ci: add plasma-bigscreen to cached packages

Add plasma-bigscreen to CI cache and expose it in flake packages.
The package is built from upstream master (not yet in nixpkgs).

.beads/.gitignore

@@ -0,0 +1,44 @@
+# SQLite databases
+*.db
+*.db?*
+*.db-journal
+*.db-wal
+*.db-shm
+
+# Daemon runtime files
+daemon.lock
+daemon.log
+daemon.pid
+bd.sock
+sync-state.json
+last-touched
+
+# Local version tracking (prevents upgrade notification spam after git ops)
+.local_version
+
+# Legacy database files
+db.sqlite
+bd.db
+
+# Worktree redirect file (contains relative path to main repo's .beads/)
+# Must not be committed as paths would be wrong in other clones
+redirect
+
+# Merge artifacts (temporary files from 3-way merge)
+beads.base.jsonl
+beads.base.meta.json
+beads.left.jsonl
+beads.left.meta.json
+beads.right.jsonl
+beads.right.meta.json
+
+# Sync state (local-only, per-machine)
+# These files are machine-specific and should not be shared across clones
+.sync.lock
+sync_base.jsonl
+
+# NOTE: Do NOT add negation patterns (e.g., !issues.jsonl) here.
+# They would override fork protection in .git/info/exclude, allowing
+# contributors to accidentally commit upstream issue databases.
+# The JSONL files (issues.jsonl, interactions.jsonl) and config files
+# are tracked by git by default since no pattern above ignores them.

.beads/README.md

@@ -0,0 +1,81 @@
+# Beads - AI-Native Issue Tracking
+
+Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
+
+## What is Beads?
+
+Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
+
+**Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
+
+## Quick Start
+
+### Essential Commands
+
+```bash
+# Create new issues
+bd create "Add user authentication"
+
+# View all issues
+bd list
+
+# View issue details
+bd show <issue-id>
+
+# Update issue status
+bd update <issue-id> --status in_progress
+bd update <issue-id> --status done
+
+# Sync with git remote
+bd sync
+```
+
+### Working with Issues
+
+Issues in Beads are:
+- **Git-native**: Stored in `.beads/issues.jsonl` and synced like code
+- **AI-friendly**: CLI-first design works perfectly with AI coding agents
+- **Branch-aware**: Issues can follow your branch workflow
+- **Always in sync**: Auto-syncs with your commits
+
+## Why Beads?
+
+✨ **AI-Native Design**
+- Built specifically for AI-assisted development workflows
+- CLI-first interface works seamlessly with AI coding agents
+- No context switching to web UIs
+
+🚀 **Developer Focused**
+- Issues live in your repo, right next to your code
+- Works offline, syncs when you push
+- Fast, lightweight, and stays out of your way
+
+🔧 **Git Integration**
+- Automatic sync with git commits
+- Branch-aware issue tracking
+- Intelligent JSONL merge resolution
+
+## Get Started with Beads
+
+Try Beads in your own projects:
+
+```bash
+# Install Beads
+curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
+
+# Initialize in your repo
+bd init
+
+# Create your first issue
+bd create "Try out Beads"
+```
+
+## Learn More
+
+- **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
+- **Quick Start Guide**: Run `bd quickstart`
+- **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
+
+---
+
+*Beads: Issue tracking that moves at the speed of thought* ⚡

.beads/config.yaml

@@ -0,0 +1,64 @@
+# Beads Configuration File
+# This file configures default behavior for all bd commands in this repository
+# All settings can also be set via environment variables (BD_* prefix)
+# or overridden with command-line flags
+
+# Issue prefix for this repository (used by bd init)
+# If not set, bd init will auto-detect from directory name
+# Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
+issue-prefix: "x"
+
+# Use no-db mode: load from JSONL, no SQLite, write back after each command
+# When true, bd will use .beads/issues.jsonl as the source of truth
+# instead of SQLite database
+# no-db: false
+
+# Disable daemon for RPC communication (forces direct database access)
+# no-daemon: false
+
+# Disable auto-flush of database to JSONL after mutations
+# no-auto-flush: false
+
+# Disable auto-import from JSONL when it's newer than database
+# no-auto-import: false
+
+# Enable JSON output by default
+# json: false
+
+# Default actor for audit trails (overridden by BD_ACTOR or --actor)
+# actor: ""
+
+# Path to database (overridden by BEADS_DB or --db)
+# db: ""
+
+# Auto-start daemon if not running (can also use BEADS_AUTO_START_DAEMON)
+# auto-start-daemon: true
+
+# Debounce interval for auto-flush (can also use BEADS_FLUSH_DEBOUNCE)
+# flush-debounce: "5s"
+
+# Git branch for beads commits (bd sync will commit to this branch)
+# IMPORTANT: Set this for team projects so all clones use the same sync branch.
+# This setting persists across clones (unlike database config which is gitignored).
+# Can also use BEADS_SYNC_BRANCH env var for local override.
+# If not set, bd sync will require you to run 'bd config set sync.branch <branch>'.
+sync-branch: "beads-sync"
+
+# Multi-repo configuration (experimental - bd-307)
+# Allows hydrating from multiple repositories and routing writes to the correct JSONL
+# repos:
+#   primary: "."  # Primary repo (where this database lives)
+#   additional:   # Additional repos to hydrate from (read-only)
+#     - ~/beads-planning  # Personal planning repo
+#     - ~/work-planning   # Work planning repo
+
+# Integration settings (access with 'bd config get/set')
+# These are stored in the database, not in this file:
+# - jira.url
+# - jira.project
+# - linear.url
+# - linear.api-key
+# - github.org
+# - github.repo
+
+routing.mode: "explicit"

.gitea/workflows/ci.yml

@@ -0,0 +1,107 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@v1
+
+      - name: Check flake
+        run: nix flake check
+        env:
+          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+  build-and-cache:
+    runs-on: ubuntu-latest
+    needs: check
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@v1
+
+      - name: Setup SSH for cache
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CACHE_SSH_KEY }}" > ~/.ssh/cache_key
+          chmod 600 ~/.ssh/cache_key
+          ssh-keyscan -H ${{ secrets.CACHE_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true
+
+      - name: Setup signing key
+        run: |
+          echo "${{ secrets.NIX_SIGNING_KEY }}" > /tmp/signing-key
+          chmod 600 /tmp/signing-key
+
+      - name: Build, sign, and cache all packages
+        run: |
+          PACKAGES=(
+            custom-claude-code
+            custom-app-launcher-server
+            custom-mcrcon-rbw
+            custom-tea-rbw
+            custom-rclone-torbox-setup
+            custom-nextcloud-talk-desktop
+            qt-pinned-jellyfin-media-player
+            qt-pinned-stremio
+            nix-deck-kernel
+            plasma-bigscreen
+          )
+
+          FAILED=()
+          SKIPPED=()
+          for pkg in "${PACKAGES[@]}"; do
+            echo "::group::Building $pkg"
+
+            # Check if package is already cached by evaluating its store path and checking the remote
+            OUT_PATH=$(nix eval ".#$pkg.outPath" --raw 2>/dev/null)
+            if [ -n "$OUT_PATH" ] && ssh -i ~/.ssh/cache_key ${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }} \
+                "nix path-info '$OUT_PATH' >/dev/null 2>&1"; then
+              echo "⏭ $pkg already cached ($OUT_PATH), skipping"
+              SKIPPED+=("$pkg")
+              echo "::endgroup::"
+              continue
+            fi
+
+            # --cores 2 limits parallel jobs to reduce RAM pressure on john-endesktop
+            if BUILD_OUTPUT=$(nix build ".#$pkg" --no-link --print-out-paths --cores 2 2>&1); then
+              OUT_PATH=$(echo "$BUILD_OUTPUT" | grep '^/nix/store/' | tail -1)
+              echo "$BUILD_OUTPUT"
+              echo "Store path: $OUT_PATH"
+
+              # Sign the closure
+              nix store sign --key-file /tmp/signing-key -r "$OUT_PATH"
+
+              # Push to cache
+              nix copy --to "ssh-ng://${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }}?ssh-key=$HOME/.ssh/cache_key" "$OUT_PATH"
+
+              # Create GC root to prevent garbage collection
+              OUT_HASH=$(basename "$OUT_PATH" | cut -d'-' -f1)
+              ssh -i ~/.ssh/cache_key ${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }} \
+                "mkdir -p /nix/var/nix/gcroots/ci-cache && ln -sfn $OUT_PATH /nix/var/nix/gcroots/ci-cache/${OUT_HASH}"
+
+              echo "✓ $pkg cached successfully"
+            else
+              echo "✗ $pkg failed to build"
+              FAILED+=("$pkg")
+            fi
+            echo "::endgroup::"
+          done
+
+          if [ ${#SKIPPED[@]} -gt 0 ]; then
+            echo "Skipped (already cached): ${SKIPPED[*]}"
+          fi
+
+          if [ ${#FAILED[@]} -gt 0 ]; then
+            echo "::error::Failed packages: ${FAILED[*]}"
+            exit 1
+          fi
+        env:
+          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"

.gitignore

@@ -1 +1,8 @@
 result
+thoughts
+.beads
+
+# Gas Town (added by gt)
+.runtime/
+.claude/
+.logs/

.goosehints

@@ -9,7 +9,7 @@ Directory Structure:
 ----------------------
 • packages/      - Custom Nix packages leveraged across various configurations.
 • roles/         - Role-based configurations (e.g., kodi, bluetooth) each with its own module (default.nix) for inclusion in machine setups.
-• machines/      - Machine-specific configurations (e.g., nix-book, z790prors, boxy, wixos) including configuration.nix and hardware-configuration.nix tailored for each hardware.
+• machines/      - Machine-specific configurations (e.g., nix-book, zix790prors, boxy) including configuration.nix and hardware-configuration.nix tailored for each hardware.
 • home/          - Home-manager configurations for personal environments and application settings (e.g., home-nix-book.nix, home-z790prors.nix).
 
 Design Principles:

AGENTS.md

@@ -0,0 +1,227 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Repository Overview
+
+This is a NixOS configuration repository using flakes, managing multiple machines and home-manager configurations. The repository follows a modular architecture with reusable "roles" that can be composed for different machines.
+
+## Architecture
+
+### Flake Structure
+- **flake.nix**: Main entry point defining inputs (nixpkgs, home-manager, plasma-manager, etc.) and outputs for multiple NixOS configurations
+- **Machines**: `nix-book`, `boxy`, `zix790prors`, `live-usb`, `johno-macbookpro` (Darwin/macOS)
+- **Home configurations**: Standalone home-manager configuration for user `johno`
+
+### Directory Structure
+- `machines/`: Machine-specific configurations with hardware-configuration.nix
+- `roles/`: Modular system configurations (audio, bluetooth, desktop, users, etc.)
+- `home/`: Home Manager configurations and user-specific modules
+- `home/modules/`: User environment modules (emacs, i3+sway, plasma-manager, tmux)
+- `packages/`: Custom package definitions
+
+### Role-Based Configuration System
+The repository uses a custom "roles" system where each role is a NixOS module with enable options:
+- `roles.desktop`: Desktop environment with sub-options for X11, Wayland, KDE, gaming, SDDM
+- `roles.audio`: Audio configuration
+- `roles.bluetooth`: Bluetooth support
+- `roles.users`: User account management
+- `roles.virtualisation`: Virtualization setup
+- `roles.kodi`: Kodi media center
+- `roles.nvidia`: NVIDIA GPU configuration
+- `roles.printing`: Printing support (CUPS)
+- `roles.spotifyd`: Spotify daemon
+- `roles.btrfs`: Btrfs filesystem configuration
+- `roles.nfs-mounts`: NFS mount configuration
+- `roles.darwin`: macOS-specific configurations
+
+Example role usage in machine configuration:
+```nix
+roles = {
+  audio.enable = true;
+  desktop = {
+    enable = true;
+    gaming = true;
+    kde = true;
+    wayland = true;
+  };
+  users.enable = true;
+};
+```
+
+### Home-Manager Role System
+The repository also uses a modular home-manager role system for user-space configuration:
+
+**Available Home Roles:**
+- `home.roles.base`: Core CLI tools, git, ssh, bash, rbw (enabled everywhere)
+- `home.roles.desktop`: GUI applications, Firefox, KDE services
+- `home.roles.office`: LibreOffice, OpenSCAD (heavy packages)
+- `home.roles.media`: VLC, Jellyfin, Moonlight (media consumption)
+- `home.roles.development`: Custom packages, kubectl, development tools
+- `home.roles.communication`: Element, Nextcloud Talk, Google cookie tools
+- `home.roles.sync`: Syncthing service and tray (for file synchronization)
+- `home.roles.kdeconnect`: KDE Connect for device integration
+- `home.roles.gaming`: Gaming applications (future expansion)
+
+**Role-Based Home Configurations:**
+- `home-desktop.nix`: Full-featured desktop for development workstations
+- `home-media-center.nix`: Living room media consumption and gaming setup (boxy)
+- `home-laptop-compact.nix`: Essential tools only, excludes office/media for storage constraints (nix-book)
+- `home-live-usb.nix`: Minimal setup for live environments, no persistent services
+- `home-darwin-work.nix`: macOS work laptop configuration
+
+**Machine-Specific Role Usage:**
+- **nix-book**: Compact laptop → excludes office/media roles due to SSD space constraints
+- **boxy**: Living room media center → optimized for media consumption, excludes sync/office (shared machine)
+- **zix790prors**: All-purpose workstation → full desktop experience with all roles enabled
+- **live-usb**: Temporary environment → only base + desktop roles, no persistent services
+- **johno-macbookpro**: macOS work laptop → Darwin-specific configuration with development tools
+
+## Common Commands
+
+### Building and Switching Configurations
+
+**NixOS (Linux):**
+```bash
+# Build and switch to a specific machine configuration
+sudo nixos-rebuild switch --flake .#<hostname>
+
+# Build without switching
+nixos-rebuild build --flake .#<hostname>
+
+# Build home-manager configuration only
+home-manager switch --flake .#johno
+```
+
+**Darwin (macOS):**
+```bash
+# Build and switch to Darwin configuration
+darwin-rebuild switch --flake .#johno-macbookpro
+
+# Build without switching
+darwin-rebuild build --flake .#johno-macbookpro
+```
+
+### Available Machine Configurations
+- `nix-book`: Compact laptop with storage constraints, uses `home/home-laptop-compact.nix`
+- `boxy`: Shared living room media center/gaming desktop with AMD GPU, uses `home/home-media-center.nix`
+- `zix790prors`: Powerful all-purpose workstation (gaming, 3D modeling, development), dual-boots Windows 11 with shared btrfs /games partition, uses `home/home-desktop.nix`
+- `live-usb`: Bootable ISO configuration, uses `home/home-live-usb.nix`
+- `johno-macbookpro`: macOS work laptop, uses `home/home-darwin-work.nix`
+
+### Flake Operations
+```bash
+# Update flake inputs
+nix flake update
+
+# Check flake
+nix flake check
+
+# Show flake info
+nix flake show
+```
+
+### Bootstrap New Machine
+Use the provided bootstrap script:
+```bash
+sudo ./bootstrap.sh <hostname>
+```
+This script pulls from the remote git repository and applies the configuration.
+
+### Build Live USB ISO
+Use the provided script to build a bootable ISO:
+```bash
+./build-liveusb.sh
+```
+Creates an ISO suitable for Ventoy and other USB boot tools in `./result/iso/`.
+
+## Development Workflow
+
+### Adding New Machines
+
+**NixOS:**
+1. Create new directory in `machines/<hostname>/`
+2. Add `configuration.nix` with role assignments
+3. Include hardware-configuration.nix (generated by nixos-generate-config)
+4. Add nixosConfiguration to flake.nix outputs
+
+**Darwin (macOS):**
+1. Create new directory in `machines/<hostname>/`
+2. Add `configuration.nix` with Darwin role assignments
+3. Add darwinConfiguration to flake.nix outputs
+
+### Adding New Roles
+1. Create directory in `roles/<role-name>/`
+2. Create `default.nix` with module definition using mkEnableOption
+3. Add role import to `roles/default.nix`
+4. Configure role options in machine configurations
+
+### Home Manager Modules
+- Located in `home/modules/`
+- Each module has its own `default.nix`
+- Imported in main home configuration files
+
+## Key Configuration Details
+
+- **Experimental features**: nix-command and flakes are enabled
+- **User**: Primary user is `johno` with trusted-user privileges
+- **Locale**: en_US.UTF-8, America/Los_Angeles timezone
+- **SSH**: OpenSSH enabled on all configurations
+- **Garbage collection**: Automatic, deletes older than 10 days
+- **Unfree packages**: Allowed globally
+
+## Issue Tracking (Gitea)
+
+**Tea CLI for Gitea:**
+```bash
+# Note: When using tea CLI, you must specify --repo johno/nixos-configs
+# The CLI doesn't automatically detect the repo from git remote
+
+# List all issues (open by default)
+tea issues --repo johno/nixos-configs
+
+# List closed issues
+tea issues --repo johno/nixos-configs --state closed
+
+# View specific issue
+tea issue --repo johno/nixos-configs 2
+
+# Create new issue
+tea issues create --repo johno/nixos-configs --title "Issue title" --body "Description"
+
+# Add comment to issue
+tea comment --repo johno/nixos-configs 2 "Comment text"
+
+# Close issue (note: 'issues' is plural, issue number comes last)
+tea issues close --repo johno/nixos-configs 2
+```
+
+## Important Notes
+
+- **Sudo access**: Claude Code does not have sudo access. Ask the user to run elevated commands like `sudo nixos-rebuild switch`
+
+## Landing the Plane (Session Completion)
+
+**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
+
+**MANDATORY WORKFLOW:**
+
+1. **File issues for remaining work** - Create issues for anything that needs follow-up
+2. **Run quality gates** (if code changed) - Tests, linters, builds
+3. **Update issue status** - Close finished work, update in-progress items
+4. **PUSH TO REMOTE** - This is MANDATORY:
+   ```bash
+   git pull --rebase
+   bd sync
+   git push
+   git status  # MUST show "up to date with origin"
+   ```
+5. **Clean up** - Clear stashes, prune remote branches
+6. **Verify** - All changes committed AND pushed
+7. **Hand off** - Provide context for next session
+
+**CRITICAL RULES:**
+- Work is NOT complete until `git push` succeeds
+- NEVER stop before pushing - that leaves work stranded locally
+- NEVER say "ready to push when you are" - YOU must push
+- If push fails, resolve and retry until it succeeds

CLAUDE.md

@@ -1,110 +0,0 @@
-# CLAUDE.md
-
-This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
-
-## Repository Overview
-
-This is a NixOS configuration repository using flakes, managing multiple machines and home-manager configurations. The repository follows a modular architecture with reusable "roles" that can be composed for different machines.
-
-## Architecture
-
-### Flake Structure
-- **flake.nix**: Main entry point defining inputs (nixpkgs, home-manager, plasma-manager, etc.) and outputs for multiple NixOS configurations
-- **Machines**: `nix-book`, `boxy`, `wixos` (WSL configuration)
-- **Home configurations**: Standalone home-manager configuration for user `johno`
-
-### Directory Structure
-- `machines/`: Machine-specific configurations with hardware-configuration.nix
-- `roles/`: Modular system configurations (audio, bluetooth, desktop, users, etc.)
-- `home/`: Home Manager configurations and user-specific modules
-- `home/modules/`: User environment modules (emacs, i3+sway, plasma-manager, tmux)
-- `packages/`: Custom package definitions
-
-### Role-Based Configuration System
-The repository uses a custom "roles" system where each role is a NixOS module with enable options:
-- `roles.desktop`: Desktop environment with sub-options for X11, Wayland, KDE, gaming, SDDM
-- `roles.audio`: Audio configuration
-- `roles.bluetooth`: Bluetooth support
-- `roles.users`: User account management
-- `roles.virtualisation`: Virtualization setup
-- `roles.kodi`: Kodi media center
-
-Example role usage in machine configuration:
-```nix
-roles = {
-  audio.enable = true;
-  desktop = {
-    enable = true;
-    gaming = true;
-    kde = true;
-    wayland = true;
-  };
-  users.enable = true;
-};
-```
-
-## Common Commands
-
-### Building and Switching Configurations
-```bash
-# Build and switch to a specific machine configuration
-sudo nixos-rebuild switch --flake .#<hostname>
-
-# Build without switching
-nixos-rebuild build --flake .#<hostname>
-
-# Build home-manager configuration only
-home-manager switch --flake .#johno
-```
-
-### Available Machine Configurations
-- `nix-book`: Uses `home/home-nix-book.nix`
-- `boxy`: Gaming desktop with AMD GPU, uses `home/home.nix`
-- `wixos`: WSL configuration, uses `home/home.nix`
-
-### Flake Operations
-```bash
-# Update flake inputs
-nix flake update
-
-# Check flake
-nix flake check
-
-# Show flake info
-nix flake show
-```
-
-### Bootstrap New Machine
-Use the provided bootstrap script:
-```bash
-sudo ./bootstrap.sh <hostname>
-```
-This script pulls from the remote git repository and applies the configuration.
-
-## Development Workflow
-
-### Adding New Machines
-1. Create new directory in `machines/<hostname>/`
-2. Add `configuration.nix` with role assignments
-3. Include hardware-configuration.nix (generated by nixos-generate-config)
-4. Add nixosConfiguration to flake.nix outputs
-
-### Adding New Roles
-1. Create directory in `roles/<role-name>/`
-2. Create `default.nix` with module definition using mkEnableOption
-3. Add role import to `roles/default.nix`
-4. Configure role options in machine configurations
-
-### Home Manager Modules
-- Located in `home/modules/`
-- Each module has its own `default.nix`
-- Imported in main home configuration files
-
-## Key Configuration Details
-
-- **Experimental features**: nix-command and flakes are enabled
-- **User**: Primary user is `johno` with trusted-user privileges
-- **Locale**: en_US.UTF-8, America/Los_Angeles timezone
-- **SSH**: OpenSSH enabled on all configurations
-- **Garbage collection**: Automatic, deletes older than 10 days
-- **Unfree packages**: Allowed globally

build-liveusb.sh

@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-# Build Live USB ISO from flake configuration
-# Creates an uncompressed ISO suitable for Ventoy and other USB boot tools
-
-set -e
-
-echo "Building Live USB ISO..."
-nix build .#nixosConfigurations.live-usb.config.system.build.isoImage --show-trace
-
-if [ -f "./result/iso/"*.iso ]; then
-    iso_file=$(ls ./result/iso/*.iso)
-    echo "✅ Build complete!"
-    echo "📁 ISO location: $iso_file"
-    echo "💾 Ready for Ventoy or dd to USB"
-else
-    echo "❌ Build failed - no ISO file found"
-    exit 1
-fi

flake.lock

@@ -1,18 +1,41 @@
 {
   "nodes": {
-    "flake-compat": {
+    "doomemacs": {
       "flake": false,
       "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "lastModified": 1774080407,
+        "narHash": "sha256-FYbalilgDFjIVwK+D6DjDos1IMmMGA20lRf8k6Ykm1Y=",
+        "owner": "doomemacs",
+        "repo": "doomemacs",
+        "rev": "d8d75443d39d95f3c5256504eb838e0acc62ef44",
         "type": "github"
       },
       "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
+        "owner": "doomemacs",
+        "repo": "doomemacs",
+        "type": "github"
+      }
+    },
+    "emacs-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-doom-emacs-unstraightened"
+        ],
+        "nixpkgs-stable": [
+          "nix-doom-emacs-unstraightened"
+        ]
+      },
+      "locked": {
+        "lastModified": 1774256052,
+        "narHash": "sha256-7OLaUBQCOCt4XXbjHq9xqBopOJJpbV6Cl8mWdMLzazc=",
+        "owner": "nix-community",
+        "repo": "emacs-overlay",
+        "rev": "c4b7915a9467aa611c7346d2322514cdf8c1ba45",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "emacs-overlay",
         "type": "github"
       }
     },
@@ -23,11 +46,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1752428473,
-        "narHash": "sha256-IsE7fdAYbRlZuc0H5FtPfhhuHvlxnDGoAxdlnjpVNCU=",
+        "lastModified": 1768846578,
+        "narHash": "sha256-82f/+e8HAwmBukiLlr7I3HYvM/2GCd5SOc+BC+qzsOQ=",
         "ref": "refs/heads/main",
-        "rev": "1fad66b55144ab6beaecd900172a21ac3c34dc52",
-        "revCount": 10,
+        "rev": "c11ff9d3c67372a843a0fa6bf23132e986bd6955",
+        "revCount": 14,
         "type": "git",
         "url": "https://git.johnogle.info/johno/google-cookie-retrieval.git"
       },
@@ -43,62 +66,165 @@
         ]
       },
       "locked": {
-        "lastModified": 1752402455,
-        "narHash": "sha256-mCHfZhQKdTj2JhCFcqfOfa3uKZbwUkPQbd0/zPnhOE8=",
+        "lastModified": 1774274588,
+        "narHash": "sha256-dnHvv5EMUgTzGZmA+3diYjQU2O6BEpGLEOgJ1Qe9LaY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "bf893ad4cbf46610dd1b620c974f824e266cd1df",
+        "rev": "cf9686ba26f5ef788226843bc31fda4cf72e373b",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
     },
-    "nixos-wsl": {
+    "home-manager-unstable": {
       "inputs": {
-        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
       },
       "locked": {
-        "lastModified": 1752199438,
-        "narHash": "sha256-xSBMmGtq8K4Qv80TMqREmESCAsRLJRHAbFH2T/2Bf1Y=",
+        "lastModified": 1774292006,
+        "narHash": "sha256-RI5sjkDEwIiD2eZHd7iM6ZqPoPWZvn3KdBiMumA3IYI=",
         "owner": "nix-community",
-        "repo": "NixOS-WSL",
-        "rev": "d34d9412556d3a896e294534ccd25f53b6822e80",
+        "repo": "home-manager",
+        "rev": "3cea83bf84abeb72581bdee380fa526d7fcd7e5b",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "main",
-        "repo": "NixOS-WSL",
+        "ref": "master",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "jovian": {
+      "inputs": {
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1774168156,
+        "narHash": "sha256-+pwZSARdlM2RQQ6V0q76+WMKW9aNIcxkSOIThcz/f0A=",
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
+        "rev": "939caad56508542d0f19cab963e2bc693f5f2831",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
+        "type": "github"
+      }
+    },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1772129556,
+        "narHash": "sha256-Utk0zd8STPsUJPyjabhzPc5BpPodLTXrwkpXBHYnpeg=",
+        "owner": "nix-darwin",
+        "repo": "nix-darwin",
+        "rev": "ebec37af18215214173c98cf6356d0aca24a2585",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-darwin",
+        "ref": "nix-darwin-25.11",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "nix-doom-emacs-unstraightened": {
+      "inputs": {
+        "doomemacs": "doomemacs",
+        "emacs-overlay": "emacs-overlay",
+        "nixpkgs": [],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1774265710,
+        "narHash": "sha256-ar8pFUSAxXhV7DpVRjNvgviWuqOqWPAImb4MM7lSh5Y=",
+        "owner": "marienz",
+        "repo": "nix-doom-emacs-unstraightened",
+        "rev": "f6022b9192e034a817373692ede18a9319cf9730",
+        "type": "github"
+      },
+      "original": {
+        "owner": "marienz",
+        "repo": "nix-doom-emacs-unstraightened",
+        "type": "github"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "jovian",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729697500,
+        "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
+        "owner": "zhaofengli",
+        "repo": "nix-github-actions",
+        "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "ref": "matrix-name",
+        "repo": "nix-github-actions",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1751792365,
-        "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
-        "owner": "NixOS",
+        "lastModified": 1774244481,
+        "narHash": "sha256-4XfMXU0DjN83o6HWZoKG9PegCvKvIhNUnRUI19vzTcQ=",
+        "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
+        "rev": "4590696c8693fea477850fe379a01544293ca4e2",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "owner": "nixos",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "nixpkgs_2": {
+    "nixpkgs-qt": {
       "locked": {
-        "lastModified": 1751984180,
-        "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=",
+        "lastModified": 1774244481,
+        "narHash": "sha256-4XfMXU0DjN83o6HWZoKG9PegCvKvIhNUnRUI19vzTcQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0",
+        "rev": "4590696c8693fea477850fe379a01544293ca4e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1774106199,
+        "narHash": "sha256-US5Tda2sKmjrg2lNHQL3jRQ6p96cgfWh3J1QBliQ8Ws=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "6c9a78c09ff4d6c21d0319114873508a6ec01655",
         "type": "github"
       },
       "original": {
@@ -118,11 +244,34 @@
         ]
       },
       "locked": {
-        "lastModified": 1748196248,
-        "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=",
+        "lastModified": 1772361940,
+        "narHash": "sha256-B1Cz+ydL1iaOnGlwOFld/C8lBECPtzhiy/pP93/CuyY=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "b7697abe89967839b273a863a3805345ea54ab56",
+        "rev": "a4b33606111c9c5dcd10009042bb710307174f51",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "plasma-manager",
+        "type": "github"
+      }
+    },
+    "plasma-manager-unstable": {
+      "inputs": {
+        "home-manager": [
+          "home-manager-unstable"
+        ],
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1772361940,
+        "narHash": "sha256-B1Cz+ydL1iaOnGlwOFld/C8lBECPtzhiy/pP93/CuyY=",
+        "owner": "nix-community",
+        "repo": "plasma-manager",
+        "rev": "a4b33606111c9c5dcd10009042bb710307174f51",
         "type": "github"
       },
       "original": {
@@ -135,9 +284,30 @@
       "inputs": {
         "google-cookie-retrieval": "google-cookie-retrieval",
         "home-manager": "home-manager",
-        "nixos-wsl": "nixos-wsl",
-        "nixpkgs": "nixpkgs_2",
-        "plasma-manager": "plasma-manager"
+        "home-manager-unstable": "home-manager-unstable",
+        "jovian": "jovian",
+        "nix-darwin": "nix-darwin",
+        "nix-doom-emacs-unstraightened": "nix-doom-emacs-unstraightened",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-qt": "nixpkgs-qt",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "plasma-manager": "plasma-manager",
+        "plasma-manager-unstable": "plasma-manager-unstable"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -2,104 +2,392 @@
   description = "A very basic flake";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixos-wsl.url = "github:nix-community/NixOS-WSL/main";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    # Separate nixpkgs for qt5webengine-dependent packages (jellyfin-media-player, etc.)
+    # Updates on separate Renovate schedule to avoid massive qt rebuilds
+    nixpkgs-qt.url = "github:nixos/nixpkgs/nixos-25.11";
+
+    nix-darwin = {
+      url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    home-manager-unstable = {
+      url = "github:nix-community/home-manager/master";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+
     plasma-manager = {
       url = "github:nix-community/plasma-manager";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.home-manager.follows = "home-manager";
     };
 
+    plasma-manager-unstable = {
+      url = "github:nix-community/plasma-manager";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.home-manager.follows = "home-manager-unstable";
+    };
+
     google-cookie-retrieval = {
       url = "git+https://git.johnogle.info/johno/google-cookie-retrieval.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    jovian = {
+      url = "github:Jovian-Experiments/Jovian-NixOS";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+
+    nix-doom-emacs-unstraightened = {
+      url = "github:marienz/nix-doom-emacs-unstraightened";
+      # Don't follow nixpkgs to avoid rebuild issues with emacs-overlay
+      inputs.nixpkgs.follows = "";
+    };
   };
 
-  outputs = { self, nixpkgs, nixos-wsl, ... } @ inputs: let
-    baseModules = [
-      ./roles
-      inputs.home-manager.nixosModules.home-manager
-      {
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.sharedModules = [
-          inputs.plasma-manager.homeManagerModules.plasma-manager
-        ];
-        home-manager.extraSpecialArgs = {
-          globalInputs = inputs;
-        };
-      }
-    ];
-  in {
-    nixosConfigurations.nix-book = nixpkgs.lib.nixosSystem rec {
-      system = "x86_64-linux";
-      modules = baseModules ++ [
-        ./machines/nix-book/configuration.nix
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nixpkgs-unstable,
+      ...
+    }@inputs:
+    let
+      # Shared overlay function to reduce duplication across module sets
+      # Parameters:
+      #   unstableOverlays: Additional overlays to apply when importing nixpkgs-unstable
+      mkBaseOverlay =
         {
-          home-manager.users.johno = import ./home/home-nix-book.nix;
-          home-manager.extraSpecialArgs = { inherit system; };
-        }
-      ];
-    };
-
-    nixosConfigurations.boxy = nixpkgs.lib.nixosSystem rec {
-      system = "x86_64-linux";
-      modules = baseModules ++ [
-        ./machines/boxy/configuration.nix
-        inputs.home-manager.nixosModules.home-manager
-        {
-          home-manager.users.johno = import ./home/home.nix;
-          home-manager.extraSpecialArgs = { inherit system; };
-        }
-      ];
-    };
-
-    nixosConfigurations.wixos = nixpkgs.lib.nixosSystem rec {
-      system = "x86_64-linux";
-      modules = baseModules ++ [
-        nixos-wsl.nixosModules.default
-        ./machines/wixos/configuration.nix
-        inputs.home-manager.nixosModules.home-manager
-        {
-          home-manager.users.johno = import ./home/home.nix;
-          home-manager.extraSpecialArgs = { inherit system; };
-        }
-      ];
-    };
-
-    # Live USB ISO configuration
-    nixosConfigurations.live-usb = nixpkgs.lib.nixosSystem rec {
-      system = "x86_64-linux";
-      modules = baseModules ++ [
-        ./machines/live-usb/configuration.nix
-        {
-          home-manager.users.nixos = { ... }: {
-            imports = [ ./home/home.nix ];
-            home.username = nixpkgs.lib.mkForce "nixos";
-            home.homeDirectory = nixpkgs.lib.mkForce "/home/nixos";
+          unstableOverlays ? [ ],
+        }:
+        (final: prev: {
+          unstable = import nixpkgs-unstable {
+            system = prev.stdenv.hostPlatform.system;
+            config.allowUnfree = true;
+            overlays = unstableOverlays;
           };
-          home-manager.extraSpecialArgs = { inherit system; };
-        }
-      ];
-    };
+          # Separate nixpkgs for qt5webengine-heavy packages to avoid rebuild churn
+          qt-pinned = import inputs.nixpkgs-qt {
+            system = prev.stdenv.hostPlatform.system;
+            config = {
+              allowUnfree = true;
+              permittedInsecurePackages = [ "qtwebengine-5.15.19" ];
+            };
+          };
+          custom = prev.callPackage ./packages { };
+          # Compatibility: bitwarden renamed to bitwarden-desktop in unstable
+          bitwarden-desktop = prev.bitwarden-desktop or prev.bitwarden;
+        });
 
