fix: asahi notch

fix: disable omnisharp until upstream fix
chore: update asahi
2026-01-17 12:14:03 -05:00 · 2026-01-17 10:19:01 -05:00 · 2026-01-17 10:14:01 -05:00 · 2026-01-17 10:10:26 -05:00 · 2026-01-17 09:35:36 -05:00 · 2026-01-17 09:28:38 -05:00
49 changed files with 1781 additions and 740 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 _scratch
 result
 ._*
 .direnv
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,22 +1,31 @@
 keys:
-  # Admin - Age Native
+  # Global Admin
  - &admin_reichard age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
-  # lin-va-mbp-personal@evanreichard - SSH Derived
+
  # User SSH Derived
  - &user_lin-va-mbp-personal age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
  # mac-va-mbp-personal@evanreichard - SSH Derived
  - &user_mac-va-mbp-personal age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
  - &user_lin-va-thinkpad age1avlhszrryt4gf4ya536jhzm7qwt9xfttm8x4sns6h9w2tahzqp8sspz9y5
  - &user_lin-va-desktop age15hdlen5dgjvdfgg2j0uzvchs5vs3xuptkhsw9xeuatcuk6uwrvcsz7hcsg
  # System SSH Derived
  - &system_lin-va-desktop age1mxjrvjxkn69kfn2np3wpd73g44fuhsgykw7l5ss9rx30em5jfp2scnrq32
  - &system_lin-va-thinkpad age13gymlygyac9z2slecl53jp8spq7e8n4zkan86n0gmnm3nrj4muxqa5ullm
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
          - *admin_reichard
-  - path_regex: secrets/lin-va-mbp-personal/evanreichard/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/common/systems.yaml
    key_groups:
      - age:
          - *admin_reichard
          - *system_lin-va-desktop
          - *system_lin-va-thinkpad
  - path_regex: secrets/common/evanreichard.yaml
    key_groups:
      - age:
          - *admin_reichard
          - *user_lin-va-mbp-personal
-  - path_regex: secrets/mac-va-mbp-personal/evanreichard/[^/]+\.(yaml|json|env|ini)$
+          - *user_lin-va-thinkpad
    key_groups:
      - age:
          - *admin_reichard
          - *user_mac-va-mbp-personal
--- a/README.md
+++ b/README.md
@@ -78,3 +78,27 @@ if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
 fi
 # End Nix
 ```
 #### SOPS
 1. Convert your SSH key to an age key
 2. Get age public key
 3. Update `.sops.yaml` with rules
 4. Edit file
 ```bash
 # Ensure Config
 mkdir -p ~/.config/sops/age
 # Convert SSH to Age
 ssh-to-age -private-key -i $HOME/.ssh/id_ed25519 -o ~/.config/sops/age/keys.txt
 # Get Public Key
 age-keygen -y ~/.config/sops/age/keys.txt
 ssh-to-age -private-key -i ~/.ssh/id_ed25519 | age-keygen -y
 SOPS_AGE_KEY_FILE=<ADMIN_KEY> sops -d --extract '["lin-va-desktop"]["host"]' ./secrets/keys.yaml | ssh-to-age -private-key | age-keygen -y
 # Edit File
 # NOTE: You can specify key with - `SOPS_AGE_KEY_FILE=~/.config/sops/age/other.txt`
 sops secrets/lin-va-thinkpad/evanreichard/default.yaml
 ```
--- a/flake.lock
+++ b/flake.lock
@@ -5,20 +5,18 @@
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1755115705,
+        "lastModified": 1768564560,
-        "narHash": "sha256-CjWlI6c1pWu+X5Qz8B6K1httNpA4eDNxf/Ozfm6Mvlw=",
+        "narHash": "sha256-YyIzhZoFVE4C5P9e0wZGjx4P9IT/OTUMFF3r6iKd3UY=",
-        "owner": "tpwrules",
+        "owner": "nix-community",
        "repo": "nixos-apple-silicon",
-        "rev": "78b5825968dc784dae2fe71b1c76f364efe107ae",
+        "rev": "83a2bb509972148aa6d3f75c65103b6bfb7898af",
        "type": "github"
      },
      "original": {
-        "owner": "tpwrules",
+        "owner": "nix-community",
        "ref": "release-25.05",
        "repo": "nixos-apple-silicon",
        "type": "github"
      }
@@ -30,11 +28,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765066094,
+        "lastModified": 1767634391,
-        "narHash": "sha256-0YSU35gfRFJzx/lTGgOt6ubP8K6LeW0vaywzNNqxkl4=",
+        "narHash": "sha256-owcSz2ICqTSvhBbhPP+1eWzi88e54rRZtfCNE5E/wwg=",
        "owner": "nix-darwin",
        "repo": "nix-darwin",
-        "rev": "688427b1aab9afb478ca07989dc754fa543e03d5",
+        "rev": "08585aacc3d6d6c280a02da195fdbd4b9cf083c2",
        "type": "github"
      },
      "original": {
@@ -49,11 +47,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1764350888,
+        "lastModified": 1766150702,
-        "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=",
+        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26",
+        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
        "type": "github"
      },
      "original": {
@@ -70,11 +68,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1764475519,
+        "lastModified": 1768622624,
-        "narHash": "sha256-12TAT2CD+L+wdIHszQnPyu8zGSBxcazoVZmP6UQjk6s=",
+        "narHash": "sha256-Em6PP667PeXbEjidbV2LnNwmUYohbrSFvVPLYLUDHms=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "1172c39fb0e847a7f036e480d94f629edcf2cf46",
+        "rev": "8061c6d9199dc6cc0727d4241959eea28f2fa0a6",
        "type": "gitlab"
      },
      "original": {
@@ -86,11 +84,11 @@
    },
    "flake-compat": {
      "locked": {
-        "lastModified": 1746162366,
+        "lastModified": 1761640442,
-        "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
+        "narHash": "sha256-AtrEP6Jmdvrqiv4x2xa5mrtaIp3OEe8uBYCDZDS+hu8=",
        "owner": "nix-community",
        "repo": "flake-compat",
-        "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
+        "rev": "4a56054d8ffc173222d09dad23adf4ba946c8884",
        "type": "github"
      },
      "original": {
@@ -159,11 +157,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764536451,
+        "lastModified": 1768603898,
-        "narHash": "sha256-BgtcUkBfItu9/yU14IgUaj4rYOanTOUZjUfBP20/ZB4=",
+        "narHash": "sha256-vRV1dWJOCpCal3PRr86wE2WTOMfAhTu6G7bSvOsryUo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "3fdd076e08049a9c7a83149b270440d9787d2df5",
+        "rev": "2a63d0e9d2c72ac4d4150ebb242cf8d86f488c8c",
        "type": "github"
      },
      "original": {
@@ -211,11 +209,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1752596105,
+        "lastModified": 1763618868,
-        "narHash": "sha256-lFNVsu/mHLq3q11MuGkMhUUoSXEdQjCHvpReaGP1S2k=",
+        "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "dab3a6e781554f965bde3def0aa2fda4eb8f1708",
+        "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942",
        "type": "github"
      },
      "original": {
@@ -227,11 +225,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1764242076,
+        "lastModified": 1768564909,
-        "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=",
+        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4",
+        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
        "type": "github"
      },
      "original": {
@@ -243,11 +241,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1764494334,
+        "lastModified": 1768323494,
-        "narHash": "sha256-x2xCEXUlU4Ap56+t5HaoReOQ/bV/bIQ5rzTn/m+V3HQ=",
+        "narHash": "sha256-yBXJLE6WCtrGo7LKiB6NOt6nisBEEkguC/lq/rP3zRQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d542db745310b6929708d9abea513f3ff19b1341",
+        "rev": "2c3e5ec5df46d3aeee2a1da0bfedd74e21f4bf3a",
        "type": "github"
      },
      "original": {
@@ -280,11 +278,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736130495,
+        "lastModified": 1765361626,
-        "narHash": "sha256-4i9nAJEZFv7vZMmrE0YG55I3Ggrtfo5/T07JEpEZ/RM=",
+        "narHash": "sha256-kX0Dp/kYSRbQ+yd9e3lmmUWdNbipufvKfL2IzbrSpnY=",
        "owner": "snowfallorg",
        "repo": "lib",
-        "rev": "02d941739f98a09e81f3d2d9b3ab08918958beac",
+        "rev": "c566ad8b7352c30ec3763435de7c8f1c46ebb357",
        "type": "github"
      },
      "original": {
@@ -300,11 +298,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764483358,
+        "lastModified": 1768481291,
-        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
+        "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
+        "rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
        "type": "github"
      },
      "original": {
@@ -327,27 +325,6 @@
        "repo": "default",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "apple-silicon",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1754492133,
        "narHash": "sha256-B+3g9+76KlGe34Yk9za8AF3RL+lnbHXkLiVHLjYVOAc=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "1298185c05a56bff66383a20be0b41a307f52228",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -14,7 +14,7 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    apple-silicon = {
-      url = "github:tpwrules/nixos-apple-silicon/release-25.05";
+      url = "github:nix-community/nixos-apple-silicon";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-generators = {
--- a/homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix
+++ b/homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix
@@ -30,5 +30,9 @@ in
        opencode = enabled;
      };
    };
    security = {
      sops = enabled;
    };
  };
 }
--- a/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix
+++ b/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix
@@ -21,11 +21,10 @@ in
      ssh-agent = enabled;
      fusuma = enabled;
      swww = enabled;
      sops = {
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
    };
    security = {
      sops = enabled;
    };
    programs = {
--- a/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix
+++ b/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix
@@ -22,11 +22,10 @@ in
      fusuma = enabled;
      swww = enabled;
      poweralertd = enabled;
      sops = {
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
    };
    security = {
      sops = enabled;
    };
    programs = {
@@ -51,6 +50,7 @@ in
        git = enabled;
        k9s = enabled;
        nvim = enabled;
        opencode = enabled;
      };
    };
  };
--- a/homes/x86_64-linux/evanreichard@lin-va-utility/default.nix
+++ b/homes/x86_64-linux/evanreichard@lin-va-utility/default.nix
@@ -21,11 +21,10 @@ in
      ssh-agent = enabled;
      fusuma = enabled;
      swww = enabled;
      sops = {
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
    };
    security = {
      sops = enabled;
    };
    programs = {
@@ -50,10 +49,6 @@ in
    };
  };
  # home.packages = with pkgs; [
  #   catppuccin-gtk
  # ];
  dconf = {
    settings = {
      "org/gnome/desktop/interface" = {
--- a/modules/darwin/security/sops/default.nix
+++ b/modules/darwin/security/sops/default.nix
@@ -1,31 +1,35 @@
-{ config, lib, namespace, ... }:
+{ config
 , lib
 , namespace
 , ...
 }:
 let
  inherit (lib) mkIf mkEnableOption types;
  inherit (lib.${namespace}) mkOpt;
  getFile = lib.snowfall.fs.get-file;
  user = config.users.users.${config.${namespace}.user.name};
  cfg = config.${namespace}.security.sops;
 in
 {
-  options.${namespace}.security.sops = {
+  options.${namespace}.security.sops = with types; {
-    enable = lib.mkEnableOption "sops";
+    enable = mkEnableOption "Enable sops";
-    defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
+    defaultSopsFile = mkOpt str "secrets/systems/${config.system.name}.yaml" "Default sops file.";
-    sshKeyPaths = mkOpt (with lib.types; listOf path) [
+    sshKeyPaths = mkOpt (listOf path) [ ] "Additional SSH key paths to use.";
      "/etc/ssh/ssh_host_ed25519_key"
    ] "SSH Key paths to use.";
  };
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
    sops = {
-      inherit (cfg) defaultSopsFile;
+      defaultSopsFile = getFile cfg.defaultSopsFile;
      age = {
-        inherit (cfg) sshKeyPaths;
+        keyFile = "${user.home}/.config/sops/age/keys.txt";
-
+        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths;
        keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
      };
    };
    sops.secrets.builder_ssh_key = {
-      sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+      sopsFile = getFile "secrets/common/systems.yaml";
    };
  };
 }
--- a/modules/home/programs/terminal/git/default.nix
+++ b/modules/home/programs/terminal/git/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, namespace, ... }:
+{ pkgs
 , lib
 , config
 , namespace
 , ...
 }:
 let
  inherit (lib) mkIf;
  cfg = config.${namespace}.programs.terminal.git;
@@ -82,10 +87,7 @@ in
      };
    };
-    home.packages = with pkgs; [
+    home.packages = with pkgs; [ gh ];
      gh
      pre-commit
    ];
    # Copy Configuration
    xdg.configFile = {
--- a/modules/home/programs/terminal/nvim/config/lua/llm-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/llm-config.lua
@@ -1,28 +1,16 @@
 local llm_endpoint = "https://llm-api.va.reichard.io"
-local llm_assistant_model = "devstral-small-2-instruct"
+local llm_assistant_model = "qwen3-coder-30b-instruct"
-local llm_infill_model = "qwen2.5-coder-3b-instruct"
+local llm_infill_model = "qwen3-coder-30b-instruct"
-- Default Llama - Toggle Llama & Copilot
+-- local llm_assistant_model = "devstral-small-2-instruct"
-- vim.g.copilot_filetypes = { ["*"] = false }
+-- local llm_infill_model = "qwen2.5-coder-3b-instruct"
-local current_mode = "copilot"
+
-local function toggle_llm_fim_provider()
+
-	if current_mode == "llama" then
+local current_fim = "copilot" -- change this to switch default
 		vim.g.copilot_filetypes = { ["*"] = true }
 		vim.cmd("Copilot enable")
 		vim.cmd("LlamaDisable")
 		current_mode = "copilot"
 		vim.notify("Copilot FIM enabled", vim.log.levels.INFO)
 	else
 		vim.g.copilot_filetypes = { ["*"] = true }
 		vim.cmd("Copilot disable")
 		vim.cmd("LlamaEnable")
 		current_mode = "llama"
 		vim.notify("Llama FIM enabled", vim.log.levels.INFO)
 	end
 end
 -- Copilot Configuration
 vim.g.copilot_no_tab_map = true
 vim.g.copilot_filetypes = { ["*"] = true }
 -- LLama LLM FIM
 vim.g.llama_config = {
@@ -30,9 +18,24 @@ vim.g.llama_config = {
 	model = llm_infill_model,
 	n_predict = 2048,
 	ring_n_chunks = 32,
-	enable_at_startup = false,
+	enable_at_startup = (current_fim == "llama"), -- enable based on default
 }
 -- Toggle function for manual switching
 local function switch_llm_fim_provider(switch_to)
 	if switch_to == "llama" then
 		vim.cmd("Copilot disable")
 		vim.cmd("LlamaEnable")
 		current_fim = "llama"
 		vim.notify("Llama FIM enabled", vim.log.levels.INFO)
 	else
 		vim.cmd("Copilot enable")
 		vim.cmd("LlamaDisable")
 		current_fim = "copilot"
 		vim.notify("Copilot FIM enabled", vim.log.levels.INFO)
 	end
 end
 -- Configure Code Companion
 require("plugins.codecompanion.fidget-spinner"):init()
 local codecompanion = require("codecompanion")
@@ -75,7 +78,13 @@ codecompanion.setup({
 -- Create KeyMaps for Code Companion
 vim.keymap.set("n", "<leader>aa", codecompanion.actions, { desc = "Actions" })
-vim.keymap.set("n", "<leader>af", toggle_llm_fim_provider, { desc = "Toggle FIM (Llama / Copilot)" })
+vim.keymap.set("n", "<leader>af", function()
 	if current_fim == "llama" then
 		switch_llm_fim_provider("copilot")
 	else
 		switch_llm_fim_provider("llama")
 	end
 end, { desc = "Toggle FIM (Llama / Copilot)" })
 vim.keymap.set("n", "<leader>ao", function() require("snacks.terminal").toggle("opencode") end,
 	{ desc = "Toggle OpenCode" })
 vim.keymap.set("v", "<leader>ai", ":CodeCompanion<cr>", { desc = "Inline Prompt" })
--- a/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
@@ -134,7 +134,13 @@ setup_lsp("cssls", {
 setup_lsp("ts_ls", {
 	on_attach = on_attach_no_formatting,
 	cmd = { nix_vars.tsls, "--stdio" },
-	filetypes = { "typescript", "typescriptreact" },
+	filetypes = { "typescript", "typescriptreact", "javascript" },
 })
 -- ESLint LSP
 setup_lsp("eslint", {
 	on_attach = on_attach_no_formatting,
 	cmd = { nix_vars.vscls .. "/bin/vscode-eslint-language-server", "--stdio" },
 })
 -- C LSP Configuration
@@ -149,20 +155,26 @@ setup_lsp("lua_ls", {
 	filetypes = { "lua" },
 })
 -- Lua LSP Configuration
 setup_lsp("sqls", {
 	cmd = { nix_vars.sqls },
 })
 -- Nix LSP Configuration
 setup_lsp("nil_ls", {
 	filetypes = { "nix" },
 })
 -- Omnisharp LSP Configuration
-setup_lsp("omnisharp", {
+-- NOTE: https://github.com/NixOS/nixpkgs/issues/479348
-	enable_roslyn_analyzers = true,
+-- setup_lsp("omnisharp", {
-	enable_import_completion = true,
+-- 	enable_roslyn_analyzers = true,
-	organize_imports_on_format = true,
+-- 	enable_import_completion = true,
-	enable_decompilation_support = true,
+-- 	organize_imports_on_format = true,
-	filetypes = { "cs", "vb", "csproj", "sln", "slnx", "props", "csx", "targets", "tproj", "slngen", "fproj" },
+-- 	enable_decompilation_support = true,
-	cmd = { nix_vars.omnisharp, "--languageserver", "--hostPID", tostring(vim.fn.getpid()) },
+-- 	filetypes = { "cs", "vb", "csproj", "sln", "slnx", "props", "csx", "targets", "tproj", "slngen", "fproj" },
-})
+-- 	cmd = { nix_vars.omnisharp, "--languageserver", "--hostPID", tostring(vim.fn.getpid()) },
 -- })
 -- Go LSP Configuration
 setup_lsp("gopls", {
@@ -205,44 +217,19 @@ setup_lsp("golangci_lint_ls", {
 ------------------------------------------------------
 local none_ls = require("null-ls")
 local eslintFiles = {
 	".eslintrc",
 	".eslintrc.js",
 	".eslintrc.cjs",
 	".eslintrc.yaml",
 	".eslintrc.yml",
 	".eslintrc.json",
 	"eslint.config.js",
 	"eslint.config.mjs",
 	"eslint.config.cjs",
 	"eslint.config.ts",
 	"eslint.config.mts",
 	"eslint.config.cts",
 }
 local has_eslint_in_parents = function(fname)
 	local root_file = require("lspconfig").util.insert_package_json(eslintFiles, "eslintConfig", fname)
 	return require("lspconfig").util.root_pattern(unpack(root_file))(fname)
 end
 none_ls.setup({
 	sources = {
-		-- Prettier Formatting
+		-- Formatting
 		none_ls.builtins.formatting.prettier,
 		none_ls.builtins.formatting.prettier.with({ filetypes = { "template" } }),
 		require("none-ls.diagnostics.eslint_d").with({
 			condition = function(utils)
 				return has_eslint_in_parents(vim.fn.getcwd())
 			end,
 		}),
 		none_ls.builtins.completion.spell,
 		none_ls.builtins.formatting.nixpkgs_fmt, -- TODO: nixd native LSP?
 		none_ls.builtins.diagnostics.sqlfluff,
 		none_ls.builtins.formatting.sqlfluff,
 		require("none-ls.formatting.autopep8").with({
 			filetypes = { "starlark", "python" },
 			extra_args = { "--max-line-length", "100" },
 		}),
 		-- Completion
 		none_ls.builtins.completion.spell,
 	},
 	on_attach = function(client, bufnr)
 		if client:supports_method("textDocument/formatting") then
--- a/modules/home/programs/terminal/nvim/default.nix
+++ b/modules/home/programs/terminal/nvim/default.nix
@@ -148,7 +148,6 @@ in
        luaformatter
        nixpkgs-fmt
        nodePackages.prettier
        sqlfluff
        stylua
        # Tools
@@ -167,6 +166,9 @@ in
      };
      # Generate Nix Vars
      # NOTE: https://github.com/NixOS/nixpkgs/issues/479348
      #   omnisharp = "${pkgs.omnisharp-roslyn}/bin/OmniSharp",
      "nvim/lua/nix-vars.lua".text = ''
        local nix_vars = {
          bash = "${pkgs.bashInteractive}/bin/bash",
@@ -174,10 +176,10 @@ in
          golintls = "${pkgs.golangci-lint-langserver}/bin/golangci-lint-langserver",
          gopls = "${pkgs.gopls}/bin/gopls",
          luals = "${pkgs.lua-language-server}/bin/lua-language-server",
          omnisharp = "${pkgs.omnisharp-roslyn}/bin/OmniSharp",
          sveltels = "${pkgs.nodePackages.svelte-language-server}/bin/svelteserver",
          tsls = "${pkgs.nodePackages.typescript-language-server}/bin/typescript-language-server",
          vscls = "${pkgs.nodePackages.vscode-langservers-extracted}",
          sqls = "${pkgs.sqls}/bin/sqls",
        }
        return nix_vars
      '';
--- a/modules/home/programs/terminal/opencode/config/agents/agent-creator.md
+++ b/modules/home/programs/terminal/opencode/config/agents/agent-creator.md
@@ -0,0 +1,65 @@
 ---
 description: Creates and configures new OpenCode agents based on requirements
 mode: subagent
 temperature: 0.3
 permission:
  write: allow
 ---
 You help users create custom OpenCode agents. When asked to create an agent:
 1. **Understand the need**: Ask clarifying questions about:
   - What tasks should this agent handle?
