chore: Update inputs

It conflicted with the beta version of the nvidia drivers.

.envrc

@@ -0,0 +1 @@
+use flake

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "home/emacs.d"]
-	path = home/emacs.d
-	url = https://github.com/hlissner/doom-emacs

flake.lock

@@ -3,16 +3,18 @@
     "agenix": {
       "inputs": {
         "darwin": "darwin",
+        "home-manager": "home-manager",
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1677969766,
-        "narHash": "sha256-AIp/ZYZMNLDZR/H7iiAlaGpu4lcXsVt9JQpBlf43HRY=",
+        "lastModified": 1762618334,
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "03b51fe8e459a946c4b88dcfb6446e45efb2c24e",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
         "type": "github"
       },
       "original": {
@@ -45,11 +47,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1673295039,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -59,34 +61,89 @@
         "type": "github"
       }
     },
-    "emacs": {
+    "disko": {
       "inputs": {
-        "flake-utils": "flake-utils",
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1680257010,
-        "narHash": "sha256-pNMB9sdoZOXEsszLD5TS0WG5Ysj2rVRmf92uxsxH/9A=",
+        "lastModified": 1763651264,
+        "narHash": "sha256-8vvwZbw0s7YvBMJeyPVpWke6lg6ROgtts5N2/SMCcv4=",
         "owner": "nix-community",
-        "repo": "emacs-overlay",
-        "rev": "cfec7f9501cc0e001f49d725a7cd733af7deb2ed",
+        "repo": "disko",
+        "rev": "e86a89079587497174ccab6d0d142a65811a4fd9",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "repo": "emacs-overlay",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "distro-grub-themes": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734806114,
+        "narHash": "sha256-FWkDtoLMTTk2Lz4d4LkFjtV/xYyIlpwZlX5Np1QhXls=",
+        "owner": "AdisonCavani",
+        "repo": "distro-grub-themes",
+        "rev": "ebbd17419890059e371a6f2dbf2a7e76190327d4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "AdisonCavani",
+        "repo": "distro-grub-themes",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
         "type": "github"
       }
     },
     "flake-utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
       "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -95,19 +152,88 @@
         "type": "github"
       }
     },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": [
+          "snm",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "snm",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1763319842,
+        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "snm",
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
-          "nixpkgs-unstable"
-        ],
-        "utils": "utils"
+          "agenix",
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1678831854,
-        "narHash": "sha256-7HBmLFNVD2KjovSzypIN9NfyzpWelMe8sNbUVZIRsS0=",
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "cae54dc45c0d61c99c1dc8b04bc42f36c76f9771",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
         "type": "github"
       },
       "original": {
@@ -119,17 +245,36 @@
     "home-manager_2": {
       "inputs": {
         "nixpkgs": [
-          "nix-on-droid",
           "nixpkgs"
-        ],
-        "utils": "utils_2"
+        ]
       },
       "locked": {
-        "lastModified": 1663932797,
-        "narHash": "sha256-IH8ZBW99W2k7wKLS+Sat9HiKX1TPZjFTnsPizK5crok=",
+        "lastModified": 1763906693,
+        "narHash": "sha256-inm7paa3myo8gE4TzjM8OPvsEg8xocWreIZBgBPEKgo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "de3758e31a3a1bc79d569f5deb5dac39791bf9b6",
+        "rev": "3d6c1c8fa0bea3a1a7ba23d6fa5993116766073b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_3": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-on-droid",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709445365,
+        "narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "4de84265d7ec7634a69ba75028696d74de9a44a7",
         "type": "github"
       },
       "original": {
@@ -148,11 +293,11 @@
         "nmt": "nmt"
       },
       "locked": {
-        "lastModified": 1666720474,
-        "narHash": "sha256-iWojjDS1D19zpeZXbBdjWb9MiKmVVFQCqtJmtTXgPx8=",
+        "lastModified": 1705252799,
+        "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=",
         "owner": "Gerschtli",
         "repo": "nix-formatter-pack",
-        "rev": "14876cc8fe94a3d329964ecb073b4c988c7b61f5",
+        "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5",
         "type": "github"
       },
       "original": {
@@ -163,90 +308,108 @@
     },
     "nix-on-droid": {
       "inputs": {
-        "home-manager": "home-manager_2",
+        "home-manager": "home-manager_3",
         "nix-formatter-pack": "nix-formatter-pack",
         "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-droid"
         ],
+        "nixpkgs-docs": "nixpkgs-docs",
         "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap",
         "nmd": "nmd_2"
       },
       "locked": {
-        "lastModified": 1670198918,
-        "narHash": "sha256-oNlUhAM0/a3pDdCMmBWA+CLrDAIYJqAAMyrDp8fNSM4=",
+        "lastModified": 1720396533,
+        "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=",
         "owner": "t184256",
         "repo": "nix-on-droid",
-        "rev": "b00cb5e7e2a47d85a019119069b153cda4002d0a",
+        "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25",
         "type": "github"
       },
       "original": {
         "owner": "t184256",
-        "ref": "release-22.11",
+        "ref": "release-24.05",
         "repo": "nix-on-droid",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1678703398,
-        "narHash": "sha256-Y1mW3dBsoWLHpYm+UIHb5VZ7rx024NNHaF16oZBx++o=",
+        "lastModified": 1763678758,
+        "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "67f26c1cfc5d5783628231e776a81c1ade623e0b",
+        "rev": "117cc7f94e8072499b0a7aa4c52084fa4e11cc9b",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-docs": {
+      "locked": {
+        "lastModified": 1705957679,
+        "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-droid": {
+      "locked": {
+        "lastModified": 1735563628,
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-for-bootstrap": {
       "locked": {
-        "lastModified": 1669834992,
-        "narHash": "sha256-YnhZGHgb4C3Q7DSGisO/stc50jFb9F/MzHeKS4giotg=",
+        "lastModified": 1720244366,
+        "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "596a8e828c5dfa504f91918d0fa4152db3ab5502",
+        "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "596a8e828c5dfa504f91918d0fa4152db3ab5502",
-        "type": "github"
-      }
-    },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1678654296,
-        "narHash": "sha256-aVfw3ThpY7vkUeF1rFy10NAkpKDS2imj3IakrzT0Occ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "5a1dc8acd977ff3dccd1328b7c4a6995429a656b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
+        "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
         "type": "github"
       }
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1669542132,
-        "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
+        "lastModified": 1763553727,
+        "narHash": "sha256-4aRqRkYHplWk0mrtoF5i3Uo73E3niOWiUZU8kmPm9hQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
+        "rev": "094318ea16502a7a81ce90dd3638697020f030a2",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "nmd": {
@@ -266,19 +429,25 @@
       }
     },
     "nmd_2": {
-      "flake": false,
+      "inputs": {
+        "nixpkgs": [
+          "nix-on-droid",
+          "nixpkgs-docs"
+        ],
+        "scss-reset": "scss-reset"
+      },
       "locked": {
-        "lastModified": 1666190571,
-        "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=",
-        "owner": "rycee",
+        "lastModified": 1705050560,
+        "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=",
+        "owner": "~rycee",
         "repo": "nmd",
-        "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169",
-        "type": "gitlab"
+        "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3",
+        "type": "sourcehut"
       },
       "original": {
-        "owner": "rycee",
+        "owner": "~rycee",
         "repo": "nmd",
-        "type": "gitlab"
+        "type": "sourcehut"
       }
     },
     "nmt": {
@@ -297,83 +466,123 @@
         "type": "gitlab"
       }
     },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1763741496,
+        "narHash": "sha256-uIRqs/H18YEtMOn1OkbnPH+aNTwXKx+iU3qnxEkVUd0=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "20e71a403c5de9ce5bd799031440da9728c1cda1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
-        "emacs": "emacs",
-        "home-manager": "home-manager",
+        "disko": "disko",
+        "distro-grub-themes": "distro-grub-themes",
+        "home-manager": "home-manager_2",
         "nix-on-droid": "nix-on-droid",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
-        "snm": "snm"
+        "nixpkgs-droid": "nixpkgs-droid",
+        "pre-commit-hooks": "pre-commit-hooks",
+        "snm": "snm",
+        "stable": "stable"
+      }
+    },
+    "scss-reset": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1631450058,
+        "narHash": "sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=",
+        "owner": "andreymatin",
+        "repo": "scss-reset",
+        "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91",
+        "type": "github"
+      },
+      "original": {
+        "owner": "andreymatin",
+        "repo": "scss-reset",
+        "type": "github"
       }
     },
     "snm": {
       "inputs": {
         "blobs": "blobs",
-        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-22_11": [
-          "nixpkgs"
-        ],
-        "utils": "utils_3"
+        "flake-compat": "flake-compat_2",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1671659164,
-        "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=",
+        "lastModified": 1763564778,
+        "narHash": "sha256-HSWMOylEaTtVgzIjpTbjcjVLXHDwNyV081eVUBfAcMs=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd",
+        "rev": "4987d275a90392347f84923cd4cd8efcf0aa7a22",
         "type": "gitlab"
       },
       "original": {
         "owner": "simple-nixos-mailserver",
-        "ref": "nixos-22.11",
+        "ref": "master",
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }
     },
-    "utils": {
+    "stable": {
       "locked": {
-        "lastModified": 1676283394,
-        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+        "lastModified": 1751274312,
+        "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "utils_2": {
+    "systems": {
       "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "nix-systems",
+        "repo": "default",
         "type": "github"
       }
     },
-    "utils_3": {
+    "systems_2": {
       "locked": {
-        "lastModified": 1605370193,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "nix-systems",
+        "repo": "default",
         "type": "github"
       }
     }

flake.nix

@@ -1,73 +1,151 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    stable.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs-droid.url = "github:NixOS/nixpkgs/nixos-24.05";
+
+    distro-grub-themes = {
+      url = "github:AdisonCavani/distro-grub-themes";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
+    pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
 
     home-manager = {
       url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
 
     # simple mailserver
     snm = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11";
-      inputs.nixpkgs-22_11.follows = "nixpkgs";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
+      #      inputs.nixpkgs-23_05.follows = "nixpkgs";
     };
 
     nix-on-droid = {
-      url = "github:t184256/nix-on-droid/release-22.11";
-      inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:t184256/nix-on-droid/release-24.05";
+      inputs.nixpkgs.follows = "nixpkgs-droid";
     };
 
-    emacs = {
-      url = "github:nix-community/emacs-overlay";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-
-#    simplex-chat = {
-#      url = "github:simplex-chat/simplex-chat";
-#      inputs.nixpkgs.follows = "nixpkgs";
-#    };
-
     # age for nix to store encrypted passwords conveniently
     agenix = {
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { home-manager, nixpkgs, agenix, snm, ... }@inputs: {
-    nixosConfigurations."thrall" = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [
-        ({
-          nixpkgs = {
-            config.allowUnfree = true;
-            overlays = with inputs; [ emacs.overlay ];
-          };
-        })
-        snm.nixosModule
-        ./modules/security.nix
-        ./hosts/thrall
-        agenix.nixosModules.age
-        home-manager.nixosModules.home-manager
+  outputs =
+    {
+      self,
+      home-manager,
+      nixpkgs,
+      stable,
+      pre-commit-hooks,
+      ...
+    }@inputs:
+    {
+      checks."x86_64-linux" =
+        let
+          system = "x86_64-linux";
+          pkgs = import nixpkgs { inherit system; };
+        in
         {
-          home-manager.useGlobalPkgs = true;
-          home-manager.useUserPackages = true;
-          home-manager.users.alex = import ./home/cli.nix;
-        }
-      ];
-    };
+          pre-commit-check = pre-commit-hooks.lib.${system}.run {
+            src = ./.;
+            tools.fourmolu = pkgs.haskellPackages.fourmolu;
+            tools.nixfmt = pkgs.nixfmt-rfc-style;
+            hooks = {
+              nixfmt-rfc-style.enable = true;
+              fourmolu.enable = true;
+              hpack.enable = true;
+              hlint.enable = true;
+              ormolu = {
+                settings.defaultExtensions = [ "GHC2021" ];
+              };
+            };
+          };
+        };
 
-    nixosConfigurations."dregil" = import ./hosts/dregil { inherit inputs; };
-    homeConfigurations = import ./outputs/homeConfigurations inputs;
+      nixosConfigurations."thrall" = nixpkgs.lib.nixosSystem rec {
+        system = "x86_64-linux";
+        specialArgs = {
+          inherit inputs;
+          inherit system;
+        };
+        modules = [
+          (
+            { inputs, lib, ... }:
+            {
+              nixpkgs = {
+                config.allowUnfree = true;
+                # overlays = with inputs; [
+                #   emacs.overlay
+                # ];
+              };
+            }
+          )
+          ./hosts/thrall
+          home-manager.nixosModules.home-manager
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.extraSpecialArgs = {
+              inherit inputs;
+            };
+          }
+          { home-manager.users.alex = ./hosts/thrall/alex.nix; }
+        ];
+      };
 
-    nixOnDroidConfigurations.default = inputs.nix-on-droid.lib.nixOnDroidConfiguration {
-      modules = [
-        ./hosts/redmi
-        { nix.registry.nixpkgs.flake = nixpkgs; }
-        { nix.nixPath = [ "nixpkgs=${nixpkgs}" ]; }
-      ];
+      nixosConfigurations."dregil" = nixpkgs.lib.nixosSystem rec {
+        system = "x86_64-linux";
+        specialArgs = {
+          inherit inputs;
+          inherit system;
+          stable = import inputs.stable { system = "x86_64-linux"; };
+        };
+        modules = [ ./hosts/dregil ];
+      };
+
+      nixosConfigurations."igor" = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = {
+          inherit inputs;
+        };
+        modules = [ ./hosts/igor ];
+      };
+
+      homeConfigurations."alex@dregil" = home-manager.lib.homeManagerConfiguration {
+
+      };
+
+      nixOnDroidConfigurations.default =
+        with inputs;
+        nix-on-droid.lib.nixOnDroidConfiguration {
+          pkgs = import nixpkgs-droid { };
+          modules = [
+            ./hosts/redmi
+            { nix.registry.nixpkgs.flake = nixpkgs-droid; }
+            { nix.nixPath = [ "nixpkgs=${nixpkgs-droid}" ]; }
+          ];
+        };
+
+      devShells."x86_64-linux".default =
+        let
+          system = "x86_64-linux";
+          pkgs = import nixpkgs { inherit system; };
+        in
+        pkgs.mkShell {
+          inherit (self.checks.${system}.pre-commit-check) shellHook;
+
+          packages = with pkgs; [
+            nixfmt-rfc-style
+            nil
+          ];
+        };
     };
-  };
 }

home/alex/cli.nix

@@ -0,0 +1,214 @@
+{ config, pkgs, ... }:
+
+# minimal config, suitable for servers
+let
+  user = {
+    name = config.home.username;
+    fullName = "Alexander Kobjolke";
+    mail = "me@failco.de";
+  };
+
+  myEza = if builtins.hasAttr "eza" pkgs then "eza" else "exa";
+in
+{
+  imports = [
+    ./programs/neovim/default.nix
+    ./programs/emacs/default.nix
+    ./programs/editorconfig
+    ./programs/jq
+    ./programs/fzf
+    ./programs/git
+    ./programs/jujutsu
+    ./programs/shell
+    ./programs/devenv.nix
+  ];
+
+  programs.home-manager.enable = true;
+  home = {
+    stateVersion = "21.05";
+    sessionPath = [ "$HOME/.local/bin" ];
+  };
+
+  # do not show home-manager notifications
+  news.display = "silent";
+
+  home.packages = with pkgs; [
+    # archives
+    #p7zip
+    #unrar
+    git-absorb
+    git-annex
+    git-annex-remote-rclone
+
+    tea # command-line frontend for gitea
+
+    # nix tools
+    nix-index
+    nixfmt-rfc-style
+    # misc
+    fd # better find
+    file # info about files
+    unzip
+    dropbox
+    gotop
+    gnumake
+    ripgrep # better grep
+    pijul
+    sqlite.dev
+    sqlite
+
+    # editing
+    nil # nix language server
+    shellcheck
+    editorconfig-core-c
+    shfmt
+    (aspellWithDicts (
+      dicts: with dicts; [
+        en
+        en-computers
+        en-science
+        de
+      ]
+    ))
+
+    # system tools
+    htop-vim # htop with vim bindings
+    erdtree # du+tree had sex
+    dua # ncdu but better
+
+    gopass
+    gopass-jsonapi
+    gopass-hibp
+
+    gcc
+    cmake
+    graphviz
+    plantuml
+    gnuplot
+
+    pandoc
+    hledger
+    hledger-web
+    hledger-ui
+
+    nix-prefetch-git
+  ];
+  home.extraOutputsToInstall = [
+    "doc"
+    "info"
+    "devdoc"
+  ];
+
+  xdg.enable = true;
+
+  xdg.configFile.tmux = {
+    target = "tmux/tmux.conf";
+    text = ''
+      set -g default-terminal "xterm-256color"
+      set-window-option -g xterm-keys on
+      set -ag update-environment "SSH_TTY SSH_CLIENT"
+      set -g prefix C-z
+      set -g status-keys vi
+      setw -g mode-keys vi
+      setw -g aggressive-resize on
+      set -g mouse on
+      # do not wait for a manually entered escape sequence, just forward it immediately
+      set -g escape-time 0
+      bind-key C-z send-prefix
+      set -g renumber-windows on
+
+      bind-key T swap-window -t 0
+    '';
+  };
+
+  xdg.configFile.pijul = {
+    target = "pijul/config.toml";
+    text = ''
+      [author]
+      name = "${user.name}"
+      full_name = "${user.fullName}"
+      email = "${user.mail}"
+    '';
+  };
+
+  programs = {
+    bash = {
+      enable = true;
+    };
+
+    # better cat
+    bat.enable = true;
+
+    # htop replacement with a nice UI
+    btop.enable = true;
+
+    # better ls with icons and stuff, maybe also try lsd
+    ${myEza} = {
+      enable = true;
+      icons = "auto";
+    };
+
+    starship = {
+      enable = true;
+    };
+
+    direnv = {
+      enable = true;
+      nix-direnv = {
+        enable = true;
+      };
+      enableZshIntegration = true;
+      enableBashIntegration = true;
+    };
+
+    gh = {
+      enable = true;
+      settings.git_protocol = "ssh";
+    };
+
+    gpg = {
+      enable = true;
+      settings = {
+        homedir = "~/.local/share/gnupg";
+      };
+    };
+
+    helix = {
+      enable = true;
+      settings.theme = "gruvbox";
+    };
+
+    password-store = {
+      enable = true;
+      package = pkgs.gopass;
+      settings = {
+        PASSWORD_STORE_DIR = "$HOME/.local/share/password-store";
+      };
+    };
+
+    ssh = {
+      enable = true;
+      enableDefaultConfig = false;
+      matchBlocks = {
+        "*" = {
+          controlMaster = "auto";
+          controlPersist = "10m";
+        };
+      };
+    };
+
+    texlive.enable = true;
+  };
+
+  services.gpg-agent = {
+    enable = true;
+    enableSshSupport = true;
+    defaultCacheTtl = 7200;
+    defaultCacheTtlSsh = 7200;
+  };
+
+  home.file.".local" = {
+    recursive = true;
+    source = ./local;
+  };
+}

home/alex/default.nix

@@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}:
+{
+  imports = [ ];
+
+  users.users."alex" = {
+    isNormalUser = true;
+    extraGroups = [
+      "input"
+      "networkmanager"
+      "wheel"
+      "video"
+    ];
+    description = "Alexander Kobjolke";
+    home = "/home/alex";
+    shell = pkgs.zsh;
+  };
+
+  home-manager.useGlobalPkgs = true;
+  home-manager.useUserPackages = true;
+  home-manager.users.alex = import ./home.nix;
+}