-    homeConfigurations."johno" = inputs.home-manager.lib.homeManagerConfiguration {
-      pkgs = inputs.nixpkgs.legacyPackages."x86_64-linux";
-      modules = [
-        inputs.plasma-manager.homeManagerModules.plasma-manager
-        ./home/home.nix
+      # Shared home-manager configuration factory
+      # Parameters:
+      #   sharedModules: Additional modules to include in home-manager.sharedModules
+      mkHomeManagerConfig =
+        {
+          sharedModules ? [ ],
+        }:
+        {
+          home-manager.useGlobalPkgs = true;
+          home-manager.useUserPackages = true;
+          home-manager.sharedModules = sharedModules ++ [
+            inputs.nix-doom-emacs-unstraightened.homeModule
+          ];
+          home-manager.extraSpecialArgs = {
+            globalInputs = inputs;
+          };
+        };
+
+      # Shared unstable overlays for custom package builds
+      customUnstableOverlays = [
+        # Override claude-code in unstable to use our custom GCS-based build
+        # (needed for corporate networks that block npm registry)
+        (ufinal: uprev: {
+          claude-code = uprev.callPackage ./packages/claude-code { };
+        })
       ];
-      extraSpecialArgs = {
+
+      nixosModules = [
+        ./roles
+        inputs.home-manager.nixosModules.home-manager
+        {
+          nixpkgs.overlays = [ (mkBaseOverlay { unstableOverlays = customUnstableOverlays; }) ];
+        }
+        (mkHomeManagerConfig {
+          sharedModules = [ inputs.plasma-manager.homeModules.plasma-manager ];
+        })
+      ];
+
+      # Modules for unstable-based systems (like nix-deck)
+      nixosModulesUnstable = [
+        ./roles
+        inputs.home-manager-unstable.nixosModules.home-manager
+        inputs.jovian.nixosModules.jovian
+        {
+          nixpkgs.overlays = [ (mkBaseOverlay { unstableOverlays = customUnstableOverlays; }) ];
+        }
+        (mkHomeManagerConfig {
+          sharedModules = [ inputs.plasma-manager-unstable.homeModules.plasma-manager ];
+        })
+      ];
+
+      darwinModules = [
+        ./roles/darwin.nix
+        inputs.home-manager.darwinModules.home-manager
+        {
+          nixpkgs.overlays = [ (mkBaseOverlay { unstableOverlays = customUnstableOverlays; }) ];
+        }
+        (mkHomeManagerConfig { sharedModules = [ ]; })
+      ];
+
+    in
+    {
+      nixosConfigurations.nix-book = nixpkgs.lib.nixosSystem rec {
         system = "x86_64-linux";
-        globalInputs = inputs;
+        modules = nixosModules ++ [
+          ./machines/nix-book/configuration.nix
+          {
+            home-manager.users.johno = {
+              imports = [ ./home/home-laptop-compact.nix ];
+              # Machine-specific overrides
+              home.roles.i3_sway.extraSwayConfig = {
+                output.eDP-1.scale = "1.75";
+              };
+            };
+            home-manager.extraSpecialArgs = { inherit system; };
+          }
+        ];
       };
+
+      nixosConfigurations.boxy = nixpkgs.lib.nixosSystem rec {
+        system = "x86_64-linux";
+        modules = nixosModules ++ [
+          ./machines/boxy/configuration.nix
+          {
+            home-manager.users.johno = import ./home/home-media-center.nix;
+            # kodi user: AVR volume control + minimal Plasma config for Bigscreen session
+            home-manager.users.kodi = import ./home/home-kodi.nix;
+            home-manager.extraSpecialArgs = { inherit system; };
+          }
+        ];
+      };
+
+      nixosConfigurations.gym-box = nixpkgs.lib.nixosSystem rec {
+        system = "x86_64-linux";
+        modules = nixosModules ++ [
+          ./machines/gym-box/configuration.nix
+          {
+            home-manager.users.johno = import ./home/home-media-center.nix;
+            home-manager.users.kodi = import ./home/home-kodi.nix;
+            home-manager.extraSpecialArgs = { inherit system; };
+          }
+        ];
+      };
+
+      nixosConfigurations.zix790prors = nixpkgs.lib.nixosSystem rec {
+        system = "x86_64-linux";
+        modules = nixosModules ++ [
+          ./machines/zix790prors/configuration.nix
+          {
+            home-manager.users.johno = {
+              imports = [ ./home/home-desktop.nix ];
+              home.roles.i3_sway.extraSwayConfig = {
+                output = {
+                  "DP-1" = {
+                    mode = "3440x1440@164.900Hz";
+                  };
+                };
+              };
+            };
+            home-manager.extraSpecialArgs = { inherit system; };
+          }
+        ];
+      };
+
+      # Live USB ISO configuration
+      nixosConfigurations.live-usb = nixpkgs.lib.nixosSystem rec {
+        system = "x86_64-linux";
+        modules = nixosModules ++ [
+          ./machines/live-usb/configuration.nix
+          {
+            home-manager.users.nixos = import ./home/home-live-usb.nix;
+            home-manager.extraSpecialArgs = { inherit system; };
+          }
+        ];
+      };
+
+      # Steam Deck configuration (using unstable for better Jovian compatibility)
+      nixosConfigurations.nix-deck = nixpkgs-unstable.lib.nixosSystem rec {
+        system = "x86_64-linux";
+        modules = nixosModulesUnstable ++ [
+          ./machines/nix-deck/configuration.nix
+          {
+            home-manager.users.johno = import ./home/home-desktop.nix;
+            home-manager.extraSpecialArgs = { inherit system; };
+          }
+        ];
+      };
+
+      # ZFS/NFS server configuration
+      nixosConfigurations.john-endesktop = nixpkgs.lib.nixosSystem rec {
+        system = "x86_64-linux";
+        modules = nixosModules ++ [
+          ./machines/john-endesktop/configuration.nix
+          inputs.home-manager.nixosModules.home-manager
+          {
+            home-manager.users.johno = import ./home/home-server.nix;
+            home-manager.extraSpecialArgs = { inherit system; };
+          }
+        ];
+      };
+
+      # Darwin/macOS configurations
+      darwinConfigurations."BLKFV4YF49KT7" = inputs.nix-darwin.lib.darwinSystem rec {
+        system = "aarch64-darwin";
+        modules = darwinModules ++ [
+          ./machines/johno-macbookpro/configuration.nix
+          {
+            home-manager.users.johno = import ./home/home-darwin-work.nix;
+            home-manager.extraSpecialArgs = { inherit system; };
+          }
+        ];
+      };
+
+      # Packages for CI caching (custom packages, flake inputs, and qt-pinned)
+      packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (
+        system:
+        let
+          pkgs = import nixpkgs {
+            inherit system;
+            config.allowUnfree = true;
+            overlays = [ (mkBaseOverlay { }) ];
+          };
+          pkgsQt = import inputs.nixpkgs-qt {
+            inherit system;
+            config = {
+              allowUnfree = true;
+              permittedInsecurePackages = [ "qtwebengine-5.15.19" ];
+            };
+          };
+        in
+        {
+          "custom-claude-code" = pkgs.custom.claude-code;
+          "custom-app-launcher-server" = pkgs.custom.app-launcher-server;
+          "custom-mcrcon-rbw" = pkgs.custom.mcrcon-rbw;
+          "custom-tea-rbw" = pkgs.custom.tea-rbw;
+          "custom-rclone-torbox-setup" = pkgs.custom.rclone-torbox-setup;
+          "custom-opencode" = pkgs.custom.opencode;
+          "qt-pinned-jellyfin-media-player" = pkgsQt.jellyfin-media-player;
+          "qt-pinned-stremio" = pkgsQt.stremio;
+          # Plasma Bigscreen — not yet in nixpkgs, built from upstream
+          "plasma-bigscreen" = pkgs.kdePackages.callPackage ./roles/plasma-bigscreen/package.nix { };
+        }
+        // (
+          if system == "x86_64-linux" then
+            {
+              "custom-nextcloud-talk-desktop" = pkgs.custom.nextcloud-talk-desktop;
+              # nix-deck kernel from Jovian-NixOS (Steam Deck) - expensive to build
+              "nix-deck-kernel" = self.nixosConfigurations.nix-deck.config.boot.kernelPackages.kernel;
+            }
+          else
+            { }
+        )
+      );
+
+      # Flake apps
+      apps = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ] (
+        system:
+        let
+          pkgs = import nixpkgs { inherit system; };
+          commonDeps = [
+            pkgs.curl
+            pkgs.jq
+            pkgs.nix
+            pkgs.git
+            pkgs.gnused
+            pkgs.gnugrep
+            pkgs.coreutils
+            pkgs.gawk
+          ];
+
+          update-doomemacs = pkgs.writeShellScriptBin "update-doomemacs" ''
+            export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+            ${builtins.readFile ./scripts/update-doomemacs.sh}
+          '';
+
+          update-claude-code = pkgs.writeShellScriptBin "update-claude-code" ''
+            export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+            ${builtins.readFile ./packages/claude-code/update.sh}
+          '';
+
+          update-opencode = pkgs.writeShellScriptBin "update-opencode" ''
+            export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+            ${builtins.readFile ./packages/opencode/update.sh}
+          '';
+
+          rotate-wallpaper = pkgs.writeShellScriptBin "rotate-wallpaper" ''
+            export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+            ${builtins.readFile ./scripts/rotate-wallpaper.sh}
+          '';
+
+          upgrade = pkgs.writeShellScriptBin "upgrade" ''
+            export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+            ${builtins.readFile ./scripts/upgrade.sh}
+          '';
+
+          bootstrap = pkgs.writeShellScriptBin "bootstrap" ''
+            export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+            ${builtins.readFile ./scripts/bootstrap.sh}
+          '';
+
+          build-liveusb = pkgs.writeShellScriptBin "build-liveusb" ''
+            export PATH="${pkgs.lib.makeBinPath commonDeps}:$PATH"
+            ${builtins.readFile ./scripts/build-liveusb.sh}
+          '';
+        in
+        {
+          update-doomemacs = {
+            type = "app";
+            program = "${update-doomemacs}/bin/update-doomemacs";
+            meta.description = "Update Doom Emacs configuration";
+          };
+          update-claude-code = {
+            type = "app";
+            program = "${update-claude-code}/bin/update-claude-code";
+            meta.description = "Update Claude Code package version";
+          };
+          update-opencode = {
+            type = "app";
+            program = "${update-opencode}/bin/update-opencode";
+            meta.description = "Update OpenCode package version";
+          };
+          rotate-wallpaper = {
+            type = "app";
+            program = "${rotate-wallpaper}/bin/rotate-wallpaper";
+            meta.description = "Rotate desktop wallpaper";
+          };
+          upgrade = {
+            type = "app";
+            program = "${upgrade}/bin/upgrade";
+            meta.description = "Upgrade NixOS configuration";
+          };
+          bootstrap = {
+            type = "app";
+            program = "${bootstrap}/bin/bootstrap";
+            meta.description = "Bootstrap a new NixOS machine";
+          };
+          build-liveusb = {
+            type = "app";
+            program = "${build-liveusb}/bin/build-liveusb";
+            meta.description = "Build a bootable Live USB ISO";
+          };
+        }
+      );
     };
-  };
 }

home/home-darwin-work.nix

@@ -0,0 +1,123 @@
+{ config, lib, pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for Darwin work laptop
+  # Corporate-friendly setup with essential development tools
+
+  home.username = lib.mkForce "johno";
+  home.homeDirectory = lib.mkForce "/Users/johno";
+  home.stateVersion = "24.05";
+
+  # System packages
+  home.packages = with pkgs; [
+    google-cloud-sdk
+  ];
+
+  # Note: ghostty installed via Homebrew (managed outside of nix)
+
+  # Override Darwin-incompatible settings from base role
+  programs.rbw.settings.pinentry = lib.mkForce pkgs.pinentry_mac;
+
+  # Disable Home Manager from managing shell RC files
+  # topsoil/compost will manage these files instead
+  programs.bash.enable = lib.mkForce false;
+  programs.zsh.enable = lib.mkForce false;
+
+  # Create a local nix integration file that topsoil-managed configs can source
+  home.file.".nix-integration.sh" = {
+    text = ''
+      # Source Home Manager session variables (nix paths, environment, etc.)
+      if [ -e /etc/profiles/per-user/johno/etc/profile.d/hm-session-vars.sh ]; then
+        . /etc/profiles/per-user/johno/etc/profile.d/hm-session-vars.sh
+      fi
+
+      # Setup bash completions from nix profiles
+      if [[ ! -v BASH_COMPLETION_VERSINFO ]] && [ -n "$NIX_PROFILES" ]; then
+        for profile in $NIX_PROFILES; do
+          if [ -f "$profile/etc/profile.d/bash_completion.sh" ]; then
+            . "$profile/etc/profile.d/bash_completion.sh"
+            break
+          fi
+        done
+      fi
+
+      # command-not-found handler
+      command_not_found_handle() {
+        local p=/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite
+        if [ -n "$NIX_PROFILES" ]; then
+          for profile in $NIX_PROFILES; do
+            if [ -x "$profile/bin/command-not-found" ] && [ -f "$p" ]; then
+              "$profile/bin/command-not-found" "$@"
+              return $?
+            fi
+          done
+        fi
+        echo "$1: command not found" >&2
+        return 127
+      }
+    '';
+  };
+
+  home.file.".nix-integration.zsh" = {
+    text = ''
+      # Source Home Manager session variables (nix paths, environment, etc.)
+      if [ -e /etc/profiles/per-user/johno/etc/profile.d/hm-session-vars.sh ]; then
+        . /etc/profiles/per-user/johno/etc/profile.d/hm-session-vars.sh
+      fi
+
+      # Setup zsh completions from nix profiles
+      typeset -U path cdpath fpath manpath
+      for profile in ''${(z)NIX_PROFILES}; do
+        fpath+=($profile/share/zsh/site-functions $profile/share/zsh/$ZSH_VERSION/functions $profile/share/zsh/vendor-completions)
+      done
+      autoload -U compinit && compinit
+
+      # command-not-found handler
+      command_not_found_handler() {
+        local p=/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite
+        if [ -n "$NIX_PROFILES" ]; then
+          for profile in ''${(z)NIX_PROFILES}; do
+            if [ -x "$profile/bin/command-not-found" ] && [ -f "$p" ]; then
+              "$profile/bin/command-not-found" "$@"
+              return $?
+            fi
+          done
+        fi
+        echo "$1: command not found" >&2
+        return 127
+      }
+    '';
+  };
+
+  # Keep SSH and Git disabled to avoid conflicts with work environment
+  programs.ssh.enable = lib.mkForce false;
+  programs.git.enable = lib.mkForce false;
+  programs.rbw.enable = lib.mkForce false;
+
+  home.shell.enableShellIntegration = true;
+
+  home.roles = {
+    base.enable = true;
+    development = {
+      enable = true;
+      allowArbitraryClaudeCodeModelSelection = true;
+    };
+    tmux.enable = true;
+    emacs.enable = true;
+    aerospace = {
+      enable = true;
+      leader = "cmd";
+      ctrlShortcuts.enable = false;
+      sketchybar.enable = true;
+      # Optional: Add per-machine userSettings overrides
+      # userSettings = {
+      #   mode.main.binding."${leader}-custom" = "custom-command";
+      # };
+    };
+  };
+
+  imports = [
+    ./roles
+    ./roles/base-darwin
+  ];
+}

home/home-desktop.nix

@@ -0,0 +1,38 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for full desktop experience
+  home.username = "johno";
+  home.homeDirectory = "/home/johno";
+  home.stateVersion = "24.05";
+
+  # Enable all desktop roles for full-featured experience
+  home.roles = {
+    "3d-printing".enable = true;
+    base.enable = true;
+    gaming.enable = true;
+    desktop.enable = true;
+    emacs.enable = true;
+    email.enable = true;
+    i3_sway.enable = true;
+    office.enable = true;
+    media.enable = true;
+    development.enable = true;
+    communication.enable = true;
+    sync.enable = true;
+    kdeconnect.enable = true;
+    kubectl.enable = true;
+    tmux.enable = true;
+    plasma-manager.enable = true;
+    starship.enable = true;
+  };
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./roles/base-linux
+  ];
+}

home/home-kodi.nix

@@ -0,0 +1,30 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for kodi user on boxy
+  # Focused on media center volume control via Home Assistant
+
+  home.username = "kodi";
+  home.homeDirectory = "/home/kodi";
+  home.stateVersion = "24.05";
+
+  # Enable minimal roles for kodi user
+  home.roles = {
+    base.enable = true;
+    plasma-manager-kodi.enable = true;
+    kdeconnect.enable = true;
+  };
+
+  home.packages = with pkgs; [
+    kdePackages.kconfig
+  ];
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./roles/base-linux
+  ];
+}

home/home-laptop-compact.nix

@@ -0,0 +1,46 @@
+{ config, lib, pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for compact laptop setups
+  # Optimized for space-constrained environments
+  
+  home.username = "johno";
+  home.homeDirectory = "/home/johno";
+  home.stateVersion = "24.05";
+
+  # Enable essential roles only (exclude heavy office/media packages)
+  home.roles = {
+    base.enable = true;
+    desktop.enable = true;
+    gaming.enable = true;
+    development.enable = true;
+    communication.enable = true;
+    email.enable = true;
+    kdeconnect.enable = true;
+    media.enable = true;
+    sync.enable = true;
+    kubectl.enable = true;
+    tmux.enable = true;
+    plasma-manager.enable = true;
+    emacs.enable = true;
+    i3_sway.enable = true;
+    starship.enable = true;
+
+    # Launcher wrappers for excluded/optional packages
+    launchers = {
+      enable = true;
+      packages = [
+        "libreoffice"
+      ];
+    };
+  };
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./roles/base-linux
+  ];
+}

home/home-live-usb.nix

@@ -0,0 +1,43 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for live USB environments
+  # Minimal setup without persistent services
+  
+  home.username = "nixos";
+  home.homeDirectory = "/home/nixos";
+  home.stateVersion = "24.05";
+
+  # Enable minimal roles only (no sync or kdeconnect for live environment)
+  home.roles = {
+    base.enable = true;
+    desktop.enable = true;
+    tmux.enable = true;
+    plasma-manager.enable = true;
+    emacs = {
+      enable = true;
+      # Use pre-built Doom Emacs - all packages built at nix build time
+      # This means no doom sync is needed after booting the live USB
+      prebuiltDoom = true;
+    };
+    i3_sway.enable = true;
+    starship.enable = true;
+    # development.enable = false;  # Not needed for live USB
+    # communication.enable = false; # Not needed for live USB
+    # office.enable = false;       # Not needed for live USB
+    # media.enable = false;        # Not needed for live USB
+    # sync.enable = false;         # No persistent sync on live USB
+    # kdeconnect.enable = false;   # No device integration on live USB
+  };
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./roles/base-linux
+  ];
+
+  # Live USB specific overrides can go here if needed
+}

home/home-media-center.nix

@@ -0,0 +1,39 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for media center setups
+  # Optimized for living room media consumption and gaming
+  
+  home.username = "johno";
+  home.homeDirectory = "/home/johno";
+  home.stateVersion = "24.05";
+
+  # Enable media center focused roles
+  home.roles = {
+    base.enable = true;
+    desktop.enable = true;
+    gaming.enable = true;
+    media.enable = true;
+    communication.enable = true;
+    kdeconnect.enable = true;
+    development.enable = true;
+    tmux.enable = true;
+    plasma-manager.enable = true;
+    emacs.enable = true;
+    i3_sway.enable = true;
+    starship.enable = true;
+    # office.enable = false;    # Not needed for media center
+    # sync.enable = false;      # Shared machine, no personal file sync
+  };
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./roles/base-linux
+  ];
+
+  # Media center specific overrides can go here if needed
+}

home/home-nix-book.nix

@@ -1,11 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./home.nix
-  ];
-
-  home.i3_sway.extraSwayConfig = {
-    output.eDP-1.scale = "1.75";
-  };
-}

home/home-server.nix

@@ -0,0 +1,27 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for servers (minimal with development tools)
+  home.username = "johno";
+  home.homeDirectory = "/home/johno";
+  home.stateVersion = "24.05";
+
+  # Minimal roles for server with development capability
+  home.roles = {
+    base.enable = true;
+    development.enable = true;
+    emacs.enable = true;
+    kubectl.enable = true;
+    starship.enable = true;
+    tmux.enable = true;
+  };
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./roles/base-linux
+  ];
+}

home/home.nix

@@ -1,204 +0,0 @@
-{ pkgs, customPkgs, globalInputs, system, ... }:
-
-let
-  customPkgs = pkgs.callPackage ../packages {};
-in
-{
-  # Home Manager needs a bit of information about you and the paths it should
-  # manage.
-  home.username = "johno";
-  home.homeDirectory = "/home/johno";
-
-  # This value determines the Home Manager release that your configuration is
-  # compatible with. This helps avoid breakage when a new Home Manager release
-  # introduces backwards incompatible changes.
-  #
-  # You should not change this value, even if you update Home Manager. If you do
-  # want to update the value, then make sure to first check the Home Manager
-  # release notes.
-  home.stateVersion = "24.05"; # Please read the comment before changing.
-
-  # The home.packages option allows you to install Nix packages into your
-  # environment.
-  home.packages = [
-    # # Adds the 'hello' command to your environment. It prints a friendly
-    # # "Hello, world!" when run.
-    # pkgs.hello
-
-    # # It is sometimes useful to fine-tune packages, for example, by applying
-    # # overrides. You can do that directly here, just don't forget the
-    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
-    # # fonts?
-    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
-
-    # # You can also create simple shell scripts directly inside your
-    # # configuration. For example, this adds a command 'my-hello' to your
-    # # environment:
-    # (pkgs.writeShellScriptBin "my-hello" ''
-    #   echo "Hello, ${config.home.username}!"
-    # '')
-
-    pkgs.bitwarden
-    pkgs.claude-code
-    pkgs.codex
-    pkgs.dunst
-    pkgs.element-desktop
-    pkgs.fd
-    #pkgs.fluffychat # security vulnerability in current version
-    pkgs.goose-cli
-    pkgs.gzip
-    pkgs.htop
-    pkgs.jellyfin-media-player
-    pkgs.keepassxc
-    pkgs.killall
-    pkgs.kitty
-    pkgs.less
-    pkgs.moonlight-qt
-    pkgs.ncdu
-    pkgs.nextcloud-talk-desktop
-    pkgs.openscad-unstable
-    pkgs.pandoc
-    #pkgs.pinentry-qt
-    #pkgs.pytest
-    pkgs.shellcheck
-    pkgs.solaar # Logitech management software
-    (pkgs.snapcast.override { pulseaudioSupport = true; })
-    pkgs.tmux
-    pkgs.waybar
-    pkgs.wofi
-    pkgs.vlc
-
-    ## Kubernetes cluster management
-    pkgs.kubectl
-    pkgs.kubernetes-helm
-
-    globalInputs.google-cookie-retrieval.packages.${system}.default
-  ];
-
-  # Home Manager is pretty good at managing dotfiles. The primary way to manage
-  # plain files is through 'home.file'.
-  home.file = {
-    # # Building this configuration will create a copy of 'dotfiles/screenrc' in
-    # # the Nix store. Activating the configuration will then make '~/.screenrc' a
-    # # symlink to the Nix store copy.
-    # ".screenrc".source = dotfiles/screenrc;
-
-    # # You can also set the file content immediately.
-    # ".gradle/gradle.properties".text = ''
-    #   org.gradle.console=verbose
-    #   org.gradle.daemon.idletimeout=3600000
-    # '';
-  };
-
-  targets.genericLinux.enable = true;
-
-  # Home Manager can also manage your environment variables through
-  # 'home.sessionVariables'. These will be explicitly sourced when using a
-  # shell provided by Home Manager. If you don't want to manage your shell
-  # through Home Manager then you have to manually source 'hm-session-vars.sh'
-  # located at either
-  #
-  #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
-  #
-  # or
-  #
-  #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
-  #
-  # or
-  #
-  #  /etc/profiles/per-user/johno/etc/profile.d/hm-session-vars.sh
-  #
-  home.sessionVariables = {
-  };
-
-  home.sessionPath = [
-  ];
-
-  imports = [
-    ./modules/emacs
-    ./modules/i3+sway
-    ./modules/plasma-manager
-    ./modules/tmux
-  ];
-
-  programs.bash = {
-    enable = true;
-    initExtra = ''
-      codex() {
-        local key
-        key="$(rbw get openai-api-key-codex)"
-        OPENAI_API_KEY="$key" command codex "$@"
-      }
-    '';
-  };
-
-  # Let Home Manager install and manage itself.
-  programs.home-manager.enable = true;
-
-  programs.command-not-found.enable = true;
-
-  programs.firefox = {
-    enable = true;
-  };
-
-  programs.git = {
-    enable = true;
-    userName = "John Ogle";
-    userEmail = "john@ogle.fyi";
-    extraConfig = {
-      safe.directory = "/etc/nixos";
-    };
-  };
-
-  programs.jq.enable = true;
-
-  programs.k9s.enable = true;
-
-  programs.neovim = {
-    enable = true;
-    viAlias = true;
-    vimAlias = true;
-  };
-
-  programs.rbw = {
-    enable = true;
-    settings = {
-      email = "john@johnogle.info";
-      base_url = "https://bitwarden.johnogle.info";
-      pinentry = pkgs.pinentry-qt;
-    };
-  };
-
-  programs.spotify-player.enable = true;
-
-  programs.ssh = {
-    enable = true;
-    addKeysToAgent = "yes";
-    matchBlocks = {
-      "nucdeb1" = {
-        hostname = "nucdeb1.oglehome";
-        user = "root";
-      };
-    };
-  };
-
-  services.kdeconnect = {
-    enable = true;
-    indicator = true;
-    package = pkgs.kdePackages.kdeconnect-kde;
-  };
-
-  services.gnome-keyring = {
-    enable = true;
-  };
-
-  services.syncthing = {
-    enable = true;
-    tray = {
-      enable = true;
-      command = "syncthingtray --wait";
-    };
-  };
-
-  xdg.enable = true;
-}

home/modules/emacs/default.nix

@@ -1,47 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  doomEmacs = pkgs.fetchFromGitHub {
-    owner = "doomemacs";
-    repo = "doomemacs";
-    rev = "8406c1ff22b95bd0f816de4a0223fa3ce3c82568";
-    sha256 = "sha256-rOkgOdmLESVAbOeEM9nJTzxyI+akdk48Ed2VlktOy3Q=";
-  };
-in
-{
-  config = {
-    home.packages = [
-      pkgs.emacs
-
-      pkgs.emacs-all-the-icons-fonts
-      pkgs.fira-code
-      pkgs.fontconfig
-      pkgs.graphviz
-      pkgs.isort
-      pkgs.nerd-fonts.fira-code
-      pkgs.nerd-fonts.droid-sans-mono
-      pkgs.nil # nix lsp language server
-      pkgs.nixfmt-rfc-style
-      (pkgs.ripgrep.override {withPCRE2 = true;})
-      pkgs.pipenv
-      pkgs.poetry
-      pkgs.python3
-    ];
-
-    fonts.fontconfig.enable = true;
-
-    home.file."${config.xdg.configHome}/emacs".source = doomEmacs;
-    home.sessionPath = [
-      "${config.xdg.configHome}/emacs/bin"
-    ];
-
-    home.sessionVariables = {
-      DOOMDIR = "${config.xdg.configHome}/doom";
-      DOOMLOCALDIR = "${config.xdg.dataHome}/doom";
-    };
-
-    home.file."${config.xdg.configHome}/doom".source = ./doom;
-  };
-}

home/modules/emacs/doom/config.el

@@ -1,116 +0,0 @@
-;;; $DOOMDIR/config.el -*- lexical-binding: t; -*-
-
-;; Place your private configuration here! Remember, you do not need to run 'doom
-;; sync' after modifying this file!
-
-
-;; Some functionality uses this to identify you, e.g. GPG configuration, email
-;; clients, file templates and snippets. It is optional.
-;; (setq user-full-name "John Doe"
-;;       user-mail-address "john@doe.com")
-
-;; Doom exposes five (optional) variables for controlling fonts in Doom:
-;;
-;; - `doom-font' -- the primary font to use
-;; - `doom-variable-pitch-font' -- a non-monospace font (where applicable)
-;; - `doom-big-font' -- used for `doom-big-font-mode'; use this for
-;;   presentations or streaming.
-;; - `doom-symbol-font' -- for symbols
-;; - `doom-serif-font' -- for the `fixed-pitch-serif' face
-;;
-;; See 'C-h v doom-font' for documentation and more examples of what they
-;; accept. For example:
-;;
-;;(setq doom-font (font-spec :family "Fira Code" :size 12 :weight 'semi-light)
-;;      doom-variable-pitch-font (font-spec :family "Fira Sans" :size 13))
-;;
-;; If you or Emacs can't find your font, use 'M-x describe-font' to look them
-;; up, `M-x eval-region' to execute elisp code, and 'M-x doom/reload-font' to
-;; refresh your font settings. If Emacs still can't find your font, it likely
-;; wasn't installed correctly. Font issues are rarely Doom issues!
-(setq doom-font (font-spec :family "Fira Code"))
-
-;; There are two ways to load a theme. Both assume the theme is installed and
-;; available. You can either set `doom-theme' or manually load a theme with the
-;; `load-theme' function. This is the default:
-(setq doom-theme 'doom-one)
-
-;; This determines the style of line numbers in effect. If set to `nil', line
-;; numbers are disabled. For relative line numbers, set this to `relative'.
-(setq display-line-numbers-type t)
-
-;; If you use `org' and don't want your org files in the default location below,
-;; change `org-directory'. It must be set before org loads!
-(setq org-directory "~/org/")
-(after! org
-  (setq org-agenda-span 'week
-        my-agenda-dirs '("projects" "roam")
-        org-agenda-files (cons org-directory (mapcan (lambda (x) (directory-files-recursively
-                                                                  (expand-file-name x org-directory)
-                                                                  "\.org$"))
-                                                     my-agenda-dirs))
-        org-log-done 'time
-        org-agenda-custom-commands '(("n" "Agenda"
-                                      ((agenda "")
-                                       (tags-todo "-someday-recurring")))
-                                     ("s" "Someday Items"
-                                      ((tags-todo "+someday"))))
-        org-todo-keywords '((sequence "TODO(t)" "IN-PROGRESS(p)" "WAIT(w)" "|" "DONE(d)" "KILL(k)"))
-        org-journal-file-type 'weekly
-        org-journal-file-format "%Y-%m-%d.org"
-        org-capture-templates
-          '(("t" "Todo" entry (file+headline "~/org/todo.org" "Inbox")
-             "* TODO %? \n %i \n%a" :prepend t))))
-
-;; (use-package! org-caldav
-;;   :defer t
-;;   :config
-;;   (setq org-caldav-url "https://nextcloud.johnogle.info/remote.php/dav/calendars/johno"
-;;         org-caldav-calendar-id "personal"
-;;         org-icalendar-timezone "America/Los_Angeles"
-;;         org-caldav-inbox "~/org/calendar.org"
-;;         org-caldav-files nil
-;;         org-caldav-sync-direction 'cal->org))
-
-(defun my/get-rbw-password (alias)
-  "Return the password for ALIAS via rbw, unlocking the vault only if needed."
-  (let* ((cmd     (format "rbw get %s 2>&1" alias))
-         (output  (shell-command-to-string cmd)))
-    (string-trim output)))
-
-(use-package! gptel
-  :defer t
-  :config
-  (setq! gptel-api-key (my/get-rbw-password "openai-api-key-chatgpt-el")))
-
-;; Whenever you reconfigure a package, make sure to wrap your config in an
-;; `after!' block, otherwise Doom's defaults may override your settings. E.g.
-;;
-;;   (after! PACKAGE
-;;     (setq x y))
-;;
-;; The exceptions to this rule:
-;;
-;;   - Setting file/directory variables (like `org-directory')
-;;   - Setting variables which explicitly tell you to set them before their
-;;     package is loaded (see 'C-h v VARIABLE' to look up their documentation).
-;;   - Setting doom variables (which start with 'doom-' or '+').
-;;
-;; Here are some additional functions/macros that will help you configure Doom.
-;;
-;; - `load!' for loading external *.el files relative to this one
-;; - `use-package!' for configuring packages
-;; - `after!' for running code after a package has loaded
-;; - `add-load-path!' for adding directories to the `load-path', relative to
-;;   this file. Emacs searches the `load-path' when you load packages with
-;;   `require' or `use-package'.
-;; - `map!' for binding new keys
-;;
-;; To get information about any of these functions/macros, move the cursor over
-;; the highlighted symbol at press 'K' (non-evil users must press 'C-c c k').
-;; This will open documentation for it, including demos of how they are used.
-;; Alternatively, use `C-h o' to look up a symbol (functions, variables, faces,
-;; etc).
-;;
-;; You can also try 'gd' (or 'C-c c d') to jump to their definition and see how
-;; they are implemented.

home/modules/i3+sway/default.nix

@@ -1,146 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-let
-  cfg = config.home.i3_sway;
-  i3_cfg = config.xsession.windowManager.i3.config;
-
-  shared_config = recursiveUpdate rec {
-    modifier = "Mod4";
-    terminal = "kitty";
-    defaultWorkspace = "workspace number 1";
-
-    keybindings = {
-      "${shared_config.modifier}+Return" = "exec ${terminal}";
-      "${shared_config.modifier}+Shift+q" = "kill";
-      "${shared_config.modifier}+d" = "exec ${i3_cfg.menu}";
-
-      "${shared_config.modifier}+h" = "focus left";
-      "${shared_config.modifier}+j" = "focus down";
-      "${shared_config.modifier}+k" = "focus up";
-      "${shared_config.modifier}+l" = "focus right";
-
-      "${shared_config.modifier}+Shift+h" = "move left";
-      "${shared_config.modifier}+Shift+j" = "move down";
-      "${shared_config.modifier}+Shift+k" = "move up";
-      "${shared_config.modifier}+Shift+l" = "move right";
-
-      "${shared_config.modifier}+Left" = "focus left";
-      "${shared_config.modifier}+Down" = "focus down";
-      "${shared_config.modifier}+Up" = "focus up";
-      "${shared_config.modifier}+Right" = "focus right";
-
-      "${shared_config.modifier}+Shift+Left" = "move left";
-      "${shared_config.modifier}+Shift+Down" = "move down";
-      "${shared_config.modifier}+Shift+Up" = "move up";
-      "${shared_config.modifier}+Shift+Right" = "move right";
-
-      #"${shared_config.modifier}+h" = "split h";
-      "${shared_config.modifier}+v" = "split v";
-      "${shared_config.modifier}+f" = "fullscreen toggle";
-
-      "${shared_config.modifier}+s" = "layout stacking";
-      "${shared_config.modifier}+w" = "layout tabbed";
-      "${shared_config.modifier}+e" = "layout toggle split";
-
-      "${shared_config.modifier}+Shift+space" = "floating toggle";
-      "${shared_config.modifier}+space" = "focus mode_toggle";
-
-      "${shared_config.modifier}+a" = "focus parent";
-
-      "${shared_config.modifier}+Shift+minus" = "move scratchpad";
-      "${shared_config.modifier}+minus" = "scratchpad show";
-
-      "${shared_config.modifier}+1" = "workspace number 1";
-      "${shared_config.modifier}+2" = "workspace number 2";
-      "${shared_config.modifier}+3" = "workspace number 3";
-      "${shared_config.modifier}+4" = "workspace number 4";
-      "${shared_config.modifier}+5" = "workspace number 5";
-      "${shared_config.modifier}+6" = "workspace number 6";
-      "${shared_config.modifier}+7" = "workspace number 7";
-      "${shared_config.modifier}+8" = "workspace number 8";
-      "${shared_config.modifier}+9" = "workspace number 9";
-      "${shared_config.modifier}+0" = "workspace number 10";
-
-      "${shared_config.modifier}+Shift+1" =
-        "move container to workspace number 1";
-      "${shared_config.modifier}+Shift+2" =
-        "move container to workspace number 2";
-      "${shared_config.modifier}+Shift+3" =
-        "move container to workspace number 3";
-      "${shared_config.modifier}+Shift+4" =
-        "move container to workspace number 4";
-      "${shared_config.modifier}+Shift+5" =
-        "move container to workspace number 5";
-      "${shared_config.modifier}+Shift+6" =
-        "move container to workspace number 6";
-      "${shared_config.modifier}+Shift+7" =
-        "move container to workspace number 7";
-      "${shared_config.modifier}+Shift+8" =
-        "move container to workspace number 8";
-      "${shared_config.modifier}+Shift+9" =
-        "move container to workspace number 9";
-      "${shared_config.modifier}+Shift+0" =
-        "move container to workspace number 10";
-
-      "${shared_config.modifier}+Shift+c" = "reload";
-      "${shared_config.modifier}+Shift+r" = "restart";
-
-      "${shared_config.modifier}+r" = "mode resize";
-
-      "XF86MonBrightnessUp" = "exec brightnessctl s +5%";
-      "XF86MonBrightnessDown" = "exec brightnessctl s 5%-";
-    };
-  } cfg.extraSharedConfig;
-in {
-  options.home.i3_sway = {
-    extraSharedConfig = mkOption {
-      default = {};
-    };
-    extraI3Config = mkOption {
-      default = {};
-    };
-    extraSwayConfig = mkOption {
-      default = {};
-    };
-  };
-
-  config = {
-    xsession.windowManager.i3 = let
-      base_i3_config = recursiveUpdate shared_config {
-        keybindings = {
-          "${shared_config.modifier}+Shift+e" =
-            "exec i3-nagbar -t warning -m 'Do you want to exit i3?' -b 'Yes' 'i3-msg exit'";
-        };
-      };
-    in {
-      enable = true;
-      config = recursiveUpdate base_i3_config cfg.extraI3Config;
-    };
-
-    wayland.windowManager.sway = let
-      base_sway_config = recursiveUpdate shared_config {
-        keybindings = {
-          "${shared_config.modifier}+Shift+e" =
-            "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
-        };
-        input = {
-          "type:keyboard" = {
-            xkb_options = "caps:escape";
-          };
-          "type:touchpad" = {
-            tap = "enabled";
-            tap_button_map = "lrm";
-            drag = "enabled";
-            natural_scroll = "disabled";
-            dwt = "enabled";
-          };
-        };
-      };
-    in {
-      enable = true;
-      config = recursiveUpdate base_sway_config cfg.extraSwayConfig;
-    };
-  };
-}