   - Should it be primary or subagent?
   - What tools does it need access to?
   - Any special permissions or restrictions?
   - Should it use a specific model?
 2. **Generate the config**: Create a markdown file in the appropriate location:
   - Global: `~/.config/opencode/agent/`
   - Project: `.opencode/agent/`
 3. **Available config options**:
   - `description` (required): Brief description of agent purpose
   - `mode`: "primary", "subagent", or "all" (defaults to "all")
   - `temperature`: 0.0-1.0 (lower = focused, higher = creative)
   - `maxSteps`: Limit agentic iterations
   - `disable`: Set to true to disable agent
   - `tools`: Control tool access (write, edit, bash, etc.)
   - `permission`: Set to "ask", "allow", or "deny" for edit/bash/webfetch
   - Additional provider-specific options pass through to the model
 4. **Tools configuration**:
   - Set individual tools: `write: true`, `bash: false`
   - Use wildcards: `mymcp_*: false`
   - Inherits from global config, agent config overrides
 5. **Permissions** (for edit, bash, webfetch):
   - `ask`: Prompt before running
   - `allow`: Run without approval
   - `deny`: Disable completely
   - Can set per-command for bash: `"git push": "ask"`
 6. **Keep it simple**: Start minimal, users can extend later.
 7. **Explain usage**: Tell them how to invoke with `@agent-name`.
 Example structure:
 ```markdown
 ---
 description: [one-line purpose]
 mode: subagent
 model: anthropic/claude-sonnet-4-20250514
 temperature: 0.2
 tools:
  write: false
  bash: false
 permission:
  edit: deny
 ---
 [Clear instructions for the agent's behavior]
 ```
 Be conversational. Ask questions before generating.
--- a/modules/home/programs/terminal/opencode/config/agents/developer.md
+++ b/modules/home/programs/terminal/opencode/config/agents/developer.md
@@ -0,0 +1,44 @@
 ---
 description: Implements code from plans and review feedback
 mode: subagent
 temperature: 0.3
 permission:
  "*": deny
  bash: allow
  context7_*: allow
  edit: allow
  glob: allow
  grep: allow
  list: allow
  lsp: allow
  read: allow
  todoread: allow
  todowrite: allow
 ---
 You implement code. You're the only agent that modifies files.
 **Input:**
 - Plan file path from @planner
 - Optional: Review feedback from @reviewer
 **Workflow:**
 1. Read the plan file
 2. Read the specific files/lines mentioned in context maps
 3. Read incrementally if needed (imports, function definitions, etc.)
 4. Implement changes
 5. Commit:
   ```bash
   git add -A
   git commit -m "type: description"
   ```
   Types: `feat`, `fix`, `refactor`, `docs`, `test`, `chore`
 **Rules:**
 - Trust the plan - don't re-analyze or re-plan
 - Start with context map locations, expand only as needed
 - Fix all critical/regular findings, use judgment on nits
 - Stop reading once you understand the change
--- a/modules/home/programs/terminal/opencode/config/agents/orchestrator.md
+++ b/modules/home/programs/terminal/opencode/config/agents/orchestrator.md
@@ -0,0 +1,37 @@
 ---
 description: Orchestrates development by delegating to subagents
 mode: primary
 temperature: 0.2
 maxSteps: 50
 permission:
  "*": deny
  task:
    "*": deny
    planner: allow
    developer: allow
    reviewer: allow
 ---
 You orchestrate development by delegating to subagents. Never code yourself.
 **Subagents:**
 - **@planner** - Creates implementation plans in `./plans/`
 - **@developer** - Implements from plan files
 - **@reviewer** - Reviews implementations
 **Workflow:**
 1. **Plan**: Call @planner with requirements
 2. **Review Plan**: Show user the plan path, ask for approval
 3. **Develop**: Call @developer with plan file path
 4. **Review Code**: Call @reviewer with implementation
 5. **Iterate**: If NEEDS_WORK, call @developer with plan + feedback
 6. **Done**: When APPROVED or APPROVED_WITH_NITS
 **Rules:**
 - Always pass plan file path to @developer (not plan content)
 - Include review feedback on iterations
 - Nits are optional - ask user if they want them fixed
 - Keep user informed of current step
--- a/modules/home/programs/terminal/opencode/config/agents/planner.md
+++ b/modules/home/programs/terminal/opencode/config/agents/planner.md
@@ -0,0 +1,100 @@
 ---
 description: Explores codebase and breaks features into ordered implementation tasks. Writes plans to ./plans/
 mode: subagent
 temperature: 0.3
 permission:
  "*": deny
  context7_*: allow
  edit: allow
  glob: allow
  grep: allow
  list: allow
  lsp: allow
  read: allow
 ---
 # Code Task Planner Agent
 You are a code analysis agent that breaks down feature requests into implementable, independent tasks.
 ## Your Task
 1. **Analyze the codebase** using available tools (grep, lsp, read, etc.)
 2. **Identify dependencies** between components
 3. **Create ordered tasks** where each task can be implemented independently
 4. **Generate context maps** showing exact files and line numbers that need changes
 5. **Write the plan** to `./plans/<PLAN_NAME>.md`
 ## Task Requirements
 - **Independent**: Each task should be implementable without future tasks
 - **Hierarchical**: Dependencies must come before dependents
 - **Specific**: Include exact file paths and line numbers
 - **Contextual**: Explain WHY each file matters (1-2 lines max)
 ## Output Format
 Write to `./plans/<PLAN_NAME>.md` with this structure:
 ```markdown
 # Plan: <PLAN_NAME>
 ## Feature Overview
 <feature summary>
 ## Implementation Tasks
 ### Task 1: <Descriptive Title>
 **Context Map:**
 - `<file_path>:<line_number>` - <why it's relevant or what changes>
 - `<file_path>:<line_number>` - <why it's relevant or what changes>
 ---
 ### Task 2: <Descriptive Title>
 **Context Map:**
 - `<file_path>:<line_number>` - <why it's relevant or what changes>
 ---
 ```
 ## Analysis Strategy
 1. **Start with interfaces/contracts** - these are foundational
 2. **Then implementations** - concrete types that satisfy interfaces
 3. **Then handlers/controllers** - code that uses the implementations
 4. **Finally integrations** - wiring everything together
 ## Context Map Guidelines
 - Use exact line numbers from actual code analysis
 - Be specific: "Add AddChat method" not "modify file"
 - Include both new additions AND modifications to existing code
 - If a file doesn't exist yet, use line 0 and note "new file"
 ## Example
 ```markdown
 ### Task 1: Add Store Interface Methods
 **Context Map:**
 - `./internal/store/interface.go:15` - Add Conversation struct definition
 - `./internal/store/interface.go:28` - Add AddConversation method to Store interface
 - `./internal/store/interface.go:32` - Add AddMessage method to Store interface
 ```
 Remember: The context map is what developers see FIRST, so make it count!
 ## Completion
 After writing the plan file, respond with:
 **Plan created:** `<PLAN_NAME>`
 **Path:** `./plans/<PLAN_NAME>.md`
 **Tasks:** <number of tasks>
--- a/modules/home/programs/terminal/opencode/config/agents/reviewer.md
+++ b/modules/home/programs/terminal/opencode/config/agents/reviewer.md
@@ -0,0 +1,53 @@
 ---
 description: Reviews implementations and provides structured feedback
 mode: subagent
 temperature: 0.2
 permission:
  "*": deny
  bash:
    "*": deny
    "git diff *": allow
    "git log *": allow
    "git show *": allow
    "git show": allow
    "git status *": allow
    "git status": allow
  glob: allow
  grep: allow
  list: allow
  lsp: allow
  read: allow
 ---
 You review code implementations.
 **Process:**
 1. Check `git status` - if uncommitted changes, stop and tell @developer to commit
 2. Review latest commit with `git show`
 3. Read full files only if needed for context
 **Response format:**
 VERDICT: [APPROVED | NEEDS_WORK | APPROVED_WITH_NITS]
 **Critical:** (security, logic errors, data corruption)
 - Finding 1
 - Finding 2
 **Regular:** (quality, error handling, performance)
 - Finding 1
 **Nits:** (style, minor improvements)
 - Finding 1
 **Verdict rules:**
 - NEEDS_WORK: Any critical or regular findings
 - APPROVED_WITH_NITS: Only nits
 - APPROVED: No findings
 Be thorough, not pedantic.
--- a/modules/home/programs/terminal/opencode/default.nix
+++ b/modules/home/programs/terminal/opencode/default.nix
@@ -2,10 +2,15 @@
 , pkgs
 , config
 , namespace
 , osConfig
 , ...
 }:
 let
  inherit (lib) mkIf;
  helpers = import ./lib.nix { inherit lib; };
  llamaSwapConfig = osConfig.${namespace}.services.llama-swap.config or { };
  cfg = config.${namespace}.programs.terminal.opencode;
 in
 {
@@ -14,68 +19,63 @@ in
  };
  config = mkIf cfg.enable {
    # Enable OpenCode
    programs.opencode = {
      enable = true;
      package = pkgs.reichard.opencode;
      enableMcpIntegration = true;
-      settings = {
+      agents = {
        orchestrator = ./config/agents/orchestrator.md;
        planner = ./config/agents/planner.md;
        developer = ./config/agents/developer.md;
        reviewer = ./config/agents/reviewer.md;
        agent-creator = ./config/agents/agent-creator.md;
      };
    };
    # Define OpenCode Configuration
    sops = {
      secrets.context7_apikey = {
        sopsFile = lib.snowfall.fs.get-file "secrets/common/evanreichard.yaml";
      };
      templates."opencode.json" = {
        path = ".config/opencode/opencode.json";
        content = builtins.toJSON {
          "$schema" = "https://opencode.ai/config.json";
          theme = "catppuccin";
        model = "llama-swap/devstral-small-2-instruct";
        permission = {
          edit = "allow";
          bash = "ask";
          webfetch = "ask";
          doom_loop = "ask";
          external_directory = "ask";
        };
        lsp = {
          nil = {
            command = [
              "${pkgs.nil}/bin/nil"
              "--stdio"
            ];
            extensions = [ ".nix" ];
          };
        };
          provider = {
            "llama-swap" = {
              npm = "@ai-sdk/openai-compatible";
              options = {
                baseURL = "https://llm-api.va.reichard.io/v1";
              };
-            models = {
+              models = helpers.toOpencodeModels llamaSwapConfig;
              gpt-oss-20b-thinking = {
                name = "GPT OSS (20B)";
              };
              devstral-small-2-instruct = {
                name = "Devstral Small 2 (24B)";
              };
              qwen3-coder-30b-instruct = {
                name = "Qwen3 Coder (30B)";
              };
              qwen3-next-80b-instruct = {
                name = "Qwen3 Next (80B) - Instruct";
              };
              qwen3-30b-2507-thinking = {
                name = "Qwen3 2507 (30B) Thinking";
              };
              qwen3-30b-2507-instruct = {
                name = "Qwen3 2507 (30B) Instruct";
            };
          };
          lsp = {
            biome = {
              disabled = true;
            };
            starlark = {
              command = [
                "${pkgs.pyright}/bin/pyright-langserver"
                "--stdio"
              ];
              extensions = [ ".star" ];
            };
          };
          mcp = {
-          gopls = {
+            context7 = {
-            type = "local";
+              type = "remote";
-            command = [
+              url = "https://mcp.context7.com/mcp";
-              "${pkgs.gopls}/bin/gopls"
+              headers = {
-              "mcp"
+                CONTEXT7_API_KEY = "${config.sops.placeholder.context7_apikey}";
-            ];
+              };
              enabled = true;
            };
          };
        };
      };
    };
  };
 }
--- a/modules/home/programs/terminal/opencode/lib.nix
+++ b/modules/home/programs/terminal/opencode/lib.nix
@@ -0,0 +1,53 @@
 { lib }:
 let
  inherit (lib)
    mapAttrs
    filterAttrs
    any
    flatten
    listToAttrs
    nameValuePair
    ;
 in
 {
  # Convert llama-swap models to opencode format
  toOpencodeModels =
    llamaSwapConfig:
    let
      textGenModels = filterAttrs
        (
          name: model: any (t: t == "text-generation") (model.metadata.type or [ ])
        )
        (llamaSwapConfig.models or { });
      localModels = mapAttrs
        (
          name: model:
            {
              inherit (model) name;
            }
            // (
              if model.macros.ctx or null != null then
                {
                  limit = {
                    context = lib.toInt model.macros.ctx;
                    input = lib.toInt model.macros.ctx;
                    output = lib.toInt model.macros.ctx;
                  };
                }
              else
                { }
            )
        )
        textGenModels;
      peerModels = listToAttrs (
        flatten (
          map (peer: map (modelName: nameValuePair modelName { name = modelName; }) peer.models) (
            builtins.attrValues (llamaSwapConfig.peers or { })
          )
        )
      );
    in
    localModels // peerModels;
 }
--- a/modules/home/security/sops/default.nix
+++ b/modules/home/security/sops/default.nix
@@ -0,0 +1,37 @@
 { config
 , lib
 , namespace
 , pkgs
 , ...
 }:
 let
  inherit (lib) mkIf mkEnableOption types;
  inherit (lib.${namespace}) mkOpt;
  getFile = lib.snowfall.fs.get-file;
  cfg = config.${namespace}.security.sops;
 in
 {
  options.${namespace}.security.sops = with types; {
    enable = mkEnableOption "Enable sops";
    defaultSopsFile = mkOpt str "secrets/common/evanreichard.yaml" "Default sops file.";
    sshKeyPaths = mkOpt (listOf path) [ ] "Additional SSH key paths to use.";
  };
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      age
      sops
      ssh-to-age
    ];
    sops = {
      defaultSopsFile = getFile cfg.defaultSopsFile;
      age = {
        keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths;
      };
    };
  };
 }
--- a/modules/home/services/sops/default.nix
+++ b/modules/home/services/sops/default.nix
@@ -1,33 +0,0 @@
 { config, lib, namespace, pkgs, ... }:
 let
  inherit (lib) mkIf types;
  inherit (lib.${namespace}) mkOpt;
  cfg = config.${namespace}.services.sops;
 in
 {
  options.${namespace}.services.sops = with types; {
    enable = lib.mkEnableOption "sops";
    defaultSopsFile = mkOpt path null "Default sops file.";
    sshKeyPaths = mkOpt (listOf path) [ ] "SSH Key paths to use.";
  };
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      age
      sops
      ssh-to-age
    ];
    sops = {
      inherit (cfg) defaultSopsFile;
      defaultSopsFormat = "yaml";
      age = {
        generateKey = true;
        keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths;
      };
    };
  };
 }
--- a/modules/home/services/swww/default.nix
+++ b/modules/home/services/swww/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, namespace, ... }:
+{ config
 , lib
 , pkgs
 , namespace
 , ...
 }:
 let
  cfg = config.${namespace}.services.swww;
 in
--- a/modules/nixos/display-managers/sddm/default.nix
+++ b/modules/nixos/display-managers/sddm/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, namespace, ... }:
+{ config
 , lib
 , pkgs
 , namespace
 , ...
 }:
 let
  inherit (lib) mkIf types;
  inherit (lib.${namespace}) mkOpt;
@@ -17,8 +22,7 @@ in
        sddm = {
          inherit (cfg) enable;
          package = pkgs.kdePackages.sddm;
-          #theme = "catppuccin-mocha"; # https://github.com/nixos/nixpkgs/issues/434963
+          theme = "catppuccin-mocha-mauve";
          theme = "breeze";
          wayland.enable = true;
        };
      };
--- a/modules/nixos/hardware/asahi/default.nix
+++ b/modules/nixos/hardware/asahi/default.nix
@@ -1,7 +1,7 @@
 { config, lib, inputs, namespace, ... }:
 let
  inherit (lib) types optionalAttrs;
-  inherit (lib.${namespace}) mkOpt mkBoolOpt;
+  inherit (lib.${namespace}) mkOpt;
  cfg = config.${namespace}.hardware.asahi;
 in
@@ -12,7 +12,6 @@ in
  options.${namespace}.hardware.asahi = {
    enable = lib.mkEnableOption "support for asahi linux";
    enableGPU = mkBoolOpt false "enable gpu driver";
    firmwareDirectory = mkOpt types.path null "firmware directory";
  };
@@ -21,7 +20,6 @@ in
      enable = cfg.enable;
    } // optionalAttrs cfg.enable {
      peripheralFirmwareDirectory = cfg.firmwareDirectory;
      useExperimentalGPUDriver = cfg.enableGPU;
    };
  };
 }
--- a/modules/nixos/security/sops/default.nix
+++ b/modules/nixos/security/sops/default.nix
@@ -1,31 +1,39 @@
-{ config, lib, namespace, ... }:
+{ config
 , lib
 , namespace
 , ...
 }:
 let
  inherit (lib) mkIf mkEnableOption types;
  inherit (lib.${namespace}) mkOpt;
  getFile = lib.snowfall.fs.get-file;
  user = config.users.users.${config.${namespace}.user.name};
  cfg = config.${namespace}.security.sops;
 in
 {
-  options.${namespace}.security.sops = {
+  options.${namespace}.security.sops = with types; {
-    enable = lib.mkEnableOption "sops";
+    enable = mkEnableOption "Enable sops";
-    defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
+    defaultSopsFile = mkOpt str "secrets/systems/${config.system.name}.yaml" "Default sops file.";
-    sshKeyPaths = mkOpt (with lib.types; listOf path) [
+    sshKeyPaths = mkOpt (listOf path) [ ] "Additional SSH key paths to use.";
      # "/etc/ssh/ssh_host_ed25519_key"
    ] "SSH Key paths to use.";
  };
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
    sops = {
-      inherit (cfg) defaultSopsFile;
+      defaultSopsFile = getFile cfg.defaultSopsFile;
      age = {
-        inherit (cfg) sshKeyPaths;
+        keyFile = "${user.home}/.config/sops/age/keys.txt";
-
+        sshKeyPaths = [
-        keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
+          "/etc/ssh/ssh_host_ed25519_key"
          "${user.home}/.ssh/id_ed25519"
        ]
        ++ cfg.sshKeyPaths;
      };
    };
    sops.secrets.builder_ssh_key = {
-      sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+      sopsFile = getFile "secrets/common/systems.yaml";
    };
  };
 }
--- a/modules/nixos/services/llama-cpp/default.nix
+++ b/modules/nixos/services/llama-cpp/default.nix
@@ -1,123 +0,0 @@
 {
  config,
  pkgs,
  lib,
  namespace,
  ...
