chore: Update inputs

feat(emacs): Add support packages to denote
feat(docs): Enable Tika support for paperless
2025-11-25 14:24:48 +01:00 · 2025-11-25 14:24:48 +01:00 · 2025-11-25 14:24:48 +01:00 · 2025-11-25 14:24:48 +01:00 · 2025-11-25 14:24:48 +01:00 · 2025-11-25 14:24:48 +01:00
87 changed files with 4925 additions and 720 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
 use flake
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +0,0 @@
 [submodule "home/emacs.d"]
 	path = home/emacs.d
 	url = https://github.com/hlissner/doom-emacs
--- a/flake.lock
+++ b/flake.lock
@ -3,16 +3,18 @@
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": [
          "nixpkgs"
-        ]
+        ],
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1677969766,
+        "lastModified": 1762618334,
-        "narHash": "sha256-AIp/ZYZMNLDZR/H7iiAlaGpu4lcXsVt9JQpBlf43HRY=",
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "03b51fe8e459a946c4b88dcfb6446e45efb2c24e",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
        "type": "github"
      },
      "original": {
@ -45,11 +47,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1673295039,
+        "lastModified": 1744478979,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
        "type": "github"
      },
      "original": {
@ -59,34 +61,89 @@
        "type": "github"
      }
    },
-    "emacs": {
+    "disko": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1680257010,
+        "lastModified": 1763651264,
-        "narHash": "sha256-pNMB9sdoZOXEsszLD5TS0WG5Ysj2rVRmf92uxsxH/9A=",
+        "narHash": "sha256-8vvwZbw0s7YvBMJeyPVpWke6lg6ROgtts5N2/SMCcv4=",
        "owner": "nix-community",
-        "repo": "emacs-overlay",
+        "repo": "disko",
-        "rev": "cfec7f9501cc0e001f49d725a7cd733af7deb2ed",
+        "rev": "e86a89079587497174ccab6d0d142a65811a4fd9",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "repo": "emacs-overlay",
+        "repo": "disko",
        "type": "github"
      }
    },
    "distro-grub-themes": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1734806114,
        "narHash": "sha256-FWkDtoLMTTk2Lz4d4LkFjtV/xYyIlpwZlX5Np1QhXls=",
        "owner": "AdisonCavani",
        "repo": "distro-grub-themes",
        "rev": "ebbd17419890059e371a6f2dbf2a7e76190327d4",
        "type": "github"
      },
      "original": {
        "owner": "AdisonCavani",
        "repo": "distro-grub-themes",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1747046372,
        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1761588595,
        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1667395993,
+        "lastModified": 1731533236,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@ -95,19 +152,88 @@
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": [
          "snm",
          "flake-compat"
        ],
        "gitignore": "gitignore_2",
        "nixpkgs": [
          "snm",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1763319842,
        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "pre-commit-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "gitignore_2": {
      "inputs": {
        "nixpkgs": [
          "snm",
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs-unstable"
+          "agenix",
-        ],
+          "nixpkgs"
-        "utils": "utils"
+        ]
      },
      "locked": {
-        "lastModified": 1678831854,
+        "lastModified": 1745494811,
-        "narHash": "sha256-7HBmLFNVD2KjovSzypIN9NfyzpWelMe8sNbUVZIRsS0=",
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "cae54dc45c0d61c99c1dc8b04bc42f36c76f9771",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
@ -119,17 +245,36 @@
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nix-on-droid",
          "nixpkgs"
-        ],
+        ]
        "utils": "utils_2"
      },
      "locked": {
-        "lastModified": 1663932797,
+        "lastModified": 1763906693,
-        "narHash": "sha256-IH8ZBW99W2k7wKLS+Sat9HiKX1TPZjFTnsPizK5crok=",
+        "narHash": "sha256-inm7paa3myo8gE4TzjM8OPvsEg8xocWreIZBgBPEKgo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "de3758e31a3a1bc79d569f5deb5dac39791bf9b6",
+        "rev": "3d6c1c8fa0bea3a1a7ba23d6fa5993116766073b",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_3": {
      "inputs": {
        "nixpkgs": [
          "nix-on-droid",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709445365,
        "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7",
        "type": "github"
      },
      "original": {
@ -148,11 +293,11 @@
        "nmt": "nmt"
      },
      "locked": {
-        "lastModified": 1666720474,
+        "lastModified": 1705252799,
-        "narHash": "sha256-iWojjDS1D19zpeZXbBdjWb9MiKmVVFQCqtJmtTXgPx8=",
+        "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=",
        "owner": "Gerschtli",
        "repo": "nix-formatter-pack",
-        "rev": "14876cc8fe94a3d329964ecb073b4c988c7b61f5",
+        "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5",
        "type": "github"
      },
      "original": {
@ -163,90 +308,108 @@
    },
    "nix-on-droid": {
      "inputs": {
-        "home-manager": "home-manager_2",
+        "home-manager": "home-manager_3",
        "nix-formatter-pack": "nix-formatter-pack",
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-droid"
        ],
        "nixpkgs-docs": "nixpkgs-docs",
        "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap",
        "nmd": "nmd_2"
      },
      "locked": {
-        "lastModified": 1670198918,
+        "lastModified": 1720396533,
-        "narHash": "sha256-oNlUhAM0/a3pDdCMmBWA+CLrDAIYJqAAMyrDp8fNSM4=",
+        "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=",
        "owner": "t184256",
        "repo": "nix-on-droid",
-        "rev": "b00cb5e7e2a47d85a019119069b153cda4002d0a",
+        "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25",
        "type": "github"
      },
      "original": {
        "owner": "t184256",
-        "ref": "release-22.11",
+        "ref": "release-24.05",
        "repo": "nix-on-droid",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1678703398,
+        "lastModified": 1763678758,
-        "narHash": "sha256-Y1mW3dBsoWLHpYm+UIHb5VZ7rx024NNHaF16oZBx++o=",
+        "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "67f26c1cfc5d5783628231e776a81c1ade623e0b",
+        "rev": "117cc7f94e8072499b0a7aa4c52084fa4e11cc9b",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-docs": {
      "locked": {
        "lastModified": 1705957679,
        "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-droid": {
      "locked": {
        "lastModified": 1735563628,
        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-for-bootstrap": {
      "locked": {
-        "lastModified": 1669834992,
+        "lastModified": 1720244366,
-        "narHash": "sha256-YnhZGHgb4C3Q7DSGisO/stc50jFb9F/MzHeKS4giotg=",
+        "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "596a8e828c5dfa504f91918d0fa4152db3ab5502",
+        "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "596a8e828c5dfa504f91918d0fa4152db3ab5502",
+        "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1678654296,
        "narHash": "sha256-aVfw3ThpY7vkUeF1rFy10NAkpKDS2imj3IakrzT0Occ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "5a1dc8acd977ff3dccd1328b7c4a6995429a656b",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1669542132,
+        "lastModified": 1763553727,
-        "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
+        "narHash": "sha256-4aRqRkYHplWk0mrtoF5i3Uo73E3niOWiUZU8kmPm9hQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
+        "rev": "094318ea16502a7a81ce90dd3638697020f030a2",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
+        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-unstable-small",
-        "type": "indirect"
+        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nmd": {
@ -266,19 +429,25 @@
      }
    },
    "nmd_2": {
-      "flake": false,
+      "inputs": {
        "nixpkgs": [
          "nix-on-droid",
          "nixpkgs-docs"
        ],
        "scss-reset": "scss-reset"
      },
      "locked": {
-        "lastModified": 1666190571,
+        "lastModified": 1705050560,
-        "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=",
+        "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=",
-        "owner": "rycee",
+        "owner": "~rycee",
        "repo": "nmd",
-        "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169",
+        "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3",
-        "type": "gitlab"
+        "type": "sourcehut"
      },
      "original": {
-        "owner": "rycee",
+        "owner": "~rycee",
        "repo": "nmd",
-        "type": "gitlab"
+        "type": "sourcehut"
      }
    },
    "nmt": {
@ -297,83 +466,123 @@
        "type": "gitlab"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1763741496,
        "narHash": "sha256-uIRqs/H18YEtMOn1OkbnPH+aNTwXKx+iU3qnxEkVUd0=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "20e71a403c5de9ce5bd799031440da9728c1cda1",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
-        "emacs": "emacs",
+        "disko": "disko",
-        "home-manager": "home-manager",
+        "distro-grub-themes": "distro-grub-themes",
        "home-manager": "home-manager_2",
        "nix-on-droid": "nix-on-droid",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixpkgs-droid": "nixpkgs-droid",
-        "snm": "snm"
+        "pre-commit-hooks": "pre-commit-hooks",
        "snm": "snm",
        "stable": "stable"
      }
    },
    "scss-reset": {
      "flake": false,
      "locked": {
        "lastModified": 1631450058,
        "narHash": "sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=",
        "owner": "andreymatin",
        "repo": "scss-reset",
        "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91",
        "type": "github"
      },
      "original": {
        "owner": "andreymatin",
        "repo": "scss-reset",
        "type": "github"
      }
    },
    "snm": {
      "inputs": {
        "blobs": "blobs",
-        "nixpkgs": "nixpkgs_2",
+        "flake-compat": "flake-compat_2",
-        "nixpkgs-22_11": [
+        "git-hooks": "git-hooks",
-          "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
        ],
        "utils": "utils_3"
      },
      "locked": {
-        "lastModified": 1671659164,
+        "lastModified": 1763564778,
-        "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=",
+        "narHash": "sha256-HSWMOylEaTtVgzIjpTbjcjVLXHDwNyV081eVUBfAcMs=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd",
+        "rev": "4987d275a90392347f84923cd4cd8efcf0aa7a22",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
-        "ref": "nixos-22.11",
+        "ref": "master",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    },
-    "utils": {
+    "stable": {
      "locked": {
-        "lastModified": 1676283394,
+        "lastModified": 1751274312,
-        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+        "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
-        "owner": "numtide",
+        "owner": "NixOS",
-        "repo": "flake-utils",
+        "repo": "nixpkgs",
-        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+        "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
+        "owner": "NixOS",
-        "repo": "flake-utils",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "utils_2": {
+    "systems": {
      "locked": {
-        "lastModified": 1659877975,
+        "lastModified": 1681028828,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "flake-utils",
+        "repo": "default",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "flake-utils",
+        "repo": "default",
        "type": "github"
      }
    },
-    "utils_3": {
+    "systems_2": {
      "locked": {
-        "lastModified": 1605370193,
+        "lastModified": 1681028828,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "flake-utils",
+        "repo": "default",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
+        "owner": "nix-systems",
-        "repo": "flake-utils",
+        "repo": "default",
        "type": "github"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@ -1,73 +1,151 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    stable.url = "github:NixOS/nixpkgs/nixos-24.11";
    nixpkgs-droid.url = "github:NixOS/nixpkgs/nixos-24.05";
    distro-grub-themes = {
      url = "github:AdisonCavani/distro-grub-themes";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
    pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
    home-manager = {
      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
    # simple mailserver
    snm = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
-      inputs.nixpkgs-22_11.follows = "nixpkgs";
+      #      inputs.nixpkgs-23_05.follows = "nixpkgs";
    };
    nix-on-droid = {
-      url = "github:t184256/nix-on-droid/release-22.11";
+      url = "github:t184256/nix-on-droid/release-24.05";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs-droid";
    };
    emacs = {
      url = "github:nix-community/emacs-overlay";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
 #    simplex-chat = {
 #      url = "github:simplex-chat/simplex-chat";
 #      inputs.nixpkgs.follows = "nixpkgs";
 #    };
    # age for nix to store encrypted passwords conveniently
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko.url = "github:nix-community/disko";
    disko.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = { home-manager, nixpkgs, agenix, snm, ... }@inputs: {
+  outputs =
-    nixosConfigurations."thrall" = nixpkgs.lib.nixosSystem {
+    {
-      system = "x86_64-linux";
+      self,
-      modules = [
+      home-manager,
-        ({
+      nixpkgs,
-          nixpkgs = {
+      stable,
-            config.allowUnfree = true;
+      pre-commit-hooks,
-            overlays = with inputs; [ emacs.overlay ];
+      ...
-          };
+    }@inputs:
-        })
+    {
-        snm.nixosModule
+      checks."x86_64-linux" =
-        ./modules/security.nix
+        let
-        ./hosts/thrall
+          system = "x86_64-linux";
-        agenix.nixosModules.age
+          pkgs = import nixpkgs { inherit system; };
-        home-manager.nixosModules.home-manager
+        in
        {
-          home-manager.useGlobalPkgs = true;
+          pre-commit-check = pre-commit-hooks.lib.${system}.run {
-          home-manager.useUserPackages = true;
+            src = ./.;
-          home-manager.users.alex = import ./home/cli.nix;
+            tools.fourmolu = pkgs.haskellPackages.fourmolu;
-        }
+            tools.nixfmt = pkgs.nixfmt-rfc-style;
-      ];
+            hooks = {
-    };
+              nixfmt-rfc-style.enable = true;
              fourmolu.enable = true;
              hpack.enable = true;
              hlint.enable = true;
              ormolu = {
                settings.defaultExtensions = [ "GHC2021" ];
              };
            };
          };
        };
-    nixosConfigurations."dregil" = import ./hosts/dregil { inherit inputs; };
+      nixosConfigurations."thrall" = nixpkgs.lib.nixosSystem rec {
-    homeConfigurations = import ./outputs/homeConfigurations inputs;
+        system = "x86_64-linux";
        specialArgs = {
          inherit inputs;
          inherit system;
        };
        modules = [
          (
            { inputs, lib, ... }:
            {
              nixpkgs = {
                config.allowUnfree = true;
                # overlays = with inputs; [
                #   emacs.overlay
                # ];
              };
            }
          )
          ./hosts/thrall
          home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.extraSpecialArgs = {
              inherit inputs;
            };
          }
          { home-manager.users.alex = ./hosts/thrall/alex.nix; }
        ];
      };
-    nixOnDroidConfigurations.default = inputs.nix-on-droid.lib.nixOnDroidConfiguration {
+      nixosConfigurations."dregil" = nixpkgs.lib.nixosSystem rec {
-      modules = [
+        system = "x86_64-linux";
-        ./hosts/redmi
+        specialArgs = {
-        { nix.registry.nixpkgs.flake = nixpkgs; }
+          inherit inputs;
-        { nix.nixPath = [ "nixpkgs=${nixpkgs}" ]; }
+          inherit system;
-      ];
+          stable = import inputs.stable { system = "x86_64-linux"; };
        };
        modules = [ ./hosts/dregil ];
      };
      nixosConfigurations."igor" = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        specialArgs = {
          inherit inputs;
        };
        modules = [ ./hosts/igor ];
      };
      homeConfigurations."alex@dregil" = home-manager.lib.homeManagerConfiguration {
      };
      nixOnDroidConfigurations.default =
        with inputs;
        nix-on-droid.lib.nixOnDroidConfiguration {
          pkgs = import nixpkgs-droid { };
          modules = [
            ./hosts/redmi
            { nix.registry.nixpkgs.flake = nixpkgs-droid; }
            { nix.nixPath = [ "nixpkgs=${nixpkgs-droid}" ]; }
          ];
        };
      devShells."x86_64-linux".default =
        let
          system = "x86_64-linux";
          pkgs = import nixpkgs { inherit system; };
        in
        pkgs.mkShell {
          inherit (self.checks.${system}.pre-commit-check) shellHook;
          packages = with pkgs; [
            nixfmt-rfc-style
            nil
          ];
        };
    };
  };
 }
--- a/home/alex/cli.nix
+++ b/home/alex/cli.nix
@ -0,0 +1,214 @@
 { config, pkgs, ... }:
 # minimal config, suitable for servers
 let
  user = {
    name = config.home.username;
    fullName = "Alexander Kobjolke";
    mail = "me@failco.de";
  };
  myEza = if builtins.hasAttr "eza" pkgs then "eza" else "exa";
 in
 {
  imports = [
    ./programs/neovim/default.nix
    ./programs/emacs/default.nix
    ./programs/editorconfig
    ./programs/jq
    ./programs/fzf
    ./programs/git
    ./programs/jujutsu
    ./programs/shell
    ./programs/devenv.nix
  ];
  programs.home-manager.enable = true;
  home = {
    stateVersion = "21.05";
    sessionPath = [ "$HOME/.local/bin" ];
  };
  # do not show home-manager notifications
  news.display = "silent";
  home.packages = with pkgs; [
    # archives
    #p7zip
    #unrar
    git-absorb
    git-annex
    git-annex-remote-rclone
    tea # command-line frontend for gitea
    # nix tools
    nix-index
    nixfmt-rfc-style
    # misc
    fd # better find
    file # info about files
    unzip
    dropbox
    gotop
    gnumake
    ripgrep # better grep
    pijul
    sqlite.dev
    sqlite
    # editing
    nil # nix language server
    shellcheck
    editorconfig-core-c
    shfmt
    (aspellWithDicts (
      dicts: with dicts; [
        en
        en-computers
        en-science
        de
      ]
    ))
    # system tools
    htop-vim # htop with vim bindings
    erdtree # du+tree had sex
    dua # ncdu but better
    gopass
    gopass-jsonapi
    gopass-hibp
    gcc
    cmake
    graphviz
    plantuml
    gnuplot
    pandoc
    hledger
    hledger-web
    hledger-ui
    nix-prefetch-git
  ];
  home.extraOutputsToInstall = [
    "doc"
    "info"
    "devdoc"
  ];
  xdg.enable = true;
  xdg.configFile.tmux = {
    target = "tmux/tmux.conf";
    text = ''
      set -g default-terminal "xterm-256color"
      set-window-option -g xterm-keys on
      set -ag update-environment "SSH_TTY SSH_CLIENT"
      set -g prefix C-z
      set -g status-keys vi
      setw -g mode-keys vi
      setw -g aggressive-resize on
      set -g mouse on
      # do not wait for a manually entered escape sequence, just forward it immediately
      set -g escape-time 0
      bind-key C-z send-prefix
      set -g renumber-windows on
      bind-key T swap-window -t 0
    '';
  };
  xdg.configFile.pijul = {
    target = "pijul/config.toml";
    text = ''
      [author]
      name = "${user.name}"
      full_name = "${user.fullName}"
      email = "${user.mail}"
    '';
  };
  programs = {
    bash = {
      enable = true;
    };
    # better cat
    bat.enable = true;
    # htop replacement with a nice UI
    btop.enable = true;
    # better ls with icons and stuff, maybe also try lsd
    ${myEza} = {
      enable = true;
      icons = "auto";
    };
    starship = {
      enable = true;
    };
    direnv = {
      enable = true;
      nix-direnv = {
        enable = true;
      };
      enableZshIntegration = true;
      enableBashIntegration = true;
    };
    gh = {
      enable = true;
      settings.git_protocol = "ssh";
    };
    gpg = {
      enable = true;
      settings = {
        homedir = "~/.local/share/gnupg";
      };
    };
    helix = {
      enable = true;
      settings.theme = "gruvbox";
    };
    password-store = {
      enable = true;
      package = pkgs.gopass;
      settings = {
        PASSWORD_STORE_DIR = "$HOME/.local/share/password-store";
      };
    };
    ssh = {
      enable = true;
      enableDefaultConfig = false;
      matchBlocks = {
        "*" = {
          controlMaster = "auto";
          controlPersist = "10m";
        };
      };
    };
    texlive.enable = true;
  };
  services.gpg-agent = {
    enable = true;
    enableSshSupport = true;
    defaultCacheTtl = 7200;
    defaultCacheTtlSsh = 7200;
  };
  home.file.".local" = {
    recursive = true;
    source = ./local;
  };
 }
--- a/home/alex/default.nix
+++ b/home/alex/default.nix
@ -0,0 +1,27 @@
 {
  config,
  lib,
  pkgs,
  inputs,
  ...
 }:
 {
  imports = [ ];
  users.users."alex" = {
    isNormalUser = true;
    extraGroups = [
      "input"
      "networkmanager"
      "wheel"
      "video"
    ];
    description = "Alexander Kobjolke";
    home = "/home/alex";
    shell = pkgs.zsh;
  };
  home-manager.useGlobalPkgs = true;
  home-manager.useUserPackages = true;
  home-manager.users.alex = import ./home.nix;
 }
--- a/home/alex/home.nix
+++ b/home/alex/home.nix
@ -0,0 +1,119 @@
 {
  config,
  lib,
  pkgs,
  stable,
  ...
