[doom] Increase default font size

mu4e's refile moves messages between IMAP folders, enabling
cross-device sync via mbsync. notmuch tags are local-only.

- Switch from notmuch to mu/mu4e packages
- Auto-initialize mu database on first sync
- Configure mu4e with folder shortcuts and refile to Archive
- Add NixOS load-path for mu4e elisp files

AGENTS.md

@@ -172,6 +172,32 @@ Creates an ISO suitable for Ventoy and other USB boot tools in `./result/iso/`.
 - **Garbage collection**: Automatic, deletes older than 10 days
 - **Unfree packages**: Allowed globally
 
+## Issue Tracking (Gitea)
+
+**Tea CLI for Gitea:**
+```bash
+# Note: When using tea CLI, you must specify --repo johno/nixos-configs
+# The CLI doesn't automatically detect the repo from git remote
+
+# List all issues (open by default)
+tea issues --repo johno/nixos-configs
+
+# List closed issues
+tea issues --repo johno/nixos-configs --state closed
+
+# View specific issue
+tea issue --repo johno/nixos-configs 2
+
+# Create new issue
+tea issues create --repo johno/nixos-configs --title "Issue title" --body "Description"
+
+# Add comment to issue
+tea comment --repo johno/nixos-configs 2 "Comment text"
+
+# Close issue (note: 'issues' is plural, issue number comes last)
+tea issues close --repo johno/nixos-configs 2
+```
+
 ## Important Notes
 
 - **Sudo access**: Claude Code does not have sudo access. Ask the user to run elevated commands like `sudo nixos-rebuild switch`

flake.lock

@@ -180,11 +180,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1766070988,
-        "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=",
+        "lastModified": 1767379071,
+        "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c6245e83d836d0433170a16eb185cefe0572f8b8",
+        "rev": "fb7944c166a3b630f177938e478f0378e64ce108",
         "type": "github"
       },
       "original": {

flake.nix

@@ -152,9 +152,9 @@
       system = "x86_64-linux";
       modules = nixosModules ++ [
         ./machines/boxy/configuration.nix
-        inputs.home-manager.nixosModules.home-manager
         {
           home-manager.users.johno = import ./home/home-media-center.nix;
+          home-manager.users.kodi = import ./home/home-kodi.nix;
           home-manager.extraSpecialArgs = { inherit system; };
         }
       ];
@@ -209,6 +209,15 @@
       ];
     };
 
+    # ZFS/NFS server configuration
+    nixosConfigurations.john-endesktop = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = nixosModules ++ [
+        ./machines/john-endesktop/configuration.nix
+        # Minimal server - no home-manager needed
+      ];
+    };
+
     # Darwin/macOS configurations
     darwinConfigurations."blkfv4yf49kt7" = inputs.nix-darwin.lib.darwinSystem rec {
       system = "aarch64-darwin";

home/home-kodi.nix

@@ -0,0 +1,28 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for kodi user on boxy
+  # Focused on media center volume control via Home Assistant
+
+  home.username = "kodi";
+  home.homeDirectory = "/home/kodi";
+  home.stateVersion = "24.05";
+
+  # Enable minimal roles for kodi user
+  home.roles = {
+    base.enable = true;
+    plasma-manager-kodi.enable = true;
+  };
+
+  home.packages = with pkgs; [
+    kdePackages.kconfig
+  ];
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+  ];
+}

home/roles/default.nix

@@ -15,6 +15,7 @@
     ./launchers
     ./media
     ./office
+    ./plasma-manager-kodi
     ./sync
     ./tmux
     ./emacs

home/roles/emacs/doom/config.el

@@ -28,7 +28,7 @@
 ;; up, `M-x eval-region' to execute elisp code, and 'M-x doom/reload-font' to
 ;; refresh your font settings. If Emacs still can't find your font, it likely
 ;; wasn't installed correctly. Font issues are rarely Doom issues!
-(setq doom-font (font-spec :family "Fira Code"))
+(setq doom-font (font-spec :family "Fira Code" :size 16))
 
 ;; Auto-install nerd-icons fonts if they're missing
 (defun my/ensure-nerd-icons-fonts ()
@@ -159,31 +159,48 @@
   (dolist (module '("bbdb" "buffer" "elisp" "emacs" "gnus" "os" "search-and-replace" "url"))
     (gptel-tool-library-load-module module)))
 
