feat(home): Configure alex@jakalx.net account

It conflicted with the beta version of the nvidia drivers.

.envrc

@@ -0,0 +1 @@
+use flake

flake.lock

@@ -6,14 +6,15 @@
         "home-manager": "home-manager",
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1701216516,
-        "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
+        "lastModified": 1716561646,
+        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
+        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
         "type": "github"
       },
       "original": {
@@ -46,11 +47,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1673295039,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
         "type": "github"
       },
       "original": {
@@ -67,11 +68,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706302763,
-        "narHash": "sha256-Le1wk75qlzOSfzDk8vqYxSdoEyr/ORIbMhziltVNGYw=",
+        "lastModified": 1716431128,
+        "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "f7424625dc1f2e4eceac3009cbd1203d566feebc",
+        "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
         "type": "github"
       },
       "original": {
@@ -84,16 +85,16 @@
       "inputs": {
         "flake-utils": "flake-utils",
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ],
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1702399955,
-        "narHash": "sha256-FnB5O1RVFzj3h7Ayf7UxFnOL1gsJuG6gn1LCTd9dKFs=",
+        "lastModified": 1716714348,
+        "narHash": "sha256-BKe2l6j185w6NCD5o2WbT3v6Ul8CYIUGlmI04MbS6QE=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "47798c4ab07d5f055bb2625010cf6d8e3f384923",
+        "rev": "929e09706815a9e10cc749393eaa5895761de32a",
         "type": "github"
       },
       "original": {
@@ -105,11 +106,27 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1668681692,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -120,14 +137,14 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -136,6 +153,27 @@
         "type": "github"
       }
     },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -144,31 +182,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682203081,
-        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
-    "home-manager-unstable": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unstable"
-        ]
-      },
-      "locked": {
-        "lastModified": 1702538064,
-        "narHash": "sha256-At5GwJPu2tzvS9dllhBoZmqK6lkkh/sOp2YefWRlaL8=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "0e2e443ff24f9d75925e91b89d1da44b863734af",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
         "type": "github"
       },
       "original": {
@@ -184,16 +202,15 @@
         ]
       },
       "locked": {
-        "lastModified": 1702195709,
-        "narHash": "sha256-+zRjWkm5rKqQ57PuLZ3JF3xi3vPMiOJzItb1m/43Cq4=",
+        "lastModified": 1716711219,
+        "narHash": "sha256-TnZETiQPXbyT5mdCHMOyrJnx2+BwroMBRrguciz1vEo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6761b8188b860f374b457eddfdb05c82eef9752f",
+        "rev": "05e6ba83eb3585ce0aff7b41e4bd0e317d05ad4a",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-23.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -270,36 +287,21 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1702346276,
-        "narHash": "sha256-eAQgwIWApFQ40ipeOjVSoK4TEHVd6nbSd9fApiHIw5A=",
+        "lastModified": 1716509168,
+        "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cf28ee258fd5f9a52de6b9865cdb93a1f96d09b7",
+        "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "nixpkgs-22_11": {
-      "locked": {
-        "lastModified": 1669558522,
-        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-22.11",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs-23_05": {
+    "nixpkgs-droid": {
       "locked": {
         "lastModified": 1704290814,
         "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
@@ -308,21 +310,6 @@
         "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
         "type": "github"
       },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-23.05",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs-droid": {
-      "locked": {
-        "lastModified": 1702350026,
-        "narHash": "sha256-A+GNZFZdfl4JdDphYKBJ5Ef1HOiFsP18vQe9mqjmUis=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "9463103069725474698139ab10f17a9d125da859",
-        "type": "github"
-      },
       "original": {
         "owner": "NixOS",
         "ref": "nixos-23.05",
@@ -348,43 +335,43 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1702221085,
-        "narHash": "sha256-Br3GCSkkvkmw46cT6wCz6ro2H1WgDMWbKE0qctbdtL0=",
+        "lastModified": 1716361217,
+        "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c2786e7084cbad90b4f9472d5b5e35ecb57958af",
+        "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.05",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "nixpkgs-unstable": {
+    "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1705316053,
-        "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=",
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1670751203,
-        "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
+        "lastModified": 1709703039,
+        "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
+        "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",
         "type": "github"
       },
       "original": {
@@ -441,35 +428,55 @@
         "type": "gitlab"
       }
     },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable_2"
+      },
+      "locked": {
+        "lastModified": 1716213921,
+        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
         "disko": "disko",
         "emacs": "emacs",
         "home-manager": "home-manager_2",
-        "home-manager-unstable": "home-manager-unstable",
         "nix-on-droid": "nix-on-droid",
         "nixpkgs": "nixpkgs",
         "nixpkgs-droid": "nixpkgs-droid",
-        "nixpkgs-unstable": "nixpkgs-unstable",
+        "pre-commit-hooks": "pre-commit-hooks",
         "snm": "snm"
       }
     },
     "snm": {
       "inputs": {
         "blobs": "blobs",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "nixpkgs": "nixpkgs_2",
-        "nixpkgs-22_11": "nixpkgs-22_11",
-        "nixpkgs-23_05": "nixpkgs-23_05",
         "utils": "utils_2"
       },
       "locked": {
-        "lastModified": 1703666786,
-        "narHash": "sha256-SLPNpM/rI8XPyVJAxMYAe+n6NiYSpuXvdwPILHP4yZI=",
+        "lastModified": 1714720456,
+        "narHash": "sha256-e0WFe1BHqX23ADpGBc4ZRu38Mg+GICCZCqyS6EWCbHc=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "b5023b36a1f6628865cb42b4353bd2ddde0ea9f4",
+        "rev": "41059fc548088e49e3ddb3a2b4faeb5de018e60f",
         "type": "gitlab"
       },
       "original": {
@@ -494,6 +501,36 @@
         "type": "github"
       }
     },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "utils": {
       "locked": {
         "lastModified": 1659877975,
@@ -510,12 +547,15 @@
       }
     },
     "utils_2": {
+      "inputs": {
+        "systems": "systems_3"
+      },
       "locked": {
-        "lastModified": 1605370193,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "lastModified": 1709126324,
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,17 +1,14 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     nixpkgs-droid.url = "github:NixOS/nixpkgs/nixos-23.05";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+    pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
+    pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-23.11";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    home-manager-unstable = {
       url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
 
     # simple mailserver
@@ -27,7 +24,7 @@
 
     emacs = {
       url = "github:nix-community/emacs-overlay";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
 
     #    simplex-chat = {
@@ -45,51 +42,117 @@
     disko.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { home-manager, nixpkgs, nixpkgs-unstable, ... }@inputs: {
-    nixosConfigurations."thrall" = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = { inherit inputs; };
-      modules = let
-        postfix-overlay = final: prev: {
-          postfix = nixpkgs-unstable.legacyPackages."x86_64-linux".postfix;
-        };
-      in [
-        ({ inputs, lib, ... }: {
-          nixpkgs = {
-            config.allowUnfree = true;
-            overlays = with inputs; [ emacs.overlay postfix-overlay ];
-          };
-          nix.registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
-        })
-        ./hosts/thrall
-        home-manager.nixosModules.home-manager
+  outputs =
+    {
+      self,
+      home-manager,
+      nixpkgs,
+      pre-commit-hooks,
+      ...
+    }@inputs:
+    {
+      checks."x86_64-linux" =
+        let
+          system = "x86_64-linux";
+          pkgs = import nixpkgs { inherit system; };
+        in
         {
-          home-manager.useGlobalPkgs = true;
-          home-manager.useUserPackages = true;
-          home-manager.users.alex = import ./home/alex/cli.nix;
-        }
-      ];
-    };
+          pre-commit-check = pre-commit-hooks.lib.${system}.run {
+            src = ./.;
+            tools.fourmolu = pkgs.haskellPackages.fourmolu;
+            tools.nixfmt = pkgs.nixfmt-rfc-style;
+            hooks = {
+              nixfmt.enable = true;
+              fourmolu.enable = true;
+              hpack.enable = true;
+              hlint.enable = true;
+              ormolu = {
+                settings.defaultExtensions = [ "GHC2021" ];
+              };
+            };
+          };
+        };
 
-    nixosConfigurations."dregil" = nixpkgs-unstable.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = { inherit inputs; };
-      modules = [ ./hosts/dregil ];
-    };
-
-    nixosConfigurations."igor" = nixpkgs-unstable.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = { inherit inputs; };
-      modules = [ ./hosts/igor ];
-    };
-
-    nixOnDroidConfigurations.default = with inputs;
-      nix-on-droid.lib.nixOnDroidConfiguration {
+      nixosConfigurations."thrall" = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = {
+          inherit inputs;
+        };
         modules = [
-          ./hosts/redmi
-          { nix.registry.nixpkgs.flake = nixpkgs-droid; }
-          { nix.nixPath = [ "nixpkgs=${nixpkgs-droid}" ]; }
+          (
+            { inputs, lib, ... }:
+            {
+              nixpkgs = {
+                config.allowUnfree = true;
+                overlays = with inputs; [ emacs.overlay ];
+              };
+            }
+          )
+          ./hosts/thrall
+          home-manager.nixosModules.home-manager
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+          }
+          { home-manager.users.alex = ./hosts/thrall/alex.nix; }
         ];
       };
-  };
+
+      nixosConfigurations."dregil" = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = {
+          inherit inputs;
+        };
+        modules = [ ./hosts/dregil ];
+      };
+
+      nixosConfigurations."igor" = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = {
+          inherit inputs;
+        };
+        modules = [ ./hosts/igor ];
+      };
+
+      nixOnDroidConfigurations.default =
+        with inputs;
+        nix-on-droid.lib.nixOnDroidConfiguration {
+          modules = [
+            ./hosts/redmi
+            { nix.registry.nixpkgs.flake = nixpkgs-droid; }
+            { nix.nixPath = [ "nixpkgs=${nixpkgs-droid}" ]; }
+          ];
+        };
+
+      devShells."x86_64-linux".default =
+        let
+          system = "x86_64-linux";
+          pkgs = import nixpkgs { inherit system; };
+        in
+        pkgs.haskellPackages.shellFor {
+          inherit (self.checks.${system}.pre-commit-check) shellHook;
+
+          packages = p: [
+            p.xmonad
+            p.xmonad-contrib
+          ];
+
+          withHoogle = true;
+
+          nativeBuildInputs = with pkgs; [
+            haskellPackages.haskell-language-server
+            haskellPackages.fourmolu
+            haskellPackages.hspec-discover
+            haskellPackages.doctest
+            haskellPackages.xmonad
+            haskellPackages.xmonad-contrib
+            cabal-install
+            ghcid
+            nixfmt-rfc-style
+            nil
+            hpack
+            hlint
+          ];
+        };
+    };
 }

home/alex/cli.nix

@@ -9,11 +9,16 @@ let
   };
 
   myEza = if builtins.hasAttr "eza" pkgs then "eza" else "exa";
-in {
+in
+{
   imports = [
     ./programs/neovim/default.nix
     ./programs/emacs/default.nix
     ./programs/editorconfig
+    ./programs/jq
+    ./programs/fzf
+    ./programs/git
+    ./programs/shell
   ];
 
   programs.home-manager.enable = true;
@@ -37,7 +42,7 @@ in {
 
     # nix tools
     nix-index
-    nixfmt
+    nixfmt-rfc-style
     # misc
     fd # better find
     file # info about files
@@ -55,13 +60,19 @@ in {
     shellcheck
     editorconfig-core-c
     shfmt
-    (aspellWithDicts (dicts: with dicts; [ en en-computers en-science de ]))
+    (aspellWithDicts (
+      dicts: with dicts; [
+        en
+        en-computers
+        en-science
+        de
+      ]
+    ))
 
     # system tools
     htop-vim # htop with vim bindings
     erdtree # du+tree had sex
     dua # ncdu but better
-    fzf
 
     gopass
     gopass-jsonapi
@@ -80,7 +91,11 @@ in {
 
     nix-prefetch-git
   ];
-  home.extraOutputsToInstall = [ "doc" "info" "devdoc" ];
+  home.extraOutputsToInstall = [
+    "doc"
+    "info"
+    "devdoc"
+  ];
 
   xdg.enable = true;
 
@@ -109,7 +124,9 @@ in {
   };
 
   programs = {
-    bash = { enable = true; };
+    bash = {
+      enable = true;
+    };
 
     # better cat
     bat.enable = true;
@@ -117,28 +134,21 @@ in {
     # htop replacement with a nice UI
     btop.enable = true;
 
-    zsh = {
-      enable = true;
-      enableAutosuggestions = true;
-      oh-my-zsh = {
-        enable = true;
-        plugins = [ "git" "fzf" "fd" "z" ];
-        theme = "simple";
-      };
-    };
-
     # better ls with icons and stuff, maybe also try lsd
     ${myEza} = {
       enable = true;
       icons = true;
-      enableAliases = true;
     };
 
-    starship = { enable = true; };
+    starship = {
+      enable = true;
+    };
 
     direnv = {
       enable = true;
-      nix-direnv = { enable = true; };
+      nix-direnv = {
+        enable = true;
+      };
       enableZshIntegration = true;
       enableBashIntegration = true;
     };
@@ -148,18 +158,11 @@ in {
       settings.git_protocol = "ssh";
     };
 
