fix: deprecations

Consolidate nixpkgs instances into once for all x86 systems

.envrc

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 watch_file devshell.nix
 
 use flake

.github/workflows/nix-flake-check.yml

@@ -1,10 +1,8 @@
 name: Continuous Integration
-
 on:
   pull_request:
   push:
     branches: [main]
-
 jobs:
   checks:
     name: "Checks"

.github/workflows/nix-flake-update.yml

@@ -3,7 +3,6 @@ on:
   workflow_dispatch: # allows manual triggering
   schedule:
     - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
-
 jobs:
   lockfile:
     runs-on: ubuntu-latest

admins.nix

@@ -2,7 +2,7 @@
   dadada = {
     shell = "zsh";
     keys = [
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE2JWU+BuWSvoiGFSTDQ9/1SCvfJEnkFQsFLYPNlY6wcAAAABHNzaDo= dadada <dadada@dadada.li>"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrT9sQhJWrTPIMOEsZ8UzkY7BKJYYK2Aj/Q3NZu2z7uAAAABHNzaDo= dadada@gorgon"
       "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOFHB9T6fjkuIU8jW9gGiYGSEFSfrnY/6GJUfmfMx10HAAAABHNzaDo= Backup dadada <dadada@dadada.li>"
     ];
   };

checks.nix

@@ -1,20 +0,0 @@
-{ self
-, flake-utils
-, nixpkgs
-, ...
-}:
-(flake-utils.lib.eachDefaultSystem (system:
-  let
-    pkgs = nixpkgs.legacyPackages.${system};
-    formatter = self.formatter.${system};
-  in
-  {
-    checks = {
-      format = pkgs.runCommand
-        "check-format"
-        {
-          buildInputs = [ formatter ];
-        }
-        "${formatter}/bin/nixpkgs-fmt --check ${./.} && touch $out";
-    };
-  })).checks

devshell.nix

@@ -6,9 +6,7 @@
 
   packages = with pkgs; [
     agenix
-    nixpkgs-fmt
     nixos-rebuild
-    nil
   ];
 
   commands = [
@@ -25,7 +23,7 @@
       name = "format";
       help = "Format the project";
       command = ''
-        nixpkgs-fmt .
+        treefmt .
       '';
       category = "dev";
     }

flake.lock

@@ -3,26 +3,43 @@
     "agenix": {
       "inputs": {
         "darwin": "darwin",
-        "home-manager": "home-manager",
+        "home-manager": [
+          "home-manager"
+        ],
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1703089996,
-        "narHash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU=",
+        "lastModified": 1750173260,
+        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "564595d0ad4be7277e07fa63b5a991b3c645655d",
+        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
         "type": "github"
       },
       "original": {
         "owner": "ryantm",
-        "ref": "0.15.0",
         "repo": "agenix",
         "type": "github"
       }
     },
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
     "darwin": {
       "inputs": {
         "nixpkgs": [
@@ -31,11 +48,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1673295039,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -47,17 +64,16 @@
     },
     "devshell": {
       "inputs": {
-        "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1717408969,
-        "narHash": "sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY=",
+        "lastModified": 1741473158,
+        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
         "owner": "numtide",
         "repo": "devshell",
-        "rev": "1ebbe68d57457c8cae98145410b164b5477761f4",
+        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
         "type": "github"
       },
       "original": {
@@ -66,14 +82,71 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1753140376,
+        "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-registry": {
       "flake": false,
       "locked": {
-        "lastModified": 1717415742,
-        "narHash": "sha256-HKvoLGZUsBpjkxWkdtctGYj6RH0bl6vcw0OjTOqyzJk=",
+        "lastModified": 1744623129,
+        "narHash": "sha256-nlQTQrHqM+ywXN0evDXnYEV6z6WWZB5BFQ2TkXsduKw=",
         "owner": "NixOS",
         "repo": "flake-registry",
-        "rev": "895a65f8d5acf848136ee8fe8e8f736f0d27df96",
+        "rev": "1322f33d5836ae757d2e6190239252cf8402acf6",
         "type": "github"
       },
       "original": {
@@ -84,14 +157,16 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": [
+          "systems"
+        ]
       },
       "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -100,39 +175,40 @@
         "type": "github"
       }
     },
-    "flake-utils_2": {
+    "gitignore": {
       "inputs": {
-        "systems": [
-          "systems"
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
         "type": "github"
       }
     },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
-          "agenix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1682203081,
-        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "lastModified": 1753470191,
+        "narHash": "sha256-hOUWU5L62G9sm8NxdiLWlLIJZz9H52VuFiDllHdwmVA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "rev": "a1817d1c0e5eabe7dfdfe4caa46c94d9d8f3fdb6",
         "type": "github"
       },
       "original": {
@@ -141,50 +217,53 @@
         "type": "github"
       }
     },
-    "home-manager_2": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1717527182,
-        "narHash": "sha256-vWSkg6AMok1UUQiSYVdGMOXKD2cDFnajITiSi0Zjd1A=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "845a5c4c073f74105022533907703441e0464bc3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "ref": "release-24.05",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
     "homepage": {
       "flake": false,
       "locked": {
-        "lastModified": 1714328013,
-        "narHash": "sha256-nA/7hKv8qz2+ru84rXiMa52+gyvyIhLWP9tJB6Q/DLQ=",
-        "owner": "dadada",
-        "repo": "dadada.li",
-        "rev": "b971b5905b38be19b4fa4e7d99a70df0aebfba28",
+        "lastModified": 1727338449,
+        "narHash": "sha256-VwOGtT1WB+isk0z/D/Be05GgeaTFfsXTGt7aScCAfec=",
+        "rev": "60398d3d728a0057b4cad49879ef637c06b28371",
+        "type": "tarball",
+        "url": "https://git.dadada.li/api/v1/repos/dadada/dadada.li/archive/60398d3d728a0057b4cad49879ef637c06b28371.tar.gz?rev=60398d3d728a0057b4cad49879ef637c06b28371"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
         "type": "github"
       },
       "original": {
-        "owner": "dadada",
-        "repo": "dadada.li",
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
         "type": "github"
       }
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1712450863,
-        "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
         "type": "github"
       },
       "original": {
@@ -201,11 +280,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718025593,
-        "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=",
+        "lastModified": 1751903740,
+        "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3",
+        "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
         "type": "github"
       },
       "original": {
@@ -216,11 +295,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1717995329,
-        "narHash": "sha256-lQJXEFHHVsFdFLx0bvoRbZH3IXUBsle6EWj9JroTJ/s=",
+        "lastModified": 1753122741,
+        "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "58b52b0dd191af70f538c707c66c682331cfdffc",
+        "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22",
         "type": "github"
       },
       "original": {
@@ -232,11 +311,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1718086528,
-        "narHash": "sha256-hoB7B7oPgypePz16cKWawPfhVvMSXj4G/qLsfFuhFjw=",
+        "lastModified": 1753429684,
+        "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "47b604b07d1e8146d5398b42d3306fdebd343986",
+        "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
         "type": "github"
       },
       "original": {
@@ -246,14 +341,43 @@
         "type": "github"
       }
     },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
         "devshell": "devshell",
+        "disko": "disko",
         "flake-registry": "flake-registry",
-        "flake-utils": "flake-utils_2",
-        "home-manager": "home-manager_2",
+        "flake-utils": "flake-utils",
+        "home-manager": "home-manager",
         "homepage": "homepage",
+        "lanzaboote": "lanzaboote",
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
@@ -261,6 +385,27 @@
         "treefmt-nix": "treefmt-nix"
       }
     },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -298,11 +443,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718139168,
-        "narHash": "sha256-1TZQcdETNdJMcfwwoshVeCjwWfrPtkSQ8y8wFX3it7k=",
+        "lastModified": 1753439394,
+        "narHash": "sha256-Bv9h1AJegLI8uAhiJ1sZ4XAndYxhgf38tMgCQwiEpmc=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "1cb529bffa880746a1d0ec4e0f5076876af931f1",
+        "rev": "2673921c03d6e75fdf4aa93e025772608d1482cf",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,23 +2,32 @@
   description = "dadada's nix flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     flake-utils = {
       url = "github:numtide/flake-utils";
       inputs.systems.follows = "systems";
     };
     home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
     homepage = {
-      url = "github:dadada/dadada.li";
+      url = "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz";
       flake = false;
     };
     agenix = {
-      url = "github:ryantm/agenix/0.15.0";
+      url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
     };
     devshell = {
       url = "github:numtide/devshell";

home/dconf.nix

@@ -1,6 +1,11 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 with lib.hm.gvariant;
 {
+  home.packages = [
+    pkgs.adwaita-icon-theme
+    pkgs.adwaita-qt
+  ];
+
   dconf.settings = with lib.hm.gvariant; {
     "org/gnome/shell" = {
       favorite-apps = [
@@ -13,7 +18,11 @@ with lib.hm.gvariant;
     };
 
     "org/gnome/shell" = {
-      disable-user-extensions = true;
+      disable-user-extensions = false;
+      enabled-extensions = [
+        "system-monitor@gnome-shell-extensions.gcampax.github.com"
+        "switcher@landau.fi"
+      ];
     };
 
     "org/gnome/desktop/calendar" = {
@@ -24,14 +33,27 @@ with lib.hm.gvariant;
       current = mkUint32 0;
       per-window = false;
       show-all-sources = true;
-      sources = [ (mkTuple [ "xkb" "eu" ]) (mkTuple [ "xkb" "de" ]) ];
-      xkb-options = [ "lv3:ralt_switch" "caps:escape" ];
+      sources = [
+        (mkTuple [
+          "xkb"
+          "eu"
+        ])
+        (mkTuple [
+          "xkb"
+          "de"
+        ])
+      ];
+      xkb-options = [
+        "lv3:ralt_switch"
+        "caps:escape"
+      ];
     };
 
     "org/gnome/desktop/interface" = {
       clock-show-date = true;
       clock-show-seconds = false;
       clock-show-weekday = true;
+      cursor-theme = "Adwaita";
       enable-animations = true;
       enable-hot-corners = false;
       font-antialiasing = "grayscale";
@@ -40,11 +62,12 @@ with lib.hm.gvariant;
       gtk-enable-primary-paste = false;
       gtk-key-theme = "Emacs";
       gtk-theme = "Adwaita";
+      color-scheme = "prefer-light";
       icon-theme = "Adwaita";
       locate-pointer = false;
       monospace-font-name = "JetBrains Mono 10";
       show-battery-percentage = false;
-      text-scaling-factor = 1.0;
+      #text-scaling-factor = 1.0;
       toolkit-accessibility = false;
     };
 
@@ -116,7 +139,10 @@ with lib.hm.gvariant;
       composer-attribution-language = "de_DE";
       composer-reply-start-bottom = false;
       composer-signature-in-new-only = true;
-      composer-spell-languages = [ "de" "en_US" ];
+      composer-spell-languages = [
+        "de"
+        "en_US"
+      ];
       composer-top-signature = false;
       composer-unicode-smileys = false;
       composer-visually-wrap-long-lines = true;
@@ -168,11 +194,11 @@ with lib.hm.gvariant;
     };
 
     "org/gnome/settings-daemon/plugins/power" = {
-      idle-dim = false;
-      power-button-action = "hibernate";
+      idle-dim = true;
+      power-button-action = "interactive";
       power-saver-profile-on-low-battery = true;
-      sleep-inactive-ac-type = "nothing";
-      sleep-inactive-battery-timeout = 3600;
+      sleep-inactive-ac-type = "blank";
+      sleep-inactive-battery-timeout = 600;
       sleep-inactive-battery-type = "suspend";
     };
 

home/default.nix

@@ -1,6 +1,7 @@
-{ pkgs
-, lib
-, ...
+{
+  pkgs,
+  lib,
+  ...
 }:
 let
   useFeatures = [
@@ -9,7 +10,7 @@ let
     "direnv"
     "git"
     "gpg"
-    "gtk"
+    #"gtk"
     #"keyring"
     "syncthing"
     "tmux"
@@ -17,6 +18,26 @@ let
     "zsh"
     "helix"
   ];
+  colors = {
+    background = "fdf6e3";
+    foreground = "657b83";
+    regular0 = "eee8d5"; # background darker
+    regular1 = "dc322f"; # red
+    regular2 = "859900"; # green
+    regular3 = "b58900"; # dark orange
+    regular4 = "268bd2"; # azure blue
+    regular5 = "d33682"; # hot pink
+    regular6 = "2aa198"; # petrol
+    regular7 = "073642"; # navy
+    bright0 = "cb4b16"; # orange
+    bright1 = "fdf6e3"; # foreground
+    bright2 = "93a1a1"; # grey
+    bright3 = "839496"; # slightly darker grey
+    bright4 = "657b83"; # even slightly darker grey
+    bright5 = "6c71c4"; # purple
+    bright6 = "586e75"; # pretty dark grey
+    bright7 = "002b36"; # dark navy blue
+  };
 in
 {
   imports = [
@@ -28,7 +49,9 @@ in
   programs.gpg.settings.default-key = "99658A3EB5CD7C13";
 
   dadada.home =
-    lib.attrsets.genAttrs useFeatures (useFeatures: { enable = true; })
+    lib.attrsets.genAttrs useFeatures (useFeatures: {
+      enable = true;
+    })
     // {
       session = {
         enable = true;
@@ -56,7 +79,9 @@ in
       Restart = "always";
     };
 
-    Install = { WantedBy = [ "graphical-session.target" ]; };
+    Install = {
+      WantedBy = [ "graphical-session.target" ];
+    };
   };
 
   programs.offlineimap.enable = false;
@@ -127,6 +152,288 @@ in
     Install.WantedBy = [ "multi-user.target" ];
   };
 
