feat(languages): enable tailwind language support

WARN: This commit message assumes the reason for disabling is darwin.

.gitignore

@@ -0,0 +1,2 @@
+# gitignore
+.pre-commit-config.*

.sops.yaml

@@ -1,7 +1,7 @@
 keys:
-  - &admin age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+  - &rafiq age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: \.(yaml)$
     key_groups:
     - age:
-      - *admin
+      - *rafiq

docs/README.md

@@ -0,0 +1,29 @@
+# Pantheon
+This flake serves as a monorepo for my systems (using IaC), dotfiles, and scripts.
+It's hosted at https://git.rrv.sh/rrvsh/pantheon, and mirrored to https://github.com/rrvsh/pantheon.
+
+## Structure
+The system configurations are defined in [`flake.manifest`](nix/manifest.nix).
+`flake.manifest.owner` provides the attributes for the administrator user, including username and pubkey.
+`flake.manifest.hosts` provides the specifications for the system configurations that should be exposed by the flake as nixosConfigurations.
+`flake.modules.nixos.*` provide NixOS options and configurations.
+The attribute `flake.modules.nixos.default` provides options that will be applied to every system of that class.
+You can use it as seen [here](nix/modules/flake/home-manager.nix):
+
+```nix
+flake.modules.nixos.default.imports = [ inputs.home-manager.nixosModules.default ];
+```
+
+The other attributes under `flake.modules.nixos` should be opt-in, i.e. provide options that will be set in the profiles.
+`flake.profiles.nixos` provides profiles which use the options defined in `flake.modules.nixos` to define different roles for each system, such as graphical, laptop, headless, etc.
+Options should not be defined here.
+`flake.contracts.nixos.*` will provide contracts, such as reverse proxies or databases, which will configure options on the provider and receiver host.
+
+## Acknowledgements
+Thanks to the following for inspiring this configuration. I highly recommend you look through their writings and configurations.
+- [ornicar](https://github.com/ornicar/dotfiles) which is where I first heard of NixOS
+- [No Boilerplate](https://www.youtube.com/watch?v=CwfKlX3rA6E&pp=0gcJCfwAo7VqN5tD) for making me finally try the OS
+- [ryan4yin](https://nixos-and-flakes.thiscute.world/) for being an amazing introduction to NixOS, home-manager, and flakes
+- [NotAShelf](https://github.com/NotAShelf/) for their blog and for the wonderful [NVF](https://github.com/notashelf/nvf)
+- [mightyiam](https://github.com/mightyiam/infra) for their infrastructure repo using flake-parts
+- [drupol](https://not-a-number.io/2025/refactoring-my-infrastructure-as-code-configurations/) for this blog post which convinced me to rebase my infra to use flake-parts

docs/cheatsheet.md

@@ -0,0 +1,2 @@
+# cheatsheet
+`__curPos.file` will give the full evaluated path of the nix file it is called in. See [this issue](https://github.com/NixOS/nix/issues/5897#issuecomment-1012165198) for more information.

flake.lock

@@ -1,62 +1,92 @@
 {
   "nodes": {
-    "disko": {
+    "base16": {
       "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
+        "fromYaml": "fromYaml"
       },
       "locked": {
-        "lastModified": 1747621015,
-        "narHash": "sha256-j0fo1rNxZvmFLMaE945UrbLJZAHTlQmq0/QMgOP4GTs=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "cec44d77d9dacf0c91d3d51aff128fefabce06ee",
+        "lastModified": 1746562888,
+        "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=",
+        "owner": "SenchoPens",
+        "repo": "base16.nix",
+        "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
-        "repo": "disko",
+        "owner": "SenchoPens",
+        "repo": "base16.nix",
         "type": "github"
       }
     },
-    "flake-compat": {
+    "base16-fish": {
       "flake": false,
       "locked": {
-        "lastModified": 1650374568,
-        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "lastModified": 1622559957,
+        "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
+        "owner": "tomyun",
+        "repo": "base16-fish",
+        "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
         "type": "github"
       },
       "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
+        "owner": "tomyun",
+        "repo": "base16-fish",
         "type": "github"
       }
     },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
-      },
+    "base16-helix": {
+      "flake": false,
       "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "lastModified": 1748408240,
+        "narHash": "sha256-9M2b1rMyMzJK0eusea0x3lyh3mu5nMeEDSc4RZkGm+g=",
+        "owner": "tinted-theming",
+        "repo": "base16-helix",
+        "rev": "6c711ab1a9db6f51e2f6887cc3345530b33e152e",
         "type": "github"
       },
       "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
+        "owner": "tinted-theming",
+        "repo": "base16-helix",
         "type": "github"
       }
     },
-    "flake-utils": {
+    "base16-vim": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1732806396,
+        "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=",
+        "owner": "tinted-theming",
+        "repo": "base16-vim",
+        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-vim",
+        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
+        "type": "github"
+      }
+    },
+    "dedupe_flake-compat": {
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "dedupe_flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": [
+          "systems"
+        ]
       },
       "locked": {
         "lastModified": 1731533236,
@@ -72,40 +102,168 @@
         "type": "github"
       }
     },
-    "flake-utils-plus": {
+    "dedupe_gitignore": {
       "inputs": {
-        "flake-utils": "flake-utils_2"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1715533576,
-        "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=",
-        "owner": "gytis-ivaskevicius",
-        "repo": "flake-utils-plus",
-        "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
-        "owner": "gytis-ivaskevicius",
-        "repo": "flake-utils-plus",
-        "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
         "type": "github"
       }
     },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_3"
-      },
+    "dedupe_mnw": {
       "locked": {
-        "lastModified": 1694529238,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "lastModified": 1748710831,
+        "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
+        "owner": "gerg-l",
+        "repo": "mnw",
+        "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "gerg-l",
+        "repo": "mnw",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751854533,
+        "narHash": "sha256-U/OQFplExOR1jazZY4KkaQkJqOl59xlh21HP9mI79Vc=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "16b74a1e304197248a1bc663280f2548dbfcae3c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "files": {
+      "locked": {
+        "lastModified": 1750263550,
+        "narHash": "sha256-EW/QJ8i/13GgiynBb6zOMxhLU1uEkRqmzbIDEP23yVA=",
+        "owner": "mightyiam",
+        "repo": "files",
+        "rev": "5f4ef1fd1f9012354a9748be093e277675d10f07",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mightyiam",
+        "repo": "files",
+        "type": "github"
+      }
+    },
+    "firefox-gnome-theme": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1748383148,
+        "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=",
+        "owner": "rafaelmardojai",
+        "repo": "firefox-gnome-theme",
+        "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rafaelmardojai",
+        "repo": "firefox-gnome-theme",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751413152,
+        "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "fromYaml": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731966426,
+        "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=",
+        "owner": "SenchoPens",
+        "repo": "fromYaml",
+        "rev": "106af9e2f715e2d828df706c386a685698f3223b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "SenchoPens",
+        "repo": "fromYaml",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": [
+          "dedupe_flake-compat"
+        ],
+        "gitignore": [
+          "dedupe_gitignore"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1750779888,
+        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gnome-shell": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1748186689,
+        "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=",
+        "owner": "GNOME",
+        "repo": "gnome-shell",
+        "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "GNOME",
+        "ref": "48.2",
+        "repo": "gnome-shell",
         "type": "github"
       }
     },
@@ -116,11 +274,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747688838,
-        "narHash": "sha256-FZq4/3OtGV/cti9Vccsy2tGSUrxTO4hkDF9oeGRTen4=",
+        "lastModified": 1751990210,
+        "narHash": "sha256-krWErNDl9ggMLSfK00Q2BcoSk3+IRTSON/DiDgUzzMw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "45c2985644b60ab64de2a2d93a4d132ecb87cf66",
+        "rev": "218da00bfa73f2a61682417efe74549416c16ba6",
         "type": "github"
       },
       "original": {
@@ -144,44 +302,74 @@
         "type": "github"
       }
     },
-    "mnw": {
+    "import-tree": {
       "locked": {
-        "lastModified": 1747499976,
-        "narHash": "sha256-YTiSI4WLbk0CleXeBheYmKZV6iqKyBpyoh1e+vcQzu4=",
-        "owner": "Gerg-L",
-        "repo": "mnw",
-        "rev": "72433a144c4ac16931e9148f78db4a0e4c147441",
+        "lastModified": 1751399845,
+        "narHash": "sha256-iun7//YHeEFgEOcG4KKKoy3d2GWOYqokLFVU/zIs79Y=",
+        "owner": "vic",
+        "repo": "import-tree",
+        "rev": "e24a50ff9b5871d4bdd8900679784812eeb120ea",
         "type": "github"
       },
       "original": {
-        "owner": "Gerg-L",
-        "repo": "mnw",
+        "owner": "vic",
+        "repo": "import-tree",
         "type": "github"
       }
     },
-    "nil": {
+    "make-shell": {
       "inputs": {
-        "flake-utils": [
-          "nvf",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nvf",
-          "nixpkgs"
-        ],
-        "rust-overlay": "rust-overlay"
+        "flake-compat": [
+          "dedupe_flake-compat"
+        ]
       },
       "locked": {
-        "lastModified": 1741118843,
-        "narHash": "sha256-ggXU3RHv6NgWw+vc+HO4/9n0GPufhTIUjVuLci8Za8c=",
-        "owner": "oxalica",
-        "repo": "nil",
-        "rev": "577d160da311cc7f5042038456a0713e9863d09e",
+        "lastModified": 1733933815,
+        "narHash": "sha256-9JjM7eT66W4NJAXpGUsdyAFXhBxFWR2Z9LZwUa7Hli0=",
+        "owner": "nicknovitski",
+        "repo": "make-shell",
+        "rev": "ffeceae9956df03571ea8e96ef77c2924f13a63c",
         "type": "github"
       },
       "original": {
-        "owner": "oxalica",
-        "repo": "nil",
+        "owner": "nicknovitski",
+        "repo": "make-shell",
+        "type": "github"
+      }
+    },
+    "manifest": {
+      "locked": {
+        "lastModified": 1752588656,
+        "narHash": "sha256-clKPzQ43eDpukeiGHzXmd1hGb2s4N+MWXAzQ5u5+pHQ=",
+        "owner": "rrvsh",
+        "repo": "manifest",
+        "rev": "365902fba994f30469298dee0c98a5fc0f41ec38",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rrvsh",
+        "repo": "manifest",
+        "type": "github"
+      }
+    },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751313918,
+        "narHash": "sha256-HsJM3XLa43WpG+665aGEh8iS8AfEwOIQWk3Mke3e7nk=",
+        "owner": "nix-darwin",
+        "repo": "nix-darwin",
+        "rev": "e04a388232d9a6ba56967ce5b53a8a6f713cdfcf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-darwin",
+        "ref": "master",
+        "repo": "nix-darwin",
         "type": "github"
       }
     },
@@ -192,11 +380,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747540584,
-        "narHash": "sha256-cxCQ413JTUuRv9Ygd8DABJ1D6kuB/nTfQqC0Lu9C0ls=",
+        "lastModified": 1751774635,
+        "narHash": "sha256-DuOznGdgMxeSlPpUu6Wkq0ZD5e2Cfv9XRZeZlHWMd1s=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "ec179dd13fb7b4c6844f55be91436f7857226dce",
+        "rev": "85686025ba6d18df31cc651a91d5adef63378978",
         "type": "github"
       },
       "original": {
@@ -207,11 +395,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1747542820,
-        "narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=",
+        "lastModified": 1751792365,
+        "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043",
+        "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
         "type": "github"
       },
       "original": {
@@ -221,38 +409,53 @@
         "type": "github"
       }
     },
-    "nixpkgs-lib": {
+    "nur": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1743296961,
-        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "lastModified": 1752005241,
+        "narHash": "sha256-+7DH6wh2BYnLRJzYXEbVlA1ZuAR4MxZI/paknbAuzk4=",
         "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+        "repo": "NUR",
+        "rev": "a2570fb4d0699fd34ebbbd52e2a763722601f6c6",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "repo": "nixpkgs.lib",
+        "repo": "NUR",
         "type": "github"
       }
     },
     "nvf": {
       "inputs": {
-        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
-        "mnw": "mnw",
-        "nil": "nil",
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "flake-utils": [
+          "dedupe_flake-utils"
+        ],
+        "mnw": [
+          "dedupe_mnw"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ],
-        "systems": "systems_2"
+        "systems": [
+          "systems"
+        ]
       },
       "locked": {
-        "lastModified": 1747525582,
-        "narHash": "sha256-oEZ6DV4bPcNZIuwW5Kcd+/zT3PMkXse2kX/3jHoomGk=",
+        "lastModified": 1752001027,
+        "narHash": "sha256-JgP8lW4QBr9v/U4ETaIOMvGCd/DAA1AjZ1lqjIwfWno=",
         "owner": "notashelf",
         "repo": "nvf",
-        "rev": "d3a0e7029ac57eef1120225973247851c5b967b5",
+        "rev": "c4d80273aaefeadaad96db97d077c647942b0e96",
         "type": "github"
       },
       "original": {
@@ -261,59 +464,93 @@
         "type": "github"
       }
     },
+    "python-flexseal": {
+      "inputs": {
+        "flake-utils": [
+          "stable-diffusion-webui-nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "stable-diffusion-webui-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751898758,
+        "narHash": "sha256-8EmTPdfOymvvHhmHYWiyO3cwZ4gtLo5uBFm3CU5vySo=",
+        "owner": "Janrupf",
+        "repo": "python-flexseal",
+        "rev": "af318e1fd047abbefcc68d0292a4d902179c95fe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Janrupf",
+        "repo": "python-flexseal",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
+        "dedupe_flake-compat": "dedupe_flake-compat",
+        "dedupe_flake-utils": "dedupe_flake-utils",
+        "dedupe_gitignore": "dedupe_gitignore",
+        "dedupe_mnw": "dedupe_mnw",
         "disko": "disko",
+        "files": "files",
+        "flake-parts": "flake-parts",
+        "git-hooks": "git-hooks",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
+        "import-tree": "import-tree",
+        "make-shell": "make-shell",
+        "manifest": "manifest",
+        "nix-darwin": "nix-darwin",
         "nix-index-database": "nix-index-database",
         "nixpkgs": "nixpkgs",
+        "nur": "nur",
         "nvf": "nvf",
-        "snowfall-lib": "snowfall-lib",
-        "sops-nix": "sops-nix"
+        "rrv-sh": "rrv-sh",
+        "rrvsh-nixpkgs": "rrvsh-nixpkgs",
+        "sops-nix": "sops-nix",
+        "stable-diffusion-webui-nix": "stable-diffusion-webui-nix",
+        "stylix": "stylix",
+        "systems": "systems",
+        "text": "text"
       }
     },
-    "rust-overlay": {
+    "rrv-sh": {
       "inputs": {
-        "nixpkgs": [
-          "nvf",
-          "nil",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1741055476,
-        "narHash": "sha256-52vwEV0oS2lCnx3c/alOFGglujZTLmObit7K8VblnS8=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "aefb7017d710f150970299685e8d8b549d653649",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
-    "snowfall-lib": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "flake-utils-plus": "flake-utils-plus",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1736130495,
-        "narHash": "sha256-4i9nAJEZFv7vZMmrE0YG55I3Ggrtfo5/T07JEpEZ/RM=",
-        "owner": "snowfallorg",
-        "repo": "lib",
-        "rev": "02d941739f98a09e81f3d2d9b3ab08918958beac",
+        "lastModified": 1751721838,
+        "narHash": "sha256-702c0fbgpUuEuQsduGJ9I5bSrCLYEG88SPuZXcSQqTs=",
+        "owner": "rrvsh",
+        "repo": "rrv.sh",
+        "rev": "e00c1c2607b55f43ef74b5f555f62838f4fe5963",
         "type": "github"
       },
       "original": {
-        "owner": "snowfallorg",
-        "repo": "lib",
+        "owner": "rrvsh",
+        "repo": "rrv.sh",
+        "type": "github"
+      }
+    },
+    "rrvsh-nixpkgs": {
+      "locked": {
+        "lastModified": 1750146550,
+        "narHash": "sha256-vFNbONVWIdYBqlKZoJScDRjnQ/euDmVqgCL2ebnsu7U=",
+        "owner": "rrvsh",
+        "repo": "nixpkgs",
+        "rev": "d7fa95990fd890bbd17ca8361f5d4e4935512c75",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rrvsh",
+        "ref": "librechat-module",
+        "repo": "nixpkgs",
         "type": "github"
       }
     },
@@ -324,11 +561,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747603214,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "lastModified": 1751606940,
+        "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
         "type": "github"
       },
       "original": {
@@ -337,6 +574,70 @@
         "type": "github"
       }
     },
+    "stable-diffusion-webui-nix": {
+      "inputs": {
+        "flake-utils": [
+          "dedupe_flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "python-flexseal": "python-flexseal"
+      },
+      "locked": {
+        "lastModified": 1751899247,
+        "narHash": "sha256-bh6xwc24Rv0YE4grKXvj+kmXmydns+OrlWn4WLnJSY4=",
+        "owner": "janrupf",
+        "repo": "stable-diffusion-webui-nix",
+        "rev": "d5ba5dccd190b0ded17f9c4a23dc7665c6dc2eae",
+        "type": "github"
+      },
+      "original": {
+        "owner": "janrupf",
+        "repo": "stable-diffusion-webui-nix",
+        "type": "github"
+      }
+    },
+    "stylix": {
+      "inputs": {
+        "base16": "base16",
+        "base16-fish": "base16-fish",
+        "base16-helix": "base16-helix",
+        "base16-vim": "base16-vim",
+        "firefox-gnome-theme": "firefox-gnome-theme",
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "gnome-shell": "gnome-shell",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nur": [
+          "nur"
+        ],
+        "systems": [
+          "systems"
+        ],
+        "tinted-foot": "tinted-foot",
+        "tinted-kitty": "tinted-kitty",
+        "tinted-schemes": "tinted-schemes",
+        "tinted-tmux": "tinted-tmux",
+        "tinted-zed": "tinted-zed"
+      },
+      "locked": {
+        "lastModified": 1751995939,
+        "narHash": "sha256-C5CSTv+b8XSbqJwqTP8SGkZEK3YCCJnmvRbg209ql5w=",
+        "owner": "nix-community",
+        "repo": "stylix",
+        "rev": "8f3259dbc57c8ee871492fde80f77468826bbd63",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "stylix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -352,33 +653,99 @@
         "type": "github"
       }
     },
-    "systems_2": {
+    "text": {
       "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "lastModified": 1751819711,
+        "narHash": "sha256-Emci++Hknzr2FEZRUbRDD7prI5JwwGsACO/GaU9Pmxg=",
+        "owner": "rrvsh",
+        "repo": "text.nix",
+        "rev": "00ba1e616ef3b761a52d5f7ac32892715cc4bcd1",
         "type": "github"
       },
       "original": {
-        "owner": "nix-systems",
-        "repo": "default",
+        "owner": "rrvsh",
+        "repo": "text.nix",
         "type": "github"
       }
     },
-    "systems_3": {
+    "tinted-foot": {
+      "flake": false,
       "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "lastModified": 1726913040,
+        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
+        "owner": "tinted-theming",
+        "repo": "tinted-foot",
+        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
         "type": "github"
       },
       "original": {
-        "owner": "nix-systems",
-        "repo": "default",
+        "owner": "tinted-theming",
+        "repo": "tinted-foot",
+        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
+        "type": "github"
+      }
+    },
+    "tinted-kitty": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1735730497,
+        "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=",
+        "owner": "tinted-theming",
+        "repo": "tinted-kitty",
+        "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-kitty",
+        "type": "github"
+      }
+    },
+    "tinted-schemes": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1748180480,
+        "narHash": "sha256-7n0XiZiEHl2zRhDwZd/g+p38xwEoWtT0/aESwTMXWG4=",
+        "owner": "tinted-theming",
+        "repo": "schemes",
+        "rev": "87d652edd26f5c0c99deda5ae13dfb8ece2ffe31",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "schemes",
+        "type": "github"
+      }
+    },
+    "tinted-tmux": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1748740859,
+        "narHash": "sha256-OEM12bg7F4N5WjZOcV7FHJbqRI6jtCqL6u8FtPrlZz4=",
+        "owner": "tinted-theming",
+        "repo": "tinted-tmux",
+        "rev": "57d5f9683ff9a3b590643beeaf0364da819aedda",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-tmux",
+        "type": "github"
+      }
+    },
+    "tinted-zed": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1725758778,
+        "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=",
+        "owner": "tinted-theming",
+        "repo": "base16-zed",
+        "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-zed",
         "type": "github"
       }
     }

