[home] Update syncthingtray config

Change from explicitly launching syncthingtray to just having it
accessible. I attempted to get plasma-manager to automatically add the
plasmoid but was unsuccessful.

build-liveusb.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Build Live USB ISO from flake configuration
+# Creates an uncompressed ISO suitable for Ventoy and other USB boot tools
+
+set -e
+
+echo "Building Live USB ISO..."
+nix build .#nixosConfigurations.live-usb.config.system.build.isoImage --show-trace
+
+if [ -f "./result/iso/"*.iso ]; then
+    iso_file=$(ls ./result/iso/*.iso)
+    echo "✅ Build complete!"
+    echo "📁 ISO location: $iso_file"
+    echo "💾 Ready for Ventoy or dd to USB"
+else
+    echo "❌ Build failed - no ISO file found"
+    exit 1
+fi

flake.lock

@@ -43,11 +43,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1752402455,
+        "lastModified": 1755914636,
-        "narHash": "sha256-mCHfZhQKdTj2JhCFcqfOfa3uKZbwUkPQbd0/zPnhOE8=",
+        "narHash": "sha256-VJ+Gm6YsHlPfUCpmRQxvdiZW7H3YPSrdVOewQHAhZN8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "bf893ad4cbf46610dd1b620c974f824e266cd1df",
+        "rev": "8b55a6ac58b678199e5bba701aaff69e2b3281c0",
         "type": "github"
       },
       "original": {
@@ -62,11 +62,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1752199438,
+        "lastModified": 1755261305,
-        "narHash": "sha256-xSBMmGtq8K4Qv80TMqREmESCAsRLJRHAbFH2T/2Bf1Y=",
+        "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=",
         "owner": "nix-community",
         "repo": "NixOS-WSL",
-        "rev": "d34d9412556d3a896e294534ccd25f53b6822e80",
+        "rev": "203a7b463f307c60026136dd1191d9001c43457f",
         "type": "github"
       },
       "original": {
@@ -78,11 +78,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1751792365,
+        "lastModified": 1754725699,
-        "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
+        "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
+        "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
         "type": "github"
       },
       "original": {
@@ -94,11 +94,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1751984180,
+        "lastModified": 1755615617,
-        "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=",
+        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0",
+        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
         "type": "github"
       },
       "original": {
@@ -118,11 +118,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748196248,
+        "lastModified": 1754501628,
-        "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=",
+        "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "b7697abe89967839b273a863a3805345ea54ab56",
+        "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133",
         "type": "github"
       },
       "original": {

flake.nix

@@ -74,6 +74,34 @@
       ];
     };
 
+    nixosConfigurations.zix790prors = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = baseModules ++ [
+        ./machines/zix790prors/configuration.nix
+        inputs.home-manager.nixosModules.home-manager
+        {
+          home-manager.users.johno = import ./home/home.nix;
+          home-manager.extraSpecialArgs = { inherit system; };
+        }
+      ];
+    };
+
+    # Live USB ISO configuration
+    nixosConfigurations.live-usb = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = baseModules ++ [
+        ./machines/live-usb/configuration.nix
+        {
+          home-manager.users.nixos = { ... }: {
+            imports = [ ./home/home.nix ];
+            home.username = nixpkgs.lib.mkForce "nixos";
+            home.homeDirectory = nixpkgs.lib.mkForce "/home/nixos";
+          };
+          home-manager.extraSpecialArgs = { inherit system; };
+        }
+      ];
+    };
+
     homeConfigurations."johno" = inputs.home-manager.lib.homeManagerConfiguration {
       pkgs = inputs.nixpkgs.legacyPackages."x86_64-linux";
       modules = [

home/home.nix

@@ -57,6 +57,7 @@ in
     pkgs.ncdu
     pkgs.nextcloud-talk-desktop
     pkgs.openscad-unstable
+    pkgs.syncthingtray
     pkgs.pandoc
     #pkgs.pinentry-qt
     #pkgs.pytest
@@ -68,9 +69,7 @@ in
     pkgs.wofi
     pkgs.vlc
 