 }:
 let
  inherit (lib) types mkIf mkEnableOption;
  inherit (lib.${namespace}) mkOpt;
  cfg = config.${namespace}.services.llama-cpp;
  modelDir = "/models";
  availableModels = {
    "qwen2.5-coder-7b-q8_0.gguf" = {
      url = "https://huggingface.co/ggml-org/Qwen2.5-Coder-7B-Q8_0-GGUF/resolve/main/qwen2.5-coder-7b-q8_0.gguf?download=true";
      flag = "--fim-qwen-7b-default";
    };
    "qwen2.5-coder-3b-q8_0.gguf" = {
      url = "https://huggingface.co/ggml-org/Qwen2.5-Coder-3B-Q8_0-GGUF/resolve/main/qwen2.5-coder-3b-q8_0.gguf?download=true";
      flag = "--fim-qwen-3b-default";
    };
  };
 in
 {
  options.${namespace}.services.llama-cpp = with types; {
    enable = mkEnableOption "llama-cpp support";
    modelName = mkOpt str "qwen2.5-coder-3b-q8_0.gguf" "model to use";
  };
  config =
    let
      modelPath = "${modelDir}/${cfg.modelName}";
    in
    mkIf cfg.enable {
      assertions = [
        {
          assertion = availableModels ? ${cfg.modelName};
          message = "Invalid model '${cfg.modelName}'. Available models: ${lib.concatStringsSep ", " (lib.attrNames availableModels)}";
        }
      ];
      systemd.services = {
        # LLama Download Model
        download-model = {
          description = "Download Model";
          wantedBy = [ "multi-user.target" ];
          before = [ "llama-cpp.service" ];
          path = [
            pkgs.curl
            pkgs.coreutils
          ];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            User = "root";
            Group = "root";
          };
          script =
            let
              modelURL = availableModels.${cfg.modelName}.url;
            in
            ''
              set -euo pipefail
              if [ ! -f "${modelPath}" ]; then
                mkdir -p "${modelDir}"
                # Add -f flag to follow redirects and -L for location
                # Add --fail flag to exit with error on HTTP errors
                # Add -C - to resume interrupted downloads
                curl -f -L -C - \
                  -H "Accept: application/octet-stream" \
                  --retry 3 \
                  --retry-delay 5 \
                  --max-time 1800 \
                  "${modelURL}" \
                  -o "${modelPath}.tmp" && \
                mv "${modelPath}.tmp" "${modelPath}"
              fi
            '';
        };
        # Setup LLama API Service
        llama-cpp = {
          after = [ "download-model.service" ];
          requires = [ "download-model.service" ];
        };
      };
      services.llama-cpp = {
        enable = true;
        host = "0.0.0.0";
        port = 8012;
        openFirewall = true;
        model = "${modelPath}";
        package =
          (pkgs.llama-cpp.override {
            cudaSupport = true;
            blasSupport = true;
            rocmSupport = false;
            metalSupport = false;
          }).overrideAttrs
            (oldAttrs: {
              cmakeFlags = oldAttrs.cmakeFlags ++ [
                "-DGGML_CUDA_ENABLE_UNIFIED_MEMORY=1"
                "-DCMAKE_CUDA_ARCHITECTURES=61" # GTX-1070 / GTX-1080ti
                "-DGGML_NATIVE=ON"
                # Disable CPU Instructions - Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz
                # "-DLLAMA_FMA=OFF"
                # "-DLLAMA_AVX2=OFF"
                # "-DLLAMA_AVX512=OFF"
                # "-DGGML_FMA=OFF"
                # "-DGGML_AVX2=OFF"
                # "-DGGML_AVX512=OFF"
              ];
            });
        extraFlags = [ availableModels.${cfg.modelName}.flag ];
      };
    };
 }
--- a/modules/nixos/services/llama-swap/config.nix
+++ b/modules/nixos/services/llama-swap/config.nix
@@ -0,0 +1,454 @@
 { pkgs }:
 let
  llama-cpp = pkgs.reichard.llama-cpp;
  stable-diffusion-cpp = pkgs.reichard.stable-diffusion-cpp.override {
    cudaSupport = true;
  };
 in
 {
  models = {
    # https://huggingface.co/unsloth/Devstral-Small-2-24B-Instruct-2512-GGUF/tree/main
    "devstral-small-2-instruct" = {
      name = "Devstral Small 2 (24B) - Instruct";
      macros.ctx = "98304";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/Devstral/Devstral-Small-2-24B-Instruct-2512-UD-Q4_K_XL.gguf \
          --chat-template-file /mnt/ssd/Models/Devstral/Devstral-Small-2-24B-Instruct-2512-UD-Q4_K_XL_template.jinja \
          --temp 0.15 \
          -c ''${ctx} \
          -ctk q8_0 \
          -ctv q8_0 \
          -fit off \
          -dev CUDA0
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/GLM-4-32B-0414-GGUF/tree/main
    "glm-4-32b-instruct" = {
      name = "GLM 4 (32B) - Instruct";
      macros.ctx = "32768";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/GLM/GLM-4-32B-0414-Q4_K_M.gguf \
          -c ''${ctx} \
          --temp 0.6 \
          --top-k 40 \
          --top-p 0.95 \
          --min-p 0.0 \
          -fit off \
          -dev CUDA0
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/mradermacher/gpt-oss-20b-heretic-v2-i1-GGUF/tree/main
    "gpt-oss-20b-thinking" = {
      name = "GPT OSS (20B) - Thinking";
      macros.ctx = "131072";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/GPT-OSS/gpt-oss-20b-heretic-v2.i1-MXFP4_MOE.gguf \
          -c ''${ctx} \
          --temp 1.0 \
          --top-p 1.0 \
          --top-k 40 \
          -dev CUDA0
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/mradermacher/GPT-OSS-Cybersecurity-20B-Merged-i1-GGUF/tree/main
    "gpt-oss-csec-20b-thinking" = {
      name = "GPT OSS CSEC (20B) - Thinking";
      macros.ctx = "131072";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/GPT-OSS/GPT-OSS-Cybersecurity-20B-Merged.i1-MXFP4_MOE.gguf \
          -c ''${ctx} \
          --temp 1.0 \
          --top-p 1.0 \
          --top-k 40 \
          -dev CUDA0
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/Qwen3-Next-80B-A3B-Instruct-GGUF/tree/main
    "qwen3-next-80b-instruct" = {
      name = "Qwen3 Next (80B) - Instruct";
      macros.ctx = "262144";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/Qwen3/Qwen3-Next-80B-A3B-Instruct-UD-Q2_K_XL.gguf \
          -c ''${ctx} \
          --temp 0.7 \
          --min-p 0.0 \
          --top-p 0.8 \
          --top-k 20 \
          --repeat-penalty 1.05 \
          -ctk q8_0 \
          -ctv q8_0 \
          -fit off
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/Qwen3-30B-A3B-Instruct-2507-GGUF/tree/main
    "qwen3-30b-2507-instruct" = {
      name = "Qwen3 2507 (30B) - Instruct";
      macros.ctx = "262144";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/Qwen3/Qwen3-30B-A3B-Instruct-2507-Q4_K_M.gguf \
          -c ''${ctx} \
          --temp 0.7 \
          --min-p 0.0 \
          --top-p 0.8 \
          --top-k 20 \
          --presence-penalty 1.0 \
          --repeat-penalty 1.0 \
          -ctk q8_0 \
          -ctv q8_0 \
          -ts 70,30 \
          -fit off
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/Qwen3-Coder-30B-A3B-Instruct-GGUF/tree/main
    "qwen3-coder-30b-instruct" = {
      name = "Qwen3 Coder (30B) - Instruct";
      macros.ctx = "131072";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/Qwen3/Qwen3-Coder-30B-A3B-Instruct-UD-Q6_K_XL.gguf \
          -c ''${ctx} \
          --temp 0.7 \
          --min-p 0.0 \
          --top-p 0.8 \
          --top-k 20 \
          --repeat-penalty 1.05 \
          -ctk q8_0 \
          -ctv q8_0 \
          -ts 70,30 \
          -fit off
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/Qwen3-30B-A3B-Thinking-2507-GGUF/tree/main
    "qwen3-30b-2507-thinking" = {
      name = "Qwen3 2507 (30B) - Thinking";
      macros.ctx = "262144";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/Qwen3/Qwen3-30B-A3B-Thinking-2507-UD-Q4_K_XL.gguf \
          -c ''${ctx} \
          --temp 0.6 \
          --min-p 0.0 \
          --top-p 0.95 \
          --top-k 20 \
          --presence-penalty 1.0 \
          --repeat-penalty 1.0 \
          -ctk q8_0 \
          -ctv q8_0 \
          -ts 70,30 \
          -fit off
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/Nemotron-3-Nano-30B-A3B-GGUF/tree/main
    "nemotron-3-nano-30b-thinking" = {
      name = "Nemotron 3 Nano (30B) - Thinking";
      macros.ctx = "1048576";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/Nemotron/Nemotron-3-Nano-30B-A3B-UD-Q4_K_XL.gguf \
          -c ''${ctx} \
          --temp 1.1 \
          --top-p 0.95 \
          -fit off
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/Qwen3-VL-8B-Instruct-GGUF/tree/main
    "qwen3-8b-vision" = {
      name = "Qwen3 Vision (8B) - Thinking";
      macros.ctx = "65536";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/Qwen3/Qwen3-VL-8B-Instruct-UD-Q4_K_XL.gguf \
          --mmproj /mnt/ssd/Models/Qwen3/Qwen3-VL-8B-Instruct-UD-Q4_K_XL_mmproj-F16.gguf \
          -c ''${ctx} \
          --temp 0.7 \
          --min-p 0.0 \
          --top-p 0.8 \
          --top-k 20 \
          -ctk q8_0 \
          -ctv q8_0 \
          -fit off \
          -dev CUDA1
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/Qwen2.5-Coder-7B-Instruct-128K-GGUF/tree/main
    "qwen2.5-coder-7b-instruct" = {
      name = "Qwen2.5 Coder (7B) - Instruct";
      macros.ctx = "131072";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          -m /mnt/ssd/Models/Qwen2.5/Qwen2.5-Coder-7B-Instruct-Q8_0.gguf \
          --fim-qwen-7b-default \
          -c ''${ctx} \
          --port ''${PORT} \
          -fit off \
          -dev CUDA1
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/Qwen2.5-Coder-3B-Instruct-128K-GGUF/tree/main
    "qwen2.5-coder-3b-instruct" = {
      name = "Qwen2.5 Coder (3B) - Instruct";
      macros.ctx = "131072";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          -m /mnt/ssd/Models/Qwen2.5/Qwen2.5-Coder-3B-Instruct-Q8_0.gguf \
          --fim-qwen-3b-default \
          --port ''${PORT} \
          -c ''${ctx} \
          -fit off \
          -dev CUDA1
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # https://huggingface.co/unsloth/Qwen3-4B-Instruct-2507-GGUF/tree/main
    "qwen3-4b-2507-instruct" = {
      name = "Qwen3 2507 (4B) - Instruct";
      macros.ctx = "98304";
      cmd = ''
        ${llama-cpp}/bin/llama-server \
          --port ''${PORT} \
          -m /mnt/ssd/Models/Qwen3/Qwen3-4B-Instruct-2507-Q4_K_M.gguf \
          -c ''${ctx} \
          -fit off \
          -ctk q8_0 \
          -ctv q8_0 \
          -dev CUDA1
      '';
      metadata = {
        type = [ "text-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    # ---------------------------------------
    # ---------- Stable Diffussion ----------
    # ---------------------------------------
    "z-image-turbo" = {
      name = "Z-Image-Turbo";
      checkEndpoint = "/";
      cmd = ''
        ${stable-diffusion-cpp}/bin/sd-server \
          --listen-port ''${PORT} \
          --diffusion-fa \
          --diffusion-model /mnt/ssd/StableDiffusion/ZImageTurbo/z-image-turbo-Q8_0.gguf \
          --vae /mnt/ssd/StableDiffusion/ZImageTurbo/ae.safetensors \
          --llm /mnt/ssd/Models/Qwen3/Qwen3-4B-Instruct-2507-Q4_K_M.gguf \
          --cfg-scale 1.0 \
          --steps 8 \
          --rng cuda
      '';
      metadata = {
        type = [ "image-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    "qwen-image-edit-2511" = {
      name = "Qwen Image Edit 2511";
      checkEndpoint = "/";
      cmd = ''
        ${stable-diffusion-cpp}/bin/sd-server \
          --listen-port ''${PORT} \
          --diffusion-fa \
          --qwen-image-zero-cond-t \
          --diffusion-model /mnt/ssd/StableDiffusion/QwenImage/qwen-image-edit-2511-Q5_K_M.gguf \
          --vae /mnt/ssd/StableDiffusion/QwenImage/qwen_image_vae.safetensors \
          --llm /mnt/ssd/Models/Qwen2.5/Qwen2.5-VL-7B-Instruct.Q4_K_M.gguf \
          --lora-model-dir /mnt/ssd/StableDiffusion/QwenImage/Loras \
          --cfg-scale 2.5 \
          --sampling-method euler \
          --flow-shift 3 \
          --steps 20 \
          --rng cuda
      '';
      metadata = {
        type = [
          "image-edit"
          "image-generation"
        ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    "qwen-image-2512" = {
      name = "Qwen Image 2512";
      checkEndpoint = "/";
      cmd = ''
        ${stable-diffusion-cpp}/bin/sd-server \
          --listen-port ''${PORT} \
          --diffusion-fa \
          --diffusion-model /mnt/ssd/StableDiffusion/QwenImage/qwen-image-2512-Q5_K_M.gguf \
          --vae /mnt/ssd/StableDiffusion/QwenImage/qwen_image_vae.safetensors \
          --llm /mnt/ssd/Models/Qwen2.5/Qwen2.5-VL-7B-Instruct.Q4_K_M.gguf \
          --lora-model-dir /mnt/ssd/StableDiffusion/QwenImage/Loras \
          --cfg-scale 2.5 \
          --sampling-method euler \
          --flow-shift 3 \
          --steps 20 \
          --rng cuda
      '';
      metadata = {
        type = [ "image-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
    "chroma-radiance" = {
      name = "Chroma Radiance";
      checkEndpoint = "/";
      cmd = ''
        ${stable-diffusion-cpp}/bin/sd-server \
          --listen-port ''${PORT} \
          --diffusion-fa --chroma-disable-dit-mask \
          --diffusion-model /mnt/ssd/StableDiffusion/Chroma/chroma_radiance_x0_q8.gguf \
          --t5xxl /mnt/ssd/StableDiffusion/Chroma/t5xxl_fp16.safetensors \
          --cfg-scale 4.0 \
          --sampling-method euler \
          --rng cuda
      '';
      metadata = {
        type = [ "image-generation" ];
      };
      env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
    };
  };
  groups = {
    shared = {
      swap = true;
      exclusive = false;
      members = [
        "nemotron-3-nano-30b-thinking"
        "qwen3-30b-2507-instruct"
        "qwen3-30b-2507-thinking"
        "qwen3-coder-30b-instruct"
        "qwen3-next-80b-instruct"
      ];
    };
    cuda0 = {
      swap = true;
      exclusive = false;
      members = [
        "devstral-small-2-instruct"
        "glm-4-32b-instruct"
        "gpt-oss-20b-thinking"
        "gpt-oss-csec-20b-thinking"
      ];
    };
    cuda1 = {
      swap = true;
      exclusive = false;
      members = [
        "qwen2.5-coder-3b-instruct"
        "qwen2.5-coder-7b-instruct"
        "qwen3-4b-2507-instruct"
        "qwen3-8b-vision"
      ];
    };
  };
  peers = {
    synthetic = {
      proxy = "https://api.synthetic.new/openai/";
      models = [
        "hf:deepseek-ai/DeepSeek-R1-0528"
        "hf:deepseek-ai/DeepSeek-V3"
        "hf:deepseek-ai/DeepSeek-V3-0324"
        "hf:deepseek-ai/DeepSeek-V3.1"
        "hf:deepseek-ai/DeepSeek-V3.1-Terminus"
        "hf:deepseek-ai/DeepSeek-V3.2"
        "hf:meta-llama/Llama-3.3-70B-Instruct"
        "hf:meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8"
        "hf:MiniMaxAI/MiniMax-M2"
        "hf:MiniMaxAI/MiniMax-M2.1"
        "hf:moonshotai/Kimi-K2-Instruct-0905"
        "hf:moonshotai/Kimi-K2-Thinking"
        "hf:openai/gpt-oss-120b"
        "hf:Qwen/Qwen3-235B-A22B-Instruct-2507"
        "hf:Qwen/Qwen3-235B-A22B-Thinking-2507"
        "hf:Qwen/Qwen3-Coder-480B-A35B-Instruct"
        "hf:Qwen/Qwen3-VL-235B-A22B-Instruct"
        "hf:zai-org/GLM-4.5"
        "hf:zai-org/GLM-4.6"
        "hf:zai-org/GLM-4.7"
      ];
    };
  };
 }
--- a/modules/nixos/services/llama-swap/default.nix
+++ b/modules/nixos/services/llama-swap/default.nix
@@ -0,0 +1,107 @@
 { config
 , lib
 , pkgs
 , namespace
 , ...
 }:
 let
  inherit (lib) mkIf mkEnableOption recursiveUpdate;
  cfg = config.${namespace}.services.llama-swap;
  llama-swap = pkgs.reichard.llama-swap;
 in
 {
  options.${namespace}.services.llama-swap = {
    enable = mkEnableOption "enable llama-swap service";
    config = lib.mkOption {
      type = lib.types.unspecified;
      default = import ./config.nix { inherit pkgs; };
      readOnly = true;
      description = "The llama-swap configuration data";
    };
  };
  config = mkIf cfg.enable {
    # Create User
    users.groups.llama-swap = { };
    users.users.llama-swap = {
      isSystemUser = true;
      group = "llama-swap";
    };
    # Create Service
    systemd.services.llama-swap = {
      description = "Model swapping for LLaMA C++ Server (or any local OpenAPI compatible server)";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "exec";
        ExecStart = "${lib.getExe llama-swap} --listen :8080 --config ${
          config.sops.templates."llama-swap.json".path
        }";
        Restart = "on-failure";
        RestartSec = 3;
        # for GPU acceleration
        PrivateDevices = false;
        # hardening
        User = "llama-swap";
        Group = "llama-swap";
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        NoNewPrivileges = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        MemoryDenyWriteExecute = true;
        LimitMEMLOCK = "infinity";
        LockPersonality = true;
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        SystemCallErrorNumber = "EPERM";
        ProtectProc = "invisible";
        ProtectHostname = true;
        ProcSubset = "pid";
      };
    };
    # Create Config
    sops = {
      secrets.synthetic_apikey = {
        sopsFile = lib.snowfall.fs.get-file "secrets/common/systems.yaml";
      };
      templates."llama-swap.json" = {
        owner = "llama-swap";
        group = "llama-swap";
        mode = "0400";
        content = builtins.toJSON (
          recursiveUpdate cfg.config {
            peers.synthetic.apiKey = config.sops.placeholder.synthetic_apikey;
          }
        );
      };
    };
    networking.firewall.allowedTCPPorts = [ 8080 ];
  };
 }
--- a/modules/nixos/services/openssh/default.nix
+++ b/modules/nixos/services/openssh/default.nix
@@ -14,16 +14,11 @@ let
  cfg = config.${namespace}.services.openssh;
  globalKeys = [
-    # evanreichard@lin-va-mbp-personal
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY evanreichard@lin-va-mbp-personal"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV evanreichard@mac-va-mbp-personal"
-    # evanreichard@mac-va-mbp-personal
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz evanreichard@lin-va-thinkpad"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5e6Cty+7rX5BjIEHBTU6GnzfOxPJiHpSqin/BnsypO evanreichard@lin-va-terminal"
-    # evanreichard@lin-va-thinkpad
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARTNbl4lgQsp7SJEng7vprL0+ChC9e6iR7o/PiC4Jme evanreichard@mobile"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz"
    # evanreichard@lin-va-terminal
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5e6Cty+7rX5BjIEHBTU6GnzfOxPJiHpSqin/BnsypO"
    # evanreichard@mobile
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARTNbl4lgQsp7SJEng7vprL0+ChC9e6iR7o/PiC4Jme"
  ];
 in
 {
--- a/modules/nixos/system/boot/default.nix
+++ b/modules/nixos/system/boot/default.nix
@@ -1,4 +1,8 @@
-{ config, lib, namespace, ... }:
+{ config
 , lib
 , namespace
 , ...