home/alex/home.nix

@@ -0,0 +1,119 @@
+{
+  config,
+  lib,
+  pkgs,
+  stable,
+  ...
+}:
+{
+  imports = [
+    ./cli.nix
+    ./programs/rofi
+    # ./programs/xmonad
+    # ./programs/i3
+    ./programs/jitsi-meet
+    ./programs/simplex-chat
+    ./programs/zathura
+    ./programs/autorandr
+    # ./services/polybar
+    # ./services/dunst
+    # ./services/udiskie
+    # ./services/picom
+    # ./services/screen-locker
+    # ./services/blueman-applet
+    # ./services/network-manager
+    ./services/syncthing
+    ./services/git-sync
+    ./modules/email.nix
+  ];
+
+  home = {
+    homeDirectory = "/home/alex";
+    stateVersion = "21.05";
+
+    language.base = "en_US.UTF-8";
+
+    keyboard.layout = "us";
+    keyboard.variant = "dvorak";
+    keyboard.options = [
+      "terminate:ctrl_alt_bksp"
+      "caps:escape"
+      "compose:ralt"
+    ];
+
+    packages = with pkgs; [
+      # social
+      discord # talk to other people
+      google-chrome
+      signal-desktop
+
+      # system tools
+      uhk-agent # my keyboard
+      mosh # ssh via udp
+      rclone
+      parallel-disk-usage
+      gdu
+
+      gnomeExtensions.paperwm
+
+      # gaming support
+      stable.bottles
+      wine64Packages.stagingFull
+      scummvm
+
+      # reading
+      xournalpp # pdf editor
+    ];
+  };
+
+  news.display = "silent";
+
+  my.git-sync.enable = true;
+
+  programs = {
+    alacritty.enable = true;
+
+    browserpass = {
+      enable = true;
+      browsers = [ "firefox" ];
+    };
+
+    feh.enable = true;
+    firefox = {
+      enable = true;
+      package = pkgs.firefox.override {
+        cfg = {
+          nativeMessagingHosts.packages = [
+            pkgs.browserpass
+            pkgs.tridactyl-native
+          ];
+          enableGnomeExtensions = true;
+        };
+      };
+    };
+    mpv.enable = true;
+
+    zsh =
+      let
+        auth-socket-env = ''
+          export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf -L agent-ssh-socket)"
+        '';
+      in
+      {
+        enable = true;
+        loginExtra = auth-socket-env;
+        initContent = auth-socket-env;
+      };
+  };
+
+  services.gpg-agent = {
+    enable = true;
+    enableSshSupport = true;
+    sshKeys = [ "9027AB16B9A7C20BD29F30F55CBA054430BF014C" ];
+    extraConfig = ''
+      pinentry-program ${pkgs.pinentry.qt}/bin/pinentry
+    '';
+  };
+
+  xsession.enable = true;
+}

home/alex/modules/email.nix

@@ -0,0 +1,58 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  mkAccount =
+    addr:
+    let
+      domain = lib.lists.elemAt (lib.strings.splitString "@" addr) 1;
+    in
+    {
+      address = addr;
+      gpg = {
+        key = "F2132F0C63730C6BC42BCC2A41A6D13FECA21280";
+        signByDefault = true;
+      };
+      mbsync = {
+        enable = true;
+        create = "maildir";
+      };
+      passwordCommand = "${lib.getBin pkgs.gopass}/bin/gopass --nosync show -o eMail/${domain}/${addr}";
+      msmtp.enable = true;
+      notmuch.enable = true;
+      realName = "Alexander Kobjolke";
+      userName = addr;
+    };
+in
+{
+  programs.afew.enable = true;
+  programs.mbsync.enable = true;
+  programs.msmtp.enable = true;
+  programs.notmuch = {
+    enable = true;
+    hooks.preNew = "mbsync --all";
+  };
+  programs.mu = {
+    enable = true;
+  };
+
+  accounts.email = {
+    accounts.failco = mkAccount "me@failco.de" // {
+      primary = true;
+      imap.host = "thrall.failco.de";
+      smtp.host = "thrall.failco.de";
+    };
+
+    accounts.jakalx = mkAccount "alex@jakalx.net" // {
+      imap.host = "thrall.failco.de";
+      smtp.host = "thrall.failco.de";
+    };
+
+    accounts.google = mkAccount "petry.alexander@gmail.com" // {
+      flavor = "gmail.com";
+    };
+  };
+}

home/alex/programs/autorandr/default.nix

@@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  config.programs.autorandr = {
+    enable = true;
+  };
+}

home/alex/programs/devenv.nix

@@ -0,0 +1,5 @@
+{ pkgs, ... }:
+
+{
+  config.home.packages = [ pkgs.devenv ];
+}

home/alex/programs/editorconfig/default.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+{
+  editorconfig = {
+    enable = true;
+    settings = {
+      "*" = {
+        charset = "utf-8";
+        end_of_line = "lf";
+        trim_trailing_whitespace = true;
+        insert_final_newline = true;
+        max_line_width = 78;
+        indent_style = "space";
+        indent_size = 2;
+      };
+    };
+  };
+}

home/alex/programs/emacs/default.nix

@@ -0,0 +1,26 @@
+{
+  pkgs,
+  ...
+}:
+let
+  emacsclient-wrapper = pkgs.writeShellScriptBin "e" ''
+    exec ${pkgs.emacs}/bin/emacsclient --reuse-frame --no-wait "$@"
+  '';
+in
+{
+  home = {
+    sessionPath = [ "$HOME/.emacs.d/bin" ];
+    packages = [ emacsclient-wrapper ];
+  };
+
+  programs.emacs = {
+    enable = true;
+    extraPackages = epkgs: with epkgs; [ vterm ];
+  };
+
+  services.emacs = {
+    enable = true;
+    defaultEditor = true;
+    startWithUserSession = true;
+  };
+}

home/alex/programs/emacs/doom/config.el

@@ -0,0 +1,410 @@
+;;; $DOOMDIR/config.el -*- lexical-binding: t; -*-
+
+;; Place your private configuration here! Remember, you do not need to run 'doom
+;; sync' after modifying this file!
+
+(setq ak/at-work? (getenv "I_AM_AT_WORK"))
+
+;; Some functionality uses this to identify you, e.g. GPG configuration, email
+;; clients, file templates and snippets.
+(setq! user-full-name "Alexander Kobjolke"
+       user-mail-address "me@failco.de"
+       auth-sources '("~/.local/share/emacs/authinfo.gpg" "~/.authinfo.gpg" "~/.netrc")
+       auth-source-cache-expiry nil)
+
+(when ak/at-work?
+  (setq! user-mail-address "alexander.kobjolke@atlas-elektronik.com"))
+
+
+;; Doom exposes five (optional) variables for controlling fonts in Doom. Here
+;; are the three important ones:
+;;
+;; + `doom-font'
+;; + `doom-variable-pitch-font'
+;; + `doom-big-font' -- used for `doom-big-font-mode'; use this for
+;;   presentations or streaming.
+;;
+;; They all accept either a font-spec, font string ("Input Mono-12"), or xlfd
+;; font string. You generally only need these two:
+;; (setq doom-font (font-spec :family "monospace" :size 12 :weight 'semi-light)
+;;       doom-variable-pitch-font (font-spec :family "sans" :size 13))
+
+;; There are two ways to load a theme. Both assume the theme is installed and
+;; available. You can either set `doom-theme' or manually load a theme with the
+;; `load-theme' function. This is the default:
+(setq! doom-theme 'doom-gruvbox)
+(setq! doom-localleader-key ",")
+(setq! doom-localleader-alt-key "M-,")
+
+(require 're-builder)
+(setq! reb-re-syntax 'string)
+
+;; do not create a new workspace for each emacsclient
+;; (after! persp-mode
+;;     (setq! persp-emacsclient-init-frame-behaviour-override "main"))
+
+(after! lsp
+  (add-to-list 'lsp-file-watch-ignored-directories "[/\\\\]\\.devenv\\'")
+  (add-to-list 'lsp-file-watch-ignored-directories "[/\\\\]target\\'")
+  )
+
+(defun set-frame-alpha (arg &optional active)
+  "Interactively set the transparency of the active frame"
+  (interactive "nEnter alpha value (1-100): \np")
+  (let* ((elt (assoc 'alpha default-frame-alist))
+         (old (frame-parameter nil 'alpha))
+         (new (cond ((atom old)     `(,arg ,arg))
+                    ((eql 1 active) `(,arg ,(cadr old)))
+                    (t              `(,(car old) ,arg)))))
+    (if elt (setcdr elt new) (push `(alpha ,@new) default-frame-alist))
+    (set-frame-parameter nil 'alpha new)))
+
+(defun my/org-id-update-id-current-file ()
+  "Scan the current buffer for Org-ID locations and update them."
+  (interactive)
+  (org-id-update-id-locations (list (buffer-file-name (current-buffer)))))
+
+(setq! undo-limit 80000000                         ; Raise undo-limit to 80Mb
+       auto-save-default t                         ; Nobody likes to loose work, I certainly don't
+       ;; switch-to-buffer-in-dedicated-window 'pop
+       ;; switch-to-buffer-obey-display-actions t
+       )
+
+;; tweak some VI defaults
+(after! evil
+  (setq! evil-ex-substitute-global t     ; I like my s/../.. to be global by default
+         evil-move-cursor-back nil       ; Don't move the block cursor when toggling insert mode
+         evil-want-fine-undo t                       ; By default while in insert all changes are one big blob. Be more granular
+         evil-want-Y-yank-to-eol t
+         evil-escape-key-sequence "qq"               ; define an escape sequence
+         evil-escape-delay 0.175
+         evil-move-beyond-eol t                      ; let the cursor move beyond eol just as in regular emacs
+         evil-kill-on-visual-paste nil ; Don't put overwritten text in the kill ring
+         evil-snipe-override-evil-repeat-keys nil))
+
+
+;; This determines the style of line numbers in effect. If set to `nil', line
+;; numbers are disabled. For relative line numbers, set this to `relative'.
+(setq! display-line-numbers-type 'relative)
+
+;; mouse
+;; enable mouse reporting for terminal emulators
+(unless window-system
+  (xterm-mouse-mode 1)
+  (global-set-key [mouse-4] (lambda ()
+                              (interactive)
+                              (scroll-down 1)))
+  (global-set-key [mouse-5] (lambda ()
+                              (interactive)
+                              (scroll-up 1))))
+
+(use-package! org
+  :init
+  ;; If you use `org' and don't want your org files in the default location below,
+  ;; change `org-directory'. It must be set before org loads!
+  (setq! org-directory "~/org/")
+  (setq! org-log-into-drawer t
+         org-agenda-include-diary t
+         org-agenda-sticky t
+         org-todo-keywords '(
+                             (sequence "NEXT(n)" "TODO(t)" "WAIT(w@/!)" "|" "DONE(d!)" "CNCL(k@)")
+                             (sequence "[ ](T)" "[-](S)" "[?](W)" "|" "[X](D)")
+                             )
+         org-tag-alist '(
+                         ;; Places
+                         ("@home" . ?h)
+                         ("@work" . ?w)
+
+                         ;; devices
+                         ("@phone" . ?p)
+                         ("@computer" . ?c)
+
+                         ;;
+                         ("@email" . ?e)
+
+                         ))
+
+
+  :config
+
+  (use-package! org-ql)
+  (use-package! org-modern)
+  (use-package! org-bookmark-heading)
+
+  (add-hook! 'org-mode-hook #'+org-init-keybinds-h))
+
+(use-package! org-contacts
+  :after org
+  :custom (org-contacts-files '("~/org/contacts.org")))
+
+(use-package! activities
+  :demand t
+  :config
+  (defun ak/activities-define--with-prefix-arg ()
+    "Call 'C-u activities-define' in order to save the current activity."
+    (interactive)
+    (let ((current-prefix-arg '(4)))
+      (call-interactively #'activities-define)))
+
+  (activities-mode)
+  (activities-tabs-mode)
+  (setopt tab-bar-show 1)
+  (map!
+   (:prefix-map ("C-c a" . "Activities")
+    :desc "Switch activity" "a" #'activities-switch
+    :desc "Resume activity" "r" #'activities-resume
+    :desc "Create new activity" "n" #'activities-new
+    :desc "List activities" "l" #'activities-list
+    :desc "Save current activity " "s" #'ak/activities-define--with-prefix-arg
+    :desc "Save all activities" "S" #'activities-save-all
+    :desc "Revert activity to default" "R" #'activities-revert
+    )
+   )
+  )
+
+(when ak/at-work?
+  (after! forge
+    (add-to-list 'forge-alist '("gitlab.atlas.de" "gitlab.atlas.de/api/v4" "gitlab.atlas.de" forge-gitlab-repository)))
+
+  (after! haskell-mode
+    (setq haskell-process-type 'cabal-new-repl))
+
+  (setq! plantuml-jar-path "~/opt/plantuml.jar")
+  (setq! org-plantuml-jar-path plantuml-jar-path)
+
+  (after! lsp
+    (add-to-list 'lsp-disabled-clients 'cmakels))
+
+  (add-to-list '+format-on-save-disabled-modes 'cmake-mode)
+  (add-to-list '+format-on-save-disabled-modes 'nxml-mode)
+
+  (use-package! code-review
+    :init
+    (setq code-review-auth-login-marker 'forge)
+    ;; (setq code-review-gitlab-host "gitlab.atlas.de/api")
+    ;; (setq code-review-gitlab-graphql-host "gitlab.atlas.de/api")
+    :config
+    (add-hook 'code-review-mode-hook
+              (lambda ()
+                ;; include *Code-Review* buffer into current workspace
+                (persp-add-buffer (current-buffer))))))
+
+(after! magit
+  (transient-append-suffix 'magit-fetch "-t"
+    '("-f" "Bypass safety checks" "--force"))
+  )
+
+(setq ak/bibliography (list (concat org-directory "references.bib")))
+;; (setq org-cite-global-bibliography (list (concat org-directory "references.bib")))
+(setq! bibtex-completion-bibliography ak/bibliography)
+(setq! citar-bibliography ak/bibliography)
+
+(after! ledger-mode
+  (setq!
+   ;; Use an ISO date format for ledger entries
+   ledger-default-date-format "%Y-%m-%d"
+   ledger-binary-path "hledger"
+   ledger-report-auto-width nil
+   ledger-mode-should-check-version nil
+   ledger-init-file-name " "
+   ledger-post-amount-alignment-column 58
+   ledger-report-native-highlighting-arguments '("--color=always")
+   ledger-highlight-xact-under-point t)
+
+  (setq! ledger-reports
+         '(("bal" "%(binary) -f %(ledger-file) bal -B")
+           ("reg" "%(binary) -f %(ledger-file) reg -B")
+           ("payee" "%(binary) -f %(ledger-file) reg -B @%(payee)")
+           ("account" "%(binary) -f %(ledger-file) reg -B %(account)"))) )
+
+
+(after! lsp-haskell
+  (setq lsp-haskell-formatting-provider "fourmolu")
+
+  ;; will define elisp functions for the given lsp code actions, prefixing the
+  ;; given function names with "lsp"
+  (lsp-make-interactive-code-action wingman-fill-hole "refactor.wingman.fillHole")
+  (lsp-make-interactive-code-action wingman-case-split "refactor.wingman.caseSplit")
+  (lsp-make-interactive-code-action wingman-refine "refactor.wingman.refine")
+  (lsp-make-interactive-code-action wingman-split-func-args "refactor.wingman.spltFuncArgs")
+  (lsp-make-interactive-code-action wingman-use-constructor "refactor.wingman.useConstructor")
+
+  ;; example key bindings
+  ;; (define-key haskell-mode-map (kbd "C-c d") #'lsp-wingman-case-split)
+  ;; (define-key haskell-mode-map (kbd "C-c n") #'lsp-wingman-fill-hole)
+  ;; (define-key haskell-mode-map (kbd "C-c r") #'lsp-wingman-refine)
+  ;; (define-key haskell-mode-map (kbd "C-c c") #'lsp-wingman-use-constructor)
+  ;; (define-key haskell-mode-map (kbd "C-c a") #'lsp-wingman-split-func-args)
+  )
+
+;; Org GTD support
+(use-package! org-gtd
+  :after org
+  :demand t
+  :init
+  (setq! org-gtd-update-ack "3.0.0")
+
+  :config
+  (setf  org-gtd-id--generate #'org-id-get-create)
+  (setq! org-gtd-directory org-directory)
+  (setq! org-gtd-default-file-name "actionable")
+  (setq! org-gtd-refile-to-any-target nil)
+  (setq! org-gtd-engage-prefix-width 40)
+  (setq! org-edna-use-inheritance t)
+  ;; (setq org-gtd-areas-of-focus '("house" "haskell" "foss"))
+  (setq org-gtd-organize-hooks nil)
+  (org-edna-mode)
+  (map! :leader
+        :desc "Capture"        "X"  #'org-gtd-capture
+        (:prefix-map ("d" . "GTD")
+         :desc "Capture"        "c"  #'org-gtd-capture
+         :desc "Engage"         "e"  #'org-gtd-engage
+         :desc "Engage Context" "@"  #'org-gtd-engage-grouped-by-context
+         :desc "Process inbox"  "p"  #'org-gtd-process-inbox
+         :desc "Show all next"  "n"  #'org-gtd-show-all-next
+         :desc "Fix project"  "f"  #'org-gtd-projects-fix-todo-keywords-for-project-at-point
+         (:prefix-map ("r" . "Review")
+          :desc "Stuck projects" "p"  #'org-gtd-review-stuck-projects
+          :desc "Stuck actions" "a"  #'org-gtd-review-stuck-single-action-items
+          :desc "Stuck habits" "h"  #'org-gtd-review-stuck-habit-items
+          )
+         ))
+  (map! :map org-gtd-clarify-map
+        :desc "Organize this item" "C-c C-c" #'org-gtd-organize)
+  (map! (:prefix-map ("C-c d" . "GTD")
+         :desc "Capture"        "c"  #'org-gtd-capture
+         :desc "Engage"         "e"  #'org-gtd-engage
+         :desc "Engage Context" "@"  #'org-gtd-engage-grouped-by-context
+         :desc "Process inbox"  "p"  #'org-gtd-process-inbox
+         :desc "Show all next"  "n"  #'org-gtd-show-all-next
+         :desc "Fix project"  "f"  #'org-gtd-projects-fix-todo-keywords-for-project-at-point
+         (:prefix-map ("r" . "Review")
+          :desc "Stuck projects" "p"  #'org-gtd-review-stuck-projects
+          :desc "Stuck actions" "a"  #'org-gtd-review-stuck-single-action-items
+          :desc "Stuck habits" "h"  #'org-gtd-review-stuck-habit-items))))
+
+(after! org-habit
+  (setq org-habit-show-habits t
+        org-habit-preceding-days 35
+        org-habit-following-days 7))
+
+(use-package! org-edna
+  :after org-gtd
+  :init
+  (setq org-edna-use-inheritance t)
+  :config
+  (org-edna-mode 1))
+
+(use-package! nov
+  :mode ("\\.epub\\'" . nov-mode)
+  :config
+  (setq nov-save-place-file (concat doom-cache-dir "nov-places")))
+
+(use-package! protobuf-mode
+  :mode ("\\.proto\\'" . protobuf-mode))
+
+(use-package! systemd
+  :mode ("\\.\\(service\\|target\\|socket\\|timer\\)\\'" . systemd-mode))
+
+(use-package! org-present
+  :after org)
+
+(use-package! denote
+  :after org
+  :config
+  (setq! denote-directory (concat org-directory "/notes"))
+  (map! :leader
+        (:prefix-map ("n" . "notes")
+         :desc "Denote"            "d"  #'denote-open-or-create-with-command
+         ))
+  :bind
+  (("C-c n d" . #'denote-open-or-create-with-command))
+  )
+
+(use-package! denote-org
+  :after denote)
+
+(use-package! denote-journal
+  :after denote)
+
+(use-package! denote-menu
+  :after denote)
+
+(use-package! denote-sequence
+  :after denote)
+
+(use-package! org-super-agenda
+  :after org-agenda
+  :init
+  (setq! org-agenda-skip-deadline-if-done t
+         org-agenda-skip-scheduled-if-done t
+         org-agenda-include-deadlines t
+         org-agenda-block-separator nil
+         org-agenda-compact-blocks t
+         org-agenda-start-day nil
+         org-agenda-span 1
+         org-agenda-start-on-weekday nil)
+
+  (setq! org-agenda-custom-commands
+         '(("a" "Getting Things done"
+            ((agenda "" ((org-agenda-overriding-header "")
+                         (org-super-agenda-groups
+                          '((:name "Today"
+                             :time-grid t
+                             :date today
+                             :order 1)))))
+             (alltodo "" ((org-agenda-overriding-header "")
+                          (org-super-agenda-groups
+                           '(;(:log t)
+                             (:name "Waiting for..."
+                              :todo "WAIT"
+                              :order 1)
+                             (:discard (:not (:todo ("NEXT" "STRT"))))
+                             (:name "Next actions"
+                              :auto-parent (:todo ("NEXT" "STRT"))
+                              :order 2
+                              )
+                             (:discard (:anything t)
+                              :order 99)
+                             ))))
+             ))))
+  :config
+  (org-super-agenda-mode)
+  )
+
+(use-package! org-fc
+  :after org straight
+  :config
+  (setq! org-fc-directories (concat org-directory "/cards"))
+  (setq! org-fc-source-path (concat straight-base-dir "repos/org-fc"))
+  )
+
+(after! vterm
+  (setq vterm-min-window-width 50)
+  )
+
+(use-package! consult-denote
+  :after denote)
+
+(use-package! cov)
+                                        ;(use-package! casual-suite)
+
+(map! :desc "Move workspace to the left" :leader :n "TAB <" #'+workspace/swap-left)
+(map! :desc "Move workspace to the left" :leader :n "TAB >" #'+workspace/swap-right)
+
+;; Here are some additional functions/macros that could help you configure Doom:
+;;
+;; - `load!' for loading external *.el files relative to this one
+;; - `use-package!' for configuring packages
+;; - `after!' for running code after a package has loaded
+;; - `add-load-path!' for adding directories to the `load-path', relative to
+;;   this file. Emacs searches the `load-path' when you load packages with
+;;   `require' or `use-package'.
+;; - `map!' for binding new keys
+;;
+;; To get information about any of these functions/macros, move the cursor over
+;; the highlighted symbol at press 'K' (non-evil users must press 'C-c c k').
+;; This will open documentation for it, including demos of how they are used.
+;;
+;; You can also try 'gd' (or 'C-c c d') to jump to their definition and see how
+;; they are implemented.