-    ## Kubernetes cluster management
+    ## Kubernetes cluster management handled by kubectl-secure module
-    pkgs.kubectl
-    pkgs.kubernetes-helm
 
     globalInputs.google-cookie-retrieval.packages.${system}.default
   ];
@@ -117,6 +116,7 @@ in
   imports = [
     ./modules/emacs
     ./modules/i3+sway
+    ./modules/kubectl
     ./modules/plasma-manager
     ./modules/tmux
   ];
@@ -152,7 +152,7 @@ in
 
   programs.jq.enable = true;
 
-  programs.k9s.enable = true;
+  programs.kubectl-secure.enable = true;
 
   programs.neovim = {
     enable = true;
@@ -194,10 +194,6 @@ in
 
   services.syncthing = {
     enable = true;
-    tray = {
-      enable = true;
-      command = "syncthingtray --wait";
-    };
   };
 
   xdg.enable = true;

home/modules/kubectl/default.nix

@@ -0,0 +1,249 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.kubectl-secure;
+in
+{
+  options.programs.kubectl-secure = {
+    enable = mkEnableOption "secure kubectl configuration with Bitwarden integration";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      kubectl
+      kubernetes-helm
+    ];
+
+    programs.k9s.enable = true;
+
+    programs.bash.initExtra = mkAfter ''
+      # Kubectl secure session management
+      export KUBECTL_SESSION_DIR="/dev/shm/kubectl-$$"
+      
+      kube-select() {
+        if [[ $# -ne 1 ]]; then
+          echo "Usage: kube-select <context-name>"
+          echo "Available contexts: $(kube-list)"
+          return 1
+        fi
+        
+        local context="$1"
+        
+        # Clean up any existing session first
+        kube-clear 2>/dev/null
+        
+        # Create new session directory
+        mkdir -p "$KUBECTL_SESSION_DIR"
+        chmod 700 "$KUBECTL_SESSION_DIR"
+        
+        # Set cleanup trap for this shell session
+        trap "rm -rf '$KUBECTL_SESSION_DIR' 2>/dev/null" EXIT
+        
+        # Set KUBECONFIG for this session
+        export KUBECONFIG="$KUBECTL_SESSION_DIR/config"
+        
+        # Load config from Bitwarden secure notes
+        if ! rbw get "kubectl-$context" > "$KUBECONFIG" 2>/dev/null; then
+          echo "Error: Could not retrieve kubectl-$context from Bitwarden"
+          echo "Make sure the entry exists with name: kubectl-$context"
+          kube-clear
+          return 1
+        fi
+        
+        # Verify the kubeconfig is valid
+        if ! kubectl config view >/dev/null 2>&1; then
+          echo "Error: Invalid kubeconfig retrieved from Bitwarden"
+          kube-clear
+          return 1
+        fi
+        
+        echo "✓ Loaded kubectl context: $context (session: $$)"
+        echo "  Config location: $KUBECONFIG"
+      }
+      
+      kube-list() {
+        echo "Available kubectl contexts in Bitwarden:"
+        rbw search kubectl- 2>/dev/null | grep "^kubectl-" | sed 's/^kubectl-/  - /' || echo "  (none found or rbw not accessible)"
+      }
+      
+      kube-clear() {
+        if [[ -n "$KUBECTL_TIMEOUT_PID" ]]; then
+          kill "$KUBECTL_TIMEOUT_PID" 2>/dev/null
+          unset KUBECTL_TIMEOUT_PID
+        fi
+        
+        if [[ -d "$KUBECTL_SESSION_DIR" ]]; then
+          rm -rf "$KUBECTL_SESSION_DIR"
+          echo "Cleared kubectl session ($$)"
+        fi
+        
+        unset KUBECONFIG
+      }
+      
+      kube-status() {
+        if [[ -f "$KUBECONFIG" ]]; then
+          local current_context
+          current_context=$(kubectl config current-context 2>/dev/null)
+          if [[ -n "$current_context" ]]; then
+            echo "Active kubectl context: $current_context"
+            echo "Session: $$ | Config: $KUBECONFIG"
+            
+            # Show cluster info
+            local cluster_server
+            cluster_server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2>/dev/null)
+            if [[ -n "$cluster_server" ]]; then
+              echo "Cluster: $cluster_server"
+            fi
+          else
+            echo "No active context in current session"
+          fi
+        else
+          echo "No kubectl session active in this shell"
+          echo "Use 'kube-select <context>' to start a session"
+        fi
+      }
+
+      # Helper function to show available commands
+      kube-help() {
+        echo "Secure kubectl session management commands:"
+        echo ""
+        echo "Session management:"
+        echo "  kube-select <context>     - Load kubeconfig from Bitwarden"
+        echo "  kube-status              - Show current session status"
+        echo "  kube-clear               - Clear current session"
+        echo ""
+        echo "Configuration management:"