+  programs.foot = {
+    enable = true;
+    server.enable = false;
+    settings = {
+      inherit colors;
+      main = {
+        shell = "tmux";
+        font = "Jetbrains Mono:size=8";
+        dpi-aware = false;
+      };
+      mouse.hide-when-typing = true;
+      csd.preferred = "none";
+      cursor.color = "fdf6e3 586e75";
+      bell = {
+        urgent = true;
+        visual = false;
+      };
+    };
+  };
+
+  home.file.".config/sway/config".text = with colors; ''
+    # Read `man 5 sway` for a complete reference.
+
+    ### Variables
+    #
+    # Logo key. Use Mod1 for Alt.
+    set $mod Mod4
+    # Home row direction keys, like vim
+    set $left h
+    set $down j
+    set $up k
+    set $right l
+    # Your preferred terminal emulator
+    set $term foot
+    # Your preferred application launcher
+    # Note: pass the final command to swaymsg so that the resulting window can be opened
+    # on the original workspace that the command was run on.
+    set $menu fuzzel
+    set $wallpaper "~/lib/pictures/wallpaper.jpg"
+
+    ### Idle configuration
+    #
+    # Example configuration:
+    #
+    exec swayidle -w \
+             timeout 300 'swaylock -f -i $wallpaper -s fill' \
+             timeout 600 'swaymsg "output * power off"' resume 'swaymsg "output * power on"' \
+             before-sleep 'swaylock -f -i $wallpaper -s fill'
+    #
+    # This will lock your screen after 300 seconds of inactivity, then turn off
+    # your displays after another 300 seconds, and turn your screens back on when
+    # resumed. It will also lock your screen before your computer goes to sleep.
+
+    input * {
+      xkb_layout eu
+      xkb_model pc105+inet
+      xkb_options caps:escape
+        drag_lock enabled
+        drag enabled
+        dwt enabled
+        tap enabled
+        tap_button_map lrm
+        natural_scroll enabled
+    }
+
+    ### Key bindings
+    #
+    # Basics:
+    #
+    # Start a terminal
+    bindsym $mod+Return exec $term
+
+    # Kill focused window
+    bindsym $mod+Shift+q kill
+
+    # Start your launcher
+    bindsym $mod+d exec $menu
+
+    # Drag floating windows by holding down $mod and left mouse button.
+    # Resize them with right mouse button + $mod.
+    # Despite the name, also works for non-floating windows.
+    # Change normal to inverse to use left mouse button for resizing and right
+    # mouse button for dragging.
+    floating_modifier $mod normal
+
+    # Lock the screen
+    bindsym XF86Sleep exec 'swaylock -f -c ${background}'
+    bindsym $mod+End exec 'swaylock -f -c ${background}'
+
+    # Reload the configuration file
+    bindsym $mod+Shift+c reload
+
+    # Exit sway (logs you out of your Wayland session)
+    bindsym $mod+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit'
+
+    # Brightness
+    bindsym --locked XF86MonBrightnessDown exec light -U 10
+    bindsym --locked XF86MonBrightnessUp exec light -A 10
+
+    # Volume
+    bindsym --locked XF86AudioRaiseVolume exec 'pactl set-sink-volume @DEFAULT_SINK@ +1%'
+    bindsym --locked XF86AudioLowerVolume exec 'pactl set-sink-volume @DEFAULT_SINK@ -1%'
+    bindsym --locked XF86AudioMute exec 'pactl set-sink-mute @DEFAULT_SINK@ toggle'
+
+    #
+    # Moving around:
+    #
+    # Move your focus around
+    bindsym $mod+$left focus left
+    bindsym $mod+$down focus down
+    bindsym $mod+$up focus up
+    bindsym $mod+$right focus right
+    # Or use $mod+[up|down|left|right]
+    bindsym $mod+Left focus left
+    bindsym $mod+Down focus down
+    bindsym $mod+Up focus up
+    bindsym $mod+Right focus right
+
+    # Move the focused window with the same, but add Shift
+    bindsym $mod+Shift+$left move left
+    bindsym $mod+Shift+$down move down
+    bindsym $mod+Shift+$up move up
+    bindsym $mod+Shift+$right move right
+    # Ditto, with arrow keys
+    bindsym $mod+Shift+Left move left
+    bindsym $mod+Shift+Down move down
+    bindsym $mod+Shift+Up move up
+    bindsym $mod+Shift+Right move right
+
+    #
+    # Workspaces:
+    #
+    # Switch to workspace
+    bindsym $mod+1 workspace number 1
+    bindsym $mod+2 workspace number 2
+    bindsym $mod+3 workspace number 3
+    bindsym $mod+4 workspace number 4
+    bindsym $mod+5 workspace number 5
+    bindsym $mod+6 workspace number 6
+    bindsym $mod+7 workspace number 7
+    bindsym $mod+8 workspace number 8
+    bindsym $mod+9 workspace number 9
+    bindsym $mod+0 workspace number 10
+    # Move focused container to workspace
+    bindsym $mod+Shift+1 move container to workspace number 1
+    bindsym $mod+Shift+2 move container to workspace number 2
+    bindsym $mod+Shift+3 move container to workspace number 3
+    bindsym $mod+Shift+4 move container to workspace number 4
+    bindsym $mod+Shift+5 move container to workspace number 5
+    bindsym $mod+Shift+6 move container to workspace number 6
+    bindsym $mod+Shift+7 move container to workspace number 7
+    bindsym $mod+Shift+8 move container to workspace number 8
+    bindsym $mod+Shift+9 move container to workspace number 9
+    bindsym $mod+Shift+0 move container to workspace number 10
+    # Note: workspaces can have any name you want, not just numbers.
+    # We just use 1-10 as the default.
+
+    #
+    # Layout stuff:
+    #
+    # You can "split" the current object of your focus with
+    # $mod+b or $mod+v, for horizontal and vertical splits
+    # respectively.
+    bindsym $mod+b splith
+    bindsym $mod+v splitv
+
+    # Switch the current container between different layout styles
+    bindsym $mod+s layout stacking
+    bindsym $mod+w layout tabbed
+    bindsym $mod+e layout toggle split
+
+    # Make the current focus fullscreen
+    bindsym $mod+f fullscreen
+
+    # Toggle the current focus between tiling and floating mode
+    bindsym $mod+Shift+space floating toggle
+
+    # Swap focus between the tiling area and the floating area
+    bindsym $mod+space focus mode_toggle
+
+    # Move focus to the parent container
+    bindsym $mod+a focus parent
+
+    #
+    # Font
+    #
+    font "pango:Jetbrains Mono 8"
+
+    #
+    # Scratchpad:
+    #
+    # Sway has a "scratchpad", which is a bag of holding for windows.
+    # You can send windows there and get them back later.
+
+    # Move the currently focused window to the scratchpad
+    bindsym $mod+Shift+minus move scratchpad
+
+    # Show the next scratchpad window or hide the focused scratchpad window.
+    # If there are multiple scratchpad windows, this command cycles through them.
+    bindsym $mod+minus scratchpad show
+
+    #
+    # Resizing containers:
+    #
+    mode "resize" {
+        # left will shrink the containers width
+        # right will grow the containers width
+        # up will shrink the containers height
+        # down will grow the containers height
+        bindsym $left resize shrink width 10px
+        bindsym $down resize grow height 10px
+        bindsym $up resize shrink height 10px
+        bindsym $right resize grow width 10px
+
+        # Ditto, with arrow keys
+        bindsym Left resize shrink width 10px
+        bindsym Down resize grow height 10px
+        bindsym Up resize shrink height 10px
+        bindsym Right resize grow width 10px
+
+        # Return to default mode
+        bindsym Return mode "default"
+        bindsym Escape mode "default"
+    }
+    bindsym $mod+r mode "resize"
+
+    #
+    # Status Bar:
+    #
+    # Read `man 5 sway-bar` for more information about this section.
+    bar {
+        position bottom
+
+        # When the status_command prints a new line to stdout, swaybar updates.
+        # The default just shows the current date and time.
+        status_command ~/.config/sway/status
+
+        colors {
+            statusline ${foreground}
+            background ${background}
+            inactive_workspace ${background}ee ${background}ee ${foreground}ee
+        }
+    }
+
+    # Gaps between multiple tiling windows
+    gaps inner 10
+    smart_gaps on
+
+    bindsym $mod+grave exec busctl --user call org.keepassxc.KeePassXC.MainWindow /keepassxc org.keepassxc.KeePassXC.MainWindow lockAllDatabases && swaylock -c #fdf6e3
+
+    # class                 border         backgr.        text           indicator      child_border
+    client.focused          #${bright6}    #${foreground} #${background} #${bright5}    #${regular4}
+    client.focused_inactive #${regular0}   #${regular0}   #${foreground} #${bright5}    #${regular0}
+    client.unfocused        #${regular0}   #${background} #${bright2}    #${bright5}    #${regular0}
+    client.urgent           #${bright1}    #${bright0}    #${regular4}   #${background} #${bright0}
+    client.placeholder      #${background} #${bright2}    #${foreground} #${background} #${bright2}
+
+    client.background       #${foreground}
+
+    include /etc/sway/config.d/*
+
+    exec sleep 5; systemctl --user restart kanshi.service
+    exec sleep 5; swaymsg output '*' bg $wallpaper fill
+  '';
+  home.file.".config/sway/status".source = ./status;
+  home.file.".config/kanshi/config".text = ''
+    profile Laptop {
+      output eDP-1 enable
+    }
+
+    profile Docked {
+      output eDP-1 disable
+      output "LG Electronics LG HDR 4K 0x000354D1" {
+        enable
+        scale 1.4
+        position 0,0
+      }
+    }
+  '';
+
+  #services.poweralertd.enable = true;
+
   # Let Home Manager install and manage itself.
   programs.home-manager.enable = true;
 

home/modules.nix

@@ -1,8 +1,13 @@
 { lib, ... }:
-with lib; let
-  modules' = dir: filterAttrs (name: type: (hasSuffix ".nix" name) || (type == "directory"))
-    (builtins.readDir dir);
-  modules = dir: mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}")))
-    (modules' dir);
+with lib;
+let
+  modules' =
+    dir:
+    filterAttrs (name: type: (hasSuffix ".nix" name) || (type == "directory")) (builtins.readDir dir);
+  modules =
+    dir:
+    mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}"))) (
+      modules' dir
+    );
 in
 (modules ./modules)

home/modules/alacritty/default.nix

@@ -1,9 +1,11 @@
-{ pkgs
-, lib
-, config
-, ...
+{
+  pkgs,
+  lib,
+  config,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.alacritty;
 in
 {
@@ -11,7 +13,6 @@ in
     enable = mkEnableOption "Enable alacritty config";
   };
   config = mkIf cfg.enable {
-    fonts.fontconfig.enable = true;
     home.packages = [
       pkgs.jetbrains-mono
     ];

home/modules/colors.nix

@@ -1,8 +1,10 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
-with lib; {
+with lib;
+{
   options.dadada.home.colors = mkOption {
     type = types.attrs;
     description = "Color scheme";

home/modules/direnv.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.direnv;
 in
 {

home/modules/git.nix

@@ -1,14 +1,17 @@
-{ config
-, lib
-, pkgs
-, ...
+{
+  config,
+  lib,
+  pkgs,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.git;
   allowedSigners = pkgs.writeTextFile {
     name = "allowed-signers";
     text = ''
       dadada@dadada.li sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKu+pA5Vy0QPHJMjn2S5DCsqKg2UvDhOsBwvvJLf4HbyAAAABHNzaDo= dadada <dadada@dadada.li>
+      dadada@dadada.li ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKRuecjbtDh4jyDZH3ccU9t0QFcAgZDBFO8ZWZBA9iT dadada@gorgon
     '';
   };
 in
@@ -33,7 +36,7 @@ in
         user = {
           email = "dadada@dadada.li";
           name = "Tim Schubert";
-          signingKey = "key::sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKu+pA5Vy0QPHJMjn2S5DCsqKg2UvDhOsBwvvJLf4HbyAAAABHNzaDo= dadada <dadada@dadada.li>";
+          signingKey = "key::ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKRuecjbtDh4jyDZH3ccU9t0QFcAgZDBFO8ZWZBA9iT dadada@gorgon";
         };
         core = {
           whitespace = {

home/modules/gpg.nix

@@ -1,8 +1,10 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.gpg;
 in
 {

home/modules/gtk.nix

@@ -1,9 +1,11 @@
-{ config
-, lib
-, pkgs
-, ...
+{
+  config,
+  lib,
+  pkgs,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.gtk;
 in
 {

home/modules/helix/default.nix

@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   cfg = config.dadada.home.helix;
 in

home/modules/keyring.nix

@@ -1,8 +1,10 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.keyring;
 in
 {

home/modules/session.nix

@@ -1,8 +1,10 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.session;
 in
 {

home/modules/ssh.nix

@@ -1,8 +1,10 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.ssh;
 in
 {

home/modules/syncthing.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.syncthing;
 in
 {

home/modules/tmux.nix

@@ -1,8 +1,10 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.tmux;
 in
 {

home/modules/xdg.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   apps = {
     "x-scheme-handler/mailto" = "evolution.desktop";
     "message/rfc822" = "evolution.desktop";
@@ -29,6 +31,7 @@ in
   config = mkIf cfg.enable {
     xdg = {
       enable = true;
+      configHome = "${config.home.homeDirectory}/.config";
       mimeApps = {
         enable = false;
         associations.added = apps;
@@ -46,7 +49,7 @@ in
     home.packages = with pkgs; [
       evince
       firefox
-      xdg_utils
+      xdg-utils
     ];
   };
 }

home/modules/zsh.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.home.zsh;
 in
 {
@@ -26,11 +28,13 @@ in
         ignoreDups = true;
         ignoreSpace = true;
         save = 100000;
-        share = true;
+        # FIXME https://github.com/junegunn/fzf/issues/4061
+        #share = true;
+        share = false;
       };
       plugins = [
       ];
-      initExtra = ''
+      initContent = ''
         source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh
         source ${pkgs.fzf}/share/fzf/key-bindings.zsh
         source ${pkgs.fzf}/share/fzf/completion.zsh
@@ -40,12 +44,10 @@ in
 
         preexec() { echo -n -e "\033]0;$1\007" }
 
-        PROMPT="%F{red}%?%f %F{green}%m%f:%F{blue}%~%f "
+        PROMPT="%F{red}%?%f %F{green}%m%f:%F{blue}%~%f"$'\n'"╰─> "
         RPROMPT='$(git_super_status)'
-        #NIX_BUILD_SHELL="${pkgs.zsh}/bin/zsh"
-      '';
-      profileExtra = ''
       '';
+      profileExtra = '''';
       shellAliases = {
         ga = "git add";
         gc = "git commit";

home/nixpkgs-config.nix

@@ -1,6 +0,0 @@
-{ pkgs }: {
-  allowUnfree = true;
-  allowUnfreePredicate = pkg: true;
-  allowBroken = false;
-  android_sdk.accept_license = true;
-}

home/pkgs.nix

@@ -1,5 +1,6 @@
 { pkgs }:
-with pkgs; [
+with pkgs;
+[
   anki
   aqbanking
   aria2
@@ -14,19 +15,21 @@ with pkgs; [
   bluez-tools
   btop # htop
   choose # alternative to cut and awk with more readable syntax
+  chromium
   colordiff
   darcs
   delta # feature-rich diff viewer
   dig
   direnv
-  dstat
   duf # disk usage
+  dune3d
   dyff # diff tool for YAML
   element-desktop
   evince
   evolution
   ffmpeg
   file
+  fuzzel
   fx # themable json viewer
   fzf
   fzf
@@ -36,7 +39,6 @@ with pkgs; [
   gimp
   glow
   glow # render markdown
-  gnome.gnome-tweaks
   gnumake
   gnupg
   gping # ping with graphs
@@ -46,7 +48,6 @@ with pkgs; [
   h # Manage git repos
   hexyl # hex viewer
   htop
-  http-prompt
   httpie
   hub
   hyperfine # A command-line benchmarking tool.
@@ -61,13 +62,11 @@ with pkgs; [
   jameica
   jc # convert output to json
   josm
-  jujutsu
   jq
-  jq
-  #jupyter
-  kcachegrind
+  kanshi
   keepassxc
   kubetail
+  krita
   ldns
   liboping # oping, ping multiple hosts at once
   libreoffice
@@ -80,8 +79,11 @@ with pkgs; [
   mpv
   mtr
   mumble
+  nix-output-monitor
   ncurses
   newsflash
+  nixd
+  nixfmt-rfc-style
   nfs-utils
   niv
   nix-index
@@ -103,9 +105,11 @@ with pkgs; [
   prusa-slicer
   pv
   pwgen
-  python3
+  (python3.withPackages (pkgs: [
+    pkgs.pandas
+    pkgs.requests
+  ]))
   ranger
-  recipemd
   reptyr
   ripgrep
   ripgrep
@@ -117,28 +121,29 @@ with pkgs; [
   skim # fzf in Rust
   slurp
   socat
+  solvespace
   spotify
   sqlite
   sshfs-fuse
-  steam
   taplo
   tcpdump
   tdesktop
+  thunderbird
   tmux
   ttyd
   unzip
   usbutils
+  vegur
   virt-manager
   viu # view images from the terminal
   vscodium
   whois
   wireshark
-  xdg_utils
+  xdg-utils
   xmlstarlet
-  xsv # cut for csv
   unixtools.xxd
   xxh # portable shells
-  youtube-dl
+  yt-dlp
   # zotero Marked as insecure
   zeal
   zk

