feat(syncthing): expose scan folder via samba

nix/os/devices/sj-srv1: bump versions
firefox: istilldontcareaboutcookies
2025-05-14 10:46:20 +02:00 · 2025-05-13 16:02:32 +02:00 · 2025-05-02 22:41:44 +02:00 · 2025-05-01 14:23:01 +02:00 · 2025-05-01 14:22:26 +02:00 · 2025-04-29 11:00:08 +02:00
293 changed files with 11465 additions and 7135 deletions
--- a/.envrc
+++ b/.envrc
@ -1 +1,5 @@
-use_flake . --impure
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
 fi
 use flake .#develop
--- a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
+++ b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,8 @@
 .env
 **/result
 .direnv/
 # nixago: ignore-linked-files
 /treefmt.toml
 /debug-logs
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,10 +0,0 @@
 stages:
  - build
 build:
  stage: build
  tags:
    - nix
  script:
    # Test the nix-shell
    - just run-with-channels 'nix-shell --run "echo OK"'
--- a/.sops.yaml
+++ b/.sops.yaml
@ -8,68 +8,115 @@
 keys:
  - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
  - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
  - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
  - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
  - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
  - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
-  # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz
+  - &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
-  - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
+  - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
-  - &sj-bm-hostkey0  age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44
+  - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
  - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
 creation_rules:
  - path_regex: ^(.+/|)secrets/[^/]+$
    key_groups:
-    - pgp:
+      - pgp:
-      - *steveej
+          - *steveej
-      age:
+        age:
-      - *steveej-t14
+          - *steveej-t14
-      - *elias-e525
+          - *steveej-x13s
-      - *justyna-p300
+          - *elias-e525
          - *justyna-p300
-      - *srv0-dmz0
+          - *srv0-dmz0
-      - *router0-dmz0
+          - *router0-dmz0
-      - *sj-vps-htz0
+          - *sj-vps-htz0
-      - *sj-bm-hostkey0
+          - *sj-srv1
          - *hstk0
          - *router0-ifog
          - *router0-hosthatch
  - path_regex: ^secrets/steveej-t14/.+$
    key_groups:
-    - pgp:
+      - pgp:
-      - *steveej
+          - *steveej
-      age:
+        age:
-      - *steveej-t14
+          - *steveej-t14
  - path_regex: ^secrets/desktop/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-t14
          - *steveej-x13s
  - path_regex: ^secrets/servers/.+$
    key_groups:
-    - pgp:
+      - pgp:
-      - *steveej
+          - *steveej
-      age:
+        age:
-      - *sj-vps-htz0
+          - *sj-vps-htz0
          - *sj-srv1
  - path_regex: ^nix/os/containers/.+_secrets.+$
    key_groups:
-    - pgp:
+      - pgp:
-      - *steveej
+          - *steveej
-      age:
+        age:
-      - *sj-vps-htz0
+          - *sj-vps-htz0
          - *sj-srv1
  - path_regex: ^secrets/holochain-infra/.+$
    key_groups:
-    - pgp:
+      - pgp:
-      - *steveej
+          - *steveej
-      age:
+        age:
-      - *srv0-dmz0
+          - *srv0-dmz0
  - path_regex: ^secrets/router0-dmz0/.+$
    key_groups:
-    - pgp:
+      - pgp:
-      - *steveej
+          - *steveej
-      age:
+        age:
-      - *router0-dmz0
+          - *router0-dmz0
  - path_regex: ^secrets/router0-ifog/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *router0-ifog
  - path_regex: ^secrets/router0-hosthatch/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *router0-hosthatch
  - path_regex: ^secrets/sj-vps-htz0/.+$
    key_groups:
-    - pgp:
+      - pgp:
-      - *steveej
+          - *steveej
-      age:
+        age:
-      - *sj-vps-htz0
+          - *sj-vps-htz0
-  - path_regex: ^secrets/sj-bm-hostkey0/.+$
+  - path_regex: ^secrets/sj-srv1/.+$
    key_groups:
-    - pgp:
+      - pgp:
-      - *steveej
+          - *steveej
-      age:
+        age:
-      - *sj-bm-hostkey0
+          - *sj-srv1
  - path_regex: ^secrets/hstk0/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *hstk0
  - path_regex: ^secrets/steveej-x13s/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-x13s
  - path_regex: ^secrets/work-holo/.+$
    key_groups:
      - pgp:
          - *steveej
        age:
          - *steveej-x13s
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,6 +1,20 @@
 {
-    "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix",
+  "editor.defaultFormatter": "ibecker.treefmt-vscode",
-    "[nix]": {
+  "editor.formatOnSave": true,
-        "editor.defaultFormatter": "jnoortheen.nix-ide"
+  "nix.enableLanguageServer": true,
-    },
+  "nix.serverPath": "nil",
  "nix.serverSettings": {
    // settings for 'nil' LSP
    "nil": {
      "autoArchive": true,
      "diagnostics": {
        "ignored": ["unused_binding", "unused_with"]
      },
      "formatting": {
        "command": ["treefmt", "--stdin", ".nil.nix"]
      }
    }
  },
  "treefmt.command": "treefmt",
  "treefmt.config": ""
 }
--- a/441
+++ b/441
@ -2,307 +2,320 @@
 # 	echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"
 _usage:
-	just -l
+    just -l
 # Re-render the default versions
 update-default-versions:
-	nix flake update
+    nix flake update
 _get_nix_path versionsPath:
-	echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath  {{versionsPath}})
+    echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath  {{ versionsPath }})
 _device recipe dir +moreargs="":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -ex
+    set -ex
-	unset NIX_PATH
+    unset NIX_PATH
-	source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix)
+    source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix)
-	$(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}})
+    $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }})
 _render_templates:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -ex
+    set -ex
-	if ! ip route get 1.1.1.1; then
+    if ! ip route get 1.1.1.1; then
-		echo No route to WAN. Skipping template rendering...
+    	echo No route to WAN. Skipping template rendering...
-	else
+    else
-		source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
+    	source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)
-		# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
+    	# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
-	fi
+    fi
 rebuild-remote-device device +rebuildargs="dry-activate":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -ex
+    set -ex
-	nix run .#colmena -- apply --on {{device}} {{rebuildargs}}
+    nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }}
 # Rebuild this device's NixOS
 rebuild-this-device +rebuildargs="dry-activate":
-	nix run .#colmena -- apply-local --sudo {{rebuildargs}}
+    nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }}
 # Re-render the versions of a remote device and rebuild its environment
 update-remote-device devicename +rebuildargs='build':
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	(
+    (
-		set -xe
+    	set -xe
-		cd nix/os/devices/{{devicename}}
+    	cd nix/os/devices/{{ devicename }}
-		nix flake update
+    	nix flake update
-	)
+    )
-	just -v rebuild-remote-device {{devicename}} {{rebuildargs}}
+    just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }}
-	git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions"
+    git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions"
 # Re-render the versions of the current device and rebuild its environment
 update-this-device rebuild-mode='switch' +moreargs='':
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	(
+    (
-		set -xe
+    	set -xe
-		cd nix/os/devices/$(hostname -s)
+    	cd nix/os/devices/$(hostname -s)
-		nix flake update
+    	nix flake update
-	)
+    )
-	just -v rebuild-this-device {{rebuild-mode}} {{moreargs}}
+    just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }}
-	git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"
+    git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"
 # Rebuild an offline system
 rebuild-disk device:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -xe
+    set -xe
-	just -v disk-mount {{device}}
+    just -v disk-mount {{ device }}
-	trap "set +e; just -v disk-umount {{device}}" EXIT
+    trap "set +e; just -v disk-umount {{ device }}" EXIT
-	just -v disk-install {{device}}
+    just -v disk-install {{ device }}
 # Re-render the versions of the given offline system and reinstall it in offline-mode
 update-disk dir:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -exuo pipefail
+    set -exuo pipefail
-	dir={{dir}}
+    dir={{ dir }}
-	template={{dir}}/versions.tmpl.nix
+    template={{ dir }}/versions.tmpl.nix
-	outfile={{dir}}/versions.nix
+    outfile={{ dir }}/versions.nix
-	if ! test -e ${template}; then
+    if ! test -e ${template}; then
-		template="$(just _DEFAULT_VERSION_TMPL)"
+    	template="$(just _DEFAULT_VERSION_TMPL)"
-	fi
+    fi
-	esh -o ${outfile} ${template}
+    esh -o ${outfile} ${template}
-	if ! test "$(git diff ${outfile})"; then
+    if ! test "$(git diff ${outfile})"; then
-		echo Already on latest versions
+    	echo Already on latest versions
-		exit 0
+    	exit 0
-	fi
+    fi
-	export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log
+    export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log
-	just -v rebuild-disk {{dir}} || {
+    just -v rebuild-disk {{ dir }} || {
-		echo ERROR: Update of {{dir}} failed, reverting ${outfile}...
+    	echo ERROR: Update of {{ dir }} failed, reverting ${outfile}...
-		exit 1
+    	exit 1
-	}
+    }
-	git commit -v ${outfile} -m "${dir}: bump versions"
+    git commit -v ${outfile} -m "${dir}: bump versions"
 # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)
 hm-iterate-qtile:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -xe
+    set -xe
-	home-manager switch || just -v rebuild-this-device switch
+    home-manager switch || just -v rebuild-this-device switch
-	Xephyr -ac -br -resizeable :1 &
+    Xephyr -ac -br -resizeable :1 &
-	XEPHYR_PID=$!
+    XEPHYR_PID=$!
-	echo ${XEPHYR_PID}
+    echo ${XEPHYR_PID}
-	DISPLAY=:1 $(grep qtile ~/.xsession) &
+    DISPLAY=:1 $(grep qtile ~/.xsession) &
-	echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
+    echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
-	wait $!
+    wait $!
-	kill ${XEPHYR_PID}
+    kill ${XEPHYR_PID}
 # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device.
 disk-prepare dir:
-	just -v _device diskPrepare {{dir}}
+    just -v _device diskPrepare {{ dir }}
 disk-relabel dir previous:
-	just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}}
+    just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }}
 # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
 disk-mount dir:
-	just -v _device diskMount {{dir}}
+    just -v _device diskMount {{ dir }}
 # Unmount target disk, specified by device configuration directory
 disk-umount dir:
-	just -v _device diskUmount {{dir}}
+    just -v _device diskUmount {{ dir }}
 # Perform an offline installation on the mounted target disk, specified by device configuration directory
 disk-install dir: _render_templates
-	just -v _device diskInstall {{dir}}
+    just -v _device diskInstall {{ dir }}
 verify-n-unlock sshserver attempts="10":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	env \
+    env \
-	  GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \
+      GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \
-	  SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} SSHOPTS)" \
+      SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \
-	  VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \
+      VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \
-	  VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}}  VNCPW)" \
+      VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }}  VNCPW)" \
-	  \
+      \
-	  just _verify-n-unlock {{sshserver}} {{attempts}}
+      just _verify-n-unlock {{ sshserver }} {{ attempts }}
 _verify-n-unlock sshserver attempts:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	: ${VNCSOCK:?VNCSOCK must be set}
+    : ${VNCSOCK:?VNCSOCK must be set}
-	: ${VNCPW:?VNCPW must be set}
+    : ${VNCPW:?VNCPW must be set}
-	export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
+    export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
-	export TESS_ARGS="-c debug_file=/dev/null --psm 4"
+    export TESS_ARGS="-c debug_file=/dev/null --psm 4"
-	function send() {
+    function send() {
-		local what="${1:?need something to send}"
+    	local what="${1:?need something to send}"
-		ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null
+    	ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null
-	}
+    }
-	function expect() {
+    function expect() {
-		local what="${1:?need something to expect}"
+    	local what="${1:?need something to expect}"
-		vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
+    	vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
-		convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
+    	convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
-		tesseract ${TESS_ARGS} screenshot.tiff screenshot
+    	tesseract ${TESS_ARGS} screenshot.tiff screenshot
-		grep --quiet "${what}" screenshot.txt
+    	grep --quiet "${what}" screenshot.txt
-	}
+    }
-	function send_and_expect() {
+    function send_and_expect() {
-		local send="${1:?need something to send}"
+    	local send="${1:?need something to send}"
-		local expect="${2:?need something to expect}"
+    	local expect="${2:?need something to expect}"
-		if ! send "${send}"; then
+    	if ! send "${send}"; then
-			echo warning: cannot send > /dev/stderr
+    		echo warning: cannot send > /dev/stderr
-			return -1
+    		return -1
-		fi
+    	fi
-		expect "${expect}"
+    	expect "${expect}"
-	}
+    }
-	trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT
+    trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT
-	for i in `seq 1 {{attempts}}`; do
+    for i in `seq 1 {{ attempts }}`; do
-		echo Attempt $i...
+    	echo Attempt $i...
-		expect="$(pwgen -0 12)"
+    	expect="$(pwgen -0 12)"
-		send="'\0033\0143'${expect}"
+    	send="'\0033\0143'${expect}"
-		if send_and_expect "${send}" "${expect}"; then
+    	if send_and_expect "${send}" "${expect}"; then
-			pipe=$(mktemp -u)
+    		pipe=$(mktemp -u)
-			mkfifo ${pipe}
+    		mkfifo ${pipe}
-			exec 3<>${pipe}
+    		exec 3<>${pipe}
-			rm ${pipe}
+    		rm ${pipe}
-			echo Verification succeeded at attempt $i. Unlocking remote drive...
+    		echo Verification succeeded at attempt $i. Unlocking remote drive...
-			ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null &
+    		ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null &
-			eval ${GETPW} | head -n1 >&3
+    		eval ${GETPW} | head -n1 >&3
-			for j in `seq 1 120`; do
+    		for j in `seq 1 120`; do
-				sleep 0.5
+    			sleep 0.5
-				if expect '— success'; then
+    			if expect '— success'; then
-					echo Unlock successful.
+    				echo Unlock successful.
-					exit 0
+    				exit 0
-				fi
+    			fi
-			done
+    		done
-			echo Unlock failed...
+    		echo Unlock failed...
-			exit 1
+    		exit 1
-		fi
+    	fi
-	done
+    done
-	echo Verification failed {{attempts}} times. Giving up...
+    echo Verification failed {{ attempts }} times. Giving up...
-	exit 1
+    exit 1
 _get_pass_entry path key:
-	pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g'
+    pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g'
 run-with-channels +cmds:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
+    source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)
-	{{cmds}}
+    {{ cmds }}
 install-config config root:
-	sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd
+    sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd
 # Switch between gpg-card capable devices which have a copy of the same key
-switch-gpg-card:
+switch-gpg-card key-id="6EEFA706CB17E89B":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	#
+    #
-	# Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
+    # Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
-	#
+    #
-	# Connect the new device and then run this script to make it known to gnupg.
+    # Connect the new device and then run this script to make it known to gnupg.
-	#
+    #
-	set -xe
+    set -xe
-	KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
+    if [[ -n "{{key-id}}" ]]; then
        KEY_ID="{{key-id}}"
    else
        KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
    fi
-	# export pubkey and ownertrust
+    # export pubkey and ownertrust
-	gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
+    gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
-	# if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
+    # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
-	gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust
+    gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust
-	# delete the key
+    # delete the key
-	gpg --yes --delete-secret-and-public-keys "${KEY_ID}"
+    gpg --yes --delete-secret-and-public-keys "${KEY_ID}"
-	# import pubkey and ownertrust back and cleanup
+    # import pubkey and ownertrust back and cleanup
-	gpg2 --import "${KEY_ID}".pubkey
+    gpg2 --import "${KEY_ID}".pubkey
-	gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
+    gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
-	rm "${KEY_ID}".{pubkey,ownertrust}
+    rm "${KEY_ID}".{pubkey,ownertrust}
-	# refresh the gpg agent
+    # refresh the gpg agent
-	gpg-connect-agent "scd serialno" "learn --force" /bye
+    gpg-connect-agent "scd serialno" "learn --force" /bye
-	gpg --card-status
+    gpg --card-status
 # Connect to `remote` UUID, and turn it into a short name
 uuid-to-device-name remote:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e -o pipefail
+    set -e -o pipefail
-	ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}'
+    ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}'
 test-connection:
-	#! /usr/bin/env nix-shell
+    #! /usr/bin/env nix-shell
-	#! nix-shell -p curl zsh
+    #! nix-shell -p curl zsh
-	#! nix-shell -i zsh
+    #! nix-shell -i zsh
-	#! nix-shell --pure
+    #! nix-shell --pure
-	while true; do
+    while true; do
-	  FAILURE="false"
+      FAILURE="false"
-	  output=$(
+      output=$(
-		echo "$(date)\n---"
+    	echo "$(date)\n---"
-		for url in \
+    	for url in \
-			"https://172.16.0.1:65443/0.7/gui/#/login/" \
+    		"https://172.16.0.1:65443/0.7/gui/#/login/" \
-			"https://192.168.0.1" \
+    		"https://192.168.0.1" \
-			"http://172.172.171.9" \
+    		"http://172.172.171.9" \
-			"https://172.172.171.10:65443" \
+    		"https://172.172.171.10:65443" \
-			"https://172.172.171.11:65443" \
+    		"https://172.172.171.11:65443" \
-			"https://172.172.171.13:443" \
+    		"https://172.172.171.13:443" \
-			"https://172.172.171.14:443" \
+    		"https://172.172.171.14:443" \
-			"http://172.172.171.15:22" \
+    		"http://172.172.171.15:22" \
-			"http://172.172.171.16:22" \
+    		"http://172.172.171.16:22" \
-			"https://crates.io" \
+    		"https://crates.io" \
-			"https://holo.host" \
+    		"https://holo.host" \
-			; \
+    		; \
-		do
+    	do
-		  print "trying ${url}": $(
+    	  print "trying ${url}": $(
-			curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1)
+    		curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1)
-			# if [ $? -ne 0 ]; then
+    		# if [ $? -ne 0 ]; then
-			if [[ "$curl_output" == *timeout* ]]; then
+    		if [[ "$curl_output" == *timeout* ]]; then
-			  echo failure: $(echo ${curl_output} | tail -n1)
+    		  echo failure: $(echo ${curl_output} | tail -n1)
-			  # BUG: outer FAILURE is not set by this
+    		  # BUG: outer FAILURE is not set by this
-			  FAILURE="true"
+    		  FAILURE="true"
-			else
+    		else
-			  echo success
+    		  echo success
-			fi
+    		fi
-		  )
+    	  )
-		done
+    	done
-	  )
+      )
-	  clear
+      clear
-	  echo ${output}
+      echo ${output}
-	  if [[ ${FAILURE} == "true" ]]; then
+      if [[ ${FAILURE} == "true" ]]; then
-		echo something failed
+    	echo something failed
-		tracepath -m5 -n1 172.16.0.1
+    	tracepath -m5 -n1 172.16.0.1
-		tracepath -m5 -n1 192.168.0.1
+    	tracepath -m5 -n1 192.168.0.1
-	  fi
+      fi
-	  sleep 5
+      sleep 5
-	done
+    done
 cachix-use name:
-	nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/
+    nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/
 update-sops-keys:
    for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done
 deploy-router0-dmz0:
    NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1
 ttyusb:
    screen -fa /dev/ttyUSB0 115200
--- a/README.md
+++ b/README.md
@ -1,4 +1,5 @@
 # steveej's infra
 This repository helps me to manage all computer infrastructure.
 This is mostly achieved with the help of [Nix](https://nixos.org).
@ -19,7 +20,7 @@ In the unlikely case that you actually read this and have any questions please d
  - [ ] development environments
 - [x] (Semi-) automatic synchronization of important repositories
  - [x] Modification strategy
-      The approach is to use vcsh for the dotfiles
+        The approach is to use vcsh for the dotfiles
  - [x] dotfiles
 - [x] Toplevel Justfile for simple actions
  - [x] mount/umount disks
@ -39,39 +40,46 @@ In the unlikely case that you actually read this and have any questions please d
  - [x] sj-pve0
 - [x] use an existing secret management framework
 - [x] adapt (or abandon?) _just_ recipes
    - [x] `rebuild-this-device`
    - [x] `update-this-device`
    - [x] `rebuild-remote-device`
    - [x] `update-remote-device`
-    evaluate, and understand a path to using these tools in a pull-based fashion:
+  - [x] `rebuild-this-device`
  - [x] `update-this-device`
  - [x] `rebuild-remote-device`
  - [x] `update-remote-device`
  evaluate, and understand a path to using these tools in a pull-based fashion:
  - [x] [colmena](https://github.com/zhaofengli/colmena)
-      * bootstrapping: https://github.com/zhaofengli/colmena/issues/68
+    - bootstrapping: https://github.com/zhaofengli/colmena/issues/68
  - [ ] deploy-rs
 - [x] 🚧 find a better alternative for the qtile-desktop
    current issues:
    - floating windows often get lost in the background 
    - plugging in-/out- screen crashes the desktop
-    evaluate: 
+- [x] 🚧 find a better alternative for the qtile-desktop
-    - [x] ~~🚧 gnome3 + pop-shell~~
+      current issues:
-    - [x] ~~leftwm + eww (+ wayland?)~~
+
  - floating windows often get lost in the background
  - plugging in-/out- screen crashes the desktop
  evaluate:
  - [x] ~~🚧 gnome3 + pop-shell~~
  - [x] ~~leftwm + eww (+ wayland?)~~
 - [ ] (Re-)document bootstrap process
  - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
  - [ ] a new machine
  - [ ] an install media
 - [ ] Design disaster recovery
 - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle *\_archived*
+- [ ] Recycle _\_archived_
 - [ ] container migrations
  - [ ] ensure DDNS is updated _before_ the containers are started
 ## Bugs
 - [ ] home-manager leaves ~/.gnupg at 0755
 ## Usage
-*(These are reminders for my future self)*
+
 _(These are reminders for my future self)_
 ```
 just --list
@ -80,15 +88,17 @@ just --list
 ## Bootstrap
 ### A new machine
 * ensure the dotfiles repo has a branch with the new machine's hostname
-* boot with an install media and go through setup
+- ensure the dotfiles repo has a branch with the new machine's hostname
 - boot with an install media and go through setup
 #### Post-Install Setup
-* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
+
-* `gpg2 --edit-card; fetch`
+- `chmod --recursive g-rwx,o-rwx ~/.gnupg`
-* clone password-manager and infra repositories
+- `gpg2 --edit-card; fetch`
-* gpg2: ultimately trust my own key
+- clone password-manager and infra repositories
 - gpg2: ultimately trust my own key
 ## Swapping out a disk
--- a/_archive/environments/dev/cross.nix
+++ b/_archive/environments/dev/cross.nix
@ -1,90 +0,0 @@
 import /home/steveej/src/github/NixOS/nixpkgs/default.nix {
  crossSystem = rec {
    config = "armv7l-unknown-linux-gnueabi";
    bigEndian = false;
    arch = "arm";
    float = "hard";
    fpu = "vfpv3-d16";
    withTLS = true;
    libc = "glibc";
    platform = {
      name = "armv7l-hf-multiplatform";
      gcc = {
        arch = "armv7-a";
        fpu = "neon";
        float = "hard";
      };
      kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
      kernelHeadersBaseConfig = "multi_v7_defconfig";
      kernelBaseConfig = "multi_v7_defconfig";
      kernelArch = "arm";
      kernelDTB = true;
      kernelAutoModules = false;
      kernelExtraConfig = ''
        NAMESPACES y
          BTRFS_FS y
          BTRFS_FS_POSIX_ACL y
          OVERLAY_FS y
          FUSE_FS y
      '';
      kernelTarget = "zImage";
      uboot = null;
    };
    openssl.system = "linux-generic32";
    gcc = {
      arch = "armv7-a";
      fpu = "neon";
      float = "hard";
    };
  };
 }
 #  pkgs.config = {
 #    packageOverrides = super: let self = super.pkgs; in {
 #      linux_4_0 = super.linux_3_18.override {
 #        kernelPatches = super.linux_3_18.kernelPatches ++ [
 #          # we'll also add one of our own patches
 #          { patch = ./dts.patch; name = "dts-fix"; }
 #        ];
 #
 #        # add "CONFIG_PPP_FILTER y" option to the set of kernel options
 #        extraConfig = ''
 #           HAVE_IMX_ANATOP y
 #           HAVE_IMX_GPC y
 #           HAVE_IMX_MMDC y
 #           HAVE_IMX_SRC y
 #           SOC_IMX6 y
 #           SOC_IMX6Q y
 #           SOC_IMX6SL y
 #           PCI_IMX6 y
 #           ARM_IMX6Q_CPUFREQ y
 #           IMX_WEIM y
 #           AHCI_IMX y
 #           SERIAL_IMX y
 #           SERIAL_IMX_CONSOLE y
 #           I2C_IMX y
 #           SPI_IMX y
 #           PINCTRL_IMX y
 #           PINCTRL_IMX6Q y
 #           PINCTRL_IMX6SL y
 #           POWER_RESET_IMX y
 #           IMX_THERMAL y
 #           IMX2_WDT y
 #           IMX_IPUV3_CORE y
 #           DRM_IMX y
 #           DRM_IMX_FB_HELPER y
 #           DRM_IMX_PARALLEL_DISPLAY y
 #           DRM_IMX_TVE y
 #           DRM_IMX_LDB y
 #           DRM_IMX_IPUV3 y
 #           DRM_IMX_HDMI y
 #           MMC_SDHCI_ESDHC_IMX y
 #           IMX_SDMA y
 #           PWM_IMX y
 #           DEBUG_IMX6Q_UART y
 #
 #           PPP_FILTER y
 #        '';
 #      };
 #    };
 #  };
--- a/_archive/environments/dev/go/default.nix
+++ b/_archive/environments/dev/go/default.nix
@ -1,89 +0,0 @@
 {
  gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
  pkgs ? gitpkgs,
  name ? "generic",
  version,
  extraBuildInputs ? [],
  extraShellHook ? "",
 }: let
  go = builtins.getAttr "go_${version}" pkgs;
  commonVimRC = ''
    let g:tagbar_type_go = {
      \ 'ctagstype' : 'go',
      \ 'kinds'     : [
          \ 'p:package',
          \ 'i:imports:1',
          \ 'c:constants',
          \ 'v:variables',
          \ 't:types',
          \ 'n:interfaces',
          \ 'w:fields',
          \ 'e:embedded',
          \ 'm:methods',
          \ 'r:constructor',
          \ 'f:functions'
      \ ],
      \ 'sro' : '.',
      \ 'kind2scope' : {
          \ 't' : 'ctype',
          \ 'n' : 'ntype'
      \ },
      \ 'scope2kind' : {
          \ 'ctype' : 't',
          \ 'ntype' : 'n'
      \ },
      \ 'ctagsbin'  : 'gotags',
      \ 'ctagsargs' : '-sort -silent'
      \ }
    " vim-go {
    let g:go_highlight_functions = 1
    let g:go_highlight_methods = 1
    let g:go_highlight_structs = 1
    let g:go_highlight_interfaces = 1
    let g:go_highlight_operators = 1
    let g:go_highlight_build_constraints = 1
    let g:go_fmt_command = 'gofmt'
    let g:go_fmt_options= '-s'
    let g:go_def_mode = 'godef'
    let g:go_def_reuse_buffer = 0
    au FileType go nmap <Leader>gds <Plug>(go-def-split)
    au FileType go nmap <Leader>gdv <Plug>(go-def-vertical)
    au FileType go nmap <Leader>gdt <Plug>(go-def-tab)
    au FileType go nmap <Leader>gi <Plug>(go-imports)
    " }
  '';
  buildInputs = with pkgs; [
    glibc.out
    glibc.static
    go
    gotools
    #gotools.bin
    #gocode.bin
    #godef godef.bin
    godep
    #godep.bin
    gox.bin
    #ginkgo ginkgo.bin
    #gomega
    #      ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
    #      ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
  ];
 in
  pkgs.stdenv.mkDerivation {
    inherit name;
    buildInputs = extraBuildInputs ++ buildInputs;
    shellHook = ''
      goname=${go.version}_$name
      # FIXME: setPS1 $goname
      export GOROOT=${go}/share/go
      export GOPATH="$HOME/.gopath_$goname"
      export PATH="$HOME/.gopath_$goname/bin:$PATH"
      unset name
      unset SSL_CERT_FILE
      ${extraShellHook}
    '';
  }
--- a/_archive/environments/dev/go/neovim-go.nix
+++ b/_archive/environments/dev/go/neovim-go.nix
@ -1,12 +0,0 @@
 {commonRC, ...} @ args: (import ../../pkg-configuration/vim-derivates/neovim.nix args
  // {
    additionalRC =
      commonRC
      + ''
        " deoplete {
        let g:deoplete#enable_at_startup = 1
        let g:deoplete#enable_smart_case = 1
        " }
      '';
    additionalPlugins = ["deoplete-go" "deoplete-nvim" "vim-go"];
  })
--- a/_archive/environments/dev/pandoc.nix
+++ b/_archive/environments/dev/pandoc.nix
@ -1,31 +0,0 @@
 {
  gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
  pkgs ? gitpkgs,
  name ? "generic",
  version ? "Stable",
  extraBuildInputs ? [],
 }: let
  commonVimRC = "";
 in
  pkgs.stdenv.mkDerivation {
    inherit name;
    buildInputs = with pkgs;
      [
        (import ./vim-pandoc.nix {
          pkgs = gitpkgs;
          commonRC = commonVimRC;
        })
        pandoc
        texlive.combined.scheme-medium
        python27Packages.pandocfilters
        python27Packages.htmltreediff
        python27Packages.html5lib
        python27Packages.dbus-python
      ]
      ++ extraBuildInputs;
    shellHook = ''
      pandocname=pandoc_${pkgs.pandoc.version}
      setPS1 $pandocname
      unset name
    '';
  }
--- a/_archive/environments/dev/rkt.nix
+++ b/_archive/environments/dev/rkt.nix
@ -1,71 +0,0 @@
 {
  pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
  mkGoEnv ? import ./go.nix,
  rktPath,
 }: let
  rktBasebuildInputs = with pkgs; [
    glibc.out
    glibc.static
    autoreconfHook
    gnupg1
    squashfsTools
    cpio
    tree
    intltool
    libtool
    pkgconfig
    libgcrypt
    gperf
    libcap
    libseccomp
    libzip
    eject
    iptables
    bc
    acl
    trousers
    systemd
  ];
  extraShellHook = ''
    TARGET=$GOPATH/src/github.com/coreos/rkt
    if [[ -e ${rktPath}/rkt/rkt.go ]]; then
      pushd ${rktPath}
    else
      echo rktPath must be run the rkt repository clone, but got '${rktPath}'
      exit 1
    fi
    if ! [[ -e $TARGET/rkt/rkt.go ]]; then
      mkdir -p $TARGET
      echo $PWD
      sudo -E mount -o bind $PWD $TARGET
    fi
    pushd $TARGET
  '';
 in {
  go15 = mkGoEnv {
    inherit pkgs;
    name = "rktGo15";
    version = "1_5";
    extraBuildInputs = rktBasebuildInputs;
    inherit extraShellHook;
  };
  go16 = mkGoEnv {
    inherit pkgs;
    name = "rktGo16";
    version = "1_6";
    extraBuildInputs = rktBasebuildInputs;
    inherit extraShellHook;
  };
  go17 = mkGoEnv {
    inherit pkgs;
    name = "rktGo17";
    version = "1_7";
    extraBuildInputs = rktBasebuildInputs;
    inherit extraShellHook;
  };
 }
--- a/_archive/environments/dev/rust/.envrc
+++ b/_archive/environments/dev/rust/.envrc
@ -1 +0,0 @@
 eval "$(lorri direnv)"
--- a/_archive/environments/dev/rust/default.nix
+++ b/_archive/environments/dev/rust/default.nix
@ -1,39 +0,0 @@
 {
  gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
  pkgs ? gitpkgs,
  name ? "generic",
  version ? "Stable",
  extraBuildInputs ? [],
 }: let
  rustPackages = builtins.getAttr "rust${version}" pkgs;
  rustc = rustPackages.rustc;
  rustShellHook = {
    rustc,
    name,
  }: ''
    rustname=rust_${rustc.version}_${name}
    setPS1 $rustname
    unset name
  '';
  commonVimRC = "";
 in
  pkgs.stdenv.mkDerivation {
    inherit name;
    buildInputs = with rustPackages;
      [
        (import ./vim-rust.nix {
          pkgs = gitpkgs;
          commonRC = commonVimRC;
          inherit rustc;
          racerd = pkgs.rustracerd;
        })
        rustc
        cargo
      ]
      ++ [pkgs.rustfmt]
      ++ extraBuildInputs;
    shellHook = rustShellHook {
      inherit name;
      inherit rustc;
    };
  }
--- a/_archive/environments/dev/vim-go.nix
+++ b/_archive/environments/dev/vim-go.nix
@ -1,19 +0,0 @@
 {commonRC, ...} @ args:
 import ../../pkg-configuration/vim-derivates/vim.nix (args
  // {
    name = "vim-for-go";
    additionalRC =
      commonRC
      + ''
         " Disable AutoComplPop.
