added panoptes-root

.sops.yaml

@@ -0,0 +1,14 @@
+keys:
+  - &john-p14s age1f6drjusg866yscj8029tk4yfpgecklrvezldm02ankm6h8nnwu5s2u6ahy
+  - &john-pc age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
+creation_rules:
+  - path_regex: \.yaml$
+    key_groups:
+    - age:
+      - *john-p14s
+      - *john-pc
+  - path_regex: \.json$
+    key_groups:
+    - age:
+      - *john-p14s
+      - *john-pc

README.md

@@ -40,42 +40,54 @@ nhmu
 
 ```nix
 {
-  description = "Home Manager configuration of john";
+  description = "John's system flake";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    home-manager = {
+    jsl-home = {
-      url = "github:nix-community/home-manager";
+      url = "git+https://gitea.john-stream.com/john/jsl-home?ref=dev";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    john-home-config = {
-      url = "path:/home/john/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
-    };
   };
 
-  outputs =
+  outputs = { self, nixpkgs, ... }@inputs:
-    { nixpkgs, ... }@inputs:
+  let
-    let
+   system = "x86_64-linux";
-      system = "x86_64-linux";
+   nixosSystem = nixpkgs.lib.nixosSystem;
-      pkgs = nixpkgs.legacyPackages.${system};
+   hostName = "john-p14s";
-      homeManagerConfiguration = inputs.home-manager.lib.homeManagerConfiguration;
+  in
-      jslDefault = inputs.john-home-config.homeManagerModules.default;
+  {
-      userName = "john";
+    nixosConfigurations.${hostName} = nixosSystem {
-    in
+      specialArgs =
-    {
+      {
-      homeConfigurations."${userName}" = homeManagerConfiguration {
+        inherit inputs;
-        inherit pkgs;
+        inherit system;
-        modules = [
-          jslDefault {
-            user = "${userName}";
-            # Add any additional configuration here
-          }
-          ./home.nix
-          # Add other home manager modules here
-        ];
       };
+      modules = [
+        ./hardware-configuration.nix
+        ./configuration.nix
+        inputs.jsl-home.nixosModules.default
+        {
+          stateVersion = "24.05";
+          user = "john";
+          root = true;
+          ssh = true;
+          profile = "personal";
+          enableShell = true;
+          _1password = true;
+          docker = true;
+          graphical = {
+            steam = true;
+            vscode = true;
+          };
+          extraImports = [
+            ./home-manager/john.nix
+            ./home-manager/gnome.nix
+            ./home-manager/ssh.nix
+          ];
+        }
+      ];
     };
+  };
 }
 ```

flake.nix

@@ -7,26 +7,102 @@
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    _1password-shell-plugins.url = "github:1Password/shell-plugins";
+    # _1password-shell-plugins.url = "github:1Password/shell-plugins";
+    nixgl = {
+      url = "github:nix-community/nixGL";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { nixpkgs, ... }@inputs:
+  outputs = { self, nixpkgs, ... }@inputs:
     let
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
       lib = pkgs.lib;
+
+      # These will get applied to both the configured user and the root user (if enabled)
+      userOptions = config: {
+        openssh.authorizedKeys = lib.mkIf config.ssh (lib.mkMerge [
+          (lib.mkIf (config.profile == "personal") { keyFiles = [ ./keys/personal ]; })
+          (lib.mkIf (config.profile == "work") { keyFiles = [ ./keys/work ]; })
+        ]);
+        shell = lib.mkIf config.enableShell pkgs.zsh;
+      };
+
+      mkhomeManagerModules = config: [
+        (self.homeManagerModules.default inputs)
+        # { inherit (config) extraImports; }
+        {
+          user = config.user;
+          stateVersion = config.stateVersion;
+          profile = config.profile;
+          enableShell = config.enableShell;
+          ssh = config.ssh;
+          _1password = config._1password;
+          docker = config.docker;
+          graphical = config.graphical;
+        }
+      ] ++ config.extraImports;
+
     in
     {
-      homeManagerModules.default = { ... }: {
+      lib = { inherit mkhomeManagerModules; };
+
+      homeManagerModules.default = inputs: { 
+        imports = [ ./homeManagerModules ]; 
+      };
+
+      nixosModules.default = { config, ... }: {
         imports = [
-          ./options.nix
+          ./nixosModules
-          ./home.nix
+          inputs.home-manager.nixosModules.default
-          ./git.nix
-          inputs._1password-shell-plugins.hmModules.default
         ];
-        nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+        nix.settings.trusted-users = [ "root" "@wheel" ];
-          "1password-cli"
+        users.users.${config.user} = lib.mkMerge [
+          {
+            isNormalUser = true;
+            description = "John Lancaster";
+            extraGroups = []
+            ++ lib.optional config.root "wheel"
+            ++ lib.optional config.docker "docker"
+            ++ lib.optional config.networking.networkmanager.enable "networkmanager";
+          }
+          (userOptions config)
         ];
+
+        users.users.root = lib.mkIf config.root (userOptions config);
+        security.sudo-rs = lib.mkIf config.root {
+          enable = true;
+          execWheelOnly = false;
+          wheelNeedsPassword = false;
+          extraConfig = "Defaults        timestamp_timeout=1440";
+        };
+
+        programs.zsh.enable = lib.mkIf config.enableShell true;
+
+        virtualisation.docker = lib.mkIf config.docker {
+          enable = true;
+          enableOnBoot = true;
+          package = pkgs.docker;
+        };
+
+        home-manager = {
+          useUserPackages = true;
+          extraSpecialArgs = { inherit inputs; nixgl = inputs.nixgl; };
+          users = {
+            ${config.user} = {
+              imports = mkhomeManagerModules config;
+            };
+          } // lib.optionalAttrs config.root {
+            root = {
+              imports = mkhomeManagerModules (config // { user = "root"; });
+            };
+          };
+        };
       };
     };
 }