home/status

@@ -0,0 +1,138 @@
+#!/usr/bin/env python3
+
+import json
+import sys
+import time
+import requests
+import logging
+import subprocess
+
+from datetime import datetime
+
+logger = logging.getLogger(__name__)
+
+
+class Status:
+    def status(self):
+        return None
+
+
+class Cat(Status):
+    index = 0
+
+    def status(self):
+        cat_width = 200
+        index = self.index
+        catwalk = "🐈🏳️‍🌈" + " " * index
+        self.index = (index + 1) % cat_width
+
+        return {"full_text": catwalk}
+
+
+class Space(Status):
+    backoff = 0
+    c_status = None
+
+    def status(self):
+        backoff = self.backoff
+        if self.backoff == 0:
+            self.update()
+
+        return {"full_text": self.c_status}
+
+    def update(self):
+        spacestatus_url = "https://status.stratum0.org/status.json"
+        resp = requests.get(url=spacestatus_url)
+        self.backoff = (self.backoff + 1) % 120
+        data = resp.json()
+        if data["isOpen"]:
+            since = datetime.strptime(data["since"], "%Y-%m-%dT%H:%M:%S.%f").strftime("%A at %H:%M")
+            spacestatus = f"Space is open since {since}"
+        else:
+            spacestatus = "Space is closed"
+        self.c_status = spacestatus
+
+
+class Battery(Status):
+    capacity_file = open('/sys/class/power_supply/BAT0/capacity', 'r')
+    status_file = open('/sys/class/power_supply/BAT0/status', 'r')
+
+    def status(self):
+        self.status_file.seek(0)
+        status = self.status_file.read().rstrip()
+
+        self.capacity_file.seek(0)
+        capacity = self.capacity_file.read().rstrip()
+
+        battery = f"{status} {capacity}%"
+
+        return {"full_text": battery}
+
+
+class Time(Status):
+    def status(self):
+        now = datetime.now()
+        match now.isocalendar().week % 10:
+            case 1:
+                th = "st"
+            case 2:
+                th = "nd"
+            case 3:
+                th = "rd"
+            case _:
+                th = "th"
+        return {"full_text": now.strftime(f"%V{th} %A %H:%M") }
+
+
+class FailedUnits(Status):
+    def status(self):
+        proc = subprocess.run(["systemctl", "list-units", "--failed"], capture_output = True)
+        stdout = proc.stdout.decode('utf-8')
+        failed = 0
+        for line in stdout:
+            if 'failed' in line:
+                failed += 1
+        if failed == 0:
+            return {"full_text": f"No failed units"}
+        else:
+            return {"full_text": f"There are {failed} failed units", "color": "#ff0000"}
+
+
+def print_header():
+    header = {
+        "version": 1,
+        "click_events": False,
+    }
+    print(json.dumps(header))
+    print("[")
+
+
+def run(interval, widgets):
+    print_header()
+
+    while True:
+        body = []
+
+        for widget in widgets:
+            try:
+                status = widget.status()
+            except Exception as e:
+                logger.error(e)
+            if status:
+                body += status,
+
+        print(json.dumps(body), ",", flush=True)
+
+        ts = interval - (time.time() % interval)
+        time.sleep(ts)
+
+
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.INFO)
+
+    # Interval in seconds
+    interval = 1.0
+
+    widgets = [Cat(), FailedUnits(), Space(), Battery(), Time()]
+
+    run(interval, widgets)

hydra-jobs.nix

@@ -1,5 +0,0 @@
-{ self, nixpkgs, ... }:
-(nixpkgs.lib.mapAttrs'
-  (name: config: nixpkgs.lib.nameValuePair name config.config.system.build.toplevel)
-  self.nixosConfigurations
-)

nixos/agares/configuration.nix

@@ -1,97 +0,0 @@
-{ config
-, modulesPath
-, pkgs
-, ...
-}:
-{
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-    ./ddns.nix
-    ./dns.nix
-    ./firewall.nix
-    ../modules/profiles/server.nix
-    ./network.nix
-    ./ntp.nix
-    ./ppp.nix
-  ];
-
-  fileSystems."/" = {
-    device = "/dev/sda1";
-    fsType = "btrfs";
-    options = [ "subvol=root" ];
-  };
-
-  #fileSystems."/nix/store" = {
-  #  device = "/dev/sda1";
-  #  fsType = "btrfs";
-  #  options = [ "subvol=/root/nix" "noatime" ];
-  #};
-
-  fileSystems."/swap" = {
-    device = "/dev/sda1";
-    fsType = "btrfs";
-    options = [ "subvol=/root/swap" "noatime" ];
-  };
-
-  #swapDevices = [{
-  #  device = "/swap/swapfile";
-  #  size = 32 * 1024; # 32 GByte
-  #}];
-
-  hardware.cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
-
-  dadada = {
-    admin.enable = true;
-  };
-
-  services.smartd.enable = true;
-
-  networking.hostName = "agares";
-  networking.domain = "bs.dadada.li";
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-  boot.loader.grub.extraConfig = "
-    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
-    terminal_input serial
-    terminal_output serial
-  ";
-
-  boot.kernelParams = [
-    "console=ttyS0,115200"
-    "amd_iommu=on"
-    "iommu=pt"
-  ];
-
-  boot.kernelModules = [
-    "kvm-amd"
-    "vfio"
-    "vfio_iommu_type1"
-    "vfio_pci"
-    "vfio_virqfd"
-  ];
-
-  environment.systemPackages = with pkgs; [
-    curl
-    flashrom
-    dmidecode
-    tcpdump
-  ];
-
-  services.munin-node = {
-    enable = true;
-    extraConfig = ''
-      host_name ${config.networking.hostName}
-      cidr_allow 10.3.3.3/32
-    '';
-  };
-
-  # Running router VM. They have to be restarted in the right order, so network comes up cleanly. Not ideal.
-  system.autoUpgrade.allowReboot = false;
-
-  system.stateVersion = "23.05";
-}

nixos/agares/ddns.nix

@@ -1,13 +0,0 @@
-{ config, ... }:
-{
-  dadada.ddns = {
-    domains = [ "vpn.dadada.li" ];
-    credentialsPath = config.age.secrets."ddns-credentials".path;
-    interface = "ppp0";
-  };
-
-  age.secrets."ddns-credentials" = {
-    file = "${config.dadada.secrets.path}/ddns-credentials.age";
-    mode = "400";
-  };
-}

nixos/agares/dns.nix

@@ -1,78 +0,0 @@
-{ ... }:
-{
-  services.unbound = {
-    enable = true;
-    localControlSocketPath = "/run/unbound/unbound.ctl";
-    settings = {
-      server = {
-        access-control = [
-          "127.0.0.0/8 allow"
-          "127.0.0.1/32 allow_snoop"
-          "192.168.96.0/19 allow"
-          "192.168.1.0/24 allow"
-          "172.16.128.0/24 allow"
-          "::1/128 allow_snoop"
-          "fd42:9c3b:f96d::/48 allow"
-        ];
-        interface = [
-          "127.0.0.1"
-          "192.168.1.1"
-          "192.168.100.1"
-          "192.168.101.1"
-          "192.168.102.1"
-          "192.168.103.1"
-          "192.168.120.1"
-          "::1"
-          "fd42:9c3b:f96d:100::1"
-          "fd42:9c3b:f96d:101::1"
-          "fd42:9c3b:f96d:102::1"
-          "fd42:9c3b:f96d:103::1"
-          "fd42:9c3b:f96d:120::1"
-        ];
-        prefer-ip6 = true;
-        prefetch = true;
-        prefetch-key = true;
-        serve-expired = false;
-        aggressive-nsec = true;
-        hide-identity = true;
-        hide-version = true;
-        use-caps-for-id = true;
-        val-permissive-mode = true;
-        local-data = [
-          "\"agares.bs.dadada.li. 10800 IN A 192.168.101.1\""
-          "\"danjal.bs.dadada.li. 10800 IN A 192.168.100.108\""
-          "\"legion.bs.dadada.li. 10800 IN A 192.168.100.107\""
-          "\"ninurta.bs.dadada.li. 10800 IN A 192.168.101.184\""
-          "\"agares.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101::1\""
-          "\"ninurta.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\""
-          "\"backup1.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\""
-        ];
-        local-zone = [
-          "\"168.192.in-addr.arpa.\" nodefault"
-          "\"d.f.ip6.arpa.\" nodefault"
-        ];
-      };
-      forward-zone = [
-        {
-          name = ".";
-          forward-tls-upstream = "yes";
-          forward-addr = [
-            "2620:fe::fe@853#dns.quad9.net"
-            "2620:fe::9@853#dns.quad9.net"
-            "9.9.9.9@853#dns.quad9.net"
-            "149.112.112.112@853#dns.quad9.net"
-          ];
-        }
-      ];
-      stub-zone =
-        let
-          stubZone = name: addrs: { name = "${name}"; stub-addr = addrs; };
-        in
-        [
-          #(stubZone "li.dadada.bs" ["192.168.128.220" "2a01:4f8:c010:a710::1"])
-          #(stubZone "d.6.9.f.b.3.c.9.2.4.d.f.ip6.arpa" ["192.168.101.220" "2a01:4f8:c010:a710::1"])
-          #(stubZone "168.192.in-addr.arpa" ["192.168.128.220" "2a01:4f8:c010:a710::1"])
-        ];
-    };
-  };
-}

nixos/agares/firewall.nix

@@ -1,13 +0,0 @@
-{ ... }:
-{
-  networking = {
-    useDHCP = false;
-    nat.enable = false;
-    firewall.enable = false;
-    nftables = {
-      enable = true;
-      checkRuleset = true;
-      ruleset = builtins.readFile ./rules.nft;
-    };
-  };
-}

nixos/agares/network.nix

@@ -1,300 +0,0 @@
-{ config, lib, ... }:
-let
-  ulaPrefix = "fd42:9c3b:f96d"; # fd42:9c3b:f96d::/48
-  ipv4Prefix = "192.168"; # 192.168.96.0/19
-  domain = "bs.dadada.li";
-in
-{
-  networking.useDHCP = false;
-  systemd.network = {
-    enable = true;
-    links = {
-      "10-persistent" = {
-        matchConfig.OriginalName = [ "enp1s0" "enp2s0" ]; # takes search domains from the [Network]
-        linkConfig.MACAddressPolicy = "persistent";
-      };
-    };
-    netdevs = {
-      # QoS concentrator
-      "ifb4ppp0" = {
-        netdevConfig = {
-          Kind = "ifb";
-          Name = "ifb4ppp0";
-        };
-      };
-      "20-lan" = {
-        netdevConfig = {
-          Kind = "vlan";
-          Name = "lan.10";
-        };
-        vlanConfig = {
-          Id = 10;
-        };
-      };
-      "20-freifunk" = {
-        netdevConfig = {
-          Kind = "vlan";
-          Name = "ff.11";
-        };
-        vlanConfig = {
-          Id = 11;
-        };
-      };
-      "20-roadw" = {
-        netdevConfig = {
-          Kind = "wireguard";
-          Name = "roadw";
-        };
-        wireguardConfig = {
-          PrivateKeyFile = config.age.secrets."wg-privkey-vpn-dadada-li".path;
-          ListenPort = 51234;
-        };
-        wireguardPeers = [{
-          wireguardPeerConfig =
-            let
-              peerAddresses = i: [
-                "${ipv4Prefix}.120.${i}/32"
-                "${ulaPrefix}:120::${i}/128"
-              ];
-            in
-            {
-              PublicKey = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU=";
-              AllowedIPs = peerAddresses "3";
-            };
-        }];
-      };
-      "20-wg0" = {
-        netdevConfig = {
-          Kind = "wireguard";
-          Name = "wg0";
-        };
-        wireguardConfig = {
-          PrivateKeyFile = config.age.secrets."wg-privkey-wg0".path;
-          ListenPort = 51235;
-        };
-        wireguardPeers = lib.singleton {
-          wireguardPeerConfig = {
-            PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
-            AllowedIPs = [
-              "10.3.3.3/32"
-              "fd42:9c3b:f96d:121::3/128"
-              "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
-            ];
-          };
-        };
-      };
-    };
-    networks =
-      let
-        subnet = name: subnetId: {
-          matchConfig.Name = name;
-          addresses = [
-            { addressConfig.Address = "${ipv4Prefix}.${subnetId}.1/24"; }
-            { addressConfig.Address = "${ulaPrefix}:${subnetId}::1/64"; }
-          ];
-          dhcpPrefixDelegationConfig = {
-            SubnetId = "auto";
-          };
-          ipv6Prefixes = [
-            {
-              ipv6PrefixConfig.Prefix = "${ulaPrefix}:${subnetId}::/64";
-            }
-          ];
-          dhcpServerConfig = {
-            DNS = "_server_address";
-            NTP = "_server_address";
-            EmitDNS = true;
-            EmitNTP = true;
-            EmitRouter = true;
-            PoolOffset = 100;
-            PoolSize = 100;
-          };
-          ipv6SendRAConfig = {
-            EmitDNS = true;
-            DNS = "_link_local";
-            EmitDomains = true; # takes search domains from the [Network]
-          };
-          linkConfig = {
-            RequiredForOnline = false;
-          };
-          networkConfig = {
-            Domains = domain;
-            EmitLLDP = "yes";
-            IPv6SendRA = true;
-            IPv6AcceptRA = false;
-            DHCPPrefixDelegation = true;
-            DHCPServer = true;
-          };
-          extraConfig = ''
-            [CAKE]
-            OverheadBytes = 38
-            Bandwidth = 1G
-            RTT = lan
-          '';
-        };
-      in
-      {
-        "10-mgmt" = lib.mkMerge [
-          (subnet "enp1s0" "100")
-          {
-            networkConfig.VLAN = [ "lan.10" "ff.11" ];
-            dhcpServerStaticLeases = [
-              {
-                # legion
-                dhcpServerStaticLeaseConfig = {
-                  Address = "192.168.100.107";
-                  MACAddress = "80:CC:9C:95:4A:60";
-                };
-              }
-              {
-                # danyal
-                dhcpServerStaticLeaseConfig = {
-                  Address = "192.168.100.108";
-                  MACAddress = "c8:9e:43:a3:3d:7f";
-                };
-              }
-            ];
-          }
-        ];
-        "30-wg0" = {
-          matchConfig.Name = "wg0";
-          address = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ];
-          DHCP = "no";
-          networkConfig.IPv6AcceptRA = false;
-          linkConfig.RequiredForOnline = false;
-          routes = [
-            { routeConfig = { Destination = "10.3.3.1/24"; }; }
-            { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
-          ];
-        };
-        "30-lan" = subnet "lan.10" "101" // {
-          dhcpServerStaticLeases = [
-            {
-              # ninurta
-              dhcpServerStaticLeaseConfig = {
-                Address = "192.168.101.184";
-                MACAddress = "48:21:0B:3E:9C:FE";
-              };
-            }
-            {
-              # crocell
-              dhcpServerStaticLeaseConfig = {
-                Address = "192.168.101.122";
-                MACAddress = "9C:C9:EB:4F:3F:0E";
-              };
-            }
-            {
-              # gorgon
-              dhcpServerStaticLeaseConfig = {
-                Address = "192.168.101.205";
-                MACAddress = "8C:C6:81:6A:39:2F";
-              };
-            }
-          ];
-        };
-
-        "30-ff" = subnet "ff.11" "102";
-
-        "30-ifb4ppp0" = {
-          name = "ifb4ppp0";
-          extraConfig = ''
-            [CAKE]
-            OverheadBytes = 65
-            Bandwidth = 100M
-            FlowIsolationMode = triple
-            RTT = internet
-          '';
-          linkConfig = {
-            RequiredForOnline = false;
-          };
-        };
-
-        "30-ppp0" = {
-          name = "ppp*";
-          linkConfig = {
-            RequiredForOnline = "routable";
-          };
-          networkConfig = {
-            KeepConfiguration = "static";
-            DefaultRouteOnDevice = true;
-            LinkLocalAddressing = "ipv6";
-            DHCP = "ipv6";
-          };
-          extraConfig = ''
-            [CAKE]
-            OverheadBytes = 65
-            Bandwidth = 40M
-            FlowIsolationMode = triple
-            NAT=true
-            RTT = internet
-
-            [DHCPv6]
-            PrefixDelegationHint= ::/56
-            UseAddress = false
-            UseDelegatedPrefix = true
-            WithoutRA = solicit
-
-            [DHCPPrefixDelegation]
-            UplinkInterface=:self
-          '';
-          ipv6SendRAConfig = {
-            # Let networkd know that we would very much like to use DHCPv6
-            # to obtain the "managed" information. Not sure why they can't
-            # just take that from the upstream RAs.
-            Managed = true;
-          };
-        };
-        # Talk to modem for management
-        "enp2s0" = {
-          name = "enp2s0";
-          linkConfig = {
-            RequiredForOnline = false;
-          };
-          networkConfig = {
-            Address = "192.168.1.254/24";
-            EmitLLDP = "yes";
-          };
-        };
-        "10-roadw" = {
-          matchConfig.Name = "roadw";
-          addresses = [
-            { addressConfig.Address = "${ipv4Prefix}.120.1/24"; }
-            { addressConfig.Address = "${ulaPrefix}:120::1/64"; }
-          ];
-          DHCP = "no";
-          networkConfig.IPv6AcceptRA = false;
-          linkConfig.RequiredForOnline = false;
-          routes = [
-            {
-              routeConfig = { Destination = "${ipv4Prefix}.120.1/24"; };
-            }
-            {
-              routeConfig = { Destination = "${ulaPrefix}::120:1/64"; };
-            }
-          ];
-        };
-      };
-  };
-
-  age.secrets."wg-privkey-vpn-dadada-li" = {
-    file = "${config.dadada.secrets.path}/wg-privkey-vpn-dadada-li.age";
-    owner = "systemd-network";
-  };
-
-  age.secrets."wg-privkey-wg0" = {
-    file = "${config.dadada.secrets.path}/agares-wg0-key.age";
-    owner = "systemd-network";
-  };
-
-  boot.kernel.sysctl = {
-    # Enable forwarding for interface
-    "net.ipv4.conf.all.forwarding" = "1";
-    "net.ipv6.conf.all.forwarding" = "1";
-    "net.ipv6.conf.all.accept_ra" = "0";
-    "net.ipv6.conf.all.autoconf" = "0";
-    # Set via systemd-networkd
-    #"net.ipv6.conf.${intf}.use_tempaddr" = "0";
-  };
-
-  powerManagement.cpuFreqGovernor = lib.mkDefault "schedutil";
-}

