chore(tree-wide): rm everything for rebase

modules/home/default.nix

@@ -1,38 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  ...
-}:
-let
-  inherit (lib) mkOption;
-  inherit (lib.types) listOf str;
-in
-{
-  imports = [ inputs.impermanence.homeManagerModules.impermanence ];
-  options.persistDirs = mkOption {
-    type = listOf str;
-    default = [ ];
-  };
-  config = {
-    # Helper options
-    home.persistence."/persist/home/${config.home.username}" = {
-      directories = config.persistDirs;
-      allowOther = true;
-    };
-
-    # Global options
-    persistDirs = [
-      # For system activation
-      ".ssh"
-      ".config/sops/age"
-    ];
-    programs.ssh.enable = true;
-    # To set colors properly when on ssh
-    programs.ssh.extraConfig = ''
-      Host *
-        SetEnv TERM=xterm-256color
-    '';
-    home.stateVersion = "24.11";
-  };
-}

modules/nixos/default.nix

@@ -1,112 +0,0 @@
-{
-  inputs,
-  lib,
-  config,
-  ...
-}:
-let
-  inherit (lib) mkOption singleton;
-  inherit (lib.types)
-    listOf
-    str
-    coercedTo
-    submodule
-    shellPackage
-    ;
-  inherit (lib.pantheon) mkStrOption;
-  inherit (lib.snowfall.fs) get-file;
-  rootDir = submodule {
-    options = {
-      directory = mkOption { type = str; };
-      user = mkOption {
-        type = str;
-        default = "root";
-      };
-      group = mkOption {
-        type = str;
-        default = "root";
-      };
-      mode = mkOption {
-        type = str;
-        default = "0755";
-      };
-    };
-  };
-in
-{
-  imports = [
-    inputs.sops-nix.nixosModules.sops
-    inputs.stylix.nixosModules.stylix
-  ];
-  options = {
-    hostname = mkStrOption;
-    mainUser = {
-      name = mkStrOption;
-      publicKey = mkStrOption;
-      email = mkStrOption;
-      shell = mkOption {
-        type = shellPackage;
-      };
-    };
-    persistDirs = mkOption {
-      type = listOf (coercedTo str (d: { directory = d; }) rootDir);
-      default = [ ];
-    };
-  };
-  config = {
-    # Helper options
-    environment.persistence."/persist".directories = config.persistDirs;
-
-    # Global options
-    persistDirs = [
-      "/var/lib/systemd"
-      "/var/lib/nixos"
-    ];
-    stylix.enable = true;
-    nixpkgs.config.allowUnfree = true;
-    nix.settings.experimental-features = [
-      "nix-command"
-      "flakes"
-      "pipe-operators"
-    ];
-    nix.settings.trusted-users = [ "@wheel" ];
-    system.stateVersion = "25.05";
-    time.timeZone = "Asia/Singapore";
-    i18n.defaultLocale = "en_US.UTF-8";
-    users = {
-      # Don't allow imperative configuration
-      mutableUsers = false;
-      users.root.openssh.authorizedKeys.keys = [ config.mainUser.publicKey ];
-      groups.users = {
-        gid = 100;
-        members = [ "${config.mainUser.name}" ];
-      };
-      users."${config.mainUser.name}" = {
-        inherit (config.mainUser) shell;
-        uid = 1000;
-        isNormalUser = true;
-        hashedPasswordFile = config.sops.secrets."${config.mainUser.name}/hashedPassword".path;
-        extraGroups = [ "wheel" ];
-        openssh.authorizedKeys.keys = [ config.mainUser.publicKey ];
-      };
-    };
-    security.sudo.wheelNeedsPassword = false;
-    sops = {
-      defaultSopsFile = get-file "secrets/secrets.yaml";
-      age.sshKeyPaths = [ "/persist/home/${config.mainUser.name}/.ssh/id_ed25519" ];
-      secrets = {
-        "keys/openrouter" = { };
-        "keys/gemini" = { };
-        "keys/cloudflare" = { };
-        "keys/telegram_bot" = { };
-        "rafiq/hashedPassword".neededForUsers = true;
-        "rafiq/personalEmailPassword" = { };
-        "rafiq/workEmailPassword" = { };
-      };
-    };
-    environment.shellInit = # sh
-      ''
-        export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path})
-      '';
-  };
-}

modules/nixos/desktop/audio/default.nix

@@ -1,6 +0,0 @@
-{
-  services.pipewire = {
-    enable = true;
-    pulse.enable = true;
-  };
-}

modules/nixos/desktop/browser/tor-browser/default.nix

@@ -1,20 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib) mkEnableOption mkIf singleton;
-  cfg = config.desktop.browser.tor-browser;
-in
-{
-  options.desktop.browser.tor-browser.enable = mkEnableOption "";
-
-  config = mkIf cfg.enable {
-    home-manager.sharedModules = singleton {
-      persistDirs = singleton ".tor project";
-      home.packages = singleton pkgs.tor-browser;
-    };
-  };
-}