 }:
 let
  inherit (lib) mkIf mkDefault;
  inherit (lib.${namespace}) mkBoolOpt;
@@ -27,7 +31,8 @@ in
    services.xe-guest-utilities.enable = mkIf cfg.xenGuest true;
    boot = {
-      kernelParams = lib.optionals cfg.silentBoot [
+      kernelParams =
        lib.optionals cfg.silentBoot [
          "quiet"
          "loglevel=3"
          "udev.log_level=3"
@@ -35,8 +40,9 @@ in
          "systemd.show_status=auto"
          "rd.systemd.show_status=auto"
          "vt.global_cursor_default=0"
-      ] ++ lib.optionals cfg.showNotch [
+        ]
-        "apple_dcp.show_notch=1"
+        ++ lib.optionals cfg.showNotch [
          "appledrm.show_notch=1"
        ];
      loader = {
@@ -60,10 +66,17 @@ in
      };
      initrd = mkIf cfg.xenGuest {
-        kernelModules = [ "xen_netfront" "xen_blkfront" ];
+        kernelModules = [
          "xen_netfront"
          "xen_blkfront"
        ];
        supportedFilesystems = [ "xenfs" ];
      };
-      kernelModules = mkIf cfg.xenGuest [ "xen_netfront" "xen_blkfront" "xenfs" ];
+      kernelModules = mkIf cfg.xenGuest [
        "xen_netfront"
        "xen_blkfront"
        "xenfs"
      ];
    };
  };
 }
--- a/packages/llama-cpp/default.nix
+++ b/packages/llama-cpp/default.nix
@@ -7,12 +7,12 @@
  vulkanSupport = true;
 }).overrideAttrs
  (oldAttrs: rec {
-    version = "7486";
+    version = "7562";
    src = pkgs.fetchFromGitHub {
      owner = "ggml-org";
      repo = "llama.cpp";
      tag = "b${version}";
-      hash = "sha256-I9wPNI0yn4I0zHge1Y7q+RYqYvHSyJWKAxY3pHbCTuY=";
+      hash = "sha256-yuTPj41B3YitRPrD6yV25ilrIxVKebPGSqdJMpVhUDg=";
      leaveDotGit = true;
      postFetch = ''
        git -C "$out" rev-parse --short HEAD > $out/COMMIT
@@ -22,7 +22,6 @@
    # Auto CPU Optimizations
    cmakeFlags = (oldAttrs.cmakeFlags or [ ]) ++ [
      "-DGGML_NATIVE=ON"
      "-DGGML_CUDA_ENABLE_UNIFIED_MEMORY=1"
      "-DCMAKE_CUDA_ARCHITECTURES=61;86" # GTX 1070 / GTX 1080ti / RTX 3090
    ];
--- a/packages/llama-swap/default.nix
+++ b/packages/llama-swap/default.nix
@@ -13,13 +13,13 @@ let
 in
 buildGoModule (finalAttrs: {
  pname = "llama-swap";
-  version = "176";
+  version = "182";
  src = fetchFromGitHub {
    owner = "mostlygeek";
    repo = "llama-swap";
    tag = "v${finalAttrs.version}";
-    hash = "sha256-nfkuaiEITOmpkiLft3iNW1VUexHwZ36c8gwcQKGANbQ=";
+    hash = "sha256-w/VQS8uCpgniwLiJsH/8IG/AGasRxjCv7fADTfpvWLw=";
    # populate values that require us to use git. By doing this in postFetch we
    # can delete .git afterwards and maintain better reproducibility of the src.
    leaveDotGit = true;
@@ -32,7 +32,7 @@ buildGoModule (finalAttrs: {
    '';
  };
-  vendorHash = "sha256-/EbFyuCVFxHTTO0UwSV3B/6PYUpudxB2FD8nNx1Bb+M=";
+  vendorHash = "sha256-XiDYlw/byu8CWvg4KSPC7m8PGCZXtp08Y1velx4BR8U=";
  passthru.ui = callPackage ./ui.nix { llama-swap = finalAttrs.finalPackage; };
  passthru.npmDepsHash = "sha256-RKPcMwJ0qVOgbTxoGryrLn7AW0Bfmv9WasoY+gw4B30=";
--- a/packages/opencode/default.nix
+++ b/packages/opencode/default.nix
@@ -13,12 +13,12 @@
 }:
 let
  pname = "opencode";
-  version = "1.0.170";
+  version = "1.1.12";
  src = fetchFromGitHub {
-    owner = "sst";
+    owner = "anomalyco";
    repo = "opencode";
    tag = "v${version}";
-    hash = "sha256-Y0thIZ20p0FSBAH0mJfFn8e+OEUvlZyTuk+/yEt8Sy8=";
+    hash = "sha256-k6wRBtWFwyLWJ6R0el3dY/nBlg2t+XkTpsuEseLXp+E=";
  };
  node_modules = stdenvNoCC.mkDerivation {
@@ -75,7 +75,7 @@ let
    # NOTE: Required else we get errors that our fixed-output derivation references store paths
    dontFixup = true;
-    outputHash = "sha256-Aq774bgU12HkrF2oAtfu9kyQFlxUeDbmwlS9lz4Z4ZI=";
+    outputHash = "sha256-vRIWQt02VljcoYG3mwJy8uCihSTB/OLypyw+vt8LuL8=";
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
  };
@@ -95,8 +95,8 @@ stdenvNoCC.mkDerivation (finalAttrs: {
  ];
  patches = [
-    # NOTE: Relax Bun version check to be a warning instead of an error
+    ./relax-bun-version-check.patch # NOTE: Relax Bun version check to be a warning instead of an error
-    ./relax-bun-version-check.patch
+    ./root_fix.patch # https://github.com/anomalyco/opencode/pull/7691
  ];
  configurePhase = ''
--- a/packages/opencode/root_fix.patch
+++ b/packages/opencode/root_fix.patch
@@ -0,0 +1,31 @@
 diff --git i/packages/opencode/src/lsp/server.ts w/packages/opencode/src/lsp/server.ts
 index 24da77edc..b94285ba8 100644
 --- a/packages/opencode/src/lsp/server.ts
 +++ b/packages/opencode/src/lsp/server.ts
@@ -94,7 +94,7 @@ export namespace LSPServer {
     ),
     extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".mts", ".cts"],
     async spawn(root) {
 -      const tsserver = await Bun.resolve("typescript/lib/tsserver.js", Instance.directory).catch(() => {})
 +      const tsserver = await Bun.resolve("typescript/lib/tsserver.js", root).catch(() => {})
       log.info("typescript server", { tsserver })
       if (!tsserver) return
       const proc = spawn(BunProc.which(), ["x", "typescript-language-server", "--stdio"], {
@@ -169,7 +169,7 @@ export namespace LSPServer {
     root: NearestRoot(["package-lock.json", "bun.lockb", "bun.lock", "pnpm-lock.yaml", "yarn.lock"]),
     extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".mts", ".cts", ".vue"],
     async spawn(root) {
 -      const eslint = await Bun.resolve("eslint", Instance.directory).catch(() => {})
 +      const eslint = await Bun.resolve("eslint", root).catch(() => {})
       if (!eslint) return
       log.info("spawning eslint server")
       const serverPath = path.join(Global.Path.bin, "vscode-eslint", "server", "out", "eslintServer.js")
@@ -1081,7 +1081,7 @@ export namespace LSPServer {
     extensions: [".astro"],
     root: NearestRoot(["package-lock.json", "bun.lockb", "bun.lock", "pnpm-lock.yaml", "yarn.lock"]),
     async spawn(root) {
 -      const tsserver = await Bun.resolve("typescript/lib/tsserver.js", Instance.directory).catch(() => {})
 +      const tsserver = await Bun.resolve("typescript/lib/tsserver.js", root).catch(() => {})
       if (!tsserver) {
         log.info("typescript not found, required for Astro language server")
         return
--- a/packages/stable-diffusion-cpp/default.nix
+++ b/packages/stable-diffusion-cpp/default.nix
@@ -0,0 +1,124 @@
 { lib
 , stdenv
 , fetchFromGitHub
 , cmake
 , ninja
 , pkg-config
 , autoAddDriverRunpath
 , config ? { }
 , cudaSupport ? (config.cudaSupport or false)
 , cudaPackages ? { }
 , rocmSupport ? (config.rocmSupport or false)
 , rocmPackages ? { }
 , rocmGpuTargets ? (rocmPackages.clr.localGpuTargets or rocmPackages.clr.gpuTargets or [ ])
 , openclSupport ? false
 , clblast
 , vulkanSupport ? false
 , shaderc
 , vulkan-headers
 , vulkan-loader
 , spirv-tools
 , metalSupport ? (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64)
 , apple-sdk
 ,
 }:
 let
  inherit (lib)
    cmakeBool
    cmakeFeature
    optionals
    ;
  effectiveStdenv = if cudaSupport then cudaPackages.backendStdenv else stdenv;
 in
 effectiveStdenv.mkDerivation (finalAttrs: {
  pname = "stable-diffusion-cpp";
  version = "master-462-c5602a6";
  src = fetchFromGitHub {
    owner = "leejet";
    repo = "stable-diffusion.cpp";
    rev = "master-462-c5602a6";
    hash = "sha256-6uW9k30QqvozJACw+Hv4nRj9PyTzQqY/M0/CWjqrV28=";
    fetchSubmodules = true;
  };
  nativeBuildInputs = [
    cmake
    ninja
    pkg-config
  ]
  ++ optionals cudaSupport [
    (cudaPackages.cuda_nvcc)
    autoAddDriverRunpath
  ];
  buildInputs =
    (optionals cudaSupport (
      with cudaPackages;
      [
        cuda_cccl
        cuda_cudart
        libcublas
      ]
    ))
    ++ (optionals rocmSupport (
      with rocmPackages;
      [
        clr
        hipblas
        rocblas
      ]
    ))
    ++ (optionals vulkanSupport [
      shaderc
      vulkan-headers
      vulkan-loader
      spirv-tools
    ])
    ++ (optionals openclSupport [
      clblast
    ])
    ++ (optionals metalSupport [
      apple-sdk
    ]);
  cmakeFlags = [
    (cmakeBool "SD_BUILD_EXAMPLES" true)
    (cmakeBool "SD_BUILD_SHARED_LIBS" true)
    (cmakeBool "SD_USE_SYSTEM_GGML" false)
    (cmakeBool "SD_CUDA" cudaSupport)
    (cmakeBool "SD_HIPBLAS" rocmSupport)
    (cmakeBool "SD_VULKAN" vulkanSupport)
    (cmakeBool "SD_OPENCL" openclSupport)
    (cmakeBool "SD_METAL" metalSupport)
    (cmakeBool "SD_FAST_SOFTMAX" false)
  ]
  ++ optionals cudaSupport [
    (cmakeFeature "CMAKE_CUDA_ARCHITECTURES" cudaPackages.flags.cmakeCudaArchitecturesString)
  ]
  ++ optionals rocmSupport [
    (cmakeFeature "CMAKE_HIP_ARCHITECTURES" (builtins.concatStringsSep ";" rocmGpuTargets))
  ];
  patchFlags = [ "-p1" ];
  patches = [
    ./lora_enable.patch # https://github.com/leejet/stable-diffusion.cpp/pull/1156
    ./server_mask.patch # https://github.com/leejet/stable-diffusion.cpp/pull/1178
  ];
  meta = with lib; {
    description = "Stable Diffusion inference in pure C/C++";
    homepage = "https://github.com/leejet/stable-diffusion.cpp";
    license = licenses.mit;
    mainProgram = "sd";
    maintainers = with lib.maintainers; [
      dit7ya
      adriangl
    ];
    platforms = platforms.unix;
    badPlatforms = optionals (cudaSupport || openclSupport) platforms.darwin;
    broken = metalSupport && !stdenv.hostPlatform.isDarwin;
  };
 })
--- a/packages/stable-diffusion-cpp/lora_enable.patch
+++ b/packages/stable-diffusion-cpp/lora_enable.patch
@@ -0,0 +1,221 @@
 From 4aaca67479469faab232dc276afe12acdcd7f801 Mon Sep 17 00:00:00 2001
 From: mateusgpe <mushgp@gmail.com>
 Date: Wed, 31 Dec 2025 18:42:23 -0300
 Subject: [PATCH 1/2] fix(server): sanitize LoRA paths and enable dynamic
 loading
 - Implement `sanitize_lora_path` in `SDGenerationParams` to prevent directory traversal attacks via LoRA tags in prompts.
 - Restrict LoRA paths to be relative and strictly within the configured LoRA directory (no subdirectories allowed, optional? drawback: users cannot organize their LoRAs into subfolders.).
 - Update server example to pass `lora_model_dir` to `process_and_check`, enabling LoRA extraction from prompts.
 - Force `LORA_APPLY_AT_RUNTIME` in the server to allow applying LoRAs dynamically per request without reloading the model.
 ---
 examples/common/common.hpp | 67 +++++++++++++++++++++++++++++++++++---
 examples/server/main.cpp   |  5 +--
 2 files changed, 65 insertions(+), 7 deletions(-)
 diff --git a/examples/common/common.hpp b/examples/common/common.hpp
 index 7ea95ed14..7f869868c 100644
 --- a/examples/common/common.hpp
 +++ b/examples/common/common.hpp
@@ -1601,6 +1601,63 @@ struct SDGenerationParams {
         return true;
     }
 +    static bool sanitize_lora_path(const std::string& lora_model_dir,
 +                                   const std::string& raw_path_str,
 +                                   fs::path& full_path) {
 +        if (lora_model_dir.empty()) {
 +            return false;
 +        }
 +
 +        fs::path raw_path(raw_path_str);
 +
 +        // Disallow absolute paths.
 +        if (raw_path.is_absolute()) {
 +            LOG_WARN("lora path must be relative: %s", raw_path_str.c_str());
 +            return false;
 +        }
 +
 +        // Disallow '..' in the raw path to prevent basic traversal attempts.
 +        for (const auto& part : raw_path) {
 +            if (part == "..") {
 +                LOG_WARN("lora path cannot contain '..': %s", raw_path_str.c_str());
 +                return false;
 +            }
 +        }
 +
 +        fs::path lora_dir(lora_model_dir);
 +        full_path = lora_dir / raw_path;
 +
 +        // --- Security Checks on Canonical Path ---
 +        // Canonicalize paths to resolve symlinks and normalize separators for robust checks.
 +        // weakly_canonical is used because the target file might not exist yet.
 +        auto canonical_lora_dir  = fs::weakly_canonical(lora_dir);
 +        auto canonical_full_path = fs::weakly_canonical(full_path);
 +
 +        // 1. The resolved path must not be a directory.
 +        if (fs::is_directory(canonical_full_path)) {
 +            LOG_WARN("lora path resolved to a directory, not a file: %s", raw_path_str.c_str());
 +            return false;
 +        }
 +
 +        // 2. The file must be inside the designated lora directory.
 +        //    We check this by ensuring the relative path does not climb up with '..'.
 +        fs::path relative_path = canonical_full_path.lexically_relative(canonical_lora_dir);
 +        for (const auto& part : relative_path) {
 +            if (part == "..") {
 +                LOG_WARN("lora path is outside of the lora model directory: %s", raw_path_str.c_str());
 +                return false;
 +            }
 +        }
 +
 +        // 3. The file must be directly in the lora directory, not in a subdirectory.
 +        if (relative_path.has_parent_path() && !relative_path.parent_path().empty()) {
 +            LOG_WARN("lora path in subdirectories is not allowed: %s", raw_path_str.c_str());
 +            return false;
 +        }
 +
 +        return true;
 +    }
 +
     void extract_and_remove_lora(const std::string& lora_model_dir) {
         if (lora_model_dir.empty()) {
             return;
@@ -1632,10 +1689,10 @@ struct SDGenerationParams {
             }
             fs::path final_path;
 -            if (is_absolute_path(raw_path)) {
 -                final_path = raw_path;
 -            } else {
 -                final_path = fs::path(lora_model_dir) / raw_path;
 +            if (!sanitize_lora_path(lora_model_dir, raw_path, final_path)) {
 +                tmp    = m.suffix().str();
 +                prompt = std::regex_replace(prompt, re, "", std::regex_constants::format_first_only);
 +                continue;
             }
             if (!fs::exists(final_path)) {
                 bool found = false;
@@ -1643,7 +1700,7 @@ struct SDGenerationParams {
                     fs::path try_path = final_path;
                     try_path += ext;
                     if (fs::exists(try_path)) {
 -                        final_path = try_path;
 +                        final_path = try_path.lexically_normal();
                         found      = true;
                         break;
                     }
 diff --git a/examples/server/main.cpp b/examples/server/main.cpp
 index c540958f8..69c75d322 100644
 --- a/examples/server/main.cpp
 +++ b/examples/server/main.cpp
@@ -293,6 +293,7 @@ int main(int argc, const char** argv) {
     LOG_DEBUG("%s", default_gen_params.to_string().c_str());
     sd_ctx_params_t sd_ctx_params = ctx_params.to_sd_ctx_params_t(false, false, false);
 +    ctx_params.lora_apply_mode = LORA_APPLY_AT_RUNTIME;
     sd_ctx_t* sd_ctx              = new_sd_ctx(&sd_ctx_params);
     if (sd_ctx == nullptr) {
@@ -414,7 +415,7 @@ int main(int argc, const char** argv) {
                 return;
             }
 -            if (!gen_params.process_and_check(IMG_GEN, "")) {
 +            if (!gen_params.process_and_check(IMG_GEN, ctx_params.lora_model_dir)) {
                 res.status = 400;
                 res.set_content(R"({"error":"invalid params"})", "application/json");
                 return;
@@ -592,7 +593,7 @@ int main(int argc, const char** argv) {
                 return;
             }
 -            if (!gen_params.process_and_check(IMG_GEN, "")) {
 +            if (!gen_params.process_and_check(IMG_GEN, ctx_params.lora_model_dir)) {
                 res.status = 400;
                 res.set_content(R"({"error":"invalid params"})", "application/json");
                 return;
 From 4b80b61003aa06f41c6bdec47ff926e37007b87d Mon Sep 17 00:00:00 2001
 From: mateusgpe <mushgp@gmail.com>
 Date: Thu, 1 Jan 2026 15:24:01 -0300
 Subject: [PATCH 2/2] fix: sanitize LoRA paths and enable dynamic loading
 - Remove the restriction that LoRA models must be in the root of the LoRA directory, allowing them to be organized in subfolders.
 - Refactor the directory containment check to use `std::mismatch` instead of `lexically_relative` to verify the path is inside the allowed root.
 - Remove redundant `lexically_normal()` call when resolving file extensions.
 ---
 examples/common/common.hpp | 29 ++++++++++-------------------
 1 file changed, 10 insertions(+), 19 deletions(-)
 diff --git a/examples/common/common.hpp b/examples/common/common.hpp
 index 7f869868c..a2e919409 100644
 --- a/examples/common/common.hpp
 +++ b/examples/common/common.hpp
@@ -1610,13 +1610,12 @@ struct SDGenerationParams {
         fs::path raw_path(raw_path_str);
 -        // Disallow absolute paths.
 +        // Disallow absolute paths and '..' components
         if (raw_path.is_absolute()) {
             LOG_WARN("lora path must be relative: %s", raw_path_str.c_str());
             return false;
         }
 -        // Disallow '..' in the raw path to prevent basic traversal attempts.
         for (const auto& part : raw_path) {
             if (part == "..") {
                 LOG_WARN("lora path cannot contain '..': %s", raw_path_str.c_str());
@@ -1624,34 +1623,26 @@ struct SDGenerationParams {
             }
         }
 +        // Construct and canonicalize paths
         fs::path lora_dir(lora_model_dir);
         full_path = lora_dir / raw_path;
 -        // --- Security Checks on Canonical Path ---
 -        // Canonicalize paths to resolve symlinks and normalize separators for robust checks.
