flake.lock: Update

Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/fcdea223397448d35d9b31f798479227e80183f6?narHash=sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L%2BVSybPfiIgzU8lbQ%3D' (2025-11-08)
  → 'github:ryantm/agenix/b027ee29d959fda4b60b57566d64c98a202e0feb?narHash=sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I%3D' (2026-02-04)
• Updated input 'fenix':
    'github:nix-community/fenix/b2344f384a82db1410ab09769eb8c4a820de667f?narHash=sha256-0dPzo1ElvAIZ0RwEwx5FfqAUiFj22K9QJOU9stiMCrw%3D' (2026-01-31)
  → 'github:nix-community/fenix/e4c413b9546d6c9e6426b33b4d6de1a49a375024?narHash=sha256-8XbJXrhMFhLgoBrjFIJx5XJi%2BSD%2B7/gbvaIXCuqy9Z0%3D' (2026-02-28)
• Updated input 'fenix/rust-analyzer-src':
    'github:rust-lang/rust-analyzer/eb0588812b041ebbf2645555f2a4df3bcd853c6d?narHash=sha256-ax6cH54Nc20QuxlHNC8RMt1P8quMECY4gaACFAdd5ec%3D' (2026-01-30)
  → 'github:rust-lang/rust-analyzer/8494a8b3b769c17e8594d811012cc1b0fab090c7?narHash=sha256-DkjUvrEnnhHjOcjMx6aXfYGIZ0PWmcYzvVayhRj1r4M%3D' (2026-02-27)
• Updated input 'home-manager':
    'github:nix-community/home-manager/366d78c2856de6ab3411c15c1cb4fb4c2bf5c826?narHash=sha256-tNqCP/%2B2%2BpeAXXQ2V8RwsBkenlfWMERb%2BUy6xmevyhM%3D' (2026-01-28)
  → 'github:nix-community/home-manager/9b9142b5fe214c2adabe86257c33e022372b7c96?narHash=sha256-TL3%2BckbOTILXrR0qSK3dJj2BJ0S5yz/YSsUF1oEgd9g%3D' (2026-02-28)
• Updated input 'llm-agents':
    'github:numtide/llm-agents.nix/bbd22c02ac546b7ba07147eb14194128b44ff209?narHash=sha256-hvlg7rTzAmfX2HW0GgrVGvbXoNioTK0bidbRv42QEhY%3D' (2026-02-15)
  → 'github:numtide/llm-agents.nix/45656c46d998310ea6306a0036d581bf77091213?narHash=sha256-1f5WHVW5jwO0TEBZNIK3GkgkwTqBaUFrNCf0WQ4/sM8%3D' (2026-03-01)
• Updated input 'llm-agents/blueprint':
    'github:numtide/blueprint/c7da5c70ad1c9b60b6f5d4f674fbe205d48d8f6c?narHash=sha256-zI%2B7cbMI4wMIR57jMjDSEsVb3grapTnURDxxJPYFIW0%3D' (2026-01-25)
  → 'github:numtide/blueprint/06ee7190dc2620ea98af9eb225aa9627b68b0e33?narHash=sha256-bLqwib%2BrtyBRRVBWhMuBXPCL/OThfokA%2Bj6%2BuH7jDGU%3D' (2026-02-18)
• Updated input 'llm-agents/nixpkgs':
    'github:NixOS/nixpkgs/2343bbb58f99267223bc2aac4fc9ea301a155a16?narHash=sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8%3D' (2026-02-11)
  → 'github:NixOS/nixpkgs/bcc4a9d9533c033d806a46b37dc444f9b0da49dd?narHash=sha256-K7Dg9TQ0mOcAtWTO/FX/FaprtWQ8BmEXTpLIaNRhEwU%3D' (2026-02-18)
• Updated input 'nix-index-database':
    'github:nix-community/nix-index-database/82befcf7dc77c909b0f2a09f5da910ec95c5b78f?narHash=sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws%3D' (2025-12-09)
  → 'github:nix-community/nix-index-database/8f590b832326ab9699444f3a48240595954a4b10?narHash=sha256-/phvMgr1yutyAMjKnZlxkVplzxHiz60i4rc%2BgKzpwhg%3D' (2026-02-22)
• Updated input 'nix-topology':
    'github:oddlama/nix-topology/a15cac71d3399a4c2d1a3482ae62040a3a0aa07f?narHash=sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk%3D' (2026-01-21)
  → 'github:oddlama/nix-topology/b493b9b970388d79129ce1a92a6b060c9305386f?narHash=sha256-gFyFAFYYoNsvd6heI0XtDMIa4pnykjwDljS7dQm45uE%3D' (2026-02-24)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/a351494b0e35fd7c0b7a1aae82f0afddf4907aa8?narHash=sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds%3D' (2026-01-25)
  → 'github:NixOS/nixos-hardware/41c6b421bdc301b2624486e11905c9af7b8ec68e?narHash=sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw%3D' (2026-02-24)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/fa83fd837f3098e3e678e6cf017b2b36102c7211?narHash=sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o%3D' (2026-01-28)
  → 'github:NixOS/nixpkgs/1267bb4920d0fc06ea916734c11b0bf004bbe17e?narHash=sha256-7DaQVv4R97cii/Qdfy4tmDZMB2xxtyIvNGSwXBBhSmo%3D' (2026-02-25)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2?narHash=sha256-AYqlWrX09%2BHvGs8zM6ebZ1pwUqjkfpnv8mewYwAo%2BiM%3D' (2026-02-04)
  → 'github:NixOS/nixpkgs/dd9b079222d43e1943b6ebd802f04fd959dc8e61?narHash=sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE%3D' (2026-02-27)
• Updated input 'nur':
    'github:nix-community/NUR/c74b53b75a4219cdecea1194a95e36a222981860?narHash=sha256-n3YYhO6VpGadtVOiL/eAxnm9JBC6GfXsJfj8O6V/JvU%3D' (2026-01-31)
  → 'github:nix-community/NUR/7bf299ddf8a26872aa45acc49a4424bd17237072?narHash=sha256-lqwxrCp2ZgAjlYRKbT%2BbkvXmxZSibCyB3ee96HwLV34%3D' (2026-03-01)
• Updated input 'opencrow':
    'github:pinpox/opencrow/9ec2d17e6c9d45b22b9cca3174b6b1a75758d8f6?narHash=sha256-CGAS5ISs%2Bh6GNQwaOLycfbcFRkN0legi/hdDov4Obfk%3D' (2026-02-20)
  → 'github:pinpox/opencrow/bb555b7796ec1842e0295462736ee7a956abc676?narHash=sha256-Fi0zLX0hGm2eAQJ0d0FTb2y%2BKuCcM8zjkzkEyZB4fUI%3D' (2026-02-28)
• Added input 'panoptikon':
    'git+https://code.kmein.de/kfm/panoptikon?ref=refs/heads/main&rev=30e15d8f95693ba82d2d93ef9acbc1ceb65ef430' (2026-02-21)
• Added input 'panoptikon/nixpkgs':
    'github:NixOS/nixpkgs/0182a361324364ae3f436a63005877674cf45efb?narHash=sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ%3D' (2026-02-17)
• Updated input 'stockholm':
    'github:krebs/stockholm/0122ded2137e568e771e753c0c3a17b1b20d9ca7?narHash=sha256-k558r83lvHbqDlEFEf3zCX1/WuMNgnp1bjMbwMhg5wM%3D' (2026-01-21)
  → 'github:krebs/stockholm/bab362d0f6fcde28ac41716ca15cc552d4659ec5?narHash=sha256-1srlGKTtf0a2nfH78MohqNtkcvLSuEIEVccPD4WJCZk%3D' (2026-02-23)
• Updated input 'stylix':
    'github:danth/stylix/413e927522d65ca8a37b283f4e88ada4865971dd?narHash=sha256-J2jDCqzdtUxKVstC/zwy4TaSYgUxyzInGZ1qU7W2LaE%3D' (2026-01-31)
  → 'github:danth/stylix/ebb238f14d6f930068be4718472da3105fd5d3bf?narHash=sha256-RzBpBwn93GWxLjacTte%2Bngwwg0L/BVOg4G/sSIeK3Rw%3D' (2026-02-22)
• Updated input 'treefmt-nix':
    'github:numtide/treefmt-nix/28b19c5844cc6e2257801d43f2772a4b4c050a1b?narHash=sha256-8aAYwyVzSSwIhP2glDhw/G0i5%2BwOrren3v6WmxkVonM%3D' (2026-01-29)
  → 'github:numtide/treefmt-nix/337a4fe074be1042a35086f15481d763b8ddc0e7?narHash=sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD%2BFyxk%3D' (2026-02-04)
• Updated input 'wrappers':
    'github:lassulus/wrappers/241f2f7dfcac0dbb2338105bdba7f03f412c5847?narHash=sha256-gzTvuaJZaymgxQC4rOZ9HlMRRWHVF2moEEaTnCG556A%3D' (2026-02-05)
  → 'github:lassulus/wrappers/4e12f430ae705d9bbb591ca9c51cbccbee050a23?narHash=sha256-dqkfxxpIiIs4wdWhT4lfQi1lfA0CgIftPiYGvw0tUOk%3D' (2026-02-26)