home/alex/programs/emacs/doom/custom.el

@@ -0,0 +1,51 @@
+(custom-set-variables
+ ;; custom-set-variables was added by Custom.
+ ;; If you edit it by hand, you could mess it up, so be careful.
+ ;; Your init file should contain only one such instance.
+ ;; If there is more than one, they won't work right.
+ '(ansi-color-names-vector
+   ["#282c34" "#ff6c6b" "#98be65" "#ECBE7B" "#51afef" "#c678dd" "#46D9FF" "#bbc2cf"])
+ '(custom-safe-themes
+   '("c4063322b5011829f7fdd7509979b5823e8eea2abf1fe5572ec4b7af1dd78519" "835868dcd17131ba8b9619d14c67c127aa18b90a82438c8613586331129dda63" "7eea50883f10e5c6ad6f81e153c640b3a288cd8dc1d26e4696f7d40f754cc703" default))
+ '(exwm-floating-border-color "#191b20")
+ '(fci-rule-color "#5B6268")
+ '(highlight-tail-colors
+   ((("#333a38" "#99bb66" "green")
+     . 0)
+    (("#2b3d48" "#46D9FF" "brightcyan")
+     . 20)))
+ '(jdee-db-active-breakpoint-face-colors (cons "#1B2229" "#51afef"))
+ '(jdee-db-requested-breakpoint-face-colors (cons "#1B2229" "#98be65"))
+ '(jdee-db-spec-breakpoint-face-colors (cons "#1B2229" "#3f444a"))
+ '(objed-cursor-color "#ff6c6b")
+ '(pdf-view-midnight-colors (cons "#bbc2cf" "#282c34"))
+ '(rustic-ansi-faces
+   ["#282c34" "#ff6c6b" "#98be65" "#ECBE7B" "#51afef" "#c678dd" "#46D9FF" "#bbc2cf"])
+ '(vc-annotate-background "#282c34")
+ '(vc-annotate-color-map
+   (list
+    (cons 20 "#98be65")
+    (cons 40 "#b4be6c")
+    (cons 60 "#d0be73")
+    (cons 80 "#ECBE7B")
+    (cons 100 "#e6ab6a")
+    (cons 120 "#e09859")
+    (cons 140 "#da8548")
+    (cons 160 "#d38079")
+    (cons 180 "#cc7cab")
+    (cons 200 "#c678dd")
+    (cons 220 "#d974b7")
+    (cons 240 "#ec7091")
+    (cons 260 "#ff6c6b")
+    (cons 280 "#cf6162")
+    (cons 300 "#9f585a")
+    (cons 320 "#6f4e52")
+    (cons 340 "#5B6268")
+    (cons 360 "#5B6268")))
+ '(vc-annotate-very-old-color nil))
+(custom-set-faces
+ ;; custom-set-faces was added by Custom.
+ ;; If you edit it by hand, you could mess it up, so be careful.
+ ;; Your init file should contain only one such instance.
+ ;; If there is more than one, they won't work right.
+ )

home/alex/programs/emacs/doom/init.el

@@ -0,0 +1,194 @@
+;;; init.el -*- lexical-binding: t; -*-
+
+;; This file controls what Doom modules are enabled and what order they load
+;; in. Remember to run 'doom sync' after modifying it!
+
+;; NOTE Press 'SPC h d h' (or 'C-h d h' for non-vim users) to access Doom's
+;;      documentation. There you'll find a "Module Index" link where you'll find
+;;      a comprehensive list of Doom's modules and what flags they support.
+
+;; NOTE Move your cursor over a module's name (or its flags) and press 'K' (or
+;;      'C-c c k' for non-vim users) to view its documentation. This works on
+;;      flags as well (those symbols that start with a plus).
+;;
+;;      Alternatively, press 'gd' (or 'C-c c d') on a module to browse its
+;;      directory (for easy access to its source code).
+
+(doom! :input
+       ;;chinese
+       ;;japanese
+       ;;layout            ; auie,ctsrnm is the superior home row
+
+       :completion
+       ;; company          ; the ultimate code completion backend
+       ;;helm              ; the *other* search engine for love and life
+       ;;ido               ; the other *other* search engine...
+       ;;ivy               ; a search engine for love and life
+       (vertico +orderless +icons)    ; the search engine of the future
+       (corfu +orderless +icons +dabbrev)
+
+       :ui
+       ;;deft              ; notational velocity for Emacs
+       doom              ; what makes DOOM look the way it does
+       doom-dashboard    ; a nifty splash screen for Emacs
+       doom-quit         ; DOOM quit-message prompts when you quit Emacs
+       (emoji +unicode +github +ascii)  ; 🙂
+       hl-todo           ; highlight TODO/FIXME/NOTE/DEPRECATED/HACK/REVIEW
+       ;;hydra
+       ;;indent-guides     ; highlighted indent columns
+       ;;(ligatures +extra)  ; ligatures and symbols to make your code pretty again
+       ;;minimap           ; show a map of the code on the side
+       modeline          ; snazzy, Atom-inspired modeline, plus API
+       nav-flash         ; blink cursor line after big motions
+       ;;neotree           ; a project drawer, like NERDTree for vim
+       ophints           ; highlight the region an operation acts on
+       (popup +defaults +all)   ; tame sudden yet inevitable temporary windows
+       ;;tabs              ; a tab bar for Emacs
+       ;;treemacs          ; a project drawer, like neotree but cooler
+       unicode           ; extended unicode support for various languages
+       (vc-gutter +diff-hl) ; vcs diff in the fringe
+       vi-tilde-fringe   ; fringe tildes to mark beyond EOB
+       (window-select +numbers)     ; visually switch windows
+       workspaces        ; tab emulation, persistence & separate workspaces
+       zen               ; distraction-free coding or writing
+
+       :editor
+       (evil +everywhere); come to the dark side, we have cookies
+       file-templates    ; auto-snippets for empty files
+       fold              ; (nigh) universal code folding
+       (format +onsave)  ; automated prettiness
+       ;;god               ; run Emacs commands without modifier keys
+       ;; lispy             ; vim for lisp, for people who don't like vim
+       multiple-cursors
+                                        ; editing in many places at once
+       ;;objed             ; text object editing for the innocent
+       ;; parinfer          ; turn lisp into python, sort of
+       rotate-text       ; cycle region at point between text candidates
+       snippets          ; my elves. They type so I don't have to
+       word-wrap         ; soft wrapping with language-aware indent
+
+       :emacs
+       (dired +ranger +icons)             ; making dired pretty [functional]
+       electric          ; smarter, keyword-based electric-indent
+       (ibuffer +icons)         ; interactive buffer management
+       undo              ; persistent, smarter undo for your inevitable mistakes
+       vc                ; version-control and Emacs, sitting in a tree
+
+       :term
+       eshell            ; the elisp shell that works everywhere
+       ;;shell             ; simple shell REPL for Emacs
+       ;;term              ; basic terminal emulator for Emacs
+       vterm             ; the best terminal emulation in Emacs
+
+       :checkers
+       syntax              ; tasing you for every semicolon you forget
+       (spell +flyspell +everywhere +aspell) ; tasing you for misspelling mispelling
+       ;;grammar           ; tasing grammar mistake every you make
+
+       :tools
+       ansible
+       biblio              ; Writes a PhD for you (citation needed)
+       (debugger +lsp)          ; FIXME stepping through code, to help you add bugs
+       direnv
+       (docker +lsp)
+       editorconfig      ; let someone else argue about tabs vs spaces
+       ;;ein               ; tame Jupyter notebooks with emacs
+       (eval +overlay)     ; run code, run (also, repls)
+       ;;gist              ; interacting with github gists
+       lookup              ; navigate your code and its documentation
+       (lsp)               ; M-x vscode
+       (magit +forge)             ; a git porcelain for Emacs
+       make              ; run make tasks from Emacs
+       pass              ; password manager for nerds
+       pdf               ; pdf enhancements
+       ;;prodigy           ; FIXME managing external services & code builders
+       ;;rgb               ; creating color strings
+       ;;taskrunner        ; taskrunner for all your projects
+       tmux              ; an API for interacting with tmux
+       tree-sitter
+       (terraform +lsp)         ; infrastructure as code
+       ;;upload            ; map local to remote projects via ssh/ftp
+
+       :os
+       (:if IS-MAC macos)  ; improve compatibility with macOS
+       (tty +osc)               ; improve the terminal Emacs experience
+
+       :lang
+       ;;agda              ; types of types of types of types...
+       ;;beancount         ; mind the GAAP
+       (cc +lsp +tree-sitter)                ; C > C++ == 1
+       ;;clojure           ; java with a lisp
+       common-lisp       ; if you've seen one lisp, you've seen them all
+       ;;coq               ; proofs-as-programs
+       ;;crystal           ; ruby at the speed of c
+       ;;csharp            ; unity, .NET, and mono shenanigans
+       data              ; config/data formats
+       ;;(dart +flutter)   ; paint ui and not much else
+       ;;dhall
+       (elixir +lsp +tree-sitter)            ; erlang done right
+       (elm +lsp +tree-sitter)             ; care for a cup of TEA?
+       emacs-lisp        ; drown in parentheses
+       (erlang +lsp +tree-sitter)            ; an elegant language for a more civilized age
+       ;;ess               ; emacs speaks statistics
+       ;;factor
+       ;;faust             ; dsp, but you get to keep your soul
+       ;;fsharp            ; ML stands for Microsoft's Language
+       ;;fstar             ; (dependent) types and (monadic) effects and Z3
+       ;;gdscript          ; the language you waited for
+       (go +lsp +tree-sitter)         ; the hipster dialect
+       (graphql +lsp)    ; Give queries a REST
+       (haskell +lsp +tree-sitter)  ; a language that's lazier than I am
+       ;;hy                ; readability of scheme w/ speed of python
+       ;;idris             ; a language you can depend on
+       (json +lsp +tree-sitter)              ; At least it ain't XML
+       (java +lsp +tree-sitter)       ; the poster child for carpal tunnel syndrome
+       javascript        ; all(hope(abandon(ye(who(enter(here))))))
+       ;;julia             ; a better, faster MATLAB
+       (kotlin +lsp)            ; a better, slicker Java(Script)
+       latex             ; writing papers in Emacs has never been so fun
+       ;;lean              ; for folks with too much to prove
+       ledger            ; be audit you can be
+       (lua +lsp +tree-sitter)               ; one-based indices? one-based indices
+       (markdown +grip)          ; writing docs for people to ignore
+       ;;nim               ; python + lisp at the speed of c
+       (nix +lsp +tree-sitter)  ; I hereby declare "nix geht mehr!"
+       ;;ocaml             ; an objective camel
+       (org +pandoc +present +gnuplot +noter)               ; organize your plain life in plain text
+       ;;php               ; perl's insecure younger brother
+       plantuml          ; diagrams for confusing people more
+       (purescript +lsp)   ; javascript, but functional
+       (python +lsp +tree-sitter +pyenv)            ; beautiful is better than ugly
+       qt                ; the 'cutest' gui framework ever
+       (racket +lsp +xp) ; a DSL for DSLs
+       ;;raku              ; the artist formerly known as perl6
+       (rest +jq)          ; Emacs as a REST client
+       ;;rst               ; ReST in peace
+       ;;(ruby +rails)     ; 1.step {|i| p "Ruby is #{i.even? ? 'love' : 'life'}"}
+       (rust +lsp +tree-sitter)             ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
+       ;;scala             ; java, but good
+       ;;(scheme +guile)   ; a fully conniving family of lisps
+       (sh +lsp +tree-sitter)                ; she sells {ba,z,fi}sh shells on the C xor
+       ;;sml
+       ;;solidity          ; do you need a blockchain? No.
+       ;;swift             ; who asked for emoji variables?
+       ;;terra             ; Earth and Moon in alignment for performance.
+       (web +lsp +tree-sitter)               ; the tubes
+       (yaml +lsp +tree-sitter)              ; JSON, but readable
+       (zig +lsp +tree-sitter)               ; C, but simpler
+
+       :email
+       (mu4e +org +gmail +mbsync)
+       ;; (notmuch +org +afew)
+       ;;(wanderlust +gmail)
+
+       :app
+       calendar
+       ;;emms
+       ;;everywhere        ; *leave* Emacs!? You must be joking
+       irc               ; how neckbeards socialize
+       (rss +org)        ; emacs as an RSS reader
+       ;;twitter           ; twitter client https://twitter.com/vnought
+
+       :config
+       ;;literate
+       (default +bindings +gnupg +smartparens))

home/alex/programs/emacs/doom/packages.el

@@ -0,0 +1,93 @@
+;; -*- no-byte-compile: t; -*-
+;;; $DOOMDIR/packages.el
+
+;; To install a package with Doom you must declare them here and run 'doom sync'
+;; on the command line, then restart Emacs for the changes to take effect -- or
+;; use 'M-x doom/reload'.
+
+
+;; To install SOME-PACKAGE from MELPA, ELPA or emacsmirror:
+;;(package! some-package)
+
+;; To install a package directly from a remote git repo, you must specify a
+;; `:recipe'. You'll find documentation on what `:recipe' accepts here:
+;; https://github.com/raxod502/straight.el#the-recipe-format
+;;(package! another-package
+;;  :recipe (:host github :repo "username/repo"))
+
+;; If the package you are trying to install does not contain a PACKAGENAME.el
+;; file, or is located in a subdirectory of the repo, you'll need to specify
+;; `:files' in the `:recipe':
+;;(package! this-package
+;;  :recipe (:host github :repo "username/repo"
+;;           :files ("some-file.el" "src/lisp/*.el")))
+
+;; If you'd like to disable a package included with Doom, you can do so here
+;; with the `:disable' property:
+;;(package! builtin-package :disable t)
+
+;; You can override the recipe of a built in package without having to specify
+;; all the properties for `:recipe'. These will inherit the rest of its recipe
+;; from Doom or MELPA/ELPA/Emacsmirror:
+;;(package! builtin-package :recipe (:nonrecursive t))
+;;(package! builtin-package-2 :recipe (:repo "myfork/package"))
+
+;; Specify a `:branch' to install a package from a particular branch or tag.
+;; This is required for some packages whose default branch isn't 'master' (which
+;; our package manager can't deal with; see raxod502/straight.el#279)
+;;(package! builtin-package :recipe (:branch "develop"))
+
+;; Use `:pin' to specify a particular commit to install.
+                                        ;(package! builtin-package :pin "1a2b3c4d5e")
+
+
+;; Doom's packages are pinned to a specific commit and updated from release to
+;; release. The `unpin!' macro allows you to unpin single packages...
+                                        ;(unpin! pinned-package)
+;; ...or multiple packages
+                                        ;(unpin! pinned-package another-pinned-package)
+;; ...Or *all* packages (NOT RECOMMENDED; will likely break things)
+;;(unpin! t)
+
+;;(package! this-package
+;;  :recipe (:host github :repo "username/repo"
+;;           :files ("some-file.el" "src/lisp/*.el")))
+
+;;(unpin! compat)
+;;(unpin! with-editor ghub)
+
+;;(package! transient :pin "25b994a565ce8035330b0a3071ee430c0282349e") ; 0.8.8
+
+(package! ormolu)
+(package! org-gtd
+  :recipe (:host github :repo "Trevoke/org-gtd.el" :branch "master"))
+(package! org-fc
+  :recipe (:host sourcehut :repo "l3kn/org-fc" :branch "main"))
+(package! org-edna)
+(package! org-review
+  :recipe (:host github :repo "jakalx/org-review" :branch "master"))
+(package! sqlite3)
+(package! emacsql-sqlite3)
+(package! nov)
+(package! org-present)
+
+(package! denote)
+(package! denote-org)
+(package! denote-journal)
+(package! denote-menu)
+(package! denote-sequence)
+
+(package! org-super-agenda)
+(package! org-modern)
+(package! org-ql)
+(package! org-contacts)
+(package! org-bookmark-heading)
+(package! activities
+  :recipe (:host github :repo "alphapapa/activities.el" :branch "master"))
+;; (package! elfeed-web)
+(package! systemd)
+(package! protobuf-mode)
+(package! cov)
+(package! modus-themes)
+(package! consult-denote)
+(package! casual-suite)

home/alex/programs/emacs/doom/snippets/org-mode/__

@@ -0,0 +1,3 @@
+# -*- mode: snippet -*-
+# name: Org Template file
+# --

home/alex/programs/fzf/default.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  programs.fzf = { enable = true; };
+}

home/alex/programs/git/default.nix

@@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  programs.git = {
+    enable = true;
+    lfs.enable = true;
+    ignores = [
+      "*~"
+      "*.swp"
+      "result"
+      "dist-newstyle"
+      ".direnv"
+      "*.bak"
+      ".pre-commit-config.yaml"
+    ];
+    signing = {
+      key = "41A6D13FECA21280";
+      signByDefault = false;
+    };
+
+    settings = {
+      pull = {
+        rebase = true;
+      };
+      merge = {
+        conflictstyle = "diff3";
+      };
+      submodule = {
+        recurse = true;
+      };
+      user = {
+        # TODO create option for my own account meta data
+        email = "me@failco.de";
+        name = "Alexander Kobjolke";
+      };
+      alias = {
+        a = "add";
+        c = "commit";
+        ca = "commit --amend";
+        can = "commit --amend --no-edit";
+        cl = "clone";
+        cm = "commit -m";
+        co = "checkout";
+        cp = "cherry-pick";
+        cpx = "cherry-pick -x";
+        d = "diff";
+        f = "fetch";
+        fo = "fetch origin";
+        fu = "fetch upstream";
+        lol = "log --graph --decorate --pretty=oneline --abbrev-commit";
+        lola = "log --graph --decorate --pretty=oneline --abbrev-commit --all";
+        pl = "pull";
+        pr = "pull -r";
+        ps = "push";
+        psf = "push -f";
+        rb = "rebase";
+        rbi = "rebase -i";
+        r = "remote";
+        ra = "remote add";
+        rr = "remote rm";
+        rv = "remote -v";
+        rs = "remote show";
+        st = "status";
+      };
+
+      init.defaultBranch = "main";
+    };
+  };
+
+  programs.delta = {
+    enable = true;
+    enableGitIntegration = true;
+  };
+
+  programs.git-cliff = {
+    enable = true;
+  };
+}

