From 0fb5e46e8ffbfa87a8ec07819f27952974471e2b Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Sun, 4 Jan 2026 16:45:43 -0600 Subject: [PATCH 1/6] secrets boa, still not working fully --- flakes/secrets-bao/nixos-module.nix | 93 +++++++++++++++++++++++++---- hosts/juni/flake.lock | 4 +- 2 files changed, 84 insertions(+), 13 deletions(-) diff --git a/flakes/secrets-bao/nixos-module.nix b/flakes/secrets-bao/nixos-module.nix index 303bebad..aed19c58 100644 --- a/flakes/secrets-bao/nixos-module.nix +++ b/flakes/secrets-bao/nixos-module.nix 
@@ -46,14 +46,41 @@ let sig="$(${pkgs.coreutils}/bin/printf '%s' "$h64.$p64" | ${pkgs.openssl}/bin/openssl dgst -sha256 -sign "$pem_file" | b64url)" assertion="$h64.$p64.$sig" - ${pkgs.curl}/bin/curl -sS -X POST "${cfg.zitadelTokenEndpoint}" \ + resp="" + if ! resp="$(${pkgs.curl}/bin/curl -sS --fail-with-body -X POST "${cfg.zitadelTokenEndpoint}" \ -H 'content-type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \ --data-urlencode "assertion=$assertion" \ --data-urlencode "scope=${cfg.zitadelScopes}" \ - | ${pkgs.jq}/bin/jq -r .access_token + )"; then + echo "Zitadel token endpoint returned error; response:" >&2 + echo "$resp" >&2 + exit 1 + fi + + token="$(${pkgs.jq}/bin/jq -r '.access_token // empty' <<<"$resp" 2>/dev/null || true)" + if [ -z "$token" ] || [ "$token" = "null" ]; then + echo "Zitadel token mint did not return access_token; response:" >&2 + echo "$resp" >&2 + exit 1 + fi + + # Quick sanity check: JWT should have 2 dots. + if ! ${pkgs.gnugrep}/bin/grep -q '\\.' <<<"$token"; then + echo "Zitadel access_token does not look like a JWT; response:" >&2 + echo "$resp" >&2 + exit 1 + fi + + ${pkgs.coreutils}/bin/printf '%s' "$token" ''; + zitadelHost = + let + noProto = lib.strings.removePrefix "https://" (lib.strings.removePrefix "http://" cfg.zitadelTokenEndpoint); + in + builtins.head (lib.strings.splitString "/" noProto); + mkAgentConfig = pkgs.writeText "vault-agent.hcl" '' vault { address = "${cfg.openBaoAddr}" @@ -231,8 +258,13 @@ in zitadel-mint-jwt = { description = "Mint Zitadel access token (JWT) for OpenBao"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" "nss-lookup.target" ]; - wants = [ "network-online.target" ]; + after = [ + "network-online.target" + "nss-lookup.target" + "NetworkManager-wait-online.service" + "systemd-resolved.service" + ]; + wants = [ "network-online.target" "NetworkManager-wait-online.service" ]; serviceConfig = { Type = "oneshot"; 
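Review bot: In the first hunk of nixos-module.nix, the sanity check `grep -q '\\.'` does not test for dots. Inside a Nix `''` string the backslashes reach the shell unchanged, so grep looks for a literal backslash followed by any character, which a JWT never contains. If that reading is right, every successful mint falls into this branch, exits 1, and `echo "$resp" >&2` writes the whole token response, access_token included, to the journal. Match the three-segment shape instead, `${pkgs.gnugrep}/bin/grep -Eq '^[^.]+\.[^.]+\.[^.]+$' <<<"$token"`, and log only a fixed message on this path, since here the body holds a live bearer token. The script this belongs to starts outside the hunk.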
@@ -249,16 +281,50 @@ in exit 1 fi - # Wait for DNS + routing to be up. - for i in {1..60}; do - if ${pkgs.glibc}/bin/getent hosts sso.joshuabell.xyz >/dev/null; then + echo "zitadel-mint-jwt: starting (host=${zitadelHost})" >&2 + + jwt_is_valid() { + local token="$1" + local payload_b64 payload_json exp now + + payload_b64="$(${pkgs.coreutils}/bin/printf '%s' "$token" | ${pkgs.coreutils}/bin/cut -d. -f2)" + payload_b64="$(${pkgs.coreutils}/bin/printf '%s' "$payload_b64" | ${pkgs.gnused}/bin/sed -e 's/-/+/g' -e 's/_/\//g')" + + case $((${pkgs.coreutils}/bin/printf '%s' "$payload_b64" | ${pkgs.coreutils}/bin/wc -c)) in + *1) payload_b64="$payload_b64=" ;; + *2) payload_b64="$payload_b64==" ;; + *3) : ;; + *0) : ;; + esac + + payload_json="$(${pkgs.coreutils}/bin/printf '%s' "$payload_b64" | ${pkgs.coreutils}/bin/base64 -d 2>/dev/null || true)" + exp="$(${pkgs.jq}/bin/jq -r '.exp // empty' <<<"$payload_json" 2>/dev/null || true)" + if [ -z "$exp" ]; then + return 1 + fi + + now="$(${pkgs.coreutils}/bin/date +%s)" + if [ "$exp" -gt $(( now + 60 )) ]; then + return 0 + fi + return 1 + } + + if [ -s "${cfg.zitadelJwtPath}" ] && jwt_is_valid "$(cat "${cfg.zitadelJwtPath}")"; then + echo "zitadel-mint-jwt: existing token still valid; skipping" >&2 + exit 0 + fi + + # Wait for DNS to be usable. + for i in {1..120}; do + if ${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null; then break fi sleep 1 done - if ! ${pkgs.glibc}/bin/getent hosts sso.joshuabell.xyz >/dev/null; then - echo "DNS still not ready for sso.joshuabell.xyz" >&2 + if ! ${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null; then + echo "DNS still not ready for ${zitadelHost}" >&2 exit 1 fi @@ -276,7 +342,10 @@ in exit 1 fi - ${pkgs.coreutils}/bin/printf '%s' "$jwt" > "${cfg.zitadelJwtPath}" + tmp="$(${pkgs.coreutils}/bin/mktemp)" + trap '${pkgs.coreutils}/bin/rm -f "$tmp"' EXIT + ${pkgs.coreutils}/bin/printf '%s' "$jwt" > "$tmp" + ${pkgs.coreutils}/bin/mv -f "$tmp" "${cfg.zitadelJwtPath}" ''; }; }; 
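Review bot: The padding step in `jwt_is_valid` is unlikely to work as written. Bash reads `$((` … `))` as arithmetic expansion rather than command substitution, so the `printf | wc -c` pipeline is probably never run, and the `*1`/`*2` patterns key off the last decimal digit of the length instead of the length modulo 4. Because decode and jq errors are silenced with `|| true`, the likely visible effect is only that a cached token is never recognised as fresh and the service re-mints on every start. Pad from the string length instead, e.g. `while [ $(( ''${#payload_b64} % 4 )) -ne 0 ]; do payload_b64="$payload_b64="; done` (the `''$` keeps Nix from interpolating). The function only reads `exp` from an unverified payload, so a comment such as `# freshness check only; the signature is not verified here` would keep later readers from treating it as validation.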
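Review bot: In the token-write hunk, `mktemp` without a template creates the file under the default temp directory, so `mv -f` onto `${cfg.zitadelJwtPath}` is only an atomic rename when both paths are on the same filesystem. Otherwise it degrades to a copy, and a reader such as the agent can observe a partial token. Create the temp file beside the target, `tmp="$(${pkgs.coreutils}/bin/mktemp "${cfg.zitadelJwtPath}.XXXXXX")"`. The new file also keeps mktemp's 0600 mode rather than whatever the old redirect produced, which is the safer default but should be confirmed against whoever reads the token. The `trap … EXIT` replaces any EXIT trap set earlier in the script, which starts outside this hunk.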
@@ -296,7 +365,7 @@ in User = "root"; Group = "root"; Restart = "on-failure"; - RestartSec = "2s"; + RestartSec = "30s"; UMask = "0077"; ExecStart = "${pkgs.openbao}/bin/bao agent -config=${mkAgentConfig}"; @@ -310,6 +379,8 @@ in description = "Wait for OpenBao secret ${name}"; after = [ "vault-agent.service" ]; requires = [ "vault-agent.service" ]; + startLimitIntervalSec = 300; + startLimitBurst = 3; serviceConfig = { Type = "oneshot"; diff --git a/hosts/juni/flake.lock b/hosts/juni/flake.lock index 0f4d6da0..b721bbcc 100644 --- a/hosts/juni/flake.lock +++ b/hosts/juni/flake.lock @@ -1310,8 +1310,8 @@ }, "secrets-bao": { "locked": { - "lastModified": 1767294512, - "narHash": "sha256-VJsOr6MRAskbLVRHtLplIHBvi6K45yj0H2TSP0V2SKI=", + "lastModified": 1767301838, + "narHash": "sha256-rQCAZ5A9ozbDfkzdZpH30BBqzcxKXN3BJmL74BoPSsA=", "path": "/home/josh/.config/nixos-config/flakes/secrets-bao", "type": "path" }, From 9e8d6fcddb36f092fe5208154ca1bf070e7eebc5 Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Sun, 4 Jan 2026 17:32:01 -0600 Subject: [PATCH 2/6] many updates --- flakes/beszel/flake.lock | 6 +- flakes/common/hm_modules/ssh.nix | 5 + .../common/nix_modules/remote_lio_builds.nix | 11 +- flakes/opencode/flake.lock | 12 +- hosts/oren/flake.lock | 201 +++++++++--------- hosts/oren/flake.nix | 22 +- 6 files changed, 126 insertions(+), 131 deletions(-) diff --git a/flakes/beszel/flake.lock b/flakes/beszel/flake.lock index 0e6cba16..99107dd5 100644 --- a/flakes/beszel/flake.lock +++ b/flakes/beszel/flake.lock @@ -2,11 +2,11 @@ "nodes": { "beszel-nixpkgs": { "locked": { - "lastModified": 1765472234, - "narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=", + "lastModified": 1767379071, + "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b", + "rev": "fb7944c166a3b630f177938e478f0378e64ce108", "type": "github" }, "original": { 
diff --git a/flakes/common/hm_modules/ssh.nix b/flakes/common/hm_modules/ssh.nix index 7b1d70d9..fe33b623 100644 --- a/flakes/common/hm_modules/ssh.nix +++ b/flakes/common/hm_modules/ssh.nix @@ -54,6 +54,11 @@ in "lio" = lib.mkIf (hasSecret "nix2lio") { identityFile = age.secrets.nix2lio.path; user = "josh"; + extraOptions = { + "PubkeyAcceptedKeyTypes" = "ssh-ed25519"; + "ServerAliveInterval" = 60; + "IPQoS" = "throughput"; + }; }; "lio_" = lib.mkIf (hasSecret "nix2lio") { identityFile = age.secrets.nix2lio.path; diff --git a/flakes/common/nix_modules/remote_lio_builds.nix b/flakes/common/nix_modules/remote_lio_builds.nix index 7a54d1ce..040ede21 100644 --- a/flakes/common/nix_modules/remote_lio_builds.nix +++ b/flakes/common/nix_modules/remote_lio_builds.nix @@ -12,20 +12,11 @@ let secrets ? ${secret} && secrets.${secret} != null; in { - # Remote build off home lio computer - programs.ssh.extraConfig = lib.mkIf (hasSecret "nix2lio") '' - Host lio_ - PubkeyAcceptedKeyTypes ssh-ed25519 - ServerAliveInterval 60 - IPQoS throughput - IdentityFile ${config.age.secrets.nix2lio.path} - ''; nix = lib.mkIf (hasSecret "nix2lio") { distributedBuilds = true; buildMachines = [ { - # TODO require hostname in ssh config? - hostName = "lio_"; + hostName = "lio"; system = "x86_64-linux"; protocol = "ssh-ng"; maxJobs = 32; diff --git a/flakes/opencode/flake.lock b/flakes/opencode/flake.lock index 2c9880e4..9821db5b 100644 --- a/flakes/opencode/flake.lock +++ b/flakes/opencode/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1767026758, - "narHash": "sha256-7fsac/f7nh/VaKJ/qm3I338+wAJa/3J57cOGpXi0Sbg=", + "lastModified": 1767364772, + "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "346dd96ad74dc4457a9db9de4f4f57dab2e5731d", + "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa", "type": "github" }, "original": { 
@@ -21,11 +21,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1767126722, - "narHash": "sha256-bXBpPQ9altAzsuFKhIS83LKwuLIxKJ4gWMAG5xzk+fM=", + "lastModified": 1767556352, + "narHash": "sha256-iYP/fa9guprb2hn8ONJrJe6U076zbeKHdqyyL0gvH8s=", "owner": "sst", "repo": "opencode", - "rev": "3fe5d91372fdf859e09ed5a2aefe359e0648ed10", + "rev": "c545fa2a289518fda35be66d1c81936a54962702", "type": "github" }, "original": { diff --git a/hosts/oren/flake.lock b/hosts/oren/flake.lock index a785e1a0..ae4bda2a 100644 --- a/hosts/oren/flake.lock +++ b/hosts/oren/flake.lock @@ -31,11 +31,11 @@ }, "locked": { "dir": "flakes/beszel", - "lastModified": 1766426360, - "narHash": "sha256-QcCko39bjdoSLezpfj4+/HGCyC/XDaomt17Rb8/cG1E=", + "lastModified": 1767566743, + "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", "ref": "refs/heads/master", - "rev": "286f8a1687dd1b2b8c383942a8ee25d8350de892", - "revCount": 967, + "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", + "revCount": 1035, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -64,11 +64,11 @@ "common": { "locked": { "dir": "flakes/common", - "lastModified": 1767105946, - "narHash": "sha256-IRgl+mna4n7jDyVw0hPSwE2VnbXj0wnuyDaUwmhE/YU=", + "lastModified": 1767566743, + "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", "ref": "refs/heads/master", - "rev": "f25a2e5dc61a7b10f7c26d491eed3a53a5b47854", - "revCount": 1002, + "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", + "revCount": 1035, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, 
@@ -123,11 +123,11 @@ }, "locked": { "dir": "flakes/de_plasma", - "lastModified": 1766426360, - "narHash": "sha256-QcCko39bjdoSLezpfj4+/HGCyC/XDaomt17Rb8/cG1E=", + "lastModified": 1767566743, + "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", "ref": "refs/heads/master", - "rev": "286f8a1687dd1b2b8c383942a8ee25d8350de892", - "revCount": 967, + "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", + "revCount": 1035, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -161,11 +161,11 @@ }, "locked": { "dir": "flakes/flatpaks", - "lastModified": 1766426360, - "narHash": "sha256-QcCko39bjdoSLezpfj4+/HGCyC/XDaomt17Rb8/cG1E=", + "lastModified": 1767566743, + "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", "ref": "refs/heads/master", - "rev": "286f8a1687dd1b2b8c383942a8ee25d8350de892", - "revCount": 967, + "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", + "revCount": 1035, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -202,11 +202,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1766292113, - "narHash": "sha256-sWTtmkQujRpjWYCnZc8LWdDiCzrRlSBPrGovkZpLkBI=", + "lastModified": 1767514898, + "narHash": "sha256-ONYqnKrPzfKEEPChoJ9qPcfvBqW9ZgieDKD7UezWPg4=", "owner": "rycee", "repo": "home-manager", - "rev": "fdec8815a86db36f42fc9c8cb2931cd8485f5aed", + "rev": "7a06e8a2f844e128d3b210a000a62716b6040b7f", "type": "github" }, "original": { @@ -273,11 +273,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1765779637, - "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=", + "lastModified": 1767379071, + "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4", + "rev": "fb7944c166a3b630f177938e478f0378e64ce108", "type": "github" }, "original": { 
@@ -289,11 +289,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1766201043, - "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=", + "lastModified": 1767325753, + "narHash": "sha256-yA/CuWyqm+AQo2ivGy6PlYrjZBQm7jfbe461+4HF2fo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b3aad468604d3e488d627c0b43984eb60e75e782", + "rev": "64049ca74d63e971b627b5f3178d95642e61cedd", "type": "github" }, "original": { @@ -305,11 +305,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1766201043, - "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=", + "lastModified": 1767480499, + "narHash": "sha256-8IQQUorUGiSmFaPnLSo2+T+rjHtiNWc+OAzeHck7N48=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b3aad468604d3e488d627c0b43984eb60e75e782", + "rev": "30a3c519afcf3f99e2c6df3b359aec5692054d92", "type": "github" }, "original": { @@ -321,11 +321,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1766125104, - "narHash": "sha256-l/YGrEpLromL4viUo5GmFH3K5M1j0Mb9O+LiaeCPWEM=", + "lastModified": 1767026758, + "narHash": "sha256-7fsac/f7nh/VaKJ/qm3I338+wAJa/3J57cOGpXi0Sbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7d853e518814cca2a657b72eeba67ae20ebf7059", + "rev": "346dd96ad74dc4457a9db9de4f4f57dab2e5731d", "type": "github" }, "original": { @@ -337,15 +337,16 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1764776358, - "narHash": "sha256-MxXSCRiV7DI5U3Ra1UxVJTTUyKsONAE8+8QdSXsGIhA=", + "lastModified": 1766309749, + "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0b8cec1eb2241336971009cdd4af641b930d0d97", + "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816", "type": "github" }, "original": { "owner": "nixos", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -385,11 +386,11 @@ "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": { "flake": false, "locked": { - "lastModified": 1763599441, - "narHash": "sha256-RwCQQfgQIQITVSJSX+QOSIOChT7E2AXdIwfU07S9GaU=", + "lastModified": 1766398838, + "narHash": "sha256-pO+bnwywDmhEpmU3Zw2VCAT8uLEgRlpHcAfW9NwqWis=", "owner": "CopilotC-Nvim", "repo": "CopilotChat.nvim", - "rev": "df5376c132382dd47e3e552612940cbf25b3580c", + "rev": "ed94e56ee8292f5df351e17709ff4b178ca84200", "type": "github" }, "original": { @@ -433,11 +434,11 @@ "nvim_plugin-MeanderingProgrammer/render-markdown.nvim": { "flake": false, "locked": { - "lastModified": 1764732647, - "narHash": "sha256-jya61X22LbcT4hpeio3qE/oOI/lvqKpf09oGEHHvQdA=", + "lastModified": 1765914395, + "narHash": "sha256-A7pm8sBQWsZl3Kc7JBh3gBUyKb6GfJ5J0zfn3mSGjKs=", "owner": "MeanderingProgrammer", "repo": "render-markdown.nvim", - "rev": "b2b135347e299ffbf7f4123fb7811899b0c9f4b8", + "rev": "07d088bf8bdadd159eb807b90eaee86a4778383f", "type": "github" }, "original": { @@ -513,11 +514,11 @@ "nvim_plugin-b0o/schemastore.nvim": { "flake": false, "locked": { - "lastModified": 1764655248, - "narHash": "sha256-9nUBzwbMkzLySMW/Y0EkFpvFgHeW5YDQ3J3moVQarjQ=", + "lastModified": 1766167236, + "narHash": "sha256-+Z1foMyKMxyMmYqmyu1KWiyL4Fc0Zm2SYV7RoZ9Ut2I=", "owner": "b0o", "repo": "schemastore.nvim", - "rev": "e9c00ea7813006dfa29f35c174f83f0184d45a93", + "rev": "8b92ea89835b8e5dbc779a675ebb0e5fcb9a1993", "type": "github" }, "original": { @@ -529,11 +530,11 @@ "nvim_plugin-catppuccin/nvim": { "flake": false, "locked": { - "lastModified": 1764084803, - "narHash": "sha256-ds+Rm9H00s++RC1dH4OQpCg1FXSm4HuwDGzr4ah0YBU=", + "lastModified": 1765701669, + "narHash": "sha256-8GKpGGdeBwxuMrheojyl162CzUntRcq9AktQVmKbpuI=", "owner": "catppuccin", "repo": "nvim", - "rev": "ce4a8e0d5267e67056f9f4dcf6cb1d0933c8ca00", + "rev": "ce8d176faa4643e026e597ae3c31db59b63cef09", "type": "github" }, "original": { 
@@ -545,11 +546,11 @@ "nvim_plugin-chrisgrieser/nvim-early-retirement": { "flake": false, "locked": { - "lastModified": 1764104935, - "narHash": "sha256-mvs0uIoxidy3jfC6oymwhaZVRbJrW+/kuMcIpR8TI6M=", + "lastModified": 1766186911, + "narHash": "sha256-COYpFOZTMGpZVfSJFMix/6TM5Eeemngcx1iukMa2nDE=", "owner": "chrisgrieser", "repo": "nvim-early-retirement", - "rev": "cd29cf40af7473530a8598245ba1d348fd5e1fa0", + "rev": "86edd80026e4eea2cef7d1e5dadcf34432e6098d", "type": "github" }, "original": { @@ -577,11 +578,11 @@ "nvim_plugin-folke/lazy.nvim": { "flake": false, "locked": { - "lastModified": 1762421181, - "narHash": "sha256-h5404njTAfqMJFQ3MAr2PWSbV81eS4aIs0cxAXkT0EM=", + "lastModified": 1765971162, + "narHash": "sha256-5A4kducPwKb5fKX4oSUFvo898P0dqfsqqLxFaXBsbQY=", "owner": "folke", "repo": "lazy.nvim", - "rev": "85c7ff3711b730b4030d03144f6db6375044ae82", + "rev": "306a05526ada86a7b30af95c5cc81ffba93fef97", "type": "github" }, "original": { @@ -689,11 +690,11 @@ "nvim_plugin-j-hui/fidget.nvim": { "flake": false, "locked": { - "lastModified": 1761243883, - "narHash": "sha256-XXTeJweQRIsC/WFhFxFbepOETV8e5Wfmh513su2Wve0=", + "lastModified": 1766143069, + "narHash": "sha256-uy2Z6vn9UYDN7Dr7iuiTrualRQdmUT0dwHP/eZXA/uA=", "owner": "j-hui", "repo": "fidget.nvim", - "rev": "e32b672d8fd343f9d6a76944fedb8c61d7d8111a", + "rev": "64463022a1f2ff1318ab22a2ea4125ed9313a483", "type": "github" }, "original": { @@ -801,11 +802,11 @@ "nvim_plugin-mfussenegger/nvim-lint": { "flake": false, "locked": { - "lastModified": 1763729870, - "narHash": "sha256-9fIZPUZhnQEHJtvboCs+A2QXo4UMTFejuHNagDkfkRk=", + "lastModified": 1766127989, + "narHash": "sha256-ysIoJ8uMAHu/OCemQ3yUYMhKIVnSDLQCvJH0SaGIOK4=", "owner": "mfussenegger", "repo": "nvim-lint", - "rev": "d1118791070d090777398792a73032a0ca5c79ff", + "rev": "7a64f4067065c16a355d40d0d599b8ca6b25de6d", "type": "github" }, "original": { 
@@ -817,11 +818,11 @@ "nvim_plugin-mrcjkb/rustaceanvim": { "flake": false, "locked": { - "lastModified": 1764542305, - "narHash": "sha256-t7xAQ9sczLyA1zODmD+nEuWuLnhrfSOoPu/4G/YTGdU=", + "lastModified": 1766276825, + "narHash": "sha256-dcXnh5SYPh1VRctTuCnuVPKFQuAI4XEvQasolCOv+Xw=", "owner": "mrcjkb", "repo": "rustaceanvim", - "rev": "6c3785d6a230bec63f70c98bf8e2842bed924245", + "rev": "0fa0462a2d6c9629e0bd03d1902e6a1472ceac3e", "type": "github" }, "original": { @@ -833,11 +834,11 @@ "nvim_plugin-neovim/nvim-lspconfig": { "flake": false, "locked": { - "lastModified": 1764477618, - "narHash": "sha256-IpVDEOr//Jy+r3Z5Qo8nxDa3fNO+BTBKzAmbqvxtCQE=", + "lastModified": 1766443238, + "narHash": "sha256-P95gPOwJ+rRofLb8iV5UOnh26to1I3sFrWGlGxHyz1M=", "owner": "neovim", "repo": "nvim-lspconfig", - "rev": "effe4bf2e1afb881ea67291c648b68dd3dfc927a", + "rev": "b34c08e0ea22bac67798f00238318fd16bd99b7c", "type": "github" }, "original": { @@ -945,11 +946,11 @@ "nvim_plugin-nvim-telescope/telescope.nvim": { "flake": false, "locked": { - "lastModified": 1764418954, - "narHash": "sha256-e6XSJRv4KB0z+nzGWmlV/YZNwWsyrrpQTloePRKWmw4=", + "lastModified": 1766268405, + "narHash": "sha256-O1rUiVKpDSvKMkZMFaEd8/ACcSgO/lfa1+Hc8uHbFOI=", "owner": "nvim-telescope", "repo": "telescope.nvim", - "rev": "e69b434b968a33815e2f02a5c7bd7b8dd4c7d4b2", + "rev": "e709d31454ee6e6157f0537f861f797bd44c0bad", "type": "github" }, "original": { @@ -961,11 +962,11 @@ "nvim_plugin-nvim-tree/nvim-tree.lua": { "flake": false, "locked": { - "lastModified": 1764713359, - "narHash": "sha256-dSaO5esPKj1y4vNyLb3AK9egmFJsmWxkGOT+etJsbRA=", + "lastModified": 1766192360, + "narHash": "sha256-Br+r9f/2o0AkewnGm7kFNfl3uYm1Akkklof0Sm5AL2M=", "owner": "nvim-tree", "repo": "nvim-tree.lua", - "rev": "59088b96a32ea47caf4976e164dbd88b86447fb7", + "rev": "b8b44b6a2494d086a9177251a119f9daec6cace8", "type": "github" }, "original": { 
@@ -977,11 +978,11 @@ "nvim_plugin-nvim-tree/nvim-web-devicons": { "flake": false, "locked": { - "lastModified": 1761440007, - "narHash": "sha256-klBjUtj0AvarN5a6O8Hh2t5BuOTe/m3ps2cHnlxVJvE=", + "lastModified": 1766287594, + "narHash": "sha256-ZdFRd0//C0Lle4cYIoAHBdz/yvQqmeylLNwvSifaWm4=", "owner": "nvim-tree", "repo": "nvim-web-devicons", - "rev": "8dcb311b0c92d460fac00eac706abd43d94d68af", + "rev": "6788013bb9cb784e606ada44206b0e755e4323d7", "type": "github" }, "original": { @@ -993,11 +994,11 @@ "nvim_plugin-nvim-treesitter/nvim-treesitter-context": { "flake": false, "locked": { - "lastModified": 1762769683, - "narHash": "sha256-ICwAUXKngSPsJ6VV+84KUPqtAwlGPrm4FIf9ioisiz8=", + "lastModified": 1765030629, + "narHash": "sha256-3NtwOA9d2ezLoo7qnzKAr6gwEdcpUqLc7ou4QI+9rDY=", "owner": "nvim-treesitter", "repo": "nvim-treesitter-context", - "rev": "660861b1849256398f70450afdf93908d28dc945", + "rev": "64dd4cf3f6fd0ab17622c5ce15c91fc539c3f24a", "type": "github" }, "original": { @@ -1105,11 +1106,11 @@ "nvim_plugin-stevearc/conform.nvim": { "flake": false, "locked": { - "lastModified": 1764743081, - "narHash": "sha256-qCjrMt3fsRbLr/iM7nFHG7oKtyTTGcse4/cJbm3odJE=", + "lastModified": 1766346125, + "narHash": "sha256-Pp4bGTlZEqxHoHqVCEekDdg2jvNayxAuBReK4HJ6yGg=", "owner": "stevearc", "repo": "conform.nvim", - "rev": "ffe26e8df8115c9665d24231f8a49fadb2d611ce", + "rev": "5420c4b5ea0aeb99c09cfbd4fd0b70d257b44f25", "type": "github" }, "original": { @@ -1217,11 +1218,11 @@ "nvim_plugin-zbirenbaum/copilot.lua": { "flake": false, "locked": { - "lastModified": 1764638966, - "narHash": "sha256-wQ6SfAunVMd5tNeM7RMvrfPC2ELRibyEQboVQlU/fBs=", + "lastModified": 1766207702, + "narHash": "sha256-879050VUJpWBrHxUA3hRpcYbn3KgBGpVpKLdSVOwbIA=", "owner": "zbirenbaum", "repo": "copilot.lua", - "rev": "881f99b827d65b41f522eecc21b112cf518028ac", + "rev": "e78d1ffebdf6ccb6fd8be4e6898030c1cf5f9b64", "type": "github" }, "original": { 
@@ -1236,11 +1237,11 @@ }, "locked": { "dir": "flakes/opencode", - "lastModified": 1766426360, - "narHash": "sha256-QcCko39bjdoSLezpfj4+/HGCyC/XDaomt17Rb8/cG1E=", + "lastModified": 1767566743, + "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", "ref": "refs/heads/master", - "rev": "286f8a1687dd1b2b8c383942a8ee25d8350de892", - "revCount": 967, + "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", + "revCount": 1035, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -1255,11 +1256,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1766426038, - "narHash": "sha256-3TxsJjL5M83q9nOa4ls6rWfbECYUE6llzBAgqCYQml8=", + "lastModified": 1767126722, + "narHash": "sha256-bXBpPQ9altAzsuFKhIS83LKwuLIxKJ4gWMAG5xzk+fM=", "owner": "sst", "repo": "opencode", - "rev": "6baee0791f48bcf32eef1e199d0cadca57772b9b", + "rev": "3fe5d91372fdf859e09ed5a2aefe359e0648ed10", "type": "github" }, "original": { @@ -1383,11 +1384,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1765641080, - "narHash": "sha256-AyPi7rZVfjTjQrhPHP+ugpVY8tcUzF3Lw1RjACuxAms=", + "lastModified": 1767195473, + "narHash": "sha256-xL3DZSWiNSvW58LsJwFIpQ9i3Vs5uaYUjbL60rpFxPk=", "ref": "refs/heads/master", - "rev": "224ad4e3ecd9421c7469c4f06ff5faf7f6e8bedb", - "revCount": 325, + "rev": "88e86b5a7d40697ade905f534dcd5372a67b8102", + "revCount": 328, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/nvim" }, @@ -1404,11 +1405,11 @@ ] }, "locked": { - "lastModified": 1764729618, - "narHash": "sha256-z4RA80HCWv2los1KD346c+PwNPzMl79qgl7bCVgz8X0=", + "lastModified": 1766457837, + "narHash": "sha256-aeBbkQ0HPFNOIsUeEsXmZHXbYq4bG8ipT9JRlCcKHgU=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "52764074a85145d5001bf0aa30cb71936e9ad5b8", + "rev": "2c7510a559416d07242621d036847152d970612b", "type": "github" }, "original": { 
@@ -1445,11 +1446,11 @@ }, "locked": { "dir": "flakes/secrets", - "lastModified": 1766426360, - "narHash": "sha256-QcCko39bjdoSLezpfj4+/HGCyC/XDaomt17Rb8/cG1E=", + "lastModified": 1767566743, + "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", "ref": "refs/heads/master", - "rev": "286f8a1687dd1b2b8c383942a8ee25d8350de892", - "revCount": 967, + "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", + "revCount": 1035, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, diff --git a/hosts/oren/flake.nix b/hosts/oren/flake.nix index daf37c0c..8bcc0f1c 100644 --- a/hosts/oren/flake.nix +++ b/hosts/oren/flake.nix @@ -31,7 +31,7 @@ flatpaks, beszel, ros_neovim, - nixpkgs-unstable, + nixpkgs-unstable, ... }@inputs: let @@ -69,11 +69,9 @@ secrets.nixosModules.default ros_neovim.nixosModules.default - ( - { - ringofstorms-nvim.includeAllRuntimeDependencies = true; - } - ) + ({ + ringofstorms-nvim.includeAllRuntimeDependencies = true; + }) inputs.opencode.nixosModules.default flatpaks.nixosModules.default @@ -92,15 +90,15 @@ common.nixosModules.tty_caps_esc common.nixosModules.zsh common.nixosModules.more_filesystems + common.nixosModules.remote_lio_builds beszel.nixosModules.agent ({ - beszelAgent = { - listen = "${overlayIp}:45876"; - token = "f8a54c41-486b-487a-a78d-a087385c317b"; - }; - } - ) + beszelAgent = { + listen = "${overlayIp}:45876"; + token = "f8a54c41-486b-487a-a78d-a087385c317b"; + }; + }) ./configuration.nix ./hardware-configuration.nix From 8a343a60d403851e58d26588de6f05cc45a34396 Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Sun, 4 Jan 2026 17:33:55 -0600 Subject: [PATCH 3/6] fix ssh config; --- flakes/common/hm_modules/ssh.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flakes/common/hm_modules/ssh.nix b/flakes/common/hm_modules/ssh.nix index fe33b623..bc0b0355 100644 --- a/flakes/common/hm_modules/ssh.nix +++ b/flakes/common/hm_modules/ssh.nix 
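Review bot: In hosts/oren/flake.nix, the `beszelAgent` block on the new side still carries the agent `token` as a string literal. It is therefore committed to the repository and most likely ends up in the Nix store of every host that builds this configuration. This commit re-indents the block, which is a good moment to move the value out. The repo already uses age secrets (`age.secrets.nix2lio.path` in the ssh module), so if the beszel module can read the token from a file, pass a secret path instead and rotate the current value, since it is already in history. Until then a comment such as `# TODO: load from secrets, do not inline` would at least mark it.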
@@ -56,7 +56,7 @@ in user = "josh"; extraOptions = { "PubkeyAcceptedKeyTypes" = "ssh-ed25519"; - "ServerAliveInterval" = 60; + "ServerAliveInterval" = "60"; "IPQoS" = "throughput"; }; }; From 165f87ebc19a48b56008738d01c5e2e5bebbbdfd Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Sun, 4 Jan 2026 18:19:42 -0600 Subject: [PATCH 4/6] fix remote builds --- flakes/common/nix_modules/remote_lio_builds.nix | 1 + hosts/oren/flake.lock | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/flakes/common/nix_modules/remote_lio_builds.nix b/flakes/common/nix_modules/remote_lio_builds.nix index 040ede21..04722cf7 100644 --- a/flakes/common/nix_modules/remote_lio_builds.nix +++ b/flakes/common/nix_modules/remote_lio_builds.nix @@ -29,6 +29,7 @@ in "uid-range" # Often helpful ]; mandatoryFeatures = [ ]; + sshKey = config.age.secrets.nix2lio.path; } ]; }; diff --git a/hosts/oren/flake.lock b/hosts/oren/flake.lock index ae4bda2a..c6956683 100644 --- a/hosts/oren/flake.lock +++ b/hosts/oren/flake.lock @@ -64,11 +64,11 @@ "common": { "locked": { "dir": "flakes/common", - "lastModified": 1767566743, - "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", + "lastModified": 1767569635, + "narHash": "sha256-rVJkob5yTUo9n3vd+YC2u/LDN7Soy3KMDJDGh12ijBg=", "ref": "refs/heads/master", - "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", - "revCount": 1035, + "rev": "8a343a60d403851e58d26588de6f05cc45a34396", + "revCount": 1037, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, From 9bf3d2cc8ee17f95a271cc371c05d8e534337a25 Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Sun, 4 Jan 2026 18:46:33 -0600 Subject: [PATCH 5/6] distributed builds true --- hosts/lio/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/lio/configuration.nix b/hosts/lio/configuration.nix index cb8f9d5c..934447ee 100644 --- a/hosts/lio/configuration.nix +++ b/hosts/lio/configuration.nix 
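Review bot: In remote_lio_builds.nix, the builder entry now has `sshKey` but no `sshUser` and no `publicHostKey`. The connection to `lio` is therefore made as whatever user ssh defaults to (likely root, since the Nix daemon runs as root), and it relies on a known_hosts entry that nothing in this hunk provides. Setting `sshUser = "<builder-user>";` to a dedicated unprivileged account and `publicHostKey = "<base64 of lio's host public key>";` would keep the build key from doubling as a root login and pin the host the key is offered to. Both values are placeholders, and the rest of the `buildMachines` entry lies outside the hunk.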
@@ -34,6 +34,7 @@ users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJN2nsLmAlF6zj5dEBkNSJaqcCya+aB6I0imY8Q5Ew0S nix2lio" ]; + nix.distributedBuilds = true; # Allow emulation of aarch64-linux binaries for cross compiling boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; From 80451ecb9263254eb6235348c539dc5bfd445fab Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Sun, 4 Jan 2026 19:15:23 -0600 Subject: [PATCH 6/6] update --- flakes/common/hm_modules/ssh.nix | 1 + .../common/nix_modules/remote_lio_builds.nix | 1 + hosts/oren/flake.lock | 66 +++++++++---------- 3 files changed, 35 insertions(+), 33 deletions(-) diff --git a/flakes/common/hm_modules/ssh.nix b/flakes/common/hm_modules/ssh.nix index bc0b0355..db4685a8 100644 --- a/flakes/common/hm_modules/ssh.nix +++ b/flakes/common/hm_modules/ssh.nix @@ -33,6 +33,7 @@ in controlMaster = "no"; controlPath = "~/.ssh/master-%r@%n:%p"; controlPersist = "no"; + StrictHostKeyChecking = "accept-new"; }; # EXTERNAL diff --git a/flakes/common/nix_modules/remote_lio_builds.nix b/flakes/common/nix_modules/remote_lio_builds.nix index 04722cf7..aff5e272 100644 --- a/flakes/common/nix_modules/remote_lio_builds.nix +++ b/flakes/common/nix_modules/remote_lio_builds.nix @@ -27,6 +27,7 @@ in "big-parallel" "kvm" "uid-range" # Often helpful + "recursive-nix" ]; mandatoryFeatures = [ ]; sshKey = config.age.secrets.nix2lio.path; diff --git a/hosts/oren/flake.lock b/hosts/oren/flake.lock index c6956683..7d550e14 100644 --- a/hosts/oren/flake.lock +++ b/hosts/oren/flake.lock 
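Review bot: In flakes/common/hm_modules/ssh.nix, `StrictHostKeyChecking = "accept-new"` is added next to `controlMaster`/`controlPath`, which look like typed match-block options. The other raw ssh options in this file go through `extraOptions` (see the `"lio"` block), and an unknown attribute at this level may fail evaluation; `extraOptions."StrictHostKeyChecking" = "accept-new";` would be consistent with them. Placed in what appears to be the catch-all block, it also makes every first connection trust-on-first-use, including the `lio` builder that is offered a private key. Pinning host keys for the machines you own and leaving `accept-new` for the rest would narrow that. The enclosing block starts outside the hunk.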
@@ -31,11 +31,11 @@ }, "locked": { "dir": "flakes/beszel", - "lastModified": 1767566743, - "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", + "lastModified": 1767572382, + "narHash": "sha256-oDoVrmMpww4uY3Ez1XzrHsxJTZmBMiOO/mNrU2njiWQ=", "ref": "refs/heads/master", - "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", - "revCount": 1035, + "rev": "165f87ebc19a48b56008738d01c5e2e5bebbbdfd", + "revCount": 1038, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -47,11 +47,11 @@ }, "beszel-nixpkgs": { "locked": { - "lastModified": 1765472234, - "narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=", + "lastModified": 1767379071, + "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b", + "rev": "fb7944c166a3b630f177938e478f0378e64ce108", "type": "github" }, "original": { @@ -64,11 +64,11 @@ "common": { "locked": { "dir": "flakes/common", - "lastModified": 1767569635, - "narHash": "sha256-rVJkob5yTUo9n3vd+YC2u/LDN7Soy3KMDJDGh12ijBg=", + "lastModified": 1767572382, + "narHash": "sha256-oDoVrmMpww4uY3Ez1XzrHsxJTZmBMiOO/mNrU2njiWQ=", "ref": "refs/heads/master", - "rev": "8a343a60d403851e58d26588de6f05cc45a34396", - "revCount": 1037, + "rev": "165f87ebc19a48b56008738d01c5e2e5bebbbdfd", + "revCount": 1038, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -123,11 +123,11 @@ }, "locked": { "dir": "flakes/de_plasma", - "lastModified": 1767566743, - "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", + "lastModified": 1767572382, + "narHash": "sha256-oDoVrmMpww4uY3Ez1XzrHsxJTZmBMiOO/mNrU2njiWQ=", "ref": "refs/heads/master", - "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", - "revCount": 1035, + "rev": "165f87ebc19a48b56008738d01c5e2e5bebbbdfd", + "revCount": 1038, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, 
@@ -161,11 +161,11 @@ }, "locked": { "dir": "flakes/flatpaks", - "lastModified": 1767566743, - "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", + "lastModified": 1767572382, + "narHash": "sha256-oDoVrmMpww4uY3Ez1XzrHsxJTZmBMiOO/mNrU2njiWQ=", "ref": "refs/heads/master", - "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", - "revCount": 1035, + "rev": "165f87ebc19a48b56008738d01c5e2e5bebbbdfd", + "revCount": 1038, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -321,11 +321,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1767026758, - "narHash": "sha256-7fsac/f7nh/VaKJ/qm3I338+wAJa/3J57cOGpXi0Sbg=", + "lastModified": 1767364772, + "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "346dd96ad74dc4457a9db9de4f4f57dab2e5731d", + "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa", "type": "github" }, "original": { @@ -1237,11 +1237,11 @@ }, "locked": { "dir": "flakes/opencode", - "lastModified": 1767566743, - "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", + "lastModified": 1767572382, + "narHash": "sha256-oDoVrmMpww4uY3Ez1XzrHsxJTZmBMiOO/mNrU2njiWQ=", "ref": "refs/heads/master", - "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", - "revCount": 1035, + "rev": "165f87ebc19a48b56008738d01c5e2e5bebbbdfd", + "revCount": 1038, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -1256,11 +1256,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1767126722, - "narHash": "sha256-bXBpPQ9altAzsuFKhIS83LKwuLIxKJ4gWMAG5xzk+fM=", + "lastModified": 1767556352, + "narHash": "sha256-iYP/fa9guprb2hn8ONJrJe6U076zbeKHdqyyL0gvH8s=", "owner": "sst", "repo": "opencode", - "rev": "3fe5d91372fdf859e09ed5a2aefe359e0648ed10", + "rev": "c545fa2a289518fda35be66d1c81936a54962702", "type": "github" }, "original": { 
@@ -1446,11 +1446,11 @@ }, "locked": { "dir": "flakes/secrets", - "lastModified": 1767566743, - "narHash": "sha256-7YDcKGAXCyOZNZJlmkM1bQnxlSBuvGu8eJWg9MsGJrA=", + "lastModified": 1767572382, + "narHash": "sha256-oDoVrmMpww4uY3Ez1XzrHsxJTZmBMiOO/mNrU2njiWQ=", "ref": "refs/heads/master", - "rev": "0fb5e46e8ffbfa87a8ec07819f27952974471e2b", - "revCount": 1035, + "rev": "165f87ebc19a48b56008738d01c5e2e5bebbbdfd", + "revCount": 1038, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" },