diff --git a/home/default.nix b/home/default.nix
index 3c46f22..8edb0ac 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -7,6 +7,7 @@
   imports = [
     ./programs/neovim/.
     ./programs/git.nix
+    ./programs/lf/.
     ./programs/zsh.nix
     ./programs/tmux/.
   ];
@@ -39,8 +40,6 @@
     ytfzf
   ];
 
-  programs.yazi.enable = true;
-
   programs.zoxide.enable = true;
 
   programs.rbw = {
@@ -66,7 +65,10 @@
     };
   };
 
-  programs.fzf.enable = true;
+  programs.fzf = {
+    enable = true;
+    enableZshIntegration = true;
+  };
 
   programs.direnv.enable = true;
 }
diff --git a/home/desktop/niri/default.nix b/home/desktop/niri/default.nix
index 05865a5..d2e1d76 100644
--- a/home/desktop/niri/default.nix
+++ b/home/desktop/niri/default.nix
@@ -136,9 +136,6 @@
 
         "XF86AudioMute".action.spawn = ["wpctl" "set-mute" "@DEFAULT_AUDIO_SINK@" "toggle"];
         "XF86AudioMicMute".action.spawn = ["wpctl" "set-mute" "@DEFAULT_AUDIO_SOURCE@" "toggle"];
-        "XF86AudioNext".action.spawn = ["playerctl" "next"];
-        "XF86AudioPrev".action.spawn = ["playerctl" "previous"];
-        "XF86AudioPlay".action.spawn = ["playerctl" "play-pause"];
 
         "XF86MonBrightnessUp".action.spawn = ["brightness" "+10%"];
         "XF86MonBrightnessDown".action.spawn = ["brightness" "10%-"];
diff --git a/home/desktop/utils/waybar.nix b/home/desktop/utils/waybar.nix
index 72756b4..02d90cb 100644
--- a/home/desktop/utils/waybar.nix
+++ b/home/desktop/utils/waybar.nix
@@ -42,8 +42,8 @@
           on-click = "${pkgs.pavucontrol}/bin/pavucontrol";
         };
         mpris = {
-          format = "{player_icon} {title}";
-          format-paused = "⏸️ {player_icon} {title}";
+          format = "{player_icon} {dynamic}";
+          format-paused = "⏸️ {player_icon} {dynamic}";
           player-icons = {
             default = "▶️";
             mpd = "🎵";
diff --git a/home/programs/graphical.nix b/home/programs/graphical.nix
index df550f1..301b503 100644
--- a/home/programs/graphical.nix
+++ b/home/programs/graphical.nix
@@ -1,6 +1,7 @@
 {
   pkgs,
   inputs,
+  user,
   ...
 }: {
   imports = [
@@ -25,7 +26,6 @@
     youtube-music
     transmission_4-gtk
     feishin
-    grayjay
 
     # other
     element-desktop
@@ -68,12 +68,8 @@
     ];
   };
 
-  programs.zed-editor = {
+  programs.chromium = {
     enable = true;
-    extensions = ["tsgo" "nix" "ansible" "helm"];
-    userSettings = {
-      vim_mode = true;
-    };
-    extraPackages = [pkgs.nixd pkgs.vtsls];
+    package = pkgs.brave;
   };
 }
diff --git a/home/programs/zsh.nix b/home/programs/zsh.nix
index 2978de1..dfb2b02 100644
--- a/home/programs/zsh.nix
+++ b/home/programs/zsh.nix
@@ -3,7 +3,6 @@
   config,
   ...
 }: {
-  home.shell.enableZshIntegration = true;
   programs.starship.enable = true;
   programs.zsh = {
     enable = true;
diff --git a/images/demonslayer.png b/images/demonslayer.png
new file mode 100644
index 0000000..51b68eb
Binary files /dev/null and b/images/demonslayer.png differ
diff --git a/images/nier.jpg b/images/nier.jpg
new file mode 100644
index 0000000..f832f96
Binary files /dev/null and b/images/nier.jpg differ
diff --git a/images/nier2.jpg b/images/nier2.jpg
new file mode 100644
index 0000000..3fbca6c
Binary files /dev/null and b/images/nier2.jpg differ
diff --git a/images/nix-soft.png b/images/nix-soft.png
new file mode 100644
index 0000000..3e252b8
Binary files /dev/null and b/images/nix-soft.png differ
diff --git a/lib/mkconf.nix b/lib/mkconf.nix
index 972a413..93f6100 100644
--- a/lib/mkconf.nix
+++ b/lib/mkconf.nix
@@ -20,7 +20,6 @@ in
       ++ [
         home-manager.nixosModules.home-manager
         sops-nix.nixosModules.sops
-        ../nixos/modules/predicate.nix
         {
           home-manager = {
             useGlobalPkgs = true;
diff --git a/lib/nixvim.nix b/lib/nixvim.nix
index 1248388..1b26adb 100644
--- a/lib/nixvim.nix
+++ b/lib/nixvim.nix
@@ -28,7 +28,6 @@ in {
     scrolloff = 4;
     smoothscroll = true;
     ignorecase = true;
-    winborder = "rounded";
 
