diff --git a/.github/workflows/cachix.yml b/.github/workflows/cachix.yml
index 2112f8d..06bed3e 100644
--- a/.github/workflows/cachix.yml
+++ b/.github/workflows/cachix.yml
@@ -5,20 +5,6 @@ on:
   workflow_dispatch:
 
 jobs:
-  check:
-    name: Check flake
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: cachix/install-nix-action@v31
-      - uses: cachix/cachix-action@v14
-        with:
-          name: lava
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-      - run: nix flake check --keep-going --verbose
-
   build:
     name: Build linux-lava for x86_64-linux
     runs-on: ubuntu-latest
@@ -35,7 +21,7 @@ jobs:
         with:
           fetch-depth: 0
       - uses: cachix/install-nix-action@v31
-      - uses: cachix/cachix-action@v14
+      - uses: cachix/cachix-action@v16
         with:
           name: lava
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
diff --git a/containers/amethyst/configuration.nix b/containers/amethyst/configuration.nix
new file mode 100644
index 0000000..b9d496d
--- /dev/null
+++ b/containers/amethyst/configuration.nix
@@ -0,0 +1,47 @@
+{ lib, pkgs, ... }: {
+  system.stateVersion = "23.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/transmission 755 transmission transmission"
+    "d /persist/transmission/.config/transmission-daemon 750 transmission transmission"
+    "d /persist/transmission/.incomplete 750 transmission transmission"
+    "d /persist/transmission/Downloads 755 transmission transmission"
+    "d /persist/transmission/watchdir 755 transmission transmission"
+  ];
+  networking.wg-quick.interfaces.wg0 = {
+    configFile = "/persist/vpn.conf";
+    preUp = ''
+          # Try to access the DNS for up to 300s
+          for i in {1..60}; do
+            ${pkgs.iputils}/bin/ping -c1 'google.com' && break
+            echo "Attempt $i: DNS still not available"
+            sleep 5s
+          done
+    '';
+  };
+
+  # https://github.com/NixOS/nixpkgs/issues/258793
+  systemd.services.transmission.serviceConfig = {
+    BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
+    RootDirectoryStartOnly = lib.mkForce false;
+    RootDirectory = lib.mkForce "";
+    PrivateMounts = lib.mkForce false;
+    PrivateUsers = lib.mkForce false;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9091 ];
+  services.transmission = {
+    enable = true;
+    package = pkgs.transmission_4;
+    downloadDirPermissions = "775";
+    openFirewall = true;
+    home = "/persist/transmission";
+    settings = {
+      ratio-limit-enabled = true;
+      rpc-bind-address = "0.0.0.0";
+      rpc-enabled = true;
+      rpc-port = 9091;
+      rpc-host-whitelist-enabled = false;
+      rpc-whitelist-enabled = false;
+    };
+  };
+}
diff --git a/containers/amethyst/flake.lock b/containers/amethyst/flake.lock
new file mode 100644
index 0000000..88ab73f
--- /dev/null
+++ b/containers/amethyst/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix
new file mode 100644
index 0000000..739c3e5
--- /dev/null
+++ b/containers/amethyst/flake.nix
@@ -0,0 +1,51 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }: {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      modules = [ ./configuration.nix ];
+    };
+    nixosModule = { ... }:
+    let
+      name = "amethyst";
+      fqdn = "amethyst.lava.moe";
+      subnet = "1";
+    in {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+        locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = "10.30.${subnet}.1";
+        localAddress = "10.30.${subnet}.2";
+        hostAddress6 = "fd0d:1::${subnet}:1";
+        localAddress6 = "fd0d:1::${subnet}:2";
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = [ ./configuration.nix ]; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}
diff --git a/containers/beryllium/configuration.nix b/containers/beryllium/configuration.nix
new file mode 100644
index 0000000..6629a31
--- /dev/null
+++ b/containers/beryllium/configuration.nix
@@ -0,0 +1,23 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  fileSystems."/var/lib/private" = {
+    device = "/persist";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 6167 ];
+  networking.firewall.allowedUDPPorts = [ 6167 ];
+  # TODO: this should be generically set
+  networking.useHostResolvConf = false;
+  networking.nameservers = [ "8.8.8.8" ];
+
+  services.matrix-continuwuity = {
+    enable = true;
+    settings.global = {
+      # TODO: link this with outer container's address
+      address = [ "10.30.2.2" ];
+      server_name = "lava.moe";
+      rocksdb_recovery_mode = 2;
+    };
+  };
+}
diff --git a/containers/beryllium/flake.lock b/containers/beryllium/flake.lock
new file mode 100644
index 0000000..88ab73f
--- /dev/null
+++ b/containers/beryllium/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix
new file mode 100644
index 0000000..5805401
--- /dev/null
+++ b/containers/beryllium/flake.nix
@@ -0,0 +1,69 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }: {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      modules = [ ./configuration.nix ];
+    };
+    nixosModule = { ... }:
+    let
+      name = "beryllium";
+      fqdn = "beryllium.lava.moe";
+      subnet = "2";
+    in {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".extraConfig = "return 302 'https://lava.moe';";
+        locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
+        locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
+      };
+
+      services.nginx.virtualHosts."lava.moe" = {
+        locations."= /.well-known/matrix/server".extraConfig =
+          let
+            server = { "m.server" = "${fqdn}:443"; };
+          in ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
+        locations."= /.well-known/matrix/client".extraConfig =
+          let
+            client = {
+              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
+              # "m.identity_server" = { "base_url" = "https://vector.im"; };
+            };
+          in ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = "10.30.${subnet}.1";
+        localAddress = "10.30.${subnet}.2";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = [ ./configuration.nix ]; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+      };
+    };
+  };
+}
diff --git a/containers/citrine/configuration.nix b/containers/citrine/configuration.nix
new file mode 100644
index 0000000..0f4242a
--- /dev/null
+++ b/containers/citrine/configuration.nix
@@ -0,0 +1,53 @@
+{ config, fqdn, lib, ... }: {
+  system.stateVersion = "25.11";
+  networking.firewall.allowedTCPPorts = [ 22 3000 ];
+  networking.firewall.allowedUDPPorts = [ 22 3000 ];
+
+  systemd.tmpfiles.rules = [
+    "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
+  ];
+
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    settings = {
+      DEFAULT.APP_NAME = "cilly's botanical laboratory";
+      server = {
+        DOMAIN = fqdn;
+        ROOT_URL = "https://${fqdn}/";
+        HTTP_PORT = 3000;
+        START_SSH_SERVER = true;
+        BUILTIN_SSH_SERVER_USER = "git";
+        SSH_DOMAIN = "git.lava.moe";
+        SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";
+      };
+      ui = lib.mkForce {
+        DEFAULT_THEME = "catppuccin-maroon-auto";
+        THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [
+          "catppuccin-pink"
+          "catppuccin-maroon"
+          "catppuccin-flamingo"
+          "catppuccin-rosewater"
+          "forgejo"
+          "gitea"
+        ];
+      };
+      api.ENABLE_SWAGGER = false;
+      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+      repository.ENABLE_PUSH_CREATE_USER = true;
+      repository.ENABLE_PUSH_CREATE_ORG = true;
+      service.DISABLE_REGISTRATION = true;
+    };
+    stateDir = "/persist/forgejo";
+  };
+
+  systemd.services.forgejo.serviceConfig = {
+    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+    PrivateUsers = lib.mkForce false;
+  };
+
+  catppuccin.forgejo.enable = true;
+
+  environment.systemPackages = [ config.services.forgejo.package ];
+}
diff --git a/containers/citrine/flake.lock b/containers/citrine/flake.lock
new file mode 100644
index 0000000..d627614
--- /dev/null
+++ b/containers/citrine/flake.lock
@@ -0,0 +1,62 @@
+{
+  "nodes": {
+    "catppuccin": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1773403535,
+        "narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=",
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47",
+        "type": "github"
+      },
+      "original": {
+        "owner": "catppuccin",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773122722,
+        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "catppuccin": "catppuccin",
+        "nixpkgs": "nixpkgs_2"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/containers/citrine/flake.nix b/containers/citrine/flake.nix
new file mode 100644
index 0000000..c2a81b7
--- /dev/null
+++ b/containers/citrine/flake.nix
@@ -0,0 +1,68 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    catppuccin.url = "github:catppuccin/nix";
+  };
+  outputs = { nixpkgs, catppuccin, ... }:
+  let
+    name = "citrine";
+    fqdn = "lab.lava.moe";
+    subnetId = "3";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      catppuccin.nixosModules.catppuccin
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:3000";
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}
diff --git a/containers/citrine/templates/base/footer_content.tmpl b/containers/citrine/templates/base/footer_content.tmpl
new file mode 100644
index 0000000..a9238c3
--- /dev/null
+++ b/containers/citrine/templates/base/footer_content.tmpl
@@ -0,0 +1,31 @@
+<footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
+    <div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
+        {{if ShowFooterPoweredBy}}
+            <a target="_blank" rel="noopener noreferrer" href="https://forgejo.org">Forgejo</a>
+        {{end}}
+        {{if (or .ShowFooterVersion .PageIsAdmin)}}
+            {{if .IsAdmin}}
+                <a href="{{AppSubUrl}}/admin/config">{{AppVerNoMetadata}}</a>
+            {{else}}
+                {{AppVerNoMetadata}}
+            {{end}}
+        {{end}}
+        {{if and .TemplateLoadTimes ShowFooterTemplateLoadTime}}
+            {{ctx.Locale.Tr "page"}}: <strong>{{LoadTimes .PageStartTime}}</strong>
+            {{ctx.Locale.Tr "template"}}{{if .TemplateName}} {{.TemplateName}}{{end}}: <strong>{{call .TemplateLoadTimes}}</strong>
+        {{end}}
+    </div>
+    <div class="right-links" role="group" aria-label="{{ctx.Locale.Tr "aria.footer.links"}}">
+        <div class="ui dropdown upward language">
+            <span class="flex-text-inline">{{svg "octicon-globe" 14}} {{ctx.Locale.LangName}}</span>
+            <div class="menu language-menu">
+                {{range .AllLangs}}
+                    <a lang="{{.Lang}}" data-url="{{AppSubUrl}}/?lang={{.Lang}}" class="item {{if eq ctx.Locale.Lang .Lang}}active selected{{end}}">{{.Name}}</a>
+                {{end}}
+            </div>
+        </div>
+        <a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
+        {{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
+        {{template "custom/extra_links_footer" .}}
+    </div>
+</footer>
diff --git a/containers/citrine/templates/home.tmpl b/containers/citrine/templates/home.tmpl
new file mode 100644
index 0000000..d460caf
--- /dev/null
+++ b/containers/citrine/templates/home.tmpl
@@ -0,0 +1,19 @@
+{{template "base/head" .}}
+{{if not .IsSigned}}
+    <script>window.location.href = "/explore/repos";</script>
+{{end}}
+<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="page-content home">
+    <div class="tw-mb-8 tw-px-8">
+        <div class="center">
+            <img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
+            <div class="hero">
+                <h1 class="ui icon header title">
+                    {{AppDisplayName}}
+                </h1>
+                <h2>{{ctx.Locale.Tr "startpage.app_desc"}}</h2>
+            </div>
+        </div>
+    </div>
+    {{template "home_forgejo" .}}
+</div>
+{{template "base/footer" .}}
diff --git a/containers/diamond/configuration.nix b/containers/diamond/configuration.nix
new file mode 100644
index 0000000..01b4311
--- /dev/null
+++ b/containers/diamond/configuration.nix
@@ -0,0 +1,22 @@
+{ fqdn, ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/vaultwarden 755 vaultwarden vaultwarden"
+  ];
+  fileSystems."/var/lib/vaultwarden" = {
+    device = "/persist/vaultwarden";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 8000 ];
+  networking.firewall.allowedUDPPorts = [ 8000 ];
+
+  services.vaultwarden = {
+    enable = true;
+    domain = fqdn;
+    config = {
+      DOMAIN = "https://${fqdn}";
+      ROCKET_ADDRESS = "::";
+    };
+  };
+}
diff --git a/containers/diamond/flake.lock b/containers/diamond/flake.lock
new file mode 100644
index 0000000..88ab73f
--- /dev/null
+++ b/containers/diamond/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/containers/diamond/flake.nix b/containers/diamond/flake.nix
new file mode 100644
index 0000000..71ab4fd
--- /dev/null
+++ b/containers/diamond/flake.nix
@@ -0,0 +1,51 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "diamond";
+    fqdn = "astransia.lava.moe";
+    subnetId = "4";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    modules = [
+      ./configuration.nix
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { ... }: {
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:8000";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}
diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix
new file mode 100644
index 0000000..421ddb0
--- /dev/null
+++ b/containers/emerald/configuration.nix
@@ -0,0 +1,23 @@
+{ fqdn, shareFqdn, ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/navidrome 755 navidrome navidrome"
+  ];
+  networking.firewall.allowedTCPPorts = [ 4533 ];
+  networking.firewall.allowedUDPPorts = [ 4533 ];
+
+  services.navidrome = {
+    enable = true;
+    environmentFile = "/binds/navidrome_env";
+    settings = {
+      Port = 4533;
+      Address = "[::]";
+      BaseUrl = "https://${fqdn}/";
+      ShareURL = "https://${shareFqdn}";
+      EnableSharing = true;
+      DataFolder = "/persist/navidrome";
+      MusicFolder = "/binds/music/main";
+    };
+  };
+  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
+}
diff --git a/containers/emerald/flake.lock b/containers/emerald/flake.lock
new file mode 100644
index 0000000..88ab73f
--- /dev/null
+++ b/containers/emerald/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
new file mode 100644
index 0000000..5ee69e4
--- /dev/null
+++ b/containers/emerald/flake.nix
@@ -0,0 +1,78 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "emerald";
+    fqdn = "navia.lava.moe";
+    shareFqdn = "muse.lava.moe";
+    subnetId = "5";
+
+    subnet = x: "fd0d:2::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.32.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:4533";
+        listenAddresses = [ "100.67.2.1" ];
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn shareFqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."music" = {
+          hostPath = "/flower/media/music";
+          mountPoint = "/binds/music";
+          isReadOnly = true;
+        };
+        bindMounts."navidrome_env" = {
+          hostPath = config.age.secrets.navidrome_env.path;
+          mountPoint = "/binds/navidrome_env";
+          isReadOnly = true;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}
diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix
new file mode 100644
index 0000000..9fcb5f5
--- /dev/null
+++ b/containers/fluorite/configuration.nix
@@ -0,0 +1,22 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  systemd.tmpfiles.rules = [
+    "d /persist/slskd/Downloads 755 slskd slskd"
+  ];
+  fileSystems."/var/lib/slskd" = {
+    device = "/persist/slskd";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  networking.firewall.allowedTCPPorts = [ 5030 50300 ];
+  networking.firewall.allowedUDPPorts = [ 5030 50300 ];
+
+  services.slskd = {
+    enable = true;
+    domain = null;
+    environmentFile = "/binds/slskd_env";
+    settings = {
+      shares.directories = [ "/binds/music/" ];
+    };
+  };
+}
diff --git a/containers/fluorite/flake.lock b/containers/fluorite/flake.lock
new file mode 100644
index 0000000..88ab73f
--- /dev/null
+++ b/containers/fluorite/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix
new file mode 100644
index 0000000..33fcdb1
--- /dev/null
+++ b/containers/fluorite/flake.nix
@@ -0,0 +1,89 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "fluorite";
+    fqdn = "fluorite.lava.moe";
+    subnetId = "6";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+      networking.firewall.allowedTCPPorts = [ 50300 ];
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[${client}]:5030";
+        listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
+      };
+
+      systemd.tmpfiles.rules = [
+        "d /persist/containers/${name} 755 root users"
+        "d /persist/media/music 075 nobody users"
+      ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        forwardPorts = [
+          {
+            containerPort = 50300;
+            hostPort = 50300;
+            protocol = "tcp";
+          }
+        ];
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."music" = {
+          hostPath = "/persist/media/music";
+          mountPoint = "/binds/music";
+          isReadOnly = true;
+        };
+        bindMounts."slskd_env" = {
+          hostPath = config.age.secrets.slskd_env.path;
+          mountPoint = "/binds/slskd_env";
+          isReadOnly = true;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}
diff --git a/containers/garnet/configuration.nix b/containers/garnet/configuration.nix
new file mode 100644
index 0000000..21400c5
--- /dev/null
+++ b/containers/garnet/configuration.nix
@@ -0,0 +1,36 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  fileSystems."/var/lib/opencloud" = {
+    device = "/flower/data";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  fileSystems."/etc/opencloud" = {
+    device = "/persist/cfg";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+  # TODO: hardcoded address
+  networking.extraHosts = ''
+    100.67.2.1 cloud.lava.moe
+  '';
+
+  networking.firewall.allowedTCPPorts = [ 9200 ];
+  networking.firewall.allowedUDPPorts = [ 9200 ];
+
+  environment.etc."opencloud-admin-pass".text = ''
+    IDM_ADMIN_PASSWORD=supersillysecure
+  '';
+  services.opencloud = {
+    enable = true;
+    url = "https://cloud.lava.moe";
+    address = "10.30.7.2";
+    port = 9200;
+    environment = {
+      PROXY_TLS = "false";
+      IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
+      IDP_ID_TOKEN_EXPIRATION = "2592000";
+    };
+    environmentFile = "/etc/opencloud-admin-pass";
+  };
+}
diff --git a/containers/garnet/flake.lock b/containers/garnet/flake.lock
new file mode 100644
index 0000000..4070242
--- /dev/null
+++ b/containers/garnet/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix
new file mode 100644
index 0000000..df835a4
--- /dev/null
+++ b/containers/garnet/flake.nix
@@ -0,0 +1,84 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }:
+  let
+    name = "garnet";
+    fqdn = "cloud.lava.moe";
+    subnetId = "7";
+
+    subnet = x: "fd0d:1::${subnetId}:${toString x}";
+    host = subnet 1;
+    client = subnet 2;
+
+    subnet4 = x: "10.30.${subnetId}.${toString x}";
+    host4 = subnet4 1;
+    client4 = subnet4 2;
+
+    modules = [
+      ./configuration.nix
+      {
+        networking.useHostResolvConf = false;
+        networking.nameservers = [ host ];
+      }
+    ];
+  in {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      inherit modules;
+    };
+    nixosModule = { config, ... }: {
+      networking.nat = {
+        enable = true;
+        enableIPv6 = true;
+        internalInterfaces = [ "ve-${name}" ];
+      };
+
+      services.nginx.virtualHosts."${fqdn}" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://${client4}:9200";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          proxy_read_timeout 3600s;
+          proxy_send_timeout 3600s;
+          keepalive_requests 100000;
+          keepalive_timeout 5m;
+          http2_max_concurrent_streams 512;
+        '';
+        # TODO: hardcoded address
+        listenAddresses = [ "100.67.2.1" ];
+      };
+
+      systemd.tmpfiles.rules = [
+        "d /persist/containers/${name} 755 root users"
+      ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = host4;
+        localAddress = client4;
+        hostAddress6 = host;
+        localAddress6 = client;
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = modules; };
+        specialArgs = { inherit fqdn; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        bindMounts."content" = {
+          hostPath = "/flower/opencloud";
+          mountPoint = "/flower";
+          isReadOnly = false;
+        };
+      };
+    };
+  };
+}
diff --git a/flake.lock b/flake.lock
index adc268d..2578a7e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,14 +3,15 @@
     "aagl": {
       "inputs": {
         "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1747604854,
-        "narHash": "sha256-hV6LbeBnXYlxaJ1t/CZQUM0U16mAT4F0WrvuxObJwDo=",
+        "lastModified": 1779903856,
+        "narHash": "sha256-uRShMtD6xW3ZKZbCQ6sDzKWEnbBXUg3IGfOARYogKhg=",
         "owner": "ezKEa",
         "repo": "aagl-gtk-on-nix",
-        "rev": "c975050923763f4239a6f8a3a1c76125346b95f8",
+        "rev": "50671fc7f29d686f63ef34b603320d44ad7f2d29",
         "type": "github"
       },
       "original": {
@@ -29,11 +30,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1747575206,
-        "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "4835b1dc898959d8547a871ef484930675cb47f1",
+        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
