fix: shift renovate schedules to 5-7 PM Saturday to align with cron

CronJob runs at 0/6/12/18h. Old 2-4 PM window never had a run
inside it, so Renovate never created PRs. Shift to 5-7 PM so the
18:00 run lands in the window. nixpkgs-qt staggered to 7-9 PM.

.beads/.gitignore

@@ -32,6 +32,11 @@ beads.left.meta.json
 beads.right.jsonl
 beads.right.meta.json
 
+# Sync state (local-only, per-machine)
+# These files are machine-specific and should not be shared across clones
+.sync.lock
+sync_base.jsonl
+
 # NOTE: Do NOT add negation patterns (e.g., !issues.jsonl) here.
 # They would override fork protection in .git/info/exclude, allowing
 # contributors to accidentally commit upstream issue databases.

.beads/config.yaml

@@ -6,7 +6,7 @@
 # Issue prefix for this repository (used by bd init)
 # If not set, bd init will auto-detect from directory name
 # Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
-# issue-prefix: ""
+issue-prefix: "x"
 
 # Use no-db mode: load from JSONL, no SQLite, write back after each command
 # When true, bd will use .beads/issues.jsonl as the source of truth
@@ -59,4 +59,6 @@ sync-branch: "beads-sync"
 # - linear.url
 # - linear.api-key
 # - github.org
-# - github.repo
+# - github.repo
+
+routing.mode: "explicit"

.beads/metadata.json

@@ -1,4 +0,0 @@
-{
-  "database": "beads.db",
-  "jsonl_export": "sync_base.jsonl"
-}

.gitea/workflows/ci.yml

@@ -12,9 +12,97 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@main
+      - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@v1
 
       - name: Check flake
         run: nix flake check
         env:
           NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+  build-and-cache:
+    runs-on: ubuntu-latest
+    needs: check
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@v1
+
+      - name: Setup SSH for cache
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CACHE_SSH_KEY }}" > ~/.ssh/cache_key
+          chmod 600 ~/.ssh/cache_key
+          ssh-keyscan -H ${{ secrets.CACHE_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true
+
+      - name: Setup signing key
+        run: |
+          echo "${{ secrets.NIX_SIGNING_KEY }}" > /tmp/signing-key
+          chmod 600 /tmp/signing-key
+
+      - name: Build, sign, and cache all packages
+        run: |
+          PACKAGES=(
+            custom-claude-code
+            custom-app-launcher-server
+            custom-mcrcon-rbw
+            custom-tea-rbw
+            custom-rclone-torbox-setup
+            custom-beads
+            custom-gastown
+            custom-perles
+            qt-pinned-jellyfin-media-player
+            qt-pinned-stremio
+            nix-deck-kernel
+          )
+
+          FAILED=()
+          SKIPPED=()
+          for pkg in "${PACKAGES[@]}"; do
+            echo "::group::Building $pkg"
+
+            # Check if package is already cached by evaluating its store path and checking the remote
+            OUT_PATH=$(nix eval ".#$pkg.outPath" --raw 2>/dev/null)
+            if [ -n "$OUT_PATH" ] && ssh -i ~/.ssh/cache_key ${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }} \
+                "nix path-info '$OUT_PATH' >/dev/null 2>&1"; then
+              echo "⏭ $pkg already cached ($OUT_PATH), skipping"
+              SKIPPED+=("$pkg")
+              echo "::endgroup::"
+              continue
+            fi
+
+            # --cores 2 limits parallel jobs to reduce RAM pressure on john-endesktop
+            if BUILD_OUTPUT=$(nix build ".#$pkg" --no-link --print-out-paths --cores 2 2>&1); then
+              OUT_PATH=$(echo "$BUILD_OUTPUT" | grep '^/nix/store/' | tail -1)
+              echo "$BUILD_OUTPUT"
+              echo "Store path: $OUT_PATH"
+
+              # Sign the closure
+              nix store sign --key-file /tmp/signing-key -r "$OUT_PATH"
+
+              # Push to cache
+              nix copy --to "ssh-ng://${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }}?ssh-key=$HOME/.ssh/cache_key" "$OUT_PATH"
+
+              # Create GC root to prevent garbage collection
+              OUT_HASH=$(basename "$OUT_PATH" | cut -d'-' -f1)
+              ssh -i ~/.ssh/cache_key ${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }} \
+                "mkdir -p /nix/var/nix/gcroots/ci-cache && ln -sfn $OUT_PATH /nix/var/nix/gcroots/ci-cache/${OUT_HASH}"
+
+              echo "✓ $pkg cached successfully"
+            else
+              echo "✗ $pkg failed to build"
+              FAILED+=("$pkg")
+            fi
+            echo "::endgroup::"
+          done
+
+          if [ ${#SKIPPED[@]} -gt 0 ]; then
+            echo "Skipped (already cached): ${SKIPPED[*]}"
+          fi
+
+          if [ ${#FAILED[@]} -gt 0 ]; then
+            echo "::error::Failed packages: ${FAILED[*]}"
+            exit 1
+          fi
+        env:
+          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"

.gitignore

@@ -1,3 +1,8 @@
 result
 thoughts
 .beads
+
+# Gas Town (added by gt)
+.runtime/
+.claude/
+.logs/

flake.lock

@@ -2,17 +2,16 @@
   "nodes": {
     "beads": {
       "inputs": {
-        "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs-unstable"
         ]
       },
       "locked": {
-        "lastModified": 1767911810,
-        "narHash": "sha256-0L4ATr01UsmBC0rSW62VIMVVSUihAQu2+ZOoHk9BQnA=",
+        "lastModified": 1773070962,
+        "narHash": "sha256-kHZXx+kygpVholOBsuQocCtksHo5ZWYskP64qK2Kjh0=",
         "owner": "steveyegge",
         "repo": "beads",
-        "rev": "28ff9fe9919a9665a0f00f5b3fcd084b43fb6cc3",
+        "rev": "9604d30b7c746f9f04f6dea5f82996f71bb66073",
         "type": "github"
       },
       "original": {
@@ -24,11 +23,11 @@
     "doomemacs": {
       "flake": false,
       "locked": {
-        "lastModified": 1767773143,
-        "narHash": "sha256-QL/t9v2kFNxBDyNJb/s411o3mxujan+QX5IZglTdpTk=",
+        "lastModified": 1772615218,
+        "narHash": "sha256-z+3c0AGkrMf1xZ+pq57aVp4Zo4KsqFMIjEVzSZinghc=",
         "owner": "doomemacs",
         "repo": "doomemacs",
-        "rev": "3e15fb36d7f94f0a218bda977be4d3f5da983a71",
+        "rev": "d23bbe87721c61f4d5a605f2914b32780bb89949",
         "type": "github"
       },
       "original": {
@@ -47,11 +46,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768011937,
-        "narHash": "sha256-SnU2XTo34vwVaijs+4VwcXTNwMWO4nwzzs08N39UagA=",
+        "lastModified": 1772706147,
+        "narHash": "sha256-C0UMYQg3KBU6+L8TLfQ/s60O6/Tiu/JpN8C/WiIH9DU=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "79abf71d9897cf3b5189f7175cda1b1102abc65c",
+        "rev": "54af2ae96631311dc4d2686a07e4f472fb36f516",
         "type": "github"
       },
       "original": {
@@ -78,6 +77,30 @@
         "type": "github"
       }
     },
+    "gastown": {
+      "inputs": {
+        "beads": [
+          "beads"
+        ],
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773088127,
+        "narHash": "sha256-gJFayiBYrF0Q99AOQH29uq0Mli8KRfwReYeAh5H5evY=",
+        "owner": "steveyegge",
+        "repo": "gastown",
+        "rev": "8da798be0663af74be7960844b90038e51769203",
+        "type": "github"
+      },
+      "original": {
+        "owner": "steveyegge",
+        "repo": "gastown",
+        "type": "github"
+      }
+    },
     "google-cookie-retrieval": {
       "inputs": {
         "nixpkgs": [
@@ -85,11 +108,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1761423376,
-        "narHash": "sha256-pMy3cnUFfue4vz/y0jx71BfcPGxZf+hk/DtnzWvfU0c=",
+        "lastModified": 1768846578,
+        "narHash": "sha256-82f/+e8HAwmBukiLlr7I3HYvM/2GCd5SOc+BC+qzsOQ=",
         "ref": "refs/heads/main",
-        "rev": "a1f695665771841a988afc965526cbf99160cd77",
-        "revCount": 11,
+        "rev": "c11ff9d3c67372a843a0fa6bf23132e986bd6955",
+        "revCount": 14,
         "type": "git",
         "url": "https://git.johnogle.info/johno/google-cookie-retrieval.git"
       },
@@ -105,11 +128,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767514898,
-        "narHash": "sha256-ONYqnKrPzfKEEPChoJ9qPcfvBqW9ZgieDKD7UezWPg4=",
+        "lastModified": 1772633058,
+        "narHash": "sha256-SO7JapRy2HPhgmqiLbfnW1kMx5rakPMKZ9z3wtRLQjI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7a06e8a2f844e128d3b210a000a62716b6040b7f",
+        "rev": "080657a04188aca25f8a6c70a0fb2ea7e37f1865",
         "type": "github"
       },
       "original": {
@@ -126,11 +149,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767556355,
-        "narHash": "sha256-RDTUBDQBi9D4eD9iJQWtUDN/13MDLX+KmE+TwwNUp2s=",
+        "lastModified": 1772633327,
+        "narHash": "sha256-jl+DJB2DUx7EbWLRng+6HNWW/1/VQOnf0NsQB4PlA7I=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "f894bc4ffde179d178d8deb374fcf9855d1a82b7",
+        "rev": "5a75730e6f21ee624cbf86f4915c6e7489c74acc",
         "type": "github"
       },
       "original": {
@@ -148,11 +171,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767082077,
-        "narHash": "sha256-2tL1mRb9uFJThUNfuDm/ehrnPvImL/QDtCxfn71IEz4=",
+        "lastModified": 1772517207,
+        "narHash": "sha256-qxHfxqbigqBTn//U4leIS5he22Wp1GS0+zmwGV7Pozs=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "efd4b22e6fdc6d7fb4e186ae333a4b74e03da440",
+        "rev": "7ca1501c2d80900b5967baea4d42581f84b388dd",
         "type": "github"
       },
       "original": {
@@ -168,11 +191,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765066094,
-        "narHash": "sha256-0YSU35gfRFJzx/lTGgOt6ubP8K6LeW0vaywzNNqxkl4=",
+        "lastModified": 1772129556,
+        "narHash": "sha256-Utk0zd8STPsUJPyjabhzPc5BpPodLTXrwkpXBHYnpeg=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "688427b1aab9afb478ca07989dc754fa543e03d5",
+        "rev": "ebec37af18215214173c98cf6356d0aca24a2585",
         "type": "github"
       },
       "original": {
@@ -190,11 +213,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1768034604,
-        "narHash": "sha256-62pIZMvGHhYJmMiiBsxHqZt/dFyENPcFHlJq5NJF3Sw=",
+        "lastModified": 1772716420,
+        "narHash": "sha256-T3UEKNTGqBl44AQ0+0OIpiWMXeQ8+4QW/akSc4yeL2A=",
         "owner": "marienz",
         "repo": "nix-doom-emacs-unstraightened",
-        "rev": "9b3b8044fe4ccdcbb2d6f733d7dbe4d5feea18bc",
+        "rev": "be3ecb81a85be302e27d46ff32a1e251e444327d",
         "type": "github"
       },
       "original": {
@@ -227,11 +250,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1767480499,
-        "narHash": "sha256-8IQQUorUGiSmFaPnLSo2+T+rjHtiNWc+OAzeHck7N48=",
+        "lastModified": 1772598333,
+        "narHash": "sha256-YaHht/C35INEX3DeJQNWjNaTcPjYmBwwjFJ2jdtr+5U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "30a3c519afcf3f99e2c6df3b359aec5692054d92",
+        "rev": "fabb8c9deee281e50b1065002c9828f2cf7b2239",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-qt": {
+      "locked": {
+        "lastModified": 1772598333,
+        "narHash": "sha256-YaHht/C35INEX3DeJQNWjNaTcPjYmBwwjFJ2jdtr+5U=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "fabb8c9deee281e50b1065002c9828f2cf7b2239",
         "type": "github"
       },
       "original": {
@@ -243,11 +282,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1767379071,
-        "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
+        "lastModified": 1772624091,
+        "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fb7944c166a3b630f177938e478f0378e64ce108",
+        "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
         "type": "github"
       },
       "original": {
@@ -257,6 +296,22 @@
         "type": "github"
       }
     },
+    "perles": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1772661365,
+        "narHash": "sha256-kMlvIpfGMBkN5D1W0O1fcqUiH3dyobcH0GRRLCX7GGo=",
+        "owner": "zjrosen",
+        "repo": "perles",
+        "rev": "326ff1938dfe073daab7939762ce2f44c2ee74a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zjrosen",
+        "repo": "perles",
+        "type": "github"
+      }
+    },
     "plasma-manager": {
       "inputs": {
         "home-manager": [
@@ -267,11 +322,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763909441,
-        "narHash": "sha256-56LwV51TX/FhgX+5LCG6akQ5KrOWuKgcJa+eUsRMxsc=",
+        "lastModified": 1772361940,
+        "narHash": "sha256-B1Cz+ydL1iaOnGlwOFld/C8lBECPtzhiy/pP93/CuyY=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "b24ed4b272256dfc1cc2291f89a9821d5f9e14b4",
+        "rev": "a4b33606111c9c5dcd10009042bb710307174f51",
         "type": "github"
       },
       "original": {
@@ -290,11 +345,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763909441,
-        "narHash": "sha256-56LwV51TX/FhgX+5LCG6akQ5KrOWuKgcJa+eUsRMxsc=",
+        "lastModified": 1772361940,
+        "narHash": "sha256-B1Cz+ydL1iaOnGlwOFld/C8lBECPtzhiy/pP93/CuyY=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "b24ed4b272256dfc1cc2291f89a9821d5f9e14b4",
+        "rev": "a4b33606111c9c5dcd10009042bb710307174f51",
         "type": "github"
       },
       "original": {
@@ -306,6 +361,7 @@
     "root": {
       "inputs": {
         "beads": "beads",
+        "gastown": "gastown",
         "google-cookie-retrieval": "google-cookie-retrieval",
         "home-manager": "home-manager",
         "home-manager-unstable": "home-manager-unstable",
@@ -313,7 +369,9 @@
         "nix-darwin": "nix-darwin",
         "nix-doom-emacs-unstraightened": "nix-doom-emacs-unstraightened",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-qt": "nixpkgs-qt",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "perles": "perles",
         "plasma-manager": "plasma-manager",
         "plasma-manager-unstable": "plasma-manager-unstable"
       }