 }:
 {
  imports = [
    ./cli.nix
    ./programs/rofi
    # ./programs/xmonad
    # ./programs/i3
    ./programs/jitsi-meet
    ./programs/simplex-chat
    ./programs/zathura
    ./programs/autorandr
    # ./services/polybar
    # ./services/dunst
    # ./services/udiskie
    # ./services/picom
    # ./services/screen-locker
    # ./services/blueman-applet
    # ./services/network-manager
    ./services/syncthing
    ./services/git-sync
    ./modules/email.nix
  ];
  home = {
    homeDirectory = "/home/alex";
    stateVersion = "21.05";
    language.base = "en_US.UTF-8";
    keyboard.layout = "us";
    keyboard.variant = "dvorak";
    keyboard.options = [
      "terminate:ctrl_alt_bksp"
      "caps:escape"
      "compose:ralt"
    ];
    packages = with pkgs; [
      # social
      discord # talk to other people
      google-chrome
      signal-desktop
      # system tools
      uhk-agent # my keyboard
      mosh # ssh via udp
      rclone
      parallel-disk-usage
      gdu
      gnomeExtensions.paperwm
      # gaming support
      stable.bottles
      wine64Packages.stagingFull
      scummvm
      # reading
      xournalpp # pdf editor
    ];
  };
  news.display = "silent";
  my.git-sync.enable = true;
  programs = {
    alacritty.enable = true;
    browserpass = {
      enable = true;
      browsers = [ "firefox" ];
    };
    feh.enable = true;
    firefox = {
      enable = true;
      package = pkgs.firefox.override {
        cfg = {
          nativeMessagingHosts.packages = [
            pkgs.browserpass
            pkgs.tridactyl-native
          ];
          enableGnomeExtensions = true;
        };
      };
    };
    mpv.enable = true;
    zsh =
      let
        auth-socket-env = ''
          export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf -L agent-ssh-socket)"
        '';
      in
      {
        enable = true;
        loginExtra = auth-socket-env;
        initContent = auth-socket-env;
      };
  };
  services.gpg-agent = {
    enable = true;
    enableSshSupport = true;
    sshKeys = [ "9027AB16B9A7C20BD29F30F55CBA054430BF014C" ];
    extraConfig = ''
      pinentry-program ${pkgs.pinentry.qt}/bin/pinentry
    '';
  };
  xsession.enable = true;
 }
--- a/home/alex/local/bin/kill-old-mosh
+++ b/home/alex/local/bin/kill-old-mosh
--- a/home/alex/local/bin/merge-pdf
+++ b/home/alex/local/bin/merge-pdf
--- a/home/alex/modules/email.nix
+++ b/home/alex/modules/email.nix
@ -0,0 +1,58 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  mkAccount =
    addr:
    let
      domain = lib.lists.elemAt (lib.strings.splitString "@" addr) 1;
    in
    {
      address = addr;
      gpg = {
        key = "F2132F0C63730C6BC42BCC2A41A6D13FECA21280";
        signByDefault = true;
      };
      mbsync = {
        enable = true;
        create = "maildir";
      };
      passwordCommand = "${lib.getBin pkgs.gopass}/bin/gopass --nosync show -o eMail/${domain}/${addr}";
      msmtp.enable = true;
      notmuch.enable = true;
      realName = "Alexander Kobjolke";
      userName = addr;
    };
 in
 {
  programs.afew.enable = true;
  programs.mbsync.enable = true;
  programs.msmtp.enable = true;
  programs.notmuch = {
    enable = true;
    hooks.preNew = "mbsync --all";
  };
  programs.mu = {
    enable = true;
  };
  accounts.email = {
    accounts.failco = mkAccount "me@failco.de" // {
      primary = true;
      imap.host = "thrall.failco.de";
      smtp.host = "thrall.failco.de";
    };
    accounts.jakalx = mkAccount "alex@jakalx.net" // {
      imap.host = "thrall.failco.de";
      smtp.host = "thrall.failco.de";
    };
    accounts.google = mkAccount "petry.alexander@gmail.com" // {
      flavor = "gmail.com";
    };
  };
 }
--- a/home/alex/programs/autorandr/default.nix
+++ b/home/alex/programs/autorandr/default.nix
@ -0,0 +1,12 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  config.programs.autorandr = {
    enable = true;
  };
 }
--- a/home/alex/programs/devenv.nix
+++ b/home/alex/programs/devenv.nix
@ -0,0 +1,5 @@
 { pkgs, ... }:
 {
  config.home.packages = [ pkgs.devenv ];
 }
--- a/home/alex/programs/editorconfig/default.nix
+++ b/home/alex/programs/editorconfig/default.nix
@ -0,0 +1,18 @@
 { config, lib, pkgs, ... }:
 {
  editorconfig = {
    enable = true;
    settings = {
      "*" = {
        charset = "utf-8";
        end_of_line = "lf";
        trim_trailing_whitespace = true;
        insert_final_newline = true;
        max_line_width = 78;
        indent_style = "space";
        indent_size = 2;
      };
    };
  };
 }
--- a/home/alex/programs/emacs/default.nix
+++ b/home/alex/programs/emacs/default.nix
@ -0,0 +1,26 @@
 {
  pkgs,
  ...
 }:
 let
  emacsclient-wrapper = pkgs.writeShellScriptBin "e" ''
    exec ${pkgs.emacs}/bin/emacsclient --reuse-frame --no-wait "$@"
  '';
 in
 {
  home = {
    sessionPath = [ "$HOME/.emacs.d/bin" ];
    packages = [ emacsclient-wrapper ];
  };
  programs.emacs = {
    enable = true;
    extraPackages = epkgs: with epkgs; [ vterm ];
  };
  services.emacs = {
    enable = true;
    defaultEditor = true;
    startWithUserSession = true;
  };
 }
--- a/home/alex/programs/emacs/doom/config.el
+++ b/home/alex/programs/emacs/doom/config.el
@ -0,0 +1,410 @@
 ;;; $DOOMDIR/config.el -*- lexical-binding: t; -*-
 ;; Place your private configuration here! Remember, you do not need to run 'doom
 ;; sync' after modifying this file!
 (setq ak/at-work? (getenv "I_AM_AT_WORK"))
 ;; Some functionality uses this to identify you, e.g. GPG configuration, email
 ;; clients, file templates and snippets.
 (setq! user-full-name "Alexander Kobjolke"
       user-mail-address "me@failco.de"
       auth-sources '("~/.local/share/emacs/authinfo.gpg" "~/.authinfo.gpg" "~/.netrc")
       auth-source-cache-expiry nil)
 (when ak/at-work?
  (setq! user-mail-address "alexander.kobjolke@atlas-elektronik.com"))
 ;; Doom exposes five (optional) variables for controlling fonts in Doom. Here
 ;; are the three important ones:
 ;;
 ;; + `doom-font'
 ;; + `doom-variable-pitch-font'
 ;; + `doom-big-font' -- used for `doom-big-font-mode'; use this for
 ;;   presentations or streaming.
 ;;
 ;; They all accept either a font-spec, font string ("Input Mono-12"), or xlfd
 ;; font string. You generally only need these two:
 ;; (setq doom-font (font-spec :family "monospace" :size 12 :weight 'semi-light)
 ;;       doom-variable-pitch-font (font-spec :family "sans" :size 13))
 ;; There are two ways to load a theme. Both assume the theme is installed and
 ;; available. You can either set `doom-theme' or manually load a theme with the
 ;; `load-theme' function. This is the default:
 (setq! doom-theme 'doom-gruvbox)
 (setq! doom-localleader-key ",")
 (setq! doom-localleader-alt-key "M-,")
 (require 're-builder)
 (setq! reb-re-syntax 'string)
 ;; do not create a new workspace for each emacsclient
 ;; (after! persp-mode
 ;;     (setq! persp-emacsclient-init-frame-behaviour-override "main"))
 (after! lsp
  (add-to-list 'lsp-file-watch-ignored-directories "[/\\\\]\\.devenv\\'")
  (add-to-list 'lsp-file-watch-ignored-directories "[/\\\\]target\\'")
  )
 (defun set-frame-alpha (arg &optional active)
  "Interactively set the transparency of the active frame"
  (interactive "nEnter alpha value (1-100): \np")
  (let* ((elt (assoc 'alpha default-frame-alist))
         (old (frame-parameter nil 'alpha))
         (new (cond ((atom old)     `(,arg ,arg))
                    ((eql 1 active) `(,arg ,(cadr old)))
                    (t              `(,(car old) ,arg)))))
    (if elt (setcdr elt new) (push `(alpha ,@new) default-frame-alist))
    (set-frame-parameter nil 'alpha new)))
 (defun my/org-id-update-id-current-file ()
  "Scan the current buffer for Org-ID locations and update them."
  (interactive)
  (org-id-update-id-locations (list (buffer-file-name (current-buffer)))))
 (setq! undo-limit 80000000                         ; Raise undo-limit to 80Mb
       auto-save-default t                         ; Nobody likes to loose work, I certainly don't
       ;; switch-to-buffer-in-dedicated-window 'pop
       ;; switch-to-buffer-obey-display-actions t
       )
 ;; tweak some VI defaults
 (after! evil
  (setq! evil-ex-substitute-global t     ; I like my s/../.. to be global by default
         evil-move-cursor-back nil       ; Don't move the block cursor when toggling insert mode
         evil-want-fine-undo t                       ; By default while in insert all changes are one big blob. Be more granular
         evil-want-Y-yank-to-eol t
         evil-escape-key-sequence "qq"               ; define an escape sequence
         evil-escape-delay 0.175
         evil-move-beyond-eol t                      ; let the cursor move beyond eol just as in regular emacs
         evil-kill-on-visual-paste nil ; Don't put overwritten text in the kill ring
         evil-snipe-override-evil-repeat-keys nil))
 ;; This determines the style of line numbers in effect. If set to `nil', line
 ;; numbers are disabled. For relative line numbers, set this to `relative'.
 (setq! display-line-numbers-type 'relative)
 ;; mouse
 ;; enable mouse reporting for terminal emulators
 (unless window-system
  (xterm-mouse-mode 1)
  (global-set-key [mouse-4] (lambda ()
                              (interactive)
                              (scroll-down 1)))
  (global-set-key [mouse-5] (lambda ()
                              (interactive)
                              (scroll-up 1))))
 (use-package! org
  :init
  ;; If you use `org' and don't want your org files in the default location below,
  ;; change `org-directory'. It must be set before org loads!
  (setq! org-directory "~/org/")
  (setq! org-log-into-drawer t
         org-agenda-include-diary t
         org-agenda-sticky t
         org-todo-keywords '(
                             (sequence "NEXT(n)" "TODO(t)" "WAIT(w@/!)" "|" "DONE(d!)" "CNCL(k@)")
                             (sequence "[ ](T)" "[-](S)" "[?](W)" "|" "[X](D)")
                             )
         org-tag-alist '(
                         ;; Places
                         ("@home" . ?h)
                         ("@work" . ?w)
                         ;; devices
                         ("@phone" . ?p)
                         ("@computer" . ?c)
                         ;;
                         ("@email" . ?e)
                         ))
  :config
  (use-package! org-ql)
  (use-package! org-modern)
  (use-package! org-bookmark-heading)
  (add-hook! 'org-mode-hook #'+org-init-keybinds-h))
 (use-package! org-contacts
  :after org
  :custom (org-contacts-files '("~/org/contacts.org")))
 (use-package! activities
  :demand t
  :config
  (defun ak/activities-define--with-prefix-arg ()
    "Call 'C-u activities-define' in order to save the current activity."
    (interactive)
    (let ((current-prefix-arg '(4)))
      (call-interactively #'activities-define)))
  (activities-mode)
  (activities-tabs-mode)
  (setopt tab-bar-show 1)
  (map!
   (:prefix-map ("C-c a" . "Activities")
    :desc "Switch activity" "a" #'activities-switch
    :desc "Resume activity" "r" #'activities-resume
    :desc "Create new activity" "n" #'activities-new
    :desc "List activities" "l" #'activities-list
    :desc "Save current activity " "s" #'ak/activities-define--with-prefix-arg
    :desc "Save all activities" "S" #'activities-save-all
    :desc "Revert activity to default" "R" #'activities-revert
    )
   )
  )
 (when ak/at-work?
  (after! forge
    (add-to-list 'forge-alist '("gitlab.atlas.de" "gitlab.atlas.de/api/v4" "gitlab.atlas.de" forge-gitlab-repository)))
  (after! haskell-mode
    (setq haskell-process-type 'cabal-new-repl))
  (setq! plantuml-jar-path "~/opt/plantuml.jar")
  (setq! org-plantuml-jar-path plantuml-jar-path)
  (after! lsp
    (add-to-list 'lsp-disabled-clients 'cmakels))
  (add-to-list '+format-on-save-disabled-modes 'cmake-mode)
  (add-to-list '+format-on-save-disabled-modes 'nxml-mode)
  (use-package! code-review
    :init
    (setq code-review-auth-login-marker 'forge)
    ;; (setq code-review-gitlab-host "gitlab.atlas.de/api")
    ;; (setq code-review-gitlab-graphql-host "gitlab.atlas.de/api")
    :config
    (add-hook 'code-review-mode-hook
              (lambda ()
                ;; include *Code-Review* buffer into current workspace
                (persp-add-buffer (current-buffer))))))
 (after! magit
  (transient-append-suffix 'magit-fetch "-t"
    '("-f" "Bypass safety checks" "--force"))
  )
 (setq ak/bibliography (list (concat org-directory "references.bib")))
 ;; (setq org-cite-global-bibliography (list (concat org-directory "references.bib")))
 (setq! bibtex-completion-bibliography ak/bibliography)
 (setq! citar-bibliography ak/bibliography)
 (after! ledger-mode
  (setq!
   ;; Use an ISO date format for ledger entries
   ledger-default-date-format "%Y-%m-%d"
   ledger-binary-path "hledger"
   ledger-report-auto-width nil
   ledger-mode-should-check-version nil
   ledger-init-file-name " "
   ledger-post-amount-alignment-column 58
   ledger-report-native-highlighting-arguments '("--color=always")
   ledger-highlight-xact-under-point t)
  (setq! ledger-reports
         '(("bal" "%(binary) -f %(ledger-file) bal -B")
           ("reg" "%(binary) -f %(ledger-file) reg -B")
           ("payee" "%(binary) -f %(ledger-file) reg -B @%(payee)")
           ("account" "%(binary) -f %(ledger-file) reg -B %(account)"))) )
 (after! lsp-haskell
  (setq lsp-haskell-formatting-provider "fourmolu")
  ;; will define elisp functions for the given lsp code actions, prefixing the
  ;; given function names with "lsp"
  (lsp-make-interactive-code-action wingman-fill-hole "refactor.wingman.fillHole")
  (lsp-make-interactive-code-action wingman-case-split "refactor.wingman.caseSplit")
  (lsp-make-interactive-code-action wingman-refine "refactor.wingman.refine")
  (lsp-make-interactive-code-action wingman-split-func-args "refactor.wingman.spltFuncArgs")
  (lsp-make-interactive-code-action wingman-use-constructor "refactor.wingman.useConstructor")
  ;; example key bindings
  ;; (define-key haskell-mode-map (kbd "C-c d") #'lsp-wingman-case-split)
  ;; (define-key haskell-mode-map (kbd "C-c n") #'lsp-wingman-fill-hole)
  ;; (define-key haskell-mode-map (kbd "C-c r") #'lsp-wingman-refine)
  ;; (define-key haskell-mode-map (kbd "C-c c") #'lsp-wingman-use-constructor)
  ;; (define-key haskell-mode-map (kbd "C-c a") #'lsp-wingman-split-func-args)
  )
 ;; Org GTD support
 (use-package! org-gtd
  :after org
  :demand t
  :init
  (setq! org-gtd-update-ack "3.0.0")
  :config
  (setf  org-gtd-id--generate #'org-id-get-create)
  (setq! org-gtd-directory org-directory)
  (setq! org-gtd-default-file-name "actionable")
  (setq! org-gtd-refile-to-any-target nil)
  (setq! org-gtd-engage-prefix-width 40)
  (setq! org-edna-use-inheritance t)
  ;; (setq org-gtd-areas-of-focus '("house" "haskell" "foss"))
  (setq org-gtd-organize-hooks nil)
  (org-edna-mode)
  (map! :leader
        :desc "Capture"        "X"  #'org-gtd-capture
        (:prefix-map ("d" . "GTD")
         :desc "Capture"        "c"  #'org-gtd-capture
         :desc "Engage"         "e"  #'org-gtd-engage
         :desc "Engage Context" "@"  #'org-gtd-engage-grouped-by-context
         :desc "Process inbox"  "p"  #'org-gtd-process-inbox
         :desc "Show all next"  "n"  #'org-gtd-show-all-next
         :desc "Fix project"  "f"  #'org-gtd-projects-fix-todo-keywords-for-project-at-point
         (:prefix-map ("r" . "Review")
          :desc "Stuck projects" "p"  #'org-gtd-review-stuck-projects
          :desc "Stuck actions" "a"  #'org-gtd-review-stuck-single-action-items
          :desc "Stuck habits" "h"  #'org-gtd-review-stuck-habit-items
          )
         ))
  (map! :map org-gtd-clarify-map
        :desc "Organize this item" "C-c C-c" #'org-gtd-organize)
  (map! (:prefix-map ("C-c d" . "GTD")
         :desc "Capture"        "c"  #'org-gtd-capture
         :desc "Engage"         "e"  #'org-gtd-engage
         :desc "Engage Context" "@"  #'org-gtd-engage-grouped-by-context
         :desc "Process inbox"  "p"  #'org-gtd-process-inbox
         :desc "Show all next"  "n"  #'org-gtd-show-all-next
         :desc "Fix project"  "f"  #'org-gtd-projects-fix-todo-keywords-for-project-at-point
         (:prefix-map ("r" . "Review")
          :desc "Stuck projects" "p"  #'org-gtd-review-stuck-projects
          :desc "Stuck actions" "a"  #'org-gtd-review-stuck-single-action-items
          :desc "Stuck habits" "h"  #'org-gtd-review-stuck-habit-items))))
 (after! org-habit
  (setq org-habit-show-habits t
        org-habit-preceding-days 35
        org-habit-following-days 7))
 (use-package! org-edna
  :after org-gtd
  :init
  (setq org-edna-use-inheritance t)
  :config
  (org-edna-mode 1))
 (use-package! nov
  :mode ("\\.epub\\'" . nov-mode)
  :config
  (setq nov-save-place-file (concat doom-cache-dir "nov-places")))
 (use-package! protobuf-mode
  :mode ("\\.proto\\'" . protobuf-mode))
 (use-package! systemd
  :mode ("\\.\\(service\\|target\\|socket\\|timer\\)\\'" . systemd-mode))
 (use-package! org-present
  :after org)
 (use-package! denote
  :after org
  :config
  (setq! denote-directory (concat org-directory "/notes"))
  (map! :leader
        (:prefix-map ("n" . "notes")
         :desc "Denote"            "d"  #'denote-open-or-create-with-command
         ))
  :bind
  (("C-c n d" . #'denote-open-or-create-with-command))
  )
 (use-package! denote-org
  :after denote)
 (use-package! denote-journal
  :after denote)
 (use-package! denote-menu
  :after denote)
 (use-package! denote-sequence
  :after denote)
 (use-package! org-super-agenda
  :after org-agenda
  :init
  (setq! org-agenda-skip-deadline-if-done t
         org-agenda-skip-scheduled-if-done t
         org-agenda-include-deadlines t
         org-agenda-block-separator nil
         org-agenda-compact-blocks t
         org-agenda-start-day nil
         org-agenda-span 1
         org-agenda-start-on-weekday nil)
  (setq! org-agenda-custom-commands
         '(("a" "Getting Things done"
            ((agenda "" ((org-agenda-overriding-header "")
                         (org-super-agenda-groups
                          '((:name "Today"
                             :time-grid t
                             :date today
                             :order 1)))))
             (alltodo "" ((org-agenda-overriding-header "")
                          (org-super-agenda-groups
                           '(;(:log t)
                             (:name "Waiting for..."
                              :todo "WAIT"
                              :order 1)
                             (:discard (:not (:todo ("NEXT" "STRT"))))
                             (:name "Next actions"
                              :auto-parent (:todo ("NEXT" "STRT"))
                              :order 2
                              )
                             (:discard (:anything t)
                              :order 99)
                             ))))
             ))))
  :config
  (org-super-agenda-mode)
  )
 (use-package! org-fc
  :after org straight
  :config
  (setq! org-fc-directories (concat org-directory "/cards"))
  (setq! org-fc-source-path (concat straight-base-dir "repos/org-fc"))
  )
 (after! vterm
  (setq vterm-min-window-width 50)
  )
 (use-package! consult-denote
  :after denote)
 (use-package! cov)
                                        ;(use-package! casual-suite)
 (map! :desc "Move workspace to the left" :leader :n "TAB <" #'+workspace/swap-left)
 (map! :desc "Move workspace to the left" :leader :n "TAB >" #'+workspace/swap-right)
 ;; Here are some additional functions/macros that could help you configure Doom:
 ;;
 ;; - `load!' for loading external *.el files relative to this one
 ;; - `use-package!' for configuring packages
 ;; - `after!' for running code after a package has loaded
 ;; - `add-load-path!' for adding directories to the `load-path', relative to
 ;;   this file. Emacs searches the `load-path' when you load packages with
 ;;   `require' or `use-package'.