configs/aerc.nix

@@ -91,7 +91,7 @@
           imap.host = mailhost;
           imap.port = 993;
           smtp.host = mailhost;
-          smtp.port = 25;
+          smtp.port = 587;
           smtp.tls.useStartTls = true;
         };
       ical-ephemeris =

configs/bots/default.nix

@@ -69,7 +69,7 @@ in
     wantedBy = [ "multi-user.target" ];
     description = "Telegram reverse bot";
     path = [ pkgs.ffmpeg ];
-    enable = true;
+    enable = false;
     script = ''
       TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-reverse
     '';
@@ -81,7 +81,7 @@ in
   systemd.services.telegram-streaming-link = {
     wantedBy = [ "multi-user.target" ];
     description = "Telegram bot converting YouTube Music <-> Spotify";
-    enable = true;
+    enable = false;
     script = ''
       TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-streaming-link
     '';
@@ -92,7 +92,7 @@ in
   systemd.services.telegram-betacode = {
     wantedBy = [ "multi-user.target" ];
     description = "Telegram beta code bot";
-    enable = true;
+    enable = false;
     script = ''
       TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-betacode
     '';
@@ -103,7 +103,7 @@ in
   systemd.services.telegram-proverb = {
     wantedBy = [ "multi-user.target" ];
     description = "Telegram proverb bot";
-    enable = true;
+    enable = false;
     script = ''
       TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-proverb
     '';

configs/default.nix

@@ -88,7 +88,7 @@ in
         {
           sxiv = swallow "${pkgs.nsxiv}/bin/nsxiv";
           zathura = swallow "${pkgs.zathura}/bin/zathura";
-          im = "${pkgs.openssh}/bin/ssh weechat@makanek -t tmux attach-session -t IM";
+          im = "${pkgs.openssh}/bin/ssh weechat@makanek -t screen -x weechat";
           yt = "${pkgs.yt-dlp}/bin/yt-dlp --add-metadata -ic"; # Download video link
           yta = "${pkgs.yt-dlp}/bin/yt-dlp --add-metadata --audio-format mp3 --audio-quality 0 -xic"; # Download with audio
         };

configs/graphical/home-manager.nix

@@ -265,9 +265,9 @@ in
         exec-once = [
           (lib.getExe pkgs.ashell)
           "hyprctl dispatch exec \"[workspace special:${language.obsidian} silent] obsidian\""
-          "${lib.getExe' pkgs.wl-clipboard "wl-paste"} -t text --watch ${lib.getExe pkgs.clipman} store"
-          (lib.getExe pkgs.hyprsunset)
-          (lib.getExe pkgs.hyprpaper)
+          (lib.getExe pkgs.niphas-clipboard-watcher)
+          (lib.getExe pkgs.niphas-redshift)
+          (lib.getExe pkgs.niphas-set-wallpaper)
         ];
 
         device = [
@@ -341,7 +341,7 @@ in
           ",XF86AudioMicMute, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"
           ",XF86MonBrightnessUp, exec, brightnessctl -e4 -n2 set 5%+"
           ",XF86MonBrightnessDown, exec, brightnessctl -e4 -n2 set 5%-"
-          ", Print, exec, ${lib.getExe pkgs.niphas-screenshot} -m region --clipboard-only"
+          ", Print, exec, ${lib.getExe pkgs.niphas-screenshot}"
         ];
         bindl = [
           ", XF86AudioNext, exec, playerctl next"
@@ -355,7 +355,7 @@ in
           "${mod} SHIFT, R, exit,"
           "${mod}, t, exec, ${lib.getExe pkgs.niphas-file-browser}"
           "${mod}, Y, exec, ${lib.getExe pkgs.niphas-web-browser}"
-          "${mod}, Q, exec, ${lib.getExe pkgs.clipman} pick --tool=rofi"
+          "${mod}, Q, exec, ${lib.getExe pkgs.niphas-clipman}"
           "${mod}, u, exec, ${lib.getExe pkgs.unicodmenu}"
           "${mod}, p, exec, ${lib.getExe pkgs.rofi-pass-wayland}"
           "${mod} SHIFT, Z, togglefloating,"

configs/packages.nix

@@ -129,6 +129,7 @@ in
     polyglot
     qrpaste
     ttspaste
+    pi # llm agent
     new-mac # get a new mac address
     scanned
     default-gateway