         let g:acp_enableAtStartup = 0
         " Use neocomplete.
         let g:neocomplete#enable_at_startup = 1
         " Use smartcase.
         let g:neocomplete#enable_smart_case = 1
            if !exists('g:neocomplete#sources#omni#input_patterns')
        let g:neocomplete#sources#omni#input_patterns = {}
         endif
      '';
    additionalPlugins = ["neocomplete" "vim-go"];
  })
--- a/_archive/environments/dev/vim-pandoc.nix
+++ b/_archive/environments/dev/vim-pandoc.nix
@ -1,18 +0,0 @@
 {commonRC, ...} @ args:
 import ../../pkg-configuration/vim-derivates/vim.nix (args
  // {
    name = "vim-for-pandoc";
    additionalRC =
      commonRC
      + ''
        set statusline+=%#warningmsg#
        set statusline+=%{SyntasticStatuslineFlag()}
        set statusline+=%*
        let g:syntastic_always_populate_loc_list = 1
        let g:syntastic_auto_loc_list = 1
        let g:syntastic_check_on_open = 1
        let g:syntastic_check_on_wq = 0
      '';
    additionalPlugins = ["vim-pandoc" "vim-pandoc-syntax" "vimpreviewpandoc"];
  })
--- a/_archive/environments/dev/vim-rust.nix
+++ b/_archive/environments/dev/vim-rust.nix
@ -1,48 +0,0 @@
 {
  commonRC,
  rustc,
  racerd,
  ...
 } @ args:
 import ../../pkg-configuration/vim-derivates/vim.nix (args
  // {
    name = "vim-for-rust";
    additionalRC =
      commonRC
      + ''
        set statusline+=%#warningmsg#
        set statusline+=%{SyntasticStatuslineFlag()}
        set statusline+=%*
        let g:syntastic_always_populate_loc_list = 1
        let g:syntastic_auto_loc_list = 1
        let g:syntastic_check_on_open = 1
        let g:syntastic_check_on_wq = 0
        " tagbar
        let g:tagbar_type_rust = {
            \ 'ctagstype' : 'rust',
            \ 'kinds' : [
                \'T:types,type definitions',
                \'f:functions,function definitions',
                \'g:enum,enumeration names',
                \'s:structure names',
                \'m:modules,module names',
                \'c:consts,static constants',
                \'t:traits,traits',
                \'i:impls,trait implementations',
            \]
        \}
        let g:syntastic_rust_checkers = ["rustc"]
        "rustfmt
        let g:rustfmt_autosave = 1
        let g:ycm_auto_trigger = 1
        let g:ycm_rust_src_path = '${rustc.src}/src'
        let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd'
      '';
    additionalPlugins = ["rust-vim"];
  })
--- a/_archive/environments/fhs/android.nix
+++ b/_archive/environments/fhs/android.nix
@ -1,42 +0,0 @@
 {pkgs ? import <nixpkgs> {}}:
 (pkgs.buildFHSUserEnv {
  name = "devfhs";
  multiPkgs = pkgs: (with pkgs; [
    android-udev-rules
    sudo
    gawk
    bzip2
    file
    gcc
    getopt
    git
    gnumake
    ncurses
    openssl
    patch
    perl
    pkgconfig
    python
    openssh
    subversion
    unzip
    wget
    which
    vim
    zlib
    libusb
    libusb1
    systemd
    strace
    swt
    xorg.libXtst
    glib
    gtk2
    gnome.gtk
  ]);
  profile = ''
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
  '';
  runScript = "bash";
 })
 .env
--- a/_archive/environments/fhs/vscode.nix
+++ b/_archive/environments/fhs/vscode.nix
@ -1,36 +0,0 @@
 {pkgs ? import <nixpkgs> {}}:
 (pkgs.buildFHSUserEnv {
  name = "everydayFHS";
  targetPkgs = pkgs: (with pkgs; [
    which
    gitFull
    zsh
    file
    direnv
    xdg_utils
    xsel
    vscode
    # vscode live share
    gnome3.gcr
    libgnome_keyring3
    liburcu
    libunwind
    lttng-ust
    curl
    openssl
    libkrb5
    libuuid
    icu
    zlib
    libsecret
  ]);
  multiPkgs = pkgs: (with pkgs; []);
  profile = ''
    export SHELL=/bin/zsh
  '';
  # FIXME runScript = "$SHELL";
 })
 .env
--- a/default.nix
+++ b/default.nix
@ -4,6 +4,9 @@
 # Having pkgs default to <nixpkgs> is fine though, and it lets you use short
 # commands such as:
 #     nix-build -A mypackage
-{pkgs ? import <nixpkgs> {}}: {
+{
-  pkgs = import ./nix/pkgs {inherit pkgs;};
+  pkgs ? import <nixpkgs> { },
 }:
 {
  pkgs = import ./nix/pkgs { inherit pkgs; };
 }
--- a/flake-sandbox/flake.lock
+++ b/flake-sandbox/flake.lock
@ -1,27 +0,0 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1681091990,
        "narHash": "sha256-ifIzhksUBZKp5WgCuoVhDY32qaEplXp7khzrB6zkaFc=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "ea96b4af6148114421fda90df33cf236ff5ecf1d",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake-sandbox/flake.nix
+++ b/flake-sandbox/flake.nix
@ -1,142 +0,0 @@
 {
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
  };
  outputs = {
    self,
    nixpkgs,
  }: let
    system = "x86_64-linux";
    pkgs = import nixpkgs {inherit system;};
  in {
    devShells."${system}".default = pkgs.mkShell {
      packages = with pkgs;
      with pkgs.gnome; [
        hexchat
        audacity
        proot
        yubikey-manager-qt
        cheese
        remmina
        exiv2
        wireshark-qt
        seahorse
        kotatogram-desktop
        usbutils
        networkmanagerapplet
        sshfs-fuse
        pavucontrol
        libwebcam
        just
        eog
        git-crypt
        espanso
        unetbootin
        vcsh
        skypeforlinux
        du-dust
        bind
        teamviewer
        gparted
        neovim
        inkscape
        rustdesk
        gnome-themes-extra
        pass
        xdg-user-dirs
        cbatticon
        yubikey-personalization-gui
        zoom
        signal-desktop
        xorg.xbacklight
        vscode
        ripgrep
        lightdm
        nixpkgs-fmt
        git-lfs
        qtpass
        gimp
        lxappearance
        flameshot
        thunderbird
        fprintd
        chromium
        evtest
        alejandra
        vlc
        pastebinit
        evolution
        zbar
        libreoffice
        brave
        pidgin
        direnv
        xorg.xhost
        lorri
        firefox
        logseq
        x11_ssh_askpass
        xsel
        feh
        htop
        openvpn
        syncthing
        ncdu
        rofi-pass
        testdisk
        vanilla-dmz
        wireguard-tools
        xarchive
        gnome-icon-theme
        wget
        nix-index
        mr
        passff-host
        browserpass
        xorg.xcursorthemes
        gitRepo
        gitSVN
        androidenv.androidPkgs_9_0.platform-tools
        # introduces python
        (qtile.passthru.unwrapped.overrideAttrs (oldAttrs: {
          propagatedBuildInputs =
            []
            # ++ oldAttrs.passthru.unwrapped.propagatedBuildInputs
            # ++ (with pkgs.python3Packages; [
            #   # python-wifi
            #   # iwlib
            #   keyring
            # ])
            ;
          makeWrapperArgs =
            oldAttrs.makeWrapperArgs
            ++ [
              "--prefix PATH : ${pkgs.lib.makeBinPath oldAttrs.propagatedBuildInputs}"
            ];
        }))
        # gi-docgen
        # yelp-tools
        # scons
        # autorandr
        # arandr
        # meson
        # mercurial
        # unrar-wrapper
        # orca
        # radicale
        # criu
        # gnome-music
        # gnome-browser-connector
        # radicale
        # hplip
        # qtile
        # gtk-doc
        # asciidoc
        # meson
      ];
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -1,24 +1,36 @@
 # flake.nix
 {
  inputs = {
    # TODO: where has this been used?
    # dotfiles = {
    #   url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git";
    #   flake = false;
    # };
    # flake and infra basics
    nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
-    nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05";
+    radicalePkgs.follows = "nixpkgs-2211";
-    nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.05";
+    nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
+    nixpkgs.follows = "nixpkgs-2411";
    nixpkgs.follows = "nixpkgs-2311";
    flake-parts.url = "github:hercules-ci/flake-parts";
    get-flake.url = "github:ursi/get-flake";
    srvos.url = "github:numtide/srvos";
    srvos.inputs.nixpkgs.follows = "nixpkgs";
-    nixos-anywhere.url = github:numtide/nixos-anywhere/main;
+    nixos-anywhere.url = "github:numtide/nixos-anywhere/main";
    nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs";
    disko.follows = "nixos-anywhere/disko";
    nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
    nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
    nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable";
    # needs to be in sync with `vscodium --version` from `nixpkgs-vscodium`
    openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1";
    openvscode-server.flake = false;
    colmena = {
      url = "github:zhaofengli/colmena";
      inputs.nixpkgs.follows = "nixpkgs";
@ -29,14 +41,13 @@
      url = "github:nix-community/fenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    crane = {
+    crane.url = "github:ipetkov/crane";
-      url = "github:ipetkov/crane";
+
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    # applications
    aphorme_launcher = {
      url = "github:Iaphetes/aphorme_launcher/main";
@ -59,27 +70,56 @@
      flake = false;
    };
    magmawm = {
      url = "github:MagmaWM/MagmaWM";
      flake = false;
    };
    salut = {
      url = "gitlab:snakedye/salut";
      flake = false;
    };
    prs = {
-      url = "gitlab:timvisee/prs/master";
+      # url = "gitlab:timvisee/prs/v0.5.2";
      url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973";
      flake = false;
    };
    rperf = {
      url = "github:steveej-forks/rperf";
      flake = false;
    };
    # nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage";
    espanso = {
      flake = false;
      url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b";
    };
    nix4vscode = {
      url = "github:nix-community/nix4vscode";
      # inputs.nixpkgs.follows = "nixpkgs";
    };
    nixvim = {
      # TODO: pin to nixos-24.11 once available
      url = "github:nix-community/nixvim";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    treefmt-nix = {
      url = "github:numtide/treefmt-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixago = {
      url = "github:jmgilman/nixago";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nur = {
      url = "github:nix-community/NUR";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson";
  };
  outputs =
-    inputs @ { self
+    inputs@{
-    , flake-parts
+      self,
-    , nixpkgs
+      flake-parts,
-    , ...
+      nixpkgs,
      ...
    }:
    let
      inherit (nixpkgs) lib;
@ -89,163 +129,176 @@
        "aarch64-linux"
      ];
    in
-    flake-parts.lib.mkFlake { inherit inputs; }
+    flake-parts.lib.mkFlake { inherit inputs; } (
-      ({ withSystem, ... }: {
+      { withSystem, ... }:
      {
        flake.colmena =
          lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
-            {
+            { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; }
              meta.nixpkgs = import inputs.nixpkgs.outPath {
                system = builtins.elemAt systems 0;
              };
            }
            # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
            # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
-            (builtins.map
+            (
-              (nodeName:
+              builtins.map
-                import ./nix/os/devices/${nodeName} {
+                (
-                  inherit nodeName;
+                  nodeName:
-                  repoFlake = self;
+                  import ./nix/os/devices/${nodeName} {
-                  repoFlakeWithSystem = withSystem;
+                    inherit nodeName;
-                  nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
+                    repoFlake = self;
-                }) [
+                    repoFlakeWithSystem = withSystem;
-              "steveej-t14"
+                    nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}");
-              # "elias-e525"
+                  }
-              # "justyna-p300"
+                )
                [
                  "steveej-t14"
                  "steveej-x13s"
                  "steveej-x13s-rmvbl"
                  # "elias-e525"
                  # "justyna-p300"
-              # "srv0-dmz0"
+                  # "srv0-dmz0"
-              # # "router0-dmz0"
+                  # "router0-dmz0"
                  "router0-ifog"
                  "router0-hosthatch"
-              # "sj-vps-htz0"
+                  "sj-srv1"
-              "sj-bm-hostkey0"
+                ]
            );
-              # "retro"
+        flake.lib = {
-            ]);
+          inherit withSystem;
        };
        # this makes nixos-anywhere work
        flake.nixosConfigurations =
-          (inputs.colmena.lib.makeHive self.outputs.colmena).nodes
+          let
-          // (
+            colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
-            let
+            router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations;
-              router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
+          in
-              steveej-x13s = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations;
+          colmenaHive
-              retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations;
+          // {
-            in
+            router0-dmz0 = router0-dmz0.native;
            {
              router0-dmz0 = router0-dmz0.native;
-              # for now deploy directly with:
+            # for now deploy directly with:
-              # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
+            # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
-              router0-dmz0_cross = router0-dmz0.cross;
+            router0-dmz0_cross = router0-dmz0.cross;
-              # nixos-install --flake .\#retro_cross
+            steveej-x13s_cross =
-              retro_cross = retro.cross;
+              (inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross;
-
+            steveej-x13s-rmvbl_cross =
-              steveej-x13s_cross = steveej-x13s.cross;
+              (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
-            }
+          };
          );
        inherit systems;
        perSystem =
-          { inputs'
+          {
-          , system
+            self',
-          , config
+            inputs',
-          , lib
+            system,
-          , pkgs
+            config,
-          , ...
+            lib,
-          }: rec {
+            pkgs,
-            imports = [
+            ...