home/alex/programs/i3/default.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  config.xsession.windowManager.i3 = {
+    enable = true;
+    config = {
+      modifier = "Mod4";
+    };
+  };
+}

home/alex/programs/jitsi-meet/default.nix

@@ -0,0 +1,11 @@
+{
+  config,
+  lib,
+  pkgs,
+  stable,
+  ...
+}:
+
+{
+  config.home.packages = [ stable.jitsi-meet-electron ];
+}

home/alex/programs/jq/default.nix

@@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  programs.jq = {
+    enable = true;
+  };
+}

home/alex/programs/jujutsu/default.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  programs.jujutsu = {
+    enable = true;
+    settings = {
+      user.name = config.programs.git.settings.user.name;
+      user.email = config.programs.git.settings.user.email;
+      ui.default-command = "log";
+      aliases.init = [
+        "git"
+        "init"
+      ];
+    };
+  };
+}

home/alex/programs/neovim/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+  programs.neovim = {
+    enable = true;
+    vimAlias = true;
+
+    extraConfig = ''
+      set nowrap
+    '';
+
+    plugins = with pkgs.vimPlugins; [
+      vim-nix
+
+      indentLine
+      indent-blankline-nvim
+      neoformat
+    ];
+  };
+}

home/alex/programs/rofi/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.programs.rofi = {
+    enable = true;
+    plugins = with pkgs; [ rofi-calc rofi-emoji ];
+    terminal = "${pkgs.alacritty}/bin/alacritty";
+    theme = ./themes/gruvbox-dark-soft.rasi;
+    pass = {
+      enable = true;
+      stores = [ config.programs.password-store.settings.PASSWORD_STORE_DIR ];
+      extraConfig = ''
+        default_user=:filename
+      '';
+    };
+  };
+
+  # let rofi insert emojis directly
+  config.home.packages = [ pkgs.xdotool ];
+}

home/alex/programs/rofi/themes/gruvbox-dark-soft.rasi

@@ -0,0 +1,191 @@
+/* ==========================================================================
+   Rofi color theme
+
+   Based on the Gruvbox color scheme for Vim by morhetz
+   https://github.com/morhetz/gruvbox
+
+   File: gruvbox-dark-soft.rasi
+   Desc: Gruvbox dark (soft contrast) color theme for Rofi
+   Author: bardisty <b@bah.im>
+   Source: https://github.com/bardisty/gruvbox-rofi
+   Modified: Mon Feb 12 2018 06:04:37 PST -0800
+   ========================================================================== */
+
+* {
+    /* Theme settings */
+    highlight: bold italic;
+    scrollbar: true;
+
+    /* Gruvbox dark colors */
+    gruvbox-dark-bg0-soft:     #32302f;
+    gruvbox-dark-bg1:          #3c3836;
+    gruvbox-dark-bg3:          #665c54;
+    gruvbox-dark-fg0:          #fbf1c7;
+    gruvbox-dark-fg1:          #ebdbb2;
+    gruvbox-dark-red-dark:     #cc241d;
+    gruvbox-dark-red-light:    #fb4934;
+    gruvbox-dark-yellow-dark:  #d79921;
+    gruvbox-dark-yellow-light: #fabd2f;
+    gruvbox-dark-gray:         #a89984;
+
+    /* Theme colors */
+    background:                  @gruvbox-dark-bg0-soft;
+    background-color:            @background;
+    foreground:                  @gruvbox-dark-fg1;
+    border-color:                @gruvbox-dark-gray;
+    separatorcolor:              @border-color;
+    scrollbar-handle:            @border-color;
+
+    normal-background:           @background;
+    normal-foreground:           @foreground;
+    alternate-normal-background: @gruvbox-dark-bg1;
+    alternate-normal-foreground: @foreground;
+    selected-normal-background:  @gruvbox-dark-bg3;
+    selected-normal-foreground:  @gruvbox-dark-fg0;
+
+    active-background:           @gruvbox-dark-yellow-dark;
+    active-foreground:           @background;
+    alternate-active-background: @active-background;
+    alternate-active-foreground: @active-foreground;
+    selected-active-background:  @gruvbox-dark-yellow-light;
+    selected-active-foreground:  @active-foreground;
+
+    urgent-background:           @gruvbox-dark-red-dark;
+    urgent-foreground:           @background;
+    alternate-urgent-background: @urgent-background;
+    alternate-urgent-foreground: @urgent-foreground;
+    selected-urgent-background:  @gruvbox-dark-red-light;
+    selected-urgent-foreground:  @urgent-foreground;
+}
+
+/* ==========================================================================
+   File: gruvbox-common.rasi
+   Desc: Shared rules between all gruvbox themes
+   Author: bardisty <b@bah.im>
+   Source: https://github.com/bardisty/gruvbox-rofi
+   Modified: Mon Feb 12 2018 06:06:47 PST -0800
+   ========================================================================== */
+
+window {
+    background-color: @background;
+    border:           2;
+    padding:          2;
+}
+
+mainbox {
+    border:  0;
+    padding: 0;
+}
+
+message {
+    border:       2px 0 0;
+    border-color: @separatorcolor;
+    padding:      1px;
+}
+
+textbox {
+    highlight:  @highlight;
+    text-color: @foreground;
+}
+
+listview {
+    border:       2px solid 0 0;
+    padding:      2px 0 0;
+    border-color: @separatorcolor;
+    spacing:      2px;
+    scrollbar:    @scrollbar;
+}
+
+element {
+    border:  0;
+    padding: 2px;
+}
+
+element.normal.normal {
+    background-color: @normal-background;
+    text-color:       @normal-foreground;
+}
+
+element.normal.urgent {
+    background-color: @urgent-background;
+    text-color:       @urgent-foreground;
+}
+
+element.normal.active {
+    background-color: @active-background;
+    text-color:       @active-foreground;
+}
+
+element.selected.normal {
+    background-color: @selected-normal-background;
+    text-color:       @selected-normal-foreground;
+}
+
+element.selected.urgent {
+    background-color: @selected-urgent-background;
+    text-color:       @selected-urgent-foreground;
+}
+
+element.selected.active {
+    background-color: @selected-active-background;
+    text-color:       @selected-active-foreground;
+}
+
+element.alternate.normal {
+    background-color: @alternate-normal-background;
+    text-color:       @alternate-normal-foreground;
+}
+
+element.alternate.urgent {
+    background-color: @alternate-urgent-background;
+    text-color:       @alternate-urgent-foreground;
+}
+
+element.alternate.active {
+    background-color: @alternate-active-background;
+    text-color:       @alternate-active-foreground;
+}
+
+scrollbar {
+    width:        4px;
+    border:       0;
+    handle-color: @scrollbar-handle;
+    handle-width: 8px;
+    padding:      0;
+}
+
+mode-switcher {
+    border:       2px 0 0;
+    border-color: @separatorcolor;
+}
+
+inputbar {
+    spacing:    0;
+    text-color: @normal-foreground;
+    padding:    2px;
+    children:   [ prompt, textbox-prompt-sep, entry, case-indicator ];
+}
+
+case-indicator,
+entry,
+prompt,
+button {
+    spacing:    0;
+    text-color: @normal-foreground;
+}
+
+button.selected {
+    background-color: @selected-normal-background;
+    text-color:       @selected-normal-foreground;
+}
+
+textbox-prompt-sep {
+    expand:     false;
+    str:        ":";
+    text-color: @normal-foreground;
+    margin:     0 0.3em 0 0;
+}
+element-text, element-icon {
+    background-color: inherit;
+    text-color:       inherit;
+}

home/alex/programs/shell/default.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  home.shellAliases = {
+    suspend = "systemctl hibernate";
+    nrs = "sudo nixos-rebuild switch --flake ~/src/nixos-config";
+    nrb = "sudo nixos-rebuild build --flake ~/src/nixos-config";
+  };
+
+  programs.zsh = {
+    enable = true;
+    enableCompletion = true;
+    autosuggestion.enable = true;
+    syntaxHighlighting.enable = true;
+
+    initContent = ''
+      [ $TERM = "dumb" ] && unsetopt zle && PS1='$ '
+    '';
+
+    oh-my-zsh = {
+      enable = true;
+      plugins = [
+        "git"
+        "fzf"
+        "z"
+      ];
+      theme = "simple";
+    };
+  };
+}

home/alex/programs/simplex-chat/default.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.home.packages = [ pkgs.simplex-chat-desktop ];
+}

home/alex/programs/xmonad/config.hs

@@ -0,0 +1,157 @@
+import XMonad
+import XMonad.Actions.CycleWS qualified as WS
+import XMonad.Actions.Navigation2D (navigation2DP, windowGo, windowSwap)
+import XMonad.Hooks.EwmhDesktops
+import XMonad.Hooks.ManageDocks qualified as Docks
+import XMonad.Hooks.ManageHelpers (doCenterFloat, doFullFloat, isDialog, isFullscreen)
+import XMonad.Hooks.SetWMName
+import XMonad.Layout.BinarySpacePartition
+import XMonad.Layout.BorderResize (borderResize)
+import XMonad.Layout.NoBorders (smartBorders)
+import XMonad.Layout.ThreeColumns
+import XMonad.Layout.ToggleLayouts (ToggleLayout (..), toggleLayouts)
+import XMonad.ManageHook (doFloat)
+import XMonad.StackSet as W
+import XMonad.Util.EZConfig qualified as EZ
+import XMonad.Util.NamedScratchpad
+import XMonad.Util.Ungrab (unGrab)
+import XMonad.Util.WorkspaceCompare qualified as WS
+
+import Control.Monad (when)
+import Numeric.Natural
+import System.Environment (getArgs)
+import System.FilePath ((</>))
+import System.Info (arch, os)
+import System.Posix.Process (executeFile)
+import Text.Printf (printf)
+
+compiledConfig = printf "xmonad-%s-%s" arch os
+
+compileRestart resume = do
+    dirs <- asks directories
+    whenX (recompile dirs True) $ do
+        when resume writeStateToFile
+        catchIO
+            ( do
+                args <- getArgs
+                executeFile (cacheDir dirs </> compiledConfig) False args Nothing
+            )
+
+myLayout = smartBorders . borderResize . Docks.avoidStruts $ toggleLayouts Full emptyBSP
+
+main :: IO ()
+main = getDirectories >>= launch myConfig
+
+-- change size of window using direction so that it can be used together with the navigation2D function
+-- see: similar to windowGo and windowSwap
+windowMoveSplit :: Direction2D -> Bool -> X ()
+windowMoveSplit direction _ = sendMessage $ MoveSplit direction
+
+data VolumeCommand
+    = ToggleVolume
+    | LowerVolume Natural
+    | RaiseVolume Natural
+
+interpretVolumeCommand :: VolumeCommand -> String
+interpretVolumeCommand command = "amixer -q set Master " <> cmd
+  where
+    cmd = case command of
+        ToggleVolume -> "toggle"
+        LowerVolume delta -> show delta <> "%-"
+        RaiseVolume delta -> show delta <> "%+"
+
+changeVolume :: VolumeCommand -> X ()
+changeVolume = spawn . interpretVolumeCommand
+
+myWorkspaceFilter :: X WS.WorkspaceSort
+myWorkspaceFilter = do
+    sortXineramaAware <- WS.getSortByXineramaRule
+    pure $ sortXineramaAware . WS.filterOutWs [scratchpadWorkspaceTag]
+
+scratchpads =
+    [ NS
+        "notes"
+        "emacsclient -c -F '((name . \"gtd\"))'"
+        (resource =? "gtd")
+        doCenterFloat
+    , -- (customFloating $ W.RationalRect (1/6) (1/6) (2/3) (2/3))
+      NS
+        "shell"
+        "alacritty --class scratchpad"
+        (resource =? "scratchpad")
+        (customFloating $ W.RationalRect (1 / 6) (1 / 6) (2 / 3) (2 / 3))
+    ]
+
+myConfig =
+    addEwmhWorkspaceSort myWorkspaceFilter
+        . ewmhFullscreen
+        . ewmh
+        . Docks.docks
+        . nav
+        $ def
+            { modMask = mod4Mask -- Use Super instead of Alt
+            , terminal = "alacritty"
+            , layoutHook = myLayout
+            , handleEventHook = handleEventHook def <+> fullscreenEventHook
+            , -- this seems to be necessary to make java gui applications work :(
+              startupHook = ewmhDesktopsStartup >> setWMName "LG3D"
+            , manageHook =
+                mconcat
+                    [ namedScratchpadManageHook scratchpads
+                    , isDialog --> doFloat
+                    , isFullscreen --> doFullFloat
+                    , className =? "steam_proton" --> doFloat
+                    , manageHook def
+                    ]
+            }
+            `EZ.additionalKeysP` [ ("M-S-z", spawn "xscreensaver-command -lock")
+                                 , ("M-S-r", compileRestart True)
+                                 , ("M-S-q", restart "xmonad" True)
+                                 , ("M-C-s", unGrab *> spawn "scrot -s")
+                                 , ("M-S-s", sendMessage Docks.ToggleStruts)
+                                 , ("M-f", sendMessage (Toggle "Full"))
+                                 , ("M-p", spawn appLauncher)
+                                 , ("M-i", spawn passLauncher)
+                                 , ("M-w", kill)
+                                 , ("M-l", WS.toggleWS)
+                                 , ("M-g", WS.prevWS)
+                                 , ("M-C-g", WS.swapPrevScreen)
+                                 , ("M-S-g", WS.shiftPrevScreen)
+                                 , ("M-r", WS.nextWS)
+                                 , ("M-C-r", WS.swapNextScreen)
+                                 , ("M-S-r", WS.shiftNextScreen)
+                                 , -- scratchpads
+                                   ("M-s M-t", namedScratchpadAction scratchpads "shell")
+                                 , ("M-s M-s", namedScratchpadAction scratchpads "notes")
+                                 , -- backlight control
+                                   ("<XF86MonBrightnessDown>", spawn "xbacklight -dec 5")
+                                 , ("<XF86MonBrightnessUp>", spawn "xbacklight -inc 5")
+                                 , ("<F5>", spawn "xbacklight -dec 5")
+                                 , ("<F6>", spawn "xbacklight -inc 5")
+                                 , -- transparency
+                                   ("S-<XF86MonBrightnessDown>", spawn "picom-trans -c -5")
+                                 , ("S-<XF86MonBrightnessUp>", spawn "picom-trans -c +5")
+                                 , ("M-S-d", spawn "picom-trans -c +5")
+                                 , ("M-S-b", spawn "picom-trans -c -5")
+                                 , -- volume control
+                                   ("<XF86AudioMute>", changeVolume ToggleVolume)
+                                 , ("<XF86AudioLowerVolume>", changeVolume $ LowerVolume 5)
+                                 , ("<XF86AudioRaiseVolume>", changeVolume $ RaiseVolume 5)
+                                 , ("M-d", changeVolume $ RaiseVolume 5)
+                                 , ("M-b", changeVolume $ LowerVolume 5)
+                                 , ("M-a", sendMessage Balance)
+                                 , ("M-S-a", sendMessage Equalize)
+                                 , ("M-o", sendMessage Rotate)
+                                 , ("M-y", withFocused $ windows . W.sink)
+                                 ]
+  where
+    -- navigate using dvorak bindings
+    nav = navigation2DP def ("c", "h", "t", "n") [("M-", windowGo), ("M-C-", windowSwap), ("M-S-", windowMoveSplit)] True
+    appLauncher = "rofi -show combi -modes combi -combi-modes window,drun,run,ssh"
+    passLauncher = "rofi-pass"
+
+-- myManageHook :: ManageHook
+-- myManageHook = composeAll
+--     [ className =? "Gimp" --> doFloat
+--     , isDialog            --> doFloat
+--     ]

home/alex/programs/xmonad/default.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  config.xsession.windowManager.xmonad = {
+    enable = true;
+    enableContribAndExtras = true;
+    config = ./config.hs;
+  };
+
+  # control backlight
+  config.home.packages = [
+    pkgs.xorg.xbacklight
+    pkgs.scrot
+  ];
+}

home/alex/programs/zathura/default.nix

@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.programs.zathura = {
+    enable = true;
+    extraConfig = builtins.readFile ./gruvbox-dark.zathurarc;
+  };
+}

home/alex/programs/zathura/gruvbox-dark.zathurarc

@@ -0,0 +1,40 @@
+set notification-error-bg       "#282828" # bg
+set notification-error-fg       "#fb4934" # bright:red
+set notification-warning-bg     "#282828" # bg
+set notification-warning-fg     "#fabd2f" # bright:yellow
+set notification-bg             "#282828" # bg
+set notification-fg             "#b8bb26" # bright:green
+
+set completion-bg               "#504945" # bg2
+set completion-fg               "#ebdbb2" # fg
+set completion-group-bg         "#3c3836" # bg1
+set completion-group-fg         "#928374" # gray
+set completion-highlight-bg     "#83a598" # bright:blue
+set completion-highlight-fg     "#504945" # bg2
+
+# Define the color in index mode
+set index-bg                    "#504945" # bg2
+set index-fg                    "#ebdbb2" # fg
+set index-active-bg             "#83a598" # bright:blue
+set index-active-fg             "#504945" # bg2
+
+set inputbar-bg                 "#282828" # bg
+set inputbar-fg                 "#ebdbb2" # fg
+
+set statusbar-bg                "#504945" # bg2
+set statusbar-fg                "#ebdbb2" # fg
+
+set highlight-color             "#fabd2f" # bright:yellow
+set highlight-active-color      "#fe8019" # bright:orange
+
+set default-bg                  "#282828" # bg
+set default-fg                  "#ebdbb2" # fg
+set render-loading              true
+set render-loading-bg           "#282828" # bg
+set render-loading-fg           "#ebdbb2" # fg
+
+# Recolor book content's color
+set recolor-lightcolor          "#282828" # bg
+set recolor-darkcolor           "#ebdbb2" # fg
+set recolor                     "true"
+# set recolor-keephue             true      # keep original color

home/alex/services/blueman-applet/default.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.blueman-applet = { enable = true; };
+}

home/alex/services/dunst/default.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  config.services.dunst = {
+    enable = true;
+    iconTheme = {
+      name = "Adwaita";
+      package = pkgs.adwaita-icon-theme;
+      size = "16x16";
+    };
+    settings = {
+      global = {
+        monitor = 0;
+        geometry = "600x50-50+65";
+        shrink = "yes";
+        transparency = 10;
+        padding = 16;
+        horizontal_padding = 16;
+        font = "JetBrainsMono Nerd Font 10";
+        line_height = 4;
+        format = "<b>%s</b>\\n%b";
+      };
+    };
+  };
+}

home/alex/services/git-sync/default.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+let cfg = config.my.git-sync;
+in {
+  options.my.git-sync = { enable = lib.mkEnableOption "git-sync"; };
+
+  config.services.git-sync = lib.mkIf cfg.enable {
+    enable = true;
+    repositories = {
+      "org" = {
+        path = "${config.home.homeDirectory}/org";
+        uri = "git+ssh://git@git.failco.de:jakalx/org.git";
+      };
+    };
+  };
+}

home/alex/services/network-manager/default.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.network-manager-applet = { enable = true; };
+}

home/alex/services/picom/default.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.picom = {
+    enable = true;
+    activeOpacity = 1.0;
+    inactiveOpacity = 0.8;
+    backend = "glx";
+    fade = true;
+    fadeDelta = 5;
+    opacityRules = [ "100:name *= 'i3lock'" ];
+    shadow = true;
+    shadowOpacity = 0.75;
+  };
+}

