From d3b5c279005c629b0411f9db0ca86f20c37751f0 Mon Sep 17 00:00:00 2001 From: cy Date: Wed, 2 Apr 2025 23:59:19 -0400 Subject: [PATCH 01/41] workflow: try build with conduwuit's cache --- .github/workflows/build-machines-and-homes.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index c955639..e7e2764 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -47,8 +47,8 @@ jobs: accept-flake-config = true system-features = nixos-test benchmark big-parallel kvm secret-key-files = /home/runner/cache-priv-key.pem - extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems - extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= + extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems https://attic.kennel.juneis.dog/conduwuit + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= - name: Install Lix run: | From 912cde0be459bb4a727cce882ed846d32f73d6d9 Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 4 Apr 2025 10:01:49 -0400 Subject: [PATCH 02/41] bump conduwuit --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 0fe0871..7eb0812 100644 --- a/flake.lock +++ b/flake.lock 
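Review bot: The `conduwuit:` key added to `extra-trusted-public-keys` is trusted for every store path this job substitutes, not only conduwuit's, because Nix keeps one flat list of trusted keys and does not tie a key to the substituter it was added for. Anything signed by that third-party key would therefore be accepted for any derivation in the machine and home closures built here. The same config sets `secret-key-files`, which suggests the results may later be signed for the project's own cache, though that step is outside the hunk. Since the subject says "try", I would mark the entry as temporary with a comment on the step, e.g. `# third-party cache, added only for the conduwuit build; remove once nixcache.cy7.sh serves that closure`, or move the conduwuit build into its own job that carries these two settings. The enclosing step starts and ends outside the hunk.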
@@ -114,11 +114,11 @@ "rocksdb": "rocksdb" }, "locked": { - "lastModified": 1743473828, - "narHash": "sha256-x/sfh6LCHGAz8rL23GHhH7dac1LtHBbRRJi1p8gOdtI=", + "lastModified": 1743735594, + "narHash": "sha256-aaP8OjY4fkpxk2JdSggx9S3Rk+P+VhuivT6aRpLxoj0=", "owner": "girlbossceo", "repo": "conduwuit", - "rev": "0f81c1e1ccdcb0c5c6d5a27e82f16eb37b1e61c8", + "rev": "00f7745ec4ebcea5f892376c5de5db1299f71696", "type": "github" }, "original": { @@ -151,11 +151,11 @@ }, "crane_2": { "locked": { - "lastModified": 1742394900, - "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", + "lastModified": 1739936662, + "narHash": "sha256-x4syUjNUuRblR07nDPeLDP7DpphaBVbUaSoeZkFbGSk=", "owner": "ipetkov", "repo": "crane", - "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", + "rev": "19de14aaeb869287647d9461cbd389187d8ecdb7", "type": "github" }, "original": { From d3c61ac0dfe0c7cca1595edd9846551ce3331b22 Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 4 Apr 2025 12:06:56 -0400 Subject: [PATCH 03/41] kitty: improve keybindings and bring back kitten ssh alias --- home/kitty.nix | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/home/kitty.nix b/home/kitty.nix index ea7047f..0021bb5 100644 --- a/home/kitty.nix +++ b/home/kitty.nix @@ -17,10 +17,10 @@ # will probably lower this later but the max allowed is actually 4GB # this is NOT stored in memory and can only be viewed with scrollback_pager - "scrollback_pager_history_size" = "1024"; + "scrollback_pager_history_size" = "10"; # in MB # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399 "scrollback_pager" = "bat --pager='less -FR +G'"; - "scrollback_lines" = 20000; + # "scrollback_lines" = 20000; }; keybindings = { # kitty_mod is ctrl+shift by default 
@@ -58,18 +58,29 @@ "kitty_mod+alt+p" = "move_tab_backward"; "kitty_mod+q" = "close_tab"; "kitty_mod+t" = "new_tab_with_cwd"; - "ctrl+f2" = "detach_tab"; # hints # > basically means the preceding key is a prefix (think tmux) "kitty_mod+o>o" = "open_url_with_hints"; - "kitty_mod+o>p" = "kitten hints --type path --program -"; - "kitty_mod+o>n" = "kitten hints --type line --program -"; - "kitty_mod+o>w" = "kitten hints --type word --program -"; - "kitty_mod+o>h" = "kitten hints --type hash --program -"; + # `--program @` means copy to clipboard + "kitty_mod+o>u" = "kitten hints --type url --program @"; + "kitty_mod+o>p" = "kitten hints --type path --program @"; + "kitty_mod+o>n" = "kitten hints --type line --program @"; + "kitty_mod+o>w" = "kitten hints --type word --program @"; + "kitty_mod+o>h" = "kitten hints --type hash --program @"; "kitty_mod+o>l" = "kitten hints --type linenum"; + + # scrolling + "kitty_mod+u" = "scroll_page_up"; + "kitty_mod+d" = "scroll_page_down"; + "kitty_mod+a" = "scroll_home"; + "kitty_mod+e" = "scroll_end"; + "kitty_mod+z" = "scroll_to_prompt -1"; # scroll to previous shell prompt + "kitty_mod+x" = "scroll_to_prompt 1"; # scroll to next shell prompt + "kitty_mod+y" = "show_scrollback"; # browse scrollback buffer in pager + "kitty_mod+g" = "show_last_command_output"; # browse output of last command in pager }; }; - # programs.zsh.shellAliases."ssh" = "kitten ssh"; # doesn't seem to work with bitwarden ssh agent :( + programs.zsh.shellAliases."ssh" = "kitten ssh"; } From afda7622defc3f33bfa35b2346f29ab10ca1e931 Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 4 Apr 2025 12:07:39 -0400 Subject: [PATCH 04/41] hedgedoc: fix domain --- hosts/chunk/hedgedoc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix index 62505f9..1e7e497 100644 --- a/hosts/chunk/hedgedoc.nix +++ b/hosts/chunk/hedgedoc.nix 
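Review bot: The last changed line re-enables `programs.zsh.shellAliases."ssh" = "kitten ssh";` and deletes the comment saying it did not work with the Bitwarden SSH agent, so the file no longer records whether that problem was resolved. With the alias in place every interactive `ssh` goes through the kitten, which sets up terminfo and kitty's shell integration on the remote side, so it is worth stating that this is intended for all hosts. I would keep a one-line comment such as `# kitten ssh for every host; previously failed with the bitwarden ssh agent, confirm agent auth still works`.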
@@ -11,7 +11,7 @@ dialect = "postgresql"; }; port = 8085; - domain = "pad.cything.io"; + domain = "pad.cy7.sh"; allowEmailRegister = false; protocolUseSSL = true; }; From 541d625c8e30176fd25e79201eee72871309088b Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 4 Apr 2025 12:14:02 -0400 Subject: [PATCH 05/41] garage: use 16M block_size and compression_level 3 --- hosts/chunk/garage.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/chunk/garage.nix b/hosts/chunk/garage.nix index 982e1f4..639bbd8 100644 --- a/hosts/chunk/garage.nix +++ b/hosts/chunk/garage.nix @@ -20,8 +20,8 @@ replication_factor = 1; db_engine = "lmdb"; disable_scrub = true; - block_size = "128M"; - compression_level = "none"; + block_size = "16M"; + compression_level = 3; }; environmentFile = config.sops.secrets."garage/env".path; logLevel = "warn"; From 160f89b4238b8278f0e0d00d97829eef067bfc50 Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 4 Apr 2025 12:14:24 -0400 Subject: [PATCH 06/41] tune rclone (again) --- hosts/chunk/rclone.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix index c592fbb..1c474af 100644 --- a/hosts/chunk/rclone.nix +++ b/hosts/chunk/rclone.nix @@ -14,18 +14,19 @@ let --config ${config.sops.secrets."rclone/config".path} \ --allow-other \ --cache-dir /var/cache/rclone \ - --transfers 32 \ + --transfers 64 \ --vfs-cache-mode full \ --vfs-cache-min-free-space 5G \ --dir-cache-time 30d \ --no-checksum \ --no-modtime \ --vfs-fast-fingerprint \ - --vfs-read-chunk-size 16M \ + --vfs-read-chunk-size 8M \ --vfs-read-chunk-streams 16 \ - --sftp-concurrency 64 \ + --sftp-concurrency 128 \ --sftp-chunk-size 255k \ --buffer-size 0 \ + --write-back-cache \ ${remote} ${mount} ''; ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -zu ${mount}"; From 2c9d24f06a1a20292aca678437f959f1dc2ab2e5 Mon Sep 17 00:00:00 2001 
From: cy Date: Fri, 4 Apr 2025 12:52:29 -0400 Subject: [PATCH 07/41] authelia: oauth for hedgedoc and guard grafana --- hosts/chunk/grafana.nix | 1 + hosts/chunk/hedgedoc.nix | 1 + modules/authelia.nix | 19 ++++++++++++++++++- secrets/services/hedgedoc.yaml | 13 ++++--------- 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/hosts/chunk/grafana.nix b/hosts/chunk/grafana.nix index f79a7ff..33a77a0 100644 --- a/hosts/chunk/grafana.nix +++ b/hosts/chunk/grafana.nix @@ -42,6 +42,7 @@ services.caddy.virtualHosts."grafana.cy7.sh".extraConfig = '' import common + import authelia reverse_proxy localhost:8088 ''; } diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix index 1e7e497..765e0f5 100644 --- a/hosts/chunk/hedgedoc.nix +++ b/hosts/chunk/hedgedoc.nix @@ -14,6 +14,7 @@ domain = "pad.cy7.sh"; allowEmailRegister = false; protocolUseSSL = true; + imageuploadtype = "minio"; }; }; diff --git a/modules/authelia.nix b/modules/authelia.nix index afd8b52..b882a42 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -77,6 +77,23 @@ in userinfo_signed_response_alg = "none"; token_endpoint_auth_method = "client_secret_basic"; } + { + client_id = "hedgedoc"; + client_name = "HedgeDoc"; + client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ + "https://pad.cy7.sh/auth/oauth2/callback" + ]; + scopes = [ "openid" "profile" "email" ]; + userinfo_signed_response_alg = "none"; + grant_types = [ "refresh_token" "authorization_code" ]; + response_types = [ "code" ]; + response_modes = [ "form_post" "query" "fragment" ]; + audience = []; + token_endpoint_auth_method = "client_secret_post"; + } ]; }; secrets = { @@ -101,4 +118,4 @@ in reverse_proxy localhost:9091 ''; }; -} \ No newline at end of file +} diff --git a/secrets/services/hedgedoc.yaml b/secrets/services/hedgedoc.yaml index 84ef3d6..a970c3b 100644 
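Review bot: The new `hedgedoc` client in modules/authelia.nix is granted more than an authorization-code login appears to need. `response_modes` lists `"fragment"` although `response_types` is only `"code"`, and `grant_types` includes `"refresh_token"` while `scopes` has no `offline_access`, so the refresh grant is probably unused (confirm against Authelia's client documentation). Unless HedgeDoc is known to require them, I would narrow these to `response_modes = [ "form_post" "query" ];` and `grant_types = [ "authorization_code" ];`. The `client_secret` is stored as an argon2id digest, which is the form Authelia expects, but because the digest is committed to the repository the plaintext should be a long random value rather than a passphrase. The `clients` list begins outside the hunk.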
--- a/secrets/services/hedgedoc.yaml +++ b/secrets/services/hedgedoc.yaml @@ -1,10 +1,6 @@ hedgedoc: - env: ENC[AES256_GCM,data:15rWiIYWyIJ0Hxl5I8m+EBV+FkNDT/OHlLK9shVS46UE7SQtuIh45N5hvwgs0rg9E9Tawu+lyE2aozWNh6HSDUZ1h4FYrB+JHwIetGkOqXSLHfXi,iv:v9ohLTtlxw3fsRoJJoOY5VYxVsxUyDEsQHRjcGKg/GY=,tag:Wncm1reqNblnVhRTYjU3Pg==,type:str] + env: ENC[AES256_GCM,data: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,iv:eUa/yfdrxj9+GBqyp03s/7q67fAgr6Z39sT4iqb/38Q=,tag:Je9lq7BLB4NJGDTWAKRgIQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn enc: | @@ -24,8 +20,7 @@ sops: enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e 9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-17T03:25:54Z" - mac: ENC[AES256_GCM,data:1cxiK/HhqYzatT2PhZxjvtizII2QMHqbbyOujUtx4cT8x488j2wecu6hOfSkuHbQ43AxA8kDH1NAruPCSdCpj3PytMR+np+R/5WuRcK+OF/FCnWvWvvHqgDnBs/wYjllnR6HyWBlhrROpINxu9ch4fzN0Def3I7O+wJgpojnPiU=,iv:PKPykPv9zSHj9+HXnrg1v8Ty78te66D9ZH6c1V7Qlh4=,tag:JQk68u6p317r3Df+hv16+g==,type:str] - pgp: [] + lastmodified: "2025-04-04T16:46:41Z" + mac: ENC[AES256_GCM,data:X7wtnmauh/tRbYCSPNtr/38CVyhIezYQKwcysna+3d31QatbAfTSkAMAWcSG+brpvAW14UfhwRiaCPoSjkS5eSkwd99S0CBI50yCjUFh43Uum3TBJhAnc6bzQkJHGXRk7duxkQJvEeDDZT4ph+/UoZ2xGu5LCjpLenDqldeHgCg=,iv:jMVBz0gPoW/J8NvkSGMjx28nXpX8mpWBrvXyCgi7F1U=,tag:mTj/2mwVjy3wYIsHnbMXDw==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.1 From 2568f729231cc39118090d476537206ff6a2615b Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 4 Apr 2025 13:05:12 -0400 Subject: [PATCH 08/41] hedgedoc: don't use s3 --- hosts/chunk/hedgedoc.nix | 1 - secrets/services/hedgedoc.yaml | 6 +++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix index 765e0f5..1e7e497 100644 --- a/hosts/chunk/hedgedoc.nix +++ b/hosts/chunk/hedgedoc.nix 
@@ -14,7 +14,6 @@ domain = "pad.cy7.sh"; allowEmailRegister = false; protocolUseSSL = true; - imageuploadtype = "minio"; }; }; diff --git a/secrets/services/hedgedoc.yaml b/secrets/services/hedgedoc.yaml index a970c3b..eec4db4 100644 --- a/secrets/services/hedgedoc.yaml +++ b/secrets/services/hedgedoc.yaml 
@@ -1,5 +1,5 @@ hedgedoc: - env: ENC[AES256_GCM,data:XClDoB4GH+gdOO2d2MQZUvjY1Y70/hlGbPlULBMNL+xv8OLUQCIpA8XBV8pLKdSbSimrzyXhIAIbCGGS4Q1NoWcoH99G4+pXRvHyOo7MyUs8wqXJc/mQ+e1SEXji3cwdiQUxrbov6w6e6fEYg4VhsHs/zJXLeS2M3jdYAlYy3jeJ5WcbPO9zlkz6h21fO5FOKzzaPXgnZGxj4JiZUivHLzSsQ+4TN3bgSdb+2048uQAn9RnLFKeROVE9Z8DzAIIPbE6KxWwYr2fFCdlegFA3taLJ+FwoCCaSoLDOrd78SDzcHmSpLJfD3ZRCFExE9xogLXx7kZNX6uPtncxN1W5iemW9F7aEyZmkv0POUlldyLSyhTk8Z6jzQkgbymIp/STHdcg4GvWvz8KZ+Yd+tBjkNlTCXuc0S/JGuyjf6we8yuYWnRkfMwQ4GNIjsIHQYSMjpLviNZfKrPk8T0DijtmZnb4Zdw5eg4KLjMS3DfJAeR7c3LnOOIwgzcwTBDFsQunnxpZTT6eZSFbyktVEBH6CaXTWONzOH2Ff1mn/Tbzg7RHo/CaOXDqeJ6B5GejK5ahmeko1SYp+qsX/qdf75lNbJieUcPtfkVwrcHK187HbPSZkf6DYDNvpDcuPD1kQqq2OUb5lHKohbN8iGnwzFlPF4w60jGOzwry8CbctZtynFB6LdK4NTPsiGv9OqU+y5rqm24GjaHljTawbMwYt5kWmLYMtVwcWkXJdFdRUu4hfmMmNUYExpx5CBCjiXZTnElTivmGw3NPdncIsfjo8gOliM/ZidmZxrn5a5+RzLfYslQecp50ek/9UIRPB9P4UyLqgl3rYwh4BadVyIro5mRQBz3nnvEj1kwIeSVwC60Ysv/Uel4zfULKV0vAE+7x2Ogs1s/4N3wYuCns/+UOnS2DNnnjpSHF75Z/GktD9Ni1MJYeOpLU559gbGzKen+6ndy2oXQw8fdFC7ZlwkzRO5YKmrOpwVaVUC4vIYWJO4lFCgajJEpqGhRgPjHE8xFcPu1/kCyYFWVUC/9CAYFFqzpOhczLiS08CqCR9F9XktX3tgHqcJkz473B6xsAIeS2TCgMtRozLwi8OBwiDUZZYAVSmt+h1Dlq09cvjfhXfPQCHVh5jajlPNuXsNXtfVlz45i1DYo7ccyE+Svn2eMs5smkCXt66aFOMujURvkzTZqXYK3loaQPck2DXlN6nFCXlig==,iv:eUa/yfdrxj9+GBqyp03s/7q67fAgr6Z39sT4iqb/38Q=,tag:Je9lq7BLB4NJGDTWAKRgIQ==,type:str] + env: 
ENC[AES256_GCM,data:hU4Ht9WkWknuYJ3yHZSm5o22wlssTNjPDZvgDi9DGEh8ULt2GzrEHfFHI9VcpyrbsLcw7HT5TuYrPibWMk4AEvqlZT/6UiyQFMso9mac6x7esf55RHTXr4F7gyC/eRDUE+mAzyhjB5xKaCUhaQpMOwA2t0zahtiaCzLvi/DXRo1jiB42Xt8Nwi1D+zRT3T/HYD8l7D+SZQQc6HC+WM/y7RIjEPcDeX/wTk+JqiGW++0D3GxCQgq6VOhw7EM4hs5aR659QVNICT9kJt9nxEsyU84nsws4MHzU53BvEY77rYZPvvrBSFJ+TnQJ0c/e8K2G9mgaEGkk/+Rmx3RbPQKuTNCzAJZ0m9g9XSwMHU/z5KkrxcI6xU1+JqpdL2Rx35JiNxbNNrlQSvXJFuGNSf0Z5l8RirKJL4HJXAsIPVZTxeJJ0rQflyb5hN63KH/vUTHJWucAFSRYwLHOgs4Yu7SKJjnWnrLYAK9K/eRprhe3Np3vTed13soZXjdB1Jz6lz3lUxZ4TpOb6E8rGt33GqACTp04DBkyUaxMg7fOQIi0riev9GcGNy1kQkDC5dOwWyQdSICIavBrL+4WRoK8xhsEMY8K58+TYfIm3XnWz6pSEl7OzdGNSFZJuwAPzGS065bCjHIlMxIUKlbx4rmGvecIGRLoa5a5XpFwVwPlH8IJ8LvDPXqyIBquL6IsoCNi+jVy7UV52WldqAAeC3+UJtD8LJj1FaWLkoshkSbcr5veZLtBnpOZsiPXtkn1qgRhCB0QjzNwz+AOJCamSn1R+i+JJN6Wja3mJytCrtoj0M6cc1beJBbam4PgxWd1CJE3zhstuqoktn9LdDZ3qNjPgRY3q4FPbjo53XvQQi/NgnPztMg2z7Rj8yeNtG+HjL2pfXIw9AXZwc19D+T7M5hR7jlD3117o+K2CeaC+wgfXPZ/xzIbhg==,iv:gvSOTStLJ5R4UaXj7gXQDCF4TAgway12yh1BtGz1Mvs=,tag:Jt+daURO+t8HME/m7tLEIw==,type:str] sops: age: - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn 
@@ -20,7 +20,7 @@ sops: enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e 9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-04T16:46:41Z" - mac: ENC[AES256_GCM,data:X7wtnmauh/tRbYCSPNtr/38CVyhIezYQKwcysna+3d31QatbAfTSkAMAWcSG+brpvAW14UfhwRiaCPoSjkS5eSkwd99S0CBI50yCjUFh43Uum3TBJhAnc6bzQkJHGXRk7duxkQJvEeDDZT4ph+/UoZ2xGu5LCjpLenDqldeHgCg=,iv:jMVBz0gPoW/J8NvkSGMjx28nXpX8mpWBrvXyCgi7F1U=,tag:mTj/2mwVjy3wYIsHnbMXDw==,type:str] + lastmodified: "2025-04-04T17:04:50Z" + mac: ENC[AES256_GCM,data:RRkdyrxwrFs3r0SaNred5zTpz5CKf043+KWkFSvPFh0RbvIVyxzJKyfL9r7erifEMhPRJ7Hz5GKE4RAPA9yRLkA9C+416sZKfwdopqAe6zSRt4zd0QOPMdc2z3+07+1SP2ay/ZYCn6jjIyoBaki3t0DMv7e9a/OzFv3WfyjG/rg=,iv:K41muQnynaGoZsBquNF0SNFgssLF9KGzBz8siagI+38=,tag:jkWbWBloSbUSJXl9jedAMQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.1 From 7c180248fb4cf47d19007c00a66bb3f27bac5acc Mon Sep 17 00:00:00 2001 
From: cy Date: Fri, 4 Apr 2025 12:55:01 -0400 Subject: [PATCH 09/41] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'conduwuit': 'github:girlbossceo/conduwuit/00f7745ec4ebcea5f892376c5de5db1299f71696' (2025-04-04) → 'github:girlbossceo/conduwuit/4e5b87d0cd16f3d015f4b61285b369d027bb909d' (2025-04-04) • Updated input 'garage/crane': 'github:ipetkov/crane/70947c1908108c0c551ddfd73d4f750ff2ea67cd' (2025-03-19) → 'github:ipetkov/crane/6fe74265bbb6d016d663b1091f015e2976c4a527' (2025-01-24) • Updated input 'home-manager': 'github:nix-community/home-manager/5ee44bc7c2e853f144390a12ebe5174ad7e3b9e0' (2025-04-02) → 'github:nix-community/home-manager/bb036cb35383982066e01a6ac8d45597132cf5d5' (2025-04-04) • Updated input 'lanzaboote/crane': 'github:ipetkov/crane/70947c1908108c0c551ddfd73d4f750ff2ea67cd' (2025-03-19) → 'github:ipetkov/crane/75390a36cd0c2cdd5f1aafd8a9f827d7107f2e53' (2025-03-05) • Updated input 'lanzaboote/flake-parts': 'github:hercules-ci/flake-parts/c621e8422220273271f52058f618c94e405bb0f5' (2025-04-01) → 'github:hercules-ci/flake-parts/3876f6b87db82f33775b1ef5ea343986105db764' (2025-03-01) • Updated input 'lanzaboote/rust-overlay': 'github:oxalica/rust-overlay/1de27ae43712a971c1da100dcd84386356f03ec7' (2025-04-02) → 'github:oxalica/rust-overlay/38e9826bc4296c9daf18bc1e6aa299f3e932a403' (2025-03-06) • Updated input 'lix-module/nixpkgs': 'github:nixos/nixpkgs/77b584d61ff80b4cef9245829a6f1dfad5afdfa3' (2025-03-31) → 'github:nixos/nixpkgs/1e5b653dff12029333a6546c11e108ede13052eb' (2025-03-22) • Updated input 'nil/rust-overlay': 'github:oxalica/rust-overlay/1de27ae43712a971c1da100dcd84386356f03ec7' (2025-04-02) → 'github:oxalica/rust-overlay/aefb7017d710f150970299685e8d8b549d653649' (2025-03-04) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/adae22bea8bcc0aa2fd6e8732044660fb7755f5e' (2025-04-02) → 'github:nixos/nixpkgs/30705076a1748a2b2a1cf0539ea1665eef4d2f4a' 
(2025-04-04) • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/02f2af8c8a8c3b2c05028936a1e84daefa1171d4' (2025-04-01) → 'github:nixos/nixpkgs/44a69ed688786e98a101f02b712c313f1ade37ab' (2025-04-02) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/1de27ae43712a971c1da100dcd84386356f03ec7' (2025-04-02) → 'github:oxalica/rust-overlay/c4a8327b0f25d1d81edecbb6105f74d7cf9d7382' (2025-04-03) • Updated input 'sops-nix': 'github:Mic92/sops-nix/e7f4d7ed8bce8dfa7d2f2fe6f8b8f523e54646f8' (2025-04-01) → 'github:Mic92/sops-nix/cff8437c5fe8c68fc3a840a21bf1f4dc801da40d' (2025-04-04) • Updated input 'vscode-extensions': 'github:nix-community/nix-vscode-extensions/bc23f562c367b3e6300d596c24f0080220897df7' (2025-04-02) → 'github:nix-community/nix-vscode-extensions/c8270f31af9c37e4fe5711567a6412460e94e9b7' (2025-04-04) --- flake.lock | 78 +++++++++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/flake.lock b/flake.lock index 7eb0812..76a4f1e 100644 --- a/flake.lock +++ b/flake.lock @@ -114,11 +114,11 @@ "rocksdb": "rocksdb" }, "locked": { - "lastModified": 1743735594, - "narHash": "sha256-aaP8OjY4fkpxk2JdSggx9S3Rk+P+VhuivT6aRpLxoj0=", + "lastModified": 1743780871, + "narHash": "sha256-xmDepDLHsIWiwpWYjhI40XOrV9jCKrYJQ+EK1EOIdRg=", "owner": "girlbossceo", "repo": "conduwuit", - "rev": "00f7745ec4ebcea5f892376c5de5db1299f71696", + "rev": "4e5b87d0cd16f3d015f4b61285b369d027bb909d", "type": "github" }, "original": { @@ -167,11 +167,11 @@ }, "crane_3": { "locked": { - "lastModified": 1742394900, - "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", + "lastModified": 1737689766, + "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=", "owner": "ipetkov", "repo": "crane", - "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", + "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527", "type": "github" }, "original": { 
@@ -182,11 +182,11 @@ }, "crane_4": { "locked": { - "lastModified": 1742394900, - "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", + "lastModified": 1741148495, + "narHash": "sha256-EV8KUaIZ2/CdBXlutXrHoZYbWPeB65p5kKZk71gvDRI=", "owner": "ipetkov", "repo": "crane", - "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", + "rev": "75390a36cd0c2cdd5f1aafd8a9f827d7107f2e53", "type": "github" }, "original": { @@ -386,11 +386,11 @@ ] }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1740872218, + "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "3876f6b87db82f33775b1ef5ea343986105db764", "type": "github" }, "original": { @@ -610,11 +610,11 @@ ] }, "locked": { - "lastModified": 1743556466, - "narHash": "sha256-rvU79DJ6rPDxiH0sTp686Vlm+JewwAZPGcwt8OfHJbM=", + "lastModified": 1743783108, + "narHash": "sha256-Lg1cK7oGCNPOO1ts481m269WmdGNoigz8RNXLRE9Co0=", "owner": "nix-community", "repo": "home-manager", - "rev": "5ee44bc7c2e853f144390a12ebe5174ad7e3b9e0", + "rev": "bb036cb35383982066e01a6ac8d45597132cf5d5", "type": "github" }, "original": { @@ -909,11 +909,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1743501102, - "narHash": "sha256-7PCBQ4aGVF8OrzMkzqtYSKyoQuU2jtpPi4lmABpe5X4=", + "lastModified": 1743576891, + "narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "02f2af8c8a8c3b2c05028936a1e84daefa1171d4", + "rev": "44a69ed688786e98a101f02b712c313f1ade37ab", "type": "github" }, "original": { 
@@ -973,11 +973,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1743448293, - "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=", + "lastModified": 1742669843, + "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "77b584d61ff80b4cef9245829a6f1dfad5afdfa3", + "rev": "1e5b653dff12029333a6546c11e108ede13052eb", "type": "github" }, "original": { @@ -989,11 +989,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1743559129, - "narHash": "sha256-7gpAWsENV3tY2HmeHYQ2MoQxGpys+jQWnkS/BHAMXVk=", + "lastModified": 1743775863, + "narHash": "sha256-gUnR9qcZK/O20oQFn1ijz7Nn66qG2Sp7JprDFl+oQBo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "adae22bea8bcc0aa2fd6e8732044660fb7755f5e", + "rev": "30705076a1748a2b2a1cf0539ea1665eef4d2f4a", "type": "github" }, "original": { @@ -1110,11 +1110,11 @@ ] }, "locked": { - "lastModified": 1743561237, - "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=", + "lastModified": 1741228283, + "narHash": "sha256-VzqI+k/eoijLQ5am6rDFDAtFAbw8nltXfLBC6SIEJAE=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1de27ae43712a971c1da100dcd84386356f03ec7", + "rev": "38e9826bc4296c9daf18bc1e6aa299f3e932a403", "type": "github" }, "original": { @@ -1131,11 +1131,11 @@ ] }, "locked": { - "lastModified": 1743561237, - "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=", + "lastModified": 1741055476, + "narHash": "sha256-52vwEV0oS2lCnx3c/alOFGglujZTLmObit7K8VblnS8=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1de27ae43712a971c1da100dcd84386356f03ec7", + "rev": "aefb7017d710f150970299685e8d8b549d653649", "type": "github" }, "original": { 
@@ -1151,11 +1151,11 @@ ] }, "locked": { - "lastModified": 1743561237, - "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=", + "lastModified": 1743682350, + "narHash": "sha256-S/MyKOFajCiBm5H5laoE59wB6w0NJ4wJG53iAPfYW3k=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1de27ae43712a971c1da100dcd84386356f03ec7", + "rev": "c4a8327b0f25d1d81edecbb6105f74d7cf9d7382", "type": "github" }, "original": { @@ -1171,11 +1171,11 @@ ] }, "locked": { - "lastModified": 1743502316, - "narHash": "sha256-zI2WSkU+ei4zCxT+IVSQjNM9i0ST++T2qSFXTsAND7s=", + "lastModified": 1743756170, + "narHash": "sha256-2b11EYa08oqDmF3zEBLkG1AoNn9rB1k39ew/T/mSvbU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e7f4d7ed8bce8dfa7d2f2fe6f8b8f523e54646f8", + "rev": "cff8437c5fe8c68fc3a840a21bf1f4dc801da40d", "type": "github" }, "original": { @@ -1267,11 +1267,11 @@ ] }, "locked": { - "lastModified": 1743558944, - "narHash": "sha256-LtmHSXZjFXUWYwWhvEPWSbnmAD62TrvLdZGqQvcSHIY=", + "lastModified": 1743731627, + "narHash": "sha256-gFvZTGlSGCl7MZ5MrihUf7pkIY0zwaUVhl/iUBto/3I=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "bc23f562c367b3e6300d596c24f0080220897df7", + "rev": "c8270f31af9c37e4fe5711567a6412460e94e9b7", "type": "github" }, "original": { From 8ead8c14e3fbc895910e389bd0a7f0476b3d465a Mon Sep 17 00:00:00 2001 From: cy Date: Sat, 5 Apr 2025 12:57:19 -0400 Subject: [PATCH 10/41] rm element web --- home/codium.nix | 6 ++++++ home/kitty.nix | 1 + hosts/chunk/default.nix | 1 - hosts/chunk/element.nix | 33 --------------------------------- 4 files changed, 7 insertions(+), 34 deletions(-) delete mode 100644 hosts/chunk/element.nix diff --git a/home/codium.nix b/home/codium.nix index 117c9e0..706736d 100644 --- a/home/codium.nix +++ b/home/codium.nix @@ -24,6 +24,7 @@ golang.go ms-python.python christian-kohler.path-intellisense + # firefox-devtools.vscode-firefox-debug ]; userSettings = let 
@@ -74,6 +75,11 @@ "telemetry.enableTelemetry" = false; "telemetry.telemetryLevel" = "off"; "window.titleBarStyle" = "custom"; + # https://github.com/ChristianKohler/PathIntellisense#installation + "typescript.suggest.paths" = false; + "javascript.suggest.paths" = false; + + "path-intellisense.absolutePathToWorkspace" = true; # terminal stuff "terminal.integrated.cursorBlinking" = true; diff --git a/home/kitty.nix b/home/kitty.nix index 0021bb5..a77a432 100644 --- a/home/kitty.nix +++ b/home/kitty.nix @@ -21,6 +21,7 @@ # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399 "scrollback_pager" = "bat --pager='less -FR +G'"; # "scrollback_lines" = 20000; + wheel_scroll_multiplier = 50; }; keybindings = { # kitty_mod is ctrl+shift by default diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 56bae51..5ddc4d5 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -18,7 +18,6 @@ ./grafana.nix ./conduwuit.nix ./immich.nix - ./element.nix ./forgejo.nix ./garage.nix ./tailscale.nix diff --git a/hosts/chunk/element.nix b/hosts/chunk/element.nix deleted file mode 100644 index 5a12e1e..0000000 --- a/hosts/chunk/element.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ - pkgs, - config, - ... -}: -{ - virtualisation.oci-containers.containers.element = { - image = "vectorim/element-web"; - autoStart = true; - ports = [ "127.0.0.1:8089:8089" ]; - pull = "newer"; - networks = [ "element-net" ]; - environment = { - ELEMENT_WEB_PORT = "8089"; - }; - }; - - systemd.services.create-element-net = { - serviceConfig.Type = "oneshot"; - wantedBy = with config.virtualisation.oci-containers; [ - "${backend}-element.service" - ]; - script = '' - ${pkgs.podman}/bin/podman network exists element-net || \ - ${pkgs.podman}/bin/podman network create element-net - ''; - }; - - services.caddy.virtualHosts."element.cy7.sh".extraConfig = '' - import common - reverse_proxy localhost:8089 - ''; -} 
From f7157a11ed296160bf79b6a81b975311f68a55e7 Mon Sep 17 00:00:00 2001 From: cy Date: Sat, 5 Apr 2025 16:46:18 -0400 Subject: [PATCH 11/41] containers: enable daily autoPrune --- modules/containerization.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/containerization.nix b/modules/containerization.nix index fd39da9..2bcc8dd 100644 --- a/modules/containerization.nix +++ b/modules/containerization.nix @@ -30,6 +30,10 @@ in }; # answer on /var/run/docker.sock dockerSocket.enable = true; + autoPrune = { + enable = true; + dates = "daily"; + }; }; docker.enable = lib.mkIf (!cfg.usePodman) true; oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker"; From 895052fb204cef0250128538d2f82c877008f8e0 Mon Sep 17 00:00:00 2001 From: cy Date: Sat, 5 Apr 2025 16:46:32 -0400 Subject: [PATCH 12/41] init karakeep (hoarder) --- .sops.yaml | 6 +++ hosts/chunk/default.nix | 17 +++---- modules/authelia.nix | 16 +++++++ modules/default.nix | 1 + modules/karakeep.nix | 81 ++++++++++++++++++++++++++++++++++ secrets/services/karakeep.yaml | 35 +++++++++++++++ 6 files changed, 145 insertions(+), 11 deletions(-) create mode 100644 modules/karakeep.nix create mode 100644 secrets/services/karakeep.yaml diff --git a/.sops.yaml b/.sops.yaml index 21d2151..5dca48c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -135,4 +135,10 @@ creation_rules: - *yt - *cy - *chunk + - path_regex: secrets/services/karakeep.yaml + key_groups: + - age: + - *yt + - *cy + - *chunk diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 5ddc4d5..9c6289d 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix 
@@ -46,20 +46,14 @@ "rsyncnet/id_ed25519" = { sopsFile = ../../secrets/zh5061/chunk.yaml; }; - "attic/env" = { - sopsFile = ../../secrets/services/attic.yaml; - }; "garage/env" = { sopsFile = ../../secrets/services/garage.yaml; }; "tailscale/auth" = { sopsFile = ../../secrets/services/tailscale.yaml; }; - "zipline/env" = { - sopsFile = ../../secrets/services/zipline.yaml; - }; - "searx/env" = { - sopsFile = ../../secrets/services/searx.yaml; + "karakeep/env" = { + sopsFile = ../../secrets/services/karakeep.yaml; }; }; @@ -186,9 +180,10 @@ programs.git.enable = true; my.caddy.enable = true; - - # container stuff my.containerization.enable = true; - my.authelia.enable = true; + my.karakeep = { + enable = true; + dataDir = "/opt/karakeep"; + }; } diff --git a/modules/authelia.nix b/modules/authelia.nix index b882a42..8b06196 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -49,6 +49,11 @@ in webauthn = { enable_passkey_login = true; }; + identity_providers.oidc.claims_policies = { + # https://github.com/karakeep-app/karakeep/issues/410 + # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter + karakeep.id_token = [ "email" ]; + }; identity_providers.oidc.clients = [ { client_id = "immich"; @@ -94,6 +99,17 @@ in audience = []; token_endpoint_auth_method = "client_secret_post"; } + { + client_id = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5"; + client_name = "Karakeep"; + client_secret = "$pbkdf2-sha512$310000$4UanDZq.6oholJW3CmKwtQ$9e3hqR8qGU4LoneR/Y9jtJTx0iSzATI4iXymrs8QrmGw4JY1BPF4.IJ9Jbc.8cikU4qpfUIFO6r2dG7JHznCnw"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ "https://keep.cy7.sh/api/auth/callback/custom" ]; + scopes = [ "openid" "profile" "email" ]; + userinfo_signed_response_alg = "none"; + claims_policy = "karakeep"; + } ]; }; secrets = { 
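Review bot: The `karakeep.id_token = [ "email" ]` claims policy added in modules/authelia.nix supplies the claim Karakeep matches accounts on, and modules/karakeep.nix in this same commit sets `OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true"`, so an account is selected purely by the email Authelia asserts. That holds only while Authelia is the sole provider and users cannot change the addresses in its user database; a comment next to the policy should say so, e.g. `# email is the account key in karakeep (email linking is on): keep addresses unique and admin-managed`. The new client also leaves `grant_types`, `response_types` and `token_endpoint_auth_method` at their defaults and uses a pbkdf2 digest, whereas the `hedgedoc` entry sets them explicitly and uses argon2id. Making the two entries consistent would make the client list easier to audit. The `oidc.clients` list begins outside the hunk.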
diff --git a/modules/default.nix b/modules/default.nix index db7bfa4..0d4638f 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -10,5 +10,6 @@ ./searx.nix ./attic.nix ./authelia.nix + ./karakeep.nix ]; } diff --git a/modules/karakeep.nix b/modules/karakeep.nix new file mode 100644 index 0000000..3e75f74 --- /dev/null +++ b/modules/karakeep.nix 
@@ -0,0 +1,81 @@ +{ config, lib, ... }: +let + cfg = config.my.karakeep; +in +{ + options.my.karakeep = { + enable = lib.mkEnableOption "karakeep"; + dataDir = lib.mkOption { + type = lib.types.path; + }; + port = lib.mkOption { + default = 3002; + description = "port for the web service"; + type = lib.types.port; + }; + domain = lib.mkOption { + default = "keep.cy7.sh"; + type = lib.types.str; + }; + environmentFile = lib.mkOption { + default = config.sops.secrets."karakeep/env".path; + type = lib.types.path; + }; + }; + + config = lib.mkIf cfg.enable { + virtualisation.oci-containers.containers = { + karakeep-web = { + image = "ghcr.io/karakeep-app/karakeep:release"; + pull = "newer"; + volumes = [ "${cfg.dataDir}:/data" ]; + ports = [ "${toString cfg.port}:3000"]; + dependsOn = [ + "karakeep-chrome" + "karakeep-meilisearch" + ]; + environment = { + MEILI_ADDR = "http://karakeep-meilisearch:7700"; + BROWSER_WEB_URL = "http://karakeep-chrome:9222"; + DATA_DIR = "/data"; + NEXTAUTH_URL = "https://${cfg.domain}"; + DISABLE_PASSWORD_AUTH = "true"; + OAUTH_WELLKNOWN_URL = "https://auth.cy7.sh/.well-known/openid-configuration"; + OAUTH_CLIENT_ID = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5"; + OAUTH_PROVIDER_NAME = "Authelia"; + OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true"; + }; + # needs NEXTAUTH_SECRET + environmentFiles = [ "${cfg.environmentFile}" ]; + }; + + karakeep-chrome = { + image = "ghcr.io/zenika/alpine-chrome:latest"; + pull = "newer"; + cmd = [ + "--no-sandbox" + "--disable-gpu" + "--disable-dev-shm-usage" + "--remote-debugging-address=0.0.0.0" + "--remote-debugging-port=9222" + "--hide-scrollbars" + ]; + }; + + karakeep-meilisearch = { + image = "getmeili/meilisearch:latest"; + volumes = [ "meilisearch:/meili_data" ]; + environment = { + MEILI_NO_ANALYTICS = "true"; + }; + # needs MEILI_MASTER_KEY + environmentFiles = [ "${cfg.environmentFile}" ]; + }; + }; + + services.caddy.virtualHosts.${cfg.domain}.extraConfig = 
'' + import common + reverse_proxy localhost:${toString cfg.port} + ''; + }; +} \ No newline at end of file diff --git a/secrets/services/karakeep.yaml b/secrets/services/karakeep.yaml new file mode 100644 index 0000000..cc09262 --- /dev/null +++ b/secrets/services/karakeep.yaml 
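Review bot: `ports = [ "${toString cfg.port}:3000"]` in karakeep-web publishes the app on every host interface, although its only visible consumer is Caddy's `reverse_proxy localhost:${toString cfg.port}` at the end of the file. Binding the publish to loopback, `ports = [ "127.0.0.1:${toString cfg.port}:3000" ];`, keeps plain-HTTP access from going around the proxy and does not rely on the host firewall. The same `environmentFiles` entry is passed to both karakeep-web and karakeep-meilisearch, so the search container also receives NEXTAUTH_SECRET; a separate file holding only MEILI_MASTER_KEY would limit that. karakeep-chrome runs with `--no-sandbox` from a mutable `:latest` tag while presumably rendering whatever pages get bookmarked, so pinning the image by digest and adding a comment on why the sandbox is off would help. `OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true"` also deserves a one-line comment stating that Authelia is the only identity provider and is trusted for the `email` claim.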
@@ -0,0 +1,35 @@ +karakeep: + env: ENC[AES256_GCM,data:SWc26EQaKR5d9hMDYzVHA/r7XfjwFZ0d44Co0IS6OayR24ej7yqLAtkNttROKoKFuYc0sHgN9bOy4MyX0s3qiSWYovIIUJgFiJjPQFYDAo+50WR4+5W5FgvYI6e42fcWrQhaCXWQrDyzch/zT2OITZsjXcQhT5E+IiPLVkaGOjGptE07GjM7ZXI4UxBzINFQOhxdfIO0km1o6Wq8GhJdWsz4exz4ahRslR+WjK/flV2GZVAj6EHSJ5sHohm74QlhxaShEbc/8IKP6R2gSjBFP7l8VvwFyIUD9sLzYGvS3iU=,iv:gSPQU0bZ+VRFbuaNDc90dW0ogWX2SMH7kewtq/u/11E=,tag:L0Y4EWSQUhcn2eHt+yZ7qQ==,type:str] +sops: + age: + - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaWQ1Q1JwRHJxQjNjdTAx + TXRsWjVZOG1mNEptNVhscHBaK2I5MHhjdlFjCkNqOEhwT3hyOHpHQ2k0ZmowUXB4 + eks2dlpUS0V6VjBEYW9UWnhFOEw4VGsKLS0tIFo2a0FTRE5WdHBGVW5DOUFkaE9p + bitvUnJXSnB6UnV3VTEzSjlSYmEwVUEKHOwFCRu+SIyM0uJ6bNEAo+MMlsc8la6G + bLYdCoykcBu+uVXqn3BYTbrS5ylQMRYcbcPFJw5BVdmjIYF4LU5W6A== + -----END AGE ENCRYPTED FILE----- + - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrU2ZnNVAyeVdJeHlTSW1x + QUhKRzlNclVUWE1ucHFLZW5sL1lnUDhkd0Y4CjFuekNEOE1icDNqL1JyT0hEYW16 + Q2VyajJFWWtGUnBzOENGOEZHbWROZzAKLS0tIE8wMVc3TkV5Y1VyenIvOW02NDNq + cStTeUcvY1pJWEN2MzFEeThKT0JPc1EKXrtVG49a6YZVKiL1F8Xg3t3niTYv3LwN + NeAQ8srV0F6ckky7OCkvUp9GInZCWRzULXV/x+4IUb6C+KQaNm2vYA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdDdUSUlmMk5VcytyT01N + UmRaK2k5Wkh5SlhPT3QrczY2eW9vZk5KWFZBCnBteitnNFlHdWRaaTRxSWYvYmtG + ZnY5ZXlYa3Z5aENlRy9BQjVSU1F3UzQKLS0tIFpjN1dOaWNKaU9PaENyaXc1K3BU + K2orZ0Y2Z05LSUZ5WHQ4TnVVY0QwSzQKiUQT4aSxXnaq0kEMp+q5WnIUoGypEmZ+ + DQEhkB9yu/BrkjXH+HGQr1W5B4sJyb5rnl0+SQ+IypRIRyaX4CdFxg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-05T19:44:58Z" + mac: 
ENC[AES256_GCM,data:OmqsJI9BaICOTiH1cq4gZlNBbkAxn/pAOWBtkIjHdqpikABLG6fMY+sLpyeaovXjexIj9MZk7fPmV8dRZ5VNLHCqlYXK/cVoQBZ2HK+p/cGTAFelNAShu9NSgZdFmVgJJtOjVvFp8dtuY8VcQj861k/MPX0mNZt9pmXYdumjpNM=,iv:efHkp1KUctwtCjG9A8i5qs7nQfQqv2ya1yYlHHOt8pU=,tag:4lChpspl0oOUMiXzvGuA2Q==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.1 From 9c859e23e66543b6bbd586f4248fae59c7b228e9 Mon Sep 17 00:00:00 2001 From: cy Date: Sat, 5 Apr 2025 18:53:39 -0400 Subject: [PATCH 13/41] authelia: use random client_ids --- modules/authelia.nix | 6 +++--- secrets/services/hedgedoc.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/authelia.nix b/modules/authelia.nix index 8b06196..f231f50 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -56,7 +56,7 @@ in }; identity_providers.oidc.clients = [ { - client_id = "immich"; + client_id = "4EIrpRb9rnwHWjYWvlz2gYrtTmoOLF1D5gqXw28BvmOS0f-9T2p4CFwuctf4Co1hkpo2sd4Y"; client_name = "immich"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8"; public = false; @@ -70,7 +70,7 @@ in userinfo_signed_response_alg = "none"; } { - client_id = "forgejo"; + client_id = "_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU"; client_name = "Forgejo"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$O2O5r/7A8hc4EMvernQ4Dw$YOVqtwY3jv0HlcxmviPq2CRnD7Dw85V9KDtTSUQE7bA"; public = false; @@ -83,7 +83,7 @@ in token_endpoint_auth_method = "client_secret_basic"; } { - client_id = "hedgedoc"; + client_id = "b_ITCG0uNzy9lZ5nVC~Ny5R35te8I3hoQW1uraCbdxeiE9VuiCIelMmZZ7dAZLg_anTUWSQG"; client_name = "HedgeDoc"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg"; public = false; diff --git a/secrets/services/hedgedoc.yaml b/secrets/services/hedgedoc.yaml index eec4db4..0c693dc 100644 --- a/secrets/services/hedgedoc.yaml +++ b/secrets/services/hedgedoc.yaml 
@@ -1,5 +1,5 @@ hedgedoc: - env: ENC[AES256_GCM,data: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,iv:gvSOTStLJ5R4UaXj7gXQDCF4TAgway12yh1BtGz1Mvs=,tag:Jt+daURO+t8HME/m7tLEIw==,type:str] + env: ENC[AES256_GCM,data:9xnOlQrk1qCyiAHSjmu8dvj2/z/BrJlngNGAQnMwvLsL0pnyvvyJLnYWTDYix1a9o8OJUNLw6Qhq7KbY4uXfxsNZkfGdVHwvkvhySjR2rcX/r90txqHJUUIxE/TzdsBvonzQ0F85KfXhsi69gKHp016gCj+jNf6CCY+tOVpt71el4Z+jzqLHasuQET8GctKJRzHOfNfCx/X2kJeb7RQl3JFC6/VmYT45bUk7uFfveFD9ao03wJwLKi27wO1WDrfpOigFdvkmqpbWZjaILYHYmkdhdlhr7w330CiCmGHT/ssmSPcu5cYUc8tjYPgpYLjusiUzpE5jmut5GaNwZsY9hNuow/mUVnQ/tCDH0ChOq0DQisJ07VMYlRII9tMdcuT4IbjjwiRcYlORAHsTFUuo5DCaDp8a4mx846BGp1YMQsvqJQgOe4x15VMpeB/ptxm79qxcLZKZ3BkiJaKmDdWsVk9RfqVgsxqiq16Me2EQhknO2s/oBjGOaoIiT4NEuRFQl0BIPgIMD0lYzKx0uDaYyclID5W0DqMI+SrcBd+WH/BB9HPdZx92rFe34PzjZse0i6+5UZHXUu8au6CyLMqGkUlzkSFwVT5W7Lv2m9P3+6YjgPRMaYbg8b6kmavB6EtjiqWtTbMKr3nxPVYJc5FRImvebfFqiLy5MWoNV6Qe7TUGIk6QtX2OWBhQ1UB+IpR+180QH7yw7UpgJ9EM8dD2m2/smar5P0BjAaqAFib++GzoB0OfFtxJNUjrejQC11tRWBXYvcHWwa78VbKPul0xqiEMmsAZufMix4lD1EgutTf1CXfv7l0rUpLwkYbWIq2hT5UI53L0YWJDl7zlhi94ANdXV8z8kCvMeXm2Fwl/vIgJ9JuFeVeVYPpXwx2coLBwE6uI4SuFvY1d4ojvzY8KftcHWO7srVzpuwrwW+6gKLwPQyEazv+sRKXAGo0ffMO2/2KRgOu9zGwaOFaNDAZ6gYFDWbPz6TMfNWHzfLEFK5BlVAL8KDb78IODUBYcMr2CX1Y=,iv:LDkuJgxIbohEVf7wmdtOZ/vlPddMYa7uzHGkL+0MnUM=,tag:pnJiCJydjTmUbS761fPUPw==,type:str] sops: age: - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn 
@@ -20,7 +20,7 @@ sops: enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e 9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-04T17:04:50Z" - mac: ENC[AES256_GCM,data:RRkdyrxwrFs3r0SaNred5zTpz5CKf043+KWkFSvPFh0RbvIVyxzJKyfL9r7erifEMhPRJ7Hz5GKE4RAPA9yRLkA9C+416sZKfwdopqAe6zSRt4zd0QOPMdc2z3+07+1SP2ay/ZYCn6jjIyoBaki3t0DMv7e9a/OzFv3WfyjG/rg=,iv:K41muQnynaGoZsBquNF0SNFgssLF9KGzBz8siagI+38=,tag:jkWbWBloSbUSJXl9jedAMQ==,type:str] + lastmodified: "2025-04-05T21:08:15Z" + mac: ENC[AES256_GCM,data:cPisYUoZWd/vd+wWzz3xTnftj1RdjK20dWFo+MKssm/eu7eCOWDIaZdcJg13gkTleBpMWQy/mG1drC6GLfGQiBmkS99UCPAoo0aLTBL4FbSm6FEXdbVjoOI7URu6Sj31drWCMAm+lXYymWsHwZJrNLhjsCTQsxTPvFq8oOdNlXo=,iv:KpmJoZ/BGEEhZ75jXfXxegNglm7k6mtleRuVud6tX2g=,tag:lsiqX+YSz4mGK6mw9gdKNg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.1 From 2b39a5ab5354bb7f277b85b91406f8311bfc4faa Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 6 Apr 2025 10:52:27 -0400 Subject: [PATCH 14/41] workflow: nix copy compression zstd --- .github/workflows/build-machines-and-homes.yml | 4 ++-- .github/workflows/build-packages.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index c955639..290761f 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -74,7 +74,7 @@ jobs: run: | package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" nix run git+https://git.cy7.sh/cy/nixcp.git -- \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ + --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \ -u https://nix-community.cachix.org \ -u https://nixcache.web.cy7.sh \ $package 
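Review bot: The upload step runs `nix run git+https://git.cy7.sh/cy/nixcp.git` with no revision while handing it `secret-key=/home/runner/cache-priv-key.pem`, so whatever that repository's default branch holds at job time executes with access to the cache signing key. This hunk and the two later ones that make the same `compression=zstd` change (the second hunk in this file and the one in build-packages.yml) leave that line as it is. Pinning the tool, for example `nix run 'git+https://git.cy7.sh/cy/nixcp.git?rev=<COMMIT_SHA>' -- \` with `<COMMIT_SHA>` standing for a reviewed commit, makes the code that handles the key reproducible and auditable. The step definition starts above the hunk.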
@@ -143,7 +143,7 @@ jobs: run: | package=".#homeConfigurations."${{ matrix.home }}".activationPackage" nix run git+https://git.cy7.sh/cy/nixcp.git -- \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ + --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \ -u https://nix-community.cachix.org \ -u https://nixcache.web.cy7.sh \ $package diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index c188482..4f76a1d 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -62,7 +62,7 @@ jobs: if: '!cancelled()' run: | nix run git+https://git.cy7.sh/cy/nixcp.git -- \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ + --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \ -u https://nix-community.cachix.org \ -u https://nixcache.web.cy7.sh \ "${{ matrix.package }}" From a4bd232336012e5891decdd2369b3671c5205a31 Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 6 Apr 2025 11:09:09 -0400 Subject: [PATCH 15/41] garage: use 128M block_size and none compression --- hosts/chunk/garage.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hosts/chunk/garage.nix b/hosts/chunk/garage.nix index 639bbd8..a36dc49 100644 --- a/hosts/chunk/garage.nix +++ b/hosts/chunk/garage.nix @@ -17,11 +17,12 @@ }; admin.api_bind_addr = "[::]:3903"; rpc_bind_addr = "[::]:3901"; + rpc_public_addr = "100.122.132.30:3901"; replication_factor = 1; db_engine = "lmdb"; disable_scrub = true; - block_size = "16M"; - compression_level = 3; + block_size = "128M"; + compression_level = "none"; }; environmentFile = config.sops.secrets."garage/env".path; logLevel = "warn"; From d9e6995b929c83c969904046c52a268168f922ff Mon Sep 17 00:00:00 2001 
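Review bot: The added `rpc_public_addr = "100.122.132.30:3901"` advertises a single address, yet the context lines keep `rpc_bind_addr = "[::]:3901"` and `admin.api_bind_addr = "[::]:3903"`, so both listeners presumably still accept connections on every interface unless a firewall rule not visible here blocks them. If that address is the only one peers and administrators should reach, binding to it, e.g. `rpc_bind_addr = "100.122.132.30:3901";`, narrows exposure to match, provided the interface is up before Garage starts. A short comment on why the IP is hard-coded, and on the `block_size` and `compression_level` choice (the previous commit apparently moves compression to the uploader), would help the next reader. The settings block starts above the hunk.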
From: cy Date: Sun, 6 Apr 2025 11:10:37 -0400 Subject: [PATCH 16/41] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/bb036cb35383982066e01a6ac8d45597132cf5d5' (2025-04-04) → 'github:nix-community/home-manager/ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7' (2025-04-06) • Updated input 'nix-index-database': 'github:nix-community/nix-index-database/b3696bfb6c24aa61428839a99e8b40c53ac3a82d' (2025-03-30) → 'github:nix-community/nix-index-database/a36f6a7148aec2c77d78e4466215cceb2f5f4bfb' (2025-04-06) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/30705076a1748a2b2a1cf0539ea1665eef4d2f4a' (2025-04-04) → 'github:nixos/nixpkgs/06f3516b0397bd241bde2daefc8538fc886c5467' (2025-04-05) • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/44a69ed688786e98a101f02b712c313f1ade37ab' (2025-04-02) → 'github:nixos/nixpkgs/7819a0d29d1dd2bc331bec4b327f0776359b1fa6' (2025-04-05) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/c4a8327b0f25d1d81edecbb6105f74d7cf9d7382' (2025-04-03) → 'github:oxalica/rust-overlay/9d00c6b69408dd40d067603012938d9fbe95cfcd' (2025-04-06) • Updated input 'sops-nix': 'github:Mic92/sops-nix/cff8437c5fe8c68fc3a840a21bf1f4dc801da40d' (2025-04-04) → 'github:Mic92/sops-nix/523f58a4faff6c67f5f685bed33a7721e984c304' (2025-04-06) • Updated input 'vscode-extensions': 'github:nix-community/nix-vscode-extensions/c8270f31af9c37e4fe5711567a6412460e94e9b7' (2025-04-04) → 'github:nix-community/nix-vscode-extensions/da51d4cab526bef885e8c95ab2b9455bfe0940d4' (2025-04-06) --- flake.lock | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index 76a4f1e..ba20fb3 100644 --- a/flake.lock +++ b/flake.lock 
@@ -610,11 +610,11 @@ ] }, "locked": { - "lastModified": 1743783108, - "narHash": "sha256-Lg1cK7oGCNPOO1ts481m269WmdGNoigz8RNXLRE9Co0=", + "lastModified": 1743948087, + "narHash": "sha256-B6cIi2ScgVSROPPlTti6len+TdR0K25B9R3oKvbw3M8=", "owner": "nix-community", "repo": "home-manager", - "rev": "bb036cb35383982066e01a6ac8d45597132cf5d5", + "rev": "ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7", "type": "github" }, "original": { @@ -826,11 +826,11 @@ ] }, "locked": { - "lastModified": 1743306489, - "narHash": "sha256-LROaIjSLo347cwcHRfSpqzEOa2FoLSeJwU4dOrGm55E=", + "lastModified": 1743911143, + "narHash": "sha256-4j4JPwr0TXHH4ZyorXN5yIcmqIQr0WYacsuPA4ktONo=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "b3696bfb6c24aa61428839a99e8b40c53ac3a82d", + "rev": "a36f6a7148aec2c77d78e4466215cceb2f5f4bfb", "type": "github" }, "original": { @@ -909,11 +909,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1743576891, - "narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=", + "lastModified": 1743813633, + "narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "44a69ed688786e98a101f02b712c313f1ade37ab", + "rev": "7819a0d29d1dd2bc331bec4b327f0776359b1fa6", "type": "github" }, "original": { @@ -989,11 +989,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1743775863, - "narHash": "sha256-gUnR9qcZK/O20oQFn1ijz7Nn66qG2Sp7JprDFl+oQBo=", + "lastModified": 1743862455, + "narHash": "sha256-I/QXtrqznq1321mYR9TyMPX/zCWb9iAH64hO+pEBY00=", "owner": "nixos", "repo": "nixpkgs", - "rev": "30705076a1748a2b2a1cf0539ea1665eef4d2f4a", + "rev": "06f3516b0397bd241bde2daefc8538fc886c5467", "type": "github" }, "original": { 
@@ -1151,11 +1151,11 @@ ] }, "locked": { - "lastModified": 1743682350, - "narHash": "sha256-S/MyKOFajCiBm5H5laoE59wB6w0NJ4wJG53iAPfYW3k=", + "lastModified": 1743906877, + "narHash": "sha256-Thah1oU8Vy0gs9bh5QhNcQh1iuQiowMnZPbrkURonZA=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "c4a8327b0f25d1d81edecbb6105f74d7cf9d7382", + "rev": "9d00c6b69408dd40d067603012938d9fbe95cfcd", "type": "github" }, "original": { @@ -1171,11 +1171,11 @@ ] }, "locked": { - "lastModified": 1743756170, - "narHash": "sha256-2b11EYa08oqDmF3zEBLkG1AoNn9rB1k39ew/T/mSvbU=", + "lastModified": 1743910657, + "narHash": "sha256-zr2jmWeWyhCD8WmO2aWov2g0WPPuZfcJDKzMJZYGq3Y=", "owner": "Mic92", "repo": "sops-nix", - "rev": "cff8437c5fe8c68fc3a840a21bf1f4dc801da40d", + "rev": "523f58a4faff6c67f5f685bed33a7721e984c304", "type": "github" }, "original": { @@ -1267,11 +1267,11 @@ ] }, "locked": { - "lastModified": 1743731627, - "narHash": "sha256-gFvZTGlSGCl7MZ5MrihUf7pkIY0zwaUVhl/iUBto/3I=", + "lastModified": 1743904774, + "narHash": "sha256-dHnwYLz1b6ohGP2DjWKpDFEZ9WOm4vYuPXKUna08awU=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "c8270f31af9c37e4fe5711567a6412460e94e9b7", + "rev": "da51d4cab526bef885e8c95ab2b9455bfe0940d4", "type": "github" }, "original": { From cad11e55f10cd36d3bc2cdf9ab8eba5c8f747b1b Mon Sep 17 00:00:00 2001 From: cy Date: Mon, 7 Apr 2025 10:38:17 -0400 Subject: [PATCH 17/41] add new sk-ed25519 key --- hosts/chunk/default.nix | 4 +++- modules/caddy.nix | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 9c6289d..0509b8d 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix 
@@ -138,13 +138,15 @@ "podman" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo=" ]; }; users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo=" ]; # for forgejo users.users.git = { diff --git a/modules/caddy.nix b/modules/caddy.nix index 0eb2cb7..f3f8e14 100644 --- a/modules/caddy.nix +++ b/modules/caddy.nix @@ -49,7 +49,8 @@ in respond / 200 { body "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhUt9h5dCcrwOrZNKkStCX5OxumPzEwYXSU/0DgtWgP - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD" + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD + sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/IX9OFEhHS9Dl8nrtHkL7j7hhy7in9OAY/hVuzEGL0AAAABHNzaDo=" } ''; }; From 2001228889ee08234fc04af6bfdb67696a09974b Mon Sep 17 00:00:00 2001 From: cy Date: Mon, 7 Apr 2025 10:38:44 -0400 Subject: [PATCH 18/41] ytnix: add systemd to nix-ld --- hosts/ytnix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix index ed91b61..ddf1364 100644 --- a/hosts/ytnix/default.nix +++ b/hosts/ytnix/default.nix 
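Review bot: The key set is now maintained by hand in three places, and the copies already differ. Those places are the user list at the top of this hunk, `users.users.root.openssh.authorizedKeys.keys`, and the `respond` body in modules/caddy.nix. The `yt@ytlinux` comment is dropped from the first list only, and the caddy body carries keys the other two do not. When a key is retired, a list that gets missed keeps granting access, so one `let`-bound list referenced by both `authorizedKeys.keys` attributes would be safer, with a comment naming the device behind each key. The existing non-sk keys also stay authorised, including for root, so the new `sk-ssh-ed25519@openssh.com` key adds a login path rather than replacing one; if hardware-backed login is the goal, the older entries are the ones to review. The user attribute set starts above the hunk.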
@@ -274,7 +274,6 @@ enable = true; # nix run github:thiagokokada/nix-alien#nix-alien-find-libs ./ libraries = with pkgs; [ - # TODO: revisit what we actually need mesa extest stdenv.cc.cc @@ -330,6 +329,7 @@ pcre2 gsettings-desktop-schemas fzf + systemd ]; }; programs.evolution.enable = true; From e678d56cad4e58a2e111faa8cddd472e2fdfab5b Mon Sep 17 00:00:00 2001 From: cy Date: Mon, 7 Apr 2025 10:39:22 -0400 Subject: [PATCH 19/41] codium: rm path-intellisense cuz no work --- home/codium.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/home/codium.nix b/home/codium.nix index 706736d..1eb02a4 100644 --- a/home/codium.nix +++ b/home/codium.nix @@ -23,8 +23,6 @@ tamasfe.even-better-toml golang.go ms-python.python - christian-kohler.path-intellisense - # firefox-devtools.vscode-firefox-debug ]; userSettings = let @@ -75,11 +73,6 @@ "telemetry.enableTelemetry" = false; "telemetry.telemetryLevel" = "off"; "window.titleBarStyle" = "custom"; - # https://github.com/ChristianKohler/PathIntellisense#installation - "typescript.suggest.paths" = false; - "javascript.suggest.paths" = false; - - "path-intellisense.absolutePathToWorkspace" = true; # terminal stuff "terminal.integrated.cursorBlinking" = true; From 904cecde7667c6d924101a525904432dc81047cd Mon Sep 17 00:00:00 2001 From: cy Date: Mon, 14 Apr 2025 10:32:02 -0400 Subject: [PATCH 20/41] codium: format on save --- home/codium.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/codium.nix b/home/codium.nix index 1eb02a4..ba4e324 100644 --- a/home/codium.nix +++ b/home/codium.nix @@ -73,6 +73,7 @@ "telemetry.enableTelemetry" = false; "telemetry.telemetryLevel" = "off"; "window.titleBarStyle" = "custom"; + "editor.formatOnSave" = true; # terminal stuff "terminal.integrated.cursorBlinking" = true; From 68d6fcc45e6da99c691607e825df04b0d0880aac Mon Sep 17 00:00:00 2001 
From: cy Date: Mon, 14 Apr 2025 10:54:24 -0400 Subject: [PATCH 21/41] just don't use matrix anymore --- flake.lock | 696 ++------------------------------------ flake.nix | 2 - hosts/chunk/conduwuit.nix | 33 -- hosts/chunk/default.nix | 1 - overlay/default.nix | 3 - 5 files changed, 25 insertions(+), 710 deletions(-) delete mode 100644 hosts/chunk/conduwuit.nix diff --git a/flake.lock b/flake.lock index ba20fb3..435ec8d 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,171 +1,6 @@ { "nodes": { - "attic": { - "inputs": { - "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs", - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1738524606, - "narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=", - "owner": "zhaofengli", - "repo": "attic", - "rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "ref": "main", - "repo": "attic", - "type": "github" - } - }, - "cachix": { - "inputs": { - "devenv": "devenv", - "flake-compat": "flake-compat_2", - "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_4" - }, - "locked": { - "lastModified": 1737621947, - "narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=", - "owner": "cachix", - "repo": "cachix", - "rev": "f65a3cd5e339c223471e64c051434616e18cc4f5", - "type": "github" - }, - "original": { - "owner": "cachix", - "ref": "master", - "repo": "cachix", - "type": "github" - } - }, - "cachix_2": { - "inputs": { - "devenv": [ - "conduwuit", - "cachix", - "devenv" - ], - "flake-compat": [ - "conduwuit", - "cachix", - "devenv" - ], - "git-hooks": [ - "conduwuit", - "cachix", - "devenv" - ], - "nixpkgs": "nixpkgs_2" - }, - "locked": { - "lastModified": 1728672398, - "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=", - "owner": "cachix", - "repo": "cachix", - "rev": "aac51f698309fd0f381149214b7eee213c66ef0a", - "type": "github" - }, - "original": { - "owner": "cachix", - "ref": "latest", - "repo": "cachix", - "type": "github" - } - }, - "complement": { - "flake": false, - "locked": { - "lastModified": 1741891349, - "narHash": "sha256-YvrzOWcX7DH1drp5SGa+E/fc7wN3hqFtPbqPjZpOu1Q=", - "owner": "girlbossceo", - "repo": "complement", - "rev": "e587b3df569cba411aeac7c20b6366d03c143745", - "type": "github" - }, - "original": { - "owner": "girlbossceo", - "ref": "main", - "repo": 
"complement", - "type": "github" - } - }, - "conduwuit": { - "inputs": { - "attic": "attic", - "cachix": "cachix", - "complement": "complement", - "crane": "crane_2", - "fenix": "fenix", - "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils", - "liburing": "liburing", - "nix-filter": "nix-filter", - "nixpkgs": [ - "nixpkgs" - ], - "rocksdb": "rocksdb" - }, - "locked": { - "lastModified": 1743780871, - "narHash": "sha256-xmDepDLHsIWiwpWYjhI40XOrV9jCKrYJQ+EK1EOIdRg=", - "owner": "girlbossceo", - "repo": "conduwuit", - "rev": "4e5b87d0cd16f3d015f4b61285b369d027bb909d", - "type": "github" - }, - "original": { - "owner": "girlbossceo", - "repo": "conduwuit", - "type": "github" - } - }, "crane": { - "inputs": { - "nixpkgs": [ - "conduwuit", - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1722960479, - "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=", - "owner": "ipetkov", - "repo": "crane", - "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_2": { - "locked": { - "lastModified": 1739936662, - "narHash": "sha256-x4syUjNUuRblR07nDPeLDP7DpphaBVbUaSoeZkFbGSk=", - "owner": "ipetkov", - "repo": "crane", - "rev": "19de14aaeb869287647d9461cbd389187d8ecdb7", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "ref": "master", - "repo": "crane", - "type": "github" - } - }, - "crane_3": { "locked": { "lastModified": 1737689766, "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=", @@ -180,7 +15,7 @@ "type": "github" } }, - "crane_4": { + "crane_2": { "locked": { "lastModified": 1741148495, "narHash": "sha256-EV8KUaIZ2/CdBXlutXrHoZYbWPeB65p5kKZk71gvDRI=", 
@@ -195,75 +30,17 @@ "type": "github" } }, - "devenv": { - "inputs": { - "cachix": "cachix_2", - "flake-compat": [ - "conduwuit", - "cachix", - "flake-compat" - ], - "git-hooks": [ - "conduwuit", - "cachix", - "git-hooks" - ], - "nix": "nix", - "nixpkgs": [ - "conduwuit", - "cachix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733323168, - "narHash": "sha256-d5DwB4MZvlaQpN6OQ4SLYxb5jA4UH5EtV5t5WOtjLPU=", - "owner": "cachix", - "repo": "devenv", - "rev": "efa9010b8b1cfd5dd3c7ed1e172a470c3b84a064", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "devenv", - "type": "github" - } - }, - "fenix": { - "inputs": { - "nixpkgs": [ - "conduwuit", - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" - }, - "locked": { - "lastModified": 1740724364, - "narHash": "sha256-D1jLIueJx1dPrP09ZZwTrPf4cubV+TsFMYbpYYTVj6A=", - "owner": "nix-community", - "repo": "fenix", - "rev": "edf7d9e431cda8782e729253835f178a356d3aab", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "main", - "repo": "fenix", - "type": "github" - } - }, "flake-compat": { - "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", + "lastModified": 1717312683, + "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", + "owner": "nix-community", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", "type": "github" }, "original": { - "owner": "edolstra", + "owner": "nix-community", "repo": "flake-compat", "type": "github" } 
@@ -284,101 +61,7 @@ "type": "github" } }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "ref": "master", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_4": { - "locked": { - "lastModified": 1717312683, - "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", - "owner": "nix-community", - "repo": "flake-compat", - "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_5": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "conduwuit", - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "conduwuit", - "cachix", - "devenv", - "nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1712014858, - "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", - "type": "github" - }, - "original": { - "owner": 
"hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -413,7 +96,6 @@ }, "original": { "owner": "numtide", - "ref": "main", "repo": "flake-utils", "type": "github" } @@ -472,24 +154,6 @@ "type": "github" } }, - "flake-utils_5": { - "inputs": { - "systems": "systems_5" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flakey-profile": { "locked": { "lastModified": 1712898590, @@ -507,9 +171,9 @@ }, "garage": { "inputs": { - "crane": "crane_3", - "flake-compat": "flake-compat_4", - "flake-utils": "flake-utils_2", + "crane": "crane", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ], 
@@ -529,59 +193,7 @@ "type": "github" } }, - "git-hooks": { - "inputs": { - "flake-compat": [ - "conduwuit", - "cachix", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "conduwuit", - "cachix", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_2" - }, - "locked": { - "lastModified": 1733318908, - "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "6f4e2a2112050951a314d2733a994fbab94864c6", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, "gitignore": { - "inputs": { - "nixpkgs": [ - "conduwuit", - "cachix", - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_2": { "inputs": { "nixpkgs": [ "lanzaboote", @@ -625,9 +237,9 @@ }, "lanzaboote": { "inputs": { - "crane": "crane_4", - "flake-compat": "flake-compat_5", - "flake-parts": "flake-parts_3", + "crane": "crane_2", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts", "nixpkgs": [ "nixpkgs" ], 
@@ -649,39 +261,6 @@ "type": "github" } }, - "libgit2": { - "flake": false, - "locked": { - "lastModified": 1697646580, - "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=", - "owner": "libgit2", - "repo": "libgit2", - "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5", - "type": "github" - }, - "original": { - "owner": "libgit2", - "repo": "libgit2", - "type": "github" - } - }, - "liburing": { - "flake": false, - "locked": { - "lastModified": 1740613216, - "narHash": "sha256-NpPOBqNND3Qe9IwqYs0mJLGTmIx7e6FgUEBAnJ+1ZLA=", - "owner": "axboe", - "repo": "liburing", - "rev": "e1003e496e66f9b0ae06674869795edf772d5500", - "type": "github" - }, - "original": { - "owner": "axboe", - "ref": "master", - "repo": "liburing", - "type": "github" - } - }, "lix": { "flake": false, "locked": { @@ -698,10 +277,10 @@ }, "lix-module": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "flakey-profile": "flakey-profile", "lix": "lix", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1742943028, @@ -720,7 +299,7 @@ }, "nil": { "inputs": { - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ], 
@@ -740,85 +319,6 @@ "type": "github" } }, - "nix": { - "inputs": { - "flake-compat": [ - "conduwuit", - "cachix", - "devenv" - ], - "flake-parts": "flake-parts_2", - "libgit2": "libgit2", - "nixpkgs": "nixpkgs_3", - "nixpkgs-23-11": [ - "conduwuit", - "cachix", - "devenv" - ], - "nixpkgs-regression": [ - "conduwuit", - "cachix", - "devenv" - ], - "pre-commit-hooks": [ - "conduwuit", - "cachix", - "devenv" - ] - }, - "locked": { - "lastModified": 1727438425, - "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=", - "owner": "domenkozar", - "repo": "nix", - "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546", - "type": "github" - }, - "original": { - "owner": "domenkozar", - "ref": "devenv-2.24", - "repo": "nix", - "type": "github" - } - }, - "nix-filter": { - "locked": { - "lastModified": 1731533336, - "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", - "owner": "numtide", - "repo": "nix-filter", - "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", - "type": "github" - }, - "original": { - "owner": "numtide", - "ref": "main", - "repo": "nix-filter", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "conduwuit", - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nix-index-database": { "inputs": { "nixpkgs": [ 
@@ -861,53 +361,21 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726042813, - "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", - "owner": "NixOS", + "lastModified": 1742669843, + "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", + "rev": "1e5b653dff12029333a6546c11e108ede13052eb", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", + "owner": "nixos", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable": { - "locked": { - "lastModified": 1724316499, - "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_2": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_3": { "locked": { "lastModified": 1743813633, "narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=", 
@@ -924,70 +392,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1717432640, - "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1742669843, - "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1e5b653dff12029333a6546c11e108ede13052eb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_6": { "locked": { "lastModified": 1743862455, "narHash": "sha256-I/QXtrqznq1321mYR9TyMPX/zCWb9iAH64hO+pEBY00=", @@ -1009,7 +413,7 @@ "lanzaboote", "flake-compat" ], - "gitignore": "gitignore_2", + "gitignore": "gitignore", "nixpkgs": [ "lanzaboote", "nixpkgs" 
@@ -1029,26 +433,8 @@ "type": "github" } }, - "rocksdb": { - "flake": false, - "locked": { - "lastModified": 1741308171, - "narHash": "sha256-YdBvdQ75UJg5ffwNjxizpviCVwVDJnBkM8ZtGIduMgY=", - "owner": "girlbossceo", - "repo": "rocksdb", - "rev": "3ce04794bcfbbb0d2e6f81ae35fc4acf688b6986", - "type": "github" - }, - "original": { - "owner": "girlbossceo", - "ref": "v9.11.1", - "repo": "rocksdb", - "type": "github" - } - }, "root": { "inputs": { - "conduwuit": "conduwuit", "garage": "garage", "home-manager": "home-manager", "lanzaboote": "lanzaboote", @@ -1056,30 +442,13 @@ "nil": "nil", "nix-index-database": "nix-index-database", "nix-ld": "nix-ld", - "nixpkgs": "nixpkgs_6", - "nixpkgs-stable": "nixpkgs-stable_3", + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable", "rust-overlay": "rust-overlay_4", "sops-nix": "sops-nix", "vscode-extensions": "vscode-extensions" } }, - "rust-analyzer-src": { - "flake": false, - "locked": { - "lastModified": 1740691488, - "narHash": "sha256-Fs6vBrByuiOf2WO77qeMDMTXcTGzrIMqLBv+lNeywwM=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "fe3eda77d3a7ce212388bda7b6cec8bffcc077e5", - "type": "github" - }, - "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" - } - }, "rust-overlay": { "inputs": { "nixpkgs": [ @@ -1244,24 +613,9 @@ "type": "github" } }, - "systems_5": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "vscode-extensions": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ] diff --git a/flake.nix b/flake.nix index 37215e0..92d6363 100644 --- a/flake.nix +++ b/flake.nix 
@@ -12,8 +12,6 @@ lanzaboote.inputs.nixpkgs.follows = "nixpkgs"; rust-overlay.url = "github:oxalica/rust-overlay"; rust-overlay.inputs.nixpkgs.follows = "nixpkgs"; - conduwuit.url = "github:girlbossceo/conduwuit"; - conduwuit.inputs.nixpkgs.follows = "nixpkgs"; lix-module.url = "git+https://git.lix.systems/lix-project/nixos-module?ref=release-2.92"; nix-ld.url = "github:nix-community/nix-ld"; nix-ld.inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/chunk/conduwuit.nix b/hosts/chunk/conduwuit.nix deleted file mode 100644 index 3a6638f..0000000 --- a/hosts/chunk/conduwuit.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ ... }: -{ - services.conduwuit = { - enable = true; - settings.global = { - port = [ 8448 ]; - server_name = "cything.io"; - allow_check_for_updates = true; - }; - }; - - services.caddy.virtualHosts."chat.cything.io".extraConfig = '' - import common - reverse_proxy localhost:8448 - ''; - - services.caddy.virtualHosts."cything.io" = { - serverAliases = [ "www.cything.io" ]; - extraConfig = '' - import common - - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - header /.well-known/matrix/* Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS,PATCH,HEAD - header /.well-known/matrix/* Access-Control-Allow-Headers X-Requested-With,Content-Type,Authorization,Origin,Accept - route { - respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"} - respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}} - redir https://cy7.sh/posts{uri} permanent - } - ''; - }; -} diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 0509b8d..5dcbf56 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -16,7 +16,6 @@ ./redlib.nix ./vaultwarden.nix ./grafana.nix - ./conduwuit.nix ./immich.nix ./forgejo.nix ./garage.nix 
diff --git a/overlay/default.nix b/overlay/default.nix index 9e6336c..3599338 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -7,9 +7,6 @@ pkgFrom = flake: pkg: flake.packages.${prev.system}.${pkg}; in { - conduwuit = pkgFrom inputs.conduwuit "default"; - attic-server = pkgFrom inputs.attic "attic-server"; - attic = pkgFrom inputs.attic "attic"; garage = ( (pkgFrom inputs.garage "default").overrideAttrs { meta.mainProgram = "garage"; From 40d0a1512d5153b5afac5cb3c8bbbebff43f6103 Mon Sep 17 00:00:00 2001 From: cy Date: Mon, 14 Apr 2025 16:26:26 -0400 Subject: [PATCH 22/41] disable karakeep --- hosts/chunk/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 5dcbf56..2e4c960 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -184,7 +184,7 @@ my.containerization.enable = true; my.authelia.enable = true; my.karakeep = { - enable = true; + enable = false; dataDir = "/opt/karakeep"; }; } From 21399aaf47a14b57ce6f5b41789bdc22fd524ffc Mon Sep 17 00:00:00 2001 From: cy Date: Tue, 15 Apr 2025 18:22:18 -0400 Subject: [PATCH 23/41] update readme --- README | 1 + README.md | 40 ---------------------------------------- 2 files changed, 1 insertion(+), 40 deletions(-) create mode 100644 README delete mode 100644 README.md diff --git a/README b/README new file mode 100644 index 0000000..1a59725 --- /dev/null +++ b/README @@ -0,0 +1 @@ +this is only open source for free ci diff --git a/README.md b/README.md deleted file mode 100644 index eb52498..0000000 --- a/README.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# infra -## ./home -- [home-manager](https://github.com/nix-community/home-manager) configuration files -- foot, tmux, and zsh are configured in Nix -- nvim, rofi, sway, waybar are configured in their own literature and symlinked to $XDG_CONFIG_HOME with home-manager - -## ./hosts -- [`hosts/common.nix`](hosts/common.nix): configuration that makes sense on all computers -- [`hosts/zsh.nix`](hosts/zsh.nix): for computers that have the power to run zsh -### ./hosts/ytnix -- personal laptop -- a single [`default.nix`](hosts/ytnix/default.nix) that could be modularized but works for now - -### ./hosts/chunk -- the overworked server with 5% SLA -- very short and concise [`default.nix`](hosts/chunk/default.nix) -- services organized in their modules -- some services run through `virtualisation.oci-containers`: - - [immich](hosts/chunk/immich.nix) - - [conduwuit](hosts/chunk/conduwuit.nix) - -### ./hosts/titan -- got this cause chunk would go down way too often :( -- hosted on azure for "reliability" -- runs: - - [ghost](hosts/titan/ghost.nix) (through `virtualisation.oci-containers`) - - [uptime-kuma](hosts/titan/uptime-kuma.nix) - - [ntfy-sh](hosts/titan/ntfy.nix) - -## ./secrets -- secrets -- see [`.sops.yaml`](.sops.yaml) for who privy to what - -## backups -- hourly borgbackup to [rsync.net](https://rsync.net) -- see [modules/backup](modules/backup.nix) - -## monitoring -- [status.cything.io](https://status.cything.io/): uptime kuma (reliable) -- [grafana.cything.io](https://grafana.cything.io/): some real-time metrics here; unlike the status page this will go kaput often From c806ffb3bb83be59b24b7efc10ee4896c1cf025a Mon Sep 17 00:00:00 2001 From: cy Date: Tue, 15 Apr 2025 18:23:23 -0400 Subject: [PATCH 24/41] rm garnix.yaml --- garnix.yaml | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 garnix.yaml diff --git a/garnix.yaml b/garnix.yaml deleted file mode 100644 index c189664..0000000 --- a/garnix.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -builds: - include: - - 'nixosConfigurations.*' - - 'homeConfigurations.*' - - '*.aarch64-linux.*' - - '*.x86_64-linux.*' From e2df47ab99d06e1d062902a219fc5de8814ce7f5 Mon Sep 17 00:00:00 2001 From: cy Date: Tue, 15 Apr 2025 19:25:57 -0400 Subject: [PATCH 25/41] 2025 04 14 (#45) * use lix from nixpkgs * install nil * just don't use matrix anymore * try not using lix * use nixpkgs unstable * dogfood nixcp * workflow: use runner.temp variable * workflow: try hex encoded secret * workflow: use envars for s3 region and endpoint * rm matrix * workflow: trace nixcp * workflow: no lix and no checkout in build packages * Revert "workflow: trace nixcp" This reverts commit 16d0827bcb90bff73a072920eb83f97aa84394ce. --- .../workflows/build-machines-and-homes.yml | 46 +++--- .github/workflows/build-packages.yml | 33 ++--- flake.lock | 131 +----------------- flake.nix | 6 +- home/yt/ytnix.nix | 1 + hosts/common.nix | 2 +- overlay/default.nix | 1 + 7 files changed, 41 insertions(+), 179 deletions(-) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 290761f..ba6ec24 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -8,6 +8,8 @@ env: TERM: ansi AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-east-1 + AWS_ENDPOINT_URL: https://s3.cy7.sh jobs: build-machines: @@ -35,7 +37,7 @@ jobs: build-mount-path: /nix - name: setup binary cache key - run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem + run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem - name: Install Nix uses: cachix/install-nix-action@v30 
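Review bot: In the `setup binary cache key` step (hunk `@@ -35,7 +37,7 @@`) the secret is expanded into the script text by `${{ secrets.NIX_CACHE_SECRET_KEY }}` before the shell runs, and the decoded signing key is written with the runner's default umask. Passing the value through the step's `env:` and tightening the mode keeps it out of the generated script and keeps the file private to the runner user: `env: { NIX_CACHE_SECRET_KEY: "${{ secrets.NIX_CACHE_SECRET_KEY }}" }` with `run: umask 077; printf %s "$NIX_CACHE_SECRET_KEY" | xxd -p -r > "$RUNNER_TEMP/cache-priv-key.pem"`. Log masking is registered for the stored (hex) form, so the decoded key would presumably not be redacted if a later step printed it. The same line is added in the build-homes job and in build-packages.yml, and the enclosing job continues outside the hunk.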
@@ -46,16 +48,9 @@ jobs: experimental-features = nix-command flakes accept-flake-config = true system-features = nixos-test benchmark big-parallel kvm - secret-key-files = /home/runner/cache-priv-key.pem - extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems - extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= - - - name: Install Lix - run: | - sudo --preserve-env=PATH $(which nix) run \ - 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \ - upgrade-nix - nix --version + secret-key-files = ${{ runner.temp }}/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= - name: Sync repository uses: actions/checkout@v4 @@ -73,10 +68,11 @@ jobs: if: '!cancelled()' run: | package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" - nix run git+https://git.cy7.sh/cy/nixcp.git -- \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \ + nix run github:cything/nixcp/2025-04-12 -- \ + push \ + --bucket nixcache \ + --signing-key ${{ runner.temp }}/cache-priv-key.pem \ -u https://nix-community.cachix.org \ - -u https://nixcache.web.cy7.sh \ $package build-homes: @@ -105,7 +101,7 @@ jobs: build-mount-path: /nix - name: setup binary cache key - run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem + run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem - name: Install Nix uses: cachix/install-nix-action@v30 
@@ -116,16 +112,9 @@ jobs: experimental-features = nix-command flakes accept-flake-config = true system-features = nixos-test benchmark big-parallel kvm - secret-key-files = /home/runner/cache-priv-key.pem - extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems - extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= - - - name: Install Lix - run: | - sudo --preserve-env=PATH $(which nix) run \ - 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \ - upgrade-nix - nix --version + secret-key-files = ${{ runner.temp }}/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= - name: Sync repository uses: actions/checkout@v4 @@ -142,8 +131,9 @@ jobs: if: '!cancelled()' run: | package=".#homeConfigurations."${{ matrix.home }}".activationPackage" - nix run git+https://git.cy7.sh/cy/nixcp.git -- \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \ + nix run github:cything/nixcp/2025-04-12 -- \ + push \ + --bucket nixcache \ + --signing-key ${{ runner.temp }}/cache-priv-key.pem \ -u https://nix-community.cachix.org \ - -u https://nixcache.web.cy7.sh \ $package diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index 4f76a1d..2688fb3 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -11,6 +11,8 @@ env: TERM: ansi AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-east-1 + AWS_ENDPOINT_URL: https://s3.cy7.sh jobs: build-packages: 
@@ -22,13 +24,13 @@ jobs: os: - ubuntu-latest - ubuntu-24.04-arm - # - macos-latest - # - macos-13 + - macos-latest + - macos-13 runs-on: ${{ matrix.os }} steps: - name: setup binary cache key - run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem + run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem - name: Install Nix uses: cachix/install-nix-action@v30 @@ -39,21 +41,9 @@ jobs: experimental-features = nix-command flakes accept-flake-config = true system-features = nixos-test benchmark big-parallel kvm - secret-key-files = /home/runner/cache-priv-key.pem - extra-substituters = https://nixcache.cy7.sh https://cache.lix.systems - extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= - - - name: Install Lix - run: | - sudo --preserve-env=PATH $(which nix) run \ - 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \ - upgrade-nix - nix --version - - - name: Sync repository - uses: actions/checkout@v4 - with: - persist-credentials: false + secret-key-files = ${{ runner.temp }}/cache-priv-key.pem + extra-substituters = https://nixcache.cy7.sh + extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= - run: nix build -L ${{ matrix.package }} @@ -61,10 +51,11 @@ jobs: # https://stackoverflow.com/a/58859404 if: '!cancelled()' run: | - nix run git+https://git.cy7.sh/cy/nixcp.git -- \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \ + nix run github:cything/nixcp/2025-04-12 -- \ + push \ + --bucket nixcache \ + --signing-key ${{ runner.temp }}/cache-priv-key.pem \ -u https://nix-community.cachix.org \ - -u https://nixcache.web.cy7.sh \ "${{ matrix.package }}" - name: prepare tarball to upload diff --git a/flake.lock b/flake.lock index 435ec8d..9feaf1e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -136,39 +136,6 @@ "type": "github" } }, - "flake-utils_4": { - "inputs": { - "systems": "systems_4" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flakey-profile": { - "locked": { - "lastModified": 1712898590, - "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", - "owner": "lf-", - "repo": "flakey-profile", - "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", - "type": "github" - }, - "original": { - "owner": "lf-", - "repo": "flakey-profile", - "type": "github" - } - }, "garage": { "inputs": { "crane": "crane", 
@@ -261,45 +228,9 @@ "type": "github" } }, - "lix": { - "flake": false, - "locked": { - "lastModified": 1737234286, - "narHash": "sha256-pgDJZjj4jpzkFxsqBTI/9Yb0n3gW+DvDtuv9SwQZZcs=", - "rev": "079528098f5998ba13c88821a2eca1005c1695de", - "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/079528098f5998ba13c88821a2eca1005c1695de.tar.gz?rev=079528098f5998ba13c88821a2eca1005c1695de" - }, - "original": { - "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/release-2.92.tar.gz" - } - }, - "lix-module": { - "inputs": { - "flake-utils": "flake-utils_2", - "flakey-profile": "flakey-profile", - "lix": "lix", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1742943028, - "narHash": "sha256-fprwZKE1uMzO9tiWWOrmLWBW3GPkMayQfb0xOvVFIno=", - "ref": "release-2.92", - "rev": "3fae818597ca2f1474de62022f850c23be50528d", - "revCount": 134, - "type": "git", - "url": "https://git.lix.systems/lix-project/nixos-module" - }, - "original": { - "ref": "release-2.92", - "type": "git", - "url": "https://git.lix.systems/lix-project/nixos-module" - } - }, "nil": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], @@ -361,11 +292,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1742669843, - "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", + "lastModified": 1744463964, + "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1e5b653dff12029333a6546c11e108ede13052eb", + "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", "type": "github" }, "original": { 
@@ -375,38 +306,6 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1743813633, - "narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "7819a0d29d1dd2bc331bec4b327f0776359b1fa6", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1743862455, - "narHash": "sha256-I/QXtrqznq1321mYR9TyMPX/zCWb9iAH64hO+pEBY00=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "06f3516b0397bd241bde2daefc8538fc886c5467", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -438,12 +337,10 @@ "garage": "garage", "home-manager": "home-manager", "lanzaboote": "lanzaboote", - "lix-module": "lix-module", "nil": "nil", "nix-index-database": "nix-index-database", "nix-ld": "nix-ld", - "nixpkgs": "nixpkgs_2", - "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs": "nixpkgs", "rust-overlay": "rust-overlay_4", "sops-nix": "sops-nix", "vscode-extensions": "vscode-extensions" @@ -598,24 +495,10 @@ "type": "github" } }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "vscode-extensions": { "inputs": { - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_3", + "nixpkgs": [ "nixpkgs" ] diff --git a/flake.nix b/flake.nix index 92d6363..0aea8eb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,8 +2,7 @@ description = "cy's flake"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small"; - nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager"; @@ -12,7 +11,6 @@ lanzaboote.inputs.nixpkgs.follows = "nixpkgs"; rust-overlay.url = "github:oxalica/rust-overlay"; rust-overlay.inputs.nixpkgs.follows = "nixpkgs"; - lix-module.url = "git+https://git.lix.systems/lix-project/nixos-module?ref=release-2.92"; nix-ld.url = "github:nix-community/nix-ld"; nix-ld.inputs.nixpkgs.follows = "nixpkgs"; nil.url = "github:oxalica/nil"; @@ -69,7 +67,6 @@ ./modules inputs.sops-nix.nixosModules.sops inputs.lanzaboote.nixosModules.lanzaboote - inputs.lix-module.nixosModules.default inputs.nix-ld.nixosModules.nix-ld ]; }; @@ -82,7 +79,6 @@ ./hosts/chunk ./modules inputs.sops-nix.nixosModules.sops - inputs.lix-module.nixosModules.default ]; }; }; diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index 686a8a3..3ed40e6 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix @@ -103,6 +103,7 @@ gopls rust-analyzer minio-client + nil ]; home.sessionVariables = { diff --git a/hosts/common.nix b/hosts/common.nix index 77e0edb..b5a71a0 100644 --- a/hosts/common.nix +++ b/hosts/common.nix @@ -1,4 +1,4 @@ -{ inputs, config, ... }: +{ inputs, config, pkgs, ... }: { nix = { settings = { diff --git a/overlay/default.nix b/overlay/default.nix index 3599338..67d855e 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -12,6 +12,7 @@ meta.mainProgram = "garage"; } ); + nil = pkgFrom inputs.nil "default"; } ) ] From 71657e0ccb7b6ef81939b4b044ef1d3c02c72fec Mon Sep 17 00:00:00 2001 
From: cy Date: Tue, 15 Apr 2025 20:19:08 -0400 Subject: [PATCH 26/41] use nixcp main --- .github/workflows/build-machines-and-homes.yml | 4 ++-- .github/workflows/build-packages.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index ba6ec24..6a14b19 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -68,7 +68,7 @@ jobs: if: '!cancelled()' run: | package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" - nix run github:cything/nixcp/2025-04-12 -- \ + nix run github:cything/nixcp -- \ push \ --bucket nixcache \ --signing-key ${{ runner.temp }}/cache-priv-key.pem \ @@ -131,7 +131,7 @@ jobs: if: '!cancelled()' run: | package=".#homeConfigurations."${{ matrix.home }}".activationPackage" - nix run github:cything/nixcp/2025-04-12 -- \ + nix run github:cything/nixcp -- \ push \ --bucket nixcache \ --signing-key ${{ runner.temp }}/cache-priv-key.pem \ diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index 2688fb3..423c88a 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -51,7 +51,7 @@ jobs: # https://stackoverflow.com/a/58859404 if: '!cancelled()' run: | - nix run github:cything/nixcp/2025-04-12 -- \ + nix run github:cything/nixcp -- \ push \ --bucket nixcache \ --signing-key ${{ runner.temp }}/cache-priv-key.pem \ From 61a4f97684f05ea23003f1ba84b887c4a1448283 Mon Sep 17 00:00:00 2001 From: cy Date: Wed, 16 Apr 2025 21:37:51 -0400 Subject: [PATCH 27/41] use lix from nixpkgs --- hosts/common.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/common.nix b/hosts/common.nix index b5a71a0..b1989b1 100644 --- a/hosts/common.nix +++ b/hosts/common.nix 
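Review bot: Dropping the `2025-04-12` ref makes `nix run github:cything/nixcp` resolve whatever the default branch points to on each run, in the one step that is handed `--signing-key` and, through the workflow-level `env:`, the S3 credentials. A change to that repository would then run with the cache signing key without any change to this workflow. Pinning to a full commit keeps the executed code reviewable: `nix run github:cything/nixcp/<commit-sha> -- \`, bumped deliberately when the tool changes. The same edit is made in the build-homes step (`@@ -131,7 +131,7 @@`) and in build-packages.yml (`@@ -51,7 +51,7 @@`).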
@@ -1,6 +1,7 @@ { inputs, config, pkgs, ... }: { nix = { + package = pkgs.lix; settings = { experimental-features = "nix-command flakes"; auto-optimise-store = true; From b3f1d10575ab32fd94e7f2adffef6126c3f5e632 Mon Sep 17 00:00:00 2001 From: cy Date: Wed, 16 Apr 2025 21:37:57 -0400 Subject: [PATCH 28/41] install keepassxc --- home/yt/ytnix.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index 3ed40e6..4ba3f66 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix @@ -104,6 +104,7 @@ rust-analyzer minio-client nil + keepassxc ]; home.sessionVariables = { From f5af830c30c16d065674b36051a72292292f4dd3 Mon Sep 17 00:00:00 2001 
From: cy Date: Wed, 16 Apr 2025 21:38:04 -0400 Subject: [PATCH 29/41] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7' (2025-04-06) → 'github:nix-community/home-manager/c6b75d69b6994ba68ec281bd36faebcc56097800' (2025-04-16) • Updated input 'nix-index-database': 'github:nix-community/nix-index-database/a36f6a7148aec2c77d78e4466215cceb2f5f4bfb' (2025-04-06) → 'github:nix-community/nix-index-database/4fc9ea78c962904f4ea11046f3db37c62e8a02fd' (2025-04-13) • Updated input 'nix-ld': 'github:nix-community/nix-ld/140451db1cadeef1e7e9e054332b67b7be808916' (2025-03-31) → 'github:nix-community/nix-ld/9a3812797e25def1d4aed62b517606b7b93989dc' (2025-04-14) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/9d00c6b69408dd40d067603012938d9fbe95cfcd' (2025-04-06) → 'github:oxalica/rust-overlay/c564fb830c7d5b3e4fde5ea829a62f0e41e43a20' (2025-04-16) • Updated input 'sops-nix': 'github:Mic92/sops-nix/523f58a4faff6c67f5f685bed33a7721e984c304' (2025-04-06) → 'github:Mic92/sops-nix/61154300d945f0b147b30d24ddcafa159148026a' (2025-04-14) • Updated input 'vscode-extensions': 'github:nix-community/nix-vscode-extensions/da51d4cab526bef885e8c95ab2b9455bfe0940d4' (2025-04-06) → 'github:nix-community/nix-vscode-extensions/47bd3dc652c4a02dc565a9360fe828af38bea287' (2025-04-16) --- flake.lock | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/flake.lock b/flake.lock index 9feaf1e..d4de20c 100644 --- a/flake.lock +++ b/flake.lock 
@@ -189,11 +189,11 @@ ] }, "locked": { - "lastModified": 1743948087, - "narHash": "sha256-B6cIi2ScgVSROPPlTti6len+TdR0K25B9R3oKvbw3M8=", + "lastModified": 1744833442, + "narHash": "sha256-BBMWW2m64Grcc5FlXz74+vdkUyCJOfUGnl+VcS/4x44=", "owner": "nix-community", "repo": "home-manager", - "rev": "ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7", + "rev": "c6b75d69b6994ba68ec281bd36faebcc56097800", "type": "github" }, "original": { @@ -257,11 +257,11 @@ ] }, "locked": { - "lastModified": 1743911143, - "narHash": "sha256-4j4JPwr0TXHH4ZyorXN5yIcmqIQr0WYacsuPA4ktONo=", + "lastModified": 1744518957, + "narHash": "sha256-RLBSWQfTL0v+7uyskC5kP6slLK1jvIuhaAh8QvB75m4=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "a36f6a7148aec2c77d78e4466215cceb2f5f4bfb", + "rev": "4fc9ea78c962904f4ea11046f3db37c62e8a02fd", "type": "github" }, "original": { @@ -277,11 +277,11 @@ ] }, "locked": { - "lastModified": 1743410259, - "narHash": "sha256-tjdkPPkRT1Mj72yrpN8oUxYw9SaG8wOQWD3auS1bvSs=", + "lastModified": 1744621833, + "narHash": "sha256-II6a32kRc+KbLhU/jS8EbuXYt1PNCvsRvuBw2becgQM=", "owner": "nix-community", "repo": "nix-ld", - "rev": "140451db1cadeef1e7e9e054332b67b7be808916", + "rev": "9a3812797e25def1d4aed62b517606b7b93989dc", "type": "github" }, "original": { @@ -417,11 +417,11 @@ ] }, "locked": { - "lastModified": 1743906877, - "narHash": "sha256-Thah1oU8Vy0gs9bh5QhNcQh1iuQiowMnZPbrkURonZA=", + "lastModified": 1744803954, + "narHash": "sha256-f+gE6JtLhPzyDWOCEHbN/S30GEGHMtXEt41+Va7wzEU=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "9d00c6b69408dd40d067603012938d9fbe95cfcd", + "rev": "c564fb830c7d5b3e4fde5ea829a62f0e41e43a20", "type": "github" }, "original": { 
@@ -437,11 +437,11 @@ ] }, "locked": { - "lastModified": 1743910657, - "narHash": "sha256-zr2jmWeWyhCD8WmO2aWov2g0WPPuZfcJDKzMJZYGq3Y=", + "lastModified": 1744669848, + "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "523f58a4faff6c67f5f685bed33a7721e984c304", + "rev": "61154300d945f0b147b30d24ddcafa159148026a", "type": "github" }, "original": { @@ -498,17 +498,16 @@ "vscode-extensions": { "inputs": { "flake-utils": "flake-utils_3", - "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1743904774, - "narHash": "sha256-dHnwYLz1b6ohGP2DjWKpDFEZ9WOm4vYuPXKUna08awU=", + "lastModified": 1744768710, + "narHash": "sha256-ow0HDShvAe9gkM3Ww5aoJo1lDLpC5pYQ7qLtnTaHoyI=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "da51d4cab526bef885e8c95ab2b9455bfe0940d4", + "rev": "47bd3dc652c4a02dc565a9360fe828af38bea287", "type": "github" }, "original": { From 44a98fd703c59e659d3139af0d0113b1e4853c6b Mon Sep 17 00:00:00 2001 From: cy Date: Thu, 17 Apr 2025 15:19:29 -0400 Subject: [PATCH 30/41] ytnix: enable firefox --- home/yt/ytnix.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index 4ba3f66..f22d425 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix @@ -162,4 +162,6 @@ enable = true; addKeysToAgent = "yes"; }; + + programs.firefox.enable = true; } From 140f0f5dcf033c7e03b4e65c8248fec2f6f6a06a Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 20 Apr 2025 01:18:41 -0400 Subject: [PATCH 31/41] kitty: use default theme --- home/kitty.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/home/kitty.nix b/home/kitty.nix index a77a432..a6ddf37 100644 --- a/home/kitty.nix +++ b/home/kitty.nix @@ -7,7 +7,6 @@ package = pkgs.ibm-plex; size = 12; }; - themeFile = "GitHub_Dark"; settings = { enable_audio_bell = true; # how many windows should be open before kitty asks From c193ba21081c5387f74d41ae51c6fe431a964b8e Mon Sep 17 00:00:00 2001 
From: cy Date: Sun, 20 Apr 2025 01:27:05 -0400 Subject: [PATCH 32/41] workflow: test post-build hook --- .github/workflows/build-machines-and-homes.yml | 17 ++++++++++++----- ci/upload-to-cache.sh | 8 ++++++++ 2 files changed, 20 insertions(+), 5 deletions(-) create mode 100755 ci/upload-to-cache.sh diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 6a14b19..1d86c47 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -39,6 +39,17 @@ jobs: - name: setup binary cache key run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem + - name: Sync repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: post-build-hook + run: | + sudo mkdir -p /etc/nix + sudo cp ci/upload-to-cache.sh /etc/nix/ + sudo chmod +x /etc/nix/upload-to-cache.sh + - name: Install Nix uses: cachix/install-nix-action@v30 with: @@ -51,11 +62,7 @@ jobs: secret-key-files = ${{ runner.temp }}/cache-priv-key.pem extra-substituters = https://nixcache.cy7.sh extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= - - - name: Sync repository - uses: actions/checkout@v4 - with: - persist-credentials: false + post-build-hook = /etc/nix/upload-to-cache.sh - name: build run: | diff --git a/ci/upload-to-cache.sh b/ci/upload-to-cache.sh new file mode 100755 index 0000000..a8f9e0f --- /dev/null +++ b/ci/upload-to-cache.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +# https://nix.dev/guides/recipes/post-build-hook.html#implementing-the-build-hook +set -eu +set -f # disable globbing +export IFS=' ' +echo "Uploading paths" $OUT_PATHS +exec nix copy --to "s3://nixcache" $OUT_PATHS From 2591401aa3491151325bad378022861eae74505a Mon Sep 17 00:00:00 2001 
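Review bot: The new `post-build-hook` step installs `ci/upload-to-cache.sh` straight from the checked-out tree, and the `post-build-hook = /etc/nix/upload-to-cache.sh` line added in the second hunk makes Nix run it after every build, in a job that also holds `cache-priv-key.pem`. The hook is executed by the Nix daemon (root on a multi-user install), so any ref that can trigger this workflow controls a script that runs with the signing key in reach. The `on:` triggers are outside these hunks, so it is worth confirming they are limited to trusted branches. The copy can also be a single step with explicit ownership and mode: `sudo install -D -o root -g root -m 0755 ci/upload-to-cache.sh /etc/nix/upload-to-cache.sh`. Pinning `actions/checkout@v4` and `cachix/install-nix-action@v30` to full commit SHAs would narrow the same exposure.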
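Review bot: With `set -eu` and `exec nix copy`, the hook added in `ci/upload-to-cache.sh` exits non-zero whenever the upload fails, and Nix treats a failing post-build hook as a failed build. The hook also runs synchronously, so every upload blocks the build loop. A cache outage or a rejected credential therefore fails every CI build instead of only skipping the cache push. If that is intended, state it at the top of the script, e.g. `# NOTE: runs synchronously after each build; a failed upload fails the build`. If it is not, replace the `exec` with a call that logs the failure and still exits 0.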
From: cy Date: Sun, 20 Apr 2025 01:33:55 -0400 Subject: [PATCH 33/41] workflow: debug --- .github/workflows/build-machines-and-homes.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 1d86c47..a70ff0d 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -63,6 +63,9 @@ jobs: extra-substituters = https://nixcache.cy7.sh extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= post-build-hook = /etc/nix/upload-to-cache.sh + + - name: debug + run: echo "$(which nix)" - name: build run: | From eb054c444ac71f2f1703012504c826b0ec889545 Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 20 Apr 2025 01:35:16 -0400 Subject: [PATCH 34/41] temp disable maximize disk space --- .../workflows/build-machines-and-homes.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index a70ff0d..17a8c17 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml 
@@ -24,17 +24,17 @@ jobs: runs-on: ${{ matrix.os }} steps: - - name: Maximize build disk space - uses: easimon/maximize-build-space@v10 - with: - overprovision-lvm: true - swap-size-mb: 1024 - remove-dotnet: 'true' - remove-android: 'true' - remove-haskell: 'true' - remove-codeql: 'true' - remove-docker-images: 'true' - build-mount-path: /nix + # - name: Maximize build disk space + # uses: easimon/maximize-build-space@v10 + # with: + # overprovision-lvm: true + # swap-size-mb: 1024 + # remove-dotnet: 'true' + # remove-android: 'true' + # remove-haskell: 'true' + # remove-codeql: 'true' + # remove-docker-images: 'true' + # build-mount-path: /nix - name: setup binary cache key run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem From 5a053b2379fd556f30a7a1a314e1b7491ad9ae30 Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 20 Apr 2025 01:36:23 -0400 Subject: [PATCH 35/41] fix nix path --- ci/upload-to-cache.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ci/upload-to-cache.sh b/ci/upload-to-cache.sh index a8f9e0f..c72c0a2 100755 --- a/ci/upload-to-cache.sh +++ b/ci/upload-to-cache.sh @@ -5,4 +5,5 @@ set -eu set -f # disable globbing export IFS=' ' echo "Uploading paths" $OUT_PATHS -exec nix copy --to "s3://nixcache" $OUT_PATHS +# this is where the cachix installer installs nix +exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache" $OUT_PATHS From e38ed0e6f1d9e692a49451d45e9fc541e837f515 Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 20 Apr 2025 01:39:56 -0400 Subject: [PATCH 36/41] fix nix copy dest --- ci/upload-to-cache.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/upload-to-cache.sh b/ci/upload-to-cache.sh index c72c0a2..6e348a7 100755 --- a/ci/upload-to-cache.sh +++ b/ci/upload-to-cache.sh 
@@ -6,4 +6,4 @@ set -f # disable globbing export IFS=' ' echo "Uploading paths" $OUT_PATHS # this is where the cachix installer installs nix -exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache" $OUT_PATHS +exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh" $OUT_PATHS From 4f1bd260644c52469c42827e3db5e91be95aefba Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 20 Apr 2025 01:59:00 -0400 Subject: [PATCH 37/41] setup aws profile for s3 auth --- .../workflows/build-machines-and-homes.yml | 84 +++++++++---------- ci/upload-to-cache.sh | 1 - 2 files changed, 39 insertions(+), 46 deletions(-) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 17a8c17..f1e07bc 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -24,17 +24,17 @@ jobs: runs-on: ${{ matrix.os }} steps: - # - name: Maximize build disk space - # uses: easimon/maximize-build-space@v10 - # with: - # overprovision-lvm: true - # swap-size-mb: 1024 - # remove-dotnet: 'true' - # remove-android: 'true' - # remove-haskell: 'true' - # remove-codeql: 'true' - # remove-docker-images: 'true' - # build-mount-path: /nix + - name: Maximize build disk space + uses: easimon/maximize-build-space@v10 + with: + overprovision-lvm: true + swap-size-mb: 1024 + remove-dotnet: 'true' + remove-android: 'true' + remove-haskell: 'true' + remove-codeql: 'true' + remove-docker-images: 'true' + build-mount-path: /nix - name: setup binary cache key run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem 
@@ -50,6 +50,14 @@ jobs: sudo cp ci/upload-to-cache.sh /etc/nix/ sudo chmod +x /etc/nix/upload-to-cache.sh + - name: setup s3 credentials + run: | + sudo mkdir /root/.aws + echo "[default]" |sudo tee /root/.aws/config |sudo tee /root/.aws/credentials + echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" |sudo tee -a /root/.aws/credentials + echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" |sudo tee -a /root/.aws/credentials + echo "endpoint_url=$AWS_ENDPOINT_URL" |sudo tee -a /root/.aws/config + - name: Install Nix uses: cachix/install-nix-action@v30 with: @@ -63,28 +71,11 @@ jobs: extra-substituters = https://nixcache.cy7.sh extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= post-build-hook = /etc/nix/upload-to-cache.sh - - - name: debug - run: echo "$(which nix)" - name: build run: | - # package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" - # nix build -L "$package" nix run nixpkgs#nixos-rebuild build -- -L --flake ".#${{ matrix.machine }}" - - name: cache - # https://stackoverflow.com/a/58859404 - if: '!cancelled()' - run: | - package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" - nix run github:cything/nixcp -- \ - push \ - --bucket nixcache \ - --signing-key ${{ runner.temp }}/cache-priv-key.pem \ - -u https://nix-community.cachix.org \ - $package - build-homes: strategy: fail-fast: false 
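Review bot: In the new `setup s3 credentials` step every `sudo tee` copies its input to stdout as well as to the file, so the access key id and the secret key are written into the job log, where only GitHub's log masking protects them. Redirect tee's stdout and create the directory and files with restrictive modes, as in the rewrite below; the identical step is added again in the `build-homes` hunk `@@ -104,6 +113,25 @@`. `sudo mkdir /root/.aws` also fails if the directory already exists, which `install -d` avoids. The step reads `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_ENDPOINT_URL`, but no `env:` mapping is visible in the hunk. They are presumably set at job or workflow level; if they were unset, the files would be written with empty values and the upload hook would fail later with a less obvious error.

```yaml
      - name: setup s3 credentials
        run: |
          sudo install -d -m 0700 /root/.aws
          printf '[default]\nendpoint_url=%s\n' "$AWS_ENDPOINT_URL" \
            | sudo tee /root/.aws/config >/dev/null
          printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
            "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" \
            | sudo tee /root/.aws/credentials >/dev/null
          sudo chmod 0600 /root/.aws/config /root/.aws/credentials
      # … unchanged: Install Nix step …
```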
@@ -113,6 +104,25 @@ jobs: - name: setup binary cache key run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem + - name: Sync repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: post-build-hook + run: | + sudo mkdir -p /etc/nix + sudo cp ci/upload-to-cache.sh /etc/nix/ + sudo chmod +x /etc/nix/upload-to-cache.sh + + - name: setup s3 credentials + run: | + sudo mkdir /root/.aws + echo "[default]" |sudo tee /root/.aws/config |sudo tee /root/.aws/credentials + echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" |sudo tee -a /root/.aws/credentials + echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" |sudo tee -a /root/.aws/credentials + echo "endpoint_url=$AWS_ENDPOINT_URL" |sudo tee -a /root/.aws/config + - name: Install Nix uses: cachix/install-nix-action@v30 with: @@ -125,25 +135,9 @@ jobs: secret-key-files = ${{ runner.temp }}/cache-priv-key.pem extra-substituters = https://nixcache.cy7.sh extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= - - - name: Sync repository - uses: actions/checkout@v4 - with: - persist-credentials: false + post-build-hook = /etc/nix/upload-to-cache.sh - name: build run: | package=".#homeConfigurations."${{ matrix.home }}".activationPackage" nix build -L "$package" - - - name: cache - # https://stackoverflow.com/a/58859404 - if: '!cancelled()' - run: | - package=".#homeConfigurations."${{ matrix.home }}".activationPackage" - nix run github:cything/nixcp -- \ - push \ - --bucket nixcache \ - --signing-key ${{ runner.temp }}/cache-priv-key.pem \ - -u https://nix-community.cachix.org \ - $package diff --git a/ci/upload-to-cache.sh b/ci/upload-to-cache.sh index 6e348a7..6ea65f5 100755 --- a/ci/upload-to-cache.sh +++ b/ci/upload-to-cache.sh 
@@ -5,5 +5,4 @@ set -eu set -f # disable globbing export IFS=' ' echo "Uploading paths" $OUT_PATHS -# this is where the cachix installer installs nix exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh" $OUT_PATHS From f3f15724d2dca0347b065ad9cf44176b88f720d6 Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 20 Apr 2025 02:23:19 -0400 Subject: [PATCH 38/41] ci use zstd to compress cache --- ci/upload-to-cache.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/upload-to-cache.sh b/ci/upload-to-cache.sh index 6ea65f5..98b72b5 100755 --- a/ci/upload-to-cache.sh +++ b/ci/upload-to-cache.sh @@ -5,4 +5,4 @@ set -eu set -f # disable globbing export IFS=' ' echo "Uploading paths" $OUT_PATHS -exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh" $OUT_PATHS +exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh&compression=zstd" $OUT_PATHS From 1cf31a7ae03f089ac038a998106e8e36b7f0d69c Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 20 Apr 2025 02:26:56 -0400 Subject: [PATCH 39/41] ci use parallel compression --- ci/upload-to-cache.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/upload-to-cache.sh b/ci/upload-to-cache.sh index 98b72b5..559d062 100755 --- a/ci/upload-to-cache.sh +++ b/ci/upload-to-cache.sh @@ -5,4 +5,4 @@ set -eu set -f # disable globbing export IFS=' ' echo "Uploading paths" $OUT_PATHS -exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh&compression=zstd" $OUT_PATHS +exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh&compression=zstd¶llel-compression=true" $OUT_PATHS From 1b298adbf69446e4603cca5e1037a5c60c9bc30c Mon Sep 17 00:00:00 2001 
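Review bot: The last query parameter in the `nix copy` URL added by the `ci use parallel compression` hunk reads `¶llel-compression=true` on this page, which looks like `&parallel-compression=true` after an HTML-entity decode of `&para`. As printed there is no `&` separator, so the `compression` value would run on through the end of the string and parallel compression would not be enabled. If the committed file really contains `¶`, the line should end in `"s3://nixcache?endpoint=s3.cy7.sh&compression=zstd&parallel-compression=true" $OUT_PATHS`.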
From: cy Date: Sun, 20 Apr 2025 02:28:52 -0400 Subject: [PATCH 40/41] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'garage': 'github:deuxfleurs-org/garage/14d2f2b18da015508d4a1e31b2f014da5188d516' (2025-03-21) → 'github:deuxfleurs-org/garage/4ef954d17604eba8aafa52902cd3c573978c7195' (2025-04-19) • Updated input 'home-manager': 'github:nix-community/home-manager/c6b75d69b6994ba68ec281bd36faebcc56097800' (2025-04-16) → 'github:nix-community/home-manager/f98314bb064cf8f8446c44afbadaaad2505875a7' (2025-04-20) • Updated input 'nix-index-database': 'github:nix-community/nix-index-database/4fc9ea78c962904f4ea11046f3db37c62e8a02fd' (2025-04-13) → 'github:nix-community/nix-index-database/69716041f881a2af935021c1182ed5b0cc04d40e' (2025-04-20) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/2631b0b7abcea6e640ce31cd78ea58910d31e650' (2025-04-12) → 'github:nixos/nixpkgs/b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef' (2025-04-17) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/c564fb830c7d5b3e4fde5ea829a62f0e41e43a20' (2025-04-16) → 'github:oxalica/rust-overlay/e2142ef330a61c02f274ac9a9cb6f8487a5d0080' (2025-04-20) • Updated input 'vscode-extensions': 'github:nix-community/nix-vscode-extensions/47bd3dc652c4a02dc565a9360fe828af38bea287' (2025-04-16) → 'github:nix-community/nix-vscode-extensions/ff14820202442f847fd37862eb48a7cb254a19d3' (2025-04-20) --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index d4de20c..4370247 100644 --- a/flake.lock +++ b/flake.lock 
@@ -147,11 +147,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1742547966, - "narHash": "sha256-AJfw+XRaRyrlpb9Wy6rVz44JePy0AXWPECXVPBnrOfI=", + "lastModified": 1745093116, + "narHash": "sha256-38L/NZyfGSGff9f+FfRd4teA1Xj93hqcBJcqhxbLA7Y=", "owner": "deuxfleurs-org", "repo": "garage", - "rev": "14d2f2b18da015508d4a1e31b2f014da5188d516", + "rev": "4ef954d17604eba8aafa52902cd3c573978c7195", "type": "github" }, "original": { @@ -189,11 +189,11 @@ ] }, "locked": { - "lastModified": 1744833442, - "narHash": "sha256-BBMWW2m64Grcc5FlXz74+vdkUyCJOfUGnl+VcS/4x44=", + "lastModified": 1745128386, + "narHash": "sha256-xnNxL9lZC5Ez8AxTgHZZu8pYSNM34+5GD5jGSs8Vq4M=", "owner": "nix-community", "repo": "home-manager", - "rev": "c6b75d69b6994ba68ec281bd36faebcc56097800", + "rev": "f98314bb064cf8f8446c44afbadaaad2505875a7", "type": "github" }, "original": { @@ -257,11 +257,11 @@ ] }, "locked": { - "lastModified": 1744518957, - "narHash": "sha256-RLBSWQfTL0v+7uyskC5kP6slLK1jvIuhaAh8QvB75m4=", + "lastModified": 1745120797, + "narHash": "sha256-owQ0VQ+7cSanTVPxaZMWEzI22Q4bGnuvhVjLAJBNQ3E=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "4fc9ea78c962904f4ea11046f3db37c62e8a02fd", + "rev": "69716041f881a2af935021c1182ed5b0cc04d40e", "type": "github" }, "original": { @@ -292,11 +292,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1744463964, - "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", + "lastModified": 1744932701, + "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", + "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef", "type": "github" }, "original": { 
@@ -417,11 +417,11 @@ ] }, "locked": { - "lastModified": 1744803954, - "narHash": "sha256-f+gE6JtLhPzyDWOCEHbN/S30GEGHMtXEt41+Va7wzEU=", + "lastModified": 1745116541, + "narHash": "sha256-5xzA6dTfqCfTTDCo3ipPZzrg3wp01xmcr73y4cTNMP8=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "c564fb830c7d5b3e4fde5ea829a62f0e41e43a20", + "rev": "e2142ef330a61c02f274ac9a9cb6f8487a5d0080", "type": "github" }, "original": { @@ -503,11 +503,11 @@ ] }, "locked": { - "lastModified": 1744768710, - "narHash": "sha256-ow0HDShvAe9gkM3Ww5aoJo1lDLpC5pYQ7qLtnTaHoyI=", + "lastModified": 1745114521, + "narHash": "sha256-P/TgmeavrpUiHCejjjsU2vOMB7cBIcHltGDSKKgi20E=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "47bd3dc652c4a02dc565a9360fe828af38bea287", + "rev": "ff14820202442f847fd37862eb48a7cb254a19d3", "type": "github" }, "original": { From a7de77a0fca41ab1397d0981f8c85b096339a158 Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 20 Apr 2025 02:36:48 -0400 Subject: [PATCH 41/41] update caddy hash --- modules/caddy.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/caddy.nix b/modules/caddy.nix index f3f8e14..c5de226 100644 --- a/modules/caddy.nix +++ b/modules/caddy.nix @@ -21,7 +21,7 @@ in # (still need the @ to pass nix config check) "github.com/caddy-dns/cloudflare@v0.0.0-20250228175314-1fb64108d4de" ]; - hash = "sha256-YYpsf8HMONR1teMiSymo2y+HrKoxuJMKIea5/NEykGc="; + hash = "sha256-pfh9DXUj35jlAntkWc4D5wuW04xxQfM1rZ4KFauMzvc="; }; logFormat = lib.mkForce "level INFO"; acmeCA = "https://acme-v02.api.letsencrypt.org/directory";