modules/nixos/desktop/default.nix

@@ -1,37 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib)
-    mkEnableOption
-    mkIf
-    singleton
-    optional
-    ;
-  inherit (lib.pantheon) mkStrOption;
-  inherit (pkgs) font-awesome wl-clipboard-rs;
-  cfg = config.desktop;
-in
-{
-  options.desktop = {
-    enable = mkEnableOption "";
-    enableWaylandUtilities = mkEnableOption "";
-    mainMonitor = {
-      id = mkStrOption;
-      scale = mkStrOption;
-      resolution = mkStrOption;
-      refresh-rate = mkStrOption;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    fonts.packages = singleton font-awesome;
-    services.getty.autologinUser = config.mainUser.name;
-    home-manager.sharedModules = optional cfg.enableWaylandUtilities {
-      home.packages = [ wl-clipboard-rs ];
-    };
-  };
-}

modules/nixos/desktop/gaming/default.nix

@@ -1,37 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib)
-    mkEnableOption
-    mkIf
-    mkMerge
-    singleton
-    ;
-  cfg = config.desktop.gaming;
-in
-{
-  options.desktop.gaming = {
-    steam.enable = mkEnableOption "";
-    prism-launcher.enable = mkEnableOption "";
-  };
-
-  config = mkMerge [
-    (mkIf cfg.steam.enable {
-      programs.steam = {
-        enable = true;
-        gamescopeSession.enable = true;
-      };
-      home-manager.sharedModules = singleton { persistDirs = singleton ".local/share/Steam"; };
-    })
-    (mkIf cfg.prism-launcher.enable {
-      home-manager.sharedModules = singleton {
-        home.packages = singleton pkgs.prismlauncher;
-        persistDirs = singleton ".local/share/PrismLauncher";
-      };
-    })
-  ];
-}

modules/nixos/desktop/launcher/default.nix

@@ -1,16 +0,0 @@
-{ lib, config, ... }:
-let
-  inherit (lib) singleton mkEnableOption;
-  cfg = config.desktop.launcher;
-in
-{
-  options.desktop.launcher = {
-    fuzzel.enable = mkEnableOption "";
-    wofi.enable = mkEnableOption "";
-  };
-
-  config.home-manager.sharedModules = singleton {
-    programs.fuzzel.enable = cfg.fuzzel.enable;
-    programs.wofi.enable = cfg.wofi.enable;
-  };
-}

modules/nixos/desktop/lockscreen/default.nix

@@ -1,22 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib)
-    mkEnableOption
-    mkIf
-    mkMerge
-    singleton
-    ;
-  cfg = config.desktop.lockscreen;
-in
-{
-  options.desktop.lockscreen = {
-    hyprlock.enable = mkEnableOption "";
-  };
-
-  config = mkMerge [
-    (mkIf cfg.hyprlock.enable {
-      security.pam.services.hyprlock = { };
-      home-manager.sharedModules = singleton { programs.hyprlock.enable = true; };
-    })
-  ];
-}

modules/nixos/desktop/media-player/default.nix

@@ -1,18 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib) mkEnableOption optional singleton;
-  inherit (pkgs) vlc;
-  cfg = config.desktop.media-player;
-in
-{
-  options.desktop.media-player = {
-    vlc.enable = mkEnableOption "";
-  };
-
-  config.home-manager.sharedModules = optional cfg.vlc.enable { home.packages = singleton vlc; };
-}

modules/nixos/desktop/services/default.nix

@@ -1,30 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib)
-    mkMerge
-    singleton
-    mkEnableOption
-    mkIf
-    ;
-  cfg = config.desktop.services;
-in
-{
-  options.desktop.services = {
-    spotifyd.enable = mkEnableOption "";
-  };
-
-  config = mkMerge [
-    (mkIf cfg.spotifyd.enable {
-      networking.firewall.allowedTCPPorts = [ 5353 ];
-      networking.firewall.allowedUDPPorts = [ 5353 ];
-      home-manager.sharedModules = singleton {
-        services.spotifyd.enable = true;
-        services.spotifyd.settings.global = {
-          device_name = "${config.hostname}";
-          device_type = "computer";
-          zeroconf_port = 5353;
-        };
-      };
-    })
-  ];
-}

modules/nixos/desktop/services/sunshine/default.nix

@@ -1,24 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) singleton mkIf mkEnableOption;
-  cfg = config.desktop.services.sunshine;
-in
-{
-  options.desktop.services.sunshine = {
-    enable = mkEnableOption "";
-  };
-  config = mkIf cfg.enable {
-    services.sunshine = {
-      enable = true;
-      capSysAdmin = true;
-      openFirewall = true;
-      settings = {
-        sunshine_name = config.hostname;
-        origin_pin_allowed = "wan";
-        origin_web_ui_allowed = "wan";
-      };
-      applications = { };
-    };
-    home-manager.sharedModules = singleton { persistDirs = singleton ".config/sunshine"; };
-  };
-}