 ;; - `map!' for binding new keys
 ;;
 ;; To get information about any of these functions/macros, move the cursor over
 ;; the highlighted symbol at press 'K' (non-evil users must press 'C-c c k').
 ;; This will open documentation for it, including demos of how they are used.
 ;;
 ;; You can also try 'gd' (or 'C-c c d') to jump to their definition and see how
 ;; they are implemented.
--- a/home/alex/programs/emacs/doom/custom.el
+++ b/home/alex/programs/emacs/doom/custom.el
@ -0,0 +1,51 @@
 (custom-set-variables
 ;; custom-set-variables was added by Custom.
 ;; If you edit it by hand, you could mess it up, so be careful.
 ;; Your init file should contain only one such instance.
 ;; If there is more than one, they won't work right.
 '(ansi-color-names-vector
   ["#282c34" "#ff6c6b" "#98be65" "#ECBE7B" "#51afef" "#c678dd" "#46D9FF" "#bbc2cf"])
 '(custom-safe-themes
   '("c4063322b5011829f7fdd7509979b5823e8eea2abf1fe5572ec4b7af1dd78519" "835868dcd17131ba8b9619d14c67c127aa18b90a82438c8613586331129dda63" "7eea50883f10e5c6ad6f81e153c640b3a288cd8dc1d26e4696f7d40f754cc703" default))
 '(exwm-floating-border-color "#191b20")
 '(fci-rule-color "#5B6268")
 '(highlight-tail-colors
   ((("#333a38" "#99bb66" "green")
     . 0)
    (("#2b3d48" "#46D9FF" "brightcyan")
     . 20)))
 '(jdee-db-active-breakpoint-face-colors (cons "#1B2229" "#51afef"))
 '(jdee-db-requested-breakpoint-face-colors (cons "#1B2229" "#98be65"))
 '(jdee-db-spec-breakpoint-face-colors (cons "#1B2229" "#3f444a"))
 '(objed-cursor-color "#ff6c6b")
 '(pdf-view-midnight-colors (cons "#bbc2cf" "#282c34"))
 '(rustic-ansi-faces
   ["#282c34" "#ff6c6b" "#98be65" "#ECBE7B" "#51afef" "#c678dd" "#46D9FF" "#bbc2cf"])
 '(vc-annotate-background "#282c34")
 '(vc-annotate-color-map
   (list
    (cons 20 "#98be65")
    (cons 40 "#b4be6c")
    (cons 60 "#d0be73")
    (cons 80 "#ECBE7B")
    (cons 100 "#e6ab6a")
    (cons 120 "#e09859")
    (cons 140 "#da8548")
    (cons 160 "#d38079")
    (cons 180 "#cc7cab")
    (cons 200 "#c678dd")
    (cons 220 "#d974b7")
    (cons 240 "#ec7091")
    (cons 260 "#ff6c6b")
    (cons 280 "#cf6162")
    (cons 300 "#9f585a")
    (cons 320 "#6f4e52")
    (cons 340 "#5B6268")
    (cons 360 "#5B6268")))
 '(vc-annotate-very-old-color nil))
 (custom-set-faces
 ;; custom-set-faces was added by Custom.
 ;; If you edit it by hand, you could mess it up, so be careful.
 ;; Your init file should contain only one such instance.
 ;; If there is more than one, they won't work right.
 )
--- a/home/alex/programs/emacs/doom/init.el
+++ b/home/alex/programs/emacs/doom/init.el
@ -0,0 +1,194 @@
 ;;; init.el -*- lexical-binding: t; -*-
 ;; This file controls what Doom modules are enabled and what order they load
 ;; in. Remember to run 'doom sync' after modifying it!
 ;; NOTE Press 'SPC h d h' (or 'C-h d h' for non-vim users) to access Doom's
 ;;      documentation. There you'll find a "Module Index" link where you'll find
 ;;      a comprehensive list of Doom's modules and what flags they support.
 ;; NOTE Move your cursor over a module's name (or its flags) and press 'K' (or
 ;;      'C-c c k' for non-vim users) to view its documentation. This works on
 ;;      flags as well (those symbols that start with a plus).
 ;;
 ;;      Alternatively, press 'gd' (or 'C-c c d') on a module to browse its
 ;;      directory (for easy access to its source code).
 (doom! :input
       ;;chinese
       ;;japanese
       ;;layout            ; auie,ctsrnm is the superior home row
       :completion
       ;; company          ; the ultimate code completion backend
       ;;helm              ; the *other* search engine for love and life
       ;;ido               ; the other *other* search engine...
       ;;ivy               ; a search engine for love and life
       (vertico +orderless +icons)    ; the search engine of the future
       (corfu +orderless +icons +dabbrev)
       :ui
       ;;deft              ; notational velocity for Emacs
       doom              ; what makes DOOM look the way it does
       doom-dashboard    ; a nifty splash screen for Emacs
       doom-quit         ; DOOM quit-message prompts when you quit Emacs
       (emoji +unicode +github +ascii)  ; 🙂
       hl-todo           ; highlight TODO/FIXME/NOTE/DEPRECATED/HACK/REVIEW
       ;;hydra
       ;;indent-guides     ; highlighted indent columns
       ;;(ligatures +extra)  ; ligatures and symbols to make your code pretty again
       ;;minimap           ; show a map of the code on the side
       modeline          ; snazzy, Atom-inspired modeline, plus API
       nav-flash         ; blink cursor line after big motions
       ;;neotree           ; a project drawer, like NERDTree for vim
       ophints           ; highlight the region an operation acts on
       (popup +defaults +all)   ; tame sudden yet inevitable temporary windows
       ;;tabs              ; a tab bar for Emacs
       ;;treemacs          ; a project drawer, like neotree but cooler
       unicode           ; extended unicode support for various languages
       (vc-gutter +diff-hl) ; vcs diff in the fringe
       vi-tilde-fringe   ; fringe tildes to mark beyond EOB
       (window-select +numbers)     ; visually switch windows
       workspaces        ; tab emulation, persistence & separate workspaces
       zen               ; distraction-free coding or writing
       :editor
       (evil +everywhere); come to the dark side, we have cookies
       file-templates    ; auto-snippets for empty files
       fold              ; (nigh) universal code folding
       (format +onsave)  ; automated prettiness
       ;;god               ; run Emacs commands without modifier keys
       ;; lispy             ; vim for lisp, for people who don't like vim
       multiple-cursors
                                        ; editing in many places at once
       ;;objed             ; text object editing for the innocent
       ;; parinfer          ; turn lisp into python, sort of
       rotate-text       ; cycle region at point between text candidates
       snippets          ; my elves. They type so I don't have to
       word-wrap         ; soft wrapping with language-aware indent
       :emacs
       (dired +ranger +icons)             ; making dired pretty [functional]
       electric          ; smarter, keyword-based electric-indent
       (ibuffer +icons)         ; interactive buffer management
       undo              ; persistent, smarter undo for your inevitable mistakes
       vc                ; version-control and Emacs, sitting in a tree
       :term
       eshell            ; the elisp shell that works everywhere
       ;;shell             ; simple shell REPL for Emacs
       ;;term              ; basic terminal emulator for Emacs
       vterm             ; the best terminal emulation in Emacs
       :checkers
       syntax              ; tasing you for every semicolon you forget
       (spell +flyspell +everywhere +aspell) ; tasing you for misspelling mispelling
       ;;grammar           ; tasing grammar mistake every you make
       :tools
       ansible
       biblio              ; Writes a PhD for you (citation needed)
       (debugger +lsp)          ; FIXME stepping through code, to help you add bugs
       direnv
       (docker +lsp)
       editorconfig      ; let someone else argue about tabs vs spaces
       ;;ein               ; tame Jupyter notebooks with emacs
       (eval +overlay)     ; run code, run (also, repls)
       ;;gist              ; interacting with github gists
       lookup              ; navigate your code and its documentation
       (lsp)               ; M-x vscode
       (magit +forge)             ; a git porcelain for Emacs
       make              ; run make tasks from Emacs
       pass              ; password manager for nerds
       pdf               ; pdf enhancements
       ;;prodigy           ; FIXME managing external services & code builders
       ;;rgb               ; creating color strings
       ;;taskrunner        ; taskrunner for all your projects
       tmux              ; an API for interacting with tmux
       tree-sitter
       (terraform +lsp)         ; infrastructure as code
       ;;upload            ; map local to remote projects via ssh/ftp
       :os
       (:if IS-MAC macos)  ; improve compatibility with macOS
       (tty +osc)               ; improve the terminal Emacs experience
       :lang
       ;;agda              ; types of types of types of types...
       ;;beancount         ; mind the GAAP
       (cc +lsp +tree-sitter)                ; C > C++ == 1
       ;;clojure           ; java with a lisp
       common-lisp       ; if you've seen one lisp, you've seen them all
       ;;coq               ; proofs-as-programs
       ;;crystal           ; ruby at the speed of c
       ;;csharp            ; unity, .NET, and mono shenanigans
       data              ; config/data formats
       ;;(dart +flutter)   ; paint ui and not much else
       ;;dhall
       (elixir +lsp +tree-sitter)            ; erlang done right
       (elm +lsp +tree-sitter)             ; care for a cup of TEA?
       emacs-lisp        ; drown in parentheses
       (erlang +lsp +tree-sitter)            ; an elegant language for a more civilized age
       ;;ess               ; emacs speaks statistics
       ;;factor
       ;;faust             ; dsp, but you get to keep your soul
       ;;fsharp            ; ML stands for Microsoft's Language
       ;;fstar             ; (dependent) types and (monadic) effects and Z3
       ;;gdscript          ; the language you waited for
       (go +lsp +tree-sitter)         ; the hipster dialect
       (graphql +lsp)    ; Give queries a REST
       (haskell +lsp +tree-sitter)  ; a language that's lazier than I am
       ;;hy                ; readability of scheme w/ speed of python
       ;;idris             ; a language you can depend on
       (json +lsp +tree-sitter)              ; At least it ain't XML
       (java +lsp +tree-sitter)       ; the poster child for carpal tunnel syndrome
       javascript        ; all(hope(abandon(ye(who(enter(here))))))
       ;;julia             ; a better, faster MATLAB
       (kotlin +lsp)            ; a better, slicker Java(Script)
       latex             ; writing papers in Emacs has never been so fun
       ;;lean              ; for folks with too much to prove
       ledger            ; be audit you can be
       (lua +lsp +tree-sitter)               ; one-based indices? one-based indices
       (markdown +grip)          ; writing docs for people to ignore
       ;;nim               ; python + lisp at the speed of c
       (nix +lsp +tree-sitter)  ; I hereby declare "nix geht mehr!"
       ;;ocaml             ; an objective camel
       (org +pandoc +present +gnuplot +noter)               ; organize your plain life in plain text
       ;;php               ; perl's insecure younger brother
       plantuml          ; diagrams for confusing people more
       (purescript +lsp)   ; javascript, but functional
       (python +lsp +tree-sitter +pyenv)            ; beautiful is better than ugly
       qt                ; the 'cutest' gui framework ever
       (racket +lsp +xp) ; a DSL for DSLs
       ;;raku              ; the artist formerly known as perl6
       (rest +jq)          ; Emacs as a REST client
       ;;rst               ; ReST in peace
       ;;(ruby +rails)     ; 1.step {|i| p "Ruby is #{i.even? ? 'love' : 'life'}"}
       (rust +lsp +tree-sitter)             ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
       ;;scala             ; java, but good
       ;;(scheme +guile)   ; a fully conniving family of lisps
       (sh +lsp +tree-sitter)                ; she sells {ba,z,fi}sh shells on the C xor
       ;;sml
       ;;solidity          ; do you need a blockchain? No.
       ;;swift             ; who asked for emoji variables?
       ;;terra             ; Earth and Moon in alignment for performance.
       (web +lsp +tree-sitter)               ; the tubes
       (yaml +lsp +tree-sitter)              ; JSON, but readable
       (zig +lsp +tree-sitter)               ; C, but simpler
       :email
       (mu4e +org +gmail +mbsync)
       ;; (notmuch +org +afew)
       ;;(wanderlust +gmail)
       :app
       calendar
       ;;emms
       ;;everywhere        ; *leave* Emacs!? You must be joking
       irc               ; how neckbeards socialize
       (rss +org)        ; emacs as an RSS reader
       ;;twitter           ; twitter client https://twitter.com/vnought
       :config
       ;;literate
       (default +bindings +gnupg +smartparens))
--- a/home/alex/programs/emacs/doom/packages.el
+++ b/home/alex/programs/emacs/doom/packages.el
@ -0,0 +1,93 @@
 ;; -*- no-byte-compile: t; -*-
 ;;; $DOOMDIR/packages.el
 ;; To install a package with Doom you must declare them here and run 'doom sync'
 ;; on the command line, then restart Emacs for the changes to take effect -- or
 ;; use 'M-x doom/reload'.
 ;; To install SOME-PACKAGE from MELPA, ELPA or emacsmirror:
 ;;(package! some-package)
 ;; To install a package directly from a remote git repo, you must specify a
 ;; `:recipe'. You'll find documentation on what `:recipe' accepts here:
 ;; https://github.com/raxod502/straight.el#the-recipe-format
 ;;(package! another-package
 ;;  :recipe (:host github :repo "username/repo"))
 ;; If the package you are trying to install does not contain a PACKAGENAME.el
 ;; file, or is located in a subdirectory of the repo, you'll need to specify
 ;; `:files' in the `:recipe':
 ;;(package! this-package
 ;;  :recipe (:host github :repo "username/repo"
 ;;           :files ("some-file.el" "src/lisp/*.el")))
 ;; If you'd like to disable a package included with Doom, you can do so here
 ;; with the `:disable' property:
 ;;(package! builtin-package :disable t)
 ;; You can override the recipe of a built in package without having to specify
 ;; all the properties for `:recipe'. These will inherit the rest of its recipe
 ;; from Doom or MELPA/ELPA/Emacsmirror:
 ;;(package! builtin-package :recipe (:nonrecursive t))
 ;;(package! builtin-package-2 :recipe (:repo "myfork/package"))
 ;; Specify a `:branch' to install a package from a particular branch or tag.
 ;; This is required for some packages whose default branch isn't 'master' (which
 ;; our package manager can't deal with; see raxod502/straight.el#279)
 ;;(package! builtin-package :recipe (:branch "develop"))
 ;; Use `:pin' to specify a particular commit to install.
                                        ;(package! builtin-package :pin "1a2b3c4d5e")
 ;; Doom's packages are pinned to a specific commit and updated from release to
 ;; release. The `unpin!' macro allows you to unpin single packages...
                                        ;(unpin! pinned-package)
 ;; ...or multiple packages
                                        ;(unpin! pinned-package another-pinned-package)
 ;; ...Or *all* packages (NOT RECOMMENDED; will likely break things)
 ;;(unpin! t)
 ;;(package! this-package
 ;;  :recipe (:host github :repo "username/repo"
 ;;           :files ("some-file.el" "src/lisp/*.el")))
 ;;(unpin! compat)
 ;;(unpin! with-editor ghub)
 ;;(package! transient :pin "25b994a565ce8035330b0a3071ee430c0282349e") ; 0.8.8
 (package! ormolu)
 (package! org-gtd
  :recipe (:host github :repo "Trevoke/org-gtd.el" :branch "master"))
 (package! org-fc
  :recipe (:host sourcehut :repo "l3kn/org-fc" :branch "main"))
 (package! org-edna)
 (package! org-review
  :recipe (:host github :repo "jakalx/org-review" :branch "master"))
 (package! sqlite3)
 (package! emacsql-sqlite3)
 (package! nov)
 (package! org-present)
 (package! denote)
 (package! denote-org)
 (package! denote-journal)
 (package! denote-menu)
 (package! denote-sequence)
 (package! org-super-agenda)
 (package! org-modern)
 (package! org-ql)
 (package! org-contacts)
 (package! org-bookmark-heading)
 (package! activities
  :recipe (:host github :repo "alphapapa/activities.el" :branch "master"))
 ;; (package! elfeed-web)
 (package! systemd)
 (package! protobuf-mode)
 (package! cov)
 (package! modus-themes)
 (package! consult-denote)
 (package! casual-suite)
--- a/home/alex/programs/emacs/doom/snippets/org-mode/__
+++ b/home/alex/programs/emacs/doom/snippets/org-mode/__
@ -0,0 +1,3 @@
 # -*- mode: snippet -*-
 # name: Org Template file
 # --
--- a/home/alex/programs/fzf/default.nix
+++ b/home/alex/programs/fzf/default.nix
@ -0,0 +1,5 @@
 { config, lib, pkgs, ... }:
 {
  programs.fzf = { enable = true; };
 }
--- a/home/alex/programs/git/default.nix
+++ b/home/alex/programs/git/default.nix
@ -0,0 +1,83 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  programs.git = {
    enable = true;
    lfs.enable = true;
    ignores = [
      "*~"
      "*.swp"
      "result"
      "dist-newstyle"
      ".direnv"
      "*.bak"
      ".pre-commit-config.yaml"
    ];
    signing = {
      key = "41A6D13FECA21280";
      signByDefault = false;
    };
    settings = {
      pull = {
        rebase = true;
      };
      merge = {
        conflictstyle = "diff3";
      };
      submodule = {
        recurse = true;
      };
      user = {
        # TODO create option for my own account meta data
        email = "me@failco.de";
        name = "Alexander Kobjolke";
      };
      alias = {
        a = "add";
        c = "commit";
        ca = "commit --amend";
        can = "commit --amend --no-edit";
        cl = "clone";
        cm = "commit -m";
        co = "checkout";
        cp = "cherry-pick";
        cpx = "cherry-pick -x";
        d = "diff";
        f = "fetch";
        fo = "fetch origin";
        fu = "fetch upstream";
        lol = "log --graph --decorate --pretty=oneline --abbrev-commit";
        lola = "log --graph --decorate --pretty=oneline --abbrev-commit --all";
        pl = "pull";
        pr = "pull -r";
        ps = "push";
        psf = "push -f";
        rb = "rebase";
        rbi = "rebase -i";
        r = "remote";
        ra = "remote add";
        rr = "remote rm";
        rv = "remote -v";
        rs = "remote show";
        st = "status";
      };
      init.defaultBranch = "main";
    };
  };
  programs.delta = {
    enable = true;
    enableGitIntegration = true;
  };
  programs.git-cliff = {
    enable = true;
  };
 }
--- a/home/alex/programs/i3/default.nix
+++ b/home/alex/programs/i3/default.nix
@ -0,0 +1,15 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  config.xsession.windowManager.i3 = {
    enable = true;
    config = {
      modifier = "Mod4";
    };
  };
 }
--- a/home/alex/programs/jitsi-meet/default.nix
+++ b/home/alex/programs/jitsi-meet/default.nix
@ -0,0 +1,11 @@
 {
  config,
  lib,
  pkgs,
  stable,
  ...
