pull only)
+      Channel proton-sent
+      Far :proton-remote:Sent
+      Near :proton-local:Sent
+      Create Near
+      Expunge Near
+      Sync Pull
+      SyncState *
+
+      # Group both channels
+      Group proton
+      Channel proton-main
+      Channel proton-sent
+    '';
+
+    # msmtp configuration
+    home.file.".msmtprc".text = ''
+      # Default settings
+      defaults
+      auth           plain
+      tls            on
+      tls_starttls   on
+      tls_trust_file /etc/ssl/certs/ca-certificates.crt
+      logfile        ${config.home.homeDirectory}/.msmtp.log
+
+      # Proton mail account
+      account        proton
+      host           proton.johnogle.info
+      port           25
+      from           john@ogle.fyi
+      user           john@ogle.fyi
+      passwordeval   rbw get proton.johnogle.info
+
+      # Set default account
+      account default : proton
+    '';
+
+    # Systemd service for mail sync
+    systemd.user.services.mbsync = {
+      Unit = {
+        Description = "Mailbox synchronization service";
+        After = [ "network-online.target" ];
+        Wants = [ "network-online.target" ];
+      };
+      Service = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.bash}/bin/bash -c 'mkdir -p ~/Mail && ${pkgs.isync}/bin/mbsync -a && (${pkgs.mu}/bin/mu info >/dev/null 2>&1 || ${pkgs.mu}/bin/mu init --maildir ~/Mail --personal-address=john@ogle.fyi) && ${pkgs.mu}/bin/mu index'";
+        Environment = "PATH=${pkgs.rbw}/bin:${pkgs.coreutils}/bin";
+        StandardOutput = "journal";
+        StandardError = "journal";
+      };
+    };
+
+    # Systemd timer for automatic sync
+    systemd.user.timers.mbsync = {
+      Unit = {
+        Description = "Mailbox synchronization timer";
+      };
+      Timer = {
+        OnBootSec = "2min";
+        OnUnitActiveSec = "5min";
+        Unit = "mbsync.service";
+      };
+      Install = {
+        WantedBy = [ "timers.target" ];
+      };
+    };
+  };
+}

home/roles/i3+sway/default.nix

@@ -4,6 +4,8 @@ with lib;
 
 let
   cfg = config.home.roles.i3_sway;
+  wallpaperConfig = import ../../wallpapers;
+  currentWallpaper = builtins.elemAt wallpaperConfig.wallpapers wallpaperConfig.currentIndex;
 
   shared_config = recursiveUpdate rec {
     modifier = "Mod4";
@@ -12,6 +14,7 @@ let
 
     keybindings = {
       "${shared_config.modifier}+Return" = "exec ${terminal}";
+      "${shared_config.modifier}+Shift+Return" = "exec ${cfg.browser}";
       "${shared_config.modifier}+Shift+q" = "kill";
 
       "${shared_config.modifier}+a" = "focus parent";
@@ -96,6 +99,12 @@ in {
   options.home.roles.i3_sway = {
     enable = mkEnableOption "i3 and Sway tiling window managers with waybar and rofi";
 
+    browser = mkOption {
+      type = types.str;
+      default = "firefox --new-window";
+      description = "Browser to use for new window keybinding";
+    };
+
     extraSharedConfig = mkOption {
       type = types.attrs;
       default = {};
@@ -281,7 +290,7 @@ in {
           }
           # Set wallpaper with feh
           {
-            command = "feh --bg-scale ${../../wallpapers/metroid-samus-returns-kz-3440x1440.jpg}";
+            command = "feh ${currentWallpaper.feh} ${currentWallpaper.file}";
             always = false;
             notification = false;
           }
@@ -314,7 +323,7 @@ in {
         };
         output = {
           "*" = {
-            bg = "${../../wallpapers/metroid-samus-returns-kz-3440x1440.jpg} fill";
+            bg = "${currentWallpaper.file} ${currentWallpaper.sway}";
           };
         };
         startup = [

home/roles/plasma-manager-kodi/default.nix

@@ -0,0 +1,199 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.plasma-manager-kodi;
+
+  # Define the volume control scripts as derivations
+  volumeUpScript = pkgs.writeShellScript "avr-volume-up" ''
+    #!/usr/bin/env bash
+
+    # Configuration
+    HA_URL="https://home-assistant.johnogle.info"
+    ENTITY_ID="media_player.denon_avr_s970h_2"
+    MAX_RETRIES=3
+
+    # Read token from KDE Wallet and strip whitespace
+    TOKEN=$(${pkgs.kdePackages.kwallet}/bin/kwallet-query -r ha_avr_token kdewallet -f Passwords 2>/dev/null | tr -d '[:space:]')
+
+    if [ -z "$TOKEN" ]; then
+      ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to retrieve Home Assistant token from KDE Wallet"
+      exit 1
+    fi
+
+    # Send volume up command with retry logic
+    for i in $(seq 1 $MAX_RETRIES); do
+      RESPONSE=$(${pkgs.curl}/bin/curl -s -w "\n%{http_code}" -X POST \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"entity_id\": \"$ENTITY_ID\"}" \
+        "$HA_URL/api/services/media_player/volume_up" 2>&1)
+
+      HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+      if [ "$HTTP_CODE" = "200" ]; then
+        exit 0
+      fi
+
+      # Wait before retry (except on last attempt)
+      if [ $i -lt $MAX_RETRIES ]; then
+        sleep 0.5
+      fi
+    done
+
+    # All retries failed
+    ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to increase volume after $MAX_RETRIES attempts"
+    exit 1
+  '';
+
+  volumeDownScript = pkgs.writeShellScript "avr-volume-down" ''
+    #!/usr/bin/env bash
+
+    # Configuration
+    HA_URL="https://home-assistant.johnogle.info"
+    ENTITY_ID="media_player.denon_avr_s970h_2"
+    MAX_RETRIES=3
+
+    # Read token from KDE Wallet and strip whitespace
+    TOKEN=$(${pkgs.kdePackages.kwallet}/bin/kwallet-query -r ha_avr_token kdewallet -f Passwords 2>/dev/null | tr -d '[:space:]')
+
+    if [ -z "$TOKEN" ]; then
+      ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to retrieve Home Assistant token from KDE Wallet"
+      exit 1
+    fi
+
+    # Send volume down command with retry logic
+    for i in $(seq 1 $MAX_RETRIES); do
+      RESPONSE=$(${pkgs.curl}/bin/curl -s -w "\n%{http_code}" -X POST \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"entity_id\": \"$ENTITY_ID\"}" \
+        "$HA_URL/api/services/media_player/volume_down" 2>&1)
+
+      HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+      if [ "$HTTP_CODE" = "200" ]; then
+        exit 0
+      fi
+
+      # Wait before retry (except on last attempt)
+      if [ $i -lt $MAX_RETRIES ]; then
+        sleep 0.5
+      fi
+    done
+
+    # All retries failed
+    ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to decrease volume after $MAX_RETRIES attempts"
+    exit 1
+  '';
+
+  volumeMuteScript = pkgs.writeShellScript "avr-volume-mute" ''
+    #!/usr/bin/env bash
+
+    # Configuration
+    HA_URL="https://home-assistant.johnogle.info"
+    ENTITY_ID="media_player.denon_avr_s970h_2"
+    MAX_RETRIES=3
+
+    # Read token from KDE Wallet and strip whitespace
+    TOKEN=$(${pkgs.kdePackages.kwallet}/bin/kwallet-query -r ha_avr_token kdewallet -f Passwords 2>/dev/null | tr -d '[:space:]')
+
+    if [ -z "$TOKEN" ]; then
+      ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to retrieve Home Assistant token from KDE Wallet"
+      exit 1
+    fi
+
+    # Get current mute state
+    STATE_RESPONSE=$(${pkgs.curl}/bin/curl -s -H "Authorization: Bearer $TOKEN" \
+      "$HA_URL/api/states/$ENTITY_ID")
+
+    CURRENT_MUTE=$(echo "$STATE_RESPONSE" | ${pkgs.jq}/bin/jq -r '.attributes.is_volume_muted // false')
+
+    # Toggle: if currently muted (true), unmute (false), and vice versa
+    if [ "$CURRENT_MUTE" = "true" ]; then
+      NEW_MUTE="false"
+      NOTIFY_MSG="Unmuted"
+    else
+      NEW_MUTE="true"
+      NOTIFY_MSG="Muted"
+    fi
+
+    # Send mute toggle command with retry logic
+    for i in $(seq 1 $MAX_RETRIES); do
+      RESPONSE=$(${pkgs.curl}/bin/curl -s -w "\n%{http_code}" -X POST \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"entity_id\": \"$ENTITY_ID\", \"is_volume_muted\": $NEW_MUTE}" \
+        "$HA_URL/api/services/media_player/volume_mute" 2>&1)
+
+      HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+      if [ "$HTTP_CODE" = "200" ]; then
+        exit 0
+      fi
+
+      # Wait before retry (except on last attempt)
+      if [ $i -lt $MAX_RETRIES ]; then
+        sleep 0.5
+      fi
+    done
+
+    # All retries failed
+    ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to toggle mute after $MAX_RETRIES attempts"
+    exit 1
+  '';
+in
+{
+  options.home.roles.plasma-manager-kodi = {
+    enable = mkEnableOption "KDE Plasma volume control for kodi user via Home Assistant";
+  };
+
+  config = mkIf cfg.enable {
+    programs.plasma = {
+      enable = true;
+      overrideConfig = true;
+
+      # Disable default kmix volume shortcuts to prevent conflicts
+      shortcuts.kmix = {
+        "increase_volume" = "none";
+        "decrease_volume" = "none";
+        "mute" = "none";
+      };
+
+      # Define custom volume control commands with key bindings
+      hotkeys.commands = {
+        "volume-up-avr" = {
+          name = "Volume Up AVR";
+          key = "Volume Up";
+          command = toString volumeUpScript;
+        };
+
+        "volume-down-avr" = {
+          name = "Volume Down AVR";
+          key = "Volume Down";
+          command = toString volumeDownScript;
+        };
+
+        "volume-mute-avr" = {
+          name = "Mute Toggle AVR";
+          key = "Volume Mute";
+          command = toString volumeMuteScript;
+        };
+      };
+
+      # KDE Settings customization
+      configFile = {
+        # Session restore settings
+        "ksmserverrc"."General"."loginMode" = "emptySession";
+
+        # Screen locking settings
+        "kscreenlockerrc"."Daemon"."Autolock" = false;
+        "kscreenlockerrc"."Daemon"."LockOnResume" = false;
+
+        # Theme settings
+        "kdeglobals"."KDE"."LookAndFeelPackage" = "org.kde.breezedark.desktop";
+      };
+    };
+  };
+}

home/roles/plasma-manager/default.nix

@@ -4,6 +4,8 @@ with lib;
 
 let
   cfg = config.home.roles.plasma-manager;
+  wallpaperConfig = import ../../wallpapers;
+  currentWallpaper = builtins.elemAt wallpaperConfig.wallpapers wallpaperConfig.currentIndex;
 in
 {
   options.home.roles.plasma-manager = {
@@ -181,7 +183,7 @@ in
         plasma-localerc.Formats.LANG = "en_US.UTF-8";
 
         # Set wallpaper for all desktops
-        plasmarc.Wallpapers.usersWallpapers = "${../../wallpapers/metroid-samus-returns-kz-3440x1440.jpg}";
+        plasmarc.Wallpapers.usersWallpapers = "${currentWallpaper.file}";
       };
     };
   };

home/wallpapers/default.nix

@@ -0,0 +1,45 @@
+# Wallpaper rotation system
+# The currentIndex is incremented by `nix run .#rotate-wallpaper`
+# and gets committed as part of `nix run .#upgrade`
+{
+  currentIndex = 1;  # Index into wallpapers list
+
+  wallpapers = [
+    {
+      name = "metroid-samus-returns";
+      file = ./metroid-samus-returns-kz-3440x1440.jpg;
+      sway = "fill";
+      feh = "--bg-fill";
+    }
+    {
+      name = "metroid3_map";
+      file = ./metroid3_map.gif;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+    {
+      name = "super-metroid-gunship-cavern";
+      file = ./super-metroid-gunship-cavern.jpg;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+    {
+      name = "super-metroid-samus-statue";
+      file = ./super-metroid-samus-statue.png;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+    {
+      name = "metroid-samus-action-4k";
+      file = ./metroid-samus-action-4k.jpg;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+    {
+      name = "metroid-creature-minimalist";
+      file = ./metroid-creature-minimalist.jpg;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+  ];
+}

machines/boxy/configuration.nix

@@ -26,10 +26,20 @@ with lib;
       enable = true;
       autologin = true;
       wayland = true;
+      jellyfinScaleFactor = 1.0;
     };
+    nfs-mounts.enable = true;
     users.enable = true;
   };
 
+  # Enable KDE Wallet PAM integration for auto-unlock
+  security.pam.services.sddm = {
+    kwallet = {
+      enable = true;
+      package = pkgs.kdePackages.kwallet-pam;
+    };
+  };
+
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;

machines/john-endesktop/MIGRATION_PLAN.md

@@ -0,0 +1,424 @@
+# Migration Plan: Arch Linux to NixOS on john-endesktop (ZFS/NFS Server)
+
+## Overview
+This document outlines the plan to migrate the john-endesktop server from Arch Linux to NixOS while maintaining the existing ZFS pools and NFS exports that serve your k3s cluster.
+
+## Current System State
+
+### Hardware
+- **Boot disk**: nvme0n1
+  - nvme0n1p3: 1000M EFI partition (UUID: F5C6-D570)
+  - nvme0n1p4: 120GB ext4 / (current Arch root)
+  - nvme0n1p5: 810GB - **Target for NixOS** (being removed from media pool)
+- **Network**: enp0s31f6 @ 10.0.0.43/24 (DHCP)
+
+### ZFS Pools
+- **media**: ~3.5TB JBOD pool (2 drives after nvme0n1p5 removal)
+  - wwn-0x50014ee2ba653d70-part2
+  - ata-WDC_WD20EZBX-00AYRA0_WD-WX62D627X7Z8-part2
+  - Contains: /media/media/nix (bind mounted to /nix on Arch)
+  - NFS: Shared to 10.0.0.0/24 via ZFS sharenfs property
+
+- **swarmvols**: 928GB mirror pool - **PRODUCTION DATA**
+  - wwn-0x5002538f52707e2d-part2
+  - wwn-0x5002538f52707e81-part2
+  - Contains: iocage jails and k3s persistent volumes
+  - NFS: Shared to 10.0.0.0/24 via ZFS sharenfs property
+  - Backed up nightly to remote borg
+
+### Services
+- NFS server exporting /media and /swarmvols to k3s cluster
+- ZFS managing pools with automatic exports via sharenfs property
+
+## Prerequisites
+
+### Before Starting
+1. ✅ Ensure nvme0n1p5 removal from media pool is complete
+   ```bash
+   ssh 10.0.0.43 "zpool status media"
+   # Should show no "removing" devices
+   ```
+
+2. ✅ Verify recent backups exist
+   ```bash
+   # Verify swarmvols backup is recent (< 24 hours)
+   # Check your borg backup system
+   ```
+
+3. ✅ Notify k3s cluster users of planned maintenance window
+   - NFS shares will be unavailable during migration
+   - Estimate: 30-60 minutes downtime
+
+4. ✅ Build NixOS configuration from your workstation
+   ```bash
+   cd ~/nixos-configs
+   nix build .#nixosConfigurations.john-endesktop.config.system.build.toplevel
+   ```
+
+## Migration Steps
+
+### Phase 1: Prepare NixOS Installation Media
+
+1. **Download NixOS minimal ISO**
+   ```bash
+   wget https://channels.nixos.org/nixos-25.11/latest-nixos-minimal-x86_64-linux.iso
+   ```
+
+2. **Create bootable USB**
+   ```bash
+   # Identify USB device (e.g., /dev/sdb)
+   lsblk
+   # Write ISO to USB
+   sudo dd if=latest-nixos-minimal-x86_64-linux.iso of=/dev/sdX bs=4M status=progress
+   sudo sync
+   ```
+
+### Phase 2: Backup and Shutdown
+
+1. **On the server, verify ZFS pool status**
+   ```bash
+   ssh 10.0.0.43 "zpool status"
+   ssh 10.0.0.43 "zfs list"
+   ```
+
+2. **Export ZFS pools cleanly**
+   ```bash
+   ssh 10.0.0.43 "sudo zpool export media"
+   ssh 10.0.0.43 "sudo zpool export swarmvols"
+   ```
+
+3. **Shutdown Arch Linux**
+   ```bash
+   ssh 10.0.0.43 "sudo shutdown -h now"
+   ```
+
+### Phase 3: Install NixOS
+
+1. **Boot from NixOS USB**
+   - Insert USB drive
+   - Power on and select USB in boot menu
+
+2. **Connect to network**
+   ```bash
+   # If DHCP doesn't work automatically:
+   sudo systemctl start dhcpcd
+   ip a  # Verify you have 10.0.0.43 or another IP
+   ```
+
+3. **Enable SSH for remote installation (recommended)**
+   ```bash
+   # Set password for nixos user
+   sudo passwd nixos
+   # Start SSH
+   sudo systemctl start sshd
+   # From your workstation:
+   ssh nixos@10.0.0.43
+   ```
+
+4. **Partition nvme0n1p5 with btrfs**
+   ```bash
+   # Verify the device is clear
+   lsblk
+   sudo wipefs -a /dev/nvme0n1p5
+
+   # Create btrfs filesystem
+   sudo mkfs.btrfs -L nixos /dev/nvme0n1p5
+
+   # Mount and create subvolumes
+   sudo mount /dev/nvme0n1p5 /mnt
+   sudo btrfs subvolume create /mnt/@
+   sudo btrfs subvolume create /mnt/@home
+   sudo btrfs subvolume create /mnt/@nix
+   sudo btrfs subvolume create /mnt/@log
+   sudo umount /mnt
+
+   # Mount root subvolume
+   sudo mount -o subvol=@,compress=zstd,noatime /dev/nvme0n1p5 /mnt
+
+   # Create mount points
+   sudo mkdir -p /mnt/{boot,home,nix,var/log}
+
+   # Mount other subvolumes
+   sudo mount -o subvol=@home,compress=zstd,noatime /dev/nvme0n1p5 /mnt/home
+   sudo mount -o subvol=@nix,compress=zstd,noatime /dev/nvme0n1p5 /mnt/nix
+   sudo mount -o subvol=@log,compress=zstd,noatime /dev/nvme0n1p5 /mnt/var/log
+
+   # Mount EFI partition
+   sudo mount /dev/nvme0n1p3 /mnt/boot
+   ```
+
+5. **Import ZFS pools**
+   ```bash
+   # Import pools (should be visible)
+   sudo zpool import
+
+   # Import with force if needed due to hostid
+   sudo zpool import -f media
+   sudo zpool import -f swarmvols
+
+   # Verify pools are mounted
+   zfs list
+   ls -la /media /swarmvols
+   ```
+
+6. **Generate initial hardware configuration**
+   ```bash
+   sudo nixos-generate-config --root /mnt
+   ```
+
+7. **Get the new root filesystem UUID**
+   ```bash
+   blkid /dev/nvme0n1p5
+   # Note the UUID for updating hardware-configuration.nix
+/dev/nvme0n1p5: LABEL="nixos" UUID="5f4ad025-bfab-4aed-a933-6638348059e5" UUID_SUB="4734d820-7b8a-4b7f-853a-026021c1d204" BLOCK_SIZE="4096" TYPE="btrfs" PARTLABEL="data" PARTUUID="9ea025df-cdb7-48fd-b5d4-37cd5d8588eb"
+   ```
+
+8. **Copy your NixOS configuration to the server**
+   ```bash
+   # From your workstation:
+   scp -r ~/nixos-configs/machines/john-endesktop/* nixos@10.0.0.43:/tmp/
+
+   # On server:
+   sudo mkdir -p /mnt/etc/nixos
+   sudo cp /tmp/configuration.nix /mnt/etc/nixos/
+   sudo cp /tmp/hardware-configuration.nix /mnt/etc/nixos/
+
+   # Edit hardware-configuration.nix to update the root filesystem UUID
+   sudo nano /mnt/etc/nixos/hardware-configuration.nix
+   # Change: device = "/dev/disk/by-uuid/CHANGE-THIS-TO-YOUR-UUID";
+   # To:     device = "/dev/disk/by-uuid/[UUID from blkid]";
+   ```
+
+9. **Install NixOS**
+   ```bash
+   sudo nixos-install
+
+   # Set root password when prompted
+   # Set user password
+   sudo nixos-install --no-root-passwd
+   ```
+
+10. **Reboot into NixOS**
+    ```bash
+    sudo reboot
+    # Remove USB drive
+    ```
+
+### Phase 4: Post-Installation Verification
+
+1. **Boot into NixOS and verify system**
+   ```bash
+   ssh johno@10.0.0.43
+
+   # Check NixOS version
+   nixos-version
+
+   # Verify hostname
+   hostname  # Should be: john-endesktop
+   ```
+
+2. **Verify ZFS pools imported correctly**
+   ```bash
+   zpool status
+   zpool list
+   zfs list
+
+   # Check for hostid mismatch warnings (should be gone)
+   # Verify both pools show ONLINE status
+   ```
+
+3. **Verify NFS exports are active**
+   ```bash
+   sudo exportfs -v
+   systemctl status nfs-server
+
+   # Should see /media and /swarmvols exported to 10.0.0.0/24
+   ```
+
+4. **Test NFS mount from another machine**
+   ```bash
+   # From a k3s node or your workstation:
+   sudo mount -t nfs 10.0.0.43:/swarmvols /mnt
+   ls -la /mnt
+   sudo umount /mnt
+
+   sudo mount -t nfs 10.0.0.43:/media /mnt
+   ls -la /mnt
+   sudo umount /mnt
+   ```
+
+5. **Verify ZFS sharenfs properties preserved**
+   ```bash
+   zfs get sharenfs media
+   zfs get sharenfs swarmvols
+
+   # Should show: sec=sys,mountpoint,no_subtree_check,no_root_squash,rw=@10.0.0.0/24
+   ```
+
+6. **Check swap device**
+   ```bash
+   swapon --show
+   free -h
+   # Should show /dev/zvol/media/swap
+   ```
+
+### Phase 5: Restore k3s Cluster Access
+
+1. **Restart k3s nodes or remount NFS shares**
+   ```bash
+   # On each k3s node:
+   sudo systemctl restart k3s  # or k3s-agent
+   ```
+
+2. **Verify k3s pods have access to persistent volumes**
+   ```bash
+   # On k3s master:
+   kubectl get pv
+   kubectl get pvc
+   # Check that volumes are bound and accessible
+   ```
+
+## Rollback Plan
+
+If something goes wrong during migration, you can roll back to Arch Linux:
+
+### Quick Rollback (If NixOS won't boot)
+
+1. **Boot from NixOS USB (or Arch USB)**
+
+2. **Import ZFS pools**
+   ```bash
+   sudo zpool import -f media
+   sudo zpool import -f swarmvols
+   ```
+
+3. **Start NFS manually (temporary)**
+   ```bash
+   sudo mkdir -p /media /swarmvols
+   sudo systemctl start nfs-server
+   sudo exportfs -o rw,sync,no_subtree_check,no_root_squash 10.0.0.0/24:/media
+   sudo exportfs -o rw,sync,no_subtree_check,no_root_squash 10.0.0.0/24:/swarmvols
+   sudo exportfs -v
+   ```
+   This will restore k3s cluster access immediately while you diagnose.
+
+4. **Boot back into Arch Linux**
+   ```bash
+   # Reboot and select nvme0n1p4 (Arch) in GRUB/boot menu
+   sudo reboot
+   ```
+
+5. **Verify Arch boots and services start**
+   ```bash
+   ssh johno@10.0.0.43
+   zpool status
+   systemctl status nfs-server
+   ```
+
+### Full Rollback (If needed)
+
+1. **Follow Quick Rollback steps above**
+
+2. **Re-add nvme0n1p5 to media pool (if desired)**
+   ```bash
+   # Only if you want to restore the original configuration
+   sudo zpool add media /dev/nvme0n1p5
+   ```
+
+3. **Clean up NixOS partition**
+   ```bash
+   # If you want to reclaim nvme0n1p5 for other uses
+   sudo wipefs -a /dev/nvme0n1p5
+   ```
+
+## Risk Mitigation
+
+### Data Safety
+- ✅ **swarmvols** (production): Mirrored + nightly borg backups
+- ⚠️  **media** (important): JBOD - no redundancy, but not catastrophic
+- ✅ **NixOS install**: Separate partition, doesn't touch ZFS pools
+- ✅ **Arch Linux**: Remains bootable on nvme0n1p4 until verified
+
+### Service Continuity
+- Downtime: 30-60 minutes expected
+- k3s cluster: Will reconnect automatically when NFS returns
+- Rollback time: < 10 minutes to restore Arch
+
+### Testing Approach
+1. Test NFS exports from NixOS live environment before installation
+2. Test single NFS mount from k3s node before full cluster restart
+3. Keep Arch Linux boot option until 24-48 hours of stable NixOS operation
+
+## Post-Migration Tasks
+
+After successful migration and 24-48 hours of stable operation:
+
+1. **Update k3s NFS mounts (if needed)**
+   - Verify no hardcoded references to old system
+
+2. **Optional: Repurpose Arch partition**
+   ```bash
+   # After you're confident NixOS is stable
+   # You can wipe nvme0n1p4 and repurpose it
+   ```
+
+3. **Update documentation**
+   - Update infrastructure docs with NixOS configuration
+   - Document any deviations from this plan
+
+4. **Consider setting up NixOS remote deployment**
+   ```bash
+   # From your workstation:
+   nixos-rebuild switch --target-host johno@10.0.0.43 --flake .#john-endesktop
+   ```
+
+## Timeline
+
+- **Preparation**: 1-2 hours (testing config build, downloading ISO)
+- **Migration window**: 1-2 hours (installation + verification)
+- **Verification period**: 24-48 hours (before removing Arch)
+- **Total**: ~3 days from start to declaring success
+
+## Emergency Contacts
+
+- Borg backup location: [Document your borg repo location]
+- K3s cluster nodes: [Document your k3s nodes]
+- Critical services on k3s: [Document what's running that depends on these NFS shares]
+
+## Checklist
+
+Pre-migration:
+- [x] nvme0n1p5 removal from media pool complete
+- [x] Recent backup verified (< 24 hours)
+- [x] Maintenance window scheduled
+- [x] NixOS ISO downloaded
+- [x] Bootable USB created
+- [x] NixOS config builds successfully
+
+During migration:
+- [ ] ZFS pools exported
+- [ ] Arch Linux shutdown cleanly
+- [ ] Booted from NixOS USB
+- [ ] nvme0n1p5 formatted with btrfs
+- [ ] Btrfs subvolumes created
+- [ ] ZFS pools imported
+- [ ] NixOS installed
+- [ ] Root password set
+
+Post-migration:
+- [ ] NixOS boots successfully
+- [ ] ZFS pools mounted automatically
+- [ ] NFS server running
+- [ ] NFS exports verified
+- [ ] Test mount from k3s node successful
+- [ ] k3s cluster reconnected
+- [ ] Persistent volumes accessible
+- [ ] No hostid warnings in zpool status
+- [ ] Arch Linux still bootable (for rollback)
+
+Final verification (after 24-48 hours):
+- [ ] All services stable
+- [ ] No unexpected issues
+- [ ] Performance acceptable
+- [ ] Ready to remove Arch partition (optional)
+- [ ] Ready to remove /swarmvols/media-backup (optional)

machines/john-endesktop/configuration.nix

@@ -0,0 +1,112 @@
+# NixOS configuration for john-endesktop (ZFS/NFS server)
+# Migrated from Arch Linux to provide ZFS pools via NFS to k3s cluster
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # Boot configuration
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # ZFS support
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.forceImportRoot = false;
+  boot.zfs.extraPools = [ "media" "swarmvols" ];
+
+  # Set ZFS hostid to match current system (from Arch Linux)
+  # This resolves the hostid mismatch warnings
+  networking.hostId = "007f0101";
+
+  # Hostname
+  networking.hostName = "john-endesktop";
+
+  # Network configuration - using DHCP on enp0s31f6
+  networking.useDHCP = false;
+  networking.interfaces.enp0s31f6.useDHCP = true;
+
+  # NFS Server configuration
+  services.nfs.server = {
+    enable = true;
+
+    # NFS protocol versions
+    # v3 for broader compatibility, v4 for better performance
+    exports = ''
+      # These are managed by ZFS sharenfs properties
+      # but we enable the NFS server here
+    '';
+  };
+
+  # Enable NFS4 with proper configuration
+  services.rpcbind.enable = true;
+
+  # Firewall configuration for NFS
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      111   # rpcbind
+      2049  # nfs
+      4000  # nfs callback
+      4001  # nlockmgr
+      4002  # mountd
+      20048 # mountd
+    ];
+    allowedUDPPorts = [
+      111   # rpcbind
+      2049  # nfs
+      4000  # nfs callback
+      4001  # nlockmgr
+      4002  # mountd
+      20048 # mountd
+    ];
+    # Allow NFS from local network
+    extraCommands = ''
+      iptables -A nixos-fw -p tcp -s 10.0.0.0/24 -j ACCEPT
+      iptables -A nixos-fw -p udp -s 10.0.0.0/24 -j ACCEPT
+    '';
+  };
+
+  # ZFS maintenance
+  services.zfs = {
+    autoScrub = {
+      enable = true;
+      interval = "monthly";
+    };
+    trim = {
+      enable = true;
+      interval = "weekly";
+    };
+  };
+
+  # Basic system packages
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+    htop
+    tmux
+    zfs
+  ];
+
+  # Enable SSH
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = true;
+    };
+  };
+
+  # User configuration
+  roles.users.enable = true;
+
+  # Time zone
+  time.timeZone = "America/Los_Angeles"; # Adjust as needed
+
+  # NixOS version
+  system.stateVersion = "25.11";
+}

machines/john-endesktop/hardware-configuration.nix

@@ -0,0 +1,63 @@
+# Hardware configuration for john-endesktop
+# This file should be regenerated after NixOS installation using:
+# nixos-generate-config --show-hardware-config
+
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  # Boot configuration
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # File systems - these will need to be updated after installation
+  # The nvme0n1p5 partition will be formatted as btrfs for NixOS root
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/5f4ad025-bfab-4aed-a933-6638348059e5";
+    fsType = "btrfs";
+    options = [ "subvol=@" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/5f4ad025-bfab-4aed-a933-6638348059e5";
+    fsType = "btrfs";
+    options = [ "subvol=@home" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/5f4ad025-bfab-4aed-a933-6638348059e5";
+    fsType = "btrfs";
+    options = [ "subvol=@nix" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/var/log" = {
+    device = "/dev/disk/by-uuid/5f4ad025-bfab-4aed-a933-6638348059e5";
+    fsType = "btrfs";
+    options = [ "subvol=@log" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/boot" = {
+    # This should match your current EFI partition
+    device = "/dev/disk/by-uuid/F5C6-D570";
+    fsType = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };
+
+  # ZFS pools - these are imported by ZFS, not managed by fileSystems
+  # The pools should be imported automatically via boot.zfs.extraPools
+  # /media and /swarmvols will be mounted by ZFS
+
+  # No swap needed - 23GB RAM is sufficient for this NFS/ZFS server
+  swapDevices = [ ];
+
+  # CPU microcode
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  # Networking
+  networking.useDHCP = lib.mkDefault true;
+}

machines/nix-book/configuration.nix

@@ -39,6 +39,17 @@
   boot.loader.efi.canTouchEfiVariables = true;
 
   boot.initrd.luks.devices."luks-b614167b-9045-4234-a441-ac6f60a96d81".device = "/dev/disk/by-uuid/b614167b-9045-4234-a441-ac6f60a96d81";
+
+  services.logind.settings.Login = {
+    HandleLidSwitch = "suspend-then-hibernate";
+    HandlePowerKey = "hibernate";
+    HandlePowerKeyLongPress = "poweroff";
+  };
+  systemd.sleep.extraConfig = ''
+    HibernateDelaySec=30m
+    SuspendState=mem
+  '';
+
   networking.hostName = "nix-book"; # Define your hostname.
   # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
 

machines/zix790prors/configuration.nix

@@ -7,10 +7,10 @@
 with lib;
 
 {
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-    ];
+  imports = [
+    ./hardware-configuration.nix
+    #./virtual-surround.nix
+  ];
 
   roles = {
     audio.enable = true;

machines/zix790prors/virtual-surround.nix

@@ -0,0 +1,132 @@
+# Virtual 4.1 surround sound setup
+# Routes FL/FR to AmazonBasics USB speaker, RL/RR to Fosi BT20A PRO Bluetooth speaker
+{ pkgs, ... }:
+
+{
+  services.pipewire.extraConfig.pipewire."10-virtual-surround" = {
+    "context.objects" = [
+      {
+        factory = "adapter";
+        args = {
+          "factory.name" = "support.null-audio-sink";
+          "node.name" = "virtual_surround_sink";
+          "node.description" = "Virtual 4.1 Surround (AmazonBasics + Fosi)";
+          "media.class" = "Audio/Sink";
+          "audio.position" = [ "FL" "FR" "RL" "RR" "LFE" ];
+          "monitor.channel-volumes" = true;
+        };
+      }
+    ];
+    "context.modules" = [
+      {
+        name = "libpipewire-module-loopback";
+        args = {
+          "node.description" = "Route Front to AmazonBasics";
+          "capture.props" = {
+            "node.name" = "route_front_capture";
+            "audio.position" = [ "FL" "FR" ];
+            "stream.dont-remix" = true;
+            "node.passive" = true;
+          };
+          "playback.props" = {
+            "node.name" = "route_front_playback";
+            "node.target" = "alsa_output.usb-C-Media_Electronics_Inc._AmazonBasics_Professional_Mic_2-00.analog-stereo";
+            "audio.position" = [ "FL" "FR" ];
+            "stream.dont-remix" = true;
+          };
+        };
+      }
+      {
+        name = "libpipewire-module-loopback";
+        args = {
+          "node.description" = "Route Rear to Fosi Audio";
+          "capture.props" = {
+            "node.name" = "route_rear_capture";
+            "audio.position" = [ "RL" "RR" ];
+            "stream.dont-remix" = true;
+            "node.passive" = true;
+          };
+          "playback.props" = {
+            "node.name" = "route_rear_playback";
+            "node.target" = "bluez_output.F4_4E_FD_FB_58_62.1";
+            "audio.position" = [ "FL" "FR" ];
+            "stream.dont-remix" = true;
+          };
+        };
+      }
+      {
+        name = "libpipewire-module-loopback";
+        args = {
+          "node.description" = "Route Subwoofer to AmazonBasics";
+          "capture.props" = {
+            "node.name" = "route_lfe_capture";
+            "audio.position" = [ "LFE" ];
+            "stream.dont-remix" = true;
+            "node.passive" = true;
+          };
+          "playback.props" = {
+            "node.name" = "route_lfe_playback";
+            "node.target" = "alsa_output.usb-C-Media_Electronics_Inc._AmazonBasics_Professional_Mic_2-00.analog-stereo";
+            "audio.position" = [ "MONO" ];
+            "stream.dont-remix" = false;
+          };
+        };
+      }
+    ];
+  };
+
+  # Systemd services to fix PipeWire loopback routing for virtual surround
+  systemd.user.services.pipewire-surround-link = {
+    description = "Link virtual surround sink to loopback captures";
+    after = [ "pipewire.service" "wireplumber.service" ];
+    requires = [ "pipewire.service" "wireplumber.service" ];
+    wantedBy = [ "pipewire.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = false;
+      ExecStart = pkgs.writeShellScript "surround-link" ''
+        sleep 2
+        # Disconnect wrong connections
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX0 route_front_capture:input_FL 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX1 route_front_capture:input_FR 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX0 route_rear_capture:input_RL 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX1 route_rear_capture:input_RR 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX0 route_lfe_capture:input_LFE 2>/dev/null || true
+        # Create correct connections
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_FL route_front_capture:input_FL 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_FR route_front_capture:input_FR 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_RL route_rear_capture:input_RL 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_RR route_rear_capture:input_RR 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_LFE route_lfe_capture:input_LFE 2>/dev/null || true
+      '';
+    };
+  };
+
+  systemd.user.services.pipewire-surround-link-check = {
+    description = "Check and fix surround sink links";
+    after = [ "pipewire.service" "wireplumber.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "surround-link-check" ''
+        if ${pkgs.pipewire}/bin/pw-cli ls Node 2>/dev/null | grep -q "bluez_output.F4_4E_FD_FB_58_62"; then
+          if ${pkgs.pipewire}/bin/pw-link -l 2>/dev/null | grep -q "route_front_capture:input_FL.*alsa_input"; then
+            ${pkgs.systemd}/bin/systemctl --user start pipewire-surround-link.service
+          fi
+          if ! ${pkgs.pipewire}/bin/pw-link -l 2>/dev/null | grep -q "virtual_surround_sink:monitor_FL.*route_front_capture"; then
+            ${pkgs.systemd}/bin/systemctl --user start pipewire-surround-link.service
+          fi
+        fi
+      '';
+    };
+  };
+
+  systemd.user.timers.pipewire-surround-link-check = {
+    description = "Periodically check surround sink links";
+    wantedBy = [ "default.target" ];
+    timerConfig = {
+      OnStartupSec = "10s";
+      OnUnitActiveSec = "10s";
+      Unit = "pipewire-surround-link-check.service";
+    };
+  };
+}

packages/claude-code/default.nix

@@ -5,24 +5,24 @@
 }:
 
 let
-  version = "2.0.53";
+  version = "2.0.76";
 
   srcs = {
     aarch64-darwin = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/darwin-arm64/claude";
-      sha256 = "28c3ad73a20f3ae7ab23efa24d45a9791ccbe071284f1622d4e5e2b89c4a15b7";
+      sha256 = "b76f6d4d09233e67295897b0a1ed2e22d7afa406431529d8b1b532b63b8cbcbd";
     };
     x86_64-darwin = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/darwin-x64/claude";
-      sha256 = "a27f7b75a51514658640432a0afec8be130673eb7dbecc9a4d742527dd85d29a";
+      sha256 = "9d94582f0af5d2201f1c907bf24ff8d216104b897ee0b24795a6c081f40e08d7";
     };
     x86_64-linux = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/linux-x64/claude";
-      sha256 = "9c4cc19e207fb6bf7ea140a1580d5ed0dd0a481af471f23614d5a140a4abf1c6";
+      sha256 = "5dcdb480f91ba0df0bc8bd6aff148d3dfd3883f0899eeb5b9427a8b0abe7a687";
     };
     aarch64-linux = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/linux-arm64/claude";
-      sha256 = "a5d4044034f3b63c38379bc2dd4067a4dd3c8ec48965ba8e66e3623774a93b72";
+      sha256 = "f64a994c8e5bfb84d7242cebbec75d6919db2ee46d50b8fc7a88d5066db193f9";
     };
   };
 
@@ -57,4 +57,4 @@ in stdenv.mkDerivation {
     platforms = [ "aarch64-darwin" "x86_64-darwin" "x86_64-linux" "aarch64-linux" ];
     mainProgram = "claude";
   };
-}
+}

packages/claude-code/update.sh

@@ -33,7 +33,8 @@ YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 
 CASK_URL="https://raw.githubusercontent.com/Homebrew/homebrew-cask/HEAD/Casks/c/claude-code.rb"
-NIX_FILE="$(dirname "$0")/default.nix"
+REPO_ROOT="${REPO_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+NIX_FILE="$REPO_ROOT/packages/claude-code/default.nix"
 
 echo "Fetching latest claude-code version from Homebrew cask..."
 

packages/default.nix

@@ -4,4 +4,5 @@
   tea-rbw = pkgs.callPackage ./tea-rbw {};
   app-launcher-server = pkgs.callPackage ./app-launcher-server {};
   claude-code = pkgs.callPackage ./claude-code {};
+  perles = pkgs.callPackage ./perles {};
 }

packages/perles/default.nix

@@ -0,0 +1,26 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "perles";
+  version = "unstable-2025-01-09";
+
+  src = fetchFromGitHub {
+    owner = "zjrosen";
+    repo = "perles";
+    rev = "main";
+    hash = "sha256-JgRayb4+mJ1r0AtdnQfqAw2+QRte+licsfZOaRgYqcs=";
+  };
+
+  vendorHash = "sha256-R7UWTdBuPteneRqxrWK51nqLtZwDsqQoMAcohN4fyak=";
+
+  # Tests require a real git repository context
+  doCheck = false;
+
+  meta = with lib; {
+    description = "A TUI for the Beads issue tracking system with BQL query language";
+    homepage = "https://github.com/zjrosen/perles";
+    license = licenses.mit;
+    maintainers = [ ];
+    mainProgram = "perles";
+  };
+}

roles/audio/default.nix

@@ -21,17 +21,11 @@ in
 
       services.pipewire = {
         enable = true;
+        alsa.enable = true;
+        alsa.support32Bit = true;
         pulse.enable = true;
       };
 
-      services.pulseaudio = {
-        package = pkgs.pulseaudioFull;
-        extraConfig = ''
-          load-module module-combine-sink
-          load-module module-switch-on-connect
-        '';
-      };
-
       services.squeezelite = {
         #enable = true;
         pulseAudio = true;

roles/desktop/gaming.nix

@@ -22,6 +22,8 @@ in
         # indiviudal cores
         #retroarch-full
         ryubing
+
+        yarg
       ];
 
       programs.steam = {

roles/kodi/default.nix

@@ -48,10 +48,19 @@ in
       then pkgs.symlinkJoin {
         name = "jellyfin-media-player-scaled";
         paths = [ pkgs.jellyfin-media-player ];
-        buildInputs = [ pkgs.makeWrapper ];
+        nativeBuildInputs = [ pkgs.makeWrapper ];
         postBuild = ''
-          wrapProgram $out/bin/jellyfinmediaplayer \
-            --add-flags "--scale-factor ${toString cfg.jellyfinScaleFactor}"
+          mkdir -p $out/bin
+          rm -f $out/bin/jellyfin-desktop
+          makeWrapper ${pkgs.jellyfin-media-player}/bin/jellyfin-desktop $out/bin/jellyfin-desktop \
+            --add-flags "--tv --scale-factor ${toString cfg.jellyfinScaleFactor}"
+
+          # Update .desktop file to include scale factor and TV mode arguments
+          mkdir -p $out/share/applications
+          rm -f $out/share/applications/org.jellyfin.JellyfinDesktop.desktop
+          substitute ${pkgs.jellyfin-media-player}/share/applications/org.jellyfin.JellyfinDesktop.desktop \
+            $out/share/applications/org.jellyfin.JellyfinDesktop.desktop \
+            --replace-fail "Exec=jellyfin-desktop" "Exec=jellyfin-desktop --tv --scale-factor ${toString cfg.jellyfinScaleFactor}"
         '';
       }
       else pkgs.jellyfin-media-player;

scripts/rotate-wallpaper.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Configuration
+REPO_ROOT="${REPO_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+WALLPAPER_FILE="$REPO_ROOT/home/wallpapers/default.nix"
+
+echo -e "${GREEN}Rotating wallpaper...${NC}"
+
+# Check if file exists
+if [[ ! -f "$WALLPAPER_FILE" ]]; then
+    echo -e "${RED}Error: $WALLPAPER_FILE not found${NC}"
+    exit 1
+fi
+
+# Get current index
+CURRENT_INDEX=$(grep -oP 'currentIndex = \K\d+' "$WALLPAPER_FILE")
+echo -e "Current index: ${YELLOW}$CURRENT_INDEX${NC}"
+
+# Count wallpapers (count occurrences of "name = " in the wallpapers list)
+WALLPAPER_COUNT=$(grep -c 'name = "' "$WALLPAPER_FILE")
+echo -e "Total wallpapers: ${YELLOW}$WALLPAPER_COUNT${NC}"
+
+# Calculate next index (wrap around)
+NEXT_INDEX=$(( (CURRENT_INDEX + 1) % WALLPAPER_COUNT ))
+echo -e "Next index: ${YELLOW}$NEXT_INDEX${NC}"
+
+# Update the currentIndex
+sed -i "s/currentIndex = $CURRENT_INDEX;/currentIndex = $NEXT_INDEX;/" "$WALLPAPER_FILE"
+
+echo -e "${GREEN}Successfully rotated wallpaper!${NC}"
+echo -e "  Old index: ${YELLOW}$CURRENT_INDEX${NC}"
+echo -e "  New index: ${YELLOW}$NEXT_INDEX${NC}"
+echo ""
+echo "Rebuild your system to apply the new wallpaper."

scripts/update-doomemacs.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Configuration
+OWNER="doomemacs"
+REPO="doomemacs"
+FILE="home/roles/emacs/default.nix"
+# Use current working directory as repo root (allows running from anywhere in the repo)
+REPO_ROOT="${REPO_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+TARGET_FILE="$REPO_ROOT/$FILE"
+
+echo -e "${GREEN}Updating DoomEmacs to latest commit...${NC}"
+
+# Check if file exists
+if [[ ! -f "$TARGET_FILE" ]]; then
+    echo -e "${RED}Error: $TARGET_FILE not found${NC}"
+    exit 1
+fi
+
+# Get the default branch first
+echo "Fetching repository information..."
+DEFAULT_BRANCH=$(curl -s "https://api.github.com/repos/$OWNER/$REPO" | jq -r '.default_branch')
+
+if [[ -z "$DEFAULT_BRANCH" ]] || [[ "$DEFAULT_BRANCH" == "null" ]]; then
+    echo -e "${RED}Error: Failed to fetch default branch${NC}"
+    exit 1
+fi
+
+# Get the latest commit SHA from GitHub
+echo "Fetching latest commit SHA from $DEFAULT_BRANCH branch..."
+LATEST_SHA=$(curl -s "https://api.github.com/repos/$OWNER/$REPO/commits/$DEFAULT_BRANCH" | jq -r '.sha')
+
+if [[ -z "$LATEST_SHA" ]] || [[ "$LATEST_SHA" == "null" ]]; then
+    echo -e "${RED}Error: Failed to fetch latest commit SHA${NC}"
+    exit 1
+fi
+
+echo -e "Latest commit: ${YELLOW}$LATEST_SHA${NC}"
+
+# Get current SHA from file
+CURRENT_SHA=$(grep -oP 'rev = "\K[^"]+' "$TARGET_FILE")
+echo -e "Current commit: ${YELLOW}$CURRENT_SHA${NC}"
+
+if [[ "$CURRENT_SHA" == "$LATEST_SHA" ]]; then
+    echo -e "${GREEN}Already up to date!${NC}"
+    exit 0
+fi
+
+# Update the rev field
+echo "Updating rev in $FILE..."
+sed -i "s/rev = \".*\"/rev = \"$LATEST_SHA\"/" "$TARGET_FILE"
+
+# Fetch the new sha256 hash using nix-prefetch
+echo "Fetching new sha256 hash..."
+NEW_SHA256=$(nix-prefetch-url --unpack "https://github.com/$OWNER/$REPO/archive/$LATEST_SHA.tar.gz" 2>/dev/null)
+
+if [[ -z "$NEW_SHA256" ]]; then
+    echo -e "${RED}Error: Failed to fetch sha256 hash${NC}"
+    # Revert the rev change
+    sed -i "s/rev = \".*\"/rev = \"$CURRENT_SHA\"/" "$TARGET_FILE"
+    exit 1
+fi
+
+# Convert to SRI hash format
+SRI_HASH=$(nix hash to-sri --type sha256 "$NEW_SHA256")
+echo -e "New sha256: ${YELLOW}$SRI_HASH${NC}"
+
+# Update the sha256 field
+sed -i "s|sha256 = \".*\"|sha256 = \"$SRI_HASH\"|" "$TARGET_FILE"
+
+echo -e "${GREEN}Successfully updated DoomEmacs!${NC}"
+echo -e "  Old commit: ${YELLOW}$CURRENT_SHA${NC}"
+echo -e "  New commit: ${YELLOW}$LATEST_SHA${NC}"
+echo -e "  New sha256: ${YELLOW}$SRI_HASH${NC}"
+echo ""
+echo "You can now rebuild your system with the updated DoomEmacs."

scripts/upgrade.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+REPO_ROOT="${REPO_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}  NixOS Configuration Major Upgrade${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo ""
+
+# Step 1: Update flake inputs
+echo -e "${GREEN}[1/4] Updating flake inputs...${NC}"
+cd "$REPO_ROOT"
+nix flake update
+echo ""
+
+# Step 2: Update Doom Emacs
+echo -e "${GREEN}[2/4] Updating Doom Emacs...${NC}"
+"$REPO_ROOT/scripts/update-doomemacs.sh"
+echo ""
+
+# Step 3: Update Claude Code
+echo -e "${GREEN}[3/4] Updating Claude Code...${NC}"
+"$REPO_ROOT/packages/claude-code/update.sh"
+echo ""
+
+# Step 4: Rotate wallpaper
+echo -e "${GREEN}[4/4] Rotating wallpaper...${NC}"
+"$REPO_ROOT/scripts/rotate-wallpaper.sh"
+echo ""
+
+echo -e "${BLUE}========================================${NC}"
+echo -e "${GREEN}Upgrade complete!${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo ""
+echo "Next steps:"
+echo "  1. Review changes: git diff"
+echo "  2. Rebuild system: sudo nixos-rebuild switch --flake ."
+echo "  3. If satisfied, commit: git add -A && git commit -m 'chore: Major upgrade'"