test gitea docker

.sops.yaml

@@ -3,7 +3,25 @@ keys:
   - &laptop age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q
   - &android age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74
 creation_rules:
-  - path_regex: system/secrets.yaml$
+  - path_regex: features/secrets.yaml$
+    key_groups:
+    - age:
+      - *laptop
+      - *homebox
+      - *android
+  - path_regex: live/secrets.yaml$
+    key_groups:
+    - age:
+      - *laptop
+      - *homebox
+      - *android
+  - path_regex: container/secrets.yaml$
+    key_groups:
+    - age:
+      - *laptop
+      - *homebox
+      - *android
+  - path_regex: users/.*/secrets.yaml$
     key_groups:
     - age:
       - *laptop

flake.lock

@@ -20,11 +20,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775558810,
+        "lastModified": 1776702787,
-        "narHash": "sha256-fy95EdPnqQlpbP8+rk0yWKclWShCUS5VKs6P7/1MF2c=",
+        "narHash": "sha256-qc5uwEWbuubzYthmZcfCapooZGXhoYZWfTQ24TozbCQ=",
         "owner": "hyprwm",
         "repo": "aquamarine",
-        "rev": "7371b669b22aa2af980f913fc312a786d2f1abb2",
+        "rev": "9a1ca6b8cb4d86a599787a55b78f2ddf809bf945",
         "type": "github"
       },
       "original": {
@@ -61,11 +61,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773889306,
+        "lastModified": 1776613567,
-        "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
+        "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
+        "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
         "type": "github"
       },
       "original": {
@@ -82,11 +82,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1775880170,
+        "lastModified": 1777003388,
-        "narHash": "sha256-63PLZ7lspPAqpV/+d0oNtDHLCWQf1MVFRG2DOeDK+nU=",
+        "narHash": "sha256-IS8oeyaqYS/MPpDp0Z7i86PwcdTqJ2dritgdRtWzkew=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "28b164d30b5ab6820ef7e17281ae55c539ae9ff5",
+        "rev": "03d4270c1f75494910b7b8039b1a050bc7055c97",
         "type": "gitlab"
       },
       "original": {
@@ -254,11 +254,11 @@
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1776885253,
+        "lastModified": 1777004352,
-        "narHash": "sha256-vslJ5ezhyD+HBMEqzsPLOBfalILmPrAABR68yxrhEuM=",
+        "narHash": "sha256-SV+9PgNwZ8jHVCjK6YaCBzaheLSW7cDnm5DpOYrD8Vw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d79c987e654347083e903ab6d2a89ed3d0752177",
+        "rev": "6012cf1fed3eba66115f3fd117b9be6bd2a15b2f",
         "type": "github"
       },
       "original": {
@@ -283,11 +283,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772461003,
+        "lastModified": 1776511930,
-        "narHash": "sha256-pVICsV7FtcEeVwg5y/LFh3XFUkVJninm/P1j/JHzEbM=",
+        "narHash": "sha256-fCpwFiTW0rT7oKJqr3cqHMnkwypSwQKpbtUEtxdkgrM=",
         "owner": "hyprwm",
         "repo": "hyprcursor",
-        "rev": "b62396457b9cfe2ebf24fe05404b09d2a40f8ed7",
+        "rev": "39435900785d0c560c6ae8777d29f28617d031ef",
         "type": "github"
       },
       "original": {
@@ -312,11 +312,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775496928,
+        "lastModified": 1776426399,
-        "narHash": "sha256-Ds759WU03mGWtu3I43J+5GF5Ni8TvF+GYQUFD+fVeMo=",
+        "narHash": "sha256-RUESLKNikIeEq9ymGJ6nmcDXiSFQpUW1IhJ245nL3xM=",
         "owner": "hyprwm",
         "repo": "hyprgraphics",
-        "rev": "cf95d93d17baa18f1d9b016b3afe27f820521a6e",
+        "rev": "68d064434787cf1ed4a2fe257c03c5f52f33cf84",
         "type": "github"
       },
       "original": {
@@ -342,11 +342,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1775828308,
+        "lastModified": 1776947531,
-        "narHash": "sha256-mKW54+ilZNBVsU3GnzHhZUb041H7L/R8aPA0GD+1oKQ=",
+        "narHash": "sha256-BnUJwexEDpt10Csws8UNq/34r5zaUl8oXNrDHd6oJVA=",
         "ref": "refs/heads/main",
-        "rev": "f7755322fc515108cc9eed8113c09492d4a352c1",
+        "rev": "b65714e3b8e123fb2febd507905d25fa6abd0400",
-        "revCount": 7141,
+        "revCount": 7171,
         "submodules": true,
         "type": "git",
         "url": "https://github.com/hyprwm/Hyprland"
@@ -390,11 +390,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774710575,
+        "lastModified": 1776426575,
-        "narHash": "sha256-p7Rcw13+gA4Z9EI3oGYe3neQ3FqyOOfZCleBTfhJ95Q=",
+        "narHash": "sha256-KI6nIfVihn/DPaeB5Et46Xg3dkNHrrEtUd5LBBVomB0=",
         "owner": "hyprwm",
         "repo": "hyprland-guiutils",
-        "rev": "0703df899520001209646246bef63358c9881e36",
+        "rev": "a968d211048e3ed538e47b84cb3649299578f19d",
         "type": "github"
       },
       "original": {
@@ -444,11 +444,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772459629,
+        "lastModified": 1776426736,
-        "narHash": "sha256-/iwvNUYShmmnwmz/czEUh6+0eF5vCMv0xtDW0STPIuM=",
+        "narHash": "sha256-rl7i4aY+9p8LysJp7o8uRWahCkpFznCgGHXszlTw7b0=",
         "owner": "hyprwm",
         "repo": "hyprlang",
-        "rev": "7615ee388de18239a4ab1400946f3d0e498a8186",
+        "rev": "7833ff33b2e82d3406337b5dcf0d1cec595d83e9",
         "type": "github"
       },
       "original": {
@@ -521,11 +521,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774911391,
+        "lastModified": 1776428866,
-        "narHash": "sha256-c4YVwO33Mmw+FIV8E0u3atJZagHvGTJ9Jai6RtiB8rE=",
+        "narHash": "sha256-XfRlBolGtjvalTHJp3XvvpYLBjkMhaZLLU0WqZ91Fcg=",
         "owner": "hyprwm",
         "repo": "hyprutils",
-        "rev": "e6caa3d4d1427eedbdf556cf4ceb70f2d9c0b56d",
+        "rev": "eedd60805cd96d4442586f2ba5fe51d549b12674",
         "type": "github"
       },
       "original": {
@@ -546,11 +546,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772459835,
+        "lastModified": 1776430932,
-        "narHash": "sha256-978jRz/y/9TKmZb/qD4lEYHCQGHpEXGqy+8X2lFZsak=",
+        "narHash": "sha256-Yv3RPiUvl7CAsJgwIVsqcj7akn1gLyJP1F/mocof5hA=",
         "owner": "hyprwm",
         "repo": "hyprwayland-scanner",
-        "rev": "0a692d4a645165eebd65f109146b8861e3a925e7",
+        "rev": "4c2fcc06dc9722c97dbb54ba649c69b18ce83d2e",
         "type": "github"
       },
       "original": {
@@ -575,11 +575,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775414057,
+        "lastModified": 1776728575,
-        "narHash": "sha256-mDpHnf+MkdOxEqIM1TnckYYh9p1SXR8B3KQfNZ12M8s=",
+        "narHash": "sha256-z9eGphrArEBpl1O/GCH0wlY6z4K9vA6yWh2gAS6qytU=",
         "owner": "hyprwm",
         "repo": "hyprwire",
-        "rev": "86012ee01b0fdd8bf3101ef38816f2efbee42490",
+        "rev": "f3a80888783702a39691b684d099e16b83ed4702",
         "type": "github"
       },
       "original": {
@@ -618,6 +618,22 @@
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1776983936,
+        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1775423009,
@@ -713,11 +729,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1775423009,
+        "lastModified": 1776548001,
-        "narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=",
+        "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9",
+        "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc",
         "type": "github"
       },
       "original": {
@@ -729,11 +745,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1775811116,
+        "lastModified": 1776734388,
-        "narHash": "sha256-t+HZK42pB6N+i5RGbuy7Xluez/VvWbembBdvzsc23Ss=",
+        "narHash": "sha256-vl3dkhlE5gzsItuHoEMVe+DlonsK+0836LIRDnm6MXQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "54170c54449ea4d6725efd30d719c5e505f1c10e",
+        "rev": "10e7ad5bbcb421fe07e3a4ad53a634b0cd57ffac",
         "type": "github"
       },
       "original": {
@@ -791,6 +807,22 @@
         "type": "github"
       }
     },
+    "nixpkgs_8": {
+      "locked": {
+        "lastModified": 1772047000,
+        "narHash": "sha256-7DaQVv4R97cii/Qdfy4tmDZMB2xxtyIvNGSwXBBhSmo=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "1267bb4920d0fc06ea916734c11b0bf004bbe17e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixvim": {
       "inputs": {
         "flake-parts": "flake-parts_3",
@@ -832,6 +864,24 @@
         "type": "github"
       }
     },
+    "opi-zero2w": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_8"
+      },
+      "locked": {
+        "lastModified": 1772415536,
+        "narHash": "sha256-dS4XyDDVCjGEFDX4zgaalQqMlfWL7JfeLGJpLwcAAFE=",
+        "owner": "virusdave",
+        "repo": "nixos-opi-zero2w",
+        "rev": "1337ecfb2443f059f8971eb89eae487fbc6b0dcc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "virusdave",
+        "repo": "nixos-opi-zero2w",
+        "type": "github"
+      }
+    },
     "pre-commit-hooks": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -842,11 +892,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775036584,
+        "lastModified": 1776796298,
-        "narHash": "sha256-zW0lyy7ZNNT/x8JhzFHBsP2IPx7ATZIPai4FJj12BgU=",
+        "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "4e0eb042b67d863b1b34b3f64d52ceb9cd926735",
+        "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad",
         "type": "github"
       },
       "original": {
@@ -864,9 +914,11 @@
         "home-manager": "home-manager_2",
         "hyprland": "hyprland",
         "import-tree": "import-tree_2",
+        "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_4",
         "nixpkgs-us": "nixpkgs-us",
         "nixvim": "nixvim",
+        "opi-zero2w": "opi-zero2w",
         "sops-nix": "sops-nix"
       }
     },
@@ -877,11 +929,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775682595,
+        "lastModified": 1776771786,
-        "narHash": "sha256-0E9PohY/VuESLq0LR4doaH7hTag513sDDW5n5qmHd1Q=",
+        "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d2e8438d5886e92bc5e7c40c035ab6cae0c41f76",
+        "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598",
         "type": "github"
       },
       "original": {
@@ -948,11 +1000,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773601989,
+        "lastModified": 1776608502,
-        "narHash": "sha256-2tJf/CQoHApoIudxHeJye+0Ii7scR0Yyi7pNiWk0Hn8=",
+        "narHash": "sha256-UH8YoQxx4hFOm6qjMdjRQNRvSejFIR/wBZ8fW1p9sME=",
         "owner": "hyprwm",
         "repo": "xdg-desktop-portal-hyprland",
-        "rev": "a9b862d1aa000a676d310cc62d249f7ad726233d",
+        "rev": "4a293523d36dfa367e67ec304cc718ea66a8fec2",
         "type": "github"
       },
       "original": {