-    git = {
-      enable = true;
-      ignores = [ "*~" "*.swp" "result" "dist-newstyle" ];
-      userEmail = user.mail;
-      userName = user.fullName;
-      aliases = { st = "status"; };
-      extraConfig = { init.defaultBranch = "main"; };
-    };
-
     gpg = {
       enable = true;
-      settings = { homedir = "~/.local/share/gnupg"; };
+      settings = {
+        homedir = "~/.local/share/gnupg";
+      };
     };
 
     helix = {
@@ -170,7 +173,9 @@ in {
     password-store = {
       enable = true;
       package = pkgs.gopass;
-      settings = { PASSWORD_STORE_DIR = "$HOME/.local/share/password-store"; };
+      settings = {
+        PASSWORD_STORE_DIR = "$HOME/.local/share/password-store";
+      };
     };
 
     ssh.enable = true;
@@ -181,8 +186,8 @@ in {
   services.gpg-agent = {
     enable = true;
     enableSshSupport = true;
-    defaultCacheTtl = 300;
-    defaultCacheTtlSsh = 300;
+    defaultCacheTtl = 7200;
+    defaultCacheTtlSsh = 7200;
   };
 
   home.file.".local" = {

home/alex/home.nix

@@ -1,9 +1,29 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
   imports = [
     ./cli.nix
-    # ./programs/xmonad/default.nix
+    ./programs/devenv.nix
+    ./programs/rofi
+    ./programs/xmonad
+    ./programs/jitsi-meet
+    ./programs/simplex-chat
+    ./programs/zathura
+    ./services/polybar
+    ./services/dunst
+    ./services/udiskie
+    ./services/picom
+    ./services/screen-locker
+    ./services/blueman-applet
+    ./services/network-manager
+    ./services/syncthing
+    ./services/git-sync
+    ./modules/email.nix
   ];
 
   home = {
@@ -14,20 +34,15 @@
 
     keyboard.layout = "us";
     keyboard.variant = "dvorak";
-    keyboard.options =
-      [ "terminate:ctrl_alt_bksp" "caps:escape" "compose:ralt" ];
+    keyboard.options = [
+      "terminate:ctrl_alt_bksp"
+      "caps:escape"
+      "compose:ralt"
+    ];
 
     packages = with pkgs; [
       # social
-      (jitsi-meet-electron.overrideAttrs (prev: rec {
-        version = "2023.10.0";
-        src = fetchurl {
-          url =
-            "https://github.com/jitsi/jitsi-meet-electron/releases/download/v${version}/jitsi-meet-x86_64.AppImage";
-          sha256 = "sha256-zhOx/gdsiQMuOCCE5sn+JNu0WJrH36XfvqqNvE24St8=";
-          name = "jitsi-meet-electron-${version}.AppImage";
-        };
-      })) # jitsi as a stand-alone app
+      jitsi-meet-electron
       discord # talk to other people
 
       # system tools
@@ -36,7 +51,8 @@
 
       # gaming support
       lutris
-      winePackages.stagingFull
+      bottles
+      wine64Packages.stagingFull
 
       # reading
       calibre
@@ -45,6 +61,8 @@
 
   news.display = "silent";
 
+  my.git-sync.enable = true;
+
   programs = {
     alacritty.enable = true;
     # autorandr.enable = true;
@@ -59,32 +77,36 @@
       enable = true;
       package = pkgs.firefox.override {
         cfg = {
-          nativeMessagingHosts.packages =
-            [ pkgs.browserpass pkgs.tridactyl-native ];
+          nativeMessagingHosts.packages = [
+            pkgs.browserpass
+            pkgs.tridactyl-native
+          ];
           enableGnomeExtensions = true;
         };
       };
     };
     mpv.enable = true;
-    rofi.enable = true;
-    rofi.pass.enable = true;
-    zathura.enable = true;
 
-    zsh = let
-      auth-socket-env = ''
-        export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf -L agent-ssh-socket)"
-      '';
-    in {
-      enable = true;
-      loginExtra = auth-socket-env;
-      initExtra = auth-socket-env;
-    };
+    zsh =
+      let
+        auth-socket-env = ''
+          export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf -L agent-ssh-socket)"
+        '';
+      in
+      {
+        enable = true;
+        loginExtra = auth-socket-env;
+        initExtra = auth-socket-env;
+      };
   };
 
   services.gpg-agent = {
     enable = true;
     enableSshSupport = true;
     sshKeys = [ "9027AB16B9A7C20BD29F30F55CBA054430BF014C" ];
+    extraConfig = ''
+      pinentry-program ${pkgs.pinentry.qt}/bin/pinentry
+    '';
   };
 
   # services.autorandr = { enable = true; };

home/alex/modules/email.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  mkAccount =
+    addr:
+    let
+      domain = lib.lists.elemAt (lib.strings.splitString "@" addr) 1;
+    in
+    {
+      address = addr;
+      gpg = {
+        key = "F2132F0C63730C6BC42BCC2A41A6D13FECA21280";
+        signByDefault = true;
+      };
+      mbsync = {
+        enable = true;
+        create = "maildir";
+      };
+      passwordCommand = "${lib.getBin pkgs.gopass}/bin/gopass --nosync show -o eMail/${domain}/${addr}";
+      msmtp.enable = true;
+      notmuch.enable = true;
+      realName = "Alexander Kobjolke";
+      userName = addr;
+    };
+in
+{
+  programs.mbsync.enable = true;
+  programs.msmtp.enable = true;
+  programs.notmuch = {
+    enable = true;
+    hooks.preNew = "mbsync --all";
+  };
+
+  accounts.email = {
+    accounts.failco = mkAccount "me@failco.de" // {
+      primary = true;
+      imap.host = "thrall.failco.de";
+      smtp.host = "thrall.failco.de";
+    };
+
+    accounts.jakalx = mkAccount "alex@jakalx.net" // {
+      imap.host = "thrall.failco.de";
+      smtp.host = "thrall.failco.de";
+    };
+  };
+}

home/alex/programs/devenv.nix

@@ -0,0 +1,5 @@
+{ pkgs, ... }:
+
+{
+  config.home.packages = [ pkgs.devenv ];
+}

home/alex/programs/emacs/doom/config.el

@@ -3,11 +3,21 @@
 ;; Place your private configuration here! Remember, you do not need to run 'doom
 ;; sync' after modifying this file!
 
+(setq ak/at-work? (getenv "AK_AT_WORK"))
 
 ;; Some functionality uses this to identify you, e.g. GPG configuration, email
 ;; clients, file templates and snippets.
-(setq user-full-name "Alexander Kobjolke"
-      user-mail-address "me@failco.de")
+(setq! user-full-name "Alexander Kobjolke"
+       user-mail-address "me@failco.de")
+
+(when ak/at-work?
+  (setq! user-mail-address "alexander.kobjolke@atlas-elektronik.com")
+  (add-to-list 'lsp-disabled-clients 'cmakels)
+
+  ;; exclude cmake from formatting on save
+  (add-to-list '+format-on-save-disabled-modes
+               'cmake-mode))
+
 
 ;; Doom exposes five (optional) variables for controlling fonts in Doom. Here
 ;; are the three important ones:
@@ -25,38 +35,48 @@
 ;; There are two ways to load a theme. Both assume the theme is installed and
 ;; available. You can either set `doom-theme' or manually load a theme with the
 ;; `load-theme' function. This is the default:
-(setq doom-theme 'doom-gruvbox)
+(setq! doom-theme 'doom-gruvbox)
+(setq! doom-localleader-key ",")
+(setq! doom-localleader-alt-key "M-,")
 
 (require 're-builder)
-(setq reb-re-syntax 'string)
+(setq! reb-re-syntax 'string)
 
 ;; If you use `org' and don't want your org files in the default location below,
 ;; change `org-directory'. It must be set before org loads!
-(setq org-directory "~/org/"
-      org-roam-directory (file-truename "~/org/notes"))
+(setq! org-directory "~/org/"
+       org-log-into-drawer t)
 
 ;; do not create a new workspace for each emacsclient
 (after! persp-mode
-    (setq persp-emacsclient-init-frame-behaviour-override "main"))
+    (setq! persp-emacsclient-init-frame-behaviour-override "main"))
 
-(defun my/org-id-update-org-roam-files ()
-  "Update Org-ID locations for all Org-roam files."
-  (interactive)
-  (org-id-update-id-locations (org-roam-list-files)))
 
 (defun my/org-id-update-id-current-file ()
   "Scan the current buffer for Org-ID locations and update them."
   (interactive)
   (org-id-update-id-locations (list (buffer-file-name (current-buffer)))))
 
-(setq undo-limit 80000000                         ; Raise undo-limit to 80Mb
-      evil-want-fine-undo t                       ; By default while in insert all changes are one big blob. Be more granular
-      auto-save-default t                         ; Nobody likes to loose work, I certainly don't
-      )
+(setq! undo-limit 80000000                         ; Raise undo-limit to 80Mb
+       auto-save-default t                         ; Nobody likes to loose work, I certainly don't
+       )
+
+;; tweak some VI defaults
+(after! evil
+  (setq! evil-ex-substitute-global t     ; I like my s/../.. to be global by default
+         evil-move-cursor-back nil       ; Don't move the block cursor when toggling insert mode
+         evil-want-fine-undo t                       ; By default while in insert all changes are one big blob. Be more granular
+         evil-want-Y-yank-to-eol t
+         evil-escape-key-sequence "qq"               ; define an escape sequence
+         evil-escape-delay 0.175
+         evil-move-beyond-eol t                      ; let the cursor move beyond eol just as in regular emacs
+         evil-kill-on-visual-paste nil ; Don't put overwritten text in the kill ring
+         evil-snipe-override-evil-repeat-keys nil))
+
 
 ;; This determines the style of line numbers in effect. If set to `nil', line
 ;; numbers are disabled. For relative line numbers, set this to `relative'.
-(setq display-line-numbers-type t)
+(setq! display-line-numbers-type 'relative)
 
 ;; mouse
 ;; enable mouse reporting for terminal emulators
@@ -69,79 +89,122 @@
                               (interactive)
                               (scroll-up 1))))
 
-;; disable highlight lines
-                                        ;(remove-hook 'doom-first-buffer-hook #'global-hl-line-mode)
+(after! haskell-mode
+  (setq haskell-process-type 'cabal-repl))
 
-(setq haskell-process-type 'cabal-new-repl)
+(after! org
+  (setq! org-log-into-drawer t
+         org-todo-keywords '(
+                             (sequence "NEXT(n)" "TODO(t)" "WAIT(w@/!)" "|" "DONE(d!)" "CNCL(k@)")
+                             (sequence "[ ](T)" "[-](S)" "[?](W)" "|" "[X](D)")
+                             ))
+  (use-package! org-ql)
+  (use-package! org-bookmark-heading)
 
-(setq evil-snipe-override-evil-repeat-keys nil)
-(setq doom-localleader-key ",")
-(setq doom-localleader-alt-key "M-,")
+  (add-hook! 'org-mode-hook #'+org-init-keybinds-h))
 
-(use-package! org
-  :config (setq org-log-into-drawer t
-                org-todo-keywords '(
-                                    (sequence "NEXT(n)" "TODO(t)" "WAIT(w@/!)" "|" "DONE(d!)" "CNCL(k@)")
-                                    (sequence "[ ](T)" "[-](S)" "[?](W)" "|" "[X](D)")
-                                    )))
+(use-package! activities
+  :demand t
+  :config
+  (defun ak/activities-define--with-prefix-arg ()
+    "Call 'C-u activities-define' in order to save the current activity."
+    (interactive)
+    (let ((current-prefix-arg '(4)))
+      (call-interactively #'activities-define)))
 
-(use-package! org-ql)
+  (activities-mode)
+  (activities-tabs-mode)
+  (map!
+   (:prefix ("C-c a" . "Activities")
+    :desc "Switch activity" "a" #'activities-switch
+    :desc "Resume activity" "r" #'activities-resume
+    :desc "Create new activity" "n" #'activities-new
+    :desc "List activities" "l" #'activities-list
+    :desc "Save current activity " "s" #'ak/activities-define--with-prefix-arg
+    :desc "Save all activities" "S" #'activities-save-all
+    :desc "Revert activity to default" "R" #'activities-revert
+    )
+   )
+  )
 
 (use-package! elfeed-web)
 
+(when ak/at-work?
+  (after! forge
+    (add-to-list 'forge-alist '("gitlab.atlas.de" "gitlab.atlas.de/api/v4" "gitlab.atlas.de" forge-gitlab-repository))
+    )
+
+  (after! code-review
+    (setq code-review-auth-login-marker 'forge)
+    ;; (setq code-review-gitlab-host "gitlab.atlas.de/api")
+    ;; (setq code-review-gitlab-graphql-host "gitlab.atlas.de/api")
+    (add-hook 'code-review-mode-hook
+              (lambda ()
+                ;; include *Code-Review* buffer into current workspace
+                (persp-add-buffer (current-buffer))))))
+
 (setq ak/bibliography (list (concat org-directory "references.bib")))
-                                        ;(setq org-cite-global-bibliography (list (concat org-directory "references.bib")))
+;; (setq org-cite-global-bibliography (list (concat org-directory "references.bib")))
 (setq! bibtex-completion-bibliography ak/bibliography)
 (setq! citar-bibliography ak/bibliography)
 