home/modules/plasma-manager/default.nix

@@ -1,127 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-
-# The current KDE config can be output with the command:
-# nix run github:nix-community/plasma-manager
-#
-# Plasma-manager options documentation
-# https://nix-community.github.io/plasma-manager/options.xhtml
-#
-# TODO: (ambitious) Add Kmail support to plasma-manager
-{
-  programs.plasma = {
-    enable = true;
-    overrideConfig = true;
-
-    hotkeys.commands."launch-konsole" = {
-      name = "Launch Konsole";
-      key = "Meta+Return";
-      command = "konsole";
-    };
-
-    shortcuts = {
-      kmix = {
-        "decrease_microphone_volume" = "Microphone Volume Down";
-        "decrease_volume" = "Volume Down";
-        "decrease_volume_small" = "Shift+Volume Down";
-        "increase_microphone_volume" = "Microphone Volume Up";
-        "increase_volume" = "Volume Up";
-        "increase_volume_small" = "Shift+Volume Up";
-        "mic_mute" = ["Microphone Mute" "Meta+Volume Mute,Microphone Mute" "Meta+Volume Mute,Mute Microphone"];
-        "mute" = "Volume Mute";
-      };
-
-      mediacontrol = {
-        "mediavolumedown" = "none,,Media volume down";
-        "mediavolumeup" = "none,,Media volume up";
-        "nextmedia" = "Media Next";
-        "pausemedia" = "Media Pause";
-        "playmedia" = "none,,Play media playback";
-        "playpausemedia" = "Media Play";
-        "previousmedia" = "Media Previous";
-        "stopmedia" = "Media Stop";
-      };
-
-      ksmserver = {
-        "Lock Session" = ["Meta+Ctrl+Q" "Screensaver" "Screensaver,Lock Session"];
-      };
-
-      kwin = {
-        "Window Close" = "Meta+Shift+Q";
-        "Kill Window" = "Meta+Ctrl+Esc";
-        "Window Operations Menu" = "Alt+F3";
-        "Window Resize" = "Meta+R,,Resize Window";
-
-        "Overview" = "Meta+W";
-        "Grid View" = "Meta+G";
-        "Edit Tiles" = "Meta+T";
-
-        "Activate Window Demanding Attention" = "Meta+Ctrl+A";
-
-        "Show Desktop" = "Meta+D";
-
-        "Walk Through Windows" = "Alt+Tab";
-        "Walk Through Windows (Reverse)" = "Alt+Shift+Tab";
-        "Walk Through Windows of Current Application" = "Alt+`";
-        "Walk Through Windows of Current Application (Reverse)" = "Alt+~";
-        "Window Fullscreen" = "Meta+Shift+F,,Make Window Fullscreen";
-
-        "Window Quick Tile Bottom" = "Meta+Down";
-        "Window Quick Tile Left" = "Meta+Left";
-        "Window Quick Tile Right" = "Meta+Right";
-        "Window Quick Tile Top" = "Meta+Up";
-
-        "view_actual_size" = "Meta+0";
-        "view_zoom_in" = ["Meta++" "Meta+=,Meta++" "Meta+=,Zoom In"];
-        "view_zoom_out" = "Meta+-";
-      };
-      "org_kde_powerdevil"."Decrease Keyboard Brightness" = "Keyboard Brightness Down";
-      "org_kde_powerdevil"."Decrease Screen Brightness" = "Monitor Brightness Down";
-      "org_kde_powerdevil"."Decrease Screen Brightness Small" = "Shift+Monitor Brightness Down";
-      "org_kde_powerdevil"."Hibernate" = "Hibernate";
-      "org_kde_powerdevil"."Increase Keyboard Brightness" = "Keyboard Brightness Up";
-      "org_kde_powerdevil"."Increase Screen Brightness" = "Monitor Brightness Up";
-      "org_kde_powerdevil"."Increase Screen Brightness Small" = "Shift+Monitor Brightness Up";
-      "org_kde_powerdevil"."PowerDown" = "Power Down";
-      "org_kde_powerdevil"."PowerOff" = "Power Off";
-      "org_kde_powerdevil"."Sleep" = "Sleep";
-      "org_kde_powerdevil"."Toggle Keyboard Backlight" = "Keyboard Light On/Off";
-      "org_kde_powerdevil"."Turn Off Screen" = [ ];
-      "org_kde_powerdevil"."powerProfile" = ["Battery" "Meta+B,Battery" "Meta+B,Switch Power Profile"];
-
-      plasmashell = {
-        "activate application launcher" = ["Meta" "Alt+F1,Meta" "Alt+F1,Activate Application Launcher"];
-        "activate task manager entry 1" = "none,,";
-        "activate task manager entry 2" = "none,,";
-        "activate task manager entry 3" = "none,,";
-        "activate task manager entry 4" = "none,,";
-        "activate task manager entry 5" = "none,,";
-        "activate task manager entry 6" = "none,,";
-        "activate task manager entry 7" = "none,,";
-        "activate task manager entry 8" = "none,,";
-        "activate task manager entry 9" = "none,,";
-        "activate task manager entry 10" = "none,,";
-        "show activity switcher" = "none,,";
-      };
-    };
-
-    configFile = {
-      kwinrc.Desktops.Number = {
-        value = 10;
-        immutable = true;
-      };
-
-      kcminputrc.Libinput = {
-        AccelerationProfile = "adaptive";
-        PointerAcceleration = 0.5;
-      };
-
-      kcminputrc.Mouse = {
-        X11LibInputXAccelProfileFlat = false;
-        XLbInptAccelProfileFlat = false;
-      };
-
-      kdeglobals.KDE.LookAndFeelPackage = "org.kde.breezedark.desktop";
-    };
-  };
-}

home/modules/tmux/default.nix

@@ -1,52 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  tokyo-night = pkgs.tmuxPlugins.mkTmuxPlugin {
-    pluginName = "tokyo-night";
-    rtpFilePath = "tokyo-night.tmux";
-    version = "1.6.1";
-    src = pkgs.fetchFromGitHub {
-      owner = "janoamaral";
-      repo = "tokyo-night-tmux";
-      rev = "d610ced20d5f602a7995854931440e4a1e0ab780";
-      sha256 = "sha256-17vEgkL7C51p/l5gpT9dkOy0bY9n8l0/LV51mR1k+V8=";
-    };
-  };
-in
-{
-  programs.tmux.enable = true;
-  programs.tmux.terminal = "tmux-direct";
-  programs.tmux.keyMode = "vi";
-  programs.tmux.escapeTime = 0;
-  programs.tmux.mouse = true;
-  programs.tmux.newSession = true;
-  programs.tmux.historyLimit = 50000;
-  programs.tmux.clock24 = true;
-  programs.tmux.baseIndex = 1;
-  programs.tmux.prefix = "M-\\\\";
-
-  programs.tmux.plugins = with pkgs; [
-    tmuxPlugins.cpu
-    tmuxPlugins.battery
-    tmuxPlugins.better-mouse-mode
-    tmuxPlugins.net-speed
-    tmuxPlugins.online-status
-    tmuxPlugins.pain-control
-    tmuxPlugins.tilish
-    tmuxPlugins.yank
-
-    {
-      plugin = tmuxPlugins.resurrect;
-      extraConfig = "set -g @resurrect-strategy-nvim 'session'";
-    }
-    {
-      plugin = tmuxPlugins.continuum;
-      extraConfig = ''
-        set -g @continuum-restore 'on'
-        set -g @continuum-save-interval '15' # minutes
-      '';
-    }
-
-    tokyo-night
-  ];
-}

home/roles/3d-printing/default.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles."3d-printing";
+in
+{
+  options.home.roles."3d-printing" = {
+    enable = mkEnableOption "Enable 3D printing applications and tools";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      # 3D Slicing Software
+      orca-slicer  # G-code generator for 3D printers (Bambu, Prusa, Voron, etc.)
+
+      # 3D Modeling Software
+      openscad-unstable  # 3D parametric model compiler (nightly build)
+    ];
+  };
+}

home/roles/aerospace/default.nix

@@ -0,0 +1,729 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.aerospace;
+in
+{
+  options.home.roles.aerospace = {
+    enable = mkEnableOption "AeroSpace tiling window manager for macOS";
+
+    leader = mkOption {
+      type = types.str;
+      default = "cmd";
+      description = "Leader key for aerospace shortcuts (e.g., 'cmd', 'ctrl', 'alt')";
+      example = "ctrl";
+    };
+
+    launchd.enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to enable launchd agent for auto-starting aerospace";
+    };
+
+    userSettings = mkOption {
+      type = types.attrs;
+      default = {};
+      description = ''
+        Additional aerospace configuration settings to merge with defaults.
+        Use this to override or extend the default configuration on a per-machine basis.
+      '';
+      example = literalExpression ''
+        {
+          mode.main.binding."''${leader}-custom" = "custom-command";
+        }
+      '';
+    };
+
+    autoraise = {
+      enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether to enable autoraise (auto-focus window on hover)";
+      };
+
+      pollMillis = mkOption {
+        type = types.int;
+        default = 50;
+        description = "Polling interval in milliseconds";
+      };
+
+      delay = mkOption {
+        type = types.int;
+        default = 2;
+        description = "Delay before raising window";
+      };
+
+      focusDelay = mkOption {
+        type = types.int;
+        default = 2;
+        description = "Delay before focusing window";
+      };
+    };
+
+    enableSpansDisplays = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Configure macOS Spaces to span displays (required for aerospace multi-monitor support).
+        Sets com.apple.spaces.spans-displays to true.
+
+        NOTE: This was previously set at the system level in modules/aerospace.nix,
+        but has been moved to home-manager for better modularity.
+      '';
+    };
+
+    ctrlShortcuts = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Remap common macOS Cmd shortcuts to Ctrl equivalents for all operations.
+          This makes macOS behave more like Linux.
+
+          Shortcuts remapped globally:
+          - Ctrl+N: New Window
+          - Ctrl+T: New Tab
+          - Ctrl+W: Close Tab
+          - Ctrl+S: Save / Save As
+          - Ctrl+O: Open
+          - Ctrl+F: Find
+          - Ctrl+H: Find and Replace
+          - Ctrl+P: Print
+          - Ctrl+C/V/X: Copy/Paste/Cut
+          - Ctrl+Z: Undo
+
+          NOTE: Terminal emulators like Ghostty require per-app overrides (configured separately)
+          to preserve Ctrl+C as SIGINT instead of Copy.
+        '';
+      };
+    };
+
+    sketchybar = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable SketchyBar status bar";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Only apply on Darwin systems
+    assertions = [
+      {
+        assertion = pkgs.stdenv.isDarwin;
+        message = "Aerospace role is only supported on macOS (Darwin) systems";
+      }
+    ];
+
+    # Configure macOS preferences via targets.darwin.defaults
+    targets.darwin.defaults = mkMerge [
+      # Spaces span displays (required for multi-monitor aerospace)
+      (mkIf cfg.enableSpansDisplays {
+        "com.apple.spaces" = {
+          spans-displays = true;
+        };
+      })
+
+      # Ctrl shortcuts to make macOS behave more like Linux
+      (mkIf cfg.ctrlShortcuts.enable {
+        NSGlobalDomain.NSUserKeyEquivalents = {
+          # Window/Tab operations
+          "New Window" = "^n";
+          "New Tab" = "^t";
+          "Close Tab" = "^w";
+          # File operations
+          "Save" = "^s";
+          "Save As…" = "^$s";  # Ctrl+Shift+S
+          "Open" = "^o";
+          "Open…" = "^o";
+          # Find operations
+          "Find" = "^f";
+          "Find…" = "^f";
+          "Find and Replace" = "^h";
+          "Find and Replace…" = "^h";
+          # Print
+          "Print" = "^p";
+          "Print…" = "^p";
+          # Clipboard operations
+          "Copy" = "^c";
+          "Paste" = "^v";
+          "Cut" = "^x";
+          # Undo/Redo
+          "Undo" = "^z";
+          "Redo" = "^$z";  # Ctrl+Shift+Z
+        };
+      })
+
+      # Ghostty-specific overrides to preserve terminal behavior
+      # Remap clipboard operations back to Cmd (macOS default) so Ctrl+C remains SIGINT
+      (mkIf cfg.ctrlShortcuts.enable {
+        "com.mitchellh.ghostty".NSUserKeyEquivalents = {
+          # Remap back to Cmd for clipboard operations
+          "Copy" = "@c";    # Cmd+C
+          "Paste" = "@v";   # Cmd+V
+          "Cut" = "@x";     # Cmd+X
+          "Undo" = "@z";    # Cmd+Z
+          "Redo" = "@$z";   # Cmd+Shift+Z
+        };
+      })
+    ];
+
+    # Install aerospace package and optional tools if enabled
+    home.packages = [ pkgs.aerospace ]
+      ++ optionals cfg.autoraise.enable [ pkgs.autoraise ]
+      ++ optionals cfg.sketchybar.enable [ pkgs.sketchybar pkgs.sketchybar-app-font ];
+
+    # Enable and configure aerospace
+    programs.aerospace.enable = true;
+    programs.aerospace.launchd.enable = cfg.launchd.enable;
+    programs.aerospace.userSettings = mkMerge [
+      # Default configuration with leader key substitution
+      {
+        # Disable normalizations for i3-like behavior
+        enable-normalization-flatten-containers = false;
+        enable-normalization-opposite-orientation-for-nested-containers = false;
+
+        mode.main.binding = {
+          "${cfg.leader}-w" = "layout accordion horizontal";  # tabbed
+          "${cfg.leader}-s" = "layout accordion vertical";    # stacking
+          "${cfg.leader}-e" = "layout tiles horizontal vertical";  # tiles, toggles orientation
+          "${cfg.leader}-shift-q" = "close";
+          "${cfg.leader}-shift-f" = "fullscreen";
+          "${cfg.leader}-h" = "focus left";
+          "${cfg.leader}-j" = "focus down";
+          "${cfg.leader}-k" = "focus up";
+          "${cfg.leader}-l" = "focus right";
+          "${cfg.leader}-shift-h" = "move left";
+          "${cfg.leader}-shift-j" = "move down";
+          "${cfg.leader}-shift-k" = "move up";
+          "${cfg.leader}-shift-l" = "move right";
+          "${cfg.leader}-r" = "mode resize";
+          "${cfg.leader}-1" = "workspace 1";
+          "${cfg.leader}-2" = "workspace 2";
+          "${cfg.leader}-3" = "workspace 3";
+          "${cfg.leader}-4" = "workspace 4";
+          "${cfg.leader}-5" = "workspace 5";
+          "${cfg.leader}-6" = "workspace 6";
+          "${cfg.leader}-7" = "workspace 7";
+          "${cfg.leader}-8" = "workspace 8";
+          "${cfg.leader}-9" = "workspace 9";
+          "${cfg.leader}-0" = "workspace 10";
+          "${cfg.leader}-shift-1" = "move-node-to-workspace 1";
+          "${cfg.leader}-shift-2" = "move-node-to-workspace 2";
+          "${cfg.leader}-shift-3" = "move-node-to-workspace 3";
+          "${cfg.leader}-shift-4" = "move-node-to-workspace 4";
+          "${cfg.leader}-shift-5" = "move-node-to-workspace 5";
+          "${cfg.leader}-shift-6" = "move-node-to-workspace 6";
+          "${cfg.leader}-shift-7" = "move-node-to-workspace 7";
+          "${cfg.leader}-shift-8" = "move-node-to-workspace 8";
+          "${cfg.leader}-shift-9" = "move-node-to-workspace 9";
+          "${cfg.leader}-shift-0" = "move-node-to-workspace 10";
+          "${cfg.leader}-tab" = "workspace-back-and-forth";
+          "${cfg.leader}-shift-tab" = "move-workspace-to-monitor --wrap-around next";
+
+          "${cfg.leader}-enter" = ''
+            exec-and-forget osascript <<'APPLESCRIPT'
+            tell application "Ghostty"
+                activate
+                tell application "System Events"
+                    keystroke "n" using {command down}
+                end tell
+            end tell
+            APPLESCRIPT
+          '';
+
+          "${cfg.leader}-shift-enter" = ''
+            exec-and-forget osascript <<'APPLESCRIPT'
+            tell application "Google Chrome"
+                set newWindow to make new window
+                activate
+                tell newWindow to set index to 1
+            end tell
+            APPLESCRIPT
+          '';
+
+          "${cfg.leader}-shift-e" = "exec-and-forget zsh --login -c \"emacsclient -c -n\"";
+
+          # Service mode: Deliberate aerospace window management
+          "${cfg.leader}-i" = "mode service";
+
+          # Passthrough mode: Temporarily disable aerospace to use macOS shortcuts
+          "${cfg.leader}-p" = "mode passthrough";
+        };
+
+        # Resize mode: For window resizing operations
+        mode.resize.binding = {
+          h = "resize width -50";
+          j = "resize height +50";
+          k = "resize height -50";
+          l = "resize width +50";
+
+          minus = "resize smart -50";
+          equal = "resize smart +50";
+
+          esc = "mode main";
+          enter = "mode main";
+        };
+
+        # Service mode: For deliberate aerospace window management operations
+        mode.service.binding = {
+          esc = ["reload-config" "mode main"];
+          r = ["flatten-workspace-tree" "mode main"]; # reset layout
+          f = ["layout floating tiling" "mode main"]; # Toggle between floating and tiling layout
+          backspace = ["close-all-windows-but-current" "mode main"];
+
+          "${cfg.leader}-shift-h" = ["join-with left" "mode main"];
+          "${cfg.leader}-shift-j" = ["join-with down" "mode main"];
+          "${cfg.leader}-shift-k" = ["join-with up" "mode main"];
+          "${cfg.leader}-shift-l" = ["join-with right" "mode main"];
+        };
+
+        # Passthrough mode: All shortcuts pass through to macOS
+        mode.passthrough.binding = {
+          esc = "mode main";
+          "${cfg.leader}-p" = "mode main";
+        };
+
+        # SketchyBar integration - notify bar of workspace changes
+        exec-on-workspace-change = mkIf cfg.sketchybar.enable [
+          "/bin/bash" "-c"
+          "${pkgs.sketchybar}/bin/sketchybar --trigger aerospace_workspace_change FOCUSED=$AEROSPACE_FOCUSED_WORKSPACE PREV=$AEROSPACE_PREV_WORKSPACE"
+        ];
+      }
+      # Gaps configuration - prevent windows from overlapping SketchyBar
+      (mkIf cfg.sketchybar.enable {
+        gaps = {
+          outer = {
+            top = 0;
+            bottom = 38;
+            left = 0;
+            right = 0;
+          };
+        };
+      })
+      cfg.userSettings
+    ];
+
+    # Launchd agent for autoraise
+    launchd.agents.autoraise = mkIf cfg.autoraise.enable {
+      enable = true;
+      config = {
+        ProgramArguments = [
+          "${pkgs.autoraise}/bin/AutoRaise"
+          "-pollMillis" (toString cfg.autoraise.pollMillis)
+          "-delay" (toString cfg.autoraise.delay)
+          "-focusDelay" (toString cfg.autoraise.focusDelay)
+        ];
+        RunAtLoad = true;
+        KeepAlive = true;
+      };
+    };
+
+    # SketchyBar configuration
+    home.file.".config/sketchybar/sketchybarrc" = mkIf cfg.sketchybar.enable {
+      executable = true;
+      onChange = "${pkgs.sketchybar}/bin/sketchybar --reload";
+      text = ''
+        #!/bin/bash
+
+        # Plugin directory
+        PLUGIN_DIR="$HOME/.config/sketchybar/plugins"
+
+        # Colors - i3/sway theme with exact color matching
+        # Focused window/workspace color from i3/sway
+        FOCUSED=0xff285577
+
+        # Background colors matching i3blocks bar
+        BAR_BG=0xff333333          # Dark gray
+        ITEM_BG=0xff333333         # Dark gray matching bar
+
+        # Text colors
+        TEXT=0xffffffff            # White text
+        GRAY=0xff888888            # Muted text for inactive items
+
+        # Accent colors for warnings
+        WARNING=0xffff9900
+        CRITICAL=0xff900000
+
+        # Configure the bar appearance
+        ${pkgs.sketchybar}/bin/sketchybar --bar \
+            position=bottom \
+            height=30 \
+            color=$BAR_BG \
+            border_width=0 \
+            corner_radius=0 \
+            padding_left=10 \
+            padding_right=10 \
+            shadow=off \
+            topmost=on \
+            sticky=on
+
+        # Set default properties for all items
+        # Using monospace font to match waybar's Fira Code styling
+        ${pkgs.sketchybar}/bin/sketchybar --default \
+            updates=when_shown \
+            icon.font="Fira Code:Regular:13.0" \
+            icon.color=$TEXT \
+            icon.padding_left=4 \
+            icon.padding_right=4 \
+            label.font="Fira Code:Regular:13.0" \
+            label.color=$TEXT \
+            label.padding_left=4 \
+            label.padding_right=4 \
+            padding_left=4 \
+            padding_right=4 \
+            background.corner_radius=0 \
+            background.height=30
+
+        # Register aerospace workspace change event
+        ${pkgs.sketchybar}/bin/sketchybar --add event aerospace_workspace_change
+
+        # Create workspace indicators for workspaces 1-10
+        for sid in 1 2 3 4 5 6 7 8 9 10; do
+            # Display "0" for workspace 10
+            if [ "$sid" = "10" ]; then
+                display="0"
+            else
+                display="$sid"
+            fi
+
+            ${pkgs.sketchybar}/bin/sketchybar --add item space.$sid left \
+                --subscribe space.$sid aerospace_workspace_change \
+                --set space.$sid \
+                    drawing=on \
+                    update_freq=2 \
+                    width=32 \
+                    background.color=$ITEM_BG \
+                    background.corner_radius=0 \
+                    background.height=30 \
+                    background.drawing=on \
+                    icon="$display" \
+                    icon.padding_left=13 \
+                    icon.padding_right=11 \
+                    icon.align=center \
+                    label.drawing=off \
+                    click_script="${pkgs.aerospace}/bin/aerospace workspace $sid" \
+                    script="$PLUGIN_DIR/aerospace.sh $sid"
+        done
+
+        # System monitoring modules (right side)
+        # Note: Items added to 'right' appear in reverse order (last added = leftmost)
+        # Adding in reverse to get: disk | cpu | memory | battery | volume | calendar
+        ${pkgs.sketchybar}/bin/sketchybar --add item calendar right \
+                   --set calendar \
+                       icon="📅" \
+                       update_freq=30 \
+                       background.color=$ITEM_BG \
+                       background.drawing=on \
+                       script="$PLUGIN_DIR/calendar.sh"
+
+        ${pkgs.sketchybar}/bin/sketchybar --add item volume right \
+                   --set volume \
+                       background.color=$ITEM_BG \
+                       background.drawing=on \
+                       script="$PLUGIN_DIR/volume.sh" \
+                   --subscribe volume volume_change
+
+        ${pkgs.sketchybar}/bin/sketchybar --add item battery right \
+                   --set battery \
+                       update_freq=120 \
+                       background.color=$ITEM_BG \
+                       background.drawing=on \
+                       script="$PLUGIN_DIR/battery.sh" \
+                   --subscribe battery system_woke power_source_change
+
+        ${pkgs.sketchybar}/bin/sketchybar --add item memory right \
+                   --set memory \
+                       update_freq=5 \
+                       icon="🐏" \
+                       background.color=$ITEM_BG \
+                       background.drawing=on \
+                       script="$PLUGIN_DIR/memory.sh"
+
+        ${pkgs.sketchybar}/bin/sketchybar --add item cpu right \
+                   --set cpu \
+                       update_freq=2 \
+                       icon="🧠" \
+                       background.color=$ITEM_BG \
+                       background.drawing=on \
+                       script="$PLUGIN_DIR/cpu.sh"
+
+        ${pkgs.sketchybar}/bin/sketchybar --add item disk right \
+                   --set disk \
+                       update_freq=60 \
+                       icon="💾" \
+                       background.color=$ITEM_BG \
+                       background.drawing=on \
+                       script="$PLUGIN_DIR/disk.sh"
+
+        # Menu bar extras / system tray items (rightmost)
+        # Note: Requires Screen Recording permission for SketchyBar in System Settings
+        # Use 'sketchybar --query default_menu_items' to discover available items
+
+        # Bluetooth
+        ${pkgs.sketchybar}/bin/sketchybar --add alias "Control Center,Bluetooth" right \
+            --set "Control Center,Bluetooth" \
+                alias.update_freq=1 \
+                padding_left=0 \
+                padding_right=0
+
+        # WiFi
+        ${pkgs.sketchybar}/bin/sketchybar --add alias "Control Center,WiFi" right \
+            --set "Control Center,WiFi" \
+                alias.update_freq=1 \
+                padding_left=0 \
+                padding_right=0
+
+        # Add other menu bar apps as discovered
+        # Common examples:
+        # - Cloudflare WARP: --add alias "Cloudflare WARP,Item-0" right
+        # - Notion Calendar: --add alias "Notion Calendar,Item-0" right
+        # Run 'sketchybar --query default_menu_items' to find exact names
+
+        # Update the bar
+        ${pkgs.sketchybar}/bin/sketchybar --update
+      '';
+    };
+
+    # SketchyBar aerospace workspace plugin
+    home.file.".config/sketchybar/plugins/aerospace.sh" = mkIf cfg.sketchybar.enable {
+      executable = true;
+      text = ''
+        #!/bin/bash
+
+        # Colors
+        FOCUSED_COLOR=0xff285577
+        ITEM_BG=0xff333333
+        TEXT=0xffffffff
+        GRAY=0xff555555
+
+        # Get the currently focused workspace directly from aerospace
+        # Trim whitespace to ensure clean comparison
+        FOCUSED=$(${pkgs.aerospace}/bin/aerospace list-workspaces --focused | tr -d ' \n\r')
+
+        # Get list of empty workspaces
+        EMPTY_WORKSPACES=$(${pkgs.aerospace}/bin/aerospace list-workspaces --monitor all --empty)
+
+        # Get workspace number - from $1 if provided (event-triggered), otherwise extract from $NAME (routine update)
+        # $NAME is always available (e.g., "space.1", "space.2", etc.)
+        # $1 is only available when called via event trigger with positional argument
+        if [ -n "$1" ]; then
+            WORKSPACE_NUM=$(echo "$1" | tr -d ' \n\r')
+        else
+            # Extract number from item name: "space.1" -> "1", "space.10" -> "10"
+            WORKSPACE_NUM=$(echo "$NAME" | sed 's/space\.//')
+        fi
+
+        # Check if workspace has windows (is NOT empty)
+        IS_EMPTY=false
+        if echo "$EMPTY_WORKSPACES" | grep -q "^$WORKSPACE_NUM$"; then
+            IS_EMPTY=true
+        fi
+
+        # Check if this workspace is focused
+        IS_FOCUSED=false
+        if [ "$WORKSPACE_NUM" = "$FOCUSED" ]; then
+            IS_FOCUSED=true
+        fi
+
+        # Determine display value (workspace 10 displays as "0")
+        if [ "$WORKSPACE_NUM" = "10" ]; then
+            DISPLAY="0"
+        else
+            DISPLAY="$WORKSPACE_NUM"
+        fi
+
+        # Determine visibility and styling
+        # Always show focused workspace (even if empty) with fixed width
+        # Hide non-focused empty workspaces by setting width to 0 (collapsed)
+        # Show non-focused non-empty workspaces with fixed width and inactive styling
+
+        if [ "$IS_FOCUSED" = "true" ]; then
+            # Focused workspace - always show with focused styling and bold font
+            ${pkgs.sketchybar}/bin/sketchybar --set space.$WORKSPACE_NUM \
+                drawing=on \
+                icon="$DISPLAY" \
+                width=32 \
+                icon.padding_left=13 \
+                icon.padding_right=11 \
+                icon.align=center \
+                background.color=$FOCUSED_COLOR \
+                background.drawing=on \
+                icon.color=$TEXT \
+                icon.font="Fira Code:Bold:13.0"
+        elif [ "$IS_EMPTY" = "true" ]; then
+            # Empty workspace (not focused) - hide by collapsing width and clearing content
+            # Using width=0 with drawing=on so updates=when_shown continues to run the script
+            ${pkgs.sketchybar}/bin/sketchybar --set space.$WORKSPACE_NUM \
+                drawing=on \
+                icon="" \
+                label="" \
+                width=0 \
+                icon.padding_left=0 \
+                icon.padding_right=0 \
+                background.drawing=off
+        else
+            # Non-empty workspace (not focused) - show with inactive styling and white text
+            ${pkgs.sketchybar}/bin/sketchybar --set space.$WORKSPACE_NUM \
+                drawing=on \
+                icon="$DISPLAY" \
+                width=32 \
+                icon.padding_left=13 \
+                icon.padding_right=11 \
+                icon.align=center \
+                background.color=$ITEM_BG \
+                background.drawing=on \
+                icon.color=$TEXT \
+                icon.font="Fira Code:Regular:13.0"
+        fi
+      '';
+    };
+
+    # SketchyBar CPU monitoring plugin
+    home.file.".config/sketchybar/plugins/cpu.sh" = mkIf cfg.sketchybar.enable {
+      executable = true;
+      text = ''
+        #!/bin/bash
+
+        CORE_COUNT=$(sysctl -n machdep.cpu.thread_count)
+        CPU_INFO=$(ps -eo pcpu,user)
+        CPU_SYS=$(echo "$CPU_INFO" | grep -v $(whoami) | sed "s/[^ 0-9\.]//g" | awk "{sum+=\$1} END {print sum/(100.0 * $CORE_COUNT)}")
+        CPU_USER=$(echo "$CPU_INFO" | grep $(whoami) | sed "s/[^ 0-9\.]//g" | awk "{sum+=\$1} END {print sum/(100.0 * $CORE_COUNT)}")
+        CPU_PERCENT="$(echo "$CPU_SYS $CPU_USER" | awk '{printf "%.0f\n", ($1 + $2)*100}')"
+
+        ${pkgs.sketchybar}/bin/sketchybar --set $NAME label="$CPU_PERCENT%"
+      '';
+    };
+
+    # SketchyBar memory monitoring plugin
+    # Shows actual memory pressure (excludes file cache/inactive pages)
+    home.file.".config/sketchybar/plugins/memory.sh" = mkIf cfg.sketchybar.enable {
+      executable = true;
+      text = ''
+        #!/bin/bash
+
+        # Use awk for all arithmetic to avoid bash integer overflow on large RAM systems
+        # Memory pressure = Anonymous (app memory) + Wired + Compressor RAM
+        # - Anonymous pages: app-allocated memory (heap, stack) - matches Activity Monitor's "App Memory"
+        # - Wired: kernel/system memory that can't be paged out
+        # - Pages occupied by compressor: actual RAM used by compressor (NOT "stored in compressor")
+        TOTAL_RAM=$(sysctl -n hw.memsize)
+        MEMORY_PERCENT=$(vm_stat | awk -v total_ram="$TOTAL_RAM" '
+          /page size of/ { page_size = $8 }
+          /Anonymous pages/ { anon = $3 + 0 }
+          /Pages wired/ { wired = $4 + 0 }
+          /Pages occupied by compressor/ { compressor = $5 + 0 }
+          END {
+            used = (anon + wired + compressor) * page_size
+            printf "%.0f", used / total_ram * 100
+          }
+        ')
+
+        ${pkgs.sketchybar}/bin/sketchybar --set $NAME label="$MEMORY_PERCENT%"
+      '';
+    };
+
+    # SketchyBar disk monitoring plugin
+    home.file.".config/sketchybar/plugins/disk.sh" = mkIf cfg.sketchybar.enable {
+      executable = true;
+      text = ''
+        #!/bin/bash
+
+        # Monitor /System/Volumes/Data which contains user data on APFS
+        # The root / is a read-only snapshot with minimal usage
+        DISK_USAGE=$(df -H /System/Volumes/Data | grep -v Filesystem | awk '{print $5}')
+
+        ${pkgs.sketchybar}/bin/sketchybar --set $NAME label="$DISK_USAGE"
+      '';
+    };
+
+    # SketchyBar battery monitoring plugin
+    home.file.".config/sketchybar/plugins/battery.sh" = mkIf cfg.sketchybar.enable {
+      executable = true;
+      text = ''
+        #!/bin/bash
+
+        PERCENTAGE=$(pmset -g batt | grep -Eo "\d+%" | cut -d% -f1)
+        CHARGING=$(pmset -g batt | grep 'AC Power')
+
+        if [ "$PERCENTAGE" = "" ]; then
+            exit 0
+        fi
+
+        # Select icon based on battery level
+        case ''${PERCENTAGE} in
+            9[0-9]|100) ICON="🔋"
+            ;;
+            [6-8][0-9]) ICON="🔋"
+            ;;
+            [3-5][0-9]) ICON="🔋"
+            ;;
+            [1-2][0-9]) ICON="🔋"
+            ;;
+            *) ICON="🪫"
+        esac
+
+        # Show charging icon if connected to power
+        if [[ $CHARGING != "" ]]; then
+            ICON="⚡"
+        fi
+
+        ${pkgs.sketchybar}/bin/sketchybar --set $NAME icon="$ICON" label="''${PERCENTAGE}%"
+      '';
+    };
+
+    # SketchyBar volume monitoring plugin
+    home.file.".config/sketchybar/plugins/volume.sh" = mkIf cfg.sketchybar.enable {
+      executable = true;
+      text = ''
+        #!/bin/bash
+
+        if [ "$SENDER" = "volume_change" ]; then
+            VOLUME=$(osascript -e "output volume of (get volume settings)")
+            MUTED=$(osascript -e "output muted of (get volume settings)")
+
+            if [ "$MUTED" = "true" ]; then
+                ICON="🔇"
+                LABEL=""
+            else
+                case $VOLUME in
+                    [6-9][0-9]|100) ICON="🔊"
+                    ;;
+                    [3-5][0-9]) ICON="🔉"
+                    ;;
+                    *) ICON="🔈"
+                esac
+                LABEL="$VOLUME%"
+            fi
+
+            ${pkgs.sketchybar}/bin/sketchybar --set $NAME icon="$ICON" label="$LABEL"
+        fi
+      '';
+    };
+
+    # SketchyBar calendar/clock plugin
+    home.file.".config/sketchybar/plugins/calendar.sh" = mkIf cfg.sketchybar.enable {
+      executable = true;
+      text = ''
+        #!/bin/bash
+
+        ${pkgs.sketchybar}/bin/sketchybar --set $NAME label="$(date '+%Y-%m-%d %H:%M')"
+      '';
+    };
+
+    # Launchd agent for auto-starting sketchybar
+    launchd.agents.sketchybar = mkIf cfg.sketchybar.enable {
+      enable = true;
+      config = {
+        ProgramArguments = [ "${pkgs.sketchybar}/bin/sketchybar" ];
+        RunAtLoad = true;
+        KeepAlive = true;
+        StandardOutPath = "/tmp/sketchybar.log";
+        StandardErrorPath = "/tmp/sketchybar.err.log";
+      };
+    };
+  };
+}

home/roles/base-darwin/default.nix

@@ -0,0 +1,11 @@
+{
+  # Base imports for Darwin home configurations
+  # Includes Darwin-specific roles that only work on macOS
+  imports = [
+    ../aerospace
+  ];
+
+  # Override to use -d instead of --delete-older-than on Darwin due to launchd bug
+  # https://github.com/nix-community/home-manager/issues/7211
+  nix.gc.options = "-d";
+}

home/roles/base-linux/default.nix

@@ -0,0 +1,9 @@
+{
+  # Base imports for Linux home configurations
+  # Includes Linux-specific roles that require Linux-only home-manager modules
+  imports = [
+    ../plasma-manager
+    ../plasma-manager-kodi
+    ../i3+sway
+  ];
+}

home/roles/base/default.nix

@@ -0,0 +1,104 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.home.roles.base;
+in
+{
+  options.home.roles.base = {
+    enable = mkEnableOption "Enable base CLI tools and essential programs";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      fd
+      glances
+      gzip
+      htop
+      killall
+      less
+      lnav
+      ncdu
+      shellcheck
+      tmux
+      tree
+      watch
+      custom.opencode
+    ];
+
+    # Automatic garbage collection for user profile (home-manager generations).
+    # This complements system-level gc which only cleans system generations.
+    # - Linux: Uses --delete-older-than to keep 10-day rollback window
+    # - Darwin: Overridden to use -d in base-darwin role to avoid launchd bug
+    #   (https://github.com/nix-community/home-manager/issues/7211)
+    nix.gc = {
+      automatic = true;
+      randomizedDelaySec = mkIf pkgs.stdenv.isLinux "14m";
+      options = lib.mkDefault "--delete-older-than 10d";
+    };
+
+    # Essential programs everyone needs
+    programs.bash = {
+      enable = true;
+      initExtra = ''
+        codex() {
+          local key
+          key="$(rbw get openai-api-key-codex)"
+          OPENAI_API_KEY="$key" command codex "$@"
+        }
+      '';
+    };
+
+    programs.home-manager.enable = true;
+    programs.command-not-found.enable = true;
+
+    programs.git = {
+      enable = true;
+      signing.format = null;
+      settings = {
+        user.name = "John Ogle";
+        user.email = "john@ogle.fyi";
+        safe.directory = "/etc/nixos";
+      };
+    };
+
+    programs.jq.enable = true;
+
+    programs.neovim = {
+      enable = true;
+      viAlias = true;
+      vimAlias = true;
+    };
+
+    programs.ssh = {
+      enable = true;
+      enableDefaultConfig = false;
+      matchBlocks = {
+        "*" = {
+          addKeysToAgent = "yes";
+        };
+        "nucdeb1" = {
+          hostname = "nucdeb1.oglehome";
+          user = "root";
+        };
+      };
+    };
+
+    programs.rbw = {
+      enable = true;
+      settings = {
+        email = "john@johnogle.info";
+        base_url = "https://bitwarden.johnogle.info";
+        pinentry = pkgs.pinentry-qt;
+      };
+    };
+
+    # Note: modules must be imported at top-level home config
+  };
+}