 }:
 {
  config.home.packages = [ stable.jitsi-meet-electron ];
 }
--- a/home/alex/programs/jq/default.nix
+++ b/home/alex/programs/jq/default.nix
@ -0,0 +1,12 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  programs.jq = {
    enable = true;
  };
 }
--- a/home/alex/programs/jujutsu/default.nix
+++ b/home/alex/programs/jujutsu/default.nix
@ -0,0 +1,21 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  programs.jujutsu = {
    enable = true;
    settings = {
      user.name = config.programs.git.settings.user.name;
      user.email = config.programs.git.settings.user.email;
      ui.default-command = "log";
      aliases.init = [
        "git"
        "init"
      ];
    };
  };
 }
--- a/home/alex/programs/neovim/default.nix
+++ b/home/alex/programs/neovim/default.nix
@ -0,0 +1,20 @@
 { config, lib, pkgs, ... }:
 {
  programs.neovim = {
    enable = true;
    vimAlias = true;
    extraConfig = ''
      set nowrap
    '';
    plugins = with pkgs.vimPlugins; [
      vim-nix
      indentLine
      indent-blankline-nvim
      neoformat
    ];
  };
 }
--- a/home/alex/programs/rofi/default.nix
+++ b/home/alex/programs/rofi/default.nix
@ -0,0 +1,20 @@
 { config, lib, pkgs, ... }:
 {
  config.programs.rofi = {
    enable = true;
    plugins = with pkgs; [ rofi-calc rofi-emoji ];
    terminal = "${pkgs.alacritty}/bin/alacritty";
    theme = ./themes/gruvbox-dark-soft.rasi;
    pass = {
      enable = true;
      stores = [ config.programs.password-store.settings.PASSWORD_STORE_DIR ];
      extraConfig = ''
        default_user=:filename
      '';
    };
  };
  # let rofi insert emojis directly
  config.home.packages = [ pkgs.xdotool ];
 }
--- a/home/alex/programs/rofi/themes/gruvbox-dark-soft.rasi
+++ b/home/alex/programs/rofi/themes/gruvbox-dark-soft.rasi
@ -0,0 +1,191 @@
 /* ==========================================================================
   Rofi color theme
   Based on the Gruvbox color scheme for Vim by morhetz
   https://github.com/morhetz/gruvbox
   File: gruvbox-dark-soft.rasi
   Desc: Gruvbox dark (soft contrast) color theme for Rofi
   Author: bardisty <b@bah.im>
   Source: https://github.com/bardisty/gruvbox-rofi
   Modified: Mon Feb 12 2018 06:04:37 PST -0800
   ========================================================================== */
 * {
    /* Theme settings */
    highlight: bold italic;
    scrollbar: true;
    /* Gruvbox dark colors */
    gruvbox-dark-bg0-soft:     #32302f;
    gruvbox-dark-bg1:          #3c3836;
    gruvbox-dark-bg3:          #665c54;
    gruvbox-dark-fg0:          #fbf1c7;
    gruvbox-dark-fg1:          #ebdbb2;
    gruvbox-dark-red-dark:     #cc241d;
    gruvbox-dark-red-light:    #fb4934;
    gruvbox-dark-yellow-dark:  #d79921;
    gruvbox-dark-yellow-light: #fabd2f;
    gruvbox-dark-gray:         #a89984;
    /* Theme colors */
    background:                  @gruvbox-dark-bg0-soft;
    background-color:            @background;
    foreground:                  @gruvbox-dark-fg1;
    border-color:                @gruvbox-dark-gray;
    separatorcolor:              @border-color;
    scrollbar-handle:            @border-color;
    normal-background:           @background;
    normal-foreground:           @foreground;
    alternate-normal-background: @gruvbox-dark-bg1;
    alternate-normal-foreground: @foreground;
    selected-normal-background:  @gruvbox-dark-bg3;
    selected-normal-foreground:  @gruvbox-dark-fg0;
    active-background:           @gruvbox-dark-yellow-dark;
    active-foreground:           @background;
    alternate-active-background: @active-background;
    alternate-active-foreground: @active-foreground;
    selected-active-background:  @gruvbox-dark-yellow-light;
    selected-active-foreground:  @active-foreground;
    urgent-background:           @gruvbox-dark-red-dark;
    urgent-foreground:           @background;
    alternate-urgent-background: @urgent-background;
    alternate-urgent-foreground: @urgent-foreground;
    selected-urgent-background:  @gruvbox-dark-red-light;
    selected-urgent-foreground:  @urgent-foreground;
 }
 /* ==========================================================================
   File: gruvbox-common.rasi
   Desc: Shared rules between all gruvbox themes
   Author: bardisty <b@bah.im>
   Source: https://github.com/bardisty/gruvbox-rofi
   Modified: Mon Feb 12 2018 06:06:47 PST -0800
   ========================================================================== */
 window {
    background-color: @background;
    border:           2;
    padding:          2;
 }
 mainbox {
    border:  0;
    padding: 0;
 }
 message {
    border:       2px 0 0;
    border-color: @separatorcolor;
    padding:      1px;
 }
 textbox {
    highlight:  @highlight;
    text-color: @foreground;
 }
 listview {
    border:       2px solid 0 0;
    padding:      2px 0 0;
    border-color: @separatorcolor;
    spacing:      2px;
    scrollbar:    @scrollbar;
 }
 element {
    border:  0;
    padding: 2px;
 }
 element.normal.normal {
    background-color: @normal-background;
    text-color:       @normal-foreground;
 }
 element.normal.urgent {
    background-color: @urgent-background;
    text-color:       @urgent-foreground;
 }
 element.normal.active {
    background-color: @active-background;
    text-color:       @active-foreground;
 }
 element.selected.normal {
    background-color: @selected-normal-background;
    text-color:       @selected-normal-foreground;
 }
 element.selected.urgent {
    background-color: @selected-urgent-background;
    text-color:       @selected-urgent-foreground;
 }
 element.selected.active {
    background-color: @selected-active-background;
    text-color:       @selected-active-foreground;
 }
 element.alternate.normal {
    background-color: @alternate-normal-background;
    text-color:       @alternate-normal-foreground;
 }
 element.alternate.urgent {
    background-color: @alternate-urgent-background;
    text-color:       @alternate-urgent-foreground;
 }
 element.alternate.active {
    background-color: @alternate-active-background;
    text-color:       @alternate-active-foreground;
 }
 scrollbar {
    width:        4px;
    border:       0;
    handle-color: @scrollbar-handle;
    handle-width: 8px;
    padding:      0;
 }
 mode-switcher {
    border:       2px 0 0;
    border-color: @separatorcolor;
 }
 inputbar {
    spacing:    0;
    text-color: @normal-foreground;
    padding:    2px;
    children:   [ prompt, textbox-prompt-sep, entry, case-indicator ];
 }
 case-indicator,
 entry,
 prompt,
 button {
    spacing:    0;
    text-color: @normal-foreground;
 }
 button.selected {
    background-color: @selected-normal-background;
    text-color:       @selected-normal-foreground;
 }
 textbox-prompt-sep {
    expand:     false;
    str:        ":";
    text-color: @normal-foreground;
    margin:     0 0.3em 0 0;
 }
 element-text, element-icon {
    background-color: inherit;
    text-color:       inherit;
 }
--- a/home/alex/programs/shell/default.nix
+++ b/home/alex/programs/shell/default.nix
@ -0,0 +1,35 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  home.shellAliases = {
    suspend = "systemctl hibernate";
    nrs = "sudo nixos-rebuild switch --flake ~/src/nixos-config";
    nrb = "sudo nixos-rebuild build --flake ~/src/nixos-config";
  };
  programs.zsh = {
    enable = true;
    enableCompletion = true;
    autosuggestion.enable = true;
    syntaxHighlighting.enable = true;
    initContent = ''
      [ $TERM = "dumb" ] && unsetopt zle && PS1='$ '
    '';
    oh-my-zsh = {
      enable = true;
      plugins = [
        "git"
        "fzf"
        "z"
      ];
      theme = "simple";
    };
  };
 }
--- a/home/alex/programs/simplex-chat/default.nix
+++ b/home/alex/programs/simplex-chat/default.nix
@ -0,0 +1,5 @@
 { config, lib, pkgs, ... }:
 {
  config.home.packages = [ pkgs.simplex-chat-desktop ];
 }
--- a/home/alex/programs/xmonad/config.hs
+++ b/home/alex/programs/xmonad/config.hs
@ -0,0 +1,157 @@
 import XMonad
 import XMonad.Actions.CycleWS qualified as WS
 import XMonad.Actions.Navigation2D (navigation2DP, windowGo, windowSwap)
 import XMonad.Hooks.EwmhDesktops
 import XMonad.Hooks.ManageDocks qualified as Docks
 import XMonad.Hooks.ManageHelpers (doCenterFloat, doFullFloat, isDialog, isFullscreen)
 import XMonad.Hooks.SetWMName
 import XMonad.Layout.BinarySpacePartition
 import XMonad.Layout.BorderResize (borderResize)
 import XMonad.Layout.NoBorders (smartBorders)
 import XMonad.Layout.ThreeColumns
 import XMonad.Layout.ToggleLayouts (ToggleLayout (..), toggleLayouts)
 import XMonad.ManageHook (doFloat)
 import XMonad.StackSet as W
 import XMonad.Util.EZConfig qualified as EZ
 import XMonad.Util.NamedScratchpad
 import XMonad.Util.Ungrab (unGrab)
 import XMonad.Util.WorkspaceCompare qualified as WS
 import Control.Monad (when)
 import Numeric.Natural
 import System.Environment (getArgs)
 import System.FilePath ((</>))
 import System.Info (arch, os)
 import System.Posix.Process (executeFile)
 import Text.Printf (printf)
 compiledConfig = printf "xmonad-%s-%s" arch os
 compileRestart resume = do
    dirs <- asks directories
    whenX (recompile dirs True) $ do
        when resume writeStateToFile
        catchIO
            ( do
                args <- getArgs
                executeFile (cacheDir dirs </> compiledConfig) False args Nothing
            )
 myLayout = smartBorders . borderResize . Docks.avoidStruts $ toggleLayouts Full emptyBSP
 main :: IO ()
 main = getDirectories >>= launch myConfig
 -- change size of window using direction so that it can be used together with the navigation2D function
 -- see: similar to windowGo and windowSwap
 windowMoveSplit :: Direction2D -> Bool -> X ()
 windowMoveSplit direction _ = sendMessage $ MoveSplit direction
 data VolumeCommand
    = ToggleVolume
    | LowerVolume Natural
    | RaiseVolume Natural
 interpretVolumeCommand :: VolumeCommand -> String
 interpretVolumeCommand command = "amixer -q set Master " <> cmd
  where
    cmd = case command of
        ToggleVolume -> "toggle"
        LowerVolume delta -> show delta <> "%-"
        RaiseVolume delta -> show delta <> "%+"
 changeVolume :: VolumeCommand -> X ()
 changeVolume = spawn . interpretVolumeCommand
 myWorkspaceFilter :: X WS.WorkspaceSort
 myWorkspaceFilter = do
    sortXineramaAware <- WS.getSortByXineramaRule
    pure $ sortXineramaAware . WS.filterOutWs [scratchpadWorkspaceTag]
 scratchpads =
    [ NS
        "notes"
        "emacsclient -c -F '((name . \"gtd\"))'"
        (resource =? "gtd")
        doCenterFloat
    , -- (customFloating $ W.RationalRect (1/6) (1/6) (2/3) (2/3))
      NS
        "shell"
        "alacritty --class scratchpad"
        (resource =? "scratchpad")
        (customFloating $ W.RationalRect (1 / 6) (1 / 6) (2 / 3) (2 / 3))
    ]
 myConfig =
    addEwmhWorkspaceSort myWorkspaceFilter
        . ewmhFullscreen
        . ewmh
        . Docks.docks
        . nav
        $ def
            { modMask = mod4Mask -- Use Super instead of Alt
            , terminal = "alacritty"
            , layoutHook = myLayout
            , handleEventHook = handleEventHook def <+> fullscreenEventHook
            , -- this seems to be necessary to make java gui applications work :(
              startupHook = ewmhDesktopsStartup >> setWMName "LG3D"
            , manageHook =
                mconcat
                    [ namedScratchpadManageHook scratchpads
                    , isDialog --> doFloat
                    , isFullscreen --> doFullFloat
                    , className =? "steam_proton" --> doFloat
                    , manageHook def
                    ]
            }
            `EZ.additionalKeysP` [ ("M-S-z", spawn "xscreensaver-command -lock")
                                 , ("M-S-r", compileRestart True)
                                 , ("M-S-q", restart "xmonad" True)
                                 , ("M-C-s", unGrab *> spawn "scrot -s")
                                 , ("M-S-s", sendMessage Docks.ToggleStruts)
                                 , ("M-f", sendMessage (Toggle "Full"))
                                 , ("M-p", spawn appLauncher)
                                 , ("M-i", spawn passLauncher)
                                 , ("M-w", kill)
                                 , ("M-l", WS.toggleWS)
                                 , ("M-g", WS.prevWS)
                                 , ("M-C-g", WS.swapPrevScreen)
                                 , ("M-S-g", WS.shiftPrevScreen)
                                 , ("M-r", WS.nextWS)
                                 , ("M-C-r", WS.swapNextScreen)
                                 , ("M-S-r", WS.shiftNextScreen)
                                 , -- scratchpads
                                   ("M-s M-t", namedScratchpadAction scratchpads "shell")
                                 , ("M-s M-s", namedScratchpadAction scratchpads "notes")
                                 , -- backlight control
                                   ("<XF86MonBrightnessDown>", spawn "xbacklight -dec 5")
                                 , ("<XF86MonBrightnessUp>", spawn "xbacklight -inc 5")
                                 , ("<F5>", spawn "xbacklight -dec 5")
                                 , ("<F6>", spawn "xbacklight -inc 5")
                                 , -- transparency
                                   ("S-<XF86MonBrightnessDown>", spawn "picom-trans -c -5")
                                 , ("S-<XF86MonBrightnessUp>", spawn "picom-trans -c +5")
                                 , ("M-S-d", spawn "picom-trans -c +5")
                                 , ("M-S-b", spawn "picom-trans -c -5")
                                 , -- volume control
                                   ("<XF86AudioMute>", changeVolume ToggleVolume)
                                 , ("<XF86AudioLowerVolume>", changeVolume $ LowerVolume 5)
                                 , ("<XF86AudioRaiseVolume>", changeVolume $ RaiseVolume 5)
                                 , ("M-d", changeVolume $ RaiseVolume 5)
                                 , ("M-b", changeVolume $ LowerVolume 5)
                                 , ("M-a", sendMessage Balance)
                                 , ("M-S-a", sendMessage Equalize)
                                 , ("M-o", sendMessage Rotate)
                                 , ("M-y", withFocused $ windows . W.sink)
                                 ]
  where
    -- navigate using dvorak bindings
    nav = navigation2DP def ("c", "h", "t", "n") [("M-", windowGo), ("M-C-", windowSwap), ("M-S-", windowMoveSplit)] True
    appLauncher = "rofi -show combi -modes combi -combi-modes window,drun,run,ssh"
    passLauncher = "rofi-pass"
 -- myManageHook :: ManageHook
 -- myManageHook = composeAll
 --     [ className =? "Gimp" --> doFloat
 --     , isDialog            --> doFloat
 --     ]
--- a/home/alex/programs/xmonad/default.nix
+++ b/home/alex/programs/xmonad/default.nix
@ -0,0 +1,19 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  config.xsession.windowManager.xmonad = {
    enable = true;
    enableContribAndExtras = true;
    config = ./config.hs;
  };
  # control backlight
  config.home.packages = [
    pkgs.xorg.xbacklight
    pkgs.scrot
  ];
 }
--- a/home/alex/programs/zathura/default.nix
+++ b/home/alex/programs/zathura/default.nix
@ -0,0 +1,8 @@
 { config, lib, pkgs, ... }:
 {
  config.programs.zathura = {
    enable = true;
    extraConfig = builtins.readFile ./gruvbox-dark.zathurarc;
  };
 }
--- a/home/alex/programs/zathura/gruvbox-dark.zathurarc
+++ b/home/alex/programs/zathura/gruvbox-dark.zathurarc
@ -0,0 +1,40 @@
 set notification-error-bg       "#282828" # bg
 set notification-error-fg       "#fb4934" # bright:red
 set notification-warning-bg     "#282828" # bg
 set notification-warning-fg     "#fabd2f" # bright:yellow
 set notification-bg             "#282828" # bg
 set notification-fg             "#b8bb26" # bright:green
 set completion-bg               "#504945" # bg2
 set completion-fg               "#ebdbb2" # fg
 set completion-group-bg         "#3c3836" # bg1
 set completion-group-fg         "#928374" # gray
 set completion-highlight-bg     "#83a598" # bright:blue
 set completion-highlight-fg     "#504945" # bg2
 # Define the color in index mode
 set index-bg                    "#504945" # bg2
 set index-fg                    "#ebdbb2" # fg
 set index-active-bg             "#83a598" # bright:blue
 set index-active-fg             "#504945" # bg2
 set inputbar-bg                 "#282828" # bg
 set inputbar-fg                 "#ebdbb2" # fg
 set statusbar-bg                "#504945" # bg2
 set statusbar-fg                "#ebdbb2" # fg
 set highlight-color             "#fabd2f" # bright:yellow
 set highlight-active-color      "#fe8019" # bright:orange
 set default-bg                  "#282828" # bg
 set default-fg                  "#ebdbb2" # fg
 set render-loading              true
 set render-loading-bg           "#282828" # bg
 set render-loading-fg           "#ebdbb2" # fg
 # Recolor book content's color
 set recolor-lightcolor          "#282828" # bg
 set recolor-darkcolor           "#ebdbb2" # fg
 set recolor                     "true"
 # set recolor-keephue             true      # keep original color
--- a/home/alex/services/blueman-applet/default.nix
+++ b/home/alex/services/blueman-applet/default.nix
@ -0,0 +1,5 @@
 { config, lib, pkgs, ... }:
 {
  config.services.blueman-applet = { enable = true; };
 }
--- a/home/alex/services/dunst/default.nix
+++ b/home/alex/services/dunst/default.nix
@ -0,0 +1,30 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  config.services.dunst = {
    enable = true;
    iconTheme = {
      name = "Adwaita";
      package = pkgs.adwaita-icon-theme;
      size = "16x16";
    };
    settings = {
      global = {
        monitor = 0;
        geometry = "600x50-50+65";
        shrink = "yes";
        transparency = 10;
        padding = 16;
        horizontal_padding = 16;
        font = "JetBrainsMono Nerd Font 10";
        line_height = 4;
        format = "<b>%s</b>\\n%b";
      };
    };
  };
 }
--- a/home/alex/services/git-sync/default.nix
+++ b/home/alex/services/git-sync/default.nix
@ -0,0 +1,15 @@
 { config, lib, pkgs, ... }:
 let cfg = config.my.git-sync;
 in {
  options.my.git-sync = { enable = lib.mkEnableOption "git-sync"; };
  config.services.git-sync = lib.mkIf cfg.enable {
    enable = true;
    repositories = {
      "org" = {
        path = "${config.home.homeDirectory}/org";
        uri = "git+ssh://git@git.failco.de:jakalx/org.git";
      };
    };
  };
 }
--- a/home/alex/services/network-manager/default.nix
+++ b/home/alex/services/network-manager/default.nix
@ -0,0 +1,5 @@
 { config, lib, pkgs, ... }:
 {
  config.services.network-manager-applet = { enable = true; };
 }
--- a/home/alex/services/picom/default.nix
+++ b/home/alex/services/picom/default.nix
@ -0,0 +1,15 @@
 { config, lib, pkgs, ... }:
 {
  config.services.picom = {
    enable = true;
    activeOpacity = 1.0;
    inactiveOpacity = 0.8;
    backend = "glx";
    fade = true;
    fadeDelta = 5;
    opacityRules = [ "100:name *= 'i3lock'" ];
    shadow = true;
    shadowOpacity = 0.75;
  };
 }
--- a/home/alex/services/polybar/config.ini
+++ b/home/alex/services/polybar/config.ini
@ -0,0 +1,235 @@
 ;==========================================================
 ;
 ;
 ;   ██████╗  ██████╗ ██╗  ██╗   ██╗██████╗  █████╗ ██████╗
 ;   ██╔══██╗██╔═══██╗██║  ╚██╗ ██╔╝██╔══██╗██╔══██╗██╔══██╗
 ;   ██████╔╝██║   ██║██║   ╚████╔╝ ██████╔╝███████║██████╔╝
 ;   ██╔═══╝ ██║   ██║██║    ╚██╔╝  ██╔══██╗██╔══██║██╔══██╗
 ;   ██║     ╚██████╔╝███████╗██║   ██████╔╝██║  ██║██║  ██║
 ;   ╚═╝      ╚═════╝ ╚══════╝╚═╝   ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝
 ;
 ;
 ;   To learn more about how to configure Polybar
 ;   go to https://github.com/polybar/polybar
 ;
 ;   The README contains a lot of information
 ;
 ;==========================================================
 [colors]
 background = #282A2E
 background-alt = #373B41
 foreground = #C5C8C6
 primary = #F0C674
 secondary = #8ABEB7
 alert = #A54242
 disabled = #707880
 [bar/main]
 width = 100%
 height = 24pt
 radius = 6
 ; dpi = 96
 background = ${colors.background}
 foreground = ${colors.foreground}
 line-size = 3pt
 border-size = 4pt
 border-color = #00000000
 padding-left = 0
 padding-right = 1
 module-margin = 1
 separator = |
 separator-foreground = ${colors.disabled}
 font-0 = monospace;2
 modules-left = xworkspaces xwindow
 modules-center = systray
 modules-right = filesystem pulseaudio xkeyboard memory cpu battery wlan eth backlight date
 cursor-click = pointer
 cursor-scroll = ns-resize
 enable-ipc = true
 tray-position = center
 ; wm-restack = generic
 ; wm-restack = bspwm
 ; wm-restack = i3
 ; override-redirect = true
 [module/systray]
 type = internal/tray
 format-margin = 8pt
 tray-spacing = 16pt
 [module/battery]
 type = internal/battery
 ; This is useful in case the battery never reports 100% charge
 ; Default: 100
 full-at = 99
 ; format-low once this charge percentage is reached
 ; Default: 10
 ; New in version 3.6.0
 low-at = 10
 ; Use the following command to list batteries and adapters:
 ; $ ls -1 /sys/class/power_supply/
 battery = BAT0
 adapter = ADP0
 ; If an inotify event haven't been reported in this many
 ; seconds, manually poll for new values.
