rosenthal: ai-robots-txt: Update to 1.40.

* modules/rosenthal/packages/web.scm (ai-robots-txt): Update to 1.40.
rosenthal: Add alloy-bin-aarch64-linux.
2026-04-03 00:14:20 +00:00 · 2025-09-16 20:54:14 +08:00 · 2025-09-15 21:56:27 +08:00 · 2025-09-15 21:30:29 +08:00 · 2025-09-15 21:30:20 +08:00 · 2025-09-15 21:30:03 +08:00
19 changed files with 3092 additions and 505 deletions
--- a/10
+++ b/10
@ -6,6 +6,16 @@
 (channel-news
 (version 0)
 (entry                                 ;2025-09-05
  (commit "c171b73ae7e66e55b4fc60422bc030c5aade444c")
  (title (en "Manual intervention required for Caddy service change")
         (zh "Caddy 服務改動需要人爲干預"))
  (body (en "@code{caddy-service-type} has switched to @code{etc-service-type}
 to set up Caddy configuration file.  Please remove the existing
@file{/etc/caddy} directory before system reconfiguration.")
        (zh "@code{caddy-service-type} 已改爲使用 @code{etc-service-type} 設置
 配置文件。請在重新配置系統前刪除已有的 @file{/etc/caddy} 目錄。")))
 (entry                                 ;2024-12-08
  (commit "162defb8388b4099f6ae8699ec8872f845a2481e")
  (title (en "Hyprland upstreamed")
--- a/README.org
+++ b/README.org
@ -3,13 +3,17 @@
 #+TITLE: Rosenthal - A certain Guix channel
-Rosenthal is a Guix channel (see [[https://guix.gnu.org/manual/devel/en/html_node/Channels.html][Channels]] in /GNU Guix Reference Manual/) created for experiments.  It currently holds some packages and services not ready for upstreaming to [[https://guix.gnu.org/][GNU Guix]].
+Rosenthal is a Guix channel (see [[https://guix.gnu.org/manual/devel/en/html_node/Channels.html][Channels]] in /GNU Guix Reference Manual/)
 created for experiments.  It currently holds some packages and services not
 ready for upstreaming to [[https://guix.gnu.org/][GNU Guix]].
-You can use [[https://toys.whereis.social/][toys]] to search packages and services from Rosenthal and other Guix channels.
+You can use [[https://toys.whereis.social/][toys]] to search packages and services from Rosenthal and other Guix
 channels.
-Note that all contents in this channel are subject to change and may be deleted **at any time**, please [[https://codeberg.org/hako/Rosenthal/issues][report an issue]] if you are affected.
+Note that all contents in this channel are subject to change and may be deleted
 **at any time**, please [[https://codeberg.org/hako/Rosenthal/issues][report an issue]] if you are affected.
-Channel definition:
+Channel specification:
 #+begin_src scheme
  (channel
   (name 'rosenthal)
@ -22,7 +26,13 @@ Channel definition:
      "13E7 6CD6 E649 C28C 3385  4DF5 5E5A A665 6149 17F7"))))
 #+end_src
-For configuration, see [[https://guix.gnu.org/manual/devel/en/html_node/Specifying-Additional-Channels.html][Specifying Additional Channels]], [[https://guix.gnu.org/manual/devel/en/html_node/Customizing-the-System_002dWide-Guix.html][Customizing the System-Wide Guix]] and [[https://guix.gnu.org/manual/devel/en/html_node/Guix-Home-Services.html#index-home_002dchannels_002dservice_002dtype][~home-channels-service-type~]] in /GNU Guix Reference Manual/.
+For configuration, see [[https://guix.gnu.org/manual/devel/en/html_node/Specifying-Additional-Channels.html][Specifying Additional Channels]], [[https://guix.gnu.org/manual/devel/en/html_node/Customizing-the-System_002dWide-Guix.html][Customizing the
 System-Wide Guix]] and [[https://guix.gnu.org/manual/devel/en/html_node/Guix-Home-Services.html#index-home_002dchannels_002dservice_002dtype][~home-channels-service-type~]] in /GNU Guix Reference
 Manual/.
 This channel provides substitutes built by [[https://ci.guix.moe/][Guix Moe CI]], see [[https://ultrarare.space/en/posts/guix-build-farm/][its blog post]] for
 setup and more information.  [[https://codeberg.org/hako/Testament/issues][Send a request]] if you'd like to see substitutes
 available for more channels.
 Wiki: https://codeberg.org/hako/Rosenthal/wiki
--- a/modules/rosenthal/examples/niri.kdl
+++ b/modules/rosenthal/examples/niri.kdl
@ -5,11 +5,11 @@
 // This config is in the KDL format: https://kdl.dev
 // "/-" comments out the following node.
 // Check the wiki for a full description of the configuration:
-// https://github.com/YaLTeR/niri/wiki/Configuration:-Overview
+// https://yalter.github.io/niri/Configuration:-Introduction
 // Input device configuration.
 // Find the full list of options on the wiki:
-// https://github.com/YaLTeR/niri/wiki/Configuration:-Input
+// https://yalter.github.io/niri/Configuration:-Input
 input {
    keyboard {
        xkb {
@ -19,18 +19,28 @@ input {
            // For example:
            // layout "us,ru"
            // options "grp:win_space_toggle,compose:ralt,ctrl:nocaps"
            // If this section is empty, niri will fetch xkb settings
            // from org.freedesktop.locale1. You can control these using
            // localectl set-x11-keymap.
        }
        // Enable numlock on startup, omitting this setting disables it.
        numlock
        repeat-delay 300
        repeat-rate 30
    }
    // Next sections include libinput settings.
    // Omitting settings disables them, or leaves them at their default values.
    // All commented-out settings here are examples, not defaults.
    touchpad {
        // off
        tap
        // dwt
        // dwtp
        // drag false
        // drag-lock
        natural-scroll
        // accel-speed 0.2
@ -54,6 +64,7 @@ input {
        // accel-profile "flat"
        // scroll-method "on-button-down"
        // scroll-button 273
        // scroll-button-lock
        // middle-emulation
    }
@ -69,7 +80,7 @@ input {
 // by running `niri msg outputs` while inside a niri instance.
 // The built-in laptop monitor is usually called "eDP-1".
 // Find more information on the wiki:
-// https://github.com/YaLTeR/niri/wiki/Configuration:-Outputs
+// https://yalter.github.io/niri/Configuration:-Outputs
 // Remember to uncomment the node by removing "/-"!
 /-output "eDP-1" {
    // Uncomment this line to disable this output.
@ -104,7 +115,7 @@ input {
 // Settings that influence how windows are positioned and sized.
 // Find more information on the wiki:
-// https://github.com/YaLTeR/niri/wiki/Configuration:-Layout
+// https://yalter.github.io/niri/Configuration:-Layout
 layout {
    // Set gaps around windows in logical pixels.
    gaps 16
@ -166,6 +177,9 @@ layout {
        active-color "#7fc8ff"
        // Color of the ring on inactive monitors.
        //
        // The focus ring only draws around the active window, so the only place
        // where you can see its inactive-color is on other monitors.
        inactive-color "#505050"
        // You can also use gradients. They take precedence over solid colors.
@ -175,7 +189,7 @@ layout {
        // You can use any CSS linear-gradient tool on the web to set these up.
        // Changing the color space is also supported, check the wiki for more info.
        //
-        // active-gradient from="#80c8ff" to="#bbddff" angle=45
+        // active-gradient from="#80c8ff" to="#c7ff7f" angle=45
        // You can also color the gradient relative to the entire view
        // of the workspace, rather than relative to just the window itself.
@ -194,7 +208,14 @@ layout {
        active-color "#ffc87f"
        inactive-color "#505050"
-        // active-gradient from="#ffbb66" to="#ffc880" angle=45 relative-to="workspace-view"
+        // Color of the border around windows that request your attention.
        urgent-color "#9b0000"
        // Gradients can use a few different interpolation color spaces.
        // For example, this is a pastel rainbow gradient via in="oklch longer hue".
        //
        // active-gradient from="#e5989b" to="#ffb4a2" angle=45 relative-to="workspace-view" in="oklch longer hue"
        // inactive-gradient from="#505050" to="#808080" angle=45 relative-to="workspace-view"
    }
@ -252,7 +273,17 @@ layout {
 // Note that running niri as a session supports xdg-desktop-autostart,
 // which may be more convenient to use.
 // See the binds section below for more spawn examples.
-// spawn-at-startup "foot" "fish"
+
 // This line starts waybar, a commonly used bar for Wayland compositors.
 // spawn-at-startup "waybar"
 // To run a shell command (with variables, pipes, etc.), use spawn-sh-at-startup:
 // spawn-sh-at-startup "qs -c ~/source/qs/MyAwesomeShell"
 hotkey-overlay {
    // Uncomment this line to disable the "Important Hotkeys" pop-up at startup.
    // skip-at-startup
 }
 // Uncomment this line to ask the clients to omit their client-side decorations if possible.
 // If the client will specifically ask for CSD, the request will be honored.
@ -271,7 +302,7 @@ screenshot-path "~/Screenshot from %Y-%m-%d %H-%M-%S.png"
 // Animation settings.
 // The wiki explains how to configure individual animations:
-// https://github.com/YaLTeR/niri/wiki/Configuration:-Animations
+// https://yalter.github.io/niri/Configuration:-Animations
 animations {
    // Uncomment to turn off all animations.
    // off
@ -282,7 +313,7 @@ animations {
 // Window rules let you adjust behavior for individual windows.
 // Find more information on the wiki:
-// https://github.com/YaLTeR/niri/wiki/Configuration:-Window-Rules
+// https://yalter.github.io/niri/Configuration:-Window-Rules
 // Work around WezTerm's initial configure bug
 // by setting an empty default-column-width.
@ -338,26 +369,35 @@ binds {
    Mod+Shift+Slash { show-hotkey-overlay; }
    // Suggested binds for running programs: terminal, app launcher, screen locker.
-    Mod+T { spawn "foot"; }
+    Mod+T hotkey-overlay-title="Open a Terminal: foot" { spawn "foot"; }
-    Mod+D { spawn "rofi" "-show" "drun"; }
+    Mod+D hotkey-overlay-title="Run an Application: rofi" { spawn "rofi" "-show" "drun"; }
-    // Super+Alt+L { spawn "swaylock"; }
+    // Super+Alt+L hotkey-overlay-title="Lock the Screen: swaylock" { spawn "swaylock"; }
-    // You can also use a shell. Do this if you need pipes, multiple commands, etc.
+    // Use spawn-sh to run a shell command. Do this if you need pipes, multiple commands, etc.
-    // Note: the entire command goes as a single argument in the end.
+    // Note: the entire command goes as a single argument. It's passed verbatim to `sh -c`.
-    // Mod+T { spawn "bash" "-c" "notify-send hello && exec foot"; }
+    // For example, this is a standard bind to toggle the screen reader (orca).
    Super+Alt+S allow-when-locked=true hotkey-overlay-title=null { spawn-sh "pkill orca || exec orca"; }
    // Example volume keys mappings for PipeWire & WirePlumber.
    // The allow-when-locked=true property makes them work even when the session is locked.
-    XF86AudioRaiseVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.1+"; }
+    // Using spawn-sh allows to pass multiple arguments together with the command.
-    XF86AudioLowerVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.1-"; }
+    XF86AudioRaiseVolume allow-when-locked=true { spawn-sh "wpctl set-volume @DEFAULT_AUDIO_SINK@ 0.1+"; }
-    XF86AudioMute        allow-when-locked=true { spawn "wpctl" "set-mute" "@DEFAULT_AUDIO_SINK@" "toggle"; }
+    XF86AudioLowerVolume allow-when-locked=true { spawn-sh "wpctl set-volume @DEFAULT_AUDIO_SINK@ 0.1-"; }
-    XF86AudioMicMute     allow-when-locked=true { spawn "wpctl" "set-mute" "@DEFAULT_AUDIO_SOURCE@" "toggle"; }
+    XF86AudioMute        allow-when-locked=true { spawn-sh "wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"; }
    XF86AudioMicMute     allow-when-locked=true { spawn-sh "wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"; }
    // Example brightness key mappings for light.
    // You can use regular spawn with multiple arguments too (to avoid going through "sh"),
    // but you need to manually put each argument in separate "" quotes.