-;; Use an ISO date format for ledger entries
-(setq ledger-default-date-format "%Y-%m-%d"
-      ledger-binary-path "hledger"
-      ledger-report-auto-width nil
-      ledger-mode-should-check-version nil
-      ledger-init-file-name " "
-      ledger-post-amount-alignment-column 58
-      ledger-report-native-highlighting-arguments '("--color=always")
-      ledger-highlight-xact-under-point t)
+(after! ledger-mode
+  (setq!
+   ;; Use an ISO date format for ledger entries
+   ledger-default-date-format "%Y-%m-%d"
+   ledger-binary-path "hledger"
+   ledger-report-auto-width nil
+   ledger-mode-should-check-version nil
+   ledger-init-file-name " "
+   ledger-post-amount-alignment-column 58
+   ledger-report-native-highlighting-arguments '("--color=always")
+   ledger-highlight-xact-under-point t)
 
-(setq ledger-reports
-      '(("bal" "%(binary) -f %(ledger-file) bal -B")
-        ("reg" "%(binary) -f %(ledger-file) reg -B")
-        ("payee" "%(binary) -f %(ledger-file) reg -B @%(payee)")
-        ("account" "%(binary) -f %(ledger-file) reg -B %(account)")))
+  (setq! ledger-reports
+         '(("bal" "%(binary) -f %(ledger-file) bal -B")
+           ("reg" "%(binary) -f %(ledger-file) reg -B")
+           ("payee" "%(binary) -f %(ledger-file) reg -B @%(payee)")
+           ("account" "%(binary) -f %(ledger-file) reg -B %(account)"))) )
 
-;; (use-package! ormolu
-;;   :hook (haskell-mode . ormolu-format-on-save-mode)
-;;   :bind
-;;   (:map haskell-mode-map
 
 (after! lsp-haskell
-  (setq lsp-haskell-formatting-provider "fourmolu"))
+  (setq lsp-haskell-formatting-provider "fourmolu")
 
-;; tweak some VI defaults
-(after! evil
-  (setq evil-ex-substitute-global t     ; I like my s/../.. to by global by default
-        evil-move-cursor-back nil       ; Don't move the block cursor when toggling insert mode
-        evil-kill-on-visual-paste nil)) ; Don't put overwritten text in the kill ring
+  ;; will define elisp functions for the given lsp code actions, prefixing the
+  ;; given function names with "lsp"
+  (lsp-make-interactive-code-action wingman-fill-hole "refactor.wingman.fillHole")
+  (lsp-make-interactive-code-action wingman-case-split "refactor.wingman.caseSplit")
+  (lsp-make-interactive-code-action wingman-refine "refactor.wingman.refine")
+  (lsp-make-interactive-code-action wingman-split-func-args "refactor.wingman.spltFuncArgs")
+  (lsp-make-interactive-code-action wingman-use-constructor "refactor.wingman.useConstructor")
 
-(setq org-gtd-update-ack "3.0.0")
+  ;; example key bindings
+  ;; (define-key haskell-mode-map (kbd "C-c d") #'lsp-wingman-case-split)
+  ;; (define-key haskell-mode-map (kbd "C-c n") #'lsp-wingman-fill-hole)
+  ;; (define-key haskell-mode-map (kbd "C-c r") #'lsp-wingman-refine)
+  ;; (define-key haskell-mode-map (kbd "C-c c") #'lsp-wingman-use-constructor)
+  ;; (define-key haskell-mode-map (kbd "C-c a") #'lsp-wingman-split-func-args)
+  )
 
 ;; Org GTD support
 (use-package! org-gtd
   :after org
   :demand t
+  :init
+  (setq! org-gtd-update-ack "3.0.0")
+
   :config
-  (setq org-gtd-directory "~/org")
-  (setq org-gtd-default-file-name "actionable")
-  (setq org-edna-use-inheritance t)
-                                        ;(setq org-gtd-areas-of-focus '("house" "haskell" "foss"))
-                                        ;(setq org-gtd-organize-hooks '(org-gtd-set-area-of-focus org-set-tags-command))
+  (setq! org-gtd-directory org-directory)
+  (setq! org-gtd-default-file-name "actionable")
+  (setq! org-edna-use-inheritance t)
+  ;; (setq org-gtd-areas-of-focus '("house" "haskell" "foss"))
+  ;; (setq org-gtd-organize-hooks '(org-gtd-set-area-of-focus org-set-tags-command))
   (org-edna-mode)
   (map! :leader
         :desc "Capture"        "X"  #'org-gtd-capture
-        (:prefix ("d" . "org-gtd")
+        (:prefix ("d" . "GTD")
          :desc "Capture"        "c"  #'org-gtd-capture
-         :desc "Engage"         "e"  #'org-gtd-engage-grouped-by-context
+         :desc "Engage"         "e"  #'org-gtd-engage
          :desc "Process inbox"  "p"  #'org-gtd-process-inbox
          :desc "Show all next"  "n"  #'org-gtd-show-all-next
          (:prefix ("r" . "Review")
@@ -152,59 +215,52 @@
          ))
   (map! :map org-gtd-clarify-map
         :desc "Organize this item" "C-c C-c" #'org-gtd-organize)
-  :bind
-  (("C-c d c" . #'org-gtd-capture)
-   ("C-c d e" . #'org-gtd-engage-grouped-by-context)
-   ("C-c d p" . #'org-gtd-process-inbox)
-   ("C-c d n" . #'org-gtd-show-all-next)
-   ("C-c d r p" . #'org-gtd-review-stuck-projects))
-  )
+  (map! (:prefix ("C-c d" . "GTD")
+         :desc "Capture"        "c"  #'org-gtd-capture
+         :desc "Engage"         "e"  #'org-gtd-engage
+         :desc "Process inbox"  "p"  #'org-gtd-process-inbox
+         :desc "Show all next"  "n"  #'org-gtd-show-all-next
+         (:prefix ("r" . "Review")
+          :desc "Stuck projects" "p"  #'org-gtd-review-stuck-projects
+          :desc "Stuck actions" "a"  #'org-gtd-review-stuck-single-action-items
+          :desc "Stuck habits" "h"  #'org-gtd-review-stuck-habit-items))))
 
-(defun ak/org-roam-node-insert-immediate (arg &rest args)
-  (interactive "P")
-  (let ((args (cons arg args))
-        (org-roam-capture-templates (list (append (car org-capture-templates) '(:immediate-finish t))))
-        )
-    (apply #'org-roam-node-insert args)))
-
-(use-package! org-habit
-  :after org
-  :config (setq org-habit-show-habits t
-                org-habit-preceding-days 35
-                org-habit-following-days 7
-                )
-
-  )
+(after! org-habit
+  (setq org-habit-show-habits t
+        org-habit-preceding-days 35
+        org-habit-following-days 7))
 
 (use-package! org-edna
   :after org-gtd
   :init
   (setq org-edna-use-inheritance t)
   :config
-  (org-edna-mode 1)
-  )
-
-(use-package! emacsql-sqlite3
-  :custom
-  (org-roam-database-connector 'sqlite3))
+  (org-edna-mode 1))
 
 (use-package! nov
   :mode ("\\.epub\\'" . nov-mode)
   :config
   (setq nov-save-place-file (concat doom-cache-dir "nov-places")))
 
+(use-package! protobuf-mode
+  :mode ("\\.proto\\'" . protobuf-mode))
+
+(use-package! systemd
+  :mode ("\\.\\(service\\|target\\|socket\\|timer\\)\\'" . systemd-mode))
+
 (use-package! org-present
   :after org)
 
 (use-package! denote
   :after org
   :config
-  (setq denote-directory (concat org-directory "/notes")
-
-        )
+  (setq! denote-directory (concat org-directory "/notes"))
+  (require 'denote-journal-extras)
+  (setq! denote-journal-extras-title-format 'day-date-month-year)
   (map! :leader
         (:prefix ("n" . "notes")
-         :desc "Denote"        "d"  #'denote-open-or-create-with-command
+         :desc "Denote"            "d"  #'denote-open-or-create-with-command
+         :desc "New journal entry" "j"  #'denote-journal-extras-new-or-existing-entry
          ))
   :bind
   (("C-c n d" . #'denote-open-or-create-with-command))
@@ -213,56 +269,55 @@
 (use-package! org-super-agenda
   :after org-agenda
   :init
-  (setq org-agenda-skip-deadline-if-done t
-        org-agenda-skip-scheduled-if-done t
-        org-agenda-include-deadlines t
-        org-agenda-block-separator nil
-        org-agenda-compact-blocks t
-        org-agenda-start-day nil
-        org-agenda-span 1
-        org-agenda-start-on-weekday nil
-        )
-  (setq org-agenda-custom-commands
-        '(("a" "Getting Things done"
-           ((agenda "" ((org-agenda-overriding-header "")
-                        (org-super-agenda-groups
-                         '((:name "Today"
-                            :time-grid t
-                            :date today
-                            :order 1)))))
-            (alltodo "" ((org-agenda-overriding-header "")
+  (setq! org-agenda-skip-deadline-if-done t
+         org-agenda-skip-scheduled-if-done t
+         org-agenda-include-deadlines t
+         org-agenda-block-separator nil
+         org-agenda-compact-blocks t
+         org-agenda-start-day nil
+         org-agenda-span 1
+         org-agenda-start-on-weekday nil
+         )
+  (setq! org-agenda-custom-commands
+         '(("a" "Getting Things done"
+            ((agenda "" ((org-agenda-overriding-header "")
                          (org-super-agenda-groups
-                          '(;(:log t)
-                            (:name "Waiting for..."
-                             :todo "WAIT"
-                             :order 1)
-                            (:discard (:not (:todo ("NEXT" "START"))))
-                            (:name "Next actions"
-                             :auto-parent (:todo ("NEXT" "STRT"))
-                             :order 2
-                             )
-                            (:discard (:anything t)
-                             :order 99)
-                            ))))
-            ))))
+                          '((:name "Today"
+                             :time-grid t
+                             :date today
+                             :order 1)))))
+             (alltodo "" ((org-agenda-overriding-header "")
+                          (org-super-agenda-groups
+                           '(;(:log t)
+                             (:name "Waiting for..."
+                              :todo "WAIT"
+                              :order 1)
+                             (:discard (:not (:todo ("NEXT" "STRT"))))
+                             (:name "Next actions"
+                              :auto-parent (:todo ("NEXT" "STRT"))
+                              :order 2
+                              )
+                             (:discard (:anything t)
+                              :order 99)
+                             ))))
+             ))))
   :config
   (org-super-agenda-mode)
   )
 
 (use-package! org-fc
-  :after org
-  :init
-  (setq org-fc-directories (concat org-directory "/cards"))
+  :after org straight
+  :config
+  (setq! org-fc-directories (concat org-directory "/cards"))
+  (setq! org-fc-source-path (concat straight-base-dir "repos/org-fc"))
   )
 
-(use-package! vterm
-  :config
+(after! vterm
   (setq vterm-min-window-width 50)
   )
 
 (map! :desc "Move workspace to the left" :leader :n "TAB <" #'+workspace/swap-left)
 (map! :desc "Move workspace to the left" :leader :n "TAB >" #'+workspace/swap-right)
-(map! :desc "Denote" :leader :n "n d" #'denote)
 
 ;; Here are some additional functions/macros that could help you configure Doom:
 ;;

home/alex/programs/emacs/doom/init.el

@@ -20,17 +20,18 @@
        ;;layout            ; auie,ctsrnm is the superior home row
 
        :completion
-       company           ; the ultimate code completion backend
+       ;; company          ; the ultimate code completion backend
        ;;helm              ; the *other* search engine for love and life
        ;;ido               ; the other *other* search engine...
        ;;ivy               ; a search engine for love and life
-       (vertico +icons)    ; the search engine of the future
+       (vertico +orderless +icons)    ; the search engine of the future
+       (corfu +orderless +icons +dabbrev)
 
        :ui
        ;;deft              ; notational velocity for Emacs
        doom              ; what makes DOOM look the way it does
        doom-dashboard    ; a nifty splash screen for Emacs
-       ;;doom-quit         ; DOOM quit-message prompts when you quit Emacs
+       doom-quit         ; DOOM quit-message prompts when you quit Emacs
        (emoji +unicode +github +ascii)  ; 🙂
        hl-todo           ; highlight TODO/FIXME/NOTE/DEPRECATED/HACK/REVIEW
        ;;hydra
@@ -45,7 +46,7 @@
        ;;tabs              ; a tab bar for Emacs
        ;;treemacs          ; a project drawer, like neotree but cooler
        unicode           ; extended unicode support for various languages
-       vc-gutter         ; vcs diff in the fringe
+       (vc-gutter +diff-hl) ; vcs diff in the fringe
        vi-tilde-fringe   ; fringe tildes to mark beyond EOB
        (window-select +numbers)     ; visually switch windows
        workspaces        ; tab emulation, persistence & separate workspaces
@@ -57,10 +58,11 @@
        fold              ; (nigh) universal code folding
        (format +onsave)  ; automated prettiness
        ;;god               ; run Emacs commands without modifier keys
-       ;;lispy             ; vim for lisp, for people who don't like vim
-       multiple-cursors  ; editing in many places at once
+       ;; lispy             ; vim for lisp, for people who don't like vim
+       multiple-cursors
+                                        ; editing in many places at once
        ;;objed             ; text object editing for the innocent
-       ;;parinfer          ; turn lisp into python, sort of
+       ;; parinfer          ; turn lisp into python, sort of
        rotate-text       ; cycle region at point between text candidates
        snippets          ; my elves. They type so I don't have to
        word-wrap         ; soft wrapping with language-aware indent
@@ -88,7 +90,7 @@
        biblio              ; Writes a PhD for you (citation needed)
        (debugger +lsp)          ; FIXME stepping through code, to help you add bugs
        direnv
-       ;;docker
+       docker
        editorconfig      ; let someone else argue about tabs vs spaces
        ;;ein               ; tame Jupyter notebooks with emacs
        (eval +overlay)     ; run code, run (also, repls)
@@ -102,9 +104,9 @@
        ;;prodigy           ; FIXME managing external services & code builders
        ;;rgb               ; creating color strings
        ;;taskrunner        ; taskrunner for all your projects
-       ;;terraform         ; infrastructure as code
        tmux              ; an API for interacting with tmux
        tree-sitter
+       (terraform +lsp)         ; infrastructure as code
        ;;upload            ; map local to remote projects via ssh/ftp
 
