nixy: enable etc overlay and nixos-init; set initial user pass

This reverts commit 8ef4d1145f.

.sops.yaml

@@ -0,0 +1,30 @@
+keys:
+  - &magpie       age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+  - &mediabox     age19yrl6pr73cv067ksfz0txp3zm2au25jfyjeerw23ml55ps5cyyfqtm3kmt
+  - &nixy         age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+
+creation_rules:
+
+  - path_regex: common/secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *magpie
+      - *mediabox
+      - *nixy
+
+  - path_regex: magpie/secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *magpie
+      - *nixy
+
+  - path_regex: mediabox/secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *mediabox
+      - *nixy
+
+  - path_regex: nixy/secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *nixy

README.md

@@ -1 +0,0 @@
-NixOS configuration using nix flakes and home-manager

README.txt

@@ -0,0 +1,3 @@
+NixOS configuration using nix flakes and home-manager
+
+Main repository found at: https://git.project-cloud.net/asmir/nixos_flake_config

blue/configuration.nix

@@ -1,12 +1,9 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
 {
   config,
   pkgs,
-  lib,
   ...
-}: {
+}:
+{
   imports = [
   ];
 
@@ -17,14 +14,17 @@
     optimise.automatic = true;
     gc.automatic = true;
     gc.options = "--delete-older-than 7d";
-    package = pkgs.nixUnstable;
-    settings.experimental-features = ["nix-command" "flakes"];
+    package = pkgs.nixVersions.latest;
+    settings.experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
   };
 
   boot = {
     kernelPackages = pkgs.linuxPackages_latest;
-    kernelParams = ["msr.allow_writes=on"];
-    supportedFilesystems = ["btrfs"];
+    kernelParams = [ "msr.allow_writes=on" ];
+    supportedFilesystems = [ "btrfs" ];
     tmpOnTmpfs = true;
     initrd.compressor = "zstd";
     loader.systemd-boot = {
@@ -43,7 +43,7 @@
     doas.enable = true;
     doas.extraRules = [
       {
-        users = ["akill"];
+        users = [ "akill" ];
         keepEnv = true;
         persist = true;
       }
@@ -57,15 +57,16 @@
   networking = {
     firewall.enable = true;
     hostName = "blue";
-    nameservers = ["127.0.0.1" "::1"];
+    nameservers = [
+      "127.0.0.1"
+      "::1"
+    ];
     dhcpcd.extraConfig = "nohook resolv.conf";
 
     networkmanager = {
       enable = true;
       dns = "none";
-      /*
-      wifi.backend = "iwd";
-      */
+      # wifi.backend = "iwd";
     };
   };
 
@@ -96,8 +97,8 @@
     services = {
       "caps2esc" = {
         description = "Intercepts keyboard udev events";
-        wants = ["systemd-udevd.service"];
-        wantedBy = ["multi-user.target"];
+        wants = [ "systemd-udevd.service" ];
+        wantedBy = [ "multi-user.target" ];
         serviceConfig.Nice = -20;
         script = ''
           ${pkgs.interception-tools}/bin/intercept \
@@ -156,7 +157,10 @@
       windowManager.i3.enable = true;
     };
 
-    udev.packages = [pkgs.rtl-sdr pkgs.openhantek6022];
+    udev.packages = [
+      pkgs.rtl-sdr
+      pkgs.openhantek6022
+    ];
 
     tlp = {
       enable = true;
@@ -166,32 +170,38 @@
       enable = true;
       bindings = [
         {
-          keys = [113];
-          events = ["key"];
+          keys = [ 113 ];
+          events = [ "key" ];
           command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master toggle'";
         }
 
         {
-          keys = [114];
-          events = ["key" "rep"];
+          keys = [ 114 ];
+          events = [
+            "key"
+            "rep"
+          ];
           command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%- unmute'";
         }
 
         {
-          keys = [115];
-          events = ["key" "rep"];
+          keys = [ 115 ];
+          events = [
+            "key"
+            "rep"
+          ];
           command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%+ unmute'";
         }
 
         {
-          keys = [224];
-          events = ["key"];
+          keys = [ 224 ];
+          events = [ "key" ];
           command = "${pkgs.light}/bin/light -U 5";
         }
 
         {
-          keys = [225];
-          events = ["key"];
+          keys = [ 225 ];
+          events = [ "key" ];
           command = "${pkgs.light}/bin/light -A 5";
         }
       ];
@@ -241,7 +251,7 @@
       allowBitmaps = true;
       useEmbeddedBitmaps = true;
       defaultFonts = {
-        monospace = ["JetBrainsMono"];
+        monospace = [ "JetBrainsMono" ];
       };
     };
 
@@ -310,6 +320,14 @@
   users.users.akill = {
     isNormalUser = true;
     shell = pkgs.zsh;
-    extraGroups = ["wireshark" "kvm" "tty" "audio" "sound" "adbusers" "dialout"];
+    extraGroups = [
+      "wireshark"
+      "kvm"
+      "tty"
+      "audio"
+      "sound"
+      "adbusers"
+      "dialout"
+    ];
   };
 }

blue/hardware-configuration.nix

@@ -4,50 +4,79 @@
 {
   config,
   lib,
-  pkgs,
   modulesPath,
   ...
-}: {
+}:
+{
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = ["kvm-intel"];
-  boot.extraModulePackages = [];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/0af4dcb9-6e59-4946-87b2-0d2f14b808d4";
     fsType = "btrfs";
-    options = ["subvol=root" "compress=zstd" "noatime"];
+    options = [
+      "subvol=root"
+      "compress=zstd"
+      "noatime"
+    ];
   };
 
-  boot.initrd.luks.devices."enc_root".device = "/dev/disk/by-uuid/8eb8ac22-d89d-4406-bfbd-ce43e283649f";
+  boot.initrd.luks.devices."enc_root".device =
+    "/dev/disk/by-uuid/8eb8ac22-d89d-4406-bfbd-ce43e283649f";
 
   fileSystems."/home" = {
     device = "/dev/disk/by-uuid/0af4dcb9-6e59-4946-87b2-0d2f14b808d4";
     fsType = "btrfs";
-    options = ["subvol=home" "compress=zstd" "noatime"];
+    options = [
+      "subvol=home"
+      "compress=zstd"
+      "noatime"
+    ];
   };
 
   fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/0af4dcb9-6e59-4946-87b2-0d2f14b808d4";
     fsType = "btrfs";
-    options = ["subvol=nix" "compress=zstd" "noatime"];
+    options = [
+      "subvol=nix"
+      "compress=zstd"
+      "noatime"
+    ];
   };
 
   fileSystems."/var/log" = {
     device = "/dev/disk/by-uuid/0af4dcb9-6e59-4946-87b2-0d2f14b808d4";
     fsType = "btrfs";
-    options = ["subvol=log" "compress=zstd" "noatime"];
+    options = [
+      "subvol=log"
+      "compress=zstd"
+      "noatime"
+    ];
     neededForBoot = true;
   };
 
   fileSystems."/persist" = {
     device = "/dev/disk/by-uuid/0af4dcb9-6e59-4946-87b2-0d2f14b808d4";
     fsType = "btrfs";
-    options = ["subvol=persist" "compress=zstd" "noatime"];
+    options = [
+      "subvol=persist"
+      "compress=zstd"
+      "noatime"
+    ];
   };
 
   fileSystems."/boot" = {
@@ -55,7 +84,7 @@
     fsType = "vfat";
   };
 
-  swapDevices = [];
+  swapDevices = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

common/packages.nix

@@ -1,35 +1,54 @@
+{ pkgs
+, system
+, ...
+}:
 {
-  config,
-  pkgs,
-  nix-xilinx,
-  ...
-}: {
-  environment.systemPackages = with pkgs;
+  environment.systemPackages =
+    with pkgs;
     [
+      onboard
+      maliit-keyboard
+      maliit-framework
+      wvkbd
       acpi
+      aria2
       binutils
+      binwalk
       bluez
       bluez-tools
       btop
-      curlHTTP3
+      busybox
+      curl
       dfu-util
       dhcpcd
       direnv
       dmidecode
       dnsmasq
+      dnsutils
+      dtach
+      ethtool
+      f2fs-tools
       fd
       file
+      fio
       fzf
       fzy
       git
+      adwaita-icon-theme
+      gnomeExtensions.appindicator
       gnupg
       gptfdisk
+      hcxdumptool
       hdparm
-      htop
+      htop-vim
       interception-tools
+      iw
       jq
       lm_sensors
+      man-pages
+      man-pages-posix
       meson
+      mosh
       msmtp
       nano
       neovim
@@ -39,19 +58,26 @@
       nmap
       ntfs3g
       ntfsprogs
+      nvim
+      nvme-cli
       openhantek6022
+      optipng
       pax-utils
       pciutils
+      proxychains-ng
       pstree
       psutils
       qemu_kvm
       ripgrep
       rsync
       silver-searcher
+      socat
+      sops
       sshfs
       strace
       swaylock
       tig
+      tmux
       traceroute
       unrar
       unzip
@@ -64,9 +90,11 @@
       vulkan-tools-lunarg
       vulkan-validation-layers
       wget
+      wirelesstools
+      wol
       xdg-utils
+      xfsprogs
       zip
       z-lua
-    ]
-    ++ (with nix-xilinx.packages.x86_64-linux; [vivado vitis vitis_hls model_composer xilinx-shell]);
+    ];
 }

common/secrets/wg_preshared.yaml

@@ -0,0 +1,42 @@
+wg_preshared:
+    nixy: ENC[AES256_GCM,data:kP+Vt48NMpdBSGjpWzzxt+nqxPNXrofV4kLwgU4o62riB9rxU1CZ4Ddr17k=,iv:xCqR/rbGrJYBkxOpsAg1qxxEGXRD+577JGTNDqshcOQ=,tag:9rAdg6Zw6kVzLxwF1U+pNg==,type:str]
+    mediabox: ENC[AES256_GCM,data:BL9vCUE6wWtmTNPMCvJNZjiAMUWRmLLHOk73v1Z8EOJWcsZ5G3U+08TxBBg=,iv:XTZnF2kMVurTD+TPL0T7uDDu1gGjOdO7AWHXsZS5yO8=,tag:6RIAsbe0Ue4MX28VxzbPCg==,type:str]
+    workstation: ENC[AES256_GCM,data:x60PMdgihMjtvQagphdO0uft7LLU2grdgeTrO5oSRiqOtb23P5S5SxDQ3Js=,iv:CB8QldIZ8/FjbcAkLxekygUo5luHig7FnH7wyrgZEuk=,tag:E3XWxPH5/fHyFmGimQ4tLg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQ3JGNWRMeGhwM1dIOU5T
+            ZEt4WVhFa2lSaklpM3hmR04wY213TGd6K1FvCnltWFpqNHdrQ2V1V2ZDdTVOYlhP
+            M0x2TVRJbUtZK2xaOGE5Ri93YmV6R1UKLS0tIDQ3VkNrYjFNTjNrRTNFRmhYaENt
+            ZkRpMnZ3ZldOdWJ3VGw1T1RnRG15WDQKeZ9VBkcu2j83Hjofy1AAtBBqM9Tk3uFi
+            F/wgzV7mBXiBB/4w17iJsU5mB6s/JXXnGq11pu9QXC5tu072huCNYQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19yrl6pr73cv067ksfz0txp3zm2au25jfyjeerw23ml55ps5cyyfqtm3kmt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheWtsbnArT3BwSVJ4QTJB
+            ZENTK2ZpS0lLUmJ1d1VaUVVGNnNXMEZ4RFJvCmFueFNiQjk5MkdnTVkvVVk1TkVV
+            M2Izamo0M1lGaVRPaGFOQUhkNGpmSmsKLS0tIGxtSXVackdsTTN1cTIvSEo4bGg3
+            a0dVL2FmL05TRllrZjBuOStPNTBHcU0KOaJFNhr0emSiAJFOFsaJ4sdUwjzg5TOW
+            Mh3JvRJINefiBUsFnFx8d3gn0+jHn+kXw22WMGRcbGgZTxJbFylmeA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UVJiMENSeFdGWHRVVkt0
+            UEI4ek9jRFdYYkN5Nlc5Qi85MDhPRTA2bGt3CnZJcThNU1huczJGaEF6WWpzcHdV
+            dWhIczMzWSt0ZEVXeXdVQlBOZTZsN3cKLS0tIHRBQlhPT1FDcEZWU3JyNEZ0UWxC
+            eDhXVWo2UHVCaFUrak9aVEU5N0FxRVEKDKBpbHWwTkW3BFAXQ213/glZyTz88OjZ
+            JHh0phDzFZG0+nzBz3TAi0ZyYnlbOYAuEvQh1uUg9MI1XUCr8GC9Qw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-22T16:06:34Z"
+    mac: ENC[AES256_GCM,data:BRgF+L22FuN/v+Vi57JLaTxtAe4Gr8UtY4QIYRUeigpHCkxza+pUd5qyGTIsHeaRFWNy726u9+PlX3uy0MlOt9lzQ1Zlmc+hDthUIHRWX9mqO+j5+klmDvVug5yqr2f7HMtBD+tnEwDr65FuPNKqJjmg1Tbk0RD12yt/gkEAy7w=,iv:aTWVlHEQGNgnIIoJ2IpnppU6lo7g0kI7gxtPM1ZqXvM=,tag:PhZypRZAlmxnKz1Kxtppzg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

common/suspend.nix

@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.services.batteryNotifier;
-in {
+in
+{
   options = {
     services.batteryNotifier = {
       enable = mkOption {
@@ -42,7 +44,7 @@ in {
       timerConfig.OnBootSec = "1m";
       timerConfig.OnUnitInactiveSec = "1m";
       timerConfig.Unit = "lowbatt.service";
-      wantedBy = ["timers.target"];
+      wantedBy = [ "timers.target" ];
     };
     systemd.user.services."lowbatt" = {
       description = "battery level notifier";

common/wg_pubkey_proton

@@ -0,0 +1 @@
+g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=

common/wg_pubkey_workstation

@@ -0,0 +1 @@
+kbmzzQc3bBpkjE7K/ohycZtx+ml+dzVYOQ2xM0/bzzQ=

flake.lock

@@ -19,11 +19,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1732722421,
+        "narHash": "sha256-HRJ/18p+WoXpWJkcdsk9St5ZiukCqSDgbOGFa8Okehg=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "9ed2ac151eada2306ca8c418ebd97807bb08f6ac",
         "type": "github"
       },
       "original": {
@@ -35,11 +35,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
         "type": "github"
       },
       "original": {
@@ -48,37 +48,51 @@
         "type": "github"
       }
     },
-    "flake-compat_3": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1668681692,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-utils": {
+    "git-hooks": {
       "inputs": {
-        "systems": "systems"
+        "flake-compat": [
+          "simple-nixos-mailserver",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "simple-nixos-mailserver",
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "lastModified": 1763988335,
+        "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "simple-nixos-mailserver",
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
         "type": "github"
       }
     },
@@ -89,15 +103,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1696446489,
-        "narHash": "sha256-xSjMKdNR+q/3hdSPyg/LUMsZT/WIoUi8dcm5zT4SMUQ=",
+        "lastModified": 1764536451,
+        "narHash": "sha256-BgtcUkBfItu9/yU14IgUaj4rYOanTOUZjUfBP20/ZB4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "68f7d8c0fb0bfc67d1916dd7f06288424360d43a",
+        "rev": "3fdd076e08049a9c7a83149b270440d9787d2df5",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -110,11 +125,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696069591,
-        "narHash": "sha256-YFPEWMV6XRi7CgDB1qJ67dIYPnrOETuxQO4mnPmxbQs=",
+        "lastModified": 1732892167,
+        "narHash": "sha256-AZ0rgM9xj+Bf2C8RfGMUvuVdcqkvQU5/Wm8u6A5xYJg=",
         "owner": "asmir.abdulahovic",
         "repo": "nix-xilinx",
-        "rev": "a20ac5924afa24d45227df7d7d54574a9409a4a6",
+        "rev": "3071f40914fe2db3837a40a72a97af6f0a442f16",
         "type": "gitlab"
       },
       "original": {
@@ -125,62 +140,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1696193975,
-        "narHash": "sha256-mnQjUcYgp9Guu3RNVAB2Srr1TqKcPpRXmJf4LJk6KRY=",
+        "lastModified": 1764522689,
+        "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fdd898f8f79e8d2f99ed2ab6b3751811ef683242",
+        "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-22_11": {
-      "locked": {
-        "lastModified": 1669558522,
-        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-22.11",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs-23_05": {
-      "locked": {
-        "lastModified": 1684782344,
-        "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-23.05",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1696123266,
-        "narHash": "sha256-S6MZEneQeE4M/E/C8SMnr7B7oBnjH/hbm96Kak5hAAI=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "dbe90e63a36762f1fbde546e26a84af774a32455",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -192,11 +161,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1698363600,
-        "narHash": "sha256-r71uS/uw3I9xJAnmlgaN0TC9aC/1m2L4iNhKjqBzAtQ=",
+        "lastModified": 1764594740,
+        "narHash": "sha256-YLyM7w1j7BcOK9F+L7x7iY9wfOzPfcIBWW9LeU9Wzoo=",
         "ref": "refs/heads/master",
-        "rev": "9652f4cb75d799ee5a2511883d2fda60bea00141",
-        "revCount": 19,
+        "rev": "878c87430f5e3c109f183a1822988b1c32413131",
+        "revCount": 51,
         "type": "git",
         "url": "https://git.project-cloud.net/asmir/nvim_flake"
       },
@@ -205,26 +174,26 @@
         "url": "https://git.project-cloud.net/asmir/nvim_flake"
       }
     },
-    "peerix": {
+    "project-cloud": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "theme_anemone": "theme_anemone",
+        "theme_deepthought": "theme_deepthought"
       },
       "locked": {
-        "lastModified": 1684706914,
-        "narHash": "sha256-pBlTtsC28e/5MUTe4NWeNNOc/4Kf6EzGQGppQEQ/ioo=",
-        "owner": "asmir.abdulahovic",
-        "repo": "peerix",
-        "rev": "8fdbbd0039240e05b4f93bbd5b454d5643e8a8d1",
-        "type": "gitlab"
+        "lastModified": 1729077289,
+        "narHash": "sha256-z5LEPxOJq2LjhPhY4QE1IOt0lBD39cipR6Lw8vRTNlI=",
+        "ref": "refs/heads/master",
+        "rev": "eab712e42139d33911ba767c2ff1bfbdf05c254d",
+        "revCount": 27,
+        "type": "git",
+        "url": "https://git.project-cloud.net/asmir/project-cloud"
       },
       "original": {
-        "owner": "asmir.abdulahovic",
-        "repo": "peerix",
-        "type": "gitlab"
+        "type": "git",
+        "url": "https://git.project-cloud.net/asmir/project-cloud"
       }
     },
     "root": {
@@ -233,7 +202,7 @@
         "nix-xilinx": "nix-xilinx",
         "nixpkgs": "nixpkgs",
         "nvim": "nvim",
-        "peerix": "peerix",
+        "project-cloud": "project-cloud",
         "simple-nixos-mailserver": "simple-nixos-mailserver",
         "sops-nix": "sops-nix",
         "swaysw": "swaysw",
@@ -243,20 +212,18 @@
     "simple-nixos-mailserver": {
       "inputs": {
         "blobs": "blobs",
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
+        "git-hooks": "git-hooks",
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-22_11": "nixpkgs-22_11",
-        "nixpkgs-23_05": "nixpkgs-23_05",
-        "utils": "utils"
+        ]
       },
       "locked": {
-        "lastModified": 1689976554,
-        "narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=",
+        "lastModified": 1764381008,
+        "narHash": "sha256-s+/BuhPPSJHpPRcylqfW+3UFyYsHjAhKdtPSxusYn0U=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e",
+        "rev": "76bd7a85e78a9b8295782a9cf719ec3489d8eb55",
         "type": "gitlab"
       },
       "original": {
@@ -269,15 +236,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
       },
       "locked": {
-        "lastModified": 1696320910,
-        "narHash": "sha256-fbuEc6wylH+0VxG48lhPBK+SQJHfo2lusUwWHZNipIM=",
+        "lastModified": 1764483358,
+        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "746c7fa1a64c1671a4bf287737c27fdc7101c4c2",
+        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
         "type": "github"
       },
       "original": {
@@ -293,11 +259,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1698401726,
-        "narHash": "sha256-kGMqxaNaNSbKJS/55KqqMvLj1xOBc8zCizs6I3xiCo0=",
+        "lastModified": 1711800706,
+        "narHash": "sha256-VuClUfWEmuv6Ysf6g42rfIm4cRZ/DWYZJxlNd9f1IL4=",
         "ref": "refs/heads/master",
-        "rev": "1e49032fbfec10b51c9f627aab286290ac15977c",
-        "revCount": 3,
+        "rev": "7422c005ffdd282c389d21c5f8a4ea835bc1a0f0",
+        "revCount": 4,
         "type": "git",
         "url": "https://git.project-cloud.net/asmir/swaysw"
       },
@@ -306,33 +272,35 @@
         "url": "https://git.project-cloud.net/asmir/swaysw"
       }
     },
-    "systems": {
+    "theme_anemone": {
+      "flake": false,
       "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "lastModified": 1699399376,
+        "narHash": "sha256-u2baLVhc/tWd9h9+g9vKBN1m4qG23uL1HUizFigOJXw=",
+        "owner": "Speyll",
+        "repo": "anemone",
+        "rev": "565a6e84e3054a45ec31729125801ab1f403c936",
         "type": "github"
       },
       "original": {
-        "owner": "nix-systems",
-        "repo": "default",
+        "owner": "Speyll",
+        "repo": "anemone",
         "type": "github"
       }
     },
-    "utils": {
+    "theme_deepthought": {
+      "flake": false,
       "locked": {
-        "lastModified": 1605370193,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "lastModified": 1681035730,
+        "narHash": "sha256-dzhfGmhuNCbloqknM7lVnFbNYmf2/ue7az6DQok44yM=",
+        "owner": "RatanShreshtha",
+        "repo": "DeepThought",
+        "rev": "430c1d5085dd6bea4cd6bd2d55003db67ba6bea0",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "RatanShreshtha",
+        "repo": "DeepThought",
         "type": "github"
       }
     },
@@ -343,17 +311,17 @@
         ]
       },
       "locked": {
-        "lastModified": 1696448728,
-        "narHash": "sha256-kUc6983IX9n0eQxTFZRK7LYCLHoxoGZ5rOV7nu8hGRI=",
-        "owner": "asmir.abdulahovic",
-        "repo": "zremap",
-        "rev": "9043844893cfc333ed04d04c1d3b67d9904c0afc",
-        "type": "gitlab"
+        "lastModified": 1764579633,
+        "narHash": "sha256-gOD5RMHOB9Fw4T3nk2a95YdU0J24QU3uWUiZVIQza64=",
+        "ref": "refs/heads/master",
+        "rev": "b0707744e2b4a077e759145cdbfa8d8d1017e732",
+        "revCount": 25,
+        "type": "git",
+        "url": "https://git.project-cloud.net/asmir/zremap"
       },
       "original": {
-        "owner": "asmir.abdulahovic",
-        "repo": "zremap",
-        "type": "gitlab"
+        "type": "git",
+        "url": "https://git.project-cloud.net/asmir/zremap"
       }
     }
   },

flake.nix

@@ -2,20 +2,15 @@
   description = "NixOS configuration";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
 
     nix-xilinx = {
       url = "gitlab:asmir.abdulahovic/nix-xilinx";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    peerix = {
-      url = "gitlab:asmir.abdulahovic/peerix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     zremap = {
-      url = "gitlab:asmir.abdulahovic/zremap";
+      url = "git+https://git.project-cloud.net/asmir/zremap";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -35,7 +30,7 @@
     };
 
     home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -43,119 +38,119 @@
       url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    project-cloud = {
+      url = "git+https://git.project-cloud.net/asmir/project-cloud";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = inputs @ {
-    home-manager,
-    nixpkgs,
-    nix-xilinx,
-    nvim,
-    peerix,
-    simple-nixos-mailserver,
-    sops-nix,
-    swaysw,
-    zremap,
-    ...
-  }: let
-    pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
-  in {
-    nixosConfigurations = rec {
-      nixy = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [
-          {_module.args = inputs;}
-          ./nixy/configuration.nix
-          ./nixy/hardware-configuration.nix
-          ./common/packages.nix
-          sops-nix.nixosModules.sops
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.akill = import ./home/home.nix;
-            home-manager.extraSpecialArgs = {inherit inputs;};
-          }
-          peerix.nixosModules.peerix
-          {
-            services.peerix = {
-              enable = true;
-              globalCacheTTL = 10;
-              package = peerix.packages.x86_64-linux.peerix;
-              openFirewall = true; # UDP/12304
-              privateKeyFile = nixy.config.sops.secrets."peerix/private".path;
-              publicKeyFile = ./nixy/peerix-public;
-              publicKey = "peerix-mediabox:UDgG3xdQYv7bmx2l4ZPNRPJtp2zMmY++H/fnGeJ9BQw=";
-            };
-          }
-        ];
+  outputs =
+    inputs@{ home-manager
+    , nixpkgs
+    , nix-xilinx
+    , nvim
+    , project-cloud
+    , simple-nixos-mailserver
+    , sops-nix
+    , swaysw
+    , zremap
+    , ...
+    }:
+    let
+      pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
+    in
+    {
+      nixosConfigurations = {
+        nixy = nixpkgs.lib.nixosSystem rec {
+          system = "x86_64-linux";
+          modules = [
+            { _module.args = inputs; }
+            { _module.args.system = system; }
+            { nix.registry.nixpkgs.flake = nixpkgs; }
+            ./common/packages.nix
+            ./common/suspend.nix
+            ./nixy/configuration.nix
+            ./nixy/hardware-configuration.nix
+            sops-nix.nixosModules.sops
+            home-manager.nixosModules.home-manager
+            {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users.akill = import ./home/nixy/home.nix;
+              home-manager.extraSpecialArgs = { inherit inputs system; };
+              home-manager.backupFileExtension = "home_backup";
+            }
+          ];
+        };
+
+        mediabox = nixpkgs.lib.nixosSystem rec {
+          system = "x86_64-linux";
+          modules = [
+            { _module.args = inputs; }
+            { _module.args.system = system; }
+            { nix.registry.nixpkgs.flake = nixpkgs; }
+            ./common/packages.nix
+            ./common/suspend.nix
+            ./mediabox/configuration.nix
+            ./mediabox/hardware-configuration.nix
+            ./modules/qbittorrent.nix
+            sops-nix.nixosModules.sops
+            home-manager.nixosModules.home-manager
+            {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users.akill = import ./home/mediabox/home.nix;
+              home-manager.extraSpecialArgs = { inherit inputs system; };
+            }
+          ];
+        };
+
+        blue = nixpkgs.lib.nixosSystem rec {
+          system = "x86_64-linux";
+          modules = [
+            { _module.args = inputs; }
+            { _module.args.system = system; }
+            { nix.registry.nixpkgs.flake = nixpkgs; }
+            ./blue/configuration.nix
+            ./blue/hardware-configuration.nix
+            ./common/packages.nix
+            home-manager.nixosModules.home-manager
+            {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users.akill = import ./home/blue/home.nix;
+              home-manager.extraSpecialArgs = { inherit inputs system; };
+            }
+          ];
+        };
+
+        magpie = nixpkgs.lib.nixosSystem rec {
+          system = "aarch64-linux";
+          modules = [
+            { _module.args = inputs; }
+            { _module.args.system = system; }
+            { nix.registry.nixpkgs.flake = nixpkgs; }
+            ./magpie/configuration.nix
+            ./magpie/hardware-configuration.nix
+            simple-nixos-mailserver.nixosModule
+            sops-nix.nixosModules.sops
+            (builtins.toPath "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix")
+          ];
+        };
       };
 