    XF86MonBrightnessUp   allow-when-locked=true { spawn "light" "-A" "10"; }
    XF86MonBrightnessDown allow-when-locked=true { spawn "light" "-U" "10"; }
-    Mod+Q { close-window; }
+    // Open/close the Overview: a zoomed-out view of workspaces and windows.
    // You can also move the mouse into the top-left hot corner,
    // or do a four-finger swipe up on a touchpad.
    Mod+O repeat=false { toggle-overview; }
    Mod+Q repeat=false { close-window; }
    Mod+Left  { focus-column-left; }
    Mod+Down  { focus-window-down; }
@ -462,8 +502,8 @@ binds {
    // These binds are also affected by touchpad's natural-scroll, so these
    // example binds are "inverted", since we have natural-scroll enabled for
    // touchpads by default.
-    // Mod+TouchpadScrollDown { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.02+"; }
+    // Mod+TouchpadScrollDown { spawn-sh "wpctl set-volume @DEFAULT_AUDIO_SINK@ 0.02+"; }
-    // Mod+TouchpadScrollUp   { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.02-"; }
+    // Mod+TouchpadScrollUp   { spawn-sh "wpctl set-volume @DEFAULT_AUDIO_SINK@ 0.02-"; }
    // You can refer to workspaces by index. However, keep in mind that
    // niri is a dynamic workspace system, so these commands are kind of
@ -510,6 +550,8 @@ binds {
    Mod+Period { expel-window-from-column; }
    Mod+R { switch-preset-column-width; }
    // Cycling through the presets in reverse order is also possible.
    // Mod+R { switch-preset-column-width-back; }
    Mod+Shift+R { switch-preset-window-height; }
    Mod+Ctrl+R { reset-window-height; }
    Mod+F { maximize-column; }
@ -521,6 +563,9 @@ binds {
    Mod+C { center-column; }
    // Center all fully visible columns on screen.
    Mod+Ctrl+C { center-visible-columns; }
    // Finer width adjustments.
    // This command can also:
    // * set width in pixels: "1000"
@ -576,11 +621,10 @@ binds {
    Mod+Shift+P { power-off-monitors; }
 }
 // Rootless Xwayland support
 spawn-at-startup "xwayland-satellite" ":233"
 environment {
    DISPLAY ":233"
 }
 // Start user Shepherd
 spawn-at-startup "sh" "-c" "pgrep --uid $USER shepherd > /dev/null || shepherd"
 overview {
    backdrop-color "#D2DEE9"
 }
--- a/modules/rosenthal/packages/binaries.scm
+++ b/modules/rosenthal/packages/binaries.scm
@ -9,6 +9,7 @@
  #:use-module (guix deprecation)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix build-system copy)
  #:use-module (gnu build icecat-extension)
  #:use-module (gnu packages base)
@ -28,18 +29,6 @@
 (define license
  (@@ (guix licenses) license))
 (define-public atuin-bin
  (deprecated-package "atuin-bin" atuin))
 (define-public hugo-bin
  (deprecated-package "hugo-bin" hugo))
 (define-public mihomo-bin
  (deprecated-package "mihomo-bin" mihomo))
 (define-public clash-meta-bin
  (deprecated-package "clash-meta-bin" mihomo-bin))
 (define-public cloudflare-warp-bin
  (package
    (name "cloudflare-warp-bin")
@ -153,6 +142,7 @@ exec ~a -jar ~a $@~%"
   (description
    "Komga is a media server for your comics, mangas, BDs, magazines and
 eBooks.")
   (supported-systems '("x86_64-linux"))
   (license license:expat)
   (properties '((upstream-name . "komga")
                 (disable-updater? . #t)))))
@ -238,12 +228,6 @@ monster-in-the-middle}.")
    (properties '((upstream-name . "shadow-tls")
                  (disable-updater? . #t)))))
 (define-public sing-box-bin
  (deprecated-package "sing-box-bin" sing-box))
 (define-public tailscale-bin
  (deprecated-package "tailscale-bin" tailscale))
 (define-public wakapi-bin
  (package
    (name "wakapi-bin")
@ -295,3 +279,179 @@ to WakaTime, which is used by all WakaTime text editor plugins.")
    (license license:bsd-3)
    (properties '((upstream-name . "wakatime-cli")
                  (disable-updater? . #t)))))
 (define-public grafana-bin
  (package
    (name "grafana-bin")
    (version "12.1.1")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://dl.grafana.com/grafana/release/"
                                  version "/grafana_" version "_" "16903967602"
                                  "_linux_amd64.tar.gz"))
              (sha256
               (base32
                "056jj4ww1l36y77v9qmqhgsg7lsr328bhp7y48c6l125cal1snl2"))))
    (build-system copy-build-system)
    (arguments
     (list #:install-plan
           #~'(("bin" "bin")
               ("conf" "share/grafana/")
               ("public" "share/grafana/"))))
    (synopsis "Platform for monitoring and observability")
    (description
     "Grafana allows you to query, visualize, alert on and understand your
 metrics no matter where they are stored.")
    (home-page "https://grafana.com/")
    (license license:agpl3)
    (supported-systems '("x86_64-linux"))
    (properties '((upstream-name . "grafana")
                  (disable-updater? . #t)))))
 (define-public prometheus-bin
  (package
    (name "prometheus-bin")
    (version "3.5.0")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://github.com/prometheus/prometheus"
                                  "/releases/download/v" version
                                  "/prometheus-" version ".linux-amd64.tar.gz"))
              (sha256
               (base32
                "16pk8s5lsrvzlqsrhdpmrw98nq8vyqa87wm417xjm0kdy9x844g8"))))
    (build-system copy-build-system)
    (arguments
     (list #:install-plan
           #~'(("prometheus" "bin/")
               ("promtool" "bin/")
               ("prometheus.yml" "etc/"))))
    (synopsis "Monitoring system and time series database")
    (description
     "Prometheus is a systems and service monitoring system.  It collects
 metrics from configured targets at given intervals, evaluates rule expressions,
 displays the results, and can trigger alerts when specified conditions are
 observed.")
    (home-page "https://prometheus.io/")
    (license license:asl2.0)
    (supported-systems '("x86_64-linux"))
    (properties '((upstream-name . "prometheus")))))
 (define-public mimir-bin
  (package
    (name "mimir-bin")
    (version "2.17.1")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/grafana/mimir/releases/download/mimir-"
                    version "/mimir-linux-amd64"))
              (sha256
               (base32
                "1vnrpzwyjz7plzdiih65853ndvg64a9n1x1i7jqr085byhpayp82"))))
    (build-system copy-build-system)
    (arguments
     (list #:phases
           #~(modify-phases %standard-phases
               (replace 'install
                 (lambda* (#:key source #:allow-other-keys)
                   (let ((name "mimir")
                         (dest (in-vicinity #$output "bin")))
                     (mkdir-p dest)
                     (with-directory-excursion dest
                       (copy-file source name)
                       (chmod name #o555))))))))
    (synopsis "Scalable long-term storage for Prometheus")
    (description
     "Grafana Mimir provides horizontally scalable, highly available,
 multi-tenant, long-term storage for Prometheus.")
    (home-page "https://grafana.com/oss/mimir/")
    (license license:agpl3)
    (supported-systems '("x86_64-linux"))
    (properties '((upstream-name . "mimir")
                  (disable-updater? . #t)))))
 (define-public loki-bin
  (package
    (name "loki-bin")
    (version "3.5.4")
    (source (origin
              (method url-fetch/zipbomb)
              (uri (string-append
                    "https://github.com/grafana/loki/releases/download/v"
                    version "/loki-linux-amd64.zip"))
              (sha256
               (base32
                "1z1z60ki4zavijw0idpard0xx38q8140wv2hykxb3rikb05z0frk"))))
    (build-system copy-build-system)
    (arguments
     (list #:install-plan
           #~'(("loki-linux-amd64" "bin/loki"))))
    (synopsis "Log aggregation system")
    (description
     "Loki is a horizontally scalable, highly available, multi-tenant log
 aggregation system inspired by Prometheus.  It is designed to be very cost
 effective and easy to operate.  It does not index the contents of the logs, but
 rather a set of labels for each log stream.")
    (home-page "https://grafana.com/oss/loki/")
    (license license:agpl3)
    (supported-systems '("x86_64-linux"))
    (properties '((upstream-name . "loki")
                  (disable-updater? . #t)))))
 (define-public alloy-bin
  (package
    (name "alloy-bin")
    (version "1.10.2")
    (source (origin
              (method url-fetch/zipbomb)
              (uri (string-append
                    "https://github.com/grafana/alloy/releases/download/v"
                    version "/alloy-linux-amd64.zip"))
              (sha256
               (base32
                "03hwmnkx2awxlfw3ixplfnwzx7n1x624n1yw6cgky4hhjz13d3i8"))))
    (build-system copy-build-system)
    (arguments
     (list #:install-plan
           #~'(("alloy-linux-amd64" "bin/alloy"))
           #:phases
           #~(modify-phases %standard-phases
               (add-after 'install 'patch-elf
                 (lambda* (#:key inputs #:allow-other-keys)
                   (let ((name "alloy")
                         (dest (in-vicinity #$output "bin"))
                         (ld.so (search-input-file inputs #$(glibc-dynamic-linker))))
                     (with-directory-excursion dest
                       (invoke "patchelf" "--set-interpreter" ld.so name))))))))
    (native-inputs (list patchelf))
    (synopsis
     "OpenTelemetry Collector distribution with programmable pipelines")
    (description
     "Grafana Alloy is an open source OpenTelemetry Collector distribution with
 built-in Prometheus pipelines and support for metrics, logs, traces, and
 profiles.")