        :os
@@ -114,31 +116,31 @@
        :lang
        ;;agda              ; types of types of types of types...
        ;;beancount         ; mind the GAAP
-       (cc +lsp)                ; C > C++ == 1
+       (cc +lsp +tree-sitter)                ; C > C++ == 1
        ;;clojure           ; java with a lisp
-       ;;common-lisp       ; if you've seen one lisp, you've seen them all
+       common-lisp       ; if you've seen one lisp, you've seen them all
        ;;coq               ; proofs-as-programs
        ;;crystal           ; ruby at the speed of c
        ;;csharp            ; unity, .NET, and mono shenanigans
        data              ; config/data formats
        ;;(dart +flutter)   ; paint ui and not much else
        ;;dhall
-       ;;elixir            ; erlang done right
-       (elm +lsp)             ; care for a cup of TEA?
+       (elixir +lsp +tree-sitter)            ; erlang done right
+       (elm +lsp +tree-sitter)             ; care for a cup of TEA?
        emacs-lisp        ; drown in parentheses
-       ;;erlang            ; an elegant language for a more civilized age
+       (erlang +lsp +tree-sitter)            ; an elegant language for a more civilized age
        ;;ess               ; emacs speaks statistics
        ;;factor
        ;;faust             ; dsp, but you get to keep your soul
        ;;fsharp            ; ML stands for Microsoft's Language
        ;;fstar             ; (dependent) types and (monadic) effects and Z3
        ;;gdscript          ; the language you waited for
-       (go +lsp)         ; the hipster dialect
+       (go +lsp +tree-sitter)         ; the hipster dialect
        (graphql +lsp)    ; Give queries a REST
-       (haskell +lsp)  ; a language that's lazier than I am
+       (haskell +lsp +tree-sitter)  ; a language that's lazier than I am
        ;;hy                ; readability of scheme w/ speed of python
        ;;idris             ; a language you can depend on
-       json              ; At least it ain't XML
+       (json +lsp +tree-sitter)              ; At least it ain't XML
        (java +lsp +tree-sitter)       ; the poster child for carpal tunnel syndrome
        javascript        ; all(hope(abandon(ye(who(enter(here))))))
        ;;julia             ; a better, faster MATLAB
@@ -149,34 +151,34 @@
        lua               ; one-based indices? one-based indices
        markdown          ; writing docs for people to ignore
        ;;nim               ; python + lisp at the speed of c
-       nix               ; I hereby declare "nix geht mehr!"
+       (nix +lsp +tree-sitter)  ; I hereby declare "nix geht mehr!"
        ;;ocaml             ; an objective camel
-       (org +roam2 +pandoc +present +gnuplot +noter)               ; organize your plain life in plain text
+       (org +pandoc +present +gnuplot +noter)               ; organize your plain life in plain text
        ;;php               ; perl's insecure younger brother
        plantuml          ; diagrams for confusing people more
        ;;purescript        ; javascript, but functional
-       python            ; beautiful is better than ugly
+       (python +lsp +tree-sitter +pyenv)            ; beautiful is better than ugly
        qt                ; the 'cutest' gui framework ever
        ;;racket            ; a DSL for DSLs
        ;;raku              ; the artist formerly known as perl6
-       rest              ; Emacs as a REST client
+       (rest +jq)          ; Emacs as a REST client
        ;;rst               ; ReST in peace
        ;;(ruby +rails)     ; 1.step {|i| p "Ruby is #{i.even? ? 'love' : 'life'}"}
-       (rust +lsp)             ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
+       (rust +lsp +tree-sitter)             ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
        ;;scala             ; java, but good
        ;;(scheme +guile)   ; a fully conniving family of lisps
-       sh                ; she sells {ba,z,fi}sh shells on the C xor
+       (sh +lsp +tree-sitter)                ; she sells {ba,z,fi}sh shells on the C xor
        ;;sml
        ;;solidity          ; do you need a blockchain? No.
        ;;swift             ; who asked for emoji variables?
        ;;terra             ; Earth and Moon in alignment for performance.
-       ;;web               ; the tubes
-       yaml              ; JSON, but readable
-       ;;zig               ; C, but simpler
+       (web +lsp +tree-sitter)               ; the tubes
+       (yaml +lsp +tree-sitter)              ; JSON, but readable
+       (zig +lsp +tree-sitter)               ; C, but simpler
 
        :email
-       (mu4e +org +gmail)
-       ;;notmuch
+       ;; (mu4e +org +gmail)
+       (notmuch +org +afew)
        ;;(wanderlust +gmail)
 
        :app
@@ -190,7 +192,3 @@
        :config
        ;;literate
        (default +bindings +smartparens))
-
-(setq native-comp-deferred-compilation nil)
-(after! (doom-packages straight)
-  (setq straight--native-comp-available t))

home/alex/programs/emacs/doom/packages.el

@@ -68,4 +68,9 @@
 (package! denote)
 (package! org-super-agenda)
 (package! org-ql)
+(package! org-bookmark-heading)
+(package! activities
+  :recipe (:host github :repo "alphapapa/activities.el" :branch "master"))
 (package! elfeed-web)
+(package! systemd)
+(package! protobuf-mode)

home/alex/programs/fzf/default.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  programs.fzf = { enable = true; };
+}

home/alex/programs/git/default.nix

@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+
+{
+  programs.git = {
+    enable = true;
+    lfs.enable = true;
+    ignores = [
+      "*~"
+      "*.swp"
+      "result"
+      "dist-newstyle"
+      ".direnv"
+      "*.bak"
+      ".pre-commit-config.yaml"
+    ];
+    signing = {
+      key = "41A6D13FECA21280";
+      signByDefault = false;
+    };
+    delta = { enable = true; };
+    # TODO create option for my own account meta data
+    userEmail = "me@failco.de";
+    userName = "Alexander Kobjolke";
+
+    extraConfig = {
+      pull = { rebase = true; };
+      merge = { conflictstyle = "diff3"; };
+      submodule = { recurse = true; };
+    };
+
+    aliases = {
+      a = "add";
+      c = "commit";
+      ca = "commit --amend";
+      can = "commit --amend --no-edit";
+      cl = "clone";
+      cm = "commit -m";
+      co = "checkout";
+      cp = "cherry-pick";
+      cpx = "cherry-pick -x";
+      d = "diff";
+      f = "fetch";
+      fo = "fetch origin";
+      fu = "fetch upstream";
+      lol = "log --graph --decorate --pretty=oneline --abbrev-commit";
+      lola = "log --graph --decorate --pretty=oneline --abbrev-commit --all";
+      pl = "pull";
+      pr = "pull -r";
+      ps = "push";
+      psf = "push -f";
+      rb = "rebase";
+      rbi = "rebase -i";
+      r = "remote";
+      ra = "remote add";
+      rr = "remote rm";
+      rv = "remote -v";
+      rs = "remote show";
+      st = "status";
+    };
+    extraConfig = { init.defaultBranch = "main"; };
+  };
+
+  programs.git-cliff = { enable = true; };
+}

home/alex/programs/jitsi-meet/default.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.home.packages = [ pkgs.jitsi-meet-electron ];
+}

home/alex/programs/jq/default.nix

@@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  programs.jq = {
+    enable = true;
+  };
+}

home/alex/programs/rofi/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.programs.rofi = {
+    enable = true;
+    plugins = with pkgs; [ rofi-calc rofi-emoji ];
+    terminal = "${pkgs.alacritty}/bin/alacritty";
+    theme = ./themes/gruvbox-dark-soft.rasi;
+    pass = {
+      enable = true;
+      stores = [ config.programs.password-store.settings.PASSWORD_STORE_DIR ];
+      extraConfig = ''
+        default_user=:filename
+      '';
+    };
+  };
+
+  # let rofi insert emojis directly
+  config.home.packages = [ pkgs.xdotool ];
+}

home/alex/programs/rofi/themes/gruvbox-dark-soft.rasi

@@ -0,0 +1,191 @@
+/* ==========================================================================
+   Rofi color theme
+
+   Based on the Gruvbox color scheme for Vim by morhetz
+   https://github.com/morhetz/gruvbox
+
+   File: gruvbox-dark-soft.rasi
+   Desc: Gruvbox dark (soft contrast) color theme for Rofi
+   Author: bardisty <b@bah.im>
+   Source: https://github.com/bardisty/gruvbox-rofi
+   Modified: Mon Feb 12 2018 06:04:37 PST -0800
+   ========================================================================== */
+
+* {
+    /* Theme settings */
+    highlight: bold italic;
+    scrollbar: true;
+
+    /* Gruvbox dark colors */
+    gruvbox-dark-bg0-soft:     #32302f;
+    gruvbox-dark-bg1:          #3c3836;
+    gruvbox-dark-bg3:          #665c54;
+    gruvbox-dark-fg0:          #fbf1c7;
+    gruvbox-dark-fg1:          #ebdbb2;
+    gruvbox-dark-red-dark:     #cc241d;
+    gruvbox-dark-red-light:    #fb4934;
+    gruvbox-dark-yellow-dark:  #d79921;
+    gruvbox-dark-yellow-light: #fabd2f;
+    gruvbox-dark-gray:         #a89984;
+
+    /* Theme colors */
+    background:                  @gruvbox-dark-bg0-soft;
+    background-color:            @background;
+    foreground:                  @gruvbox-dark-fg1;
+    border-color:                @gruvbox-dark-gray;
+    separatorcolor:              @border-color;
+    scrollbar-handle:            @border-color;
+
+    normal-background:           @background;
+    normal-foreground:           @foreground;
+    alternate-normal-background: @gruvbox-dark-bg1;
+    alternate-normal-foreground: @foreground;
+    selected-normal-background:  @gruvbox-dark-bg3;
+    selected-normal-foreground:  @gruvbox-dark-fg0;
+
+    active-background:           @gruvbox-dark-yellow-dark;
+    active-foreground:           @background;
+    alternate-active-background: @active-background;
+    alternate-active-foreground: @active-foreground;
+    selected-active-background:  @gruvbox-dark-yellow-light;
+    selected-active-foreground:  @active-foreground;
+
+    urgent-background:           @gruvbox-dark-red-dark;
+    urgent-foreground:           @background;
+    alternate-urgent-background: @urgent-background;
+    alternate-urgent-foreground: @urgent-foreground;
+    selected-urgent-background:  @gruvbox-dark-red-light;
+    selected-urgent-foreground:  @urgent-foreground;
+}
+
+/* ==========================================================================
+   File: gruvbox-common.rasi
+   Desc: Shared rules between all gruvbox themes
+   Author: bardisty <b@bah.im>
+   Source: https://github.com/bardisty/gruvbox-rofi
+   Modified: Mon Feb 12 2018 06:06:47 PST -0800
+   ========================================================================== */
+
+window {
+    background-color: @background;
+    border:           2;
+    padding:          2;
+}
+
+mainbox {
+    border:  0;
+    padding: 0;
+}
+
+message {
+    border:       2px 0 0;
+    border-color: @separatorcolor;
+    padding:      1px;
+}
+
+textbox {
+    highlight:  @highlight;
+    text-color: @foreground;
+}
+
+listview {
+    border:       2px solid 0 0;
+    padding:      2px 0 0;
+    border-color: @separatorcolor;
+    spacing:      2px;
+    scrollbar:    @scrollbar;
+}
+
+element {
+    border:  0;
+    padding: 2px;
+}
+
+element.normal.normal {
+    background-color: @normal-background;
+    text-color:       @normal-foreground;
+}
+
+element.normal.urgent {
+    background-color: @urgent-background;
+    text-color:       @urgent-foreground;
+}
+
+element.normal.active {
+    background-color: @active-background;
+    text-color:       @active-foreground;
+}
+
+element.selected.normal {
+    background-color: @selected-normal-background;
+    text-color:       @selected-normal-foreground;
+}
+
+element.selected.urgent {
+    background-color: @selected-urgent-background;
+    text-color:       @selected-urgent-foreground;
+}
+
+element.selected.active {
+    background-color: @selected-active-background;
+    text-color:       @selected-active-foreground;
+}
+
+element.alternate.normal {
+    background-color: @alternate-normal-background;
+    text-color:       @alternate-normal-foreground;
+}
+
+element.alternate.urgent {
+    background-color: @alternate-urgent-background;
+    text-color:       @alternate-urgent-foreground;
+}
+
+element.alternate.active {
+    background-color: @alternate-active-background;
+    text-color:       @alternate-active-foreground;
+}
+
+scrollbar {
+    width:        4px;
+    border:       0;
+    handle-color: @scrollbar-handle;
+    handle-width: 8px;
+    padding:      0;
+}
+
+mode-switcher {
+    border:       2px 0 0;
+    border-color: @separatorcolor;
+}
+
+inputbar {
+    spacing:    0;
+    text-color: @normal-foreground;
+    padding:    2px;
+    children:   [ prompt, textbox-prompt-sep, entry, case-indicator ];
+}
+
+case-indicator,
+entry,
+prompt,
+button {
+    spacing:    0;
+    text-color: @normal-foreground;
+}
+
+button.selected {
+    background-color: @selected-normal-background;
+    text-color:       @selected-normal-foreground;
+}
+
+textbox-prompt-sep {
+    expand:     false;
+    str:        ":";
+    text-color: @normal-foreground;
+    margin:     0 0.3em 0 0;
+}
+element-text, element-icon {
+    background-color: inherit;
+    text-color:       inherit;
+}