-      mediabox = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [
-          {_module.args = inputs;}
-          ./common/packages.nix
-          ./common/suspend.nix
-          ./mediabox/configuration.nix
-          ./mediabox/hardware-configuration.nix
-          ./modules/qbittorrent.nix
-          sops-nix.nixosModules.sops
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.akill = import ./home/home.nix;
-          }
-          peerix.nixosModules.peerix
-          {
-            services.peerix = {
-              enable = true;
-              globalCacheTTL = 10;
-              package = peerix.packages.x86_64-linux.peerix;
-              openFirewall = true; # UDP/12304
-              privateKeyFile = mediabox.config.sops.secrets."peerix/private".path;
-              publicKeyFile = ./mediabox/peerix-public;
-              publicKey = "peerix-nixy:8THqS0R2zWF/47ai0RFmqJnieYTZ1jaWOD9tnzpvA6s=";
-            };
-          }
+      devShell.x86_64-linux = pkgs.mkShell {
+        buildInputs = with pkgs; [
+          sops
+          ssh-to-age
+          age
         ];
+        shellHook = ''
+          echo "Configuring NixOS!"
+        '';
       };
 
-      blue = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [
-          {_module.args = inputs;}
-          ./blue/configuration.nix
-          ./blue/hardware-configuration.nix
-          ./common/packages.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.akill = import ./home/home.nix;
-          }
-        ];
-      };
-      magpie = nixpkgs.lib.nixosSystem {
-        system = "arm64-linux";
-        modules = [
-          {_module.args = inputs;}
-          ./magpie/configuration.nix
-          ./magpie/hardware-configuration.nix
-          sops-nix.nixosModules.sops
-          simple-nixos-mailserver.nixosModule
-          (builtins.toPath "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix")
-        ];
-      };
+      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
     };
-
-    devShell.x86_64-linux = pkgs.mkShell {
-      buildInputs = with pkgs; [sops ssh-to-age age];
-      shellHook = ''
-        echo "Configuring NixOS!"
-      '';
-    };
-
-    formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
-  };
 }

home/blue/home.nix

@@ -0,0 +1,351 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+let
+  qutebrowser_firejail = pkgs.writeShellScriptBin "qutebrowser" ''
+    firejail -- ${lib.getExe pkgs.qutebrowser} "$@"
+  '';
+in
+{
+  imports = [
+    ../common/zsh.nix
+    ../common/i3status-rust.nix
+    ../common/sway.nix
+    ../common/i3.nix
+    ./home_packages.nix
+    ../common/whatsapp-for-linux.nix
+  ];
+
+  home.stateVersion = "22.11";
+  home.username = "akill";
+  home.homeDirectory = "/home/akill";
+
+  xdg.enable = true;
+  xdg.mimeApps = {
+    enable = true;
+    defaultApplications = {
+      "application/pdf" = "sioyek.desktop";
+      "default-web-browser" = "org.qutebrowser.qutebrowser.desktop";
+      "text/html" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/about" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/http" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/https" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/unknown" = "org.qutebrowser.qutebrowser.desktop";
+    };
+  };
+
+  fonts.fontconfig.enable = true;
+
+  home.sessionVariables = rec {
+    BROWSER = lib.getExe qutebrowser_firejail;
+    DEFAULT_BROWSER = "${BROWSER}";
+    EDITOR = "nvim";
+    _JAVA_AWT_WM_NONREPARENTING = "1";
+    MOZ_ENABLE_WAYLAND = "1";
+    NIXOS_OZONE_WL = "1";
+    QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+    SUDO_EDITOR = "nvim";
+    WLR_RENDERER = "vulkan";
+  };
+
+  wayland.windowManager.sway = {
+    enable = true;
+  };
+
+  programs = {
+    home-manager.enable = true;
+
+    librewolf = {
+      enable = true;
+      package = pkgs.librewolf-wayland;
+      settings = {
+        "webgl.disable" = true;
+        "middlemouse.paste" = false;
+      };
+    };
+
+    tmux = {
+      enable = true;
+      clock24 = true;
+      keyMode = "vi";
+      terminal = "screen-256color";
+      plugins = with pkgs.tmuxPlugins; [
+        sysstat
+        net-speed
+        gruvbox
+      ];
+    };
+
+    mpv = {
+      enable = true;
+      config = {
+        slang = "eng,en";
+        alang = "eng,en";
+        hwdec = "auto";
+        vo = "gpu-next";
+        ao = "pipewire";
+        osd-bar = "no";
+        border = "no";
+        script-opts-set = "";
+        ytdl-format = "bestvideo[height<=?1080]+bestaudio/best";
+      };
+
+      bindings = {
+        WHEEL_UP = "ignore";
+        WHEEL_DOWN = "ignore";
+        WHEEL_LEFT = "ignore";
+        WHEEL_RIGHT = "ignore";
+      };
+    };
+
+    alacritty = {
+      enable = true;
+
+      settings = {
+        font = {
+          normal.family = "JetBrainsMono";
+          italic.family = "JetBrainsMono";
+          bold.family = "JetBrainsMono";
+          bold_italic.family = "JetBrainsMono";
+          size = 14.0;
+        };
+
+        selection = {
+          text = "0xcfcfc2";
+          background = "0x232629";
+
+          normal = {
+            black = "0x1c1b19";
+            red = "0xef2f27";
+            green = "0x519f50";
+            yellow = "0xfbb829";
+            blue = "0x2c78bf";
+            magenta = "0xe02c6d";
+            cyan = "0x0aaeb3";
+            white = "0x918175";
+          };
+
+          bright = {
+            black = "0x2D2C29";
+            red = "0xf75341";
+            green = "0x98bc37";
+            yellow = "0xfed06e";
+            blue = "0x68A8E4";
+            magenta = "0xff5c8f";
+            cyan = "0x53fde9";
+            white = "0xfce8c3";
+          };
+        };
+      };
+    };
+
+    rofi = {
+      enable = true;
+      theme = "gruvbox-dark";
+    };
+
+    foot = {
+      enable = true;
+      server.enable = true;
+      settings = {
+        main = {
+          font = "JetBrainsMono:size=10";
+          dpi-aware = "yes";
+        };
+        mouse = {
+          hide-when-typing = "yes";
+        };
+      };
+    };
+
+    qutebrowser = {
+      enable = true;
+      keyBindings = {
+        normal = {
+          "j" = "scroll-px 0 25";
+          "k" = "scroll-px 0 -25";
+          "u" = "undo --window";
+          ";v" = "hint links spawn mpv {hint-url}";
+        };
+      };
+
+      settings = {
+        content.notifications.enabled = false;
+        content.pdfjs = true;
+        content.webgl = false;
+        fonts.completion.category = "14pt monospace";
+        fonts.completion.entry = "14pt monospace";
+        fonts.contextmenu = "14pt monospace";
+        fonts.debug_console = "14pt monospace";
+        fonts.downloads = "14pt monospace";
+        fonts.hints = "14pt monospace";
+        fonts.keyhint = "14pt monospace";
+        fonts.messages.info = "14pt monospace";
+        fonts.prompts = "14pt monospace";
+        fonts.statusbar = "14pt monospace";
+        hints.chars = "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p";
+        tabs.last_close = "close";
+        tabs.position = "left";
+        tabs.show = "multiple";
+        tabs.tabs_are_windows = true;
+        tabs.width = "12%";
+        zoom.default = "125%";
+      };
+    };
+
+    git = {
+      enable = true;
+      userName = "Asmir A";
+      userEmail = "asmir.abdulahovic@gmail.com";
+      extraConfig = {
+        init.defaultBranch = "master";
+        pull = {
+          rebase = true;
+        };
+        credential = {
+          helper = "store";
+        };
+      };
+      signing.key = "020C42B7A9ABA3E2";
+      signing.signByDefault = true;
+    };
+
+    obs-studio = {
+      enable = true;
+      plugins = with pkgs.obs-studio-plugins; [
+        obs-vkcapture
+        input-overlay
+        obs-multi-rtmp
+        obs-pipewire-audio-capture
+        wlrobs
+        obs-vaapi
+      ];
+    };
+
+    i3status-rust.enable = true;
+    z-lua.enable = true;
+    zsh.enable = true;
+  };
+
+  services = {
+    lorri.enable = false;
+    mako.enable = true;
+    cliphist.enable = true;
+    gammastep = {
+      enable = true;
+      latitude = "44.53";
+      longitude = "18.67";
+      temperature.day = 5500;
+      temperature.night = 2900;
+    };
+
+    gnome-keyring.enable = true;
+
+    gpg-agent = {
+      enable = true;
+      defaultCacheTtl = 1800;
+      enableSshSupport = true;
+    };
+
+    swayidle =
+      let
+        locker = pkgs.writeShellScriptBin "swaylock_fancy" ''
+          ALL_IMGS=""
+          LOCK_ARGS=""
+          for OUTPUT in $(${pkgs.sway}/bin/swaymsg -t get_outputs | ${lib.getExe pkgs.jq} -r '.[].name')
+          do
+            TMP_FILE=$(${pkgs.coreutils}/bin/mktemp /tmp/.swaylock_ss_XXXXXX.jpg)
+            ${lib.getExe pkgs.grim} -t ppm -o $OUTPUT - | \
+              ${lib.getExe pkgs.ffmpeg} -y -loglevel 0 -i - -vframes 1 -vf "boxblur=10" "$TMP_FILE"
+            LOCK_ARGS="$LOCK_ARGS --image $OUTPUT:$TMP_FILE"
+            ALL_IMGS="$ALL_IMGS $TMP_FILE"
+          done
+            ${lib.getExe pkgs.swaylock} -f $LOCK_ARGS
+            ${pkgs.coreutils}/bin/shred $ALL_IMGS
+            ${pkgs.coreutils}/bin/rm $ALL_IMGS
+        '';
+      in
+      /*
+        refresh_i3status = pkgs.writeShellScriptBin "refresh_i3status" ''
+          ${pkgs.coreutils}/bin/sleep 1 && ${pkgs.procps}/bin/pkill -USR1 i3status-rs
+        '';
+      */
+      {
+        enable = true;
+        events = [
+          {
+            event = "before-sleep";
+            command = "${locker}/bin/swaylock_fancy";
+          }
+          {
+            event = "lock";
+            command = "${locker}/bin/swaylock_fancy";
+          }
+          /*
+            {
+              event = "after-resume";
+              command = "${refresh_i3status}/bin/refresh_i3status";
+            }
+          */
+        ];
+        timeouts = [
+          {
+            timeout = 15 * 60;
+            command = "${locker}/bin/swaylock_fancy";
+          }
+        ];
+      };
+
+    kanshi = {
+      enable = true;
+      settings = [
+        {
+          profile.name = "undocked";
+          profile.outputs = [
+            {
+              criteria = "eDP-1";
+            }
+          ];
+        }
+
+        {
+          profile.name = "docked";
+          profile.outputs = [
+            {
+              criteria = "eDP-1";
+              position = "0,0";
+            }
+            {
+              criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026536";
+              mode = "1920x1080@74.973Hz";
+              position = "1920,0";
+            }
+            {
+              criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026535";
+              mode = "1920x1080@74.973Hz";
+              position = "3840,0";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  systemd.user = {
+    services = {
+      wayland-pipewire-idle-inhibit = {
+        Unit.Description = "inhibit sleep while audio output is active";
+        Service = {
+          ExecStart = "${lib.getExe pkgs.wayland-pipewire-idle-inhibit}";
+          Restart = "always";
+          RestartSec = 10;
+        };
+        Install = {
+          WantedBy = [ "graphical-session.target" ];
+        };
+      };
+    };
+  };
+}

home/blue/home_packages.nix

@@ -0,0 +1,182 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  system,
+  ...
+}:
+let
+  chromium_teams = pkgs.writeShellScriptBin "chromium_teams" ''
+    ${lib.getExe pkgs.ungoogled-chromium} --socket=wayland org.chromium.Chromium --app=https://teams.microsoft.com/
+  '';
+  chromium_discord = pkgs.writeShellScriptBin "chromium_discord" ''
+    ${lib.getExe pkgs.ungoogled-chromium} --socket=wayland org.chromium.Chromium --app=https://discordapp.com/channels/@me
+  '';
+  chromium_stackfield = pkgs.writeShellScriptBin "chromium_stackfield" ''
+    ${lib.getExe pkgs.ungoogled-chromium} --socket=wayland org.chromium.Chromium --app=https://stackfield.com/
+  '';
+  nixy_switch = pkgs.writeShellScriptBin "nixy_switch" ''
+    ${pkgs.util-linux}/bin/ionice -c 3 -- \
+    ${pkgs.coreutils}/bin/nice -n 20 -- \
+    ${lib.getExe pkgs.nixos-rebuild} --flake ./#nixy switch
+  '';
+  qcad = pkgs.writeShellScriptBin "qcad" ''
+    QT_QPA_PLATFORM=xcb ${lib.getExe pkgs.qcad} $@
+  '';
+  ssh_proxy = pkgs.writeShellScriptBin "ssh_proxy" ''
+    if ${pkgs.coreutils}/bin/test $# -ne 1; then
+      echo "Usage: $0 <user>@<ssh_host>"
+      exit
+    fi
+    PROXY_PORT="1337"
+    ${lib.getExe pkgs.openssh} -D "$PROXY_PORT" -q -N "$@"
+  '';
+  wrap_sh =
+    let
+      bubblewrap = pkgs.callPackage ../../packages/bubblewrap/default.nix { };
+    in
+    pkgs.writeShellScriptBin "wrap.sh" ''
+      if ${pkgs.coreutils-full}/bin/test $# -ne 1; then
+        echo "Usage: $0 <directory>"
+        exit
+      fi
+      FULL_PATH=$(${pkgs.coreutils-full}/bin/realpath "$1")
+      BUBBLEWRAP_DIR="$1" ${bubblewrap}/bin/bwrap \
+        --bind / / \
+        --dev /dev \
+        --overlay-src "$FULL_PATH" \
+        --tmp-overlay "$FULL_PATH" \
+        "$SHELL"
+    '';
+in
+{
+  home.packages =
+    with pkgs;
+    [
+      anydesk
+      appimage-run
+      arp-scan
+      birdtray
+      blackmagic
+      blender
+      btop
+      cached-nix-shell
+      caddy
+      cargo
+      cmake
+      compsize
+      kdePackages.ark
+      ungoogled-chromium
+      # cura
+      deluge
+      dfu-util
+      discord
+      dmenu-wayland
+      drawio
+      dualsensectl
+      ffmpeg-full
+      firefox
+      freecad
+      gcc
+      gdb
+      ghostscript
+      glab
+      glaxnimate
+      gnumake
+      go
+      grim
+      heimdall
+      hyperfine
+      icestorm
+      imagemagick
+      imv
+      inkscape
+      jellyfin-media-player
+      kdePackages.kdenlive
+      kicad
+      kodi-wayland
+      krita
+      libnotify
+      libreoffice-qt6-fresh
+      libva-utils
+      linuxPackages_latest.perf
+      lsix
+      lsix
+      mediainfo
+      ncdu
+      neovide
+      nextpnr
+      ngspice
+      nix-init
+      nixpkgs-fmt
+      nix-prefetch-git
+      nom
+      openems
+      openocd
+      openscad
+      pandoc
+      paraview
+      pass-wayland
+      patchelf
+      pavucontrol
+      pay-respects
+      pirate-get
+      poppler_utils
+      powertop
+      pulsemixer
+      pwvucontrol
+      python3
+      python3Packages.west
+      remmina
+      river
+      rizin
+      rtorrent
+      sbcl
+      screen
+      seer
+      sioyek
+      slurp
+      steam-run
+      stm32cubemx
+      swayimg
+      tea
+      teams-for-linux
+      tectonic
+      tessen
+      texlive.combined.scheme-full
+      thunderbird
+      typst
+      upx
+      viber
+      waybar
+      wdisplays
+      weechat
+      whatsapp-for-linux
+      wine
+      wireshark
+      wl-clipboard
+      wlr-randr
+      wofi
+      x2goclient
+      yewtube
+      yosys
+      yt-dlp
+      zapzap
+      zathura
+      # zeal-qt6
+      zig
+    ]
+    ++ [
+      chromium_discord
+      chromium_stackfield
+      chromium_teams
+      nixy_switch
+      qcad
+      ssh_proxy
+      wrap_sh
+    ]
+    ++ [
+      inputs.swaysw.packages.${system}.swaysw
+      (pkgs.callPackage ../../packages/bubblewrap/default.nix { })
+    ];
+}

home/common/i3.nix

@@ -1,11 +1,12 @@
 {
-  config,
   lib,
   pkgs,
   ...
-}: let
+}:
+let
   scratchpad_cmd = "floating enable, resize set 1502 845, move position center, move scratchpad, scratchpad show";
-in {
+in
+{
   xsession.windowManager.i3 = {
     enable = true;
     package = pkgs.i3;
@@ -54,24 +55,28 @@ in {
         "${modifier}+Escape" = "workspace back_and_forth";
         "${modifier}+p" = "exec ${pkgs.dmenu}/bin/dmenu_run";
 
-        "Mod4+l" = "exec i3-msg [instance=\"python3_scr\"] scratchpad show || exec alacritty --class python3_scr -e python3";
+        "Mod4+l" =
+          "exec i3-msg [instance=\"python3_scr\"] scratchpad show || exec alacritty --class python3_scr -e python3";
         "Mod4+j" = "exec i3-msg [class=\"ViberPC\"] scratchpad show || exec viber";
         "Mod4+m" = "exec i3-msg [class=\"Thunderbird\"] scratchpad show || exec thunderbird";
-        "Mod4+y" = "exec i3-msg [instance=\"pulsemixer_scr\"] scratchpad show || exec alacritty --class pulsemixer_scr -e pulsemixer";
+        "Mod4+y" =
+          "exec i3-msg [instance=\"pulsemixer_scr\"] scratchpad show || exec alacritty --class pulsemixer_scr -e pulsemixer";
       };
 
       window = {
-        /*
-        border = 4;
-        */
+        # border = 4;
         commands = [
           {
             command = scratchpad_cmd;
-            criteria = {instance = "pulsemixer_scr|python3_scr";};
+            criteria = {
+              instance = "pulsemixer_scr|python3_scr";
+            };
           }
           {
             command = scratchpad_cmd;
-            criteria = {class = "Thunderbird";};
+            criteria = {
+              class = "Thunderbird";
+            };
           }
           {
             command = scratchpad_cmd;
@@ -82,7 +87,9 @@ in {
           }
           {
             command = "focus child, layout tabbed, focus";
-            criteria = {class = "qutebrowser";};
+            criteria = {
+              class = "qutebrowser";
+            };
           }
         ];
       };
@@ -91,7 +98,10 @@ in {
         {
           position = "top";
           fonts = {
-            names = ["DejaVu Sans Mono" "FontAwesome5Free"];
+            names = [
+              "DejaVu Sans Mono"
+              "FontAwesome5Free"
+            ];
             style = "Fixed Bold SemiCondensed";
             size = 7.0;
           };

home/common/i3status-rust.nix

@@ -0,0 +1,108 @@
+{ pkgs, ... }:
+let
+  kbd_switch = pkgs.writeShellScriptBin "kbd_switch" ''
+    declare -A -r KBD_CYCLE_MAP=(
+      ["English (US)"]="de"
+      ["German"]="ba"
+    )
+    LAYOUT="$(${pkgs.sway}/bin/swaymsg -t get_inputs -r | ${pkgs.jq}/bin/jq -r 'map(select(.type == "keyboard")).[0].xkb_layout_names.[]')"
+    swaymsg input "*" xkb_layout ''${KBD_CYCLE_MAP["$LAYOUT"]:-"us"}
+  '';
+in
+{
+  programs.i3status-rust = {
+    bars.top = {
+      icons = "awesome5";
+      theme = "gruvbox-dark";
+      settings.theme = {
+        theme = "plain";
+        overrides = {
+          separator_fg = "#3287a8";
+        };
+      };
+
+      blocks = [
+        {
+          block = "keyboard_layout";
+          driver = "sway";
+          click = [
+            {
+              cmd = "${kbd_switch}/bin/kbd_switch";
+              button = "left";
+            }
+          ];
+        }
+        {
+          block = "battery";
+          interval = 10;
+          format = "$icon $percentage $time";
+        }
+        {
+          block = "disk_space";
+          path = "/nix";
+          info_type = "available";
+          interval = 20;
+          warning = 20.0;
+          alert = 10.0;
+        }
+        {
+          block = "disk_space";
+          path = "/home";
+          info_type = "available";
+          interval = 20;
+          warning = 20.0;
+          alert = 10.0;
+        }
+        {
+          block = "net";
+          device = "wlan0";
+          if_command = "ip link show wlan0";
+          interval = 2;
+        }
+        {
+          block = "net";
+          device = "enp5s0";
+          if_command = "ip link show enp5s0";
+          interval = 2;
+        }
+        {
+          block = "net";
+          device = "enp7s0f3u1u1";
+          if_command = "ip link show enp7s0f3u1u1";
+          interval = 2;
+        }
+        {
+          block = "net";
+          device = "enp7s0f4u1u1";
+          if_command = "ip link show enp7s0f4u1u1";
+          interval = 2;
+        }
+        {
+          block = "net";
+          if_command = "ip link show eno1";
+          device = "eno1";
+          interval = 2;
+        }
+        {
+          block = "memory";
+        }
+        {
+          block = "cpu";
+          interval = 1;
+          format = "$utilization $barchart $frequency";
+        }
+        {
+          block = "temperature";
+          interval = 3;
+        }
+        {
+          block = "sound";
+        }
+        {
+          block = "time";
+          interval = 60;
+        }
+      ];
+    };
+  };
+}

home/common/sway.nix

@@ -0,0 +1,155 @@
+{
+  pkgs,
+  inputs,
+  system,
+  lib,
+  ...
+}:
+let
+  cliphist_sway = pkgs.writeShellScriptBin "cliphist_sway" ''
+    ${lib.getExe pkgs.cliphist} list | \
+    ${lib.getExe pkgs.wofi} --dmenu --insensitive | \
+    ${lib.getExe pkgs.cliphist} decode | \
+    ${pkgs.wl-clipboard}/bin/wl-copy
+  '';
+  screenshot_clip = pkgs.writeShellScriptBin "screenshot_clip" ''
+    GEOM="$(${lib.getExe pkgs.slurp} -d)"
+    ${lib.getExe pkgs.grim} -g "$GEOM" - | ${pkgs.wl-clipboard}/bin/wl-copy
+  '';
+  swaysw = inputs.swaysw.packages.${system}.swaysw;
+  term = "${pkgs.foot}/bin/footclient";
+in
+{
+  wayland.windowManager.sway = {
+    enable = true;
+    extraSessionCommands = "";
+    extraConfigEarly = '''';
+
+    config = {
+      fonts = {
+        names = [ "JetBrainsMono" ];
+        style = "Bold Semi-Condensed";
+        size = 11.0;
+      };
+
+      window.commands = [
+        {
+          command = "move scratchpad, resize set 1152 648";
+          criteria = {
+            app_id = "pulsemixer|python3|com.rtosta.zapzap|whatsapp-for-linux|com.viber";
+          };
+        }
+        {
+          command = "move scratchpad, resize set 1502 845";
+          criteria = {
+            app_id = "com.viber";
+          };
+        }
+        {
+          command = "floating enable";
+          criteria = {
+            app_id = "sws_cli";
+          };
+        }
+      ];
+
+      modifier = "Mod4";
+      output = {
+        eDP-1 = {
+          /*
+            bg = "~/pic/wallpaper stretch";
+            scale = "1.4";
+          */
+        };
+
+        HDMI-A-4 = {
+          res = "1920x1080";
+        };
+      };
+
+      input = {
+        "type:keyboard" = {
+          repeat_delay = "150";
+        };
+        "type:keyboard" = {
+          repeat_rate = "70";
+        };
+        "type:touchpad" = {
+          tap = "enabled";
+        };
+      };
+
+      bars = [
+        {
+          position = "top";
+          fonts = {
+            names = [
+              "Iosevka"
+              "FontAwesome"
+            ];
+            style = "Bold Semi-Condensed";
+            size = 12.0;
+          };
+          statusCommand = "${lib.getExe pkgs.i3status-rust} ~/.config/i3status-rust/config-top.toml";
+        }
+      ];
+
+      keybindings = {
+        "Alt+Shift+q" = "kill";
+        "Alt+Shift+Return" = "exec ${term}";
+        "Alt+p" = "exec ${pkgs.bemenu}/bin/bemenu-run";
+        "Alt+c" = "exec ${pkgs.moreutils}/bin/lckdo cliphist_sway ${cliphist_sway}/bin/cliphist_sway";
+        "Print" = "exec ${pkgs.moreutils}/bin/lckdo screenshot_clip ${screenshot_clip}/bin/screenshot_clip";
+
+        "Alt+Shift+space" = "floating toggle";
+        "Alt+space" = "focus mode_toggle";
+
+        "Alt+m" = "layout toggle splith tabbed";
+        "Alt+t" = "split toggle";
+        "Alt+s" = "layout toggle split";
+
+        "Alt+1" = "workspace 1";
+        "Alt+2" = "workspace 2";
+        "Alt+3" = "workspace 3";
+        "Alt+4" = "workspace 4";
+        "Alt+5" = "workspace 5";
+        "Alt+6" = "workspace 6";
+        "Alt+7" = "workspace 7";
+        "Alt+8" = "workspace 8";
+        "Alt+9" = "workspace 9";
+        "Alt+0" = "workspace 10";
+
+        "Alt+Shift+1" = "move container to workspace 1";
+        "Alt+Shift+2" = "move container to workspace 2";
+        "Alt+Shift+3" = "move container to workspace 3";
+        "Alt+Shift+4" = "move container to workspace 4";
+        "Alt+Shift+5" = "move container to workspace 5";
+        "Alt+Shift+6" = "move container to workspace 6";
+        "Alt+Shift+7" = "move container to workspace 7";
+        "Alt+Shift+8" = "move container to workspace 8";
+        "Alt+Shift+9" = "move container to workspace 9";
+        "Alt+Shift+0" = "move container to workspace 10";
+
+        "Alt+h" = "focus left";
+        "Alt+j" = "focus down";
+        "Alt+k" = "focus up";
+        "Alt+l" = "focus right";
+        "Alt+slash" = "exec ${pkgs.moreutils}/bin/lckdo swaysw ${swaysw}/bin/swaysw";
+        "Alt+Escape" = "workspace back_and_forth";
+        "Alt+f" = "fullscreen enable";
+        "Alt+bracketright" = "focus output right";
+        "Alt+bracketleft" = "focus output left";
+
+        "Mod4+l" =
+          ''exec ${pkgs.sway}/bin/swaymsg [app_id="python3"] scratchpad show || exec ${term} -a python3 ${lib.getExe pkgs.python3}'';
+        "Mod4+j" =
+          "exec ${pkgs.sway}/bin/swaymsg [app_id=com.rtosta.zapzap] scratchpad show || exec ${lib.getExe pkgs.zapzap}";
+        "Mod4+h" =
+          "exec ${pkgs.sway}/bin/swaymsg [app_id=com.viber] scratchpad show || exec ${pkgs.viber}/bin/viber";
+        "Mod4+y" =
+          ''exec ${pkgs.sway}/bin/swaymsg [app_id="pulsemixer"] scratchpad show || exec ${term} -a pulsemixer ${lib.getExe pkgs.pulsemixer}'';
+        "Mod4+p" = "exec ${lib.getExe pkgs.tessen} -a copy";
+      };
+    };
+  };
+}

home/common/whatsapp-for-linux.nix

@@ -1,12 +1,8 @@
+{ lib, ... }:
+with lib;
 {
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-with lib; {
   xdg.configFile."whatsapp-for-linux/settings.conf".source = builtins.toFile "settings.conf" (
-    generators.toINI {} {
+    generators.toINI { } {
       General = {
         zoom_level = 1;
         close_to_tray = false;