modules/nixos/desktop/window-manager/hyprland/default.nix

@@ -1,55 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) mkEnableOption mkIf singleton;
-  inherit (config.desktop) mainMonitor;
-  cfg = config.desktop.window-manager.hyprland;
-in
-{
-  options.desktop.window-manager.hyprland.enable = mkEnableOption "";
-
-  config = mkIf cfg.enable {
-    # Enable custom module for wayland utilities (clipboard etc.)
-    desktop.enableWaylandUtilities = true;
-    # Start Hyprland at boot only if not connecting through SSH
-    environment.loginShellInit = # sh
-      ''
-        if [[ -z "$SSH_CLIENT" && -z "$SSH_CONNECTION" ]]; then
-          if uwsm check may-start; then
-            exec uwsm start hyprland-uwsm.desktop
-          fi
-        fi
-      '';
-    environment.variables = {
-      # Get Electron apps to use Wayland
-      ELECTRON_OZONE_PLATFORM_HINT = "auto";
-      NIXOS_OZONE_WL = "1";
-    };
-    programs.hyprland = {
-      enable = true;
-      # Use UWSM to have each process controlled by systemd init
-      withUWSM = true;
-    };
-    home-manager.sharedModules = singleton {
-      wayland.windowManager.hyprland = {
-        enable = true;
-        # This is needed for UWSM
-        systemd.enable = false;
-        # Null the packages since we use them system wide
-        package = null;
-        portalPackage = null;
-        settings.monitor = [ "${mainMonitor.id}, ${mainMonitor.resolution}@${mainMonitor.refresh-rate}, auto, ${mainMonitor.scale}" ];
-      };
-      xdg.configFile."uwsm/env".text = # sh
-        ''
-          # Force apps to scale right with Wayland
-          export GDK_SCALE=${mainMonitor.scale}
-          export STEAM_FORCE_DESKTOPUI_SCALING=${mainMonitor.scale}
-        '';
-      xdg.configFile."uwsm/env-hyprland".text = # sh
-        ''
-          export GDK_SCALE=${mainMonitor.scale}
-          export STEAM_FORCE_DESKTOPUI_SCALING=${mainMonitor.scale}
-        '';
-    };
-  };
-}

modules/nixos/machine/bootloader/default.nix

@@ -1,30 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  inherit (lib.pantheon) mkIntOption mkStrOption;
-  cfg = config.machine.bootloader;
-in
-{
-  options.machine.bootloader = {
-    type = mkStrOption;
-    configurationLimit = mkIntOption 5;
-  };
-  config.boot = {
-    initrd.availableKernelModules = [
-      "nvme"
-      "xhci_pci"
-      "ahci"
-      "usbhid"
-      "usb_storage"
-      "sd_mod"
-    ];
-    loader.efi.canTouchEfiVariables = true;
-    loader.systemd-boot = {
-      enable = cfg.type == "systemd-boot";
-      inherit (cfg) configurationLimit;
-    };
-  };
-}

modules/nixos/machine/default.nix

@@ -1,19 +0,0 @@
-{ lib, modulesPath, ... }:
-let
-  inherit (lib) singleton;
-in
-{
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
-  config = {
-    services.fwupd.enable = true;
-    persistDirs = singleton "/var/lib/bluetooth";
-    hardware.bluetooth = {
-      enable = true;
-      settings.General.Experimental = true;
-    };
-    hardware.xone.enable = true;
-  };
-}

modules/nixos/machine/drives/btrfs/default.nix

@@ -1,116 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  ...
-}:
-let
-  inherit (lib) mkIf mkEnableOption;
-  inherit (lib.pantheon) mkStrOption;
-  cfg = config.machine.drives.btrfs;
-  ephemeralRootCfg = {
-    boot.initrd.postDeviceCommands = lib.mkAfter ''
-      	    mkdir /btrfs_tmp
-      	    mount /dev/root_vg/root /btrfs_tmp
-      	    if [[ -e /btrfs_tmp/root ]]; then
-      		mkdir -p /btrfs_tmp/old_roots
-      		timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
-      		mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
-      	    fi
-
-      	    delete_subvolume_recursively() {
-      		IFS=$'\n'
-      		for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-      		    delete_subvolume_recursively "/btrfs_tmp/$i"
-      		done
-      		btrfs subvolume delete "$1"
-      	    }
-
-      	    for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
-      		delete_subvolume_recursively "$i"
-      	    done
-
-      	    btrfs subvolume create /btrfs_tmp/root
-      	    umount /btrfs_tmp
-      	  '';
-    programs.fuse.userAllowOther = true;
-    fileSystems."/persist".neededForBoot = true;
-    #FIXME: below should be in module or something
-    environment.persistence."/persist" = {
-      hideMounts = true;
-      files = [
-        "/etc/ssh/ssh_host_ed25519_key"
-        "/etc/ssh/ssh_host_ed25519_key.pub"
-        "/etc/ssh/ssh_host_rsa_key"
-        "/etc/ssh/ssh_host_rsa_key.pub"
-        "/etc/machine-id"
-      ];
-    };
-  };
-in
-{
-  imports = [
-    inputs.disko.nixosModules.disko
-    inputs.impermanence.nixosModules.impermanence
-  ];
-  options.machine.drives.btrfs = {
-    enable = mkEnableOption "";
-    drive = mkStrOption;
-    ephemeralRoot = mkEnableOption "";
-  };
-  config = mkIf cfg.enable (
-    {
-      boot.initrd.kernelModules = [ "dm-snapshot" ];
-      disko.devices.disk.main = {
-        device = cfg.drive;
-        type = "disk";
-        content.type = "gpt";
-        content.partitions = {
-          boot.name = "boot";
-          boot.size = "1M";
-          boot.type = "EF02";
-          esp.name = "ESP";
-          esp.size = "500M";
-          esp.type = "EF00";
-          esp.content = {
-            type = "filesystem";
-            format = "vfat";
-            mountpoint = "/boot";
-          };
-          swap.size = "4G";
-          swap.content = {
-            type = "swap";
-            resumeDevice = true;
-          };
-          root.name = "root";
-          root.size = "100%";
-          root.content = {
-            type = "lvm_pv";
-            vg = "root_vg";
-          };
-        };
-      };
-
-      disko.devices.lvm_vg.root_vg = {
-        type = "lvm_vg";
-        lvs.root.size = "100%FREE";
-        lvs.root.content.type = "btrfs";
-        lvs.root.content.extraArgs = [ "-f" ];
-        lvs.root.content.subvolumes = {
-          "/root".mountpoint = "/";
-          "/persist".mountpoint = "/persist";
-          "/persist".mountOptions = [
-            "subvol=persist"
-            "noatime"
-          ];
-          "/nix".mountpoint = "/nix";
-          "/nix".mountOptions = [
-            "subvol=nix"
-            "noatime"
-          ];
-        };
-      };
-    }
-    // ephemeralRootCfg
-  );
-}