home/alex/programs/shell/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+{
+  home.shellAliases = {
+    suspend = "systemctl hibernate";
+    nrs = "sudo nixos-rebuild switch --flake .";
+    nrb = "sudo nixos-rebuild build --flake .";
+  };
+
+  programs.zsh = {
+    enable = true;
+    autosuggestion.enable = true;
+    oh-my-zsh = {
+      enable = true;
+      plugins = [ "git" "fzf" "fd" "z" ];
+      theme = "simple";
+    };
+  };
+}

home/alex/programs/simplex-chat/default.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.home.packages = [ pkgs.simplex-chat-desktop ];
+}

home/alex/programs/xmonad/config.hs

@@ -1,77 +1,151 @@
 import XMonad
-
-import XMonad.Hooks.DynamicLog
-import XMonad.Hooks.ManageDocks
-import XMonad.Hooks.ManageHelpers
-import XMonad.Hooks.StatusBar
-import XMonad.Hooks.StatusBar.PP
-
-import XMonad.Util.EZConfig
-import XMonad.Util.Loggers
-import XMonad.Util.Ungrab
-
-import XMonad.Layout.Magnifier
-import XMonad.Layout.ThreeColumns
-
+import XMonad.Actions.CycleWS qualified as WS
+import XMonad.Actions.Navigation2D (navigation2DP, windowGo, windowSwap)
 import XMonad.Hooks.EwmhDesktops
+import XMonad.Hooks.ManageDocks qualified as Docks
+import XMonad.Hooks.ManageHelpers (doCenterFloat, doFullFloat, isDialog, isFullscreen)
+import XMonad.Hooks.SetWMName
+import XMonad.Layout.BinarySpacePartition
+import XMonad.Layout.BorderResize (borderResize)
+import XMonad.Layout.NoBorders (smartBorders)
+import XMonad.Layout.ThreeColumns
+import XMonad.Layout.ToggleLayouts (ToggleLayout (..), toggleLayouts)
+import XMonad.ManageHook (doFloat)
+import XMonad.StackSet as W
+import XMonad.Util.EZConfig qualified as EZ
+import XMonad.Util.NamedScratchpad
+import XMonad.Util.Ungrab (unGrab)
+import XMonad.Util.WorkspaceCompare qualified as WS
 
+import Control.Monad (when)
+import Numeric.Natural
+import System.Environment (getArgs)
+import System.FilePath ((</>))
+import System.Info (arch, os)
+import System.Posix.Process (executeFile)
+import Text.Printf (printf)
+
+compiledConfig = printf "xmonad-%s-%s" arch os
+
+compileRestart resume = do
+    dirs <- asks directories
+    whenX (recompile dirs True) $ do
+        when resume writeStateToFile
+        catchIO
+            ( do
+                args <- getArgs
+                executeFile (cacheDir dirs </> compiledConfig) False args Nothing
+            )
+
+myLayout = smartBorders . borderResize . Docks.avoidStruts $ toggleLayouts Full emptyBSP
 
 main :: IO ()
-main = xmonad
-     . ewmhFullscreen
-     . ewmh
-     . withEasySB (statusBarProp "xmobar" (pure myXmobarPP)) defToggleStrutsKey
-     $ myConfig
+main = getDirectories >>= launch myConfig
 
-myConfig = def
-    { modMask    = mod4Mask      -- Rebind Mod to the Super key
-    , layoutHook = myLayout      -- Use custom layouts
-    , manageHook = myManageHook  -- Match on certain windows
-    }
-  `additionalKeysP`
-    [ ("M-S-z", spawn "xscreensaver-command -lock")
-    , ("M-C-s", unGrab *> spawn "scrot -s"        )
-    , ("M-f"  , spawn "firefox"                   )
+-- change size of window using direction so that it can be used together with the navigation2D function
+-- see: similar to windowGo and windowSwap
+windowMoveSplit :: Direction2D -> Bool -> X ()
+windowMoveSplit direction _ = sendMessage $ MoveSplit direction
+
+data VolumeCommand
+    = ToggleVolume
+    | LowerVolume Natural
+    | RaiseVolume Natural
+
+interpretVolumeCommand :: VolumeCommand -> String
+interpretVolumeCommand command = "amixer -q set Master " <> cmd
+  where
+    cmd = case command of
+        ToggleVolume -> "toggle"
+        LowerVolume delta -> show delta <> "%-"
+        RaiseVolume delta -> show delta <> "%+"
+
+changeVolume :: VolumeCommand -> X ()
+changeVolume = spawn . interpretVolumeCommand
+
+myWorkspaceFilter :: X WS.WorkspaceSort
+myWorkspaceFilter = do
+    sortXineramaAware <- WS.getSortByXineramaRule
+    pure $ sortXineramaAware . WS.filterOutWs [scratchpadWorkspaceTag]
+
+scratchpads =
+    [ NS
+        "notes"
+        "emacsclient -c -F '((name . \"gtd\"))'"
+        (resource =? "gtd")
+        doCenterFloat
+    , -- (customFloating $ W.RationalRect (1/6) (1/6) (2/3) (2/3))
+      NS
+        "shell"
+        "alacritty --class scratchpad"
+        (resource =? "scratchpad")
+        (customFloating $ W.RationalRect (1 / 6) (1 / 6) (2 / 3) (2 / 3))
     ]
 
-myManageHook :: ManageHook
-myManageHook = composeAll
-    [ className =? "Gimp" --> doFloat
-    , isDialog            --> doFloat
-    ]
+myConfig =
+    addEwmhWorkspaceSort myWorkspaceFilter
+        . ewmhFullscreen
+        . ewmh
+        . Docks.docks
+        . nav
+        $ def
+            { modMask = mod4Mask -- Use Super instead of Alt
+            , terminal = "alacritty"
+            , layoutHook = myLayout
+            , handleEventHook = handleEventHook def <+> fullscreenEventHook
+            , -- this seems to be necessary to make java gui applications work :(
+              startupHook = ewmhDesktopsStartup >> setWMName "LG3D"
+            , manageHook =
+                mconcat
+                    [ namedScratchpadManageHook scratchpads
+                    , isDialog --> doFloat
+                    , isFullscreen --> doFullFloat
+                    , className =? "steam_proton" --> doFloat
+                    , manageHook def
+                    ]
+            }
+            `EZ.additionalKeysP` [ ("M-S-z", spawn "xscreensaver-command -lock")
+                                 , ("M-S-r", compileRestart True)
+                                 , ("M-S-q", restart "xmonad" True)
+                                 , ("M-C-s", unGrab *> spawn "scrot -s")
+                                 , ("M-b", sendMessage Docks.ToggleStruts)
+                                 , ("M-f", sendMessage (Toggle "Full"))
+                                 , ("M-p", spawn appLauncher)
+                                 , ("M-i", spawn passLauncher)
+                                 , ("M-w", kill)
+                                 , ("M-l", WS.toggleWS)
+                                 , ("M-g", WS.prevWS)
+                                 , ("M-C-g", WS.swapPrevScreen)
+                                 , ("M-S-g", WS.shiftPrevScreen)
+                                 , ("M-r", WS.nextWS)
+                                 , ("M-C-r", WS.swapNextScreen)
+                                 , ("M-S-r", WS.shiftNextScreen)
+                                 , -- scratchpads
+                                   ("M-s M-s", namedScratchpadAction scratchpads "notes")
+                                 , ("M-s s", namedScratchpadAction scratchpads "shell")
+                                 , -- backlight control
 
-myLayout = tiled ||| Mirror tiled ||| Full ||| threeCol
+                                   ("<XF86MonBrightnessDown>", spawn "xbacklight -dec 5")
+                                 , ("<XF86MonBrightnessUp>", spawn "xbacklight -inc 5")
+                                 , ("<F5>", spawn "xbacklight -dec 5")
+                                 , ("<F6>", spawn "xbacklight -inc 5")
+                                 , -- volume control
+
+                                   ("<XF86AudioMute>", changeVolume ToggleVolume)
+                                 , ("<XF86AudioLowerVolume>", changeVolume $ LowerVolume 5)
+                                 , ("<XF86AudioRaiseVolume>", changeVolume $ RaiseVolume 5)
+                                 , ("M-a", sendMessage Balance)
+                                 , ("M-S-a", sendMessage Equalize)
+                                 , ("M-o", sendMessage Rotate)
+                                 ]
   where
-    threeCol = magnifiercz' 1.3 $ ThreeColMid nmaster delta ratio
-    tiled    = Tall nmaster delta ratio
-    nmaster  = 1      -- Default number of windows in the master pane
-    ratio    = 1/2    -- Default proportion of screen occupied by master pane
-    delta    = 3/100  -- Percent of screen to increment by when resizing panes
+    -- navigate using dvorak bindings
+    nav = navigation2DP def ("c", "h", "t", "n") [("M-", windowGo), ("M-C-", windowSwap), ("M-S-", windowMoveSplit)] True
+    appLauncher = "rofi -show combi -modes combi -combi-modes window,drun,run,ssh"
+    passLauncher = "rofi-pass"
 
-myXmobarPP :: PP
-myXmobarPP = def
-    { ppSep             = magenta " • "
-    , ppTitleSanitize   = xmobarStrip
-    , ppCurrent         = wrap " " "" . xmobarBorder "Top" "#8be9fd" 2
-    , ppHidden          = white . wrap " " ""
-    , ppHiddenNoWindows = lowWhite . wrap " " ""
-    , ppUrgent          = red . wrap (yellow "!") (yellow "!")
-    , ppOrder           = \[ws, l, _, wins] -> [ws, l, wins]
-    , ppExtras          = [logTitles formatFocused formatUnfocused]
-    }
-  where
-    formatFocused   = wrap (white    "[") (white    "]") . magenta . ppWindow
-    formatUnfocused = wrap (lowWhite "[") (lowWhite "]") . blue    . ppWindow
-
-    -- | Windows should have *some* title, which should not not exceed a
-    -- sane length.
-    ppWindow :: String -> String
-    ppWindow = xmobarRaw . (\w -> if null w then "untitled" else w) . shorten 30
-
-    blue, lowWhite, magenta, red, white, yellow :: String -> String
-    magenta  = xmobarColor "#ff79c6" ""
-    blue     = xmobarColor "#bd93f9" ""
-    white    = xmobarColor "#f8f8f2" ""
-    yellow   = xmobarColor "#f1fa8c" ""
-    red      = xmobarColor "#ff5555" ""
-    lowWhite = xmobarColor "#bbbbbb" ""
+-- myManageHook :: ManageHook
+-- myManageHook = composeAll
+--     [ className =? "Gimp" --> doFloat
+--     , isDialog            --> doFloat
+--     ]

home/alex/programs/xmonad/default.nix

@@ -1,11 +1,12 @@
 { config, lib, pkgs, ... }:
 