flake.nix

@@ -1,39 +1,134 @@
 {
-  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    disko.url = "github:nix-community/disko";
-    disko.inputs.nixpkgs.follows = "nixpkgs";
-    snowfall-lib.url = "github:snowfallorg/lib";
-    snowfall-lib.inputs.nixpkgs.follows = "nixpkgs";
-    impermanence.url = "github:nix-community/impermanence";
-    home-manager.url = "github:nix-community/home-manager";
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
-    nix-index-database.url = "github:nix-community/nix-index-database";
-    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
-    sops-nix.url = "github:Mic92/sops-nix";
-    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    nvf.url = "github:notashelf/nvf";
-    nvf.inputs.nixpkgs.follows = "nixpkgs";
-  };
-
   outputs =
-    inputs:
-    inputs.snowfall-lib.mkFlake {
-      inherit inputs;
-      src = ./.;
-      snowfall.namespace = "pantheon";
-      systems.modules.nixos = with inputs; [
-        disko.nixosModules.disko
-        impermanence.nixosModules.impermanence
-        sops-nix.nixosModules.sops
-      ];
-      homes.modules = with inputs; [
-        impermanence.homeManagerModules.impermanence
-        nix-index-database.hmModules.nix-index
-        nvf.homeManagerModules.default
-      ];
-      outputs-builder = channels: {
-        formatter = channels.nixpkgs.nixfmt-rfc-style;
+    { self, ... }@inputs:
+    inputs.flake-parts.lib.mkFlake { inherit inputs; } (
+      (inputs.import-tree ./nix)
+      // {
+        systems = import inputs.systems;
+        flake = {
+          inherit self;
+          paths.root = ./.;
+        };
+      }
+    );
+  inputs = {
+    ### SYSTEM ###
+
+    # systems provides a list of supported nix systems.
+    systems.url = "github:nix-systems/default";
+    # nixos-unstable provides a binary cache for all packages.
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    # My fork for random shit
+    rrvsh-nixpkgs.url = "github:rrvsh/nixpkgs/librechat-module";
+    # home-manager manages our user packages and dotfiles
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    # nix darwin provides declarative mac configuration
+    nix-darwin = {
+      url = "github:nix-darwin/nix-darwin/master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    # the nix user repository for mainly firefox extensions
+    nur = {
+      url = "github:nix-community/NUR";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-parts.follows = "flake-parts";
+    };
+    # impermanence provides a nice abstraction over linking files from /persist
+    impermanence.url = "github:nix-community/impermanence";
+    # flake-parts lets us define flake modules.
+    flake-parts = {
+      url = "github:hercules-ci/flake-parts";
+      inputs.nixpkgs-lib.follows = "nixpkgs";
+    };
+    # disko provides declarative drive partitioning
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    # sops-nix lets us version control secrets like passwords and api keys
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    stylix = {
+      url = "github:nix-community/stylix";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-parts.follows = "flake-parts";
+        systems.follows = "systems";
+        nur.follows = "nur";
       };
     };
+
+    ### FLAKE PARTS MODULES ###
+
+    # import-tree imports all nix files in a given directory.
+    import-tree.url = "github:vic/import-tree";
+    # files lets us write text files and automatically add checks for them
+    files.url = "github:mightyiam/files";
+    # text.nix lets us easily define markdown text to pass to files
+    text.url = "github:rrvsh/text.nix";
+    # manifest lets us define all hosts in one file
+    manifest.url = "github:rrvsh/manifest";
+    # make-shells.<name> creates devShells and checks
+    make-shell = {
+      url = "github:nicknovitski/make-shell";
+      inputs.flake-compat.follows = "dedupe_flake-compat";
+    };
+    # git-hooks ensures nix flake check is ran before commits
+    git-hooks = {
+      url = "github:cachix/git-hooks.nix";
+      inputs = {
+        flake-compat.follows = "dedupe_flake-compat";
+        nixpkgs.follows = "nixpkgs";
+        gitignore.follows = "dedupe_gitignore";
+      };
+    };
+
+    ### FLAKES ###
+
+    # nix-index-database indexes the nixpkgs binaries for use with comma
+    nix-index-database = {
+      url = "github:nix-community/nix-index-database";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    # nvf provides modules to wrap neovim
+    nvf = {
+      url = "github:notashelf/nvf";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-parts.follows = "flake-parts";
+        systems.follows = "systems";
+        flake-utils.follows = "dedupe_flake-utils";
+        mnw.follows = "dedupe_mnw";
+      };
+    };
+    # provides comfy ui and sdwebui services
+    stable-diffusion-webui-nix = {
+      url = "github:janrupf/stable-diffusion-webui-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "dedupe_flake-utils";
+    };
+    # my website :)
+    rrv-sh = {
+      url = "github:rrvsh/rrv.sh";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    ### DEDUPE ###
+
+    dedupe_flake-compat.url = "github:edolstra/flake-compat";
+    dedupe_flake-utils = {
+      url = "github:numtide/flake-utils";
+      inputs.systems.follows = "systems";
+    };
+    dedupe_mnw.url = "github:gerg-l/mnw";
+    dedupe_gitignore = {
+      url = "github:hercules-ci/gitignore.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
 }

homes/x86_64-linux/rafiq/default.nix

@@ -1,37 +0,0 @@
-{
-  pkgs,
-  ...
-}:
-{
-  cli.shell = "zsh";
-  cli.editor = "nvf";
-  cli.file-browser = "yazi";
-  cli.git.name = "Mohammad Rafiq";
-  cli.git.email = "rafiq@rrv.sh";
-  cli.git.defaultBranch = "prime";
-  desktop.windowManager = "hyprland";
-  desktop.browser = "firefox";
-  desktop.terminal = "kitty";
-
-  home.shellAliases = {
-    v = "nvim";
-    edit = "nvim $(fzf)";
-  };
-
-  home.packages = with pkgs; [
-    ripgrep
-    fzf
-    devenv
-    pantheon.rebuild
-  ];
-
-  home.persistence."/persist/home/rafiq".directories = [
-    "repos"
-  ];
-
-  programs.direnv = {
-    enable = true;
-    nix-direnv.enable = true;
-  };
-
-}

lib/default.nix

@@ -1,7 +0,0 @@
-{ lib, ... }:
-{
-  mkStrOption = lib.mkOption {
-    type = lib.types.str;
-    default = "";
-  };
-}

modules/home/cli/default.nix

@@ -1,30 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-{
-  options.cli = {
-    shell = lib.pantheon.mkStrOption;
-    editor = lib.pantheon.mkStrOption;
-    file-browser = lib.pantheon.mkStrOption;
-    git = {
-      name = lib.pantheon.mkStrOption;
-      email = lib.pantheon.mkStrOption;
-      defaultBranch = lib.pantheon.mkStrOption;
-    };
-  };
-
-  config = lib.mkMerge [
-    {
-      programs.zoxide.enable = true;
-      home.persistence."/persist/home/${config.snowfallorg.user.name}".directories = [
-        "./local/share/zoxide"
-      ];
-    }
-    {
-      programs.nix-index.enable = true;
-      programs.nix-index-database.comma.enable = true;
-    }
-  ];
-}

modules/home/cli/editor/nvf/autocomplete.nix

@@ -1,6 +0,0 @@
-{
-  blink-cmp = {
-    enable = true;
-    setupOpts.signature.enabled = true;
-  };
-}

modules/home/cli/editor/nvf/default.nix

@@ -1,23 +0,0 @@
-{ config, lib, ... }:
-{
-  config = lib.mkIf (config.cli.editor == "nvf") {
-    home.sessionVariables.EDITOR = "nvim";
-    programs.nvf = {
-      enable = true;
-      settings.vim = {
-        keymaps = import ./keymaps.nix;
-        lsp = import ./lsp.nix;
-        languages = import ./languages.nix;
-        autocomplete = import ./autocomplete.nix;
-        utility.yazi-nvim = {
-          enable = true;
-          mappings = {
-            openYazi = "t";
-            openYaziDir = "T";
-          };
-          setupOpts.open_for_directories = true;
-        };
-      };
-    };
-  };
-}

modules/home/cli/editor/nvf/keymaps.nix

@@ -1,9 +0,0 @@
-[
-  {
-    desc = "Open the file path under the cursor, making the file if it doesn't exist.";
-    key = "gf";
-    mode = "n";
-    action = ":cd %:p:h<CR>:e <cfile><CR>";
-    silent = true;
-  }
-]

modules/home/cli/editor/nvf/languages.nix

@@ -1,8 +0,0 @@
-{
-  enableExtraDiagnostics = true;
-  enableFormat = true;
-  enableTreesitter = true;
-  nix.enable = true;
-  nix.format.type = "nixfmt";
-  nix.lsp.server = "nixd";
-}

modules/home/cli/editor/nvf/lsp.nix

@@ -1,9 +0,0 @@
-{
-  enable = true;
-  formatOnSave = true;
-  inlayHints.enable = true;
-  lightbulb.enable = true;
-  lspkind.enable = true;
-  null-ls.enable = true;
-  otter-nvim.enable = true;
-}

modules/home/cli/file-browser/default.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ./yazi.nix
-  ];
-}

modules/home/cli/file-browser/yazi.nix

@@ -1,10 +0,0 @@
-{ config, lib, ... }:
-{
-  config = lib.mkIf (config.cli.file-browser == "yazi") {
-    home.sessionVariables.FILE_BROWSER = "yazi";
-    programs.yazi = {
-      enable = true;
-      shellWrapperName = "t";
-    };
-  };
-}

modules/home/cli/shell/default.nix

@@ -1,15 +0,0 @@
-{ config, lib, ... }:
-{
-  config = lib.mkIf (config.cli.shell == "zsh") {
-    home.sessionVariables.SHELL = "zsh";
-    programs.zsh = {
-      enable = true;
-      enableVteIntegration = true;
-      syntaxHighlighting.enable = true;
-      history.share = true;
-      history.size = 10000;
-      history.ignoreDups = true;
-      history.ignoreSpace = true;
-    };
-  };
-}

modules/home/cli/utilities/default.nix

@@ -1,3 +0,0 @@
-{
-  imports = [ ./git.nix ];
-}

modules/home/desktop/browser/firefox/default.nix

@@ -1,12 +0,0 @@
-{ config, lib, ... }:
-{
-  config = lib.mkIf (config.desktop.browser == "firefox") {
-    home.persistence."/persist/home/rafiq".directories = [ ".mozilla/firefox" ];
-    home.sessionVariables.BROWSER = "firefox";
-    programs.firefox = {
-      enable = true;
-      profiles.rafiq.id = 0;
-      profiles.test.id = 1;
-    };
-  };
-}

modules/home/desktop/default.nix

@@ -1,22 +0,0 @@
-{
-  config,
-  lib,
-  osConfig,
-  ...
-}:
-{
-  options.desktop = {
-    windowManager = lib.pantheon.mkStrOption;
-    browser = lib.pantheon.mkStrOption;
-    terminal = lib.pantheon.mkStrOption;
-  };
-
-  config = {
-    assertions = [
-      {
-        assertion = (osConfig.desktop.windowManager == config.desktop.windowManager);
-        message = "You have set your home window manager to one that is not installed on this system.";
-      }
-    ];
-  };
-}