     undofile = true;
     undodir = lua ''vim.fn.expand("$HOME/.local/share/nvim/undo")'';
@@ -73,10 +72,10 @@ in {
       options.desc = "copy to clipboard";
     }
     {
-      mode = "n";
-      options.desc = "LSP Format";
-      key = "<leader>cf";
-      action = luaFunc "vim.lsp.buf.format({async = true;})";
+      key = "<leader>ca";
+      action = ''
+        require("actions-preview").code_actions
+      '';
     }
     {
       key = "<C-Tab>";
@@ -284,6 +283,9 @@ in {
       inlayHints = true;
       servers = {
         ts_ls.enable = true;
+        eslint = {
+          enable = true;
+        };
         nixd = {
           enable = true;
           settings = {
diff --git a/nixos/modules/predicate.nix b/nixos/modules/predicate.nix
deleted file mode 100644
index 586f13c..0000000
--- a/nixos/modules/predicate.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}: {
-  options = {
-    allowUnfreePkgNames = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-    };
-  };
-
-  config = {
-    nixpkgs.config.allowUnfreePredicate = pkg:
-      builtins.elem (lib.getName pkg) config.allowUnfreePkgNames;
-  };
-}
diff --git a/nixos/modules/work.nix b/nixos/modules/work.nix
index cd358c3..f22246a 100644
--- a/nixos/modules/work.nix
+++ b/nixos/modules/work.nix
@@ -6,13 +6,14 @@
 }: let
   user = config.user;
 in {
-  allowUnfreePkgNames = [
-    # nonfree vscode required for dev containers
-    "vscode"
-    "steam-run"
-    "postman"
-    "drawio" # the creator had a hissyfit over a negative review: https://github.com/jgraph/drawio/discussions/4623
-  ];
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg) [
+      # nonfree vscode required for dev containers
+      "vscode"
+      "steam-run"
+      "postman"
+      "drawio" # the creator had a hissyfit over a negative review: https://github.com/jgraph/drawio/discussions/4623
+    ];
 