 {
-  xsession = {
-    windowManager.command = let
-      xmonad = pkgs.xmonad-with-packages.override {
-        packages = self: [ self.xmonad-contrib ];
-      };
-    in "${xmonad}/bin/xmonad";
+  config.xsession.windowManager.xmonad = {
+    enable = true;
+    enableContribAndExtras = true;
+    config = ./config.hs;
   };
+
+  # control backlight
+  config.home.packages = [ pkgs.xorg.xbacklight pkgs.scrot ];
 }

home/alex/programs/zathura/default.nix

@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.programs.zathura = {
+    enable = true;
+    extraConfig = builtins.readFile ./gruvbox-dark.zathurarc;
+  };
+}

home/alex/programs/zathura/gruvbox-dark.zathurarc

@@ -0,0 +1,40 @@
+set notification-error-bg       "#282828" # bg
+set notification-error-fg       "#fb4934" # bright:red
+set notification-warning-bg     "#282828" # bg
+set notification-warning-fg     "#fabd2f" # bright:yellow
+set notification-bg             "#282828" # bg
+set notification-fg             "#b8bb26" # bright:green
+
+set completion-bg               "#504945" # bg2
+set completion-fg               "#ebdbb2" # fg
+set completion-group-bg         "#3c3836" # bg1
+set completion-group-fg         "#928374" # gray
+set completion-highlight-bg     "#83a598" # bright:blue
+set completion-highlight-fg     "#504945" # bg2
+
+# Define the color in index mode
+set index-bg                    "#504945" # bg2
+set index-fg                    "#ebdbb2" # fg
+set index-active-bg             "#83a598" # bright:blue
+set index-active-fg             "#504945" # bg2
+
+set inputbar-bg                 "#282828" # bg
+set inputbar-fg                 "#ebdbb2" # fg
+
+set statusbar-bg                "#504945" # bg2
+set statusbar-fg                "#ebdbb2" # fg
+
+set highlight-color             "#fabd2f" # bright:yellow
+set highlight-active-color      "#fe8019" # bright:orange
+
+set default-bg                  "#282828" # bg
+set default-fg                  "#ebdbb2" # fg
+set render-loading              true
+set render-loading-bg           "#282828" # bg
+set render-loading-fg           "#ebdbb2" # fg
+
+# Recolor book content's color
+set recolor-lightcolor          "#282828" # bg
+set recolor-darkcolor           "#ebdbb2" # fg
+set recolor                     "true"
+# set recolor-keephue             true      # keep original color

home/alex/services/blueman-applet/default.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.blueman-applet = { enable = true; };
+}

home/alex/services/dunst/default.nix

@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.dunst = {
+    enable = true;
+    iconTheme = {
+      name = "Adwaita";
+      package = pkgs.gnome3.adwaita-icon-theme;
+      size = "16x16";
+    };
+    settings = {
+      global = {
+        monitor = 0;
+        geometry = "600x50-50+65";
+        shrink = "yes";
+        transparency = 10;
+        padding = 16;
+        horizontal_padding = 16;
+        font = "JetBrainsMono Nerd Font 10";
+        line_height = 4;
+        format = "<b>%s</b>\\n%b";
+      };
+    };
+  };
+}

home/alex/services/git-sync/default.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+let cfg = config.my.git-sync;
+in {
+  options.my.git-sync = { enable = lib.mkEnableOption "git-sync"; };
+
+  config.services.git-sync = lib.mkIf cfg.enable {
+    enable = true;
+    repositories = {
+      "org" = {
+        path = "${config.home.homeDirectory}/org";
+        uri = "git+ssh://git@git.failco.de:jakalx/org.git";
+      };
+    };
+  };
+}

home/alex/services/network-manager/default.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.network-manager-applet = { enable = true; };
+}

home/alex/services/picom/default.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.picom = {
+    enable = true;
+    activeOpacity = 1.0;
+    inactiveOpacity = 0.8;
+    backend = "glx";
+    fade = true;
+    fadeDelta = 5;
+    opacityRules = [ "100:name *= 'i3lock'" ];
+    shadow = true;
+    shadowOpacity = 0.75;
+  };
+}

home/alex/services/polybar/config.ini

@@ -0,0 +1,235 @@
+;==========================================================
+;
+;
+;   ██████╗  ██████╗ ██╗  ██╗   ██╗██████╗  █████╗ ██████╗
+;   ██╔══██╗██╔═══██╗██║  ╚██╗ ██╔╝██╔══██╗██╔══██╗██╔══██╗
+;   ██████╔╝██║   ██║██║   ╚████╔╝ ██████╔╝███████║██████╔╝
+;   ██╔═══╝ ██║   ██║██║    ╚██╔╝  ██╔══██╗██╔══██║██╔══██╗
+;   ██║     ╚██████╔╝███████╗██║   ██████╔╝██║  ██║██║  ██║
+;   ╚═╝      ╚═════╝ ╚══════╝╚═╝   ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝
+;
+;
+;   To learn more about how to configure Polybar
+;   go to https://github.com/polybar/polybar
+;
+;   The README contains a lot of information
+;
+;==========================================================
+
+[colors]
+background = #282A2E
+background-alt = #373B41
+foreground = #C5C8C6
+primary = #F0C674
+secondary = #8ABEB7
+alert = #A54242
+disabled = #707880
+
+[bar/main]
+width = 100%
+height = 24pt
+radius = 6
+
+; dpi = 96
+
+background = ${colors.background}
+foreground = ${colors.foreground}
+
+line-size = 3pt
+
+border-size = 4pt
+border-color = #00000000
+
+padding-left = 0
+padding-right = 1
+
+module-margin = 1
+
+separator = |
+separator-foreground = ${colors.disabled}
+
+font-0 = monospace;2
+
+modules-left = xworkspaces xwindow
+modules-center = systray
+modules-right = filesystem pulseaudio xkeyboard memory cpu battery wlan eth backlight date
+
+cursor-click = pointer
+cursor-scroll = ns-resize
+
+enable-ipc = true
+
+tray-position = center
+
+; wm-restack = generic
+; wm-restack = bspwm
+; wm-restack = i3
+
+; override-redirect = true
+
+[module/systray]
+type = internal/tray
+
+format-margin = 8pt
+tray-spacing = 16pt
+
+[module/battery]
+type = internal/battery
+
+; This is useful in case the battery never reports 100% charge
+; Default: 100
+full-at = 99
+
+; format-low once this charge percentage is reached
+; Default: 10
+; New in version 3.6.0
+low-at = 10
+
+; Use the following command to list batteries and adapters:
+; $ ls -1 /sys/class/power_supply/
+battery = BAT0
+adapter = ADP0
+
+; If an inotify event haven't been reported in this many
+; seconds, manually poll for new values.
+;
+; Needed as a fallback for systems that don't report events
+; on sysfs/procfs.
+;
+; Disable polling by setting the interval to 0.
+;
+; Default: 5
+poll-interval = 5
+
+[module/backlight]
+type = internal/xbacklight
+
+; XRandR output to get get values from
+; Default: the monitor defined for the running bar
+;output = DP-4
+
+; Create scroll handlers used to set the backlight value
+; Default: true
+enable-scroll = true
+
+; Available tags:
+;   <label> (default)
+;   <ramp>
+;   <bar>
+format = <ramp>
+
+; Available tokens:
+;   %percentage% (default)
+label = %percentage%%
+
+; Only applies if <ramp> is used
+ramp-0 = 🌕
+ramp-1 = 🌔
+ramp-2 = 🌓
+ramp-3 = 🌒
+ramp-4 = 🌑
+
+[module/xworkspaces]
+type = internal/xworkspaces
+
+label-active = %name%
+label-active-background = ${colors.background-alt}
+label-active-underline= ${colors.primary}
+label-active-padding = 1
+
+label-occupied = %name%
+label-occupied-padding = 1
+
+label-urgent = %name%
+label-urgent-background = ${colors.alert}
+label-urgent-padding = 1
+
+label-empty = %name%
+label-empty-foreground = ${colors.disabled}
+label-empty-padding = 1
+
+[module/xwindow]
+type = internal/xwindow
+label = %title:0:60:...%
+
+[module/filesystem]
+type = internal/fs
+interval = 25
+
+mount-0 = /
+
+label-mounted = %{F#F0C674}%mountpoint%%{F-} %percentage_used%%
+
+label-unmounted = %mountpoint% not mounted
+label-unmounted-foreground = ${colors.disabled}
+
+[module/pulseaudio]
+type = internal/pulseaudio
+
+format-volume-prefix = "VOL "
+format-volume-prefix-foreground = ${colors.primary}
+format-volume = <label-volume>
+
+label-volume = %percentage%%
+
+label-muted = muted
+label-muted-foreground = ${colors.disabled}
+
+[module/xkeyboard]
+type = internal/xkeyboard
+blacklist-0 = num lock
+
+label-layout = %layout%
+label-layout-foreground = ${colors.primary}
+
+label-indicator-padding = 2
+label-indicator-margin = 1
+label-indicator-foreground = ${colors.background}
+label-indicator-background = ${colors.secondary}
+
+[module/memory]
+type = internal/memory
+interval = 2
+format-prefix = "RAM "
+format-prefix-foreground = ${colors.primary}
+label = %percentage_used:2%%
+
+[module/cpu]
+type = internal/cpu
+interval = 2
+format-prefix = "CPU "
+format-prefix-foreground = ${colors.primary}
+label = %percentage:2%%
+
+[network-base]
+type = internal/network
+interval = 5
+format-connected = <label-connected>
+format-disconnected = <label-disconnected>
+label-disconnected = %{F#F0C674}%ifname%%{F#707880} disconnected
+
+[module/wlan]
+inherit = network-base
+interface-type = wireless
+label-connected = %{F#F0C674}%ifname%%{F-} %essid% %local_ip%
+
+[module/eth]
+inherit = network-base
+interface-type = wired
+label-connected = %{F#F0C674}%ifname%%{F-} %local_ip%
+
+[module/date]
+type = internal/date
+interval = 1
+
+date = %H:%M
+date-alt = %Y-%m-%d %H:%M:%S
+
+label = %date%
+label-foreground = ${colors.primary}
+
+[settings]
+screenchange-reload = true
+pseudo-transparency = true
+
+; vim:ft=dosini

home/alex/services/polybar/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+let
+  mypolybar = pkgs.polybar.override {
+    alsaSupport = true;
+    mpdSupport = true;
+    pulseSupport = true;
+  };
+in {
+  config.home.packages = with pkgs; [ font-awesome material-design-icons ];
+
+  config.services.polybar = {
+    enable = true;
+    package = mypolybar;
+    config = ./config.ini;
+    script = ''
+      polybar & disown
+    '';
+  };
+}

home/alex/services/screen-locker/default.nix

@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.screen-locker = {
+    enable = true;
+    inactiveInterval = 30;
+    lockCmd = "${pkgs.betterlockscreen}/bin/betterlockscreen -l dim";
+    xautolock.extraOptions = [ "-killer 'systemctl suspend'" ];
+  };
+}

home/alex/services/syncthing/default.nix

@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.syncthing = {
+    enable = true;
+    tray = {
+      enable = true;
+      command = "syncthingtray --wait";
+    };
+  };
+}

home/alex/services/udiskie/default.nix

@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.udiskie = {
+    enable = true;
+    tray = "always";
+  };
+}

hosts/dregil/configuration.nix

@@ -16,8 +16,10 @@ in {
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
     # <nixos-hardware/lenovo/legion/15ich>
+    ../../modules/appimage.nix
+    ../../modules/sudo.nix
     ../../modules/wm/x.nix
-    ../../modules/wm/xmonad.nix
+    ../../modules/wm/xmonad/default.nix
   ];
 
   # Use the systemd-boot EFI boot loader.
@@ -79,8 +81,8 @@ in {
   ];
 
   # adjust channels to nixpkgs used on this system via this flake
-  environment.etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-unstable.outPath;
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs-unstable}" ];
+  environment.etc."nix/inputs/nixpkgs".source = inputs.nixpkgs.outPath;
+  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
 
   nix.settings.max-jobs = 3;
   nix.settings.cores = 4;
@@ -98,9 +100,10 @@ in {
 
   services.blueman.enable = true;
 
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Open ports in the firewall
+  # 22000, 21027 syncthing discovery and connectivity
+  networking.firewall.allowedTCPPorts = [ 5223 22000 ];
+  networking.firewall.allowedUDPPorts = [ 21027 22000 ];
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
 

hosts/dregil/default.nix

@@ -1,13 +1,10 @@
 { lib, config, pkgs, inputs, ... }: {
   imports = [
-    ({ inputs, lib, ... }: {
-      nixpkgs = { config.allowUnfree = true; };
-      nix.registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
-    })
+    ({ ... }: { nixpkgs = { config.allowUnfree = true; }; })
     ../../modules/security.nix
     ../../modules/common-system.nix
     ./configuration.nix
-    inputs.home-manager-unstable.nixosModules.home-manager
+    inputs.home-manager.nixosModules.home-manager
     ../../home/anne/default.nix
     ../../home/alex/default.nix
   ];

hosts/dregil/hardware-configuration.nix

@@ -1,13 +1,25 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules =
-    [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "thunderbolt"
+    "nvme"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
   boot.initrd.kernelModules = [
     "dm-snapshot"
     "uas"
@@ -27,26 +39,38 @@
       keyFileSize = 4096;
     };
   };
-  boot.kernelModules = [ "kvm-intel" "nvidia" ];
-  boot.extraModulePackages = [ pkgs.linuxPackages.nvidia_x11 ];
+  boot.kernelModules = [
+    "kvm-intel"
+    "nvidia"
+  ];
   boot.kernelParams = [ "module_blacklist=i915" ];
 
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
     fsType = "btrfs";
-    options = [ "subvol=root" "compress=zstd" ];
+    options = [
+      "subvol=root"
+      "compress=zstd"
+    ];
   };
 
   fileSystems."/home" = {
     device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
     fsType = "btrfs";
-    options = [ "subvol=home" "compress=zstd" ];
+    options = [
+      "subvol=home"
+      "compress=zstd"
+    ];
   };
 
   fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
     fsType = "btrfs";
-    options = [ "subvol=nix" "compress=zstd" "noatime" ];
+    options = [
+      "subvol=nix"
+      "compress=zstd"
+      "noatime"
+    ];
   };
 
   fileSystems."/boot" = {
@@ -54,8 +78,7 @@
     fsType = "vfat";
   };
 