    (home-page "https://grafana.com/oss/alloy-opentelemetry-collector/")
    (license license:agpl3)
    (supported-systems '("x86_64-linux"))
    (properties '((upstream-name . "alloy")
                  (disable-updater? . #t)))))
 (define-public alloy-bin-aarch64-linux
  (package
    (inherit alloy-bin)
    (name "alloy-bin-aarch64-linux")
    (version "1.10.2")
    (source (origin
              (method url-fetch/zipbomb)
              (uri (string-append
                    "https://github.com/grafana/alloy/releases/download/v"
                    version "/alloy-linux-arm64.zip"))
              (sha256
               (base32
                "1gnfdhs8rxyn18swy1kv1f2lbsj6abjlhrgaibsj2a87swgcyvjg"))))
    (arguments
     (substitute-keyword-arguments (package-arguments alloy-bin)
       ((#:install-plan _ ''())
        #~'(("alloy-linux-arm64" "bin/alloy")))))
    (supported-systems '("aarch64-linux"))))
--- a/modules/rosenthal/packages/ci.scm
+++ b/modules/rosenthal/packages/ci.scm
@ -8,22 +8,3 @@
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (gnu packages ci))
 (define-public cuirass/hako
  (let ((commit "ccc11de138b5c15990551ad6cc883aeb15a8f80c")
        (revision "2"))
    (package
      (inherit cuirass)
      (name "cuirass-hako")
      (version (git-version "1.2.0" revision commit))
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://codeberg.org/guix/cuirass.git")
               (commit commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32
           "1yxfss23pkr39ymrcw3injqm05aqczhkyjrn79qkfakwi2bqismm"))))
      (properties '((disable-updater? . #t))))))
--- a/modules/rosenthal/packages/golang.scm
+++ b/modules/rosenthal/packages/golang.scm
@ -0,0 +1,36 @@
 (define-module (rosenthal packages golang)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix gexp)
  #:use-module (guix packages)
  #:use-module (guix utils)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (rosenthal utils download)
  #:use-module (rosenthal utils cargo)
  #:use-module (guix build-system cargo)
  #:use-module (guix build-system copy)
  #:use-module (guix build-system go)
  #:use-module (gnu packages golang)
  #:use-module (gnu packages image)
  #:use-module (gnu packages jemalloc)
  #:use-module (gnu packages web)
  #:use-module (gnu packages version-control))
 (define-public go-1.25
  (package
    (inherit go-1.24)
    (name "go")
    (version "1.25.1")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/golang/go")
             (commit (string-append "go" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "1pc6ybdsd2v6rviylmmdzns3v0ramrcbhn935ikff39shpij4xp4"))))
    ;; TODO
    (arguments
     (substitute-keyword-arguments (package-arguments go-1.24)
       ((#:tests? _ #t) #f)))))
--- a/modules/rosenthal/packages/networking.scm
+++ b/modules/rosenthal/packages/networking.scm
@ -139,7 +139,7 @@ bypass network restrictions." )
 (define-public sing-box
  (package
    (name "sing-box")
-    (version "1.12.3")
+    (version "1.12.4")
    (source (origin
              (method git-fetch)
              (uri (git-reference
@ -148,7 +148,7 @@ bypass network restrictions." )
              (file-name (git-file-name name version))
              (sha256
               (base32
-                "1253dbdixq936y3f5gw72an1l25pinzdqqnz1i9983ajxc5l4y1q"))))
+                "0izhria2rh4cvybghb0yfll5bibahvffgj5fhncx3frk6arrmkix"))))
    (build-system go-build-system)
    (arguments
     (list
@ -216,7 +216,7 @@ bypass network restrictions." )
              (file-name "vendored-go-dependencies")
              (sha256
               (base32
-                "1dbw0p8mmhxh715x7r9kwy5dribl3pa979fpfa98ayyynvd0zxb3"))))
+                "0plnpg70zmdspqqb609lvx5kncn7iccindygjmasq6myvy37bwi3"))))
      (if (%current-target-system)
          (list this-package)
          '())))
--- a/modules/rosenthal/packages/package-management.scm
+++ b/modules/rosenthal/packages/package-management.scm
@ -10,12 +10,14 @@
  #:use-module (rosenthal utils packages)
  #:use-module (gnu packages package-management))
-(define-public guix/hako
+(define-public guix/dolly
  (package
    (inherit
     (package-with-extra-patches guix
-       (rosenthal-patches "guix-change-publish-cache-storage.patch")))
+       (rosenthal-patches "guix-change-publish-cache-storage.patch"
-    (name "guix-hako")
+                          "guix-allow-out-of-tree-modules-in-initrd.patch"
                          "guix-wip-zfs-boot-support.patch")))
    (name "guix-dolly")
    (arguments
     (substitute-keyword-arguments (package-arguments guix)
       ((#:tests? _ #t) #f)
--- a/modules/rosenthal/packages/patches/guix-allow-out-of-tree-modules-in-initrd.patch
+++ b/modules/rosenthal/packages/patches/guix-allow-out-of-tree-modules-in-initrd.patch
@ -0,0 +1,270 @@
 From 4323514d1b259a0dd61572e3c0859fab4250d297 Mon Sep 17 00:00:00 2001
 Message-ID: <4323514d1b259a0dd61572e3c0859fab4250d297.1757725903.git.hako@ultrarare.space>
 From: Brian Cully <bjc@spork.org>
 Date: Sun, 16 Feb 2025 21:52:45 +0900
 Subject: [PATCH] Allow copying of out-of-tree modules to the Linux initrd.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 With this patch, modules for ‘initrd-modules’ will not only be searched for in
 the in-tree Linux modules, but also any additional modules specified in
 ‘kernel-loadable-modules’.
 * gnu/build/linux-modules.scm (find-module-file): Change DIRECTORY argument to
 DIRECTORIES.  Now takes a list of directories to search, rather than a single
 one.
 * gnu/system/linux-initrd.scm (flat-linux-module-directory): change LINUX
 argument to PACKAGES. Now contains a list of file-like objects to search for
 modules.
 (raw-initrd): Add LINUX-EXTRA-MODULE-DIRECTORIES keyword argument.  Pass it
 to (flat-linux-module-directory) along with the selected LINUX package.
 (base-initrd): Add LINUX-EXTRA-MODULE-DIRECTORIES keyword argument.  Pass it
 to (raw-initrd).
 * gnu/system.scm (operating-system-initrd-file): Pass in operating system
 definition's kernel-loadable-modules into (make-initrd) as
 LINUX-EXTRA-MODULE-DIRECTORIES.
 * doc/guix.texi (Initial RAM Disk): Document how out-of-tree modules can be
 used.
 Change-Id: Ic39f2abcfabc3ec34a71acce840038396bf9c82e
 Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
 Modified-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
 Modified-by: Hilton Chain <hako@ultrarare.space>
 ---
 doc/guix.texi               | 15 ++++++++++
 gnu/build/linux-modules.scm | 23 ++++++++++-----
 gnu/system.scm              |  2 ++
 gnu/system/linux-initrd.scm | 58 +++++++++++++++++++++++--------------
 4 files changed, 69 insertions(+), 29 deletions(-)
 diff --git a/doc/guix.texi b/doc/guix.texi
 index 4ab404dcdb2..3c05428829b 100644
 --- a/doc/guix.texi
 +++ b/doc/guix.texi
@@ -46404,6 +46404,21 @@ Initial RAM Disk
   (initrd-modules (cons "megaraid_sas" %base-initrd-modules)))
 @end lisp
 +If a module listed in @code{initrd-modules} is not included in the
 +Linux-libre kernel, then its location must be provided via the
 +@code{kernel-loadable-modules} list.
 +
 +As an example, if you need the driver for a Realtek RTL8821CE wireless
 +network adapter for mounting the root file system over NFS, your
 +configuration might include the following:
 +
 +@lisp
 +(operating-system
 +  ;; @dots{}
 +  (initrd-modules (cons "8821ce" %base-initrd-modules))
 +  (kernel-loadable-modules (list (list rtl8821ce-linux-module "module"))))
 +@end lisp
 +
 @defvar %base-initrd-modules
 This is the list of kernel modules included in the initrd by default.
 @end defvar
 diff --git a/gnu/build/linux-modules.scm b/gnu/build/linux-modules.scm
 index 32baf6c5259..f45db55f861 100644
 --- a/gnu/build/linux-modules.scm
 +++ b/gnu/build/linux-modules.scm
@@ -246,8 +246,8 @@ (define (file-name->module-name file)
 '.ko[.gz|.xz|.zst]' and normalizing it."
   (normalize-module-name (strip-extension (basename file))))
 -(define (find-module-file directory module)
 -  "Lookup module NAME under DIRECTORY, and return its absolute file name.
 +(define (find-module-file directories module)
 +  "Lookup module NAME under DIRECTORIES, and return its absolute file name.
 NAME can be a file name with or without '.ko', or it can be a module name.
 Raise an error if it could not be found.
@@ -255,6 +255,10 @@ (define (find-module-file directory module)
 module names usually (always?) use underscores as the inter-word separator,
 whereas file names often, but not always, use hyphens.  Examples:
 \"usb-storage.ko\", \"serpent_generic.ko\"."
 +  ;; For backward compatibility.
 +  (define %directories (if (pair? directories)
 +                           directories
 +                           (list directories)))
   (define names
     ;; List of possible file names.  XXX: It would of course be cleaner to
     ;; have a database that maps module names to file names and vice versa,
@@ -268,16 +272,19 @@ (define (find-module-file directory module)
                            (else chr)))
                        module))))
 -  (match (find-files directory
 -                     (lambda (file stat)
 -                       (member (strip-extension
 -                                (basename file)) names)))
 +  (match (append-map
 +          (cut find-files <>
 +               (lambda (file _)
 +                 (member (strip-extension
 +                          (basename file))
 +                         names)))
 +          %directories)
     ((file)
      file)
     (()
 -     (error "kernel module not found" module directory))
 +     (error "kernel module not found" module %directories))
     ((_ ...)
 -     (error "several modules by that name" module directory))))
 +     (error "several modules by that name" module %directories))))
 (define* (recursive-module-dependencies files
                                         #:key (lookup-module dot-ko))
 diff --git a/gnu/system.scm b/gnu/system.scm
 index 78a30646e1b..b709686744d 100644
 --- a/gnu/system.scm
 +++ b/gnu/system.scm
@@ -1380,6 +1380,8 @@ (define (operating-system-initrd-file os)
                #:linux (operating-system-kernel os)
                #:linux-modules
                (operating-system-initrd-modules os)
 +               #:linux-extra-module-directories
 +               (operating-system-kernel-loadable-modules os)
                #:mapped-devices mapped-devices
                #:keyboard-layout (operating-system-keyboard-layout os)))
 diff --git a/gnu/system/linux-initrd.scm b/gnu/system/linux-initrd.scm
 index 17c2e6f6bfd..978084062b2 100644
 --- a/gnu/system/linux-initrd.scm
 +++ b/gnu/system/linux-initrd.scm
@@ -120,13 +120,19 @@ (define* (expression->initrd exp
                               `(#:references-graphs (("closure" ,init))))
                "/initrd.cpio.gz"))
 -(define (flat-linux-module-directory linux modules)
 +(define (flat-linux-module-directory packages modules)
   "Return a flat directory containing the Linux kernel modules listed in
 -MODULES and taken from LINUX."
 +MODULES and taken from PACKAGES."
   (define imported-modules
     (source-module-closure '((gnu build linux-modules)
                              (guix build utils))))
 +  (define package-inputs
 +    (map (match-lambda
 +           ((p o) (gexp-input p o))
 +           (p     (gexp-input p "out")))
 +         packages))
 +
   (define build-exp
     (with-imported-modules imported-modules
       (with-extensions (list guile-zlib guile-zstd)
@@ -138,13 +144,17 @@ (define (flat-linux-module-directory linux modules)
                          (srfi srfi-26)
                          (ice-9 match))
 -            (define module-dir
 -              (string-append #$linux "/lib/modules"))
 +            (define module-dirs
 +              (map (cut string-append <> "/lib/modules")
 +                   '#$package-inputs))
             (define builtin-modules
 -              (match (find-files module-dir (lambda (file stat)
 -                                              (string=? (basename file)
 -                                                        "modules.builtin")))
 +              (match (append-map
 +                      (cut find-files <>
 +                           (lambda (file stat)
 +                             (string=? (basename file)
 +                                       "modules.builtin")))
 +                      module-dirs)
                 ((file . _)
                  (call-with-input-file file
                    (lambda (port)
@@ -157,7 +167,7 @@ (define (flat-linux-module-directory linux modules)
               (lset-difference string=? '#$modules builtin-modules))
             (define modules
 -              (let* ((lookup  (cut find-module-file module-dir <>))
 +              (let* ((lookup  (cut find-module-file module-dirs <>))
                      (modules (map lookup modules-to-lookup)))
                 (append modules
                         (recursive-module-dependencies
@@ -192,6 +202,7 @@ (define* (raw-initrd file-systems
                       #:key
                       (linux linux-libre)
                       (linux-modules '())
 +                      (linux-extra-module-directories '())
                       (pre-mount #t)
                       (mapped-devices '())
                       (keyboard-layout #f)
@@ -199,15 +210,16 @@ (define* (raw-initrd file-systems
                       qemu-networking?
                       volatile-root?
                       (on-error 'debug))
 -  "Return as a file-like object a raw initrd, with kernel
 -modules taken from LINUX.  FILE-SYSTEMS is a list of file-systems to be
 -mounted by the initrd, possibly in addition to the root file system specified
 -on the kernel command line via 'root'.  LINUX-MODULES is a list of kernel
 -modules to be loaded at boot time. MAPPED-DEVICES is a list of device
 -mappings to realize before FILE-SYSTEMS are mounted. PRE-MOUNT is a
 -G-expression to evaluate before realizing MAPPED-DEVICES.
 -HELPER-PACKAGES is a list of packages to be copied in the initrd. It may include
 -e2fsck/static or other packages needed by the initrd to check root partition.
 +  "Return as a file-like object a raw initrd, with kernel modules taken from
 +LINUX.  FILE-SYSTEMS is a list of file-systems to be mounted by the initrd,
 +possibly in addition to the root file system specified on the kernel command
 +line via 'root'.  LINUX-MODULES is a list of kernel modules to be loaded at
 +boot time. LINUX-EXTRA-MODULE-DIRECTORIES is a list of file-like objects which
 +will be searched for modules in addition to the linux kernel. MAPPED-DEVICES
 +is a list of device mappings to realize before FILE-SYSTEMS are mounted.
 +HELPER-PACKAGES is a list of packages to be copied in the initrd. It may
 +include e2fsck/static or other packages needed by the initrd to check root
 +partition.