   nixpkgs.config.permittedInsecurePackages = [
     "openssl-1.1.1w" # required for mongodb
diff --git a/nixos/programs/gamer.nix b/nixos/programs/gamer.nix
index 7356755..62452f1 100644
--- a/nixos/programs/gamer.nix
+++ b/nixos/programs/gamer.nix
@@ -1,11 +1,16 @@
-{...}: {
-  allowUnfreePkgNames = [
-    "steam"
-    "steam-unwrapped"
-    "steam-run"
-    "steam-original"
-    "osu-lazer"
-  ];
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg) [
+      "steam"
+      "steam-unwrapped"
+      "steam-run"
+      "steam-original"
+      "osu-lazer"
+    ];
   programs.steam = {
     enable = true;
     remotePlay.openFirewall = true;
diff --git a/nixos/services/arr.nix b/nixos/services/arr.nix
index e4c344e..833614f 100644
--- a/nixos/services/arr.nix
+++ b/nixos/services/arr.nix
@@ -1,20 +1,20 @@
-{
-  config,
-  lib,
-  user,
-  ...
-}: let
+{config, lib, user, ...}: let
   inherit (config) sops;
   inherit (sops) templates placeholder;
 in {
+  nixpkgs.config.permittedInsecurePackages = [
+    "aspnetcore-runtime-6.0.36"
+    "aspnetcore-runtime-wrapped-6.0.36"
+    "dotnet-sdk-6.0.428"
+    "dotnet-sdk-wrapped-6.0.428"
+  ];
   users.users.${user}.extraGroups = ["media"];
   users.groups.media = {
     gid = 979;
   };
-  services.prowlarr = {
+  services.jackett = {
     enable = true;
   };
-  services.flaresolverr.enable = true;
   services.lidarr = {
     enable = true;
     group = "media";
@@ -27,13 +27,21 @@ in {
     enable = true;
     group = "media";
   };
-  services.bazarr = {
-    enable = true;
-    group = "media";
-  };
   services.jellyseerr.enable = true;
+  sops.secrets.sonarr-sslkey = {
+    sopsFile = ../../certs/alpine.prawn-justice.ts.net.key;
+    format = "binary";
+    owner = "nginx";
+  };
+  # this was fun to figure out, but pointless atm.
+  services.nginx.virtualHosts."alpine.prawn-justice.ts.net" = {
+    forceSSL = true;
+    sslCertificateKey = config.sops.secrets.sonarr-sslkey.path;
+    sslCertificate = ../../certs/alpine.prawn-justice.ts.net.crt;
+  };
   # probably easier if i just put this in a nixos-container
   virtualisation.oci-containers.containers.transmission = {
+    autoStart = false;
     image = "docker.io/haugene/transmission-openvpn:5.3.2";
     ports = ["9091:9091"];
     volumes = [
@@ -41,7 +49,7 @@ in {
       "/home/tristan/pods/transmission/config:/config"
       "/mnt/storage/media/unsorted:/data/completed"
     ];
-    environmentFiles = [templates."transmission/env".path];
+    environmentFiles = [ templates."transmission/env".path ];
     environment = {
       PUID = "1000";
       PGID = toString config.users.groups.media.gid;
@@ -71,43 +79,4 @@ in {
       OPENVPN_PASSWORD=${placeholder."transmission/auth/OPENVPN_PASSWORD"}
     '';
   };
-
-  sops.secrets."sonarr/api_key" = {};
-  sops.secrets."radarr/api_key" = {};
-  sops.secrets."prowlarr/api_key" = {};
-  services.prometheus.exporters.exportarr-sonarr = {
-    enable = true;
-    url = "http://localhost:${toString config.services.sonarr.settings.server.port}/sonarr";
-    port = 9708;
-    apiKeyFile = config.sops.secrets."sonarr/api_key".path;
-  };
-  services.prometheus.exporters.exportarr-radarr = {
-    enable = true;
-    url = "http://localhost:${toString config.services.radarr.settings.server.port}";
-    port = 9709;
-    apiKeyFile = config.sops.secrets."radarr/api_key".path;
-  };
-  services.prometheus.exporters.exportarr-prowlarr = {
-    enable = true;