+        echo "  kube-list                - List available contexts in Bitwarden"
+        echo ""
+        echo "Help:"
+        echo "  kube-help                - Show this help"
+        echo ""
+        echo "Examples:"
+        echo "  kube-select prod                     # Loads from secure note"
+        echo "  kubectl get pods"
+        echo "  kube-clear"
+        echo ""
+        echo "Note: Kubeconfigs are stored as secure notes in Bitwarden"
+      }
+    '';
+    
+    programs.zsh.initExtra = mkAfter ''
+      # Kubectl secure session management (zsh)
+      export KUBECTL_SESSION_DIR="/dev/shm/kubectl-$$"
+      
+      kube-select() {
+        if [[ $# -ne 1 ]]; then
+          echo "Usage: kube-select <context-name>"
+          echo "Available contexts: $(kube-list)"
+          return 1
+        fi
+        
+        local context="$1"
+        
+        # Clean up any existing session first
+        kube-clear 2>/dev/null
+        
+        # Create new session directory
+        mkdir -p "$KUBECTL_SESSION_DIR"
+        chmod 700 "$KUBECTL_SESSION_DIR"
+        
+        # Set cleanup trap for this shell session
+        trap "rm -rf '$KUBECTL_SESSION_DIR' 2>/dev/null" EXIT
+        
+        # Set KUBECONFIG for this session
+        export KUBECONFIG="$KUBECTL_SESSION_DIR/config"
+        
+        # Load config from Bitwarden secure notes
+        if ! rbw get "kubectl-$context" > "$KUBECONFIG" 2>/dev/null; then
+          echo "Error: Could not retrieve kubectl-$context from Bitwarden"
+          echo "Make sure the entry exists with name: kubectl-$context"
+          kube-clear
+          return 1
+        fi
+        
+        # Verify the kubeconfig is valid
+        if ! kubectl config view >/dev/null 2>&1; then
+          echo "Error: Invalid kubeconfig retrieved from Bitwarden"
+          kube-clear
+          return 1
+        fi
+        
+        echo "✓ Loaded kubectl context: $context (session: $$)"
+        echo "  Config location: $KUBECONFIG"
+        
+        # Optional: Set timeout cleanup
+        if [[ ${toString cfg.sessionTimeout} -gt 0 ]]; then
+          (sleep ${toString cfg.sessionTimeout}; kube-clear 2>/dev/null) &
+          export KUBECTL_TIMEOUT_PID=$!
+        fi
+      }
+      
+      kube-list() {
+        echo "Available kubectl contexts in Bitwarden:"
+        rbw search kubectl- 2>/dev/null | grep "^kubectl-" | sed 's/^kubectl-/  - /' || echo "  (none found or rbw not accessible)"
+      }
+      
+      kube-clear() {
+        if [[ -n "$KUBECTL_TIMEOUT_PID" ]]; then
+          kill "$KUBECTL_TIMEOUT_PID" 2>/dev/null
+          unset KUBECTL_TIMEOUT_PID
+        fi
+        
+        if [[ -d "$KUBECTL_SESSION_DIR" ]]; then
+          rm -rf "$KUBECTL_SESSION_DIR"
+          echo "Cleared kubectl session ($$)"
+        fi
+        
+        unset KUBECONFIG
+      }
+      
+      kube-status() {
+        if [[ -f "$KUBECONFIG" ]]; then
+          local current_context
+          current_context=$(kubectl config current-context 2>/dev/null)
+          if [[ -n "$current_context" ]]; then
+            echo "Active kubectl context: $current_context"
+            echo "Session: $$ | Config: $KUBECONFIG"
+            
+            # Show cluster info
+            local cluster_server
+            cluster_server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2>/dev/null)
+            if [[ -n "$cluster_server" ]]; then
+              echo "Cluster: $cluster_server"
+            fi
+          else
+            echo "No active context in current session"
+          fi
+        else
+          echo "No kubectl session active in this shell"
+          echo "Use 'kube-select <context>' to start a session"
+        fi
+      }
+
+      # Helper function to show available commands
+      kube-help() {
+        echo "Secure kubectl session management commands:"
+        echo ""
+        echo "Session management:"
+        echo "  kube-select <context>     - Load kubeconfig from Bitwarden"
+        echo "  kube-status              - Show current session status"
+        echo "  kube-clear               - Clear current session"
+        echo ""
+        echo "Configuration management:"
+        echo "  kube-list                - List available contexts in Bitwarden"
+        echo ""
+        echo "Help:"
+        echo "  kube-help                - Show this help"
+        echo ""
+        echo "Examples:"
+        echo "  kube-select prod                     # Loads from secure note"
+        echo "  kubectl get pods"
+        echo "  kube-clear"
+        echo ""
+        echo "Note: Kubeconfigs are stored as secure notes in Bitwarden"
+      }
+    '';
+  };
+}