modules/nixos/machine/gpu/default.nix

@@ -1,41 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib)
-    mkMerge
-    mkIf
-    mkEnableOption
-    singleton
-    ;
-  cfg = config.machine.gpu;
-in
-{
-  options.machine.gpu = {
-    nvidia.enable = mkEnableOption "";
-  };
-  config = mkMerge [
-    (mkIf cfg.nvidia.enable {
-      hardware = {
-        graphics.enable = true;
-        graphics.extraPackages = singleton pkgs.nvidia-vaapi-driver;
-        nvidia.open = true;
-        nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
-      };
-      services.xserver.videoDrivers = [ "nvidia" ];
-      nixpkgs.config.allowUnfree = true;
-      environment.variables = {
-        LIBVA_DRIVER_NAME = "nvidia";
-        __GLX_VENDOR_LIBRARY_NAME = "nvidia";
-        NVD_BACKEND = "direct";
-      };
-      nix.settings.substituters = [ "https://cuda-maintainers.cachix.org" ];
-      nix.settings.trusted-public-keys = [
-        "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
-      ];
-    })
-  ];
-}

modules/nixos/machine/platform/default.nix

@@ -1,21 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) singleton mkOption;
-  inherit (lib.types) enum;
-  cfg = config.machine.platform;
-in
-{
-  options.machine.platform = {
-    type = mkOption {
-      type = enum [
-        "amd"
-        "intel"
-      ];
-    };
-  };
-
-  config = {
-    hardware.cpu.${cfg.type}.updateMicrocode = true;
-    boot.kernelModules = singleton "kvm-${cfg.type}";
-  };
-}

modules/nixos/machine/usb/default.nix

@@ -1,45 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  inherit (lib)
-    mkEnableOption
-    mkIf
-    mkMerge
-    singleton
-    ;
-  cfg = config.machine.usb;
-in
-{
-  options.machine.usb = {
-    automount = mkEnableOption "";
-    enableQmk = mkEnableOption "";
-  };
-
-  config = mkMerge [
-    (mkIf cfg.automount {
-      services.udisks2.enable = true;
-      home-manager.sharedModules = singleton {
-        services.udiskie = {
-          enable = true;
-          automount = true;
-          notify = true;
-        };
-      };
-    })
-    (mkIf cfg.enableQmk {
-      hardware.keyboard.qmk.enable = true;
-      services.udev = {
-        packages = with pkgs; [
-          vial
-          qmk
-          qmk-udev-rules
-          qmk_hid
-        ];
-      };
-    })
-  ];
-}

modules/nixos/machine/virtualisation/distrobox/default.nix

@@ -1,22 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib) mkIf mkEnableOption singleton;
-  cfg = config.machine.virtualisation.distrobox;
-in
-{
-  options.machine.virtualisation.distrobox = {
-    enable = mkEnableOption "";
-  };
-  config = mkIf cfg.enable {
-    machine.virtualisation.podman.enable = true;
-    home-manager.sharedModules = singleton {
-      home.packages = singleton pkgs.distrobox;
-      # persistDirs = [ ".local/share/containers" ];
-    };
-  };
-}

modules/nixos/machine/virtualisation/podman/default.nix

@@ -1,32 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) mkEnableOption mkIf;
-  cfg = config.machine.virtualisation.podman;
-in
-{
-  options.machine.virtualisation.podman = {
-    enable = mkEnableOption "";
-  };
-  config = mkIf cfg.enable {
-    virtualisation = {
-      containers.enable = true;
-      podman = {
-        enable = true;
-        dockerCompat = true;
-        defaultNetwork.settings.dns_enabled = true;
-      };
-    };
-    users.users."${config.mainUser.name}" = {
-      extraGroups = [ "podman" ];
-      # https://wiki.nixos.org/wiki/Distrobox
-      # subGidRanges = singleton {
-      #   count = 65536;
-      #   startGid = 1000;
-      # };
-      # subUidRanges = singleton {
-      #   count = 65536;
-      #   startUid = 1000;
-      # };
-    };
-  };
-}