home.nix

@@ -1,152 +0,0 @@
-{ config, pkgs, lib, inputs, ... }:
-
-{
-  # imports = [
-  #   inputs._1password-shell-plugins.hmModules.default
-  # ];
-  # Home Manager needs a bit of information about you and the paths it should
-  # manage.
-  home.username = config.user;
-  home.homeDirectory = "/home/${config.user}";
-
-  # This value determines the Home Manager release that your configuration is
-  # compatible with. This helps avoid breakage when a new Home Manager release
-  # introduces backwards incompatible changes.
-  #
-  # You should not change this value, even if you update Home Manager. If you do
-  # want to update the value, then make sure to first check the Home Manager
-  # release notes.
-  home.stateVersion = "25.05"; # Please read the comment before changing.
-
-  # The home.packages option allows you to install Nix packages into your
-  # environment.
-  home.packages = with pkgs; [
-    wget
-    curl
-    cacert
-    busybox
-    gnugrep
-    dig
-    eza
-    gdu
-    lazygit
-    btop
-    yazi
-    (writeShellScriptBin "nhmu" ''
-      nix flake update --flake ~/.config/home-manager
-      nix run home-manager -- switch --flake ~/.config/home-manager
-    '')
-    (writeShellScriptBin "test-hm" ''
-      echo "${config.profile}"
-    '')
-
-    # # It is sometimes useful to fine-tune packages, for example, by applying
-    # # overrides. You can do that directly here, just don't forget the
-    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
-    # # fonts?
-    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
-  ];
-
-  # Home Manager is pretty good at managing dotfiles. The primary way to manage
-  # plain files is through 'home.file'.
-  home.file = {
-    # # Building this configuration will create a copy of 'dotfiles/screenrc' in
-    # # the Nix store. Activating the configuration will then make '~/.screenrc' a
-    # # symlink to the Nix store copy.
-    # ".screenrc".source = dotfiles/screenrc;
-
-    # # You can also set the file content immediately.
-    # ".gradle/gradle.properties".text = ''
-    #   org.gradle.console=verbose
-    #   org.gradle.daemon.idletimeout=3600000
-    # '';
-  };
-
-  # Home Manager can also manage your environment variables through
-  # 'home.sessionVariables'. These will be explicitly sourced when using a
-  # shell provided by Home Manager. If you don't want to manage your shell
-  # through Home Manager then you have to manually source 'hm-session-vars.sh'
-  # located at either
-  #
-  #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
-  #
-  # or
-  #
-  #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
-  #
-  # or
-  #
-  #  /etc/profiles/per-user/john/etc/profile.d/hm-session-vars.sh
-  #
-  home.sessionVariables = {
-    # EDITOR = "emacs";
-  };
-
-  # Let Home Manager install and manage itself.
-  programs.home-manager.enable = true;
-
-  programs.zsh = lib.mkIf config.shell {
-    enable = true;
-    enableCompletion = true;
-    autosuggestion.enable = true;
-    syntaxHighlighting.enable = true;
-    oh-my-zsh = {
-      enable = true;
-      theme = "risto";
-      plugins = [
-        "sudo"
-        "dotenv"
-        "git"
-        "ssh"
-        "ssh-agent"
-      ] ++ lib.optional config._1password "1password";
-    };
-    shellAliases.ls = "${pkgs.eza}/bin/eza -lgos type --no-time";
-    # initContent = lib.mkIf config._1password '' 
-    #   source ${config.home.homeDirectory}/.config/op/plugins.sh
-    # '';
-  };
-
-  programs.ssh = lib.mkIf config.ssh {
-    enable = true;
-    extraConfig = ''
-      SetEnv TERM="xterm-256color"
-      ${lib.optionalString config._1password "IdentityAgent ~/.1password/agent.sock"}
-    '';
-    matchBlocks = lib.mkMerge [
-      (lib.mkIf (config.profile == "personal") {
-        "panoptes" = {
-          hostname = "192.168.1.107";
-          user = "panoptes";
-        };
-        "pve5070" = {
-          hostname = "192.168.1.130";
-          user = "root";
-        };
-      })
-      (lib.mkIf (config.profile == "work") {
-        "ubuntu-nvidia" = {
-          hostname = "10.118.46.120";
-          user = "john";
-        };
-      })
-    ];
-  };
-
-  # https://developer.1password.com/docs/cli/shell-plugins/nix/
-  programs._1password-shell-plugins = lib.mkIf config._1password {
-    # enable 1Password shell plugins for bash, zsh, and fish shell
-    enable = true;
-    # the specified packages as well as 1Password CLI will be
-    # automatically installed and configured to use shell plugins
-    # https://developer.1password.com/docs/cli/shell-plugins
-    plugins = with pkgs; [ gh ];
-  };
-  home.file.".config/1Password/ssh/agent.toml" = lib.mkIf config._1password {
-    # https://developer.1password.com/docs/ssh/agent/config
-    text = ''
-      [[ssh-keys]]
-      vault = "Private"
-    '';
-  };
-}