modules/home/desktop/terminal/default.nix

@@ -1,14 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  config = lib.mkMerge [
-    (lib.mkIf (config.desktop.terminal == "kitty") {
-      home.packages = with pkgs; [ kitty ];
-      home.sessionVariables.TERMINAL = "kitty";
-    })
-  ];
-}

modules/home/desktop/windowManager/hyprland/default.nix

@@ -1,61 +0,0 @@
-{
-  config,
-  lib,
-  osConfig,
-  ...
-}:
-let
-  mainMonitor = osConfig.desktop.mainMonitor;
-in
-{
-  imports = [
-
-  ];
-
-  config = lib.mkIf (config.desktop.windowManager == "hyprland") (
-    lib.mkMerge [
-      {
-        xdg.configFile."uwsm/env".text = # sh
-          ''
-
-          '';
-        wayland.windowManager.hyprland = {
-          enable = true;
-          systemd.enable = false;
-          settings = {
-            ecosystem.no_update_news = true;
-            "$hypr" = "CTRL_SUPER_ALT_SHIFT";
-
-            monitor = [
-              "${mainMonitor.id}, ${mainMonitor.resolution}@${mainMonitor.refresh-rate}, auto, ${mainMonitor.scale}"
-              ", preferred, auto, 1"
-            ];
-
-            bind = [
-              "$hypr, Q, exec, uwsm stop"
-              "SUPER, W, killactive"
-
-              "SUPER, return, exec, uwsm app -- $TERMINAL"
-              "SUPER, O, exec, uwsm app -- $BROWSER"
-
-              "SUPER, H, cyclenext, visible"
-              "SUPER, L, cyclenext, visible prev"
-              "SUPER_ALT, H, movewindow, l"
-              "SUPER_ALT, J, movewindow, d"
-              "SUPER_ALT, K, movewindow, u"
-              "SUPER_ALT, L, movewindow, r"
-              "ALT_SHIFT, H, resizeactive, -10% 0"
-              "ALT_SHIFT, J, resizeactive, 0 -10%"
-              "ALT_SHIFT, K, resizeactive, 0 10%"
-              "ALT_SHIFT, L, resizeactive, 10% 0"
-              "SUPER_CTRL, H, workspace, r-1"
-              "SUPER_CTRL, L, workspace, r+1"
-              "$hypr, H, movetoworkspace, r-1"
-              "$hypr, L, movetoworkspace, r+1"
-            ];
-          };
-        };
-      }
-    ]
-  );
-}

modules/home/system/default.nix

@@ -1,12 +0,0 @@
-{ config, ... }:
-{
-  home.persistence."/persist/home/${config.snowfallorg.user.name}" = {
-    directories = [
-      ".ssh"
-      ".config/sops/age"
-    ];
-    allowOther = true;
-  };
-
-  home.stateVersion = "24.11";
-}

modules/nixos/cli/default.nix

@@ -1,19 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  imports = [ ];
-
-  options.cli = { };
-
-  config = lib.mkMerge [
-    {
-      programs.zsh.enable = true;
-      users.defaultUserShell = pkgs.zsh;
-      environment.pathsToLink = [ "/share/zsh" ]; # enables completion
-    }
-  ];
-}

modules/nixos/desktop/default.nix

@@ -1,16 +0,0 @@
-{ lib, ... }:
-{
-  imports = [
-    ./windowManager.nix
-  ];
-
-  options.desktop = {
-    mainMonitor = {
-      id = lib.pantheon.mkStrOption;
-      scale = lib.pantheon.mkStrOption;
-      resolution = lib.pantheon.mkStrOption;
-      refresh-rate = lib.pantheon.mkStrOption;
-    };
-    windowManager = lib.pantheon.mkStrOption;
-  };
-}

modules/nixos/desktop/windowManager.nix

@@ -1,23 +0,0 @@
-{ config, lib, ... }:
-{
-  config = lib.mkMerge [
-    (lib.mkIf (config.desktop.windowManager == "hyprland") {
-      environment.loginShellInit = # sh
-        ''
-          if [[ -z "$SSH_CLIENT" && -z "$SSH_CONNECTION" ]]; then
-            if uwsm check may-start; then
-              exec uwsm start hyprland-uwsm.desktop
-            fi
-          fi
-        '';
-      environment.variables = {
-        ELECTRON_OZONE_PLATFORM_HINT = "auto";
-        NIXOS_OZONE_WL = "1";
-      };
-      programs.hyprland = {
-        enable = true;
-        withUWSM = true;
-      };
-    })
-  ];
-}

modules/nixos/hardware/audio.nix

@@ -1,9 +0,0 @@
-{ config, ... }:
-{
-  config = {
-    services.pipewire = {
-      enable = true;
-      pulse.enable = true;
-    };
-  };
-}

modules/nixos/hardware/btrfs.nix

@@ -1,89 +0,0 @@
-{ lib, config, ... }:
-let
-  cfg = config.hardware.drives.btrfs;
-in
-{
-  config = lib.mkIf (cfg.enable) (
-    lib.mkMerge [
-      {
-        boot.initrd.kernelModules = [ "dm-snapshot" ];
-        disko.devices.disk.main = {
-          device = cfg.drive;
-          type = "disk";
-          content.type = "gpt";
-          content.partitions = {
-            boot.name = "boot";
-            boot.size = "1M";
-            boot.type = "EF02";
-            esp.name = "ESP";
-            esp.size = "500M";
-            esp.type = "EF00";
-            esp.content = {
-              type = "filesystem";
-              format = "vfat";
-              mountpoint = "/boot";
-            };
-            swap.size = "4G";
-            swap.content = {
-              type = "swap";
-              resumeDevice = true;
-            };
-            root.name = "root";
-            root.size = "100%";
-            root.content = {
-              type = "lvm_pv";
-              vg = "root_vg";
-            };
-          };
-        };
-
-        disko.devices.lvm_vg.root_vg = {
-          type = "lvm_vg";
-          lvs.root.size = "100%FREE";
-          lvs.root.content.type = "btrfs";
-          lvs.root.content.extraArgs = [ "-f" ];
-          lvs.root.content.subvolumes = {
-            "/root".mountpoint = "/";
-            "/persist".mountpoint = "/persist";
-            "/persist".mountOptions = [
-              "subvol=persist"
-              "noatime"
-            ];
-            "/nix".mountpoint = "/nix";
-            "/nix".mountOptions = [
-              "subvol=nix"
-              "noatime"
-            ];
-          };
-        };
-      }
-      (lib.mkIf (cfg.ephemeralRoot) {
-        boot.initrd.postDeviceCommands = lib.mkAfter ''
-          	    mkdir /btrfs_tmp
-          	    mount /dev/root_vg/root /btrfs_tmp
-          	    if [[ -e /btrfs_tmp/root ]]; then
-          		mkdir -p /btrfs_tmp/old_roots
-          		timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
-          		mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
-          	    fi
-
-          	    delete_subvolume_recursively() {
-          		IFS=$'\n'
-          		for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-          		    delete_subvolume_recursively "/btrfs_tmp/$i"
-          		done
-          		btrfs subvolume delete "$1"
-          	    }
-
-          	    for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
-          		delete_subvolume_recursively "$i"
-          	    done
-
-          	    btrfs subvolume create /btrfs_tmp/root
-          	    umount /btrfs_tmp
-          	  '';
-        programs.fuse.userAllowOther = true;
-      })
-    ]
-  );
-}

modules/nixos/hardware/cpu.nix

@@ -1,9 +0,0 @@
-{ config, lib, ... }:
-{
-  config = lib.mkMerge [
-    (lib.mkIf (config.hardware.platform == "amd") {
-      hardware.cpu.amd.updateMicrocode = true;
-      boot.kernelModules = [ "kvm-amd" ];
-    })
-  ];
-}

modules/nixos/hardware/default.nix

@@ -1,28 +0,0 @@
-{ lib, ... }:
-{
-  imports = [
-    ./btrfs.nix
-    ./nvidia.nix
-    ./audio.nix
-    ./cpu.nix
-    ./networking.nix
-  ];
-
-  options.hardware = {
-    drives.btrfs = {
-      enable = lib.mkEnableOption "";
-      drive = lib.pantheon.mkStrOption;
-      ephemeralRoot = lib.mkEnableOption "";
-    };
-    gpu = lib.pantheon.mkStrOption;
-    platform = lib.pantheon.mkStrOption;
-  };
-
-  config = {
-    services.fwupd.enable = true;
-    hardware.bluetooth = {
-      enable = true;
-      settings.General.Experimental = true;
-    };
-  };
-}

modules/nixos/hardware/networking.nix

@@ -1,24 +0,0 @@
-{ config, lib, ... }:
-{
-  config = lib.mkMerge [
-    {
-      networking.useDHCP = lib.mkDefault true;
-      networking.hostName = config.system.hostname;
-      networking.networkmanager.enable = true;
-
-      services.openssh = {
-        enable = true;
-        settings = {
-          PrintMotd = true;
-        };
-      };
-
-      services.tailscale = {
-        enable = true;
-        authKeyFile = config.sops.secrets."keys/tailscale".path;
-      };
-      environment.persistence."/persist".files = [ "/var/lib/tailscale/tailscaled.state" ];
-    }
-
-  ];
-}

modules/nixos/hardware/nvidia.nix

@@ -1,28 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-{
-  config = lib.mkIf (config.hardware.gpu == "nvidia") (
-    lib.mkMerge [
-      {
-        #TODO: Setup CUDA
-        hardware.graphics.enable = true;
-        hardware.graphics.extraPackages = with pkgs; [
-          nvidia-vaapi-driver
-        ];
-        services.xserver.videoDrivers = [ "nvidia" ];
-        hardware.nvidia.open = true;
-        hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
-        nixpkgs.config.allowUnfree = true;
-        environment.variables = {
-          LIBVA_DRIVER_NAME = "nvidia";
-          __GLX_VENDOR_LIBRARY_NAME = "nvidia";
-          NVD_BACKEND = "direct";
-        };
-      }
-    ]
-  );
-}

modules/nixos/system/boot.nix

@@ -1,19 +0,0 @@
-{ config, lib, ... }:
-{
-  config = lib.mkMerge [
-    {
-      boot.initrd.availableKernelModules = [
-        "nvme"
-        "xhci_pci"
-        "ahci"
-        "usbhid"
-        "usb_storage"
-        "sd_mod"
-      ];
-      boot.loader.efi.canTouchEfiVariables = true;
-    }
-    (lib.mkIf (config.system.bootloader == "systemd-boot") {
-      boot.loader.systemd-boot.enable = true;
-    })
-  ];
-}

modules/nixos/system/default.nix

@@ -1,21 +0,0 @@
-{ config, lib, ... }:
-{
-  imports = [
-    ./boot.nix
-    ./users.nix
-    ./localisation.nix
-    ./nix-config.nix
-    ./secrets.nix
-  ];
-
-  options.system = {
-    hostname = lib.pantheon.mkStrOption;
-    mainUser.name = lib.pantheon.mkStrOption;
-    mainUser.publicKey = lib.pantheon.mkStrOption;
-    bootloader = lib.pantheon.mkStrOption;
-  };
-
-  config = {
-    system.stateVersion = "25.05"; # Did you read the comment?
-  };
-}

modules/nixos/system/localisation.nix

@@ -1,9 +0,0 @@
-{ config, lib, ... }:
-{
-  config = lib.mkMerge [
-    {
-      time.timeZone = "Asia/Singapore";
-      i18n.defaultLocale = "en_US.UTF-8";
-    }
-  ];
-}

modules/nixos/system/nix-config.nix

@@ -1,16 +0,0 @@
-{ config, ... }:
-{
-  config = {
-    nixpkgs.config.allowUnfree = true;
-
-    nix.settings = {
-      experimental-features = [
-        "nix-command"
-        "flakes"
-        "pipe-operators"
-      ];
-
-      trusted-users = [ "@wheel" ];
-    };
-  };
-}

modules/nixos/system/secrets.nix

@@ -1,11 +0,0 @@
-{ lib, ... }:
-{
-  sops = {
-    defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
-    age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ];
-    secrets = {
-      "keys/tailscale" = { };
-      "rafiq/hashedPassword".neededForUsers = true;
-    };
-  };
-}

modules/nixos/system/users.nix

@@ -1,26 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-{
-  config = lib.mkMerge [
-    {
-      users.mutableUsers = false;
-      users.groups.users = {
-        gid = 100;
-        members = [ "${config.system.mainUser.name}" ];
-      };
-      users.users."${config.system.mainUser.name}" = {
-        linger = true;
-        uid = 1000;
-        isNormalUser = true;
-        hashedPasswordFile = config.sops.secrets."${config.system.mainUser.name}/hashedPassword".path;
-        extraGroups = [ "wheel" ];
-        openssh.authorizedKeys.keys = [ config.system.mainUser.publicKey ];
-      };
-      services.getty.autologinUser = config.system.mainUser.name;
-      security.sudo.wheelNeedsPassword = false;
-    }
-  ];
-}

nix/configurations.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+let
+  inherit (lib) nixosSystem;
+  inherit (inputs.nix-darwin.lib) darwinSystem;
+  inherit (lib.lists) optional;
+  inherit (lib.attrsets) mapAttrs;
+  inherit (cfg.lib.modules) forAllUsers';
+  inherit (config.manifest) hosts;
+  cfg = config.flake;
+  globalCfg = hostName: hostConfig: {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = { inherit hostName hostConfig; };
+    sharedModules = [ cfg.modules.homeManager.default ];
+    users = forAllUsers' (name: _: cfg.modules.homeManager.${name});
+  };
+  mkConfigurations =
+    class: hosts:
+    mapAttrs (
+      name: value:
+      if class == "nixos" then
+        nixosSystem {
+          specialArgs = {
+            inherit (config.flake) self;
+            hostName = name;
+            hostConfig = value;
+          };
+          modules = [
+            cfg.modules.nixos.default
+            inputs.home-manager.nixosModules.home-manager
+            { home-manager = globalCfg name value; }
+            (value.extraCfg or { })
+          ] ++ optional value.graphical cfg.modules.nixos.graphical;
+        }
+      else if class == "darwin" then
+        darwinSystem {
+          specialArgs = {
+            inherit (config.flake) self;
+            hostName = name;
+            hostConfig = value;
+          };
+          modules = [
+            cfg.modules.darwin.default
+            inputs.home-manager.darwinModules.home-manager
+            { home-manager = globalCfg name value; }
+            (value.extraCfg or { })
+          ] ++ optional value.graphical cfg.modules.darwin.graphical;
+        }
+      else
+        { }
+    ) hosts;
+in
+{
+  imports = [ inputs.home-manager.flakeModules.home-manager ];
+  flake.nixosConfigurations = mkConfigurations "nixos" hosts.nixos;
+  flake.darwinConfigurations = mkConfigurations "darwin" hosts.darwin;
+}

nix/files/cheatsheet.nix

@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+let
+  inherit (builtins) concatStringsSep;
+  inherit (lib.lists) singleton;
+in
+{
+  text.cheatsheet = concatStringsSep "\n" [
+    "`__curPos.file` will give the full evaluated path of the nix file it is called in. See [this issue](https://github.com/NixOS/nix/issues/5897#issuecomment-1012165198) for more information."
+  ];
+  perSystem =
+    { pkgs, ... }:
+    {
+      files.files = singleton {
+        path_ = "docs/cheatsheet.md";
+        drv = pkgs.writeText "cheatsheet.md" config.text.cheatsheet;
+      };
+    };
+}

nix/files/gitignore.nix

@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+  perSystem =
+    { pkgs, ... }:
+    {
+      files.files = [
+        {
+          path_ = ".gitignore";
+          drv = pkgs.writeText ".gitignore" config.text.gitignore;
+        }
+      ];
+    };
+}