 When true, KEYBOARD-LAYOUT is a <keyboard-layout> record denoting the desired
 console keyboard layout.  This is done before MAPPED-DEVICES are set up and
@@ -244,7 +256,8 @@ (define* (raw-initrd file-systems
           #~())))
   (define kodir
 -    (flat-linux-module-directory linux linux-modules))
 +    (flat-linux-module-directory (cons linux linux-extra-module-directories)
 +                                 linux-modules))
   (expression->initrd
    (with-imported-modules (source-module-closure
@@ -392,6 +405,7 @@ (define* (base-initrd file-systems
                       #:key
                       (linux linux-libre)
                       (linux-modules '())
 +                      (linux-extra-module-directories '())
                       (mapped-devices '())
                       (keyboard-layout #f)
                       qemu-networking?
@@ -412,9 +426,10 @@ (define* (base-initrd file-systems
 QEMU-NETWORKING? and VOLATILE-ROOT? behaves as in raw-initrd.
 The initrd is automatically populated with all the kernel modules necessary
 -for FILE-SYSTEMS and for the given options.  Additional kernel
 -modules can be listed in LINUX-MODULES.  They will be added to the initrd, and
 -loaded at boot time in the order in which they appear."
 +for FILE-SYSTEMS and for the given options.  Additional kernel modules can be
 +listed in LINUX-MODULES.  Additional directories for modules can be listed in
 +LINUX-EXTRA-MODULE-DIRECTORIES.  They will be added to the initrd, and loaded
 +at boot time in the order in which they appear."
   (define linux-modules*
     ;; Modules added to the initrd and loaded from the initrd.
     `(,@linux-modules
@@ -434,6 +449,7 @@ (define* (base-initrd file-systems
   (raw-initrd file-systems
               #:linux linux
               #:linux-modules linux-modules*
 +              #:linux-extra-module-directories linux-extra-module-directories
               #:mapped-devices mapped-devices
               #:helper-packages helper-packages
               #:keyboard-layout keyboard-layout
 base-commit: 6174b135ffa3328fd7ad404b15b1586fc64e5666
 prerequisite-patch-id: f71061d735b69d75799eb03df6215bbcb20d53b2
 prerequisite-patch-id: 88337e68e714f3b1fe0d8e6588a1a4f423251610
 -- 
 2.51.0
--- a/modules/rosenthal/packages/patches/guix-wip-zfs-boot-support.patch
+++ b/modules/rosenthal/packages/patches/guix-wip-zfs-boot-support.patch
@ -0,0 +1,184 @@
 From ab4aa6e7bb41fe0f2c64cfb587562b19a7cb44ff Mon Sep 17 00:00:00 2001
 Message-ID: <ab4aa6e7bb41fe0f2c64cfb587562b19a7cb44ff.1757826291.git.hako@ultrarare.space>
 From: Hilton Chain <hako@ultrarare.space>
 Date: Sun, 7 Sep 2025 13:52:57 +0800
 Subject: [PATCH] WIP: ZFS boot support.
 Change-Id: I6579a36d66fcd0a487fe262c9a7c36e51532cb70
 ---
 gnu/build/file-systems.scm  | 21 ++++++++++++++-------
 gnu/build/linux-boot.scm    |  1 +
 gnu/system/file-systems.scm | 30 +++++++++++++++++++++---------
 gnu/system/linux-initrd.scm | 25 ++++++++++++++++++++-----
 guix/scripts/system.scm     |  3 ++-
 5 files changed, 58 insertions(+), 22 deletions(-)
 diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
 index c506a4911ff..05d0cb819ae 100644
 --- a/gnu/build/file-systems.scm
 +++ b/gnu/build/file-systems.scm
@@ -1173,13 +1173,20 @@ (define (canonicalize-device-spec spec)
   (match spec
     ((? string?)
 -     (if (or (string-contains spec ":/") ;nfs
 -             (and (>= (string-length spec) 2)
 -                  (equal? (string-take spec 2) "//")) ;cifs
 -             (string=? spec "none"))
 -         spec                  ; do not resolve NFS / CIFS / tmpfs devices
 -         ;; Nothing to do, but wait until SPEC shows up.
 -         (resolve identity spec identity)))
 +     (cond
 +      ((or (string-contains spec ":/") ;nfs
 +           (and (>= (string-length spec) 2)
 +                (equal? (string-take spec 2) "//")) ;cifs
 +           (string=? spec "none"))
 +       ;; Do not resolve NFS / CIFS / tmpfs devices.
 +       spec)
 +      ((and (>= (string-length spec) 4)
 +            (string=? (string-take spec 4) "zfs:"))
 +       ;; "zfs:zpool/dataset" => "zpool/dataset"
 +       (string-drop spec 4))
 +      (else
 +       ;; Nothing to do, but wait until SPEC shows up.
 +       (resolve identity spec identity))))
     ((? file-system-label?)
      ;; Resolve the label.
      (resolve find-partition-by-label
 diff --git a/gnu/build/linux-boot.scm b/gnu/build/linux-boot.scm
 index 548e28a1c97..2b577483832 100644
 --- a/gnu/build/linux-boot.scm
 +++ b/gnu/build/linux-boot.scm
@@ -523,6 +523,7 @@ (define* (boot-system #:key
     ;; So check for all four.
     (cond ((string-prefix? "/" device-string) device-string)
           ((string-contains device-string ":/") device-string) ; nfs-root
 +          ((string-prefix? "zfs:" device-string) device-string)
           ((uuid device-string) => identity)
           (else (file-system-label device-string))))
 diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
 index 4ea8237c70d..c6cf828db21 100644
 --- a/gnu/system/file-systems.scm
 +++ b/gnu/system/file-systems.scm
@@ -372,7 +372,9 @@ (define %pseudo-file-system-types
   ;; List of know pseudo file system types.  This is used when validating file
   ;; system definitions.
   '("binfmt_misc" "cgroup" "cgroup2" "debugfs" "devpts" "devtmpfs" "efivarfs" "fusectl"
 -    "hugetlbfs" "overlay" "proc" "securityfs" "sysfs" "tmpfs" "tracefs" "virtiofs" "xenfs"))
 +    "hugetlbfs" "overlay" "proc" "securityfs" "sysfs" "tmpfs" "tracefs" "virtiofs" "xenfs"
 +    ;; HACK
 +    "zfs"))
 (define %fuse-control-file-system
   ;; Control file system for Linux' file systems in user-space (FUSE).
@@ -627,18 +629,21 @@ (define (file-system-mount-point-predicate mount-point)
 ;;;
 -;;; Btrfs specific helpers.
 +;;; Btrfs specific helpers.  TODO: Refactor
 ;;;
 (define (btrfs-subvolume? fs)
   "Predicate to check if FS, a file-system object, is a Btrfs subvolume."
 -  (and-let* ((btrfs-file-system? (string= "btrfs" (file-system-type fs)))
 -             (option-keys (map (match-lambda
 -                                 ((key . value) key)
 -                                 (key key))
 -                               (file-system-options->alist
 -                                (file-system-options fs)))))
 -    (find (cut string-prefix? "subvol" <>) option-keys)))
 +  (or (and-let* ((btrfs-file-system? (string= "btrfs" (file-system-type fs)))
 +                 (option-keys (map (match-lambda
 +                                     ((key . value) key)
 +                                     (key key))
 +                                   (file-system-options->alist
 +                                    (file-system-options fs)))))
 +        (find (cut string-prefix? "subvol" <>) option-keys))
 +      (and (string=? "zfs" (file-system-type fs))
 +           ;; "zfs:zpool/dataset"
 +           (string-contains (file-system-device fs) "/"))))
 (define (btrfs-store-subvolume-file-name file-systems)
   "Return the subvolume file name within the Btrfs top level onto which the
@@ -664,6 +669,13 @@ (define (btrfs-store-subvolume-file-name file-systems)
     ;; XXX: Deriving the subvolume name based from a subvolume ID is not
     ;; supported, as we'd need to query the actual file system.
     (or (and=> (assoc-ref options "subvol") prepend-slash/maybe)
 +        (and (string=? "zfs" (file-system-type store-subvolume-fs))
 +             ;; "zfs:zpool/dataset" => "/dataset@"
 +             (and=> (file-system-device store-subvolume-fs)
 +                    (lambda (device)
 +                      (string-append
 +                       (substring device (string-index device #\/))
 +                       "@"))))
         (raise (condition
                 (&message
                  (message "The store is on a Btrfs subvolume, but the \
 diff --git a/gnu/system/linux-initrd.scm b/gnu/system/linux-initrd.scm
 index 978084062b2..8bd4a4a7850 100644
 --- a/gnu/system/linux-initrd.scm
 +++ b/gnu/system/linux-initrd.scm
@@ -249,11 +249,25 @@ (define* (raw-initrd file-systems
     ;; File systems like btrfs need help to assemble multi-device file systems
     ;; but do not use manually-specified <mapped-devices>.
     (let ((file-system-types (map file-system-type file-systems)))
 -      (if (member "btrfs" file-system-types)
 -          ;; Ignore errors: if the system manages to boot anyway, the better.
 -          #~((system* (string-append #$btrfs-progs/static "/bin/btrfs")
 -                      "device" "scan"))
 -          #~())))
 +      (and
 +       (if (member "btrfs" file-system-types)
 +           ;; Ignore errors: if the system manages to boot anyway, the better.
 +           #~((system* (string-append #$btrfs-progs/static "/bin/btrfs")
 +                       "device" "scan"))
 +           #~())
 +       (map (lambda (zpool)
 +              ;; Ignore errors: if the system manages to boot anyway, the
 +              ;; better.
 +              #~(system* #$(file-append zfs "/sbin/zpool")
 +                         "import" "-N" #$zpool))
 +            (delete-duplicates
 +             ;; "zfs:zpool/dataset" => "zpool"
 +             (map (compose second
 +                           (cut string-split <> (char-set #\: #\/))
 +                           file-system-device)
 +                  (filter (lambda (fs)
 +                            (equal? (file-system-type fs) "zfs"))
 +                          file-systems)))))))
   (define kodir
     (flat-linux-module-directory (cons linux linux-extra-module-directories)
@@ -364,6 +378,7 @@ (define file-system-type-modules
                     ("jfs" => '("jfs"))
                     ("f2fs" => '("f2fs" "crc32_generic"))
                     ("xfs" => '("xfs"))
 +                    ("zfs" => '("zfs"))
                     (else '())))
 (define (file-system-modules file-systems)
 diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
 index 8a56f1cc63d..75a5bb1d5f1 100644
 --- a/guix/scripts/system.scm
 +++ b/guix/scripts/system.scm
@@ -610,7 +610,8 @@ (define (check-file-system-availability file-systems)
   (define literal
     (filter (lambda (fs)
 -              (string? (file-system-device fs)))
 +              (and (string? (file-system-device fs))
 +                   (not (string=? "zfs" (file-system-type fs)))))
             relevant))
   (define uuid
 base-commit: 6174b135ffa3328fd7ad404b15b1586fc64e5666
 prerequisite-patch-id: f71061d735b69d75799eb03df6215bbcb20d53b2
 prerequisite-patch-id: 88337e68e714f3b1fe0d8e6588a1a4f423251610
 prerequisite-patch-id: 466ade9e99cc152f8e9a33c742a4954ade466c25
 prerequisite-patch-id: d66207367fc491f6569100503cd9df98b6888560
 -- 
 2.51.0
--- a/modules/rosenthal/packages/rust-crates.scm
+++ b/modules/rosenthal/packages/rust-crates.scm
--- a/modules/rosenthal/packages/web.scm
+++ b/modules/rosenthal/packages/web.scm
@ -10,17 +10,21 @@
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (rosenthal utils download)
  #:use-module (rosenthal utils cargo)
  #:use-module (guix build-system cargo)
  #:use-module (guix build-system copy)
  #:use-module (guix build-system go)
  #:use-module (gnu packages golang)
  #:use-module (gnu packages image)
  #:use-module (gnu packages jemalloc)
  #:use-module (gnu packages web)
-  #:use-module (gnu packages version-control))
+  #:use-module (gnu packages version-control)
  #:use-module (rosenthal packages golang))
 (define-public ai-robots-txt
  (package
    (name "ai-robots-txt")
-    (version "1.39")
+    (version "1.40")
    (source (origin
              (method git-fetch)
              (uri (git-reference
@ -29,7 +33,7 @@
              (file-name (git-file-name name version))
              (sha256
               (base32
-                "10x5rvqz1l4gqhhnf12pjqmv4azah9k4970ik0vjrj6z70dpdpk3"))
+                "1wa1c7awj2mpz78h1v0pw3v9w0ywpwjp26ml5s4qbgi0hmfcss5l"))
              (modules '((guix build utils)))
              (snippet '(delete-file-recursively "code"))))
    (build-system copy-build-system)
@ -102,7 +106,7 @@ order to protect upstream resources from web crawlers.")