home/common/zsh.nix

@@ -0,0 +1,120 @@
+{ pkgs, lib, ... }:
+{
+  home.sessionVariables = {
+    /*ZDOTDIR = "\"$HOME/\".config/zsh";*/
+    /*HISTFILE = "\"$XDG_STATE_HOME\"/zsh/history";*/
+  };
+
+  programs.z-lua = {
+    enableAliases = true;
+    enableZshIntegration = true;
+  };
+
+  programs.zsh = {
+    autocd = true;
+    enableCompletion = false;
+    defaultKeymap = "viins";
+    /* dotDir = "\"$XDG_CONFIG_HOME\"/zsh"; */
+
+    setOptions = [
+      "c_bases"
+      "completealiases"
+      "completeinword"
+      "nobeep"
+      "nopromptcr"
+      "notify"
+    ];
+
+    shellAliases = {
+      cfind = "${pkgs.cscope}/bin/cscope -C -R -L1";
+      chmod = "chmod -v";
+      chown = "chown -v";
+      cp = "cp -v";
+      rm = "rm -v";
+      ip = "ip --color=auto";
+      f = "''$(${lib.getExe pkgs.pay-respects} zsh)";
+    };
+
+    history = {
+      expireDuplicatesFirst = true;
+      extended = true;
+      save = 100000;
+      size = 100000;
+    };
+
+    plugins = [
+      {
+        name = "nix_shell";
+        src = pkgs.zsh-nix-shell;
+        file = "share/zsh-nix-shell/nix-shell.plugin.zsh";
+      }
+      {
+        name = "nix_completion";
+        src = pkgs.nix-zsh-completions;
+        file = "share/zsh/plugins/nix/nix-zsh-completions.plugin.zsh";
+      }
+      {
+        name = "pure_prompt";
+        src = pkgs.fetchFromGitHub {
+          owner = "sindresorhus";
+          repo = "pure";
+          rev = "54bd501c802283dee0940457da6eb3e642bd1453";
+          hash = "sha256-AZSxP2g6BWoxyiSQH7yzbbbfGcwD8jgnXPPfcYwJUL0=";
+        };
+        file = "pure.plugin.zsh";
+      }
+      {
+        name = "fzf";
+        src = pkgs.fzf-zsh;
+        file = "share/zsh/plugins/fzf-zsh/fzf-zsh.plugin.zsh";
+      }
+      {
+        name = "zsh-sudo";
+        src = pkgs.oh-my-zsh;
+        file = "share/oh-my-zsh/plugins/sudo/sudo.plugin.zsh";
+      }
+      {
+        name = "zsh-fast-syntax-highlighting";
+        src = pkgs.zsh-fast-syntax-highlighting;
+        file = "share/zsh/plugins/fast-syntax-highlighting/fast-syntax-highlighting.plugin.zsh";
+      }
+    ];
+
+    envExtra = '''';
+
+    initContent = ''
+      # binds
+      bindkey '^K' fzf-file-widget
+
+      RPS1=""
+
+      function chpwd() {
+        ls;
+      }
+
+      function osc7-pwd() {
+       emulate -L zsh # also sets localoptions for us
+       setopt extendedglob
+       local LC_ALL=C
+       printf '\e]7;file://%s%s\e\' $HOST ''${PWD//(#m)([^@-Za-z&-;_~])/%''${(l:2::0:)''$(([##16]#MATCH))}}
+      }
+
+      function chpwd-osc7-pwd() {
+        (( ZSH_SUBSHELL )) || osc7-pwd
+      }
+      add-zsh-hook -Uz chpwd chpwd-osc7-pwd
+
+      eval "$(direnv hook zsh)"
+      zstyle ':completion:*' matcher-list 'm:{a-z}={A-Za-z}'
+
+      if [[ -n "$PS1" ]] && [[ -z "$TMUX" ]] && [[ -n "$SSH_CONNECTION" ]]; then
+        TMUX_EXE="${lib.getExe pkgs.tmux}"
+        systemd-run --scope --user $TMUX_EXE attach-session -t $USER || systemd-run --scope --user $TMUX_EXE new-session -s $USER
+      fi
+
+      if [[ -n "$BUBBLEWRAP_DIR" ]]; then
+        RPS1="{{$BUBBLEWRAP_DIR}}"
+      fi
+    '';
+  };
+}

home/home.nix

@@ -1,244 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  inputs,
-  ...
-}:
-with lib; {
-  imports = [./zsh.nix ./i3status-rust.nix ./sway.nix ./i3.nix ./home_packages.nix ./whatsapp-for-linux.nix];
-
-  home.stateVersion = "22.11";
-  home.username = "akill";
-  home.homeDirectory = "/home/akill";
-
-  xdg.enable = true;
-  xdg.mimeApps = {
-    enable = true;
-    defaultApplications = {
-      "application/pdf" = ["sioyek.desktop"];
-    };
-  };
-
-  fonts.fontconfig.enable = true;
-
-  home.sessionVariables = {
-    BROWSER = "qutebrowser";
-    EDITOR = "nvim";
-    _JAVA_AWT_WM_NONREPARENTING = "1";
-    MOZ_ENABLE_WAYLAND = "1";
-    QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
-    SUDO_EDITOR = "nvim";
-    #WLR_RENDERER = "vulkan";
-  };
-
-  wayland.windowManager.sway = {enable = true;};
-
-  programs = {
-    home-manager.enable = true;
-
-    librewolf = {
-      enable = true;
-      package = pkgs.librewolf-wayland;
-      settings = {
-        "webgl.disable" = true;
-        "middlemouse.paste" = false;
-      };
-    };
-
-    mpv = {
-      enable = true;
-      config = {
-        slang = "eng,en";
-        alang = "eng,en";
-        hwdec = "auto";
-        vo = "gpu-next";
-        ao = "pipewire";
-        script-opts-set = "ytdl_hook-ytdl_path=yt-dlp,sponsorblock-local_database=no,sponsorblock-skip_categories=[sponsor,intro,selfpromo]";
-        ytdl-format = "bestvideo[height<=?1080]+bestaudio/best";
-      };
-
-      bindings = {
-        WHEEL_UP = "ignore";
-        WHEEL_DOWN = "ignore";
-        WHEEL_LEFT = "ignore";
-        WHEEL_RIGHT = "ignore";
-      };
-    };
-
-    alacritty = {
-      enable = true;
-
-      settings = {
-        font = {
-          normal.family = "JetBrainsMono";
-          italic.family = "JetBrainsMono";
-          bold.family = "JetBrainsMono";
-          bold_italic.family = "JetBrainsMono";
-          size = 14.0;
-        };
-
-        selection = {
-          text = "0xcfcfc2";
-          background = "0x232629";
-
-          normal = {
-            black = "0x1c1b19";
-            red = "0xef2f27";
-            green = "0x519f50";
-            yellow = "0xfbb829";
-            blue = "0x2c78bf";
-            magenta = "0xe02c6d";
-            cyan = "0x0aaeb3";
-            white = "0x918175";
-          };
-
-          bright = {
-            black = "0x2D2C29";
-            red = "0xf75341";
-            green = "0x98bc37";
-            yellow = "0xfed06e";
-            blue = "0x68A8E4";
-            magenta = "0xff5c8f";
-            cyan = "0x53fde9";
-            white = "0xfce8c3";
-          };
-        };
-      };
-    };
-
-    rofi = {
-      enable = true;
-      theme = "gruvbox-dark";
-    };
-
-    foot = {
-      enable = true;
-      server.enable = true;
-      settings = {
-        main = {
-          font = "JetBrainsMono:size=10";
-          dpi-aware = "yes";
-        };
-        mouse = {hide-when-typing = "yes";};
-      };
-    };
-
-    qutebrowser = {
-      enable = true;
-      package = pkgs.qutebrowser;
-      keyBindings = {
-        normal = {
-          "j" = "scroll-px 0 25";
-          "k" = "scroll-px 0 -25";
-          "u" = "undo --window";
-          ";v" = "hint links spawn mpv {hint-url}";
-        };
-      };
-
-      settings = {
-        content.notifications.enabled = false;
-        content.pdfjs = true;
-        content.webgl = false;
-        fonts.completion.category = "14pt monospace";
-        fonts.completion.entry = "14pt monospace";
-        fonts.contextmenu = "14pt monospace";
-        fonts.debug_console = "14pt monospace";
-        fonts.downloads = "14pt monospace";
-        fonts.hints = "14pt monospace";
-        fonts.keyhint = "14pt monospace";
-        fonts.messages.info = "14pt monospace";
-        fonts.prompts = "14pt monospace";
-        fonts.statusbar = "14pt monospace";
-        hints.chars = "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p";
-        tabs.last_close = "close";
-        tabs.position = "left";
-        tabs.show = "multiple";
-        tabs.tabs_are_windows = true;
-        tabs.width = "12%";
-        zoom.default = "125%";
-      };
-    };
-
-    git = {
-      enable = true;
-      userName = "Asmir A";
-      userEmail = "asmir.abdulahovic@gmail.com";
-      extraConfig = {
-        pull = {rebase = true;};
-        credential = {helper = "store";};
-      };
-    };
-
-    obs-studio = {
-      enable = true;
-      plugins = with pkgs.obs-studio-plugins; [obs-vkcapture input-overlay obs-multi-rtmp obs-pipewire-audio-capture wlrobs obs-vaapi];
-    };
-
-    i3status-rust.enable = true;
-    z-lua.enable = true;
-    zsh.enable = true;
-  };
-
-  services = {
-    lorri.enable = false;
-    mako.enable = true;
-    gammastep = {
-      enable = true;
-      latitude = "44.53";
-      longitude = "18.67";
-      temperature.day = 5500;
-      temperature.night = 2900;
-    };
-
-    gnome-keyring.enable = true;
-
-    gpg-agent = {
-      enable = true;
-      defaultCacheTtl = 1800;
-      enableSshSupport = true;
-    };
-
-    swayidle = {
-      enable = true;
-      events = [
-        {
-          event = "before-sleep";
-          command = "swaylock_bg_blur.sh";
-        }
-        {
-          event = "lock";
-          command = "swaylock_bg_blur.sh";
-        }
-        {
-          event = "after-resume";
-          command = "pkill -USR1 i3status-rs";
-        }
-      ];
-      timeouts = [
-        {
-          timeout = 15 * 60;
-          command = "swaylock_bg_blur.sh";
-        }
-      ];
-    };
-  };
-
-  systemd.user = {
-    services = {
-      /*
-       himalaya = {
-      Unit.Description = "Himalaya new messages notifier";
-      Service = {
-      ExecStart = "himalaya notify";
-      Restart = "always";
-      RestartSec = 10;
-      };
-      Install = {
-      WantedBy = [ "multi-user.target" ];
-      };
-      };
-      */
-    };
-  };
-}

home/home_packages.nix

@@ -1,105 +0,0 @@
-{
-  config,
-  pkgs,
-  inputs,
-  ...
-}: {
-  home.packages = with pkgs;
-    [
-      alejandra
-      appimage-run
-      arp-scan
-      birdtray
-      blackmagic
-      btop
-      cached-nix-shell
-      caddy
-      cargo
-      ccls
-      cemu
-      cmake
-      compsize
-      cura
-      deluge
-      ffmpeg-full
-      firefox
-      gcc
-      gdb
-      glab
-      glaxnimate
-      gnumake
-      go
-      grim
-      hyperfine
-      imagemagick
-      imv
-      jellyfin-media-player
-      kdenlive
-      kicad
-      kodi-wayland
-      libnotify
-      libreoffice
-      libva-utils
-      mediainfo
-      ncdu
-      neovide
-      ngspice
-      nix-init
-      nodePackages.peerflix
-      openocd
-      pandoc
-      pass
-      patchelf
-      pavucontrol
-      pirate-get
-      powertop
-      pulsemixer
-      python3
-      python3Packages.west
-      remmina
-      river
-      rtorrent
-      rustc
-      screen
-      seer
-      sioyek
-      skypeforlinux
-      slurp
-      texlive.combined.scheme-full
-      thunderbird
-      upx
-      waybar
-      wdisplays
-      whatsapp-for-linux
-      wireshark
-      wl-clipboard
-      wlr-randr
-      wofi
-      x2goclient
-      yewtube
-      yt-dlp
-      zathura
-      zeal-qt6
-      zig
-      zls
-
-      /* install here until nvim flake is fixed */
-      alejandra
-      ccls
-      gopls
-      luaformatter
-      nixd
-      pyright
-      rust-analyzer
-      sumneko-lua-language-server
-      svls
-      texlab
-      tree-sitter
-      verible
-      zls
-    ]
-    ++ [
-      inputs.swaysw.packages.x86_64-linux.swaysw
-      inputs.nvim.packages.x86_64-linux.nvim
-    ];
-}

home/i3status-rust.nix

@@ -1,69 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  programs.i3status-rust = {
-    bars.top = {
-      icons = "awesome5";
-      theme = "gruvbox-dark";
-      settings.theme = {
-        theme = "plain";
-        overrides = {
-          separator_fg = "#3287a8";
-        };
-      };
-
-      blocks = [
-        {
-          block = "battery";
-          interval = 10;
-          format = "$icon $percentage $time";
-        }
-        {
-          block = "disk_space";
-          path = "/";
-          info_type = "available";
-          interval = 20;
-          warning = 20.0;
-          alert = 10.0;
-        }
-        {
-          block = "net";
-          device = "wlan0";
-          interval = 2;
-        }
-        {
-          block = "net";
-          device = "enp5s0";
-          interval = 2;
-        }
-        {
-          block = "net";
-          device = "eno1";
-          interval = 2;
-        }
-        {
-          block = "memory";
-        }
-        {
-          block = "cpu";
-          interval = 1;
-          format = "$utilization $barchart $frequency";
-        }
-        {
-          block = "temperature";
-          interval = 3;
-        }
-        {
-          block = "sound";
-        }
-        {
-          block = "time";
-          interval = 60;
-        }
-      ];
-    };
-  };
-}

home/mediabox/home.nix

@@ -0,0 +1,348 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+let
+  qutebrowser_firejail = pkgs.writeShellScriptBin "qutebrowser" ''
+    firejail -- ${lib.getExe pkgs.qutebrowser} "$@"
+  '';
+in
+{
+  imports = [
+    ../common/zsh.nix
+    ./home_packages.nix
+    ../common/whatsapp-for-linux.nix
+  ];
+
+  home.stateVersion = "22.11";
+  home.username = "akill";
+  home.homeDirectory = "/home/akill";
+
+  xdg.enable = true;
+  xdg.mimeApps = {
+    enable = true;
+    defaultApplications = {
+      "application/pdf" = "sioyek.desktop";
+      "default-web-browser" = "org.qutebrowser.qutebrowser.desktop";
+      "text/html" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/about" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/http" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/https" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/unknown" = "org.qutebrowser.qutebrowser.desktop";
+    };
+  };
+
+  fonts.fontconfig.enable = true;
+
+  home.sessionVariables = rec {
+    BROWSER = lib.getExe qutebrowser_firejail;
+    DEFAULT_BROWSER = "${BROWSER}";
+    EDITOR = "nvim";
+    _JAVA_AWT_WM_NONREPARENTING = "1";
+    MOZ_ENABLE_WAYLAND = "1";
+    NIXOS_OZONE_WL = "1";
+    QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+    SUDO_EDITOR = "nvim";
+    WLR_RENDERER = "vulkan";
+  };
+
+  wayland.windowManager.sway = {
+    enable = false;
+  };
+
+  programs = {
+    home-manager.enable = true;
+
+    librewolf = {
+      enable = true;
+      package = pkgs.librewolf-wayland;
+      settings = {
+        "webgl.disable" = true;
+        "middlemouse.paste" = false;
+      };
+    };
+
+    tmux = {
+      enable = true;
+      clock24 = true;
+      keyMode = "vi";
+      terminal = "screen-256color";
+      plugins = with pkgs.tmuxPlugins; [
+        sysstat
+        net-speed
+        gruvbox
+      ];
+    };
+
+    mpv = {
+      enable = true;
+      config = {
+        slang = "eng,en";
+        alang = "eng,en";
+        hwdec = "auto";
+        vo = "gpu-next";
+        ao = "pipewire";
+        osd-bar = "no";
+        border = "no";
+        script-opts-set = "";
+        ytdl-format = "bestvideo[height<=?1080]+bestaudio/best";
+      };
+
+      bindings = {
+        WHEEL_UP = "ignore";
+        WHEEL_DOWN = "ignore";
+        WHEEL_LEFT = "ignore";
+        WHEEL_RIGHT = "ignore";
+      };
+    };
+
+    alacritty = {
+      enable = true;
+
+      settings = {
+        font = {
+          normal.family = "JetBrainsMono";
+          italic.family = "JetBrainsMono";
+          bold.family = "JetBrainsMono";
+          bold_italic.family = "JetBrainsMono";
+          size = 14.0;
+        };
+
+        selection = {
+          text = "0xcfcfc2";
+          background = "0x232629";
+
+          normal = {
+            black = "0x1c1b19";
+            red = "0xef2f27";
+            green = "0x519f50";
+            yellow = "0xfbb829";
+            blue = "0x2c78bf";
+            magenta = "0xe02c6d";
+            cyan = "0x0aaeb3";
+            white = "0x918175";
+          };
+
+          bright = {
+            black = "0x2D2C29";
+            red = "0xf75341";
+            green = "0x98bc37";
+            yellow = "0xfed06e";
+            blue = "0x68A8E4";
+            magenta = "0xff5c8f";
+            cyan = "0x53fde9";
+            white = "0xfce8c3";
+          };
+        };
+      };
+    };
+
+    rofi = {
+      enable = true;
+      theme = "gruvbox-dark";
+    };
+
+    foot = {
+      enable = true;
+      server.enable = true;
+      settings = {
+        main = {
+          font = "JetBrainsMono:size=10";
+          dpi-aware = "yes";
+        };
+        mouse = {
+          hide-when-typing = "yes";
+        };
+      };
+    };
+
+    qutebrowser = {
+      enable = true;
+      keyBindings = {
+        normal = {
+          "j" = "scroll-px 0 25";
+          "k" = "scroll-px 0 -25";
+          "u" = "undo --window";
+          ";v" = "hint links spawn mpv {hint-url}";
+        };
+      };
+
+      settings = {
+        content.notifications.enabled = false;
+        content.pdfjs = true;
+        content.webgl = false;
+        fonts.completion.category = "14pt monospace";
+        fonts.completion.entry = "14pt monospace";
+        fonts.contextmenu = "14pt monospace";
+        fonts.debug_console = "14pt monospace";
+        fonts.downloads = "14pt monospace";
+        fonts.hints = "14pt monospace";
+        fonts.keyhint = "14pt monospace";
+        fonts.messages.info = "14pt monospace";
+        fonts.prompts = "14pt monospace";
+        fonts.statusbar = "14pt monospace";
+        hints.chars = "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p";
+        tabs.last_close = "close";
+        tabs.position = "left";
+        tabs.show = "multiple";
+        tabs.tabs_are_windows = true;
+        tabs.width = "12%";
+        zoom.default = "125%";
+      };
+    };
+
+    git = {
+      enable = true;
+      userName = "Asmir A";
+      userEmail = "asmir.abdulahovic@gmail.com";
+      extraConfig = {
+        init.defaultBranch = "master";
+        pull = {
+          rebase = true;
+        };
+        credential = {
+          helper = "store";
+        };
+      };
+      signing.key = "020C42B7A9ABA3E2";
+      signing.signByDefault = true;
+    };
+
+    obs-studio = {
+      enable = true;
+      plugins = with pkgs.obs-studio-plugins; [
+        obs-vkcapture
+        input-overlay
+        obs-multi-rtmp
+        obs-pipewire-audio-capture
+        wlrobs
+        obs-vaapi
+      ];
+    };
+
+    i3status-rust.enable = false;
+    z-lua.enable = true;
+    zsh.enable = true;
+  };
+
+  services = {
+    lorri.enable = false;
+    mako.enable = true;
+    cliphist.enable = true;
+    gammastep = {
+      enable = true;
+      latitude = "44.53";
+      longitude = "18.67";
+      temperature.day = 5500;
+      temperature.night = 2900;
+    };
+
+    gnome-keyring.enable = true;
+
+    gpg-agent = {
+      enable = true;
+      defaultCacheTtl = 1800;
+      enableSshSupport = true;
+    };
+
+    swayidle =
+      let
+        locker = pkgs.writeShellScriptBin "swaylock_fancy" ''
+          ALL_IMGS=""
+          LOCK_ARGS=""
+          for OUTPUT in $(${pkgs.sway}/bin/swaymsg -t get_outputs | ${lib.getExe pkgs.jq} -r '.[].name')
+          do
+            TMP_FILE=$(${pkgs.coreutils}/bin/mktemp /tmp/.swaylock_ss_XXXXXX.jpg)
+            ${lib.getExe pkgs.grim} -t ppm -o $OUTPUT - | \
+              ${lib.getExe pkgs.ffmpeg} -y -loglevel 0 -i - -vframes 1 -vf "boxblur=10" "$TMP_FILE"
+            LOCK_ARGS="$LOCK_ARGS --image $OUTPUT:$TMP_FILE"
+            ALL_IMGS="$ALL_IMGS $TMP_FILE"
+          done
+            ${lib.getExe pkgs.swaylock} -f $LOCK_ARGS
+            ${pkgs.coreutils}/bin/shred $ALL_IMGS
+            ${pkgs.coreutils}/bin/rm $ALL_IMGS
+        '';
+      in
+      /*
+        refresh_i3status = pkgs.writeShellScriptBin "refresh_i3status" ''
+          ${pkgs.coreutils}/bin/sleep 1 && ${pkgs.procps}/bin/pkill -USR1 i3status-rs
+        '';
+      */
+      {
+        enable = false;
+        events = [
+          {
+            event = "before-sleep";
+            command = "${locker}/bin/swaylock_fancy";
+          }
+          {
+            event = "lock";
+            command = "${locker}/bin/swaylock_fancy";
+          }
+          /*
+            {
+              event = "after-resume";
+              command = "${refresh_i3status}/bin/refresh_i3status";
+            }
+          */
+        ];
+        timeouts = [
+          {
+            timeout = 15 * 60;
+            command = "${locker}/bin/swaylock_fancy";
+          }
+        ];
+      };
+
+    kanshi = {
+      enable = false;
+      settings = [
+        {
+          profile.name = "undocked";
+          profile.outputs = [
+            {
+              criteria = "eDP-1";
+            }
+          ];
+        }
+
+        {
+          profile.name = "docked";
+          profile.outputs = [
+            {
+              criteria = "eDP-1";
+              position = "0,0";
+            }
+            {
+              criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026536";
+              mode = "1920x1080@74.973Hz";
+              position = "1920,0";
+            }
+            {
+              criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026535";
+              mode = "1920x1080@74.973Hz";
+              position = "3840,0";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  systemd.user = {
+    services = {
+      wayland-pipewire-idle-inhibit = {
+        Unit.Description = "inhibit sleep while audio output is active";
+        Service = {
+          ExecStart = "${lib.getExe pkgs.wayland-pipewire-idle-inhibit}";
+          Restart = "always";
+          RestartSec = 10;
+        };
+        Install = {
+          WantedBy = [ "graphical-session.target" ];
+        };
+      };
+    };
+  };
+}

home/mediabox/home_packages.nix

@@ -0,0 +1,58 @@
+{ lib
+, pkgs
+, ...
+}:
+let
+  chromium_discord = pkgs.writeShellScriptBin "chromium_discord" ''
+    ${lib.getExe pkgs.ungoogled-chromium} --socket=wayland org.chromium.Chromium --app=https://discordapp.com/channels/@me
+  '';
+in
+{
+  home.packages =
+    with pkgs;
+    [
+      cached-nix-shell
+      deluge
+      dualsensectl
+      ffmpeg-full
+      firefox
+      freetube
+      imv
+      inkscape
+      jellyfin-media-player
+      kodi-wayland
+      libnotify
+      libreoffice-qt6-fresh
+      libva-utils
+      nixpkgs-fmt
+      nix-prefetch-git
+      pandoc
+      paraview
+      pass-wayland
+      pavucontrol
+      pay-respects
+      pirate-get
+      poppler_utils
+      pulsemixer
+      pwvucontrol
+      python3
+      remmina
+      rtorrent
+      sioyek
+      steam-run
+      stremio
+      swayimg
+      tessen
+      ungoogled-chromium
+      wdisplays
+      wine
+      wl-clipboard
+      wlr-randr
+      wofi
+      yt-dlp
+      zathura
+    ]
+    ++ [
+      chromium_discord
+    ];
+}