 -        // weakly_canonical is used because the target file might not exist yet.
         auto canonical_lora_dir  = fs::weakly_canonical(lora_dir);
         auto canonical_full_path = fs::weakly_canonical(full_path);
 -        // 1. The resolved path must not be a directory.
 +        // Check if path is a directory
         if (fs::is_directory(canonical_full_path)) {
             LOG_WARN("lora path resolved to a directory, not a file: %s", raw_path_str.c_str());
             return false;
         }
 -        // 2. The file must be inside the designated lora directory.
 -        //    We check this by ensuring the relative path does not climb up with '..'.
 -        fs::path relative_path = canonical_full_path.lexically_relative(canonical_lora_dir);
 -        for (const auto& part : relative_path) {
 -            if (part == "..") {
 -                LOG_WARN("lora path is outside of the lora model directory: %s", raw_path_str.c_str());
 -                return false;
 -            }
 -        }
 +        // Verify path stays within lora directory
 +        auto [root_end, nothing] = std::mismatch(
 +            canonical_lora_dir.begin(), canonical_lora_dir.end(),
 +            canonical_full_path.begin(), canonical_full_path.end());
 -        // 3. The file must be directly in the lora directory, not in a subdirectory.
 -        if (relative_path.has_parent_path() && !relative_path.parent_path().empty()) {
 -            LOG_WARN("lora path in subdirectories is not allowed: %s", raw_path_str.c_str());
 +        if (root_end != canonical_lora_dir.end()) {
 +            LOG_WARN("lora path is outside of the lora model directory: %s", raw_path_str.c_str());
             return false;
         }
@@ -1700,7 +1691,7 @@ struct SDGenerationParams {
                     fs::path try_path = final_path;
                     try_path += ext;
                     if (fs::exists(try_path)) {
 -                        final_path = try_path.lexically_normal();
 +                        final_path = try_path;
                         found      = true;
                         break;
                     }
--- a/packages/stable-diffusion-cpp/server_mask.patch
+++ b/packages/stable-diffusion-cpp/server_mask.patch
@@ -0,0 +1,13 @@
 diff --git i/examples/server/main.cpp w/examples/server/main.cpp
 index 9fa8804..b15daca 100644
 --- i/examples/server/main.cpp
 +++ w/examples/server/main.cpp
@@ -537,7 +537,7 @@ int main(int argc, const char** argv) {
             }
             std::vector<uint8_t> mask_bytes;
 -            if (req.form.has_field("mask")) {
 +            if (req.form.has_file("mask")) {
                 auto file = req.form.get_file("mask");
                 mask_bytes.assign(file.content.begin(), file.content.end());
             }
--- a/secrets/common/evanreichard.yaml
+++ b/secrets/common/evanreichard.yaml
@@ -0,0 +1,44 @@
 context7_apikey: ENC[AES256_GCM,data:K8/OoJMWBhN3ufmTa/tAiD3iMergDZQ1OBucUtLsrg+L26DXDPAko9D41w==,iv:/IVpaaPivUTn2rbIAPIwyN5nb7TmtDh05YlMdOlBkhE=,tag:0XJfoNlDelBwMXMAAqKjtQ==,type:str]
 rke2_kubeconfig: ENC[AES256_GCM,data:DLH4BNrQgkANalwz05S+zs7ak6G6hxJx/VqNyVxlBeVY3tvwVc5jxwva/WWEvy3Aoncf8V12XD6Tir8ste4j9OlFLYkb+yhHRTB+EavrmKWyZ/w7d2EKIMr/535DoZgfhFhlUqxLw6QR5lMFv6Md/vLDj/nj47cIGx302m5Lk10N/7Ltngvjx6GG1AZs8pQAKMhFuKJLzWL4xT5DcxcgfX5j50f8hOJ7DWIbLZfiFAi/ipUFo6GGjFgNpoLfpGJvw6LGw1t+Wr6f0NuWHwCNhR4Aj/Dff13XX6TW7o8sOXgN8RejNTnN4ntMBwA+eH3i9aQ3E2U3K3zgAGgERFrjg+c5p/y/sCWxNx+3v0Hkqj5WqF4k7PvGhG4S5eAJ85UpAlxtFBVO5LU0B7M9OH8K+ie+N/ZitJWBM0F2Pq2g8VKDcsJoEUotc3yoWCicjPH9Ohu55balf9L/xDrn+EfmmIGuHRT1GMwLiOVBolOO4tJF26sNuTONGJ5abrE6divNN3DPjZgPNNfX04wn4j5icT/omArwszpvw8zgtL+k2pA1aHRFoVqmT4sIgIJJrhXDCoG5f9/9q7gddVCfbXXhHV/GO0NKZnXRzIMF7ya2ntnLIBCBy3pIvhau1JJkMkKkEZT/pcExOMqAJzLoRc+oZz5TDhB5tE8H+AZD6tZJ2CsaIfRcKqo6QODcstpP+pSjg49t5DqJ/BkdlsQDBQyuSWz5JmGNMzp1jkwOajoS8qGu9jhQIQO/pj8RK859uRkm4fr4DmhPya13T+tILUf8+RN2ZyTn2+rdsDFD72CUm5WsOGg9plFAvWPArn0RLgMHMRb37Ggt3dCF7GESyQ1Owz3NBmrWVrCXB75FcIdCmCZG2OXP3yrYvihV4iLykq+myUZW+a5SnfLeZoB/gGCC2whcw+J3srQrFLlTfQ9eRYxSxsDCExTb6RmvZ6xYP22kSqtlQGrqmyBsHzpfVxZKL6h+kxZ16IMhXvkwjPUIsa8YysKXtrDLWW7U/sCbrYpfJU+cQ2zILtBBGLaaoeLAG/g2GNleEcLrUz9CS3ttf33GU3d2b1d83sAKMrB6fgma+wBsq1TC56m5G2aQs/Y5opqNIvWKWSSENXRRWmeLYJLBqvHiGtfL7kjGLli5cgcF0NuhK36AXrvoyAv+mfcgiNbWjLXOwlerHR1ByxKpYPO2CMmvVGlX4rQI74/UHfWX3MaagwXQLK/jQP7YjYHl1VivLy9ljfO1WOG0ruGmb6WJZhpuhTHB1cchiKSbxdZFP17mN+UxwuPtHAbQSxq0hL986bH1Jju4Dt4KkuAEqpHSrdHmRaT1Geovt7P3YsXh6eEAC7PHc0GhiaDCsacGMSzcqVYCFCbTg6PWx951jX7eLmh8KCBYObs0c7Wt4dLXaIYgH1nZgHt3CPkJ84O2O2UgssNjpeGz9HBXo20DwnUz/snKwKbUaMppRCPhag+zhkbBtH9SGq3GO0sXtAv4Imdm6nCfi+oBIvXw/91B82WuNUbAboU5kizOLGR4+vDAF6px5C7yfwVBaEQohkaKsQNDumpMDUFOO7gMNBHw3x5GD9+pG27bOIGcNTiaBhpFqbaaWcwyNMCmlSHqCEuOHEIeDJeRAgJXmVKp2bggTSoICIbY6Ar7ELNQ7IjRNJNxQKuoG42g1Wc054ScU+ClVkA5HYWfyrN8KSQaqUsucmqeAldR9PX7k1x8E4pi0C0fgtVumLam8uLx7d2s72ALh7EZ6uPC4Vuws/xtLlCrKtmIz37iXZQjOJ4pfHZCXzqJLrFW9vaYelK1RGt/dERvJqagjmVwQGSvP4o20KcqkCJlEtNvH4yKUKf9NbcGcaFvwhOdxew0BJDh8BN2VK7LBZcFquA5cYVOYLohBLPTw+RyWXCL7V2O6XThECOnOC+O1eKV8OAkTtSl6ywSDh9CxtWf43rmSz1SXEZlMIiGjG2YRVLaGf2gPpP9fbaNKH3GuXlfQAuplOyENWhIm5uIxg7ty2SFEHqHozjrOBPYgFN+Db96StcU6z9VDdNoEUEj/jyRlWBS+g60xze1Xu7vJ+cawvqBC5bXoK2Qx/b8JKQmlWt9A4W1dbUc+2Tqze1nsmG759o4r91aZllvDqN0IWmNQzNEYNi30pEqvrqWdRVno6r0Iwriwo9LfA1s84WU9RRpODBJLXZBPJ3iju0ejye1LqejgPn1fbgCvwLdJM/rFXTQQmup8ud6dHnVmGPcs1y+qIM47dev4g0KbeCbWLUAPhBjJk2WR2XYUSZOls3ZH4ITMkf+8cSap7JQC/j/aTiIkF4vTsh2aVJbyZWe1tdIz1IYcgQmcP50+DW/Lnx/YeBHBOPwrAMZlIiH7O017h74VBDLzIVNbamvVffZtO5NepWlwUz6zvU0Qvpqo37GFxs+EzgwkGAcyzOXU249bzGuD5K8GR4Tg+fAk+Hvvj5z6m93dmROC4HPX8Tr6qnCtlDX9LoKHPbF1V/KNLZ5fTgM3d2uqas2/EJfpRUKIHlP2jUAmHsj7j+KIYaItPkSe2lm+IBKSoIBmRE94ZSgQwdd6iqH630DBOvGcIGwmLGqRNLRT1+NwwIq9R3vdM/nh1Bk4oEKKkEFRtqldyEsqHa+21wNyUfDlb8B8VsE45Gn4tWaxBEAJf97iF+Csu6kK1h3GtBhkrK5aiH9gn5xnjWbXaqf9nYPZBC+WTVzPPDP3Q9yMAWoxqnbOKCHMjN0+it2ze66w2Hn6WWlt2SLvOKQkS4mp0Jb6AJy/8lxQN0m5ZpLALHOONBB5DLycjZ++4rGhex+ttDeb4R88AS8IlbirGWxge4Pkoxy58nLVRKbOPn6wtW5754bfUvwQco6igqgDrjsSWcQdCT+4g3hPJZJ3CXZ/XIR4MBr3kVgndnBBt6BgkdkB3UYifadG+E3WQhEkTP5tXzeqdVz9fqf0y+/AnAe3gJD7pJRAtulGEHMkhT5HpSHiBDaeVzIJiXL9J849AG/nCZHA5BaTx0xVq/K/WLMSJ9163AF6HgIpb6fF6BFD3eE/vV/xOJonUsvDebYButBPUHqKguNpjnNzoL4xN2Hp56qmo9RymxZrGOesOG4f8k6mvu+0+8C/lqn2kJpFYPlpRFrUuDdS5WBhUG9h/UG3HzY5IRqxPnRXNESbQJdKcSIpX73dTxg5y3vJTBIsZlSG3VpR0vRYfFvY4p+x4i27fE1d74BZcwNMKPsyeZC2YEGzgu3kdB42IGVyZcq6TkpjERLgt9YVAQDinmWSQsstQO+scOfzNY8o8iQdGspkwYFwW/AslZGwf4coxD4INNIAekfPk/utIcz/AOr1PEsz6gIS/U4Wg88ANaAp89ESNemjV4h3Op5pvmIna0KFX19QW777mSnkYWhT/Berm/FmQwziCAy0kUGIcjtjNhNQO7t0UjeHueZdiop25KoLkxBRQUp5vMCS2GSlvth5kkqeRUzawnU8dYyELJX+IbvNvjxx/1KkPbc/a5gIq5rSRTx1VPiPNBnwhqp++BRV1+vfeFVBV0+REY2jhsnbckAbeiLxaGo9V4s1dfS4i4u6A3iB/mbz6Lz4CL8fXFfik6233moOyB2NXsUGAzO8uXkjMgbrjK52ySrb/JZ4Dw5sJjoa0qCIR+a2ckD3ASFrrJVHafbkHTvJbG1uyP+rLqn4nz43UUfHDiKzYDkFT0VN8PPjnWYP5p3v/DYfbQYK2QBJyQVr33ssSlwEgH5HJIm7rAtf5nYA+Trsox+HU7/+/UwgVm1sF0hwEGxeeFaOirWEGdWpeq3MacvskjPyqtWZ+sPlYndo5setvFdCEIoeEv0QfLJzI30zTr8pcopwZLZS+TNrHqZWziDHPy+ssszghPANKWmziOKah+UJSU+xoQ2Z9Y4PTCZJFR9TCIhWYE4eXB+GJ5cH6b/mpI2THNN28cM,iv:rAkcmlrQuax2Khog8KOtoYcPC63Pv2X/NgM6aVGEmyQ=,tag:9wUJYjTF277eqrrvxOFS3w==,type:str]
 sops:
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQTZkSS9RVXdEOW8zeFdh
            UWVUS2Zac2FwTm5wd2tNbVp3RGpPT3ltWTNRCkduTzZ4bzI2ekI3b2JOam0rMmpF
            RWFsTW4xZWw4MnBsZFdMTWVXK1MrVjgKLS0tIHFDblJTbnJoeGhLNFRhZ1MrQWMx
            RjE2c2hGbWtubUlTUUZNenBOMUpaQUUKJuuITY+LTX5c4BIxJfHcJqDKRyEdwk4P
            yFvFB7WnxdJBODk3m+by6Y4HDUkd0GjvUDegazT2e7/jX9kGMlMAog==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRlB1UFhRWDNPVWZ5U05J
            aENEdXA2em4vV2ZPUDVJMTU1cU8yd3VxcmcwCmVPT0JDcE9jc1ZsQzdoeE0xQVUx
            SXBydmFPT3BOYXVMYmVVQzFkZUVacDAKLS0tIGZXZGZEaElJZ2NpTGdYR0o5ek5z
            UTIxQ2tiaUVDKzU0YVRqelVsb1NqcjAKoTULI81692/CS8kiIdnwDaNu6XBBchkS
            niK4hBgwTC7F8BtyoYbzdjTdP5DDMOTQYaQbcJRWlHv71e/Np75UVQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ejdFVHVabDlpdzl5cUw2
            N2UzSUV5VkVXdUZNRzkxQWRmWTZJLzVRM1JJCks5WVdVMEt6enp1a0xWajZUUi9G
            amFvckVueCs4ZFczTUZuRjlReHlkUmcKLS0tIGpvVE9ET0M3N0lyamc5bWxJZis2
            cGhQN3B4OUFGbXhMb2VwMFBBT0F4amcKlbWZbECEZFd5SOUemw7uCj9qSuYSPNTP
            kb8RyUTVSNOpfdVckBOfgjZq9G4CLH+Ypl+buwqyO/jrSEGjQjpDrg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1avlhszrryt4gf4ya536jhzm7qwt9xfttm8x4sns6h9w2tahzqp8sspz9y5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhWGhFWVFCcGZKQ2FRbDkz
            MVZTKzJZblcwM2ZBanJTOE4zNXpnWkx4RVNNCjNaQW9IcHJjaVdXK1Yrdm9zNUM0
            RVAwa0VGd3FkYkNCck1Ham5EZG9MTUkKLS0tIFF5WEJFS1VqTytFTGkxUEs5MUdW
            TmgrVUFoUFJsMFNTbE4rQmtKelhCWHcKsFxYaS2QABbyTplVAsACUveK2Q640tei
            YYR2d56OLzZQqfnqE+lpR29zVvT1Q6yq2LJmj1GamhJPBIdeclvMIg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-12T02:52:28Z"
    mac: ENC[AES256_GCM,data:CYI9KKsr2zCnuw0wqrQk2yuJ91t818Ww0iqGP5j7mWATCNmg7V+gPivRVry3riqH+yVQm+v4J6coUFQyyngqPfLfHT1XybKtHbCP+vBxyU9YJc5DjZb1gatiJHHSNSUKDgU5bHn1/0ND+yK5o2iE16spCqXkBnSkxjtG7IkqXpA=,iv:vA3tIMvWe94/6npAmSi1AGn6gltPjkkxhbQZPFyTvec=,tag:+7eXnqA/EuaFsQvoWOqTMg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/common/systems.yaml
+++ b/secrets/common/systems.yaml
@@ -0,0 +1,35 @@
 synthetic_apikey: ENC[AES256_GCM,data:hs/50QG6DHyoSc306NX8lo7Y26QkdgMsFRKcMRKMD7OmPIF5,iv:uYRgiqPZ30IECqYLH/4v1FwAX0ZzU32jUj5GO3R4Hxc=,tag:pvip34Jvg6Cma7nbksBZZQ==,type:str]
 builder_ssh_key: ENC[AES256_GCM,data:JFky9teEUjj1GqVt/wKMH+YD6CMj7AQZ/J4JzCvvm5NgMWkCHJ6ipryq5nwklRkfUcUo3SzMutORxDytLeugyZ1Z8UlBBp/S+BwWHrzr8BcAnvFDxiIYtpf6n1hlpTixKiP5Z6HM/JMIbfnHlzyN7Ggk21oVCv8m7MTH8U6MShEOm+SuVM65Ibf8yBWcOkb7IHNodMvJfhUnU67ymWqVeujzosqTAvEf8cWFzl+E1lRcjM+zJ25WlhEd98jBDaL5gFfgDpbMiW+/oT2Ibq2FZzgwM+0Ye4OMMQUVxfPhh64DZrnmfSYZlYjfsA84DdaFko//zvslz+qFTv95f6SVxk1JQoX666J7naASfwf+Vv3foplsFBJvi0SDhlLC/92m/w/El777wrKZuBxjXSB7M0WqSobb9QHP+/03ktetGbckyNj+jotEylR2vx6kwPtQyf+VcmIU0RrX/EUJxVL9HPF3va3Ot0v2dzYkGHDeVbH+5QbjTt40wSjO1RH5rXR6liOGNt+5LsDBXfkF1TxKJcxnuwtjWknCS4w9BqhzqZ4bV44=,iv:HVtYNFnMe9WPdcbYjfEhmU7Zqd23j7amv/HA+hO6Rao=,tag:ZA0YdBPy9m4r8JSUrY37PA==,type:str]
 sops:
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNzNQMlF1MGI2TkQxZFl1
            WGV2d3lVTVFRSmQwamx5eG9NRi92WWF4U0JrClF2SWdaNStwK1UraUF5Z2RpQ0dQ
            TGs4angrM1lrWkZzVm9EU2xoV1hieWcKLS0tIFVHN3hlVFFnSElpcTJvUDRwdVlU
            OVNDc0VpbDVmUmlwS3lHTlFBaGZ0UEkKMhxvuNH2lw2rn31G26u9ur8ShHRCZQHg
            PXPPBxMmbuoU4t5g1ongWqERG85YgOAOMO3werVw0Iw49AtQQzGE8w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mxjrvjxkn69kfn2np3wpd73g44fuhsgykw7l5ss9rx30em5jfp2scnrq32
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YTZUMUNUeElqbmFKanc2
            TklFbk8yTU93YUFTUW4vM3BwREgzditnSFMwCk1nNW1XWnBBWXBTb3k4enpwZlVQ
            bFVwNkNWOHZ3MTZUSjN4SWZYaDFzak0KLS0tIEtLYUhvNFVkOUp0QzVOei9XTm9C
            ZVNmVktSNDYxdGFvRUpmYnlJbGFHQTgKf7ovzPU3Vo84gwGTKU/SNCy+76WY88ve
            ZPkJ29D8BeaEwFCbNcDOygwiKGSFYV31a+2zYnTP4j5pf01d2it2eQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13gymlygyac9z2slecl53jp8spq7e8n4zkan86n0gmnm3nrj4muxqa5ullm
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c2dEWVRDbzYxeWkyRmdo