         "type": "github"
       },
       "original": {
@@ -42,41 +43,131 @@
         "type": "github"
       }
     },
-    "catppuccin": {
+    "c-amethyst": {
       "inputs": {
-        "catppuccin-v1_1": "catppuccin-v1_1",
-        "catppuccin-v1_2": "catppuccin-v1_2",
-        "home-manager": "home-manager_2",
-        "home-manager-stable": "home-manager-stable",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable",
-        "nuscht-search": "nuscht-search"
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1736069220,
-        "narHash": "sha256-76MaB3COao55nlhWmSmq9PKgu2iGIs54C1cAE0E5J6Y=",
+        "path": "./containers/amethyst",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/amethyst",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "c-beryllium": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "path": "./containers/beryllium",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/beryllium",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "c-citrine": {
+      "inputs": {
+        "catppuccin": "catppuccin",
+        "nixpkgs": "nixpkgs_5"
+      },
+      "locked": {
+        "path": "./containers/citrine",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/citrine",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "c-diamond": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_6"
+      },
+      "locked": {
+        "path": "./containers/diamond",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/diamond",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "c-emerald": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_7"
+      },
+      "locked": {
+        "path": "./containers/emerald",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/emerald",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "c-fluorite": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_8"
+      },
+      "locked": {
+        "path": "./containers/fluorite",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/fluorite",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "c-garnet": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_9"
+      },
+      "locked": {
+        "path": "./containers/garnet",
+        "type": "path"
+      },
+      "original": {
+        "path": "./containers/garnet",
+        "type": "path"
+      },
+      "parent": []
+    },
+    "catppuccin": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_4"
+      },
+      "locked": {
+        "lastModified": 1773403535,
+        "narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "8eada392fd6571a747e1c5fc358dd61c14c8704e",
+        "rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47",
         "type": "github"
       },
       "original": {
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "8eada392fd6571a747e1c5fc358dd61c14c8704e",
         "type": "github"
       }
     },
     "catppuccin-palette": {
       "flake": false,
       "locked": {
-        "lastModified": 1742245182,
-        "narHash": "sha256-R52Q1FVAclvBk7xNgj/Jl+GPCIbORNf6YbJ1nxH3Gzs=",
+        "lastModified": 1774131488,
+        "narHash": "sha256-hsy+GhuM4MSjnwGq1YJSLBFIbVm67SSdPRgObP00mxw=",
         "owner": "catppuccin",
         "repo": "palette",
-        "rev": "0df7db6fe201b437d91e7288fa22807bb0e44701",
+        "rev": "07d02aa110ef9eb7e7427afca5c73ba9cf7f8ebd",
         "type": "github"
       },
       "original": {
@@ -113,6 +204,33 @@
         "url": "https://flakehub.com/f/catppuccin/nix/1.2.%2A.tar.gz"
       }
     },
+    "catppuccin_2": {
+      "inputs": {
+        "catppuccin-v1_1": "catppuccin-v1_1",
+        "catppuccin-v1_2": "catppuccin-v1_2",
+        "home-manager": "home-manager_2",
+        "home-manager-stable": "home-manager-stable",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable",
+        "nuscht-search": "nuscht-search"
+      },
+      "locked": {
+        "lastModified": 1736069220,
+        "narHash": "sha256-76MaB3COao55nlhWmSmq9PKgu2iGIs54C1cAE0E5J6Y=",
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "8eada392fd6571a747e1c5fc358dd61c14c8704e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "8eada392fd6571a747e1c5fc358dd61c14c8704e",
+        "type": "github"
+      }
+    },
     "darwin": {
       "inputs": {
         "nixpkgs": [
@@ -138,11 +256,11 @@
     "fast-syntax-highlighting": {
       "flake": false,
       "locked": {
-        "lastModified": 1688591419,
-        "narHash": "sha256-RVX9ZSzjBW3LpFs2W86lKI6vtcvDWP6EPxzeTcRZua4=",
+        "lastModified": 1752660993,
+        "narHash": "sha256-ZihUL4JAVk9V+IELSakytlb24BvEEJ161CQEHZYYoSA=",
         "owner": "zdharma-continuum",
         "repo": "fast-syntax-highlighting",
-        "rev": "cf318e06a9b7c9f2219d78f41b46fa6e06011fd9",
+        "rev": "3d574ccf48804b10dca52625df13da5edae7f553",
         "type": "github"
       },
       "original": {
@@ -154,11 +272,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
@@ -170,31 +288,15 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
-        "owner": "edolstra",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
         "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_3": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
+        "owner": "NixOS",
         "repo": "flake-compat",
         "type": "github"
       }
@@ -207,11 +309,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "lastModified": 1778716662,
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
         "type": "github"
       },
       "original": {
@@ -221,36 +323,15 @@
       }
     },
     "flake-parts_2": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "neovim-nightly",
-          "hercules-ci-effects",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
-        "type": "github"
-      },
-      "original": {
-        "id": "flake-parts",
-        "type": "indirect"
-      }
-    },
-    "flake-parts_3": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "lastModified": 1778716662,
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
         "type": "github"
       },
       "original": {
@@ -277,21 +358,57 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "git-hooks": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
         "gitignore": "gitignore",
         "nixpkgs": [
-          "neovim-nightly",
+          "nix-gaming",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1747372754,
-        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "lastModified": 1778507602,
+        "narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a",
         "type": "github"
       },
       "original": {
@@ -303,7 +420,7 @@
     "gitignore": {
       "inputs": {
         "nixpkgs": [
-          "neovim-nightly",
+          "nix-gaming",
           "git-hooks",
           "nixpkgs"
         ]
@@ -322,28 +439,6 @@
         "type": "github"
       }
     },
-    "hercules-ci-effects": {
-      "inputs": {
-        "flake-parts": "flake-parts_2",
-        "nixpkgs": [
-          "neovim-nightly",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1747284884,
-        "narHash": "sha256-lTSKhRrassMcJ1ZsuUVunyl/F04vvCKY80HB/4rvvm4=",
-        "owner": "hercules-ci",
-        "repo": "hercules-ci-effects",
-        "rev": "7168f6002a6b48a9b6151e1e97e974a0722ecfdc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "hercules-ci-effects",
-        "type": "github"
-      }
-    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -415,11 +510,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747565775,
-        "narHash": "sha256-B6jmKHUEX1jxxcdoYHl7RVaeohtAVup8o3nuVkzkloA=",
+        "lastModified": 1779969295,
+        "narHash": "sha256-HwIJ3tOcwSMiV75L7KqJXciXR9UfT+d7rwOZMX7cTnA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "97118a310eb8e13bc1b9b12d67267e55b7bee6c8",
+        "rev": "61e2c9659324181e0f0ed911958c536333b1d4f6",
         "type": "github"
       },
       "original": {
@@ -459,11 +554,11 @@
     "linux-tkg": {
       "flake": false,
       "locked": {
-        "lastModified": 1747584459,
-        "narHash": "sha256-E07Co94EpSchJ5fwH/i8Hs7SyWIvrb8dYcVu0HVXbv4=",
+        "lastModified": 1779857514,
+        "narHash": "sha256-dCrVB3cFvv1d/9wuEejYN131b1phyf6SDy1bcEvtWGo=",
         "owner": "Frogging-Family",
         "repo": "linux-tkg",
-        "rev": "be60339c0df7483b00d91e750e6742635e0a593a",
+        "rev": "c9196dea7ee464f7792f94cd39c32431ad9e25ab",
         "type": "github"
       },
       "original": {
@@ -474,22 +569,18 @@
     },
     "neovim-nightly": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
         "flake-parts": "flake-parts",
-        "git-hooks": "git-hooks",
-        "hercules-ci-effects": "hercules-ci-effects",
         "neovim-src": "neovim-src",
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "treefmt-nix": "treefmt-nix"
+        ]
       },
       "locked": {
-        "lastModified": 1747554936,
-        "narHash": "sha256-LBFEVTt3JISA/HDHznJanvlNvKllNfILr1nfI8KZmVM=",
+        "lastModified": 1780013080,
+        "narHash": "sha256-m984DKbcIeNNuLYFjN3780rPEd55Xe9/cB4BNKkIDvg=",
         "owner": "nix-community",
         "repo": "neovim-nightly-overlay",
-        "rev": "5a732bf3edb47767a25c3b05436e4c21f91edf91",
+        "rev": "c6cc238427db8f61b786a66d7e02cf7724b30226",
         "type": "github"
       },
       "original": {
@@ -501,11 +592,11 @@
     "neovim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1747523215,
-        "narHash": "sha256-55RIMak4EwDaLdNTkM+4d3LjC90wlkNRaaG8DupK3AM=",
+        "lastModified": 1779979065,
+        "narHash": "sha256-3uF/oP2D4Jka3DU2G8qqml75UOzPRrK+FIp+jghOq0s=",
         "owner": "neovim",
         "repo": "neovim",
-        "rev": "5661f74ab2a6ef0c497ef2ea49bc58ea89b6ab6b",
+        "rev": "5d85669a33e10f1f156b086562458cbbc8054438",
         "type": "github"
       },
       "original": {
@@ -516,15 +607,16 @@
     },
     "nix-gaming": {
       "inputs": {
-        "flake-parts": "flake-parts_3",
-        "nixpkgs": "nixpkgs_2"
+        "flake-parts": "flake-parts_2",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs_10"
       },
       "locked": {
-        "lastModified": 1747594704,
-        "narHash": "sha256-IAUIY96BaMM4o+BeMLcviBji/Xais7WfU5TIPjgPEEQ=",
+        "lastModified": 1779768228,
+        "narHash": "sha256-/dRavNAx/Mp67xcQQ3JBIMyf0cLoXqKedafB1+wksAE=",
         "owner": "fufexan",
         "repo": "nix-gaming",
-        "rev": "1c04e472eafbd37d82af17769d45932e39b37b76",
+        "rev": "6e7a8414c0f547a86646eb0b56ebf89e7cc217a2",
         "type": "github"
       },
       "original": {
@@ -533,13 +625,33 @@
         "type": "github"
       }
     },
+    "nix-index-database": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1779604987,
+        "narHash": "sha256-ZQ5z+fVhxYKtIFwtqGp5O0PD84BM1riASvqDaN5Xs+s=",
+        "owner": "nix-community",
+        "repo": "nix-index-database",
+        "rev": "8fba98c80b48fa013820e0163c5096922fea4ddd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-index-database",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1745930157,
-        "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
         "type": "github"
       },
       "original": {
@@ -551,11 +663,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1743296961,
-        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "lastModified": 1777168982,
+        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+        "rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14",
         "type": "github"
       },
       "original": {
@@ -580,13 +692,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
+    "nixpkgs_10": {
       "locked": {
-        "lastModified": 1747426788,
-        "narHash": "sha256-N4cp0asTsJCnRMFZ/k19V9akkxb7J/opG+K+jU57JGc=",
+        "lastModified": 1779536132,
+        "narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "12a55407652e04dcf2309436eb06fef0d3713ef3",
+        "rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456",
         "type": "github"
       },
       "original": {
@@ -596,13 +708,157 @@
         "type": "github"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs_11": {
       "locked": {
-        "lastModified": 1747542820,
-        "narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=",
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_12": {
+      "locked": {
+        "lastModified": 1770019141,
+        "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1773122722,
+        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_6": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_7": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_8": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_9": {
+      "locked": {
+        "lastModified": 1779560665,
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
         "type": "github"
       },
       "original": {
@@ -638,11 +894,11 @@
     "nvim-treesitter": {
       "flake": false,
       "locked": {
-        "lastModified": 1747068210,
-        "narHash": "sha256-bYbwIVii2mxFyro91ogCVLkIyrMNP4QJRSGNVcZPVEU=",
+        "lastModified": 1775221900,
+        "narHash": "sha256-PQR6tFt4lCrAZNQG7BLMD1IiCKja9wDS1S4laGJf/HE=",
         "owner": "nvim-treesitter",
         "repo": "nvim-treesitter",
-        "rev": "066fd6505377e3fd4aa219e61ce94c2b8bdb0b79",
+        "rev": "4916d6592ede8c07973490d9322f187e07dfefac",
         "type": "github"
       },
       "original": {
@@ -651,14 +907,57 @@
         "type": "github"
       }
     },
+    "pastel": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": "nixpkgs_12",
+        "pnpm2nix": "pnpm2nix"
+      },
+      "locked": {
+        "lastModified": 1775622883,
+        "narHash": "sha256-2+7uCRXn+tn4LVaO7hLKPaezdKPW6HGvTr00aO4Tcxs=",
+        "owner": "cillynder",
+        "repo": "pastel",
+        "rev": "46f6569d5ad41ec1256dbf999d21701f73d6077b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cillynder",
+        "repo": "pastel",
+        "type": "github"
+      }
+    },
+    "pnpm2nix": {
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
+          "pastel",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717937937,
+        "narHash": "sha256-bKoHjG5P15vCVpDndIXFfoJC65XhrBPQ9GWcXtXNuDA=",
+        "owner": "wrvsrx",
+        "repo": "pnpm2nix-nzbr",
+        "rev": "a2d285ad5718cb202f45e98a4f839a5b2608c4b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "wrvsrx",
+        "ref": "adapt-to-v9",
+        "repo": "pnpm2nix-nzbr",
+        "type": "github"
+      }
+    },
     "pure": {
       "flake": false,
       "locked": {
-        "lastModified": 1745571677,
-        "narHash": "sha256-m4vCfX/IwByQN0OvcwDs+fy6LYndhGbNDQueOCREVx8=",
+        "lastModified": 1779255807,
+        "narHash": "sha256-UQ0hP3qJd4Qxiw1LXPdb9d0Dc4OSD3HJpgYzaCfujno=",
         "owner": "sindresorhus",
         "repo": "pure",
-        "rev": "5c2158096cd992ad73ae4b42aa43ee618383e092",
+        "rev": "cc0759a0de620f191510e2e2f9748194a605b54d",
         "type": "github"
       },
       "original": {
@@ -671,37 +970,69 @@
       "inputs": {
         "aagl": "aagl",
         "agenix": "agenix",
-        "catppuccin": "catppuccin",
+        "c-amethyst": "c-amethyst",
+        "c-beryllium": "c-beryllium",
+        "c-citrine": "c-citrine",
+        "c-diamond": "c-diamond",
+        "c-emerald": "c-emerald",
+        "c-fluorite": "c-fluorite",
+        "c-garnet": "c-garnet",
+        "catppuccin": "catppuccin_2",
         "catppuccin-palette": "catppuccin-palette",
         "fast-syntax-highlighting": "fast-syntax-highlighting",
         "home-manager": "home-manager_3",
         "linux-tkg": "linux-tkg",
         "neovim-nightly": "neovim-nightly",
         "nix-gaming": "nix-gaming",
-        "nixpkgs": "nixpkgs_3",
+        "nix-index-database": "nix-index-database",
+        "nixpkgs": "nixpkgs_11",
         "nvim-treesitter": "nvim-treesitter",
+        "pastel": "pastel",
         "pure": "pure",
         "spicetify-nix": "spicetify-nix",
         "spotify-adblock": "spotify-adblock",
+        "stevenblack-hosts": "stevenblack-hosts",
         "tree-sitter-jsonc": "tree-sitter-jsonc",
+        "website": "website",
         "wine-discord-ipc-bridge": "wine-discord-ipc-bridge",
         "zsh-abbr": "zsh-abbr",
         "zsh-history-substring-search": "zsh-history-substring-search"
       }
     },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "aagl",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1777605393,
+        "narHash": "sha256-Hjp0VOOHgHcTrX23iVvnfAudPcuCmfkfpQNFwv2v/ks=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "ff88db34cfa486fc4964a6991cab1678d82eee8c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
     "spicetify-nix": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
         ],
-        "systems": "systems_3"
+        "systems": "systems_5"
       },
       "locked": {
-        "lastModified": 1747607404,
-        "narHash": "sha256-xj2Ji+rE+oYjf0BsTDT7K/StnYuZQK9MTbX8U1DUcC0=",
+        "lastModified": 1779824049,
+        "narHash": "sha256-dWHVUjP03KSVG1PaLKA6j9EdxWSxSQvipMUIcSyuA/U=",
         "owner": "Gerg-L",
         "repo": "spicetify-nix",
-        "rev": "8c1be0e5e9a7f35ccd6f7b10bcfa08f2734dad91",
+        "rev": "1362178e5f5f7a848c49fe9dee004ef8824f100a",
         "type": "github"
       },
       "original": {
@@ -713,11 +1044,11 @@
     "spotify-adblock": {
       "flake": false,
       "locked": {
-        "lastModified": 1739206126,
+        "lastModified": 1773417310,
         "narHash": "sha256-nwiX2wCZBKRTNPhmrurWQWISQdxgomdNwcIKG2kSQsE=",
         "owner": "abba23",
         "repo": "spotify-adblock",
-        "rev": "8e0312d6085a6e4f9afeb7c2457517a75e8b8f9d",
+        "rev": "813d3451c53126bf1941baaf8dd37f1152c3f412",
         "type": "github"
       },
       "original": {
@@ -726,6 +1057,22 @@
         "type": "github"
       }
     },
+    "stevenblack-hosts": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1779976382,
+        "narHash": "sha256-wt5NGa4K8/vda669UYUmTUt+BR9X5fPnuTZFfQdpLYo=",
+        "owner": "StevenBlack",
+        "repo": "hosts",
+        "rev": "d3e838712512490260f051150e3573eeebecfadb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "StevenBlack",
+        "repo": "hosts",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -771,14 +1118,44 @@
         "type": "github"
       }
     },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "tree-sitter-jsonc": {
       "flake": false,
       "locked": {
-        "lastModified": 1615145540,
-        "narHash": "sha256-iWc2ePRiQnZ0FEdMAaAwa3iYt/SY0bEjQrZyqE9EhlU=",
+        "lastModified": 1769637052,
+        "narHash": "sha256-V38tvBHJsSHJbj8QrMbt5hz2q8WLf4jtKsTiAo98/Vo=",
         "owner": "WhyNotHugo",
         "repo": "tree-sitter-jsonc",
-        "rev": "02b01653c8a1c198ae7287d566efa86a135b30d5",
+        "rev": "f7890ba894d885d1b2b721cfae759b07d53c8886",
         "type": "gitlab"
       },
       "original": {
@@ -787,24 +1164,20 @@
         "type": "gitlab"
       }
     },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "neovim-nightly",
-          "nixpkgs"
-        ]
-      },
+    "website": {
+      "flake": false,
       "locked": {
-        "lastModified": 1747469671,
-        "narHash": "sha256-bo1ptiFoNqm6m1B2iAhJmWCBmqveLVvxom6xKmtuzjg=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "ab0378b61b0d85e73a8ab05d5c6029b5bd58c9fb",
+        "lastModified": 1668017714,
+        "narHash": "sha256-ywy/7xeT6FHkF7lcs+stW1WPV+piE8ztSwcQ161iico=",
+        "owner": "cillynder",
+        "repo": "lavadesu.github.io",
+        "rev": "4e30c50be520a0a1bbecf408f056e6aaf135df67",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
+        "owner": "cillynder",
+        "ref": "master",
+        "repo": "lavadesu.github.io",
         "type": "github"
       }
     },
@@ -827,11 +1200,11 @@
     "zsh-abbr": {
       "flake": false,
       "locked": {
-        "lastModified": 1740172038,
-        "narHash": "sha256-idwCtAwXa7qNZlKE8KdS9cUgEOCSdf6tec0YuXINcl8=",
+        "lastModified": 1773890443,
+        "narHash": "sha256-SVuwDeHIBg8yArKGzDEfsG3fz0UwABQoJkyKTQAPUiw=",
         "ref": "refs/heads/main",
-        "rev": "f9e43d78110db0a8bf8ec75ca5b101a06b1d5ce8",
-        "revCount": 1041,
+        "rev": "889f4772c12b9dbe4965bbd56f2572af0a28fa3b",
+        "revCount": 1139,
         "submodules": true,
         "type": "git",
         "url": "https://github.com/olets/zsh-abbr"
@@ -845,11 +1218,11 @@
     "zsh-history-substring-search": {
       "flake": false,
       "locked": {
-        "lastModified": 1717563893,
-        "narHash": "sha256-1+w0AeVJtu1EK5iNVwk3loenFuIyVlQmlw8TWliHZGI=",
+        "lastModified": 1768499095,
+        "narHash": "sha256-KHujL1/TM5R3m4uQh2nGVC98D6MOyCgQpyFf+8gjKR0=",
         "owner": "zsh-users",
         "repo": "zsh-history-substring-search",
-        "rev": "87ce96b1862928d84b1afe7c173316614b30e301",
+        "rev": "14c8d2e0ffaee98f2df9850b19944f32546fdea5",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index db61e01..5cf3457 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,24 +2,27 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     home-manager.url = "github:nix-community/home-manager";
-    neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
-    agenix.url = "github:ryantm/agenix";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
-    aagl.url = "github:ezKEa/aagl-gtk-on-nix";
+    agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
+    aagl.url = "github:ezKEa/aagl-gtk-on-nix";
     catppuccin.url = "github:catppuccin/nix/8eada392fd6571a747e1c5fc358dd61c14c8704e";
     catppuccin.inputs.nixpkgs.follows = "nixpkgs";
     catppuccin-palette = { url = "github:catppuccin/palette"; flake = false; };
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
     neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";
 