 ;
 ; Needed as a fallback for systems that don't report events
 ; on sysfs/procfs.
 ;
 ; Disable polling by setting the interval to 0.
 ;
 ; Default: 5
 poll-interval = 5
 [module/backlight]
 type = internal/xbacklight
 ; XRandR output to get get values from
 ; Default: the monitor defined for the running bar
 ;output = DP-4
 ; Create scroll handlers used to set the backlight value
 ; Default: true
 enable-scroll = true
 ; Available tags:
 ;   <label> (default)
 ;   <ramp>
 ;   <bar>
 format = <ramp>
 ; Available tokens:
 ;   %percentage% (default)
 label = %percentage%%
 ; Only applies if <ramp> is used
 ramp-0 = 🌕
 ramp-1 = 🌔
 ramp-2 = 🌓
 ramp-3 = 🌒
 ramp-4 = 🌑
 [module/xworkspaces]
 type = internal/xworkspaces
 label-active = %name%
 label-active-background = ${colors.background-alt}
 label-active-underline= ${colors.primary}
 label-active-padding = 1
 label-occupied = %name%
 label-occupied-padding = 1
 label-urgent = %name%
 label-urgent-background = ${colors.alert}
 label-urgent-padding = 1
 label-empty = %name%
 label-empty-foreground = ${colors.disabled}
 label-empty-padding = 1
 [module/xwindow]
 type = internal/xwindow
 label = %title:0:60:...%
 [module/filesystem]
 type = internal/fs
 interval = 25
 mount-0 = /
 label-mounted = %{F#F0C674}%mountpoint%%{F-} %percentage_used%%
 label-unmounted = %mountpoint% not mounted
 label-unmounted-foreground = ${colors.disabled}
 [module/pulseaudio]
 type = internal/pulseaudio
 format-volume-prefix = "VOL "
 format-volume-prefix-foreground = ${colors.primary}
 format-volume = <label-volume>
 label-volume = %percentage%%
 label-muted = muted
 label-muted-foreground = ${colors.disabled}
 [module/xkeyboard]
 type = internal/xkeyboard
 blacklist-0 = num lock
 label-layout = %layout%
 label-layout-foreground = ${colors.primary}
 label-indicator-padding = 2
 label-indicator-margin = 1
 label-indicator-foreground = ${colors.background}
 label-indicator-background = ${colors.secondary}
 [module/memory]
 type = internal/memory
 interval = 2
 format-prefix = "RAM "
 format-prefix-foreground = ${colors.primary}
 label = %percentage_used:2%%
 [module/cpu]
 type = internal/cpu
 interval = 2
 format-prefix = "CPU "
 format-prefix-foreground = ${colors.primary}
 label = %percentage:2%%
 [network-base]
 type = internal/network
 interval = 5
 format-connected = <label-connected>
 format-disconnected = <label-disconnected>
 label-disconnected = %{F#F0C674}%ifname%%{F#707880} disconnected
 [module/wlan]
 inherit = network-base
 interface-type = wireless
 label-connected = %{F#F0C674}%ifname%%{F-} %essid% %local_ip%
 [module/eth]
 inherit = network-base
 interface-type = wired
 label-connected = %{F#F0C674}%ifname%%{F-} %local_ip%
 [module/date]
 type = internal/date
 interval = 1
 date = %H:%M
 date-alt = %Y-%m-%d %H:%M:%S
 label = %date%
 label-foreground = ${colors.primary}
 [settings]
 screenchange-reload = true
 pseudo-transparency = true
 ; vim:ft=dosini
--- a/home/alex/services/polybar/default.nix
+++ b/home/alex/services/polybar/default.nix
@ -0,0 +1,19 @@
 { config, lib, pkgs, ... }:
 let
  mypolybar = pkgs.polybar.override {
    alsaSupport = true;
    mpdSupport = true;
    pulseSupport = true;
  };
 in {
  config.home.packages = with pkgs; [ font-awesome material-design-icons ];
  config.services.polybar = {
    enable = true;
    package = mypolybar;
    config = ./config.ini;
    script = ''
      polybar & disown
    '';
  };
 }
--- a/home/alex/services/screen-locker/default.nix
+++ b/home/alex/services/screen-locker/default.nix
@ -0,0 +1,15 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  config.services.screen-locker = {
    enable = false;
    inactiveInterval = 30;
    lockCmd = "${pkgs.i3lock}/bin/i3lock -n -c 000000";
    xautolock.extraOptions = [ "-detectsleep" ];
  };
 }
--- a/home/alex/services/syncthing/default.nix
+++ b/home/alex/services/syncthing/default.nix
@ -0,0 +1,11 @@
 { config, lib, pkgs, ... }:
 {
  config.services.syncthing = {
    enable = true;
    tray = {
      enable = true;
      command = "syncthingtray --wait";
    };
  };
 }
--- a/home/alex/services/udiskie/default.nix
+++ b/home/alex/services/udiskie/default.nix
@ -0,0 +1,8 @@
 { config, lib, pkgs, ... }:
 {
  config.services.udiskie = {
    enable = true;
    tray = "always";
  };
 }
--- a/home/anne/default.nix
+++ b/home/anne/default.nix
@ -0,0 +1,14 @@
 { config, lib, pkgs, ... }:
 let username = "anne";
 in {
  users.users.${username} = {
    isNormalUser = true;
    extraGroups = [ "input" ];
    description = "Anne Kobjolke";
    home = "/home/${username}";
    hashedPassword =
      "$6$Lq3kAyI7Oh3uvf9T$lxE1V9adw1lqjRT0tvCdj17zUz.nJkqkMSA8Y6ipuBIHoZqJKJcQPLby/BWdDvzcmCbyEOtA7grToclNnbV49/";
  };
  home-manager.users.${username} = import ./home.nix;
 }
--- a/home/anne/home.nix
+++ b/home/anne/home.nix
@ -0,0 +1,26 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  home = {
    language.base = "de_DE.UTF-8";
    stateVersion = "23.05";
    packages = with pkgs; [
      firefox
      alacritty
      gnome-session
      gnome-control-center
    ];
    keyboard.layout = "de";
    keyboard.variant = "nodeadkeys";
  };
  xsession = {
    enable = true;
    windowManager.command = "${pkgs.gnome-session}/bin/gnome-session";
  };
 }
--- a/home/cli.nix
+++ b/home/cli.nix
@ -1,160 +0,0 @@
 { config, pkgs, ... }:
 # minimal config, suitable for servers
 let
  myUser = "alex";
  myName = "Alexander Kobjolke";
  myMail = "me@failco.de";
 in {
  imports = [
    # shell config
    #./modules/shell
  ];
  programs.home-manager.enable = true;
  home = {
    username = myUser;
    homeDirectory = "/home/${myUser}";
    stateVersion = "21.05";
    sessionPath = [ "$HOME/.local/bin" "$HOME/.emacs.d/bin" ];
  };
  home.packages = with pkgs; [
    # archives
    #p7zip
    #unrar
    # nix tools
    nix-index
    nixfmt
    # misc
    fd # better find
    file # info about files
    unzip
    dropbox
    gotop
    gnumake
    ripgrep # better grep
    pijul
    sqlite.dev
    sqlite
    #    pass
    pandoc
    hledger
    hledger-web
    hledger-iadd
    hledger-ui
    #smos
    #haskellPackages.patat # terminal based presentations using pandoc
    nix-prefetch-git
  ];
  home.extraOutputsToInstall = [ "doc" "info" "devdoc" ];
  xdg.enable = true;
  # xdg.configFile = {
  #   "emacs".source = ./emacs.d;
  # };
  xdg.configFile.tmux = {
    target = "tmux/tmux.conf";
    text = ''
      set -g default-terminal "tmux-256color"
      set -g prefix C-z
      # do not wait for a manually entered escape sequence, just forward it immediately
      set -g escape-time 0
      bind-key C-z send-prefix
      set -g renumber-windows on
    '';
  };
  xdg.configFile.pijul = {
    target = "pijul/config.toml";
    text = ''
      [author]
      name = "${myUser}"
      full_name = "${myName}"
      email = "${myMail}"
    '';
  };
  programs = {
    zsh = {
      enable = true;
      enableAutosuggestions = true;
      #      enableSyntaxHighlighting = true;
      shellAliases = { e = "emacsclient -c $@"; };
      oh-my-zsh = {
        enable = true;
        plugins = [ "git" ];
        theme = "simple";
      };
    };
    # better cat
    bat.enable = true;
    direnv = {
      enable = true;
      nix-direnv = { enable = true; };
      enableZshIntegration = true;
      enableBashIntegration = true;
    };
    emacs = {
      enable = true;
      package = pkgs.emacsGit;
      extraPackages = epkgs: with epkgs; [ vterm ];
      #package = pkgs.emacsUnstable;
    };
    gh = {
      enable = true;
      settings.git_protocol = "ssh";
    };
    git = {
      enable = true;
      ignores = [ "*~" "*.swp" "result" "dist-newstyle" ];
      userEmail = myMail;
      userName = myName;
      aliases = { st = "status"; };
      extraConfig = { init.defaultBranch = "main"; };
    };
    gpg = {
      enable = true;
      settings = { homedir = "~/.local/share/gnupg"; };
    };
    helix = {
      enable = true;
      settings.theme = "gruvbox";
    };
    password-store = {
      enable = true;
      package = pkgs.pass.withExtensions (exts: [ exts.pass-otp ]);
      settings = { PASSWORD_STORE_DIR = "$HOME/.local/share/password-store"; };
    };
    ssh.enable = true;
    neovim = import ./modules/nvim.nix pkgs;
    texlive.enable = true;
  };
  services.gpg-agent = {
    enable = true;
    enableSshSupport = true;
    defaultCacheTtl = 300;
    defaultCacheTtlSsh = 300;
  };
  services.emacs = { enable = true; };
  home.file.".local" = {
    recursive = true;
    source = ./local;
  };
 }
--- a/home/emacs.d
+++ b/home/emacs.d
@ -1 +0,0 @@
 Subproject commit bf8495b4122701fb30cb6cea37281dc8f3bedcd0
--- a/hosts/dregil/configuration.nix
+++ b/hosts/dregil/configuration.nix
@ -2,7 +2,13 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ inputs, config, pkgs, lib, ... }:
+{
  inputs,
  config,
  pkgs,
  lib,
  ...
 }:
 let
  nvidia-offload = pkgs.writeShellScriptBin "nvidia-offload" ''
    export __NV_PRIME_RENDER_OFFLOAD=1
@ -13,16 +19,20 @@ let
  '';
 in
 {
-  imports =
+  imports = [
-    [
+    # Include the results of the hardware scan.
-      # Include the results of the hardware scan.
+    ./hardware-configuration.nix
-      ./hardware-configuration.nix
+    # <nixos-hardware/lenovo/legion/15ich>
-      # <nixos-hardware/lenovo/legion/15ich>
+    ../../modules/appimage.nix
-    ];
+    ../../modules/sudo.nix
    ../../modules/wm/x.nix
    ../../modules/wm/xmonad/default.nix
  ];
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.timeout = 5;
  # do not protect the kernel image to allow hibernation
  security.protectKernelImage = lib.mkForce false;
@ -30,94 +40,68 @@ in
  networking.hostName = "dregil"; # Define your hostname.
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
-  # Configure network proxy if necessary
+  networking.extraHosts = ''
-  # networking.proxy.default = "http://user:password@proxy:port/";
+    127.0.0.1 localhost dregil.localdomain dregil
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+  '';
  i18n = {
    extraLocaleSettings = {
      TIME_STYLE = "iso";
    };
    extraLocales = "all";
  };
  console = {
    font = "Lat2-Terminus16";
-    useXkbConfig = true; # use xkbOptions in tty.
+    keyMap = "dvorak";
  };
  # Enable the X11 windowing system.
  services.xserver = {
    enable = true;
    exportConfiguration = true;
    # Configure keymap in X11
    layout = "dvorak";
    xkbOptions = "terminate:ctrl_alt_bksp,caps:escape,compose:ralt";
    videoDrivers = [ "nvidia" ]; # "modesetting" ];
    displayManager.lightdm = {
      enable = true;
    };
    desktopManager.xfce.enable = true;
    # Enable touchpad support (enabled default in most desktopManager).
    libinput = {
      enable = true;
      touchpad.disableWhileTyping = true;
      touchpad.naturalScrolling = true;
      mouse.naturalScrolling = config.services.xserver.libinput.touchpad.naturalScrolling;
    };
  };
  fonts = {
-    enableDefaultFonts = true;
+    enableDefaultPackages = true;
-    fonts = with pkgs; [
+    packages =
      with pkgs;
      [
        corefonts
        noto-fonts
        noto-fonts-emoji
        fira-code
        fira-code-symbols
-        nerdfonts
+      ]
-    ];
+      ++ builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
  };
  # Enable CUPS to print documents.
  # services.printing.enable = true;
-  # Enable sound.
+  # rtkit is optional but recommended
-  sound.enable = true;
+  security.rtkit.enable = true;
-  hardware.pulseaudio.enable = true;
+  services.pipewire = {
-
+    enable = true;
-  # Define a user account. Don't forget to set a password with ‘passwd’.
+    alsa.enable = true;
-  users.users.alex = {
+    alsa.support32Bit = true;
-    isNormalUser = true;
+    pulse.enable = true;
-    extraGroups = [ "wheel" # Enable ‘sudo’ for the user.
+    # If you want to use JACK applications, uncomment this
-                    "input"
+    #jack.enable = true;
-                  ];
+  };
 };
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
-     wget
+    wget
-     ripgrep
+    ripgrep
-     git
+    git
-     nvidia-offload
+    nvidia-offload
-     pinentry
+    pinentry
  ];
  # adjust channels to nixpkgs used on this system via this flake
-  environment.etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-unstable.outPath;
+  environment.etc."nix/inputs/nixpkgs".source = inputs.nixpkgs.outPath;
-  nix.nixPath = [
+  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
    "nixpkgs=${inputs.nixpkgs-unstable}"
  ];
-  # Some programs need SUID wrappers, can be configured further or are
+  nix.settings.max-jobs = 3;
-  # started in user sessions.
+  nix.settings.cores = 4;
  # programs.mtr.enable = true;
  programs.gnupg.agent = {
     enable = true;
     enableSSHSupport = true;
  };
  programs.neovim = {
    enable = true;
@ -127,24 +111,30 @@ in
    enable = true;
  };
  programs.zsh = {
    enable = true;
  };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
-  # Open ports in the firewall.
+  services.blueman.enable = true;
-  # networking.firewall.allowedTCPPorts = [ ... ];
+
-  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Open ports in the firewall
  # 22000, 21027 syncthing discovery and connectivity
  networking.firewall.allowedTCPPorts = [
    5223
    22000
  ];
  networking.firewall.allowedUDPPorts = [
    21027
    22000
  ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  system.nixos.tags = [ "HiDPI" "nvidia-only" ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
@ -152,6 +142,4 @@ in
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.11"; # Did you read the comment?
 }
--- a/hosts/dregil/default.nix
+++ b/hosts/dregil/default.nix
@ -1,22 +1,32 @@
-{ inputs, ... }:
+{
-let
+  inputs,
-  inherit (inputs.nixpkgs-unstable.lib) nixosSystem;
+  stable,
-
+  system,
-  system = "x86_64-linux";
+  ...
-
+}:
-  pkgs = import inputs.nixpkgs-unstable {
+{
-    inherit system;
+  imports = [
-    config = {
+    (
-        allowUnfree = true;
+      { inputs, lib, ... }:
-    };      
+      {
-  };
+        nixpkgs = {
-in
+          config.allowUnfree = true;
-nixosSystem {
+        };
-  inherit system pkgs;
+        home-manager.extraSpecialArgs = { inherit stable; };
-  specialArgs = { inherit inputs; };
+      }
-  modules = [
+    )
    ../../modules/security.nix
    ../../modules/common-system.nix
    ./configuration.nix
    inputs.home-manager.nixosModules.home-manager
    inputs.distro-grub-themes.nixosModules.${system}.default
    ../../home/anne/default.nix
    ../../home/alex/default.nix
    ../../modules/grub-themes
    ../../modules/hyprland
    ../../modules/podman
    ../../modules/tailscale
    ../../modules/flatpak.nix
    ../../modules/nh.nix
  ];
 }
--- a/hosts/dregil/hardware-configuration.nix
+++ b/hosts/dregil/hardware-configuration.nix
@ -1,15 +1,34 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports =
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
-  boot.initrd.kernelModules = [ "dm-snapshot" "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1" ];
+    "xhci_pci"
    "thunderbolt"
    "nvme"
    "usb_storage"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [
    "dm-snapshot"
    "uas"
    "usbcore"
    "usb_storage"
    "vfat"
    "nls_cp437"
    "nls_iso8859_1"
  ];
  boot.initrd.luks.devices = {
    root = {
      device = "/dev/disk/by-uuid/bebf96d1-2a2b-412c-a5f0-f9ed5730a05f";
@ -20,37 +39,46 @@
      keyFileSize = 4096;
    };
  };
-  boot.kernelModules = [ "kvm-intel" "nvidia" ];
+  boot.kernelModules = [
-  boot.extraModulePackages = [ pkgs.linuxPackages.nvidia_x11 ];
+    "kvm-intel"
    "nvidia"
  ];
  boot.kernelParams = [ "module_blacklist=i915" ];
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
+    device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
-      fsType = "btrfs";
+    fsType = "btrfs";
-      options = [ "subvol=root" "compress=zstd" ];
+    options = [
-    };
+      "subvol=root"
-
+      "compress=zstd"
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
      fsType = "btrfs";
      options = [ "subvol=home" "compress=zstd" ];
    };
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
      fsType = "btrfs";
      options = [ "subvol=nix" "compress=zstd" "noatime" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/786D-42D7";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/b8c224ad-095e-4a48-b5b2-a19451fdeb95";
      }
    ];
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
    fsType = "btrfs";
    options = [
      "subvol=home"
      "compress=zstd"
    ];
  };
  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
    fsType = "btrfs";
    options = [
      "subvol=nix"
      "compress=zstd"
      "noatime"
    ];
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/786D-42D7";
    fsType = "vfat";
  };
  swapDevices = [ { device = "/dev/disk/by-uuid/b8c224ad-095e-4a48-b5b2-a19451fdeb95"; } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@ -64,29 +92,28 @@
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.video.hidpi.enable = true;
  hardware.nvidia = {
-     nvidiaSettings = true;
+    nvidiaSettings = true;
-     nvidiaPersistenced = true;
+    nvidiaPersistenced = true;
    open = true;
-#    modesetting.enable = true;
+    #    modesetting.enable = true;
-     package = config.boot.kernelPackages.nvidiaPackages.beta;
+    package = config.boot.kernelPackages.nvidiaPackages.beta;
-#    prime = {
+    #    prime = {
-#      offload.enable = true;
+    #      offload.enable = true;
-#
+    #
-#      intelBusId = "PCI:1:0:0";
+    #      intelBusId = "PCI:1:0:0";
-#      nvidiaBusId = "PCI:1:0:0";
+    #      nvidiaBusId = "PCI:1:0:0";
-#      intelBusId = "0@0:2:0";
+    #      intelBusId = "0@0:2:0";
-#      nvidiaBusId = "1@1:0:0";
+    #      nvidiaBusId = "1@1:0:0";
-#    };
+    #    };
  };
-  hardware.opengl = {
+  hardware.graphics = {
    enable = true;
-    driSupport = true;
+    enable32Bit = true;
    driSupport32Bit = true;
  };
  hardware.keyboard.uhk.enable = true;
  hardware.bluetooth.enable = true;
 }
--- a/hosts/igor/default.nix
+++ b/hosts/igor/default.nix
@ -0,0 +1,147 @@
 {
  inputs,
  pkgs,
  config,
  ...