machines/boxy/configuration.nix

@@ -17,7 +17,7 @@ with lib;
     bluetooth.enable = true;
     desktop = {
       enable = true;
-      gaming = true;
+      gaming.enable = true;
       kde = true;
       sddm = true;
       wayland = true;

machines/live-usb/configuration.nix

@@ -0,0 +1,89 @@
+# Live USB ISO configuration for recovery and installation
+{ pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    # Use minimal installation CD as base
+    (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
+  ];
+
+  # Use roles structure for consistent configuration
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      kde = true;
+      x11 = true;
+      wayland = true;
+      sddm = true;
+    };
+  };
+
+  # Allow unfree packages for broader hardware support
+  nixpkgs.config.allowUnfree = true;
+
+  # Essential packages for system recovery and installation
+  environment.systemPackages = with pkgs; [
+    # Text editors
+    neovim
+    nano
+    
+    # System tools
+    git
+    curl
+    wget
+    htop
+    tree
+    lsof
+    strace
+    
+    # Filesystem tools
+    btrfs-progs
+    e2fsprogs
+    xfsprogs
+    ntfs3g
+    dosfstools
+    
+    # Network tools
+    networkmanager
+    wirelesstools
+    
+    # Hardware tools
+    pciutils
+    usbutils
+    smartmontools
+    
+    # Archive tools
+    unzip
+    p7zip
+    
+    # Development tools (for quick fixes)
+    gcc
+    binutils
+  ];
+
+  # Enable NetworkManager for easy wifi setup
+  networking.networkmanager.enable = true;
+  
+  # Enable SSH daemon for remote access
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "yes";
+      PasswordAuthentication = true;
+    };
+  };
+
+  # ISO customization
+  isoImage = {
+    volumeID = "NIXOS-LIVE";
+  };
+
+  # Enable some useful services
+  services.udisks2.enable = true; # For mounting USB drives
+
+  # Hardware support
+  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
+}

machines/nix-book/configuration.nix

@@ -15,7 +15,7 @@
     desktop = {
       enable = true;
       wayland = true;
-      gaming = false;
+      gaming.enable = false;
       kde = true;
       sddm = true;
     };
@@ -39,14 +39,6 @@
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
-  # Btrfs deduplication service
-  services.beesd.filesystems = {
-    root = {
-      spec = "/";
-      hashTableSizeMB = 32;  # 128MB per TB recommended, ~225GB = ~32MB
-      verbosity = "err";     # Only show actual problems
-    };
-  };
 