home/alex/services/polybar/config.ini

@@ -0,0 +1,235 @@
+;==========================================================
+;
+;
+;   ██████╗  ██████╗ ██╗  ██╗   ██╗██████╗  █████╗ ██████╗
+;   ██╔══██╗██╔═══██╗██║  ╚██╗ ██╔╝██╔══██╗██╔══██╗██╔══██╗
+;   ██████╔╝██║   ██║██║   ╚████╔╝ ██████╔╝███████║██████╔╝
+;   ██╔═══╝ ██║   ██║██║    ╚██╔╝  ██╔══██╗██╔══██║██╔══██╗
+;   ██║     ╚██████╔╝███████╗██║   ██████╔╝██║  ██║██║  ██║
+;   ╚═╝      ╚═════╝ ╚══════╝╚═╝   ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝
+;
+;
+;   To learn more about how to configure Polybar
+;   go to https://github.com/polybar/polybar
+;
+;   The README contains a lot of information
+;
+;==========================================================
+
+[colors]
+background = #282A2E
+background-alt = #373B41
+foreground = #C5C8C6
+primary = #F0C674
+secondary = #8ABEB7
+alert = #A54242
+disabled = #707880
+
+[bar/main]
+width = 100%
+height = 24pt
+radius = 6
+
+; dpi = 96
+
+background = ${colors.background}
+foreground = ${colors.foreground}
+
+line-size = 3pt
+
+border-size = 4pt
+border-color = #00000000
+
+padding-left = 0
+padding-right = 1
+
+module-margin = 1
+
+separator = |
+separator-foreground = ${colors.disabled}
+
+font-0 = monospace;2
+
+modules-left = xworkspaces xwindow
+modules-center = systray
+modules-right = filesystem pulseaudio xkeyboard memory cpu battery wlan eth backlight date
+
+cursor-click = pointer
+cursor-scroll = ns-resize
+
+enable-ipc = true
+
+tray-position = center
+
+; wm-restack = generic
+; wm-restack = bspwm
+; wm-restack = i3
+
+; override-redirect = true
+
+[module/systray]
+type = internal/tray
+
+format-margin = 8pt
+tray-spacing = 16pt
+
+[module/battery]
+type = internal/battery
+
+; This is useful in case the battery never reports 100% charge
+; Default: 100
+full-at = 99
+
+; format-low once this charge percentage is reached
+; Default: 10
+; New in version 3.6.0
+low-at = 10
+
+; Use the following command to list batteries and adapters:
+; $ ls -1 /sys/class/power_supply/
+battery = BAT0
+adapter = ADP0
+
+; If an inotify event haven't been reported in this many
+; seconds, manually poll for new values.
+;
+; Needed as a fallback for systems that don't report events
+; on sysfs/procfs.
+;
+; Disable polling by setting the interval to 0.
+;
+; Default: 5
+poll-interval = 5
+
+[module/backlight]
+type = internal/xbacklight
+
+; XRandR output to get get values from
+; Default: the monitor defined for the running bar
+;output = DP-4
+
+; Create scroll handlers used to set the backlight value
+; Default: true
+enable-scroll = true
+
+; Available tags:
+;   <label> (default)
+;   <ramp>
+;   <bar>
+format = <ramp>
+
+; Available tokens:
+;   %percentage% (default)
+label = %percentage%%
+
+; Only applies if <ramp> is used
+ramp-0 = 🌕
+ramp-1 = 🌔
+ramp-2 = 🌓
+ramp-3 = 🌒
+ramp-4 = 🌑
+
+[module/xworkspaces]
+type = internal/xworkspaces
+
+label-active = %name%
+label-active-background = ${colors.background-alt}
+label-active-underline= ${colors.primary}
+label-active-padding = 1
+
+label-occupied = %name%
+label-occupied-padding = 1
+
+label-urgent = %name%
+label-urgent-background = ${colors.alert}
+label-urgent-padding = 1
+
+label-empty = %name%
+label-empty-foreground = ${colors.disabled}
+label-empty-padding = 1
+
+[module/xwindow]
+type = internal/xwindow
+label = %title:0:60:...%
+
+[module/filesystem]
+type = internal/fs
+interval = 25
+
+mount-0 = /
+
+label-mounted = %{F#F0C674}%mountpoint%%{F-} %percentage_used%%
+
+label-unmounted = %mountpoint% not mounted
+label-unmounted-foreground = ${colors.disabled}
+
+[module/pulseaudio]
+type = internal/pulseaudio
+
+format-volume-prefix = "VOL "
+format-volume-prefix-foreground = ${colors.primary}
+format-volume = <label-volume>
+
+label-volume = %percentage%%
+
+label-muted = muted
+label-muted-foreground = ${colors.disabled}
+
+[module/xkeyboard]
+type = internal/xkeyboard
+blacklist-0 = num lock
+
+label-layout = %layout%
+label-layout-foreground = ${colors.primary}
+
+label-indicator-padding = 2
+label-indicator-margin = 1
+label-indicator-foreground = ${colors.background}
+label-indicator-background = ${colors.secondary}
+
+[module/memory]
+type = internal/memory
+interval = 2
+format-prefix = "RAM "
+format-prefix-foreground = ${colors.primary}
+label = %percentage_used:2%%
+
+[module/cpu]
+type = internal/cpu
+interval = 2
+format-prefix = "CPU "
+format-prefix-foreground = ${colors.primary}
+label = %percentage:2%%
+
+[network-base]
+type = internal/network
+interval = 5
+format-connected = <label-connected>
+format-disconnected = <label-disconnected>
+label-disconnected = %{F#F0C674}%ifname%%{F#707880} disconnected
+
+[module/wlan]
+inherit = network-base
+interface-type = wireless
+label-connected = %{F#F0C674}%ifname%%{F-} %essid% %local_ip%
+
+[module/eth]
+inherit = network-base
+interface-type = wired
+label-connected = %{F#F0C674}%ifname%%{F-} %local_ip%
+
+[module/date]
+type = internal/date
+interval = 1
+
+date = %H:%M
+date-alt = %Y-%m-%d %H:%M:%S
+
+label = %date%
+label-foreground = ${colors.primary}
+
+[settings]
+screenchange-reload = true
+pseudo-transparency = true
+
+; vim:ft=dosini

home/alex/services/polybar/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+let
+  mypolybar = pkgs.polybar.override {
+    alsaSupport = true;
+    mpdSupport = true;
+    pulseSupport = true;
+  };
+in {
+  config.home.packages = with pkgs; [ font-awesome material-design-icons ];
+
+  config.services.polybar = {
+    enable = true;
+    package = mypolybar;
+    config = ./config.ini;
+    script = ''
+      polybar & disown
+    '';
+  };
+}

home/alex/services/screen-locker/default.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  config.services.screen-locker = {
+    enable = false;
+    inactiveInterval = 30;
+    lockCmd = "${pkgs.i3lock}/bin/i3lock -n -c 000000";
+    xautolock.extraOptions = [ "-detectsleep" ];
+  };
+}

home/alex/services/syncthing/default.nix

@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.syncthing = {
+    enable = true;
+    tray = {
+      enable = true;
+      command = "syncthingtray --wait";
+    };
+  };
+}

home/alex/services/udiskie/default.nix

@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services.udiskie = {
+    enable = true;
+    tray = "always";
+  };
+}

home/anne/default.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+let username = "anne";
+in {
+  users.users.${username} = {
+    isNormalUser = true;
+    extraGroups = [ "input" ];
+    description = "Anne Kobjolke";
+    home = "/home/${username}";
+    hashedPassword =
+      "$6$Lq3kAyI7Oh3uvf9T$lxE1V9adw1lqjRT0tvCdj17zUz.nJkqkMSA8Y6ipuBIHoZqJKJcQPLby/BWdDvzcmCbyEOtA7grToclNnbV49/";
+  };
+
+  home-manager.users.${username} = import ./home.nix;
+}

home/anne/home.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  home = {
+    language.base = "de_DE.UTF-8";
+    stateVersion = "23.05";
+    packages = with pkgs; [
+      firefox
+      alacritty
+      gnome-session
+      gnome-control-center
+    ];
+    keyboard.layout = "de";
+    keyboard.variant = "nodeadkeys";
+  };
+
+  xsession = {
+    enable = true;
+    windowManager.command = "${pkgs.gnome-session}/bin/gnome-session";
+  };
+}

home/cli.nix

@@ -1,160 +0,0 @@
-{ config, pkgs, ... }:
-
-# minimal config, suitable for servers
-let
-  myUser = "alex";
-  myName = "Alexander Kobjolke";
-  myMail = "me@failco.de";
-in {
-  imports = [
-    # shell config
-    #./modules/shell
-  ];
-
-  programs.home-manager.enable = true;
-  home = {
-    username = myUser;
-    homeDirectory = "/home/${myUser}";
-    stateVersion = "21.05";
-    sessionPath = [ "$HOME/.local/bin" "$HOME/.emacs.d/bin" ];
-  };
-
-  home.packages = with pkgs; [
-    # archives
-    #p7zip
-    #unrar
-    # nix tools
-    nix-index
-    nixfmt
-    # misc
-    fd # better find
-    file # info about files
-    unzip
-    dropbox
-    gotop
-    gnumake
-    ripgrep # better grep
-    pijul
-    sqlite.dev
-    sqlite
-    #    pass
-    pandoc
-    hledger
-    hledger-web
-    hledger-iadd
-    hledger-ui
-    #smos
-    #haskellPackages.patat # terminal based presentations using pandoc
-
-    nix-prefetch-git
-  ];
-  home.extraOutputsToInstall = [ "doc" "info" "devdoc" ];
-
-  xdg.enable = true;
-  # xdg.configFile = {
-  #   "emacs".source = ./emacs.d;
-  # };
-
-  xdg.configFile.tmux = {
-    target = "tmux/tmux.conf";
-    text = ''
-      set -g default-terminal "tmux-256color"
-      set -g prefix C-z
-      # do not wait for a manually entered escape sequence, just forward it immediately
-      set -g escape-time 0
-      bind-key C-z send-prefix
-      set -g renumber-windows on
-    '';
-  };
-
-  xdg.configFile.pijul = {
-    target = "pijul/config.toml";
-    text = ''
-      [author]
-      name = "${myUser}"
-      full_name = "${myName}"
-      email = "${myMail}"
-    '';
-  };
-
-  programs = {
-    zsh = {
-      enable = true;
-      enableAutosuggestions = true;
-      #      enableSyntaxHighlighting = true;
-      shellAliases = { e = "emacsclient -c $@"; };
-      oh-my-zsh = {
-        enable = true;
-        plugins = [ "git" ];
-        theme = "simple";
-      };
-    };
-
-    # better cat
-    bat.enable = true;
-
-    direnv = {
-      enable = true;
-      nix-direnv = { enable = true; };
-      enableZshIntegration = true;
-      enableBashIntegration = true;
-    };
-
-    emacs = {
-      enable = true;
-      package = pkgs.emacsGit;
-      extraPackages = epkgs: with epkgs; [ vterm ];
-      #package = pkgs.emacsUnstable;
-    };
-
-    gh = {
-      enable = true;
-      settings.git_protocol = "ssh";
-    };
-
-    git = {
-      enable = true;
-      ignores = [ "*~" "*.swp" "result" "dist-newstyle" ];
-      userEmail = myMail;
-      userName = myName;
-      aliases = { st = "status"; };
-      extraConfig = { init.defaultBranch = "main"; };
-    };
-
-    gpg = {
-      enable = true;
-      settings = { homedir = "~/.local/share/gnupg"; };
-    };
-
-    helix = {
-      enable = true;
-      settings.theme = "gruvbox";
-    };
-
-    password-store = {
-      enable = true;
-      package = pkgs.pass.withExtensions (exts: [ exts.pass-otp ]);
-      settings = { PASSWORD_STORE_DIR = "$HOME/.local/share/password-store"; };
-    };
-
-    ssh.enable = true;
-
-    neovim = import ./modules/nvim.nix pkgs;
-
-    texlive.enable = true;
-  };
-
-  services.gpg-agent = {
-    enable = true;
-    enableSshSupport = true;
-    defaultCacheTtl = 300;
-    defaultCacheTtlSsh = 300;
-  };
-
-  services.emacs = { enable = true; };
-
-  home.file.".local" = {
-    recursive = true;
-    source = ./local;
-  };
-}

home/emacs.d

@@ -1 +0,0 @@
-Subproject commit bf8495b4122701fb30cb6cea37281dc8f3bedcd0

hosts/dregil/configuration.nix

@@ -2,7 +2,13 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ inputs, config, pkgs, lib, ... }:
+{
+  inputs,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   nvidia-offload = pkgs.writeShellScriptBin "nvidia-offload" ''
     export __NV_PRIME_RENDER_OFFLOAD=1
@@ -13,16 +19,20 @@ let
   '';
 in
 {
-  imports =
-    [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      # <nixos-hardware/lenovo/legion/15ich>
-    ];
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    # <nixos-hardware/lenovo/legion/15ich>
+    ../../modules/appimage.nix
+    ../../modules/sudo.nix
+    ../../modules/wm/x.nix
+    ../../modules/wm/xmonad/default.nix
+  ];
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.timeout = 5;
 
   # do not protect the kernel image to allow hibernation
   security.protectKernelImage = lib.mkForce false;
@@ -30,94 +40,68 @@ in
   networking.hostName = "dregil"; # Define your hostname.
   # Pick only one of the below networking options.
   # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
 
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+  networking.extraHosts = ''
+    127.0.0.1 localhost dregil.localdomain dregil
+  '';
+
+  i18n = {
+    extraLocaleSettings = {
+      TIME_STYLE = "iso";
+    };
+    extraLocales = "all";
+  };
 
   console = {
     font = "Lat2-Terminus16";
-    useXkbConfig = true; # use xkbOptions in tty.
-  };
-
-  # Enable the X11 windowing system.
-  services.xserver = {
-    enable = true;
-    exportConfiguration = true;
-
-    # Configure keymap in X11
-    layout = "dvorak";
-
-    xkbOptions = "terminate:ctrl_alt_bksp,caps:escape,compose:ralt";
-
-    videoDrivers = [ "nvidia" ]; # "modesetting" ];
-
-    displayManager.lightdm = {
-      enable = true;
-    };
-
-    desktopManager.xfce.enable = true;
-    
-    # Enable touchpad support (enabled default in most desktopManager).
-    libinput = {
-      enable = true;
-      touchpad.disableWhileTyping = true;
-      touchpad.naturalScrolling = true;
-      mouse.naturalScrolling = config.services.xserver.libinput.touchpad.naturalScrolling;
-    };
+    keyMap = "dvorak";
   };
 
   fonts = {
-    enableDefaultFonts = true;
-    fonts = with pkgs; [
+    enableDefaultPackages = true;
+    packages =
+      with pkgs;
+      [
         corefonts
         noto-fonts
         noto-fonts-emoji
         fira-code
         fira-code-symbols
-        nerdfonts
-    ];
+      ]
+      ++ builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
   };
 
   # Enable CUPS to print documents.
   # services.printing.enable = true;
 
-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.alex = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" # Enable ‘sudo’ for the user.
-                    "input"
-                  ];
- };
+  # rtkit is optional but recommended
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    # If you want to use JACK applications, uncomment this
+    #jack.enable = true;
+  };
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
-     wget
-     ripgrep
-     git
-     nvidia-offload
-     pinentry
+    wget
+    ripgrep
+    git
+    nvidia-offload
+    pinentry
   ];
 
   # adjust channels to nixpkgs used on this system via this flake
-  environment.etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-unstable.outPath;
-  nix.nixPath = [
-    "nixpkgs=${inputs.nixpkgs-unstable}"
-  ];
+  environment.etc."nix/inputs/nixpkgs".source = inputs.nixpkgs.outPath;
+  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
 
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  programs.gnupg.agent = {
-     enable = true;
-     enableSSHSupport = true;
-  };
+  nix.settings.max-jobs = 3;
+  nix.settings.cores = 4;
 
   programs.neovim = {
     enable = true;
@@ -127,24 +111,30 @@ in
     enable = true;
   };
 
+  programs.zsh = {
+    enable = true;
+  };
+
   # List services that you want to enable:
 
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
 
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
+  services.blueman.enable = true;
+
+  # Open ports in the firewall
+  # 22000, 21027 syncthing discovery and connectivity
+  networking.firewall.allowedTCPPorts = [
+    5223
+    22000
+  ];
+  networking.firewall.allowedUDPPorts = [
+    21027
+    22000
+  ];
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
 
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  # system.copySystemConfiguration = true;
-
-  system.nixos.tags = [ "HiDPI" "nvidia-only" ];
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
@@ -152,6 +142,4 @@ in
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "22.11"; # Did you read the comment?
-
 }
-

hosts/dregil/default.nix

@@ -1,22 +1,32 @@
-{ inputs, ... }:
-let
-  inherit (inputs.nixpkgs-unstable.lib) nixosSystem;
-
-  system = "x86_64-linux";
-
-  pkgs = import inputs.nixpkgs-unstable {
-    inherit system;
-    config = {
-        allowUnfree = true;
-    };      
-  };
-in
-nixosSystem {
-  inherit system pkgs;
-  specialArgs = { inherit inputs; };
-  modules = [
+{
+  inputs,
+  stable,
+  system,
+  ...
+}:
+{
+  imports = [
+    (
+      { inputs, lib, ... }:
+      {
+        nixpkgs = {
+          config.allowUnfree = true;
+        };
+        home-manager.extraSpecialArgs = { inherit stable; };
+      }
+    )
     ../../modules/security.nix
     ../../modules/common-system.nix
     ./configuration.nix
+    inputs.home-manager.nixosModules.home-manager
+    inputs.distro-grub-themes.nixosModules.${system}.default
+    ../../home/anne/default.nix
+    ../../home/alex/default.nix
+    ../../modules/grub-themes
+    ../../modules/hyprland
+    ../../modules/podman
+    ../../modules/tailscale
+    ../../modules/flatpak.nix
+    ../../modules/nh.nix
   ];
 }

hosts/dregil/hardware-configuration.nix

@@ -1,15 +1,34 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "thunderbolt"
+    "nvme"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [
+    "dm-snapshot"
+    "uas"
+    "usbcore"
+    "usb_storage"
+    "vfat"
+    "nls_cp437"
+    "nls_iso8859_1"
+  ];
   boot.initrd.luks.devices = {
     root = {
       device = "/dev/disk/by-uuid/bebf96d1-2a2b-412c-a5f0-f9ed5730a05f";
@@ -20,37 +39,46 @@
       keyFileSize = 4096;
     };
   };
-  boot.kernelModules = [ "kvm-intel" "nvidia" ];
-  boot.extraModulePackages = [ pkgs.linuxPackages.nvidia_x11 ];
+  boot.kernelModules = [
+    "kvm-intel"
+    "nvidia"
+  ];
   boot.kernelParams = [ "module_blacklist=i915" ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
-      fsType = "btrfs";
-      options = [ "subvol=root" "compress=zstd" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
-      fsType = "btrfs";
-      options = [ "subvol=home" "compress=zstd" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
-      fsType = "btrfs";
-      options = [ "subvol=nix" "compress=zstd" "noatime" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/786D-42D7";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/b8c224ad-095e-4a48-b5b2-a19451fdeb95";
-      }
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
+    fsType = "btrfs";
+    options = [
+      "subvol=root"
+      "compress=zstd"
     ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
+    fsType = "btrfs";
+    options = [
+      "subvol=home"
+      "compress=zstd"
+    ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/a88ac058-e704-419e-ba7d-1d0ff4b6f654";
+    fsType = "btrfs";
+    options = [
+      "subvol=nix"
+      "compress=zstd"
+      "noatime"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/786D-42D7";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/b8c224ad-095e-4a48-b5b2-a19451fdeb95"; } ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -64,29 +92,28 @@
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 
-  hardware.video.hidpi.enable = true;
-
   hardware.nvidia = {
-     nvidiaSettings = true;
-     nvidiaPersistenced = true;
+    nvidiaSettings = true;
+    nvidiaPersistenced = true;
+    open = true;
 
-#    modesetting.enable = true;
-     package = config.boot.kernelPackages.nvidiaPackages.beta;
-#    prime = {
-#      offload.enable = true;
-#
-#      intelBusId = "PCI:1:0:0";
-#      nvidiaBusId = "PCI:1:0:0";
-#      intelBusId = "0@0:2:0";
-#      nvidiaBusId = "1@1:0:0";
-#    };
+    #    modesetting.enable = true;
+    package = config.boot.kernelPackages.nvidiaPackages.beta;
+    #    prime = {
+    #      offload.enable = true;
+    #
+    #      intelBusId = "PCI:1:0:0";
+    #      nvidiaBusId = "PCI:1:0:0";
+    #      intelBusId = "0@0:2:0";
+    #      nvidiaBusId = "1@1:0:0";
+    #    };
   };
 
