From f4b49fdcde5d4aa7cde11292e24d39a86ac95b72 Mon Sep 17 00:00:00 2001 
From: Hendrik Sokolowski Date: Sat, 28 Jan 2023 22:30:37 +0100 Subject: [PATCH] reset later --- flake.lock | 55 +++-- flake.nix | 8 +- hosts/companion/companion.nix | 2 + hosts/companion/configuration.nix | 21 +- hosts/companion/hardware-configuration.nix | 60 ++--- hosts/companion/home-controller.nix | 2 +- hosts/cox/configuration.nix | 1 + hosts/cox/hardware-configuration.nix | 56 +++-- hosts/cox/home-controller.nix | 2 +- hosts/cox/paperless.nix | 112 +++++++++ hosts/cube/configuration.nix | 2 +- hosts/cube/hardware-configuration.nix | 2 + hosts/cube/nextcloud-apps.nix | 118 ++++----- hosts/cube/nextcloud.nix | 10 +- hosts/cube/tang-container.nix | 64 +++++ hosts/cube/tang.nix | 23 ++ hosts/falcone/configuration.nix | 25 +- hosts/falcone/hardware-configuration.nix | 12 +- hosts/giggles/configuration.nix | 1 + hosts/giggles/hardware-configuration.nix | 62 +++-- hosts/giggles/home-controller.nix | 1 - hosts/giggles/lrad.nix | 47 ++++ hosts/giggles/tang-container.nix | 54 ++++ modules/home-controller/default.nix | 2 +- modules/terminal-life/default.nix | 2 + modules/terminal-life/nvim/default.nix | 2 +- overlays/tang.nix | 13 + pkgs/_sources/generated.json | 230 ++++++++++++++++++ pkgs/_sources/generated.nix | 76 +++--- profiles/base-user/session-variables.nix | 2 +- ...ome_controller_companion_wireguard_key.age | 37 ++- secrets/home_controller_cox_wireguard_key.age | 41 ++-- .../home_controller_giggles_wireguard_key.age | Bin 1008 -> 1019 bytes secrets/secrets.nix | 6 +- users/hensoko/default.nix | 1 + users/hensoko/ssh.nix | 11 +- users/iot/default.nix | 2 + users/iot/home.nix | 1 - 38 files changed, 857 insertions(+), 309 deletions(-) create mode 100644 hosts/cox/paperless.nix create mode 100644 hosts/cube/tang-container.nix create mode 100644 hosts/cube/tang.nix create mode 100644 hosts/giggles/lrad.nix create mode 100644 hosts/giggles/tang-container.nix create mode 100644 overlays/tang.nix create mode 100644 pkgs/_sources/generated.json 
diff --git a/flake.lock b/flake.lock index cb18a02a..33acc36e 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1662241716, - "narHash": "sha256-urqPvSvvGUhkwzTDxUI8N1nsdMysbAfjmBNZaTYBZRU=", + "lastModified": 1673301561, + "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=", "owner": "ryantm", "repo": "agenix", - "rev": "c96da5835b76d3d8e8d99a0fec6fe32f8539ee2e", + "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68", "type": "github" }, "original": { @@ -27,11 +27,11 @@ ] }, "locked": { - "lastModified": 1661882940, - "narHash": "sha256-4LaVFnV22WrOA0aolqqk9dXrM8crikcrLQt29G18F7M=", + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "80cec5115aae74accc4ccfb9f84306d7863f0632", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", "type": "github" }, "original": { @@ -51,11 +51,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1659725433, - "narHash": "sha256-1ZxuK67TL29YLw88vQ18Y2Y6iYg8Jb7I6/HVzmNB6nM=", + "lastModified": 1674127017, + "narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=", "owner": "serokell", "repo": "deploy-rs", - "rev": "41f15759dd8b638e7b4f299730d94d5aa46ab7eb", + "rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77", "type": "github" }, "original": { @@ -218,11 +218,11 @@ }, "latest": { "locked": { - "lastModified": 1662019588, - "narHash": "sha256-oPEjHKGGVbBXqwwL+UjsveJzghWiWV0n9ogo1X6l4cw=", + "lastModified": 1674641431, + "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2da64a81275b68fdad38af669afeda43d401e94b", + "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc", "type": "github" }, "original": { 
@@ -239,11 +239,11 @@ ] }, "locked": { - "lastModified": 1662101674, - "narHash": "sha256-Yn4jpQ3xMn2U8E/hZiaCulFn7NkUTZ5PMMPY8ClMJD4=", + "lastModified": 1673395322, + "narHash": "sha256-Xwaoz3+/+kCu8Przi1W3MWdQcOQ9wLVrr8nfBN6L6wA=", "owner": "musnix", "repo": "musnix", - "rev": "c28a81cfdc33cbe95bce3aa853da5d8e5d8f5d00", + "rev": "46d6e6435edcfa2a4adcfdd95d576979b710f4cb", "type": "github" }, "original": { @@ -269,11 +269,11 @@ }, "nixos": { "locked": { - "lastModified": 1674868155, - "narHash": "sha256-eFNm2h6fNbgD7ZpO4MHikCB5pSnCJ7DTmwPisjetmwc=", + "lastModified": 1674781052, + "narHash": "sha256-nseKFXRvmZ+BDAeWQtsiad+5MnvI/M2Ak9iAWzooWBw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ce20e9ebe1903ea2ba1ab006ec63093020c761cb", + "rev": "cc4bb87f5457ba06af9ae57ee4328a49ce674b1b", "type": "github" }, "original": { @@ -289,11 +289,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1660727616, - "narHash": "sha256-zYTIvdPMYMx/EYqXODAwIIU30RiEHqNHdgarIHuEYZc=", + "lastModified": 1674666581, + "narHash": "sha256-KNI2s/xrL7WOYaPJAWKBtb7cCH3335rLfsL+B+ssuGY=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "adccd191a0e83039d537e021f19495b7bad546a1", + "rev": "6a5dc1d3d557ea7b5c19b15ff91955124d0400fa", "type": "github" }, "original": { @@ -304,11 +304,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1662458987, - "narHash": "sha256-hcDwRlsXZMp2Er3vQk1JEUZWhBPLVC9vTT4xHvhpcE0=", + "lastModified": 1674550793, + "narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "504b32caf83986b7e6b9c79c1c13008f83290f19", + "rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103", "type": "github" }, "original": { @@ -385,6 +385,7 @@ }, "nur": { "locked": { + "lastModified": 0, "narHash": "sha256-koC6DBYmLCrgXA+AMHVaODf1uHYPmvcFygHfy3eg6vI=", "path": "/nix/store/6mfkswqi67m35qwv0vh7kpk8rypbl2rq-source", "type": "path" 
@@ -413,11 +414,11 @@ }, "utils": { "locked": { - "lastModified": 1648297722, - "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index ed58ce14..227dafc9 100644 --- a/flake.nix +++ b/flake.nix @@ -183,7 +183,7 @@ redpanda = hensoko; # home pc - harrison = hensoko ++ [ daw graphical non-free social work ]; + harrison = hensoko ++ [ daw gaming graphical non-free social work ]; # work laptop norman = hensoko ++ [ graphical non-free social virtualisation work ]; @@ -192,7 +192,7 @@ falcone = hensoko-iot; # surface - surfplace = hensoko ++ [ graphical non-free social work ]; + surfplace = hensoko ++ [ graphical non-free social ]; }; }; @@ -229,8 +229,8 @@ }; companion = { sshUser = "iot"; }; - cox = { }; - giggles = { }; + cox = { sshUser = "iot"; }; + giggles = { sshUser = "iot"; }; ringo = { }; cube = { sshUser = "iot"; diff --git a/hosts/companion/companion.nix b/hosts/companion/companion.nix index ca873721..6ff0d422 100644 --- a/hosts/companion/companion.nix +++ b/hosts/companion/companion.nix @@ -10,6 +10,8 @@ in ]; config = { + nixpkgs.crossSystem.system = "aarch64-linux"; + boot.plymouth.enable = lib.mkForce false; pub-solar.nextcloud.enable = lib.mkForce false; }; diff --git a/hosts/companion/configuration.nix b/hosts/companion/configuration.nix index 1b8dc6c7..1b16a50a 100644 --- a/hosts/companion/configuration.nix +++ b/hosts/companion/configuration.nix 
@@ -2,13 +2,14 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, lib, ... }: +{ inputs, pkgs, builtins, config, lib, ... }: { imports = [ ./hardware-configuration.nix ./home-controller.nix + ./paperless.nix ]; boot.loader.timeout = lib.mkForce 0; @@ -20,6 +21,10 @@ efiSupport = true; efiInstallAsRemovable = true; device = "nodev"; + + extraInstallCommands = '' + cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/ + ''; }; # Set your time zone. @@ -29,23 +34,11 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.eth0.useDHCP = true; - networking.interfaces.wlan0.useDHCP = false; + networking.interfaces.enabcm6e4ei0.useDHCP = true; networking.networkmanager.enable = lib.mkForce false; boot.loader.systemd-boot.enable = lib.mkForce false; - nix = { - extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes"; - }; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - vim - wget - ]; - # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 2380 6443 ]; # networking.firewall.allowedUDPPorts = [ ... ]; diff --git a/hosts/companion/hardware-configuration.nix b/hosts/companion/hardware-configuration.nix index 1b59fa36..7805d0f3 100644 --- a/hosts/companion/hardware-configuration.nix +++ b/hosts/companion/hardware-configuration.nix 
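Review bot: The import list in the first hunk now pulls in `./paperless.nix`, but the diffstat of this patch creates only `hosts/cox/paperless.nix`, so unless `hosts/companion/paperless.nix` already exists in the tree this host will fail to evaluate. If the file does exist and mirrors the cox one, it also brings the anonymous-upload FTP listener to companion, which should be a deliberate decision rather than a side effect. Separately, `builtins` in the module argument list shadows the language-level `builtins` and is not an argument the module system normally supplies; `{ inputs, pkgs, config, lib, ... }:` covers everything the visible lines use.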
@@ -5,57 +5,61 @@ { imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") + [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "uas" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - boot.initrd.supportedFilesystems = [ "zfs" ]; - boot.supportedFilesystems = [ "zfs" ]; - boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + boot.kernelParams = [ "usb-storage.quirks=2109:0716:u,174c:55aa:u" ]; - boot.initrd.luks.devices = { - cryptroot = { - device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883"; - keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1"; - bypassWorkqueues = true; - fallbackToPassword = true; - }; + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.supportedFilesystems = [ ]; + + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + boot.loader.efi.canTouchEfiVariables = false; + + boot.loader.systemd-boot.enable = false; + boot.loader.generic-extlinux-compatible.enable = false; + boot.loader.timeout = 0; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/2538df0f-9d17-4651-a7ee-26d6f28e4e71"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1"; + fallbackToPassword = true; + bypassWorkqueues = true; }; fileSystems."/" = - { - device = "zroot/root"; - fsType = "zfs"; + { device = "/dev/disk/by-label/root"; + fsType = "ext4"; }; fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/5552-1B21"; + { device = "/dev/disk/by-uuid/5552-1B21"; fsType = "vfat"; }; - fileSystems."/var/lib/rancher/k3s/storage" = - { - device = "zroot/kubernetes-localstorage"; - fsType = "zfs"; - }; - swapDevices = - [{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }]; + [ { device = 
"/dev/disk/by-label/swap"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = false; - networking.interfaces.eth0.useDHCP = lib.mkDefault true; + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; - networking.hostId = "71f2d82a"; + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; } diff --git a/hosts/companion/home-controller.nix b/hosts/companion/home-controller.nix index ff7ab606..534c2dfd 100644 --- a/hosts/companion/home-controller.nix +++ b/hosts/companion/home-controller.nix @@ -2,7 +2,7 @@ { config = { - age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + #age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age"; pub-solar.home-controller = { diff --git a/hosts/cox/configuration.nix b/hosts/cox/configuration.nix index bdb0f92d..14ac5211 100644 --- a/hosts/cox/configuration.nix +++ b/hosts/cox/configuration.nix @@ -10,6 +10,7 @@ ./backup.nix ./hardware-configuration.nix ./home-controller.nix + ./paperless.nix ]; boot.loader.timeout = 0; diff --git a/hosts/cox/hardware-configuration.nix b/hosts/cox/hardware-configuration.nix index 3b52c24b..dff6b612 100644 --- a/hosts/cox/hardware-configuration.nix +++ b/hosts/cox/hardware-configuration.nix 
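Review bot: `swapDevices` now points at `/dev/disk/by-label/swap`, and nothing in this hunk shows that device living inside `cryptroot`, so on a host whose root is LUKS-encrypted the swap partition may be holding memory pages in the clear. If it is a bare partition, `{ device = "/dev/disk/by-partuuid/<partuuid>"; randomEncryption.enable = true; }` closes the gap (a by-partuuid path is needed because labels and filesystem UUIDs are erased when the partition is re-keyed at boot). If swap already sits on the unlocked mapper device, a one-line comment saying so would settle the question. The cox hardware-configuration hunk has the same shape with a by-uuid swap device. Mounting `/` through the generic label `root` is also less specific than the UUID form kept for `/boot`, since labels are not guaranteed unique across attached disks.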
@@ -5,57 +5,59 @@ { imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") + [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "uas" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - boot.initrd.supportedFilesystems = [ "zfs" ]; - boot.supportedFilesystems = [ "zfs" ]; - boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + boot.kernelPackages = pkgs.linuxPackages_6_1; + boot.supportedFilesystems = [ ]; - boot.initrd.luks.devices = { - cryptroot = { - device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2"; - keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1"; - bypassWorkqueues = true; - fallbackToPassword = true; - }; + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + boot.loader.efi.canTouchEfiVariables = false; + + boot.loader.systemd-boot.enable = false; + boot.loader.generic-extlinux-compatible.enable = false; + boot.loader.timeout = 0; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/d86a20a6-686c-4bf8-bd3b-911901272742"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1"; + fallbackToPassword = true; + bypassWorkqueues = true; }; fileSystems."/" = - { - device = "zroot/root"; - fsType = "zfs"; + { device = "/dev/disk/by-uuid/6a419f58-bef1-4dd9-9b4f-389e35ba686a"; + fsType = "ext4"; }; fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/6CB3-6DB8"; + { device = "/dev/disk/by-uuid/6CB3-6DB8"; fsType = "vfat"; }; - fileSystems."/var/lib/rancher/k3s/storage" = - { - device = "zroot/kubernetes-localstorage"; - fsType = "zfs"; - }; - swapDevices = - [{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }]; + [ { device = 
"/dev/disk/by-uuid/ea401985-e25f-4d13-8d72-5a5660c4384f"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = false; + #networking.useDHCP = lib.mkDefault true; networking.interfaces.eth0.useDHCP = lib.mkDefault true; # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; - networking.hostId = "71f2d82a"; + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; } diff --git a/hosts/cox/home-controller.nix b/hosts/cox/home-controller.nix index d017c570..ce06d8bb 100644 --- a/hosts/cox/home-controller.nix +++ b/hosts/cox/home-controller.nix @@ -2,7 +2,7 @@ { config = { - age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + #age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age"; pub-solar.home-controller = { diff --git a/hosts/cox/paperless.nix b/hosts/cox/paperless.nix new file mode 100644 index 00000000..eb03e8bf --- /dev/null +++ b/hosts/cox/paperless.nix 
@@ -0,0 +1,112 @@ +{ pkgs, config, ... }: + +let + containerStateDir = "/data"; + hostStateDir = "/opt/documents/paperless"; + httpPort = 80; + paperlessPort = 8080; + ftpListenPort = 20021; + ftpPasvMinPort = 22021; + ftpPasvMaxPort = 24021; + domain = "cox.local"; +in + { + + networking.firewall = { + allowedTCPPorts = [ + httpPort + ftpListenPort + ]; + + allowedTCPPortRanges = [ { from = ftpPasvMinPort; to = ftpPasvMaxPort; } ]; + }; + + services.nginx = { + enable = true; + virtualHosts."${domain}" = { + locations."/" = { + proxyPass = "http://127.0.0.1:${toString paperlessPort}"; + proxyWebsockets = true; + extraConfig = '' + proxy_read_timeout 300s; + proxy_set_header Host ''$host; + proxy_set_header X-Forwarded-For ''$remote_addr; + ''; + }; + }; + }; + + containers."paperless" = { + autoStart = true; + ephemeral = true; + + tmpfs = [ "/tmp:size=2G" ]; + + bindMounts."${containerStateDir}" = { + hostPath = hostStateDir; + isReadOnly = false; + }; + + config = { config, pkgs, ... 
}: { + networking.firewall.enable = false; + + users.users."paperless".extraGroups = [ "ftp" ]; + + services.paperless = { + enable = true; + dataDir = "/data"; + consumptionDir = "/data/ftp/consume"; + consumptionDirIsPublic = true; + port = paperlessPort; + extraConfig = { + PAPERLESS_OCR_LANGUAGE = "deu+eng"; + PAPERLESS_ALLOWED_HOSTS = "${domain}"; + PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${domain}"; + PAPERLESS_CORS_ALLOWED_HOSTS = "http://${domain}"; + + }; + }; + + services.vsftpd = { + enable = true; + anonymousUser = true; + anonymousUserNoPassword = true; + anonymousUserHome = "/data/ftp"; + anonymousUploadEnable = true; + anonymousUmask = "007"; + writeEnable = true; + extraConfig = '' + listen=YES + listen_ipv6=NO + listen_port=${toString ftpListenPort} + chown_uploads=YES + chown_username=paperless + download_enable=NO + pasv_min_port=${toString ftpPasvMinPort} + pasv_max_port=${toString ftpPasvMaxPort} + ''; + }; + + systemd.services.nextcloud-autosync = { + unitConfig = { + Description = "Auto sync Nextcloud"; + After = "network-online.target"; + }; + serviceConfig = { + User = "paperless"; + Type = "simple"; + ExecStart= "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path Documents/_paperless /data/media/documents https://data.gssws.de"; + TimeoutStopSec = "180"; + KillMode = "process"; + KillSignal = "SIGINT"; + }; + wantedBy = ["multi-user.target"]; + }; + systemd.timers.nextcloud-autosync = { + unitConfig.Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes"; + timerConfig.OnUnitActiveSec = "60min"; + wantedBy = ["multi-user.target" "timers.target"]; + }; + }; + }; + } diff --git a/hosts/cube/configuration.nix b/hosts/cube/configuration.nix index 60701de5..7ba483fb 100644 --- a/hosts/cube/configuration.nix +++ b/hosts/cube/configuration.nix @@ -13,7 +13,7 @@ ./wireguard.nix ./invoiceplane.nix - ./tang.nix + #./tang.nix #./whiteboard.nix ]; 
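Review bot: The vsftpd block accepts anonymous, password-less uploads (`anonymousUserNoPassword = true`, `anonymousUploadEnable = true`) while the host firewall opens `ftpListenPort` and the whole passive range on every interface, so anything that can reach cox can drop files into the paperless consumption directory. The container declares no private network in this file, so it appears to share the host's interfaces. Scope the ports to the LAN-facing interface with `networking.firewall.interfaces."<lan-interface>".allowedTCPPorts = [ httpPort ftpListenPort ];` plus the matching `allowedTCPPortRanges`, or replace the anonymous account with a dedicated upload user. The web UI is served over plain HTTP on port 80, so paperless logins cross the network unencrypted. The timer description promises a first run five minutes after boot, but only `OnUnitActiveSec` is set; `timerConfig.OnBootSec = "5min";` would make the unit match its description.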
diff --git a/hosts/cube/hardware-configuration.nix b/hosts/cube/hardware-configuration.nix index 4cacc166..61cb3929 100644 --- a/hosts/cube/hardware-configuration.nix +++ b/hosts/cube/hardware-configuration.nix @@ -15,6 +15,8 @@ boot.extraModulePackages = [ ]; boot.extraModprobeConfig = "options kvm_intel nested=1"; + boot.kernelPackages = pkgs.linuxPackages_6_1; + fileSystems."/" = { device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00"; diff --git a/hosts/cube/nextcloud-apps.nix b/hosts/cube/nextcloud-apps.nix index ed23d7ac..f478c162 100644 --- a/hosts/cube/nextcloud-apps.nix +++ b/hosts/cube/nextcloud-apps.nix 
@@ -1,98 +1,84 @@ { self, pkgs, config, lib, ... }: +let + notify_push = pkgs.fetchzip { + sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls="; + url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz"; + }; +in { - services.nextcloud.extraApps = { - "bookmarks" = pkgs.fetchzip { - sha256 = "sha256-sX/2cd0lw2/fHwFUG3WUJ6E0AUzPqELHWCcdOYIbFzA="; - url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.3/bookmarks-11.0.3.tar.gz"; + systemd.services.nextcloud-notify-push = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Environment = [ + "PORT=7867" + "NEXTCLOUD_URL=https://data.gssws.de" + ]; + ExecStart = "${notify_push}/bin/x86_64/notify_push /mnt/internal/nextcloud/config/config.php"; + User = "nextcloud"; }; + }; + + services.nextcloud.extraApps = with pkgs.nextcloud25Packages.apps; { + inherit bookmarks calendar contacts deck keeweb news tasks; + inherit notify_push; + "bruteforcesettings" = pkgs.fetchzip { sha256 = "8Sev4B7AOzLGPX6a4in0BEXJ5oL6m2EYGuBExSCnfok="; url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz"; }; - "calendar" = pkgs.fetchzip { - sha256 = "JBFujtDVRWn6ELl7fZU80go86/WLln5oRJTupTz9//s="; - url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz"; - }; - "contacts" = pkgs.fetchzip { - sha256 = "eTc51pkg3OdHJB7X4/hD39Ce+9vKzw1nlJ7BhPOzdy0="; - url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz"; - }; "cookbook" = pkgs.fetchzip { - sha256 = "QBmzGtjH8vciUxiku1HGnWw0P0oCySilEWciLoslDAU="; - url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz"; + sha256 = "j7nAprAIY4NMPD6kXfmXVW+PgpRiyx5SRPSe6IEB/vY="; + url = "https://github.com/nextcloud/cookbook/releases/download/v0.10.1/Cookbook-0.10.1.tar.gz"; }; "cospend" = pkgs.fetchzip { - sha256 = 
"Vtg7CVf8KxGbFk9ghTvy86xOh9PD7o/c2//2mqqHARA="; - url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.4.10/cospend-1.4.10.tar.gz"; - }; - "deck" = pkgs.fetchzip { - sha256 = "hK+uI4Qolx37FYeY7m8BXheEIWp3I4cFooMUnpuVfOk="; - url = "https://github.com/nextcloud-releases/deck/releases/download/v1.7.1/deck-v1.7.1.tar.gz"; + sha256 = "vGjK9Sy+q4ycS5MWeTTrwDGPTOp6t4leH+rF/Y54d0c="; + url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.5.5/cospend-1.5.5.tar.gz"; }; "files_accesscontrol" = pkgs.fetchzip { - sha256 = "D9hVQrOMPsyTBbr7B92aePzUOYpnNu5XnpqK4W86514="; - url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.14.1/files_accesscontrol-v1.14.1.tar.gz"; + sha256 = "34goKXWLUym5p7alby3WEyFzr346psHUeJ/+OZtfGmc="; + url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.15.1/files_accesscontrol-v1.15.1.tar.gz"; }; "files_automatedtagging" = pkgs.fetchzip { - sha256 = "MdS63VELoM7kGzjzbEKfcH1KqX98KyGvDEvLgwvVld0="; - url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz"; + sha256 = "PmcqHojtfww3wNIFoLM+hVXAjoo4zqzK6sUMeveHYa0="; + url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.15.0/files_automatedtagging-v1.15.0.tar.gz"; }; "files_fulltextsearch" = pkgs.fetchzip { - sha256 = "+1asXhTn62fpUlIi+B9ALKdrXxaYYymfhxPTB+C5obM="; - url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/v24.0.1/files_fulltextsearch-v24.0.1.tar.gz"; - }; - "files_markdown" = pkgs.fetchzip { - sha256 = "vv/PVDlQOm7Rjhzv8KXxkGpEnyidrV2nsl+Z2fdAFLY="; - url = "https://github.com/icewind1991/files_markdown/releases/download/v2.3.6/files_markdown.tar.gz"; + sha256 = "DEl/CbCvwiWvkNQOuKtHWzifq3AMrhL5wLHmSMuL4TU="; + url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/25.0.0/files_fulltextsearch-25.0.0.tar.gz"; }; "files_mindmap" = 
pkgs.fetchzip { - sha256 = "gJK+XCWDc1jpHZBR0NL6UdHab9V/X/tRNmSw5tl751Q="; - url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.26/files_mindmap-0.0.26.tar.gz"; + sha256 = "/u1H2QvyKfdGjelFAkLc3rRGQlm3T+OajAbpUF0+cdY="; + url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.27/files_mindmap-0.0.27.tar.gz"; }; "fulltextsearch" = pkgs.fetchzip { - sha256 = "6uZhK4rItVqIJfEpOWxgmVXYsWMeHKxHQ8GY/g5Wj/s="; - url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/v24.0.0/fulltextsearch-v24.0.0.tar.gz"; + sha256 = "1LVo5Cv6Gf4M/laVlHfm5wAQ8I8EsdLIThVm/jUj6uA="; + url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/25.0.0/fulltextsearch-25.0.0.tar.gz"; }; "groupfolders" = pkgs.fetchzip { - sha256 = "99DqybcYR2tTSNFyZ6QtIQmd3XyHyFy2PL1fGsq48kQ="; - url = "https://github.com/nextcloud/groupfolders/releases/download/v12.0.2/groupfolders.tar.gz"; - }; - "impersonate" = pkgs.fetchzip { - sha256 = "XevbFa2Xyu0qAwtpvSd9CulsejrBj4AeIkV7GuWoOMw="; - url = "https://github.com/nextcloud-releases/impersonate/releases/download/v1.11.0/impersonate-v1.11.0.tar.gz"; - }; - "keeweb" = pkgs.fetchzip { - sha256 = "Fdx3+APQaJQ/uQH/gnkiPmsOqzX5GNJWjPfTyUobtfA="; - url = "https://github.com/jhass/nextcloud-keeweb/releases/download/v0.6.9/keeweb-0.6.9.tar.gz"; + sha256 = "CGGt5QEzdJqOJywZQTQYeKIy/2JhHYGACHrfAmH9LD0="; + url = "https://github.com/nextcloud-releases/groupfolders/releases/download/v13.1.0/groupfolders-v13.1.0.tar.gz"; }; "maps" = pkgs.fetchzip { - sha256 = "2w7Mm+L9cHYq9BLpBpWhMv+V4h3OKCh68Cl6iHt65js="; - url = "https://github.com/nextcloud/maps/releases/download/v0.2.1/maps-0.2.1.tar.gz"; - }; - "news" = pkgs.fetchzip { - sha256 = "jbuqQJWLdE0olIaXLzjUEsPON4ZzMe9RKpH50HZZQsc="; - url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz"; - }; - "notes" = pkgs.fetchzip { - sha256 = "WdteA8pDSZ7ba+kngmveHC2KgzyLSB+PomFEZ7/uCC0="; - url = 
"https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz"; + sha256 = "8HNew2sIlMd+wt2a6jXa1tZpub56AnB5gfBs/cYlkcI="; + url = "https://github.com/nextcloud/maps/releases/download/v0.2.4/maps-0.2.4.tar.gz"; }; + #"notify_push" = pkgs.fetchzip { + # sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls="; + # url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz"; + #}; "quota_warning" = pkgs.fetchzip { - sha256 = "ugiz1/dhpRoL401h/u3fQykP5zBqVby3nhHfQwyIIIQ="; - url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.14.0/quota_warning-v1.14.0.tar.gz"; + sha256 = "If4tW4yJbJ1xgfOyN0wxcgHLxXUrtKPdphRhbQOM6b4="; + url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.15.0/quota_warning-v1.15.0.tar.gz"; }; "richdocuments" = pkgs.fetchzip { - sha256 = "4B0johygJOiC/nbXiW5KU+7hweCin//rUGfFprYzRQU="; - url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v6.2.0/richdocuments-v6.2.0.tar.gz"; - }; - "tasks" = pkgs.fetchzip { - sha256 = "HMNd8U2KsSzT5xCKh/mA5GwIfYIcA6KTFVF3ca8xc2A="; - url = "https://github.com/nextcloud/tasks/releases/download/v0.14.4/tasks.tar.gz"; - }; - "twofactor_totp" = pkgs.fetchzip { - sha256 = "F7h2VytPLwkVZxJZd1o9pWuhndh02z3i0pOUw5kzBIU="; - url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.0/twofactor_totp-v6.4.0.tar.gz"; + sha256 = "I6Y3lyZADiUCpmnkRS7Muc54uOOvKpWdlQ189EKzesA="; + url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v7.0.2/richdocuments-v7.0.2.tar.gz"; }; + #"twofactor_totp" = pkgs.fetchzip { + # sha256 = "p3Ft3sQ/2HPXCFE03dm8pBL39b7bWCi2iAxHkbOK2V4="; + # url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz"; + #}; }; } diff --git a/hosts/cube/nextcloud.nix b/hosts/cube/nextcloud.nix index 025bf706..af0bdd53 100644 --- a/hosts/cube/nextcloud.nix 
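Review bot: `twofactor_totp` and `impersonate` drop out of `extraApps` in this hunk, and the TOTP entry survives only as a commented-out block, so confirm before deploying that accounts enrolled in TOTP still have a working second factor on the Nextcloud 25 package. If the app is now provided some other way, replace the dead block with a short comment such as `# twofactor_totp: provided by <source>, not fetched here`. The `inherit notify_push;` line resolves to the `let`-bound `fetchzip`, not to anything from `with pkgs.nextcloud25Packages.apps`, because `let` bindings take precedence over `with`; renaming the binding (for example `notifyPushSrc`) and writing `notify_push = notifyPushSrc;` makes that explicit. The new `nextcloud-notify-push` unit hard-codes `PORT=7867`, which is repeated as `notifyPushPort` in nextcloud.nix.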
+++ b/hosts/cube/nextcloud.nix @@ -1,5 +1,8 @@ { self, pkgs, config, lib, ... }: +let + notifyPushPort = 7867; +in { imports = [ ./nextcloud-apps.nix @@ -28,6 +31,11 @@ virtualHosts."data.gssws.de" = { enableACME = true; forceSSL = true; + + locations."^~ /push/" = { + proxyPass = "http://127.0.0.1:${toString notifyPushPort}"; + proxyWebsockets = true; + }; }; }; @@ -103,7 +111,7 @@ }; services.nextcloud = { enable = true; - package = pkgs.nextcloud24; + package = pkgs.nextcloud25; hostName = "data.gssws.de"; https = true; datadir = "/mnt/internal/nextcloud"; diff --git a/hosts/cube/tang-container.nix b/hosts/cube/tang-container.nix new file mode 100644 index 00000000..93f0d6de --- /dev/null +++ b/hosts/cube/tang-container.nix 
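Review bot: In the new `locations."^~ /push/"` block the `proxyPass` value has no URI part, so nginx forwards the request path unchanged, `/push/` prefix included; if notify_push expects the prefix stripped, this needs a trailing slash: `proxyPass = "http://127.0.0.1:${toString notifyPushPort}/";`. Please check this against the notify_push setup instructions and with a test client before relying on it. `notifyPushPort` also duplicates the `PORT=7867` literal in nextcloud-apps.nix; defining the port once and using it in both files keeps the proxy and the service from drifting apart.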
@@ -0,0 +1,64 @@ +{ pkgs, config, ... }: + +let + containerStateDir = "/data"; + hostStateDir = "/opt/tangd"; + domain = ""; + serviceAddress = "10.10.42.12"; +in +{ + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${serviceAddress}:${toString servicePort}"; + }; + }; + + containers."tang" = { + autoStart = true; + ephemeral = true; + bindMounts."${containerStateDir}" = { + hostPath = hostStateDir; + isReadOnly = false; + }; + + config = { config, pkgs, ... }: { + networking.firewall.enable = false; + + users.groups."_tang" = {} ; + + users.users."_tang" = { + group = "_tang"; + isSystemUser = true; + }; + + environment.systemPackages = [ "${pkgs.jose}" ]; + + systemd.services."tangd@" = { + enable = true; + serviceConfig = { + ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\""; + ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db"; + StandardInput = "socket"; + StandardOutput = "socket"; + StandardError = "journal"; + User = "_tang"; + Group = "_tang"; + }; + }; + + systemd.sockets."tangd" = { + enable = true; + listenStreams = [ "${toString servicePort}" ]; + wantedBy = [ "sockets.target" ]; + socketConfig = { + Accept = true; + }; + }; + + system.stateVersion = "22.11"; + }; + + }; +} diff --git a/hosts/cube/tang.nix b/hosts/cube/tang.nix new file mode 100644 index 00000000..4492a113 --- /dev/null +++ b/hosts/cube/tang.nix @@ -0,0 +1,23 @@ +{ self, config, pkgs, ... }: + +let + domain = "t.gssws.de"; + servicePort = 63080; +in +{ + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${builtins.toString(servicePort)}"; + }; + }; + + virtualisation.oci-containers.containers."tang" = { + image = "cloggo/tangd"; + ports = [ "127.0.0.1:${builtins.toString(servicePort)}:8080" ]; + environment = { + IP_WHITELIST = "172.17.0.1"; + }; + }; +} 
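Review bot: `servicePort` is used in `proxyPass` and in `listenStreams` of hosts/cube/tang-container.nix, but the `let` block defines only `containerStateDir`, `hostStateDir`, `domain` and `serviceAddress`, so importing this file fails with an undefined variable. `domain = ""` additionally produces an nginx virtual host with an empty name that requests an ACME certificate. Add `servicePort = <port>;` and a real host name to the `let` block. The container disables its own firewall and declares no private network, so the Tang socket appears to listen on all of the host's addresses; `listenStreams = [ "${serviceAddress}:${toString servicePort}" ];` would keep it reachable only where the proxy expects it.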
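Review bot: `image = "cloggo/tangd"` in hosts/cube/tang.nix pulls an untagged third-party image, so whatever is published under that name at pull time ends up holding the Tang keys; pin it by digest, `image = "cloggo/tangd@sha256:<digest>";`. `IP_WHITELIST = "172.17.0.1"` presumably matches the bridge gateway address that requests proxied by the host arrive from, which would mean every client that reaches the nginx vhost passes the check; if access is meant to be limited, the restriction has to be expressed in the nginx location. `builtins.toString(servicePort)` works, but `toString servicePort` is the form the other new files in this patch use.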
diff --git a/hosts/falcone/configuration.nix b/hosts/falcone/configuration.nix index 6383f78f..b877e8fe 100644 --- a/hosts/falcone/configuration.nix +++ b/hosts/falcone/configuration.nix @@ -12,20 +12,9 @@ pub-solar.core.disk-encryption-active = false; - boot.loader.timeout = lib.mkForce 0; - - boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; - - boot.loader.grub = { - enable = lib.mkForce true; - efiSupport = true; - efiInstallAsRemovable = true; - device = "nodev"; - - extraInstallCommands = '' - cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/ - ''; - }; + boot.loader.grub.enable = lib.mkForce false; + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.loader.generic-extlinux-compatible.enable = lib.mkForce true; # Set your time zone. time.timeZone = "Europe/Berlin"; @@ -35,13 +24,15 @@ # replicates the default behaviour. networking.useDHCP = false; networking.interfaces.eth0.useDHCP = true; - networking.interfaces.wlan0.useDHCP = false; networking.networkmanager.enable = lib.mkForce false; - boot.loader.systemd-boot.enable = lib.mkForce false; + boot.initrd.network = { + enable = true; + }; + # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ 2380 6443 ]; + #networking.firewall.allowedTCPPorts = [ ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; diff --git a/hosts/falcone/hardware-configuration.nix b/hosts/falcone/hardware-configuration.nix index 8815265a..f19e768c 100644 --- a/hosts/falcone/hardware-configuration.nix +++ b/hosts/falcone/hardware-configuration.nix 
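Review bot: `boot.initrd.network.enable = true` in the second hunk brings up networking in stage 1, yet nothing visible here consumes it and `pub-solar.core.disk-encryption-active` is `false` on this host. Add a comment stating what it is for, such as `# stage-1 network for <purpose>`, or leave the block out until its consumer is added. The commented-out `#networking.firewall.allowedTCPPorts = [ ];` line can simply be deleted, since an absent option and an empty list behave the same.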
@@ -16,20 +16,26 @@ #boot.initrd.supportedFilesystems = [ "zfs" ]; #boot.supportedFilesystems = [ "zfs" ]; - #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_19; fileSystems."/" = - { device = "/dev/disk/by-label/NIXOS_SD"; + { + device = "/dev/disk/by-uuid/9f3208ae-ee05-44b8-a0bc-dc1e7499bdb8"; fsType = "ext4"; }; + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/997A-7FBA"; + fsType = "vfat"; + }; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = false; networking.interfaces.eth0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; } diff --git a/hosts/giggles/configuration.nix b/hosts/giggles/configuration.nix index 5e8d9f36..69aceb0e 100644 --- a/hosts/giggles/configuration.nix +++ b/hosts/giggles/configuration.nix @@ -10,6 +10,7 @@ # Include the results of the hardware scan. ./hardware-configuration.nix ./home-controller.nix + ./tang-container.nix ]; boot.loader.timeout = 0; diff --git a/hosts/giggles/hardware-configuration.nix b/hosts/giggles/hardware-configuration.nix index cfc5cf70..fafd29f4 100644 --- a/hosts/giggles/hardware-configuration.nix +++ b/hosts/giggles/hardware-configuration.nix 
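Review bot: `boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_19;` pins hosts/falcone to a non-LTS kernel series that, as far as I know, stopped receiving upstream stable releases in late 2022, and `mkForce` prevents any profile default from replacing it. If the pin is only there for hardware support, prefer a maintained set such as `pkgs.linuxPackages_latest` (which hosts/giggles/hardware-configuration.nix uses in this commit) or an LTS attribute, and add a comment such as `# pinned for <reason>; drop once <condition>` so the pin does not outlive its purpose. The enclosing attribute set starts outside the hunk.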
@@ -5,57 +5,53 @@ { imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") + [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "uas" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - boot.initrd.supportedFilesystems = [ "zfs" ]; - boot.supportedFilesystems = [ "zfs" ]; - boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.supportedFilesystems = [ ]; - boot.initrd.luks.devices = { - cryptroot = { - device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2"; - keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1"; - bypassWorkqueues = true; - fallbackToPassword = true; - }; + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + boot.loader.efi.canTouchEfiVariables = false; + + boot.loader.systemd-boot.enable = false; + boot.loader.generic-extlinux-compatible.enable = false; + boot.loader.timeout = 0; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/5edec8af-5f84-4d9f-9755-8abbb55e00af"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1"; + fallbackToPassword = true; + bypassWorkqueues = true; }; fileSystems."/" = - { - device = "zroot/root"; - fsType = "zfs"; + { device = "/dev/disk/by-label/root"; + fsType = "ext4"; }; fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/2F05-9B4A"; + { device = "/dev/disk/by-label/boot"; fsType = "vfat"; }; - fileSystems."/var/lib/rancher/k3s/storage" = - { - device = "zroot/kubernetes-localstorage"; - fsType = "zfs"; - }; - swapDevices = - [{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }]; + [ { device = "/dev/disk/by-label/swap"; } + ]; - # Enables DHCP on each ethernet and wireless 
interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = false; - networking.interfaces.eth0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; - networking.hostId = "71f2d82a"; + networking.interfaces.enabcm6e4ei0.useDHCP = true; + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; } diff --git a/hosts/giggles/home-controller.nix b/hosts/giggles/home-controller.nix index ac7cfc01..bb82e219 100644 --- a/hosts/giggles/home-controller.nix +++ b/hosts/giggles/home-controller.nix @@ -2,7 +2,6 @@ { config = { - age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age"; pub-solar.home-controller = { diff --git a/hosts/giggles/lrad.nix b/hosts/giggles/lrad.nix new file mode 100644 index 00000000..3979ba4f --- /dev/null +++ b/hosts/giggles/lrad.nix 
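Review bot: In hosts/giggles/hardware-configuration.nix the root, boot and swap devices move from `by-uuid` paths to `/dev/disk/by-label/root`, `/dev/disk/by-label/boot` and `/dev/disk/by-label/swap`; labels are not unique, so another filesystem carrying the same label (for example removable media present at boot) can make the symlink resolve to a device other than the intended one. This host already depends on a USB stick for `keyFile`, so removable media at boot is part of its normal operation. Keeping UUID-based paths, as the new `cryptroot` entry does with `device = "/dev/disk/by-uuid/5edec8af-5f84-4d9f-9755-8abbb55e00af";`, avoids the ambiguity; for `/` the mapper path of the unlocked volume would tie the mount to `cryptroot` explicitly, assuming root lives inside it.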
@@ -0,0 +1,47 @@
+{ pkgs, config, ... }:
+
+let
+ serviceAddress = "10.10.41.11";
+ containerStateDir = "/data";
+ hostStateDir = "/srv/container/lrad";
+in
+{
+ containers."lrad" = {
+ privateNetwork = true;
+ hostAddress = "10.10.41.1";
+ localAddress = serviceAddress;
+
+ bindMounts."${containerStateDir}" = {
+ hostPath = hostStateDir;
+ isReadOnly = false;
+ };
+
+ config = { config, pkgs, ... }: {
+ networking.firewall.allowedTCPPorts = [ 63080 ];
+
+ #users.users."tang".isSystemUser = true;
+
+ systemd.services."tangd" = {
+ enable = true;
+ # TODO: require data/tangd to exist
+ serviceConfig = {
+ ExecStart = "${pkgs.tang}/bin/tangd ${containerStateDir}/data/tangd";
+ StandardInput = "socket";
+ StandardOutput = "socket";
+ StandardError = "journal";
+ User = "tang";
+ };
+ };
+
+ systemd.sockets."tangd" = {
+ enable = true;
+ listenStreams = [ "63080" ];
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ Accept = true;
+ };
+ };
+ };
+
+ };
+}
diff --git a/hosts/giggles/tang-container.nix b/hosts/giggles/tang-container.nix
new file mode 100644
index 00000000..4f1d40cd
--- /dev/null
+++ b/hosts/giggles/tang-container.nix
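Review bot: In hosts/giggles/lrad.nix the socket sets `Accept = true`, for which systemd starts instances of a template unit named `tangd@`, but the service is declared as `systemd.services."tangd"`, so accepted connections would have no matching unit; both tang-container.nix files in this commit use `systemd.services."tangd@"`. `User = "tang"` refers to an account whose only definition is the commented-out `#users.users."tang".isSystemUser = true;`, so define a dedicated user and group as the other files do (`users.users."_tang" = { group = "_tang"; isSystemUser = true; };`) rather than risk someone "fixing" the start failure by dropping `User`. `ExecStart` points at `${pkgs.tang}/bin/tangd` while the other two files use `${pkgs.tang}/libexec/tangd`, so one of the paths is presumably wrong for the packaged version. The `# TODO: require data/tangd to exist` could be resolved with a `systemd.tmpfiles.rules` entry that creates the directory owned by the service user with a restrictive mode, since it holds the Tang private keys.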
@@ -0,0 +1,54 @@ +{ pkgs, config, ... }: + +let + containerStateDir = "/data"; + hostStateDir = "/opt/tangd"; + servicePort = 8081; +in +{ + networking.firewall.allowedTCPPorts = [ servicePort ]; + + containers."tang" = { + autoStart = true; + ephemeral = true; + bindMounts."${containerStateDir}" = { + hostPath = hostStateDir; + isReadOnly = false; + }; + + config = { config, pkgs, ... }: { + networking.firewall.enable = false; + + users.groups."_tang" = {} ; + + users.users."_tang" = { + group = "_tang"; + isSystemUser = true; + }; + + environment.systemPackages = with pkgs; [ jose tang ]; + + systemd.services."tangd@" = { + enable = true; + serviceConfig = { + ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\""; + ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db"; + User = "_tang"; + Group = "_tang"; + }; + }; + + systemd.sockets."tangd" = { + enable = true; + listenStreams = [ "${toString servicePort}" ]; + wantedBy = [ "sockets.target" ]; + socketConfig = { + Accept = true; + }; + }; + + system.stateVersion = "22.11"; + }; + + }; +} diff --git a/modules/home-controller/default.nix b/modules/home-controller/default.nix index 5e410765..a0562286 100644 --- a/modules/home-controller/default.nix +++ b/modules/home-controller/default.nix @@ -6,7 +6,7 @@ let in { imports = [ - ./k3s.nix + #./k3s.nix ./wireguard.nix ]; diff --git a/modules/terminal-life/default.nix b/modules/terminal-life/default.nix index ae1eeb90..3531be4e 100644 --- a/modules/terminal-life/default.nix +++ b/modules/terminal-life/default.nix @@ -38,6 +38,8 @@ in { home-manager = with pkgs; pkgs.lib.setAttrByPath ["users" psCfg.user.name] { home.packages = [ + watson + ] ++ lib.optionals (!cfg.lite) [ ack asciinema bat diff --git a/modules/terminal-life/nvim/default.nix b/modules/terminal-life/nvim/default.nix index 89a5624a..9f173db1 100644 --- a/modules/terminal-life/nvim/default.nix +++ b/modules/terminal-life/nvim/default.nix 
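Review bot: In hosts/giggles/tang-container.nix, `networking.firewall.allowedTCPPorts = [ servicePort ];` opens port 8081 on every host interface, and with no `privateNetwork` on the container the tangd socket appears to listen in the host namespace on all addresses; if only one network needs to unlock disks, scope the rule with `networking.firewall.interfaces."<lan-interface>".allowedTCPPorts = [ servicePort ];`. The `tangd@` service here omits `StandardInput = "socket";` and `StandardOutput = "socket";`, which hosts/cube/tang-container.nix sets, so the per-connection process would presumably not be attached to the accepted connection. `ExecStartPre` runs `mkdir -p` as `_tang` inside the bind mount, so `/opt/tangd` on the host must already be writable by that uid; a `systemd.tmpfiles.rules` entry with a restrictive mode would make that explicit and keep the key directory unreadable to other accounts.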
@@ -10,7 +10,7 @@ preview-file = pkgs.writeShellScriptBin "preview-file" (import ./preview-file.nix pkgs); in { - enable = true; + enable = lib.mkIf (!cfg.lite) true; viAlias = true; vimAlias = true; diff --git a/overlays/tang.nix b/overlays/tang.nix new file mode 100644 index 00000000..9a6802d9 --- /dev/null +++ b/overlays/tang.nix @@ -0,0 +1,13 @@ +final: prev: { + tang = prev.tang.overrideAttrs (oldAttrs: rec { + pname = "tang"; + version = "11"; + + src = prev.fetchFromGitHub { + owner = "latchset"; + repo = pname; + rev = "v${version}"; + sha256 = ""; + }; + }); +} diff --git a/pkgs/_sources/generated.json b/pkgs/_sources/generated.json new file mode 100644 index 00000000..aad71523 --- /dev/null +++ b/pkgs/_sources/generated.json 
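Review bot: In overlays/tang.nix, `sha256 = "";` leaves the `fetchFromGitHub` source for `v${version}` without a content hash, so the overlay does not pin what gets built as the Tang server, and current Nix is expected to reject the fetch with a hash mismatch until it is filled in. Set it to the hash of the tag after checking it against the upstream release, `sha256 = "<sha256 of latchset/tang v11>";`, rather than copying whatever the first failed build prints without a second source. `rec` together with `pname = "tang";` exists only to feed `repo = pname`; `repo = "tang";` without `rec` reads more plainly inside `overrideAttrs`. A comment naming the reason for the version override would show when the overlay can be dropped.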
@@ -0,0 +1,230 @@ +{ + "F-Sy-H": { + "cargoLocks": null, + "extract": null, + "name": "F-Sy-H", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "z-shell", + "repo": "F-Sy-H", + "rev": "81315330ff4eb4bc13b03fe6ec5bbb6fee0f27ac", + "sha256": "sha256-2b/O/1SIhKgqHYjwy7yPCEb3EMXgkIvOk+FC4PbuQ8c=", + "type": "github" + }, + "version": "81315330ff4eb4bc13b03fe6ec5bbb6fee0f27ac" + }, + "instant-nvim-nvfetcher": { + "cargoLocks": null, + "extract": null, + "name": "instant-nvim-nvfetcher", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "jbyuki", + "repo": "instant.nvim", + "rev": "294b6d08143b3db8f9db7f606829270149e1a786", + "sha256": "sha256-DXJWji/NR8ZCxe014rD51v3EHJHMhRQeOoI3SsY8mR4=", + "type": "github" + }, + "version": "294b6d08143b3db8f9db7f606829270149e1a786" + }, + "manix": { + "cargoLocks": null, + "extract": null, + "name": "manix", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "mlvzk", + "repo": "manix", + "rev": "d08e7ca185445b929f097f8bfb1243a8ef3e10e4", + "sha256": "sha256-GqPuYscLhkR5E2HnSFV4R48hCWvtM3C++3zlJhiK/aw=", + "type": "github" + }, + "version": "d08e7ca185445b929f097f8bfb1243a8ef3e10e4" + }, + "ohmyzsh": { + "cargoLocks": null, + "extract": null, + "name": "ohmyzsh", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "ohmyzsh", + "repo": "ohmyzsh", + "rev": "4181e8a2cc936bc7b7a89d674bf261023159ed35", + "sha256": "sha256-kne/2ErEqUqBx1xzQrvk6scrhOZYJDlUnNOlx0MbqNQ=", + "type": "github" + }, + "version": "4181e8a2cc936bc7b7a89d674bf261023159ed35" + }, + "powerlevel10k": { + "cargoLocks": null, + "extract": null, + "name": "powerlevel10k", + 
"passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "romkatv", + "repo": "powerlevel10k", + "rev": "35165798a83e2e4f2f0aa6c820e2f7fba23e0179", + "sha256": "sha256-tThgRiE0iZH84yTSGtNxfFemLocbg71McAKyT7YWG8U=", + "type": "github" + }, + "version": "35165798a83e2e4f2f0aa6c820e2f7fba23e0179" + }, + "rnix-lsp-nvfetcher": { + "cargoLocks": null, + "extract": null, + "name": "rnix-lsp-nvfetcher", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "nix-community", + "repo": "rnix-lsp", + "rev": "95d40673fe43642e2e1144341e86d0036abd95d9", + "sha256": "sha256-F0s0m62S5bHNVWNHLZD6SeHiLrsDx98VQbRjDyIu+qQ=", + "type": "github" + }, + "version": "95d40673fe43642e2e1144341e86d0036abd95d9" + }, + "vim-apprentice-nvfetcher": { + "cargoLocks": null, + "extract": null, + "name": "vim-apprentice-nvfetcher", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "romainl", + "repo": "Apprentice", + "rev": "9942d0bb0a5d82f7a24450b00051c1f2cc008659", + "sha256": "sha256-Xs+vTdnihNbBFPOKsW+NB40pqN9eaadqzc0DIeNoOFo=", + "type": "github" + }, + "version": "9942d0bb0a5d82f7a24450b00051c1f2cc008659" + }, + "vim-beautify-nvfetcher": { + "cargoLocks": null, + "extract": null, + "name": "vim-beautify-nvfetcher", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "zeekay", + "repo": "vim-beautify", + "rev": "e0691483927dc5a0c051433602397419f9628623", + "sha256": "sha256-QPTCl6KaGcAjTS5yVDov9yxmv0fDaFoPLMsrtVIG6GQ=", + "type": "github" + }, + "version": "e0691483927dc5a0c051433602397419f9628623" + }, + "vim-caddyfile-nvfetcher": { + "cargoLocks": null, + "extract": null, + "name": "vim-caddyfile-nvfetcher", + 
"passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "isobit", + "repo": "vim-caddyfile", + "rev": "24fe0720551883e407cb70ae1d7c03f162d1d5a0", + "sha256": "sha256-rRYv3vnt31g7hNTxttTD6BWdv5JJ+ko3rPNyDUEOZ9o=", + "type": "github" + }, + "version": "24fe0720551883e407cb70ae1d7c03f162d1d5a0" + }, + "vim-workspace-nvfetcher": { + "cargoLocks": null, + "extract": null, + "name": "vim-workspace-nvfetcher", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "thaerkh", + "repo": "vim-workspace", + "rev": "c26b473f9b073f24bacecd38477f44c5cd1f5a62", + "sha256": "sha256-XV7opLyfkHIDO0+JJaO/x0za0gsHuklrzapTGdLHJmI=", + "type": "github" + }, + "version": "c26b473f9b073f24bacecd38477f44c5cd1f5a62" + }, + "vimagit-nvfetcher": { + "cargoLocks": null, + "extract": null, + "name": "vimagit-nvfetcher", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "jreybert", + "repo": "vimagit", + "rev": "308650ddc1e9a94e49fae0ea04bbc1c45f23d4c4", + "sha256": "sha256-fhazQQqyFaO0fdoeNI9nBshwTDhKNHH262H/QThtuO0=", + "type": "github" + }, + "version": "308650ddc1e9a94e49fae0ea04bbc1c45f23d4c4" + }, + "zsh-nix-shell": { + "cargoLocks": null, + "extract": null, + "name": "zsh-nix-shell", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "chisui", + "repo": "zsh-nix-shell", + "rev": "af6f8a266ea1875b9a3e86e14796cadbe1cfbf08", + "sha256": "sha256-BjgMhILEL/qdgfno4LR64LSB8n9pC9R+gG7IQWwgyfQ=", + "type": "github" + }, + "version": "af6f8a266ea1875b9a3e86e14796cadbe1cfbf08" + } +} \ No newline at end of file diff --git a/pkgs/_sources/generated.nix b/pkgs/_sources/generated.nix index eaf5b466..9ea1f2f6 100644 
--- a/pkgs/_sources/generated.nix +++ b/pkgs/_sources/generated.nix @@ -1,5 +1,5 @@ # This file was generated by nvfetcher, please do not modify it manually. -{ fetchgit, fetchurl, fetchFromGitHub, dockerTools }: +{ fetchgit, fetchurl, fetchFromGitHub }: { blesh-nvfetcher = { pname = "blesh-nvfetcher"; 
@@ -18,97 +18,111 @@ instant-nvim-nvfetcher = { pname = "instant-nvim-nvfetcher"; version = "294b6d08143b3db8f9db7f606829270149e1a786"; - src = fetchFromGitHub { + src = fetchFromGitHub ({ owner = "jbyuki"; repo = "instant.nvim"; rev = "294b6d08143b3db8f9db7f606829270149e1a786"; fetchSubmodules = false; sha256 = "sha256-DXJWji/NR8ZCxe014rD51v3EHJHMhRQeOoI3SsY8mR4="; - }; - date = "2022-06-25"; + }); }; manix = { pname = "manix"; version = "d08e7ca185445b929f097f8bfb1243a8ef3e10e4"; - src = fetchFromGitHub { + src = fetchFromGitHub ({ owner = "mlvzk"; repo = "manix"; rev = "d08e7ca185445b929f097f8bfb1243a8ef3e10e4"; fetchSubmodules = false; sha256 = "sha256-GqPuYscLhkR5E2HnSFV4R48hCWvtM3C++3zlJhiK/aw="; - }; - date = "2021-04-20"; + }); + }; + ohmyzsh = { + pname = "ohmyzsh"; + version = "4181e8a2cc936bc7b7a89d674bf261023159ed35"; + src = fetchFromGitHub ({ + owner = "ohmyzsh"; + repo = "ohmyzsh"; + rev = "4181e8a2cc936bc7b7a89d674bf261023159ed35"; + fetchSubmodules = false; + sha256 = "sha256-kne/2ErEqUqBx1xzQrvk6scrhOZYJDlUnNOlx0MbqNQ="; + }); + }; + powerlevel10k = { + pname = "powerlevel10k"; + version = "35165798a83e2e4f2f0aa6c820e2f7fba23e0179"; + src = fetchFromGitHub ({ + owner = "romkatv"; + repo = "powerlevel10k"; + rev = "35165798a83e2e4f2f0aa6c820e2f7fba23e0179"; + fetchSubmodules = false; + sha256 = "sha256-tThgRiE0iZH84yTSGtNxfFemLocbg71McAKyT7YWG8U="; + }); }; rnix-lsp-nvfetcher = { pname = "rnix-lsp-nvfetcher"; version = "95d40673fe43642e2e1144341e86d0036abd95d9"; - src = fetchFromGitHub { + src = fetchFromGitHub ({ owner = "nix-community"; repo = "rnix-lsp"; rev = "95d40673fe43642e2e1144341e86d0036abd95d9"; fetchSubmodules = false; sha256 = "sha256-F0s0m62S5bHNVWNHLZD6SeHiLrsDx98VQbRjDyIu+qQ="; - }; - date = "2022-11-27"; + }); }; vim-apprentice-nvfetcher = { pname = "vim-apprentice-nvfetcher"; - version = "59ad13661fa15edaf72c62218903c7817b5a3691"; - src = fetchFromGitHub { + version = "9942d0bb0a5d82f7a24450b00051c1f2cc008659"; + src = 
fetchFromGitHub ({ owner = "romainl"; repo = "Apprentice"; - rev = "59ad13661fa15edaf72c62218903c7817b5a3691"; + rev = "9942d0bb0a5d82f7a24450b00051c1f2cc008659"; fetchSubmodules = false; - sha256 = "sha256-03B9tmU9+6t2hxhOgZxBqJr9r41CAqhHLUkHYvFdcks="; - }; - date = "2023-02-15"; + sha256 = "sha256-Xs+vTdnihNbBFPOKsW+NB40pqN9eaadqzc0DIeNoOFo="; + }); }; vim-beautify-nvfetcher = { pname = "vim-beautify-nvfetcher"; version = "e0691483927dc5a0c051433602397419f9628623"; - src = fetchFromGitHub { + src = fetchFromGitHub ({ owner = "zeekay"; repo = "vim-beautify"; rev = "e0691483927dc5a0c051433602397419f9628623"; fetchSubmodules = false; sha256 = "sha256-QPTCl6KaGcAjTS5yVDov9yxmv0fDaFoPLMsrtVIG6GQ="; - }; - date = "2018-12-27"; + }); }; vim-caddyfile-nvfetcher = { pname = "vim-caddyfile-nvfetcher"; version = "24fe0720551883e407cb70ae1d7c03f162d1d5a0"; - src = fetchFromGitHub { + src = fetchFromGitHub ({ owner = "isobit"; repo = "vim-caddyfile"; rev = "24fe0720551883e407cb70ae1d7c03f162d1d5a0"; fetchSubmodules = false; sha256 = "sha256-rRYv3vnt31g7hNTxttTD6BWdv5JJ+ko3rPNyDUEOZ9o="; - }; - date = "2022-05-09"; + }); }; vim-workspace-nvfetcher = { pname = "vim-workspace-nvfetcher"; - version = "c0d1e4332a378f58bfdf363b4957168fa78e79b4"; - src = fetchFromGitHub { + version = "c26b473f9b073f24bacecd38477f44c5cd1f5a62"; + src = fetchFromGitHub ({ owner = "thaerkh"; repo = "vim-workspace"; - rev = "c0d1e4332a378f58bfdf363b4957168fa78e79b4"; + rev = "c26b473f9b073f24bacecd38477f44c5cd1f5a62"; fetchSubmodules = false; - sha256 = "sha256-2Brx098dk5THiieBiW71FG9mUUwS1CSY9mpOPWA/Tq4="; - }; - date = "2023-05-28"; + sha256 = "sha256-XV7opLyfkHIDO0+JJaO/x0za0gsHuklrzapTGdLHJmI="; + }); }; vimagit-nvfetcher = { pname = "vimagit-nvfetcher"; version = "308650ddc1e9a94e49fae0ea04bbc1c45f23d4c4"; - src = fetchFromGitHub { + src = fetchFromGitHub ({ owner = "jreybert"; repo = "vimagit"; rev = "308650ddc1e9a94e49fae0ea04bbc1c45f23d4c4"; fetchSubmodules = false; sha256 = 
"sha256-fhazQQqyFaO0fdoeNI9nBshwTDhKNHH262H/QThtuO0="; - }; - date = "2022-07-03"; + }); }; } diff --git a/profiles/base-user/session-variables.nix b/profiles/base-user/session-variables.nix index 9219c7da..e7256a74 100644 --- a/profiles/base-user/session-variables.nix +++ b/profiles/base-user/session-variables.nix @@ -29,7 +29,7 @@ VISUAL = "/etc/profiles/per-user/${psCfg.user.name}/bin/nvim"; # fix "xdg-open fork-bomb" your preferred browser from here - BROWSER = "${pkgs.firefox-wayland}/bin/firefox"; + BROWSER = "firefox"; # node NODE_REPL_HISTORY = "${xdg.dataHome}/node_repl_history"; diff --git a/secrets/home_controller_companion_wireguard_key.age b/secrets/home_controller_companion_wireguard_key.age index 2dff1587..43c1397d 100644 --- a/secrets/home_controller_companion_wireguard_key.age +++ b/secrets/home_controller_companion_wireguard_key.age 
@@ -1,21 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 hPyiJw o4N8NmW8LiDRYhFe/FAjOhNVBrIfR0b/CFdGQsxVtWM -hCLU6rlPPOwIXUEo3XczTLOEOSpzhi8CmUUilpgZjgk --> ssh-ed25519 YFSOsg m1QEvo5sxpXKiz1mqU8vSqOkizROkwDOWTqy/nAbyGA -Je9eJsT4cgyCE/orOfClUSzorzXwQIm1fQWwd5FczWw +-> ssh-ed25519 hPyiJw 6XC5HcC380qjat1hwwxDv6FKtMpoB3YhO6SIE/vY8Bg +3+FZexCmu0LnJ1zhSDi9ALPZyFJQaGWAbDucDGx1p6s +-> ssh-ed25519 YFSOsg fLK2Dm1M/ENMOjtqnIsVgpPxWSLzgQUIJZQgi/Jjj0M +0nAlkBsypGnKILFZw2aH1R7bbLYvwxkkKeoSS13WNT4 -> ssh-rsa 42S2Dw -aznDLPbJy/sfJHsYLt2bt7wzwPEn2NdYDsdxVzOqmZJL/3wVvjHUTaioaIsZBqaf -/HWZYBgMPRIQHXjtGJTQXLFpM2TjEwzJqkIHMJoVq099YWHq/JvZeU+h/d7rXiXC -3I0NSAikvBXa1+X1WPKQrvRBsqhiwnDGUDWXauTzSDu4FHLgAxGU+47xEp1EuJDJ -YdXXMOqFvrN9iokaGlRlOprhVCver2YMDqGSUekbEifJDpyGmCqYOygh9qltLDfd -QQjAIV8E+jYrvG168hMQQzoE8oZRMv7UYATmJ8bdTP244owoeEhiW+g43XWYduv6 -QKIJPlwASiGalUZPsIPoEA --> ssh-ed25519 iHV63A 4RSm0/OwowRHTa0W2Gfbq9LTI4d0gM8macNk3Gntv0g -sN82+hCyatAWEckguYGN0TxvSYDqP5cnY46s9z5JLvY --> ssh-ed25519 t1M4HQ YILk5vPHK6++f9QB3dGMSWoai1b8pBWG/lIC+g2hK3Y -A874dqyb8aTqyIQ54J4MaQYf/psIS4Ixcp23iwA5wwY --> tV2gFP~-grease :{( C-v' cM2 Or?|@#I~ -nhLrAX8v3J/6846qoFDyKf6mUc+qWAmNXOYgu7DnDi9VtBsmDYhhmhzPF6k90YFG -sJKoy1BEcOaLcy8UNGNTnmkQ0qI5Ig6CgPu8ohA1vKYMfTpfsl6nayU ---- ngrcCLqZmP/lqvIuBYgisjkHHjWmrUjApvZMjbLTB/I -Q` ssh-ed25519 iHV63A FNEZUMi2N0//NoOlOzmLVpazAei5zZihjdJe7bu1ang +gb9NLhR3/fAK21wS9WnMWVf8olWqkC+5oO3q4qv59oA +-> ssh-ed25519 loGy+w TU5b9hXkD7fsD4gqs5SRzsr+9JvdoxQXtLOYBYRd4xs +Ay3JIyKb3hLaK8j0vct6MFYQwFxSWyx0hYIU4V8ELOM +-> s5f\-grease 9HT>f/%c +alPwGgblUf62y+1HmKPpS6xE/IC4S575f1bXSACeC4LuWrHTpJ6JEgb0qQ +--- 5uZsg+O17p3GDDwN7/UF/xRat9W5LrCdLFt6gtTnzhs +oE/x6͊\]YqH:oASyyQTk|}2с;HFʝ \ No newline at end of file diff --git a/secrets/home_controller_cox_wireguard_key.age b/secrets/home_controller_cox_wireguard_key.age index 33d3c364..bc3aad5a 100644 --- a/secrets/home_controller_cox_wireguard_key.age +++ b/secrets/home_controller_cox_wireguard_key.age 
@@ -1,24 +1,21 @@ age-encryption.org/v1 --> ssh-ed25519 hPyiJw gZfQvV9HCdO9j5zpwMA5Yl6l6D0YMflyzmZ0v7f34Uo -Cnr79ukKmOLh9ZRY7QknE5fvpXg4ud/fQL5C2b0x2Iw --> ssh-ed25519 YFSOsg C/OJOHpk3+ErUt06r8qmgaHJBU5NT8cFplFL4+9rNzU -n4VhOfN06R9hN6+9/Y/ewAN++BbZRSJMQHjifXR++M8 +-> ssh-ed25519 hPyiJw NGXu0u0ptngfcE4tLNFRPmUdGHCfgTzkCaumDat8jR0 +UBhZ14BVr4BeezHm928NMNWqT6g0VUFXAL/c3dYgM9M +-> ssh-ed25519 YFSOsg V/vTBbj4Xh4dbrJO9bgwSl5fbuvu979S4Fefncq9Wwc +4kLNwkCylI6y6jbi1+7yUx6eSNxkWm80GY8ad84dw3c -> ssh-rsa 42S2Dw -JBbRTa+oX87YqJlH2+cZdaw/WMajk2HDa9kZ5z1dkbdcVrZrTyIYrnUuMjIQ4nmB -JT9J6gV/y4FL0bN9d2uzNg45NGg3ZDkeCYsCT+N3tQXEReFUWk77cZifxDtnNUCL -8Z+wcys9AZhFfL8+4a2R0sris76WMxUy5CHVay11U7bsh6P1uAcjtXqSPpdezKd9 -gIZ7GVE/nFEwnT/G0rROH3tiGON2J3LrjbVdUn/Lu4n7YDMRDZFBhLsDw9ULdTu3 -lNBsx/vzCkZnkbDGJl8N7X5hBEe2ww+GvvfvHJwwABpD7rgC0MQxPDM5IBEVsufH -/CSrkWpJcUzEJMNdUBinzg --> ssh-ed25519 iHV63A Aape0gDjnscqXIPeBoZbHsb5GEwm2MkWBOwkErZfRUU -/mHovPO5uRwfPKBFuW0P2UT/Zi2idvHwI9ukJ1Hb8m4 --> ssh-ed25519 w1vtTQ Qp0fg5wN0709/99WttXspmctRkdVANA039oeyc1qB34 -mXy/qVJJhysMZxzoROp53nnryegjs6/tzRWCV2QtzUA --> Gxy]y/-grease 6 -AUBVuO3rqf/dwC84Ns7x2Ce4CgUcw5Rm6MHK+KsKtSndt7CbfQiyfqvYKRvcEfmc -BHJf3LCEgw0eBb4/nzlzT4lmIrjYAXBUbw0K+7E94jxMkNhWmjRto9gpYMBzqbdw -6aQ ---- gtgGRISbHrAdJT4edKyToERGIPZ9CR6Md+9KeRx386o -[F;Be\jQBZ[|/e7.1's<7XK -+c -,ݱ \ No newline at end of file +rdbkL5LXbRhyQOpbiMnIwZbon9onAIqjylH8vnXoX5Sk3/tCJFEPXGQLv0Lh7bgh +LN8RRj9t6SIzmouiS9ajixotYXy3r7EjLYpA5JcxkP0V5tbJJSwFV/fZ7CVaYPjz +9oF/xh/UhjNnkkasGrbj6ADjJ24ucbsMHBZ9zltx8R/34eAABwZ2Ru1ebEFXSfJw +9wKK3lxr/IGPgUJWOkoNLqGPvhN9vDq77fXcO6dv2uH4ZOh409oM4YMGnWmGDbOP +CeovHmubjBCqhdsb7L7JXj9E8Kc6fc4wwtcBviY821SrpySmygkDECQon6ds4Oxa +A9+nfcleqBm4Mgk99iHn0A +-> ssh-ed25519 iHV63A pPYIapM7Aul0ysYarrjwBxweO+Oc1Sv9Jds7H/2qcjw +bU8ArzdCfVl70hmB8KC10ahhW2bbkEUel2ZFJel2F8g +-> ssh-ed25519 SD75nw +WbP3VZY9xVTtbRz9FpUYCat2Df8jwOf/5o2ep5X+1g +fIdHrRh2KbW4scuuhPMVMVuZnDXRst1T700XRpGJOcY +-> ~YoI\1Qp-grease 2 s[h]Y@ gOXflh? 
+rAEG+5bSOAUeJ9buxTgmlZFMTcAQiu2acNj6bA +--- nr6yD/mtbagIoE1TuCDqQaOs4mT8OAa47qdBmhRQUx4 +Ld2u6Uݏ>: +)OTc&nx"ݫnr"*UNIakTMwOF/;֪5BZ" \ No newline at end of file 
diff --git a/secrets/home_controller_giggles_wireguard_key.age b/secrets/home_controller_giggles_wireguard_key.age index c39ac30112d65861e17c808738910a6c4ce48e2b..d3642e9f1fdebcabcfcdf4116cb62359727e19a8 100644 GIT binary patch literal 1019 zcmZ9~JFDab0EXd0un1Ubv#>>A!9|AI+;7c7ZZnyjGr3JNnFMh+_hcsbWRgrk8!Iad z3k8qbh<`yFVFh~|!D7Y5MjHzo+0Jz>PP4z@f%p5oBw9vg&|d03tI7ven?M5sEFXeh zmoB3aB?yE8Q|*$;BWQ=Bux4{s@(!0t#FF@22vm>^=WI)6L^?`2HI$xuSqKiWKvXm+ z$ZJ)X6Rslg3AOX(`wVE zOskSl$Ati^gv<_VOTgHwtbkREVO=qvc-c>*oQQ|i+6Y}#L=Gb9Tj>hDDtLZEQZn4! zYHjC%IJ!fH5vT>kY4o)o=U!tv5<$=EHkwJ zWOOY+(++v+6_eroCMT0_*R5SN50qxFI+%p{=hEA3;u^YgkBp7w>O!m91w@F(u_)Y7 zC;?|W)2KXV@CjNs2h52Tg6C^0^NuI@+|k>)aTkUQ_nQDelmp+R%<51mZR}r$f+&t0 z5DjFJ;jx9aoby^ki&koO~0&htrlO^5|~j}I;bYG zgiO+kas8J=saO&CV^{}66J|*mFynqS6bxdJUDg4msrRc?G{?kga_eQfs!`yh-g^ec zq7E|~2hp0+T;P)Kf9-AI0mUtoHuAa%eDr<`M!xlE_kmx7bElsGdFGouvM~F~N6ToS zS0OU&#Vt(Zt`<)xV7Xj^8qIF7YV`KAd_ANP&Lc8v5%zXVOHC|JWo;>@&-fmcSis}o z{{Htx`zikU{hP<{eEZssd4GQQz4rA_{D+4xe|Yxvi$A`8Q~2hmkI}EfpZ{ra?)Q7& j-~9TS^z`13AHDI*^y1Ga%e!ygdH(##U(dd~1AX`(dZAlU literal 1008 zcmZ9~z3by-0Kjnvr{E-llh8vB;c~sar-{QsnzuGhp1ifq3x|@n>C?P5%}bNC9Ec#t zAt<-{2M9N-lZcbU55(y}^cF{5ZgUnz_$~JreBjGBg7G*$ZtKgbP0HhgvW8ekAmfLl zra6q`9my~RKRQ^KMC(VVEl0x>P&W+=&kGNQ(%cbHO4Gw3+#D#m-?$X5Cux$Fh^#6c zif#^uz8s2Zo3m7xizUf*Yc0eglsT_`8C8k;klU|of#RAC99d}U08t=KYR6SZkm0Ig zQ2CZo`%TI*LoOJTG^H@v{Zh81zUaW6(Zizlt$)zq=A1yWAzdZ|d#M0NFR zY%YYj!Ho*xy!gc=cT0J$+ z7Zl-pRz7?CT3PSGL7tG3x;T0#aN>_CYFhJ#T1O>`P5Me^1-x$Q)?wx}&J4TlR5Bb| zKp4UOuirHFX&^2;`PyLuxB}caHFN8q0pIUZTN0H-a>dg=)HNeHuGB_w)@4&OemX_^ zY!TSfgj8zl5M?IABzjlE+uFA$C9^e42_sDmY|SvXVI|IeCoLAqepBhVr<6rdh0A^q z=H6M~ogF7Y5=?1eeQ82d(kEGpt!NHpx-pB1^DOjE(g7^B`H)_Rz<6B~8VhJ}1UhM- z^Rj_@BnBM-ZD`JLFi)K|M|S1L3d7C~&KAZiJ(Ah3V9zWe{AkB+Ri|8NZJIBMe2z4z}v%&?K;-+QDzdW@*lawey%nVlwRA>q`V zus16K8IQ-KfeK)ug3z0#j5<&CuIM?JrJ3NQ+N4&BsX8a{O5xF;pY#&(Q5zBn>Szm3)z%UAOHXW diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3498c0e4..d5006bc9 100644 --- a/secrets/secrets.nix 
+++ b/secrets/secrets.nix @@ -6,9 +6,9 @@ let user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc"; user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"; - system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOLyNmSzxVpVQtTWhkH48e03nFDdskE08N4L81MZcLZ root@nixos"; - system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNr7q7eAkROtdvTmw96Q5tZu9W4jt31OCjc6L8uM5Uv root@nixos"; - system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjIyVeAPsIpUTsB5bPEjmJeRFN8Xp3PD9a/41yPp3HM root@nixos"; + system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwogNjatRZlft4qUFDFKg73kiYB1HNZZ0xGUwfyfTzP root@nixos"; + system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMINORCNhrxSdo2z70GkKrV8vcge2elgNPYzdRve+hI5 root@nixos"; + system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4u9Q36B8acRdBJi2RYU5pYpIMeCh+HKmtInR+IKQs root@nixos"; system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos"; system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos"; diff --git a/users/hensoko/default.nix b/users/hensoko/default.nix index 2e52d7bf..9fe1fb3c 100644 --- a/users/hensoko/default.nix +++ b/users/hensoko/default.nix 
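Review bot: The recipient keys `system_giggles`, `system_cox` and `system_companion` are replaced and the three `home_controller_*_wireguard_key.age` files are re-encrypted in the same commit, but re-encryption revokes nothing: the earlier ciphertexts remain in git history and stay readable with the old host keys. If those host keys were simply discarded in a reinstall this is harmless; if there is any doubt about where they ended up, the WireGuard private keys themselves should be regenerated, which the diff cannot show either way. All system keys carry the same `root@nixos` comment, so a per-host comment (e.g. `root@giggles`) would make a swapped assignment visible in review.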
@@ -30,6 +30,7 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILh+Q5Pnh5DS6ObZ5GhiCsxqezsAlEVykDjTrdW6/cgw hensoko@surfplace" ]; }; }; diff --git a/users/hensoko/ssh.nix b/users/hensoko/ssh.nix index ab9e2c00..2edcf2bd 100644 --- a/users/hensoko/ssh.nix +++ b/users/hensoko/ssh.nix @@ -19,19 +19,13 @@ in port = 22; }; "giggles" = { - hostname = "192.168.42.232"; user = "iot"; - port = 22; }; "norman" = { - hostname = "192.168.42.233"; user = "hensoko"; - port = 22; }; "cox" = { - hostname = "192.168.42.234"; user = "iot"; - port = 22; }; "companion" = { user = "iot"; @@ -51,6 +45,11 @@ in user = "git"; port = 2222; }; + + "falcone" = { + hostname = "192.168.42.117"; + user = "iot"; + }; }; extraConfig = "PubKeyAcceptedKeyTypes +ssh-rsa"; }; diff --git a/users/iot/default.nix b/users/iot/default.nix index 64e83cd6..5ba0918e 100644 --- a/users/iot/default.nix +++ b/users/iot/default.nix @@ -11,6 +11,7 @@ in home-manager.users = { inherit (hmUsers) iot; }; pub-solar = { + core.lite = true; user = { name = "iot"; description = "hensoko iot user"; 
@@ -21,6 +22,7 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILh+Q5Pnh5DS6ObZ5GhiCsxqezsAlEVykDjTrdW6/cgw hensoko@surfplace" ]; }; }; diff --git a/users/iot/home.nix b/users/iot/home.nix index 255e5619..119380fc 100644 --- a/users/iot/home.nix +++ b/users/iot/home.nix @@ -26,7 +26,6 @@ in dig fping btop - htop ncdu sysstat tig