flake.nix

@@ -16,6 +16,11 @@
             inputs.nixpkgs.follows = "nixpkgs";
         };
 
+        nixos-hardware.url = "github:nixos/nixos-hardware/master";
+
+        opi-zero2w.url = "github:virusdave/nixos-opi-zero2w";
+        #opi-zero2w.url = "git+file:///home/nathan/Projects/tests/nixos-opi-zero2w";
+
         sops-nix = {
             url = "github:Mic92/sops-nix";
             inputs.nixpkgs.follows = "nixpkgs";

modules/features/default.nix

@@ -1,96 +0,0 @@
-{ inputs, ... }: {
-
-    flake.nixosModules.default = { config, lib, pkgs, ... }: {
-
-        imports = [
-            inputs.sops-nix.nixosModules.sops
-        ];
-
-        config = {
-
-            nix = {
-                nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-                channel.enable = false;
-                settings = {
-                    experimental-features = [ "nix-command" "flakes" ];
-                    builders-use-substitutes = (config.sops.secrets ? "remoteBuildKey");
-
-                    substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
-                    trusted-substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
-                    trusted-public-keys = lib.mkIf config.programs.hyprland.enable ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="];
-                };
-
-                distributedBuilds = lib.mkDefault (config.sops.secrets ? "remoteBuildKey");
-                buildMachines = lib.mkIf (config.sops.secrets ? "remoteBuildKey") [
-                {
-                    hostName = "esotericbytes.com";
-                    sshUser = "remote-builder";
-                    sshKey = config.sops.secrets."remoteBuildKey".path;
-                    supportedFeatures = [
-                        "nixos-test"
-                            "benchmark"
-                            "big-parallel"
-                            "kvm"
-                    ];
-                    systems = [ "x86_64-linux" "aarch64-linux" ];
-                }
-                ];
-            };
-
-            users.users."remote-builder" = lib.mkIf (builtins.any
-                (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) 
-                (builtins.attrNames config.sops.secrets)
-            ) {
-                isNormalUser = true;
-                createHome = false;
-            };
-
-            sops.templates."remote-builder" = lib.mkIf (builtins.any
-                (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) 
-                (builtins.attrNames config.sops.secrets)
-            )  {
-                content = builtins.concatStringsSep ''''\n'' (builtins.map 
-                        (y: config.sops.placeholder.${y}) 
-                        (builtins.filter 
-                         (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) 
-                         (builtins.attrNames config.sops.secrets)
-                        )
-                        );
-                path = "/etc/ssh/authorized_keys.d/remote-builder";
-                owner = "remote-builder";
-            };
-
-            sops = {
-                age.keyFile = "/var/lib/sops/age/keys.txt";
-                defaultSopsFormat = "yaml";
-            };
-
-            programs.fuse.userAllowOther = true;
-
-            home-manager = {
-                backupFileExtension = "backup";
-                useUserPackages = true;
-                sharedModules = [];
-            };
-
-            time.timeZone = lib.mkDefault "America/Chicago";
-
-            i18n = lib.mkDefault {
-                defaultLocale = "en_US.UTF-8";
-
-                extraLocaleSettings = {
-                    LC_ADDRESS = "en_US.UTF-8";
-                    LC_IDENTIFICATION = "en_US.UTF-8";
-                    LC_MEASUREMENT = "en_US.UTF-8";
-                    LC_MONETARY = "en_US.UTF-8";
-                    LC_NAME = "en_US.UTF-8";
-                    LC_NUMERIC = "en_US.UTF-8";
-                    LC_PAPER = "en_US.UTF-8";
-                    LC_TELEPHONE = "en_US.UTF-8";
-                    LC_TIME = "en_US.UTF-8";
-                };
-            };
-        };
-    };
-}
-

modules/features/ethdhcp.nix

@@ -0,0 +1,32 @@
+{ ... }: {
+
+    flake.nixosModules.ethdhcp = { config, lib, ... }: {
+
+        networking.firewall.interfaces."eno1" = {
+            allowedUDPPorts = [ 53 67 68 ];
+            allowedTCPPorts = [ 53 67 68 ];
+        };
+
+        networking = {
+            interfaces."eno1" = {
+                ipv4.addresses = [{ address = "192.168.121.1"; prefixLength = 24; }];
+            };
+
+            nat = {
+                enable = true;
+                internalInterfaces = [ "eno1" ];
+                externalInterface = "wlo1";
+            };
+        };
+
+        services.dnsmasq = {
+            enable = true;
+            settings = {
+                interface = "eno1";
+                dhcp-range = [ "192.168.121.2,192.168.121.2,1h" ];
+            };
+        };
+
+        networking.networkmanager.unmanaged = [ "eno1" ];
+    };
+}

modules/features/gitea.nix

@@ -80,6 +80,13 @@
                             repository = {
                                 DEFAULT_BRANCH = "master";
                             };
+
+                            migrations = {
+                                ALLOWED_DOMAINS = "*";
+                                ALLOW_LOCALNETWORKS = true;
+                                SKIP_TLS_VERIFY = true;
+                                BLOCKED_DOMAINS = "";
+                            };
                         };
 