-  hardware.opengl = {
+  hardware.graphics = {
     enable = true;
-    driSupport = true;
-    driSupport32Bit = true;
+    enable32Bit = true;
   };
 
   hardware.keyboard.uhk.enable = true;
+  hardware.bluetooth.enable = true;
 }

hosts/igor/default.nix

@@ -0,0 +1,147 @@
+{
+  inputs,
+  pkgs,
+  config,
+  ...
+}:
+
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+    ./hardware-configuration.nix
+    ./disko-config.nix
+    ./syncthing.nix
+    ../../modules/security.nix
+    ../../modules/nix-config.nix
+    ../../modules/timezone.nix
+    ../../modules/keybase.nix
+    ../../modules/ssh.nix
+    ../../modules/tailscale
+    ../../modules/vsftpd
+    ../../modules/mosh.nix
+  ];
+
+  config.boot.loader.grub.enable = true;
+  config.boot.loader.grub.efiSupport = true;
+  config.boot.loader.grub.efiInstallAsRemovable = true;
+  #config.boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  config.boot.loader.grub.device = "/dev/disk/by-id/ata-HGST_HTS725050A7E630_TF655AY92SM3XL"; # or "nodev" for efi only
+
+  config.security.sudo.wheelNeedsPassword = false;
+
+  config.networking = {
+    hostName = "igor";
+    domain = "failco.de";
+
+    wireless = {
+      enable = true;
+      userControlled.enable = true;
+      allowAuxiliaryImperativeNetworks = true;
+      secretsFile = "/etc/wireless.conf";
+      networks = {
+        Prapsschnalinen.pskRaw = "ext:home";
+      };
+    };
+
+    useDHCP = true;
+    enableIPv6 = true;
+    networkmanager.enable = false;
+
+    firewall.enable = true;
+    firewall.allowedTCPPorts = [
+      config.services.mysql.settings.mysqld.port
+    ];
+  };
+
+  config.security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+  };
+
+  # Select internationalization properties.
+  config.i18n.defaultLocale = "en_US.UTF-8";
+  config.console = {
+    font = "Lat2-Terminus16";
+    keyMap = "dvorak";
+  };
+
+  # Set your time zone.
+  config.time.timeZone = "Europe/Berlin";
+
+  # Enable the X11 windowing system.
+  config.services.xserver.enable = true;
+
+  config.services.logind.lidSwitch = "lock";
+
+  # Enable the GNOME Desktop Environment.
+  config.services.xserver.displayManager.gdm.enable = true;
+  config.services.xserver.desktopManager.gnome.enable = true;
+
+  # Configure keymap in X11
+  config.services.xserver.xkb.layout = "us";
+  config.services.xserver.xkb.variant = "dvorak";
+  config.services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+  # Enable CUPS to print documents.
+  config.services.printing.enable = true;
+
+  # Enable sound.
+  # hardware.pulseaudio.enable = true;
+  # OR
+  config.services.pipewire = {
+    enable = true;
+    pulse.enable = true;
+  };
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  config.services.libinput.enable = true;
+
+  config.services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+  };
+
+  config.programs.firefox.enable = true;
+  config.programs.git.enable = true;
+  config.programs.nm-applet.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  config.users.users.alex = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    shell = pkgs.zsh;
+    packages = [ pkgs.devenv ];
+  };
+
+  config.environment.systemPackages = with pkgs; [
+    alacritty
+    dolphin
+    waybar
+    hyprpaper
+    wofi
+    tmux
+    lftp
+  ];
+
+  config.programs.direnv = {
+    enable = true;
+    silent = true;
+  };
+
+  config.programs.hyprland = {
+    enable = true;
+    withUWSM = true;
+  };
+
+  config.programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+  };
+
+  config.programs.zsh.enable = true;
+
+  config.system.stateVersion = "24.11";
+}

hosts/igor/disko-config.nix

@@ -0,0 +1,67 @@
+{
+  disko.devices = {
+    disk.main = {
+      type = "disk";
+      device = "/dev/sdb";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            size = "1M";
+            type = "EF02";
+          };
+          ESP = {
+            priority = 1;
+            name = "ESP";
+            start = "1M";
+            end = "512M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+
+          root = {
+            size = "100%";
+            content = {
+              type = "btrfs";
+              extraArgs = [ "-f" ];
+
+              subvolumes = {
+                "/rootfs" = {
+                  mountpoint = "/";
+                  mountOptions = [
+                    "compress=zstd"
+                    "noatime"
+                  ];
+                };
+                "/home" = {
+                  mountOptions = [
+                    "compress=zstd"
+                    "noatime"
+                  ];
+                  mountpoint = "/home";
+                };
+                "/nix" = {
+                  mountOptions = [
+                    "compress=zstd"
+                    "noatime"
+                  ];
+                  mountpoint = "/nix";
+                };
+                "/swap" = {
+                  mountpoint = "/.swapvol";
+                  swap = {
+                    swapfile.size = "2G";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/igor/hardware-configuration.nix

@@ -0,0 +1,72 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ehci_pci"
+    "ahci"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+#  fileSystems."/" =
+#    { device = "/dev/disk/by-uuid/e7720a57-f96a-4f37-a2ad-43527868418c";
+#      fsType = "btrfs";
+#      options = [ "subvol=rootfs" ];
+#    };
+#
+#  fileSystems."/.swapvol" =
+#    { device = "/dev/disk/by-uuid/e7720a57-f96a-4f37-a2ad-43527868418c";
+#      fsType = "btrfs";
+#      options = [ "subvol=swap" ];
+#    };
+#
+#  fileSystems."/boot" =
+#    { device = "/dev/disk/by-uuid/2EDA-47FD";
+#      fsType = "vfat";
+#      options = [ "fmask=0022" "dmask=0022" ];
+#    };
+#
+#  fileSystems."/home" =
+#    { device = "/dev/disk/by-uuid/e7720a57-f96a-4f37-a2ad-43527868418c";
+#      fsType = "btrfs";
+#      options = [ "subvol=home" ];
+#    };
+#
+#  fileSystems."/nix" =
+#    { device = "/dev/disk/by-uuid/e7720a57-f96a-4f37-a2ad-43527868418c";
+#      fsType = "btrfs";
+#      options = [ "subvol=nix" ];
+#    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wwp0s20u4i6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/igor/syncthing.nix

@@ -0,0 +1,29 @@
+{ config, lib, ... }:
+{
+  config.services.syncthing = {
+    enable = true;
+
+    user = "vsftpd";
+    group = "vsftpd";
+
+    dataDir = "/var/lib/vsftpd";
+
+    settings.devices = {
+      thrall = {
+        id = "P52YQU2-7LCEOVV-DSGTAZG-AJ2DSJD-JPHSUJE-HC2KAGO-YR4SXQD-V6OQ7QF";
+	addresses = [ "tcp://195.90.211.228:22000" ];
+      };
+    };
+
+    settings.folders = {
+      paperless = {
+	path = "${config.services.vsftpd.localRoot}/scan";
+	devices = [ "thrall" ];
+	versioning = {
+          type = "trashcan";
+          params.cleanoutDays = "90";
+        };
+      };
+    };
+  };
+}

hosts/redmi/default.nix

@@ -4,12 +4,14 @@
   # Simply install just the packages
   environment.packages = with pkgs; [
     # User-facing stuff that you really really want to have
-    vim # or some other editor, e.g. nano or neovim
+    neovim
 
     git
+    git-annex
     mosh
     openssh
     wget
+    tmux
 
     # Some common stuff that people expect to have
     #diffutils
@@ -27,13 +29,18 @@
     #xz
     #zip
     #unzip
+    inetutils
   ];
 
   # Backup etc files instead of failing to activate generation if a file already exists in /etc
   environment.etcBackupExtension = ".bak";
 
+  environment.sessionVariables = {
+    EDITOR = "${pkgs.neovim}/bin/nvim";
+  };
+
   # Read the changelog before changing this value
-  system.stateVersion = "22.11";
+  system.stateVersion = "24.05";
 
   # Set up nix for flakes
   nix.extraOptions = ''

hosts/thrall/alex.nix

@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [ ../../home/alex/cli.nix ../../home/alex/services/git-sync ];
+
+  config.my.git-sync.enable = true;
+}

hosts/thrall/default.nix

@@ -2,28 +2,39 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ config, pkgs, ... }:
-let extIface = "ens3";
-in {
-  imports = [ # Include the results of the hardware scan.
+{
+  inputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  authorityFromUrl = url: builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
+in
+{
+  disabledModules = [ "services/web-apps/hledger-web.nix" ];
+
+  imports = [
     ./hardware-configuration.nix
+    inputs.snm.nixosModule
+    inputs.agenix.nixosModules.age
+    ../../modules/security.nix
+    ../../modules/sudo.nix
+    ../../modules/upgrade-pg-cluster.nix
+    ../../modules/nix-config.nix
+    ../../modules/iohk.nix
+    ../../modules/timezone.nix
+    ../../modules/keybase.nix
+    ../../modules/ssh.nix
+    ../../modules/hledger-web.nix
+    ../../modules/tailscale
+    ../../modules/mosh.nix
+    ../../modules/nh.nix
   ];
 
-  nix.package = pkgs.nixUnstable;
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes ca-derivations
-  '';
-  # nix.registry.nixpkgs.flake = nixpkgs;
-
-  # Binary Cache for Haskell.nix
-  nix.settings.trusted-public-keys =
-    [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
-
-  #nix.binaryCaches = [ "https://hydra.iohk.io" ];
-
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
   # boot.loader.grub.efiSupport = true;
   # boot.loader.grub.efiInstallAsRemovable = true;
   # boot.loader.efi.efiSysMountPoint = "/boot/efi";
@@ -31,9 +42,6 @@ in {
   boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
   # boot.loader.systemd-boot.enable = true;
 
-  # Set your time zone.
-  time.timeZone = "Europe/Berlin";
-
   age.secrets = {
     mailPass.file = ../../secrets/mailPass.age;
     paperless-mail.file = ../../secrets/paperless-mail.age;
@@ -41,85 +49,98 @@ in {
     hledger-web = {
       file = ../../secrets/hledger-web.htaccess.age;
       mode = "440";
-      owner = "nginx";
-      group = "nginx";
+      owner = config.services.nginx.user;
+      group = config.services.nginx.group;
     };
   };
 
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
-  networking = {
-    hostName = "thrall";
-    domain = "failco.de";
-    wireless.enable = false;
-    useDHCP = false;
-    enableIPv6 = false;
-    interfaces.${extIface}.ipv4.addresses = [{
-      address = "195.90.211.228";
-      prefixLength = 22;
-    }];
-    defaultGateway = "195.90.208.1";
-    nameservers = [ "1.1.1.1" "8.8.8.8" ];
-    firewall = {
-      allowedTCPPorts = [ 22 53 80 443 5000 ];
-      allowedUDPPorts = [ 53 42666 ];
-    };
-
-    # wireguard related config
-    nat.enable = true;
-    nat.externalInterface = extIface;
-    nat.internalInterfaces = [ "wg0" ];
-
-    wireguard.interfaces = {
-      wg0 = {
-        ips = [ "10.0.0.1/24" ];
-        listenPort = 42666;
-
-        postSetup = ''
-          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
-        '';
-        postShutdown = ''
-          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
-        '';
-
-        privateKeyFile = config.age.secrets.wireguard-thrall.path;
-        peers = [
+  networking =
+    let
+      extIface = "ens3";
+    in
+    {
+      hostName = "thrall";
+      domain = "failco.de";
+      wireless.enable = false;
+      useDHCP = false;
+      enableIPv6 = false;
+      interfaces.${extIface} = {
+        ipv4.addresses = [
           {
-            # my phone
-            publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
-            allowedIPs = [ "10.0.0.2/32" ];
-          }
-          {
-            # my tablet
-            publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
-            allowedIPs = [ "10.0.0.3/32" ];
+            address = "195.90.211.228";
+            prefixLength = 22;
           }
         ];
       };
+      defaultGateway = "195.90.208.1";
+      nameservers = [
+        "8.8.8.8"
+        "8.8.4.4"
+      ];
+      firewall = {
+        allowedTCPPorts = [
+          22
+          53
+          80
+          443
+          5000
+          40005 # syncthing
+        ];
+        allowedUDPPorts = [
+          53
+        ];
+      };
+
+      # wireguard related config
+      nat.enable = true;
+      nat.externalInterface = extIface;
+      nat.internalInterfaces = [ "wg0" ];
+
+      wireguard.interfaces = {
+        wg0 = {
+          ips = [ "10.0.0.1/24" ];
+          listenPort = 42666;
+
+          postSetup = ''
+            ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
+          '';
+          postShutdown = ''
+            ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
+          '';
+
+          privateKeyFile = config.age.secrets.wireguard-thrall.path;
+          peers = [
+            {
+              # my phone
+              publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
+              allowedIPs = [ "10.0.0.2/32" ];
+            }
+            {
+              # my tablet
+              publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
+              allowedIPs = [ "10.0.0.3/32" ];
+            }
+            {
+              # homematic
+              publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
+              allowedIPs = [ "10.0.0.4/32" ];
+            }
+          ];
+        };
+      };
     };
-  };
 
   security.acme = {
     acceptTerms = true;
     defaults.email = "alex@jakalx.net";
   };
 
-  security.sudo = {
-    enable = true;
-    execWheelOnly = true;
-    extraRules = [{
-      groups = [ "wheel" ];
-      commands = [{
-        command = "/run/current-system/sw/bin/nixos-rebuild";
-        options = [ "NOPASSWD" ];
-      }];
-    }];
-  };
-
-  # Select internationalisation properties.
+  # Select internationalization properties.
   i18n.defaultLocale = "en_US.UTF-8";
   console = {
     font = "Lat2-Terminus16";
@@ -128,6 +149,7 @@ in {
 
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.alex = {
+    description = "Alexander Kobjolke";
     isNormalUser = true;
     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
     shell = pkgs.zsh;
@@ -141,21 +163,16 @@ in {
     htop
     tmux
     git
-    git-annex
-    #agenix.defaultPackage.x86_64-linux
-    restic # fast and secure backup
     rclone
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
-  # programs.mtr.enable = true;
   programs.gnupg.agent = {
     enable = true;
     enableSSHSupport = true;
   };
 
-  programs.mosh.enable = true;
   programs.neovim = {
     enable = true;
     defaultEditor = true;
@@ -168,20 +185,19 @@ in {
 
   # List services that you want to enable:
 
-  # depending on wireguard
   services.kresd = {
     enable = true;
-    listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
+    listenPlain = [
+      "[::1]:53"
+      "127.0.0.1:53"
+      "10.0.0.1:53"
+    ];
   };
 
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
   services.lorri.enable = true;
 
   # configure backup via restic to gdrive
   services.restic.backups = { };
-  services.keybase = { enable = true; };
 
   services.nginx = {
     enable = true;
@@ -203,6 +219,16 @@ in {
       extraConfig = ''
         add_header X-Frame-Options 'SAMEORIGIN';
       '';
+
+      locations."/photo-groove" = {
+        proxyPass = "http://127.0.0.1:8000/";
+        proxyWebsockets = true;
+      };
+
+      locations."/elfeed" = {
+        proxyPass = "http://127.0.0.1:8080/elfeed";
+        proxyWebsockets = true;
+      };
     };
 
     "www.jakalx.net" = {
@@ -215,56 +241,80 @@ in {
       '';
     };
 
-    # gitea
-    "git.failco.de" = {
+    "kobjolke.de" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/srv/www/kobjolke.de";
+      serverAliases = [ "www.kobjolke.de" ];
+      extraConfig = ''
+        add_header X-Frame-Options 'SAMEORIGIN';
+      '';
+    };
+
+    # forgejo - git web frontend
+    "${config.services.forgejo.settings.server.DOMAIN}" = {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://127.0.0.1:3001/";
+        proxyPass = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}/";
         proxyWebsockets = true;
       };
     };
 
     # paperless
-    "docs.failco.de" = {
+    "${authorityFromUrl config.services.paperless.settings.PAPERLESS_URL}" = {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://127.0.0.1:3002/";
+        proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/";
         proxyWebsockets = true;
       };
     };
 
     # hledger
-    "ledger.failco.de" = {
+    "${authorityFromUrl config.services.hledger-web.baseUrl}" = {
       forceSSL = true;
       enableACME = true;
       basicAuthFile = config.age.secrets.hledger-web.path;
       locations."/" = {
-        proxyPass = "http://127.0.0.1:3003/";
+        proxyPass = "http://${config.services.hledger-web.host}:${toString config.services.hledger-web.port}/";
         proxyWebsockets = true;
       };
     };
   };
 
-  services.gitea = {
+  users.users.git = {
+    home = config.services.forgejo.stateDir;
+    useDefaultShell = true;
+    group = config.services.forgejo.group;
+    isSystemUser = true;
+  };
+
+  services.forgejo = {
     enable = true;
+    user = "git";
     database.type = "sqlite3";
     lfs.enable = true;
-    domain = "git.failco.de";
-    rootUrl = "https://git.failco.de";
-    httpAddress = "127.0.0.1";
-    httpPort = 3001;
 
     settings = {
       service.DISABLE_REGISTRATION = true;
 
+      server = {
+        DOMAIN = "git.failco.de";
+        ROOT_URL = "https://git.failco.de";
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = 3001;
+      };
+
       mailer = {
         ENABLED = true;
-        MAILER_TYPE = "smtp";
-        FROM = "git@failco.de";
-        HOST = "thrall.failco.de:25";
-        IS_TLS_ENABLED = false;
+        PROTOCOL = "smtp";
+        SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+        FROM = "noreply@failco.de";
+      };
+
+      other = {
+        SHOW_FOOTER_VERSION = false;
       };
     };
   };
@@ -274,63 +324,125 @@ in {
     address = "127.0.0.1";
     port = 3002;
     consumptionDirIsPublic = true;
-    extraConfig = {
+    configureTika = true;
+    settings = {
       PAPERLESS_OCR_LANGUAGE = "deu+eng";
+      PAPERLESS_OCR_USER_ARGS = ''{"invalidate_digital_signatures": true}'';
       PAPERLESS_URL = "https://docs.failco.de";
+      PAPERLESS_CONSUMER_RECURSIVE = true;
+      PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS = true;
+
+      # workaround for classification getting stuck, see
+      # https://github.com/NixOS/nixpkgs/issues/240591#issuecomment-1915678490
+      OMP_NUM_THREADS = 1;
     };
   };
 
+  services.hledger-web = {
+    enable = true;
+    baseUrl = "https://ledger.failco.de";
+    port = 3003;
+    capabilities = {
+      view = true;
+      add = true;
+      manage = true;
+    };
+    journalFiles = [ "current.journal" ];
+    extraOptions = [
+      "-B"
+      "--value=then"
+    ];
+  };
+
   services.fail2ban = {
     enable = true;
     maxretry = 5;
-    ignoreIP =
-      [ "127.0.0.0/8" "195.90.211.228/22" "10.0.0.0/8" "192.168.0.0/16" ];
+
+    bantime = "1h";
+    bantime-increment.enable = true;
+
+    ignoreIP = [
+      "127.0.0.0/8"
+      "195.90.211.228"
+      "10.0.0.0/8"
+      "192.168.0.0/16"
+    ];
+
+    jails.postfix = ''
+      filter   = postfix
+      maxretry = 3
+      action   = iptables[name=postfix, port=smtp, protocol=tcp]
+      enabled  = true
+    '';
   };
 
   services.syncthing = {
     enable = true;
     user = "alex";
     dataDir = "/home/alex/sync";
-    overrideDevices =
-      true; # overrides any devices added or deleted through the WebUI
-    overrideFolders =
-      true; # overrides any folders added or deleted through the WebUI
-    folders = {
-      "org" = {
-        path = "/home/alex/org";
-        devices = [ "redmi" ];
+    overrideDevices = true; # overrides any devices added or deleted through the WebUI
+    overrideFolders = true; # overrides any folders added or deleted through the WebUI
+    settings = {
+      folders = {
+        "org" = {
+          path = "/home/alex/org";
+          devices = [ "redmi" ];
+        };
+        "paperless" = {
+          path = "${config.services.paperless.consumptionDir}";
+          devices = [
+            "redmi"
+            "dregil"
+            "igor"
+          ];
+        };
       };
-      "scan" = {
-        path = "/home/alex/media/scan";
-        devices = [ "redmi" ];
-      };
-    };
-    devices = {
-      "redmi" = {
-        id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
+      devices = {
+        redmi = {
+          id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
+        };
+        dregil = {
+          id = "SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH";
+        };
+        igor = {
+          id = "NHSYYF6-I5GWMTI-2SQ6PIA-EU3TYZF-3I7BI3K-QTSRGCT-QVLSFG4-74TL2QW";
+        };
       };
     };
   };
 
   mailserver = {
     enable = true;
+    stateVersion = 3;
     fqdn = "thrall.failco.de";
-    domains = [ "failco.de" "jakalx.net" ];
+    domains = [
+      "failco.de"
+      "jakalx.net"
+      "kobjolke.de"
+    ];
 
     loginAccounts = {
       "me@failco.de" = {
         # nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt'
         hashedPasswordFile = config.age.secrets.mailPass.path;
 