     nix-gaming.url = "github:fufexan/nix-gaming";
+    nix-index-database.url = "github:nix-community/nix-index-database";
+    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
     spicetify-nix.url = "github:Gerg-L/spicetify-nix";
     spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
 
     # services
-    # hosts-blocklists = { url = "github:notracking/hosts-blocklists"; flake = false; };
-    # website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; };
+    pastel.url = "github:cillynder/pastel";
+    stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; };
+    website = { url = "github:cillynder/lavadesu.github.io/master"; flake = false; };
 
     # zsh plugins
     zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; };
@@ -33,6 +36,15 @@
     spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; };
     tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; };
     wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; };
+
+    # containers
+    c-amethyst.url = "path:./containers/amethyst";
+    c-beryllium.url = "path:./containers/beryllium";
+    c-citrine.url = "path:./containers/citrine";
+    c-diamond.url = "path:./containers/diamond";
+    c-emerald.url = "path:./containers/emerald";
+    c-fluorite.url = "path:./containers/fluorite";
+    c-garnet.url = "path:./containers/garnet";
   };
 
   outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
@@ -64,11 +76,14 @@
           specialArgs = {
             inherit inputs;
             modules = import ./modules { lib = nixpkgs.lib; };
+            gcSecrets = builtins.fromJSON (builtins.readFile "${self}/secrets.gcrypt/shared.json");
           };
         };
     in
     {
+      nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" [];
       nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
+      nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" [];
       nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
 
       packages."x86_64-linux" =
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
new file mode 100644
index 0000000..06c415f
--- /dev/null
+++ b/hosts/alyssum/default.nix
@@ -0,0 +1,45 @@
+{ inputs, lib, modules, modulesPath, ... }: {
+  networking.hostName = "alyssum";
+  system.stateVersion = "25.11";
+  time.timeZone = "Australia/Melbourne";
+
+  age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
+    passwd.file = ../../secrets/passwd.age;
+    navidrome_env.file = ../../secrets/navidrome_env.age;
+    wpa_conf = {
+      file = ../../secrets/wpa_conf.age;
+      path = "/etc/wpa_supplicant/imperative.conf";
+      symlink = false;
+    };
+  };
+
+  imports = with modules.system; [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    home-manager
+
+    base
+    kernel
+    nix-stable
+    packages
+    security
+    tailscale
+
+    modules.services.nginx
+    modules.services.syncthing
+
+    inputs.c-emerald.nixosModule
+    inputs.c-garnet.nixosModule
+
+    ./filesystem.nix
+    ./kernel.nix
+    ./networking.nix
+    ./home.syncthing.nix
+    ./samba.nix
+
+    ../../users/hana
+  ];
+
+  me.environment = "headless";
+  services.syncthing.user = lib.mkForce "hana";
+}
diff --git a/hosts/alyssum/filesystem.nix b/hosts/alyssum/filesystem.nix
new file mode 100644
index 0000000..bdea423
--- /dev/null
+++ b/hosts/alyssum/filesystem.nix
@@ -0,0 +1,35 @@
+{ ... }:
+let
+  bind = src: {
+    depends = [ "/nix" ];
+    device = src;
+    fsType = "none";
+    neededForBoot = true;
+    options = [ "bind" ];
+  };
+
+  mkLabelMount = label: type: {
+    device = "/dev/disk/by-label/${label}";
+    fsType = type;
+    options = [ "defaults" "relatime" ];
+  };
+  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
+    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
+  };
+  submount = mkBtrfsMount "alyssum";
+in {
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=8G" "mode=755" ];
+    };
+    "/boot" = mkLabelMount "stem" "vfat";
+
+    "/flower" = mkBtrfsMount "myosotis" "/@" true;
+    "/nix" = submount "/@/nix" false;
+    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
+    "/persist/.snapshots" = submount "/snap/persist" false;
+    "/var/log/journal" = bind "/persist/journal";
+  };
+}
diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix
new file mode 100644
index 0000000..8d5a1cc
--- /dev/null
+++ b/hosts/alyssum/home.syncthing.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+let
+  configOn = user: port: {
+    me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
+    me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
+
+    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
+
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+      linger = true;
+    };
+    home-manager.users.${user} = { ... }: {
+      home = {
+        username = "${user}";
+        homeDirectory = "/home/${user}";
+        stateVersion = "26.05";
+      };
+      services.syncthing = {
+        enable = true;
+        guiAddress = "[::]:${toString port}";
+        overrideDevices = false;
+        overrideFolders = false;
+        settings = {
+          options.listenAddresses = [
+            "tcp://0.0.0.0:2${toString port}"
+            "quic://0.0.0.0:2${toString port}"
+            "dynamic+https://relays.syncthing.net/endpoint"
+          ];
+          defaults.folder.path = "/flower/syncthing/${user}";
+        };
+      };
+    };
+  };
+in lib.mkMerge [
+  (configOn "kujira" 8385)
+  (configOn "cilly" 8386)
+]
diff --git a/hosts/alyssum/kernel.nix b/hosts/alyssum/kernel.nix
new file mode 100644
index 0000000..5e9b300
--- /dev/null
+++ b/hosts/alyssum/kernel.nix
@@ -0,0 +1,12 @@
+{ config, lib, ... }: {
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+  };
+  hardware.cpu.amd.updateMicrocode = true;
+}
diff --git a/hosts/alyssum/networking.nix b/hosts/alyssum/networking.nix
new file mode 100644
index 0000000..281cbb6
--- /dev/null
+++ b/hosts/alyssum/networking.nix
@@ -0,0 +1,15 @@
+{ config, ... }: {
+  networking = {
+    useDHCP = true;
+    wireless.enable = true;
+
+    interfaces.wlp1s0.useDHCP = false;
+    interfaces.wlp1s0.ipv4.addresses = [{
+      address = "192.168.1.167";
+      prefixLength = 24;
+    }];
+
+    defaultGateway = "192.168.1.1";
+    nameservers = [ "8.8.8.8" "8.8.4.4" ];
+  };
+}
diff --git a/hosts/alyssum/packages.nix b/hosts/alyssum/packages.nix
new file mode 100644
index 0000000..2d4bd30
--- /dev/null
+++ b/hosts/alyssum/packages.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    jq
+    neovim
+    rsync
+    sshfs
+    wget
+
+    kitty.terminfo
+  ];
+  environment.variables.EDITOR = "nvim";
+}
diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix
new file mode 100644
index 0000000..d876981
--- /dev/null
+++ b/hosts/alyssum/samba.nix
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+let
+  configOn = user: let
+    passwd_fname = "passwd_smb${user}";
+  in {
+    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
+    me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
+    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
+
+    users.users.${user} = {
+      hashedPasswordFile = config.age.secrets.passwd.path;
+      isNormalUser = true;
+    };
+
+    system.activationScripts = {
+      init_smbpasswd.text = let
+        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
+      in ''
+        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
+      '';
+    };
+    services.samba.settings."${user}" = {
+      "path" = "/flower/smb/${user}";
+      "browseable" = "yes";
+      "read only" = "no";
+      "guest ok" = "no";
+      "create mask" = "0644";
+      "directory mask" = "0755";
+      "force user" = user;
+      "force group" = "users";
+      "valid users" = user;
+    };
+  };
+in lib.mkMerge [
+  (configOn "cilly")
+  (configOn "kujira")
+  {
+    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
+
+    networking.firewall.allowPing = true;
+
+    services.samba = {
+      enable = true;
+      package = pkgs.samba4Full;
+      openFirewall = true;
+      settings = {
+        global = {
+          "server smb encrypt" = "required";
+          "workgroup" = "WORKGROUP";
+          "server string" = "smbnix";
+          "netbios name" = "smbnix";
+          "security" = "user";
+          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
+          "hosts deny" = "0.0.0.0/0";
+          "guest account" = "nobody";
+          "map to guest" = "bad user";
+        };
+        "public" = {
+          "path" = "/flower/smb/public";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "yes";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "hana";
+          "force group" = "users";
+        };
+      };
+    };
+
+    services.samba-wsdd = {
+      enable = true;
+      openFirewall = true;
+    };
+
+    services.avahi = {
+      enable = true;
+      openFirewall = true;
+      nssmdns4 = true;
+      publish.enable = true;
+      publish.userServices = true;
+    };
+  }
+]
diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix
index 77b07a7..841e909 100644
--- a/hosts/anemone/default.nix
+++ b/hosts/anemone/default.nix
@@ -5,6 +5,7 @@
 
   nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
   age.secrets = {
+    wg_anemone.file = ../../secrets/wg_anemone.age;
     passwd.file = ../../secrets/passwd.age;
   };
 
@@ -16,6 +17,7 @@
     bluetooth
     ccache
     corectrl
+    docker
     flatpak
     greetd
     gui
@@ -26,6 +28,8 @@
     printing
     security
     snapper
+    tailscale
+    wireguard
 
     ./filesystem.nix
     ./kernel.nix
@@ -51,4 +55,6 @@
 
   services.fprintd.enable = true;
   services.tlp.enable = true;
+
+  programs.kdeconnect.enable = true;
 }
diff --git a/hosts/anemone/kernel.nix b/hosts/anemone/kernel.nix
index cbee34c..d959b37 100644
--- a/hosts/anemone/kernel.nix
+++ b/hosts/anemone/kernel.nix
@@ -23,14 +23,14 @@
     ];
   };
 
-  swapDevices = [{
-    device = "/persist/swapfile";
-    size = 16 * 1024;
-  }];
-
-  systemd.sleep.extraConfig = ''
-    HibernateMode=shutdown
-  '';
+  # swapDevices = [{
+  #   device = "/persist/swapfile";
+  #   size = 16 * 1024;
+  # }];
+  #
+  # systemd.sleep.extraConfig = ''
+  #   HibernateMode=shutdown
+  # '';
   /*
   services.logind.lidSwitch = "suspend-then-hibernate";
   systemd.sleep.extraConfig = ''
diff --git a/hosts/anemone/networking.nix b/hosts/anemone/networking.nix
index 8b6bdf9..f5a4dc5 100644
--- a/hosts/anemone/networking.nix
+++ b/hosts/anemone/networking.nix
@@ -1,18 +1,4 @@
 { config, ... }: {
-  networking = {
-    #nameservers = [ "8.8.8.8" "8.8.4.4" ];
-
-    #wg-quick.interfaces.wg0.configFile = "/persist/vpn.conf";
-
-    networkmanager = {
-      enable = true;
-      #dns = "none";
-    };
-
-    extraHosts = ''
-      192.168.100.16 hyacinth
-    '';
-  };
-
+  networking.wireless.iwd.enable = true;
   environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";
 }
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
new file mode 100644
index 0000000..f65dfd1
--- /dev/null
+++ b/hosts/dandelion/default.nix
@@ -0,0 +1,44 @@
+{ inputs, modules, modulesPath, ... }: {
+  networking.hostName = "dandelion";
+  system.stateVersion = "23.11";
+  time.timeZone = "Australia/Melbourne";
+
+  age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
+    slskd_env.file = ../../secrets/slskd_env.age;
+    wg_dandelion.file = ../../secrets/wg_dandelion.age;
+  };
+
+  imports = with modules.system; [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    home-manager
+
+    base
+    kernel
+    nix-stable
+    packages
+    security
+    tailscale
+    wireguard
+
+    modules.services.banksia
+    modules.services.nginx
+    modules.services.unbound
+    modules.services.website
+
+    inputs.c-amethyst.nixosModule
+    inputs.c-beryllium.nixosModule
+    inputs.c-citrine.nixosModule
+    inputs.c-diamond.nixosModule
+    inputs.c-fluorite.nixosModule
+
+    ./filesystem.nix
+    ./kernel.nix
+    ./networking.nix
+    ./nginx.nix
+
+    ../../users/hana
+  ];
+
+  me.environment = "headless";
+}
diff --git a/hosts/dandelion/filesystem.nix b/hosts/dandelion/filesystem.nix
new file mode 100644
index 0000000..861bc15
--- /dev/null
+++ b/hosts/dandelion/filesystem.nix
@@ -0,0 +1,34 @@
+{ ... }:
+let
+  bind = src: {
+    depends = [ "/nix" ];
+    device = src;
+    fsType = "none";
+    neededForBoot = true;
+    options = [ "bind" ];
+  };
+
+  mkLabelMount = label: type: {
+    device = "/dev/disk/by-label/${label}";
+    fsType = type;
+    options = [ "defaults" "relatime" ];
+  };
+  mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
+    options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
+  };
+  submount = mkBtrfsMount "DANDELION";
+in {
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=6G" "mode=755" ];
+    };
+    "/boot" = mkLabelMount "UEFI" "vfat";
+
+    "/nix" = submount "/@/nix" false;
+    "/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
+    "/persist/.snapshots" = submount "/snap/persist" false;
+    "/var/log/journal" = bind "/persist/journal";
+  };
+}
diff --git a/hosts/dandelion/kernel.nix b/hosts/dandelion/kernel.nix
new file mode 100644
index 0000000..7ea7d43
--- /dev/null
+++ b/hosts/dandelion/kernel.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+    initrd.kernelModules = [ "nvme" ];
+  };
+}
diff --git a/hosts/dandelion/networking.nix b/hosts/dandelion/networking.nix
new file mode 100644
index 0000000..322719e
--- /dev/null
+++ b/hosts/dandelion/networking.nix
@@ -0,0 +1,4 @@
+{ ... }: {
+  networking.useDHCP = true;
+  networking.interfaces.enp2s0.useDHCP = false;
+}
diff --git a/hosts/dandelion/nginx.nix b/hosts/dandelion/nginx.nix
new file mode 100644
index 0000000..c29de38
--- /dev/null
+++ b/hosts/dandelion/nginx.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+  services.nginx.virtualHosts."muse.lava.moe" = {
+    useACMEHost = "lava.moe";
+    forceSSL = true;
+    locations."/".return = "404";
+    locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
+  };
+}
diff --git a/hosts/dandelion/packages.nix b/hosts/dandelion/packages.nix
new file mode 100644
index 0000000..2d4bd30
--- /dev/null
+++ b/hosts/dandelion/packages.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    jq
+    neovim
+    rsync
+    sshfs
+    wget
+
+    kitty.terminfo
+  ];
+  environment.variables.EDITOR = "nvim";
+}
diff --git a/hosts/hyacinth/default.nix b/hosts/hyacinth/default.nix
index ff21b6b..a32d4bd 100644
--- a/hosts/hyacinth/default.nix
+++ b/hosts/hyacinth/default.nix
@@ -3,11 +3,10 @@
   system.stateVersion = "21.11";
   time.timeZone = "Australia/Melbourne";
 
