[nix-deck] Use NixOS unstable for better Jovian compatibility

- Switch nix-deck to use nixpkgs-unstable and unstable home-manager/plasma-manager - Remove jovian-compat.nix shim (not needed on unstable) - Add bitwarden-desktop compatibility overlay for stable/unstable coexistence - Update hardware-configuration.nix with actual Steam Deck hardware detection - Add 8GB swap file configuration - Configure AMD CPU microcode updates This allows nix-deck to work with the latest Jovian-NixOS while keeping other machines on stable 25.05. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Add Steam Deck (nix-deck) configuration with Jovian-NixOS and remote building
2025-11-17 16:40:11 -08:00 · 2025-11-17 16:06:20 -08:00 · 2025-11-17 16:05:39 -08:00 · 2025-11-17 16:05:29 -08:00 · 2025-11-17 15:36:20 -08:00 · 2025-11-15 14:11:12 -08:00
73 changed files with 5329 additions and 570 deletions
--- a/.goosehints
+++ b/.goosehints
@@ -0,0 +1,21 @@
+NixOS Configurations Repository
+================================
+
+Overview:
+---------
+This repository hosts modular and reproducible NixOS configurations managed via Nix flakes. It is structured to separate concerns across machine-specific setups, common roles, and custom packages.
+
+Directory Structure:
+----------------------
+• packages/      - Custom Nix packages leveraged across various configurations.
+• roles/         - Role-based configurations (e.g., kodi, bluetooth) each with its own module (default.nix) for inclusion in machine setups.
+• machines/      - Machine-specific configurations (e.g., nix-book, z790prors, boxy, wixos) including configuration.nix and hardware-configuration.nix tailored for each hardware.
+• home/          - Home-manager configurations for personal environments and application settings (e.g., home-nix-book.nix, home-z790prors.nix).
+
+Design Principles:
+------------------
+• Modularity: Clear separation between roles, machines, and packages allows for flexible and reusable configurations.
+• Declarative & Reproducible: Using Nix flakes guarantees a fully declarative setup that can be effortlessly reproduced across systems.
+• Scalability: The structure is designed to accommodate adding new roles or machines with minimal disruption to existing configurations.
+
+This file serves as a concise guide for navigating and understanding the repository from an advanced Nix perspective. Further documentation can be found within the respective directories or individual README files where applicable.
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,177 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Repository Overview
+
+This is a NixOS configuration repository using flakes, managing multiple machines and home-manager configurations. The repository follows a modular architecture with reusable "roles" that can be composed for different machines.
+
+## Architecture
+
+### Flake Structure
+- **flake.nix**: Main entry point defining inputs (nixpkgs, home-manager, plasma-manager, etc.) and outputs for multiple NixOS configurations
+- **Machines**: `nix-book`, `boxy`, `wixos` (WSL configuration), `zix790prors`, `live-usb`, `johno-macbookpro` (Darwin/macOS)
+- **Home configurations**: Standalone home-manager configuration for user `johno`
+
+### Directory Structure
+- `machines/`: Machine-specific configurations with hardware-configuration.nix
+- `roles/`: Modular system configurations (audio, bluetooth, desktop, users, etc.)
+- `home/`: Home Manager configurations and user-specific modules
+- `home/modules/`: User environment modules (emacs, i3+sway, plasma-manager, tmux)
+- `packages/`: Custom package definitions
+
+### Role-Based Configuration System
+The repository uses a custom "roles" system where each role is a NixOS module with enable options:
+- `roles.desktop`: Desktop environment with sub-options for X11, Wayland, KDE, gaming, SDDM
+- `roles.audio`: Audio configuration
+- `roles.bluetooth`: Bluetooth support
+- `roles.users`: User account management
+- `roles.virtualisation`: Virtualization setup
+- `roles.kodi`: Kodi media center
+- `roles.nvidia`: NVIDIA GPU configuration
+- `roles.printing`: Printing support (CUPS)
+- `roles.spotifyd`: Spotify daemon
+- `roles.btrfs`: Btrfs filesystem configuration
+- `roles.nfs-mounts`: NFS mount configuration
+- `roles.darwin`: macOS-specific configurations
+
+Example role usage in machine configuration:
+```nix
+roles = {
+  audio.enable = true;
+  desktop = {
+    enable = true;
+    gaming = true;
+    kde = true;
+    wayland = true;
+  };
+  users.enable = true;
+};
+```
+
+### Home-Manager Role System
+The repository also uses a modular home-manager role system for user-space configuration:
+
+**Available Home Roles:**
+- `home.roles.base`: Core CLI tools, git, ssh, bash, rbw (enabled everywhere)
+- `home.roles.desktop`: GUI applications, Firefox, KDE services
+- `home.roles.office`: LibreOffice, OpenSCAD (heavy packages)
+- `home.roles.media`: VLC, Jellyfin, Moonlight (media consumption)
+- `home.roles.development`: Custom packages, kubectl, development tools
+- `home.roles.communication`: Element, Nextcloud Talk, Google cookie tools
+- `home.roles.sync`: Syncthing service and tray (for file synchronization)
+- `home.roles.kdeconnect`: KDE Connect for device integration
+- `home.roles.gaming`: Gaming applications (future expansion)
+
+**Role-Based Home Configurations:**
+- `home-desktop.nix`: Full-featured desktop for development workstations
+- `home-media-center.nix`: Living room media consumption and gaming setup (boxy)
+- `home-laptop-compact.nix`: Essential tools only, excludes office/media for storage constraints (nix-book)
+- `home-live-usb.nix`: Minimal setup for live environments, no persistent services
+- `home-darwin-work.nix`: macOS work laptop configuration
+
+**Machine-Specific Role Usage:**
+- **nix-book**: Compact laptop → excludes office/media roles due to SSD space constraints
+- **boxy**: Living room media center → optimized for media consumption, excludes sync/office (shared machine)
+- **zix790prors**: All-purpose workstation → full desktop experience with all roles enabled
+- **wixos**: WSL2 development → full desktop experience, inherits from zix790prors Windows host
+- **live-usb**: Temporary environment → only base + desktop roles, no persistent services
+- **johno-macbookpro**: macOS work laptop → Darwin-specific configuration with development tools
+
+## Common Commands
+
+### Building and Switching Configurations
+
+**NixOS (Linux):**
+```bash
+# Build and switch to a specific machine configuration
+sudo nixos-rebuild switch --flake .#<hostname>
+
+# Build without switching
+nixos-rebuild build --flake .#<hostname>
+
+# Build home-manager configuration only
+home-manager switch --flake .#johno
+```
+
+**Darwin (macOS):**
+```bash
+# Build and switch to Darwin configuration
+darwin-rebuild switch --flake .#johno-macbookpro
+
+# Build without switching
+darwin-rebuild build --flake .#johno-macbookpro
+```
+
+### Available Machine Configurations
+- `nix-book`: Compact laptop with storage constraints, uses `home/home-laptop-compact.nix`
+- `boxy`: Shared living room media center/gaming desktop with AMD GPU, uses `home/home-media-center.nix`
+- `zix790prors`: Powerful all-purpose workstation (gaming, 3D modeling, development), dual-boots Windows 11 with shared btrfs /games partition, uses `home/home-desktop.nix`
+- `wixos`: WSL2 development environment running in Windows partition of zix790prors, uses `home/home-desktop.nix`
+- `live-usb`: Bootable ISO configuration, uses `home/home-live-usb.nix`
+- `johno-macbookpro`: macOS work laptop, uses `home/home-darwin-work.nix`
+
+### Flake Operations
+```bash
+# Update flake inputs
+nix flake update
+
+# Check flake
+nix flake check
+
+# Show flake info
+nix flake show
+```
+
+### Bootstrap New Machine
+Use the provided bootstrap script:
+```bash
+sudo ./bootstrap.sh <hostname>
+```
+This script pulls from the remote git repository and applies the configuration.
+
+### Build Live USB ISO
+Use the provided script to build a bootable ISO:
+```bash
+./build-liveusb.sh
+```
+Creates an ISO suitable for Ventoy and other USB boot tools in `./result/iso/`.
+
+## Development Workflow
+
+### Adding New Machines
+
+**NixOS:**
+1. Create new directory in `machines/<hostname>/`
+2. Add `configuration.nix` with role assignments
+3. Include hardware-configuration.nix (generated by nixos-generate-config)
+4. Add nixosConfiguration to flake.nix outputs
+
+**Darwin (macOS):**
+1. Create new directory in `machines/<hostname>/`
+2. Add `configuration.nix` with Darwin role assignments
+3. Add darwinConfiguration to flake.nix outputs
+
+### Adding New Roles
+1. Create directory in `roles/<role-name>/`
+2. Create `default.nix` with module definition using mkEnableOption
+3. Add role import to `roles/default.nix`
+4. Configure role options in machine configurations
+
+### Home Manager Modules
+- Located in `home/modules/`
+- Each module has its own `default.nix`
+- Imported in main home configuration files
+
+## Key Configuration Details
+
+- **Experimental features**: nix-command and flakes are enabled
+- **User**: Primary user is `johno` with trusted-user privileges
+- **Locale**: en_US.UTF-8, America/Los_Angeles timezone
+- **SSH**: OpenSSH enabled on all configurations
+- **Garbage collection**: Automatic, deletes older than 10 days
+- **Unfree packages**: Allowed globally
+
+## Important Notes
+
+- **Sudo access**: Claude Code does not have sudo access. Ask the user to run elevated commands like `sudo nixos-rebuild switch`
--- a/STEAM_DECK_JOVIAN_SETUP.md
+++ b/STEAM_DECK_JOVIAN_SETUP.md
@@ -0,0 +1,280 @@
+# Steam Deck (nix-deck) Jovian-NixOS Setup Guide
+
+This document describes the setup for installing and maintaining NixOS with Jovian-NixOS on a Steam Deck.
+
+## Overview
+
+The `nix-deck` configuration provides:
+- **Jovian-NixOS integration** for Steam Deck hardware support
+- **Remote building** using `zix790prors` as the build host
+- **SteamOS role** for easy Steam Deck UI configuration
+- **Compatibility shim** for using Jovian on NixOS 25.05 stable
+
+## Architecture
+
+### Remote Building
+
+The setup uses distributed builds to avoid slow compilation on the Steam Deck:
+
+- **Build Host**: `zix790prors` (powerful desktop)
+  - Runs as a dedicated `nix-builder` user (not root)
+  - Accepts SSH connections from client machines
+  - Performs all heavy compilation work
+
+- **Build Clients**: `nix-book` and `nix-deck`
+  - Automatically offload builds to `zix790prors`
+  - Fall back to local building if remote builder is unavailable
+  - Steam Deck heavily prefers remote (speedFactor=4)
+
+### Jovian-NixOS Integration
+
+- **Jovian module**: Provides Steam Deck hardware support, drivers, and Steam UI
+- **Compatibility layer**: `roles/jovian-compat.nix` provides `services.logind.settings` for NixOS 25.05
+  - **IMPORTANT**: Remove this when upgrading to NixOS 25.11+
+  - An assertion will fail the build if used on 25.11+
+
+- **SteamOS role**: `roles.desktop.steamos` abstracts Jovian configuration
+  ```nix
+  roles.desktop.steamos = {
+    enable = true;
+    autoStart = false;  # Set to true to boot directly to Steam UI
+    desktopSession = "plasmawayland";
+  };
+  ```
+
+## Initial Installation
+
+### Prerequisites
+
+1. Steam Deck in recovery mode or booted to a live Linux environment
+2. SSH access enabled on the Steam Deck
+3. SSH key set up for passwordless authentication
+
+### Option 1: Using nixos-anywhere (Initial Install Only)
+
+```bash
+# From your main machine
+nix run github:nix-community/nixos-anywhere -- \
+  --flake .#nix-deck \
+  root@<steam-deck-ip>
+```
+
+**Note**: This is only for the initial install. For updates, see below.
+
+### Option 2: Manual Installation
+
+1. Boot Steam Deck from NixOS installer USB
+2. Partition and format the disk
+3. Mount filesystems
+4. Clone this repository
+5. Generate hardware config:
+   ```bash
+   nixos-generate-config --show-hardware-config > /tmp/hw.nix
+   ```
+6. Copy the hardware config content to `machines/nix-deck/hardware-configuration.nix`
+7. Keep the `jovian.devices.steamdeck` settings in the file
+8. Install:
+   ```bash
+   nixos-install --flake .#nix-deck
+   ```
+
+## Updates and Rebuilds
+
+### Method 1: Remote Build and Deploy (Recommended)
+
+Build on your main machine, deploy to Steam Deck:
+
+```bash
+# From nix-book or zix790prors
+nixos-rebuild switch \
+  --flake .#nix-deck \
+  --target-host root@nix-deck \
+  --build-host localhost
+```
+
+### Method 2: On-Device Rebuild (Uses Remote Builder)
+
+The Steam Deck is configured to automatically use `zix790prors` as a remote builder:
+
+```bash
+# SSH into the Steam Deck
+ssh root@nix-deck
+
+# This will automatically build on zix790prors
+nixos-rebuild switch --flake /path/to/nixos-configs#nix-deck
+```
+
+The build will automatically happen on `zix790prors` and be deployed locally.
+
+## Remote Builder Setup
+
+### On the Build Host (zix790prors)
+
+The configuration creates a `nix-builder` user that client machines connect to:
+
+```nix
+roles.remote-build.enableBuilder = true;
+```
+
+### On Client Machines (nix-book, nix-deck)
+
+Configure the remote builder:
+
+```nix
+roles.remote-build.builders = [{
+  hostName = "zix790prors";
+  maxJobs = 16;
+  speedFactor = 4;  # Higher = prefer remote more
+}];
+```
+
+### SSH Key Setup
+
+1. Generate SSH key on the builder host for the `nix-builder` user:
+   ```bash
+   sudo -u nix-builder ssh-keygen -t ed25519 -f /var/lib/nix-builder/.ssh/id_ed25519
+   ```
+
+2. Copy the public key to client machines:
+   ```bash
+   # Add to /var/lib/nix-builder/.ssh/authorized_keys on zix790prors
+   ```
+
+3. On client machines, ensure you can connect:
+   ```bash
+   ssh nix-builder@zix790prors
+   ```
+
+## Configuration Files
+
+### Key Files Created/Modified
+
+- `flake.nix` - Added Jovian input and nix-deck configuration
+- `roles/jovian-compat.nix` - Compatibility shim (remove in 25.11+)
+- `roles/desktop/steamos.nix` - SteamOS/Jovian role abstraction
+- `roles/remote-build/default.nix` - Remote builder role
+- `machines/nix-deck/configuration.nix` - Steam Deck system config
+- `machines/nix-deck/hardware-configuration.nix` - Hardware config (placeholder)
+
+### Example Configuration
+
+```nix
+# machines/nix-deck/configuration.nix
+{
+  roles = {
+    desktop = {
+      enable = true;
+      wayland = true;
+      gaming.enable = true;
+      kde = true;
+      sddm = true;
+      steamos = {
+        enable = true;
+        autoStart = false;  # or true to boot to Steam UI
+        desktopSession = "plasmawayland";
+      };
+    };
+    remote-build.builders = [{
+      hostName = "zix790prors";
+      maxJobs = 16;
+      speedFactor = 4;
+    }];
+  };
+}
+```
+
+## Jovian Features
+
+### Enabled by Default
+
+- Steam Deck hardware support (`jovian.devices.steamdeck.enable`)
+- Steam UI (`jovian.steam.enable`)
+- Decky Loader plugin system (`jovian.decky-loader.enable`)
+
+### Optional Features
+
+Set in the hardware-configuration.nix:
+
+```nix
+jovian.devices.steamdeck = {
+  enable = true;
+  autoUpdate = false;  # Auto-update BIOS/controller firmware
+};
+```
+
+### Manual Firmware Updates
+
+```bash
+# BIOS update
+sudo jupiter-biosupdate
+
+# Controller update
+sudo jupiter-controller-update
+
+# Docking station (connect via USB-C first)
+jupiter-dock-updater
+```
+
+## Troubleshooting
+
+### Remote Builds Not Working
+
+1. Check SSH connectivity:
+   ```bash
+   ssh nix-builder@zix790prors
+   ```
+
+2. Verify builder is trusted:
+   ```bash
+   # On zix790prors
+   nix show-config | grep trusted-users
+   ```
+
+3. Check build logs:
+   ```bash
+   journalctl -u nix-daemon -f
+   ```
+
+### Jovian Not Working
+
+1. Ensure you're on NixOS 25.05 or the compatibility layer is removed for 25.11+
+2. Check Jovian is imported in flake.nix
+3. Verify hardware config has `jovian.devices.steamdeck.enable = true`
+
+### Compatibility Layer Issues
+
+If you see an error about `jovian-compat.nix` being incompatible:
+
+1. You're running NixOS 25.11 or later
+2. Remove `./roles/jovian-compat.nix` from `flake.nix`
+3. Jovian should work natively on 25.11+
+
+## Future Upgrades
+
+### Upgrading to NixOS 25.11
+
+1. Update `nixpkgs` input in flake.nix to 25.11
+2. Remove `./roles/jovian-compat.nix` from flake.nix imports
+3. The assertion in jovian-compat.nix will prevent accidental use
+4. Test the build
+5. Deploy
+
+### Switching to Unstable
+
+If you need Jovian to follow unstable nixpkgs:
+
+1. Edit `flake.nix`:
+   ```nix
+   jovian = {
+     url = "github:Jovian-Experiments/Jovian-NixOS";
+     inputs.nixpkgs.follows = "nixpkgs-unstable";
+   };
+   ```
+
+2. This only affects Jovian packages, not your base system
+
+## Additional Resources
+
+- [Jovian-NixOS Documentation](https://jovian-experiments.github.io/Jovian-NixOS/)
+- [Jovian Steam Deck Guide](https://jovian-experiments.github.io/Jovian-NixOS/devices/valve-steam-deck/)
+- [NixOS Remote Builds](https://nixos.org/manual/nix/stable/advanced-topics/distributed-builds.html)
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# bootstrap.sh
+# Usage: sudo ./bootstrap.sh <hostname>
+set -euo pipefail
+
+NEW_HOSTNAME="${1:?missing hostname}"
+FLAKE_URI="git+https://git.johnogle.info/johno/nixos-configs.git#${NEW_HOSTNAME}"
+
+export NIX_CONFIG="experimental-features = nix-command flakes"
+nixos-rebuild switch --flake "$FLAKE_URI"
+
--- a/build-liveusb.sh
+++ b/build-liveusb.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Build Live USB ISO from flake configuration
+# Creates an uncompressed ISO suitable for Ventoy and other USB boot tools
+
+set -e
+
+echo "Building Live USB ISO..."
+nix build .#nixosConfigurations.live-usb.config.system.build.isoImage --show-trace
+
+if [ -f "./result/iso/"*.iso ]; then
+    iso_file=$(ls ./result/iso/*.iso)
+    echo "✅ Build complete!"