 }:
 {
  imports = [
    inputs.disko.nixosModules.disko
    ./hardware-configuration.nix
    ./disko-config.nix
    ./syncthing.nix
    ../../modules/security.nix
    ../../modules/nix-config.nix
    ../../modules/timezone.nix
    ../../modules/keybase.nix
    ../../modules/ssh.nix
    ../../modules/tailscale
    ../../modules/vsftpd
    ../../modules/mosh.nix
  ];
  config.boot.loader.grub.enable = true;
  config.boot.loader.grub.efiSupport = true;
  config.boot.loader.grub.efiInstallAsRemovable = true;
  #config.boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  config.boot.loader.grub.device = "/dev/disk/by-id/ata-HGST_HTS725050A7E630_TF655AY92SM3XL"; # or "nodev" for efi only
  config.security.sudo.wheelNeedsPassword = false;
  config.networking = {
    hostName = "igor";
    domain = "failco.de";
    wireless = {
      enable = true;
      userControlled.enable = true;
      allowAuxiliaryImperativeNetworks = true;
      secretsFile = "/etc/wireless.conf";
      networks = {
        Prapsschnalinen.pskRaw = "ext:home";
      };
    };
    useDHCP = true;
    enableIPv6 = true;
    networkmanager.enable = false;
    firewall.enable = true;
    firewall.allowedTCPPorts = [
      config.services.mysql.settings.mysqld.port
    ];
  };
  config.security.sudo = {
    enable = true;
    execWheelOnly = true;
  };
  # Select internationalization properties.
  config.i18n.defaultLocale = "en_US.UTF-8";
  config.console = {
    font = "Lat2-Terminus16";
    keyMap = "dvorak";
  };
  # Set your time zone.
  config.time.timeZone = "Europe/Berlin";
  # Enable the X11 windowing system.
  config.services.xserver.enable = true;
  config.services.logind.lidSwitch = "lock";
  # Enable the GNOME Desktop Environment.
  config.services.xserver.displayManager.gdm.enable = true;
  config.services.xserver.desktopManager.gnome.enable = true;
  # Configure keymap in X11
  config.services.xserver.xkb.layout = "us";
  config.services.xserver.xkb.variant = "dvorak";
  config.services.xserver.xkb.options = "eurosign:e,caps:escape";
  # Enable CUPS to print documents.
  config.services.printing.enable = true;
  # Enable sound.
  # hardware.pulseaudio.enable = true;
  # OR
  config.services.pipewire = {
    enable = true;
    pulse.enable = true;
  };
  # Enable touchpad support (enabled default in most desktopManager).
  config.services.libinput.enable = true;
  config.services.mysql = {
    enable = true;
    package = pkgs.mariadb;
  };
  config.programs.firefox.enable = true;
  config.programs.git.enable = true;
  config.programs.nm-applet.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  config.users.users.alex = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.zsh;
    packages = [ pkgs.devenv ];
  };
  config.environment.systemPackages = with pkgs; [
    alacritty
    dolphin
    waybar
    hyprpaper
    wofi
    tmux
    lftp
  ];
  config.programs.direnv = {
    enable = true;
    silent = true;
  };
  config.programs.hyprland = {
    enable = true;
    withUWSM = true;
  };
  config.programs.neovim = {
    enable = true;
    defaultEditor = true;
    viAlias = true;
    vimAlias = true;
  };
  config.programs.zsh.enable = true;
  config.system.stateVersion = "24.11";
 }
--- a/hosts/igor/disko-config.nix
+++ b/hosts/igor/disko-config.nix
@ -0,0 +1,67 @@
 {
  disko.devices = {
    disk.main = {
      type = "disk";
      device = "/dev/sdb";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            size = "1M";
            type = "EF02";
          };
          ESP = {
            priority = 1;
            name = "ESP";
            start = "1M";
            end = "512M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            size = "100%";
            content = {
              type = "btrfs";
              extraArgs = [ "-f" ];
              subvolumes = {
                "/rootfs" = {
                  mountpoint = "/";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                  ];
                };
                "/home" = {
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                  ];
                  mountpoint = "/home";
                };
                "/nix" = {
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                  ];
                  mountpoint = "/nix";
                };
                "/swap" = {
                  mountpoint = "/.swapvol";
                  swap = {
                    swapfile.size = "2G";
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/igor/hardware-configuration.nix
+++ b/hosts/igor/hardware-configuration.nix
@ -0,0 +1,72 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ehci_pci"
    "ahci"
    "usb_storage"
    "sd_mod"
    "rtsx_pci_sdmmc"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
 #  fileSystems."/" =
 #    { device = "/dev/disk/by-uuid/e7720a57-f96a-4f37-a2ad-43527868418c";
 #      fsType = "btrfs";
 #      options = [ "subvol=rootfs" ];
 #    };
 #
 #  fileSystems."/.swapvol" =
 #    { device = "/dev/disk/by-uuid/e7720a57-f96a-4f37-a2ad-43527868418c";
 #      fsType = "btrfs";
 #      options = [ "subvol=swap" ];
 #    };
 #
 #  fileSystems."/boot" =
 #    { device = "/dev/disk/by-uuid/2EDA-47FD";
 #      fsType = "vfat";
 #      options = [ "fmask=0022" "dmask=0022" ];
 #    };
 #
 #  fileSystems."/home" =
 #    { device = "/dev/disk/by-uuid/e7720a57-f96a-4f37-a2ad-43527868418c";
 #      fsType = "btrfs";
 #      options = [ "subvol=home" ];
 #    };
 #
 #  fileSystems."/nix" =
 #    { device = "/dev/disk/by-uuid/e7720a57-f96a-4f37-a2ad-43527868418c";
 #      fsType = "btrfs";
 #      options = [ "subvol=nix" ];
 #    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wwp0s20u4i6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/igor/syncthing.nix
+++ b/hosts/igor/syncthing.nix
@ -0,0 +1,29 @@
 { config, lib, ... }:
 {
  config.services.syncthing = {
    enable = true;
    user = "vsftpd";
    group = "vsftpd";
    dataDir = "/var/lib/vsftpd";
    settings.devices = {
      thrall = {
        id = "P52YQU2-7LCEOVV-DSGTAZG-AJ2DSJD-JPHSUJE-HC2KAGO-YR4SXQD-V6OQ7QF";
 	addresses = [ "tcp://195.90.211.228:22000" ];
      };
    };
    settings.folders = {
      paperless = {
 	path = "${config.services.vsftpd.localRoot}/scan";
 	devices = [ "thrall" ];
 	versioning = {
          type = "trashcan";
          params.cleanoutDays = "90";
        };
      };
    };
  };
 }
--- a/hosts/redmi/default.nix
+++ b/hosts/redmi/default.nix
@ -4,12 +4,14 @@
  # Simply install just the packages
  environment.packages = with pkgs; [
    # User-facing stuff that you really really want to have
-    vim # or some other editor, e.g. nano or neovim
+    neovim
    git
    git-annex
    mosh
    openssh
    wget
    tmux
    # Some common stuff that people expect to have
    #diffutils
@ -27,13 +29,18 @@
    #xz
    #zip
    #unzip
    inetutils
  ];
  # Backup etc files instead of failing to activate generation if a file already exists in /etc
  environment.etcBackupExtension = ".bak";
  environment.sessionVariables = {
    EDITOR = "${pkgs.neovim}/bin/nvim";
  };
  # Read the changelog before changing this value
-  system.stateVersion = "22.11";
+  system.stateVersion = "24.05";
  # Set up nix for flakes
  nix.extraOptions = ''
--- a/hosts/thrall/alex.nix
+++ b/hosts/thrall/alex.nix
@ -0,0 +1,7 @@
 { config, lib, pkgs, ... }:
 {
  imports = [ ../../home/alex/cli.nix ../../home/alex/services/git-sync ];
  config.my.git-sync.enable = true;
 }
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
@ -2,28 +2,39 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ config, pkgs, ... }:
+{
-let extIface = "ens3";
+  inputs,
-in {
+  lib,
-  imports = [ # Include the results of the hardware scan.
+  config,
  pkgs,
  ...
 }:
 let
  authorityFromUrl = url: builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
 in
 {
  disabledModules = [ "services/web-apps/hledger-web.nix" ];
  imports = [
    ./hardware-configuration.nix
    inputs.snm.nixosModule
    inputs.agenix.nixosModules.age
    ../../modules/security.nix
    ../../modules/sudo.nix
    ../../modules/upgrade-pg-cluster.nix
    ../../modules/nix-config.nix
    ../../modules/iohk.nix
    ../../modules/timezone.nix
    ../../modules/keybase.nix
    ../../modules/ssh.nix
    ../../modules/hledger-web.nix
    ../../modules/tailscale
    ../../modules/mosh.nix
    ../../modules/nh.nix
  ];
  nix.package = pkgs.nixUnstable;
  nix.extraOptions = ''
    experimental-features = nix-command flakes ca-derivations
  '';
  # nix.registry.nixpkgs.flake = nixpkgs;
  # Binary Cache for Haskell.nix
  nix.settings.trusted-public-keys =
    [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
  #nix.binaryCaches = [ "https://hydra.iohk.io" ];
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
@ -31,9 +42,6 @@ in {
  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
  # boot.loader.systemd-boot.enable = true;
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  age.secrets = {
    mailPass.file = ../../secrets/mailPass.age;
    paperless-mail.file = ../../secrets/paperless-mail.age;
@ -41,85 +49,98 @@ in {
    hledger-web = {
      file = ../../secrets/hledger-web.htaccess.age;
      mode = "440";
-      owner = "nginx";
+      owner = config.services.nginx.user;
-      group = "nginx";
+      group = config.services.nginx.group;
    };
  };
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
-  networking = {
+  networking =
-    hostName = "thrall";
+    let
-    domain = "failco.de";
+      extIface = "ens3";
-    wireless.enable = false;
+    in
-    useDHCP = false;
+    {
-    enableIPv6 = false;
+      hostName = "thrall";
-    interfaces.${extIface}.ipv4.addresses = [{
+      domain = "failco.de";
-      address = "195.90.211.228";
+      wireless.enable = false;
-      prefixLength = 22;
+      useDHCP = false;
-    }];
+      enableIPv6 = false;
-    defaultGateway = "195.90.208.1";
+      interfaces.${extIface} = {
-    nameservers = [ "1.1.1.1" "8.8.8.8" ];
+        ipv4.addresses = [
    firewall = {
      allowedTCPPorts = [ 22 53 80 443 5000 ];
      allowedUDPPorts = [ 53 42666 ];
    };
    # wireguard related config
    nat.enable = true;
    nat.externalInterface = extIface;
    nat.internalInterfaces = [ "wg0" ];
    wireguard.interfaces = {
      wg0 = {
        ips = [ "10.0.0.1/24" ];
        listenPort = 42666;
        postSetup = ''
          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
        '';
        postShutdown = ''
          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
        '';
        privateKeyFile = config.age.secrets.wireguard-thrall.path;
        peers = [
          {
-            # my phone
+            address = "195.90.211.228";
-            publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
+            prefixLength = 22;
            allowedIPs = [ "10.0.0.2/32" ];
          }
          {
            # my tablet
            publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
            allowedIPs = [ "10.0.0.3/32" ];
          }
        ];
      };
      defaultGateway = "195.90.208.1";
      nameservers = [
        "8.8.8.8"
        "8.8.4.4"
      ];
      firewall = {
        allowedTCPPorts = [
          22
          53
          80
          443
          5000
          40005 # syncthing
        ];
        allowedUDPPorts = [
          53
        ];
      };
      # wireguard related config
      nat.enable = true;
      nat.externalInterface = extIface;
      nat.internalInterfaces = [ "wg0" ];
      wireguard.interfaces = {
        wg0 = {
          ips = [ "10.0.0.1/24" ];
          listenPort = 42666;
          postSetup = ''
            ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
          '';
          postShutdown = ''
            ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
          '';
          privateKeyFile = config.age.secrets.wireguard-thrall.path;
          peers = [
            {
              # my phone
              publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
              allowedIPs = [ "10.0.0.2/32" ];
            }
            {
              # my tablet
              publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
              allowedIPs = [ "10.0.0.3/32" ];
            }
            {
              # homematic
              publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
              allowedIPs = [ "10.0.0.4/32" ];
            }
          ];
        };
      };
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "alex@jakalx.net";
  };
-  security.sudo = {
+  # Select internationalization properties.
    enable = true;
    execWheelOnly = true;
    extraRules = [{
      groups = [ "wheel" ];
      commands = [{
        command = "/run/current-system/sw/bin/nixos-rebuild";
        options = [ "NOPASSWD" ];
      }];
    }];
  };
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
@ -128,6 +149,7 @@ in {
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.alex = {
    description = "Alexander Kobjolke";
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.zsh;
@ -141,21 +163,16 @@ in {
    htop
    tmux
    git
    git-annex
    #agenix.defaultPackage.x86_64-linux
    restic # fast and secure backup
    rclone
  ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
  programs.mosh.enable = true;
  programs.neovim = {
    enable = true;
    defaultEditor = true;
@ -168,20 +185,19 @@ in {
  # List services that you want to enable:
  # depending on wireguard
  services.kresd = {
    enable = true;
-    listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
+    listenPlain = [
      "[::1]:53"
      "127.0.0.1:53"
      "10.0.0.1:53"
    ];
  };
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.lorri.enable = true;
  # configure backup via restic to gdrive
  services.restic.backups = { };
  services.keybase = { enable = true; };
  services.nginx = {
    enable = true;
@ -203,6 +219,16 @@ in {
      extraConfig = ''
        add_header X-Frame-Options 'SAMEORIGIN';
      '';
      locations."/photo-groove" = {
        proxyPass = "http://127.0.0.1:8000/";
        proxyWebsockets = true;
      };
      locations."/elfeed" = {
        proxyPass = "http://127.0.0.1:8080/elfeed";
        proxyWebsockets = true;
      };
    };
    "www.jakalx.net" = {
@ -215,56 +241,80 @@ in {
      '';
    };
-    # gitea
+    "kobjolke.de" = {
-    "git.failco.de" = {
+      forceSSL = true;
      enableACME = true;
      root = "/srv/www/kobjolke.de";
      serverAliases = [ "www.kobjolke.de" ];
      extraConfig = ''
        add_header X-Frame-Options 'SAMEORIGIN';
      '';
    };
    # forgejo - git web frontend
    "${config.services.forgejo.settings.server.DOMAIN}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
-        proxyPass = "http://127.0.0.1:3001/";
+        proxyPass = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}/";
        proxyWebsockets = true;
      };
    };
    # paperless
-    "docs.failco.de" = {
+    "${authorityFromUrl config.services.paperless.settings.PAPERLESS_URL}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
-        proxyPass = "http://127.0.0.1:3002/";
+        proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/";
        proxyWebsockets = true;
      };
    };
    # hledger
-    "ledger.failco.de" = {
+    "${authorityFromUrl config.services.hledger-web.baseUrl}" = {
      forceSSL = true;
      enableACME = true;
      basicAuthFile = config.age.secrets.hledger-web.path;
      locations."/" = {
-        proxyPass = "http://127.0.0.1:3003/";
+        proxyPass = "http://${config.services.hledger-web.host}:${toString config.services.hledger-web.port}/";
        proxyWebsockets = true;
      };
    };
  };
-  services.gitea = {
+  users.users.git = {
    home = config.services.forgejo.stateDir;
    useDefaultShell = true;
    group = config.services.forgejo.group;
    isSystemUser = true;
  };
  services.forgejo = {
    enable = true;
    user = "git";
    database.type = "sqlite3";
    lfs.enable = true;
    domain = "git.failco.de";
    rootUrl = "https://git.failco.de";
    httpAddress = "127.0.0.1";
    httpPort = 3001;
    settings = {
      service.DISABLE_REGISTRATION = true;
      server = {
        DOMAIN = "git.failco.de";
        ROOT_URL = "https://git.failco.de";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3001;
      };
      mailer = {
        ENABLED = true;
-        MAILER_TYPE = "smtp";
+        PROTOCOL = "smtp";
-        FROM = "git@failco.de";
+        SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
-        HOST = "thrall.failco.de:25";
+        FROM = "noreply@failco.de";
-        IS_TLS_ENABLED = false;
+      };
      other = {
        SHOW_FOOTER_VERSION = false;
      };
    };
  };
@ -274,63 +324,125 @@ in {
    address = "127.0.0.1";
    port = 3002;
    consumptionDirIsPublic = true;
-    extraConfig = {
+    configureTika = true;
    settings = {
      PAPERLESS_OCR_LANGUAGE = "deu+eng";
      PAPERLESS_OCR_USER_ARGS = ''{"invalidate_digital_signatures": true}'';
      PAPERLESS_URL = "https://docs.failco.de";
      PAPERLESS_CONSUMER_RECURSIVE = true;
      PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS = true;
      # workaround for classification getting stuck, see
      # https://github.com/NixOS/nixpkgs/issues/240591#issuecomment-1915678490
      OMP_NUM_THREADS = 1;
    };
  };
  services.hledger-web = {
    enable = true;
    baseUrl = "https://ledger.failco.de";
    port = 3003;
    capabilities = {
      view = true;
      add = true;
      manage = true;
    };
    journalFiles = [ "current.journal" ];
    extraOptions = [
      "-B"
      "--value=then"
    ];
  };
  services.fail2ban = {
    enable = true;
    maxretry = 5;
-    ignoreIP =
+
-      [ "127.0.0.0/8" "195.90.211.228/22" "10.0.0.0/8" "192.168.0.0/16" ];
+    bantime = "1h";
    bantime-increment.enable = true;
    ignoreIP = [
      "127.0.0.0/8"
      "195.90.211.228"
      "10.0.0.0/8"
      "192.168.0.0/16"
    ];
    jails.postfix = ''
      filter   = postfix
      maxretry = 3
      action   = iptables[name=postfix, port=smtp, protocol=tcp]
      enabled  = true
    '';
  };
  services.syncthing = {
    enable = true;
    user = "alex";
    dataDir = "/home/alex/sync";
-    overrideDevices =
+    overrideDevices = true; # overrides any devices added or deleted through the WebUI
-      true; # overrides any devices added or deleted through the WebUI
+    overrideFolders = true; # overrides any folders added or deleted through the WebUI
-    overrideFolders =
+    settings = {
-      true; # overrides any folders added or deleted through the WebUI
+      folders = {
-    folders = {
+        "org" = {
-      "org" = {
+          path = "/home/alex/org";
-        path = "/home/alex/org";
+          devices = [ "redmi" ];
-        devices = [ "redmi" ];
+        };
        "paperless" = {
          path = "${config.services.paperless.consumptionDir}";
          devices = [
            "redmi"
            "dregil"
            "igor"
          ];
        };
      };
-      "scan" = {
+      devices = {
-        path = "/home/alex/media/scan";
+        redmi = {
-        devices = [ "redmi" ];
+          id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
-      };
+        };
-    };
+        dregil = {
-    devices = {
+          id = "SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH";
-      "redmi" = {
+        };
-        id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
+        igor = {
          id = "NHSYYF6-I5GWMTI-2SQ6PIA-EU3TYZF-3I7BI3K-QTSRGCT-QVLSFG4-74TL2QW";
        };
      };
    };
  };
  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = "thrall.failco.de";
-    domains = [ "failco.de" "jakalx.net" ];
+    domains = [
      "failco.de"
      "jakalx.net"
      "kobjolke.de"
    ];
    loginAccounts = {
      "me@failco.de" = {
        # nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt'
        hashedPasswordFile = config.age.secrets.mailPass.path;
-        aliases = [ "lx@failco.de" "alex@failco.de" ];
+        aliases = [
          "lx@failco.de"
          "alex@failco.de"
          "abuse@failco.de"
          "postmaster@failco.de"
          "abuse@kobjolke.de"
          "postmaster@kobjolke.de"
          "abuse@jakalx.net"
          "postmaster@jakalx.net"
        ];
-        catchAll = [ "failco.de" ];
+        catchAll = [
        ];
      };
      "alex@jakalx.net" = {
        hashedPasswordFile = config.age.secrets.mailPass.path;
        catchAll = [ "jakalx.net" ];
      };
      "archive@failco.de" = {
@ -338,18 +450,45 @@ in {
      };
    };
-    certificateScheme = 3;
+    extraVirtualAliases = {
      "alex@kobjolke.de" = [ "me@failco.de" ];
    };
    forwards = {
      "familie@kobjolke.de" = [
        "alex@kobjolke.de"
        "anne@kobjolke.de"
      ];
      "anne@kobjolke.de" = "anne.kobjolke@gmail.com";
      "alexander@kobjolke.de" = "alex@kobjolke.de";
      "ida@kobjolke.de" = "alex@kobjolke.de";
      "klara@kobjolke.de" = "alex@kobjolke.de";
      "charlie@kobjolke.de" = "alex@kobjolke.de";
    };
    certificateScheme = "acme-nginx";
    enableImapSsl = true;
    enableManageSieve = true;
    virusScanning = true;
  };
  services.postgresql = {
    package = pkgs.postgresql_15;
  };
  services.roundcube = {
    enable = true;
    hostName = "mail.failco.de";
-    dicts = with pkgs.aspellDicts; [ en de ];
+    dicts = with pkgs.aspellDicts; [
-    plugins = [ "archive" "attachment_reminder" "managesieve" "markasjunk" ];
+      en
      de
    ];
    plugins = [
      "archive"
      "attachment_reminder"
      "managesieve"
      "markasjunk"
    ];
    extraConfig = ''
      # starttls needed for authentication, so the fqdn required to match
      # the certificate
@ -366,6 +505,4 @@ in {
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.09"; # Did you read the comment?