-;; Notmuch email configuration
-(after! notmuch
-  (setq notmuch-search-oldest-first nil
-        notmuch-show-logo nil
-        notmuch-fcc-dirs "proton/Sent"
+;; mu4e email configuration
+;; Add NixOS mu4e to load-path (installed via mu.mu4e package)
+(when-let ((mu-path (executable-find "mu")))
+  (add-to-list 'load-path
+               (expand-file-name "../share/emacs/site-lisp/mu4e"
+                                 (file-name-directory mu-path))))
 
-        ;; User identity
-        user-mail-address "john@ogle.fyi"
-        user-full-name "John Ogle"
+(after! mu4e
+  ;; User identity
+  (setq user-mail-address "john@ogle.fyi"
+        user-full-name "John Ogle")
 
-        ;; Sending mail via msmtp
-        message-send-mail-function 'message-send-mail-with-sendmail
+  ;; Maildir location (no account prefix - single account)
+  (setq mu4e-maildir "~/Mail"
+        mu4e-attachment-dir "~/Downloads")
+
+  ;; Folder config (matches ~/Mail/INBOX, ~/Mail/Sent, etc.)
+  (setq mu4e-sent-folder "/Sent"
+        mu4e-drafts-folder "/Drafts"
+        mu4e-trash-folder "/Trash"
+        mu4e-refile-folder "/Archive")
+
+  ;; Shortcuts for common folders
+  (setq mu4e-maildir-shortcuts
+        '((:maildir "/INBOX"   :key ?i)
+          (:maildir "/Archive" :key ?a)
+          (:maildir "/Sent"    :key ?s)
+          (:maildir "/Trash"   :key ?t)))
+
+  ;; Behavior settings
+  (setq mu4e-get-mail-command "mbsync -a"
+        mu4e-update-interval 300  ; 5 minutes (matches systemd timer)
+        mu4e-change-filenames-when-moving t  ; required for mbsync
+        mu4e-headers-date-format "%Y-%m-%d"
+        mu4e-headers-time-format "%H:%M")
+
+  ;; Sending mail via msmtp
+  (setq message-send-mail-function 'message-send-mail-with-sendmail
         sendmail-program (executable-find "msmtp")
         message-sendmail-envelope-from 'header
         mail-envelope-from 'header
-        mail-specify-envelope-from t
-
-        ;; Saved searches for quick access
-        notmuch-saved-searches
-        '((:name "inbox"   :query "tag:inbox"                    :key "i")
-          (:name "unread"  :query "tag:unread"                   :key "u")
-          (:name "flagged" :query "tag:flagged"                  :key "f")
-          (:name "sent"    :query "tag:sent"                     :key "t")
-          (:name "drafts"  :query "tag:draft"                    :key "d")
-          (:name "all"     :query "*"                            :key "a"))))
+        mail-specify-envelope-from t))
 
 ;; Whenever you reconfigure a package, make sure to wrap your config in an
 ;; `after!' block, otherwise Doom's defaults may override your settings. E.g.

home/roles/emacs/doom/init.el

@@ -176,8 +176,8 @@
        ;;zig               ; C, but simpler
 
        :email
-       ;;(mu4e +org +gmail)
-       notmuch
+       (mu4e +org)
+       ;;notmuch
        ;;(wanderlust +gmail)
 
        :app

home/roles/email/default.nix

@@ -7,14 +7,15 @@ let
 in
 {
   options.home.roles.email = {
-    enable = mkEnableOption "Enable email with notmuch, mbsync, and msmtp";
+    enable = mkEnableOption "Enable email with mu4e, mbsync, and msmtp";
   };
 
   config = mkIf cfg.enable {
     home.packages = with pkgs; [
       isync      # provides mbsync for IMAP sync
       msmtp      # for SMTP sending
-      notmuch    # email indexing and search
+      mu         # email indexer for mu4e
+      mu.mu4e    # mu4e elisp files for Emacs
       openssl    # for certificate management
     ];
 
@@ -52,26 +53,6 @@ in
       SyncState *
     '';
 
-    # Notmuch configuration
-    home.file.".notmuch-config".text = ''
-      [database]
-      path=${config.home.homeDirectory}/Mail
-
-      [user]
-      name=John Ogle
-      primary_email=john@ogle.fyi
-
-      [new]
-      tags=unread;inbox;
-      ignore=
-
-      [search]
-      exclude_tags=deleted;spam;
-
-      [maildir]
-      synchronize_flags=true
-    '';
-
     # msmtp configuration
     home.file.".msmtprc".text = ''
       # Default settings
@@ -103,7 +84,7 @@ in
       };
       Service = {
         Type = "oneshot";
-        ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.isync}/bin/mbsync -a && ${pkgs.notmuch}/bin/notmuch new'";
+        ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.isync}/bin/mbsync -a && (${pkgs.mu}/bin/mu info >/dev/null 2>&1 || ${pkgs.mu}/bin/mu init --maildir ~/Mail --personal-address=john@ogle.fyi) && ${pkgs.mu}/bin/mu index'";
         Environment = "PATH=${pkgs.rbw}/bin:${pkgs.coreutils}/bin";
         StandardOutput = "journal";
         StandardError = "journal";