   # Enable networking
   networking.networkmanager.enable = true;

machines/nix-book/hardware-configuration.nix

@@ -10,19 +10,27 @@
 
   boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "sdhci_pci" ];
   boot.initrd.kernelModules = [ ];
+  boot.initrd.luks.devices."luks-4126fbd4-bd09-4ece-af0d-6fff414c21b3".device = "/dev/disk/by-uuid/4126fbd4-bd09-4ece-af0d-6fff414c21b3";
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  roles.btrfs = {
-    { device = "/dev/disk/by-uuid/223a44e5-91e2-4272-830e-129166042a1d";
+    enable = true;
-      fsType = "btrfs";
+    filesystems."/dev/disk/by-uuid/223a44e5-91e2-4272-830e-129166042a1d" = {
-      options = [ 
+      mountpoints = {
-        "compress=zstd"  # Enable zstd compression for space savings
+        "/" = {
-        "noatime"        # Don't update access times for performance
+          compression = "zstd";
-      ];
+          extraOptions = [ "noatime" ];
+        };
+      };
+      scrub.enable = true;
+      deduplication = {
+        enable = true;
+        hashTableSizeMB = 32;
+        verbosity = "err";
+      };
     };
-
+  };
-  boot.initrd.luks.devices."luks-4126fbd4-bd09-4ece-af0d-6fff414c21b3".device = "/dev/disk/by-uuid/4126fbd4-bd09-4ece-af0d-6fff414c21b3";
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/7A0B-CF88";

machines/zix790prors/configuration.nix

@@ -0,0 +1,92 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      gaming = {
+        enable = true;
+        emulation = true;
+      };
+      kde = true;
+      sddm = true;
+      wayland = true;
+    };
+    nfs-mounts.enable = true;
+    printing.enable = true;
+    users.enable = true;
+    virtualisation.enable = true;
+  };
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.configurationLimit = 2; # Reduced to save /boot space (TODO Increase /boot partition size)
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.timeout = 10;
+
+  networking.hostName = "zix790prors"; # Define your hostname.
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  # Fix dual boot clock sync - tell Linux to use local time for hardware clock
+  time.hardwareClockInLocalTime = true;
+
+  # NVIDIA Graphics configuration
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.graphics.enable = true;
+  hardware.graphics.enable32Bit = true;
+  
+  hardware.nvidia = {
+    # Modesetting is required.
+    modesetting.enable = true;
+    
+    # Enable the Nvidia settings menu,
+    # accessible via `nvidia-settings`.
+    nvidiaSettings = true;
+    
+    # Optionally, you may need to select the appropriate driver version for your specific GPU.
+    package = pkgs.linuxPackages.nvidiaPackages.stable;
+    
+    # Use open source kernel modules (recommended for RTX/GTX 16xx and newer)
+    # Set to false if you have an older GPU
+    open = true;
+    
+    # For gaming performance
+    powerManagement.enable = false;
+    powerManagement.finegrained = false;
+  };
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "25.11"; # Did you read the comment?
+
+}