            RzdBcm9UbXE5Q01zeHRxMisxajlDMnMvZW5vCm9pMEVlU3pEUGpoNmFlRlV4OXJ4
            QXg5ZTZSVkMzcTlFc2cvNzVQR2ZwelEKLS0tIDhhQmtGYTZjcEZwMXJoMjdMNVFt
            aHc4a3UvZUFRNzRtQTc2NTloWE0zdkUKL5FRH7D8MlR8ofvIieFqIStwEXQUvu2w
            +/SHKsi3lt9/1Vkk/Jlm1aymglp3ZdGVzTS/cxpM43VDDx+E3HYOQQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-12T02:56:42Z"
    mac: ENC[AES256_GCM,data:R6s3ErVrw2nvRhkCdiaa6FCmIxBKZGQggQX5bYe1xmhIXuujsl9NZ9aqlzlS1XvVDICJEIbryfoEnOqSCrY/vAmdlKNfzakZqLZRrkfOZed6PWFWjk3SX6HmuMR9dQSQgLRlDZINZcKMNE0kuLL+mx4bo8lV84VoqMHGHtkwAJI=,iv:NCh3zDMEiYcrYxPxP5lfGWYwWLl1/yylq7+gTEHyWF4=,tag:t7MOwGHejUFotIBi7kfecw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@@ -1,22 +0,0 @@
 builder_ssh_key: ENC[AES256_GCM,data:7WoeR4Fc9FQrTHsujqlIm/b0ASJuLQcWUwIeMqQ4wk9WEFrwycnMyoxzPyZ2oxRqmUp0LY2DFWaByOAABhKRN6oQFFse8ol4KOr4EZkFR131bFy8WhJaJWq6VZo8gLv+1hHo1etLeoNl/fwBVixqrqBibEWWBtTSlvEE6PYFPV/BcW/LfFaabnhmRjIEL5hCqcQTlBqPq9jMt6ALWcj42mdzsbamRWbaN0/W5QkcKDPTIfALMdJ36VR38+slOkkmxPGJFUMhgL08SgOcnitSevvo+hq6xkGhXY8hnV1lk9nC9o8MXYURacPobqW88fx145ez8a+o2xSjm3E/+KoGfGsWSatqrKqTMfm6pJndvf5JeCTCMER2sCZCF620OJ2fZM6VS/XwMzQjLQICFGMCKZm8RQEKhPjyPVVbu5voa9KNxdWp7l40Ya86dty2oUR56CB8lHB32uWiZAMR9v8LytUkoOy/8LZpfbRVIHm7nnywNirnve+81egixUz9t+vgZ2u7vL2LzzApWUjcLa/1pFVTPwspYJDohMSGtpHtmAInN80=,iv:emhMHi7Htuy7quNbKPNb/TdqkuDeHbYym1ubEeDOfls=,tag:pJGBVr69QbT1FerG153gUA==,type:str]
 rke2_kubeconfig: ENC[AES256_GCM,data:ZfqWAsIcx2h/cyrfkcyQXrO+dzYF7JRkplj3Y9mm4oEiQKeG7xeYdtNAE112PdFfLcI00HQRaKbzrcNBbG1M+kUQZROUk47sr7AqpeRxJIob1ZoTgwN98gQ1W0ikPFYBUw4HIVxmY9wuNyqDk54LNwu47A3hMUmCLEv8sPkk8r7lhA9Vf3HTtTbQBK8VBa5059YJyEIpZjMMaXPZReIR6Gka9qsZ4d1F1B8VYu+fBH2ZIKtG1HMCXzl/RvjaCqtlrk5AptooSQ/upOMq6omHWfBf8oty/0o6yasxYldMawetUW55TOm12QlgdmbDkXqeMAai03N3tj8zMESOVEHVxRzjosVTq4u5DzPAMmLFAk5NYaPpd5c6jlM2Gk7pT9v+X+n+GGYW9xfYLURe1sSy/yWmLXhEhOzLXkyc1T3M1bHWqnXDXfU1bhXWVLKwNDmuS96YWHb1o+Qr+3HTUCPQa70M9Va18O+pERD0Yj/Jz1HxwyAHKClRs06Lo73gl3eY7lOGhnafRSyxR91oMXs+ijSfFk8CNEA/PxKPaXUoKpDLpM6+iPnEmnsAT/kV9IrqnevsIABtzWMR6XHQbRodPowsx2zlSgzJfLkVZ37dsZawALv1FN/XOtrW53Zt8BGK3dIwIM1tRy6nR+UKoN8mQ4KI43MNZ7A7CagCAkWbs3AserDqU+4VYIF/biLVA9q+tZZory7lLraLpByVa2Mi1/JFUW23PyW6fa9nVvBDonzs5M4N7p4/Yw9rdWBWC/1ZQIvSKbTIla+mtDKX6GTlEAsaoJOFc+F8fX8FxGEZtxoXENshoyAvsQSihUbdsKkjDQAIcZ0lHAUKLJyJZSWFRkQsl64MkvBJwGedsMq/zzU8K96iBojYLQspPq8Yp612nxQahRyxAXWFvYAfMmxMqhSbEYuJA62DSUA1KwILZx7yPfKZWXLQzGDnpGyFRuORP+ZjANGXo1eqAED4cHqwZCHTo6q6Zh9zN4Y4jrO/z4G16PwheAi/WTJswzdI83J9FAR3TrKAGyf3a5hR03BNVHBbO+I6dX/Rhwp0eIdR0MPVXJE+CshcTixQNKWK7SRmpDQemAQq3g6c4i5DWB9PUlipkry+pcQzsz1omPLGjf/2Mz2CAdvPnjCYfeTeFxz42s6VJHBBd5Sgg/7ONQTj6QpvFhpP2u8aWmgbPnV3n0phejq9Bpj1lEEEN5JZlU2Swj6t6rtFD5fAZUu3L5FRPg5xZhCV0zu4VXuaEflPdidK35b0jIiz22qpAkw+/0vh36u+kkUOabgpnt+I3CqeCilRuq6tIvtIx2AHFZ4Y9WdfXpjd/BEl2GY8VrxSWzpXS0YYWiNwypJx/J1zzmZZO6G7QcKSpIuoULM4uneBlaZurjXdVT8QzupUmX+CVyXHZUTXX3tM0rFnuDG3uGjOUM+67kS/zd3LJk8fnY1awU08gTOrs7qIDIzqEaEVxvK60XcBqc4dDYG+FTKEOEOi88WGIZH12gFy49epciPaTQMxcKbRftE9R1fZNdze1PwX2lrm891KTBD7YwFJkUin88Ype7bQNI4Djyca0TumZjYKok1AoSzjLTJGYOmiZg9wYyN+6m/FrdM0krgUQzvErtfSFryX4XaLbpPJnpRcdzoiNzwwuVYMLn5mBhj4m08gjiiHQlVlSMSJxpXi6GdXqrMCDudDHyPX5LHh21e2wajZ59p1Y42Gew1dOOP+M/5/0PrwDvqKhUWgAp2q8PzQuQ+ZyCq63jVpTI0/BskiD1iQBwQFDN2A32V9xymnkuS1pKn9xnosNMWVR3R9l6sLQDxH6vJcCEqWvCmxg8n5nfPtgx0E+clmmFFHVQ/xmXbe1lKS1o/M5dLHDG3CdrUpSEf8IC7/qkhaG8d3EmKGFskwJcbpPSzCJfMLS1JuYGJL/m7jqSI5JJ+KzTlPQCjubW74+EEvScTIaQP7e+RtE60LbgkwLprIEfCao3I+P0W4YgqLfE/xF4NQ3qVy3vrXOVGJSR4e0R3rI9RiuHmYoduldqtLr8rhqVqbU33q9s1ifL/62Rh2ZnXcnP4w75eH1EtunucZ2ml9QwHbpG0liKrthvPlmUNVsOhWdwlUfHrCUs8sgLNwW98mgG+7Kva4edejNmaEq/43TtN/RBmrNanB0Dp2SIeEbYRFfLqWGCtIRJpeJF227ggJXxt3fZnCW1eiEihDLKfc3hz+7zo/QlkBkbbj9D1BRURieH7DCr8cvymKa1QL9nRl0aJzWvMg//Q8/nMA23qBays34s4EUrcDin6AnUZIu63eAvxtcesPDTVq31+NatLmty21VG3mk7s7yw1dDwJncCXQ6zYp+SOC90xMFUR++FYcpX6qFiRGk7qNln9hnllwu1SqQYgV/w9MmD6GYLk+/xCUWK3kbCjWZ0Nhxkk+A3snUealYeeK75fZfL8TlAkgKqpRL1KlY3jrDe2rgzQyrHb7AoLukf2RJcXwu3GBP9PLQjJSSJw3vEHltCDnt7YR2KRA5NvJw429brs/4RvkBlX2a593swY63YthWinhCs6I3kgiDVaycpiQit4HCwMATAnhkzD590QLgf/am+7vcQlxl1MCtG6V+mBSIDQw17kxfrq/P18MyKixtREI/TW2lT127JvMlH3Te3f5KDQNyWc5oUP8bsfvxpZ6nO6xrUY1pZ+1eCsapkNalLH5x4yk3viGHiWS7ow44jjaCDraL/YCvGN+7SHjDBIWRpt+/ncrjezxWJa2yN29y+JrJgRxHYmfmZVMHxPGZ9aexCRHxnTVgwlT577VTDltqYi9CC0kQmTPt3CZzSiOP8ht4gwHNuNjNus8qGT9w7nYd81ViCYV/VpMRKmq9cR3rY75U6BU8QO74hFTfDigmGBPxXwGuhWZEWMbmK1Xl867xybVj9UTHhdbgnhta0J9RXm29A9YL3RMdL/DDZNQGq2eMK4CDq2l9X7UdPqbJphXfCv1AmCdufdvzEAq8kVEw5+RQxEOVV0g84G8bH5dOKfOwr7b9Bogtg37+j5pLPJzcoRKl3NynlWMGZVcnkEgRqmzFreXAYIyScE16rIzeEHdL5ngvm9EcPQfAWz6CvylrK7Bl91pJonNYprSqHUO0F4K4/kscm4j90kD5wpGOcrwke2+OI3oqez7QPmfzKnYoSrtcXqbt9lnluqobdYsCHY6mUjn4utROUD+g7gW5yYkxC7R1ySvvt5t63rOX6QH4UP9Uz7dCpo831vMHQ8Am+VFNbLXirq6/2P4TKTnScSQh/OnJ8Sx0/zxbPAb3jwzmx/eFAd+eazL0hCGTnh/D0WxcqfxTItOllsKUGX+md2VAoJQLra07gMJlh1tuDk2+ZXjvOsoGOMAzswpKPLf6TVe5Yi4eEosDM8ZFkVSngF3qx4TB2NcuKl739qUvLf0eL461y7+doJcdC+sl19scJjlEBFmEU9YNoJ8T0m9nT5UIi7l0tuek2i9SpzQRjHym1Y12JsiYoTR83mTBMR33hChE9aMc0FBkNesVJ9SBWOtLsd1i/UxUyZIk/C8shVGPmYplT9QOO/RqwJtvTeOkhrEWQq9zRoGqKQJs+j6VatHOdqVweX4/0icBN5QamXwgH61c7RbT79MDCZHvHSKkAe+eNVw7y6+0ZgCxtiIbo3RJwdRGqy6XHGnRfzRbzjO9H26gBmWX+Z7ZfeHLghen/tOW/qEh+uT1TR+O71GnhOgd1QQh84vyE2U+lAzneHI2gVG8EzA8Ho/UGiXJALQPElkJzR3GXDXVAHAw8Q6wCjLnxpmpkJZEJiJ9uDktKkNdF5uM6oEfQbxpP8uWJQnK4sCaZOTBsqEzyBm+KUXOpt0PbGFmb+gfPHIpO6rNGdWJ/C9F63ZbWhMXfONuLCjMis86lLJimwYH9G0PQWrmh7ENuZB3/giYbVqUjD3yP44axfw,iv:zfbeDFKb3hHQFi9wEuDj8XRqTLhc+2AnJU1roGJVZkU=,tag:mwNz9UCO6lCDK5hMWNLfNw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SnA3M2F0cXZjOGlFSTJw
            aE9BNGJsQ1JzelFoQk4yMGlpN2dkVUR4ZUNvCmljSDhsVU4rUnowV2dIdlhZYnMy
            aXo2OGZRd21PYk81ZE9pV05XSmpVOEEKLS0tIGhGNkVmTnVYRENEYlBxZXJTaExt
            SC91WFNocEN2K1NFK2dBUHYwZTQrVFkKKb3AlaRX96vJwEmxNNAThTlO9ZwtD1tv
            c6aBELEbmJFdHOcIJITzmS3YOssDOgTL2TbcSFu8mdAQYsRvxC96HA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-09T00:53:28Z"
    mac: ENC[AES256_GCM,data:NKv91i8Ms4TfbU0t9td4QoGD+9d9KYGQ9Mu1QlFdCc4AjMfRCcUCrvb9SVMF5JbYa8oZAH4Qp9FEJ5fFmgoTNrewspLUMpyjUYRgARYQWiHYhZjE/uTNhFo2FxXYLWsAlQjEJ8abbwUyr2y6NsK2tcQcOBDIWUssb4XqajNcylE=,iv:gvwQZB20JR4bKfMMR6sYjTnf3CNiOjcd8T30s2drKwY=,tag:mF9etyVyPVw5YblI8VdtTw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/secrets/keys.yaml
+++ b/secrets/keys.yaml
@@ -0,0 +1,27 @@
 lin-va-mbp-personal:
    user: ENC[AES256_GCM,data:sdEzYZW5HYS7gLM13JeJfBqdQR3+ITPwYWT0KNaqxmtv8uSwMFWrL2LFCOxvH+5aVcy2prc65uhb5i7tSR1awM/OnHfuW348MGft8m1FKzW4fC0J4gZLyX8v9jG7kTQCap6XnWhL6ebimW7z6omFlGZgWvVZlA76rXXYx1B1Q5YBrHg8Dy227bIpUGDSAMuHE2KDaORGcUi2TK7k9JZKeY+9EMtVZqGYZqfIlG55Ov65GYETjGotvUx59si9fNgQ3e1ENl1PyqPOqQiz5kFZcloBarzt6u0MkJtIunCbia/PXabsL/C8M0F3iycVT8O2Y3nHCk0WyCeb6WEhguwO0ODA/JxfAlOihgeAp1DCzs79JE+kquXvO0UtnFdlnuJqDXQwenUVIsOx7rUmqMRMGl0kwoLZ0T6sW0iXPkixBa2sRJIRtS09HFPuo/azFskeGJ8NQcE1s8CAYI4LhOiXldCrVfPqFNrKlS0l26gMBAeACkGtGCYo/Sw7QXEYSs/Wc+h9Hf0RLjWTpb4mkCKHBgZYVTnqMdY03rZZ,iv:F5n/cfEyq9MHJ9BHznPYh1edgIG8z2iXtZAfwrqlEBc=,tag:iX7iczPwdV8vku7ODze5pQ==,type:str]
 mac-va-mbp-personal:
    user: ENC[AES256_GCM,data:SqN4GK3UYe2EqBtW8pckko3Z5pB+J9yKUiV5EUpB9DTnk0qpufUMM5xdcUPXu5kLLRfrpOHVLU3iKNfXuNrbvgAD/Ex59fvIFMyFcvMOCW7DxAv20GouDsYsm4r/IJ3a5kooo4UolA8O8gPH8ABRdfiBc8qSoUiyNZuCB1s2ap7GVklHzUqsfpAvknhjZJdgNnBKyZd93qkj0sdHLqzrzde462OnTj9r5qPX0wmC51rrUBO9XyWEXcvXhXJf6vStHhVUSayGGn9XxD3opmHeUjdurnV4GtnJQS786oSagcbl0LaqgfLB1xvCc3M0jx5Z8TtHR48TztEXGBXyBfV+qv/hDe+FAydAL7ZITjpYjj1C00CHkMfQdSYyjj8ux9xCfWAq4oeKS+JNlEYiNKE0Q5lQeDrhOT5df9j9tUK3H0I65EEMkV9BMvK+CLnM7Rn5CXhz02wqEryJOmv/LkmU9aUUtmMZdSpKGdd/XSBiD5RpEISkxHipmlXwusha1uLjn6boDCIAQBlfopGqZRkEBJP5/yVJsyHwqlHLnaoWeoM4HENsOD+YUiColHnnSK8x,iv:+OQ0qKDIypVw/gVZW6RqqA76dq95R75ugN+PtTgq+T0=,tag:FmIIl2HHqYAdmfoXizKfXA==,type:str]
 lin-va-thinkpad:
    host: ENC[AES256_GCM,data:4gZHNXP+rzezfL8UATeAJRyFZsoE24BJ4cWzhYBbgm7VCpQn4tLwFNAtOyLNhOa/zwbbQaysLWbRNt34dw0VKoUiYkZ/YOD1w6j8lZl9U0Yl2O16iw1+uXrCqxax7skDgeF3vKJCQQa3KM/sX13TQ57MKcjEVwGapm/5rQ9h43fhWp3+923fcX6TWtLzJL0sxxnplPkqIPTJVn72VQDOsm1R4+UkY+AxczvsQzuvOpbKWNRjeTc9k0QEe0PsN7SijR8MsT1urrAKPaRJj2DQ0LGpO+6lBLSJN06o6lkOw/k3U7+vRZ4PSX+VexTnsPAis2Zy2JJktO7sZ5bc6kfOu3/hcHAbGFxbB3zueBMmW+LBd7sBdNDBfbFcieCpHpVUmeZNvmHCLhJjUkA/Ob8G6iHstSOMFenGQPb2IT64XwUSFF5RKHZ3JdDhv942Ha6l+ZRCW3rWd+u1WVo40uLSJmGqXCPUyYPi5Jzm0aZy2o0eDi6uCfDPSNhQgRa7+YLXJqXPnft/TJx/tc9Rb628t9oI5C1AOLGCBO6T,iv:eMAeHReoTLXkRbermeZ+2zOh/9dv1F0mqXU703+w/8g=,tag:oN0JjnkY3bt82LPBfdoYBQ==,type:str]
    user: ENC[AES256_GCM,data:qaRODwwBXyeCLv3CaCwK7M4n6OSakAqV6/sHnZJLUEhVjrY5R1omjQqHbG2VgBt+McCgvXElGhTZVxnadbGxv+0vhMcnmT1A8VdAovsD7SkLdUY5sPwAkzJCzD1XMA8e1EN/cvJBd48xFmQAHJReKV9SFNugj+Az3ZLqlyRa27BFet5uyOzBokMiYL34nbI+voP0xWNqVOmhexbz77UfGDr/JArdXEJNw5ITxlEpuKMDDcB3xPdoU3aRuZgg0HMH2q1ppeSPPE6PWpgmult6a90Fm320RnCTbSK3eASXh0ciqS6HGc4ej1W0Fy+ZeXhJlqoeash5GH6IMJgAfkW2i79gdd64BIWSKp7XtONFWKIzTSateMwLWYzPPuKSyaqRK0bsdsDCqE7LLyO5C/LCKog2Qnkb+7czYQRGMhnRQDfN/lK1xrbUaLbZPqHLDVG51IjI5c1k6DedjLiCaUrsGxFmqAtytFUQH08fTdT1iJr3cGzJzukXyi9MDQk/Y8mVLbpoVuyyNXPFGNoHSla5l5Ru1ijGuaQ2IuFfjRSaMQ/848g=,iv:1HjULpLbqPUefFiFd7TNT6VFv0pu43RDFC/cD4u+ZBU=,tag:mqiW2GEjDiwnT6bMUosQpg==,type:str]
 lin-va-terminal:
    user: ENC[AES256_GCM,data:CkE7Kef23kJpWdZMVlMuFM7FPSm/OGU/ye+BHP1kuRnaEFFPWCPeK8wxAqiXg5MyL7cpq2gGHj9OrvqLeceG76PZk2EmrUy+bx6FtETYwINxr7dhXIbqLdloFjmrqWF2SPbn3SyQBb2PSMl5vzg1zdKAHwoo+jyb2AE3plkAiPi7U/RTh9nTBgdzM8jAOpvQJ1+ezaLK+t4YcS9uZ017jacXjVsqZnUYaYvov3UWJDd8fGmIurb1LKo7sTgoZX0PVA6GsAwpzNJmSLZTCMRDEP5AQKe/Sz5HyKSeXDNykMLw5oG1pC9uWDbdMa9k4NW/PonZ/PwkbSStunbT9HSFlCq1ZheZQvI6IQ9irE5nZYGvjHDnibJv3+x7pfpayJFqdjG+fFwdjXP+Knn163MXdx9SqWtOjFhgULomS7fCLkx64EzjNPRqG84O67PP/YUFu7D58uTJ4GGndeM/e2rRZZ5t+6RxTlSATCGLyMvRLQCuuLMBDwlCo5VI8mWGWi91WDVNWjsHqmMpk0ASCwY6zDhLQPxdbkzcLBlG4LxGS124/Sw=,iv:mpkVnd/w1vAj/LpxppzgVOVNgq851bXqaSKz7wff1Q4=,tag:43OhgDHYAlrRO29fecMrrQ==,type:str]
 lin-va-desktop:
    host: ENC[AES256_GCM,data:4/t4s27KqqYGqogZVcGVjOSujiIzR9UUFz6b9FGfFFFCjz/tE69QvcMiDMde2zXLdjr85mClzRkhj5/RYb+QrdJFIcp+KnvjNuu8khdUVqRJwahyBc4XpKpRcKZX6qr9lKHQHnZjD/sbgn+Wx7Sm+dCxpnlArwGcxYTWOBCJ6KDoIYBd7AwyOZY9zsLJUm2AJyytcnE7cjeca0uXFO8CckRxlkKhBo+Q36kLwvchXne6idDRiqNep1J+4+NsiHW4Z/P1pOqm0YT96Qxd16k7OkonY7gt+ujjZLMvYVb5u0HDd6bc9uNEy+oxRTuxLNS9+1Gyz8bWgvDY2+E6MUZmefSJ6DM6USIJ3hS2oaiUF7MiDRzmSi5bolnFK2pfhRyQuozgPy5D684cvQrVzVZSuP5vwg+0HRmqsYxY+bMWoWwVqFWR9kRTxhzTCuOOLaoY9vPejTJLUlea1o/+NQZoo27Sb/kSRAc2cQDwBoFzqprhvE7sygkUYORd3utSH9B+EogLrBh85BXQmVv03x+6EQxuHKKxYB8LlpcM,iv:LtKNN1cRXap9LJvBMD9fHHXrScfmMOklCBQBbPEzs64=,tag:WsqCUGlyTlHOMvwfOGxAhw==,type:str]
    user: ENC[AES256_GCM,data:PqCBjNQ6ACH6qKXhjjzP0QKDXdk7jR8DnvCFrz1RH7+jRMSq30lFSPB62j/TgDx3PXevkNItuT9smyWHjB0eOVS0Ms4R6y3FYITIoY5PaNfGwYIxawpLr3BtFmkS+TLxTKf3WAikejwFTGeR8pl/clDsOlJuSDwGwR+1GghDhanxD+v+J9AizaK0/F88DknA694W+T3Ty2e8tqShV5e6VT2So9tJl78Q+duH458rL9WVMz8NhUW9KlBNYCYXZfRQbkZZojbPK0W70ne1BqNvbGPZXnWNfQQQodd9sQ7uCnyIL1o92uZoAQKAQTmD/fV6PWkLD2JgQD51MxZPBr4KziXgBiqE2xqg6Wtsi8FZMFMWgp+MnmWuNSMhFK5UOwb3894lbltAq0nX5OiYkZVBLKxQeU23fASxbJipzNKtaeP10Nf029GkWIq/zq5sThqmg/O97qse8YJJclMPvOqnO2mQsjktZk7PeJVi3ONnCkxACwk6CQsuzAu3ce+Jddz+lb57q4WFzzj1752vjDY5keacNhSyaalE4YXF7oY6xjy/T6A=,iv:KnZ+3H7tbz47eGZ/R5AFmk9zYHng7ghUozyd/p3Wl8k=,tag:BMXlLI04JAhaLMkmuEC7pQ==,type:str]
 sops:
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcXhLbmU0czdSbDJUR3My
            engxSCtaL2Q3TUtwK1gvWlVPN2d2bVg5QlJjCmpjMWo5cEU0ZWpWTVlNczF3alFL
            U3QwdXFUTnM1Z3oxSkVEK2JmdUNqQ0UKLS0tIGF3U09rMmRPdmdRZ0dwdDVtZGZS
            bFIvV0QxbjZaSTZEVHhWVm9aaFQzZkEKCpWTU3EB4/eeW0X1U8e0XvZqCRri2LOX
            yEhVxm3WUF2eQvuEonkso9I/A1fV5OjE2RgldCnqzwW0U7kBtbrc8w==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-12T03:17:42Z"
    mac: ENC[AES256_GCM,data:Ld7+F9dIQTfFuJt7wc3XWXqw4hcojCz8xeKpNoBXrsLfQSjMR+JpHfzWUHgVtnGUTLIpx2d7MQEq5gs+OtYysxuFacX3HrcPVWbDVxDPgG6XryvFAJ/VOUpKC8zoHQcD9uTzd4oibT0rCMUHjmuO6Hz7fGFIjX/devKhRCzRmYk=,iv:HGeyk/EcC2DIb27w/8hBsbGsJ3GueENYg1kokPsGWq4=,tag:Z9orAdD3tiTAzO3WLS7DeQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/lin-va-mbp-personal/evanreichard/default.yaml
+++ b/secrets/lin-va-mbp-personal/evanreichard/default.yaml
@@ -1,21 +0,0 @@
 rke2_kubeconfig: ENC[AES256_GCM,data:ZfqWAsIcx2h/cyrfkcyQXrO+dzYF7JRkplj3Y9mm4oEiQKeG7xeYdtNAE112PdFfLcI00HQRaKbzrcNBbG1M+kUQZROUk47sr7AqpeRxJIob1ZoTgwN98gQ1W0ikPFYBUw4HIVxmY9wuNyqDk54LNwu47A3hMUmCLEv8sPkk8r7lhA9Vf3HTtTbQBK8VBa5059YJyEIpZjMMaXPZReIR6Gka9qsZ4d1F1B8VYu+fBH2ZIKtG1HMCXzl/RvjaCqtlrk5AptooSQ/upOMq6omHWfBf8oty/0o6yasxYldMawetUW55TOm12QlgdmbDkXqeMAai03N3tj8zMESOVEHVxRzjosVTq4u5DzPAMmLFAk5NYaPpd5c6jlM2Gk7pT9v+X+n+GGYW9xfYLURe1sSy/yWmLXhEhOzLXkyc1T3M1bHWqnXDXfU1bhXWVLKwNDmuS96YWHb1o+Qr+3HTUCPQa70M9Va18O+pERD0Yj/Jz1HxwyAHKClRs06Lo73gl3eY7lOGhnafRSyxR91oMXs+ijSfFk8CNEA/PxKPaXUoKpDLpM6+iPnEmnsAT/kV9IrqnevsIABtzWMR6XHQbRodPowsx2zlSgzJfLkVZ37dsZawALv1FN/XOtrW53Zt8BGK3dIwIM1tRy6nR+UKoN8mQ4KI43MNZ7A7CagCAkWbs3AserDqU+4VYIF/biLVA9q+tZZory7lLraLpByVa2Mi1/JFUW23PyW6fa9nVvBDonzs5M4N7p4/Yw9rdWBWC/1ZQIvSKbTIla+mtDKX6GTlEAsaoJOFc+F8fX8FxGEZtxoXENshoyAvsQSihUbdsKkjDQAIcZ0lHAUKLJyJZSWFRkQsl64MkvBJwGedsMq/zzU8K96iBojYLQspPq8Yp612nxQahRyxAXWFvYAfMmxMqhSbEYuJA62DSUA1KwILZx7yPfKZWXLQzGDnpGyFRuORP+ZjANGXo1eqAED4cHqwZCHTo6q6Zh9zN4Y4jrO/z4G16PwheAi/WTJswzdI83J9FAR3TrKAGyf3a5hR03BNVHBbO+I6dX/Rhwp0eIdR0MPVXJE+CshcTixQNKWK7SRmpDQemAQq3g6c4i5DWB9PUlipkry+pcQzsz1omPLGjf/2Mz2CAdvPnjCYfeTeFxz42s6VJHBBd5Sgg/7ONQTj6QpvFhpP2u8aWmgbPnV3n0phejq9Bpj1lEEEN5JZlU2Swj6t6rtFD5fAZUu3L5FRPg5xZhCV0zu4VXuaEflPdidK35b0jIiz22qpAkw+/0vh36u+kkUOabgpnt+I3CqeCilRuq6tIvtIx2AHFZ4Y9WdfXpjd/BEl2GY8VrxSWzpXS0YYWiNwypJx/J1zzmZZO6G7QcKSpIuoULM4uneBlaZurjXdVT8QzupUmX+CVyXHZUTXX3tM0rFnuDG3uGjOUM+67kS/zd3LJk8fnY1awU08gTOrs7qIDIzqEaEVxvK60XcBqc4dDYG+FTKEOEOi88WGIZH12gFy49epciPaTQMxcKbRftE9R1fZNdze1PwX2lrm891KTBD7YwFJkUin88Ype7bQNI4Djyca0TumZjYKok1AoSzjLTJGYOmiZg9wYyN+6m/FrdM0krgUQzvErtfSFryX4XaLbpPJnpRcdzoiNzwwuVYMLn5mBhj4m08gjiiHQlVlSMSJxpXi6GdXqrMCDudDHyPX5LHh21e2wajZ59p1Y42Gew1dOOP+M/5/0PrwDvqKhUWgAp2q8PzQuQ+ZyCq63jVpTI0/BskiD1iQBwQFDN2A32V9xymnkuS1pKn9xnosNMWVR3R9l6sLQDxH6vJcCEqWvCmxg8n5nfPtgx0E+clmmFFHVQ/xmXbe1lKS1o/M5dLHDG3CdrUpSEf8IC7/qkhaG8d3EmKGFskwJcbpPSzCJfMLS1JuYGJL/m7jqSI5JJ+KzTlPQCjubW74+EEvScTIaQP7e+RtE60LbgkwLprIEfCao3I+P0W4YgqLfE/xF4NQ3qVy3vrXOVGJSR4e0R3rI9RiuHmYoduldqtLr8rhqVqbU33q9s1ifL/62Rh2ZnXcnP4w75eH1EtunucZ2ml9QwHbpG0liKrthvPlmUNVsOhWdwlUfHrCUs8sgLNwW98mgG+7Kva4edejNmaEq/43TtN/RBmrNanB0Dp2SIeEbYRFfLqWGCtIRJpeJF227ggJXxt3fZnCW1eiEihDLKfc3hz+7zo/QlkBkbbj9D1BRURieH7DCr8cvymKa1QL9nRl0aJzWvMg//Q8/nMA23qBays34s4EUrcDin6AnUZIu63eAvxtcesPDTVq31+NatLmty21VG3mk7s7yw1dDwJncCXQ6zYp+SOC90xMFUR++FYcpX6qFiRGk7qNln9hnllwu1SqQYgV/w9MmD6GYLk+/xCUWK3kbCjWZ0Nhxkk+A3snUealYeeK75fZfL8TlAkgKqpRL1KlY3jrDe2rgzQyrHb7AoLukf2RJcXwu3GBP9PLQjJSSJw3vEHltCDnt7YR2KRA5NvJw429brs/4RvkBlX2a593swY63YthWinhCs6I3kgiDVaycpiQit4HCwMATAnhkzD590QLgf/am+7vcQlxl1MCtG6V+mBSIDQw17kxfrq/P18MyKixtREI/TW2lT127JvMlH3Te3f5KDQNyWc5oUP8bsfvxpZ6nO6xrUY1pZ+1eCsapkNalLH5x4yk3viGHiWS7ow44jjaCDraL/YCvGN+7SHjDBIWRpt+/ncrjezxWJa2yN29y+JrJgRxHYmfmZVMHxPGZ9aexCRHxnTVgwlT577VTDltqYi9CC0kQmTPt3CZzSiOP8ht4gwHNuNjNus8qGT9w7nYd81ViCYV/VpMRKmq9cR3rY75U6BU8QO74hFTfDigmGBPxXwGuhWZEWMbmK1Xl867xybVj9UTHhdbgnhta0J9RXm29A9YL3RMdL/DDZNQGq2eMK4CDq2l9X7UdPqbJphXfCv1AmCdufdvzEAq8kVEw5+RQxEOVV0g84G8bH5dOKfOwr7b9Bogtg37+j5pLPJzcoRKl3NynlWMGZVcnkEgRqmzFreXAYIyScE16rIzeEHdL5ngvm9EcPQfAWz6CvylrK7Bl91pJonNYprSqHUO0F4K4/kscm4j90kD5wpGOcrwke2+OI3oqez7QPmfzKnYoSrtcXqbt9lnluqobdYsCHY6mUjn4utROUD+g7gW5yYkxC7R1ySvvt5t63rOX6QH4UP9Uz7dCpo831vMHQ8Am+VFNbLXirq6/2P4TKTnScSQh/OnJ8Sx0/zxbPAb3jwzmx/eFAd+eazL0hCGTnh/D0WxcqfxTItOllsKUGX+md2VAoJQLra07gMJlh1tuDk2+ZXjvOsoGOMAzswpKPLf6TVe5Yi4eEosDM8ZFkVSngF3qx4TB2NcuKl739qUvLf0eL461y7+doJcdC+sl19scJjlEBFmEU9YNoJ8T0m9nT5UIi7l0tuek2i9SpzQRjHym1Y12JsiYoTR83mTBMR33hChE9aMc0FBkNesVJ9SBWOtLsd1i/UxUyZIk/C8shVGPmYplT9QOO/RqwJtvTeOkhrEWQq9zRoGqKQJs+j6VatHOdqVweX4/0icBN5QamXwgH61c7RbT79MDCZHvHSKkAe+eNVw7y6+0ZgCxtiIbo3RJwdRGqy6XHGnRfzRbzjO9H26gBmWX+Z7ZfeHLghen/tOW/qEh+uT1TR+O71GnhOgd1QQh84vyE2U+lAzneHI2gVG8EzA8Ho/UGiXJALQPElkJzR3GXDXVAHAw8Q6wCjLnxpmpkJZEJiJ9uDktKkNdF5uM6oEfQbxpP8uWJQnK4sCaZOTBsqEzyBm+KUXOpt0PbGFmb+gfPHIpO6rNGdWJ/C9F63ZbWhMXfONuLCjMis86lLJimwYH9G0PQWrmh7ENuZB3/giYbVqUjD3yP44axfw,iv:zfbeDFKb3hHQFi9wEuDj8XRqTLhc+2AnJU1roGJVZkU=,tag:mwNz9UCO6lCDK5hMWNLfNw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SnA3M2F0cXZjOGlFSTJw
            aE9BNGJsQ1JzelFoQk4yMGlpN2dkVUR4ZUNvCmljSDhsVU4rUnowV2dIdlhZYnMy
            aXo2OGZRd21PYk81ZE9pV05XSmpVOEEKLS0tIGhGNkVmTnVYRENEYlBxZXJTaExt
            SC91WFNocEN2K1NFK2dBUHYwZTQrVFkKKb3AlaRX96vJwEmxNNAThTlO9ZwtD1tv
            c6aBELEbmJFdHOcIJITzmS3YOssDOgTL2TbcSFu8mdAQYsRvxC96HA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-07T18:09:21Z"
    mac: ENC[AES256_GCM,data:RxVXYkx4JD2l6zIcx051DSyw4yYMWdK23ssaw94jkxlICvDyeZy9aO9kC0bAYqn0iB2BDEdh/0rzNZeJHlkjKQx9+et82iwFdwC9GSTVl/FV39fr9YbsqFQGqMAEo/JqElul9Sjd5vgdC1xQOF+Jceo11F9LhDteOiFn2a3Sv5I=,iv:sb9ah+Tk39FUIDpq4g5YGScIku3w5tVlDDNyxuHS4OY=,tag:nC+yLdj/moS2+nMIzNAOdw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/secrets/mac-va-mbp-personal/evanreichard/default.yaml
+++ b/secrets/mac-va-mbp-personal/evanreichard/default.yaml
@@ -1,26 +0,0 @@
 builder_ssh_key: ENC[AES256_GCM,data:1cYuaFJke/8GyqxPKp2zH/uARvW6Bqx6AsB16U8f3WkDpnxO6kym19MpDyQUBEjJ9Bj3RiBkSSL96jBv4YZfq+1cN8D6E14faKoYF5FZy5o1C+aTl+4L9zbrQIl/QDFh42qcJ6cYsOSjbEJv8kvZQBV7l+LNo8ZX07f76Kld3boouJJMMZWa9oaZgEifTxN4yDOPXTXNjCO3blGnsm+V3FPkba+EUASL9WH6+XLU2oW1Bc/sydOTiKGRJcs5eyqYvKi3evtxUUyqgdPVtUHNTsh6/B5kDLWFavfEfchPHT0LHIuqGJwGBglTp/NJThAoo5vNFAFIAUw9QWlY4alHhsi2L5g49r3s6i+3fGeyGCTP61uffY9HgF7nOdkTVMsRXacKh9fwgdsZAepcU+kJ3LJSdOaa4hUtCsZpFHUe4jA0kTHI1/V+7ak+iw92gNZTLKsCjIOzWFvEBVSXLctPdxQ8ezvF9ekvw5mkAwO7QYonlrQ3MUY/8b1DDOdjmfSwEyrLruew2KajFhm8/NM/2BOwcO/y+DbX2MSe5x0sx4HN79E=,iv:V25Tc7bOxc4wl5lf6gZOstN1InaCb3sfpCHMl65iwn8=,tag:mBFZcX2G3vpAOMw7V12d6w==,type:str]
 rke2_kubeconfig: ENC[AES256_GCM,data:oTOBktUE71QNJXqy8l5hhYKF3mSQlLxXE7rjsctyJi4nIk4bhKACGdYkB8B37Ws9QHm5h9tAn9J/ehbWyBwsOFQIhX7S0kov8/HPlatbY3aJ+PiHO5GWRkJjbq+GZrJgdGeOCSRlA5C4lOy9cYbCqbsgfp42cNxOPhOQUyqFNCmsWJvBiJDuQX3Sqk2QoDtfTayho/v5IiJ9Xjms6m1ng98uXmANHK2wFAv4IZ2+7j14jy5RRKylTtjooJxTalSzdODV4wufHOLqFRCeGs9U4A/SEbRWacssdTWOp/wkaumruEpbuRaX33EwFzAxnawD0T/PBA1w9MfrXoz7bYaQ8S0fpWQHTr7xj79yrlJslBvTp/SzC+7LlpdsOtJr/2LpbzwFowMFPOGg0XJUWlkevIIObBuEYyAnlytxlys+2UNx+szOuUsUDTdZlEtTyJT+Xp8WjFlXkHsi66s+rDxDvUcMG6oLy3IYiYA4D7Q65aDgiy87kDmdfItf5koEEpHU2wV20EtAP2mRZ8UNYnDHd3ZV1L2gLXHGMA/sa0Tn0l4fhfr+6K0niQ9RaZxrVfqyChCw4bSCyZZFajZXcEDXsQB5UKsnMmZ3p5ZtRe/mqKydAz/xQc8mZPYFWwXN3uWgOWLRraRib0thg/PQzsbGNrKxoqc0sY3JbUSBcyhtz2x7b0Sj+g8ibtySmSEM1DrcYFdLG/QHbg8MaSOIIlZDDan2SJ0vAd432hI9BBIxj3L0EOfVBkbzEdtuuW7SSCG650X2u4Rd0Kkjc7HoB6pafJTWx2QZ/CMKIZFiHfMJ1zRyxco7SwZzsTRZ1Y0W7qgnssKpqtRNwCfRTdDM/6aZ1HorNP2NombuyGmfvD/EZSt4xxsOZIgioqfghbcsTCFZQPUvfBSZvJ5KBXS8qacBmsUxMLRMyzSbq0mM/S9Rz8oUxN587K7pLTNNiwFsQ9mXlGgh//rzhdAfzQZF/uuMrjqYgxt3iOAT3Nd34RbZ8YK31SRf6lFy7b+hafS1FFVUnW8jnC57eo2wNpHFBNA1y60dokx9P1dzZUVVYK5iCK+QFkUweD9WSo0al09E3By2pQxZ1OS9UOcTxFbpP/WakD57/tkOvmGIirqrexVecDcODelGXhCVeXb8zJQDz2PdXz3M4G0zIV2JcgJDjJy91Rx56vxRQv0/mvPfjexm9gQcTWOpIeUOBGRCfMXMh0g0AANHxDheRa9WzYQ10uDE3DsyMT53+FGW73PyPBk5MzRY/RQXjTEVbhO/e8Km7KOuhRxpohcLHCugEFMqjsW/c5b6GU24s3n69XPxMWtdtMmnf1FaGGufuOXyYd2s1vQqi+542x41HYnXiT6OQwsFttnlbwfrosl9qgSSgsfwXNv7qHQUBDg1KczwlPBZ3cMA/rQUqHL2N4vEp00JoJFjBTbWrin2FCOBafQmpKPv9j/nqiJROr3I93bSaodk0rFOUDWV3Sp/YepeuYb6wY+lMgysg4jDuJxEYQytFfNI2SBd7g4Xh6vBW/GS1/JdaHhh/Ub5/Cqa0Pxl5fBjV1HQIaM8mXi+V90zRVqzKm9vl9wXjXzAk8QvWRiW5ruP3IsMl5myL1KBuFIgZNPkbv8Nap3XDgmO2IvM6gWI3LHW81cgS6dDcsuC2C9zr291MAlYQiaotqQ33u0ga/y8DTXB3mcLTPLpkWWRY+Cc+qVAuD3LwCvd2StUhxUNwDbwVaxtuSk+uWMx1PCPPwHDVB3sm93wbnKrvj0TMHdkh0im+KzSplaMAsCgKJj1YO3Yhjg+E9CwIaYEDKcCE8FNqioSzzaXABQgpa4zUWkWC+D4iD/kSS3Z+BgB0VCytB705SMbmHmAlWnNayFgQLx3xo/TkgF51jEghj2w2gPyTM8gLqq8kvpXnDx95nhfStRu3KZCuCZKadrv0V5mSCCSzw0STDKZjfwYHHMWOnf41UDG7M9+vWHdtZdnJjLvw8gIqmLl0fkw75jFXYXQaNj4vh6MNSp7ABA8wY5Ala/EckHjx9R88czgyvHTLfVOiFgIiOLvldSYmDlaMcyPTVH7JSTiSoZ7aUwNROQE0/C9GyvZH8MGN9Iy6YQAUQYf5jjesoe3dPJf66GmeCKKlAcO1aK91XXow+pWrYJBZilhXJgPNTKltP2ObDLeJ/30KYF7Gee9GvtJaKzBGjYFZZz9nj8ixIBymS+M7N65U8Sw+/37qCnkSDe6VgkMoXXijaPgfToR4yb6FdZOqRlvynbyC+lSO44l2S1CkKbUxrqzZX2pQ6iB1eJdaHmIBYawVg7tJOO3snPXYMiMAgmojrH1BUUpbQRRvG4BTrUOES4N+2etytiZ7N4GEDzshosVaf9NeFBWRGC58siec/BtKwo7HGcsc0zDvcq8MFJ6rEUDbuZuWn3+CvxC9fi4+CzDP3j3K9lOUiXJ6vxv+1eImFMVgQUiV4g2M/JMTv6+Ix8U9dHoaNVjQlnL1NZRo92C/T2WRx42V97hJOe81CXqRLY8mW30MXat7KK+n92bNsWTKZrNsKnzVb+i1YwMAiwG1bw0OCcmfVojozZ4wjUNkFJI2K0v0CCvwVIl9yUKMkCvo+I1m2ZInOXRme2HK82YFg6JxitlQvovdlUndN1Lo4PhaxbW3BNwJSn81FxJ4yh+d34eawZlsQ4l+er2CyWrXSOvQnK1F8UwDB5xgPb8TBj5FD4IZM+op2LPQiaPQZ7bShzpN20W413lBvauirbD8EaZqt2QExmDnYHs1EMcj10bvu7IyKwZTlBqOa/LpyUH/imY4DTB0aYHby+xnLX7760S0sJfKuJ7omQ4QBgz+NSZ/aFfPicugkPsCZI0lS9WCcczvHgbFRzB6YQ5uJEoK5o5SdVTpYWUBvuLbJ6IOKNKWxlBcrsj4aPm+AAsxRc9cHPbrCns6y01K2wCYCL5nzK7jnneQiR4edtfnwMlUoo3c6/vzwiof4EVVrN29QxVsIA/9yqk375mKlI/l7/eOf083Kbad215wvZ+0U7cgI0oaaVvapj3Ni3e3Es8XUIQCua5HRE6d4M6A7P+Ye1Wkt+8oTpKJzd9Hn/ITwCYVssdpMSwF2ARHgmTtq+sacvkR9gojG/LAJMUwA48Sc4M5rn+5vTCRTvuKXDFphLSUwNzqd58YENC/HJjZS8+co+BN7AaafrybfA0QQrXkY7f+elsAFmNfho+taMpkfQZCmmgfoHPVPYR0pxkV1czCymm5lTjgkC7e4ydngcyJSrUzrXrWREkEcEdXoSRt1/JHABKRbvRuTbuUlah1xS1pvffosnA7KJL+aTLErkWwww3WUPMRrvmhVlWZqHGqE8lCRyMUPny7li3I2IB+aHFXepYwZSMMQPIOIiE19Oz7MsaIrMknqfTtdc58McEPGUPKiVO8x+nfRQPY45jFF60XtiK+yemYDicUGMSkWdtVLXgDCD+KAJz5YzBl5YbnPD9L1X9pB8P0vEpnKC6X+GGiaPflVGiNAKRTUyVv8CJ+Yh+KEfJw8og/P6d/7dSKheBeAdaliigZ9qG8xfyY0jE++xedaxIcOBObBu6j70j+Tpp5bUPN25FyVR2GqG4xz5YbuhnrRjhA6lAh0nppPlP+Oz/j9pPvPaDGESLZ/WM6MWru7R8DrHePBtulRvhvwUsmrjosPXuCNGU4sd1MFh6kNyyJH3W1quy3IopUij0Amu40mmd8XEzsN2nmT2Eh3NCd/r/2yj/t+xwxNcQZ+bfxeMFOiEfX5RU2paKNrRIDUEbgR1rS8A3PEUPTxwTP10IuY+IMToCSgZkVIq7UjXg0Bx9QdwvXcN74ADwkD0Un5+jLf4mo43QacwnBLpm24XqDzO09vKOzA9XU5fdC6AJ4mqAJ5J/XU8bC1RWiSCul6NekoJAPVgMlpWTPCAdSrWeYoE0d7lVkl+g+nEIS4sb,iv:mC5XSWReVzjwheF1IzCzp34JRvL/vJipyaKhptkH+cU=,tag:SDoNiaWaPKzruj+HPv5jbw==,type:str]
 sops:
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVWFObG51K2lTYlZidXBU
            aW55RnpkVDExbVBkNDl4NkV3MFNkNThjbWdZCklhWkVSaWpPSE1VY09iWGlPVE9Q
            bW1SY05jK3BwcDIwSHdMZjJHdWQyQkkKLS0tIHZYS2c2U2xtQ1QxajlKeWpmNXZW
            bmdpcTl2NjRWM3F3Q2RHbk1rTEFvZEkKWag1nmqFZMRjwFtIo6oqs+9UI/Mer5bK
            Ax7P7uwoZdiMN2g84W1pNTjj6GktFn3jrBaE+MxY6NUBr02apkRYZw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cURST1FTbVk4RGZTaitF
            MEt3Z2U0a004Zmo0VG1BN29DUnBLNGxPMEJFCkcyL1JrMkZsSTM5WCtZSldSeGZw