home/roles/communication/default.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, globalInputs, system, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.communication;
+  isLinux = pkgs.stdenv.isLinux;
+in
+{
+  options.home.roles.communication = {
+    enable = mkEnableOption "Enable communication and messaging applications";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = [
+      # For logging back into google chat (cross-platform)
+      globalInputs.google-cookie-retrieval.packages.${system}.default
+    ] ++ optionals isLinux [
+      # Linux-only communication apps (Electron apps don't build on Darwin)
+      pkgs.element-desktop
+      # Re-enabled in 25.11 after security issues were resolved
+      pkgs.fluffychat
+      pkgs.custom.nextcloud-talk-desktop
+    ];
+  };
+}

home/roles/default.nix

@@ -0,0 +1,23 @@
+{
+  # Shared roles that work across all platforms (Linux, Darwin, etc.)
+  # Platform-specific roles are imported via base-linux or base-darwin
+  # in each home configuration file
+  imports = [
+    ./3d-printing
+    ./base
+    ./communication
+    ./desktop
+    ./development
+    ./email
+    ./gaming
+    ./kdeconnect
+    ./kubectl
+    ./launchers
+    ./media
+    ./office
+    ./sync
+    ./tmux
+    ./emacs
+    ./starship
+  ];
+}

home/roles/desktop/default.nix

@@ -0,0 +1,210 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.desktop;
+  isLinux = pkgs.stdenv.isLinux;
+in
+{
+  options.home.roles.desktop = {
+    enable = mkEnableOption "Enable desktop GUI applications and utilities";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      # Cross-platform desktop applications
+      bitwarden-desktop
+      keepassxc
+      xdg-utils # XDG utilities for opening files/URLs with default applications
+    ] ++ optionals isLinux [
+      # Linux-only desktop applications
+      dunst
+      unstable.ghostty
+
+      # Linux-only desktop utilities
+      feh # Image viewer and wallpaper setter for X11
+      rofi # Application launcher for X11
+      solaar # Logitech management software
+      waybar
+      wofi # Application launcher for Wayland
+
+      # Linux-only system utilities with GUI components
+      (snapcast.override { pulseaudioSupport = true; })
+
+      # KDE tiling window management (Linux-only)
+      kdePackages.krohnkite  # Dynamic tiling extension for KWin 6
+
+      # KDE PIM applications for email, calendar, and contacts (Linux-only)
+      kdePackages.kmail
+      kdePackages.kmail-account-wizard
+      kdePackages.kmailtransport
+      kdePackages.korganizer
+      kdePackages.kaddressbook
+      kdePackages.kontact
+
+      # KDE System components needed for proper integration (Linux-only)
+      kdePackages.kded
+      kdePackages.systemsettings
+      kdePackages.kmenuedit
+
+      # Desktop menu support (Linux-only)
+      kdePackages.plasma-desktop # Contains applications.menu
+
+      # KDE Online Accounts support (Linux-only)
+      kdePackages.kaccounts-integration
+      kdePackages.kaccounts-providers
+      kdePackages.signond
+
+      # KDE Mapping (Linux-only)
+      kdePackages.marble  # Virtual globe and world atlas
+
+      # KDE Productivity (Linux-only)
+      kdePackages.kate        # Advanced text editor with syntax highlighting
+      kdePackages.okular      # Universal document viewer (PDF, ePub, etc.)
+      kdePackages.spectacle   # Screenshot capture utility
+      kdePackages.filelight   # Visual disk usage analyzer
+
+      # KDE Multimedia (Linux-only)
+      kdePackages.gwenview    # Image viewer and basic editor
+      kdePackages.elisa       # Music player
+
+      # KDE System Utilities (Linux-only)
+      kdePackages.ark         # Archive manager (zip, tar, 7z, etc.)
+      kdePackages.yakuake     # Drop-down terminal emulator
+    ];
+
+    programs.firefox = {
+      enable = true;
+    };
+
+    programs.spotify-player.enable = true;
+
+    # Linux-only: GNOME keyring service
+    services.gnome-keyring = mkIf isLinux {
+      enable = true;
+    };
+
+    # Linux-only: systemd user services for rbw vault unlock
+    systemd.user.services = mkIf isLinux {
+      # rbw vault unlock on login
+      rbw-unlock-on-login = {
+        Unit = {
+          Description = "Unlock rbw vault at login";
+          After = [ "graphical-session.target" ];
+        };
+        Service = {
+          Type = "oneshot";
+          ExecStart = "${pkgs.rbw}/bin/rbw unlock";
+          Environment = "RBW_AGENT=${pkgs.rbw}/bin/rbw-agent";
+          # KillMode = "process" prevents systemd from killing the rbw-agent daemon
+          # when this oneshot service completes. The agent is spawned by rbw unlock
+          # and needs to persist after the service exits.
+          KillMode = "process";
+        };
+        Install = {
+          WantedBy = [ "graphical-session.target" ];
+        };
+      };
+
+      # rbw vault unlock on resume from suspend
+      rbw-unlock-on-resume = {
+        Unit = {
+          Description = "Unlock rbw vault after resume from suspend";
+          After = [ "suspend.target" ];
+        };
+        Service = {
+          Type = "oneshot";
+          ExecStart = "${pkgs.rbw}/bin/rbw unlock";
+          Environment = "RBW_AGENT=${pkgs.rbw}/bin/rbw-agent";
+          # KillMode = "process" prevents systemd from killing the rbw-agent daemon
+          # when this oneshot service completes. The agent is spawned by rbw unlock
+          # and needs to persist after the service exits.
+          KillMode = "process";
+        };
+        Install = {
+          WantedBy = [ "suspend.target" ];
+        };
+      };
+    };
+
+    # Linux-only: KDE environment variables for proper integration
+    home.sessionVariables = mkIf isLinux {
+      QT_QPA_PLATFORMTHEME = "kde";
+      KDE_SESSION_VERSION = "6";
+    };
+
+    xdg = {
+      enable = true;
+
+      # Ensure desktop files are made available for discovery
+      desktopEntries = {};  # This creates the desktop files directory structure
+
+      mimeApps = {
+        enable = true;
+        associations.added = {
+          # Ensure associations are properly registered
+          "text/html" = "firefox.desktop";
+          "x-scheme-handler/http" = "firefox.desktop";
+          "x-scheme-handler/https" = "firefox.desktop";
+        };
+        defaultApplications = {
+          # Web browsers (cross-platform)
+          "text/html" = "firefox.desktop";
+          "x-scheme-handler/http" = "firefox.desktop";
+          "x-scheme-handler/https" = "firefox.desktop";
+          "x-scheme-handler/about" = "firefox.desktop";
+          "x-scheme-handler/unknown" = "firefox.desktop";
+        } // optionalAttrs isLinux {
+          # Linux-only: KDE application associations
+          # Documents
+          "application/pdf" = "okular.desktop";
+          "text/plain" = "kate.desktop";
+          "text/x-tex" = "kate.desktop";
+          "text/x-c" = "kate.desktop";
+          "text/x-python" = "kate.desktop";
+          "application/x-shellscript" = "kate.desktop";
+
+          # Images
+          "image/png" = "gwenview.desktop";
+          "image/jpeg" = "gwenview.desktop";
+          "image/jpg" = "gwenview.desktop";
+          "image/gif" = "gwenview.desktop";
+          "image/bmp" = "gwenview.desktop";
+          "image/tiff" = "gwenview.desktop";
+          "image/webp" = "gwenview.desktop";
+
+          # Archives
+          "application/zip" = "ark.desktop";
+          "application/x-tar" = "ark.desktop";
+          "application/x-compressed-tar" = "ark.desktop";
+          "application/x-7z-compressed" = "ark.desktop";
+          "application/x-rar" = "ark.desktop";
+
+          # Audio
+          "audio/mpeg" = "elisa.desktop";
+          "audio/mp4" = "elisa.desktop";
+          "audio/flac" = "elisa.desktop";
+          "audio/ogg" = "elisa.desktop";
+          "audio/wav" = "elisa.desktop";
+
+          # Email
+          "message/rfc822" = "kmail.desktop";
+          "x-scheme-handler/mailto" = "kmail.desktop";
+
+          # Calendar
+          "text/calendar" = "korganizer.desktop";
+          "application/x-vnd.akonadi.calendar.event" = "korganizer.desktop";
+        };
+      };
+    };
+
+    # Linux-only: Fix for KDE applications.menu file issue on Plasma 6
+    # KDE still looks for applications.menu but Plasma 6 renamed it to plasma-applications.menu
+    xdg.configFile."menus/applications.menu" = mkIf isLinux {
+      source = "${pkgs.kdePackages.plasma-workspace}/etc/xdg/menus/plasma-applications.menu";
+    };
+
+    # Note: modules must be imported at top-level home config
+  };
+}

home/roles/development/default.nix

@@ -0,0 +1,123 @@
+{ config, lib, pkgs, globalInputs, system, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.development;
+
+  # Fetch the claude-plugins repository (for humanlayer commands/agents)
+  # Update the rev to get newer versions of the commands
+  claudePluginsRepo = builtins.fetchGit {
+    url = "https://github.com/jeffh/claude-plugins.git";
+    # To update: change this to the latest commit hash
+    # You can find the latest commit at: https://github.com/jeffh/claude-plugins/commits/main
+    rev = "5e3e4d937162185b6d78c62022cbfd1c8ad42c4c";
+    ref = "main";
+  };
+
+  # Claude Code statusline: shows model, cwd, git branch, and context usage %
+  claudeCodeStatusLineConfig = pkgs.writeText "claude-statusline.json" (builtins.toJSON {
+    type = "command";
+    command = ''input=$(cat); model=$(echo "$input" | jq -r '.model.display_name'); cwd=$(echo "$input" | jq -r '.workspace.current_dir'); if git -C "$cwd" rev-parse --git-dir > /dev/null 2>&1; then branch=$(git -C "$cwd" --no-optional-locks rev-parse --abbrev-ref HEAD 2>/dev/null || echo ""); if [ -n "$branch" ]; then git_info=" on $branch"; else git_info=""; fi; else git_info=""; fi; usage=$(echo "$input" | jq '.context_window.current_usage'); if [ "$usage" != "null" ]; then current=$(echo "$usage" | jq '.input_tokens + .cache_creation_input_tokens + .cache_read_input_tokens'); size=$(echo "$input" | jq '.context_window.context_window_size'); pct=$((current * 100 / size)); context_info=" | ''${pct}% context"; else context_info=""; fi; printf "%s in %s%s%s" "$model" "$cwd" "$git_info" "$context_info"'';
+  });
+
+in
+{
+  options.home.roles.development = {
+    enable = mkEnableOption "Enable development tools and utilities";
+
+    allowArbitraryClaudeCodeModelSelection = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to preserve model specifications in Claude Code humanlayer commands and agents.
+
+        When false (default), the model: line is stripped from frontmatter, allowing Claude Code
+        to use its default model selection.
+
+        When true, the model: specifications from the source files are preserved, allowing
+        commands to specify opus/sonnet/haiku explicitly.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = [
+      pkgs.unstable.claude-code
+      pkgs.unstable.codex
+      pkgs.sqlite
+
+      # Custom packages
+      pkgs.custom.tea-rbw
+      pkgs.custom.pi-coding-agent
+    ];
+
+    # Install Claude Code humanlayer command and agent plugins
+    home.activation.claudeCodeCommands = lib.hm.dag.entryAfter ["writeBoundary"] ''
+      # Clean up old plugin-installed commands and agents to avoid duplicates
+      rm -f ~/.claude/commands/humanlayer:* 2>/dev/null || true
+      rm -f ~/.claude/agents/humanlayer:* 2>/dev/null || true
+
+      # Remove explicitly blocked commands that may have been installed previously
+      rm -f ~/.claude/commands/humanlayer:create_handoff.md 2>/dev/null || true
+
+      # Create directories if they don't exist
+      mkdir -p ~/.claude/commands
+      mkdir -p ~/.claude/agents
+
+      # Copy all humanlayer command files and remove model specifications
+      for file in ${claudePluginsRepo}/humanlayer/commands/*.md; do
+        if [ -f "$file" ]; then
+          filename=$(basename "$file" .md)
+
+          # Skip blocked commands
+          case "$filename" in
+            create_handoff) continue ;;
+          esac
+
+          dest="$HOME/.claude/commands/humanlayer:''${filename}.md"
+          rm -f "$dest" 2>/dev/null || true
+
+          # Copy file and conditionally remove the "model:" line from frontmatter
+          ${if cfg.allowArbitraryClaudeCodeModelSelection
+            then "cp \"$file\" \"$dest\""
+            else "${pkgs.gnused}/bin/sed '/^model:/d' \"$file\" > \"$dest\""
+          }
+          chmod u+w "$dest" 2>/dev/null || true
+        fi
+      done
+
+      # Copy all humanlayer agent files and remove model specifications
+      for file in ${claudePluginsRepo}/humanlayer/agents/*.md; do
+        if [ -f "$file" ]; then
+          filename=$(basename "$file" .md)
+          dest="$HOME/.claude/agents/humanlayer:''${filename}.md"
+          rm -f "$dest" 2>/dev/null || true
+
+          # Copy file and conditionally remove the "model:" line from frontmatter
+          ${if cfg.allowArbitraryClaudeCodeModelSelection
+            then "cp \"$file\" \"$dest\""
+            else "${pkgs.gnused}/bin/sed '/^model:/d' \"$file\" > \"$dest\""
+          }
+          chmod u+w "$dest" 2>/dev/null || true
+        fi
+      done
+
+      $DRY_RUN_CMD echo "Claude Code plugins installed: humanlayer commands/agents"
+    '';
+
+    # Configure Claude Code statusline (merge into existing settings.json)
+    home.activation.claudeCodeStatusLine = lib.hm.dag.entryAfter ["writeBoundary"] ''
+      SETTINGS="$HOME/.claude/settings.json"
+      mkdir -p "$HOME/.claude"
+      if [ -f "$SETTINGS" ]; then
+        ${pkgs.jq}/bin/jq --slurpfile sl ${claudeCodeStatusLineConfig} '.statusLine = $sl[0]' "$SETTINGS" > "''${SETTINGS}.tmp" && mv "''${SETTINGS}.tmp" "$SETTINGS"
+      else
+        ${pkgs.jq}/bin/jq -n --slurpfile sl ${claudeCodeStatusLineConfig} '{statusLine: $sl[0]}' > "$SETTINGS"
+      fi
+      $DRY_RUN_CMD echo "Claude Code statusline configured"
+    '';
+
+    # Note: modules must be imported at top-level home config
+  };
+}

home/roles/emacs/default.nix

@@ -0,0 +1,118 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.home.roles.emacs;
+
+  doomEmacs = pkgs.fetchFromGitHub {
+    owner = "doomemacs";
+    repo = "doomemacs";
+    rev = "d23bbe87721c61f4d5a605f2914b32780bb89949";
+    sha256 = "sha256-z+3c0AGkrMf1xZ+pq57aVp4Zo4KsqFMIjEVzSZinghc=";
+  };
+
+  # Shared emacs packages
+  emacsPackages = epkgs: [
+    epkgs.vterm
+    epkgs.treesit-grammars.with-all-grammars
+  ];
+
+  # Default emacs configuration with vterm support
+  defaultEmacsPackage =
+    if pkgs.stdenv.isDarwin then
+      pkgs.emacs-macport.pkgs.withPackages emacsPackages
+    else
+      pkgs.emacs.pkgs.withPackages emacsPackages;
+
+  # Path to doom config directory (relative to this file)
+  doomConfigDir = ./doom;
+in
+{
+  options.home.roles.emacs = {
+    enable = mkEnableOption "Doom Emacs with vterm and tree-sitter support";
+
+    prebuiltDoom = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Use nix-doom-emacs-unstraightened to pre-build all Doom packages at
+        nix build time. This eliminates the need to run `doom sync` after
+        first boot, making it ideal for live USB images or immutable systems.
+
+        When enabled, the doom configuration is read-only (stored in nix store).
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable (mkMerge [
+    # Common configuration for both modes
+    {
+      home.packages = [
+        pkgs.emacs-all-the-icons-fonts
+        pkgs.fira-code
+        pkgs.fontconfig
+        pkgs.graphviz
+        pkgs.isort
+        pkgs.nerd-fonts.fira-code
+        pkgs.nerd-fonts.droid-sans-mono
+        pkgs.nil # nix lsp language server
+        pkgs.nixfmt
+        (pkgs.ripgrep.override { withPCRE2 = true; })
+        pkgs.pipenv
+        pkgs.poetry
+        pkgs.python3
+      ];
+
+      fonts.fontconfig.enable = true;
+    }
+
+    # Standard Doom Emacs mode (requires doom sync at runtime)
+    (mkIf (!cfg.prebuiltDoom) {
+      programs.emacs = {
+        enable = true;
+        package = defaultEmacsPackage;
+      };
+
+      # Mount emacs and tree-sitter grammars from nix store
+      home.file = {
+        "${config.xdg.configHome}/emacs".source = doomEmacs;
+      };
+
+      home.sessionPath = [
+        "${config.xdg.configHome}/emacs/bin"
+      ];
+
+      home.sessionVariables = {
+        DOOMDIR = "${config.xdg.configHome}/doom";
+        DOOMLOCALDIR = "${config.xdg.dataHome}/doom";
+      };
+
+      # TODO: Use mkOutOfStoreSymlink instead?
+      home.activation.doomConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+        # Always remove and recreate the symlink to ensure it points to the source directory
+        rm -rf "${config.xdg.configHome}/doom"
+        ln -sf "${config.home.homeDirectory}/nixos-configs/home/roles/emacs/doom" "${config.xdg.configHome}/doom"
+      '';
+    })
+
+    # Pre-built Doom Emacs mode (no doom sync needed - ideal for live USB)
+    (mkIf cfg.prebuiltDoom {
+      programs.doom-emacs = {
+        enable = true;
+        doomDir = doomConfigDir;
+        doomLocalDir = "${config.xdg.dataHome}/doom";
+        # Add extra packages that aren't part of Doom but needed for our config
+        extraPackages = epkgs: [
+          epkgs.vterm
+          epkgs.treesit-grammars.with-all-grammars
+        ];
+      };
+    })
+  ]);
+}

home/roles/emacs/doom/config.el

@@ -0,0 +1,394 @@
+;;; $DOOMDIR/config.el -*- lexical-binding: t; -*-
+
+;; Place your private configuration here! Remember, you do not need to run 'doom
+;; sync' after modifying this file!
+
+
+;; Some functionality uses this to identify you, e.g. GPG configuration, email
+;; clients, file templates and snippets. It is optional.
+;; (setq user-full-name "John Doe"
+;;       user-mail-address "john@doe.com")
+
+;; Doom exposes five (optional) variables for controlling fonts in Doom:
+;;
+;; - `doom-font' -- the primary font to use
+;; - `doom-variable-pitch-font' -- a non-monospace font (where applicable)
+;; - `doom-big-font' -- used for `doom-big-font-mode'; use this for
+;;   presentations or streaming.
+;; - `doom-symbol-font' -- for symbols
+;; - `doom-serif-font' -- for the `fixed-pitch-serif' face
+;;
+;; See 'C-h v doom-font' for documentation and more examples of what they
+;; accept. For example:
+;;
+;;(setq doom-font (font-spec :family "Fira Code" :size 12 :weight 'semi-light)
+;;      doom-variable-pitch-font (font-spec :family "Fira Sans" :size 13))
+;;
+;; If you or Emacs can't find your font, use 'M-x describe-font' to look them
+;; up, `M-x eval-region' to execute elisp code, and 'M-x doom/reload-font' to
+;; refresh your font settings. If Emacs still can't find your font, it likely
+;; wasn't installed correctly. Font issues are rarely Doom issues!
+(setq doom-font (font-spec :family "Fira Code" :size 16))
+
+;; Auto-install nerd-icons fonts if they're missing
+(defun my/ensure-nerd-icons-fonts ()
+  "Check if nerd-icons fonts are installed and install them if missing."
+  (when (display-graphic-p)
+    (unless (find-font (font-spec :name "Symbols Nerd Font Mono"))
+      (when (fboundp 'nerd-icons-install-fonts)
+        (nerd-icons-install-fonts t)))))
+
+(add-hook 'doom-init-ui-hook #'my/ensure-nerd-icons-fonts)
+
+;; There are two ways to load a theme. Both assume the theme is installed and
+;; available. You can either set `doom-theme' or manually load a theme with the
+;; `load-theme' function. This is the default:
+(setq doom-theme 'doom-tokyo-night)
+
+;; This determines the style of line numbers in effect. If set to `nil', line
+;; numbers are disabled. For relative line numbers, set this to `relative'.
+(setq display-line-numbers-type t)
+
+;; If you use `org' and don't want your org files in the default location below,
+;; change `org-directory'. It must be set before org loads!
+(setq org-directory "~/org/")
+(after! org
+  ;; Skip recurring events past their CALDAV_UNTIL date
+  ;; org-caldav ignores UNTIL from RRULE, so we store it as a property
+  ;; and filter here in the agenda
+  (defun my/skip-if-past-until ()
+    "Return non-nil if entry has CALDAV_UNTIL and current date is past it."
+    (let ((until-str (org-entry-get nil "CALDAV_UNTIL")))
+      (when (and until-str
+                 (string-match "^\\([0-9]\\{4\\}\\)\\([0-9]\\{2\\}\\)\\([0-9]\\{2\\}\\)" until-str))
+        (let* ((until-year (string-to-number (match-string 1 until-str)))
+               (until-month (string-to-number (match-string 2 until-str)))
+               (until-day (string-to-number (match-string 3 until-str)))
+               (until-time (encode-time 0 0 0 until-day until-month until-year))
+               (today (current-time)))
+          (when (time-less-p until-time today)
+            (org-end-of-subtree t))))))
+
+  (setq org-agenda-span 'week
+        org-agenda-start-with-log-mode t
+        my-agenda-dirs '("projects" "roam")
+        org-agenda-files (cons org-directory (mapcan (lambda (x) (directory-files-recursively
+                                                                  (expand-file-name x org-directory)
+                                                                  "\.org$"))
+                                                     my-agenda-dirs))
+        org-log-done 'time
+        org-agenda-skip-function-global #'my/skip-if-past-until
+        org-agenda-custom-commands '(("n" "Agenda"
+                                      ((agenda "")
+                                       (tags-todo "-someday-recurring")))
+                                     ("s" "Someday Items"
+                                      ((tags-todo "+someday"))))
+        org-todo-keywords '((sequence "TODO(t)" "IN-PROGRESS(p)" "WAIT(w)" "|" "DONE(d)" "KILL(k)"))
+        org-journal-file-type 'weekly
+        org-journal-file-format "%Y-%m-%d.org"
+        org-capture-templates
+          '(("t" "Todo" entry (file+headline "~/org/todo.org" "Inbox")
+             "* TODO %? \n %i \n%a" :prepend t)))
+  ;; Make blocked tasks more visible in agenda (they have subtasks to do!)
+  (custom-set-faces!
+    '(org-agenda-dimmed-todo-face :foreground "#bb9af7" :weight normal)))
+
+(map! :after org-agenda
+      :map org-agenda-mode-map
+      :localleader
+      (:prefix ("v" . "view")
+       "d" #'org-agenda-day-view
+       "w" #'org-agenda-week-view))
+
+;; org-caldav: Sync Org entries with Nextcloud CalDAV
+;; Setup requirements:
+;; 1. Create Nextcloud app password: Settings -> Security -> Devices & sessions
+;; 2. Store in rbw: rbw add nextcloud-caldav (put app password as the secret)
+;; 3. Run: doom sync
+;; 4. Test: M-x my/org-caldav-sync-with-rbw (or SPC o a s)
+;;
+;; Note: Conflict resolution is "Org always wins" - treat Org as source of truth
+;; for entries that originated in Org.
+
+;; Define sync wrapper before use-package (so keybinding works)
+(defun my/org-caldav-sync-with-rbw ()
+  "Run org-caldav-sync with credentials from rbw embedded in URL."
+  (interactive)
+  (require 'org)
+  (require 'org-caldav)
+  (let* ((password (my/get-rbw-password "nextcloud-caldav"))
+         ;; Embed credentials in URL (url-encode password in case of special chars)
+         (encoded-pass (url-hexify-string password)))
+    (setq org-caldav-url
+          (format "https://johno:%s@nextcloud.johnogle.info/remote.php/dav/calendars/johno"
+                  encoded-pass))
+    (org-caldav-sync)))
+
+(use-package! org-caldav
+  :after org
+  :commands (org-caldav-sync my/org-caldav-sync-with-rbw)
+  :init
+  (map! :leader
+        (:prefix ("o" . "open")
+         (:prefix ("a" . "agenda/calendar")
+          :desc "Sync CalDAV" "s" #'my/org-caldav-sync-with-rbw)))
+  :config
+  ;; Nextcloud CalDAV base URL (credentials added dynamically by sync wrapper)
+  (setq org-caldav-url "https://nextcloud.johnogle.info/remote.php/dav/calendars/johno")
+
+  ;; Timezone for iCalendar export
+  (setq org-icalendar-timezone "America/Los_Angeles")
+
+  ;; Sync state storage (in org directory for multi-machine sync)
+  (setq org-caldav-save-directory (expand-file-name ".org-caldav/" org-directory))
+
+  ;; Backup file for entries before modification
+  (setq org-caldav-backup-file (expand-file-name ".org-caldav/backup.org" org-directory))
+
+  ;; Limit past events to 30 days (avoids uploading years of scheduled tasks)
+  (setq org-caldav-days-in-past 30)
+
+  ;; Sync behavior: bidirectional by default
+  (setq org-caldav-sync-direction 'twoway)
+
+  ;; What changes from calendar sync back to Org (conservative: title and timestamp only)
+  (setq org-caldav-sync-changes-to-org 'title-and-timestamp)
+
+  ;; Deletion handling: never auto-delete to prevent accidental mass deletion
+  (setq org-caldav-delete-calendar-entries 'never)
+  (setq org-caldav-delete-org-entries 'never)
+
+  ;; Enable TODO/VTODO sync
+  (setq org-icalendar-include-todo 'all)
+  (setq org-caldav-sync-todo t)
+
+  ;; Map VTODO percent-complete to org-todo-keywords
+  ;; Format: (PERCENT "KEYWORD") - percent thresholds map to states
+  (setq org-caldav-todo-percent-states
+        '((0 "TODO")
+          (25 "WAIT")
+          (50 "IN-PROGRESS")
+          (100 "DONE")
+          (100 "KILL")))
+
+  ;; Allow export with broken links (mu4e links can't be resolved during export)
+  (setq org-export-with-broken-links 'mark)
+
+  ;; Calendar-specific configuration
+  (setq org-caldav-calendars
+        '(;; Personal calendar: two-way sync with family-shared Nextcloud calendar
+          (:calendar-id "personal"
+           :inbox "~/org/personal-calendar.org"
+           :files ("~/org/personal-calendar.org"))
+
+          ;; Tasks calendar: one-way sync (org → calendar only)
+          ;; SCHEDULED/DEADLINE items from todo.org push to private Tasks calendar.
+          ;; No inbox = no download from calendar (effectively one-way).
+          ;; Note: Create 'tasks' calendar in Nextcloud first, keep it private.
+          (:calendar-id "tasks"
+           :files ("~/org/todo.org"))))
+
+  ;; Handle UNTIL in recurring events
+  ;; org-caldav ignores UNTIL from RRULE - events repeat forever.
+  ;; This advice extracts UNTIL and stores it as a property for agenda filtering.
+  (defun my/org-caldav-add-until-property (orig-fun eventdata-alist)
+    "Advice to store CALDAV_UNTIL property for recurring events."
+    (let ((result (funcall orig-fun eventdata-alist)))
+      (let* ((rrule-props (alist-get 'rrule-props eventdata-alist))
+             (until-str (cadr (assoc 'UNTIL rrule-props)))
+             (summary (alist-get 'summary eventdata-alist)))
+        ;; Debug: log what we're seeing
+        (message "CALDAV-DEBUG: %s | rrule-props: %S | until: %s"
+                 (or summary "?") rrule-props until-str)
+        (when until-str
+          (save-excursion
+            (org-back-to-heading t)
+            (org-entry-put nil "CALDAV_UNTIL" until-str))))
+      result))
+
+  (advice-add 'org-caldav-insert-org-event-or-todo
+              :around #'my/org-caldav-add-until-property)
+  )
+
+(defun my/get-rbw-password (alias &optional no-error)
+  "Return the password for ALIAS via rbw, unlocking the vault only if needed.
+If NO-ERROR is non-nil, return nil instead of signaling an error when
+rbw is unavailable or the entry is not found."
+  (if (not (executable-find "rbw"))
+      (if no-error
+          nil
+        (user-error "rbw: not installed or not in PATH"))
+    (let* ((cmd (format "rbw get %s 2>/dev/null" (shell-quote-argument alias)))
+           (output (string-trim (shell-command-to-string cmd))))
+      (if (string-empty-p output)
+          (if no-error
+              nil
+            (user-error "rbw: no entry found for '%s' - run: rbw add %s" alias alias))
+        output))))
+
+(after! gptel
+  :config
+  (setq! gptel-api-key (my/get-rbw-password "openai-api-key-chatgpt-el" t)
+         gptel-default-mode 'org-mode
+         gptel-use-tools t
+         gptel-confirm-tool-calls 'always
+         gptel-include-reasoning 'ignore
+         gptel-model "qwen3:30b")
+
+  ;; Set default backend to be Ollama-Local
+  (setq! gptel-backend
+         (gptel-make-ollama "Ollama-Local"
+           :host "localhost:11434"
+           :stream t
+           :models '(deepseek-r1 deepseek-r1-fullctx qwen3:30b qwen3:4b llama3.1 qwen2.5-coder mistral-nemo gpt-oss)))
+
+  ;; Define custom tools
+  (gptel-make-tool
+   :name "run_shell_command"
+   :description "Execute shell commands and return output. Use this to run system commands, check file contents, or perform system operations."
+   :function (lambda (command)
+               (condition-case err
+                   (shell-command-to-string command)
+                 (error (format "Error running command: %s" (error-message-string err)))))
+   :args (list '(:name "command" :type "string" :description "Shell command to execute")))
+
+  (gptel-make-tool
+   :name "read_file"
+   :description "Read the contents of a file and return as text"
+   :function (lambda (filepath)
+               (condition-case err
+                   (with-temp-buffer
+                     (insert-file-contents (expand-file-name filepath))
+                     (buffer-string))
+                 (error (format "Error reading file %s: %s" filepath (error-message-string err)))))
+   :args (list '(:name "filepath" :type "string" :description "Path to the file to read")))
+
+  (gptel-make-tool
+   :name "list_directory"
+   :description "List contents of a directory"
+   :function (lambda (dirpath)
+               (condition-case err
+                   (mapconcat 'identity 
+                              (directory-files (expand-file-name dirpath) nil "^[^.]")
+                              "\n")
+                 (error (format "Error listing directory %s: %s" dirpath (error-message-string err)))))
+   :args (list '(:name "dirpath" :type "string" :description "Directory path to list"))))
+
+(use-package! pi-coding-agent
+  :commands (pi-coding-agent pi-coding-agent-toggle)
+  :init
+  (defalias 'pi 'pi-coding-agent)
+  (map! :leader
+        (:prefix ("o" . "open")
+         :desc "Pi Coding Agent" "p" #'pi-coding-agent))
+  :config
+  ;; Tree-sitter grammars are managed by Nix (treesit-grammars.with-all-grammars),
+  ;; so suppress the auto-install prompt
+  (setq pi-coding-agent-essential-grammar-action 'warn))
+
+(use-package! claude-code-ide
+  :commands (claude-code-ide-menu claude-code-ide-open-here)
+  :init
+  (map! :leader
+        (:prefix ("o" . "open")
+         :desc "Claude Code IDE" "c" #'claude-code-ide-menu))
+  :config
+  (claude-code-ide-emacs-tools-setup)
+  (setq claude-code-ide-cli-path "claude"
+        claude-code-ide-cli-extra-flags "--dangerously-skip-permissions"
+        claude-code-ide-focus-claude-after-ediff t
+        claude-code-ide-focus-on-open t
+        claude-code-ide-show-claude-window-in-ediff t
+        claude-code-ide-switch-tab-on-ediff t
+        claude-code-ide-use-ide-diff t
+        claude-code-ide-use-side-window t
+        claude-code-ide-window-height 20
+        claude-code-ide-window-side 'right
+        claude-code-ide-window-width 90))
+
+(after! gptel
+  (require 'gptel-tool-library)
+  (setq gptel-tool-library-use-maybe-safe t
+        gptel-tool-library-use-unsafe t)
+  (dolist (module '("bbdb" "buffer" "elisp" "emacs" "gnus" "os" "search-and-replace" "url"))
+    (gptel-tool-library-load-module module)))
+
+;; mu4e email configuration
+;; Add NixOS mu4e to load-path (installed via mu.mu4e package)
+(when-let ((mu-path (executable-find "mu")))
+  (add-to-list 'load-path
+               (expand-file-name "../share/emacs/site-lisp/mu4e"
+                                 (file-name-directory mu-path))))
+
+(after! mu4e
+  ;; User identity
+  (setq user-mail-address "john@ogle.fyi"
+        user-full-name "John Ogle")
+
+  ;; Maildir location (no account prefix - single account)
+  (setq mu4e-maildir "~/Mail"
+        mu4e-attachment-dir "~/Downloads")
+
+  ;; Folder config (matches ~/Mail/INBOX, ~/Mail/Sent, etc.)
+  (setq mu4e-sent-folder "/Sent"
+        mu4e-drafts-folder "/Drafts"
+        mu4e-trash-folder "/Trash"
+        mu4e-refile-folder "/Archive")
+
+  ;; Shortcuts for common folders
+  (setq mu4e-maildir-shortcuts
+        '((:maildir "/INBOX"   :key ?i)
+          (:maildir "/Archive" :key ?a)
+          (:maildir "/Sent"    :key ?s)
+          (:maildir "/Trash"   :key ?t)))
+
+  ;; Behavior settings
+  (setq mu4e-get-mail-command "mbsync -a"
+        mu4e-update-interval 300  ; 5 minutes (matches systemd timer)
+        mu4e-change-filenames-when-moving t  ; required for mbsync
+        mu4e-headers-date-format "%Y-%m-%d"
+        mu4e-headers-time-format "%H:%M")
+
+  ;; Sending mail via msmtp
+  ;; NOTE: message-sendmail-f-is-evil and --read-envelope-from are required
+  ;; to prevent msmtp from stripping the email body when processing headers.
+  ;; Without these, multipart messages (especially from org-msg) may arrive
+  ;; with empty bodies.
+  (setq sendmail-program (executable-find "msmtp")
+        send-mail-function #'message-send-mail-with-sendmail
+        message-send-mail-function #'message-send-mail-with-sendmail
+        message-sendmail-f-is-evil t
+        message-sendmail-extra-arguments '("--read-envelope-from")
+        message-sendmail-envelope-from 'header))
+
+;; Whenever you reconfigure a package, make sure to wrap your config in an
+;; `after!' block, otherwise Doom's defaults may override your settings. E.g.
+;;
+;;   (after! PACKAGE
+;;     (setq x y))
+;;
+;; The exceptions to this rule:
+;;
+;;   - Setting file/directory variables (like `org-directory')
+;;   - Setting variables which explicitly tell you to set them before their
+;;     package is loaded (see 'C-h v VARIABLE' to look up their documentation).
+;;   - Setting doom variables (which start with 'doom-' or '+').
+;;
+;; Here are some additional functions/macros that will help you configure Doom.
+;;
+;; - `load!' for loading external *.el files relative to this one
+;; - `use-package!' for configuring packages
+;; - `after!' for running code after a package has loaded
+;; - `add-load-path!' for adding directories to the `load-path', relative to
+;;   this file. Emacs searches the `load-path' when you load packages with
+;;   `require' or `use-package'.
+;; - `map!' for binding new keys
+;;
+;; To get information about any of these functions/macros, move the cursor over
+;; the highlighted symbol at press 'K' (non-evil users must press 'C-c c k').
+;; This will open documentation for it, including demos of how they are used.
+;; Alternatively, use `C-h o' to look up a symbol (functions, variables, faces,
+;; etc).
+;;
+;; You can also try 'gd' (or 'C-c c d') to jump to their definition and see how
+;; they are implemented.

home/roles/emacs/doom/init.el

@@ -33,7 +33,7 @@
        doom              ; what makes DOOM look the way it does
        doom-dashboard    ; a nifty splash screen for Emacs
        ;;doom-quit         ; DOOM quit-message prompts when you quit Emacs
-       (emoji +unicode)  ; 🙂
+       ;;(emoji +unicode)  ; 🙂
        hl-todo           ; highlight TODO/FIXME/NOTE/DEPRECATED/HACK/REVIEW
        ;;indent-guides     ; highlighted indent columns
        ;;ligatures         ; ligatures and symbols to make your code pretty again
@@ -45,7 +45,7 @@
        (popup +defaults)   ; tame sudden yet inevitable temporary windows
        ;;tabs              ; a tab bar for Emacs
        ;;treemacs          ; a project drawer, like neotree but cooler
-       ;;unicode           ; extended unicode support for various languages
+       unicode           ; extended unicode support for various languages
        (vc-gutter +pretty) ; vcs diff in the fringe
        vi-tilde-fringe   ; fringe tildes to mark beyond EOB
        ;;window-select     ; visually switch windows
@@ -59,7 +59,7 @@
        ;;(format +onsave)  ; automated prettiness
        ;;god               ; run Emacs commands without modifier keys
        ;;lispy             ; vim for lisp, for people who don't like vim
-       ;;multiple-cursors  ; editing in many places at once
+       multiple-cursors  ; editing in many places at once
        ;;objed             ; text object editing for the innocent
        ;;parinfer          ; turn lisp into python, sort of
        ;;rotate-text       ; cycle region at point between text candidates
@@ -77,7 +77,7 @@
        ;;eshell            ; the elisp shell that works everywhere
        ;;shell             ; simple shell REPL for Emacs
        ;;term              ; basic terminal emulator for Emacs
-       ;;vterm             ; the best terminal emulation in Emacs
+       vterm             ; the best terminal emulation in Emacs
 
        :checkers
        syntax              ; tasing you for every semicolon you forget
@@ -94,6 +94,7 @@
        ;;editorconfig      ; let someone else argue about tabs vs spaces
        ;;ein               ; tame Jupyter notebooks with emacs
        (eval +overlay)     ; run code, run (also, repls)
+       llm               ; When I said  you needed friends, I didn't mean...
        lookup              ; navigate your code and its documentation
        lsp               ; M-x vscode
        magit             ; a git porcelain for Emacs
@@ -175,7 +176,7 @@
        ;;zig               ; C, but simpler
 
        :email
-       ;;(mu4e +org +gmail)
+       (mu4e +org)
        ;;notmuch
        ;;(wanderlust +gmail)
 

home/roles/emacs/doom/packages.el

@@ -49,6 +49,26 @@
 ;; ...Or *all* packages (NOT RECOMMENDED; will likely break things)
 ;; (unpin! t)
 
-;; (package! org-caldav)
+(package! org-caldav)
+
+;; Pin org-msg - upstream doom pin references a force-pushed commit
+(package! org-msg :pin "aa608b399586fb771ad37045a837f8286a0b6124")
+
+;; Note: Packages with custom recipes must be pinned for nix-doom-emacs-unstraightened
+;; to build deterministically. Update pins when upgrading packages.
 
