sync with labv2.nix + standalone flake with toDisk app

Previous history:
- c359054 daku working!
- 8de5cff fix integer overflow in vmix network lib
- 9c25a66 daku on 25.05. with ollama
- 385a3bf vmix enables relaxed sandbox
- c363da1 restructure vmixLib into linux/windows subattrs with OS-specific customizeImage
- edd4dc2 vmix: port namespace model and module improvements from conf.nix
- 6666ecf vmix: add SPICE support, install virtio guest tools with SPICE agent
- 46f5671 vmix: add QEMU guest agent channel for Windows VMs
- e1fea34 vmix: add Win11 LTSC 2024 image, refactor VirtIO driver selection
- c27ae68 vmix: make customizeImage chroot-sandboxed by default, opt-in impure
- 305fbac virt customize needs chroot for now due to usr bin env things. could be fixed later
- 264d30f vmix: add win10 VM on desk, disable SMB signing for guest Samba access
- 9b64f51 vmix: split Windows templates into per-category files, add comprehensive debloat
- ef91bf8 vmix: fix missing parent registry keys in Windows templates
- f87f340 win10 VM on panda with AMD GPU + USB passthrough
- 38e474f vmix: split Windows build into Audit Mode install + composable templates
- a6a8db3 vmix: win11 support, remove build VNC, switch VMs to SPICE
- 6cf5a21 generalize stage sets bg color, accent color and sets visual effects to performance
- a84849f remove rdp template since it doesn't even work
- 5245263 vmix: best performance template + generalize cleanup
- ab12dd3 vmix: use CopyProfile for best performance visual effects
- bce3326 vmix: CopyProfile for best performance visual effects
- 2496107 vmix: add app templates (7zip, VLC, ImageGlass, Edge WebView, VC++ runtimes)
- 29a6123 wip: debug default associations xml
- 2a2e5f5 vmix: fix DefaultAssociations.xml cmd.exe escaping
- cc6ff9d vmix: move DefaultAssociations.xml to template only
- a4a78ec vmix: add removeWMP template to remove Windows Media Player
- 3fe56de vmix: improved Edge removal (files, shortcuts, scheduled tasks)
- a491767 vmix: fully remove Edge via post-oobe AppxPackage removal
- 6ca1619 vmix: remove Edge DevToolsClient SystemApps + AppxPackage
- 0c1ec35 vmix: sandboxie windows app template
- 628bbd2 vmix: add Sandboxie-Plus template
- f055a41 vmix: reorganize templates, add file associations, remove Paint
- 34326f4 vmix: set Thorium as default browser via PS-SFTA in post-oobe
- 86af258 vmix: Active Setup for default browser (all users, no post-oobe needed)
- 35b8cb0 remove vnc display from thorium template
- c7e0af6 vmix: fix Win11 generalize timeout + UCPD disable for URL associations
- 43a1345 vmix: add Office 2024 template + Ohook activation in generalize
- 03bbce0 vmix: updated office installation xml. more privacy options enabled
- 790a0ee vmix: thorium installation - hide SFTA window
- a0e5c18 vmix: fix office install.bat call + add privacy registry policies
- 3df38ca vmix: fix Ohook activation + suppress Office theme dialog
- df39ba3 vmix: remove sandboxie shortcut from desktop
- 50d5972 vmix: skip Sandboxie desktop shortcut via installer flag
- ee2fa0f vmix: fix win10 default browser
- 938315b vmix: windows: set accent color to automatic. remove accent color from unnecessary elements
- beceda8 vmix: allow ISO-only VMs without OS disk, add WinPE VM to panda

Flake outputs: overlays.default, nixosModules.default, lib, apps.toDisk

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lib/images/windows/templates/essentials/amd-gpu-drivers.nix

@@ -0,0 +1,11 @@
+# Install AMD GPU drivers (silent install via INF from ISO)
+{ drivers, makeFilesISO, ... }:
+{
+  name = "amd-gpu";
+  cdroms = [ (makeFilesISO { name = "amd-gpu-drivers"; files = [ drivers.amd-gpu-zip ]; }) ];
+  auditScript = ''
+    @echo off
+    echo Installing AMD GPU drivers (INF)...
+    pnputil /add-driver "D:\WT6A_INF\u0413647.inf" /install /subdirs
+  '';
+}