home/nixy/home.nix

@@ -0,0 +1,363 @@
+{ lib
+, pkgs
+, ...
+}:
+let
+  qutebrowser_firejail = pkgs.writeShellScriptBin "qutebrowser" ''
+    firejail -- ${lib.getExe pkgs.qutebrowser} "$@"
+  '';
+in
+{
+  imports = [
+    ../common/zsh.nix
+    ../common/i3status-rust.nix
+    ../common/sway.nix
+    ../common/i3.nix
+    ./home_packages.nix
+    ../common/whatsapp-for-linux.nix
+  ];
+
+  home.stateVersion = "22.11";
+  home.username = "akill";
+  home.homeDirectory = "/home/akill";
+
+  xdg.enable = true;
+  xdg.mimeApps = {
+    enable = true;
+    defaultApplications = {
+      "application/pdf" = "sioyek.desktop";
+      "default-web-browser" = "org.qutebrowser.qutebrowser.desktop";
+      "text/html" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/about" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/http" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/https" = "org.qutebrowser.qutebrowser.desktop";
+      "x-scheme-handler/unknown" = "org.qutebrowser.qutebrowser.desktop";
+    };
+  };
+
+  fonts.fontconfig.enable = true;
+
+  home.sessionVariables = rec {
+    BROWSER = lib.getExe qutebrowser_firejail;
+    DEFAULT_BROWSER = "${BROWSER}";
+    EDITOR = "nvim";
+    _JAVA_AWT_WM_NONREPARENTING = "1";
+    MOZ_ENABLE_WAYLAND = "1";
+    NIXOS_OZONE_WL = "1";
+    QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+    SUDO_EDITOR = "nvim";
+    WLR_RENDERER = "vulkan";
+  };
+
+  home.pointerCursor = {
+    package = pkgs.adwaita-icon-theme;
+    name = "Adwaita";
+    size = 38;
+  };
+
+  wayland.windowManager.sway = {
+    enable = true;
+  };
+
+  programs = {
+    home-manager.enable = true;
+
+    librewolf = {
+      enable = true;
+      settings = {
+        "webgl.disable" = true;
+        "middlemouse.paste" = false;
+      };
+    };
+
+    tmux = {
+      enable = true;
+      clock24 = true;
+      keyMode = "vi";
+      terminal = "screen-256color";
+      plugins = with pkgs.tmuxPlugins; [
+        sysstat
+        net-speed
+        gruvbox
+      ];
+    };
+
+    mpv = {
+      enable = true;
+      scripts = [
+        pkgs.mpvScripts.uosc
+        pkgs.mpvScripts.autosubsync-mpv
+      ];
+      config = {
+        osc = "no";
+        osd-bar = "no";
+        border = "no";
+        slang = "eng,en";
+        alang = "eng,en";
+        hwdec = "auto";
+        vo = "gpu-next";
+        ao = "pipewire";
+        ytdl-format = "bestvideo[height<=?1080]+bestaudio/best";
+      };
+
+      bindings = {
+        "s" = "script-binding uosc/subtitles";
+        "a" = "script-binding uosc/audio";
+        WHEEL_UP = "ignore";
+        WHEEL_DOWN = "ignore";
+        WHEEL_LEFT = "ignore";
+        WHEEL_RIGHT = "ignore";
+      };
+    };
+
+    alacritty = {
+      enable = true;
+
+      settings = {
+        font = {
+          normal.family = "JetBrainsMono";
+          italic.family = "JetBrainsMono";
+          bold.family = "JetBrainsMono";
+          bold_italic.family = "JetBrainsMono";
+          size = 14.0;
+        };
+
+        selection = {
+          text = "0xcfcfc2";
+          background = "0x232629";
+
+          normal = {
+            black = "0x1c1b19";
+            red = "0xef2f27";
+            green = "0x519f50";
+            yellow = "0xfbb829";
+            blue = "0x2c78bf";
+            magenta = "0xe02c6d";
+            cyan = "0x0aaeb3";
+            white = "0x918175";
+          };
+
+          bright = {
+            black = "0x2D2C29";
+            red = "0xf75341";
+            green = "0x98bc37";
+            yellow = "0xfed06e";
+            blue = "0x68A8E4";
+            magenta = "0xff5c8f";
+            cyan = "0x53fde9";
+            white = "0xfce8c3";
+          };
+        };
+      };
+    };
+
+    rofi = {
+      enable = true;
+      theme = "gruvbox-dark";
+    };
+
+    foot = {
+      enable = true;
+      server.enable = true;
+      settings = {
+        main = {
+          font = "JetBrainsMono:size=10";
+          dpi-aware = "yes";
+        };
+        mouse = {
+          hide-when-typing = "yes";
+        };
+      };
+    };
+
+    qutebrowser = {
+      enable = true;
+      keyBindings = {
+        normal = {
+          "j" = "scroll-px 0 25";
+          "k" = "scroll-px 0 -25";
+          "u" = "undo --window";
+          ";v" = "hint links spawn mpv {hint-url}";
+        };
+      };
+
+      settings = {
+        content.notifications.enabled = false;
+        content.pdfjs = true;
+        content.webgl = false;
+        fonts.completion.category = "14pt monospace";
+        fonts.completion.entry = "14pt monospace";
+        fonts.contextmenu = "14pt monospace";
+        fonts.debug_console = "14pt monospace";
+        fonts.downloads = "14pt monospace";
+        fonts.hints = "14pt monospace";
+        fonts.keyhint = "14pt monospace";
+        fonts.messages.info = "14pt monospace";
+        fonts.prompts = "14pt monospace";
+        fonts.statusbar = "14pt monospace";
+        hints.chars = "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p";
+        tabs.last_close = "close";
+        tabs.position = "left";
+        tabs.show = "multiple";
+        tabs.tabs_are_windows = true;
+        tabs.width = "12%";
+        zoom.default = "125%";
+      };
+    };
+
+    git = {
+      enable = true;
+      settings = {
+	user = {
+	  name = "Asmir A";
+	  email = "asmir.abdulahovic@gmail.com";
+        };
+        init.defaultBranch = "master";
+        pull = {
+          rebase = true;
+        };
+        credential = {
+          helper = "store";
+        };
+      };
+      signing.key = "020C42B7A9ABA3E2";
+      signing.signByDefault = true;
+    };
+
+    obs-studio = {
+      enable = true;
+      plugins = with pkgs.obs-studio-plugins; [
+        obs-vkcapture
+        input-overlay
+        obs-multi-rtmp
+        obs-pipewire-audio-capture
+        wlrobs
+        obs-vaapi
+      ];
+    };
+
+    i3status-rust.enable = true;
+    z-lua.enable = true;
+    zsh.enable = true;
+  };
+
+  services = {
+    lorri.enable = false;
+    mako.enable = true;
+    cliphist.enable = true;
+    gammastep = {
+      enable = true;
+      latitude = "44.53";
+      longitude = "18.67";
+      temperature.day = 5500;
+      temperature.night = 2900;
+    };
+
+    gnome-keyring.enable = true;
+
+    gpg-agent = {
+      enable = true;
+      defaultCacheTtl = 1800;
+      enableSshSupport = true;
+    };
+
+    swayidle =
+      let
+        locker = pkgs.writeShellScriptBin "swaylock_fancy" ''
+          ALL_IMGS=""
+          LOCK_ARGS=""
+          for OUTPUT in $(${pkgs.sway}/bin/swaymsg -t get_outputs | ${lib.getExe pkgs.jq} -r '.[].name')
+          do
+            TMP_FILE=$(${pkgs.coreutils}/bin/mktemp /tmp/.swaylock_ss_XXXXXX.jpg)
+            ${lib.getExe pkgs.grim} -t ppm -o $OUTPUT - | \
+              ${lib.getExe pkgs.ffmpeg} -y -loglevel 0 -i - -vframes 1 -vf "boxblur=10" "$TMP_FILE"
+            LOCK_ARGS="$LOCK_ARGS --image $OUTPUT:$TMP_FILE"
+            ALL_IMGS="$ALL_IMGS $TMP_FILE"
+          done
+            ${lib.getExe pkgs.swaylock} -f $LOCK_ARGS
+            ${pkgs.coreutils}/bin/shred $ALL_IMGS
+            ${pkgs.coreutils}/bin/rm $ALL_IMGS
+        '';
+      in
+        /*
+        refresh_i3status = pkgs.writeShellScriptBin "refresh_i3status" ''
+          ${pkgs.coreutils}/bin/sleep 1 && ${pkgs.procps}/bin/pkill -USR1 i3status-rs
+        '';
+        */
+      {
+        enable = true;
+        events = [
+          {
+            event = "before-sleep";
+            command = "${locker}/bin/swaylock_fancy";
+          }
+          {
+            event = "lock";
+            command = "${locker}/bin/swaylock_fancy";
+          }
+          /*
+            {
+              event = "after-resume";
+              command = "${refresh_i3status}/bin/refresh_i3status";
+            }
+          */
+        ];
+        timeouts = [
+          {
+            timeout = 15 * 60;
+            command = "${locker}/bin/swaylock_fancy";
+          }
+        ];
+      };
+
+    kanshi = {
+      enable = true;
+      settings = [
+        {
+          profile.name = "undocked";
+          profile.outputs = [
+            {
+              criteria = "eDP-1";
+            }
+          ];
+        }
+
+        {
+          profile.name = "docked";
+          profile.outputs = [
+            {
+              criteria = "eDP-1";
+              position = "0,0";
+            }
+            {
+              criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026536";
+              mode = "1920x1080@74.973Hz";
+              position = "1920,0";
+            }
+            {
+              criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026535";
+              mode = "1920x1080@74.973Hz";
+              position = "3840,0";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  systemd.user = {
+    services = {
+      wayland-pipewire-idle-inhibit = {
+        Unit.Description = "inhibit sleep while audio output is active";
+        Service = {
+          ExecStart = "${lib.getExe pkgs.wayland-pipewire-idle-inhibit}";
+          Restart = "always";
+          RestartSec = 10;
+        };
+        Install = {
+          WantedBy = [ "graphical-session.target" ];
+        };
+      };
+    };
+  };
+}

home/nixy/home_packages.nix

@@ -0,0 +1,183 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  system,
+  ...
+}:
+let
+  chromium_teams = pkgs.writeShellScriptBin "chromium_teams" ''
+    ${lib.getExe pkgs.ungoogled-chromium} --socket=wayland org.chromium.Chromium --app=https://teams.microsoft.com/
+  '';
+  chromium_discord = pkgs.writeShellScriptBin "chromium_discord" ''
+    ${lib.getExe pkgs.ungoogled-chromium} --socket=wayland org.chromium.Chromium --app=https://discordapp.com/channels/@me
+  '';
+  chromium_stackfield = pkgs.writeShellScriptBin "chromium_stackfield" ''
+    ${lib.getExe pkgs.ungoogled-chromium} --socket=wayland org.chromium.Chromium --app=https://stackfield.com/
+  '';
+  nixy_switch = pkgs.writeShellScriptBin "nixy_switch" ''
+    ${pkgs.util-linux}/bin/ionice -c 3 -- \
+    ${pkgs.coreutils}/bin/nice -n 20 -- \
+    ${lib.getExe pkgs.nixos-rebuild} --flake ./#nixy switch
+  '';
+  qcad = pkgs.writeShellScriptBin "qcad" ''
+    QT_QPA_PLATFORM=xcb ${lib.getExe pkgs.qcad} $@
+  '';
+  ssh_proxy = pkgs.writeShellScriptBin "ssh_proxy" ''
+    if ${pkgs.coreutils}/bin/test $# -ne 1; then
+      echo "Usage: $0 <user>@<ssh_host>"
+      exit
+    fi
+    PROXY_PORT="1337"
+    ${lib.getExe pkgs.openssh} -D "$PROXY_PORT" -q -N "$@"
+  '';
+  wrap_sh =
+    let
+      bubblewrap = pkgs.callPackage ../../packages/bubblewrap/default.nix { };
+    in
+    pkgs.writeShellScriptBin "wrap.sh" ''
+      if ${pkgs.coreutils-full}/bin/test $# -ne 1; then
+        echo "Usage: $0 <directory>"
+        exit
+      fi
+      FULL_PATH=$(${pkgs.coreutils-full}/bin/realpath "$1")
+      BUBBLEWRAP_DIR="$1" ${bubblewrap}/bin/bwrap \
+        --bind / / \
+        --dev /dev \
+        --overlay-src "$FULL_PATH" \
+        --tmp-overlay "$FULL_PATH" \
+        "$SHELL"
+    '';
+in
+{
+  home.packages =
+    with pkgs;
+    [
+      anydesk
+      appimage-run
+      arp-scan
+      birdtray
+      blackmagic
+      blender
+      btop
+      cached-nix-shell
+      caddy
+      cargo
+      cmake
+      compsize
+      kdePackages.ark
+      ungoogled-chromium
+      cura-appimage
+      deluge
+      dfu-util
+      discord
+      dmenu-wayland
+      drawio
+      dualsensectl
+      ffmpeg-full
+      firefox
+      freecad
+      gcc
+      gdb
+      ghostscript
+      glab
+      glaxnimate
+      gnumake
+      go
+      grim
+      heimdall
+      hyperfine
+      icestorm
+      imagemagick
+      imv
+      inkscape
+      #jellyfin-media-player
+      kdePackages.kdenlive
+      kicad
+      kodi-wayland
+      krita
+      libnotify
+      libreoffice-qt6-fresh
+      libva-utils
+      perf
+      lsix
+      lsix
+      mediainfo
+      ncdu
+      neovide
+      nextpnr
+      ngspice
+      nix-init
+      nixpkgs-fmt
+      nix-prefetch-git
+      nom
+      openems
+      openocd
+      openscad
+      pandoc
+      #paraview
+      pass-wayland
+      patchelf
+      pavucontrol
+      pay-respects
+      pirate-get
+      poppler-utils
+      powertop
+      pulsemixer
+      pwvucontrol
+      python3
+      python3Packages.west
+      qucs-s
+      radeontop
+      remmina
+      river-classic
+      rizin
+      rtorrent
+      sbcl
+      screen
+      seer
+      sioyek
+      slurp
+      steam-run
+      stm32cubemx
+      swayimg
+      tea
+      teams-for-linux
+      tectonic
+      tessen
+      texlive.combined.scheme-full
+      thunderbird
+      typst
+      upx
+      viber
+      waybar
+      wdisplays
+      weechat
+      wasistlos
+      wine
+      wireshark
+      wl-clipboard
+      wlr-randr
+      wofi
+      x2goclient
+      yewtube
+      yosys
+      yt-dlp
+      zapzap
+      zathura
+      zig
+    ]
+    ++ [
+      chromium_discord
+      chromium_stackfield
+      chromium_teams
+      nixy_switch
+      qcad
+      ssh_proxy
+      wrap_sh
+    ]
+    ++ [
+      inputs.swaysw.packages.${system}.swaysw
+      (pkgs.callPackage ../../packages/bubblewrap/default.nix { })
+    ];
+}

home/sway.nix

@@ -1,121 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  wayland.windowManager.sway = {
-    enable = true;
-    extraSessionCommands = "";
-
-    config = {
-      fonts = {
-        names = ["JetBrainsMono"];
-        style = "Bold Semi-Condensed";
-        size = 11.0;
-      };
-
-      window.commands = [
-        {
-          command = "move scratchpad, resize set 1152 648";
-          criteria = {app_id = "pulsemixer|python3|whatsapp-for-linux|com.viber.Viber";};
-        }
-        {
-          command = "move scratchpad, resize set 1502 845";
-          criteria = {class = "ViberPC";};
-        }
-        {
-          command = "floating enable";
-          criteria = {app_id = "sws_cli";};
-        }
-      ];
-
-      modifier = "Mod4";
-      output = {
-        eDP-1 = {
-          bg = "~/pic/wallpaper stretch";
-          /*
-          scale = "1.4";
-          */
-        };
-
-        HDMI-A-4 = {
-          res = "1920x1080";
-        };
-      };
-
-      input = {
-        "type:keyboard" = {repeat_delay = "150";};
-        "type:keyboard" = {repeat_rate = "70";};
-        "type:touchpad" = {tap = "enabled";};
-      };
-
-      bars = [
-        {
-          position = "top";
-          fonts = {
-            names = ["Iosevka" "FontAwesome"];
-            style = "Bold Semi-Condensed";
-            size = 12.0;
-          };
-          statusCommand = "i3status-rs ~/.config/i3status-rust/config-top.toml";
-        }
-      ];
-
-      keybindings = {
-        "Alt+Shift+q" = "kill";
-        "Alt+Shift+Return" = "exec ${pkgs.foot}/bin/footclient";
-        "Alt+p" = "exec ${pkgs.dmenu-wayland}/bin/dmenu-wl_run -fn \"mono 14\"";
-
-        "Alt+Shift+space" = "floating toggle";
-        "Alt+space" = "focus mode_toggle";
-
-        "Alt+m" = "layout toggle splith tabbed";
-        "Alt+t" = "split toggle";
-        "Alt+s" = "layout toggle split";
-
-        "Alt+1" = "workspace 1";
-        "Alt+2" = "workspace 2";
-        "Alt+3" = "workspace 3";
-        "Alt+4" = "workspace 4";
-        "Alt+5" = "workspace 5";
-        "Alt+6" = "workspace 6";
-        "Alt+7" = "workspace 7";
-        "Alt+8" = "workspace 8";
-        "Alt+9" = "workspace 9";
-        "Alt+0" = "workspace 10";
-
-        "Alt+Shift+1" = "move container to workspace 1";
-        "Alt+Shift+2" = "move container to workspace 2";
-        "Alt+Shift+3" = "move container to workspace 3";
-        "Alt+Shift+4" = "move container to workspace 4";
-        "Alt+Shift+5" = "move container to workspace 5";
-        "Alt+Shift+6" = "move container to workspace 6";
-        "Alt+Shift+7" = "move container to workspace 7";
-        "Alt+Shift+8" = "move container to workspace 8";
-        "Alt+Shift+9" = "move container to workspace 9";
-        "Alt+Shift+0" = "move container to workspace 10";
-
-        "Alt+h" = "focus left";
-        "Alt+j" = "focus down";
-        "Alt+k" = "focus up";
-        "Alt+l" = "focus right";
-        "Alt+slash" = "exec swaysw";
-        "Alt+Escape" = "workspace back_and_forth";
-        "Alt+f" = "fullscreen enable";
-
-        "Mod4+l" = ''
-          exec swaymsg [app_id="python3"] scratchpad show || exec foot -a python3 python3'';
-        "Mod4+h" = "exec swaymsg [app_id=whatsapp-for-linux] scratchpad show || exec whatsapp-for-linux";
-        "Mod4+j" = "exec swaymsg [app_id=com.viber.Viber] scratchpad show";
-        "Mod4+y" = ''
-          exec swaymsg [app_id="pulsemixer"] scratchpad show || exec foot -a pulsemixer pulsemixer'';
-
-        "XF86AudioRaiseVolume" = "exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') +5%";
-        "XF86AudioLowerVolume" = "exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') -5%";
-        "XF86AudioMute" = "exec pactl set-sink-mute $(pacmd list-sinks |awk '/* index:/{print $3}') toggle";
-        "XF86AudioMicMute" = "exec pactl set-source-mute $(pacmd list-sources |awk '/* index:/{print $3}') toggle";
-      };
-    };
-  };
-}

home/vimrc.lua

@@ -1,233 +0,0 @@
--- Basic settings
-vim.g.loaded_matchparen = true
-vim.g.netrw_liststyle = 3
-vim.wo.number = true
-
-local glob_opts = {
-	background = 'dark',
-	belloff = 'all',
-	breakindent = true,
-	hlsearch = false,
-	laststatus = 0,
-	lazyredraw = true,
-	showcmd = true,
-	synmaxcol = 800,
-	syntax = 'on',
-	termguicolors = true,
-	titleold = vim.fn.getcwd(),
-	title = true,
-	wildmenu = true,
-	wrap = true,
-}
-
-for option, value in pairs(glob_opts) do
-	vim.go[option] = value
-end
-
-
-vim.cmd([[colorscheme gruvbox]])
-
-require 'nvim-treesitter.configs'.setup {
-	highlight = { enable = true, disable = {} },
-	indent = { enable = false, disable = {} },
-	rainbow = {
-		enable = true,
-		extended_mode = true, -- Highlight also non-parentheses delimiters, boolean or table: lang -> boolean
-		max_file_lines = 1000, -- Do not enable for files with more than 1000 lines, int
-		colors = {
-			'#ff0000', '#ffa500', '#ffff00', '#008000', '#0051a0', '#8003f2'
-		} -- table of hex strings
-	}
-}
-
--- Mappings.
--- See `:help vim.diagnostic.*` for documentation on any of the below functions
-local opts = { noremap = true, silent = true }
-vim.api.nvim_set_keymap('n', '<space>e',
-	'<cmd>lua vim.diagnostic.open_float()<CR>', opts)
-vim.api.nvim_set_keymap('n', '<space>q',
-	'<cmd>lua vim.diagnostic.setloclist()<CR>', opts)
-vim.api.nvim_set_keymap('n', 'Q', '<cmd>nohl<CR>', opts)
-vim.api.nvim_set_keymap('n', 'j', 'gj', opts)
-vim.api.nvim_set_keymap('n', 'k', 'gk', opts)
-vim.api.nvim_set_keymap('v', 'j', 'gj', opts)
-vim.api.nvim_set_keymap('v', 'k', 'gk', opts)
-vim.api.nvim_set_keymap('n', '<C-J>', '<C-W><C-J>', opts)
-vim.api.nvim_set_keymap('n', '<C-K>', '<C-W><C-K>', opts)
-vim.api.nvim_set_keymap('n', '<C-L>', '<C-W><C-L>', opts)
-vim.api.nvim_set_keymap('n', '<C-H>', '<C-W><C-H>', opts)
-vim.api.nvim_set_keymap('n', "<C-P>", "<cmd>lua require('fzf-lua').files()<CR>", opts)
-
-vim.api.nvim_create_autocmd('LspAttach', {
-	desc = 'LSP actions',
-	callback = function()
-		local bufmap = function(mode, lhs, rhs)
-			vim.keymap.set(mode, lhs, rhs, { buffer = true })
-		end
-
-		-- Displays hover information about the symbol under the cursor
-		bufmap('n', 'K', '<cmd>lua vim.lsp.buf.hover()<cr>')
-
-		-- Jump to the definition
-		bufmap('n', 'gd', '<cmd>lua vim.lsp.buf.definition()<cr>')
-
-		-- Jump to declaration
-		bufmap('n', 'gD', '<cmd>lua vim.lsp.buf.declaration()<cr>')
-
-		-- Lists all the implementations for the symbol under the cursor
-		bufmap('n', 'gi', '<cmd>lua vim.lsp.buf.implementation()<cr>')
-
-		-- Jumps to the definition of the type symbol
-		bufmap('n', 'go', '<cmd>lua vim.lsp.buf.type_definition()<cr>')
-
-		-- Lists all the references
-		bufmap('n', 'gr', '<cmd>lua vim.lsp.buf.references()<cr>')
-
-		-- Displays a function's signature information
-		bufmap('n', '<C-k>', '<cmd>lua vim.lsp.buf.signature_help()<cr>')
-
-		-- Renames all references to the symbol under the cursor
-		bufmap('n', 'rn', '<cmd>lua vim.lsp.buf.rename()<cr>')
-
-		-- Selects a code action available at the current cursor position
-		bufmap('n', '<F4>', '<cmd>lua vim.lsp.buf.code_action()<cr>')
-		bufmap('x', '<F4>', '<cmd>lua vim.lsp.buf.range_code_action()<cr>')
-
-		-- Show diagnostics in a floating window
-		bufmap('n', 'gl', '<cmd>lua vim.diagnostic.open_float()<cr>')
-
-		-- Move to the previous diagnostic
-		bufmap('n', '[d', '<cmd>lua vim.diagnostic.goto_prev()<cr>')
-
-		-- Move to the next diagnostic
-		bufmap('n', ']d', '<cmd>lua vim.diagnostic.goto_next()<cr>')
-
-		-- Format current buffer
-		bufmap('n', '<space>f', function() vim.lsp.buf.format { async = true } end)
-	end
-})
-
-vim.diagnostic.config({ virtual_text = false}) -- Turn off inline diagnostics 
-
--- Show all diagnostics on current line in floating window
-vim.api.nvim_set_keymap( 'n', '<Leader>d', ':lua vim.diagnostic.open_float()<CR>', opts)
-
--- Go to next diagnostic (if there are multiple on the same line, only shows
--- one at a time in the floating window)
-vim.api.nvim_set_keymap( 'n', '<Leader>n', ':lua vim.diagnostic.goto_next()<CR>', opts)
-
--- Go to prev diagnostic (if there are multiple on the same line, only shows
--- one at a time in the floating window)
-vim.api.nvim_set_keymap( 'n', '<Leader>p', ':lua vim.diagnostic.goto_prev()<CR>', opts)
-
--- Use a loop to conveniently call 'setup' on multiple servers and
--- map buffer local keybindings when the language server attaches
-local cmp = require 'cmp'
-cmp.setup({
-	snippet = {
-		expand = function(args)
-			vim.fn["UltiSnips#Anon"](args.body)
-		end,
-	},
-	sources = cmp.config.sources({
-		{ name = 'nvim_lsp' },
-		{ name = 'buffer' },
-		{ name = 'path' },
-		{ name = 'ultisnips' },
-	}),
-	mapping = {
-		["<Tab>"] = cmp.mapping({
-			i = function(fallback)
-				if cmp.visible() then
-					cmp.select_next_item({ behavior = cmp.SelectBehavior.Insert })
-				else
-					fallback()
-				end
-			end,
-		}),
-		["<S-Tab>"] = cmp.mapping({
-			i = function(fallback)
-				if cmp.visible() then
-					cmp.select_prev_item({ behavior = cmp.SelectBehavimr.Insert })
-				else
-					fallback()
-				end
-			end,
-		}),
-		['<Down>'] = cmp.mapping(cmp.mapping.select_next_item({ behavior = cmp.SelectBehavior.Select }), { 'i' }),
-		['<Up>'] = cmp.mapping(cmp.mapping.select_prev_item({ behavior = cmp.SelectBehavior.Select }), { 'i' }),
-		['<C-n>'] = cmp.mapping({
-			i = function(fallback)
-				if cmp.visible() then
-					cmp.select_next_item({ behavior = cmp.SelectBehavior.Select })
-				else
-					fallback()
-				end
-			end
-		}),
-		['<C-p>'] = cmp.mapping({
-			i = function(fallback)
-				if cmp.visible() then
-					cmp.select_prev_item({ behavior = cmp.SelectBehavior.Select })
-				else
-					fallback()
-				end
-			end
-		}),
-		['<C-b>'] = cmp.mapping(cmp.mapping.scroll_docs(-4), { 'i', 'c' }),
-		['<C-f>'] = cmp.mapping(cmp.mapping.scroll_docs(4), { 'i', 'c' }),
-		['<C-Space>'] = cmp.mapping(cmp.mapping.complete(), { 'i', 'c' }),
-		['<C-e>'] = cmp.mapping({ i = cmp.mapping.close(), c = cmp.mapping.close() }),
-		['<CR>'] = cmp.mapping({
-			i = cmp.mapping.confirm({ behavior = cmp.ConfirmBehavior.Replace, select = false }),
-		}),
-	}
-})
-
-local servers = { 'pyright', 'rust_analyzer', 'ccls', 'nixd', 'texlab', 'zls' }
-local capabilities = require('cmp_nvim_lsp').default_capabilities()
-for _, lsp in pairs(servers) do
-	require('lspconfig')[lsp].setup {
-		capabilities = capabilities
-	}
-end
-
-require('lspconfig').lua_ls.setup({
-	capabilities = capabilities,
-	single_file_support = true,
-	settings = {
-		Lua = {
-			diagnostics = {
-				globals = { 'vim' },
-			},
-			runtime = {
-				version = 'LuaJIT',
-				path = vim.split(package.path, ';'),
-			},
-			workspace = {
-				library = {
-					[vim.fn.expand('$VIMRUNTIME/lua')] = true,
-					[vim.fn.expand('$VIMRUNTIME/lua/vim/lsp')] = true,
-				},
-			},
-			telemetry = {
-				enable = false,
-			},
-		},
-	},
-})
-
-require('lspconfig').verible.setup({
-	capabilities = capabilities,
-	root_dir = function() return vim.loop.cwd() end
-})
-
-if vim.fn.exists('+undofile') ~= 0 then
-	local undo_dir = vim.env.HOME .. '/.config/nvim/undo'
-	if vim.fn.isdirectory(undo_dir) == 0 then vim.fn.mkdir(undo_dir, 'p') end
-	vim.o.undodir = undo_dir
-	vim.o.undofile = true
-end
-
-vim.cmd([[syntax sync minlines=100]])
-vim.cmd([[syntax sync maxlines=140]])

home/vimrc.nix

@@ -1,55 +0,0 @@
-{
-  pkgs,
-  vimUtils,
-  fetchFromGitHub,
-}: {
-  extraPackages = with pkgs; [
-    ccls
-    luaformatter
-    nixd
-    pyright
-    rust-analyzer
-    sumneko-lua-language-server
-    svls
-    texlab
-    verible
-    zls
-  ];
-
-  plugins = with pkgs.vimPlugins; [
-    (nvim-treesitter.withPlugins (parsers: [
-      parsers.c
-      parsers.cpp
-      parsers.json
-      parsers.latex
-      parsers.lua
-      parsers.nix
-      parsers.python
-      parsers.query
-      parsers.rust
-      parsers.verilog
-      parsers.vimdoc
-      parsers.zig
-    ]))
-    cmp-buffer
-    cmp-cmdline
-    cmp-nvim-lsp
-    cmp-nvim-ultisnips
-    cmp-path
-    colorizer
-    fugitive
-    fzf-lua
-    gruvbox
-    nvim-cmp
-    nvim-lspconfig
-    nvim-ts-rainbow
-    repeat
-    targets-vim
-    UltiSnips
-    vim-addon-nix
-    vim-signify
-    vim-slime
-    vim-snippets
-    zig-vim
-  ];
-}

home/zsh.nix

@@ -1,104 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  programs.z-lua = {
-    enableAliases = true;
-    enableZshIntegration = true;
-  };
-
-  programs.zsh = {
-    autocd = true;
-    enableCompletion = false;
-    syntaxHighlighting.enable = true;
-    defaultKeymap = "viins";
-
-    shellAliases = {
-      cfind = "cscope -C -R -L1";
-      chmod = "chmod -v";
-      chown = "chown -v";
-      cp = "cp -v";
-      rm = "rm -v";
-      ip = "ip --color=auto";
-    };
-
-    history = {
-      expireDuplicatesFirst = true;
-      extended = true;
-      save = 100000;
-      size = 100000;
-    };
-
-    plugins = [
-      {
-        name = "nix_shell";
-        src = pkgs.zsh-nix-shell;
-        file = "share/zsh-nix-shell/nix-shell.plugin.zsh";
-      }
-      {
-        name = "nix_completion";
-        src = pkgs.nix-zsh-completions;
-        file = "share/zsh/plugins/nix/nix-zsh-completions.plugin.zsh";
-      }
-      {
-        name = "fast_syntax_highlight";
-        src = pkgs.zsh-fast-syntax-highlighting;
-        file = "share/zsh/site-functions/fast-syntax-highlighting.plugin.zsh";
-      }
-      {
-        name = "pure_prompt";
-        src = pkgs.fetchFromGitHub {
-          owner = "sindresorhus";
-          repo = "pure";
-          rev = "47c0c881f0e7cfdb5eaccd335f52ad17b897c060";
-          sha256 = "15xdhi72pq88ls5gx1h0k23jvb41j6kq6ar17dqmd5d38zsgwl3v";
-        };
-        file = "pure.plugin.zsh";
-      }
-      {
-        name = "fzf";
-        src = pkgs.fzf-zsh;
-        file = "share/zsh/plugins/fzf-zsh/fzf-zsh.plugin.zsh";
-      }
-      {
-        name = "zsh-sudo";
-        src = pkgs.fetchFromGitHub {
-          owner = "hcgraf";
-          repo = "zsh-sudo";
-          rev = "d8084def6bb1bde2482e7aa636743f40c69d9b32";
-          sha256 = "1dpm51w3wjxil8sxqw4qxim5kmf6afmkwz1yfhldpdlqm7rfwpi3";
-        };
-        file = "sudo.plugin.zsh";
-      }
-    ];
-
-    envExtra = '''';
-
-    initExtra = ''
-      # binds
-      bindkey '^K' fzf-file-widget
-
-      # options
-      setopt nobeep
-      setopt nopromptcr
-      setopt c_bases
-      setopt completeinword
-      setopt completealiases
-      setopt extendedglob
-      setopt notify
-
-      #
-      RPS1=""
-
-      #
-      function chpwd() {
-        ls;
-      }
-
-      eval "$(direnv hook zsh)"
-      zstyle ':completion:*' matcher-list 'm:{a-z}={A-Za-z}'
-    '';
-  };
-}

magpie/configuration.nix

@@ -1,82 +1,131 @@
+{ config
+, pkgs
+, lib
+, project-cloud
+, nvim
+, system
+, ...
+}:
 {
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  imports = [];
+  imports = [ ];
 
   nix.optimise.automatic = true;
-  nix.settings.experimental-features = ["nix-command" "flakes"];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
-  boot.loader.grub.devices = ["/dev/sda"];
+  boot.loader.systemd-boot.configurationLimit = 2;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelParams = [
+    "ip=dhcp"
+    "console=tty"
+  ];
+  boot.kernel.sysctl = {
+    "net.core.default_qdisc" = "fq";
+    "net.ipv4.tcp_congestion_control" = "bbr";
+  };
+
+  boot.initrd = {
+    compressor = "zstd";
+    availableKernelModules = [
+      "virtio-pci"
+      "virtio-gpu"
+    ];
+    systemd.enable = true;
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        hostKeys = [ /etc/ssh_dummy_ed25519_key ];
+        authorizedKeyFiles = [ ../nixy/ssh_pubkey ];
+      };
+    };
+  };
 