 (package! gptel :recipe (:nonrecursive t))
+
+(package! claude-code-ide
+  :recipe (:host github :repo "manzaltu/claude-code-ide.el")
+  :pin "760240d7f03ff16f90ede9d4f4243cd94f3fed73")
+
+(package! gptel-tool-library
+  :recipe (:host github :repo "aard-fi/gptel-tool-library"
+           :files ("*.el"))
+  :pin "baffc3b0d74a2b7cbda0d5cd6dd7726d6ccaca83")
+
+(package! pi-coding-agent
+  :recipe (:host github :repo "dnouri/pi-coding-agent"
+           :files ("*.el"))
+  :pin "8d8158b0a6150ce13d91e561a1223790670acaa7")

home/roles/email/default.nix

@@ -0,0 +1,128 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.email;
+  isLinux = pkgs.stdenv.isLinux;
+in
+{
+  options.home.roles.email = {
+    enable = mkEnableOption "Enable email with mu4e, mbsync, and msmtp";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      isync      # provides mbsync for IMAP sync
+      msmtp      # for SMTP sending
+      mu         # email indexer for mu4e
+      mu.mu4e    # mu4e elisp files for Emacs
+      openssl    # for certificate management
+    ];
+
+    # Ensure Mail directory exists
+    home.file."Mail/.keep".text = "";
+
+    # mbsync configuration
+    home.file.".mbsyncrc".text = ''
+      # IMAP Account Configuration
+      IMAPAccount proton
+      Host proton.johnogle.info
+      Port 143
+      User john@ogle.fyi
+      PassCmd "${pkgs.rbw}/bin/rbw get proton.johnogle.info"
+      TLSType STARTTLS
+      AuthMechs PLAIN
+
+      # Remote Storage
+      IMAPStore proton-remote
+      Account proton
+
+      # Local Storage
+      MaildirStore proton-local
+      Path ~/Mail/
+      Inbox ~/Mail/INBOX
+      SubFolders Verbatim
+
+      # Channel Configuration - Main (excludes Sent)
+      Channel proton-main
+      Far :proton-remote:
+      Near :proton-local:
+      Patterns * !Sent
+      Create Both
+      Expunge Both
+      SyncState *
+
+      # Channel Configuration - Sent (pull only)
+      Channel proton-sent
+      Far :proton-remote:Sent
+      Near :proton-local:Sent
+      Create Near
+      Expunge Near
+      Sync Pull
+      SyncState *
+
+      # Group both channels
+      Group proton
+      Channel proton-main
+      Channel proton-sent
+    '';
+
+    # msmtp configuration
+    home.file.".msmtprc".text = ''
+      # Default settings
+      defaults
+      auth           plain
+      tls            on
+      tls_starttls   on
+      tls_trust_file /etc/ssl/certs/ca-certificates.crt
+      logfile        ${config.home.homeDirectory}/.msmtp.log
+
+      # Proton mail account
+      account        proton
+      host           proton.johnogle.info
+      port           25
+      from           john@ogle.fyi
+      user           john@ogle.fyi
+      passwordeval   rbw get proton.johnogle.info
+
+      # Set default account
+      account default : proton
+    '';
+
+    # Linux-only: Systemd service for mail sync (Darwin uses launchd instead)
+    systemd.user.services = mkIf isLinux {
+      mbsync = {
+        Unit = {
+          Description = "Mailbox synchronization service";
+          After = [ "network-online.target" ];
+          Wants = [ "network-online.target" ];
+        };
+        Service = {
+          Type = "oneshot";
+          ExecStart = "${pkgs.bash}/bin/bash -c 'mkdir -p ~/Mail && ${pkgs.isync}/bin/mbsync -a && (${pkgs.mu}/bin/mu info >/dev/null 2>&1 || ${pkgs.mu}/bin/mu init --maildir ~/Mail --personal-address=john@ogle.fyi) && ${pkgs.mu}/bin/mu index'";
+          Environment = "PATH=${pkgs.rbw}/bin:${pkgs.coreutils}/bin";
+          StandardOutput = "journal";
+          StandardError = "journal";
+        };
+      };
+    };
+
+    # Linux-only: Systemd timer for automatic sync
+    systemd.user.timers = mkIf isLinux {
+      mbsync = {
+        Unit = {
+          Description = "Mailbox synchronization timer";
+        };
+        Timer = {
+          OnBootSec = "2min";
+          OnUnitActiveSec = "5min";
+          Unit = "mbsync.service";
+        };
+        Install = {
+          WantedBy = [ "timers.target" ];
+        };
+      };
+    };
+  };
+}

home/roles/gaming/default.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.gaming;
+in
+{
+  options.home.roles.gaming = {
+    enable = mkEnableOption "Enable gaming applications and tools";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      custom.mcrcon-rbw
+    ];
+  };
+}

home/roles/i3+sway/default.nix

@@ -0,0 +1,496 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.i3_sway;
+  wallpaperConfig = import ../../wallpapers;
+  currentWallpaper = builtins.elemAt wallpaperConfig.wallpapers wallpaperConfig.currentIndex;
+
+  shared_config = recursiveUpdate rec {
+    modifier = "Mod4";
+    terminal = "ghostty";
+    defaultWorkspace = "workspace number 1";
+
+    keybindings = {
+      "${shared_config.modifier}+Return" = "exec ${terminal}";
+      "${shared_config.modifier}+Shift+Return" = "exec ${cfg.browser}";
+      "${shared_config.modifier}+Shift+q" = "kill";
+
+      "${shared_config.modifier}+a" = "focus parent";
+      "${shared_config.modifier}+Shift+a" = "focus child";
+
+      "${shared_config.modifier}+h" = "focus left";
+      "${shared_config.modifier}+j" = "focus down";
+      "${shared_config.modifier}+k" = "focus up";
+      "${shared_config.modifier}+l" = "focus right";
+
+      "${shared_config.modifier}+Shift+h" = "move left";
+      "${shared_config.modifier}+Shift+j" = "move down";
+      "${shared_config.modifier}+Shift+k" = "move up";
+      "${shared_config.modifier}+Shift+l" = "move right";
+
+      "${shared_config.modifier}+Left" = "focus left";
+      "${shared_config.modifier}+Down" = "focus down";
+      "${shared_config.modifier}+Up" = "focus up";
+      "${shared_config.modifier}+Right" = "focus right";
+
+      "${shared_config.modifier}+Shift+Left" = "move left";
+      "${shared_config.modifier}+Shift+Down" = "move down";
+      "${shared_config.modifier}+Shift+Up" = "move up";
+      "${shared_config.modifier}+Shift+Right" = "move right";
+
+      #"${shared_config.modifier}+h" = "split h";
+      "${shared_config.modifier}+v" = "split v";
+      "${shared_config.modifier}+Shift+f" = "fullscreen toggle";
+
+      "${shared_config.modifier}+s" = "layout stacking";
+      "${shared_config.modifier}+w" = "layout tabbed";
+      "${shared_config.modifier}+e" = "layout toggle split";
+
+      "${shared_config.modifier}+Shift+space" = "floating toggle";
+      "${shared_config.modifier}+space" = "focus mode_toggle";
+
+      "${shared_config.modifier}+Shift+minus" = "move scratchpad";
+      "${shared_config.modifier}+minus" = "scratchpad show";
+
+      "${shared_config.modifier}+1" = "workspace number 1";
+      "${shared_config.modifier}+2" = "workspace number 2";
+      "${shared_config.modifier}+3" = "workspace number 3";
+      "${shared_config.modifier}+4" = "workspace number 4";
+      "${shared_config.modifier}+5" = "workspace number 5";
+      "${shared_config.modifier}+6" = "workspace number 6";
+      "${shared_config.modifier}+7" = "workspace number 7";
+      "${shared_config.modifier}+8" = "workspace number 8";
+      "${shared_config.modifier}+9" = "workspace number 9";
+      "${shared_config.modifier}+0" = "workspace number 10";
+
+      "${shared_config.modifier}+Shift+1" =
+        "move container to workspace number 1";
+      "${shared_config.modifier}+Shift+2" =
+        "move container to workspace number 2";
+      "${shared_config.modifier}+Shift+3" =
+        "move container to workspace number 3";
+      "${shared_config.modifier}+Shift+4" =
+        "move container to workspace number 4";
+      "${shared_config.modifier}+Shift+5" =
+        "move container to workspace number 5";
+      "${shared_config.modifier}+Shift+6" =
+        "move container to workspace number 6";
+      "${shared_config.modifier}+Shift+7" =
+        "move container to workspace number 7";
+      "${shared_config.modifier}+Shift+8" =
+        "move container to workspace number 8";
+      "${shared_config.modifier}+Shift+9" =
+        "move container to workspace number 9";
+      "${shared_config.modifier}+Shift+0" =
+        "move container to workspace number 10";
+
+      "${shared_config.modifier}+Shift+c" = "reload";
+      "${shared_config.modifier}+Shift+r" = "restart";
+
+      "${shared_config.modifier}+r" = "mode resize";
+
+      "XF86MonBrightnessUp" = "exec ddcutil setvcp 10 + 5";
+      "XF86MonBrightnessDown" = "exec ddcutil setvcp 10 - 5";
+    };
+  } cfg.extraSharedConfig;
+in {
+  options.home.roles.i3_sway = {
+    enable = mkEnableOption "i3 and Sway tiling window managers with waybar and rofi";
+
+    browser = mkOption {
+      type = types.str;
+      default = "firefox --new-window";
+      description = "Browser to use for new window keybinding";
+    };
+
+    extraSharedConfig = mkOption {
+      type = types.attrs;
+      default = {};
+      description = "Extra configuration shared between i3 and sway";
+    };
+
+    extraI3Config = mkOption {
+      type = types.attrs;
+      default = {};
+      description = "Extra i3-specific configuration";
+    };
+
+    extraSwayConfig = mkOption {
+      type = types.attrs;
+      default = {};
+      description = "Extra sway-specific configuration";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # i3blocks configuration file
+    home.file.".config/i3blocks/config".text = ''
+      # i3blocks config - replicating waybar setup
+      separator_block_width=15
+      markup=pango
+
+      [disk]
+      command=df -h / | awk 'NR==2 {print "💾 " $5}'
+      interval=30
+      separator=true
+
+      [cpu]
+      command=top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print "🧠 " int(100 - $1) "%"}'
+      interval=2
+      separator=true
+
+      [memory]
+      command=free | awk 'NR==2 {printf "🐏 %.0f%%\n", $3*100/$2}'
+      interval=5
+      separator=true
+
+      [pulseaudio]
+      command=${pkgs.writeShellScript "i3blocks-pulseaudio" ''
+        volume=$(pactl get-sink-volume @DEFAULT_SINK@ | grep -Po '\d+%' | head -1)
+        muted=$(pactl get-sink-mute @DEFAULT_SINK@ | grep -o 'yes')
+        if [ "$muted" = "yes" ]; then
+          echo "🔇"
+        else
+          vol_num=''${volume%\%}
+          if [ $vol_num -le 33 ]; then
+            echo "🔈 $volume"
+          elif [ $vol_num -le 66 ]; then
+            echo "🔉 $volume"
+          else
+            echo "🔊 $volume"
+          fi
+        fi
+      ''}
+      interval=1
+      signal=10
+      separator=true
+
+      [backlight]
+      command=${pkgs.writeShellScript "i3blocks-backlight" ''
+        if command -v ddcutil &>/dev/null; then
+          # Handle mouse scroll events
+          case $BLOCK_BUTTON in
+            4) ddcutil setvcp 10 + 5 ;;  # Scroll up - increase brightness
+            5) ddcutil setvcp 10 - 5 ;;  # Scroll down - decrease brightness
+          esac
+
+          # Display current brightness
+          brightness=$(ddcutil getvcp 10 2>/dev/null | grep -oP 'current value =\s*\K\d+')
+          if [ -n "$brightness" ]; then
+            echo "☀️ $brightness%"
+          fi
+        fi
+      ''}
+      interval=5
+      separator=true
+
+      [network]
+      command=${pkgs.writeShellScript "i3blocks-network" ''
+        if iwgetid -r &>/dev/null; then
+          ssid=$(iwgetid -r)
+          signal=$(grep "^\s*w" /proc/net/wireless | awk '{print int($3 * 100 / 70)}')
+          echo "📶 $ssid ($signal%)"
+        else
+          ip=$(ip -4 addr show | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | grep -v '127.0.0.1' | head -1)
+          if [ -n "$ip" ]; then
+            echo "🔌 $ip"
+          else
+            echo "❌"
+          fi
+        fi
+      ''}
+      interval=5
+      separator=true
+
+      [battery]
+      command=${pkgs.writeShellScript "i3blocks-battery" ''
+        if [ -d /sys/class/power_supply/BAT0 ]; then
+          capacity=$(cat /sys/class/power_supply/BAT0/capacity)
+          status=$(cat /sys/class/power_supply/BAT0/status)
+
+          if [ "$status" = "Charging" ]; then
+            echo "⚡ $capacity%"
+          else
+            echo "🔋 $capacity%"
+          fi
+        fi
+      ''}
+      interval=10
+      separator=true
+
+      [time]
+      command=date '+%Y-%m-%d %H:%M'
+      interval=1
+      separator=false
+    '';
+
+    xsession.windowManager.i3 = let
+      base_i3_config = recursiveUpdate shared_config {
+        bars = [{
+          position = "bottom";
+          statusCommand = "${pkgs.i3blocks}/bin/i3blocks";
+          trayOutput = "primary";  # Enable system tray on primary output
+          fonts = {
+            names = [ "Fira Code" "monospace" ];
+            size = 11.0;
+          };
+          colors = {
+            background = "#000000";
+            statusline = "#ffffff";
+            separator = "#666666";
+
+            # Workspace button colors (matching waybar)
+            focusedWorkspace = {
+              border = "#285577";
+              background = "#285577";
+              text = "#ffffff";
+            };
+            activeWorkspace = {
+              border = "#5f676a";
+              background = "#5f676a";
+              text = "#ffffff";
+            };
+            inactiveWorkspace = {
+              border = "#222222";
+              background = "#222222";
+              text = "#888888";
+            };
+            urgentWorkspace = {
+              border = "#900000";
+              background = "#900000";
+              text = "#ffffff";
+            };
+          };
+        }];
+        keybindings = shared_config.keybindings // {
+          "${shared_config.modifier}+d" = "exec rofi -show drun";
+          "${shared_config.modifier}+Shift+e" =
+            "exec i3-nagbar -t warning -m 'Do you want to exit i3?' -b 'Yes' 'i3-msg exit'";
+        };
+        startup = [
+          # GNOME polkit authentication agent
+          {
+            command = "/run/current-system/sw/libexec/polkit-gnome-authentication-agent-1";
+            always = false;
+            notification = false;
+          }
+          # Picom compositor for smooth rendering and no tearing (important for Nvidia)
+          {
+            command = "picom --backend glx -b";
+            always = false;
+            notification = false;
+          }
+          # NetworkManager system tray applet
+          {
+            command = "nm-applet";
+            always = false;
+            notification = false;
+          }
+          # Set wallpaper with feh
+          {
+            command = "feh ${currentWallpaper.feh} ${currentWallpaper.file}";
+            always = false;
+            notification = false;
+          }
+        ];
+      };
+    in {
+      enable = true;
+      config = recursiveUpdate base_i3_config cfg.extraI3Config;
+    };
+
+    wayland.windowManager.sway = let
+      base_sway_config = recursiveUpdate shared_config {
+        bars = [];  # Disable default bar, use waybar instead
+        keybindings = shared_config.keybindings // {
+          "${shared_config.modifier}+d" = "exec wofi --show drun";
+          "${shared_config.modifier}+Shift+e" =
+            "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
+        };
+        input = {
+          "type:keyboard" = {
+            xkb_options = "caps:escape";
+          };
+          "type:touchpad" = {
+            tap = "enabled";
+            tap_button_map = "lrm";
+            drag = "enabled";
+            natural_scroll = "disabled";
+            dwt = "enabled";
+          };
+        };
+        output = {
+          "*" = {
+            bg = "${currentWallpaper.file} ${currentWallpaper.sway}";
+          };
+        };
+        startup = [
+          # Launch waybar status bar
+          {
+            command = "waybar";
+            always = false;
+          }
+        ];
+      };
+    in {
+      enable = true;
+      extraOptions = [ "--unsupported-gpu" ];
+      config = recursiveUpdate base_sway_config cfg.extraSwayConfig;
+    };
+
+    programs.waybar = {
+      enable = true;
+      systemd.enable = false;  # Don't auto-start via systemd - only launch in sway
+      settings = {
+        mainBar = {
+          layer = "top";
+          position = "bottom";
+          height = 30;
+          spacing = 4;
+
+          modules-left = [ "sway/workspaces" "sway/mode" ];
+          modules-center = [ ];
+          modules-right = [ "disk" "cpu" "memory" "pulseaudio" "custom/backlight-ddc" "backlight" "network" "battery" "tray" "clock" ];
+
+          "sway/workspaces" = {
+            disable-scroll = true;
+            all-outputs = true;
+          };
+
+          "clock" = {
+            format = "{:%Y-%m-%d %H:%M}";
+            tooltip-format = "<tt><small>{calendar}</small></tt>";
+            calendar = {
+              mode = "year";
+              mode-mon-col = 3;
+              weeks-pos = "right";
+              on-scroll = 1;
+              format = {
+                months = "<span color='#ffead3'><b>{}</b></span>";
+                days = "<span color='#ecc6d9'><b>{}</b></span>";
+                weeks = "<span color='#99ffdd'><b>W{}</b></span>";
+                weekdays = "<span color='#ffcc66'><b>{}</b></span>";
+                today = "<span color='#ff6699'><b><u>{}</u></b></span>";
+              };
+            };
+          };
+
+          "disk" = {
+            interval = 30;
+            format = "💾 {percentage_used}%";
+            path = "/";
+            tooltip-format = "Used: {used} / {total} ({percentage_used}%)\nFree: {free} ({percentage_free}%)";
+          };
+
+          "cpu" = {
+            format = "🧠 {usage}%";
+            tooltip = false;
+          };
+
+          "memory" = {
+            format = "🐏 {percentage}%";
+            tooltip-format = "RAM: {used:0.1f}G / {total:0.1f}G";
+          };
+
+          "pulseaudio" = {
+            format = "{icon} {volume}%";
+            format-muted = "🔇";
+            format-icons = {
+              headphone = "🎧";
+              default = [ "🔈" "🔉" "🔊" ];
+            };
+            on-click = "pavucontrol";
+          };
+
+          "backlight" = {
+            format = "☀️ {percent}%";
+            tooltip = false;
+          };
+
+          "custom/backlight-ddc" = {
+            exec = pkgs.writeShellScript "waybar-backlight-ddc" ''
+              if command -v ddcutil &>/dev/null; then
+                # Display current brightness
+                brightness=$(ddcutil getvcp 10 --brief 2>/dev/null | awk '{print $4}')
+                if [ -n "$brightness" ]; then
+                  echo "☀️ $brightness%"
+                fi
+              fi
+            '';
+            interval = 5;
+            format = "{}";
+            on-scroll-up = "ddcutil setvcp 10 + 5 2>/dev/null &";
+            on-scroll-down = "ddcutil setvcp 10 - 5 2>/dev/null &";
+            tooltip = false;
+          };
+
+          "network" = {
+            format-wifi = "📶 {essid} ({signalStrength}%)";
+            format-ethernet = "🔌 {ipaddr}";
+            format-disconnected = "❌";
+            tooltip-format = "{ifname}: {ipaddr}/{cidr}";
+          };
+
+          "battery" = {
+            states = {
+              warning = 30;
+              critical = 15;
+            };
+            format = "{icon} {capacity}%";
+            format-charging = "⚡ {capacity}%";
+            format-icons = [ "🪫" "🔋" "🔋" "🔋" "🔋" ];
+          };
+
+          "tray" = {
+            spacing = 10;
+          };
+        };
+      };
+      style = ''
+        * {
+          padding: 0 4px;
+          font-family: "Fira Code", monospace;
+          font-size: 13px;
+        }
+
+        #workspaces button {
+          padding: 0 8px;
+          background-color: #333333;
+          color: #ffffff;
+          border: none;
+        }
+
+        #workspaces button.focused {
+          background-color: #285577;
+          font-weight: bold;
+        }
+
+        #workspaces button.visible {
+          background-color: #5f676a;
+        }
+
+        #workspaces button.urgent {
+          background-color: #900000;
+        }
+      '';
+    };
+
+    programs.rofi = {
+      enable = true;
+      theme = "solarized";
+      extraConfig = {
+        modi = "drun,run,window";
+        show-icons = true;
+        drun-display-format = "{name}";
+        disable-history = false;
+        hide-scrollbar = true;
+        display-drun = " Apps";
+        display-run = " Run";
+        display-window = " Windows";
+        sidebar-mode = true;
+      };
+    };
+  };
+}

home/roles/kdeconnect/default.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.kdeconnect;
+  isLinux = pkgs.stdenv.isLinux;
+in
+{
+  options.home.roles.kdeconnect = {
+    enable = mkEnableOption "Enable KDE Connect for device integration";
+  };
+
+  # KDE Connect services are Linux-only (requires D-Bus and systemd)
+  config = mkIf (cfg.enable && isLinux) {
+    services.kdeconnect = {
+      enable = true;
+      indicator = true;
+      package = pkgs.kdePackages.kdeconnect-kde;
+    };
+  };
+}

home/roles/kubectl/default.nix

@@ -0,0 +1,243 @@
+{ config, lib, pkgs, globalInputs, system, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.kubectl;
+in
+{
+  options.home.roles.kubectl = {
+    enable = mkEnableOption "management tools for the homelab k3s oglenet cluster with secure Bitwarden integration";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      kubectl
+      kubernetes-helm
+    ];
+
+    programs.k9s.enable = true;
+
+    programs.bash.initExtra = mkAfter ''
+      # Kubectl secure session management
+      export KUBECTL_SESSION_DIR="/dev/shm/kubectl-$$"
+
+      kube-select() {
+        if [[ $# -ne 1 ]]; then
+          echo "Usage: kube-select <context-name>"
+          echo "Available contexts: $(kube-list)"
+          return 1
+        fi
+
+        local context="$1"
+
+        # Clean up any existing session first
+        kube-clear 2>/dev/null
+
+        # Create new session directory
+        mkdir -p "$KUBECTL_SESSION_DIR"
+        chmod 700 "$KUBECTL_SESSION_DIR"
+
+        # Set cleanup trap for this shell session
+        trap "rm -rf '$KUBECTL_SESSION_DIR' 2>/dev/null" EXIT
+
+        # Set KUBECONFIG for this session
+        export KUBECONFIG="$KUBECTL_SESSION_DIR/config"
+
+        # Load config from Bitwarden secure notes
+        if ! rbw get "kubectl-$context" > "$KUBECONFIG" 2>/dev/null; then
+          echo "Error: Could not retrieve kubectl-$context from Bitwarden"
+          echo "Make sure the entry exists with name: kubectl-$context"
+          kube-clear
+          return 1
+        fi
+
+        # Verify the kubeconfig is valid
+        if ! kubectl config view >/dev/null 2>&1; then
+          echo "Error: Invalid kubeconfig retrieved from Bitwarden"
+          kube-clear
+          return 1
+        fi
+
+        echo "✓ Loaded kubectl context: $context (session: $$)"
+        echo "  Config location: $KUBECONFIG"
+      }
+
+      kube-list() {
+        echo "Available kubectl contexts in Bitwarden:"
+        rbw search kubectl- 2>/dev/null | grep "^kubectl-" | sed 's/^kubectl-/  - /' || echo "  (none found or rbw not accessible)"
+      }
+
+      kube-clear() {
+        if [[ -n "$KUBECTL_TIMEOUT_PID" ]]; then
+          kill "$KUBECTL_TIMEOUT_PID" 2>/dev/null
+          unset KUBECTL_TIMEOUT_PID
+        fi
+
+        if [[ -d "$KUBECTL_SESSION_DIR" ]]; then
+          rm -rf "$KUBECTL_SESSION_DIR"
+          echo "Cleared kubectl session ($$)"
+        fi
+
+        unset KUBECONFIG
+      }
+
+      kube-status() {
+        if [[ -f "$KUBECONFIG" ]]; then
+          local current_context
+          current_context=$(kubectl config current-context 2>/dev/null)
+          if [[ -n "$current_context" ]]; then
+            echo "Active kubectl context: $current_context"
+            echo "Session: $$ | Config: $KUBECONFIG"
+
+            # Show cluster info
+            local cluster_server
+            cluster_server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2>/dev/null)
+            if [[ -n "$cluster_server" ]]; then
+              echo "Cluster: $cluster_server"
+            fi
+          else
+            echo "No active context in current session"
+          fi
+        else
+          echo "No kubectl session active in this shell"
+          echo "Use 'kube-select <context>' to start a session"
+        fi
+      }
+
+      # Helper function to show available commands
+      kube-help() {
+        echo "Secure kubectl session management commands:"
+        echo ""
+        echo "Session management:"
+        echo "  kube-select <context>     - Load kubeconfig from Bitwarden"
+        echo "  kube-status              - Show current session status"
+        echo "  kube-clear               - Clear current session"
+        echo ""
+        echo "Configuration management:"
+        echo "  kube-list                - List available contexts in Bitwarden"
+        echo ""
+        echo "Help:"
+        echo "  kube-help                - Show this help"
+        echo ""
+        echo "Examples:"
+        echo "  kube-select prod                     # Loads from secure note"
+        echo "  kubectl get pods"
+        echo "  kube-clear"
+        echo ""
+        echo "Note: Kubeconfigs are stored as secure notes in Bitwarden"
+      }
+    '';
+
+    programs.zsh.initExtra = mkAfter ''
+      # Kubectl secure session management (zsh)
+      export KUBECTL_SESSION_DIR="/dev/shm/kubectl-$$"
+
+      kube-select() {
+        if [[ $# -ne 1 ]]; then
+          echo "Usage: kube-select <context-name>"
+          echo "Available contexts: $(kube-list)"
+          return 1
+        fi
+
+        local context="$1"
+
+        # Clean up any existing session first
+        kube-clear 2>/dev/null
+
+        # Create new session directory
+        mkdir -p "$KUBECTL_SESSION_DIR"
+        chmod 700 "$KUBECTL_SESSION_DIR"
+
+        # Set cleanup trap for this shell session
+        trap "rm -rf '$KUBECTL_SESSION_DIR' 2>/dev/null" EXIT
+
+        # Set KUBECONFIG for this session
+        export KUBECONFIG="$KUBECTL_SESSION_DIR/config"
+
+        # Load config from Bitwarden secure notes
+        if ! rbw get "kubectl-$context" > "$KUBECONFIG" 2>/dev/null; then
+          echo "Error: Could not retrieve kubectl-$context from Bitwarden"
+          echo "Make sure the entry exists with name: kubectl-$context"
+          kube-clear
+          return 1
+        fi
+
+        # Verify the kubeconfig is valid
+        if ! kubectl config view >/dev/null 2>&1; then
+          echo "Error: Invalid kubeconfig retrieved from Bitwarden"
+          kube-clear
+          return 1
+        fi
+
+        echo "✓ Loaded kubectl context: $context (session: $$)"
+        echo "  Config location: $KUBECONFIG"
+      }
+
+      kube-list() {
+        echo "Available kubectl contexts in Bitwarden:"
+        rbw search kubectl- 2>/dev/null | grep "^kubectl-" | sed 's/^kubectl-/  - /' || echo "  (none found or rbw not accessible)"
+      }
+
+      kube-clear() {
+        if [[ -n "$KUBECTL_TIMEOUT_PID" ]]; then
+          kill "$KUBECTL_TIMEOUT_PID" 2>/dev/null
+          unset KUBECTL_TIMEOUT_PID
+        fi
+
+        if [[ -d "$KUBECTL_SESSION_DIR" ]]; then
+          rm -rf "$KUBECTL_SESSION_DIR"
+          echo "Cleared kubectl session ($$)"
+        fi
+
+        unset KUBECONFIG
+      }
+
+      kube-status() {
+        if [[ -f "$KUBECONFIG" ]]; then
+          local current_context
+          current_context=$(kubectl config current-context 2>/dev/null)
+          if [[ -n "$current_context" ]]; then
+            echo "Active kubectl context: $current_context"
+            echo "Session: $$ | Config: $KUBECONFIG"
+
+            # Show cluster info
+            local cluster_server
+            cluster_server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2>/dev/null)
+            if [[ -n "$cluster_server" ]]; then
+              echo "Cluster: $cluster_server"
+            fi
+          else
+            echo "No active context in current session"
+          fi
+        else
+          echo "No kubectl session active in this shell"
+          echo "Use 'kube-select <context>' to start a session"
+        fi
+      }
+
+      # Helper function to show available commands
+      kube-help() {
+        echo "Secure kubectl session management commands:"
+        echo ""
+        echo "Session management:"
+        echo "  kube-select <context>     - Load kubeconfig from Bitwarden"
+        echo "  kube-status              - Show current session status"
+        echo "  kube-clear               - Clear current session"
+        echo ""
+        echo "Configuration management:"
+        echo "  kube-list                - List available contexts in Bitwarden"
+        echo ""
+        echo "Help:"
+        echo "  kube-help                - Show this help"
+        echo ""
+        echo "Examples:"
+        echo "  kube-select prod                     # Loads from secure note"
+        echo "  kubectl get pods"
+        echo "  kube-clear"
+        echo ""
+        echo "Note: Kubeconfigs are stored as secure notes in Bitwarden"
+      }
+    '';
+  };
+}

home/roles/launchers/default.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.launchers;
+
+  # Generate a wrapper script for a package
+  makeLauncher = packageName: pkgs.writeShellScriptBin packageName ''
+    exec env NIXPKGS_ALLOW_UNFREE=1 ${pkgs.nix}/bin/nix run --impure nixpkgs#${packageName} -- "$@"
+  '';
+
+  # Generate all launcher scripts from the package list
+  launcherPackages = map makeLauncher cfg.packages;
+in
+{
+  options.home.roles.launchers = {
+    enable = mkEnableOption "wrapper launchers for excluded packages";
+
+    packages = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [ "steam" "libreoffice" "lutris" ];
+      description = ''
+        List of package names to create launcher wrappers for.
+        Each wrapper will run: NIXPKGS_ALLOW_UNFREE=1 nix run --impure nixpkgs#<package>
+
+        This is useful for occasionally running packages without permanently installing them.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = launcherPackages;
+  };
+}

home/roles/media/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.media;
+in
+{
+  options.home.roles.media = {
+    enable = mkEnableOption "Enable media and multimedia applications";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      # Media players and streaming
+      # Using delfin instead of jellyfin-media-player to avoid qtwebengine security issues
+      # For full Jellyfin features, use web interface at http://jellyfin-server:8096
+      delfin
+      moonlight-qt
+      vlc
+
+      # Spotify client
+      # Using unstable version for better authentication support
+      unstable.ncspot
+    ];
+  };
+}

home/roles/office/default.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.office;
+in
+{
+  options.home.roles.office = {
+    enable = mkEnableOption "Enable office applications and document processing tools";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      # Office suite
+      libreoffice
+      
+      # CAD/Design tools
+      openscad-unstable
+    ];
+  };
+}

home/roles/plasma-manager-kodi/default.nix

@@ -0,0 +1,199 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.plasma-manager-kodi;
+
+  # Define the volume control scripts as derivations
+  volumeUpScript = pkgs.writeShellScript "avr-volume-up" ''
+    #!/usr/bin/env bash
+
+    # Configuration
+    HA_URL="https://home-assistant.johnogle.info"
+    ENTITY_ID="media_player.denon_avr_s970h_2"
+    MAX_RETRIES=3
+
+    # Read token from KDE Wallet and strip whitespace
+    TOKEN=$(${pkgs.kdePackages.kwallet}/bin/kwallet-query -r ha_avr_token kdewallet -f Passwords 2>/dev/null | tr -d '[:space:]')
+
+    if [ -z "$TOKEN" ]; then
+      ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to retrieve Home Assistant token from KDE Wallet"
+      exit 1
+    fi
+
+    # Send volume up command with retry logic
+    for i in $(seq 1 $MAX_RETRIES); do
+      RESPONSE=$(${pkgs.curl}/bin/curl -s -w "\n%{http_code}" -X POST \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"entity_id\": \"$ENTITY_ID\"}" \
+        "$HA_URL/api/services/media_player/volume_up" 2>&1)
+
+      HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+      if [ "$HTTP_CODE" = "200" ]; then
+        exit 0
+      fi
+
+      # Wait before retry (except on last attempt)
+      if [ $i -lt $MAX_RETRIES ]; then
+        sleep 0.5
+      fi
+    done
+
+    # All retries failed
+    ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to increase volume after $MAX_RETRIES attempts"
+    exit 1
+  '';
+
+  volumeDownScript = pkgs.writeShellScript "avr-volume-down" ''
+    #!/usr/bin/env bash
+
+    # Configuration
+    HA_URL="https://home-assistant.johnogle.info"
+    ENTITY_ID="media_player.denon_avr_s970h_2"
+    MAX_RETRIES=3
+
+    # Read token from KDE Wallet and strip whitespace
+    TOKEN=$(${pkgs.kdePackages.kwallet}/bin/kwallet-query -r ha_avr_token kdewallet -f Passwords 2>/dev/null | tr -d '[:space:]')
+
+    if [ -z "$TOKEN" ]; then
+      ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to retrieve Home Assistant token from KDE Wallet"
+      exit 1
+    fi
+
+    # Send volume down command with retry logic
+    for i in $(seq 1 $MAX_RETRIES); do
+      RESPONSE=$(${pkgs.curl}/bin/curl -s -w "\n%{http_code}" -X POST \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"entity_id\": \"$ENTITY_ID\"}" \
+        "$HA_URL/api/services/media_player/volume_down" 2>&1)
+
+      HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+      if [ "$HTTP_CODE" = "200" ]; then
+        exit 0
+      fi
+
+      # Wait before retry (except on last attempt)
+      if [ $i -lt $MAX_RETRIES ]; then
+        sleep 0.5
+      fi
+    done
+
+    # All retries failed
+    ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to decrease volume after $MAX_RETRIES attempts"
+    exit 1
+  '';
+
+  volumeMuteScript = pkgs.writeShellScript "avr-volume-mute" ''
+    #!/usr/bin/env bash
+
+    # Configuration
+    HA_URL="https://home-assistant.johnogle.info"
+    ENTITY_ID="media_player.denon_avr_s970h_2"
+    MAX_RETRIES=3
+
+    # Read token from KDE Wallet and strip whitespace
+    TOKEN=$(${pkgs.kdePackages.kwallet}/bin/kwallet-query -r ha_avr_token kdewallet -f Passwords 2>/dev/null | tr -d '[:space:]')
+
+    if [ -z "$TOKEN" ]; then
+      ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to retrieve Home Assistant token from KDE Wallet"
+      exit 1
+    fi
+
+    # Get current mute state
+    STATE_RESPONSE=$(${pkgs.curl}/bin/curl -s -H "Authorization: Bearer $TOKEN" \
+      "$HA_URL/api/states/$ENTITY_ID")
+
+    CURRENT_MUTE=$(echo "$STATE_RESPONSE" | ${pkgs.jq}/bin/jq -r '.attributes.is_volume_muted // false')
+
+    # Toggle: if currently muted (true), unmute (false), and vice versa
+    if [ "$CURRENT_MUTE" = "true" ]; then
+      NEW_MUTE="false"
+      NOTIFY_MSG="Unmuted"
+    else
+      NEW_MUTE="true"
+      NOTIFY_MSG="Muted"
+    fi
+
+    # Send mute toggle command with retry logic
+    for i in $(seq 1 $MAX_RETRIES); do
+      RESPONSE=$(${pkgs.curl}/bin/curl -s -w "\n%{http_code}" -X POST \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"entity_id\": \"$ENTITY_ID\", \"is_volume_muted\": $NEW_MUTE}" \
+        "$HA_URL/api/services/media_player/volume_mute" 2>&1)
+
+      HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+      if [ "$HTTP_CODE" = "200" ]; then
+        exit 0
+      fi
+
+      # Wait before retry (except on last attempt)
+      if [ $i -lt $MAX_RETRIES ]; then
+        sleep 0.5
+      fi
+    done
+
+    # All retries failed
+    ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to toggle mute after $MAX_RETRIES attempts"
+    exit 1
+  '';
+in
+{
+  options.home.roles.plasma-manager-kodi = {
+    enable = mkEnableOption "KDE Plasma volume control for kodi user via Home Assistant";
+  };
+
+  config = mkIf cfg.enable {
+    programs.plasma = {
+      enable = true;
+      overrideConfig = true;
+
+      # Disable default kmix volume shortcuts to prevent conflicts
+      shortcuts.kmix = {
+        "increase_volume" = "none";
+        "decrease_volume" = "none";
+        "mute" = "none";
+      };
+
+      # Define custom volume control commands with key bindings
+      hotkeys.commands = {
+        "volume-up-avr" = {
+          name = "Volume Up AVR";
+          key = "Volume Up";
+          command = toString volumeUpScript;
+        };
+
+        "volume-down-avr" = {
+          name = "Volume Down AVR";
+          key = "Volume Down";
+          command = toString volumeDownScript;
+        };
+
+        "volume-mute-avr" = {
+          name = "Mute Toggle AVR";
+          key = "Volume Mute";
+          command = toString volumeMuteScript;
+        };
+      };
+
+      # KDE Settings customization
+      configFile = {
+        # Session restore settings
+        "ksmserverrc"."General"."loginMode" = "emptySession";
+
+        # Screen locking settings
+        "kscreenlockerrc"."Daemon"."Autolock" = false;
+        "kscreenlockerrc"."Daemon"."LockOnResume" = false;
+
+        # Theme settings
+        "kdeglobals"."KDE"."LookAndFeelPackage" = "org.kde.breezedark.desktop";
+      };
+    };
+  };
+}