-              ./nix/modules/flake-parts/perSystem/default.nix
+          }:
-            ];
+          {
            imports = [ ./nix/modules/flake-parts/perSystem/default.nix ];
            packages =
              let
                dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { };
-                craneLib =
+                craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain;
                  inputs.crane.lib.${system}.overrideToolchain
                    inputs'.fenix.packages.stable.toolchain;
-                craneLibOfiPass =
+                craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain;
-                  inputs.crane.lib.${system}.overrideToolchain
+
-                    (
+                _prsPackage =
-                      inputs'.fenix.packages.stable.toolchain
+                  {
-                      # .override {
+                    lib,
-                      #   date = "1.60.0";
+                    rustPlatform,
-                      # }
+                    installShellFiles,
-                    );
+                    pkg-config,
                    python3,
                    glib,
                    gpgme,
                    gtk3,
                    stdenv,
                    cargoHash ? "sha256-T57RqIzurpYLHyeFhvqxmC+DoB6zUf+iTu1YkMmwtp8=",
                    src,
                    version,
                    makeWrapper,
                    skim,
                  }:
                  rustPlatform.buildRustPackage rec {
                    pname = "prs";
                    inherit src version cargoHash;
                    nativeBuildInputs = [
                      gpgme
                      installShellFiles
                      pkg-config
                      python3
                      makeWrapper
                    ];
                    cargoBuildFlags = [
                      "--no-default-features"
                      "--features=alias,backend-gpgme,clipboard,notify,select-fzf-bin,select-skim-bin,tomb,totp"
                    ];
                    buildInputs = [
                      glib
                      gpgme
                      gtk3
                    ];
                    postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
                      for shell in bash fish zsh; do
                        installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
                      done
                    '';
                    postFixup = ''
                      wrapProgram $out/bin/prs \
                        --prefix PATH : ${lib.makeBinPath [ skim ]}
                    '';
                    meta = with lib; {
                      description = "Secure, fast & convenient password manager CLI using GPG and git to sync";
                      homepage = "https://gitlab.com/timvisee/prs";
                      changelog = "https://gitlab.com/timvisee/prs/-/blob/v${version}/CHANGELOG.md";
                      license = with licenses; [
                        lgpl3Only # lib
                        gpl3Only # everything else
                      ];
                      maintainers = with maintainers; [ dotlambda ];
                      mainProgram = "prs";
                    };
                  };
                local-xwayland = pkgs.writeShellScriptBin "local-xwayland" ''
                  set -x
                  ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
                    --wayland-display=wayland-3 \
                    --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
                    --x-display=0 \
                    # --x-unscale=3 \
                    --verbose
                '';
              in
              {
                dcpj4110dwDriver = dcpj4110dw.driver;
                dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
                # broken as of 2023-04-27 because it doesn't load without a config
                # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;};
                # yofi = inputs'.yofi.packages.default;
                # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;};
                inherit (inputs'.colmena.packages) colmena;
-                # jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) {
+                prs = pkgs.callPackage _prsPackage {
-                #   src = inputs.jay;
+                  src = inputs.prs;
-                #   rustPlatform = pkgs.makeRustPlatform {
+                  version = inputs.prs.shortRev;
-                #     cargo = inputs'.fenix.packages.stable.toolchain;
+                  cargoHash = "sha256-oXuAKOHIfwUvcS0qXDTe68DN+MUNS4TAKV986vxdeh8=";
                #     rustc = inputs'.fenix.packages.stable.toolchain;
                #   };
                # };
                # magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) {
                #   inherit craneLib;
                #   src = inputs.magmawm;
                # };
                salut = craneLib.buildPackage {
                  src = inputs.salut;
                  nativeBuildInputs = [
                    pkgs.pkg-config
                  ];
                  buildInputs = [
                    pkgs.libxkbcommon
                    pkgs.fontconfig
                  ];
                };
                prs = pkgs.callPackage
                  ({ pkgs
                   , dbus
                   , glib
                   , gpgme
                   , gtk3
                   , libxcb
                   , libxkbcommon
                   , installShellFiles
                   , pkg-config
                   , python3
                   }: craneLib.buildPackage {
                    pname = "prs";
                    version = inputs.prs.shortRev;
                    src = inputs.prs;
                    nativeBuildInputs = [ gpgme installShellFiles pkg-config python3 ];
                    buildInputs = [
                      dbus
                      glib
                      gpgme
                      gtk3
                      libxcb
                      libxkbcommon
                    ];
                    cargoExtraArgs = "--features backend-gpgme";
                    postInstall = ''
                      for shell in bash fish zsh; do
                        installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
                      done
                    '';
                  })
                  { };
                nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
                ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" ''
@ -274,13 +327,102 @@
                syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" ''
                  ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
                '';
                rperf = craneLib.buildPackage {
                  src = inputs.rperf;
                  nativeBuildInputs = [ pkgs.pkg-config ];
                  buildInputs = [ ];
                };
                inherit local-xwayland;
                inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp;
              };
-            formatter = pkgs.alejandra;
+            formatter =
-            devShells.default = import ./nix/devShells.nix {
+              let
-              inherit inputs' pkgs;
+                settingsNix = {
-              packages' = packages;
+                  projectRootFile = ".git/config";
-            };
+
                  package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2;
                  programs = {
                    nixfmt.enable = true;
                    deadnix.enable = true;
                    statix.enable = true;
                    shfmt.enable = true;
                    shellcheck.enable = true;
                    prettier.enable = true;
                    just = {
                      enable = true;
                      includes = [
                        "*/Justfile"
                        "Justfile"
                      ];
                    };
                  } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; };
                  settings = {
                    global.excludes = [
                      "LICENSE"
                      "secrets/"
                      ".git-crypt/"
                      # unsupported extensions
                      "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}"
                    ];
                    formatter = {
                      deadnix = {
                        priority = 1;
                        options = [ "--no-underscore" ];
                      };
                      nixfmt = {
                        priority = 2;
                      };
                      statix = {
                        priority = 3;
                      };
                      prettier = {
                        options = [
                          "--tab-width"
                          "2"
                        ];
                        includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ];
                      };
                    };
                  };
                };
                eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix;
              in
              eval.config.build.wrapper.overrideAttrs (_: {
                passthru = {
                  inherit (eval.config) package settings;
                };
              });
            devShells =
              let
                all = import ./nix/devShells.nix {
                  inherit
                    self
                    self'
                    inputs'
                    pkgs
                    ;
                };
              in
              all
              // {
                default = all.develop;
              };
          };
-      });
+      }
    );
 }
--- a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
+++ b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
--- a/nix/container-images/build.sh
+++ b/nix/container-images/build.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 set -xe
-[ ! -z "$NAME" ]
+[ -n "$NAME" ]
 nix-build . --show-trace -A "$NAME"
 docker image rm "$NAME":latest --force
--- a/nix/container-images/default.nix
+++ b/nix/container-images/default.nix
@ -1,6 +1,10 @@
-{pkgs ? import <nixpkgs> {}}: let
+{
-  baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
+  pkgs ? import <nixpkgs> { },
-in rec {
+}:
 let
  baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
 in
 rec {
  base = pkgs.dockerTools.buildImage rec {
    name = "base";
@ -21,59 +25,70 @@ in rec {
  interactive_base = pkgs.dockerTools.buildImage {
    name = "interactive_base";
    fromImage = base;
-    contents = with pkgs; [procps zsh coreutils neovim];
+    contents = with pkgs; [
      procps
      zsh
      coreutils
      neovim
    ];
-    config = {Cmd = ["/bin/zsh"];};
+    config = {
      Cmd = [ "/bin/zsh" ];
    };
  };
-  s3ql = let
+  s3ql =
-    entrypoint = pkgs.writeScript "entrypoint" ''
+    let
-      #!${pkgs.stdenv.shell}
+      entrypoint = pkgs.writeScript "entrypoint" ''
        #!${pkgs.stdenv.shell}
-      if [ -z "$S3QL_BUCKET" ]; then
+        if [ -z "$S3QL_BUCKET" ]; then
-        echo S3QL_BUCKET not set
+          echo S3QL_BUCKET not set
-        exit 1
+          exit 1
-      fi
+        fi
-      if [ -z "$S3QL_STORAGE_URL" ]; then
+        if [ -z "$S3QL_STORAGE_URL" ]; then
-        echo S3QL_STORAGE_URL not set
+          echo S3QL_STORAGE_URL not set
-        exit 1
+          exit 1
-      fi
+        fi
-      if [ -z "$S3QL_CACHESIZE" ]; then
+        if [ -z "$S3QL_CACHESIZE" ]; then
-        echo S3QL_CACHESIZE not set
+          echo S3QL_CACHESIZE not set
-        exit 1
+          exit 1
-      fi
+        fi
-      set -x
+        set -x
-      if [ "$S3QL_SKIP_FSCK" != "1" ]; then
+        if [ "$S3QL_SKIP_FSCK" != "1" ]; then
-        fsck.s3ql \
+          fsck.s3ql \
-          --authfile $S3QL_AUTHINFO2 \
+            --authfile $S3QL_AUTHINFO2 \
            --log none \
            --cachedir $S3QL_CACHE_DIR \
            $S3QL_STORAGE_URL
        fi
        exec mount.s3ql \
          --cachedir "$S3QL_CACHE_DIR" \
          --authfile "$S3QL_AUTHINFO2" \
          --cachesize "$S3QL_CACHESIZE" \
          --fg \
          --compress lzma-6 \
          --threads 4 \
          --log none \
-          --cachedir $S3QL_CACHE_DIR \
+          --allow-root \
-          $S3QL_STORAGE_URL
+          "$S3QL_STORAGE_URL" \
-      fi
+          /bucket
-      exec mount.s3ql \
+        # FIXME: touch .isbucket after mount
-        --cachedir "$S3QL_CACHE_DIR" \
+      '';
-        --authfile "$S3QL_AUTHINFO2" \
+    in
        --cachesize "$S3QL_CACHESIZE" \
        --fg \
        --compress lzma-6 \
        --threads 4 \
        --log none \
        --allow-root \
        "$S3QL_STORAGE_URL" \
        /bucket
      # FIXME: touch .isbucket after mount
    '';
  in
    pkgs.dockerTools.buildImage {
      name = "s3ql";
      fromImage = interactive_base;
-      contents = [pkgs.s3ql pkgs.fuse];
+      contents = [
        pkgs.s3ql
        pkgs.fuse
      ];
      runAsRoot = ''
        #!${pkgs.stdenv.shell}
@ -84,57 +99,58 @@ in rec {
      '';
      config = {
-        Env =
+        Env = baseEnv ++ [
-          baseEnv
+          "HOME=/home/s3ql"
-          ++ [
+          "S3QL_CACHE_DIR=/var/cache/s3ql"
-            "HOME=/home/s3ql"
+          "S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
-            "S3QL_CACHE_DIR=/var/cache/s3ql"
+          "CONTAINER_ENTRYPOINT=${entrypoint}"
-            "S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
+        ];
-            "CONTAINER_ENTRYPOINT=${entrypoint}"
+        Cmd = [ entrypoint ];
          ];
        Cmd = [entrypoint];
        Volumes = {
-          "/var/cache/s3ql" = {};
+          "/var/cache/s3ql" = { };
-          "/etc/s3ql/authinfo2" = {};
+          "/etc/s3ql/authinfo2" = { };
-          "/buckets" = {};
+          "/buckets" = { };
-          "/tmp" = {};
+          "/tmp" = { };
        };
      };
    };
-  syncthing = let
+  syncthing =
-    entrypoint = pkgs.writeScript "entrypoint" ''
+    let
-      #!${pkgs.stdenv.shell}
+      entrypoint = pkgs.writeScript "entrypoint" ''
-      set -x
+        #!${pkgs.stdenv.shell}
-      if [ ! -e /data/.isbucket ]; then
+        set -x
-        echo ERROR: Bucket not mounted at /data
+        if [ ! -e /data/.isbucket ]; then
-        exit 1
+          echo ERROR: Bucket not mounted at /data
-      fi
+          exit 1
        fi
-      if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then
+        if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then
-        echo ERROR: SYNCTHING_GUI_ADDRESS is not set
+          echo ERROR: SYNCTHING_GUI_ADDRESS is not set
-        exit 1
+          exit 1
-      fi
+        fi
-      if [ ! -w "$SYNCTHING_HOME" ]; then
+        if [ ! -w "$SYNCTHING_HOME" ]; then
-        echo ERROR : SYNCTHING_HOME is not writable
+          echo ERROR : SYNCTHING_HOME is not writable
-      fi
+        fi
-      exec syncthing \
+        exec syncthing \
-        -home $SYNCTHING_HOME \
+          -home $SYNCTHING_HOME \
-        -gui-address=$SYNCTHING_GUI_ADDRESS \
+          -gui-address=$SYNCTHING_GUI_ADDRESS \
-        -no-browser
+          -no-browser
-    '';
+      '';
-  in
+    in
    pkgs.dockerTools.buildImage {
      name = "syncthing";
      fromImage = interactive_base;
      contents = pkgs.syncthing;
      config = {
-        Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"];
+        Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ];
-        Cmd = [entrypoint];
+        Cmd = [ entrypoint ];
-        Volumes = {"/data" = {};};
+        Volumes = {
          "/data" = { };
        };
      };
    };
 }
--- a/nix/default.nix
+++ b/nix/default.nix
@ -1,26 +1,34 @@
-{versionsPath}: let
+{ versionsPath }:
 let
  channelVersions = import versionsPath;
-  mkChannelSource = name: let
+  mkChannelSource =
-    channelVersion = builtins.getAttr name channelVersions;
+    name:
-  in
+    let
      channelVersion = builtins.getAttr name channelVersions;
    in
    builtins.fetchGit {
      # Descriptive name to make the store path easier to identify
      inherit name;
      inherit (channelVersion) url ref rev;
    };
-  nixPath = builtins.concatStringsSep ":" (builtins.map
+  nixPath = builtins.concatStringsSep ":" (
-    (elemName: let
+    builtins.map (
-      elem = builtins.getAttr elemName channelVersions;
+      elemName:
-      elemPath = mkChannelSource elemName;
+      let
-      suffix =
+        elem = builtins.getAttr elemName channelVersions;
-        if builtins.hasAttr "suffix" elem
+        elemPath = mkChannelSource elemName;
-        then elem.suffix
+        suffix = if builtins.hasAttr "suffix" elem then elem.suffix else "";
-        else "";
+      in
-    in
+      builtins.concatStringsSep "=" [
-      builtins.concatStringsSep "=" [elemName elemPath] + suffix)
+        elemName
-    (builtins.attrNames channelVersions));
+        elemPath
-  pkgs = import (mkChannelSource "nixpkgs") {};
+      ]
-in {
+      + suffix
    ) (builtins.attrNames channelVersions)
  );
  pkgs = import (mkChannelSource "nixpkgs") { };
 in
 {
  inherit nixPath;
  channelSources = pkgs.writeText "channels.rc" ''
    export NIX_PATH=${nixPath}
--- a/nix/devShells.nix
+++ b/nix/devShells.nix
@ -1,72 +1,73 @@
 {
  self,
  self',
  inputs',
  packages',
  pkgs,
 }:
-pkgs.stdenv.mkDerivation {
+{
-  name = "infra-env";
+  install = pkgs.mkShell {
-  buildInputs =
+    name = "infra-install";
-    [
+    packages = with pkgs; [
      (with pkgs.callPackage (pkgs.path + "/nixos") {configuration = {};};
        with config.system.build; [
          nixos-generate-config
          nixos-install
          nixos-enter
          manual.manpages
        ])
    ]
    ++ (with pkgs; [
      inputs'.colmena.packages.colmena
      nixos-install-tools
      inputs'.disko.packages.disko
      just
      git
      git-crypt
      gnupg
    ];
  };
  develop = pkgs.mkShell {
    name = "infra-develop";
    inputsFrom = [ self'.devShells.install ];
    packages = with pkgs; [
      self'.formatter # .package
      inputs'.colmena.packages.colmena
      dconf2nix
      inputs'.nixos-anywhere.packages.nixos-anywhere
      nurl
      just
      git-crypt
      vcsh
      gnupg
      git
      ripgrep
-      lm_sensors
+      # pass
      pass
      fuzzel
      wofi
      age
      age-plugin-yubikey
      ssh-to-age
      yubico-piv-tool
      inputs'.sops-nix.packages.default
      sops
      nil
      nix-index
      apacheHttpd
-      vncdo
+      # vncdo
-      tesseract
+      # tesseract
-      imagemagick
+      # imagemagick
-      nmap
+      # lm_sensors
      sysstat
      lshw
      xxHash
      linssid
      wavemon
      wirelesstools
-      zathura
+      # nmap
-      xorg.xwininfo
+      # sysstat
-      glxinfo
+      # lshw
-      autorandr
+      # xxHash
-      arandr
+      # linssid
-      playerctl
+      # wavemon
-      x11docker
+      # wirelesstools
      fwupd
-      ntfy
+      # zathura
      # xorg.xwininfo
      # glxinfo
      # autorandr
      # arandr
      # playerctl
      # x11docker
      # fwupd
-      hedgedoc-cli
+      # ntfy
      # hedgedoc-cli
      xwayland
      pulsemixer
      (pkgs.writeShellScriptBin "rflk" ''
        exec nix run nixpkgs#$@
@ -76,8 +77,27 @@ pkgs.stdenv.mkDerivation {
        exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@
      '')
-    ]);
+      jq
      yq
      wireguard-tools
-  # Set Environment Variables
+      screen
-  RUST_BACKTRACE = 1;
+
      inputs'.nixpkgs-unstable.legacyPackages.kanidm
    ];
    # Set Environment Variables
    RUST_BACKTRACE = 1;
    KANIDM_URL =
      self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
    shellHook = builtins.concatStringsSep "\n" [
      # (self.inputs.nixago.lib.${pkgs.system}.make {
      #   data = self'.formatter.settings;
      #   output = "treefmt.toml";
      #   format = "toml";
      # }).shellHook
    ];
  };
 }
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@ -1,25 +1,25 @@
 {
  pkgs,
  lib,
  config,
  # these come in via home-manager.extraSpecialArgs and are specific to each node
  nodeFlake,
-  packages',
+  repoFlake,
  # repoFlake,
  # repoFlakeInputs',
  ...
-}: let
+}:
-  # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system};
+let
-  pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small {inherit (pkgs) system config;};
+  pkgsUnstable =
-  pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
+    pkgs.pkgsUnstable
-in {
+      or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; });
 in
 {
  imports = [
    ../profiles/common.nix
-    ../profiles/dotfiles.nix
+    # ../profiles/dotfiles.nix
    # FIXME: fix homeshick when no WAN connection is available
    # ../programs/homeshick.nix
    # ../profiles/gnome-desktop.nix
    ../profiles/sway-desktop.nix
    # ../profiles/experimental-desktop.nix
    ../programs/redshift.nix
@ -35,40 +35,55 @@ in {
    ../programs/libreoffice.nix
    ../programs/neovim.nix
    ../programs/vscode
-
+    { home.packages = [ pkgsUnstable.markdown-oxide ]; }
    # TODO: bump these to 23.05 and make it work
    (args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;}))
    # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;}))
  ];
  home.sessionVariables.HM_CONFIG = "graphical-fullblown";
  home.sessionVariables.GOPATH = "$HOME/src/go";
-  home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
+  home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [
-
+    "$HOME/.local/bin"
-  nixpkgs.config.permittedInsecurePackages = [
+    "$PATH"
    "electron-24.8.6"
    "electron-25.9.0"
  ];
  nixpkgs.config.allowInsecurePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
      "electron-28.3.3"
      "electron-27.3.11"
    ];
  nixpkgs.config.permittedInsecurePackages = [
    "electron-28.3.3"
    "electron-27.3.11"
  ];
  nixpkgs.config.allowUnfree = [
    "electron-28.3.3"
    "electron-27.3.11"
  ];
  # nixpkgs.config.allowUnfreePredicate = pkg:
  #   builtins.elem (lib.getName pkg) [
  #     "smartgithg"
  #     "electron-27.3.11"
  #   ];
  home.packages =
-    []
+    (with pkgs; [
    ++ (with pkgs; [
      # Authentication
-      cacert
+      # cacert
-      fprintd
+      # fprintd
-      openssl
+      # openssl
-      mkpasswd
+      # mkpasswd
      # Nix package related tools
      patchelf
-      nix-index
+      # nix-index
      nix-prefetch-scripts
      # nix-prefetch-github
      nix-tree
      # Version Control Systems
      gitFull
      pijul
      # gitless
      gitRepo
      git-lfs
@ -90,14 +105,13 @@ in {
      # Password Management
      gnupg
-      # yubikey-manager
+      yubikey-manager
      yubikey-manager-qt
      yubikey-personalization
      yubikey-personalization-gui
      # gnome.gnome-keyring
      gcr
-      gnome.seahorse
+      seahorse
      # Language Support
      hunspellDicts.en-us
@ -106,129 +120,58 @@ in {
      # Messaging/Communication
      # pidgin
      # hexchat
-      # schildichat-desktop # insecure as of 2023-12-16
+      pkgsUnstable.element-desktop
      aspellDicts.en
      aspellDicts.de
      # skypeforlinux
      # pkgsUnstable.jitsi-meet-electron
-      thunderbird
+      thunderbird-128
-      evolution # gnome4.glib_networking
+      # betterbird
      # FIXME: depends on insecure openssl 1.1.1t
      # kotatogram-desktop
-      tdesktop
+      pkgsUnstable.tdesktop
-      pkgsUnstableSmall.signal-desktop
+      pkgsUnstable.signal-desktop-source
      #(let
      #  version = "6.20.0-beta.1";
      #in
      #  pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: {
      #    # inherit version;
      #    # src = builtins.fetchurl {
      #    #   url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb";
      #    #   sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a";
      #    # };
      #    preFixup =
      #      old.preFixup
      #      + ''
      #        gappsWrapperArgs+=(
      #          --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
      #          --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
      #        )
      #      '';
      #  }))
      pkgsUnstableSmall.session-desktop
      # --add-flags "--enable-features=UseOzonePlatform"
      # --add-flags "--ozone-platform=wayland"
      # (pkgsUnstableSmall.session-desktop.overrideAttrs (old: {
      #   nativeBuildInputs =
      #     old.nativeBuildInputs
      #     ++ [
      #       pkgs.wrapGAppsHook
      #     ];
      #   preFixup =
      #     (old.preFixup or "")
      #     + ''
      #       gappsWrapperArgs+=(
      #         --add-flags "--enable-features=UseOzonePlatform"
      #         --add-flags "--ozone-platform=wayland"
      #         # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
      #         # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}"
      #         # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
      #       )
      #     '';
      # }))
      #(pkgsUnstableSmall.session-desktop.overrideAttrs(old: {
      #    nativeBuildInputs = old.nativeBuildInputs ++ [
      #      pkgs.wrapGAppsHook
      #    ];
      #
      #    preFixup = (old.preFixup or "") + ''
      #      gappsWrapperArgs+=(
      #        --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}"
      #        --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
      #      )
      #    '';
      #  }))
      thunderbird
      # gnome.cheese
      discord
      # Virtualization
-      # virtmanager
+      virt-manager
      # Remote Control Tools
      remmina
-      freerdp
+      # freerdp
      teamviewer
      pkgsUnstableSmall.rustdesk
      # Audio/Video Players
-      ffmpeg
+      # ffmpeg
      vlc
-      v4l-utils
+      # v4l-utils
-      audacity
+      # audacity
-      spotify
+      # spotify
      yt-dlp
      (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
      libwebcam
      libcamera
      snapshot
      # Network Tools
      openvpn
      tcpdump
      iftop
      iperf
      bind
      socat
-      # 2019-03-05: broken on 19.03 linssid
+      nethogs
      iptraf-ng
      ipmitool
      iptables
      nftables
      wireshark
      wireguard-tools
      # Code Editing and Programming
-      xclip
+      # TODO(remove or use): pkgsUnstable.lapce
-      xsel
+      # TODO(remve or use): pkgsUnstable.helix
      pkgsUnstableSmall.lapce
      pkgsUnstableSmall.helix
      pkgsUnstableSmall.nil
      # Image/Graphic/Design Tools
-      gnome.eog
+      eog
-      gimp
+      # gimp
-      imagemagick
+      # imagemagick
-      exiv2
+      # exiv2
-      graphviz
+      # graphviz
-      inkscape
+      # inkscape
-      qrencode
+      # qrencode
      zbar
      feh
      # TODO: remove or move these: Modelling Tools
      # plantuml
@ -239,61 +182,46 @@ in {
      # astah-community
      # Misc Development Tools
-      qrcode
+      # qrcode
-      jq
+      # jq
-      cdrtools
+      # cdrtools
      # Document Processing and Management
-      gnome.nautilus
+      nautilus
      xfce.thunar
      pcmanfm
      # mendeley
      evince
-      (runCommand "logseq-wrapper" {
+      xournalpp
            nativeBuildInputs = [ makeWrapper ];
      } ''
            makeWrapper ${logseq}/bin/logseq $out/bin/logseq  \
                  --set NIXOS_OZONE_WL ""
      '')
      # (logseq.override({ electron_25 = electron_26; }))
      # File Synchronzation
      maestral
      maestral-gui
      rsync
      # Filesystem Tools
-      ntfs3g
+      # ntfs3g
-      ddrescue
+      # ddrescue
-      ncdu
+      # ncdu
-      unetbootin
+      # hdparm
      hdparm
      testdisk
      # binwalk
-      gptfdisk
+      # gptfdisk
-      gparted
+      # gparted
-      smartmontools
+      # smartmontools
      ## Android
      androidenv.androidPkgs_9_0.platform-tools
      ## Python
-      packages'.myPython
+      # packages'.myPython
      # Misc Desktop Tools
-      ltunify
+      # ltunify
      # dex
      xorg.xbacklight
      coreutils
      lsof
-      xdotool
+      xdg-utils
      xdg_utils
      xdg-user-dirs
      dconf
      picocom
      glib.dev # contains gdbus tool
      alacritty
-      wally-cli
+      # wally-cli
      man-pages
      # Screen recording
@ -303,70 +231,45 @@ in {
      # shutter
      # kazam # doesn't start
      # xvidcap # doesn't keep the recording rectangle
      # obs-studio
      # shotcut
      # openshot-qt
      # introduces python: screenkey
      # avidemux # broken
-      handbrake
+      # handbrake
-      pkgsUnstableSmall.ledger-live-desktop
+      # snes9x
-
+      # snes9x-gtk
      (banana-accounting.overrideDerivation (attrs:
        with inputs'.nixpkgs-2211.legacyPackages; {
          # dontWrapGApps = true;
          srcs = builtins.fetchurl {
            # hosted via https://web3.storage
            url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz";
            sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1";
          };
          # nativeBuildInputs =
          #   attrs.nativeBuildInputs
          #   ++ [
          #     qt5.qtbase
          #     qt5.wrapQtAppsHook
          #   ];
          # buildInputs =
          #   attrs.buildInputs
          #   ++ [
          #     qt5.qtwayland
          #   ];
          # preFixup =
          #   (attrs.preFixup or "")
          #   + ''
          #     qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
          #   '';
        }))
      snes9x
      snes9x-gtk
      # this is a displaymanager!
      # libretro.snes9x2010
      # retroarchFull
      # pkgs.logseq-bin
      pkgs.logseq
      # (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { })
    ])
    ++ (with repoFlake.packages.${pkgs.system}; [ gimp ])
    ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
      pkgsUnstable.ledger-live-desktop
      # unsupported on aarch64-linux
      pkgs.androidenv.androidPkgs_9_0.platform-tools
      pkgs.teamviewer
      pkgs.discord
      pkgsUnstable.session-desktop
      pkgsUnstable.rustdesk
    ]);
  systemd.user.startServices = true;
  services.syncthing.enable = true;
  services.udiskie = {
    enable = true;
-    automount = true;
+    automount = false;
    notify = true;
  };
  # FIXME: doesn't work as the service can't seem to control its started PID
  services.dropbox = {
    enable = false;
    path = "${config.home.homeDirectory}/Dropbox-Hm";
  };
  # TODO: uncomment this when it's in stable home-manger
  # programs.joshuto = {
  #   enable = true;
--- a/nix/home-manager/configuration/graphical-gnome3.nix
+++ b/nix/home-manager/configuration/graphical-gnome3.nix
@ -1,13 +1,8 @@
 { pkgs, ... }:
 {
-  pkgs,
+  home.packages = with pkgs; [
-  config,
+    gnome.gnome-tweaks
-  ...
+    gnome.gnome-keyring
-}: {
+    gnome.seahorse
-  home.packages =
+  ];
    []
    ++ (with pkgs; [
      gnome.gnome-tweaks
      gnome.gnome-keyring
      gnome.seahorse
    ]);
 }
--- a/nix/home-manager/configuration/graphical-removable.nix
+++ b/nix/home-manager/configuration/graphical-removable.nix
@ -1,8 +1,5 @@
 { pkgs, ... }:
 {
  pkgs,
  config,
  ...
 }: {
  imports = [
    ../profiles/common.nix
    ../profiles/qtile-desktop.nix
@ -16,89 +13,87 @@
    ../programs/pass.nix
  ];
-  home.packages =
+  home.packages = with pkgs; [
-    []
+    # Nix package related tools
-    ++ (with pkgs; [
+    patchelf
-      # Nix package related tools
+    nix-index
-      patchelf
+    nix-prefetch-scripts
      nix-index
      nix-prefetch-scripts
-      # Version Control Systems
+    # Version Control Systems
-      gitless
+    gitless
-      # Process/System Administration
+    # Process/System Administration
-      htop
+    htop
-      gnome.gnome-tweaks
+    gnome.gnome-tweaks
-      xorg.xhost
+    xorg.xhost
-      dmidecode
+    dmidecode
-      evtest
+    evtest
-      # Archive Managers
+    # Archive Managers
-      sshfs-fuse
+    sshfs-fuse
-      xarchive
+    xarchive
-      p7zip
+    p7zip
-      zip
+    zip
-      unzip
+    unzip
-      gzip
+    gzip
-      lzop
+    lzop
-      # Password Management
+    # Password Management
-      gnome.gnome-keyring
+    gnome.gnome-keyring
-      gnome.seahorse
+    gnome.seahorse
-      # Remote Control Tools
+    # Remote Control Tools
-      remmina
+    remmina
-      freerdp
+    freerdp
-      # Network Tools
+    # Network Tools
-      openvpn
+    openvpn
-      tcpdump
+    tcpdump
-      iftop
+    iftop
-      iperf
+    iperf
-      bind
+    bind
-      socat
+    socat
-      # samba
+    # samba
-      iptables
+    iptables
-      nftables
+    nftables
-      wireshark
+    wireshark
-      # Code Editors
+    # Code Editors
-      xclip
+    xclip
-      xsel
+    xsel
-      # Image/Graphic/Design Tools
+    # Image/Graphic/Design Tools
-      gnome.eog
+    gnome.eog
-      gimp
+    gimp
-      inkscape
+    inkscape
-      # Misc Development Tools
+    # Misc Development Tools
-      qrcode
+    qrcode
-      jq
+    jq
-      cdrtools
+    cdrtools
-      # Document Processing and Management
+    # Document Processing and Management
-      zathura
+    zathura
-      # File Synchronzation
+    # File Synchronzation
-      rsync
+    rsync
-      # Filesystem Tools
+    # Filesystem Tools
-      ntfs3g
+    ntfs3g
-      ddrescue
+    ddrescue
-      ncdu
+    ncdu
-      woeusb
+    woeusb
-      unetbootin
+    unetbootin
-      pcmanfm
+    pcmanfm
-      hdparm
+    hdparm
-      testdisk
+    testdisk
-      binwalk
+    binwalk
-      gptfdisk
+    gptfdisk
-      packages'.myPython
+    packages'.myPython
-      # Virtualization
+    # Virtualization
-      virtmanager
+    virtmanager
-    ]);
+  ];
 }
--- a/nix/home-manager/configuration/text-minimal.nix
+++ b/nix/home-manager/configuration/text-minimal.nix
@ -1,12 +0,0 @@
 {pkgs, ...}: {
  imports = [
    ../profiles/common.nix
    ../programs/neovim.nix
  ];
  home.packages = with pkgs; [
    iperf3
    inetutils
    speedtest-cli
  ];
 }
--- a/nix/home-manager/lib.nix
+++ b/nix/home-manager/lib.nix
@ -1,14 +1,19 @@
-{}: let
+_: {
-in {
+  mkSimpleTrayService =
-  mkSimpleTrayService = {execStart}: {
+    { execStart }:
-    Unit = {
+    {
-      Description = "";
+      Unit = {
-      After = ["graphical-session-pre.target"];
+        Description = "";
-      PartOf = ["graphical-session.target"];
+        After = [ "graphical-session-pre.target" ];
        PartOf = [ "graphical-session.target" ];
      };
      Install = {
        WantedBy = [ "graphical-session.target" ];
      };
      Service = {
        ExecStart = execStart;
      };
    };
    Install = {WantedBy = ["graphical-session.target"];};
    Service = {ExecStart = execStart;};
  };
 }
--- a/nix/home-manager/profiles/common.nix
+++ b/nix/home-manager/profiles/common.nix
@ -1,22 +1,38 @@
-{pkgs, ...}: {
+{ pkgs, lib, ... }:
 {
  home.stateVersion = lib.mkDefault "23.11";
  # TODO: re-enable this with the appropriate version?
  # programs.home-manager.enable = true;
  # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz;
-  imports = [
+  # TODO: move this to an OS snippet?