-        aliases = [ "lx@failco.de" "alex@failco.de" ];
+        aliases = [
+          "lx@failco.de"
+          "alex@failco.de"
+          "abuse@failco.de"
+          "postmaster@failco.de"
+          "abuse@kobjolke.de"
+          "postmaster@kobjolke.de"
+          "abuse@jakalx.net"
+          "postmaster@jakalx.net"
+        ];
 
-        catchAll = [ "failco.de" ];
+        catchAll = [
+        ];
       };
 
       "alex@jakalx.net" = {
         hashedPasswordFile = config.age.secrets.mailPass.path;
-
-        catchAll = [ "jakalx.net" ];
       };
 
       "archive@failco.de" = {
@@ -338,18 +450,45 @@ in {
       };
     };
 
-    certificateScheme = 3;
+    extraVirtualAliases = {
+      "alex@kobjolke.de" = [ "me@failco.de" ];
+    };
+
+    forwards = {
+      "familie@kobjolke.de" = [
+        "alex@kobjolke.de"
+        "anne@kobjolke.de"
+      ];
+      "anne@kobjolke.de" = "anne.kobjolke@gmail.com";
+      "alexander@kobjolke.de" = "alex@kobjolke.de";
+      "ida@kobjolke.de" = "alex@kobjolke.de";
+      "klara@kobjolke.de" = "alex@kobjolke.de";
+      "charlie@kobjolke.de" = "alex@kobjolke.de";
+    };
+
+    certificateScheme = "acme-nginx";
 
     enableImapSsl = true;
     enableManageSieve = true;
     virusScanning = true;
   };
 
+  services.postgresql = {
+    package = pkgs.postgresql_15;
+  };
   services.roundcube = {
     enable = true;
     hostName = "mail.failco.de";
-    dicts = with pkgs.aspellDicts; [ en de ];
-    plugins = [ "archive" "attachment_reminder" "managesieve" "markasjunk" ];
+    dicts = with pkgs.aspellDicts; [
+      en
+      de
+    ];
+    plugins = [
+      "archive"
+      "attachment_reminder"
+      "managesieve"
+      "markasjunk"
+    ];
     extraConfig = ''
       # starttls needed for authentication, so the fqdn required to match
       # the certificate
@@ -366,6 +505,4 @@ in {
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "20.09"; # Did you read the comment?
-
 }
-

modules/appimage.nix

@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.binfmt.registrations.appimage = {
+    wrapInterpreterInShell = false;
+    interpreter = "${pkgs.appimage-run}/bin/appimage-run";
+    recognitionType = "magic";
+    offset = 0;
+    mask = "\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff";
+    magicOrExtension = "\\x7fELF....AI\\x02";
+  };
+}

modules/common-system.nix

@@ -1,5 +1,6 @@
-{config, pkgs, inputs, ...}:
-{
+{ config, pkgs, inputs, ... }: {
+  imports = [ ./nix-config.nix ];
+
   i18n.defaultLocale = "en_US.UTF-8";
   time.timeZone = "Europe/Berlin";
 
@@ -10,7 +11,7 @@
     git
     dua
     erdtree
-    exa
+    eza
     fd
     fzf
     bat
@@ -20,26 +21,5 @@
 
   networking.firewall.enable = true;
 
-  nix = {
-      gc = {
-        automatic = true;
-        dates = "weekly";
-        options = "--delete-older-than 30d";
-      };
-
-      registry = {
-        nixpkgs.flake = inputs.nixpkgs;
-        nixpkgs-unstable.flake = inputs.nixpkgs-unstable;
-      };
-
-      settings = {
-        auto-optimise-store = true;
-        experimental-features = [ "nix-command" "flakes" ];
-        warn-dirty = false;
-
-        # avoid unwanted garbage collection when using direnv
-        keep-outputs = true;
-        keep-derivations = true;
-      };
-  };
+  nix = { registry = { nixpkgs.flake = inputs.nixpkgs; }; };
 }

modules/flatpak.nix

@@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  services.flatpak.enable = true;
+
+  systemd.services.flatpak-repo = {
+    wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.flatpak ];
+    script = ''
+      flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+    '';
+  };
+}

modules/grub-themes/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  config.distro-grub-themes = {
+    enable = true;
+    theme = "nixos";
+  };
+}

modules/hardening.nix

@@ -0,0 +1,752 @@
+{ config, lib, pkgs, ... }: {
+  systemd.services.systemd-rfkill = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.syslog = {
+    serviceConfig = {
+      PrivateNetwork = true;
+      CapabilityBoundingSet =
+        [ "CAP_DAC_READ_SEARCH" "CAP_SYSLOG" "CAP_NET_BIND_SERVICE" ];
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      PrivateMounts = true;
+      SystemCallArchitectures = "native";
+      MemoryDenyWriteExecute = true;
+      LockPersonality = true;
+      ProtectKernelTunables = true;
+      RestrictRealtime = true;
+      PrivateUsers = true;
+      PrivateTmp = true;
+      UMask = "0077";
+      RestrictNamespace = true;
+      ProtectProc = "invisible";
+      ProtectHome = true;
+      DeviceAllow = false;
+      ProtectSystem = "full";
+    };
+  };
+
+  systemd.services.systemd-journald = {
+    serviceConfig = {
+      UMask = 77;
+      PrivateNetwork = true;
+      ProtectHostname = true;
+      ProtectKernelModules = true;
+    };
+  };
+  systemd.services.auto-cpufreq = {
+    serviceConfig = {
+      CapabilityBoundingSet = "";
+      ProtectSystem = "full";
+      ProtectHome = true;
+      PrivateNetwork = true;
+      IPAddressDeny = "any";
+      NoNewPrivileges = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectHostname = false;
+      MemoryDenyWriteExecute = true;
+      ProtectClock = true;
+      RestrictNamespaces = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectProc = true;
+      ReadOnlyPaths = [ "/" ];
+      InaccessiblePaths = [ "/home" "/root" "/proc" ];
+      SystemCallFilter = [ "@system-service" ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+    };
+  };
+  systemd.services.NetworkManager-dispatcher = {
+    serviceConfig = {
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateUsers = true;
+      PrivateDevices = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.display-manager = {
+    serviceConfig = {
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true; # so we won't need all of this
+    };
+  };
+  systemd.services.emergency = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # Might need adjustment for emergency access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services."getty@tty1" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services."getty@tty7" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET";
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.NetworkManager = {
+    serviceConfig = {
+      NoNewPrivileges = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      SystemCallArchitectures = "native";
+      MemoryDenyWriteExecute = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      RestrictNamespaces = true;
+      ProtectKernelTunables = true;
+      ProtectHome = true;
+      PrivateTmp = true;
+      UMask = "0077";
+    };
+  };
+  systemd.services."nixos-rebuild-switch-to-configuration" = {
+    serviceConfig = {
+      ProtectHome = true;
+      NoNewPrivileges = true; # Prevent gaining new privileges
+    };
+  };
+  systemd.services."dbus" = {
+    serviceConfig = {
+      PrivateTmp = true;
+      PrivateNetwork = true;
+      ProtectSystem = "full";
+      ProtectHome = true;
+      SystemCallFilter =
+        "~@clock @cpu-emulation @module @mount @obsolete @raw-io @reboot @swap";
+      ProtectKernelTunables = true;
+      NoNewPrivileges = true;
+      CapabilityBoundingSet = [
+        "~CAP_SYS_TIME"
+        "~CAP_SYS_PACCT"
+        "~CAP_KILL"
+        "~CAP_WAKE_ALARM"
+        "~CAP_SYS_BOOT"
+        "~CAP_SYS_CHROOT"
+        "~CAP_LEASE"
+        "~CAP_MKNOD"
+        "~CAP_NET_ADMIN"
+        "~CAP_SYS_ADMIN"
+        "~CAP_SYSLOG"
+        "~CAP_NET_BIND_SERVICE"
+        "~CAP_NET_BROADCAST"
+        "~CAP_AUDIT_WRITE"
+        "~CAP_AUDIT_CONTROL"
+        "~CAP_SYS_RAWIO"
+        "~CAP_SYS_NICE"
+        "~CAP_SYS_RESOURCE"
+        "~CAP_SYS_TTY_CONFIG"
+        "~CAP_SYS_MODULE"
+        "~CAP_IPC_LOCK"
+        "~CAP_LINUX_IMMUTABLE"
+        "~CAP_BLOCK_SUSPEND"
+        "~CAP_MAC_*"
+        "~CAP_DAC_*"
+        "~CAP_FOWNER"
+        "~CAP_IPC_OWNER"
+        "~CAP_SYS_PTRACE"
+        "~CAP_SETUID"
+        "~CAP_SETGID"
+        "~CAP_SETPCAP"
+        "~CAP_FSETID"
+        "~CAP_SETFCAP"
+        "~CAP_CHOWN"
+      ];
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      RestrictNamespaces = true;
+      MemoryDenyWriteExecute = true;
+      RestrictAddressFamilies = [ "~AF_PACKET" "~AF_NETLINK" ];
+      ProtectHostname = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      PrivateUsers = true;
+    };
+  };
+  systemd.services.nix-daemon = {
+    serviceConfig = {
+      ProtectHome = true;
+      PrivateUsers = false;
+    };
+  };
+  systemd.services.reload-systemd-vconsole-setup = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictNamespaces = true;
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.rescue = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # Might need adjustment for rescue operations
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Networking might be necessary in rescue mode
+      RestrictNamespaces = true;
+      SystemCallFilter = [
+        "write"
+        "read"
+        "openat"
+        "close"
+        "brk"
+        "fstat"
+        "lseek"
+        "mmap"
+        "mprotect"
+        "munmap"
+        "rt_sigaction"
+        "rt_sigprocmask"
+        "ioctl"
+        "nanosleep"
+        "select"
+        "access"
+        "execve"
+        "getuid"
+        "arch_prctl"
+        "set_tid_address"
+        "set_robust_list"
+        "prlimit64"
+        "pread64"
+        "getrandom"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny =
+        "any"; # May need to be relaxed for network troubleshooting in rescue mode
+    };
+  };
+  systemd.services."systemd-ask-password-console" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May need adjustment for console access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services."systemd-ask-password-wall" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.thermald = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Necessary for adjusting cooling policies
+      ProtectKernelModules = true; # May need adjustment for module control
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May require access to specific hardware devices
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      CapabilityBoundingSet = "";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+      DeviceAllow = [ ];
+      RestrictAddressFamilies = [ ];
+    };
+  };
+  systemd.services."user@1000" = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true; # Be cautious, as this may restrict user operations
+      PrivateDevices = true;
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust based on user needs
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+  systemd.services.virtlockd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May need adjustment for accessing VM resources
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust as necessary
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need adjustment for network operations
+    };
+  };
+  systemd.services.virtlogd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers = true;
+      PrivateDevices = true; # May need adjustment for accessing VM logs
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = true;
+      SystemCallFilter =
+        [ "@system-service" ]; # Adjust based on log management needs
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny =
+        "any"; # May need to be relaxed for network-based log collection
+    };
+  };
+  systemd.services.virtlxcd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Necessary for container management
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers =
+        true; # Be cautious, might need adjustment for container user management
+      PrivateDevices = true; # Containers might require broader device access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Necessary for networked containers
+      RestrictNamespaces = true;
+      SystemCallFilter =
+        [ "@system-service" ]; # Adjust based on container operations
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need to be relaxed for network functionality
+    };
+  };
+  systemd.services.virtqemud = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Necessary for VM management
+      ProtectKernelModules =
+        true; # May need adjustment for VM hardware emulation
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers =
+        true; # Be cautious, might need adjustment for VM user management
+      PrivateDevices = true; # VMs might require broader device access
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Necessary for networked VMs
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need to be relaxed for network functionality
+    };
+  };
+  systemd.services.virtvboxd = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true; # Required for some VM management tasks
+      ProtectKernelModules = true; # May need adjustment for module handling
+      ProtectControlGroups = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      PrivateUsers =
+        true; # Be cautious, might need adjustment for VM user management
+      PrivateDevices = true; # VMs may require access to certain devices
+      PrivateIPC = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies =
+        "AF_INET AF_INET6"; # Necessary for networked VMs
+      RestrictNamespaces = true;
+      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any"; # May need to be relaxed for network functionality
+    };
+  };
+}

modules/hledger-web.nix

@@ -0,0 +1,140 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let cfg = config.services.hledger-web;
+in {
+  options.services.hledger-web = {
+
+    enable = mkEnableOption (lib.mdDoc "hledger-web service");
+
+    serveApi = mkEnableOption
+      (lib.mdDoc "serving only the JSON web API, without the web UI");
+
+    host = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = lib.mdDoc ''
+        Address to listen on.
+      '';
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 5000;
+      example = 80;
+      description = lib.mdDoc ''
+        Port to listen on.
+      '';
+    };
+
+    capabilities = {
+      view = mkOption {
+        type = types.bool;
+        default = true;
+        description = lib.mdDoc ''
+          Enable the view capability.
+        '';
+      };
+      add = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Enable the add capability.
+        '';
+      };
+      manage = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Enable the manage capability.
+        '';
+      };
+    };
+
+    stateDir = mkOption {
+      type = types.path;
+      default = "/var/lib/hledger-web";
+      description = lib.mdDoc ''
+        Path the service has access to. If left as the default value this
+        directory will automatically be created before the hledger-web server
+        starts, otherwise the sysadmin is responsible for ensuring the
+        directory exists with appropriate ownership and permissions.
+      '';
+    };
+
+    journalFiles = mkOption {
+      type = types.listOf types.str;
+      default = [ ".hledger.journal" ];
+      description = lib.mdDoc ''
+        Paths to journal files relative to {option}`services.hledger-web.stateDir`.
+      '';
+    };
+
+    baseUrl = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      example = "https://example.org";
+      description = lib.mdDoc ''
+        Base URL, when sharing over a network.
+      '';
+    };
+
+    extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      example = [ "--forecast" ];
+      description = lib.mdDoc ''
+        Extra command line arguments to pass to hledger-web.
+      '';
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    users.users.hledger = {
+      name = "hledger";
+      group = "hledger";
+      isSystemUser = true;
+      home = cfg.stateDir;
+      useDefaultShell = true;
+    };
+
+    users.groups.hledger = { };
+
+    systemd.services.hledger-web = let
+      serverArgs = with cfg;
+        escapeShellArgs ([
+          "--serve"
+          "--host=${host}"
+          "--port=${toString port}"
+          (optionalString capabilities.add "--allow=add")
+          (optionalString capabilities.view "--allow=view")
+          (optionalString capabilities.manage "--allow=edit")
+          (optionalString (cfg.baseUrl != null) "--base-url=${cfg.baseUrl}")
+          (optionalString (cfg.serveApi) "--serve-api")
+        ] ++ (map (f: "--file=${stateDir}/${f}") cfg.journalFiles)
+          ++ extraOptions);
+    in {
+      description = "hledger-web - web-app for the hledger accounting tool.";
+      documentation = [ "https://hledger.org/hledger-web.html" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "networking.target" ];
+      serviceConfig = mkMerge [
+        {
+          ExecStart = "${pkgs.hledger-web}/bin/hledger-web ${serverArgs}";
+          Restart = "always";
+          WorkingDirectory = cfg.stateDir;
+          User = "hledger";
+          Group = "hledger";
+          PrivateTmp = true;
+        }
+        (mkIf (cfg.stateDir == "/var/lib/hledger-web") {
+          StateDirectory = "hledger-web";
+        })
+      ];
+    };
+
+  };
+
+  meta.maintainers = with lib.maintainers; [ marijanp erictapen ];
+}

modules/hleger-web.nix

@@ -1,19 +0,0 @@
-{ config, lib, pkgs, ... }:
-with lib;
-let cfg = config.services.hledger;
-in {
-  options = {
-    services.hledger = {
-      enable = mkEnableOption (lib.mdDoc "hledger web service");
-
-      package = mkOption {
-        default = pkgs.hledger;
-        defaultText = literalExpression "pkgs.hledger";
-        type = types.package;
-        description = lib.mdDoc ''
-          HLedger package to use.
-        '';
-      };
-    };
-  };
-}

modules/hyprland/default.nix

@@ -0,0 +1,10 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  config.programs.hyprland.enable = true;
+  config.environment.systemPackages = [ pkgs.kitty ];
+  config.environment.sessionVariables.NIXOS_OZONE_WL = "1";
+}

modules/iohk.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Binary Cache for Haskell.nix
+  nix.settings.trusted-public-keys =
+    [ "cache.iog.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
+
+  nix.settings.substituters = lib.mkAfter [ "https://cache.iog.io" ];
+}

modules/keybase.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.keybase.enable = true;
+}

modules/mosh.nix

@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  programs.mosh = {
+    enable = true;
+    openFirewall = true;
+  };
+}

modules/nh.nix

@@ -0,0 +1,23 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.programs.nh;
+in
+{
+  config.programs.nh = {
+    enable = true;
+    clean.enable = true;
+    clean.extraArgs = "--keep-since 4d --keep 3";
+    flake = "/home/alex/src/nixos-config";
+  };
+
+  config.nix.gc.automatic = lib.mkIf cfg.enable (lib.mkForce false);
+  config.environment = lib.mkIf cfg.enable {
+    variables = lib.mkIf (cfg.flake != null) {
+      NH_FLAKE = cfg.flake;
+    };
+  };
+}

modules/nix-config.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  nix = {
+    package = pkgs.nixVersions.latest;
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+      warn-dirty = false;
+
+      # avoid unwanted garbage collection when using direnv
+      keep-outputs = true;
+      keep-derivations = true;
+
+      trusted-substituters = [
+        "https://devenv.cachix.org"
+        "https://nixcache.reflex-frp.org"
+      ];
+      trusted-public-keys = [
+        "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+        "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI="
+      ];
+      trusted-users = [
+        "root"
+        "alex"
+      ];
+    };
+  };
+}

modules/podman/default.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+{
+  # Enable common container config files in /etc/containers
+  virtualisation.containers.enable = true;
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  # Useful other development tools
+  environment.systemPackages = with pkgs; [
+    dive # look into docker image layers
+    podman-tui # status of containers in the terminal
+    # docker-compose # start group of containers for dev
+    podman-compose # start group of containers for dev
+  ];
+}

modules/security.nix

@@ -9,10 +9,10 @@
 
   # tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
   # on ssd systems, and volatile! Because it's wiped on reboot.
-#  boot.tmpOnTmpfs = lib.mkDefault true;
+  #  boot.tmpOnTmpfs = lib.mkDefault true;
   # If not using tmpfs, which is naturally purged on reboot, we must clean it
   # /tmp ourselves. /tmp should be volatile storage!
-  boot.cleanTmpDir = lib.mkDefault (!config.boot.tmpOnTmpfs);
+  boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
 