-  swapDevices =
-    [{ device = "/dev/disk/by-uuid/b8c224ad-095e-4a48-b5b2-a19451fdeb95"; }];
+  swapDevices = [ { device = "/dev/disk/by-uuid/b8c224ad-095e-4a48-b5b2-a19451fdeb95"; } ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -67,8 +90,7 @@
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-  hardware.cpu.intel.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 
   hardware.nvidia = {
     nvidiaSettings = true;

hosts/thrall/alex.nix

@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [ ../../home/alex/cli.nix ../../home/alex/services/git-sync ];
+
+  config.my.git-sync.enable = true;
+}

hosts/thrall/default.nix

@@ -2,22 +2,32 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ inputs, config, pkgs, ... }:
+{
+  inputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}:
 let
-  authorityFromUrl = url:
-    builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
-in {
+  authorityFromUrl = url: builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
+in
+{
+  disabledModules = [ "services/web-apps/hledger-web.nix" ];
+
   imports = [
     ./hardware-configuration.nix
     inputs.snm.nixosModule
     inputs.agenix.nixosModules.age
     ../../modules/security.nix
+    ../../modules/sudo.nix
     ../../modules/upgrade-pg-cluster.nix
     ../../modules/nix-config.nix
     ../../modules/iohk.nix
     ../../modules/timezone.nix
     ../../modules/keybase.nix
     ../../modules/ssh.nix
+    ../../modules/hledger-web.nix
   ];
 
   # Use the GRUB 2 boot loader.
@@ -44,84 +54,89 @@ in {
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
-  networking = let extIface = "ens3";
-  in {
-    hostName = "thrall";
-    domain = "failco.de";
-    wireless.enable = false;
-    useDHCP = false;
-    enableIPv6 = false;
-    interfaces.${extIface} = {
-      ipv4.addresses = [{
-        address = "195.90.211.228";
-        prefixLength = 22;
-      }];
-    };
-    defaultGateway = "195.90.208.1";
-    nameservers = [ "1.1.1.1" "8.8.8.8" ];
-    firewall = {
-      allowedTCPPorts = [ 22 53 80 443 5000 ];
-      allowedUDPPorts = [ 53 42666 ];
-    };
-
-    # wireguard related config
-    nat.enable = true;
-    nat.externalInterface = extIface;
-    nat.internalInterfaces = [ "wg0" ];
-
-    wireguard.interfaces = {
-      wg0 = {
-        ips = [ "10.0.0.1/24" ];
-        listenPort = 42666;
-
-        postSetup = ''
-          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
-        '';
-        postShutdown = ''
-          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
-        '';
-
-        privateKeyFile = config.age.secrets.wireguard-thrall.path;
-        peers = [
+  networking =
+    let
+      extIface = "ens3";
+    in
+    {
+      hostName = "thrall";
+      domain = "failco.de";
+      wireless.enable = false;
+      useDHCP = false;
+      enableIPv6 = false;
+      interfaces.${extIface} = {
+        ipv4.addresses = [
           {
-            # my phone
-            publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
-            allowedIPs = [ "10.0.0.2/32" ];
-          }
-          {
-            # my tablet
-            publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
-            allowedIPs = [ "10.0.0.3/32" ];
-          }
-          {
-            # homematic
-            publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
-            allowedIPs = [ "10.0.0.4/32" ];
+            address = "195.90.211.228";
+            prefixLength = 22;
           }
         ];
       };
+      defaultGateway = "195.90.208.1";
+      nameservers = [
+        "1.1.1.1"
+        "8.8.8.8"
+      ];
+      firewall = {
+        allowedTCPPorts = [
+          22
+          53
+          80
+          443
+          5000
+        ];
+        allowedUDPPorts = [
+          53
+          42666
+        ];
+      };
+
+      # wireguard related config
+      nat.enable = true;
+      nat.externalInterface = extIface;
+      nat.internalInterfaces = [ "wg0" ];
+
+      wireguard.interfaces = {
+        wg0 = {
+          ips = [ "10.0.0.1/24" ];
+          listenPort = 42666;
+
+          postSetup = ''
+            ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
+          '';
+          postShutdown = ''
+            ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
+          '';
+
+          privateKeyFile = config.age.secrets.wireguard-thrall.path;
+          peers = [
+            {
+              # my phone
+              publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
+              allowedIPs = [ "10.0.0.2/32" ];
+            }
+            {
+              # my tablet
+              publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
+              allowedIPs = [ "10.0.0.3/32" ];
+            }
+            {
+              # homematic
+              publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
+              allowedIPs = [ "10.0.0.4/32" ];
+            }
+          ];
+        };
+      };
     };
-  };
 
   security.acme = {
     acceptTerms = true;
     defaults.email = "alex@jakalx.net";
   };
 
-  security.sudo = {
-    enable = true;
-    execWheelOnly = true;
-    extraRules = [{
-      groups = [ "wheel" ];
-      commands = [{
-        command = "/run/current-system/sw/bin/nixos-rebuild";
-        options = [ "NOPASSWD" ];
-      }];
-    }];
-  };
-
   # Select internationalization properties.
   i18n.defaultLocale = "en_US.UTF-8";
   console = {
@@ -139,7 +154,14 @@ in {
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
-  environment.systemPackages = with pkgs; [ wget rsync htop tmux git rclone ];
+  environment.systemPackages = with pkgs; [
+    wget
+    rsync
+    htop
+    tmux
+    git
+    rclone
+  ];
 
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
@@ -163,7 +185,11 @@ in {
 
   services.kresd = {
     enable = true;
-    listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
+    listenPlain = [
+      "[::1]:53"
+      "127.0.0.1:53"
+      "10.0.0.1:53"
+    ];
   };
 
   services.lorri.enable = true;
@@ -223,29 +249,25 @@ in {
       '';
     };
 
-    # gitea
-    "${config.services.gitea.settings.server.DOMAIN}" = {
+    # forgejo - git web frontend
+    "${config.services.forgejo.settings.server.DOMAIN}" = {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://127.0.0.1:${
-            toString config.services.gitea.settings.server.HTTP_PORT
-          }/";
+        proxyPass = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}/";
         proxyWebsockets = true;
       };
     };
 
     # paperless
-    "${authorityFromUrl config.services.paperless.extraConfig.PAPERLESS_URL}" =
-      {
-        forceSSL = true;
-        enableACME = true;
-        locations."/" = {
-          proxyPass =
-            "http://127.0.0.1:${toString config.services.paperless.port}/";
-          proxyWebsockets = true;
-        };
+    "${authorityFromUrl config.services.paperless.settings.PAPERLESS_URL}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/";
+        proxyWebsockets = true;
       };
+    };
 
     # hledger
     "${authorityFromUrl config.services.hledger-web.baseUrl}" = {
@@ -253,16 +275,22 @@ in {
       enableACME = true;
       basicAuthFile = config.age.secrets.hledger-web.path;
       locations."/" = {
-        proxyPass = "http://${config.services.hledger-web.host}:${
-            toString config.services.hledger-web.port
-          }/";
+        proxyPass = "http://${config.services.hledger-web.host}:${toString config.services.hledger-web.port}/";
         proxyWebsockets = true;
       };
     };
   };
 
-  services.gitea = {
+  users.users.git = {
+    home = config.services.forgejo.stateDir;
+    useDefaultShell = true;
+    group = config.services.forgejo.group;
+    isSystemUser = true;
+  };
+
+  services.forgejo = {
     enable = true;
+    user = "git";
     database.type = "sqlite3";
     lfs.enable = true;
 
@@ -278,10 +306,13 @@ in {
 
       mailer = {
         ENABLED = true;
-        MAILER_TYPE = "smtp";
-        FROM = "git@failco.de";
-        HOST = "thrall.failco.de:25";
-        IS_TLS_ENABLED = false;
+        PROTOCOL = "smtp";
+        SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+        FROM = "noreply@failco.de";
+      };
+
+      other = {
+        SHOW_FOOTER_VERSION = false;
       };
     };
   };
@@ -291,9 +322,15 @@ in {
     address = "127.0.0.1";
     port = 3002;
     consumptionDirIsPublic = true;
-    extraConfig = {
+    settings = {
       PAPERLESS_OCR_LANGUAGE = "deu+eng";
       PAPERLESS_URL = "https://docs.failco.de";
+      PAPERLESS_CONSUMER_RECURSIVE = true;
+      PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS = true;
+
+      # workaround for classification getting stuck, see
+      # https://github.com/NixOS/nixpkgs/issues/240591#issuecomment-1915678490
+      OMP_NUM_THREADS = 1;
     };
   };
 
@@ -307,7 +344,10 @@ in {
       manage = true;
     };
     journalFiles = [ "current.journal" ];
-    extraOptions = [ "-B" "--value=then" ];
+    extraOptions = [
+      "-B"
+      "--value=then"
+    ];
   };
 
   services.fail2ban = {
@@ -317,8 +357,12 @@ in {
     bantime = "1h";
     bantime-increment.enable = true;
 
-    ignoreIP =
-      [ "127.0.0.0/8" "195.90.211.228/22" "10.0.0.0/8" "192.168.0.0/16" ];
+    ignoreIP = [
+      "127.0.0.0/8"
+      "195.90.211.228"
+      "10.0.0.0/8"
+      "192.168.0.0/16"
+    ];
 
     jails.postfix = ''
       filter   = postfix
@@ -332,10 +376,8 @@ in {
     enable = true;
     user = "alex";
     dataDir = "/home/alex/sync";
-    overrideDevices =
-      true; # overrides any devices added or deleted through the WebUI
-    overrideFolders =
-      true; # overrides any folders added or deleted through the WebUI
+    overrideDevices = true; # overrides any devices added or deleted through the WebUI
+    overrideFolders = true; # overrides any folders added or deleted through the WebUI
     settings = {
       folders = {
         "org" = {
@@ -346,11 +388,20 @@ in {
           path = "/home/alex/media/scan";
           devices = [ "redmi" ];
         };
+        "paperless" = {
+          path = "${config.services.paperless.consumptionDir}";
+          devices = [
+            "redmi"
+            "dregil"
+          ];
+        };
       };
       devices = {
         "redmi" = {
-          id =
-            "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
+          id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
+        };
+        "dregil" = {
+          id = "SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH";
         };
       };
     };
@@ -359,16 +410,26 @@ in {
   mailserver = {
     enable = true;
     fqdn = "thrall.failco.de";
-    domains = [ "failco.de" "jakalx.net" "kobjolke.de" ];
+    domains = [
+      "failco.de"
+      "jakalx.net"
+      "kobjolke.de"
+    ];
 
     loginAccounts = {
       "me@failco.de" = {
         # nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt'
         hashedPasswordFile = config.age.secrets.mailPass.path;
 
-        aliases = [ "lx@failco.de" "alex@failco.de" ];
+        aliases = [
+          "lx@failco.de"
+          "alex@failco.de"
+        ];
 
-        catchAll = [ "failco.de" "kobjolke.de" ];
+        catchAll = [
+          "failco.de"
+          "kobjolke.de"
+        ];
       };
 
       "alex@jakalx.net" = {
@@ -382,7 +443,9 @@ in {
       };
     };
 
-    extraVirtualAliases = { "familie@kobjolke.de" = [ "me@failco.de" ]; };
+    extraVirtualAliases = {
+      "familie@kobjolke.de" = [ "me@failco.de" ];
+    };
 
     forwards = {
       "anne@kobjolke.de" = "anne.kobjolke@gmail.cem";
@@ -396,12 +459,22 @@ in {
     virusScanning = true;
   };
 
-  services.postgresql = { package = pkgs.postgresql_15; };
+  services.postgresql = {
+    package = pkgs.postgresql_15;
+  };
   services.roundcube = {
     enable = true;
     hostName = "mail.failco.de";
-    dicts = with pkgs.aspellDicts; [ en de ];
-    plugins = [ "archive" "attachment_reminder" "managesieve" "markasjunk" ];
+    dicts = with pkgs.aspellDicts; [
+      en
+      de
+    ];
+    plugins = [
+      "archive"
+      "attachment_reminder"
+      "managesieve"
+      "markasjunk"
+    ];
     extraConfig = ''
       # starttls needed for authentication, so the fqdn required to match
       # the certificate
@@ -418,6 +491,4 @@ in {
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "20.09"; # Did you read the comment?
-
 }
-

modules/appimage.nix

@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.binfmt.registrations.appimage = {
+    wrapInterpreterInShell = false;
+    interpreter = "${pkgs.appimage-run}/bin/appimage-run";
+    recognitionType = "magic";
+    offset = 0;
+    mask = "\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff";
+    magicOrExtension = "\\x7fELF....AI\\x02";
+  };
+}

modules/common-system.nix

@@ -21,10 +21,5 @@
 
   networking.firewall.enable = true;
 