flake.nix

@@ -4,6 +4,9 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    # Separate nixpkgs for qt5webengine-dependent packages (jellyfin-media-player, etc.)
+    # Updates on separate Renovate schedule to avoid massive qt rebuilds
+    nixpkgs-qt.url = "github:nixos/nixpkgs/nixos-25.11";
 
     nix-darwin = {
       url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
@@ -47,6 +50,17 @@
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
 
+    gastown = {
+      url = "github:steveyegge/gastown";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.beads.follows = "beads";
+    };
+
+    perles = {
+      url = "github:zjrosen/perles";
+      flake = false;  # No flake.nix upstream yet
+    };
+
     nix-doom-emacs-unstraightened = {
       url = "github:marienz/nix-doom-emacs-unstraightened";
       # Don't follow nixpkgs to avoid rebuild issues with emacs-overlay
@@ -64,6 +78,14 @@
         config.allowUnfree = true;
         overlays = unstableOverlays;
       };
+      # Separate nixpkgs for qt5webengine-heavy packages to avoid rebuild churn
+      qt-pinned = import inputs.nixpkgs-qt {
+        system = prev.stdenv.hostPlatform.system;
+        config = {
+          allowUnfree = true;
+          permittedInsecurePackages = [ "qtwebengine-5.15.19" ];
+        };
+      };
       custom = prev.callPackage ./packages {};
       # Compatibility: bitwarden renamed to bitwarden-desktop in unstable
       bitwarden-desktop = prev.bitwarden-desktop or prev.bitwarden;
@@ -84,11 +106,33 @@
     };
 
 
+    # Shared unstable overlays for custom package builds
+    customUnstableOverlays = [
+      # Override claude-code in unstable to use our custom GCS-based build
+      # (needed for corporate networks that block npm registry)
+      (ufinal: uprev: {
+        claude-code = uprev.callPackage ./packages/claude-code {};
+      })
+      # Pin dolt to v1.82.4 (gastown requires >= 1.82.4)
+      (ufinal: uprev: {
+        dolt = uprev.dolt.overrideAttrs (old: rec {
+          version = "1.82.4";
+          src = uprev.fetchFromGitHub {
+            owner = "dolthub";
+            repo = "dolt";
+            tag = "v${version}";
+            hash = "sha256-mavL3y+Kv25hzFlDFXk7W/jeKVKlCBjlc67GkL3Jcwk=";
+          };
+          vendorHash = "sha256-K1KzsqptZxO5OraWKIXeqKuVSzb6E/Mjy3c5PQ7Rs9k=";
+        });
+      })
+    ];
+
     nixosModules = [
       ./roles
       inputs.home-manager.nixosModules.home-manager
       {
-        nixpkgs.overlays = [ (mkBaseOverlay {}) ];
+        nixpkgs.overlays = [ (mkBaseOverlay { unstableOverlays = customUnstableOverlays; }) ];
       }
       (mkHomeManagerConfig {
         sharedModules = [ inputs.plasma-manager.homeModules.plasma-manager ];
@@ -101,7 +145,7 @@
       inputs.home-manager-unstable.nixosModules.home-manager
       inputs.jovian.nixosModules.jovian
       {
-        nixpkgs.overlays = [ (mkBaseOverlay {}) ];
+        nixpkgs.overlays = [ (mkBaseOverlay { unstableOverlays = customUnstableOverlays; }) ];
       }
       (mkHomeManagerConfig {
         sharedModules = [ inputs.plasma-manager-unstable.homeModules.plasma-manager ];
@@ -112,17 +156,7 @@
       ./roles/darwin.nix
       inputs.home-manager.darwinModules.home-manager
       {
-        nixpkgs.overlays = [
-          (mkBaseOverlay {
-            # Override claude-code in unstable to use our custom GCS-based build
-            # (needed for corporate networks that block npm registry)
-            unstableOverlays = [
-              (ufinal: uprev: {
-                claude-code = uprev.callPackage ./packages/claude-code {};
-              })
-            ];
-          })
-        ];
+        nixpkgs.overlays = [ (mkBaseOverlay { unstableOverlays = customUnstableOverlays; }) ];
       }
       (mkHomeManagerConfig { sharedModules = []; })
     ];
@@ -162,7 +196,16 @@
       modules = nixosModules ++ [
         ./machines/zix790prors/configuration.nix
         {
-          home-manager.users.johno = import ./home/home-desktop.nix;
+          home-manager.users.johno = {
+            imports = [ ./home/home-desktop.nix ];
+            home.roles.i3_sway.extraSwayConfig = {
+              output = {
+                "DP-1" = {
+                  mode = "3440x1440@164.900Hz";
+                };
+              };
+            };
+          };
           home-manager.extraSpecialArgs = { inherit system; };
         }
       ];
@@ -206,7 +249,7 @@
     };
 
     # Darwin/macOS configurations
-    darwinConfigurations."blkfv4yf49kt7" = inputs.nix-darwin.lib.darwinSystem rec {
+    darwinConfigurations."BLKFV4YF49KT7" = inputs.nix-darwin.lib.darwinSystem rec {
       system = "aarch64-darwin";
       modules = darwinModules ++ [
         ./machines/johno-macbookpro/configuration.nix
@@ -217,6 +260,53 @@
       ];
     };
 
+    # Packages for CI caching (custom packages, flake inputs, and qt-pinned)
+    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
+      let
+        pkgs = import nixpkgs {
+          inherit system;
+          config.allowUnfree = true;
+          overlays = [ (mkBaseOverlay {}) ];
+        };
+        pkgsQt = import inputs.nixpkgs-qt {
+          inherit system;
+          config = {
+            allowUnfree = true;
+            permittedInsecurePackages = [ "qtwebengine-5.15.19" ];
+          };
+        };
+        # Version strings for flake input packages
+        beadsRev = builtins.substring 0 8 (inputs.beads.rev or "unknown");
+        gastownRev = builtins.substring 0 8 (inputs.gastown.rev or "unknown");
+      in {
+        "custom-claude-code" = pkgs.custom.claude-code;
+        "custom-app-launcher-server" = pkgs.custom.app-launcher-server;
+        "custom-mcrcon-rbw" = pkgs.custom.mcrcon-rbw;
+        "custom-tea-rbw" = pkgs.custom.tea-rbw;
+        "custom-rclone-torbox-setup" = pkgs.custom.rclone-torbox-setup;
+        "qt-pinned-jellyfin-media-player" = pkgsQt.jellyfin-media-player;
+        "qt-pinned-stremio" = pkgsQt.stremio;
+        # Flake input packages (beads, gastown) - these get version from input rev
+        "custom-beads" = pkgs.callPackage ./packages/beads {
+          inherit (pkgs.unstable) buildGoModule;
+          src = inputs.beads;
+          version = "0.52.0-${beadsRev}";
+        };
+        "custom-gastown" = pkgs.callPackage ./packages/gastown {
+          src = inputs.gastown;
+          version = "unstable-${gastownRev}";
+        };
+        "custom-perles" = pkgs.callPackage ./packages/perles {
+          inherit (pkgs.unstable) buildGoModule;
+          src = inputs.perles;
+          version = "unstable-${builtins.substring 0 8 (inputs.perles.rev or "unknown")}";
+        };
+      } // (if system == "x86_64-linux" then {
+        # nix-deck kernel from Jovian-NixOS (Steam Deck) - expensive to build
+        "nix-deck-kernel" = self.nixosConfigurations.nix-deck.config.boot.kernelPackages.kernel;
+      } else {})
+    );
+
     # Flake apps
     apps = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ] (system:
       let

home/home-darwin-work.nix

@@ -107,7 +107,7 @@
     aerospace = {
       enable = true;
       leader = "cmd";
-      ctrlShortcuts.enable = true;
+      ctrlShortcuts.enable = false;
       sketchybar.enable = true;
       # Optional: Add per-machine userSettings overrides
       # userSettings = {

home/home-kodi.nix

@@ -12,6 +12,7 @@
   home.roles = {
     base.enable = true;
     plasma-manager-kodi.enable = true;
+    kdeconnect.enable = true;
   };
 
   home.packages = with pkgs; [

home/roles/aerospace/default.nix

@@ -632,7 +632,9 @@ in
       text = ''
         #!/bin/bash
 
-        DISK_USAGE=$(df -H / | grep -v Filesystem | awk '{print $5}')
+        # Monitor /System/Volumes/Data which contains user data on APFS
+        # The root / is a read-only snapshot with minimal usage
+        DISK_USAGE=$(df -H /System/Volumes/Data | grep -v Filesystem | awk '{print $5}')
 
         ${pkgs.sketchybar}/bin/sketchybar --set $NAME label="$DISK_USAGE"
       '';

home/roles/base/default.nix

@@ -22,6 +22,7 @@ in
       shellcheck
       tmux
       tree
+      watch
     ];
 
     # Automatic garbage collection for user profile (home-manager generations).

home/roles/development/default.nix

@@ -5,6 +5,27 @@ with lib;
 let
   cfg = config.home.roles.development;
 
+  # Build beads and gastown from flake inputs using shared package definitions
+  beadsRev = builtins.substring 0 8 (globalInputs.beads.rev or "unknown");
+  beadsPackage = pkgs.callPackage ../../../packages/beads {
+    src = globalInputs.beads;
+    version = "0.52.0-${beadsRev}";
+  };
+
+  gastownRev = builtins.substring 0 8 (globalInputs.gastown.rev or "unknown");
+  gastownPackage = pkgs.callPackage ../../../packages/gastown {
+    src = globalInputs.gastown;
+    version = "unstable-${gastownRev}";
+  };
+
+  # Build perles from flake input using shared package definition
+  perlesRev = builtins.substring 0 8 (globalInputs.perles.rev or "unknown");
+  perlesPackage = pkgs.callPackage ../../../packages/perles {
+    inherit (pkgs.unstable) buildGoModule;
+    src = globalInputs.perles;
+    version = "unstable-${perlesRev}";
+  };
+
   # Fetch the claude-plugins repository (for humanlayer commands/agents)
   # Update the rev to get newer versions of the commands
   claudePluginsRepo = builtins.fetchGit {
@@ -15,6 +36,12 @@ let
     ref = "main";
   };
 