                         database = {
@@ -119,6 +126,26 @@
         config = {
 
             networking.firewall.allowedTCPPorts = [ 2222 ];
+            sops.secrets = {
+                "gitea/dbpass" = {};
+            };
+
+            sops.templates."gitea.env".content = ''
+                USER_UID=1000
+                USER_GID=1000
+                GITEA__database__DB_TYPE=postgres
+                GITEA__database__HOST=${name}-db:5432
+                GITEA__database__NAME=gitea
+                GITEA__database__USER=gitea
+                GITEA__database__PASSWD=${config.sops.placeholder."gitea/dbpass"}
+            '';
+
+            sops.templates."gitea-db.env".content = ''
+                POSTGRES_USER=gitea
+                POSTGRES_DB=gitea
+                POSTGRES_PASSWORD=${config.sops.placeholder."gitea/dbpass"}
+            '';
+>>>>>>> dev
 
             virtualisation.oci-containers.containers."${name}" = {
                 image = "docker.gitea.com/gitea:1.25.4";
@@ -134,7 +161,7 @@
 
                 labels = {
                     "traefik.enable" = "true";
-                    "traefik.http.routers.${name}.entrypoints" = "localsecure";
+                    "traefik.http.routers.${name}.entrypoints" = "websecure";
                     "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
                     "traefik.http.routers.${name}.service" = "${name}";
                     "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
@@ -153,15 +180,20 @@
                 ];
 
                 extraOptions = [
-                    "--ip=192.168.101.20"
+                    "--ip=192.168.101.25"
                 ];
 
                 volumes = [
-                    "vol_gitea:/data"
+                    "/etc/gitea/data:/data"
                 ];
 
-                environment = {
+                environmentFiles = [
-                };
+                    config.sops.templates."gitea.env".path
+                ];
+
+                dependsOn = [
+                    "${name}-db"
+                ];
             };
 
             virtualisation.oci-containers.containers."${name}-db" = {
@@ -183,15 +215,16 @@
                 ];
 
                 extraOptions = [
-                    "--ip=192.168.101.21"
+                    "--ip=192.168.101.26"
                 ];
 
                 volumes = [
                     "/etc/gitea/db:/var/lib/postgresql/data"
                 ];
 
-                environment = {
+                environmentFiles = [
-                };
+                    config.sops.templates."gitea-db.env".path
+                ];
             };
 
             systemd.services."docker-gitea" = {
@@ -203,12 +236,10 @@
                 };
                 after = [
                     "docker-network-setup.service"
-                        "docker-volume-gitea.service" 
                         "docker-gitea-db.service" 
                 ];
                 requires = [
                     "docker-network-setup.service"
-                        "docker-volume-gitea.service" 
                         "docker-gitea-db.service" 
                 ];
                 partOf = [
@@ -239,21 +270,6 @@
                     "docker-compose-gitea-root.target"
                 ];
             };
-
-            systemd.services."docker-volume-gitea" = {
-                path = [ pkgs.docker ];
-                serviceConfig = {
-                    Type = "oneshot";
-                    RemainAfterExit = true;
-                };
-                script = ''
-                    docker volume inspect vol_gitea || docker volume create vol_gitea --driver=local
-                    '';
-                partOf = [ "docker-compose-gitea-root.target" ];
-                wantedBy = [ "docker-compose-gitea-root.target" ];
-            };
-
         };
     };
-
 }

modules/features/home-manager.nix

@@ -0,0 +1,21 @@
+{ inputs, ... }: {
+
+    flake.nixosModules.default = { config, lib, pkgs, ... }: {
+
+        imports = [
+            inputs.home-manager.nixosModules.default
+        ];
+
+        config = {
+            
+            programs.fuse.userAllowOther = true;
+
+            home-manager = {
+                backupFileExtension = "backup";
+                useUserPackages = true;
+                sharedModules = [];
+            };
+        };
+    };
+}
+

modules/features/hotspot.nix

@@ -0,0 +1,55 @@
+{ ... }: {
+
+    flake.nixosModules.hotspot = { config, lib, ... }: {
+
+        networking.firewall.interfaces."wlo1" = {
+            allowedUDPPorts = [ 53 67 68 ];
+            allowedTCPPorts = [ 53 67 68 ];
+        };
+
+        networking = {
+            interfaces."wlo1" = {
+                ipv4.addresses = [{ address = "192.168.121.1"; prefixLength = 24; }];
+            };
+
+            nat = {
+                enable = true;
+                internalInterfaces = [ "wlo1" ];
+                externalInterface = "eno1";
+            };
+        };
+
+        services.dnsmasq = {
+            enable = true;
+            settings = {
+                interface = "wlo1";
+                dhcp-range = [ "192.168.121.2,192.168.121.10,1h" ];
+            };
+        };
+
+        sops.secrets."hotspotPass".sopsFile = ./secrets.yaml;
+
+        services.hostapd = {
+            enable = true;
+
+            radios.wlo1 = {
+                networks.wlo1 = {
+                    ssid = "laptopHotspot";
+                    authentication.saePasswords = [{ passwordFile = "${config.sops.secrets."hotspotPass".path}"; }];
+                };
+
+                countryCode = "US";
+
+                band = "2g";
+
+                channel = 7;
+
+                wifi4 = {
+                    enable = true;
+                };
+            };
+        };
+
+        networking.networkmanager.unmanaged = [ "wlo1" ];
+    };
+}

modules/features/hyprland.nix

@@ -22,6 +22,8 @@
 
                 portalPackage = inputs.hyprland.packages.${system}.xdg-desktop-portal-hyprland;
             };
+            
+            programs.partition-manager.enable = true;
         };
     };
 }

modules/features/locale.nix

@@ -0,0 +1,27 @@
+{ ... }: {
+
+    flake.nixosModules.default = { config, lib, pkgs, ... }: {
+
+        config = {
+
+            time.timeZone = lib.mkDefault "America/Chicago";
+
+            i18n = lib.mkDefault {
+                defaultLocale = "en_US.UTF-8";
+
+                extraLocaleSettings = {
+                    LC_ADDRESS = "en_US.UTF-8";
+                    LC_IDENTIFICATION = "en_US.UTF-8";
+                    LC_MEASUREMENT = "en_US.UTF-8";
+                    LC_MONETARY = "en_US.UTF-8";
+                    LC_NAME = "en_US.UTF-8";
+                    LC_NUMERIC = "en_US.UTF-8";
+                    LC_PAPER = "en_US.UTF-8";
+                    LC_TELEPHONE = "en_US.UTF-8";
+                    LC_TIME = "en_US.UTF-8";
+                };
+            };
+        };
+    };
+}
+

modules/features/n8n.nix

@@ -42,7 +42,7 @@
                 ];
 
                 extraOptions = [
-                    "--ip=192.168.101.2"
+                    "--ip=192.168.101.14"
                 ];
 
                 volumes = [

modules/features/netbird/netbird.nix

@@ -31,6 +31,32 @@
         };
     };
 
+    flake.nixosModules.netbird-sbc = { config, lib, pkgs, ... }: {
+
+        config = let 
+            pkgs-us = import inputs.nixpkgs-us {
+                system = "x86_64-linux";
+            };
+        in {
+
+            sops.secrets."netbirdKey".sopsFile = ./../secrets.yaml;
+
+            services.netbird = {
+                enable = lib.mkDefault true;
+
+                clients.default = {
+                    port = 51820;
+                    name = "netbird";
+                    interface = "wt0";
+                    hardened = false;
+                };
+
+                package = pkgs-us.netbird;
+                #package =   pkgs.netbird;
+            };
+        };
+    };
+
     flake.nixosModules.netbird-docker = { config, lib, pkgs, ... }: {
 
         imports = [
@@ -218,6 +244,7 @@
                 extraOptions = [
                     "--network-alias=signal"
                         "--network=docker-main"
+                        "--ip=192.168.101.2"
                 ];
             };
             systemd.services."docker-netbird-signal" = {

modules/features/nix.nix

@@ -0,0 +1,21 @@
+{ inputs, ... }: {
+
+    flake.nixosModules.default = { config, lib, pkgs, ... }: {
+
+        config = {
+
+            nix = {
+                nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+                channel.enable = false;
+                settings = {
+                    experimental-features = [ "nix-command" "flakes" ];
+
+                    substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
+                    trusted-substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
+                    trusted-public-keys = lib.mkIf config.programs.hyprland.enable ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="];
+                };
+            };
+        };
+    };
+}
+