machines/zix790prors/hardware-configuration.nix

@@ -0,0 +1,57 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/76B0-738E";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  roles.btrfs = {
+    enable = true;
+    filesystems."/dev/disk/by-uuid/ec22734b-d1a3-4c99-8c6f-86f6a8d79007" = {
+      mountpoints = {
+        "/" = {
+          compression = "zstd";
+          extraOptions = [ "noatime" ];
+        };
+      };
+      scrub.enable = true;
+      deduplication = {
+        enable = true;
+        hashTableSizeMB = 128;
+        verbosity = "err";
+      };
+    };
+    filesystems."/dev/disk/by-uuid/4f9844ac-c1ad-4426-8eb3-21f2306345fb" = {
+      mountpoints = {
+        "/games" = {
+          extraOptions = [ "noatime" ];
+        };
+      };
+      scrub.enable = true;
+      deduplication = {
+        enable = true;
+        hashTableSizeMB = 256;
+        verbosity = "err";
+      };
+    };
+  };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

roles/btrfs/default.nix

@@ -0,0 +1,173 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.btrfs;
+in
+{
+  options.roles.btrfs = {
+    enable = mkEnableOption "Enable btrfs filesystem management";
+    
+    filesystems = mkOption {
+      type = types.attrsOf (types.submodule {
+        options = {
+          # Filesystem-level maintenance options
+          scrub = {
+            enable = mkOption { 
+              type = types.bool; 
+              default = true;
+              description = "Enable automatic scrubbing for this filesystem";
+            };
+            interval = mkOption { 
+              type = types.str; 
+              default = "weekly";
+              description = "Scrub interval (systemd timer format)";
+            };
+          };
+          deduplication = {
+            enable = mkOption { 
+              type = types.bool; 
+              default = false;
+              description = "Enable beesd deduplication for this filesystem";
+            };
+            hashTableSizeMB = mkOption { 
+              type = types.int; 
+              default = 1024;
+              description = "Hash table size in MB (should be multiple of 16)";
+            };
+            verbosity = mkOption { 
+              type = types.str; 
+              default = "info";
+              description = "Logging verbosity level";
+            };
+          };
+          balance = {
+            enable = mkOption { 
+              type = types.bool; 
+              default = false;
+              description = "Enable periodic balance operations";
+            };
+            interval = mkOption { 
+              type = types.str; 
+              default = "monthly";
+              description = "Balance interval (systemd timer format)";
+            };
+            dataUsage = mkOption { 
+              type = types.int; 
+              default = 50;
+              description = "Data usage threshold for balance";
+            };
+            metadataUsage = mkOption { 
+              type = types.int; 
+              default = 50;
+              description = "Metadata usage threshold for balance";
+            };
+          };
+          
+          # Mountpoint-based configuration
+          mountpoints = mkOption {
+            type = types.attrsOf (types.submodule {
+              options = {
+                subvolume = mkOption { 
+                  type = types.nullOr types.str; 
+                  default = null;
+                  description = "Subvolume name. If null, uses default subvolume.";
+                };
+                compression = mkOption { 
+                  type = types.str; 
+                  default = "zstd";
+                  description = "Compression algorithm (zstd, lzo, lz4, none)";
+                };
+                autodefrag = mkOption { 
+                  type = types.bool; 
+                  default = false;
+                  description = "Enable automatic defragmentation";
+                };
+                extraOptions = mkOption { 
+                  type = types.listOf types.str; 
+                  default = [];
+                  description = "Additional mount options";
+                };
+              };
+            });
+            default = {};
+            description = "Mountpoint configurations for this filesystem";
+          };
+        };
+      });
+      default = {};
+      description = "Btrfs filesystems configuration";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      btrfs-progs
+      compsize
+    ];
+
+    # Generate fileSystems configuration from mountpoints
+    fileSystems = mkMerge (flatten (mapAttrsToList (device: fsCfg:
+      mapAttrsToList (mountpoint: mountCfg:
+        {
+          ${mountpoint} = {
+            device = device;
+            fsType = "btrfs";
+            options = 
+              (optional (mountCfg.subvolume != null) "subvol=${mountCfg.subvolume}") ++
+              [ "compress=${mountCfg.compression}" ] ++
+              (optional mountCfg.autodefrag "autodefrag") ++
+              mountCfg.extraOptions;
+          };
+        }
+      ) fsCfg.mountpoints
+    ) cfg.filesystems));
+    
+    # Configure scrub service using NixOS built-in
+    services.btrfs.autoScrub = mkIf (any (fs: fs.scrub.enable) (attrValues cfg.filesystems)) {
+      enable = true;
+      interval = "weekly"; # TODO: Make this configurable per filesystem
+      fileSystems = attrNames (filterAttrs (_: fs: fs.scrub.enable) cfg.filesystems);
+    };
+    
+    # Configure beesd for filesystems with deduplication enabled
+    services.beesd.filesystems = mapAttrs' (device: fsCfg: 
+      nameValuePair (replaceStrings ["/"] ["_"] (replaceStrings ["-"] ["_"] device)) {
+        spec = device;
+        hashTableSizeMB = fsCfg.deduplication.hashTableSizeMB;
+        verbosity = fsCfg.deduplication.verbosity;
+      }
+    ) (filterAttrs (_: fs: fs.deduplication.enable) cfg.filesystems);
+    
+    # Custom balance services for filesystems with balance enabled
+    systemd.services = mkMerge (mapAttrsToList (device: fsCfg: mkIf fsCfg.balance.enable {
+      "btrfs-balance-${replaceStrings ["/"] ["-"] (replaceStrings ["-"] ["_"] device)}" = {
+        description = "Balance btrfs filesystem ${device}";
+        script = ''
+          ${pkgs.btrfs-progs}/bin/btrfs balance start \
+            -dusage=${toString fsCfg.balance.dataUsage} \
+            -musage=${toString fsCfg.balance.metadataUsage} \
+            ${device}
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+          Nice = 19;
+          IOSchedulingClass = "idle";
+        };
+      };
+    }) cfg.filesystems);
+    
+    # Balance timers
+    systemd.timers = mkMerge (mapAttrsToList (device: fsCfg: mkIf fsCfg.balance.enable {
+      "btrfs-balance-${replaceStrings ["/"] ["-"] (replaceStrings ["-"] ["_"] device)}" = {
+        description = "Periodic balance for ${device}";
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = fsCfg.balance.interval;
+          Persistent = true;
+        };
+      };
+    }) cfg.filesystems);
+  };
+}