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
   nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
   age.secrets = {
     passwd.file = ../../secrets/passwd.age;
-    wg_hyacinth.file = ../../secrets/wg_blossom.age;
+    wg_hyacinth.file = ../../secrets/wg_hyacinth.age;
     wpa_conf.file = ../../secrets/wpa_conf.age;
   };
   imports = with modules.system; [
@@ -19,6 +18,7 @@
     bluetooth
     ccache
     corectrl
+    docker
     flatpak
     greetd
     gui
@@ -29,7 +29,8 @@
     printing
     security
     snapper
-    virtualisation
+    tailscale
+    wireguard
 
     modules.services.syncthing
 
@@ -42,5 +43,5 @@
   ];
   systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
 
-  services.jenkins.enable = true;
+  me.hasBluetooth = true;
 }
diff --git a/hosts/hyacinth/filesystem.nix b/hosts/hyacinth/filesystem.nix
index c85d7be..2757182 100644
--- a/hosts/hyacinth/filesystem.nix
+++ b/hosts/hyacinth/filesystem.nix
@@ -15,7 +15,7 @@ in
     "/" = {
       device = "rootfs";
       fsType = "tmpfs";
-      options = [ "defaults" "size=8G" "mode=755" ];
+      options = [ "defaults" "size=24G" "mode=755" ];
     };
     "/boot" = mkLabelMount "CUP" "vfat";
 
diff --git a/hosts/hyacinth/kernel.nix b/hosts/hyacinth/kernel.nix
index 3e2d8d1..f410014 100644
--- a/hosts/hyacinth/kernel.nix
+++ b/hosts/hyacinth/kernel.nix
@@ -13,4 +13,8 @@
     ];
     kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
   };
+  hardware.amdgpu.overdrive = {
+    enable = true;
+    ppfeaturemask = "0xffffffff";
+  };
 }
diff --git a/hosts/hyacinth/networking.nix b/hosts/hyacinth/networking.nix
index 7796639..0b2eb03 100644
--- a/hosts/hyacinth/networking.nix
+++ b/hosts/hyacinth/networking.nix
@@ -3,12 +3,13 @@
   networking = {
     useDHCP = true;
     interfaces.enp5s0.useDHCP = false;
+    interfaces.enp5s0.wakeOnLan.enable = true;
 
     interfaces.enp5s0.ipv4.addresses = [{
-      address = "192.168.0.151";
+      address = "192.168.1.201";
       prefixLength = 24;
     }];
-    defaultGateway = "192.168.0.1";
+    defaultGateway = "192.168.1.1";
     nameservers = [ "8.8.8.8" "8.8.4.4" ];
 
     extraHosts = ''
diff --git a/hosts/hyacinth/packages.nix b/hosts/hyacinth/packages.nix
index a1288ca..69f9ba1 100644
--- a/hosts/hyacinth/packages.nix
+++ b/hosts/hyacinth/packages.nix
@@ -1,6 +1,7 @@
 { pkgs, ... }: {
   environment.systemPackages = with pkgs; [
-    jetbrains.idea-community-bin
+    discord
+    jetbrains.idea
     texliveFull
   ];
 }
diff --git a/modules/binds.nix b/modules/binds.nix
new file mode 100644
index 0000000..c9ffe18
--- /dev/null
+++ b/modules/binds.nix
@@ -0,0 +1,13 @@
+{ config, lib, ...}: {
+  imports = [ ./options.nix ];
+  fileSystems = lib.mapAttrs (dest: key: let
+    target = if (lib.strings.hasPrefix "/" key)
+      then key
+      else "/persist/binds/${key}";
+  in {
+    depends = [ "/persist" ];
+    device = target;
+    fsType = "none";
+    options = [ "bind" ];
+  }) config.me.binds;
+}
diff --git a/modules/default.nix b/modules/default.nix
index fb3ab68..6775c55 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -14,8 +14,10 @@ let
     }) paths
   );
 in {
+  binds = ./binds.nix;
   options = ./options.nix;
   services = mkAttrsFromPaths [
+    ./services/banksia.nix
     ./services/jellyfin.nix
     ./services/nginx.nix
     ./services/postgres.nix
@@ -23,8 +25,10 @@ in {
     ./services/synapse.nix
     ./services/syncthing.nix
     ./services/tmptsync.nix
+    ./services/transmission.nix
     ./services/unbound.nix
     ./services/vaultwarden.nix
+    ./services/website.nix
   ];
   system = mkAttrsFromPaths [
     ./system/aagl.nix
@@ -33,6 +37,7 @@ in {
     ./system/bluetooth.nix
     ./system/ccache.nix
     ./system/corectrl.nix
+    ./system/docker.nix
     ./system/flatpak.nix
     ./system/greetd.nix
     ./system/gui.nix
@@ -45,12 +50,13 @@ in {
     ./system/printing.nix
     ./system/security.nix
     ./system/snapper.nix
-    ./system/transmission.nix
+    ./system/tailscale.nix
     ./system/virtualisation.nix
     ./system/wireguard.nix
   ];
   user = mkAttrsFromPaths [
     ./user/catppuccin.nix
+    ./user/comma.nix
     ./user/direnv.nix
     ./user/dunst.nix
     ./user/eww.nix
diff --git a/modules/options.nix b/modules/options.nix
index b522127..e861c12 100644
--- a/modules/options.nix
+++ b/modules/options.nix
@@ -44,5 +44,10 @@ in {
       type = types.bool;
       default = false;
     };
+
+    binds = lib.mkOption {
+      type = with lib.types; attrsOf str;
+      default = {};
+    };
   };
 }
diff --git a/modules/services/banksia.nix b/modules/services/banksia.nix
new file mode 100644
index 0000000..2ace618
--- /dev/null
+++ b/modules/services/banksia.nix
@@ -0,0 +1,11 @@
+# TODO ^^
+{ ... }: {
+  services.nginx.virtualHosts = {
+    "banksia.lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
+      locations."/api".proxyPass = "http://localhost:8080/";
+    };
+  };
+}
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index c58f2ee..a02b7e9 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -1,18 +1,21 @@
-{ config, inputs, ... }: {
+{ config, ... }: {
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   security.acme = {
     acceptTerms = true;
-    email = "me@lava.moe";
-    certs."lava.moe" = {
+    defaults = {
+      email = "me@lava.moe";
       group = "nginx";
-      domain = "lava.moe";
+      dnsProvider = "cloudflare";
+      environmentFile = config.age.secrets."acme_dns".path;
+    };
+    certs."lava.moe" = {
       extraDomainNames = [
         "*.lava.moe"
         "*.local.lava.moe"
       ];
-      dnsProvider = "cloudflare";
-      credentialsFile = config.age.secrets."acme_dns".path;
     };
+    certs."cilly.moe" = {};
+    certs."cilly.dev" = {};
   };
 
   services.nginx = {
@@ -21,28 +24,5 @@
     recommendedOptimisation = true;
     recommendedGzipSettings = true;
     recommendedProxySettings = true;
-
-    virtualHosts = {
-      "lava.moe" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        root = inputs.website.outPath;
-      };
-      "cdn.lava.moe" = {
-        useACMEHost = "lava.moe";
-        forceSSL = true;
-        root = "/persist/cdn";
-      };
-      "_" = {
-        default = true;
-        addSSL = true;
-        # TODO generate this somewhere
-        sslCertificate = "/persist/fakeCerts/fake.crt";
-        sslCertificateKey = "/persist/fakeCerts/fake.key";
-        extraConfig = ''
-          return 444;
-        '';
-      };
-    };
   };
 }
diff --git a/modules/services/postgres.nix b/modules/services/postgres.nix
index bffdcee..bbbeaa1 100644
--- a/modules/services/postgres.nix
+++ b/modules/services/postgres.nix
@@ -8,6 +8,7 @@ in {
   services.postgresql = {
     enable = true;
     dataDir = dir;
+    # TODO: broken :3
     package = pkgs.postgresql_13;
     authentication = lib.mkOverride 10 ''
       #type  database  DBuser  origin-address      auth-method
diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix
index 2316f9f..db32371 100644
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@@ -1,7 +1,8 @@
 { config, ... }:
 let
   dir = "/persist/shared/.syncthing";
-  uid = toString config.users.users.rin.uid;
+  user = if config.me.gui then "rin" else "hana";
+  uid = toString config.users.users."${user}".uid;
   gid = toString config.users.groups.users.gid;
 in
 {
@@ -13,9 +14,10 @@ in
   services.syncthing = {
     enable = true;
     openDefaultPorts = true;
-    user = "rin";
+    user = user;
     group = "users";
     dataDir = "/persist/shared/.syncthing/data";
     configDir = "/persist/shared/.syncthing/config";
+    guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
   };
 }
diff --git a/modules/system/transmission.nix b/modules/services/transmission.nix
similarity index 71%
rename from modules/system/transmission.nix
rename to modules/services/transmission.nix
index 202b5ae..7540d68 100644
--- a/modules/system/transmission.nix
+++ b/modules/services/transmission.nix
@@ -5,13 +5,6 @@
     downloadDirPermissions = "775";
     openFirewall = true;
     settings = {
-      alt-speed-down = 512;
-      alt-speed-enabled = true;
-      alt-speed-time-begin = 360;
-      alt-speed-time-day = 127;
-      alt-speed-time-enabled = true;
-      alt-speed-time-end = 1380;
-      alt-speed-up = 256;
       download-dir = "/persist/transmission/Downloads";
       incomplete-dir = "/persist/transmission/.incomplete";
       ratio-limit-enabled = true;
diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix
index a9cf3bc..8aae0fd 100644
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@@ -1,8 +1,17 @@
-{ inputs, ... }:
+{ inputs, pkgs, gcSecrets, ... }:
 let
   dir = "/persist/unbound";
+
+  converted = pkgs.runCommand "stevenblack-hosts-unbound" {} ''
+    echo "server:" > "$out"
+    grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out"
+  '';
 in {
-  networking.firewall.interfaces.wlan0 = {
+  networking.firewall.interfaces."ve-+" = {
+    allowedUDPPorts = [ 53 853 ];
+    allowedTCPPorts = [ 53 853 ];
+  };
+  networking.firewall.interfaces.wg0 = {
     allowedUDPPorts = [ 53 853 ];
     allowedTCPPorts = [ 53 853 ];
   };
@@ -16,17 +25,27 @@ in {
         name = ".";
         forward-tls-upstream = true;
         forward-addr = [
+          "2606:4700:4700::1111@853#cloudflare-dns.com"
+          "2606:4700:4700::1001@853#cloudflare-dns.com"
+          "2001:4860:4860::8888@853#dns.google"
+          "2001:4860:4860::8844@853#dns.google"
           "1.1.1.1@853#cloudflare-dns.com"
           "1.0.0.1@853#cloudflare-dns.com"
+          "8.8.8.8@853#dns.google"
+          "8.8.4.4@853#dns.google"
         ];
       }];
 
       server = {
-        interface = [ "0.0.0.0" ];
+        interface = [ "0.0.0.0" "::0" ];
         access-control = [
           "127.0.0.1/8      allow"
           "10.0.0.0/8       allow"
+          "100.64.0.0/10    allow"
           "192.168.100.0/24 allow"
+          "fd0d::/16        allow"
+          "fd7a:115c:a1e0::/48 allow"
+          "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
         ];
         domain-insecure = [ "\"local.lava.moe\"" ];
         local-zone = [ "\"warden.local.lava.moe.\" redirect" ];
@@ -35,7 +54,7 @@ in {
         ];
       };
 
-      include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
+      include = "${converted}";
     };
   };
 
diff --git a/modules/services/website.nix b/modules/services/website.nix
new file mode 100644
index 0000000..3fba609
--- /dev/null
+++ b/modules/services/website.nix
@@ -0,0 +1,43 @@
+{ inputs, pkgs, ... }: let
+  pastel = inputs.pastel.packages.${pkgs.system}.default;
+in {
+  services.nginx.virtualHosts = {
+    "cilly.moe" = {
+      useACMEHost = "cilly.moe";
+      forceSSL = true;
+      root = pastel.outPath;
+    };
+    "cilly.dev" = {
+      useACMEHost = "cilly.dev";
+      forceSSL = true;
+      root = pastel.outPath;
+    };
+    "lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      root = inputs.website.outPath;
+    };
+    "cdn.lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      extraConfig = ''
+        return 301 https://sh.lava.moe$request_uri;
+      '';
+    };
+    "sh.lava.moe" = {
+      useACMEHost = "lava.moe";
+      forceSSL = true;
+      root = "/persist/cdn";
+    };
+    "_" = {
+      default = true;
+      addSSL = true;
+      # TODO generate this somewhere
+      sslCertificate = "/persist/fakeCerts/fake.crt";
+      sslCertificateKey = "/persist/fakeCerts/fake.key";
+      extraConfig = ''
+        return 444;
+      '';
+    };
+  };
+}
diff --git a/modules/system/base.nix b/modules/system/base.nix
index c924309..c45eb99 100644
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
@@ -1,5 +1,5 @@
 { config, inputs, modules, ... }: {
-  imports = [ modules.options ];
+  imports = [ modules.binds modules.options ];
 
   environment.etc = {
     "machine-id".source = "/persist/machine-id";
@@ -11,6 +11,8 @@
   environment.pathsToLink = [ "/share/zsh" ];
 
   i18n.defaultLocale = "en_AU.UTF-8";
+  i18n.extraLocales = [ "en_GB.UTF-8/UTF-8" ];
+
   users.mutableUsers = false;
 
   system = {
@@ -21,6 +23,5 @@
     };
   };
   nix.registry.config.flake = inputs.self;
-  nix.registry.nixpkgs.flake = inputs.nixpkgs;
   nix.registry.shells.flake = inputs.self;
 }
diff --git a/modules/system/corectrl.nix b/modules/system/corectrl.nix
index c2ec98d..6f6ca01 100644
--- a/modules/system/corectrl.nix
+++ b/modules/system/corectrl.nix
@@ -1,9 +1,5 @@
 { ... }: {
   programs.corectrl = {
     enable = true;
-    gpuOverclock = {
-      enable = true;
-      ppfeaturemask = "0xffffffff";
-    };
   };
 }
diff --git a/modules/system/docker.nix b/modules/system/docker.nix
new file mode 100644
index 0000000..1ebd190
--- /dev/null
+++ b/modules/system/docker.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+  virtualisation.docker = {
+    enable = true;
+    storageDriver = "btrfs";
+    # rootless = {
+    #   enable = true;
+    #   setSocketVariable = true;
+    # };
+  };
+  environment.systemPackages = [
+    pkgs.docker-compose
+  ];
+}
diff --git a/modules/system/greetd.nix b/modules/system/greetd.nix
index ad4a2d6..f220847 100644
--- a/modules/system/greetd.nix
+++ b/modules/system/greetd.nix
@@ -3,7 +3,7 @@
     enable = true;
     settings = {
       default_session = {
-        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
+        command = "${pkgs.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
         user = "greeter";
       };
 
diff --git a/modules/system/gui.nix b/modules/system/gui.nix
index e9443ab..7028dac 100644
--- a/modules/system/gui.nix
+++ b/modules/system/gui.nix
@@ -15,7 +15,6 @@
       hanazono
       noto-fonts
       noto-fonts-cjk-sans
-      noto-fonts-extra
       open-sans
       twemoji-color-font
       unifont
diff --git a/modules/system/input.nix b/modules/system/input.nix
index 2ef1eab..a0bf2ff 100644
--- a/modules/system/input.nix
+++ b/modules/system/input.nix
@@ -6,7 +6,19 @@
         "-arinterval 15"
       ];
     };
-    xkb.options = "caps:escape";
   };
-  console.useXkbConfig = true;
+  services.keyd = {
+    enable = true;
+    keyboards = {
+      default = {
+        ids = [ "*" ];
+        settings = {
+          main = {
+            capslock = "esc";
+            esc = "capslock";
+          };
+        };
+      };
+    };
+  };
 }
diff --git a/modules/system/nix-stable.nix b/modules/system/nix-stable.nix
index a88612a..1884c04 100644
--- a/modules/system/nix-stable.nix
+++ b/modules/system/nix-stable.nix
@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }: {
   nix = {
+    package = pkgs.nixVersions.latest;
+
     settings = rec {
       substituters = [
         "https://cache.nixos.org?priority=10"
@@ -17,4 +19,5 @@
     '';
   };
   nixpkgs.config.allowUnfree = true;
+  programs.nh.enable = true;
 }
diff --git a/modules/system/nix.nix b/modules/system/nix.nix
index e520205..eb14f73 100644
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@@ -1,5 +1,6 @@
-{ config, lib, pkgs, ... }: {
+{ config, inputs, pkgs, ... }: {
   nix = {
+    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
     package = pkgs.nixVersions.latest;
 
     settings = rec {
@@ -23,5 +24,5 @@
     '';
   };
   nixpkgs.config.allowUnfree = true;
-  system.rebuild.enableNg = true;
+  programs.nh.enable = true;
 }
diff --git a/modules/system/packages-gui.nix b/modules/system/packages-gui.nix
index 9e6e946..d853c40 100644
--- a/modules/system/packages-gui.nix
+++ b/modules/system/packages-gui.nix
@@ -1,16 +1,15 @@
 { config, lib, pkgs, ... }: {
   config = lib.mkIf config.me.gui {
     environment.systemPackages = with pkgs; [
-     gparted
+      android-tools
+      gparted
       nautilus
     ];
-    programs.adb.enable = true;
     hardware.graphics.extraPackages = with pkgs; [
-      vaapiIntel
-      vaapiVdpau
+      intel-vaapi-driver
+      libva-vdpau-driver
       libvdpau-va-gl
     ];
-    programs.light.enable = true;
     hardware.opentabletdriver.enable = true;
     hardware.keyboard.qmk.enable = true;
     programs.steam = {
diff --git a/modules/system/packages.nix b/modules/system/packages.nix
index d13ac73..d4e2e3c 100644
--- a/modules/system/packages.nix
+++ b/modules/system/packages.nix
@@ -1,12 +1,14 @@
 { pkgs, ... }: {
   imports = [ ./packages-gui.nix ];
   environment.systemPackages = with pkgs; [
-    comma
-    ecryptfs
+    # ecryptfs
     efibootmgr
+    fd
     git
+    git-crypt
     htop
     jq
+    kitty.terminfo
     libarchive
     lf
     msr-tools
@@ -14,8 +16,9 @@
     neovim
     nfs-utils
     ntfs3g
-    sshfs
+    ripgrep
     rsync
+    sshfs
     wget
   ];
   environment.variables.EDITOR = "nvim";
diff --git a/modules/system/security.nix b/modules/system/security.nix
index 602f108..f1f087b 100644
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
   networking.firewall =
   let
     iptables = "${pkgs.iptables}/bin/iptables";
@@ -53,5 +53,33 @@
         }
       ];
     };
+    pam = lib.mkIf (config.me.environment != "headless") {
+      u2f = {
+        enable = true;
+        settings = {
+          cue = true;
+          pinverification = 1;
+        };
+      };
+      services.doas.rules.auth = {
+        u2f.settings.pinverification = lib.mkForce 0;
+        u2f_int = lib.mkMerge [
+          {
+            enable = true;
+            order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
+            control = "sufficient";
+            modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
+            inherit (config.security.pam.u2f) settings;
+          }
+          {
+            settings = lib.mkForce {
+              interactive = true;
+              pinverification = 0;
+              userpresence = 0;
+            };
+          }
+        ];
+      };
+    };
   };
 }
diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
new file mode 100644
index 0000000..5e3e044
--- /dev/null
+++ b/modules/system/tailscale.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }: {
+  age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
+  me.binds."/var/lib/tailscale" = "tailscale";
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+  networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];
+
+  services.tailscale = {
+    enable = true;
+    authKeyFile = config.age.secrets.tailscale_auth.path;
+    openFirewall = true;
+    useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
+  };
+}
diff --git a/modules/system/wireguard.nix b/modules/system/wireguard.nix
index 2684d65..71f85ad 100644
--- a/modules/system/wireguard.nix
+++ b/modules/system/wireguard.nix
@@ -1,13 +1,11 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, gcSecrets, ... }:
 let
-  port = 51820;
-  serverName = "sugarcane";
-  serverInterface = "ens3";
-  serverIp = "51.79.240.130";
+  port = 51801;
+  serverName = "dandelion";
+  serverInterface = "enp0s6";
+  serverIp = gcSecrets.wireguard.gateway;
 
   forwarding = {
-    "80" = [ "10.100.0.2" "80" ];
-    "443" = [ "10.100.0.2" "443" ];
     "22727" = [ "10.100.0.3" "7777" ];
   };
 