modules/nixos/networking/default.nix

@@ -1,28 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) mkDefault singleton;
-in
-{
-  sops.secrets = {
-    "tailscale/client-id".sopsFile = ./tailscale.yaml;
-    "tailscale/client-secret".sopsFile = ./tailscale.yaml;
-  };
-  networking = {
-    enableIPv6 = false;
-    useDHCP = mkDefault true;
-    hostName = config.hostname;
-    networkmanager.enable = true;
-  };
-
-  services.openssh = {
-    enable = true;
-    settings.PrintMotd = true;
-  };
-
-  services.tailscale = {
-    enable = true;
-    authKeyFile = config.sops.secrets."tailscale/client-secret".path;
-    authKeyParameters.preauthorized = true;
-  };
-  persistDirs = singleton "/var/lib/tailscale";
-}

modules/nixos/networking/tailscale.yaml

@@ -1,18 +0,0 @@
-tailscale:
-    client-id: ENC[AES256_GCM,data:kQ4H9b2h8DN+5eTvwIYHZ6s=,iv:/nC3LM0qDNj3wIm9XZd7UUn5SxmAOA1dofsDGElKjVU=,tag:AIj5F7KkORujLDe+ZOxJgw==,type:str]
-    client-secret: ENC[AES256_GCM,data:O0cKyuK+FfK2E1mzQpkgybPrqEs0fH1y3jCOG6usT++6x3sWuJNvT56OIHpVNu8GH/6BIBsnenC1J/sVNTYIzA==,iv:FugIzSjNpoe9Bwy+x/GHl0BpCtbogQXpY7s3ICevQc0=,tag:1kQIO4ekjKuvexQ923YE3g==,type:str]
-sops:
-    age:
-        - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbTNsZE5lN2JOT1Jsd2hz
-            OWpDWTFzTW05Nzl5K1AyMmgxcVV2eHlBRlF3Cnc3VW5IN014ck8zM3BIWnBMNFFt
-            UnE4aGhGNERUOTlwZEJyNWF1Q1o0RXcKLS0tIFlZSFFoaDlOMnBMSFVyT3FMbFZj
-            ckl5RVZiMnkzV0RFQXN1aHZKM2doMnMKD6BjRdqsHiKDth4aBiZ1lvlcO1OgY36O
-            cGkZjuH45L4a0Y0kvptq3iZ/iPnmX8hw8n/gdplzUkpBzdsNPebvSg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-01T21:11:39Z"
-    mac: ENC[AES256_GCM,data:YWgrMqqJgrGe+40a9CSDpAAgwPOeGXRFb58c6X6PxDHve3u5vQfHh+wkC0TFxadMsYcJTczRYf8YWuAwf7kFoO7ofYs+PfEi4ydKhl8WY9nXTsq+BFT4rDl/BaCfQw6qWD5/TKTtxm2pdtBNrG7bNeZJ8cVSOO/wsjoqrrbh3fk=,iv:8BXOX5O5apYLhZOWihagQBVldmsVoV+uEcejcO3cC0I=,tag:vansSul5Ebwooay48uYNZQ==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2

modules/nixos/server/databases/default.nix

@@ -1,84 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib) singleton;
-  cfg = config.server.databases;
-in
-{
-  options.server.databases = {
-    mongodb = {
-      enable = lib.mkEnableOption "the MongoDB server";
-      port = lib.pantheon.mkPortOption 27017;
-    };
-    mysql = {
-      enable = lib.mkEnableOption "the MySQL server";
-      port = lib.pantheon.mkPortOption 3306;
-    };
-    postgresql = {
-      enable = lib.mkEnableOption "the postgresql server";
-      port = lib.pantheon.mkPortOption 5432;
-    };
-  };
-
-  config = lib.mkMerge [
-    (lib.mkIf cfg.postgresql.enable {
-      networking.firewall.allowedTCPPorts = lib.singleton cfg.postgresql.port;
-      persistDirs = singleton {
-        directory = builtins.toString config.services.postgresql.dataDir;
-        user = "postgres";
-        group = "postgres";
-      };
-      services.postgresql = {
-        enable = true;
-        enableTCPIP = true;
-        settings = { inherit (cfg.postgresql) port; };
-        authentication = lib.mkOverride 10 ''
-          #type database DBuser auth-method
-          local all all trust
-
-          # ipv4
-          host all all 0.0.0.0/0 trust
-        '';
-        ensureDatabases = singleton "alphastory";
-        ensureUsers = singleton {
-          name = "alphastory";
-          ensureDBOwnership = true;
-        };
-      };
-    })
-    (lib.mkIf cfg.mongodb.enable {
-      networking.firewall.allowedTCPPorts = [ cfg.mongodb.port ];
-      persistDirs = singleton {
-        directory = builtins.toString config.services.mongodb.dbpath;
-        user = "mongodb";
-        group = "mongodb";
-      };
-      services.mongodb = {
-        enable = true;
-        bind_ip = "0.0.0.0";
-        extraConfig = ''
-          net.port: ${builtins.toString cfg.mongodb.port}
-        '';
-      };
-    })
-    (lib.mkIf cfg.mysql.enable {
-      networking.firewall.allowedTCPPorts = [ cfg.mysql.port ];
-      persistDirs = singleton {
-        directory = builtins.toString config.services.mysql.dataDir;
-        user = "mysql";
-        group = "mysql";
-      };
-      services.mysql = {
-        enable = true;
-        package = pkgs.mariadb;
-        settings.mysqld = {
-          inherit (cfg.mysql) port;
-        };
-      };
-    })
-  ];
-}