flake.lock

@@ -12,11 +12,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1762618334,
-        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
+        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
         "type": "github"
       },
       "original": {
@@ -122,11 +122,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1769353768,
-        "narHash": "sha256-zI+7cbMI4wMIR57jMjDSEsVb3grapTnURDxxJPYFIW0=",
+        "lastModified": 1771437256,
+        "narHash": "sha256-bLqwib+rtyBRRVBWhMuBXPCL/OThfokA+j6+uH7jDGU=",
         "owner": "numtide",
         "repo": "blueprint",
-        "rev": "c7da5c70ad1c9b60b6f5d4f674fbe205d48d8f6c",
+        "rev": "06ee7190dc2620ea98af9eb225aa9627b68b0e33",
         "type": "github"
       },
       "original": {
@@ -189,11 +189,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1769842381,
-        "narHash": "sha256-0dPzo1ElvAIZ0RwEwx5FfqAUiFj22K9QJOU9stiMCrw=",
+        "lastModified": 1772261909,
+        "narHash": "sha256-8XbJXrhMFhLgoBrjFIJx5XJi+SD+7/gbvaIXCuqy9Z0=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "b2344f384a82db1410ab09769eb8c4a820de667f",
+        "rev": "e4c413b9546d6c9e6426b33b4d6de1a49a375024",
         "type": "github"
       },
       "original": {
@@ -384,11 +384,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769580047,
-        "narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=",
+        "lastModified": 1772302941,
+        "narHash": "sha256-TL3+ckbOTILXrR0qSK3dJj2BJ0S5yz/YSsUF1oEgd9g=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826",
+        "rev": "9b9142b5fe214c2adabe86257c33e022372b7c96",
         "type": "github"
       },
       "original": {
@@ -405,11 +405,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1771167156,
-        "narHash": "sha256-hvlg7rTzAmfX2HW0GgrVGvbXoNioTK0bidbRv42QEhY=",
+        "lastModified": 1772328903,
+        "narHash": "sha256-1f5WHVW5jwO0TEBZNIK3GkgkwTqBaUFrNCf0WQ4/sM8=",
         "owner": "numtide",
         "repo": "llm-agents.nix",
-        "rev": "bbd22c02ac546b7ba07147eb14194128b44ff209",
+        "rev": "45656c46d998310ea6306a0036d581bf77091213",
         "type": "github"
       },
       "original": {
@@ -496,11 +496,11 @@
         "wrappers": "wrappers"
       },
       "locked": {
-        "lastModified": 1770756688,
-        "narHash": "sha256-raCwOTt5xT7J1ysxdGrmBva6OVrvjf47EgVLi5B5R5o=",
+        "lastModified": 1771601908,
+        "narHash": "sha256-lqscsSHms5xk8iOOEj0J6XtrIcZp7/TXN4iiQjNeXzM=",
         "ref": "refs/heads/master",
-        "rev": "86bf2150a7cabd225149f35c0ff57576af6ded44",
-        "revCount": 38,
+        "rev": "13ee868d5d297fbcfa1370cfff67e5c7f5e3d0aa",
+        "revCount": 42,
         "type": "git",
         "url": "https://code.kmein.de/kfm/niphas"
       },
@@ -516,11 +516,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765267181,
-        "narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=",
+        "lastModified": 1771734689,
+        "narHash": "sha256-/phvMgr1yutyAMjKnZlxkVplzxHiz60i4rc+gKzpwhg=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f",
+        "rev": "8f590b832326ab9699444f3a48240595954a4b10",
         "type": "github"
       },
       "original": {
@@ -537,11 +537,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769018862,
-        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
+        "lastModified": 1771963727,
+        "narHash": "sha256-gFyFAFYYoNsvd6heI0XtDMIa4pnykjwDljS7dQm45uE=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
+        "rev": "b493b9b970388d79129ce1a92a6b060c9305386f",
         "type": "github"
       },
       "original": {
@@ -574,11 +574,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1769302137,
-        "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
+        "lastModified": 1771969195,
+        "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
+        "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e",
         "type": "github"
       },
       "original": {
@@ -589,11 +589,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1770843696,
-        "narHash": "sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8=",
+        "lastModified": 1771423170,
+        "narHash": "sha256-K7Dg9TQ0mOcAtWTO/FX/FaprtWQ8BmEXTpLIaNRhEwU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2343bbb58f99267223bc2aac4fc9ea301a155a16",
+        "rev": "bcc4a9d9533c033d806a46b37dc444f9b0da49dd",
         "type": "github"
       },
       "original": {
@@ -636,11 +636,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1770197578,
-        "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
+        "lastModified": 1772198003,
+        "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
+        "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61",
         "type": "github"
       },
       "original": {
@@ -652,11 +652,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1769598131,
-        "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
+        "lastModified": 1772047000,
+        "narHash": "sha256-7DaQVv4R97cii/Qdfy4tmDZMB2xxtyIvNGSwXBBhSmo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
+        "rev": "1267bb4920d0fc06ea916734c11b0bf004bbe17e",
         "type": "github"
       },
       "original": {
@@ -666,6 +666,22 @@
         "type": "github"
       }
     },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1771369470,
+        "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0182a361324364ae3f436a63005877674cf45efb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nur": {
       "inputs": {
         "flake-parts": "flake-parts_2",
@@ -674,11 +690,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769867112,
-        "narHash": "sha256-n3YYhO6VpGadtVOiL/eAxnm9JBC6GfXsJfj8O6V/JvU=",
+        "lastModified": 1772326810,
+        "narHash": "sha256-lqwxrCp2ZgAjlYRKbT+bkvXmxZSibCyB3ee96HwLV34=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "c74b53b75a4219cdecea1194a95e36a222981860",
+        "rev": "7bf299ddf8a26872aa45acc49a4424bd17237072",
         "type": "github"
       },
       "original": {
@@ -712,6 +728,47 @@
         "type": "github"
       }
     },
+    "opencrow": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": [
+          "treefmt-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1772243521,
+        "narHash": "sha256-Fi0zLX0hGm2eAQJ0d0FTb2y+KuCcM8zjkzkEyZB4fUI=",
+        "owner": "pinpox",
+        "repo": "opencrow",
+        "rev": "bb555b7796ec1842e0295462736ee7a956abc676",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pinpox",
+        "repo": "opencrow",
+        "type": "github"
+      }
+    },
+    "panoptikon": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1771688635,
+        "narHash": "sha256-tKmjgdeoQV5W96Chr2B5WOFXC70FvcfxhNCmBT1YZUY=",
+        "ref": "refs/heads/main",
+        "rev": "30e15d8f95693ba82d2d93ef9acbc1ceb65ef430",
+        "revCount": 4,
+        "type": "git",
+        "url": "https://code.kmein.de/kfm/panoptikon"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://code.kmein.de/kfm/panoptikon"
+      }
+    },
     "retiolum": {
       "locked": {
         "lastModified": 1756302470,
@@ -745,6 +802,8 @@
         "nixpkgs-old": "nixpkgs-old",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nur": "nur",
+        "opencrow": "opencrow",
+        "panoptikon": "panoptikon",
         "retiolum": "retiolum",
         "scripts": "scripts",
         "stockholm": "stockholm",
@@ -760,11 +819,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1769786006,
-        "narHash": "sha256-ax6cH54Nc20QuxlHNC8RMt1P8quMECY4gaACFAdd5ec=",
+        "lastModified": 1772178959,
+        "narHash": "sha256-DkjUvrEnnhHjOcjMx6aXfYGIZ0PWmcYzvVayhRj1r4M=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "eb0588812b041ebbf2645555f2a4df3bcd853c6d",
+        "rev": "8494a8b3b769c17e8594d811012cc1b0fab090c7",
         "type": "github"
       },
       "original": {
@@ -809,11 +868,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769038106,
-        "narHash": "sha256-k558r83lvHbqDlEFEf3zCX1/WuMNgnp1bjMbwMhg5wM=",
+        "lastModified": 1771846963,
+        "narHash": "sha256-1srlGKTtf0a2nfH78MohqNtkcvLSuEIEVccPD4WJCZk=",
         "owner": "krebs",
         "repo": "stockholm",
-        "rev": "0122ded2137e568e771e753c0c3a17b1b20d9ca7",
+        "rev": "bab362d0f6fcde28ac41716ca15cc552d4659ec5",
         "type": "github"
       },
       "original": {
@@ -843,11 +902,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1769829895,
-        "narHash": "sha256-J2jDCqzdtUxKVstC/zwy4TaSYgUxyzInGZ1qU7W2LaE=",
+        "lastModified": 1771788390,
+        "narHash": "sha256-RzBpBwn93GWxLjacTte+ngwwg0L/BVOg4G/sSIeK3Rw=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "413e927522d65ca8a37b283f4e88ada4865971dd",
+        "rev": "ebb238f14d6f930068be4718472da3105fd5d3bf",
         "type": "github"
       },
       "original": {
@@ -1100,11 +1159,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769691507,
-        "narHash": "sha256-8aAYwyVzSSwIhP2glDhw/G0i5+wOrren3v6WmxkVonM=",
+        "lastModified": 1770228511,
+        "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "28b19c5844cc6e2257801d43f2772a4b4c050a1b",
+        "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7",
         "type": "github"
       },
       "original": {
@@ -1177,11 +1236,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770311206,
-        "narHash": "sha256-gzTvuaJZaymgxQC4rOZ9HlMRRWHVF2moEEaTnCG556A=",
+        "lastModified": 1772137435,
+        "narHash": "sha256-dqkfxxpIiIs4wdWhT4lfQi1lfA0CgIftPiYGvw0tUOk=",
         "owner": "lassulus",
         "repo": "wrappers",
-        "rev": "241f2f7dfcac0dbb2338105bdba7f03f412c5847",
+        "rev": "4e12f430ae705d9bbb591ca9c51cbccbee050a23",
         "type": "github"
       },
       "original": {