@@ -20,52 +18,61 @@ let
       in ''
         ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
         ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
+        ${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
       '') forwarding
     );
 
-  routeBypass = {
-    caramel = {
-      gateway = "192.168.100.1";
-      interface = "wlan0";
-      routes = [
-        serverIp
-      ];
-    };
-    hyacinth = {
-      gateway = "192.168.100.1";
-      interface = "enp5s0";
-      routes = [
-        serverIp
-      ];
-    };
-  };
-
   clients = {
-    caramel = {
-      publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
-      allowedIPs = [ "10.100.0.2/32" ];
-    };
     hyacinth = {
       publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
-      allowedIPs = [ "10.100.0.3/32" ];
+      allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3" "fd0d::3" ];
+      interfaces = {
+        wg0 = { peers = [ server6OnlyPeer ]; };
+        wg1 = { peers = [ serverPeer ]; autostart = false; };
+        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
+      };
     };
-    strawberry = {
-      publicKey = "Fkcp/VSN4Dkhly8V4hskF4lnDviA7VZHCnWf7OliFCg=";
-      allowedIPs = [ "10.100.0.4/32" ];
+    anemone = {
+      publicKey = "px5+JNdAmqBvUC++DhiJrUBRAr+BYP6iYVt4sbhPTWY=";
+      allowedIPs = [ "10.100.0.4/32" "${gcSecrets.wireguard.ipv6Subnet}:4" "fd0d::4" ];
+      interfaces = {
+        wg0 = { peers = [ server6OnlyPeer ]; };
+        wg1 = { peers = [ serverPeer ]; autostart = false; };
+        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
+      };
     };
-    maple = {
-      publicKey = "kPw8hpANygfz83Oi/l+iCVYalV2zfs7fhkccjoGG2Do=";
-      allowedIPs = [ "10.100.0.5/32" ];
+    hibiscus = {
+      publicKey = "vQ5a2KMrwi7RCRsD0yvog+n35vQYFuvwiPn+W4lbRBw=";
+      allowedIPs = [ "10.100.0.5/32" "${gcSecrets.wireguard.ipv6Subnet}:5" "fd0d::5" ];
+      interfaces = {
+        wg0 = { peers = [ server6OnlyPeer ]; };
+        wg1 = { peers = [ serverPeer ]; autostart = false; };
+        wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
+      };
+    };
+    hazel = {
+      publicKey = "0zruTndObzHo+b1rbOuTsxCU97epygZycxXS/lgUHUc=";
+      allowedIPs = [ "10.100.0.21/32" "${gcSecrets.wireguard.ipv6Subnet}:21" "fd0d::21" ];
+      interfaces = {
+        wg0 = {
+          dns = [ "::1" "127.0.0.1" ];
+          peers = [ serverLocalOnlyPeer ];
+        };
+      };
     };
   };
 
-  clientPeers = builtins.attrValues clients;
-  serverPeer = {
+  clientPeers = builtins.map (client: builtins.removeAttrs client [ "interfaces" ]) (builtins.attrValues clients);
+  serverPeerWith = ips: {
     publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0=";
-    allowedIPs = [ "0.0.0.0/0" ];
+    allowedIPs = ips;
     endpoint = "${serverIp}:${toString port}";
     persistentKeepalive = 25;
   };
+  serverPeer = serverPeerWith [ "0.0.0.0/0" "::/0" ];
+  server6OnlyPeer = serverPeerWith [ "10.100.0.0/24" "::/0" ];
+  serverLocalOnlyPeer = serverPeerWith [ "10.100.0.0/24" "fd0d::/16" ];
 
   serverConfig = {
     nat = {
@@ -79,7 +86,7 @@ let
     };
 
     wireguard.interfaces.wg0 = {
-      ips = [ "10.100.0.1/24" ];
+      ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" "fd0d::1" ];
       listenPort = port;
 
       postSetup = ''
@@ -97,33 +104,24 @@ let
   };
 
   clientConfig = {
-    wireguard.interfaces.wg0 =
+    wg-quick.interfaces =
     let
       client = clients."${config.networking.hostName}";
-      routes = routeBypass."${config.networking.hostName}";
-      mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via ${routes.gateway} dev ${routes.interface}") routes.routes;
-    in {
-      ips = client.allowedIPs;
-      listenPort = port;
-
-      postSetup = ''
-        ${mapRoutes "add"}
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
-      '';
-
-      postShutdown = ''
-        ${mapRoutes "del"}
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
-      '';
-
-      privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
-      peers = [ serverPeer ];
-    };
+    in
+      builtins.mapAttrs (interface: conf: {
+        address = client.allowedIPs;
+        dns = [ "fd0d::1" "10.100.0.1" ];
+        privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
+      } // conf) client.interfaces;
   };
 in {
+  boot.kernel.sysctl = lib.mkIf (config.networking.hostName == serverName) ({
+    "net.ipv6.conf.all.forwarding" = true;
+    "net.ipv6.conf.default.forwarding" = true;
+  });
   networking =
     lib.mkMerge [
       (lib.mkIf (config.networking.hostName == serverName) serverConfig)
-      (lib.mkIf (builtins.hasAttr config.networking.hostName clients) clientConfig)
+      (lib.mkIf (config.networking.hostName != serverName) clientConfig)
     ];
 }
diff --git a/modules/user/catppuccin.nix b/modules/user/catppuccin.nix
index 44973e6..176b42c 100644
--- a/modules/user/catppuccin.nix
+++ b/modules/user/catppuccin.nix
@@ -53,7 +53,7 @@
         echo "invalid theme, valid values: [dark, light, restore]"
         exit 1
       fi
-      current="$HOME/.local/state/nix/profiles/home-manager"
+      current="$HOME/.local/state/home-manager/gcroots/current-home/"
       cached="$HOME/.local/state/last-parent-specialisation"
       if [ -d "$current/specialisation" ]; then
         if [ -d "$cached" ]; then
diff --git a/modules/user/comma.nix b/modules/user/comma.nix
new file mode 100644
index 0000000..5ae7f03
--- /dev/null
+++ b/modules/user/comma.nix
@@ -0,0 +1,7 @@
+{ inputs, ... }: {
+  imports = [
+    inputs.nix-index-database.homeModules.default
+  ];
+  programs.nix-index.enable = true;
+  programs.nix-index-database.comma.enable = true;
+}
diff --git a/modules/user/direnv.nix b/modules/user/direnv.nix
index 3f54b94..2329800 100644
--- a/modules/user/direnv.nix
+++ b/modules/user/direnv.nix
@@ -5,7 +5,7 @@
       enable = true;
     };
   };
-  programs.git.extraConfig.core.excludesFile = ".envrc";
+  programs.git.settings.core.excludesFile = ".envrc";
   # We can't use .source since hm manages this file too
   xdg.configFile."direnv/direnvrc".text = builtins.readFile ../../res/direnvrc;
   home.activation = {
diff --git a/modules/user/eww.nix b/modules/user/eww.nix
index 9d839e0..13db70e 100644
--- a/modules/user/eww.nix
+++ b/modules/user/eww.nix
@@ -21,9 +21,9 @@ let
     '';
   };
 in {
-  home.packages = with pkgs; [ socat ];
+  home.packages = with pkgs; [ iw socat ];
   programs.eww = {
     enable = true;
-    configDir = res;
   };
+  xdg.configFile."eww".source = res;
 }
diff --git a/modules/user/git.nix b/modules/user/git.nix
index b64492e..ca2762e 100644
--- a/modules/user/git.nix
+++ b/modules/user/git.nix
@@ -1,15 +1,16 @@
 { ... }: {
   programs.git = {
     enable = true;
-    userName = "LavaDesu";
-    userEmail = "me@lava.moe";
     signing = {
       key = "059F098EBF0E9A13E10A46BF6500251E087653C9";
       signByDefault = true;
     };
-    extraConfig = {
+    settings = {
+      user.name = "Cilly Leang";
+      user.email = "mini@cilly.moe";
       core.abbrev = 11;
       safe.directory = "/home/rin/Projects/flakes";
+      init.defaultBranch = "master";
     };
   };
 }
diff --git a/modules/user/gpg.nix b/modules/user/gpg.nix
index 768c5d9..dba731f 100644
--- a/modules/user/gpg.nix
+++ b/modules/user/gpg.nix
@@ -5,6 +5,6 @@
   };
   services.gpg-agent = {
     enable = true;
-    pinentryPackage = pkgs.pinentry-gnome3;
+    pinentry.package = pkgs.pinentry-gnome3;
   };
 }
diff --git a/modules/user/hypridle.nix b/modules/user/hypridle.nix
index 68203b1..af7af86 100644
--- a/modules/user/hypridle.nix
+++ b/modules/user/hypridle.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  kblight = "light -s sysfs/leds/${config.me.kbBacklightDevice}";
+  kblight = "brightnessctl -d ${config.me.kbBacklightDevice}";
 in
 {
   home.packages = [ config.services.hypridle.package ];
@@ -16,18 +16,18 @@ in
       listener = lib.optionals (config.me.kbBacklightDevice != null) [
         {
           timeout = 120;
-          on-timeout = "${kblight} -O && ${kblight} -S 0";
-          on-resume = "${kblight} -I";
+          on-timeout = "${kblight} -s && ${kblight} 0";
+          on-resume = "${kblight} -r";
         }
       ] ++ [
         {
           timeout = 150;
-          on-timeout = "light -O && light -T 0.5";
-          on-resume = "light -I";
+          on-timeout = "brightnessctl -s && brightnessctl 50%-";
+          on-resume = "brightnessctl -r";
         }
         {
           timeout = 180;
-          on-timeout = "light -I && loginctl lock-session";
+          on-timeout = "brightnessctl -r && loginctl lock-session";
         }
         {
           timeout = 195;
diff --git a/modules/user/mpv.nix b/modules/user/mpv.nix
index 1b1899c..6ef3da4 100644
--- a/modules/user/mpv.nix
+++ b/modules/user/mpv.nix
@@ -1,8 +1,7 @@
-{ config, pkgs, ... }: {
+{ pkgs, ... }: {
   programs.mpv = {
     enable = true;
-    package = pkgs.mpv-unwrapped.wrapper {
-      mpv = pkgs.mpv-unwrapped;
+    package = pkgs.mpv.override {
       youtubeSupport = true;
       scripts = [ pkgs.mpvScripts.mpris ];
     };
diff --git a/modules/user/neovim-minimal.nix b/modules/user/neovim-minimal.nix
index e319e38..392097d 100644
--- a/modules/user/neovim-minimal.nix
+++ b/modules/user/neovim-minimal.nix
@@ -9,11 +9,12 @@
     vimAlias = true;
     vimdiffAlias = true;
     withNodeJs = false;
+    withPython3 = false;
+    withRuby = false;
 
     plugins = with pkgs.vimPlugins; [
-      ctrlp-vim
+      fzf-vim
       lualine-nvim
-      nerdtree
       tokyonight-nvim
       vim-fugitive
       vim-nix
@@ -21,14 +22,7 @@
       vim-signify
       vim-surround
 
-      nvim-cmp
-      nvim-lspconfig
-      cmp-nvim-lsp
-      cmp_luasnip
-      luasnip
-
       (nvim-treesitter.withPlugins (p: with p; [
-        tree-sitter-comment
         tree-sitter-json
         tree-sitter-lua
         tree-sitter-nix
diff --git a/modules/user/neovim.nix b/modules/user/neovim.nix
index cc01311..2b8d4c1 100644
--- a/modules/user/neovim.nix
+++ b/modules/user/neovim.nix
@@ -1,9 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, sysConfig, ... }:
 let
   luaconf = pkgs.writeText "config.lua"
     (lib.replaceStrings
-      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"]
-      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor]
+      ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"]
+      ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName]
       (builtins.readFile ../../res/config.lua));
 in {
   systemd.user.tmpfiles.rules = [
@@ -17,24 +17,35 @@ in {
     vimdiffAlias = true;
     #package = pkgs.neovim-nightly;
     withNodeJs = true;
+    withPython3 = true;
+    withRuby = false;
 
     extraPackages = with pkgs; [
+      nixd
       rust-analyzer
-      nodePackages.diagnostic-languageserver
-      nodePackages.eslint_d
-      nodePackages.typescript-language-server
-      nodePackages.vscode-langservers-extracted
-      nodePackages.yaml-language-server
+      texlab
+      astro-language-server
+      tailwindcss-language-server
+      diagnostic-languageserver
+      eslint_d
+      typescript-language-server
+      vscode-langservers-extracted
+      yaml-language-server
     ];
 
     plugins = with pkgs.vimPlugins; [
+      autoclose-nvim
+      auto-save-nvim
       flutter-tools-nvim
       fzf-vim
       fzf-lsp-nvim
       lualine-nvim
+      nvim-ts-autotag
+      nvim-web-devicons
       plenary-nvim
       tokyonight-nvim
       vim-fugitive
+      vim-latex-live-preview
       vim-nix
       vim-repeat
       vim-signify
@@ -44,6 +55,7 @@ in {
 
       nvim-cmp
       nvim-dap
+      nvim-highlight-colors
       nvim-lspconfig
       cmp-nvim-lsp
       cmp_luasnip
@@ -51,6 +63,7 @@ in {
 
       #(pkgs.me.nvim-treesitter-nightly.withPlugins (p: with p; [
       (nvim-treesitter.withPlugins (p: with p; [
+        tree-sitter-astro
         tree-sitter-bash
         tree-sitter-c
         tree-sitter-c-sharp
@@ -61,6 +74,7 @@ in {
         tree-sitter-javascript
         tree-sitter-json
         tree-sitter-kotlin
+        tree-sitter-latex
         tree-sitter-lua
         tree-sitter-markdown
         tree-sitter-nix
diff --git a/modules/user/rofi.nix b/modules/user/rofi.nix
index 19e569e..1f11d06 100644
--- a/modules/user/rofi.nix
+++ b/modules/user/rofi.nix
@@ -16,7 +16,6 @@ let
 in {
   programs.rofi = {
     enable = true;
-    package = pkgs.rofi-wayland;
     theme = "theme";
   };
   xdg.configFile."rofi/theme.rasi".source = theme;
diff --git a/modules/user/spicetify.nix b/modules/user/spicetify.nix
index 6249895..ec854c4 100644
--- a/modules/user/spicetify.nix
+++ b/modules/user/spicetify.nix
@@ -40,7 +40,6 @@ in
       shuffle
       hidePodcasts
 