nixos/agares/ntp.nix

@@ -1,12 +0,0 @@
-{ ... }:
-{
-  services.chrony = {
-    enable = true;
-    extraConfig = ''
-      allow 192.168.1
-      allow 192.168.100
-      allow 192.168.101
-      allow 192.168.102
-    '';
-  };
-}

nixos/agares/ppp.nix

@@ -1,63 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  secretsPath = config.dadada.secrets.path;
-in
-{
-  # PPPoE
-  services.pppd = {
-    enable = true;
-    peers = {
-      telekom = {
-        enable = true;
-        autostart = true;
-        config = ''
-          debug
-
-          plugin pppoe.so enp2s0
-
-          noauth
-          hide-password
-          call telekom-secret
-
-          linkname ppp0
-
-          persist
-          maxfail 0
-          holdoff 5
-
-          noipdefault
-          defaultroute
-
-          lcp-echo-interval 15
-          lcp-echo-failure 3
-        '';
-      };
-    };
-  };
-
-  age.secrets."etc-ppp-telekom-secret" = {
-    file = "${secretsPath}/etc-ppp-telekom-secret.age";
-    owner = "root";
-    mode = "700";
-    path = "/etc/ppp/peers/telekom-secret";
-  };
-
-  age.secrets."etc-ppp-pap-secrets" = {
-    # format: client server passphrase
-    file = "${secretsPath}/etc-ppp-chap-secrets.age";
-    owner = "root";
-    mode = "700";
-    path = "/etc/ppp/pap-secrets";
-  };
-
-  # Hook for QoS via Intermediate Functional Block
-  environment.etc."ppp/ip-up" = {
-    mode = "755";
-    text = with lib; ''
-      #!/usr/bin/env sh
-      ${getBin pkgs.iproute2}/bin/tc qdisc del dev $1 ingress
-      ${getBin pkgs.iproute2}/bin/tc qdisc add dev $1 handle ffff: ingress
-      ${getBin pkgs.iproute2}/bin/tc filter add dev $1 parent ffff: matchall action mirred egress redirect dev ifb4ppp0
-    '';
-  };
-}

nixos/agares/rules.nft

@@ -1,136 +0,0 @@
-flush ruleset
-
-define IF_MGMT = "enp1s0"
-define IF_FF = "ff.11"
-define IF_LAN = "lan.10"
-define IF_WAN = "ppp0"
-
-# Modem uses this for internet uplink via our WAN
-define IF_MODEM = "enp2s0"
-
-define IF_ROADW = "roadw"
-
-table inet filter {
-  # Will give "no such file or directory if hardware does not support flow offloading"
-  # flowtable f {
-  #   hook ingress priority 0; devices = { enp1s0, enp2s0 }; flags offload;
-  # }
-
-  chain input_local {
-    ip6 saddr != ::1/128 log prefix "Dropped IPv6 nonlocalhost packet on loopback:" drop
-    accept comment "Accept traffic to loopback interface"
-  }
-
-  chain input_icmp_untrusted {
-    # Allow ICMP echo
-    ip protocol icmp icmp type { echo-request } limit rate 1000/second burst 5 packets accept comment "Accept echo request"
-
-    # Allow some ICMPv6
-    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } limit rate 1000/second burst 5 packets accept comment "Allow some ICMPv6"
-  }
-
-  chain input_modem {
-    jump input_icmp_untrusted
-  }
-
-  chain input_wan {
-    # DHCPv6 client
-    meta nfproto ipv6 udp sport 547 accept comment "Allow DHCPv6 client"
-
-    jump input_icmp_untrusted
-
-    udp dport 51234 accept comment "Wireguard roadwarriors"
-  }
-
-  chain input_lan {
-    counter accept comment "Accept all traffic from LAN"
-  }
-
-  chain input_mgmt {
-    counter accept comment "Accept all traffic from MGMT"
-  }
-
-  chain input_roadw {
-    counter accept comment "Accept all traffic from roadwarriors"
-  }
-
-  chain input_ff {
-    jump input_icmp_untrusted
-
-    # DHCP
-    meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client"
-
-    # Allow DNS and DHCP from Freifunk
-    udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
-  }
-
-  chain input_wg0 {
-    tcp dport 4949 accept comment "Munin node"
-  }
-
-  chain input {
-    type filter hook input priority filter; policy drop;
-
-    ct state {established, related} counter accept comment "Accept packets from established and related connections"
-    ct state invalid counter drop comment "Early drop of invalid packets"
-
-    iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, wg0 : jump input_wg0 }
-  }
-
-# Only works if hardware flow offloading is available
-#  chain offload {
-#    type filter hook forward priority -100; policy accept;
-#    ip protocol tcp flow add @f
-#    counter packets 0 bytes 0
-#  }
-
-  chain forward {
-    type filter hook forward priority filter; policy drop;
-
-    # Accept connections tracked by destination NAT
-    ct status dnat counter accept comment "Accept connections tracked by DNAT"
-
-    # TCP options
-    tcp flags syn tcp option maxseg size set rt mtu comment "Remove TCP maximum segment size and set a size based on route information"
-
-    # ICMPv6
-    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem } limit rate 5/second counter accept comment "Forward up to five ICMP messages of allowed types per second"
-    meta l4proto ipv6-icmp accept comment "Forward ICMP in IPv6"
-
-    # mgmt <-> *
-    iifname { $IF_LAN, $IF_ROADW } oifname $IF_MGMT counter reject comment "Reject traffic from LAN and roadwarrior to MGMT"
-    iifname $IF_MGMT oifname { $IF_LAN, $IF_ROADW } counter reject comment "Reject traffic from MGMT to LAN and roadwarrior"
-    # drop (instead of reject) everything else to MGMT
-
-    # LAN, ROADW -> * (except mgmt)
-    iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt"
-
-    # FF -> WAN
-    iifname { $IF_FF } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN"
-
-    # { WAN } -> { FF, LAN, RW }
-    iifname { $IF_WAN } oifname { $IF_FF, $IF_LAN, $IF_ROADW } ct state established,related counter accept comment "Allow established back from WAN"
-  }
-
-  chain output {
-    type filter hook output priority 100; policy accept;
-  }
-}
-
-table ip nat {
-  chain prerouting {
-    type nat hook prerouting priority dstnat; policy accept;
-  }
-
-  chain postrouting {
-    type nat hook postrouting priority srcnat; policy accept;
-    ip saddr { 192.168.96.0/19 } oifname { $IF_WAN } masquerade comment "Masquerade traffic from LANs"
-  }
-}
-
-table arp filter {
-  chain input {
-    type filter hook input priority filter; policy drop;
-    iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem"
-  }
-}

nixos/configurations.nix

@@ -1,74 +1,91 @@
-{ self
-, agenix
-, nixpkgs
-, home-manager
-, homepage
-, nixos-hardware
-, nixos-generators
-, ...
+{
+  self,
+  agenix,
+  disko,
+  home-manager,
+  homepage,
+  lanzaboote,
+  nixos-hardware,
+  nixos-generators,
+  nixpkgs,
+  ...
 }@inputs:
 let
-  nixosSystem = { system ? "x86_64-linux", extraModules ? [ ] }: nixpkgs.lib.nixosSystem {
-    inherit system;
-
-    modules = [{
-
-      nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
-    }] ++ (nixpkgs.lib.attrValues self.nixosModules) ++ [ agenix.nixosModules.age ] ++ extraModules;
+  # create a new instance allowing some unfree packages
+  nixpkgsx86 = import nixpkgs {
+    system = "x86_64-linux";
+    config.allowUnfreePredicate =
+      pkg:
+      builtins.elem (nixpkgs.lib.getName pkg) [
+        "aspell-dict-en-science"
+        "brgenml1lpr"
+        "saleae-logic-2"
+        "spotify"
+      ];
   };
+  nixosSystem = nixpkgs.lib.nixosSystem;
+  baseModule =
+    { lib, ... }:
+    {
+      _module.args.inputs = inputs;
+      imports = [
+        inputs.agenix.nixosModules.age
+        inputs.disko.nixosModules.disko
+        inputs.home-manager.nixosModules.home-manager
+        (
+          { pkgs, ... }:
+          {
+            dadada.homepage.package = homepage;
+            dadada.pkgs = inputs.self.packages.${pkgs.system};
+            dadada.inputs = inputs // {
+              dadada = inputs.self;
+            };
+          }
+        )
+        inputs.lanzaboote.nixosModules.lanzaboote
+      ]
+      ++ (lib.attrValues inputs.self.nixosModules);
+    };
+  homeModule = ./modules/profiles/home.nix;
 in
 {
-  gorgon = nixosSystem rec {
-    system = "x86_64-linux";
-
-    extraModules = [
-      {
-        nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
-        dadada.pkgs = self.packages.${system};
-        dadada.inputs = inputs // { dadada = self; };
-      }
-
-      nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
-
-      home-manager.nixosModules.home-manager
-      ({ pkgs, lib, ... }:
-        {
-          home-manager.useGlobalPkgs = true;
-          home-manager.useUserPackages = true;
-          home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [
-            { dadada.home.helix.package = pkgs.helix; }
-            { manual.manpages.enable = false; }
+  stolas = nixosSystem {
+    modules = [
+      { nixpkgs.pkgs = nixpkgsx86; }
+      baseModule
+      nixos-hardware.nixosModules.framework-amd-ai-300-series
+      homeModule
+      ./stolas
     ];
-          home-manager.users.dadada = import ../home;
-        })
+  };
+
+  gorgon = nixosSystem {
+    modules = [
+      { nixpkgs.pkgs = nixpkgsx86; }
+      baseModule
+      nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
+      homeModule
       ./gorgon/configuration.nix
     ];
   };
 
   surgat = nixosSystem {
-    system = "x86_64-linux";
-    extraModules = [
-      {
-        dadada.homepage.package = homepage;
-      }
-      ./modules/profiles/server.nix
+    modules = [
+      { nixpkgs.pkgs = nixpkgsx86; }
+      baseModule
       ./surgat/configuration.nix
     ];
   };
 
-  agares = nixosSystem {
-    extraModules = [
-      ./agares/configuration.nix
-    ];
-  };
-
-  installer = nixpkgs.lib.nixosSystem {
-    system = "x86_64-linux";
+  installer = nixosSystem {
     modules = [
       nixos-generators.nixosModules.install-iso
-      self.nixosModules.admin
+      inputs.self.nixosModules.admin
+      (
+        { lib, ... }:
         {
-        isoImage.isoName = nixpkgs.lib.mkForce "dadada-nixos-installer.iso";
+          nixpkgs.pkgs = nixpkgs.legacyPackages."x86_64-linux";
+          isoImage.isoName = lib.mkForce "dadada-nixos-installer.iso";
           networking.tempAddresses = "disabled";
           dadada.admin.enable = true;
           documentation.enable = true;
@@ -79,11 +96,14 @@ in
             keyMap = "us";
           };
         }
+      )
     ];
   };
 
   ninurta = nixosSystem {
-    extraModules = [
+    modules = [
+      { nixpkgs.pkgs = nixpkgsx86; }
+      baseModule
       ./ninurta/configuration.nix
     ];
   };

nixos/gorgon/configuration.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 let
+  secretsPath = config.dadada.secrets.path;
   xilinxJtag = pkgs.writeTextFile {
     name = "xilinx-jtag";
     text = ''
@@ -34,12 +36,23 @@ in
     ./hardware-configuration.nix
   ];
 
+  dadada.backupClient.bs.enable = false;
+  dadada.backupClient.backup1.enable = true;
   dadada.backupClient.backup2 = {
     enable = true;
     passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;
     sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
     repo = "u355513-sub1@u355513-sub1.your-storagebox.de:/home/backup";
   };
+  dadada.backupClient.gs = {
+    enable = true;
+    passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path;
+  };
+
+  age.secrets."${config.networking.hostName}-backup-passphrase-gs".file =
+    "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age";
+
+  programs.ssh.startAgent = true;
 
   nix.extraOptions = ''
     experimental-features = nix-command flakes
@@ -63,15 +76,14 @@ in
         };
       };
     };
-    kernel.sysctl = {
-      "vm.swappiness" = 90;
-    };
   };
 
+  zramSwap.enable = true;
+
   networking.hostName = "gorgon";
 
   dadada = {
-    steam.enable = true;
+    steam.enable = false;
     yubikey.enable = true;
   };
 
@@ -98,8 +110,13 @@ in
     passwordFile = config.age.secrets.paperless.path;
   };
 
-  systemd.tmpfiles.rules = let cfg = config.services.paperless; in [
-    (if cfg.consumptionDirIsPublic then
+  systemd.tmpfiles.rules =
+    let
+      cfg = config.services.paperless;
+    in
+    [
+      (
+        if cfg.consumptionDirIsPublic then
           "d '${cfg.consumptionDir}' 777 - - - -"
         else
           "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
@@ -117,6 +134,7 @@ in
     enable = true;
     browsing = true;
     drivers = with pkgs; [
+      config.dadada.pkgs.citizen-cups
       hplip
       brlaser
       brgenml1lpr
@@ -124,10 +142,28 @@ in
     ];
   };
 
+  #hardware.printers.ensurePrinters = [
+  #  {
+  #    name = "Brother_HL-L2300D";
+  #    model = "everywhere";
+  #    location = "BS";
+  #    deviceUri = "ipp://192.168.101.29:631/printers/Brother_HL-L2300D";
+  #  }
+  #];
+
   environment.systemPackages = with pkgs; [
-    chromium
     ghostscript
     smartmontools
+
+    dmenu
+    grim # screenshot functionality
+    slurp # screenshot functionality
+    #mako # notification system developed by swaywm maintainer
+    pulseaudio
+
+    # KDE apps
+    kdePackages.kmail
+    kdePackages.kmail-account-wizard
   ];
 
   networking.firewall = {
@@ -143,7 +179,16 @@ in
   systemd.services.modem-manager.enable = lib.mkForce false;
   systemd.services."dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;
 
-  services.udev.packages = [ xilinxJtag saleaeLogic keychron ]; #noMtpUdevRules ];
+  systemd.sleep.extraConfig = ''
+    HibernateDelaySec=1h
+  '';
+
+  services.udev.packages = [
+    xilinxJtag
+    saleaeLogic
+    keychron
+    pkgs.libsigrok
+  ]; # noMtpUdevRules ];
 
   virtualisation.libvirtd.enable = true;
 
@@ -155,7 +200,20 @@ in
   users.users = {
     dadada = {
       isNormalUser = true;
-      extraGroups = [ "wheel" "networkmanager" "libvirtd" "adbusers" "kvm" "video" "scanner" "lp" "docker" "dialout" "wireshark" "paperless" ];
+      extraGroups = [
+        "wheel"
+        "networkmanager"
+        "libvirtd"
+        "adbusers"
+        "kvm"
+        "video"
+        "scanner"
+        "lp"
+        "docker"
+        "dialout"
+        "wireshark"
+        "paperless"
+      ];
       shell = "/run/current-system/sw/bin/zsh";
     };
   };
@@ -164,46 +222,46 @@ in
     "127.0.0.2" = [ "kanboard.dadada.li" ];
   };
 