home/roles/plasma-manager-kodi/default.nix

@@ -0,0 +1,199 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.plasma-manager-kodi;
+
+  # Define the volume control scripts as derivations
+  volumeUpScript = pkgs.writeShellScript "avr-volume-up" ''
+    #!/usr/bin/env bash
+
+    # Configuration
+    HA_URL="https://home-assistant.johnogle.info"
+    ENTITY_ID="media_player.denon_avr_s970h_2"
+    MAX_RETRIES=3
+
+    # Read token from KDE Wallet and strip whitespace
+    TOKEN=$(${pkgs.kdePackages.kwallet}/bin/kwallet-query -r ha_avr_token kdewallet -f Passwords 2>/dev/null | tr -d '[:space:]')
+
+    if [ -z "$TOKEN" ]; then
+      ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to retrieve Home Assistant token from KDE Wallet"
+      exit 1
+    fi
+
+    # Send volume up command with retry logic
+    for i in $(seq 1 $MAX_RETRIES); do
+      RESPONSE=$(${pkgs.curl}/bin/curl -s -w "\n%{http_code}" -X POST \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"entity_id\": \"$ENTITY_ID\"}" \
+        "$HA_URL/api/services/media_player/volume_up" 2>&1)
+
+      HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+      if [ "$HTTP_CODE" = "200" ]; then
+        exit 0
+      fi
+
+      # Wait before retry (except on last attempt)
+      if [ $i -lt $MAX_RETRIES ]; then
+        sleep 0.5
+      fi
+    done
+
+    # All retries failed
+    ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to increase volume after $MAX_RETRIES attempts"
+    exit 1
+  '';
+
+  volumeDownScript = pkgs.writeShellScript "avr-volume-down" ''
+    #!/usr/bin/env bash
+
+    # Configuration
+    HA_URL="https://home-assistant.johnogle.info"
+    ENTITY_ID="media_player.denon_avr_s970h_2"
+    MAX_RETRIES=3
+
+    # Read token from KDE Wallet and strip whitespace
+    TOKEN=$(${pkgs.kdePackages.kwallet}/bin/kwallet-query -r ha_avr_token kdewallet -f Passwords 2>/dev/null | tr -d '[:space:]')
+
+    if [ -z "$TOKEN" ]; then
+      ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to retrieve Home Assistant token from KDE Wallet"
+      exit 1
+    fi
+
+    # Send volume down command with retry logic
+    for i in $(seq 1 $MAX_RETRIES); do
+      RESPONSE=$(${pkgs.curl}/bin/curl -s -w "\n%{http_code}" -X POST \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"entity_id\": \"$ENTITY_ID\"}" \
+        "$HA_URL/api/services/media_player/volume_down" 2>&1)
+
+      HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+      if [ "$HTTP_CODE" = "200" ]; then
+        exit 0
+      fi
+
+      # Wait before retry (except on last attempt)
+      if [ $i -lt $MAX_RETRIES ]; then
+        sleep 0.5
+      fi
+    done
+
+    # All retries failed
+    ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to decrease volume after $MAX_RETRIES attempts"
+    exit 1
+  '';
+
+  volumeMuteScript = pkgs.writeShellScript "avr-volume-mute" ''
+    #!/usr/bin/env bash
+
+    # Configuration
+    HA_URL="https://home-assistant.johnogle.info"
+    ENTITY_ID="media_player.denon_avr_s970h_2"
+    MAX_RETRIES=3
+
+    # Read token from KDE Wallet and strip whitespace