nix/files/readme.nix

@@ -0,0 +1,54 @@
+{ config, ... }:
+{
+  text.readme = {
+    heading = "Pantheon";
+    description = # markdown
+      ''
+        This flake serves as a monorepo for my systems (using IaC), dotfiles, and scripts.
+        It's hosted at https://git.rrv.sh/rrvsh/pantheon, and mirrored to https://github.com/rrvsh/pantheon.
+      '';
+    order = [
+      "Structure"
+      "Acknowledgements"
+    ];
+    parts."Acknowledgements" = # markdown
+      ''
+        Thanks to the following for inspiring this configuration. I highly recommend you look through their writings and configurations.
+        - [ornicar](https://github.com/ornicar/dotfiles) which is where I first heard of NixOS
+        - [No Boilerplate](https://www.youtube.com/watch?v=CwfKlX3rA6E&pp=0gcJCfwAo7VqN5tD) for making me finally try the OS
+        - [ryan4yin](https://nixos-and-flakes.thiscute.world/) for being an amazing introduction to NixOS, home-manager, and flakes
+        - [NotAShelf](https://github.com/NotAShelf/) for their blog and for the wonderful [NVF](https://github.com/notashelf/nvf)
+        - [mightyiam](https://github.com/mightyiam/infra) for their infrastructure repo using flake-parts
+        - [drupol](https://not-a-number.io/2025/refactoring-my-infrastructure-as-code-configurations/) for this blog post which convinced me to rebase my infra to use flake-parts
+      '';
+    parts."Structure" = # markdown
+      ''
+        The system configurations are defined in [`flake.manifest`](nix/manifest.nix).
+        `manifest.owner` provides the attributes for the administrator user, including username and pubkey.
+        `manifest.hosts` provides the specifications for the system configurations that should be exposed by the flake as nixosConfigurations.
+        `flake.modules.nixos.*` provide NixOS options and configurations.
+        The attribute `flake.modules.nixos.default` provides options that will be applied to every system of that class.
+        You can use it as seen [here](nix/modules/flake/home-manager.nix):
+
+        ```nix
+        flake.modules.nixos.default.imports = [ inputs.home-manager.nixosModules.default ];
+        ```
+
+        The other attributes under `flake.modules.nixos` should be opt-in, i.e. provide options that will be set in the profiles.
+        `flake.profiles.nixos` provides profiles which use the options defined in `flake.modules.nixos` to define different roles for each system, such as graphical, laptop, headless, etc.
+        Options should not be defined here.
+        `flake.contracts.nixos.*` will provide contracts, such as reverse proxies or databases, which will configure options on the provider and receiver host.
+      '';
+  };
+
+  perSystem =
+    { pkgs, ... }:
+    {
+      files.files = [
+        {
+          path_ = "docs/README.md";
+          drv = pkgs.writeText "README.md" config.text.readme;
+        }
+      ];
+    };
+}

nix/flake-parts/files.nix

@@ -0,0 +1,28 @@
+{
+  inputs,
+  withSystem,
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (builtins) map head;
+  inherit (lib.lists) concatStringsSep;
+  mkListEntry = x: "- [" + x.path_ + "](" + x.path_ + ")";
+  listOfGeneratedFiles = withSystem (head config.systems) (psArgs: psArgs.config.files.files);
+in
+{
+  imports = [ inputs.files.flakeModules.default ];
+  perSystem = psArgs: {
+    make-shells.default.packages = [ psArgs.config.files.writer.drv ];
+  };
+  text.readme.parts."Generated Files" = concatStringsSep "\n" (
+    [
+      "This flake uses the [files flake-parts module](https://flake.parts/options/files.html) to generate documentation."
+
+      "The list of generated files are:"
+
+    ]
+    ++ (map mkListEntry listOfGeneratedFiles)
+  );
+}

nix/flake-parts/flake-parts.nix

@@ -0,0 +1,10 @@
+{ inputs, ... }:
+{
+  debug = true;
+  imports = [
+    inputs.make-shell.flakeModules.default
+    inputs.manifest.flakeModules.default
+    inputs.flake-parts.flakeModules.modules
+    inputs.text.flakeModules.default
+  ];
+}

nix/flake-parts/git-hooks.nix

@@ -0,0 +1,24 @@
+{ inputs, ... }:
+{
+  imports = [ inputs.git-hooks.flakeModule ];
+  text.gitignore = ".pre-commit-config.*";
+  perSystem = psArgs: {
+    pre-commit.settings.hooks = {
+      # Nix Linters
+      deadnix.enable = true;
+      statix.enable = true;
+      nil.enable = true;
+      nixfmt-rfc-style.enable = true;
+      # Flake Health Checks
+      flake-checker.enable = true;
+      # Misc
+      mixed-line-endings.enable = true;
+      trim-trailing-whitespace.enable = true;
+      #TODO: figure out vale
+      #TODO: make nix develop work
+      #TODO: add nix flake check
+      #TODO: add write-files
+    };
+    make-shells.default.shellHook = psArgs.config.pre-commit.installationScript;
+  };
+}

nix/homes/rafiq/_nvf/autocomplete.nix

@@ -0,0 +1,25 @@
+{ lib }:
+{
+  blink-cmp = {
+    enable = true;
+    friendly-snippets.enable = true;
+    sourcePlugins.ripgrep.enable = true;
+    setupOpts = {
+      # Disable completion in markdown files
+      # TODO: Disable completion when in comments
+      enabled =
+        lib.generators.mkLuaInline
+          # lua
+          ''
+            function()
+              return not vim.tbl_contains({"markdown"}, vim.bo.filetype)
+                and vim.bo.buftype ~= "prompt"
+                and vim.b.completion ~= false
+            end
+          '';
+      completion.documentation.auto_show_delay_ms = 0;
+      # Show e.g. function parameters
+      signature.enabled = true;
+    };
+  };
+}

nix/homes/rafiq/_nvf/binds.nix

@@ -0,0 +1,3 @@
+{
+  whichKey.enable = true;
+}

nix/homes/rafiq/_nvf/languages.nix

@@ -0,0 +1,36 @@
+{
+  enableExtraDiagnostics = true;
+  enableFormat = true;
+  enableTreesitter = true;
+  bash.enable = true;
+  clang.enable = true;
+  # broken on macos
+  # csharp.enable = true;
+  css.enable = true;
+  go.enable = true;
+  html.enable = true;
+  lua.enable = true;
+  markdown = {
+    enable = true;
+    extensions.markview-nvim.enable = true;
+    format.type = "prettierd";
+  };
+  nix = {
+    enable = true;
+    format.type = "nixfmt";
+    lsp.server = "nil";
+  };
+  python = {
+    enable = true;
+    format.type = "ruff";
+    lsp.server = "pyright";
+  };
+  rust.enable = true;
+  rust.crates.enable = true;
+  tailwind.enable = true;
+  ts.enable = true;
+  ts.extensions.ts-error-translator.enable = true;
+  typst.enable = true;
+  typst.extensions.typst-preview-nvim.enable = true;
+  yaml.enable = true;
+}

nix/homes/rafiq/_nvf/lsp.nix

@@ -0,0 +1,17 @@
+{
+  enable = true;
+  # Show virtual text hints
+  inlayHints.enable = true;
+  lightbulb.enable = true;
+  # Show icons for lsp actions
+  lspkind.enable = true;
+  null-ls.enable = true;
+  otter-nvim = {
+    enable = true;
+    setupOpts = {
+      buffers.set_filetype = true;
+      buffers.write_to_disk = true;
+      handle_leading_whitespace = true;
+    };
+  };
+}

nix/homes/rafiq/_nvf/navigation.nix

@@ -0,0 +1,9 @@
+{
+  harpoon = {
+    enable = true;
+    mappings.listMarks = "<leader>ml";
+    mappings.markFile = "<leader>mm";
+    setupOpts.defaults.save_on_toggle = true;
+    setupOpts.defaults.sync_on_ui_close = true;
+  };
+}

nix/homes/rafiq/_nvf/snippets.nix

@@ -0,0 +1,28 @@
+{ pkgs }:
+{
+  luasnip = {
+    enable = true;
+    setupOpts.enable_autosnippets = true;
+    providers = with pkgs.vimPlugins; [ vim-snippets ];
+    loaders = "require('luasnip.loaders.from_vscode').lazy_load()";
+    customSnippets.snipmate = {
+      nix = [
+        {
+          trigger = "mod";
+          description = "empty module";
+          body = # nix
+            ''
+              {config, lib, ...}:
+              let
+                cfg = config.$1;
+              in
+              {
+                options.$1 = { $2 };
+                config = $3;
+              }
+            '';
+        }
+      ];
+    };
+  };
+}

nix/homes/rafiq/_nvf/statusline.nix

@@ -0,0 +1,10 @@
+{
+  lualine = {
+    enable = true;
+    refresh = {
+      statusline = 10;
+      winbar = 10;
+    };
+    #TODO: rice lualine
+  };
+}

nix/homes/rafiq/_nvf/ui.nix

@@ -0,0 +1,16 @@
+{
+  borders = {
+    enable = true;
+    globalStyle = "rounded";
+  };
+  breadcrumbs.enable = true;
+  # Show color values e.g. #ffffff
+  colorizer.enable = true;
+  # Highlight matching symbols
+  illuminate.enable = true;
+  noice.enable = true;
+  noice.setupOpts.notify.enabled = false;
+  # Make folds look nicer
+  nvim-ufo.enable = true;
+  smartcolumn.enable = true;
+}

nix/homes/rafiq/_nvf/utility.nix

@@ -0,0 +1,11 @@
+{
+  motion.hop.enable = true;
+  yazi-nvim = {
+    enable = true;
+    mappings = {
+      openYazi = "<leader>tt";
+      openYaziDir = "<leader>TT";
+    };
+    setupOpts.open_for_directories = true;
+  };
+}

nix/homes/rafiq/_nvf/visuals.nix

@@ -0,0 +1,7 @@
+{
+  indent-blankline.enable = true;
+  fidget-nvim.enable = true;
+  fidget-nvim.setupOpts.notification.override_vim_notify = true;
+  nvim-web-devicons.enable = true;
+  rainbow-delimiters.enable = true;
+}

nix/homes/rafiq/_scripts/commit.nix

@@ -0,0 +1,71 @@
+{ pkgs, ... }:
+pkgs.writeShellScriptBin "commit" # bash
+  ''
+    if git diff-index --quiet HEAD --; then exit 0; fi
+
+    PROMPT="Please generate a commit message for this diff."
+    GUIDELINES="1. Use conventional commit syntax, following the context. 2. Cap the commit message at 80 characters, preferably less. You must not go beyond this limit. 3. Do not include backticks. Only generate the raw text. 4. Be as succint as possible. Each commit should be atomic. You may throw a warning if it is not."
+    NUM_ANCESTORS=0
+    PUSH=false
+
+    # Parse arguments
+    while [[ $# -gt 0 ]]; do
+      case "$1" in
+        --num-ancestors | -n)
+          NUM_ANCESTORS="$2"
+          shift 2
+          ;;
+        --push | -u)
+          PUSH=true
+          shift
+          ;;
+        *)
+          echo "Unrecognised argument: $1. Exiting..."
+          exit 1
+          ;;
+      esac
+    done
+
+    # Get context and diff
+    CONTEXT=$(git --no-pager log -n 10)
+    DIFF=$(git --no-pager diff HEAD~$NUM_ANCESTORS)
+
+    # Generate initial response
+    RESPONSE=$(aichat "$PROMPT\nGuidelines: $GUIDELINES\nContext from git log:\n$CONTEXT\nDiff from git diff HEAD:\n$DIFF")
+
+    while true; do
+      echo "$RESPONSE"
+      echo
+      echo "Choose an action:"
+      read -p "Options: [y]es, [r]eroll, [e]dit, [q]uit? " -n 1 -r choice
+      echo
+
+      case "$choice" in
+        y | yes)
+          git commit -am "$RESPONSE"
+          echo "Committed successfully."
+          if $PUSH; then
+            git push
+            echo "Pushed successfully."
+          fi
+          exit 0
+          ;;
+        r | reroll)
+          RESPONSE=$(aichat "$PROMPT\nGuidelines: $GUIDELINES\nContext from git log:\n$CONTEXT\nDiff from git diff HEAD:\n$DIFF")
+          ;;
+        e | edit)
+          echo "$RESPONSE" > /tmp/commit_msg.txt
+          "$EDITOR" /tmp/commit_msg.txt
+          RESPONSE=$(cat /tmp/commit_msg.txt)
+          rm /tmp/commit_msg.txt
+          ;;
+        q | quit | "")
+          echo "Aborted."
+          exit 1
+          ;;
+        *)
+          echo "Invalid choice. Please choose again."
+          ;;
+      esac
+    done
+  ''

nix/homes/rafiq/_scripts/edit.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+let
+  finder = "${pkgs.fzf}/bin/fzf --preview 'cat {}'";
+in
+pkgs.writeShellScriptBin "edit" # sh
+  ''
+    if [ $# -gt 0 ]; then
+      $EDITOR $(${finder} -q $*)
+    else
+      $EDITOR $(${finder})
+    fi
+  ''

nix/homes/rafiq/_scripts/note.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+pkgs.writeShellScriptBin "note" # bash
+  ''
+    zk edit -i
+    pushd ~/notebook > /dev/null
+    git add .
+    commit -u
+    popd > /dev/null
+  ''

nix/homes/rafiq/_scripts/rebuild.nix

@@ -0,0 +1,148 @@
+{ pkgs }:
+let
+  inherit (pkgs.lib) getExe;
+in
+pkgs.writeShellScriptBin "rebuild" # sh
+  ''
+    QUICK=false
+    NO_GENERATION_CHECK=false
+    TEST_SHELL=false
+    REMOTE_HOSTS=()
+    REBUILDING_ALL=false
+    # ANSI color codes
+    GREEN='\033[0;32m'
+    ORANGE='\033[0;33m'
+    RED='\033[0;31m'
+    NC='\033[0m'
+
+    info() {
+      timestamp=$(date "+%Y-%m-%d %H:%M:%S")
+      echo -e "''${GREEN}''${timestamp} INFO: $1''${NC}"
+    }
+
+    warn() {
+      timestamp=$(date "+%Y-%m-%d %H:%M:%S")
+      echo -e "''${ORANGE}''${timestamp} WARN: $1''${NC}"
+    }
+
+    err() {
+      timestamp=$(date "+%Y-%m-%d %H:%M:%S")
+      echo -e "''${RED}''${timestamp} ERROR: $1''${NC}"
+    }
+
+    prompt() {
+      local PROMPT="$1"
+      shift
+      read -p "$PROMPT? (y/n) [n]: " -n 1 -r REPLY
+      echo
+      if [[ "$REPLY" =~ ^[Yy]$ ]]; then
+          "$*"
+      else
+          info "$PROMPT aborted."
+      fi
+    }
+
+    spawn_test_shell() {
+      info "Spawning test shell on $1..."
+      (export PS1="Test shell> "
+      exec ${pkgs.bash}/bin/bash ssh "$1") || {
+        ${pkgs.cowsay}/bin/cowsay "You aborted."
+        exit 1
+      }
+    }
+
+    rebuild_remote() {
+      local args=(".#nixosConfigurations.$1" "--target-host" "$1")
+      local CURRENT_GENERATION=$(ssh "$1" readlink /nix/var/nix/profiles/system | cut -d- -f2)
+
+      if "$TEST_SHELL"; then
+        info "Testing $1..."
+        ${getExe pkgs.nh} os test "''${args[@]}" || exit 1
+        git diff HEAD --color=always --stat --patch
+        spawn_test_shell "$1"
+        info "Rebuilding $1..."
+        ${getExe pkgs.nh} os boot "''${args[@]}" || exit 1
+      else
+        info "Rebuilding $1 on $HOSTNAME..."
+        ${getExe pkgs.nh} os switch "''${args[@]}" || exit 1
+      fi
+
+      if ! "$NO_GENERATION_CHECK"; then
+        local NEW_GENERATION=$(ssh "$1" readlink /nix/var/nix/profiles/system | cut -d- -f2)
+        info "$1 - New generation is $NEW_GENERATION. Current is $CURRENT_GENERATION."
+        if [ ! $NEW_GENERATION -gt $CURRENT_GENERATION ]; then
+          warn "New config was not added to bootloader."
+        fi
+      fi
+    }
+
+    info "Starting rebuild script."
+
+    if [ ! -f "flake.nix" ]; then
+      err "flake.nix not found in the current directory. Exiting."
+      exit 1  # Indicate an error
+    fi
+
+    while [[ $# -gt 0 ]]; do
+      case "$1" in
+        --quick | -q)
+          QUICK=true
+          shift
+          ;;
+        --no-generation-check | -n)
+          NO_GENERATION_CHECK=true
+          shift
+          ;;
+        --test-shell | -t)
+          TEST_SHELL=true
+          shift
+          ;;
+        --all | -a)
+          reachable_hosts=()
+          hostnames=$(nix flake show --all-systems --json | , jq -r '.nixosConfigurations | keys | .[]')
+          for host in ''${hostnames[@]}; do
+            info "Checking if $host is reachable..."
+            if ping -c 1 -W 1 "$host" > /dev/null 2>&1 ; then
+              info "$host is reachable."
+              reachable_hosts+=("$host")
+            else
+              warn "$host is unreachable."
+            fi
+          done
+          REMOTE_HOSTS=(''${reachable_hosts[@]})
+          REBUILDING_ALL=true
+          shift
+          ;;
+        *)
+          if [ !REBUILDING_ALL ]; then
+            if ping -c 1 -W 1 "$1" > /dev/null 2>&1 ; then
+              REMOTE_HOSTS+=("$1")
+            else
+              err "$1 is unreachable. Exiting."
+              exit 1
+            fi
+          fi
+          shift
+          ;;
+      esac
+    done
+
+    if [ ''${#REMOTE_HOSTS[@]} == 0 ]; then
+      info "No hostnames provided."
+      REMOTE_HOSTS=("$HOSTNAME")
+    fi
+
+    git add .
+
+    for host in "''${REMOTE_HOSTS[@]}"; do
+      rebuild_remote $host
+    done
+
+    if ! "$QUICK"; then
+      prompt "Commit changes" commit
+      prompt "Reboot system" sudo systemctl reboot
+    fi
+
+    info "Rebuild script completed successfully."
+    exit 0
+  ''