-    url = "http://localhost:${toString config.services.prowlarr.settings.server.port}";
-    port = 9710;
-    apiKeyFile = config.sops.secrets."prowlarr/api_key".path;
-  };
-  services.prometheus = {
-    enable = true;
-    scrapeConfigs = [
-      {
-        job_name = "exportarr";
-        static_configs = [
-          {
-            targets = [
-              "localhost:${toString config.services.prometheus.exporters.exportarr-radarr.port}"
-              "localhost:${toString config.services.prometheus.exporters.exportarr-sonarr.port}"
-              "localhost:${toString config.services.prometheus.exporters.exportarr-prowlarr.port}"
-            ];
-          }
-        ];
-      }
-    ];
-  };
 }
diff --git a/nixos/services/prometheus.nix b/nixos/services/prometheus.nix
index bae5c9f..8581e70 100644
--- a/nixos/services/prometheus.nix
+++ b/nixos/services/prometheus.nix
@@ -29,34 +29,28 @@ in {
     ];
     rules = [
       (builtins.toJSON {
-        groups = [
-          {
-            name = "node";
-            rules = [
-              {
-                alert = "io error";
-                expr = ''node_filesystem_device_error{device_error!="permission denied"} > 0'';
-              }
-              {
-                alert = "disk full";
-                expr = ''node_filesystem_avail_bytes{fstype=~"ext4|btrfs"} < ${toString (50 * 1024 * 1024 * 1024)}'';
-              }
-            ];
-          }
-        ];
+        groups = [{
+          name = "node";
+          rules = [
+            {
+              alert = "io error";
+              expr = ''node_filesystem_device_error{device_error!="permission denied"} > 0'';
+            }
+            {
+              alert = "disk full";
+              expr = ''node_filesystem_avail_bytes{fstype=~"ext4|btrfs"} < ${toString (50 * 1024 * 1024 * 1024)}'';
+            }
+          ];
+        }];
       })
     ];
-    alertmanagers = [
-      {
-        static_configs = [
-          {
-            targets = [
-              "localhost:9093"
-            ];
-          }
+    alertmanagers = [ {
+      static_configs = [ {
+        targets = [
+          "localhost:9093"
         ];
-      }
-    ];
+      } ];
+    } ];
     exporters = {
       postgres = {
         enable = true;
@@ -64,35 +58,39 @@ in {
       };
     };
     alertmanager = {
-      enable = false;
+      enable = true;
       configuration = {
-        route = {
-          receiver = "alertmanager-ntfy";
-          routes = [{
-            matchers = [
-              ''node_filesystem_device_error != 0''
-            ];
+        receivers = [{
+          name = "ntfy";
+          webhook_configs = [{
+            url = "http://localhost${config.services.ntfy-sh.settings.listen-http}/alert/trigger";
           }];
+        }];
+        route = {
+          receiver = "ntfy";
+          # routes = [{
+          #   matchers = [
+          #     ''node_filesystem_device_error != 0''
+          #   ];
+          # }];
         };
       };
     };
-    alertmanager-ntfy = {
-      enable = false;
-      settings = {
-        ntfy = {
-          baseurl = "https://up.tristans.cloud";
-          notification = {
-            topic = "alert";
-          };
-        };
-      };
-    };
+    # alertmanager-ntfy = {
+    #   enable = true;
+    #   settings = {
+    #     ntfy = {
+    #       baseurl = "https://up.tristans.cloud";
+    #       notification = {
+    #         topic = "alert";
+    #       };