-  # https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html
-  systemd.timers.wg-reresolve-dns = {
-    wantedBy = [ "timers.target" ];
-    partOf = [ "wg-reresolve-dns.service" ];
-    timerConfig.OnCalendar = "hourly";
-  };
-
-  systemd.services.wg-reresolve-dns =
-    let
-      vpnPubKey = "x/y6I59buVzv9Lfzl+b17mGWbzxU+3Ke9mQNa1DLsDI=";
-    in
-    {
-      serviceConfig.Type = "oneshot";
-      script = ''
-        ${pkgs.wireguard-tools}/bin/wg set dadada peer ${vpnPubKey} endpoint vpn.dadada.li:51234 persistent-keepalive 25 allowed-ips fd42:9c3b:f96d::/48
-      '';
-    };
-
-  #networking.wg-quick.interfaces.mullvad = {
-  #  address = [ "10.68.15.202/32" "fc00:bbbb:bbbb:bb01::5:fc9/128" ];
-  #  privateKeyFile = "/var/lib/wireguard/mullvad";
-  #  peers = [
-  #    {
-  #      publicKey = "Ec/wwcosVal9Kjc97ZuTTV7Dy5c0/W5iLet7jrSEm2k=";
-  #      allowedIPs = [ "0.0.0.0/0" "::0/0" ];
-  #      endpoint = "193.27.14.66:51820";
-  #      persistentKeepalive = 25;
-  #    }
-  #  ];
-  #  postUp = "${pkgs.iproute2}/bin/ip rule add to 193.27.14.66 lookup main";
-  #};
-
   services.gnome.gnome-keyring.enable = lib.mkForce false;
   programs.gnupg.agent.enable = true;
 
-  services.xserver.enable = true;
-  services.xserver.desktopManager.gnome.enable = true;
-  services.xserver.displayManager.gdm.enable = true;
+  # KDE
+  services = {
+    desktopManager.plasma6.enable = true;
+    displayManager.sddm.enable = true;
+    displayManager.sddm.wayland.enable = true;
+  };
+  services.greetd = {
+    enable = false;
+    settings = {
+      default_session = {
+        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
+        user = "greeter";
+      };
+    };
+  };
+  systemd.user.services.kanshi = {
+    enable = false;
+    description = "kanshi daemon";
+    environment = {
+      WAYLAND_DISPLAY = "wayland-1";
+      DISPLAY = ":0";
+    };
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = ''${pkgs.kanshi}/bin/kanshi'';
+    };
+  };
+  # enable Sway window manager
+  programs.sway = {
+    enable = false;
+    wrapperFeatures.gtk = true;
+  };
+  programs.light.enable = true;
+  xdg.portal.wlr.enable = false;
+  hardware.bluetooth.enable = true;
 
-  hardware.opengl = {
+  hardware.graphics = {
     enable = true;
     extraPackages = with pkgs; [
       vaapiVdpau
@@ -211,5 +269,16 @@ in
     ];
   };
 
+  powerManagement = {
+    enable = true;
+    powertop.enable = true;
+    cpuFreqGovernor = "schedutil";
+    powerUpCommands = ''
+      echo 40 > /sys/class/power_supply/BAT0/charge_control_start_threshold
+      echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold
+    '';
+  };
+  services.tlp.enable = false;
+
   system.stateVersion = "23.11";
 }

nixos/gorgon/hardware-configuration.nix

@@ -1,17 +1,26 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config
-, lib
-, pkgs
-, modulesPath
-, ...
-}: {
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "ehci_pci"
+    "xhci_pci"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+  ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];

nixos/modules/admin.nix

@@ -1,11 +1,16 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.admin;
-  extraGroups = [ "wheel" "libvirtd" ];
+  extraGroups = [
+    "wheel"
+    "libvirtd"
+  ];
 
   shells = {
     "bash" = pkgs.bashInteractive;
@@ -16,22 +21,32 @@ with lib; let
   shellNames = builtins.attrNames shells;
 
   adminOpts =
-    { name
-    , config
-    , ...
-    }: {
+    {
+      name,
+      config,
+      ...
+    }:
+    {
       options = {
         keys = mkOption {
           type = types.listOf types.str;
           default = [ ];
-          apply = x: assert (builtins.length x > 0 || abort "Please specify at least one key to be able to log in"); x;
+          apply =
+            x:
+            assert (builtins.length x > 0 || abort "Please specify at least one key to be able to log in");
+            x;
           description = ''
             The keys that should be able to access the account.
           '';
         };
         shell = mkOption {
           type = types.nullOr types.str;
-          apply = x: assert (builtins.elem x shellNames || abort "Please specify one of ${builtins.toString shellNames}"); x;
+          apply =
+            x:
+            assert (
+              builtins.elem x shellNames || abort "Please specify one of ${builtins.toString shellNames}"
+            );
+            x;
           default = "zsh";
           defaultText = literalExpression "zsh";
           example = literalExpression "bash";
@@ -78,18 +93,15 @@ in
 
     services.sshd.enable = true;
     services.openssh.settings.PasswordAuthentication = false;
-    security.sudo.wheelNeedsPassword = false;
+    security.sudo.wheelNeedsPassword = lib.mkDefault false;
     services.openssh.openFirewall = true;
 
-    users.users =
-      mapAttrs
-        (user: keys: {
+    users.users = mapAttrs (user: keys: {
       shell = shells."${keys.shell}";
-          extraGroups = extraGroups;
+      extraGroups = lib.mkDefault extraGroups;
       isNormalUser = true;
       openssh.authorizedKeys.keys = keys.keys;
-        })
-        cfg.users;
+    }) cfg.users;
 
     nix.settings.trusted-users = builtins.attrNames cfg.users;
 

nixos/modules/backup.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   backupExcludes = [
     "/backup"
     "/dev"
@@ -156,7 +158,7 @@ in
       };
     };
 
-    services.borgbackup.jobs.backup1 = mkIf cfg.bs.enable {
+    services.borgbackup.jobs.backup1 = mkIf cfg.backup1.enable {
       paths = "/";
       exclude = backupExcludes;
       repo = "borg@backup1.dadada.li:/mnt/storage/backups/${config.networking.hostName}";

nixos/modules/borg-server.nix

@@ -1,6 +1,11 @@
 { config, lib, ... }:
 let
-  inherit (lib) mkEnableOption mkIf mkOption types;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    types
+    ;
   cfg = config.dadada.borgServer;
 in
 {
@@ -20,31 +25,49 @@ in
     services.borgbackup.repos = {
       "metis" = {
         allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis"
+        ];
         path = "${cfg.path}/metis";
         quota = "1T";
       };
       "gorgon" = {
         allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon"
+        ];
         path = "${cfg.path}/gorgon";
         quota = "1T";
       };
+      "stolas" = {
+        allowSubRepos = false;
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC/mVYd3o7oA0dsA58CgkqR40CSfeuU+rikleSrSXFz dadada@gorgon"
+        ];
+        path = "${cfg.path}/stolas";
+        quota = "1T";
+      };
       "surgat" = {
         allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat"
+        ];
         path = "${cfg.path}/surgat";
         quota = "50G";
       };
       "pruflas" = {
         allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas"
+        ];
         path = "${cfg.path}/pruflas";
         quota = "50G";
       };
       "wohnzimmerpi" = {
         allowSubRepos = false;
-        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi"
+        ];
         path = "${cfg.path}/wohnzimmerpi";
         quota = "50G";
       };

nixos/modules/ddns.nix

@@ -1,22 +1,34 @@
-{ config
-, pkgs
-, lib
-, ...
-}:
-with lib; let
-  cfg = config.dadada.ddns;
-  ddnsConfig = { domains, credentialsPath, interface }: {
-    systemd.timers = listToAttrs (forEach domains (domain:
-      nameValuePair "ddns-${domain}"
 {
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.dadada.ddns;
+  ddnsConfig =
+    {
+      domains,
+      credentialsPath,
+      interface,
+    }:
+    {
+      systemd.timers = listToAttrs (
+        forEach domains (
+          domain:
+          nameValuePair "ddns-${domain}" {
             wantedBy = [ "timers.target" ];
             partOf = [ "ddns-${domain}.service" ];
             timerConfig.OnCalendar = "hourly";
-        }));
+          }
+        )
+      );
 
-    systemd.services = listToAttrs (forEach domains (domain:
-      nameValuePair "ddns-${domain}"
-        {
+      systemd.services = listToAttrs (
+        forEach domains (
+          domain:
+          nameValuePair "ddns-${domain}" {
             serviceConfig = {
               Type = "oneshot";
               PrivateTmp = true;
@@ -42,10 +54,16 @@ with lib; let
 
               curl_url=$(url "$user" "$password" ${domain})
 
-            ${pkgs.curl}/bin/curl --ipv4 "$curl_url" ${if interface == null then "" else "--interface ${interface}"} || true
-            ${pkgs.curl}/bin/curl --ipv6 "$curl_url" ${if interface == null then "" else "--interface ${interface}"}
+              ${pkgs.curl}/bin/curl --ipv4 "$curl_url" ${
+                if interface == null then "" else "--interface ${interface}"
+              } || true
+              ${pkgs.curl}/bin/curl --ipv6 "$curl_url" ${
+                if interface == null then "" else "--interface ${interface}"
+              }
             '';
-        }));
+          }
+        )
+      );
     };
 in
 {

nixos/modules/default.nix

@@ -1,8 +1,16 @@
 { lib, ... }:
-with lib; let
-  modules' = dir: filterAttrs (name: type: (name != "default.nix" && name != "profiles" && ((hasSuffix ".nix" name) || (type == "directory"))))
-    (builtins.readDir dir);
-  modules = dir: mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}")))
-    (modules' dir);
+with lib;
+let
+  modules' =
+    dir:
+    filterAttrs (
+      name: type:
+      (name != "default.nix" && name != "profiles" && ((hasSuffix ".nix" name) || (type == "directory")))
+    ) (builtins.readDir dir);
+  modules =
+    dir:
+    mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}"))) (
+      modules' dir
+    );
 in
 (modules ./.)

nixos/modules/element.nix

@@ -1,7 +1,8 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 let
   cfg = config.dadada.element;

nixos/modules/fileShare.nix

@@ -1,8 +1,10 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.fileShare;
   sharePath = "/mnt/storage/share";
   ipv6 = "fd42:dead:beef::/48";

nixos/modules/gitea.nix

@@ -1,7 +1,8 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 let
   cfg = config.dadada.forgejo;
@@ -37,6 +38,11 @@ in
           LANDING_PAGE = "explore";
           OFFLINE_MODE = true;
           DISABLE_SSH = false;
+
+          # Use built-in SSH server
+          START_SSH_SERVER = true;
+          SSH_PORT = 22;
+
           DOMAIN = "git.dadada.li";
         };
         picture = {
@@ -69,6 +75,12 @@ in
       vmOverCommit = true;
     };
 
+    systemd.services.forgejo.serviceConfig = {
+      AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVICE";
+      CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";
+      PrivateUsers = lib.mkForce false;
+    };
+
     services.nginx.virtualHosts."git.${config.networking.domain}" = {
       enableACME = true;
       forceSSL = true;

nixos/modules/headphones.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.headphones;
 in
 {

nixos/modules/homepage.nix

@@ -1,11 +1,13 @@
-{ config
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
 let
   cfg = config.dadada.homepage;
 in
-with lib; {
+with lib;
+{
   options.dadada.homepage = {
     enable = mkEnableOption "Enable home page";
     package = mkOption {

nixos/modules/inputs.nix

@@ -1,7 +1,8 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 let
   cfg = config.dadada.inputs;

nixos/modules/nixpkgs.nix

@@ -1,3 +0,0 @@
-{
-  nixpkgs.config.allowUnfreePredicate = pkg: true;
-}

nixos/modules/profiles/backup.nix

@@ -4,7 +4,7 @@ let
 in
 {
   dadada.backupClient.bs = {
-    enable = lib.mkDefault true;
+    enable = lib.mkDefault false;
     passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;
     sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
   };
@@ -21,6 +21,8 @@ in
     sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
   };
 
-  age.secrets."${config.networking.hostName}-backup-passphrase".file = "${secretsPath}/${config.networking.hostName}-backup-passphrase.age";
-  age.secrets."${config.networking.hostName}-backup-ssh-key".file = "${secretsPath}/${config.networking.hostName}-backup-ssh-key.age";
+  age.secrets."${config.networking.hostName}-backup-passphrase".file =
+    "${secretsPath}/${config.networking.hostName}-backup-passphrase.age";
+  age.secrets."${config.networking.hostName}-backup-ssh-key".file =
+    "${secretsPath}/${config.networking.hostName}-backup-ssh-key.age";
 }

nixos/modules/profiles/base.nix

@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
   mkDefault = lib.mkDefault;
   inputs = config.dadada.inputs;
@@ -8,15 +13,26 @@ in
     ./upgrade-pg-cluster.nix
   ];
 
+  boot.tmp.useTmpfs = lib.mkDefault true;
+  boot.tmp.tmpfsSize = lib.mkDefault "50%";
+
   i18n.defaultLocale = mkDefault "en_US.UTF-8";
   console = mkDefault {
     font = "Lat2-Terminus16";
     keyMap = "us";
   };
 
+  i18n.supportedLocales = mkDefault [
+    "C.UTF-8/UTF-8"
+    "en_US.UTF-8/UTF-8"
+    "de_DE.UTF-8/UTF-8"
+  ];
+
   time.timeZone = mkDefault "Europe/Berlin";
 
-  nix.settings.substituters = [ https://cache.nixos.org/ ];
+  nix.package = pkgs.lix;
+
+  nix.settings.substituters = [ "https://cache.nixos.org/" ];
 
   nix.settings.trusted-public-keys = [
     "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
@@ -45,9 +61,14 @@ in
 
   services.resolved = {
     enable = mkDefault true;
-    fallbackDns = [ "9.9.9.9#dns.quad9.net" "2620:fe::fe:11#dns11.quad9.net" ];
+    fallbackDns = [
+      "9.9.9.9#dns.quad9.net"
+      "2620:fe::fe:11#dns11.quad9.net"
+    ];
   };
 
   programs.zsh.enable = mkDefault true;
-}
 
+  # Avoid some bots
+  services.openssh.ports = [ 2222 ];
+}

nixos/modules/profiles/cloud.nix

@@ -4,31 +4,49 @@ let
   initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key";
 in
 {
+  imports = [
+    ./server.nix
+  ];
+
   boot.initrd.availableKernelModules = [ "virtio-pci" ];
+
+  boot.kernelParams = [
+    # Wait forever for the filesystem root to show up
+    "rootflags=x-systemd.device-timeout=0"
+
+    # Wait forever to enter the LUKS passphrase via SSH
+    "rd.luks.options=timeout=0"
+  ];
   boot.initrd.network = {
     enable = true;
     ssh = {
       enable = true;
-      port = 22;
+      port = 2223;
       hostKeys = [
         config.age.secrets."${initrdHostKey}".path
       ];
-      authorizedKeys = with lib;
-        concatLists (mapAttrsToList
-          (name: user:
-            if elem "wheel" user.extraGroups then
-              user.openssh.authorizedKeys.keys
-            else
-              [ ])
-          config.users.users);
+      authorizedKeys =
+        with lib;
+        concatLists (
+          mapAttrsToList (
+            name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ]
+          ) config.users.users
+        );
     };
     postCommands = ''
       echo 'cryptsetup-askpass' >> /root/.profile
     '';
   };
 
+  assertions = lib.singleton {
+    assertion =
+      (config.boot.initrd.network.ssh.hostKeys != [ ])
+      -> config.boot.loader.supportsInitrdSecrets == true;
+    message = "Refusing to store private keys in store";
+  };
+
   age.secrets."${initrdHostKey}" = {
-    file = "${secretsPath}/${initrdHostKey}.age";
+    file = "${secretsPath}/initrd-${initrdHostKey}.age";
     mode = "600";
     path = "/etc/initrd/${initrdHostKey}";
     symlink = false;

nixos/modules/profiles/home.nix

@@ -0,0 +1,7 @@
+{ pkgs, inputs, ... }:
+{
+  home-manager.useGlobalPkgs = true;
+  home-manager.useUserPackages = true;
+  home-manager.sharedModules = pkgs.lib.attrValues inputs.self.hmModules;
+  home-manager.users.dadada = inputs.self.hmConfigurations.dadada;
+}

nixos/modules/profiles/laptop.nix

@@ -1,13 +1,13 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  lib,
+  ...
 }:
 let
   inputs = config.dadada.inputs;
-  secretsPath = config.dadada.secrets.path;
 in
-with lib; {
+with lib;
+{
   imports = [
     ./backup.nix
     ./base.nix
@@ -16,21 +16,16 @@ with lib; {
   networking.domain = mkDefault "dadada.li";
 
   services.fwupd.enable = mkDefault true;
-  programs.ssh.startAgent = true;
   programs.ssh.enableAskPassword = true;
   programs.nix-ld.enable = true;
 