modules/features/remoteBuilds.nix

@@ -0,0 +1,61 @@
+{ inputs, ... }: {
+
+    flake.nixosModules.sops = { config, lib, ... }: {
+
+        imports = [
+            inputs.sops-nix.nixosModules.sops
+        ];
+
+        config = {
+
+            nix = {
+                settings = {
+                    builders-use-substitutes = (config.sops.secrets ? "remoteBuildKey");
+
+                };
+
+                distributedBuilds = lib.mkDefault (config.sops.secrets ? "remoteBuildKey");
+
+                buildMachines = lib.mkIf (config.sops.secrets ? "remoteBuildKey") [
+                {
+                    hostName = "esotericbytes.com";
+                    sshUser = "remote-builder";
+                    sshKey = config.sops.secrets."remoteBuildKey".path;
+                    supportedFeatures = [
+                        "nixos-test"
+                        "benchmark"
+                        "big-parallel"
+                        "kvm"
+                    ];
+                    systems = [ "x86_64-linux" "aarch64-linux" ];
+                }
+                ];
+
+            };
+
+            users.users."remote-builder" = lib.mkIf (builtins.any
+                (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) 
+                (builtins.attrNames config.sops.secrets)
+            ) {
+                isNormalUser = true;
+                createHome = true;
+                home = "/tmp/remote-builder";
+            };
+
+            sops.templates."remote-builder" = lib.mkIf (builtins.any
+                    (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) 
+                    (builtins.attrNames config.sops.secrets)
+                    )  {
+                content = builtins.concatStringsSep ''''\n'' (builtins.map 
+                        (y: config.sops.placeholder.${y}) 
+                        (builtins.filter 
+                         (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) 
+                         (builtins.attrNames config.sops.secrets)
+                        )
+                        );
+                path = "/etc/ssh/authorized_keys.d/remote-builder";
+                owner = "remote-builder";
+            };
+        };
+    };
+}

modules/features/secrets.yaml

@@ -2,6 +2,7 @@ remoteBuildClientKeys:
     laptop: ENC[AES256_GCM,data:SZRAZ36nSueWVLcdvpgZpltp/aORqAObFWhgqtIrTYccoK/3F7l0J+VJzF51FASa6spbGJL2BSbzOygyal609pvJc9Hb9bIN85GMzV1P4lha62iC8dkuVLXezPU=,iv:veQJxL4QTxFg2UKm2+I3RQXyuwW2rXEV/gXIQ7nBtlY=,tag:9C9Ltzwz823yY029p9K41A==,type:str]
     pi4: ENC[AES256_GCM,data:zT7V70DbBj5OIl5dTkUjvdqrxSiPcc+oFvL7R2ZAuytSQWdo9MR+WuuhN1Zeo0Ho9eGcbS+Qwr/Vs+yIYU+XaUlgawHM6aiUXoQmQE/yJFOPYUcmi0R4mxD0nkPZ0w==,iv:HQ+bxpeHZq9cezF6omZ1OMecfOw74pXzBujndhXnLPM=,tag:AM5O21nYzb4xzybOPvBwRg==,type:str]
     android: ENC[AES256_GCM,data:srkEb7oAxcN5++sTWQo43C8M4JNpfeeJlcGLGUA6gp74kcES1HnIs87ZtCik121oMSYD15LZ8p/x/AV2QdGMobQFxoMQ2NEehhP66n2EoXcEos3BXqUlbphiBGMRfVK9+w==,iv:bmDbVfVSZLU+EsZh/GBBY9QVcfHZJB9gLZYeI3NYoGY=,tag:biE4/DN7z2wRyFBjK7vEnQ==,type:str]
+hotspotPass: ENC[AES256_GCM,data:str2NCiO3mkWQiNWC1fouqHl,iv:gtwKki5hs9PHMzrK516QxZ4iLx8raIV7vCdJ7RpPd/E=,tag:j+Yw431Mghqt//bFUQnSSA==,type:str]
 sops:
     age:
         - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q
@@ -31,7 +32,7 @@ sops:
             NXNhczV5Y3o3dmJ2RVk3eDBRd1FDdEkK4ELlB6suN3R3GJ6XRQCvE9mgiXUOMFs3
             Yi+VfJTi3pkUQEi8MZP64Nl6IR5dXjUoPXFhBNcplmLf09JDjH4LJQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-26T22:28:31Z"
+    lastmodified: "2026-04-24T23:13:22Z"
-    mac: ENC[AES256_GCM,data:hTEenm/UO84leu7alRdWlicKKrwNlaRR7ZQzhDtOCUcXemvwe30WkSq2mdzOnSo0uMSg1HZIlna8oRUd31ENe1aWfl69PlYPxEicmN5UHykVboXydw6m0yPoAqHj+nqG/vkWsVp0JN8HvTc59mzD+1DfydhJA3m0juaa81w5GsY=,iv:HBkE78QhX1wZANpvDW7nOIOTKBdCv0/dUc1Xv5+OQmQ=,tag:6I2z8MgZxnXjqd4iikA9nQ==,type:str]
+    mac: ENC[AES256_GCM,data:m/4/y5r+BTeq5AtR6u3+vKxgTopGu+kIOGjaKMtNp/SSY1x086hzBfnB8p3BtLFijxYVrEqM/4JxvKU3m41jOtx4/1oSM/BXjHRUl+7diDSOcBaBtJMH2xam2b7Jlg4J0bW4ai3QnEQVF1A00dcmmEUqa/LZInFYSOXjB+FICCo=,iv:RcqpkSk8BSkcreVG1cY5f2OukCgcT36vqCyOfqoNXIs=,tag:aIDe4Tv5BygBYbyQ8GGr5Q==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.12.1

modules/features/sops.nix

@@ -0,0 +1,21 @@
+{ inputs, ... }: {
+
+    flake.nixosModules.sops = { config, lib, ... }: {
+
+        imports = [
+            inputs.sops-nix.nixosModules.sops
+        ];
+
+        config = {
+
+            sops = {
+                age = {
+                    keyFile = "/var/lib/sops/age/keys.txt";
+                    #generateKey = true;
+                };
+
+                defaultSopsFormat = "yaml";
+            };
+        };
+    };
+}

modules/features/traefik/config/routing.yml

@@ -8,7 +8,7 @@ http:
       rule: "Host(`esotericbytes.com`) || Host(`www.esotericbytes.com`)"
       service: "homepage"
       middlewares:
-        - authentik
+        - authentik@docker
       tls:
         certResolver: "cloudflare"
     
@@ -20,15 +20,6 @@ http:
       tls:
         certResolver: "cloudflare"
 
-    gitea: 
-      entryPoints: 
-        - "localsecure"
-        - "websecure"
-      rule: "Host(`gitea.esotericbytes.com`)"
-      service: "gitea"
-      tls:
-        certResolver: "cloudflare"
-
     octoprint:
       entryPoints:
         - "localsecure"
@@ -49,27 +40,9 @@ http:
         servers: 
           - url: "http://192.168.100.31:4444"
     
-    gitea:
-      loadBalancer:
-        servers: 
-          - url: "http://192.168.100.20:3000"
-    
     octoprint:
       loadBalancer:
         servers:
           - url: "http://rpi-3dp.local"
         passHostHeader: true
 
-tcp:
-  routers:
-    gitea-ssh:
-      entryPoints:
-        - "gitea-ssh"
-      rule: "HostSNI(`*`)"
-      service: "gitea-ssh"
-
-  services:
-    gitea-ssh:
-      loadBalancer:
-        servers:
-          - address: "192.168.100.20:2222"