+    echo "📁 ISO location: $iso_file"
+    echo "💾 Ready for Ventoy or dd to USB"
+else
+    echo "❌ Build failed - no ISO file found"
+    exit 1
+fi
--- a/flake.lock
+++ b/flake.lock
@@ -1,38 +1,41 @@
 {
  "nodes": {
-    "aquamarine": {
-      "inputs": {
-        "hyprutils": [
-          "hyprland",
-          "hyprutils"
-        ],
-        "hyprwayland-scanner": [
-          "hyprland",
-          "hyprwayland-scanner"
-        ],
-        "nixpkgs": [
-          "hyprland",
-          "nixpkgs"
-        ],
-        "systems": [
-          "hyprland",
-          "systems"
-        ]
-      },
+    "flake-compat": {
+      "flake": false,
      "locked": {
-        "lastModified": 1722347739,
-        "narHash": "sha256-rAoh+K6KG+b1DwSWtqRVocdojnH6nGk6q07mNltoUSM=",
-        "owner": "hyprwm",
-        "repo": "aquamarine",
-        "rev": "7c3565f9bedc7cb601cc0baa14792247e4dc1d5a",
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
        "type": "github"
      },
      "original": {
-        "owner": "hyprwm",
-        "repo": "aquamarine",
+        "owner": "edolstra",
+        "repo": "flake-compat",
        "type": "github"
      }
    },
+    "google-cookie-retrieval": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1761423376,
+        "narHash": "sha256-pMy3cnUFfue4vz/y0jx71BfcPGxZf+hk/DtnzWvfU0c=",
+        "ref": "refs/heads/main",
+        "rev": "a1f695665771841a988afc965526cbf99160cd77",
+        "revCount": 11,
+        "type": "git",
+        "url": "https://git.johnogle.info/johno/google-cookie-retrieval.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.johnogle.info/johno/google-cookie-retrieval.git"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -40,210 +43,148 @@
        ]
      },
      "locked": {
-        "lastModified": 1723986931,
-        "narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=",
+        "lastModified": 1758463745,
+        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671",
+        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
+        "ref": "release-25.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
-    "hy3": {
+    "home-manager-unstable": {
      "inputs": {
-        "hyprland": [
-          "hyprland"
+        "nixpkgs": [
+          "nixpkgs-unstable"
        ]
      },
      "locked": {
-        "lastModified": 1724185071,
-        "narHash": "sha256-5ykCHWCX0P+cN2mZsJpPh1rW83tqDQ7KgeAimeh+kQo=",
-        "owner": "outfoxxed",
-        "repo": "hy3",
-        "rev": "23682f7707e7f051618c1c35ce09708b80164c62",
+        "lastModified": 1763416652,
+        "narHash": "sha256-8EBEEvtzQ11LCxpQHMNEBQAGtQiCu/pqP9zSovDSbNM=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "ea164b7c9ccdc2321379c2ff78fd4317b4c41312",
        "type": "github"
      },
      "original": {
-        "owner": "outfoxxed",
-        "repo": "hy3",
+        "owner": "nix-community",
+        "ref": "master",
+        "repo": "home-manager",
        "type": "github"
      }
    },
-    "hyprcursor": {
+    "jovian": {
      "inputs": {
-        "hyprlang": [
-          "hyprland",
-          "hyprlang"
-        ],
+        "nix-github-actions": "nix-github-actions",
        "nixpkgs": [
-          "hyprland",
-          "nixpkgs"
-        ],
-        "systems": [
-          "hyprland",
-          "systems"
+          "nixpkgs-unstable"
        ]
      },
      "locked": {
-        "lastModified": 1721330371,
-        "narHash": "sha256-aYlHTWylczLt6ERJyg6E66Y/XSCbVL7leVcRuJmVbpI=",
-        "owner": "hyprwm",
-        "repo": "hyprcursor",
-        "rev": "4493a972b48f9c3014befbbf381ed5fff91a65dc",
+        "lastModified": 1763223001,
+        "narHash": "sha256-Hi6XxTJJjKsDrO+D0fYXS88ehCYzQkZlp9qxX1zoM1s=",
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
+        "rev": "68a1bcc019378272e601558719f82005a80ddab0",
        "type": "github"
      },
      "original": {
-        "owner": "hyprwm",
-        "repo": "hyprcursor",
+        "owner": "Jovian-Experiments",
+        "repo": "Jovian-NixOS",
        "type": "github"
      }
    },
-    "hyprland": {
-      "inputs": {
-        "aquamarine": "aquamarine",
-        "hyprcursor": "hyprcursor",
-        "hyprlang": "hyprlang",
-        "hyprutils": "hyprutils",
-        "hyprwayland-scanner": "hyprwayland-scanner",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems",
-        "xdph": "xdph"
-      },
-      "locked": {
-        "lastModified": 1724517953,
-        "narHash": "sha256-EjlyG4Q2cJZOJ7iuCSu/EfY1Jb5dMJOpggN9+WcLxg0=",
-        "ref": "refs/heads/main",
-        "rev": "66586c38f53f16bcf762f019359a3c9042546a72",
-        "revCount": 5134,
-        "submodules": true,
-        "type": "git",
-        "url": "https://github.com/hyprwm/Hyprland"
-      },
-      "original": {
-        "submodules": true,
-        "type": "git",
-        "url": "https://github.com/hyprwm/Hyprland"
-      }
-    },
-    "hyprland-protocols": {
+    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
-          "hyprland",
-          "xdph",
          "nixpkgs"
-        ],
-        "systems": [
-          "hyprland",
-          "xdph",
-          "systems"
        ]
      },
      "locked": {
-        "lastModified": 1721326555,
-        "narHash": "sha256-zCu4R0CSHEactW9JqYki26gy8h9f6rHmSwj4XJmlHgg=",
-        "owner": "hyprwm",
-        "repo": "hyprland-protocols",
-        "rev": "5a11232266bf1a1f5952d5b179c3f4b2facaaa84",
+        "lastModified": 1762912391,
+        "narHash": "sha256-4hpBE7bGd24SfD28rzMdUGXsLsNEYxCCrTipFdoqoNM=",
+        "owner": "nix-darwin",
+        "repo": "nix-darwin",
+        "rev": "d76299b2cd01837c4c271a7b5186e3d5d8ebd126",
        "type": "github"
      },
      "original": {
-        "owner": "hyprwm",
-        "repo": "hyprland-protocols",
+        "owner": "nix-darwin",
+        "ref": "nix-darwin-25.05",
+        "repo": "nix-darwin",
        "type": "github"
      }
    },
-    "hyprlang": {
+    "nix-github-actions": {
      "inputs": {
-        "hyprutils": [
-          "hyprland",
-          "hyprutils"
-        ],
        "nixpkgs": [
-          "hyprland",
+          "jovian",
          "nixpkgs"
-        ],
-        "systems": [
-          "hyprland",
-          "systems"
        ]
      },
      "locked": {
-        "lastModified": 1721324361,
-        "narHash": "sha256-BiJKO0IIdnSwHQBSrEJlKlFr753urkLE48wtt0UhNG4=",
-        "owner": "hyprwm",
-        "repo": "hyprlang",
-        "rev": "adbefbf49664a6c2c8bf36b6487fd31e3eb68086",
+        "lastModified": 1729697500,
+        "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
+        "owner": "zhaofengli",
+        "repo": "nix-github-actions",
+        "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
        "type": "github"
      },
      "original": {
-        "owner": "hyprwm",
-        "repo": "hyprlang",
+        "owner": "zhaofengli",
+        "ref": "matrix-name",
+        "repo": "nix-github-actions",
        "type": "github"
      }
    },
-    "hyprutils": {
+    "nixos-wsl": {
      "inputs": {
-        "nixpkgs": [
-          "hyprland",
-          "nixpkgs"
-        ],
-        "systems": [
-          "hyprland",
-          "systems"
-        ]
+        "flake-compat": "flake-compat",
+        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1722098849,
-        "narHash": "sha256-D3wIZlBNh7LuZ0NaoCpY/Pvu+xHxIVtSN+KkWZYvvVs=",
-        "owner": "hyprwm",
-        "repo": "hyprutils",
-        "rev": "5dcbbc1e3de40b2cecfd2007434d86e924468f1f",
+        "lastModified": 1763385941,
+        "narHash": "sha256-99CBNgyMvg3Zu/hxqixtShevrF4Kfr/qjtizQ6oseVI=",
+        "owner": "nix-community",
+        "repo": "NixOS-WSL",
+        "rev": "cc6483354b236c2fc95cc1d4ba1f0f40b7345e69",
        "type": "github"
      },
      "original": {
-        "owner": "hyprwm",
-        "repo": "hyprutils",
-        "type": "github"
-      }
-    },
-    "hyprwayland-scanner": {
-      "inputs": {
-        "nixpkgs": [
-          "hyprland",
-          "nixpkgs"
-        ],
-        "systems": [
-          "hyprland",
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1721324119,
-        "narHash": "sha256-SOOqIT27/X792+vsLSeFdrNTF+OSRp5qXv6Te+fb2Qg=",
-        "owner": "hyprwm",
-        "repo": "hyprwayland-scanner",
-        "rev": "a048a6cb015340bd82f97c1f40a4b595ca85cc30",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hyprwm",
-        "repo": "hyprwayland-scanner",
+        "owner": "nix-community",
+        "ref": "main",
+        "repo": "NixOS-WSL",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1723637854,
-        "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
+        "lastModified": 1762977756,
+        "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1763283776,
+        "narHash": "sha256-Y7TDFPK4GlqrKrivOcsHG8xSGqQx3A6c+i7novT85Uk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
+        "rev": "50a96edd8d0db6cc8db57dab6bb6d6ee1f3dc49a",
        "type": "github"
      },
      "original": {
@@ -253,58 +194,81 @@
        "type": "github"
      }
    },
-    "root": {
-      "inputs": {
-        "home-manager": "home-manager",
-        "hy3": "hy3",
-        "hyprland": "hyprland",
-        "nixpkgs": "nixpkgs"
-      }
-    },
-    "systems": {
+    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1689347949,
-        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "lastModified": 1763049705,
+        "narHash": "sha256-A5LS0AJZ1yDPTa2fHxufZN++n8MCmtgrJDtxFxrH4S8=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "3acb677ea67d4c6218f33de0db0955f116b7588c",
        "type": "github"
      },
      "original": {
-        "owner": "nix-systems",
-        "repo": "default-linux",
+        "owner": "nixos",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "xdph": {
+    "plasma-manager": {
      "inputs": {
-        "hyprland-protocols": "hyprland-protocols",
-        "hyprlang": [
-          "hyprland",
-          "hyprlang"
+        "home-manager": [
+          "home-manager"
        ],
        "nixpkgs": [
-          "hyprland",
          "nixpkgs"
-        ],
-        "systems": [
-          "hyprland",
-          "systems"
        ]
      },
      "locked": {
-        "lastModified": 1722365976,
-        "narHash": "sha256-Khdm+mDzYA//XaU0M+hftod+rKr5q9SSHSEuiQ0/9ow=",
-        "owner": "hyprwm",
-        "repo": "xdg-desktop-portal-hyprland",
-        "rev": "7f2a77ddf60390248e2a3de2261d7102a13e5341",
+        "lastModified": 1762784320,
+        "narHash": "sha256-odsk96Erywk5hs0dhArF38zb7Oe0q6LZ70gXbxAPKno=",
+        "owner": "nix-community",
+        "repo": "plasma-manager",
+        "rev": "7911a0f8a44c7e8b29d031be3149ee8943144321",
        "type": "github"
      },
      "original": {
-        "owner": "hyprwm",
-        "repo": "xdg-desktop-portal-hyprland",
+        "owner": "nix-community",
+        "repo": "plasma-manager",
        "type": "github"
      }
+    },
+    "plasma-manager-unstable": {
+      "inputs": {
+        "home-manager": [
+          "home-manager-unstable"
+        ],
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762784320,
+        "narHash": "sha256-odsk96Erywk5hs0dhArF38zb7Oe0q6LZ70gXbxAPKno=",
+        "owner": "nix-community",
+        "repo": "plasma-manager",
+        "rev": "7911a0f8a44c7e8b29d031be3149ee8943144321",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "plasma-manager",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "google-cookie-retrieval": "google-cookie-retrieval",
+        "home-manager": "home-manager",
+        "home-manager-unstable": "home-manager-unstable",
+        "jovian": "jovian",
+        "nix-darwin": "nix-darwin",
+        "nixos-wsl": "nixos-wsl",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "plasma-manager": "plasma-manager",
+        "plasma-manager-unstable": "plasma-manager-unstable"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -2,51 +2,217 @@
  description = "A very basic flake";

  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixos-wsl.url = "github:nix-community/NixOS-WSL/main";
+    
+    nix-darwin = {
+      url = "github:nix-darwin/nix-darwin/nix-darwin-25.05";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };

    home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    hyprland = {
-      type = "git";
-      url = "https://github.com/hyprwm/Hyprland";
-      submodules = true;
+    home-manager-unstable = {
+      url = "github:nix-community/home-manager/master";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+
+    plasma-manager = {
+      url = "github:nix-community/plasma-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+
+    plasma-manager-unstable = {
+      url = "github:nix-community/plasma-manager";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.home-manager.follows = "home-manager-unstable";
+    };
+
+    google-cookie-retrieval = {
+      url = "git+https://git.johnogle.info/johno/google-cookie-retrieval.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    hy3 = {
-      url = "github:outfoxxed/hy3";
-      inputs.hyprland.follows = "hyprland";
+
+    jovian = {
+      url = "github:Jovian-Experiments/Jovian-NixOS";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
  };

-  outputs = { self, nixpkgs, ... } @ inputs: {
-    nixosConfigurations.z790prors-nix = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = { inherit inputs; };
-      modules = [ ./machines/z790prors/configuration.nix ];
-    };
-
-    nixosConfigurations.nix-book = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = { inherit inputs; };
-      modules = [ ./machines/nix-book/configuration.nix ];
-    };
-
-    homeConfigurations = let
-      system = "x86_64-linux";
-      pkgs = nixpkgs.legacyPackages.${system};
-    in {
-      "johno@nix-book" = inputs.home-manager.lib.homeManagerConfiguration {
-        inherit pkgs;
-
-        extraSpecialArgs = { inherit inputs; };
-        modules = [
-          inputs.hyprland.homeManagerModules.default
-          /home/johno/.config/home-manager/home-nix-book.nix
+  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-wsl, ... } @ inputs: let
+    nixosModules = [
+      ./roles
+    ] ++ [
+      inputs.home-manager.nixosModules.home-manager
+      inputs.jovian.nixosModules.jovian
+      {
+        nixpkgs.overlays = [
+          (final: prev: {
+            unstable = import nixpkgs-unstable {
+              system = prev.system;
+              config.allowUnfree = true;
+            };
+            custom = prev.callPackage ./packages {};
+            # Compatibility: bitwarden renamed to bitwarden-desktop in unstable
+            bitwarden-desktop = prev.bitwarden-desktop or prev.bitwarden;
+          })
        ];
-      };
+        home-manager.useGlobalPkgs = true;
+        home-manager.useUserPackages = true;
+        home-manager.sharedModules = [
+          inputs.plasma-manager.homeModules.plasma-manager
+        ];
+        home-manager.extraSpecialArgs = {
+          globalInputs = inputs;
+        };
+      }
+    ];
+    # Modules for unstable-based systems (like nix-deck)
+    nixosModulesUnstable = [
+      ./roles
+    ] ++ [
+      inputs.home-manager-unstable.nixosModules.home-manager
+      inputs.jovian.nixosModules.jovian
+      {
+        nixpkgs.overlays = [
+          (final: prev: {
+            unstable = import nixpkgs-unstable {
+              system = prev.system;
+              config.allowUnfree = true;
+            };
+            custom = prev.callPackage ./packages {};
+            # Compatibility: bitwarden renamed to bitwarden-desktop in unstable
+            bitwarden-desktop = prev.bitwarden-desktop or prev.bitwarden;
+          })
+        ];
+        home-manager.useGlobalPkgs = true;
+        home-manager.useUserPackages = true;
+        home-manager.sharedModules = [
+          inputs.plasma-manager-unstable.homeModules.plasma-manager
+        ];
+        home-manager.extraSpecialArgs = {
+          globalInputs = inputs;
+        };
+      }
+    ];
+    darwinModules = [
+      ./roles/darwin.nix
+    ] ++ [
+      inputs.home-manager.darwinModules.home-manager
+      {
+        nixpkgs.overlays = [
+          (final: prev: {
+            unstable = import nixpkgs-unstable {
+              system = prev.system;
+              config.allowUnfree = true;
+            };
+            custom = prev.callPackage ./packages {};
+            # Compatibility: bitwarden renamed to bitwarden-desktop in unstable
+            bitwarden-desktop = prev.bitwarden-desktop or prev.bitwarden;
+          })
+        ];
+        home-manager.useGlobalPkgs = true;
+        home-manager.useUserPackages = true;
+        home-manager.extraSpecialArgs = {
+          globalInputs = inputs;
+        };
+      }
+    ];
+
+  in {
+    nixosConfigurations.nix-book = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = nixosModules ++ [
+        ./machines/nix-book/configuration.nix
+        {
+          home-manager.users.johno = {
+            imports = [ ./home/home-laptop-compact.nix ];
+            # Machine-specific overrides
+            home.i3_sway.extraSwayConfig = {
+              output.eDP-1.scale = "1.75";
+            };
+          };
+          home-manager.extraSpecialArgs = { inherit system; };
+        }
+      ];
+    };
+
+    nixosConfigurations.boxy = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = nixosModules ++ [
+        ./machines/boxy/configuration.nix
+        inputs.home-manager.nixosModules.home-manager
+        {
+          home-manager.users.johno = import ./home/home-media-center.nix;
+          home-manager.extraSpecialArgs = { inherit system; };
+        }
+      ];
+    };
+
+    nixosConfigurations.wixos = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = nixosModules ++ [
+        nixos-wsl.nixosModules.default
+        ./machines/wixos/configuration.nix
+        inputs.home-manager.nixosModules.home-manager
+        {
+          home-manager.users.johno = import ./home/home-desktop.nix;
+          home-manager.extraSpecialArgs = { inherit system; };
+        }
+      ];
+    };
+
+    nixosConfigurations.zix790prors = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = nixosModules ++ [
+        ./machines/zix790prors/configuration.nix
+        inputs.home-manager.nixosModules.home-manager
+        {
+          home-manager.users.johno = import ./home/home-desktop.nix;
+          home-manager.extraSpecialArgs = { inherit system; };
+        }
+      ];
+    };
+
+    # Live USB ISO configuration
+    nixosConfigurations.live-usb = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = nixosModules ++ [
+        ./machines/live-usb/configuration.nix
+        {
+          home-manager.users.nixos = import ./home/home-live-usb.nix;
+          home-manager.extraSpecialArgs = { inherit system; };
+        }
+      ];
+    };
+
+    # Steam Deck configuration (using unstable for better Jovian compatibility)
+    nixosConfigurations.nix-deck = nixpkgs-unstable.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = nixosModulesUnstable ++ [
+        ./machines/nix-deck/configuration.nix
+        {
+          home-manager.users.johno = import ./home/home-desktop.nix;
+          home-manager.extraSpecialArgs = { inherit system; };
+        }
+      ];
+    };
+
+    # Darwin/macOS configurations
+    darwinConfigurations."blkfv4yf49kt7" = inputs.nix-darwin.lib.darwinSystem rec {
+      system = "aarch64-darwin";
+      modules = darwinModules ++ [
+        ./machines/johno-macbookpro/configuration.nix
+        {
+          home-manager.users.johno = import ./home/home-darwin-work.nix;
+          home-manager.extraSpecialArgs = { inherit system; };
+        }
+      ];
    };
  };
 }
--- a/home/home-darwin-work.nix
+++ b/home/home-darwin-work.nix
@@ -0,0 +1,233 @@
+{ config, lib, pkgs, globalInputs, system, ... }:
+
+let
+  leader = "cmd"; # Change this to experiment with different leader keys (e.g., "cmd", "ctrl")
+in
+{
+  # Home Manager configuration for Darwin work laptop
+  # Corporate-friendly setup with essential development tools
+
+  home.username = lib.mkForce "johno";
+  home.homeDirectory = lib.mkForce "/Users/johno";
+  home.stateVersion = "24.05";
+
+  # System packages
+  home.packages = with pkgs; [
+    autoraise
+  ];
+
+  # Note: ghostty installed via Homebrew (managed outside of nix)
+
+  # Auto-start autoraise on login
+  launchd.agents.autoraise = {
+    enable = true;
+    config = {
+      ProgramArguments = [
+        "${pkgs.autoraise}/bin/AutoRaise"
+        "-pollMillis" "50"
+        "-delay" "2"
+        "-focusDelay" "2"
+      ];
+      RunAtLoad = true;
+      KeepAlive = true;
+    };
+  };
+
+  # Auto-start aerospace on login
+  # NOTE: In 25.11+, this can be simplified to `programs.aerospace.launchd.enable = true`
+  launchd.agents.aerospace = {
+    enable = true;
+    config = {
+      Program = "${pkgs.aerospace}/Applications/AeroSpace.app/Contents/MacOS/AeroSpace";
+      RunAtLoad = true;
+      KeepAlive = true;
+      StandardOutPath = "/tmp/aerospace.log";
+      StandardErrorPath = "/tmp/aerospace.err.log";
+    };
+  };
+
+  # Override Darwin-incompatible settings from base role
+  programs.rbw.settings.pinentry = lib.mkForce pkgs.pinentry_mac;
+
+  # Disable Home Manager from managing shell RC files
+  # topsoil/compost will manage these files instead
+  programs.bash.enable = lib.mkForce false;
+  programs.zsh.enable = lib.mkForce false;
+
+  # Create a local nix integration file that topsoil-managed configs can source
+  home.file.".nix-integration.sh" = {
+    text = ''
+      # Source Home Manager session variables (nix paths, environment, etc.)
+      if [ -e /etc/profiles/per-user/johno/etc/profile.d/hm-session-vars.sh ]; then
+        . /etc/profiles/per-user/johno/etc/profile.d/hm-session-vars.sh
+      fi
+
+      # Setup bash completions from nix profiles
+      if [[ ! -v BASH_COMPLETION_VERSINFO ]] && [ -n "$NIX_PROFILES" ]; then
+        for profile in $NIX_PROFILES; do
+          if [ -f "$profile/etc/profile.d/bash_completion.sh" ]; then
+            . "$profile/etc/profile.d/bash_completion.sh"
+            break
+          fi
+        done
+      fi
+
+      # command-not-found handler
+      command_not_found_handle() {
+        local p=/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite
+        if [ -n "$NIX_PROFILES" ]; then
+          for profile in $NIX_PROFILES; do
+            if [ -x "$profile/bin/command-not-found" ] && [ -f "$p" ]; then
+              "$profile/bin/command-not-found" "$@"
+              return $?
+            fi
+          done
+        fi
+        echo "$1: command not found" >&2
+        return 127
+      }
+    '';
+  };
+
+  home.file.".nix-integration.zsh" = {
+    text = ''
+      # Source Home Manager session variables (nix paths, environment, etc.)
+      if [ -e /etc/profiles/per-user/johno/etc/profile.d/hm-session-vars.sh ]; then
+        . /etc/profiles/per-user/johno/etc/profile.d/hm-session-vars.sh
+      fi
+
+      # Setup zsh completions from nix profiles
+      typeset -U path cdpath fpath manpath
+      for profile in ''${(z)NIX_PROFILES}; do
+        fpath+=($profile/share/zsh/site-functions $profile/share/zsh/$ZSH_VERSION/functions $profile/share/zsh/vendor-completions)
+      done
+      autoload -U compinit && compinit
+
+      # command-not-found handler
+      command_not_found_handler() {
+        local p=/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite
+        if [ -n "$NIX_PROFILES" ]; then
+          for profile in ''${(z)NIX_PROFILES}; do
+            if [ -x "$profile/bin/command-not-found" ] && [ -f "$p" ]; then
+              "$profile/bin/command-not-found" "$@"
+              return $?