-      skipStats
       songStats
       history
       volumePercentage
diff --git a/modules/user/zsh.nix b/modules/user/zsh.nix
index 54533b9..1eb736c 100644
--- a/modules/user/zsh.nix
+++ b/modules/user/zsh.nix
@@ -38,7 +38,8 @@ let
     jf = "doas journalctl -f";
 
     fl = "cd ~/Projects/flakes";
-    nr = "doas nixos-rebuild switch --flake .#${sysConfig.networking.hostName} -v -L";
+    nr = "nh os switch";
+    nb = "nh os boot";
 
     gs = "git status";
     ga = "git add";
@@ -101,10 +102,9 @@ let
     bindkey -a -r ':'
   '';
 in {
-  programs.command-not-found.enable = true;
   programs.zsh = {
     enable = true;
-    dotDir = ".config/zsh";
+    dotDir = "${config.xdg.configHome}/zsh";
 
     autocd = true;
     defaultKeymap = "viins";
diff --git a/overlays/android-studio.nix b/overlays/android-studio.nix
deleted file mode 100644
index ef9ca5e..0000000
--- a/overlays/android-studio.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-self: { bash, buildFHSEnv, cacert, ncurses5, runCommand, ... } @ super:
-let
-  drvName = super.android-studio.name;
-  fhsEnv = buildFHSEnv {
-    name = "${drvName}-fhs-env";
-    # google's analytics calls jdk's getOperatingSystemMXBean which tries to parse cgroups and ultimately fails for whatever reason with an npe
-    unshareCgroup = false;
-    multiPkgs = pkgs: [
-      ncurses5
-
-      (runCommand "fedoracert" {}
-        ''
-        mkdir -p $out/etc/pki/tls/
-        ln -s ${cacert}/etc/ssl/certs $out/etc/pki/tls/certs
-        '')
-    ];
-  };
-
-  startScript = ''
-    #!${bash}/bin/bash
-    ${fhsEnv}/bin/${drvName}-fhs-env ${super.android-studio.passthru.unwrapped}/bin/studio.sh "$@"
-  '';
-in {
-  android-studio-patched = super.android-studio.overrideAttrs(_: {
-    inherit startScript;
-  });
-}
diff --git a/overlays/default.nix b/overlays/default.nix
index 752a2c8..cbe3e7e 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -1,10 +1,11 @@
 builtins.map (path: import path) [
-  ./android-studio.nix
   ./bitwarden-desktop.nix
   ./cascadia-code.nix
   ./ccache.nix
   ./eww.nix
+  ./jetbrains.nix
   ./material-icons.nix
+  ./openldap.nix
   ./steam.nix
   ./utillinux.nix
   ./wpa-supplicant.nix
diff --git a/overlays/jetbrains.nix b/overlays/jetbrains.nix
new file mode 100644
index 0000000..dd1d1ad
--- /dev/null
+++ b/overlays/jetbrains.nix
@@ -0,0 +1,22 @@
+# https://github.com/NixOS/nixpkgs/issues/375254
+self: super: {
+  jetbrains = super.jetbrains // {
+    gateway = let
+      unwrapped = super.jetbrains.gateway;
+    in super.buildFHSEnv {
+      name = "gateway";
+      inherit (unwrapped) version;
+
+      runScript = super.writeScript "gateway-wrapper" ''
+        unset JETBRAINS_CLIENT_JDK
+        exec ${unwrapped}/bin/gateway "$@"
+      '';
+
+      meta = unwrapped.meta;
+
+      passthru = {
+        inherit unwrapped;
+      };
+    };
+  };
+}
diff --git a/overlays/linux-lava.nix b/overlays/linux-lava.nix
index 4cfa1a4..321532f 100644
--- a/overlays/linux-lava.nix
+++ b/overlays/linux-lava.nix
@@ -1,12 +1,16 @@
 self: super: let
   llvmPackages = super.llvmPackages_19;
   clangVersion = super.lib.versions.major llvmPackages.libclang.version;
+  addFlagsScript = "$out/nix-support/add-local-cc-cflags-before.sh";
   cc = llvmPackages.stdenv.cc.override {
     # :sob: see https://github.com/NixOS/nixpkgs/issues/142901
     bintools = llvmPackages.bintools;
+
+    # https://github.com/NixOS/nixpkgs/issues/368850
     extraBuildCommands = ''
+      cat <(echo "NIX_CC_WRAPPER_SUPPRESS_TARGET_WARNING=1") "${addFlagsScript}" > "${addFlagsScript}.new"
+      mv "${addFlagsScript}.new" "${addFlagsScript}"
       substituteInPlace "$out/nix-support/cc-cflags" --replace " -nostdlibinc" ""
-      substituteInPlace "$out/nix-support/add-local-cc-cflags-before.sh" --replace 'echo "Warning: supplying the --target argument to a nix-wrapped compiler may not work correctly - cc-wrapper is currently not designed with multi-target compilers in mind. You may want to use an un-wrapped compiler instead." >&2' ""
       echo " -resource-dir=${llvmPackages.libclang.lib}/lib/clang/${clangVersion}" >> $out/nix-support/cc-cflags
     '';
   };
diff --git a/overlays/openldap.nix b/overlays/openldap.nix
new file mode 100644
index 0000000..f9b2b46
--- /dev/null
+++ b/overlays/openldap.nix
@@ -0,0 +1,9 @@
+self: super: {
+  # openldap i686 fails checks
+  # issue: https://github.com/NixOS/nixpkgs/issues/514113
+  # workaround: https://github.com/NixOS/nixpkgs/issues/513245#issuecomment-4320293674
+  # fix: https://github.com/NixOS/nixpkgs/pull/515956
+  openldap = super.openldap.overrideAttrs {
+    doCheck = !self.stdenv.hostPlatform.isi686;
+  };
+}
diff --git a/packages/linux-lava/bluetooth.patch b/packages/linux-lava/bluetooth.patch
new file mode 100644
index 0000000..87e198c
--- /dev/null
+++ b/packages/linux-lava/bluetooth.patch
@@ -0,0 +1,13 @@
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index ef9689f8776..aabbc031b5f 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -759,6 +759,8 @@ static const struct usb_device_id quirks_table[] = {
+ 						     BTUSB_WIDEBAND_SPEECH },
+ 	{ USB_DEVICE(0x2b89, 0x8761), .driver_info = BTUSB_REALTEK |
+ 						     BTUSB_WIDEBAND_SPEECH },
++	{ USB_DEVICE(0x2c4e, 0x0115), .driver_info = BTUSB_REALTEK |
++ 						     BTUSB_WIDEBAND_SPEECH },
+ 
+ 	/* Additional Realtek 8821AE Bluetooth devices */
+ 	{ USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
diff --git a/packages/linux-lava/default.nix b/packages/linux-lava/default.nix
index 0287a51..aa288f5 100644
--- a/packages/linux-lava/default.nix
+++ b/packages/linux-lava/default.nix
@@ -56,6 +56,10 @@ let
       INIT_STACK_ALL_ZERO = yes;
       INIT_STACK_NONE = no;
 
+      # bore
+      SCHED_BORE = yes;
+      MIN_BASE_SLICE_NS = freeform "2000000";
+
       # tickless timers
       HZ_PERIODIC = no;
       NO_HZ = yes;
diff --git a/packages/linux-lava/sources.nix b/packages/linux-lava/sources.nix
index 903fe81..1ea7dcb 100644
--- a/packages/linux-lava/sources.nix
+++ b/packages/linux-lava/sources.nix
@@ -1,17 +1,16 @@
 { fetchFromGitHub, inputs, lib }:
 let
-  version = "6.14.7";
-  kernelHash = "0w3nqh02vl8f2wsx3fmsvw1pdsnjs5zfqcmv2w2vnqdiwy1vd552";
-  kernelPatchHash = "05a5srmb27gqyv49mxy3rmlxgiinacwbyzmig1hk313m0wl88av3";
+  version = "7.0.10";
+  kernelHash = "1w4i705i0nl1xqv7fdhdbhy7j3xrzhl31fabs6vmgiw7nf06szxv";
+  kernelPatchHash = "0h7gxqcnww7sj5cdyblzj04775zhavwdylkm2pm91v6xkjbnz1zj";
 
   mm = lib.versions.majorMinor version;
   hasPatch = (builtins.length (builtins.splitVersion version)) == 3;
   tkgPatches = [
     "0002-clear-patches"
     "0003-glitched-base"
-    "0003-glitched-eevdf-additions"
+    "0001-bore"
     "0003-glitched-cfs"
-    "0007-v${mm}-fsync_legacy_via_futex_waitv"
     "0012-misc-additions"
   ];
 
@@ -36,6 +35,7 @@ in {
 
   kernelPatches = lib.optionals hasPatch [
     kernelPatchSrc
+    (patch ./bluetooth.patch)
   ]
   ++ builtins.map (name: {
     inherit name;
diff --git a/packages/spotify-adblock/0001-cargo.patch b/packages/spotify-adblock/0001-cargo.patch
deleted file mode 100644
index 84031b5..0000000
--- a/packages/spotify-adblock/0001-cargo.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 002a25dd56233d599adda61b298d612a46267407 Mon Sep 17 00:00:00 2001
-From: LavaDesu <me@lava.moe>
-Date: Tue, 14 Sep 2021 08:34:05 +0700
-Subject: [PATCH] cargo
-
----
- Cargo.lock | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 122 insertions(+)
- create mode 100644 Cargo.lock
-
-diff --git a/Cargo.lock b/Cargo.lock
-new file mode 100644
-index 00000000000..b952e17ca90
---- /dev/null
-+++ b/Cargo.lock
-@@ -0,0 +1,122 @@
-+# This file is automatically @generated by Cargo.
-+# It is not intended for manual editing.
-+version = 3
-+
-+[[package]]
-+name = "aho-corasick"
-+version = "0.7.18"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
-+dependencies = [
-+ "memchr",
-+]
-+
-+[[package]]
-+name = "lazy_static"
-+version = "1.4.0"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
-+
-+[[package]]
-+name = "libc"
-+version = "0.2.101"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "3cb00336871be5ed2c8ed44b60ae9959dc5b9f08539422ed43f09e34ecaeba21"
-+
-+[[package]]
-+name = "memchr"
-+version = "2.4.1"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
-+
-+[[package]]
-+name = "proc-macro2"
-+version = "1.0.29"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "b9f5105d4fdaab20335ca9565e106a5d9b82b6219b5ba735731124ac6711d23d"
-+dependencies = [
-+ "unicode-xid",
-+]
-+
-+[[package]]
-+name = "quote"
-+version = "1.0.9"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "c3d0b9745dc2debf507c8422de05d7226cc1f0644216dfdfead988f9b1ab32a7"
-+dependencies = [
-+ "proc-macro2",
-+]
-+
-+[[package]]
-+name = "regex"
-+version = "1.5.4"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461"
-+dependencies = [
-+ "aho-corasick",
-+ "memchr",
-+ "regex-syntax",
-+]
-+
-+[[package]]
-+name = "regex-syntax"
-+version = "0.6.25"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
-+
-+[[package]]
-+name = "serde"
-+version = "1.0.130"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "f12d06de37cf59146fbdecab66aa99f9fe4f78722e3607577a5375d66bd0c913"
-+dependencies = [
-+ "serde_derive",
-+]
-+
-+[[package]]
-+name = "serde_derive"
-+version = "1.0.130"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "d7bc1a1ab1961464eae040d96713baa5a724a8152c1222492465b54322ec508b"
-+dependencies = [
-+ "proc-macro2",
-+ "quote",
-+ "syn",
-+]
-+
-+[[package]]
-+name = "spotify-adblock"
-+version = "1.0.0"
-+dependencies = [
-+ "lazy_static",
-+ "libc",
-+ "regex",
-+ "serde",
-+ "toml",
-+]
-+
-+[[package]]
-+name = "syn"
-+version = "1.0.76"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "c6f107db402c2c2055242dbf4d2af0e69197202e9faacbef9571bbe47f5a1b84"
-+dependencies = [
-+ "proc-macro2",
-+ "quote",
-+ "unicode-xid",
-+]
-+
-+[[package]]
-+name = "toml"
-+version = "0.5.8"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "a31142970826733df8241ef35dc040ef98c679ab14d7c3e54d827099b3acecaa"
-+dependencies = [
-+ "serde",
-+]
-+
-+[[package]]
-+name = "unicode-xid"
-+version = "0.2.2"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
--- 
-2.32.0
-
diff --git a/packages/spotify-adblock/default.nix b/packages/spotify-adblock/default.nix
index 89161f0..57992de 100644
--- a/packages/spotify-adblock/default.nix
+++ b/packages/spotify-adblock/default.nix
@@ -7,7 +7,7 @@ rustPlatform.buildRustPackage {
   version = "1.0";
   src = inputs.spotify-adblock;
 
-  cargoHash = "sha256-yxumYGAMObgl1u6GlbEQOKOn1DWxXN8bbT7BjiWT96o=";
+  cargoHash = "sha256-oGpe+kBf6kBboyx/YfbQBt1vvjtXd1n2pOH6FNcbF8M=";
 
   patches = [ ./0002-allow-setting-config-from-environment-variable.patch ];
 
diff --git a/res/config-minimal.lua b/res/config-minimal.lua
index 7aade79..c2d3f06 100644
--- a/res/config-minimal.lua
+++ b/res/config-minimal.lua
@@ -1,20 +1,24 @@
 -- Keybindings
-local map = vim.api.nvim_set_keymap
+local map = vim.keymap.set
 map('n', '<C-H>', '<C-W>h', { noremap = true })
 map('n', '<C-J>', '<C-W>j', { noremap = true })
 map('n', '<C-K>', '<C-W>k', { noremap = true })
 map('n', '<C-L>', '<C-W>l', { noremap = true })
 map('n', '<C-Q>', ':q<CR>', { noremap = true })
+map('n', '<C-P>', ':Files<CR>', { noremap = true })
 
 -- Autocommands
 vim.cmd('au BufEnter * set noro')
+vim.cmd('au CursorHold * lua vim.diagnostic.open_float(0, { scope = "line", focusable = false })')
 
 -- Settings
+vim.opt.mouse = ""
 vim.opt.relativenumber = true
 vim.opt.number = true
 vim.opt.cursorline = true
 vim.opt.signcolumn = "yes:3"
 vim.opt.title = true
+vim.opt.termguicolors = true
 vim.opt.updatetime = 0
 vim.opt.clipboard:prepend('unnamedplus')
 
@@ -43,56 +47,9 @@ vim.g.signify_sign_delete_first_line = '┏━'
 vim.g.signify_sign_change            = vim.g.signify_sign_add
 vim.g.signify_sign_change_delete     = vim.g.signify_sign_delete
 
--- Theming
-vim.g.tokyonight_style = 'night'
-vim.cmd[[
-    syntax enable
-    colorscheme tokyonight
-]]
-local colors = require("tokyonight.colors").setup {}
-vim.cmd("highlight SignifySignAdd             guifg="..colors.green)
-vim.cmd("highlight SignifySignChange          guifg="..colors.orange)
-vim.cmd("highlight SignifySignDelete          guifg="..colors.red)
-vim.cmd("highlight SignifySignDeleteFirstLine guifg="..colors.red)
-vim.cmd("highlight SignifySignChangeDelete    guifg="..colors.red)
-
 -- Plugins
-require('nvim-treesitter.configs').setup {
+require('nvim-treesitter').setup {
     highlight = { enable = true },
     indent = { enable = false }
 }
-require('lualine').setup {
-    options = {
-        theme = 'tokyonight'
-    }
-}
-
--- LSP
-local nvim_lsp = require('lspconfig')
-
-local on_attach = function(client, bufnr)
-    local function buf_set_keymap(...) vim.api.nvim_buf_set_keymap(bufnr, ...) end
-    local function buf_set_option(...) vim.api.nvim_buf_set_option(bufnr, ...) end
-
-    buf_set_option('omnifunc', 'v:lua.vim.lsp.omnifunc')
-
-    local opts = { noremap = true, silent = true }
-
-    buf_set_keymap('n', 'gD', '<cmd>lua vim.lsp.buf.declaration()<CR>', opts)
-    buf_set_keymap('n', 'gd', '<cmd>lua vim.lsp.buf.definition()<CR>', opts)
-    buf_set_keymap('n', 'K', '<cmd>lua vim.lsp.buf.hover()<CR>', opts)
-    buf_set_keymap('n', 'gi', '<cmd>lua vim.lsp.buf.implementation()<CR>', opts)
-    buf_set_keymap('n', '<C-k>', '<cmd>lua vim.lsp.buf.signature_help()<CR>', opts)
-    buf_set_keymap('n', '<space>wa', '<cmd>lua vim.lsp.buf.add_workspace_folder()<CR>', opts)
-    buf_set_keymap('n', '<space>wr', '<cmd>lua vim.lsp.buf.remove_workspace_folder()<CR>', opts)
-    buf_set_keymap('n', '<space>wl', '<cmd>lua print(vim.inspect(vim.lsp.buf.list_workspace_folders()))<CR>', opts)
-    buf_set_keymap('n', '<space>D', '<cmd>lua vim.lsp.buf.type_definition()<CR>', opts)
-    buf_set_keymap('n', '<space>rn', '<cmd>lua vim.lsp.buf.rename()<CR>', opts)
-    buf_set_keymap('n', '<space>ca', '<cmd>lua vim.lsp.buf.code_action()<CR>', opts)
-    buf_set_keymap('n', 'gr', '<cmd>lua vim.lsp.buf.references()<CR>', opts)
-    buf_set_keymap('n', '<space>e', '<cmd>lua vim.diagnostic.open_float(0, { scope = "line" })<CR>', opts)
-    buf_set_keymap('n', '[d', '<cmd>lua vim.lsp.diagnostic.goto_prev()<CR>', opts)
-    buf_set_keymap('n', ']d', '<cmd>lua vim.lsp.diagnostic.goto_next()<CR>', opts)
-    buf_set_keymap('n', '<space>q', '<cmd>lua vim.lsp.diagnostic.set_loclist()<CR>', opts)
-    buf_set_keymap('n', '<space>f', '<cmd>lua vim.lsp.buf.formatting()<CR>', opts)
-end
+require('lualine').setup { }
diff --git a/res/config.lua b/res/config.lua
index 7899bda..c0b5dad 100644
--- a/res/config.lua
+++ b/res/config.lua
@@ -1,11 +1,13 @@
 -- Keybindings
-local map = vim.api.nvim_set_keymap
-map('n', '<C-H>', '<C-W>h', { noremap = true })
-map('n', '<C-J>', '<C-W>j', { noremap = true })
-map('n', '<C-K>', '<C-W>k', { noremap = true })
-map('n', '<C-L>', '<C-W>l', { noremap = true })
-map('n', '<C-Q>', ':q<CR>', { noremap = true })
-map('n', '<C-P>', ':Files<CR>', { noremap = true })
+local map = vim.keymap.set
+map('n', '<C-H>', '<C-W>h', { remap = false })
+map('n', '<C-J>', '<C-W>j', { remap = false })
+map('n', '<C-K>', '<C-W>k', { remap = false })
+map('n', '<C-L>', '<C-W>l', { remap = false })
+map('n', '<C-Q>', ':q<CR>', { remap = false })
+map('n', '<C-P>', ':Files<CR>', { remap = false })
+map('n', '<C-/>', 'gcc', { remap = true, silent = true })
+map('v', '<C-/>', 'gc', { remap = true, silent = true })
 
 -- Autocommands
 vim.cmd('au BufEnter * set noro')
@@ -18,6 +20,7 @@ vim.opt.number = true
 vim.opt.cursorline = true
 vim.opt.signcolumn = "yes:3"
 vim.opt.title = true
+vim.opt.termguicolors = true
 vim.opt.updatetime = 0
 vim.opt.clipboard:prepend('unnamedplus')
 
@@ -48,6 +51,7 @@ vim.g.signify_sign_change_delete     = vim.g.signify_sign_delete
 
 -- VimTeX
 vim.g.vimtex_view_method = "zathura"
+vim.g.vimtex_quickfix_open_on_warning = 0
 
 -- Theming
 vim.api.nvim_command("syntax enable")
@@ -64,13 +68,39 @@ vim.cmd("highlight SignifySignChangeDelete    guifg="..colors.red)
 vim.cmd("au FileType rust highlight DiagnosticUnderlineHint ctermfg=14 gui=italic guifg="..colors.overlay2)
 
 -- Plugins
-require('nvim-treesitter.configs').setup {
+require('autoclose').setup {}
+local function autosavecond(buf)
+    if vim.tbl_contains({"astro", "tex"}, vim.fn.getbufvar(buf, "&filetype")) then
+        return true
+    end
+    return false
+end
+require('auto-save').setup {
+    trigger_events = {
+        defer_save = { "InsertLeave", "TextChanged", "TextChangedI" },
+    },
+    debounce_delay = 250,
+    condition = autosavecond,
+}
+require('nvim-ts-autotag').setup {}
+require('nvim-highlight-colors').setup {
+    render = "virtual",
+}
+require('nvim-treesitter').setup {
     highlight = { enable = true },
     indent = { enable = false }
 }
 require('lualine').setup {
     options = {
-        theme = 'tokyonight'
+        theme = 'catppuccin'
+    },
+    sections = {
+        lualine_c = {
+            {
+                "filename",
+                path = 1,
+            }
+        }
     }
 }
 
