flake.lock: Update

Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/e8e8d9a3a9c1d0e654ccda7834bf0288a9d15c47' (2024-07-18) → 'github:nix-community/disko/bec6e3cde912b8acb915fecdc509eda7c973fb42' (2024-07-19) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/bb90787ea034c8b9035dfcfc9b4dc23898d414be' (2024-07-18) → 'github:NixOS/nixos-hardware/ab165a8a6cd12781d76fe9cbccb9e975d0fb634f' (2024-07-19) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/c716603a63aca44f39bef1986c13402167450e0a' (2024-07-17) → 'github:NixOS/nixpkgs/0c53b6b8c2a3e46c68e04417e247bba660689c9d' (2024-07-19) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/ad0b5eed1b6031efaed382844806550c3dcb4206' (2024-07-16) → 'github:NixOS/nixpkgs/1d9c2c9b3e71b9ee663d11c5d298727dace8d374' (2024-07-19)
Enable mautrix-signal bridge
2024-07-20 21:42:06 +01:00 · 2024-07-20 12:55:42 +01:00 · 2024-07-20 12:55:08 +01:00 · 2024-07-19 08:51:13 +01:00 · 2024-07-17 21:40:32 +01:00 · 2024-07-17 21:00:09 +01:00
25 changed files with 815 additions and 287 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1716561646,
-        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
+        "lastModified": 1720546205,
+        "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
+        "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
        "type": "github"
      },
      "original": {
@@ -66,11 +66,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1715699772,
-        "narHash": "sha256-sKhqIgucN5sI/7UQgBwsonzR4fONjfMr9OcHK/vPits=",
+        "lastModified": 1718194053,
+        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "b3ea6f333f9057b77efd9091119ba67089399ced",
+        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
        "type": "github"
      },
      "original": {
@@ -88,11 +88,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1713532798,
-        "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
+        "lastModified": 1717408969,
+        "narHash": "sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
+        "rev": "1ebbe68d57457c8cae98145410b164b5477761f4",
        "type": "github"
      },
      "original": {
@@ -108,11 +108,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1717177033,
-        "narHash": "sha256-G3CZJafCO8WDy3dyA2EhpUJEmzd5gMJ2IdItAg0Hijw=",
+        "lastModified": 1721417620,
+        "narHash": "sha256-6q9b1h8fI3hXg2DG6/vrKWCeG8c5Wj2Kvv22RCgedzg=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "0274af4c92531ebfba4a5bd493251a143bc51f3c",
+        "rev": "bec6e3cde912b8acb915fecdc509eda7c973fb42",
        "type": "github"
      },
      "original": {
@@ -124,11 +124,11 @@
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1716813977,
-        "narHash": "sha256-8fabA8OY1n2OcJFbbE03+bMydVANSBrNGo8hkzhXxxU=",
+        "lastModified": 1721276923,
+        "narHash": "sha256-HJKuwVvi+yGv+8n9Ez4EwaJA0B79JRss9J30vpgy/GI=",
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
-        "rev": "8171c0578feb835ce66d49edba7429f46b7ac3f6",
+        "rev": "cc70ec20e2775df7cd2bccdd20dcdecc3e0a733b",
        "type": "github"
      },
      "original": {
@@ -207,11 +207,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715865404,
-        "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
+        "lastModified": 1719994518,
+        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
+        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
        "type": "github"
      },
      "original": {
@@ -220,21 +220,6 @@
        "type": "github"
      }
    },
-    "flake-root": {
-      "locked": {
-        "lastModified": 1713493429,
-        "narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=",
-        "owner": "srid",
-        "repo": "flake-root",
-        "rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "srid",
-        "repo": "flake-root",
-        "type": "github"
-      }
-    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_4"
@@ -267,11 +252,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716213921,
-        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
+        "lastModified": 1721038330,
+        "narHash": "sha256-DyIGJ+DEnKeGd346YJCwjmp9hXwiYq8wqGtikgbDqSc=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
+        "rev": "622291c026190caf13cb26f5136616b1ff0a07aa",
        "type": "github"
      },
      "original": {
@@ -283,11 +268,11 @@
    "gitea-github-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1715978309,
-        "narHash": "sha256-L9FYLtrK8Lm/wBeafb6eTRL5l2BYov6X6nJOL6rYZvY=",
+        "lastModified": 1717248105,
+        "narHash": "sha256-BwSsIkl7DpN/c8HNXOh2aKjOuPmFsGybv4RegOC7Xq0=",
        "ref": "main",
-        "rev": "1b61f3f5cb38a1198d0a525d059a5a1905f2cfca",
-        "revCount": 96,
+        "rev": "4f829f88e6f443ff048c4d337bd010315aa4b50a",
+        "revCount": 101,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/gitea-github-theme.git"
      },
@@ -347,11 +332,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716736833,
-        "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
+        "lastModified": 1720042825,
+        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
+        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
        "type": "github"
      },
      "original": {
@@ -369,19 +354,36 @@
        ]
      },
      "locked": {
-        "lastModified": 1717052710,
-        "narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=",
+        "lastModified": 1720042825,
+        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae",
+        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
+        "ref": "release-24.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
+    "kvlibadwaita": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1710621848,
+        "narHash": "sha256-xBl6zmpqTAH5MIT5iNAdW6kdOcB5MY0Dtrb95hdYpwA=",
+        "owner": "GabePoel",
+        "repo": "KvLibadwaita",
+        "rev": "87c1ef9f44ec48855fd09ddab041007277e30e37",
+        "type": "github"
+      },
+      "original": {
+        "owner": "GabePoel",
+        "repo": "KvLibadwaita",
+        "type": "github"
+      }
+    },
    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
@@ -390,11 +392,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716993688,
-        "narHash": "sha256-vo5k2wQekfeoq/2aleQkBN41dQiQHNTniZeVONWiWLs=",
+        "lastModified": 1720845312,