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
   users.users.root.initialHashedPassword = "";
   users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0gyN7DzF7+sinneq7++fT93dNWe9ttKnLZJEb0LVs7UxPtz/ovlxnktAgEtSh7NUUGKPILGG6+YG/Jz3pb4cLuQHtavIQ2mIzIbiNl+c80gLNPulfOrC3KyCacYnlcEpoV+4yvMPLDf+5ySilYoF30CSIo8B7B4PSwO3/I20oXXY0zeVmYKs65BY8OrR8PDdtPpuqGcTdPpVSrooZQoykriFeejBb0Jn7qWO7vmsTyUZZIP4nKKUyqE6iFZ2zv+J3mYfuoglQKO1+kqcCYCef0sheLZGD4/QIIL8HJ9yNWb6OQhu7MEv1NowuHkviImwVO3actZ1/x4lrWt4mY+bGglVwA90u1KZUQ10qKQ2xCG2ZHE9DSxWxpI/Yq2P4pLA/XSkYFPpzmoD9c6cpv0WLAvmQrEVkqK0xXo+KszUlyGy5sVJl7/h1fZ8YhWsWUnU1XJFmKLaomUZflL3h7X6xJNVPzZmso8l1INdCvIBDu+G84kAp1/aFalSJMyjTgvCc1hxhAVYhmrc3msGH0Jk8CcPBwYa0BH4EryacdupOS/c5VxAbdyuizEgitP1ylRmydVVDEItPNXFvpWdyEehf/VmsUXqL48mBzfvi6feD5AzKjPaQNaATpxLs9Sl9CMxSy27ahHwEK6dek1wm7nkoSIDSRWfGhYKr3lUg0emAYQ=="
+    (builtins.readFile ../nixy/ssh_pubkey)
   ];
 
   environment.systemPackages = with pkgs; [
-    alejandra
     curl
     fd
     file
     fzf
     fzy
     git
-    htop
+    nvim.packages.${system}.nvim
+    htop-vim
+    nvim
+    pciutils
     tig
+    tmux
     unzip
+    usbutils
     wget
     zip
   ];
 
   programs.mosh.enable = true;
-  programs.neovim = {
-    enable = true;
-    vimAlias = true;
-    viAlias = true;
-  };
+
+  /* Srv settings found on SrvOS */
+  fonts.fontconfig.enable = lib.mkDefault false;
+  xdg.autostart.enable = lib.mkDefault false;
+  xdg.icons.enable = lib.mkDefault false;
+  xdg.menus.enable = lib.mkDefault false;
+  xdg.mime.enable = lib.mkDefault false;
+  xdg.sounds.enable = lib.mkDefault false;
 
   mailserver = {
     enable = true;
-    debug = false;
+    debug.all = false;
     fqdn = "mail.project-cloud.net";
-    domains = ["project-cloud.net"];
+    domains = [ "project-cloud.net" ];
     enableSubmissionSsl = true;
     enableImap = false;
     enableImapSsl = true;
+    stateVersion = 3;
 
     # A list of all login accounts. To create the password hashes, use
     # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
     loginAccounts = {
       "gitea@project-cloud.net" = {
         hashedPasswordFile = config.sops.secrets."gitea_mail_pw_hash".path;
-        aliases = ["git@project-cloud.net"];
+        aliases = [ "git@project-cloud.net" ];
       };
       "asmir@project-cloud.net" = {
         hashedPasswordFile = config.sops.secrets."asmir_mail_pw_hash".path;
-        aliases = ["asmir.abdulahovic@project-cloud.net"];
+        aliases = [ "asmir.abdulahovic@project-cloud.net" ];
       };
     };
     certificateScheme = "acme-nginx";
   };
 
   services.journald.extraConfig = ''SystemMaxUse=50M '';
-  services.logind.extraConfig = ''KillUserProcesses=yes '';
+  services.logind.settings.Login = { KillUserProcesses = true; };
   services.openssh.settings.PermitRootLogin = "prohibit-password";
   services.openssh.enable = true;
-  services.opendkim.enable = true;
+  services.openssh.listenAddresses = [
+    {
+      addr = "10.100.0.1"; # wireguard
+      port = 22;
+    }
+  ];
+
+  services.opendkim = {
+    enable = true;
+    selector = "mail";
+  };
 
   services.miniflux = {
-    enable = true;
+    enable = false;
     adminCredentialsFile = config.sops.secrets."miniflux_env".path;
     config = {
       LISTEN_ADDR = "localhost:5001";
@@ -84,23 +133,21 @@
     };
   };
 
-  services.restya-board = {
+  services.goatcounter = {
     enable = true;
-    /*
-    virtualHost.serverName = "board.project-cloud.net";
-    */
-    virtualHost.listenHost = "localhost";
-    virtualHost.listenPort = 4001;
+    port = 8002;
+    proxy = true;
+    address = "127.0.0.1";
   };
 
   services.nextcloud = {
-    enable = true;
-    package = pkgs.nextcloud27;
+    enable = false;
+    package = pkgs.nextcloud28;
     config.adminpassFile = config.sops.secrets."nextcloud_admin".path;
     configureRedis = true;
-    hostName = "project-cloud.net";
+    hostName = "cloud.project-cloud.net";
     https = true;
-    extraOptions = {
+    settings = {
       mail_smtpmode = "sendmail";
       mail_sendmailmode = "pipe";
       enabledPreviewProviders = [
@@ -117,24 +164,40 @@
         "OC\\Preview\\XBitmap"
       ];
     };
+    phpOptions = {
+      "opcache.jit" = "tracing";
+      "opcache.jit_buffer_size" = "100M";
+      "opcache.interned_strings_buffer" = "16";
+    };
   };
 
   services.nginx = {
     enable = true;
-    package = pkgs.nginxQuic;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
 
-    virtualHosts.${config.services.nextcloud.hostName} = {
+    virtualHosts."project-cloud.net" = {
       quic = true;
+      http3 = true;
       forceSSL = true;
       enableACME = true;
+      root = "${project-cloud.packages.${system}.default}/public";
     };
 
+    /*
+      virtualHosts.${config.services.nextcloud.hostName} = {
+        quic = true;
+        http3 = true;
+        forceSSL = true;
+        enableACME = true;
+      };
+    */
+
     virtualHosts."miniflux.project-cloud.net" = {
       quic = true;
+      http3 = true;
       forceSSL = true;
       enableACME = true;
       locations."/" = {
@@ -144,19 +207,21 @@
 
     virtualHosts.${config.services.gitea.settings.server.DOMAIN} = {
       quic = true;
+      http3 = true;
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:${toString config.services.gitea.settings.server.HTTP_PORT}";
+        proxyPass = "http://unix:${toString config.services.gitea.settings.server.HTTP_ADDR}";
       };
     };
 
-    virtualHosts."board.project-cloud.net" = {
+    virtualHosts."stats.project-cloud.net" = {
       quic = true;
+      http3 = true;
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:${toString config.services.restya-board.virtualHost.listenPort}";
+        proxyPass = "http://localhost:8002/";
       };
     };
   };
@@ -173,6 +238,8 @@
       ROOT_URL = "https://git.project-cloud.net";
       DISABLE_SSH = true;
       HTTP_PORT = 3001;
+      LANDING_PAGE = "explore";
+      PROTOCOL = "http+unix";
     };
     settings.mailer = {
       ENABLED = true;
@@ -182,27 +249,57 @@
     };
 
     settings.service = {
-      REGISTER_EMAIL_CONFIRM = true;
       DISABLE_REGISTRATION = true;
+      REGISTER_EMAIL_CONFIRM = true;
     };
 
-    settings."markup.restructuredtext" = let
-      docutils =
-        pkgs.python3.withPackages (ps: with ps; [docutils pygments]);
-    in {
-      ENABLED = true;
-      FILE_EXTENSIONS = ".rst";
-      RENDER_COMMAND = "${docutils}/bin/rst2html.py";
-      IS_INPUT_FILE = false;
-    };
+    settings."markup.restructuredtext" =
+      let
+        docutils = pkgs.python3.withPackages (
+          ps: with ps; [
+            docutils
+            pygments
+          ]
+        );
+      in
+      {
+        ENABLED = true;
+        FILE_EXTENSIONS = ".rst";
+        RENDER_COMMAND = "${docutils}/bin/rst2html.py";
+        IS_INPUT_FILE = false;
+      };
   };
 
-  /*
-  needed for sendmail mail functionality
-  */
-  users.users.gitea.extraGroups = ["postdrop"];
+  services.nfs.server.enable = false;
+  services.nfs.server.extraNfsdConfig = ''
+    rdma = true
+    vers3 = false
+    vers4.0 = false
+    vers4.1 = false
+  '';
+  services.nfs.server.exports = ''
+    /export/nixy    10.100.0.1/24(rw,nohide,insecure,no_subtree_check,all_squash,anonuid=1000,anongid=100)
+  '';
+
+  services.borgbackup.jobs."borgbase" = {
+    paths = [
+      "/var/lib/gitea"
+    ];
+    exclude = [ ];
+    repo = "ssh://na9fqv67@na9fqv67.repo.borgbase.com/./repo";
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgbase_enc_key".path}";
+    };
+    environment.BORG_RSH = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgbase_ssh_key".path}";
+    compression = "auto,zstd";
+    startAt = "daily";
+  };
+
+  # needed for sendmail mail functionality
+  users.users.gitea.extraGroups = [ "postdrop" ];
   systemd.services.gitea.serviceConfig = {
-    RestrictAddressFamilies = ["AF_NETLINK"];
+    RestrictAddressFamilies = [ "AF_NETLINK" ];
     ProtectSystem = lib.mkForce false;
   };
 
@@ -211,36 +308,107 @@
     defaults.email = "asmir.abdulahovic@gmail.com";
   };
 
-  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-
-  sops.secrets."miniflux_env" = {
-    sopsFile = ./secrets/miniflux.yaml;
-  };
-
-  sops.secrets."gitea_mail_pw_hash" = {
-    sopsFile = ./secrets/gitea_mail_pw_hash.yaml;
-  };
-
-  sops.secrets."asmir_mail_pw_hash" = {
-    sopsFile = ./secrets/asmir_mail_pw_hash.yaml;
-  };
-
-  sops.secrets."gitea_db" = {
-    sopsFile = ./secrets/gitea_db.yaml;
-    owner = config.users.users.gitea.name;
-  };
-
-  sops.secrets."nextcloud_admin" = {
-    sopsFile = ./secrets/nextcloud_admin.yaml;
-    owner = config.users.users.nextcloud.name;
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets = {
+      "asmir_mail_pw_hash".sopsFile = ./secrets/asmir_mail_pw_hash.yaml;
+      "borgbase_enc_key".sopsFile = ./secrets/borgbase_enc_key.yaml;
+      "borgbase_ssh_key".sopsFile = ./secrets/borgbase_ssh_key.yaml;
+      "gitea_mail_pw_hash".sopsFile = ./secrets/gitea_mail_pw_hash.yaml;
+      "miniflux_env".sopsFile = ./secrets/miniflux.yaml;
+      "wg_preshared/mediabox".sopsFile = ../common/secrets/wg_preshared.yaml;
+      "wg_preshared/nixy".sopsFile = ../common/secrets/wg_preshared.yaml;
+      "wg_preshared/workstation".sopsFile = ../common/secrets/wg_preshared.yaml;
+      "wg_privkey".sopsFile = ./secrets/wg_privkey.yaml;
+      "gitea_db" = {
+        sopsFile = ./secrets/gitea_db.yaml;
+        owner = config.users.users.gitea.name;
+      };
+      /*
+        "nextcloud_admin" = {
+          sopsFile = ./secrets/nextcloud_admin.yaml;
+          owner = config.users.users.nextcloud.name;
+        };
+      */
+    };
   };
 
   networking.hostName = "magpie";
-  networking.wireless.enable = false;
-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [80 443 587];
-  networking.firewall.allowedUDPPorts = [];
+  networking.nftables.enable = true;
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+      587
+      2049
+    ]; # http, mail, mail, nfs
+    allowedUDPPorts = [
+      443
+      51820
+    ]; # mail, wireguard
+    allowPing = true;
+    logRefusedConnections = lib.mkDefault false;
+  };
+
+  networking.nat = {
+    enable = true;
+    externalInterface = "enp1s0";
+    internalInterfaces = [ "wg0" ];
+  };
+
   networking.networkmanager.enable = true;
+  networking.wireless.enable = false;
+
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = [ "10.100.0.1/24" ];
+      listenPort = 51820;
+
+      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+      #postSetup = ''
+      #  ${pkgs.nftables}/bin/nft add rule ip nat POSTROUTING oifname "eth0" ip saddr 10.100.0.0/24 counter masquerade
+      #'';
+      # This undoes the above command, TODO fix command below to be more specific
+      #postShutdown = ''
+      #  ${pkgs.nftables}/bin/nft flush table ip nat
+      #'';
+      privateKeyFile = config.sops.secrets."wg_privkey".path;
+
+      peers = [
+        {
+          publicKey = builtins.readFile ../nixy/wg_pubkey;
+          presharedKeyFile = config.sops.secrets."wg_preshared/nixy".path;
+          allowedIPs = [ "10.100.0.6/32" ];
+        }
+        {
+          publicKey = builtins.readFile ../mediabox/wg_pubkey;
+          presharedKeyFile = config.sops.secrets."wg_preshared/mediabox".path;
+          allowedIPs = [ "10.100.0.5/32" ];
+        }
+        {
+          publicKey = builtins.readFile ../common/wg_pubkey_workstation;
+          presharedKeyFile = config.sops.secrets."wg_preshared/workstation".path;
+          allowedIPs = [ "10.100.0.4/32" ];
+        }
+      ];
+    };
+  };
+
+  systemd = {
+    enableEmergencyMode = false;
+
+    watchdog = {
+      runtimeTime = "20s";
+      rebootTime = "30s";
+    };
+
+    sleep.extraConfig = ''
+      AllowSuspend=no
+      AllowHibernation=no
+    '';
+  };
 
   system.stateVersion = "22.11";
 }

magpie/hardware-configuration.nix

@@ -2,20 +2,24 @@
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
-  config,
   lib,
-  pkgs,
   modulesPath,
   ...
-}: {
+}:
+{
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid" "sr_mod"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = [];
-  boot.extraModulePackages = [];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_pci"
+    "usbhid"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/118de1e5-f23e-4af3-a10a-054eded78152";
@@ -27,7 +31,7 @@
     fsType = "vfat";
   };
 
-  swapDevices = [];
+  swapDevices = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

magpie/secrets/asmir_mail_pw_hash.yaml

@@ -8,11 +8,20 @@ sops:
         - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbTM0ZzVHZ1hlNzJ6d25a
-            eFpZMHdBZjBFSjU4L0dkK1Noby9HK29CMldNCkJWb2NmcC9jNVFBMWJOZjVBalRw
-            VVZsN3B1WGJseDFiRTA1R3cvU3c2NEEKLS0tIFI4WHFDRHBCN29IQ0tPVC9zbHZS
-            OFdsQUpvRzNKc2x1WW13b2d4R3lxdXMKJeMJ1IdxS+WUTzUlFdc4WfnUozWU4/80
-            9GBPz3VCppunrXrh1zFkfIL+Lz48HFyf7HNI4na6TkyqipR6wsW4gw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOS3RoalBRQTB5Mkp4THpa
+            aG9jS0UraEJlWHlVRFBWNWNJNGVOd0hxdUZBCm10OWwramN3UGdLUFpwbkduaU16
+            S1FWcHIrK0dKRTAvSlN4SlI3eHJJL3cKLS0tIFljS3oxWXZyRlFEVUdUYXRsc2x4
+            N1h6SFYrcTZQK1JSRWZsV2MvTGFwb0kKxRohlU6vR3CR2SGqDT9P8AxQXMSbpQuO
+            g1t6gj3c+YBugUsCMuNpYEE+8OvfSQmsZV0VHojS8dMHSD9x75237w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bnFpZzB2b21YVEZtenBj
+            TlkxdVlSWmM3dDNnQmxqQm5FWlQ0ZHhySGg0Cll1andBcE0yZ04zaFZlajBDSDUx
+            VHRWbFVOeE1CZmlveTB0UEpjZUpzMEEKLS0tIE5tcVFuaWt6K2RKR3FodGYra25n
+            bHNWWmh1dFdJVGtETWYvZDY1TGpvUVkKu4sO+/OXdV4xsLmOMlbV5nIidX+iREgF
+            q0IavI9nzOZ0tkWSV/9mFua8Mp1vPW8wCBOqnW3nhPvYDoTbGQEovQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-10-20T19:31:29Z"
     mac: ENC[AES256_GCM,data:xXiCems/1em6JdK3V5GcD811yc8t6iHHFmz0OOrWM3muR807Ux80TrD3uoMN8GxIMyr0AloH41k8+vxaSlMmHsGGl6o1P13aR03E+A9ZLp1W2Nb3nCy5rH4pF8WSeNMxZ1SoT2iEAtTsh29xusocQTMUvr7Ou8TDLyVvrKhBPZw=,iv:SSPpVTbVQTvhPg1qm9akrg2ji1fRcukkwX5P2FzWMb4=,tag:a6GiGWfwnKLtteVoi9DJtQ==,type:str]

magpie/secrets/borgbase_enc_key.yaml

@@ -0,0 +1,30 @@
+borgbase_enc_key: ENC[AES256_GCM,data:bnSjKRY6HlmOyhjyuJLH8Xqzzpm7NgZI5g==,iv:RYlg83PqV2DIQHa5FoD6ls/utVjuSwmrv56N6Lrtn8s=,tag:hC6e9d5/EH9V7kG23XblEQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCdm1lejdSTm1PN1dsWHNJ
+            Nzc5aERNUlk5U0VoNWRzcVlMSXpqSEFmYkVNCkhqeHZrMng4WjEzcnBxdmtVUWlz
+            NXhiNFB6Ukc2eGRiNW96YVloQyt0ZW8KLS0tIFhjUVlITVVTcktCTzEzdUJzTmsy
+            UVhGc2VKeFJmS3RUY2YrR2FVVlVOcDAKsl+Fo16/3PpQ35aF4EBq5kjpyNxnZfip
+            1sfq1ppUfg6QRRICWtxUyXLS898BVusW8cMft6k9JbgZfQnc9YUSBg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMTZhdm1mVXhWdlNJVytR
+            Z3ROLzNnZHUvMXRUcCtPeFFBRWJxY3lyRWljCkErdXAxc3ZETFMxd3ZCRHJPY2JU
+            N1YxL0VJZ1M0eUdEblhrTDd2VWNNRVUKLS0tIFRBTGNKUDUxaDdGK2x4aWIxMm9i
+            Zit1QTdRTjVNdjhFYklEUVlsQjZCM2cKtutM+au5vNF0x9ZP9Cg4pMUGsScIMRFU
+            KYrBHGW+VfEDpr534X8FXe1Uox70U+HPoT/mEm4RF575ssbTSoW0Hg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-05T19:01:07Z"
+    mac: ENC[AES256_GCM,data:Fz1ZwYR7cg+bcgNe/JZ2oEqhYihQWnCoy3J76VIPb089PNCXXp0xJ/eYjOoKlGK42z1wEO8hJ8FoaLvzuqhO0aatKpHDx0bBos8YqZYuGAuW115AdK5m6ecby7yi5lBIBpXOv1sU8uOtdBR32UPFAQ9oQf0KleWju47phF43v9o=,iv:Lbu5eLKfEnrehSY1+r0z75pZnNDNEVSmrEaJRDpDTU4=,tag:TLdtQTNbo0dxlpV9ZPm+uQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

magpie/secrets/borgbase_ssh_key.yaml

@@ -0,0 +1,30 @@
+borgbase_ssh_key: ENC[AES256_GCM,data:W/aAQPSaPxGPeY50arJr50OWZjN+RJt9Y4MlpPNtw3KT2y+fUuMpNAjMuGd+3mzA2bs9YpE2WlgJ7KO5XPH7M36tSI+K2pcnjX1NMl8giJ952iCsqW4siij64JguK/gUi3GAe3LXHTjr3VgubSdqVd25k0bys+GiMfsHXXGD6tinKmEheis6XgfcChrvyYgQ4DKPW4HOHC4/V6roXaK+GTe+qY0BdzM27cDHc3a85cuHAAeDnYdNfdRAItI3KmDCx8edeBwt4vonR/v9AaDRH2PjZWq583Rlqoa8TQvQi0+yWf6O6MikHQlP1GoYCe5iI+rOF6KTseDjS2aoLZ+mXNxVmmOVdZrq1vx0UpsbJWRZE+1UluQwdrEm1mLMrI4Z2wFNfzjg9rOiJ36AL1YdcXtI0RHLYp8r92Qt3IFVwcC1NT/AWJkFOGr5z0PX0w+mi4J+f1wDvVguXp2KaguB2XAJbnpgQQ2ZqYv0gTkBLZ/RAOyQgaMaESCfJBWXE3DESMOspj4AYUsjQiaxmF13,iv:ph++5hCX3DzqwCoObz73/Xn0qy/+Za5+DI/EVsc67yY=,tag:0VkALd0j3D6yA7jCE7vogg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydXE0RXhGU0tsbnRTU0pw
+            THZBNngvUEwwMGVTQ3dscCtKMnVCb1pSSzN3CkVzNS9UY3dqYWRDOENTaFhadFcz
+            MGlibCt5Q3ppelVQU1AyM0wvTm1zMXMKLS0tIHNGM291dE5lb2pwTDFWbWtiUFNp
+            Y1ZoSG43TFd0WktKY3lUM3Y0RHJHZVkK0/sD5M54XiQzkSMlDHPkSVMypoxdhU/f
+            0nUWA20s6IU63Oqn0j7rGwV6S5j+fZCBzF4kSi8JLJb0619G2++M5g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiem5ZRE1oRU1hWENzc2sv
+            dkg4czhVeVNJQllnWG9vYnptL1FhZy9zc0hBClhLRzQxNlhQUEVUcnZDYlZqTWYx
+            eDQzV2ozbkd6ZWVZNWkxOXhBV0JNR00KLS0tIFQ4d29OQzhoWTl0Z3BrOURTSktU
+            SHZNdFhmS3ZQMnhzMDJWMTl4cXNudFEKhgbRW+6xqGhkTtr4h4JzPxZnGKqr4jcX
+            BABLTgzqvM+JvBzmUcYjuagVcLpWsQcNWBaYFBJBMhP8oOgF2dVBcQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-05T20:03:21Z"
+    mac: ENC[AES256_GCM,data:YpXUK6UNKpdudVZ+YManWreHufFzw9XbF1cBYutdAaTdqhlzPErpuOmEKLuMA7nr7SQkLK4pu1Eg0P5CA3QXsh0VUHMTiFWxNz7KZeoYAkacK9WzutEldsMG4iVlKmGHhQApSNW4kfPBKs1TgYyZdndBHEdILcoLDxke8kfkoVU=,iv:rpNeNTfXoMpScSfyrY7uK9ZkKasJGVAhgiMoe0XyJFo=,tag:Rl4Ya+iq0BvMSM/J0wySnQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

magpie/secrets/gitea_db.yaml

@@ -8,11 +8,20 @@ sops:
         - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZ3l1UTRDMFVlM01TR1dW
-            VzNnRXpuc0R0d3BpVzZveHRrdHRTTVRXNWpnCjVqNittd3BiZ0d3YXVQUXBpWExU
-            cGdkSmVtOHJBN3FEdDVCeTVjUllHc0EKLS0tIG5TQlpIQXhNNmJiR0Y3L1p3SVpG
-            ZnlvRDRUam5MaFdZcGgyZlJSZzMvVWcKxiwENpP7qlF0Uy7DJM0WwLFQ0h+ost5T
-            BCsZtGP61Z2WcQq0EWYLqJItR2Tk3AXox014CJAm+G/G8PMTAKv0xw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUXAraFhvN0NLeHhKWGJt
+            c2ttRGljUzZiN2ZJeWpTdVRzNCtzL0pqdHhnCmJvek9YNkF4UTd1ZEFSaDBJR1Jz
+            ZkUwTFNEYkhmbS9DVUJ0cTNrTVR5TlkKLS0tIFdscFJCaTJjYXFPcVZXUXBPS2ph
+            bERTT1dsaStRQnRvb1VnV2lTdGNQd0UK3dXTtGkfxq7oLzDrxFomE0oAjgZo+7H7
+            SVVxKy/caewOXbI3R/CHxuaYb0fDDlyIX/zqxqkSaXUIh4rsIT46xw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCOFFtQUptR2xIcW5FS3JR
+            aUdLbGRJeU4rbFFVcU9HVVdYL293WXY0L3hvCmpPN1BnRDlZNDhOT25zVFRjaGE1
+            TThWQUVDOG5YOGtlRmU1T1pZZ1dxTHcKLS0tIHZSUTBDbFN5eXZPMHZvZ2UwMFJu
+            cjhmWGJIUEhZQjNXN3J6ZTk1aE1jZHMKjiwLd6gHiLJx63AIzM17C3RaEBbCFIyI
+            ppLWEw8cm53hvjCuxsY8jJ/5kHD+25Pw2NMAD5PKt8SjrJzrJcOtMA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-10-17T21:16:10Z"
     mac: ENC[AES256_GCM,data:EPiLv8IzVXqRan9UlBuA3TmxtB3f4Qj4owed+1Pat9Tih1yOe4Z9RT28JIYJQ70R/IK+Yi0NQem9Ec6HU+8kaxLE3fff/4PM+B9QQbB6fjgLFod/nFk+OuWgR7FTcJ2j16OnlxE5ikCP+qdfvAM0eEv+BoDrWv98gSyCXtMCe48=,iv:th0E7zioz7gtgMlns8kvnf5hmlRH0KX65wPxBi3YP6Y=,tag:JhoGvF8LJmrAQpUOEopohA==,type:str]