-  nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value}") inputs;
-  nix.registry = lib.mapAttrs' (name: value: lib.nameValuePair name { flake = value; }) inputs;
+  nix.nixPath = mapAttrsToList (name: value: "${name}=${value}") inputs;
+  nix.registry = mkForce (mapAttrs' (name: value: nameValuePair name { flake = value; }) inputs);
   nix.settings.flake-registry = "${config.dadada.inputs.flake-registry}/flake-registry.json";
 
   age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
-  fonts.packages = mkDefault (with pkgs; [
-    source-code-pro
-  ]);
-
-  users.mutableUsers = mkDefault true;
+  users.mutableUsers = true;
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = mkDefault true;
@@ -52,12 +47,6 @@ with lib; {
     alsa.support32Bit = true;
     pulse.enable = true;
   };
-  hardware.pulseaudio.enable = false;
-
-  dadada.backupClient.gs = {
-    enable = true;
-    passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path;
-  };
-
-  age.secrets."${config.networking.hostName}-backup-passphrase-gs".file = "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age";
+  services.pulseaudio.enable = false;
+  security.sudo.wheelNeedsPassword = true;
 }

nixos/modules/profiles/server.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; {
+with lib;
+{
   imports = [
     ./backup.nix
     ./base.nix
@@ -16,15 +18,18 @@ with lib; {
   documentation.enable = mkDefault false;
   documentation.nixos.enable = mkDefault false;
 
-  services.btrfs.autoScrub.enable = mkDefault ((filterAttrs (name: fs: fs.fsType == "btrfs") config.fileSystems) != { });
+  services.btrfs.autoScrub.enable = mkDefault (
+    (filterAttrs (name: fs: fs.fsType == "btrfs") config.fileSystems) != { }
+  );
 
   services.journald.extraConfig = ''
     SystemKeepFree = 2G
+    MaxRetentionSec = 100days
   '';
 
   system.autoUpgrade = {
     enable = true;
-    flake = "github:dadada/nix-config#${config.networking.hostName}";
+    flake = "https://git.dadada.li/dadada/nix-config/archive/main.tar.gz#${config.networking.hostName}";
     allowReboot = mkDefault false;
     randomizedDelaySec = "45min";
   };

nixos/modules/profiles/upgrade-pg-cluster.nix

@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 {
   environment.systemPackages = lib.mkIf config.services.postgresql.enable [
     (

nixos/modules/share.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.share;
 in
 {

nixos/modules/steam.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.steam;
 in
 {
@@ -13,11 +15,8 @@ in
     };
   };
   config = mkIf cfg.enable {
-    nixpkgs.config.allowUnfree = true;
-
-    hardware.opengl = {
+    hardware.graphics = {
       enable = true;
-      driSupport32Bit = true;
       extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
     };
 

nixos/modules/sway.nix

@@ -1,40 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.dadada.sway;
-in
-{
-  options = {
-    dadada.sway.enable = lib.mkEnableOption "Enable sway";
-  };
-
-  config = lib.mkIf cfg.enable {
-    programs.sway = {
-      enable = true;
-      wrapperFeatures.gtk = true;
-      wrapperFeatures.base = true;
-      extraPackages = with pkgs; [
-        qt5.qtwayland
-        swayidle
-        xwayland
-        mako
-        kanshi
-        kitty
-        i3status
-        bemenu
-        xss-lock
-        swaylock
-        brightnessctl
-        playerctl
-      ];
-      extraSessionCommands = ''
-        export SDL_VIDEODRIVER=wayland
-        # needs qt5.qtwayland in systemPackages
-        export QT_QPA_PLATFORM=wayland
-        export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
-        # Fix for some Java AWT applications (e.g. Android Studio),
-        # use this if they aren't displayed properly:
-        export _JAVA_AWT_WM_NONREPARENTING=1
-      '';
-    };
-  };
-}

nixos/modules/vpnServer.nix

@@ -1,11 +1,15 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.vpnServer;
-  wgPeer = { name, ... }: {
+  wgPeer =
+    { name, ... }:
+    {
       options = {
         name = mkOption {
           internal = true;
@@ -41,13 +45,10 @@ in
         privateKeyFile = "/var/lib/wireguard/wg0-key";
         ips = [ "fd42:9c3b:f96d:0201::0/64" ];
         listenPort = 51234;
-        peers =
-          map
-            (peer: {
+        peers = map (peer: {
           allowedIPs = [ "fd42:9c3b:f96d:0201::${peer.id}/128" ];
           publicKey = peer.key;
-            })
-            (attrValues cfg.peers);
+        }) (attrValues cfg.peers);
         postSetup = ''
           wg set wg0 fwmark 51234
           ip -6 route add table 2468 fd42:9c3b:f96d::/48 dev ens3

nixos/modules/weechat.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.dadada.weechat;
 in
 {
@@ -34,7 +36,7 @@ in
       };
     };
     services.nginx.virtualHosts."weechat.dadada.li" = {
-      useACMEHost = "webchat.dadada.li";
+      enableACME = true;
       forceSSL = true;
 
       root = "${pkgs.nginx}/html";

nixos/modules/yubikey.nix

@@ -1,9 +1,11 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
-with lib; let
+with lib;
+let
   yubikey = config.dadada.yubikey;
 in
 {
@@ -32,7 +34,7 @@ in
       };
       u2f = {
         control = "sufficient";
-        cue = true;
+        settings.cue = true;
       };
     };
 
@@ -45,8 +47,7 @@ in
       #linuxPackages.acpi_call
       pam_u2f
       pamtester
-      yubikey-manager
-      yubikey-manager-qt
+      yubioath-flutter
     ];
   };
 }

nixos/ninurta/configuration.nix

@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   hostAliases = [
     "ifrit.dadada.li"
@@ -9,7 +14,6 @@ let
   uwuPrivKey = "pruflas-wg0-key";
   wgHydraPrivKey = "pruflas-wg-hydra-key";
   uwuPresharedKey = "pruflas-wg0-preshared-key";
-  hydraGitHubAuth = "hydra-github-authorization";
   initrdSshKey = "/etc/ssh/ssh_initrd_ed25519_key";
   softServePort = 23231;
 in
@@ -37,6 +41,11 @@ in
     };
   };
 
+  services.openssh.ports = [
+    22
+    2222
+  ];
+
   dadada.backupClient.bs.enable = false;
   dadada.backupClient.backup1.enable = false;
 
@@ -57,7 +66,9 @@ in
   boot.loader.efi.canTouchEfiVariables = true;
 
   assertions = lib.singleton {
-    assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true;
+    assertion =
+      (config.boot.initrd.network.ssh.hostKeys != [ ])
+      -> config.boot.loader.supportsInitrdSecrets == true;
     message = "Refusing to store private keys in store";
   };
 
@@ -137,51 +148,21 @@ in
     startAt = "daily";
   };
 
-  services.postgresqlBackup = {
-    enable = true;
-    backupAll = true;
-    compression = "zstd";
-    location = "/var/backup/postgresql";
-  };
-
   age.secrets."ninurta-backup-passphrase" = {
     file = "${secretsPath}/ninurta-backup-passphrase.age";
     mode = "400";
   };
 
-  age.secrets.${hydraGitHubAuth} = {
-    file = "${secretsPath}/${hydraGitHubAuth}.age";
-    mode = "440";
-    owner = "hydra-www";
-    group = "hydra";
-  };
-
-  services.hydra = {
-    enable = true;
-    package = pkgs.hydra-unstable;
-    hydraURL = "https://hydra.dadada.li";
-    notificationSender = "hydra@localhost";
-    buildMachinesFiles = [ ];
-    useSubstitutes = true;
-    port = 3000;
-    listenHost = "10.3.3.3";
-    extraConfig = ''
-      Include ${config.age.secrets."${hydraGitHubAuth}".path}
-
-      <githubstatus>
-        jobs = nix-config:main.*
-        inputs = nix-config
-        excludeBuildFromContext = 1
-        useShortContext = 1
-      </githubstatus>
-    '';
-  };
-
   nix.buildMachines = [
     {
       hostName = "localhost";
       system = "x86_64-linux";
-      supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
+      supportedFeatures = [
+        "kvm"
+        "nixos-test"
+        "big-parallel"
+        "benchmark"
+      ];
       maxJobs = 16;
     }
   ];
@@ -220,33 +201,38 @@ in
 
   services.snapper = {
     cleanupInterval = "1d";
-    snapshotInterval = "hourly";
+    snapshotInterval = "daily";
     configs.home = {
       SUBVOLUME = "/home";
       TIMELINE_CREATE = true;
       TIMELINE_CLEANUP = true;
-      TIMELINE_LIMIT_HOURLY = 24;
-      TIMELINE_LIMIT_DAILY = 13;
-      TIMELINE_LIMIT_WEEKLY = 6;
-      TIMELINE_LIMIT_MONTHLY = 3;
+      TIMELINE_MIN_AGE = "1800";
+      TIMELINE_LIMIT_HOURLY = "5";
+      TIMELINE_LIMIT_DAILY = "7";
+      TIMELINE_LIMIT_WEEKLY = "0";
+      TIMELINE_LIMIT_MONTHLY = "0";
+      TIMELINE_LIMIT_YEARLY = "0";
     };
     configs.var = {
       SUBVOLUME = "/var";
       TIMELINE_CREATE = true;
       TIMELINE_CLEANUP = true;
-      TIMELINE_LIMIT_HOURLY = 24;
-      TIMELINE_LIMIT_DAILY = 13;
-      TIMELINE_LIMIT_WEEKLY = 6;
-      TIMELINE_LIMIT_MONTHLY = 3;
+      TIMELINE_MIN_AGE = "1800";
+      TIMELINE_LIMIT_HOURLY = "5";
+      TIMELINE_LIMIT_DAILY = "7";
+      TIMELINE_LIMIT_WEEKLY = "0";
+      TIMELINE_LIMIT_MONTHLY = "0";
+      TIMELINE_LIMIT_YEARLY = "0";
     };
     configs.storage = {
       SUBVOLUME = "/mnt/storage";
       TIMELINE_CREATE = true;
       TIMELINE_CLEANUP = true;
-      TIMELINE_LIMIT_HOURLY = 24;
-      TIMELINE_LIMIT_DAILY = 13;
-      TIMELINE_LIMIT_WEEKLY = 6;
-      TIMELINE_LIMIT_MONTHLY = 3;
+      TIMELINE_LIMIT_HOURLY = "10";
+      TIMELINE_LIMIT_DAILY = "10";
+      TIMELINE_LIMIT_WEEKLY = "10";
+      TIMELINE_LIMIT_MONTHLY = "10";
+      TIMELINE_LIMIT_YEARLY = "10";
     };
   };
 
@@ -271,6 +257,48 @@ in
       };
       "10-lan" = {
         matchConfig.Name = "enp*";
+        bridge = [ "br0" ];
+      };
+      "30-wg0" = {
+        matchConfig.Name = "wg0";
+        address = [
+          "10.3.3.3/32"
+          "fd42:9c3b:f96d:121::3/128"
+        ];
+        DHCP = "no";
+        networkConfig.IPv6AcceptRA = false;
+        linkConfig.RequiredForOnline = false;
+        routes = [
+          {
+            Destination = "10.3.3.1/24";
+          }
+          {
+            Destination = "fd42:9c3b:f96d:121::1/64";
+          }
+        ];
+      };
+      "30-uwu" = {
+        matchConfig.Name = "uwu";
+        address = [
+          "10.11.0.39/24"
+          "fc00:1337:dead:beef::10.11.0.39/128"
+        ];
+        dns = [ "10.11.0.1%uwu#uwu" ];
+        domains = [ "uwu" ];
+        DHCP = "no";
+        networkConfig.IPv6AcceptRA = false;
+        linkConfig.RequiredForOnline = false;
+        routes = [
+          {
+            Destination = "10.11.0.0/22";
+          }
+          {
+            Destination = "fc00:1337:dead:beef::10.11.0.0/118";
+          }
+        ];
+      };
+      "20-br0" = {
+        matchConfig.Name = "br0";
         networkConfig.DHCP = "ipv4";
         networkConfig.Domains = [ "bs.dadada.li" ];
         networkConfig.VLAN = [ ];
@@ -286,32 +314,14 @@ in
           UseDNS = true;
         };
       };
-      "30-wg0" = {
-        matchConfig.Name = "wg0";
-        address = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" ];
-        DHCP = "no";
-        networkConfig.IPv6AcceptRA = false;
-        linkConfig.RequiredForOnline = false;
-        routes = [
-          { routeConfig = { Destination = "10.3.3.1/24"; }; }
-          { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
-        ];
-      };
-      "30-uwu" = {
-        matchConfig.Name = "uwu";
-        address = [ "10.11.0.39/24" "fc00:1337:dead:beef::10.11.0.39/128" ];
-        dns = [ "10.11.0.1%uwu#uwu" ];
-        domains = [ "uwu" ];
-        DHCP = "no";
-        networkConfig.IPv6AcceptRA = false;
-        linkConfig.RequiredForOnline = false;
-        routes = [
-          { routeConfig = { Destination = "10.11.0.0/22"; }; }
-          { routeConfig = { Destination = "fc00:1337:dead:beef::10.11.0.0/118"; }; }
-        ];
-      };
     };
     netdevs = {
+      "20-br0" = {
+        netdevConfig = {
+          Kind = "bridge";
+          Name = "br0";
+        };
+      };
       "20-wg0" = {
         netdevConfig = {
           Kind = "wireguard";
@@ -323,19 +333,21 @@ in
         };
         wireguardPeers = [
           {
-            wireguardPeerConfig = {
             PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
-              AllowedIPs = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ];
+            AllowedIPs = [
+              "10.3.3.1/32"
+              "fd42:9c3b:f96d:121::1/128"
+            ];
             PersistentKeepalive = 25;
             Endpoint = "surgat.dadada.li:51235";
-            };
           }
           {
-            wireguardPeerConfig = {
             PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU=";
-              AllowedIPs = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ];
+            AllowedIPs = [
+              "10.3.3.2/32"
+              "fd42:9c3b:f96d:121::2/128"
+            ];
             Endpoint = "192.168.101.1:51235";
-            };
           }
         ];
       };
@@ -347,15 +359,19 @@ in
         wireguardConfig = {
           PrivateKeyFile = config.age.secrets.${uwuPrivKey}.path;
         };
-        wireguardPeers = [{
-          wireguardPeerConfig = {
+        wireguardPeers = [
+          {
             PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
-            AllowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
+            AllowedIPs = [
+              "10.11.0.0/22"
+              "fc00:1337:dead:beef::10.11.0.0/118"
+              "192.168.178.0/23"
+            ];
             PersistentKeepalive = 25;
             PresharedKeyFile = config.age.secrets.${uwuPresharedKey}.path;
             Endpoint = "53c70r.de:51820";
-          };
-        }];
+          }
+        ];
       };
     };
   };
@@ -364,16 +380,21 @@ in
     enable = true;
     allowPing = true;
     allowedTCPPorts = [
-      22 # SSH
-      80 # munin web
-      631 # Printing
+      2222 # SSH
     ];
     allowedUDPPorts = [
-      631 # Printing
       51234 # Wireguard
       51235 # Wireguard
     ];
     interfaces = {
+      br0.allowedTCPPorts = [
+        22 # SSH
+        80 # munin web
+        631 # IPP
+      ];
+      br0.allowedUDPPorts = [
+        631 # IPP
+      ];
       uwu.allowedTCPPorts = [
         softServePort
       ];
@@ -388,30 +409,6 @@ in
   networking.networkmanager.enable = false;
   networking.useDHCP = false;
 
-  # Desktop things for media playback
-
-  services.xserver.enable = true;
-  services.xserver.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome = {
-    enable = true;
-    extraGSettingsOverridePackages = with pkgs; [ gnome3.gnome-settings-daemon ];
-    extraGSettingsOverrides = ''
-      [org.gnome.desktop.screensaver]
-      lock-delay=uint32 30
-      lock-enabled=true
-
-      [org.gnome.desktop.session]
-      idle-delay=uint32 0
-
-      [org.gnome.settings-daemon.plugins.power]
-      idle-dim=false
-      power-button-action='interactive'
-      power-saver-profile-on-low-battery=false
-      sleep-inactive-ac-type='nothing'
-      sleep-inactive-battery-type='nothing'
-    '';
-  };
-
   powerManagement = {
     enable = true;
     cpuFreqGovernor = "powersave";
@@ -422,15 +419,6 @@ in
     # Configure the disks to spin down after 10 min of inactivity.
   };
 