+  # Claude Code statusline: shows model, cwd, git branch, and context usage %
+  claudeCodeStatusLineConfig = pkgs.writeText "claude-statusline.json" (builtins.toJSON {
+    type = "command";
+    command = ''input=$(cat); model=$(echo "$input" | jq -r '.model.display_name'); cwd=$(echo "$input" | jq -r '.workspace.current_dir'); if git -C "$cwd" rev-parse --git-dir > /dev/null 2>&1; then branch=$(git -C "$cwd" --no-optional-locks rev-parse --abbrev-ref HEAD 2>/dev/null || echo ""); if [ -n "$branch" ]; then git_info=" on $branch"; else git_info=""; fi; else git_info=""; fi; usage=$(echo "$input" | jq '.context_window.current_usage'); if [ "$usage" != "null" ]; then current=$(echo "$usage" | jq '.input_tokens + .cache_creation_input_tokens + .cache_read_input_tokens'); size=$(echo "$input" | jq '.context_window.context_window_size'); pct=$((current * 100 / size)); context_info=" | ''${pct}% context"; else context_info=""; fi; printf "%s in %s%s%s" "$model" "$cwd" "$git_info" "$context_info"'';
+  });
+
 in
 {
   options.home.roles.development = {
@@ -37,13 +64,18 @@ in
 
   config = mkIf cfg.enable {
     home.packages = [
-      globalInputs.beads.packages.${system}.default
+      beadsPackage
+      gastownPackage
+      perlesPackage
       pkgs.unstable.claude-code
       pkgs.unstable.claude-code-router
       pkgs.unstable.codex
+      pkgs.unstable.dolt
+      pkgs.sqlite
 
       # Custom packages
       pkgs.custom.tea-rbw
+      pkgs.custom.pi-coding-agent
     ];
 
     # Install Claude Code humanlayer command and agent plugins
@@ -52,6 +84,9 @@ in
       rm -f ~/.claude/commands/humanlayer:* 2>/dev/null || true
       rm -f ~/.claude/agents/humanlayer:* 2>/dev/null || true
 
+      # Remove explicitly blocked commands that may have been installed previously
+      rm -f ~/.claude/commands/humanlayer:create_handoff.md 2>/dev/null || true
+
       # Create directories if they don't exist
       mkdir -p ~/.claude/commands
       mkdir -p ~/.claude/agents
@@ -60,13 +95,21 @@ in
       for file in ${claudePluginsRepo}/humanlayer/commands/*.md; do
         if [ -f "$file" ]; then
           filename=$(basename "$file" .md)
+
+          # Skip blocked commands
+          case "$filename" in
+            create_handoff) continue ;;
+          esac
+
           dest="$HOME/.claude/commands/humanlayer:''${filename}.md"
+          rm -f "$dest" 2>/dev/null || true
 
           # Copy file and conditionally remove the "model:" line from frontmatter
           ${if cfg.allowArbitraryClaudeCodeModelSelection
             then "cp \"$file\" \"$dest\""
             else "${pkgs.gnused}/bin/sed '/^model:/d' \"$file\" > \"$dest\""
           }
+          chmod u+w "$dest" 2>/dev/null || true
         fi
       done
 
@@ -75,17 +118,19 @@ in
         if [ -f "$file" ]; then
           filename=$(basename "$file" .md)
           dest="$HOME/.claude/agents/humanlayer:''${filename}.md"
+          rm -f "$dest" 2>/dev/null || true
 
           # Copy file and conditionally remove the "model:" line from frontmatter
           ${if cfg.allowArbitraryClaudeCodeModelSelection
             then "cp \"$file\" \"$dest\""
             else "${pkgs.gnused}/bin/sed '/^model:/d' \"$file\" > \"$dest\""
           }
+          chmod u+w "$dest" 2>/dev/null || true
         fi
       done
 
-      # Copy local skills from this repo (with retry for race conditions with running Claude)
-      for file in ${./skills}/*.md; do
+      # Copy local commands from this repo (with retry for race conditions with running Claude)
+      for file in ${./commands}/*.md; do
         if [ -f "$file" ]; then
           filename=$(basename "$file" .md)
           dest="$HOME/.claude/commands/''${filename}.md"
@@ -95,14 +140,47 @@ in
             sleep 0.5
             cp "$file" "$dest" || echo "Warning: Failed to copy $filename.md to commands"
           fi
+          chmod u+w "$dest" 2>/dev/null || true
         fi
       done
 
-      $DRY_RUN_CMD echo "Claude Code humanlayer commands and agents installed successfully${
-        if cfg.allowArbitraryClaudeCodeModelSelection
-        then " (model specifications preserved)"
-        else " (model selection removed)"
-      } + local skills"
+      # Copy local skills (reference materials) to skills subdirectory
+      mkdir -p ~/.claude/commands/skills
+      for file in ${./skills}/*.md; do
+        if [ -f "$file" ]; then
+          filename=$(basename "$file" .md)
+          dest="$HOME/.claude/commands/skills/''${filename}.md"
+          rm -f "$dest" 2>/dev/null || true
+          if ! cp "$file" "$dest" 2>/dev/null; then
+            sleep 0.5
+            cp "$file" "$dest" || echo "Warning: Failed to copy $filename.md to skills"
+          fi
+          chmod u+w "$dest" 2>/dev/null || true
+        fi
+      done
+
+      # Copy micro-skills (compact reusable knowledge referenced by formulas)
+      for file in ${./skills/micro}/*.md; do
+        if [ -f "$file" ]; then
+          dest="$HOME/.claude/commands/skills/$(basename "$file")"
+          rm -f "$dest" 2>/dev/null || true
+          cp "$file" "$dest"
+          chmod u+w "$dest" 2>/dev/null || true
+        fi
+      done
+
+      # Install beads formulas to user-level formula directory
+      mkdir -p ~/.beads/formulas
+      for file in ${./formulas}/*.formula.toml; do
+        if [ -f "$file" ]; then
+          dest="$HOME/.beads/formulas/$(basename "$file")"
+          rm -f "$dest" 2>/dev/null || true
+          cp "$file" "$dest"
+          chmod u+w "$dest" 2>/dev/null || true
+        fi
+      done
+
+      $DRY_RUN_CMD echo "Claude Code plugins installed: humanlayer commands/agents + local commands + local skills + formulas"
     '';
 
     # Set up beads Claude Code integration (hooks for SessionStart/PreCompact)
@@ -110,11 +188,63 @@ in
     home.activation.claudeCodeBeadsSetup = lib.hm.dag.entryAfter ["writeBoundary" "claudeCodeCommands"] ''
       # Run bd setup claude to install hooks into ~/.claude/settings.json
       # This is idempotent - safe to run multiple times
-      ${globalInputs.beads.packages.${system}.default}/bin/bd setup claude 2>/dev/null || true
+      ${beadsPackage}/bin/bd setup claude 2>/dev/null || true
 
       $DRY_RUN_CMD echo "Claude Code beads integration configured (hooks installed)"
     '';
 
+    # Configure Claude Code statusline (merge into existing settings.json)
+    home.activation.claudeCodeStatusLine = lib.hm.dag.entryAfter ["writeBoundary" "claudeCodeBeadsSetup"] ''
+      SETTINGS="$HOME/.claude/settings.json"
+      mkdir -p "$HOME/.claude"
+      if [ -f "$SETTINGS" ]; then
+        ${pkgs.jq}/bin/jq --slurpfile sl ${claudeCodeStatusLineConfig} '.statusLine = $sl[0]' "$SETTINGS" > "''${SETTINGS}.tmp" && mv "''${SETTINGS}.tmp" "$SETTINGS"
+      else
+        ${pkgs.jq}/bin/jq -n --slurpfile sl ${claudeCodeStatusLineConfig} '{statusLine: $sl[0]}' > "$SETTINGS"
+      fi
+      $DRY_RUN_CMD echo "Claude Code statusline configured"
+    '';
+
+    # Beads timer gate checker (Linux only - uses systemd)
+    # Runs every 5 minutes to auto-resolve expired timer gates across all beads projects
+    # This enables self-scheduling molecules (watchers, patrols, etc.)
+    systemd.user.services.beads-gate-check = lib.mkIf pkgs.stdenv.isLinux {
+      Unit = {
+        Description = "Check and resolve expired beads timer gates";
+      };
+      Service = {
+        Type = "oneshot";
+        # Check gates in all workspaces that have running daemons
+        ExecStart = pkgs.writeShellScript "beads-gate-check-all" ''
+          # Get list of workspaces from daemon registry
+          workspaces=$(${beadsPackage}/bin/bd daemon list --json 2>/dev/null | ${pkgs.jq}/bin/jq -r '.[].workspace // empty' 2>/dev/null)
+
+          if [ -z "$workspaces" ]; then
+            exit 0  # No beads workspaces, nothing to do
+          fi
+
+          for ws in $workspaces; do
+            if [ -d "$ws" ]; then
+              cd "$ws" && ${beadsPackage}/bin/bd gate check --type=timer --quiet 2>/dev/null || true
+            fi
+          done
+        '';
+      };
+    };
+
+    systemd.user.timers.beads-gate-check = lib.mkIf pkgs.stdenv.isLinux {
+      Unit = {
+        Description = "Periodic beads timer gate check";
+      };
+      Timer = {
+        OnBootSec = "5min";
+        OnUnitActiveSec = "5min";
+      };
+      Install = {
+        WantedBy = [ "timers.target" ];
+      };
+    };
+
     # Note: modules must be imported at top-level home config
   };
 }

home/roles/development/formulas/quick-fix.formula.toml

@@ -0,0 +1,115 @@
+# Quick Fix Formula
+#
+# Streamlined workflow for well-understood bugs and small fixes.
+# Skips the deep research and planning phases of RPI - get in, fix, get out.
+#
+# Use when:
+#   - Bug is well-understood (you know what's broken)
+#   - Fix is straightforward (no architectural decisions)
+#   - Change is small (< 100 lines)
+#
+# Use RPI instead when:
+#   - Root cause is unclear
+#   - Multiple approaches possible
+#   - Significant design decisions needed
+
+formula = "quick-fix"
+description = """
+Streamlined workflow for bugs and small fixes.
+
+A faster alternative to RPI for well-understood issues:
+1. Quick investigation to confirm understanding
+2. Implement the fix
+3. Verify with tests
+4. Commit and close
+
+No human gates - designed for quick turnaround on obvious fixes.
+"""
+version = 1
+type = "workflow"
+
+# === Variables ===
+
+[vars.title]
+required = true
+description = "Brief description of the bug/fix"
+
+[vars.bead_id]
+description = "Existing bead ID (creates new if not provided)"
+
+[vars.test_cmd]
+default = "make test"
+description = "Command to verify the fix"
+
+# === Steps ===
+
+[[steps]]
+id = "investigate"
+title = "Investigate: {{title}}"
+description = """
+Quick investigation to confirm understanding of the bug.
+
+Goals:
+- Locate the problematic code
+- Confirm root cause matches expectations
+- Identify files that need changes
+
+This is NOT deep research - spend 5-10 minutes max.
+If the bug is more complex than expected, pivot to RPI workflow.
+
+Output: Mental model of what to fix (no artifact needed).
+"""
+
+[[steps]]
+id = "fix"
+title = "Fix: {{title}}"
+needs = ["investigate"]
+description = """
+Implement the fix.
+
+Guidelines:
+- Make minimal changes to fix the issue
+- Follow existing code patterns
+- Add/update tests if appropriate
+- Keep changes focused (no drive-by refactors)
+
+If the fix grows beyond expectations, pause and consider:
+- Should this be an RPI workflow instead?
+- Should we split into multiple changes?
+"""
+
+[[steps]]
+id = "verify"
+title = "Verify fix"
+needs = ["fix"]
+description = """
+Verify the fix works correctly.
+
+Run: {{test_cmd}}
+
+Also check:
+- Bug is actually fixed (manual verification)
+- No obvious regressions introduced
+- Code compiles/builds cleanly
+
+If tests fail, iterate on the fix step.
+"""
+
+[[steps]]
+id = "commit"
+title = "Commit and close"
+needs = ["verify"]
+description = """
+Commit the fix and close the bead.
+
+Actions:
+1. Stage changes: git add -A
+2. Commit with descriptive message: git commit -m "fix: {{title}}"
+3. Push to remote: git push
+4. Close the bead: bd close {{bead_id}}
+
+Commit message should explain:
+- What was broken
+- How it was fixed
+- Any relevant context
+"""

