Remove perles

Add fast-cpu and fast-storage labels since this node has a faster CPU
than other cluster nodes and is the NFS host with fast local storage.
Also add k3s-upgrade=disabled to exclude from system-upgrade-controller.

.claude/commands/import_gitea_issues.md

@@ -0,0 +1,130 @@
+---
+description: Import open Gitea issues as beads, skipping already-imported ones
+---
+
+# Import Gitea Issues as Beads
+
+This skill imports open Gitea issues as beads, checking for duplicates to avoid re-importing already tracked issues.
+
+## Prerequisites
+
+- `tea` CLI must be installed and configured for the repository
+- `bd` (beads) CLI must be installed
+- Must be in a git repository with a Gitea/Forgejo remote
+
+## Workflow
+
+### Step 1: Get open Gitea issues
+
+List all open issues using `tea`:
+
+```bash
+tea issues
+```
+
+This returns a table with columns: INDEX, TITLE, LABELS, MILESTONE
+
+### Step 2: Get existing beads
+
+List all current beads to check what's already imported:
+
+```bash
+bd list
+```
+
+Also check bead notes for issue URLs to identify imports:
+
+```bash
+bd list --json | jq -r '.[] | select(.notes != null) | .notes' | grep -oP 'issues/\K\d+'
+```
+
+### Step 3: Check for already-linked PRs
+
+Check if any open PRs reference beads (skip these issues as they're being worked on):
+
+```bash
+tea pr list
+```
+
+Look for PRs with:
+- Bead ID in title: `[nixos-configs-xxx]`
+- Bead reference in body: `Implements bead:` or `Bead ID:`
+
+### Step 4: For each untracked issue, create a bead
+
+For each issue not already tracked:
+
+1. **Get full issue details**:
+   ```bash
+   tea issue [ISSUE_NUMBER]
+   ```
+
+2. **Determine bead type** based on issue content:
+   - "bug" - if issue mentions bug, error, broken, fix, crash
+   - "feature" - if issue mentions feature, add, new, enhancement
+   - "task" - default for other issues
+
+3. **Create the bead**:
+   ```bash
+   bd add "[ISSUE_TITLE]" \
+     --type=[TYPE] \
+     --priority=P2 \
+     --notes="Gitea issue: [ISSUE_URL]
+
+   Original issue description:
+   [ISSUE_BODY]"
+   ```
+
+   Note: The `--notes` flag accepts multi-line content.
+
+### Step 5: Report results
+
+Present a summary:
+
+```
+## Gitea Issues Import Summary
+
+### Imported as Beads
+| Issue | Title | Bead ID | Type |
+|-------|-------|---------|------|
+| #5 | Add dark mode | nixos-configs-abc | feature |
+| #3 | Config broken on reboot | nixos-configs-def | bug |
+
+### Skipped (Already Tracked)
+| Issue | Title | Reason |
+|-------|-------|--------|
+| #4 | Update flake | Existing bead: nixos-configs-xyz |
+| #2 | Refactor roles | PR #7 references bead |
+
+### Skipped (Other)
+| Issue | Title | Reason |
+|-------|-------|--------|
+| #1 | Discussion: future plans | No actionable work |
+```
+
+## Type Detection Heuristics
+
+Keywords to detect issue type:
+
+**Bug indicators** (case-insensitive):
+- bug, error, broken, fix, crash, fail, issue, problem, wrong, not working
+
+**Feature indicators** (case-insensitive):
+- feature, add, new, enhancement, implement, support, request, want, would be nice
+
+**Task** (default):
+- Anything not matching bug or feature patterns
+
+## Error Handling
+
+- **tea not configured**: Report error and exit
+- **bd not available**: Report error and exit
+- **Issue already has bead**: Skip and report in summary
+- **Issue is a PR**: Skip (tea shows PRs and issues separately)
+
+## Notes
+
+- Default priority is P2; adjust manually after import if needed
+- Issue labels from Gitea are not automatically mapped to bead tags
+- Run this periodically to catch new issues
+- After import, use `bd ready` to see which beads can be worked on

build-liveusb.sh

@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-# Build Live USB ISO from flake configuration
-# Creates an uncompressed ISO suitable for Ventoy and other USB boot tools
-
-set -e
-
-echo "Building Live USB ISO..."
-nix build .#nixosConfigurations.live-usb.config.system.build.isoImage --show-trace
-
-if [ -f "./result/iso/"*.iso ]; then
-    iso_file=$(ls ./result/iso/*.iso)
-    echo "✅ Build complete!"
-    echo "📁 ISO location: $iso_file"
-    echo "💾 Ready for Ventoy or dd to USB"
-else
-    echo "❌ Build failed - no ISO file found"
-    exit 1
-fi