homeManagerModules/default.nix

@@ -0,0 +1,111 @@
+{ inputs, config, pkgs, lib, ... }:
+{
+  # These modules are each responsible for responding appropriately to the options
+  imports = [
+    ./docker.nix
+    ./ghostty.nix
+    ./git.nix
+    ./shell.nix
+    ./sops.nix
+    ./ssh.nix
+    ./vscode.nix
+
+    ../nixosModules/options.nix
+    # inputs._1password-shell-plugins.hmModules.default
+    # Commented out because it tries to configure fish shell which we don't use
+  ];
+
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "1password-cli"
+    "discord"
+    "spotify"
+    "steam"
+    "steam-original"
+    "steam-unwrapped"
+    "steam-run"
+    "sublimetext4"
+    "vscode"
+    "vscode-extension-mhutchie-git-graph"
+    "vscode-extension-ms-vscode-remote-vscode-remote-extensionpack"
+    "vscode-extension-MS-python-vscode-pylance"
+    "vscode-extension-github-copilot"
+  ];
+
+  nixpkgs.config.permittedInsecurePackages = [
+    "openssl-1.1.1w"
+  ];
+
+  # Home Manager needs a bit of information about you and the paths it should
+  # manage.
+  home.username = config.user;
+  home.homeDirectory = lib.mkIf (config.user != "root") "/home/${config.user}";
+  home.stateVersion = config.stateVersion;
+
+  # The home.packages option allows you to install Nix packages into your
+  # environment.
+  home.packages = with pkgs; [
+    wget
+    curl
+    cacert
+    busybox
+    gnugrep
+    dig
+    gdu
+    lazygit
+    btop
+    yazi
+    uv
+    (writeShellScriptBin "nhmu" ''
+      nix flake update --flake ~/.config/home-manager
+      nix run home-manager -- switch --flake ~/.config/home-manager --impure
+    '')
+    # # It is sometimes useful to fine-tune packages, for example, by applying
+    # # overrides. You can do that directly here, just don't forget the
+    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
+    # # fonts?
+    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
+  ]
+  ++ lib.optional config.graphical.discord discord
+  ++ lib.optional config.graphical.joplin joplin-desktop
+  ++ lib.optional config.graphical.sublime sublime4;
+
+  # Home Manager can also manage your environment variables through
+  # 'home.sessionVariables'. These will be explicitly sourced when using a
+  # shell provided by Home Manager. If you don't want to manage your shell
+  # through Home Manager then you have to manually source 'hm-session-vars.sh'
+  # located at either
+  #
+  #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
+  #
+  # or
+  #
+  #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
+  #
+  # or
+  #
+  #  /etc/profiles/per-user/john/etc/profile.d/hm-session-vars.sh
+  #
+  home.sessionVariables = {
+    # EDITOR = "emacs";
+  };
+
+  # Let Home Manager install and manage itself.
+  programs.home-manager.enable = true;
+
+  # # https://developer.1password.com/docs/cli/shell-plugins/nix/
+  # programs._1password-shell-plugins = lib.mkIf config._1password {
+  #   # enable 1Password shell plugins for bash, zsh, and fish shell
+  #   enable = true;
+  #   # the specified packages as well as 1Password CLI will be
+  #   # automatically installed and configured to use shell plugins
+  #   # https://developer.1password.com/docs/cli/shell-plugins
+  #   plugins = with pkgs; [ gh ];
+  # };
+  home.file.".config/1Password/ssh/agent.toml" = lib.mkIf config._1password {
+    # https://developer.1password.com/docs/ssh/agent/config
+    text = ''
+      [[ssh-keys]]
+      vault = "Private"
+    '';
+  };
+}

homeManagerModules/docker.nix

@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+{
+  home.packages = lib.mkIf config.docker (with pkgs; [
+    docker
+    docker-compose
+    lazydocker
+    (pkgs.writeShellScriptBin "test-docker" ''
+      echo "Hello from docker.nix!"
+    '')
+  ]);
+}

homeManagerModules/ghostty.nix

@@ -0,0 +1,117 @@
+{ config, pkgs, lib, nixgl, ... }:
+{
+  home.sessionVariables = lib.mkIf (config.enableShell && config.graphical.ghostty) {
+    TERMINAL = "ghostty";
+  };
+  
+  # nixGL is now provided as a flake input
+  targets.genericLinux.nixGL = {
+    packages = nixgl.packages.${pkgs.system};
+    defaultWrapper = "mesa";
+    installScripts = [ "mesa" ];
+  };
+
+  programs.ghostty = lib.mkIf (config.enableShell && config.graphical.ghostty) {
+    enable = true;
+    enableZshIntegration = true;
+    package = config.lib.nixGL.wrap pkgs.ghostty;
+    settings = {
+      # command = "TERM=xterm-256color /usr/bin/bash";
+      font-size = 12;
+      font-family = "Source Code Pro";
+      # theme = "idleToes";
+      # theme = "CGA";
+      theme = "Catppuccin Mocha";
+      # theme = "CobaltNext";
+      # clipboard-read = "allow";
+      copy-on-select = true;
+      shell-integration = "zsh";
+      shell-integration-features = [ "no-title" "sudo" ];
+      gtk-single-instance = true;
+
+      window-padding-balance = true ;
+      window-padding-x = 5;
+      window-padding-y = 5;
+      initial-window = true;
+      resize-overlay = "never";
+
+      # Example: https://gist.github.com/adibhanna/c552c452fb244b3b721e3c2432e85cde
+      keybind = [
+        "ctrl+s>n=new_split:down"
+        "ctrl+t>n=new_tab"
+        "ctrl+t>1=goto_tab:1"
+        "ctrl+t>2=goto_tab:2"
+        "ctrl+t>3=goto_tab:3"
+        "ctrl+s>i=goto_split:up"
+        "ctrl+s>k=goto_split:down"
+      ];
+
+      # window-position-x = 500;
+      # window-position-y = 500;
+      window-height = 40;
+      window-width = 200;
+    };
+  };
+
+  # https://github.com/ghostty-org/ghostty/discussions/3763#discussioncomment-11699970
+  xdg.desktopEntries."com.mitchellh.ghostty" = lib.mkIf (config.enableShell && config.graphical.ghostty) {
+    name = "Ghostty";
+    type = "Application";
+    comment = "A terminal emulator";
+    exec = "ghostty";
+    icon = "com.mitchellh.ghostty";
+    terminal = false;
+    startupNotify = true;
+    categories = [ "System" "TerminalEmulator" ];
+    settings = {
+      Keywords = "terminal;tty;pty;";
+      X-GNOME-UsesNotifications = "true";
+      X-TerminalArgExec = "-e";
+      X-TerminalArgTitle = "--title=";
+      X-TerminalArgAppId = "--class=";
+      X-TerminalArgDir = "--working-directory=";
+      X-TerminalArgHold = "--wait-after-command";
+    };
+    actions = {
+      new-window = {
+        name = "New Window";
+        exec = "ghostty";
+      };
+    };
+  };
+
+  # https://discourse.nixos.org/t/apps-installed-via-home-manager-are-not-visible-within-gnome/48252/2
+  # home.activation.copyDesktopFiles = lib.hm.dag.entryAfter ["installPackages"] ''
+  #   if [ "$XDG_CURRENT_DESKTOP" = "GNOME" ]; then
+
+  #     mkdir -p "${config.home.homeDirectory}/.local/share/applications"
+
+  #     if [ -d "${config.home.homeDirectory}/.local/share/applications/nix" ]; then
+  #       rm -rf "${config.home.homeDirectory}/.local/share/applications/nix"
+  #     fi
+
+  #     ln -sf "${config.home.homeDirectory}/.nix-profile/share/applications" \
+  #       ${config.home.homeDirectory}/.local/share/applications/nix
+
+  #     mkdir -p "${config.home.homeDirectory}/.local/share/icons"
+
+  #     if [ -d "${config.home.homeDirectory}/.local/share/icons/nix" ]; then
+  #       rm -rf "${config.home.homeDirectory}/.local/share/icons/nix"
+  #     fi
+
+  #     ln -sf "${config.home.homeDirectory}/.nix-profile/share/icons" \
+  #       ${config.home.homeDirectory}/.local/share/icons/nix
+
+  #   fi
+  # '';
+
+  # https://wiki.nixos.org/wiki/GNOME
+  # https://hoverbear.org/blog/declarative-gnome-configuration-in-nixos/#setting-gnome-options
+  # dconf.settings = {
+  #   "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
+  #     "binding" = "<Super>Return";
+  #     "command" = "ghostty";
+  #     "name" = "Terminal";
+  #   };
+  # };
+}