home/roles/development/formulas/rpi.formula.toml

@@ -0,0 +1,124 @@
+# RPI Formula - Research -> Plan -> Implement
+#
+# Universal workflow for feature development with human gates.
+
+formula = "rpi"
+description = """
+Research -> Plan -> Implement workflow.
+
+Usage:
+  bd pour rpi --var title="Add user preferences"
+  bd pour rpi --var title="Auth" --var bead_id="project-abc" --var test_cmd="nix flake check"
+"""
+version = 1
+type = "workflow"
+
+# ─── Variables ───
+
+[vars.title]
+required = true
+description = "What are we building?"
+
+[vars.bead_id]
+description = "Existing bead ID (creates new if not provided)"
+
+[vars.test_cmd]
+default = "make test"
+description = "Command to run tests"
+
+[vars.lint_cmd]
+default = "make lint"
+description = "Command to run linting"
+
+# ─── Research Phase ───
+
+[[steps]]
+id = "research"
+title = "Research: {{title}}"
+skill = "research-agents"
+description = """
+Conduct comprehensive codebase research.
+
+Goals:
+- Understand current implementation
+- Identify patterns to follow
+- Find relevant files and dependencies
+- Document key discoveries
+
+Output: thoughts/beads-{{bead_id}}/research.md
+"""
+
+# ─── Planning Phase ───
+
+[[steps]]
+id = "plan"
+title = "Plan: {{title}}"
+needs = ["research"]
+type = "human"
+skill = "planning"
+description = """
+Create detailed implementation plan based on research.
+
+Goals:
+- Present understanding and clarify requirements
+- Propose design options with tradeoffs
+- Define phases with success criteria
+- Identify what we're NOT doing
+
+Output: thoughts/beads-{{bead_id}}/plan.md
+"""
+
+[steps.gate]
+type = "human"
+reason = "Plan approval before implementation"
+
+# ─── Implementation Phase ───
+
+[[steps]]
+id = "implement"
+title = "Implement: {{title}}"
+needs = ["plan"]
+description = """
+Execute the approved plan phase by phase.
+
+For each phase:
+1. Make the changes
+2. Run verification: {{test_cmd}}, {{lint_cmd}}
+3. Update plan checkboxes for resumability
+
+Stop and ask if encountering unexpected issues.
+"""
+
+# ─── Verification Phase ───
+
+[[steps]]
+id = "verify"
+title = "Manual verification"
+needs = ["implement"]
+type = "human"
+description = """
+Human confirms implementation works correctly.
+
+Check: feature works, edge cases handled, no regressions.
+Tests: {{test_cmd}} | Lint: {{lint_cmd}}
+"""
+
+[steps.gate]
+type = "human"
+reason = "Confirm implementation is correct"
+
+# ─── Completion ───
+
+[[steps]]
+id = "complete"
+title = "Close bead"
+needs = ["verify"]
+skill = "artifact-format"
+description = """
+Mark work as complete.
+
+Actions:
+- bd update {{bead_id}} --notes="Implementation complete"
+- bd close {{bead_id}} --reason="Completed: {{title}}"
+- bd sync && git push
+"""

home/roles/development/skills/bd_workflow.md

@@ -0,0 +1,230 @@
+---
+description: How to use the bd (beads) CLI for issue tracking, dependencies, and workflow orchestration
+---
+
+# BD Workflow
+
+The `bd` CLI is a git-backed issue tracker with first-class dependency support. Use it for multi-session work, blocking relationships, and persistent memory across conversation compaction.
+
+## When to Use BD vs TodoWrite
+
+| Use BD | Use TodoWrite |
+|--------|---------------|
+| Work spans multiple sessions | Single-session tasks |
+| Dependencies between tasks | Independent subtasks |
+| Need audit trail in git | Ephemeral tracking |
+| Cross-repo coordination | Local project only |
+| Resuming after compaction | Simple task lists |
+
+## Core Commands
+
+### Creating Issues
+
+```bash
+bd create "Issue title"                          # Basic task
+bd create "Bug title" --type=bug --priority=1    # P1 bug
+bd create "Feature" --type=feature -d "Details"  # With description
+bd q "Quick capture"                             # Output only ID
+```
+
+### Managing Issues
+
+```bash
+bd show <id>                    # View issue details
+bd show <id> --children         # View children of epic
+bd list                         # List open issues (default 50)
+bd list --all                   # Include closed
+bd list -s in_progress          # Filter by status
+bd list -t bug -p 0             # P0 bugs
+bd list --pretty                # Tree format
+```
+
+### Updating Issues
+
+```bash
+bd update <id> --status=in_progress    # Start work
+bd update <id> --status=blocked        # Mark blocked
+bd update <id> --claim                 # Claim atomically
+bd update <id> --add-label=urgent      # Add label
+bd update <id> -d "New description"    # Update description
+```
+
+### Closing Issues
+
+```bash
+bd close <id>                          # Close issue
+bd close <id> --continue               # Auto-advance to next step
+bd close <id> --suggest-next           # Show newly unblocked
+```
+
+## Finding Work
+
+```bash
+bd ready                     # Ready issues (no blockers)
+bd ready --mol <mol-id>      # Ready steps in molecule
+bd ready -n 5                # Limit to 5
+bd ready --assignee me       # Assigned to me
+bd blocked                   # Show blocked issues
+bd blocked --parent <id>     # Blocked within epic
+```
+
+## Dependency Management
+
+### Creating Dependencies
+
+```bash
+bd dep <blocker> --blocks <blocked>    # A blocks B
+bd dep add <blocked> <blocker>         # Same as above
+bd dep relate <id1> <id2>              # Bidirectional link
+```
+
+### Viewing Dependencies
+
+```bash
+bd dep list <id>             # Show dependencies
+bd dep tree <id>             # Dependency tree
+bd dep cycles                # Detect cycles
+```
+
+### Removing Dependencies
+
+```bash
+bd dep remove <blocked> <blocker>      # Remove dependency
+bd dep unrelate <id1> <id2>            # Remove relation
+```
+
+## Sync Workflow
+
+BD syncs issues via git. The daemon handles this automatically, but manual sync is available:
+
+```bash
+bd sync                      # Full sync (pull, merge, push)
+bd sync --flush-only         # Export to JSONL only
+bd sync --import-only        # Import from JSONL only
+bd sync --status             # Show sync branch diff
+bd sync --squash             # Accumulate without commit
+```
+
+## Formula and Molecule Workflow
+
+Formulas are reusable workflow templates. Molecules are instantiated workflows.
+
+### Formulas
+
+```bash
+bd formula list                        # List available formulas
+bd formula list --type=workflow        # Filter by type
+bd formula show <name>                 # Show formula details
+bd cook <formula>                      # Compile to proto (stdout)
+bd cook <formula> --var name=auth      # With variable substitution
+bd cook <formula> --dry-run            # Preview steps
+bd cook <formula> --persist            # Save to database
+```
+
+### Molecules: Pour vs Wisp
+
+| pour (persistent) | wisp (ephemeral) |
+|-------------------|------------------|
+| Feature implementations | Release workflows |
+| Multi-session work | Patrol cycles |
+| Audit trail needed | Health checks |
+| Git-synced | Local only |
+
+```bash
+# Persistent molecule (liquid phase)
+bd mol pour <proto> --var name=auth
+
+# Ephemeral molecule (vapor phase)
+bd mol wisp <proto> --var version=1.0
+bd mol wisp list                       # List wisps
+bd mol wisp gc                         # Garbage collect
+```
+
+### Tracking Molecule Progress
+
+```bash
+bd mol show <mol-id>                   # Show structure
+bd mol show <mol-id> --parallel        # Parallelizable steps
+bd mol current                         # Where am I?
+bd mol current <mol-id>                # Status for molecule
+bd mol progress <mol-id>               # Progress summary + ETA
+```
+
+### Molecule Lifecycle
+
+```bash
+bd mol squash <mol-id>                 # Condense to digest
+bd mol burn <mol-id>                   # Delete wisp
+bd mol distill <epic-id>               # Extract formula from epic
+```
+
+## Gates and Human Checkpoints
+
+Gates are async wait conditions that block workflow steps:
+
+| Gate Type | Wait Condition |
+|-----------|---------------|
+| human | Manual `bd close` |
+| timer | Timeout expires |
+| gh:run | GitHub workflow completes |
+| gh:pr | PR merges |
+| bead | Cross-rig bead closes |
+
+```bash
+bd gate list                           # Show open gates
+bd gate list --all                     # Include closed
+bd gate check                          # Evaluate all gates
+bd gate check --type=bead              # Check bead gates only
+bd gate resolve <id>                   # Close manually
+```
+
+## Common Patterns
+
+### Starting Work on a Bead
+
+```bash
+bd update <id> --status=in_progress
+# ... do work ...
+bd close <id>
+```
+
+### Creating Related Issues
+
+```bash
+bd create "Main task" --deps "blocks:<other-id>"
+bd dep add <new-id> <blocker-id>
+```
+
+### Working Through a Molecule
+
+```bash
+bd mol pour my-workflow --var name=feature
+bd ready --mol <mol-id>                # Find next step
+bd update <step-id> --claim            # Claim step
+# ... do work ...
+bd close <step-id> --continue          # Close and advance
+```
+
+### Quick Status Check
+
+```bash
+bd ready -n 3                          # Top 3 ready items
+bd list -s in_progress                 # What's in flight?
+bd blocked                             # What's stuck?
+```
+
+## Useful Flags
+
+| Flag | Effect |
+|------|--------|
+| `--json` | JSON output for scripting |
+| `--quiet` | Suppress non-essential output |
+| `--dry-run` | Preview without executing |
+| `--pretty` | Tree format display |
+
+## Integration Notes
+
+- BD auto-syncs via daemon (check with `bd info`)
+- Issues stored in `.beads/` directory
+- JSONL files sync through git
+- Use `bd doctor` if something seems wrong

home/roles/development/skills/micro/artifact-format.md

@@ -0,0 +1,123 @@
+---
+description: How to structure research and plan artifacts in thoughts/
+---
+
+# Artifact Format
+
+Standardized format for thoughts/ artifacts. All beads-related artifacts should follow these conventions for consistency and machine parseability.
+
+## Frontmatter (Required)
+
+Every artifact MUST include YAML frontmatter:
+
+```yaml
+---
+date: 2026-01-15T10:00:00-08:00  # ISO 8601 with timezone
+bead_id: project-abc              # Bead identifier
+bead_title: "Title of the bead"   # Human-readable title
+author: claude                    # Who created this
+git_commit: abc123def             # Commit hash at creation
+branch: main                      # Branch name
+repository: repo-name             # Repository name
+status: draft|complete            # Artifact status
+---
+```
+
+### Gathering Metadata
+
+```bash
+git rev-parse HEAD                           # Current commit
+git branch --show-current                    # Current branch
+basename $(git rev-parse --show-toplevel)    # Repo name
+date -Iseconds                               # ISO timestamp
+```
+
+## Research Artifact Structure
+
+Location: `thoughts/beads-{bead-id}/research.md`
+
+```markdown
+# Research: {bead title}
+
+**Bead**: {bead-id}
+**Date**: {timestamp}
+**Git Commit**: {commit hash}
+
+## Research Question
+{Original question from bead description}
+
+## Summary
+{2-3 sentence overview answering the research question}
+
+## Key Discoveries
+- {Finding with file:line reference}
+- {Pattern or convention found}
+- {Architectural decision documented}
+
+## Architecture
+{Current patterns and conventions in the codebase}
+
+## Code References
+- `path/to/file.py:123` - Description of relevance
+- `another/file.ts:45-67` - Description of relevance
+
+## Open Questions
+{Areas needing further investigation or human clarification}
+```
+
+## Plan Artifact Structure
+
+Location: `thoughts/beads-{bead-id}/plan.md`
+
+```markdown
+# {Title} Implementation Plan
+
+## Overview
+{What we're implementing and why - 1-2 sentences}
+
+## Current State
+{What exists now, key constraints discovered}
+
+### Key Discoveries
+- {Finding with file:line reference}
+- {Pattern to follow}
+
+## Desired End State
+{Specification of what success looks like}
+
+## What We're NOT Doing
+{Explicitly list out-of-scope items}
+
+## Phase 1: {Descriptive Name}
+
+### Overview
+{What this phase accomplishes}
+
+### Changes
+- [ ] {Specific change with file path}
+- [ ] {Another change}
+
+### Success Criteria
+
+#### Automated
+- [ ] Tests pass: `{test command}`
+- [ ] Lint passes: `{lint command}`
+
+#### Manual
+- [ ] {Human verification step}
+
+## Phase 2: {Descriptive Name}
+{Repeat structure...}
+
+## References
+- Bead: {bead-id}
+- Research: `thoughts/beads-{bead-id}/research.md`
+```
+
+## Key Principles
+
+1. **Always include file:line references** - Makes artifacts actionable
+2. **Separate automated vs manual verification** - Enables agent autonomy
+3. **Use checkboxes for phases** - Enables resumability after interruption
+4. **Keep frontmatter machine-parseable** - Enables tooling integration
+5. **Link related artifacts** - Research links to plan, plan links to bead