    ../programs/zsh.nix
  ];
  nixpkgs.config = {
    allowBroken = false;
    allowUnfree = true;
    allowUnsupportedSystem = true;
-    permittedInsecurePackages = [];
+    allowInsecurePredicate =
      pkg:
      builtins.elem (lib.getName pkg) [
        "electron-32.3.3"
        "electron"
      ];
    permittedInsecurePackages = [
      "electron-32.3.3"
      "electron"
    ];
    allowUnfreePredicate =
      pkg:
      builtins.elem (lib.getName pkg) [
        "obsidian"
        "vivaldi"
        "aspell-dict-en-science"
      ];
  };
  nix.settings.experimental-features = ["nix-command" "flakes" "impure-derivations" "ca-derivations" "recursive-nix"];
  nix.settings.sandbox = "relaxed";
  home.keyboard = {
    layout = "us";
    variant = "altgr-intl";
@ -30,53 +46,52 @@
  xdg.enable = true;
  programs.direnv.enable = true;
  services.lorri.enable = true;
  home.sessionVariables.NIXPKGS_ALLOW_UNFREE = "1";
  # Don't create .pyc files.
  home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1";
  programs.command-not-found.enable = true;
  programs.fzf.enable = true;
-  home.packages =
+  home.packages = with pkgs; [
-    []
+    coreutils
    ++ (with pkgs; [
      htop
      vcsh
-      # Authentication
+    vcsh
      cacert
      openssl
      mkpasswd
-      just
+    htop
-      ripgrep
+    iperf3
-      du-dust
+    nethogs
-      elfutils
+    # Authentication
-      exfat
+    cacert
-      file
+    openssl
-      tree
+    mkpasswd
      pwgen
      proot
-      parted
+    just
-      pv
+    ripgrep
-      tmux
+    du-dust
      wget
      curl
-      # git helpers
+    elfutils
-      git-crypt
+    exfat
-      gitFull
+    file
-      pastebinit
+    tree
-      gist
+    pwgen
-      mr
+    proot
-      usbutils
+    parted
-      pciutils
+    pv
-    ]);
+    tmux
    wget
    curl
-  home.stateVersion = "22.05";
+    # git helpers
    git-crypt
    gitFull
    pastebinit
    gist
    mr
    usbutils
    pciutils
  ];
 }
--- a/nix/home-manager/profiles/dotfiles.nix
+++ b/nix/home-manager/profiles/dotfiles.nix
@ -1,10 +1,4 @@
-{
+_: {
  pkgs,
  config,
  ...
 }: let
  vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {};
 in {
  # TODO: fix the dotfiles
  # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
  #   $DRY_RUN_CMD ${vcshActivationScript}
--- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix
+++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix
@ -3,38 +3,40 @@
  repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
  repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
  ...
-}: let
+}:
 let
  repoBareLocal =
    pkgs.runCommand "fetchbare"
-    {
+      {
-      outputHashMode = "recursive";
+        outputHashMode = "recursive";
-      outputHashAlgo = "sha256";
+        outputHashAlgo = "sha256";
-      outputHash = "0000000000000000000000000000000000000000000000000000";
+        outputHash = "0000000000000000000000000000000000000000000000000000";
-    } ''
+      }
-      (
+      ''
-        set -xe
+        (
-        export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+          set -xe
-        export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+          export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
-        ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
+          export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
-      )
+          ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
-    '';
+        )
      '';
 in
-  pkgs.writeScript "activation-script" ''
+pkgs.writeScript "activation-script" ''
-    export HOST=$(hostname -s)
+  export HOST=$(hostname -s)
-    function set_remotes {
+  function set_remotes {
-      ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
+    ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
-      ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
+    ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
-    }
+  }
-    if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
+  if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
-      echo Cloning dotfiles for $HOST...
+    echo Cloning dotfiles for $HOST...
-      ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
+    ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
-      set_remotes ${repoHttps} ${repoSsh}
+    set_remotes ${repoHttps} ${repoSsh}
-    else
+  else
-      set_remotes ${repoBareLocal} ${repoSsh}
+    set_remotes ${repoBareLocal} ${repoSsh}
-      echo Updating dotfiles for $HOST...
+    echo Updating dotfiles for $HOST...
-      ${pkgs.vcsh}/bin/vcsh pull $HOST || true
+    ${pkgs.vcsh}/bin/vcsh pull $HOST || true
-      set_remotes ${repoHttps} ${repoSsh}
+    set_remotes ${repoHttps} ${repoSsh}
-    fi
+  fi
-  ''
+''
--- a/nix/home-manager/profiles/experimental-desktop.nix
+++ b/nix/home-manager/profiles/experimental-desktop.nix
@ -1,16 +1,6 @@
 { packages', ... }:
 {
-  pkgs,
+  imports = [ ../profiles/wayland-desktop.nix ];
  config,
  lib,
  nodeFlake,
  packages',
  ...
 }: let
  pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {};
 in {
  imports = [
    ../profiles/wayland-desktop.nix
  ];
  home.packages = [
    # experimental WMs
--- a/nix/home-manager/profiles/gnome-desktop.nix
+++ b/nix/home-manager/profiles/gnome-desktop.nix
@ -1,13 +1,6 @@
 { pkgs, ... }:
 {
-  pkgs,
+  imports = [ ../profiles/wayland-desktop.nix ];
  config,
  lib,
  ...
 }: let
 in {
  imports = [
    ../profiles/wayland-desktop.nix
  ];
  services = {
    gnome-keyring.enable = false;
@ -23,87 +16,85 @@ in {
  #   Hidden=true
  # '';
-  services.gpg-agent.pinentryFlavor = "gnome3";
+  services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
-  dconf.settings = let
+  dconf.settings =
-    manualKeybindings = [
+    let
-      {
+      manualKeybindings = [
-        binding = "Print";
+        {
-        command = "flameshot gui";
+          binding = "Print";
-        name = "flameshot";
+          command = "flameshot gui";
-      }
+          name = "flameshot";
        }
-      {
+        {
-        binding = "<Super>t";
+          binding = "<Super>t";
-        command = "alacritty";
+          command = "alacritty";
-        name = "alacritty";
+          name = "alacritty";
-      }
+        }
-    ];
+      ];
-    numWorkspaces = 10;
+      numWorkspaces = 10;
-    customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
+      customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
-    customKeybindingsNames =
+      customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") (
-      builtins.genList (i: "/${customKeybindingBaseName}${toString i}/")
+        (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace
      (
        (builtins.length manualKeybindings)
        + numWorkspaces # for sending to the workspace
      );
-    workspacesKeyBindingsOffset = builtins.length manualKeybindings;
+      workspacesKeyBindingsOffset = builtins.length manualKeybindings;
-    # with this we can make use of all number keys [0-9]
+      # with this we can make use of all number keys [0-9]
-    mapToNumber = i:
+      mapToNumber =
-      if i < 10
+        i:
-      then i
+        if i < 10 then
-      else if i == 10
+          i
-      then 0
+        else if i == 10 then
-      else throw "i exceeds 10: ${i}";
+          0
-  in
+        else
          throw "i exceeds 10: ${i}";
    in
    {
      "org/gnome/settings-daemon/plugins/media-keys" = {
        custom-keybindings = customKeybindingsNames;
        screenreader = "@as []";
-        screensaver = ["<Alt><Super>l"];
+        screensaver = [ "<Alt><Super>l" ];
      };
      # disable the builtin <Super>[1-9] functionality
-      "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList
+      "org/gnome/shell/keybindings" = builtins.listToAttrs (
-          (i: {
+        (builtins.genList (i: {
-            name = "switch-to-application-${toString (i + 1)}";
+          name = "switch-to-application-${toString (i + 1)}";
-            value = [];
+          value = [ ];
-          })
+        }) numWorkspaces)
          numWorkspaces)
        ++ [
          {
            name = "toggle-overview";
-            value = [];
+            value = [ ];
          }
-        ]);
+        ]
      );
      # remap it to switching to the workspaces
-      "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList
+      "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (
-        (i: {
+        builtins.genList (i: {
          name = "switch-to-workspace-${toString (i + 1)}";
-          value = [
+          value = [ "<Super>${toString (mapToNumber (i + 1))}" ];
-            "<Super>${toString (mapToNumber (i + 1))}"
+        }) numWorkspaces
-          ];
+      );
        })
        numWorkspaces);
    }
-    // builtins.listToAttrs (builtins.genList
+    // builtins.listToAttrs (
-      (i: {
+      builtins.genList (i: {
        name = "${customKeybindingBaseName}${toString i}";
        value = builtins.elemAt manualKeybindings i;
-      })
+      }) (builtins.length manualKeybindings)
-      (builtins.length manualKeybindings))
+    )
-    // builtins.listToAttrs (builtins.genList
+    // builtins.listToAttrs (
-      (i: {
+      builtins.genList (i: {
        name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
        value = {
          binding = "<Control><Super>${toString (mapToNumber (i + 1))}";
          command = "wmctrl -r :ACTIVE: -t ${toString i}";
          name = "Send to workspace ${toString (i + 1)}";
        };
-      })
+      }) numWorkspaces
-      numWorkspaces);
+    );
 }
--- a/nix/home-manager/profiles/nix-channels.nix
+++ b/nix/home-manager/profiles/nix-channels.nix
@ -1,28 +1,22 @@
 { pkgs, config, ... }:
 {
  pkgs,
  config,
  ...
 }: let
 in {
  home.file.".nix-channels".text = "";
-  home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
+  home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] ''
-    $DRY_RUN_CMD ${
+    $DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
-      pkgs.writeScript "activation-script" ''
+      set -ex
-        set -ex
+      if test -f $HOME/.nix-channels; then
-        if test -f $HOME/.nix-channels; then
+        echo Uninstalling available channels...
-          echo Uninstalling available channels...
+        if test -f $HOME/.nix-channel; then
-          if test -f $HOME/.nix-channel; then
+          while read url channel; do
-            while read url channel; do
+            nix-channel --remove $channel
-              nix-channel --remove $channel
+          done < $HOME/.nix-channel
            done < $HOME/.nix-channel
          fi
          echo Moving existing file away...
          touch $HOME/.nix-channels.dummy
          mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
          rm $HOME/.nix-channels
        fi
-      ''
+        echo Moving existing file away...
-    };
+        touch $HOME/.nix-channels.dummy
        mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
        rm $HOME/.nix-channels
      fi
    ''};
  '';
 }
--- a/nix/home-manager/profiles/qtile-desktop.nix
+++ b/nix/home-manager/profiles/qtile-desktop.nix
@ -1,14 +1,14 @@
-{
+{ pkgs, ... }:
-  pkgs,
+let
  config,
  ...
 }: let
  inherit (import ../lib.nix {}) mkSimpleTrayService;
  audio = pkgs.writeShellScript "audio" ''
    export PATH=${
      with pkgs;
-        lib.makeBinPath [pulseaudio findutils gnugrep]
+      lib.makeBinPath [
        pulseaudio
        findutils
        gnugrep
      ]
    }:$PATH
    export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
@ -33,7 +33,7 @@
  terminalCommand = "${pkgs.alacritty}/bin/alacritty";
  dpmsScript = pkgs.writeShellScript "dpmsScript" ''
-    export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH
+    export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH
    set -xe
@ -56,7 +56,7 @@
  '';
  screenLockCommand = pkgs.writeShellScript "screenLock" ''
-    export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH
+    export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH
    revert() {
      ${dpmsScript} default
@ -251,7 +251,8 @@
    def print_new_window(window):
      print("new window: ", window)
  '';
-in {
+in
 {
  services = {
    gnome-keyring.enable = true;
    blueman-applet.enable = true;
@ -286,7 +287,7 @@ in {
    networkmanagerapplet
    gnome-icon-theme
    gnome.gnome-themes-extra
-    gnome.adwaita-icon-theme
+    adwaita-icon-theme
    lxappearance
    xorg.xcursorthemes
    pavucontrol
--- a/nix/home-manager/profiles/sway-desktop.nix
+++ b/nix/home-manager/profiles/sway-desktop.nix
@ -1,80 +1,64 @@
 /*
  TODO: create helper scripts for sharing of a screen portion
  ```
  # this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged.
  swaymsg create_output
  # find the name and the workspace number
  swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
  swaymsg output HEADLESS-1 mode 1920@108060Hz
  # mirror the headless workspace on the current one
  nix run nixpkgs\#wl-mirror -- HEADLESS-1
  # shift windows to the workspace and switch the focus to it
 */
 {
  pkgs,
  config,
  lib,
  # packages',
  repoFlakeInputs',
  ...
-}: let
+}:
-  inherit (import ../lib.nix {}) mkSimpleTrayService;
+let
  lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
  displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
  displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
  swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
-in {
+in
 {
  imports = [
    ../profiles/wayland-desktop.nix
    ../programs/waybar.nix
    # ../programs/salut.nix
  ];
  # TODO: autostart
  # environment.loginShellInit = ''
  #   if [[ "$(tty)" == /dev/tty1 ]]; then
  #     echo starting sway..
  #     exec sway
  #   fi
  # '';
  services = {
    # TODO: doesn't work with 2 screens
    # flameshot.enable = true;
  };
  services.dunst = {
    enable = true;
  };
-  services.gpg-agent.pinentryFlavor = "gnome3";
+  services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
  nixpkgs.overlays = [
    (final: prev: {
      # xdg-desktop-portal-wlr' = repoFlakeInputs'.nixpkgs-wayland.packages.xdg-desktop-portal-wlr;
      # xdg-desktop-portal-wlr-gtk' = repoFlakeInputs'.nixpkgs-wayland.packages.xdg-desktop-portal-wlr-gtk;
      # sway-unwrapped = let
      #   fixed_wlroots = prev.wlroots_0_16.overrideAttrs (old: {
      #     patches = [
      #       (builtins.fetchurl {
      #         sha256 = "05h9xzicz3fccskg2hbqnw2qh4bm7mwi70c4m00y87w5yhj9gxps";
      #         url = "https://gist.githubusercontent.com/steveej/1d8c96ed2fdb3d9ddd0344ca5136073f/raw/d6a097a452b950865b554587db606e718d99c572/fix-wlroots.patch";
      #       })
      #     ];
      #   });
      # in
      #   prev.sway-unwrapped.override {wlroots_0_16 = fixed_wlroots;};
    })
  ];
  home.packages = [
    pkgs.swayidle
    pkgs.swaylock
    ## themes
-    pkgs.gnome.adwaita-icon-theme
+    pkgs.adwaita-icon-theme
    pkgs.hicolor-icon-theme
    pkgs.gnome-icon-theme
    ## fonts
    # pkgs.nerd-fonts # TODO: reinstall selected ones
    pkgs.dejavu_fonts # just a basic good fond
    pkgs.font-awesome_5 # needed by i3status-rust
    pkgs.nerdfonts
    pkgs.font-awesome
    pkgs.roboto
    pkgs.ttf_bitstream_vera
    pkgs.noto-fonts
    pkgs.noto-fonts-cjk
    pkgs.noto-fonts-cjk-sans
    pkgs.noto-fonts-cjk-serif
    pkgs.noto-fonts-emoji
@ -89,117 +73,146 @@ in {
    pkgs.dina-font
    pkgs.monoid
    pkgs.hermit
-    # found on colemickens' repo
+    ### found on colemickens' repo
    pkgs.gelasio # metric-compatible with Georgia
    pkgs.powerline-symbols
    pkgs.iosevka-comfy.comfy-fixed
-    # experimental stuff
+    ## experimental stuff
    pkgs.fuzzel
  ];
  # TODO: configure kanshi to always set the 5K resolution
  # DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)"
  #   Make: Philips Consumer Electronics Company
  #   Model: PHL 499P9
  #   Serial: AU02419010010
  #   Physical size: 1190x340 mm
  #   Enabled: yes
  #   Modes:
  #     3840x1080 px, 59.967999 Hz (preferred)
  #     5120x1440 px, 59.977001 Hz (current)
  wayland.windowManager.sway = {
    enable = true;
    systemd.enable = true;
-    xwayland = true;
+    xwayland = false;
-    config = let
+    config =
-      modifier = "Mod4";
+      let
-      inherit (config.wayland.windowManager.sway.config) left right up down;
+        modifier = "Mod4";
-    in {
+        inherit (config.wayland.windowManager.sway.config)
-      inherit modifier;
+          left
-      bars = [];
+          right
          up
          down
          ;
      in
      {
        inherit modifier;
        bars = [ ];
-      input = {
+        input = {
-        "type:keyboard" =
+          "type:keyboard" =
-          {
+            {
-            xkb_layout = config.home.keyboard.layout;
+              xkb_layout = config.home.keyboard.layout;
-            xkb_variant = config.home.keyboard.variant;
+              xkb_variant = config.home.keyboard.variant;
-          }
+            }
-          // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
+            // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) {
-            xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
+              xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
            };
          "type:touchpad" = {
            natural_scroll = "enabled";
          };
-        "type:touchpad" = {
+          # alternatively run this command
-          natural_scroll = "enabled";
+          # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative"
          # and then switch to a different VT (alt+ctrl+f2) and back
          "1386:914:Wacom_Intuos_Pro_S_Pen" = {
            tool_mode = "* relative";
          };
        };
        keybindings = lib.mkOptionDefault {
          # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
          # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
          "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
          # only 1-9 exist on the default config
          "${modifier}+0" = "workspace number 0";
          "${modifier}+Shift+0" = "move container to workspace number 0";
          # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
          "${modifier}+b" = "nop";
          "${modifier}+v" = "nop";
          # move workspace to output
          "${modifier}+Control+Shift+${left}" = "move workspace to output left";
          "${modifier}+Control+Shift+${right}" = "move workspace to output right";
          "${modifier}+Control+Shift+${up}" = "move workspace to output up";
          "${modifier}+Control+Shift+${down}" = "move workspace to output down";
          # move workspace to output with arrow keys
          "${modifier}+Control+Shift+Left" = "move workspace to output left";
          "${modifier}+Control+Shift+Right" = "move workspace to output right";
          "${modifier}+Control+Shift+Up" = "move workspace to output up";
          "${modifier}+Control+Shift+Down" = "move workspace to output down";
          # TODO: i've been hitting this one accidentally way too often. find a better place.
          # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
          "${modifier}+q" = "kill";
          "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
          "${modifier}+x" = "exec ${swapOutputWorkspaces}";
          "${modifier}+Ctrl+l" = "exec ${lockCmd}";
          "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
          "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
          "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
          "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
          "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
          "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
          "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
        };
        terminal = "alacritty";
        startup =
          [
            {
              command = builtins.toString (
                pkgs.writeShellScript "ensure-graphical-session" ''
                  (
                    ${pkgs.coreutils}/bin/sleep 0.2
                    ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
                  ) &
                ''
              );
            }
          ]
          ++ lib.optionals config.services.swayidle.enable [
            {
              command = builtins.toString (
                pkgs.writeShellScript "ensure-graphical-session" ''
                  (
                    ${pkgs.coreutils}/bin/sleep 0.2
                    ${pkgs.systemd}/bin/systemctl --user restart swayidle
                  ) &
                ''
              );
            }
          ];
        colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; };
        window.titlebar = false;
        window.border = 4;
        # this maps to focus_on_window_activation
        focus.newWindow = "urgent";
      };
      keybindings = lib.mkOptionDefault {
        # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
        # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
        "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
        # only 1-9 exist on the default config
        "${modifier}+0" = "workspace number 0";
        "${modifier}+Shift+0" = "move container to workspace number 0";
        # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
        "${modifier}+b" = "nop";
        "${modifier}+v" = "nop";
        # move workspace to output
        "${modifier}+Control+Shift+${left}" = "move workspace to output left";
        "${modifier}+Control+Shift+${right}" = "move workspace to output right";
        "${modifier}+Control+Shift+${up}" = "move workspace to output up";
        "${modifier}+Control+Shift+${down}" = "move workspace to output down";
        # move workspace to output with arrow keys
        "${modifier}+Control+Shift+Left" = "move workspace to output left";
        "${modifier}+Control+Shift+Right" = "move workspace to output right";
        "${modifier}+Control+Shift+Up" = "move workspace to output up";
        "${modifier}+Control+Shift+Down" = "move workspace to output down";
        "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
        "${modifier}+q" = "kill";
        "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
        "${modifier}+x" = "exec ${swapOutputWorkspaces}";
        "${modifier}+Ctrl+l" = "exec ${lockCmd}";
        "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
        "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
        "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
        "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
        "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
        "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
        "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
      };
      terminal = "alacritty";
      startup =
        [
          {
            command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
              (
                ${pkgs.coreutils}/bin/sleep 0.2
                ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
              ) &
            '');
          }
        ]
        ++ lib.optionals config.services.swayidle.enable [
          {
            command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
              (
                ${pkgs.coreutils}/bin/sleep 0.2
                ${pkgs.systemd}/bin/systemctl --user restart swayidle
              ) &
            '');
          }
        ];
      colors.focused = lib.mkOptionDefault {
        childBorder = lib.mkForce "#ffa500";
      };
      window.border = 4;
      # this maps to focus_on_window_activation
      focus.newWindow = "urgent";
    };
  };
  services.swayidle = {
--- a/nix/home-manager/profiles/wayland-desktop.nix
+++ b/nix/home-manager/profiles/wayland-desktop.nix
@ -1,19 +1,14 @@
 {
  pkgs,
  config,
  lib,
  repoFlake,
  nodeFlake,
  ...
-}: let
+}:
-  inherit (import ../lib.nix {}) mkSimpleTrayService;
+let
  nixpkgs-2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
  nixpkgs-unstable-small = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system};
  nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
-
+in
-  wayprompt = nixpkgs-wayland'.wayprompt;
+{
 in {
  fonts.fontconfig.enable = true;
  # services.gpg-agent.pinentryFlavor = lib.mkForce null;
@ -29,45 +24,57 @@ in {
  systemd.user.targets.tray = {
    Unit = {
      Description = "Home Manager System Tray";
-      Requires = ["graphical-session-pre.target"];
+      Requires = [ "graphical-session-pre.target" ];
    };
  };
-  home.packages = with pkgs; [
+  home.packages =
-    # required by network-manager-applet
+    with pkgs;
-    pkgs.networkmanagerapplet
+    [
      # required by network-manager-applet
      networkmanagerapplet
-    wlr-randr
+      wlr-randr
-    wayout
+      wayout
-    wl-clipboard
+      wl-clipboard
-    wmctrl
+      wmctrl
-    wayprompt
+      nixpkgs-wayland'.shotman
    nixpkgs-wayland'.shotman
-    # identifies key input syms
+      # identifies key input syms
-    wev
+      wev
-    # TODO: whwat's this for?
+      # TODO: whwat's this for?
-    # wltype
+      # wltype
-    pavucontrol
+      qt5.qtwayland
-    playerctl
+      qt6.qtwayland
-    pasystray
+      # libsForQt5.qt5.qtwayland
-    qt5.qtwayland
+      # libsForQt6.qt6.qtwayland
    qt6.qtwayland
    # libsForQt5.qt5.qtwayland
    # libsForQt6.qt6.qtwayland
-    # probably required by flameshot
+      # audio
-    # xdg-desktop-portal xdg-desktop-portal-wlr
+      playerctl
-    # grim
+      helvum
-  ];
+      pasystray
      sonusmix
      pwvucontrol
      # probably required by flameshot
      # xdg-desktop-portal xdg-desktop-portal-wlr
      # grim
      waypipe
    ]
    ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64)
      # TODO: broken on aarch64
      [ ]
    );
  home.sessionVariables = {
    XDG_SESSION_TYPE = "wayland";
    NIXOS_OZONE_WL = "1";
    MOZ_ENABLE_WAYLAND = "1";
    WLR_NO_HARDWARE_CURSORS = "1";
  };
  home.pointerCursor = {
--- a/nix/home-manager/programs/chromium.nix
+++ b/nix/home-manager/programs/chromium.nix
@ -1,15 +1,17 @@
 {
  name,
  lib,
  pkgs,
  ...
-}: let
+}:
 let
  extensions =
    [
      #undetectable adblocker
-      {id = "gcfcpohokifjldeandkfjoboemihipmb";}
+      { id = "gcfcpohokifjldeandkfjoboemihipmb"; }
      # ublock origin
-      {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";}
+      { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; }
      # # YT ad block
      # {id = "cmedhionkhpnakcndndgjdbohmhepckk";}
@ -18,15 +20,15 @@
      # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";}
      # Cookie Notice Blocker
-      {id = "odhmfmnoejhihkmfebnolljiibpnednn";}
+      { id = "odhmfmnoejhihkmfebnolljiibpnednn"; }
      # i don't care about cookies
-      {id = "fihnjjcciajhdojfnbdddfaoknhalnja";}
+      { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; }
      # NopeCHA
-      {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";}
+      { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; }
      # h264ify
-      {id = "aleakchihdccplidncghkekgioiakgal";}
+      { id = "aleakchihdccplidncghkekgioiakgal"; }
      # clippy
      # {id = "honbeilkanbghjimjoniipnnehlmhggk"}
@ -37,25 +39,43 @@
      }
      # cookie autodelete
-      {id = "fhcgjolkccmbidfldomjliifgaodjagh";}
+      { id = "fhcgjolkccmbidfldomjliifgaodjagh"; }
      # unhook
-      { id = "khncfooichmfjbepaaaebmommgaepoid";}
+      { id = "khncfooichmfjbepaaaebmommgaepoid"; }
    ]
    ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
      # polkadotjs
      { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; }
      # rabby wallet
      { id = "acmacodkjbdgmoleebolmdjonilkdbch"; }
      # phantom wallet
      { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; }
      # Vimium C
-      {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";}
+      { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; }
      # TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report
      # always right
      { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; }
      # shazam music
      { id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
    ]);
-in {
+in
 {
  programs.chromium = {
    enable = true;
    inherit extensions;
    # TODO: extensions currently don't work with ungoogled-chromium
    package = pkgs.chromium;
  };
  programs.brave = {
-    enable = true;
+    # TODO: enable this on aarch64-linux
    enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
    inherit extensions;
  };
  programs.browserpass = {browsers = ["chromium" "brave"];};
 }
--- a/nix/home-manager/programs/espanso.nix
+++ b/nix/home-manager/programs/espanso.nix
@ -1,73 +1,82 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
 {
  services.espanso = {
-    # package = pkgs.espanso.overrideAttrs(_: {
+    package = pkgs.espanso-wayland;
-    #   # src =
+    # package = pkgs.espanso-wayland.overrideAttrs (_: {
-    # })
+    #   src = repoFlake.inputs.espanso;
-    enable = true;
+
    #   cargoLock = {
    #     # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock";
    #     lockFile = repoFlake.inputs.espanso + "/Cargo.lock";
    #     outputHashes = {
    #       "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU=";
    #     };
    #   };
    # });
    enable = false;
    configs = {
      default = {
        # backend = "Inject";
        # backend = "Clipboard";
      };
    };
-    matches = let
+    matches =
-      playerctl = ''
+      let
-        ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
+        playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
-    in {
+      in
-      default = {
+      {
-        matches = [
+        default = {
-          {
+          matches = [
-            trigger = ":vpos";
+            {
-            replace = "{{output}}";
+              trigger = ":vpos";
-            vars = [
+              replace = "{{output}}";
-              {
+              vars = [
-                name = "output";
+                {
-                type = "script";
+                  name = "output";
-                params = {
+                  type = "script";
-                  args = [
+                  params = {
-                    (pkgs.writeScript "espanso" ''
+                    args = [
-                      #! ${pkgs.python3}/bin/python
+                      (pkgs.writeScript "espanso" ''
-                      import subprocess, os, math, datetime
+                        #! ${pkgs.python3}/bin/python
                        import subprocess, os, math, datetime
-                      id=str(os.getuid())
+                        id=str(os.getuid())
-                      result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True)
+                        result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True)
-                      result.check_returncode()
+                        result.check_returncode()
-                      position_secs = math.trunc(float(result.stdout))
+                        position_secs = math.trunc(float(result.stdout))
-                      position_human = datetime.timedelta(seconds=position_secs)
+                        position_human = datetime.timedelta(seconds=position_secs)
-                      print("%s - %s" % (position_human, position_secs))
+                        print("%s - %s" % (position_human, position_secs))
-                    '')
+                      '')
-                  ];
+                    ];
-                };
+                  };
-              }
+                }
-            ];
+              ];
-          }
+            }
-          {
+            {
-            trigger = ":vtit";
+              trigger = ":vtit";
-            replace = "{{output}}";
+              replace = "{{output}}";
-            vars = [
+              vars = [
-              {
+                {
-                name = "output";
+                  name = "output";
-                type = "script";
+                  type = "script";
-                params = {
+                  params = {
-                  args = [
+                    args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ];
-                    (pkgs.writeShellScript "espanso"
+                  };
-                      "${playerctl} metadata title")
+                }
-                  ];
+              ];
-                };
+            }
-              }
+            {
-            ];
+              trigger = ":dunno";
-          }
+              replace = "¯\\_(ツ)_/¯";
-          {
+            }
-            trigger = ":dunno";
+            {
-            replace = "¯\\_(ツ)_/¯";
+              trigger = ":shrug";
-          }
+              replace = "¯\\_(ツ)_/¯";
-          {
+            }
-            trigger = ":shrug";
+          ];
-            replace = "¯\\_(ツ)_/¯";
+        };
          }
        ];
      };
    };
  };
 }
--- a/nix/home-manager/programs/firefox.nix
+++ b/nix/home-manager/programs/firefox.nix
@ -1,6 +1,417 @@
-{pkgs, ...}: {
+{
-  programs.librewolf = {enable = true;};
+  repoFlake,
-  programs.firefox = {enable = true;};
+  pkgs,
  config,
  lib,
  ...
 }:
 let
  # Search extension names with below command:
  # nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY
  ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [
    ublock-origin
-  # home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
+    # bypass-paywalls-clean (can't use, was creating popups)
    consent-o-matic
    terms-of-service-didnt-read
    auto-tab-discard
    # redirector # For nixos wiki
    # darkreader
    facebook-container
    control-panel-for-twitter
    # containerise
    facebook-tracking-removal
    vimium
    cookie-autodelete
    auto-tab-discard
    istilldontcareaboutcookies
    youtube-recommended-videos
    display-_anchors
  ];
  customAddons = [
  ];
  search = {
    force = true;
    default = "DuckDuckGo";
    privateDefault = "DuckDuckGo";
  };
  mkProfile =
    override:
    lib.recursiveUpdate {
      extensions = ryceeAddons ++ customAddons;
      inherit search;
      settings = {
        # automatically enable extensions
        "extensions.autoDisableScopes" = 0;
        "middlemouse.paste" = false;
        "browser.download.useDownloadDir" = false;
        "browser.tabs.insertAfterCurrent" = true;
        "browser.tabs.warnOnClose" = true;
        "browser.toolbars.bookmarks.visibility" = "never";
        "browser.quitShortcut.disabled" = false;
        # restore the previous session automatically
        "browser.startup.page" = 3;
        "browser.sessionstore.resume_from_crash" = true;
        "browser.sessionstore.restore_pinned_tabs_on_demand" = true;
        "browser.sessionstore.restore_on_demand" = true;
        "browser.urlbar.suggest.bookmark" = true;
        "browser.urlbar.suggest.engines" = true;
        "browser.urlbar.suggest.history" = true;
        "browser.urlbar.suggest.openpage" = true;
        "browser.urlbar.suggest.topsites" = false;
        "browser.urlbar.trimHttps" = true;
        "sidebar.position_start" = false;
        "findbar.highlightAll" = true;
        "browser.tabs.hoverPreview.enabled" = true;
        # Disable fx accounts
        "identity.fxaccounts.enabled" = false;
        # Disable "save password" prompt
        "signon.rememberSignons" = false;
        # Harden
        "privacy.trackingprotection.enabled" = true;
        "dom.security.https_only_mode" = true;
        # Disable irritating first-run stuff
        "browser.disableResetPrompt" = true;
        "browser.download.panel.shown" = true;
        "browser.feeds.showFirstRunUI" = false;
        "browser.messaging-system.whatsNewPanel.enabled" = false;
        "browser.rights.3.shown" = true;
        "browser.shell.checkDefaultBrowser" = false;
        "browser.shell.defaultBrowserCheckCount" = 1;
        "browser.startup.homepage_override.mstone" = "ignore";
        "browser.uitour.enabled" = false;
        "startup.homepage_override_url" = "";
        "trailhead.firstrun.didSeeAboutWelcome" = true;
        "browser.bookmarks.restore_default_bookmarks" = false;
        "browser.bookmarks.addedImportButton" = true;
        # Disable "Save to Pocket" or Pocket entirely
        "extensions.pocket.enabled" = false;
        # Disable telemetry
        "toolkit.telemetry.enabled" = false;
        "toolkit.telemetry.unified" = false;
        "toolkit.telemetry.archive.enabled" = false;
        "datareporting.healthreport.uploadEnabled" = false;
        "app.shield.optoutstudies.enabled" = false;
        "browser.discovery.enabled" = false;
        "browser.newtabpage.activity-stream.feeds.telemetry" = false;
        "browser.newtabpage.activity-stream.telemetry" = false;
        "browser.ping-centre.telemetry" = false;
        "datareporting.healthreport.service.enabled" = false;
        "datareporting.policy.dataSubmissionEnabled" = false;
        "datareporting.sessions.current.clean" = true;
        "devtools.onboarding.telemetry.logged" = false;
        "toolkit.telemetry.bhrPing.enabled" = false;
        "toolkit.telemetry.firstShutdownPing.enabled" = false;
        "toolkit.telemetry.hybridContent.enabled" = false;
        "toolkit.telemetry.newProfilePing.enabled" = false;
        "toolkit.telemetry.prompted" = 2;
        "toolkit.telemetry.rejected" = true;
        "toolkit.telemetry.reportingpolicy.firstRun" = false;
        "toolkit.telemetry.server" = "";
        "toolkit.telemetry.shutdownPingSender.enabled" = false;
        "toolkit.telemetry.unifiedIsOptIn" = false;
        "toolkit.telemetry.updatePing.enabled" = false;
        # Disable any feeds on the new tab page
        "browser.newtabpage.activity-stream.showTopSites" = false;
        "browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ];
        "browser.newtabpage.activity-stream.discoverystream.enabled" = false;
        "browser.newtabpage.activity-stream.feeds.topsites" = false;
        "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
        "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false;
        "browser.newtabpage.blocked" = lib.genAttrs [
          # Youtube
          "26UbzFJ7qT9/4DhodHKA1Q=="
          # Facebook
          "4gPpjkxgZzXPVtuEoAL9Ig=="
          # Wikipedia
          "eV8/WsSLxHadrTL1gAxhug=="
          # Reddit
          "gLv0ja2RYVgxKdp0I5qwvA=="
          # Amazon
          "K00ILysCaEq8+bEqV/3nuw=="
          # Twitter
          "T9nJot5PurhJSy8n038xGA=="
        ] (_: 1);
        "browser.topsites.blockedSponsors" = [
          "adidas"
          "temuaffiliateprogram.pxf"
          "s.click.aliexpress"
        ];
        # enable userChrome
        "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
        "devtools.chrome.enabled" = true;
        "devtools.debugger.remote-enabled" = true;
        # disable translations for some languages
        "browser.translations.neverTranslateLanguages" = [
          "en"
          "de"
        ];
        "browser.translations.automaticallyPopup" = false;
        # enable pipewire (and libcamera) sources
        "media.webrtc.camera.allow-pipewire" = true;
      };
      userChrome =
        let
          name = override.color or colors.grey;
          value = colorValues."${name}".normal;
          valueBright = colorValues."${name}".highlight;
          valueDark = colorValues."${name}".inactive;
        in
        ''
          @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */
          #nav-bar {
            background-color: ${value} !important;
            color: black !important;
          }
          /* don't show close button on background tabs */
          #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button {
            display: none !important;
          }
          /* show close button on hover */
          #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button {
            display: -moz-inline-box !important;
          }
          /* default */
          #TabsToolbar {
            background: ${valueDark} !important;
          }
          /* default tab */
          #TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content {
            background: ${value} !important;
            opacity: 0.8
          }
          /* selected tab */
          #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content {
            background: ${valueBright} !important;
            box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19);
          }
          /* hovered tab */
          #TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content {
            background: ${valueBright} !important;
          }
          /* unloaded/pending tab */
          #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content {
            background: ${valueDark} !important;
          }
        '';
      # /* new tab */
      # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon {
      #   background: unset !important;
      # }
      # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button {
      # /* background: var(--default_tabs_bg_newtab) !important;
      # }
      # /* hovered new tab */
      # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover {
      #   background: var(--default_tabs_bg_newtab_hovered) !important;
      # }
    } (builtins.removeAttrs override [ "color" ]);
  # TODO: insert the id automatically
  mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs;
  colors = builtins.mapAttrs (name: _: name) colorValues;
  colorValues = {
    blue = {
      normal = "#49b1fc";
      highlight = "#05a9fc"; # Brighter blue
      inactive = "#1f81c6"; # Darker blue
    };
    green = {
      normal = "#51cd00";
      highlight = "#5ae200"; # Brighter green
      inactive = "#45ad00"; # Darker green
    };
    orange = {
      normal = "#ff9800";
      highlight = "#ffb74d"; # Brighter orange
      inactive = "#c76a00"; # Darker orange
    };
    red = {
      normal = "#f6685e";
      highlight = "#ff4336"; # Brighter red
      inactive = "#aa463f"; # Darker red
    };
    yellow = {
      normal = "#fced4b";
      highlight = "#fce705"; # Brighter yellow
      inactive = "#dbbe00"; # Darker yellow
    };
    purple = {
      normal = "#9c27b0";
      highlight = "#ab47bc"; # Brighter purple
      inactive = "#7b1fa2"; # Darker purple
    };
    pink = {
      normal = "#e91e63";
      highlight = "#ff6090"; # Brighter pink
      inactive = "#c2185b"; # Darker pink
    };
    brown = {
      normal = "#795548";
      highlight = "#a88b6f"; # Brighter brown
      inactive = "#4e3b30"; # Darker brown
    };
    grey = {
      normal = "#9e9e9e";
      highlight = "#bdbdbd"; # Brighter grey
      inactive = "#757575"; # Darker grey
    };
    teal = {
      normal = "#009688";
      highlight = "#26c6da"; # Brighter teal
      inactive = "#00796b"; # Darker teal
    };
  };
 in
 {
  nixpkgs.overlays = [
    repoFlake.inputs.nur.overlays.default
  ];
  nixpkgs.config.allowUnfreePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
      "youtube-recommended-videos"
    ];
  programs.librewolf = {
    enable = false;
  };
  programs.firefox = {
    enable = true;
    package = pkgs.firefox-esr;
    profiles = mkProfiles {
      "personal" = mkProfile {
        id = 0;
        isDefault = true;
        color = colors.blue;
      };
      "comms" = mkProfile {
        id = 1;
        color = colors.blue;
      };
      "admin" = mkProfile {
        id = 2;
        color = colors.blue;
      };
      "infra" = mkProfile {
        id = 3;
        color = colors.blue;
      };
      "finance" = mkProfile {
        id = 4;
        color = colors.yellow;
      };
      "business-admin" = mkProfile {
        id = 5;
        color = colors.teal;
      };
      "business-comms" = mkProfile {
        id = 6;
        color = colors.teal;
      };
      "business-dev" = mkProfile {
        id = 7;
        color = colors.teal;
      };
      "holo-dev" = mkProfile {
        id = 8;
        color = colors.green;
      };
      "holo-infra" = mkProfile {
        id = 9;
        color = colors.green;
      };
      "holo-comms" = mkProfile {
        id = 10;
        color = colors.green;
      };
      "justyna" = mkProfile {
        id = 11;
        color = colors.pink;
      };
      "justyna-office" = mkProfile {
        id = 12;
        color = colors.pink;
      };
    };
  };
  # create one desktop entry for each profile
  xdg.desktopEntries = lib.mapAttrs' (
    k: _v:
    lib.nameValuePair "firefox-profile-${k}" {
      categories = [
        "Network"
        "WebBrowser"
      ];
      exec = "${lib.getExe config.programs.firefox.package} -P ${k}";
      genericName = "Web Browser";
      icon =
        builtins.replaceStrings [ ".desktop" ] [ "" ]
          config.programs.firefox.package.desktopItem.name;
      mimeType = [
        "text/html"
        "text/xml"
        "application/xhtml+xml"
        "application/vnd.mozilla.xul+xml"
        "x-scheme-handler/http"
        "x-scheme-handler/https"
      ];
      name = "Firefox: ${k}";
      startupNotify = true;
      settings.StartupWMClass =
        # To group windows of different profiles.
        # Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name.
        #if profile.name == "default"
        #then "firefox"
        #else "firefox-${profile.name}";
        "firefox";
      terminal = false;
      type = "Application";
    }
  ) config.programs.firefox.profiles;
 }
--- a/nix/home-manager/programs/gpg-agent.nix
+++ b/nix/home-manager/programs/gpg-agent.nix
@ -1,29 +1,17 @@
 { lib, pkgs, osConfig, ... }:
 {
-  lib,
+  home.packages = [ pkgs.gcr ];
  pkgs,
  config,
  ...
 }: {
  home.packages =
    [
      pkgs.gcr
    ]
    ++ (
      if config.services.gpg-agent.pinentryFlavor == "gtk2"
      then [pkgs.pinentry-gtk2]
      else if config.services.gpg-agent.pinentryFlavor == "gnome3"
      then [pkgs.pinentry-gnome]
      else []
    );
  programs.gpg.enable = true;
  services.gpg-agent = {
    enable = true;
-    enableScDaemon = true;
+    enableScDaemon = !osConfig.services.pcscd.enable;
    enableSshSupport = true;
    grabKeyboardAndMouse = true;
-    pinentryFlavor = lib.mkDefault "gtk2";
+    pinentryPackage = lib.mkDefault pkgs.pinentry-gtk2;
-    extraConfig = "";
+    extraConfig = ''
      no-allow-external-cache
    '';
    defaultCacheTtl = 0;
    maxCacheTtl = 0;
--- a/nix/home-manager/programs/homeshick.nix
+++ b/nix/home-manager/programs/homeshick.nix
@ -1,32 +1,25 @@
 { pkgs, config, ... }:
 {
  pkgs,
  config,
  ...
 }: let
  # TODO: clean up the impurity in here
 in {
  home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
-  home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
+  home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] ''
-    $DRY_RUN_CMD ${
+    $DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
-      pkgs.writeScript "activation-script" ''
+      set -e
-        set -e
+      echo home-manager path is ${config.home.path}
-        echo home-manager path is ${config.home.path}
+      echo home is $HOME
        echo home is $HOME
-        source ${pkgs.homeshick}/homeshick.sh
+      source ${pkgs.homeshick}/homeshick.sh
-        type homeshick
+      type homeshick
-        # echo Updating homeshick
+      # echo Updating homeshick
-        # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
+      # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
-        # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
+      # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
-      ''
+    ''};
    };
  '';
  nixpkgs.config = {
-    packageOverrides = pkgs:
+    packageOverrides =
-      with pkgs; {
+      pkgs: with pkgs; {
        homeshick = builtins.fetchGit {
          url = "https://github.com/andsens/homeshick.git";
          ref = "master";
--- a/nix/home-manager/programs/libreoffice.nix
+++ b/nix/home-manager/programs/libreoffice.nix
@ -1,3 +1,8 @@
-{pkgs, ...}: {
+{ pkgs, nodeFlake, ... }:
-  home.packages = with pkgs; [libreoffice-fresh];
+
 let
  pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system};
 in
 {
  home.packages = [ pkgsStable.libreoffice ];
 }
--- a/nix/home-manager/programs/neovim.nix
+++ b/nix/home-manager/programs/neovim.nix
@ -1,131 +1,161 @@
 { repoFlake, pkgs, ... }:
 {
-  pkgs,
+  imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ];
  lib,
  ...
 }: let
 in {
  # FIXME: this doesn't work
  home.sessionVariables.EDITOR = "nvim";
-  programs.neovim = {
+  programs.nixvim = {
    enable = true;
    defaultEditor = true;
    vimdiffAlias = true;
    vimAlias = true;
-    extraPython3Packages = ps: with ps; [];
+    extraPython3Packages = ps: with ps; [ ];
-    extraConfig = builtins.readFile ./neovim/vimrc;
+    # extraConfigVim = builtins.readFile ./neovim/vimrc;
-    plugins = with pkgs;
+    clipboard = {
-      [
+      register = "unnamedplus";
-        # yaml-folds
+      providers.wl-copy.enable = true;
-        {
+    };
          plugin = vimUtils.buildVimPlugin {
            name = "vim-yaml-folds";
            src = fetchFromGitHub {
              owner = "pedrohdz";
              repo = "vim-yaml-folds";
              rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a";
              sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m";
            };
            buildInputs = [zip vim];
          };
        }
-        {
+    plugins = {
-          plugin = vimUtils.buildVimPlugin {
+      airline = {
-            name = "vim-yaml";
+        enable = true;
-            src = fetchFromGitHub {
+        settings = {
-              owner = "stephpy";
+          powerline_fonts = 1;
-              repo = "vim-yaml";
+          skip_empty_sections = 1;
-              rev = "e97e063b16eba4e593d620676a0a15fa98613979";
+          theme = "papercolor";
-              sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
+        };
-            };
+      };
-          };
+      fugitive.enable = true;
-        }
+      gitblame.enable = true;
      lsp = {
        enable = true;
      };
-        # broken 2021-06-08
+      nix.enable = true;
        # {
        #  plugin = vimUtils.buildVimPlugin {
        #    name = "vim-markdown-toc";
        #    src = fetchFromGitHub {
        #      owner = "mzlogin";
        #      repo = "vim-markdown-toc";
        #      rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638";
        #      sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz";
        #    };
        #  };
        # }
-        # broken 2021-06-08
+      # TODO: enable in next release
-        # {
+      # numbertoggle.enable = true;
        #  plugin = vimUtils.buildVimPlugin {
        #    name = "vim-perl";
        #    src = fetchFromGitHub {
        #      owner = "vim-perl";
        #      repo = "vim-perl";
        #      rev = "f330b5d474c44e6cfae22ba50868093dea3e9adb";
        #      sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr";
        #    };
        #  };
        # }
-        {
+      # successfor to ctrlp and fzf
-          plugin = vimUtils.buildVimPlugin {
+      telescope.enable = true;
            name = "git-blame";
            src = fetchFromGitHub {
              "owner" = "zivyangll";
              "repo" = "git-blame.vim";
              "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917";
              "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
            };
          };
        }
      ]
      ++ (with pkgs.vimPlugins; [
        delimitMate
        vim-airline
        vim-airline-themes
        ctrlp
        vim-css-color
        rainbow_parentheses
        vim-colorschemes
        vim-colorstepper
        vim-signify
        fugitive
        vim-indent-guides
        UltiSnips
        fzfWrapper
-        ncm2
+      todo-comments.enable = true;
        ncm2-bufword
        ncm2-path
        ncm2-tmux
        ncm2-ultisnips
        nvim-yarp
-        LanguageClient-neovim
+      toggleterm.enable = true;
-        Improved-AnsiEsc
+      treesitter = {
-        tabular
+        enable = true;
-        # Nix
+        grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [
-        vim-addon-nix
+          bash
-        tlib
+          json
-        vim-addon-vim2nix
+          lua
          make
          markdown
          nix
          regex
          toml
          vim
          vimdoc
          xml
          yaml
        ];
      };
-        # LaTeX
+      treesitter-context.enable = true;
-        vim-latex-live-preview
+      treesitter-refactor.enable = true;
        vimtex
-        # YAML
+      # This plugin trims trailing whitespace and lines.
-        vim-yaml
+      trim.enable = true;
    };
-        # markdown
+    # plugins = with pkgs;
-        vim-markdown
+    #   [
-        vim-markdown-toc
+    #     # yaml-folds
    #     {
    #       plugin = vimUtils.buildVimPlugin {
    #         name = "vim-yaml-folds";
    #         src = fetchFromGitHub {
    #           owner = "pedrohdz";
    #           repo = "vim-yaml-folds";
    #           rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a";
    #           sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m";
    #         };
    #         buildInputs = [zip vim];
    #       };
    #     }
-        # misc syntax support
+    #     {
-        vim-bazel
+    #       plugin = vimUtils.buildVimPlugin {
-        maktaba
+    #         name = "vim-yaml";
-      ]);
+    #         src = fetchFromGitHub {
    #           owner = "stephpy";
    #           repo = "vim-yaml";
    #           rev = "e97e063b16eba4e593d620676a0a15fa98613979";
    #           sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
    #         };
    #       };
    #     }
    #     {
    #       plugin = vimUtils.buildVimPlugin {
    #         name = "git-blame";
    #         src = fetchFromGitHub {
    #           "owner" = "zivyangll";
    #           "repo" = "git-blame.vim";
    #           "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917";
    #           "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
    #         };
    #       };
    #     }
    #   ]
    #   ++ (with pkgs.vimPlugins; [
    #     delimitMate
    #     vim-airline
    #     vim-airline-themes
    #     ctrlp
    #     vim-css-color
    #     rainbow_parentheses
    #     vim-colorschemes
    #     vim-colorstepper
    #     vim-signify
    #     fugitive
    #     vim-indent-guides
    #     UltiSnips
    #     fzfWrapper
    #     ncm2
    #     ncm2-bufword
    #     ncm2-path
    #     ncm2-tmux
    #     ncm2-ultisnips
    #     nvim-yarp
    #     LanguageClient-neovim
    #     Improved-AnsiEsc
    #     tabular
    #     # Nix
    #     vim-addon-nix
    #     tlib
    #     vim-addon-vim2nix
    #     # LaTeX
    #     vim-latex-live-preview
    #     vimtex
    #     # YAML
    #     vim-yaml
    #     # markdown
    #     vim-markdown
    #     vim-markdown-toc
    #     # misc syntax support
    #     vim-bazel
    #     maktaba
    #   ]);
  };
 }
--- a/nix/home-manager/programs/neovim/vimrc
+++ b/nix/home-manager/programs/neovim/vimrc
@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = {
 \ 'dir':  '\v[\/]\.(git|hg|svn)$$',
 \ 'file': '\v\.(exe|so|dll)$$',
 \ }
-let g:ctrlp_max_files=0
+"let g:ctrlp_max_files=0
-let g:ctrlp_max_depth=1000
+"let g:ctrlp_max_depth=1000
 "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' }
 "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict'
--- a/nix/home-manager/programs/obs-studio.nix
+++ b/nix/home-manager/programs/obs-studio.nix
@ -0,0 +1,25 @@
 { pkgs, lib, ... }:
 {
  programs.obs-studio = {
    enable = true;
    plugins =
      builtins.map
        (
          plugin:
          (plugin.overrideAttrs (attrs: {
            meta = lib.mkMerge [
              { inherit (attrs) meta; }
              { meta.platforms = [ pkgs.stdenv.system ]; }
            ];
          }))
        )
        (
          with pkgs.obs-studio-plugins;
          [
            # wlrobs
            obs-backgroundremoval
            obs-pipewire-audio-capture
          ]
        );
  };
 }
--- a/nix/home-manager/programs/openvscode-server.nix
+++ b/nix/home-manager/programs/openvscode-server.nix
@ -0,0 +1,37 @@
 { pkgs, repoFlake, ... }:
 let
  pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
 in
 {
  home.packages = [
    pkgs.nil
    pkgs.nixd
    pkgs.nixfmt-rfc-style
    # TODO: automate linking this
    # 1. get the commit with: `codium --version`
    # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
    # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
    /*
      e.g.:
      ```
      (
        set -e
        export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
        ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
      )
      ```
    */
    (pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
      src = repoFlake.inputs.openvscode-server;
      version = "1.94.2";
      yarnCache = attrs.yarnCache.overrideAttrs (_: {
        outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
      });
    }))
    pkgs.waypipe
  ];
 }
--- a/nix/home-manager/programs/pass.nix
+++ b/nix/home-manager/programs/pass.nix
@ -1,4 +1,5 @@
-{repoFlake, pkgs, ...}: {
+{ repoFlake, pkgs, ... }:
 {
  # required by pass-otp
  # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
  # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
@ -6,7 +7,6 @@
  home.packages = with pkgs; [
    gnupg
    pass
    # broken on wayland
    # rofi-pass
--- a/nix/home-manager/programs/radicale.nix
+++ b/nix/home-manager/programs/radicale.nix
@ -4,7 +4,8 @@
  pkgs,
  osConfig,
  ...
-}: let
+}:
 let
  libdecsync = pkgs.python3Packages.buildPythonPackage rec {
    pname = "libdecsync";
    version = "2.2.1";
@ -38,50 +39,51 @@
      # pkgs.libxcrypt
    ];
-    propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
+    propagatedBuildInputs = [
      libdecsync
      pkgs.python3Packages.setuptools
    ];
  };
  radicale-decsync = pkgs.radicale.overrideAttrs (old: {
-    propagatedBuildInputs =
+    propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ];
      old.propagatedBuildInputs
      ++ [radicale-storage-decsync];
  });
-  mkRadicaleService = {
+  mkRadicaleService =
-    suffix,
+    { suffix, port }:
-    port,
+    let
-  }: let
+      radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
-    radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
+        [server]
-      [server]
+        hosts = localhost:${builtins.toString port}
      hosts = localhost:${builtins.toString port}
-      [auth]
+        [auth]
-      type = htpasswd
+        type = htpasswd
-      htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}
+        htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}
-      htpasswd_encryption = bcrypt
+        htpasswd_encryption = bcrypt
-      [storage]
+        [storage]
-      type = radicale_storage_decsync
+        type = radicale_storage_decsync
-      filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix}
+        filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix}
-      decsync_dir = ${config.xdg.dataHome}/decsync-${suffix}
+        decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix}
-    '';
+      '';
-  in {
+    in
-    systemd.user.services."radicale-${suffix}" = {
+    {
-      Unit.Description = "Radicale with DecSync (${suffix})";
+      systemd.user.services."radicale-${suffix}" = {
-      Service = {
+        Unit.Description = "Radicale with DecSync (${suffix})";
-        ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
+        Service = {
-        Restart = "on-failure";
+          ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
          Restart = "on-failure";
        };
        Install.WantedBy = [ "default.target" ];
      };
      Install.WantedBy = ["default.target"];
    };
  };
 in
-  builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
+builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [
-    {
+  {
-      suffix = "personal";
+    suffix = "personal";
-      port = 5232;
+    port = 5232;
-    }
+  }
-    {
+  {
-      suffix = "family";
+    suffix = "family";
-      port = 5233;
+    port = 5233;
-    }
+  }
-  ]
+]
--- a/nix/home-manager/programs/redshift.nix
+++ b/nix/home-manager/programs/redshift.nix
@ -1,21 +1,26 @@
-{
+_:
-  pkgs,
+let
  config,
  ...
 }: let
  passwords = import ../../variables/passwords.crypt.nix;
-in {
+in
 {
  services.gammastep = {
    enable = true;
    provider = "manual";
    enableVerboseLogging = true;
    inherit (passwords.location.stefan) longitude latitude;
    temperature = {
-      day = 6700;
+      # day = 6700;
      day = 3000;
      night = 3000;
    };
    tray = true;
    settings = {
      general = {
        adjustment-method = "wayland";
      };
      gammastep = {
-        brightness-day = 1.0;
+        # brightness-day = 1.0;
        brightness-day = 0.5;
        brightness-night = 0.5;
      };
    };
--- a/nix/home-manager/programs/salut.nix
+++ b/nix/home-manager/programs/salut.nix
@ -1,18 +1,11 @@
-{
+{ pkgs, packages', ... }:
  pkgs,
  config,
  lib,
  packages',
  ...
 }:
 # useful testing command:
 # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done
 let
-  inherit (import ../lib.nix {}) mkSimpleTrayService;
+  inherit (import ../lib.nix { }) mkSimpleTrayService;
-in {
+in
-  home.packages = [
+{
-    packages'.salut
+  home.packages = [ packages'.salut ];
  ];
  xdg.configFile."salut/config.ini" = {
    enable = true;
@ -34,7 +27,5 @@ in {
    onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
  };
-  systemd.user.services.salut = mkSimpleTrayService {
+  systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; };
    execStart = "${packages'.salut}/bin/salut";
  };
 }
--- a/nix/home-manager/programs/vscode/default.nix
+++ b/nix/home-manager/programs/vscode/default.nix
@ -1,24 +1,132 @@
-{pkgs, ...}: let
+{
-  marketPlaceExtensions =
+  config,
-    pkgs.vscode-utils.extensionsFromVscodeMarketplace [
+  pkgs,
-    ];
+  repoFlake,
-in {
+  lib,
  ...
 }:
 let
  pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
 in
 {
  programs.vscode = {
    enable = true;
-    # package = pkgs.vscodium;
+    package = pkgsVscodium.vscodium;
-    extensions = with pkgs.vscode-extensions;
+    extensions =
      with pkgsVscodium.vscode-extensions;
      [
-        ms-vscode-remote.remote-ssh
+        eamodio.gitlens
        mkhl.direnv
        tomoki1207.pdf
        vscodevim.vim
        # bbenoist.nix
-        # vscodevim.vim
+        jnoortheen.nix-ide
-        # rust-lang.rust-analyzer
+
-        # mkhl.direnv
+        ms-vscode.theme-tomorrowkit
        nonylene.dark-molokai-theme
        ms-python.vscode-pylance
        # TODO: these are not in nixpkgs
        # fredwangwang.vscode-hcl-format
        # hashicorp.hcl
        # mindaro-dev.file-downloader
        # ms-vscode.remote-explorer
        # TODO: not compatible with vscodium
        # ms-vscode-remote.remote-ssh
      ]
-      ++ marketPlaceExtensions;
+      ++ (
        let
          extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system};
        in
        with extensions.vscode-marketplace;
        with extensions.vscode-marketplace-release;
        [
          serayuzgur.crates
          rust-lang.rust-analyzer
          swellaby.vscode-rust-test-adapter
          tamasfe.even-better-toml
          golang.go
          jeff-hykin.better-go-syntax
          blueglassblock.better-json5
          nefrob.vscode-just-syntax
          # fabianlauer.vs-code-xml-format
          bierner.emojisense
        ]
      )
      ++ (
        let
          nix4vscodeToml = pkgs.writeText "nix4vscode.toml" ''
            vscode_version = "${config.programs.vscode.package.version}"
            [[extensions]]
            publisher_name = "FelixZeller"
            extension_name = "markdown-oxide"
            [[extensions]]
            publisher_name = "ibecker"
            extension_name = "treefmt-vscode"
            [[extensions]]
            publisher_name = "AntiAntiSepticeye"
            extension_name = "vscode-color-picker"
            # [[extensions]]
            # publisher_name = "nefrob"
            # extension_name = "vscode-just-syntax"
            [[extensions]]
            publisher_name = "fabianlauer"
            extension_name = "vs-code-xml-format"
          '';
          nix4vscodeNix =
            pkgs.runCommand "nix4vscode.nix"
              {
                # nix4vscode needs internet access
                __noChroot = true;
                requiredSystemFeatures = [ "recursive-nix" ];
                buildInputs = [
                  pkgs.nix
                  pkgs.cacert
                  (pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { })
                  # pkgs.strace
                ];
                # outputHashAlgo = "sha256";
                # outputHashMode = "recursive";
                # outputHash = lib.fakeSha256;
              }
              ''
                # set -x
                # export RUST_BACKTRACE=full
                # export RUST_LOG=trace
                export HOME=$(mktemp -d)
                # strace -ffZyyY
                nix4vscode ${nix4vscodeToml} > $out
              '';
          nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [
            "override"
            "overrideDerivation"
          ];
          nix4vscodeExtensions' = lib.attrsets.mapAttrsToList (
            _: v: builtins.head (builtins.attrValues v)
          ) nix4vscodeExtensions;
        in
        nix4vscodeExtensions'
      );
    mutableExtensionsDir = true;
  };
-  home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra];
+  home.packages = [
    pkgs.nil
    pkgs.nixfmt-rfc-style
  ];
 }
 # TODO: automate
 ### original list:
@ -94,4 +202,3 @@ in {
 # xyz.plsql-language
 # yzane.markdown-pdf
 # zxh404.vscode-proto3
--- a/nix/home-manager/programs/waybar.css
+++ b/nix/home-manager/programs/waybar.css
@ -1,6 +1,5 @@
 #custom-cputemp {
-    padding: 0 10px;
+  padding: 0 10px;
-    background-color: #f0932b;
+  background-color: #f0932b;
-    color: #ffffff;
+  color: #ffffff;
 }
--- a/nix/home-manager/programs/waybar.nix
+++ b/nix/home-manager/programs/waybar.nix
@ -1,9 +1,5 @@
 { pkgs, repoFlake, ... }:
 {
  pkgs,
  config,
  repoFlake,
  ...
 }: {
  home.packages = [
    # required by any bar that has a tray plugin
    pkgs.libappindicator-gtk3
@ -12,17 +8,18 @@
  programs.waybar = {
    enable = true;
-    package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
+    package =
-    style =
+      repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
-      pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+    style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css;
      + pkgs.lib.readFile ./waybar.css;
    systemd.enable = true;
    settings = {
      mainBar = {
        layer = "top";
        position = "bottom";
        height = 30;
-        output = ["*"];
+        output =
          # hide the bar on HEADDLESS displays as i use them only for screensharing
          (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ];
        # output = [
        #   "eDP-1"
        #   "DP-*"
--- a/nix/home-manager/programs/zsh.nix
+++ b/nix/home-manager/programs/zsh.nix
@ -3,27 +3,29 @@
  lib,
  pkgs,
  ...
-}: let
+}:
-  just-plugin = let
+let
-    plugin_file = pkgs.writeText "_just" ''
+  just-plugin =
-      #compdef just
+    let
-      #autload
+      plugin_file = pkgs.writeText "_just" ''
        #compdef just
        #autload
-      alias justl="\just --list"
+        alias justl="\just --list"
-      alias juste="\just --evaluate"
+        alias juste="\just --evaluate"
-      local subcmds=()
+        local subcmds=()
-      while read -r line ; do
+        while read -r line ; do
-         if [[ ! $line == Available* ]] ;
+           if [[ ! $line == Available* ]] ;
-         then
+           then
-            subcmds+=(''${line/[[:space:]]*\#/:})
+              subcmds+=(''${line/[[:space:]]*\#/:})
-         fi
+           fi
-      done < <(just --list)
+        done < <(just --list)
-      _describe 'command' subcmds
+        _describe 'command' subcmds
-    '';
+      '';
-  in
+    in
    pkgs.stdenv.mkDerivation {
      name = "just-completions";
      version = "0.1.0";
@ -35,7 +37,8 @@
        chmod --recursive a-w $out
      '';
    };
-in {
+in
 {
  programs.zsh = {
    enable = true;
@ -46,47 +49,59 @@ in {
    # will be called again by oh-my-zsh
    enableCompletion = false;
    enableAutosuggestions = true;
-    initExtra = let
+    initExtra =
-      inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
+      let
-    in ''
+        inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
-      PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f '
+      in
-      RPROMPT=""
+      ''
        if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
          unset TMPDIR
        fi
-      # Automatic rehash
+        if test ! -n "$TMP" -a -z "$TMP"; then
-      zstyle ':completion:*' rehash true
+          unset TMP
        fi
      if [ -f $HOME/.shrc.d/sh_aliases ]; then
        . $HOME/.shrc.d/sh_aliases
      fi
-      ${
+        PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f '
-        if builtins.hasAttr "homeshick" pkgs
+        RPROMPT=""
        then ''
          source ${pkgs.homeshick}/homeshick.sh
          fpath=(${pkgs.homeshick}/completions $fpath)
        ''
        else ""
      }
-      # Disable intercepting of ctrl-s and ctrl-q as flow control.
+        # Automatic rehash
-      stty stop ''' -ixoff -ixon
+        zstyle ':completion:*' rehash true
-      # don't cd into directories when executed
+        if [ -f $HOME/.shrc.d/sh_aliases ]; then
-      unsetopt AUTO_CD
+          . $HOME/.shrc.d/sh_aliases
        fi
-      # print lines without termination
+        ${
-      setopt PROMPT_CR
+          if builtins.hasAttr "homeshick" pkgs then
-      setopt PROMPT_SP
+            ''
-      export PROMPT_EOL_MARK=""
+              source ${pkgs.homeshick}/homeshick.sh
              fpath=(${pkgs.homeshick}/completions $fpath)
            ''
          else
            ""
        }
-      ${lib.optionalString config.services.gpg-agent.enable ''
+        # Disable intercepting of ctrl-s and ctrl-q as flow control.
-        export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
+        stty stop ''' -ixoff -ixon
      ''}
-      ${lib.optionalString config.programs.neovim.enable ''
+        # don't cd into directories when executed
-        export EDITOR="nvim"
+        unsetopt AUTO_CD
-      ''}
+
-    '';
+        # print lines without termination
        setopt PROMPT_CR
        setopt PROMPT_SP
        export PROMPT_EOL_MARK=""
        ${lib.optionalString config.services.gpg-agent.enable ''
          export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
        ''}
        ${lib.optionalString config.programs.neovim.enable ''
          export EDITOR="nvim"
        ''}
      '';
    plugins = [
      {
@ -119,7 +134,10 @@ in {
    oh-my-zsh = {
      enable = true;
      theme = "tjkirch";
-      plugins = ["git" "sudo"];
+      plugins = [
        "git"
        "sudo"
      ];
    };
  };
 }
--- a/nix/modules/flake-parts/colmena.nix
+++ b/nix/modules/flake-parts/colmena.nix
@ -1,7 +1,8 @@
-{lib, ...}: {
+{ lib, ... }:
 {
  options.flake.colmena = lib.mkOption {
    # type = lib.types.attrsOf lib.types.unspecified;
    type = lib.types.raw;
-    default = {};
+    default = { };
  };
 }
--- a/nix/modules/flake-parts/perSystem/default.nix
+++ b/nix/modules/flake-parts/perSystem/default.nix
@ -1,38 +1,37 @@
 { pkgs, ... }:
 {
  inputs',
  system,
  config,
  lib,
  pkgs,
  ...
 }: {
  packages = {
-    myPython = pkgs.python310.withPackages (ps:
+    myPython = pkgs.python310.withPackages (
      ps:
      with ps;
-        [
+      [
-          pep8
+        pep8
-          yapf
+        yapf
-          flake8
+        flake8
-          # autopep8 (broken)
+        # autopep8 (broken)
-          # pylint (broken)
+        # pylint (broken)
-          ipython
+        ipython
-          llfuse
+        llfuse
-          dugong
+        dugong
-          defusedxml
+        defusedxml
-          wheel
+        wheel
-          pip
+        pip
-          virtualenv
+        virtualenv
-          cffi
+        cffi
-          # pyopenssl
+        # pyopenssl
-          urllib3
+        urllib3
-          # mistune (insecure)
+        # mistune (insecure)
-          sympy
+        sympy
-          flask
+        flask
-          pyaml
+        pyaml
-          requests
+        requests
-        ]
+      ]
-        ++ [pkgs.pypi2nix pkgs.libffi]);
+      ++ [
        pkgs.pypi2nix
        pkgs.libffi
      ]
    );
  };
 }
--- a/nix/os/cachix.nix
+++ b/nix/os/cachix.nix
@ -1,14 +1,12 @@
 # WARN: this file will get overwritten by $ cachix use <name>
-{
+{ lib, ... }:
-  pkgs,
+let
  lib,
  ...
 }: let
  folder = ./cachix;
-  toImport = name: value: folder + ("/" + name);
+  toImport = name: _value: folder + ("/" + name);
  filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
  imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
-in {
+in
 {
  inherit imports;
-  nix.settings.substituters = ["https://cache.nixos.org/"];
+  nix.settings.substituters = [ "https://cache.nixos.org/" ];
 }
--- a/nix/os/cachix/nixpkgs-wayland.nix
+++ b/nix/os/cachix/nixpkgs-wayland.nix
@ -1,8 +1,6 @@
 {
  nix = {
-    settings.substituters = [
+    settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ];
      "https://nixpkgs-wayland.cachix.org"
    ];
    settings.trusted-public-keys = [
      "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
    ];
--- a/nix/os/containers/backup-target.nix
+++ b/nix/os/containers/backup-target.nix
@ -1,87 +0,0 @@
 {
  hostAddress,
  localAddress,
  containerBackupCfg,
  sshPort ? containerBackupCfg.portInt,
  autoStart ? false,
 }: {
  config = {
    config,
    pkgs,
    lib,
    ...
  }: {
    system.stateVersion = "22.05"; # Did you read the comment?
    imports = [../profiles/containers/configuration.nix];
    networking.firewall.enable = false;
    # services.ddclientovh = {
    #   enable = true;
    #   domain = containerBackupCfg.addr;
    # };
    services.openssh.enable = true;
    users.extraUsers."${containerBackupCfg.user}" = {
      uid = 2000;
      group = containerBackupCfg.group;
      shell = pkgs.bashInteractive;
      home = "/${containerBackupCfg.targetPath}";
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNI3H0BRSYOZ/MbTs9J80doJwSd1HymFOP5quNt0J48vxZ5FPVrT2FHpQiNrCcYbCKRsU4X8AiGUHiXC0PapQQ3JDkqp6WZoqBNDx6BI7RadyH1TqVQPlou3pQmCAogzfBInruR53YTDmQqXiPwfM0okPOXgiBNjDfZXOX4+CyUfkmZZwASoicTInqWGkn1sFnh4tyXIkgWflg0njlVmfkVvH71+evvKLYHtoNpVXazkQ0SXbyuW5f3mSta7TNkpC3HbBm+4n+WxYGySrlRLWQhTo+aoWUKk9h5zvECDNpwRtbqzt+bA9nKrdg180ceu8hruwvWNiC6PPA2GW9Z1+VKROviGu1C3dliE/pPCBtK+ZoRVv2CGE+pmAuQsB9Nif9tk5tY6HJhuLNxKYiMfQkiLsDYv6KdZXUIVK/4BIDkZuQNnjhdOQBLnea0ANOhutA9gnjxnsd3UT6ovfazg5gud7n3u4yBtzjTkRrqWZ63eM1NmUVOgMWHQ715pV+hJfOFGqzRBEe3g/p3bWNgpROBYJbG1H8l9DN7emG4FGWsb1HeNFwQ5lS0Zsezb7qzahr4vSmHNugVw7w8ONt5dPbPI9wQnWvkkuHH76P/NYy6OC6lHrN1rXyA1okqdPr06YAZnCot+Pqdgn/ijxgp06J3dtkhin+Q7PoQbGff3ERIw== bkp"
      ];
      packages = with pkgs; [btrfs-progs];
      isSystemUser = true;
    };
    security.sudo = {
      enable = true;
      extraRules = [
        {
          users = ["bkp"];
          commands = [
            {
              command = "/etc/profiles/per-user/bkp/bin/btrfs";
              options = ["NOPASSWD"];
            }
            {
              command = "/run/current-system/sw/bin/readlink";
              options = ["NOPASSWD"];
            }
            {
              command = "/run/current-system/sw/bin/test";
              options = ["NOPASSWD"];
            }
          ];
        }
      ];
    };
  };
  inherit autoStart;
  bindMounts = {
    "/${containerBackupCfg.targetPath}" = {
      hostPath = "/var/lib/container-volumes/backup-target";
      isReadOnly = false;
    };
  };
  extraFlags = ["--resolv-conf=bind-host"];
  privateNetwork = true;
  forwardPorts = [
    {
      # ssh
      containerPort = 22;
      hostPort = sshPort;
      protocol = "tcp";
    }
  ];
  inherit hostAddress localAddress;
 }
--- a/nix/os/containers/backup.nix
+++ b/nix/os/containers/backup.nix
@ -5,88 +5,107 @@
  subvolumes,
  targetPathSuffix ? "",
  autoStart ? false,
-}: let
+}:
 let
  passwords = import ../../variables/passwords.crypt.nix;
  subvolumeParentDir = "/var/lib/container-volumes";
-in {
+in
-  config = {pkgs, ...}: {
+{
-    system.stateVersion = "20.03"; # Did you read the comment?
+  config =
    { pkgs, ... }:
    {
      system.stateVersion = "20.03"; # Did you read the comment?
-    imports = [../profiles/containers/configuration.nix];
+      imports = [ ../profiles/containers/configuration.nix ];
-    environment.systemPackages = with pkgs; [btrfs-progs btrbk];
+      environment.systemPackages = with pkgs; [
        btrfs-progs
        btrbk
      ];
-    networking.firewall.enable = true;
+      networking.firewall.enable = true;
-    systemd.services."bkp-sync" = {
+      systemd.services."bkp-sync" = {
-      enable = true;
+        enable = true;
-      description = "bkp-sync service";
+        description = "bkp-sync service";
-      serviceConfig = {Type = "oneshot";};
+        serviceConfig = {
          Type = "oneshot";
        };
-      after = ["bkp-run.service"];
+        after = [ "bkp-run.service" ];
-      requires = ["bkp-run.service"];
+        requires = [ "bkp-run.service" ];
-      path = with pkgs; [utillinux];
+        path = with pkgs; [ utillinux ];
-      script = ''
+        script = ''
-        set -x
+          set -x
-        true
+          true
      '';
    };
    systemd.services."bkp-run" = {
      enable = true;
      description = "bkp-run";
      serviceConfig = {Type = "oneshot";};
      partOf = ["bkp-sync.service"];
      path = with pkgs; [btrfs-progs btrbk coreutils];
      script = let
        btrbkConf = pkgs.writeText "cfg" ''
          timestamp_format long
          ssh_identity ${passwords.storage.backupTarget.keyPath}
          ssh_user ${passwords.storage.backupTarget.user}
          ssh_compression no
          backend_remote btrfs-progs-sudo
          compat_remote busybox
          btrfs_commit_delete each
          snapshot_create onchange
          snapshot_preserve_min latest
          snapshot_preserve 7d 4w
          target_preserve_min latest
          target_preserve 7d 4w 12m *y
          volume ${subvolumeParentDir}
            target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
          ${builtins.foldl' (sum: elem: sum + "  subvolume " + elem + "\n") ""
            subvolumes}
        '';
-      in ''
+      };
        #! ${pkgs.bash}/bin/bash
        set -Eeuxo pipefail
-        btrbk -c ${btrbkConf} --progress ''${@:-run}
+      systemd.services."bkp-run" = {
-      '';
+        enable = true;
-    };
+        description = "bkp-run";
-    systemd.timers."bkp" = {
+        serviceConfig = {
-      description = "Timer to trigger bkp periodically";
+          Type = "oneshot";
-      enable = true;
+        };
-      wantedBy = ["timer.target" "multi-user.target"];
+
-      timerConfig = {
+        partOf = [ "bkp-sync.service" ];
-        # Obtained using `systemd-analyze calendar "Wed 23:00"`
+
-        # OnCalendar = "Wed *-*-* 23:00:00";
+        path = with pkgs; [
-        OnStartupSec = "1m";
+          btrfs-progs
-        Unit = "bkp-sync.service";
+          btrbk
-        OnUnitInactiveSec = "2h";
+          coreutils
-        Persistent = "true";
+        ];
        script =
          let
            btrbkConf = pkgs.writeText "cfg" ''
              timestamp_format long
              ssh_identity ${passwords.storage.backupTarget.keyPath}
              ssh_user ${passwords.storage.backupTarget.user}
              ssh_compression no
              backend_remote btrfs-progs-sudo
              compat_remote busybox
              btrfs_commit_delete each
              snapshot_create onchange
              snapshot_preserve_min latest
              snapshot_preserve 7d 4w
              target_preserve_min latest
              target_preserve 7d 4w 12m *y
              volume ${subvolumeParentDir}
                target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
              ${builtins.foldl' (sum: elem: sum + "  subvolume " + elem + "\n") "" subvolumes}
            '';
          in
          ''
            #! ${pkgs.bash}/bin/bash
            set -Eeuxo pipefail
            btrbk -c ${btrbkConf} --progress ''${@:-run}
          '';
      };
      systemd.timers."bkp" = {
        description = "Timer to trigger bkp periodically";
        enable = true;
        wantedBy = [
          "timer.target"
          "multi-user.target"
        ];
        timerConfig = {
          # Obtained using `systemd-analyze calendar "Wed 23:00"`
          # OnCalendar = "Wed *-*-* 23:00:00";
          OnStartupSec = "1m";
          Unit = "bkp-sync.service";
          OnUnitInactiveSec = "2h";
          Persistent = "true";
        };
      };
    };
  };
  inherit autoStart;
@ -114,10 +133,10 @@ in {
    }
  ];
-  extraFlags = ["--resolv-conf=bind-host"];
+  extraFlags = [ "--resolv-conf=bind-host" ];
  privateNetwork = true;
-  forwardPorts = [];
+  forwardPorts = [ ];
  inherit hostAddress localAddress;
 }
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@ -1,195 +1,211 @@
 {
-  repoFlake,
+  specialArgs,
  hostBridge,
  hostAddress,
  localAddress,
  imapsPort ? 993,
  sievePort ? 4190,
  autoStart ? false,
-}: {
+}:
-  config = {
+{
-    pkgs,
+  inherit specialArgs;
-    config,
+  config =
-    lib,
+    {
-    ...
+      pkgs,
-  }: {
+      config,
-    system.stateVersion = "21.11"; # Did you read the comment?
+      repoFlake,
      ...
    }:
    {
      system.stateVersion = "22.05"; # Did you read the comment?