homeManagerModules/git.nix

@@ -3,19 +3,19 @@
   programs.git = lib.mkMerge [
     {
       enable = true;
-      extraConfig = {
+      settings = {
         credential.helper = "store --file ~/.git-credentials";
         init.defaultBranch = "main";
         push.autoSetupRemote = true;
       };
     }
     (lib.mkIf (config.profile == "personal") {
-      userName = "John Lancaster";
+      settings.user.name = "John Lancaster";
-      userEmail = "32917998+jsl12@users.noreply.github.com";
+      settings.user.email = "32917998+jsl12@users.noreply.github.com";
     })
     (lib.mkIf (config.profile == "work") {
-      userName = "John Lancaster";
+      settings.user.name = "John Lancaster";
-      userEmail = "john.lancaster@crowncastle.com";
+      settings.user.email = "john.lancaster@crowncastle.com";
     })
   ];
 }

homeManagerModules/restic/flake.nix

@@ -0,0 +1,46 @@
+{
+  description = "Flake packaging resticprofile with a Home Manager module for programs.resticprofile";
+
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-unstable";  # Use latest Nixpkgs for Go package build
+    home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = { self, nixpkgs, home-manager }:
+    let
+      systems = [ "x86_64-linux" "aarch64-linux" ];
+      # Define a function to build the resticprofile package for a given system:
+      resticprofilePkg = { pkgs, lib, ... }:
+        pkgs.buildGoModule rec {
+          pname = "resticprofile";
+          version = "0.31.0";
+          src = pkgs.fetchFromGitHub {
+            owner = "creativeprojects";
+            repo  = "resticprofile";
+            rev   = "v${version}";
+            sha256 = "sha256-ezelvyroQG1EW3SU63OVHJ/T4qjN5DRllvPIXnei1Z4=";  # source tarball hash
+          };
+          vendorHash = "sha256-M9S6F/Csz7HnOq8PSWjpENKm1704kVx9zDts1ieraTE=";  # Correct vendor hash
+          goPackagePath = "github.com/creativeprojects/resticprofile";
+          doCheck = false;  # Disable tests due to sandboxed build environment
+          meta = with lib; {
+            description = "Configuration profiles manager and scheduler for restic backup";
+            homepage    = "https://creativeprojects.github.io/resticprofile/";
+            license     = licenses.gpl3Only;
+            maintainers = [ ];  # (Add yourself or skip)
+          };
+        };
+    in {
+      # Provide the package for all supported systems:
+      packages = nixpkgs.lib.genAttrs systems (system: 
+        let pkgs = import nixpkgs { inherit system; }; 
+        in { resticprofile = resticprofilePkg { inherit pkgs; lib = pkgs.lib; }; }
+      );
+
+      # Provide the Home Manager module
+      homeManagerModules = {
+        resticprofile = ./resticprofile.nix;
+      };
+    };
+}

homeManagerModules/restic/profiles/base.nix

@@ -0,0 +1,46 @@
+{ lib, config, ... }:
+{
+  base = {
+    repository = "local:/mnt/backup";
+    password-file = "${config.xdg.configHome}/resticprofile/password.txt";
+    status-file = "{{ .ConfigDir }}/backup-status.json";
+    retention = {
+      after-backup = true;
+      keep-last = "10";
+      keep-hourly = "8";
+      keep-daily = "14";
+      keep-weekly = "8";
+    };
+    backup = {
+      verbose = true;
+      exclude = [
+        ".vscode*"
+        ".cache"
+        ".venv"
+        ".pyenv"
+        ".devenv"
+        "data/postgres"
+        "build"
+        "__pycache__"
+        "*.log"
+        "*.egg-info"
+        "*.csv"
+        "*.m4a"
+
+        ".local/share/Steam"
+        ".local/share/Trash"
+        "build"
+        "dist"
+        "/home/*/Pictures"
+        "/home/*/Videos"
+      ];
+      schedule-permission = "user";
+      schedule-priority = "background";
+      check-after = true;
+    };
+    prune = {
+      schedule-permission = "user";
+      schedule-lock-wait = "1h";
+    };
+  };
+}