home/roles/plasma-manager/default.nix

@@ -0,0 +1,190 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.plasma-manager;
+  wallpaperConfig = import ../../wallpapers;
+  currentWallpaper = builtins.elemAt wallpaperConfig.wallpapers wallpaperConfig.currentIndex;
+in
+{
+  options.home.roles.plasma-manager = {
+    enable = mkEnableOption "KDE Plasma desktop environment configuration";
+  };
+
+  config = mkIf cfg.enable {
+    # The current KDE config can be output with the command:
+    # nix run github:nix-community/plasma-manager
+    #
+    # Plasma-manager options documentation
+    # https://nix-community.github.io/plasma-manager/options.xhtml
+    #
+    # TODO: (ambitious) Add Kmail support to plasma-manager
+    programs.plasma = {
+      enable = true;
+      overrideConfig = true;
+
+      hotkeys.commands."launch-ghostty" = {
+        name = "Launch Ghostty";
+        key = "Meta+Return";
+        command = "ghostty";
+      };
+
+      shortcuts = {
+        kmix = {
+          "decrease_microphone_volume" = "Microphone Volume Down";
+          "decrease_volume" = "Volume Down";
+          "decrease_volume_small" = "Shift+Volume Down";
+          "increase_microphone_volume" = "Microphone Volume Up";
+          "increase_volume" = "Volume Up";
+          "increase_volume_small" = "Shift+Volume Up";
+          "mic_mute" = ["Microphone Mute" "Meta+Volume Mute,Microphone Mute" "Meta+Volume Mute,Mute Microphone"];
+          "mute" = "Volume Mute";
+        };
+
+        mediacontrol = {
+          "mediavolumedown" = "none,,Media volume down";
+          "mediavolumeup" = "none,,Media volume up";
+          "nextmedia" = "Media Next";
+          "pausemedia" = "Media Pause";
+          "playmedia" = "none,,Play media playback";
+          "playpausemedia" = "Media Play";
+          "previousmedia" = "Media Previous";
+          "stopmedia" = "Media Stop";
+        };
+
+        ksmserver = {
+          "Lock Session" = ["Meta+Ctrl+Q" "Screensaver" "Screensaver,Lock Session"];
+        };
+
+        kwin = {
+          "Window Close" = "Meta+Shift+Q";
+          "Kill Window" = "Meta+Ctrl+Esc";
+          "Window Operations Menu" = "Alt+F3";
+          "Window Resize" = "Meta+R,,Resize Window";
+
+          "Overview" = "Meta+Ctrl+W";
+          "Grid View" = "Meta+G";
+          "Edit Tiles" = "Meta+T";
+
+          "Activate Window Demanding Attention" = "Meta+Ctrl+A";
+
+          "Show Desktop" = "Meta+Ctrl+D";
+
+          "Walk Through Windows" = "Alt+Tab";
+          "Walk Through Windows (Reverse)" = "Alt+Shift+Tab";
+          "Walk Through Windows of Current Application" = "Alt+`";
+          "Walk Through Windows of Current Application (Reverse)" = "Alt+~";
+
+          "Window Quick Tile Bottom" = "Meta+Down";
+          "Window Quick Tile Left" = "Meta+Left";
+          "Window Quick Tile Right" = "Meta+Right";
+          "Window Quick Tile Top" = "Meta+Up";
+
+          "Switch to Desktop 1" = "Meta+1";
+          "Switch to Desktop 2" = "Meta+2";
+          "Switch to Desktop 3" = "Meta+3";
+          "Switch to Desktop 4" = "Meta+4";
+          "Switch to Desktop 5" = "Meta+5";
+          "Switch to Desktop 6" = "Meta+6";
+          "Switch to Desktop 7" = "Meta+7";
+          "Switch to Desktop 8" = "Meta+8";
+          "Switch to Desktop 9" = "Meta+9";
+          "Switch to Desktop 10" = "Meta+0";
+
+          "Window to Desktop 1" = "Meta+!";    # Meta+Shift+1
+          "Window to Desktop 2" = "Meta+@";    # Meta+Shift+2
+          "Window to Desktop 3" = "Meta+#";    # Meta+Shift+3
+          "Window to Desktop 4" = "Meta+$";    # Meta+Shift+4
+          "Window to Desktop 5" = "Meta+%";    # Meta+Shift+5
+          "Window to Desktop 6" = "Meta+^";    # Meta+Shift+6
+          "Window to Desktop 7" = "Meta+&";    # Meta+Shift+7
+          "Window to Desktop 8" = "Meta+*";    # Meta+Shift+8
+          "Window to Desktop 9" = "Meta+(";    # Meta+Shift+9
+          "Window to Desktop 10" = "Meta+)";   # Meta+Shift+0
+
+          "view_actual_size" = "Meta+Ctrl+=";
+          "view_zoom_in" = ["Meta++" "Meta+=,Meta++" "Meta+=,Zoom In"];
+          "view_zoom_out" = "Meta+-";
+        };
+        "org_kde_powerdevil"."Decrease Keyboard Brightness" = "Keyboard Brightness Down";
+        "org_kde_powerdevil"."Decrease Screen Brightness" = "Monitor Brightness Down";
+        "org_kde_powerdevil"."Decrease Screen Brightness Small" = "Shift+Monitor Brightness Down";
+        "org_kde_powerdevil"."Hibernate" = "Hibernate";
+        "org_kde_powerdevil"."Increase Keyboard Brightness" = "Keyboard Brightness Up";
+        "org_kde_powerdevil"."Increase Screen Brightness" = "Monitor Brightness Up";
+        "org_kde_powerdevil"."Increase Screen Brightness Small" = "Shift+Monitor Brightness Up";
+        "org_kde_powerdevil"."PowerDown" = "Power Down";
+        "org_kde_powerdevil"."PowerOff" = "Power Off";
+        "org_kde_powerdevil"."Sleep" = "Sleep";
+        "org_kde_powerdevil"."Toggle Keyboard Backlight" = "Keyboard Light On/Off";
+        "org_kde_powerdevil"."Turn Off Screen" = [ ];
+        "org_kde_powerdevil"."powerProfile" = ["Battery" "Meta+B,Battery" "Meta+B,Switch Power Profile"];
+
+        plasmashell = {
+          "activate application launcher" = ["Meta" "Alt+F1,Meta" "Alt+F1,Activate Application Launcher"];
+          "activate task manager entry 1" = "none,,";
+          "activate task manager entry 2" = "none,,";
+          "activate task manager entry 3" = "none,,";
+          "activate task manager entry 4" = "none,,";
+          "activate task manager entry 5" = "none,,";
+          "activate task manager entry 6" = "none,,";
+          "activate task manager entry 7" = "none,,";
+          "activate task manager entry 8" = "none,,";
+          "activate task manager entry 9" = "none,,";
+          "activate task manager entry 10" = "none,,";
+          "show activity switcher" = "none,,";
+        };
+      };
+
+      configFile = {
+        kwinrc.Desktops.Number = {
+          value = 10;
+          immutable = true;
+        };
+
+        # Enable KWin tiling features
+        kwinrc.Tiling = {
+          # Enable tiling functionality
+          "padding" = 4;
+        };
+
+        # Enable krohnkite plugin automatically
+        kwinrc.Plugins = {
+          krohnkiteEnabled = true;
+        };
+
+        kwinrc.Effect-overview = {
+          # Configure overview effect for better tiling workflow
+          BorderActivate = 9;  # Top-left corner activation
+        };
+
+        kcminputrc.Libinput = {
+          AccelerationProfile = "adaptive";
+          PointerAcceleration = 0.5;
+        };
+
+        kcminputrc.Mouse = {
+          X11LibInputXAccelProfileFlat = false;
+          XLbInptAccelProfileFlat = false;
+        };
+
+        kdeglobals.KDE.LookAndFeelPackage = "org.kde.breezedark.desktop";
+
+        # Focus follows mouse configuration
+        kwinrc.Windows = {
+          FocusPolicy = "FocusFollowsMouse";
+          AutoRaise = true;  # Set to true if you want windows to auto-raise on focus
+          AutoRaiseInterval = 750;  # Delay in ms before auto-raise (if enabled)
+          DelayFocusInterval = 0;  # Delay in ms before focus follows mouse
+        };
+
+        # Desktop wallpaper configuration
+        plasma-localerc.Formats.LANG = "en_US.UTF-8";
+
+        # Set wallpaper for all desktops
+        plasmarc.Wallpapers.usersWallpapers = "${currentWallpaper.file}";
+      };
+    };
+  };
+}

home/roles/starship/default.nix

@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.starship;
+in
+{
+  options.home.roles.starship = {
+    enable = mkEnableOption "starship cross-shell prompt";
+  };
+
+  config = mkIf cfg.enable {
+    programs.starship = {
+      enable = true;
+      enableBashIntegration = true;
+      enableZshIntegration = true;
+
+      settings = {
+        add_newline = true;
+
+        character = {
+          success_symbol = "[>](bold green)";
+          error_symbol = "[x](bold red)";
+          vimcmd_symbol = "[<](bold green)";
+        };
+
+        directory = {
+          truncation_length = 4;
+          truncate_to_repo = true;
+        };
+
+        git_branch = {
+          symbol = "";
+          format = "[$symbol$branch(:$remote_branch)]($style) ";
+        };
+
+        git_status = {
+          format = "([$all_status$ahead_behind]($style) )";
+        };
+
+        nix_shell = {
+          symbol = "";
+          format = "[$symbol$state( \\($name\\))]($style) ";
+        };
+
+        cmd_duration = {
+          min_time = 2000;
+          format = "[$duration]($style) ";
+        };
+
+        # Disable modules that are noisy or rarely needed
+        package.disabled = true;
+        nodejs.disabled = true;
+        python.disabled = true;
+        ruby.disabled = true;
+        java.disabled = true;
+        golang.disabled = true;
+        rust.disabled = true;
+        php.disabled = true;
+        lua.disabled = true;
+        perl.disabled = true;
+        terraform.disabled = true;
+        kubernetes.disabled = true;
+        docker_context.disabled = true;
+        aws.disabled = true;
+        gcloud.disabled = true;
+        azure.disabled = true;
+      };
+    };
+  };
+}

home/roles/sync/default.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.sync;
+  isLinux = pkgs.stdenv.isLinux;
+in
+{
+  options.home.roles.sync = {
+    enable = mkEnableOption "Enable file synchronization services";
+  };
+
+  config = mkIf cfg.enable {
+    # Linux-only: syncthingtray requires system tray support
+    home.packages = optionals isLinux (with pkgs; [
+      syncthingtray
+    ]);
+
+    services.syncthing = {
+      enable = true;
+    };
+  };
+}

home/roles/tmux/default.nix

@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.tmux;
+
+  tokyo-night = pkgs.tmuxPlugins.mkTmuxPlugin {
+    pluginName = "tokyo-night";
+    rtpFilePath = "tokyo-night.tmux";
+    version = "1.6.1";
+    src = pkgs.fetchFromGitHub {
+      owner = "janoamaral";
+      repo = "tokyo-night-tmux";
+      rev = "d610ced20d5f602a7995854931440e4a1e0ab780";
+      sha256 = "sha256-17vEgkL7C51p/l5gpT9dkOy0bY9n8l0/LV51mR1k+V8=";
+    };
+  };
+in
+{
+  options.home.roles.tmux = {
+    enable = mkEnableOption "tmux terminal multiplexer with Tokyo Night theme";
+  };
+
+  config = mkIf cfg.enable {
+    programs.tmux.enable = true;
+    programs.tmux.terminal = "tmux-direct";
+    programs.tmux.keyMode = "vi";
+    programs.tmux.escapeTime = 0;
+    programs.tmux.mouse = true;
+    programs.tmux.newSession = true;
+    programs.tmux.historyLimit = 50000;
+    programs.tmux.clock24 = true;
+    programs.tmux.baseIndex = 1;
+    programs.tmux.prefix = "M-\\\\";
+
+    programs.tmux.plugins = with pkgs; [
+      tmuxPlugins.cpu
+      tmuxPlugins.battery
+      tmuxPlugins.better-mouse-mode
+      tmuxPlugins.net-speed
+      tmuxPlugins.online-status
+      tmuxPlugins.pain-control
+      tmuxPlugins.tilish
+      tmuxPlugins.yank
+
+      {
+        plugin = tmuxPlugins.resurrect;
+        extraConfig = "set -g @resurrect-strategy-nvim 'session'";
+      }
+      {
+        plugin = tmuxPlugins.continuum;
+        extraConfig = ''
+          set -g @continuum-restore 'on'
+          set -g @continuum-save-interval '15' # minutes
+        '';
+      }
+
+      tokyo-night
+    ];
+  };
+}

home/wallpapers/default.nix

@@ -0,0 +1,45 @@
+# Wallpaper rotation system
+# The currentIndex is incremented by `nix run .#rotate-wallpaper`
+# and gets committed as part of `nix run .#upgrade`
+{
+  currentIndex = 2;  # Index into wallpapers list
+
+  wallpapers = [
+    {
+      name = "metroid-samus-returns";
+      file = ./metroid-samus-returns-kz-3440x1440.jpg;
+      sway = "fill";
+      feh = "--bg-fill";
+    }
+    {
+      name = "metroid3_map";
+      file = ./metroid3_map.gif;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+    {
+      name = "super-metroid-gunship-cavern";
+      file = ./super-metroid-gunship-cavern.jpg;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+    {
+      name = "super-metroid-samus-statue";
+      file = ./super-metroid-samus-statue.png;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+    {
+      name = "metroid-samus-action-4k";
+      file = ./metroid-samus-action-4k.jpg;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+    {
+      name = "metroid-creature-minimalist";
+      file = ./metroid-creature-minimalist.jpg;
+      sway = "fit";
+      feh = "--bg-max";
+    }
+  ];
+}

machines/boxy/configuration.nix

@@ -17,19 +17,29 @@ with lib;
     bluetooth.enable = true;
     desktop = {
       enable = true;
-      gaming = true;
+      gaming.enable = true;
       kde = true;
       sddm = true;
       wayland = true;
     };
-    kodi = {
+    plasma-bigscreen = {
       enable = true;
-      autologin = false;
-      wayland = true;
+      autologin = true;
+      jellyfinScaleFactor = 1.0;
+      appLauncherServer.enable = true;
     };
+    nfs-mounts.enable = true;
     users.enable = true;
   };
 
+  # Enable KDE Wallet PAM integration for auto-unlock
+  security.pam.services.sddm = {
+    kwallet = {
+      enable = true;
+      package = pkgs.kdePackages.kwallet-pam;
+    };
+  };
+
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
@@ -39,12 +49,7 @@ with lib;
   services.xserver.videoDrivers = [ "amdgpu" ];
   hardware.graphics.enable = true;
   hardware.graphics.enable32Bit = true;
-  hardware.graphics.extraPackages = with pkgs; [
-    amdvlk
-  ];
-  hardware.graphics.extraPackages32 = with pkgs; [
-    driversi686Linux.amdvlk
-  ];
+  # RADV (AMD's Vulkan driver) is now enabled by default, amdvlk was removed
 
   # This option defines the first version of NixOS you have installed on this particular machine,
   # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
@@ -66,4 +71,3 @@ with lib;
   system.stateVersion = "24.05"; # Did you read the comment?
 
 }
-

machines/gym-box/configuration.nix

@@ -0,0 +1,74 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      gaming.enable = true;
+      kde = true;
+      sddm = true;
+      wayland = true;
+    };
+    plasma-bigscreen = {
+      enable = true;
+      autologin = true;
+      jellyfinScaleFactor = 1.0;
+      appLauncherServer.enable = true;
+    };
+    nfs-mounts.enable = true;
+    users.enable = true;
+  };
+
+  # Enable KDE Wallet PAM integration for auto-unlock
+  security.pam.services.sddm = {
+    kwallet = {
+      enable = true;
+      package = pkgs.kdePackages.kwallet-pam;
+    };
+  };
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "gym-box";
+  networking.networkmanager.enable = true;
+
+  services.xserver.videoDrivers = [ "amdgpu" ];
+  hardware.graphics.enable = true;
+  hardware.graphics.enable32Bit = true;
+  # RADV (AMD's Vulkan driver) is now enabled by default, amdvlk was removed
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+}

machines/gym-box/hardware-configuration.nix

@@ -0,0 +1,31 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "uas" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/59c0df78-c6fa-415d-8592-13547a3fada6";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/DC66-D04C";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/john-endesktop/MIGRATION_PLAN.md

@@ -0,0 +1,424 @@
+# Migration Plan: Arch Linux to NixOS on john-endesktop (ZFS/NFS Server)
+
+## Overview
+This document outlines the plan to migrate the john-endesktop server from Arch Linux to NixOS while maintaining the existing ZFS pools and NFS exports that serve your k3s cluster.
+
+## Current System State
+
+### Hardware
+- **Boot disk**: nvme0n1
+  - nvme0n1p3: 1000M EFI partition (UUID: F5C6-D570)
+  - nvme0n1p4: 120GB ext4 / (current Arch root)
+  - nvme0n1p5: 810GB - **Target for NixOS** (being removed from media pool)
+- **Network**: enp0s31f6 @ 10.0.0.43/24 (DHCP)
+
+### ZFS Pools
+- **media**: ~3.5TB JBOD pool (2 drives after nvme0n1p5 removal)
+  - wwn-0x50014ee2ba653d70-part2
+  - ata-WDC_WD20EZBX-00AYRA0_WD-WX62D627X7Z8-part2
+  - Contains: /media/media/nix (bind mounted to /nix on Arch)
+  - NFS: Shared to 10.0.0.0/24 via ZFS sharenfs property
+
+- **swarmvols**: 928GB mirror pool - **PRODUCTION DATA**
+  - wwn-0x5002538f52707e2d-part2
+  - wwn-0x5002538f52707e81-part2
+  - Contains: iocage jails and k3s persistent volumes
+  - NFS: Shared to 10.0.0.0/24 via ZFS sharenfs property
+  - Backed up nightly to remote borg
+
+### Services
+- NFS server exporting /media and /swarmvols to k3s cluster
+- ZFS managing pools with automatic exports via sharenfs property
+
+## Prerequisites
+
+### Before Starting
+1. ✅ Ensure nvme0n1p5 removal from media pool is complete
+   ```bash
+   ssh 10.0.0.43 "zpool status media"
+   # Should show no "removing" devices
+   ```
+
+2. ✅ Verify recent backups exist
+   ```bash
+   # Verify swarmvols backup is recent (< 24 hours)
+   # Check your borg backup system
+   ```
+
+3. ✅ Notify k3s cluster users of planned maintenance window
+   - NFS shares will be unavailable during migration
+   - Estimate: 30-60 minutes downtime
+
+4. ✅ Build NixOS configuration from your workstation
+   ```bash
+   cd ~/nixos-configs
+   nix build .#nixosConfigurations.john-endesktop.config.system.build.toplevel
+   ```
+
+## Migration Steps
+
+### Phase 1: Prepare NixOS Installation Media
+
+1. **Download NixOS minimal ISO**
+   ```bash
+   wget https://channels.nixos.org/nixos-25.11/latest-nixos-minimal-x86_64-linux.iso
+   ```
+
+2. **Create bootable USB**
+   ```bash
+   # Identify USB device (e.g., /dev/sdb)
+   lsblk
+   # Write ISO to USB
+   sudo dd if=latest-nixos-minimal-x86_64-linux.iso of=/dev/sdX bs=4M status=progress
+   sudo sync
+   ```
+
+### Phase 2: Backup and Shutdown
+
+1. **On the server, verify ZFS pool status**
+   ```bash
+   ssh 10.0.0.43 "zpool status"
+   ssh 10.0.0.43 "zfs list"
+   ```
+
+2. **Export ZFS pools cleanly**
+   ```bash
+   ssh 10.0.0.43 "sudo zpool export media"
+   ssh 10.0.0.43 "sudo zpool export swarmvols"
+   ```
+
+3. **Shutdown Arch Linux**
+   ```bash
+   ssh 10.0.0.43 "sudo shutdown -h now"
+   ```
+
+### Phase 3: Install NixOS
+
+1. **Boot from NixOS USB**
+   - Insert USB drive
+   - Power on and select USB in boot menu
+
+2. **Connect to network**
+   ```bash
+   # If DHCP doesn't work automatically:
+   sudo systemctl start dhcpcd
+   ip a  # Verify you have 10.0.0.43 or another IP
+   ```
+
+3. **Enable SSH for remote installation (recommended)**
+   ```bash
+   # Set password for nixos user
+   sudo passwd nixos
+   # Start SSH
+   sudo systemctl start sshd
+   # From your workstation:
+   ssh nixos@10.0.0.43
+   ```
+
+4. **Partition nvme0n1p5 with btrfs**
+   ```bash
+   # Verify the device is clear
+   lsblk
+   sudo wipefs -a /dev/nvme0n1p5
+
+   # Create btrfs filesystem
+   sudo mkfs.btrfs -L nixos /dev/nvme0n1p5
+
+   # Mount and create subvolumes
+   sudo mount /dev/nvme0n1p5 /mnt
+   sudo btrfs subvolume create /mnt/@
+   sudo btrfs subvolume create /mnt/@home
+   sudo btrfs subvolume create /mnt/@nix
+   sudo btrfs subvolume create /mnt/@log
+   sudo umount /mnt
+
+   # Mount root subvolume
+   sudo mount -o subvol=@,compress=zstd,noatime /dev/nvme0n1p5 /mnt
+
+   # Create mount points
+   sudo mkdir -p /mnt/{boot,home,nix,var/log}
+
+   # Mount other subvolumes
+   sudo mount -o subvol=@home,compress=zstd,noatime /dev/nvme0n1p5 /mnt/home
+   sudo mount -o subvol=@nix,compress=zstd,noatime /dev/nvme0n1p5 /mnt/nix
+   sudo mount -o subvol=@log,compress=zstd,noatime /dev/nvme0n1p5 /mnt/var/log
+
+   # Mount EFI partition
+   sudo mount /dev/nvme0n1p3 /mnt/boot
+   ```
+
+5. **Import ZFS pools**
+   ```bash
+   # Import pools (should be visible)
+   sudo zpool import
+
+   # Import with force if needed due to hostid
+   sudo zpool import -f media
+   sudo zpool import -f swarmvols
+
+   # Verify pools are mounted
+   zfs list
+   ls -la /media /swarmvols
+   ```
+
+6. **Generate initial hardware configuration**
+   ```bash
+   sudo nixos-generate-config --root /mnt
+   ```
+
+7. **Get the new root filesystem UUID**
+   ```bash
+   blkid /dev/nvme0n1p5
+   # Note the UUID for updating hardware-configuration.nix
+/dev/nvme0n1p5: LABEL="nixos" UUID="5f4ad025-bfab-4aed-a933-6638348059e5" UUID_SUB="4734d820-7b8a-4b7f-853a-026021c1d204" BLOCK_SIZE="4096" TYPE="btrfs" PARTLABEL="data" PARTUUID="9ea025df-cdb7-48fd-b5d4-37cd5d8588eb"
+   ```
+
+8. **Copy your NixOS configuration to the server**
+   ```bash
+   # From your workstation:
+   scp -r ~/nixos-configs/machines/john-endesktop/* nixos@10.0.0.43:/tmp/
+
+   # On server:
+   sudo mkdir -p /mnt/etc/nixos
+   sudo cp /tmp/configuration.nix /mnt/etc/nixos/
+   sudo cp /tmp/hardware-configuration.nix /mnt/etc/nixos/
+
+   # Edit hardware-configuration.nix to update the root filesystem UUID
+   sudo nano /mnt/etc/nixos/hardware-configuration.nix
+   # Change: device = "/dev/disk/by-uuid/CHANGE-THIS-TO-YOUR-UUID";
+   # To:     device = "/dev/disk/by-uuid/[UUID from blkid]";
+   ```
+
+9. **Install NixOS**
+   ```bash
+   sudo nixos-install
+
+   # Set root password when prompted
+   # Set user password
+   sudo nixos-install --no-root-passwd
+   ```
+
+10. **Reboot into NixOS**
+    ```bash
+    sudo reboot
+    # Remove USB drive
+    ```
+
+### Phase 4: Post-Installation Verification
+
+1. **Boot into NixOS and verify system**
+   ```bash
+   ssh johno@10.0.0.43
+
+   # Check NixOS version
+   nixos-version
+
+   # Verify hostname
+   hostname  # Should be: john-endesktop
+   ```
+
+2. **Verify ZFS pools imported correctly**
+   ```bash
+   zpool status
+   zpool list
+   zfs list
+
+   # Check for hostid mismatch warnings (should be gone)
+   # Verify both pools show ONLINE status
+   ```
+
+3. **Verify NFS exports are active**
+   ```bash
+   sudo exportfs -v
+   systemctl status nfs-server
+
+   # Should see /media and /swarmvols exported to 10.0.0.0/24
+   ```
+
+4. **Test NFS mount from another machine**
+   ```bash
+   # From a k3s node or your workstation:
+   sudo mount -t nfs 10.0.0.43:/swarmvols /mnt
+   ls -la /mnt
+   sudo umount /mnt
+
+   sudo mount -t nfs 10.0.0.43:/media /mnt
+   ls -la /mnt
+   sudo umount /mnt
+   ```
+
+5. **Verify ZFS sharenfs properties preserved**
+   ```bash
+   zfs get sharenfs media
+   zfs get sharenfs swarmvols
+
+   # Should show: sec=sys,mountpoint,no_subtree_check,no_root_squash,rw=@10.0.0.0/24
+   ```
+
+6. **Check swap device**
+   ```bash
+   swapon --show
+   free -h
+   # Should show /dev/zvol/media/swap
+   ```
+
+### Phase 5: Restore k3s Cluster Access
+
+1. **Restart k3s nodes or remount NFS shares**
+   ```bash
+   # On each k3s node:
+   sudo systemctl restart k3s  # or k3s-agent
+   ```
+
+2. **Verify k3s pods have access to persistent volumes**
+   ```bash
+   # On k3s master:
+   kubectl get pv
+   kubectl get pvc
+   # Check that volumes are bound and accessible
+   ```
+
+## Rollback Plan
+
+If something goes wrong during migration, you can roll back to Arch Linux:
+
+### Quick Rollback (If NixOS won't boot)
+
+1. **Boot from NixOS USB (or Arch USB)**
+
+2. **Import ZFS pools**
+   ```bash
+   sudo zpool import -f media
+   sudo zpool import -f swarmvols
+   ```
+
+3. **Start NFS manually (temporary)**
+   ```bash
+   sudo mkdir -p /media /swarmvols
+   sudo systemctl start nfs-server
+   sudo exportfs -o rw,sync,no_subtree_check,no_root_squash 10.0.0.0/24:/media
+   sudo exportfs -o rw,sync,no_subtree_check,no_root_squash 10.0.0.0/24:/swarmvols
+   sudo exportfs -v
+   ```
+   This will restore k3s cluster access immediately while you diagnose.
+
+4. **Boot back into Arch Linux**
+   ```bash
+   # Reboot and select nvme0n1p4 (Arch) in GRUB/boot menu
+   sudo reboot
+   ```
+
+5. **Verify Arch boots and services start**
+   ```bash
+   ssh johno@10.0.0.43
+   zpool status
+   systemctl status nfs-server
+   ```
+
+### Full Rollback (If needed)
+
+1. **Follow Quick Rollback steps above**
+
+2. **Re-add nvme0n1p5 to media pool (if desired)**
+   ```bash
+   # Only if you want to restore the original configuration
+   sudo zpool add media /dev/nvme0n1p5
+   ```
+
+3. **Clean up NixOS partition**
+   ```bash
+   # If you want to reclaim nvme0n1p5 for other uses
+   sudo wipefs -a /dev/nvme0n1p5
+   ```
+
+## Risk Mitigation
+
+### Data Safety
+- ✅ **swarmvols** (production): Mirrored + nightly borg backups
+- ⚠️  **media** (important): JBOD - no redundancy, but not catastrophic
+- ✅ **NixOS install**: Separate partition, doesn't touch ZFS pools
+- ✅ **Arch Linux**: Remains bootable on nvme0n1p4 until verified
+
+### Service Continuity
+- Downtime: 30-60 minutes expected
+- k3s cluster: Will reconnect automatically when NFS returns
+- Rollback time: < 10 minutes to restore Arch
+
+### Testing Approach
+1. Test NFS exports from NixOS live environment before installation
+2. Test single NFS mount from k3s node before full cluster restart
+3. Keep Arch Linux boot option until 24-48 hours of stable NixOS operation
+
+## Post-Migration Tasks
+
+After successful migration and 24-48 hours of stable operation:
+
+1. **Update k3s NFS mounts (if needed)**
+   - Verify no hardcoded references to old system
+
+2. **Optional: Repurpose Arch partition**
+   ```bash
+   # After you're confident NixOS is stable
+   # You can wipe nvme0n1p4 and repurpose it
+   ```
+
+3. **Update documentation**
+   - Update infrastructure docs with NixOS configuration
+   - Document any deviations from this plan
+
+4. **Consider setting up NixOS remote deployment**
+   ```bash
+   # From your workstation:
+   nixos-rebuild switch --target-host johno@10.0.0.43 --flake .#john-endesktop
+   ```
+
+## Timeline
+
+- **Preparation**: 1-2 hours (testing config build, downloading ISO)
+- **Migration window**: 1-2 hours (installation + verification)
+- **Verification period**: 24-48 hours (before removing Arch)
+- **Total**: ~3 days from start to declaring success
+
+## Emergency Contacts
+
+- Borg backup location: [Document your borg repo location]
+- K3s cluster nodes: [Document your k3s nodes]
+- Critical services on k3s: [Document what's running that depends on these NFS shares]
+
+## Checklist
+
+Pre-migration:
+- [x] nvme0n1p5 removal from media pool complete
+- [x] Recent backup verified (< 24 hours)
+- [x] Maintenance window scheduled
+- [x] NixOS ISO downloaded
+- [x] Bootable USB created
+- [x] NixOS config builds successfully
+
+During migration:
+- [ ] ZFS pools exported
+- [ ] Arch Linux shutdown cleanly
+- [ ] Booted from NixOS USB
+- [ ] nvme0n1p5 formatted with btrfs
+- [ ] Btrfs subvolumes created
+- [ ] ZFS pools imported
+- [ ] NixOS installed
+- [ ] Root password set
+
+Post-migration:
+- [ ] NixOS boots successfully
+- [ ] ZFS pools mounted automatically
+- [ ] NFS server running
+- [ ] NFS exports verified
+- [ ] Test mount from k3s node successful
+- [ ] k3s cluster reconnected
+- [ ] Persistent volumes accessible
+- [ ] No hostid warnings in zpool status
+- [ ] Arch Linux still bootable (for rollback)
+
+Final verification (after 24-48 hours):
+- [ ] All services stable
+- [ ] No unexpected issues
+- [ ] Performance acceptable
+- [ ] Ready to remove Arch partition (optional)
+- [ ] Ready to remove /swarmvols/media-backup (optional)

machines/john-endesktop/configuration.nix

@@ -0,0 +1,167 @@
+# NixOS configuration for john-endesktop (ZFS/NFS server)
+# Migrated from Arch Linux to provide ZFS pools via NFS to k3s cluster
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # Boot configuration
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # ZFS support
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.forceImportRoot = false;
+  boot.zfs.extraPools = [ "media" "swarmvols" ];
+
+  # Set ZFS hostid to match current system (from Arch Linux)
+  # This resolves the hostid mismatch warnings
+  networking.hostId = "007f0101";
+
+  # Hostname
+  networking.hostName = "john-endesktop";
+
+  # Network configuration - using DHCP on enp0s31f6
+  networking.useDHCP = false;
+  networking.interfaces.enp0s31f6.useDHCP = true;
+
+  # NFS Server configuration
+  services.nfs.server = {
+    enable = true;
+
+    # NFS protocol versions
+    # v3 for broader compatibility, v4 for better performance
+    exports = ''
+      # These are managed by ZFS sharenfs properties
+      # but we enable the NFS server here
+    '';
+  };
+
+  # Enable NFS4 with proper configuration
+  services.rpcbind.enable = true;
+
+  # Firewall configuration for NFS
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      111   # rpcbind
+      2049  # nfs
+      4000  # nfs callback
+      4001  # nlockmgr
+      4002  # mountd
+      5000  # harmonia binary cache
+      20048 # mountd
+    ];
+    allowedUDPPorts = [
+      111   # rpcbind
+      2049  # nfs
+      4000  # nfs callback
+      4001  # nlockmgr
+      4002  # mountd
+      20048 # mountd
+    ];
+    # Allow NFS from local network
+    extraCommands = ''
+      iptables -A nixos-fw -p tcp -s 10.0.0.0/24 -j ACCEPT
+      iptables -A nixos-fw -p udp -s 10.0.0.0/24 -j ACCEPT
+    '';
+  };
+
+  # ZFS maintenance
+  services.zfs = {
+    autoScrub = {
+      enable = true;
+      interval = "monthly";
+    };
+    trim = {
+      enable = true;
+      interval = "weekly";
+    };
+  };
+
+  # Basic system packages
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+    htop
+    tmux
+    zfs
+    rclone
+    custom.rclone-torbox-setup  # Helper script to set up TorBox credentials via rbw
+  ];
+
+  # Enable SSH
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = true;
+    };
+  };
+
+  # User configuration
+  roles.users.enable = true;
+
+  # Enable as remote builder (similar to zix790prors)
+  roles.remote-build.enableBuilder = true;
+
+  # k3s agent configuration
+  roles.k3s-node = {
+    enable = true;
+    role = "agent";
+    # serverAddr defaults to https://10.0.0.222:6443
+    # tokenFile defaults to /etc/k3s/token
+    extraFlags = [
+      # Node labels for workload scheduling
+      # fast-cpu: This node has a faster CPU than other cluster nodes
+      "--node-label=fast-cpu=true"
+      # fast-storage: This node is the NFS host with fast local storage access
+      "--node-label=fast-storage=true"
+      # k3s-upgrade=disabled: NixOS manages k3s upgrades via Nix, not system-upgrade-controller
+      "--node-label=k3s-upgrade=disabled"
+    ];
+  };
+
+  roles.virtualisation.enable = true;
+
+  # TorBox WebDAV mount for rdt-client and Jellyfin
+  roles.rclone-mount = {
+    enable = true;
+    mounts.torbox = {
+      webdavUrl = "https://webdav.torbox.app";
+      username = "john@ogle.fyi";  # TorBox account email
+      mountPoint = "/media/media/torbox-rclone";
+      environmentFile = "/etc/rclone/torbox.env";
+      vfsCacheMode = "full";  # Best for streaming media
+      dirCacheTime = "5m";
+      extraArgs = [
+        "--buffer-size=64M"
+        "--vfs-read-chunk-size=32M"
+        "--vfs-read-chunk-size-limit=off"
+      ];
+      # Wait for ZFS media pool to be mounted before starting
+      requiresMountsFor = [ "/media" ];
+    };
+  };
+
+  # Harmonia binary cache server
+  # Replaces the broken k8s deployment with native NixOS service
+  services.harmonia = {
+    enable = true;
+    signKeyPaths = [ "/etc/harmonia/signing-key.private" ];
+    settings = {
+      bind = "[::]:5000";
+    };
+  };
+
+  # Time zone
+  time.timeZone = "America/Los_Angeles"; # Adjust as needed
+
+  # NixOS version
+  system.stateVersion = "25.11";
+}

machines/john-endesktop/hardware-configuration.nix

@@ -0,0 +1,63 @@
+# Hardware configuration for john-endesktop
+# This file should be regenerated after NixOS installation using:
+# nixos-generate-config --show-hardware-config
+
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  # Boot configuration
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # File systems - these will need to be updated after installation
+  # The nvme0n1p5 partition will be formatted as btrfs for NixOS root
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/5f4ad025-bfab-4aed-a933-6638348059e5";
+    fsType = "btrfs";
+    options = [ "subvol=@" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/5f4ad025-bfab-4aed-a933-6638348059e5";
+    fsType = "btrfs";
+    options = [ "subvol=@home" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/5f4ad025-bfab-4aed-a933-6638348059e5";
+    fsType = "btrfs";
+    options = [ "subvol=@nix" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/var/log" = {
+    device = "/dev/disk/by-uuid/5f4ad025-bfab-4aed-a933-6638348059e5";
+    fsType = "btrfs";
+    options = [ "subvol=@log" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/boot" = {
+    # This should match your current EFI partition
+    device = "/dev/disk/by-uuid/F5C6-D570";
+    fsType = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };
+
+  # ZFS pools - these are imported by ZFS, not managed by fileSystems
+  # The pools should be imported automatically via boot.zfs.extraPools
+  # /media and /swarmvols will be mounted by ZFS
+
+  # No swap needed - 23GB RAM is sufficient for this NFS/ZFS server
+  swapDevices = [ ];
+
+  # CPU microcode
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  # Networking
+  networking.useDHCP = lib.mkDefault true;
+}

machines/johno-macbookpro/configuration.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Basic system configuration for macOS work laptop
+  system.stateVersion = 6;
+
+  # Set primary user for nix-darwin
+  system.primaryUser = "johno";
+
+  # System preferences (can be expanded later)
+  system.defaults = {
+    dock.autohide = true;
+    finder.AppleShowAllExtensions = true;
+    NSGlobalDomain.AppleShowAllExtensions = true;
+  };
+
+  # TODO: Find a way to not duplicate this
+  launchd.user.envVariables = {
+    # DOOM Emacs environment variables
+    DOOMDIR = "/Users/johno/.config/doom";
+    DOOMLOCALDIR = "/Users/johno/.local/doom";
+  };
+}

machines/live-usb/configuration.nix

@@ -65,6 +65,8 @@
 
   # Enable NetworkManager for easy wifi setup
   networking.networkmanager.enable = true;
+  # Disable wireless networking (conflicts with NetworkManager)
+  networking.wireless.enable = false;
   