nix/homes/rafiq/darwin.nix

@@ -0,0 +1,21 @@
+{ lib, ... }:
+let
+  inherit (lib.modules) mkIf;
+in
+{
+  flake.modules.homeManager.rafiq =
+    {
+      pkgs,
+      config,
+      hostName,
+      hostConfig,
+      ...
+    }:
+    mkIf (pkgs.system == "aarch64-darwin" || pkgs.system == "x86_64-darwin") {
+      home.file."Library/Application Support/aichat/config.yaml".text = ''
+        model: gemini:gemini-2.0-flash
+        clients:
+        - type: gemini
+      '';
+    };
+}

nix/homes/rafiq/default.nix

@@ -0,0 +1,146 @@
+{ lib, inputs, ... }:
+let
+  inherit (lib.strings) concatStrings;
+in
+{
+  flake.modules.homeManager.rafiq =
+    { pkgs, ... }:
+    {
+      imports = [
+        inputs.nvf.homeManagerModules.default
+        inputs.nix-index-database.hmModules.nix-index
+      ];
+      persistDirs = [
+        ".local/share/zoxide"
+        "notebook"
+      ];
+      xdg.configFile."aichat/config.yaml".text = ''
+        model: gemini:gemini-2.0-flash
+        clients:
+        - type: gemini
+      '';
+      home = {
+        sessionVariables = {
+          EDITOR = "nvim";
+          FETCH = "hyfetch";
+          FILE_BROWSER = "yazi";
+          SHELL = "fish";
+        };
+        shellAliases = {
+          fetch = "hyfetch";
+          windows = "sudo systemctl reboot --boot-loader-entry=auto-windows";
+          v = "$EDITOR";
+          e = "edit";
+          cd = "z"; # zoxide
+          ai = "aichat -r %shell% -e";
+        };
+        packages = with pkgs; [
+          fastfetch
+          ripgrep
+          aichat
+          (import ./_scripts/edit.nix { inherit pkgs; })
+          (import ./_scripts/commit.nix { inherit pkgs; })
+          (import ./_scripts/note.nix { inherit pkgs; })
+          (import ./_scripts/rebuild.nix { inherit pkgs; })
+        ];
+      };
+      programs = {
+        mise.enable = true;
+        nvf.enable = true;
+        nvf.settings.vim = {
+          syntaxHighlighting = true;
+          hideSearchHighlight = true;
+          searchCase = "ignore";
+          undoFile.enable = true;
+          telescope.enable = true;
+          fzf-lua.enable = true;
+          git.enable = true;
+          autopairs.nvim-autopairs.enable = true;
+          autocomplete = import ./_nvf/autocomplete.nix { inherit lib; };
+          binds = import ./_nvf/binds.nix;
+          languages = import ./_nvf/languages.nix;
+          lsp = import ./_nvf/lsp.nix;
+          navigation = import ./_nvf/navigation.nix;
+          notes.todo-comments.enable = true;
+          options = {
+            autoindent = true;
+            backspace = "indent,eol,start";
+            cursorline = true;
+            expandtab = true;
+            shiftwidth = 2;
+            smartindent = true;
+            tabstop = 2;
+          };
+          snippets = import ./_nvf/snippets.nix { inherit pkgs; };
+          statusline = import ./_nvf/statusline.nix;
+          treesitter = {
+            autotagHtml = true;
+            fold = true;
+            indent.disable = [ "markdown" ];
+            textobjects.enable = true;
+          };
+          ui = import ./_nvf/ui.nix;
+          utility = import ./_nvf/utility.nix;
+          visuals = import ./_nvf/visuals.nix;
+        };
+        zk = {
+          enable = true;
+          settings.notebook.dir = "~/notebook";
+        };
+        hyfetch = {
+          enable = true;
+          settings = {
+            preset = "bisexual";
+            mode = "rgb";
+            light_dark = "dark";
+            lightness = 0.5;
+            color_align = {
+              # Flag color alignment
+              mode = "horizontal";
+              fore_back = null;
+            };
+            backend = "fastfetch";
+          };
+        };
+
+        tealdeer.enable = true;
+        tealdeer.enableAutoUpdates = true;
+        direnv = {
+          enable = true;
+          nix-direnv.enable = true;
+        };
+        zoxide.enable = true;
+        nix-index.enable = true;
+        nix-index-database.comma.enable = true;
+        fzf.enable = true;
+        fzf.enableZshIntegration = true;
+        yazi = {
+          enable = true;
+          shellWrapperName = "t";
+          settings.mgr.sort_by = "natural";
+        };
+        fish.enable = true;
+        starship = {
+          enable = true;
+          settings = {
+            add_newline = false;
+            format = concatStrings [
+              # First Line
+              ## Left Prompt
+              "$hostname$directory"
+              "$fill"
+              ## Right Prompt
+              "$all"
+              # Second Line
+              ## Left Prompt
+              "$character"
+            ];
+            git_branch.format = "[$symbol$branch(:$remote_branch)]($style) ";
+            shlvl.disabled = false;
+            username.disabled = true;
+            fill.symbol = " ";
+          };
+        };
+      };
+    };
+}

nix/homes/rafiq/desktop/_hyprland/decoration.nix

@@ -0,0 +1,14 @@
+{
+  animation = [ "workspaces, 1, 1, default" ];
+  general = {
+    border_size = 2;
+    gaps_in = 0;
+    gaps_out = 0;
+    resize_on_border = true;
+  };
+  decoration = {
+    rounding = 10;
+    rounding_power = 2;
+    inactive_opacity = 0.9;
+  };
+}

nix/homes/rafiq/desktop/_hyprland/keybinds.nix

@@ -0,0 +1,56 @@
+{ pkgs, ... }:
+{
+  "$hypr" = "CTRL_SUPER_ALT_SHIFT";
+  "$meh" = "CONTROL_SHIFT_ALT";
+  bind = [
+    "$hypr, Q, exec, uwsm stop"
+    "SUPER, W, killactive"
+
+    "SUPER, return, exec, uwsm app -- $TERMINAL"
+    "SUPER, O, exec, uwsm app -- $BROWSER"
+    "SUPER, Escape, exec, uwsm app -- $LOCKSCREEN"
+    #TODO:add file browser
+
+    #TODO: make it directional
+    "SUPER, H, cyclenext, visible"
+    "SUPER, L, cyclenext, visible prev"
+    "SUPER_ALT, H, movewindow, l"
+    "SUPER_ALT, J, movewindow, d"
+    "SUPER_ALT, K, movewindow, u"
+    "SUPER_ALT, L, movewindow, r"
+    "ALT_SHIFT, H, resizeactive, -10% 0"
+    "ALT_SHIFT, J, resizeactive, 0 -10%"
+    "ALT_SHIFT, K, resizeactive, 0 10%"
+    "ALT_SHIFT, L, resizeactive, 10% 0"
+    "SUPER_CTRL, H, workspace, r-1"
+    "SUPER_CTRL, L, workspace, r+1"
+    "$hypr, H, movetoworkspace, r-1"
+    "$hypr, L, movetoworkspace, r+1"
+
+    "$hypr, V, togglefloating"
+  ];
+
+  bindr = [
+    # Activates on SUPER without any other modifier
+    "SUPER, Super_L, exec, uwsm app -- $($LAUNCHER --launch-prefix=\"uwsm app -- \")"
+  ];
+
+  bindle = [
+    "SUPER, 6, exec, ${pkgs.wireplumber}/bin/wpctl set-volume -l 1.5 @DEFAULT_AUDIO_SINK@ 5%-"
+    "SUPER, 7, exec, ${pkgs.playerctl}/bin/playerctl previous"
+    "SUPER, 8, exec, ${pkgs.playerctl}/bin/playerctl -a play-pause"
+    "SUPER, 9, exec, ${pkgs.playerctl}/bin/playerctl next"
+    "SUPER, 0, exec, ${pkgs.wireplumber}/bin/wpctl set-volume -l 1.5 @DEFAULT_AUDIO_SINK@ 5%+"
+
+    "ALT, mouse_up, resizeactive, 10% 10%"
+    "ALT, mouse_down, resizeactive, -10% -10%"
+  ];
+
+  bindm = [
+    "ALT, mouse:272, movewindow"
+    "ALT, mouse:273, resizeactive"
+  ];
+  bindc = [
+    "ALT, mouse:272, togglefloating"
+  ];
+}

nix/homes/rafiq/desktop/darwin.nix

@@ -0,0 +1,37 @@
+{ config, ... }:
+let
+  inherit (config.manifest) admin;
+in
+{
+  flake.modules.darwin.graphical.homebrew = {
+    enable = true;
+    user = admin.username;
+    onActivation.cleanup = "uninstall";
+    brews = [
+      "mise"
+      "docker"
+    ];
+    casks = [
+      "ghostty"
+      "slack"
+      "gitify"
+      "telegram"
+      "vial"
+      "linear-linear"
+      "chatgpt"
+    ];
+  };
+  flake.modules.homeManager.rafiq = {
+    # make sure brew is on the path for M1
+    programs.zsh.initContent = ''
+      if [[ $(uname -m) == 'arm64' ]]; then
+        eval "$(/opt/homebrew/bin/brew shellenv)"
+      fi
+    '';
+    programs.fish.shellInit = ''
+      if test (uname -m) = "arm64"
+        eval (/opt/homebrew/bin/brew shellenv)
+      end
+    '';
+  };
+}

nix/homes/rafiq/desktop/default.nix

@@ -0,0 +1,61 @@
+{ lib, inputs, ... }:
+{
+  flake.modules.homeManager.rafiq =
+    { pkgs, config, ... }:
+    let
+      inherit (lib.modules) mkIf;
+      inherit (builtins) map listToAttrs;
+      inherit (lib.lists) findFirstIndex;
+      inherit (inputs.nur.legacyPackages.${pkgs.stdenv.hostPlatform.system}.repos.rycee) firefox-addons;
+      profiles = listToAttrs (
+        map (name: {
+          inherit name;
+          # If there are duplicate profile names, findFirstIndex will cause issues.
+          value = profileCfg (findFirstIndex (x: x == name) null syncedProfiles);
+        }) syncedProfiles
+      );
+      syncedProfiles = [
+        "rafiq"
+        "test"
+      ];
+      profileCfg = id: {
+        inherit id;
+        settings."extensions.autoDisableScopes" = 0; # Auto enable extensions
+        extensions = {
+          force = true;
+          packages = with firefox-addons; [
+            darkreader
+            gesturefy
+            sponsorblock
+            ublock-origin
+          ];
+        };
+      };
+    in
+    mkIf config.graphical {
+      stylix = {
+        image = ./wallpaper.png;
+        targets = {
+          firefox.colorTheme.enable = true;
+          firefox.profileNames = syncedProfiles;
+        };
+      };
+      home = {
+        sessionVariables = {
+          BROWSER = "firefox";
+          TERMINAL = "ghostty";
+        };
+      };
+      programs = {
+        vesktop.enable = true;
+        thunderbird.enable = true;
+        thunderbird.profiles.rafiq.isDefault = true;
+        # ghostty is broken on nix-darwin
+        ghostty.settings.confirm-close-surface = false;
+        firefox = {
+          enable = true;
+          inherit profiles;
+        };
+      };
+    };
+}