homeManagerModules/restic/resticprofile.nix

@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkEnableOption mkOption mkPackageOption mkIf types;
+  cfg = config.programs.resticprofile;
+  yamlFormat = pkgs.formats.yaml { };
+  baseProfile = import ./profiles/base.nix { inherit lib config; };
+  profiles = lib.recursiveUpdate baseProfile cfg.profiles;
+in {
+  options.programs.resticprofile = {
+    enable = mkEnableOption "Enable resticprofile (Restic backup profile manager)";
+
+    package = mkPackageOption pkgs "resticprofile" { };
+
+    # Multiple configuration files support
+    profiles = mkOption {
+      type = types.attrsOf yamlFormat.type;
+      default = { };
+      description = ''
+        Multiple configuration files for resticprofile. Each attribute name
+        becomes a YAML file under `$XDG_CONFIG_HOME/resticprofile/`.
+      '';
+      example = {
+        common = {
+          repository = "local:/backup";
+          passwordFile = "password.txt";
+          includes = [ "common.yaml" ];
+          backup = {
+            source = [ "/home/user/Documents" ];
+            schedule = "12:30";
+          };
+          forget = {
+            keep-daily = 7;
+            keep-weekly = 4;
+            keep-monthly = 6;
+            keep-yearly = 2;
+          };
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable (
+    let
+      resticprofileCmd = ''
+        ${cfg.package}/bin/resticprofile --config "${config.xdg.configHome}/resticprofile/profiles.yaml"
+      '';
+    in {
+      # Add a script to manually unschedule and reschedule all resticprofiles
+      home.packages = [
+        cfg.package
+        (pkgs.writeShellScriptBin "rp" ''
+          set -e
+          sudo ${cfg.package}/bin/resticprofile --config "${config.xdg.configHome}/resticprofile/profiles.yaml" $@
+        '')
+        (pkgs.writeShellScriptBin "rps" ''
+          set -e
+          rp unschedule --all
+          rp schedule --all
+        '')
+        (pkgs.writeShellScriptBin "rp-test" "rp run-schedule backup@default --dry-run")
+        (pkgs.writeShellScriptBin "rp-test" "rp run-schedule backup@default --dry-run")
+      ];
+      xdg.configFile."resticprofile/profiles.yaml".source = yamlFormat.generate "profiles" {
+        version = "2";
+        profiles = profiles;
+      };
+    }
+  );
+}

homeManagerModules/shell.nix

@@ -0,0 +1,46 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+  home.packages = with pkgs; [
+    eza
+    (writeShellScriptBin "test-pkgs" ''
+      echo "Hello from ~/.config/home-manager/home.nix!"
+    '')
+  ];
+  programs.zsh = lib.mkIf config.enableShell {
+    enable = true;
+    enableCompletion = true;
+    autosuggestion.enable = true;
+    # syntaxHighlighting.enable = true;
+    history = {
+      append = true;
+      ignoreAllDups = true;
+      ignorePatterns = [
+        "history"
+        "ls"
+        "eza"
+        "clear"
+      ];
+      save = 1000;
+      size = 1000;
+      share = true;
+    };
+    oh-my-zsh = {
+      enable = true;
+      # theme = "risto";
+      theme = "agnoster";
+      plugins = [
+        "sudo"
+        "dotenv"
+        "git"
+        "ssh"
+        "ssh-agent"
+      ] ++ lib.optional config._1password "1password";
+    };
+    shellAliases.ls = "${pkgs.eza}/bin/eza -lgos type --no-time";
+    # initContent = lib.mkIf config._1password '' 
+    #   if [ -f "${config.home.homeDirectory}/.config/op/plugins.sh" ]; then
+    #     source ${config.home.homeDirectory}/.config/op/plugins.sh
+    #   fi
+    # '';
+  };
+}

homeManagerModules/sops.nix

@@ -0,0 +1,50 @@
+{ inputs, config, pkgs, lib, ... }:
+let
+  sopsConfigPath = "${config.xdg.configHome}/home-manager/jsl-home/.sops.yaml";
+  sopsSecretsPath = "${config.xdg.configHome}/home-manager/jsl-home/keys/secrets.yaml";
+in
+{
+  imports = [
+    inputs.sops-nix.homeManagerModules.sops
+  ];
+  sops = {
+    # It's also possible to use a ssh key, but only when it has no password:
+    age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
+    defaultSopsFile = ../keys/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    
+    secrets."api/gmail_client_secret" = { };
+
+    templates."gmail_creds" = {
+      content = ''
+        {
+            "installed": {
+                "client_id": "499012320469-vtml6emu6bmujpsj9lud2b44jqu7h26j.apps.googleusercontent.com",
+                "project_id": "python-apis-423500",
+                "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+                "token_uri": "https://oauth2.googleapis.com/token",
+                "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+                "client_secret": "${config.sops.placeholder."api/gmail_client_secret"}",
+                "redirect_uris": [
+                    "http://localhost"
+                ]
+            }
+        }
+      '';
+      path = "${config.xdg.configHome}/sops-nix/gmail_api_credentials.json";
+    };
+  };
+
+  home.sessionVariables = {
+    GMAIL_CREDS_PATH = "${config.xdg.configHome}/sops-nix/gmail_api_credentials.json";
+  };
+
+  home.packages = with pkgs; [
+    (writeShellScriptBin "edit-secrets" ''
+      ${sops}/bin/sops --config ${sopsConfigPath} ${sopsSecretsPath}
+    '')
+    sops
+    age
+  ];
+  programs.zsh.shellAliases.sops = lib.mkIf config.enableShell "sops --config ${sopsConfigPath}";
+}

homeManagerModules/ssh.nix

@@ -0,0 +1,48 @@
+{ config, lib, ... }:
+{
+  programs.ssh = lib.mkIf config.ssh {
+    enable = true;
+    extraConfig = ''
+      SetEnv TERM="xterm-256color"
+      ${lib.optionalString config._1password "IdentityAgent ~/.1password/agent.sock"}
+    '';
+    matchBlocks = lib.mkMerge [
+      (lib.mkIf (config.profile == "personal") {
+        "ad-nix" = {
+          hostname = "192.168.1.201";
+          user = "appdaemon";
+        };
+        "docs" = {
+          hostname = "192.168.1.110";
+          user = "root";
+        };
+        "hermes" = {
+          hostname = "192.168.1.150";
+          user = "root";
+        };
+        "panoptes" = {
+          hostname = "192.168.1.107";
+          user = "panoptes";
+        };
+        "panoptes-root" = {
+          hostname = "192.168.1.107";
+          user = "root";
+        };
+        "pve5070" = {
+          hostname = "192.168.1.130";
+          user = "root";
+        };
+        "nix-test" = {
+          hostname = "192.168.1.36";
+          user = "john";
+        };
+      })
+      (lib.mkIf (config.profile == "work") {
+        "ubuntu-nvidia" = {
+          hostname = "10.118.46.120";
+          user = "john";
+        };
+      })
+    ];
+  };
+}