modules/hosts/homebox/secrets.yaml

@@ -14,6 +14,7 @@ keycloak:
     dbpass: ENC[AES256_GCM,data:tc4wIAqzY7nonBhz8s+YdAux,iv:Wg0b0/xnl6cANLTOJWBsX+gw1iF8Q/GvO/iKyKwqJrM=,tag:LORKRmo4RjcrVbPNhk2A9Q==,type:str]
 netbird:
     secret_key: ENC[AES256_GCM,data:isJHGh/InvgJUSqISqxpWhZH0OMN/QG7WBbSS7WqHaWTdfZDBOh//PBP8g==,iv:j0D6feM3qnDjXijXRHgZPboFLHzPwWIhT5bYz3M+QMU=,tag:pOHRxOEdOUrL3n6DgqGDsA==,type:str]
+netbirdKey: ENC[AES256_GCM,data:NSOx62QO2/BMgsV6B+Bi20XN1s8PUYDogRVj4XXYeqhF2QZE,iv:FiJzCpy+4Et58KJlG25A/GqeYscFQ9yzLj5i1ZEVDos=,tag:nlviBvsFJBGsAmwVt3agTg==,type:str]
 gitlab:
     db_pass: ENC[AES256_GCM,data:N3KvXkXql/PDjxZSpGo/Apr/,iv:OOzhR4BEmV3T01PA50vqdJMg7D2OGKHn/8hiqKEaOd4=,tag:jzdonXH/D/5kZ5Cld2W//w==,type:str]
     root_pass: ENC[AES256_GCM,data:bALaUkoJw3N0ugZP/4MCnEsD,iv:LJdJpXlyzA6o00UVlK+l5WCCFIL/sT/fQNjI8wA5LAg=,tag:BYk1o/rjubyEpeHbgYA1Sg==,type:str]
@@ -38,7 +39,7 @@ sops:
             S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M
             8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-01T12:56:37Z"
+    lastmodified: "2026-04-26T03:37:06Z"
-    mac: ENC[AES256_GCM,data:clu/WnwHAQaowQ99Z8tNlIKKcVnLHYeYsgQK0meftXgiQKnLyLzqNipwfaU3qjITdm6fB7wY+TcySygpwFbY2f2TKrqAk7RxdnTFa61vQDqMF7rYPG90Ub79P+R5URZI8yjv69Hmrav0Y6z92vH8ItbPSRBLtgrbYZx36IFq0LU=,iv:qzBVA0xATM979tzu6cTvMrX77firvA5K0WU2hoUggoA=,tag:Fm3IqH0GUHBq9Din6ZW6ng==,type:str]
+    mac: ENC[AES256_GCM,data:gFZhelYC2ToiyRQmX2XiEmmMy3XeSFiF9EARogNcEIv+V/3Z4jKIDGwIvnP94s9ylgb+VZ2IoJLYb6zYSgYx/muOCoeoLifNwZOO+zA2hEgUf0kAhsM08HkuuwvifPwBZXO0P3VXTfP21QymetYVstX9ifYT3K5BIB2m9Unudu0=,iv:+Pr8idIxArX7eQEQaxigjhAGEOQRl7pz3p182yh6+Tg=,tag:qlpBKB4vg3BRFd/s+vDaDw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.12.1

modules/hosts/iso/configuration.nix

@@ -2,14 +2,19 @@
 
     flake.nixosModules.iso = { lib, pkgs, modulesPath, ... }: {
 
-        imports = with inputs; [
+        imports = with self.nixosModules; [
 
             (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
 
+            inputs.home-manager.nixosModules.default
+            
             self.nixosModules.default
-            self.nixosModules.aurora-greeter
+            aurora-greeter
-
+            hyprland
-            home-manager.nixosModules.default
+            pipewire
+            avahi
+            netbird
+            openssh
 
         ];
 
@@ -32,9 +37,21 @@
                 ];
             };
 
+            environment.etc."wallpaper.jpg".source = ./../../users/nathan/home-manager/dotfiles/Wallpaper/bluescape.jpg;
+
+            system.activationScripts."wallpaperInit" = {
+                text = ''
+                    mkdir -p /tmp/aurora/wallpaper
+                    cp /etc/wallpaper.jpg /tmp/aurora/wallpaper/wallpaper.jpg
+                '';
+            };
+
             users.users.nixos.enable = lib.mkForce false;
 
             networking = {
+
+                hostName = "iso";
+
                 nameservers = [ "1.1.1.1" "1.0.0.1" ];
                 networkmanager.enable = true;
             };

modules/hosts/iso/default.nix

@@ -1,13 +1,14 @@
 { self, inputs, ...}: {
 
-    perSystem = { config, system, pkgs, self', inputs', ... }: {
+    perSystem = { ... }: {
         packages.iso = self.nixosConfigurations.iso.config.system.build.isoImage;
     };
 
     flake.nixosConfigurations.iso = inputs.nixpkgs.lib.nixosSystem {
 
-        modules = [
+        modules = with self.nixosModules; [
-            self.nixosModules.iso
+            iso
+            user-nathan
         ];
     };
 

modules/hosts/laptop/configuration.nix

@@ -15,6 +15,7 @@
             avahi
             netbird
             openssh
+            sops
         ];
 
         config = {
@@ -31,6 +32,7 @@
                     efi.canTouchEfiVariables = true;
                     timeout = null;
                 };
+                binfmt.emulatedSystems = [ "aarch64-linux" ];
             };
 
             systemd.settings.Manager.DefaultLimitNOFILE = 2048;
@@ -47,7 +49,6 @@
 
             };
 
-            programs.partition-manager.enable = true;
             services.pulseaudio.enable = false;
 
             environment.systemPackages = with pkgs; [
@@ -81,7 +82,7 @@
                 ];
                 networkmanager = {
                     enable = true;
-                    dns = "none";
+                    #dns = "none";
                 };
                 useDHCP = false;
                 dhcpcd.enable = false;
@@ -89,6 +90,14 @@
 
             services.openssh.openFirewall = false;
 
+            specialisation = {
+                ethdhcp = {
+                    configuration = with self.nixosModules; lib.mkMerge [
+                        ethdhcp
+                    ];
+                };
+            };
+
 
             fonts.packages = with pkgs; [ nerd-fonts.fira-code ];
 

modules/hosts/pi4/configuration.nix

@@ -1,87 +1,50 @@
-{ inputs, ... }: {
+{ self, inputs, ... }: {
 
-    flake.nixosModules.pi4 = { config, pkgs, ... }: {
+    flake.nixosModules.pi4-install-sd = { config, pkgs, modulesPath, ... }: {
 
-        imports = [
+        imports = with self.nixosModules; [
-                inputs.disko.nixosModules.default
+
+            (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
+            pi4-core
 
-                inputs.home-manager.nixosModules.default
         ];
 
         config = {
 
-            boot = {
+        };
-                loader = {
+    };
-                    grub.enable = false;
-                    generic-extlinux-compatible.enable = true;
-                };
-            };
 
-            networking = {
+    flake.nixosModules.pi4-install-disko = { config, pkgs, ... }: {
-                hostName = "pi4";
-                nameservers = [ "1.1.1.1" "1.0.0.1" ];
-                networkmanager.enable = true;
-            };
 
-            time.timeZone = "America/Chicago";
+        imports = with self.nixosModules; [
+            inputs.disko.nixosModules.default
 
-            i18n.defaultLocale = "en_US.UTF-8";
+            pi4-core
 
-            i18n.extraLocaleSettings = {
+            self.diskoConfigurations.pi4
-                LC_ADDRESS = "en_US.UTF-8";
+        ];
-                LC_IDENTIFICATION = "en_US.UTF-8";
-                LC_MEASUREMENT = "en_US.UTF-8";
-                LC_MONETARY = "en_US.UTF-8";
-                LC_NAME = "en_US.UTF-8";
-                LC_NUMERIC = "en_US.UTF-8";
-                LC_PAPER = "en_US.UTF-8";
-                LC_TELEPHONE = "en_US.UTF-8";
-                LC_TIME = "en_US.UTF-8";
-            };
 
-            hardware = {
+        config = {
-                bluetooth.enable = true;
 
-            };
+        };
+    };
 
-            programs.zsh.enable = true;
+    flake.nixosModules.pi4 = { config, pkgs, ... }: {
 
-            environment.shells = with pkgs; [ zsh ];
+        imports = with self.nixosModules; [
 
-            users = { 
+            pi4-core
-                groups.gpio = {};
-            };
 
-            services = {
+            netbird-sbc
-                udev.extraRules = ''
+            remoteBuilds
-                    SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660"
+            sops
-                    SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'"
+        ];
-                    SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'"
-                    '';
 
-                pulseaudio = {
+        config = {
-                    enable = true;
-                    extraConfig = ''
-                        load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
-                        '';
-                };
-
-            };
 
             sops = {
-                age.keyFile = "/var/lib/sops/age/keys.txt";
                 defaultSopsFile = ./secrets.yaml;
-                defaultSopsFormat = "yaml";
             };
-
-
-            fonts.packages = with pkgs; [ nerd-fonts.fira-code ];
-
-            sound.enable = true;
-
-            security.rtkit.enable = true;
-
-            system.stateVersion = "25.05";
         };
     };
 }