+    TOKEN=$(${pkgs.kdePackages.kwallet}/bin/kwallet-query -r ha_avr_token kdewallet -f Passwords 2>/dev/null | tr -d '[:space:]')
+
+    if [ -z "$TOKEN" ]; then
+      ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to retrieve Home Assistant token from KDE Wallet"
+      exit 1
+    fi
+
+    # Get current mute state
+    STATE_RESPONSE=$(${pkgs.curl}/bin/curl -s -H "Authorization: Bearer $TOKEN" \
+      "$HA_URL/api/states/$ENTITY_ID")
+
+    CURRENT_MUTE=$(echo "$STATE_RESPONSE" | ${pkgs.jq}/bin/jq -r '.attributes.is_volume_muted // false')
+
+    # Toggle: if currently muted (true), unmute (false), and vice versa
+    if [ "$CURRENT_MUTE" = "true" ]; then
+      NEW_MUTE="false"
+      NOTIFY_MSG="Unmuted"
+    else
+      NEW_MUTE="true"
+      NOTIFY_MSG="Muted"
+    fi
+
+    # Send mute toggle command with retry logic
+    for i in $(seq 1 $MAX_RETRIES); do
+      RESPONSE=$(${pkgs.curl}/bin/curl -s -w "\n%{http_code}" -X POST \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"entity_id\": \"$ENTITY_ID\", \"is_volume_muted\": $NEW_MUTE}" \
+        "$HA_URL/api/services/media_player/volume_mute" 2>&1)
+
+      HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+      if [ "$HTTP_CODE" = "200" ]; then
+        exit 0
+      fi
+
+      # Wait before retry (except on last attempt)
+      if [ $i -lt $MAX_RETRIES ]; then
+        sleep 0.5
+      fi
+    done
+
+    # All retries failed
+    ${pkgs.libnotify}/bin/notify-send -u critical "Volume Control Error" "Failed to toggle mute after $MAX_RETRIES attempts"
+    exit 1
+  '';
+in
+{
+  options.home.roles.plasma-manager-kodi = {
+    enable = mkEnableOption "KDE Plasma volume control for kodi user via Home Assistant";
+  };
+
+  config = mkIf cfg.enable {
+    programs.plasma = {
+      enable = true;
+      overrideConfig = true;
+
+      # Disable default kmix volume shortcuts to prevent conflicts
+      shortcuts.kmix = {
+        "increase_volume" = "none";
+        "decrease_volume" = "none";
+        "mute" = "none";
+      };
+
+      # Define custom volume control commands with key bindings
+      hotkeys.commands = {
+        "volume-up-avr" = {
+          name = "Volume Up AVR";
+          key = "Volume Up";
+          command = toString volumeUpScript;
+        };
+
+        "volume-down-avr" = {
+          name = "Volume Down AVR";
+          key = "Volume Down";
+          command = toString volumeDownScript;
+        };
+
+        "volume-mute-avr" = {
+          name = "Mute Toggle AVR";
+          key = "Volume Mute";
+          command = toString volumeMuteScript;
+        };
+      };
+
+      # KDE Settings customization
+      configFile = {
+        # Session restore settings
+        "ksmserverrc"."General"."loginMode" = "emptySession";
+
+        # Screen locking settings
+        "kscreenlockerrc"."Daemon"."Autolock" = false;
+        "kscreenlockerrc"."Daemon"."LockOnResume" = false;
+
+        # Theme settings
+        "kdeglobals"."KDE"."LookAndFeelPackage" = "org.kde.breezedark.desktop";
+      };
+    };
+  };
+}