+    #     };
+    #   };
+    # };
   };
-  services.grafana.provision.datasources.settings.datasources = [
-    {
-      name = "Prometheus";
-      type = "prometheus";
-      url = "http://localhost:${toString prometheus.port}";
-    }
-  ];
+  services.grafana.provision.datasources.settings.datasources = [{
+    name = "Prometheus";
+    type = "prometheus";
+    url = "http://localhost:${toString prometheus.port}";
+  }];
 }
diff --git a/nixos/services/samba.nix b/nixos/services/samba.nix
index 8c8cf05..e1e0fb8 100644
--- a/nixos/services/samba.nix
+++ b/nixos/services/samba.nix
@@ -21,7 +21,7 @@
         "map to guest" = "bad user";
       };
       "Music" = {
-        "path" = "/mnt/storage/media/Music";
+        "path" = "/mnt/storage/media/Public/";
         "browseable" = "yes";
         "read only" = "no";
         "guest ok" = "yes";
diff --git a/nixos/workstation.nix b/nixos/workstation.nix
index 3667716..5e6c633 100644
--- a/nixos/workstation.nix
+++ b/nixos/workstation.nix
@@ -102,8 +102,4 @@
   services.udev.extraRules = ''
     KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", ATTRS{idProduct}=="0e60", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
   '';
-
-  allowUnfreePkgNames = [
-    "grayjay"
-  ];
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 8af60d8..7ef2c52 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -33,13 +33,11 @@ transmission:
         OPENVPN_USERNAME: ENC[AES256_GCM,data:RQ+hGLE6YEgN/aaa2TLpkg==,iv:oG794WxGe0t1ZI0PyC45ZgCPA0Ar2m/dSVDdMYBKJvY=,tag:CGnEu8ds0s4aH4ImCrNWNQ==,type:str]
         OPENVPN_PASSWORD: ENC[AES256_GCM,data:Jw==,iv:uGAaXFWfpSaeqY7yC9cR9iqblH3E3hudnrnIlOvdRCg=,tag:P1XJ2SBY82z9YZP9J/n5SA==,type:str]
 namecheap: ENC[AES256_GCM,data:PTEQK8+G1FfmvRk9IxrAZjCAhiKdV0AA+JxaJRZvbHU=,iv:xTrJzPooM0xzs9xgkNGWKRzRHeIIhMGa8EYW2/41ZvA=,tag:KHdLKuip439QNeAiBwreqg==,type:str]
-sonarr:
-    api_key: ENC[AES256_GCM,data:mBq+ndbhDtErh/sytTybutes7btHMIkg6wT9C7t4M9I=,iv:JicYavIQJpnmYbFpO+AVOTwrp2DeOB5xWBROwSYNF4Y=,tag:xmlaKpdn8A9s/HpdsBR+0g==,type:str]
-radarr:
-    api_key: ENC[AES256_GCM,data:iHDX/wLjde/6dj6+ORJaAnFCzXn82DXUWy3yh6fkmiQ=,iv:NcgRPa6Cy9tKLKYJ4OGr2cdW5smvpHbiXtBYJlEqOfw=,tag:BJ1YeMLXrhuDrZKsB5Z4YQ==,type:str]
-prowlarr:
-    api_key: ENC[AES256_GCM,data:p1KRHilxv8qSy8NEKQlBy8ppXDxmQDeZXAzRYyc7psA=,iv:HyK3YEKLvE01fLCkxR89G96uViAegIPi7Xb43mFeWlQ=,tag:B8pNOT9+2rPUqVL+rTDRHg==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
         - recipient: age106vffwu4y8cx90y0rtzajgpafl8jq7ty5hf6pur2gjsuq3g2lf5qjmdq0q
           enc: |
@@ -50,7 +48,8 @@ sops:
             S3ZwcHhkdEEvY0pINDloand5S0NycHcKEpIt5EeIKhLQK7f74sWVN/x5gzh/Jq7x
             UUN5QtysRbWVGnWRxdNB8LIMjDJY9jRojycdQfSNebaz5ZLjEp8dZQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-19T18:47:49Z"
-    mac: ENC[AES256_GCM,data:xgsPA3TDBZ4C6aQVYoamOz2fi2iEaiUtT2eOFUnldBB4Wt+YNM4b4RVavXnlND1vOat9FtRzjmvI1rlkxoPV95tZz4B4QDfH/LUBWCwiOnZdLwrd4W0VWJLSxcX/hAmZ7qnGMpA7/G/0d45A2y0yMHJ3KGfqTsCikE/MPwrQbkg=,iv:1GEIIYygolYOGfS2LG1CmZCnacLaeOfBw+TGeh713DQ=,tag:E7mrU7xK2Zppq9QCwKdveQ==,type:str]
+    lastmodified: "2025-01-18T02:00:29Z"
+    mac: ENC[AES256_GCM,data:x3J0tRfNynM2qlB4YUUAUMYI/94opN1kJ1j0kOyeZ1GZHx+EA4dQZif4nPQOERo+5xRt8C4YXVDZEnCjD1TpQE6LYik0n0iY+84sY5fSr2SYiXzq2P72Tk7BzBklI9/zjndeJLJbydTJDMzOCvdEWIfHYZsHODnKXBO9pYwjAqU=,iv:z+QD93t72S2w0CqMV5sQk9oK9LMnQAxyaiExmqEcSp0=,tag:dbtyHUQ+n2EQvHEkQa7zrw==,type:str]
+    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.9.2