modules/hosts/pi4/core.nix

@@ -0,0 +1,72 @@
+{ self, inputs, ... }: {
+
+    flake.nixosModules.pi4-core = { config, pkgs, ... }: {
+
+        imports = with self.nixosModules; [
+
+            inputs.home-manager.nixosModules.default
+
+            self.nixosModules.default
+            user-nathan
+            avahi
+            openssh
+        ];
+
+        config = {
+
+            boot = {
+                loader = {
+                    grub.enable = false;
+                    generic-extlinux-compatible.enable = true;
+                };
+                kernelParams = [ "snd_bcm2835.enable_hdmi=1" "snd_bcm2835.enable_headphones=1" ];
+            };
+
+            networking = {
+                hostName = "pi4";
+                nameservers = [ "1.1.1.1" "1.0.0.1" ];
+                networkmanager.enable = true;
+            };
+
+            hardware = {
+                bluetooth.enable = true;
+
+            };
+
+            programs.zsh.enable = true;
+
+            environment.shells = with pkgs; [ zsh ];
+
+            environment.systemPackages = with pkgs; [
+                libraspberrypi
+                raspberrypi-eeprom
+            ];
+
+            users = { 
+                groups.gpio = {};
+            };
+
+            services = {
+                udev.extraRules = ''
+                    SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660"
+                    SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'"
+                    SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'"
+                '';
+
+                pulseaudio = {
+                    enable = true;
+                    extraConfig = ''
+                        load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
+                    '';
+                };
+
+            };
+
+            fonts.packages = with pkgs; [ nerd-fonts.fira-code ];
+
+            security.rtkit.enable = true;
+
+            system.stateVersion = "25.11";
+        };
+    };
+}

modules/hosts/pi4/default.nix

@@ -1,12 +1,48 @@
 { self, inputs, ... }: {
-    
+ 
-    flake.nixosConfigurations."pi4" = inputs.nixpkgs.lib.nixosSystem {
+    perSystem = { ... }: {
+        packages.pi4-sd = self.nixosConfigurations.pi4-install-sd.config.system.build.sdImage;
+    };
+
+    flake.nixosConfigurations.pi4 = inputs.nixpkgs.lib.nixosSystem {
+
+        system = "aarch64-linux";
 
         modules = [
             self.nixosModules.pi4
             self.nixosModules.pi4-hardware
-            self.diskoConfigurations.pi4
+            #self.diskoConfigurations.pi4
         ];
     };
 
+    flake.nixosConfigurations.pi4-install = inputs.nixpkgs.lib.nixosSystem {
+
+        system = "aarch64-linux";
+
+        modules = [
+            self.nixosModules.pi4-core
+            self.nixosModules.pi4-hardware
+        ];
+    };
+
+    flake.nixosConfigurations.pi4-install-sd = inputs.nixpkgs.lib.nixosSystem {
+
+        system = "aarch64-linux";
+
+        modules = [
+            self.nixosModules.pi4-install-sd
+            self.nixosModules.pi4-hardware
+        ];
+    };
+
+    flake.nixosConfigurations.pi4-install-disko = inputs.nixpkgs.lib.nixosSystem {
+
+        system = "aarch64-linux";
+
+        modules = [
+            self.nixosModules.pi4-install-disko
+            self.nixosModules.pi4-hardware
+            self.diskoConfigurations.pi4
+        ];
+    };
 }

modules/hosts/z2w/configuration.nix

@@ -0,0 +1,35 @@
+{ self, ... }: {
+
+    flake.nixosModules.z2w-install-sd = { config, pkgs, modulesPath, ... }: {
+
+        imports = with self.nixosModules; [
+
+            (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
+            z2w-core
+
+        ];
+
+        config = {
+
+        };
+    };
+
+    flake.nixosModules.z2w = { config, pkgs, ... }: {
+
+        imports = with self.nixosModules; [
+
+            z2w-install-sd
+
+            netbird-sbc
+            remoteBuilds
+            sops
+        ];
+
+        config = {
+
+            sops = {
+                defaultSopsFile = ./secrets.yaml;
+            };
+        };
+    };
+}

modules/hosts/z2w/core.nix

@@ -0,0 +1,66 @@
+{ self, inputs, ... }: {
+
+    flake.nixosModules.z2w-core = { config, lib, pkgs, ... }: {
+
+        imports = with self.nixosModules; [
+
+            inputs.home-manager.nixosModules.default
+
+            self.nixosModules.default
+            user-nathan
+            avahi
+            openssh
+        ];
+
+        config = {
+
+            /*boot = {
+                loader = {
+                    grub.enable = false;
+                    generic-extlinux-compatible.enable = true;
+                };
+            };*/
+
+            networking = {
+                hostName = lib.mkDefault "z2w";
+                nameservers = [ "1.1.1.1" "1.0.0.1" ];
+                #networkmanager.enable = true;
+                #wireless.enable = lib.mkForce false;
+            };
+
+
+            /*hardware = {
+                bluetooth.enable = true;
+
+            };*/
+
+            programs.zsh.enable = true;
+
+            environment.shells = with pkgs; [ zsh ];
+/*
+            users = { 
+                groups.gpio = {};
+            };
+
+            services = {
+                udev.extraRules = ''
+                    SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660"
+                    SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'"
+                    SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'"
+                '';
+
+                pulseaudio = {
+                    enable = true;
+                    extraConfig = ''
+                        load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
+                    '';
+                };
+
+            };
+*/
+            fonts.packages = with pkgs; [ nerd-fonts.fira-code ];
+
+            system.stateVersion = "25.11";
+        };
+    };
+}

modules/hosts/z2w/default.nix

@@ -0,0 +1,26 @@
+{ self, inputs, ... }: {
+ 
+    perSystem = { ... }: {
+        packages.z2w-sd = self.nixosConfigurations.z2w-install-sd.config.system.build.sdImage;
+    };
+
+    flake.nixosConfigurations.z2w = inputs.nixpkgs.lib.nixosSystem {
+
+        system = "aarch64-linux";
+
+        modules = inputs.opi-zero2w.lib.withOpiZero2wEssentials [
+            self.nixosModules.z2w
+            #self.nixosModules.z2w-hardware
+        ];
+    };
+
+    flake.nixosConfigurations.z2w-install-sd = inputs.nixpkgs.lib.nixosSystem {
+
+        system = "aarch64-linux";
+
+        modules = inputs.opi-zero2w.lib.withOpiZero2wInstallerEssentials [
+            self.nixosModules.z2w-install-sd
+            #self.nixosModules.z2w-hardware
+        ];
+    };
+}

modules/users/nathan/home-manager/.sops.yaml

@@ -1,11 +0,0 @@
-keys:
-  - &homebox age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd
-  - &laptop age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q
-  - &android age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74
-creation_rules:
-  - path_regex: ^secrets.yaml$
-    key_groups:
-    - age:
-      - *laptop
-      - *homebox
-      - *android

modules/users/nathan/home-manager/default.nix

@@ -1,11 +1,8 @@
-{ self, inputs, ... }: {
+{ self, ... }: {
 
     flake.homeModules.nathan = { config, lib, pkgs, ... }: {
 
         imports = with self.homeModules; [
-            inputs.sops-nix.homeManagerModules.sops
-
-
             nathan-terminal
             nathan-mpd
             nathan-nh
@@ -41,35 +38,8 @@
                 iconTheme.name = "rose-pine-moon";
             };
 
-            sops = {
-                age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
-                defaultSopsFile = ./secrets.yaml;
-                defaultSopsFormat = "yaml";
-
-#secrets."remoteBuildKey" = {};
-            };
-
             services.mpris-proxy.enable = true;
 
-            programs.ssh = {
-                enable = true;
-
-                matchBlocks = {
-                    "builder" = {
-                        hostname = "esotericbytes.com";
-                        user = "remote-builder";
-                        identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519";
-                        port = 22;
-                    };
-
-                    "remote" = {
-                        hostname = "esotericbytes.com";
-                        user = "nathan";
-                        identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519";
-                        port = 22;
-                    };
-                };
-            };
         };
     };
 }

modules/users/nathan/home-manager/features/git.nix

@@ -4,26 +4,9 @@
 
         config = {
 
-            sops = {
-                secrets = {
-                    "git/username" = {};
-                    "git/email" = {};
-                };
-
-                templates.gitconfig.content = ''
-                    [user]
-                    name = "${config.sops.placeholder."git/username"}"
-                    email = "${config.sops.placeholder."git/email"}"
-                '';
-            };
-
             programs.git = {
                 enable = true;
 
-                includes = [
-                { path = "${config.sops.templates.gitconfig.path}"; }
-                ];
-
                 settings = {
                     init = {
                         defaultBranch = "master";
@@ -38,6 +21,11 @@
                             ];
                         };
                     };
+
+                    user = {
+                        name = "Nathan";
+                        email = "nathanblunkall5@gmail.com";
+                    };
                 };
             };
         };

modules/users/nathan/home-manager/features/packages.nix

@@ -2,6 +2,11 @@
 
     flake.homeModules.nathan = { config, lib, pkgs, ... }: {
 
+        options.olympus.packageSet = lib.mkOption {
+            type = lib.types.str;
+            default = "full";
+        };
+
         config = with lib; mkMerge [
         {
 