machines/boxy/configuration.nix

@@ -26,11 +26,20 @@ with lib;
       enable = true;
       autologin = true;
       wayland = true;
-      jellyfinScaleFactor = 2.5;
+      jellyfinScaleFactor = 1.0;
     };
+    nfs-mounts.enable = true;
     users.enable = true;
   };
 
+  # Enable KDE Wallet PAM integration for auto-unlock
+  security.pam.services.sddm = {
+    kwallet = {
+      enable = true;
+      package = pkgs.kdePackages.kwallet-pam;
+    };
+  };
+
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;

machines/john-endesktop/MIGRATION_PLAN.md

@@ -0,0 +1,423 @@
+# Migration Plan: Arch Linux to NixOS on john-endesktop (ZFS/NFS Server)
+
+## Overview
+This document outlines the plan to migrate the john-endesktop server from Arch Linux to NixOS while maintaining the existing ZFS pools and NFS exports that serve your k3s cluster.
+
+## Current System State
+
+### Hardware
+- **Boot disk**: nvme0n1
+  - nvme0n1p3: 1000M EFI partition (UUID: F5C6-D570)
+  - nvme0n1p4: 120GB ext4 / (current Arch root)
+  - nvme0n1p5: 810GB - **Target for NixOS** (being removed from media pool)
+- **Network**: enp0s31f6 @ 10.0.0.43/24 (DHCP)
+
+### ZFS Pools
+- **media**: ~3.5TB JBOD pool (2 drives after nvme0n1p5 removal)
+  - wwn-0x50014ee2ba653d70-part2
+  - ata-WDC_WD20EZBX-00AYRA0_WD-WX62D627X7Z8-part2
+  - Contains: /media/media/nix (bind mounted to /nix on Arch)
+  - NFS: Shared to 10.0.0.0/24 via ZFS sharenfs property
+
+- **swarmvols**: 928GB mirror pool - **PRODUCTION DATA**
+  - wwn-0x5002538f52707e2d-part2
+  - wwn-0x5002538f52707e81-part2
+  - Contains: iocage jails and k3s persistent volumes
+  - NFS: Shared to 10.0.0.0/24 via ZFS sharenfs property
+  - Backed up nightly to remote borg
+
+### Services
+- NFS server exporting /media and /swarmvols to k3s cluster
+- ZFS managing pools with automatic exports via sharenfs property
+
+## Prerequisites
+
+### Before Starting
+1. ✅ Ensure nvme0n1p5 removal from media pool is complete
+   ```bash
+   ssh 10.0.0.43 "zpool status media"
+   # Should show no "removing" devices
+   ```
+
+2. ✅ Verify recent backups exist
+   ```bash
+   # Verify swarmvols backup is recent (< 24 hours)
+   # Check your borg backup system
+   ```
+
+3. ✅ Notify k3s cluster users of planned maintenance window
+   - NFS shares will be unavailable during migration
+   - Estimate: 30-60 minutes downtime
+
+4. ✅ Build NixOS configuration from your workstation
+   ```bash
+   cd ~/nixos-configs
+   nix build .#nixosConfigurations.john-endesktop.config.system.build.toplevel
+   ```
+
+## Migration Steps
+
+### Phase 1: Prepare NixOS Installation Media
+
+1. **Download NixOS minimal ISO**
+   ```bash
+   wget https://channels.nixos.org/nixos-25.11/latest-nixos-minimal-x86_64-linux.iso
+   ```
+
+2. **Create bootable USB**
+   ```bash
+   # Identify USB device (e.g., /dev/sdb)
+   lsblk
+   # Write ISO to USB
+   sudo dd if=latest-nixos-minimal-x86_64-linux.iso of=/dev/sdX bs=4M status=progress
+   sudo sync
+   ```
+
+### Phase 2: Backup and Shutdown
+
+1. **On the server, verify ZFS pool status**
+   ```bash
+   ssh 10.0.0.43 "zpool status"
+   ssh 10.0.0.43 "zfs list"
+   ```
+
+2. **Export ZFS pools cleanly**
+   ```bash
+   ssh 10.0.0.43 "sudo zpool export media"
+   ssh 10.0.0.43 "sudo zpool export swarmvols"
+   ```
+
+3. **Shutdown Arch Linux**
+   ```bash
+   ssh 10.0.0.43 "sudo shutdown -h now"
+   ```
+
+### Phase 3: Install NixOS
+
+1. **Boot from NixOS USB**
+   - Insert USB drive
+   - Power on and select USB in boot menu
+
+2. **Connect to network**
+   ```bash
+   # If DHCP doesn't work automatically:
+   sudo systemctl start dhcpcd
+   ip a  # Verify you have 10.0.0.43 or another IP
+   ```
+
+3. **Enable SSH for remote installation (recommended)**
+   ```bash
+   # Set password for nixos user
+   sudo passwd nixos
+   # Start SSH
+   sudo systemctl start sshd
+   # From your workstation:
+   ssh nixos@10.0.0.43
+   ```
+
+4. **Partition nvme0n1p5 with btrfs**
+   ```bash
+   # Verify the device is clear
+   lsblk
+   sudo wipefs -a /dev/nvme0n1p5
+
+   # Create btrfs filesystem
+   sudo mkfs.btrfs -L nixos /dev/nvme0n1p5
+
+   # Mount and create subvolumes
+   sudo mount /dev/nvme0n1p5 /mnt
+   sudo btrfs subvolume create /mnt/@
+   sudo btrfs subvolume create /mnt/@home
+   sudo btrfs subvolume create /mnt/@nix
+   sudo btrfs subvolume create /mnt/@log
+   sudo umount /mnt
+
+   # Mount root subvolume
+   sudo mount -o subvol=@,compress=zstd,noatime /dev/nvme0n1p5 /mnt
+
+   # Create mount points
+   sudo mkdir -p /mnt/{boot,home,nix,var/log}
+
+   # Mount other subvolumes
+   sudo mount -o subvol=@home,compress=zstd,noatime /dev/nvme0n1p5 /mnt/home
+   sudo mount -o subvol=@nix,compress=zstd,noatime /dev/nvme0n1p5 /mnt/nix
+   sudo mount -o subvol=@log,compress=zstd,noatime /dev/nvme0n1p5 /mnt/var/log
+
+   # Mount EFI partition
+   sudo mount /dev/nvme0n1p3 /mnt/boot
+   ```
+
+5. **Import ZFS pools**
+   ```bash
+   # Import pools (should be visible)
+   sudo zpool import
+
+   # Import with force if needed due to hostid
+   sudo zpool import -f media
+   sudo zpool import -f swarmvols
+
+   # Verify pools are mounted
+   zfs list
+   ls -la /media /swarmvols
+   ```
+
+6. **Generate initial hardware configuration**
+   ```bash
+   sudo nixos-generate-config --root /mnt
+   ```
+
+7. **Get the new root filesystem UUID**
+   ```bash
+   blkid /dev/nvme0n1p5
+   # Note the UUID for updating hardware-configuration.nix
+   ```
+
+8. **Copy your NixOS configuration to the server**
+   ```bash
+   # From your workstation:
+   scp -r ~/nixos-configs/machines/john-endesktop/* nixos@10.0.0.43:/tmp/
+
+   # On server:
+   sudo mkdir -p /mnt/etc/nixos
+   sudo cp /tmp/configuration.nix /mnt/etc/nixos/
+   sudo cp /tmp/hardware-configuration.nix /mnt/etc/nixos/
+
+   # Edit hardware-configuration.nix to update the root filesystem UUID
+   sudo nano /mnt/etc/nixos/hardware-configuration.nix
+   # Change: device = "/dev/disk/by-uuid/CHANGE-THIS-TO-YOUR-UUID";
+   # To:     device = "/dev/disk/by-uuid/[UUID from blkid]";
+   ```
+
+9. **Install NixOS**
+   ```bash
+   sudo nixos-install
+
+   # Set root password when prompted
+   # Set user password
+   sudo nixos-install --no-root-passwd
+   ```
+
+10. **Reboot into NixOS**
+    ```bash
+    sudo reboot
+    # Remove USB drive
+    ```
+
+### Phase 4: Post-Installation Verification
+
+1. **Boot into NixOS and verify system**
+   ```bash
+   ssh johno@10.0.0.43
+
+   # Check NixOS version
+   nixos-version
+
+   # Verify hostname
+   hostname  # Should be: john-endesktop
+   ```
+
+2. **Verify ZFS pools imported correctly**
+   ```bash
+   zpool status
+   zpool list
+   zfs list
+
+   # Check for hostid mismatch warnings (should be gone)
+   # Verify both pools show ONLINE status
+   ```
+
+3. **Verify NFS exports are active**
+   ```bash
+   sudo exportfs -v
+   systemctl status nfs-server
+
+   # Should see /media and /swarmvols exported to 10.0.0.0/24
+   ```
+
+4. **Test NFS mount from another machine**
+   ```bash
+   # From a k3s node or your workstation:
+   sudo mount -t nfs 10.0.0.43:/swarmvols /mnt
+   ls -la /mnt
+   sudo umount /mnt
+
+   sudo mount -t nfs 10.0.0.43:/media /mnt
+   ls -la /mnt
+   sudo umount /mnt
+   ```
+
+5. **Verify ZFS sharenfs properties preserved**
+   ```bash
+   zfs get sharenfs media
+   zfs get sharenfs swarmvols
+
+   # Should show: sec=sys,mountpoint,no_subtree_check,no_root_squash,rw=@10.0.0.0/24
+   ```
+
+6. **Check swap device**
+   ```bash
+   swapon --show
+   free -h
+   # Should show /dev/zvol/media/swap
+   ```
+
+### Phase 5: Restore k3s Cluster Access
+
+1. **Restart k3s nodes or remount NFS shares**
+   ```bash
+   # On each k3s node:
+   sudo systemctl restart k3s  # or k3s-agent
+   ```
+
+2. **Verify k3s pods have access to persistent volumes**
+   ```bash
+   # On k3s master:
+   kubectl get pv
+   kubectl get pvc
+   # Check that volumes are bound and accessible
+   ```
+
+## Rollback Plan
+
+If something goes wrong during migration, you can roll back to Arch Linux:
+
+### Quick Rollback (If NixOS won't boot)
+
+1. **Boot from NixOS USB (or Arch USB)**
+
+2. **Import ZFS pools**
+   ```bash