home/roles/development/skills/micro/planning.md

@@ -0,0 +1,121 @@
+---
+description: How to create effective implementation plans with phased delivery and clear success criteria
+---
+
+# Planning
+
+Create implementation plans that enable incremental, verifiable progress.
+
+## Core Principles
+
+1. **Incremental delivery**: Each phase should produce working, testable changes
+2. **Clear checkpoints**: Success criteria that can be verified without ambiguity
+3. **Buy-in before detail**: Confirm understanding and approach before writing specifics
+4. **Explicit scope**: State what we're NOT doing to prevent scope creep
+
+## Plan Document Structure
+
+```markdown
+# {Feature} Implementation Plan
+
+## Overview
+{1-2 sentences: what we're building and why}
+
+## Current State Analysis
+{What exists now, key constraints, file:line references}
+
+## Desired End State
+{Specification of outcome and how to verify it}
+
+## What We're NOT Doing
+{Explicit out-of-scope items}
+
+## Phase 1: {Descriptive Name}
+### Overview
+{What this phase accomplishes - should be independently valuable}
+
+### Changes Required
+{Specific files and modifications with code snippets}
+
+### Success Criteria
+#### Automated Verification
+- [ ] Tests pass: `{test command}`
+- [ ] Lint passes: `{lint command}`
+
+#### Manual Verification
+- [ ] {Human-observable outcome}
+
+## Testing Strategy
+{Unit tests, integration tests, manual testing steps}
+
+## References
+{Links to research, related files, similar implementations}
+```
+
+## Phase Design
+
+Good phases are:
+- **Self-contained**: Completable in one session
+- **Testable**: Has clear pass/fail criteria
+- **Reversible**: Can be rolled back if needed
+- **Incremental**: Builds on previous phases without requiring all phases
+
+Bad phases are:
+- "Refactor everything" (too broad)
+- "Add helper function" (too granular)
+- Phases that only work if ALL phases complete
+
+## Success Criteria Guidelines
+
+**Automated Verification** (agent-runnable):
+- Test commands: `make test`, `npm test`, `nix flake check`
+- Lint/format: `make lint`, `cargo fmt --check`
+- Type checking: `make typecheck`, `tsc --noEmit`
+- Build verification: `make build`, `nix build`
+
+**Manual Verification** (requires human):
+- UI/UX functionality and appearance
+- Performance under realistic conditions
+- Edge cases hard to automate
+- Integration with external systems
+
+**From Contribution Guidelines** (if CONTRIBUTING.md exists):
+- Include any testing requirements specified
+- Reference the guideline: "Per CONTRIBUTING.md: {requirement}"
+
+## Presenting Understanding
+
+Before writing the plan, confirm alignment:
+
+```
+Based on the requirements and my research, I understand we need to [summary].
+
+I've found that:
+- [Current implementation detail with file:line]
+- [Relevant pattern or constraint]
+- [Potential complexity identified]
+
+Questions my research couldn't answer:
+- [Specific technical question requiring judgment]
+```
+
+Only ask questions you genuinely cannot answer through code investigation.
+
+## Design Options Pattern
+
+When multiple approaches exist:
+
+```
+**Design Options:**
+1. [Option A] - [1-sentence description]
+   - Pro: [benefit]
+   - Con: [drawback]
+
+2. [Option B] - [1-sentence description]
+   - Pro: [benefit]
+   - Con: [drawback]
+
+Which approach aligns best with [relevant consideration]?
+```
+
+Get buy-in on approach before detailing phases.

home/roles/development/skills/micro/pr-description.md

@@ -0,0 +1,68 @@
+---
+description: How to write comprehensive PR descriptions that help reviewers understand changes
+---
+
+# PR Description
+
+Write PR descriptions that help reviewers understand what changed and why.
+
+## Structure
+
+Use this standard structure for PR descriptions:
+
+```markdown
+## Summary
+<1-3 bullet points of what changed and why>
+
+## Context
+<Why this change was needed - the problem being solved>
+<Link to related issues/tickets>
+
+## Changes
+<Detailed breakdown by area/component>
+- Area 1: What changed and why
+- Area 2: What changed and why
+
+## Testing
+<How this was verified>
+- Automated: Tests added/updated, CI status
+- Manual: Steps to verify functionality
+
+## Screenshots (if UI changes)
+<Before/after screenshots if applicable>
+```
+
+## Guidelines
+
+### Lead with WHY, not WHAT
+- The diff shows WHAT changed - your description explains WHY
+- Start with the problem being solved
+- Explain the approach chosen and alternatives considered
+
+### Link to context
+- Reference related issues: `Fixes #123` or `Relates to #456`
+- Link to design docs or discussions
+- Mention dependent PRs if any
+
+### Call out review areas
+- Highlight areas needing careful review
+- Note any tricky or non-obvious code
+- Point out architectural decisions
+
+### Note breaking changes prominently
+- Use a dedicated "Breaking Changes" section if applicable
+- Explain migration path for consumers
+- List any deprecations
+
+### Be scannable
+- Use bullet points over paragraphs
+- Keep sections focused and concise
+- Put the most important info first
+
+## Anti-patterns to Avoid
+
+- Empty descriptions or just "fixes bug"
+- Repeating the commit messages verbatim
+- Including irrelevant implementation details
+- Missing context on why the change was made
+- Forgetting to mention breaking changes

home/roles/development/skills/micro/research-agents.md

@@ -0,0 +1,49 @@
+---
+description: How to spawn and coordinate research sub-agents
+---
+
+# Research Agents
+
+Use parallel sub-agents for efficient codebase research.
+
+## Available Agents
+
+| Agent | Purpose |
+|-------|---------|
+| codebase-locator | Find WHERE files and components live |
+| codebase-analyzer | Understand HOW specific code works |
+| codebase-pattern-finder | Find examples of existing patterns |
+| thoughts-locator | Discover relevant documents in thoughts/ |
+
+## Spawning Protocol
+
+1. **Decompose** - Break the research question into 3-5 specific questions
+2. **Spawn parallel** - Use one Task call with multiple agents
+3. **Be specific** - Include directories and file patterns in prompts
+4. **Wait for all** - Do not synthesize until ALL agents complete
+5. **Synthesize** - Combine findings into coherent summary with file:line references
+
+## Example
+
+```
+Task(codebase-locator, "Find all files related to authentication in src/")
+Task(codebase-analyzer, "Explain how JWT tokens are validated in src/auth/")
+Task(codebase-pattern-finder, "Find examples of middleware patterns in src/")
+Task(thoughts-locator, "Find documents about auth design decisions in thoughts/")
+```
+
+## Key Principles
+
+- **Parallel when different** - Run agents in parallel when searching for different things
+- **WHAT not HOW** - Each agent knows its job; tell it what you need, not how to search
+- **Document, don't evaluate** - Agents should describe what exists, not critique it
+- **Specific directories** - Always scope searches to relevant directories
+- **File references** - Include specific file:line references in synthesis
+
+## Agent Prompts
+
+When spawning agents, include:
+- The specific question or goal
+- Relevant directories to search
+- Reminder to document (not evaluate) what they find
+- Request for file:line references in findings

home/roles/emacs/default.nix

@@ -8,8 +8,8 @@ let
   doomEmacs = pkgs.fetchFromGitHub {
     owner = "doomemacs";
     repo = "doomemacs";
-    rev = "38d94da67dc84897a4318714dcc48494c016d8c4";
-    sha256 = "sha256-Uc6qONH3jjUVDgW+pPBCGC7mh88ZY05u1y37fQrsxq0=";
+    rev = "d23bbe87721c61f4d5a605f2914b32780bb89949";
+    sha256 = "sha256-z+3c0AGkrMf1xZ+pq57aVp4Zo4KsqFMIjEVzSZinghc=";
   };
 
   # Shared emacs packages

home/roles/emacs/doom/config.el

@@ -53,6 +53,22 @@
 ;; change `org-directory'. It must be set before org loads!
 (setq org-directory "~/org/")
 (after! org
+  ;; Skip recurring events past their CALDAV_UNTIL date
+  ;; org-caldav ignores UNTIL from RRULE, so we store it as a property
+  ;; and filter here in the agenda
+  (defun my/skip-if-past-until ()
+    "Return non-nil if entry has CALDAV_UNTIL and current date is past it."
+    (let ((until-str (org-entry-get nil "CALDAV_UNTIL")))
+      (when (and until-str
+                 (string-match "^\\([0-9]\\{4\\}\\)\\([0-9]\\{2\\}\\)\\([0-9]\\{2\\}\\)" until-str))
+        (let* ((until-year (string-to-number (match-string 1 until-str)))
+               (until-month (string-to-number (match-string 2 until-str)))
+               (until-day (string-to-number (match-string 3 until-str)))
+               (until-time (encode-time 0 0 0 until-day until-month until-year))
+               (today (current-time)))
+          (when (time-less-p until-time today)
+            (org-end-of-subtree t))))))
+
   (setq org-agenda-span 'week
         org-agenda-start-with-log-mode t
         my-agenda-dirs '("projects" "roam")
@@ -61,6 +77,7 @@
                                                                   "\.org$"))
                                                      my-agenda-dirs))
         org-log-done 'time
+        org-agenda-skip-function-global #'my/skip-if-past-until
         org-agenda-custom-commands '(("n" "Agenda"
                                       ((agenda "")
                                        (tags-todo "-someday-recurring")))
@@ -83,25 +100,135 @@
        "d" #'org-agenda-day-view
        "w" #'org-agenda-week-view))
 
-;; (use-package! org-caldav
-;;   :defer t
-;;   :config
-;;   (setq org-caldav-url "https://nextcloud.johnogle.info/remote.php/dav/calendars/johno"
-;;         org-caldav-calendar-id "personal"
-;;         org-icalendar-timezone "America/Los_Angeles"
-;;         org-caldav-inbox "~/org/calendar.org"
-;;         org-caldav-files nil
-;;         org-caldav-sync-direction 'cal->org))
+;; org-caldav: Sync Org entries with Nextcloud CalDAV
+;; Setup requirements:
+;; 1. Create Nextcloud app password: Settings -> Security -> Devices & sessions
+;; 2. Store in rbw: rbw add nextcloud-caldav (put app password as the secret)
+;; 3. Run: doom sync
+;; 4. Test: M-x my/org-caldav-sync-with-rbw (or SPC o a s)
+;;
+;; Note: Conflict resolution is "Org always wins" - treat Org as source of truth
+;; for entries that originated in Org.
 