 }
--- a/modules/appimage.nix
+++ b/modules/appimage.nix
@ -0,0 +1,12 @@
 { config, lib, pkgs, ... }:
 {
  boot.binfmt.registrations.appimage = {
    wrapInterpreterInShell = false;
    interpreter = "${pkgs.appimage-run}/bin/appimage-run";
    recognitionType = "magic";
    offset = 0;
    mask = "\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff";
    magicOrExtension = "\\x7fELF....AI\\x02";
  };
 }
--- a/modules/common-system.nix
+++ b/modules/common-system.nix
@ -1,5 +1,6 @@
-{config, pkgs, inputs, ...}:
+{ config, pkgs, inputs, ... }: {
-{
+  imports = [ ./nix-config.nix ];
  i18n.defaultLocale = "en_US.UTF-8";
  time.timeZone = "Europe/Berlin";
@ -10,7 +11,7 @@
    git
    dua
    erdtree
-    exa
+    eza
    fd
    fzf
    bat
@ -20,26 +21,5 @@
  networking.firewall.enable = true;
-  nix = {
+  nix = { registry = { nixpkgs.flake = inputs.nixpkgs; }; };
      gc = {
        automatic = true;
        dates = "weekly";
        options = "--delete-older-than 30d";
      };
      registry = {
        nixpkgs.flake = inputs.nixpkgs;
        nixpkgs-unstable.flake = inputs.nixpkgs-unstable;
      };
      settings = {
        auto-optimise-store = true;
        experimental-features = [ "nix-command" "flakes" ];
        warn-dirty = false;
        # avoid unwanted garbage collection when using direnv
        keep-outputs = true;
        keep-derivations = true;
      };
  };
 }
--- a/modules/flatpak.nix
+++ b/modules/flatpak.nix
@ -0,0 +1,18 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  services.flatpak.enable = true;
  systemd.services.flatpak-repo = {
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.flatpak ];
    script = ''
      flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
    '';
  };
 }
--- a/modules/grub-themes/default.nix
+++ b/modules/grub-themes/default.nix
@ -0,0 +1,7 @@
 { ... }:
 {
  config.distro-grub-themes = {
    enable = true;
    theme = "nixos";
  };
 }
--- a/modules/hardening.nix
+++ b/modules/hardening.nix
@ -0,0 +1,752 @@
 { config, lib, pkgs, ... }: {
  systemd.services.systemd-rfkill = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      SystemCallFilter = [
        "write"
        "read"
        "openat"
        "close"
        "brk"
        "fstat"
        "lseek"
        "mmap"
        "mprotect"
        "munmap"
        "rt_sigaction"
        "rt_sigprocmask"
        "ioctl"
        "nanosleep"
        "select"
        "access"
        "execve"
        "getuid"
        "arch_prctl"
        "set_tid_address"
        "set_robust_list"
        "prlimit64"
        "pread64"
        "getrandom"
      ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };
  systemd.services.syslog = {
    serviceConfig = {
      PrivateNetwork = true;
      CapabilityBoundingSet =
        [ "CAP_DAC_READ_SEARCH" "CAP_SYSLOG" "CAP_NET_BIND_SERVICE" ];
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      PrivateMounts = true;
      SystemCallArchitectures = "native";
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      ProtectKernelTunables = true;
      RestrictRealtime = true;
      PrivateUsers = true;
      PrivateTmp = true;
      UMask = "0077";
      RestrictNamespace = true;
      ProtectProc = "invisible";
      ProtectHome = true;
      DeviceAllow = false;
      ProtectSystem = "full";
    };
  };
  systemd.services.systemd-journald = {
    serviceConfig = {
      UMask = 77;
      PrivateNetwork = true;
      ProtectHostname = true;
      ProtectKernelModules = true;
    };
  };
  systemd.services.auto-cpufreq = {
    serviceConfig = {
      CapabilityBoundingSet = "";
      ProtectSystem = "full";
      ProtectHome = true;
      PrivateNetwork = true;
      IPAddressDeny = "any";
      NoNewPrivileges = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectHostname = false;
      MemoryDenyWriteExecute = true;
      ProtectClock = true;
      RestrictNamespaces = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectProc = true;
      ReadOnlyPaths = [ "/" ];
      InaccessiblePaths = [ "/home" "/root" "/proc" ];
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
    };
  };
  systemd.services.NetworkManager-dispatcher = {
    serviceConfig = {
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateUsers = true;
      PrivateDevices = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = "AF_INET";
      RestrictNamespaces = true;
      SystemCallFilter = [
        "write"
        "read"
        "openat"
        "close"
        "brk"
        "fstat"
        "lseek"
        "mmap"
        "mprotect"
        "munmap"
        "rt_sigaction"
        "rt_sigprocmask"
        "ioctl"
        "nanosleep"
        "select"
        "access"
        "execve"
        "getuid"
        "arch_prctl"
        "set_tid_address"
        "set_robust_list"
        "prlimit64"
        "pread64"
        "getrandom"
      ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };
  systemd.services.display-manager = {
    serviceConfig = {
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true; # so we won't need all of this
    };
  };
  systemd.services.emergency = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true; # Might need adjustment for emergency access
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = "AF_INET";
      RestrictNamespaces = true;
      SystemCallFilter = [
        "write"
        "read"
        "openat"
        "close"
        "brk"
        "fstat"
        "lseek"
        "mmap"
        "mprotect"
        "munmap"
        "rt_sigaction"
        "rt_sigprocmask"
        "ioctl"
        "nanosleep"
        "select"
        "access"
        "execve"
        "getuid"
        "arch_prctl"
        "set_tid_address"
        "set_robust_list"
        "prlimit64"
        "pread64"
        "getrandom"
      ];
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };
  systemd.services."getty@tty1" = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true;
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = "AF_INET";
      RestrictNamespaces = true;
      SystemCallFilter = [
        "write"
        "read"
        "openat"
        "close"
        "brk"
        "fstat"
        "lseek"
        "mmap"
        "mprotect"
        "munmap"
        "rt_sigaction"
        "rt_sigprocmask"
        "ioctl"
        "nanosleep"
        "select"
        "access"
        "execve"
        "getuid"
        "arch_prctl"
        "set_tid_address"
        "set_robust_list"
        "prlimit64"
        "pread64"
        "getrandom"
      ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };
  systemd.services."getty@tty7" = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true;
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = "AF_INET";
      RestrictNamespaces = true;
      SystemCallFilter = [
        "write"
        "read"
        "openat"
        "close"
        "brk"
        "fstat"
        "lseek"
        "mmap"
        "mprotect"
        "munmap"
        "rt_sigaction"
        "rt_sigprocmask"
        "ioctl"
        "nanosleep"
        "select"
        "access"
        "execve"
        "getuid"
        "arch_prctl"
        "set_tid_address"
        "set_robust_list"
        "prlimit64"
        "pread64"
        "getrandom"
      ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };
  systemd.services.NetworkManager = {
    serviceConfig = {
      NoNewPrivileges = true;
      ProtectClock = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      SystemCallArchitectures = "native";
      MemoryDenyWriteExecute = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      RestrictNamespaces = true;
      ProtectKernelTunables = true;
      ProtectHome = true;
      PrivateTmp = true;
      UMask = "0077";
    };
  };
  systemd.services."nixos-rebuild-switch-to-configuration" = {
    serviceConfig = {
      ProtectHome = true;
      NoNewPrivileges = true; # Prevent gaining new privileges
    };
  };
  systemd.services."dbus" = {
    serviceConfig = {
      PrivateTmp = true;
      PrivateNetwork = true;
      ProtectSystem = "full";
      ProtectHome = true;
      SystemCallFilter =
        "~@clock @cpu-emulation @module @mount @obsolete @raw-io @reboot @swap";
      ProtectKernelTunables = true;
      NoNewPrivileges = true;
      CapabilityBoundingSet = [
        "~CAP_SYS_TIME"
        "~CAP_SYS_PACCT"
        "~CAP_KILL"
        "~CAP_WAKE_ALARM"
        "~CAP_SYS_BOOT"
        "~CAP_SYS_CHROOT"
        "~CAP_LEASE"
        "~CAP_MKNOD"
        "~CAP_NET_ADMIN"
        "~CAP_SYS_ADMIN"
        "~CAP_SYSLOG"
        "~CAP_NET_BIND_SERVICE"
        "~CAP_NET_BROADCAST"
        "~CAP_AUDIT_WRITE"
        "~CAP_AUDIT_CONTROL"
        "~CAP_SYS_RAWIO"
        "~CAP_SYS_NICE"
        "~CAP_SYS_RESOURCE"
        "~CAP_SYS_TTY_CONFIG"
        "~CAP_SYS_MODULE"
        "~CAP_IPC_LOCK"
        "~CAP_LINUX_IMMUTABLE"
        "~CAP_BLOCK_SUSPEND"
        "~CAP_MAC_*"
        "~CAP_DAC_*"
        "~CAP_FOWNER"
        "~CAP_IPC_OWNER"
        "~CAP_SYS_PTRACE"
        "~CAP_SETUID"
        "~CAP_SETGID"
        "~CAP_SETPCAP"
        "~CAP_FSETID"
        "~CAP_SETFCAP"
        "~CAP_CHOWN"
      ];
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      MemoryDenyWriteExecute = true;
      RestrictAddressFamilies = [ "~AF_PACKET" "~AF_NETLINK" ];
      ProtectHostname = true;
      LockPersonality = true;
      RestrictRealtime = true;
      PrivateUsers = true;
    };
  };
  systemd.services.nix-daemon = {
    serviceConfig = {
      ProtectHome = true;
      PrivateUsers = false;
    };
  };
  systemd.services.reload-systemd-vconsole-setup = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      PrivateUsers = true;
      PrivateDevices = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictNamespaces = true;
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };
  systemd.services.rescue = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true; # Might need adjustment for rescue operations
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies =
        "AF_INET AF_INET6"; # Networking might be necessary in rescue mode
      RestrictNamespaces = true;
      SystemCallFilter = [
        "write"
        "read"
        "openat"
        "close"
        "brk"
        "fstat"
        "lseek"
        "mmap"
        "mprotect"
        "munmap"
        "rt_sigaction"
        "rt_sigprocmask"
        "ioctl"
        "nanosleep"
        "select"
        "access"
        "execve"
        "getuid"
        "arch_prctl"
        "set_tid_address"
        "set_robust_list"
        "prlimit64"
        "pread64"
        "getrandom"
      ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny =
        "any"; # May need to be relaxed for network troubleshooting in rescue mode
    };
  };
  systemd.services."systemd-ask-password-console" = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true; # May need adjustment for console access
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = "AF_INET AF_INET6";
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };
  systemd.services."systemd-ask-password-wall" = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true;
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = "AF_INET AF_INET6";
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };
  systemd.services.thermald = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true; # Necessary for adjusting cooling policies
      ProtectKernelModules = true; # May need adjustment for module control
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true; # May require access to specific hardware devices
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      CapabilityBoundingSet = "";
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
      DeviceAllow = [ ];
      RestrictAddressFamilies = [ ];
    };
  };
  systemd.services."user@1000" = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true; # Be cautious, as this may restrict user operations
      PrivateDevices = true;
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = "AF_INET AF_INET6";
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ]; # Adjust based on user needs
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any";
    };
  };
  systemd.services.virtlockd = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true; # May need adjustment for accessing VM resources
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = "AF_INET AF_INET6";
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ]; # Adjust as necessary
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any"; # May need adjustment for network operations
    };
  };
  systemd.services.virtlogd = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers = true;
      PrivateDevices = true; # May need adjustment for accessing VM logs
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = "AF_INET AF_INET6";
      RestrictNamespaces = true;
      SystemCallFilter =
        [ "@system-service" ]; # Adjust based on log management needs
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny =
        "any"; # May need to be relaxed for network-based log collection
    };
  };
  systemd.services.virtlxcd = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true; # Necessary for container management
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers =
        true; # Be cautious, might need adjustment for container user management
      PrivateDevices = true; # Containers might require broader device access
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies =
        "AF_INET AF_INET6"; # Necessary for networked containers
      RestrictNamespaces = true;
      SystemCallFilter =
        [ "@system-service" ]; # Adjust based on container operations
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any"; # May need to be relaxed for network functionality
    };
  };
  systemd.services.virtqemud = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true; # Necessary for VM management
      ProtectKernelModules =
        true; # May need adjustment for VM hardware emulation
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers =
        true; # Be cautious, might need adjustment for VM user management
      PrivateDevices = true; # VMs might require broader device access
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies =
        "AF_INET AF_INET6"; # Necessary for networked VMs
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any"; # May need to be relaxed for network functionality
    };
  };
  systemd.services.virtvboxd = {
    serviceConfig = {
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true; # Required for some VM management tasks
      ProtectKernelModules = true; # May need adjustment for module handling
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      PrivateTmp = true;
      PrivateUsers =
        true; # Be cautious, might need adjustment for VM user management
      PrivateDevices = true; # VMs may require access to certain devices
      PrivateIPC = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictAddressFamilies =
        "AF_INET AF_INET6"; # Necessary for networked VMs
      RestrictNamespaces = true;
      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
      SystemCallArchitectures = "native";
      UMask = "0077";
      IPAddressDeny = "any"; # May need to be relaxed for network functionality
    };
  };
 }
--- a/modules/hledger-web.nix
+++ b/modules/hledger-web.nix
@ -0,0 +1,140 @@
 { lib, pkgs, config, ... }:
 with lib;
 let cfg = config.services.hledger-web;
 in {
  options.services.hledger-web = {
    enable = mkEnableOption (lib.mdDoc "hledger-web service");
    serveApi = mkEnableOption
      (lib.mdDoc "serving only the JSON web API, without the web UI");
    host = mkOption {
      type = types.str;
      default = "127.0.0.1";
      description = lib.mdDoc ''
        Address to listen on.
      '';
    };
    port = mkOption {
      type = types.port;
      default = 5000;
      example = 80;
      description = lib.mdDoc ''
        Port to listen on.
      '';
    };
    capabilities = {
      view = mkOption {
        type = types.bool;
        default = true;
        description = lib.mdDoc ''
          Enable the view capability.
        '';
      };
      add = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Enable the add capability.
        '';
      };
      manage = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Enable the manage capability.
        '';
      };
    };
    stateDir = mkOption {
      type = types.path;
      default = "/var/lib/hledger-web";
      description = lib.mdDoc ''
        Path the service has access to. If left as the default value this
        directory will automatically be created before the hledger-web server
        starts, otherwise the sysadmin is responsible for ensuring the
        directory exists with appropriate ownership and permissions.
      '';
    };
    journalFiles = mkOption {
      type = types.listOf types.str;
      default = [ ".hledger.journal" ];
      description = lib.mdDoc ''
        Paths to journal files relative to {option}`services.hledger-web.stateDir`.
      '';
    };
    baseUrl = mkOption {
      type = with types; nullOr str;
      default = null;
      example = "https://example.org";
      description = lib.mdDoc ''
        Base URL, when sharing over a network.
      '';
    };
    extraOptions = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "--forecast" ];
      description = lib.mdDoc ''
        Extra command line arguments to pass to hledger-web.
      '';
    };
  };
  config = mkIf cfg.enable {
    users.users.hledger = {
      name = "hledger";
      group = "hledger";
      isSystemUser = true;
      home = cfg.stateDir;
      useDefaultShell = true;
    };
    users.groups.hledger = { };
    systemd.services.hledger-web = let
      serverArgs = with cfg;
        escapeShellArgs ([
          "--serve"
          "--host=${host}"
          "--port=${toString port}"
          (optionalString capabilities.add "--allow=add")
          (optionalString capabilities.view "--allow=view")
          (optionalString capabilities.manage "--allow=edit")
          (optionalString (cfg.baseUrl != null) "--base-url=${cfg.baseUrl}")
          (optionalString (cfg.serveApi) "--serve-api")
        ] ++ (map (f: "--file=${stateDir}/${f}") cfg.journalFiles)
          ++ extraOptions);
    in {
      description = "hledger-web - web-app for the hledger accounting tool.";
      documentation = [ "https://hledger.org/hledger-web.html" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "networking.target" ];
      serviceConfig = mkMerge [
        {
          ExecStart = "${pkgs.hledger-web}/bin/hledger-web ${serverArgs}";
          Restart = "always";
          WorkingDirectory = cfg.stateDir;
          User = "hledger";
          Group = "hledger";
          PrivateTmp = true;
        }
        (mkIf (cfg.stateDir == "/var/lib/hledger-web") {
          StateDirectory = "hledger-web";
        })
      ];
    };
  };
  meta.maintainers = with lib.maintainers; [ marijanp erictapen ];
 }
--- a/modules/hyprland/default.nix
+++ b/modules/hyprland/default.nix
@ -0,0 +1,10 @@
 {
  pkgs,
  ...
 }:
 {
  config.programs.hyprland.enable = true;
  config.environment.systemPackages = [ pkgs.kitty ];
  config.environment.sessionVariables.NIXOS_OZONE_WL = "1";
 }
--- a/modules/iohk.nix
+++ b/modules/iohk.nix
@ -0,0 +1,9 @@
 { config, lib, pkgs, ... }:
 {
  # Binary Cache for Haskell.nix
  nix.settings.trusted-public-keys =
    [ "cache.iog.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
  nix.settings.substituters = lib.mkAfter [ "https://cache.iog.io" ];
 }
--- a/modules/keybase.nix
+++ b/modules/keybase.nix
@ -0,0 +1,5 @@
 { config, lib, pkgs, ... }:
 {
  services.keybase.enable = true;
 }
--- a/modules/mosh.nix
+++ b/modules/mosh.nix
@ -0,0 +1,8 @@
 { ... }:
 {
  programs.mosh = {
    enable = true;
    openFirewall = true;
  };
 }
--- a/modules/nh.nix
+++ b/modules/nh.nix
@ -0,0 +1,23 @@
 {
  lib,
  config,
  ...