magpie/secrets/gitea_mail_pw_hash.yaml

@@ -8,11 +8,20 @@ sops:
         - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCT2VyNWxUeUZ5aDdHcXJR
-            WGJVOGgyeC83MEV4REpGZkRUcVJKZDBqYmtjCllQdFhyRWNiTURYQmpucndFWDlr
-            WUFybGtmckNBdXYzMVZxT3lQM1k3aTgKLS0tIEpNZjU1RkpSOVo3Y1ovR0lmbHJu
-            bENVWmpCcTVqMDh2Wjhob2I2VzRRblkKPGCV1gRyihDCStM4tmvp89d996v1UzdJ
-            /NyK49//+uJJqwCEWuvHWWCB+EbkkOE6gPPKXZyXZSTbb/TDDcVF/Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrL2YxU2VhNTArQ0QwYzlU
+            Z0NSRm5KRU8xRmZCT1E1N09KY2Vob0lsQ2k0CktqTlZnaUVNaEhpT3BkOGNmN2cv
+            Z0JoaFFTTzBwNzVmcHNOeXdwVzdQOTQKLS0tIDluazF6RXA0MVYvY2dRRGkxMGRk
+            UEltOVNQdElpRGJVVlpoTVV2bU5rSncKoSGq75dVH7j/hSnqdjgWJyDgg0doEr6K
+            anD9sghKSX0afZmVJFOCXZ+lRYi7kmRbqFNBkkuuFndERtbN/5foXw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNW9UcERVditoUE1DVUsw
+            WmxtbVNHeVpQS0g2WENJWTVJeHNUMU4yZEVNCnNrSnFnU2hUckxlYjJMYk5CTW9j
+            eU9mU1F4WlY1NWdLU0VxaDVtZWduaXcKLS0tIExtRHJkbFBKTWRjSGZOWGc1U0FF
+            ZjJkY0FpQnhCazVVVG1DOUZsQ2lXYzgK3UWDBu/Aq7n6CQiRF4NOQdSD4nfU2Gm2
+            Tlzyou5rj/rSAv5J7ENsDAzKtK6e5+Xe7acUDY+4Rye82vDxyoblaQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-10-14T21:21:12Z"
     mac: ENC[AES256_GCM,data:NE9btXZKE3KJmxtWc0Ytb0atfBJKRs5T+Xk9RDFX6veSGBoB+M2+YMCONQdr8T2w6lLJqlrMBHqlfuvD3YnDj041xZmfSsi9NACliWj6GWVWcFWWc6W9OVH8/5CfwjYBdgTJ2o7wdnF9fYHvwMRcaHThDmoUkaExVtVsyu912og=,iv:kyekfEq32GSKVNKy8MJYfT5ZMKNSRQUk1viB2W6k29U=,tag:7ie/2P/F3bPQXpkWGKqTfA==,type:str]

magpie/secrets/miniflux.yaml

@@ -8,11 +8,20 @@ sops:
         - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZ1d3aGhud0UyOVV6Vzcw
-            Q3Q2OVRQOEpXUk1TK2dOOEZtKzNlUkJGZHh3CmJwYnRpWFhJWHZXQ2I1TnhKWDRx
-            MGlrbXJoQTVPcUFBa0gvME95OVlxWkEKLS0tIHNZWWRwWUJPV3o3REpENzdMYkVk
-            Y1V5SXhCUllDWGhjK3JzWDRKQU9hMmMKuVmn6OAy2q/mpBKqUhl1qfpnPvFOd72c
-            /jMqnxClGSVXjJ5qdvcXCfLeYwT8vnhViNZmjE1ebRosE5YupvrjUg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0K0ZNSWEweUNTbm5KZE5y
+            M3ZlbTdBc1RheHFNbGpxZllRdi9tMXVJaEFJCmdQdWh6cks5L3JFclJYWmlkYmVv
+            WDA2YXhiN3ovL1V0ZlJjbmluSm5tbGMKLS0tIG1QRnoxMHBQeGtLekRSRVVMNWdP
+            R1BuNDZVNzNaTmVvZm9EMy9ld0V4U1UKFjPcFiuhjwCChJKGQbIPFsHwl9oE7S+g
+            Utne4LrODAa3wj8TX3vgfRTBrljJmt+OwQJxRfTtq2ocyzR9rNUI+w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNFAvaUlyeHA3Mnluam1G
+            dmtIWHU2R2pRV2E3NTVKV1NOTHRSYjVhQVRVCnR4OENHZGYzVE9UdlJBTjdxblIz
+            Q0MxN3gyeTJhNTdORFk0SDdycVFrWjAKLS0tIEc5c0RMNjdLSTNKWExsVmlQUGx5
+            RFp0dWJXOVVvSGlhZ1pPbGRBWmt2S0UKTwkFwYaTr5jNuQTlqR/1ud8ITKGIbNiM
+            myAf39EHCP6cQQ0fjtx2ihy56m9xoK35Aj7h3w0fadONWtCNnhuH2A==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-10-13T11:17:33Z"
     mac: ENC[AES256_GCM,data:CpzC0H2Rfvl7F9tXCJ0WwkhE4Ba7eOIl1QMh1DHP8YQ9rChzAE8S5SXXuJA0jcmVY6NPfZ7zl8VEBepE+LHCq2UdSkAefawLeM6HwNfedP8N+zheqlyCZ8Os48628aHYN0PVI+/dMvpWWcfl+CFaH1mm4c+KYedCIsS9ZEYi9N8=,iv:EbF58pxbtHxPTAgs4dbZ31qyRT3QJ1kQoUShbLE11FY=,tag:FNF/OzS2SL3FweFw0RcRLQ==,type:str]

magpie/secrets/nextcloud_admin.yaml

@@ -8,11 +8,20 @@ sops:
         - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUnQ3SDAyRTUxUDF0dDhY
-            K3JmQWlYRVJtdEFac0J4U0RGKzZGNXJmUEg4CmtBSW9yNGZScXhKdnhZWkxIamFW
-            YXEzbGhwR2F3dDJGdzljZUZBeERhU1kKLS0tIGlXZUhsdnI4ell5R3ZZbjZ0NCtO
-            TUpkZmxBNzZ1UUY1dGRud2hycGUyZW8KFUGikaFQjFfmn068qex2tpGbRHIbmS3l
-            27lqo8+eRFnq0nw8H/1yRMi8IghR0+XK68T49hlt0VLS9LZJG1aPag==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHYVVnM0xOVzJ5OFZsYlZL
+            SThvVkNBdzJoVkZ3ZFBMYVlTNjQwNUxuaVFjCjBhUFRSaGZ6TEh4ellSdS9Uc3FP
+            cGJaanNUci9JMDZISXljM1lSREZaZGcKLS0tIFhJOGVIM3Bub3J0WWVMNDlqY3da
+            RmVCdEpoUjJGTDYzczNnOWRRTTE3WmcKnRV787F3yBJgSDEhHW1+sAFcyvH+OMQf
+            N7er4Wd9Tqi3IJ/lR2Z7Gwn1Dfm5kMHk+hxzPlmdpaGr42ZJNPmNVw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZmFFRXU5NnlGRit6K1ov
+            TmR0K05uY2hva3liaDdGNmhST3dWTGdZb1EwCkpsQ3o1ZWloaUdFR3NpbS9uKzE5
+            S0ZRRmkxbkJnMFN6SzhzUFo1M3NnTnMKLS0tIE84aFdJS3E4eWw3SG1JeXJwRWd2
+            RWp5ZUtUNzJ4OWswWmhXWjRkZkpzWEUKj23XymHvh+nh3HiPD+erv2GZNNpUZKp6
+            s0KJSkGuIuILf3kfgp23jXNSFLMEtWwlSh5EP02g2EIHzUg2kLKNpQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-10-17T23:08:24Z"
     mac: ENC[AES256_GCM,data:fb9cOL4Q+q5uarmXtXNlpRmWgv/Ao1MqwwH2V2CQxEiP8zFyFBZs2435vdcLzrQrnBXz0JLVu4g10SH2T4dpYFP42teIkrgmneecjjcM+UOsBsGsrxlpHMha1t/ERRhBA7uJze5/kwHqry6eruWehRTu65QF1qBTql3m6ipjCeY=,iv:a7aFuTCcRCIDERlrj/9dFCF7VgCDDakfPteQimHV3lc=,tag:4mwrDHaQWA4EU0AgtgZaMg==,type:str]

magpie/secrets/wg_privkey.yaml

@@ -0,0 +1,30 @@
+wg_privkey: ENC[AES256_GCM,data:TnUTZheznQqnyK59qdLmAcuVr9JICWlNVtPF1qRMDPbBblD0ALn10qbEC7M=,iv:83fum5iYUrw08XJ0s7RE+/WDGeVjVswPlptzQjWOjeQ=,tag:YhQlmilbnrpRxcUb6rzfHg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUFplcGZMWGhrS2NsRUZF
+            WnltcCsvS0VaV29RbTdDK1UveDJwdlBXbTBJCkVaekVUWFVSVkZ5UjUwaWMxU3h0
+            eEtOQUR2VkF6RUtLYVBNalJPV3YzWWsKLS0tIDNGek4veStoa011VUV2Z3ZSUVpq
+            ZWlYQ2x6a3ROdlYzc3E1WjRhN3F1QUUKwaJruHMCoWtgvep0fI00helDZh8WVrsh
+            MV5IaEH5xapid5HHw9bLkjeeVKcT1fo7LCovouv+G5NTjvVzsMyLhw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRWdQeWxUUlJaRndzcVln
+            ck5USkpzdDJpSWJTNDZJWVBMQnl0QnVvTDF3Clg2SEY3eDdqS0Y5ei8vUlk0dTli
+            bTYycFYyMjcxdmtpc1IybXBxN2RORm8KLS0tIHlHaEJLMnRTQ20yN2RrRnNqMzk0
+            ZVlSb1FHVVJhb0IyaHJiQlpHRjNyMDAKNQ8VzdC3s43YcZk6UQjyA1GX69x/znhE
+            ZaFkMfNX6CgxfjKRW2rhXrJi+txdhmQ0CfpfWDr3zp3XVuMq942M1Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-04T19:04:00Z"
+    mac: ENC[AES256_GCM,data:qYNlokRd1lQnOwNNVbV4PwdYeybIRNrxDKX4RPfHJxvQGHBmISzd52JCnCe7zJ14FP/bSNhQqfuxyjdxid/DVPUvkHP+HlaKUR0SLv6c91ORDoaMRC93hrPXypRGplFSbSjnd3dME43ll3oH8fLe4lP9z9KhGS2lRMdduptfWvg=,iv:/j6OOT1dK94vrPOk1Lbcca8KeWvoD+ZaHoH6nMMo0y8=,tag:syHuBVkhOCJ8JCONKkqFkg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

magpie/wg_pubkey

@@ -0,0 +1 @@
+xhjJdIXtTBNhtSoehsi6p+znIgOfMRetl5/wtnMxJGk=

mediabox/configuration.nix

@@ -1,20 +1,24 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+{ config
+, nvim
+, pkgs
+, system
+, zremap
+, ...
+}:
+let
+  USER = "akill";
+in
 {
-  config,
-  pkgs,
-  lib,
-  sops-nix,
-  zremap,
-  ...
-}: {
-  imports = [];
+  imports = [ ];
 
   system.stateVersion = "23.05";
   system.autoUpgrade.enable = false;
+  system.switch = {
+    enable = true;
+    enableNg = true;
+  };
 
-  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.secrets."peerix/private" = {
     sopsFile = ./secrets/peerix.yaml;
     mode = "0400";
@@ -22,48 +26,88 @@
     group = config.users.users.nobody.group;
   };
 
+  sops.secrets."wg_privkey" = {
+    sopsFile = ./secrets/wg_privkey.yaml;
+  };
+
+  sops.secrets."wg_preshared/mediabox" = {
+    sopsFile = ../common/secrets/wg_preshared.yaml;
+  };
+
   nix = {
     optimise.automatic = true;
     gc.automatic = true;
     gc.options = "--delete-older-than 7d";
-    package = pkgs.nixUnstable;
+    package = pkgs.nixVersions.latest;
     settings = {
-      experimental-features = ["nix-command" "flakes"];
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+      trusted-users = [ "akill" "root" ];
     };
   };
 
   boot = {
-    initrd.compressor = "zstd";
-    kernelModules = ["acpi_call"];
+    initrd = {
+      compressor = "zstd";
+      availableKernelModules = [ "e1000e" ];
+      network = {
+        enable = true;
+        udhcpc.enable = true;
+        ssh = {
+          enable = true;
+          hostKeys = [ /etc/ssh_dummy_ed25519_key ];
+          authorizedKeys = [ (builtins.readFile ../nixy/ssh_pubkey) ];
+        };
+      };
+    };
+
+    kernelModules = [ "acpi_call" ];
     kernelPackages = pkgs.linuxPackages_latest;
-    kernelParams = ["msr.allow_writes=on"];
+    kernelParams = [ "msr.allow_writes=on" ];
+    kernel.sysctl = {
+      "net.core.default_qdisc" = "fq";
+      "net.ipv4.tcp_congestion_control" = "bbr";
+    };
     loader.systemd-boot = {
       editor = false;
       enable = true;
       memtest86.enable = true;
     };
     readOnlyNixStore = true;
-    supportedFilesystems = ["btrfs"];
+    supportedFilesystems = [ "btrfs" ];
     tmp.useTmpfs = true;
   };
 
   security = {
     rtkit.enable = true;
-    acme = {
-      acceptTerms = true;
-      defaults.email = "aasmir@gmx.com";
-    };
+    allowSimultaneousMultithreading = true;
+    sudo.enable = true;
+    doas.enable = true;
+    doas.extraRules = [
+      {
+        users = [ USER ];
+        keepEnv = true;
+        persist = true;
+      }
+    ];
   };
 
   powerManagement = {
     enable = true;
-    cpuFreqGovernor = "ondemand";
   };
 
   networking = {
+    nftables.enable = true;
     firewall = {
       enable = true;
-      allowedTCPPorts = [80 443];
+      allowedTCPPorts = [
+        80
+        443
+        51820
+        8020
+      ];
     };
 
     hostName = "mediabox";
@@ -71,23 +115,45 @@
     interfaces.wlp3s0.useDHCP = false;
     useDHCP = false;
     wireless.enable = false;
-    wireless.interfaces = ["wlp3s0"];
-    nameservers = ["127.0.0.1" "::1"];
+    wireless.interfaces = [ "wlp3s0" ];
+    nameservers = [
+      "127.0.0.1"
+      "::1"
+    ];
     dhcpcd.extraConfig = "nohook resolv.conf";
-    networkmanager.dns = "none";
+
     extraHosts = ''
       192.168.1.173 nixy.lan
       192.168.88.171 jellyfin.mediabox.lan
+      192.168.88.171 jellyseerr.mediabox.lan
       192.168.88.171 mediabox.lan
       192.168.88.171 qbittorrent.mediabox.lan
       192.168.88.1   router.lan
       192.168.88.231 workstation.lan
+      192.168.88.121 ender.lan
     '';
+
+    wireguard.interfaces = {
+      wg0 = {
+        ips = [ "10.100.0.5/24" ];
+        privateKeyFile = config.sops.secrets."wg_privkey".path;
+        peers = [
+          {
+            publicKey = builtins.readFile ../magpie/wg_pubkey;
+            presharedKeyFile = config.sops.secrets."wg_preshared/mediabox".path;
+            allowedIPs = [ "10.100.0.0/24" ];
+            endpoint = "5.75.229.224:51820";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
   };
 
   time.timeZone = "Europe/Sarajevo";
 
   nixpkgs.config.allowUnfree = true;
+  nixpkgs.overlays = [ nvim.overlays.${system}.overlay ];
   environment = {
     homeBinInPath = true;
     variables = {
@@ -95,81 +161,82 @@
     };
   };
 
-  programs.gnupg.agent = {
-    enable = true;
-    enableSSHSupport = true;
+  programs = {
+    steam = {
+      enable = true;
+      remotePlay.openFirewall = true;
+      dedicatedServer.openFirewall = false;
+      localNetworkGameTransfers.openFirewall = true;
+    };
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+    appimage = {
+      enable = true;
+      binfmt = true;
+    };
+    nix-ld = {
+      enable = false;
+      libraries = with pkgs; [
+        stdenv.cc.cc.lib
+        zlib
+      ];
+    };
+    zsh.enable = true;
+    firejail.enable = true;
   };
-  programs.zsh.enable = true;
-  programs.light.enable = true;
-  programs.firejail.enable = true;
-  programs.adb.enable = false;
-  programs.wireshark.enable = true;
-  programs.sway.enable = true;
 
   # List services that you want to enable:
   systemd = {
     services = {
-      "macchanger-wireless" = {
-        after = ["sys-subsystem-net-devices-wlp3s0.device"];
-        before = ["network-pre.target"];
-        bindsTo = ["sys-subsystem-net-devices-wlp3s0.device"];
-        description = "Changes MAC of my wireless interface for privacy reasons";
-        stopIfChanged = false;
-        wantedBy = ["multi-user.target"];
-        wants = ["network-pre.target"];
-        script = ''
-          ${pkgs.macchanger}/bin/macchanger -e wlp3s0 || true
-        '';
-        serviceConfig.Type = "oneshot";
-      };
-
-      "zremap" = {
-        description = "Intercepts keyboard udev events";
-        wants = ["systemd-udevd.service"];
-        wantedBy = ["multi-user.target"];
+      "zremap@" = {
+        enable = true;
+        restartIfChanged = true;
         serviceConfig.Nice = -20;
-        script = ''
-          sleep 1
-          ${zremap.defaultPackage.x86_64-linux}/bin/zremap \
-          /dev/input/by-path/platform-i8042-serio-0-event-kbd
-        '';
+        unitConfig = {
+          Description = "zremap on %I";
+          ConditionPathExists = "%I";
+        };
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
+        };
       };
 
       "wakeonlan" = {
         description = "Reenable wake on lan every boot";
-        after = ["network.target"];
+        after = [ "network.target" ];
         serviceConfig = {
           Type = "oneshot";
           ExecStart = "${pkgs.ethtool}/sbin/ethtool -s enp0s25 wol m";
         };
-        wantedBy = ["default.target" "suspend.target" "shutdown.target"];
+        wantedBy = [
+          "default.target"
+          "suspend.target"
+          "shutdown.target"
+        ];
       };
-
-      /*
-      "cpu_setting" = {
-        description = "Enable turboot boost and undervolt cpu after suspend";
-        wantedBy = ["post-resume.target" "multi-user.target"];
-        after = ["post-resume.target"];
-        script = ''
-                 echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
-                 echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
-          ${pkgs.undervolt}/bin/undervolt --core -105 --cache -105 --uncore -105 --gpu -15 -p1 47 28 -p2 57 0.0025
-        '';
-        serviceConfig.Type = "oneshot";
-      };
-      */
     };
+
+    coredump.enable = false;
+    extraConfig = ''
+      DefaultTimeoutStartSec=30s
+      DefaultTimeoutStopSec=30s
+    '';
   };
 
   services = {
     acpid.enable = true;
     btrfs.autoScrub.enable = true;
     dbus.enable = true;
+    dbus.implementation = "broker";
+    envfs.enable = true;
     fstrim.enable = true;
     fwupd.enable = true;
     ntp.enable = true;
     openssh.enable = true;
-    restya-board.enable = false;
+    openssh.settings.PermitRootLogin = "yes";
     thinkfan.enable = false;
 
     xrdp = {
@@ -183,13 +250,13 @@
     };
 
     jellyfin = {
-      enable = true;
+      enable = false;
       user = "akill";
       openFirewall = true;
     };
 
     jellyseerr = {
-      enable = true;
+      enable = false;
       openFirewall = true;
     };
 
@@ -200,130 +267,95 @@
       pulse.enable = true;
     };
 
-    deluge = {
+    avahi = {
       enable = false;
-      user = "akill";
+      nssmdns4 = false;
       openFirewall = true;
-      dataDir = "/home/akill/.config/deluge";
-      web = {
-        enable = true;
-        openFirewall = false;
-      };
-      config = {
-        download_location = "/media";
-        allow_remote = true;
-        daemon_port = 58846;
-      };
-    };
-
-    transmission = {
-      enable = false;
-      openFirewall = true;
-      settings = {
-        rpc-whitelist = "192.168.88.*";
-        download-dir = "/media";
-      };
-    };
-
-    qbittorrent = {
-      enable = true;
-      user = "akill";
-      openFirewall = true;
-      dataDir = "/home/akill/.config/qbittorrent";
-      port = 8081;
-    };
-
-    nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-
-      virtualHosts."deluge.mediabox.lan" = {
-        locations."/".proxyPass = "http://localhost:8112/";
-      };
-      virtualHosts."qbittorrent.mediabox.lan" = {
-        locations."/".proxyPass = "http://localhost:8081/";
-      };
-      virtualHosts."jellyfin.mediabox.lan" = {
-        locations."/".proxyPass = "http://localhost:8096/";
-      };
-      virtualHosts."jellyseerr.mediabox.lan" = {
-        locations."/".proxyPass = "http://localhost:5055/";
-      };
     };
 
+    libinput.enable = true;
     xserver = {
       enable = true;
-      libinput.enable = true;
+      dpi = 144;
       desktopManager.xterm.enable = false;
-      displayManager.lightdm.enable = false;
-      displayManager.defaultSession = "none+icewm";
-      windowManager.icewm.enable = true;
+      desktopManager.plasma5.bigscreen.enable = true;
+      #desktopManager.plasma6.enable = true;
+      displayManager = {
+        lightdm.enable = false;
+        startx.enable = true;
+        sddm.enable = true;
+        sddm.wayland.enable = true;
+      };
+      windowManager.i3.enable = false;
     };
 
-    udev.packages = [];
+    udev = {
+      packages = [ ];
+      extraRules = ''
+        #zremap on new keyboard
+        ACTION=="add", SUBSYSTEM=="input", ATTRS{phys}!="", KERNEL=="event[0-9]*", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}=="1", TAG+="systemd", ENV{SYSTEMD_WANTS}+="zremap@$env{DEVNAME}.service"
+      '';
+    };
 
     tlp = {
-      enable = true;
-      settings = {};
+      enable = false;
+    };
+
+    batteryNotifier = {
+      enable = false;
+      notifyCapacity = 20;
+      suspendCapacity = 10;
     };
 
     actkbd = {
       enable = true;
       bindings = [
         {
-          keys = [121];
-          events = ["key"];
-          command = "${pkgs.alsaUtils}/bin/amixer -q set Master toggle";
+          keys = [ 115 ];
+          events = [ "key" ];
+          command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+";
         }
+
         {
-          keys = [122];
-          events = ["key" "rep"];
-          command = "${pkgs.alsaUtils}/bin/amixer -q set Master ${config.sound.mediaKeys.volumeStep}- unmute";
+          keys = [ 114 ];
+          events = [
+            "key"
+            "rep"
+          ];
+          command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-";
         }
+
         {
-          keys = [123];
-          events = ["key" "rep"];
-          command = "${pkgs.alsaUtils}/bin/amixer -q set Master ${config.sound.mediaKeys.volumeStep}+ unmute";
+          keys = [ 113 ];
+          events = [
+            "key"
+            "rep"
+          ];
+          command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle";
         }
+
         {
-          keys = [224];
-          events = ["key"];
-          command = "/run/current-system/sw/bin/light -U 5";
+          keys = [ 224 ];
+          events = [ "key" ];
+          command = "${pkgs.light}/bin/light -U 5";
         }
+
         {
-          keys = [225];
-          events = ["key"];
-          command = "/run/current-system/sw/bin/light -A 5";
+          keys = [ 225 ];
+          events = [ "key" ];
+          command = "${pkgs.light}/bin/light -A 5";
         }
       ];
     };
 
-    mpd = {
-      musicDirectory = "/home/mpd/music";
-      enable = false;
-      extraConfig = ''
-        audio_output {
-          type "pulse"
-          name "pulsee srv"
-          server "127.0.0.1"
-        }
-      '';
-    };
-
-    batteryNotifier = {
-      enable = true;
-      notifyCapacity = 20;
-      suspendCapacity = 10;
-    };
-
     dnscrypt-proxy2 = {
       enable = true;
       settings = {
         ipv6_servers = true;
         require_dnssec = true;
+        require_nolog = true;
+        require_nofilter = true;
+        http3 = true;
 
         sources.public-resolvers = {
           urls = [
@@ -335,33 +367,62 @@
         };
       };
     };
+
+    journald.extraConfig = ''
+      SystemMaxUse=50M
+    '';
+
+    logind.extraConfig = ''
+      KillUserProcesses=yes
+    '';
+
   };
 
-  fonts.packages = with pkgs; [
-    dina-font
-    fira-code
-    fira-code-symbols
-    font-awesome
-    font-awesome_4
-    iosevka
-    jetbrains-mono
-    liberation_ttf
-    proggyfonts
-    siji
-  ];
+  fonts = {
+    fontconfig = {
+      cache32Bit = true;
+      allowBitmaps = true;
+      useEmbeddedBitmaps = true;
+      defaultFonts = {
+        monospace = [ "JetBrainsMono" ];
+      };
+    };
+
+    packages = with pkgs; [
+      dejavu_fonts
+      dina-font
+      fira-code
+      fira-code-symbols
+      font-awesome_6
+      inconsolata
+      iosevka
+      jetbrains-mono
+      liberation_ttf
+      libertine
+      noto-fonts
+      noto-fonts-cjk-sans
+      noto-fonts-color-emoji
+      noto-fonts-emoji
+      proggyfonts
+      siji
+      terminus_font
+      terminus_font_ttf
+      ubuntu_font_family
+      vistafonts
+    ];
+  };
 
   virtualisation = {
     podman = {
-      enable = true;
+      enable = false;
+      autoPrune.enable = true;
       dockerCompat = true;
     };
   };
 
-  sound.enable = true;
-
   hardware = {
     bluetooth = {
-      enable = false;
+      enable = true;
       settings = {
         General = {
           Enable = "Source,Sink,Media,Socket";
@@ -369,14 +430,9 @@
       };
     };
 
-    opengl = {
+    graphics = {
       enable = true;
-      driSupport = true;
-      driSupport32Bit = true;
-      extraPackages = with pkgs; [
-        intel-media-driver
-        vaapiIntel
-      ];
+      extraPackages = [ ];
     };
   };
 
@@ -385,21 +441,34 @@
     algorithm = "zstd";
   };
 