homeManagerModules/vscode.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+{
+  programs.vscode = lib.mkIf config.graphical.vscode {
+    enable = true;
+    package = pkgs.vscode;
+    profiles.default.extensions = with pkgs.vscode-extensions; [
+      mhutchie.git-graph
+      ms-vscode-remote.vscode-remote-extensionpack
+      ms-python.python
+      ms-python.vscode-pylance
+      ms-toolsai.jupyter
+      charliermarsh.ruff
+      github.vscode-pull-request-github
+      github.vscode-github-actions
+      github.copilot
+      catppuccin.catppuccin-vsc
+    ];
+  };
+}

keys/personal

@@ -0,0 +1,3 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIaHS9CLiDc6T1tja0fBwwv5qc6iwuckWN6w8MNo5yiR8LPWyrfueowNJkL4HMqu6OEuggtdybGw1Do4sW5o+toHCyWfZf3khI1l15opPXuVpD4CWED+SpJiZ0wBgRaCaWhfxLI+s4JOhjOO2OjiClPX3HfxIHyTpRiR78lOMcIieHSnzrAV2MatYKf6lL2ckOsIPwxo/OVM+1ljjX+HLq9IxGUCpWOnF4nF1rq3gKL2JUh2KsrgrzE3NB7EFuqKm8F0tF2rG3JjSvlwox0h06drKD02lpZWXPOBRlcyFDpNXymmc2bpG0S2Bbj5g+pqNBB0jO0h3kzWvYYqrtU/ElObg1cXhyi0PFOhhptlbhbK0Ao8B+pAbSZ661nMT3jpRWLVbnJrRFnXXdjX08r5eseQ3k4CFpv+g64n7yg3IMo9f8gA9P/hOexR+qu5AQ1Ad/tvkp6pPXnR/zsUnbe4p2A9MaNJm4E1zxbs5VGlXynNikXwDL+spkrnjwdfUULTk= john@JOHN-PC
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFn5ilhqaeDsOWSk7y29se2NvxGm8djlfL3RGLokj0q6 john@john-p14s
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHh9SBuxU2dOJHnpGZAE4cwe0fXcTBBAx+JmRsmIX+Tk8zooeM32vbNxxSXiZNpBGH5wzHNb534dWexGGG3sOaONmcL7SCoPIvaAdnIn5VsiznerLrzppSbx3Qn8eyF97WAGCcOcIUNmTIDDx1m6zG762WQnoaUEy0Ul5IR7ET5GQxP3p5Qwx8yqfixKDwarvV421sUIxYt9gee31jS9jcI3MFd6EL57hWle95Z8BGpR/Q7sXDBTZQWMZauh5NPwLMZS7k3bHgxXZ7WNOw/J/yts1ckBbvIFJSRNnMuWD0oGnDTL6aivGi+Eiswp0fpKzYGzquB3/wr3VU4G1JcMM5 JuiceSSH

keys/secrets.yaml

@@ -0,0 +1,28 @@
+restic_password:
+    john_ubuntu: ENC[AES256_GCM,data:Q4lUaFFDgoK9k4kQj7hSVKaFDGW0T+6V+OpFU5R528R3EKM7YJMgcFX+sK3mWl9XA4/6E1GeINpIqOpx+FP5Cf/8qt9sXBXCmXXSYdA4IH3RS6a1NkcIVjsTMvpn4q/fslCeYN4LB+r4pBGmdca105miqVun8J69cZGwjZ+wuxrMAP+mdnHdSUPycjNWJJzmEa3waQsygAi4A5cAN5sigOPBxe2pCTh/FEKoTgWmzHGJvcjrzuL6wNOpQrkMWwTsHCtbe9dyMP/fQpoBgYDT4W9Rd4XHhbrooje+g3x48EL1rkRIVVNRavpRUih/mjcdJGzzJ6jZmLLcc1f7SZIKZht7f+ZcdZl3rKQB+WanZgK/KAgKBRCrbIk2eeBZwkcRSw5kmGFU7x0azdIipJYj+3KHHQS5S2VW4j2tQG74xK3qaNJcSMjpKmdI1dHcPf0x2ILaDDV9Ts0H4GTOB2zO9iGy7x2tdPd4tugxxk5rr5rphTZL3lgUf0Ri/qMkJh9I8CsjUdvRycHeIEUZPmEVaIqJC2jrd2pBslis5VWD/6PHQBCob07d1fcpIYox4YXM3GcLg3OxiD8nZ7DTzGRMhciZtTKKWbBT8qzPud4ZQvDkT5l+XOpeM13wXFIMa13CwOzYeyWjycED0VQ/i3XRw9+9lg3cosfxaPdaFtv4MjV7Od62G/UJw3OxaQOHM2y24N+Q0pSBoTdDAFwDCH/kcqZji6ZrVTu4Rad8opcILJJcqC+pjegDvBtUdDz+G3/dFiS6m8RYIRb7qB5yEX/lCgzlECmRS2XP8uraNJ5NN8rtk0gdBtaI9/78YyAjLLGkjIcIR4uJA5buCZBR9jIdqf4f52fowbx18VPrwFXN2mYX6mPsKbDmaz0ILHq/I9n8bS/KM7gIQmTw/RAUwnmL4IRu8zHn6nmIqj6d8AkjYx7s6pG8OF8LgfhqZT7tdPKCd+n/HnYn1fZGSw26zHzPd4nKnVV1e3NYvX6CVwVycerGs9elOKtOI8GsrWYyXzJbfC+nWxbHKI/t6sxyzTBrHPR4r6l/CchQF+SfBs5aELKExe7h325qBB2y6EFdkbxTj1tPGqxttp9xJB1LUyNtwsEAkpD44JNqPxZCYHQbeVE3Oo3TYtRUSVWREc1WNIsfSG/anScYUhDEah9YyIdiG+O71QqegunusLoxmpF2rQtx7shtAvJV3skDBB0tFDoQyIV+yPo7kPV0D7Ig+Ba+mk5ASJrT9DXZ53Q2CCTLAuslU4MP7g22RX8rU3s2hFJq8m7wvMwpqa9Tr6O38i1wX4PhG1VRMM8EIlMQnLWWKmni6NbOYiRxFYJMioxH5SyE4ODQYXy5YIuLoRsX8VR6UqJ1GZb7sJf3M1aPOFOHzTN9hnziTRRe1KCMoBrAghrqhvL1VRr9X5PYMxnjBh6o0d5YTN0WOGD2iEVbCzqxFXcxQZBBp4KyNAAhFhGNw8WUp/rVoyCYn7+OEYFspY4FmGMTYhvxbq5LEptXeQgOP2ggBkqsw8sYP9oj1cb4kzBNv8M7nR9kM1EqvZpFV47phoTbBeMY4DZOJodkASFVM5/7ijWy/M9rtWMFMCXKURKkAQJRFADs0KqMJ5osnFFnubX7vKgK736XXF4+wIQuuHqEsYDZ90ftInxq8sYRnb2FZ0EV4yc8qqnz++fjwrAA5EV+zhL6l6hum1zL8JkUJ1ICKZ905If6nIeoul8MY3B1Cz4W+osN2Wtl8OeJ2t3iZx3wk/unVa8uDZH1owu47He68e2V8vpYxOaW4/hLyy/XuL5DukETrhRjC+7GbEaKaCwoA2UwAdqU,iv:N8ek+tp16WiZgjTDxXb0CRXH+MbLsl/oZ/OwcOoVRO0=,tag:uIzCSX0R/EObF/RdWxj64w==,type:str]
+api:
+    gmail_client_secret: ENC[AES256_GCM,data:du2gEY5TQIwpUEvJKDWKY3noLRGeiKek4IMwPUusVx8NMys=,iv:hIYi1xQYf6+hDhK0pNprBYu6wXwRH2yOTwQg6pzQa0A=,tag:sqmQ5GCkKbHpIy2R+Y5G/A==,type:str]
+sops:
+    age:
+        - recipient: age1f6drjusg866yscj8029tk4yfpgecklrvezldm02ankm6h8nnwu5s2u6ahy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWkxDSnlNT2Vua1ZXWC8r
+            SU9UMnhaVXVEVlZGL3dtYTBJSzNGbHVaSTJNCm9ZTFM3RndpRktUcWhwZk1Fc2dk
+            ZGtoWXdoOWVyK1F0YStSS3dsMkg2R28KLS0tIFkrdVFZNlVxRjhPaWdMZXl2elV3
+            TVpyTzFsNFNmd3FNU0tlMnlTOHNTQWsKfKdN4epZokF74bCNr9+jxulZJFBQM83P
+            quMhl+H85My8jAsEeC9CW7y2jdNPJkfk9gHun4ozoW8U7o6y5RLfJg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSakZRUnkraWtId2h3eUhB
+            REpkUHhYMm1MSmtFU2pvd1BpQ0xRTTlCWkZJCkxrTm1sdDBqclJ3RHR6VkllOFpo
+            ZXRtS2lsazRDS2lyRnZmT3FTTjJ6WUUKLS0tIExxNlFoeDhHQ3l5a1VvUHNRWUdw
+            Mms2UEhFSU82UWR5Z1VvU25qenJUQm8KtQeZDIfJIczm1l8ql/WmVEf8KI9dg0vw
+            9rNSjtBkEttVd21zUSOziG4513abllE8NFTkAc1z3HacuXpHTBnd5A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-03T17:03:22Z"
+    mac: ENC[AES256_GCM,data:c3rcMHTRxbnpQoW5eLn0X1aCL1v2ft05UTcHaCuGiCaF3b/loVjEQr30pepBgR07PSleTIi375Y0Rj8ik8Ot3j+Zl5BR32bEtqf6gcWwz6oSmeORDrJS15698d7/avJl82/EC0ZN77j+fcdkWZrCJHb47HGfRxKl9L5HbyWasA4=,iv:g3d3C571uYpTTFixYZg+ztg8jTdof1g6Hb5gtRvpRkk=,tag:8kAxrUwUVeWvpYjWMDE+AA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

nixosModules/default.nix

@@ -0,0 +1,8 @@
+{ inputs, config, pkgs, lib, ... }:
+{
+  imports = [
+    ./options.nix
+    ./scripts.nix
+    ./steam.nix
+  ];
+}

nixosModules/options.nix

@@ -0,0 +1,78 @@
+{ lib, ... }:
+
+{
+  options.user = lib.mkOption {
+    type = lib.types.str;
+    description = "The username for the Home Manager configuration.";
+  };
+
+  # This value determines the Home Manager release that your configuration is
+  # compatible with. This helps avoid breakage when a new Home Manager release
+  # introduces backwards incompatible changes.
+  #
+  # You should not change this value, even if you update Home Manager. If you do
+  # want to update the value, then make sure to first check the Home Manager
+  # release notes.
+  options.stateVersion = lib.mkOption {
+    type = lib.types.str;
+    description = "The state version when the configuration was initially created";
+  };
+
+  options.profile = lib.mkOption {
+    type = lib.types.enum [ "personal" "work" ];
+    default = "personal";
+    description = "Profile type for the Home Manager configuration.";
+  };
+
+  options.root = lib.mkOption {
+    type = lib.types.bool;
+    default = false;
+    description = "Whether enable all the root user stuff";
+  };
+
+  options.enableShell = lib.mkOption {
+    type = lib.types.bool;
+    default = true;
+    description = "Whether to enable all the zsh stuff";
+  };
+
+  options.ssh = lib.mkOption {
+    type = lib.types.bool;
+    default = true;
+    description = "Whether to enable SSH configuration";
+  };
+
+  options._1password = lib.mkOption {
+    type = lib.types.bool;
+    default = false;
+    description = "Whether to enable 1 password stuff";
+  };
+
+  options.extraImports = lib.mkOption {
+    type = lib.types.listOf lib.types.anything;
+    default = [];
+    description = "Additional Home Manager modules to import";
+  };
+
+  options.docker = lib.mkOption {
+    type = lib.types.bool;
+    default = false;
+    description = "Whether to enable docker stuff";
+  };
+
+  options.graphical = 
+    let
+      boolOption = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+      };
+    in
+    {
+      discord = boolOption;
+      ghostty = boolOption;
+      joplin = boolOption;
+      steam = boolOption;
+      sublime = boolOption;
+      vscode = boolOption;
+    };
+}