   # Enable SSH daemon for remote access
   services.openssh = {

machines/nix-book/configuration.nix

@@ -15,18 +15,47 @@
     desktop = {
       enable = true;
       wayland = true;
-      gaming = false;
+      gaming.enable = true;
       kde = true;
       sddm = true;
     };
     nfs-mounts.enable = true;
     printing.enable = true;
+    remote-build.builders = [
+      {
+        hostName = "zix790prors.oglehome";
+        maxJobs = 16;
+        speedFactor = 3;
+      }
+      {
+        hostName = "john-endesktop.oglehome";
+        maxJobs = 1;
+        speedFactor = 1;
+      }
+    ];
     spotifyd.enable = true;
     users = {
       enable = true;
       extraGroups = [ "video" ];
     };
-    virtualisation.enable = true;
+    virtualisation = {
+      enable = true;
+      waydroid = true;
+    };
+    wireguard = {
+      enable = true;
+      autostart = true;
+      interfaceName = "ogleNet";
+      address = [ "192.168.4.2/32" ];
+      privateKeyFile = "/etc/wireguard/oglehome-private-key";
+      dns = [ "192.168.4.1" ];
+      peers = [{
+        publicKey = "AWkmtaz0poyyKJGnRcabO5ecd6ESh1lKu+XRb3ObxBc=";
+        endpoint = "pi.johnogle.info:6666";
+        allowedIPs = [ "0.0.0.0/0" ];
+        persistentKeepalive = 25;
+      }];
+    };
   };
 
   # Bootloader.
@@ -34,12 +63,15 @@
   boot.loader.efi.canTouchEfiVariables = true;
 
   boot.initrd.luks.devices."luks-b614167b-9045-4234-a441-ac6f60a96d81".device = "/dev/disk/by-uuid/b614167b-9045-4234-a441-ac6f60a96d81";
+
+  services.logind.settings.Login = {
+    HandlePowerKey = "hibernate";
+    HandlePowerKeyLongPress = "poweroff";
+  };
+
   networking.hostName = "nix-book"; # Define your hostname.
   # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
 
-  boot.kernelPackages = pkgs.linuxPackages_latest;
-
-
   # Enable networking
   networking.networkmanager.enable = true;
 

machines/nix-deck/configuration.nix

@@ -0,0 +1,48 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../roles/desktop/steamos.nix
+  ];
+
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      wayland = true;
+      gaming.enable = true;
+      kde = true;
+      steamos = {
+        enable = true;
+        autoStart = true;
+        desktopSession = "plasma";
+      };
+    };
+    remote-build.builders = [
+      {
+        hostName = "zix790prors.oglehome";
+        maxJobs = 16;
+        speedFactor = 4;
+      }
+      {
+        hostName = "john-endesktop.oglehome";
+        maxJobs = 1;
+        speedFactor = 2;
+      }
+    ];
+    users = {
+      enable = true;
+      extraGroups = [ "video" ];
+    };
+  };
+
+  # Bootloader
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "nix-deck";
+  networking.networkmanager.enable = true;
+
+  system.stateVersion = "25.05";
+}

machines/nix-deck/hardware-configuration.nix

@@ -0,0 +1,51 @@
+# Hardware configuration for Steam Deck (nix-deck)
+# Generated from nixos-generate-config on 2025-11-17
+
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  # Steam Deck specific hardware configuration (Jovian)
+  jovian.devices.steamdeck = {
+    enable = true;
+    autoUpdate = false;  # Set to true if you want automatic firmware updates
+  };
+
+  # Kernel modules detected by nixos-generate-config
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "usb_storage"
+    "uas"
+    "usbhid"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # IMPORTANT: Update these filesystem configurations based on your actual partition layout
+  # The configuration below is a placeholder - adjust according to how you partitioned the disk
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "vfat";
+  };
+
+  swapDevices = [{
+    device = "/swapfile";
+    size = 8192;  # 8GB swap file
+  }];
+
+  # AMD CPU microcode updates
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/wixos/configuration.nix

@@ -1,62 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-# NixOS-WSL specific options are documented on the NixOS-WSL repository:
-# https://github.com/nix-community/NixOS-WSL
-
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-  ];
-
-  roles = {
-    audio.enable = true;
-    desktop = {
-      enable = true;
-      wayland = true;
-    };
-    users.enable = true;
-  };
-
-  networking.hostName = "wixos";
-
-  wsl.enable = true;
-  wsl.defaultUser = "johno";
-  wsl.startMenuLaunchers = true;
-  wsl.useWindowsDriver = true;
-  wsl.wslConf.network.hostname = "wixos";
-  wsl.wslConf.user.default = "johno";
-
-  services.xserver.videoDrivers = [ "nvidia" ];
-  hardware.graphics = { 
-    enable = true;
-
-    extraPackages = with pkgs; [
-      mesa
-      libvdpau-va-gl
-      vaapiVdpau
-    ];
-  };
-  environment.sessionVariables = {
-    LD_LIBRARY_PATH = [
-      "/usr/lib/wsl/lib"
-      "/run/opengl-driver/lib"
-    ];
-  };
-  hardware.nvidia = {
-    modesetting.enable = true;
-    nvidiaSettings = true;
-    open = true;
-    package = config.boot.kernelPackages.nvidiaPackages.latest;
-  };
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
-}

machines/zix790prors/README.org

@@ -0,0 +1,31 @@
+* zix790prors
+
+The re-birthed NixOS install of my 2024/2025 gaming pc / workstation.
+
+** Specs
+- **CPU:** Intel Core i7-14700K (20 cores, 28 threads, up to 5.6 GHz)
+- **Memory:** 64 GB RAM
+- **Storage:**
+  - 4TB NVMe SSD (main drive with dual-boot partitions)
+    - Windows 11 partition (NTFS)
+    - NixOS /nix/store partition (btrfs)
+    - Shared /games partition (btrfs, accessible from both Windows and NixOS)
+- **GPU:** NVIDIA GeForce RTX 4070 Ti
+- **Boot:** UEFI with 100MB EFI System Partition
+
+This is a powerful all-purpose workstation optimized for gaming, 3D modeling, and development. It dual-boots Windows 11 with a shared btrfs /games partition accessible from both operating systems.
+*** Validation
+Given the above specs, I want to run shell commands to validate them for accuracy. Use the run_shell_command tool to get the results required to complete this validation. Do not return to the user until you have exhausted your self-serve options for accomplishing your task.
+
+** BIOS Settings
+
+**2025-09-08**
+
+I underclocked the CPU today. I set the cpu/cache voltage offset to -50mV and lowered the P-Core multiplier from 56x to 50x. I was able to run Intel XTU benchmarks and the CPU stayed around 80C without any throttling kicking in, whereas before it would bounce around various cores at 100C with lots of throttling taking place.
+
+My goals for this change are:
+- CPU longevity
+- Fan noise
+- Addressing various apps that say 100C is a "critical temperature" (though I believe the CPU is rated for up to 110C)
+
+I'm leaving some performance on the table, but it almost feels like the default settings for this CPU were to effectively be overclocked.

machines/zix790prors/configuration.nix

@@ -0,0 +1,84 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    #./virtual-surround.nix
+  ];
+
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      gaming = {
+        enable = true;
+      };
+      kde = true;
+      sddm = true;
+      wayland = true;
+      x11 = true;
+    };
+    kodi.enable = true;
+    nfs-mounts.enable = true;
+    nvidia = {
+      enable = true;
+      graphics.enable32Bit = true;
+    };
+    printing.enable = true;
+    remote-build.enableBuilder = true;
+    users.enable = true;
+    virtualisation.enable = true;
+  };
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.configurationLimit = 20;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.timeout = 10;
+
+  networking.hostName = "zix790prors"; # Define your hostname.
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  # Fix dual boot clock sync - tell Linux to use local time for hardware clock
+  time.hardwareClockInLocalTime = true;
+
+  # Set DP-0 as primary display with 164.90Hz refresh rate
+  services.xserver.displayManager.sessionCommands = ''
+    ${pkgs.xorg.xrandr}/bin/xrandr --output DP-0 --mode 3440x1440 --rate 164.90 --primary
+  '';
+
+  services.ollama = {
+    enable = true;
+    acceleration = "cuda";
+    loadModels = [ "gpt-oss" "deepseek-r1" "qwen3:30b" ];
+  };
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "25.11"; # Did you read the comment?
+
+}

machines/zix790prors/hardware-configuration.nix

@@ -0,0 +1,57 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/11C1-EB58";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  roles.btrfs = {
+    enable = true;
+    filesystems."/dev/disk/by-uuid/ec22734b-d1a3-4c99-8c6f-86f6a8d79007" = {
+      mountpoints = {
+        "/" = {
+          compression = "zstd";
+          extraOptions = [ "noatime" ];
+        };
+      };
+      scrub.enable = true;
+      deduplication = {
+        enable = true;
+        hashTableSizeMB = 128;
+        verbosity = "err";
+      };
+    };
+    filesystems."/dev/disk/by-uuid/4f9844ac-c1ad-4426-8eb3-21f2306345fb" = {
+      mountpoints = {
+        "/games" = {
+          extraOptions = [ "noatime" ];
+        };
+      };
+      scrub.enable = true;
+      deduplication = {
+        enable = true;
+        hashTableSizeMB = 256;
+        verbosity = "err";
+      };
+    };
+  };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/zix790prors/virtual-surround.nix

@@ -0,0 +1,132 @@
+# Virtual 4.1 surround sound setup
+# Routes FL/FR to AmazonBasics USB speaker, RL/RR to Fosi BT20A PRO Bluetooth speaker
+{ pkgs, ... }:
+
+{
+  services.pipewire.extraConfig.pipewire."10-virtual-surround" = {
+    "context.objects" = [
+      {
+        factory = "adapter";
+        args = {
+          "factory.name" = "support.null-audio-sink";
+          "node.name" = "virtual_surround_sink";
+          "node.description" = "Virtual 4.1 Surround (AmazonBasics + Fosi)";
+          "media.class" = "Audio/Sink";
+          "audio.position" = [ "FL" "FR" "RL" "RR" "LFE" ];
+          "monitor.channel-volumes" = true;
+        };
+      }
+    ];
+    "context.modules" = [
+      {
+        name = "libpipewire-module-loopback";
+        args = {
+          "node.description" = "Route Front to AmazonBasics";
+          "capture.props" = {
+            "node.name" = "route_front_capture";
+            "audio.position" = [ "FL" "FR" ];
+            "stream.dont-remix" = true;
+            "node.passive" = true;
+          };
+          "playback.props" = {
+            "node.name" = "route_front_playback";
+            "node.target" = "alsa_output.usb-C-Media_Electronics_Inc._AmazonBasics_Professional_Mic_2-00.analog-stereo";
+            "audio.position" = [ "FL" "FR" ];
+            "stream.dont-remix" = true;
+          };
+        };
+      }
+      {
+        name = "libpipewire-module-loopback";
+        args = {
+          "node.description" = "Route Rear to Fosi Audio";
+          "capture.props" = {
+            "node.name" = "route_rear_capture";
+            "audio.position" = [ "RL" "RR" ];
+            "stream.dont-remix" = true;
+            "node.passive" = true;
+          };
+          "playback.props" = {
+            "node.name" = "route_rear_playback";
+            "node.target" = "bluez_output.F4_4E_FD_FB_58_62.1";
+            "audio.position" = [ "FL" "FR" ];
+            "stream.dont-remix" = true;
+          };
+        };
+      }
+      {
+        name = "libpipewire-module-loopback";
+        args = {
+          "node.description" = "Route Subwoofer to AmazonBasics";
+          "capture.props" = {
+            "node.name" = "route_lfe_capture";
+            "audio.position" = [ "LFE" ];
+            "stream.dont-remix" = true;
+            "node.passive" = true;
+          };
+          "playback.props" = {
+            "node.name" = "route_lfe_playback";
+            "node.target" = "alsa_output.usb-C-Media_Electronics_Inc._AmazonBasics_Professional_Mic_2-00.analog-stereo";
+            "audio.position" = [ "MONO" ];
+            "stream.dont-remix" = false;
+          };
+        };
+      }
+    ];
+  };
+
+  # Systemd services to fix PipeWire loopback routing for virtual surround
+  systemd.user.services.pipewire-surround-link = {
+    description = "Link virtual surround sink to loopback captures";
+    after = [ "pipewire.service" "wireplumber.service" ];
+    requires = [ "pipewire.service" "wireplumber.service" ];
+    wantedBy = [ "pipewire.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = false;
+      ExecStart = pkgs.writeShellScript "surround-link" ''
+        sleep 2
+        # Disconnect wrong connections
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX0 route_front_capture:input_FL 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX1 route_front_capture:input_FR 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX0 route_rear_capture:input_RL 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX1 route_rear_capture:input_RR 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link -d alsa_input.pci-0000_00_1f.3.pro-input-2:capture_AUX0 route_lfe_capture:input_LFE 2>/dev/null || true
+        # Create correct connections
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_FL route_front_capture:input_FL 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_FR route_front_capture:input_FR 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_RL route_rear_capture:input_RL 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_RR route_rear_capture:input_RR 2>/dev/null || true
+        ${pkgs.pipewire}/bin/pw-link virtual_surround_sink:monitor_LFE route_lfe_capture:input_LFE 2>/dev/null || true
+      '';
+    };
+  };
+
+  systemd.user.services.pipewire-surround-link-check = {
+    description = "Check and fix surround sink links";
+    after = [ "pipewire.service" "wireplumber.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "surround-link-check" ''
+        if ${pkgs.pipewire}/bin/pw-cli ls Node 2>/dev/null | grep -q "bluez_output.F4_4E_FD_FB_58_62"; then
+          if ${pkgs.pipewire}/bin/pw-link -l 2>/dev/null | grep -q "route_front_capture:input_FL.*alsa_input"; then
+            ${pkgs.systemd}/bin/systemctl --user start pipewire-surround-link.service
+          fi
+          if ! ${pkgs.pipewire}/bin/pw-link -l 2>/dev/null | grep -q "virtual_surround_sink:monitor_FL.*route_front_capture"; then
+            ${pkgs.systemd}/bin/systemctl --user start pipewire-surround-link.service
+          fi
+        fi
+      '';
+    };
+  };
+
+  systemd.user.timers.pipewire-surround-link-check = {
+    description = "Periodically check surround sink links";
+    wantedBy = [ "default.target" ];
+    timerConfig = {
+      OnStartupSec = "10s";
+      OnUnitActiveSec = "10s";
+      Unit = "pipewire-surround-link-check.service";
+    };
+  };
+}

packages/app-launcher-server/app-launcher-server.py

@@ -0,0 +1,176 @@
+#!/usr/bin/env python3
+
+import json
+import logging
+import os
+import subprocess
+import sys
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from urllib.parse import urlparse
+import psutil
+
+# Configure logging
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger(__name__)
+
+# Allowlisted applications that can be launched
+ALLOWED_APPS = {
+    'firefox': 'firefox',
+    'kodi': 'kodi'
+}
+
+def is_app_running(app_name):
+    """Check if an application is already running, returns (is_running, pid)"""
+    command = ALLOWED_APPS.get(app_name)
+    if not command:
+        return False, None
+
+    logger.debug(f"Looking for processes related to app '{app_name}' (command: '{command}')")
+
+    for proc in psutil.process_iter(['name', 'cmdline', 'pid']):
+        try:
+            proc_name = proc.info['name']
+            cmdline = proc.info['cmdline'] or []
+
+            logger.debug(f"Checking process PID {proc.info['pid']}: name='{proc_name}', cmdline={cmdline}")
+
+            # Check multiple patterns for the application:
+            # 1. Process name exactly matches command
+            # 2. Process name contains the command (e.g., "kodi.bin" contains "kodi")
+            # 3. Command line starts with the command
+            # 4. Command line contains the wrapped version (e.g., ".kodi-wrapped")
+            # 5. Any command line argument ends with the command executable
+
+            matches = False
+            match_reason = ""
+
+            if proc_name == command:
+                matches = True
+                match_reason = f"exact process name match: '{proc_name}'"
+            elif command in proc_name:
+                matches = True
+                match_reason = f"process name contains command: '{proc_name}' contains '{command}'"
+            elif cmdline and cmdline[0] == command:
+                matches = True
+                match_reason = f"exact cmdline match: '{cmdline[0]}'"
+            elif cmdline and cmdline[0].endswith('/' + command):
+                matches = True
+                match_reason = f"cmdline path ends with command: '{cmdline[0]}'"
+            elif cmdline and any(f'.{command}-wrapped' in arg for arg in cmdline):
+                matches = True
+                match_reason = f"wrapped command in cmdline: {cmdline}"
+            elif cmdline and any(f'{command}.bin' in arg for arg in cmdline):
+                matches = True
+                match_reason = f"binary command in cmdline: {cmdline}"
+
+            if matches:
+                logger.info(f"Found running {app_name} process: PID {proc.info['pid']} ({match_reason})")
+                return True, proc.info['pid']
+
+        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
+            continue
+
+    logger.debug(f"No running process found for {app_name}")
+    return False, None
+
+class AppLauncherHandler(BaseHTTPRequestHandler):
+    def log_message(self, format, *args):
+        logger.info(format % args)
+
+    def do_GET(self):
+        if self.path == '/':
+            self.send_response(200)
+            self.send_header('Content-type', 'application/json')
+            self.end_headers()
+            response = {
+                'status': 'running',
+                'available_apps': list(ALLOWED_APPS.keys()),
+                'usage': 'POST /launch/<app_name> to launch an application'
+            }
+            self.wfile.write(json.dumps(response, indent=2).encode())
+        else:
+            self.send_error(404)
+
+    def do_POST(self):
+        parsed_path = urlparse(self.path)
+        path_parts = parsed_path.path.strip('/').split('/')
+
+        if len(path_parts) == 2 and path_parts[0] == 'launch':
+            app_name = path_parts[1]
+            self.launch_app(app_name)
+        else:
+            self.send_error(404, "Invalid endpoint. Use /launch/<app_name>")
+
+    def launch_app(self, app_name):
+        if app_name not in ALLOWED_APPS:
+            self.send_error(400, f"Application '{app_name}' not allowed. Available apps: {list(ALLOWED_APPS.keys())}")
+            return
+
+        command = ALLOWED_APPS[app_name]
+
+        # Check if app is already running
+        is_running, existing_pid = is_app_running(app_name)
+        if is_running:
+            logger.info(f"Application {app_name} is already running (PID: {existing_pid}), skipping launch")
+            self.send_response(200)
+            self.send_header('Content-type', 'application/json')
+            self.end_headers()
+            response = {
+                'status': 'success',
+                'message': f'{app_name} is already running',
+                'pid': existing_pid,
+                'already_running': True
+            }
+            self.wfile.write(json.dumps(response).encode())
+            return
+
+        try:
+            # Launch the application in the background
+            # Ensure we have the proper environment for GUI apps
+            env = os.environ.copy()
+
+            logger.info(f"Launching application: {command}")
+            process = subprocess.Popen(
+                [command],
+                env=env,
+                stdout=subprocess.DEVNULL,
+                stderr=subprocess.DEVNULL,
+                start_new_session=True
+            )
+
+            self.send_response(200)
+            self.send_header('Content-type', 'application/json')
+            self.end_headers()
+            response = {
+                'status': 'success',
+                'message': f'Successfully launched {app_name}',
+                'pid': process.pid,
+                'already_running': False
+            }
+            self.wfile.write(json.dumps(response).encode())
+
+        except FileNotFoundError:
+            logger.error(f"Application not found: {command}")
+            self.send_error(500, f"Application '{app_name}' not found on system")
+        except Exception as e:
+            logger.error(f"Error launching {command}: {e}")
+            self.send_error(500, f"Failed to launch {app_name}: {str(e)}")
+
+def main():
+    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8081
+
+    server = HTTPServer(('0.0.0.0', port), AppLauncherHandler)
+    logger.info(f"App launcher server starting on port {port}")
+    logger.info(f"Available applications: {list(ALLOWED_APPS.keys())}")
+
+    try:
+        server.serve_forever()
+    except KeyboardInterrupt:
+        logger.info("Server shutting down...")
+        server.server_close()
+
+if __name__ == '__main__':
+    main()

packages/app-launcher-server/default.nix

@@ -0,0 +1,10 @@
+{ pkgs }:
+
+let
+  python = pkgs.python3.withPackages (ps: with ps; [
+    psutil
+  ]);
+in
+pkgs.writeShellScriptBin "app-launcher-server" ''
+  exec ${python}/bin/python3 ${./app-launcher-server.py} "$@"
+''

packages/claude-code/README.md

@@ -0,0 +1,116 @@
+# claude-cli
+
+Custom Nix package for Claude Code CLI.
+
+## Why This Package Exists
+
+The official `claude-code` package in nixpkgs tries to fetch from npm registry, which is blocked by Block's corporate security (Cloudflare Teams dependency confusion protection). This custom package fetches directly from Anthropic's Google Cloud Storage distribution, bypassing the npm registry entirely.
+
+## Updating to a New Version
+
+### Automated Update (Recommended)
+
+Run the update script to automatically fetch and update to the latest version:
+
+```bash
+cd packages/claude-cli
+./update.sh
+```
+
+The script will:
+- Fetch the latest version from Homebrew cask
+- Update version and all SHA256 hashes in default.nix
+- Show you what changed
+
+For a dry-run to see what would change:
+
+```bash
+./update.sh --dry-run
+```
+
+After the script completes, follow the "Test the Build" steps below.
+
+### Manual Update
+
+If you prefer to update manually, or if the automated script fails:
+
+#### 1. Find the Latest Version and Hashes
+
+Check the Homebrew cask formula for the latest version info:
+
+```bash
+curl -s "https://raw.githubusercontent.com/Homebrew/homebrew-cask/HEAD/Casks/c/claude-code.rb" | head -50
+```
+
+This will show:
+- The latest `version` number
+- SHA256 hashes for all platforms (`arm64`, `x86_64`, `x86_64_linux`, `arm64_linux`)
+
+#### 2. Update default.nix
+
+Edit `default.nix` and update:
+
+1. The `version` variable (line 9):
+   ```nix
+   version = "2.0.51";  # Update this
+   ```
+
+2. All four platform sha256 hashes in the `srcs` attribute set (lines 11-27):
+   ```nix
+   aarch64-darwin = {
+     sha256 = "...";  # Update from Homebrew cask "arm:" value
+   };
+   x86_64-darwin = {
+     sha256 = "...";  # Update from Homebrew cask "x86_64:" value
+   };
+   x86_64-linux = {
+     sha256 = "...";  # Update from Homebrew cask "x86_64_linux:" value
+   };
+   aarch64-linux = {
+     sha256 = "...";  # Update from Homebrew cask "arm64_linux:" value
+   };
+   ```
+
+#### 3. Test the Build
+
+Before committing, test that the package builds successfully:
+
+```bash
+NIXPKGS_ALLOW_UNFREE=1 nix-build -E 'with import <nixpkgs> { config.allowUnfree = true; }; callPackage ./packages/claude-cli {}'
+```
+
+Verify the version:
+
+```bash
+./result/bin/claude --version
+```
+
+Clean up the test build:
+
+```bash
+rm result
+```
+
+#### 4. Deploy
+
+Commit your changes and rebuild:
+
+```bash
+git add packages/claude-cli/
+git commit -m "claude-cli: Update to version X.Y.Z"
+darwin-rebuild switch --flake .#blkfv4yf49kt7
+```
+
+## Alternative: Automated Hash Fetching
+
+If you prefer to fetch hashes automatically, you can use `nix-prefetch-url`:
+
+```bash
+# For macOS ARM64 (your current platform)
+nix-prefetch-url "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/VERSION/darwin-arm64/claude"
+
+# For other platforms, replace VERSION and adjust the platform string:
+# darwin-x64, linux-x64, linux-arm64
+```
+
+This will download the file and output the SHA256 hash.

packages/claude-code/default.nix

@@ -0,0 +1,75 @@
+{ lib
+, stdenv
+, fetchurl
+, patchelf
+, glibc
+}:
+
+let
+  version = "2.1.75";
+
+  srcs = {
+    aarch64-darwin = {
+      url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/darwin-arm64/claude";
+      sha256 = "8c541a5e924eda2070eaf1702a48047af671c4dff6a11a5e762076614a082675";
+    };
+    x86_64-darwin = {
+      url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/darwin-x64/claude";
+      sha256 = "82c90b91a0a18f60191f817b9b42304d8b17dbed75795b715c41f4fdfe4c782d";
+    };
+    x86_64-linux = {
+      url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/linux-x64/claude";
+      sha256 = "328b0a429c05a04f911157d886be5123cf1824a19ba8ca1f9d594c004eac32c9";
+    };
+    aarch64-linux = {
+      url = "https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/${version}/linux-arm64/claude";
+      sha256 = "ec8f4f7f7bb50611dae70c109a76ee1da6a3ab45511c65f117df215848ecc905";
+    };
+  };
+
+  src = srcs.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+in stdenv.mkDerivation {
+  pname = "claude-code";
+  inherit version;
+
+  src = fetchurl {
+    inherit (src) url sha256;
+  };
+
+  dontUnpack = true;
+  dontBuild = true;
+  # Bun standalone binaries have JS code appended after the ELF sections
+  # stripping/patching would remove or corrupt this appended data
+  dontStrip = true;
+  dontPatchELF = true;
+
+  # Don't use autoPatchelfHook - it rewrites the ELF and strips the appended
+  # bun bundle (the JS code is appended after the ELF sections)
+  nativeBuildInputs = lib.optionals stdenv.isLinux [ patchelf ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm755 $src $out/bin/claude
+
+    runHook postInstall
+  '';
+
+  # Manually patch the interpreter for bun standalone binaries
+  # patchelf --set-interpreter modifies in-place without rewriting the entire ELF,
+  # preserving the appended JS bundle that bun needs at runtime
+  postFixup = lib.optionalString stdenv.isLinux ''
+    interpreter="${glibc}/lib/${if stdenv.hostPlatform.system == "aarch64-linux" then "ld-linux-aarch64.so.1" else "ld-linux-x86-64.so.2"}"
+    patchelf --set-interpreter "$interpreter" $out/bin/claude
+  '';
+
+  meta = with lib; {
+    description = "Terminal-based AI coding assistant from Anthropic";
+    homepage = "https://www.anthropic.com/claude-code";
+    license = licenses.unfree;
+    maintainers = [ ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" "x86_64-linux" "aarch64-linux" ];
+    mainProgram = "claude";
+  };
+}

packages/claude-code/npm.nix

@@ -0,0 +1,34 @@
+{ lib
+, buildNpmPackage
+, fetchurl
+, nodejs_18
+}:
+
+buildNpmPackage {
+  pname = "claude-cli";
+  version = "0.2.65";
+  
+  src = fetchurl {
+    url = "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-0.2.65.tgz";
+    sha256 = "0wwaqq7k9p5aw4vqhfpdgf3da09x64q55wibqaprk6kjvn130i92";
+  };
+  
+  npmDepsHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; # Will be updated after first build
+  
+  nodejs = nodejs_18;
+  
+  # Don't run npm audit or other network operations during build
+  npmConfigHook = ''
+    npm config set audit false
+    npm config set fund false
+  '';
+  
+  meta = with lib; {
+    description = "Terminal-based AI coding assistant from Anthropic (npm distribution)";
+    homepage = "https://www.anthropic.com/claude-code";
+    license = licenses.unfree;
+    maintainers = [ ];
+    platforms = platforms.all;
+    mainProgram = "claude";
+  };
+}

packages/claude-code/update.sh

@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DRY_RUN=false
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --dry-run|-n)
+            DRY_RUN=true
+            shift
+            ;;
+        --help|-h)
+            echo "Usage: $0 [OPTIONS]"
+            echo ""
+            echo "Options:"
+            echo "  --dry-run, -n    Show what would be updated without making changes"
+            echo "  --help, -h       Show this help message"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            echo "Use --help for usage information"
+            exit 1
+            ;;
+    esac
+done
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+CASK_URL="https://raw.githubusercontent.com/Homebrew/homebrew-cask/HEAD/Casks/c/claude-code.rb"
+REPO_ROOT="${REPO_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+NIX_FILE="$REPO_ROOT/packages/claude-code/default.nix"
+
+echo "Fetching latest claude-code version from Homebrew cask..."
+
+# Fetch the cask file
+CASK_CONTENT=$(curl -fsSL "$CASK_URL")
+
+# Extract version (format: version "X.Y.Z")
+NEW_VERSION=$(echo "$CASK_CONTENT" | grep -m1 'version' | sed -E 's/.*version "([^"]+)".*/\1/')
+
+# Extract SHA256 hashes (be specific to match sha256 lines only)
+SHA_ARM=$(echo "$CASK_CONTENT" | grep 'sha256 arm:' | sed -E 's/.*"([a-f0-9]{64})".*/\1/')
+SHA_X86_64=$(echo "$CASK_CONTENT" | grep 'x86_64:' | sed -E 's/.*"([a-f0-9]{64})".*/\1/')
+SHA_X86_64_LINUX=$(echo "$CASK_CONTENT" | grep 'x86_64_linux:' | sed -E 's/.*"([a-f0-9]{64})".*/\1/')
+SHA_ARM64_LINUX=$(echo "$CASK_CONTENT" | grep 'arm64_linux:' | sed -E 's/.*"([a-f0-9]{64})".*/\1/')
+
+# Get current version
+CURRENT_VERSION=$(grep -m1 'version = ' "$NIX_FILE" | sed -E 's/.*version = "([^"]+)".*/\1/')
+
+# Validate extracted data
+if [ -z "$NEW_VERSION" ] || [ -z "$SHA_ARM" ] || [ -z "$SHA_X86_64" ] || [ -z "$SHA_X86_64_LINUX" ] || [ -z "$SHA_ARM64_LINUX" ]; then
+    echo -e "${RED}Error: Failed to extract all required values from Homebrew cask${NC}"
+    echo "Version: $NEW_VERSION"
+    echo "ARM: $SHA_ARM"
+    echo "x86_64: $SHA_X86_64"
+    echo "x86_64_linux: $SHA_X86_64_LINUX"
+    echo "arm64_linux: $SHA_ARM64_LINUX"
+    exit 1
+fi
+
+# Check if update is needed
+if [ "$CURRENT_VERSION" = "$NEW_VERSION" ]; then
+    echo -e "${GREEN}Already up to date: $CURRENT_VERSION${NC}"
+    exit 0
+fi
+
+echo -e "${YELLOW}Updating from $CURRENT_VERSION to $NEW_VERSION${NC}"
+
+if [ "$DRY_RUN" = true ]; then
+    echo -e "${YELLOW}DRY RUN - No changes will be made${NC}"
+    echo ""
+    echo "Would update:"
+    echo "  Version: $CURRENT_VERSION -> $NEW_VERSION"
+    echo "  aarch64-darwin SHA: $SHA_ARM"
+    echo "  x86_64-darwin SHA:  $SHA_X86_64"
+    echo "  x86_64-linux SHA:   $SHA_X86_64_LINUX"
+    echo "  aarch64-linux SHA:  $SHA_ARM64_LINUX"
+    exit 0
+fi
+
+# Update version
+sed -i.tmp "s/version = \".*\";/version = \"$NEW_VERSION\";/" "$NIX_FILE"
+
+# Update SHA256 hashes using awk for more reliable parsing
+awk -v sha_arm="$SHA_ARM" -v sha_x86="$SHA_X86_64" -v sha_x86_linux="$SHA_X86_64_LINUX" -v sha_arm_linux="$SHA_ARM64_LINUX" '
+/aarch64-darwin = {/ { in_arm = 1 }
+/x86_64-darwin = {/ { in_x86 = 1 }
+/x86_64-linux = {/ { in_x86_linux = 1 }
+/aarch64-linux = {/ { in_arm_linux = 1 }
+/};/ {
+  in_arm = 0
+  in_x86 = 0
+  in_x86_linux = 0
+  in_arm_linux = 0
+}
+/sha256 = / {
+  if (in_arm) {
+    sub(/sha256 = ".*";/, "sha256 = \"" sha_arm "\";")
+  } else if (in_x86) {
+    sub(/sha256 = ".*";/, "sha256 = \"" sha_x86 "\";")
+  } else if (in_x86_linux) {
+    sub(/sha256 = ".*";/, "sha256 = \"" sha_x86_linux "\";")
+  } else if (in_arm_linux) {
+    sub(/sha256 = ".*";/, "sha256 = \"" sha_arm_linux "\";")
+  }
+}
+{ print }
+' "$NIX_FILE" > "$NIX_FILE.new"
+
+mv "$NIX_FILE.new" "$NIX_FILE"
+
+# Clean up temp files
+rm -f "$NIX_FILE.tmp"
+
+echo -e "${GREEN}Successfully updated to version $NEW_VERSION${NC}"
+echo ""
+echo "Updated SHA256 hashes:"
+echo "  aarch64-darwin: $SHA_ARM"
+echo "  x86_64-darwin:  $SHA_X86_64"
+echo "  x86_64-linux:   $SHA_X86_64_LINUX"
+echo "  aarch64-linux:  $SHA_ARM64_LINUX"
+echo ""
+echo "Next steps:"
+echo "  1. Review changes: git diff $NIX_FILE"
+echo "  2. Test build: NIXPKGS_ALLOW_UNFREE=1 nix-build -E 'with import <nixpkgs> { config.allowUnfree = true; }; callPackage ./packages/claude-code {}'"
+echo "  3. Verify version: ./result/bin/claude --version"
+echo "  4. Commit: git add $NIX_FILE && git commit -m 'claude-code: Update to version $NEW_VERSION'"