flake.nix

@@ -56,94 +56,75 @@
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, nixos-wsl, ... } @ inputs: let
-    nixosModules = [
-      ./roles
-    ] ++ [
-      inputs.home-manager.nixosModules.home-manager
-      {
-        nixpkgs.overlays = [
-          (final: prev: {
+    # Shared overlay function to reduce duplication across module sets
+    # Parameters:
+    #   unstableOverlays: Additional overlays to apply when importing nixpkgs-unstable
+    mkBaseOverlay = { unstableOverlays ? [] }: (final: prev: {
       unstable = import nixpkgs-unstable {
         system = prev.stdenv.hostPlatform.system;
         config.allowUnfree = true;
+        overlays = unstableOverlays;
       };
       custom = prev.callPackage ./packages {};
       # Compatibility: bitwarden renamed to bitwarden-desktop in unstable
       bitwarden-desktop = prev.bitwarden-desktop or prev.bitwarden;
-          })
-        ];
+    });
+
+    # Shared home-manager configuration factory
+    # Parameters:
+    #   sharedModules: Additional modules to include in home-manager.sharedModules
+    mkHomeManagerConfig = { sharedModules ? [] }: {
       home-manager.useGlobalPkgs = true;
       home-manager.useUserPackages = true;
-        home-manager.sharedModules = [
-          inputs.plasma-manager.homeModules.plasma-manager
+      home-manager.sharedModules = sharedModules ++ [
         inputs.nix-doom-emacs-unstraightened.homeModule
       ];
       home-manager.extraSpecialArgs = {
         globalInputs = inputs;
       };
+    };
+
+    nixosModules = [
+      ./roles
+      inputs.home-manager.nixosModules.home-manager
+      {
+        nixpkgs.overlays = [ (mkBaseOverlay {}) ];
       }
+      (mkHomeManagerConfig {
+        sharedModules = [ inputs.plasma-manager.homeModules.plasma-manager ];
+      })
     ];
+
     # Modules for unstable-based systems (like nix-deck)
     nixosModulesUnstable = [
       ./roles
-    ] ++ [
       inputs.home-manager-unstable.nixosModules.home-manager
       inputs.jovian.nixosModules.jovian
       {
-        nixpkgs.overlays = [
-          (final: prev: {
-            unstable = import nixpkgs-unstable {
-              system = prev.stdenv.hostPlatform.system;
-              config.allowUnfree = true;
-            };
-            custom = prev.callPackage ./packages {};
-            # Compatibility: bitwarden renamed to bitwarden-desktop in unstable
-            bitwarden-desktop = prev.bitwarden-desktop or prev.bitwarden;
+        nixpkgs.overlays = [ (mkBaseOverlay {}) ];
+      }
+      (mkHomeManagerConfig {
+        sharedModules = [ inputs.plasma-manager-unstable.homeModules.plasma-manager ];
       })
     ];
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.sharedModules = [
-          inputs.plasma-manager-unstable.homeModules.plasma-manager
-          inputs.nix-doom-emacs-unstraightened.homeModule
-        ];
-        home-manager.extraSpecialArgs = {
-          globalInputs = inputs;
-        };
-      }
-    ];
+
     darwinModules = [
       ./roles/darwin.nix
-    ] ++ [
       inputs.home-manager.darwinModules.home-manager
       {
         nixpkgs.overlays = [
-          (final: prev: {
-            unstable = import nixpkgs-unstable {
-              system = prev.stdenv.hostPlatform.system;
-              config.allowUnfree = true;
-              overlays = [
+          (mkBaseOverlay {
             # Override claude-code in unstable to use our custom GCS-based build
             # (needed for corporate networks that block npm registry)
+            unstableOverlays = [
               (ufinal: uprev: {
-                  claude-code = prev.custom.claude-code or (prev.callPackage ./packages {}).claude-code;
+                claude-code = uprev.callPackage ./packages/claude-code {};
               })
             ];
-            };
-            custom = prev.callPackage ./packages {};
-            # Compatibility: bitwarden renamed to bitwarden-desktop in unstable
-            bitwarden-desktop = prev.bitwarden-desktop or prev.bitwarden;
           })
         ];
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.sharedModules = [
-          inputs.nix-doom-emacs-unstraightened.homeModule
-        ];
-        home-manager.extraSpecialArgs = {
-          globalInputs = inputs;
-        };
       }
+      (mkHomeManagerConfig { sharedModules = []; })
     ];
 
   in {
@@ -275,6 +256,16 @@
           export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
           ${builtins.readFile ./scripts/upgrade.sh}
         '';
+
+        bootstrap = pkgs.writeShellScriptBin "bootstrap" ''
+          export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+          ${builtins.readFile ./scripts/bootstrap.sh}
+        '';
+
+        build-liveusb = pkgs.writeShellScriptBin "build-liveusb" ''
+          export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+          ${builtins.readFile ./scripts/build-liveusb.sh}
+        '';
       in {
         update-doomemacs = {
           type = "app";
@@ -292,6 +283,14 @@
           type = "app";
           program = "${upgrade}/bin/upgrade";
         };
+        bootstrap = {
+          type = "app";
+          program = "${bootstrap}/bin/bootstrap";
+        };
+        build-liveusb = {
+          type = "app";
+          program = "${build-liveusb}/bin/build-liveusb";
+        };
       }
     );
   };

home/home-server.nix

@@ -11,6 +11,7 @@
     base.enable = true;
     development.enable = true;
     emacs.enable = true;
+    kubectl.enable = true;
     starship.enable = true;
     tmux.enable = true;
   };

home/roles/communication/default.nix

@@ -4,7 +4,6 @@ with lib;
 
 let
   cfg = config.home.roles.communication;
-  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.communication = {
@@ -13,14 +12,14 @@ in
 
   config = mkIf cfg.enable {
     home.packages = [
-      # For logging back into google chat (cross-platform)
-      globalInputs.google-cookie-retrieval.packages.${system}.default
-    ] ++ optionals isLinux [
-      # Linux-only communication apps (Electron apps don't build on Darwin)
+      # Communication apps
       pkgs.element-desktop
       # Re-enabled in 25.11 after security issues were resolved
       pkgs.fluffychat
       pkgs.nextcloud-talk-desktop
+      
+      # For logging back into google chat
+      globalInputs.google-cookie-retrieval.packages.${system}.default
     ];
   };
 }

home/roles/desktop/default.nix

@@ -4,7 +4,6 @@ with lib;
 
 let
   cfg = config.home.roles.desktop;
-  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.desktop = {
@@ -13,29 +12,27 @@ in
 
   config = mkIf cfg.enable {
     home.packages = with pkgs; [
-      # Cross-platform desktop applications
+      # Desktop applications
       bitwarden-desktop
-      keepassxc
-      xdg-utils # XDG utilities for opening files/URLs with default applications
-    ] ++ optionals isLinux [
-      # Linux-only desktop applications
       dunst
+      keepassxc
       unstable.ghostty
       