flake.nix

@@ -12,6 +12,7 @@
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
     niphas.url = "git+https://code.kmein.de/kfm/niphas";
+    panoptikon.url = "git+https://code.kmein.de/kfm/panoptikon";
     nixos-hardware.url = "github:NixOS/nixos-hardware";
     nur.url = "github:nix-community/NUR";
     retiolum.url = "github:krebs/retiolum";
@@ -26,6 +27,7 @@
     wetter.url = "github:4z3/wetter";
     wrappers.url = "github:lassulus/wrappers";
     llm-agents.url = "github:numtide/llm-agents.nix";
+    opencrow.url = "github:pinpox/opencrow";
 
     voidrice.flake = false;
 
@@ -45,6 +47,8 @@
 
     agenix.inputs.home-manager.follows = "home-manager";
 
+    opencrow.inputs.treefmt-nix.follows = "treefmt-nix";
+
     agenix.inputs.nixpkgs.follows = "nixpkgs";
     autorenkalender.inputs.nixpkgs.follows = "nixpkgs";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
@@ -62,6 +66,7 @@
     wetter.inputs.nixpkgs.follows = "nixpkgs";
     niphas.inputs.nixpkgs.follows = "nixpkgs-unstable";
     wrappers.inputs.nixpkgs.follows = "nixpkgs";
+    opencrow.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs =
@@ -78,6 +83,7 @@
       tinc-graph,
       nix-topology,
       llm-agents,
+      opencrow,
       nixpkgs-unstable,
       nixos-hardware,
       niphas,
@@ -85,6 +91,7 @@
       autorenkalender,
       telebots,
       stockholm,
+      panoptikon,
       nix-index-database,
       stylix,
       voidrice,
@@ -188,7 +195,6 @@
       nixosModules = {
         moodle-dl = import modules/moodle-dl.nix;
         passport = import modules/passport.nix;
-        panoptikon = import modules/panoptikon.nix;
         power-action = import modules/power-action.nix;
         system-dependent = import modules/system-dependent.nix;
         telegram-bot = import modules/telegram-bot.nix;
@@ -281,6 +287,7 @@
         };
 
         # packaged from inputs
+        opencrow = opencrow.packages.${prev.stdenv.hostPlatform.system}.opencrow;
         wetter = wetter.packages.${prev.stdenv.hostPlatform.system}.wetter;
         agenix = agenix.packages.${prev.stdenv.hostPlatform.system}.default;
         pun-sort-api = scripts.packages.${prev.stdenv.hostPlatform.system}.pun-sort-api;
@@ -290,6 +297,7 @@
         menstruation-backend =
           menstruation-backend.packages.${prev.stdenv.hostPlatform.system}.menstruation-backend;
         telebots = telebots.packages.${prev.stdenv.hostPlatform.system}.telebots;
+        pi-llm = llm-agents.packages.${prev.stdenv.hostPlatform.system}.pi;
         hesychius = scripts.packages.${prev.stdenv.hostPlatform.system}.hesychius;
         autorenkalender = autorenkalender.packages.${prev.stdenv.hostPlatform.system}.default;
         onomap = scripts.packages.${prev.stdenv.hostPlatform.system}.onomap;
@@ -303,6 +311,7 @@
         radio-news = prev.callPackage packages/radio-news { };
         untilport = prev.callPackage packages/untilport.nix { };
         weechat-declarative = prev.callPackage packages/weechat-declarative.nix { };
+        pi = prev.callPackage packages/pi.nix { };
 
         # my packages
         betacode = prev.callPackage packages/betacode.nix { };
@@ -361,10 +370,6 @@
             inherit lib;
             pkgs = final;
           };
-          panoptikon = import lib/panoptikon.nix {
-            inherit lib;
-            pkgs = final;
-          };
         };
       };
 
@@ -376,6 +381,7 @@
               nixpkgs.overlays = [
                 self.overlays.default
                 niphas.overlays.default
+                panoptikon.overlays.default
                 (final: prev: {
                   niphas-git =
                     (prev.niphas-git.passthru.configuration.apply {
@@ -440,9 +446,10 @@
               ++ profiles.server
               ++ [
                 systems/ful/configuration.nix
-                self.nixosModules.panoptikon
+                panoptikon.nixosModules.default
                 self.nixosModules.go-webring
                 stockholm.nixosModules.reaktor2
+                opencrow.nixosModules.default
                 nur.modules.nixos.default
                 {
                   nixpkgs.overlays = [
@@ -618,6 +625,7 @@
             obsidian-vim
             opustags
             pdf-ocr
+            pi
             picoclaw
             pls
             polyglot

lib/panoptikon.nix

@@ -1,47 +0,0 @@
-{
-  pkgs,
-  lib,
-  ...
-}:
-{
-  # watcher scripts
-  url =
-    address:
-    pkgs.writers.writeDash "watch-url" ''
-      ${pkgs.curl}/bin/curl -sSL ${lib.escapeShellArg address} \
-        | ${pkgs.python3Packages.html2text}/bin/html2text --decode-errors=ignore
-    '';
-  urlSelector =
-    selector: address:
-    pkgs.writers.writeDash "watch-url-selector" ''
-      ${pkgs.curl}/bin/curl -sSL ${lib.escapeShellArg address} \
-        | ${pkgs.htmlq}/bin/htmlq ${lib.escapeShellArg selector} \
-        | ${pkgs.python3Packages.html2text}/bin/html2text
-    '';
-  urlJSON =
-    {
-      jqScript ? ".",
-    }:
-    address:
-    pkgs.writers.writeDash "watch-url-json" ''
-      ${pkgs.curl}/bin/curl -sSL ${lib.escapeShellArg address} | ${pkgs.jq}/bin/jq -f ${pkgs.writeText "script.jq" jqScript}
-    '';
-
-  # reporter scripts
-  kpaste-irc =
-    {
-      target,
-      retiolumLink ? false,
-      server ? "irc.r",
-      messagePrefix ? "change detected: ",
-      nick ? ''"$PANOPTIKON_WATCHER"-watcher'',
-    }:
-    pkgs.writers.writeDash "kpaste-irc-reporter" ''
-      KPASTE_CONTENT_TYPE=text/plain ${pkgs.kpaste}/bin/kpaste \
-        | ${pkgs.gnused}/bin/sed -n "${if retiolumLink then "2" else "3"}s/^/${messagePrefix}/p" \
-        | ${pkgs.nur.repos.mic92.ircsink}/bin/ircsink \
-          --nick ${nick} \
-          --server ${server} \
-          --target ${target}
-    '';
-}