modules/nixos/server/default.nix

@@ -1,43 +0,0 @@
-{ lib, config, ... }:
-{
-  options.server.mountHelios = lib.mkEnableOption "";
-
-  config = lib.mkIf config.server.mountHelios {
-    sops.secrets."rafiq/oldSMBCredentials" = { };
-    sops.templates."smb-credentials".content = ''
-      username=rafiq
-      password=${config.sops.placeholder."rafiq/oldSMBCredentials"}
-    '';
-    fileSystems = {
-      "/media/helios/data" = {
-        device = "//helios/data";
-        fsType = "cifs";
-        options = [
-          "x-systemd.automount"
-          "x-systemd.requires=tailscaled.service"
-          "x-systemd.mount-timeout=0"
-        ];
-      };
-      "/media/helios/rafiqcloud" = {
-        device = "//helios/rafiqcloud";
-        fsType = "cifs";
-        options = [
-          "x-systemd.automount"
-          "x-systemd.requires=tailscaled.service"
-          "x-systemd.mount-timeout=0"
-          "credentials=${config.sops.templates."smb-credentials".path}"
-        ];
-      };
-      "/media/helios/rafiqmedia" = {
-        device = "//helios/rafiqmedia";
-        fsType = "cifs";
-        options = [
-          "x-systemd.automount"
-          "x-systemd.requires=tailscaled.service"
-          "x-systemd.mount-timeout=0"
-          "credentials=${config.sops.templates."smb-credentials".path}"
-        ];
-      };
-    };
-  };
-}

modules/nixos/server/networking/ddns/default.nix

@@ -1,62 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) mkIf mkOption mkEnableOption;
-  inherit (lib.types) enum str listOf;
-  inherit (lib.lists) unique;
-  inherit (builtins) map;
-  cfg = config.server.networking.ddns;
-  mkDomain = domain_name: {
-    inherit domain_name;
-    sub_domains = [
-      "@"
-      "*"
-    ];
-  };
-  # Sanitize the list of domains with unique so we can add to it with every service.
-  mkDomains = map mkDomain (unique cfg.domains);
-in
-{
-  options.server.networking.ddns = {
-    enable = mkEnableOption "";
-    type = mkOption {
-      type = enum [ "godns" ];
-      default = "godns";
-    };
-    domains = mkOption {
-      type = listOf str;
-      default = [ ];
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.godns = {
-      enable = if (cfg.type == "godns") then true else false;
-      loadCredential = [
-        "cf_token:${config.sops.secrets."keys/cloudflare".path}"
-        "telegram_bot_token:${config.sops.secrets."keys/telegram_bot".path}"
-      ];
-      settings = {
-        provider = "Cloudflare";
-        login_token_file = "$CREDENTIALS_DIRECTORY/cf_token";
-        domains = mkDomains;
-        resolver = "1.1.1.1";
-        ip_urls = [
-          "https://wtfismyip.com/text"
-          "https://api.ipify.org"
-          "https://myip.biturl.top"
-          "https://api-ipv4.ip.sb/ip"
-        ];
-        ip_type = "IPv4";
-        interval = 300;
-        notify = {
-          telegram = {
-            enabled = true;
-            bot_api_key_file = "$CREDENTIALS_DIRECTORY/telegram_bot_token";
-            chat_id = "384288005";
-            message_template = "Domain *{{ .Domain  }} has been updated to %0A{{ .CurrentIP }}";
-          };
-        };
-      };
-    };
-  };
-}

modules/nixos/server/web-apps/comfy-ui/default.nix

@@ -1,34 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  ...
-}:
-let
-  inherit (lib) singleton;
-  inherit (lib.pantheon.modules) mkWebApp;
-  upstreamCfg = config.services.comfyUi;
-in
-mkWebApp {
-  inherit config;
-  name = "comfy-ui";
-  defaultPort = 8188;
-  persistDirs = singleton {
-    directory = upstreamCfg.dataDir;
-    inherit (upstreamCfg) user group;
-    mode = "777";
-  };
-  extraConfig = {
-    assertions = singleton {
-      assertion = config.machine.gpu.nvidia.enable;
-      message = "You must run the comfy-ui service only with an nvidia gpu.";
-    };
-    services.comfyUi = {
-      enable = true;
-      listenHost = "0.0.0.0";
-    };
-  };
-}
-// {
-  imports = [ inputs.stable-diffusion-webui-nix.nixosModules.default ];
-}