-      # Linux-only desktop utilities
+      # Desktop utilities
       feh # Image viewer and wallpaper setter for X11
       rofi # Application launcher for X11
       solaar # Logitech management software
       waybar
       wofi # Application launcher for Wayland
+      xdg-utils # XDG utilities for opening files/URLs with default applications
       
-      # Linux-only system utilities with GUI components
+      # System utilities with GUI components
       (snapcast.override { pulseaudioSupport = true; })
       
-      # KDE tiling window management (Linux-only)
+      # KDE tiling window management
       kdePackages.krohnkite  # Dynamic tiling extension for KWin 6
       
-      # KDE PIM applications for email, calendar, and contacts (Linux-only)
+      # KDE PIM applications for email, calendar, and contacts
       kdePackages.kmail
       kdePackages.kmail-account-wizard
       kdePackages.kmailtransport
@@ -43,33 +40,33 @@ in
       kdePackages.kaddressbook
       kdePackages.kontact
       
-      # KDE System components needed for proper integration (Linux-only)
+      # KDE System components needed for proper integration
       kdePackages.kded
       kdePackages.systemsettings
       kdePackages.kmenuedit
       
-      # Desktop menu support (Linux-only)
+      # Desktop menu support
       kdePackages.plasma-desktop # Contains applications.menu
       
-      # KDE Online Accounts support (Linux-only)
+      # KDE Online Accounts support
       kdePackages.kaccounts-integration
       kdePackages.kaccounts-providers
       kdePackages.signond
       
-      # KDE Mapping (Linux-only)
+      # KDE Mapping
       kdePackages.marble  # Virtual globe and world atlas
       
-      # KDE Productivity (Linux-only)
+      # KDE Productivity
       kdePackages.kate        # Advanced text editor with syntax highlighting
       kdePackages.okular      # Universal document viewer (PDF, ePub, etc.)
       kdePackages.spectacle   # Screenshot capture utility
       kdePackages.filelight   # Visual disk usage analyzer
       
-      # KDE Multimedia (Linux-only)
+      # KDE Multimedia
       kdePackages.gwenview    # Image viewer and basic editor
       kdePackages.elisa       # Music player
       
-      # KDE System Utilities (Linux-only)
+      # KDE System Utilities  
       kdePackages.ark         # Archive manager (zip, tar, 7z, etc.)
       kdePackages.yakuake     # Drop-down terminal emulator
     ];
@@ -80,15 +77,12 @@ in
 
     programs.spotify-player.enable = true;
 
-    # Linux-only: GNOME keyring service
-    services.gnome-keyring = mkIf isLinux {
+    services.gnome-keyring = {
       enable = true;
     };
 
-    # Linux-only: systemd user services for rbw vault unlock
-    systemd.user.services = mkIf isLinux {
-      # rbw vault unlock on login
-      rbw-unlock-on-login = {
+    # rbw vault unlock on login and resume from suspend
+    systemd.user.services.rbw-unlock-on-login = {
       Unit = {
         Description = "Unlock rbw vault at login";
         After = [ "graphical-session.target" ];
@@ -107,8 +101,7 @@ in
       };
     };
 
-      # rbw vault unlock on resume from suspend
-      rbw-unlock-on-resume = {
+    systemd.user.services.rbw-unlock-on-resume = {
       Unit = {
         Description = "Unlock rbw vault after resume from suspend";
         After = [ "suspend.target" ];
@@ -126,10 +119,9 @@ in
         WantedBy = [ "suspend.target" ];
       };
     };
-    };
 
-    # Linux-only: KDE environment variables for proper integration
-    home.sessionVariables = mkIf isLinux {
+    # KDE environment variables for proper integration
+    home.sessionVariables = {
       QT_QPA_PLATFORMTHEME = "kde";
       KDE_SESSION_VERSION = "6";
     };
@@ -149,14 +141,13 @@ in
           "x-scheme-handler/https" = "firefox.desktop";
         };
         defaultApplications = {
-          # Web browsers (cross-platform)
+          # Web browsers
           "text/html" = "firefox.desktop";
           "x-scheme-handler/http" = "firefox.desktop";
           "x-scheme-handler/https" = "firefox.desktop";
           "x-scheme-handler/about" = "firefox.desktop";
           "x-scheme-handler/unknown" = "firefox.desktop";
-        } // optionalAttrs isLinux {
-          # Linux-only: KDE application associations
+          
           # Documents
           "application/pdf" = "okular.desktop";
           "text/plain" = "kate.desktop";
@@ -199,11 +190,9 @@ in
       };
     };
 
-    # Linux-only: Fix for KDE applications.menu file issue on Plasma 6
+    # Fix for KDE applications.menu file issue on Plasma 6
     # KDE still looks for applications.menu but Plasma 6 renamed it to plasma-applications.menu
-    xdg.configFile."menus/applications.menu" = mkIf isLinux {
-      source = "${pkgs.kdePackages.plasma-workspace}/etc/xdg/menus/plasma-applications.menu";
-    };
+    xdg.configFile."menus/applications.menu".source = "${pkgs.kdePackages.plasma-workspace}/etc/xdg/menus/plasma-applications.menu";
 