modules/panoptikon.nix

@@ -1,123 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  options.services.panoptikon = {
-    enable = lib.mkEnableOption "Generic command output / website watcher";
-    watchers = lib.mkOption {
-      type = lib.types.attrsOf (
-        lib.types.submodule (watcher: {
-          options = {
-            script = lib.mkOption {
-              type = lib.types.path;
-              description = ''
-                A script whose stdout is to be watched.
-              '';
-              example = ''
-                pkgs.writers.writeDash "github-meta" '''
-                  ''${pkgs.curl}/bin/curl -sSL https://api.github.com/meta | ''${pkgs.jq}/bin/jq
-                '''
-              '';
-            };
-            frequency = lib.mkOption {
-              type = lib.types.str;
-              description = ''
-                How often to run the script. See systemd.time(7) for more information about the format.
-              '';
-              example = "*:0/3";
-              default = "daily";
-            };
-            loadCredential = lib.mkOption {
-              type = lib.types.listOf lib.types.str;
-              description = ''
-                This can be used to pass secrets to the systemd service without adding them to the nix store.
-              '';
-              default = [ ];
-            };
-            reporters = lib.mkOption {
-              type = lib.types.listOf lib.types.path;
-              description = ''
-                A list of scripts that take the diff (if any) via stdin and report it (e.g. to IRC, Telegram or Prometheus). The name of the watcher will be in the $PANOPTIKON_WATCHER environment variable.
-              '';
-              example = ''
-                [
-                  (pkgs.writers.writeDash "telegram-reporter" '''
-                    ''${pkgs.curl}/bin/curl -X POST https://api.telegram.org/bot''${TOKEN}/sendMessage \
-                      -d chat_id=123456 \
-                      -d text="$(cat)"
-                  ''')
-                  (pkgs.writers.writeDash "notify" '''
-                    ''${pkgs.libnotify}/bin/notify-send "$PANOPTIKON_WATCHER has changed."
-                  ''')
-                ]
-              '';
-            };
-          };
-          config = { };
-        })
-      );
-    };
-  };
-
-  config =
-    let
-      cfg = config.services.panoptikon;
-    in
-    lib.mkIf cfg.enable {
-      users.extraUsers.panoptikon = {
-        isSystemUser = true;
-        createHome = true;
-        home = "/var/lib/panoptikon";
-        group = "panoptikon";
-      };
-
-      users.extraGroups.panoptikon = { };
-
-      systemd.timers = lib.attrsets.mapAttrs' (
-        watcherName: _:
-        lib.nameValuePair "panoptikon-${watcherName}" {
-          timerConfig.RandomizedDelaySec = toString (60 * 60);
-        }
-      ) cfg.watchers;
-
-      systemd.services = lib.attrsets.mapAttrs' (
-        watcherName: watcherOptions:
-        lib.nameValuePair "panoptikon-${watcherName}" {
-          enable = true;
-          startAt = watcherOptions.frequency;
-          serviceConfig = {
-            Type = "oneshot";
-            User = "panoptikon";
-            Group = "panoptikon";
-            WorkingDirectory = "/var/lib/panoptikon";
-            RestartSec = toString (60 * 60);
-            Restart = "on-failure";
-            LoadCredential = watcherOptions.loadCredential;
-          };
-          unitConfig = {
-            StartLimitIntervalSec = "300";
-            StartLimitBurst = "5";
-          };
-          environment.PANOPTIKON_WATCHER = watcherName;
-          wants = [ "network-online.target" ];
-          script = ''
-            set -fux
-            ${watcherOptions.script} > ${lib.escapeShellArg watcherName}
-            diff_output=$(${pkgs.diffutils}/bin/diff --new-file ${
-              lib.escapeShellArg (watcherName + ".old")
-            } ${lib.escapeShellArg watcherName} || :)
-            if [ -n "$diff_output" ]
-            then
-              ${lib.strings.concatMapStringsSep "\n" (
-                reporter: ''echo "$diff_output" | ${reporter} || :''
-              ) watcherOptions.reporters}
-            fi
-            mv ${lib.escapeShellArg watcherName} ${lib.escapeShellArg (watcherName + ".old")}
-          '';
-        }
-      ) cfg.watchers;
-    };
-}

packages/pi.nix

@@ -0,0 +1,69 @@
+{
+  runCommand,
+  nodejs,
+  writeShellApplication,
+  lib,
+  jq,
+  cacert,
+  pi-llm,
+}:
+let
+  # Pre-install pi plugins into a fake npm global prefix
+  pluginPrefixRaw =
+    runCommand "pi-plugins-raw"
+      {
+        nativeBuildInputs = [
+          nodejs
+          cacert
+        ];
+        outputHashMode = "recursive";
+        outputHashAlgo = "sha256";
+        outputHash = "sha256-YrrQ5m8XYKFNR2+dn97GYxKxcWPBndomPZsqKfwD6w0=";
+        impureEnvVars = [
+          "http_proxy"
+          "https_proxy"
+        ];
+        SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+      }
+      ''
+        export HOME=$TMPDIR
+        export npm_config_prefix=$out
+        npm install -g pi-hooks shitty-extensions
+      '';
+
+  # Remove the resistance extension (annoying terminator quote widget)
+  pluginPrefix = runCommand "pi-plugins" { } ''
+    cp -a ${pluginPrefixRaw} $out
+    chmod -R u+w $out
+    pkg=$out/lib/node_modules/shitty-extensions/package.json
+    ${lib.getExe jq} '.pi.extensions |= map(select(contains("resistance") | not))' "$pkg" > "$pkg.tmp"
+    mv "$pkg.tmp" "$pkg"
+  '';
+in
+writeShellApplication {
+  name = "pi";
+  runtimeInputs = [ nodejs ];
+  text = ''
+    set -efu
+    export npm_config_prefix="${pluginPrefix}"
+
+    # Ensure settings.json has our plugins listed
+    SETTINGS_DIR="''${PI_CODING_AGENT_DIR:-$HOME/.pi/agent}"
+    SETTINGS_FILE="$SETTINGS_DIR/settings.json"
+    mkdir -p "$SETTINGS_DIR"
+
+    # Add packages to settings if not already present
+    if [ ! -f "$SETTINGS_FILE" ]; then
+      echo '{"packages":["npm:pi-hooks","npm:shitty-extensions"]}' > "$SETTINGS_FILE"
+    else
+      for pkg in "npm:pi-hooks" "npm:shitty-extensions"; do
+        if ! grep -q "$pkg" "$SETTINGS_FILE"; then
+          ${lib.getExe jq} --arg p "$pkg" '.packages = ((.packages // []) + [$p] | unique)' "$SETTINGS_FILE" > "$SETTINGS_FILE.tmp"
+          mv "$SETTINGS_FILE.tmp" "$SETTINGS_FILE"
+        fi
+      done
+    fi
+
+    exec ${lib.getExe pi-llm} "$@"
+  '';
+}

