update

Add api, authHeader, and discovery.type fields so omp can
discover models via GET /v1/models with the Bearer token.

.gitea/workflows/deploy.yml

@@ -0,0 +1,38 @@
+name: Build
+on:
+  push:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: nix
+    steps:
+      - uses: https://github.com/actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Unlock git-crypt
+        run: |
+          git-crypt unlock /run/agenix/git-crypt-key-dotfiles
+
+      - name: Build NixOS configuration (yarn)
+        run: |
+          nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
+
+      - name: Record yarn store path for pull-update
+        continue-on-error: true
+        run: |
+          mkdir -p /var/lib/dotfiles-deploy
+          readlink -f result > /var/lib/dotfiles-deploy/yarn
+          nix-store --add-root /var/lib/dotfiles-deploy/yarn-gcroot -r "$(readlink -f result)"
+
+      - name: Build NixOS configuration (mreow)
+        run: |
+          nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
+
+      - name: Record mreow store path
+        continue-on-error: true
+        run: |
+          mkdir -p /var/lib/dotfiles-deploy
+          readlink -f result > /var/lib/dotfiles-deploy/mreow
+          nix-store --add-root /var/lib/dotfiles-deploy/mreow-gcroot -r "$(readlink -f result)"

.gitignore

@@ -0,0 +1 @@
+/result

AGENTS.md

@@ -0,0 +1,168 @@
+# AGENTS.md
+
+## Project Overview
+
+NixOS dotfiles for two hosts using Nix flakes + home-manager:
+- **mreow** — Framework 13 AMD AI 300 laptop, niri WM, greetd, swaylock
+- **yarn** — Desktop, Jovian-NixOS (Steam deck mode), impermanence, sddm, pull-based updates from CI
+
+Secrets in `system/secrets/` and `home-manager/secrets/` are encrypted with git-crypt. **Never read or write files in those directories.**
+
+## Build & Deploy Commands
+
+```sh
+# Build and apply (default: boot, or pass switch/test/build)
+./deploy.sh              # nixos-rebuild boot --flake . --use-remote-sudo
+./deploy.sh switch       # apply immediately
+./deploy.sh test         # apply without adding boot entry
+./deploy.sh build        # build only, no activation
+
+# Build a specific host without deploying
+nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
+nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
+
+# yarn pulls updates automatically on boot from the binary cache.
+# CI builds the yarn closure, records the store path, and Harmonia serves it.
+# To manually trigger the pull on yarn:
+systemctl start pull-update
+
+# Format all Nix files (uses nixfmt-tree, declared in flake.nix)
+nix fmt
+
+# Evaluate without building (quick syntax/type check)
+nix eval .#nixosConfigurations.mreow.config.system.build.toplevel --no-build 2>&1 | head -5
+nix eval .#nixosConfigurations.yarn.config.system.build.toplevel --no-build 2>&1 | head -5
+
+# Update flake inputs
+nix flake update
+nix flake update --input-name nixpkgs   # update a single input
+```
+
+There are no tests. Validation is done by building the system configuration (`nix build -L`).
+Always append `-L` to `nix build` for verbose build logs.
+If nix complains a file isn't found, `git add` the file first — Nix flakes only see tracked files.
+
+## Repository Structure
+
+```
+flake.nix                          # Root flake: inputs, outputs, host definitions
+deploy.sh                          # Wrapper around nixos-rebuild
+system/
+  common.nix                       # Shared system config (boot, audio, users, etc.)
+  system-mreow.nix                 # Laptop-specific system config
+  system-yarn.nix                  # Desktop-specific system config
+  networking.nix                   # NetworkManager, DNS
+  impermanence.nix                 # Ephemeral root for yarn
+  disk_mreow.nix / disk_yarn.nix   # Disko disk layouts
+  vm.nix                           # Virtualization (libvirt, waydroid)
+  vr.nix / no-rgb.nix / steam.nix  # Feature modules
+  secrets/                         # git-crypt encrypted, DO NOT READ
+home-manager/
+  home-mreow.nix                   # Laptop home-manager entry point
+  home-yarn.nix                    # Desktop home-manager entry point
+  gui.nix                          # GUI packages + theming (imports no-gui.nix)
+  no-gui.nix                       # CLI tools, dev toolchains, git config
+  desktop.nix                      # Desktop environment (niri, dunst, swaylock, noctalia)
+  wallpaper.png                    # Shared wallpaper
+  progs/                           # One file per program
+    fish.nix, alacritty.nix, emacs.nix, helix.nix, niri.nix, ...
+    zen/                           # Zen Browser (multi-file: default.nix, ublock.nix, dark-reader.nix)
+    opencode.nix                   # AI coding tools config
+  util/                            # Helper derivations (blur.nix, inverse_color.nix)
+  secrets/                         # git-crypt encrypted, DO NOT READ
+```
+
+## Import Hierarchy
+
+```
+flake.nix
+ ├─ system/system-{host}.nix → common.nix → networking.nix, vm.nix, steam.nix
+ └─ home-manager/home-{host}.nix → gui.nix → no-gui.nix
+                                  → desktop.nix → niri.nix, dunst.nix, swaylock.nix, noctalia.nix
+```
+
+Adding a new program: create `home-manager/progs/myprog.nix`, import it from the appropriate layer (`gui.nix` for GUI apps, `no-gui.nix` for CLI tools, or `home-{host}.nix` for host-specific).
+
+## Nix Code Style
+
+**Formatter**: `nixfmt-tree` — run `nix fmt` before committing. All style below conforms to what nixfmt-tree produces.
+
+### Module Structure
+```nix
+# Function arguments: destructured attrset, alphabetical-ish, always end with `...`
+{ pkgs, lib, inputs, config, ... }:
+
+# Optional let bindings for local values
+let
+  myThing = "value";
+in
+{
+  imports = [
+    ./other-module.nix
+  ];
+
+  # Configuration here
+}
+```
+
+### Conventions
+- **Indentation**: 2 spaces (enforced by nixfmt-tree)
+- **Imports**: relative paths (`./progs/fish.nix`), one per line in a list
+- **Package references**: use `lib.getExe pkgs.foo` for bin paths, not `${pkgs.foo}/bin/foo`
+- **Package lists**: group thematically with comments, use `with pkgs;` or `lib.concatLists` for multiple groups
+- **Unfree packages**: explicitly allowlisted per-file via `nixpkgs.config.allowUnfreePredicate`
+- **Comments**: lowercase, informal, `#` style. Use `# BUG!` or `# TODO!` prefixes for known issues
+- **No trailing commas**: Nix syntax does not support them
+- **Attribute sets**: opening brace on same line, closing brace aligned with the key
+- **Overlays**: imported inline within the module that needs them via `nixpkgs.overlays`
+- **Special args**: passed through `specialArgs` (system) or `extraSpecialArgs` (home-manager) in flake.nix — includes `inputs`, `username`, `hostname`, `niri-package`, `homeDirectory`, `stateVersion`
+
+### Patterns Used
+
+```nix
+# Package path references
+lib.getExe pkgs.swaylock        # preferred
+"${pkgs.avizo}/bin/volumectl"   # acceptable when lib.getExe doesn't work
+
+# Conditional/host-specific overrides
+lib.mkForce false               # override inherited values
+lib.mkDefault "value"           # set overridable defaults
+
+# Helper derivations (see home-manager/util/)
+pkgs.callPackage ../util/blur.nix       # for derivations that take { stdenv, ... }:
+
+# Combining package lists
+home.packages = with pkgs; lib.concatLists [
+  [ pkg1 pkg2 ]   # group 1
+  [ pkg3 pkg4 ]   # group 2
+  someList         # from let binding
+];
+```
+
+### Naming
+- **Host configs**: `system-{hostname}.nix`, `home-{hostname}.nix`, `disk_{hostname}.nix`
+- **Program modules**: `progs/{program-name}.nix` (one program per file)
+- **Utility derivations**: `util/{descriptive-name}.nix`
+- **Variables**: `snake_case` or `camelCase` (no strict rule, follow local context)
+
+## Key Technical Details
+
+- **nixpkgs channel**: unstable (`nixos-unstable`)
+- **Secure boot**: lanzaboote with keys extracted from `system/secrets/secureboot.tar`
+- **Disk management**: disko
+- **Privilege escalation**: doas (sudo is disabled), shim at `doas-sudo-shim`
+- **Shell**: fish (bash redirects to fish via `programs.bash.interactiveShellInit`)
+- **Wayland**: niri compositor, xwayland-satellite for X11 compat
+- **Desktop shell**: noctalia-shell (bar, launcher, notifications)
+- **Git**: GPG signing enabled (`signByDefault = true`), default branch `main`
+- **Impermanence** (yarn only): root is ephemeral, `/persistent` holds state, home is bind-mounted
+
+## Agent-Specific Instructions
+
+- If instructed to commit, **disable GPG signing** (`git commit --no-gpg-sign`).
+- Use `nix-shell -p <package>` if a tool is not available in the environment.
+- For `nix build`, always append `-L` for verbose logs.
+- If nix reports a missing file, run `git add <file>` first — flakes only see git-tracked files.
+- Do not read files under `system/secrets/` or `home-manager/secrets/`.
+- Run `nix fmt` after editing any `.nix` file.
+- Validate changes with `nix build .#nixosConfigurations.{host}.config.system.build.toplevel -L`.

README.md

@@ -18,5 +18,4 @@ There is more that I'm using, but those are the main ones! Read my configs to ge
   - Got my background from [here](https://old.reddit.com/r/celestegame/comments/11dtgwg/all_most_of_the_backgrounds_in_celeste_edited/) and used the command `magick input.png -filter Point -resize 2880x1920! output.png` to upscale it bilinearly
 
 ## TODO!
-- [ ] further unify desktop and laptop configs
 - [ ] Seperate out common shell utilities into a module or some sort (could be used on other machines)