+            fi
+          done
+        fi
+        echo "$1: command not found" >&2
+        return 127
+      }
+    '';
+  };
+
+  # Keep SSH and Git disabled to avoid conflicts with work environment
+  programs.ssh.enable = lib.mkForce false;
+  programs.git.enable = lib.mkForce false;
+  programs.rbw.enable = lib.mkForce false;
+
+  home.shell.enableShellIntegration = true;
+
+  # TODO: Move this to its own role and/or module
+  programs.aerospace = {
+    enable = true;
+    userSettings.mode.main.binding = {
+      "${leader}-slash" = "layout tiles horizontal vertical";
+      "${leader}-comma" = "layout accordion horizontal vertical";
+      "${leader}-shift-q" = "close";
+      "${leader}-shift-f" = "fullscreen";
+      "${leader}-h" = "focus left";
+      "${leader}-j" = "focus down";
+      "${leader}-k" = "focus up";
+      "${leader}-l" = "focus right";
+      "${leader}-shift-h" = "move left";
+      "${leader}-shift-j" = "move down";
+      "${leader}-shift-k" = "move up";
+      "${leader}-shift-l" = "move right";
+      "${leader}-minus" = "resize smart -50";
+      "${leader}-equal" = "resize smart +50";
+      "${leader}-1" = "workspace 1";
+      "${leader}-2" = "workspace 2";
+      "${leader}-3" = "workspace 3";
+      "${leader}-4" = "workspace 4";
+      "${leader}-5" = "workspace 5";
+      "${leader}-6" = "workspace 6";
+      "${leader}-7" = "workspace 7";
+      "${leader}-8" = "workspace 8";
+      "${leader}-9" = "workspace 9";
+      "${leader}-0" = "workspace 10";
+      "${leader}-shift-1" = "move-node-to-workspace 1";
+      "${leader}-shift-2" = "move-node-to-workspace 2";
+      "${leader}-shift-3" = "move-node-to-workspace 3";
+      "${leader}-shift-4" = "move-node-to-workspace 4";
+      "${leader}-shift-5" = "move-node-to-workspace 5";
+      "${leader}-shift-6" = "move-node-to-workspace 6";
+      "${leader}-shift-7" = "move-node-to-workspace 7";
+      "${leader}-shift-8" = "move-node-to-workspace 8";
+      "${leader}-shift-9" = "move-node-to-workspace 9";
+      "${leader}-shift-0" = "move-node-to-workspace 10";
+      "${leader}-tab" = "workspace-back-and-forth";
+      "${leader}-shift-tab" = "move-workspace-to-monitor --wrap-around next";
+
+      "${leader}-enter" = ''
+        exec-and-forget osascript <<'APPLESCRIPT'
+        tell application "Ghostty"
+            activate
+            tell application "System Events"
+                keystroke "n" using {command down}
+            end tell
+        end tell
+        APPLESCRIPT
+      '';
+
+      "${leader}-shift-enter" = ''
+        exec-and-forget osascript <<'APPLESCRIPT'
+        tell application "Google Chrome"
+            set newWindow to make new window
+            activate
+            tell newWindow to set index to 1
+        end tell
+        APPLESCRIPT
+      '';
+
+      "${leader}-shift-e" = "exec-and-forget zsh --login -c \"emacsclient -c -n\"";
+
+      # Service mode: Deliberate aerospace window management
+      "${leader}-i" = "mode service";
+
+      # Passthrough mode: Temporarily disable aerospace to use macOS shortcuts
+      # Press Cmd-P, then use any macOS shortcut (like Cmd-K in Slack), then press Cmd-P again to exit
+      "${leader}-p" = "mode passthrough";
+    };
+
+    # Service mode: For deliberate aerospace window management operations
+    userSettings.mode.service.binding = {
+      esc = ["reload-config" "mode main"];
+      r = ["flatten-workspace-tree" "mode main"]; # reset layout
+      f = ["layout floating tiling" "mode main"]; # Toggle between floating and tiling layout
+      backspace = ["close-all-windows-but-current" "mode main"];
+
+      "${leader}-shift-h" = ["join-with left" "mode main"];
+      "${leader}-shift-j" = ["join-with down" "mode main"];
+      "${leader}-shift-k" = ["join-with up" "mode main"];
+      "${leader}-shift-l" = ["join-with right" "mode main"];
+    };
+
+    # Passthrough mode: All shortcuts pass through to macOS
+    # This mode has minimal bindings - just ways to exit back to main mode
+    userSettings.mode.passthrough.binding = {
+      esc = "mode main";
+      "${leader}-p" = "mode main";  # Toggle back with same key (Cmd-P)
+    };
+  };
+
+  home.roles = {
+    base.enable = true;
+  };
+
+  imports = [
+    ./roles
+    ./modules/emacs
+    ./modules/kubectl
+    ./modules/tmux
+  ];
+}
--- a/home/home-desktop.nix
+++ b/home/home-desktop.nix
@@ -0,0 +1,33 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for full desktop experience
+  home.username = "johno";
+  home.homeDirectory = "/home/johno";
+  home.stateVersion = "24.05";
+
+  # Enable all desktop roles for full-featured experience
+  home.roles = {
+    base.enable = true;
+    desktop.enable = true;
+    office.enable = true;
+    media.enable = true;
+    development.enable = true;
+    communication.enable = true;
+    sync.enable = true;
+    kdeconnect.enable = true;
+  };
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./modules/emacs
+    ./modules/i3+sway
+    ./modules/kubectl
+    ./modules/plasma-manager
+    ./modules/tmux
+  ];
+}
--- a/home/home-laptop-compact.nix
+++ b/home/home-laptop-compact.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for compact laptop setups
+  # Optimized for space-constrained environments
+  
+  home.username = "johno";
+  home.homeDirectory = "/home/johno";
+  home.stateVersion = "24.05";
+
+  # Enable essential roles only (exclude heavy office/media packages)
+  home.roles = {
+    base.enable = true;
+    desktop.enable = true;
+    development.enable = true;
+    communication.enable = true;
+    kdeconnect.enable = true;
+    media.enable = true;
+    sync.enable = true;
+    # office.enable = false;  # Excluded for storage constraints
+  };
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./modules/emacs
+    ./modules/i3+sway
+    ./modules/kubectl
+    ./modules/plasma-manager
+    ./modules/tmux
+  ];
+
+}
--- a/home/home-live-usb.nix
+++ b/home/home-live-usb.nix
@@ -0,0 +1,37 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for live USB environments
+  # Minimal setup without persistent services
+  
+  home.username = "nixos";
+  home.homeDirectory = "/home/nixos";
+  home.stateVersion = "24.05";
+
+  # Enable minimal roles only (no sync or kdeconnect for live environment)
+  home.roles = {
+    base.enable = true;
+    desktop.enable = true;
+    # development.enable = false;  # Not needed for live USB
+    # communication.enable = false; # Not needed for live USB  
+    # office.enable = false;       # Not needed for live USB
+    # media.enable = false;        # Not needed for live USB
+    # sync.enable = false;         # No persistent sync on live USB
+    # kdeconnect.enable = false;   # No device integration on live USB
+  };
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./modules/emacs
+    ./modules/i3+sway
+    ./modules/kubectl
+    ./modules/plasma-manager
+    ./modules/tmux
+  ];
+
+  # Live USB specific overrides can go here if needed
+}
--- a/home/home-media-center.nix
+++ b/home/home-media-center.nix
@@ -0,0 +1,37 @@
+{ pkgs, globalInputs, system, ... }:
+
+{
+  # Home Manager configuration for media center setups
+  # Optimized for living room media consumption and gaming
+  
+  home.username = "johno";
+  home.homeDirectory = "/home/johno";
+  home.stateVersion = "24.05";
+
+  # Enable media center focused roles
+  home.roles = {
+    base.enable = true;
+    desktop.enable = true;
+    media.enable = true;
+    communication.enable = true;
+    kdeconnect.enable = true;
+    development.enable = true;
+    # office.enable = false;    # Not needed for media center
+    # sync.enable = false;      # Shared machine, no personal file sync
+  };
+
+  targets.genericLinux.enable = true;
+  home.sessionVariables = {};
+  home.sessionPath = [];
+
+  imports = [
+    ./roles
+    ./modules/emacs
+    ./modules/i3+sway
+    ./modules/kubectl
+    ./modules/plasma-manager
+    ./modules/tmux
+  ];
+
+  # Media center specific overrides can go here if needed
+}
--- a/home/modules/emacs/default.nix
+++ b/home/modules/emacs/default.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  doomEmacs = pkgs.fetchFromGitHub {
+    owner = "doomemacs";
+    repo = "doomemacs";
+    rev = "8f55404781edacf66fa330205533b002de3fb5ee";
+    sha256 = "sha256-vHwgENjip2+AFzs4oZfnKEAJKwf5Zid7fakImvxxQUw=";
+  };
+
+  # Shared emacs packages
+  emacsPackages = epkgs: [
+    epkgs.vterm
+    epkgs.treesit-grammars.with-all-grammars
+  ];
+
+  # Default emacs configuration with vterm support
+  defaultEmacsPackage = 
+    if pkgs.stdenv.isDarwin 
+    then pkgs.emacs-macport.pkgs.withPackages emacsPackages
+    else pkgs.emacs.pkgs.withPackages emacsPackages;
+in
+{
+  config = {
+    home.packages = [
+      pkgs.emacs-all-the-icons-fonts
+      pkgs.fira-code
+      pkgs.fontconfig
+      pkgs.graphviz
+      pkgs.isort
+      #pkgs.libvterm # native vterm library
+      pkgs.nerd-fonts.fira-code
+      pkgs.nerd-fonts.droid-sans-mono
+      pkgs.nil # nix lsp language server
+      pkgs.nixfmt-rfc-style
+      (pkgs.ripgrep.override {withPCRE2 = true;})
+      pkgs.pipenv
+      pkgs.poetry
+      pkgs.python3
+    ];
+
+    programs.emacs = {
+      enable = true;
+      package = defaultEmacsPackage;
+    };
+
+    fonts.fontconfig.enable = true;
+
+    # Mount emacs and tree-sitter grammars from nix store
+    home.file = {
+      "${config.xdg.configHome}/emacs".source = doomEmacs;
+    };
+
+    home.sessionPath = [
+      "${config.xdg.configHome}/emacs/bin"
+    ];
+
+    home.sessionVariables = {
+      DOOMDIR = "${config.xdg.configHome}/doom";
+      DOOMLOCALDIR = "${config.xdg.dataHome}/doom";
+    };
+
+    # TODO: Use mkOutOfStoreSymlink instead?
+    home.activation.doomConfig = lib.hm.dag.entryAfter ["writeBoundary"] ''
+      # Always remove and recreate the symlink to ensure it points to the source directory
+      rm -rf "${config.xdg.configHome}/doom"
+      ln -sf "${config.home.homeDirectory}/nixos-configs/home/modules/emacs/doom" "${config.xdg.configHome}/doom"
+    '';
+  };
+}
--- a/home/modules/emacs/doom/config.el
+++ b/home/modules/emacs/doom/config.el
@@ -0,0 +1,192 @@
+;;; $DOOMDIR/config.el -*- lexical-binding: t; -*-
+
+;; Place your private configuration here! Remember, you do not need to run 'doom
+;; sync' after modifying this file!
+
+
+;; Some functionality uses this to identify you, e.g. GPG configuration, email
+;; clients, file templates and snippets. It is optional.
+;; (setq user-full-name "John Doe"
+;;       user-mail-address "john@doe.com")
+
+;; Doom exposes five (optional) variables for controlling fonts in Doom:
+;;
+;; - `doom-font' -- the primary font to use
+;; - `doom-variable-pitch-font' -- a non-monospace font (where applicable)
+;; - `doom-big-font' -- used for `doom-big-font-mode'; use this for
+;;   presentations or streaming.
+;; - `doom-symbol-font' -- for symbols
+;; - `doom-serif-font' -- for the `fixed-pitch-serif' face
+;;
+;; See 'C-h v doom-font' for documentation and more examples of what they
+;; accept. For example:
+;;
+;;(setq doom-font (font-spec :family "Fira Code" :size 12 :weight 'semi-light)
+;;      doom-variable-pitch-font (font-spec :family "Fira Sans" :size 13))
+;;
+;; If you or Emacs can't find your font, use 'M-x describe-font' to look them
+;; up, `M-x eval-region' to execute elisp code, and 'M-x doom/reload-font' to
+;; refresh your font settings. If Emacs still can't find your font, it likely
+;; wasn't installed correctly. Font issues are rarely Doom issues!
+(setq doom-font (font-spec :family "Fira Code"))
+
+;; Auto-install nerd-icons fonts if they're missing
+(defun my/ensure-nerd-icons-fonts ()
+  "Check if nerd-icons fonts are installed and install them if missing."
+  (when (display-graphic-p)
+    (unless (find-font (font-spec :name "Symbols Nerd Font Mono"))
+      (when (fboundp 'nerd-icons-install-fonts)
+        (nerd-icons-install-fonts t)))))
+
+(add-hook 'doom-init-ui-hook #'my/ensure-nerd-icons-fonts)
+
+;; There are two ways to load a theme. Both assume the theme is installed and
+;; available. You can either set `doom-theme' or manually load a theme with the
+;; `load-theme' function. This is the default:
+(setq doom-theme 'doom-tokyo-night)
+
+;; This determines the style of line numbers in effect. If set to `nil', line
+;; numbers are disabled. For relative line numbers, set this to `relative'.
+(setq display-line-numbers-type t)
+
+;; If you use `org' and don't want your org files in the default location below,
+;; change `org-directory'. It must be set before org loads!
+(setq org-directory "~/org/")
+(after! org
+  (setq org-agenda-span 'week
+        org-agenda-start-with-log-mode t
+        my-agenda-dirs '("projects" "roam")
+        org-agenda-files (cons org-directory (mapcan (lambda (x) (directory-files-recursively
+                                                                  (expand-file-name x org-directory)
+                                                                  "\.org$"))
+                                                     my-agenda-dirs))
+        org-log-done 'time
+        org-agenda-custom-commands '(("n" "Agenda"
+                                      ((agenda "")
+                                       (tags-todo "-someday-recurring")))
+                                     ("s" "Someday Items"
+                                      ((tags-todo "+someday"))))
+        org-todo-keywords '((sequence "TODO(t)" "IN-PROGRESS(p)" "WAIT(w)" "|" "DONE(d)" "KILL(k)"))
+        org-journal-file-type 'weekly
+        org-journal-file-format "%Y-%m-%d.org"
+        org-capture-templates
+          '(("t" "Todo" entry (file+headline "~/org/todo.org" "Inbox")
+             "* TODO %? \n %i \n%a" :prepend t))))
+
+(map! :after org-agenda
+      :map org-agenda-mode-map
+      :localleader
+      (:prefix ("v" . "view")
+       "d" #'org-agenda-day-view
+       "w" #'org-agenda-week-view))
+
+;; (use-package! org-caldav
+;;   :defer t
+;;   :config
+;;   (setq org-caldav-url "https://nextcloud.johnogle.info/remote.php/dav/calendars/johno"
+;;         org-caldav-calendar-id "personal"
+;;         org-icalendar-timezone "America/Los_Angeles"
+;;         org-caldav-inbox "~/org/calendar.org"
+;;         org-caldav-files nil
+;;         org-caldav-sync-direction 'cal->org))
+
+(defun my/get-rbw-password (alias)
+  "Return the password for ALIAS via rbw, unlocking the vault only if needed."
+  (let* ((cmd     (format "rbw get %s 2>&1" alias))
+         (output  (shell-command-to-string cmd)))
+    (string-trim output)))
+
+(after! gptel
+  :config
+  (setq! gptel-api-key (my/get-rbw-password "openai-api-key-chatgpt-el")
+         gptel-default-mode 'org-mode
+         gptel-use-tools t
+         gptel-confirm-tool-calls 'always
+         gptel-include-reasoning 'ignore
+         gptel-model "qwen3:30b")
+
+  ;; Set default backend to be Ollama-Local
+  (setq! gptel-backend
+         (gptel-make-ollama "Ollama-Local"
+           :host "localhost:11434"
+           :stream t
+           :models '(deepseek-r1 deepseek-r1-fullctx qwen3:30b qwen3:4b llama3.1 qwen2.5-coder mistral-nemo gpt-oss)))
+
+  ;; Define custom tools
+  (gptel-make-tool
+   :name "run_shell_command"
+   :description "Execute shell commands and return output. Use this to run system commands, check file contents, or perform system operations."
+   :function (lambda (command)
+               (condition-case err
+                   (shell-command-to-string command)
+                 (error (format "Error running command: %s" (error-message-string err)))))
+   :args (list '(:name "command" :type "string" :description "Shell command to execute")))
+
+  (gptel-make-tool
+   :name "read_file"
+   :description "Read the contents of a file and return as text"
+   :function (lambda (filepath)
+               (condition-case err
+                   (with-temp-buffer
+                     (insert-file-contents (expand-file-name filepath))
+                     (buffer-string))
+                 (error (format "Error reading file %s: %s" filepath (error-message-string err)))))
+   :args (list '(:name "filepath" :type "string" :description "Path to the file to read")))
+
+  (gptel-make-tool
+   :name "list_directory"
+   :description "List contents of a directory"
+   :function (lambda (dirpath)
+               (condition-case err
+                   (mapconcat 'identity 
+                              (directory-files (expand-file-name dirpath) nil "^[^.]")
+                              "\n")
+                 (error (format "Error listing directory %s: %s" dirpath (error-message-string err)))))
+   :args (list '(:name "dirpath" :type "string" :description "Directory path to list"))))
+
+(use-package! claude-code-ide
+  :defer t
+  :config
+  (claude-code-ide-emacs-tools-setup)
+  (map! :leader
+        (:prefix ("o" . "open")
+         :desc "Claude Code IDE" "c" #'claude-code-ide-menu)))
+
+(after! gptel
+  (require 'gptel-tool-library)
+  (setq gptel-tool-library-use-maybe-safe t
+        gptel-tool-library-use-unsafe t)
+  (dolist (module '("bbdb" "buffer" "elisp" "emacs" "gnus" "os" "search-and-replace" "url"))
+    (gptel-tool-library-load-module module)))
+
+;; Whenever you reconfigure a package, make sure to wrap your config in an
+;; `after!' block, otherwise Doom's defaults may override your settings. E.g.
+;;
+;;   (after! PACKAGE
+;;     (setq x y))
+;;
+;; The exceptions to this rule:
+;;
+;;   - Setting file/directory variables (like `org-directory')
+;;   - Setting variables which explicitly tell you to set them before their
+;;     package is loaded (see 'C-h v VARIABLE' to look up their documentation).
+;;   - Setting doom variables (which start with 'doom-' or '+').
+;;
+;; Here are some additional functions/macros that will help you configure Doom.
+;;
+;; - `load!' for loading external *.el files relative to this one
+;; - `use-package!' for configuring packages
+;; - `after!' for running code after a package has loaded
+;; - `add-load-path!' for adding directories to the `load-path', relative to
+;;   this file. Emacs searches the `load-path' when you load packages with
+;;   `require' or `use-package'.
+;; - `map!' for binding new keys
+;;
+;; To get information about any of these functions/macros, move the cursor over
+;; the highlighted symbol at press 'K' (non-evil users must press 'C-c c k').
+;; This will open documentation for it, including demos of how they are used.
+;; Alternatively, use `C-h o' to look up a symbol (functions, variables, faces,
+;; etc).
+;;
+;; You can also try 'gd' (or 'C-c c d') to jump to their definition and see how
+;; they are implemented.
--- a/home/modules/emacs/doom/init.el
+++ b/home/modules/emacs/doom/init.el
@@ -0,0 +1,192 @@
+;;; init.el -*- lexical-binding: t; -*-
+
+;; This file controls what Doom modules are enabled and what order they load
+;; in. Remember to run 'doom sync' after modifying it!
+
+;; NOTE Press 'SPC h d h' (or 'C-h d h' for non-vim users) to access Doom's
+;;      documentation. There you'll find a link to Doom's Module Index where all
+;;      of our modules are listed, including what flags they support.
+
+;; NOTE Move your cursor over a module's name (or its flags) and press 'K' (or
+;;      'C-c c k' for non-vim users) to view its documentation. This works on
+;;      flags as well (those symbols that start with a plus).
+;;
+;;      Alternatively, press 'gd' (or 'C-c c d') on a module to browse its
+;;      directory (for easy access to its source code).
+
+(doom! :input
+       ;;bidi              ; (tfel ot) thgir etirw uoy gnipleh
+       ;;chinese
+       ;;japanese
+       ;;layout            ; auie,ctsrnm is the superior home row
+
+       :completion
+       ;;company           ; the ultimate code completion backend
+       (corfu +orderless)  ; complete with cap(f), cape and a flying feather!
+       ;;helm              ; the *other* search engine for love and life
+       ;;ido               ; the other *other* search engine...
+       ;;ivy               ; a search engine for love and life
+       vertico           ; the search engine of the future
+
+       :ui
+       ;;deft              ; notational velocity for Emacs
+       doom              ; what makes DOOM look the way it does
+       doom-dashboard    ; a nifty splash screen for Emacs
+       ;;doom-quit         ; DOOM quit-message prompts when you quit Emacs
+       ;;(emoji +unicode)  ; 🙂
+       hl-todo           ; highlight TODO/FIXME/NOTE/DEPRECATED/HACK/REVIEW
+       ;;indent-guides     ; highlighted indent columns
+       ;;ligatures         ; ligatures and symbols to make your code pretty again
+       ;;minimap           ; show a map of the code on the side
+       modeline          ; snazzy, Atom-inspired modeline, plus API
+       ;;nav-flash         ; blink cursor line after big motions
+       ;;neotree           ; a project drawer, like NERDTree for vim
+       ophints           ; highlight the region an operation acts on
+       (popup +defaults)   ; tame sudden yet inevitable temporary windows
+       ;;tabs              ; a tab bar for Emacs
+       ;;treemacs          ; a project drawer, like neotree but cooler
+       unicode           ; extended unicode support for various languages
+       (vc-gutter +pretty) ; vcs diff in the fringe
+       vi-tilde-fringe   ; fringe tildes to mark beyond EOB
+       ;;window-select     ; visually switch windows
+       workspaces        ; tab emulation, persistence & separate workspaces
+       ;;zen               ; distraction-free coding or writing
+
+       :editor
+       (evil +everywhere); come to the dark side, we have cookies
+       file-templates    ; auto-snippets for empty files
+       fold              ; (nigh) universal code folding
+       ;;(format +onsave)  ; automated prettiness
+       ;;god               ; run Emacs commands without modifier keys
+       ;;lispy             ; vim for lisp, for people who don't like vim
+       multiple-cursors  ; editing in many places at once
+       ;;objed             ; text object editing for the innocent
+       ;;parinfer          ; turn lisp into python, sort of
+       ;;rotate-text       ; cycle region at point between text candidates
+       snippets          ; my elves. They type so I don't have to
+       ;;word-wrap         ; soft wrapping with language-aware indent
+
+       :emacs
+       dired             ; making dired pretty [functional]
+       electric          ; smarter, keyword-based electric-indent
+       ;;ibuffer         ; interactive buffer management
+       undo              ; persistent, smarter undo for your inevitable mistakes
+       vc                ; version-control and Emacs, sitting in a tree
+
+       :term
+       ;;eshell            ; the elisp shell that works everywhere
+       ;;shell             ; simple shell REPL for Emacs
+       ;;term              ; basic terminal emulator for Emacs
+       vterm             ; the best terminal emulation in Emacs
+
+       :checkers
+       syntax              ; tasing you for every semicolon you forget
+       ;;(spell +flyspell) ; tasing you for misspelling mispelling
+       ;;grammar           ; tasing grammar mistake every you make
+
+       :tools
+       ansible
+       ;;biblio            ; Writes a PhD for you (citation needed)
+       ;;collab            ; buffers with friends
+       ;;debugger          ; FIXME stepping through code, to help you add bugs
+       ;;direnv
+       docker
+       ;;editorconfig      ; let someone else argue about tabs vs spaces
+       ;;ein               ; tame Jupyter notebooks with emacs
+       (eval +overlay)     ; run code, run (also, repls)
+       llm               ; When I said  you needed friends, I didn't mean...
+       lookup              ; navigate your code and its documentation
+       lsp               ; M-x vscode
+       magit             ; a git porcelain for Emacs
+       ;;make              ; run make tasks from Emacs
+       ;;pass              ; password manager for nerds
+       pdf               ; pdf enhancements
+       ;;prodigy           ; FIXME managing external services & code builders
+       ;;terraform         ; infrastructure as code
+       ;;tmux              ; an API for interacting with tmux
+       tree-sitter       ; syntax and parsing, sitting in a tree...
+       ;;upload            ; map local to remote projects via ssh/ftp
+
+       :os
+       (:if (featurep :system 'macos) macos)  ; improve compatibility with macOS
+       tty               ; improve the terminal Emacs experience
+
+       :lang
+       ;;agda              ; types of types of types of types...
+       ;;beancount         ; mind the GAAP
+       ;;(cc +lsp)         ; C > C++ == 1
+       ;;clojure           ; java with a lisp
+       ;;common-lisp       ; if you've seen one lisp, you've seen them all
+       ;;coq               ; proofs-as-programs
+       ;;crystal           ; ruby at the speed of c
+       ;;csharp            ; unity, .NET, and mono shenanigans
+       ;;data              ; config/data formats
+       ;;(dart +flutter)   ; paint ui and not much else
+       ;;dhall
+       ;;elixir            ; erlang done right
+       ;;elm               ; care for a cup of TEA?
+       emacs-lisp        ; drown in parentheses
+       ;;erlang            ; an elegant language for a more civilized age
+       ;;ess               ; emacs speaks statistics
+       ;;factor
+       ;;faust             ; dsp, but you get to keep your soul
+       ;;fortran           ; in FORTRAN, GOD is REAL (unless declared INTEGER)
+       ;;fsharp            ; ML stands for Microsoft's Language
+       ;;fstar             ; (dependent) types and (monadic) effects and Z3
+       ;;gdscript          ; the language you waited for
+       ;;(go +lsp)         ; the hipster dialect
+       ;;(graphql +lsp)    ; Give queries a REST
+       ;;(haskell +lsp)    ; a language that's lazier than I am
+       ;;hy                ; readability of scheme w/ speed of python
+       ;;idris             ; a language you can depend on
+       ;;json              ; At least it ain't XML
+       ;;(java +lsp)       ; the poster child for carpal tunnel syndrome
+       ;;javascript        ; all(hope(abandon(ye(who(enter(here))))))
+       ;;julia             ; a better, faster MATLAB
+       ;;kotlin            ; a better, slicker Java(Script)
+       ;;latex             ; writing papers in Emacs has never been so fun
+       ;;lean              ; for folks with too much to prove
+       ;;ledger            ; be audit you can be
+       ;;lua               ; one-based indices? one-based indices
+       markdown          ; writing docs for people to ignore
+       ;;nim               ; python + lisp at the speed of c
+       (nix +tree-sitter)               ; I hereby declare "nix geht mehr!"
+       ;;ocaml             ; an objective camel
+       (org +roam2)               ; organize your plain life in plain text
+       ;;php               ; perl's insecure younger brother
+       ;;plantuml          ; diagrams for confusing people more
+       ;;purescript        ; javascript, but functional
+       (python +poetry)            ; beautiful is better than ugly
+       ;;qt                ; the 'cutest' gui framework ever
+       ;;racket            ; a DSL for DSLs
+       ;;raku              ; the artist formerly known as perl6
+       ;;rest              ; Emacs as a REST client
+       ;;rst               ; ReST in peace
+       ;;(ruby +rails)     ; 1.step {|i| p "Ruby is #{i.even? ? 'love' : 'life'}"}
+       ;;(rust +lsp)       ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
+       ;;scala             ; java, but good
+       ;;(scheme +guile)   ; a fully conniving family of lisps
+       sh                ; she sells {ba,z,fi}sh shells on the C xor
+       ;;sml
+       ;;solidity          ; do you need a blockchain? No.
+       ;;swift             ; who asked for emoji variables?
+       ;;terra             ; Earth and Moon in alignment for performance.
+       ;;web               ; the tubes
+       ;;yaml              ; JSON, but readable
+       ;;zig               ; C, but simpler
+
+       :email
+       ;;(mu4e +org +gmail)
+       ;;notmuch
+       ;;(wanderlust +gmail)
+
+       :app
+       ;;calendar
+       ;;emms
+       ;;everywhere        ; *leave* Emacs!? You must be joking
+       ;;irc               ; how neckbeards socialize
+       ;;(rss +org)        ; emacs as an RSS reader
+
+       :config
+       ;;literate
+       (default +bindings +smartparens))
--- a/home/modules/emacs/doom/packages.el
+++ b/home/modules/emacs/doom/packages.el
@@ -0,0 +1,61 @@
+;; -*- no-byte-compile: t; -*-
+;;; $DOOMDIR/packages.el
+
+;; To install a package with Doom you must declare them here and run 'doom sync'
+;; on the command line, then restart Emacs for the changes to take effect -- or
+;; use 'M-x doom/reload'.
+
+
+;; To install SOME-PACKAGE from MELPA, ELPA or emacsmirror:
+;; (package! some-package)
+
+;; To install a package directly from a remote git repo, you must specify a
+;; `:recipe'. You'll find documentation on what `:recipe' accepts here:
+;; https://github.com/radian-software/straight.el#the-recipe-format
+;; (package! another-package
+;;   :recipe (:host github :repo "username/repo"))
+
+;; If the package you are trying to install does not contain a PACKAGENAME.el
+;; file, or is located in a subdirectory of the repo, you'll need to specify
+;; `:files' in the `:recipe':
+;; (package! this-package
+;;   :recipe (:host github :repo "username/repo"
+;;            :files ("some-file.el" "src/lisp/*.el")))
+
+;; If you'd like to disable a package included with Doom, you can do so here
+;; with the `:disable' property:
+;; (package! builtin-package :disable t)
+
+;; You can override the recipe of a built in package without having to specify
+;; all the properties for `:recipe'. These will inherit the rest of its recipe
+;; from Doom or MELPA/ELPA/Emacsmirror:
+;; (package! builtin-package :recipe (:nonrecursive t))
+;; (package! builtin-package-2 :recipe (:repo "myfork/package"))
+
+;; Specify a `:branch' to install a package from a particular branch or tag.
+;; This is required for some packages whose default branch isn't 'master' (which
+;; our package manager can't deal with; see radian-software/straight.el#279)
+;; (package! builtin-package :recipe (:branch "develop"))
+
+;; Use `:pin' to specify a particular commit to install.
+;; (package! builtin-package :pin "1a2b3c4d5e")
+
+
+;; Doom's packages are pinned to a specific commit and updated from release to
+;; release. The `unpin!' macro allows you to unpin single packages...
+;; (unpin! pinned-package)
+;; ...or multiple packages
+;; (unpin! pinned-package another-pinned-package)
+;; ...Or *all* packages (NOT RECOMMENDED; will likely break things)
+;; (unpin! t)
+
+;; (package! org-caldav)
+
+(package! gptel :recipe (:nonrecursive t))
+
+(package! claude-code-ide
+  :recipe (:host github :repo "manzaltu/claude-code-ide.el"))
+
+(package! gptel-tool-library
+  :recipe (:host github :repo "aard-fi/gptel-tool-library"
+           :files ("*.el")))
--- a/home/modules/i3+sway/default.nix
+++ b/home/modules/i3+sway/default.nix
@@ -0,0 +1,441 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.i3_sway;
+
+  shared_config = recursiveUpdate rec {
+    modifier = "Mod4";
+    terminal = "ghostty";
+    defaultWorkspace = "workspace number 1";
+
+    keybindings = {
+      "${shared_config.modifier}+Return" = "exec ${terminal}";
+      "${shared_config.modifier}+Shift+q" = "kill";
+
+      "${shared_config.modifier}+h" = "focus left";
+      "${shared_config.modifier}+j" = "focus down";
+      "${shared_config.modifier}+k" = "focus up";
+      "${shared_config.modifier}+l" = "focus right";
+
+      "${shared_config.modifier}+Shift+h" = "move left";
+      "${shared_config.modifier}+Shift+j" = "move down";
+      "${shared_config.modifier}+Shift+k" = "move up";
+      "${shared_config.modifier}+Shift+l" = "move right";
+
+      "${shared_config.modifier}+Left" = "focus left";
+      "${shared_config.modifier}+Down" = "focus down";
+      "${shared_config.modifier}+Up" = "focus up";
+      "${shared_config.modifier}+Right" = "focus right";
+
+      "${shared_config.modifier}+Shift+Left" = "move left";
+      "${shared_config.modifier}+Shift+Down" = "move down";
+      "${shared_config.modifier}+Shift+Up" = "move up";
+      "${shared_config.modifier}+Shift+Right" = "move right";
+
+      #"${shared_config.modifier}+h" = "split h";
+      "${shared_config.modifier}+v" = "split v";
+      "${shared_config.modifier}+Shift+f" = "fullscreen toggle";
+
+      "${shared_config.modifier}+s" = "layout stacking";
+      "${shared_config.modifier}+w" = "layout tabbed";
+      "${shared_config.modifier}+e" = "layout toggle split";
+
+      "${shared_config.modifier}+Shift+space" = "floating toggle";
+      "${shared_config.modifier}+space" = "focus mode_toggle";
+
+      "${shared_config.modifier}+a" = "focus parent";
+
+      "${shared_config.modifier}+Shift+minus" = "move scratchpad";
+      "${shared_config.modifier}+minus" = "scratchpad show";
+
+      "${shared_config.modifier}+1" = "workspace number 1";
+      "${shared_config.modifier}+2" = "workspace number 2";
+      "${shared_config.modifier}+3" = "workspace number 3";
+      "${shared_config.modifier}+4" = "workspace number 4";
+      "${shared_config.modifier}+5" = "workspace number 5";
+      "${shared_config.modifier}+6" = "workspace number 6";
+      "${shared_config.modifier}+7" = "workspace number 7";
+      "${shared_config.modifier}+8" = "workspace number 8";
+      "${shared_config.modifier}+9" = "workspace number 9";
+      "${shared_config.modifier}+0" = "workspace number 10";
+
+      "${shared_config.modifier}+Shift+1" =
+        "move container to workspace number 1";
+      "${shared_config.modifier}+Shift+2" =
+        "move container to workspace number 2";
+      "${shared_config.modifier}+Shift+3" =
+        "move container to workspace number 3";
+      "${shared_config.modifier}+Shift+4" =
+        "move container to workspace number 4";
+      "${shared_config.modifier}+Shift+5" =
+        "move container to workspace number 5";
+      "${shared_config.modifier}+Shift+6" =
+        "move container to workspace number 6";
+      "${shared_config.modifier}+Shift+7" =
+        "move container to workspace number 7";
+      "${shared_config.modifier}+Shift+8" =
+        "move container to workspace number 8";
+      "${shared_config.modifier}+Shift+9" =
+        "move container to workspace number 9";
+      "${shared_config.modifier}+Shift+0" =
+        "move container to workspace number 10";
+
+      "${shared_config.modifier}+Shift+c" = "reload";
+      "${shared_config.modifier}+Shift+r" = "restart";
+
+      "${shared_config.modifier}+r" = "mode resize";
+
+      "XF86MonBrightnessUp" = "exec brightnessctl s +5%";
+      "XF86MonBrightnessDown" = "exec brightnessctl s 5%-";
+    };
+  } cfg.extraSharedConfig;
+in {
+  options.home.i3_sway = {
+    extraSharedConfig = mkOption {
+      default = {};
+    };
+    extraI3Config = mkOption {
+      default = {};
+    };
+    extraSwayConfig = mkOption {
+      default = {};
+    };
+  };
+
+  config = {
+    # i3blocks configuration file
+    home.file.".config/i3blocks/config".text = ''
+      # i3blocks config - replicating waybar setup
+      separator_block_width=15
+      markup=pango
+
+      [disk]
+      command=df -h / | awk 'NR==2 {print "💾 " $5}'
+      interval=30
+      separator=true
+
+      [cpu]
+      command=top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print "🧠 " int(100 - $1) "%"}'
+      interval=2
+      separator=true
+
+      [memory]
+      command=free | awk 'NR==2 {printf "🐏 %.0f%%\n", $3*100/$2}'
+      interval=5
+      separator=true
+
+      [pulseaudio]
+      command=${pkgs.writeShellScript "i3blocks-pulseaudio" ''
+        volume=$(pactl get-sink-volume @DEFAULT_SINK@ | grep -Po '\d+%' | head -1)
+        muted=$(pactl get-sink-mute @DEFAULT_SINK@ | grep -o 'yes')
+        if [ "$muted" = "yes" ]; then
+          echo "🔇"
+        else
+          vol_num=''${volume%\%}
+          if [ $vol_num -le 33 ]; then
+            echo "🔈 $volume"
+          elif [ $vol_num -le 66 ]; then
+            echo "🔉 $volume"
+          else
+            echo "🔊 $volume"
+          fi
+        fi
+      ''}
+      interval=1
+      signal=10
+      separator=true
+
+      [backlight]
+      command=${pkgs.writeShellScript "i3blocks-backlight" ''
+        if command -v brightnessctl &>/dev/null; then
+          brightnessctl g | awk -v max=$(brightnessctl m) '{printf "☀️ %.0f%%\n", ($1/max)*100}'
+        fi
+      ''}
+      interval=1
+      separator=true
+
+      [network]
+      command=${pkgs.writeShellScript "i3blocks-network" ''
+        if iwgetid -r &>/dev/null; then
+          ssid=$(iwgetid -r)
+          signal=$(grep "^\s*w" /proc/net/wireless | awk '{print int($3 * 100 / 70)}')
+          echo "📶 $ssid ($signal%)"
+        else
+          ip=$(ip -4 addr show | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | grep -v '127.0.0.1' | head -1)
+          if [ -n "$ip" ]; then
+            echo "🔌 $ip"
+          else
+            echo "❌"
+          fi
+        fi
+      ''}
+      interval=5
+      separator=true
+
+      [battery]
+      command=${pkgs.writeShellScript "i3blocks-battery" ''
+        if [ -d /sys/class/power_supply/BAT0 ]; then
+          capacity=$(cat /sys/class/power_supply/BAT0/capacity)
+          status=$(cat /sys/class/power_supply/BAT0/status)
+
+          if [ "$status" = "Charging" ]; then
+            echo "⚡ $capacity%"
+          else
+            echo "🔋 $capacity%"
+          fi
+        fi
+      ''}
+      interval=10
+      separator=true
+
+      [time]
+      command=date '+%Y-%m-%d %H:%M'
+      interval=1
+      separator=false
+    '';
+
+    xsession.windowManager.i3 = let
+      base_i3_config = recursiveUpdate shared_config {
+        bars = [{
+          position = "bottom";
+          statusCommand = "${pkgs.i3blocks}/bin/i3blocks";
+          trayOutput = "primary";  # Enable system tray on primary output
+          fonts = {
+            names = [ "Fira Code" "monospace" ];
+            size = 11.0;
+          };
+          colors = {
+            background = "#000000";
+            statusline = "#ffffff";
+            separator = "#666666";
+
+            # Workspace button colors (matching waybar)
+            focusedWorkspace = {
+              border = "#285577";
+              background = "#285577";
+              text = "#ffffff";
+            };
+            activeWorkspace = {
+              border = "#5f676a";
+              background = "#5f676a";
+              text = "#ffffff";
+            };
+            inactiveWorkspace = {
+              border = "#222222";
+              background = "#222222";
+              text = "#888888";
+            };
+            urgentWorkspace = {
+              border = "#900000";
+              background = "#900000";
+              text = "#ffffff";
+            };
+          };
+        }];
+        keybindings = shared_config.keybindings // {
+          "${shared_config.modifier}+d" = "exec rofi -show drun";
+          "${shared_config.modifier}+Shift+e" =
+            "exec i3-nagbar -t warning -m 'Do you want to exit i3?' -b 'Yes' 'i3-msg exit'";
+        };
+        startup = [
+          # GNOME polkit authentication agent
+          {
+            command = "/run/current-system/sw/libexec/polkit-gnome-authentication-agent-1";
+            always = false;
+            notification = false;
+          }
+          # Picom compositor for smooth rendering and no tearing (important for Nvidia)
+          {
+            command = "picom --backend glx -b";
+            always = false;
+            notification = false;
+          }
+          # NetworkManager system tray applet
+          {
+            command = "nm-applet";
+            always = false;
+            notification = false;
+          }
+          # Set wallpaper with feh
+          {
+            command = "feh --bg-scale ${../../wallpapers/metroid-samus-returns-kz-3440x1440.jpg}";
+            always = false;
+            notification = false;
+          }
+        ];
+      };
+    in {
+      enable = true;
+      config = recursiveUpdate base_i3_config cfg.extraI3Config;
+    };
+
+    wayland.windowManager.sway = let
+      base_sway_config = recursiveUpdate shared_config {
+        bars = [];  # Disable default bar, use waybar instead
+        keybindings = shared_config.keybindings // {
+          "${shared_config.modifier}+d" = "exec wofi --show drun";
+          "${shared_config.modifier}+Shift+e" =
+            "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
+        };
+        input = {
+          "type:keyboard" = {
+            xkb_options = "caps:escape";
+          };
+          "type:touchpad" = {
+            tap = "enabled";
+            tap_button_map = "lrm";
+            drag = "enabled";
+            natural_scroll = "disabled";
+            dwt = "enabled";
+          };
+        };
+        output = {
+          "*" = {
+            bg = "${../../wallpapers/metroid-samus-returns-kz-3440x1440.jpg} fill";
+          };
+        };
+      };
+    in {
+      enable = true;
+      config = recursiveUpdate base_sway_config cfg.extraSwayConfig;
+    };
+
+    programs.waybar = {
+      enable = true;
+      systemd.enable = true;
+      settings = {
+        mainBar = {
+          layer = "top";
+          position = "bottom";
+          height = 30;
+          spacing = 4;
+
+          modules-left = [ "sway/workspaces" "sway/mode" ];
+          modules-center = [ ];
+          modules-right = [ "disk" "cpu" "memory" "pulseaudio" "backlight" "network" "battery" "tray" "clock" ];
+
+          "sway/workspaces" = {
+            disable-scroll = true;
+            all-outputs = true;
+          };
+
+          "clock" = {
+            format = "{:%Y-%m-%d %H:%M}";
+            tooltip-format = "<tt><small>{calendar}</small></tt>";
+            calendar = {
+              mode = "year";
+              mode-mon-col = 3;
+              weeks-pos = "right";
+              on-scroll = 1;
+              format = {
+                months = "<span color='#ffead3'><b>{}</b></span>";
+                days = "<span color='#ecc6d9'><b>{}</b></span>";
+                weeks = "<span color='#99ffdd'><b>W{}</b></span>";
+                weekdays = "<span color='#ffcc66'><b>{}</b></span>";
+                today = "<span color='#ff6699'><b><u>{}</u></b></span>";
+              };
+            };
+          };
+
+          "disk" = {
+            interval = 30;
+            format = "💾 {percentage_used}%";
+            path = "/";
+            tooltip-format = "Used: {used} / {total} ({percentage_used}%)\nFree: {free} ({percentage_free}%)";
+          };
+
+          "cpu" = {
+            format = "🧠 {usage}%";
+            tooltip = false;
+          };
+
+          "memory" = {
+            format = "🐏 {percentage}%";
+            tooltip-format = "RAM: {used:0.1f}G / {total:0.1f}G";
+          };
+
+          "pulseaudio" = {
+            format = "{icon} {volume}%";
+            format-muted = "🔇";
+            format-icons = {
+              headphone = "🎧";
+              default = [ "🔈" "🔉" "🔊" ];
+            };
+            on-click = "pavucontrol";
+          };
+
+          "backlight" = {
+            format = "☀️ {percent}%";
+            tooltip = false;
+          };
+
+          "network" = {
+            format-wifi = "📶 {essid} ({signalStrength}%)";
+            format-ethernet = "🔌 {ipaddr}";
+            format-disconnected = "❌";
+            tooltip-format = "{ifname}: {ipaddr}/{cidr}";
+          };
+
+          "battery" = {
+            states = {
+              warning = 30;
+              critical = 15;
+            };
+            format = "{icon} {capacity}%";
+            format-charging = "⚡ {capacity}%";
+            format-icons = [ "🪫" "🔋" "🔋" "🔋" "🔋" ];
+          };
+
+          "tray" = {
+            spacing = 10;
+          };
+        };
+      };
+      style = ''
+        * {
+          padding: 0 4px;
+          font-family: "Fira Code", monospace;
+          font-size: 13px;
+        }
+
+        #workspaces button {
+          padding: 0 8px;
+          background-color: transparent;
+          color: #ffffff;
+          border: none;
+        }
+
+        #workspaces button.focused {
+          background-color: #285577;
+          font-weight: bold;
+        }
+
+        #workspaces button.visible {
+          background-color: #5f676a;
+        }
+
+        #workspaces button.urgent {
+          background-color: #900000;
+        }
+      '';
+    };
+
+    programs.rofi = {
+      enable = true;
+      theme = "solarized";
+      extraConfig = {
+        modi = "drun,run,window";
+        show-icons = true;
+        drun-display-format = "{name}";
+        disable-history = false;
+        hide-scrollbar = true;
+        display-drun = " Apps";
+        display-run = " Run";
+        display-window = " Windows";
+        sidebar-mode = true;
+      };
+    };
+  };
+}
--- a/home/modules/kubectl/default.nix
+++ b/home/modules/kubectl/default.nix
@@ -0,0 +1,249 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.kubectl-secure;
+in
+{
+  options.programs.kubectl-secure = {
+    enable = mkEnableOption "secure kubectl configuration with Bitwarden integration";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      kubectl
+      kubernetes-helm
+    ];
+
+    programs.k9s.enable = true;
+
+    programs.bash.initExtra = mkAfter ''
+      # Kubectl secure session management
+      export KUBECTL_SESSION_DIR="/dev/shm/kubectl-$$"
+      
+      kube-select() {
+        if [[ $# -ne 1 ]]; then
+          echo "Usage: kube-select <context-name>"
+          echo "Available contexts: $(kube-list)"
+          return 1
+        fi
+        
+        local context="$1"
+        
+        # Clean up any existing session first
+        kube-clear 2>/dev/null
+        
+        # Create new session directory
+        mkdir -p "$KUBECTL_SESSION_DIR"
+        chmod 700 "$KUBECTL_SESSION_DIR"
+        
+        # Set cleanup trap for this shell session
+        trap "rm -rf '$KUBECTL_SESSION_DIR' 2>/dev/null" EXIT
+        
+        # Set KUBECONFIG for this session
+        export KUBECONFIG="$KUBECTL_SESSION_DIR/config"
+        
+        # Load config from Bitwarden secure notes
+        if ! rbw get "kubectl-$context" > "$KUBECONFIG" 2>/dev/null; then
+          echo "Error: Could not retrieve kubectl-$context from Bitwarden"
+          echo "Make sure the entry exists with name: kubectl-$context"
+          kube-clear
+          return 1
+        fi
+        
+        # Verify the kubeconfig is valid
+        if ! kubectl config view >/dev/null 2>&1; then
+          echo "Error: Invalid kubeconfig retrieved from Bitwarden"
+          kube-clear
+          return 1
+        fi
+        
+        echo "✓ Loaded kubectl context: $context (session: $$)"
+        echo "  Config location: $KUBECONFIG"
+      }
+      
+      kube-list() {
+        echo "Available kubectl contexts in Bitwarden:"
+        rbw search kubectl- 2>/dev/null | grep "^kubectl-" | sed 's/^kubectl-/  - /' || echo "  (none found or rbw not accessible)"
+      }
+      
+      kube-clear() {
+        if [[ -n "$KUBECTL_TIMEOUT_PID" ]]; then
+          kill "$KUBECTL_TIMEOUT_PID" 2>/dev/null
+          unset KUBECTL_TIMEOUT_PID
+        fi
+        
+        if [[ -d "$KUBECTL_SESSION_DIR" ]]; then
+          rm -rf "$KUBECTL_SESSION_DIR"
+          echo "Cleared kubectl session ($$)"
+        fi
+        
+        unset KUBECONFIG
+      }
+      
+      kube-status() {
+        if [[ -f "$KUBECONFIG" ]]; then
+          local current_context
+          current_context=$(kubectl config current-context 2>/dev/null)
+          if [[ -n "$current_context" ]]; then
+            echo "Active kubectl context: $current_context"
+            echo "Session: $$ | Config: $KUBECONFIG"
+            
+            # Show cluster info
+            local cluster_server
+            cluster_server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2>/dev/null)
+            if [[ -n "$cluster_server" ]]; then
+              echo "Cluster: $cluster_server"
+            fi
+          else
+            echo "No active context in current session"
+          fi
+        else
+          echo "No kubectl session active in this shell"
+          echo "Use 'kube-select <context>' to start a session"
+        fi
+      }
+
+      # Helper function to show available commands
+      kube-help() {
+        echo "Secure kubectl session management commands:"
+        echo ""
+        echo "Session management:"
+        echo "  kube-select <context>     - Load kubeconfig from Bitwarden"
+        echo "  kube-status              - Show current session status"
+        echo "  kube-clear               - Clear current session"
+        echo ""
+        echo "Configuration management:"
+        echo "  kube-list                - List available contexts in Bitwarden"
+        echo ""
+        echo "Help:"
+        echo "  kube-help                - Show this help"
+        echo ""
+        echo "Examples:"
+        echo "  kube-select prod                     # Loads from secure note"
+        echo "  kubectl get pods"
+        echo "  kube-clear"
+        echo ""
+        echo "Note: Kubeconfigs are stored as secure notes in Bitwarden"
+      }
+    '';
+    
+    programs.zsh.initExtra = mkAfter ''
+      # Kubectl secure session management (zsh)
+      export KUBECTL_SESSION_DIR="/dev/shm/kubectl-$$"
+      
+      kube-select() {
+        if [[ $# -ne 1 ]]; then
+          echo "Usage: kube-select <context-name>"
+          echo "Available contexts: $(kube-list)"
+          return 1
+        fi
+        
+        local context="$1"
+        
+        # Clean up any existing session first
+        kube-clear 2>/dev/null
+        
+        # Create new session directory
+        mkdir -p "$KUBECTL_SESSION_DIR"
+        chmod 700 "$KUBECTL_SESSION_DIR"
+        
+        # Set cleanup trap for this shell session
+        trap "rm -rf '$KUBECTL_SESSION_DIR' 2>/dev/null" EXIT
+        
+        # Set KUBECONFIG for this session
+        export KUBECONFIG="$KUBECTL_SESSION_DIR/config"
+        
+        # Load config from Bitwarden secure notes
+        if ! rbw get "kubectl-$context" > "$KUBECONFIG" 2>/dev/null; then
+          echo "Error: Could not retrieve kubectl-$context from Bitwarden"
+          echo "Make sure the entry exists with name: kubectl-$context"
+          kube-clear
+          return 1
+        fi
+        
+        # Verify the kubeconfig is valid
+        if ! kubectl config view >/dev/null 2>&1; then
+          echo "Error: Invalid kubeconfig retrieved from Bitwarden"
+          kube-clear
+          return 1
+        fi
+        
+        echo "✓ Loaded kubectl context: $context (session: $$)"
+        echo "  Config location: $KUBECONFIG"
+        
+        # Optional: Set timeout cleanup
+        if [[ ${toString cfg.sessionTimeout} -gt 0 ]]; then
+          (sleep ${toString cfg.sessionTimeout}; kube-clear 2>/dev/null) &
+          export KUBECTL_TIMEOUT_PID=$!
+        fi
+      }
+      
+      kube-list() {
+        echo "Available kubectl contexts in Bitwarden:"
+        rbw search kubectl- 2>/dev/null | grep "^kubectl-" | sed 's/^kubectl-/  - /' || echo "  (none found or rbw not accessible)"
+      }
+      
+      kube-clear() {
+        if [[ -n "$KUBECTL_TIMEOUT_PID" ]]; then
+          kill "$KUBECTL_TIMEOUT_PID" 2>/dev/null
+          unset KUBECTL_TIMEOUT_PID
+        fi
+        
+        if [[ -d "$KUBECTL_SESSION_DIR" ]]; then
+          rm -rf "$KUBECTL_SESSION_DIR"
+          echo "Cleared kubectl session ($$)"
+        fi
+        
+        unset KUBECONFIG
+      }
+      
+      kube-status() {
+        if [[ -f "$KUBECONFIG" ]]; then
+          local current_context
+          current_context=$(kubectl config current-context 2>/dev/null)
+          if [[ -n "$current_context" ]]; then
+            echo "Active kubectl context: $current_context"
+            echo "Session: $$ | Config: $KUBECONFIG"
+            
+            # Show cluster info
+            local cluster_server
+            cluster_server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2>/dev/null)
+            if [[ -n "$cluster_server" ]]; then
+              echo "Cluster: $cluster_server"
+            fi
+          else
+            echo "No active context in current session"
+          fi
+        else
+          echo "No kubectl session active in this shell"
+          echo "Use 'kube-select <context>' to start a session"
+        fi
+      }
+
+      # Helper function to show available commands
+      kube-help() {
+        echo "Secure kubectl session management commands:"
+        echo ""
+        echo "Session management:"
+        echo "  kube-select <context>     - Load kubeconfig from Bitwarden"
+        echo "  kube-status              - Show current session status"
+        echo "  kube-clear               - Clear current session"
+        echo ""
+        echo "Configuration management:"
+        echo "  kube-list                - List available contexts in Bitwarden"
+        echo ""
+        echo "Help:"
+        echo "  kube-help                - Show this help"
+        echo ""
+        echo "Examples:"
+        echo "  kube-select prod                     # Loads from secure note"
+        echo "  kubectl get pods"
+        echo "  kube-clear"
+        echo ""
+        echo "Note: Kubeconfigs are stored as secure notes in Bitwarden"
+      }
+    '';
+  };
+}
--- a/home/modules/plasma-manager/default.nix
+++ b/home/modules/plasma-manager/default.nix
@@ -0,0 +1,178 @@
+{ config, lib, pkgs, ... }:
+
+
+# The current KDE config can be output with the command:
+# nix run github:nix-community/plasma-manager
+#
+# Plasma-manager options documentation
+# https://nix-community.github.io/plasma-manager/options.xhtml
+#
+# TODO: (ambitious) Add Kmail support to plasma-manager
+{
+  programs.plasma = {
+    enable = true;
+    overrideConfig = true;
+
+    hotkeys.commands."launch-ghostty" = {
+      name = "Launch Ghostty";
+      key = "Meta+Return";
+      command = "ghostty";
+    };
+
+    shortcuts = {
+      kmix = {
+        "decrease_microphone_volume" = "Microphone Volume Down";
+        "decrease_volume" = "Volume Down";
+        "decrease_volume_small" = "Shift+Volume Down";
+        "increase_microphone_volume" = "Microphone Volume Up";
+        "increase_volume" = "Volume Up";
+        "increase_volume_small" = "Shift+Volume Up";
+        "mic_mute" = ["Microphone Mute" "Meta+Volume Mute,Microphone Mute" "Meta+Volume Mute,Mute Microphone"];
+        "mute" = "Volume Mute";
+      };
+
+      mediacontrol = {
+        "mediavolumedown" = "none,,Media volume down";
+        "mediavolumeup" = "none,,Media volume up";
+        "nextmedia" = "Media Next";
+        "pausemedia" = "Media Pause";
+        "playmedia" = "none,,Play media playback";
+        "playpausemedia" = "Media Play";
+        "previousmedia" = "Media Previous";
+        "stopmedia" = "Media Stop";
+      };
+
+      ksmserver = {
+        "Lock Session" = ["Meta+Ctrl+Q" "Screensaver" "Screensaver,Lock Session"];
+      };
+
+      kwin = {
+        "Window Close" = "Meta+Shift+Q";
+        "Kill Window" = "Meta+Ctrl+Esc";
+        "Window Operations Menu" = "Alt+F3";
+        "Window Resize" = "Meta+R,,Resize Window";
+
+        "Overview" = "Meta+Ctrl+W";
+        "Grid View" = "Meta+G";
+        "Edit Tiles" = "Meta+T";
+
+        "Activate Window Demanding Attention" = "Meta+Ctrl+A";
+
+        "Show Desktop" = "Meta+Ctrl+D";
+
+        "Walk Through Windows" = "Alt+Tab";
+        "Walk Through Windows (Reverse)" = "Alt+Shift+Tab";
+        "Walk Through Windows of Current Application" = "Alt+`";
+        "Walk Through Windows of Current Application (Reverse)" = "Alt+~";
+
+        "Window Quick Tile Bottom" = "Meta+Down";
+        "Window Quick Tile Left" = "Meta+Left";
+        "Window Quick Tile Right" = "Meta+Right";
+        "Window Quick Tile Top" = "Meta+Up";
+
+        "Switch to Desktop 1" = "Meta+1";
+        "Switch to Desktop 2" = "Meta+2";
+        "Switch to Desktop 3" = "Meta+3";
+        "Switch to Desktop 4" = "Meta+4";
+        "Switch to Desktop 5" = "Meta+5";
+        "Switch to Desktop 6" = "Meta+6";
+        "Switch to Desktop 7" = "Meta+7";
+        "Switch to Desktop 8" = "Meta+8";
+        "Switch to Desktop 9" = "Meta+9";
+        "Switch to Desktop 10" = "Meta+0";
+        
+        "Window to Desktop 1" = "Meta+!";    # Meta+Shift+1
+        "Window to Desktop 2" = "Meta+@";    # Meta+Shift+2
+        "Window to Desktop 3" = "Meta+#";    # Meta+Shift+3
+        "Window to Desktop 4" = "Meta+$";    # Meta+Shift+4
+        "Window to Desktop 5" = "Meta+%";    # Meta+Shift+5
+        "Window to Desktop 6" = "Meta+^";    # Meta+Shift+6
+        "Window to Desktop 7" = "Meta+&";    # Meta+Shift+7
+        "Window to Desktop 8" = "Meta+*";    # Meta+Shift+8
+        "Window to Desktop 9" = "Meta+(";    # Meta+Shift+9
+        "Window to Desktop 10" = "Meta+)";   # Meta+Shift+0
+
+        "view_actual_size" = "Meta+Ctrl+=";
+        "view_zoom_in" = ["Meta++" "Meta+=,Meta++" "Meta+=,Zoom In"];
+        "view_zoom_out" = "Meta+-";
+      };
+      "org_kde_powerdevil"."Decrease Keyboard Brightness" = "Keyboard Brightness Down";
+      "org_kde_powerdevil"."Decrease Screen Brightness" = "Monitor Brightness Down";
+      "org_kde_powerdevil"."Decrease Screen Brightness Small" = "Shift+Monitor Brightness Down";
+      "org_kde_powerdevil"."Hibernate" = "Hibernate";
+      "org_kde_powerdevil"."Increase Keyboard Brightness" = "Keyboard Brightness Up";
+      "org_kde_powerdevil"."Increase Screen Brightness" = "Monitor Brightness Up";
+      "org_kde_powerdevil"."Increase Screen Brightness Small" = "Shift+Monitor Brightness Up";
+      "org_kde_powerdevil"."PowerDown" = "Power Down";
+      "org_kde_powerdevil"."PowerOff" = "Power Off";
+      "org_kde_powerdevil"."Sleep" = "Sleep";
+      "org_kde_powerdevil"."Toggle Keyboard Backlight" = "Keyboard Light On/Off";
+      "org_kde_powerdevil"."Turn Off Screen" = [ ];
+      "org_kde_powerdevil"."powerProfile" = ["Battery" "Meta+B,Battery" "Meta+B,Switch Power Profile"];
+
+      plasmashell = {
+        "activate application launcher" = ["Meta" "Alt+F1,Meta" "Alt+F1,Activate Application Launcher"];
+        "activate task manager entry 1" = "none,,";
+        "activate task manager entry 2" = "none,,";
+        "activate task manager entry 3" = "none,,";
+        "activate task manager entry 4" = "none,,";
+        "activate task manager entry 5" = "none,,";
+        "activate task manager entry 6" = "none,,";
+        "activate task manager entry 7" = "none,,";
+        "activate task manager entry 8" = "none,,";
+        "activate task manager entry 9" = "none,,";
+        "activate task manager entry 10" = "none,,";
+        "show activity switcher" = "none,,";
+      };
+    };
+
+    configFile = {
+      kwinrc.Desktops.Number = {
+        value = 10;
+        immutable = true;
+      };
+      
+      # Enable KWin tiling features
+      kwinrc.Tiling = {
+        # Enable tiling functionality  
+        "padding" = 4;
+      };
+      
+      # Enable krohnkite plugin automatically
+      kwinrc.Plugins = {
+        krohnkiteEnabled = true;
+      };
+      
+      kwinrc.Effect-overview = {
+        # Configure overview effect for better tiling workflow
+        BorderActivate = 9;  # Top-left corner activation
+      };
+
+      kcminputrc.Libinput = {
+        AccelerationProfile = "adaptive";
+        PointerAcceleration = 0.5;
+      };
+
+      kcminputrc.Mouse = {
+        X11LibInputXAccelProfileFlat = false;
+        XLbInptAccelProfileFlat = false;
+      };
+
+      kdeglobals.KDE.LookAndFeelPackage = "org.kde.breezedark.desktop";
+
+      # Focus follows mouse configuration
+      kwinrc.Windows = {
+        FocusPolicy = "FocusFollowsMouse";
+        AutoRaise = true;  # Set to true if you want windows to auto-raise on focus
+        AutoRaiseInterval = 750;  # Delay in ms before auto-raise (if enabled)
+        DelayFocusInterval = 0;  # Delay in ms before focus follows mouse
+      };
+
+      # Desktop wallpaper configuration
+      plasma-localerc.Formats.LANG = "en_US.UTF-8";
+      
+      # Set wallpaper for all desktops
+      plasmarc.Wallpapers.usersWallpapers = "${../../wallpapers/metroid-samus-returns-kz-3440x1440.jpg}";
+    };
+  };
+}
--- a/home/modules/tmux/default.nix
+++ b/home/modules/tmux/default.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+let
+  tokyo-night = pkgs.tmuxPlugins.mkTmuxPlugin {
+    pluginName = "tokyo-night";
+    rtpFilePath = "tokyo-night.tmux";
+    version = "1.6.1";
+    src = pkgs.fetchFromGitHub {
+      owner = "janoamaral";
+      repo = "tokyo-night-tmux";
+      rev = "d610ced20d5f602a7995854931440e4a1e0ab780";
+      sha256 = "sha256-17vEgkL7C51p/l5gpT9dkOy0bY9n8l0/LV51mR1k+V8=";
+    };
+  };
+in
+{
+  programs.tmux.enable = true;
+  programs.tmux.terminal = "tmux-direct";
+  programs.tmux.keyMode = "vi";
+  programs.tmux.escapeTime = 0;
+  programs.tmux.mouse = true;
+  programs.tmux.newSession = true;
+  programs.tmux.historyLimit = 50000;
+  programs.tmux.clock24 = true;
+  programs.tmux.baseIndex = 1;
+  programs.tmux.prefix = "M-\\\\";
+
+  programs.tmux.plugins = with pkgs; [
+    tmuxPlugins.cpu
+    tmuxPlugins.battery
+    tmuxPlugins.better-mouse-mode
+    tmuxPlugins.net-speed
+    tmuxPlugins.online-status
+    tmuxPlugins.pain-control
+    tmuxPlugins.tilish
+    tmuxPlugins.yank
+
+    {
+      plugin = tmuxPlugins.resurrect;
+      extraConfig = "set -g @resurrect-strategy-nvim 'session'";
+    }
+    {
+      plugin = tmuxPlugins.continuum;
+      extraConfig = ''
+        set -g @continuum-restore 'on'
+        set -g @continuum-save-interval '15' # minutes
+      '';
+    }
+
+    tokyo-night
+  ];
+}
--- a/home/roles/base/default.nix
+++ b/home/roles/base/default.nix
@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.base;
+in
+{
+  options.home.roles.base = {
+    enable = mkEnableOption "Enable base CLI tools and essential programs";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      fd
+      glances
+      gzip
+      htop
+      killall
+      less
+      ncdu
+      shellcheck
+      tmux
+      tree
+    ];
+
+    # Essential programs everyone needs
+    programs.bash = {
+      enable = true;
+      initExtra = ''
+        codex() {
+          local key
+          key="$(rbw get openai-api-key-codex)"
+          OPENAI_API_KEY="$key" command codex "$@"
+        }
+      '';
+    };
+
+    programs.home-manager.enable = true;
+    programs.command-not-found.enable = true;
+
+    programs.git = {
+      enable = true;
+      userName = "John Ogle";
+      userEmail = "john@ogle.fyi";
+      extraConfig = {
+        safe.directory = "/etc/nixos";
+      };
+    };
+
+    programs.jq.enable = true;
+
+    programs.neovim = {
+      enable = true;
+      viAlias = true;
+      vimAlias = true;
+    };
+
+    programs.ssh = {
+      enable = true;
+      addKeysToAgent = "yes";
+      matchBlocks = {
+        "nucdeb1" = {
+          hostname = "nucdeb1.oglehome";
+          user = "root";
+        };
+      };
+    };
+
+    programs.rbw = {
+      enable = true;
+      settings = {
+        email = "john@johnogle.info";
+        base_url = "https://bitwarden.johnogle.info";
+        pinentry = pkgs.pinentry-qt;
+      };
+    };
+
+    # Note: modules must be imported at top-level home config
+  };
+}
--- a/home/roles/communication/default.nix
+++ b/home/roles/communication/default.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, globalInputs, system, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.communication;
+in
+{
+  options.home.roles.communication = {
+    enable = mkEnableOption "Enable communication and messaging applications";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = [
+      # Communication apps
+      pkgs.element-desktop
+      #pkgs.fluffychat #marked insecure as of nixos 25.05
+      pkgs.nextcloud-talk-desktop
+      
+      # For logging back into google chat
+      globalInputs.google-cookie-retrieval.packages.${system}.default
+    ];
+  };
+}
--- a/home/roles/default.nix
+++ b/home/roles/default.nix
@@ -0,0 +1,13 @@
+{
+  imports = [
+    ./base
+    ./communication
+    ./desktop
+    ./development
+    ./gaming
+    ./kdeconnect
+    ./media
+    ./office
+    ./sync
+  ];
+}
--- a/home/roles/desktop/default.nix
+++ b/home/roles/desktop/default.nix
@@ -0,0 +1,160 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.desktop;
+in
+{
+  options.home.roles.desktop = {
+    enable = mkEnableOption "Enable desktop GUI applications and utilities";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      # Desktop applications
+      bitwarden-desktop
+      dunst
+      keepassxc
+      unstable.ghostty
+      
+      # Desktop utilities
+      feh # Image viewer and wallpaper setter for X11
+      rofi # Application launcher for X11
+      solaar # Logitech management software
+      waybar
+      wofi # Application launcher for Wayland
+      xdg-utils # XDG utilities for opening files/URLs with default applications
+      
+      # System utilities with GUI components
+      (snapcast.override { pulseaudioSupport = true; })
+      
+      # KDE tiling window management
+      kdePackages.krohnkite  # Dynamic tiling extension for KWin 6
+      
+      # KDE PIM applications for email, calendar, and contacts
+      kdePackages.kmail
+      kdePackages.kmail-account-wizard
+      kdePackages.kmailtransport
+      kdePackages.korganizer
+      kdePackages.kaddressbook
+      kdePackages.kontact
+      
+      # KDE System components needed for proper integration
+      kdePackages.kded
+      kdePackages.systemsettings
+      kdePackages.kmenuedit
+      
+      # Desktop menu support
+      kdePackages.plasma-desktop # Contains applications.menu
+      
+      # KDE Online Accounts support
+      kdePackages.kaccounts-integration
+      kdePackages.kaccounts-providers
+      kdePackages.signond
+      
+      # KDE Mapping
+      kdePackages.marble  # Virtual globe and world atlas
+      
+      # KDE Productivity
+      kdePackages.kate        # Advanced text editor with syntax highlighting
+      kdePackages.okular      # Universal document viewer (PDF, ePub, etc.)
+      kdePackages.spectacle   # Screenshot capture utility
+      kdePackages.filelight   # Visual disk usage analyzer
+      
+      # KDE Multimedia
+      kdePackages.gwenview    # Image viewer and basic editor
+      kdePackages.elisa       # Music player
+      
+      # KDE System Utilities  
+      kdePackages.ark         # Archive manager (zip, tar, 7z, etc.)
+      kdePackages.yakuake     # Drop-down terminal emulator
+    ];
+
+    programs.firefox = {
+      enable = true;
+    };
+
+    programs.spotify-player.enable = true;
+
+    services.gnome-keyring = {
+      enable = true;
+    };
+
+    # KDE environment variables for proper integration
+    home.sessionVariables = {
+      QT_QPA_PLATFORMTHEME = "kde";
+      KDE_SESSION_VERSION = "6";
+    };
+
+    xdg = {
+      enable = true;
+      
+      # Ensure desktop files are made available for discovery
+      desktopEntries = {};  # This creates the desktop files directory structure
+      
+      mimeApps = {
+        enable = true;
+        associations.added = {
+          # Ensure associations are properly registered
+          "text/html" = "firefox.desktop";
+          "x-scheme-handler/http" = "firefox.desktop";
+          "x-scheme-handler/https" = "firefox.desktop";
+        };
+        defaultApplications = {
+          # Web browsers
+          "text/html" = "firefox.desktop";
+          "x-scheme-handler/http" = "firefox.desktop";
+          "x-scheme-handler/https" = "firefox.desktop";
+          "x-scheme-handler/about" = "firefox.desktop";
+          "x-scheme-handler/unknown" = "firefox.desktop";
+          
+          # Documents
+          "application/pdf" = "okular.desktop";
+          "text/plain" = "kate.desktop";
+          "text/x-tex" = "kate.desktop";
+          "text/x-c" = "kate.desktop";
+          "text/x-python" = "kate.desktop";
+          "application/x-shellscript" = "kate.desktop";
+          
+          # Images
+          "image/png" = "gwenview.desktop";
+          "image/jpeg" = "gwenview.desktop";
+          "image/jpg" = "gwenview.desktop";
+          "image/gif" = "gwenview.desktop";
+          "image/bmp" = "gwenview.desktop";
+          "image/tiff" = "gwenview.desktop";
+          "image/webp" = "gwenview.desktop";
+          
+          # Archives
+          "application/zip" = "ark.desktop";
+          "application/x-tar" = "ark.desktop";
+          "application/x-compressed-tar" = "ark.desktop";
+          "application/x-7z-compressed" = "ark.desktop";
+          "application/x-rar" = "ark.desktop";
+          
+          # Audio
+          "audio/mpeg" = "elisa.desktop";
+          "audio/mp4" = "elisa.desktop";
+          "audio/flac" = "elisa.desktop";
+          "audio/ogg" = "elisa.desktop";
+          "audio/wav" = "elisa.desktop";
+          
+          # Email
+          "message/rfc822" = "kmail.desktop";
+          "x-scheme-handler/mailto" = "kmail.desktop";
+          
+          # Calendar
+          "text/calendar" = "korganizer.desktop";
+          "application/x-vnd.akonadi.calendar.event" = "korganizer.desktop";
+        };
+      };
+    };
+
+    # Fix for KDE applications.menu file issue on Plasma 6
+    # KDE still looks for applications.menu but Plasma 6 renamed it to plasma-applications.menu
+    xdg.configFile."menus/applications.menu".source = "${pkgs.kdePackages.plasma-workspace}/etc/xdg/menus/plasma-applications.menu";
+
+    # Note: modules must be imported at top-level home config
+  };
+}
--- a/home/roles/development/default.nix
+++ b/home/roles/development/default.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, globalInputs, system, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.development;
+in
+{
+  options.home.roles.development = {
+    enable = mkEnableOption "Enable development tools and utilities";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = [
+      pkgs.unstable.claude-code
+      pkgs.codex
+
+      # Custom packages
+      pkgs.custom.tea-rbw
+    ];
+
+    programs.kubectl-secure.enable = true;
+
+    # Note: modules must be imported at top-level home config
+  };
+}
--- a/home/roles/gaming/default.nix
+++ b/home/roles/gaming/default.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.gaming;
+in
+{
+  options.home.roles.gaming = {
+    enable = mkEnableOption "Enable gaming applications and tools";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      # Gaming applications would go here
+      # This role is created for future expansion
+      # moonlight-qt is currently in media role but could be moved here
+    ];
+  };
+}
--- a/home/roles/kdeconnect/default.nix
+++ b/home/roles/kdeconnect/default.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.kdeconnect;
+in
+{
+  options.home.roles.kdeconnect = {
+    enable = mkEnableOption "Enable KDE Connect for device integration";
+  };
+
+  config = mkIf cfg.enable {
+    services.kdeconnect = {
+      enable = true;
+      indicator = true;
+      package = pkgs.kdePackages.kdeconnect-kde;
+    };
+  };
+}
--- a/home/roles/media/default.nix
+++ b/home/roles/media/default.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.media;
+in
+{
+  options.home.roles.media = {
+    enable = mkEnableOption "Enable media and multimedia applications";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      # Media players and streaming
+      # Using delfin instead of jellyfin-media-player to avoid qtwebengine security issues
+      # For full Jellyfin features, use web interface at http://jellyfin-server:8096
+      delfin
+      moonlight-qt
+      vlc
+
+      # Spotify client
+      # Using unstable version for better authentication support
+      unstable.ncspot
+    ];
+  };
+}
--- a/home/roles/office/default.nix
+++ b/home/roles/office/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.office;
+in
+{
+  options.home.roles.office = {
+    enable = mkEnableOption "Enable office applications and document processing tools";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      # Office suite
+      libreoffice
+      
+      # CAD/Design tools
+      openscad-unstable
+    ];
+  };
+}
--- a/home/roles/sync/default.nix
+++ b/home/roles/sync/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.home.roles.sync;
+in
+{
+  options.home.roles.sync = {
+    enable = mkEnableOption "Enable file synchronization services";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      syncthingtray
+    ];
+
+    services.syncthing = {
+      enable = true;
+    };
+  };
+}
--- a/home/wallpapers/metroid-samus-returns-kz-3440x1440.jpg
+++ b/home/wallpapers/metroid-samus-returns-kz-3440x1440.jpg
--- a/machines/boxy/configuration.nix
+++ b/machines/boxy/configuration.nix
@@ -0,0 +1,69 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      gaming.enable = true;
+      kde = true;
+      sddm = true;
+      wayland = true;
+    };
+    kodi = {
+      enable = true;
+      autologin = true;
+      wayland = true;
+    };
+    users.enable = true;
+  };
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "boxy"; # Define your hostname.