secrets.txt

@@ -0,0 +1,89 @@
+secrets/alertmanager-token-reporters.age
+secrets/brevo-key.age
+secrets/cifs-credentials-zodiac.age
+secrets/copecart-ipn.age
+secrets/di-fm-key.age
+secrets/email-password-cock.age
+secrets/email-password-fysi.age
+secrets/email-password-ical-ephemeris.age
+secrets/email-password-letos.age
+secrets/email-password-meinhak99.age
+secrets/email-password-posteo.age
+secrets/fatteh-retiolum-privateKey-ed25519.age
+secrets/fatteh-retiolum-privateKey-rsa.age
+secrets/fatteh-syncthing-cert.age
+secrets/fatteh-syncthing-key.age
+secrets/fatteh-wireguard-aether-key.age
+secrets/fatteh-wireguard-aether-psk.age
+secrets/ful-retiolum-privateKey-ed25519.age
+secrets/ful-retiolum-privateKey-rsa.age
+secrets/ful-root.age
+secrets/fu-sftp-key.age
+secrets/gemini-api-key.age
+secrets/github-token-i3status-rust.age
+secrets/grafana-password-admin.age
+secrets/hetzner-storagebox-credentials.age
+secrets/home-assistant-token.age
+secrets/kabsa-retiolum-privateKey-ed25519.age
+secrets/kabsa-retiolum-privateKey-rsa.age
+secrets/kabsa-syncthing-cert.age
+secrets/kabsa-syncthing-key.age
+secrets/kabsa-wireguard-aether-key.age
+secrets/kabsa-wireguard-aether-psk.age
+secrets/kfm-password.age
+secrets/kibbeh-retiolum-privateKey-ed25519.age
+secrets/kibbeh-retiolum-privateKey-rsa.age
+secrets/kibbeh-syncthing-cert.age
+secrets/kibbeh-syncthing-key.age
+secrets/ledger-basicAuth.age
+secrets/makanek-retiolum-privateKey-ed25519.age
+secrets/makanek-retiolum-privateKey-rsa.age
+secrets/manakish-retiolum-privateKey-ed25519.age
+secrets/manakish-retiolum-privateKey-rsa.age
+secrets/manakish-syncthing-cert.age
+secrets/manakish-syncthing-key.age
+secrets/manakish-wireguard-aether-key.age
+secrets/manakish-wireguard-aether-psk.age
+secrets/mastodon-token-celan.age
+secrets/mastodon-token-hesychius.age
+secrets/mastodon-token-nietzsche.age
+secrets/mastodon-token-smyth.age
+secrets/mastodon-token-tlgwotd.age
+secrets/mastodon-token-transits.age
+secrets/matrix-token-lakai.age
+secrets/matrix-token-lakai-env.age
+secrets/maxmind-license-key.age
+secrets/mega-password.age
+secrets/miniflux-api-token.age
+secrets/miniflux-credentials.age
+secrets/nextcloud-password-admin.age
+secrets/nextcloud-password-database.age
+secrets/nextcloud-password-fysi.age
+secrets/nextcloud-password-kieran.age
+secrets/onlyoffice-jwt-key.age
+secrets/opencrow-matrix-token.age
+secrets/opencrow-soul.age
+secrets/openweathermap-api-key.age
+secrets/restic.age
+secrets/secrets.nix
+secrets/spotify-password.age
+secrets/spotify-username.age
+secrets/stw-berlin-card-code.age
+secrets/tabula-retiolum-privateKey-ed25519.age
+secrets/tabula-retiolum-privateKey-rsa.age
+secrets/tahina-retiolum-privateKey-ed25519.age
+secrets/tahina-retiolum-privateKey-rsa.age
+secrets/telegram-token-betacode.age
+secrets/telegram-token-kmein.age
+secrets/telegram-token-menstruation.age
+secrets/telegram-token-nachtischsatan.age
+secrets/telegram-token-proverb.age
+secrets/telegram-token-reverse.age
+secrets/telegram-token-streaming-link.age
+secrets/weechat-sec.conf.age
+secrets/wifi.age
+secrets/zaatar-moodle-dl-basicAuth.age
+secrets/zaatar-moodle-dl-tokens.json.age
+secrets/zaatar-retiolum-privateKey-ed25519.age
+secrets/zaatar-retiolum-privateKey-rsa.age
+secrets/zaatar-ympd-basicAuth.age

systems/ful/configuration.nix

@@ -16,7 +16,7 @@
     ./gemini.nix
     ./wallabag.nix
     ./nethack.nix
-    ./openclaw.nix
+    ./opencrow.nix
   ];
 
   niveum.passport = {

systems/ful/openclaw.nix

@@ -1,117 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  users.users.openclaw = {
-    isSystemUser = true;
-    group = "openclaw";
-    extraGroups = [ "openclaw-shared" ]; # Access to shared data
-    home = "/var/lib/openclaw";
-    createHome = true;
-    shell = pkgs.bash;
-    packages = [
-      pkgs.llm-agents.openclaw
-    ];
-  };
-
-  users.groups.openclaw = { };
-  users.groups.openclaw-shared = { };
-
-  systemd.services.openclaw = {
-    description = "OpenClaw Gateway Service";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-
-    path = config.users.users.openclaw.packages;
-
-    serviceConfig = {
-      User = "openclaw";
-      Group = "openclaw";
-      StateDirectory = "openclaw";
-      WorkingDirectory = "/var/lib/openclaw";
-
-      ExecStart = pkgs.writeShellScript "openclaw-wrapper" ''
-        exec ${pkgs.llm-agents.openclaw}/bin/openclaw gateway
-      '';
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      RemoveIPC = true;
-      RestrictSUIDSGID = true;
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      LockPersonality = true;
-      UMask = "0077";
-
-      PrivateDevices = true;
-      DeviceAllow = [
-        "/dev/null rw"
-        "/dev/zero rw"
-        "/dev/random r"
-        "/dev/urandom r"
-      ];
-      SystemCallFilter = [
-        "@system-service"
-        "~@mount"
-        "@cpu-emulation"
-        "@debug"
-        "@keyring"
-        "@module"
-        "@obsolete"
-        "@raw-io"
-        "@reboot"
-        "@swap"
-      ];
-      SystemCallArchitectures = "native";
-
-      ProtectSystem = "strict";
-      ReadWritePaths = [
-        "/var/lib/openclaw"
-      ];
-      NoNewPrivileges = true;
-      PrivateTmp = true;
-      Restart = "always";
-    };
-
-    environment = {
-      OPENCLAW_HOME = "/var/lib/openclaw";
-    };
-  };
-
-  services.restic.backups.niveum.paths = [
-    config.users.users.openclaw.home
-  ];
-
-  systemd.services.openclaw-browser = {
-    description = "OpenClaw Browser (unrestricted)";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-
-    serviceConfig = {
-      User = "openclaw";
-      Group = "openclaw";
-      WorkingDirectory = "/var/lib/openclaw";
-      # NO hardening here - let Chrome do its thing
-      ExecStart = "${lib.getExe pkgs.chromium} ${
-        lib.escapeShellArgs [
-          "--headless"
-          "--no-sandbox"
-          "--disable-setuid-sandbox"
-          "--disable-dev-shm-usage"
-          "--remote-debugging-port=9222"
-          "--remote-debugging-address=127.0.0.1"
-        ]
-      }";
-      Restart = "always";
-    };
-  };
-}