-(defun my/get-rbw-password (alias)
-  "Return the password for ALIAS via rbw, unlocking the vault only if needed."
-  (let* ((cmd     (format "rbw get %s 2>&1" alias))
-         (output  (shell-command-to-string cmd)))
-    (string-trim output)))
+;; Define sync wrapper before use-package (so keybinding works)
+(defun my/org-caldav-sync-with-rbw ()
+  "Run org-caldav-sync with credentials from rbw embedded in URL."
+  (interactive)
+  (require 'org)
+  (require 'org-caldav)
+  (let* ((password (my/get-rbw-password "nextcloud-caldav"))
+         ;; Embed credentials in URL (url-encode password in case of special chars)
+         (encoded-pass (url-hexify-string password)))
+    (setq org-caldav-url
+          (format "https://johno:%s@nextcloud.johnogle.info/remote.php/dav/calendars/johno"
+                  encoded-pass))
+    (org-caldav-sync)))
+
+(use-package! org-caldav
+  :after org
+  :commands (org-caldav-sync my/org-caldav-sync-with-rbw)
+  :init
+  (map! :leader
+        (:prefix ("o" . "open")
+         (:prefix ("a" . "agenda/calendar")
+          :desc "Sync CalDAV" "s" #'my/org-caldav-sync-with-rbw)))
+  :config
+  ;; Nextcloud CalDAV base URL (credentials added dynamically by sync wrapper)
+  (setq org-caldav-url "https://nextcloud.johnogle.info/remote.php/dav/calendars/johno")
+
+  ;; Timezone for iCalendar export
+  (setq org-icalendar-timezone "America/Los_Angeles")
+
+  ;; Sync state storage (in org directory for multi-machine sync)
+  (setq org-caldav-save-directory (expand-file-name ".org-caldav/" org-directory))
+
+  ;; Backup file for entries before modification
+  (setq org-caldav-backup-file (expand-file-name ".org-caldav/backup.org" org-directory))
+
+  ;; Limit past events to 30 days (avoids uploading years of scheduled tasks)
+  (setq org-caldav-days-in-past 30)
+
+  ;; Sync behavior: bidirectional by default
+  (setq org-caldav-sync-direction 'twoway)
+
+  ;; What changes from calendar sync back to Org (conservative: title and timestamp only)
+  (setq org-caldav-sync-changes-to-org 'title-and-timestamp)
+
+  ;; Deletion handling: never auto-delete to prevent accidental mass deletion
+  (setq org-caldav-delete-calendar-entries 'never)
+  (setq org-caldav-delete-org-entries 'never)
+
+  ;; Enable TODO/VTODO sync
+  (setq org-icalendar-include-todo 'all)
+  (setq org-caldav-sync-todo t)
+
+  ;; Map VTODO percent-complete to org-todo-keywords
+  ;; Format: (PERCENT "KEYWORD") - percent thresholds map to states
+  (setq org-caldav-todo-percent-states
+        '((0 "TODO")
+          (25 "WAIT")
+          (50 "IN-PROGRESS")
+          (100 "DONE")
+          (100 "KILL")))
+
+  ;; Allow export with broken links (mu4e links can't be resolved during export)
+  (setq org-export-with-broken-links 'mark)
+
+  ;; Calendar-specific configuration
+  (setq org-caldav-calendars
+        '(;; Personal calendar: two-way sync with family-shared Nextcloud calendar
+          (:calendar-id "personal"
+           :inbox "~/org/personal-calendar.org"
+           :files ("~/org/personal-calendar.org"))
+
+          ;; Tasks calendar: one-way sync (org → calendar only)
+          ;; SCHEDULED/DEADLINE items from todo.org push to private Tasks calendar.
+          ;; No inbox = no download from calendar (effectively one-way).
+          ;; Note: Create 'tasks' calendar in Nextcloud first, keep it private.
+          (:calendar-id "tasks"
+           :files ("~/org/todo.org"))))
+
+  ;; Handle UNTIL in recurring events
+  ;; org-caldav ignores UNTIL from RRULE - events repeat forever.
+  ;; This advice extracts UNTIL and stores it as a property for agenda filtering.
+  (defun my/org-caldav-add-until-property (orig-fun eventdata-alist)
+    "Advice to store CALDAV_UNTIL property for recurring events."
+    (let ((result (funcall orig-fun eventdata-alist)))
+      (let* ((rrule-props (alist-get 'rrule-props eventdata-alist))
+             (until-str (cadr (assoc 'UNTIL rrule-props)))
+             (summary (alist-get 'summary eventdata-alist)))
+        ;; Debug: log what we're seeing
+        (message "CALDAV-DEBUG: %s | rrule-props: %S | until: %s"
+                 (or summary "?") rrule-props until-str)
+        (when until-str
+          (save-excursion
+            (org-back-to-heading t)
+            (org-entry-put nil "CALDAV_UNTIL" until-str))))
+      result))
+
+  (advice-add 'org-caldav-insert-org-event-or-todo
+              :around #'my/org-caldav-add-until-property)
+  )
+
+(defun my/get-rbw-password (alias &optional no-error)
+  "Return the password for ALIAS via rbw, unlocking the vault only if needed.
+If NO-ERROR is non-nil, return nil instead of signaling an error when
+rbw is unavailable or the entry is not found."
+  (if (not (executable-find "rbw"))
+      (if no-error
+          nil
+        (user-error "rbw: not installed or not in PATH"))
+    (let* ((cmd (format "rbw get %s 2>/dev/null" (shell-quote-argument alias)))
+           (output (string-trim (shell-command-to-string cmd))))
+      (if (string-empty-p output)
+          (if no-error
+              nil
+            (user-error "rbw: no entry found for '%s' - run: rbw add %s" alias alias))
+        output))))
 
 (after! gptel
   :config
-  (setq! gptel-api-key (my/get-rbw-password "openai-api-key-chatgpt-el")
+  (setq! gptel-api-key (my/get-rbw-password "openai-api-key-chatgpt-el" t)
          gptel-default-mode 'org-mode
          gptel-use-tools t
          gptel-confirm-tool-calls 'always
@@ -147,6 +274,18 @@
                  (error (format "Error listing directory %s: %s" dirpath (error-message-string err)))))
    :args (list '(:name "dirpath" :type "string" :description "Directory path to list"))))
 
+(use-package! pi-coding-agent
+  :commands (pi-coding-agent pi-coding-agent-toggle)
+  :init
+  (defalias 'pi 'pi-coding-agent)
+  (map! :leader
+        (:prefix ("o" . "open")
+         :desc "Pi Coding Agent" "p" #'pi-coding-agent))
+  :config
+  ;; Tree-sitter grammars are managed by Nix (treesit-grammars.with-all-grammars),
+  ;; so suppress the auto-install prompt
+  (setq pi-coding-agent-essential-grammar-action 'warn))
+
 (use-package! claude-code-ide
   :commands (claude-code-ide-menu claude-code-ide-open-here)
   :init

home/roles/emacs/doom/packages.el

@@ -49,7 +49,10 @@
 ;; ...Or *all* packages (NOT RECOMMENDED; will likely break things)
 ;; (unpin! t)
 
-;; (package! org-caldav)
+(package! org-caldav)
+
+;; Pin org-msg - upstream doom pin references a force-pushed commit
+(package! org-msg :pin "aa608b399586fb771ad37045a837f8286a0b6124")
 
 ;; Note: Packages with custom recipes must be pinned for nix-doom-emacs-unstraightened
 ;; to build deterministically. Update pins when upgrading packages.
@@ -69,3 +72,8 @@
   :recipe (:type git :repo "https://codeberg.org/ctietze/beads.el.git"
            :files ("lisp/*.el"))
   :pin "f40a6461d3c0fa0969311bbb6a1e30d1bba86c88")
+
+(package! pi-coding-agent
+  :recipe (:host github :repo "dnouri/pi-coding-agent"
+           :files ("*.el"))
+  :pin "8d8158b0a6150ce13d91e561a1223790670acaa7")

home/wallpapers/default.nix

@@ -2,7 +2,7 @@
 # The currentIndex is incremented by `nix run .#rotate-wallpaper`
 # and gets committed as part of `nix run .#upgrade`
 {
-  currentIndex = 1;  # Index into wallpapers list
+  currentIndex = 2;  # Index into wallpapers list
 
   wallpapers = [
     {

machines/john-endesktop/configuration.nix

@@ -54,6 +54,7 @@ with lib;
       4000  # nfs callback
       4001  # nlockmgr
       4002  # mountd
+      5000  # harmonia binary cache
       20048 # mountd
     ];
     allowedUDPPorts = [
@@ -90,6 +91,8 @@ with lib;
     htop
     tmux
     zfs
+    rclone
+    custom.rclone-torbox-setup  # Helper script to set up TorBox credentials via rbw
   ];
 
   # Enable SSH
@@ -126,6 +129,36 @@ with lib;
 
   roles.virtualisation.enable = true;
 
+  # TorBox WebDAV mount for rdt-client and Jellyfin
+  roles.rclone-mount = {
+    enable = true;
+    mounts.torbox = {
+      webdavUrl = "https://webdav.torbox.app";
+      username = "john@ogle.fyi";  # TorBox account email
+      mountPoint = "/media/media/torbox-rclone";
+      environmentFile = "/etc/rclone/torbox.env";
+      vfsCacheMode = "full";  # Best for streaming media
+      dirCacheTime = "5m";
+      extraArgs = [
+        "--buffer-size=64M"
+        "--vfs-read-chunk-size=32M"
+        "--vfs-read-chunk-size-limit=off"
+      ];
+      # Wait for ZFS media pool to be mounted before starting
+      requiresMountsFor = [ "/media" ];
+    };
+  };
+
+  # Harmonia binary cache server
+  # Replaces the broken k8s deployment with native NixOS service
+  services.harmonia = {
+    enable = true;
+    signKeyPaths = [ "/etc/harmonia/signing-key.private" ];
+    settings = {
+      bind = "[::]:5000";
+    };
+  };
+
   # Time zone
   time.timeZone = "America/Los_Angeles"; # Adjust as needed
 

machines/nix-book/configuration.nix

@@ -23,12 +23,12 @@
     printing.enable = true;
     remote-build.builders = [
       {
-        hostName = "zix790prors";
+        hostName = "zix790prors.oglehome";
         maxJobs = 16;
         speedFactor = 3;
       }
       {
-        hostName = "john-endesktop";
+        hostName = "john-endesktop.oglehome";
         maxJobs = 1;
         speedFactor = 1;
       }
@@ -38,7 +38,24 @@
       enable = true;
       extraGroups = [ "video" ];
     };
-    virtualisation.enable = true;
+    virtualisation = {
+      enable = true;
+      waydroid = true;
+    };
+    wireguard = {
+      enable = true;
+      autostart = true;
+      interfaceName = "ogleNet";
+      address = [ "192.168.4.2/32" ];
+      privateKeyFile = "/etc/wireguard/oglehome-private-key";
+      dns = [ "192.168.4.1" ];
+      peers = [{
+        publicKey = "AWkmtaz0poyyKJGnRcabO5ecd6ESh1lKu+XRb3ObxBc=";
+        endpoint = "pi.johnogle.info:6666";
+        allowedIPs = [ "0.0.0.0/0" ];
+        persistentKeepalive = 25;
+      }];
+    };
   };
 
   # Bootloader.
@@ -58,13 +75,6 @@
   # Enable networking
   networking.networkmanager.enable = true;
 
-  # WireGuard setup
-  networking.wg-quick.interfaces = {
-    ogleNet = {
-      configFile = "/root/Oglehome-VPN-johno-nixbook.conf";
-    };
-  };
-
   hardware.graphics = {
     enable = true;
     extraPackages = with pkgs; [

machines/nix-deck/configuration.nix

@@ -19,11 +19,18 @@
         desktopSession = "plasma";
       };
     };
-    remote-build.builders = [{
-      hostName = "zix790prors";
-      maxJobs = 16;
-      speedFactor = 4;  # Prefer remote heavily on Steam Deck
-    }];
+    remote-build.builders = [
+      {
+        hostName = "zix790prors.oglehome";
+        maxJobs = 16;
+        speedFactor = 4;
+      }
+      {
+        hostName = "john-endesktop.oglehome";
+        maxJobs = 1;
+        speedFactor = 2;
+      }
+    ];
     users = {
       enable = true;
       extraGroups = [ "video" ];

packages/beads/default.nix

@@ -0,0 +1,26 @@
+# Beads package - issue tracker for AI-supervised coding workflows
+# Takes src as argument so it can be called from both overlay and flake packages
+{ lib
+, buildGoModule
+, git
+, pkg-config
+, icu
+, src
+, version ? "unknown"
+}:
+
+buildGoModule {
+  pname = "beads";
+  inherit version src;
+  subPackages = [ "cmd/bd" ];
+  doCheck = false;
+  vendorHash = "sha256-XAhe4yuLzP9vQ3IFhWAO5fN/3OOfokcRxfeGKaRYEws=";
+  nativeBuildInputs = [ git pkg-config ];
+  buildInputs = [ icu ];
+  meta = with lib; {
+    description = "beads (bd) - An issue tracker designed for AI-supervised coding workflows";
+    homepage = "https://github.com/steveyegge/beads";
+    license = licenses.mit;
+    mainProgram = "bd";
+  };
+}

packages/claude-code/default.nix

@@ -1,28 +1,29 @@
 { lib
 , stdenv
 , fetchurl
-, autoPatchelfHook
+, patchelf
+, glibc
 }:
 
 let
-  version = "2.0.76";
+  version = "2.1.75";
 
   srcs = {
     aarch64-darwin = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/darwin-arm64/claude";
-      sha256 = "b76f6d4d09233e67295897b0a1ed2e22d7afa406431529d8b1b532b63b8cbcbd";
+      sha256 = "8c541a5e924eda2070eaf1702a48047af671c4dff6a11a5e762076614a082675";
     };
     x86_64-darwin = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/darwin-x64/claude";
-      sha256 = "9d94582f0af5d2201f1c907bf24ff8d216104b897ee0b24795a6c081f40e08d7";
+      sha256 = "82c90b91a0a18f60191f817b9b42304d8b17dbed75795b715c41f4fdfe4c782d";
     };
     x86_64-linux = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/linux-x64/claude";
-      sha256 = "5dcdb480f91ba0df0bc8bd6aff148d3dfd3883f0899eeb5b9427a8b0abe7a687";
+      sha256 = "328b0a429c05a04f911157d886be5123cf1824a19ba8ca1f9d594c004eac32c9";
     };
     aarch64-linux = {
       url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/linux-arm64/claude";
-      sha256 = "f64a994c8e5bfb84d7242cebbec75d6919db2ee46d50b8fc7a88d5066db193f9";
+      sha256 = "ec8f4f7f7bb50611dae70c109a76ee1da6a3ab45511c65f117df215848ecc905";
     };
   };
 