-  users.users.akill = {
+  users.users.${USER} = {
     isNormalUser = true;
     shell = pkgs.zsh;
-    extraGroups = ["wireshark" "wheel" "kvm" "tty" "audio" "sound" "adbusers" "transmission"];
+    extraGroups = [
+      "wheel"
+      "tty"
+      "audio"
+      "sound"
+    ];
+    openssh.authorizedKeys.keys = [
+      (builtins.readFile ../nixy/ssh_pubkey)
+    ];
   };
 
   users.users.ado = {
     isNormalUser = true;
     shell = pkgs.zsh;
-    extraGroups = ["wireshark" "wheel" "kvm" "tty" "audio" "sound" "adbusers" "transmission"];
+    extraGroups = [
+      "wheel"
+      "tty"
+      "audio"
+      "sound"
+    ];
   };
 
   users.users.mediauser = {
     isNormalUser = true;
     shell = pkgs.bash;
-    extraGroups = [];
+    extraGroups = [ ];
   };
 }

mediabox/hardware-configuration.nix

@@ -2,25 +2,35 @@
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
-  config,
   lib,
-  pkgs,
   modulesPath,
   ...
-}: {
+}:
+{
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = ["kvm-intel"];
-  boot.extraModulePackages = [];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ehci_pci"
+    "ahci"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/ae774285-60dc-4b08-ab26-8208e8f4e81e";
     fsType = "btrfs";
-    options = ["subvol=root" "compress=lzo" "noatime"];
+    options = [
+      "subvol=root"
+      "compress=lzo"
+      "noatime"
+    ];
   };
 
   boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/60aa7671-bfee-451b-b871-ac7c5a4a9f3a";
@@ -28,25 +38,41 @@
   fileSystems."/home" = {
     device = "/dev/disk/by-uuid/ae774285-60dc-4b08-ab26-8208e8f4e81e";
     fsType = "btrfs";
-    options = ["subvol=home" "compress=lzo" "noatime"];
+    options = [
+      "subvol=home"
+      "compress=lzo"
+      "noatime"
+    ];
   };
 
   fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/ae774285-60dc-4b08-ab26-8208e8f4e81e";
     fsType = "btrfs";
-    options = ["subvol=nix" "compress=lzo" "noatime"];
+    options = [
+      "subvol=nix"
+      "compress=lzo"
+      "noatime"
+    ];
   };
 
   fileSystems."/persist" = {
     device = "/dev/disk/by-uuid/ae774285-60dc-4b08-ab26-8208e8f4e81e";
     fsType = "btrfs";
-    options = ["subvol=persist" "compress=lzo" "noatime"];
+    options = [
+      "subvol=persist"
+      "compress=lzo"
+      "noatime"
+    ];
   };
 
   fileSystems."/var/log" = {
     device = "/dev/disk/by-uuid/ae774285-60dc-4b08-ab26-8208e8f4e81e";
     fsType = "btrfs";
-    options = ["subvol=log" "compress=lzo" "noatime"];
+    options = [
+      "subvol=log"
+      "compress=lzo"
+      "noatime"
+    ];
     neededForBoot = true;
   };
 
@@ -56,7 +82,7 @@
   };
 
   swapDevices = [
-    {device = "/dev/disk/by-uuid/7b44ab02-84ff-4ffd-be26-58247cf5a982";}
+    { device = "/dev/disk/by-uuid/7b44ab02-84ff-4ffd-be26-58247cf5a982"; }
   ];
 
   hardware.cpu.intel.updateMicrocode = true;

mediabox/secrets/peerix.yaml

@@ -6,32 +6,23 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+        - recipient: age19yrl6pr73cv067ksfz0txp3zm2au25jfyjeerw23ml55ps5cyyfqtm3kmt
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMkdLVEFQMVk1allhK2hL
-            NXFXc254SmhxK0lFWTd1SUorUGQ0VEJPcXo4ClNYSkhJbnVjUjdFOGtoWFV2VWZC
-            NmpaRDVhWnRQUmVDWS9WU2pTVlBEQ1EKLS0tIFAydU9aYXJnd1NnRzU2YXpXM1Vq
-            VWhhbkZTT1kwTEl5VEVWR1A2aW5OUDgKiYcj5Yo42RjQeo1UeUTBV8YBNYL8ccLW
-            bQ1655MU/q3LQh14lqwbsOfmGjPc9H0ECltm+V+kNPTRi76qFhcodg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Zmc0c1AxMVEzdi94L0Nh
+            dHJFSHVSbG1vay9NUDBEVkM4ZWNoT3h4Q1c0CkhWdWVzTEJxZENZYXVFT2RhV3pT
+            aDZIUUdWVUVRUDc4ZEFDTkdnaDJxdVkKLS0tIDd6TE56REdjRVdtSXB1dkJrVVNj
+            dUxhRnB4dVFRam9xNlFiY2VOSXpNamcKNzRghHeyPtltKH4GkJQ0ef4apr5gziq9
+            dhXy6Qil48QJd4hnyr7GW1n7eRIq24OWO3WglLbVAUSQr/gzM2TWiA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1eGJCRlhHbk1JQWl2RllZ
-            R3hkVGtIamJzZlVLazUrVEJnNmU3Z0tLMG5RClp2Z01Fc1p5QzFhUWNzU2NpU0Zo
-            aTRPMFhPYlA4VmZNUWFsWHZRMUxyaTQKLS0tIG51TW9JRW12RzVmdWpZY3FaVnBR
-            UTZ2YWdQVjRTTUxPUWVwbHI4aklITmMKZQnfJs01D4FX+MF6oU0FmWYQ4reB/X/k
-            Lat8FrqerqaCYqYmAKe3HWBR6HEVm0U7I7jkVuoROMqz3uci+5HWbQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age19yrl6pr73cv067ksfz0txp3zm2au25jfyjeerw23ml55ps5cyyfqtm3kmt
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNTNhaFVzaWFoTU9GdEZD
-            Z0JWQlFXc3N3SnAwR09YUmIxZlpvNllmU2tnCkFtVlRXMGV2d1V4S0ZxNlRiVzlC
-            N3dHSFM2eG02UVQrdGR0SnhUMitvelkKLS0tIFpvQUlIZ05HK3F0a2FkKy9EOURY
-            YzUwa2s0eTliSmxtajdjYmFsOSs2T1kKg08c1uB0swRSo0R6s6hup5JBfkrCKoxf
-            SjwBAZtjNhr3hrLy1eoo/dpYG6oAkEs3GvaaZ02ldT872dxZvg6r+g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMjVQZkVVQmZFbCt3Z2ZI
+            Q3NVZUJ0VkZjK0E5SFpqWE50c2dOeFNsUm1jCmdDZGxZYk13emhhanRzWjhvZFM1
+            UWNpNm5malkrU1Rkak9PNWk2bW5nRDQKLS0tIE9UdXg4L0hMRzJuUERIMytvc2pr
+            Y1BBZFJseUNIeTVtTjBGazk5WE1ZcUUKs9pEtDbCYRfSP0Rh9ENo9A6nUFkYHr4D
+            3DvOKSyLL33FBoEddDBd7Si1mpjY2bunueBAe+diDgOrol6tWIMoUw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-09-30T14:18:57Z"
     mac: ENC[AES256_GCM,data:R0TJ/7uihpsCHwPLXFYKi+ZaEUtbZVz02utDF7vO7gYDN1MFa0c5nZ/mAnJJtTJI41GdAu9ezTUiU6H1HTHLxYMeUoNAAvNlSCkvGc/oMQofXidL34hq1X2vG05N3UQlkbAXTlCBkYc20oVVOVmT/lq7USEx29oB/ytxZzKYFvM=,iv:qpz0g+O4kwChct1ddiT3D8rZBg08YUr4Ba5pJ4WQyzo=,tag:pWLFiQWl1QSzveBxnq4uXw==,type:str]

mediabox/secrets/wg_privkey.yaml

@@ -0,0 +1,30 @@
+wg_privkey: ENC[AES256_GCM,data:ovAxwZEcmRzt/zb42ortPwPyREC16E5YNfDBguZK7uByR4BgJi8kNeoG+GY=,iv:Cv50+JB5S+44U3L9od4zwrEKHi/LM38LnA94DkvCer4=,tag:ehKQrqWwA6daxc2yASDWNQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19yrl6pr73cv067ksfz0txp3zm2au25jfyjeerw23ml55ps5cyyfqtm3kmt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSGxudng1enhDa281S0pm
+            Q0kwQmc1T2hUK0dHd3B4cUh3RzZPZ1dGaXo4CkdPMzNnQWMyYjJiUWk4WEYyODFp
+            b2FTbnZwMHh6SHhIcjVNbnBKSVk3TWMKLS0tIFBZOW56K2Y5Q3I4dmh5dXBieEF2
+            SWQwcmkzQU5aeEliS29QN3Y0V04zNU0KF0WmF8BDvZ2DyJFztKJv8YmDuqVsAoO4
+            QEVLwrJDurRxcNIVGLs5W+60Osa5XMpNc74e23rU7mucB5wPA/84dg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMUtUYyswV3czWDdXWG1x
+            cnh5QTZpdlBZYlZ2b2oweXJ5SkZSQldhQmpZCmFrQVlyYnNqZ01kVTVNQTlBRFNR
+            WDlITEJOUFZGa0U2NG8xMGpkSnNOQTAKLS0tIDNlK0dxWnB3a3dkTnRmTm5oTlFD
+            eGV1VE1tL1c0a3hUdXM2bExmV1l3RnMK8aOugY3XHTCfeBDJVOyGljuuu6hQGJ7W
+            ZGoxOz+hhYIHj/04J9DIIOUyt81m8LNCbxcacFKyW7Sqosfj+7N7Gg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-14T19:25:26Z"
+    mac: ENC[AES256_GCM,data:vcyglyYG93K3KBISpIESGlNCs5ojWZAL0gyDUzBNCxG5H8RKEz1Y7yOtr5EXnnP66qcBHlKhb81Iyrc071pmJL9dIttiqmvjSWf0zZ9RuV0uYcO/42cqk3J4tBJ6iYCi64y58jifDObbRni6jiGVEGEkSk8cXFqR8UXoSTeXWtU=,iv:avpWr8SeHK1VHz9XhkO7Nd7VOfMP7JXcQaXJA8Xiuhs=,tag:ixJsw/snZEWXGhdPLU1cGg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

mediabox/wg_pubkey

@@ -0,0 +1 @@
+S+tL/pTm4D7bsWj/dhpPXHYxcye/DuNMguLD5l1ACEU=

modules/nextcloud.nix

@@ -2,7 +2,8 @@
   config,
   pkgs,
   ...
-}: {
+}:
+{
   # Enable Nginx
   services.nginx = {
     enable = true;
@@ -61,7 +62,7 @@
     enable = true;
 
     # Ensure the database, user, and permissions always exist
-    ensureDatabases = ["nextcloud"];
+    ensureDatabases = [ "nextcloud" ];
     ensureUsers = [
       {
         name = "nextcloud";
@@ -72,7 +73,7 @@
 
   # Ensure that postgres is running before running the setup
   systemd.services."nextcloud-setup" = {
-    requires = ["postgresql.service"];
-    after = ["postgresql.service"];
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
   };
 }

modules/qbittorrent.nix

@@ -4,11 +4,13 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.services.qbittorrent;
   configDir = "${cfg.dataDir}/.config";
   openFilesLimit = 4096;
-in {
+in
+{
   options.services.qbittorrent = {
     enable = mkOption {
       type = types.bool;
@@ -67,24 +69,24 @@ in {
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [pkgs.qbittorrent];
+    environment.systemPackages = [ pkgs.qbittorrent ];
 
     nixpkgs.overlays = [
       (final: prev: {
-        qbittorrent = prev.qbittorrent.override {guiSupport = false;};
+        qbittorrent = prev.qbittorrent.override { guiSupport = false; };
       })
     ];
 
     networking.firewall = mkIf cfg.openFirewall {
-      allowedTCPPorts = [cfg.port];
-      allowedUDPPorts = [cfg.port];
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
     };
 
     systemd.services.qbittorrent = {
-      after = ["network.target"];
+      after = [ "network.target" ];
       description = "qBittorrent Daemon";
-      wantedBy = ["multi-user.target"];
-      path = [pkgs.qbittorrent];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.qbittorrent ];
       serviceConfig = {
         ExecStart = ''
           ${pkgs.qbittorrent}/bin/qbittorrent-nox \
@@ -110,7 +112,10 @@ in {
       };
     };
 
-    users.groups =
-      mkIf (cfg.group == "qbittorrent") {qbittorrent = {gid = null;};};
+    users.groups = mkIf (cfg.group == "qbittorrent") {
+      qbittorrent = {
+        gid = null;
+      };
+    };
   };
 }

nixy/configuration.nix

@@ -1,53 +1,109 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+{ config
+, nvim
+, pkgs
+, system
+, zremap
+, ...
+}:
+let
+    USER = "akill";
+in
 {
-  config,
-  pkgs,
-  lib,
-  nix-xilinx,
-  sops-nix,
-  zremap,
-  ...
-}: {
-  imports = [];
+  imports = [ ];
 
-  system.stateVersion = "23.05";
-  system.autoUpgrade.enable = false;
+  system = {
+    stateVersion = "23.05";
+    autoUpgrade.enable = false;
+    etc.overlay.enable = true;
+    nixos-init.enable = true;
+  };
 
-  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-  sops.secrets."peerix/private" = {
-    sopsFile = ./secrets/peerix.yaml;
-    mode = "0400";
-    owner = config.users.users.nobody.name;
-    group = config.users.users.nobody.group;
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets = {
+      "peerix/private" = {
+        sopsFile = ./secrets/peerix.yaml;
+        mode = "0400";
+        owner = config.users.users.nobody.name;
+        group = config.users.users.nobody.group;
+      };
+
+      "wg_privkey" = {
+        sopsFile = ./secrets/wg_privkey.yaml;
+      };
+
+      "wg_preshared/nixy" = {
+        sopsFile = ../common/secrets/wg_preshared.yaml;
+      };
+
+      "wg_privkey_proton" = {
+        sopsFile = ./secrets/wg_privkey_proton.yaml;
+      };
+
+      "wg_endpoint_proton" = {
+        sopsFile = ./secrets/wg_privkey_proton.yaml;
+      };
+
+      "borgbase_enc_key" = {
+        sopsFile = ./secrets/borgbase_enc_key.yaml;
+        owner = config.users.users.${USER}.name;
+      };
+
+      "borgbase_ssh_key" = {
+        sopsFile = ./secrets/borgbase_ssh_key.yaml;
+        owner = config.users.users.${USER}.name;
+      };
+    };
   };
 
   nix = {
     optimise.automatic = true;
     gc.automatic = true;
     gc.options = "--delete-older-than 7d";
-    package = pkgs.nixUnstable;
+    package = pkgs.nixVersions.latest;
     settings = {
-      experimental-features = ["nix-command" "flakes"];
+      sandbox = true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
     };
   };
 
   boot = {
-    extraModulePackages = with config.boot.kernelPackages; [usbip];
+    extraModulePackages = with config.boot.kernelPackages; [
+      usbip
+      v4l2loopback
+    ];
     initrd.compressor = "zstd";
-    initrd.kernelModules = ["amdgpu"];
-    binfmt.emulatedSystems = ["wasm32-wasi" "x86_64-windows"];
+    initrd.kernelModules = [ ];
+    initrd.systemd.enable = true;
+    binfmt.emulatedSystems = [
+      "wasm32-wasi"
+      "x86_64-windows"
+    ];
+    kernelParams = [
+      "psmouse.synaptics_intertouch=0"
+      "mem_sleep_default=deep"
+      "amdgpu.sg_display=0"
+      "amdgpu.gttsize=2048"
+    ];
     kernelPackages = pkgs.linuxPackages_latest;
-    kernelParams = ["psmouse.synaptics_intertouch=0" "mem_sleep_default=deep"];
+    kernel.sysctl = {
+      "net.core.default_qdisc" = "fq";
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "kernel.unprivileged_userns_clone" = "1"; /* Needed with harderned kernel */
+    };
     loader.efi.canTouchEfiVariables = true;
     loader.systemd-boot = {
       editor = false;
       enable = true;
       memtest86.enable = true;
     };
-    readOnlyNixStore = true;
-    supportedFilesystems = ["btrfs"];
+    nixStoreMountOpts = [ "ro" ];
+    supportedFilesystems = [
+      "xfs"
+    ];
     tmp.useTmpfs = true;
   };
 
@@ -58,7 +114,7 @@
     doas.enable = true;
     doas.extraRules = [
       {
-        users = ["akill"];
+        users = [ USER ];
         keepEnv = true;
         persist = true;
       }
@@ -70,13 +126,22 @@
   };
 
   networking = {
+    nftables.enable = true;
     firewall = {
       enable = true;
-      allowedTCPPorts = [80 443];
+      allowedTCPPorts = [
+        80
+        443
+        51820
+        8020
+      ];
     };
 
     hostName = "nixy";
-    nameservers = ["127.0.0.1" "::1"];
+    nameservers = [
+      "127.0.0.1"
+      "::1"
+    ];
     dhcpcd.extraConfig = "nohook resolv.conf";
 
     extraHosts = ''
@@ -86,6 +151,7 @@
       192.168.88.171 qbittorrent.mediabox.lan
       192.168.88.1   router.lan
       192.168.88.231 workstation.lan
+      192.168.88.121 ender.lan
     '';
 
     networkmanager = {
@@ -103,13 +169,52 @@
         };
       };
     };
+
+    wireguard.interfaces = {
+      wg0 = {
+        ips = [ "10.100.0.6/24" ];
+        privateKeyFile = config.sops.secrets."wg_privkey".path;
+        peers = [
+          {
+            publicKey = builtins.readFile ../magpie/wg_pubkey;
+            presharedKeyFile = config.sops.secrets."wg_preshared/nixy".path;
+            allowedIPs = [ "10.100.0.0/24" ];
+            endpoint = "5.75.229.224:51820";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+
+      neox_wg = {
+        ips = [ "192.168.51.2/32" ];
+        privateKeyFile = config.sops.secrets."wg_privkey".path;
+        peers = [
+          {
+            publicKey = builtins.readFile ../nixy/wg_pubkey_nx;
+            allowedIPs = [ "192.168.2.0/24" ];
+            endpoint = "185.194.64.26:51820";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
   };
 
   time.timeZone = "Europe/Sarajevo";
 
   nixpkgs.config.allowUnfree = true;
-  nixpkgs.overlays = [nix-xilinx.overlay];
+  nixpkgs.overlays = [
+    nvim.overlays.${system}.overlay
+  ];
   environment = {
+    etc = {
+      "firejail/qutebrowser.local".text = ''
+        whitelist ''${RUNUSER}/qutebrowser
+      '';
+    };
+    extraInit = ''
+      unset -v SSH_ASKPASS
+    '';
     homeBinInPath = true;
     variables = {
       PATH = "$HOME/.cargo/bin";
@@ -117,10 +222,27 @@
   };
 
   programs = {
+    steam = {
+      enable = true;
+      remotePlay.openFirewall = true;
+      dedicatedServer.openFirewall = false;
+      localNetworkGameTransfers.openFirewall = true;
+    };
     gnupg.agent = {
       enable = true;
       enableSSHSupport = true;
     };
+    appimage = {
+      enable = true;
+      binfmt = true;
+    };
+    nix-ld = {
+      enable = false;
+      libraries = with pkgs; [
+        stdenv.cc.cc.lib
+        zlib
+      ];
+    };
     zsh.enable = true;
     firejail.enable = true;
     adb.enable = true;
@@ -128,37 +250,150 @@
     sway.enable = true;
   };
 
+  documentation.dev.enable = true;
+
   # List services that you want to enable:
   systemd = {
+    #sysusers.enable = true;
     services = {
-      "zremap" = {
-        description = "Intercepts keyboard udev events";
-        wants = ["systemd-udevd.service"];
-        wantedBy = ["multi-user.target"];
+      # Fix issue where systemd-vconsole-setup failes to find keymap
+      systemd-vconsole-setup = {
+        unitConfig = {
+          After = "local-fs.target";
+        };
+      };
+
+      "zremap@" = {
+        enable = true;
+        restartIfChanged = true;
         serviceConfig.Nice = -20;
-        script = ''
-          sleep 1
-          ${zremap.defaultPackage.x86_64-linux}/bin/zremap \
-          /dev/input/by-path/platform-i8042-serio-0-event-kbd
-        '';
+        unitConfig = {
+          Description = "zremap on %I";
+          ConditionPathExists = "%I";
+        };
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
+        };
+      };
+
+      "netns@" = {
+        description = "%I network namespace";
+        before = [ "network.target" ];
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
+          ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
+        };
+      };
+
+      "wg_proton" = {
+        description = "wg network interface";
+        bindsTo = [ "netns@wg.service" ];
+        requires = [ "network-online.target" ];
+        wants = [ "dnscrypt-proxy_proton.service" ];
+        after = [ "netns@wg.service" ];
+        before = [ "dnscrypt-proxy_proton.service" ];
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          ExecStart = pkgs.writers.writeBash "wg-up" ''
+            set -e
+            ENDPOINT_IP=$(${pkgs.coreutils-full}/bin/cat "${config.sops.secrets."wg_endpoint_proton".path}")
+            ${pkgs.iproute2}/bin/ip link add proton_wg type wireguard
+            ${pkgs.iproute2}/bin/ip link set proton_wg netns wg
+            ${pkgs.iproute2}/bin/ip -n wg address add 10.2.0.2/32 dev proton_wg
+            ${pkgs.iproute2}/bin/ip netns exec wg \
+              ${pkgs.wireguard-tools}/bin/wg set "proton_wg" private-key "${
+                config.sops.secrets."wg_privkey_proton".path
+              }"
+            ${pkgs.iproute2}/bin/ip netns exec wg \
+              ${pkgs.wireguard-tools}/bin/wg set "proton_wg" peer "g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=" \
+                endpoint "$ENDPOINT_IP:51820" \
+                persistent-keepalive "25" \
+                allowed-ips "0.0.0.0/0"
+            ${pkgs.iproute2}/bin/ip -n wg link set lo up
+            ${pkgs.iproute2}/bin/ip -n wg link set proton_wg up
+            ${pkgs.iproute2}/bin/ip -n wg route add default dev proton_wg
+          '';
+          ExecStop = pkgs.writers.writeBash "wg-down" ''
+            ${pkgs.iproute2}/bin/ip -n wg route del default dev proton_wg
+            ${pkgs.iproute2}/bin/ip -n wg link del proton_wg
+          '';
+        };
+      };
+
+      "dnscrypt-proxy_proton" = {
+        description = "DNSCrypt-proxy client proton";
+        wants = [
+          "network-online.target"
+          "nss-lookup.target"
+        ];
+        before = [ "nss-lookup.target" ];
+        after = [ "wg_proton.service" ];
+        partOf = [ "wg_proton.service" ];
+        serviceConfig = {
+          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+          CacheDirectory = "dnscrypt-proxy";
+          DynamicUser = true;
+          ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${config.services.dnscrypt-proxy.configFile}";
+          LockPersonality = true;
+          LogsDirectory = "dnscrypt-proxy";
+          MemoryDenyWriteExecute = true;
+          NetworkNamespacePath = "/var/run/netns/wg";
+          NonBlocking = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          Restart = "always";
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RuntimeDirectory = "dnscrypt-proxy";
+          StateDirectory = "dnscrypt-proxy";
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "@chown"
+            "~@aio"
+            "~@keyring"
+            "~@memlock"
+            "~@setuid"
+            "~@timer"
+          ];
+        };
       };
     };
 
-    extraConfig = ''
-      DefaultTimeoutStartSec=30s
-      DefaultTimeoutStopSec=30s
-    '';
+    coredump.enable = false;
+    settings.Manager = {
+      DefaultTimeoutStartSec = "30s";
+      DefaultTimeoutStopSec = "30s";
+    };
   };
 
   services = {
     acpid.enable = true;
-    btrfs.autoScrub.enable = true;
     dbus.enable = true;
+    dbus.implementation = "broker";
+    envfs.enable = true;
     fstrim.enable = true;
     fwupd.enable = true;
     ntp.enable = true;
     openssh.enable = true;
     printing.enable = true;
+    userborn.enable = true;
 
     pipewire = {
       enable = true;
@@ -167,21 +402,29 @@
       pulse.enable = true;
     };
 
+    avahi = {
+      enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+    };
+
+    libinput.enable = true;
     xserver = {
       enable = true;
       dpi = 144;
-      libinput.enable = true;
       desktopManager.xterm.enable = false;
       displayManager = {
         lightdm.enable = false;
         startx.enable = true;
-        defaultSession = "none+i3";
       };
-      windowManager.i3.enable = true;
+      windowManager.i3.enable = false;
     };
 
     udev = {
-      packages = [pkgs.rtl-sdr pkgs.openhantek6022];
+      packages = [
+        pkgs.openhantek6022
+        pkgs.openocd
+      ];
       extraRules = ''
         #Xilinx FTDI
         ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Xilinx", MODE:="666"
@@ -189,65 +432,120 @@
         #Xilinx Digilent
         ATTR{idVendor}=="1443", MODE:="666"
         ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Digilent", MODE:="666"
+
+        #Arduino UNO r4
+        SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", MODE:="0666"
+
+        #zremap on new keyboard
+        ACTION=="add", SUBSYSTEM=="input", ATTRS{phys}!="", KERNEL=="event[0-9]*", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}=="1", TAG+="systemd", ENV{SYSTEMD_WANTS}+="zremap@$env{DEVNAME}.service"
       '';
     };
 
     tlp = {
       enable = true;
+      settings = {
+        START_CHARGE_THRESH_BAT0 = 70;
+        STOP_CHARGE_THRESH_BAT0 = 86;
+      };
+    };
+
+    batteryNotifier = {
+      enable = true;
+      notifyCapacity = 12;
+      suspendCapacity = 5;
     };
 
     actkbd = {
       enable = true;
       bindings = [
         {
-          keys = [113];
-          events = ["key"];
-          command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master toggle'";
+          keys = [ 115 ];
+          events = [ "key" ];
+          command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+";
         }
 
         {
-          keys = [114];
-          events = ["key" "rep"];
-          command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%- unmute'";
+          keys = [ 114 ];
+          events = [
+            "key"
+            "rep"
+          ];
+          command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-";
         }
 
         {
-          keys = [115];
-          events = ["key" "rep"];
-          command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%+ unmute'";
+          keys = [ 113 ];
+          events = [
+            "key"
+            "rep"
+          ];
+          command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle";
         }
 
         {
-          keys = [224];
-          events = ["key"];
+          keys = [ 224 ];
+          events = [ "key" ];
           command = "${pkgs.light}/bin/light -U 5";
         }
 
         {
-          keys = [225];
-          events = ["key"];
+          keys = [ 225 ];
+          events = [ "key" ];
           command = "${pkgs.light}/bin/light -A 5";
         }
       ];
     };
 
-    dnscrypt-proxy2 = {
+    dnscrypt-proxy = {
       enable = true;
       settings = {
         ipv6_servers = true;
         require_dnssec = true;
+        require_nolog = true;
+        require_nofilter = true;
+        http3 = true;
 
         sources.public-resolvers = {
           urls = [
             "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
             "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
           ];
-          cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+          cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
           minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
         };
       };
     };
 
+    borgbackup.jobs."borgbase" =
+      let
+        user = config.users.users.${USER};
+        home = user.home;
+      in
+      {
+        user = user.name;
+        paths = [
+          (home + "/pic/priv")
+          (home + "/pproj")
+          (home + "/videos/priv")
+        ];
+        exclude = [
+          "**/.ccls_cache"
+          "**/*.d"
+          "**/*.map"
+          "**/*.o"
+          "**/zig-cache"
+          "**/zig-out"
+        ];
+        repo = "ssh://oda929rv@oda929rv.repo.borgbase.com/./repo";
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgbase_enc_key".path}";
+        };
+        environment.BORG_RSH = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgbase_ssh_key".path}";
+        compression = "auto,zstd";
+        startAt = "daily";
+      };
+
     nix-serve = {
       enable = false;
       secretKeyFile = "/var/cache-priv-key.pem";
@@ -257,9 +555,10 @@
       SystemMaxUse=50M
     '';
 