systems/ful/opencrow.nix

@@ -0,0 +1,83 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+{
+  age.secrets = {
+    opencrow-matrix-token = {
+      file = ../../secrets/opencrow-matrix-token.age;
+    };
+    opencrow-soul = {
+      file = ../../secrets/opencrow-soul.age;
+    };
+    opencrow-gemini-key = {
+      file = ../../secrets/opencrow-gemini-key.age;
+    };
+    opencrow-openrouter-key = {
+      file = ../../secrets/opencrow-openrouter-key.age;
+    };
+  };
+
+  environment.systemPackages = [
+    pkgs.pi
+  ];
+
+  services.opencrow = {
+    enable = true;
+
+    package = pkgs.opencrow;
+
+    extraPackages = [
+      pkgs.pi
+      pkgs.nix
+    ];
+
+    environmentFiles = [
+      config.age.secrets.opencrow-matrix-token.path
+      config.age.secrets.opencrow-openrouter-key.path
+      config.age.secrets.opencrow-gemini-key.path
+    ];
+
+    extraBindMounts."/run/opencrow/SOUL.md" = {
+      hostPath = config.age.secrets.opencrow-soul.path;
+      isReadOnly = true;
+    };
+
+    environment = {
+      NIX_REMOTE = "daemon";
+
+      PI_PERMISSION_LEVEL = "high";
+      OPENCROW_MATRIX_HOMESERVER = "https://matrix.org";
+      OPENCROW_MATRIX_USER_ID = "@fable_ai:matrix.org";
+      OPENCROW_SOUL_FILE = "/run/opencrow/SOUL.md";
+      OPENCROW_HEARTBEAT_INTERVAL = "2h";
+
+      # end of the month
+      OPENCROW_PI_PROVIDER = "openrouter";
+      OPENCROW_PI_MODEL = "stepfun/step-3.5-flash:free";
+      # OPENCROW_PI_PROVIDER = "google";
+      # OPENCROW_PI_MODEL = "gemini-2.0-flash";
+
+      # beginning of the month
+      # OPENCROW_PI_PROVIDER = "github-copilot";
+      # OPENCROW_PI_MODEL = "claude-opus-4.6";
+    };
+  };
+
+  containers.opencrow.config = {
+    nix.settings.experimental-features = [
+      "flakes"
+      "nix-command"
+    ];
+  };
+
+  nix.settings.experimental-features = [
+    "flakes"
+    "nix-command"
+  ];
+
+  services.restic.backups.niveum.paths = [
+    "/var/lib/opencrow"
+  ];
+}

systems/ful/panoptikon.nix

@@ -5,42 +5,23 @@
   ...
 }:
 let
-  irc-xxx = pkgs.lib.panoptikon.kpaste-irc {
+  irc-xxx = pkgs.panoptikonReporters.kpaste-irc {
     target = lib.escapeShellArg "#xxx";
     retiolumLink = true;
   };
 
-  matrix =
-    {
-      server ? "matrix.4d2.org",
-      target,
-    }:
-    pkgs.writers.writeDash "matrix-reporter" ''
-      export RAW_MESSAGE="$(cat)"
-      export MESSAGE=$(printf '<b>%s</b><br><pre>%s</pre>' "$PANOPTIKON_WATCHER" "$RAW_MESSAGE")
-      export MATRIX_TOKEN="$(cat ${config.age.secrets.matrix-token-lakai.path})"
-      export JSON_PAYLOAD=$(${pkgs.jq}/bin/jq -n --arg msgtype "m.text" --arg body "$RAW_MESSAGE" --arg formattedBody "$MESSAGE" '{msgtype: $msgtype, body: $body, format: "org.matrix.custom.html", formatted_body: $formattedBody}')
-      ${pkgs.curl}/bin/curl -X POST "https://${server}/_matrix/client/r0/rooms/${target}/send/m.room.message" \
-        -d "$JSON_PAYLOAD" \
-        -H "Authorization: Bearer $MATRIX_TOKEN" \
-        -H "Content-Type: application/json"
-    '';
+  matrix-kmein = pkgs.panoptikonReporters.matrix {
+    homeserver = "matrix.4d2.org";
+    roomId = lib.escapeShellArg "!zlwCuPiCNMSxDviFzA:4d2.org";
+    tokenPath = config.age.secrets.matrix-token-lakai.path;
+  };
 
-  matrix-kmein = matrix { target = "!zlwCuPiCNMSxDviFzA:4d2.org"; };
+  telegram-kmein = pkgs.panoptikonReporters.telegram {
+    tokenPath = config.age.secrets.telegram-token-kmein.path;
+    chatId = "-1001796440545";
+  };
 