flake.lock

@@ -12,11 +12,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1771437256,
-        "narHash": "sha256-bLqwib+rtyBRRVBWhMuBXPCL/OThfokA+j6+uH7jDGU=",
+        "lastModified": 1776249299,
+        "narHash": "sha256-Dt9t1TGRmJFc0xVYhttNBD6QsAgHOHCArqGa0AyjrJY=",
         "owner": "numtide",
         "repo": "blueprint",
-        "rev": "06ee7190dc2620ea98af9eb225aa9627b68b0e33",
+        "rev": "56131e8628f173d24a27f6d27c0215eff57e40dd",
         "type": "github"
       },
       "original": {
@@ -46,26 +46,59 @@
         ]
       },
       "locked": {
-        "lastModified": 1770895533,
-        "narHash": "sha256-v3QaK9ugy9bN9RXDnjw0i2OifKmz2NnKM82agtqm/UY=",
-        "owner": "nix-community",
+        "lastModified": 1776182890,
+        "narHash": "sha256-+/VOe8XGq5klpU+I19D+3TcaR7o+Cwbq67KNF7mcFak=",
+        "owner": "Mic92",
         "repo": "bun2nix",
-        "rev": "c843f477b15f51151f8c6bcc886954699440a6e1",
+        "rev": "648d293c51e981aec9cb07ba4268bc19e7a8c575",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
+        "owner": "Mic92",
+        "ref": "catalog-support",
         "repo": "bun2nix",
         "type": "github"
       }
     },
+    "cachyos-kernel": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1776183001,
+        "narHash": "sha256-lvLKB5dTqjO1S/YonS9ZyWemEjO6QXtN4D76rYEYy4s=",
+        "owner": "CachyOS",
+        "repo": "linux-cachyos",
+        "rev": "4224303b6d7a50dd1cc3ffa78864050cc9536eec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "CachyOS",
+        "repo": "linux-cachyos",
+        "type": "github"
+      }
+    },
+    "cachyos-kernel-patches": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1776355454,
+        "narHash": "sha256-b9Hc0sTxjEzDbphzS9yQqxVha/7bsPIs2cQQQvaG45E=",
+        "owner": "CachyOS",
+        "repo": "kernel-patches",
+        "rev": "b5e029226df5cc30c103651072d49a7af2878202",
+        "type": "github"
+      },
+      "original": {
+        "owner": "CachyOS",
+        "repo": "kernel-patches",
+        "type": "github"
+      }
+    },
     "crane": {
       "locked": {
-        "lastModified": 1771796463,
-        "narHash": "sha256-9bCDuUzpwJXcHMQYMS1yNuzYMmKO/CCwCexpjWOl62I=",
+        "lastModified": 1773189535,
+        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "3d3de3313e263e04894f284ac18177bd26169bad",
+        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
         "type": "github"
       },
       "original": {
@@ -74,28 +107,6 @@
         "type": "github"
       }
     },
-    "deploy-rs": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "utils": "utils"
-      },
-      "locked": {
-        "lastModified": 1770019181,
-        "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
-        "owner": "serokell",
-        "repo": "deploy-rs",
-        "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
-        "type": "github"
-      },
-      "original": {
-        "owner": "serokell",
-        "repo": "deploy-rs",
-        "type": "github"
-      }
-    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -120,11 +131,11 @@
     "doomemacs": {
       "flake": false,
       "locked": {
-        "lastModified": 1772783183,
-        "narHash": "sha256-YpqMWBeMQHHwlwCjXe7zU9UKU8Up7rdXTKikPsiHNJw=",
+        "lastModified": 1776400245,
+        "narHash": "sha256-RuQB1PxazI4DOw3O+rEVU2FPT0vP0Xb+Gp/M6Yqer20=",
         "owner": "doomemacs",
         "repo": "doomemacs",
-        "rev": "15d55259159d471f5bd329c712f1010c39e3cc37",
+        "rev": "860a91aaac235701f30b70fdc74259d438818968",
         "type": "github"
       },
       "original": {
@@ -143,11 +154,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772818138,
-        "narHash": "sha256-Q/zaIhzvvjCN6/oPcOsyljP0LO0RUvB90BSuDNVYNF8=",
+        "lastModified": 1776478519,
+        "narHash": "sha256-4TWCOVYe0iWEKuW7OH93nRI4Z7u68wNT6k9UJn0FZ5w=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "594ce4b67cd089110785a9c23731f61767d233d3",
+        "rev": "513e332b074507e1b46992952e7d83f329f2c22c",
         "type": "github"
       },
       "original": {
@@ -156,18 +167,40 @@
         "type": "github"
       }
     },
+    "firefox-addons": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "dir": "pkgs/firefox-addons",
+        "lastModified": 1776398575,
+        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
+        "owner": "rycee",
+        "repo": "nur-expressions",
+        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
+        "type": "gitlab"
+      },
+      "original": {
+        "dir": "pkgs/firefox-addons",
+        "owner": "rycee",
+        "repo": "nur-expressions",
+        "type": "gitlab"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "owner": "edolstra",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
-        "owner": "edolstra",
+        "owner": "NixOS",
         "repo": "flake-compat",
         "type": "github"
       }
@@ -196,11 +229,29 @@
         ]
       },
       "locked": {
-        "lastModified": 1772408722,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
         "type": "github"
       },
       "original": {
@@ -211,7 +262,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems"
       },
       "locked": {
         "lastModified": 1710146030,
@@ -227,24 +278,6 @@
         "type": "github"
       }
     },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_5"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
@@ -274,11 +307,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772807318,
-        "narHash": "sha256-Qjw6ILt8cb2HQQpCmWNLMZZ63wEo1KjTQt+1BcQBr7k=",
+        "lastModified": 1776454077,
+        "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "daa2c221320809f5514edde74d0ad0193ad54ed8",
+        "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
         "type": "github"
       },
       "original": {
@@ -333,11 +366,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772783167,
-        "narHash": "sha256-yOeOq+dmcgkzLRolqAG28bA8ilj3D89vZgAIkBafC5A=",
+        "lastModified": 1776428236,
+        "narHash": "sha256-+0SyQglnT2xUiyY07155G+O7aUWISELwqtTnfURufRU=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "2a9a092cabc057309900943d6c69ad4728c693ed",
+        "rev": "eac78fc379ca47f7e21be8539c405e5fb489a857",
         "type": "github"
       },
       "original": {
@@ -379,11 +412,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772216104,
-        "narHash": "sha256-1TnGN26vnCEQk5m4AavJZxGZTb/6aZyphemRPRwFUfs=",
+        "lastModified": 1776248416,
+        "narHash": "sha256-TC6yzbCAex1pDfqUZv9u8fVm8e17ft5fNrcZ0JRDOIQ=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "dbe5112de965bbbbff9f0729a9789c20a65ab047",
+        "rev": "18e9e64bae15b828c092658335599122a6db939b",
         "type": "github"
       },
       "original": {
@@ -400,15 +433,15 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "systems": "systems_3",
+        "systems": "systems_2",
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1772806698,
-        "narHash": "sha256-hc6NZ0UlY5V1hHlrsCG+fJClReMJQCqW4SJ3Kq1SVK8=",
+        "lastModified": 1776482297,
+        "narHash": "sha256-KmsWPwtbO8vrlH/R9stIun0LKZ4PFSCCEdqWDeLgbTE=",
         "owner": "numtide",
         "repo": "llm-agents.nix",
-        "rev": "a90b7a43af62a0732c7aba479fd493c777956aa0",
+        "rev": "66c76393570f8fc4730caa2dc2d2c470fe33a3c9",
         "type": "github"
       },
       "original": {
@@ -431,11 +464,11 @@
         "xwayland-satellite-unstable": "xwayland-satellite-unstable"
       },
       "locked": {
-        "lastModified": 1772698812,
-        "narHash": "sha256-7+K/VaZ7TXUeUGSYshg8wC3UsRZHB+M4x6r38Q1B79c=",
+        "lastModified": 1776435348,
+        "narHash": "sha256-qsZnMThxTqxCJZ7DEKu3DD3KjIPcuUBvZ0C9a2uIvaQ=",
         "owner": "sodiboo",
         "repo": "niri-flake",
-        "rev": "5641625ef950f024e3e0e3f38bb91f876290c0be",
+        "rev": "55b5b1fc9481ab267603a1099e5d4b4ebc7394d7",
         "type": "github"
       },
       "original": {
@@ -464,11 +497,11 @@
     "niri-unstable": {
       "flake": false,
       "locked": {
-        "lastModified": 1772207631,
-        "narHash": "sha256-Jkkg+KqshFO3CbTszVVpkKN2AOObYz+wMsM3ONo1z5g=",
+        "lastModified": 1776432730,
+        "narHash": "sha256-Pq1ZVvRGq/IFiFH6vkNwMfZEpWk23NjgGdX50COdj/c=",
         "owner": "YaLTeR",
         "repo": "niri",
-        "rev": "e708f546153f74acf33eb183b3b2992587a701e5",
+        "rev": "c814c656c53ea9d69f5afb45c88f4dc4d25338cd",
         "type": "github"
       },
       "original": {
@@ -477,6 +510,31 @@
         "type": "github"
       }
     },
+    "nix-cachyos-kernel": {
+      "inputs": {
+        "cachyos-kernel": "cachyos-kernel",
+        "cachyos-kernel-patches": "cachyos-kernel-patches",
+        "flake-compat": "flake-compat_2",
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1776386586,
+        "narHash": "sha256-eVAUaL/6n8mnmBiPpEVW1NDNVSKLWhYVfycG+P0SvWU=",
+        "owner": "xddxdd",
+        "repo": "nix-cachyos-kernel",
+        "rev": "c65c3faf90ae07bae101c15ef502f0bcb06c5d74",
+        "type": "github"
+      },
+      "original": {
+        "owner": "xddxdd",
+        "ref": "release",
+        "repo": "nix-cachyos-kernel",
+        "type": "github"
+      }
+    },
     "nix-doom-emacs-unstraightened": {
       "inputs": {
         "doomemacs": "doomemacs",
@@ -486,14 +544,14 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "systems": "systems_4"
+        "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1772787454,
-        "narHash": "sha256-ZX2thoeGlLv19f7dTYXn87mJqOKs2NcmQdW9Sz+ZbPg=",
+        "lastModified": 1776419397,
+        "narHash": "sha256-vmWJwNYtQFexLG6r/v8Dlou/5z8FbFCLo3QqZ/stLYQ=",
         "owner": "marienz",
         "repo": "nix-doom-emacs-unstraightened",
-        "rev": "1daa7d67180961e06d8fe0ef80394de5ec61fe93",
+        "rev": "7623dd4adbdf5f8a8464ecc5fd089e5c5cb5dada",
         "type": "github"
       },
       "original": {
@@ -541,11 +599,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1771969195,
-        "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=",
+        "lastModified": 1775490113,
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
         "type": "github"
       },
       "original": {
@@ -557,11 +615,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1772624091,
-        "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
+        "lastModified": 1776169885,
+        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
+        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
         "type": "github"
       },
       "original": {
@@ -571,6 +629,21 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1774748309,
+        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
     "noctalia": {
       "inputs": {
         "nixpkgs": [
@@ -579,11 +652,11 @@
         "noctalia-qs": "noctalia-qs"
       },
       "locked": {
-        "lastModified": 1772804651,
-        "narHash": "sha256-90DfP4v5+DITh2C12HP4v6hMkF0o6WN5TlrcOAQeMHI=",
+        "lastModified": 1776302695,
+        "narHash": "sha256-xZc9o1JLQpmWn2Dqui323+Tq2Ai4sSdtdvbFZCs4qLo=",
         "owner": "noctalia-dev",
         "repo": "noctalia-shell",
-        "rev": "6b64fa11fca2f4d80625dfa0e15523ed13808cf4",
+        "rev": "a7c724181fca5d1aff2d47b18fa733504cfdbda2",
         "type": "github"
       },
       "original": {
@@ -597,14 +670,16 @@
         "nixpkgs": [
           "noctalia",
           "nixpkgs"
-        ]
+        ],
+        "systems": "systems_4",
+        "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1772673824,
-        "narHash": "sha256-TLHXPoELZA6VeuzC1Zpx+MnSsYzrJs+DSieMgfjAOJc=",
+        "lastModified": 1775957204,
+        "narHash": "sha256-d4CVRtAty2GzDYXx4xYQmR+nlOjjKovyprQfZhgLckU=",
         "owner": "noctalia-dev",
         "repo": "noctalia-qs",
-        "rev": "f8531192cd09b9ea2e78d18e9cfc9d3dba498690",
+        "rev": "68e82fe34c68ee839a9c37e3466820e266af0c86",
         "type": "github"
       },
       "original": {
@@ -613,31 +688,9 @@
         "type": "github"
       }
     },
-    "oh-my-opencode": {
-      "inputs": {
-        "flake-utils": "flake-utils_2",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1770618333,
-        "narHash": "sha256-7Y9e2nrsi4yKwBXZ7RUF1B5FN4RJUT4rYI1SvA0vDEw=",
-        "owner": "yebei199",
-        "repo": "oh-my-opencode",
-        "rev": "bde5264e4c3a91ded482acd35c8ed239d21d1de2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "yebei199",
-        "ref": "nix",
-        "repo": "oh-my-opencode",
-        "type": "github"
-      }
-    },
     "pre-commit": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
         "gitignore": "gitignore",
         "nixpkgs": [
           "lanzaboote",
@@ -645,11 +698,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1771858127,
-        "narHash": "sha256-Gtre9YoYl3n25tJH2AoSdjuwcqij5CPxL3U3xysYD08=",
+        "lastModified": 1772893680,
+        "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "49bbbfc218bf3856dfa631cead3b052d78248b83",
+        "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9",
         "type": "github"
       },
       "original": {
@@ -660,9 +713,9 @@
     },
     "root": {
       "inputs": {
-        "deploy-rs": "deploy-rs",
         "disko": "disko",
         "emacs-overlay": "emacs-overlay",
+        "firefox-addons": "firefox-addons",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
         "jovian-nixos": "jovian-nixos",
@@ -670,12 +723,12 @@
         "lanzaboote": "lanzaboote",
         "llm-agents": "llm-agents",
         "niri": "niri",
+        "nix-cachyos-kernel": "nix-cachyos-kernel",
         "nix-doom-emacs-unstraightened": "nix-doom-emacs-unstraightened",
         "nix-flatpak": "nix-flatpak",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "noctalia": "noctalia",
-        "oh-my-opencode": "oh-my-opencode",
         "rust-overlay": "rust-overlay",
         "zen-browser": "zen-browser"
       }
@@ -687,11 +740,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772775058,
-        "narHash": "sha256-i+I9RYN8kYb9/9kibkxd0avkkislD1tyWojSVgIy160=",
+        "lastModified": 1776481912,
+        "narHash": "sha256-Xq7p+Ex3YHFAd+fFFLOYw2Wv67582X7SAmrEDtIDZQ4=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "629bbb7f9d02787a54e28398b411da849246253b",
+        "rev": "e611106c527e8ab0adbb641183cda284411d575c",
         "type": "github"
       },
       "original": {
@@ -747,31 +800,16 @@
     },
     "systems_4": {
       "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
         "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_5": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
+        "repo": "default-linux",
         "type": "github"
       }
     },
@@ -783,11 +821,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772660329,
-        "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
+        "lastModified": 1775636079,
+        "narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "3710e0e1218041bbad640352a0440114b1e10428",
+        "rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
         "type": "github"
       },
       "original": {
@@ -796,21 +834,25 @@
         "type": "github"
       }
     },
-    "utils": {
+    "treefmt-nix_2": {
       "inputs": {
-        "systems": "systems"
+        "nixpkgs": [
+          "noctalia",
+          "noctalia-qs",
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "lastModified": 1775636079,
+        "narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
         "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "repo": "treefmt-nix",
+        "rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
         "type": "github"
       },
       "original": {
         "owner": "numtide",
-        "repo": "flake-utils",
+        "repo": "treefmt-nix",
         "type": "github"
       }
     },
@@ -834,11 +876,11 @@
     "xwayland-satellite-unstable": {
       "flake": false,
       "locked": {
-        "lastModified": 1772429643,
-        "narHash": "sha256-M+bAeCCcjBnVk6w/4dIVvXvpJwOKnXjwi/lDbaN6Yws=",
+        "lastModified": 1773622265,
+        "narHash": "sha256-wToKwH7IgWdGLMSIWksEDs4eumR6UbbsuPQ42r0oTXQ=",
         "owner": "Supreeeme",
         "repo": "xwayland-satellite",
-        "rev": "10f985b84cdbcc3bbf35b3e7e43d1b2a84fa9ce2",
+        "rev": "a879e5e0896a326adc79c474bf457b8b99011027",
         "type": "github"
       },
       "original": {
@@ -857,11 +899,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772772172,
-        "narHash": "sha256-OCEb6jXTvhnMTMqMLleYChekDO/zh+VtunBAS0WevPM=",
+        "lastModified": 1776403742,
+        "narHash": "sha256-ZmGY9XiOsuMS/THsSNkgp2fnc3asXQX/xRrQpWnY9nA=",
         "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "5f8f34c0dd56808ecbfa35697353c455e4a416b3",
+        "rev": "ca7077bea5c830470437ea878da2a1940773324c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -33,6 +33,11 @@
       inputs.home-manager.follows = "home-manager";
     };
 