+        "narHash": "sha256-yPhAsJTpyoIPQZJGC8Fw8W2lAXyhLoTn+HP20bmfkfk=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "c0d5b8c54d6828516c97f6be9f2d00c63a363df4",
+        "rev": "5ce8503cf402cf76b203eba4b7e402bea8e44abc",
        "type": "github"
      },
      "original": {
@@ -405,11 +407,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1716987116,
-        "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=",
+        "lastModified": 1721413321,
+        "narHash": "sha256-0GdiQScDceUrVGbxYpV819LHesK3szHOhJ09e6sgES4=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "8251761f93d6f5b91cee45ac09edb6e382641009",
+        "rev": "ab165a8a6cd12781d76fe9cbccb9e975d0fb634f",
        "type": "github"
      },
      "original": {
@@ -425,18 +427,20 @@
        "nixpkgs": [
          "nixpkgs"
        ],
+        "nixpkgs-24_05": "nixpkgs-24_05",
        "utils": "utils_2"
      },
      "locked": {
-        "lastModified": 1714720456,
-        "narHash": "sha256-e0WFe1BHqX23ADpGBc4ZRu38Mg+GICCZCqyS6EWCbHc=",
+        "lastModified": 1718084203,
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "41059fc548088e49e3ddb3a2b4faeb5de018e60f",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-24.05",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
@@ -457,13 +461,28 @@
        "type": "github"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-24_05": {
      "locked": {
-        "lastModified": 1716948383,
-        "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
+        "lastModified": 1717144377,
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-24.05",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1721379653,
+        "narHash": "sha256-8MUgifkJ7lkZs3u99UDZMB4kbOxvMEXQZ31FO3SopZ0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1d9c2c9b3e71b9ee663d11c5d298727dace8d374",
        "type": "github"
      },
      "original": {
@@ -490,11 +509,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1717144377,
-        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
+        "lastModified": 1721409541,
+        "narHash": "sha256-b6PLr0Ty7JPDBtJtjnYzlBf02bbH9alWMAgispMkTwk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
+        "rev": "0c53b6b8c2a3e46c68e04417e247bba660689c9d",
        "type": "github"
      },
      "original": {
@@ -508,7 +527,6 @@
        "devshell": "devshell",
        "flake-compat": "flake-compat_3",
        "flake-parts": "flake-parts",
-        "flake-root": "flake-root",
        "git-hooks": "git-hooks",
        "home-manager": "home-manager_3",
        "nix-darwin": "nix-darwin",
@@ -518,19 +536,43 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1717188043,
-        "narHash": "sha256-qg8Tq7OcKtc0BS4RVUYrMZ+KofgMv6DiXOnqz7TN8CA=",
+        "lastModified": 1721045803,
+        "narHash": "sha256-dQGvOK+t45unF7DTp5bfO37hY0NkDUw6X3MH5CCTEAs=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "1bbd58b6b293840716355e63fb3d5aa5af00d389",
+        "rev": "eef2f4c6b190d92e296e47e5fe10e7ced65fd959",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
+        "ref": "nixos-24.05",
        "repo": "nixvim",
        "type": "github"
      }
    },
+    "plasma-manager": {
+      "inputs": {
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1720992717,
+        "narHash": "sha256-8j1bZVfKT1vJ0e+U7NYRNBG+DdBj5C/tpwe5krxT4/4=",
+        "owner": "nix-community",
+        "repo": "plasma-manager",
+        "rev": "460b48dc3dcd05df568e27cbb90581d23baec8dc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "plasma-manager",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "agenix": "agenix",
@@ -539,11 +581,13 @@
        "firefox-gnome-theme": "firefox-gnome-theme",
        "gitea-github-theme": "gitea-github-theme",
        "home-manager": "home-manager_2",
+        "kvlibadwaita": "kvlibadwaita",
        "nixos-hardware": "nixos-hardware",
        "nixos-mailserver": "nixos-mailserver",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nixvim": "nixvim",
+        "plasma-manager": "plasma-manager",
        "secrets": "secrets",
        "thunderbird-gnome-theme": "thunderbird-gnome-theme"
      }
@@ -551,11 +595,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1716018239,
-        "narHash": "sha256-Ai13Sbj4DzuQSIrX2rjO0PG6PPpmvfwbCpTxX0kB7FI=",
+        "lastModified": 1720459643,
+        "narHash": "sha256-X71/NplPXPe9pCvrd9ELpnYBEYtju4+x3LA7S5I1GXM=",
        "ref": "refs/heads/master",
-        "rev": "c2adb575ca3a816287c7d8f3c23cde6dfd316e6f",
-        "revCount": 19,
+        "rev": "f8d68b934f4380ecbc6365b4ef7f7c632833d1aa",
+        "revCount": 21,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
      },
@@ -627,11 +671,11 @@
    "thunderbird-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1710774977,
-        "narHash": "sha256-nQBz2PW3YF3+RTflPzDoAcs6vH1PTozESIYUGAwvSdA=",
+        "lastModified": 1721309490,
+        "narHash": "sha256-Xheela/OazoNH9YjP9IgC3hzxQdnPHRQMeH9yW7xl2c=",
        "owner": "rafaelmardojai",
        "repo": "thunderbird-gnome-theme",
-        "rev": "65d5c03fc9172d549a3ea72fd366d544981a002b",
+        "rev": "1c89a500dd35b7746ef1fde104a1baf809c2b59a",
        "type": "github"
      },
      "original": {
@@ -648,11 +692,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715940852,
-        "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
+        "lastModified": 1720930114,
+        "narHash": "sha256-VZK73b5hG5bSeAn97TTcnPjXUXtV7j/AtS4KN8ggCS0=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
+        "rev": "b92afa1501ac73f1d745526adc4f89b527595f14",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -23,15 +23,24 @@
      url = "git+ssh://git@git.vimium.com/jordan/gitea-github-theme.git?ref=main";
      flake = false;
    };
+    kvlibadwaita = {
+      url = "github:GabePoel/KvLibadwaita";
+      flake = false;
+    };
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    nixos-mailserver = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixvim = {
-      url = "github:nix-community/nixvim";
+      url = "github:nix-community/nixvim/nixos-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    plasma-manager = {
+      url = "github:nix-community/plasma-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
    secrets = {
      url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";
      flake = false;
@@ -42,7 +51,7 @@
    };
  };

-  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, nixos-mailserver, secrets, ... }:
+  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, nixos-mailserver, ... }:
    let
      mkPkgsForSystem = system: inputs.nixpkgs;
      overlays = [
@@ -77,6 +86,7 @@
                nixpkgs.pkgs = import nixpkgs {
                  inherit overlays system;
                  config.allowUnfree = true;
+                  config.nvidia.acceptLicense = true;
                };
                networking.hostName = name;
              })
--- a/hosts/atlas/default.nix
+++ b/hosts/atlas/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:

 {
  imports = [
@@ -16,6 +16,9 @@
    networkmanager.enable = true;
  };

+  virtualisation.virtualbox.host.enable = true;
+  users.extraGroups.vboxusers.members = [ "jordan" ];
+
  modules = {
    desktop = {
      apps = {
--- a/hosts/desktop.nix
+++ b/hosts/desktop.nix
@@ -30,6 +30,7 @@
      "nocto"
      "ro"
      "x-systemd.automount"
+      "x-systemd.requires=tailscaled.service"
      "noauto"
    ];
  };
--- a/hosts/hypnos/default.nix
+++ b/hosts/hypnos/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:

 {
  imports = [
@@ -14,13 +14,26 @@

  networking.hostId = "cf791898";

+  # nvidia 470 driver doesn't work with Wayland
+  services = {
+    xserver = {
+      displayManager.gdm.wayland = lib.mkForce false;
+      videoDrivers = [ "nvidia" ];
+    };
+    displayManager = {
+      defaultSession = if config.modules.desktop.kde.enable then "plasmax11" else "gnome-xorg";
+      sddm.wayland.enable = lib.mkForce false;
+    };
+  };
+
+  # Workaround for label rendering bug in GTK4 with nvidia 470 driver
+  environment.sessionVariables.GSK_RENDERER = "gl";
+
  modules = {
    desktop = {
      browsers = {
        firefox.enable = true;
      };
-      gnome.enable = lib.mkForce false;
-      kde.enable = true;
      media.recording = {
        audio.enable = true;
      };
--- a/hosts/hypnos/hardware-configuration.nix
+++ b/hosts/hypnos/hardware-configuration.nix
@@ -8,13 +8,10 @@
  boot = {
    initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
    kernelModules = [ "applesmc" "kvm-intel" "wl" ];
-    kernelPatches = [
-      {
-        name = "spoof-mac-os-x";
-        patch = ./0001-Add-apple_set_os-EFI-boot-service.patch;
-      }
+    extraModulePackages = [
+      config.boot.kernelPackages.broadcom_sta
+      config.boot.kernelPackages.nvidiaPackages.legacy_470
    ];
-    extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
  };

  networking.useDHCP = lib.mkDefault true;
@@ -23,19 +20,19 @@

  hardware = {
    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    nvidia = {
+      package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+      modesetting.enable = true;
+      powerManagement.enable = true;
+    };
    opengl = {
      enable = true;
      extraPackages = with pkgs; [
-        intel-vaapi-driver
-        intel-media-driver
        libvdpau-va-gl
      ];
      driSupport = true;
+      driSupport32Bit = true;
    };
  };
-
-  environment.variables = {
-    VDPAU_DRIVER = "va_gl";
-  };
 }

--- a/hosts/library/default.nix
+++ b/hosts/library/default.nix
@@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:

-with lib.my;
 {
  imports = [
    ./hardware-configuration.nix
@@ -22,7 +21,6 @@ with lib.my;
        22  # SSH
      ];
    };
-    networkmanager.enable = true;
  };

  services.zfs = {
@@ -44,6 +42,17 @@ with lib.my;
    enable = true;
  };

+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        domain = "library.mesh.vimium.net";
+        http_addr = "0.0.0.0";
+        http_port = 3000;
+      };
+    };
+  };
+
  services.prometheus = {
    enable = true;
    port = 9001;
@@ -60,7 +69,7 @@ with lib.my;
    };
    scrapeConfigs = [
      {
-        job_name = "library";
+        job_name = "node";
        static_configs = [{
          targets = [
            "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
@@ -146,7 +155,19 @@ with lib.my;
    };
  };

-  services.jellyfin.enable = true;
+  hardware.opengl = {
+    enable = true;
+    extraPackages = with pkgs; [
+      vaapiVdpau
+    ];
+    driSupport = true;
+  };
+  users.users.jellyfin.extraGroups = [ "video" "render" ];
+  services.jellyfin = {
+    enable = true;
+    cacheDir = "/var/cache/jellyfin";
+    dataDir = "/var/lib/jellyfin";
+  };

  modules = {
    podman.enable = true;
@@ -160,6 +181,7 @@ with lib.my;
      borgmatic = {
        enable = true;
        directories = [
+          config.services.jellyfin.dataDir
          "/home/jordan"
        ];
        repoPath = "ssh://b61758r4@b61758r4.repo.borgbase.com/./repo";
--- a/hosts/odyssey/default.nix
+++ b/hosts/odyssey/default.nix
@@ -67,6 +67,7 @@
        audio.enable = true;
        video.enable = true;
      };
+      office.libreoffice.enable = true;
    };
    dev = {
      node.enable = true;
--- a/hosts/odyssey/hardware-configuration.nix
+++ b/hosts/odyssey/hardware-configuration.nix
@@ -19,6 +19,7 @@
    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    nvidia = {
      modesetting.enable = true;
+      package = config.boot.kernelPackages.nvidiaPackages.beta;
      powerManagement.enable = true;
    };
  };
--- a/hosts/server.nix
+++ b/hosts/server.nix
@@ -18,13 +18,13 @@
        webroot = "/var/lib/acme/acme-challenge";
      };
    };
-    auditd.enable = true;
-    audit = {
-      enable = true;
-      rules = [
-        "-a exit,always -F arch=b64 -S execve"
-      ];
-    };
+    # auditd.enable = true;
+    # audit = {
+    #   enable = true;
+    #   rules = [
+    #     "-a exit,always -F arch=b64 -S execve"
+    #   ];
+    # };
  };

  systemd = {
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -1,4 +1,7 @@
-{ config, lib, pkgs, inputs, ... }:
+{
+  lib,
+  ...
+}:

 {
  imports = [
@@ -40,7 +43,8 @@

  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

-  modules = {
+  modules = rec {
+    databases.postgresql.enable = true;
    services = {
      borgmatic = {
        enable = true;
@@ -51,10 +55,21 @@
        ];
        repoPath = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo";
      };
-      coturn.enable = true;
+      coturn = {
+        enable = true;
+        realm = "turn.vimium.com";
+        matrixIntegration = true;
+      };
      gitea.enable = true;
      headscale.enable = true;
-      matrix-synapse.enable = true;
+      matrix-synapse = {
+        enable = true;
+        usePostgresql = databases.postgresql.enable;
+        bridges = [
+          "signal"
+          "whatsapp"
+        ];
+      };
      nginx.enable = true;
      photoprism.enable = true;
    };
--- a/modules/databases/postgresql.nix
+++ b/modules/databases/postgresql.nix
@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.modules.databases.postgresql;
+in {
+  options.modules.databases.postgresql = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+      initdbArgs = [
+        "--allow-group-access"
+        "--encoding=UTF8"
+        "--locale=C"
+      ];
+      settings = {
+        log_connections = true;
+        log_disconnections = true;
+        log_destination = lib.mkForce "syslog";
+      };
+    };
+
+    services.borgmatic.settings = {
+      postgresql_databases = [
+        {
+          name = "all";
+        }
+      ];
+    };
+  };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -2,7 +2,9 @@
  imports = [
    ./options.nix
    ./podman.nix
+    ./databases/postgresql.nix
    ./desktop/gnome.nix
+    ./desktop/forensics.nix
    ./desktop/hyprland.nix
    ./desktop/kde.nix
    ./desktop/mimeapps.nix
@@ -10,6 +12,7 @@
    ./desktop/apps/slack.nix
    ./desktop/apps/thunderbird.nix
    ./desktop/apps/zoom.nix
+    ./desktop/browsers/brave.nix
    ./desktop/browsers/firefox.nix
    ./desktop/gaming/emulators.nix
    ./desktop/gaming/lutris.nix
--- a/modules/desktop/browsers/brave.nix
+++ b/modules/desktop/browsers/brave.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, inputs, ... }:
+
+let cfg = config.modules.desktop.browsers.brave;
+in {
+  options.modules.desktop.browsers.brave = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    user.packages = with pkgs; [
+      brave
+    ];
+  };
+}
--- a/modules/desktop/browsers/firefox.nix
+++ b/modules/desktop/browsers/firefox.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, inputs, ... }:

 let cfg = config.modules.desktop.browsers.firefox;
 in {
@@ -35,23 +35,79 @@ in {

          ## Preferences
          "browser.ctrlTab.sortByRecentlyUsed" = true;
+          "browser.discovery.enabled" = false;
+          "browser.download.open_pdf_attachments_inline" = true;
+          "browser.menu.showViewImageInfo" = true;
          "browser.newtabpage.enabled" = false;
+          "browser.newtabpage.activity-stream.showSponsored" = false;
+          "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+          "browser.newtabpage.activity-stream.default.sites" = "";
+          "browser.privatebrowsing.forceMediaMemoryCache" = true;
          "browser.search.widget.inNavBar" = true;
          "browser.startup.page" = 3;
          "browser.startup.homepage" = "https://www.vimium.com";
          "browser.toolbars.bookmarks.visibility" = "never";
+          "browser.uitour.enabled" = false;
+          "browser.urlbar.suggest.engines" = false;
+          "browser.urlbar.suggest.calculator" = true;
+          "browser.urlbar.trending.featureGate" = false;
+          "browser.urlbar.unitConversion.enabled" = true;
+          "cookiebanners.service.mode" = 1;
+          "cookiebanners.service.mode.privateBrowsing" = 1;
+          "network.IDN_show_punycode" = true;
+
+          ## Performance
+          "browser.cache.jsbc_compression_level" = 3;
+          "content.notify.interval" = 100000;
+          "dom.enable_web_task_scheduling" = true;
+          "dom.security.sanitizer.enabled" = true;
+          "gfx.canvas.accelerated.cache-items" = 4096;
+          "gfx.canvas.accelerated.cache-size" = 512;
+          "gfx.content.skia-font-cache-size" = 20;
+          "gfx.webrender.all" = true;
+          "gfx.webrender.compositor" = true;
+          "gfx.webrender.enable" = true;
+          "image.mem.decode_bytes_at_a_time" = 32768;
+          "layers.acceleration.force-enabled" = true;
+          "layout.css.grid-template-masonry-value.enabled" = true;
+          "media.ffmpeg.vaapi.enabled" = true;
+          "media.memory_cache_max_size" = 65536;
+          "media.cache_readahead_limit" = 7200;
+          "media.cache_resume_threshold" = 3600;
+          "network.dns.disablePrefetch" = true;
+          "network.dns.disablePrefetchFromHTTPS" = true;
+          "network.dnsCacheExpiration" = 3600;
+          "network.http.max-connections" = 1800;
+          "network.http.max-persistent-connections-per-server" = 10;
+          "network.http.max-urgent-start-excessive-connections-per-host" = 5;
+          "network.http.pacing.requests.enabled" = false;
+          "network.predictor.enabled" = false;
+          "network.prefetch-next" = false;
+          "network.ssl_tokens_cache_capacity" = 10240;
+          "pdfjs.enableScripting" = false;
+          "security.mixed_content.block_display_content" = true;

          ## Experiments
          "app.normandy.enabled" = false;
          "app.normandy.api_url" = "";
          "app.normandy.user_id" = "";
+          "app.shield.optoutstudies.enabled" = false;
+          "browser.shopping.experience2023.active" = false;
+          "browser.shopping.experience2023.enabled" = false;
          "extensions.screenshots.disabled" = true;
          "extensions.screenshots.upload-disabled" = true;
          "experiments.supported" = false;
          "experiments.enabled" = false;
          "experiments.manifest.uri" = "";
          "network.allow-experiments" = false;
-          "privacy.trackingprotection.enabled" = false;
+
+          ## Privacy
+          "dom.private-attribution.submission.enabled" = false;
+          # "privacy.resistFingerprinting" = true;
+          "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts" = false;
+          "privacy.trackingprotection.enabled" = true;
+          "privacy.trackingprotection.pbmode.enabled" = true;
+          "privacy.userContext.enabled" = true;

          ## Geo
          "geo.enabled" = false;
@@ -104,6 +160,28 @@ in {
          "privacy.firstparty.isolate" = true;
          "privacy.firstparty.isolate.restrict_opener_access" = true;

+          ## Telemetry
+          "beacon.enabled" = false;
+          "browser.newtabpage.activity-stream.feeds.telemetry" = false;
+          "browser.newtabpage.activity-stream.telemetry" = false;
+          "browser.send_pings" = false;
+          "datareporting.policy.dataSubmissionEnabled" = false;
+          "datareporting.healthReport.uploadEnabled" = false;
+          "toolkit.coverage.opt-out" = true;
+          "toolkit.coverage.endpoint.base" = "";
+          "toolkit.telemetry.archive.enabled" = false;
+          "toolkit.telemetry.bhrPing.enabled" = false;
+          "toolkit.telemetry.coverage.opt-out" = true;
+          "toolkit.telemetry.enabled" = false;
+          "toolkit.telemetry.firstShutdownPing.enabled" = false;
+          "toolkit.telemetry.hybridContent.enabled" = false;
+          "toolkit.telemetry.newProfilePing.enabled" = false;
+          "toolkit.telemetry.reportingPolicy.firstRun" = false;
+          "toolkit.telemetry.server" = "data:,";
+          "toolkit.telemetry.shutdownPingSender.enabled" = false;
+          "toolkit.telemetry.unified" = false;
+          "toolkit.telemetry.updatePing.enabled" = false;
+
          ## Pocket/Hello
          "loop.enabled" = false;
          "loop.feedback.baseUrl" = "";
@@ -125,6 +203,10 @@ in {
          "browser.pocket.useLocaleList" = false;
          "brwoser.pocket.enabledLocales" = "";

+          ## Plugins
+          "plugin.state.flash" = 0;
+          "plugin.state.java" = 0;
+
          ## Misc
          "browser.selfsupport.url" = "";
        };
--- a/modules/desktop/forensics.nix
+++ b/modules/desktop/forensics.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.modules.desktop.forensics;
+in {
+  options.modules.desktop.forensics = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    user.packages = with pkgs; [
+      acquire
+      afflib
+      autopsy
+      fatcat
+      foremost
+      hstsparser
+      networkminer
+      sleuthkit
+      testdisk-qt
+      tracee
+    ];
+  };
+}
--- a/modules/desktop/gnome.nix
+++ b/modules/desktop/gnome.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, inputs, lib, pkgs, ... }:

 let cfg = config.modules.desktop.gnome;
 in {
@@ -21,28 +21,89 @@ in {

    programs.dconf.enable = true;
    dconf.settings = {
+      "io/github/celluloid-player/celluloid" = {
+        draggable-video-area-enable = true;
+      };
+      "org/gnome/desktop/interface" = {
+        color-scheme = "prefer-dark";
+        cursor-theme = "Adwaita";
+        enable-hot-corners = false;
+        font-name = "Cantarell 11";
+        gtk-theme = "adw-gtk3-dark";
+        icon-theme = "MoreWaita";
+        monospace-font-name = "UbuntuMono Nerd Font 11";
+        toolbar-style = "both-horiz";
+      };
+      "org/gnome/desktop/peripherals/touchpad" = {
+        tap-to-click = true;
+      };
+      "org/gnome/desktop/sound" = {
+        theme-name = "freedesktop";
+      };
+      "org/gnome/desktop/search-providers" = {
+        disabled = [ "org.gnome.Epiphany.desktop" ];
+      };
+      "org/gnome/desktop/wm/keybindings" = {
+        switch-group = [ "<Super>grave" ];
+        switch-group-backward = [ "<Shift><Super>grave" ];
+      };
+      "org/gnome/desktop/wm/preferences" = {
+        button-layout = "appmenu:close";
+      };
+      "org/gnome/gnome-session" = {
+        auto-save-session = true;
+      };
+      "org/gnome/gnome-system-monitor" = {
+        show-dependencies = true;
+      };
+      "org/gnome/mutter" = {
+        center-new-windows = true;
+        edge-tiling = true;
+        experimental-features = [ "scale-monitor-framebuffer" ];
+      };
+      "org/gnome/settings-daemon/plugins/media-keys" = {
+        volume-up = [
+          "<Shift>F12"
+          "XF86AudioRaiseVolume"
+        ];
+        volume-down = [
+          "<Shift>F11"
+          "XF86AudioLowerVolume"
+        ];
+      };
      "org/gnome/shell" = {
        disable-user-extensions = false;
        enabled-extensions = [
-          # "another-window-session-manager@gmail.com"
+          "appindicatorsupport@rgcjonas.gmail.com"
+          # "arcmenu@arcmenu.com"
          "blur-my-shell@aunetx"
+          # "browser-tabs@com.github.harshadgavali"
          "burn-my-windows@schneegans.github.com"
+          "clipboard-indicator@tudmotu.com"
+          "CoverflowAltTab@palatis.blogspot.com"
+          # "dash-to-panel@jderose9.github.com"
          # "desktop-cube@schneegans.github.com"
-          # "desktop-zoom@colin.kinlo.ch"
+          # "EasyScreenCast@iacopodeenosee.gmail.com"
          "espresso@coadmunkee.github.com"
-          # "flypie@schneegans.github.com"
+          "flypie@schneegans.github.com"
          # "forge@jmmaranan.com"
-          "hue-lights@chlumskyvaclav@gmail.com"
+          "gsconnect@andyholmes.github.io"
+          # "gSnap@micahosborne"
+          # "hidetopbar@mathieu.bidon.ca"
          "just-perfection-desktop@just-perfection"
+          # "mediacontrols@cliffniff.github.com"
+          # "mousefollowsfocus@matthes.biz"
          # "pano@elhan.io"
          # "paperwm@hedning:matrix.org"
+          "pip-on-top@rafostar.github.com"
+          # "rounded-window-corners@yilozt"
          # "search-light@icedman.github.com"
-          "space-bar@luchrioh"
          # "smart-auto-move@khimaros.com"
-          # "systemd-manager@hardpixel.eu"
-          # "tailscale-status@maxgallup.github.com"
+          "space-bar@luchrioh"
          # "tiling-assistant@leleat-on-github"
          "Vitals@CoreCoding.com"
+          "windowIsReady_Remover@nunofarruca@gmail.com"
+          # "worksets@blipk.xyz"
          # "wsmatrix@martin.zurowietz.de"
        ];
        favorite-apps = [
@@ -50,9 +111,6 @@ in {
          "org.gnome.Nautilus.desktop"
        ];
      };
-      "org/gnome/shell/extensions/another-window-session-manager" = {
-        enable-autorestore-sessions = true;
-      };
      "org/gnome/shell/extensions/blur-my-shell/panel" = {
        static-blur = true;
      };
@@ -64,8 +122,14 @@ in {
        glide-open-effect = true;
        glide-close-effect = true;
      };
-      "org/gnome/shell/extensions/desktop-zoom" = {
-        mag-factor-delta = 0.07;
+      "org/gnome/shell/extensions/dash-to-panel" = {
+        intellihide = true;
+        panel-positions = ''
+          {"0":"TOP"}
+        '';
+        trans-panel-opacity = 0.3;
+        trans-use-custom-opacity = true;
+        trans-use-dynamic-opacity = true;
      };
      "org/gnome/shell/extensions/espresso" = {
        enable-fullscreen = true;
@@ -75,18 +139,32 @@ in {
          "com.obsproject.Studio.desktop"
        ];
      };
-      "org/gnome/shell/extensions/paperwm" = {
-        use-default-background = true;
+      "org/gnome/shell/extensions/flypie" = {
+        preview-on-right-side = true;
      };
      "org/gnome/shell/extensions/forge" = {
        window-gap-size = 8;
        window-gap-hidden-on-single = false;
      };
+      "org/gnome/shell/extensions/hidetopbar" = {
+        mouse-sensitive = true;
+        mouse-sensitive-fullscreen-window = true;
+        enable-active-window = false;
+      };
      "org/gnome/shell/extensions/just-perfection" = {
        activities-button = false;
        window-demands-attention-focus = true;
        workspace-wrap-around = true;
      };
+      "org/gnome/shell/extensions/paperwm" = {
+        use-default-background = true;
+      };
+      "org/gnome/shell/extensions/pip-on-top" = {
+        stick = true;
+      };
+      "org/gnome/shell/extensions/search-light" = {
+        popup-at-cursor-monitor = true;
+      };
      "org/gnome/shell/extensions/space-bar/behavior" = {
        enable-activate-workspace-shortcuts = true;
        show-empty-workspaces = true;
@@ -99,15 +177,10 @@ in {
        screen-left-gap = 8;
        window-gap = 8;
      };
-      "org/gnome/desktop/background" = {
-        picture-uri = "file://${pkgs.gnome.gnome-backgrounds}/share/backgrounds/gnome/adwaita-l.jxl";
-        picture-uri-dark = "file://${pkgs.gnome.gnome-backgrounds}/share/backgrounds/gnome/adwaita-d.jxl";
-      };
-      "org/gnome/desktop/peripherals/touchpad" = {
-        tap-to-click = true;
-      };
-      "org/gnome/desktop/search-providers" = {
-        disabled = [ "org.gnome.Epiphany.desktop" ];
+      "org/gnome/Console" = {
+        font-scale = 1.4;
+        use-system-font = false;
+        custom-font = "ComicShannsMono Nerd Font 10";
      };
      "org/gtk/settings/file-chooser" = {
        show-hidden = true;
@@ -117,44 +190,18 @@ in {
        show-hidden = true;
        sort-directories-first = true;
      };
-      "org/gnome/settings-daemon/plugins/media-keys" = {
-        volume-up = [
-          "<Shift>F12"
-          "XF86AudioRaiseVolume"
-        ];
-        volume-down = [
-          "<Shift>F11"
-          "XF86AudioLowerVolume"
-        ];
-      };
-      "org/gnome/gnome-session" = {
-        auto-save-session = true;
-      };
-      "org/gnome/gnome-system-monitor" = {
-        show-dependencies = true;
-      };
-      "org/gnome/Console" = {
-        font-scale = 1.4;
-        use-system-font = false;
-        custom-font = "ComicShannsMono Nerd Font 10";
-      };
-      "org/gnome/mutter" = {
-        center-new-windows = true;
-        edge-tiling = true;
-        experimental-features = [ "scale-monitor-framebuffer" ];
-      };
-      "org/gnome/desktop/interface" = {
-        enable-hot-corners = false;
-        icon-theme = "MoreWaita";
-        monospace-font-name = "UbuntuMono Nerd Font 11";
-      };
-      "org/gnome/desktop/wm/keybindings" = {
-        switch-group = [ "<Super>grave" ];
-        switch-group-backward = [ "<Shift><Super>grave" ];
-      };
-      "io/github/celluloid-player/celluloid" = {
-        draggable-video-area-enable = true;
+    };
+
+    environment.sessionVariables = {
+      QT_STYLE_OVERRIDE = lib.mkForce "kvantum";
+      QT_WAYLAND_DECORATION = lib.mkForce "adwaita";
+    };
+
+    home.configFile = {
+      "Kvantum/kvantum.kvconfig".text = lib.generators.toINI {} {
+        General.theme = "KvLibadwaitaDark";
      };
+      "Kvantum/KvLibadwaita".source = "${inputs.kvlibadwaita}/src/KvLibadwaita";
    };

    user.packages = with pkgs; [
@@ -165,6 +212,7 @@ in {
      # d-spy
      # drawing
      # fragments
+      gnome.dconf-editor
      gnome.ghex
      # gnome-builder
      gnome-decoder
@@ -174,48 +222,60 @@ in {
      gnome-podcasts
      identity
      mission-center
+      mousam
      newsflash
      # schemes
      shortwave
-    ];
-
-    environment.systemPackages = with pkgs; [
-      adw-gtk3
-      gnome.gnome-boxes
-      gnomeExtensions.another-window-session-manager
-      # gnomeExtensions.bifocals
-      gnomeExtensions.blur-my-shell
-      gnomeExtensions.browser-tabs
-      gnomeExtensions.burn-my-windows
-      gnomeExtensions.desktop-cube
-      # gnomeExtensions.desktop-zoom
-      gnomeExtensions.espresso
-      gnome44Extensions."flypie@schneegans.github.com"
-      # gnomeExtensions.forge
-      # gnomeExtensions.gsnap
-      gnomeExtensions.hue-lights
-      gnomeExtensions.just-perfection
-      # gnomeExtensions.mutter-primary-gpu
-      gnomeExtensions.pano
-      gnomeExtensions.paperwm
-      # gnomeExtensions.pip-on-top
-      gnomeExtensions.rounded-window-corners
-      gnomeExtensions.search-light
-      gnomeExtensions.smart-auto-move
-      gnomeExtensions.space-bar
-      gnomeExtensions.systemd-manager
-      gnomeExtensions.tailscale-status
-      gnomeExtensions.tiling-assistant
-      # gnomeExtensions.todotxt
-      gnomeExtensions.vitals
-      # gnomeExtensions.window-is-ready-remover
-      # gnomeExtensions.worksets
-      # gnomeExtensions.workspace-matrix
-      unstable.morewaita-icon-theme
+      sysprof
    ] ++ (if config.virtualisation.podman.enable then [
      pods
    ] else []);