+
+  services.xserver.videoDrivers = [ "amdgpu" ];
+  hardware.graphics.enable = true;
+  hardware.graphics.enable32Bit = true;
+  hardware.graphics.extraPackages = with pkgs; [
+    amdvlk
+  ];
+  hardware.graphics.extraPackages32 = with pkgs; [
+    driversi686Linux.amdvlk
+  ];
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+}
+
--- a/machines/boxy/hardware-configuration.nix
+++ b/machines/boxy/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ "amdgpu" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5b0e8428-c9ef-41f9-8beb-a8ccb65ab573";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/59A7-C2A3";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/johno-macbookpro/configuration.nix
+++ b/machines/johno-macbookpro/configuration.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Basic system configuration for macOS work laptop
+  system.stateVersion = 6;
+
+  # Set primary user for nix-darwin
+  system.primaryUser = "johno";
+
+  # System preferences (can be expanded later)
+  system.defaults = {
+    dock.autohide = true;
+    finder.AppleShowAllExtensions = true;
+    NSGlobalDomain.AppleShowAllExtensions = true;
+  };
+
+  # TODO: Find a way to not duplicate this
+  launchd.user.envVariables = {
+    # DOOM Emacs environment variables
+    DOOMDIR = "/Users/johno/.config/doom";
+    DOOMLOCALDIR = "/Users/johno/.local/doom";
+  };
+}
--- a/machines/live-usb/configuration.nix
+++ b/machines/live-usb/configuration.nix
@@ -0,0 +1,91 @@
+# Live USB ISO configuration for recovery and installation
+{ pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    # Use minimal installation CD as base
+    (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
+  ];
+
+  # Use roles structure for consistent configuration
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      kde = true;
+      x11 = true;
+      wayland = true;
+      sddm = true;
+    };
+  };
+
+  # Allow unfree packages for broader hardware support
+  nixpkgs.config.allowUnfree = true;
+
+  # Essential packages for system recovery and installation
+  environment.systemPackages = with pkgs; [
+    # Text editors
+    neovim
+    nano
+    
+    # System tools
+    git
+    curl
+    wget
+    htop
+    tree
+    lsof
+    strace
+    
+    # Filesystem tools
+    btrfs-progs
+    e2fsprogs
+    xfsprogs
+    ntfs3g
+    dosfstools
+    
+    # Network tools
+    networkmanager
+    wirelesstools
+    
+    # Hardware tools
+    pciutils
+    usbutils
+    smartmontools
+    
+    # Archive tools
+    unzip
+    p7zip
+    
+    # Development tools (for quick fixes)
+    gcc
+    binutils
+  ];
+
+  # Enable NetworkManager for easy wifi setup
+  networking.networkmanager.enable = true;
+  # Disable wireless networking (conflicts with NetworkManager)
+  networking.wireless.enable = false;
+  
+  # Enable SSH daemon for remote access
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "yes";
+      PasswordAuthentication = true;
+    };
+  };
+
+  # ISO customization
+  isoImage = {
+    volumeID = "NIXOS-LIVE";
+  };
+
+  # Enable some useful services
+  services.udisks2.enable = true; # For mounting USB drives
+
+  # Hardware support
+  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
+}
--- a/machines/nix-book/configuration.nix
+++ b/machines/nix-book/configuration.nix
@@ -2,43 +2,36 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{ config, pkgs, inputs, ... }:
-
+{ pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

-  nix = {
-    package = pkgs.nixFlakes;
-
-    distributedBuilds = true;
-    buildMachines = [{
-      hostName = "z790prors.oglehome";
-      system = "x86_64-linux";
-      protocol = "ssh-ng";
-      sshUser = "johno";
-      sshKey = "/root/.ssh/id_ed25519";
-      maxJobs = 3;
-      speedFactor = 2;
-    }];
-    settings = {
-      experimental-features = [ "nix-command" "flakes" ];
-
-      substituters = [ 
-        "https://hyprland.cachix.org"
-        #"ssh://johno@z790prors.oglehome"
-      ];
-
-      builders-use-substitutes = true;
-
-      trusted-public-keys = [
-        "arch-store:lBSsckiRVH+A2ZyZWIzPwpSFstAGXcf/d7H1lSmiFo8="
-	"z790prors:2zFp1rh6cS+2aAHwmcKKkkg13LV+x2YVuAh7TCWSckw="
-	"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-      ];
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      wayland = true;
+      gaming.enable = false;
+      kde = true;
+      sddm = true;
    };
+    nfs-mounts.enable = true;
+    printing.enable = true;
+    remote-build.builders = [{
+      hostName = "zix790prors";
+      maxJobs = 16;
+      speedFactor = 3;
+    }];
+    spotifyd.enable = true;
+    users = {
+      enable = true;
+      extraGroups = [ "video" ];
+    };
+    virtualisation.enable = true;
  };

  # Bootloader.
@@ -49,38 +42,14 @@
  networking.hostName = "nix-book"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

-  boot.kernelPackages = pkgs.linuxPackages_latest;
-
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
  # Enable networking
  networking.networkmanager.enable = true;

-  # Set your time zone.
-  time.timeZone = "America/Los_Angeles";
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_US.UTF-8";
-    LC_IDENTIFICATION = "en_US.UTF-8";
-    LC_MEASUREMENT = "en_US.UTF-8";
-    LC_MONETARY = "en_US.UTF-8";
-    LC_NAME = "en_US.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
-    LC_PAPER = "en_US.UTF-8";
-    LC_TELEPHONE = "en_US.UTF-8";
-    LC_TIME = "en_US.UTF-8";
-  };
-
-  # Configure keymap in X11
-  services.xserver.xkb = {
-    layout = "us";
-    variant = "";
-    options = "caps:escape";
+  # WireGuard setup
+  networking.wg-quick.interfaces = {
+    ogleNet = {
+      configFile = "/root/Oglehome-VPN-johno-nixbook.conf";
+    };
  };

  hardware.graphics = {
@@ -92,51 +61,6 @@
    ];
  };

-  hardware.pulseaudio.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.johno = {
-    isNormalUser = true;
-    description = "John Ogle";
-    extraGroups = [ "networkmanager" "wheel" "audio" ];
-    packages = with pkgs; [];
-  };
-
-  # Enable automatic login for the user.
-  services.getty.autologinUser = "johno";
-
-  # Allow unfree packages
-  nixpkgs.config.allowUnfree = true;
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-  #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
-  #  wget
-  ];
-
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  programs.gnupg.agent = {
-    enable = true;
-    enableSSHSupport = true;
-  };
-
-  virtualisation.docker.enable = true;
-  users.extraGroups.docker.members = [ "johno" ];
-
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
@@ -144,21 +68,4 @@
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
-
-
-  # Desktop
-
-  programs.steam.enable = true;
-  
-  #services.xserver.enable = true;
-  services.displayManager = {
-    sddm.enable = true;
-    sddm.wayland.enable = true;
-    #defaultSession = "plasmax11";
-  };
-  services.desktopManager.plasma6.enable = true;
-  programs.hyprland = {
-    enable = true;
-    package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
-  };
 }
--- a/machines/nix-book/hardware-configuration.nix
+++ b/machines/nix-book/hardware-configuration.nix
@@ -10,15 +10,27 @@

  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "sdhci_pci" ];
  boot.initrd.kernelModules = [ ];
+  boot.initrd.luks.devices."luks-4126fbd4-bd09-4ece-af0d-6fff414c21b3".device = "/dev/disk/by-uuid/4126fbd4-bd09-4ece-af0d-6fff414c21b3";
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/bd396529-e2c4-47cb-b844-8d6ed841f81a";
-      fsType = "ext4";
+  roles.btrfs = {
+    enable = true;
+    filesystems."/dev/disk/by-uuid/223a44e5-91e2-4272-830e-129166042a1d" = {
+      mountpoints = {
+        "/" = {
+          compression = "zstd";
+          extraOptions = [ "noatime" ];
+        };
+      };
+      scrub.enable = true;
+      deduplication = {
+        enable = true;
+        hashTableSizeMB = 32;
+        verbosity = "err";
+      };
    };
-
-  boot.initrd.luks.devices."luks-4126fbd4-bd09-4ece-af0d-6fff414c21b3".device = "/dev/disk/by-uuid/4126fbd4-bd09-4ece-af0d-6fff414c21b3";
+  };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/7A0B-CF88";
@@ -29,6 +41,7 @@
  swapDevices =
    [ { device = "/dev/disk/by-uuid/ec1f70ea-27b6-4646-ad3b-eac41bd83e3e"; }
    ];
+  zramSwap.enable = true;

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/machines/nix-book/nixbook-btrfs-migration.md
+++ b/machines/nix-book/nixbook-btrfs-migration.md
@@ -0,0 +1,223 @@
+# NixBook ext4 to btrfs Migration Guide
+
+## Overview
+This guide converts your nixbook machine from ext4 to btrfs with zstd compression and beesd deduplication while preserving your LUKS encryption and all data.
+
+## Current System Info
+- **Hostname**: nix-book
+- **Root filesystem**: ext4 on `/dev/disk/by-uuid/bd396529-e2c4-47cb-b844-8d6ed841f81a`
+- **Encryption**: LUKS with two devices configured
+- **Current usage**: 138GB used / 225GB total (65% full)
+- **Free space**: 76GB available (sufficient for conversion)
+
+## Pre-Migration Checklist
+
+### 1. Create Full System Backup (CRITICAL)
+```bash
+# Boot from NixOS live USB
+# Mount encrypted filesystem
+cryptsetup luksOpen /dev/disk/by-uuid/4126fbd4-bd09-4ece-af0d-6fff414c21b3 luks-nixbook
+mount /dev/mapper/luks-nixbook /mnt
+
+# Create backup to external drive (adjust target as needed)
+rsync -avxHAX --progress /mnt/ /path/to/backup/nixbook-backup/
+```
+
+### 2. Verify Configuration Changes
+The following files have been updated for btrfs:
+- `machines/nix-book/configuration.nix` - Added beesd service
+- `machines/nix-book/hardware-configuration.nix` - Changed fsType to btrfs with compression
+
+## Migration Process
+
+### Phase 1: Boot to Live Environment
+1. **Create NixOS live USB**:
+   ```bash
+   # Download latest NixOS ISO
+   # Flash to USB drive
+   dd if=nixos-minimal-xx.xx-x86_64-linux.iso of=/dev/sdX bs=4M status=progress
+   ```
+
+2. **Boot from live USB** and ensure you can access the encrypted drives
+
+### Phase 2: Filesystem Conversion
+3. **Unlock LUKS volumes**:
+   ```bash
+   cryptsetup luksOpen /dev/disk/by-uuid/4126fbd4-bd09-4ece-af0d-6fff414c21b3 luks-nixbook
+   cryptsetup luksOpen /dev/disk/by-uuid/b614167b-9045-4234-a441-ac6f60a96d81 luks-nixbook2
+   ```
+
+4. **Check filesystem before conversion**:
+   ```bash
+   fsck.ext4 -f /dev/mapper/luks-nixbook
+   ```
+
+5. **Convert ext4 to btrfs** (this preserves all data):
+   ```bash
+   # Install btrfs-progs if not available
+   nix-shell -p btrfs-progs
+
+   # Convert the filesystem (takes 15-45 minutes depending on data)
+   btrfs-convert /dev/mapper/luks-nixbook
+   
+   # Verify conversion succeeded
+   mount /dev/mapper/luks-nixbook /mnt
+   ls -la /mnt  # Should show your normal filesystem
+   btrfs filesystem show /mnt
+   ```
+
+6. **Get new filesystem UUID** (may have changed):
+   ```bash
+   blkid /dev/mapper/luks-nixbook
+   # Note the new UUID if it changed
+   ```
+
+### Phase 3: Configuration Update
+7. **Mount and chroot into system**:
+   ```bash
+   mount -o compress=zstd,noatime /dev/mapper/luks-nixbook /mnt
+   mount /dev/disk/by-uuid/7A0B-CF88 /mnt/boot
+   nixos-enter --root /mnt
+   ```
+
+8. **Update hardware-configuration.nix** if UUID changed:
+   ```bash
+   # Edit /etc/nixos/hardware-configuration.nix if needed
+   # Update the UUID in fileSystems."/" section
+   ```
+
+9. **Rebuild system with btrfs configuration**:
+   ```bash
+   cd /home/johno/nixos-configs
+   nixos-rebuild switch --flake .#nix-book
+   ```
+
+### Phase 4: Enable Compression and Deduplication
+10. **Reboot into new btrfs system**:
+    ```bash
+    exit  # Exit chroot
+    umount -R /mnt
+    reboot
+    ```
+
+11. **Verify btrfs is working**:
+    ```bash
+    mount | grep btrfs
+    btrfs filesystem usage /
+    ```
+
+12. **Enable and start beesd**:
+    ```bash
+    systemctl status beesd-root
+    systemctl start beesd-root
+    systemctl enable beesd-root
+    ```
+
+13. **Force compression on existing files** (optional but recommended):
+    ```bash
+    # This will compress existing files with zstd
+    btrfs filesystem defragment -r -czstd /
+    ```
+
+## Post-Migration Verification
+
+### Check System Health
+```bash
+# Verify btrfs health
+btrfs scrub start /
+btrfs scrub status /
+
+# Check compression effectiveness
+compsize /
+
+# Monitor beesd deduplication
+journalctl -u beesd-root -f
+
+# Check filesystem usage
+btrfs filesystem usage /
+df -h /
+```
+
+### Performance Monitoring
+```bash
+# Monitor beesd hash table
+ls -lh /.beeshash
+
+# Check compression ratio over time
+compsize /home /nix /var
+```
+
+## Expected Benefits
+
+### Space Savings
+- **Compression**: 20-30% reduction in disk usage from zstd
+- **Deduplication**: Additional 10-20% savings on duplicate files
+- **Combined**: Potentially 30-40% total space savings
+
+### Performance Impact
+- **Compression**: Minimal CPU overhead, often improves I/O performance
+- **Deduplication**: Background process, minimal impact during normal use
+- **Overall**: Should be neutral to positive performance impact
+
+## Rollback Plan (Emergency)
+
+If something goes wrong:
+
+1. **Boot from live USB**
+2. **Restore from backup**:
+   ```bash
+   cryptsetup luksOpen /dev/disk/by-uuid/4126fbd4-bd09-4ece-af0d-6fff414c21b3 luks-nixbook
+   mkfs.ext4 /dev/mapper/luks-nixbook
+   mount /dev/mapper/luks-nixbook /mnt
+   rsync -avxHAX --progress /path/to/backup/nixbook-backup/ /mnt/
+   ```
+3. **Restore original hardware-configuration.nix** with ext4 settings
+4. **Rebuild and reboot**
+
+## Troubleshooting
+
+### Common Issues
+
+**"Device busy" during conversion**:
+- Ensure no processes are accessing the filesystem
+- Check with `lsof` and `fuser`
+
+**UUID changed after conversion**:
+- Update hardware-configuration.nix with new UUID
+- Regenerate initrd: `nixos-rebuild switch`
+
+**Beesd service fails to start**:
+- Check disk space for hash table
+- Verify filesystem is btrfs: `mount | grep btrfs`
+- Check logs: `journalctl -u beesd-root`
+
+**Boot issues after conversion**:
+- Boot from live USB
+- Check /boot partition is mounted correctly
+- Verify LUKS UUIDs match in configuration
+- Rebuild bootloader: `nixos-rebuild switch --install-bootloader`
+
+## Maintenance
+
+### Regular Tasks
+```bash
+# Monthly scrub (checks for corruption)
+btrfs scrub start /
+
+# Monitor compression effectiveness
+compsize /
+
+# Check beesd deduplication status
+systemctl status beesd-root
+```
+
+### Space Management
+```bash
+# Balance filesystem (defragments and optimizes)
+btrfs balance start -dusage=50 /
+
+# Check for space issues
+btrfs filesystem usage /
+```
+
+This migration preserves all your data while gaining the benefits of modern btrfs features including transparent compression and automatic deduplication.
--- a/machines/nix-deck/configuration.nix
+++ b/machines/nix-deck/configuration.nix
@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      wayland = true;
+      gaming.enable = true;
+      kde = true;
+      sddm = true;
+      steamos = {
+        enable = true;
+        autoStart = false;
+        desktopSession = "plasmawayland";
+      };
+    };
+    remote-build.builders = [{
+      hostName = "zix790prors";
+      maxJobs = 16;
+      speedFactor = 4;  # Prefer remote heavily on Steam Deck
+    }];
+    users = {
+      enable = true;
+      extraGroups = [ "video" ];
+    };
+  };
+
+  # Bootloader
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "nix-deck";
+  networking.networkmanager.enable = true;
+
+  system.stateVersion = "25.05";
+}
--- a/machines/nix-deck/hardware-configuration.nix
+++ b/machines/nix-deck/hardware-configuration.nix
@@ -0,0 +1,51 @@
+# Hardware configuration for Steam Deck (nix-deck)
+# Generated from nixos-generate-config on 2025-11-17
+
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  # Steam Deck specific hardware configuration (Jovian)
+  jovian.devices.steamdeck = {
+    enable = true;
+    autoUpdate = false;  # Set to true if you want automatic firmware updates
+  };
+
+  # Kernel modules detected by nixos-generate-config
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "usb_storage"
+    "uas"
+    "usbhid"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # IMPORTANT: Update these filesystem configurations based on your actual partition layout
+  # The configuration below is a placeholder - adjust according to how you partitioned the disk
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "vfat";
+  };
+
+  swapDevices = [{
+    device = "/swapfile";
+    size = 8192;  # 8GB swap file
+  }];
+
+  # AMD CPU microcode updates
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/wixos/configuration.nix
+++ b/machines/wixos/configuration.nix
@@ -0,0 +1,62 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+# NixOS-WSL specific options are documented on the NixOS-WSL repository:
+# https://github.com/nix-community/NixOS-WSL
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+  ];
+
+  roles = {
+    audio.enable = true;
+    desktop = {
+      enable = true;
+      wayland = true;
+    };
+    users.enable = true;
+  };
+
+  networking.hostName = "wixos";
+
+  wsl.enable = true;
+  wsl.defaultUser = "johno";
+  wsl.startMenuLaunchers = true;
+  wsl.useWindowsDriver = true;
+  wsl.wslConf.network.hostname = "wixos";
+  wsl.wslConf.user.default = "johno";
+
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.graphics = { 
+    enable = true;
+
+    extraPackages = with pkgs; [
+      mesa
+      libvdpau-va-gl
+      vaapiVdpau
+    ];
+  };
+  environment.sessionVariables = {
+    LD_LIBRARY_PATH = [
+      "/usr/lib/wsl/lib"
+      "/run/opengl-driver/lib"
+    ];
+  };
+  hardware.nvidia = {
+    modesetting.enable = true;
+    nvidiaSettings = true;
+    open = true;
+    package = config.boot.kernelPackages.nvidiaPackages.latest;
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}
--- a/machines/z790prors/configuration.nix
+++ b/machines/z790prors/configuration.nix
@@ -1,173 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ inputs, config, pkgs, ... }:
-
-let
-  kidsPackages = with pkgs; [
-    firefox
-  ];
-in
-{
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../../roles/virtualisation/default.nix
-      ../../roles/nfs-mounts/default.nix
-    ];
-
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.useOSProber = true;
-
-  networking.hostName = "z790prors-nix"; # Define your hostname.
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-
-  # Set your time zone.
-  time.timeZone = "America/Los_Angeles";
-
-  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-  # Per-interface useDHCP will be mandatory in the future, so this generated config
-  # replicates the default behaviour.
-  networking.useDHCP = false;
-  networking.interfaces.enp3s0.useDHCP = true;
-
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8";
-  # console = {
-  #   font = "Lat2-Terminus16";
-  #   keyMap = "us";
-  # };
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  nix.settings.secret-key-files = /root/cache-priv-key.pem;
-  nix.settings.max-jobs = "auto";
-  nix.settings.trusted-users = [ "johno" ];
-  nix.settings.substituters = [
-    "https://hyprland.cachix.org"
-  ];
-  nix.settings.trusted-public-keys = [
-    "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-  ];
-
-  nixpkgs.config.allowUnfree = true;
-
-  # Enable the X11 windowing system.
-  services.xserver.enable = true;
-  hardware.graphics.enable = true;
-  services.xserver.videoDrivers = ["nvidia"];
-  hardware.nvidia = {
-    modesetting.enable = true;
-    powerManagement.enable = false;
-    powerManagement.finegrained = false;
-    open = false;
-    nvidiaSettings = true;
-    package = config.boot.kernelPackages.nvidiaPackages.production;
-  };
-
-  # Configure keymap in X11
-  # services.xserver.layout = "us";
-  # services.xserver.xkbOptions = "eurosign:e";
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # Enable sound.
-  hardware.pulseaudio.enable = true;
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.xserver.libinput.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.johno = {
-    isNormalUser = true;
-    description = "John Ogle";
-    extraGroups = [ "wheel" "networkmanager" "audio" "libvirtd" ]; # Enable ‘sudo’ for the user.