lib/images/windows/templates/essentials/best-performance.nix

@@ -0,0 +1,46 @@
+# Best Performance visual effects — set on Administrator profile in Audit Mode.
+# Used with generalize's CopyProfile=true: the Administrator's profile
+# (with these settings applied) becomes the default profile for new users.
+# CopyProfile bypasses SystemParametersInfo defaults during profile creation.
+# CopyProfile is the only approach that reliably actually works. Editing NTUSER.dat still reset some parameters
+{ ... }:
+{
+  name = "best-perf";
+  auditScript = ''
+    @echo off
+    echo Applying best performance to current profile...
+    :: Set appearance options to "custom"
+    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f
+    :: Animate controls, fade/slide menus, fade/slide tooltips,
+    :: fade out menu items, shadows under mouse, shadows under windows,
+    :: slide open combo boxes, smooth-scroll list boxes (disabled)
+    reg add "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012038010000000 /f
+    :: Animate windows when minimizing and maximizing (disabled)
+    reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d "0" /f
+    :: Animations in the taskbar (disabled)
+    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarAnimations /t REG_DWORD /d 0 /f
+    :: Enable Peek (disabled)
+    reg add "HKCU\Software\Microsoft\Windows\DWM" /v EnableAeroPeek /t REG_DWORD /d 0 /f
+    :: Save taskbar thumbnail previews (disabled)
+    reg add "HKCU\Software\Microsoft\Windows\DWM" /v AlwaysHibernateThumbnails /t REG_DWORD /d 0 /f
+    :: Show thumbnails instead of icons (disabled)
+    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v IconsOnly /t REG_DWORD /d 1 /f
+    :: Show translucent selection rectangle (disabled)
+    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ListviewAlphaSelect /t REG_DWORD /d 0 /f
+    :: Show window contents while dragging (disabled)
+    reg add "HKCU\Control Panel\Desktop" /v DragFullWindows /t REG_SZ /d "0" /f
+    :: Smooth edges of screen fonts (enabled)
+    reg add "HKCU\Control Panel\Desktop" /v FontSmoothing /t REG_SZ /d "2" /f
+    reg add "HKCU\Control Panel\Desktop" /v FontSmoothingGamma /t REG_DWORD /d 0 /f
+    reg add "HKCU\Control Panel\Desktop" /v FontSmoothingOrientation /t REG_DWORD /d 1 /f
+    reg add "HKCU\Control Panel\Desktop" /v FontSmoothingType /t REG_DWORD /d 2 /f
+    :: Use drop shadows for icon labels on the desktop (disabled)
+    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ListviewShadow /t REG_DWORD /d 0 /f
+    :: Disable transparency effects
+    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v EnableTransparency /t REG_DWORD /d 0 /f
+    :: Disable accent color on taskbar and window borders
+    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v ColorPrevalence /t REG_DWORD /d 0 /f
+    reg add "HKCU\Software\Microsoft\Windows\DWM" /v ColorPrevalence /t REG_DWORD /d 0 /f
+
+  '';
+}

lib/images/windows/templates/essentials/clear-file-associations.nix

@@ -0,0 +1,13 @@
+# Clear all FileExts UserChoice entries on the Administrator profile.
+# In Audit Mode these keys aren't hash-protected yet.
+# With CopyProfile=true in generalize, the clean profile (without UserChoice)
+# is copied to new users, so HKLM Classes become the effective defaults.
+{ ... }:
+{
+  name = "clear-assoc";
+  auditScript = ''
+    @echo off
+    echo Clearing FileExts UserChoice entries...
+    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts" /f 2>nul
+  '';
+}

lib/images/windows/templates/essentials/remove-edge.nix

@@ -0,0 +1,50 @@
+# Remove Microsoft Edge (both Chromium and built-in LTSC versions)
+{ ... }:
+{
+  name = "no-edge";
+  auditScript = ''
+    @echo off
+    :: Remove Chromium Edge using its installer
+    for /f "delims=" %%i in ('dir /b /ad "C:\Program Files (x86)\Microsoft\Edge\Application" 2^>nul') do (
+      if exist "C:\Program Files (x86)\Microsoft\Edge\Application\%%i\Installer\setup.exe" (
+        "C:\Program Files (x86)\Microsoft\Edge\Application\%%i\Installer\setup.exe" --uninstall --system-level --force-uninstall
+      )
+    )
+    
+    :: Remove Edge Update
+    if exist "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" (
+      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall
+    )
+    
+    :: Remove Edge directories
+    rmdir /s /q "C:\Program Files (x86)\Microsoft\Edge" 2>nul
+    rmdir /s /q "C:\Program Files (x86)\Microsoft\EdgeUpdate" 2>nul
+    rmdir /s /q "C:\Program Files (x86)\Microsoft\EdgeCore" 2>nul
+
+    :: Remove Edge and DevToolsClient SystemApps
+    for /d %%d in ("C:\Windows\SystemApps\Microsoft.MicrosoftEdge_*") do (
+      takeown /f "%%d" /r /d y >nul 2>nul
+      icacls "%%d" /grant Administrators:F /t >nul 2>nul
+      rmdir /s /q "%%d" 2>nul
+    )
+    for /d %%d in ("C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_*") do (
+      takeown /f "%%d" /r /d y >nul 2>nul
+      icacls "%%d" /grant Administrators:F /t >nul 2>nul
+      rmdir /s /q "%%d" 2>nul
+    )
+    
+    :: Remove Edge AppxPackage for all users (audit mode)
+    powershell -Command "Get-AppxPackage -AllUsers *MicrosoftEdge* | Remove-AppxPackage -AllUsers -EA SilentlyContinue"
+    
+    :: Remove Edge shortcuts
+    del /q "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk" 2>nul
+    del /q "%PUBLIC%\Desktop\Microsoft Edge.lnk" 2>nul
+    del /q "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk" 2>nul
+    del /q "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk" 2>nul
+    
+    :: Remove Edge Update scheduled tasks
+    schtasks /delete /tn "\MicrosoftEdgeUpdateTaskMachineCore" /f 2>nul
+    schtasks /delete /tn "\MicrosoftEdgeUpdateTaskMachineUA" /f 2>nul
+    reg add "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v DoNotUpdateToEdgeWithChromium /t REG_DWORD /d 1 /f
+  '';
+}