     # Note: modules must be imported at top-level home config
   };

home/roles/development/default.nix

@@ -44,7 +44,6 @@ in
 
       # Custom packages
       pkgs.custom.tea-rbw
-      pkgs.custom.perles
     ];
 
     # Install Claude Code humanlayer command and agent plugins

home/roles/development/skills/gitea_pr_review.md

@@ -0,0 +1,244 @@
+---
+description: Manage and respond to Gitea/Forgejo PR review comments
+---
+
+# Gitea PR Review Comments
+
+This skill enables reading PR review comments and posting inline thread replies on Gitea/Forgejo instances.
+
+## Prerequisites
+
+- `tea` CLI configured with a Gitea/Forgejo instance
+- Access token from tea config: `~/.config/tea/config.yml`
+- Repository must be a Gitea/Forgejo remote (not GitHub)
+
+## Configuration
+
+Get the Gitea instance URL and token from tea config:
+
+```bash
+# Get the default login URL and token
+yq -r '.logins[] | select(.name == "default") | .url' ~/.config/tea/config.yml
+yq -r '.logins[] | select(.name == "default") | .token' ~/.config/tea/config.yml
+```
+
+Or if you have a specific login name:
+```bash
+yq -r '.logins[] | select(.name == "YOUR_LOGIN") | .url' ~/.config/tea/config.yml
+yq -r '.logins[] | select(.name == "YOUR_LOGIN") | .token' ~/.config/tea/config.yml
+```
+
+## Commands
+
+### 1. List PR Review Comments
+
+Fetch all reviews and their comments for a PR:
+
+```bash
+# Set environment variables
+GITEA_URL="https://git.johnogle.info"
+TOKEN="<your-token>"
+OWNER="<repo-owner>"
+REPO="<repo-name>"
+PR_NUMBER="<pr-number>"
+
+# Get all reviews for the PR
+curl -s -H "Authorization: token $TOKEN" \
+  "$GITEA_URL/api/v1/repos/$OWNER/$REPO/pulls/$PR_NUMBER/reviews" | jq
+
+# Get comments for a specific review
+REVIEW_ID="<review-id>"
+curl -s -H "Authorization: token $TOKEN" \
+  "$GITEA_URL/api/v1/repos/$OWNER/$REPO/pulls/$PR_NUMBER/reviews/$REVIEW_ID/comments" | jq
+```
+
+### 2. View All Review Comments (Combined)
+
+```bash
+# Get all reviews and their comments in one view
+curl -s -H "Authorization: token $TOKEN" \
+  "$GITEA_URL/api/v1/repos/$OWNER/$REPO/pulls/$PR_NUMBER/reviews" | \
+  jq -r '.[] | "Review \(.id) by \(.user.login): \(.state)\n  Body: \(.body)"'
+
+# For each review, show inline comments
+for REVIEW_ID in $(curl -s -H "Authorization: token $TOKEN" \
+  "$GITEA_URL/api/v1/repos/$OWNER/$REPO/pulls/$PR_NUMBER/reviews" | jq -r '.[].id'); do
+  echo "=== Review $REVIEW_ID comments ==="
+  curl -s -H "Authorization: token $TOKEN" \
+    "$GITEA_URL/api/v1/repos/$OWNER/$REPO/pulls/$PR_NUMBER/reviews/$REVIEW_ID/comments" | \
+    jq -r '.[] | "[\(.path):\(.line)] \(.body)"'
+done
+```
+
+### 3. Reply to Review Comments (Web Endpoint Method)
+
+The Gitea REST API does not support replying to review comment threads. The web UI uses a different endpoint:
+
+```
+POST /{owner}/{repo}/pulls/{pr_number}/files/reviews/comments
+Content-Type: multipart/form-data
+```
+
+**Required form fields:**
+- `reply`: Review ID to reply to
+- `content`: The reply message
+- `path`: File path
+- `line`: Line number
+- `side`: `proposed` or `original`
+- `single_review`: `true`
+- `origin`: `timeline`
+- `_csrf`: CSRF token (required for web endpoint)
+
+**Authentication Challenge:**
+This endpoint requires session-based authentication, not API tokens. Options:
+
+#### Option A: Use Browser Session (Recommended)
+
+1. Log in to Gitea in your browser
+2. Open browser developer tools and copy cookies
+3. Use the session cookies with curl
+
+```bash
+# First, get CSRF token from the PR page
+CSRF=$(curl -s -c cookies.txt -b cookies.txt \
+  "$GITEA_URL/$OWNER/$REPO/pulls/$PR_NUMBER/files" | \
+  grep -oP 'name="_csrf" value="\K[^"]+')
+
+# Post the reply
+curl -s -b cookies.txt \
+  -F "reply=$REVIEW_ID" \
+  -F "content=Your reply message here" \
+  -F "path=$FILE_PATH" \
+  -F "line=$LINE_NUMBER" \
+  -F "side=proposed" \
+  -F "single_review=true" \
+  -F "origin=timeline" \
+  -F "_csrf=$CSRF" \
+  "$GITEA_URL/$OWNER/$REPO/pulls/$PR_NUMBER/files/reviews/comments"
+```
+
+#### Option B: Create Top-Level Comment (Fallback)
+
+If thread replies are not critical, use the API to create a top-level comment:
+
+```bash
+# Create a top-level comment mentioning the review context
+curl -s -X POST \