-  telegram-kmein =
-    let
-      chatId = "-1001796440545";
-    in
-    pkgs.writers.writeDash "telegram-fulltext" ''
-      export TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")"
-      ${pkgs.curl}/bin/curl -X POST "https://api.telegram.org/bot''${TOKEN}/sendMessage" \
-        -d chat_id=${chatId} \
-        -d text="$(cat)" \
-        | ${pkgs.jq}/bin/jq -e .ok
-    '';
-
-  irc-kmein = pkgs.lib.panoptikon.kpaste-irc {
+  irc-kmein = pkgs.panoptikonReporters.kpaste-irc {
     messagePrefix = "$PANOPTIKON_WATCHER: ";
     target = "kmein";
     nick = "panoptikon-kmein";
@@ -48,7 +29,12 @@ let
   };
 in
 {
-  age.secrets.telegram-token-kmein.file = ../../secrets/telegram-token-kmein.age;
+  age.secrets.telegram-token-kmein = {
+    file = ../../secrets/telegram-token-kmein.age;
+    owner = "panoptikon";
+    group = "panoptikon";
+    mode = "400";
+  };
   age.secrets.matrix-token-lakai = {
     file = ../../secrets/matrix-token-lakai.age;
     owner = "panoptikon";
@@ -60,7 +46,7 @@ in
     enable = true;
     watchers = {
       "github-meta" = {
-        script = pkgs.lib.panoptikon.urlJSON {
+        script = pkgs.panoptikonWatchers.json {
           jqScript = ''
             {
               ssh_key_fingerprints: .ssh_key_fingerprints,
@@ -70,83 +56,71 @@ in
         } "https://api.github.com/meta";
         reporters = [ irc-xxx ];
       };
-      lammla = {
-        script = pkgs.lib.panoptikon.url "http://lammla.info/index.php?reihe=30";
-        reporters = [ matrix-kmein ];
-      };
-      kratylos = {
-        script = pkgs.lib.panoptikon.url "https://kratylos.reichert-online.org/current_issue/KRATYLOS";
-        reporters = [ matrix-kmein ];
-      };
       kobudo-tesshinkan = {
-        script = pkgs.lib.panoptikon.url "https://kobudo-tesshinkan.eu/index.php/de/termine-berichte/lehrgaenge/";
+        script = pkgs.panoptikonWatchers.html "https://kobudo-tesshinkan.eu/index.php/de/termine-berichte/lehrgaenge/";
         reporters = [
           telegram-kmein
           matrix-kmein
         ];
       };
-      zeno-free = {
-        script = pkgs.lib.panoptikon.urlSelector ".zenoCOMain" "http://www.zeno.org/Lesesaal/M/E-Books";
-        reporters = [ matrix-kmein ];
-      };
       carolinawelslau = {
-        script = pkgs.lib.panoptikon.urlSelector "#main" "https://carolinawelslau.de/";
+        script = pkgs.panoptikonWatchers.htmlSelector "#main" "https://carolinawelslau.de/";
         reporters = [ matrix-kmein ];
       };
       humboldt-preis = {
-        script = pkgs.lib.panoptikon.urlSelector "#content-core" "https://www.hu-berlin.de/de/ueberblick/menschen/ehrungen/humboldtpreis";
+        script = pkgs.panoptikonWatchers.htmlSelector "#content-core" "https://www.hu-berlin.de/de/ueberblick/menschen/ehrungen/humboldtpreis";
         reporters = [ matrix-kmein ];
       };
       lisalittmann = {
-        script = pkgs.lib.panoptikon.urlSelector "#site-content" "https://lisalittmann.de/";
+        script = pkgs.panoptikonWatchers.htmlSelector "#site-content" "https://lisalittmann.de/";
         reporters = [ matrix-kmein ];
       };
       lisalittmann-archive = {
-        script = pkgs.lib.panoptikon.urlSelector "#site-content" "https://lisalittmann.de/archive/";
+        script = pkgs.panoptikonWatchers.htmlSelector "#site-content" "https://lisalittmann.de/archive/";
         reporters = [ matrix-kmein ];
       };
       lisalittmann-projects = {
-        script = pkgs.lib.panoptikon.urlSelector "#site-content" "https://lisalittmann.de/projects/";
+        script = pkgs.panoptikonWatchers.htmlSelector "#site-content" "https://lisalittmann.de/projects/";
         reporters = [ matrix-kmein ];
       };
       tatort = {
-        script = pkgs.lib.panoptikon.urlSelector ".linklist" "https://www.daserste.de/unterhaltung/krimi/tatort/sendung/index.html";
+        script = pkgs.panoptikonWatchers.htmlSelector ".linklist" "https://www.daserste.de/unterhaltung/krimi/tatort/sendung/index.html";
         reporters = [ matrix-kmein ];
       };
       warpgrid-idiomarium = {
-        script = pkgs.lib.panoptikon.urlSelector "#site-content" "https://warpgrid.de/idiomarium/";
+        script = pkgs.panoptikonWatchers.htmlSelector "#site-content" "https://warpgrid.de/idiomarium/";
         reporters = [ matrix-kmein ];
       };
       warpgrid-futurism = {
-        script = pkgs.lib.panoptikon.urlSelector "#site-content" "https://warpgrid.de/futurism/";
+        script = pkgs.panoptikonWatchers.htmlSelector "#site-content" "https://warpgrid.de/futurism/";
         reporters = [ matrix-kmein ];
       };
       warpgrid-imagiary = {
-        script = pkgs.lib.panoptikon.urlSelector "#site-content" "https://warpgrid.de/imagiary/";
+        script = pkgs.panoptikonWatchers.htmlSelector "#site-content" "https://warpgrid.de/imagiary/";
         reporters = [ matrix-kmein ];
       };
       warpgrid-alchemy = {
-        script = pkgs.lib.panoptikon.urlSelector "#site-content" "https://warpgrid.de/alchemy/";
+        script = pkgs.panoptikonWatchers.htmlSelector "#site-content" "https://warpgrid.de/alchemy/";
         reporters = [ matrix-kmein ];
       };
       indogermanische-forschungen = {
-        script = pkgs.lib.panoptikon.urlSelector "#latestIssue" "https://www.degruyter.com/journal/key/INDO/html";
+        script = pkgs.panoptikonWatchers.htmlSelector "#latestIssue" "https://www.degruyter.com/journal/key/INDO/html";
         reporters = [ matrix-kmein ];
       };
       ig-neuigkeiten = {
-        script = pkgs.lib.panoptikon.urlSelector "[itemprop=articleBody]" "https://www.indogermanistik.org/aktuelles/neuigkeiten.html";
+        script = pkgs.panoptikonWatchers.htmlSelector "[itemprop=articleBody]" "https://www.indogermanistik.org/aktuelles/neuigkeiten.html";
         reporters = [ matrix-kmein ];
       };
       ig-tagungen = {
-        script = pkgs.lib.panoptikon.urlSelector "[itemprop=articleBody]" "https://www.indogermanistik.org/tagungen/tagungen-der-ig.html";
+        script = pkgs.panoptikonWatchers.htmlSelector "[itemprop=articleBody]" "https://www.indogermanistik.org/tagungen/tagungen-der-ig.html";
         reporters = [ matrix-kmein ];
       };
       fu-distant = {
-        script = pkgs.lib.panoptikon.urlSelector "#current_events" "https://www.geschkult.fu-berlin.de/en/e/ma-distant/Termine/index.html";
+        script = pkgs.panoptikonWatchers.htmlSelector "#current_events" "https://www.geschkult.fu-berlin.de/en/e/ma-distant/Termine/index.html";
         reporters = [ matrix-kmein ];
       };
       fu-aegyptologie = {
-        script = pkgs.lib.panoptikon.urlSelector "#current_events" "https://www.geschkult.fu-berlin.de/e/aegyptologie/termine/index.html";
+        script = pkgs.panoptikonWatchers.htmlSelector "#current_events" "https://www.geschkult.fu-berlin.de/e/aegyptologie/termine/index.html";
         reporters = [ matrix-kmein ];
       };
     };

systems/makanek/configuration.nix

@@ -9,7 +9,7 @@
     ./gitea.nix
     ./hardware-configuration.nix
     ./hedgedoc.nix
-    ./menstruation.nix
+    # ./menstruation.nix
     ./moinbot.nix
     ./monitoring
     # ./names.nix

systems/makanek/hardware-configuration.nix

@@ -34,7 +34,6 @@
   };
 
   swapDevices = [ ];
-  zramSwap.enable = true;
 
   nix.settings.max-jobs = lib.mkDefault 2;
 }

systems/makanek/nextcloud.nix

@@ -55,7 +55,7 @@ in
 
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud31;
+    package = pkgs.nextcloud32;
 
     https = true;
 

systems/makanek/weechat.nix

@@ -187,16 +187,19 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       restartIfChanged = true;
-      path = [ pkgs.alacritty.terminfo ];
-      environment.WEECHAT_HOME = weechatHome;
+      path = [ pkgs.alacritty.terminfo pkgs.screen ];
+      environment = {
+        WEECHAT_HOME = weechatHome;
+      };
       # preStart = "${pkgs.coreutils}/bin/rm $WEECHAT_HOME/*.conf";
-      script = "${tmux} -2 new-session -d -s IM ${weechat}/bin/weechat";
-      preStop = "${tmux} kill-session -t IM";
+      script = "${pkgs.screen}/bin/screen -S weechat -d -m ${weechat}/bin/weechat";
+      preStop = "${pkgs.screen}/bin/screen -S weechat -X quit";
       serviceConfig = {
         User = "weechat";
         Group = "weechat";
         RemainAfterExit = true;
         Type = "oneshot";
+        RuntimeDirectory = "weechat-tmux";
       };
     };
 
@@ -210,7 +213,7 @@ in
     group = "weechat";
     home = "/var/lib/weechat";
     isSystemUser = true;
-    packages = [ pkgs.tmux ];
+    packages = [ pkgs.screen ];
   };
 
   age.secrets.weechat-sec = {

systems/manakish/hardware-configuration.nix

@@ -44,7 +44,7 @@
   };
 
   swapDevices = [ ];
-  zramSwap.enable = true;
+  zramSwap.enable = false;
 
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }