feat(firefox): only set all profiles for steveej; nix fmt

feat(secret): prune and add age key as recipient
feat(elias-e525): bump to 25.05
2025-06-05 16:52:10 +02:00 · 2025-06-05 11:49:56 +02:00 · 2025-06-04 22:13:48 +02:00 · 2025-05-28 22:12:21 +02:00 · 2025-05-28 21:18:03 +02:00 · 2025-05-28 21:17:22 +02:00
303 changed files with 16622 additions and 5297 deletions
--- a/.envrc
+++ b/.envrc
@ -1 +1,5 @@
-eval "$(lorri direnv)"
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
 fi
 use flake .#develop
--- a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
+++ b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,10 @@
 *.qcow2
 .*.log
 .env
 **/result
 .direnv/
 # nixago: ignore-linked-files
 /treefmt.toml
 /debug-logs
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,10 +0,0 @@
 stages:
  - build
 build:
  stage: build
  tags:
    - nix
  script:
    # Test the nix-shell
    - just run-with-channels 'nix-shell --run "echo OK"'
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,129 @@
 # This example uses YAML anchors which allows reuse of multiple keys
 # without having to repeat yourself.
 # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
 # for a more complex example.
 # use `ssh-keyscan <IP> | ssh-to-age` to get the age key for a remote machine
 # use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating
 keys:
  - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
  - &steveej-age age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g
  - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
  - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
  - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
  - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
  - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
  - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
  - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
  - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
 creation_rules:
  - path_regex: ^(.+/|)secrets/[^/]+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *steveej-x13s
          - *elias-e525
          - *router0-dmz0
          - *sj-srv1
          - *hstk0
          - *router0-ifog
          - *router0-hosthatch
  - path_regex: ^secrets/steveej-t14/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *steveej-t14
  - path_regex: ^secrets/desktop/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *steveej-t14
          - *steveej-x13s
  - path_regex: ^secrets/servers/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *sj-srv1
  - path_regex: ^nix/os/containers/.+_secrets.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *sj-srv1
  - path_regex: ^secrets/holochain-infra/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
  - path_regex: ^secrets/router0-dmz0/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *router0-dmz0
  - path_regex: ^secrets/router0-ifog/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *router0-ifog
  - path_regex: ^secrets/router0-hosthatch/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *router0-hosthatch
  - path_regex: ^secrets/sj-vps-htz0/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *sj-vps-htz0
  - path_regex: ^secrets/sj-srv1/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *sj-srv1
  - path_regex: ^secrets/hstk0/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *hstk0
  - path_regex: ^secrets/steveej-x13s/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *steveej-x13s
  - path_regex: ^secrets/work-holo/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-age
          - *steveej-x13s
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,20 @@
 {
  "editor.defaultFormatter": "ibecker.treefmt-vscode",
  "editor.formatOnSave": true,
  "nix.enableLanguageServer": true,
  "nix.serverPath": "nil",
  "nix.serverSettings": {
    // settings for 'nil' LSP
    "nil": {
      "autoArchive": true,
      "diagnostics": {
        "ignored": ["unused_binding", "unused_with"]
      },
      "formatting": {
        "command": ["treefmt", "--stdin", ".nil.nix"]
      }
    }
  },
  "treefmt.command": "treefmt",
  "treefmt.config": ""
 }
--- a/484
+++ b/484
@ -1,317 +1,321 @@
-_DEFAULT_VERSION_TMPL:
+# _DEFAULT_VERSION_TMPL:
-	echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"
+# 	echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"
 _DEFAULT_VERSION:
 	echo "{{invocation_directory()}}/nix/variables/versions.nix"
 _usage:
-	just -l
+    just -l
 # Re-render the default versions
 update-default-versions:
-	#!/usr/bin/env bash
+    nix flake update
 	template="$(just _DEFAULT_VERSION_TMPL)"
 	outfile="$(just _DEFAULT_VERSION)"
 	esh -o ${outfile} ${template}
 _get_nix_path versionsPath:
-	echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath  {{versionsPath}})
+    echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath  {{ versionsPath }})
 _device recipe dir +moreargs="":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -ex
+    set -ex
-	source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix)
+    unset NIX_PATH
-	$(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}})
+    source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix)
    $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }})
 _render_templates:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -ex
+    set -ex
-	if ! ip route get 1.1.1.1; then
+    if ! ip route get 1.1.1.1; then
-		echo No route to WAN. Skipping template rendering...
+    	echo No route to WAN. Skipping template rendering...
-	else
+    else
-		source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
+    	source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)
-		nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
+    	# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
-	fi
+    fi
-_rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates
+rebuild-remote-device device +rebuildargs="dry-activate":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -ex
+    set -ex
-	just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}}
+    nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }}
 rebuild-remote-device device target rebuildarg="dry-activate" :
 	#!/usr/bin/env bash
 	set -ex
 	just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'"
 # Rebuild this device's NixOS
-rebuild-this-device rebuildarg="dry-activate":
+rebuild-this-device +rebuildargs="dry-activate":
-	#!/usr/bin/env bash
+    nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }}
 	set -e
 	function parse_hm_rebuildarg() {
 		case $1 in
 			switch)
 				echo switch
 				;;
 			*)
 				echo build
 				;;
 		esac
 	}
 	export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
 	export HOMEREBUILD_LOG=.$(hostname -s)_homerebuild.log
 	echo Rebuilding system in {{rebuildarg}}-mode...
 	if just -v _rebuild-device nix/os/devices/$(hostname -s) {{rebuildarg}} > ${SYSREBUILD_LOG} 2>&1 ; then
 		echo System rebuild successful
 	else
 		cat ${SYSREBUILD_LOG}
 		echo ERROR: system rebuild failed
 		exit 1
 	fi
 	if type home-manager > /dev/null 2>&1; then
 		echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode...
 		source $(just -v _get_nix_path {{invocation_directory()}}/nix/os/devices/$(hostname -s)/versions.nix)
 		if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then
 			echo Home rebuild successful
 		else
 			cat ${HOMEREBUILD_LOG}
 			echo ERROR: home rebuild failed
 			exit 1
 		fi
 	fi
 # Re-render the versions of a remote device and rebuild its environment
-update-remote-device device target rebuildmode='switch':
+update-remote-device devicename +rebuildargs='build':
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	template=nix/os/devices/{{device}}/versions.tmpl.nix
+    (
-	outfile=nix/os/devices/{{device}}/versions.nix
+    	set -xe
-	
+    	cd nix/os/devices/{{ devicename }}
-	if ! test -e ${template}; then
+    	nix flake update
-		template="$(just _DEFAULT_VERSION_TMPL)"
+    )
 	fi
-	esh -o ${outfile} ${template}
+    just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }}
 	if ! test "$(git diff ${outfile})"; then
 		echo Already on latest versions
 		exit 0
 	fi
-	just -v rebuild-remote-device {{device}} {{target}} dry-activate || {
+    git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions"
 		echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile}
 		exit 1
 	}
 	just -v rebuild-remote-device {{ device }} {{ target }} {{ rebuildmode }} || {
 		echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile}
 		exit 1
 	}
 	git commit -v ${outfile} -m "nix/os/devices/{{ device }}: bump versions"
 # Re-render the versions of the current device and rebuild its environment
-update-this-device rebuild-mode='switch':
+update-this-device rebuild-mode='switch' +moreargs='':
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	template=nix/os/devices/$(hostname -s)/versions.tmpl.nix
+    (
-	outfile=nix/os/devices/$(hostname -s)/versions.nix
+    	set -xe
    	cd nix/os/devices/$(hostname -s)
    	nix flake update
    )
-	if ! test -e ${template}; then
+    just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }}
 		template="$(just _DEFAULT_VERSION_TMPL)"
 	fi
-	esh -o ${outfile} ${template}
+    git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"
 	if ! test "$(git diff ${outfile})"; then
 		echo Already on latest versions
 		exit 0
 	fi
 	export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
 	just -v rebuild-this-device dry-activate || {
 		echo ERROR: Update failed, reverting ${outfile}...
 		exit 1
 	}
 	just -v rebuild-this-device {{rebuild-mode}} || {
 		echo ERROR: Rebuilding in {{rebuild-mode}}-mode failed
 		exit 1
 	}
 	git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions"
 # Rebuild an offline system
 rebuild-disk device:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -xe
+    set -xe
-	just -v disk-mount {{device}}
+    just -v disk-mount {{ device }}
-	trap "set +e; just -v disk-umount {{device}}" EXIT
+    trap "set +e; just -v disk-umount {{ device }}" EXIT
-	just -v disk-install {{device}}
+    just -v disk-install {{ device }}
 # Re-render the versions of the given offline system and reinstall it in offline-mode
 update-disk dir:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -exuo pipefail
+    set -exuo pipefail
-	dir={{dir}}
+    dir={{ dir }}
-	template={{dir}}/versions.tmpl.nix
+    template={{ dir }}/versions.tmpl.nix
-	outfile={{dir}}/versions.nix
+    outfile={{ dir }}/versions.nix
-	if ! test -e ${template}; then
+    if ! test -e ${template}; then
-		template="$(just _DEFAULT_VERSION_TMPL)"
+    	template="$(just _DEFAULT_VERSION_TMPL)"
-	fi
+    fi
-	esh -o ${outfile} ${template}
+    esh -o ${outfile} ${template}
-	if ! test "$(git diff ${outfile})"; then
+    if ! test "$(git diff ${outfile})"; then
-		echo Already on latest versions
+    	echo Already on latest versions
-		exit 0
+    	exit 0
-	fi
+    fi
-	export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log
+    export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log
-	just -v rebuild-disk {{dir}} || {
+    just -v rebuild-disk {{ dir }} || {
-		echo ERROR: Update of {{dir}} failed, reverting ${outfile}...
+    	echo ERROR: Update of {{ dir }} failed, reverting ${outfile}...
-		exit 1
+    	exit 1
-	}
+    }
-	git commit -v ${outfile} -m "${dir}: bump versions"
+    git commit -v ${outfile} -m "${dir}: bump versions"
 # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)
 hm-iterate-qtile:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -xe
+    set -xe
-	home-manager switch || just -v rebuild-this-device switch
+    home-manager switch || just -v rebuild-this-device switch
-	Xephyr -ac -br -resizeable :1 &
+    Xephyr -ac -br -resizeable :1 &
-	XEPHYR_PID=$!
+    XEPHYR_PID=$!
-	echo ${XEPHYR_PID}
+    echo ${XEPHYR_PID}
-	DISPLAY=:1 $(grep qtile ~/.xsession) &
+    DISPLAY=:1 $(grep qtile ~/.xsession) &
-	echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
+    echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
-	wait $!
+    wait $!
-	kill ${XEPHYR_PID}
+    kill ${XEPHYR_PID}
 # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device.
 disk-prepare dir:
-	just -v _device diskPrepare {{dir}} --argstr rebuildarg "dummy"
+    just -v _device diskPrepare {{ dir }}
 disk-relabel dir previous:
-	just -v _device diskRelabel {{dir}} --argstr rebuildarg "dummy" --argstr previousDiskId {{previous}}
+    just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }}
 # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
 disk-mount dir:
-	just -v _device diskMount {{dir}} --argstr rebuildarg "dummy"
+    just -v _device diskMount {{ dir }}
 # Unmount target disk, specified by device configuration directory
 disk-umount dir:
-	just -v _device diskUmount {{dir}} --argstr rebuildarg "dummy"
+    just -v _device diskUmount {{ dir }}
 # Perform an offline installation on the mounted target disk, specified by device configuration directory
 disk-install dir: _render_templates
-	just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy"
+    just -v _device diskInstall {{ dir }}
 verify-n-unlock sshserver attempts="10":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	: ${VNCSOCK:?VNCSOCK must be set}
+    env \
-	: ${VNCPW:?VNCPW must be set}
+      GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \
      SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \
      VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \
      VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }}  VNCPW)" \
      \
      just _verify-n-unlock {{ sshserver }} {{ attempts }}
-	export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
+_verify-n-unlock sshserver attempts:
-	export TESS_ARGS="-c debug_file=/dev/null --psm 4"
+    #!/usr/bin/env bash
    set -e
    : ${VNCSOCK:?VNCSOCK must be set}
    : ${VNCPW:?VNCPW must be set}
-	function send() {
+    export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
-		local what="${1:?need something to send}"
+    export TESS_ARGS="-c debug_file=/dev/null --psm 4"
 		ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null
 	}
-	function expect() {
+    function send() {
-		local what="${1:?need something to expect}"
+    	local what="${1:?need something to send}"
-		vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
+    	ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null
-		convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
+    }
 		tesseract ${TESS_ARGS} screenshot.tiff screenshot
 		grep --quiet "${what}" screenshot.txt
 	}
-	function send_and_expect() {
+    function expect() {
-		local send="${1:?need something to send}"
+    	local what="${1:?need something to expect}"
-		local expect="${2:?need something to expect}"
+    	vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
-		if ! send "${send}"; then
+    	convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
-			echo warning: cannot send > /dev/stderr
+    	tesseract ${TESS_ARGS} screenshot.tiff screenshot
-			return -1
+    	grep --quiet "${what}" screenshot.txt
-		fi
+    }
 		expect "${expect}"
 	}
-	trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT
+    function send_and_expect() {
    	local send="${1:?need something to send}"
    	local expect="${2:?need something to expect}"
    	if ! send "${send}"; then
    		echo warning: cannot send > /dev/stderr
    		return -1
    	fi
    	expect "${expect}"
    }
-	for i in `seq 1 {{attempts}}`; do
+    trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT
 		echo Attempt $i...
 		expect="$(pwgen -0 12)"
 		send="'\0033\0143'${expect}"
 		if send_and_expect "${send}" "${expect}"; then
 			pipe=$(mktemp -u)
 			mkfifo ${pipe}
 			exec 3<>${pipe}
 			rm ${pipe}
-			echo Verification succeeded at attempt $i. Unlocking remote drive...
+    for i in `seq 1 {{ attempts }}`; do
-			ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null &
+    	echo Attempt $i...
-			eval ${GETPW} | head -n1 >&3
+    	expect="$(pwgen -0 12)"
    	send="'\0033\0143'${expect}"
    	if send_and_expect "${send}" "${expect}"; then
    		pipe=$(mktemp -u)
    		mkfifo ${pipe}
    		exec 3<>${pipe}
    		rm ${pipe}
-			for j in `seq 1 120`; do
+    		echo Verification succeeded at attempt $i. Unlocking remote drive...
-				sleep 0.5
+    		ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null &
-				if expect '— success'; then
+    		eval ${GETPW} | head -n1 >&3
 					echo Unlock successful.
 					exit 0
 				fi
 			done
-			echo Unlock failed...
+    		for j in `seq 1 120`; do
-			exit 1
+    			sleep 0.5
-		fi
+    			if expect '— success'; then
-	done
+    				echo Unlock successful.
-	echo Verification failed {{attempts}} times. Giving up...
+    				exit 0
-	exit 1
+    			fi
    		done
    		echo Unlock failed...
    		exit 1
    	fi
    done
    echo Verification failed {{ attempts }} times. Giving up...
    exit 1
 _get_pass_entry path key:
-	pass show {{path}}| grep -E "^{{key}}:" | awk '{ print $2 }'
+    pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g'
 	# jq -sR 'split("\n") | map(split(":"))' <(pass show Infrastructure/VPS/CFB4ED74 | grep -E "^[A-Za-z_]+:")
 run-with-channels +cmds:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
+    source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)
-	{{cmds}}
+    {{ cmds }}
 install-config config root:
-	sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd
+    sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd
 # Switch between gpg-card capable devices which have a copy of the same key
-switch-gpg-card:
+switch-gpg-card key-id="6EEFA706CB17E89B":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	#
+    #
-	# Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
+    # Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
-	#
+    #
-	# Connect the new device and then run this script to make it known to gnupg.
+    # Connect the new device and then run this script to make it known to gnupg.
-	#
+    #
-	set -xe
+    set -xe
-	KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
+    if [[ -n "{{ key-id }}" ]]; then
        KEY_ID="{{ key-id }}"
    else
        KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
    fi
-	# export pubkey and ownertrust
+    # export pubkey and ownertrust
-	gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
+    gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
-	# if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
+    # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
-	gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust
+    gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust
-	# delete the key
+    # delete the key
-	gpg --yes --delete-secret-and-public-keys "${KEY_ID}"
+    gpg --yes --delete-secret-and-public-keys "${KEY_ID}"
-	# import pubkey and ownertrust back and cleanup
+    # import pubkey and ownertrust back and cleanup
-	gpg2 --import "${KEY_ID}".pubkey
+    gpg2 --import "${KEY_ID}".pubkey
-	gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
+    gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
-	rm "${KEY_ID}".{pubkey,ownertrust}
+    rm "${KEY_ID}".{pubkey,ownertrust}
-	# refresh the gpg agent
+    # refresh the gpg agent
-	gpg-connect-agent "scd serialno" "learn --force" /bye
+    gpg-connect-agent "scd serialno" "learn --force" /bye
-	gpg --card-status
+    gpg --card-status
 # Connect to `remote` UUID, and turn it into a short name
 uuid-to-device-name remote:
    #!/usr/bin/env bash
    set -e -o pipefail
    ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}'
 test-connection:
    #! /usr/bin/env nix-shell
    #! nix-shell -p curl zsh
    #! nix-shell -i zsh
    #! nix-shell --pure
    while true; do
      FAILURE="false"
      output=$(
    	echo "$(date)\n---"
    	for url in \
    		"https://172.16.0.1:65443/0.7/gui/#/login/" \
    		"https://192.168.0.1" \
    		"http://172.172.171.9" \
    		"https://172.172.171.10:65443" \
    		"https://172.172.171.11:65443" \
    		"https://172.172.171.13:443" \
    		"https://172.172.171.14:443" \
    		"http://172.172.171.15:22" \
    		"http://172.172.171.16:22" \
    		"https://crates.io" \
    		"https://holo.host" \
    		; \
    	do
    	  print "trying ${url}": $(
    		curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1)
    		# if [ $? -ne 0 ]; then
    		if [[ "$curl_output" == *timeout* ]]; then
    		  echo failure: $(echo ${curl_output} | tail -n1)
    		  # BUG: outer FAILURE is not set by this
    		  FAILURE="true"
    		else
    		  echo success
    		fi
    	  )
    	done
      )
      clear
      echo ${output}
      if [[ ${FAILURE} == "true" ]]; then
    	echo something failed
    	tracepath -m5 -n1 172.16.0.1
    	tracepath -m5 -n1 192.168.0.1
      fi
      sleep 5
    done
 cachix-use name:
    nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/
 update-sops-keys:
    for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done
 deploy-router0-dmz0:
    NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1
 ttyusb:
    screen -fa /dev/ttyUSB0 115200
--- a/README.md
+++ b/README.md
@ -1,4 +1,5 @@
 # steveej's infra
 This repository helps me to manage all computer infrastructure.
 This is mostly achieved with the help of [Nix](https://nixos.org).
@ -19,7 +20,7 @@ In the unlikely case that you actually read this and have any questions please d
  - [ ] development environments
 - [x] (Semi-) automatic synchronization of important repositories
  - [x] Modification strategy
-      The approach is to use vcsh for the dotfiles
+        The approach is to use vcsh for the dotfiles
  - [x] dotfiles
 - [x] Toplevel Justfile for simple actions
  - [x] mount/umount disks
@ -29,19 +30,56 @@ In the unlikely case that you actually read this and have any questions please d
  - [x] annotate recipes with some documentation
  - [x] declare shell.nix with runtime deps
  - [x] partition/encrypt/format disks
- [ ] Document bootstrap process
+- [x] Maybe make this a nix-overlay
 - [x] refactor as a nix flake and adopt an existing framework
  - [x] devShell version
  - [x] ~~version templating~~ obsolete due to the usage of flakes
  - [x] elias-e525
  - [x] steveej-t14
  - [x] contabo vps
  - [x] sj-pve0
 - [x] use an existing secret management framework
 - [x] adapt (or abandon?) _just_ recipes
  - [x] `rebuild-this-device`
  - [x] `update-this-device`
  - [x] `rebuild-remote-device`
  - [x] `update-remote-device`
  evaluate, and understand a path to using these tools in a pull-based fashion:
  - [x] [colmena](https://github.com/zhaofengli/colmena)
    - bootstrapping: https://github.com/zhaofengli/colmena/issues/68
  - [ ] deploy-rs
 - [x] 🚧 find a better alternative for the qtile-desktop
      current issues:
  - floating windows often get lost in the background
  - plugging in-/out- screen crashes the desktop
  evaluate:
  - [x] ~~🚧 gnome3 + pop-shell~~
  - [x] ~~leftwm + eww (+ wayland?)~~
 - [ ] (Re-)document bootstrap process
  - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
  - [ ] a new machine
  - [ ] an install media
 - [ ] Design disaster recovery
 - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle *\_archived*
+- [ ] Recycle _\_archived_
- [x] Maybe make this a nix-overlay
+- [ ] container migrations
  - [ ] ensure DDNS is updated _before_ the containers are started
 ## Bugs
 - [ ] home-manager leaves ~/.gnupg at 0755
 ## Usage
-*(These are reminders for my future self)*
+
 _(These are reminders for my future self)_
 ```
 just --list
@ -50,9 +88,37 @@ just --list
 ## Bootstrap
 ### A new machine
 * ensure the dotfiles repo has a branch with the new machine's hostname
-* boot with an install media and go through setup
+- ensure the dotfiles repo has a branch with the new machine's hostname
 - boot with an install media and go through setup
 #### Post-Install Setup
-* `gpg2 --edit-card; fetch`
+
 - `chmod --recursive g-rwx,o-rwx ~/.gnupg`
 - `gpg2 --edit-card; fetch`
 - clone password-manager and infra repositories
 - gpg2: ultimately trust my own key
 ## Swapping out a disk
 1. offline-bitwise copy of drive
 2. disconnect remove the previous drive
 3. replace the driveId in the device's hw.nix
 4. run the `just disk-relabel nix/os/devices/<deviceName> <prevDiskId>` command to rename the filesystem and volume group
 ## Rebuilding an offline system
 ```
 (
 sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot
 sleep 5
 sudo mkdir -p /mnt/root
 sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos
 sudo mount /dev/sdb2 /mnt/root/boot
 sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home
 sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password
 )
 ```
--- a/_archive/environments/dev/cross.nix
+++ b/_archive/environments/dev/cross.nix
@ -1,89 +0,0 @@
 import /home/steveej/src/github/NixOS/nixpkgs/default.nix {
  crossSystem = rec {
    config = "armv7l-unknown-linux-gnueabi";  
    bigEndian = false;
    arch = "arm";
    float = "hard";
    fpu = "vfpv3-d16";
    withTLS = true;
    libc = "glibc";
    platform = {
      name = "armv7l-hf-multiplatform";
      gcc = {
        arch = "armv7-a";
        fpu = "neon";
        float = "hard";
      };
      kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
      kernelHeadersBaseConfig = "multi_v7_defconfig";
      kernelBaseConfig = "multi_v7_defconfig";
      kernelArch = "arm";
      kernelDTB = true;
      kernelAutoModules = false;
      kernelExtraConfig = ''
         NAMESPACES y
           BTRFS_FS y
           BTRFS_FS_POSIX_ACL y
           OVERLAY_FS y
           FUSE_FS y
        '';
      kernelTarget = "zImage";
      uboot = null;
    };
    openssl.system = "linux-generic32";
    gcc = {
      arch = "armv7-a";
      fpu = "neon";
      float = "hard";
    };
  };
 }
 #  pkgs.config = {
 #    packageOverrides = super: let self = super.pkgs; in {
 #      linux_4_0 = super.linux_3_18.override {
 #        kernelPatches = super.linux_3_18.kernelPatches ++ [
 #          # we'll also add one of our own patches
 #          { patch = ./dts.patch; name = "dts-fix"; }
 #        ];
 #   
 #        # add "CONFIG_PPP_FILTER y" option to the set of kernel options
 #        extraConfig = ''
 #           HAVE_IMX_ANATOP y
 #           HAVE_IMX_GPC y
 #           HAVE_IMX_MMDC y
 #           HAVE_IMX_SRC y
 #           SOC_IMX6 y
 #           SOC_IMX6Q y
 #           SOC_IMX6SL y
 #           PCI_IMX6 y
 #           ARM_IMX6Q_CPUFREQ y
 #           IMX_WEIM y
 #           AHCI_IMX y
 #           SERIAL_IMX y
 #           SERIAL_IMX_CONSOLE y
 #           I2C_IMX y
 #           SPI_IMX y
 #           PINCTRL_IMX y
 #           PINCTRL_IMX6Q y
 #           PINCTRL_IMX6SL y
 #           POWER_RESET_IMX y
 #           IMX_THERMAL y
 #           IMX2_WDT y
 #           IMX_IPUV3_CORE y
 #           DRM_IMX y
 #           DRM_IMX_FB_HELPER y
 #           DRM_IMX_PARALLEL_DISPLAY y
 #           DRM_IMX_TVE y
 #           DRM_IMX_LDB y
 #           DRM_IMX_IPUV3 y
 #           DRM_IMX_HDMI y
 #           MMC_SDHCI_ESDHC_IMX y
 #           IMX_SDMA y
 #           PWM_IMX y
 #           DEBUG_IMX6Q_UART y
 #
 #           PPP_FILTER y
 #        '';
 #      };
 #    };
 #  };
--- a/_archive/environments/dev/go/default.nix
+++ b/_archive/environments/dev/go/default.nix
@ -1,89 +0,0 @@
 { gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}
 , pkgs ? gitpkgs
 , name ? "generic"
 , version
 , extraBuildInputs ? []
 , extraShellHook ? ""
 }:
 let
  go = builtins.getAttr "go_${version}" pkgs;
  commonVimRC = ''
    let g:tagbar_type_go = {
      \ 'ctagstype' : 'go',
      \ 'kinds'     : [
          \ 'p:package',
          \ 'i:imports:1',
          \ 'c:constants',
          \ 'v:variables',
          \ 't:types',
          \ 'n:interfaces',
          \ 'w:fields',
          \ 'e:embedded',
          \ 'm:methods',
          \ 'r:constructor',
          \ 'f:functions'
      \ ],
      \ 'sro' : '.',
      \ 'kind2scope' : {
          \ 't' : 'ctype',
          \ 'n' : 'ntype'
      \ },
      \ 'scope2kind' : {
          \ 'ctype' : 't',
          \ 'ntype' : 'n'
      \ },
      \ 'ctagsbin'  : 'gotags',
      \ 'ctagsargs' : '-sort -silent'
      \ }
    " vim-go {
    let g:go_highlight_functions = 1
    let g:go_highlight_methods = 1
    let g:go_highlight_structs = 1
    let g:go_highlight_interfaces = 1
    let g:go_highlight_operators = 1
    let g:go_highlight_build_constraints = 1
    let g:go_fmt_command = 'gofmt'
    let g:go_fmt_options= '-s'
    let g:go_def_mode = 'godef'
    let g:go_def_reuse_buffer = 0
    au FileType go nmap <Leader>gds <Plug>(go-def-split)
    au FileType go nmap <Leader>gdv <Plug>(go-def-vertical)
    au FileType go nmap <Leader>gdt <Plug>(go-def-tab)
    au FileType go nmap <Leader>gi <Plug>(go-imports)
    " }
  '';
  buildInputs = with pkgs; [
      glibc.out
      glibc.static
      go
      gotools
      #gotools.bin
      #gocode.bin
      #godef godef.bin
      godep
      #godep.bin
      gox.bin
      #ginkgo ginkgo.bin
      #gomega
 #      ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
 #      ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
  ];
 in pkgs.stdenv.mkDerivation {
  inherit name;
  buildInputs = extraBuildInputs ++ buildInputs;
  shellHook = ''
    goname=${go.version}_$name
    # FIXME: setPS1 $goname
    export GOROOT=${go}/share/go
    export GOPATH="$HOME/.gopath_$goname"
    export PATH="$HOME/.gopath_$goname/bin:$PATH"
    unset name
    unset SSL_CERT_FILE
    ${extraShellHook}
  '';
 }
--- a/_archive/environments/dev/go/neovim-go.nix
+++ b/_archive/environments/dev/go/neovim-go.nix
@ -1,15 +0,0 @@
 { commonRC, ... } @ args :
 (import ../../pkg-configuration/vim-derivates/neovim.nix args // {
  additionalRC = commonRC + ''
    " deoplete {
    let g:deoplete#enable_at_startup = 1
    let g:deoplete#enable_smart_case = 1
    " }
  '';
  additionalPlugins = [
    "deoplete-go"
    "deoplete-nvim"
    "vim-go"
  ];
 })
--- a/_archive/environments/dev/pandoc.nix
+++ b/_archive/environments/dev/pandoc.nix
@ -1,26 +0,0 @@
 { gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}
 , pkgs ? gitpkgs
 , name ? "generic"
 , version ? "Stable"
 , extraBuildInputs ? []
 }: 
 let 
  commonVimRC = ''
  '';
 in pkgs.stdenv.mkDerivation {
  inherit name;
  buildInputs = with pkgs; [
    ( import ./vim-pandoc.nix { pkgs=gitpkgs; commonRC=commonVimRC; })
    pandoc
    texlive.combined.scheme-medium
    python27Packages.pandocfilters
    python27Packages.htmltreediff
    python27Packages.html5lib
    python27Packages.dbus-python
  ] ++ extraBuildInputs;
  shellHook = ''
    pandocname=pandoc_${pkgs.pandoc.version}
    setPS1 $pandocname
    unset name
  '';
 }
--- a/_archive/environments/dev/rkt.nix
+++ b/_archive/environments/dev/rkt.nix
@ -1,72 +0,0 @@
 {
 pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
 mkGoEnv ? import ./go.nix,
 rktPath,
 }:
 let 
  rktBasebuildInputs = with pkgs; [
    glibc.out
    glibc.static
    autoreconfHook
    gnupg1
    squashfsTools
    cpio
    tree
    intltool
    libtool
    pkgconfig
    libgcrypt
    gperf
    libcap
    libseccomp
    libzip
    eject
    iptables
    bc
    acl
    trousers
    systemd
  ];
  extraShellHook = ''
    TARGET=$GOPATH/src/github.com/coreos/rkt
    if [[ -e ${rktPath}/rkt/rkt.go ]]; then
      pushd ${rktPath}
    else 
      echo rktPath must be run the rkt repository clone, but got '${rktPath}'
      exit 1
    fi
    if ! [[ -e $TARGET/rkt/rkt.go ]]; then
      mkdir -p $TARGET
      echo $PWD
      sudo -E mount -o bind $PWD $TARGET
    fi
    pushd $TARGET
  '';
 in {
  go15 = mkGoEnv {
    inherit pkgs;
    name = "rktGo15";
    version = "1_5";
    extraBuildInputs = rktBasebuildInputs;
    inherit extraShellHook;
  };
  go16 = mkGoEnv {
    inherit pkgs;
    name = "rktGo16";
    version = "1_6";
    extraBuildInputs = rktBasebuildInputs;
    inherit extraShellHook;
  };
  go17 = mkGoEnv {
    inherit pkgs;
    name = "rktGo17";
    version = "1_7";
    extraBuildInputs = rktBasebuildInputs;
    inherit extraShellHook;
  };
 }
--- a/_archive/environments/dev/rust/.envrc
+++ b/_archive/environments/dev/rust/.envrc
@ -1 +0,0 @@
 eval "$(lorri direnv)"
--- a/_archive/environments/dev/rust/default.nix
+++ b/_archive/environments/dev/rust/default.nix
@ -1,32 +0,0 @@
 { gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}
 , pkgs ? gitpkgs
 , name ? "generic"
 , version ? "Stable"
 , extraBuildInputs ? []
 }: 
 let 
  rustPackages = builtins.getAttr "rust${version}" pkgs;
  rustc = rustPackages.rustc;
  rustShellHook = { rustc, name }: ''
    rustname=rust_${rustc.version}_${name}
    setPS1 $rustname
    unset name
  '';
  commonVimRC = ''
  '';
 in pkgs.stdenv.mkDerivation {
  inherit name;
  buildInputs = with rustPackages;[
    ( import ./vim-rust.nix { pkgs=gitpkgs; commonRC=commonVimRC;
        inherit rustc;
        racerd=pkgs.rustracerd;
    })
    rustc cargo
  ] ++ [
    pkgs.rustfmt
  ] ++ extraBuildInputs;
  shellHook = (rustShellHook){
    inherit name;
    inherit rustc;
  };
 }
--- a/_archive/environments/dev/vim-go.nix
+++ b/_archive/environments/dev/vim-go.nix
@ -1,20 +0,0 @@
 { commonRC, ... } @ args :
 import ../../pkg-configuration/vim-derivates/vim.nix (args // {
  name = "vim-for-go";
  additionalRC = commonRC + ''
 	  " Disable AutoComplPop.
 	  let g:acp_enableAtStartup = 0
 	  " Use neocomplete.
 	  let g:neocomplete#enable_at_startup = 1
 	  " Use smartcase.
 	  let g:neocomplete#enable_smart_case = 1
      if !exists('g:neocomplete#sources#omni#input_patterns')
 		let g:neocomplete#sources#omni#input_patterns = {}
 	  endif
 '';
 additionalPlugins = [
   "neocomplete"
   "vim-go"
 ];
 })
--- a/_archive/environments/dev/vim-pandoc.nix
+++ b/_archive/environments/dev/vim-pandoc.nix
@ -1,22 +0,0 @@
 { commonRC
 ,
 ... } @ args :
 import ../../pkg-configuration/vim-derivates/vim.nix (args // {
  name = "vim-for-pandoc";
  additionalRC = commonRC + ''
    set statusline+=%#warningmsg#
    set statusline+=%{SyntasticStatuslineFlag()}
    set statusline+=%*
    let g:syntastic_always_populate_loc_list = 1
    let g:syntastic_auto_loc_list = 1
    let g:syntastic_check_on_open = 1
    let g:syntastic_check_on_wq = 0
 '';
 additionalPlugins = [
    "vim-pandoc"
    "vim-pandoc-syntax"
    "vimpreviewpandoc"
 ];
 })
--- a/_archive/environments/dev/vim-rust.nix
+++ b/_archive/environments/dev/vim-rust.nix
@ -1,46 +0,0 @@
 { commonRC
 , rustc
 , racerd,
 ... } @ args :
 import ../../pkg-configuration/vim-derivates/vim.nix (args // {
  name = "vim-for-rust";
  additionalRC = commonRC + ''
    set statusline+=%#warningmsg#
    set statusline+=%{SyntasticStatuslineFlag()}
    set statusline+=%*
    let g:syntastic_always_populate_loc_list = 1
    let g:syntastic_auto_loc_list = 1
    let g:syntastic_check_on_open = 1
    let g:syntastic_check_on_wq = 0
    " tagbar
    let g:tagbar_type_rust = {
        \ 'ctagstype' : 'rust',
        \ 'kinds' : [
            \'T:types,type definitions',
            \'f:functions,function definitions',
            \'g:enum,enumeration names',
            \'s:structure names',
            \'m:modules,module names',
            \'c:consts,static constants',
            \'t:traits,traits',
            \'i:impls,trait implementations',
        \]
    \}
    let g:syntastic_rust_checkers = ["rustc"]
    "rustfmt
    let g:rustfmt_autosave = 1
    let g:ycm_auto_trigger = 1
    let g:ycm_rust_src_path = '${rustc.src}/src'
    let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd'
 '';
 additionalPlugins = [
   "rust-vim"
 ];
 })
--- a/_archive/environments/fhs/android.nix
+++ b/_archive/environments/fhs/android.nix
@ -1,42 +0,0 @@
 { pkgs ? import <nixpkgs> {} }:                                                                                                                                                
 (pkgs.buildFHSUserEnv {
  name = "devfhs";
  multiPkgs = pkgs: (with pkgs; [
    android-udev-rules
    sudo
    gawk
    bzip2
    file
    gcc
    getopt
    git
    gnumake
    ncurses
    openssl
    patch
    perl
    pkgconfig
    python
    openssh
    subversion
    unzip
    wget
    which
    vim
    zlib
    libusb
    libusb1
    systemd
    strace
    swt
    xorg.libXtst
    glib
    gtk2
    gnome.gtk
  ]);
  profile = ''
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
  '';
  runScript = "bash";
 }).env
--- a/_archive/environments/fhs/vscode.nix
+++ b/_archive/environments/fhs/vscode.nix
@ -1,38 +0,0 @@
 { pkgs ? import <nixpkgs> {} }:
 (pkgs.buildFHSUserEnv {
  name = "everydayFHS";
  targetPkgs = pkgs: (with pkgs;
    [ which
      gitFull
      zsh
      file
      direnv
      xdg_utils
      xsel
      vscode
      # vscode live share
      gnome3.gcr
      libgnome_keyring3
      liburcu
      libunwind
      lttng-ust
      curl
      openssl
      libkrb5
      libuuid
      icu
      zlib
      libsecret
    ]);
  multiPkgs = pkgs: (with pkgs;
    [ 
    ]);
  profile = ''
    export SHELL=/bin/zsh
  '';
  # FIXME runScript = "$SHELL";
 }).env
--- a/_archive/nixos-configuration/common/pkg/neovim.nix
+++ b/_archive/nixos-configuration/common/pkg/neovim.nix
@ -1,10 +0,0 @@
 { config
 , pkgs
 , ... } @ args:
 {
  environment.systemPackages = [
    pkgs.xsel
    (import ../../../pkg-configuration/vim-derivates/neovim.nix args)
  ];
 }
--- a/_archive/nixos-configuration/common/pkg/vim.nix
+++ b/_archive/nixos-configuration/common/pkg/vim.nix
@ -1,9 +0,0 @@
 { pkgs
 , ... } @ args:
 {
  environment.systemPackages = [
    pkgs.xsel
    (import ../../../pkg-configuration/vim-derivates/vim.nix (args // { name = "vim"; }))
  ];
 }
--- a/_archive/nixos-configuration/common/user/steveej.nix
+++ b/_archive/nixos-configuration/common/user/steveej.nix
@ -1,20 +0,0 @@
 { config
 , pkgs
 , ... }:
 let 
  passwords = import ../passwords.crypt.nix;
  keys = import ../keys.nix;
  inherit (import ../lib) mkUser;
 in {
  users.mutableUsers = false;
  users.defaultUserShell = pkgs.zsh;
  users.extraUsers.steveej = mkUser {
    uid = 1000;
    hashedPassword = passwords.users.steveej;
  };
  security.pam.enableU2F = true;
  security.pam.services.steveej.u2fAuth = true;
 }
--- a/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt
+++ b/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt
@ -1,98 +0,0 @@
 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d0:17:d1:86:81:d4:f1:28
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com
        Validity
            Not Before: Nov  2 15:37:13 2018 GMT
            Not After : Jan 17 15:37:13 2038 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:03:39:e3:af:3e:c7:89:bd:d0:07:66:83:18:
                    9c:c0:da:56:e8:bb:37:fe:03:67:94:9a:1c:9d:47:
                    da:6a:a7:6e:56:6d:0a:73:05:79:0e:44:61:71:78:
                    33:33:79:b1:ce:a6:9d:87:d0:01:81:10:d5:e3:21:
                    0f:d0:e9:ef:86:dc:13:34:62:42:47:81:f6:ce:d8:
                    78:de:00:0c:a6:5d:25:d8:cc:72:6a:c4:7c:e1:5b:
                    84:2b:e2:3c:b6:51:7e:8e:e6:e1:55:7d:b4:c8:e7:
                    98:76:eb:20:15:48:6f:2e:91:ca:b7:17:d4:d9:76:
                    5b:40:1c:7e:4c:0b:6f:2c:63:fa:78:c5:8b:b5:36:
                    b6:01:d9:da:58:a9:06:76:32:18:ca:b2:7c:2d:aa:
                    4f:4e:f5:67:30:4c:a6:a3:e3:ef:7c:1d:d3:67:de:
                    da:a5:b9:57:0d:74:01:c3:24:a9:03:61:98:91:c2:
                    1f:1d:a4:36:d2:a6:f4:95:6f:01:6a:99:41:ea:f0:
                    8c:7a:7d:a0:0d:34:93:a3:80:cb:19:fb:1a:e1:c4:
                    0b:60:5c:8d:33:ea:90:ed:98:d2:2a:06:6e:a2:02:
                    1f:f8:2c:1e:d4:d0:d4:8f:93:8d:c9:fe:21:39:6a:
                    5b:7b:60:5d:2a:9c:1e:3f:51:31:b1:be:56:28:cb:
                    4d:cd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type: 
                SSL Server, SSL CA
            Netscape Comment: 
                Katello SSL Tool Generated Certificate
            X509v3 Subject Key Identifier: 
                72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF
            X509v3 Authority Key Identifier: 
                keyid:72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF
                DirName:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=sat-r220-02.lab.eng.rdu2.redhat.com
                serial:D0:17:D1:86:81:D4:F1:28
    Signature Algorithm: sha256WithRSAEncryption
         70:fe:c6:9f:1a:62:e8:b0:a6:25:df:e8:51:6c:e9:08:48:00:
         72:2b:d8:a2:95:6e:57:01:8e:2a:9c:a0:14:f8:c9:8a:e3:5d:
         48:64:f9:0f:81:e7:3e:b1:c2:cb:a0:ec:55:d6:e4:7f:c0:46:
         7b:bc:66:15:88:61:73:3b:ea:9e:ea:cb:32:79:35:bc:dc:eb:
         6f:d8:d0:89:c2:ae:fd:02:43:cd:e0:38:d6:9c:16:d7:6d:bb:
         2c:73:53:3c:82:56:51:d8:96:71:e1:28:49:31:be:fb:ed:23:
         08:e5:8d:eb:48:c7:25:5d:ef:0e:30:22:d3:93:7f:f1:66:b8:
         7f:8f:5c:d2:97:e7:13:0e:5b:06:1d:fd:97:1d:a5:24:93:d9:
         8a:d2:ba:51:00:b3:71:c8:61:da:79:31:64:75:96:d0:b8:d8:
         45:57:24:40:2f:11:d6:63:70:f5:bf:8d:fc:7f:1b:b9:ad:e0:
         16:6a:89:9b:6a:0c:d3:e3:b5:14:b4:5c:36:8a:b0:dd:15:4d:
         4e:77:e9:9b:29:df:e9:e3:27:dc:87:f8:6e:5d:a9:14:42:5c:
         8b:7b:13:9d:8b:c7:7a:4d:6d:52:7e:5f:02:9f:21:15:de:98:
         5d:f5:25:30:d3:fa:b4:34:f3:ff:8d:36:c7:e3:1c:d3:b1:f7:
         b6:7b:ad:40
 -----BEGIN CERTIFICATE-----
 MIIFEDCCA/igAwIBAgIJANAX0YaB1PEoMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD
 VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
 Z2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYD
 VQQDDCNzYXQtcjIyMC0wMi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTAeFw0xODEx
 MDIxNTM3MTNaFw0zODAxMTcxNTM3MTNaMIGOMQswCQYDVQQGEwJVUzEXMBUGA1UE
 CAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVpZ2gxEDAOBgNVBAoMB0th
 dGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYDVQQDDCNzYXQtcjIyMC0w
 Mi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALoDOeOvPseJvdAHZoMYnMDaVui7N/4DZ5SaHJ1H2mqnblZtCnMF
 eQ5EYXF4MzN5sc6mnYfQAYEQ1eMhD9Dp74bcEzRiQkeB9s7YeN4ADKZdJdjMcmrE
 fOFbhCviPLZRfo7m4VV9tMjnmHbrIBVIby6RyrcX1Nl2W0AcfkwLbyxj+njFi7U2
 tgHZ2lipBnYyGMqyfC2qT071ZzBMpqPj73wd02fe2qW5Vw10AcMkqQNhmJHCHx2k
 NtKm9JVvAWqZQerwjHp9oA00k6OAyxn7GuHEC2BcjTPqkO2Y0ioGbqICH/gsHtTQ
 1I+Tjcn+ITlqW3tgXSqcHj9RMbG+VijLTc0CAwEAAaOCAW0wggFpMAwGA1UdEwQF
 MAMBAf8wCwYDVR0PBAQDAgGmMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
 AjARBglghkgBhvhCAQEEBAMCAkQwNQYJYIZIAYb4QgENBCgWJkthdGVsbG8gU1NM
 IFRvb2wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRyzYgGA/5dotCz
 IMc3dAaEqKgT3zCBwwYDVR0jBIG7MIG4gBRyzYgGA/5dotCzIMc3dAaEqKgT36GB
 lKSBkTCBjjELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw
 DgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21l
 T3JnVW5pdDEsMCoGA1UEAwwjc2F0LXIyMjAtMDIubGFiLmVuZy5yZHUyLnJlZGhh
 dC5jb22CCQDQF9GGgdTxKDANBgkqhkiG9w0BAQsFAAOCAQEAcP7Gnxpi6LCmJd/o
 UWzpCEgAcivYopVuVwGOKpygFPjJiuNdSGT5D4HnPrHCy6DsVdbkf8BGe7xmFYhh
 czvqnurLMnk1vNzrb9jQicKu/QJDzeA41pwW1227LHNTPIJWUdiWceEoSTG+++0j
 COWN60jHJV3vDjAi05N/8Wa4f49c0pfnEw5bBh39lx2lJJPZitK6UQCzcchh2nkx
 ZHWW0LjYRVckQC8R1mNw9b+N/H8bua3gFmqJm2oM0+O1FLRcNoqw3RVNTnfpmynf
 6eMn3If4bl2pFEJci3sTnYvHek1tUn5fAp8hFd6YXfUlMNP6tDTz/402x+Mc07H3
 tnutQA==
 -----END CERTIFICATE-----
--- a/default.nix
+++ b/default.nix
@ -4,11 +4,9 @@
 # Having pkgs default to <nixpkgs> is fine though, and it lets you use short
 # commands such as:
 #     nix-build -A mypackage
 { pkgs ? import <nixpkgs> {} }:
 {
-  overlays = import ./nix/overlays;
+  pkgs ? import <nixpkgs> { },
 }:
 {
  pkgs = import ./nix/pkgs { inherit pkgs; };
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,388 @@
 # flake.nix
 {
  inputs = {
    # TODO: where has this been used?
    # dotfiles = {
    #   url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git";
    #   flake = false;
    # };
    # flake and infra basics
    nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
    radicalePkgs.follows = "nixpkgs-2211";
    nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11";
    nixpkgs-2505.url = "github:nixos/nixpkgs/nixos-25.05";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs.follows = "nixpkgs-2505";
    flake-parts.url = "github:hercules-ci/flake-parts";
    get-flake.url = "github:ursi/get-flake";
    srvos.url = "github:numtide/srvos";
    srvos.inputs.nixpkgs.follows = "nixpkgs";
    nixos-anywhere.url = "github:numtide/nixos-anywhere/main";
    nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs";
    disko.follows = "nixos-anywhere/disko";
    nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
    nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
    nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable";
    # needs to be in sync with `vscodium --version` from `nixpkgs-vscodium`
    openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1";
    openvscode-server.flake = false;
    colmena = {
      url = "github:zhaofengli/colmena";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # libraries for building applications
    fenix = {
      url = "github:nix-community/fenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    crane.url = "github:ipetkov/crane";
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # applications
    aphorme_launcher = {
      url = "github:Iaphetes/aphorme_launcher/main";
      flake = false;
    };
    yofi = {
      url = "github:l4l/yofi/master";
      flake = true;
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ofi-pass = {
      url = "github:sereinity/ofi-pass";
      flake = false;
    };
    jay = {
      url = "github:mahkoh/jay";
      flake = false;
    };
    prs = {
      # url = "gitlab:timvisee/prs/v0.5.2";
      url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973";
      flake = false;
    };
    rperf = {
      url = "github:steveej-forks/rperf";
      flake = false;
    };
    # nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage";
    espanso = {
      flake = false;
      url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b";
    };
    nix4vscode = {
      url = "github:nix-community/nix4vscode";
      # inputs.nixpkgs.follows = "nixpkgs";
    };
    nixvim = {
      # TODO: pin to nixos-24.11 once available
      url = "github:nix-community/nixvim";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    treefmt-nix = {
      url = "github:numtide/treefmt-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixago = {
      url = "github:jmgilman/nixago";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nur = {
      url = "github:nix-community/NUR";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson";
  };
  outputs =
    inputs@{
      self,
      flake-parts,
      nixpkgs,
      ...
    }:
    let
      inherit (nixpkgs) lib;
      systems = [
        "x86_64-linux"
        "aarch64-linux"
      ];
    in
    flake-parts.lib.mkFlake { inherit inputs; } (
      { withSystem, ... }:
      {
        flake.colmenaHive = inputs.colmena.lib.makeHive (
          lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
            { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; }
            # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
            # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
            (
              builtins.map
                (
                  nodeName:
                  import ./nix/os/devices/${nodeName} {
                    inherit nodeName;
                    repoFlake = self;
                    repoFlakeWithSystem = withSystem;
                    nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}");
                  }
                )
                [
                  "steveej-t14"
                  "steveej-x13s"
                  "steveej-x13s-rmvbl"
                  "elias-e525"
                  # "justyna-p300"
                  # "srv0-dmz0"
                  # "router0-dmz0"
                  "router0-ifog"
                  "router0-hosthatch"
                  "sj-srv1"
                ]
            )
        );
        flake.lib = {
          inherit withSystem;
          prsFn =
            {
              lib,
              prs,
              skim,
              rustPlatform,
              makeWrapper,
            }:
            prs.overrideAttrs (attrs: rec {
              pname = "prs";
              src = self.inputs.prs;
              version = self.inputs.prs.shortRev;
              nativeBuildInputs = attrs.nativeBuildInputs ++ [
                makeWrapper
              ];
              cargoDeps = rustPlatform.fetchCargoVendor {
                inherit src;
                hash = "sha256-6kCqrwcHFy7cEl2JM+CzTWDM9abepumzdcJLq1ChzUk=";
              };
              postFixup = ''
                wrapProgram $out/bin/prs \
                  --prefix PATH : ${lib.makeBinPath [ skim ]}
              '';
            });
        };
        # this makes nixos-anywhere work
        flake.nixosConfigurations =
          let
            colmenaHiveNodes = self.outputs.colmenaHive.nodes;
            router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations;
          in
          colmenaHiveNodes
          // {
            router0-dmz0 = router0-dmz0.native;
            # for now deploy directly with:
            # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
            router0-dmz0_cross = router0-dmz0.cross;
            steveej-x13s_cross =
              (inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross;
            steveej-x13s-rmvbl_cross =
              (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
          };
        inherit systems;
        perSystem =
          {
            self',
            inputs',
            system,
            config,
            lib,
            pkgs,
            ...
          }:
          {
            imports = [ ./nix/modules/flake-parts/perSystem/default.nix ];
            packages =
              let
                dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { };
                craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain;
                craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain;
                local-xwayland = pkgs.writeShellScriptBin "local-xwayland" ''
                  set -x
                  ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
                    --wayland-display=wayland-3 \
                    --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
                    --x-display=0 \
                    # --x-unscale=3 \
                    --verbose
                '';
              in
              {
                dcpj4110dwDriver = dcpj4110dw.driver;
                dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
                inherit (inputs'.colmena.packages) colmena;
                nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
                ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" ''
                  set -x
                  pkill -9 wayland-proxy-v
                  export NIXOS_OZONE_WL=""
                  ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
                    --wayland-display=wayland-3 \
                    --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
                    --x-display=3 \
                    &
                    # --x-unscale=3 \
                    #--verbose \
                  export PROXYPID="$!"
                  trap "kill -9 \$PROXYPID" EXIT
                  # trap "pkill -9 wayland-proxy-v" EXIT
                  env \
                      WAYLAND_DISPLAY=wayland-3 \
                      DISPLAY=:3 \
                    ledger-live-desktop
                '';
                syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" ''
                  ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
                '';
                rperf = craneLib.buildPackage {
                  src = inputs.rperf;
                  nativeBuildInputs = [ pkgs.pkg-config ];
                  buildInputs = [ ];
                };
                inherit local-xwayland;
                inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp;
              };
            formatter =
              let
                settingsNix = {
                  projectRootFile = ".git/config";
                  package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2;
                  programs = {
                    nixfmt.enable = true;
                    deadnix.enable = true;
                    statix.enable = true;
                    shfmt.enable = true;
                    shellcheck.enable = true;
                    prettier.enable = true;
                    just = {
                      enable = true;
                      includes = [
                        "*/Justfile"
                        "Justfile"
                      ];
                    };
                  } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; };
                  settings = {
                    global.excludes = [
                      "LICENSE"
                      "secrets/"
                      ".git-crypt/"
                      # unsupported extensions
                      "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}"
                    ];
                    formatter = {
                      deadnix = {
                        priority = 1;
                        options = [ "--no-underscore" ];
                      };
                      nixfmt = {
                        priority = 2;
                      };
                      statix = {
                        priority = 3;
                      };
                      prettier = {
                        options = [
                          "--tab-width"
                          "2"
                        ];
                        includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ];
                      };
                    };
                  };
                };
                eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix;
              in
              eval.config.build.wrapper.overrideAttrs (_: {
                passthru = {
                  inherit (eval.config) package settings;
                };
              });
            devShells =
              let
                all = import ./nix/devShells.nix {
                  inherit
                    self
                    self'
                    inputs'
                    pkgs
                    ;
                };
              in
              all
              // {
                default = all.develop;
              };
          };
      }
    );
 }
--- a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
+++ b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
--- a/nix/container-images/build.sh
+++ b/nix/container-images/build.sh
@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -xe
-[ ! -z "$NAME" ]
+[ -n "$NAME" ]
 nix-build . --show-trace -A "$NAME"
-docker image rm "$NAME":latest --force 
+docker image rm "$NAME":latest --force
 docker load -i result
--- a/nix/container-images/default.nix
+++ b/nix/container-images/default.nix
@ -1,14 +1,10 @@
-{ pkgs ? import <nixpkgs> {}
+{
  pkgs ? import <nixpkgs> { },
 }:
 let
-  baseEnv = [
+  baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
-    "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+in
-  ];
+rec {
 in rec {
  base = pkgs.dockerTools.buildImage rec {
    name = "base";
@ -41,50 +37,52 @@ in rec {
    };
  };
-  s3ql = let 
+  s3ql =
-    entrypoint = pkgs.writeScript "entrypoint" ''
+    let
-      #!${pkgs.stdenv.shell}
+      entrypoint = pkgs.writeScript "entrypoint" ''
        #!${pkgs.stdenv.shell}
-      if [ -z "$S3QL_BUCKET" ]; then
+        if [ -z "$S3QL_BUCKET" ]; then
-        echo S3QL_BUCKET not set
+          echo S3QL_BUCKET not set
-        exit 1
+          exit 1
-      fi
+        fi
-      if [ -z "$S3QL_STORAGE_URL" ]; then
+        if [ -z "$S3QL_STORAGE_URL" ]; then
-        echo S3QL_STORAGE_URL not set
+          echo S3QL_STORAGE_URL not set
-        exit 1
+          exit 1
-      fi
+        fi
-      if [ -z "$S3QL_CACHESIZE" ]; then
+        if [ -z "$S3QL_CACHESIZE" ]; then
-        echo S3QL_CACHESIZE not set
+          echo S3QL_CACHESIZE not set
-        exit 1
+          exit 1
-      fi
+        fi
-      set -x
+        set -x
-      if [ "$S3QL_SKIP_FSCK" != "1" ]; then 
+        if [ "$S3QL_SKIP_FSCK" != "1" ]; then
-        fsck.s3ql \
+          fsck.s3ql \
-          --authfile $S3QL_AUTHINFO2 \
+            --authfile $S3QL_AUTHINFO2 \
            --log none \
            --cachedir $S3QL_CACHE_DIR \
            $S3QL_STORAGE_URL
        fi
        exec mount.s3ql \
          --cachedir "$S3QL_CACHE_DIR" \
          --authfile "$S3QL_AUTHINFO2" \
          --cachesize "$S3QL_CACHESIZE" \
          --fg \
          --compress lzma-6 \
          --threads 4 \
          --log none \
-          --cachedir $S3QL_CACHE_DIR \
+          --allow-root \
-          $S3QL_STORAGE_URL
+          "$S3QL_STORAGE_URL" \
-      fi
+          /bucket
-      exec mount.s3ql \
+        # FIXME: touch .isbucket after mount
-        --cachedir "$S3QL_CACHE_DIR" \
+      '';
-        --authfile "$S3QL_AUTHINFO2" \
+    in
-        --cachesize "$S3QL_CACHESIZE" \
+    pkgs.dockerTools.buildImage {
        --fg \
        --compress lzma-6 \
        --threads 4 \
        --log none \
        --allow-root \
        "$S3QL_STORAGE_URL" \
        /bucket
      # FIXME: touch .isbucket after mount 
    '';
    in pkgs.dockerTools.buildImage {
      name = "s3ql";
      fromImage = interactive_base;
      contents = [
@ -95,11 +93,11 @@ in rec {
      runAsRoot = ''
        #!${pkgs.stdenv.shell}
        mkdir -p /usr/bin
-        cp -a ${pkgs.fuse}/bin/fusermount /usr/bin 
+        cp -a ${pkgs.fuse}/bin/fusermount /usr/bin
        chmod +s /usr/bin/fusermount
        echo user_allow_other >> /etc/fuse.conf
      '';
-      
+
      config = {
        Env = baseEnv ++ [
          "HOME=/home/s3ql"
@ -109,49 +107,49 @@ in rec {
        ];
        Cmd = [ entrypoint ];
        Volumes = {
-          "/var/cache/s3ql" = {};
+          "/var/cache/s3ql" = { };
-          "/etc/s3ql/authinfo2" = {};
+          "/etc/s3ql/authinfo2" = { };
-          "/buckets" = {};
+          "/buckets" = { };
-          "/tmp" = {};
+          "/tmp" = { };
        };
      };
    };
  };
-  syncthing = let 
+  syncthing =
-    entrypoint = pkgs.writeScript "entrypoint" ''
+    let
-      #!${pkgs.stdenv.shell}
+      entrypoint = pkgs.writeScript "entrypoint" ''
-      set -x
+        #!${pkgs.stdenv.shell}
-      if [ ! -e /data/.isbucket ]; then
+        set -x
-        echo ERROR: Bucket not mounted at /data
+        if [ ! -e /data/.isbucket ]; then
-        exit 1
+          echo ERROR: Bucket not mounted at /data
-      fi
+          exit 1
        fi
-      if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then
+        if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then
-        echo ERROR: SYNCTHING_GUI_ADDRESS is not set
+          echo ERROR: SYNCTHING_GUI_ADDRESS is not set
-        exit 1
+          exit 1
-      fi
+        fi
-      if [ ! -w "$SYNCTHING_HOME" ]; then
+        if [ ! -w "$SYNCTHING_HOME" ]; then
-        echo ERROR : SYNCTHING_HOME is not writable
+          echo ERROR : SYNCTHING_HOME is not writable
-      fi
+        fi
-      exec syncthing \
+        exec syncthing \
-        -home $SYNCTHING_HOME \
+          -home $SYNCTHING_HOME \
-        -gui-address=$SYNCTHING_GUI_ADDRESS \
+          -gui-address=$SYNCTHING_GUI_ADDRESS \
-        -no-browser
+          -no-browser
-    '';
+      '';
-    in pkgs.dockerTools.buildImage {
+    in
    pkgs.dockerTools.buildImage {
      name = "syncthing";
      fromImage = interactive_base;
      contents = pkgs.syncthing;
-      
+
      config = {
-        Env = baseEnv ++ [
+        Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ];
          "SYNCTHING_HOME=/home/syncthing"
        ];
        Cmd = [ entrypoint ];
        Volumes = {
-          "/data" = {};
+          "/data" = { };
        };
      };
    };
--- a/nix/default.nix
+++ b/nix/default.nix
@ -1,26 +1,33 @@
 { versionsPath }:
 let
-  channelVersions = (import versionsPath);
+  channelVersions = import versionsPath;
-  mkChannelSource = name:
+  mkChannelSource =
    name:
    let
      channelVersion = builtins.getAttr name channelVersions;
-    in builtins.fetchGit {
+    in
    builtins.fetchGit {
      # Descriptive name to make the store path easier to identify
      inherit name;
      inherit (channelVersion) url ref rev;
-  };
+    };
-  nixPath = builtins.foldl' (path: elemName:
+  nixPath = builtins.concatStringsSep ":" (
-    let
+    builtins.map (
-      elem = builtins.getAttr elemName channelVersions;
+      elemName:
-      elemPath = (mkChannelSource elemName);
+      let
-      suffix = if builtins.hasAttr "suffix" elem then elem.suffix else "";
+        elem = builtins.getAttr elemName channelVersions;
-    in
+        elemPath = mkChannelSource elemName;
-      path + ":" + builtins.concatStringsSep "=" [ elemName elemPath ] + suffix
+        suffix = if builtins.hasAttr "suffix" elem then elem.suffix else "";
-  ) "" (builtins.attrNames channelVersions);
+      in
-  pkgs = import (mkChannelSource "nixpkgs") {};
+      builtins.concatStringsSep "=" [
        elemName
        elemPath
      ]
      + suffix
    ) (builtins.attrNames channelVersions)
  );
  pkgs = import (mkChannelSource "nixpkgs") { };
 in
 {
  inherit nixPath;
  channelSources = pkgs.writeText "channels.rc" ''
--- a/nix/devShells.nix
+++ b/nix/devShells.nix
@ -0,0 +1,105 @@
 {
  self,
  self',
  inputs',
  pkgs,
 }:
 {
  install = pkgs.mkShell {
    name = "infra-install";
    packages = with pkgs; [
      nixos-install-tools
      inputs'.disko.packages.disko
      just
      git
      git-crypt
      gnupg
    ];
  };
  develop = pkgs.mkShell {
    name = "infra-develop";
    inputsFrom = [ self'.devShells.install ];
    packages = with pkgs; [
      self'.formatter # .package
      inputs'.colmena.packages.colmena
      dconf2nix
      inputs'.nixos-anywhere.packages.nixos-anywhere
      nurl
      vcsh
      ripgrep
      # pass
      age
      age-plugin-yubikey
      ssh-to-age
      yubico-piv-tool
      inputs'.sops-nix.packages.default
      sops
      nil
      nix-index
      apacheHttpd
      # vncdo
      # tesseract
      # imagemagick
      # lm_sensors
      # nmap
      # sysstat
      # lshw
      # xxHash
      # linssid
      # wavemon
      # wirelesstools
      # zathura
      # xorg.xwininfo
      # glxinfo
      # autorandr
      # arandr
      # playerctl
      # x11docker
      # fwupd
      # ntfy
      # hedgedoc-cli
      xwayland
      pulsemixer
      (pkgs.writeShellScriptBin "rflk" ''
        exec nix run nixpkgs#$@
      '')
      (pkgs.writeShellScriptBin "r11" ''
        exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@
      '')
      jq
      yq
      wireguard-tools
      screen
      inputs'.nixpkgs-unstable.legacyPackages.kanidm
      (flameshot.override { enableWlrSupport = true; })
    ];
    # Set Environment Variables
    RUST_BACKTRACE = 1;
    KANIDM_URL =
      self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
    shellHook = builtins.concatStringsSep "\n" [
      # (self.inputs.nixago.lib.${pkgs.system}.make {
      #   data = self'.formatter.settings;
      #   output = "treefmt.toml";
      #   format = "toml";
      # }).shellHook
    ];
  };
 }
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@ -1,89 +1,102 @@
-{ pkgs }:
+{
-
+  pkgs,
  lib,
  config,
  # these come in via home-manager.extraSpecialArgs and are specific to each node
  nodeFlake,
  repoFlake,
  ...
 }:
 let
-  zshCurried = import ../programs/zsh.nix { inherit pkgs; };
+  pkgsUnstable =
    pkgs.pkgsUnstable
      or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; });
 in
-
+{
 { pkgs
 , config
 , ... }:
 let
  # gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {};
  unstablepkgs = import <channels-nixos-unstable> { config = config.nixpkgs.config; };
  masterpkgs = import <nixpkgs-master> { config = config.nixpkgs.config; };
 in {
  imports = [
    ../profiles/common.nix
-    ../profiles/qtile-desktop.nix
+    # ../profiles/dotfiles.nix
    ../profiles/dotfiles.nix
    ../programs/firefox.nix
    ../programs/chromium.nix
    # FIXME: fix homeshick when no WAN connection is available
    # ../programs/homeshick.nix
    # ../profiles/gnome-desktop.nix
    # ../profiles/experimental-desktop.nix
    ../programs/redshift.nix
    ../programs/gpg-agent.nix
    ../programs/pass.nix
    ../programs/espanso.nix
    ../programs/firefox.nix
    ../programs/chromium.nix
    ../programs/libreoffice.nix
    ../programs/neovim.nix
    ../programs/pass.nix
    zshCurried
    ../programs/podman.nix
    ../programs/vscode
    { home.packages = [ pkgsUnstable.markdown-oxide ]; }
  ];
-  nixpkgs.config = {
+  home.sessionVariables.HM_CONFIG = "graphical-fullblown";
-    pidgin = {
+  home.sessionVariables.GOPATH = "$HOME/src/go";
-      openssl = true;
+  home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [
-      gnutls = true;
+    "$HOME/.local/bin"
-    };
+    "$PATH"
  ];
-    packageOverrides = pkgs: with pkgs; {
+  nixpkgs.config.allowInsecurePredicate =
-    };
+    pkg:
-  };
+    builtins.elem (lib.getName pkg) [
-
+      "electron-28.3.3"
-  home.sessionVariables = {
+      "electron-27.3.11"
    # TODO: find a way to prevent using a store path for the current file
    # HM_CONFIG_PATH=builtins.toString "${./.}";
    HM_CONFIG="graphical-fullblown";
    GOPATH="$HOME/src/go";
    PATH=pkgs.lib.concatStringsSep ":" [
      "$HOME/.local/bin"
      "$PATH"
    ];
  };
-  home.packages = []
+  nixpkgs.config.permittedInsecurePackages = [
-    ++ (with pkgs; [
+    "electron-28.3.3"
    "electron-27.3.11"
  ];
  nixpkgs.config.allowUnfree = [
    "electron-28.3.3"
    "electron-27.3.11"
  ];
  # nixpkgs.config.allowUnfreePredicate = pkg:
  #   builtins.elem (lib.getName pkg) [
  #     "smartgithg"
  #     "electron-27.3.11"
  #   ];
  home.packages =
    (with pkgs; [
      # Authentication
-      cacert
+      # cacert
-      fprintd
+      # fprintd
-      openssl
+      # openssl
-      mkpasswd
+      # mkpasswd
      # Nix package related tools
      patchelf
-      nix-index
+      # nix-index
      nox
      nix-prefetch-scripts
-      nix-prefetch-github
+      nix-tree
      # Version Control Systems
-      pijul
+      gitFull
-      gitless
+      # gitless
      gitRepo
      git-lfs
      # Process/System Administration
      htop
-      gnome3.gnome-tweak-tool
+      # gnome.gnome-tweaks
      xorg.xhost
      dmidecode
      evtest
      # Archive Managers
-      sshfsFuse
+      sshfs-fuse
      xarchive
      p7zip
      zip
      unzip
@ -93,98 +106,74 @@ in {
      # Password Management
      gnupg
      yubikey-manager
      yubikey-neo-manager
      yubikey-personalization
      yubikey-personalization-gui
-      gnome3.gnome_keyring
+
-      gnome3.seahorse
+      # gnome.gnome-keyring
      gcr
      seahorse
      # Language Support
      hunspellDicts.en-us
      hunspellDicts.de-de
      # Messaging/Communication
-      signal-desktop
+      # pidgin
-      pidgin
+      # hexchat
-      hexchat
+      pkgsUnstable.element-desktop
      aspellDicts.en
      aspellDicts.de
-      skype
+      # skypeforlinux
-      unstablepkgs.jitsi-meet-electron
+      # pkgsUnstable.jitsi-meet-electron
-      zoom-us # broken as of 2019-10-30
+      thunderbird-128
-      bluejeans-gui
+      # betterbird
-      thunderbird
+
-      gnome3.evolution # gnome4.glib_networking
+      # FIXME: depends on insecure openssl 1.1.1t
-      # telegram
+      # kotatogram-desktop
-      unstablepkgs.tdesktop
+      pkgsUnstable.tdesktop
-      gnome3.cheese
+      pkgsUnstable.signal-desktop
      # Virtualization
-      virtmanager
+      virt-manager
      # (pkgs.lib.hiPrio qemu)
      # virtualbox
      # vagrant
      # docker_compose
      # unstablepkgs.kubernetes
      # unstablepkgs.minikube
      # unstablepkgs.openshift
      # (unstablepkgs.minikube.overrideAttrs (oldAttrs: {
      #   patches = oldAttrs.patches ++ [
      #     (builtins.fetchurl { url ="https://patch-diff.githubusercontent.com/raw/kubernetes/minikube/pull/2517.diff"; })
      #   ];
      # }))
      appimage-run
      # Remote Control Tools
      remmina
-      freerdp
+      # freerdp
      teamviewer
      # Audio/Video Players
-      ffmpeg
+      # ffmpeg
      vlc
-      audacity
+      # v4l-utils
-      spotify
+      # audacity
-      python38Packages.youtube-dl-light
+      # spotify
      yt-dlp
      (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
      libwebcam
      libcamera
      snapshot
      # Network Tools
      openvpn
      tcpdump
      iftop
      iperf
      bind
      socat
-      # 2019-03-05: broken on 19.03 linssid
+      nethogs
      iptraf-ng
      ipmitool
-      # samba
+      # Code Editing and Programming
-      iptables
+      # TODO(remove or use): pkgsUnstable.lapce
-      nftables
+      # TODO(remve or use): pkgsUnstable.helix
      wireshark
      # Code Editors
      # unstablepkgs.atom
      xclip
      xsel
      # Image/Graphic/Design Tools
-      gnome3.eog
+      eog
-      gimp
+      # gimp
-      imagemagick
+      # imagemagick
-      exiv2
+      # exiv2
-      graphviz
+      # graphviz
-      inkscape
+      # inkscape
-      # barcode
+      # qrencode
      qrencode
      zbar
      feh
      # digikam
-
+      # TODO: remove or move these: Modelling Tools
      # Modelling Tools
      # plantuml
      # umlet
      # staruml
@ -193,99 +182,46 @@ in {
      # astah-community
      # Misc Development Tools
-      qrcode
+      # qrcode
-      # travis
+      # jq
-      jq
+      # cdrtools
      # prometheus
      cdrtools
      # Document Processing and Management
-      # zathura
+      nautilus
-      mendeley
+      pcmanfm
-      # zotero
+      # mendeley
-      pandoc
+      evince
-
+      xournalpp
      # LaTeX
      perlPackages.YAMLTiny
      perlPackages.FileHomeDir
      perlPackages.UnicodeLineBreak
      (texlive.combine {
        inherit (texlive)
          scheme-small
          texlive-de
          texlive-en
          texlive-scripts
          collection-langgerman
          latexindent
          latexmk
          algorithms
          cm-super
          preprint
          enumitem
          draftwatermark
          everypage
          ulem
          placeins
          minted ifplatform fvextra xstring framed
          ;
      })
      pdftk
      masterpdfeditor
      # File Synchronzation
-      seafile-client
+      maestral
      grive2
      dropbox
      rsync
      # Filesystem Tools
-      ntfs3g
+      # ntfs3g
-      ddrescue
+      # ddrescue
-      ncdu
+      # ncdu
-      woeusb
+      # hdparm
-      unetbootin
+      # binwalk
-      pcmanfm
+      # gptfdisk
-      hdparm
+      # gparted
-      testdisk
+      # smartmontools
      python38Packages.binwalk
      gptfdisk
      gparted
      smartmontools
      ## Android
      androidenv.androidPkgs_9_0.platform-tools
      ## Python
-      myPython
+      # packages'.myPython
      # Code generators
      # unstablepkgs.swagger-codegen
      # Misc Desktop Tools
-      # TODO: this may be required if brightness control isn't working
+      # ltunify
-      # brightnessctl
+      # dex
      ltunify
      # solaar # TODO: conflicts with solar over udev rules
      dex
      # kitty
      busyboxStatic
      xorg.xbacklight
      coreutils
      lsof
-      x11_ssh_askpass
+      xdg-utils
      xdotool
      xdg_utils
      xdg-user-dirs
-      gnome3.dconf
+      dconf
      picocom
      glib.dev # contains gdbus tool
      alacritty
-      roxterm
+      # wally-cli
      unstablepkgs.wally-cli
      man-pages
      # Screen recording
@ -295,11 +231,58 @@ in {
      # shutter
      # kazam # doesn't start
      # xvidcap # doesn't keep the recording rectangle
      obs-studio
      screenkey
      # shotcut
      # openshot-qt
      # introduces python: screenkey
-      ledger-live-desktop
+      # avidemux # broken
-  ]);
+      # handbrake
      # snes9x
      # snes9x-gtk
      # this is a displaymanager!
      # libretro.snes9x2010
      # retroarchFull
      # pkgs.logseq-bin
      pkgs.logseq
      # (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { })
    ])
    ++ (with repoFlake.packages.${pkgs.system}; [ gimp ])
    ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
      pkgsUnstable.ledger-live-desktop
      # unsupported on aarch64-linux
      pkgs.androidenv.androidPkgs_9_0.platform-tools
      pkgs.teamviewer
      pkgs.discord
      pkgsUnstable.session-desktop
      pkgsUnstable.rustdesk
    ]);
  systemd.user.startServices = true;
  services.syncthing.enable = true;
  services.udiskie = {
    enable = true;
    automount = false;
    notify = true;
  };
  # TODO: uncomment this when it's in stable home-manger
  # programs.joshuto = {
  #   enable = true;
  # };
  # systemd.user.services.maestral = {
  #   Unit.Description = "Maestral daemon";
  #   Install.WantedBy = ["default.target"];
  #   Service = {
  #     ExecStart = "${pkgs.maestral}/bin/maestral start -f";
  #     ExecStop = "${pkgs.maestral}/bin/maestral stop";
  #     Restart = "on-failure";
  #     Nice = 10;
  #   };
  # };
 }
--- a/nix/home-manager/configuration/graphical-gnome3.nix
+++ b/nix/home-manager/configuration/graphical-gnome3.nix
@ -0,0 +1,8 @@
 { pkgs, ... }:
 {
  home.packages = with pkgs; [
    gnome-tweaks
    gnome-keyring
    seahorse
  ];
 }
--- a/nix/home-manager/configuration/graphical-removable.nix
+++ b/nix/home-manager/configuration/graphical-removable.nix
@ -1,17 +1,5 @@
-{ pkgs }:
+{ pkgs, ... }:
-
+{
 let
  zshCurried = import ../programs/zsh.nix { inherit pkgs; };
 in
 { pkgs
 , config,
 ... }:
 let
  unstablepkgs = import <channels-nixos-unstable> { config = config.nixpkgs.config; };
 in {
  imports = [
    ../profiles/common.nix
    ../profiles/qtile-desktop.nix
@ -23,109 +11,89 @@ in {
    ../programs/libreoffice.nix
    ../programs/neovim.nix
    ../programs/pass.nix
    zshCurried
  ];
-  nixpkgs.config = {
+  home.packages = with pkgs; [
-    pidgin = {
+    # Nix package related tools
-      openssl = true;
+    patchelf
-      gnutls = true;
+    nix-index
-    };
+    nix-prefetch-scripts
-    packageOverrides = pkgs: with pkgs; {
+    # Version Control Systems
-    };
+    gitless
  };
-  home.sessionVariables = {
+    # Process/System Administration
-  };
+    htop
    gnome-tweaks
    xorg.xhost
    dmidecode
    evtest
    # Archive Managers
    sshfs-fuse
    xarchive
    p7zip
    zip
    unzip
    gzip
    lzop
-  home.packages =
+    # Password Management
-    [] ++ (with pkgs; [
+    gnome-keyring
-      # Nix package related tools
+    seahorse
      patchelf
      nix-index
      nix-prefetch-scripts
-      # Version Control Systems
+    # Remote Control Tools
-      gitless
+    remmina
    freerdp
-      # Process/System Administration
+    # Network Tools
-      htop
+    openvpn
-      gnome3.gnome-tweak-tool
+    tcpdump
-      xorg.xhost
+    iftop
-      dmidecode
+    iperf
-      evtest
+    bind
    socat
-      # Archive Managers
+    # samba
-      sshfsFuse
+    iptables
-      xarchive
+    nftables
-      p7zip
+    wireshark
      zip
      unzip
      gzip
      lzop
-      # Password Management
+    # Code Editors
-      gnome3.gnome_keyring
+    xclip
-      gnome3.seahorse
+    xsel
-      # Remote Control Tools
+    # Image/Graphic/Design Tools
-      remmina
+    gnome.eog
-      freerdp
+    gimp
    inkscape
-      # Network Tools
+    # Misc Development Tools
-      openvpn
+    qrcode
-      tcpdump
+    jq
-      iftop
+    cdrtools
      iperf
      bind
      socat
-      # samba
+    # Document Processing and Management
-      iptables
+    zathura
      nftables
      wireshark
-      # Code Editors
+    # File Synchronzation
-      xclip
+    rsync
      xsel
      unstablepkgs.vscode
-      # Image/Graphic/Design Tools
+    # Filesystem Tools
-      gnome3.eog
+    ntfs3g
-      gimp
+    ddrescue
-      inkscape
+    ncdu
    woeusb
    unetbootin
    pcmanfm
    hdparm
    testdisk
    binwalk
    gptfdisk
-      # Misc Development Tools
+    packages'.myPython
      qrcode
      jq
      cdrtools
-      # Document Processing and Management
+    # Virtualization
-      zathura
+    virtmanager
-
+  ];
      # File Synchronzation
      rsync
      # Filesystem Tools
      ntfs3g
      ddrescue
      ncdu
      unstablepkgs.woeusb
      unetbootin
      pcmanfm
      hdparm
      testdisk
      python38Packages.binwalk
      gptfdisk
      ## Python
      myPython
      busyboxStatic
      # Virtualization
      virtmanager
  ]);
 }
--- a/nix/home-manager/configuration/text-minimal.nix
+++ b/nix/home-manager/configuration/text-minimal.nix
@ -1,35 +0,0 @@
 { pkgs, extraPackages ? [] }:
 let
  zshCurried = import ../programs/zsh.nix { inherit pkgs; };
 in
 { pkgs
 , config
 , ... }:
 let
 in {
  imports = [
    ../profiles/common.nix
    ../profiles/nix-channels.nix
    ../programs/neovim.nix
    zshCurried
  ];
  nixpkgs.config = {
    packageOverrides = pkgs: with pkgs; {
    };
  };
  home.sessionVariables = {
  };
  home.packages = extraPackages
    ++ (with pkgs; [
    iperf3
    telnet
    speedtest-cli
  ]);
 }
--- a/nix/home-manager/lib.nix
+++ b/nix/home-manager/lib.nix
@ -1,22 +1,19 @@
-{ 
+_: {
-}:
+  mkSimpleTrayService =
    { execStart }:
    {
      Unit = {
        Description = "";
        After = [ "graphical-session-pre.target" ];
        PartOf = [ "graphical-session.target" ];
      };
-let 
+      Install = {
        WantedBy = [ "graphical-session.target" ];
      };
-in {
+      Service = {
-  mkSimpleTrayService = { execStart }: {
+        ExecStart = execStart;
-    Unit = {
+      };
      Description = "pasystray applet";
      After = [ "graphical-session-pre.target" ];
      PartOf = [ "graphical-session.target" ];
    };
    Install = {
      WantedBy = [ "graphical-session.target" ];
    };
    Service = {
      ExecStart = execStart;
    };
  };
 }
--- a/nix/home-manager/profiles/common.nix
+++ b/nix/home-manager/profiles/common.nix
@ -1,54 +1,97 @@
-{ pkgs
+{ pkgs, lib, ... }:
-, ...
+{
-}:
+  home.stateVersion = lib.mkDefault "23.11";
-let 
+  # TODO: re-enable this with the appropriate version?
 in {
  # TODO: re-enable this with the appropriate version
  # programs.home-manager.enable = true;
  # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz;
-  nixpkgs.overlays = builtins.attrValues (import ../../overlays);
+  # TODO: move this to an OS snippet?
  nixpkgs.config = {
-    allowBroken = true;
+    allowBroken = false;
    allowUnfree = true;
    allowUnsupportedSystem = true;
    allowInsecurePredicate =
      pkg:
      builtins.elem (lib.getName pkg) [
        "electron-32.3.3"
        "electron"
      ];
    permittedInsecurePackages = [
      "electron-32.3.3"
      "electron"
    ];
    allowUnfreePredicate =
      pkg:
      builtins.elem (lib.getName pkg) [
        "obsidian"
        "vivaldi"
        "aspell-dict-en-science"
      ];
  };
  home.keyboard = {
    layout = "us";
    variant = "altgr-intl";
-    options = [ 
+    options = [
-      "nodeadkeys"
+      # nodeadkeys doesn't make sense with us layout: see https://man.archlinux.org/man/xkeyboard-config.7 for valid options
-     # "caps:swapescape"
+      # "nodeadkeys"
      # "caps:swapescape"
    ];
  };
-  programs.direnv.enable = true;
+  xdg.enable = true;
  services.lorri.enable = true;
-  home.sessionVariables = {
+  programs.direnv.enable = true;
-    NIXPKGS_ALLOW_UNFREE = "1";
+
-    # Don't create .pyc files.
+  # Don't create .pyc files.
-    PYTHONDONTWRITEBYTECODE = "1";
+  home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1";
  };
  programs.command-not-found.enable = true;
  programs.fzf.enable = true;
-  home.packages =
+  home.packages = with pkgs; [
-    [] ++ (with pkgs; [
+    coreutils
      # git helpers
      git-crypt
-      vcsh
+    vcsh
      # Authentication
      cacert
      openssl
      mkpasswd
-      just
+    htop
-      ripgrep
+    iperf3
-      du-dust
+    nethogs
-      ]);
+
    # Authentication
    cacert
    openssl
    mkpasswd
    just
    ripgrep
    du-dust
    elfutils
    exfat
    file
    tree
    pwgen
    proot
    parted
    pv
    tmux
    wget
    curl
    # git helpers
    git-crypt
    gitFull
    pastebinit
    gist
    mr
    usbutils
    pciutils
  ];
 }
--- a/nix/home-manager/profiles/dotfiles.nix
+++ b/nix/home-manager/profiles/dotfiles.nix
@ -1,13 +1,6 @@
-{ pkgs
+_: {
-, config
+  # TODO: fix the dotfiles
-, ...
+  # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
-}:
+  #   $DRY_RUN_CMD ${vcshActivationScript}
-
+  # '';
 let
  vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {};
 in {
  home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
    $DRY_RUN_CMD ${vcshActivationScript}
  '';
 }
--- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix
+++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix
@ -1,39 +1,42 @@
-{ pkgs
+{
-, repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git"
+  pkgs,
-, repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git"
+  repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
-, ...
+  repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
  ...
 }:
 let
-  repoBareLocal = pkgs.runCommand "fetchbare" {
+  repoBareLocal =
-      outputHashMode = "recursive";
+    pkgs.runCommand "fetchbare"
-      outputHashAlgo = "sha256";
+      {
-      outputHash = "0000000000000000000000000000000000000000000000000000";
+        outputHashMode = "recursive";
-    } ''
+        outputHashAlgo = "sha256";
-    (
+        outputHash = "0000000000000000000000000000000000000000000000000000";
-      set -xe
+      }
-      export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+      ''
-      export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+        (
-      ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
+          set -xe
-    )
+          export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
-    '';
+          export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
          ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
        )
      '';
 in
 pkgs.writeScript "activation-script" ''
  export HOST=$(hostname -s)
-in pkgs.writeScript "activation-script" ''
+  function set_remotes {
-    export HOST=$(hostname -s)
+    ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
    ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
  }
-    function set_remotes {
+  if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
-      ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
+    echo Cloning dotfiles for $HOST...
-      ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
+    ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
-    }
+    set_remotes ${repoHttps} ${repoSsh}
-
+  else
-    if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
+    set_remotes ${repoBareLocal} ${repoSsh}
-      echo Cloning dotfiles for $HOST...
+    echo Updating dotfiles for $HOST...
-      ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
+    ${pkgs.vcsh}/bin/vcsh pull $HOST || true
-      set_remotes ${repoHttps} ${repoSsh}
+    set_remotes ${repoHttps} ${repoSsh}
-    else
+  fi
-      set_remotes ${repoBareLocal} ${repoSsh}
+''
      echo Updating dotfiles for $HOST...
      ${pkgs.vcsh}/bin/vcsh pull $HOST || true
      set_remotes ${repoHttps} ${repoSsh}
    fi
    ''
--- a/nix/home-manager/profiles/experimental-desktop.nix
+++ b/nix/home-manager/profiles/experimental-desktop.nix
@ -0,0 +1,10 @@
 { packages', ... }:
 {
  imports = [ ../profiles/wayland-desktop.nix ];
  home.packages = [
    # experimental WMs
    packages'.jay
    packages'.magmawm
  ];
 }
--- a/nix/home-manager/profiles/gnome-desktop.nix
+++ b/nix/home-manager/profiles/gnome-desktop.nix
@ -0,0 +1,100 @@
 { pkgs, ... }:
 {
  imports = [ ../profiles/wayland-desktop.nix ];
  services = {
    gnome-keyring.enable = false;
    blueman-applet.enable = true;
    flameshot.enable = true;
    pasystray.enable = true;
  };
  # TODO: remove this comment once i'm sure everything works
  # xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = ''
  #   [Desktop Entry]
  #   Type=Application
  #   Hidden=true
  # '';
  services.gpg-agent.pinentry.package = pkgs.pinentry-gnome3;
  dconf.settings =
    let
      manualKeybindings = [
        {
          binding = "Print";
          command = "flameshot gui";
          name = "flameshot";
        }
        {
          binding = "<Super>t";
          command = "alacritty";
          name = "alacritty";
        }
      ];
      numWorkspaces = 10;
      customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
      customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") (
        (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace
      );
      workspacesKeyBindingsOffset = builtins.length manualKeybindings;
      # with this we can make use of all number keys [0-9]
      mapToNumber =
        i:
        if i < 10 then
          i
        else if i == 10 then
          0
        else
          throw "i exceeds 10: ${i}";
    in
    {
      "org/gnome/settings-daemon/plugins/media-keys" = {
        custom-keybindings = customKeybindingsNames;
        screenreader = "@as []";
        screensaver = [ "<Alt><Super>l" ];
      };
      # disable the builtin <Super>[1-9] functionality
      "org/gnome/shell/keybindings" = builtins.listToAttrs (
        (builtins.genList (i: {
          name = "switch-to-application-${toString (i + 1)}";
          value = [ ];
        }) numWorkspaces)
        ++ [
          {
            name = "toggle-overview";
            value = [ ];
          }
        ]
      );
      # remap it to switching to the workspaces
      "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (
        builtins.genList (i: {
          name = "switch-to-workspace-${toString (i + 1)}";
          value = [ "<Super>${toString (mapToNumber (i + 1))}" ];
        }) numWorkspaces
      );
    }
    // builtins.listToAttrs (
      builtins.genList (i: {
        name = "${customKeybindingBaseName}${toString i}";
        value = builtins.elemAt manualKeybindings i;
      }) (builtins.length manualKeybindings)
    )
    // builtins.listToAttrs (
      builtins.genList (i: {
        name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
        value = {
          binding = "<Control><Super>${toString (mapToNumber (i + 1))}";
          command = "wmctrl -r :ACTIVE: -t ${toString i}";
          name = "Send to workspace ${toString (i + 1)}";
        };
      }) numWorkspaces
    );
 }
--- a/nix/home-manager/profiles/nix-channels.nix
+++ b/nix/home-manager/profiles/nix-channels.nix
@ -1,26 +1,22 @@
-{ pkgs
+{ pkgs, config, ... }:
-, config
+{
-, ...
+  home.file.".nix-channels".text = "";
 }:
-let
+  home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] ''
 in {
  home.file.".nix-channels".text = ''
  '';
  home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
    $DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
-    set -ex
+      set -ex
-    if test -f $HOME/.nix-channels; then
+      if test -f $HOME/.nix-channels; then
-      echo Uninstalling available channels...
+        echo Uninstalling available channels...
-      while read url channel; do
+        if test -f $HOME/.nix-channel; then
-        nix-channel --remove $channel
+          while read url channel; do
-      done < $HOME/.nix-channel
+            nix-channel --remove $channel
-      echo Moving existing file away...
+          done < $HOME/.nix-channel
-      touch $HOME/.nix-channels.dummy
+        fi
-      mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
+        echo Moving existing file away...
-      rm $HOME/.nix-channels
+        touch $HOME/.nix-channels.dummy
-    fi
+        mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
        rm $HOME/.nix-channels
      fi
    ''};
  '';
 }
--- a/nix/home-manager/profiles/qtile-desktop.nix
+++ b/nix/home-manager/profiles/qtile-desktop.nix
@ -1,17 +1,15 @@
-{ pkgs
+{ pkgs, ... }:
 , ...
 }:
 let
  inherit (import ../lib.nix { })
    mkSimpleTrayService
    ;
-  audio = pkgs.writeScript "audio" ''
+  audio = pkgs.writeShellScript "audio" ''
-    #!${pkgs.bash}/bin/bash
+    export PATH=${
-    export PATH=${with pkgs; lib.makeBinPath [
+      with pkgs;
-      pulseaudio findutils gnugrep
+      lib.makeBinPath [
-    ]}:$PATH
+        pulseaudio
        findutils
        gnugrep
      ]
    }:$PATH
    export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
    case $1 in
@ -33,13 +31,9 @@ let
    esac
  '';
  terminalCommand = "${pkgs.alacritty}/bin/alacritty";
  # terminalCommand = "${pkgs.roxterm}/bin/roxterm";
-  dpmsScript = pkgs.writeScript "dpmsScript" ''
+  dpmsScript = pkgs.writeShellScript "dpmsScript" ''
-    #!${pkgs.bash}/bin/bash
+    export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH
    export PATH=${with pkgs; lib.makeBinPath [
      xlibs.xset
    ]}:$PATH
    set -xe
@ -61,11 +55,8 @@ let
    esac
  '';
-  screenLockCommand = pkgs.writeScript "screenLock" ''
+  screenLockCommand = pkgs.writeShellScript "screenLock" ''
-    #!${pkgs.bash}/bin/bash
+    export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH
    export PATH=${with pkgs; lib.makeBinPath [
      i3lock
    ]}:$PATH
    revert() {
      ${dpmsScript} default
@ -78,229 +69,190 @@ let
    revert
  '';
  initScreen = pkgs.writeShellScript "initScreen" ''
    # ${pkgs.xorg.xinput}/bin/xinput set-prop "ZSA Moonlander Mark I Mouse" "libinput Natural Scrolling Enabled" 1
    ${pkgs.autorandr}/bin/autorandr -c
    ${pkgs.feh}/bin/feh --bg-scale ${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png
    ${dpmsScript} default
  '';
  qtileConfig = pkgs.writeScript "qtile_config.py" ''
-from libqtile.config import Key, Screen, Group, Drag, Click
+    from libqtile.config import Key, Screen, Group, Drag, Click
-from libqtile.command import lazy
+    from libqtile.command import lazy
-from libqtile import layout, bar, widget
+    from libqtile import layout, bar, widget
-from libqtile import hook
+    from libqtile import hook
-import logging, os
+    import logging, os
-logger = logging.getLogger()
+    logger = logging.getLogger()
-logger.setLevel(logging.WARN)
+    logger.setLevel(logging.WARN)
-handler = logging.handlers.RotatingFileHandler(
+    handler = logging.handlers.RotatingFileHandler(
-    os.path.join(os.getenv('TEMPDIR', default="/tmp"), '.qtilelog'), maxBytes=10240000,
+        os.path.join(os.getenv('TEMPDIR', default="/tmp"), '.qtilelog'), maxBytes=10240000,
-    backupCount=7
+        backupCount=7
 )
 handler.setLevel(logging.WARN)
 logger.addHandler(handler)
 # @hook.subscribe.screen_change
 # def restart_on_randr(qtile, ev):
 #     import time
 #
 #     with open(os.path.join(os.environ['TEMPDIR', default="/tmp"], ".qtilelastrestart"), "w"):
 #         pass
 #
 #     lastRestart = 0
 #     with open(os.path.join(os.environ['TEMPDIR', default="/tmp"], ".qtilelastrestart"), "r+") as lastRestartFile:
 #         lastRestartStr = lastRestartFile.read()
 #         if len(lastRestartStr) > 0:
 #             lastRestart = float(lastRestartStr)
 #
 #         print("screen changed. (last change: %s)" % lastRestart)
 #
 #         delta=time.time()-lastRestart
 #         if delta > 3:
 #             import subprocess
 #             lastRestartFile.seek(0)
 #             lastRestartFile.write("%s" % time.time())
 #             lastRestartFile.truncate()
 #
 #             subprocess.call(["autorandr","-c"])
 #             qtile.cmd_restart()
 #         else:
 #             print("screen is changing too fast: %s" % delta)
 #
 # active_screen = 0
 # @hook.subscribe.client_focus
 # def focus_changed(window):
 #     global active_screen
 #     pass
 #     active_screen = window.group.screen.index
 #
 # @hook.subscribe.current_screen_change
 # def move_widget():
 #     global active_screen
 #     systray = widget.Systray()
 #     logging.warn("Screen changed to %i" % active_screen)
 key_super = "mod4"
 key_alt = "mod1"
 key_control = "control"
 keys = [
    # https://github.com/qtile/qtile/blob/develop/libqtile/xkeysyms.py
    Key([key_super], "Return", lazy.spawn("${terminalCommand}")),
    Key([key_super], "backslash", lazy.spawn("${terminalCommand}")),
    Key([key_super], "apostrophe", lazy.spawn("${terminalCommand}")),
    Key([key_super], "r", lazy.spawncmd()),
    Key([key_super], "w", lazy.window.kill()),
    Key([key_alt, key_super], "l", lazy.spawn('${pkgs.bash}/bin/sh -c "loginctl lock-session $XDG_SESSION_ID"')),
    Key([key_alt, key_super], "s", lazy.spawn("${pkgs.systemd}/bin/systemctl suspend")),
    # Key([key_super, key_control], "r", lazy.restart()),
    Key([key_super, key_control], "r", lazy.spawn("${pkgs.autorandr}/bin/autorandr -c && ${dpmsScript} default"), lazy.restart()),
    Key([key_super, key_control], "q", lazy.shutdown()),
    # Toggle between different layouts as defined below
    Key([key_super], "Tab", lazy.next_layout()),
    # MonadTall keybindings
    Key([key_super], "h", lazy.layout.left()),
    Key([key_super], "l", lazy.layout.right()),
    Key([key_super], "j", lazy.layout.down()),
    Key([key_super], "k", lazy.layout.up()),
    Key([key_super, key_control], "h", lazy.layout.shuffle_left()),
    Key([key_super, key_control], "l", lazy.layout.shuffle_right()),
    Key([key_super, key_control], "j", lazy.layout.shuffle_down()),
    Key([key_super, key_control], "k", lazy.layout.shuffle_up()),
    Key([key_super, key_control], "space", lazy.layout.toggle_split()),
    Key([key_control, key_alt], "h", lazy.layout.grow_left()),
    Key([key_control, key_alt], "j", lazy.layout.grow_down()),
    Key([key_control, key_alt], "k", lazy.layout.grow_up()),
    Key([key_control, key_alt], "l", lazy.layout.grow_right()),
    Key([key_super], "n", lazy.layout.normalize()),
    Key([key_super], "o", lazy.layout.maximize()),
    # Stack
    Key([key_super], "h", lazy.layout.previous().when('stack')),
    Key([key_super], "l", lazy.layout.next().when('stack')),
    Key([key_super], "j", lazy.layout.up().when('stack')),
    Key([key_super], "k", lazy.layout.down().when('stack')),
    Key([key_super, key_control], "j", lazy.layout.shuffle_up().when('stack')),
    Key([key_super, key_control], "k", lazy.layout.shuffle_down().when('stack')),
    Key([key_super, key_control], "h", lazy.layout.client_to_previous().when('stack')),
    Key([key_super, key_control], "l", lazy.layout.client_to_next().when('stack')),
    # Columns
    Key([key_super], "h", lazy.layout.left().when('columns')),
    Key([key_super], "l", lazy.layout.right().when('columns')),
    Key([key_super], "j", lazy.layout.down().when('columns')),
    Key([key_super], "k", lazy.layout.up().when('columns')),
    Key([key_super, key_control], "j", lazy.layout.shuffle_down().when('columns')),
    Key([key_super, key_control], "k", lazy.layout.shuffle_up().when('columns')),
    Key([key_super, key_control], "h", lazy.layout.shuffle_left().when('columns')),
    Key([key_super, key_control], "l", lazy.layout.shuffle_right().when('columns')),
    # Max
    Key([key_super], "j", lazy.layout.next()),
    Key([key_super], "k", lazy.layout.previous()),
    # Multimedia Keys
    Key([], "XF86AudioPlay", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.PlayPause")),
    Key([], "XF86AudioPrev", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Previous")),
    Key([], "XF86AudioNext", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Next")),
    ## Microsoft Comfort Curve specific
    Key([key_super, "shift"], "XF86TouchpadToggle", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Previous")),
    Key([key_alt, key_super], "XF86TouchpadToggle", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Next")),
    Key([], "XF86AudioMute", lazy.spawn("${audio} mute")),
    Key([], "XF86AudioLowerVolume", lazy.spawn("${audio} lower")),
    Key([], "XF86AudioRaiseVolume", lazy.spawn("${audio} raise")),
    Key([], "Print", lazy.spawn("${pkgs.flameshot}/bin/flameshot gui")),
 ]
 groups = [Group(i) for i in "1234567890"]
 for i in groups:
    # super + letter of group = switch to group
    keys.append(
        Key([key_super], i.name, lazy.group[i.name].toscreen())
    )
    handler.setLevel(logging.WARN)
    logger.addHandler(handler)
-    # super + shift + letter of group = switch to & move focused window to group
+    key_super = "mod4"
-    keys.append(
+    key_alt = "mod1"
-        Key([key_super, key_control], i.name, lazy.window.togroup(i.name))
+    key_control = "control"
    )
-layouts = [
+    keys = [
-    layout.Columns(num_columns=3, border_focus='#00ff00', border_width=2),
+        # https://github.com/qtile/qtile/blob/master/libqtile/backend/x11/xkeysyms.py
-    layout.Max(),
+        Key([key_super], "Return", lazy.spawn("${terminalCommand}")),
-    # layout.Stack(num_stacks=3, border_focus='#00ff00', border_width=2, autosplit=True, previous_on_rm=True),
+        Key([key_super], "r", lazy.spawncmd()),
-   # layout.Wmii(border_focus='#00ff00'),
+        Key([key_super], "w", lazy.window.kill()),
   # layout.MonadTall(ratio=0.6, border_focus='#00ff00'),
 ]
-widget_defaults = dict(
+        Key([key_alt, key_super], "l", lazy.spawn('${pkgs.bash}/bin/sh -c "loginctl lock-session $XDG_SESSION_ID"')),
-    font='Arial',
+        Key([key_alt, key_super], "s", lazy.spawn("${pkgs.systemd}/bin/systemctl suspend")),
    fontsize=16,
    padding=3,
 )
-screens_count = 4
+        Key([key_super, key_control], "r", lazy.spawn("${initScreen}")),
-screens = []
+        Key([key_super, key_control], "q", lazy.shutdown()),
-for i in range(0, screens_count+1):
+
-    j = i+1
+        # Toggle between different layouts as defined below
-    widgets = [
+        Key([key_super], "Tab", lazy.next_layout()),
-        widget.TextBox("Screen %i" % j, name="Screen %i" % j),
+
-        widget.GroupBox(),
+        # this is usefull when floating windows get buried
-        widget.WindowName(),
+        Key([key_super], "Escape", lazy.window.bring_to_front()),
-        widget.Prompt(),
+
-        widget.CPUGraph(),
+        # common to all layouts
-        widget.ThermalSensor(),
+        Key([key_control, key_alt], "h", lazy.layout.grow_left()),
-        widget.Memory(),
+        Key([key_control, key_alt], "j", lazy.layout.grow_down()),
-        widget.Net(interface='eth0'),
+        Key([key_control, key_alt], "k", lazy.layout.grow_up()),
-        widget.Net(interface='wlan0'),
+        Key([key_control, key_alt], "l", lazy.layout.grow_right()),
-        widget.Clock(format='%Y-%m-%d %a %I:%M %p'),
+        Key([key_super], "n", lazy.layout.normalize()),
        Key([key_super], "o", lazy.layout.maximize()),
        # MonadTall keybindings
        Key([key_super], "h", lazy.layout.left().when(layout="monad")),
        Key([key_super], "l", lazy.layout.right().when(layout="monad")),
        Key([key_super], "j", lazy.layout.down().when(layout="monad")),
        Key([key_super], "k", lazy.layout.up().when(layout="monad")),
        Key([key_super, key_control], "h", lazy.layout.shuffle_left().when(layout="monad")),
        Key([key_super, key_control], "l", lazy.layout.shuffle_right().when(layout="monad")),
        Key([key_super, key_control], "j", lazy.layout.shuffle_down().when(layout="monad")),
        Key([key_super, key_control], "k", lazy.layout.shuffle_up().when(layout="monad")),
        Key([key_super, key_control], "space", lazy.layout.toggle_split().when(layout="monad")),
        # Stack
        Key([key_super], "h", lazy.layout.previous().when(layout='stack')),
        Key([key_super], "l", lazy.layout.next().when(layout='stack')),
        Key([key_super], "j", lazy.layout.up().when(layout='stack')),
        Key([key_super], "k", lazy.layout.down().when(layout='stack')),
        Key([key_super, key_control], "j", lazy.layout.shuffle_up().when(layout='stack')),
        Key([key_super, key_control], "k", lazy.layout.shuffle_down().when(layout='stack')),
        Key([key_super, key_control], "h", lazy.layout.client_to_previous().when(layout='stack')),
        Key([key_super, key_control], "l", lazy.layout.client_to_next().when(layout='stack')),
        # Columns
        Key([key_super], "h", lazy.layout.left().when(layout="columns")),
        Key([key_super], "l", lazy.layout.right().when(layout="columns")),
        Key([key_super], "j", lazy.layout.next().when(layout="columns")),
        Key([key_super], "k", lazy.layout.previous().when(layout="columns")),
        Key([key_super, key_control], "j", lazy.layout.shuffle_down().when(layout="columns")),
        Key([key_super, key_control], "k", lazy.layout.shuffle_up().when(layout="columns")),
        Key([key_super, key_control], "h", lazy.layout.shuffle_left().when(layout="columns")),
        Key([key_super, key_control], "l", lazy.layout.shuffle_right().when(layout="columns")),
        Key([key_super, key_control], "space", lazy.layout.toggle_split().when(layout="columns")),
        # Max
        Key([key_super], "j", lazy.layout.down().when(layout="max")),
        Key([key_super], "k", lazy.layout.up().when(layout="max")),
        # TODO: these are required to make the 'columns' layout work, but why?
        Key([key_super], "j", lazy.layout.next()),
        Key([key_super], "k", lazy.layout.previous()),
        # Multimedia Keys
        Key([], "XF86AudioPlay", lazy.spawn("${pkgs.playerctl}/bin/playerctl play-pause")),
        Key([], "XF86AudioPrev", lazy.spawn("${pkgs.playerctl}/bin/playerctl previous")),
        Key([], "XF86AudioNext", lazy.spawn("${pkgs.playerctl}/bin/playerctl next")),
        # TODO: the next two don't work yet
        Key([], "XF86AudioRewind", lazy.spawn("${pkgs.playerctl}/bin/playerctl offset 10-")),
        Key([], "XF86BackForward", lazy.spawn("${pkgs.playerctl}/bin/playerctl offset 10+")),
        Key([], "XF86AudioMute", lazy.spawn("${audio} mute")),
        Key([], "XF86AudioLowerVolume", lazy.spawn("${audio} lower")),
        Key([], "XF86AudioRaiseVolume", lazy.spawn("${audio} raise")),
        Key([], "Print", lazy.spawn("${pkgs.flameshot}/bin/flameshot gui")),
    ]
-    if i is 0:
+    groups = [Group(i) for i in "1234567890"]
        widgets.insert(-1, widget.Systray())
-    screens.append(Screen(bottom=bar.Bar(widgets, 30)))
+    for i in groups:
        # super + letter of group = switch to group
        keys.append(
            Key([key_super], i.name, lazy.group[i.name].toscreen())
        )
-    keys.append(Key([key_super, "shift"], "%i" % (i+1), lazy.to_screen(i)))
+        # super + shift + letter of group = switch to & move focused window to group
        keys.append(
            Key([key_super, key_control], i.name, lazy.window.togroup(i.name))
        )
-# subscribe.current_screen_change(func)
+    layouts = [
        layout.Columns(num_columns=3, border_focus='#00ff00', border_width=2),
        layout.Max(),
        # layout.Stack(num_stacks=3, border_focus='#00ff00', border_width=2, autosplit=True, previous_on_rm=True),
       # layout.Wmii(border_focus='#00ff00'),
       # layout.MonadTall(ratio=0.6, border_focus='#00ff00'),
    ]
-dgroups_key_binder = None
+    widget_defaults = dict(
-dgroups_app_rules = []
+        font='Arial',
-main = None
+        fontsize=16,
-follow_mouse_focus = False
+        padding=3,
-bring_front_click = True
+    )
-cursor_warp = False
+
-auto_fullscreen = True
+    screens_count = 4
-focus_on_window_activation = "urgent"
+    screens = []
    for i in range(0, screens_count+1):
        j = i+1
        widgets = [
            widget.TextBox("Screen %i" % j, name="Screen %i" % j),
            widget.GroupBox(),
            widget.WindowName(),
            widget.Prompt(),
            widget.CPUGraph(),
            widget.ThermalSensor(tag_sensor = "CPU"),
            widget.Memory(),
            # widget.Net(interface='eth0'),
            widget.Net(interface='wlan0'),
            widget.Clock(format='%Y-%m-%d %a %I:%M %p'),
        ]
        if i is 0:
            widgets.insert(-1, widget.Systray())
        screens.append(Screen(bottom=bar.Bar(widgets, 30)))
        keys.append(Key([key_super, "shift"], "%i" % (i+1), lazy.to_screen(i)))
    dgroups_key_binder = None
    dgroups_app_rules = []
    follow_mouse_focus = False
    bring_front_click = False
    cursor_warp = False
    auto_fullscreen = True
    auto_minimize = False
    # focus_on_window_activation = "urgent"
-# Drag floating layouts.
+    # Drag floating layouts.
-mouse = [
+    mouse = [
-    Drag([key_super,key_control], "Button1", lazy.window.set_position_floating(), start=lazy.window.get_position()),
+        # Drag([key_super,key_control], "Button1", lazy.window.set_position_floating(), start=lazy.window.get_position()),
-    Drag([key_super,key_control], "Button2", lazy.window.set_size_floating(), start=lazy.window.get_size()),
+        # Drag([key_super,key_control], "Button2", lazy.window.set_size_floating(), start=lazy.window.get_size()),
-    Click([key_super,key_control], "Button3", lazy.window.disable_floating())
+        Click([key_super,key_control], "Button3", lazy.window.disable_floating())
-]
+    ]
 floating_layout = layout.Floating()
-wmname = "LG3D"
+    # disable any floating
    @hook.subscribe.client_new
    def disable_floating_for_all_new_windows(window):
      window.floating = False
    @hook.subscribe.client_new
    def print_new_window(window):
      print("new window: ", window)
  '';
-in {
+in
-  systemd.user = {
+{
    startServices = true;
    services = {
      redshift-gtk = mkSimpleTrayService {
        execStart = "${pkgs.redshift}/bin/redshift-gtk -v -l 47.6691:9.1698 -t 7000:4500 -m randr";
      };
      pasystray = mkSimpleTrayService {
        execStart = "${pkgs.pasystray}/bin/pasystray";
      };
      cbatticon = mkSimpleTrayService {
        execStart = "${pkgs.cbatticon}/bin/cbatticon";
      };
    };
  };
  services = {
    gnome-keyring.enable = true;
    blueman-applet.enable = true;
@ -310,43 +262,32 @@ in {
      lockCmd = "${screenLockCommand}";
    };
    network-manager-applet.enable = true;
    syncthing.enable = true;
    gpg-agent = {
      enable = true;
      enableScDaemon = true;
      enableSshSupport = true;
      grabKeyboardAndMouse = true;
      extraConfig = "pinentry-program ${pkgs.pinentry-gtk2}/bin/pinentry";
    };
    flameshot.enable = true;
    pasystray.enable = true;
    cbatticon.enable = true;
  };
  home.pointerCursor = {
    name = "Vanilla-DMZ";
    package = pkgs.vanilla-dmz;
    size = 32;
    x11.enable = true;
    gtk.enable = true;
  };
  xsession = {
-    enable = true;
+    enable = false;
-    windowManager.command = "${pkgs.qtile}/bin/qtile -c ${qtileConfig}";
+    windowManager.command = "${pkgs.qtile}/bin/qtile start -c ${qtileConfig}";
-    initExtra = ''
+    initExtra = "${initScreen}";
      # ${pkgs.xorg.xinput}/bin/xinput set-prop "ErgoDox EZ ErgoDox EZ Mouse" "libinput Natural Scrolling Enabled"
      ${pkgs.autorandr}/bin/autorandr -c
      ${pkgs.feh}/bin/feh --bg-scale ${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png
      ${dpmsScript} default
    '';
    pointerCursor = {
      name = "Vanilla-DMZ-AA";
      package = pkgs.vanilla-dmz;
      size = 32;
    };
  };
  home.packages = with pkgs; [
    # X Tools/Libraries
    lightdm
-    qtile
+    networkmanagerapplet
-    gnome3.networkmanagerapplet
+    gnome-icon-theme
-    autorandr
+    gnome.gnome-themes-extra
-    arandr
+    adwaita-icon-theme
    gnome3.gnome_themes_standard
    gnome3.adwaita-icon-theme
    lxappearance
    xorg.xcursorthemes
    pavucontrol
--- a/nix/home-manager/profiles/sway-desktop.nix
+++ b/nix/home-manager/profiles/sway-desktop.nix
@ -0,0 +1,262 @@
 /*
  TODO: create helper scripts for sharing of a screen portion
  ```
  # this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged.
  swaymsg create_output
  # find the name and the workspace number
  swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
  swaymsg output HEADLESS-1 mode 1920@108060Hz
  # mirror the headless workspace on the current one
  nix run nixpkgs\#wl-mirror -- HEADLESS-1
  # shift windows to the workspace and switch the focus to it
 */
 {
  pkgs,
  config,
  lib,
  # packages',
  ...
 }:
 let
  lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
  displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
  displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
  swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
 in
 {
  imports = [
    ../profiles/wayland-desktop.nix
    ../programs/waybar.nix
  ];
  services.dunst = {
    enable = true;
  };
  services.gpg-agent.pinentry.package = pkgs.pinentry-gnome3;
  home.packages = [
    pkgs.swayidle
    pkgs.swaylock
    ## themes
    pkgs.adwaita-icon-theme
    pkgs.hicolor-icon-theme
    pkgs.gnome-icon-theme
    ## fonts
    # pkgs.nerd-fonts # TODO: reinstall selected ones
    pkgs.dejavu_fonts # just a basic good fond
    pkgs.font-awesome_5 # needed by i3status-rust
    pkgs.font-awesome
    pkgs.roboto
    pkgs.ttf_bitstream_vera
    pkgs.noto-fonts
    pkgs.noto-fonts-cjk-sans
    pkgs.noto-fonts-cjk-serif
    pkgs.noto-fonts-emoji
    pkgs.noto-fonts-emoji-blob-bin
    pkgs.noto-fonts-extra
    pkgs.noto-fonts-lgc-plus
    pkgs.liberation_ttf
    pkgs.fira-code
    pkgs.fira-code-symbols
    pkgs.mplus-outline-fonts.githubRelease
    pkgs.dina-font
    pkgs.monoid
    pkgs.hermit
    ### found on colemickens' repo
    pkgs.gelasio # metric-compatible with Georgia
    pkgs.powerline-symbols
    pkgs.iosevka-comfy.comfy-fixed
    ## experimental stuff
    pkgs.fuzzel
  ];
  # TODO: configure kanshi to always set the 5K resolution
  # DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)"
  #   Make: Philips Consumer Electronics Company
  #   Model: PHL 499P9
  #   Serial: AU02419010010
  #   Physical size: 1190x340 mm
  #   Enabled: yes
  #   Modes:
  #     3840x1080 px, 59.967999 Hz (preferred)
  #     5120x1440 px, 59.977001 Hz (current)
  wayland.windowManager.sway = {
    enable = true;
    systemd.enable = true;
    xwayland = false;
    config =
      let
        modifier = "Mod4";
        inherit (config.wayland.windowManager.sway.config)
          left
          right
          up
          down
          ;
      in
      {
        inherit modifier;
        bars = [ ];
        input = {
          "type:keyboard" =
            {
              xkb_layout = config.home.keyboard.layout;
              xkb_variant = config.home.keyboard.variant;
            }
            // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) {
              xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
            };
          "type:touchpad" = {
            natural_scroll = "enabled";
          };
          # alternatively run this command
          # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative"
          # and then switch to a different VT (alt+ctrl+f2) and back
          "1386:914:Wacom_Intuos_Pro_S_Pen" = {
            tool_mode = "* relative";
          };
        };
        keybindings = lib.mkOptionDefault {
          # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
          # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
          "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
          # only 1-9 exist on the default config
          "${modifier}+0" = "workspace number 0";
          "${modifier}+Shift+0" = "move container to workspace number 0";
          # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
          "${modifier}+b" = "nop";
          "${modifier}+v" = "nop";
          # move workspace to output
          "${modifier}+Control+Shift+${left}" = "move workspace to output left";
          "${modifier}+Control+Shift+${right}" = "move workspace to output right";
          "${modifier}+Control+Shift+${up}" = "move workspace to output up";
          "${modifier}+Control+Shift+${down}" = "move workspace to output down";
          # move workspace to output with arrow keys
          "${modifier}+Control+Shift+Left" = "move workspace to output left";
          "${modifier}+Control+Shift+Right" = "move workspace to output right";
          "${modifier}+Control+Shift+Up" = "move workspace to output up";
          "${modifier}+Control+Shift+Down" = "move workspace to output down";
          # TODO: i've been hitting this one accidentally way too often. find a better place.
          # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
          "${modifier}+q" = "kill";
          "${modifier}+Shift+q" =
            "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
          "${modifier}+x" = "exec ${swapOutputWorkspaces}";
          "${modifier}+Ctrl+l" = "exec ${lockCmd}";
          "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
          "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
          "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
          "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
          "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
          "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
          "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
        };
        terminal = "alacritty";
        startup =
          [
            {
              command = builtins.toString (
                pkgs.writeShellScript "ensure-graphical-session" ''
                  (
                    ${pkgs.coreutils}/bin/sleep 0.2
                    ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
                  ) &
                ''
              );
            }
          ]
          ++ lib.optionals config.services.swayidle.enable [
            {
              command = builtins.toString (
                pkgs.writeShellScript "ensure-graphical-session" ''
                  (
                    ${pkgs.coreutils}/bin/sleep 0.2
                    ${pkgs.systemd}/bin/systemctl --user restart swayidle
                  ) &
                ''
              );
            }
          ];
        colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; };
        window.titlebar = false;
        window.border = 4;
        # this maps to focus_on_window_activation
        focus.newWindow = "urgent";
        window.commands = [
          {
            command = "border pixel 0, floating enable, fullscreen disable, move absolute position 0 0";
            criteria.app_id = "flameshot";
          }
        ];
      };
  };
  services.swayidle = {
    enable = true;
    timeouts = [
      {
        timeout = 10;
        command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi";
        resumeCommand = displayOnCmd;
      }
      {
        timeout = 60 * 5;
        command = lockCmd;
      }
      {
        timeout = 60 * 6;
        command = displayOffCmd;
        resumeCommand = displayOnCmd;
      }
    ];
    events = [
      {
        event = "before-sleep";
        command = builtins.concatStringsSep "; " [
          lockCmd
          "${pkgs.playerctl}/bin/playerctl pause"
        ];
      }
      {
        event = "after-resume";
        command = displayOnCmd;
      }
      {
        event = "lock";
        command = lockCmd;
      }
    ];
  };
 }
--- a/nix/home-manager/profiles/wayland-desktop.nix
+++ b/nix/home-manager/profiles/wayland-desktop.nix
@ -0,0 +1,87 @@
 {
  pkgs,
  lib,
  repoFlake,
  ...
 }:
 let
  nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
 in
 {
  fonts.fontconfig.enable = true;
  # services.gpg-agent.pinentryFlavor = lib.mkForce null;
  # services.gpg-agent.extraConfig = ''
  #   pinentry-program "${wayprompt}/bin/pinentry-wayprompt"
  # '';
  services = {
    blueman-applet.enable = true;
    network-manager-applet.enable = true;
  };
  systemd.user.targets.tray = {
    Unit = {
      Description = "Home Manager System Tray";
      Requires = [ "graphical-session-pre.target" ];
    };
  };
  home.packages =
    with pkgs;
    [
      # required by network-manager-applet
      networkmanagerapplet
      wlr-randr
      wayout
      wl-clipboard
      wmctrl
      nixpkgs-wayland'.shotman
      # identifies key input syms
      wev
      # TODO: whwat's this for?
      # wltype
      qt5.qtwayland
      qt6.qtwayland
      # libsForQt5.qt5.qtwayland
      # libsForQt6.qt6.qtwayland
      # audio
      playerctl
      helvum
      pasystray
      sonusmix
      pwvucontrol
      # probably required by flameshot
      # xdg-desktop-portal xdg-desktop-portal-wlr
      # grim
      waypipe
    ]
    ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64)
      # TODO: broken on aarch64
      [ ]
    );
  home.sessionVariables = {
    XDG_SESSION_TYPE = "wayland";
    NIXOS_OZONE_WL = "1";
    MOZ_ENABLE_WAYLAND = "1";
    WLR_NO_HARDWARE_CURSORS = "1";
  };
  home.pointerCursor = {
    name = "Vanilla-DMZ";
    package = pkgs.vanilla-dmz;
    size = 32;
    x11.enable = true;
    gtk.enable = true;
  };
 }
--- a/nix/home-manager/programs/chromium.nix
+++ b/nix/home-manager/programs/chromium.nix
@ -1,23 +1,81 @@
-{ 
+{
-...
+  name,
  lib,
  pkgs,
  ...
 }:
 let
  extensions =
    [
      #undetectable adblocker
      { id = "gcfcpohokifjldeandkfjoboemihipmb"; }
      # ublock origin
      { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; }
      # # YT ad block
      # {id = "cmedhionkhpnakcndndgjdbohmhepckk";}
      # # Adblock Plus
      # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";}
      # Cookie Notice Blocker
      { id = "odhmfmnoejhihkmfebnolljiibpnednn"; }
      # i don't care about cookies
      { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; }
      # NopeCHA
      { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; }
      # h264ify
      { id = "aleakchihdccplidncghkekgioiakgal"; }
      # clippy
      # {id = "honbeilkanbghjimjoniipnnehlmhggk"}
      {
        id = "dcpihecpambacapedldabdbpakmachpb";
        updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml";
      }
      # cookie autodelete
      { id = "fhcgjolkccmbidfldomjliifgaodjagh"; }
      # unhook
      { id = "khncfooichmfjbepaaaebmommgaepoid"; }
    ]
    ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
      # polkadotjs
      { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; }
      # rabby wallet
      { id = "acmacodkjbdgmoleebolmdjonilkdbch"; }
      # phantom wallet
      { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; }
      # Vimium C
      { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; }
      # TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report
      # always right
      { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; }
      # shazam music
      { id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
    ]);
 in
 {
  programs.chromium = {
    enable = true;
    inherit extensions;
    # TODO: extensions currently don't work with ungoogled-chromium
    package = pkgs.chromium;
  };
-  nixpkgs.config = {
+  programs.brave = {
-    chromium = {
+    # TODO: enable this on aarch64-linux
-      # 2019-03-05: missing on 19.03 enablePepperPDF = true;
+    enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
-      enablePepperFlash = false;
+    inherit extensions;
    };
  };
  programs.browserpass = {
    browsers = [
      "chromium"
    ];
  };
 }
--- a/nix/home-manager/programs/emacs.nix
+++ b/nix/home-manager/programs/emacs.nix
@ -1,24 +0,0 @@
 { pkgs,
 ...
 }:
 {
  programs.emacs = {
    enable = true;
    extraPackages = epkgs: (with epkgs; [
      nix-mode
      magit          # ; Integrate git <C-x g>
      zerodark-theme # ; Nicolas' theme
      undo-tree      # ; <C-x u> to show the undo tree
      # zoom-frm       # ; increase/decrease font size for all buffers %lt;C-x C-+>
    ]) ++ (with epkgs.melpaPackages; [
      evil
    ]) ++ (with epkgs.elpaPackages; [
      auctex         # ; LaTeX mode
      beacon         # ; highlight my cursor when scrolling
      nameless       # ; hide current package name everywhere in elisp code
    ]) ++ (with pkgs; [
      pkgs.notmuch   # From main packages set
    ]);
  };
 }
--- a/nix/home-manager/programs/espanso.nix
+++ b/nix/home-manager/programs/espanso.nix
@ -0,0 +1,82 @@
 { pkgs, ... }:
 {
  services.espanso = {
    package = pkgs.espanso-wayland;
    # package = pkgs.espanso-wayland.overrideAttrs (_: {
    #   src = repoFlake.inputs.espanso;
    #   cargoLock = {
    #     # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock";
    #     lockFile = repoFlake.inputs.espanso + "/Cargo.lock";
    #     outputHashes = {
    #       "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU=";
    #     };
    #   };
    # });
    enable = false;
    configs = {
      default = {
        # backend = "Inject";
        # backend = "Clipboard";
      };
    };
    matches =
      let
        playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
      in
      {
        default = {
          matches = [
            {
              trigger = ":vpos";
              replace = "{{output}}";
              vars = [
                {
                  name = "output";
                  type = "script";
                  params = {
                    args = [
                      (pkgs.writeScript "espanso" ''
                        #! ${pkgs.python3}/bin/python
                        import subprocess, os, math, datetime
                        id=str(os.getuid())
                        result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True)
                        result.check_returncode()
                        position_secs = math.trunc(float(result.stdout))
                        position_human = datetime.timedelta(seconds=position_secs)
                        print("%s - %s" % (position_human, position_secs))
                      '')
                    ];
                  };
                }
              ];
            }
            {
              trigger = ":vtit";
              replace = "{{output}}";
              vars = [
                {
                  name = "output";
                  type = "script";
                  params = {
                    args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ];
                  };
                }
              ];
            }
            {
              trigger = ":dunno";
              replace = "¯\\_(ツ)_/¯";
            }
            {
              trigger = ":shrug";
              replace = "¯\\_(ツ)_/¯";
            }
          ];
        };
      };
  };
 }
--- a/nix/home-manager/programs/firefox.nix
+++ b/nix/home-manager/programs/firefox.nix
@ -1,19 +1,451 @@
 { pkgs
 , ...
 }:
 {
-  programs.firefox = {
+  repoFlake,
-    enable = true;
+  pkgs,
-    enableAdobeFlash = false;
+  config,
-  };
+  lib,
  ...
 }:
 let
  # Search extension names with below command:
  # nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY
  ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [
    ublock-origin
-  programs.browserpass = {
+    # bypass-paywalls-clean (can't use, was creating popups)
-    browsers = [
+    consent-o-matic
-      "firefox"
+    terms-of-service-didnt-read
    auto-tab-discard
    # redirector # For nixos wiki
    # darkreader
    facebook-container
    control-panel-for-twitter
    # containerise
    facebook-tracking-removal
    vimium
    cookie-autodelete
    auto-tab-discard
    istilldontcareaboutcookies
    youtube-recommended-videos
    display-_anchors
  ];
  customAddons = [
  ];
  search = {
    force = true;
    default = "ddg";
    privateDefault = "ddg";
    order = [
      "ddg"
      "ecosia"
      "google"
    ];
  };
-  home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
+  mkProfile =
-}
+    override:
    lib.recursiveUpdate {
      extensions.packages = ryceeAddons ++ customAddons;
      inherit search;
      settings = {
        # automatically enable extensions
        "extensions.autoDisableScopes" = 0;
        "middlemouse.paste" = false;
        "browser.download.useDownloadDir" = false;
        "browser.tabs.insertAfterCurrent" = true;
        "browser.tabs.warnOnClose" = true;
        "browser.toolbars.bookmarks.visibility" = "never";
        "browser.quitShortcut.disabled" = false;
        # restore the previous session automatically
        "browser.startup.page" = 3;
        "browser.sessionstore.resume_from_crash" = true;
        "browser.sessionstore.restore_pinned_tabs_on_demand" = true;
        "browser.sessionstore.restore_on_demand" = true;
        "browser.urlbar.suggest.bookmark" = true;
        "browser.urlbar.suggest.engines" = true;
        "browser.urlbar.suggest.history" = true;
        "browser.urlbar.suggest.openpage" = true;
        "browser.urlbar.suggest.topsites" = false;
        "browser.urlbar.trimHttps" = true;
        "sidebar.position_start" = false;
        "findbar.highlightAll" = true;
        "browser.tabs.hoverPreview.enabled" = true;
        # Disable fx accounts
        "identity.fxaccounts.enabled" = false;
        # Disable "save password" prompt
        "signon.rememberSignons" = false;
        # Harden
        "privacy.trackingprotection.enabled" = true;
        "dom.security.https_only_mode" = true;
        # Disable irritating first-run stuff
        "browser.disableResetPrompt" = true;
        "browser.download.panel.shown" = true;
        "browser.feeds.showFirstRunUI" = false;
        "browser.messaging-system.whatsNewPanel.enabled" = false;
        "browser.rights.3.shown" = true;
        "browser.shell.checkDefaultBrowser" = false;
        "browser.shell.defaultBrowserCheckCount" = 1;
        "browser.startup.homepage_override.mstone" = "ignore";
        "browser.uitour.enabled" = false;
        "startup.homepage_override_url" = "";
        "trailhead.firstrun.didSeeAboutWelcome" = true;
        "browser.bookmarks.restore_default_bookmarks" = false;
        "browser.bookmarks.addedImportButton" = true;
        # Disable "Save to Pocket" or Pocket entirely
        "extensions.pocket.enabled" = false;
        # Disable telemetry
        "toolkit.telemetry.enabled" = false;
        "toolkit.telemetry.unified" = false;
        "toolkit.telemetry.archive.enabled" = false;
        "datareporting.healthreport.uploadEnabled" = false;
        "app.shield.optoutstudies.enabled" = false;
        "browser.discovery.enabled" = false;
        "browser.newtabpage.activity-stream.feeds.telemetry" = false;
        "browser.newtabpage.activity-stream.telemetry" = false;
        "browser.ping-centre.telemetry" = false;
        "datareporting.healthreport.service.enabled" = false;
        "datareporting.policy.dataSubmissionEnabled" = false;
        "datareporting.sessions.current.clean" = true;
        "devtools.onboarding.telemetry.logged" = false;
        "toolkit.telemetry.bhrPing.enabled" = false;
        "toolkit.telemetry.firstShutdownPing.enabled" = false;
        "toolkit.telemetry.hybridContent.enabled" = false;
        "toolkit.telemetry.newProfilePing.enabled" = false;
        "toolkit.telemetry.prompted" = 2;
        "toolkit.telemetry.rejected" = true;
        "toolkit.telemetry.reportingpolicy.firstRun" = false;
        "toolkit.telemetry.server" = "";
        "toolkit.telemetry.shutdownPingSender.enabled" = false;
        "toolkit.telemetry.unifiedIsOptIn" = false;
        "toolkit.telemetry.updatePing.enabled" = false;
        # Disable any feeds on the new tab page
        "browser.newtabpage.activity-stream.showTopSites" = false;
        "browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ];
        "browser.newtabpage.activity-stream.discoverystream.enabled" = false;
        "browser.newtabpage.activity-stream.feeds.topsites" = false;
        "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
        "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false;
        "browser.newtabpage.blocked" = lib.genAttrs [
          # Youtube
          "26UbzFJ7qT9/4DhodHKA1Q=="
          # Facebook
          "4gPpjkxgZzXPVtuEoAL9Ig=="
          # Wikipedia
          "eV8/WsSLxHadrTL1gAxhug=="
          # Reddit
          "gLv0ja2RYVgxKdp0I5qwvA=="
          # Amazon
          "K00ILysCaEq8+bEqV/3nuw=="
          # Twitter
          "T9nJot5PurhJSy8n038xGA=="
        ] (_: 1);
        "browser.topsites.blockedSponsors" = [
          "adidas"
          "temuaffiliateprogram.pxf"
          "s.click.aliexpress"
        ];
        # enable userChrome
        "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
        "devtools.chrome.enabled" = true;
        "devtools.debugger.remote-enabled" = true;
        # disable translations for some languages
        "browser.translations.neverTranslateLanguages" = [
          "en"
          "de"
        ];
        "browser.translations.automaticallyPopup" = false;
        # enable pipewire (and libcamera) sources
        "media.webrtc.camera.allow-pipewire" = true;
      };
      userChrome =
        let
          name = override.color or colors.grey;
          value = colorValues."${name}".normal;
          valueBright = colorValues."${name}".highlight;
          valueDark = colorValues."${name}".inactive;
        in
        ''
          @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */
          #nav-bar {
            background-color: ${value} !important;
            color: black !important;
          }
          /* don't show close button on background tabs */
          #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button {
            display: none !important;
          }
          /* show close button on hover */
          #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button {
            display: -moz-inline-box !important;
          }
          /* default */
          #TabsToolbar {
            background: ${valueDark} !important;
          }
          /* default tab */
          #TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content {
            background: ${value} !important;
            opacity: 0.8
          }
          /* selected tab */
          #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content {
            background: ${valueBright} !important;
            box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19);
          }
          /* hovered tab */
          #TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content {
            background: ${valueBright} !important;
          }
          /* unloaded/pending tab */
          #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content {
            background: ${valueDark} !important;
          }
        '';
      # /* new tab */
      # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon {
      #   background: unset !important;
      # }
      # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button {
      # /* background: var(--default_tabs_bg_newtab) !important;
      # }
      # /* hovered new tab */
      # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover {
      #   background: var(--default_tabs_bg_newtab_hovered) !important;
      # }
    } (builtins.removeAttrs override [ "color" ]);
  # TODO: insert the id automatically
  mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs;
  colors = builtins.mapAttrs (name: _: name) colorValues;
  colorValues = {
    blue = {
      normal = "#49b1fc";
      highlight = "#05a9fc"; # Brighter blue
      inactive = "#1f81c6"; # Darker blue
    };
    green = {
      normal = "#51cd00";
      highlight = "#5ae200"; # Brighter green
      inactive = "#45ad00"; # Darker green
    };
    orange = {
      normal = "#ff9800";
      highlight = "#ffb74d"; # Brighter orange
      inactive = "#c76a00"; # Darker orange
    };
    red = {
      normal = "#f6685e";
      highlight = "#ff4336"; # Brighter red
      inactive = "#aa463f"; # Darker red
    };
    yellow = {
      normal = "#fced4b";
      highlight = "#fce705"; # Brighter yellow
      inactive = "#dbbe00"; # Darker yellow
    };
    purple = {
      normal = "#9c27b0";
      highlight = "#ab47bc"; # Brighter purple
      inactive = "#7b1fa2"; # Darker purple
    };
    pink = {
      normal = "#e91e63";
      highlight = "#ff6090"; # Brighter pink
      inactive = "#c2185b"; # Darker pink
    };
    brown = {
      normal = "#795548";
      highlight = "#a88b6f"; # Brighter brown
      inactive = "#4e3b30"; # Darker brown
    };
    grey = {
      normal = "#9e9e9e";
      highlight = "#bdbdbd"; # Brighter grey
      inactive = "#757575"; # Darker grey
    };
    teal = {
      normal = "#009688";
      highlight = "#26c6da"; # Brighter teal
      inactive = "#00796b"; # Darker teal
    };
  };
 in
 {
  nixpkgs.overlays = [
    repoFlake.inputs.nur.overlays.default
  ];
  nixpkgs.config.allowUnfreePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
      "youtube-recommended-videos"
    ];
  programs.librewolf = {
    enable = false;
  };
  programs.firefox = {
    enable = true;
    package = pkgs.firefox;
    profiles =
      lib.filterAttrs (_: v: config.home.username == "steveej" || (v.isDefault or false))
        (mkProfiles {
          "personal" = mkProfile {
            id = 0;
            isDefault = true;
            color = colors.blue;
          };
          "comms" = mkProfile {
            id = 1;
            color = colors.blue;
          };
          "admin" = mkProfile {
            id = 2;
            color = colors.blue;
          };
          "infra" = mkProfile {
            id = 3;
            color = colors.blue;
          };
          "finance" = mkProfile {
            id = 4;
            color = colors.yellow;
          };
          "business-admin" = mkProfile {
            id = 5;
            color = colors.teal;
          };
          "business-comms" = mkProfile {
            id = 6;
            color = colors.teal;
          };
          "business-dev" = mkProfile {
            id = 7;
            color = colors.teal;
          };
          "holo-dev" = mkProfile {
            id = 8;
            color = colors.green;
          };
          "holo-infra" = mkProfile {
            id = 9;
            color = colors.green;
          };
          "holo-comms" = mkProfile {
            id = 10;
            color = colors.green;
          };
          "justyna" = mkProfile {
            id = 11;
            color = colors.pink;
          };
          "justyna-office" = mkProfile {
            id = 12;
            color = colors.pink;
          };
          "tech-research" = mkProfile {
            id = 13;
            color = colors.purple;
          };
        });
    # policies = {
    #   # search via policy. the other one doesn't always work because of schema version mismatch
    #   SearchEngines = {
    #     Default = "Qwant";
    #     PreventInstalls = true;
    #     Add = [
    #       {
    #         Method = "GET";
    #         Alias = "qwant";
    #         Description = "Description";
    #         # PostData= "name=value&q={searchTerms}";
    #         Name = "Qwant";
    #         SuggestURLTemplate = "https://api.qwant.com/api/suggest/?q={searchTerms}";
    #         URLTemplate = "https://www.qwant.com/?q={searchTerms}";
    #       }
    #     ];
    #   };
    # };
  };
  # create one desktop entry for each profile
  xdg.desktopEntries = lib.mapAttrs' (
    k: _v:
    lib.nameValuePair "firefox-profile-${k}" {
      categories = [
        "Network"
        "WebBrowser"
      ];
      exec = "${lib.getExe config.programs.firefox.package} -P ${k}";
      genericName = "Web Browser";
      icon =
        builtins.replaceStrings [ ".desktop" ] [ "" ]
          config.programs.firefox.package.desktopItem.name;
      mimeType = [
        "text/html"
        "text/xml"
        "application/xhtml+xml"
        "application/vnd.mozilla.xul+xml"
        "x-scheme-handler/http"
        "x-scheme-handler/https"
      ];
      name = "Firefox: ${k}";
      startupNotify = true;
      settings.StartupWMClass =
        # To group windows of different profiles.
        # Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name.
        #if profile.name == "default"
        #then "firefox"
        #else "firefox-${profile.name}";
        "firefox";
      terminal = false;
      type = "Application";
    }
  ) config.programs.firefox.profiles;
 }
--- a/nix/home-manager/programs/gpg-agent.nix
+++ b/nix/home-manager/programs/gpg-agent.nix
@ -0,0 +1,24 @@
 {
  lib,
  pkgs,
  osConfig,
  ...
 }:
 {
  home.packages = [ pkgs.gcr ];
  programs.gpg.enable = true;
  services.gpg-agent = {
    enable = true;
    enableScDaemon = !osConfig.services.pcscd.enable;
    enableSshSupport = true;
    grabKeyboardAndMouse = true;
    pinentry.package = lib.mkDefault pkgs.pinentry-gtk2;
    extraConfig = ''
      no-allow-external-cache
    '';
    defaultCacheTtl = 0;
    maxCacheTtl = 0;
  };
 }
--- a/nix/home-manager/programs/homeshick.nix
+++ b/nix/home-manager/programs/homeshick.nix
@ -1,38 +1,29 @@
-{ pkgs
+{ pkgs, config, ... }:
-, config
+{
-, ...
+  home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
 }:
-let
+  home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] ''
  # TODO: clean up the impurity in here
 in {
  home.sessionVariables = {
    HOMESHICK_DIR="${pkgs.homeshick}";
  };
  home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
    $DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
-    set -e
+      set -e
-    echo home-manager path is ${config.home.path}
+      echo home-manager path is ${config.home.path}
-    echo home is $HOME
+      echo home is $HOME
-    source ${pkgs.homeshick}/homeshick.sh
+      source ${pkgs.homeshick}/homeshick.sh
-    type homeshick
+      type homeshick
-      
+
-    # echo Updating homeshick
+      # echo Updating homeshick
-    # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
+      # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
-    # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
+      # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
    ''};
  '';
  nixpkgs.config = {
-
+    packageOverrides =
-    packageOverrides = pkgs: with pkgs; {
+      pkgs: with pkgs; {
-      homeshick = builtins.fetchGit {
+        homeshick = builtins.fetchGit {
-        url = "https://github.com/andsens/homeshick.git";
+          url = "https://github.com/andsens/homeshick.git";
-        ref = "master";
+          ref = "master";
        };
      };
    };
  };
 }
--- a/nix/home-manager/programs/libreoffice.nix
+++ b/nix/home-manager/programs/libreoffice.nix
@ -1,14 +1,8 @@
-{ pkgs,
+{ pkgs, nodeFlake, ... }:
 ...
 }:
 let
  pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system};
 in
 {
-  home.sessionVariables = {
+  home.packages = [ pkgsStable.libreoffice ];
    # Workaround for Libreoffice to force gtk3
    SAL_USE_VCLPLUGIN = "gtk3";
  };
  home.packages = with pkgs; [
    libreoffice-fresh
  ];
 }
--- a/nix/home-manager/programs/neovim.nix
+++ b/nix/home-manager/programs/neovim.nix
@ -1,166 +1,163 @@
-{ pkgs,
+{ repoFlake, pkgs, ... }:
-...
+{
-}:
+  imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ];
-let
+  programs.nixvim = {
  unstablepkgs = import <channels-nixos-unstable> {};
 in {
  home.sessionVariables = {
    EDITOR = "nvim";
  };
  nixpkgs.config = {
    pidgin = {
      openssl = true;
      gnutls = true;
    };
    packageOverrides = pkgs: with pkgs; {
      neovim = unstablepkgs.neovim;
      vimPlugins = unstablepkgs.vimPlugins;
    };
  };
  programs.neovim = {
    enable = true;
    defaultEditor = true;
    vimdiffAlias = true;
    vimAlias = true;
-    extraPythonPackages = (ps: with ps; [ ]);
+    extraPython3Packages = ps: with ps; [ ];
    extraPython3Packages = (ps: with ps; [ ]);
-    configure = {
+    # extraConfigVim = builtins.readFile ./neovim/vimrc;
      customRC = builtins.readFile ./neovim/vimrc;
      vam = {
        knownPlugins = with pkgs; vimPlugins // {
          delimitMate = vimUtils.buildVimPlugin {
            name = "delimitMate-vim";
            src = fetchFromGitHub {
              owner = "Raimondi";
              repo = "delimitMate";
              rev = "728b57a6564c1d2bdfb9b9e0f2f8c5ba3d7e0c5c";
              sha256 = "0fskm9gz81dk8arcidrm71mv72a7isng1clssqkqn5wnygbiimsn";
            };
            buildInputs = [ zip vim ];
          };
-          yaml-folds = vimUtils.buildVimPlugin {
+    clipboard = {
-            name = "vim-yaml-folds";
+      register = "unnamedplus";
-            src = fetchFromGitHub {
+      providers.wl-copy.enable = true;
-              owner = "pedrohdz";
+    };
              repo = "vim-yaml-folds";
              rev = "0672d9a3b685b51b4c49d8716c2ad4e27cfa5abd";
              sha256 = "0yp2jgaqiria79lh75fkrs77rw7nk518bq63w9bvyy814i7s4scn";
            };
            buildInputs = [ zip vim ];
          };
-          vim-yaml = vimUtils.buildVimPlugin {
+    plugins = {
-            name = "vim-yaml";
+      airline = {
-            src = fetchFromGitHub {
+        enable = true;
-              owner = "stephpy";
+        settings = {
-              repo = "vim-yaml";
+          powerline_fonts = 1;
-              rev = "e97e063b16eba4e593d620676a0a15fa98613979";
+          skip_empty_sections = 1;
-              sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
+          theme = "papercolor";
            };
          };
          vim-markdown-toc = vimUtils.buildVimPlugin {
            name = "vim-markdown-toc";
            src = fetchFromGitHub {
              owner = "mzlogin";
              repo = "vim-markdown-toc";
              rev = "a6e227023f405a7c39590a8aaf0d54dde5614a2e";
              sha256 = "1vpsnjzc7hvrkp6mq68myxl3k1x363iif58rrd17njcsa4jh1zwy";
            };
          };
          vim-perl = vimUtils.buildVimPlugin {
            name = "vim-perl";
            src = fetchFromGitHub {
              owner = "vim-perl";
              repo = "vim-perl";
              rev = "21d0a0d795336acf8a9306da35f379c32cfc5e08";
              sha256 = "0f2sa0v3djd89k16n4saji9n7grziyhkljq75dskcbv8r19m8i1j";
            };
          };
          git-blame = vimUtils.buildVimPlugin {
            name = "git-blame";
            src = fetchFromGitHub {
              "owner" = "zivyangll";
              "repo" = "git-blame.vim";
              "rev" = "a5b666840eead1b1ea1c351038da6ce026716bb6";
              "sha256" = "181siphb87yzln9433159ssa6vmm1h2dd0kqhlx7bgsi51gng4rv";
            };
          };
          tlib = vimPlugins.tlib_vim;
        };
      };
      fugitive.enable = true;
      gitblame.enable = true;
      lsp = {
        enable = true;
      };
-        pluginDictionaries = let 
+      nix.enable = true;
          default = [
            "delimitMate"
            "vim-airline"
            "vim-airline-themes"
            "ctrlp"
            "vim-css-color"
            "rainbow_parentheses"
            "vim-colorschemes"
            "vim-colorstepper"
            "vim-signify"
            "fugitive"
            "vim-indent-guides"
            "UltiSnips"
            "fzfWrapper"
-            "ncm2"
+      # TODO: enable in next release
-            "ncm2-bufword"
+      # numbertoggle.enable = true;
            "ncm2-path"
            "ncm2-tmux"
            "ncm2-ultisnips"
            "nvim-yarp"
-            "LanguageClient-neovim"
+      # successfor to ctrlp and fzf
      telescope.enable = true;
-            "Improved-AnsiEsc"
+      todo-comments.enable = true;
            "tabular"
            "git-blame"
-            # Nix
+      toggleterm.enable = true;
            "vim-addon-nix" "tlib"
            "vim-addon-vim2nix"
-            # LaTeX
+      treesitter = {
-            "vim-latex-live-preview"
+        enable = true;
            "vimtex"
-            # YAML
+        grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [
-            "yaml-folds"
+          bash
-            "vim-yaml"
+          json
-
+          lua
-            # Perl
+          make
-            # "vim-perl"
+          markdown
-
+          nix
-
+          regex
-            # markdown
+          toml
-            "vim-markdown"
+          vim
-            "vim-markdown-toc"
+          vimdoc
-
+          xml
-            # misc syntax support
+          yaml
            "vim-bazel" "maktaba"
          ];
        in [
          { names = default; }
          { names = default ++ [
            ];
            filename_regex = ".*\.nix\$";
          }
          { names = default ++ [
            ];
            filename_regex = ".*\.tex\$";
          }
        ];
      };
      treesitter-context.enable = true;
      treesitter-refactor.enable = true;
      # This plugin trims trailing whitespace and lines.
      trim.enable = true;
      web-devicons.enable = true;
    };
    # plugins = with pkgs;
    #   [
    #     # yaml-folds
    #     {
    #       plugin = vimUtils.buildVimPlugin {
    #         name = "vim-yaml-folds";
    #         src = fetchFromGitHub {
    #           owner = "pedrohdz";
    #           repo = "vim-yaml-folds";
    #           rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a";
    #           sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m";
    #         };
    #         buildInputs = [zip vim];
    #       };
    #     }
    #     {
    #       plugin = vimUtils.buildVimPlugin {
    #         name = "vim-yaml";
    #         src = fetchFromGitHub {
    #           owner = "stephpy";
    #           repo = "vim-yaml";
    #           rev = "e97e063b16eba4e593d620676a0a15fa98613979";
    #           sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
    #         };
    #       };
    #     }
    #     {
    #       plugin = vimUtils.buildVimPlugin {
    #         name = "git-blame";
    #         src = fetchFromGitHub {
    #           "owner" = "zivyangll";
    #           "repo" = "git-blame.vim";
    #           "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917";
    #           "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
    #         };
    #       };
    #     }
    #   ]
    #   ++ (with pkgs.vimPlugins; [
    #     delimitMate
    #     vim-airline
    #     vim-airline-themes
    #     ctrlp
    #     vim-css-color
    #     rainbow_parentheses
    #     vim-colorschemes
    #     vim-colorstepper
    #     vim-signify
    #     fugitive
    #     vim-indent-guides
    #     UltiSnips
    #     fzfWrapper
    #     ncm2
    #     ncm2-bufword
    #     ncm2-path
    #     ncm2-tmux
    #     ncm2-ultisnips
    #     nvim-yarp
    #     LanguageClient-neovim
    #     Improved-AnsiEsc
    #     tabular
    #     # Nix
    #     vim-addon-nix
    #     tlib
    #     vim-addon-vim2nix
    #     # LaTeX
    #     vim-latex-live-preview
    #     vimtex
    #     # YAML
    #     vim-yaml
    #     # markdown
    #     vim-markdown
    #     vim-markdown-toc
    #     # misc syntax support
    #     vim-bazel
    #     maktaba
    #   ]);
  };
 }
--- a/nix/home-manager/programs/neovim/vimrc
+++ b/nix/home-manager/programs/neovim/vimrc
@ -46,9 +46,11 @@ noremap <C-p> :tabp<CR>
 let g:ctrlp_map = '<tab>'
 set wildignore+=*/site/*,*.so,*.swp,*.zip
 let g:ctrlp_custom_ignore = {
-\ 'dir':  '\v[\/]\.(git|hg|svn|)$$',
+\ 'dir':  '\v[\/]\.(git|hg|svn)$$',
 \ 'file': '\v\.(exe|so|dll)$$',
 \ }
 "let g:ctrlp_max_files=0
 "let g:ctrlp_max_depth=1000
 "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' }
 "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict'
--- a/nix/home-manager/programs/obs-studio.nix
+++ b/nix/home-manager/programs/obs-studio.nix
@ -0,0 +1,25 @@
 { pkgs, lib, ... }:
 {
  programs.obs-studio = {
    enable = true;
    plugins =
      builtins.map
        (
          plugin:
          (plugin.overrideAttrs (attrs: {
            meta = lib.mkMerge [
              { inherit (attrs) meta; }
              { meta.platforms = [ pkgs.stdenv.system ]; }
            ];
          }))
        )
        (
          with pkgs.obs-studio-plugins;
          [
            # wlrobs
            obs-backgroundremoval
            obs-pipewire-audio-capture
          ]
        );
  };
 }
--- a/nix/home-manager/programs/openvscode-server.nix
+++ b/nix/home-manager/programs/openvscode-server.nix
@ -0,0 +1,37 @@
 { pkgs, repoFlake, ... }:
 let
  pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
 in
 {
  home.packages = [
    pkgs.nil
    pkgs.nixd
    pkgs.nixfmt-rfc-style
    # TODO: automate linking this
    # 1. get the commit with: `codium --version`
    # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
    # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
    /*
      e.g.:
      ```
      (
        set -e
        export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
        ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
      )
      ```
    */
    (pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
      src = repoFlake.inputs.openvscode-server;
      version = "1.94.2";
      yarnCache = attrs.yarnCache.overrideAttrs (_: {
        outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
      });
    }))
    pkgs.waypipe
  ];
 }
--- a/nix/home-manager/programs/pass.nix
+++ b/nix/home-manager/programs/pass.nix
@ -1,23 +1,17 @@
-{ pkgs
+{ repoFlake, pkgs, ... }:
 , ...
 }:
 {
-  home.sessionVariables = {
+  # required by pass-otp
-    # required by pass-otp
+  # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
-    PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
+  # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
-    PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
+  # programs.browserpass.enable = true;
  };
  programs.browserpass = {
    enable = true;
  };
-  home.packages = with pkgs; [
+  home.packages = [
-    pass-otp
+    pkgs.gnupg
-    qtpass
+
-    rofi-pass
+    # broken on wayland
-    gnupg
+    # rofi-pass
    (pkgs.callPackage repoFlake.lib.prsFn {
    })
  ];
 }
--- a/nix/home-manager/programs/podman.nix
+++ b/nix/home-manager/programs/podman.nix
@ -1,160 +0,0 @@
 { pkgs
 , ...
 }:
 let
  cniConfigDir = let
      loopback = pkgs.writeText "00-loopback.conf" ''
        {
          "cniVersion": "0.3.0",
          "type": "loopback"
        }
      '';
      podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
        {
            "cniVersion": "0.3.0",
            "name": "podman",
            "plugins": [
              {
                "type": "bridge",
                "bridge": "cni0",
                "isGateway": true,
                "ipMasq": true,
                "ipam": {
                    "type": "host-local",
                    "subnet": "10.88.0.0/16",
                    "routes": [
                        { "dst": "0.0.0.0/0" }
                    ]
                }
              },
              {
                "type": "portmap",
                "capabilities": {
                  "portMappings": true
                }
              }
            ]
        }
      '';
    in pkgs.runCommand "cniConfig" {} ''
      set -x
      mkdir $out;
      ln -s ${loopback} $out/${loopback.name}
      ln -s ${podman-bridge} $out/${podman-bridge.name}
    '';
  containersConf = pkgs.writeText "containers.conf" ''
    # containers.conf is the default configuration file for all tools using libpod to
    # manage containers
    # Default transport method for pulling and pushing for images
    image_default_transport = "docker://"
    #  Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback.
    conmon_path = [ 
      "${pkgs.conmon}/bin/conmon"
    ]
    # --runtime ${pkgs.crun}/bin/crun \
    runtime = "crun"
    # Environment variables to pass into conmon
    conmon_env_vars = [
    ]
    # CGroup Manager - valid values are "systemd" and "cgroupfs"
    # cgroup_manager = "systemd"
    cgroup_manager = "cgroupfs"
    # Maximum size of log files (in bytes)
    # -1 is unlimited
    max_log_size = -1
    # Whether to use chroot instead of pivot_root in the runtime
    no_pivot_root = false
    # Directory containing CNI plugin configuration files
    cni_config_dir = "${cniConfigDir}"
    # Directories where the CNI plugin binaries may be located
    cni_plugin_dir = [
      "${pkgs.cni-plugins}/bin"
    ]
    # Default CNI network for libpod.
    # If multiple CNI network configs are present, libpod will use the network with
    # the name given here for containers unless explicitly overridden.
    # The default here is set to the name we set in the
    # 87-podman-bridge.conflist included in the repository.
    # Not setting this, or setting it to the empty string, will use normal CNI
    # precedence rules for selecting between multiple networks.
    cni_default_network = "podman"
    # Default libpod namespace
    # If libpod is joined to a namespace, it will see only containers and pods
    # that were created in the same namespace, and will create new containers and
    # pods in that namespace.
    # The default namespace is "", which corresponds to no namespace. When no
    # namespace is set, all containers and pods are visible.
    #namespace = ""
    # Default pause image name for pod pause containers
    pause_image = "k8s.gcr.io/pause:3.1"
    # Default command to run the pause container
    pause_command = "/pause"
    # Determines whether libpod will reserve ports on the host when they are
    # forwarded to containers. When enabled, when ports are forwarded to containers,
    # they are held open by conmon as long as the container is running, ensuring that
    # they cannot be reused by other programs on the host. However, this can cause
    # significant memory usage if a container has many ports forwarded to it.
    # Disabling this can save memory.
    enable_port_reservation = true
    # Default libpod support for container labeling
    # label=true
  '';
 in {
  home.packages = with pkgs; [
    podman
  ];
  home.file.".config/containers/containers.conf".source = containersConf;
  home.file.".config/containers/registries.conf".text = ''
    [registries.search]
    registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org']
    [registries.insecure]
    registries = []
    #blocked (docker only)
    [registries.block]
    registries = []
  '';
  home.file.".config/containers/storage.conf".text = ''
    [storage]
    driver = "btrfs"
  '';
  home.file.".config/containers/policy.json".text = ''
    {
        "default": [
            {
                "type": "insecureAcceptAnything"
            }
        ],
        "transports":
            {
                "docker-daemon":
                    {
                        "": [{"type":"insecureAcceptAnything"}]
                    }
            }
    }
  '';
 }
--- a/nix/home-manager/programs/radicale.nix
+++ b/nix/home-manager/programs/radicale.nix
@ -0,0 +1,89 @@
 {
  config,
  lib,
  pkgs,
  osConfig,
  ...
 }:
 let
  libdecsync = pkgs.python3Packages.buildPythonPackage rec {
    pname = "libdecsync";
    version = "2.2.1";
    src = pkgs.python3Packages.fetchPypi {
      inherit pname version;
      hash = "sha256-Mukjzjumv9VL+A0maU0K/SliWrgeRjAeiEdN5a83G0I=";
    };
    propagatedBuildInputs = [
      # pkgs.libxcrypt-legacy
    ];
  };
  radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec {
    pname = "radicale_storage_decsync";
    version = "2.1.0";
    src = pkgs.python3Packages.fetchPypi {
      inherit pname version;
      hash = "sha256-X+0MT5o2PjsKxca5EDI+rYyQDmUtbRoELDr6e4YXKCg=";
    };
    buildInputs = [
      pkgs.radicale
      # pkgs.libxcrypt-legacy
      # pkgs.libxcrypt
    ];
    nativeCheckInputs = [
      # pkgs.libxcrypt-legacy
      # pkgs.libxcrypt
    ];
    propagatedBuildInputs = [
      libdecsync
      pkgs.python3Packages.setuptools
    ];
  };
  radicale-decsync = pkgs.radicale.overrideAttrs (old: {
    propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ];
  });
  mkRadicaleService =
    { suffix, port }:
    let
      radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
        [server]
        hosts = localhost:${builtins.toString port}
        [auth]
        type = htpasswd
        htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}
        htpasswd_encryption = bcrypt
        [storage]
        type = radicale_storage_decsync
        filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix}
        decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix}
      '';
    in
    {
      systemd.user.services."radicale-${suffix}" = {
        Unit.Description = "Radicale with DecSync (${suffix})";
        Service = {
          ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
          Restart = "on-failure";
        };
        Install.WantedBy = [ "default.target" ];
      };
    };
 in
 builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [
  {
    suffix = "personal";
    port = 5232;
  }
  {
    suffix = "family";
    port = 5233;
  }
 ]
--- a/nix/home-manager/programs/redshift.nix
+++ b/nix/home-manager/programs/redshift.nix
@ -0,0 +1,28 @@
 _:
 let
  passwords = import ../../variables/passwords.crypt.nix;
 in
 {
  services.gammastep = {
    enable = true;
    provider = "manual";
    enableVerboseLogging = true;
    inherit (passwords.location.stefan) longitude latitude;
    temperature = {
      # day = 6700;
      day = 3000;
      night = 3000;
    };
    tray = true;
    settings = {
      general = {
        adjustment-method = "wayland";
      };
      gammastep = {
        # brightness-day = 1.0;
        brightness-day = 0.5;
        brightness-night = 0.5;
      };
    };
  };
 }
--- a/nix/home-manager/programs/salut.nix
+++ b/nix/home-manager/programs/salut.nix
@ -0,0 +1,31 @@
 { pkgs, packages', ... }:
 # useful testing command:
 # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done
 let
  inherit (import ../lib.nix { }) mkSimpleTrayService;
 in
 {
  home.packages = [ packages'.salut ];
  xdg.configFile."salut/config.ini" = {
    enable = true;
    text = ''
      [notifications]
      timeout = 5000
      [window]
      auto-hide = true
      anchor = bottom-right
      transition = slidebottom
      [mode]
      single = true
      [style]
      preference = dark
    '';
    onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
  };
  systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; };
 }
--- a/nix/home-manager/programs/vscode/default.nix
+++ b/nix/home-manager/programs/vscode/default.nix
@ -1,483 +1,134 @@
-{ pkgs, ... }:
+{
-
+  config,
  pkgs,
  repoFlake,
  lib,
  ...
 }:
 let
-  packagedExtensions = with pkgs.vscode-extensions; [
+  pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
    bbenoist.Nix
    ms-vscode-remote.remote-ssh
  ];
  marketPlaceExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [
    {
      name = "vim";
      publisher = "vscodevim";
      version = "1.17.1";
      sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1";
    }
    {
      name = "remote-ssh-edit";
      publisher = "ms-vscode-remote";
      version = "0.56.0";
      sha256 = "1gy03ff2xqg7q3y4j47z2l94x5gbw0mjd5h4cl3n0q3iaswk1c1r";
    }
    {
      name = "Theme-NaturalContrast-With-HC";
      publisher = "74th";
      version = "1.0.0";
      sha256 = "1wxwk059znkflip0c8hyqdfq0h15n4idmff4bnnfdggiqjwhr5rm";
    }
    {
      name = "markdown-toc";
      publisher = "AlanWalk";
      version = "1.5.6";
      sha256 = "0hh38i2dpmrm2akcd4jkxchp6b374m5jzcqm1jqqmkqjmlig7qm5";
    }
    {
      name = "Paper-tmTheme";
      publisher = "DiryoX";
      version = "0.4.0";
      sha256 = "0l8hgbwwg87ysfb22rvwgmkk91i4vjd0kgi30c1bn26bm2pd1gw0";
    }
    {
      name = "Monokai-Polished";
      publisher = "Mit";
      version = "0.3.1";
      sha256 = "11h7sfwp9ikwc8z6bkyxk1678ymfpff8i2p876b208yrq8dy2kr1";
    }
    {
      name = "dot";
      publisher = "Stephanvs";
      version = "0.0.1";
      sha256 = "0rq0wvnbcggg4zb4swxym77knfjma0v9lwf3x45p22qsqx2crvgf";
    }
    {
      name = "rust-snippets";
      publisher = "ZakCodes";
      version = "0.0.1";
      sha256 = "152i23mh8j2l26zpwid3hllxc2abkhr3g939rvxk8bry137vryy2";
    }
    {
      name = "better-comments";
      publisher = "aaron-bond";
      version = "2.1.0";
      sha256 = "0kmmk6bpsdrvbb7dqf0d3annpg41n9g6ljzc1dh0akjzpbchdcwp";
    }
    {
      name = "vscode-icalendar";
      publisher = "af4jm";
      version = "1.0.1";
      sha256 = "0g15f2595ayy9ch4f2ccd8prc51q1mwslilk8sk2ldsmdksaya79";
    }
    {
      name = "hugofy";
      publisher = "akmittal";
      version = "0.1.1";
      sha256 = "02rjwmy7z4qfxws8lgdki53q4b2hjklxn2nlxx3w04kahr759dlg";
    }
    {
      name = "asciidoctor-vscode";
      publisher = "asciidoctor";
      version = "2.8.4";
      sha256 = "0j019vwmd83mbc75kfcqzmpvqzsp3s595cgh6n9978k9q0zjrqad";
    }
    {
      name = "markdown-preview-github-styles";
      publisher = "bierner";
      version = "0.1.6";
      sha256 = "1plj6a1hgbhb740zbw4pbnk7919cx1s6agf5xiiqbb9485x2pqiw";
    }
    {
      name = "made-of-code";
      publisher = "brian-yu";
      version = "0.0.5";
      sha256 = "1cmw63vrpzxv8vkgq674xa2wqqag0a8spr623ngi87925f17p965";
    }
    {
      name = "better-toml";
      publisher = "bungcip";
      version = "0.3.2";
      sha256 = "08lhzhrn6p0xwi0hcyp6lj9bvpfj87vr99klzsiy8ji7621dzql3";
    }
    {
      name = "tabulous";
      publisher = "bwildeman";
      version = "1.2.0";
      sha256 = "0hbp345i19ncvn1v792nr257gmw0nz09nhjniiypnzvz9wszw2j9";
    }
    {
      name = "bracket-pair-colorizer";
      publisher = "CoenraadS";
      version = "1.0.61";
      sha256 = "0r3bfp8kvhf9zpbiil7acx7zain26grk133f0r0syxqgml12i652";
    }
    {
      name = "mustache";
      publisher = "dawhite";
      version = "1.1.1";
      sha256 = "1j8qn5grg8v3n3v66d8c77slwpdr130xzpv06z1wp2bmxhqsck1y";
    }
    {
      name = "vscode-nomnoml";
      publisher = "doctorrustynelson";
      version = "0.3.0";
      sha256 = "07nr6n5ai8m6rap8av47mqi3vv6zchymiqfw8jlbl4hsryszyr43";
    }
    {
      name = "gitlens";
      publisher = "eamodio";
      version = "11.0.5";
      sha256 = "1fi8j5r6cd82a50hv2lwzqnvyvhxf9waamkviyh0wyqi5i1k4q88";
    }
    {
      name = "monokai-light";
      publisher = "ethansugar";
      version = "0.2.1";
      sha256 = "1xn74arpv58hwdywaxvv9xhljl23wsqdpyfrgn9nvd29gsiz71w0";
    }
    {
      name = "Theme-Monokai-Contrast";
      publisher = "gerane";
      version = "0.0.5";
      sha256 = "1m1n1izdjgng0q3yljccwjxj0s60p5nfw3hlw7hb467a1wz479pm";
    }
    {
      name = "Theme-snappy-light";
      publisher = "gerane";
      version = "0.0.5";
      sha256 = "0syrm921l4lka6dmg258c2zi0a758acvcs8y0qm0kjim7h7xxf0w";
    }
    {
      name = "vscode-pull-request-github";
      publisher = "GitHub";
      version = "0.21.3";
      sha256 = "0p03v6y1gh62jby74vkhi897mzj8dg9xb561v0b99x81r9zhwqw0";
    }
    {
      name = "go";
      publisher = "golang";
      version = "0.19.0";
      sha256 = "1xr2c4xn0w68fdcbm8d2wqfb9dxf03w38367ghycrzmz2p4syr98";
    }
    {
      name = "terraform";
      publisher = "hashicorp";
      version = "2.3.0";
      sha256 = "0696q8nr6kb5q08295zvbqwj7lr98z18gz1chf0adgrh476zm6qq";
    }
    {
      name = "bonsai";
      publisher = "hawkeyegold";
      version = "1.4.0";
      sha256 = "0r7bxx1lgbg6p97xwd2wr8j7slz720a1v6vzpd0fhcq83vqzkl89";
    }
    {
      name = "live-html-previewer";
      publisher = "hdg";
      version = "0.3.0";
      sha256 = "0hv5plh44q97355j5la83r8hjsxpv9d173mba34xr4p82a3pcq5p";
    }
    {
      name = "yuml";
      publisher = "JaimeOlivares";
      version = "3.5.1";
      sha256 = "01phwj8kn2zmzpjk97wacnc8iiby0szv40b1030fkcm3szafnya0";
    }
    {
      name = "latex-workshop";
      publisher = "James-Yu";
      version = "8.14.0";
      sha256 = "12bh2gpmak7vgzhjnvk2hw0yqm6wkd7vsm4ki4zbqa6lpriscjyi";
    }
    {
      name = "plantuml";
      publisher = "jebbs";
      version = "2.13.16";
      sha256 = "0672x0a1c9yk0g4vka40f4amgxir2bs25zg6qsims9plj0x2s4si";
    }
    {
      name = "tasks-chooser";
      publisher = "jeremyfa";
      version = "0.3.0";
      sha256 = "0bq80wv7zf94cgn94ll3jj68z35p13r0zw5by62dnlnj1sv7dghi";
    }
    {
      name = "asciidoctor-vscode";
      publisher = "joaompinto";
      version = "2.8.0";
      sha256 = "06nx627fik3c3x4gsq01rj0v59ckd4byvxffwmmigy3q2ljzsp0x";
    }
    {
      name = "contrast-theme";
      publisher = "johndugan";
      version = "1.1.10";
      sha256 = "0hib85318940ajfbzqrpgqh4jr39w18aq6babargbf64yxg94mbw";
    }
    {
      name = "theme-dark-plus-contrast";
      publisher = "k3a";
      version = "0.1.101";
      sha256 = "137kq6i6xn394msjrhj7v6c8shrvw9yf8i01mf4yl4aan2bw3419";
    }
    {
      name = "vscode-gist";
      publisher = "kenhowardpdx";
      version = "3.0.3";
      sha256 = "033iry115hbd5jbdr04frbrcgfpfnsc2z551nlfsaczbg4j9dydw";
    }
    {
      name = "quick-open";
      publisher = "leizongmin";
      version = "1.1.0";
      sha256 = "03avjgkvl2w51f0lvvfksa6lxqb4i9jgz2c74hw686yaydj8mfsp";
    }
    {
      name = "rainbow-csv";
      publisher = "mechatroner";
      version = "1.7.1";
      sha256 = "0w5mijs4ll5qjkpyw7qpn1k40pq8spm0b3q72x150ydbcini5hxw";
    }
    {
      name = "openapi-lint";
      publisher = "mermade";
      version = "1.2.0";
      sha256 = "0q81ifgr211apymbs21y0l3x8n324k6mh7p8kykz2xz38cslyq49";
    }
    {
      name = "swagger-doc-viewer";
      publisher = "mimarec";
      version = "1.0.4";
      sha256 = "1vvqwmfav6c2r1xkyfczm564bi2cpa9nklj35w3h3hrp4f6dnvpx";
    }
    {
      name = "vscode-clang";
      publisher = "mitaki28";
      version = "0.2.3";
      sha256 = "0xbg2frb4dxv7zl43gi25w2mkkh4xq2aidcf5i8b4imys9h720yr";
    }
    {
      name = "prettify-json";
      publisher = "mohsen1";
      version = "0.0.3";
      sha256 = "1spj01dpfggfchwly3iyfm2ak618q2wqd90qx5ndvkj3a7x6rxwn";
    }
    {
      name = "vscode-docker";
      publisher = "ms-azuretools";
      version = "1.8.1";
      sha256 = "08691mwb3kgmk5fnjpw1g3a5i7qwalw1yrv2skm519wh62w6nmw8";
    }
    {
      name = "python";
      publisher = "ms-python";
      version = "2020.11.371526539";
      sha256 = "0iavy4c209k53jkqsbhsvibzjj3fjxa500rv72fywgb2vxsi9fc3";
    }
    {
      name = "jupyter";
      publisher = "ms-toolsai";
      version = "2020.11.372831992";
      sha256 = "0r39xqrbkzcfkz6rca039s87ibx79a983y8lbiglhkmw3bp4p658";
    }
    # fails to download C/C++ tools
    # {
    #   name = "cpptools";
    #   publisher = "ms-vscode";
    #   version = "1.1.2";
    #   sha256 = "09z1vrshvwimdrpsnfs4lyzca2qixp3h85xib8jf2fpxdjl3r5vg";
    # }
    {
      name = "vscode-quick-open-create";
      publisher = "nocksock";
      version = "0.6.0";
      sha256 = "0ipkjm74xpx44h130rmbnkjwsi63kcvq6fr0b0nxqqc9aa9jk22j";
    }
    {
      name = "indent-rainbow";
      publisher = "oderwat";
      version = "7.4.0";
      sha256 = "1xnsdwrcx24vlbpd2igjaqlk3ck5d6jzcfmxaisrgk7sac1aa81p";
    }
    {
      name = "phantypist";
      publisher = "paulofallon";
      version = "1.0.3";
      sha256 = "0rsaklwsd9i25p9j82ivblkbsk5cwjm22afzc2cq5klkbz9vxg62";
    }
    {
      name = "swaggitor";
      publisher = "qnsolutions";
      version = "0.1.1";
      sha256 = "0dhygxawxjhm0q1nmxwwcyhnk4hm1yzadnhc5ha7amdg7gddlrc1";
    }
    {
      name = "vscode-yaml";
      publisher = "redhat";
      version = "0.13.0";
      sha256 = "046kdk73a5xbrwq16ff0l64271c6q6ygjvxaph58z29gyiszfkig";
    }
    {
      name = "papercolor-vscode";
      publisher = "rozbo";
      version = "0.4.0";
      sha256 = "0fla4dfxm6ppqgfvp9rc2izhnv0909yk3r38xmh15ald84i1jhzm";
    }
    {
      name = "iferrblocks";
      publisher = "rstuven";
      version = "1.1.1";
      sha256 = "0ncj1g2dqa1wwqmj27w1356f4b9nlk2narvgyjn208axfwifz1lw";
    }
    {
      name = "rust";
      publisher = "rust-lang";
      version = "0.7.8";
      sha256 = "039ns854v1k4jb9xqknrjkj8lf62nfcpfn0716ancmjc4f0xlzb3";
    }
    {
      name = "bracket-jumper";
      publisher = "sashaweiss";
      version = "1.1.8";
      sha256 = "11sj7h13yjcpd94x07wlmck7cmidk1kla00kjq7wfw2xc1143rqs";
    }
    {
      name = "just";
      publisher = "skellock";
      version = "2.0.0";
      sha256 = "1ph869zl757a11f8iq643f79h8gry7650a9i03mlxyxlqmspzshl";
    }
    {
      name = "line-endings";
      publisher = "steditor";
      version = "1.0.3";
      sha256 = "1mdybbhs771w8r9xqy1n7x2is2vhh6axkssarb2yy7gps3v81ik7";
    }
    {
      name = "code-spell-checker";
      publisher = "streetsidesoftware";
      version = "1.10.0";
      sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i";
    }
    {
      name = "code-spell-checker-german";
      publisher = "streetsidesoftware";
      version = "0.1.8";
      sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz";
    }
    {
      name = "code-spell-checker-german";
      publisher = "streetsidesoftware";
      version = "0.1.8";
      sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz";
    }
    {
      name = "code-spell-checker";
      publisher = "streetsidesoftware";
      version = "1.10.0";
      sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i";
    }
    {
      name = "vscode-open-in-github";
      publisher = "sysoev";
      version = "1.14.0";
      sha256 = "1whyrsckx0gikgjj1812dlsykck7cs696wz9fn4fhcishp9479hp";
    }
    {
      name = "html-preview-vscode";
      publisher = "tht13";
      version = "0.2.5";
      sha256 = "0k75ivigzjfq8y4xwwrgs2iy913plkwp2a68f0i4bkz9kx39wq6v";
    }
    {
      name = "scrolloff";
      publisher = "tickleforce";
      version = "0.0.4";
      sha256 = "1n5xcbcwdj54c9dlscd5igdbga6v9wv5j1qbhjb7p2mf7sbps3cq";
    }
    {
      name = "shellcheck";
      publisher = "timonwong";
      version = "0.12.1";
      sha256 = "0apvbs90mdjk5y6vy2v4azwxhdjqfypqp5d5hh9rlgxyq4m0azz2";
    }
    {
      name = "sort-lines";
      publisher = "Tyriar";
      version = "1.9.0";
      sha256 = "0l4wibsjnlbzbrl1wcj18vnm1q4ygvxmh347jvzziv8f1l790qjl";
    }
    # slow and currently not needed
    # {
    #   name = "vscode-lldb";
    #   publisher = "vadimcn";
    #   version = "1.6.0";
    #   sha256 = "15m0idk75bvbzfxipdxwz2vpdklr15zv92h4mxxpr8db9jjr32vi";
    # }
    {
      name = "vim";
      publisher = "vscodevim";
      version = "1.17.1";
      sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1";
    }
    {
      name = "prettify-selected-json";
      publisher = "vthiery";
      version = "1.0.3";
      sha256 = "0g2svrls7x4w75fj6rr839mrwd3sn912vn6ysiy0sasnnc55rpgb";
    }
    {
      name = "debug";
      publisher = "webfreak";
      version = "0.25.0";
      sha256 = "0qm2jgkj17a0ca5z21xbqzfjpi0hzxw4h8y2hm8c4kk2bnw02sh1";
    }
    {
      name = "clang-format";
      publisher = "xaver";
      version = "1.9.0";
      sha256 = "0bwc4lpcjq1x73kwd6kxr674v3rb0d2cjj65g3r69y7gfs8yzl5b";
    }
    {
      name = "vscode-capnp";
      publisher = "xmonader";
      version = "1.0.0";
      sha256 = "0z2shl6qvr3y3m5y63v69x94rzyb2cmf5046afx2yswnll6j52fc";
    }
    {
      name = "plsql-language";
      publisher = "xyz";
      version = "1.8.2";
      sha256 = "16xxa6w03wzd95v1cycmjvw9hfg3chvpclrn28v0qsa3lir1mxrr";
    }
    {
      name = "markdown-pdf";
      publisher = "yzane";
      version = "1.4.4";
      sha256 = "00cjwjwzsv3wx2qy0faqxryirr2hp60yhkrlzsk0avmvb0bm9paf";
    }
    {
      name = "vscode-proto3";
      publisher = "zxh404";
      version = "0.5.2";
      sha256 = "1jmmbz3i0hxq5ka4rsk07mynxh3pkh5g736d9ryv1czhnrb06lwf";
    }
  ];
 in
 {
  programs.vscode = {
    enable = true;
-    extensions = []
+    package = pkgsVscodium.vscodium;
-      ++ packagedExtensions
+    profiles.default.extensions =
-      ++ marketPlaceExtensions
+      with pkgsVscodium.vscode-extensions;
-      ;
+      [
        eamodio.gitlens
        mkhl.direnv
        tomoki1207.pdf
        vscodevim.vim
        # bbenoist.nix
        jnoortheen.nix-ide
        ms-vscode.theme-tomorrowkit
        nonylene.dark-molokai-theme
        ms-python.vscode-pylance
        # TODO: these are not in nixpkgs
        # fredwangwang.vscode-hcl-format
        # hashicorp.hcl
        # mindaro-dev.file-downloader
        # ms-vscode.remote-explorer
        # TODO: not compatible with vscodium
        # ms-vscode-remote.remote-ssh
      ]
      ++ (
        let
          extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system};
        in
        with extensions.vscode-marketplace;
        with extensions.vscode-marketplace-release;
        [
          serayuzgur.crates
          rust-lang.rust-analyzer
          swellaby.vscode-rust-test-adapter
          tamasfe.even-better-toml
          golang.go
          jeff-hykin.better-go-syntax
          blueglassblock.better-json5
          nefrob.vscode-just-syntax
          # fabianlauer.vs-code-xml-format
          bierner.emojisense
        ]
      )
      ++ (
        let
          nix4vscodeToml = pkgs.writeText "nix4vscode.toml" ''
            vscode_version = "${config.programs.vscode.package.version}"
            [[extensions]]
            publisher_name = "FelixZeller"
            extension_name = "markdown-oxide"
            [[extensions]]
            publisher_name = "ibecker"
            extension_name = "treefmt-vscode"
            [[extensions]]
            publisher_name = "AntiAntiSepticeye"
            extension_name = "vscode-color-picker"
            # [[extensions]]
            # publisher_name = "nefrob"
            # extension_name = "vscode-just-syntax"
            [[extensions]]
            publisher_name = "fabianlauer"
            extension_name = "vs-code-xml-format"
          '';
          nix4vscodeNix =
            pkgs.runCommand "nix4vscode.nix"
              {
                # nix4vscode needs internet access
                __noChroot = true;
                requiredSystemFeatures = [ "recursive-nix" ];
                buildInputs = [
                  pkgs.nix
                  pkgs.cacert
                  (pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { })
                  # pkgs.strace
                ];
                # outputHashAlgo = "sha256";
                # outputHashMode = "recursive";
                # outputHash = lib.fakeSha256;
              }
              ''
                # set -x
                # export RUST_BACKTRACE=full
                # export RUST_LOG=trace
                export HOME=$(mktemp -d)
                # strace -ffZyyY
                nix4vscode ${nix4vscodeToml} > $out
              '';
          nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [
            "override"
            "overrideDerivation"
          ];
          nix4vscodeExtensions' = lib.attrsets.mapAttrsToList (
            _: v: builtins.head (builtins.attrValues v)
          ) nix4vscodeExtensions;
        in
        nix4vscodeExtensions'
      );
    mutableExtensionsDir = true;
  };
  home.packages = [
    pkgs.nil
    pkgs.nixfmt-rfc-style
  ];
 }
 # TODO: automate
 # rustup install stable
 # rustup component add rust-analysis --toolchain stable
 # rustup component add rust-src --toolchain stable
 # rustup component add rls --toolchain stable
 ### original list:
 # 74th.Theme-NaturalContrast-With-HC
 # AlanWalk.markdown-toc
--- a/nix/home-manager/programs/waybar.css
+++ b/nix/home-manager/programs/waybar.css
@ -0,0 +1,5 @@
 #custom-cputemp {
  padding: 0 10px;
  background-color: #f0932b;
  color: #ffffff;
 }
--- a/nix/home-manager/programs/waybar.nix
+++ b/nix/home-manager/programs/waybar.nix
@ -0,0 +1,86 @@
 { pkgs, repoFlake, ... }:
 {
  home.packages = [
    # required by any bar that has a tray plugin
    pkgs.libappindicator-gtk3
    pkgs.libdbusmenu-gtk3
  ];
  programs.waybar = {
    enable = true;
    package =
      repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
    style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css;
    systemd.enable = true;
    settings = {
      mainBar = {
        layer = "top";
        position = "bottom";
        height = 30;
        output =
          # hide the bar on HEADDLESS displays as i use them only for screensharing
          (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ];
        # output = [
        #   "eDP-1"
        #   "DP-*"
        # ];
        modules-left = [
          "sway/workspaces"
          "sway/mode"
          # "wlr/taskbar"
        ];
        "sway/workspaces" = {
          disable-scroll = true;
          all-outputs = false;
        };
        modules-center = [
          "sway/window"
          # "custom/hello-from-waybar"
        ];
        modules-right = [
          "tray"
          "cpu"
          "memory"
          "custom/cputemp"
          "custom/fan"
          "battery"
          "pulseaudio"
          "clock"
          "clock#date"
        ];
        tray.spacing = 10;
        cpu.format = "  {usage}%";
        memory.format = "  {}%";
        "temperature" = {
          hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input";
          format = " {temperatureC} °C";
        };
        "custom/cputemp" = {
          format = " {}";
          exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'";
          interval = 2;
        };
        "custom/fan" = {
          format = "   {} rpm  ";
          exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'";
          interval = 2;
        };
        battery.format = "🔋 {}%";
        pulseaudio = {
          format = "🔉 {volume}%";
          # on-click-middle = ''${pkgs.sway}/bin/swaymsg exec "${pkgs.pavucontrol}/bin/pavucontrol"'';
        };
        clock.format = "{:%H:%M %p}";
        "clock#date".format = "{:%a, %d %b '%y}";
      };
    };
  };
 }
--- a/nix/home-manager/programs/zsh.nix
+++ b/nix/home-manager/programs/zsh.nix
@ -1,7 +1,9 @@
-{ pkgs }:
+{
-
+  config,
-{ ... }:
+  lib,
-
+  pkgs,
  ...
 }:
 let
  just-plugin =
    let
@ -23,8 +25,8 @@ let
        _describe 'command' subcmds
      '';
-
+    in
-    in pkgs.stdenv.mkDerivation {
+    pkgs.stdenv.mkDerivation {
      name = "just-completions";
      version = "0.1.0";
      phases = "installPhase";
@ -34,60 +36,77 @@ let
        cp ${plugin_file} $PLUGIN_PATH/_just
        chmod --recursive a-w $out
      '';
-  };
+    };
-
+in
-in {
+{
  programs.zsh = {
    enable = true;
-    # will be called again by oh-my-zsh
+    profileExtra = ''
-    enableCompletion = false;
+      . "${config.home.profileDirectory}/etc/profile.d/hm-session-vars.sh"
    enableAutosuggestions = true;
    initExtra = ''
      PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f %F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f '
      RPROMPT=""
      # Automatic rehash
      zstyle ':completion:*' rehash true
      if [ -f $HOME/.shrc.d/sh_aliases ]; then
        . $HOME/.shrc.d/sh_aliases
      fi
      ${if builtins.hasAttr "homeshick" pkgs then ''
        source ${pkgs.homeshick}/homeshick.sh
        fpath=(${pkgs.homeshick}/completions $fpath)
      '' else ''
      ''}
      # Disable intercepting of ctrl-s and ctrl-q as flow control.
      stty stop ''' -ixoff -ixon
      # don't cd into directories when executed
      unsetopt AUTO_CD
      export NIX_PATH="${pkgs.nixPath}"
      # print lines without termination
      setopt PROMPT_CR
      setopt PROMPT_SP
      export PROMPT_EOL_MARK=""
    '';
-    sessionVariables = {
+    # will be called again by oh-my-zsh
-      # Add more envrionment variables here
+    enableCompletion = false;
-    };
+    autosuggestion.enable = true;
    initContent =
      let
        inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
      in
      ''
        if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
          unset TMPDIR
        fi
        if test ! -n "$TMP" -a -z "$TMP"; then
          unset TMP
        fi
        PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f '
        RPROMPT=""
        # Automatic rehash
        zstyle ':completion:*' rehash true
        if [ -f $HOME/.shrc.d/sh_aliases ]; then
          . $HOME/.shrc.d/sh_aliases
        fi
        ${
          if builtins.hasAttr "homeshick" pkgs then
            ''
              source ${pkgs.homeshick}/homeshick.sh
              fpath=(${pkgs.homeshick}/completions $fpath)
            ''
          else
            ""
        }
        # Disable intercepting of ctrl-s and ctrl-q as flow control.
        stty stop ''' -ixoff -ixon
        # don't cd into directories when executed
        unsetopt AUTO_CD
        # print lines without termination
        setopt PROMPT_CR
        setopt PROMPT_SP
        export PROMPT_EOL_MARK=""
        ${lib.optionalString config.services.gpg-agent.enable ''
          export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
        ''}
        ${lib.optionalString config.programs.neovim.enable ''
          export EDITOR="nvim"
        ''}
      '';
    plugins = [
      {
        # will source zsh-autosuggestions.plugin.zsh
        name = "zsh-autosuggestions";
-        src = pkgs.fetchFromGitHub {
+        src = pkgs.zsh-autosuggestions;
          owner = "zsh-users";
          repo = "zsh-autosuggestions";
          rev = "v0.6.3";
          sha256 = "1h8h2mz9wpjpymgl2p7pc146c1jgb3dggpvzwm9ln3in336wl95c";
        };
      }
      {
        name = "enhancd";
@ -95,8 +114,8 @@ in {
        src = pkgs.fetchFromGitHub {
          owner = "b4b4r07";
          repo = "enhancd";
-          rev = "v2.2.4";
+          rev = "v2.5.1";
-          sha256 = "1smskx9vkx78yhwspjq2c5r5swh9fc5xxa40ib4753f00wk4dwpp";
+          sha256 = "sha256-kaintLXSfLH7zdLtcoZfVNobCJCap0S/Ldq85wd3krI=";
        };
      }
      {
--- a/nix/modules/flake-parts/colmena.nix
+++ b/nix/modules/flake-parts/colmena.nix
@ -0,0 +1,8 @@
 { lib, ... }:
 {
  options.flake.colmena = lib.mkOption {
    # type = lib.types.attrsOf lib.types.unspecified;
    type = lib.types.raw;
    default = { };
  };
 }
--- a/nix/modules/flake-parts/perSystem/default.nix
+++ b/nix/modules/flake-parts/perSystem/default.nix
@ -0,0 +1,37 @@
 { pkgs, ... }:
 {
  packages = {
    myPython = pkgs.python310.withPackages (
      ps:
      with ps;
      [
        pep8
        yapf
        flake8
        # autopep8 (broken)
        # pylint (broken)
        ipython
        llfuse
        dugong
        defusedxml
        wheel
        pip
        virtualenv
        cffi
        # pyopenssl
        urllib3
        # mistune (insecure)
        sympy
        flask
        pyaml
        requests
      ]
      ++ [
        pkgs.pypi2nix
        pkgs.libffi
      ]
    );
  };
 }
--- a/nix/ops/nano/configuration.nix
+++ b/nix/ops/nano/configuration.nix
@ -1,65 +0,0 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { n, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/sdb";
  networking.hostName = "nano${toString n}"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # Select internationalisation properties.
  # i18n = {
  #   consoleFont = "Lat2-Terminus16";
  #   consoleKeyMap = "us";
  #   defaultLocale = "en_US.UTF-8";
  # };
  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";
  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  # environment.systemPackages = with pkgs; [
  #   wget
  # ];
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "yes";
  # Enable CUPS to print documents.
  services.printing.enable = false;
  # Enable the X11 windowing system.
  services.xserver.enable = false;
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";
  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.kdm.enable = true;
  # services.xserver.desktopManager.kde4.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.extraUsers.guest = {
  #   isNormalUser = true;
  #   uid = 1000;
  # };
  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "16.03";
 }
--- a/nix/ops/nano/hardware-configuration.nix
+++ b/nix/ops/nano/hardware-configuration.nix
@ -1,23 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, ... }:
 {
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/e02a410e-5044-440f-90e9-b573e51f1315";
      fsType = "ext4";
    };
  swapDevices = [ ];
  nix.maxJobs = 2;
 }
--- a/nix/ops/nanos@kn.nix
+++ b/nix/ops/nanos@kn.nix
@ -1,26 +0,0 @@
 { nixpkgs ? import <nixpkgs> {}
 , nrNanos ? 1 # Number of nanos
 }:
 let 
  pkgs = nixpkgs;
  webserver = { services.httpd.enable = true;
      services.httpd.adminAddr = "mail@stefanjunker.de";
      services.httpd.documentRoot = "${pkgs.nixops}/share/doc/nixops/";
      networking.firewall.allowedTCPPorts = [ 80 ];
  };
  mkNano = { n }: {
      imports = [
        (import ./nano/configuration.nix {inherit pkgs n;})
        ../configuration/common/user/root.nix
      ];
      deployment.targetEnv = "none";
      deployment.targetHost = "nano${toString n}";
  };
  mkNanos = n: nixpkgs.lib.nameValuePair "nano${toString n}" (
    mkNano { inherit n; } 
  );
 in nixpkgs.lib.listToAttrs (map mkNanos (nixpkgs.lib.range 0 (nrNanos - 1)))
--- a/nix/os/cachix.nix
+++ b/nix/os/cachix.nix
@ -0,0 +1,12 @@
 # WARN: this file will get overwritten by $ cachix use <name>
 { lib, ... }:
 let
  folder = ./cachix;
  toImport = name: _value: folder + ("/" + name);
  filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
  imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
 in
 {
  inherit imports;
  nix.settings.substituters = [ "https://cache.nixos.org/" ];
 }
--- a/nix/os/cachix/nixpkgs-wayland.nix
+++ b/nix/os/cachix/nixpkgs-wayland.nix
@ -0,0 +1,8 @@
 {
  nix = {
    settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ];
    settings.trusted-public-keys = [
      "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
    ];
  };
 }
--- a/nix/os/containers/backup.nix
+++ b/nix/os/containers/backup.nix
@ -1,185 +1,125 @@
-{ config
+{
-, hostAddress
+  config,
-, localAddress
+  hostAddress,
  localAddress,
  subvolumes,
  targetPathSuffix ? "",
  autoStart ? false,
 }:
 let
  unstablepkgs = import <channels-nixos-unstable> { config = config.nixpkgs.config; };
  passwords = import ../../variables/passwords.crypt.nix;
-  bucket = "bkp";
+  subvolumeParentDir = "/var/lib/container-volumes";
-  subvolumeParentDir = "/var/lib";
+in
 {
  config =
    { pkgs, ... }:
    {
      system.stateVersion = "20.03"; # Did you read the comment?
-  subvolumeDir = "/var/lib/container-volumes";
+      imports = [ ../profiles/containers/configuration.nix ];
  subvolumeSnapshot = "/var/lib/container-volumes.snapshot";
-  bkpSource = subvolumeSnapshot;
+      environment.systemPackages = with pkgs; [
-  bkpDestination = "/container/backup";
+        btrfs-progs
-  cacheDir = "/var/lib/rclone-cachedir";
+        btrbk
  wasabiRc = pkgs: pkgs.writeText "rc" ''
    [wasabi-${bucket}]
    type = s3
    provider = Wasabi
    env_auth = false
    #bkp user
    access_key_id = ${passwords.storage.wasabi.bkp.key}
    secret_access_key = ${passwords.storage.wasabi.bkp.secret}
    region = us-east-1
    endpoint = s3.wasabisys.com
    location_constraint =
    acl =
    server_side_encryption =
    storage_class =
  '';
  bkp-mount-rclone-manual = pkgs: {
      enable = true;
      description = "bkp-mount-rclone-manual service";
      path = with pkgs; [ unstablepkgs.rclone utillinux ];
      serviceConfig = {
        Type = "notify";
      };
      script = ''
        export PATH="$PATH:/run/wrappers/bin"
        exec rclone --config ${wasabiRc pkgs} mount wasabi-${bucket}:${bucket} ${bkpDestination} \
                    --stats=50m --stats-log-level=NOTICE \
                    --cache-dir=${cacheDir} \
                    --vfs-cache-mode=full
      '';
      preStart  = ''
          mkdir -p ${bkpDestination}
          mkdir -p ${cacheDir}
      '';
      postStop = ''
          sync
          umount ${bkpDestination} \
            || umount -l ${bkpDestination} \
            || :
          rmdir ${bkpDestination}
      '';
    };
 in {
  config = { pkgs, ... }: {
    imports = [
      ../profiles/containers/configuration.nix
    ];
    environment.systemPackages = with pkgs; [
      btrfs-progs
      rdup rdedup
      iptraf-ng nethogs
      rclone
    ];
    networking.firewall.enable = true;
    systemd.services."bkp-mount-rclone-manual" = bkp-mount-rclone-manual pkgs;
    systemd.services."bkp-sync-rclone" = {
      enable = true;
      description = "bkp-sync-rclone service";
      serviceConfig = {
        Type = "oneshot";
      };
      after = [
        "bkp-run.service"
      ];
-      requires = [
+      networking.firewall.enable = true;
        "bkp-run.service"
      ];
-      path = with pkgs; [ unstablepkgs.rclone utillinux ];
+      systemd.services."bkp-sync" = {
-      script = ''
+        enable = true;
-        set -x
+        description = "bkp-sync service";
        echo Starting rclone sync...
        rclone --config ${wasabiRc pkgs} sync \
          ${bkpDestination}/rdedup/ wasabi-${bucket}:${bucket}/rdedup/  \
            --stats=50m --stats-log-level=WARNING
        echo Finished rclone sync...
      '';
    };
-    systemd.services."bkp-run" = {
+        serviceConfig = {
-      enable = true;
+          Type = "oneshot";
-      description = "bkp-run";
+        };
-      serviceConfig = {
+        after = [ "bkp-run.service" ];
-        Type = "oneshot";
+
        requires = [ "bkp-run.service" ];
        path = with pkgs; [ utillinux ];
        script = ''
          set -x
          true
        '';
      };
-      partOf = [
+      systemd.services."bkp-run" = {
-        "bkp-sync-rclone.service"
+        enable = true;
-      ];
+        description = "bkp-run";
-      path = with pkgs; [ btrfs-progs rdup rdedup coreutils ];
+        serviceConfig = {
-      preStart = ''
+          Type = "oneshot";
-        echo Creating new btrfs snapshot of ${subvolumeDir} at ${subvolumeSnapshot}
+        };
        btrfs subvolume snapshot -r ${subvolumeDir} ${subvolumeSnapshot}
      '';
      script = ''
        #! ${pkgs.bash}/bin/bash
        set -Eeuxo pipefail
-        export RUST_BACKTRACE=1
+        partOf = [ "bkp-sync.service" ];
        export TIMESTAMP=$(date +"%Y%m%d.%H%M%S")
-        echo Starting rdup/rdedup backup...
+        path = with pkgs; [
-        for d in `ls -1 ${bkpSource}`; do
+          btrfs-progs
-          echo Determining backup source size ${bkpSource}/$d...
+          btrbk
-          du -hs ${bkpSource}/$d
+          coreutils
-          rdup -x /dev/null ${bkpSource}/$d | rdedup -v -ttt --dir=${bkpDestination}/rdedup store $d-''${TIMESTAMP}
+        ];
        done
        sync
        echo Finished rdup/rdedup backup...
-        echo Removing all previous backups...
+        script =
-        rdedup --dir=${bkpDestination}/rdedup list | grep -v ''${TIMESTAMP} | xargs echo rdedup --dir=${bkpDestination}/rdedup remove
+          let
            btrbkConf = pkgs.writeText "cfg" ''
              timestamp_format long
              ssh_identity ${passwords.storage.backupTarget.keyPath}
              ssh_user ${passwords.storage.backupTarget.user}
              ssh_compression no
              backend_remote btrfs-progs-sudo
              compat_remote busybox
              btrfs_commit_delete each
              snapshot_create onchange
              snapshot_preserve_min latest
              snapshot_preserve 7d 4w
              target_preserve_min latest
              target_preserve 7d 4w 12m *y
-        echo Running rdedup garbage-collector...
+              volume ${subvolumeParentDir}
-        time rdedup -v -ttt --dir=${bkpDestination}/rdedup gc
+                target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
              ${builtins.foldl' (sum: elem: sum + "  subvolume " + elem + "\n") "" subvolumes}
            '';
          in
          ''
            #! ${pkgs.bash}/bin/bash
            set -Eeuxo pipefail
-        echo Determining backup destination size ${bkpDestination}/rdedup...
+            btrbk -c ${btrbkConf} --progress ''${@:-run}
-        du -hs ${bkpDestination}/rdedup
+          '';
-      '';
+      };
      postStop = ''
        btrfs subvolume delete ${subvolumeSnapshot}
      '';
    };
-    systemd.timers."bkp" = {
+      systemd.timers."bkp" = {
-      description = "Timer to trigger bkp periodically";
+        description = "Timer to trigger bkp periodically";
-      enable = true;
+        enable = true;
-      wantedBy = [ "timer.target" "multi-user.target" ];
+        wantedBy = [
-      timerConfig = {
+          "timer.target"
-        # Obtained using `systemd-analyze calendar "Wed 23:00"`
+          "multi-user.target"
-        # OnCalendar = "Wed *-*-* 23:00:00";
+        ];
-        OnStartupSec="2d";
+        timerConfig = {
-        Unit = "bkp-sync-rclone.service";
+          # Obtained using `systemd-analyze calendar "Wed 23:00"`
-        OnUnitInactiveSec="2d";
+          # OnCalendar = "Wed *-*-* 23:00:00";
-        Persistent="true";
+          OnStartupSec = "1m";
          Unit = "bkp-sync.service";
          OnUnitInactiveSec = "2h";
          Persistent = "true";
        };
      };
    };
  };
-  autoStart = true;
+  inherit autoStart;
  bindMounts = {
    "${subvolumeParentDir}" = {
-      hostPath = "/var/lib/";
+      hostPath = subvolumeParentDir;
      isReadOnly = false;
    };
    "/etc/secrets/" = {
      hostPath = "/var/lib/container-volumes/backup/etc-secrets";
      isReadOnly = true;
    };
    "/dev/fuse" = {
      hostPath = "/dev/fuse";
      isReadOnly = false;
@ -187,12 +127,16 @@ in {
  };
  allowedDevices = [
-    { node = "/dev/fuse"; modifier = "rw"; }
+    {
      node = "/dev/fuse";
      modifier = "rw";
    }
  ];
  extraFlags = [ "--resolv-conf=bind-host" ];
  privateNetwork = true;
-  forwardPorts = [
+  forwardPorts = [ ];
  ];
  inherit hostAddress localAddress;
 }
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@ -1,149 +1,228 @@
-{ hostAddress
+{
-, localAddress
+  specialArgs,
-, imapsPort ? 993
+  hostBridge,
-, sievePort ? 4190
+  hostAddress,
  localAddress,
  imapsPort ? 993,
  sievePort ? 4190,
  autoStart ? false,
 }:
 {
  inherit specialArgs;
  config =
    {
      pkgs,
      config,
      repoFlake,
      ...
    }:
    {
      system.stateVersion = "22.05"; # Did you read the comment?
-let
+      imports = [
-  passwords = import ../../variables/passwords.crypt.nix;
+        ../profiles/containers/configuration.nix
-in {
+        repoFlake.inputs.sops-nix.nixosModules.sops
        ../profiles/common/user.nix
      ];
-  config = { pkgs, ... }: {
+      networking.firewall.allowedTCPPorts = [
-    imports = [
+        imapsPort
-      ../profiles/containers/configuration.nix
+        sievePort
-      ../profiles/common/user.nix
+      ];
    ];
-    networking.firewall.enable = false;
+      # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
      # sops.defaultSopsFile = ./mailserver_secrets.yaml;
-    services.ddclientovh = {
+      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      sops.secrets.email_mailStefanjunkerDe = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.steveej.name;
      };
      sops.secrets.email_mailStefanjunkerDeHetzner = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.steveej.name;
      };
      sops.secrets.email_schtifATwebDe = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.steveej.name;
      };
      sops.secrets.email_dovecot_steveej = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.dovecot2.name;
      };
      # TODO: switch to something other than ddclient as it's no longer maintained
      # TODO: switch to a let's encrypt certificate
      sops.secrets.dovecotSslServerCert = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.dovecot2.name;
      };
      sops.secrets.dovecotSslServerKey = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.dovecot2.name;
      };
      services.dovecot2 = {
        enable = true;
        domain = "mailserver.svc.stefanjunker.de";
    };
-    services.dovecot2 = {
+        protocols = [ "sieve" ];
      enable = true;
-      modules = [ pkgs.dovecot_pigeonhole ];
+        enableImap = true;
-      protocols = [ "sieve" ];
+        enableLmtp = true;
        enablePAM = true;
        showPAMFailure = true;
        mailLocation = "maildir:~/.maildir";
        sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
        sslServerKey = config.sops.secrets.dovecotSslServerKey.path;
-      enableImap = true;
+        #configFile = "/etc/dovecot/dovecot2_manual.conf";
-      enableLmtp = true;
+        extraConfig = ''
-      enablePAM = true;
+          auth_mechanisms = cram-md5 digest-md5
-      showPAMFailure = true;
+          auth_verbose = yes
      mailLocation = "maildir:~/.maildir";
      sslServerCert = "/etc/secrets/server.pem";
      sslServerKey = "/etc/secrets/server.key";
-      #configFile = "/etc/dovecot/dovecot2_manual.conf";
+          passdb {
-      extraConfig = ''
+            driver = passwd-file
-        auth_mechanisms = cram-md5 digest-md5
+            args = scheme=CRYPT username_format=%u /etc/dovecot/users
-        auth_verbose = yes
+          }
        passdb {
          driver = passwd-file
          args = scheme=CRYPT username_format=%u /etc/dovecot/users
        }
-        protocol lda {
+          protocol lda {
-          postmaster_address = "mail@stefanjunker.de"
+            postmaster_address = "mail@stefanjunker.de"
-          mail_plugins = $mail_plugins sieve
+            mail_plugins = $mail_plugins sieve
-        }
+          }
-        protocol imap {
+          protocol imap {
-          mail_max_userip_connections = 64
+            mail_max_userip_connections = 64
-        }
+          }
-      '';
+        '';
      };
-    };
+      environment.systemPackages = [
        pkgs.dovecot_pigeonhole
      ];
-    environment.etc."dovecot/users".text = ''
+      environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
      steveej:${passwords.email.steveej}
    '';
-    systemd.services.steveej-getmail-stefanjunker = {
+      systemd.services.steveej-getmail-stefanjunker = {
-      enable = true;
+        enable = true;
-      wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "multi-user.target" ];
-      serviceConfig.User = "steveej";
+        serviceConfig.User = "steveej";
-      serviceConfig.Group = "dovecot2";
+        serviceConfig.Group = "dovecot2";
-      serviceConfig.RestartSec = 600;
+        serviceConfig.RestartSec = 600;
-      serviceConfig.Restart = "always";
+        serviceConfig.Restart = "always";
-      description = "Getmail service";
+        description = "Getmail service";
-      path = [ ];
+        path = [ pkgs.getmail6 ];
-      script = let
+        script =
-          rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
+          let
-            [options]
+            rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
-            verbose = 1
+              [options]
-            read_all = 0
+              verbose = 1
-            delete_after = 30
+              read_all = 0
              delete_after = 30
-            [retriever]
+              [retriever]
-            type = SimpleIMAPSSLRetriever
+              type = SimpleIMAPSSLRetriever
-            server = ssl0.ovh.net
+              server = ssl0.ovh.net
-            port = 993
+              port = 993
-            username = mail@stefanjunker.de
+              username = mail@stefanjunker.de
-            password = ${passwords.email.mailStefanjunkerDe}
+              password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
-            mailboxes = ('INBOX',)
+              mailboxes = ('INBOX',)
-            [destination]
+              [destination]
-            type = MDA_external
+              type = MDA_external
-            path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
+              path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
            '';
          in
          ''
            getmail --idle=INBOX --rcfile=${rc}
          '';
-        in ''
+      };
          ${pkgs.getmail}/bin/getmail --rcfile=${rc} --idle=INBOX
      '';
    };
-    systemd.services.steveej-getmail-webde = {
+      systemd.services.steveej-getmail-stefanjunker-hetzner = {
-      enable = true;
+        enable = true;
-      wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "multi-user.target" ];
-      serviceConfig.User = "steveej";
+        serviceConfig.User = "steveej";
-      serviceConfig.Group = "dovecot2";
+        serviceConfig.Group = "dovecot2";
-      description = "Getmail service";
+        serviceConfig.RestartSec = 60;
-      path = [ pkgs.getmail ];
+        serviceConfig.Restart = "always";
-      serviceConfig.RestartSec = 1000;
+        description = "Getmail service";
-      serviceConfig.Restart = "always";
+        path = [ pkgs.getmail6 ];
-      script = let
+        script =
-          rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
+          let
-            [options]
+            rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
-            verbose = 1
+              [options]
-            read_all = 0
+              verbose = 2
-            delete_after = 30
+              read_all = 0
              delete_after = 30
-            [retriever]
+              [retriever]
-            type = SimpleIMAPSSLRetriever
+              type = SimpleIMAPSSLRetriever
-            server = imap.web.de
+              server = mail.your-server.de
-            port = 993
+              port = 993
-            username = schtif
+              username = mail@stefanjunker.de
-            password = ${passwords.email.schtifATwebDe}
+              password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}")
-            mailboxes = ('INBOX',)
+              mailboxes = ('INBOX',)
-            [destination]
+              [destination]
-            type = Maildir
+              type = MDA_external
-            path = ~/.maildir/
+              path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
            '';
          in
          ''
            getmail --rcfile=${rc} --idle=INBOX
          '';
      };
      systemd.services.steveej-getmail-webde = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        serviceConfig.User = "steveej";
        serviceConfig.Group = "dovecot2";
        description = "Getmail service";
        path = [ pkgs.getmail6 ];
        serviceConfig.RestartSec = 1000;
        serviceConfig.Restart = "always";
        script =
          let
            rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
              [options]
              verbose = 1
              read_all = 0
              delete_after = 30
              [retriever]
              type = SimpleIMAPSSLRetriever
              server = imap.web.de
              port = 993
              username = schtif
              password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
              mailboxes = ('INBOX',)
              [destination]
              type = Maildir
              path = ~/.maildir/
            '';
          in
          ''
            getmail --rcfile=${rc} --idle=INBOX
          '';
        in ''
          getmail --rcfile=${rc}
      '';
      };
    };
-  autoStart = true;
+  inherit autoStart;
  bindMounts = {
-    "/etc/secrets/" = { 
+    # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
-      hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
+    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
-      isReadOnly = false;
+    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
    };
-    "/home" = { 
+    "/home" = {
      hostPath = "/var/lib/container-volumes/mailserver/home";
      isReadOnly = false;
    };
  };
-  privateNetwork = true ;
+  privateNetwork = true;
  forwardPorts = [
    {
      # imaps
@ -160,5 +239,5 @@ in {
    }
  ];
-  inherit hostAddress localAddress;
+  inherit hostBridge hostAddress localAddress;
 }
--- a/nix/os/containers/mailserver_secrets.yaml
+++ b/nix/os/containers/mailserver_secrets.yaml
@ -0,0 +1,53 @@
 email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str]
 email_mailStefanjunkerDeHetzner: ENC[AES256_GCM,data:HvPU/tV2uwutE8q6BzMjkw==,iv:sxERmGojxJhTre2XhslD/B3hesJaP8Cn6TJ7G2WygQw=,tag:JeRI3a2oc/cMJWqyiICgYw==,type:str]
 email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str]
 email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str]
 email_postmasterStefanjunkerDe: ENC[AES256_GCM,data:mUe2SbT1aj6yCav0X0lZ04rxYjJjQfKOqw==,iv:ZtOca09m2ne36cmLem/dNnmrsTV6fWaluuoPS85HdGc=,tag:2Z8RwuKJteXUKyuzpFzyfg==,type:str]
 dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2rwHhuSoirnADu+k6pYrH4UUTB9BQsDpCzuU4vb4Rz2pQuB0PJ9iZ3XI2fTxft+UxZI4wwAkvHXeJWxLnEvySQW3mnk2uJBaeAxhkXZ55SrKA0h1u/luiXlCoLD197yqJsaR7ldlTImfiIwZPoSRJvo33/UsEIfxlmNMrJk6kgWp9Ay1pT+K3ymWTzBaxzMypUM+Wb4BulgR62qCBxoVjXPP4tVsBwRN6LREeKpP6zIZSjNNU5SWkf2GVDuRl6AMfh8UUq5aRQqNrorRm0p9FR5CXvJZH6gOxh1jSaXGFRbyfEwlaBrzU3NYqXA4tVTh6jKeRy6tmkw3KHhV3kOeJhJ5YQy4IM4Tv03zp5M/rCCIDoZLZsmNKYpLHYKfKORBYt/XlOfnXFVW/dp+q7lMiy2vPPNaVzH6aFrlzIEUyQBfawbHPBnIN09rmW9cIzZC5n3owzq8jj8aWDILqgun7RFOnBWBaG2JE9imXoS66cKAvzGf1wpjN2pELQOpSI1dVuENxMC+K8dTu/2RN2Xe0t6x6FlHK7PHB+JNGsGOHjrga+Z2rWTqcOtY30XZpBSqoZ4XxhcFtp+gxwBuW6zjzS4hEBz1/BJTYLD0dolTp3Vzo93bsezAr+iUfNrfzESTfg8fRH89tdPCeSPv4lfi+Bo4un41x6+x14Kf66Sz5AR7dBQzypNC3ChGCKtp29ZBBee+5oQWvrYBVybbOdD+uaS6pRC/Uydubx+cDGyU1vn50Iq4XTkmiy0m8joHa7gwgOggSeDoZK8lSnwCEwssWZaxzWfO8/8gxEDJD74ki+0GzkGCSIW7EIDiEEBSuL971bqgmKOgKmzqeHYxMpO3DbrFSQVIBUzlcPMoL9GuMHnF9UWT8u3Oo4eIh8rgwJQ4tbIdIbOop1LKLSKjtt/ny4+fGjrF1gzYWHu6RDMHkl9h/AplsHH6r8x3L3rM40O8mOG/SVgqA2GTN+0pviLAPzvQ+Xb0xRQH3vfXXMkufpQtb2o0xlh4pgJw+6a4QrjSq6ZJ3saA8TeC3F6BzIEr6nAwljBMSY4v8wBQivquENBCbqo4St5h+eleKpqbpyLJQYgCyvrUST8kNa014eZjNMLnJ1XBmPO9vpUk/2FJkSpaPAPQ7thqhRBEhe+GsnkScqqrq7gLpNIX4o/HR2b70T/8/4G7uZ3KPScW25TX9D9cI7LFON3Sfprn5LK6hm2nxTmjhaD0rWNnDCkfqDfzRJeQV9kW5Hfn0rBOIsmUoQEcgeCqNKenr/lalRRiifsHDdTUwzSJLgHm09RJI4CVZ+ovPHENRW02VPP9YBupemrZazN3ttj3pin8QRRcOM0w7jeGjfSyih0E4JfiC8NzLWhBpFtBSSxi79QD2vkz17ububf37p5XMg0KfClubQgnNKxlbQ/Me7xxp1X0JlmyxpwIhaaLoz9f+268/9n4RKBGDjAY9D0jZ2zcNm+MpkoG1IIWzPBtBiGTfs+HZPH3GKiEcnkEVcUbDZis9zERamYKDMMPqfAm3KsQLXxUVyuy3cuikGxg7ab+41b1s4MtyoeoUIeRruc60Gg+rSv+d0Jl/YP9Lb5/WBGwNKzm/1R70hJnbTWRt/kKZRKsVY2rcb+FH6vXBjFAHgiszFns5oXS0Q3jhVHH4i3IUn+M6HsbqDIaJ4t4Jvtcx+ESNC2NHKCSxKe4UePng8xJ+91jB04DxdJFlTrZ7RBgjmmiMR8DPF6XiYi+awZtUaTKjZev8SPl4vSobu5aqnct0F5O6aPGB/T8nHlXevdkuQ//7BXc0RwN1ZBZzGqzc8+NzIBa9aB96XnlXPDek1C5Cc9/yVWelM9dWwTzUECBWanTRFt1uz7hpoeemGI0X7IV4DXe26yZot2PlRLFBGL/5lnoSZcjfjym1yyjd5guLdRSHOihPoDDV0JR88BDzDSS/Fx4tRCxKCuaQos+QiMlZ+yJnY9v/K88NtX9X+cRr1ZFS9Li1+uBhbJamWgtWpSJireAGZkLFSEu5GpmfcofuzDsuSYsG6wDLMpJGgRvGJeDuZ4pJTMz1dhjjWUw3blpoJW99zHVDwuSMUNEOFnFgu9BNsoq2caoDcNcm7yA0dsNl1sS3ECsBAg18KsMHA5bL6gXhAkCGOzUVBzW0NRUm8SvHloB73LvfBiFHkpqkqS8KsQZkGts+vBcVAjfDYHYy+TvcaiO0I7xEOUZMdkjuZFOkh2Q0x7pQzCarYs=,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str]
 dovecotSslServerKey: ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40ycoJAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str]
 hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str]
 sops:
  age:
    - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQjVya2RyY1MxQUxtTHdX
        MGlZRWdxZ3VXb01KbCtTSkJMR3dkZkZ0UGw0CitXcldZT3NJWExYZG50QnowMVhV
        WDBpc0VFYjZnZDJDSWhUcHFHTzBiYkUKLS0tIFlrMmlxUkNVZExSNGN4VlMxcUw1
        VW8rSVdDcGZKcHpocjdqZldiaFpqRlUKfQNcKrI6PuyeFv06Es8NsHm8I7NzxJ1k
        ir088kx66xcXeEiyA4DnIcAWG9O6HEVXXnSahAIE2jcupSSouDF3ug==
        -----END AGE ENCRYPTED FILE-----
    - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OGlqTEhtaGR2Yi8vTVcv
        NUtvd0ptS3h5Rnd1RGNuYlY2bHMrUmpKWHhRCkJpYjloQWhSM0FsNlNYSVcvWktV
        VkkvblAyRXBadUJjK3h3c2JJbDZHc0kKLS0tIEhMbVZsekM5VDRhbDB0KzdyK1li
        dWdhSGtFN1oybGpIb294ZE0zcDFUaEkK/AyEXeVmiYk1/IZdkyNGN4bccMFx5+JE
        BazBF2NkztUWnyhqRvyp0cBucx7h/HhRSzqxwSr20lvv8XpRPGh8Iw==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2023-07-17T12:01:21Z"
  mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str]
  pgp:
    - created_at: "2025-06-05T09:49:08Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMAw+OdhfgD3wfAQ/8DFSjoJYmO4+yvi4WT6mgrlzmAIvX0Ozch9XY+6DDOwiN
        746QgI6FI5NpmayTbhddhL1J3tiWkzOyAMhxd8JVNDdZHDJ9lDMCq5s/6yYJZvst
        qpoU2pjeYFc+ag+H7m8d5dIaR352aBlKw+MMGOvBinM+5qAWNWo1Vams/9HV3BAV
        vsFKLSj3eo3/MjjzY3bPlfBwhkDnudzfVJXcY7GhbVVzaQKXosoGjMfCKvSQNMWr
        z52P40pfkXx1nWUt79G4xcH/G+lCUlz93RmS89sLS+YrrjKGQc4xcYpqpNjy5Xdw
        rz+nGuOsMKXqLuxYJVuiTcxN0agVily9BTifUYiJZfS9cpbMvLwTyUOcc64EVCKH
        Gg0b5l5DhyUKKk3klzgeXTlj2zPhKjGVT2MnZShZRspfGfV6T7iP761YD4ucaExd
        1+/cegyfeCNAykt4lD6ACeQXRLDs8rU2hUjpN3J6AemLW+Aj/ZnRVZWzgIvnDEEY
        pyz/rAk5J6m7Q7909TcMuFg3j9ENeJZuRSwxwF0MRUYLZByKCH3QY9CE3mCh7Xni
        p5znHpYaYqNIoiTmbBcxEx4mYRXUkorLTJXt4AO7zQB24ZReLDRsSzvrnQqyLIdA
        b4pK2k2/L0Hagu2SZFvfhgw4qWZpIlgcoOVbe2dkmbIXMbjb8SuF/2jFwushALjS
        XAG+iXYORCrvsuJoNjnQtSW0OGqYwuNNvWo2Ymyg2sA6CW+O6gsCZpZE0FKHcbl/
        FxgecFBl+P6Dk4OOewie+E4cZWIq2uXQch8QPSk5huuyUms6VZI2fre83dMv
        =mHmB
        -----END PGP MESSAGE-----
      fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
  unencrypted_suffix: _unencrypted
  version: 3.7.3
--- a/nix/os/containers/mycelium/flake.lock
+++ b/nix/os/containers/mycelium/flake.lock
@ -0,0 +1,124 @@
 {
  "nodes": {
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
          "nix-snapshotter",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1704152458,
        "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "nix-snapshotter": {
      "inputs": {
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1723875769,
        "narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=",
        "owner": "pdtpartners",
        "repo": "nix-snapshotter",
        "rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da",
        "type": "github"
      },
      "original": {
        "owner": "pdtpartners",
        "repo": "nix-snapshotter",
        "type": "github"
      }
    },
    "nixlib": {
      "locked": {
        "lastModified": 1728781282,
        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixos-generators": {
      "inputs": {
        "nixlib": "nixlib",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1728867876,
        "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
        "owner": "nix-community",
        "repo": "nixos-generators",
        "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixos-generators",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1728897630,
        "narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nix-snapshotter": "nix-snapshotter",
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/nix/os/containers/mycelium/flake.nix
+++ b/nix/os/containers/mycelium/flake.nix
@ -0,0 +1,371 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
    # nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9";
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-snapshotter = {
      url = "github:pdtpartners/nix-snapshotter";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs =
    { self, nixpkgs, ... }:
    let
      systems = [
        "aarch64-linux"
        "x86_64-linux"
      ];
      forAllSystems = nixpkgs.lib.genAttrs systems;
    in
    {
      nixosConfigurations.default = nixpkgs.lib.nixosSystem {
        system = "aarch64-linux";
        specialArgs = { };
        modules = [
          (
            {
              config,
              modulesPath,
              pkgs,
              lib,
              ...
            }:
            {
              nixpkgs.overlays = [
                (_final: _previous: {
                  # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
                  # systemd =
                  # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: {
                  #   src = /home/steveej/src/others/systemd;
                  #   withAppArmor = false;
                  #   withRepart = false;
                  #   withHomed = false;
                  #   withAcl = false;
                  #   withEfi = false;
                  #   withBootloader = false;
                  #   withCryptsetup = false;
                  #   withLibBPF = false;
                  #   withOomd = false;
                  #   withFido2 = false;
                  #   withApparmor = false;
                  #   withDocumentation = false;
                  #   withUtmp = false;
                  #   withQrencode = false;
                  #   withVmspawn = false;
                  #   withMachined = false;
                  #   withLogTrace = true;
                  #   withArchive = false;
                  #   # don't need these but cause errors for exampel files not found
                  #   # withLogind = false;
                  # })
                  # pkgs.systemdMinimal.override {
                  #   # getting errors with these disabled
                  #   withCoredump = true;
                  #   withCompression = true;
                  #   withLogind = true;
                  #   withSysusers = true;
                  #   withUserDb = true;
                  # }
                  # pkgs.systemdMinimal
                  # pkgs.systemd.override {
                  #   withRepart = false;
                  #   withHomed = false;
                  #   withAcl = false;
                  #   withEfi = false;
                  #   withBootloader = false;
                  #   withCryptsetup = false;
                  #   withLibBPF = false;
                  #   withOomd = false;
                  #   withFido2 = false;
                  #   withApparmor = false;
                  #   withDocumentation = false;
                  #   withUtmp = false;
                  #   withQrencode = false;
                  #   withVmspawn = false;
                  #   withMachined = false;
                  #   withLogTrace = true;
                  #   # don't need these but cause errors for exampel files not found
                  #   # withLogind = false;
                  # }
                  # ;
                })
              ];
              imports = [ (modulesPath + "/profiles/minimal.nix") ];
              system.stateVersion = "24.11";
              # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
              boot.isContainer = true;
              # boot.tmp.useTmpfs = true;
              boot.loader.grub.enable = lib.mkForce false;
              boot.loader.systemd-boot.enable = lib.mkForce false;
              services.journald.console = "/dev/console";
              services.journald.storage = "none";
              # boot.specialFileSystems = lib.mkForce {};
              services.nscd.enable = false;
              system.nssModules = lib.mkForce [ ];
              systemd.services.systemd-logind.enable = false;
              systemd.services.console-getty.enable = false;
              systemd.sockets.nix-daemon.enable = false;
              systemd.services.nix-daemon.enable = false;
              systemd.oomd.enable = false;
              networking.useDHCP = false;
              networking.firewall.enable = false;
              # system.build.earlyMountScript =
              #   lib.mkForce ''
              #   '';
              # system.activationScripts.specialfs =
              #   lib.mkForce ''
              #   '';
              boot.postBootCommands = ''
                ls -lha /run
                mkdir -p /run/wrappers
              '';
              boot.kernelParams = [ "systemd.log_level=debug" ];
              # services.udev.enable = false;
              # TODO: this is only needed because `/run/current-system` is missing
              # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
              systemd.mounts = lib.mkForce [ ];
              fileSystems = lib.mkForce { };
              services.mycelium.enable = false;
              services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
              systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
              systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
              systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (
                pkgs.writeShellScript "mycelium" ''
                  while true; do
                    ls -lha $CREDENTIALS_DIRECTORY
                    sleep 5
                  done
                ''
              );
              systemd.services.testing-credentials = {
                wantedBy = [ "multi-user.target" ];
                path = [ pkgs.coreutils ];
                serviceConfig = {
                  # SyslogIdentifier = "testing-credentials";
                  # StateDirectory = "testing-credentials";
                  # DynamicUser = true;
                  # User = "tc";
                  # ProtectHome = true;
                  # ProtectSystem = true;
                  # LoadCredential = [
                  #   "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
                  #   "hosts:/etc/hosts"
                  # ];
                  SetCredential = "mycelium-keyfile:not secret string";
                  ExecStart = lib.mkForce (
                    pkgs.writeShellScript "mycelium" ''
                      cd $STATE_DIRECTORY
                      pwd
                      env
                      while true; do
                        ls -lha $CREDENTIALS_DIRECTORY
                        sleep 5
                      done
                    ''
                  );
                };
              };
              services.caddy = {
                enable = true;
                globalConfig = ''
                  auto_https off
                '';
                virtualHosts.":80" = {
                  extraConfig = ''
                    respond "hello from ${config.networking.hostName}"
                  '';
                };
              };
            }
          )
        ];
      };
      packages = forAllSystems (
        system:
        let
          name = "mycelium";
          inherit (self.inputs) nix-snapshotter;
          config = {
            entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
            # port = 2379;
            args = [ ];
            # nodePort = 30001;
          };
          myceliumPorts = {
            tcp = [ 9651 ];
            udp = [
              9650
              9651
            ];
          };
          inherit (config)
            entrypoint
            # port
            args
            # nodePort
            ;
          pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; };
          image = pkgs.nix-snapshotter.buildImage {
            inherit name;
            resolvedByNix = true;
            config = {
              entrypoint = [ entrypoint ];
              env = [
                # this is read by the `/init` script and prevents various incompatible commands like mount, etc.
                # the value of this doesn't seem to matter as long as it's not an empty string.
                "container=nerd"
                "SYSTEMD_LOG_LEVEL=debug"
              ];
              volumes = {
                # "/var/lib/private/mycelium/key.bin" = {};
                # "/run" = {};
                # "/tmp" = {};
                # "/etc" = {};
              };
              copyToRoot = [
                # self.nixosConfigurations.default.config.system.build.toplevel
              ];
            };
          };
        in
        {
          k8s =
            let
              pod = pkgs.writeText "${name}-pod.json" (
                builtins.toJSON {
                  apiVersion = "v1";
                  kind = "Pod";
                  metadata = {
                    inherit name;
                    labels = {
                      inherit name;
                    };
                  };
                  spec.containers = [
                    {
                      inherit name args;
                      image = "nix:0${image}";
                      ports = [
                        {
                          name = "mycelium-tcp-0";
                          containerPort = builtins.elemAt myceliumPorts.tcp 0;
                        }
                        {
                          name = "mycelium-udp-0";
                          protocol = "UDP";
                          containerPort = builtins.elemAt myceliumPorts.udp 0;
                        }
                        {
                          name = "mycelium-udp-1";
                          protocol = "UDP";
                          containerPort = builtins.elemAt myceliumPorts.udp 1;
                        }
                      ];
                    }
                  ];
                }
              );
              service = pkgs.writeText "${name}-service.json" (
                builtins.toJSON {
                  apiVersion = "v1";
                  kind = "Service";
                  metadata.name = "${name}-service";
                  spec = {
                    type = "NodePort";
                    selector = {
                      inherit name;
                    };
                    ports = [
                      {
                        name = "mycelium-tcp-0";
                        port = builtins.elemAt myceliumPorts.tcp 0 + 50000;
                        targetPort = "mycelium-tcp-0";
                      }
                      {
                        name = "mycelium-udp-0";
                        protocol = "UDP";
                        port = builtins.elemAt myceliumPorts.udp 0 + 50000;
                        targetPort = "mycelium-udp-0";
                      }
                      {
                        name = "mycelium-udp-1";
                        protocol = "UDP";
                        port = builtins.elemAt myceliumPorts.udp 1 + 50000;
                        targetPort = "mycelium-udp-1";
                      }
                    ];
                  };
                }
              );
            in
            pkgs.runCommand "declarative-k8s" { } ''
              mkdir -p $out/share/k8s
              cp ${pod} $out/share/k8s/
              cp ${service} $out/share/k8s/
            '';
          inherit image;
          start = pkgs.writeShellApplication {
            name = "start";
            text = ''
              set -x
              rm -rf ./result
              nix build --impure .#image
              sudo nix2container load ./result
              sudo -E nerdctl run  --name ${name} --privileged -dt \
                --cgroup-manager cgroupfs \
                --volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \
                "nix:0$(readlink result):latest"
            '';
          };
          stop = pkgs.writeShellApplication {
            name = "stop";
            text = ''
              set +e
              sudo -E nerdctl stop -t 60 ${name}
              sudo -E nerdctl rm --force ${name}
              sudo -E nerdctl system prune --all --force
              sudo systemctl stop nix-snapshotter
              sudo systemctl stop containerd
              mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l
              sudo systemctl start containerd
              sudo systemctl start nix-snapshotter
            '';
            # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap)
            # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
          };
        }
      );
    };
 }
--- a/nix/os/containers/syncthing.nix
+++ b/nix/os/containers/syncthing.nix
@ -1,29 +1,82 @@
 { hostAddress
 , localAddress
 , syncthingPort ? 22000
 }:
 {
  specialArgs,
  hostBridge,
  hostAddress,
  localAddress,
  syncthingPort ? 22000,
  syncthingLocalAnnouncePort ? 21027,
  smbTcpPort ? 445,
  autoStart ? false,
 }:
 {
  inherit specialArgs;
  config =
    { ... }:
    {
      system.stateVersion = "20.05"; # Did you read the comment?
-  config = { config, pkgs, ... }: {
+      imports = [ ../profiles/containers/configuration.nix ];
    imports = [
      ../profiles/containers/configuration.nix
    ];
-    networking.firewall.enable = true;
+      networking.firewall.allowedTCPPorts = [
-    networking.firewall.allowedTCPPorts = [
+        # syncthing gui
-      # syncthing gui
+        8384
-      8384
+      ];
    ];
-    services.syncthing = {
+      services.syncthing = {
-      enable = true;
+        enable = true;
-      openDefaultPorts = true;
+        openDefaultPorts = true;
-      guiAddress = "0.0.0.0:8384";
+        guiAddress = "0.0.0.0:8384";
      };
      services.samba = {
        enable = true;
        securityType = "user";
        openFirewall = true;
        settings = {
          global = {
            "workgroup" = "DMZ";
            "server string" = "syncthing";
            "netbios name" = "syncthing";
            "security" = "user";
            #"use sendfile" = "yes";
            #"max protocol" = "smb2";
            # note: localhost is the ipv6 localhost ::1
            "hosts allow" = "192.168.23. 127.0.0.1 localhost";
            "hosts deny" = "0.0.0.0/0";
            "guest account" = "nobody";
            "map to guest" = "bad user";
          };
          "scan-stefan" = {
            "path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan";
            "browseable" = "yes";
            "read only" = "no";
            "guest ok" = "no";
            "create mask" = "0644";
            "directory mask" = "0755";
            "force user" = "syncthing";
            "force group" = "syncthing";
          };
          "scan-justyna" = {
            "path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna";
            "browseable" = "yes";
            "read only" = "no";
            "guest ok" = "no";
            "create mask" = "0644";
            "directory mask" = "0755";
            "force user" = "syncthing";
            "force group" = "syncthing";
          };
        };
      };
      # TODO: find out if smbpasswd file is still used and set it here. or find an alternative
      # sops.secrets.smbpasswd = {
      # };
      # environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text;
    };
  };
-  autoStart = true;
+  inherit autoStart;
  bindMounts = {
    "/var/lib/syncthing/" = {
@ -39,7 +92,22 @@
      hostPort = syncthingPort;
      protocol = "tcp";
    }
    {
      containerPort = 22000;
      hostPort = syncthingPort;
      protocol = "udp";
    }
    {
      containerPort = 21027;
      hostPort = syncthingLocalAnnouncePort;
      protocol = "udp";
    }
    {
      containerPort = 445;
      hostPort = smbTcpPort;
      protocol = "tcp";
    }
  ];
-  inherit hostAddress localAddress;
+  inherit hostBridge hostAddress localAddress;
 }
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -1,76 +1,436 @@
-{ hostAddress
+{
-, localAddress
+  specialArgs,
-, httpsPort ? 443
+  hostBridge,
-}: {
+  hostAddress,
-  config = { config, pkgs, lib, ... }: {
+  localAddress,
-    imports = [
+  httpPort,
-      ../profiles/containers/configuration.nix
+  httpsPort,
-    ];
+  forgejoSshPort,
  autoStart ? false,
 }:
 let
  domain = "www.stefanjunker.de";
 in
 {
  inherit specialArgs;
  config =
    {
      config,
      pkgs,
      lib,
      repoFlake,
      nodeFlake,
      system,
      ...
    }:
    let
      nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable;
    in
    {
      system.stateVersion = "22.05"; # Did you read the comment?
-    networking.firewall.enable = false;
+      disabledModules = [
        "services/misc/forgejo.nix"
        "services/security/kanidm.nix"
      ];
-    services.ddclientovh = {
+      imports = [
        "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
        "${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"
        ../profiles/containers/configuration.nix
        repoFlake.inputs.sops-nix.nixosModules.sops
      ];
      sops.defaultSopsFile = ./webserver_secrets.yaml;
      networking.firewall.allowedTCPPorts = [
        httpPort
        httpsPort
        forgejoSshPort
      ];
      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      sops.secrets.hedgedoc_environment_file = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.hedgedoc.name;
      };
      services.caddy = {
        enable = true;
-        domain = "www.stefanjunker.de";
+        logFormat = ''
-    };
+          level ERROR
        '';
        virtualHosts."${domain}" = {
          extraConfig = ''
            redir /hedgedoc* https://hedgedoc.${domain}
-    services.nginx.enable = true;
+            basic_auth /justyna/202505_prt_teil1* {
-    services.nginx.virtualHosts."stefanjunker.de" = {
+                prt $2a$14$y7tZYZxTlJ2JFsBtRM.D8Ok0oHhWt53mGXk.xJMLXc/JF.bTtOWaq
-      default = true;
+            }
      onlySSL = true;
      root = "/var/www/stefanjunker.de/htdocs";
-      sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
+            file_server /* {
-      sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
+              browse
              root /var/www/stefanjunker.de/htdocs/caddy
              pass_thru
            }
-      locations."/fi" = {
+            # respond "Hi"
-        index = "index.php";
+            # respond (not /*/*) "Hi"
          '';
        };
        virtualHosts."hedgedoc.${domain}" = {
          extraConfig = ''
            reverse_proxy http://[::1]:3000
          '';
        };
        virtualHosts."authelia.${domain}" = {
          extraConfig = ''
            reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
          '';
        };
        virtualHosts."lldap.${domain}" = {
          extraConfig = ''
            reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
          '';
        };
        virtualHosts."forgejo.${domain}" = {
          extraConfig = ''
            reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
          '';
        };
        virtualHosts."kanidm.${domain}" = {
          extraConfig = ''
            reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
              transport http {
                  tls_server_name ${config.services.kanidm.serverSettings.domain}
              }
            }
          '';
        };
      };
-      locations."~ ^(.+\.php)(.*)$".extraConfig = ''
+      services.hedgedoc = {
-        fastcgi_split_path_info  ^(.+\.php)(.*)$;
+        enable = true;
        settings = {
          domain = "hedgedoc.${domain}";
          urlPath = "";
          protocolUseSSL = true;
          db = {
            dialect = "sqlite";
            storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
          };
-        fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
+          allowAnonymous = false;
-        fastcgi_index index.php;
+          allowAnonymousEdits = false;
-      '';
+          allowGravatar = false;
-    };
+          allowFreeURL = false;
          defaultPermission = "private";
-    services.phpfpm.pools.mypool = {
+          allowEmailRegister = false;
-      user = "nobody";
+          email = false;
      phpPackage = pkgs.php5;
      settings = {
        "listen.owner" = config.services.nginx.user;
        "pm" = "dynamic";
        "pm.max_children" = 5;
        "pm.start_servers" = 2;
        "pm.min_spare_servers" = 1;
        "pm.max_spare_servers" = 3;
        "pm.max_requests" = 500;
-        "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
+          ldap = {
            url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
            bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
            # these are set via the `environmentFile`
            # bindCredentials = "$LDAP_ADMIN_PASSWORD";
            searchBase = "ou=people,dc=stefanjunker,dc=de";
            searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
            useridField = "uid";
          };
          oauth2 =
            let
              originURL = config.services.kanidm.serverSettings.origin;
            in
            {
              providerName = "kanidm (${originURL})";
              authorizationURL = "${originURL}/ui/oauth2";
              tokenURL = "${originURL}/oauth2/token";
              userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
              scope = "openid email profile";
              # rolesClaim = "roles";
              # accessRole = "role/hedgedoc";
              userProfileUsernameAttr = "name";
              userProfileDisplayNameAttr = "displayname";
              userProfileEmailAttr = "email";
              clientID = "hedgedoc";
              # set via the `environmentFile`
              # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
            };
          uploadsPath = "/var/lib/hedgedoc/uploads";
        };
        environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
      };
    };
-    # the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work
+      services.jitsi-meet = {
-    systemd.services."phpfpm-mypool" = {
+        enable = false;
-      serviceConfig = {
+        hostName = "meet.${domain}";
-        Type = lib.mkForce "simple";
+        config = {
          prejoinPageEnabled = true;
        };
        caddy.enable = true;
        nginx.enable = false;
      };
      sops.secrets.authelia_storageEncryptionKey = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.authelia-default.name;
      };
      sops.secrets.authelia_jwtSecret = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.authelia-default.name;
      };
      services.authelia.instances.default =
        let
          baseDir = "/var/lib/authelia-default";
        in
        {
          enable = true;
          secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
          secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
          settings = {
            theme = "auto";
            default_2fa_method = "totp";
            log.level = "debug";
            server = {
              disable_healthcheck = true;
              host = "127.0.0.1";
              port = 9091;
              # path = "authelia";
            };
            storage = {
              local.path = "${baseDir}/authelia.sqlite";
            };
            authentication_backend = {
              file.path = "${baseDir}/first_factor.yaml";
              file.search.email = true;
              file.search.case_insensitive = false;
            };
            access_control = {
              default_policy = "one_factor";
            };
            session.domain = "stefanjunker.de";
            notifier = {
              disable_startup_check = true;
              filesystem.filename = "${baseDir}/notification.txt";
            };
          };
        };
      users.groups.lldap = { };
      users.users.lldap = {
        isSystemUser = true;
        group = "lldap";
      };
      sops.secrets.lldap_jwtSecret = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.lldap.name;
      };
      sops.secrets.lldap_adminPassword = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.lldap.name;
      };
      sops.secrets.lldap_environmentFile = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.lldap.name;
      };
      services.lldap = {
        enable = true;
        environment = {
          LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
          LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
        };
        environmentFile = config.sops.secrets.lldap_environmentFile.path;
        settings = {
          verbose = true;
          ldap_base_dn = "dc=stefanjunker,dc=de";
          http_url = "https://lldap.${domain}";
          ## Options to configure SMTP parameters, to send password reset emails.
          ## To set these options from environment variables, use the following format
          ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
          smtp_options = {
            ## Whether to enabled password reset via email, from LLDAP.
            enable_password_reset = true;
            # port = 465;
            ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
            # smtp_encryption = "TLS";
          };
          # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
        };
      };
      sops.secrets.FORGEJO_JWT_SECRET = { };
      sops.secrets.FORGEJO_INTERNAL_TOKEN = { };
      sops.secrets.FORGEJO_SECRET_KEY = { };
      services.forgejo = {
        enable = true;
        package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
        settings = {
          service.DISABLE_REGISTRATION = true;
          server.HTTP_ADDR = "127.0.0.1";
          server.START_SSH_SERVER = true;
          server.SSH_PORT = forgejoSshPort;
          server.ROOT_URL = "https://forgejo.${domain}";
          server.HTTP_PORT = 3001;
          # TODO: how do i get a 3072 length SSH key with the yubikey?
          "ssh.minimum_key_sizes".RSA = 2048;
        };
        secrets = {
          oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
          security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path;
          security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path;
        };
      };
      systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
      systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
      systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
      # combine a path watcher with a service that transfers the certs by caddy to kanidm
      # TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate
      systemd.paths.kanidm-tls-watch = {
        enable = true;
        requiredBy = [ "kanidm.service" ];
        pathConfig = {
          PathChanged = [
            "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
            "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
          ];
          Unit = "kanidm-tls-update.service";
        };
      };
      systemd.services.kanidm-tls-update =
        let
          dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
        in
        {
          enable = true;
          requiredBy = [ "kanidm.service" ];
          unitConfig = {
            # ConditionPathExists = [
            #   "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
            #   "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
            # ];
          };
          serviceConfig.Type = "oneshot";
          script =
            let
              tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
            in
            ''
              set -xe
              cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
              cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
              chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
              chmod 400 tls.{key,chain}
              # create the kanidm directory in case it's missing
              if [[ ! -d ${tlsDir} ]]; then
                mkdir -p ${tlsDir}
                chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
                chmod 700 ${tlsDir}
              fi
              mv tls.key ${config.services.kanidm.serverSettings.tls_key}
              mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
              if [[ ! -d ${dbDir} ]]; then
                mkdir -p ${dbDir}
                chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
                chmod 700 ${dbDir}
              fi
            '';
        };
      systemd.services.kanidm.serviceConfig =
        let
          dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
        in
        # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
        {
          # ExecStartPre = ''
          #   mkdir -p ${dbDir}
          # '';
          BindPaths = [
            dbDir
            # stateDir
          ];
        };
      services.kanidm =
        let
          dataDir = "/var/lib/kanidm";
        in
        {
          package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
          enablePam = false;
          enableClient = false;
          enableServer = true;
          serverSettings = {
            role = "WriteReplica";
            log_level = "debug";
            domain = "kanidm.${domain}";
            origin = "https://kanidm.${domain}";
            bindaddress = "127.0.0.1:8444";
            # don't expose ldap
            # ldapbindaddress = "[::1]:6636";
            tls_key = "${dataDir}/tls/tls.key";
            tls_chain = "${dataDir}/tls/tls.chain";
            online_backup = {
              schedule = "00 06 * * *";
            };
          };
        };
    };
-    services.mysql = {
+  inherit autoStart;
      enable = true;
      package = pkgs.mariadb;
    };
  };
  autoStart = true;
  bindMounts = {
-    "/etc/secrets/" = {
+    # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
-      hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
+    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
-      isReadOnly = true;
+    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
    };
    "/var/www" = {
      hostPath = "/var/lib/container-volumes/webserver/var-www";
@ -81,17 +441,55 @@
      hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
      isReadOnly = false;
    };
    "/var/lib/hedgedoc" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc";
      isReadOnly = false;
    };
    "/var/lib/authelia-default" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-authelia-default";
      isReadOnly = false;
    };
    "/var/lib/lldap" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap";
      isReadOnly = false;
    };
    "/var/lib/forgejo" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo";
      isReadOnly = false;
    };
    "/var/lib/kanidm" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm";
      isReadOnly = false;
    };
  };
  privateNetwork = true;
  forwardPorts = [
    {
      # http
      containerPort = 80;
      hostPort = httpPort;
      protocol = "tcp";
    }
    {
      # https
      containerPort = 443;
      hostPort = httpsPort;
      protocol = "tcp";
    }
    {
      # forgejo ssh
      containerPort = forgejoSshPort;
      hostPort = forgejoSshPort;
      protocol = "tcp";
    }
  ];
-  inherit hostAddress localAddress;
+  inherit hostBridge hostAddress localAddress;
 }
--- a/nix/os/containers/webserver_secrets.yaml
+++ b/nix/os/containers/webserver_secrets.yaml
@ -0,0 +1,55 @@
 hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str]
 authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str]
 authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str]
 lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str]
 lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str]
 lldap_environmentFile: ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str]
 #ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment]
 FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str]
 FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str]
 FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str]
 sops:
  age:
    - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTitidDZpWVJsZWxmWDFa
        emdyTSszczVNbDhZSlVjeWRDMDdXQmg4QmpBCmNLZ0tob2hsRHhlTXY5VHZEY01T
        MUtRdUxBM0lmeEo2OVBMdElrYVVvY1EKLS0tIHIwWllkQU9RRjF1U0F0OWdCKzlq
        Y3ZxSWI3MUxQNEljNXlUSnlTdlpxazAKKjJYqcDsBzo6yOYDkgtBZntxhsHjqOyZ
        yg5G8vtuOiDvPLvODzI/I9VupGyLwEkxaFc67bpg4u/1Cql7oaAADQ==
        -----END AGE ENCRYPTED FILE-----
    - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdFg1cm9JTFFyUmYxb1ZP
        WWtKTDE4bDBya3pWakJ0bFVkSnZvdExGMlNVCmo0N1BvNnV4MERUTjU2blUzbngv
        VDduRWd2K1VlK1k2OWp6L0JhTERnOUEKLS0tIGV0aFZMTGRHNW5HUUhGRkYxNGMz
        dHJwN0R1eHkyWXpiVDlRcldHT0gvV28KRiwauYvF4CCu5LeW7+kR3GSkZ+rpIbsC
        JF9vV3rxbE9SdJ3nP6CyYQX7tQ6rbXtOKawq3k+z4zV/Dw7gYSNn5Q==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-16T12:28:51Z"
  mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str]
  pgp:
    - created_at: "2025-06-05T09:49:08Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMAw+OdhfgD3wfAQ/8DIuNUO6tpyuG0j4Ros6MjHs1USkfY+2ntzqyugGe4OpA
        cXLzXWGT7pCxE6bcd7FepG/Nln17219siP9PX1WqEl324GnKXjbAbczjnu/9ggeF
        bUWBhKFwGivVXDfO8VusG0MN41tJMoDwAelaJdgnXnbAwHISJ20UzFtnTBx67ALs
        5pqHzOf7uuY7eZbl79iEiBJ8Ecj/Y3yrcANbVXQtET7X5629nTMHuizFsym9fy0p
        6elwdrJSGPlncWA/+wsec5WIxwOsrLoEz8rvFpZJo/YI4/5heiL6RmgqKODzAhFp
        +PD/VoksJQ0lynzH2jBUKNte7UU5fyMAn9CEu0eY7sNRHpEKWjj/uPoWPkaV3JQ/
        Au2YN9VV0qkyqYZ/6mU1L+Ukaci3kG/hJKM9MxXZ6rVEsuOnbuHPgW9jW/xogo38
        /522CAF+NThKPWbiS/VDHyUsH+h2ubh9jGyFuesP/dNhXbc+6vkcIIBgfsb2IWt1
        Fc2fvUlX9tpJYobk3PmyR88DHv4pXPkgIIEqW6JUHmkjdH+q82sGsRtni58eWUj6
        DXn09tSpM3gu02wlqobca1qrOIKVsQJ/bHB4p6PRFoeqx6Yzfdy8h4WvT75PONGD
        DGW7uLYo/ISb/SDgbclNw6vlYsI7ZFtYDTWxtCjrYXFBqRSMftgreRwhi8gU0rTS
        XAFXAkIp4B0y8cfxofqJyDsZmil0gJraJpkz/Y0JA+jXlQ2jHlC03xoMZIn60RKn
        XI91UY65PAyoQ0LROa/TRBFCLJarLFcCSeth4MhDq06f4spXYtCV9i+2HNBj
        =bUJ6
        -----END PGP MESSAGE-----
      fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
  unencrypted_suffix: _unencrypted
  version: 3.8.1
--- a/nix/os/devices/167.233.1.14/hw.nix
+++ b/nix/os/devices/167.233.1.14/hw.nix
@ -1,56 +0,0 @@
 { ... }:
 let
  stage1Modules =  [
    # "aesni_intel"
    # "kvm-intel"
    "aes_x86_64"
    "virtio_balloon"
    "virtio_scsi"
    "virtio_net"
    "virtio_pci"
    "virtio_ring"
    "virtio"
    "scsi_mod"
    "virtio_blk"
    "virtio_ring"
    "bochs_drm"
    "ata_piix"
    "pata_acpi"
    "ata_generic"
  ];
 in
 {
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/354fb107-2f4a-42ad-80dd-9dddb61bfd02";
    fsType = "ext4";
  };
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b";
    fsType = "btrfs";
    options = [ "subvol=root" ];
    neededForBoot = true;
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b";
    fsType = "btrfs";
    options = [ "subvol=home" ];
    neededForBoot = true;
  };
  swapDevices = [ { device = "/dev/disk/by-uuid/d16b5f4a-f38c-41c6-8aae-1625be815f9d"; } ];
  boot.loader.grub = {
    device = "/dev/vda";
  };
  boot.initrd.availableKernelModules = stage1Modules;
  boot.initrd.kernelModules = stage1Modules;
  boot.extraModprobeConfig = ''
  '';
 }
--- a/nix/os/devices/167.233.1.14/pkg.nix
+++ b/nix/os/devices/167.233.1.14/pkg.nix
@ -1,30 +0,0 @@
 { config
 , pkgs
 , lib
 , ...
 }:
 {
  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
    nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
  };
  home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
    inherit pkgs;
    extraPackages = [
      # required by vscode's remote-ssh plugin
      pkgs.nodejs
      # allow clipboard exchanges
      pkgs.xsel
      pkgs.xclip
    ];
  };
  nix.buildMachines = [
    { hostName = "localhost";
      system = "x86_64-linux";
      supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
      maxJobs = 4;
    }
  ];
 }
--- a/nix/os/devices/167.233.1.14/system.nix
+++ b/nix/os/devices/167.233.1.14/system.nix
@ -1,104 +0,0 @@
 { pkgs
 , lib
 , config
 , ... }:
 let
  keys = import ../../../variables/keys.nix;
 in {
  # TASK: new device
  networking.hostName = "sj-pvehtz-0"; # Define your hostname.
  # networking.domain =  "";
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [
    # iperf3
    5201
  ];
  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;
  networking.interfaces.eth0 = {
    mtu = 1400;
    useDHCP = false;
    ipv4.addresses = [
      { "address" = "167.233.1.14"; "prefixLength" = 29; }
    ];
    ipv6.addresses = [
    ];
  };
  networking.defaultGateway = {
    address = "167.233.1.9";
    interface = "eth0";
  };
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "eth0";
  };
  networking.nameservers = [
    "1.1.1.1"
  ];
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "eth0";
  };
  # Kubernetes
  # services.kubernetes.roles = ["master" "node"];
  # virtualization
  virtualisation = {
    docker.enable = true;
  };
  services.spice-vdagentd.enable = true;
  services.qemuGuest.enable = true;
  systemd.services."sshd-status" = {
    enable = true;
    description = "sshd-status service";
    path = [ pkgs.systemd ];
    script = ''
      systemctl status sshd | grep -i tasks
    '';
  };
  systemd.services.sshd.serviceConfig = {
    TasksMax = 32;
  };
  systemd.timers."sshd-status" = {
    description = "Timer to trigger sshd-status periodically";
    enable = true;
    wantedBy = [ "timer.target" "multi-user.target" ];
    timerConfig = {
      OnActiveSec="360s";
      OnUnitActiveSec="360s";
      AccuracySec="1s";
      Unit = "sshd-status.service";
    };
  };
  nix.gc = {
    automatic = true;
  };
  networking.useHostResolvConf = true;
  services.openssh.forwardX11 = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.09"; # Did you read the comment?
 }
--- a/nix/os/devices/167.233.1.14/versions.nix
+++ b/nix/os/devices/167.233.1.14/versions.nix
@ -1,37 +0,0 @@
 let
  nixpkgs = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-20.09";
    rev = "51aaa3fa1b69559456f9bd4968bd5b179a784f67";
  };
 in
 {
  inherit nixpkgs;
  "channels-nixos-stable" = nixpkgs;
  "channels-nixos-20.03" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-20.03";
    rev = "ff6fda61600cc60404bab5cb6b18b8636785b7bc";
  };
  "channels-nixos-19.09" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-19.09";
    rev = "75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1";
  };
  "channels-nixos-unstable" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-unstable";
    rev = "24c9b05ac53e422f1af81a156f1fd58499eb27fb";
  };
  "nixpkgs-master" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "master";
    rev = "9b3e35d991ea6a43f256069dcb2e006006730d05";
  };
  "home-manager-module" = {
    url = "https://github.com/nix-community/home-manager";
    ref = "release-20.09";
    rev = "7339784e07217ed0232e08d1ea33b610c94657d8";
  };
 }
--- a/nix/os/devices/167.233.1.14/versions.tmpl.nix
+++ b/nix/os/devices/167.233.1.14/versions.tmpl.nix
@ -1,37 +0,0 @@
 let
  nixpkgs = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-20.09";
    rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
  };
 in
 {
  inherit nixpkgs;
  "channels-nixos-stable" = nixpkgs;
  "channels-nixos-20.03" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-20.03";
    rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.03 | awk '{ print $1 }' | tr -d '\n' -%>";
  };
  "channels-nixos-19.09" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-19.09";
    rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-19.09 | awk '{ print $1 }' | tr -d '\n' -%>";
  };
  "channels-nixos-unstable" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-unstable";
    rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
  };
  "nixpkgs-master" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "master";
    rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
  };
  "home-manager-module" = {
    url = "https://github.com/nix-community/home-manager";
    ref = "release-20.09";
    rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
  };
 }
--- a/nix/os/devices/default.nix
+++ b/nix/os/devices/default.nix
@ -1,40 +1,58 @@
-{ pkgs ? import <channels-nixos-stable> {}
+{
-, ownLib ? import ../lib/default.nix { }
+  dir,
-, dir
+  pkgs ? import <channels-nixos-stable> { },
-, rebuildarg
+  ownLib ? import ../lib/default.nix { inherit (pkgs) lib; },
-, moreargs ? ""
+  gitRoot ? "$(git rev-parse --show-toplevel)",
-, diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId
+  # FIXME: why do these need explicit mentioning?
-, gitRoot ? "$(git rev-parse --show-toplevel)"
+  moreargs ? "",
-, previousDiskId ? ""
+  rebuildarg ? "",
-}:
+  ...
-
+}@args:
 let
-  rebuildargsSudo = [ "switch" "boot" ];
+  rebuildargsSudo = [
-  rebuild = pkgs.writeScript "script" ''
+    "switch"
-    #!/usr/bin/env bash
+    "boot"
-    set -xe
+  ];
  rebuild =
    {
      gitRoot,
      rebuildarg ? "dry-activate",
      moreargs ? "",
      ...
    }:
    pkgs.writeScript "script" ''
      #!/usr/bin/env bash
      set -xe
-    pushd ${gitRoot}/${dir}
+      pushd ${gitRoot}/${dir}
-    export NIXOS_CONFIG="$PWD"/configuration.nix
+      export NIXOS_CONFIG="$PWD"/configuration.nix
-    [[ -e "''${NIXOS_CONFIG}" ]]
+      [[ -e "''${NIXOS_CONFIG}" ]]
-    ${if (builtins.elem rebuildarg rebuildargsSudo)
+      if test -L result; then
-          && builtins.match ".*--target-host.*" moreargs == null
+        rm result
-    then
+      fi
      "sudo -E \\"
    else
      ""
    }
    nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
    if test -L result; then
      rm result
    fi
  '';
-
+      ${
-in {
+        if
          (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null
        then
          "sudo -E \\"
        else
          ""
      }
      nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
    '';
 in
 {
  recipes = {
-    inherit rebuild;
+    rebuild = rebuild {
-  } // (import ./disk.nix { inherit pkgs ownLib dir rebuildarg moreargs diskId gitRoot previousDiskId; });
+      inherit gitRoot;
      inherit moreargs;
      inherit rebuildarg;
    }
    # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
    # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
    ;
  } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; }));
 }
--- a/nix/os/devices/disk.nix
+++ b/nix/os/devices/disk.nix
@ -1,22 +1,25 @@
-{ pkgs
+{
-, ownLib
+  pkgs,
-, dir
+  ownLib,
-, rebuildarg
+  dir,
-, moreargs
+  gitRoot,
-, diskId
+  diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId,
-, gitRoot
+  encrypted ?
-, previousDiskId ? ""
+    (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted,
  previousDiskId ? "",
  ...
 }:
 let
-  mntRootVol="/mnt/${diskId}-root";
+  mntRootVol = "/mnt/${diskId}-root";
-
+in
-in rec {
+rec {
  diskMount = pkgs.writeScript "script" ''
    #!/usr/bin/env bash
    set -xe
    echo Mounting ${diskId}
-    sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
+    ${pkgs.lib.strings.optionalString encrypted ''
      sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
    ''}
    sleep 1
    sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
    sudo mkdir -p /mnt
@ -32,7 +35,9 @@ in rec {
    sudo umount -Rl ${mntRootVol}
    sudo rmdir ${mntRootVol}
    sudo vgchange -an ${ownLib.disk.volumeGroup diskId}
-    sudo cryptsetup close ${ownLib.disk.luksName diskId}
+    ${pkgs.lib.strings.optionalString encrypted ''
      sudo cryptsetup close ${ownLib.disk.luksName diskId}
    ''}
    sync
  '';
@ -45,9 +50,10 @@ in rec {
    [[ -e "''${NIXOS_CONFIG}" ]]
    [[ -e "${mntRootVol}/nixos" ]]
-    sudo -E $SHELL <<EOF
+    sudo --preserve-env=PATH -E $SHELL <<EOF
    # 'having $system set breaks nixos-install'
    unset system
    echo $NIX_PATH
    nixos-install --max-jobs 5 --cores 4  --no-root-passwd --root ${mntRootVol}/nixos
    EOF
  '';
@ -56,7 +62,7 @@ in rec {
    #!/usr/bin/env bash
    set -xe
-    read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
+    read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice
    case "$choice" in
      YES ) echo "Continuing in 3 seconds..."; sleep 3;;
      n|N ) echo "Exiting..."; exit 0;;
@ -70,16 +76,16 @@ in rec {
    g
    n
    1
-   
+
    +1M
    n
    2
-   
+
    +512M
    n
    3
-   
+
-   
+
    t
    1
    4
@ -100,12 +106,14 @@ in rec {
    sleep 1
-    # Encrypt
+    ${pkgs.lib.strings.optionalString encrypted ''
-    sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
+      # Encrypt
-    sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
+      sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
      sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
    ''}
    # LVM
-    sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.luksPhysicalVolume diskId}
+    sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted}
    sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
    sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@ -120,7 +128,7 @@ in rec {
    sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
    sudo btrfs subvolume create ${mntRootVol}/nixos
    sudo btrfs subvolume create ${mntRootVol}/home
-    sudo mkdir ${mntRootVol}/nixos/{boot,home}
+    sudo mkdir ${mntRootVol}/nixos/{boot,home,tmp}
    ${diskUmount}
  '';
@ -160,7 +168,9 @@ in rec {
    if test "${previousDiskId}"; then
-      sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
+      ${pkgs.lib.strings.optionalString encrypted ''
        sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
      ''}
      sync
      sleep 1
      if sudo vgs ${previousDiskId}; then
@ -168,6 +178,8 @@ in rec {
        sudo vgscan
      fi
    fi
-    sudo cryptsetup close ${ownLib.disk.luksName diskId}
+    ${pkgs.lib.strings.optionalString encrypted ''
      sudo cryptsetup close ${ownLib.disk.luksName diskId}
    ''}
  '';
 }
--- a/nix/os/devices/elias-e525/boot.nix
+++ b/nix/os/devices/elias-e525/boot.nix
@ -0,0 +1,5 @@
 { lib, ... }:
 {
  boot.loader.grub.efiSupport = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 }
--- a/nix/os/devices/steveej-t480s-work/configuration.nix
+++ b/nix/os/devices/steveej-t480s-work/configuration.nix
@ -1,20 +1,15 @@
 { ... }:
 {
  disabledModules = [
    "system/boot/initrd-network.nix"
  ];
  imports = [
    ../../modules/initrd-network.nix
    ../../profiles/common/configuration.nix
    ../../profiles/graphical/configuration.nix
-    ../../modules/encryptedDisk.nix
+    ../../profiles/graphical-gnome-xorg.nix
    ../../modules/opinionatedDisk.nix
    ./system.nix
    ./hw.nix
    ./pkg.nix
    ./user.nix
    ./boot.nix
  ];
 }
--- a/nix/os/devices/elias-e525/default.nix
+++ b/nix/os/devices/elias-e525/default.nix
@ -0,0 +1,29 @@
 {
  nodeName,
  repoFlake,
  nodeFlake,
  ...
 }:
 let
  system = "x86_64-linux";
 in
 {
  meta.nodeSpecialArgs.${nodeName} = {
    inherit repoFlake nodeName nodeFlake;
    packages' = repoFlake.packages.${system};
  };
  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
  ${nodeName} = {
    deployment.targetHost = "elias-e525";
    deployment.replaceUnknownProfiles = true;
    # deployment.allowLocalDeployment = true;
    imports = [
      nodeFlake.inputs.home-manager.nixosModules.home-manager
      ./configuration.nix
    ];
  };
 }
--- a/nix/os/devices/elias-e525/flake.lock
+++ b/nix/os/devices/elias-e525/flake.lock
@ -0,0 +1,52 @@
 {
  "nodes": {
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1748665073,
        "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "282e1e029cb6ab4811114fc85110613d72771dea",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-25.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1749024892,
        "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "nixpkgs": [
          "nixpkgs-stable"
        ],
        "nixpkgs-stable": "nixpkgs-stable"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/nix/os/devices/elias-e525/flake.nix
+++ b/nix/os/devices/elias-e525/flake.nix
@ -0,0 +1,11 @@
 {
  inputs.nixpkgs.follows = "nixpkgs-stable";
  inputs.nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
  inputs.home-manager = {
    url = "github:nix-community/home-manager/release-25.05";
    inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = _: { };
 }
--- a/nix/os/devices/elias-e525/hw.nix
+++ b/nix/os/devices/elias-e525/hw.nix
@ -0,0 +1,11 @@
 _: {
  # TASK: new device
  hardware.opinionatedDisk = {
    enable = true;
    encrypted = false;
    diskId = "ata-KINGSTON_SV100S2128G_08BAB0020855";
  };
  # boot.initrd.availableKernelModules = stage1Modules;
  boot.extraModprobeConfig = "";
 }
--- a/nix/os/devices/elias-e525/pkg.nix
+++ b/nix/os/devices/elias-e525/pkg.nix
@ -0,0 +1,47 @@
 { pkgs, lib, ... }:
 let
  homeEnv = keyboard: {
    imports = [
      ../../../home-manager/profiles/common.nix
      ../../../home-manager/configuration/graphical-gnome3.nix
      ../../../home-manager/programs/firefox.nix
      ../../../home-manager/programs/libreoffice.nix
      ../../../home-manager/programs/neovim.nix
    ];
    home.keyboard = keyboard;
    home.packages = with pkgs; [
      dia
      rustdesk
    ];
  };
 in
 {
  services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
    gnome-remote-desktop.enable = true;
  };
  home-manager.users.steveej = homeEnv {
    layout = "en";
    options = [ "nodeadkey" ];
    variant = "altgr-intl";
  };
  home-manager.users.elias = homeEnv {
    layout = "de";
    options = [ ];
    variant = "";
  };
  home-manager.users.justyna = homeEnv {
    layout = "de";
    options = [ ];
    variant = "";
  };
  system.stateVersion = "21.11";
 }
--- a/nix/os/devices/elias-e525/system.nix
+++ b/nix/os/devices/elias-e525/system.nix
@ -0,0 +1,47 @@
 { pkgs, lib, ... }:
 {
  # TASK: new device
  networking.hostName = "elias-e525"; # Define your hostname.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [
    # iperf3
    5201
  ];
  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;
  services.fprintd.enable = true;
  security.pam.services = {
    # conflicts with nixpkgs' gdm.nix
    # login.fprintAuth = true;
    sudo.fprintAuth = true;
  };
  services = {
    xserver = {
      xkb.layout = lib.mkForce "de";
      xkb.variant = lib.mkForce "";
      xkb.options = lib.mkForce "";
      displayManager.gdm.enable = lib.mkForce true;
      displayManager.lightdm.enable = lib.mkForce false;
      desktopManager.gnome.enable = true;
    };
    displayManager.autoLogin.enable = lib.mkForce false;
    # dbus.packages = [ pkgs.gnome3.dconf ];
    # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
  };
  security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
  services.xserver.videoDrivers = [ "modesetting" ];
  # boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
  nix.gc = {
    automatic = true;
  };
 }
--- a/nix/os/devices/elias-e525/user.nix
+++ b/nix/os/devices/elias-e525/user.nix
@ -0,0 +1,36 @@
 { config, lib, ... }:
 let
  keys = import ../../../variables/keys.nix;
  inherit (import ../../lib/default.nix { inherit lib config; }) mkUser deepMergeAttrsets;
 in
 deepMergeAttrsets [
  {
    sops.secrets.sharedUsers-elias = {
      sopsFile = ../../../../secrets/shared-users.yaml;
      neededForUsers = true;
      format = "yaml";
    };
    sops.secrets.sharedUsers-justyna = {
      sopsFile = ../../../../secrets/shared-users.yaml;
      neededForUsers = true;
      format = "yaml";
    };
  }
  (mkUser {
    username = "elias";
    uid = 1001;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
    hashedPasswordFile = config.sops.secrets.sharedUsers-elias.path;
  })
  (mkUser {
    username = "justyna";
    uid = 1002;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
    hashedPasswordFile = config.sops.secrets.sharedUsers-justyna.path;
  })
 ]
--- a/nix/os/devices/fwhost1/boot.nix
+++ b/nix/os/devices/fwhost1/boot.nix
@ -0,0 +1,5 @@
 { lib, ... }:
 {
  boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
  boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 }
--- a/nix/os/devices/167.233.1.14/configuration.nix
+++ b/nix/os/devices/167.233.1.14/configuration.nix
@ -1,14 +1,12 @@
 { ... }:
 {
  disabledModules = [
  ];
  imports = [
    ../../profiles/common/configuration.nix
    ../../modules/opinionatedDisk.nix
    ./system.nix
    ./hw.nix
    ./pkg.nix
-    ./boot.nix
+    ./user.nix
  ];
 }
--- a/nix/os/devices/fwhost1/hw.nix
+++ b/nix/os/devices/fwhost1/hw.nix
@ -0,0 +1,11 @@
 _: {
  # TASK: new device
  hardware.opinionatedDisk = {
    enable = true;
    encrypted = false;
    diskId = "ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN";
  };
  hardware.enableRedistributableFirmware = true;
  boot.extraModprobeConfig = "";
 }
--- a/Show more
+++ b/Show more