nixosModules/scripts.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+let
+  hostName = config.networking.hostName;
+in
+{
+  environment.systemPackages = with pkgs; [
+    (pkgs.writeShellScriptBin "nfs" ''
+      sudo nixos-rebuild switch --flake $(readlink -f /etc/nixos)#${hostName} --impure
+    '')
+    (pkgs.writeShellScriptBin "nfsu" ''
+      FLAKE=$(readlink -f /etc/nixos)
+      nix flake update --flake $FLAKE --impure
+      sudo nixos-rebuild switch --flake $FLAKE#${hostName} --impure
+    '')
+    (pkgs.writeShellScriptBin "test-dns" (builtins.readFile ../scripts/test-dns.sh))
+  ];
+}

nixosModules/steam.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+{
+  programs.steam = lib.mkIf config.graphical.steam {
+    enable = true;
+    gamescopeSession.enable = true;
+    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+    localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
+  };
+}

options.nix

@@ -1,32 +0,0 @@
-{ lib, ... }:
-
-{
-  options.user = lib.mkOption {
-    type = lib.types.str;
-    description = "The username for the Home Manager configuration.";
-  };
-
-  options.profile = lib.mkOption {
-    type = lib.types.enum [ "personal" "work" ];
-    default = "personal";
-    description = "Profile type for the Home Manager configuration.";
-  };
-
-  options.shell = lib.mkOption {
-    type = lib.types.bool;
-    default = true;
-    description = "Whether to enable all the zsh stuff";
-  };
-
-  options.ssh = lib.mkOption {
-    type = lib.types.bool;
-    default = true;
-    description = "Whether to enable SSH configuration";
-  };
-
-  options._1password = lib.mkOption {
-    type = lib.types.bool;
-    default = false;
-    description = "Whether to enable 1 password stuff";
-  };
-}

scripts/test-dns.sh

@@ -0,0 +1,110 @@
+#!/usr/bin/env bash
+
+# Function to test DNS resolution for a subdomain
+test_subdomain() {
+    local subdomain="$1"
+    local fqdn="${subdomain}.john-stream.com"
+    
+    echo "========================================"
+    echo "Testing DNS for: $fqdn"
+    echo "========================================"
+    echo ""
+
+    # Test panoptes
+    echo "📍 Testing: panoptes"
+    result=$(dig @panoptes "$fqdn" +short +time=2 +tries=1 2>&1)
+    if [ -n "$result" ]; then
+        echo "   ✅ Resolved to: $result"
+        dig @panoptes "$fqdn" +noall +answer +time=2 +tries=1 | sed 's/^/      /'
+    else
+        echo "   ❌ Failed to resolve"
+    fi
+    echo ""
+    
+    # Test CoreDNS (192.168.1.107)
+    echo "📍 Testing: 192.168.1.107 (CoreDNS)"
+    result=$(dig @192.168.1.107 "$fqdn" +short +time=2 +tries=1 2>&1)
+    if [ -n "$result" ]; then
+        echo "   ✅ Resolved to: $result"
+        dig @192.168.1.107 "$fqdn" +noall +answer +time=2 +tries=1 | sed 's/^/      /'
+    else
+        echo "   ❌ Failed to resolve"
+    fi
+    echo ""
+    
+    # Test Cloudflare DNS (1.1.1.1)
+    echo "📍 Testing: 1.1.1.1 (Cloudflare DNS)"
+    result=$(dig @1.1.1.1 "$fqdn" +short +time=2 +tries=1 2>&1)
+    if [ -n "$result" ]; then
+        echo "   ✅ Resolved to: $result"
+        dig @1.1.1.1 "$fqdn" +noall +answer +time=2 +tries=1 | sed 's/^/      /'
+    else
+        echo "   ❌ Failed to resolve"
+    fi
+    echo ""
+}
+
+# Function to check SSL certificate for the domain
+check_ssl_cert() {
+    local subdomain="$1"
+    local fqdn="${subdomain}.john-stream.com"
+    
+    echo "========================================"
+    echo "SSL Certificate Check for: $fqdn"
+    echo "========================================"
+    echo ""
+    
+    # Check if openssl is available
+    if ! command -v openssl &> /dev/null; then
+        echo "❌ openssl command not found. Please install openssl to check SSL certificates."
+        return 1
+    fi
+    
+    # Try to fetch SSL certificate information
+    echo "📍 Fetching SSL certificate information..."
+    cert_info=$(echo | openssl s_client -servername "$fqdn" -connect "$fqdn:443" 2>/dev/null | openssl x509 -noout -text 2>/dev/null)
+    
+    if [ -z "$cert_info" ]; then
+        echo "   ❌ Failed to retrieve SSL certificate. The domain may not be accessible via HTTPS."
+        return 1
+    fi
+    
+    # Extract and display key certificate information
+    echo "   ✅ SSL certificate found!"
+    echo ""
+    
+    # Get certificate details
+    cert_details=$(echo | openssl s_client -servername "$fqdn" -connect "$fqdn:443" 2>/dev/null | openssl x509 -noout -subject -issuer -dates 2>/dev/null)
+    
+    echo "📋 Certificate Details:"
+    echo "$cert_details" | sed 's/^/   /'
+    echo ""
+    
+    # Check certificate expiration
+    expiry_date=$(echo | openssl s_client -servername "$fqdn" -connect "$fqdn:443" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
+    
+    if [ -n "$expiry_date" ]; then
+        expiry_epoch=$(date -d "$expiry_date" +%s 2>/dev/null)
+        current_epoch=$(date +%s)
+        days_until_expiry=$(( ($expiry_epoch - $current_epoch) / 86400 ))
+        
+        if [ $days_until_expiry -lt 0 ]; then
+            echo "⚠️  Certificate Status: EXPIRED ($days_until_expiry days ago)"
+        elif [ $days_until_expiry -lt 30 ]; then
+            echo "⚠️  Certificate Status: Expiring soon ($days_until_expiry days remaining)"
+        else
+            echo "✅ Certificate Status: Valid ($days_until_expiry days remaining)"
+        fi
+    fi
+    echo ""
+}
+
+# Test the subdomain
+if [ -z "$1" ]; then
+    echo "Usage: $0 <subdomain>"
+    echo "Example: $0 appdaemon"
+    exit 1
+fi
+
+test_subdomain "$1"
+check_ssl_cert "$1"