+    firefox-addons = {
+      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     niri = {
       url = "github:sodiboo/niri-flake";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -58,12 +63,6 @@
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.home-manager.follows = "home-manager";
     };
-
-    deploy-rs = {
-      url = "github:serokell/deploy-rs";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     jovian-nixos = {
       url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -74,14 +73,12 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    llm-agents = {
-      url = "github:numtide/llm-agents.nix";
+    nix-cachyos-kernel = {
+      url = "github:xddxdd/nix-cachyos-kernel/release";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-
-    # wait for https://github.com/code-yeongyu/oh-my-opencode/pull/921 to be merged
-    oh-my-opencode = {
-      url = "github:yebei199/oh-my-opencode/nix";
+    llm-agents = {
+      url = "github:numtide/llm-agents.nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -98,7 +95,6 @@
       lanzaboote,
       nixos-hardware,
       home-manager,
-      deploy-rs,
       jovian-nixos,
       ...
     }@inputs:
@@ -134,6 +130,9 @@
                 {
                   # home-manager.useGlobalPkgs = true;
                   home-manager.useUserPackages = true;
+                  home-manager.sharedModules = [
+                    inputs.zen-browser.homeModules.twilight
+                  ];
                   home-manager.extraSpecialArgs = {
                     inherit
                       inputs
@@ -152,14 +151,5 @@
           };
         }
       ) { } hostnames;
-
-      # Deploy-rs configuration for yarn host only
-      deploy.nodes.yarn = {
-        hostname = "desktop";
-        profiles.system = {
-          sshUser = "root";
-          path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.yarn;
-        };
-      };
     };
 }

home-manager/desktop.nix

@@ -9,9 +9,6 @@
     # niri wayland compositor
     ./progs/niri.nix
 
-    # statusbar
-    # ./progs/eww/eww.nix
-
     # lockscreen
     ./progs/swaylock.nix
 
@@ -29,5 +26,4 @@
     # used by /etc/nixos logic to launch niri
     config.programs.niri.package
   ];
-
 }

home-manager/gui.nix

@@ -2,6 +2,7 @@
   pkgs,
   lib,
   inputs,
+  config,
   ...
 }:
 {
@@ -12,6 +13,7 @@
     ./progs/emacs.nix
     # ./progs/trezor.nix # - broken
     ./progs/flatpak.nix
+    ./progs/zen
   ];
 
   nixpkgs.config.allowUnfreePredicate =
@@ -34,7 +36,6 @@
       # browsers
       [
         tor-browser
-        inputs.zen-browser.packages."${system}".twilight
         grayjay
       ]
 
@@ -171,7 +172,6 @@
   };
 
   home.sessionVariables = {
-    BROWSER = "zen";
     LD_LIBRARY_PATH = "${pkgs.lib.makeLibraryPath [
       pkgs.stdenv.cc.cc
     ]}";
@@ -188,6 +188,8 @@
       package = pkgs.adw-gtk3;
       name = "adw-gtk3-dark";
     };
+    # gtk4 apps use libadwaita natively, no theme package needed
+    gtk4.theme = null;
     iconTheme = {
       package = pkgs.adwaita-icon-theme;
       name = "Adwaita";

home-manager/no-gui.nix

@@ -107,6 +107,11 @@ let
     units
 
     jq
+
+    # DNS things
+    dig
+
+    bun
   ];
 
 in
@@ -114,7 +119,7 @@ in
   imports = [
     ./progs/fish.nix
     ./progs/helix.nix
-    ./progs/opencode.nix
+    ./progs/pi.nix
     (
       { ... }:
       {
@@ -206,8 +211,6 @@ in
         # power stuff
         powerstat
 
-        nodePackages_latest.nodejs
-
         yt-dlp
       ]
       rust_pkgs

home-manager/progs/borg.nix

@@ -8,7 +8,6 @@
         location = {
           sourceDirectories = (
             map (f: "${homeDirectory}/${f}") [
-              ".zen"
               ".local/share/fish"
               ".ssh"
               "Documents"
@@ -16,18 +15,6 @@
               "Pictures"
               "school"
             ]
-            ++ (map (f: ".config/Signal/${f}") [
-              "stickers.noindex"
-              "attachments.noindex"
-              "downloads.noindex"
-              "drafts.noindex"
-              "sql"
-              "IndexedDB"
-              "Local Storage"
-              "SharedStorage"
-              "config.json"
-              "Preferences"
-            ])
           );
 
           excludeHomeManagerSymlinks = true;

home-manager/progs/doom.d/config.el

@@ -82,5 +82,16 @@
   (map! :map undo-fu-mode-map "C-?" #'undo-fu-only-redo))
 
 
+;; Fix SPC p p slowness
+(after! projectile
+  (setq projectile-indexing-method 'alien
+        projectile-enable-caching nil
+        projectile-project-search-path '("~/projects/"))
+  (projectile-discover-projects-in-search-path))
+
+;; Packages are already natively compiled by Nix; JIT recompilation
+;; just wastes cycles (and the eln-cache is invalidated on every rebuild anyway)
+(setq native-comp-jit-compilation nil)
+
 ;; line wrapping
 (visual-line-mode t)

home-manager/progs/eww/config/eww.scss

@@ -1,109 +0,0 @@
-$background: #1e1e2e;
-$pink: #f5c2e7;
-$lavendar: #b4befe;
-$red: #f38ba8;
-$maroon: #eba0ac;
-$peach: #fab387;
-$yellow: #f9e2af;
-$green: #a6e3a1;
-$text: #cdd6f4;
-$subtext: #a6adc8;
-$surface: #585b70;
-
-* {
-	color: $text;
-	font-family: CaskaydiaCove Nerd Font Mono;
-	font-weight: 600;
-	font-size: 10pt;
-	padding: 0 1px;
-}
-
-.red {
-	color: $red;
-}
-
-.maroon {
-	color: $maroon;
-}
-
-.peach {
-	color: $peach;
-}
-
-.yellow {
-	color: $yellow;
-}
-
-.green {
-	color: $green;
-}
-
-.lavendar {
-	color: $lavendar;
-}
-
-.symbol {
-	color: $lavendar;
-	font-size: 20px;
-}
-
-.button {
-	* {
-		all: unset;
-		margin: 0 5px;
-		font-size: 14pt;
-		transition: color 0.2s ease-in-out;
-	}
-
-	&:hover * {
-		color: $pink;
-	}
-}
-
-.bluetooth * {
-	font-size: 10pt;
-	padding: 0 0.3em;
-}
-
-.padded>*:not(:last-child) {
-	padding: 0 10px;
-	border-right: 1px solid $surface;
-}
-
-.background {
-	border: 1px solid $pink;
-	background-color: $background;
-	border-radius: 12px;
-	opacity: 0.8;
-}
-
-scale trough {
-	margin: 0 10px;
-	border: none;
-	background-color: #FFF;
-	min-height: 3px;
-	min-width: 100px;
-
-	& slider {
-		box-shadow: none;
-		background-image: none;
-		border: none;
-		background-color: $pink;
-		min-width: 5pt;
-		min-height: 5pt;
-		margin: -5pt;
-	}
-
-	& highlight {
-		border: none;
-		background-color: $lavendar;
-	}
-}
-
-.clipboard {
-	color: $subtext;
-}
-
-.time {
-	padding-right: 10px;
-}

home-manager/progs/eww/config/eww.yuck

@@ -1 +0,0 @@
-(include "./statusbar.yuck")

home-manager/progs/eww/config/scripts/currentWindow.sh

@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-niri_data=$(niri msg --json focused-window)
-
-if [[ "$niri_data" == "null" ]]; then
-    exit 0
-fi
-
-name=$(echo "$niri_data" | jq -r '.["app_id"], .["title"]' | tr '\n' ' ' | sed 's/.$//')
-proc_name=$(echo "$name" | head -c 55)
-
-
-# TODO! fix this logic, add a '...' at the end
-if [[ "$name" != "$proc_name" ]]; then
-    proc_name="$proc_name..."
-fi
-
-echo "$proc_name"

home-manager/progs/eww/config/scripts/currentWorkspace.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/env fish
-
-niri msg --json workspaces | jq -r '.[] | select(.is_focused == true) | .["id"]'

home-manager/progs/eww/config/scripts/power_bat.rs

@@ -1,58 +0,0 @@
-#!/usr/bin/env rust-script
-
-use std::{fmt, fs::read_to_string, str::FromStr};
-
-const BASE_PATH: &str = "/sys/class/power_supply/BAT1/";
-const CURRENT_NOW_PATH: &str = "current_now";
-const VOLTAGE_NOW_PATH: &str = "voltage_now";
-const STATUS_PATH: &str = "status";
-const FACTOR: f32 = 1e6_f32;
-
-#[derive(Debug)]
-enum Status {
-    Charging,
-    Discharging,
-    NotCharging,
-}
-
-impl FromStr for Status {
-    type Err = &'static str;
-
-    fn from_str(input: &str) -> Result<Status, Self::Err> {
-        match input {
-            "Charging" => Ok(Status::Charging),
-            "Discharging" => Ok(Status::Discharging),
-            "Not charging" => Ok(Status::NotCharging),
-            _ => Err("unknown state"),
-        }
-    }
-}
-
-impl fmt::Display for Status {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        fmt::Debug::fmt(self, f)
-    }
-}
-
-fn fetch_and_trim_into<T: FromStr<Err = impl fmt::Debug>>(path: &str) -> T {
-    let mut content = read_to_string(BASE_PATH.to_owned() + path).unwrap();
-    content.pop();
-    T::from_str(&content).unwrap()
-}
-
-fn fetch_bat_info(path: &str) -> f32 {
-    let value: f32 = fetch_and_trim_into(path);
-    value / FACTOR
-}
-
-fn main() {
-    let current_now: f32 = fetch_bat_info(CURRENT_NOW_PATH);
-    let voltage_now: f32 = fetch_bat_info(VOLTAGE_NOW_PATH);
-    let watts: f32 = current_now * voltage_now;
-    let status: Status = fetch_and_trim_into(STATUS_PATH);
-
-    println!(
-        "voltage: {:.4}\ncurrent: {:.4}\nwatts: {:.4}\nstatus: {}",
-        voltage_now, current_now, watts, status
-    );
-}

home-manager/progs/eww/config/scripts/sound/getSink.sh

@@ -1,2 +0,0 @@
-#!/usr/bin/env sh
-wpctl inspect @DEFAULT_SINK@ | grep -E "^  +\* node\.description" | cut -d' ' -f6- | tr -d '"'