modules/nixos/server/web-apps/forgejo/default.nix

@@ -1,41 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) singleton optional;
-  inherit (lib.pantheon) mkPortOption;
-  inherit (lib.pantheon.modules) mkWebApp;
-  cfg = config.server.web-apps.forgejo;
-  upstreamCfg = config.services.forgejo;
-in
-mkWebApp {
-  inherit config;
-  name = "forgejo";
-  defaultPort = 3000;
-  persistDirs = singleton {
-    directory = upstreamCfg.stateDir;
-    inherit (upstreamCfg) user group;
-  };
-  extraOptions = {
-    sshPort = mkPortOption 2222;
-  };
-  extraConfig = {
-    networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.sshPort;
-    services.forgejo = {
-      enable = true;
-      settings = {
-        server = {
-          DOMAIN = cfg.domain;
-          ROOT_URL = "https://${cfg.domain}/";
-          HTTP_PORT = cfg.port;
-          START_SSH_SERVER = true;
-          SSH_PORT = cfg.sshPort;
-        };
-        repository = {
-          USE_COMPAT_SSH_URI = false;
-          ENABLE_PUSH_CREATE_USER = true;
-          ENABLE_PUSH_CREATE_ORG = true;
-        };
-        "repository.signing".FORMAT = "ssh";
-      };
-    };
-  };
-}

modules/nixos/server/web-apps/glance/default.nix

@@ -1,17 +0,0 @@
-{ lib, config, ... }:
-let
-  inherit (lib.pantheon.modules) mkWebApp;
-  cfg = config.server.web-apps.glance;
-in
-mkWebApp {
-  inherit config;
-  name = "glance";
-  defaultPort = 8080;
-  extraConfig = {
-    services.glance = {
-      enable = true;
-      settings.server.host = "0.0.0.0";
-      settings.server.port = cfg.port;
-    };
-  };
-}

modules/nixos/server/web-apps/librechat/default.nix

@@ -1,80 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  ...
-}:
-let
-  inherit (lib) singleton;
-  inherit (lib.pantheon) mkStrOption;
-  inherit (lib.pantheon.modules) mkWebApp;
-  cfg = config.server.web-apps.librechat;
-  upstreamCfg = config.services.librechat;
-in
-mkWebApp {
-  inherit config;
-  name = "librechat";
-  defaultPort = 3080;
-  persistDirs = singleton {
-    directory = upstreamCfg.dataDir;
-    inherit (upstreamCfg) user group;
-  };
-  extraOptions.mongodbURI = mkStrOption // {
-    default = "mongodb://${config.hostname}:27017/LibreChat";
-  };
-  extraConfig = {
-    sops.secrets = {
-      "librechat/creds_key" = { };
-      "librechat/creds_iv" = { };
-      "librechat/jwt_secret" = { };
-      "librechat/jwt_refresh_secret" = { };
-    };
-    services.librechat = {
-      enable = true;
-      openFirewall = true;
-      inherit (cfg) port;
-      env = {
-        HOST = "0.0.0.0";
-        ALLOW_REGISTRATION = "true";
-        NO_INDEX = "true";
-        MONGO_URI = cfg.mongodbURI;
-        DOMAIN_CLIENT = cfg.domain;
-        DOMAIN_SERVER = cfg.domain;
-        ENDPOINTS = "anthropic,agents,google";
-      };
-      credentials = {
-        CREDS_KEY = config.sops.secrets."librechat/creds_key".path;
-        CREDS_IV = config.sops.secrets."librechat/creds_iv".path;
-        JWT_SECRET = config.sops.secrets."librechat/jwt_secret".path;
-        JWT_REFRESH_SECRET = config.sops.secrets."librechat/jwt_refresh_secret".path;
-        OPENROUTER_KEY = config.sops.secrets."keys/openrouter".path;
-        GOOGLE_KEY = config.sops.secrets."keys/gemini".path;
-      };
-      settings = {
-        version = "1.1.4";
-        cache = true;
-        endpoints.custom = [
-          {
-            name = "OpenRouter";
-            apiKey = "\${OPENROUTER_KEY}";
-            baseURL = "https://openrouter.ai/api/v1";
-            models.default = [ "meta-llama/llama-3-70b-instruct" ];
-            models.fetch = true;
-            titleConvo = true;
-            titleModel = "current_model";
-            modelDisplayLabel = "OpenRouter";
-          }
-        ];
-        interface = {
-          privacyPolicy = {
-            externalUrl = "https://librechat.ai/privacy-policy";
-            openNewTab = true;
-          };
-        };
-      };
-    };
-  };
-}
-// {
-  imports = singleton "${inputs.rrvsh-nixpkgs}/nixos/modules/services/web-apps/librechat.nix";
-}

modules/nixos/server/web-apps/rrv-sh/default.nix

@@ -1,24 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  ...
-}:
-let
-  inherit (lib.pantheon.modules) mkWebApp;
-  cfg = config.server.web-apps.rrv-sh;
-in
-mkWebApp {
-  inherit config;
-  name = "rrv-sh";
-  defaultPort = 2309;
-  extraConfig = {
-    services.rrv-sh = {
-      enable = true;
-      inherit (cfg) port;
-    };
-  };
-}
-// {
-  imports = [ inputs.rrv-sh.nixosModules.default ];
-}