+  -H "Authorization: token $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"body\": \"Re: @reviewer's comment on $FILE_PATH:$LINE_NUMBER\n\nYour reply here\"}" \
+  "$GITEA_URL/api/v1/repos/$OWNER/$REPO/issues/$PR_NUMBER/comments"
+```
+
+Or use tea CLI:
+```bash
+tea comment $PR_NUMBER "Re: @reviewer's comment on $FILE_PATH:$LINE_NUMBER
+
+Your reply here"
+```
+
+### 4. Submit a New Review
+
+Create a new review with inline comments:
+
+```bash
+curl -s -X POST \
+  -H "Authorization: token $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "body": "Overall review comments",
+    "event": "COMMENT",
+    "comments": [
+      {
+        "path": "path/to/file.py",
+        "body": "Comment on this line",
+        "new_position": 10
+      }
+    ]
+  }' \
+  "$GITEA_URL/api/v1/repos/$OWNER/$REPO/pulls/$PR_NUMBER/reviews"
+```
+
+Event types: `COMMENT`, `APPROVE`, `REQUEST_CHANGES`
+
+## Workflow Example
+
+### Reading and Responding to Reviews
+
+1. **Set up environment**:
+   ```bash
+   export GITEA_URL=$(yq -r '.logins[] | select(.name == "default") | .url' ~/.config/tea/config.yml)
+   export TOKEN=$(yq -r '.logins[] | select(.name == "default") | .token' ~/.config/tea/config.yml)
+   export OWNER="johno"
+   export REPO="nixos-configs"
+   export PR_NUMBER="5"
+   ```
+
+2. **List all pending review comments**:
+   ```bash
+   # Get reviews
+   curl -s -H "Authorization: token $TOKEN" \
+     "$GITEA_URL/api/v1/repos/$OWNER/$REPO/pulls/$PR_NUMBER/reviews" | \
+     jq -r '.[] | select(.state == "REQUEST_CHANGES" or .state == "COMMENT") |
+       "Review \(.id) by \(.user.login) (\(.state)):\n\(.body)\n"'
+   ```
+
+3. **Get detailed comments for a review**:
+   ```bash
+   REVIEW_ID="2"
+   curl -s -H "Authorization: token $TOKEN" \
+     "$GITEA_URL/api/v1/repos/$OWNER/$REPO/pulls/$PR_NUMBER/reviews/$REVIEW_ID/comments" | \
+     jq -r '.[] | "File: \(.path):\(.line)\nComment: \(.body)\nID: \(.id)\n---"'
+   ```
+
+4. **Respond using top-level comment** (most reliable):
+   ```bash
+   tea comment $PR_NUMBER "Addressing review feedback:
+
+   - File \`path/to/file.py\` line 10: Fixed the issue by...
+   - File \`other/file.py\` line 25: Updated as suggested..."
+   ```
+
+## API Reference
+
+### Endpoints
+
+| Action | Method | Endpoint |
+|--------|--------|----------|
+| List reviews | GET | `/api/v1/repos/{owner}/{repo}/pulls/{index}/reviews` |
+| Get review | GET | `/api/v1/repos/{owner}/{repo}/pulls/{index}/reviews/{id}` |
+| Get review comments | GET | `/api/v1/repos/{owner}/{repo}/pulls/{index}/reviews/{id}/comments` |
+| Create review | POST | `/api/v1/repos/{owner}/{repo}/pulls/{index}/reviews` |
+| Submit review | POST | `/api/v1/repos/{owner}/{repo}/pulls/{index}/reviews/{id}` |
+| Delete review | DELETE | `/api/v1/repos/{owner}/{repo}/pulls/{index}/reviews/{id}` |
+| Create issue comment | POST | `/api/v1/repos/{owner}/{repo}/issues/{index}/comments` |
+
+### Review States
+
+- `PENDING` - Draft review not yet submitted
+- `COMMENT` - General comment without approval/rejection
+- `APPROVE` - Approving the changes
+- `REQUEST_CHANGES` - Requesting changes before merge
+
+## Limitations
+
+1. **Thread replies**: The Gitea REST API does not support replying directly to review comment threads. This is a known limitation. Workarounds:
+   - Use top-level comments with context
+   - Use the web UI manually for thread replies
+   - Implement session-based authentication to use the web endpoint
+
+2. **CSRF tokens**: The web endpoint for thread replies requires CSRF tokens, which expire and need to be fetched from the page.
+
+3. **Session auth**: API tokens work for REST API but not for web endpoints that require session cookies.
+
+## Tips
+
+- Always quote file paths and line numbers when responding via top-level comments
+- Use `tea pr view $PR_NUMBER --comments` to see all comments
+- Use `tea open pulls/$PR_NUMBER` to open the PR in browser for manual thread replies
+- Consider using `tea pr approve $PR_NUMBER` after addressing all comments
+
+## See Also
+
+- Gitea API Documentation: https://docs.gitea.com/api/1.20/
+- `tea` CLI: https://gitea.com/gitea/tea

home/roles/emacs/doom/config.el

@@ -167,6 +167,20 @@
         claude-code-ide-window-side 'right
         claude-code-ide-window-width 90))
 
