diff --git a/flake.lock b/flake.lock index 53cf028..e9344e0 100644 --- a/flake.lock +++ b/flake.lock @@ -264,6 +264,42 @@ "inputs": { "systems": "systems_7" }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_8" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_9" + }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", @@ -325,7 +361,7 @@ }, "gomod2nix": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_3", "nixpkgs": [ "tangled", "nixpkgs" @@ -392,11 +428,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1774626137, - "narHash": "sha256-1WelwA45Xm4glTG8R9IX9jYeFKDG2HbR79jAauLezUE=", + "lastModified": 1774647770, + "narHash": "sha256-UNNi14XiqRWWjO8ykbFwA5wRwx7EscsC+GItOVpuGjc=", "owner": "nix-community", "repo": "home-manager", - "rev": "9df3a639007cfe0d074433f7fc225ea94f877d08", + "rev": "02371c05a04a2876cf92e2d67a259e8f87399068", "type": "github" }, "original": { 
@@ -406,6 +442,27 @@ } }, "home-manager_4": { + "inputs": { + "nixpkgs": [ + "openclaw", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1767909183, + "narHash": "sha256-u/bcU0xePi5bgNoRsiqSIwaGBwDilKKFTz3g0hqOBAo=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "cd6e96d56ed4b2a779ac73a1227e0bb1519b3509", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_5": { "inputs": { "nixpkgs": [ "zen-browser", @@ -1275,6 +1332,24 @@ "type": "github" } }, + "nix-steipete-tools": { + "inputs": { + "nixpkgs": "nixpkgs_9" + }, + "locked": { + "lastModified": 1773561580, + "narHash": "sha256-wT0bKTp45YnMkc4yXQvk943Zz/rksYiIjEXGdWzxnic=", + "owner": "openclaw", + "repo": "nix-steipete-tools", + "rev": "cd4c429ff3b3aaef9f92e59812cf2baf5704b86f", + "type": "github" + }, + "original": { + "owner": "openclaw", + "repo": "nix-steipete-tools", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1774567711, @@ -1308,6 +1383,38 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1767767207, + "narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5912c1772a44e31bf1c63c0390b90501e5026886", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { + "locked": { + "lastModified": 1771848320, + "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2fc6539b481e1d2569f25f8799236694180c0993", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_12": { "locked": { "lastModified": 1682134069, "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", 
@@ -1321,7 +1428,23 @@ "type": "indirect" } }, - "nixpkgs_11": { + "nixpkgs_13": { + "locked": { + "lastModified": 1771419570, + "narHash": "sha256-bxAlQgre3pcQcaRUm/8A0v/X8d2nhfraWSFqVmMcBcU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6d41bc27aaf7b6a3ba6b169db3bd5d6159cfaa47", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_14": { "locked": { "lastModified": 1773389992, "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=", @@ -1448,16 +1571,16 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1771848320, - "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", - "owner": "nixos", + "lastModified": 1767364772, + "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "2fc6539b481e1d2569f25f8799236694180c0993", + "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -1485,6 +1608,52 @@ "type": "github" } }, + "openclaw": { + "inputs": { + "flake-utils": "flake-utils", + "home-manager": "home-manager_4", + "nix-steipete-tools": "nix-steipete-tools", + "nixpkgs": "nixpkgs_10" + }, + "locked": { + "lastModified": 1773851886, + "narHash": "sha256-+3ygZuf5K8mtSGMMEZ/h+vxGvXCu1CmiB+531KMagH8=", + "owner": "openclaw", + "repo": "nix-openclaw", + "rev": "64d410666821866c565e048a4d07d6cf5d8e494e", + "type": "github" + }, + "original": { + "owner": "openclaw", + "repo": "nix-openclaw", + "type": "github" + } + }, + "pion-webrtc": { + "inputs": { + "flake-utils": [ + "spacebar", + "flake-utils" + ], + "nixpkgs": [ + "spacebar", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1773624569, + "narHash": "sha256-CKfTu9nDD85yv7hHxCKl8tGv4R+/Yj44ANAwvqSO2q4=", + "owner": "spacebarchat", + "repo": "pion-webrtc", + "rev": "5382e83ccbb0305a91b9ae92eae2ee9f5ac39398", + "type": "github" + }, + "original": { + "owner": "spacebarchat", + "repo": "pion-webrtc", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat_2", @@ -1521,8 +1690,11 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_7", "nvf": "nvf", + "openclaw": "openclaw", + "spacebar": "spacebar", "tangled": "tangled", "vscode-server": "vscode-server", + "wafrn": "wafrn", "zen-browser": "zen-browser" } }, @@ -1564,6 +1736,28 @@ "type": "github" } }, + "spacebar": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "pion-webrtc": "pion-webrtc" + }, + "locked": { + "lastModified": 1774630159, + "narHash": "sha256-jWYPNoab9rqCM0Gb+RtTpXfrJ/g4XsnOoy2JwjWhSno=", + "owner": "spacebarchat", + "repo": "server", + "rev": "7c07c9b6fde0d539c5c3a6cf7afc022a9d3b7da6", + "type": "github" + }, + "original": { + "owner": "spacebarchat", + "repo": "server", + "type": "github" + } + }, "sqlite-lib-src": { "flake": false, "locked": { 
@@ -1683,6 +1877,36 @@ "type": "github" } }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_9": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tangled": { "inputs": { "actor-typeahead-src": "actor-typeahead-src", @@ -1696,7 +1920,7 @@ "inter-fonts-src": "inter-fonts-src", "lucide-src": "lucide-src", "mermaid-src": "mermaid-src", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_11", "sqlite-lib-src": "sqlite-lib-src" }, "locked": { @@ -1706,17 +1930,17 @@ "rev": "5a17af77bf13448e49a3b0b00cf93baa7821ce30", "revCount": 2120, "type": "git", - "url": "https://tangled.sh/@tangled.sh/core" + "url": "https://tangled.sh/tangled.sh/core" }, "original": { "type": "git", - "url": "https://tangled.sh/@tangled.sh/core" + "url": "https://tangled.sh/tangled.sh/core" } }, "vscode-server": { "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_10" + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_12" }, "locked": { "lastModified": 1770124655, 
@@ -1732,6 +1956,42 @@ "type": "github" } }, + "wafrn": { + "inputs": { + "nixpkgs": "nixpkgs_13", + "wafrn-src": "wafrn-src" + }, + "locked": { + "lastModified": 1771530828, + "narHash": "sha256-U9gTyZILNGjK4kbSKsR6xPGFV/sjvzDFRreDXWyg5hE=", + "ref": "refs/heads/main", + "rev": "715d83e0a1730b2bb4e649941863ed67d964ad65", + "revCount": 11, + "type": "git", + "url": "https://git.ocbwoy3.dev/kris/wafrn-nix" + }, + "original": { + "type": "git", + "url": "https://git.ocbwoy3.dev/kris/wafrn-nix" + } + }, + "wafrn-src": { + "flake": false, + "locked": { + "lastModified": 1770394446, + "narHash": "sha256-yUGn0HjwEDJOLlwcNP+ZfCjU04x9Y6PkmeahdcEP23A=", + "ref": "main", + "rev": "01e89d8fd0ba56d5781e4671a54531563d1a46c6", + "revCount": 6083, + "type": "git", + "url": "https://codeberg.org/wafrn/wafrn" + }, + "original": { + "ref": "main", + "type": "git", + "url": "https://codeberg.org/wafrn/wafrn" + } + }, "xdph": { "inputs": { "hyprland-protocols": [ @@ -1775,8 +2035,8 @@ }, "zen-browser": { "inputs": { - "home-manager": "home-manager_4", - "nixpkgs": "nixpkgs_11" + "home-manager": "home-manager_5", + "nixpkgs": "nixpkgs_14" }, "locked": { "lastModified": 1774605342, diff --git a/flake.nix b/flake.nix index c06b173..c64d52f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -24,39 +24,35 @@ nvf.url = "github:notashelf/nvf"; # Extras - tangled.url = "git+https://tangled.sh/@tangled.sh/core"; + tangled.url = "git+https://tangled.sh/tangled.sh/core"; + wafrn.url = "git+https://git.ocbwoy3.dev/kris/wafrn-nix"; vscode-server.url = "github:nix-community/nixos-vscode-server"; + spacebar = { + url = "github:spacebarchat/server"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + # slop + openclaw.url = "github:openclaw/nix-openclaw"; }; - # Required by NixOS: - # ./hardware-configuration.nix - - # inputs.home-manager.nixosModules.default - # catppuccin.nixosModules.catppuccin - # nix-flatpak.nixosModules.nix-flatpak - outputs = { self, nixpkgs, ... }@inputs: { nixosConfigurations.default = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; }; modules = [ - # inputs.nixos-hardware.nixosModules.common-gpu-nvidia inputs.home-manager.nixosModules.default inputs.catppuccin.nixosModules.catppuccin inputs.nix-flatpak.nixosModules.nix-flatpak - # inputs.chaotic.nixosModules.default inputs.chaotic.nixosModules.nyx-cache inputs.chaotic.nixosModules.nyx-overlay inputs.chaotic.nixosModules.nyx-registry - # ./hosts/default/hardware-configuration.nix - - # lil hack to not use --impure when rebuilding nixos >:3 "/etc/nixos/hardware-configuration.nix" - ./hosts/default/configuration.nix ]; }; + nixosConfigurations.server = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; 
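Review bot: The new `openclaw` and `wafrn` inputs are declared without `inputs.nixpkgs.follows`, unlike `spacebar` in the same hunk, so each carries its own nixpkgs pin. The flake.lock part of this commit shows `openclaw` resolving to `nixpkgs_10` and `wafrn` to `nixpkgs_13`. Those pins move only when the upstream flake bumps them, so anything built from them can lag the root nixpkgs on security fixes. If the upstream flakes build against the root pin, consider `openclaw = { url = "github:openclaw/nix-openclaw"; inputs.nixpkgs.follows = "nixpkgs"; };` and the same shape for `wafrn`. The `# slop` comment would also be more useful if it said what the input is used for on the server.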
@@ -64,19 +60,23 @@ modules = [ inputs.catppuccin.nixosModules.catppuccin inputs.tangled.nixosModules.knot + inputs.wafrn.nixosModules.default inputs.tangled.nixosModules.spindle inputs.vscode-server.nixosModules.default - inputs.chaotic.nixosModules.nyx-cache inputs.chaotic.nixosModules.nyx-overlay inputs.chaotic.nixosModules.nyx-registry - - # lil hack to not use --impure when rebuilding nixos >:3 - "/etc/nixos/hardware-configuration.nix" - + ./modules/openclaw-user.nix + ./modules/openclaw-sudo.nix + ./modules/openclaw-fs.nix + ./modules/openclaw-docker.nix + ./modules/openclaw-docker-env.nix + ./modules/openclaw-watchdog.nix ./hosts/server/configuration.nix + ./hosts/server/hardware-configuration.nix ]; }; + nixosConfigurations.fix_nixpkgs = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; diff --git a/hosts/default/packages.nix b/hosts/default/packages.nix index bc3be0d..5864909 100644 --- a/hosts/default/packages.nix +++ b/hosts/default/packages.nix @@ -1,14 +1,12 @@ { inputs, config, pkgs, lib, ... }: { - fonts.packages = with pkgs; [ noto-fonts noto-fonts-cjk-sans noto-fonts-emoji monaspace geist-font - # nerdfonts nerd-fonts.geist-mono nerd-fonts.monaspace nerd-fonts.symbols-only 
@@ -19,37 +17,36 @@ environment.sessionVariables.LD_LIBRARY_PATH = "${pkgs.gcc15}/lib"; - security.polkit = { - enable = true; - }; - + security.polkit.enable = true; security.soteria.enable = true; - # surely they should add programs.discord!! environment.systemPackages = with pkgs; [ + mosh (discord.override { withEquicord = true; }) - # hyprland stuff inputs.hyprlock.packages.${pkgs.stdenv.hostPlatform.system}.hyprlock inputs.hyprsysteminfo.packages.${pkgs.stdenv.hostPlatform.system}.hyprsysteminfo - - # minecraft + qemu (writeShellScriptBin "qemu-system-x86_64-uefi" '' qemu-system-x86_64 \ -bios ${OVMF.fd}/FV/OVMF.fd \ "$@" '') - (writeShellScriptBin "regretevator" ''xdg-open roblox://placeId=4972273297'') - (writeShellScriptBin "kaijuparadise" ''xdg-open roblox://placeId=6456351776'') - (writeShellScriptBin "sewh" ''xdg-open roblox://placeId=16991287194'') + (writeShellScriptBin "regretevator" "xdg-open roblox://placeId=4972273297") + (writeShellScriptBin "kaijuparadise" "xdg-open roblox://placeId=6456351776") + (writeShellScriptBin "sewh" "xdg-open roblox://placeId=16991287194") - (writeShellScriptBin "fix-gtk" ''${inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland}/bin/hyprctl dispatch exec "${pkgs.xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk -r"'') + (writeShellScriptBin "fix-gtk" ''${ + inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland + }/bin/hyprctl dispatch exec "${pkgs.xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk -r"'') (callPackage ./apps/wl-shimeji.nix {}) - (writeShellScriptBin "stop-shimejis" ''${inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland}/bin/hyprctl dispatch exec "shimejictl stop"'') - # (writeShellScriptBin "partynoob" ''shimejictl summon PartyNoob'') + (writeShellScriptBin "stop-shimejis" ''${ + inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland + }/bin/hyprctl dispatch exec "shimejictl stop"'') + quickshell kdePackages.qtdeclarative 
catppuccin-gtk @@ -58,7 +55,6 @@ catppuccin-catwalk catppuccin-whiskers mission-center - # nvtopPackages.full libxkbcommon ffmpeg-full gnupg @@ -92,7 +88,6 @@ pypresence pygobject3 ])) - # wrangler fontforge xclip gamescope @@ -122,27 +117,21 @@ playerctl mangohud jq - github-cli file nwg-look - # rhythmbox hyprpolkitagent - # important glib openssl nss - glibc # C LIBRARY DO NOT REMOVE VERY IMPORTANT - gobject-introspection + glibc + gobject-introspection gimp3 mpv nixfmt-rfc-style kdePackages.kdialog - (writeShellScriptBin "roblox-studio-patcher" ''${pkgs.bun}/bin/bun run /etc/nixos/scripts/bin/patchInternalRobloxStudio.ts'') - # firefox-devedition - + (writeShellScriptBin "roblox-studio-patcher" "${pkgs.bun}/bin/bun run /etc/nixos/scripts/bin/patchInternalRobloxStudio.ts") ]; - } diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index b87bd5b..becd920 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix 
@@ -1,84 +1,243 @@ -{ config, pkgs, lib, ... }: - { - imports = [ - ./modules/atproto-pds.nix - ./modules/cloudflare.nix - ./modules/tangled.nix - ../../modules/force.nix - ]; + config, + pkgs, + lib, + ... +}: - # gcc. shit breaks. wtf - environment.sessionVariables.LD_LIBRARY_PATH = "${pkgs.gcc15}/lib"; +let + mkUserService = pkgs.writeShellScriptBin "mk-user-service" '' + set -euo pipefail - services.vscode-server.enable = true; + if [ "$#" -lt 2 ]; then + echo "Usage: mk-user-service " >&2 + exit 1 + fi - systemd.services.ocbwoy3-start-pm2 = { - enable = true; - description = "Start PM2"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "forking"; - User = "ocbwoy3"; - LimitNOFILE = "infinity"; - LimitNPROC = "infinity"; - LimitCORE = "infinity"; - Environment = "PM2_HOME=/home/ocbwoy3/.pm2"; - PIDFile = "/home/ocbwoy3/.pm2/pm2.pid"; - Restart = "on-failure"; + name="$1" + shift - ExecStart = "${pkgs.pm2}/bin/pm2 resurrect"; - ExecReload = "${pkgs.pm2}/bin/pm2 reload all"; - ExecStop = "${pkgs.pm2}/bin/pm2 kill"; - }; - }; + unitDir="''${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user" + unitFile="$unitDir/$name.service" - services.openssh.settings = { - PubkeyAuthentication = "yes"; - TrustedUserCAKeys = "/etc/ssh/ca.pub"; - }; + mkdir -p "$unitDir" - services.openssh = { - enable = lib.mkForce true; - }; + if [ -e "$unitFile" ]; then + echo "Refusing to overwrite existing unit: $unitFile" >&2 + exit 2 + fi - environment.systemPackages = with pkgs; [ - fastfetch - hyfetch - pm2 - steam-run - ]; + cat > "$unitFile" <&2 <<'EOF' + + 🚨🚨🚨 WARNING: DANGEROUS SYSTEM REBUILD 🚨🚨🚨 + This host is FLAKE-MANAGED. Do not attempt to rebuild the system from /etc/nixos. + + Please ensure you are running THIS EXACT COMMAND inside /home/ocbwoy3/config: + + sudo nixos-rebuild switch --flake /home/ocbwoy3/config#server --impure --cores 4 -L --upgrade + + Aborting unsafe nixos-rebuild invocation. 
+ EOF + exit 64 + fi + + exec ${prev.nixos-rebuild}/bin/nixos-rebuild "$@" + ''; + }) + ]; + + virtualisation.docker = { + enable = true; + daemon.settings = { + "log-driver" = "local"; + "log-opts" = { + "max-size" = "10m"; + "max-file" = "3"; + }; + "live-restore" = true; + }; + }; + + systemd.services.docker.serviceConfig = { + CPUQuota = "200%"; + MemoryMax = "12G"; + }; + + services.mongodb = { + enable = true; + enableAuth = false; + package = pkgs.mongodb-ce; + replSetName = "rs0"; # dangerous + bind_ip = "0.0.0.0"; + }; + + networking.firewall = { + enable = true; + allowedTCPPorts = [ + 22 + 443 + 3000 + 3001 + 4067 + 8080 + 25565 + ]; + allowedUDPPorts = [ + 22 + 443 + 3000 + 3001 + 4067 + 8080 + 25565 + ]; + }; + + # Lock /etc/nixos to read-only mode (config lives in /home/ocbwoy3/config). + systemd.tmpfiles.rules = [ + "z /etc/nixos 0555 root root - -" + ]; + + # Force resolver config to Cloudflare only. + networking.nameservers = lib.mkForce [ + "1.1.1.1" + "1.0.0.1" + ]; + environment.etc."resolv.conf".text = lib.mkForce '' + nameserver 1.1.1.1 + nameserver 1.0.0.1 + ''; + + catppuccin = { + enable = true; + flavor = "mocha"; + accent = "blue"; + gitea.enable = false; + }; + + system.stateVersion = "23.05"; # DO NOT TOUCH } diff --git a/hosts/server/hardware-configuration.nix b/hosts/server/hardware-configuration.nix new file mode 100644 index 0000000..e7dc2b3 --- /dev/null +++ b/hosts/server/hardware-configuration.nix 
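Review bot: `services.mongodb` is added with `enableAuth = false` and `bind_ip = "0.0.0.0"`, so the only thing between the database and the network is the firewall list further down in this hunk. That list does not name a MongoDB port, but Docker is enabled in the same hunk, and containers or any later firewall change would reach an unauthenticated instance. Prefer `bind_ip = "127.0.0.1";` or turn authentication on, and replace the `# dangerous` comment with one that says what the risk is. `allowedUDPPorts` repeats the TCP list verbatim, and 3000 is the port the Caddyfile in this commit proxies to on localhost, so opening it appears to expose that backend directly. Trim both lists to the ports that actually need to be reachable.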
@@ -0,0 +1,51 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/5ca305a1-d705-4c99-913c-a2d1c3447282"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/5ca305a1-d705-4c99-913c-a2d1c3447282"; + fsType = "btrfs"; + options = [ "subvol=home" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-uuid/5ca305a1-d705-4c99-913c-a2d1c3447282"; + fsType = "btrfs"; + options = [ "subvol=nix" ]; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/732D-084E"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + # swapDevices = [ { device = "/swap/swapfile"; } ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/server/modules/Caddyfile b/hosts/server/modules/Caddyfile new file mode 100644 index 0000000..3183dca --- /dev/null +++ b/hosts/server/modules/Caddyfile 
@@ -0,0 +1,62 @@ +@favicon path /favicon.ico +handle @favicon { + root * /lib/system-utdr-assets + rewrite * /tenna.ico + header Content-Type "image/vnd.microsoft.icon" # <-- microslop + file_server +} + +@root path / +handle @root { + header Content-Type "text/plain; charset=utf-8" + respond " + +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢈⠈⣾⠀⠀⠀⠀⠀⠀⠀⠀⣰⠎⢈⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠐⠑⣹⠿⣧⠌⠀⠀⠀⠀⠀⣬⠷⣿⠛⠑⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⢀⢈⠀⠀⠀⠀⡱⣿⠌⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣾⣿⣯⢎⢈⢈⣨⣿⣿⣯⢈⢈⢈⣮⣿⣿⠎⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠰⠳⡳⣷⣿⣿⣿⣿⣿⣿⣿⣿⣿⡷⠳⠳⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠱⣦⣌⣌⢌⢈⠈⠀⠀⠢⣷⣿⣿⣿⣿⣿⣿⣿⣿⣿⠯⠂⠀⠀⢈⢈⣌⣌⣬⠶⠁⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⡱⣿⣿⣿⣿⣯⣯⣌⣜⣹⣞⢹⡳⡷⢳⣙⣾⣙⣌⣬⣯⣿⣿⣿⣿⡿⠁⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠰⠷⠳⡷⣿⣿⣿⣿⣿⣿⣿⣯⣮⣿⣿⣿⣿⣿⣿⣿⡿⠷⠳⠷⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣨⣿⡿⠱⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⡱⣷⣯⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣸⣿⠿⠀⠀⠱⣷⣿⣿⣿⣿⣿⣿⣿⠷⠁⠀⠰⣿⣿⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⣨⣿⠿⠀⠀⠀⠀⢀⠈⠙⣿⣿⠟⠉⢈⠀⠀⠀⠀⠰⣿⣯⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⣀⣿⡿⠀⠀⠀⠀⠀⡳⣷⣿⣿⣿⣿⣿⡿⠃⠀⠀⠀⠀⡰⣿⣏⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⣌⣾⠗⠀⠀⠀⠀⠀⠀⠀⢀⣟⡻⡷⣻⣿⠏⠀⠀⠀⠀⠀⠀⠐⣷⣮⠈⠀⠀⠀⠀⠀⠀ +⢀⢈⢈⣈⣮⣼⣿⣿⠗⠀⠀⠀⠀⠀⠀⠀⢀⣽⣿⡿⣮⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠐⣷⣿⣿⣮⣌⢈⢈⢈ +⠀⢙⣿⠁⣈⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⣸⣿⣿⠑⣿⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠑⣿⣏⠈⣱⢟⠉ +⠲⠳⣯⡾⠷⠑⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣿⣿⠏⠀⣿⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠐⠑⡷⣮⠿⠳ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠐⣳⣿⣿⠀⣿⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠐⣷⣿⣯⣿⣿⣿⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡳⣿⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣷⣿⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡳⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ + +This is an AT Protocol Personal Data Server (aka, an atproto PDS) + +Most API routes are under /xrpc/ + + Code: https://github.com/bluesky-social/atproto + Self-Host: https://github.com/bluesky-social/pds + Protocol: https://atproto.com + +As foretold in the prophecy. +" 200 +} + +@robots path /robots.txt +handle @robots { + header Content-Type "text/plain; charset=utf-8" + respond "User-agent: * +Disallow: / +" 200 +} + +handle { + reverse_proxy localhost:3000 { + header_up Host castletown.darkworld.download + } +} diff --git a/hosts/server/modules/atproto-pds.nix b/hosts/server/modules/atproto-pds.nix index 58f2c2d..8d0b24c 100644 --- a/hosts/server/modules/atproto-pds.nix +++ b/hosts/server/modules/atproto-pds.nix 
@@ -1,26 +1,49 @@ -{ config, inputs, pkgs, ... }: +{ + config, + inputs, + pkgs, + ... +}: + +let + systemUtdrAssets = pkgs.callPackage ./system-utdr-assets { }; +in { - - # TODO: - # Upload PDS backup to /var/lib/pds - # and specify secrets in /private/atproto-pds.env - services.bluesky-pds = { - enable = true; - pdsadmin.enable = true; - environmentFiles = [ "/private/atproto-pds.env" ]; - settings = { - PDS_CRAWLERS = "https://bsky.network"; - LOG_ENABLED = "true"; - PDS_HOSTNAME = "pds.ocbwoy3.dev"; - # PDS_VERSION = "\"ATProto PDS v69420\""; - PDS_DID_PLC_URL = "https://plc.directory"; - PDS_CONTACT_EMAIL_ADDRESS = "ocbwoy3@ocbwoy3.dev"; - PDS_PRIVACY_POLICY_URL = "https://ocbwoy3.dev"; - PDS_TERMS_OF_SERVICE_URL = "https://ocbwoy3.dev"; - PDS_ACCEPTING_REPO_IMPORTS = "true"; - }; - }; + # TODO: + # Upload PDS backup to /var/lib/pds + # and specify secrets in /private/atproto-pds.env + + services.bluesky-pds = { + enable = true; + pdsadmin.enable = true; + environmentFiles = [ "/private/atproto-pds.env" ]; + settings = { + PDS_CRAWLERS = "https://bsky.network"; + LOG_ENABLED = "true"; + PDS_HOSTNAME = "castletown.darkworld.download"; + PDS_VERSION = "\"That feeling when Deltarune........ tomorrow! :3\""; + PDS_DID_PLC_URL = "https://plc.directory"; + PDS_CONTACT_EMAIL_ADDRESS = "kris@darkworld.download"; + # PDS_PRIVACY_POLICY_URL = "https://bsky.social/about/support/privacy-policy"; + # PDS_TERMS_OF_SERVICE_URL = "https://bsky.social/about/support/tos"; + PDS_ACCEPTING_REPO_IMPORTS = "true"; + }; + }; + + # Set host header to `localhost` in tunnel settings otherwise you'll end up wasting countless hours of your life + + systemd.tmpfiles.rules = [ + "L+ /lib/system-utdr-assets - - - - ${systemUtdrAssets}/lib/system-utdr-assets" + ]; + + services.caddy = { + enable = true; + globalConfig = '' + auto_https off + ''; + virtualHosts."localhost:80".extraConfig = builtins.readFile ./Caddyfile; + }; } 
diff --git a/hosts/server/modules/cloudflare.nix b/hosts/server/modules/cloudflare.nix index 7d790a8..805e0f2 100644 --- a/hosts/server/modules/cloudflare.nix +++ b/hosts/server/modules/cloudflare.nix @@ -1,21 +1,26 @@ -{ config, inputs, pkgs, ... }: +{ + config, + inputs, + pkgs, + ... +}: { - environment.systemPackages = with pkgs; [ - cloudflared - ]; - - # lib.mkIf (isOCbwoy3 == true) - services.cloudflared = { - enable = true; - tunnels = { - "selfhost" = { - # 2f83f704-e9f7-49fb-a6c4-d4a8f85d87e4 - default = "http_status:404"; - credentialsFile = "/private/cloudflared/selfhost.json"; - }; - }; - }; + environment.systemPackages = with pkgs; [ + cloudflared + ]; + + # lib.mkIf (isOCbwoy3 == true) + services.cloudflared = { + enable = true; + tunnels = { + "selfhost" = { + # 2f83f704-e9f7-49fb-a6c4-d4a8f85d87e4 + default = "http_status:404"; + credentialsFile = "/private/cloudflared/selfhost.json"; + }; + }; + }; } diff --git a/hosts/server/modules/gitea.nix b/hosts/server/modules/gitea.nix new file mode 100644 index 0000000..f55f805 --- /dev/null +++ b/hosts/server/modules/gitea.nix @@ -0,0 +1,34 @@ +{ + config, + pkgs, + lib, + ... +}: + +{ + services.gitea = { + enable = true; + + database = { + type = "postgres"; + }; + + settings = { + server = { + DOMAIN = "git.ocbwoy3.dev"; + ROOT_URL = "https://git.ocbwoy3.dev/"; + HTTP_PORT = 2222; + DISABLE_SSH = true; + MAX_UPLOAD_FILE_SIZE = 5242880; + }; + + attachment = { + MAX_SIZE = 5; # MB (this is the one causing the 1024 KiB error) + }; + + service = { + DISABLE_REGISTRATION = true; + }; + }; + }; +} diff --git a/hosts/server/modules/system-utdr-assets/default.nix b/hosts/server/modules/system-utdr-assets/default.nix new file mode 100644 index 0000000..b92adca --- /dev/null +++ b/hosts/server/modules/system-utdr-assets/default.nix 
@@ -0,0 +1,21 @@ +{ stdenvNoCC, lib }: + +stdenvNoCC.mkDerivation { + pname = "system-utdr-assets"; + version = "1.0.0"; + + src = ./.; + + installPhase = '' + mkdir -p "$out/lib/system-utdr-assets" + cp "$src/tenna.ico" "$out/lib/system-utdr-assets/tenna.ico" + cp "$src/logo.png" "$out/lib/system-utdr-assets/logo.png" + cp "$src/favicon.png" "$out/lib/system-utdr-assets/favicon.png" + ''; + + meta = with lib; { + description = "System Undertale & Deltarune assets"; + license = licenses.unfree; + maintainers = with maintainers; [ ]; + }; +} diff --git a/hosts/server/modules/system-utdr-assets/favicon.png b/hosts/server/modules/system-utdr-assets/favicon.png new file mode 100644 index 0000000..9d3adbf Binary files /dev/null and b/hosts/server/modules/system-utdr-assets/favicon.png differ diff --git a/hosts/server/modules/system-utdr-assets/logo.png b/hosts/server/modules/system-utdr-assets/logo.png new file mode 100644 index 0000000..85dbb09 Binary files /dev/null and b/hosts/server/modules/system-utdr-assets/logo.png differ diff --git a/hosts/server/modules/system-utdr-assets/tenna.ico b/hosts/server/modules/system-utdr-assets/tenna.ico new file mode 100644 index 0000000..d960b91 Binary files /dev/null and b/hosts/server/modules/system-utdr-assets/tenna.ico differ diff --git a/hosts/server/modules/tangled.nix b/hosts/server/modules/tangled.nix index d93ffa2..ae13ce0 100644 --- a/hosts/server/modules/tangled.nix +++ b/hosts/server/modules/tangled.nix 
@@ -1,21 +1,26 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: { - services.tangled-knot = { - enable = true; - server = { - listenAddr = "0.0.0.0:3003"; - owner = "did:plc:s7cesz7cr6ybltaryy4meb6y"; - hostname = "knot.ocbwoy3.dev"; - }; - }; + services.tangled.knot = { + enable = true; + server = { + listenAddr = "0.0.0.0:3003"; + owner = "did:plc:s7cesz7cr6ybltaryy4meb6y"; + hostname = "knot.ocbwoy3.dev"; + }; + }; - services.tangled-spindle = { - enable = true; - server = { - listenAddr = "0.0.0.0:3004"; - owner = "did:plc:s7cesz7cr6ybltaryy4meb6y"; - hostname = "spindle.ocbwoy3.dev"; - }; - }; + services.tangled.spindle = { + enable = true; + server = { + listenAddr = "0.0.0.0:3004"; + owner = "did:plc:s7cesz7cr6ybltaryy4meb6y"; + hostname = "spindle.ocbwoy3.dev"; + }; + }; } diff --git a/hosts/server/modules/vaultwarden.nix b/hosts/server/modules/vaultwarden.nix new file mode 100644 index 0000000..714f46e --- /dev/null +++ b/hosts/server/modules/vaultwarden.nix 
@@ -0,0 +1,44 @@ +{ + config, + pkgs, + lib, + ... +}: + +{ + services.vaultwarden = { + enable = true; + dbBackend = "sqlite"; + environmentFile = "/var/lib/vaultwarden/vaultwarden.env"; + config = { + # Keep data alongside the secret env file so we can back it up together. + DATA_FOLDER = "/var/lib/vaultwarden/data"; + PUSH_RELAY_URI = "https://api.bitwarden.eu"; + PUSH_IDENTITY_URI = "https://identity.bitwarden.eu"; + DOMAIN = "https://vault.ocbwoy3.dev"; + ROCKET_ADDRESS = "0.0.0.0"; + ROCKET_PORT = 8222; + WEBSOCKET_ENABLED = true; + WEBSOCKET_ADDRESS = "0.0.0.0"; + WEBSOCKET_PORT = 3012; + SIGNUPS_ALLOWED = false; + }; + }; + + # Allow vaultwarden to write under /var/lib/vaultwarden and ensure the directories exist. + systemd.services.vaultwarden.serviceConfig = { + ReadWritePaths = [ "/var/lib/vaultwarden" ]; + }; + + # Create parent/data directories with proper ownership before startup. + systemd.tmpfiles.rules = [ + "d /var/lib/vaultwarden 0750 vaultwarden vaultwarden -" + "d /var/lib/vaultwarden/data 0750 vaultwarden vaultwarden -" + ]; + + # cloudflared!! + # networking.firewall.allowedTCPPorts = [ + # 8222 + # 3012 + # ]; +} diff --git a/hosts/server/modules/wafrn.nix b/hosts/server/modules/wafrn.nix new file mode 100644 index 0000000..28c290d --- /dev/null +++ b/hosts/server/modules/wafrn.nix 
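Review bot: `ROCKET_ADDRESS` and `WEBSOCKET_ADDRESS` are set to `0.0.0.0`, although the `# cloudflared!!` comment and the commented-out firewall ports suggest the vault is meant to be reached only through the tunnel on this host. Binding to loopback, `ROCKET_ADDRESS = "127.0.0.1";` and `WEBSOCKET_ADDRESS = "127.0.0.1";`, keeps it off the network even if a firewall rule changes later. The tmpfiles rules create only the directories, so a comment next to `environmentFile` should say that `/var/lib/vaultwarden/vaultwarden.env` has to be provisioned out of band and be readable by the vaultwarden user only.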
@@ -0,0 +1,32 @@ +{ + config, + inputs, + pkgs, + ... +}: + +{ + + # DONT ENABLE YET!! + services.wafrn = { + enable = false; + stateDir = "/var/lib/wafrn"; + secretsFile = "/private/wafrn/secrets.env"; + caddyConfigDir = "/private/wafrn/caddy"; + + # cloudflared doesnt need https + httpPort = 6767; + httpsPort = null; + + environment = { + DOMAIN_NAME = "cyberworld.darkworld.download"; + CACHE_DOMAIN = "cyberworld-cache.darkworld.download"; + MEDIA_DOMAIN = "cyberworld-media.darkworld.download"; + FRONTEND_MEDIA_URL = "https://cyberworld-media.darkworld.download"; + FRONTEND_CACHE_URL = "https://cyberworld-cache.darkworld.download/api/cache?media="; + FRONTEND_FQDN_URL = "https://cyberworld.darkworld.download"; + ACME_EMAIL = "kris@darkworld.download"; + }; + }; + +} diff --git a/hosts/server/modules/zipline.nix b/hosts/server/modules/zipline.nix new file mode 100644 index 0000000..37afd5f --- /dev/null +++ b/hosts/server/modules/zipline.nix @@ -0,0 +1,17 @@ +{ + config, + pkgs, + lib, + ... +}: + +{ + services.zipline = { + enable = true; + environmentFiles = [ "/private/zipline/zipline.env" ]; + settings = { + CORE_HOSTNAME = "127.0.0.1"; + CORE_PORT = 3015; + }; + }; +} diff --git a/hosts/server/slop/brave-shim.nix b/hosts/server/slop/brave-shim.nix new file mode 100644 index 0000000..14decaf --- /dev/null +++ b/hosts/server/slop/brave-shim.nix 
@@ -0,0 +1,201 @@ +{ pkgs }: + +let + pythonEnv = pkgs.python3.withPackages (ps: with ps; [ + fastapi + uvicorn + ddgs + pyyaml + ]); +in +pkgs.stdenvNoCC.mkDerivation { + pname = "brave-shim"; + version = "0.1.0"; + dontUnpack = true; + + installPhase = '' + mkdir -p $out/bin $out/share/brave-shim + + cat > $out/share/brave-shim/brave_shim.conf <<'CONF' +server: + host: "127.0.0.1" + port: 8000 + +ssl: + use_custom_ca: false + ca_bundle_path: "/etc/ssl/certs/ca-certificates.crt" + verify_ssl: true + +logging: + file_path: "/home/openclaw/.local/state/brave-shim/brave_shim.log" + level: "INFO" + +bot_protection: + cache_expiration: 3600 + min_delay: 1.0 + max_delay: 2.5 + +search: + default_count: 10 + local_count: 5 +CONF + + cat > $out/share/brave-shim/brave_shim.py <<'PY' +import time +import random +import yaml +import uvicorn +import logging +import os +import ssl +from fastapi import FastAPI, Query +from ddgs import DDGS +from pathlib import Path + +config_path = Path(os.environ.get("BRAVE_SHIM_CONF", "brave_shim.conf")) +if not config_path.exists(): + raise FileNotFoundError(f"Config not found: {config_path}") + +with open(config_path, "r") as f: + config = yaml.safe_load(f) + +os.makedirs(os.path.dirname(config["logging"]["file_path"]), exist_ok=True) +logging.basicConfig( + level=config['logging']['level'], + format="%(asctime)s [%(levelname)s] %(message)s", + handlers=[logging.FileHandler(config['logging']['file_path'])] +) +logger = logging.getLogger("brave_shim") + +ssl_cfg = config.get('ssl', {}) +verify_ssl = ssl_cfg.get('verify_ssl', True) +custom_ca_status = "System Default" + +if ssl_cfg.get('use_custom_ca'): + ca_path = ssl_cfg['ca_bundle_path'] + if os.path.exists(ca_path): + os.environ["SSL_CERT_FILE"] = ca_path + os.environ["REQUESTS_CA_BUNDLE"] = ca_path + os.environ["CURL_CA_BUNDLE"] = ca_path + + if not verify_ssl: + ssl._create_default_https_context = ssl._create_unverified_context + custom_ca_status = f"Active (Verify=OFF, Path={ca_path})" 
+ logger.warning("SSL verification disabled") + else: + try: + context = ssl.create_default_context(cafile=ca_path) + ssl._create_default_https_context = lambda: context + custom_ca_status = f"Active (Path={ca_path})" + except Exception as e: + logger.error(f"SSL bundle load error: {e}") + else: + logger.error(f"SSL CA bundle not found: {ca_path}") + custom_ca_status = "Error: File not found" + +app = FastAPI(title="Brave Search API Shim", docs_url=None, redoc_url=None) +search_cache = {} + +def get_from_cache(q): + expiration = config['bot_protection']['cache_expiration'] + if q in search_cache: + timestamp, data = search_cache[q] + if time.time() - timestamp < expiration: + return data + return None + +@app.get("/status") +async def health_check(): + return { + "status": "online", + "cache_entries": len(search_cache), + "ssl_verify": verify_ssl, + "ca_bundle": custom_ca_status + } + +@app.get("/res/v1/web/search") +async def search_proxy(q: str = Query(...), count: int = None): + res_count = count or config['search']['default_count'] + cached_res = get_from_cache(q) + if cached_res: + logger.info(f"CACHE HIT: {q}") + return cached_res + + time.sleep(random.uniform(config['bot_protection']['min_delay'], config['bot_protection']['max_delay'])) + logger.info(f"FETCH WEB: {q}") + try: + with DDGS(verify=verify_ssl) as ddgs: + results = [] + for r in ddgs.text(q, max_results=res_count): + results.append({ + "title": r.get("title"), + "url": r.get("href"), + "description": r.get("body"), + "meta_url": {"path": r.get("href")} + }) + + response_data = {"web": {"results": results}} + search_cache[q] = (time.time(), response_data) + return response_data + except Exception as e: + logger.error(f"WEB search error for '{q}': {e}") + return {"web": {"results": []}, "error": str(e)} + +@app.get("/res/v1/local/pois") +async def local_proxy(q: str = Query(...), count: int = None): + res_count = count or config['search']['local_count'] + logger.info(f"FETCH LOCAL: {q}") + try: + 
with DDGS(verify=verify_ssl) as ddgs: + res = [ + { + "id": str(i), + "name": r["title"], + "address": r["body"][:100], + "phone": "", + "coordinates": {"latitude": 0.0, "longitude": 0.0} + } + for i, r in enumerate(ddgs.text(f"place {q}", max_results=res_count)) + ] + return {"results": res} + except Exception as e: + logger.error(f"LOCAL search error for '{q}': {e}") + return {"results": []} + +@app.get("/res/v1/local/descriptions") +async def local_descriptions(id: str = Query(...)): + return {"descriptions": {id: "Data from DDGS proxy."}} + +@app.get("/res/v1/summarizer/summary") +async def summarizer_proxy(key: str = Query(...)): + return {"summary": "Summary ready.", "status": "complete"} + +if __name__ == "__main__": + logger.info(f"Starting brave-shim on {config['server']['host']}:{config['server']['port']}") + uvicorn.run( + app, + host=config['server']['host'], + port=config['server']['port'], + access_log=False, + log_level="critical" + ) +PY + + cat > $out/bin/brave-shim < $out/bin/brave-shim < /dev/tcp/127.0.0.1/22' 2>/dev/null + } + + do_check() { + for i in $(seq 1 6); do + sleep 10 + if check_units && check_ssh; then + notify "**[$HOSTNAME] NixOS switch healthy** — all units OK after rebuild." + exit 0 + fi + done + exit 1 + } + + do_rollback() { + notify "**[$HOSTNAME] ROLLBACK TRIGGERED** — health check failed. Rolling back..." + if nixos-rebuild switch --rollback; then + sleep 15 + if check_units && check_ssh; then + notify "**[$HOSTNAME] Rollback successful** — previous generation restored." + else + notify "**[$HOSTNAME] URGENT — rollback also failed.** Manual intervention needed." + fi + else + notify "**[$HOSTNAME] URGENT — rollback command failed.** Manual intervention needed." + fi + } + + case "''${1:-check}" in + check) do_check ;; + rollback) do_rollback ;; + esac + ''; + }; +} diff --git a/modules/stuff/zsh.nix b/modules/stuff/zsh.nix index c8380d8..bd5065d 100644 --- a/modules/stuff/zsh.nix +++ b/modules/stuff/zsh.nix 
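Review bot: In `brave_shim.py` (the heredoc in brave-shim.nix), `search_cache` is keyed on `q` alone and expired entries are only skipped, never deleted, so the dict grows with every distinct query for the life of the process, and a result cached for one `count` is served for any other. Keying on both values, `search_cache[(q, res_count)] = (time.time(), response_data)` with the same tuple passed to `get_from_cache`, deleting an entry when it is found expired, and capping the number of entries on insert would address both. `count` has no upper bound before it reaches `max_results`; `count: int = Query(None, ge=1, le=20)` would cap it (20 is a constructed value). `search_proxy` is `async def` but calls `time.sleep(...)` and the synchronous `ddgs.text(...)`, which blocks the event loop for every other request while it waits. The wrapper script after `PY` is cut off on this page, so this covers the Python part only.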
@@ -1,28 +1,37 @@ -{ config, inputs, pkgs, lib, ... }: +{ + config, + inputs, + pkgs, + lib, + ... +}: { - programs.direnv = { - enable = true; - enableZshIntegration = true; - }; + programs.direnv = { + enable = true; + enableZshIntegration = true; + }; - programs.zsh = { - enable = true; - autosuggestions.enable = true; - zsh-autoenv.enable = true; - syntaxHighlighting.enable = true; - ohMyZsh = { - enable = true; - plugins = [ "git" "direnv" ]; - theme = "robbyrussell"; - }; - shellAliases = { - # ultimate cpu killer 3000 - nixrebuild = "sudo nixos-rebuild switch --flake .#default --impure --cores 20 -L --upgrade"; - dangerous-nixrebuild-server = "sudo nixos-rebuild switch --flake .#server --impure --cores 4 -L --upgrade"; - neofetch = "fastfetch"; - }; - }; + programs.zsh = { + enable = true; + autosuggestions.enable = true; + zsh-autoenv.enable = true; + syntaxHighlighting.enable = true; + ohMyZsh = { + enable = true; + plugins = [ + "git" + "direnv" + ]; + theme = "robbyrussell"; + }; + shellAliases = { + # ultimate cpu killer 3000 + nixrebuild = "sudo nixos-rebuild switch --flake .#default --impure --cores 20 -L --upgrade"; + dangerous-nixrebuild-server = "sudo nixos-rebuild switch --flake /home/ocbwoy3/config#server --impure --cores 4 -L --upgrade"; + neofetch = "fastfetch"; + }; + }; }
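Review bot: The only functional change in this hunk is that `dangerous-nixrebuild-server` now builds from the fixed path `/home/ocbwoy3/config#server` while `nixrebuild` still uses `.#default`; the rest is re-indentation. Because the alias runs `sudo nixos-rebuild switch` with `--impure`, whatever sits in that checkout at the time becomes the root-activated system, so a comment saying so would help: `# builds as root from this checkout; keep it owned and writable by ocbwoy3 only`. If this module is imported for other users or hosts, the hardcoded home directory will not exist there, so taking the path from an option would be safer than a literal.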