-    logind.extraConfig = ''
-      KillUserProcesses=yes
-    '';
+    logind.settings.Login = {
+      KillUserProcesses = true;
+    };
+
   };
 
   fonts = {
@@ -268,7 +567,7 @@
       allowBitmaps = true;
       useEmbeddedBitmaps = true;
       defaultFonts = {
-        monospace = ["JetBrainsMono"];
+        monospace = [ "JetBrainsMono" ];
       };
     };
 
@@ -277,27 +576,36 @@
       dina-font
       fira-code
       fira-code-symbols
-      font-awesome
-      font-awesome_4
+      font-awesome_6
       inconsolata
       iosevka
       jetbrains-mono
       liberation_ttf
+      libertine
       noto-fonts
-      noto-fonts-cjk
-      noto-fonts-emoji
+      noto-fonts-cjk-sans
+      noto-fonts-color-emoji
       proggyfonts
       siji
       terminus_font
       terminus_font_ttf
-      ubuntu_font_family
+      ubuntu-classic
+      vista-fonts
     ];
   };
 
   virtualisation = {
+    waydroid.enable = false;
+    libvirtd = {
+      enable = true;
+      allowedBridges = [
+        "virbr0"
+        "br0"
+      ];
+    };
+    spiceUSBRedirection.enable = true;
     containers.storage.settings = {
       storage = {
-        driver = "btrfs";
         graphroot = "/var/lib/containers/storage";
         runroot = "/run/containers/storage";
       };
@@ -309,34 +617,43 @@
     };
   };
 
-  sound.enable = true;
-
   hardware = {
     bluetooth = {
       enable = true;
       settings = {
         General = {
+          Experimental = true;
           Enable = "Source,Sink,Media,Socket";
         };
       };
     };
 
-    opengl = {
+    graphics = {
       enable = true;
-      driSupport = true;
-      driSupport32Bit = true;
-      extraPackages = with pkgs; [];
+      extraPackages = [ ];
     };
+    rtl-sdr.enable = true;
   };
 
   zramSwap = {
-    enable = false;
+    enable = true;
     algorithm = "zstd";
   };
 
-  users.users.akill = {
+  users.users.${USER} = {
     isNormalUser = true;
+    initialHashedPassword = "$y$j9T$XGffGsmN/u.wO5wZ.cBml/$9iCw3eWY0GSUH/aA8ESCAxKeTCAMqY21XQF7b5ujxD6";
     shell = pkgs.zsh;
-    extraGroups = ["wireshark" "kvm" "tty" "audio" "sound" "adbusers" "dialout" "wheel"];
+    extraGroups = [
+      "adbusers"
+      "audio"
+      "dialout"
+      "kvm"
+      "plugdev"
+      "sound"
+      "tty"
+      "wheel"
+      "wireshark"
+    ];
   };
 }

nixy/hardware-configuration.nix

@@ -7,72 +7,59 @@
   pkgs,
   modulesPath,
   ...
-}: {
+}:
+
+{
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = ["nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = ["kvm-amd" "amdgpu"];
-  boot.extraModulePackages = [];
+  boot.initrd.luks.devices."crypt_dev".device =
+    "/dev/disk/by-uuid/e10821b9-5426-4f03-b716-1645a64fcd6a";
+  boot.initrd.luks.devices."crypt_dev".allowDiscards = true;
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "ehci_pci"
+    "xhci_pci"
+    "uas"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [
+    "kvm-amd"
+    "amd-gpu"
+  ];
+  boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
-    device = "/dev/disk/by-uuid/f06ac545-07c1-4b2b-8c0b-eeac43892933";
-    fsType = "btrfs";
-    options = ["subvol=root" "compress=lzo" "noatime"];
-  };
-
-  boot.initrd.luks.devices."sys_enc".device = "/dev/disk/by-uuid/682d030d-189e-4b47-a60a-62cf1f3729d3";
-
-  fileSystems."/home" = {
-    device = "/dev/disk/by-uuid/f06ac545-07c1-4b2b-8c0b-eeac43892933";
-    fsType = "btrfs";
-    options = ["subvol=home" "compress=lzo" "noatime"];
+    device = "/dev/disk/by-uuid/c461c971-54ca-4fb7-91e8-6ac70de53ef2";
+    fsType = "xfs";
   };
 
   fileSystems."/nix" = {
-    device = "/dev/disk/by-uuid/f06ac545-07c1-4b2b-8c0b-eeac43892933";
-    fsType = "btrfs";
-    options = ["subvol=nix" "compress=lzo" "noatime"];
+    device = "/dev/disk/by-uuid/eeaa6fab-d67d-400f-b6d4-b1f44c2e0047";
+    fsType = "xfs";
   };
 
-  fileSystems."/persist" = {
-    device = "/dev/disk/by-uuid/f06ac545-07c1-4b2b-8c0b-eeac43892933";
-    fsType = "btrfs";
-    options = ["subvol=persist" "compress=lzo" "noatime"];
-  };
-
-  fileSystems."/var/log" = {
-    device = "/dev/disk/by-uuid/f06ac545-07c1-4b2b-8c0b-eeac43892933";
-    fsType = "btrfs";
-    options = ["subvol=log" "compress=lzo" "noatime"];
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/aeaa71ca-a439-4ef3-9ab8-db7ae8f59376";
+    fsType = "xfs";
   };
 
   fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/3F3E-9833";
+    device = "/dev/disk/by-uuid/828E-F3C3";
     fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
   };
 
-  fileSystems."/opt/xilinx" = {
-    device = "/dev/disk/by-uuid/09912fb9-0284-4b4e-add1-d4a27329539f";
-    fsType = "erofs";
-  };
+  swapDevices = [ ];
 
-  swapDevices = [
-    /*
-    {
-       device = "/dev/disk/by-uuid/ee1792c9-098b-40c1-b760-20def16ba67f";
-       encrypted = {
-         enable = true;
-         keyFile = "/mnt-root/swap.key";
-         label = "swap_encr";
-         blkDev = "/dev/disk/by-uuid/aee12e27-b45a-4291-be78-db0a903071b3";
-       };
-     }
-    */
-  ];
-
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-  nix.settings.max-jobs = lib.mkDefault 8;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixy/secrets/borgbase_enc_key.yaml

@@ -0,0 +1,21 @@
+borgbase_enc_key: ENC[AES256_GCM,data:AD+JghEOX25tBGYhoU1ge1fqrA+5AK8N4yg=,iv:u05GVeWbL3xdZQgGkXSPkxlATd2M9MX4uSZiLOHMMRE=,tag:pmTQIJWmz+ePmSNzO/EO4Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaDhSZVVibVl1NU84NG9U
+            aEVQbThIcC9CajNHS25SVW1SMFFwMUsvMmxJCkpTVThpZ0JZdEpLTnJlQWFqM244
+            LzFaUFVvWWxIcU4wRlhXalF5TkNpVHMKLS0tIExXMUx5cDBBbDloQ0sxbEY0eGdj
+            bE5vNHVHekI2RzY5M3JNcTdCa3pNeUUK8C04wF1te6epA97sNrhoz0VUn+MC7SML
+            6N1CZK3MuRARBqcj4c/W1aXuTysvuV1o/Fl5xOk/gbumcfwnDYj28A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-21T08:14:25Z"
+    mac: ENC[AES256_GCM,data:7M+akGH09E2JYyKLmwpjx0VCEBmXqO6bNHFNRCO+9LdSIqsEw8MD4WGO0zwHOD9ls7+1OPFeoU+MVbtfMhmvN4g6rg+tFkXbxPSXCPkTA4tL90ZLXoBIpUBxKKhFMxtdOnjXxES3rTzjXGAvxocFOiNv/7pKbzeqMJUnH9FgAcM=,iv:h0+OpLmutMyPN3YFhyuHFgWSqxVK5WmBAE0k5ezEo9A=,tag:UKOXnTOjWaLDEOYk5YK4Aw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixy/secrets/borgbase_ssh_key.yaml

@@ -0,0 +1,21 @@
+borgbase_ssh_key: ENC[AES256_GCM,data:lLHIBmw/03An3SRJUjYS2pn0g7XEW0kTXtSObhIGwjBwlRypU7uQDz4JseOA2GbSm+GqsGK8U3Ifgirb7t8AsGy6DPxO+2sm+ByJ1S46G6cwkO2GateJw4Zg0mmhUBBuB/eXQMLuBLKZM2WGta5+6O0SWxDtsrTsBhlo5qbwwYILu0gg2zsBWFSn1OBGgvjYYRTd7N85WX8+S7oNYVAL2HjCmhHHtYrLnua4ajBY9dQEzrKdZaQW4v39HV9MyoilEz17fFLU8S2KbJ1iw8HgoAc9W81hpQNNd8fWKY+e0iWxD9X5H7UTs8YP/bsKeWyG4OAwr99zIZ1Lqzi0EuZI+PYkIz4Q4WBmv1wD6Py274iug3kr1OqvaIOmIT/9j2C3mOZTqxuFaF5T4NMkcIeViCBmRwUMTl/8a36X+n/MYxRoznHCQmg8zKubDuykVJfBmFwxbUc9tx8PeodnWeiASOV7FvBie47yq+NyBGItJXAK14SxLE9T2sxRchJWcrQBcekZdZ5Mej20lfUlcAGkwfUc0e54xsv1K3oY,iv:5157BQmbfuF5EYbDHCy/TmnTYErIwmgXO8RaX6f18xs=,tag:T2eZN46Qd6RgLWk4kbYgPQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5b2YzSDdaU3R5TUdqS3Nv
+            eUYraFBiZlZ1TXBqYzlWNUNYOFlyMzJvWEE4ClJ6R25CRXRUZ2FDTFY2ZmJIRkRX
+            WVJCSy83N2JUNzRuT3VuSUF1OTV2TUkKLS0tIEZ5cVg1V2o0MkdmWEx1emJVdjZ0
+            RkZFL2tRNW9RdnAwalE2ZzVQcnljRFUKRyN8ahv9ZI63m8ycl74GZ59lyAXUsKmi
+            tfPqQvL1oTtJr3hzwy2bkctXQLYjGvsMyZt2tiWpy5vLc1MrxlqVDQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-21T08:16:40Z"
+    mac: ENC[AES256_GCM,data:VkXpCPQB4RypDrK31pYWXeOcl8ulis6fMF1q/SLCg2wXnL0jFrmAFp78C+ers9xFhbnUnMbVc/ZJIVKfa0g94WV3jJbn4+HB0GPWQCz7LwhmG5XEY5O5sFLuDCcHb/epZvDbCsEQeiq+TGDHp6TtdL8qDF+hE2k8qfsy570wocU=,iv:HQleJtHWQ5uk4+Witn2aaqh0SvXqomfiSO/ExgPzVag=,tag:hlBmboddR8GDAmBpETi0Ow==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixy/secrets/peerix.yaml

@@ -1,31 +1,22 @@
 peerix:
-    private: ENC[AES256_GCM,data:767u5KKjk2lMr70vtBvX06t8n/1r5xpCrRNKc9QvypJmbPS+vS8vij8JYJZDKKFBh5xUazSLQC1ga2mpb+hEO2rgD0Aa70p22wwfOP+qCJQNYwlEf0MLWhlblTCE9Cr/eQSX7g==,iv:tPEB4NWbLMvzrUIvosj9PfinMhdWNBu5btjElvbDzxg=,tag:wzxaBzW0R6HKCyP5zlMPRw==,type:str]
+    private: ENC[AES256_GCM,data:Oi8H5nqJ0Bf45wQepCjdZNHBOv4AlPxNN7L5Th3gcRQlW1FS77nusIWGSUvlmL2a5LTN0FV36o2GFPrrhiwmvnkQwuSZKc9VeDTf7SX0RRL1NLmRR/zy4WsRNJFxlqtjahieqg==,iv:6hJwqcdPayZaYZhJ0OfYLAtmeVndLEfeYZjUq5/3qJE=,tag:MiAfg8aZAHNYbB0JwcdStg==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRbi9uTGVPYlhYYWdFb25u
-            SGhSUm9rNmEzSkNVUEVIOGNLb1Z3VFdjNERFCjVEYXlXTlRCV2dLMW1VMWgzcXBR
-            OWxSOUZjZ2VCTzRycDhZRGRXWS9KRTAKLS0tIG8yMkZNeFRtdHVPTTJOM2tRSk5F
-            OXp3Wmh0b1lYQnJBWlMxeGZaZXdnY2MKftJPaUc9sDM8YmvUo1eVDNXWX4scr1rH
-            SMAod/Oq0BvQfyGIpvVBfL5T7RxlF1DwOedg/p3PSfMPjok7QLyv+A==
-            -----END AGE ENCRYPTED FILE-----
         - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdU9WSjZkWUd6NXFpdXNp
-            R2huUXZQOGZzb0Z0ekN2WkdRdEFJYk54RmhnCmo0ampNK01VR3lQM0RGYWlNQ3cx
-            Rk1BK1lIUHJPZ2R5YVd6RTlYbXJDVWcKLS0tIGV0Yy8ySnFMQ25PQUNBL3dPdmc3
-            WjhldWNVL0h6T1lUSEdXeHFQemRBVEEKJzh1HExRoy/iyTtBNaVdNgolWyFHaaLV
-            VTDZYEHq+eEIrVAG5xefG/nPpj2K6FRItA6+4PcKtyARG+gKYwp2tw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMEIyck1xbVJ4Zm56Z3dM
+            OGsxa1p0TGIvRE5DYXZzTDM3YUZFVTAxbUUwCllPd0FOUlRiZW5wT2QvLzZXYjRr
+            S1A5WjZxLzNYQ1ZWVFFQTzRwMFQweFEKLS0tIHNoZUpHS2dDNmFKc3ZVNFZuUFU4
+            L0M0MitMeDg1ZWYxcDNCQlVGUjRKeFkKvD2SKnuh517o2knPr2SOWq3kubMyI7UV
+            j6HgXVbHUDjmKl2dY+YVTnmxrK54E+Q6iiu7mQnvLdzxYBK/EiNt9w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-28T11:55:00Z"
-    mac: ENC[AES256_GCM,data:ieNyjQlo1tQ8qxFMyIN5XGgUiclYIfJe6WUyWiR3qJKKOTnx5MBWNUuHfUMkpm2ToNpaxiDUih2Hhqv5S0Bq1zoExMLjqE36GgaOivha6DeoQn5+WH8bMdMAoc1PlCQkj6Fxw2sdZlrIKcswADk4MfDzdaY/vKoQ5AtK5Bdkgok=,iv:JaOfWEwbLhOTquQVIG6Ll38jkGOCzbtD8h5c7SOAzik=,tag:m4Fmor24Q9GDoe7nu2VnEA==,type:str]
+    lastmodified: "2024-04-21T08:17:51Z"
+    mac: ENC[AES256_GCM,data:v4KQq3Y5ZxsyMxR+FS1BZkH/bPTIIHfQu800U44odaNycIbWnuwCnLWGyJK6Por76bWALycGppDbHPKKW/N1I1XLy/EAXo02+nhHNvKVi2cXSXciuEPc/Cl+6TbP39lx4+EOM8CZoNZ8HAiS3QPy2bwZdMjEw/OHl8TqlN07q9s=,iv:PIcv/b6t+54/yCTZj+12Yep15ors/wXNUnaXjLjpVbM=,tag:JxO5M3OYaWzqgf4gUhCzzg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

nixy/secrets/wg_preshared.yaml

@@ -0,0 +1,21 @@
+wg_preshared: ENC[AES256_GCM,data:k+aFYDNMojf5kktn6KJ4F5mH5oGdqxdF0MO88NcYpai9USnH394XRL9ASvs=,iv:L5LIXbADhrivKjK/V0E5QpRT7BDsktwIuKHgY+2qr84=,tag:pCW1naU/ygxAIDYWV2hHPQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSHZvYy9TTmVEb2ZSTncy
+            ckJ1bXZGWVdJSkVHMGx2Vk5ZNlZ3Q2wzVFQ0Cmg1M3hKNFhnZk5nTE54RTdyR0Vs
+            NVRiTEltSnkxdmhhdGlycHNPWjFLbncKLS0tIE02NVJRZTd0VmowT1c4cjhKNlZk
+            Q01BQWNSVWtIMnFXRWpxR3JDMU8zYTAKIbfpM8uUb09cUlA8YWtgEOL5zvWf5omv
+            baZINiAu0/f1avYmW6Qb+aLa2ALrSZaotj46Uwd9Lb5mtjJ/8v9IOg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-20T18:12:20Z"
+    mac: ENC[AES256_GCM,data:4PWjwxOO0UuNsevCbzCLaiW7C+So4mEGivd9GzyLKx2JlkNFVB8wqPrY1Rl1ANMrT+7LKc8tVOA4zbweNc9idFG4y5DcvnDSieqKu9v1MeEMHqNpz5TTLbCP81g7qegjI/WKul2kaWIdPaioI/f5x2E6rEYnzFv+Di2mc3W+Qcc=,iv:iE9sali0O3sQIhOw30RGR/4ZQsAPcSxq1qxosfasojU=,tag:+9AOwph5A4oDXsK6Z3YeZA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixy/secrets/wg_privkey.yaml

@@ -0,0 +1,21 @@
+wg_privkey: ENC[AES256_GCM,data:XL9FU1kZXvBJfwyt3HpQe8k8zg9HT6Xm0BdjNMduSu9uAgcHbglpLc/qTB0=,iv:QgX1VsmLUsDozFXmzDVPukjPNTa4Lnh806AQ4qdgpa8=,tag:RNVlDbtx8vAAbG0rinLVOw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSnkyM1ZrcnEvM3VHL0Nk
+            THhUUDdGU2s5UFgrVGZ3WXhkYTRIVTlaeGs4CjR4eVpmRy9qUkZSWkpFZDZHRDZI
+            ZWRXSmMzL2RWZkVrSlFPcC9ueGpDVFkKLS0tIDZWbENyS2hrSCtlNlBHaE56QTha
+            eFJmWXk1SVJEbDJOc1Q1VFlzVS8yODgKFXRAtR+67x0dkQTqZPtMT0Hd+aW+5K17
+            S/lhuHRhITt3woQnecVPMYklgJJlsyQ6blKhJw8dvhbVWWThZ853rQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-21T08:18:59Z"
+    mac: ENC[AES256_GCM,data:xPKsGZD5RKT/WMRupe4YTgoiUQRFq77KQyGaazeY1GEPI117gWxRHEpiyCLnfhZWcaekPWoXosm32wRLwDAXM/Femk567i5uKKG2wAqApWbc+FXTQ71w/CFr9uEWFApBjpEHpuBBaFV23qJfylsqeMp9r52d9Sp5eDQC4RJead0=,iv:oiNoZ/bqQUe+luqeuldw1M0KB2d4C5T7kXy+mLFZNZQ=,tag:5pK22TYGwbBNyWlfd/Ufxw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixy/secrets/wg_privkey_proton.yaml

@@ -0,0 +1,22 @@
+wg_privkey_proton: ENC[AES256_GCM,data:qVVd+1s2T3sKDi03V+eMvgqW8LAVl/yEKwtG2EMn8NhBCN7RvlttC5SeIDM=,iv:/QcrtmMjCzZRulumIz5u9oxyaRt+HUq96ZiP8ecpvAo=,tag:1DCaJqVGfg3sfvKTQnmzZA==,type:str]
+wg_endpoint_proton: ENC[AES256_GCM,data:ggoWnB6nGjGc/kSOaCo=,iv:1r5J6SO5JYH7+bMhE2lGwfFETVFeS61eCXtej0Pl07M=,tag:p+0hhQ/vqZzZML24YReA0g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdXZpL1lrOEYyYVdFTzNJ
+            SHhXRVc5Y0o4ZzN2THRjM215UWczVjZOTXg4CjBJZ2VxN0t0ZFgzTmJMeXo5SWZk
+            UjRlNmdRTVVPbHVEeXM3TWhoS0pSUTQKLS0tIEtkTURBc1A3d2lTalhmeEoxUkZj
+            K3BHZnUzN3ZrL1dFQk8rWFpZR05pbFUKObrnIpY3NR1o3/lKhTfVpQU+eQRTi7wF
+            SAjGZ5BRdCi5x1VWRxiT1Fvjqkm7kBEQFvdSvbqW2UK6lVHtWgt2Vg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-12T13:30:18Z"
+    mac: ENC[AES256_GCM,data:3UqJGcNGPZDlLA3a0uNHUI0ykDC0ByxAR2ZsrsbWQMv3BS6zyBuc+zpTHQZoIPGsAMUetuB3OuA0IQNll3abg6u2AadEQBUf1PYMWlo58txLYlAs/q0g+575F+LhDSgmDMKOFXz4HqbFP0RYTHkPnmjWPMWWY3G9o6B3Iaw5+Kc=,iv:massJRpGcH4pDZxJrpQYy80XVViyw+qFsZ8Sk9Xze08=,tag:eDvuNadKGKBS/3jauvnuFQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixy/ssh_pubkey

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPNCxE/8z02lVOC1unJbPMH+Ma+KRJfmz33oUfz3hKc root@nixy

nixy/wg_pubkey

@@ -0,0 +1 @@
+oHVmhw80daHjDjo7nwt/Y9eKBaH5FoTiVeukwDObijM=

nixy/wg_pubkey_nx

@@ -0,0 +1 @@
+eoYSDh27qQFpvOcDmuVFzSTuPnrHQYXDMqatKmDAth0=

packages/bubblewrap/default.nix

@@ -0,0 +1,56 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  docbook_xsl,
+  libxslt,
+  meson,
+  ninja,
+  pkg-config,
+  bash-completion,
+  libcap,
+  libselinux,
+}:
+stdenv.mkDerivation rec {
+  pname = "bubblewrap";
+  version = "0.8.0";
+
+  src = fetchFromGitHub {
+    owner = "rhendric";
+    repo = "bubblewrap";
+    rev = "23ff0f875b3a0200c1796daa01173ecec7deaf88";
+    hash = "sha256-EWsuAGsShaHEmLi0jUHX2bFQZkinIOsRbgB7tZSfq8E=";
+  };
+
+  postPatch = ''
+    substituteInPlace tests/libtest.sh \
+      --replace "/var/tmp" "$TMPDIR"
+  '';
+
+  nativeBuildInputs = [
+    docbook_xsl
+    libxslt
+    meson
+    ninja
+    pkg-config
+  ];
+
+  buildInputs = [
+    bash-completion
+    libcap
+    libselinux
+  ];
+
+  # incompatible with Nix sandbox
+  doCheck = false;
+
+  meta = with lib; {
+    changelog = "https://github.com/containers/bubblewrap/releases/tag/${src.rev}";
+    description = "Unprivileged sandboxing tool";
+    homepage = "https://github.com/containers/bubblewrap";
+    license = licenses.lgpl2Plus;
+    maintainers = with maintainers; [ dotlambda ];
+    platforms = platforms.linux;
+    mainProgram = "bwrap";
+  };
+}

packages/viber/default.nix

@@ -0,0 +1,171 @@
+{
+  alsa-lib,
+  brotli,
+  cups,
+  curl,
+  bubblewrap,
+  bash,
+  writeShellScriptBin,
+  dbus,
+  dpkg,
+  expat,
+  fetchurl,
+  fontconfig,
+  freetype,
+  glib,
+  gst_all_1,
+  harfbuzz,
+  krb5,
+  lcms,
+  lib,
+  libcap,
+  libevent,
+  libGL,
+  libGLU,
+  libopus,
+  libpulseaudio,
+  libwebp,
+  libxkbcommon,
+  libxml2,
+  libxslt,
+  makeWrapper,
+  mesa,
+  nspr,
+  nss,
+  openssl,
+  snappy,
+  stdenv,
+  systemd,
+  wayland,
+  xorg,
+  zlib,
+  zstd,
+  ...
+}:
+stdenv.mkDerivation {
+  pname = "viber";
+  version = "23.2.0.3";
+
+  src = fetchurl {
+    # Official link: https://download.cdn.viber.com/cdn/desktop/Linux/viber.deb
+    url = "https://download.cdn.viber.com/cdn/desktop/Linux/viber.deb";
+    hash = "sha256-9WHiI2WlsgEhCPkrQoAunmF6lSb2n5RgQJ2+sdnSShM=";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = [ dpkg ];
+
+  dontUnpack = true;
+
+  libPath = lib.makeLibraryPath [
+    alsa-lib
+    brotli
+    cups
+    curl
+    dbus
+    expat
+    fontconfig
+    freetype
+    glib
+    gst_all_1.gst-plugins-bad
+    gst_all_1.gst-plugins-base
+    gst_all_1.gstreamer
+    harfbuzz
+    krb5
+    lcms
+    libcap
+    libevent
+    libGLU
+    libGL
+    libopus
+    libpulseaudio
+    libwebp
+    libxkbcommon
+    libxml2
+    libxslt
+    mesa
+    nspr
+    nss
+    openssl
+    snappy
+    stdenv.cc.cc
+    systemd
+    wayland
+    zlib
+    zstd
+
+    xorg.libICE
+    xorg.libSM
+    xorg.libX11
+    xorg.libxcb
+    xorg.libXcomposite
+    xorg.libXcursor
+    xorg.libXdamage
+    xorg.libXext
+    xorg.libXfixes
+    xorg.libXi
+    xorg.libXrandr
+    xorg.libXrender
+    xorg.libXScrnSaver
+    xorg.libXtst
+    xorg.xcbutilimage
+    xorg.xcbutilkeysyms
+    xorg.xcbutilrenderutil
+    xorg.xcbutilwm
+    xorg.libxkbfile
+  ];
+
+  installPhase =
+    let
+      viberWrap = writeShellScriptBin "viberWrap" ''
+        ${bubblewrap}/bin/bwrap --bind / / \
+        --dev /dev \
+        --tmpfs $HOME \
+        --bind  $HOME/.ViberPC/ $HOME/.ViberPC \
+        --bind  $HOME/Downloads/ $HOME/Downloads \
+        $@
+      '';
+    in
+    ''
+      dpkg-deb -x $src $out
+      mkdir -p $out/bin
+
+      # Soothe nix-build "suspicions"
+      chmod -R g-w $out
+
+      for file in $(find $out -type f \( -perm /0111 -o -name \*.so\* \) ); do
+        patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" "$file" || true
+        patchelf --set-rpath $libPath:$out/opt/viber/lib $file || true
+      done
+
+      # qt.conf is not working, so override everything using environment variables
+      wrapProgram $out/opt/viber/Viber \
+        --set QT_PLUGIN_PATH "$out/opt/viber/plugins" \
+        --set QT_XKB_CONFIG_ROOT "${xorg.xkeyboardconfig}/share/X11/xkb" \
+        --set QTCOMPOSE "${xorg.libX11.out}/share/X11/locale" \
+        --set QML2_IMPORT_PATH "$out/opt/viber/qml"
+
+      echo "#!${bash}/bin/bash" > $out/bin/viber
+      echo "${viberWrap}/bin/viberWrap $out/opt/viber/Viber" >> $out/bin/viber
+      chmod +x $out/bin/viber
+
+      mv $out/usr/share $out/share
+      rm -rf $out/usr
+
+      # Fix the desktop link
+      substituteInPlace $out/share/applications/viber.desktop \
+        --replace /opt/viber/Viber $out/opt/viber/Viber \
+        --replace /usr/share/ $out/share/
+    '';
+  dontStrip = true;
+  dontPatchELF = true;
+
+  meta = {
+    homepage = "https://www.viber.com";
+    description = "An instant messaging and Voice over IP (VoIP) app";
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+    license = lib.licenses.unfree;
+    platforms = [ "x86_64-linux" ];
+    maintainers = with lib.maintainers; [ jagajaga ];
+  };
+}