+(use-package! beads
+  :commands (beads)
+  :init
+  (map! :leader
+        (:prefix ("o" . "open")
+         (:prefix ("B" . "beads")
+          :desc "List issues"      "B" (cmd! (require 'beads) (beads-list))
+          :desc "Project issues"   "p" (cmd! (require 'beads) (beads-project-list))
+          :desc "Activity feed"    "a" (cmd! (require 'beads) (beads-activity))
+          :desc "Stale issues"     "s" (cmd! (require 'beads) (beads-stale))
+          :desc "Orphaned issues"  "o" (cmd! (require 'beads) (beads-orphans))
+          :desc "Find duplicates"  "d" (cmd! (require 'beads) (beads-duplicates))
+          :desc "Lint issues"      "l" (cmd! (require 'beads) (beads-lint))))))
+
 (after! gptel
   (require 'gptel-tool-library)
   (setq gptel-tool-library-use-maybe-safe t

home/roles/email/default.nix

@@ -4,7 +4,6 @@ with lib;
 
 let
   cfg = config.home.roles.email;
-  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.email = {
@@ -90,9 +89,8 @@ in
       account default : proton
     '';
 
-    # Linux-only: Systemd service for mail sync (Darwin uses launchd instead)
-    systemd.user.services = mkIf isLinux {
-      mbsync = {
+    # Systemd service for mail sync
+    systemd.user.services.mbsync = {
       Unit = {
         Description = "Mailbox synchronization service";
         After = [ "network-online.target" ];
@@ -106,11 +104,9 @@ in
         StandardError = "journal";
       };
     };
-    };
 
-    # Linux-only: Systemd timer for automatic sync
-    systemd.user.timers = mkIf isLinux {
-      mbsync = {
+    # Systemd timer for automatic sync
+    systemd.user.timers.mbsync = {
       Unit = {
         Description = "Mailbox synchronization timer";
       };
@@ -124,5 +120,4 @@ in
       };
     };
   };
-  };
 }

home/roles/kdeconnect/default.nix

@@ -4,15 +4,13 @@ with lib;
 
 let
   cfg = config.home.roles.kdeconnect;
-  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.kdeconnect = {
     enable = mkEnableOption "Enable KDE Connect for device integration";
   };
 
-  # KDE Connect services are Linux-only (requires D-Bus and systemd)
-  config = mkIf (cfg.enable && isLinux) {
+  config = mkIf cfg.enable {
     services.kdeconnect = {
       enable = true;
       indicator = true;

home/roles/sync/default.nix

@@ -4,7 +4,6 @@ with lib;
 
 let
   cfg = config.home.roles.sync;
-  isLinux = pkgs.stdenv.isLinux;
 in
 {
   options.home.roles.sync = {
@@ -12,10 +11,9 @@ in
   };
 
   config = mkIf cfg.enable {
-    # Linux-only: syncthingtray requires system tray support
-    home.packages = optionals isLinux (with pkgs; [
+    home.packages = with pkgs; [
       syncthingtray
-    ]);
+    ];
 
     services.syncthing = {
       enable = true;

machines/boxy/configuration.nix

@@ -26,6 +26,7 @@ with lib;
       enable = true;
       autologin = true;
       wayland = true;
+      appLauncherServer = true;
       jellyfinScaleFactor = 1.0;
     };
     nfs-mounts.enable = true;

machines/john-endesktop/configuration.nix

@@ -104,6 +104,23 @@ with lib;
   # User configuration
   roles.users.enable = true;
 
+  # k3s agent configuration
+  roles.k3s-node = {
+    enable = true;
+    role = "agent";
+    # serverAddr defaults to https://10.0.0.222:6443
+    # tokenFile defaults to /etc/k3s/token
+    extraFlags = [
+      # Node labels for workload scheduling
+      # fast-cpu: This node has a faster CPU than other cluster nodes
+      "--node-label=fast-cpu=true"
+      # fast-storage: This node is the NFS host with fast local storage access
+      "--node-label=fast-storage=true"
+      # k3s-upgrade=disabled: NixOS manages k3s upgrades via Nix, not system-upgrade-controller
+      "--node-label=k3s-upgrade=disabled"
+    ];
+  };
+
   # Time zone
   time.timeZone = "America/Los_Angeles"; # Adjust as needed
 

machines/nix-book/configuration.nix

@@ -41,14 +41,9 @@
   boot.initrd.luks.devices."luks-b614167b-9045-4234-a441-ac6f60a96d81".device = "/dev/disk/by-uuid/b614167b-9045-4234-a441-ac6f60a96d81";
 
   services.logind.settings.Login = {
-    HandleLidSwitch = "suspend-then-hibernate";
     HandlePowerKey = "hibernate";
     HandlePowerKeyLongPress = "poweroff";
   };
-  systemd.sleep.extraConfig = ''
-    HibernateDelaySec=30m
-    SuspendState=mem
-  '';
 
   networking.hostName = "nix-book"; # Define your hostname.
   # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

machines/wixos/configuration.nix

@@ -17,6 +17,15 @@
       enable = true;
       wayland = true;
     };
+    nvidia = {
+      enable = true;
+      package = "latest";
+      graphics.extraPackages = with pkgs; [
+        mesa
+        libvdpau-va-gl
+        libva-vdpau-driver
+      ];
+    };
     users.enable = true;
   };
 
@@ -29,28 +38,13 @@
   wsl.wslConf.network.hostname = "wixos";
   wsl.wslConf.user.default = "johno";
 
-  services.xserver.videoDrivers = [ "nvidia" ];
-  hardware.graphics = { 
-    enable = true;
-
-    extraPackages = with pkgs; [
-      mesa
-      libvdpau-va-gl
-      libva-vdpau-driver
-    ];
-  };
+  # WSL-specific environment variables for graphics
   environment.sessionVariables = {
     LD_LIBRARY_PATH = [
       "/usr/lib/wsl/lib"
       "/run/opengl-driver/lib"
     ];
   };
-  hardware.nvidia = {
-    modesetting.enable = true;
-    nvidiaSettings = true;
-    open = true;
-    package = config.boot.kernelPackages.nvidiaPackages.latest;
-  };
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions

machines/zix790prors/configuration.nix

@@ -25,8 +25,12 @@ with lib;
       wayland = true;
       x11 = true;
     };
+    kodi.enable = true;
     nfs-mounts.enable = true;
-    nvidia.enable = true;
+    nvidia = {
+      enable = true;
+      graphics.enable32Bit = true;
+    };
     printing.enable = true;
     remote-build.enableBuilder = true;
     users.enable = true;
@@ -47,27 +51,11 @@ with lib;
   # Fix dual boot clock sync - tell Linux to use local time for hardware clock
   time.hardwareClockInLocalTime = true;
 
-  # NVIDIA Graphics configuration
-  services.xserver.videoDrivers = [ "nvidia" ];
-  hardware.graphics.enable = true;
-  hardware.graphics.enable32Bit = true;
-  
   # Set DP-0 as primary display with 164.90Hz refresh rate
   services.xserver.displayManager.sessionCommands = ''
     ${pkgs.xorg.xrandr}/bin/xrandr --output DP-0 --mode 3440x1440 --rate 164.90 --primary
   '';
 
-  hardware.nvidia = {
-    modesetting.enable = true;
-    nvidiaSettings = true;
-    package = pkgs.linuxPackages.nvidiaPackages.stable;
-    open = true;
-    
-    # For gaming performance
-    powerManagement.enable = false;
-    powerManagement.finegrained = false;
-  };
-
   services.ollama = {
     enable = true;
     acceleration = "cuda";

packages/default.nix

@@ -1,8 +1,6 @@
 { pkgs, ... }:
 {
-  vulkanHDRLayer = pkgs.callPackage ./vulkan-hdr-layer {};
   tea-rbw = pkgs.callPackage ./tea-rbw {};
   app-launcher-server = pkgs.callPackage ./app-launcher-server {};
   claude-code = pkgs.callPackage ./claude-code {};
-  perles = pkgs.callPackage ./perles {};
 }

packages/perles/default.nix

@@ -1,26 +0,0 @@
-{ lib, buildGoModule, fetchFromGitHub }:
-
-buildGoModule rec {
-  pname = "perles";
-  version = "unstable-2025-01-09";
-
-  src = fetchFromGitHub {
-    owner = "zjrosen";
-    repo = "perles";
-    rev = "main";
-    hash = "sha256-JgRayb4+mJ1r0AtdnQfqAw2+QRte+licsfZOaRgYqcs=";
-  };
-
-  vendorHash = "sha256-R7UWTdBuPteneRqxrWK51nqLtZwDsqQoMAcohN4fyak=";
-
-  # Tests require a real git repository context
-  doCheck = false;
-
-  meta = with lib; {
-    description = "A TUI for the Beads issue tracking system with BQL query language";
-    homepage = "https://github.com/zjrosen/perles";
-    license = licenses.mit;
-    maintainers = [ ];
-    mainProgram = "perles";
-  };
-}

packages/vulkan-hdr-layer/default.nix

@@ -1,34 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, meson, pkg-config, vulkan-loader, ninja, writeText, vulkan-headers, vulkan-utility-libraries,  jq, libX11, libXrandr, libxcb, wayland, wayland-scanner }:
-
-stdenv.mkDerivation rec {
-  pname = "vulkan-hdr-layer";
-  version = "63d2eec";
-
-  src = (fetchFromGitHub {
-    owner = "Zamundaaa";
-    repo = "VK_hdr_layer";
-    rev = "869199cd2746e7f69cf19955153080842b6dacfc";
-    fetchSubmodules = true;
-    hash = "sha256-xfVYI+Aajmnf3BTaY2Ysg5fyDO6SwDFGyU0L+F+E3is=";
-  }).overrideAttrs (_: {
-    GIT_CONFIG_COUNT = 1;
-    GIT_CONFIG_KEY_0 = "url.https://github.com/.insteadOf";
-    GIT_CONFIG_VALUE_0 = "git@github.com:";
-  });
-
-  nativeBuildInputs = [ vulkan-headers meson ninja pkg-config jq ];
-
-  buildInputs = [ vulkan-headers vulkan-loader vulkan-utility-libraries libX11 libXrandr libxcb wayland wayland-scanner ];
-
-  # Help vulkan-loader find the validation layers
-  setupHook = writeText "setup-hook" ''
-    addToSearchPath XDG_DATA_DIRS @out@/share
-  '';
-
-  meta = with lib; {
-    description = "Layers providing Vulkan HDR";
-    homepage = "https://github.com/Zamundaaa/VK_hdr_layer";
-    platforms = platforms.linux;
-    license = licenses.mit;
-  };
-}

roles/default.nix

@@ -9,6 +9,7 @@ with lib;
     ./bluetooth
     ./btrfs
     ./desktop
+    ./k3s-node
     ./kodi
     ./nfs-mounts
     ./nvidia