 (define-public caddy
  (package
    (name "caddy")
-    (version "2.10.1")
+    (version "2.10.2")
    (source (origin
              (method git-fetch)
              (uri (git-reference
@ -111,14 +115,10 @@ order to protect upstream resources from web crawlers.")
              (file-name (git-file-name name version))
              (sha256
               (base32
-                "0h6bnkrqnikyial2d3rvs2ksamwghs837y88qk73sbqahprjakp8"))
+                "1ygjbvz1ig62r63l6324728nbg6nwbc0vsi5qis5cg2qyils9y1a"))))
              (modules '((guix build utils)))
              (snippet '(substitute* "go.mod"
                          (("^toolchain.*") "")
                          (("1.25") "1.24")))))
    (build-system go-build-system)
    (arguments
-     (list #:go go-1.24
+     (list #:go go-1.25
           #:tests? (not (%current-target-system)) ;TODO: Run test suite.
           #:install-source? #f
           #:import-path
@ -174,7 +174,7 @@ order to protect upstream resources from web crawlers.")
                       (invoke caddy "version"))))))))
    (native-inputs
     (list (origin
-             (method (go-mod-vendor #:go go-1.24))
+             (method (go-mod-vendor #:go go-1.25))
             (uri (package-source this-package))
             (file-name "vendored-go-dependencies")
             (sha256
@ -190,11 +190,11 @@ performance and flexibility, making it suitable for a variety of applications,
 from serving static websites to running dynamic web applications.")
    (license license:asl2.0)))
-(define-public caddy/hako
+(define-public caddy/dolly
  (package
    (inherit caddy)
-    (name "caddy-hako")
+    (name "caddy-dolly")
-    (version "2025.08.17-1")
+    (version "2025.09.06-2")
    (source (origin
              (method git-fetch)
              (uri (git-reference
@ -203,17 +203,17 @@ from serving static websites to running dynamic web applications.")
              (file-name (git-file-name name version))
              (sha256
               (base32
-                "07c1yxpyz1sbfs7xy8s32hsw3z4l6rpwz01g8n4lq4xzgavkpqab"))))
+                "1ag6wg6limzaijifcijvr60n8bgi77p211sm12pqjr8bslwgx1n7"))))
    (native-inputs
     (modify-inputs (package-native-inputs caddy)
       (replace "vendored-go-dependencies"
         (origin
-           (method (go-mod-vendor #:go go-1.24))
+           (method (go-mod-vendor #:go go-1.25))
           (uri (package-source this-package))
           (file-name "vendored-go-dependencies")
           (sha256
            (base32
-             "1fdspm2a4574hn4aik5wlli0yp4ih3w2rjyrw3s96n2drk0schqn"))))))
+             "04f50kbnskx22q8k7mdcnifz3f45jbsl2k9air9y3r49zh48cnin"))))))
    (home-page "https://git.boiledscript.com/hako/caddy")
    (properties '((disable-updater? . #t)))))
@ -376,3 +376,17 @@ looking for a reliable platform to manage their software projects.")
    (license license:gpl3+)
    (properties
     '((disable-updater? . #t)))))
 (define-public iocaine/dolly
  (package
    (inherit iocaine)
    (name "iocaine-dolly")
    (version "2.5.0")
    (source
     (origin
       (method url-fetch)
       (uri (crate-uri "iocaine" version))
       (file-name (string-append name "-" version ".tar.gz"))
       (sha256
        (base32 "1x445vnalm323qphxfbfrdzmv9q83h2kybimwm2j39j9p9hj188s"))))
    (inputs (cons* jemalloc (rosenthal-cargo-inputs 'iocaine)))))
--- a/modules/rosenthal/services/child-error.scm
+++ b/modules/rosenthal/services/child-error.scm
@ -49,7 +49,7 @@
 (define-configuration clash-configuration
  (clash
-   (file-like mihomo-bin)
+   (file-like mihomo)
   "The clash package.")
  (log-file
--- a/modules/rosenthal/services/file-systems.scm
+++ b/modules/rosenthal/services/file-systems.scm
@ -1,19 +1,25 @@
-;;; SPDX-FileCopyrightText: 2024 Hilton Chain <hako@ultrarare.space>
+;;; SPDX-FileCopyrightText: 2024, 2025 Hilton Chain <hako@ultrarare.space>
 ;;;
 ;;; SPDX-License-Identifier: GPL-3.0-or-later
 (define-module (rosenthal services file-systems)
  #:use-module (guix gexp)
  #:use-module (gnu packages backup)
  #:use-module (gnu packages file-systems)
  #:use-module (rosenthal packages admin)
  #:use-module (gnu services)
  #:use-module (gnu services base)
  #:use-module (gnu services configuration)
  #:use-module (gnu services linux)
  #:use-module (gnu services mcron)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system pam)
  #:export (btrbk-service-type
            btrbk-configuration
-            dumb-runtime-dir-service-type))
+            dumb-runtime-dir-service-type
            zfs-service-type))
 ;;;
@ -89,3 +95,59 @@
                             (const dumb-runtime-dir-pam-service))))
   (default-value #f)                   ;No default value required.
   (description "Create @code{XDG_RUNTIME_DIR} on login and never remove it.")))
 ;;;
 ;;; ZFS
 ;;;
 (define zfs-shepherd-service
  (list (shepherd-service
          (provision '(zfs-import))
          (requirement '(kernel-module-loader))
          (start
           #~(make-forkexec-constructor
              (list #$(file-append zfs "/sbin/zpool") "import" "-a" "-N")))
          (one-shot? #t))
        (shepherd-service
          (provision '(zfs-volumes))
          (requirement '(zfs-import))
          (start
           #~(make-forkexec-constructor
              (list #$(file-append zfs "/bin/zvol_wait"))))
          (one-shot? #t))
        (shepherd-service
          (provision '(zfs-mount))
          (requirement '(zfs-import))
          (start
           #~(make-forkexec-constructor
              (list #$(file-append zfs "/sbin/zfs") "mount" "-a" "-l")))
          (one-shot? #t))
        (shepherd-service
          (provision '(file-system-zfs))
          (requirement '(zfs-mount))
          (start #~(const #t))
          (stop
           #~(make-system-destructor
              (string-join
               (list #$(file-append zfs "/sbin/zfs") "unmount" "-a")))))))
 (define zfs-service-type
  (service-type
    (name 'zfs)
    (extensions
     (list (service-extension linux-loadable-module-service-type
                              (const (list `(,zfs "module"))))
           (service-extension udev-service-type
                              (const (list zfs)))
           (service-extension kernel-module-loader-service-type
                              (const '("zfs")))
           (service-extension shepherd-root-service-type
                              (const zfs-shepherd-service))
           (service-extension user-processes-service-type
                              (const '(file-system-zfs)))
           (service-extension profile-service-type
                              (const (list zfs)))))
    (default-value #f)
    (description "")))
--- a/modules/rosenthal/services/monitoring.scm
+++ b/modules/rosenthal/services/monitoring.scm
@ -0,0 +1,419 @@
 ;;; SPDX-FileCopyrightText: 2025 Hilton Chain <hako@ultrarare.space>
 ;;;
 ;;; SPDX-License-Identifier: GPL-3.0-or-later
 (define-module (rosenthal services monitoring)
  #:use-module (guix gexp)
  #:use-module (guix records)
  #:use-module (rosenthal utils serializers ini)
  #:use-module (rosenthal utils serializers yaml)
  #:use-module (gnu system shadow)
  #:use-module (gnu services)
  #:use-module (gnu services configuration)
  #:use-module (gnu services databases)
  #:use-module (gnu services shepherd)
  #:use-module (gnu packages guile-xyz)
  #:use-module (rosenthal packages binaries)
  #:export (alloy-configuration
            alloy-service-type
            grafana-service-type
            grafana-configuration
            loki-service-type
            loki-configuration
            mimir-service-type
            mimir-configuration
            prometheus-service-type
            prometheus-configuration))
 ;;;
 ;;; alloy
 ;;;
 (define-configuration/no-serialization alloy-configuration
  (alloy
   (file-like alloy-bin)
   "")
  (config
   file-like
   "")
  (shepherd-provision
   (list-of-symbols '(alloy))
   "")
  (shepherd-requirement
   (list-of-symbols '())
   "")
  (auto-start?
   (boolean #t)
   ""))
 (define alloy-activation
  (lambda _
    #~(begin
        (use-modules (guix build utils))
        (let ((directory "/var/lib/alloy"))
          (unless (file-exists? directory)
            (mkdir-p directory)
            (chmod directory #o755))))))
 (define alloy-shepherd
  (match-record-lambda <alloy-configuration>
      (alloy config shepherd-provision shepherd-requirement auto-start?)
    (list (shepherd-service
            (provision shepherd-provision)
            (requirement `(loopback user-processes ,@shepherd-requirement))
            (start
             #~(make-forkexec-constructor
                (list #$(file-append alloy "/bin/alloy") "run" #$config)
                #:directory "/var/lib/alloy"))
            (stop #~(make-kill-destructor))
            (auto-start? auto-start?)))))
 (define alloy-service-type
  (service-type
    (name 'alloy)
    (extensions
     (list (service-extension activation-service-type
                              alloy-activation)
           (service-extension shepherd-root-service-type
                              alloy-shepherd)))
    (description "")))
 ;;;
 ;;; Grafana
 ;;;
 (define-configuration/no-serialization grafana-configuration
  (grafana
   (file-like grafana-bin)
   "")
  (config
   ini-config
   "")
  (database-password-file
   string
   "")
  (shepherd-provision
   (list-of-symbols '(grafana))
   "")
  (shepherd-requirement
   (list-of-symbols '())
   "")
  (auto-start?
   (boolean #t)
   ""))
 (define grafana-account
  (lambda _
    (list (user-group (name "grafana") (system? #t))
          (user-account
            (name "grafana")
            (group "grafana")
            (system? #t)
            (comment "Grafana user")
            (home-directory "/var/lib/grafana")))))
 (define grafana-postgresql-role
  (match-record-lambda <grafana-configuration>
      (database-password-file)
    (list (postgresql-role
            (name "grafana")
            (create-database? #t)
            (password-file database-password-file)))))
 (define grafana-activation
  (lambda _
    #~(begin
        (use-modules (guix build utils))
        (let ((user (getpwnam "grafana")))
          (for-each
           (lambda (directory)
             (unless (file-exists? directory)
               (mkdir-p directory)
               (chown directory (passwd:uid user) (passwd:gid user))))
           '("/var/log/grafana" "/var/lib/grafana"))))))
 (define grafana-shepherd
  (match-record-lambda <grafana-configuration>
      (grafana config shepherd-provision shepherd-requirement auto-start?)
    (let ((config-file
           (apply mixed-text-file "grafana.ini" (ini-serialize config))))
      (list (shepherd-service
              (provision shepherd-provision)
              (requirement `(loopback postgresql user-processes
                             ,@shepherd-requirement))
              (start
               #~(make-forkexec-constructor
                  (list #$(file-append grafana "/bin/grafana")
                        "server" "--config" #$config-file)
                  #:user "grafana"
                  #:group "grafana"
                  #:directory #$(file-append grafana "/share/grafana")))
              (stop #~(make-kill-destructor))
              (auto-start? auto-start?))))))
 (define grafana-service-type
  (service-type
    (name 'grafana)
    (extensions
     (list (service-extension account-service-type
                              grafana-account)
           (service-extension postgresql-role-service-type
                              grafana-postgresql-role)
           (service-extension activation-service-type
                              grafana-activation)
           (service-extension shepherd-root-service-type
                              grafana-shepherd)))
    (description "")))
 ;;;
 ;;; loki
 ;;;
 (define-configuration/no-serialization loki-configuration
  (loki
   (file-like loki-bin)
   "")
  (config
   yaml-config
   "")
  (shepherd-provision
   (list-of-symbols '(loki))
   "")
  (shepherd-requirement
   (list-of-symbols '())
   "")
  (auto-start?