@@ -78,74 +108,72 @@ require('lualine').setup {
 -- many thanks to @kristijanhusak
 -- https://github.com/nvim-treesitter/nvim-treesitter/issues/1167#issuecomment-920824125
 function _G.javascript_indent()
-  local line = vim.fn.getline(vim.v.lnum)
-  local prev_line = vim.fn.getline(vim.v.lnum - 1)
-  if line:match('^%s*[%*/]%s*') then
-    if prev_line:match('^%s*%*%s*') then
-      return vim.fn.indent(vim.v.lnum - 1)
+    local line = vim.fn.getline(vim.v.lnum)
+    local prev_line = vim.fn.getline(vim.v.lnum - 1)
+    if line:match('^%s*[%*/]%s*') then
+        if prev_line:match('^%s*%*%s*') then
+            return vim.fn.indent(vim.v.lnum - 1)
+        end
+        if prev_line:match('^%s*/%*%*%s*$') then
+            return vim.fn.indent(vim.v.lnum - 1) + 1
+        end
     end
-    if prev_line:match('^%s*/%*%*%s*$') then
-      return vim.fn.indent(vim.v.lnum - 1) + 1
-    end
-  end
 
-  return vim.fn['GetJavascriptIndent']()
+    return vim.fn['GetJavascriptIndent']()
 end
 
 vim.cmd('au FileType javascript setlocal indentexpr=v:lua.javascript_indent()')
 
 -- LSP
-local nvim_lsp = require('lspconfig')
+vim.api.nvim_create_autocmd("LspAttach", {
+    callback = function(args)
+        local client = vim.lsp.get_client_by_id(args.data.client_id)
+        if not client then
+            return
+        end
 
-local on_attach = function(client, bufnr)
-    local function buf_set_keymap(...) vim.api.nvim_buf_set_keymap(bufnr, ...) end
-    local function buf_set_option(...) vim.api.nvim_buf_set_option(bufnr, ...) end
+        local function buf_set_keymap(...) vim.api.nvim_buf_set_keymap(args.buf, ...) end
+        local function buf_set_option(...) vim.api.nvim_buf_set_option(args.buf, ...) end
 
-    local opts = { noremap = true, silent = true }
+        local opts = { noremap = true, silent = true }
 
-    buf_set_keymap('n', 'gD', '<cmd>lua vim.lsp.buf.declaration()<CR>', opts)
-    buf_set_keymap('n', 'gd', '<cmd>lua vim.lsp.buf.definition()<CR>', opts)
-    buf_set_keymap('n', 'K', '<cmd>lua vim.lsp.buf.hover()<CR>', opts)
-    buf_set_keymap('n', 'gi', '<cmd>lua vim.lsp.buf.implementation()<CR>', opts)
-    buf_set_keymap('n', '<C-k>', '<cmd>lua vim.lsp.buf.signature_help()<CR>', opts)
-    buf_set_keymap('n', '<space>wa', '<cmd>lua vim.lsp.buf.add_workspace_folder()<CR>', opts)
-    buf_set_keymap('n', '<space>wr', '<cmd>lua vim.lsp.buf.remove_workspace_folder()<CR>', opts)
-    buf_set_keymap('n', '<space>wl', '<cmd>lua print(vim.inspect(vim.lsp.buf.list_workspace_folders()))<CR>', opts)
-    buf_set_keymap('n', '<space>D', '<cmd>lua vim.lsp.buf.type_definition()<CR>', opts)
-    buf_set_keymap('n', '<space>rn', '<cmd>lua vim.lsp.buf.rename()<CR>', opts)
-    buf_set_keymap('n', '<space>ca', '<cmd>lua vim.lsp.buf.code_action()<CR>', opts)
-    buf_set_keymap('n', 'gr', '<cmd>lua vim.lsp.buf.references()<CR>', opts)
-    buf_set_keymap('n', '<space>e', '<cmd>lua vim.diagnostic.open_float(0, { scope = "line" })<CR>', opts)
-    buf_set_keymap('n', '[d', '<cmd>lua vim.lsp.diagnostic.goto_prev()<CR>', opts)
-    buf_set_keymap('n', ']d', '<cmd>lua vim.lsp.diagnostic.goto_next()<CR>', opts)
-    buf_set_keymap('n', '<space>q', '<cmd>lua vim.lsp.diagnostic.set_loclist()<CR>', opts)
-    buf_set_keymap('n', '<space>f', '<cmd>lua vim.lsp.buf.formatting()<CR>', opts)
-end
+        buf_set_keymap('n', 'gD', '<cmd>lua vim.lsp.buf.declaration()<CR>', opts)
+        buf_set_keymap('n', 'gd', '<cmd>lua vim.lsp.buf.definition()<CR>', opts)
+        buf_set_keymap('n', 'K', '<cmd>lua vim.lsp.buf.hover()<CR>', opts)
+        buf_set_keymap('n', 'gi', '<cmd>lua vim.lsp.buf.implementation()<CR>', opts)
+        buf_set_keymap('n', '<C-k>', '<cmd>lua vim.lsp.buf.signature_help()<CR>', opts)
+        buf_set_keymap('n', '<space>wa', '<cmd>lua vim.lsp.buf.add_workspace_folder()<CR>', opts)
+        buf_set_keymap('n', '<space>wr', '<cmd>lua vim.lsp.buf.remove_workspace_folder()<CR>', opts)
+        buf_set_keymap('n', '<space>wl', '<cmd>lua print(vim.inspect(vim.lsp.buf.list_workspace_folders()))<CR>', opts)
+        buf_set_keymap('n', '<space>D', '<cmd>lua vim.lsp.buf.type_definition()<CR>', opts)
+        buf_set_keymap('n', '<space>rn', '<cmd>lua vim.lsp.buf.rename()<CR>', opts)
+        buf_set_keymap('n', '<space>ca', '<cmd>lua vim.lsp.buf.code_action()<CR>', opts)
+        buf_set_keymap('n', 'gr', '<cmd>lua vim.lsp.buf.references()<CR>', opts)
+        buf_set_keymap('n', '<space>e', '<cmd>lua vim.diagnostic.open_float(0, { scope = "line" })<CR>', opts)
+        buf_set_keymap('n', '[d', '<cmd>lua vim.lsp.diagnostic.goto_prev()<CR>', opts)
+        buf_set_keymap('n', ']d', '<cmd>lua vim.lsp.diagnostic.goto_next()<CR>', opts)
+        buf_set_keymap('n', '<space>q', '<cmd>lua vim.lsp.diagnostic.set_loclist()<CR>', opts)
+        buf_set_keymap('n', '<space>f', '<cmd>lua vim.lsp.buf.formatting()<CR>', opts)
+    end
+})
 
-vim.lsp.handlers["textDocument/publishDiagnostics"] = vim.lsp.with(
-    vim.lsp.diagnostic.on_publish_diagnostics, {
-        focusable = false,
-        virtual_text = false,
-        underline = true,
-        signs = true,
-        update_in_insert = true
-    }
-)
-vim.lsp.handlers["textDocument/signatureHelp"] = vim.lsp.with(
-    vim.lsp.handlers.signature_help, { focusable = false }
-)
+vim.diagnostic.config({
+    focusable = false,
+    virtual_text = false,
+    underline = true,
+    signs = true,
+    update_in_insert = true
+})
 
-local capabilities = vim.lsp.protocol.make_client_capabilities()
-capabilities.textDocument.completion.completionItem.snippetSupport = true
 capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)
 
-local servers = { 'cssls', 'html', 'nil_ls', 'ts_ls', 'yamlls' }
+local servers = { 'astro', 'clangd', 'cssls', 'html', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' }
 for _, lsp in ipairs(servers) do
-    nvim_lsp[lsp].setup {
+    vim.lsp.config(lsp, {
         capabilities = capabilities,
-        on_attach = on_attach,
         flags = { debounce_text_changes = 150 }
-    }
+    })
+    vim.lsp.enable(lsp)
 end
 
 -- nvim-cmp
@@ -195,15 +223,16 @@ cmp.setup {
 
 -- LSP/Omnisharp
 local pid = vim.fn.getpid()
-nvim_lsp.omnisharp.setup {
+vim.lsp.config("omnisharp", {
     capabilities = capabilities,
     on_attach = on_attach,
     flags = { debounce_text_changes = 150 },
     cmd = { "{{OMNISHARP_PATH}}", "--languageserver", "--hostPID", tostring(pid) }
-}
+})
+vim.lsp.enable("omnisharp")
 
 -- LSP/rust_analyzer
-nvim_lsp.rust_analyzer.setup {
+vim.lsp.config("rust_analyzer", {
     capabilities = capabilities,
     on_attach = on_attach,
     flags = { debounce_text_changes = 150 },
@@ -220,11 +249,11 @@ nvim_lsp.rust_analyzer.setup {
             }
         }
     }
-}
-
+})
+vim.lsp.enable("rust_analyzer")
 
 -- LSP/Diagnostics
-nvim_lsp.diagnosticls.setup {
+vim.lsp.config("diagnosticls", {
     capabilities = capabilities,
     on_attach = on_attach,
     flags = { debounce_text_changes = 150 },
@@ -260,7 +289,34 @@ nvim_lsp.diagnosticls.setup {
             vue = 'eslint'
         }
     }
-}
+})
+vim.lsp.enable("diagnosticls")
+
+-- LSP/nixd
+vim.lsp.config("nixd", {
+  cmd = { "nixd" },
+  filetypes = { "nix" },
+  root_markers = { "flake.nix", ".git" },
+  settings = {
+    nixd = {
+      nixpkgs = {
+        expr = "import <nixpkgs> { }",
+      },
+      formatting = {
+        command = { "nixfmt" },
+      },
+      options = {
+        nixos = {
+          expr = '(builtins.getFlake (toString ./.)).nixosConfigurations.{{HOSTNAME}}.options',
+        },
+        home_manager = {
+          expr = '(builtins.getFlake (builtins.toString ./.)).nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}".options.home-manager.users.type.getSubOptions []',
+        },
+      },
+    },
+  },
+})
+vim.lsp.enable("nixd")
 
 -- LSP/Signatures
 require("lsp_signature").setup {
diff --git a/res/eww/eww.yuck b/res/eww/eww.yuck
index c153154..d72a2cc 100644
--- a/res/eww/eww.yuck
+++ b/res/eww/eww.yuck
@@ -1,4 +1,5 @@
 (defwindow mainbar :monitor 0
+
                    :geometry (geometry :x "0%"
                                        :y "0%"
                                        :width "100%"
@@ -39,12 +40,15 @@
   `cat /sys/class/power_supply/_BAT_PATH_/capacity`)
 (defpoll pbat_status :interval "1s" :run-while bat-enabled
   `cat /sys/class/power_supply/_BAT_PATH_/status`)
-(defpoll network_strength :interval "1s" :run-while wifi-enabled
-  `nmcli -f IN-USE,SIGNAL device wifi | grep '*' | tr -d -c 0-9`)
+(defpoll wifi_ssid :interval "1s" :run-while wifi-enabled
+  `iwctl station wlan0 show | grep "Connected network" | awk '{print $3}'`)
+(defpoll wifi_strength :interval "1s" :run-while wifi-enabled
+  `iw dev wlan0 link | awk '/signal/ {gsub("-",""); print $2}'`)
 (defpoll bluetooth_device :interval "1s" :run-while bt-enabled
   `bluetoothctl devices Connected | grep Device | cut -d" " -f3-`)
+(defpoll bluetooth_device_count :interval "1s" :run-while bt-enabled
+  `bluetoothctl devices Connected | wc -l`)
 
-(deflisten lnetwork :initial "" :run-while wifi-enabled "./scripts/network.sh")
 (deflisten ltitle :initial "" "./scripts/title.sh")
 (deflisten lworkspaces :initial "[]" "./scripts/workspaces.sh")
 (deflisten lcurrent_workspace :initial "1" "./scripts/active-workspace.sh")
@@ -99,28 +103,28 @@
       (revealer :transition "slideleft"
                 :reveal {bluetooth-extended && bluetooth_device != ""}
                 :duration 150
-        (label :text bluetooth_device
+        (label :text { bluetooth_device_count == "1" ? bluetooth_device : (bluetooth_device_count + " devices") }
                :class "base")))))
 
 (defwidget network []
   (button :onclick `eww update network-extended=${network-extended ? "false" : "true"}`
     (box :orientation "horizontal"
-         :class {"widget pill" + ((network-extended && lnetwork != "Disconnected") ? " extended" : "")}
-         :spacing {(network-extended && lnetwork != "Disconnected") ? 5 : 0}
+         :class {"widget pill" + ((network-extended && wifi_ssid != "") ? " extended" : "")}
+         :spacing {(network-extended && wifi_ssid != "") ? 5 : 0}
          :space-evenly false
       (label :text {
-          (lnetwork == "Disconnected") ? ""
-        : (network_strength == "") ? ""
-        : (network_strength < 20) ? ""
-        : (network_strength < 30) ? ""
-        : (network_strength < 55) ? ""
-        : (network_strength < 80) ? ""
+          (wifi_ssid == "") ? ""
+        : (wifi_strength == "") ? ""
+        : (wifi_strength < 75) ? ""
+        : (wifi_strength < 65) ? ""
+        : (wifi_strength < 60) ? ""
+        : (wifi_strength < 50) ? ""
         : ""}
              :class "base pill-icon")
       (revealer :transition "slideleft"
-                :reveal {network-extended && lnetwork != "Disconnected"}
+                :reveal {network-extended && wifi_ssid != ""}
                 :duration 150
-        (label :text lnetwork
+        (label :text wifi_ssid
                :class "base")))))
 
 (defwidget battery []
diff --git a/res/eww/scripts/network.sh b/res/eww/scripts/network.sh
deleted file mode 100755
index 7d0c2c8..0000000
--- a/res/eww/scripts/network.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-init=$(nmcli -t -f name,device connection show --active | grep wlp1s0 | cut -d\: -f1)
-
-if [[ -z $init ]]; then
-    echo Disconnected
-else
-    echo $init
-fi
-
-nmcli monitor | while read -r line ; do
-    if [[ $line == *"is now the primary connection" ]]; then
-        conn=$(echo $line | cut -d\' -f2)
-        echo $conn
-    fi
-    if [[ $line == "There's no primary connection" ]]; then
-        echo Disconnected
-    fi
-done
diff --git a/secrets.gcrypt/secrett b/secrets.gcrypt/secrett
deleted file mode 100644
index 1dddde4..0000000
Binary files a/secrets.gcrypt/secrett and /dev/null differ
diff --git a/secrets.gcrypt/shared.json b/secrets.gcrypt/shared.json
new file mode 100644
index 0000000..21378e7
Binary files /dev/null and b/secrets.gcrypt/shared.json differ
diff --git a/secrets.nix b/secrets.nix
index 7a1ea24..b1f55e5 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,18 +1,25 @@
 let
+  alyssum = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAp00i2DTwMk9i2WBEwpNTDA51TQJEqzpyCka6znmRzR";
   anemone = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEPFifSAybe97xDP/cq6AAjy7Fm0go0dtQ9ICK6JRUgc";
   blossom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wfPCcpkNR3ubr7cBV0UwVCDo/sMmV0aI/JOJTIxQj";
-  caramel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPFJT1XYyjDZFHYT/8RdxAReKkeU8QfpLrmMjEeW/80";
-  sugarcane = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImymDDLSOdLcsox8wxS9Z84fsbsz6Mi58OU0od2p/ZQ";
   dandelion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFUk99ku7+eiIO7Q9sIPlPx3GiUljLv7W404W/zwrtzI";
+  hazel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6mi50ecrrMIn5C4QUyCjPHfSElz0mhevvFCznUzIrK";
 
   rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
 in {
-  "secrets/passwd.age".publicKeys = [ anemone blossom caramel sugarcane rin ];
-  "secrets/wpa_conf.age".publicKeys = [ blossom caramel rin ];
+  "secrets/passwd.age".publicKeys = [ alyssum anemone blossom rin ];
+  "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ];
+  "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ];
+  "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
 