roles/default.nix

@@ -6,6 +6,7 @@ with lib;
   imports = [
     ./audio
     ./bluetooth
+    ./btrfs
     ./desktop
     ./kodi
     ./nfs-mounts

roles/desktop/default.nix

@@ -9,7 +9,10 @@ with lib;
     x11 = mkOption { type = types.bool; default = false; description = "Enable X11 support."; };
     wayland = mkOption { type = types.bool; default = false; description = "Enable Wayland support."; };
     kde = mkOption { type = types.bool; default = false; description = "Enable KDE."; };
-    gaming = mkOption { type = types.bool; default = false; description = "Enable gaming support."; };
+    gaming = {
+      enable = mkOption { type = types.bool; default = false; description = "Enable gaming support."; };
+      emulation = mkOption { type = types.bool; default = false; description = "Enable emulation support."; };
+    };
     sddm = mkOption { type = types.bool; default = false; description = "Enable SDDM greeter."; };
   };
 

roles/desktop/gaming.nix

@@ -6,13 +6,22 @@ let
   cfg = config.roles.desktop;
 in
 {
-  config = mkIf (cfg.enable && cfg.gaming) {
+  config = mkMerge [
-    environment.systemPackages = with pkgs; [
+    (mkIf (cfg.enable && cfg.gaming.enable) {
-      steam
+      environment.systemPackages = with pkgs; [
-      lutris
+        steam
-      moonlight
+        lutris
-    ];
+        moonlight
+      ];
 
-    # Possibly other gaming specific services or settings
+      # Possibly other gaming specific services or settings
-  };
+    })
+
+    (mkIf (cfg.enable && cfg.gaming.emulation) {
+      environment.systemPackages = with pkgs; [
+        ryubing
+        dolphin-emu
+      ];
+    })
+  ];
 }