-  nix = {
-    registry = {
-      nixpkgs.flake = inputs.nixpkgs;
-      nixpkgs-unstable.flake = inputs.nixpkgs-unstable;
-    };
-  };
+  nix = { registry = { nixpkgs.flake = inputs.nixpkgs; }; };
 }

modules/hardening.nix

@@ -0,0 +1,752 @@
+{ config, lib, pkgs, ... }: {
+  systemd.services.systemd-rfkill = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.syslog = {
+    serviceConfig = {
+      PrivateNetwork = true;
+      CapabilityBoundingSet =
+        [ "CAP_DAC_READ_SEARCH" "CAP_SYSLOG" "CAP_NET_BIND_SERVICE" ];
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      PrivateMounts = true;
+      SystemCallArchitectures = "native";
+      MemoryDenyWriteExecute = true;
+      LockPersonality = true;
+      ProtectKernelTunables = true;
+      RestrictRealtime = true;
+      PrivateUsers = true;
+      PrivateTmp = true;
+      UMask = "0077";
+      RestrictNamespace = true;
+      ProtectProc = "invisible";
+      ProtectHome = true;
+      DeviceAllow = false;
+      ProtectSystem = "full";
+    };
+  };
+
+  systemd.services.systemd-journald = {
+    serviceConfig = {
+      UMask = 77;
+      PrivateNetwork = true;
+      ProtectHostname = true;
+      ProtectKernelModules = true;
+    };
+  };
+  systemd.services.auto-cpufreq = {
+    serviceConfig = {
+      CapabilityBoundingSet = "";
+      ProtectSystem = "full";
+      ProtectHome = true;
+      PrivateNetwork = true;
+      IPAddressDeny = "any";
+      NoNewPrivileges = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectHostname = false;
+      MemoryDenyWriteExecute = true;
+      ProtectClock = true;
+      RestrictNamespaces = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectProc = true;
+      ReadOnlyPaths = [ "/" ];
+      InaccessiblePaths = [ "/home" "/root" "/proc" ];
+      SystemCallFilter = [ "@system-service" ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+    };
+  };
+  systemd.services.NetworkManager-dispatcher = {
+    serviceConfig = {
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateUsers = true;
+      PrivateDevices = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.display-manager = {
+    serviceConfig = {
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true; # so we won't need all of this
+    };
+  };
+  systemd.services.emergency = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # Might need adjustment for emergency access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services."getty@tty1" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services."getty@tty7" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.NetworkManager = {
+    serviceConfig = {
+      NoNewPrivileges = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      SystemCallArchitectures = "native";
+      MemoryDenyWriteExecute = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      RestrictNamespaces = true;
+      ProtectKernelTunables = true;
+      ProtectHome = true;
+      PrivateTmp = true;
+      UMask = "0077";
+    };
+  };
+  systemd.services."nixos-rebuild-switch-to-configuration" = {
+    serviceConfig = {
+      ProtectHome = true;
+      NoNewPrivileges = true; # Prevent gaining new privileges
+    };
+  };
+  systemd.services."dbus" = {
+    serviceConfig = {
+      PrivateTmp = true;
+      PrivateNetwork = true;
+      ProtectSystem = "full";
+      ProtectHome = true;
+      SystemCallFilter =
+        "~@clock @cpu-emulation @module @mount @obsolete @raw-io @reboot @swap";
+      ProtectKernelTunables = true;
+      NoNewPrivileges = true;
+      CapabilityBoundingSet = [
+        "~CAP_SYS_TIME"
+        "~CAP_SYS_PACCT"
+        "~CAP_KILL"
+        "~CAP_WAKE_ALARM"
+        "~CAP_SYS_BOOT"
+        "~CAP_SYS_CHROOT"
+        "~CAP_LEASE"
+        "~CAP_MKNOD"
+        "~CAP_NET_ADMIN"
+        "~CAP_SYS_ADMIN"
+        "~CAP_SYSLOG"
+        "~CAP_NET_BIND_SERVICE"
+        "~CAP_NET_BROADCAST"
+        "~CAP_AUDIT_WRITE"
+        "~CAP_AUDIT_CONTROL"
+        "~CAP_SYS_RAWIO"
+        "~CAP_SYS_NICE"
+        "~CAP_SYS_RESOURCE"
+        "~CAP_SYS_TTY_CONFIG"
+        "~CAP_SYS_MODULE"
+        "~CAP_IPC_LOCK"
+        "~CAP_LINUX_IMMUTABLE"
+        "~CAP_BLOCK_SUSPEND"
+        "~CAP_MAC_*"
+        "~CAP_DAC_*"
+        "~CAP_FOWNER"
+        "~CAP_IPC_OWNER"
+        "~CAP_SYS_PTRACE"
+        "~CAP_SETUID"
+        "~CAP_SETGID"
+        "~CAP_SETPCAP"
+        "~CAP_FSETID"
+        "~CAP_SETFCAP"
+        "~CAP_CHOWN"
+      ];
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      RestrictNamespaces = true;
+      MemoryDenyWriteExecute = true;
+      RestrictAddressFamilies = [ "~AF_PACKET" "~AF_NETLINK" ];
+      ProtectHostname = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      PrivateUsers = true;
+    };
+  };
+  systemd.services.nix-daemon = {
+    serviceConfig = {
+      ProtectHome = true;
+      PrivateUsers = false;
+    };
+  };
+  systemd.services.reload-systemd-vconsole-setup = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictNamespaces = true;
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.rescue = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # Might need adjustment for rescue operations
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Networking might be necessary in rescue mode
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny =
+        "any"; # May need to be relaxed for network troubleshooting in rescue mode
+    };
+  };
+  systemd.services."systemd-ask-password-console" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May need adjustment for console access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services."systemd-ask-password-wall" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.thermald = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Necessary for adjusting cooling policies
+      ProtectKernelModules = true; # May need adjustment for module control
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May require access to specific hardware devices
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      CapabilityBoundingSet = "";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+      DeviceAllow = [ ];
+      RestrictAddressFamilies = [ ];
+    };
+  };
+  systemd.services."user@1000" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true; # Be cautious, as this may restrict user operations
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust based on user needs
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.virtlockd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May need adjustment for accessing VM resources
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust as necessary
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need adjustment for network operations
+    };
+  };
+  systemd.services.virtlogd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May need adjustment for accessing VM logs
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter =
+        [ "@system-service" ]; # Adjust based on log management needs
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny =
+        "any"; # May need to be relaxed for network-based log collection
+    };
+  };
+  systemd.services.virtlxcd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Necessary for container management
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers =
+        true; # Be cautious, might need adjustment for container user management
+      PrivateDevices = true; # Containers might require broader device access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Necessary for networked containers
+      RestrictNamespaces = true;
+      SystemCallFilter =
+        [ "@system-service" ]; # Adjust based on container operations
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need to be relaxed for network functionality
+    };
+  };
+  systemd.services.virtqemud = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Necessary for VM management
+      ProtectKernelModules =
+        true; # May need adjustment for VM hardware emulation
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers =
+        true; # Be cautious, might need adjustment for VM user management
+      PrivateDevices = true; # VMs might require broader device access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Necessary for networked VMs
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need to be relaxed for network functionality
+    };
+  };
+  systemd.services.virtvboxd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Required for some VM management tasks
+      ProtectKernelModules = true; # May need adjustment for module handling
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers =
+        true; # Be cautious, might need adjustment for VM user management
+      PrivateDevices = true; # VMs may require access to certain devices
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Necessary for networked VMs
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need to be relaxed for network functionality
+    };
+  };
+}

modules/hledger-web.nix

@@ -0,0 +1,140 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let cfg = config.services.hledger-web;
+in {
+  options.services.hledger-web = {
+
+    enable = mkEnableOption (lib.mdDoc "hledger-web service");
+
+    serveApi = mkEnableOption
+      (lib.mdDoc "serving only the JSON web API, without the web UI");
+
+    host = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = lib.mdDoc ''
+        Address to listen on.
+      '';
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 5000;
+      example = 80;
+      description = lib.mdDoc ''
+        Port to listen on.
+      '';
+    };
+
+    capabilities = {
+      view = mkOption {
+        type = types.bool;
+        default = true;
+        description = lib.mdDoc ''
+          Enable the view capability.
+        '';
+      };
+      add = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Enable the add capability.
+        '';
+      };
+      manage = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Enable the manage capability.
+        '';
+      };
+    };
+
+    stateDir = mkOption {
+      type = types.path;
+      default = "/var/lib/hledger-web";
+      description = lib.mdDoc ''
+        Path the service has access to. If left as the default value this
+        directory will automatically be created before the hledger-web server
+        starts, otherwise the sysadmin is responsible for ensuring the
+        directory exists with appropriate ownership and permissions.
+      '';
+    };
+
+    journalFiles = mkOption {
+      type = types.listOf types.str;
+      default = [ ".hledger.journal" ];
+      description = lib.mdDoc ''
+        Paths to journal files relative to {option}`services.hledger-web.stateDir`.
+      '';
+    };
+
+    baseUrl = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      example = "https://example.org";
+      description = lib.mdDoc ''
+        Base URL, when sharing over a network.
+      '';
+    };
+
+    extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      example = [ "--forecast" ];
+      description = lib.mdDoc ''
+        Extra command line arguments to pass to hledger-web.
+      '';
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    users.users.hledger = {
+      name = "hledger";
+      group = "hledger";
+      isSystemUser = true;
+      home = cfg.stateDir;
+      useDefaultShell = true;
+    };
+
+    users.groups.hledger = { };
+
+    systemd.services.hledger-web = let
+      serverArgs = with cfg;
+        escapeShellArgs ([
+          "--serve"
+          "--host=${host}"
+          "--port=${toString port}"
+          (optionalString capabilities.add "--allow=add")
+          (optionalString capabilities.view "--allow=view")
+          (optionalString capabilities.manage "--allow=edit")
+          (optionalString (cfg.baseUrl != null) "--base-url=${cfg.baseUrl}")
+          (optionalString (cfg.serveApi) "--serve-api")
+        ] ++ (map (f: "--file=${stateDir}/${f}") cfg.journalFiles)
+          ++ extraOptions);
+    in {
+      description = "hledger-web - web-app for the hledger accounting tool.";
+      documentation = [ "https://hledger.org/hledger-web.html" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "networking.target" ];
+      serviceConfig = mkMerge [
+        {
+          ExecStart = "${pkgs.hledger-web}/bin/hledger-web ${serverArgs}";
+          Restart = "always";
+          WorkingDirectory = cfg.stateDir;
+          User = "hledger";
+          Group = "hledger";
+          PrivateTmp = true;
+        }
+        (mkIf (cfg.stateDir == "/var/lib/hledger-web") {
+          StateDirectory = "hledger-web";
+        })
+      ];
+    };
+
+  };
+
+  meta.maintainers = with lib.maintainers; [ marijanp erictapen ];
+}

modules/nix-config.nix

@@ -1,8 +1,13 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
   nix = {
-    package = pkgs.nixUnstable;
+    package = pkgs.nixVersions.latest;
     gc = {
       automatic = true;
       dates = "weekly";
@@ -11,7 +16,10 @@
 
     settings = {
       auto-optimise-store = true;
-      experimental-features = [ "nix-command" "flakes" "repl-flake" ];
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
       warn-dirty = false;
 
       # avoid unwanted garbage collection when using direnv

modules/sudo.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    extraRules = [{
+      groups = [ "wheel" ];
+      commands = [{
+        command = "/run/current-system/sw/bin/nixos-rebuild";
+        options = [ "NOPASSWD" ];
+      }];
+    }];
+  };
+}

modules/wm/light.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.programs.light = { enable = true; };
+  config.services.actkbd = let light = "${pkgs.light}/bin/light";
+  in {
+    enable = true;
+    bindings = [
+      {
+        keys = [ 232 ];
+        events = [ "key" ];
+        command = "${light} -U 10";
+      }
+
+      {
+        keys = [ 233 ];
+        events = [ "key" ];
+        command = "${light} -A 10";
+      }
+    ];
+  };
+}

modules/wm/x.nix

@@ -1,18 +1,24 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
   # Enable the X11 windowing system.
   services = {
-    dbus = { enable = true; };
+    dbus = {
+      enable = true;
+    };
 
     xserver = {
       enable = true;
-      exportConfiguration = true;
 
-      # Configure keymap in X11
-      layout = "us";
-
-      xkbOptions = "terminate:ctrl_alt_bksp,caps:escape,compose:ralt";
+      xkb = {
+        options = "terminate:ctrl_alt_bksp,caps:escape,compose:ralt";
+        layout = "us";
+      };
 
       videoDrivers = [ "nvidia" ]; # "modesetting" ];
 
@@ -23,14 +29,14 @@
 
       desktopManager.xfce.enable = true;
       desktopManager.gnome.enable = true;
+    };
 
-      # Enable touchpad support (enabled default in most desktopManager).
-      libinput = {
-        enable = true;
-        touchpad.disableWhileTyping = true;
-        mouse.naturalScrolling =
-          config.services.xserver.libinput.touchpad.naturalScrolling;
-      };
+    # Enable touchpad support (enabled default in most desktopManager).
+    libinput = {
+      enable = true;
+      touchpad.disableWhileTyping = true;
+      touchpad.tapping = false;
+      mouse.naturalScrolling = config.services.libinput.touchpad.naturalScrolling;
     };
   };
 }

modules/wm/xmonad/default.nix

@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 
 {
-  services = {
+  config.services = {
     upower.enable = true;
 
     xserver = {
@@ -12,5 +12,5 @@
     };
   };
 
-  systemd.services.upower.enable = true;
+  config.systemd.services.upower.enable = true;
 }