-  "secrets/acme_dns.age".publicKeys = [ dandelion rin ];
-  "secrets/warden_admin.age".publicKeys = [ caramel rin ];
-  "secrets/wg_blossom.age".publicKeys = [ blossom rin ];
-  "secrets/wg_caramel.age".publicKeys = [ caramel rin ];
-  "secrets/wg_sugarcane.age".publicKeys = [ sugarcane rin ];
+  "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
+  "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ];
+  "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
+  "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ];
+  "secrets/warden_admin.age".publicKeys = [ rin ];
+  "secrets/wg_anemone.age".publicKeys = [ anemone rin ];
+  "secrets/wg_dandelion.age".publicKeys = [ dandelion rin ];
+  "secrets/wg_hazel.age".publicKeys = [ hazel rin ];
+  "secrets/wg_hyacinth.age".publicKeys = [ blossom rin ];
+  "secrets/wg_caramel.age".publicKeys = [ rin ];
 }
diff --git a/secrets/acme_dns.age b/secrets/acme_dns.age
index 96eb63c..c440de6 100644
--- a/secrets/acme_dns.age
+++ b/secrets/acme_dns.age
@@ -1,7 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 bRFqeQ KWUiFdB5Lpd1BYGdmO/IcX0Cj9SUowY5sfwWH/FVyAU
-hJKgLSMy/yLfoRtIDVmK71cDoHALXp2rgmJuagpqJ1I
--> ssh-ed25519 U9FXlg bgY7WWmCyMWJzLSAnyZwCN5Lm29WVUILVkOUDFKgryo
-AZzW/A/rQEmSiy89ixBZHH9TbuLKlyAlWKLNDZj69+k
---- EoGAYXy1ggHHKrcZqHz4ugM2Biil4BCpFzVjEClsoKY
-�I�z淣�Z��A�v�Xwh|ݧOX���d�uҠ(�nk��	��,��� ����>���5t�u�(�ܸwlp�����[\�/�s�r�p�kۧF���R
\ No newline at end of file
+-> ssh-ed25519 kOMSPw vqjZO82kILUQaoD9EwOgnmXKD9IyscgtzP65BVKkGhs
+07f0vL5fSq+EVdJ4n3L/q0tGsh0SVLCueTzbrMQC2ok
+-> ssh-ed25519 bRFqeQ qZAsyhdIY/fg7weEBYfB/WwFBrr/fDRrjt0J/m+57W4
+FOWjbk7efoVdL9WxjWvaZ/0mJrQ4yj0fN/Fa3zztz84
+-> ssh-ed25519 ZAcXHw UHpAQ4nKoGGaZWXVj4UM6uBanOgDpBvG6XdoBvhz6y8
+xF1orqajQxp2QzU/e1sq8lMxz4AQ2Vr5a3wEU55QqyE
+-> ssh-ed25519 U9FXlg n/LPuRDZ7N0VbZYLNr86hH/yRuqd2zFC7Nnpooz8d0o
+aZig/wjd5vitGaJwQ89w2M7fj8fAiqTpdDOmLae74sM
+--- mXuALIh6k4n0cErsTFnwKemo/r2jFG7mGSTz2M8zXF8
+Zr2��.	��~M��P��XŹ1�)p�9R�9�ScLzhQ���O��0��H7���L�j�5�
�����\��l9�7���ܫn���>��
diff --git a/secrets/navidrome_env.age b/secrets/navidrome_env.age
new file mode 100644
index 0000000..7df364f
--- /dev/null
+++ b/secrets/navidrome_env.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw s/uDjoILzZ4meH5Thqdly/pPe2bTO7sKHPIsn7B/Ays
+Pg3ePdLimArZbzBJJkole/d6UjUafNayktjKqt9gqv4
+-> ssh-ed25519 bRFqeQ /yrku11wKk2gf24aPjSBZ1KBZXLOlSTOgvW13gjzC3M
+xTCWHdq5Vr02v9xDoEZqCcGLIdjZT9s29Gldoz27ow0
+-> ssh-ed25519 U9FXlg HhSqF8DRz/vW42Sf34fqGMIgj9Zpc5MeYNhqqsz7fBk
+4IzAURq50rY160/qAzo49cmhV7/skh7PGM8h9qI9WGE
+--- aSO1slFKfkECL6Gro84fMiDZ0QLLNbOrfiNegNK7ksc
+i'r��Ќ��l"�j^S�"_�UP��C��xs�1����M��w�ʍ�;#{a��}+��=��eԑ$�#s�z�Ki����J��D�?�>F��8k�Z(���;���)�[��b+�o�@�#2�L,����חL�<\��U���#����>13�p\��IQ)޽��@��p�,C��5�v8M%�NA	r7�ɀ�n��t
�'Ѕֲ��5+�bj��)�Ra�C�
\ No newline at end of file
diff --git a/secrets/passwd.age b/secrets/passwd.age
index 7d2a224..05ad906 100644
Binary files a/secrets/passwd.age and b/secrets/passwd.age differ
diff --git a/secrets/passwd_smbcilly.age b/secrets/passwd_smbcilly.age
new file mode 100644
index 0000000..41ad172
--- /dev/null
+++ b/secrets/passwd_smbcilly.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw CQaXT9/nw3NGD2/H/ctSQGXIoacgjfKQ24wkpEieLSQ
+i4xEXgWGQ7xgQyaDQQIeDuiCLjA6Le23qSnv8C1cbcI
+-> ssh-ed25519 U9FXlg GL4dCSCku/FA6ipb9XI1AxO4lhm2r/1lRAeqaGrB32o
++pPgqwnoPi3wJLobTimVMj0rng+XRapRG6jTYFXSsDM
+--- eVgn3ON19pqq+L832bqlbkHUQXdaTI+LfSL4bYfEdew
+�*�l\�W�!J7E/����"f@%\���[��j8fӶ��
\ No newline at end of file
diff --git a/secrets/passwd_smbkujira.age b/secrets/passwd_smbkujira.age
new file mode 100644
index 0000000..71b6bb8
--- /dev/null
+++ b/secrets/passwd_smbkujira.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw Kn+LPMoyOrVwI/nrGgnxgVA3D+tVY9Tccg/Yx/jL+E8
+IfWiSBh7KgNvgcHlcDzfdcB9nxm1zy12Ae7AGm39fdE
+-> ssh-ed25519 U9FXlg 6eIIGEIYDo02FBsgBnwbuOeR8t4xB6jSmLfIL73UCDg
+QOc0ddunQQcVEVD20DKKpn3wZWUSveFJSUTBnv+xnNk
+--- MjN2i0FNzbUpBGUDNgWGXrRsYl2gtsQX+JlzZV/fYdw
+T� <�R#d�Ć̎lLk�N���8�c�_N�)��T
\ No newline at end of file
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age
new file mode 100644
index 0000000..eded5d0
--- /dev/null
+++ b/secrets/slskd_env.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 ohyStA 3Do7MsCBX9ZgP6pIekvkRisFgF74jq2cKxrjUi2NlhM
+EdfLIUk40isfNBY4CKA0JjHc2RaCM/LJmvQJuue+aYs
+-> ssh-ed25519 bRFqeQ XcjdLy6CEELgdN133BkgTG0cUffU6N9nsapB3c9Swyc
++ILEkir7XMK/xLNrTs2R+pBoucIN7fVEBRZSZwBo7Fs
+-> ssh-ed25519 U9FXlg bqpdUcMN/bk7WlIruWmhj0hpFL/CliDHto/P/KaMdxk
+z6wKPbT1OAW7sDjeziwdqs6mf9Rk37xsU9pw4wYMOF4
+--- wNvTtQPOTxetOpazjBXo4fR3wPL7CVQq4R30gOj/qQw
+&P+�����S��y�=}��~1�C�����^.�?zL��H��R`akE��R��(4�R!�*l�!���A��~@VG����<��2��-K8H�Pu�2jS#WД�����l>@�a	.Mƞ���Hg[���$�Wˌ�[��"%N�,� rGN�mf�9F��k&~�OW�Z70���t�����?���eOf��A������z�,hq/�Z�&��Fy�5ɾ�BQw���/�"��J�S섘5�f}%B��PĮ�,
r�F`�Nm��n�C�Î��rJ���af� �i�?���0���pz�aV�[��y�j�X4��B>R,�tyO��IW!�(��n#�ܒj>�����58�9���d��0�����mi���%�t�C�R˄^I�r�M�")֙�S�&.)l�z�Өq����:�r���brE@�JǺsM����d��?�Sk
\ No newline at end of file
diff --git a/secrets/tailscale_auth.age b/secrets/tailscale_auth.age
new file mode 100644
index 0000000..be7af43
--- /dev/null
+++ b/secrets/tailscale_auth.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw judP6VmZDGErkHfUpCp3xTgJtWVmGv3/tZw3WGyhfhM
+10jxPIR6Qaf/iWLzbWOrFq9XBsm8OC3mcMrxEt+BYQ8
+-> ssh-ed25519 ohyStA Xc6TjSJYtJkK1VEauNJKn+RcTdwdkyJ0Sr+tbAJ8rGc
+vzQt4zMdktY5tNvfu9HsKBgJb52uM7x8bhF+WXwpWZ8
+-> ssh-ed25519 CUCjXQ r8WxaXpWtaBdMJ2ubaAwJ4ipSz/UtnMs0x3+eI8p0VU
+CdicUH7AE4E4XVHDAeYzQdsYMYA0sCLlt2P4eR24vvs
+-> ssh-ed25519 bRFqeQ E9sknPioO9leKqs8bFJDLrAMuRAJf0ZRyGMvy7O5wVA
+KX93oSqGHimM/PaeaoHq1aYVXGG1YsVMO2ihZaM8xVE
+-> ssh-ed25519 U9FXlg u7yG7cLylPUgu/Is4xx0BXVhX31vUtgStV5CYa8Cowg
+xAuGYZpMPVQpZYASXrMuqNE9wqqEG3kMLUNjLzPmL4g
+--- EoeqIMnX5tR3J51Cz2QEyjsgD/7h468bqjRmt3mOEjY
+��xHQ���)����k�)ĉB�~ە�֖Zv?����%lQx
OwZIs�ۄ�f4�D���ǔ�*�Otݳ�0.m[q�_[�����v���
\ No newline at end of file
diff --git a/secrets/warden_admin.age b/secrets/warden_admin.age
index ef48c4d..1c56924 100644
Binary files a/secrets/warden_admin.age and b/secrets/warden_admin.age differ
diff --git a/secrets/wg_anemone.age b/secrets/wg_anemone.age
new file mode 100644
index 0000000..3ed5b37
Binary files /dev/null and b/secrets/wg_anemone.age differ
diff --git a/secrets/wg_blossom.age b/secrets/wg_blossom.age
deleted file mode 100644
index f7f550e..0000000
--- a/secrets/wg_blossom.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 CUCjXQ iM2w01v4y0Q3DVbpGtt6f3HiHMRw7Xr08JgTB6fe8x4
-WiBMVRZr1edBVfLAPAFT4GSEGoyn9jWzO92yysNM9Mo
--> ssh-ed25519 U9FXlg Bvlaqu4nEbjfBGgBFKDmD1cBbxH2+dyz1BHzegz1AS4
-+sf3rC0J2Ik1SNtpr52GxV6G6tzGLiwlvjXFWE3qrSw
---- yaZjH1jeXqPGiw1lIkH9uz6QJo/nM1lBezbpVlJDNUM
-��cg��j���"�
-U��"�^�����*��A��Dvl2�c�Rq).N�Lt�ZjCB��5��l^�0)�䥆.���
\ No newline at end of file
diff --git a/secrets/wg_caramel.age b/secrets/wg_caramel.age
index 37276ac..a85d63f 100644
--- a/secrets/wg_caramel.age
+++ b/secrets/wg_caramel.age
@@ -1,7 +1,6 @@
 age-encryption.org/v1
--> ssh-ed25519 krYeuQ vlK9Aa/Fhkj1jTAcccxKnSzj0jNfEoX5ymPhlaqIVSs
-Vb7lRsCmKM0Fvfb+NyNnNCjqCAQsndLNdA1nXFkiOrA
--> ssh-ed25519 U9FXlg H9ivqARf7cdfyBd4QnlqLiPNpfk2X/eK60K5//+7l1g
-oYgaHVWJ8xc+fmMTMvrXSt1DsVfbNF0z4V+N/C1vwXY
---- jtu3xxWFDWBtme5eM52EsMmOwKDss8EctnY7FpfQcI4
-��`��s�E��+XV�H�Gɯ�IZ�H{8��Ƣݙ���ۅ�o3c=9����B:gt������l	ё����vJ�>
+-> ssh-ed25519 U9FXlg VpFnvpTVZFSkKRpEgcmuT/WDLIP1ZySFLq2lRvrjq20
+7zQoSoIs1URmAYn2AdjvDTIY8GDYROcSxFq1bcl24Og
+--- iaQQUE1/Xj1vxto3d+Llyl6XGrSff5MGPxdCHW9EI40
+����Ʀ�`t��	�\� �
+b��peH���X�3�!�$�3]X�32�t~V�.=��>�$�x�B�KJ�AL:�DD�}5
\ No newline at end of file
diff --git a/secrets/wg_dandelion.age b/secrets/wg_dandelion.age
new file mode 100644
index 0000000..0229699
--- /dev/null
+++ b/secrets/wg_dandelion.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 bRFqeQ swv/p+w9+aytIkQ/6Yk1jouA+0M3rJabuiOz2rlpyAs
+wt+wnM1EEKAyDNefr9K4+DtZvHcOzz9Y1EBRFkA5Nv4
+-> ssh-ed25519 U9FXlg xxV/8JoorO4YWPbwSG7p306Pb2+aT10u9eNR69PhZAA
+rjOOuapa/h1tMYbdOc3Y/fPPzkNcYiamSk6rS/tbhtE
+--- UKvt/4aAyYHOk5bhAP55yxPhkxTE94/xEqIqpGF3yiE
+����5;_�E�DB�<k�J~��&�TD��z`/=t��ɲ�؈����;�y�)��%�LٕJ*@��
cx<;�ko��
\ No newline at end of file
diff --git a/secrets/wg_hazel.age b/secrets/wg_hazel.age
new file mode 100644
index 0000000..fa7fbb8
--- /dev/null
+++ b/secrets/wg_hazel.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZAcXHw eEKOjQqzqL9npB+C/wUahKJg58fedM6oxPKuKlMHpRo
+obx/pnoSM0uXYR7EC/yHYVs8gM/W74zoMijdWRpnYv8
+-> ssh-ed25519 U9FXlg o8QW/BHBKLHhahpcHf5ZrYIbCzilWVZvXr1nEChAqFM
+fgmtkUzJs2Oeq85JVl0HrHwBg/gjDQfzT5J+9Wyk8Kw
+--- yXs0fQOQfJ1NyPAPSr+1nm5/hVds5dhxW4WZagtMna0
+;�ǓוZ�I=Z��[�c�Ϗ7���&.�H�Fk��JUDN������i_N��TȊ�"��l�_G�o)f��s9&
\ No newline at end of file
diff --git a/secrets/wg_hyacinth.age b/secrets/wg_hyacinth.age
new file mode 100644
index 0000000..082940f
--- /dev/null
+++ b/secrets/wg_hyacinth.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 CUCjXQ ptHKlNvz+AmnB/Wt9XBBNyfOGeoPG5TbyrXv5993PDQ
+P0C17K+Kz8ocn0vzLf02aaYnxvRM/yjfRLMsBaJhsok
+-> ssh-ed25519 U9FXlg /M8ryJjXAdlWhvNHbQgKUxe/UtL7HqEs9RqNDQBW3SM
+p2d9OnOkU2Hx7+Kn+Z66qElFvczd3F4zVm5KXbOzYWY
+--- PVd8mrRk/t6qv/U32/AZk9YssRU1yn3CLPeyaEPBXi0
+��:�Dx[cyyۙc4�ɥ�/އ^�.��=�†�ȯo�G�VQdXf���^�@TRe���g���n����9UT�	
\ No newline at end of file
diff --git a/secrets/wg_sugarcane.age b/secrets/wg_sugarcane.age
deleted file mode 100644
index ef79954..0000000
--- a/secrets/wg_sugarcane.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 Hx37cw 6W7QYggFHAuAPxCBoTWdwSRxmJhtGHDgg3C2UJ73qgM
-Af4Gpj2kQsNWrMt4ZQ1ItmKsuSq7McE9Ckc9mAkotms
--> ssh-ed25519 U9FXlg +snitv62lCxu4sMz/iS8mz8I+5KUwtLO0jyAY1epr0s
-ePqUSmK3P3PVLo+IdWK3Gq+7b2kMkbJmpsyXqcWFAf8
---- oA8Y59o/iow4m2TjmFx5BvClendD1fpi2sRNtxnXz3Y
-�����(G��dm6��i����>�>�(~���B{b�3H��G�7֟[��qB:٬'���I��9���2Ѕ�J��d�}�
\ No newline at end of file
diff --git a/secrets/wpa_conf.age b/secrets/wpa_conf.age
index 17e93a9..555b594 100644
Binary files a/secrets/wpa_conf.age and b/secrets/wpa_conf.age differ
diff --git a/users/hana/default.nix b/users/hana/default.nix
index 25cfc8b..69558ea 100644
--- a/users/hana/default.nix
+++ b/users/hana/default.nix
@@ -1,4 +1,5 @@
 { config, lib, modules, pkgs, ... }: {
+  programs.nh.flake = "/persist/hana/flakes";
   programs.zsh.enable = true;
   users.users.hana = {
     isNormalUser = true;
@@ -7,8 +8,9 @@
     uid = 1002;
     hashedPassword = "$y$j9T$3xCNDudmfrIu5VfQQoDkj/$ugzJWq0gORN9jnhDsREu31CkL3zwniQu6KoLbmg6Wr/";
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15 rin@blossom"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5l9t8dc6mPsKKYqZlPKvhOdyqz+DS5UOcvHuh3uVGt @strawberry"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15 rin@anemone"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhP8yi/CdACtql3I4j0xI+r0KV4AVCb265Bd/RTFBu4 hana@dandelion"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5l9t8dc6mPsKKYqZlPKvhOdyqz+DS5UOcvHuh3uVGt cilly@hibiscus"
     ];
   };
 
@@ -16,10 +18,11 @@
     home = {
       username = "hana";
       homeDirectory = "/home/hana";
-      stateVersion = "23.11";
+      stateVersion = "24.11";
     };
 
     imports = with modules.user; [
+      comma
       direnv
       git
       neovim-minimal
diff --git a/users/rin/default.nix b/users/rin/default.nix
index 3737b18..a70d716 100644
--- a/users/rin/default.nix
+++ b/users/rin/default.nix
@@ -1,8 +1,9 @@
 { config, modules, pkgs, ... }: {
+  programs.nh.flake = "/home/rin/Projects/flakes";
   programs.zsh.enable = true;
   users.users.rin = {
     isNormalUser = true;
-    extraGroups = [ "adbusers" "audio" "corectrl" "dialout" "libvirtd" "networkmanager" "video" "wheel" "wireshark" ];
+    extraGroups = [ "adbusers" "audio" "corectrl" "dialout" "docker" "libvirtd" "networkmanager" "video" "wheel" "wireshark" ];
     shell = pkgs.zsh;
     uid = 1001;
     hashedPasswordFile = config.age.secrets.passwd.path;
@@ -20,6 +21,7 @@
       sessionVariables
 
       catppuccin
+      comma
       direnv
       git
       gpg
diff --git a/users/rin/packages.nix b/users/rin/packages.nix
index b679b35..3fe0129 100644
--- a/users/rin/packages.nix
+++ b/users/rin/packages.nix
@@ -1,10 +1,8 @@
 { config, inputs, pkgs, ... }:
 let
   dotnet-combined = (with pkgs.dotnetCorePackages; combinePackages [
-      dotnet_8.sdk
-      dotnet_9.sdk
-      aspnetcore_8_0-bin
-      aspnetcore_9_0-bin
+      dotnet_10.sdk
+      aspnetcore_10_0-bin
   ]);
 in {
   programs.firefox = {
@@ -14,55 +12,55 @@ in {
 
   home.packages = with pkgs; [
     dconf
-    fd
     ffmpeg
     gnupg
     kitty
-    nil
     nodejs_latest
     pamixer
-    qmk
-    ripgrep
+    pnpm
     unrar
-    weechat
     yt-dlp
-
-    nodePackages_latest.pnpm
+  ] ++ lib.optionals (config.me.environment == "desktop") [
+    krita
+    lutris
+    mangohud
+    inputs.nix-gaming.packages.x86_64-linux.osu-lazer-bin
+    qmk
+    tetrio-desktop
+    tor-browser
+    virt-manager
+    winetricks
   ] ++ lib.optionals config.me.gui [
     android-studio
-    ciscoPacketTracer8
+    brightnessctl
     drawio
-    element-desktop
+    evince
     eww
     feh
+    feishin
     file-roller
     gamescope
     gimp3
     grim
-    #kotatogram-desktop
-    krita
     lm_sensors
-    lutris
-    insomnia
     maim
-    mangohud
     me.psensor
-    inputs.nix-gaming.packages.x86_64-linux.osu-lazer-bin
-    inputs.nix-gaming.packages.x86_64-linux.wine-osu
     obsidian
     pavucontrol
-    prismlauncher
+    (prismlauncher.override {
+      jdks = [
+        jdk21
+        temurin-bin-25
+      ];
+    })
     qbittorrent
     rivalcfg
     screenkey
     slurp
     swaybg
-    (tetrio-desktop.override { withTetrioPlus = true; })
-    tor-browser-bundle-bin
+    texliveFull
     transmission-remote-gtk
     vesktop
-    virt-manager
-    winetricks
     zathura
     zenity