+   sudo zpool import -f media
+   sudo zpool import -f swarmvols
+   ```
+
+3. **Start NFS manually (temporary)**
+   ```bash
+   sudo mkdir -p /media /swarmvols
+   sudo systemctl start nfs-server
+   sudo exportfs -o rw,sync,no_subtree_check,no_root_squash 10.0.0.0/24:/media
+   sudo exportfs -o rw,sync,no_subtree_check,no_root_squash 10.0.0.0/24:/swarmvols
+   sudo exportfs -v
+   ```
+   This will restore k3s cluster access immediately while you diagnose.
+
+4. **Boot back into Arch Linux**
+   ```bash
+   # Reboot and select nvme0n1p4 (Arch) in GRUB/boot menu
+   sudo reboot
+   ```
+
+5. **Verify Arch boots and services start**
+   ```bash
+   ssh johno@10.0.0.43
+   zpool status
+   systemctl status nfs-server
+   ```
+
+### Full Rollback (If needed)
+
+1. **Follow Quick Rollback steps above**
+
+2. **Re-add nvme0n1p5 to media pool (if desired)**
+   ```bash
+   # Only if you want to restore the original configuration
+   sudo zpool add media /dev/nvme0n1p5
+   ```
+
+3. **Clean up NixOS partition**
+   ```bash
+   # If you want to reclaim nvme0n1p5 for other uses
+   sudo wipefs -a /dev/nvme0n1p5
+   ```
+
+## Risk Mitigation
+
+### Data Safety
+- ✅ **swarmvols** (production): Mirrored + nightly borg backups
+- ⚠️  **media** (important): JBOD - no redundancy, but not catastrophic
+- ✅ **NixOS install**: Separate partition, doesn't touch ZFS pools
+- ✅ **Arch Linux**: Remains bootable on nvme0n1p4 until verified
+
+### Service Continuity
+- Downtime: 30-60 minutes expected
+- k3s cluster: Will reconnect automatically when NFS returns
+- Rollback time: < 10 minutes to restore Arch
+
+### Testing Approach
+1. Test NFS exports from NixOS live environment before installation
+2. Test single NFS mount from k3s node before full cluster restart
+3. Keep Arch Linux boot option until 24-48 hours of stable NixOS operation
+
+## Post-Migration Tasks
+
+After successful migration and 24-48 hours of stable operation:
+
+1. **Update k3s NFS mounts (if needed)**
+   - Verify no hardcoded references to old system
+
+2. **Optional: Repurpose Arch partition**
+   ```bash
+   # After you're confident NixOS is stable
+   # You can wipe nvme0n1p4 and repurpose it
+   ```
+
+3. **Update documentation**
+   - Update infrastructure docs with NixOS configuration
+   - Document any deviations from this plan
+
+4. **Consider setting up NixOS remote deployment**
+   ```bash
+   # From your workstation:
+   nixos-rebuild switch --target-host johno@10.0.0.43 --flake .#john-endesktop
+   ```
+
+## Timeline
+
+- **Preparation**: 1-2 hours (testing config build, downloading ISO)
+- **Migration window**: 1-2 hours (installation + verification)
+- **Verification period**: 24-48 hours (before removing Arch)
+- **Total**: ~3 days from start to declaring success
+
+## Emergency Contacts
+
+- Borg backup location: [Document your borg repo location]
+- K3s cluster nodes: [Document your k3s nodes]
+- Critical services on k3s: [Document what's running that depends on these NFS shares]
+
+## Checklist
+
+Pre-migration:
+- [x] nvme0n1p5 removal from media pool complete
+- [ ] Recent backup verified (< 24 hours)
+- [ ] Maintenance window scheduled
+- [ ] NixOS ISO downloaded
+- [ ] Bootable USB created
+- [ ] NixOS config builds successfully
+
+During migration:
+- [ ] ZFS pools exported
+- [ ] Arch Linux shutdown cleanly
+- [ ] Booted from NixOS USB
+- [ ] nvme0n1p5 formatted with btrfs
+- [ ] Btrfs subvolumes created
+- [ ] ZFS pools imported
+- [ ] NixOS installed
+- [ ] Root password set
+
+Post-migration:
+- [ ] NixOS boots successfully
+- [ ] ZFS pools mounted automatically
+- [ ] NFS server running
+- [ ] NFS exports verified
+- [ ] Test mount from k3s node successful
+- [ ] k3s cluster reconnected
+- [ ] Persistent volumes accessible
+- [ ] No hostid warnings in zpool status
+- [ ] Arch Linux still bootable (for rollback)
+
+Final verification (after 24-48 hours):
+- [ ] All services stable
+- [ ] No unexpected issues
+- [ ] Performance acceptable
+- [ ] Ready to remove Arch partition (optional)
+- [ ] Ready to remove /swarmvols/media-backup (optional)