-  };
-
-  users.users.eli = {
-    isNormalUser = true;
-    description = "Eli";
-    home = "/arch/@home/eli";
-    packages = kidsPackages;
-  };
-
-  users.users.andrew = {
-    isNormalUser = true;
-    description = "Andrew";
-    home = "/arch/@home/andrew";
-    packages = kidsPackages;
-  };
-
-  users.users.jules = {
-    isNormalUser = true;
-    description = "Jules";
-    home = "/arch/@home/jules";
-    packages = kidsPackages;
-  };
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
-    git
-  ];
-
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  # };
-
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
-  services.displayManager = {
-    sddm.enable = true;
-    sddm.wayland.enable = true;
-    #defaultSession = "plasmax11";
-  };
-  services.desktopManager.plasma6.enable = true;
-  programs.hyprland = {
-    enable = true;
-    package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
-  };
-
-  programs.java.enable = true;
-  programs.steam = {
-    enable = true;
-    remotePlay.openFirewall = true;
-    localNetworkGameTransfers.openFirewall = true;
-    #package = pkgs.steam.override {
-      #withJava = true;
-      #withPrimus = true;
-      #extraPkgs = pkgs: [ bumblebee glxinfo ];
-    #};
-  };
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
-
-}
-
--- a/machines/z790prors/hardware-configuration.nix
+++ b/machines/z790prors/hardware-configuration.nix
@@ -1,35 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/8d996d13-6d55-4524-83a2-6f6fb47a09ea";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/7445-C336";
-      fsType = "vfat";
-    };
-
-  fileSystems."/arch" =
-    { device = "/dev/disk/by-label/endeavouros";
-      fsType = "btrfs";
-    };
-
-  swapDevices = [ ];
-
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
--- a/machines/zix790prors/README.org
+++ b/machines/zix790prors/README.org
@@ -0,0 +1,31 @@
+* zix790prors
+
+The re-birthed NixOS install of my 2024/2025 gaming pc / workstation.
+
+** Specs
+- **CPU:** Intel Core i7-14700K (20 cores, 28 threads, up to 5.6 GHz)
+- **Memory:** 64 GB RAM
+- **Storage:**
+  - 4TB NVMe SSD (main drive with dual-boot partitions)
+    - Windows 11 partition (NTFS)
+    - NixOS /nix/store partition (btrfs)
+    - Shared /games partition (btrfs, accessible from both Windows and NixOS)
+- **GPU:** NVIDIA GeForce RTX 4070 Ti
+- **Boot:** UEFI with 100MB EFI System Partition
+
+This is a powerful all-purpose workstation optimized for gaming, 3D modeling, and development. It dual-boots Windows 11 with a shared btrfs /games partition accessible from both operating systems.
+*** Validation
+Given the above specs, I want to run shell commands to validate them for accuracy. Use the run_shell_command tool to get the results required to complete this validation. Do not return to the user until you have exhausted your self-serve options for accomplishing your task.
+
+** BIOS Settings
+
+**2025-09-08**
+
+I underclocked the CPU today. I set the cpu/cache voltage offset to -50mV and lowered the P-Core multiplier from 56x to 50x. I was able to run Intel XTU benchmarks and the CPU stayed around 80C without any throttling kicking in, whereas before it would bounce around various cores at 100C with lots of throttling taking place.
+
+My goals for this change are:
+- CPU longevity
+- Fan noise
+- Addressing various apps that say 100C is a "critical temperature" (though I believe the CPU is rated for up to 110C)
+
+I'm leaving some performance on the table, but it almost feels like the default settings for this CPU were to effectively be overclocked.
--- a/machines/zix790prors/configuration.nix
+++ b/machines/zix790prors/configuration.nix
@@ -0,0 +1,97 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  roles = {
+    audio.enable = true;
+    bluetooth.enable = true;
+    desktop = {
+      enable = true;
+      gaming = {
+        enable = true;
+        emulation = true;
+      };
+      kde = true;
+      sddm = true;
+      wayland = true;
+      x11 = true;
+    };
+    nfs-mounts.enable = true;
+    nvidia.enable = true;
+    printing.enable = true;
+    remote-build.enableBuilder = true;
+    users.enable = true;
+    virtualisation.enable = true;
+  };
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.configurationLimit = 20;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.timeout = 10;
+
+  networking.hostName = "zix790prors"; # Define your hostname.
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  # Fix dual boot clock sync - tell Linux to use local time for hardware clock
+  time.hardwareClockInLocalTime = true;
+
+  # NVIDIA Graphics configuration
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.graphics.enable = true;
+  hardware.graphics.enable32Bit = true;
+  
+  # Set DP-0 as primary display with 164.90Hz refresh rate
+  services.xserver.displayManager.sessionCommands = ''
+    ${pkgs.xorg.xrandr}/bin/xrandr --output DP-0 --mode 3440x1440 --rate 164.90 --primary
+  '';
+
+  hardware.nvidia = {
+    modesetting.enable = true;
+    nvidiaSettings = true;
+    package = pkgs.linuxPackages.nvidiaPackages.stable;
+    open = true;
+    
+    # For gaming performance
+    powerManagement.enable = false;
+    powerManagement.finegrained = false;
+  };
+
+  services.ollama = {
+    enable = true;
+    acceleration = "cuda";
+    loadModels = [ "gpt-oss" "deepseek-r1" "qwen3:30b" ];
+  };
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "25.11"; # Did you read the comment?
+
+}
--- a/machines/zix790prors/hardware-configuration.nix
+++ b/machines/zix790prors/hardware-configuration.nix
@@ -0,0 +1,57 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/11C1-EB58";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  roles.btrfs = {
+    enable = true;
+    filesystems."/dev/disk/by-uuid/ec22734b-d1a3-4c99-8c6f-86f6a8d79007" = {
+      mountpoints = {
+        "/" = {
+          compression = "zstd";
+          extraOptions = [ "noatime" ];
+        };
+      };
+      scrub.enable = true;
+      deduplication = {
+        enable = true;
+        hashTableSizeMB = 128;
+        verbosity = "err";
+      };
+    };
+    filesystems."/dev/disk/by-uuid/4f9844ac-c1ad-4426-8eb3-21f2306345fb" = {
+      mountpoints = {
+        "/games" = {
+          extraOptions = [ "noatime" ];
+        };
+      };
+      scrub.enable = true;
+      deduplication = {
+        enable = true;
+        hashTableSizeMB = 256;
+        verbosity = "err";
+      };
+    };
+  };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/packages/app-launcher-server/app-launcher-server.py
+++ b/packages/app-launcher-server/app-launcher-server.py
@@ -0,0 +1,176 @@
+#!/usr/bin/env python3
+
+import json
+import logging
+import os
+import subprocess
+import sys
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from urllib.parse import urlparse
+import psutil
+
+# Configure logging
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger(__name__)
+
+# Allowlisted applications that can be launched
+ALLOWED_APPS = {
+    'firefox': 'firefox',
+    'kodi': 'kodi'
+}
+
+def is_app_running(app_name):
+    """Check if an application is already running, returns (is_running, pid)"""
+    command = ALLOWED_APPS.get(app_name)
+    if not command:
+        return False, None
+
+    logger.debug(f"Looking for processes related to app '{app_name}' (command: '{command}')")
+
+    for proc in psutil.process_iter(['name', 'cmdline', 'pid']):
+        try:
+            proc_name = proc.info['name']
+            cmdline = proc.info['cmdline'] or []
+
+            logger.debug(f"Checking process PID {proc.info['pid']}: name='{proc_name}', cmdline={cmdline}")
+
+            # Check multiple patterns for the application:
+            # 1. Process name exactly matches command
+            # 2. Process name contains the command (e.g., "kodi.bin" contains "kodi")
+            # 3. Command line starts with the command
+            # 4. Command line contains the wrapped version (e.g., ".kodi-wrapped")
+            # 5. Any command line argument ends with the command executable
+
+            matches = False
+            match_reason = ""
+
+            if proc_name == command:
+                matches = True
+                match_reason = f"exact process name match: '{proc_name}'"
+            elif command in proc_name:
+                matches = True
+                match_reason = f"process name contains command: '{proc_name}' contains '{command}'"
+            elif cmdline and cmdline[0] == command:
+                matches = True
+                match_reason = f"exact cmdline match: '{cmdline[0]}'"
+            elif cmdline and cmdline[0].endswith('/' + command):
+                matches = True
+                match_reason = f"cmdline path ends with command: '{cmdline[0]}'"
+            elif cmdline and any(f'.{command}-wrapped' in arg for arg in cmdline):
+                matches = True
+                match_reason = f"wrapped command in cmdline: {cmdline}"
+            elif cmdline and any(f'{command}.bin' in arg for arg in cmdline):
+                matches = True
+                match_reason = f"binary command in cmdline: {cmdline}"
+
+            if matches:
+                logger.info(f"Found running {app_name} process: PID {proc.info['pid']} ({match_reason})")
+                return True, proc.info['pid']
+
+        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
+            continue
+
+    logger.debug(f"No running process found for {app_name}")
+    return False, None
+
+class AppLauncherHandler(BaseHTTPRequestHandler):
+    def log_message(self, format, *args):
+        logger.info(format % args)
+
+    def do_GET(self):
+        if self.path == '/':
+            self.send_response(200)
+            self.send_header('Content-type', 'application/json')
+            self.end_headers()
+            response = {
+                'status': 'running',
+                'available_apps': list(ALLOWED_APPS.keys()),
+                'usage': 'POST /launch/<app_name> to launch an application'
+            }
+            self.wfile.write(json.dumps(response, indent=2).encode())
+        else:
+            self.send_error(404)
+
+    def do_POST(self):
+        parsed_path = urlparse(self.path)
+        path_parts = parsed_path.path.strip('/').split('/')
+
+        if len(path_parts) == 2 and path_parts[0] == 'launch':
+            app_name = path_parts[1]
+            self.launch_app(app_name)
+        else:
+            self.send_error(404, "Invalid endpoint. Use /launch/<app_name>")
+
+    def launch_app(self, app_name):
+        if app_name not in ALLOWED_APPS:
+            self.send_error(400, f"Application '{app_name}' not allowed. Available apps: {list(ALLOWED_APPS.keys())}")
+            return
+
+        command = ALLOWED_APPS[app_name]
+
+        # Check if app is already running
+        is_running, existing_pid = is_app_running(app_name)
+        if is_running:
+            logger.info(f"Application {app_name} is already running (PID: {existing_pid}), skipping launch")
+            self.send_response(200)
+            self.send_header('Content-type', 'application/json')
+            self.end_headers()
+            response = {
+                'status': 'success',
+                'message': f'{app_name} is already running',
+                'pid': existing_pid,
+                'already_running': True
+            }
+            self.wfile.write(json.dumps(response).encode())
+            return
+
+        try:
+            # Launch the application in the background
+            # Ensure we have the proper environment for GUI apps
+            env = os.environ.copy()
+
+            logger.info(f"Launching application: {command}")
+            process = subprocess.Popen(
+                [command],
+                env=env,
+                stdout=subprocess.DEVNULL,
+                stderr=subprocess.DEVNULL,
+                start_new_session=True
+            )
+
+            self.send_response(200)
+            self.send_header('Content-type', 'application/json')
+            self.end_headers()
+            response = {
+                'status': 'success',
+                'message': f'Successfully launched {app_name}',
+                'pid': process.pid,
+                'already_running': False
+            }
+            self.wfile.write(json.dumps(response).encode())
+
+        except FileNotFoundError:
+            logger.error(f"Application not found: {command}")
+            self.send_error(500, f"Application '{app_name}' not found on system")
+        except Exception as e:
+            logger.error(f"Error launching {command}: {e}")
+            self.send_error(500, f"Failed to launch {app_name}: {str(e)}")
+
+def main():
+    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8081
+
+    server = HTTPServer(('0.0.0.0', port), AppLauncherHandler)
+    logger.info(f"App launcher server starting on port {port}")
+    logger.info(f"Available applications: {list(ALLOWED_APPS.keys())}")
+
+    try:
+        server.serve_forever()
+    except KeyboardInterrupt:
+        logger.info("Server shutting down...")
+        server.server_close()
+
+if __name__ == '__main__':
+    main()
--- a/packages/app-launcher-server/default.nix
+++ b/packages/app-launcher-server/default.nix
@@ -0,0 +1,10 @@
+{ pkgs }:
+
+let
+  python = pkgs.python3.withPackages (ps: with ps; [
+    psutil
+  ]);
+in
+pkgs.writeShellScriptBin "app-launcher-server" ''
+  exec ${python}/bin/python3 ${./app-launcher-server.py} "$@"
+''
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  vulkanHDRLayer = pkgs.callPackage ./vulkan-hdr-layer {};
+  tea-rbw = pkgs.callPackage ./tea-rbw {};
+  app-launcher-server = pkgs.callPackage ./app-launcher-server {};
+}
--- a/packages/tea-rbw/default.nix
+++ b/packages/tea-rbw/default.nix
@@ -0,0 +1,58 @@
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "tea" ''
+  set -euo pipefail
+
+  # Check if tea config directory exists and has authentication
+  TEA_CONFIG_DIR="''${XDG_CONFIG_HOME:-$HOME/.config}/tea"
+  TEA_CONFIG_FILE="$TEA_CONFIG_DIR/config.yml"
+
+  # Function to setup tea authentication with rbw
+  setup_tea_auth() {
+    echo "Tea authentication not found. Setting up with rbw..."
+    
+    # Check if rbw is available
+    if ! command -v rbw &> /dev/null; then
+      echo "Error: rbw is not available. Please ensure rbw is installed and configured."
+      exit 1
+    fi
+
+    # Try to get the token from rbw
+    echo "Attempting to retrieve Gitea token from rbw..."
+    echo "Please enter the rbw entry name for your Gitea token:"
+    read -r rbw_entry
+
+    if ! token=$(rbw get "$rbw_entry" 2>/dev/null); then
+      echo "Error: Failed to retrieve token from rbw entry '$rbw_entry'"
+      echo "Available rbw entries:"
+      rbw list 2>/dev/null || echo "Failed to list rbw entries"
+      exit 1
+    fi
+
+    # Prompt for Gitea URL
+    echo "Please enter your Gitea URL (e.g., https://git.example.com):"
+    read -r gitea_url
+
+    # Create tea config directory if it doesn't exist
+    mkdir -p "$TEA_CONFIG_DIR"
+
+    # Setup tea login
+    if ! ${pkgs.tea}/bin/tea login add --name "default" --url "$gitea_url" --token "$token"; then
+      echo "Error: Failed to setup tea authentication"
+      exit 1
+    fi
+
+    echo "Tea authentication setup complete!"
+  }
+
+  # Check if tea is already configured
+  if [[ ! -f "$TEA_CONFIG_FILE" ]]; then
+    setup_tea_auth
+  elif ! ${pkgs.tea}/bin/tea whoami &>/dev/null; then
+    echo "Tea config exists but authentication failed. Re-running setup..."
+    setup_tea_auth
+  fi
+
+  # Execute tea with all provided arguments
+  exec ${pkgs.tea}/bin/tea "$@"
+''
--- a/packages/vulkan-hdr-layer/default.nix
+++ b/packages/vulkan-hdr-layer/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, meson, pkg-config, vulkan-loader, ninja, writeText, vulkan-headers, vulkan-utility-libraries,  jq, libX11, libXrandr, libxcb, wayland, wayland-scanner }:
+
+stdenv.mkDerivation rec {
+  pname = "vulkan-hdr-layer";
+  version = "63d2eec";
+
+  src = (fetchFromGitHub {
+    owner = "Zamundaaa";
+    repo = "VK_hdr_layer";
+    rev = "869199cd2746e7f69cf19955153080842b6dacfc";
+    fetchSubmodules = true;
+    hash = "sha256-xfVYI+Aajmnf3BTaY2Ysg5fyDO6SwDFGyU0L+F+E3is=";
+  }).overrideAttrs (_: {
+    GIT_CONFIG_COUNT = 1;
+    GIT_CONFIG_KEY_0 = "url.https://github.com/.insteadOf";
+    GIT_CONFIG_VALUE_0 = "git@github.com:";
+  });
+
+  nativeBuildInputs = [ vulkan-headers meson ninja pkg-config jq ];
+
+  buildInputs = [ vulkan-headers vulkan-loader vulkan-utility-libraries libX11 libXrandr libxcb wayland wayland-scanner ];
+
+  # Help vulkan-loader find the validation layers
+  setupHook = writeText "setup-hook" ''
+    addToSearchPath XDG_DATA_DIRS @out@/share
+  '';
+
+  meta = with lib; {
+    description = "Layers providing Vulkan HDR";
+    homepage = "https://github.com/Zamundaaa/VK_hdr_layer";
+    platforms = platforms.linux;
+    license = licenses.mit;
+  };
+}
--- a/roles/audio/default.nix
+++ b/roles/audio/default.nix
@@ -0,0 +1,41 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.audio;
+in
+{
+  options.roles.audio = {
+    enable = mkEnableOption "Enable the audio role";
+  };
+
+  config = mkIf cfg.enable
+    {
+      environment.systemPackages = with pkgs; [
+        easyeffects
+        paprefs
+        pavucontrol
+        pulsemixer
+      ];
+
+      services.pipewire = {
+        enable = true;
+        pulse.enable = true;
+      };
+
+      services.pulseaudio = {
+        package = pkgs.pulseaudioFull;
+        extraConfig = ''
+          load-module module-combine-sink
+          load-module module-switch-on-connect
+        '';
+      };
+
+      services.squeezelite = {
+        #enable = true;
+        pulseAudio = true;
+      };
+    };
+
+}
--- a/roles/bluetooth/default.nix
+++ b/roles/bluetooth/default.nix
@@ -0,0 +1,26 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.bluetooth;
+in
+{
+  options.roles.bluetooth = {
+    enable = mkEnableOption "Enable the bluetooth role";
+  };
+
+  config = mkIf cfg.enable
+    {
+      hardware.bluetooth.enable = true;
+      hardware.bluetooth.powerOnBoot = true;
+      hardware.bluetooth.settings = {
+        General = {
+          Enable = "Source,Sink,Media,Socket";
+        };
+      };
+
+      services.blueman.enable = true;
+    };
+
+}
--- a/roles/btrfs/default.nix
+++ b/roles/btrfs/default.nix
@@ -0,0 +1,173 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.btrfs;
+in
+{
+  options.roles.btrfs = {
+    enable = mkEnableOption "Enable btrfs filesystem management";
+    
+    filesystems = mkOption {
+      type = types.attrsOf (types.submodule {
+        options = {
+          # Filesystem-level maintenance options
+          scrub = {
+            enable = mkOption { 
+              type = types.bool; 
+              default = true;
+              description = "Enable automatic scrubbing for this filesystem";
+            };
+            interval = mkOption { 
+              type = types.str; 
+              default = "weekly";
+              description = "Scrub interval (systemd timer format)";
+            };
+          };
+          deduplication = {
+            enable = mkOption { 
+              type = types.bool; 
+              default = false;
+              description = "Enable beesd deduplication for this filesystem";
+            };
+            hashTableSizeMB = mkOption { 
+              type = types.int; 
+              default = 1024;
+              description = "Hash table size in MB (should be multiple of 16)";
+            };
+            verbosity = mkOption { 
+              type = types.str; 
+              default = "info";
+              description = "Logging verbosity level";
+            };
+          };
+          balance = {
+            enable = mkOption { 
+              type = types.bool; 
+              default = false;
+              description = "Enable periodic balance operations";
+            };
+            interval = mkOption { 
+              type = types.str; 
+              default = "monthly";
+              description = "Balance interval (systemd timer format)";
+            };
+            dataUsage = mkOption { 
+              type = types.int; 
+              default = 50;
+              description = "Data usage threshold for balance";
+            };
+            metadataUsage = mkOption { 
+              type = types.int; 
+              default = 50;
+              description = "Metadata usage threshold for balance";
+            };
+          };
+          
+          # Mountpoint-based configuration
+          mountpoints = mkOption {
+            type = types.attrsOf (types.submodule {
+              options = {
+                subvolume = mkOption { 
+                  type = types.nullOr types.str; 
+                  default = null;
+                  description = "Subvolume name. If null, uses default subvolume.";
+                };
+                compression = mkOption { 
+                  type = types.str; 
+                  default = "zstd";
+                  description = "Compression algorithm (zstd, lzo, lz4, none)";
+                };
+                autodefrag = mkOption { 
+                  type = types.bool; 
+                  default = false;
+                  description = "Enable automatic defragmentation";
+                };
+                extraOptions = mkOption { 
+                  type = types.listOf types.str; 
+                  default = [];
+                  description = "Additional mount options";
+                };
+              };
+            });
+            default = {};
+            description = "Mountpoint configurations for this filesystem";
+          };
+        };
+      });
+      default = {};
+      description = "Btrfs filesystems configuration";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      btrfs-progs
+      compsize
+    ];
+
+    # Generate fileSystems configuration from mountpoints
+    fileSystems = mkMerge (flatten (mapAttrsToList (device: fsCfg:
+      mapAttrsToList (mountpoint: mountCfg:
+        {
+          ${mountpoint} = {
+            device = device;
+            fsType = "btrfs";
+            options = 
+              (optional (mountCfg.subvolume != null) "subvol=${mountCfg.subvolume}") ++
+              [ "compress=${mountCfg.compression}" ] ++
+              (optional mountCfg.autodefrag "autodefrag") ++
+              mountCfg.extraOptions;
+          };
+        }
+      ) fsCfg.mountpoints
+    ) cfg.filesystems));
+    
+    # Configure scrub service using NixOS built-in
+    services.btrfs.autoScrub = mkIf (any (fs: fs.scrub.enable) (attrValues cfg.filesystems)) {
+      enable = true;
+      interval = "weekly"; # TODO: Make this configurable per filesystem
+      fileSystems = attrNames (filterAttrs (_: fs: fs.scrub.enable) cfg.filesystems);
+    };
+    
+    # Configure beesd for filesystems with deduplication enabled
+    services.beesd.filesystems = mapAttrs' (device: fsCfg: 
+      nameValuePair (replaceStrings ["/"] ["_"] (replaceStrings ["-"] ["_"] device)) {
+        spec = device;
+        hashTableSizeMB = fsCfg.deduplication.hashTableSizeMB;
+        verbosity = fsCfg.deduplication.verbosity;
+      }
+    ) (filterAttrs (_: fs: fs.deduplication.enable) cfg.filesystems);
+    
+    # Custom balance services for filesystems with balance enabled
+    systemd.services = mkMerge (mapAttrsToList (device: fsCfg: mkIf fsCfg.balance.enable {
+      "btrfs-balance-${replaceStrings ["/"] ["-"] (replaceStrings ["-"] ["_"] device)}" = {
+        description = "Balance btrfs filesystem ${device}";
+        script = ''
+          ${pkgs.btrfs-progs}/bin/btrfs balance start \
+            -dusage=${toString fsCfg.balance.dataUsage} \
+            -musage=${toString fsCfg.balance.metadataUsage} \
+            ${device}
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+          Nice = 19;
+          IOSchedulingClass = "idle";
+        };
+      };
+    }) cfg.filesystems);
+    
+    # Balance timers
+    systemd.timers = mkMerge (mapAttrsToList (device: fsCfg: mkIf fsCfg.balance.enable {
+      "btrfs-balance-${replaceStrings ["/"] ["-"] (replaceStrings ["-"] ["_"] device)}" = {
+        description = "Periodic balance for ${device}";
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = fsCfg.balance.interval;
+          Persistent = true;
+        };
+      };
+    }) cfg.filesystems);
+  };
+}
--- a/roles/darwin.nix
+++ b/roles/darwin.nix
@@ -0,0 +1,120 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  # Extract the set-environment path that nix-darwin generates
+  setEnvironmentPath = "${config.system.build.setEnvironment}";
+in
+{
+  config = {
+    # Salt manages /etc/bashrc, /etc/zshrc, /etc/zshenv
+    # nix-darwin writes to .local variants for nix-specific configuration
+
+    # Disable nix-darwin from managing the main shell files
+    environment.etc."bashrc".enable = false;
+    environment.etc."zshrc".enable = false;
+    environment.etc."zshenv".enable = false;
+    environment.etc."zprofile".enable = false;
+
+    # Create .local files with nix environment setup
+    environment.etc."bash.local".text = ''
+      # Nix environment setup
+      if [ -z "$__NIX_DARWIN_SET_ENVIRONMENT_DONE" ]; then
+        . ${setEnvironmentPath}
+      fi
+    '';
+
+    environment.etc."zshrc.local".text = ''
+      # Nix environment setup (already done in zshenv.local)
+    '';
+
+    environment.etc."zshenv.local".text = ''
+      # Nix environment setup
+      if [[ -o rcs ]]; then
+        if [ -z "''${__NIX_DARWIN_SET_ENVIRONMENT_DONE-}" ]; then
+          . ${setEnvironmentPath}
+        fi
+
+        # Tell zsh how to find installed completions
+        for p in ''${(z)NIX_PROFILES}; do
+          fpath=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions $fpath)
+        done
+      fi
+    '';
+
+    time.timeZone = "America/Los_Angeles";
+
+    # System preferences
+    system.defaults = {
+      # Custom keyboard shortcuts
+      CustomUserPreferences = {
+        "com.apple.symbolichotkeys" = {
+          AppleSymbolicHotKeys = {
+            # Screenshot - Capture entire screen (Cmd+Ctrl+3)
+            "28" = {
+              enabled = true;
+              value = {
+                parameters = [ 51 20 1310720 ];
+                type = "standard";
+              };
+            };
+            # Screenshot - Capture selected portion (Cmd+Ctrl+4)
+            "30" = {
+              enabled = true;
+              value = {
+                parameters = [ 52 21 1310720 ];
+                type = "standard";
+              };
+            };
+            # Screenshot - Show screenshot toolbar (Cmd+Ctrl+5)
+            "184" = {
+              enabled = true;
+              value = {
+                parameters = [ 53 23 1310720 ];
+                type = "standard";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    environment.systemPackages = with pkgs; [
+      git
+      glances
+      pciutils
+      tree
+      usbutils
+      vim
+    ];
+
+    nix = {
+      package = pkgs.nix;
+      # distributedBuilds = true;
+      # buildMachines = [{
+      #   hostName = "z790prors.oglehome";
+      #   system = "x86_64-linux";
+      #   protocol = "ssh-ng";
+      #   sshUser = "johno";
+      #   sshKey = "/root/.ssh/id_ed25519";
+      #   maxJobs = 3;
+      #   speedFactor = 2;
+      # }];
+      settings = {
+        experimental-features = [ "nix-command" "flakes" ];
+        max-jobs = "auto";
+        trusted-users = [ "johno" ];
+        substituters = [
+        ];
+      };
+
+      gc = {
+        automatic = true;
+        options = "--delete-older-than 10d";
+      };
+    };
+
+    nixpkgs.config.allowUnfree = true;
+  };
+}
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -0,0 +1,90 @@
+{ lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ./audio
+    ./bluetooth
+    ./btrfs
+    ./desktop
+    ./kodi
+    ./nfs-mounts
+    ./nvidia
+    ./printing
+    ./remote-build
+    ./spotifyd
+    ./users
+    ./virtualisation
+  ];
+
+  config = {
+    i18n.defaultLocale = "en_US.UTF-8";
+    i18n.extraLocaleSettings = {
+      LC_ADDRESS = "en_US.UTF-8";
+      LC_IDENTIFICATION = "en_US.UTF-8";
+      LC_MEASUREMENT = "en_US.UTF-8";
+      LC_MONETARY = "en_US.UTF-8";
+      LC_NAME = "en_US.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "en_US.UTF-8";
+      LC_TELEPHONE = "en_US.UTF-8";
+      LC_TIME = "en_US.UTF-8";
+    };
+    time.timeZone = "America/Los_Angeles";
+
+    services.xserver.xkb = {
+      layout = "us";
+      variant = "";
+      options = "caps:escape";
+    };
+
+    # Don't go to emergency mode if we aren't able to mount filesystems.