home-manager/progs/eww/config/scripts/sound/getVolume.sh

@@ -1,22 +0,0 @@
-#!/usr/bin/env bash
-output=$(wpctl get-volume @DEFAULT_SINK@ | cut -d' ' -f2- | sed -E 's/\.//g' | sed 's/^0*//g')
-count=$(echo "$output" | awk -F, '{print $1+0}')
-muted=$(echo "$output" | cut -d'[' -f2 | cut -d ']' -f1)
-
-# if not muted, set to empty string
-if [ "$muted" == "$count" ]; then
-  muted=""
-fi
-
-color="green"
-if ((count > 75)); then color="yellow"; fi
-if ((count > 90)); then color="peach"; fi
-if ((count > 100)); then color="maroon"; fi
-if ((count > 110)); then color="red"; fi
-
-output="${count}%"
-if [ "$muted" != "" ]; then
-  output="${output} [${muted}]"
-fi
-
-echo "{\"count\":\"${output}\", \"color\":\"${color}\"}"

home-manager/progs/eww/config/scripts/wifiInfo.zsh

@@ -1,23 +0,0 @@
-#!/usr/bin/env zsh
-export CHARSET=ASCII
-case $1 in
-	name)
-		nmcli -f IN-USE,SSID d w | grep '*' | sed 's/[\* ]//g' | cat
-		exit 0;;
-	strength)
-		str=$(nmcli -f ACTIVE,BARS d w | grep 'yes' | tr -d ' yesno')
-		case ${str: 0:-1} in
-		'****')
-			icon="󰤨"; colour="green";;
-		'***')
-			icon="󰤥"; colour="yellow";;
-		'**')
-			icon="󰤢"; colour="peach";;
-		'*')
-			icon="󰤟"; colour="maroon";;
-		*)
-			icon="󰤯"; colour="red";;
-		esac
-		echo "{\"icon\":\"$icon\",\"colour\":\"$colour\"}"
-		exit 0;;
-esac

home-manager/progs/eww/config/statusbar.yuck

@@ -1,130 +0,0 @@
-(defwindow statusbar
-    :monitor 0
-    :stacking "fg"
-    :exclusive true
-    :geometry (geometry
-               :y "0.5%"
-               :width "100%"
-               :height "24px"
-               :anchor "top center")
-    (statusbar))
-
-(defwidget statusbar []
-  (centerbox
-   (box :space-evenly false :halign 'start' :class 'padded'
-        (window-title))
-   (time)
-   (box :space-evenly false :halign 'end' :class 'padded'
-        (brightness-ctl)
-        (brightness-ctl-opener)
-        (volume)
-        (battery)
-        (bluetooth)
-        (wifi))))
-
-(defwidget cmd-slider [?symbol value command max color]
-           (box :space-evenly false
-                (label :text symbol :class "symbol")
-                (scale
-                 :min 0 :max max
-                 :value value
-                 :round-digits 0
-                 :timeout "200ms"
-                 :onchange command)
-                (label :text "${value}%" :class color)))
-
-(defpoll windowtitle :interval "1s" `scripts/currentWindow.sh`)
-
-(defwidget window-title []
-  (label
-   :text {windowtitle == "" ? "" : "(${windowtitle})"}))
-
-(defwidget brightness-ctl []
-  (box :visible brightnessctl-open
-       (cmd-slider :symbol "󰃠" :value brightness
-                   :command `brightnessctl set {}%`
-                   :max 101 :color {
-                   brightness >= 80 ? "green" :
-                   brightness >= 50 ? "yellow" :
-                   brightness >= 30 ? "peach" :
-                   brightness >= 10 ? "maroon" : "red"
-                   })))
-
-
-(defpoll brightness :interval "1s" :run-while brightnessctl-open `brightnessctl -m | awk -F, '{print $4+0}'`)
-
-
-(defvar brightnessctl-open false)
-(defwidget brightness-ctl-opener []
-  (eventbox :class "button"
-    (button
-      :onclick `${EWW_CMD} update brightnessctl-open=${!brightnessctl-open}`
-    "󰃠")))
-
-(defwidget wifi []
-  (eventbox
-    :class "button ${wifi-strength.colour}"
-    (label
-      :text {wifi-strength.icon}
-    :tooltip "Connected To: ${wifi-name}")))
-
-(defpoll wifi-strength :interval "10s" `scripts/wifiInfo.zsh strength`)
-(defpoll wifi-name :interval "1m" `scripts/wifiInfo.zsh name`)
-
-(defwidget bluetooth []
-  (eventbox
-    :class "bluetooth button ${ bluetooth-name != "" ? "green" : "lavendar" }"
-    :onclick `blueman-manager &`
-    (label
-    :text "${bluetooth-name} 󰂯")))
-
-; `FNR == 1 + head -c 30` so the name doesn't explode the screen
-(defpoll bluetooth-name :interval "10s" `bluetoothctl devices Connected | awk '$1 == "Device" {print $0}' | cut -d' ' -f3-`)
-
-(defwidget time []
-  (box
-    :space-evenly false
-    :class "time"
-    :tooltip {time.long}
-    (label :class "yellow" :text {time.hour})
-    (label :text ":")
-    (label :class "yellow" :text {time.minute})))
-
-(defpoll time :interval "1s" `date +'{"long":"%a %b %e %H:%M:%S %Z %Y","hour":"%H","minute":"%M"}'`)
-
-(defpoll powerstats :interval "2s" `power_bat`)
-
-(defwidget battery []
-  (box :space-evenly false
-    :tooltip powerstats
-    (label
-      :text {EWW_BATTERY.BAT1.status == "Charging" ? "󰂄" :
-      EWW_BATTERY.BAT1.capacity >= 90 ? "󰁹" :
-      EWW_BATTERY.BAT1.capacity >= 80 ? "󰂂" :
-      EWW_BATTERY.BAT1.capacity >= 70 ? "󰂁" :
-      EWW_BATTERY.BAT1.capacity >= 60 ? "󰂀" :
-      EWW_BATTERY.BAT1.capacity >= 50 ? "󰁿" :
-      EWW_BATTERY.BAT1.capacity >= 40 ? "󰁾" :
-      EWW_BATTERY.BAT1.capacity >= 30 ? "󰁽" :
-      EWW_BATTERY.BAT1.capacity >= 20 ? "󰁼" :
-      EWW_BATTERY.BAT1.capacity >= 10 ? "󰁻" : "󰁺"
-      }
-      :class {
-      EWW_BATTERY.BAT1.capacity >= 80 ? "green" :
-      EWW_BATTERY.BAT1.capacity >= 50 ? "yellow" :
-      EWW_BATTERY.BAT1.capacity >= 30 ? "peach" :
-      EWW_BATTERY.BAT1.capacity >= 10 ? "maroon" : "red"
-    })
-    (label :text "${EWW_BATTERY.BAT1.capacity}%" :class "yellow")))
-
-
-(defpoll volumevalue :interval "1s" `scripts/sound/getVolume.sh`)
-(defpoll volumesink :interval "1s" `scripts/sound/getSink.sh`)
-
-(defwidget volume []
-  (eventbox :tooltip volumesink
-  :onclick `pwvucontrol &`
-  (label :text "${volumevalue.count}" :class {volumevalue.color})))
-
-
-(defpoll currentworkspace :interval "1s" `scripts/currentWorkspace.sh`)

home-manager/progs/eww/eww.nix

@@ -1,40 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-{
-  home.packages = with pkgs; [
-    zsh
-    bluez
-    brightnessctl
-    (callPackage ./power_bat.nix { })
-  ];
-
-  programs.eww = {
-    enable = true;
-    configDir = ./config;
-  };
-
-  programs.niri.settings.spawn-at-startup = [
-    {
-      command = [
-        (lib.getExe config.programs.eww.package)
-        "-c"
-        "${config.programs.eww.configDir}"
-        "open"
-        "statusbar"
-      ];
-    }
-
-    # swaybg works on more than just sway (sets a wallpaper)
-    {
-      command = [
-        (lib.getExe pkgs.swaybg)
-        "-i"
-        "${../wallpaper.png}"
-      ];
-    }
-  ];
-}

home-manager/progs/eww/power_bat.nix

@@ -1,4 +0,0 @@
-{ pkgs, lib, ... }:
-pkgs.writeShellScriptBin "power_bat" ''
-  exec ${lib.getExe pkgs.rust-script} ${./config/scripts/power_bat.rs} "$@"
-''

home-manager/progs/noctalia.nix

@@ -12,6 +12,7 @@
 
   programs.noctalia-shell = {
     enable = true;
+    package = pkgs.noctalia-shell;
     settings = {
       bar = {
         position = "top";

home-manager/progs/opencode.nix

@@ -1,206 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  inputs,
-  ...
-}:
-let
-  # what model should be used in place of haiku?
-  haiku-model = "zai-coding-plan/glm-5";
-
-  opus-model = "zai-coding-plan/glm-5";
-
-  ohMyOpencodeConfig = {
-    "$schema" =
-      "https://raw.githubusercontent.com/code-yeongyu/oh-my-opencode/master/assets/oh-my-opencode.schema.json";
-    agents = {
-      sisyphus.model = opus-model;
-      sisyphus-junior.model = opus-model;
-      oracle.model = opus-model;
-      librarian.model = haiku-model;
-      explore.model = haiku-model;
-      multimodal-looker.model = "openrouter/qwen/qwen3-vl-30b-a3b-thinking";
-
-      prometheus.model = opus-model;
-      metis.model = opus-model;
-      momus.model = opus-model;
-      atlas.model = opus-model;
-    };
-    categories = {
-      visual-engineering.model = "openrouter/google/gemini-3-pro";
-      ultrabrain.model = opus-model;
-      artistry = {
-        model = "openrouter/google/gemini-3-pro";
-        variant = "max";
-      };
-      quick.model = haiku-model;
-      deep.model = opus-model;
-      writing.model = "openrouter/google/gemini-3-flash-preview";
-    };
-  };
-in
-{
-  home.packages =
-    let
-      ohMyOpencode =
-        let
-          orig = inputs.oh-my-opencode.packages.${pkgs.stdenv.hostPlatform.system};
-          fixed-node_modules = orig.node_modules.overrideAttrs (_: {
-            outputHash = "sha256-qq/eEoxFELVdt4qaJkrw8XNZ/Ph/RJdsyIp7LteQE5A=";
-          });
-        in
-        orig.oh-my-opencode.overrideAttrs (_: {
-          buildPhase = ''
-            cp -r ${fixed-node_modules}/node_modules .
-            chmod -R u+w node_modules
-            patchShebangs node_modules/
-            export HOME=$(mktemp -d)
-            bun run build
-          '';
-        });
-    in
-    [
-      ohMyOpencode
-      pkgs.playwright-driver.browsers
-    ];
-
-  home.sessionVariables = {
-    PLAYWRIGHT_BROWSERS_PATH = "${pkgs.playwright-driver.browsers}";
-    PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD = "1";
-  };
-
-  xdg.configFile."opencode/oh-my-opencode.json".text = builtins.toJSON ohMyOpencodeConfig;
-
-  xdg.configFile."opencode/skills/playwright.md".text =
-    let
-      browsers = pkgs.playwright-driver.browsers;
-      chromiumDir = builtins.head (
-        builtins.filter (n: builtins.match "chromium-[0-9]+" n != null) (
-          builtins.attrNames browsers.passthru.entries
-        )
-      );
-      chromiumPath = "${browsers}/${chromiumDir}/chrome-linux64/chrome";
-    in
-    ''
-      ---
-      name: playwright
-      description: "MUST USE for any browser-related tasks. Browser automation via Playwright MCP - verification, browsing, information gathering, web scraping, testing, screenshots, and all browser interactions."
-      mcp:
-        playwright:
-          command: npx
-          args:
-            - "@playwright/mcp@latest"
-            - "--executable-path"
-            - "${chromiumPath}"
-            - "--user-data-dir"
-            - "${config.home.homeDirectory}/.cache/playwright-mcp"
-      ---
-
-      # Playwright Browser Automation
-
-      This skill provides browser automation capabilities via the Playwright MCP server.
-    '';
-
-  programs.opencode = {
-    package = inputs.llm-agents.packages.${pkgs.stdenv.targetPlatform.system}.opencode;
-    enable = true;
-    rules = ''
-      You are an intelligent and observant agent.
-      If instructed to commit, disable gpg signing.
-      You are on nixOS, if you don't have access to a tool, you can access it via the `nix-shell` command.
-
-      ## Think deeply about everything.
-      When given a problem, break it down, abstract it out, understand the fundamentals, then solve it in the real world.
-
-      ## Misc
-      For long-running commands, make sure you set the timeout of the Bash tool provided to a larger value.
-      Do NOT read secret files. Do not directly read files that are api keys or are contextually sensitive.
-      Do NOT run `skill_mcp [mcp_name=playwright, tool_name=browser_install]` as browsers are provided by NixOS via PLAYWRIGHT_BROWSERS_PATH.
-
-      ## Behavior
-      Do not be sycophantic in your responses.
-      Do not use emojis unless explicitly asked to. This includes in code.
-      Use Test Driven Development methodology.
-
-      ## Nix
-      For using `nix build` append `-L` to get better visibility into the logs.
-      If you get an error that a file can't be found, always try to `git add` the file before trying other troubleshooting steps.
-
-
-      ## Android UI Interaction Workflow Summary
-      1. Taking Screenshots
-      adb exec-out screencap -p > /tmp/screen.png
-      Captures the current screen state as a PNG image.
-
-      2. Analyzing Screenshots
-      I delegate screenshot analysis to an explore agent rather than analyzing images directly:
-      mcp_task(subagent_type="explore", prompt="Analyze /tmp/screen.png. What screen is this? What elements are visible?")
-      The agent describes the UI, identifies elements, and estimates Y coordinates.
-
-      3. Getting Precise Element Coordinates
-      UI Automator dump - extracts the full UI hierarchy as XML:
-      adb shell uiautomator dump /sdcard/ui.xml && adb pull /sdcard/ui.xml /tmp/ui.xml
-      Then grep for specific elements:
-      # Find by text
-      grep -oP 'text="Login".*?bounds="[^"]*"' /tmp/ui.xml
-      # Find by class
-      grep -oP 'class="android.widget.EditText".*?bounds="[^"]*"' /tmp/ui.xml
-      Bounds format: [left,top][right,bottom] → tap center: ((left+right)/2, (top+bottom)/2)
-
-      4. Tapping Elements
-      adb shell input tap X Y
-      Where X, Y are pixel coordinates from the bounds.
-
-      5. Text Input
-      adb shell input text "some_text"
-      Note: Special characters need escaping (\!, \;, etc.)
-
-      6. Other Gestures
-      # Swipe/scroll
-      adb shell input swipe startX startY endX endY duration_ms
-      # Key events
-      adb shell input keyevent KEYCODE_BACK
-      adb shell input keyevent KEYCODE_ENTER
-
-      7. WebView Limitation
-      - UI Automator can see WebView content if accessibility is enabled
-      - Touch events on iframe content (like Cloudflare Turnstile) often fail due to cross-origin isolation
-      - Form fields in WebViews work if you get exact bounds from the UI dump
-
-      Typical Flow
-      1. Take screenshot → analyze with explore agent (get rough layout)
-      2. Dump UI hierarchy → grep for exact element bounds
-         - NEVER ASSUME COORDINATES. You must ALWAYS check first.
-         - Do this before ANY tap action as elements on the screen may of changed.
-      3. Calculate center coordinates from bounds
-      4. Tap/interact
-      5. Wait → screenshot → verify result
-    '';
-    settings = {
-      theme = "opencode";
-
-      model = opus-model;
-      # small model used for titles
-      small_model = "openrouter/openai/gpt-oss-20b:free";
-
-      autoshare = false;
-      # note: this updates opencode (and plugins like oh-my-opencode) at launch,
-      # bypassing the version pinned in flake.lock
-      autoupdate = true;
-      agent = { };
-      plugin = [ "oh-my-opencode" ];
-      provider = {
-        openrouter = {
-          models = {
-            "openai/gpt-oss-20b:free" = { };
-          };
-          options = {
-            # TODO! use agenix here instead
-            apiKey = "{file:${../secrets/openrouter_api_key}}";
-          };
-        };
-      };
-    };
-  };
-}

home-manager/progs/pi.nix

@@ -0,0 +1,179 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}:
+let
+  #   sisyphus/oracle/prometheus → default/slow/plan = opus
+  #   librarian/explore/quick   → smol/commit = haiku
+  ompSettings = {
+    modelRoles = {
+      default = "anthropic/claude-opus-4-7:high";
+      smol = "anthropic/claude-haiku-4-5:low";
+      slow = "anthropic/claude-opus-4-7:xhigh";
+      plan = "anthropic/claude-opus-4-7:high";
+      commit = "anthropic/claude-haiku-4-5:low";
+    };
+  };
+
+  # provider config — secrets read at eval time via builtins.readFile
+  # (omp treats apiKey as env-var-name-or-literal, not a shell command)
+  ompModels = {
+    providers = {
+      openrouter = {
+        apiKey = lib.strings.trim (builtins.readFile ../secrets/openrouter_api_key);
+      };
+      "llama.cpp" = {
+        baseUrl = "https://llm.sigkill.computer";
+        apiKey = lib.strings.trim (builtins.readFile ../secrets/llama_cpp_api_key);
+        api = "openai-responses";
+        authHeader = true;
+        discovery.type = "llama.cpp";
+      };
+    };
+  };
+in
+{
+  home.packages = [
+    (inputs.llm-agents.packages.${pkgs.stdenv.hostPlatform.system}.omp.overrideAttrs (old: {
+      patches = (old.patches or [ ]) ++ [ ];
+    }))
+  ];
+
+  # main settings: ~/.omp/agent/config.yml (JSON is valid YAML)
+  home.file.".omp/agent/config.yml".text = builtins.toJSON ompSettings;
+
+  # model/provider config: ~/.omp/agent/models.yml
+  home.file.".omp/agent/models.yml".text = builtins.toJSON ompModels;
+
+  # global instructions loaded at startup
+  home.file.".omp/agent/AGENTS.md".text = ''
+    You are an intelligent and observant agent.
+    If instructed to commit, disable gpg signing.
+    You are on nixOS, if you don't have access to a tool, you can access it via the `nix-shell` command.
+
+    ## Think deeply about everything.
+    When given a problem, break it down, abstract it out, understand the fundamentals, then solve it in the real world.
+
+    ## Misc
+    For long-running commands, make sure you set the timeout of the Bash tool provided to a larger value.
+    Do NOT read secret files. Do not directly read files that are api keys or are contextually sensitive.
+
+    ## Behavior
+    Do not be sycophantic in your responses.
+    Do not use emojis unless explicitly asked to. This includes in code.
+    Use Test Driven Development methodology.
+
+    ## Nix
+    For using `nix build` append `-L` to get better visibility into the logs.
+    If you get an error that a file can't be found, always try to `git add` the file before trying other troubleshooting steps.
+  '';
+
+  home.file.".omp/agent/skills/android-ui/SKILL.md".text = ''
+    ---
+    name: android-ui
+    description: Android UI automation via ADB. Use for any Android device interaction, UI testing, screenshot analysis, element coordinate lookup, and gesture automation.
+    ---
+
+    # Android UI
+
+    ## 1. Taking Screenshots
+    ```
+    adb exec-out screencap -p > /tmp/screen.png
+    ```
+    Captures the current screen state as a PNG image.
+
+    ## 2. Analyzing Screenshots
+    Read the screenshot file to understand the current screen state and identify UI elements.
+
+    ## 3. Getting Precise Element Coordinates
+    UI Automator dump - extracts the full UI hierarchy as XML:
+    ```
+    adb shell uiautomator dump /sdcard/ui.xml && adb pull /sdcard/ui.xml /tmp/ui.xml
+    ```
+    Then grep for specific elements:
+    ```sh
+    # Find by text
+    grep -oP 'text="Login".*?bounds="[^"]*"' /tmp/ui.xml
+    # Find by class
+    grep -oP 'class="android.widget.EditText".*?bounds="[^"]*"' /tmp/ui.xml
+    ```
+    Bounds format: `[left,top][right,bottom]` — tap center: `((left+right)/2, (top+bottom)/2)`
+
+    ## 4. Tapping Elements
+    ```
+    adb shell input tap X Y
+    ```
+    Where X, Y are pixel coordinates from the bounds.
+
+    ## 5. Text Input
+    ```
+    adb shell input text "some_text"
+    ```
+    Note: Special characters need escaping (`\!`, `\;`, etc.)
+
+    ## 6. Other Gestures
+    ```sh
+    # Swipe/scroll
+    adb shell input swipe startX startY endX endY duration_ms
+    # Key events
+    adb shell input keyevent KEYCODE_BACK
+    adb shell input keyevent KEYCODE_ENTER
+    ```
+
+    ## 7. WebView Limitation
+    - UI Automator can see WebView content if accessibility is enabled
+    - Touch events on iframe content (like Cloudflare Turnstile) often fail due to cross-origin isolation
+    - Form fields in WebViews work if you get exact bounds from the UI dump
+
+    ## Typical Flow
+    1. Take screenshot → analyze it (get rough layout)
+    2. Dump UI hierarchy → grep for exact element bounds
+       - NEVER ASSUME COORDINATES. You must ALWAYS check first.
+       - Do this before ANY tap action as elements on the screen may have changed.
+    3. Calculate center coordinates from bounds
+    4. Tap/interact
+    5. Wait → screenshot → verify result
+  '';
+
+  # omp has a built-in browser tool with NixOS auto-detection,
+  # but this skill provides playwright MCP as a supplementary option
+  home.file.".omp/agent/skills/playwright/SKILL.md".text =
+    let
+      browsers = pkgs.playwright-driver.browsers;
+      chromiumDir = builtins.head (
+        builtins.filter (n: builtins.match "chromium-[0-9]+" n != null) (
+          builtins.attrNames browsers.passthru.entries
+        )
+      );
+      chromiumPath = "${browsers}/${chromiumDir}/chrome-linux64/chrome";
+    in
+    ''
+      ---
+      name: playwright
+      description: Browser automation via Playwright MCP. Use as an alternative to the built-in browser tool for Playwright-specific workflows, testing, and web scraping. Chromium is provided by NixOS.
+      ---
+
+      # Playwright
+
+      ## Browser Setup
+      Chromium is provided by NixOS. Do NOT attempt to download browsers.
+
+      - Chromium path: `${chromiumPath}`
+      - Browsers path: `${browsers}`
+
+      ## Usage
+      Launch the Playwright MCP server for browser automation:
+      ```bash
+      npx @playwright/mcp@latest --executable-path "${chromiumPath}" --user-data-dir "${config.home.homeDirectory}/.cache/playwright-mcp"
+      ```
+
+      Set these environment variables if not already set:
+      ```bash
+      export PLAYWRIGHT_BROWSERS_PATH="${browsers}"
+      export PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
+      ```
+    '';
+}

home-manager/progs/zen/dark-reader.nix

@@ -0,0 +1,164 @@
+# Dark Reader extension settings
+# Addon ID: addon@darkreader.org
+{ lib }:
+let
+  defaultTheme = {
+    mode = 1;
+    brightness = 100;
+    contrast = 100;
+    grayscale = 0;
+    sepia = 0;
+    useFont = false;
+    fontFamily = "Open Sans";
+    textStroke = 0;
+    engine = "dynamicTheme";
+    stylesheet = "";
+    darkSchemeBackgroundColor = "#181a1b";
+    darkSchemeTextColor = "#e8e6e3";
+    lightSchemeBackgroundColor = "#dcdad7";
+    lightSchemeTextColor = "#181a1b";
+    scrollbarColor = "";
+    selectionColor = "auto";
+    styleSystemControls = false;
+    lightColorScheme = "Default";
+    darkColorScheme = "Default";
+    immediateModify = false;
+  };
+
+  mkCustomTheme =
+    {
+      url,
+      engine ? defaultTheme.engine,
+      builtIn ? false,
+    }:
+    {
+      inherit url;
+      theme = defaultTheme // {
+        inherit engine;
+      };
+    }
+    // lib.optionalAttrs builtIn { inherit builtIn; };
+in
+{
+  force = true;
+  settings = {
+    enabled = true;
+    fetchNews = true;
+    syncSettings = false;
+    syncSitesFixes = false;
+    changeBrowserTheme = false;
+    enabledByDefault = false;
+    enableForPDF = true;
+    enableForProtectedPages = false;
+    enableContextMenus = false;
+    detectDarkTheme = true;
+    previewNewDesign = false;
+    previewNewestDesign = false;
+
+    theme = defaultTheme;
+
+    enabledFor = [
+      "search.nixos.org"
+      "quizlet.com"
+      "claude.ai"
+    ];
+
+    disabledFor = [
+      "cinny.envs.net"
+      "element.envs.net"
+      "mail.proton.me"
+      "mail.google.com"
+      "www.gardling.com"
+      "projects.fivethirtyeight.com"
+      "secure.bankofamerica.com"
+      "billpay-ui.bankofamerica.com"
+      "plus.pearson.com"
+      "immich.gardling.com"
+      "huggingface.co"
+      "session.masteringphysics.com"
+      "brainly.com"
+      "www.270towin.com"
+      "phet.colorado.edu"
+      "8042-1.portal.athenahealth.com"
+      "torrent.gardling.com"
+      "nssb-p.adm.fit.edu"
+      "mail.openbenchmarking.org"
+      "moneroocean.stream"
+      "app.diagrams.net"
+      "books.gw-project.org"
+      "chat.deepseek.com"
+      "n21.ultipro.com"
+      "www.egaroucid.nyanyan.dev"
+      "bitmagnet.gardling.com"
+      "frame.work"
+      "www.altcancer.net"
+      "jenkins.jpenilla.xyz"
+      "soulseek.gardling.com"
+      "discord.com"
+      "www.lufthansa.com"
+      "surveys.hyundaicx.com"
+      "www.apple.com"
+      "docs.google.com"
+      "marcuspork.com"
+      "en.akinator.com"
+      "www.reddit.com"
+      "terra.layoutit.com"
+      "www.ebay.com"
+      "www.nytimes.com"
+      "app.electricitymaps.com"
+      "www.revoy.com"
+      "kagi.com"
+      "www.bhphotovideo.com"
+      "survey.stackoverflow.co"
+      "www.google.com"
+      "en.wikipedia.org"
+      "workforcenow.adp.com"
+      "app.element.io"
+      "www.desmos.com"
+      "en.wiktionary.org"
+      "dariandean0.github.io"
+    ];
+
+    customThemes = [
+      (mkCustomTheme {
+        url = [ "*.officeapps.live.com" ];
+        engine = "cssFilter";
+        builtIn = true;
+      })
+      (mkCustomTheme {
+        url = [ "*.sharepoint.com" ];
+        engine = "cssFilter";
+        builtIn = true;
+      })
+      (mkCustomTheme {
+        url = [ "docs.google.com" ];
+        engine = "cssFilter";
+        builtIn = true;
+      })
+      (mkCustomTheme {
+        url = [ "onedrive.live.com" ];
+        engine = "cssFilter";
+        builtIn = true;
+      })
+      (mkCustomTheme {
+        url = [ "huggingface.co" ];
+        engine = "svgFilter";
+      })
+      (mkCustomTheme {
+        url = [ "www.last.fm" ];
+        engine = "svgFilter";
+      })
+    ];
+
+    automation = {
+      enabled = false;
+      mode = "";
+      behavior = "OnOff";
+    };
+
+    time = {
+      activation = "18:00";
+      deactivation = "9:00";
+    };
+  };
+}

home-manager/progs/zen/default.nix

@@ -0,0 +1,134 @@
+{
+  pkgs,
+  lib,
+  inputs,
+  config,
+  ...
+}:
+let
+  firefox-addons = inputs.firefox-addons.packages.${pkgs.stdenv.hostPlatform.system};
+  buildFirefoxXpiAddon =
+    inputs.firefox-addons.lib.${pkgs.stdenv.hostPlatform.system}.buildFirefoxXpiAddon;
+
+  hacker-smacker = buildFirefoxXpiAddon {
+    pname = "hacker-smacker";
+    version = "2.2";
+    addonId = "jid1-eo0mcXLTqCkaWA@jetpack";
+    url = "https://addons.mozilla.org/firefox/downloads/file/4715262/hacker_smacker-2.2.xpi";
+    sha256 = "d28f0597d5c4bae5db712b4875f4104120f7e55e5ea769c44d70996be31cc0d1";
+    meta = with lib; {
+      homepage = "https://www.hackersmacker.org";
+      description = "Highlight (friend) and filter (foe) individual authors on Hacker News";
+      license = licenses.mit;
+      platforms = platforms.all;
+    };
+  };
+
+  consumer-rights-wiki = buildFirefoxXpiAddon {
+    pname = "consumer-rights-wiki";
+    version = "1.0.34";
+    addonId = "@crw-extension-firefox";
+    url = "https://addons.mozilla.org/firefox/downloads/file/4730448/consumer_rights_wiki-1.0.34.xpi";
+    sha256 = "732969ed4d5c7965b6254a1190a82ce4ab0ff44bda2295264eb8a22c452899ea";
+    meta = with lib; {
+      homepage = "https://github.com/FULU-Foundation/CRW-Extension";
+      description = "Shows a popup when the site you're viewing has an article on the Consumer Rights Wiki";
+      license = licenses.mit;
+      platforms = platforms.all;
+    };
+  };
+
+  ublockSettings = import ./ublock.nix { inherit lib; };
+  darkReaderSettings = import ./dark-reader.nix { inherit lib; };
+  redirectorSettings = import ./redirector.nix { inherit lib; };
+in
+{
+  programs.zen-browser = {
+    enable = true;
+    profiles.default = {
+      isDefault = true;
+
+      extensions = {
+        force = true;
+
+        packages =
+          (with firefox-addons; [
+            bitwarden
+            buster-captcha-solver
+            consent-o-matic
+            darkreader
+            fastforwardteam
+            localcdn
+            redirector
+            refined-github
+            return-youtube-dislikes
+            search-by-image # reverse image search
+            ruffle_rs
+            snowflake
+            steam-database
+            ublock-origin
+          ])
+          ++ [
+            hacker-smacker
+            consumer-rights-wiki
+          ];
+
+        settings = {
+          "uBlock0@raymondhill.net" = ublockSettings;
+          "addon@darkreader.org" = darkReaderSettings;
+          "redirector@einaregilsson.com" = redirectorSettings;
+        };
+      };
+
+      search = {
+        force = true;
+        default = "kagi";
+        privateDefault = "ddg";
+        order = [
+          "kagi"
+          "ddg"
+          "google"
+        ];
+        engines = {
+          kagi = {
+            name = "Kagi";
+            urls = [ { template = "https://kagi.com/search?q={searchTerms}"; } ];
+            iconMapObj."16" = "https://kagi.com/favicon.ico";
+            definedAliases = [ "@k" ];
+          };
+          google.metaData.alias = "@g";
+        };
+      };
+
+      settings = {
+        "identity.sync.tokenserver.uri" = "https://firefox-sync.sigkill.computer/1.0/sync/1.5";
+        # auto-enable extensions on install
+        "extensions.autoDisableScopes" = 0;
+        # don't sync prefs/addons — we manage them declaratively via nix
+        # syncing fights with the declarative config and can cause data loss
+        # https://github.com/nix-community/home-manager/issues/6083
+        "services.sync.engine.prefs" = false;
+        "services.sync.engine.addons" = false;
+        # use a separate default search engine in private windows
+        "browser.search.separatePrivateDefault.ui.enabled" = true;
+        "browser.search.separatePrivateDefault" = true;
+        # disable built-in password manager — using bitwarden
+        "signon.rememberSignons" = false;
+        "signon.autofillForms" = false;
+        "signon.management.page.breach-alerts.enabled" = false;
+        "signon.formlessCapture.enabled" = false;
+        "signon.privateBrowsingCapture.enabled" = false;
+        # disable the autocomplete popup on login fields
+        "signon.firefoxRelay.feature" = "";
+        "signon.generation.enabled" = false;
+        # disable passkey/webauthn prompts from the built-in manager
+        "security.webauthn.enable_conditional_mediation" = false;
+      };
+    };
+  };
+
+  # Zen ignores XDG and hardcodes ~/.zen — symlink to module-managed path
+  home.file.".zen".source = config.lib.file.mkOutOfStoreSymlink "${config.xdg.configHome}/zen";
+
+  home.sessionVariables.BROWSER = "zen";
+}

home-manager/progs/zen/redirector.nix

@@ -0,0 +1,75 @@
+# Redirector extension settings
+# Addon ID: redirector@einaregilsson.com
+#
+# To add a new redirect, just add another mkRedirect call to the list:
+#   (mkRedirect { from = "youtube.com"; to = "invidious.example.com"; description = "YouTube to Invidious"; })
+{ lib }:
+let
+  # helper to create a redirect rule from a simple domain mapping.
+  # handles www. subdomains automatically. for other subdomains
+  # (like old.reddit.com), create a separate rule with the full domain.
+  mkRedirect =
+    {
+      from,
+      to,
+      description,
+    }:
+    let
+      escapedFrom = builtins.replaceStrings [ "." ] [ "\\." ] from;
+    in
+    {
+      inherit description;
+      exampleUrl = "https://${from}/example";
+      exampleResult = "https://${to}/example";
+      error = null;
+      includePattern = "^https?://(www\\.)?${escapedFrom}(.*)$";
+      excludePattern = "";
+      patternDesc = "";
+      redirectUrl = "https://${to}$2";
+      patternType = "R";
+      processMatches = "noProcessing";
+      disabled = false;
+      grouped = false;
+      appliesTo = [ "main_frame" ];
+    };
+in
+{
+  force = true;
+  settings = {
+    redirects = [
+      (mkRedirect {
+        from = "x.com";
+        to = "xcancel.com";
+        description = "X to xcancel";
+      })
+      (mkRedirect {
+        from = "twitter.com";
+        to = "xcancel.com";
+        description = "Twitter to xcancel";
+      })
+      (mkRedirect {
+        from = "reddit.com";
+        to = "safereddit.com";
+        description = "Reddit to Redlib";
+      })
+      (mkRedirect {
+        from = "old.reddit.com";
+        to = "safereddit.com";
+        description = "Old Reddit to Redlib";
+      })
+      (mkRedirect {
+        from = "new.reddit.com";
+        to = "safereddit.com";
+        description = "New Reddit to Redlib";
+      })
+      (mkRedirect {
+        from = "np.reddit.com";
+        to = "safereddit.com";
+        description = "NP Reddit to Redlib";
+      })
+    ];
+    disabled = false;
+    logging = false;
+    enableNotifications = false;
+  };
+}

home-manager/progs/zen/ublock.nix

@@ -0,0 +1,143 @@
+# uBlock Origin extension settings
+# Addon ID: uBlock0@raymondhill.net
+{ lib }:
+{
+  force = true;
+  settings = {
+    userSettings = {
+      cloudStorageEnabled = true;
+      externalLists = builtins.concatStringsSep "\n" [
+        "https://abp.oisd.nl/"
+        "https://filters.adtidy.org/extension/ublock/filters/3.txt"
+        "https://gitflic.ru/project/magnolia1234/bypass-paywalls-clean-filters/blob/raw?file=bpc-paywall-filter.txt"
+        "https://raw.githubusercontent.com/DetachHead/ublock-filters/refs/heads/master/list.txt"
+        "https://raw.githubusercontent.com/laylavish/uBlockOrigin-HUGE-AI-Blocklist/main/list.txt"
+      ];
+      importedLists = [
+        "https://abp.oisd.nl/"
+        "https://filters.adtidy.org/extension/ublock/filters/3.txt"
+        "https://gitflic.ru/project/magnolia1234/bypass-paywalls-clean-filters/blob/raw?file=bpc-paywall-filter.txt"
+        "https://raw.githubusercontent.com/DetachHead/ublock-filters/refs/heads/master/list.txt"
+        "https://raw.githubusercontent.com/laylavish/uBlockOrigin-HUGE-AI-Blocklist/main/list.txt"
+      ];
+      popupPanelSections = 15;
+      prefetchingDisabled = false;
+    };
+
+    selectedFilterLists = [
+      "user-filters"
+      "ublock-filters"
+      "ublock-badware"
+      "ublock-privacy"
+      "ublock-quick-fixes"
+      "ublock-unbreak"
+      "easylist"
+      "adguard-generic"
+      "adguard-mobile"
+      "easyprivacy"
+      "adguard-spyware-url"
+      "block-lan"
+      "urlhaus-1"
+      "curben-phishing"
+      "plowe-0"
+      "dpollock-0"
+      "fanboy-cookiemonster"
+      "ublock-cookies-easylist"
+      "adguard-cookies"
+      "ublock-cookies-adguard"
+      "fanboy-social"
+      "adguard-social"
+      "fanboy-thirdparty_social"
+      "easylist-chat"
+      "easylist-newsletters"
+      "easylist-notifications"
+      "easylist-annoyances"
+      "adguard-mobile-app-banners"
+      "adguard-other-annoyances"
+      "adguard-popup-overlays"
+      "adguard-widgets"
+      "ublock-annoyances"
+      "SWE-1"
+      "https://filters.adtidy.org/extension/ublock/filters/3.txt"
+      "https://gitflic.ru/project/magnolia1234/bypass-paywalls-clean-filters/blob/raw?file=bpc-paywall-filter.txt"
+      "https://raw.githubusercontent.com/DetachHead/ublock-filters/refs/heads/master/list.txt"
+      "https://raw.githubusercontent.com/laylavish/uBlockOrigin-HUGE-AI-Blocklist/main/list.txt"
+      "https://abp.oisd.nl/"
+    ];
+
+    whitelist = [
+      "chrome-extension-scheme"
+      "moz-extension-scheme"
+    ];
+
+    dynamicFilteringString = builtins.concatStringsSep "\n" [
+      "behind-the-scene * * noop"
+      "behind-the-scene * inline-script noop"
+      "behind-the-scene * 1p-script noop"
+      "behind-the-scene * 3p-script noop"
+      "behind-the-scene * 3p-frame noop"
+      "behind-the-scene * image noop"
+      "behind-the-scene * 3p noop"
+    ];
+
+    hostnameSwitchesString = builtins.concatStringsSep "\n" [
+      "no-large-media: behind-the-scene false"
+      "no-csp-reports: * true"
+      "no-scripting: arstechnica.com true"
+      "no-scripting: www.phoronix.com true"
+      "no-scripting: www.theatlantic.com true"
+      "no-scripting: wccftech.com true"
+      "no-remote-fonts: www.theverge.com true"
+      "no-scripting: www.theverge.com true"
+      "no-scripting: gamersnexus.net true"
+    ];
+
+    "user-filters" = builtins.concatStringsSep "\n" [
+      # Annoying fonts warning because of localCDN
+      "docs.google.com##.jfk-butterBar-shown.jfk-butterBar-info.jfk-butterBar"
+
+      # remove phoronix premium ad
+      "www.phoronix.com##aside:nth-of-type(3)"
+      "www.phoronix.com##aside.widget:nth-of-type(4)"
+
+      # Remove instagram login screen
+      "www.instagram.com##.x1nhvcw1.x1oa3qoh.x1qjc9v5.xqjyukv.xdt5ytf.x2lah0s.x1c4vz4f.x1odjw0f.xw2csxc.x1n2onr6.xo71vjh.x5pf9jr.x13lgxp2.x168nmei.x78zum5.xjbqb8w.x9f619"
+      "www.instagram.com##.xl56j7k.x1iyjqo2.xdt5ytf.x78zum5.x9f619.x1qjc9v5"
+      "www.instagram.com##.x1jfb8zj.x1qrby5j.x1n2onr6.x7ja8zs.x1t2pt76.x1lytzrv.xedcshv.xarpa2k.x3igimt.x12ejxvf.xaigb6o.x1beo9mf.x1h91t0o.x4k7w5x.x1uvtmcs"
+      "www.instagram.com##.x1h0vfkc.x13vifvy.xixxii4.x17qophe.xds687c.x1ey2m1c"
+      "www.instagram.com##.x1n2onr6.xg6iff7.xippug5.xdt5ytf.x78zum5"
+      "www.instagram.com##.xzkaem6.x1n2onr6 > .xjx87ck.x1yqm8si.xfk6m8.xh8yej3.x13vifvy.x1rohswg.xixxii4.x1odjw0f.xw2csxc.x17qophe.x5yr21d.x1pq812k.x1ja2u2z.x9f619"
+
+      # remove github dashboard copilot stuff
+      "github.com##copilot-dashboard-entrypoint"
+      "github.com##.hide-md.hide-sm.AppHeader-CopilotChat > react-partial-anchor"
+      "github.com##react-partial-anchor > .AppHeader-buttonLeft.AppHeader-button.Button--medium.Button--secondary.Button--iconOnly.Button"
+      "github.com##.Button.Button--medium.Button--secondary.AppHeader-button--dropdown.AppHeader-buttonRight.AppHeader-button"
+      "github.com##.tooltipped-sw.tooltipped.AppHeader-buttonRight.color-fg-muted.AppHeader-button.Button--medium.Button--secondary.Button--iconOnly.Button"
+
+      # github sidebar stuff
+      ''github.com##.rounded-2.p-3.color-border-default.border.\<color-bg-default.dashboard-changelog.mb-3''
+      "github.com##.mb-5.feed-right-sidebar"
+
+      "app.howthemarketworks.com##div.reveal-overlay:nth-of-type(8)"
+
+      # github copilot chat
+      "github.com##.CopilotChatInputPartial-module__inputSection--UWMD6"
+      "github.com##.CopilotChatInputPartial-module__inputContainer--EE6LJ"
+
+      # reddit
+      ''www.reddit.com##.font-normal > .mt-0.list-none.relative > .s\:rounded-2.bg-transparent.-outline-offset-1.py-2xs.cursor-pointer.hover\:no-underline.hover\:bg-neutral-background-hover.hover\:text-secondary-hover.text-secondary.gap-\[0\.5rem\].px-md.relative.justify-between.flex''
+
+      "www.quora.com##.qu-bg--raised.qu-mb--small.qu-boxShadow--small.qu-borderColor--raised.qu-borderAll.dom_annotate_question_answer_item_0.q-box > div > div > div > div > div.q-box"
+
+      "discord.com##.contentCollapsedWrapper__5f897"
+
+      "www.statista.com###pdfpremiumArrowModal > .vueModal__overlay"
+
+      # The AI summary BS
+      ''www.reddit.com##.px-md.pb-\[22px\].pt-md.mt-md.rounded-4.bg-neutral-background-weak.xs\:block.hidden''
+
+      "www.sciencedirect.com##.gXjxP.sc-fHSyaj"
+    ];
+  };
+}

system/common.nix

@@ -1,5 +1,6 @@
 {
   config,
+  options,
   pkgs,
   lib,
   username,
@@ -70,17 +71,214 @@
     # optimize the store
     optimise.automatic = true;
 
-    # enable flakes!
-    settings.experimental-features = [
-      "nix-command"
-      "flakes"
-    ];
+    # auto garbage collect old generations
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+
+    settings = {
+      # enable flakes!
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+
+      # Use muffin server as a binary cache
+      substituters = [ "https://nix-cache.sigkill.computer" ];
+      trusted-public-keys = [
+        "nix-cache.sigkill.computer-1:ONtQC9gUjL+2yNgMWB68NudPySXhyzJ7I3ra56/NPgk="
+      ];
+      netrc-file = "${./secrets/nix-cache-netrc}";
+    };
   };
 
+  # cachyos kernel overlay
+  nixpkgs.overlays = [ inputs.nix-cachyos-kernel.overlays.default ];
+
   # kernel options
   boot = {
-    kernelPackages = pkgs.linuxPackages_latest;
-    # kernelPackages = pkgs.linuxPackages;
+
+    # cachyos kernel: bore scheduler, full lto, x86_64-v3 (common to zen 3 + zen 5)
+    kernelPackages =
+      let
+        helpers = pkgs.callPackage "${inputs.nix-cachyos-kernel}/helpers.nix" { };
+        kernel = pkgs.cachyosKernels.linux-cachyos-bore-lto.override {
+          lto = "full";
+          processorOpt = "x86_64-v3";
+        };
+      in
+      helpers.kernelModuleLLVMOverride (pkgs.linuxKernel.packagesFor kernel);
+
+    # disable legacy subsystems neither host will ever use
+    kernelPatches = [
+      {
+        name = "disable-legacy-subsystems";
+        patch = null;
+        structuredExtraConfig = with lib.kernel; {
+          # ancient bus/card standards
+          PCMCIA = lib.mkForce no;
+          PCCARD = lib.mkForce no;
+          PARPORT = lib.mkForce no;
+          GAMEPORT = lib.mkForce module;
+          FIREWIRE = lib.mkForce no;
+          AGP = lib.mkForce no;
+
+          # legacy networking
+          ATM = lib.mkForce no;
+          FDDI = lib.mkForce no;
+          ISDN = lib.mkForce no;
+          CAN = lib.mkForce no;
+          NFC = lib.mkForce no;
+          INFINIBAND = lib.mkForce no;
+
+          # amateur radio (HAMRADIO is the umbrella but these are separate symbols)
+          HAMRADIO = lib.mkForce no;
+          AX25 = lib.mkForce no;
+          NETROM = lib.mkForce no;
+          ROSE = lib.mkForce no;
+
+          # dead protocols
+          PHONET = lib.mkForce no;
+          IEEE802154 = lib.mkForce no;
+          "6LOWPAN" = lib.mkForce no;
+          NET_9P = lib.mkForce no;
+          BATMAN_ADV = lib.mkForce no;
+
+          # tv tuners / digital video broadcasting
+          MEDIA_ANALOG_TV_SUPPORT = lib.mkForce no;
+          MEDIA_DIGITAL_TV_SUPPORT = lib.mkForce no;
+          DVB_CORE = lib.mkForce no;
+
+          # hypervisor guest support (bare metal only)
+          HYPERV = lib.mkForce no;
+          XEN = lib.mkForce no;
+          VMWARE_VMCI = lib.mkForce no;
+          VMWARE_BALLOON = lib.mkForce no;
+          VMWARE_PVSCSI = lib.mkForce no;
+          VMWARE_VMCI_VSOCKETS = lib.mkForce no;
+          VMXNET3 = lib.mkForce no;
+          DRM_VMWGFX = lib.mkForce no;
+          VBOXGUEST = lib.mkForce no;
+          VBOXSF_FS = lib.mkForce no;
+
+          # staging drivers (experimental/unmaintained)
+          STAGING = lib.mkForce no;
+          # SND_PCI stays — SND_HDA_INTEL (AMD HDA audio) lives under it
+          ACCESSIBILITY = lib.mkForce no;
+          MTD = lib.mkForce no;
+          MEDIA_RC_SUPPORT = lib.mkForce no;
+
+          # legacy storage (AHCI for modern SATA is independent)
+          ATA_SFF = lib.mkForce no;
+          SCSI_LOWLEVEL = lib.mkForce no;
+          FUSION = lib.mkForce no;
+
+          # misc legacy
+          MOST = lib.mkForce no;
+          PPDEV = lib.mkForce no;
+          PHANTOM = lib.mkForce no;
+          X86_ANDROID_TABLETS = lib.mkForce no;
+          # CHROME_PLATFORMS stays — Framework laptops use CrOS EC
+          SURFACE_PLATFORMS = lib.mkForce no;
+          MCTP = lib.mkForce no;
+          GPIB = lib.mkForce no;
+          SIOX = lib.mkForce no;
+          SLIMBUS = lib.mkForce no;
+          WWAN = lib.mkForce no;
+
+          # nvidia gpu
+          DRM_NOUVEAU = lib.mkForce no;
+
+          # other gpus not present
+          DRM_RADEON = lib.mkForce no;
+          DRM_GMA500 = lib.mkForce no;
+          DRM_AST = lib.mkForce no;
+          DRM_MGAG200 = lib.mkForce no;
+          DRM_HISI_HIBMC = lib.mkForce no;
+          DRM_APPLETBDRM = lib.mkForce no;
+
+          # intel gpu
+          DRM_I915 = lib.mkForce no;
+          DRM_XE = lib.mkForce no;
+
+          # intel cpu / platform
+          INTEL_IOMMU = lib.mkForce no;
+          INTEL_IDLE = lib.mkForce no;
+          INTEL_HFI_THERMAL = lib.mkForce no;
+          INTEL_TCC_COOLING = lib.mkForce no;
+          INTEL_SOC_DTS_THERMAL = lib.mkForce no;
+          INTEL_PCH_THERMAL = lib.mkForce no;
+          INTEL_POWERCLAMP = lib.mkForce no;
+          X86_PKG_TEMP_THERMAL = lib.mkForce no;
+          X86_INTEL_LPSS = lib.mkForce no;
+          INTEL_MEI = lib.mkForce no;
+          INTEL_TH = lib.mkForce no;
+          INTEL_VSEC = lib.mkForce no;
+          INTEL_IDXD = lib.mkForce no;
+          INTEL_IOATDMA = lib.mkForce no;
+          EDAC_E752X = lib.mkForce no;
+          EDAC_I82975X = lib.mkForce no;
+          EDAC_I3000 = lib.mkForce no;
+          EDAC_I3200 = lib.mkForce no;
+          EDAC_IE31200 = lib.mkForce no;
+          EDAC_X38 = lib.mkForce no;
+          EDAC_I5400 = lib.mkForce no;
+          EDAC_I7CORE = lib.mkForce no;
+          EDAC_I5100 = lib.mkForce no;
+          EDAC_I7300 = lib.mkForce no;
+          EDAC_SBRIDGE = lib.mkForce no;
+          EDAC_SKX = lib.mkForce no;
+          EDAC_I10NM = lib.mkForce no;
+          EDAC_IMH = lib.mkForce no;
+          EDAC_PND2 = lib.mkForce no;
+          EDAC_IGEN6 = lib.mkForce no;
+
+          # intel audio
+          SND_SOC_SOF_INTEL_TOPLEVEL = lib.mkForce no;
+          SND_SOC_INTEL_SST_TOPLEVEL = lib.mkForce no;
+
+          # mellanox networking
+          MLX4_CORE = lib.mkForce no;
+          MLX5_CORE = lib.mkForce no;
+          MLXSW_CORE = lib.mkForce no;
+          MLX_PLATFORM = lib.mkForce no;
+
+          # fpga
+          FPGA = lib.mkForce no;
+
+          # old x86 cpufreq / platform (both systems are modern Zen)
+          AMD_NUMA = lib.mkForce no;
+          X86_POWERNOW_K8 = lib.mkForce no;
+          X86_P4_CLOCKMOD = lib.mkForce no;
+          X86_SPEEDSTEP_LIB = lib.mkForce no;
+
+          # cxl (datacenter memory expansion)
+          CXL_BUS = lib.mkForce no;
+
+          # embedded SoC peripherals (not present on desktop/laptop)
+          INPUT_TOUCHSCREEN = lib.mkForce no;
+          INPUT_TABLET = lib.mkForce no;
+          INPUT_JOYSTICK = lib.mkForce no;
+          MEDIA_PLATFORM_DRIVERS = lib.mkForce no;
+          MEDIA_TEST_SUPPORT = lib.mkForce no;
+
+          # deprecated userland compat
+          SGETMASK_SYSCALL = lib.mkForce no;
+          UID16 = lib.mkForce no;
+          X86_X32_ABI = lib.mkForce no;
+        };
+      }
+    ];
+
+    # aes_generic is built-in as of linux 7.0, no longer a loadable module
+    initrd.luks.cryptoModules = lib.mkForce (
+      lib.filter (m: m != "aes_generic") options.boot.initrd.luks.cryptoModules.default
+    );
+
+    # some default initrd modules (ata_piix etc) don't exist with ATA_SFF=n
+    initrd.allowMissingModules = true;
 
     lanzaboote = {
       enable = true;
@@ -127,6 +325,7 @@
       # 1gb huge pages
       "hugepagesz=1G"
       "hugepages=3"
+
     ];
 
   };
@@ -169,7 +368,13 @@
     power-profiles-daemon.enable = true;
 
     # geolocation (uses beacondb.net by default)
-    geoclue2.enable = true;
+    geoclue2 = {
+      enable = true;
+      appConfig.zen-twilight = {
+        isAllowed = true;
+        isSystem = false;
+      };
+    };
   };
 
   # EST
@@ -206,8 +411,7 @@
 
   # Enable sound with pipewire.
   services.pulseaudio.enable = false; # pipewire >>>>>>> pulseaudio
-  # BUG! disable rtkit in order to fix mumble: https://github.com/NixOS/nixpkgs/issues/392992#issuecomment-2799867278
-  security.rtkit.enable = false;
+  security.rtkit.enable = true;
   services.pipewire = {
     enable = true;
     alsa.enable = true;

system/networking.nix

@@ -9,7 +9,7 @@
     networkmanager = {
       enable = true;
 
-      insertNameservers = [
+      appendNameservers = [
         "1.1.1.1"
         "9.9.9.9"
       ];

system/system-mreow.nix

@@ -14,12 +14,6 @@
     inputs.nixos-hardware.nixosModules.framework-amd-ai-300-series
   ];
 
-  # Disable PSR, PSR-SU, and Panel Replay to fix display hangs and corruption.
-  # Panel Replay requires PSR/PSR-SU to also be disabled to avoid issues.
-  # This overrides nixos-hardware's 0x10 with 0x410 (last value wins in kernel cmdline).
-  # https://github.com/NixOS/nixos-hardware/pull/1692
-  boot.kernelParams = lib.mkAfter [ "amdgpu.dcdebugmask=0x410" ];
-
   hardware.framework.laptop13.audioEnhancement.rawDeviceName =
     lib.mkDefault "alsa_output.pci-0000_c1_00.6.analog-stereo";
 
@@ -30,6 +24,29 @@
   # if I move to another lock screen program, i will have to replace `swaylock`
   security.pam.services.swaylock = { };
 
+  # Kernel-level power tuning. These are boot-time / module-load-time settings
+  # that power-profiles-daemon (in common.nix) does not manage. ppd handles
+  # governor and EPP at runtime; these cover everything else.
+  boot.kernelParams = [
+    # Disable NMI watchdog. Eliminates periodic perf-counter interrupts
+    # across all cores (~1 W). Kernel softlockup watchdog remains active.
+    "nmi_watchdog=0"
+
+    # Route kernel work items to already-busy CPUs rather than waking idle
+    # ones. Reduces C-state exit frequency -- significant on battery where
+    # cores idle often.
+    "workqueue.power_efficient=1"
+  ];
+
+  boot.kernel.sysctl."kernel.nmi_watchdog" = 0;
+
+  # Power-gate the HDA codec between audio activity. 1-second inactivity
+  # timeout; controller powers down fully. Wakes transparently on next
+  # audio event -- no audible artifacts on Framework 13 AMD.
+  boot.extraModprobeConfig = ''
+    options snd_hda_intel power_save=1 power_save_controller=Y
+  '';
+
   # Greetd display manager
   services.greetd = {
     enable = true;

system/system-yarn.nix

@@ -64,6 +64,7 @@
 
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin"
   ];
 
   programs.steam = {
@@ -74,12 +75,54 @@
   # LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT
   environment.systemPackages = with pkgs; [
     lact
+    jovian-stubs
   ];
   systemd.packages = with pkgs; [ lact ];
   systemd.services.lactd.wantedBy = [ "multi-user.target" ];
 
   systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
 
+  # root-level service that applies a pending update. Triggered by
+  # steamos-update (via systemctl start) when the user accepts an update.
+  # Runs as root so it can write the system profile and boot entry.
+  systemd.services.pull-update-apply = {
+    description = "Apply pending NixOS update pulled from binary cache";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "pull-update-apply" ''
+        set -uo pipefail
+        export PATH=${
+          pkgs.lib.makeBinPath [
+            pkgs.curl
+            pkgs.coreutils
+            pkgs.nix
+          ]
+        }
+        STORE_PATH=$(curl -sf --max-time 30 "https://nix-cache.sigkill.computer/deploy/yarn" || true)
+        if [ -z "$STORE_PATH" ]; then
+          echo "server unreachable"
+          exit 1
+        fi
+        echo "applying $STORE_PATH"
+        nix-store -r "$STORE_PATH" || { echo "fetch failed"; exit 1; }
+        nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "profile set failed"; exit 1; }
+        "$STORE_PATH/bin/switch-to-configuration" boot || { echo "boot entry failed"; exit 1; }
+        echo "update applied; reboot required"
+      '';
+    };
+  };
+
+  # Allow primary user to start pull-update-apply.service without a password
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if (action.id == "org.freedesktop.systemd1.manage-units" &&
+          action.lookup("unit") == "pull-update-apply.service" &&
+          subject.user == "${username}") {
+        return polkit.Result.YES;
+      }
+    });
+  '';
+
   nixpkgs.config.allowUnfreePredicate =
     pkg:
     builtins.elem (lib.getName pkg) [
@@ -95,65 +138,123 @@
   # This prevents Steam from requesting reboots for "system updates"
   # Steam client updates will still work normally
   nixpkgs.overlays = [
-    (final: prev: {
-      jovian-stubs = prev.stdenv.mkDerivation {
-        name = "jovian-stubs-no-update";
-        dontUnpack = true;
-        installPhase = ''
-          mkdir -p $out/bin
+    (
+      final: prev:
+      let
+        deploy-url = "https://nix-cache.sigkill.computer/deploy/yarn";
 
-          # steamos-update: always report "no update available" (exit 7)
-          # This disables the kernel mismatch check that triggers reboot prompts
-          cat > $out/bin/steamos-update << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $* (system updates disabled)"
-          exit 7
-          STUB
+        steamos-update-script = final.writeShellScript "steamos-update" ''
+          export PATH=${
+            final.lib.makeBinPath [
+              final.curl
+              final.coreutils
+              final.systemd
+            ]
+          }
 
-          # steamos-reboot: reboot the system
-          cat > $out/bin/steamos-reboot << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
-          systemctl reboot
-          STUB
+          STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
 
-          # steamos-select-branch: no-op stub
-          cat > $out/bin/steamos-select-branch << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
-          exit 0
-          STUB
+          if [ -z "$STORE_PATH" ]; then
+            >&2 echo "[steamos-update] server unreachable"
+            exit 7
+          fi
 
-          # steamos-factory-reset-config: no-op stub
-          cat > $out/bin/steamos-factory-reset-config << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
-          exit 0
-          STUB
+          CURRENT=$(readlink -f /nix/var/nix/profiles/system)
+          if [ "$CURRENT" = "$STORE_PATH" ]; then
+            >&2 echo "[steamos-update] no update available"
+            exit 0
+          fi
 
-          # steamos-firmware-update: no-op stub
-          cat > $out/bin/steamos-firmware-update << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
-          exit 0
-          STUB
+          # check-only mode: just report that an update exists
+          if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
+            >&2 echo "[steamos-update] update available"
+            exit 0
+          fi
 
-          # pkexec: pass through to real pkexec
-          cat > $out/bin/pkexec << 'STUB'
-          #!/bin/sh
-          exec /run/wrappers/bin/pkexec "$@"
-          STUB
-
-          # sudo: pass through to doas
-          cat > $out/bin/sudo << 'STUB'
-          #!/bin/sh
-          exec /run/wrappers/bin/doas "$@"
-          STUB
-
-          chmod 755 $out/bin/*
+          # apply: trigger the root-running systemd service to install the update
+          >&2 echo "[steamos-update] applying update..."
+          if systemctl start --wait pull-update-apply.service; then
+            >&2 echo "[steamos-update] update installed, reboot to apply"
+            exit 0
+          else
+            >&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
+            exit 1
+          fi
         '';
-      };
-    })
+      in
+      {
+        jovian-stubs = prev.stdenv.mkDerivation {
+          name = "jovian-stubs";
+          dontUnpack = true;
+          installPhase = ''
+            mkdir -p $out/bin
+            ln -s ${steamos-update-script} $out/bin/steamos-update
+            ln -s ${steamos-update-script} $out/bin/steamos-mandatory-update
+
+            # jupiter-initial-firmware-update: no-op (not a real steam deck)
+            cat > $out/bin/jupiter-initial-firmware-update << 'STUB'
+            #!/bin/sh
+            exit 0
+            STUB
+
+            # jupiter-biosupdate: no-op (not a real steam deck)
+            cat > $out/bin/jupiter-biosupdate << 'STUB'
+            #!/bin/sh
+            exit 0
+            STUB
+
+            # steamos-reboot: reboot the system
+            cat > $out/bin/steamos-reboot << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            systemctl reboot
+            STUB
+
+            # steamos-select-branch: no-op stub
+            cat > $out/bin/steamos-select-branch << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
+            STUB
+
+            # steamos-factory-reset-config: no-op stub
+            cat > $out/bin/steamos-factory-reset-config << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
+            STUB
+
+            # steamos-firmware-update: no-op stub
+            cat > $out/bin/steamos-firmware-update << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
+            STUB
+
+            # pkexec: pass through to real pkexec
+            cat > $out/bin/pkexec << 'STUB'
+            #!/bin/sh
+            exec /run/wrappers/bin/pkexec "$@"
+            STUB
+
+            # sudo: strip flags and run the command directly (no escalation).
+            # privileged ops are delegated to root systemd services via systemctl.
+            cat > $out/bin/sudo << 'STUB'
+            #!/bin/sh
+            while [ $# -gt 0 ]; do
+              case "$1" in
+                -*) shift ;;
+                *) break ;;
+              esac
+            done
+            exec "$@"
+            STUB
+
+            find $out/bin -type f -exec chmod 755 {} +
+          '';
+        };
+      }
+    )
   ];
 
   jovian = {

system/vr.nix

@@ -14,10 +14,6 @@
     enable = true;
     openFirewall = true;
 
-    # Write information to /etc/xdg/openxr/1/active_runtime.json, VR applications
-    # will automatically read this and work with wivrn
-    defaultRuntime = true;
-
     # Executing it through the systemd service executes WiVRn w/ CAP_SYS_NICE
     # Resulting in no stutters!
     autoStart = true;