   (boolean #t)
   ""))
 (define loki-account
  (lambda _
    (list (user-group (name "loki") (system? #t))
          (user-account
            (name "loki")
            (group "loki")
            (system? #t)
            (comment "Loki user")
            (home-directory "/var/lib/loki")))))
 (define loki-activation
  (lambda _
    #~(begin
        (use-modules (guix build utils))
        (let ((user (getpwnam "loki"))
              (directory "/var/lib/loki"))
          (unless (file-exists? directory)
            (mkdir-p directory)
            (chown directory (passwd:uid user) (passwd:gid user))
            (chmod directory #o755))))))
 (define loki-shepherd
  (match-record-lambda <loki-configuration>
      (loki config shepherd-provision shepherd-requirement auto-start?)
    (let ((config-file
           (computed-file "loki.yaml"
             (with-extensions (list guile-yamlpp)
               #~(begin
                   (use-modules (yamlpp))
                   (call-with-output-file #$output
                     (lambda (port)
                       (let ((emitter (make-yaml-emitter)))
                         (yaml-emit! emitter '#$config)
                         (display (yaml-emitter-string emitter) port)))))))))
      (list (shepherd-service
              (provision shepherd-provision)
              (requirement `(loopback user-processes ,@shepherd-requirement))
              (start
               #~(make-forkexec-constructor
                  (list #$(file-append loki "/bin/loki")
                        (string-append "-config.file=" #$config-file))
                  #:user "loki"
                  #:group "loki"
                  #:directory "/var/lib/loki"))
              (stop #~(make-kill-destructor))
              (auto-start? auto-start?))))))
 (define loki-service-type
  (service-type
    (name 'loki)
    (extensions
     (list (service-extension account-service-type
                              loki-account)
           (service-extension activation-service-type
                              loki-activation)
           (service-extension shepherd-root-service-type
                              loki-shepherd)))
    (description "")))
 ;;;
 ;;; mimir
 ;;;
 (define-configuration/no-serialization mimir-configuration
  (mimir
   (file-like mimir-bin)
   "")
  (config
   yaml-config
   "")
  (shepherd-provision
   (list-of-symbols '(mimir))
   "")
  (shepherd-requirement
   (list-of-symbols '())
   "")
  (auto-start?
   (boolean #t)
   ""))
 (define mimir-account
  (lambda _
    (list (user-group (name "mimir") (system? #t))
          (user-account
            (name "mimir")
            (group "mimir")
            (system? #t)
            (comment "Mimir user")
            (home-directory "/var/lib/mimir")))))
 (define mimir-activation
  (lambda _
    #~(begin
        (use-modules (guix build utils))
        (let ((user (getpwnam "mimir"))
              (directory "/var/lib/mimir"))
          (unless (file-exists? directory)
            (mkdir-p directory)
            (chown directory (passwd:uid user) (passwd:gid user))
            (chmod directory #o755))))))
 (define mimir-shepherd
  (match-record-lambda <mimir-configuration>
      (mimir config shepherd-provision shepherd-requirement auto-start?)
    (let ((config-file
           (computed-file "mimir.yaml"
             (with-extensions (list guile-yamlpp)
               #~(begin
                   (use-modules (yamlpp))
                   (call-with-output-file #$output
                     (lambda (port)
                       (let ((emitter (make-yaml-emitter)))
                         (yaml-emit! emitter '#$config)
                         (display (yaml-emitter-string emitter) port)))))))))
      (list (shepherd-service
              (provision shepherd-provision)
              (requirement `(loopback user-processes ,@shepherd-requirement))
              (start
               #~(make-forkexec-constructor
                  (list #$(file-append mimir "/bin/mimir")
                        (string-append "-config.file=" #$config-file))
                  #:user "mimir"
                  #:group "mimir"
                  #:directory "/var/lib/mimir"))
              (stop #~(make-kill-destructor))
              (auto-start? auto-start?))))))
 (define mimir-service-type
  (service-type
    (name 'mimir)
    (extensions
     (list (service-extension account-service-type
                              mimir-account)
           (service-extension activation-service-type
                              mimir-activation)
           (service-extension shepherd-root-service-type
                              mimir-shepherd)))
    (description "")))
 ;;;
 ;;; prometheus
 ;;;
 (define-configuration/no-serialization prometheus-configuration
  (prometheus
   (file-like prometheus-bin)
   "")
  (listen-address
   (string "0.0.0.0:9090")
   "")
  (config
   yaml-config
   "")
  (shepherd-provision
   (list-of-symbols '(prometheus))
   "")
  (shepherd-requirement
   (list-of-symbols '())
   "")
  (auto-start?
   (boolean #t)
   ""))
 (define prometheus-account
  (lambda _
    (list (user-group (name "prometheus") (system? #t))
          (user-account
            (name "prometheus")
            (group "prometheus")
            (system? #t)
            (comment "Prometheus user")
            (home-directory "/var/lib/prometheus")))))
 (define prometheus-activation
  (lambda _
    #~(begin
        (use-modules (guix build utils))
        (let ((user (getpwnam "prometheus"))
              (directory "/var/lib/prometheus"))
          (unless (file-exists? directory)
            (mkdir-p directory)
            (chown directory (passwd:uid user) (passwd:gid user))
            (chmod directory #o775))))))
 (define prometheus-shepherd
  (match-record-lambda <prometheus-configuration>
      (prometheus listen-address config shepherd-provision shepherd-requirement auto-start?)
    (let ((config-file
           (computed-file "prometheus.yml"
             (with-extensions (list guile-yamlpp)
               #~(begin
                   (use-modules (yamlpp))
                   (call-with-output-file #$output
                     (lambda (port)
                       (let ((emitter (make-yaml-emitter)))
                         (yaml-emit! emitter '#$config)
                         (display (yaml-emitter-string emitter) port)))))))))
      (list (shepherd-service
              (provision shepherd-provision)
              (requirement `(loopback user-processes ,@shepherd-requirement))
              (start
               #~(make-forkexec-constructor
                  (list #$(file-append prometheus "/bin/prometheus")
                        (string-append "--config.file=" #$config-file)
                        (string-append "--web.listen-address=" #$listen-address))
                  #:user "prometheus"
                  #:group "prometheus"
                  #:directory "/var/lib/prometheus"
                  #:log-file "/var/log/prometheus.log"))
              (stop #~(make-kill-destructor))
              (auto-start? auto-start?))))))
 (define prometheus-service-type
  (service-type
    (name 'prometheus)
    (extensions
     (list (service-extension account-service-type
                              prometheus-account)
           (service-extension activation-service-type
                              prometheus-activation)
           (service-extension shepherd-root-service-type
                              prometheus-shepherd)))
    (description "")))
--- a/modules/rosenthal/services/networking.scm
+++ b/modules/rosenthal/services/networking.scm
@ -16,372 +16,12 @@
  #:use-module (gnu services dbus)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system shadow)
-  #:export (iwd-configuration
+  #:export (sing-box-service-type
            iwd-service-type
            sing-box-service-type
            sing-box-configuration
            tailscale-configuration
            tailscale-service-type))
 ;;;
 ;;; iwd
 ;;;
 (define %iwd-config-general
  '(enable-network-configuration?
    use-default-interface?
    address-randomization
    address-randomization-range
    roam-threshold
    roam-threshold-5g
    roam-retry-interval
    management-frame-protection
    control-port-over-nl80211?
    disable-anqp?
    disable-ocv?
    country))
 (define %iwd-config-network
  '(enable-ipv6?
    name-resolving-service
    route-priority-offset))
 (define %iwd-config-blacklist
  '(initial-timeout
    multiplier
    maximum-timeout))
 (define %iwd-config-rank
  '(band-modifier-5ghz
    band-modifier-6ghz))
 (define %iwd-config-scan
  '(disable-periodic-scan?
    initial-periodic-scan-interval
    maximum-periodic-scan-interval
    disable-roaming-scan?))
 (define %iwd-config-ipv4
  '(ap-address-pool))
 (define %iwd-config-driver-quirks
  '(default-interface
    force-pae
    power-save-disable))
 (define (uglify-field-name field-name)
  (case field-name
    ((control-port-over-nl80211?) "ControlPortOverNL80211")
    ((disable-anqp?) "DisableANQP")
    ((disable-ocv?) "DisableOCV")
    ((enable-ipv6?) "EnableIPv6")
    ((ap-address-pool) "APAddressPool")
    (else (string-delete char-set:punctuation
                         (string-capitalize (symbol->string field-name))))))
 (define (serialize-field field-name val)
  (format #f "~a = ~a~%" (uglify-field-name field-name) val))
 (define serialize-string serialize-field)
 (define-maybe string)
 (define (serialize-boolean field-name val)
  (serialize-field field-name (if val "true" "false")))
 (define-maybe boolean)
 (define cidr4? (@@ (gnu services vpn) cidr4?))
 (define serialize-cidr4 serialize-field)
 (define-maybe cidr4)
 (define (randomization-method? val)
  (memv val '(#f once network)))
 (define (serialize-randomization-method field-name val)
  (serialize-field field-name (or val 'disabled)))
 (define-maybe randomization-method)
 (define (randomization-range? val)
  (memv val '(full nic)))
 (define serialize-randomization-range serialize-field)
 (define-maybe randomization-range)
 (define (signal-strength? val)
  (and (number? val)
       (>= val -100)
       (<= val 1)))
 (define serialize-signal-strength serialize-field)
 (define-maybe signal-strength)
 (define (seconds? val)
  (and (integer? val)
       (not (negative? val))))
 (define serialize-seconds serialize-field)
 (define-maybe seconds)
 (define (protection-mode? val)
  (memv val '(0 1 2)))
 (define serialize-protection-mode serialize-field)
 (define-maybe protection-mode)
 (define (resolution-method? val)
  (memv val '(#f resolvconf)))
 (define (serialize-resolution-method field-name val)
  (serialize-field field-name (or val 'none)))
 (define serialize-integer serialize-field)
 (define-maybe integer)
 (define serialize-number serialize-field)
 (define-maybe number)
 (define (serialize-list-of-strings field-name val)
  (serialize-field field-name (string-join val ",")))
 (define-maybe list-of-strings)
 (define list-of-cidr4? (list-of cidr4?))
 (define serialize-list-of-cidr4 serialize-list-of-strings)
 (define-maybe list-of-cidr4)
 (define-configuration iwd-configuration
  (iwd
   (file-like iwd)
   "The iwd package to use.")
  (log-file
   (string "/var/log/iwd.log")
   "Log file location.")
  ;; General
  (enable-network-configuration?
   (boolean #f)
   "Enable network configuration.")
  (use-default-interface?
   maybe-boolean
   "Do not allow iwd to destroy / recreate wireless interfaces at startup,
 including default interfaces.")
  (address-randomization
   maybe-randomization-method
   "Available values are @code{#f}, @code{once} and @code{network}.  @code{#f}
 for default kernel behavior, @code{once} to randomize the MAC address when iwd
 starts or the hardware is detected for the first time, @code{network} to
 randomize the MAC address on each connection to a network (the MAC address is
 generated based on the SSID and permanent address of the adapter).")
  (address-randomization-range
   maybe-randomization-range
   "Available values are @code{nic} and @code{full}.  @code{nic} to only
 randomize the NIC specific octets (last 3 ones), @code{full} to randomize all
 6 octets of the address.")
  (roam-threshold
   maybe-signal-strength
   "Value in dBm, control how aggressively iwd roams when connected to a 2.4Ghz
 access point.")
  (roam-threshold-5g
   maybe-signal-strength
   "Value in dBm, control how aggressively iwd roams when connected to a 5Ghz
 access point.")
  (roam-retry-interval
   maybe-seconds
   "How long to wait before attempting to roam again if the last roam attempt
 failed, or if the signal of the newly connected BSS is still considered weak.")
  (management-frame-protection
   maybe-protection-mode
   "Available values are @code{0}, @code{1} and @code{2}.  @code{0} to
 completely turn off MFP (even if the hardware is capable), @code{1} to enable
 MFP if the local hardware and remote AP both support it, @code{2} to always
 require MFP.")