@@ -38,8 +39,14 @@ in stdenv.mkDerivation {
 
   dontUnpack = true;
   dontBuild = true;
+  # Bun standalone binaries have JS code appended after the ELF sections
+  # stripping/patching would remove or corrupt this appended data
+  dontStrip = true;
+  dontPatchELF = true;
 
-  nativeBuildInputs = lib.optionals stdenv.isLinux [ autoPatchelfHook ];
+  # Don't use autoPatchelfHook - it rewrites the ELF and strips the appended
+  # bun bundle (the JS code is appended after the ELF sections)
+  nativeBuildInputs = lib.optionals stdenv.isLinux [ patchelf ];
 
   installPhase = ''
     runHook preInstall
@@ -49,6 +56,14 @@ in stdenv.mkDerivation {
     runHook postInstall
   '';
 
+  # Manually patch the interpreter for bun standalone binaries
+  # patchelf --set-interpreter modifies in-place without rewriting the entire ELF,
+  # preserving the appended JS bundle that bun needs at runtime
+  postFixup = lib.optionalString stdenv.isLinux ''
+    interpreter="${glibc}/lib/${if stdenv.hostPlatform.system == "aarch64-linux" then "ld-linux-aarch64.so.1" else "ld-linux-x86-64.so.2"}"
+    patchelf --set-interpreter "$interpreter" $out/bin/claude
+  '';
+
   meta = with lib; {
     description = "Terminal-based AI coding assistant from Anthropic";
     homepage = "https://www.anthropic.com/claude-code";

packages/default.nix

@@ -4,4 +4,6 @@
   app-launcher-server = pkgs.callPackage ./app-launcher-server {};
   claude-code = pkgs.callPackage ./claude-code {};
   mcrcon-rbw = pkgs.callPackage ./mcrcon-rbw {};
+  rclone-torbox-setup = pkgs.callPackage ./rclone-torbox-setup {};
+  pi-coding-agent = pkgs.callPackage ./pi-coding-agent {};
 }

packages/gastown/default.nix

@@ -0,0 +1,31 @@
+# Gastown package - multi-agent workspace manager
+# Takes src as argument so it can be called from both overlay and flake packages
+{ lib
+, buildGoModule
+, src
+, version ? "unknown"
+}:
+
+buildGoModule {
+  pname = "gastown";
+  inherit version src;
+  vendorHash = "sha256-8SdvSASP+bJjMooqEQvkCzG+J6CbsK+HCQulrPnJZ1Y=";
+  subPackages = [ "cmd/gt" ];
+  doCheck = false;
+
+  # Must match ldflags from gastown Makefile - BuiltProperly=1 is required
+  # or gt will error with "This binary was built with 'go build' directly"
+  ldflags = [
+    "-X github.com/steveyegge/gastown/internal/cmd.Version=${version}"
+    "-X github.com/steveyegge/gastown/internal/cmd.Commit=${version}"
+    "-X github.com/steveyegge/gastown/internal/cmd.BuildTime=nix-build"
+    "-X github.com/steveyegge/gastown/internal/cmd.BuiltProperly=1"
+  ];
+
+  meta = with lib; {
+    description = "Gas Town - multi-agent workspace manager by Steve Yegge";
+    homepage = "https://github.com/steveyegge/gastown";
+    license = licenses.mit;
+    mainProgram = "gt";
+  };
+}

packages/perles/default.nix

@@ -0,0 +1,25 @@
+# Perles - Terminal UI for beads issue tracking
+# Takes src as argument so it can be called from both overlay and flake packages
+{ lib
+, buildGoModule
+, src
+, version ? "unknown"
+}:
+
+buildGoModule {
+  pname = "perles";
+  inherit version src;
+  doCheck = false;
+  vendorHash = "sha256-A5LE9Cor/DRcJtVpiScSoqDYhJIKyaq0cbK+OGmr4XU=";
+
+  ldflags = [
+    "-X main.version=${version}"
+  ];
+
+  meta = with lib; {
+    description = "Perles - Terminal UI for beads issue tracking";
+    homepage = "https://github.com/zjrosen/perles";
+    license = licenses.mit;
+    mainProgram = "perles";
+  };
+}

packages/pi-coding-agent/default.nix

@@ -0,0 +1,79 @@
+{ lib
+, stdenv
+, fetchurl
+, patchelf
+, glibc
+, makeWrapper
+}:
+
+let
+  version = "0.55.4";
+
+  srcs = {
+    aarch64-darwin = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-darwin-arm64.tar.gz";
+      sha256 = "0vsav9frvnzskk6p6j60i7klrs3m8lphhyi4c39mv2mvhpm8fkl5";
+    };
+    x86_64-darwin = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-darwin-x64.tar.gz";
+      sha256 = "1377rvhsiiww1bbpgv2v46fjm7iz2smmh8g2yhm28kbsq3gwvvr0";
+    };
+    x86_64-linux = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-linux-x64.tar.gz";
+      sha256 = "1wnfwnkfq5ffz6wyqyhciv4lz06bpxims0hv0dlhz0f9vliyc1md";
+    };
+    aarch64-linux = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-linux-arm64.tar.gz";
+      sha256 = "00fp37hgjl40kc59jfpv189i7np53ymm037hvds6k9y2sz818wjy";
+    };
+  };
+
+  src = srcs.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+in stdenv.mkDerivation {
+  pname = "pi-coding-agent";
+  inherit version;
+
+  src = fetchurl {
+    inherit (src) url sha256;
+  };
+
+  sourceRoot = "pi";
+
+  # Bun standalone binaries have JS code appended after the ELF sections
+  dontStrip = true;
+  dontPatchELF = true;
+
+  nativeBuildInputs = [ makeWrapper ]
+    ++ lib.optionals stdenv.isLinux [ patchelf ];
+
+  installPhase = ''
+    runHook preInstall
+
+    # Install the full pi directory structure (binary + supporting files)
+    mkdir -p $out/lib/pi-coding-agent
+    cp -r . $out/lib/pi-coding-agent/
+
+    # Create bin wrapper that runs the binary from its lib directory
+    # (pi expects supporting files like themes and wasm relative to itself)
+    mkdir -p $out/bin
+    makeWrapper $out/lib/pi-coding-agent/pi $out/bin/pi
+
+    runHook postInstall
+  '';
+
+  # Manually patch the interpreter for bun standalone binaries on Linux
+  postFixup = lib.optionalString stdenv.isLinux ''
+    interpreter="${glibc}/lib/${if stdenv.hostPlatform.system == "aarch64-linux" then "ld-linux-aarch64.so.1" else "ld-linux-x86-64.so.2"}"
+    patchelf --set-interpreter "$interpreter" $out/lib/pi-coding-agent/pi
+  '';
+
+  meta = with lib; {
+    description = "Minimal terminal coding agent with extensible tools and session management";
+    homepage = "https://github.com/badlogic/pi-mono/tree/main/packages/coding-agent";
+    license = licenses.mit;
+    maintainers = [ ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" "x86_64-linux" "aarch64-linux" ];
+    mainProgram = "pi";
+  };
+}

packages/rclone-torbox-setup/default.nix

@@ -0,0 +1,98 @@
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "rclone-torbox-setup" ''
+  set -euo pipefail
+
+  # Default values
+  RBW_ENTRY="''${1:-torbox}"
+  ENV_FILE="''${2:-/etc/rclone/torbox.env}"
+
+  usage() {
+    echo "Usage: rclone-torbox-setup [rbw-entry] [env-file]"
+    echo ""
+    echo "Sets up rclone credentials for TorBox WebDAV mount."
+    echo "Retrieves password from rbw (Bitwarden), obscures it for rclone,"
+    echo "and writes it to the environment file for the systemd service."
+    echo ""
+    echo "Arguments:"
+    echo "  rbw-entry  Name of the Bitwarden entry containing the password (default: torbox)"
+    echo "  env-file   Path to write the environment file (default: /etc/rclone/torbox.env)"
+    echo ""
+    echo "The Bitwarden entry should contain your TorBox password as the password field."
+    echo ""
+    echo "Example:"
+    echo "  rclone-torbox-setup torbox-password /etc/rclone/torbox.env"
+    exit 1
+  }
+
+  if [[ "''${1:-}" == "-h" ]] || [[ "''${1:-}" == "--help" ]]; then
+    usage
+  fi
+
+  echo "rclone TorBox credential setup"
+  echo "=============================="
+  echo ""
+
+  # Check if rbw is available
+  if ! command -v rbw &> /dev/null; then
+    echo "Error: rbw is not available. Please ensure rbw is installed and configured."
+    exit 1
+  fi
+
+  # Check if rclone is available
+  if ! command -v rclone &> /dev/null; then
+    echo "Error: rclone is not available. Please ensure rclone is installed."
+    exit 1
+  fi
+
+  echo "Retrieving password from rbw entry: $RBW_ENTRY"
+
+  # Retrieve password from Bitwarden
+  if ! TORBOX_PASS=$(rbw get "$RBW_ENTRY" 2>/dev/null); then
+    echo ""
+    echo "Error: Failed to retrieve password from rbw entry '$RBW_ENTRY'"
+    echo ""
+    echo "Please ensure:"
+    echo "  1. The entry '$RBW_ENTRY' exists in Bitwarden"
+    echo "  2. rbw is unlocked: rbw unlock"
+    echo "  3. rbw is synced: rbw sync"
+    echo ""
+    echo "To create the entry in Bitwarden:"
+    echo "  - Name: $RBW_ENTRY"
+    echo "  - Password: Your TorBox password"
+    exit 1
+  fi
+
+  echo "Password retrieved successfully"
+
+  # Obscure the password for rclone
+  echo "Obscuring password for rclone..."
+  if ! OBSCURED_PASS=$(echo -n "$TORBOX_PASS" | rclone obscure -); then
+    echo "Error: Failed to obscure password with rclone"
+    exit 1
+  fi
+
+  # Create the directory if needed (requires sudo)
+  ENV_DIR=$(dirname "$ENV_FILE")
+  if [[ ! -d "$ENV_DIR" ]]; then
+    echo "Creating directory $ENV_DIR (requires sudo)..."
+    sudo mkdir -p "$ENV_DIR"
+  fi
+
+  # Write the environment file
+  echo "Writing environment file to $ENV_FILE (requires sudo)..."
+  echo "RCLONE_WEBDAV_PASS=$OBSCURED_PASS" | sudo tee "$ENV_FILE" > /dev/null
+  sudo chmod 600 "$ENV_FILE"
+
+  echo ""
+  echo "Setup complete!"
+  echo ""
+  echo "The environment file has been created at: $ENV_FILE"
+  echo "The rclone-mount-torbox systemd service will use this file."
+  echo ""
+  echo "To activate the mount after NixOS rebuild:"
+  echo "  sudo systemctl start rclone-mount-torbox"
+  echo ""
+  echo "To check status:"
+  echo "  sudo systemctl status rclone-mount-torbox"
+''