-    imports = [
+      imports = [
-      ../profiles/containers/configuration.nix
+        ../profiles/containers/configuration.nix
-      repoFlake.inputs.sops-nix.nixosModules.sops
+        repoFlake.inputs.sops-nix.nixosModules.sops
-      ../profiles/common/user.nix
+        ../profiles/common/user.nix
-    ];
+      ];
-    # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
+      networking.firewall.allowedTCPPorts = [
-    # sops.defaultSopsFile = ./mailserver_secrets.yaml;
+        imapsPort
        sievePort
      ];
-    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+      # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
-    sops.secrets.email_mailStefanjunkerDe = {
+      # sops.defaultSopsFile = ./mailserver_secrets.yaml;
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.steveej.name;
    };
    sops.secrets.email_mailStefanjunkerDeHetzner = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.steveej.name;
    };
    sops.secrets.email_schtifATwebDe = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.steveej.name;
    };
    sops.secrets.email_dovecot_steveej = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.dovecot2.name;
    };
-    # TODO: switch to something other than ddclient as it's no longer maintained
+      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      sops.secrets.email_mailStefanjunkerDe = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.steveej.name;
      };
      sops.secrets.email_mailStefanjunkerDeHetzner = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.steveej.name;
      };
      sops.secrets.email_schtifATwebDe = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.steveej.name;
      };
      sops.secrets.email_dovecot_steveej = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.dovecot2.name;
      };
-    # TODO: switch to a let's encrypt certificate
+      # TODO: switch to something other than ddclient as it's no longer maintained
    sops.secrets.dovecotSslServerCert = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.dovecot2.name;
    };
    sops.secrets.dovecotSslServerKey = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.dovecot2.name;
    };
    services.dovecot2 = {
      enable = true;
-      modules = [pkgs.dovecot_pigeonhole];
+      # TODO: switch to a let's encrypt certificate
-      protocols = ["sieve"];
+      sops.secrets.dovecotSslServerCert = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.dovecot2.name;
      };
      sops.secrets.dovecotSslServerKey = {
        sopsFile = ./mailserver_secrets.yaml;
        owner = config.users.users.dovecot2.name;
      };
      services.dovecot2 = {
        enable = true;
-      enableImap = true;
+        modules = [ pkgs.dovecot_pigeonhole ];
-      enableLmtp = true;
+        protocols = [ "sieve" ];
      enablePAM = true;
      showPAMFailure = true;
      mailLocation = "maildir:~/.maildir";
      sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
      sslServerKey = config.sops.secrets.dovecotSslServerKey.path;
-      #configFile = "/etc/dovecot/dovecot2_manual.conf";
+        enableImap = true;
-      extraConfig = ''
+        enableLmtp = true;
-        auth_mechanisms = cram-md5 digest-md5
+        enablePAM = true;
-        auth_verbose = yes
+        showPAMFailure = true;
        mailLocation = "maildir:~/.maildir";
        sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
        sslServerKey = config.sops.secrets.dovecotSslServerKey.path;
-        passdb {
+        #configFile = "/etc/dovecot/dovecot2_manual.conf";
-          driver = passwd-file
+        extraConfig = ''
-          args = scheme=CRYPT username_format=%u /etc/dovecot/users
+          auth_mechanisms = cram-md5 digest-md5
-        }
+          auth_verbose = yes
-        protocol lda {
+          passdb {
-          postmaster_address = "mail@stefanjunker.de"
+            driver = passwd-file
-          mail_plugins = $mail_plugins sieve
+            args = scheme=CRYPT username_format=%u /etc/dovecot/users
-        }
+          }
-        protocol imap {
+          protocol lda {
-          mail_max_userip_connections = 64
+            postmaster_address = "mail@stefanjunker.de"
-        }
+            mail_plugins = $mail_plugins sieve
-      '';
+          }
    };
-    environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
+          protocol imap {
-
+            mail_max_userip_connections = 64
-    systemd.services.steveej-getmail-stefanjunker = {
+          }
      enable = true;
      wantedBy = ["multi-user.target"];
      serviceConfig.User = "steveej";
      serviceConfig.Group = "dovecot2";
      serviceConfig.RestartSec = 600;
      serviceConfig.Restart = "always";
      description = "Getmail service";
      path = [pkgs.getmail6];
      script = let
        rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
          [options]
          verbose = 1
          read_all = 0
          delete_after = 30
          [retriever]
          type = SimpleIMAPSSLRetriever
          server = ssl0.ovh.net
          port = 993
          username = mail@stefanjunker.de
          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
          mailboxes = ('INBOX',)
          [destination]
          type = MDA_external
          path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
        '';
-      in ''
+      };
-        getmail --idle=INBOX --rcfile=${rc}
+
-      '';
+      environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
      systemd.services.steveej-getmail-stefanjunker = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        serviceConfig.User = "steveej";
        serviceConfig.Group = "dovecot2";
        serviceConfig.RestartSec = 600;
        serviceConfig.Restart = "always";
        description = "Getmail service";
        path = [ pkgs.getmail6 ];
        script =
          let
            rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
              [options]
              verbose = 1
              read_all = 0
              delete_after = 30
              [retriever]
              type = SimpleIMAPSSLRetriever
              server = ssl0.ovh.net
              port = 993
              username = mail@stefanjunker.de
              password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
              mailboxes = ('INBOX',)
              [destination]
              type = MDA_external
              path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
            '';
          in
          ''
            getmail --idle=INBOX --rcfile=${rc}
          '';
      };
      systemd.services.steveej-getmail-stefanjunker-hetzner = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        serviceConfig.User = "steveej";
        serviceConfig.Group = "dovecot2";
        serviceConfig.RestartSec = 60;
        serviceConfig.Restart = "always";
        description = "Getmail service";
        path = [ pkgs.getmail6 ];
        script =
          let
            rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
              [options]
              verbose = 2
              read_all = 0
              delete_after = 30
              [retriever]
              type = SimpleIMAPSSLRetriever
              server = mail.your-server.de
              port = 993
              username = mail@stefanjunker.de
              password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}")
              mailboxes = ('INBOX',)
              [destination]
              type = MDA_external
              path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
            '';
          in
          ''
            getmail --rcfile=${rc} --idle=INBOX
          '';
      };
      systemd.services.steveej-getmail-webde = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        serviceConfig.User = "steveej";
        serviceConfig.Group = "dovecot2";
        description = "Getmail service";
        path = [ pkgs.getmail6 ];
        serviceConfig.RestartSec = 1000;
        serviceConfig.Restart = "always";
        script =
          let
            rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
              [options]
              verbose = 1
              read_all = 0
              delete_after = 30
              [retriever]
              type = SimpleIMAPSSLRetriever
              server = imap.web.de
              port = 993
              username = schtif
              password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
              mailboxes = ('INBOX',)
              [destination]
              type = Maildir
              path = ~/.maildir/
            '';
          in
          ''
            getmail --rcfile=${rc} --idle=INBOX
          '';
      };
    };
    systemd.services.steveej-getmail-stefanjunker-hetzner = {
      enable = true;
      wantedBy = ["multi-user.target"];
      serviceConfig.User = "steveej";
      serviceConfig.Group = "dovecot2";
      serviceConfig.RestartSec = 60;
      serviceConfig.Restart = "always";
      description = "Getmail service";
      path = [pkgs.getmail6];
      script = let
        rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
          [options]
          verbose = 2
          read_all = 0
          delete_after = 30
          [retriever]
          type = SimpleIMAPSSLRetriever
          server = mail.your-server.de
          port = 993
          username = mail@stefanjunker.de
          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}")
          mailboxes = ('INBOX',)
          [destination]
          type = MDA_external
          path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
        '';
      in ''
        getmail --rcfile=${rc} --idle=INBOX
      '';
    };
    systemd.services.steveej-getmail-webde = {
      enable = true;
      wantedBy = ["multi-user.target"];
      serviceConfig.User = "steveej";
      serviceConfig.Group = "dovecot2";
      description = "Getmail service";
      path = [pkgs.getmail6];
      serviceConfig.RestartSec = 1000;
      serviceConfig.Restart = "always";
      script = let
        rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
          [options]
          verbose = 1
          read_all = 0
          delete_after = 30
          [retriever]
          type = SimpleIMAPSSLRetriever
          server = imap.web.de
          port = 993
          username = schtif
          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
          mailboxes = ('INBOX',)
          [destination]
          type = Maildir
          path = ~/.maildir/
        '';
      in ''
        getmail --rcfile=${rc} --idle=INBOX
      '';
    };
  };
  inherit autoStart;
  bindMounts = {
@ -203,8 +219,6 @@
    };
  };
  # extraFlags = ["--resolv-conf=bind-host"];
  privateNetwork = true;
  forwardPorts = [
    {
@ -222,5 +236,5 @@
    }
  ];
-  inherit hostAddress localAddress;
+  inherit hostBridge hostAddress localAddress;
 }
--- a/nix/os/containers/mailserver_secrets.yaml
+++ b/nix/os/containers/mailserver_secrets.yaml
@ -7,37 +7,37 @@ dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2r
 dovecotSslServerKey: ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40ycoJAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str]
 hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str]
 sops:
-    kms: []
+  kms: []
-    gcp_kms: []
+  gcp_kms: []
-    azure_kv: []
+  azure_kv: []
-    hc_vault: []
+  hc_vault: []
-    age:
+  age:
-        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+    - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn
-            R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2
+        R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2
-            dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj
+        dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj
-            bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
+        bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
-            T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
+        T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-17T12:01:21Z"
+  lastmodified: "2023-07-17T12:01:21Z"
-    mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str]
+  mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str]
-    pgp:
+  pgp:
-        - created_at: "2023-07-02T20:30:30Z"
+    - created_at: "2023-07-02T20:30:30Z"
-          enc: |-
+      enc: |-
-            -----BEGIN PGP MESSAGE-----
+        -----BEGIN PGP MESSAGE-----
-            wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds
+        wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds
-            0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf
+        0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf
-            SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb
+        SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb
-            5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc
+        5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc
-            Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc
+        Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc
-            RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx
+        RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx
-            44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5
+        44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5
-            uGcEfsNiUXPngkNrh/Nvhh9w
+        uGcEfsNiUXPngkNrh/Nvhh9w
-            =yHDZ
+        =yHDZ
-            -----END PGP MESSAGE-----
+        -----END PGP MESSAGE-----
-          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+      fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
-    unencrypted_suffix: _unencrypted
+  unencrypted_suffix: _unencrypted
-    version: 3.7.3
+  version: 3.7.3
--- a/nix/os/containers/mycelium/flake.lock
+++ b/nix/os/containers/mycelium/flake.lock
@ -0,0 +1,124 @@
 {
  "nodes": {
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
          "nix-snapshotter",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1704152458,
        "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "nix-snapshotter": {
      "inputs": {
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1723875769,
        "narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=",
        "owner": "pdtpartners",
        "repo": "nix-snapshotter",
        "rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da",
        "type": "github"
      },
      "original": {
        "owner": "pdtpartners",
        "repo": "nix-snapshotter",
        "type": "github"
      }
    },
    "nixlib": {
      "locked": {
        "lastModified": 1728781282,
        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixos-generators": {
      "inputs": {
        "nixlib": "nixlib",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1728867876,
        "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
        "owner": "nix-community",
        "repo": "nixos-generators",
        "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixos-generators",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1728897630,
        "narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nix-snapshotter": "nix-snapshotter",
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/nix/os/containers/mycelium/flake.nix
+++ b/nix/os/containers/mycelium/flake.nix
@ -0,0 +1,371 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
    # nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9";
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-snapshotter = {
      url = "github:pdtpartners/nix-snapshotter";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs =
    { self, nixpkgs, ... }:
    let
      systems = [
        "aarch64-linux"
        "x86_64-linux"
      ];
      forAllSystems = nixpkgs.lib.genAttrs systems;
    in
    {
      nixosConfigurations.default = nixpkgs.lib.nixosSystem {
        system = "aarch64-linux";
        specialArgs = { };
        modules = [
          (
            {
              config,
              modulesPath,
              pkgs,
              lib,
              ...
            }:
            {
              nixpkgs.overlays = [
                (_final: _previous: {
                  # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
                  # systemd =
                  # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: {
                  #   src = /home/steveej/src/others/systemd;
                  #   withAppArmor = false;
                  #   withRepart = false;
                  #   withHomed = false;
                  #   withAcl = false;
                  #   withEfi = false;
                  #   withBootloader = false;
                  #   withCryptsetup = false;
                  #   withLibBPF = false;
                  #   withOomd = false;
                  #   withFido2 = false;
                  #   withApparmor = false;
                  #   withDocumentation = false;
                  #   withUtmp = false;
                  #   withQrencode = false;
                  #   withVmspawn = false;
                  #   withMachined = false;
                  #   withLogTrace = true;
                  #   withArchive = false;
                  #   # don't need these but cause errors for exampel files not found
                  #   # withLogind = false;
                  # })
                  # pkgs.systemdMinimal.override {
                  #   # getting errors with these disabled
                  #   withCoredump = true;
                  #   withCompression = true;
                  #   withLogind = true;
                  #   withSysusers = true;
                  #   withUserDb = true;
                  # }
                  # pkgs.systemdMinimal
                  # pkgs.systemd.override {
                  #   withRepart = false;
                  #   withHomed = false;
                  #   withAcl = false;
                  #   withEfi = false;
                  #   withBootloader = false;
                  #   withCryptsetup = false;
                  #   withLibBPF = false;
                  #   withOomd = false;
                  #   withFido2 = false;
                  #   withApparmor = false;
                  #   withDocumentation = false;
                  #   withUtmp = false;
                  #   withQrencode = false;
                  #   withVmspawn = false;
                  #   withMachined = false;
                  #   withLogTrace = true;
                  #   # don't need these but cause errors for exampel files not found
                  #   # withLogind = false;
                  # }
                  # ;
                })
              ];
              imports = [ (modulesPath + "/profiles/minimal.nix") ];
              system.stateVersion = "24.11";
              # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
              boot.isContainer = true;
              # boot.tmp.useTmpfs = true;
              boot.loader.grub.enable = lib.mkForce false;
              boot.loader.systemd-boot.enable = lib.mkForce false;
              services.journald.console = "/dev/console";
              services.journald.storage = "none";
              # boot.specialFileSystems = lib.mkForce {};
              services.nscd.enable = false;
              system.nssModules = lib.mkForce [ ];
              systemd.services.systemd-logind.enable = false;
              systemd.services.console-getty.enable = false;
              systemd.sockets.nix-daemon.enable = false;
              systemd.services.nix-daemon.enable = false;
              systemd.oomd.enable = false;
              networking.useDHCP = false;
              networking.firewall.enable = false;
              # system.build.earlyMountScript =
              #   lib.mkForce ''
              #   '';
              # system.activationScripts.specialfs =
              #   lib.mkForce ''
              #   '';
              boot.postBootCommands = ''
                ls -lha /run
                mkdir -p /run/wrappers
              '';
              boot.kernelParams = [ "systemd.log_level=debug" ];
              # services.udev.enable = false;
              # TODO: this is only needed because `/run/current-system` is missing
              # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
              systemd.mounts = lib.mkForce [ ];
              fileSystems = lib.mkForce { };
              services.mycelium.enable = false;
              services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
              systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
              systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
              systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (
                pkgs.writeShellScript "mycelium" ''
                  while true; do
                    ls -lha $CREDENTIALS_DIRECTORY
                    sleep 5
                  done
                ''
              );
              systemd.services.testing-credentials = {
                wantedBy = [ "multi-user.target" ];
                path = [ pkgs.coreutils ];
                serviceConfig = {
                  # SyslogIdentifier = "testing-credentials";
                  # StateDirectory = "testing-credentials";
                  # DynamicUser = true;
                  # User = "tc";
                  # ProtectHome = true;
                  # ProtectSystem = true;
                  # LoadCredential = [
                  #   "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
                  #   "hosts:/etc/hosts"
                  # ];
                  SetCredential = "mycelium-keyfile:not secret string";
                  ExecStart = lib.mkForce (
                    pkgs.writeShellScript "mycelium" ''
                      cd $STATE_DIRECTORY
                      pwd
                      env
                      while true; do
                        ls -lha $CREDENTIALS_DIRECTORY
                        sleep 5
                      done
                    ''
                  );
                };
              };
              services.caddy = {
                enable = true;
                globalConfig = ''
                  auto_https off
                '';
                virtualHosts.":80" = {
                  extraConfig = ''
                    respond "hello from ${config.networking.hostName}"
                  '';
                };
              };
            }
          )
        ];
      };
      packages = forAllSystems (
        system:
        let
          name = "mycelium";
          inherit (self.inputs) nix-snapshotter;
          config = {
            entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
            # port = 2379;
            args = [ ];
            # nodePort = 30001;
          };
          myceliumPorts = {
            tcp = [ 9651 ];
            udp = [
              9650
              9651
            ];
          };
          inherit (config)
            entrypoint
            # port
            args
            # nodePort
            ;
          pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; };
          image = pkgs.nix-snapshotter.buildImage {
            inherit name;
            resolvedByNix = true;
            config = {
              entrypoint = [ entrypoint ];
              env = [
                # this is read by the `/init` script and prevents various incompatible commands like mount, etc.
                # the value of this doesn't seem to matter as long as it's not an empty string.
                "container=nerd"
                "SYSTEMD_LOG_LEVEL=debug"
              ];
              volumes = {
                # "/var/lib/private/mycelium/key.bin" = {};
                # "/run" = {};
                # "/tmp" = {};
                # "/etc" = {};
              };
              copyToRoot = [
                # self.nixosConfigurations.default.config.system.build.toplevel
              ];
            };
          };
        in
        {
          k8s =
            let
              pod = pkgs.writeText "${name}-pod.json" (
                builtins.toJSON {
                  apiVersion = "v1";
                  kind = "Pod";
                  metadata = {
                    inherit name;
                    labels = {
                      inherit name;
                    };
                  };
                  spec.containers = [
                    {
                      inherit name args;
                      image = "nix:0${image}";
                      ports = [
                        {
                          name = "mycelium-tcp-0";
                          containerPort = builtins.elemAt myceliumPorts.tcp 0;
                        }
                        {
                          name = "mycelium-udp-0";
                          protocol = "UDP";
                          containerPort = builtins.elemAt myceliumPorts.udp 0;
                        }
                        {
                          name = "mycelium-udp-1";
                          protocol = "UDP";
                          containerPort = builtins.elemAt myceliumPorts.udp 1;
                        }
                      ];
                    }
                  ];
                }
              );
              service = pkgs.writeText "${name}-service.json" (
                builtins.toJSON {
                  apiVersion = "v1";
                  kind = "Service";
                  metadata.name = "${name}-service";
                  spec = {
                    type = "NodePort";
                    selector = {
                      inherit name;
                    };
                    ports = [
                      {
                        name = "mycelium-tcp-0";
                        port = builtins.elemAt myceliumPorts.tcp 0 + 50000;
                        targetPort = "mycelium-tcp-0";
                      }
                      {
                        name = "mycelium-udp-0";
                        protocol = "UDP";
                        port = builtins.elemAt myceliumPorts.udp 0 + 50000;
                        targetPort = "mycelium-udp-0";
                      }
                      {
                        name = "mycelium-udp-1";
                        protocol = "UDP";
                        port = builtins.elemAt myceliumPorts.udp 1 + 50000;
                        targetPort = "mycelium-udp-1";
                      }
                    ];
                  };
                }
              );
            in
            pkgs.runCommand "declarative-k8s" { } ''
              mkdir -p $out/share/k8s
              cp ${pod} $out/share/k8s/
              cp ${service} $out/share/k8s/
            '';
          inherit image;
          start = pkgs.writeShellApplication {
            name = "start";
            text = ''
              set -x
              rm -rf ./result
              nix build --impure .#image
              sudo nix2container load ./result
              sudo -E nerdctl run  --name ${name} --privileged -dt \
                --cgroup-manager cgroupfs \
                --volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \
                "nix:0$(readlink result):latest"
            '';
          };
          stop = pkgs.writeShellApplication {
            name = "stop";
            text = ''
              set +e
              sudo -E nerdctl stop -t 60 ${name}
              sudo -E nerdctl rm --force ${name}
              sudo -E nerdctl system prune --all --force
              sudo systemctl stop nix-snapshotter
              sudo systemctl stop containerd
              mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l
              sudo systemctl start containerd
              sudo systemctl start nix-snapshotter
            '';
            # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap)
            # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
          };
        }
      );
    };
 }
--- a/nix/os/containers/syncthing.nix
+++ b/nix/os/containers/syncthing.nix
@ -1,31 +1,81 @@
 {
  specialArgs,
  hostBridge,
  hostAddress,
  localAddress,
  syncthingPort ? 22000,
  syncthingLocalAnnouncePort ? 21027,
  smbTcpPort ? 445,
  autoStart ? false,
-}: {
+}:
-  config = {
+{
-    config,
+  inherit specialArgs;
-    pkgs,
+  config =
-    ...
+    { ... }:
-  }: {
+    {
-    system.stateVersion = "20.05"; # Did you read the comment?
+      system.stateVersion = "20.05"; # Did you read the comment?
-    imports = [../profiles/containers/configuration.nix];
+      imports = [ ../profiles/containers/configuration.nix ];
-    networking.firewall.enable = true;
+      networking.firewall.allowedTCPPorts = [
-    networking.firewall.allowedTCPPorts = [
+        # syncthing gui
-      # syncthing gui
+        8384
-      8384
+      ];
    ];
-    services.syncthing = {
+      services.syncthing = {
-      enable = true;
+        enable = true;
-      openDefaultPorts = true;
+        openDefaultPorts = true;
-      guiAddress = "0.0.0.0:8384";
+        guiAddress = "0.0.0.0:8384";
      };
      services.samba = {
        enable = true;
        securityType = "user";
        openFirewall = true;
        settings = {
          global = {
            "workgroup" = "DMZ";
            "server string" = "syncthing";
            "netbios name" = "syncthing";
            "security" = "user";
            #"use sendfile" = "yes";
            #"max protocol" = "smb2";
            # note: localhost is the ipv6 localhost ::1
            "hosts allow" = "192.168.23. 127.0.0.1 localhost";
            "hosts deny" = "0.0.0.0/0";
            "guest account" = "nobody";
            "map to guest" = "bad user";
          };
          "scan-stefan" = {
            "path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan";
            "browseable" = "yes";
            "read only" = "no";
            "guest ok" = "no";
            "create mask" = "0644";
            "directory mask" = "0755";
            "force user" = "syncthing";
            "force group" = "syncthing";
          };
          "scan-justyna" = {
            "path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna";
            "browseable" = "yes";
            "read only" = "no";
            "guest ok" = "no";
            "create mask" = "0644";
            "directory mask" = "0755";
            "force user" = "syncthing";
            "force group" = "syncthing";
          };
        };
      };
      # TODO: find out if smbpasswd file is still used and set it here. or find an alternative
      # sops.secrets.smbpasswd = {
      # };
      # environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text;
    };
  };
  inherit autoStart;
@ -36,8 +86,6 @@
    };
  };
  extraFlags = ["--resolv-conf=bind-host"];
  privateNetwork = true;
  forwardPorts = [
    {
@ -55,7 +103,12 @@
      hostPort = syncthingLocalAnnouncePort;
      protocol = "udp";
    }
    {
      containerPort = 445;
      hostPort = smbTcpPort;
      protocol = "tcp";
    }
  ];
-  inherit hostAddress localAddress;
+  inherit hostBridge hostAddress localAddress;
 }
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -1,226 +1,426 @@
 {
-  repoFlake,
+  specialArgs,
  hostBridge,
  hostAddress,
  localAddress,
-  httpPort ? 80,
+  httpPort,
-  httpsPort ? 443,
+  httpsPort,
  forgejoSshPort,
  autoStart ? false,
-}: let
+}:
 let
  domain = "www.stefanjunker.de";
-in {
+in
-  config = {
+{
-    config,
+  inherit specialArgs;
-    pkgs,
+  config =
-    lib,
+    {
-    ...
+      config,
-  }: {
+      pkgs,
-    system.stateVersion = "22.05"; # Did you read the comment?
+      lib,
      repoFlake,
      nodeFlake,
      system,
      ...
    }:
    let
      nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable;
    in
    {
      system.stateVersion = "22.05"; # Did you read the comment?
-    imports = [
+      disabledModules = [
-      ../profiles/containers/configuration.nix
+        "services/misc/forgejo.nix"
        "services/security/kanidm.nix"
      ];
-      repoFlake.inputs.sops-nix.nixosModules.sops
+      imports = [
-    ];
+        "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
        "${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"
-    networking.firewall.enable = false;
+        ../profiles/containers/configuration.nix
-    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+        repoFlake.inputs.sops-nix.nixosModules.sops
-    sops.secrets.hedgedoc_environment_file = {
+      ];
      sopsFile = ./webserver_secrets.yaml;
      owner = config.users.users.hedgedoc.name;
    };
-    services.caddy = {
+      sops.defaultSopsFile = ./webserver_secrets.yaml;
      enable = true;
      virtualHosts."${domain}" = {
        extraConfig = let
          port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
          path = "${config.services.authelia.instances.default.settings.server.path}";
        in ''
          redir /hedgedoc* https://hedgedoc.${domain}
-          file_server /*/* {
+      networking.firewall.allowedTCPPorts = [
-            browse
+        httpPort
-            root /var/www/stefanjunker.de/htdocs/caddy
+        httpsPort
-            pass_thru
+        forgejoSshPort
-          }
+      ];
-          # respond "Hi"
+      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-          # respond (not /*/*) "Hi"
+      sops.secrets.hedgedoc_environment_file = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.hedgedoc.name;
      };
      services.caddy = {
        enable = true;
        logFormat = ''
          level ERROR
        '';
-      };
+        virtualHosts."${domain}" = {
          extraConfig = ''
            redir /hedgedoc* https://hedgedoc.${domain}
-      virtualHosts."hedgedoc.${domain}" = {
+            file_server /*/* {
-        extraConfig = ''
+              browse
-          reverse_proxy http://[::1]:3000
+              root /var/www/stefanjunker.de/htdocs/caddy
-        '';
+              pass_thru
-      };
+            }
-      virtualHosts."authelia.${domain}" = {
+            # respond "Hi"
-        extraConfig = ''
+            # respond (not /*/*) "Hi"
-          reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
+          '';
        '';
      };
      virtualHosts."lldap.${domain}" = {
        extraConfig = ''
          reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
        '';
      };
    };
    services.hedgedoc = {
      enable = true;
      settings = {
        domain = "hedgedoc.${domain}";
        urlPath = "";
        protocolUseSSL = true;
        db = {
          dialect = "sqlite";
          storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
        };
-        allowAnonymous = false;
+        virtualHosts."hedgedoc.${domain}" = {
-        allowAnonymousEdits = false;
+          extraConfig = ''
-        allowGravatar = false;
+            reverse_proxy http://[::1]:3000
-        allowFreeURL = false;
+          '';
        defaultPermission = "private";
        allowEmailRegister = false;
        email = false;
        ldap = {
          url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
          bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
          # these are set via the `environmentFile`
          bindCredentials = "$LDAP_ADMIN_PASSWORD";
          searchBase = "ou=people,dc=stefanjunker,dc=de";
          searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
          useridField = "uid";
        };
-        uploadsPath = "/var/lib/hedgedoc/uploads";
+        virtualHosts."authelia.${domain}" = {
-      };
+          extraConfig = ''
-
+            reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
-      environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
+          '';
    };
    services.jitsi-meet = {
      enable = false;
      hostName = "meet.${domain}";
      config = {
        prejoinPageEnabled = true;
      };
      caddy.enable = true;
      nginx.enable = false;
    };
    sops.secrets.authelia_storageEncryptionKey = {
      sopsFile = ./webserver_secrets.yaml;
      owner = config.users.users.authelia-default.name;
    };
    sops.secrets.authelia_jwtSecret = {
      sopsFile = ./webserver_secrets.yaml;
      owner = config.users.users.authelia-default.name;
    };
    services.authelia.instances.default = let
      baseDir = "/var/lib/authelia-default";
    in {
      enable = true;
      secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
      secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
      settings = {
        theme = "auto";
        default_2fa_method = "totp";
        log.level = "debug";
        server = {
          disable_healthcheck = true;
          host = "127.0.0.1";
          port = 9091;
          # path = "authelia";
        };
-        storage = {
+        virtualHosts."lldap.${domain}" = {
-          local.path = "${baseDir}/authelia.sqlite";
+          extraConfig = ''
            reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
          '';
        };
-        authentication_backend = {
+        virtualHosts."forgejo.${domain}" = {
-          file.path = "${baseDir}/first_factor.yaml";
+          extraConfig = ''
-          file.search.email = true;
+            reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
-          file.search.case_insensitive = false;
+          '';
        };
-        access_control = {
+        virtualHosts."kanidm.${domain}" = {
-          default_policy = "one_factor";
+          extraConfig = ''
-        };
+            reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
-
+              transport http {
-        session.domain = "stefanjunker.de";
+                  tls_server_name ${config.services.kanidm.serverSettings.domain}
-
+              }
-        notifier = {
+            }
-          disable_startup_check = true;
+          '';
          filesystem.filename = "${baseDir}/notification.txt";
        };
      };
    };
-    users.groups.lldap = {};
+      services.hedgedoc = {
-    users.users.lldap = {
+        enable = true;
-      isSystemUser = true;
+        settings = {
-      group = "lldap";
+          domain = "hedgedoc.${domain}";
-    };
+          urlPath = "";
          protocolUseSSL = true;
          db = {
            dialect = "sqlite";
            storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
          };
-    sops.secrets.lldap_jwtSecret = {
+          allowAnonymous = false;
-      sopsFile = ./webserver_secrets.yaml;
+          allowAnonymousEdits = false;
-      owner = config.users.users.lldap.name;
+          allowGravatar = false;
-    };
+          allowFreeURL = false;
          defaultPermission = "private";
-    sops.secrets.lldap_adminPassword = {
+          allowEmailRegister = false;
-      sopsFile = ./webserver_secrets.yaml;
+          email = false;
      owner = config.users.users.lldap.name;
    };
-    sops.secrets.lldap_environmentFile = {
+          ldap = {
-      sopsFile = ./webserver_secrets.yaml;
+            url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
-      owner = config.users.users.lldap.name;
+            bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
-    };
+            # these are set via the `environmentFile`
            # bindCredentials = "$LDAP_ADMIN_PASSWORD";
            searchBase = "ou=people,dc=stefanjunker,dc=de";
            searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
            useridField = "uid";
          };
-    services.lldap = {
+          oauth2 =
-      enable = true;
+            let
-      environment = {
+              originURL = config.services.kanidm.serverSettings.origin;
-        LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
+            in
-        LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
+            {
-      };
+              providerName = "kanidm (${originURL})";
      environmentFile = config.sops.secrets.lldap_environmentFile.path;
-      settings = {
+              authorizationURL = "${originURL}/ui/oauth2";
-        verbose = true;
+              tokenURL = "${originURL}/oauth2/token";
              userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
-        ldap_base_dn = "dc=stefanjunker,dc=de";
+              scope = "openid email profile";
-        http_url = "https://lldap.${domain}";
+              # rolesClaim = "roles";
              # accessRole = "role/hedgedoc";
-        ## Options to configure SMTP parameters, to send password reset emails.