            SmdpV3AxRDJyVW1WMXBuclhBSDkvTXcKLS0tIDZsU2pBbEFHNkdqWW1CZW1hdVN3
            eW9OdlJmS21IVDNVNk9OMjZBT21PUTAK+lpsdEp2uvg8nFWu/hPtK0+Ahi5J//5d
            NB6JJ7lwRWKy2NppFf9sy20Y1Z0Z5Ui40nbnURRzYgtsqbKBveUDcA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-07-29T23:30:28Z"
    mac: ENC[AES256_GCM,data:x3dnanNbIX0fippbbFqOSR9ptZGdAwWuyn7hf3z6i43rk8Nk9p9EVqmE4/Guz2QY2tG/cph/5/nwX4UCO4ixAdB7pAWZa6lI1JdFzMBfW1IGeXOLyprDt6xdFnCVXjy64HgNWiVOPUS4+olxNZ0LPmCof7odqn+Axj+icFK3N34=,iv:OyFac4TxnKXwJ0l7LcJTqVyl11gIpw8fvEAEQTrEBc0=,tag:zMOGwIwAZmel+4EIqy9/tQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/systems/aarch64-darwin/mac-va-mbp-personal/default.nix
+++ b/systems/aarch64-darwin/mac-va-mbp-personal/default.nix
@@ -1,4 +1,3 @@
 { lib, ... }:
 {
  system.stateVersion = 6;
  nix.enable = false;
@@ -9,13 +8,5 @@
      enable = true;
      usingDeterminate = true;
    };
    security = {
      sops = {
        enable = true;
        sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/mac-va-mbp-personal/default.yaml";
      };
    };
  };
 }
--- a/systems/aarch64-linux/lin-va-mbp-personal/default.nix
+++ b/systems/aarch64-linux/lin-va-mbp-personal/default.nix
@@ -1,4 +1,4 @@
-{ namespace, lib, ... }:
+{ namespace, lib, pkgs, ... }:
 let
  inherit (lib.${namespace}) enabled;
 in
@@ -30,7 +30,6 @@ in
      opengl = enabled;
      asahi = {
        enable = true;
        enableGPU = true;
        firmwareDirectory = ./firmware;
      };
    };
@@ -41,10 +40,7 @@ in
    };
    security = {
-      sops = {
+      sops = enabled;
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/lin-va-mbp-personal/default.yaml";
      };
    };
    virtualisation = {
@@ -57,4 +53,11 @@ in
      };
    };
  };
  # Additional System Packages
  environment.systemPackages = with pkgs; [
    mosh
    rclone
    unzip
  ];
 }
--- a/systems/x86_64-linux/lin-va-desktop/default.nix
+++ b/systems/x86_64-linux/lin-va-desktop/default.nix
@@ -5,11 +5,19 @@
 }:
 let
  inherit (lib.${namespace}) enabled;
  llama-cpp = pkgs.reichard.llama-cpp;
  stable-diffusion-cpp = pkgs.reichard.stable-diffusion-cpp.override {
    cudaSupport = true;
  };
 in
 {
  system.stateVersion = "25.11";
  time.timeZone = "America/New_York";
  boot.supportedFilesystems = [ "nfs" ];
  nixpkgs.config.allowUnfree = true;
  hardware.nvidia-container-toolkit.enable = true;
  security.pam.loginLimits = [
    {
      domain = "*";
@@ -25,8 +33,6 @@ in
    }
  ];
  nixpkgs.config.allowUnfree = true;
  fileSystems."/mnt/ssd" = {
    device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_1TB_S6PTNZ0R620739L-part1";
    fsType = "exfat";
@@ -76,231 +82,16 @@ in
    services = {
      openssh = enabled;
      llama-swap = enabled;
      mosh = enabled;
    };
    virtualisation = {
      podman = enabled;
    };
  };
-  systemd.services.llama-swap.serviceConfig.LimitMEMLOCK = "infinity";
+    security = {
-  services.llama-swap = {
+      sops = enabled;
    enable = true;
    openFirewall = true;
    package = pkgs.reichard.llama-swap;
    settings = {
      models = {
        # https://huggingface.co/unsloth/Devstral-Small-2-24B-Instruct-2512-GGUF/tree/main
        "devstral-small-2-instruct" = {
          name = "Devstral Small 2 (24B) - Instruct";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Devstral/Devstral-Small-2-24B-Instruct-2512-UD-Q4_K_XL.gguf \
              --chat-template-file /mnt/ssd/Models/Devstral/Devstral-Small-2-24B-Instruct-2512-UD-Q4_K_XL_template.jinja \
              --temp 0.15 \
              -c 98304 \
              -ctk q8_0 \
              -ctv q8_0 \
              -fit off \
              -dev CUDA0
          '';
        };
        # https://huggingface.co/mradermacher/gpt-oss-20b-heretic-v2-i1-GGUF/tree/main
        #  --chat-template-kwargs '{\"reasoning_effort\":\"low\"}'
        "gpt-oss-20b-thinking" = {
          name = "GPT OSS (20B) - Thinking";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/GPT-OSS/gpt-oss-20b-heretic-v2.i1-MXFP4_MOE.gguf \
              -c 131072 \
              --temp 1.0 \
              --top-p 1.0 \
              --top-k 40 \
              -dev CUDA0
          '';
        };
        # https://huggingface.co/unsloth/Qwen3-Next-80B-A3B-Instruct-GGUF/tree/main
        "qwen3-next-80b-instruct" = {
          name = "Qwen3 Next (80B) - Instruct";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-Next-80B-A3B-Instruct-UD-Q2_K_XL.gguf \
              -c 262144 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              --repeat-penalty 1.05 \
              -ctk q8_0 \
              -ctv q8_0 \
              -fit off
          '';
          # cmd = ''
          #   ${pkgs.reichard.llama-cpp}/bin/llama-server \
          #     --port ''${PORT} \
          #     -m /mnt/ssd/Models/Qwen3/Qwen3-Next-80B-A3B-Instruct-UD-Q4_K_XL.gguf \
          #     -c 131072 \
          #     --temp 0.7 \
          #     --min-p 0.0 \
          #     --top-p 0.8 \
          #     --top-k 20 \
          #     --repeat-penalty 1.05 \
          #     -ctk q8_0 \
          #     -ctv q8_0 \
          #     -fit off \
          #     -ncmoe 15 \
          #     -ts 77,23
          # '';
        };
        # https://huggingface.co/unsloth/Qwen3-30B-A3B-Instruct-2507-GGUF/tree/main
        "qwen3-30b-2507-instruct" = {
          name = "Qwen3 2507 (30B) - Instruct";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-30B-A3B-Instruct-2507-Q4_K_M.gguf \
              -c 262144 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              --repeat-penalty 1.05 \
              -ctk q8_0 \
              -ctv q8_0 \
              -ts 70,30
          '';
        };
        # https://huggingface.co/unsloth/Qwen3-Coder-30B-A3B-Instruct-GGUF/tree/main
        "qwen3-coder-30b-instruct" = {
          name = "Qwen3 Coder (30B) - Instruct";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-Coder-30B-A3B-Instruct-Q4_K_M.gguf \
              -c 262144 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              --repeat-penalty 1.05 \
              -ctk q8_0 \
              -ctv q8_0 \
              -ts 70,30
          '';
        };
        # https://huggingface.co/unsloth/Qwen3-30B-A3B-Thinking-2507-GGUF/tree/main
        "qwen3-30b-2507-thinking" = {
          name = "Qwen3 2507 (30B) - Thinking";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-30B-A3B-Thinking-2507-UD-Q4_K_XL.gguf \
              -c 262144 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              --repeat-penalty 1.05 \
              -ctk q8_0 \
              -ctv q8_0 \
              -ts 70,30
          '';
        };
        # https://huggingface.co/unsloth/Nemotron-3-Nano-30B-A3B-GGUF/tree/main
        "nemotron-3-nano-30b-thinking" = {
          name = "Nemotron 3 Nano (30B) - Thinking";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Nemotron/Nemotron-3-Nano-30B-A3B-UD-Q4_K_XL.gguf \
              -c 1048576 \
              --temp 1.1 \
              --top-p 0.95 \
              -fit off
          '';
        };
        # https://huggingface.co/unsloth/Qwen3-VL-8B-Instruct-GGUF/tree/main
        "qwen3-8b-vision" = {
          name = "Qwen3 Vision (8B) - Thinking";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3-VL-8B-Instruct-UD-Q4_K_XL.gguf \
              --mmproj /mnt/ssd/Models/Qwen3/Qwen3-VL-8B-Instruct-UD-Q4_K_XL_mmproj-F16.gguf \
              -c 65536 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              -ctk q8_0 \
              -ctv q8_0 \
              -dev CUDA1
          '';
        };
        # https://huggingface.co/unsloth/Qwen2.5-Coder-7B-Instruct-128K-GGUF/tree/main
        "qwen2.5-coder-7b-instruct" = {
          name = "Qwen2.5 Coder (7B) - Instruct";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              -m /mnt/ssd/Models/Qwen2.5/Qwen2.5-Coder-7B-Instruct-Q8_0.gguf \
              --fim-qwen-7b-default \
              -c 131072 \
              --port ''${PORT} \
              -dev CUDA1
          '';
        };
        # https://huggingface.co/unsloth/Qwen2.5-Coder-3B-Instruct-128K-GGUF/tree/main
        "qwen2.5-coder-3b-instruct" = {
          name = "Qwen2.5 Coder (3B) - Instruct";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              -m /mnt/ssd/Models/Qwen2.5/Qwen2.5-Coder-3B-Instruct-Q8_0.gguf \
              --fim-qwen-3b-default \
              --port ''${PORT} \
              -fit off \
              -dev CUDA1
          '';
        };
        # https://huggingface.co/unsloth/Qwen3-4B-Instruct-2507-GGUF/tree/main
        "qwen3-4b-2507-instruct" = {
          name = "Qwen3 2507 (4B) - Instruct";
          cmd = ''
            ${pkgs.reichard.llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-4B-Instruct-2507-Q4_K_M.gguf \
              -c 98304 \
              -fit off \
              -ctk q8_0 \
              -ctv q8_0 \
              -dev CUDA1
          '';
        };
      };
      groups = {
        coding = {
          swap = false;
          exclusive = true;
          members = [
            "devstral-small-2-instruct" # Primary
            "qwen2.5-coder-3b-instruct" # Infill
          ];
        };
      };
    };
  };
@@ -310,6 +101,9 @@ in
    git
    tmux
    vim
-    reichard.llama-cpp
+
    # Local Packages
    llama-cpp
    stable-diffusion-cpp
  ];
 }
--- a/systems/x86_64-linux/lin-va-thinkpad/default.nix
+++ b/systems/x86_64-linux/lin-va-thinkpad/default.nix
@@ -58,6 +58,7 @@ in
    };
    services = {
      openssh = enabled;
      tailscale = enabled;
      avahi = enabled;
      ydotool = enabled;
@@ -79,10 +80,7 @@ in
    };
    security = {
-      sops = {
+      sops = enabled;
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/lin-va-thinkpad/default.yaml";
      };
    };
  };
Author	SHA1	Message	Date
Evan Reichard	68fada8d38	fix: asahi notch	2026-01-17 12:14:03 -05:00
Evan Reichard	107397ce78	fix: disable omnisharp until upstream fix	2026-01-17 10:19:01 -05:00
Evan Reichard	0968aa12e3	chore: update asahi	2026-01-17 10:14:01 -05:00
Evan Reichard	6cfe7228f3	chore: rename sops	2026-01-17 10:10:26 -05:00
Evan Reichard	94249ce86b	chore: update flake	2026-01-17 09:35:36 -05:00
Evan Reichard	408151b2ec	chore: various improvements & refactor	2026-01-17 09:28:38 -05:00
Evan Reichard	51cd993f89	chore: update .gitignore	2026-01-11 22:23:38 -05:00
Evan Reichard	c8f5e744d0	chore(cleanup): sops, opencode, etc	2026-01-11 22:19:31 -05:00
Evan Reichard	1fe9396284	fix: sddm theme	2026-01-07 12:04:41 -05:00
Evan Reichard	0b01da43b8	chore: update packages	2026-01-07 12:04:18 -05:00
Evan Reichard	685d12dabd	update llama-swap defs	2026-01-02 19:49:00 -05:00
Evan Reichard	f3ceb57e5e	feat: stable-diffussion & updates	2026-01-02 09:50:44 -05:00
Evan Reichard	bb3305adbf	chore: update llama-swap	2025-12-28 12:40:27 -05:00
Evan Reichard	9965ca8816	chore: better swap behavior	2025-12-28 12:02:31 -05:00
Evan Reichard	dce002cc24	chore: update llamacpp	2025-12-28 10:04:00 -05:00
Evan Reichard	ece872fdeb	chore: update flake & llama-cpp	2025-12-26 21:38:46 -05:00
Evan Reichard	1c1f976186	chore: asahi flake	2025-12-26 20:55:10 -05:00