@@ -17,17 +22,6 @@
                 unzip
                 rsync
                 curl
-
-                (python314.withPackages (ps: with ps; [
-                    gpustat
-                    numpy
-                    matplotlib
-                    scipy
-                    pandas
-                    pyaudio
-                    pyusb
-                    requests
-                ]))
                 
                 cava 
                 android-tools
@@ -44,11 +38,6 @@
 
         (mkIf config.wayland.windowManager.hyprland.enable {
 
-            nixpkgs.config = {
-                allowUnfree = true;
-            };
-
-
          home.packages = with pkgs; [
 
          grim
@@ -56,13 +45,42 @@
          wl-clipboard
          xfce.thunar
          blueberry
+         brightnessctl
+         libdbusmenu-gtk3
+         ];
+         })
+
+        (mkIf (pkgs.stdenv.hostPlatform.system == "x86_64-linux") {
+
+         home.packages = with pkgs; [
+
+         (python314.withPackages (ps: with ps; [
+            gpustat
+            numpy
+            matplotlib
+            scipy
+            pandas
+            pyaudio
+            pyusb
+            requests
+         ]))
+
+         ];
+         })
+
+        (mkIf (config.olympus.packageSet == "full") {
+
+            nixpkgs.config = {
+                allowUnfree = true;
+            };
+
+
+         home.packages = with pkgs; [
 
          handbrake
          quickemu
          bottles
 
-         brightnessctl
-         libdbusmenu-gtk3
          lmms
 
 #unfree {

modules/users/nathan/home-manager/features/sops.nix

@@ -0,0 +1,23 @@
+{ inputs, ... }: {
+
+    flake.homeModules.nathan-sops = { config, lib, pkgs, ... }: {
+
+        imports = [
+            inputs.sops-nix.homeManagerModules.sops
+        ];
+
+        config = {
+
+            sops = {
+                age = {
+                    keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+                    generateKey = true;
+                };
+                
+                defaultSopsFormat = "yaml";
+
+#secrets."remoteBuildKey" = {};
+            };
+        };
+    };
+}

modules/users/nathan/home-manager/features/ssh.nix

@@ -1,27 +1,41 @@
 { ... }: {
 
-    flake.homeModules.nathan-terminal = { ... }: {
+    flake.homeModules.nathan-terminal = { config, ... }: {
 
         programs.ssh = {
-
             enable = true;
 
-# defaults as of 25.11
-            matchBlocks."*" = {
-                forwardAgent = false;
-                addKeysToAgent = "no";
-                compression = false;
-                serverAliveInterval = 0;
-                serverAliveCountMax = 3;
-                hashKnownHosts = false;
-                userKnownHostsFile = "~/.ssh/known_hosts";
-                controlMaster = "no";
-                controlPath = "~/.ssh/master-%r@%n:%p";
-                controlPersist = "no";
-            };
             enableDefaultConfig = false;
 
+            matchBlocks = {
 
+                "*" = {
+                    forwardAgent = false;
+                    addKeysToAgent = "no";
+                    compression = false;
+                    serverAliveInterval = 0;
+                    serverAliveCountMax = 3;
+                    hashKnownHosts = false;
+                    userKnownHostsFile = "~/.ssh/known_hosts";
+                    controlMaster = "no";
+                    controlPath = "~/.ssh/master-%r@%n:%p";
+                    controlPersist = "no";
+                };
+
+                "builder" = {
+                    hostname = "esotericbytes.com";
+                    user = "remote-builder";
+                    identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519";
+                    port = 22;
+                };
+
+                "remote" = {
+                    hostname = "esotericbytes.com";
+                    user = "nathan";
+                    identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519";
+                    port = 22;
+                };
+            };
         };
     };
 }

modules/users/nathan/home-manager/secrets.yaml

@@ -1,36 +0,0 @@
-git:
-    username: ENC[AES256_GCM,data:418z4cCK,iv:tgPmynsW8fEJs6n+OGfm6IypOjNNhVdVaqFImeKXpC4=,tag:V5zI47vb9FnSO/OWurbJ+A==,type:str]
-    email: ENC[AES256_GCM,data:xp6HlIO1pTgvrXpGAOQwl0UvcnY4zrLrmw==,iv:LzGkluWeSe8MQqPXQMnNOv062UY+BkQE1fGjGqd/nCg=,tag:Y9nwo+Hjcg4ea2GxGKWApA==,type:str]
-sops:
-    age:
-        - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMktJdFhxRjhaT0MyZ0N3
-            YVBMYlNkRnl1eU8zajZLWXRPajZzWDBGQWxVCkhMcEdsNlVKQ1VHR2hjZWdsR1gx
-            MkhCeVZGUDJwdkdDTiswRW40QjRRYWMKLS0tIENIN2pheisyR21YZkIzblVZZ1cw
-            bHpLWEdPdUc4d2ZSS1FjUDM0QWRQUWsKqvlH0oWHH/PhMDTYT5KhCTzaEffsf1jM
-            r0o60YUCe6pUFs0qPvOxEPM3bq+7MkUpH4eXVAw3tCov3nUkmwlVZg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5K3ovcmpPck1reGVPQ0lm
-            YTYvNGtaSk4vLzlYSW0rSkpHcjZWUnBMS2dBCmt3RU1PMkJ1VU5wNUc1NC9lbGFk
-            cjl6cXp6M292enFHckkyamwwaDRia2MKLS0tIGRUTzFGdDZFaS9LdkRjMW56U25B
-            emRDTncvNnlycHF3V2VJN3NlZTNVSjgK8RUx9qImdqjHBHisnwY+qRZ9vuafl3MN
-            jnJsIsKSdF51dWYskEMVnPYwn9HdOKkAh6amwSITcw3ZCcK7ftfT+g==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWXVTSVQvNEhsMkQ2QkRl
-            SlZLTWN2eUdMa3MwdTBHZE8vdENKTTRKYVF3Ck01N2VNQUJPeHBwVHZTNWYzbXR5
-            ZS9hUDQydy9nQnR0SVpiUHV6ejhPb0EKLS0tIEZKeXV5QnpZYzBCVDR3WjVSV2Vv
-            TmJkL3VUbTRLNGNISGhFaGpmaXJ1cDAKpiZ8Nfml0KFq46JRg+394BCyZmnpE4XC
-            zqxRrNlGH/EDp00q5/jN84vQA+bOhGHcScQpvRCDKMXehQn3H4jksw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-16T16:08:48Z"
-    mac: ENC[AES256_GCM,data:3/ztJNXhOIPqgQ47QxjM5KTeAJwXPpUuVtvI5/xJsMOOZhXYRt+uhL584F98rJiMHhnbsuGIZi+jGlYRiE6c+GJ9X7TKLj9yRqKvCMSCdWHGzY721GH5kMPcjD2YDYZ4tt+olIMePNJBPjC1XJgfhfOvs43o2HyDTCS95cEQzB4=,iv:qofZBAwxbTrc/hPyuSi8nxibJ0bGhoytZpUTZwwzbuI=,tag:z1SJXutJmlJ+j6RnV4u29Q==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2

modules/users/nathan/nathan.nix

@@ -1,29 +1,41 @@
 { self, inputs, ... }: {
 
     flake.nixosModules.user-nathan = { config, lib, pkgs, ... }: let
-                laptop = [ "laptop" ];
+        laptop = [ "laptop" ];
-                homebox = [ "homebox" ];
+        homebox = [ "homebox" ];
-                #both = laptop ++ homebox;
+        iso = [ "iso" ];
-                useWith = x: y: (lib.mkIf (builtins.any (z: z == config.networking.hostName) x) y);
+        pi4 = [ "pi4" ];
-            in {
+        z2w = [ "red-black" "blue-white" "z2w" ];
-
+        useWith = x: y: (lib.mkIf (builtins.any (z: z == config.networking.hostName) x) y);
+    in {
+        
         config = {
 