-  security.rtkit.enable = true;
-
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-  };
-
   services.udev.packages = [
     (pkgs.writeTextFile {
       name = "60-hdparm";
@@ -441,24 +429,13 @@ in
     })
   ];
 
-  hardware.pulseaudio.enable = false;
+  services.pulseaudio.enable = false;
 
   environment.systemPackages = with pkgs; [
-    firefox
-    spotify
-    mpv
     smartmontools
     hdparm
   ];
 
-  users.users."media" = {
-    isNormalUser = true;
-    description = "Media playback user";
-    extraGroups = [ "users" "video" ];
-    # allow anyone with physical access to log in
-    password = "media";
-  };
-
   users.users."backup-keepassxc" = {
     home = "/mnt/storage/backups/backup-keepassxc";
     isNormalUser = true;

nixos/ninurta/hardware-configuration.nix

@@ -1,21 +1,33 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
 
 {
-  imports =
-    [
+  imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = [ "igc" "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "igc"
+    "xhci_pci"
+    "thunderbolt"
+    "ahci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    {
+  fileSystems."/" = {
     device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
     fsType = "btrfs";
     options = [ "compress=zstd" ];
@@ -23,66 +35,80 @@
 
   boot.initrd.luks.devices."luks".device = "/dev/disk/by-uuid/bac4ee0e-e393-414f-ac3e-1ec20739abae";
 
-  fileSystems."/swap" =
-    {
+  fileSystems."/swap" = {
     device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
     fsType = "btrfs";
-      options = [ "subvol=swap" "noatime" ];
+    options = [
+      "subvol=swap"
+      "noatime"
+    ];
   };
 
-  fileSystems."/nix" =
-    {
+  fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
     fsType = "btrfs";
-      options = [ "subvol=nix" "noatime" "compress=zstd" ];
+    options = [
+      "subvol=nix"
+      "noatime"
+      "compress=zstd"
+    ];
   };
 
-  fileSystems."/var" =
-    {
+  fileSystems."/var" = {
     device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
     fsType = "btrfs";
-      options = [ "subvol=var" "compress=zstd" ];
+    options = [
+      "subvol=var"
+      "compress=zstd"
+    ];
   };
 
-  fileSystems."/home" =
-    {
+  fileSystems."/home" = {
     device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
     fsType = "btrfs";
-      options = [ "subvol=home" "compress=zstd" ];
+    options = [
+      "subvol=home"
+      "compress=zstd"
+    ];
   };
 
-  fileSystems."/root" =
-    {
+  fileSystems."/root" = {
     device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
     fsType = "btrfs";
-      options = [ "subvol=root" "compress=zstd" ];
+    options = [
+      "subvol=root"
+      "compress=zstd"
+    ];
   };
 
-  fileSystems."/boot" =
-    {
+  fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/2E20-49CB";
     fsType = "vfat";
   };
 
-  swapDevices = [{
+  swapDevices = [
+    {
       device = "/swap/swapfile";
       size = 32 * 1024; # 32 GByte
-  }];
+    }
+  ];
 
-
-  fileSystems."/mnt/storage" =
-    {
+  fileSystems."/mnt/storage" = {
     device = "/dev/disk/by-uuid/ce483e75-5886-4b03-a3f9-675b80560ac9";
     fsType = "btrfs";
-      options = [ "subvol=root" "compress=zstd" ];
+    options = [
+      "subvol=root"
+      "compress=zstd"
+    ];
   };
 
-
-  fileSystems."/mnt/storage/backups" =
-    {
+  fileSystems."/mnt/storage/backups" = {
     device = "/dev/disk/by-uuid/ce483e75-5886-4b03-a3f9-675b80560ac9";
     fsType = "btrfs";
-      options = [ "subvol=backups" "noatime" ];
+    options = [
+      "subvol=backups"
+      "noatime"
+    ];
   };
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

nixos/ninurta/monitoring.nix

@@ -19,9 +19,6 @@
 
       [surgat]
         address 10.3.3.1
-
-      [agares]
-        address 10.3.3.2
     '';
   };
   services.munin-node.enable = true;

nixos/ninurta/printing.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ cfg, pkgs, ... }:
 {
   hardware = {
     printers = {
@@ -29,10 +29,13 @@
 
   services.printing = {
     enable = true;
-    drivers = [ pkgs.brlaser ];
+    drivers = [
+      pkgs.brlaser
+      pkgs.gutenprint
+    ];
     # Remove all state at the start of the service
     stateless = true;
-    listenAddresses = [ "192.168.101.184:631" "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe:631" ];
+    listenAddresses = [ "192.168.101.29:631" ];
     allowFrom = [ "from 192.168.101.0/24" ];
     browsing = true;
     defaultShared = true;

nixos/stolas/default.nix

@@ -0,0 +1,205 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+
+  imports = [
+    ../modules/profiles/laptop.nix
+    ./disks.nix
+    ./paperless.nix
+  ];
+
+  boot = {
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+    kernelModules = [ "kvm-amd" ];
+    # Hopefully fixes suspend issues with wifi card
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelParams = [
+      "resume=UUID=81dfbfa5-d578-479c-b11c-3ee5abd6848a"
+      "resume_offset=79859524"
+      "zswap.enabled=1"
+    ];
+    extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ];
+    # Lanzaboote currently replaces the systemd-boot module.
+    # This setting is usually set to true in configuration.nix
+    # generated at installation time. So we force it to false
+    # for now.
+    loader.systemd-boot.enable = lib.mkForce false;
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "thunderbolt"
+        "usb_storage"
+        "sd_mod"
+      ];
+      # Ensure that TPM module is loaded
+      kernelModules = [ "tpm" ];
+    };
+  };
+
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+
+  hardware = {
+    # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features
+    bluetooth.enable = true;
+    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    enableRedistributableFirmware = true;
+    framework.laptop13.audioEnhancement.enable = true;
+    graphics = {
+      enable = true;
+      extraPackages = with pkgs; [
+        vaapiVdpau
+        libvdpau-va-gl
+      ];
+    };
+  };
+
+  powerManagement = {
+    enable = true;
+    cpuFreqGovernor = "schedutil";
+  };
+
+  networking = {
+    hostName = "stolas";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22000 # Syncthing
+      ];
+      allowedUDPPorts = [
+        21027 # Syncthing
+      ];
+    };
+  };
+
+  nix = {
+    settings.max-jobs = lib.mkDefault 16;
+  };
+
+  dadada = {
+    admin.enable = true;
+    backupClient.gs.enable = false;
+    backupClient.backup1.enable = true;
+    backupClient.backup2 = {
+      enable = true;
+      repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup";
+    };
+  };
+
+  programs = {
+    adb.enable = true;
+    firefox = {
+      enable = true;
+      package = pkgs.firefox-wayland;
+    };
+    gnupg.agent.enable = true;
+    ssh.startAgent = true;
+    wireshark.enable = true;
+  };
+
+  services = {
+    avahi.enable = true;
+    desktopManager.plasma6.enable = true;
+    displayManager = {
+      sddm.enable = true;
+      sddm.wayland.enable = true;
+    };
+    gnome.gnome-keyring.enable = lib.mkForce false;
+    smartd.enable = true;
+    printing = {
+      enable = true;
+      browsing = true;
+    };
+    tlp.enable = false;
+    snapper = {
+      cleanupInterval = "1d";
+      snapshotInterval = "hourly";
+      configs = {
+        home = {
+          SUBVOLUME = "/home/dadada";
+          ALLOW_USERS = [ "dadada" ];
+          TIMELINE_CREATE = true;
+          TIMELINE_CLEANUP = true;
+          TIMELINE_MIN_AGE = "1800";
+          TIMELINE_LIMIT_HOURLY = "5";
+          TIMELINE_LIMIT_DAILY = "7";
+          TIMELINE_LIMIT_WEEKLY = "0";
+          TIMELINE_LIMIT_MONTHLY = "0";
+          TIMELINE_LIMIT_YEARLY = "0";
+        };
+        var = {
+          SUBVOLUME = "/var";
+          TIMELINE_CREATE = true;
+          TIMELINE_CLEANUP = true;
+          TIMELINE_MIN_AGE = "1800";
+          TIMELINE_LIMIT_HOURLY = "5";
+          TIMELINE_LIMIT_DAILY = "7";
+          TIMELINE_LIMIT_WEEKLY = "0";
+          TIMELINE_LIMIT_MONTHLY = "0";
+          TIMELINE_LIMIT_YEARLY = "0";
+        };
+        paperless = {
+          SUBVOLUME = "/var/lib/paperless";
+          TIMELINE_CREATE = true;
+          TIMELINE_CLEANUP = true;
+          TIMELINE_MIN_AGE = "3600";
+          TIMELINE_LIMIT_HOURLY = "10";
+          TIMELINE_LIMIT_DAILY = "10";
+          TIMELINE_LIMIT_WEEKLY = "10";
+          TIMELINE_LIMIT_MONTHLY = "10";
+          TIMELINE_LIMIT_YEARLY = "10";
+        };
+      };
+    };
+  };
+
+  system = {
+    stateVersion = "25.05";
+  };
+
+  systemd.services = {
+    modem-manager.enable = lib.mkForce false;
+    "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;
+  };
+
+  systemd.tmpfiles.rules = [
+    "v /var/.snapshots 0755 root root - -"
+    "v /var/paperless/.snapshots 0755 root root - -"
+    "v /home/dadada/.snapshots 0755 root root - -"
+  ];
+
+  virtualisation.libvirtd.enable = true;
+
+  users = {
+    users = {
+      dadada = {
+        initialHashedPassword = "$y$j9T$43qGBeY6hg6AXQmcVkS131$6AeRDOe6XAnmgA/AkJGaSIYTj5dbQLd9vrQ7zSyi5TA";
+        isNormalUser = true;
+        extraGroups = [
+          "wheel"
+          "networkmanager"
+          "libvirtd"
+          "adbusers"
+          "kvm"
+          "video"
+          "scanner"
+          "lp"
+          "docker"
+          "dialout"
+          "wireshark"
+          "paperless"
+        ];
+      };
+    };
+  };
+}

nixos/stolas/disks.nix

@@ -0,0 +1,100 @@
+{
+  disko.devices = {
+    nodev."/nix/var/nix/builds" = {
+      fsType = "tmpfs";
+      mountOptions = [
+        "size=80%"
+        "defaults"
+        "mode=755"
+      ];
+    };
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                settings = {
+                  allowDiscards = true;
+                  crypttabExtraOpts = [
+                    "tpm2-device=auto"
+                    "tpm2-pin=true"
+                  ];
+                };
+                #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  subvolumes = {
+                    "/root" = {
+                      mountpoint = "/";
+                      mountOptions = [
+                        "compress=zstd"
+                        "relatime"
+                      ];
+                    };
+                    "/home" = {
+                      mountpoint = "/home";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "/dadada" = {
+                      mountpoint = "/home/dadada";
+                      mountOptions = [
+                        "compress=zstd"
+                        "relatime"
+                      ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "/var" = {
+                      mountpoint = "/var";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "/paperless" = {
+                      mountpoint = "/var/lib/paperless";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "/swap" = {
+                      mountpoint = "/.swapvol";
+                      swap.swapfile.size = "128G";
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixos/stolas/paperless.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+{
+  services.paperless = {
+    # TODO migrate DB
+    enable = true;
+    passwordFile = config.age.secrets.paperless.path;
+  };
+  systemd.tmpfiles.rules =
+    let
+      cfg = config.services.paperless;
+    in
+    [
+      (
+        if cfg.consumptionDirIsPublic then
+          "d '${cfg.consumptionDir}' 777 - - - -"
+        else
+          "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+      )
+    ];
+
+  age.secrets = {
+    paperless = {
+      file = "${config.dadada.secrets.path}/paperless.age";
+      mode = "700";
+      owner = "paperless";
+    };
+  };
+}

nixos/surgat/configuration.nix

@@ -1,6 +1,7 @@
-{ config
-, pkgs
-, ...
+{
+  config,
+  pkgs,
+  ...
 }:
 let
   hostName = "surgat";
@@ -42,7 +43,7 @@ in
   dadada.element.enable = true;
   dadada.forgejo.enable = true;
   dadada.miniflux.enable = true;
-  dadada.weechat.enable = true;
+  dadada.weechat.enable = false;
   dadada.homepage.enable = true;
   dadada.share.enable = true;
   dadada.backupClient = {
@@ -73,26 +74,33 @@ in
           "2a01:4f8:c17:1d70::/64"
         ];
         routes = [
-          { routeConfig.Gateway = "fe80::1"; }
+          { Gateway = "fe80::1"; }
           {
-            routeConfig = {
             Gateway = "172.31.1.1";
             GatewayOnLink = true;
-            };
           }
         ];
         linkConfig.RequiredForOnline = "routable";
       };
       "10-ninurta" = {
         matchConfig.Name = "ninurta";
-        address = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ];
+        address = [
+          "10.3.3.1/32"
+          "fd42:9c3b:f96d:121::1/128"
+        ];
         DHCP = "no";
         networkConfig.IPv6AcceptRA = false;
         linkConfig.RequiredForOnline = "no";
         routes = [
-          { routeConfig = { Destination = "10.3.3.3/24"; }; }
-          { routeConfig = { Destination = "fd42:9c3b:f96d:121::/64"; }; }
-          { routeConfig = { Destination = "fd42:9c3b:f96d:101::/64"; }; }
+          {
+            Destination = "10.3.3.3/24";
+          }
+          {
+            Destination = "fd42:9c3b:f96d:121::/64";
+          }
+          {
+            Destination = "fd42:9c3b:f96d:101::/64";
+          }
         ];
       };
     };
@@ -106,12 +114,16 @@ in
           PrivateKeyFile = "/var/lib/wireguard/hydra";
           ListenPort = 51235;
         };
-        wireguardPeers = [{
-          wireguardPeerConfig = {
+        wireguardPeers = [
+          {
             PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
-            AllowedIPs = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" ];
-          };
-        }];
+            AllowedIPs = [
+              "10.3.3.3/32"
+              "fd42:9c3b:f96d:121::3/128"
+              "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
+            ];
+          }
+        ];
       };
     };
   };
@@ -137,16 +149,16 @@ in
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
 
-  swapDevices = [
-    {
-      device = "/var/swapfile";
-      size = 4096;
-    }
+  boot.kernelParams = [
+    "ip=49.12.3.98::172.31.1.1:255.255.255.255:surgat::dhcp"
   ];
 
   services.resolved = {
     enable = true;
-    fallbackDns = [ "9.9.9.9" "2620:fe::fe" ];
+    fallbackDns = [
+      "9.9.9.9"
+      "2620:fe::fe"
+    ];
   };
 
   system.autoUpgrade.allowReboot = false;

nixos/surgat/hardware-configuration.nix

@@ -1,17 +1,25 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config
-, lib
-, pkgs
-, modulesPath
-, ...
-}: {
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "virtio_pci"
+    "xhci_pci"
+    "sd_mod"
+    "sr_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];

outputs.nix

@@ -1,18 +1,17 @@
-# Adapted from Mic92/dotfiles
-{ self
-, flake-utils
-, flake-registry
-, homepage
-, nixpkgs
-, home-manager
-, nixos-hardware
-, agenix
-, devshell
-, ...
+{
+  self,
+  flake-utils,
+  nixpkgs,
+  agenix,
+  devshell,
+  treefmt-nix,
+  ...
 }@inputs:
-(flake-utils.lib.eachDefaultSystem (system:
+(flake-utils.lib.eachDefaultSystem (
+  system:
   let
-    pkgs = import nixpkgs { inherit system; };
+    pkgs = nixpkgs.legacyPackages.${system};
+    treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
   in
   {
     devShells.default =
@@ -28,23 +27,22 @@
       in
       import ./devshell.nix { inherit pkgs extraModules; };
 