roles/k3s-node/default.nix

@@ -0,0 +1,81 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.k3s-node;
+in
+{
+  options.roles.k3s-node = {
+    enable = mkEnableOption "Enable k3s node";
+
+    role = mkOption {
+      type = types.enum [ "server" "agent" ];
+      default = "agent";
+      description = "k3s role: server (control plane) or agent (worker)";
+    };
+
+    serverAddr = mkOption {
+      type = types.str;
+      default = "https://10.0.0.222:6443";
+      description = "URL of k3s server to join (required for agents, used for HA servers)";
+    };
+
+    tokenFile = mkOption {
+      type = types.path;
+      default = "/etc/k3s/token";
+      description = "Path to file containing the cluster join token";
+    };
+
+    clusterInit = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Initialize a new cluster (first server only)";
+    };
+
+    extraFlags = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "Additional flags to pass to k3s";
+    };
+
+    gracefulNodeShutdown = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable graceful node shutdown";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Open firewall ports for k3s";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # k3s service configuration
+    services.k3s = {
+      enable = true;
+      role = cfg.role;
+      tokenFile = cfg.tokenFile;
+      extraFlags = cfg.extraFlags;
+      gracefulNodeShutdown.enable = cfg.gracefulNodeShutdown;
+      serverAddr = if (cfg.role == "agent" || !cfg.clusterInit) then cfg.serverAddr else "";
+      clusterInit = cfg.role == "server" && cfg.clusterInit;
+    };
+
+    # Firewall rules for k3s
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [
+        6443  # k3s API server
+        10250 # kubelet metrics
+      ] ++ optionals (cfg.role == "server") [
+        2379  # etcd clients (HA)
+        2380  # etcd peers (HA)
+      ];
+      allowedUDPPorts = [
+        8472  # flannel VXLAN
+      ];
+    };
+  };
+}

roles/kodi/default.nix

@@ -22,7 +22,7 @@ in
     appLauncherServer = {
       enable = mkOption {
         type = types.bool;
-        default = true;
+        default = false;
         description = "Enable HTTP app launcher server for remote control";
       };
       port = mkOption {

roles/nvidia/default.nix

@@ -8,9 +8,89 @@ in
 {
   options.roles.nvidia = {
     enable = mkEnableOption "Enable the nvidia role";
+
+    # Driver configuration options
+    open = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Use the open source nvidia kernel driver (for Turing and newer GPUs).";
+    };
+
+    modesetting = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable kernel modesetting for nvidia.";
+    };
+
+    nvidiaSettings = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable the nvidia-settings GUI.";
+    };
+
+    package = mkOption {
+      type = types.enum [ "stable" "latest" "beta" "vulkan_beta" "production" ];
+      default = "stable";
+      description = "The nvidia driver package to use.";
+    };
+
+    powerManagement = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable nvidia power management (useful for laptops, not recommended for desktops).";
+      };
+
+      finegrained = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable fine-grained power management for Turing and newer GPUs.";
+      };
+    };
+
+    graphics = {
+      enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable hardware graphics support.";
+      };
+
+      enable32Bit = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable 32-bit graphics libraries (needed for some games).";
+      };
+
+      extraPackages = mkOption {
+        type = types.listOf types.package;
+        default = [];
+        description = "Extra packages to add to hardware.graphics.extraPackages.";
+      };
+    };
   };
 
   config = mkIf cfg.enable {
+    # Set xserver video driver
+    services.xserver.videoDrivers = [ "nvidia" ];
+
+    # Graphics configuration
+    hardware.graphics = {
+      enable = cfg.graphics.enable;
+      enable32Bit = cfg.graphics.enable32Bit;
+      extraPackages = cfg.graphics.extraPackages;
+    };
+
+    # NVIDIA driver configuration
+    hardware.nvidia = {
+      modesetting.enable = cfg.modesetting;
+      nvidiaSettings = cfg.nvidiaSettings;
+      open = cfg.open;
+      package = config.boot.kernelPackages.nvidiaPackages.${cfg.package};
+      powerManagement.enable = cfg.powerManagement.enable;
+      powerManagement.finegrained = cfg.powerManagement.finegrained;
+    };
+
+    # Additional packages for nvidia support
     environment.systemPackages = with pkgs; [
       libva-utils
       nvidia-vaapi-driver

scripts/bootstrap.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 # bootstrap.sh
-# Usage: sudo ./bootstrap.sh <hostname>
+# Usage: nix run .#bootstrap -- <hostname>
+# Or: sudo ./scripts/bootstrap.sh <hostname>
 set -euo pipefail
 
 NEW_HOSTNAME="${1:?missing hostname}"
@@ -8,4 +9,3 @@ FLAKE_URI="git+https://git.johnogle.info/johno/nixos-configs.git#${NEW_HOSTNAME}
 
 export NIX_CONFIG="experimental-features = nix-command flakes"
 nixos-rebuild switch --flake "$FLAKE_URI"
-

scripts/build-liveusb.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Build Live USB ISO from flake configuration
+# Creates an uncompressed ISO suitable for Ventoy and other USB boot tools
+# Usage: nix run .#build-liveusb
+# Or: ./scripts/build-liveusb.sh
+
+set -euo pipefail
+
+REPO_ROOT="${REPO_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+
+echo "Building Live USB ISO..."
+nix build "${REPO_ROOT}#nixosConfigurations.live-usb.config.system.build.isoImage" --show-trace
+
+if ls "${REPO_ROOT}/result/iso/"*.iso 1> /dev/null 2>&1; then
+    iso_file=$(ls "${REPO_ROOT}/result/iso/"*.iso)
+    echo "Build complete!"
+    echo "ISO location: $iso_file"
+    echo "Ready for Ventoy or dd to USB"
+else
+    echo "Build failed - no ISO file found"
+    exit 1
+fi