  (control-port-over-nl80211?
   maybe-boolean
   "Enable sending EAPoL packets over NL80211.")
  (disable-anqp?
   maybe-boolean
   "Disable ANQP queries.")
  (disable-ocv?
   maybe-boolean
   "Disable Operating Channel Validation.")
  (country
   maybe-string
   "ISO Alpha-2 Country Code.  Request the country to be set for the system.")
  ;; Network
  (enable-ipv6?
   maybe-boolean
   "Configure IPv6 addresses and routes.")
  (name-resolving-service
   (resolution-method 'resolvconf)
   "Available values are @code{resolvconf} and @code{#f}.  Configure a DNS
 resolution method used by the system and must be used in conjunction with
@code{enable-network-configuration?}.  @code{#f} to ignore DNS and domain name
 information.")
  (route-priority-offset
   maybe-integer
   "Configure a route priority offset used by the system to prioritize the
 default routes.  The route with lower priority offset is preferred.")
  ;; Blacklist
  (initial-timeout
   maybe-seconds
   "The initial time that a BSS spends on the blacklist.")
  (multiplier
   maybe-integer
   "If the BSS was blacklisted previously and another connection attempt has
 failed after the initial timeout has expired, then the BSS blacklist time will
 be extended by a multiple of @code{multiplier} for each unsuccessful attempt up
 to @code{maximum-timeout} time.")
  (maximum-timeout
   maybe-seconds
   "Maximum time that a BSS is blacklisted.")
  ;; Rank
  (band-modifier-5ghz
   maybe-number
   "Increase or decrease the preference for 5GHz access points by increasing or
 decreasing the value of this modifier.")
  (band-modifier-6ghz
   maybe-number
   "Increase or decrease the preference for 6GHz access points by increasing or
 decreasing the value of this modifier.")
  ;; Scan
  (disable-periodic-scan?
   maybe-boolean
   "Disable periodic scan.")
  (initial-periodic-scan-interval
   maybe-seconds
   "The initial periodic scan interval upon disconnect.")
  (maximum-periodic-scan-interval
   maybe-seconds
   "The maximum periodic scan interval.")
  (disable-roaming-scan?
   maybe-boolean
   "Disable roaming scan.")
  ;; IPv4
  (ap-address-pool
   maybe-list-of-cidr4
   "Define the space of IPs used for the AP mode subnet addresses and the DHCP
 server.")
  ;; DriverQuirks
  (default-interface
   maybe-list-of-strings
   "List of drivers or glob matches.  If a driver in use matches one in this
 list, IWD will not attempt to remove and re-create the default interface.")
  (force-pae
   maybe-list-of-strings
   "List of drivers or glob matches.  If a driver in use matches one in this
 list, @code{control-port-over-nl80211?} will not be used, and PAE will be used
 instead.")
  (power-save-disable
   maybe-list-of-strings
   "List of drivers or glob matches.  If a driver in use matches one in this
 list, power save will be disabled."))
 (define (serialize-iwd-configuration config)
  (apply mixed-text-file "main.conf"
         (append-map
          (match-lambda
            ((section . fields)
             (list "[" section "]\n"
                   (serialize-configuration
                    config
                    (filter-configuration-fields
                     iwd-configuration-fields
                     fields)))))
          `(("General"      . ,%iwd-config-general)
            ("Network"      . ,%iwd-config-network)
            ("Blacklist"    . ,%iwd-config-blacklist)
            ("Rank"         . ,%iwd-config-rank)
            ("Scan"         . ,%iwd-config-scan)
            ("IPv4"         . ,%iwd-config-ipv4)
            ("DriverQuirks" . ,%iwd-config-driver-quirks)))))
 (define (add-iwd-config-file config)
  `(("iwd/main.conf"
     ,(serialize-iwd-configuration config))))
 (define add-iwd-package
  (compose list iwd-configuration-iwd))
 (define (iwd-shepherd-service config)
  (match-record config <iwd-configuration>
                (iwd log-file
                     enable-network-configuration? name-resolving-service)
    (let ((conf (serialize-iwd-configuration config)))
      (list (shepherd-service
             (documentation "Run iwd")
             (provision `(,@(if enable-network-configuration?
                                '(networking)
                                '())
                          iwd))
             (requirement '(user-processes dbus-system))
             (start #~(make-forkexec-constructor
                       (list (string-append #$iwd "/libexec/iwd"))
                       #:log-file #$log-file))
             (stop #~(make-kill-destructor))
             (actions
              (list (shepherd-configuration-action "/etc/iwd/main.conf"))))))))
 (define iwd-service-type
  (service-type
   (name 'iwd)
   (extensions
    (list (service-extension shepherd-root-service-type
                             iwd-shepherd-service)
          (service-extension dbus-root-service-type
                             add-iwd-package)
          (service-extension etc-service-type
                             add-iwd-config-file)
          (service-extension profile-service-type
                             add-iwd-package)
          (service-extension log-rotation-service-type
                             (compose list iwd-configuration-log-file))))
   (default-value (iwd-configuration))
   (description "Run iwd, the iNet wireless daemon.")))
 ;;;
 ;;; sing-box
 ;;;
--- a/modules/rosenthal/services/web.scm
+++ b/modules/rosenthal/services/web.scm
@ -26,6 +26,9 @@
            forgejo-configuration
            forgejo-service-type
            iocaine-service-type
            iocaine-configuration
            jellyfin-configuration
            jellyfin-service-type
@ -79,9 +82,7 @@
           (program (file-append caddy "/bin/caddy"))
           (capabilities "cap_net_bind_service=+ep")))))
-(define caddy-activation
+(define (caddy-activation config)
  (match-record-lambda <caddy-configuration>
      (caddyfile)
  (with-imported-modules
      (source-module-closure '((guix build utils)
                               (gnu build activation)))
@ -89,17 +90,14 @@
        (use-modules (srfi srfi-26)
                     (guix build utils)
                     (gnu build activation))
-          (let* ((config-dir "/etc/caddy")
+        (let ((user (getpwnam "caddy")))
-                 (data-dir "/var/lib/caddy")
+          (mkdir-p/perms "/var/lib/caddy" user #o750)
-                 (config-file (in-vicinity config-dir "Caddyfile"))
+          (mkdir-p/perms "/var/log/caddy" user #o755)))))
-                 (user (getpwnam "caddy")))
+
-            (for-each (cut mkdir-p/perms <> user #o750)
+(define caddy-etc
-                      (list config-dir data-dir))
+  (match-record-lambda <caddy-configuration>
-            (copy-file #$caddyfile config-file)
+      (caddyfile)
-            (for-each
+    `(("caddy/Caddyfile" ,caddyfile))))
             (lambda (file)
               (chown file (passwd:uid user) (passwd:gid user)))
             (find-files data-dir #:directories? #t)))))))
 (define caddy-shepherd-services
  (match-record-lambda <caddy-configuration>
@ -119,6 +117,20 @@
                #:environment-variables '("HOME=/var/lib/caddy")))
            (stop
             #~(make-kill-destructor))
            (actions
             (list (shepherd-configuration-action "/etc/caddy/Caddyfile")
                   (shepherd-action
                     (name 'reload)
                     (documentation "Reload Caddy configuration file.")
                     (procedure
                      #~(lambda (pid)
                          (if pid
                              (begin
                                (invoke "/run/privileged/bin/caddy" "reload"
                                        "--config" "/etc/caddy/Caddyfile")
                                (display "Service caddy has been asked to \
 reload its configuration file."))
                              (display "Service caddy is not running.")))))))
            (auto-start? auto-start?)))))
 (define caddy-service-type
@ -127,10 +139,12 @@
   (extensions
    (list (service-extension account-service-type
                             caddy-accounts)
          (service-extension privileged-program-service-type
                             caddy-privileged-programs)
          (service-extension activation-service-type
                             caddy-activation)
          (service-extension etc-service-type
                             caddy-etc)
          (service-extension privileged-program-service-type
                             caddy-privileged-programs)
          (service-extension shepherd-root-service-type
                             caddy-shepherd-services)))
   (default-value #f)
@ -230,6 +244,91 @@
   (default-value (forgejo-configuration))
   (description "Run Forgejo.")))
 ;;;
 ;;; Iocaine
 ;;;
 (define-configuration/no-serialization iocaine-configuration
  (iocaine
   (file-like iocaine/dolly)
   "")
  (config
   file-object
   "")
  (log-file
   (string "/var/log/iocaine.log")
   "")
  (shepherd-provision
   (list-of-symbols '(iocaine))
   "")
  (shepherd-requirement
   (list-of-symbols '(loopback))
   "")
  (auto-start?
   (boolean #t)
   ""))
 (define iocaine-accounts
  (list (user-group (name "iocaine") (system? #t))
        (user-account
          (name "iocaine")
          (group "iocaine")
          (system? #t)
          (comment "Iocaine user")
          (home-directory "/var/empty"))))
 (define iocaine-etc
  (match-record-lambda <iocaine-configuration>
      (config)
    `(("iocaine/iocaine.toml" ,config))))
 (define iocaine-shepherd-service
  (match-record-lambda <iocaine-configuration>
      (iocaine log-file shepherd-provision shepherd-requirement auto-start?)
    (list (shepherd-service
            (provision shepherd-provision)
            (requirement (cons 'user-processes shepherd-requirement))
            (start
             #~(make-forkexec-constructor
                (list #$(file-append iocaine "/bin/iocaine")
                      "--config-file" "/etc/iocaine/iocaine.toml")
                #:user "iocaine"
                #:group "iocaine"
                #:log-file #$log-file))
            (stop #~(make-kill-destructor))
            (actions
             (list (shepherd-configuration-action "/etc/iocaine/iocaine.toml")
                   (shepherd-action
                     (name 'test)
                     (documentation "Test Iocaine configuration file.")
                     (procedure
                      #~(lambda (pid)
                          (if pid
                              (begin
                                (invoke #$(file-append iocaine "/bin/iocaine")
                                        "--config-file" "/etc/iocaine/iocaine.toml"
                                        "test")
                                (display "Service iocaine has been asked to \
 test its configuration file."))
                              (display "Service iocaine is not running.")))))))
            (auto-start? auto-start?)))))
 (define iocaine-service-type
  (service-type
   (name 'iocaine)
   (extensions
    (list (service-extension account-service-type
                             (const iocaine-accounts))
          (service-extension etc-service-type
                             iocaine-etc)
          (service-extension shepherd-root-service-type
                             iocaine-shepherd-service)
          (service-extension log-rotation-service-type
                             (compose list iocaine-configuration-log-file))))
   (description "")))
 ;;;
 ;;; Jellyfin
--- a/modules/rosenthal/utils/file.scm
+++ b/modules/rosenthal/utils/file.scm
@ -16,11 +16,20 @@
    (computed-file
     name
     #~(begin
-         (use-modules (guix build utils))
+         (use-modules (ice-9 match)
                      (guix build utils))
         (copy-file #$file #$output)
         (substitute* #$output
           (("\\$\\$([^\\$]+)\\$\\$" _ path)
-            (search-path '#$inputs path)))))))
+            (let loop ((candidates '#$inputs))
              (if (null? candidates)
                  (error "file '~a' not found" path)
                  (match candidates
                    ((candidate . rest)
                     (let ((full-path (in-vicinity candidate path)))
                       (if (file-exists? full-path)
                           full-path
                           (loop rest)))))))))))))
 (define (file-content file)
  (call-with-input-file (canonicalize-path file) get-string-all))
--- a/modules/rosenthal/utils/transformations.scm
+++ b/modules/rosenthal/utils/transformations.scm
@ -5,11 +5,16 @@
  #:use-module (srfi srfi-1)
  #:use-module (guix channels)
  #:use-module (guix gexp)
  #:use-module (guix packages)
  #:use-module (guix utils)
  #:use-module (gnu system)
  #:use-module (gnu services)
  #:use-module (gnu services base)
  #:use-module (rosenthal services file-systems)
  #:use-module (gnu packages package-management)
-  #:export (rosenthal-transformation-guix))
+  #:use-module (gnu packages file-systems)
  #:export (rosenthal-transformation-guix
            rosenthal-transformation-zfs))
 (define* (rosenthal-transformation-guix #:key (substitutes? #t)
@ -37,6 +42,13 @@
    (operating-system
      (inherit os)
      (services
       (cons* (simple-service 'guix-moe guix-service-type
                (guix-extension
                  (authorized-keys
                   (list %rosenthal-signing-key))
                  (substitute-urls
                   '("https://cache-cdn.guix.moe"))))
              (modify-services (operating-system-user-services os)
                (guix-service-type
                 config => (guix-configuration
@ -46,18 +58,28 @@
                                     (guix-configuration-channels config)))
                                (if channel?