lib/images/windows/templates/essentials/remove-ie.nix

@@ -0,0 +1,12 @@
+# Remove Internet Explorer
+{ ... }:
+{
+  name = "no-ie";
+  auditScript = ''
+    @echo off
+    echo Removing Internet Explorer...
+    dism /online /Remove-Capability /CapabilityName:Browser.InternetExplorer~~~~0.0.11.0 /NoRestart 2>nul
+    :: Disable IE feature if still present
+    dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64 /NoRestart 2>nul
+  '';
+}

lib/images/windows/templates/essentials/remove-paint.nix

@@ -0,0 +1,20 @@
+# Remove Microsoft Paint
+{ ... }:
+{
+  name = "no-paint";
+  auditScript = ''
+    @echo off
+    echo Removing Microsoft Paint...
+    :: Take ownership and delete mspaint.exe
+    takeown /f "C:\Windows\System32\mspaint.exe" >nul 2>nul
+    icacls "C:\Windows\System32\mspaint.exe" /grant Administrators:F >nul 2>nul
+    del /f "C:\Windows\System32\mspaint.exe" 2>nul
+    :: Remove Paint optional feature
+    dism /online /Remove-Capability /CapabilityName:Microsoft.Windows.MSPaint~~~~0.0.1.0 /NoRestart 2>nul
+    :: Remove Paint shortcuts
+    del /q "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" 2>nul
+    :: Remove PBrush class registration
+    reg delete "HKLM\SOFTWARE\Classes\PBrush" /f 2>nul
+    reg delete "HKLM\SOFTWARE\Classes\pbrush" /f 2>nul
+  '';
+}

lib/images/windows/templates/essentials/remove-wmp.nix

@@ -0,0 +1,11 @@
+# Remove Windows Media Player
+{ ... }:
+{
+  name = "no-wmp";
+  auditScript = ''
+    @echo off
+    echo Removing Windows Media Player...
+    dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer /NoRestart 2>nul
+    dism /online /Remove-Capability /CapabilityName:Microsoft.Windows.MediaPlayer~~~~0.0.12.0 /NoRestart 2>nul
+  '';
+}

lib/images/windows/templates/essentials/vcpp-runtimes.nix

@@ -0,0 +1,18 @@
+# Install all Visual C++ Redistributable runtimes (2005-2022, x86+x64)
+{ pkgs, makeFilesISO, ... }:
+let
+  installer = pkgs.fetchurl {
+    url = "https://github.com/abbodi1406/vcredist/releases/download/v0.103.0/VisualCppRedist_AIO_x86_x64.exe";
+    hash = "sha256-PBiORlG8wH3yvbBtaVhRWHl7G6+5FVewkhdiFijNWyM=";
+  };
+in {
+  name = "vcpp";
+  cdroms = [ (makeFilesISO { name = "vcpp-runtimes"; files = [ installer ]; }) ];
+  auditScript = ''
+    @echo off
+    echo Installing Visual C++ Redistributable runtimes...
+    copy D:\VisualCppRedist_AIO_x86_x64.exe C:\vcpp-setup.exe
+    start /wait C:\vcpp-setup.exe /ai /gm2
+    del /q C:\vcpp-setup.exe
+  '';
+}

lib/images/windows/templates/essentials/virtio-tools.nix

@@ -0,0 +1,18 @@
+# Install VirtIO guest tools (QEMU agent + SPICE vdagent)
+{ drivers, ... }:
+{
+  name = "virtio";
+  cdroms = [ drivers.virtio-iso ];
+  auditScript = ''
+    @echo off
+    :: VirtIO ISO is the first (and only) CD — drive letter D:
+    if exist D:\cert\virtio_win_cert.cer (
+      certutil -addstore TrustedPublisher D:\cert\virtio_win_cert.cer
+    )
+    if exist D:\virtio-win-guest-tools.exe (
+      D:\virtio-win-guest-tools.exe /install /passive /norestart
+    ) else if exist D:\guest-agent\qemu-ga-x86_64.msi (
+      msiexec /i D:\guest-agent\qemu-ga-x86_64.msi /qn /norestart
+    )
+  '';
+}