packages/default.nix

@@ -1,4 +1,11 @@
 { pkgs, ... }:
 {
-  vulkanHDRLayer = pkgs.callPackage ./vulkan-hdr-layer {};
+  tea-rbw = pkgs.callPackage ./tea-rbw { };
+  app-launcher-server = pkgs.callPackage ./app-launcher-server { };
+  claude-code = pkgs.callPackage ./claude-code { };
+  mcrcon-rbw = pkgs.callPackage ./mcrcon-rbw { };
+  rclone-torbox-setup = pkgs.callPackage ./rclone-torbox-setup { };
+  pi-coding-agent = pkgs.callPackage ./pi-coding-agent { };
+  nextcloud-talk-desktop = pkgs.callPackage ./nextcloud-talk-desktop { };
+  opencode = pkgs.callPackage ./opencode { };
 }

packages/mcrcon-rbw/default.nix

@@ -0,0 +1,40 @@
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "mcrcon" ''
+  set -euo pipefail
+
+  # Configuration - can be overridden with environment variables
+  MINECRAFT_RCON_HOST="''${MCRCON_HOST:-10.0.0.165}"
+  MINECRAFT_RCON_PORT="''${MCRCON_PORT:-25575}"
+  RBW_ENTRY="minecraft-rcon"
+
+  # Check if rbw is available
+  if ! command -v rbw &> /dev/null; then
+    echo "Error: rbw is not available. Please ensure rbw is installed and configured."
+    exit 1
+  fi
+
+  # Retrieve password from Bitwarden
+  if ! MCRCON_PASS=$(rbw get "$RBW_ENTRY" 2>/dev/null); then
+    echo "Error: Failed to retrieve RCON password from rbw entry '$RBW_ENTRY'"
+    echo "Please ensure the entry exists in Bitwarden and rbw is synced."
+    echo ""
+    echo "To create the entry:"
+    echo "  1. Add 'minecraft-rcon' to Bitwarden with the RCON password"
+    echo "  2. Run 'rbw sync' to refresh the local cache"
+    exit 1
+  fi
+
+  # Export for mcrcon
+  export MCRCON_HOST="$MINECRAFT_RCON_HOST"
+  export MCRCON_PORT="$MINECRAFT_RCON_PORT"
+  export MCRCON_PASS
+
+  # If no arguments provided, start interactive terminal mode
+  if [[ $# -eq 0 ]]; then
+    exec ${pkgs.mcrcon}/bin/mcrcon -t
+  fi
+
+  # Execute mcrcon with all provided arguments
+  exec ${pkgs.mcrcon}/bin/mcrcon "$@"
+''

packages/nextcloud-talk-desktop/default.nix

@@ -0,0 +1,60 @@
+# Patched Nextcloud Talk Desktop with Wayland screen sharing support
+# Applies the core change from upstream draft PR #1022:
+# https://github.com/nextcloud/talk-desktop/pull/1022
+#
+# Patches the webpack bundle in app.asar to add setDisplayMediaRequestHandler
+# with useSystemPicker: true, enabling native PipeWire/portal-based
+# screen sharing on Wayland (Sway, Hyprland, etc.)
+{ lib
+, nextcloud-talk-desktop
+, nodejs
+, asar
+}:
+
+nextcloud-talk-desktop.overrideAttrs (old: {
+  pname = "nextcloud-talk-desktop-patched";
+
+  nativeBuildInputs = (old.nativeBuildInputs or []) ++ [ asar nodejs ];
+
+  # Patch the asar after the main installPhase creates the output
+  postFixup = (old.postFixup or "") + ''
+    echo "Patching app.asar for Wayland screen sharing..."
+    ASAR_PATH="$out/opt/Nextcloud Talk-linux-x64/resources/app.asar"
+
+    WORK=$(mktemp -d)
+    asar extract "$ASAR_PATH" "$WORK/app"
+
+    # In the webpack bundle:
+    #   session = l, desktopCapturer = a, app = n
+    # We inject setDisplayMediaRequestHandler right after n.whenReady().then((async()=>{
+    # useSystemPicker: true makes Electron use the native system picker
+    # (PipeWire/xdg-desktop-portal on Wayland)
+    node -e "
+      const fs = require('fs');
+      const p = '$WORK/app/.webpack/main/index.js';
+      let c = fs.readFileSync(p, 'utf8');
+
+      if (c.includes('setDisplayMediaRequestHandler')) {
+        console.log('Already patched');
+        process.exit(0);
+      }
+
+      const marker = 'n.whenReady().then((async()=>{';
+      const idx = c.indexOf(marker);
+      if (idx === -1) {
+        console.error('ERROR: Could not find whenReady marker in webpack bundle');
+        process.exit(1);
+      }
+
+      // Inject after the marker
+      const injection = 'l.defaultSession.setDisplayMediaRequestHandler(async(e,t)=>{const s=await a.getSources({types:[\"screen\",\"window\"]});s.length>0?t({video:s[0]}):t({})},{useSystemPicker:!0});';
+
+      c = c.slice(0, idx + marker.length) + injection + c.slice(idx + marker.length);
+      fs.writeFileSync(p, c, 'utf8');
+      console.log('Successfully patched main bundle for Wayland screen sharing');
+    "
+
+    asar pack "$WORK/app" "$ASAR_PATH"
+    rm -rf "$WORK"
+  '';
+})

packages/opencode/default.nix

@@ -0,0 +1,82 @@
+{
+  lib,
+  stdenv,
+  fetchzip,
+  patchelf,
+  glibc,
+}:
+
+let
+  version = "1.4.0";
+
+  srcs = {
+    aarch64-darwin = {
+      url = "https://github.com/anomalyco/opencode/releases/download/v${version}/opencode-darwin-arm64.zip";
+      sha256 = "0m97j2vln8yhhvnsjl92phx6dac24y7hgh75csmbkbhawkz9xm4l";
+    };
+    x86_64-darwin = {
+      url = "https://github.com/anomalyco/opencode/releases/download/v${version}/opencode-darwin-x64.zip";
+      sha256 = "17n04j06pdc2raxjm91y6p87gwpnra0liabpbjwdmyd1iqgqv0q8";
+    };
+    x86_64-linux = {
+      url = "https://github.com/anomalyco/opencode/releases/download/v${version}/opencode-linux-x64.tar.gz";
+      sha256 = "16117lwfj2lb8wjbq5cyf77vhi52ada5ys3212hjqw3qw3wrcc0r";
+    };
+    aarch64-linux = {
+      url = "https://github.com/anomalyco/opencode/releases/download/v${version}/opencode-linux-arm64.tar.gz";
+      sha256 = "06lvm1qiji74xdd3psqn6lwxak65gqsbmkib1pjb4n65f9246jwm";
+    };
+  };
+
+  src =
+    srcs.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+in
+stdenv.mkDerivation {
+  pname = "opencode";
+  inherit version;
+
+  src = fetchzip {
+    inherit (src) url sha256;
+  };
+
+  # Bun standalone binaries have JS code appended after the ELF sections
+  # stripping/patching would remove or corrupt this appended data
+  dontStrip = true;
+  dontPatchELF = true;
+
+  nativeBuildInputs = lib.optionals stdenv.isLinux [ patchelf ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm755 $src/opencode $out/bin/opencode
+
+    runHook postInstall
+  '';
+
+  # Manually patch the interpreter for bun standalone binaries on Linux
+  postFixup = lib.optionalString stdenv.isLinux ''
+    interpreter="${glibc}/lib/${
+      if stdenv.hostPlatform.system == "aarch64-linux" then
+        "ld-linux-aarch64.so.1"
+      else
+        "ld-linux-x86-64.so.2"
+    }"
+    patchelf --set-interpreter "$interpreter" $out/bin/opencode
+  '';
+
+  meta = with lib; {
+    description = "Terminal-based AI coding assistant";
+    homepage = "https://opencode.ai";
+    license = licenses.mit;
+    maintainers = [ ];
+    platforms = [
+      "aarch64-darwin"
+      "x86_64-darwin"
+      "x86_64-linux"
+      "aarch64-linux"
+    ];
+    mainProgram = "opencode";
+  };
+}

packages/opencode/update.sh

@@ -0,0 +1,148 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DRY_RUN=false
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --dry-run|-n)
+            DRY_RUN=true
+            shift
+            ;;
+        --help|-h)
+            echo "Usage: $0 [OPTIONS]"
+            echo ""
+            echo "Options:"
+            echo "  --dry-run, -n    Show what would be updated without making changes"
+            echo "  --help, -h       Show this help message"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            echo "Use --help for usage information"
+            exit 1
+            ;;
+    esac
+done
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+REPO_ROOT="${REPO_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+NIX_FILE="$REPO_ROOT/packages/opencode/default.nix"
+
+echo "Fetching latest opencode version from GitHub API..."
+
+RELEASE_INFO=$(curl -fsSL https://api.github.com/repos/anomalyco/opencode/releases/latest)
+NEW_VERSION=$(echo "$RELEASE_INFO" | jq -r '.tag_name' | sed 's/^v//')
+
+if [ -z "$NEW_VERSION" ] || [ "$NEW_VERSION" = "null" ]; then
+    echo -e "${RED}Error: Failed to fetch version from GitHub API${NC}"
+    exit 1
+fi
+
+CURRENT_VERSION=$(grep -m1 'version = ' "$NIX_FILE" | sed -E 's/.*version = "([^"]+)".*/\1/')
+
+if [ "$CURRENT_VERSION" = "$NEW_VERSION" ]; then
+    echo -e "${GREEN}Already up to date: $CURRENT_VERSION${NC}"
+    exit 0
+fi
+
+echo -e "${YELLOW}Updating from $CURRENT_VERSION to $NEW_VERSION${NC}"
+
+# Compute SHA256 hashes for each platform
+# fetchzip hashes the unpacked directory, so we need to extract and hash
+compute_unpacked_hash() {
+    local url="$1"
+    local ext="$2"
+    local tmpdir=$(mktemp -d)
+    local archive="/tmp/opencode-archive.$ext"
+    
+    curl -fsSL "$url" -o "$archive"
+    
+    if [ "$ext" = "zip" ]; then
+        (cd "$tmpdir" && unzip -q "$archive")
+    else
+        (cd "$tmpdir" && tar xzf "$archive")
+    fi
+    
+    local sri_hash=$(nix hash path "$tmpdir")
+    local nix32_hash=$(nix hash convert --hash-algo sha256 --to nix32 "$sri_hash")
+    
+    rm -rf "$tmpdir" "$archive"
+    echo "$nix32_hash"
+}
+
+echo "Computing SHA256 hashes (this may take a moment)..."
+
+SHA_DARWIN_ARM=$(compute_unpacked_hash "https://github.com/anomalyco/opencode/releases/download/v${NEW_VERSION}/opencode-darwin-arm64.zip" "zip")
+echo "  aarch64-darwin: $SHA_DARWIN_ARM"
+
+SHA_DARWIN_X64=$(compute_unpacked_hash "https://github.com/anomalyco/opencode/releases/download/v${NEW_VERSION}/opencode-darwin-x64.zip" "zip")
+echo "  x86_64-darwin: $SHA_DARWIN_X64"
+
+SHA_LINUX_X64=$(compute_unpacked_hash "https://github.com/anomalyco/opencode/releases/download/v${NEW_VERSION}/opencode-linux-x64.tar.gz" "tar.gz")
+echo "  x86_64-linux: $SHA_LINUX_X64"
+
+SHA_LINUX_ARM64=$(compute_unpacked_hash "https://github.com/anomalyco/opencode/releases/download/v${NEW_VERSION}/opencode-linux-arm64.tar.gz" "tar.gz")
+echo "  aarch64-linux: $SHA_LINUX_ARM64"
+
+if [ "$DRY_RUN" = true ]; then
+    echo -e "${YELLOW}DRY RUN - No changes will be made${NC}"
+    echo ""
+    echo "Would update:"
+    echo "  Version: $CURRENT_VERSION -> $NEW_VERSION"
+    echo "  aarch64-darwin SHA: $SHA_DARWIN_ARM"
+    echo "  x86_64-darwin SHA:  $SHA_DARWIN_X64"
+    echo "  x86_64-linux SHA:   $SHA_LINUX_X64"
+    echo "  aarch64-linux SHA:  $SHA_LINUX_ARM64"
+    exit 0
+fi
+
+# Update version
+sed -i.tmp "s/version = \".*\";/version = \"$NEW_VERSION\";/" "$NIX_FILE"
+
+# Update SHA256 hashes using awk
+awk -v sha_arm="$SHA_DARWIN_ARM" -v sha_x64="$SHA_DARWIN_X64" -v sha_linux_x64="$SHA_LINUX_X64" -v sha_linux_arm="$SHA_LINUX_ARM64" '
+/aarch64-darwin = {/ { in_arm = 1 }
+/x86_64-darwin = {/ { in_x64 = 1; in_arm = 0 }
+/x86_64-linux = {/ { in_linux_x64 = 1; in_x64 = 0 }
+/aarch64-linux = {/ { in_linux_arm = 1; in_linux_x64 = 0 }
+/};/ {
+  in_arm = 0
+  in_x64 = 0
+  in_linux_x64 = 0
+  in_linux_arm = 0
+}
+/sha256 = / {
+  if (in_arm) {
+    sub(/sha256 = ".*";/, "sha256 = \"" sha_arm "\";")
+  } else if (in_x64) {
+    sub(/sha256 = ".*";/, "sha256 = \"" sha_x64 "\";")
+  } else if (in_linux_x64) {
+    sub(/sha256 = ".*";/, "sha256 = \"" sha_linux_x64 "\";")
+  } else if (in_linux_arm) {
+    sub(/sha256 = ".*";/, "sha256 = \"" sha_linux_arm "\";")
+  }
+}
+{ print }
+' "$NIX_FILE" > "$NIX_FILE.new"
+
+mv "$NIX_FILE.new" "$NIX_FILE"
+rm -f "$NIX_FILE.tmp"
+
+echo -e "${GREEN}Successfully updated to version $NEW_VERSION${NC}"
+echo ""
+echo "Updated SHA256 hashes:"
+echo "  aarch64-darwin: $SHA_DARWIN_ARM"
+echo "  x86_64-darwin:  $SHA_DARWIN_X64"
+echo "  x86_64-linux:   $SHA_LINUX_X64"
+echo "  aarch64-linux:  $SHA_LINUX_ARM64"
+echo ""
+echo "Next steps:"
+echo "  1. Review changes: git diff $NIX_FILE"
+echo "  2. Test build: nix build .#custom-opencode"
+echo "  3. Verify version: ./result/bin/opencode --version"
+echo "  4. Commit: git add $NIX_FILE && git commit -m 'opencode: Update to version $NEW_VERSION'"

packages/pi-coding-agent/default.nix

@@ -0,0 +1,79 @@
+{ lib
+, stdenv
+, fetchurl
+, patchelf
+, glibc
+, makeWrapper
+}:
+
+let
+  version = "0.55.4";
+
+  srcs = {
+    aarch64-darwin = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-darwin-arm64.tar.gz";
+      sha256 = "0vsav9frvnzskk6p6j60i7klrs3m8lphhyi4c39mv2mvhpm8fkl5";
+    };
+    x86_64-darwin = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-darwin-x64.tar.gz";
+      sha256 = "1377rvhsiiww1bbpgv2v46fjm7iz2smmh8g2yhm28kbsq3gwvvr0";
+    };
+    x86_64-linux = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-linux-x64.tar.gz";
+      sha256 = "1wnfwnkfq5ffz6wyqyhciv4lz06bpxims0hv0dlhz0f9vliyc1md";
+    };
+    aarch64-linux = {
+      url = "https://github.com/badlogic/pi-mono/releases/download/v${version}/pi-linux-arm64.tar.gz";
+      sha256 = "00fp37hgjl40kc59jfpv189i7np53ymm037hvds6k9y2sz818wjy";
+    };
+  };
+
+  src = srcs.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+in stdenv.mkDerivation {
+  pname = "pi-coding-agent";
+  inherit version;
+
+  src = fetchurl {
+    inherit (src) url sha256;
+  };
+
+  sourceRoot = "pi";
+
+  # Bun standalone binaries have JS code appended after the ELF sections
+  dontStrip = true;
+  dontPatchELF = true;
+
+  nativeBuildInputs = [ makeWrapper ]
+    ++ lib.optionals stdenv.isLinux [ patchelf ];
+
+  installPhase = ''
+    runHook preInstall
+
+    # Install the full pi directory structure (binary + supporting files)
+    mkdir -p $out/lib/pi-coding-agent
+    cp -r . $out/lib/pi-coding-agent/
+
+    # Create bin wrapper that runs the binary from its lib directory
+    # (pi expects supporting files like themes and wasm relative to itself)
+    mkdir -p $out/bin
+    makeWrapper $out/lib/pi-coding-agent/pi $out/bin/pi
+
+    runHook postInstall
+  '';
+
+  # Manually patch the interpreter for bun standalone binaries on Linux
+  postFixup = lib.optionalString stdenv.isLinux ''
+    interpreter="${glibc}/lib/${if stdenv.hostPlatform.system == "aarch64-linux" then "ld-linux-aarch64.so.1" else "ld-linux-x86-64.so.2"}"
+    patchelf --set-interpreter "$interpreter" $out/lib/pi-coding-agent/pi
+  '';
+
+  meta = with lib; {
+    description = "Minimal terminal coding agent with extensible tools and session management";
+    homepage = "https://github.com/badlogic/pi-mono/tree/main/packages/coding-agent";
+    license = licenses.mit;
+    maintainers = [ ];
+    platforms = [ "aarch64-darwin" "x86_64-darwin" "x86_64-linux" "aarch64-linux" ];
+    mainProgram = "pi";
+  };
+}

packages/rclone-torbox-setup/default.nix

@@ -0,0 +1,98 @@
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "rclone-torbox-setup" ''
+  set -euo pipefail
+
+  # Default values
+  RBW_ENTRY="''${1:-torbox}"
+  ENV_FILE="''${2:-/etc/rclone/torbox.env}"
+
+  usage() {
+    echo "Usage: rclone-torbox-setup [rbw-entry] [env-file]"
+    echo ""
+    echo "Sets up rclone credentials for TorBox WebDAV mount."
+    echo "Retrieves password from rbw (Bitwarden), obscures it for rclone,"
+    echo "and writes it to the environment file for the systemd service."
+    echo ""
+    echo "Arguments:"
+    echo "  rbw-entry  Name of the Bitwarden entry containing the password (default: torbox)"
+    echo "  env-file   Path to write the environment file (default: /etc/rclone/torbox.env)"
+    echo ""
+    echo "The Bitwarden entry should contain your TorBox password as the password field."
+    echo ""
+    echo "Example:"
+    echo "  rclone-torbox-setup torbox-password /etc/rclone/torbox.env"
+    exit 1
+  }
+
+  if [[ "''${1:-}" == "-h" ]] || [[ "''${1:-}" == "--help" ]]; then
+    usage
+  fi
+
+  echo "rclone TorBox credential setup"
+  echo "=============================="
+  echo ""
+
+  # Check if rbw is available
+  if ! command -v rbw &> /dev/null; then
+    echo "Error: rbw is not available. Please ensure rbw is installed and configured."
+    exit 1
+  fi
+
+  # Check if rclone is available
+  if ! command -v rclone &> /dev/null; then
+    echo "Error: rclone is not available. Please ensure rclone is installed."
+    exit 1
+  fi
+
+  echo "Retrieving password from rbw entry: $RBW_ENTRY"
+
+  # Retrieve password from Bitwarden
+  if ! TORBOX_PASS=$(rbw get "$RBW_ENTRY" 2>/dev/null); then
+    echo ""
+    echo "Error: Failed to retrieve password from rbw entry '$RBW_ENTRY'"
+    echo ""
+    echo "Please ensure:"
+    echo "  1. The entry '$RBW_ENTRY' exists in Bitwarden"
+    echo "  2. rbw is unlocked: rbw unlock"
+    echo "  3. rbw is synced: rbw sync"
+    echo ""
+    echo "To create the entry in Bitwarden:"
+    echo "  - Name: $RBW_ENTRY"
+    echo "  - Password: Your TorBox password"
+    exit 1
+  fi
+
+  echo "Password retrieved successfully"
+
+  # Obscure the password for rclone
+  echo "Obscuring password for rclone..."
+  if ! OBSCURED_PASS=$(echo -n "$TORBOX_PASS" | rclone obscure -); then
+    echo "Error: Failed to obscure password with rclone"
+    exit 1
+  fi
+
+  # Create the directory if needed (requires sudo)
+  ENV_DIR=$(dirname "$ENV_FILE")
+  if [[ ! -d "$ENV_DIR" ]]; then
+    echo "Creating directory $ENV_DIR (requires sudo)..."
+    sudo mkdir -p "$ENV_DIR"
+  fi
+
+  # Write the environment file
+  echo "Writing environment file to $ENV_FILE (requires sudo)..."
+  echo "RCLONE_WEBDAV_PASS=$OBSCURED_PASS" | sudo tee "$ENV_FILE" > /dev/null
+  sudo chmod 600 "$ENV_FILE"
+
+  echo ""
+  echo "Setup complete!"
+  echo ""
+  echo "The environment file has been created at: $ENV_FILE"
+  echo "The rclone-mount-torbox systemd service will use this file."
+  echo ""
+  echo "To activate the mount after NixOS rebuild:"
+  echo "  sudo systemctl start rclone-mount-torbox"
+  echo ""
+  echo "To check status:"
+  echo "  sudo systemctl status rclone-mount-torbox"
+''

packages/tea-rbw/default.nix

@@ -0,0 +1,58 @@
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "tea" ''
+  set -euo pipefail
+
+  # Check if tea config directory exists and has authentication
+  TEA_CONFIG_DIR="''${XDG_CONFIG_HOME:-$HOME/.config}/tea"
+  TEA_CONFIG_FILE="$TEA_CONFIG_DIR/config.yml"
+
+  # Function to setup tea authentication with rbw
+  setup_tea_auth() {
+    echo "Tea authentication not found. Setting up with rbw..."
+    
+    # Check if rbw is available
+    if ! command -v rbw &> /dev/null; then
+      echo "Error: rbw is not available. Please ensure rbw is installed and configured."
+      exit 1
+    fi
+
+    # Try to get the token from rbw
+    echo "Attempting to retrieve Gitea token from rbw..."
+    echo "Please enter the rbw entry name for your Gitea token:"
+    read -r rbw_entry
+
+    if ! token=$(rbw get "$rbw_entry" 2>/dev/null); then
+      echo "Error: Failed to retrieve token from rbw entry '$rbw_entry'"
+      echo "Available rbw entries:"
+      rbw list 2>/dev/null || echo "Failed to list rbw entries"
+      exit 1
+    fi
+
+    # Prompt for Gitea URL
+    echo "Please enter your Gitea URL (e.g., https://git.example.com):"
+    read -r gitea_url
+
+    # Create tea config directory if it doesn't exist
+    mkdir -p "$TEA_CONFIG_DIR"
+
+    # Setup tea login
+    if ! ${pkgs.tea}/bin/tea login add --name "default" --url "$gitea_url" --token "$token"; then
+      echo "Error: Failed to setup tea authentication"
+      exit 1
+    fi
+
+    echo "Tea authentication setup complete!"
+  }
+
+  # Check if tea is already configured
+  if [[ ! -f "$TEA_CONFIG_FILE" ]]; then
+    setup_tea_auth
+  elif ! ${pkgs.tea}/bin/tea whoami &>/dev/null; then
+    echo "Tea config exists but authentication failed. Re-running setup..."
+    setup_tea_auth
+  fi
+
+  # Execute tea with all provided arguments
+  exec ${pkgs.tea}/bin/tea "$@"
+''

packages/vulkan-hdr-layer/default.nix

@@ -1,34 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, meson, pkg-config, vulkan-loader, ninja, writeText, vulkan-headers, vulkan-utility-libraries,  jq, libX11, libXrandr, libxcb, wayland, wayland-scanner }:
-
-stdenv.mkDerivation rec {
-  pname = "vulkan-hdr-layer";
-  version = "63d2eec";
-
-  src = (fetchFromGitHub {
-    owner = "Zamundaaa";
-    repo = "VK_hdr_layer";
-    rev = "869199cd2746e7f69cf19955153080842b6dacfc";
-    fetchSubmodules = true;
-    hash = "sha256-xfVYI+Aajmnf3BTaY2Ysg5fyDO6SwDFGyU0L+F+E3is=";
-  }).overrideAttrs (_: {
-    GIT_CONFIG_COUNT = 1;
-    GIT_CONFIG_KEY_0 = "url.https://github.com/.insteadOf";
-    GIT_CONFIG_VALUE_0 = "git@github.com:";
-  });
-
-  nativeBuildInputs = [ vulkan-headers meson ninja pkg-config jq ];
-
-  buildInputs = [ vulkan-headers vulkan-loader vulkan-utility-libraries libX11 libXrandr libxcb wayland wayland-scanner ];
-
-  # Help vulkan-loader find the validation layers
-  setupHook = writeText "setup-hook" ''
-    addToSearchPath XDG_DATA_DIRS @out@/share
-  '';
-
-  meta = with lib; {
-    description = "Layers providing Vulkan HDR";
-    homepage = "https://github.com/Zamundaaa/VK_hdr_layer";
-    platforms = platforms.linux;
-    license = licenses.mit;
-  };
-}

renovate.json

@@ -0,0 +1,82 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "timezone": "America/Los_Angeles",
+  "gitAuthor": "Renovate Bot <renovate@ogle.fyi>",
+  "nix": {
+    "enabled": true
+  },
+  "github-actions": {
+    "managerFilePatterns": [
+      "/.gitea/workflows/.+\\.ya?ml$/"
+    ]
+  },
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": [
+      "after 5pm and before 7pm on Saturday"
+    ]
+  },
+  "dependencyDashboard": true,
+  "dependencyDashboardAutoclose": false,
+  "dependencyDashboardTitle": "NixOS Configs Dependency Dashboard",
+  "packageRules": [
+    {
+      "description": "Group all GitHub Actions updates",
+      "matchManagers": [
+        "github-actions"
+      ],
+      "groupName": "github-actions"
+    },
+    {
+      "description": "Group stable NixOS ecosystem inputs",
+      "matchManagers": [
+        "nix"
+      ],
+      "groupName": "nix-stable-ecosystem",
+      "matchPackageNames": [
+        "/^nixpkgs$/",
+        "/^home-manager$/",
+        "/^nix-darwin$/"
+      ],
+      "schedule": [
+        "after 5pm and before 7pm on Saturday"
+      ]
+    },
+    {
+      "description": "Group unstable NixOS ecosystem inputs",
+      "matchManagers": [
+        "nix"
+      ],
+      "groupName": "nix-unstable-ecosystem",
+      "matchPackageNames": [
+        "/nixpkgs-unstable/",
+        "/home-manager-unstable/"
+      ],
+      "schedule": [
+        "after 5pm and before 7pm on Saturday"
+      ]
+    },
+    {
+      "description": "nixpkgs-qt updates on Saturday (staggered from main ecosystem)",
+      "matchManagers": [
+        "nix"
+      ],
+      "matchPackageNames": [
+        "/nixpkgs-qt/"
+      ],
+      "schedule": [
+        "after 7pm and before 9pm on Saturday"
+      ]
+    },
+    {
+      "description": "Ignore private Gitea inputs (handle separately)",
+      "matchManagers": [
+        "nix"
+      ],
+      "enabled": false,
+      "matchPackageNames": [
+        "/google-cookie-retrieval/"
+      ]
+    }
+  ]
+}

roles/audio/default.nix

@@ -13,6 +13,7 @@ in
   config = mkIf cfg.enable
     {
       environment.systemPackages = with pkgs; [
+        easyeffects
         paprefs
         pavucontrol
         pulsemixer
@@ -20,17 +21,11 @@ in
 
       services.pipewire = {
         enable = true;
+        alsa.enable = true;
+        alsa.support32Bit = true;
         pulse.enable = true;
       };
 
-      services.pulseaudio = {
-        package = pkgs.pulseaudioFull;
-        extraConfig = ''
-          load-module module-combine-sink
-          load-module module-switch-on-connect
-        '';
-      };
-
       services.squeezelite = {
         #enable = true;
         pulseAudio = true;

roles/btrfs/default.nix

@@ -102,6 +102,11 @@ in
   };
 
   config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      btrfs-progs
+      compsize
+    ];
+
     # Generate fileSystems configuration from mountpoints
     fileSystems = mkMerge (flatten (mapAttrsToList (device: fsCfg:
       mapAttrsToList (mountpoint: mountCfg:
@@ -165,4 +170,4 @@ in
       };
     }) cfg.filesystems);
   };
-}
+}

roles/common.nix

@@ -0,0 +1,43 @@
+# Common configuration shared between NixOS and Darwin
+{ lib, pkgs, ... }:
+
+{
+  config = {
+    time.timeZone = "America/Los_Angeles";
+
+    environment.systemPackages = with pkgs; [
+      git
+      glances
+      pciutils
+      tree
+      usbutils
+      vim
+    ] ++ lib.optionals pkgs.stdenv.isLinux [
+      ghostty.terminfo  # So tmux works when SSH'ing from ghostty
+    ];
+
+    nix = {
+      package = pkgs.nix;
+      settings = {
+        experimental-features = [ "nix-command" "flakes" ];
+        max-jobs = "auto";
+        trusted-users = [ "johno" ];
+        substituters = [
+          "http://john-endesktop.oglehome:5000"
+        ];
+        trusted-public-keys = [
+          "harmonia.john-endesktop:1iGr4xZrsR7WtXOlPCgFF3LcODYBpu+B3TS54MyBn4M="
+        ];
+        fallback = true;
+        connect-timeout = 5;
+      };
+
+      gc = {
+        automatic = true;
+        options = "--delete-older-than 10d";
+      };
+    };
+
+    nixpkgs.config.allowUnfree = true;
+  };
+}

roles/darwin.nix

@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  # Extract the set-environment path that nix-darwin generates
+  setEnvironmentPath = "${config.system.build.setEnvironment}";
+in
+{
+  imports = [
+    ./common.nix
+  ];
+
+  config = {
+    # Salt manages /etc/bashrc, /etc/zshrc, /etc/zshenv
+    # nix-darwin writes to .local variants for nix-specific configuration
+
+    # Disable nix-darwin from managing the main shell files
+    environment.etc."bashrc".enable = false;
+    environment.etc."zshrc".enable = false;
+    environment.etc."zshenv".enable = false;
+    environment.etc."zprofile".enable = false;
+
+    # Create .local files with nix environment setup
+    environment.etc."bash.local".text = ''
+      # Nix environment setup
+      if [ -z "$__NIX_DARWIN_SET_ENVIRONMENT_DONE" ]; then
+        . ${setEnvironmentPath}
+      fi
+    '';
+
+    environment.etc."zshrc.local".text = ''
+      # Nix environment setup (already done in zshenv.local)
+    '';
+
+    environment.etc."zshenv.local".text = ''
+      # Nix environment setup
+      if [[ -o rcs ]]; then
+        if [ -z "''${__NIX_DARWIN_SET_ENVIRONMENT_DONE-}" ]; then
+          . ${setEnvironmentPath}
+        fi
+
+        # Tell zsh how to find installed completions
+        for p in ''${(z)NIX_PROFILES}; do
+          fpath=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions $fpath)
+        done
+      fi
+    '';
+
+    # System preferences
+    system.defaults = {
+      # Custom keyboard shortcuts
+      CustomUserPreferences = {
+        "com.apple.symbolichotkeys" = {
+          AppleSymbolicHotKeys = {
+            # Screenshot - Capture entire screen (Cmd+Ctrl+3)
+            "28" = {
+              enabled = true;
+              value = {
+                parameters = [ 51 20 1310720 ];
+                type = "standard";
+              };
+            };
+            # Screenshot - Capture selected portion (Cmd+Ctrl+4)
+            "30" = {
+              enabled = true;
+              value = {
+                parameters = [ 52 21 1310720 ];
+                type = "standard";
+              };
+            };
+            # Screenshot - Show screenshot toolbar (Cmd+Ctrl+5)
+            "184" = {
+              enabled = true;
+              value = {
+                parameters = [ 53 23 1310720 ];
+                type = "standard";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

roles/default.nix

@@ -4,16 +4,23 @@ with lib;
 
 {
   imports = [
+    ./common.nix
     ./audio
     ./bluetooth
     ./btrfs
     ./desktop
+    ./k3s-node
     ./kodi
     ./nfs-mounts
+    ./plasma-bigscreen
+    ./nvidia
     ./printing
+    ./rclone-mount
+    ./remote-build
     ./spotifyd
     ./users
     ./virtualisation
+    ./wireguard
   ];
 
   config = {
@@ -29,7 +36,6 @@ with lib;
       LC_TELEPHONE = "en_US.UTF-8";
       LC_TIME = "en_US.UTF-8";
     };
-    time.timeZone = "America/Los_Angeles";
 
     services.xserver.xkb = {
       layout = "us";
@@ -47,42 +53,7 @@ with lib;
     # Enable the OpenSSH daemon.
     services.openssh.enable = true;
 
-    environment.systemPackages = with pkgs; [
-      git
-      glances
-      pciutils
-      tree
-      usbutils
-      vim
-    ];
-
-    nix = {
-      package = pkgs.nix;
-      # distributedBuilds = true;
-      # buildMachines = [{
-      #   hostName = "z790prors.oglehome";
-      #   system = "x86_64-linux";
-      #   protocol = "ssh-ng";
-      #   sshUser = "johno";
-      #   sshKey = "/root/.ssh/id_ed25519";
-      #   maxJobs = 3;
-      #   speedFactor = 2;
-      # }];
-      settings = {
-        experimental-features = [ "nix-command" "flakes" ];
-        max-jobs = "auto";
-        trusted-users = [ "johno" ];
-        substituters = [
-        ];
-      };
-
-      gc = {
-        automatic = true;
-        randomizedDelaySec = "14m";
-        options = "--delete-older-than 10d";
-      };
-    };
-
-    nixpkgs.config.allowUnfree = true;
+    # NixOS-specific gc option (not available on Darwin)
+    nix.gc.randomizedDelaySec = "14m";
   };
 }

roles/desktop/default.nix

@@ -9,7 +9,9 @@ with lib;
     x11 = mkOption { type = types.bool; default = false; description = "Enable X11 support."; };
     wayland = mkOption { type = types.bool; default = false; description = "Enable Wayland support."; };
     kde = mkOption { type = types.bool; default = false; description = "Enable KDE."; };
-    gaming = mkOption { type = types.bool; default = false; description = "Enable gaming support."; };
+    gaming = {
+      enable = mkOption { type = types.bool; default = false; description = "Enable gaming support."; };
+    };
     sddm = mkOption { type = types.bool; default = false; description = "Enable SDDM greeter."; };
   };
 

roles/desktop/gaming.nix

@@ -6,13 +6,32 @@ let
   cfg = config.roles.desktop;
 in
 {
-  config = mkIf (cfg.enable && cfg.gaming) {
-    environment.systemPackages = with pkgs; [
-      steam
-      lutris
-      moonlight
-    ];
+  config = mkMerge [
+    (mkIf (cfg.enable && cfg.gaming.enable) {
+      environment.systemPackages = with pkgs; [
+        lutris
+        moonlight
 
-    # Possibly other gaming specific services or settings
-  };
+        # Emulators
+        dolphin-emu
+
+        # Re-enabled in 25.11 after binary build was fixed
+        dolphin-emu-primehack
+
+        # Experimenting with just using the steam version + downloading
+        # indiviudal cores
+        #retroarch-full
+        ryubing
+
+        yarg
+      ];
+
+      programs.steam = {
+        enable = true;
+        remotePlay.openFirewall = true;
+        dedicatedServer.openFirewall = true;
+        localNetworkGameTransfers.openFirewall = true;
+      };
+    })
+  ];
 }

roles/desktop/programs.nix

@@ -16,5 +16,23 @@ in
     programs.dconf.enable = true;
     services.gnome.gnome-keyring.enable = true;
     programs.kdeconnect.enable = true;
+
+    # XDG Desktop Portal for default application handling
+    xdg.portal = {
+      enable = true;
+      wlr.enable = cfg.wayland;  # xdg-desktop-portal-wlr for Sway screen sharing
+      extraPortals = with pkgs; [
+        kdePackages.xdg-desktop-portal-kde  # For KDE application integration
+        xdg-desktop-portal-gtk  # Fallback for GTK applications
+      ];
+      config = {
+        common = {
+          default = "kde";
+        };
+        i3 = {
+          default = ["kde" "gtk"];
+        };
+      };
+    };
   };
 }