+              userProfileUsernameAttr = "name";
-        ## To set these options from environment variables, use the following format
+              userProfileDisplayNameAttr = "displayname";
-        ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
+              userProfileEmailAttr = "email";
        smtp_options = {
          ## Whether to enabled password reset via email, from LLDAP.
          enable_password_reset = true;
-          # port = 465;
+              clientID = "hedgedoc";
-          ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
+              # set via the `environmentFile`
-          # smtp_encryption = "TLS";
+              # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
            };
          uploadsPath = "/var/lib/hedgedoc/uploads";
        };
-        # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
+        environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
      };
    };
-    systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
+      services.jitsi-meet = {
-    systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
+        enable = false;
-    systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
+        hostName = "meet.${domain}";
-  };
+        config = {
          prejoinPageEnabled = true;
        };
        caddy.enable = true;
        nginx.enable = false;
      };
      sops.secrets.authelia_storageEncryptionKey = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.authelia-default.name;
      };
      sops.secrets.authelia_jwtSecret = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.authelia-default.name;
      };
      services.authelia.instances.default =
        let
          baseDir = "/var/lib/authelia-default";
        in
        {
          enable = true;
          secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
          secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
          settings = {
            theme = "auto";
            default_2fa_method = "totp";
            log.level = "debug";
            server = {
              disable_healthcheck = true;
              host = "127.0.0.1";
              port = 9091;
              # path = "authelia";
            };
            storage = {
              local.path = "${baseDir}/authelia.sqlite";
            };
            authentication_backend = {
              file.path = "${baseDir}/first_factor.yaml";
              file.search.email = true;
              file.search.case_insensitive = false;
            };
            access_control = {
              default_policy = "one_factor";
            };
            session.domain = "stefanjunker.de";
            notifier = {
              disable_startup_check = true;
              filesystem.filename = "${baseDir}/notification.txt";
            };
          };
        };
      users.groups.lldap = { };
      users.users.lldap = {
        isSystemUser = true;
        group = "lldap";
      };
      sops.secrets.lldap_jwtSecret = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.lldap.name;
      };
      sops.secrets.lldap_adminPassword = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.lldap.name;
      };
      sops.secrets.lldap_environmentFile = {
        sopsFile = ./webserver_secrets.yaml;
        owner = config.users.users.lldap.name;
      };
      services.lldap = {
        enable = true;
        environment = {
          LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
          LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
        };
        environmentFile = config.sops.secrets.lldap_environmentFile.path;
        settings = {
          verbose = true;
          ldap_base_dn = "dc=stefanjunker,dc=de";
          http_url = "https://lldap.${domain}";
          ## Options to configure SMTP parameters, to send password reset emails.
          ## To set these options from environment variables, use the following format
          ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
          smtp_options = {
            ## Whether to enabled password reset via email, from LLDAP.
            enable_password_reset = true;
            # port = 465;
            ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
            # smtp_encryption = "TLS";
          };
          # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
        };
      };
      sops.secrets.FORGEJO_JWT_SECRET = { };
      sops.secrets.FORGEJO_INTERNAL_TOKEN = { };
      sops.secrets.FORGEJO_SECRET_KEY = { };
      services.forgejo = {
        enable = true;
        package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
        settings = {
          service.DISABLE_REGISTRATION = true;
          server.HTTP_ADDR = "127.0.0.1";
          server.START_SSH_SERVER = true;
          server.SSH_PORT = forgejoSshPort;
          server.ROOT_URL = "https://forgejo.${domain}";
          server.HTTP_PORT = 3001;
          # TODO: how do i get a 3072 length SSH key with the yubikey?
          "ssh.minimum_key_sizes".RSA = 2048;
        };
        secrets = {
          oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
          security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path;
          security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path;
        };
      };
      systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
      systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
      systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
      # combine a path watcher with a service that transfers the certs by caddy to kanidm
      # TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate
      systemd.paths.kanidm-tls-watch = {
        enable = true;
        requiredBy = [ "kanidm.service" ];
        pathConfig = {
          PathChanged = [
            "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
            "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
          ];
          Unit = "kanidm-tls-update.service";
        };
      };
      systemd.services.kanidm-tls-update =
        let
          dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
        in
        {
          enable = true;
          requiredBy = [ "kanidm.service" ];
          unitConfig = {
            # ConditionPathExists = [
            #   "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
            #   "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
            # ];
          };
          serviceConfig.Type = "oneshot";
          script =
            let
              tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
            in
            ''
              set -xe
              cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
              cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
              chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
              chmod 400 tls.{key,chain}
              # create the kanidm directory in case it's missing
              if [[ ! -d ${tlsDir} ]]; then
                mkdir -p ${tlsDir}
                chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
                chmod 700 ${tlsDir}
              fi
              mv tls.key ${config.services.kanidm.serverSettings.tls_key}
              mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
              if [[ ! -d ${dbDir} ]]; then
                mkdir -p ${dbDir}
                chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
                chmod 700 ${dbDir}
              fi
            '';
        };
      systemd.services.kanidm.serviceConfig =
        let
          dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
        in
        # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
        {
          # ExecStartPre = ''
          #   mkdir -p ${dbDir}
          # '';
          BindPaths = [
            dbDir
            # stateDir
          ];
        };
      services.kanidm =
        let
          dataDir = "/var/lib/kanidm";
        in
        {
          package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
          enablePam = false;
          enableClient = false;
          enableServer = true;
          serverSettings = {
            role = "WriteReplica";
            log_level = "debug";
            domain = "kanidm.${domain}";
            origin = "https://kanidm.${domain}";
            bindaddress = "127.0.0.1:8444";
            # don't expose ldap
            # ldapbindaddress = "[::1]:6636";
            tls_key = "${dataDir}/tls/tls.key";
            tls_chain = "${dataDir}/tls/tls.chain";
            online_backup = {
              schedule = "00 06 * * *";
            };
          };
        };
    };
  inherit autoStart;
@ -253,10 +453,17 @@ in {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap";
      isReadOnly = false;
    };
  };
-  # extraFlags = ["--resolv-conf=bind-host"];
+    "/var/lib/forgejo" = {
-  # networking.useHostResolvConf = true;
+      hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo";
      isReadOnly = false;
    };
    "/var/lib/kanidm" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm";
      isReadOnly = false;
    };
  };
  privateNetwork = true;
  forwardPorts = [
@ -272,7 +479,14 @@ in {
      hostPort = httpsPort;
      protocol = "tcp";
    }
    {
      # forgejo ssh
      containerPort = forgejoSshPort;
      hostPort = forgejoSshPort;
      protocol = "tcp";
    }
  ];
-  inherit hostAddress localAddress;
+  inherit hostBridge hostAddress localAddress;
 }
--- a/nix/os/containers/webserver_secrets.yaml
+++ b/nix/os/containers/webserver_secrets.yaml
@ -1,41 +1,45 @@
-hedgedoc_environment_file: ENC[AES256_GCM,data:uBaATOTIkCkboAfaB7d6G2G4AfKszipQe+mc0XPJHik30wLppCKpEc61ELLbiZ1xGaOEWKUSMHc0GyBapykrgEe0UUYJ0Ukpq9bj9/J2VC7BLu1ABbr+pWpJR68+IOKY2GWlioSDIL6JwaGIjLV5sLrUjJgtwzAYrqAU13VS5RVHtGtz+7TgwHIJADoec+jSRhkh82g198eaAUbKyAFB9yhXFWgq6ozh8RgtkYKAP7LXIuyJt9BYJoNQ,iv:MCMJph0W1PC0n9h7xhPMxtJINQP+QRBf2anzXEzydwc=,tag:zj2o+/JpBRTYgYpSMJedPw==,type:str]
+hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str]
 authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str]
 authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str]
 lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str]
 lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str]
 lldap_environmentFile: ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str]
 #ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment]
 FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str]
 FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str]
 FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str]
 sops:
-    kms: []
+  kms: []
-    gcp_kms: []
+  gcp_kms: []
-    azure_kv: []
+  azure_kv: []
-    hc_vault: []
+  hc_vault: []
-    age:
+  age:
-        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+    - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh
-            U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh
+        U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh
-            YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP
+        YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP
-            eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
+        eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
-            KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
+        KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-17T11:48:04Z"
+  lastmodified: "2024-10-16T12:28:51Z"
-    mac: ENC[AES256_GCM,data:Bgmm5+IrFdnTG907cZe0cnSmbWLyNDVYyABFj5eRuGsYCthclRM9WEKktvJg2RVYcND39IEH/FiFR/Hxf5YgrUcU7HKEXKzn7U4AGcREh2tb5EVTELjAJ4e00omNoD1gmFOklRS9AWce1g03AGzfbzM68enpDUkxWWTU2FOPei8=,iv:A9V4EsMAIoEs7j/eWy06Y9RExz+N/PT70TBNSViswKc=,tag:287n8ygaEj/40vh1x2IQig==,type:str]
+  mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str]
-    pgp:
+  pgp:
-        - created_at: "2023-07-09T17:51:27Z"
+    - created_at: "2023-07-09T17:51:27Z"
-          enc: |-
+      enc: |-
-            -----BEGIN PGP MESSAGE-----
+        -----BEGIN PGP MESSAGE-----
-            wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD
+        wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD
-            gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO
+        gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO
-            8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+
+        8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+
-            XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w
+        XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w
-            YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku
+        YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku
-            bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI
+        bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI
-            F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i
+        F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i
-            g+ZF+9NNqOTKsBzEnuGsZRnI
+        g+ZF+9NNqOTKsBzEnuGsZRnI
-            =iXfo
+        =iXfo
-            -----END PGP MESSAGE-----
+        -----END PGP MESSAGE-----
-          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+      fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
-    unencrypted_suffix: _unencrypted
+  unencrypted_suffix: _unencrypted
-    version: 3.7.3
+  version: 3.8.1
--- a/nix/os/devices/default.nix
+++ b/nix/os/devices/default.nix
@ -1,20 +1,25 @@
 {
  dir,
-  pkgs ? import <channels-nixos-stable> {},
+  pkgs ? import <channels-nixos-stable> { },
-  ownLib ? import ../lib/default.nix {inherit (pkgs) lib;},
+  ownLib ? import ../lib/default.nix { inherit (pkgs) lib; },
  gitRoot ? "$(git rev-parse --show-toplevel)",
  # FIXME: why do these need explicit mentioning?
  moreargs ? "",
  rebuildarg ? "",
  ...
-} @ args: let
+}@args:
-  rebuildargsSudo = ["switch" "boot"];
+let
-  rebuild = {
+  rebuildargsSudo = [
-    gitRoot,
+    "switch"
-    rebuildarg ? "dry-activate",
+    "boot"
-    moreargs ? "",
+  ];
-    ...
+  rebuild =
-  }:
+    {
      gitRoot,
      rebuildarg ? "dry-activate",
      moreargs ? "",
      ...
    }:
    pkgs.writeScript "script" ''
      #!/usr/bin/env bash
      set -xe
@ -30,25 +35,24 @@
      ${
        if
-          (builtins.elem rebuildarg rebuildargsSudo)
+          (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null
-          && (builtins.match ".*--target-host.*" moreargs) == null
+        then
-        then "sudo -E \\"
+          "sudo -E \\"
-        else ""
+        else
          ""
      }
      nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
    '';
-in {
+in
-  recipes =
+{
-    {
+  recipes = {
-      rebuild =
+    rebuild = rebuild {
-        rebuild {
+      inherit gitRoot;
-          inherit gitRoot;
+      inherit moreargs;
-          inherit moreargs;
+      inherit rebuildarg;
          inherit rebuildarg;
        }
        # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
        # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
        ;
    }
-    // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;}));
+    # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
    # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
    ;
  } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; }));
 }
--- a/nix/os/devices/disk.nix
+++ b/nix/os/devices/disk.nix
@ -3,40 +3,29 @@
  ownLib,
  dir,
  gitRoot,
-  diskId ?
+  diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId,
    (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
      {})
    .hardware
    .opinionatedDisk
    .diskId,
  encrypted ?
-    (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
+    (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted,
      {})
    .hardware
    .opinionatedDisk
    .encrypted,
  previousDiskId ? "",
  ...
-}: let
+}:
 let
  mntRootVol = "/mnt/${diskId}-root";
-in rec {
+in
 rec {
  diskMount = pkgs.writeScript "script" ''
    #!/usr/bin/env bash
    set -xe
    echo Mounting ${diskId}
    ${pkgs.lib.strings.optionalString encrypted ''
-      sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
+      sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
        ownLib.disk.luksName diskId
      }
    ''}
    sleep 1
    sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
    sudo mkdir -p /mnt
    sudo mkdir ${mntRootVol}
    sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
-    sudo mount ${
+    sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home
      ownLib.disk.rootFsDevice diskId
    } ${mntRootVol}/nixos/home -o subvol=home
    sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
  '';
@ -73,9 +62,7 @@ in rec {
    #!/usr/bin/env bash
    set -xe
-    read -p "Continue to format ${
+    read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice
      ownLib.disk.bootGrubDevice diskId
    } (YES/n)? " choice
    case "$choice" in
      YES ) echo "Continuing in 3 seconds..."; sleep 3;;
      n|N ) echo "Exiting..."; exit 0;;
@ -122,15 +109,11 @@ in rec {
    ${pkgs.lib.strings.optionalString encrypted ''
      # Encrypt
      sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
-      sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
+      sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
        ownLib.disk.luksName diskId
      }
    ''}
    # LVM
-    sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${
+    sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted}
      ownLib.disk.lvmPv diskId encrypted
    }
    sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
    sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@ -154,9 +137,7 @@ in rec {
    #!/usr/bin/env bash
    set -xe
-    read -p "Continue to relabel ${
+    read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
      ownLib.disk.bootGrubDevice diskId
    } (YES/n)?" choice
    case "$choice" in
      YES ) echo "Continuing in 3 seconds..."; sleep 3;;
      n|N ) echo "Exiting..."; exit 0;;
@ -187,13 +168,9 @@ in rec {
    if test "${previousDiskId}"; then
-      ${
+      ${pkgs.lib.strings.optionalString encrypted ''
-      pkgs.lib.strings.optionalString encrypted ''
+        sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
-        sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
+      ''}
          ownLib.disk.luksName diskId
        }
      ''
    }
      sync
      sleep 1
      if sudo vgs ${previousDiskId}; then
--- a/nix/os/devices/elias-e525/boot.nix
+++ b/nix/os/devices/elias-e525/boot.nix
@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
 {
  boot.loader.grub.efiSupport = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 }
--- a/nix/os/devices/elias-e525/configuration.nix
+++ b/nix/os/devices/elias-e525/configuration.nix
@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
 {
  imports = [
    ../../profiles/common/configuration.nix
    ../../profiles/graphical/configuration.nix
--- a/nix/os/devices/elias-e525/default.nix
+++ b/nix/os/devices/elias-e525/default.nix
@ -3,17 +3,17 @@
  repoFlake,
  nodeFlake,
  ...
-}: let
+}:
 let
  system = "x86_64-linux";
-in {
+in
 {
  meta.nodeSpecialArgs.${nodeName} = {
    inherit repoFlake nodeName nodeFlake;
    packages' = repoFlake.packages.${system};
  };
-  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
+  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
    inherit system;
  };
  ${nodeName} = {
    deployment.targetHost = "elias-e525.lan";
--- a/nix/os/devices/elias-e525/flake.nix
+++ b/nix/os/devices/elias-e525/flake.nix
@ -6,5 +6,5 @@
    inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = _: {};
+  outputs = _: { };
 }
--- a/nix/os/devices/elias-e525/hw.nix
+++ b/nix/os/devices/elias-e525/hw.nix
@ -1,4 +1,4 @@
-{...}: {
+_: {
  # TASK: new device
  hardware.opinionatedDisk = {
    enable = true;
--- a/nix/os/devices/elias-e525/pkg.nix
+++ b/nix/os/devices/elias-e525/pkg.nix
@ -1,8 +1,5 @@
-{
+{ pkgs, lib, ... }:
-  pkgs,
+let
  lib,
  ...
 }: let
  homeEnv = keyboard: {
    imports = [
      ../../../home-manager/profiles/common.nix
@ -22,26 +19,27 @@
      rustdesk
    ];
  };
-in {
+in
-  services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
+{
  services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
    gnome-remote-desktop.enable = true;
  };
  home-manager.users.steveej = homeEnv {
    layout = "en";
-    options = ["nodeadkey"];
+    options = [ "nodeadkey" ];
    variant = "altgr-intl";
  };
  home-manager.users.elias = homeEnv {
    layout = "de";
-    options = [];
+    options = [ ];
    variant = "";
  };
  home-manager.users.justyna = homeEnv {
    layout = "de";
-    options = [];
+    options = [ ];
    variant = "";
  };
--- a/nix/os/devices/elias-e525/system.nix
+++ b/nix/os/devices/elias-e525/system.nix
@ -1,10 +1,5 @@
 { pkgs, lib, ... }:
 {
  pkgs,
  lib,
  config,
  ...
 }: let
 in {
  # TASK: new device
  networking.hostName = "elias-e525"; # Define your hostname.
@ -38,11 +33,13 @@ in {
    # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
  };
-  security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
+  security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
-  services.xserver.videoDrivers = ["modesetting"];
+  services.xserver.videoDrivers = [ "modesetting" ];
  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
-  nix.gc = {automatic = true;};
+  nix.gc = {
    automatic = true;
  };
 }
--- a/nix/os/devices/elias-e525/user.nix
+++ b/nix/os/devices/elias-e525/user.nix
@ -1,12 +1,9 @@
-{
+{ config, pkgs, ... }:
-  config,
+let
  pkgs,
  lib,
  ...
 }: let
  keys = import ../../../variables/keys.nix;
-  inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
+  inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
-in {
+in
 {
  sops.secrets.sharedUsers-elias = {
    sopsFile = ../../../../secrets/shared-users.yaml;
    neededForUsers = true;
--- a/nix/os/devices/fwhost1/boot.nix
+++ b/nix/os/devices/fwhost1/boot.nix
@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
 {
  boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
  boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 }
--- a/nix/os/devices/fwhost1/configuration.nix
+++ b/nix/os/devices/fwhost1/configuration.nix
@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
 {
  imports = [
    ../../profiles/common/configuration.nix
    ../../modules/opinionatedDisk.nix
--- a/nix/os/devices/fwhost1/hw.nix
+++ b/nix/os/devices/fwhost1/hw.nix
@ -1,5 +1,4 @@
-{...}: let
+_: {
 in {
  # TASK: new device
  hardware.opinionatedDisk = {
    enable = true;
--- a/nix/os/devices/fwhost1/pkg.nix
+++ b/nix/os/devices/fwhost1/pkg.nix
@ -1,17 +1,17 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
-  nixpkgs.config.packageOverrides = pkgs:
+{
-    with pkgs; {
+  nixpkgs.config.packageOverrides =
-      nixPath =
+    pkgs: with pkgs; {
-        (import ../../../default.nix {
+      inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
          versionsPath = ./versions.nix;
        })
        .nixPath;
    };
  home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
    inherit pkgs;
  };
-  environment.systemPackages = with pkgs; [iw wirelesstools];
+  environment.systemPackages = with pkgs; [
    iw
    wirelesstools
  ];
  system.stateVersion = "21.11";
 }
--- a/nix/os/devices/fwhost1/system.nix
+++ b/nix/os/devices/fwhost1/system.nix
@ -1,12 +1,8 @@
-{
+{ pkgs, lib, ... }:
-  pkgs,
+let
  lib,
  config,
  ...
 }: let
  keys = import ../../../variables/keys.nix;
  passwords = import ../../../variables/passwords.crypt.nix;
-in {
+in
 {
  # TASK: new device
  networking.hostName = "fwhost1"; # Define your hostname.
@ -21,11 +17,14 @@ in {
  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;
-  networking.bridges.breth.interfaces = ["eth0" "eth1"];
+  networking.bridges.breth.interfaces = [
    "eth0"
    "eth1"
  ];
  networking.bridges.breth.rstp = true;
  networking.defaultGateway.address = "172.172.171.10";
-  networking.nameservers = ["172.172.171.10"];
+  networking.nameservers = [ "172.172.171.10" ];
  # WAN interfaces, currently unused because the OPNsense guest acts as a router.
  networking.vlans.wan1.id = 3;
--- a/nix/os/devices/fwhost1/user.nix
+++ b/nix/os/devices/fwhost1/user.nix
@ -1,9 +1 @@
-{
+_: { }
  config,
  pkgs,
  ...
 }: let
  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
  inherit (import ../../lib/default.nix {}) mkUser;
 in {}
--- a/nix/os/devices/fwhost1/versions.nix
+++ b/nix/os/devices/fwhost1/versions.nix
@ -4,9 +4,12 @@ let
    ref = "nixos-21.11";
    rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
  };
-in {
+in
 {
  inherit nixpkgs;
-  nixos = nixpkgs // {suffix = "/nixos";};
+  nixos = nixpkgs // {
    suffix = "/nixos";
  };
  "channels-nixos-stable" = nixpkgs;
  "channels-nixos-unstable" = {
--- a/nix/os/devices/fwhost1/versions.tmpl.nix
+++ b/nix/os/devices/fwhost1/versions.tmpl.nix
@ -6,9 +6,12 @@ let
      <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
      ' -%>'';
  };
-in {
+in
 {
  inherit nixpkgs;
-  nixos = nixpkgs // {suffix = "/nixos";};
+  nixos = nixpkgs // {
    suffix = "/nixos";
  };
  "channels-nixos-stable" = nixpkgs;
  "channels-nixos-unstable" = {
--- a/nix/os/devices/fwhost2/boot.nix
+++ b/nix/os/devices/fwhost2/boot.nix
@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
 {
  boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
  boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 }
--- a/nix/os/devices/fwhost2/configuration.nix
+++ b/nix/os/devices/fwhost2/configuration.nix
@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
 {
  imports = [
    ../../profiles/common/configuration.nix
    ../../modules/opinionatedDisk.nix
--- a/nix/os/devices/fwhost2/hw.nix
+++ b/nix/os/devices/fwhost2/hw.nix
@ -1,5 +1,4 @@
-{...}: let
+_: {
 in {
  # TASK: new device
  hardware.opinionatedDisk = {
    enable = true;
--- a/nix/os/devices/fwhost2/pkg.nix
+++ b/nix/os/devices/fwhost2/pkg.nix
@ -1,17 +1,17 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
-  nixpkgs.config.packageOverrides = pkgs:
+{
-    with pkgs; {
+  nixpkgs.config.packageOverrides =
-      nixPath =
+    pkgs: with pkgs; {
-        (import ../../../default.nix {
+      inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
          versionsPath = ./versions.nix;
        })
        .nixPath;
    };
  home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
    inherit pkgs;
  };
-  environment.systemPackages = with pkgs; [iw wirelesstools];
+  environment.systemPackages = with pkgs; [
    iw
    wirelesstools
  ];
  system.stateVersion = "21.11";
 }
--- a/nix/os/devices/fwhost2/system.nix
+++ b/nix/os/devices/fwhost2/system.nix
@ -1,13 +1,8 @@
-{
+{ pkgs, lib, ... }:
-  pkgs,
+let
  lib,
  config,
  utils,
  ...
 }: let
  keys = import ../../../variables/keys.nix;
  passwords = import ../../../variables/passwords.crypt.nix;
-in {
+in
 {
  # TASK: new device
  networking.hostName = "fwhost2"; # Define your hostname.
@ -22,11 +17,14 @@ in {
  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;
-  networking.bridges.breth.interfaces = ["eth0" "eth1"];
+  networking.bridges.breth.interfaces = [
    "eth0"
    "eth1"
  ];
  networking.bridges.breth.rstp = true;
  networking.defaultGateway.address = "172.172.171.10";
-  networking.nameservers = ["172.172.171.10"];
+  networking.nameservers = [ "172.172.171.10" ];
  # WAN interfaces, currently unused because the OPNsense guest acts as a router.
  networking.vlans.wan1.id = 3;
--- a/nix/os/devices/fwhost2/user.nix
+++ b/nix/os/devices/fwhost2/user.nix
@ -1,12 +1,4 @@
-{
+_: {
  config,
  pkgs,
  ...
 }: let
  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
  # users.extraUsers.steveej2 = mkUser {
  #   uid = 1001;
  #   openssh.authorizedKeys.keys = keys.users.steveej.openssh;
--- a/nix/os/devices/fwhost2/versions.nix
+++ b/nix/os/devices/fwhost2/versions.nix
@ -4,9 +4,12 @@ let
    ref = "nixos-21.11";
    rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
  };
-in {
+in
 {
  inherit nixpkgs;
-  nixos = nixpkgs // {suffix = "/nixos";};
+  nixos = nixpkgs // {
    suffix = "/nixos";
  };
  "channels-nixos-stable" = nixpkgs;
  "channels-nixos-unstable" = {
--- a/Show more
+++ b/Show more