-            sops.secrets."nathan/pass".neededForUsers = true;
-
             users.users.nathan = {
+                enable = true;
                 shell = pkgs.zsh;
                 name = lib.mkDefault "nathan";
                 isNormalUser = lib.mkDefault true;
-#hashedPasswordFile = lib.mkIf (cfg.hashedPasswordFile != null) cfg.hashedPasswordFile;
+                hashedPassword = lib.mkIf 
-                extraGroups = [ "networkmanager" "docker" "libvirtd" "wheel" ];
+                    (config.users.users.nathan.hashedPasswordFile == null) 
+                    "$y$j9T$F0pn6l4C45lz4a0FTZLqE0$Fc48Ptbmz/3MJCk/Jsaqop4ff.bY3J3GcjhmJx5R7k6";
+                extraGroups = lib.mkMerge [
+                    [ "networkmanager" "wheel" ]
+                    (useWith (homebox) [ "docker" "libvirtd" ])
+                    (useWith (pi4) [ "gpio" ])
+                ];
                 openssh.authorizedKeys.keys = lib.mkMerge [
-                    (useWith homebox [
+                    (useWith (homebox) [
                         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop"
                         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW nathan@localhost"
                         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCM7ZgIu4+ntHZbzo9iQPq5pUt7AhpOnfvvI0lWDgO4CgtkPGvyFrDnW87wjAKGKYkgKeHWHIkwq2hkEDqlPD+7xxtPpwzfyo7ZS23xlP31rL14HcG21jGHgx9SO7RmGDHHylu4PwJzz/KX59hcVmpSSV4hgB/mYA9UKe6VHv39X4y3HsjmiHwNBOKXltG4V+VkxOZD6HcZ62sgkyDTaqDpE7p+q8vHPbm6dVTKC9cMjtJmjB5EesMGKcEAy3VN2tA9M0EndtaLcBKM39vDXGpBsjURYZTu7NbQnncnO7L8kVL0nT4vA/d4mCjB51dPoXIcxn1ise0TOb9G7TxMbBQQO5YMOpiB2iuZRRvB3sYoKwbO8YfSxZi0EhvLcxkF9GBFw+pWPl0p0D2fPBbW88YQfEpoAt2EWvEu/pgaMJsTHpgaIuDwPLVQmDciX4MRoi324oElGSK8yN0P8IaCHhFchuehLBWvTi34Qot0GpnxeTzmlLzImICO9Yq0I7dk2rk= nathan@rpi-3dp"
                     ])
 
+                    (useWith (iso ++ pi4 ++ z2w) [
+                        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop"
+                        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW nathan@localhost"
+                    ])
+
                     (useWith laptop [
                         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW nathan@localhost"
                     ])
@@ -37,14 +49,15 @@
 
             home-manager.users.nathan = with self.homeModules; lib.mkMerge [
                 self.homeModules.nathan
-                (useWith laptop nathan-aurora)
+                (useWith (laptop ++ iso) nathan-aurora)
-                (useWith laptop nathan-firefox)
+                (useWith (laptop ++ iso) nathan-firefox)
-                (useWith laptop nathan-rofi)
+                (useWith (laptop ++ iso) nathan-rofi)
-                (useWith laptop nathan-hypridle)
+                (useWith (laptop ++ iso) nathan-hypridle)
-                (useWith laptop nathan-hyprland)
+                (useWith (laptop ++ iso) nathan-hyprland)
-                (useWith laptop nathan-kitty)
+                (useWith (laptop ++ iso) nathan-kitty)
-                (useWith laptop nathan-scripts)
+                (useWith (laptop ++ iso) nathan-scripts)
-                (useWith laptop nathan-pywal)
+                (useWith (laptop ++ iso) nathan-pywal)
+                (useWith (laptop ++ homebox) nathan-sops)
                 
                 (useWith laptop {
                     wayland.windowManager.hyprland.extraConfig = ''
@@ -53,13 +66,35 @@
                         bind = ALT, Escape, exec, if [[ $(hyprctl monitors | grep 0x0 | sed -n -e "s/\t*1920x1080@//" -e "s/.[1234567890]* at 0x0//p") == 300 ]]; then hyprctl keyword monitor eDP-1,1920x1080@60,0x0,1; else hyprctl keyword monitor eDP-1,1920x1080@300,0x0,1; fi
                     '';
                 })
+
+                (useWith (iso) {
+
+                    wayland.windowManager.hyprland.extraConfig = ''
+                        monitor=,preferred,auto,1
+                    '';
+                })
+
+                (useWith (iso ++ pi4 ++ z2w ++ homebox) {
+
+                    olympus = {
+                        packageSet = "minimal";
+                    };
+                })
             ];
         };
     };
 
-    flake.homeModules.nathan-standalone = { lib, ... }:
+    flake.homeModules.nathan-sops = { ... }: {
+        imports = [
+            inputs.sops-nix.homeManagerModules.sops
+        ];
+        
+        config = {
+            sops.defaultSopsFile = ./secrets.yaml;
+        };
+    };
 
-    {
+    flake.homeModules.nathan-standalone = { ... }: {
 
         config = {                    
             
@@ -83,6 +118,7 @@
 
         modules = [
             self.homeModules.nathan
+            self.homeModules.nathan-standalone
         ];
     };
 }

modules/users/nathan/secrets.yaml

@@ -0,0 +1,35 @@
+nathan:
+    pass: ENC[AES256_GCM,data:QCpcdtN8Bzn4UnrIdwcEv5jkpW1Xfsmhy7iMyOmBUuMFqqmKrJcFbIUJCuNUSqtRgRl4KO7gzUuXfZbaDX0tm+B/YDEt8vAWxQ==,iv:3GYAq0I2uqJ91YewyTVoTQNR6cnwJROQr2ipgHvbmSo=,tag:oHnAjSNqIIp39LLI8kSONQ==,type:str]
+sops:
+    age:
+        - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNOWVVVVpVdGFMMmNaTmU2
+            ZStjR0liZVVKSHcyQUhiVkdCeWhCZUVGMzFRCkFRc0xpdUJ5R0lMUHZzcVN3TTd3
+            OXVuNHhqSVBoYnFveFljbHlBbGRoZVkKLS0tIHgvOFA2cGxMaTFBUGFrQVBmRVJ1
+            N3ZvV3VKbmhNUGx1ckhhdWZVemRCMGcKLwZZ+wlV8EOCk7F5eaBFR4HPPCjvPI/+
+            UyQFJSzc9gGCNrhGicFtrDLx0m/JCzU/jILFUXav9IUTZ8ZRi01BOA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ1hRVHIrWHp0ZnlFVmJR
+            ODk4VzZPWnBLaTMxK3pLR2VxQk9LY0tMWWhVCjFqUzMxb01JNXZuaWVIdEE2NkxL
+            UWp2UytEYVl0SnZHQm4veGNva1p1a2MKLS0tIEphZVU4VjJJblpDRzdNZ3hJbTAx
+            c3lUMjBXMjVUY2VlSm9SRTNHUEdJd1kK/hotdiVc5La4c6k4U73URA/26y6EMzDL
+            iHqVcXZmgkipQtFB5Fvfs/6Zuc0E2f4zQmZSaGw2hQheVl1snm5xiw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMDl4bWVPNnpxYXZmWG1h
+            N2krT2lqN09IOHlvS1FaL1hTNFpsZS9XUmdrCkRFc3YyaWNjejJobVlrdEFReW9N
+            RlRHdVc1RHNxUE0vV0VvTzdlMm11R3MKLS0tIEpDMUVVME9PdFVNVnVEeG5Oay9l
+            UU50YWtqSG5SYjc2YUhFWmNZc3NpNTAKPaL3XXAUMD0wjI3PkXEWN4epQPSURN+J
+            b7di0rMlc6JtJrtzU3HdfmXneMfd4Da9Xk1SeFIxKHS0AsD4cJyt2w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-24T01:30:18Z"
+    mac: ENC[AES256_GCM,data:1tuKI1VMDSiCNWZ2fXp4G3Z0OmhxdyF8IlTaoEFCq324qNgaIfUX7TLfzzEF7ogctf1VBwdu2klGNRKAwjaVIZ8/9U7RgjtkbP5KGJMtXiVkDh1gNV31mlE9ogddxixkQiM9j3wI3RbgsAJaBwo3WGNwEeRrqO21unlE28BrMo0=,iv:Asdx7jYvylRDxWRu7XALP9FpPxWvban8pldJ5b/O9to=,tag:cECR7vjAR05RyLhEWIIrcA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1

modules/users/nathan/sops.nix

@@ -0,0 +1,22 @@
+{ inputs, ... }: {
+
+    flake.nixosModules.sops = { config, lib, ... }: {
+        
+        imports = [
+            inputs.sops-nix.nixosModules.sops
+        ];
+
+        config = {
+            
+            sops.secrets."nathan/pass" = {
+                neededForUsers = true;
+                sopsFile = ./secrets.yaml;
+            };
+
+            users.users.nathan = {
+                enable = lib.mkDefault false;
+                hashedPasswordFile = lib.mkDefault config.sops.secrets."nathan/pass".path;
+            };
+        };
+    };
+}