                                    (cons %rosenthal-channel
-                                  (or configured-channels %default-channels))
+                                          (or configured-channels
                                              %default-channels))
                                    configured-channels)))
                             (guix
                              (if guix-source?
                                  (guix-for-channels channels)
-                          (guix-configuration-guix config)))
+                                  (guix-configuration-guix config)))))))))))
-                     (authorized-keys
+
-                      (cons %rosenthal-signing-key
+;; NOTE: Booting from ZFS requires patching Guix.
-                            (guix-configuration-authorized-keys config)))
+(define* (rosenthal-transformation-zfs #:key boot?)
-                     (substitute-urls
+  (lambda (os)
-                      (delete-duplicates
+    (operating-system
-                       `(,@(guix-configuration-substitute-urls config)
+      (inherit os)
-                         ,@(if substitutes?
+      (kernel-loadable-modules
-                               '("https://ci.boiledscript.com")
+       `(,@(if boot?
-                               '())))))))))))
+               `((,(package/inherit zfs
                     (arguments
                      (substitute-keyword-arguments (package-arguments zfs)
                        ((#:linux _ #f) (operating-system-kernel os)))))
                  "module"))
               '())
         ,@(operating-system-kernel-loadable-modules os)))
      (services
       (cons* (service zfs-service-type)
              (operating-system-user-services os))))))
Author	SHA1	Message	Date
Hilton Chain	3daa92a216	rosenthal: ai-robots-txt: Update to 1.40. * modules/rosenthal/packages/web.scm (ai-robots-txt): Update to 1.40.	2025-09-16 20:54:14 +08:00
Hilton Chain	1adedb4477	rosenthal: Add alloy-bin-aarch64-linux. * modules/rosenthal/packages/binaries.scm (alloy-bin-aarch64-linux): New variable.	2025-09-15 21:56:27 +08:00
Hilton Chain	44bb224568	services: Add alloy-service-type.	2025-09-15 21:30:29 +08:00
Hilton Chain	bb2494828d	services: Add mimir-service-type.	2025-09-15 21:30:20 +08:00
Hilton Chain	f7ec4842d3	services: Add loki-service-type.	2025-09-15 21:30:03 +08:00
Hilton Chain	6bc7653985	services: prometheus: Fix activation directory.	2025-09-15 18:07:58 +08:00
Hilton Chain	05613c1085	services: prometheus: Fix directory permission. * modules/rosenthal/services/monitoring.scm (prometheus-activation): Fix permission for /var/lib/prometheus, which is also used by prometheus-node-exporter.	2025-09-14 23:15:22 +08:00
Hilton Chain	3707e89521	services: Add prometheus-service-type. * modules/rosenthal/services/monitoring.scm (<prometheus-configuration>): New data type. (prometheus-account, prometheus-activation, prometheus-shepherd): New procedures. (prometheus-service-type): New variable.	2025-09-14 22:29:21 +08:00
Hilton Chain	4d50937404	services: Add grafana-service-type. * modules/rosenthal/services/monitoring.scm (<grafana-configuration>): New data type. (grafana-account, grafana-postgresql-role, grafana-activation) (grafana-shepherd): New procedures. (grafana-service-type): New variable.	2025-09-14 21:25:22 +08:00
Hilton Chain	ee6254000d	rosenthal: grafana-bin: Install assets. * modules/rosenthal/packages/binaries.scm (grafana-bin) [arguments] <#:install-plan>: Add assets.	2025-09-14 21:24:41 +08:00
Hilton Chain	1095ffcbe6	rosenthal: guix/dolly: Update ZFS patch with workaround for ‘guix deploy’ support. * modules/rosenthal/packages/patches/guix-wip-zfs-boot-support.patch: Update.	2025-09-14 14:53:58 +08:00
Hilton Chain	8e3cb6520c	utils: Add rosenthal-transformation-zfs. * modules/rosenthal/utils/transformations.scm (rosenthal-transformation-zfs): New procedure.	2025-09-13 20:15:33 +08:00
Hilton Chain	a71e15a31f	rosenthal: guix/dolly: Apply ZFS patches. * modules/rosenthal/packages/package-management.scm (guix/hako): Rename to... (guix/dolly): ...this and apply patches necessary for root on ZFS support.	2025-09-13 18:00:32 +08:00
Hilton Chain	0050466952	services: Add iocaine. * modules/rosenthal/services/web.scm (<iocaine-configuration>): New data type. (iocaine-etc, iocaine-shepherd-service): New procedures. (iocaine-accounts, iocaine-service-type): New variables.	2025-09-12 14:50:45 +08:00
Hilton Chain	62cbfda23d	service: caddy: Use invoke to reload configuration. * modules/rosenthal/services/web.scm (caddy-shepherd-services) [actions] <reload>: Use invoke.	2025-09-12 14:50:19 +08:00
Hilton Chain	dfe569fdc0	utils: computed-substitution-with-inputs: Support directory substitution. * modules/rosenthal/utils/file.scm (computed-substitution-with-inputs): Support directory substitution. Error when pattern not found.	2025-09-12 14:33:50 +08:00
Hilton Chain	dff8c3d547	rosenthal: Add alloy-bin. * modules/rosenthal/packages/binaries.scm (alloy-bin): New variable.	2025-09-09 09:11:04 +08:00
Hilton Chain	44d5fcc485	rosenthal: Add loki-bin. * modules/rosenthal/packages/binaries.scm (loki-bin): New variable.	2025-09-09 09:11:02 +08:00
Hilton Chain	de1cbe385f	rosenthal: Add mimir-bin. * modules/rosenthal/packages/binaries.scm (mimir-bin): New variable.	2025-09-09 09:10:41 +08:00
Hilton Chain	35ac609a1f	rosenthal: Add prometheus-bin. * modules/rosenthal/packages/binaries.scm (prometheus-bin): New variable.	2025-09-09 09:09:07 +08:00
Hilton Chain	9f69644049	rosenthal: Add grafana-bin. * modules/rosenthal/packages/binaries.scm (grafana-bin): New variable.	2025-09-09 09:08:53 +08:00
Hilton Chain	07f6489b9e	README: Mention substitute server. * README.org: Wrap lines. Mention Guix Moe CI.	2025-09-08 00:57:10 +08:00
Hilton Chain	d4a25e7613	utils: rosenthal-transformation-guix: Update substitute server. * modules/rosenthal/utils/transformations.scm (rosenthal-transformation-guix): Use https://cache-cdn.guix.moe and place it before official substitute servers.	2025-09-08 00:39:01 +08:00
Hilton Chain	1d06558776	examples: Update niri configuration. * modules/rosenthal/examples/niri.kdl: Update and adjust.	2025-09-07 22:15:33 +08:00
Hilton Chain	3d5946a604	rosenthal: Remove cuirass/hako. * modules/rosenthal/packages/ci.scm (cuirass/hako): Delete variable.	2025-09-06 21:45:56 +08:00
Hilton Chain	ab2946df94	rosenthal: caddy/dolly: Update to 2025.09.06-2. * modules/rosenthal/packages/web.scm (caddy/dolly): Update to 2025.09.06-2. [native-inputs]: Update vendored Go dependencies.	2025-09-06 14:59:26 +08:00
Hilton Chain	18b3253206	rosenthal: caddy: Update to 2.10.2. * modules/rosenthal/packages/web.scm (caddy): Update to 2.10.2. [source]: Remove snippet. [arguments] <#:go>: Use go-1.25. [native-inputs]: Update vendored Go dependencies.	2025-09-06 14:58:46 +08:00
Hilton Chain	204a252e3e	rosenthal: Add go-1.25. * modules/rosenthal/packages/golang.scm (go-1.25): New variable.	2025-09-06 14:57:43 +08:00
Hilton Chain	235654d2a8	rosenthal: caddy/hako: Rename to caddy/dolly. * modules/rosenthal/packages/web.scm (caddy/hako): Update to 2025.09.06-1. Rename to... (caddy/dolly): ...this.	2025-09-06 14:31:28 +08:00
Hilton Chain	071707bd41	rosenthal: Add iocaine/dolly. * modules/rosenthal/packages/web.scm (iocaine/dolly): New variable.	2025-09-06 14:30:21 +08:00
Hilton Chain	3f07c3a744	NEWS: Manual intervention required for Caddy service change. * NEWS: New entry.	2025-09-05 16:22:12 +08:00
Hilton Chain	c171b73ae7	services: caddy: Use etc-service-type to place configuration file. * modules/rosenthal/services/web.scm (caddy-etc): New procedure. (caddy-activation): Create /var/log/caddy. Remove use of /etc/caddy. (caddy-shepherd-services): Add "configuration" and "reload" actions.	2025-09-05 15:37:14 +08:00
Hilton Chain	4938fbe373	services: clash: Use mihomo. * modules/rosenthal/services/child-error.scm (clash-configuration): Use mihomo.	2025-09-04 13:05:57 +08:00
Hilton Chain	55dab73319	rosenthal: Remove deprecated packages. * modules/rosenthal/packages/binaries.scm (atuin-bin, hugo-bin, mihomo-bin) (clash-meta-bin, wakapi-bin, tailscale-bin): Delete variables.	2025-09-04 12:49:57 +08:00
Hilton Chain	9e51ad4215	services: Remove iwd-service-type. * modules/rosenthal/services/networking.scm (<iwd-configuration>): Delete data type. (%iwd-config-general, %iwd-config-network, %iwd-config-blacklist) (%iwd-config-rank, %iwd-config-scan, %iwd-config-ipv4) (%iwd-config-driver-quirks, iwd-shepherd-service, iwd-service-type): Delete variables. (uglify-field-name, serialize-field, serialize-string, maybe-string) (serialize-boolean, maybe-boolean, cidr4?, serialize-cidr4, maybe-cidr4) (randomization-method?, serialize-randomization-method, randomization-method) (randomization-range?, serialize-randomization-range, randomization-range) (signal-strength?, serialize-signal-strength, signal-strength, seconds?) (serialize-seconds, maybe-seconds, protection-mode?, serialize-protection-mode) (maybe-protection-mode, resolution-method?, serialize-resolution-method) (serialize-integer, maybe-integer, serialize-number, maybe-number) (serialize-list-of-strings, list-of-strings, list-of-cidr4?) (serialize-list-of-cidr4, list-of-cidr4) (serialize-iwd-configuration, add-iwd-config-file, add-iwd-package) Delete procedures.	2025-09-02 11:38:07 +08:00
Hilton Chain	eb7e08c63e	rosenthal: komga-bin: Set supported-systems to x86_64-linux only. * modules/rosenthal/packages/binaries.scm (komga-bin) [supported-systems]: Set to x86_64-linux.	2025-09-02 00:59:39 +08:00
Hilton Chain	4943e01c2a	rosenthal: cuirass/hako: Update to 1.2.0-3.ba77a7c. * modules/rosenthal/packages/ci.scm (cuirass/hako): Update to 1.2.0-3.ba77a7c.	2025-09-01 15:52:47 +08:00
Hilton Chain	84b2141d38	services: zfs: Export variable. * modules/rosenthal/services/file-systems.scm (zfs-service-type): Export.	2025-08-29 21:06:14 +08:00
Hilton Chain	6bf3906d6e	services: Add zfs-service-type. * modules/rosenthal/services/file-systems.scm (zfs-shepherd-service) (zfs-service-type): New variables.	2025-08-29 20:59:08 +08:00
MinkieYume	324e8d55fb	rosenthal: sing-box: Update to 1.12.4. * modules/rosenthal/packages/networking.scm (sing-box): Update to 1.12.4. [native-inputs]: Update vendored Go dependencies. Signed-off-by: Hilton Chain <hako@ultrarare.space>	2025-08-29 16:05:28 +08:00