nix/homes/rafiq/desktop/nixos.nix

@@ -0,0 +1,232 @@
+{ lib, config, ... }:
+let
+  inherit (config.manifest) admin;
+in
+{
+  allowedUnfreePackages = [
+    "stremio-shell"
+    "stremio-server"
+    "steam"
+    "steam-unwrapped"
+  ];
+  flake.modules.nixos.graphical =
+    { config, pkgs, ... }:
+    {
+      fonts.packages = [ pkgs.font-awesome ];
+      services.getty.autologinUser = admin.username;
+      # Start Hyprland at boot only if not connecting through SSH
+      environment.loginShellInit = # sh
+        ''
+          if [[ -z "$SSH_CLIENT" && -z "$SSH_CONNECTION" ]]; then
+            if uwsm check may-start; then
+              exec uwsm start hyprland-uwsm.desktop
+            fi
+          fi
+        '';
+      environment.variables = {
+        # Get Electron apps to use Wayland
+        ELECTRON_OZONE_PLATFORM_HINT = "auto";
+        NIXOS_OZONE_WL = "1";
+      };
+      programs = {
+        hyprland = {
+          enable = true;
+          # Use UWSM to have each process controlled by systemd init
+          withUWSM = true;
+        };
+        steam = {
+          enable = true;
+          gamescopeSession.enable = true;
+        };
+      };
+      security.pam.services.hyprlock = { };
+      services.sunshine = {
+        enable = true;
+        capSysAdmin = true;
+        openFirewall = true;
+        settings = {
+          sunshine_name = config.networking.hostName;
+          origin_pin_allowed = "wan";
+          origin_web_ui_allowed = "wan";
+        };
+        applications = { };
+      };
+      # spotifyd
+      networking.firewall.allowedTCPPorts = [ 5353 ];
+      networking.firewall.allowedUDPPorts = [ 5353 ];
+    };
+  flake.modules.homeManager.rafiq =
+    {
+      pkgs,
+      config,
+      hostName,
+      hostConfig,
+      ...
+    }:
+    let
+      inherit (lib.modules) mkMerge mkIf;
+    in
+    mkIf (config.graphical && pkgs.system == "x86_64-linux") {
+      stylix.targets.waybar.addCss = false;
+      persistDirs = [
+        "docs"
+        "repos"
+        "vids"
+        "tmp"
+        ".cache/Smart Code ltd/Stremio"
+        ".local/share/Smart Code ltd/Stremio"
+        ".mozilla/firefox"
+        ".tor project"
+        ".local/share/Steam"
+        ".local/share/PrismLauncher"
+        ".config/sunshine"
+      ];
+      home = {
+        packages = with pkgs; [
+          wl-clipboard-rs
+          stremio
+          tor-browser
+          vlc
+          prismlauncher
+        ];
+        sessionVariables = {
+          LAUNCHER = "fuzzel";
+          LOCKSCREEN = "hyprlock";
+          NOTIFICATION_DAEMON = "mako";
+          STATUS_BAR = "waybar";
+        };
+      };
+      # xdg.configFile."uwsm/env".text = # sh
+      #   ''
+      #     # Force apps to scale right with Wayland
+      #     export GDK_SCALE=${mainMonitor.scale}
+      #     export STEAM_FORCE_DESKTOPUI_SCALING=${mainMonitor.scale}
+      #   '';
+      # xdg.configFile."uwsm/env-hyprland".text = # sh
+      #   ''
+      #     export GDK_SCALE=${mainMonitor.scale}
+      #     export STEAM_FORCE_DESKTOPUI_SCALING=${mainMonitor.scale}
+      #   '';
+      wayland.windowManager.hyprland = {
+        enable = true;
+        # This is needed for UWSM
+        systemd.enable = false;
+        # Null the packages since we use them system wide
+        package = null;
+        portalPackage = null;
+        settings = mkMerge [
+          (import ./_hyprland/decoration.nix)
+          (import ./_hyprland/keybinds.nix { inherit pkgs; })
+          {
+            ecosystem.no_update_news = true;
+            xwayland.force_zero_scaling = true;
+            monitor =
+              let
+                mainMonitor = hostConfig.machine.monitors.main;
+              in
+              [
+                "${mainMonitor.id}, ${mainMonitor.resolution}@${mainMonitor.refresh-rate}, auto, ${mainMonitor.scale}"
+                ", preferred, auto, 1"
+              ];
+            exec-once = [
+              "uwsm app -- $LOCKSCREEN"
+              "uwsm app -- $NOTIFICATION_DAEMON"
+              "uwsm app -- $STATUS_BAR"
+            ];
+          }
+        ];
+      };
+      services = {
+        spotifyd.enable = true;
+        spotifyd.settings.global = {
+          device_name = "${hostName}";
+          device_type = "computer";
+          zeroconf_port = 5353;
+        };
+        mako.enable = true;
+        mako.settings.default-timeout = 10000;
+      };
+      programs = {
+        obs-studio.enable = true;
+        fuzzel.enable = true;
+        ghostty.enable = true;
+        waybar = {
+          enable = true;
+          settings = [
+            {
+              layer = "top";
+              modules-left = [
+                "pulseaudio"
+              ];
+              modules-right = [
+                "battery"
+                "clock"
+              ];
+              "pulseaudio" = {
+                format = "{icon} {volume}%";
+                format-muted = "";
+                format-icons.default = [
+                  ""
+                  ""
+                ];
+                on-click = "${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";
+              };
+              "clock" = {
+                interval = 1;
+                format = "{:%F %T}";
+              };
+              "battery" = {
+                interval = 1;
+                bat-compatibility = true;
+              };
+            }
+          ];
+          style = # css
+            ''
+              window#waybar {
+                background-color: rgba(0, 0, 0, 0);
+              }
+
+              #pulseaudio,
+              #battery,
+              #clock {
+                padding-top: 5px;
+                padding-bottom: 5px;
+                padding-right: 5px;
+                color: #ffffff;
+              }
+            '';
+        };
+        hyprlock = {
+          enable = true;
+          settings = {
+            general.hide_cursor = true;
+            general.ignore_empty_input = true;
+            background.blur_passes = 5;
+            background.blur_size = 5;
+            label = {
+              text = ''hi, $USER.'';
+              font_size = 32;
+              position = "0, 0";
+              halign = "center";
+              valign = "center";
+              zindex = 1;
+              shadow_passes = 5;
+              shadow_size = 5;
+            };
+            input-field = {
+              placeholder_text = "";
+              fade_on_empty = true;
+              size = "200, 45";
+              position = "0, -5%";
+              halign = "center";
+              valign = "center";
+              zindex = 1;
+              shadow_passes = 5;
+              shadow_size = 5;
+            };
+          };
+        };
+      };
+    };
+}

nix/homes/rafiq/git.nix

@@ -1,22 +1,18 @@
-{ config, ... }:
 {
-  config = {
-    home.sessionVariables.GIT_CONFIG_GLOBAL = "$HOME/.config/git/config";
+  flake.modules.homeManager.rafiq = {
     home.shellAliases = {
       gs = "git status";
       gc = "git commit";
       gcam = "git commit -am";
       gu = "git push";
       gy = "git pull";
+      gdh = "git diff HEAD";
     };
     programs.git = {
       enable = true;
-      userName = config.cli.git.name;
-      userEmail = config.cli.git.email;
-      signing.key = "~/.ssh/id_ed25519.pub";
       signing.signByDefault = true;
       extraConfig = {
-        init.defaultBranch = config.cli.git.defaultBranch;
+        init.defaultBranch = "prime";
         push.autoSetupRemote = true;
         pull.rebase = false;
         core.editor = "$EDITOR";

nix/lib/attrsets.nix

@@ -0,0 +1,54 @@
+{ lib, ... }:
+let
+  inherit (builtins) attrNames head;
+  inherit (lib.trivial) pipe;
+  inherit (lib.attrsets) filterAttrs;
+in
+{
+  flake.lib.attrsets = {
+    /**
+      `firstAttrNameMatching pred set` filters an attribute set `set` based on a predicate `pred`
+      and returns the *first* attribute name that satisfies the predicate.
+
+      # Example
+
+      ```nix
+      let
+        mySet = {
+          a = { value = 1; };
+          b = { value = 2; };
+          c = { value = 3; };
+        };
+
+        isGreaterThanOne = name: value: value.value > 1;
+
+        result = firstAttrNameMatching isGreaterThanOne mySet;
+
+      in
+        result
+      # Output: "b"
+      ```
+
+      # Type
+
+      ```
+      firstAttrNameMatching :: (String -> Any -> Bool) -> AttrSet -> String
+      ```
+
+      # Arguments
+
+      pred
+      : A function that takes an attribute name and its value and returns a boolean.
+
+      set
+      : The attribute set to filter.
+    */
+    firstAttrNameMatching =
+      pred: set:
+      pipe set [
+        (filterAttrs pred)
+        attrNames
+        head
+      ];
+  };
+}

nix/lib/lists.nix

@@ -0,0 +1,13 @@
+let
+  inherit (builtins) length tail;
+in
+{
+  flake.lib.lists = rec {
+    shortenList =
+      count: list:
+      let
+        len = length list;
+      in
+      if len <= count then list else (shortenList count (tail list));
+  };
+}

nix/lib/modules.nix

@@ -0,0 +1,100 @@
+{ lib, config, ... }:
+let
+  inherit (builtins) foldl' attrNames;
+  inherit (lib.attrsets) mapAttrs;
+in
+{
+  flake.lib.modules = {
+    /**
+      Fold over the users list and create an attribute set.
+
+      # Inputs
+
+      `f`
+
+      : A function that takes the name of a user and returns an attribute set.
+
+      # Type
+
+      ```
+      userListToAttrs :: (String -> AttrSet) -> AttrSet
+      ```
+
+      # Examples
+      :::{.example}
+      ## `userListToAttrs` usage example
+
+      ```nix
+      flake.manifest.users.rafiq = { ... };
+      flake.modules.homeManager.users = userListToAttrs (name: {
+        ${name}.home.username = name;
+      });
+      => flake.modules.homeManager.default.users.rafiq.home.username = "rafiq";
+      ```
+
+      :::
+    */
+    userListToAttrs = f: foldl' (acc: elem: acc // (f elem)) { } (attrNames config.manifest.users);
+    /**
+      Return an attribute set for use with a option that needs to be used for all users.
+
+      # Inputs
+
+      `attrset`
+
+      : An attribute set to apply to all the users.
+
+      # Type
+
+      ```
+      forAllUsers :: AttrSet -> AttrSet
+      ```
+
+      # Examples
+      :::{.example}
+      ## `forAllUsers` usage example
+
+      ```nix
+      flake.manifest.users.rafiq = { ... };
+      flake.modules.nixos.default.users = forAllUsers {
+        isNormalUser = true;
+      };
+      => flake.modules.nixos.default.users.rafiq.isNormalUser = true;
+      ```
+
+      :::
+    */
+    forAllUsers = attrset: mapAttrs (_: _: attrset) config.manifest.users;
+
+    /**
+      Like forAllUsers, but passes in the name and value from the manifest.
+
+      # Inputs
+
+      `f`
+
+      : A function that takes an attribute name and its value, and returns the new value for the attribute.
+
+      # Type
+
+      ```
+      forAllUsers' :: (String -> Any -> Any) -> AttrSet
+      ```
+
+      # Examples
+      :::{.example}
+      ## `forAllUsers'` usage example
+
+      ```nix
+      flake.manifest.users.rafiq = { ... };
+      flake.modules.homeManager.users = forAllUsers' (name: value: {
+        home.username = name;
+      });
+      => flake.modules.homeManager.default.users.rafiq.home.username = "rafiq";
+      ```
+
+      :::
+    */
+    forAllUsers' = f: mapAttrs f config.manifest.users;
+  };
+}

nix/lib/options.nix

@@ -0,0 +1,45 @@
+{ lib, ... }:
+let
+  inherit (lib.options) mkOption;
+  inherit (lib.types)
+    str
+    path
+    int
+    port
+    attrs
+    ;
+in
+{
+  flake.lib.options = {
+    mkStrOption =
+      default:
+      mkOption {
+        inherit default;
+        type = str;
+      };
+    mkAttrOption =
+      default:
+      mkOption {
+        inherit default;
+        type = attrs;
+      };
+    mkIntOption =
+      default:
+      mkOption {
+        inherit default;
+        type = int;
+      };
+    mkPortOption =
+      default:
+      mkOption {
+        type = port;
+        inherit default;
+      };
+    mkPathOption =
+      default:
+      mkOption {
+        type = path;
+        inherit default;
+      };
+  };
+}

nix/lib/services.nix

@@ -0,0 +1,69 @@
+{ config, lib, ... }:
+let
+  inherit (builtins) length concatStringsSep;
+  inherit (lib.options) mkEnableOption;
+  inherit (lib.strings) splitString;
+  inherit (lib.lists) singleton;
+  inherit (lib.modules) mkMerge mkIf;
+  inherit (cfg.lib.options) mkStrOption mkPortOption mkAttrOption;
+  inherit (cfg.lib.lists) shortenList;
+  cfg = config.flake;
+in
+{
+  flake.lib.services = rec {
+    splitDomain = domain: splitString "." domain;
+    isRootDomain = domain: length (splitDomain domain) <= 2;
+    mkRootDomain = domain: concatStringsSep "." (shortenList 2 (splitDomain domain));
+    mkWildcardDomain = rootDomain: concatStringsSep "." ((singleton "*") ++ (splitDomain rootDomain));
+    mkHost = domain: if isRootDomain domain then domain else mkWildcardDomain (mkRootDomain domain);
+    mkWebApp =
+      {
+        config,
+        name,
+        defaultPort,
+        persistDirs ? [ ],
+        extraOptions ? { },
+        extraConfig ? { },
+      }:
+      let
+        cfg = config.server.web-apps.${name};
+        networkingConfig =
+          {
+            config,
+            cfg,
+            name,
+          }:
+          mkIf (cfg.domain != "") {
+            assertions = singleton {
+              assertion = config.server.web-servers.nginx.enable;
+              message = "You must enable a web server if you want to set server.web-apps.${name}.domain.";
+            };
+            server.ddns.domains = singleton (mkRootDomain cfg.domain);
+            server.web-servers.nginx.proxies = singleton {
+              source = cfg.domain;
+              target = "http://${config.networking.hostName}:${toString cfg.port}";
+            };
+          };
+
+      in
+      {
+        options.server.web-apps.${name} = {
+          enable = mkEnableOption "";
+          port = mkPortOption defaultPort;
+          domain = mkStrOption "";
+          openFirewall = mkEnableOption "";
+          extraCfg = mkAttrOption { };
+        } // extraOptions;
+
+        config = mkIf cfg.enable (mkMerge [
+          {
+            inherit persistDirs;
+            networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = singleton cfg.port; };
+          }
+          (networkingConfig { inherit config cfg name; })
+          extraConfig
+        ]);
+      };
+
+  };
+}

nix/manifest.nix

@@ -0,0 +1,104 @@
+{
+  manifest = {
+    users.rafiq = {
+      primary = true;
+      name = "Mohammad Rafiq";
+      email = "rafiq@rrv.sh";
+      shell = "fish";
+      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n rafiq";
+    };
+    hosts = {
+      darwin = {
+        venus = {
+          graphical = true;
+          machine.platform = "intel";
+        };
+        hephaestus = {
+          graphical = true;
+          machine.platform = "apple-silicon";
+        };
+      };
+      nixos = {
+        nemesis = {
+          graphical = true;
+          machine = {
+            platform = "amd";
+            gpu = "nvidia";
+            root.drive = "/dev/disk/by-id/nvme-CT2000P3SSD8_2325E6E77434";
+            monitors.main = {
+              id = "desc:OOO AN-270W04K";
+              resolution = "3840x2160";
+              refresh-rate = "60";
+              scale = "2";
+            };
+          };
+          extraCfg = {
+            machine = {
+              bluetooth.enable = true;
+              usb.automount = true;
+              usb.qmk.enable = true;
+              virtualisation = {
+                podman.enable = true;
+                podman.distrobox.enable = true;
+              };
+            };
+            server.web-apps = {
+              comfy-ui.enable = true;
+              sd-webui-forge.enable = true;
+            };
+          };
+        };
+        apollo = {
+          graphical = false;
+          machine = {
+            platform = "intel";
+            root.drive = "/dev/disk/by-id/nvme-eui.002538d221b47b01";
+          };
+          extraCfg.server = {
+            ddns = {
+              enable = true;
+              domains = [
+                "aenyrathia.wiki"
+                "slayment.com"
+              ];
+            };
+            web-servers = {
+              enableSSL = true;
+              nginx = {
+                enable = true;
+                proxies = [
+                  {
+                    source = "aenyrathia.wiki";
+                    target = "http://helios:5896";
+                  }
+                  {
+                    source = "il.bwfiq.com";
+                    target = "http://helios:2283";
+                  }
+                ];
+              };
+            };
+            databases = {
+              mongodb.enable = true;
+              mysql.enable = true;
+              postgresql.enable = true;
+            };
+            web-apps = {
+              librechat = {
+                enable = true;
+                domain = "chat.bwfiq.com";
+              };
+              forgejo = {
+                enable = true;
+                domain = "git.rrv.sh";
+                openFirewall = true;
+              };
+              rrv-sh.enable = true;
+              rrv-sh.domain = "rrv.sh";
+            };
+          };
+        };
+      };
+    };
+  };
+}

nix/meta.nix

@@ -0,0 +1,31 @@
+{
+  lib,
+  config,
+  inputs,
+  ...
+}:
+let
+  inherit (lib.options) mkOption;
+  inherit (lib.types) path lazyAttrsOf raw;
+  inherit (inputs.flake-parts.lib) mkSubmoduleOptions;
+  cfg = config.flake;
+in
+{
+  options.flake = mkSubmoduleOptions {
+    self = mkOption { type = raw; };
+    lib = mkOption {
+      type = lazyAttrsOf raw;
+      default = { };
+    };
+    paths = {
+      root = mkOption { type = path; };
+      secrets = mkOption {
+        type = path;
+        readOnly = true;
+      };
+    };
+  };
+  config.flake = {
+    paths.secrets = cfg.paths.root + "/secrets";
+  };
+}

nix/modules/cli/git.nix

@@ -0,0 +1,17 @@
+{ config, ... }:
+let
+  inherit (config.manifest) users;
+in
+{
+  flake.modules.homeManager.default =
+    { config, ... }:
+    {
+      home.sessionVariables.GIT_CONFIG_GLOBAL = "$HOME/.config/git/config";
+      programs.git = {
+        enable = true;
+        userName = users.${config.home.username}.name;
+        userEmail = users.${config.home.username}.email;
+        signing.key = "~/.ssh/id_ed25519.pub";
+      };
+    };
+}

nix/modules/cli/nix.nix

@@ -0,0 +1,13 @@
+{
+  flake.modules.nixos.default.nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  flake.modules.darwin.default = {
+    nix.enable = false;
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+  };
+}

nix/modules/cli/shell.nix

@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+let
+  cfg = config.flake;
+  inherit (config.manifest) users;
+  inherit (cfg.lib.modules) forAllUsers';
+  inherit (lib.attrsets) mapAttrs';
+in
+{
+  flake.modules = {
+    nixos.default =
+      { pkgs, ... }:
+      {
+        programs = mapAttrs' (name: value: {
+          name = value.shell;
+          value.enable = true;
+        }) users;
+        users.users = forAllUsers' (_: value: { shell = pkgs.${value.shell}; });
+      };
+    darwin.default =
+      { pkgs, ... }:
+      {
+        programs = mapAttrs' (name: value: {
+          name = value.shell;
+          value.enable = true;
+        }) users;
+        users.users = forAllUsers' (_: value: { shell = pkgs.${value.shell}; });
+        environment.shells = [ pkgs.fish ];
+      };
+    homeManager.default =
+      { config, ... }:
+      {
+        programs.${users.${config.home.username}.shell}.enable = true;
+        home.shell.enableShellIntegration = true;
+      };
+  };
+}

nix/modules/graphical/default.nix

@@ -0,0 +1,17 @@
+{ lib, ... }:
+let
+  inherit (lib.options) mkEnableOption;
+in
+{
+  flake.modules = {
+    nixos.graphical = {
+      home-manager.sharedModules = [ { graphical = true; } ];
+      services.pipewire = {
+        enable = true;
+        pulse.enable = true;
+      };
+    };
+    homeManager.default.options.graphical = mkEnableOption "";
+    darwin.graphical.home-manager.sharedModules = [ { graphical = true; } ];
+  };
+}

nix/modules/graphical/stylix.nix

@@ -0,0 +1,20 @@
+{ inputs, ... }:
+{
+  # needs to be default because the options get
+  # evaluated even if graphical is set to false
+  flake.modules.nixos.default =
+    { pkgs, ... }:
+    {
+      imports = [ inputs.stylix.nixosModules.stylix ];
+      stylix.enable = true;
+      stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-dark-hard.yaml";
+    };
+  flake.modules.darwin.default =
+    { pkgs, ... }:
+    {
+      imports = [ inputs.stylix.darwinModules.stylix ];
+      stylix.enable = true;
+      #TODO: move into manifest
+      stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-dark-hard.yaml";
+    };
+}

nix/modules/machine/bootloader.nix

@@ -0,0 +1,18 @@
+{
+  flake.modules.nixos.default.boot = {
+    initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "ahci"
+      "usbhid"
+      "usb_storage"
+      "sd_mod"
+    ];
+    loader.efi.canTouchEfiVariables = true;
+    #TODO: disable for mbp?
+    loader.systemd-boot = {
+      enable = true;
+      configurationLimit = 5;
+    };
+  };
+}

nix/modules/machine/default.nix

@@ -0,0 +1,58 @@
+{ lib, ... }:
+let
+  inherit (lib.options) mkEnableOption;
+  inherit (lib.modules) mkIf mkMerge;
+in
+{
+  flake.modules.nixos.default =
+    {
+      config,
+      modulesPath,
+      pkgs,
+      ...
+    }:
+    let
+      cfg = config.machine;
+    in
+    {
+      imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+      options.machine = {
+        bluetooth.enable = mkEnableOption "";
+        usb.automount = mkEnableOption "";
+        usb.qmk.enable = mkEnableOption "";
+      };
+      config = mkMerge [
+        (mkIf cfg.usb.automount {
+          services.udisks2.enable = true;
+          home-manager.sharedModules = [
+            {
+              services.udiskie = {
+                enable = true;
+                automount = true;
+                notify = true;
+              };
+            }
+          ];
+        })
+        (mkIf cfg.usb.qmk.enable {
+          hardware.keyboard.qmk.enable = true;
+          services.udev = {
+            packages = with pkgs; [
+              vial
+              qmk
+              qmk-udev-rules
+              qmk_hid
+            ];
+          };
+
+        })
+        (mkIf cfg.bluetooth.enable {
+          persistDirs = [ "/var/lib/bluetooth" ];
+          hardware.bluetooth = {
+            enable = true;
+            settings.General.Experimental = true;
+          };
+        })
+      ];
+    };
+}

nix/modules/machine/gpu.nix

@@ -0,0 +1,37 @@
+{
+  allowedUnfreePackages = [
+    "nvidia-x11"
+    "nvidia-settings"
+  ];
+  flake.modules.nixos.default =
+    {
+      config,
+      pkgs,
+      hostConfig,
+      ...
+    }:
+    let
+      inherit (hostConfig.machine) gpu;
+    in
+    if gpu == "nvidia" then
+      {
+        hardware = {
+          graphics.enable = true;
+          graphics.extraPackages = [ pkgs.nvidia-vaapi-driver ];
+          nvidia.open = true;
+          nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
+        };
+        services.xserver.videoDrivers = [ "nvidia" ];
+        environment.variables = {
+          LIBVA_DRIVER_NAME = "nvidia";
+          __GLX_VENDOR_LIBRARY_NAME = "nvidia";
+          NVD_BACKEND = "direct";
+        };
+        nix.settings.substituters = [ "https://cuda-maintainers.cachix.org" ];
+        nix.settings.trusted-public-keys = [
+          "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
+        ];
+      }
+    else
+      { };
+}

nix/modules/machine/platform.nix

@@ -0,0 +1,23 @@
+{
+  flake.modules.nixos.default =
+    { hostConfig, ... }:
+    let
+      inherit (hostConfig.machine) platform;
+      arch = if platform == "amd" || platform == "intel" then "x86_64" else "aarch64";
+    in
+    {
+      hardware.cpu.${platform}.updateMicrocode = true;
+      boot.kernelModules = [ "kvm-${platform}" ];
+      nixpkgs.hostPlatform = "${arch}-linux";
+    };
+
+  flake.modules.darwin.default =
+    { hostConfig, ... }:
+    let
+      inherit (hostConfig.machine) platform;
+      arch = if platform == "intel" then "x86_64" else "aarch64";
+    in
+    {
+      nixpkgs.hostPlatform = "${arch}-darwin";
+    };
+}

nix/modules/machine/root.nix

@@ -0,0 +1,95 @@
+{ lib, inputs, ... }:
+let
+  inherit (lib.modules) mkMerge mkIf mkAfter;
+in
+{
+  flake.modules.nixos.default =
+    { hostConfig, ... }:
+    let
+      inherit (hostConfig.machine) root;
+    in
+    {
+      imports = [ inputs.disko.nixosModules.disko ];
+      config = mkMerge [
+        {
+          # BTRFS - may add more later on
+          boot.initrd.kernelModules = [ "dm-snapshot" ];
+          disko.devices.disk.main = {
+            device = root.drive;
+            content.type = "gpt";
+            content.partitions = {
+              boot = {
+                name = "boot";
+                size = "1M";
+                type = "EF02";
+              };
+              esp = {
+                name = "ESP";
+                size = "500M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                };
+              };
+              swap = {
+                size = "4G";
+                content = {
+                  type = "swap";
+                  resumeDevice = true;
+                };
+              };
+              root = {
+                name = "root";
+                size = "100%";
+                content = {
+                  type = "lvm_pv";
+                  vg = "root_vg";
+                };
+              };
+            };
+          };
+
+          disko.devices.lvm_vg.root_vg = {
+            type = "lvm_vg";
+            lvs.root = {
+              size = "100%FREE";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ];
+                subvolumes = {
+                  "/root".mountpoint = "/";
+                  "/persist" = {
+                    mountpoint = "/persist";
+                    mountOptions = [
+                      "subvol=persist"
+                      "noatime"
+                    ];
+                  };
+                  "/nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = [
+                      "subvol=nix"
+                      "noatime"
+                    ];
+                  };
+                };
+              };
+            };
+          };
+        }
+        # Ephemeral by default - assumes btrfs
+        (mkIf root.ephemeral {
+          boot.initrd.postDeviceCommands = mkAfter ''
+            mkdir /btrfs_tmp
+            mount /dev/root_vg/root /btrfs_tmp
+
+            if [[ -e /btrfs_tmp/root ]]; then
+              btrfs subvolume delete "/btrfs_tmp/root"
+            fi
+          '';
+        })
+      ];
+    };
+}

nix/modules/machine/virtualisation.nix

@@ -0,0 +1,36 @@
+{ lib, config, ... }:
+let
+  inherit (lib.modules) mkIf;
+  inherit (lib.options) mkEnableOption;
+  inherit (lib.lists) optional;
+  inherit (config.flake.lib.modules) forAllUsers;
+in
+{
+  flake.modules.nixos.default =
+    { pkgs, config, ... }:
+    let
+      cfg = config.machine.virtualisation;
+    in
+    {
+      options.machine.virtualisation = {
+        podman.enable = mkEnableOption "";
+        podman.distrobox.enable = mkEnableOption "";
+      };
+      config = mkIf cfg.podman.enable {
+        virtualisation.containers.enable = true;
+        virtualisation.podman = {
+          enable = true;
+          dockerCompat = true;
+          defaultNetwork.settings.dns_enabled = true;
+        };
+        users.users = forAllUsers {
+          extraGroups = [ "podman" ];
+          autoSubUidGidRange = cfg.podman.distrobox.enable;
+        };
+        home-manager.sharedModules = optional cfg.podman.distrobox.enable {
+          home.packages = [ pkgs.distrobox ];
+          persistDirs = [ ".local/share/containers" ];
+        };
+      };
+    };
+}

nix/modules/networking/default.nix

@@ -0,0 +1,16 @@
+{ lib, ... }:
+let
+  inherit (lib.modules) mkDefault;
+in
+{
+  flake.modules.nixos.default =
+    { hostName, ... }:
+    {
+      networking = {
+        inherit hostName;
+        enableIPv6 = false;
+        useDHCP = mkDefault true;
+        networkmanager.enable = true;
+      };
+    };
+}

nix/modules/networking/ssh.nix

@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+let
+  cfg = config.flake;
+  inherit (config.manifest) admin;
+  inherit (lib.modules) mkMerge;
+  inherit (cfg.lib.modules) forAllUsers';
+in
+{
+  flake.modules.nixos.default = mkMerge [
+    {
+      services.openssh.enable = true;
+      users.users = forAllUsers' (_: value: { openssh.authorizedKeys.keys = [ value.pubkey ]; });
+      persistFiles = [
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+      ];
+    }
+    { users.users.root.openssh.authorizedKeys.keys = [ admin.pubkey ]; }
+  ];
+  flake.modules.homeManager.default = {
+    persistDirs = [ ".ssh" ];
+    programs.ssh.enable = true;
+    programs.ssh.extraConfig = ''
+      Host *
+        SetEnv TERM=xterm-256color
+    '';
+  };
+}

nix/modules/networking/tailscale.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+let
+  inherit (config.flake.paths) secrets;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    {
+      services.tailscale = {
+        enable = true;
+        authKeyFile = config.sops.secrets."tailscale/client-secret".path;
+        authKeyParameters.preauthorized = true;
+      };
+      persistDirs = [ "/var/lib/tailscale" ];
+      sops.secrets."tailscale/client-secret".sopsFile = secrets + "/tailscale.yaml";
+    };
+  flake.modules.darwin.default =
+    { pkgs, ... }:
+    {
+      services.tailscale = {
+        enable = true;
+        package = pkgs.tailscale.overrideAttrs { doCheck = false; };
+      };
+    };
+}

nix/modules/server/databases.nix

@@ -0,0 +1,90 @@
+{ lib, config, ... }:
+let
+  inherit (builtins) toString;
+  inherit (lib.modules) mkIf mkMerge mkOverride;
+  inherit (lib.lists) singleton;
+  inherit (lib.options) mkEnableOption;
+  inherit (config.flake.lib.options) mkPortOption;
+in
+{
+  allowedUnfreePackages = [ "mongodb" ];
+  flake.modules.nixos.default =
+    { config, pkgs, ... }:
+    let
+      cfg = config.server.databases;
+    in
+    {
+      options.server.databases = {
+        mongodb = {
+          enable = mkEnableOption "the MongoDB server";
+          port = mkPortOption 27017;
+        };
+        mysql = {
+          enable = mkEnableOption "the MySQL server";
+          port = mkPortOption 3306;
+        };
+        postgresql = {
+          enable = mkEnableOption "the postgresql server";
+          port = mkPortOption 5432;
+        };
+      };
+
+      config = mkMerge [
+        (mkIf cfg.postgresql.enable {
+          networking.firewall.allowedTCPPorts = singleton cfg.postgresql.port;
+          persistDirs = singleton {
+            directory = toString config.services.postgresql.dataDir;
+            user = "postgres";
+            group = "postgres";
+          };
+          services.postgresql = {
+            enable = true;
+            enableTCPIP = true;
+            settings = { inherit (cfg.postgresql) port; };
+            authentication = mkOverride 10 ''
+              #type database DBuser auth-method
+              local all all trust
+
+              # ipv4
+              host all all 0.0.0.0/0 trust
+            '';
+            ensureDatabases = singleton "alphastory";
+            ensureUsers = singleton {
+              name = "alphastory";
+              ensureDBOwnership = true;
+            };
+          };
+        })
+        (mkIf cfg.mongodb.enable {
+          networking.firewall.allowedTCPPorts = [ cfg.mongodb.port ];
+          persistDirs = singleton {
+            directory = toString config.services.mongodb.dbpath;
+            user = "mongodb";
+            group = "mongodb";
+          };
+          services.mongodb = {
+            enable = true;
+            bind_ip = "0.0.0.0";
+            extraConfig = ''
+              net.port: ${toString cfg.mongodb.port}
+            '';
+          };
+        })
+        (mkIf cfg.mysql.enable {
+          networking.firewall.allowedTCPPorts = [ cfg.mysql.port ];
+          persistDirs = singleton {
+            directory = toString config.services.mysql.dataDir;
+            user = "mysql";
+            group = "mysql";
+          };
+          services.mysql = {
+            enable = true;
+            package = pkgs.mariadb;
+            settings.mysqld = {
+              inherit (cfg.mysql) port;
+            };
+          };
+        })
+      ];
+    };
+}

nix/modules/server/ddns.nix

@@ -0,0 +1,59 @@
+{ lib, config, ... }:
+let
+  inherit (lib.modules) mkIf;
+  inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.types) enum str listOf;
+  inherit (lib.lists) unique;
+  inherit (builtins) map;
+  inherit (config.flake.paths) secrets;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    let
+      cfg = config.server.ddns;
+      mkDomain = domain_name: {
+        inherit domain_name;
+        sub_domains = [
+          "@"
+          "*"
+        ];
+      };
+    in
+    {
+      options.server.ddns = {
+        enable = mkEnableOption "";
+        type = mkOption {
+          type = enum [ "godns" ];
+          default = "godns";
+        };
+        domains = mkOption {
+          type = listOf str;
+          default = [ ];
+        };
+      };
+
+      config = mkIf cfg.enable {
+        sops.secrets."keys/cloudflare".sopsFile = secrets + "/keys.yaml";
+        services.godns = {
+          enable = if (cfg.type == "godns") then true else false;
+          loadCredential = [ "cf_token:${config.sops.secrets."keys/cloudflare".path}" ];
+          settings = {
+            provider = "Cloudflare";
+            login_token_file = "$CREDENTIALS_DIRECTORY/cf_token";
+            # Sanitize the list of domains with unique so we can add to it with every service.
+            domains = map mkDomain (unique cfg.domains);
+            resolver = "1.1.1.1";
+            ip_urls = [
+              "https://wtfismyip.com/text"
+              "https://api.ipify.org"
+              "https://myip.biturl.top"
+              "https://api-ipv4.ip.sb/ip"
+            ];
+            ip_type = "IPv4";
+            interval = 300;
+          };
+        };
+      };
+    };
+}