+    # This is silly if you have multiple hard drives or partitions
+    # configured on a machine and then one goes away intentionally or
+    # unintentionally. If the system is already booting, let it continue
+    # to try and boot.
+    systemd.enableEmergencyMode = false;
+
+    # Enable the OpenSSH daemon.
+    services.openssh.enable = true;
+
+    environment.systemPackages = with pkgs; [
+      git
+      glances
+      pciutils
+      tree
+      usbutils
+      vim
+    ];
+
+    nix = {
+      package = pkgs.nix;
+      # distributedBuilds = true;
+      # buildMachines = [{
+      #   hostName = "z790prors.oglehome";
+      #   system = "x86_64-linux";
+      #   protocol = "ssh-ng";
+      #   sshUser = "johno";
+      #   sshKey = "/root/.ssh/id_ed25519";
+      #   maxJobs = 3;
+      #   speedFactor = 2;
+      # }];
+      settings = {
+        experimental-features = [ "nix-command" "flakes" ];
+        max-jobs = "auto";
+        trusted-users = [ "johno" ];
+        substituters = [
+        ];
+      };
+
+      gc = {
+        automatic = true;
+        randomizedDelaySec = "14m";
+        options = "--delete-older-than 10d";
+      };
+    };
+
+    nixpkgs.config.allowUnfree = true;
+  };
+}
--- a/roles/desktop/default.nix
+++ b/roles/desktop/default.nix
@@ -0,0 +1,28 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+{
+  options.roles.desktop = {
+    enable = mkEnableOption "Enable the desktop role.";
+
+    x11 = mkOption { type = types.bool; default = false; description = "Enable X11 support."; };
+    wayland = mkOption { type = types.bool; default = false; description = "Enable Wayland support."; };
+    kde = mkOption { type = types.bool; default = false; description = "Enable KDE."; };
+    gaming = {
+      enable = mkOption { type = types.bool; default = false; description = "Enable gaming support."; };
+      emulation = mkOption { type = types.bool; default = false; description = "Enable emulation support."; };
+    };
+    sddm = mkOption { type = types.bool; default = false; description = "Enable SDDM greeter."; };
+  };
+
+  imports = [
+    ./x11.nix
+    ./wayland.nix
+    ./gaming.nix
+    ./kde.nix
+    ./programs.nix
+    ./sddm.nix
+    ./steamos.nix
+  ];
+}
--- a/roles/desktop/gaming.nix
+++ b/roles/desktop/gaming.nix
@@ -0,0 +1,37 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.desktop;
+in
+{
+  config = mkMerge [
+    (mkIf (cfg.enable && cfg.gaming.enable) {
+      environment.systemPackages = with pkgs; [
+        steam
+        lutris
+        moonlight
+      ];
+
+      # Possibly other gaming specific services or settings
+    })
+
+    (mkIf (cfg.enable && cfg.gaming.emulation) {
+      environment.systemPackages = with pkgs; [
+        dolphin-emu
+        dolphin-emu-primehack
+        retroarch-full
+        ryubing
+      ];
+      # TODO: Remove me once dolphin-emu and dolphin-emu-primehack update
+      #       dependencies to mbedtls from mbedtls_2 (which is currently)
+      #       unmaintained
+      nixpkgs.config.permittedInsecurePackages = [ "mbedtls-2.28.10" ];
+
+      warnings = [
+        "Using insecure mbedtls-2.28.10 for Dolphin Emu - check for updates regularly"
+      ];
+    })
+  ];
+}
--- a/roles/desktop/kde.nix
+++ b/roles/desktop/kde.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.desktop;
+in
+{
+  config = mkIf (cfg.enable && cfg.kde) {
+    services.desktopManager.plasma6.enable = true;
+  };
+}
--- a/roles/desktop/programs.nix
+++ b/roles/desktop/programs.nix
@@ -0,0 +1,37 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.desktop;
+in
+{
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      brightnessctl
+      emacs-nox
+      moonlight-qt
+    ];
+
+    programs.dconf.enable = true;
+    services.gnome.gnome-keyring.enable = true;
+    programs.kdeconnect.enable = true;
+
+    # XDG Desktop Portal for default application handling in non-KDE environments
+    xdg.portal = {
+      enable = true;
+      extraPortals = with pkgs; [
+        kdePackages.xdg-desktop-portal-kde  # For KDE application integration
+        xdg-desktop-portal-gtk  # Fallback for GTK applications
+      ];
+      config = {
+        common = {
+          default = "kde";
+        };
+        i3 = {
+          default = ["kde" "gtk"];
+        };
+      };
+    };
+  };
+}
--- a/roles/desktop/sddm.nix
+++ b/roles/desktop/sddm.nix
@@ -0,0 +1,15 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.desktop;
+in
+{
+  config = mkIf (cfg.enable && cfg.sddm) {
+    services.displayManager.sddm = {
+      enable = true;
+      wayland.enable = (!cfg.x11 && cfg.wayland);
+    };
+  };
+}
--- a/roles/desktop/steamos.nix
+++ b/roles/desktop/steamos.nix
@@ -0,0 +1,47 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.desktop;
+in
+{
+  options.roles.desktop.steamos = {
+    enable = mkEnableOption "SteamOS (Jovian) configuration";
+
+    autoStart = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Automatically start Steam Deck UI on boot";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "johno";
+      description = "User to run Steam as";
+    };
+
+    desktopSession = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Desktop session to launch when switching to Desktop Mode";
+    };
+
+    enableDeckyLoader = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable Decky Loader plugin system";
+    };
+  };
+
+  config = mkIf (cfg.enable && cfg.steamos.enable) {
+    jovian.steam = {
+      enable = true;
+      autoStart = cfg.steamos.autoStart;
+      user = cfg.steamos.user;
+      desktopSession = cfg.steamos.desktopSession;
+    };
+
+    jovian.decky-loader.enable = cfg.steamos.enableDeckyLoader;
+  };
+}
--- a/roles/desktop/wayland.nix
+++ b/roles/desktop/wayland.nix
@@ -0,0 +1,23 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.desktop;
+in
+{
+  config = mkIf (cfg.enable && cfg.wayland) {
+    programs.sway = {
+      enable = true;
+      wrapperFeatures.gtk = true;
+    };
+    programs.light.enable = true;
+
+    environment.systemPackages = with pkgs; [
+      grim
+      slurp
+      wl-clipboard
+      mako
+    ];
+  };
+}
--- a/roles/desktop/x11.nix
+++ b/roles/desktop/x11.nix
@@ -0,0 +1,26 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.desktop;
+in
+{
+  config = mkIf (cfg.enable && cfg.x11) {
+    services.xserver = {
+      enable = true;
+
+      windowManager.i3 = {
+        enable = true;
+        extraPackages = with pkgs; [
+          dmenu
+          i3status
+          i3lock
+          polkit_gnome                    # GNOME polkit authentication agent (more stable with i3)
+          picom                           # Compositor for smooth rendering (important for Nvidia)
+          networkmanagerapplet            # NetworkManager system tray applet
+        ];
+      };
+    };
+  };
+}
--- a/roles/jovian-compat.nix
+++ b/roles/jovian-compat.nix
@@ -0,0 +1,43 @@
+{ lib, config, ... }:
+
+# Compatibility shim to provide services.logind.settings for NixOS 25.05
+# This allows Jovian-NixOS to work with stable NixOS
+# REMOVE THIS FILE when upgrading to NixOS 25.11 or later
+
+with lib;
+
+let
+  nixosVersion = config.system.nixos.release;
+  isCompatibleVersion = versionOlder nixosVersion "25.11";
+in
+{
+  options.services.logind.settings = mkOption {
+    type = types.attrsOf (types.attrsOf types.anything);
+    default = {};
+    description = "systemd-logind configuration. See logind.conf(5) for available options.";
+  };
+
+  config = mkMerge [
+    {
+      assertions = [
+        {
+          assertion = isCompatibleVersion;
+          message = ''
+            The Jovian compatibility shim (roles/jovian-compat.nix) is only needed for NixOS 25.05 and earlier.
+            You are running NixOS ${nixosVersion}.
+            Please remove 'roles/jovian-compat.nix' from your flake.nix imports.
+          '';
+        }
+      ];
+    }
+    (mkIf (config.services.logind.settings != {}) {
+      # Convert the settings to extraConfig format for older NixOS
+      services.logind.extraConfig = let
+        mkSection = section: settings:
+          "[${section}]\n" +
+          (concatStringsSep "\n" (mapAttrsToList (k: v: "${k}=${toString v}") settings));
+      in
+        concatStringsSep "\n\n" (mapAttrsToList mkSection config.services.logind.settings);
+    })
+  ];
+}
--- a/roles/kodi/default.nix
+++ b/roles/kodi/default.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.kodi;
+in
+{
+  options.roles.kodi = {
+    enable = mkEnableOption "Enable Kodi";
+    autologin = mkOption {
+      default = false;
+    };
+    wayland = mkOption {
+      default = true;
+    };
+    appLauncherServer = {
+      enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable HTTP app launcher server for remote control";
+      };
+      port = mkOption {
+        type = types.int;
+        default = 8081;
+        description = "Port for the app launcher HTTP server";
+      };
+    };
+  };
+
+
+  config = let
+    kodiBasePkg = if cfg.wayland then pkgs.kodi-wayland else pkgs.kodi;
+    kodiPkg = kodiBasePkg.withPackages (pkgs: with pkgs; [
+      jellyfin
+      steam-launcher
+      steam-library
+      youtube
+    ]);
+  in mkIf cfg.enable
+    {
+      users.extraUsers.kodi = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" "networkmanager" "audio" "video" ];
+      };
+
+      networking.firewall = {
+        allowedTCPPorts = [ 8080 ] ++ optional cfg.appLauncherServer.enable cfg.appLauncherServer.port;
+        allowedUDPPorts = [ 8080 ];
+      };
+
+      environment.systemPackages = with pkgs; [
+        kodiPkg
+        wget
+        firefox
+      ] ++ optional cfg.appLauncherServer.enable pkgs.custom.app-launcher-server;
+
+      programs.kdeconnect.enable = true;
+
+      systemd.user.services = mkIf cfg.appLauncherServer.enable {
+        app-launcher-server = {
+          description = "HTTP App Launcher Server";
+          wantedBy = [ "graphical-session.target" ];
+          after = [ "graphical-session.target" ];
+          serviceConfig = {
+            Type = "simple";
+            ExecStart = "${pkgs.custom.app-launcher-server}/bin/app-launcher-server ${toString cfg.appLauncherServer.port}";
+            Restart = "always";
+            RestartSec = "5s";
+            Environment = [
+              "PATH=${pkgs.firefox}/bin:${kodiPkg}/bin:/run/current-system/sw/bin"
+            ];
+          };
+        };
+      };
+
+      services.displayManager = mkIf cfg.autologin {
+        autoLogin.enable = true;
+        autoLogin.user = "kodi";
+        defaultSession = "plasma";
+      };
+    };
+}
--- a/roles/nfs-mounts/default.nix
+++ b/roles/nfs-mounts/default.nix
@@ -1,8 +1,31 @@
-{ config, ... }:
+{ config, lib, ... }:

+with lib;
+
+let
+  cfg = config.roles.nfs-mounts;
+in
 {
-  fileSystems."/media" = {
-    device = "10.0.0.43:/media";
-    fsType = "nfs";
+  options.roles.nfs-mounts = {
+    enable = mkEnableOption "Enable default NFS mounts";
+    # TODO: implement requireMount
+    requireMount = mkOption {
+      type = types.bool;
+      description = "Hard fail if the NFS mounts are not available";
+      default = false;
+    };
  };
+
+  config = mkIf cfg.enable
+    {
+      fileSystems."/media" = {
+        device = "10.0.0.43:/media";
+        fsType = "nfs";
+        options = [
+          "defaults"
+          "nofail"
+          "softreval"
+        ];
+      };
+    };
 }
--- a/roles/nvidia/default.nix
+++ b/roles/nvidia/default.nix
@@ -0,0 +1,20 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.nvidia;
+in
+{
+  options.roles.nvidia = {
+    enable = mkEnableOption "Enable the nvidia role";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      libva-utils
+      nvidia-vaapi-driver
+      nvtopPackages.nvidia
+    ];
+  };
+}
--- a/roles/printing/default.nix
+++ b/roles/printing/default.nix
@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.printing;
+in
+{
+  options.roles.printing = {
+    enable = mkEnableOption "Enable default printing setup";
+  };
+
+  config = mkIf cfg.enable
+    {
+      services.printing.enable = true;
+
+      services.avahi = {
+        enable = true;
+        nssmdns4 = true;
+        openFirewall = true;
+      };
+
+      hardware.printers.ensurePrinters = [{
+        name = "MFC-L8900CDW_series";
+        deviceUri = "ipp://brother.oglehome/ipp/print";
+        model = "everywhere";
+      }];
+      hardware.printers.ensureDefaultPrinter = "MFC-L8900CDW_series";
+
+      # Fix ensure-printers service to wait for network availability
+      systemd.services.ensure-printers = {
+        after = [ "cups.service" "network-online.target" ];
+        wants = [ "cups.service" "network-online.target" ];
+      };
+    };
+}
--- a/roles/remote-build/default.nix
+++ b/roles/remote-build/default.nix
@@ -0,0 +1,127 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.remote-build;
+in
+{
+  options.roles.remote-build = {
+    enableBuilder = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable this machine as a remote build host for other machines";
+    };
+
+    builderUser = mkOption {
+      type = types.str;
+      default = "nix-builder";
+      description = "User account for remote builders to connect as";
+    };
+
+    builders = mkOption {
+      type = types.listOf (types.submodule {
+        options = {
+          hostName = mkOption {
+            type = types.str;
+            description = "Hostname or IP address of the build machine";
+          };
+
+          systems = mkOption {
+            type = types.listOf types.str;
+            default = [ "x86_64-linux" ];
+            description = "Supported systems";
+          };
+
+          maxJobs = mkOption {
+            type = types.int;
+            default = 8;
+            description = "Maximum number of parallel build jobs";
+          };
+
+          speedFactor = mkOption {
+            type = types.int;
+            default = 2;
+            description = "Speed factor compared to local building (higher = prefer remote)";
+          };
+
+          supportedFeatures = mkOption {
+            type = types.listOf types.str;
+            default = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+            description = "Supported build features";
+          };
+
+          sshUser = mkOption {
+            type = types.str;
+            default = "nix-builder";
+            description = "SSH user for connecting to the builder";
+          };
+
+          sshKey = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = "Path to SSH private key for authentication";
+          };
+        };
+      });
+      default = [];
+      description = "List of remote build machines to use";
+    };
+
+    fallbackToLocalBuild = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Fallback to local building if remote builders are unavailable";
+    };
+  };
+
+  config = mkMerge [
+    # Builder host configuration
+    (mkIf cfg.enableBuilder {
+      # Create dedicated builder user
+      users.users.${cfg.builderUser} = {
+        isSystemUser = true;
+        group = cfg.builderUser;
+        description = "Nix remote build user";
+        home = "/var/lib/${cfg.builderUser}";
+        createHome = true;
+        shell = pkgs.bashInteractive;
+        openssh.authorizedKeys.keyFiles = [];  # Will be populated by client machines
+      };
+
+      users.groups.${cfg.builderUser} = {};
+
+      # Allow builder user to perform builds
+      nix.settings.trusted-users = [ cfg.builderUser ];
+
+      # Allow remote builds
+      services.openssh.enable = true;
+
+      # Ensure nix-daemon is accessible
+      nix.settings.allowed-users = [ "*" ];
+    })
+
+    # Client configuration (machines using remote builders)
+    (mkIf (cfg.builders != []) {
+      nix.buildMachines = map (builder: {
+        hostName = builder.hostName;
+        systems = builder.systems;
+        maxJobs = builder.maxJobs;
+        speedFactor = builder.speedFactor;
+        supportedFeatures = builder.supportedFeatures;
+        sshUser = builder.sshUser;
+        sshKey = builder.sshKey;
+      }) cfg.builders;
+
+      nix.distributedBuilds = true;
+
+      # Use substitutes from remote builders
+      nix.extraOptions = ''
+        builders-use-substitutes = true
+      '';
+
+      # Fallback to local build if remote unavailable
+      nix.settings.fallback = cfg.fallbackToLocalBuild;
+    })
+  ];
+}
--- a/roles/spotifyd/default.nix
+++ b/roles/spotifyd/default.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.spotifyd;
+in
+{
+  options.roles.spotifyd = {
+    enable = mkEnableOption "Enable the spotifyd role";
+  };
+
+  config = mkIf cfg.enable
+    {
+      roles.audio.enable = true;
+
+      services.spotifyd = {
+        enable = true;
+        settings = {
+          global = {
+            use_mpris = false;
+            backend = "alsa";
+            device = "sysdefault";
+            bitrate = 320;
+            cache_path = "";
+            zeroconf_port = 1234;
+            autoplay = false;
+          };
+        };
+      };
+
+      networking.firewall.allowedTCPPorts = [
+        1234
+        57621
+      ];
+      networking.firewall.allowedUDPPorts = [
+        5353
+      ];
+    };
+}
--- a/roles/users/default.nix
+++ b/roles/users/default.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.roles.users;
+in
+{
+  options.roles.users = {
+    enable = mkEnableOption "Enable default users";
+    extraGroups = mkOption {
+      default = [];
+    };
+    kids = mkOption {
+      type = types.bool;
+      default = false;
+    };
+  };
+
+  config = let
+    kidsPackages = with pkgs; [
+      firefox
+    ];
+  in mkIf cfg.enable {
+    users.users.johno = {
+      isNormalUser = true;
+      description = "John Ogle";
+      extraGroups = [ "wheel" "networkmanager" "audio" "video" ] ++ cfg.extraGroups;
+    };
+
+    users.users.eli = mkIf cfg.kids {
+      isNormalUser = true;
+      description = "Eli";
+      home = "/home/eli";
+      packages = kidsPackages;
+    };
+
+    users.users.andrew = mkIf cfg.kids {
+      isNormalUser = true;
+      description = "Andrew";
+      home = "/home/andrew";
+      packages = kidsPackages;
+    };
+
+    users.users.jules = mkIf cfg.kids {
+      isNormalUser = true;
+      description = "Jules";
+      home = "/home/jules";
+      packages = kidsPackages;
+    };
+  };
+}
--- a/roles/virtualisation/default.nix
+++ b/roles/virtualisation/default.nix
@@ -1,6 +1,20 @@
-{ config, ... }:
+{ config, lib, ... }:

+with lib;
+
+let
+  cfg = config.roles.virtualisation;
+in
 {
-  virtualisation.libvirtd.enable = true;
-  programs.virt-manager.enable = true;
+  options.roles.virtualisation = {
+    enable = mkEnableOption "Enable virtualisation";
+  };
+
+  config = mkIf cfg.enable
+    {
+      virtualisation.libvirtd.enable = true;
+      programs.virt-manager.enable = true;
+      virtualisation.docker.enable = true;
+      users.extraGroups.docker.members = [ "johno" ];
+    };
 }