-    formatter = pkgs.nixpkgs-fmt;
+    checks = {
+      formatting = treefmtEval.config.build.check self;
+    };
+
+    formatter = treefmtEval.config.build.wrapper;
 
     packages = import ./pkgs { inherit pkgs; } // {
-      installer-iso = self.nixosConfigurations.installer.config.system.build.isoImage;
+      installer-iso = inputs.self.nixosConfigurations.installer.config.system.build.isoImage;
     };
-  }))
-  // {
-
-  hmModules = import ./home/modules.nix { lib = nixpkgs.lib; };
-
-  nixosConfigurations = import ./nixos/configurations.nix inputs;
-
-  nixosModules = import ./nixos/modules { lib = nixpkgs.lib; };
-
-  overlays = import ./overlays.nix;
-
-  hydraJobs = import ./hydra-jobs.nix inputs;
-
-  checks = import ./checks.nix inputs;
+  }
+))
+// {
+  hmModules = import ./home/modules.nix { lib = nixpkgs.lib; };
+  hmConfigurations = {
+    dadada = import ./home;
+  };
+  nixosConfigurations = import ./nixos/configurations.nix inputs;
+  nixosModules = import ./nixos/modules { lib = nixpkgs.lib; };
 }

overlays.nix

@@ -1,23 +0,0 @@
-{
-  kanboard = final: prev: {
-    kanboard = prev.kanboard.overrideAttrs (oldAttrs: {
-      src = prev.fetchFromGitHub {
-        owner = "kanboard";
-        repo = "kanboard";
-        rev = "v${oldAttrs.version}";
-        sha256 = "sha256-WG2lTPpRG9KQpRdb+cS7CqF4ZDV7JZ8XtNqAI6eVzm0=";
-      };
-    });
-  };
-
-  recipemd = final: prev: {
-    pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
-      (
-        python-final: python-prev: {
-          recipemd = python-final.callPackage ./pkgs/recipemd.nix { };
-        }
-      )
-    ];
-    recipemd = prev.python3Packages.toPythonApplication final.python3Packages.recipemd;
-  };
-}

pkgs/citizen-cups.nix

@@ -0,0 +1,70 @@
+{
+  cups,
+  fetchzip,
+  lib,
+  stdenv,
+  rpm,
+}:
+
+let
+  version = "1.2.8";
+in
+stdenv.mkDerivation {
+  inherit version;
+  name = "citizen-cups";
+  pname = "citizen-cups";
+
+  src = fetchzip {
+    url = "https://www.citizen-systems.com/resource/support/POS/Generic_Printer_Files/CUPS_Linux_Driver/CUPS_Linux_Driver.zip";
+    hash = "sha256-2ha24/7oS/rINKmYxyVryX66kkc6niCChxhw/2KOPSw=";
+  };
+
+  nativeBuildInputs = [
+    rpm
+  ];
+
+  buildInputs = [
+    cups
+  ];
+
+  postUnpack = ''
+    pushd source
+    ls -la
+    rpm2archive ctzpos-cups-1.2.8-0.src.rpm
+    tar xvf ctzpos-cups-1.2.8-0.src.rpm.tgz
+    tar xvf ctzpos-cups-1.2.8.tar.bz2
+    popd
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+    pushd "ctzpos-cups-${version}";
+    gcc -Wl,-rpath,/usr/lib -Wall -fPIC -O2 -o rastertocbm1k rastertocbm1k.c -lcupsimage -lcups
+    gcc -Wl,-rpath,/usr/lib -Wall -fPIC -O2 -o rastertocds500 rastertocds500.c -lcupsimage -lcups
+    gcc -Wl,-rpath,/usr/lib -Wall -fPIC -O2 -o rastertocts2kl rastertocts2kl.c -lcupsimage -lcups
+    popd
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/cups/filter
+    install -D -m 755 ./ctzpos-cups-${version}/rastertocbm1k  $out/lib/cups/filter/rastertocbm1k
+    install -D -m 755 ./ctzpos-cups-${version}/rastertocds500 $out/lib/cups/filter/rastertocds500
+    install -D -m 755 ./ctzpos-cups-${version}/rastertocts2kl $out/lib/cups/filter/rastertocts2kl
+
+    mkdir -p $out/share/cups/model/citizen
+    install -D -m 644 ./ctzpos-cups-${version}/*.ppd $out/share/cups/model/citizen
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Citizen CUPS drivers and filters";
+    homepage = "https://www.citizen-systems.com";
+    #license = licenses.unfreeRedistributable;
+    maintainers = with maintainers; [ dadada ];
+    platforms = platforms.linux;
+  };
+}

pkgs/default.nix

@@ -1,2 +1,4 @@
 { pkgs }:
-{ }
+{
+  citizen-cups = pkgs.callPackage ./citizen-cups.nix { };
+}

pkgs/recipemd.nix

@@ -1,58 +0,0 @@
-{ lib
-, buildPythonPackage
-, fetchFromGitHub
-, pytestCheckHook
-, pythonPackages
-, installShellFiles
-, pythonOlder
-, pythonAtLeast
-}:
-buildPythonPackage rec {
-  pname = "recipemd";
-  version = "4.0.8";
-
-  disabled = pythonOlder "3.7" || pythonAtLeast "4";
-
-  src = fetchFromGitHub {
-    owner = "tstehr";
-    repo = "RecipeMD";
-    rev = "v${version}";
-    hash = "sha256-eumV2zm7TIJcTPRtWSckYz7jiyH3Ek4nIAVtuJs3sJc=";
-  };
-
-  propagatedBuildInputs = with pythonPackages; [
-    dataclasses-json
-    yarl
-    CommonMark
-    argcomplete
-    pyparsing
-  ];
-
-  nativeBuildInputs = [ installShellFiles ];
-
-  postInstall = ''
-    ${pythonPackages.argcomplete}/bin/register-python-argcomplete -s bash ${pname} > $out/completions.bash
-    installShellCompletion --bash --name recipemd.bash $out/completions.bash
-
-    ${pythonPackages.argcomplete}/bin/register-python-argcomplete -s fish ${pname} > $out/completions.fish
-    installShellCompletion --fish --name recipemd.fish $out/completions.fish
-
-    # The version of argcomplete in nixpkgs-stable does not have support for zsh
-    #${pythonPackages.argcomplete}/bin/register-python-argcomplete -s zsh ${pname} > $out/completions.zsh
-    #installShellCompletion --zsh --name _recipemd $out/completions.zsh
-  '';
-
-  checkInputs = [
-    pytestCheckHook
-    pythonPackages.pytestcov
-  ];
-
-  doCheck = true;
-
-  meta = with lib; {
-    description = "Markdown recipe manager, reference implementation of RecipeMD";
-    homepage = "https://recipemd.org";
-    license = [ licenses.lgpl3Only ];
-    maintainers = [ maintainers.dadada ];
-  };
-}

secrets/agares-backup-passphrase.age

@@ -1,10 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 L7f05w RayKtknLNvFu88aFp4QL7ZMLAh5VmHmlr1DWVsWBziE
-rckeFrazZJ3TxY/yD2wlzRVLh9L4x1bV2Nk7Q0S/RWM
--> ssh-ed25519 Otklkw oub7OICQalIkCqAZh4/FfXB9PPBe7j2IpBP7WF/UXGk
-gAwxU97b0Js6UPv59/1389/qdPGQb4koa49R14c3UjA
--> mU.rG&?F-grease V? d a}mj5 ^&dc?\
-B0k6BjXmH0cm74+rjQrzJwKa1dcFwTdmlgltZ70oHctwA3+E4/CQ1ChH9UHzkHGG
-Fb62klB5XYePywsvxLo2nIGVIvhBgsfIvUpq
---- ONLpuXfKtuCB+VD5IQ5KeSPyqgEb4a2y26+n5E8Ph3E
-uîD{<7B>¨ríÚ˜¡°†RÊ9õP¦
j?hDÃ<™ØOÓœÝáè>
‡Ä-Œu¹áý#…Fñ2N+Ysò\ õ
+-> ssh-ed25519 L7f05w Sof4o2JYLqx59paPpBJWFek1IwCHb4VhuOcPpBkut20
+QNsXS0H2z5NCnKcDuxDVvY+AnTV27/Ijeo/kd12nkoQ
+-> ssh-ed25519 Otklkw WZt99A5jBrb7MNqzpCuGiJ8wJ/NxZrJE5Q02hvcVEVo
+yYlAifPMGC01CGpke5ABasi/sJ8O4r3+5SyoVpbpmM4
+--- vIe/LRs2QxPpZJUrdOFuTBNanHcMyzh7iAFRalWd2dU
+„ü+Ó]§¨GHuU³îʈƒQ&3'š¦Eãg—…ƒžÜƒ©âçZ‘Š\~¼»ûež)Þ1º£½ý×»Œy§ÚÈa

secrets/agares-wg0-key.age

@@ -1,10 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 L7f05w ENcdsQ43v/xIe1Ej4BYjb/nTjIk76N2DR/zj754Puz0
-vIDFk+A/m8rOnBNXcvfBX4SJNxT6LP64s674v5pJtcQ
--> ssh-ed25519 Otklkw lLwVf/2E67Bue+VBu+EMupLjuv6wfR656CD1st71GRM
-AsXHvpANM0mOiSW3LTqzbEneVQSKNb0TvsMY2WCPfbk
--> DJZq-grease 9))O09 z2-
-ZFxd5v9Bma6VVIvpw8VK0DSR55lHUNOTh6cNxFJAezXn1apmjvuZPdMSXZ7OrE23
-qlqnskWvo+SX3JF7NH0yQf53dZJU
---- pSa5IqZmIDAHJkcPgqrS0WUwnD1ipE2pGr87qhTmrjk
-Ű(E<>/—P(<28>©Ő|JĄ€řŞëŘ‘éŇ‹<C587>zń`JOÁ2“ŚÔ–‚Űńd3qÁ±¤‡O­Ú!”8ňůHN3\°ĹŹę‘iš
+-> ssh-ed25519 L7f05w Nj0zjzK+5vf4YfUxLPNcBBY4ZC57tH9+rEVCv/ycNWo
+5Sk99vaYclDFwTnVKB6IOcTVYJ3SGTuLVJxyjb1W4tM
+-> ssh-ed25519 Otklkw ogKGpgcz0Gekw7p4LnmIKU2CEdhlkjypRGVZmFda8TI
+nkOU/yc7F5BCBRakevYDXyD8akGqYwD67C+9VDxUgyE
+--- zuz8UjdxI+CbMr33Z4P5ga1UoRe+oDXzVWgFUhUH1qE
+b#òs‡ÇPàDFúú%¨‹Ó|åUùŠ›áleæ<65>9f_üUçZ5œoÖeeK}M`a›Mª!ü5<C3BC><35>R@j}ãéÓ~æ°3ZÍҾ͒\

secrets/ifrit-backup-passphrase.age

@@ -1,10 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 yMjj5g FtHlFiQa2xr57K9GiS2VX+NYI/2kP73wWXVBsr61cD8
-Gokj4dzQP6AB9YWRBvmXL8/Sts7NO6g6wP1hIYkKdp4
--> ssh-ed25519 Otklkw UB1L2gKr0wnsGktaVlnbr+nSUZQ34g7JO4uuHYhuuyM
-X4AT5taAJBtFia62IUTDa1cdbZtwaxYRQFCDez8aK8k
--> r;DMOG-grease h"Tb e?z^VJ icNa
-/0ZIHqI0whHoBw2Qs15bxY7o1sudscitKuUB3ysyFwUVsIG4nzTOS2GFuXTQ1WuD
-5pH2CQfp33hvqrqV
---- vji5ZWP7+BLgpmyX2Sxgdv7Ht37NvQ8DuY1/t3cvvuI
-]ýËe†£¬¸›‰Þ›³,%‰ qôŸ’âån<C3A5>„AM{D‘ ÆJWæL’‚·<E2809A>G@´œòêž/g‚G´o½ð.VÃ4
+-> ssh-ed25519 yMjj5g pE3otZ4+5k1GxhoU7FocCMvcHZ9PFzTRqRYiVXXq/H4
+aKCBiwVwbfetSTRaTJ31iTRsvNnbm2JYFQnqTOgCyOA
+-> ssh-ed25519 Otklkw jn4ZUyWFIeAt+XpxmlqckovK4/jit6SR+Xaouv7gfTU
+8yJLyWHk1m9KInOWozqRWXi3kiirgQ7c/ONOwgHk/Z8
+--- 8TS+ZFZfHvgcgOYBE3nzSxbCCmCOtqPWyldlegSu6QU
+§…:{	ÀÐ4~ÀNŒt¶XRlÁØ
’<16>‹=>$
²¼‡8DQ@êGˆ‚ï1Ú÷ 
å”FAOÑþtΫ

secrets/miniflux-admin-credentials.age

@@ -1,10 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 jUOjpw Tuaz2+fgz5f2ZacAYc3TdREIurh+XG5RjjKpaEFgtGo
-gB1iaKV+xAv0PGdjZwmBCxMbxgCqZrM2JBDiEWCl//8
--> ssh-ed25519 Otklkw ocyFHtGzclF+7S9I7uSqsfn5weqxj5Wq32y4c6VDiSA
-hDX5Viym/WdFZE5rXzToFhqtGvj+Ft3Hh7oiuzCuG/Q
--> b&-grease 2u ~R j4C 3|h`M}/
-fdhnmlw+wqO8nb86f8jdDNW2P2SxzdwuljpRrlG/ZxXcC4QxtnO6RwK9NAS9UBQr
-OAxJ6v3P+cMYJcsPNLAr90rEzXfTV2VONZgoNwOKN2l5n/JX8aGCt5i/vVI
---- sYjj24oaGUMZPD4TV8JKfjSPHeYOKh+OpueLZT/TxCQ
-›TO&œúDd¬÷C2Æ”ÂËW^Ë»ž€Z¡¬ &b<óvN‚»Žî©Óbµ¡Rÿúß9rŸd<17>àm—ÂÒZ ±Õ}¥Åø¹zÆm‹&m 3^JQC8
+-> ssh-ed25519 jUOjpw 6ThewcuTvg2mn/jC1eqR0KFDXdN8G3JIUBLLiBabkFI
+lstfGPvJgaUOp0jriP2nsi4IvgwRjs8dnRye7+ihD/Q
+-> ssh-ed25519 Otklkw N0ozjfxbOBq7EIvxP4TRa2XyMQ8fINCiHjK0MFq2X0w
+tEeua88G2aN6REaUN6xTlkRLy0GFgNfj7v0VXhqddc4
+--- N9V7UfSDvrOAeOr3MRXiCwIu8JJt3NSL3FrGyPapLrM
+E<EFBFBD>"
K
?>V¾éÄb¦ñXùåþ”àždgð!„”<E2809E>ѹÁÏ) BØ	ÆßfÒì\=½[2L x‘°Áw<C381>¤Ýæ•ËXH*®òõl…9w¿½€

secrets/paperless.age

@@ -1,9 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 0aOabg 6QT8adxrQxGCx9w6JZPkbCsCM/Vos+D41JoEQ19h0AY
-UaXt2lE7VnhaQ4McdCIGo8kdaYrPyg3ne8MIBCt7NXE
--> ssh-ed25519 Otklkw GJQj739xwoeP9xTLpLrCxANx3/Ebipnr345xKSFLf3w
-xtQBgTYrLzkaWBkx8pi0R+GKa6inKFzFD5tompll3wo
--> )gWM0O-grease i%" tB
-culBBLA5Bt/POa9w
---- Vtxd8HsFnjBl6eXE4UYNoR1Ca/JA9UlK/WE+FNkmPtk
-bVv—<76>ż:±Šah&ŕ4üfNJ¤ˇ2]ČŮ{!%1ýŕąIa\}Xeżx1~_ć˛"šrŰ,Éj:O?ňáşľö5
+-> ssh-ed25519 WJCMDA NDB+Z1hpwH3PWjViCbrRdrt0WCFnsYDBVd1rADCQy2I
+p/QYmC6ZwwlyCNrVhUw1vUNfnNGiw8B/rsqP9EMGJ5E
+-> ssh-ed25519 Otklkw yLMSfitfbXO8qRqaJwKxx68R0AJHsTre0XlN2huudWY
+JYogGtU0LLPcJpN9oWmAQE0Kyk2yhNmxrVgh0JMFphE
+--- pGx08jh8YJCDeEvi7iZa6pXrlwg8otUTkxv0T5gwLcM
+ï˲'t2¦ÍŸÄEí/Ø¿â6@
+Dîfši¦VGO_a\{Žãã}›_~:©ý>ö¨Gä€ÂN÷í@ÚK|