nix/modules/server/web-apps/comfy-ui.nix

@@ -0,0 +1,34 @@
+{
+  lib,
+  config,
+  inputs,
+  ...
+}:
+let
+  inherit (lib.lists) singleton;
+  inherit (config.flake.lib.services) mkWebApp;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    let
+      upstreamCfg = config.services.comfyUi;
+    in
+    mkWebApp {
+      inherit config;
+      name = "comfy-ui";
+      defaultPort = 8188;
+      persistDirs = singleton {
+        directory = upstreamCfg.dataDir;
+        inherit (upstreamCfg) user group;
+        mode = "777";
+      };
+      extraConfig.services.comfyUi = {
+        enable = true;
+        listenHost = "0.0.0.0";
+      };
+    }
+    // {
+      imports = [ inputs.stable-diffusion-webui-nix.nixosModules.default ];
+    };
+}

nix/modules/server/web-apps/forgejo.nix

@@ -0,0 +1,47 @@
+{ lib, config, ... }:
+let
+  inherit (lib.lists) singleton optional;
+  inherit (config.flake.lib.options) mkPortOption;
+  inherit (config.flake.lib.services) mkWebApp;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    let
+      cfg = config.server.web-apps.forgejo;
+      upstreamCfg = config.services.forgejo;
+    in
+    mkWebApp {
+      inherit config;
+      name = "forgejo";
+      defaultPort = 3000;
+      persistDirs = singleton {
+        directory = upstreamCfg.stateDir;
+        inherit (upstreamCfg) user group;
+      };
+      extraOptions = {
+        sshPort = mkPortOption 2222;
+      };
+      extraConfig = {
+        networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.sshPort;
+        services.forgejo = {
+          enable = true;
+          settings = {
+            server = {
+              DOMAIN = cfg.domain;
+              ROOT_URL = "https://${cfg.domain}/";
+              HTTP_PORT = cfg.port;
+              START_SSH_SERVER = true;
+              SSH_PORT = cfg.sshPort;
+            };
+            repository = {
+              USE_COMPAT_SSH_URI = false;
+              ENABLE_PUSH_CREATE_USER = true;
+              ENABLE_PUSH_CREATE_ORG = true;
+            };
+            "repository.signing".FORMAT = "ssh";
+          };
+        };
+      };
+    };
+}

nix/modules/server/web-apps/librechat.nix

@@ -0,0 +1,87 @@
+{
+  lib,
+  inputs,
+  config,
+  ...
+}:
+let
+  inherit (lib.lists) singleton;
+  inherit (config.flake.lib.options) mkStrOption;
+  inherit (config.flake.lib.services) mkWebApp;
+  inherit (config.flake.paths) secrets;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    let
+      cfg = config.server.web-apps.librechat;
+      upstreamCfg = config.services.librechat;
+    in
+    mkWebApp {
+      inherit config;
+      name = "librechat";
+      defaultPort = 3080;
+      persistDirs = singleton {
+        directory = upstreamCfg.dataDir;
+        inherit (upstreamCfg) user group;
+      };
+      extraOptions.mongodbURI = mkStrOption "mongodb://${config.networking.hostName}:27017/LibreChat";
+      extraConfig = {
+        sops.secrets = {
+          "librechat/creds_key".sopsFile = secrets + "/librechat.yaml";
+          "librechat/creds_iv".sopsFile = secrets + "/librechat.yaml";
+          "librechat/jwt_secret".sopsFile = secrets + "/librechat.yaml";
+          "librechat/jwt_refresh_secret".sopsFile = secrets + "/librechat.yaml";
+          "keys/gemini".sopsFile = secrets + "/keys.yaml";
+          "keys/openrouter".sopsFile = secrets + "/keys.yaml";
+        };
+        services.librechat = {
+          enable = true;
+          openFirewall = true;
+          inherit (cfg) port;
+          env = {
+            HOST = "0.0.0.0";
+            ALLOW_REGISTRATION = "true";
+            NO_INDEX = "true";
+            MONGO_URI = cfg.mongodbURI;
+            DOMAIN_CLIENT = cfg.domain;
+            DOMAIN_SERVER = cfg.domain;
+            ENDPOINTS = "anthropic,agents,google";
+          };
+          credentials = {
+            CREDS_KEY = config.sops.secrets."librechat/creds_key".path;
+            CREDS_IV = config.sops.secrets."librechat/creds_iv".path;
+            JWT_SECRET = config.sops.secrets."librechat/jwt_secret".path;
+            JWT_REFRESH_SECRET = config.sops.secrets."librechat/jwt_refresh_secret".path;
+            OPENROUTER_KEY = config.sops.secrets."keys/openrouter".path;
+            GOOGLE_KEY = config.sops.secrets."keys/gemini".path;
+          };
+          settings = {
+            version = "1.1.4";
+            cache = true;
+            endpoints.custom = [
+              {
+                name = "OpenRouter";
+                apiKey = "\${OPENROUTER_KEY}";
+                baseURL = "https://openrouter.ai/api/v1";
+                models.default = [ "meta-llama/llama-3-70b-instruct" ];
+                models.fetch = true;
+                titleConvo = true;
+                titleModel = "current_model";
+                modelDisplayLabel = "OpenRouter";
+              }
+            ];
+            interface = {
+              privacyPolicy = {
+                externalUrl = "https://librechat.ai/privacy-policy";
+                openNewTab = true;
+              };
+            };
+          };
+        };
+      };
+    }
+    // {
+      imports = singleton "${inputs.rrvsh-nixpkgs}/nixos/modules/services/web-apps/librechat.nix";
+    };
+}

nix/modules/server/web-apps/rrv-sh.nix

@@ -0,0 +1,23 @@
+{ config, inputs, ... }:
+let
+  inherit (config.flake.lib.services) mkWebApp;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    let
+      cfg = config.server.web-apps.rrv-sh;
+    in
+    mkWebApp {
+      inherit config;
+      name = "rrv-sh";
+      defaultPort = 2309;
+      extraConfig.services.rrv-sh = {
+        enable = true;
+        inherit (cfg) port;
+      };
+    }
+    // {
+      imports = [ inputs.rrv-sh.nixosModules.default ];
+    };
+}

nix/modules/server/web-apps/sd-webui-forge.nix

@@ -0,0 +1,34 @@
+{
+  lib,
+  inputs,
+  config,
+  ...
+}:
+let
+  inherit (lib.lists) singleton;
+  inherit (config.flake.lib.services) mkWebApp;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    let
+      upstreamCfg = config.services.sd-webui-forge;
+    in
+    mkWebApp {
+      inherit config;
+      name = "sd-webui-forge";
+      defaultPort = 7860;
+      persistDirs = singleton {
+        directory = upstreamCfg.dataDir;
+        inherit (upstreamCfg) user group;
+      };
+      extraConfig.services.sd-webui-forge = {
+        enable = true;
+        listen = true;
+        extraArgs = "--cuda-malloc";
+      };
+    }
+    // {
+      imports = [ inputs.stable-diffusion-webui-nix.nixosModules.default ];
+    };
+}

nix/modules/server/web-servers.nix

@@ -0,0 +1,142 @@
+{ lib, config, ... }:
+let
+  inherit (builtins) listToAttrs map;
+  inherit (config.flake.lib.options) mkStrOption mkPathOption;
+  inherit (config.flake.lib.services) mkRootDomain;
+  inherit (config.flake.paths) secrets;
+  inherit (config.manifest.admin) email;
+  inherit (lib.types) listOf submodule attrs;
+  inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.modules) mkMerge mkIf;
+  inherit (lib.lists) singleton;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    let
+      cfg = config.server.web-servers;
+      sslCheck = good: bad: if cfg.enableSSL then good else bad;
+    in
+    {
+      options.server.web-servers = {
+        enableSSL = mkEnableOption "";
+        nginx = {
+          enable = mkEnableOption "the Nginx server";
+          openFirewall = mkEnableOption "" // {
+            default = true;
+          };
+          enableDefaultSink = mkEnableOption "" // {
+            default = true;
+          };
+          pages = mkOption {
+            default = [ ];
+            type = listOf (submodule {
+              options = {
+                domain = mkStrOption "";
+                root = mkPathOption "";
+                extraConfig = mkOption {
+                  type = attrs;
+                  default = { };
+                };
+                locations = mkOption {
+                  type = attrs;
+                  default = { };
+                };
+              };
+            });
+          };
+          proxies = mkOption {
+            default = [ ];
+            type = listOf (submodule {
+              options = {
+                source = mkStrOption "";
+                target = mkStrOption "";
+                extraConfig = mkOption {
+                  type = attrs;
+                  default = { };
+                };
+                locations = mkOption {
+                  type = attrs;
+                  default = { };
+                };
+              };
+            });
+          };
+        };
+      };
+      config = mkMerge [
+        (mkIf cfg.enableSSL {
+          sops.secrets."keys/cloudflare".sopsFile = secrets + "/keys.yaml";
+          security.acme = {
+            acceptTerms = true;
+            defaults = {
+              inherit email;
+              dnsProvider = "cloudflare";
+              credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
+            };
+            certs = {
+              "rrv.sh".extraDomainNames = singleton "*.rrv.sh";
+              "bwfiq.com".extraDomainNames = singleton "*.bwfiq.com";
+              "slayment.com".extraDomainNames = singleton "*.slayment.com";
+              "aenyrathia.wiki".extraDomainNames = singleton "*.aenyrathia.wiki";
+            };
+          };
+        })
+        (mkIf cfg.nginx.enable {
+          networking.firewall.allowedTCPPorts = mkIf cfg.nginx.openFirewall [
+            443
+            80
+          ];
+          users.users.nginx.extraGroups = singleton "acme";
+          services.nginx = {
+            enable = true;
+            recommendedProxySettings = true;
+            recommendedTlsSettings = true;
+            recommendedOptimisation = true;
+            recommendedGzipSettings = true;
+            virtualHosts = mkMerge [
+              (mkIf cfg.nginx.enableDefaultSink {
+                "_" = {
+                  default = true;
+                  rejectSSL = sslCheck true false;
+                  locations."/" = {
+                    return = "444";
+                  };
+                };
+              })
+              (listToAttrs (
+                map (page: {
+                  name = page.domain;
+                  value = {
+                    addSSL = sslCheck true false;
+                    useACMEHost = sslCheck (mkRootDomain page.domain) null;
+                    acmeRoot = null; # needed for DNS validation
+                    locations = {
+                      "/" = {
+                        inherit (page) root;
+                      } // page.extraConfig;
+                    } // page.locations;
+                  };
+                }) cfg.nginx.pages
+              ))
+              (listToAttrs (
+                map (proxy: {
+                  name = proxy.source;
+                  value = {
+                    addSSL = sslCheck true false;
+                    useACMEHost = sslCheck (mkRootDomain proxy.source) null;
+                    acmeRoot = null; # needed for DNS validation
+                    locations = {
+                      "/" = {
+                        proxyPass = proxy.target;
+                      } // proxy.extraConfig;
+                    } // proxy.locations;
+                  };
+                }) cfg.nginx.proxies
+              ))
+            ];
+          };
+        })
+      ];
+    };
+}

nix/modules/system/persist.nix

@@ -0,0 +1,66 @@
+{
+  lib,
+  inputs,
+  config,
+  ...
+}:
+let
+  inherit (lib.modules) mkIf;
+  inherit (lib.options) mkOption;
+  inherit (config.flake.lib.options) mkStrOption;
+  inherit (lib.types)
+    listOf
+    str
+    coercedTo
+    submodule
+    ;
+  permOpts = {
+    user = mkStrOption "root";
+    group = mkStrOption "root";
+    mode = mkStrOption "0755";
+  };
+  mkOpts =
+    type: opts:
+    mkOption {
+      default = [ ];
+      type = listOf (
+        coercedTo str (d: { ${type} = d; }) (submodule {
+          options = {
+            ${type} = mkStrOption "";
+          } // opts;
+        })
+      );
+    };
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    {
+      imports = [ inputs.impermanence.nixosModules.impermanence ];
+      options.persistDirs = mkOpts "directory" permOpts;
+      options.persistFiles = mkOpts "file" { parentDirectory = permOpts; };
+      config = {
+        programs.fuse.userAllowOther = true;
+        fileSystems."/persist".neededForBoot = true;
+        environment.persistence."/persist" = {
+          hideMounts = true;
+          directories = config.persistDirs;
+          files = config.persistFiles;
+        };
+      };
+    };
+  flake.modules.homeManager.default =
+    { config, pkgs, ... }:
+    {
+      imports = [ inputs.impermanence.homeManagerModules.impermanence ];
+      options.persistDirs = mkOpts "directory" { };
+      options.persistFiles = mkOpts "file" { };
+      config = mkIf (pkgs.system == "x86_64-linux") {
+        home.persistence."/persist${config.home.homeDirectory}" = {
+          allowOther = true;
+          directories = config.persistDirs;
+          files = config.persistFiles;
+        };
+      };
+    };
+}

nix/modules/system/secrets.nix

@@ -0,0 +1,77 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+let
+  cfg = config.flake;
+  inherit (cfg.paths) secrets;
+  inherit (builtins) readFile;
+  inherit (lib.meta) getExe;
+  inherit (lib.strings) trim;
+  inherit (config.manifest.admin) username pubkey;
+in
+{
+  flake.modules = {
+    nixos.default =
+      { config, ... }:
+      {
+        imports = [ inputs.sops-nix.nixosModules.sops ];
+        config = {
+          sops = {
+            age.sshKeyPaths = [
+              "/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519"
+            ];
+            secrets."keys/gemini".sopsFile = secrets + "/keys.yaml";
+          };
+          environment.shellInit = # sh
+            ''
+              export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path})
+            '';
+        };
+      };
+    darwin.default =
+      { config, ... }:
+      {
+        imports = [ inputs.sops-nix.darwinModules.sops ];
+        config = {
+          sops = {
+            age.sshKeyPaths = [ "${config.users.users.${username}.home}/.ssh/id_ed25519" ];
+            secrets."keys/gemini".sopsFile = secrets + "/keys.yaml";
+          };
+          environment.shellInit = # sh
+            ''
+              export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path})
+            '';
+        };
+      };
+    homeManager.default.persistDirs = [ ".config/sops/age" ];
+  };
+  perSystem =
+    { pkgs, ... }:
+    {
+      files.files = [
+        {
+          path_ = ".sops.yaml";
+          drv =
+            pkgs.writeText ".sops.yaml" # yaml
+              ''
+                keys:
+                  - &${username} ${trim (
+                    readFile "${
+                      pkgs.runCommand "" { } ''
+                        mkdir $out; echo ${pubkey} | ${getExe pkgs.ssh-to-age} > $out/agepubkey
+                      ''
+                    }/agepubkey"
+                  )}
+                creation_rules:
+                  - path_regex: \.(yaml)$
+                    key_groups:
+                    - age:
+                      - *${username}
+              '';
+        }
+      ];
+    };
+}

nix/modules/system/sudo.nix

@@ -0,0 +1,19 @@
+{ config, ... }:
+let
+  inherit (config.manifest) admin;
+in
+{
+  flake.modules.nixos.default = {
+    security.sudo.wheelNeedsPassword = false;
+    nix.settings.trusted-users = [ "@wheel" ];
+    users.users.${admin.username}.extraGroups = [ "wheel" ];
+  };
+  flake.modules.darwin.default.security = {
+    sudo.extraConfig = "%admin          ALL = (ALL) NOPASSWD: ALL";
+    pam.services.sudo_local = {
+      enable = true;
+      reattach = true;
+      touchIdAuth = true;
+    };
+  };
+}