 }:
 let
  cfg = config.programs.nh;
 in
 {
  config.programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep-since 4d --keep 3";
    flake = "/home/alex/src/nixos-config";
  };
  config.nix.gc.automatic = lib.mkIf cfg.enable (lib.mkForce false);
  config.environment = lib.mkIf cfg.enable {
    variables = lib.mkIf (cfg.flake != null) {
      NH_FLAKE = cfg.flake;
    };
  };
 }
--- a/modules/nix-config.nix
+++ b/modules/nix-config.nix
@ -0,0 +1,43 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  nix = {
    package = pkgs.nixVersions.latest;
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    settings = {
      auto-optimise-store = true;
      experimental-features = [
        "nix-command"
        "flakes"
      ];
      warn-dirty = false;
      # avoid unwanted garbage collection when using direnv
      keep-outputs = true;
      keep-derivations = true;
      trusted-substituters = [
        "https://devenv.cachix.org"
        "https://nixcache.reflex-frp.org"
      ];
      trusted-public-keys = [
        "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
        "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI="
      ];
      trusted-users = [
        "root"
        "alex"
      ];
    };
  };
 }
--- a/modules/podman/default.nix
+++ b/modules/podman/default.nix
@ -0,0 +1,24 @@
 { pkgs, ... }:
 {
  # Enable common container config files in /etc/containers
  virtualisation.containers.enable = true;
  virtualisation = {
    podman = {
      enable = true;
      # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };
  # Useful other development tools
  environment.systemPackages = with pkgs; [
    dive # look into docker image layers
    podman-tui # status of containers in the terminal
    # docker-compose # start group of containers for dev
    podman-compose # start group of containers for dev
  ];
 }
--- a/modules/security.nix
+++ b/modules/security.nix
@ -9,10 +9,10 @@
  # tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
  # on ssd systems, and volatile! Because it's wiped on reboot.
-#  boot.tmpOnTmpfs = lib.mkDefault true;
+  #  boot.tmpOnTmpfs = lib.mkDefault true;
  # If not using tmpfs, which is naturally purged on reboot, we must clean it
  # /tmp ourselves. /tmp should be volatile storage!
-  boot.cleanTmpDir = lib.mkDefault (!config.boot.tmpOnTmpfs);
+  boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
  # Fix a security hole in place for backwards compatibility. See desc in
  # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -0,0 +1,14 @@
 { config, lib, pkgs, ... }:
 {
  services.openssh.enable = true;
  users.users.alex.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/aaVGcys7ZJ3chImea/8jTGtIVYKzDxXBGIeZMiLm/ u0_a204@localhost"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrPC2OMHYJX41vedlsgQeLobapDOZ8StPVwmTTp0Qc83OeXGXiaJ2P0wA65NoIjh+I7OZjc/kRCO+mC4BZs2Em3pmWOZNTvW4YA8lvhpkwFNrvmx+G+HKKG7F04lOgo9zAJltY8ENj0T5jddbWWuSRDNPrHCwet2jdiTWc2Ri5QNAdxXSmp+XG9rTPF6JfuH3kjU7UYgMG0c9dJAy7KzCj4p6GhlfvZlFndhmT+PMkJbn5liv8ldFIuHAqA0Hyo3UYfAieeUDBloevbZKpbsp7wVdtmySfJCgwRaOqVPyB+5QK6sY32s2L8sHHdKgnJ1czeLaX11ZEGQIb4wMd6VYD (none)"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIScA09BrNhQjUzoKhU8xl0Giq4o+eN4tOhdRrS3AHg9QtDd+cZ/6gx5iuVguwVPwCBSGlyilIhtTvUHBft7vEqdoSWDzsIv4nAq5+m4wBAV1WtNuzdIjgDBVtYqIKI+KHasIuj5ol8tDbMmNUfG4kvPgaIudGo9G+ynWSVR1mZyk+W0sAKJAeWmcv5EDxMaSS/4WWXZ7GeLy5t0RJlyO4Pspm69hb63Urz5N2YJHUwgXLZbirsTK0cKRGLKvyEwUOQDvnj13VvnSt5mjfYNGr0g770PLNRPno2PeS5ux2+/4dx03+enh6CA70a+Ialu1Z7qMsaZhLPwuUDTGJJX4F ads-1700w"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOlzj6jMbFgBeNIq1u6ixwtfsjcTV/S5VUchpH2GskodrAuWTE6G+eIj40nVO3JbaErderhfosIhN8HnZTP9uhXvDcAgqE98rVKLC1Pm0bDST4H+Qc358h4BRWamkojF7ub1RdMKVsIX9xQFAPCv+6iyLKBU5F8lNu70Wr9cNSPaMS1zvKdJzUzq34kdjKf6Jsc+64ux254MUbkoD9VgJpNq9cCbkI6JHDLL+6fer/66dvsEggEEoCgbupJljsHo+4SGDqiFFT8l81gfgsV6CwAib7gkSiR9ZgCDgwjd5QPMqPBFytIc5F8Gz4sbsB2TMlLraaD+vcTt7p3HlWCsDpW0QBeeDvmupZoWpQuT8R/4G3FnGAf5sJgccffO8R/na8/TpSrRdfj0GlGYvxasMKDJnbrVig+zi7JpdH9hvAXmpv6c8QHhjr191I15PV2m4Z2bPPo5BXDt1YEqSgAaFHpTlkIUheEpbKRJI28YwOWOv3r1CcaGM64KxFXSZIIIk= nix-on-droid@localhost"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0itMeWUBtvAjNUzU0iCNHvRo2DUewlGjmHgy8qk7QyYvrFO0DhadDUrkqGK3RjfPue5eM+L/4sib+fr4OIAjzTxvSBpZWfMZtU41/iWiT2bvz7mNvi9j/TDBl/+PfFt0VBUgSPk1cO00P4sExVvseF9hXq5h4NNR4iSuC9P9u6mbaUeg9X6ydlld9+W300erxEToK54alZ0+YOwEMypjytjCBSPFG2QfmFoeU8bCqJvSotOw5nu974LKHOxZgxluBKprlusrRjCxZim9XwTS07I9gZhiDKIdvThSzEWZX4nwLrTyIh19DlZTO2vPUwwqBZyGlwMPCjfFazeViBKuQXCEAmifFHc/4f5Ae1zRA+ombJQveigomlcMXdV9E7HsD0I976ErJbYmfH+QwI78HbwFvbOX3yazdrw02ltdjvasO30dH7wdckoC7fYEXOij3M2pKlLOUojKUF589uPjiBiGNtxGKGpg0TKG9Nj1rvYHljfzQNwqgHKKrRdZo5pOHwzhvl4/fQubu5S/eAppstDuVHTZwIzpd9sHez1JNYS7SKNxT1cIW8NfW41RUe/8rVF678FvIDzuqkcYLsmPd+tg+w78stMEJHaTLHYOCbfYqEdBnvcNRPUFY30MwCVkG7s9X3cEuOwMx8KbTlH5AFZj9IBVUNeJ4p4aMUw3Pbw== /home/alex/.ssh/id_rsa"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDG4BlH07+a+U3i89U11Oz81X1lZnMnzu5d0Em2zlQJYiIqnwj7uRUl7TerXxmum9vOYsDGLGP8RwQRzySM5xfIIEmn5wHb6zPzD8jC8sJQws9d7q84PJMDVUfUeTHR/xZ9QbzG3NHTNnGdbtQptkDwxzLnr/kL5rvGrudgYa0RwHHZbz0WK15iVcsRIHglhsf9gLlXhZZ8Hn2r2qS7jj32InH58KAtawRBd8/WE56h/QY5vUt2F4M8ZvvIJHndynOn71iPJY0tr+b/VIG5JSK89aIQyVRk222TlTn3BrYW2VudrKkkLtssDEIfTmQeALN/LYev4+bJNGDI7bmg7TD4L6AlgrkTJGvXoup410oeiOWP2vrbK2OLB8lcs4lH9iauFg6fMAQuboJjUisicj6tD2SyjELCP2Hvf625k1H2vyp5366dUROBRaUX/AKIZwkIstNgcaLkF7gmeAc1Atr3DK4Jtxc9CHTO7Dv0os+p2q4LJm+mnJy8H7PnfPiRB3thTfULUAWQ2H8RpAn1r0Txur/3D/Jde6PPzL41CefmF6z+UOd4gwMONns7FLjru5z6HG/egaXlJPJkfYbgB+253VDDOga2Y+1W99rgvX0UsF//dhYCqa/XWvmk3htjRTgz80B7tm/eKQwaM7Cm7YZzWq5mjfgxPptkB9SDS8HORw== joyeuse"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDad0tKjdZluogJz9Tir9szwd3olnmY+XqrZtaabgAv9M1V3+ktjZxb11fqbhxpspEW889fG0PrdDsKrYrp6Adm6mVcFXb2Rx8uEIcQ4XQfMqzTBLgNipBcU+7DiWHrejLf9hcrH6HL4o6py59CrX5lnAf1Elt9HxUXTVl9rbMp0SHif6EbYumrCwipWWmcLJWKWVJrJ6rf4YBsmLNtxhf7myjCJxECetQeWyAJodguJa8T7hDJSiE6rfPLanU673T/CU1IBgexriUxcSk09PmjLGB3fFbZnGJlIOAua7ctXtwVjzat5WAWoNo5JdC3cnEUoNkyx7krLbQ2oOzNJi9YgYneTR0KWHYG/v/WVoI+VtW0RQIS+QzVW+ox8Y2j209BZGBFN1d+/ZarUsizg5OEyO7ntiL/UhL/YbI9jknBiw08mzUwIHLpNrpz17duIFNaNkmaN1FAt3b5HBVyq9h4x9FXmp/zaiVzN//Md4GD8xnGmiR3fd+l51mz+WjHIQM= alex@dregil"
  ];
 }
--- a/modules/sudo.nix
+++ b/modules/sudo.nix
@ -0,0 +1,15 @@
 { config, lib, pkgs, ... }:
 {
  config.security.sudo = {
    enable = true;
    execWheelOnly = true;
    extraRules = [{
      groups = [ "wheel" ];
      commands = [{
        command = "/run/current-system/sw/bin/nixos-rebuild";
        options = [ "NOPASSWD" ];
      }];
    }];
  };
 }
--- a/modules/tailscale/default.nix
+++ b/modules/tailscale/default.nix
@ -0,0 +1,8 @@
 {
  ...
 }:
 {
  config.services.tailscale.enable = true;
  config.services.resolved.enable = true;
 }
--- a/modules/timezone.nix
+++ b/modules/timezone.nix
@ -0,0 +1,5 @@
 { config, lib, pkgs, ... }:
 {
  time.timeZone = lib.mkDefault "Europe/Berlin";
 }
--- a/modules/upgrade-pg-cluster.nix
+++ b/modules/upgrade-pg-cluster.nix
@ -0,0 +1,32 @@
 { config, pkgs, ... }:
 {
  environment.systemPackages = [
    (let
      # XXX specify the postgresql package you'd like to upgrade to.
      # Do not forget to list the extensions you need.
      newPostgres = pkgs.postgresql_15.withPackages (pp: [
        # pp.plv8
      ]);
    in pkgs.writeScriptBin "upgrade-pg-cluster" ''
      set -eux
      # XXX it's perhaps advisable to stop all services that depend on postgresql
      systemctl stop postgresql
      export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
      export NEWBIN="${newPostgres}/bin"
      export OLDDATA="${config.services.postgresql.dataDir}"
      export OLDBIN="${config.services.postgresql.package}/bin"
      install -d -m 0700 -o postgres -g postgres "$NEWDATA"
      cd "$NEWDATA"
      sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
      sudo -u postgres $NEWBIN/pg_upgrade \
        --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
        --old-bindir $OLDBIN --new-bindir $NEWBIN \
        "$@"
    '')
  ];
 }
--- a/modules/vsftpd/default.nix
+++ b/modules/vsftpd/default.nix
@ -0,0 +1,16 @@
 { lib, pkgs, ... }:
 {
   config.services.vsftpd = {
     enable = true;
     localUsers = true;
     writeEnable = true;
     chrootlocalUser = true;
     userDbPath = "/etc/vsftpd/users";
     enableVirtualUsers = true;
     virtualUseLocalPrivs = true;
     localRoot = "/var/lib/vsftpd/data";
     extraConfig = "local_umask=002";
   };
   config.networking.firewall.allowedTCPPorts = [ 20 21 ];
 }
--- a/modules/wm/gnome.nix
+++ b/modules/wm/gnome.nix
@ -0,0 +1,5 @@
 { config, lib, pkgs, ... }:
 {
 }
--- a/modules/wm/greetd.nix
+++ b/modules/wm/greetd.nix
@ -0,0 +1,18 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  services.greetd = {
    enable = true;
    settings = {
      default_session = {
        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
        user = "greeter";
      };
    };
  };
 }
--- a/modules/wm/light.nix
+++ b/modules/wm/light.nix
@ -0,0 +1,22 @@
 { config, lib, pkgs, ... }:
 {
  config.programs.light = { enable = true; };
  config.services.actkbd = let light = "${pkgs.light}/bin/light";
  in {
    enable = true;
    bindings = [
      {
        keys = [ 232 ];
        events = [ "key" ];
        command = "${light} -U 10";
      }
      {
        keys = [ 233 ];
        events = [ "key" ];
        command = "${light} -A 10";
      }
    ];
  };
 }
--- a/modules/wm/sway.nix
+++ b/modules/wm/sway.nix
@ -0,0 +1,24 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 {
  environment.systemPackages = with pkgs; [
    grim # screenshot functionality
    slurp # screenshot functionality
    wl-clipboard # wl-copy and wl-paste for copy/paste from stdin / stdout
    mako # notification system developed by swaywm maintainer
  ];
  # Enable the gnome-keyring secrets vault.
  # Will be exposed through DBus to programs willing to store secrets.
  services.gnome.gnome-keyring.enable = true;
  # enable Sway window manager
  programs.sway = {
    enable = true;
    wrapperFeatures.gtk = true;
  };
 }
--- a/modules/wm/x.nix
+++ b/modules/wm/x.nix
@ -0,0 +1,41 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  # Enable the X11 windowing system.
  services = {
    dbus = {
      enable = true;
    };
    xserver = {
      enable = true;
      xkb = {
        options = "terminate:ctrl_alt_bksp,caps:escape,compose:ralt";
        layout = "us";
      };
      videoDrivers = [ "nvidia" ]; # "modesetting" ];
      displayManager.lightdm = {
        enable = true;
        greeters.slick.enable = true;
      };
    };
    desktopManager.gnome.enable = true;
    # Enable touchpad support (enabled default in most desktopManager).
    libinput = {
      enable = true;
      touchpad.disableWhileTyping = true;
      touchpad.tapping = false;
      mouse.naturalScrolling = config.services.libinput.touchpad.naturalScrolling;
    };
  };
 }
--- a/modules/wm/xmonad/default.nix
+++ b/modules/wm/xmonad/default.nix
@ -0,0 +1,16 @@
 { config, lib, pkgs, ... }:
 {
  config.services = {
    upower.enable = true;
    xserver = {
      windowManager.xmonad = {
        enable = true;
        enableContribAndExtras = true;
      };
    };
  };
  config.systemd.services.upower.enable = true;
 }
--- a/outputs/homeConfigurations/default.nix
+++ b/outputs/homeConfigurations/default.nix
@ -1,69 +0,0 @@
 inputs: with inputs;
 let
  pkgs = import nixpkgs-unstable {
   system = "x86_64-linux";
   config.allowUnfree = true;
   overlays = []; 
  };
 in
 {
  "alex@dregil" = home-manager.lib.homeManagerConfiguration {
    inherit pkgs;    
    modules = [
      {
        programs.home-manager.enable = true;
        home = {
          username = "alex";
          homeDirectory = "/home/alex";
          stateVersion = "22.11";
          packages = with pkgs; [
            alacritty           # fast terminal
            firefox             # the browser with the fox
            # social
            jitsi-meet-electron # jitsi as a stand-alone app
            discord             # talk to other people
            #inputs.simplex-chat.packages."x86_64-linux"."exe:simplex-chat"
            # editing
            helix        # vim like editor
            nil          # nix language server
            # system tools
            htop-vim     # htop with vim bindings
            erdtree      # du+tree had sex
            dua          # ncdu but better
            bat          # better cat
            uhk-agent    # my keyboard
            mosh         # ssh via udp
            # gaming support
            lutris
          ];
        };
        programs.bash = {
          enable = true;
        };
        programs.zsh = {
          enable = true;
        };
        programs.git = {
          enable = true;
          userName = "Alexander Kobjolke";
          userEmail = "me@failco.de";
        };
        programs.password-store = {
          enable = true;
        };
        # do not show home-manager notifications
        news.display = "silent";
      }
    ];
   };
 }
--- a/scripts/nixos-mailserver-migration-03.py
+++ b/scripts/nixos-mailserver-migration-03.py
@ -0,0 +1,142 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i python3 -p python3
 import argparse
 import os
 import shutil
 import sys
 from enum import Enum
 from pathlib import Path
 from pwd import getpwnam
 class FolderLayout(Enum):
    Default = 1
    Folder = 2
 def check_user(vmail_root: Path):
    owner = vmail_root.owner()
    owner_uid = getpwnam(owner).pw_uid
    if os.geteuid() == owner_uid:
        return
    try:
        print(
            f"Trying to switch effective user id to {owner_uid} ({owner})",
            file=sys.stderr,
        )
        os.seteuid(owner_uid)
        return
    except PermissionError:
        print(
            f"Failed switching to virtual mail user. Please run this script under it, for example by using `sudo -u {owner}`)",
            file=sys.stderr,
        )
    sys.exit(1)
 def is_maildir_related(path: Path, layout: FolderLayout) -> bool:
    if path.name in [
        "subscriptions"
        # https://doc.dovecot.org/2.3/admin_manual/mailbox_formats/maildir/#imap-uid-mapping
        "dovecot-uidlist",
        # https://doc.dovecot.org/2.3/admin_manual/mailbox_formats/maildir/#imap-keywords
        "dovecot-keywords",
    ]:
        return True
    if not path.is_dir():
        return False
    if path.name in ["cur", "new", "tmp"]:
        return True
    if layout is FolderLayout.Default and path.name.startswith("."):
        return True
    if layout is FolderLayout.Folder:
        if path.name in ["mail"]:
            return False
        return True
    return False
 def mkdir(dst: Path, dry_run: bool = True):
    print(f'mkdir "{dst}"')
    if not dry_run:
        # u+rwx, setgid
        dst.mkdir(mode=0o2700)
 def move(src: Path, dst: Path, dry_run: bool = True):
    print(f'mv "{src}" "{dst}"')
    if not dry_run:
        src.rename(dst)
 def delete(dst: Path, dry_run: bool = True):
    if not dst.exists():
        return
    if dst.is_dir():
        print(f'rm --recursive "{dst}"')
        if not dry_run:
            shutil.rmtree(dst)
    else:
        print(f'rm "{dst}"')
        if not dry_run:
            dst.unlink()
 def main(vmail_root: Path, layout: FolderLayout, dry_run: bool = True):
    maildirs = {path.parent for path in vmail_root.glob("*/*/cur")}
    maybe_delete = []
    # The old maildir will be the new home directory
    for homedir in maildirs:
        maildir = homedir / "mail"
        mkdir(maildir, dry_run)
        for path in homedir.iterdir():
            if is_maildir_related(path, layout):
                move(path, maildir / path.name, dry_run)
            else:
                maybe_delete.append(path)
    # Files that are part of the previous home directory, but now obsolete
    for path in [
        vmail_root / ".dovecot.lda-dupes",
        vmail_root / ".dovecot.lda-dupes.locks",
    ]:
        delete(path, dry_run)
    # The remaining files are likely obsolete, but should still be checked with care
    for path in maybe_delete:
        print(f"# rm {str(path)}")
 if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="""
        NixOS Mailserver Migration #3: Dovecot mail directory migration
        (https://nixos-mailserver.readthedocs.io/en/latest/migrations.html#dovecot-mail-directory-migration)
    """
    )
    parser.add_argument(
        "vmail_root", type=Path, help="Path to the `mailserver.mailDirectory`"
    )
    parser.add_argument(
        "--layout",
        choices=["default", "folder"],
        required=True,
        help="Folder layout: 'default' unless `mailserver.useFsLayout` was enabled, then'folder'",
    )
    parser.add_argument(
        "--execute", action="store_true", help="Actually perform changes"
    )
    args = parser.parse_args()
    layout = FolderLayout.Default if args.layout == "default" else FolderLayout.Folder
    check_user(args.vmail_root)
    main(args.vmail_root, layout, not args.execute)
--- a/secrets/hledger-web.htaccess.age
+++ b/secrets/hledger-web.htaccess.age
@ -1,10 +1,10 @@
 age-encryption.org/v1
-> X25519 ntNFHjGdIlYJTbloT8Ujpn8Yh+oAaX/m0DHrq9ukLHQ
+-> X25519 FrE3cLVPZshP6+VgS5aRSggS/3XEjLZW2/yCcxQT6z0
-CTj9AefZLuZ0sBuFatp8/lEL8bUf2IXOHW00XJEdSVY
+xlPC1bF0NqiDVEk/xU+7GPGpwbTPZk+iSZ4QvvJzCcU
-> ssh-ed25519 NCz+gA kj420yScWjDD95LtvEb/62uXVzJU/v0ZSuJ+15MRdS8
+-> ssh-ed25519 NCz+gA Ag6jD9h0FTR+jVR2K3wpQgGqyLJzQZyNvU2+AJPz+Xc
-vFZNC94TxoXh1vVjHFPwPIV+nta5rWgdYWTokbBitxE
+3QJhYsIl23/ve++5r9X/a2YUPSUgIBHJ8srPmeSnpKw
-> 9-grease %8XR5/t }
+-> BaPA]-grease A\OcT5|
-22U6Glc0+L2vlRnrx1Sd1g9b4sfpt/1d0ihfEk5ZQOgEcy45+eNmbHTLQHYzpkFo
+L4Nk5eiaKq72ELBFQemUGlXJXpmUt5aN++g9ljz+DBG8XL3bQ9RbPMhbEy/gzKf6
-PmIBJrRj07B93Pp1MR4sHmOMtK358D9l1LSURdWQtmtcocOoKdQWmPq+IQ
+8WbY
--- 1F50mU6ZhA2vbJq1Nkae6KWzxGY1DGdPNhlA6S3r2GM
+--- hVjNjD1o1TI5B+CZqTdcoHjx3rRJCgrd4f13Vbhazmw
-—F<EFBFBD>ŁśMŃ®ćťL~š†:5vÖ3ß<>d?	ő¬l~˝Š:_€Ő„ZůDřÔJÝR„Ő+Ź"
+Řľt,AýÄ¬[w3¬LŘ’śbÎ`´4Ţ?¬”6 üĐ¬ś‚Ţ®ŐŞş„1qźÍ?.'K¤jú€če¦idĹUëŤ˙÷¤ád¬<64><C2AC>“Ňf÷éeJJ=·«ĂpĹ—‰?oá ú
		`@ -1 +0,0 @@`
			`Subproject commit bf8495b4122701fb30cb6cea37281dc8f3bedcd0`