machines/john-endesktop/configuration.nix

@@ -0,0 +1,112 @@
+# NixOS configuration for john-endesktop (ZFS/NFS server)
+# Migrated from Arch Linux to provide ZFS pools via NFS to k3s cluster
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # Boot configuration
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # ZFS support
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.forceImportRoot = false;
+  boot.zfs.extraPools = [ "media" "swarmvols" ];
+
+  # Set ZFS hostid to match current system (from Arch Linux)
+  # This resolves the hostid mismatch warnings
+  networking.hostId = "007f0101";
+
+  # Hostname
+  networking.hostName = "john-endesktop";
+
+  # Network configuration - using DHCP on enp0s31f6
+  networking.useDHCP = false;
+  networking.interfaces.enp0s31f6.useDHCP = true;
+
+  # NFS Server configuration
+  services.nfs.server = {
+    enable = true;
+
+    # NFS protocol versions
+    # v3 for broader compatibility, v4 for better performance
+    exports = ''
+      # These are managed by ZFS sharenfs properties
+      # but we enable the NFS server here
+    '';
+  };
+
+  # Enable NFS4 with proper configuration
+  services.rpcbind.enable = true;
+
+  # Firewall configuration for NFS
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      111   # rpcbind
+      2049  # nfs
+      4000  # nfs callback
+      4001  # nlockmgr
+      4002  # mountd
+      20048 # mountd
+    ];
+    allowedUDPPorts = [
+      111   # rpcbind
+      2049  # nfs
+      4000  # nfs callback
+      4001  # nlockmgr
+      4002  # mountd
+      20048 # mountd
+    ];
+    # Allow NFS from local network
+    extraCommands = ''
+      iptables -A nixos-fw -p tcp -s 10.0.0.0/24 -j ACCEPT
+      iptables -A nixos-fw -p udp -s 10.0.0.0/24 -j ACCEPT
+    '';
+  };
+
+  # ZFS maintenance
+  services.zfs = {
+    autoScrub = {
+      enable = true;
+      interval = "monthly";
+    };
+    trim = {
+      enable = true;
+      interval = "weekly";
+    };
+  };
+
+  # Basic system packages
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+    htop
+    tmux
+    zfs
+  ];
+
+  # Enable SSH
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = true;
+    };
+  };
+
+  # User configuration
+  roles.users.enable = true;
+
+  # Time zone
+  time.timeZone = "America/Los_Angeles"; # Adjust as needed
+
+  # NixOS version
+  system.stateVersion = "25.11";
+}

machines/john-endesktop/hardware-configuration.nix

@@ -0,0 +1,48 @@
+# Hardware configuration for john-endesktop
+# This file should be regenerated after NixOS installation using:
+# nixos-generate-config --show-hardware-config
+
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  # Boot configuration
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # File systems - these will need to be updated after installation
+  # The nvme0n1p5 partition will be formatted as btrfs for NixOS root
+  fileSystems."/" = {
+    # Update this device path after installation
+    device = "/dev/disk/by-uuid/CHANGE-THIS-TO-YOUR-UUID";
+    fsType = "btrfs";
+    options = [ "subvol=@" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/boot" = {
+    # This should match your current EFI partition
+    device = "/dev/disk/by-uuid/F5C6-D570";
+    fsType = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };
+
+  # ZFS pools - these are imported by ZFS, not managed by fileSystems
+  # The pools should be imported automatically via boot.zfs.extraPools
+  # /media and /swarmvols will be mounted by ZFS
+
+  # Swap - using ZFS zvol
+  swapDevices = [
+    { device = "/dev/zvol/media/swap"; }
+  ];
+
+  # CPU microcode
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  # Networking
+  networking.useDHCP = lib.mkDefault true;
+}

machines/nix-book/configuration.nix

@@ -39,6 +39,16 @@
   boot.loader.efi.canTouchEfiVariables = true;
 
   boot.initrd.luks.devices."luks-b614167b-9045-4234-a441-ac6f60a96d81".device = "/dev/disk/by-uuid/b614167b-9045-4234-a441-ac6f60a96d81";
+
+  # S3 deep sleep broken on Alder Lake - use direct hibernate on lid close
+  services.logind.settings.Login = {
+    HandleLidSwitch = "hibernate";
+    HandleLidSwitchExternalPower = "hibernate";
+    HandleLidSwitchDocked = "hibernate";
+    HandlePowerKey = "hibernate";
+    HandlePowerKeyLongPress = "poweroff";
+  };
+
   networking.hostName = "nix-book"; # Define your hostname.
   # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
 

roles/desktop/gaming.nix

@@ -22,6 +22,8 @@ in
         # indiviudal cores
         #retroarch-full
         ryubing
+
+        yarg
       ];
 
       programs.steam = {