modules/nixos/server/web-apps/sd-webui-forge/default.nix

@@ -1,34 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  ...
-}:
-let
-  inherit (lib) singleton;
-  inherit (lib.pantheon.modules) mkWebApp;
-  upstreamCfg = config.services.sd-webui-forge;
-in
-mkWebApp {
-  inherit config;
-  name = "sd-webui-forge";
-  defaultPort = 7860;
-  persistDirs = singleton {
-    directory = upstreamCfg.dataDir;
-    inherit (upstreamCfg) user group;
-  };
-  extraConfig = {
-    assertions = singleton {
-      assertion = config.machine.gpu.nvidia.enable;
-      message = "You must run the sd-webui-forge service only with an nvidia gpu.";
-    };
-    services.sd-webui-forge = {
-      enable = true;
-      listen = true;
-      extraArgs = "--cuda-malloc";
-    };
-  };
-}
-// {
-  imports = [ inputs.stable-diffusion-webui-nix.nixosModules.default ];
-}

modules/nixos/server/web-servers/default.nix

@@ -1,34 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib)
-    mkMerge
-    mkIf
-    mkEnableOption
-    singleton
-    ;
-  cfg = config.server.web-servers;
-in
-{
-  options.server.web-servers = {
-    enableSSL = mkEnableOption "";
-  };
-
-  config = mkMerge [
-    (mkIf cfg.enableSSL {
-      security.acme = {
-        acceptTerms = true;
-        defaults = {
-          inherit (config.mainUser) email;
-          dnsProvider = "cloudflare";
-          credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
-        };
-        certs = {
-          "rrv.sh".extraDomainNames = singleton "*.rrv.sh";
-          "bwfiq.com".extraDomainNames = singleton "*.bwfiq.com";
-          "slayment.com".extraDomainNames = singleton "*.slayment.com";
-          "aenyrathia.wiki".extraDomainNames = singleton "*.aenyrathia.wiki";
-        };
-      };
-    })
-  ];
-}

modules/nixos/server/web-servers/nginx/default.nix

@@ -1,119 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib)
-    mkMerge
-    mkOption
-    mkEnableOption
-    mkIf
-    singleton
-    ;
-  inherit (lib.types) listOf submodule attrs;
-  inherit (lib.pantheon) mkStrOption mkPathOption mkRootDomain;
-  inherit (builtins) listToAttrs map;
-  cfg = config.server.web-servers.nginx;
-  sslCheck = good: bad: if config.server.web-servers.enableSSL then good else bad;
-  defaultSink = mkIf cfg.enableDefaultSink {
-    "_" = {
-      default = true;
-      rejectSSL = sslCheck true false;
-      locations."/" = {
-        return = "444";
-      };
-    };
-  };
-  pages = listToAttrs (
-    map (page: {
-      name = page.domain;
-      value = {
-        addSSL = sslCheck true false;
-        useACMEHost = sslCheck (mkRootDomain page.domain) null;
-        acmeRoot = null; # needed for DNS validation
-        locations = {
-          "/" = {
-            inherit (page) root;
-          } // page.extraConfig;
-        } // page.locations;
-      };
-    }) cfg.pages
-  );
-  proxyPasses = listToAttrs (
-    map (proxy: {
-      name = proxy.source;
-      value = {
-        addSSL = sslCheck true false;
-        useACMEHost = sslCheck (mkRootDomain proxy.source) null;
-        acmeRoot = null; # needed for DNS validation
-        locations = {
-          "/" = {
-            proxyPass = proxy.target;
-          } // proxy.extraConfig;
-        } // proxy.locations;
-      };
-    }) cfg.proxies
-  );
-in
-{
-  options.server.web-servers.nginx = {
-    enable = mkEnableOption "the Nginx server";
-    openFirewall = mkEnableOption "" // {
-      default = true;
-    };
-    enableDefaultSink = mkEnableOption "" // {
-      default = true;
-    };
-    pages = mkOption {
-      default = [ ];
-      type = listOf (submodule {
-        options = {
-          domain = mkStrOption;
-          root = mkPathOption "";
-          extraConfig = lib.mkOption {
-            type = attrs;
-            default = { };
-          };
-          locations = lib.mkOption {
-            type = attrs;
-            default = { };
-          };
-        };
-      });
-    };
-    proxies = mkOption {
-      default = [ ];
-      type = listOf (submodule {
-        options = {
-          source = mkStrOption;
-          target = mkStrOption;
-          extraConfig = lib.mkOption {
-            type = attrs;
-            default = { };
-          };
-          locations = lib.mkOption {
-            type = attrs;
-            default = { };
-          };
-        };
-      });
-    };
-  };
-
-  config = mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
-      443
-      80
-    ];
-    users.users.nginx.extraGroups = singleton "acme";
-    services.nginx = {
-      enable = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      recommendedOptimisation = true;
-      recommendedGzipSettings = true;
-      virtualHosts = mkMerge [
-        defaultSink
-        proxyPasses
-        pages
-      ];
-    };
-  };
-}