   # Fix a security hole in place for backwards compatibility. See desc in
   # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix

modules/ssh.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.openssh.enable = true;
+  users.users.alex.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/aaVGcys7ZJ3chImea/8jTGtIVYKzDxXBGIeZMiLm/ u0_a204@localhost"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrPC2OMHYJX41vedlsgQeLobapDOZ8StPVwmTTp0Qc83OeXGXiaJ2P0wA65NoIjh+I7OZjc/kRCO+mC4BZs2Em3pmWOZNTvW4YA8lvhpkwFNrvmx+G+HKKG7F04lOgo9zAJltY8ENj0T5jddbWWuSRDNPrHCwet2jdiTWc2Ri5QNAdxXSmp+XG9rTPF6JfuH3kjU7UYgMG0c9dJAy7KzCj4p6GhlfvZlFndhmT+PMkJbn5liv8ldFIuHAqA0Hyo3UYfAieeUDBloevbZKpbsp7wVdtmySfJCgwRaOqVPyB+5QK6sY32s2L8sHHdKgnJ1czeLaX11ZEGQIb4wMd6VYD (none)"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIScA09BrNhQjUzoKhU8xl0Giq4o+eN4tOhdRrS3AHg9QtDd+cZ/6gx5iuVguwVPwCBSGlyilIhtTvUHBft7vEqdoSWDzsIv4nAq5+m4wBAV1WtNuzdIjgDBVtYqIKI+KHasIuj5ol8tDbMmNUfG4kvPgaIudGo9G+ynWSVR1mZyk+W0sAKJAeWmcv5EDxMaSS/4WWXZ7GeLy5t0RJlyO4Pspm69hb63Urz5N2YJHUwgXLZbirsTK0cKRGLKvyEwUOQDvnj13VvnSt5mjfYNGr0g770PLNRPno2PeS5ux2+/4dx03+enh6CA70a+Ialu1Z7qMsaZhLPwuUDTGJJX4F ads-1700w"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOlzj6jMbFgBeNIq1u6ixwtfsjcTV/S5VUchpH2GskodrAuWTE6G+eIj40nVO3JbaErderhfosIhN8HnZTP9uhXvDcAgqE98rVKLC1Pm0bDST4H+Qc358h4BRWamkojF7ub1RdMKVsIX9xQFAPCv+6iyLKBU5F8lNu70Wr9cNSPaMS1zvKdJzUzq34kdjKf6Jsc+64ux254MUbkoD9VgJpNq9cCbkI6JHDLL+6fer/66dvsEggEEoCgbupJljsHo+4SGDqiFFT8l81gfgsV6CwAib7gkSiR9ZgCDgwjd5QPMqPBFytIc5F8Gz4sbsB2TMlLraaD+vcTt7p3HlWCsDpW0QBeeDvmupZoWpQuT8R/4G3FnGAf5sJgccffO8R/na8/TpSrRdfj0GlGYvxasMKDJnbrVig+zi7JpdH9hvAXmpv6c8QHhjr191I15PV2m4Z2bPPo5BXDt1YEqSgAaFHpTlkIUheEpbKRJI28YwOWOv3r1CcaGM64KxFXSZIIIk= nix-on-droid@localhost"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0itMeWUBtvAjNUzU0iCNHvRo2DUewlGjmHgy8qk7QyYvrFO0DhadDUrkqGK3RjfPue5eM+L/4sib+fr4OIAjzTxvSBpZWfMZtU41/iWiT2bvz7mNvi9j/TDBl/+PfFt0VBUgSPk1cO00P4sExVvseF9hXq5h4NNR4iSuC9P9u6mbaUeg9X6ydlld9+W300erxEToK54alZ0+YOwEMypjytjCBSPFG2QfmFoeU8bCqJvSotOw5nu974LKHOxZgxluBKprlusrRjCxZim9XwTS07I9gZhiDKIdvThSzEWZX4nwLrTyIh19DlZTO2vPUwwqBZyGlwMPCjfFazeViBKuQXCEAmifFHc/4f5Ae1zRA+ombJQveigomlcMXdV9E7HsD0I976ErJbYmfH+QwI78HbwFvbOX3yazdrw02ltdjvasO30dH7wdckoC7fYEXOij3M2pKlLOUojKUF589uPjiBiGNtxGKGpg0TKG9Nj1rvYHljfzQNwqgHKKrRdZo5pOHwzhvl4/fQubu5S/eAppstDuVHTZwIzpd9sHez1JNYS7SKNxT1cIW8NfW41RUe/8rVF678FvIDzuqkcYLsmPd+tg+w78stMEJHaTLHYOCbfYqEdBnvcNRPUFY30MwCVkG7s9X3cEuOwMx8KbTlH5AFZj9IBVUNeJ4p4aMUw3Pbw== /home/alex/.ssh/id_rsa"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDG4BlH07+a+U3i89U11Oz81X1lZnMnzu5d0Em2zlQJYiIqnwj7uRUl7TerXxmum9vOYsDGLGP8RwQRzySM5xfIIEmn5wHb6zPzD8jC8sJQws9d7q84PJMDVUfUeTHR/xZ9QbzG3NHTNnGdbtQptkDwxzLnr/kL5rvGrudgYa0RwHHZbz0WK15iVcsRIHglhsf9gLlXhZZ8Hn2r2qS7jj32InH58KAtawRBd8/WE56h/QY5vUt2F4M8ZvvIJHndynOn71iPJY0tr+b/VIG5JSK89aIQyVRk222TlTn3BrYW2VudrKkkLtssDEIfTmQeALN/LYev4+bJNGDI7bmg7TD4L6AlgrkTJGvXoup410oeiOWP2vrbK2OLB8lcs4lH9iauFg6fMAQuboJjUisicj6tD2SyjELCP2Hvf625k1H2vyp5366dUROBRaUX/AKIZwkIstNgcaLkF7gmeAc1Atr3DK4Jtxc9CHTO7Dv0os+p2q4LJm+mnJy8H7PnfPiRB3thTfULUAWQ2H8RpAn1r0Txur/3D/Jde6PPzL41CefmF6z+UOd4gwMONns7FLjru5z6HG/egaXlJPJkfYbgB+253VDDOga2Y+1W99rgvX0UsF//dhYCqa/XWvmk3htjRTgz80B7tm/eKQwaM7Cm7YZzWq5mjfgxPptkB9SDS8HORw== joyeuse"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDad0tKjdZluogJz9Tir9szwd3olnmY+XqrZtaabgAv9M1V3+ktjZxb11fqbhxpspEW889fG0PrdDsKrYrp6Adm6mVcFXb2Rx8uEIcQ4XQfMqzTBLgNipBcU+7DiWHrejLf9hcrH6HL4o6py59CrX5lnAf1Elt9HxUXTVl9rbMp0SHif6EbYumrCwipWWmcLJWKWVJrJ6rf4YBsmLNtxhf7myjCJxECetQeWyAJodguJa8T7hDJSiE6rfPLanU673T/CU1IBgexriUxcSk09PmjLGB3fFbZnGJlIOAua7ctXtwVjzat5WAWoNo5JdC3cnEUoNkyx7krLbQ2oOzNJi9YgYneTR0KWHYG/v/WVoI+VtW0RQIS+QzVW+ox8Y2j209BZGBFN1d+/ZarUsizg5OEyO7ntiL/UhL/YbI9jknBiw08mzUwIHLpNrpz17duIFNaNkmaN1FAt3b5HBVyq9h4x9FXmp/zaiVzN//Md4GD8xnGmiR3fd+l51mz+WjHIQM= alex@dregil"
+  ];
+}

modules/sudo.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    extraRules = [{
+      groups = [ "wheel" ];
+      commands = [{
+        command = "/run/current-system/sw/bin/nixos-rebuild";
+        options = [ "NOPASSWD" ];
+      }];
+    }];
+  };
+}

modules/tailscale/default.nix

@@ -0,0 +1,8 @@
+{
+  ...
+}:
+
+{
+  config.services.tailscale.enable = true;
+  config.services.resolved.enable = true;
+}

modules/timezone.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  time.timeZone = lib.mkDefault "Europe/Berlin";
+}

modules/upgrade-pg-cluster.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = [
+    (let
+      # XXX specify the postgresql package you'd like to upgrade to.
+      # Do not forget to list the extensions you need.
+      newPostgres = pkgs.postgresql_15.withPackages (pp: [
+        # pp.plv8
+      ]);
+    in pkgs.writeScriptBin "upgrade-pg-cluster" ''
+      set -eux
+      # XXX it's perhaps advisable to stop all services that depend on postgresql
+      systemctl stop postgresql
+
+      export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
+
+      export NEWBIN="${newPostgres}/bin"
+
+      export OLDDATA="${config.services.postgresql.dataDir}"
+      export OLDBIN="${config.services.postgresql.package}/bin"
+
+      install -d -m 0700 -o postgres -g postgres "$NEWDATA"
+      cd "$NEWDATA"
+      sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
+
+      sudo -u postgres $NEWBIN/pg_upgrade \
+        --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
+        --old-bindir $OLDBIN --new-bindir $NEWBIN \
+        "$@"
+    '')
+  ];
+}

modules/vsftpd/default.nix

@@ -0,0 +1,16 @@
+{ lib, pkgs, ... }:
+{
+   config.services.vsftpd = {
+     enable = true;
+     localUsers = true;
+     writeEnable = true;
+     chrootlocalUser = true;
+     userDbPath = "/etc/vsftpd/users";
+     enableVirtualUsers = true;
+     virtualUseLocalPrivs = true;
+     localRoot = "/var/lib/vsftpd/data";
+     extraConfig = "local_umask=002";
+   };
+
+   config.networking.firewall.allowedTCPPorts = [ 20 21 ];
+}

modules/wm/gnome.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+}

modules/wm/greetd.nix

@@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  services.greetd = {
+    enable = true;
+    settings = {
+      default_session = {
+        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
+        user = "greeter";
+      };
+    };
+  };
+}

modules/wm/light.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.programs.light = { enable = true; };
+  config.services.actkbd = let light = "${pkgs.light}/bin/light";
+  in {
+    enable = true;
+    bindings = [
+      {
+        keys = [ 232 ];
+        events = [ "key" ];
+        command = "${light} -U 10";
+      }
+
+      {
+        keys = [ 233 ];
+        events = [ "key" ];
+        command = "${light} -A 10";
+      }
+    ];
+  };
+}

modules/wm/sway.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  environment.systemPackages = with pkgs; [
+    grim # screenshot functionality
+    slurp # screenshot functionality
+    wl-clipboard # wl-copy and wl-paste for copy/paste from stdin / stdout
+    mako # notification system developed by swaywm maintainer
+  ];
+
+  # Enable the gnome-keyring secrets vault.
+  # Will be exposed through DBus to programs willing to store secrets.
+  services.gnome.gnome-keyring.enable = true;
+
+  # enable Sway window manager
+  programs.sway = {
+    enable = true;
+    wrapperFeatures.gtk = true;
+  };
+}

modules/wm/x.nix

@@ -0,0 +1,41 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  # Enable the X11 windowing system.
+  services = {
+    dbus = {
+      enable = true;
+    };
+
+    xserver = {
+      enable = true;
+
+      xkb = {
+        options = "terminate:ctrl_alt_bksp,caps:escape,compose:ralt";
+        layout = "us";
+      };
+
+      videoDrivers = [ "nvidia" ]; # "modesetting" ];
+
+      displayManager.lightdm = {
+        enable = true;
+        greeters.slick.enable = true;
+      };
+    };
+
+    desktopManager.gnome.enable = true;
+
+    # Enable touchpad support (enabled default in most desktopManager).
+    libinput = {
+      enable = true;
+      touchpad.disableWhileTyping = true;
+      touchpad.tapping = false;
+      mouse.naturalScrolling = config.services.libinput.touchpad.naturalScrolling;
+    };
+  };
+}

modules/wm/xmonad/default.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config.services = {
+    upower.enable = true;
+
+    xserver = {
+      windowManager.xmonad = {
+        enable = true;
+        enableContribAndExtras = true;
+      };
+    };
+  };
+
+  config.systemd.services.upower.enable = true;
+}

outputs/homeConfigurations/default.nix

@@ -1,69 +0,0 @@
-inputs: with inputs;
-let
-  pkgs = import nixpkgs-unstable {
-   system = "x86_64-linux";
-   config.allowUnfree = true;
-   overlays = []; 
-  };
-in
-{
-  "alex@dregil" = home-manager.lib.homeManagerConfiguration {
-    inherit pkgs;    
-    modules = [
-      {
-        programs.home-manager.enable = true;
-        
-        home = {
-          username = "alex";
-          homeDirectory = "/home/alex";
-          stateVersion = "22.11";
-          packages = with pkgs; [
-            alacritty           # fast terminal
-            firefox             # the browser with the fox
-
-            # social
-            jitsi-meet-electron # jitsi as a stand-alone app
-            discord             # talk to other people
-            #inputs.simplex-chat.packages."x86_64-linux"."exe:simplex-chat"
-
-            # editing
-            helix        # vim like editor
-            nil          # nix language server
-
-            # system tools
-            htop-vim     # htop with vim bindings
-            erdtree      # du+tree had sex
-            dua          # ncdu but better
-            bat          # better cat
-            uhk-agent    # my keyboard
-            mosh         # ssh via udp
-
-            # gaming support
-            lutris
-          ];
-        };
-
-        programs.bash = {
-          enable = true;
-        };
-
-        programs.zsh = {
-          enable = true;
-        };
-
-        programs.git = {
-          enable = true;
-          userName = "Alexander Kobjolke";
-          userEmail = "me@failco.de";
-        };
-
-        programs.password-store = {
-          enable = true;
-        };
-
-        # do not show home-manager notifications
-        news.display = "silent";
-      }
-    ];
-   };
-}

scripts/nixos-mailserver-migration-03.py

@@ -0,0 +1,142 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p python3
+
+import argparse
+import os
+import shutil
+import sys
+from enum import Enum
+from pathlib import Path
+from pwd import getpwnam
+
+
+class FolderLayout(Enum):
+    Default = 1
+    Folder = 2
+
+
+def check_user(vmail_root: Path):
+    owner = vmail_root.owner()
+    owner_uid = getpwnam(owner).pw_uid
+
+    if os.geteuid() == owner_uid:
+        return
+
+    try:
+        print(
+            f"Trying to switch effective user id to {owner_uid} ({owner})",
+            file=sys.stderr,
+        )
+        os.seteuid(owner_uid)
+        return
+    except PermissionError:
+        print(
+            f"Failed switching to virtual mail user. Please run this script under it, for example by using `sudo -u {owner}`)",
+            file=sys.stderr,
+        )
+    sys.exit(1)
+
+
+def is_maildir_related(path: Path, layout: FolderLayout) -> bool:
+    if path.name in [
+        "subscriptions"
+        # https://doc.dovecot.org/2.3/admin_manual/mailbox_formats/maildir/#imap-uid-mapping
+        "dovecot-uidlist",
+        # https://doc.dovecot.org/2.3/admin_manual/mailbox_formats/maildir/#imap-keywords
+        "dovecot-keywords",
+    ]:
+        return True
+    if not path.is_dir():
+        return False
+    if path.name in ["cur", "new", "tmp"]:
+        return True
+    if layout is FolderLayout.Default and path.name.startswith("."):
+        return True
+    if layout is FolderLayout.Folder:
+        if path.name in ["mail"]:
+            return False
+        return True
+
+    return False
+
+
+def mkdir(dst: Path, dry_run: bool = True):
+    print(f'mkdir "{dst}"')
+    if not dry_run:
+        # u+rwx, setgid
+        dst.mkdir(mode=0o2700)
+
+
+def move(src: Path, dst: Path, dry_run: bool = True):
+    print(f'mv "{src}" "{dst}"')
+    if not dry_run:
+        src.rename(dst)
+
+
+def delete(dst: Path, dry_run: bool = True):
+    if not dst.exists():
+        return
+
+    if dst.is_dir():
+        print(f'rm --recursive "{dst}"')
+        if not dry_run:
+            shutil.rmtree(dst)
+    else:
+        print(f'rm "{dst}"')
+        if not dry_run:
+            dst.unlink()
+
+
+def main(vmail_root: Path, layout: FolderLayout, dry_run: bool = True):
+    maildirs = {path.parent for path in vmail_root.glob("*/*/cur")}
+    maybe_delete = []
+
+    # The old maildir will be the new home directory
+    for homedir in maildirs:
+        maildir = homedir / "mail"
+        mkdir(maildir, dry_run)
+
+        for path in homedir.iterdir():
+            if is_maildir_related(path, layout):
+                move(path, maildir / path.name, dry_run)
+            else:
+                maybe_delete.append(path)
+
+    # Files that are part of the previous home directory, but now obsolete
+    for path in [
+        vmail_root / ".dovecot.lda-dupes",
+        vmail_root / ".dovecot.lda-dupes.locks",
+    ]:
+        delete(path, dry_run)
+
+    # The remaining files are likely obsolete, but should still be checked with care
+    for path in maybe_delete:
+        print(f"# rm {str(path)}")
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="""
+        NixOS Mailserver Migration #3: Dovecot mail directory migration
+        (https://nixos-mailserver.readthedocs.io/en/latest/migrations.html#dovecot-mail-directory-migration)
+    """
+    )
+    parser.add_argument(
+        "vmail_root", type=Path, help="Path to the `mailserver.mailDirectory`"
+    )
+    parser.add_argument(
+        "--layout",
+        choices=["default", "folder"],
+        required=True,
+        help="Folder layout: 'default' unless `mailserver.useFsLayout` was enabled, then'folder'",
+    )
+    parser.add_argument(
+        "--execute", action="store_true", help="Actually perform changes"
+    )
+
+    args = parser.parse_args()
+
+    layout = FolderLayout.Default if args.layout == "default" else FolderLayout.Folder
+
+    check_user(args.vmail_root)
+    main(args.vmail_root, layout, not args.execute)

secrets/hledger-web.htaccess.age

@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> X25519 ntNFHjGdIlYJTbloT8Ujpn8Yh+oAaX/m0DHrq9ukLHQ
-CTj9AefZLuZ0sBuFatp8/lEL8bUf2IXOHW00XJEdSVY
--> ssh-ed25519 NCz+gA kj420yScWjDD95LtvEb/62uXVzJU/v0ZSuJ+15MRdS8
-vFZNC94TxoXh1vVjHFPwPIV+nta5rWgdYWTokbBitxE
--> 9-grease %8XR5/t }
-22U6Glc0+L2vlRnrx1Sd1g9b4sfpt/1d0ihfEk5ZQOgEcy45+eNmbHTLQHYzpkFo
-PmIBJrRj07B93Pp1MR4sHmOMtK358D9l1LSURdWQtmtcocOoKdQWmPq+IQ
---- 1F50mU6ZhA2vbJq1Nkae6KWzxGY1DGdPNhlA6S3r2GM
-—F<EFBFBD>ŁśMŃ®ćťL~š†:5vÖ3ß<>d?	ő¬l~˝Š:_€Ő„ZůDřÔJÝR„Ő+Ź"
+-> X25519 FrE3cLVPZshP6+VgS5aRSggS/3XEjLZW2/yCcxQT6z0
+xlPC1bF0NqiDVEk/xU+7GPGpwbTPZk+iSZ4QvvJzCcU
+-> ssh-ed25519 NCz+gA Ag6jD9h0FTR+jVR2K3wpQgGqyLJzQZyNvU2+AJPz+Xc
+3QJhYsIl23/ve++5r9X/a2YUPSUgIBHJ8srPmeSnpKw
+-> BaPA]-grease A\OcT5|
+L4Nk5eiaKq72ELBFQemUGlXJXpmUt5aN++g9ljz+DBG8XL3bQ9RbPMhbEy/gzKf6
+8WbY
+--- hVjNjD1o1TI5B+CZqTdcoHjx3rRJCgrd4f13Vbhazmw
+Řľt,AýĬ[w3¬LŘ’śbÎ`´4Ţ?¬”6 üЬś‚ޮժş„1qźÍ?.'K¤jú€če¦idĹUëŤ˙÷¤ád¬<64><C2AC>“Ňf÷éeJJ=·«ĂpĹ—‰?oá ú