renovate.json

@@ -13,7 +13,7 @@
   "lockFileMaintenance": {
     "enabled": true,
     "schedule": [
-      "before 5am on monday"
+      "after 5pm and before 7pm on Saturday"
     ]
   },
   "dependencyDashboard": true,
@@ -37,6 +37,9 @@
         "/^nixpkgs$/",
         "/^home-manager$/",
         "/^nix-darwin$/"
+      ],
+      "schedule": [
+        "after 5pm and before 7pm on Saturday"
       ]
     },
     {
@@ -48,6 +51,21 @@
       "matchPackageNames": [
         "/nixpkgs-unstable/",
         "/home-manager-unstable/"
+      ],
+      "schedule": [
+        "after 5pm and before 7pm on Saturday"
+      ]
+    },
+    {
+      "description": "nixpkgs-qt updates on Saturday (staggered from main ecosystem)",
+      "matchManagers": [
+        "nix"
+      ],
+      "matchPackageNames": [
+        "/nixpkgs-qt/"
+      ],
+      "schedule": [
+        "after 7pm and before 9pm on Saturday"
       ]
     },
     {
@@ -59,6 +77,32 @@
       "matchPackageNames": [
         "/google-cookie-retrieval/"
       ]
+    },
+    {
+      "description": "Gastown is under active development - check for updates daily",
+      "matchManagers": [
+        "nix"
+      ],
+      "matchPackageNames": [
+        "/gastown/"
+      ],
+      "schedule": [
+        "before 6am"
+      ],
+      "automerge": false
+    },
+    {
+      "description": "Beads is under active development - check for updates daily",
+      "matchManagers": [
+        "nix"
+      ],
+      "matchPackageNames": [
+        "/beads/"
+      ],
+      "schedule": [
+        "before 6am"
+      ],
+      "automerge": false
     }
   ]
 }

roles/common.nix

@@ -23,7 +23,13 @@
         max-jobs = "auto";
         trusted-users = [ "johno" ];
         substituters = [
+          "http://john-endesktop.oglehome:5000"
         ];
+        trusted-public-keys = [
+          "harmonia.john-endesktop:1iGr4xZrsR7WtXOlPCgFF3LcODYBpu+B3TS54MyBn4M="
+        ];
+        fallback = true;
+        connect-timeout = 5;
       };
 
       gc = {

roles/default.nix

@@ -14,10 +14,12 @@ with lib;
     ./nfs-mounts
     ./nvidia
     ./printing
+    ./rclone-mount
     ./remote-build
     ./spotifyd
     ./users
     ./virtualisation
+    ./wireguard
   ];
 
   config = {

roles/desktop/wayland.nix

@@ -11,9 +11,8 @@ in
       enable = true;
       wrapperFeatures.gtk = true;
     };
-    programs.light.enable = true;
-
     environment.systemPackages = with pkgs; [
+      brightnessctl
       grim
       slurp
       wl-clipboard

roles/kodi/default.nix

@@ -47,23 +47,23 @@ in
       if cfg.jellyfinScaleFactor != null
       then pkgs.symlinkJoin {
         name = "jellyfin-media-player-scaled";
-        paths = [ pkgs.jellyfin-media-player ];
+        paths = [ pkgs.qt-pinned.jellyfin-media-player ];
         nativeBuildInputs = [ pkgs.makeWrapper ];
         postBuild = ''
           mkdir -p $out/bin
           rm -f $out/bin/jellyfin-desktop
-          makeWrapper ${pkgs.jellyfin-media-player}/bin/jellyfin-desktop $out/bin/jellyfin-desktop \
+          makeWrapper ${pkgs.qt-pinned.jellyfin-media-player}/bin/jellyfin-desktop $out/bin/jellyfin-desktop \
             --add-flags "--tv --scale-factor ${toString cfg.jellyfinScaleFactor}"
 
           # Update .desktop file to include scale factor and TV mode arguments
           mkdir -p $out/share/applications
           rm -f $out/share/applications/org.jellyfin.JellyfinDesktop.desktop
-          substitute ${pkgs.jellyfin-media-player}/share/applications/org.jellyfin.JellyfinDesktop.desktop \
+          substitute ${pkgs.qt-pinned.jellyfin-media-player}/share/applications/org.jellyfin.JellyfinDesktop.desktop \
             $out/share/applications/org.jellyfin.JellyfinDesktop.desktop \
             --replace-fail "Exec=jellyfin-desktop" "Exec=jellyfin-desktop --tv --scale-factor ${toString cfg.jellyfinScaleFactor}"
         '';
       }
-      else pkgs.jellyfin-media-player;
+      else pkgs.qt-pinned.jellyfin-media-player;
   in mkIf cfg.enable
     {
       users.extraUsers.kodi = {
@@ -77,14 +77,15 @@ in
       };
 
       environment.systemPackages = with pkgs; [
+        firefox
         jellyfinMediaPlayerPkg
         kodiPkg
+        qt-pinned.stremio
         wget
-        firefox
       ] ++ optional cfg.appLauncherServer.enable pkgs.custom.app-launcher-server;
 
       nixpkgs.config.permittedInsecurePackages = lib.warn
-        "Allowing insecure package qtwebengine-5.15.19 as a jellyfin-media-player dependency. Remove this once jellyfin is updated to use qt6"
+        "Allowing insecure package qtwebengine-5.15.19 as a jellyfin-media-player/stremio dependency. These are pinned to nixpkgs-qt to avoid rebuilds - update that input separately when you have time."
         [
           "qtwebengine-5.15.19"
         ];

roles/rclone-mount/default.nix

@@ -0,0 +1,149 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.rclone-mount;
+
+  # Generate systemd service for a single mount
+  mkMountService = name: mountCfg: {
+    description = "rclone mount for ${name}";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # Wait for parent mount points (e.g., ZFS pools) to be available
+    unitConfig = mkIf (mountCfg.requiresMountsFor != []) {
+      RequiresMountsFor = mountCfg.requiresMountsFor;
+    };
+
+    serviceConfig = {
+      Type = "notify";
+      ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${mountCfg.mountPoint}";
+      ExecStart = concatStringsSep " " ([
+        "${pkgs.rclone}/bin/rclone mount"
+        ":webdav:${mountCfg.remotePath}"
+        "${mountCfg.mountPoint}"
+        "--webdav-url=${mountCfg.webdavUrl}"
+        "--webdav-vendor=${mountCfg.webdavVendor}"
+        "--webdav-user=${mountCfg.username}"
+        "--allow-other"
+        "--vfs-cache-mode=${mountCfg.vfsCacheMode}"
+        "--dir-cache-time=${mountCfg.dirCacheTime}"
+        "--poll-interval=${mountCfg.pollInterval}"
+        "--log-level=${mountCfg.logLevel}"
+      ] ++ mountCfg.extraArgs);
+      ExecStop = "${pkgs.fuse}/bin/fusermount -uz ${mountCfg.mountPoint}";
+      Restart = "on-failure";
+      RestartSec = "10s";
+      EnvironmentFile = mountCfg.environmentFile;
+    };
+  };
+in
+{
+  options.roles.rclone-mount = {
+    enable = mkEnableOption "Enable rclone WebDAV mounts";
+
+    mounts = mkOption {
+      type = types.attrsOf (types.submodule {
+        options = {
+          webdavUrl = mkOption {
+            type = types.str;
+            description = "WebDAV server URL (e.g., https://webdav.torbox.app)";
+          };
+
+          webdavVendor = mkOption {
+            type = types.enum [ "other" "nextcloud" "owncloud" "sharepoint" "sharepoint-ntlm" "fastmail" ];
+            default = "other";
+            description = "WebDAV server vendor for optimizations";
+          };
+
+          username = mkOption {
+            type = types.str;
+            description = "WebDAV username (often email address)";
+          };
+
+          environmentFile = mkOption {
+            type = types.path;
+            description = ''
+              Path to environment file containing RCLONE_WEBDAV_PASS.
+              The password should be obscured using: rclone obscure <password>
+              File format: RCLONE_WEBDAV_PASS=<obscured_password>
+            '';
+          };
+
+          mountPoint = mkOption {
+            type = types.str;
+            description = "Local mount point path";
+          };
+
+          remotePath = mkOption {
+            type = types.str;
+            default = "/";
+            description = "Remote path on WebDAV server to mount";
+          };
+
+          vfsCacheMode = mkOption {
+            type = types.enum [ "off" "minimal" "writes" "full" ];
+            default = "full";
+            description = ''
+              VFS cache mode. For streaming media, 'full' is recommended.
+              - off: No caching (direct reads/writes)
+              - minimal: Cache open files only
+              - writes: Cache writes and open files
+              - full: Full caching of all files
+            '';
+          };
+
+          dirCacheTime = mkOption {
+            type = types.str;
+            default = "5m";
+            description = "Time to cache directory entries";
+          };
+
+          pollInterval = mkOption {
+            type = types.str;
+            default = "1m";
+            description = "Poll interval for remote changes";
+          };
+
+          logLevel = mkOption {
+            type = types.enum [ "DEBUG" "INFO" "NOTICE" "ERROR" ];
+            default = "INFO";
+            description = "rclone log level";
+          };
+
+          extraArgs = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            description = "Extra arguments to pass to rclone mount";
+          };
+
+          requiresMountsFor = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            description = ''
+              List of mount points that must be available before this service starts.
+              Use this when the mount point's parent is on a ZFS pool or other filesystem
+              that may not be mounted at boot time.
+              Example: [ "/media" ] to wait for the media ZFS pool to mount.
+            '';
+          };
+        };
+      });
+      default = {};
+      description = "Attribute set of rclone WebDAV mounts to configure";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Ensure FUSE is available
+    environment.systemPackages = [ pkgs.rclone pkgs.fuse ];
+    programs.fuse.userAllowOther = true;
+
+    # Create systemd services for each mount
+    systemd.services = mapAttrs' (name: mountCfg:
+      nameValuePair "rclone-mount-${name}" (mkMountService name mountCfg)
+    ) cfg.mounts;
+  };
+}

roles/remote-build/default.nix

@@ -35,12 +35,12 @@
 #    a) Configure builders in configuration.nix:
 #       roles.remote-build.builders = [
 #         {
-#           hostName = "zix790prors";
+#           hostName = "zix790prors.oglehome";
 #           maxJobs = 16;      # Number of parallel build jobs
 #           speedFactor = 3;   # Higher = prefer this builder
 #         }
 #         {
-#           hostName = "john-endesktop";
+#           hostName = "john-endesktop.oglehome";
 #           maxJobs = 1;       # Conservative for busy machines
 #           speedFactor = 1;
 #         }

roles/virtualisation/default.nix

@@ -13,6 +13,11 @@ in
       default = [ "johno" ];
       description = "List of users to add to the docker group";
     };
+    waydroid = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable waydroid support";
+    };
   };
 
   config = mkIf cfg.enable
@@ -21,5 +26,6 @@ in
       programs.virt-manager.enable = true;
       virtualisation.docker.enable = true;
       users.extraGroups.docker.members = cfg.dockerUsers;
+      virtualisation.waydroid.enable = cfg.waydroid;
     };
 }

roles/wireguard/default.nix

@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.wireguard;
+in
+{
+  options.roles.wireguard = {
+    enable = mkEnableOption "Enable WireGuard VPN";
+    interfaceName = mkOption {
+      type = types.str;
+      default = "wg0";
+      description = "Name of the WireGuard interface";
+    };
+    address = mkOption {
+      type = types.listOf types.str;
+      description = "Address(es) for the WireGuard interface";
+    };
+    privateKeyFile = mkOption {
+      type = types.path;
+      description = "Path to a root-owned file containing the WireGuard private key";
+    };
+    dns = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "DNS servers to use when the tunnel is active";
+    };
+    peers = mkOption {
+      type = types.listOf (types.submodule {
+        options = {
+          publicKey = mkOption {
+            type = types.str;
+            description = "Public key of the peer";
+          };
+          endpoint = mkOption {
+            type = types.str;
+            description = "Endpoint address of the peer (host:port)";
+          };
+          allowedIPs = mkOption {
+            type = types.listOf types.str;
+            description = "List of allowed IP ranges for this peer";
+          };
+          persistentKeepalive = mkOption {
+            type = types.int;
+            default = 25;
+            description = "Persistent keepalive interval in seconds";
+          };
+        };
+      });
+      description = "WireGuard peers";
+    };
+    autostart = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to start the VPN automatically on boot";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.wg-quick.interfaces.${cfg.interfaceName} = {
+      inherit (cfg) address dns autostart peers;
+      privateKeyFile = cfg.privateKeyFile;
+    };
+
+    systemd.services."wg-quick-${cfg.interfaceName}" = {
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+    };
+  };
+}