+    environment.systemPackages = with pkgs.unstable; [
+      adw-gtk3
+      kdePackages.qtstyleplugin-kvantum
+      libsForQt5.qtstyleplugin-kvantum
+      morewaita-icon-theme
+      nautilus-python
+      qadwaitadecorations
+      qadwaitadecorations-qt6
+
+      ## Shell extensions
+      gnomeExtensions.appindicator
+      gnomeExtensions.arcmenu
+      gnomeExtensions.blur-my-shell
+      gnomeExtensions.browser-tabs
+      gnomeExtensions.burn-my-windows
+      gnomeExtensions.clipboard-indicator
+      gnomeExtensions.coverflow-alt-tab
+      gnomeExtensions.dash-to-panel
+      gnomeExtensions.desktop-cube
+      gnomeExtensions.easyScreenCast
+      gnomeExtensions.espresso
+      gnomeExtensions.fly-pie
+      gnomeExtensions.forge
+      gnomeExtensions.gsconnect
+      gnomeExtensions.gsnap
+      gnomeExtensions.hide-top-bar
+      gnomeExtensions.just-perfection
+      gnomeExtensions.media-controls
+      gnomeExtensions.mouse-follows-focus
+      gnomeExtensions.pano
+      gnomeExtensions.paperwm
+      gnomeExtensions.pip-on-top
+      gnomeExtensions.rounded-window-corners
+      gnomeExtensions.search-light
+      gnomeExtensions.smart-auto-move
+      gnomeExtensions.space-bar
+      gnomeExtensions.tiling-assistant
+      # gnomeExtensions.tiling-shell
+      gnomeExtensions.todotxt
+      gnomeExtensions.vitals
+      gnomeExtensions.window-is-ready-remover
+      gnomeExtensions.worksets
+      gnomeExtensions.workspace-matrix
+    ];
+
    home.services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
  };
 }
--- a/modules/desktop/kde.nix
+++ b/modules/desktop/kde.nix
@@ -10,13 +10,15 @@ in {
  };

  config = lib.mkIf cfg.enable {
-    services.xserver = {
-      enable = true;
+    services = {
+      xserver = {
+        enable = true;
+      };
+      desktopManager.plasma6.enable = true;
      displayManager.sddm = {
        enable = true;
        wayland.enable = true;
      };
-      desktopManager.plasma5.enable = true;
    };

    networking.networkmanager.enable = true;
--- a/modules/desktop/office/libreoffice.nix
+++ b/modules/desktop/office/libreoffice.nix
@@ -1,6 +1,24 @@
 { config, lib, pkgs, ... }:

-let cfg = config.modules.desktop.office.libreoffice;
+let
+  cfg = config.modules.desktop.office.libreoffice;
+  # libreoffice-gtk4 = pkgs.libreoffice.override {
+  #   extraMakeWrapperArgs = [
+  #     "--set SAL_USE_VCLPLUGIN gtk4"
+  #   ];
+  #   unwrapped = pkgs.libreoffice-unwrapped.overrideAttrs (oldAttrs: {
+  #     buildInputs = oldAttrs.buildInputs ++ [
+  #       pkgs.gtk4
+  #     ];
+  #     configureFlags = oldAttrs.configureFlags ++ [
+  #       "--disable-werror"
+  #       "--enable-gtk4"
+  #     ];
+  #     passthru = oldAttrs.passthru // {
+  #       inherit (pkgs) gtk4;
+  #     };
+  #   });
+  # };
 in {
  options.modules.desktop.office.libreoffice = {
    enable = lib.mkOption {
--- a/modules/options.nix
+++ b/modules/options.nix
@@ -69,6 +69,7 @@ with lib;

      sharedModules = [
        inputs.nixvim.homeManagerModules.nixvim
+        inputs.plasma-manager.homeManagerModules.plasma-manager
      ];
    };

--- a/modules/services/coturn/default.nix
+++ b/modules/services/coturn/default.nix
@@ -1,60 +1,123 @@
-{ config, lib, pkgs, inputs, ... }:
-
-with lib;
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:

 let
  cfg = config.modules.services.coturn;
 in {
  options.modules.services.coturn = {
-    enable = mkOption {
+    enable = lib.mkOption {
      default = false;
      example = true;
    };
+    realm = lib.mkOption {
+      type = lib.types.str;
+      description = "The realm to be used by the TURN server.";
+      example = "turn.vimium.com";
+    };
+    matrixIntegration = lib.mkOption {
+      default = false;
+      description = "Configure the matrix-synapse module to use this TURN server.";
+      example = true;
+    };
  };

-  config = mkIf cfg.enable {
-    networking.firewall = {
+  config = lib.mkIf cfg.enable {
+    networking.firewall = let
+      range = with config.services.coturn; lib.singleton {
+        from = min-port;
+        to = max-port;
+      };
+    in {
      allowedTCPPorts = [
+        3478  # TURN listener
        5349  # STUN TLS
        5350  # STUN TLS alt
      ];
-      allowedUDPPortRanges = [
-        { from = 49152; to = 49999; } # TURN relay
+      allowedUDPPorts = [
+        3478  # TURN listener
+        5349  # TLS
+        5350  # TLS alt
      ];
+      allowedUDPPortRanges = range; # TURN peer relays
    };

    security.acme.certs = {
-      "turn.vimium.com" = {
+      "${config.services.coturn.realm}" = {
+        group = "turnserver";
        reloadServices = [ "coturn" ];
      };
    };

-    age.secrets."passwords/services/coturn/shared-secret" = {
-      file = "${inputs.secrets}/passwords/services/coturn/shared-secret.age";
-      owner = "turnserver";
-      group = "turnserver";
-    };
+    age.secrets = {
+      "passwords/services/coturn/static-auth-secret" = {
+        file = "${inputs.secrets}/passwords/services/coturn/static-auth-secret.age";
+        owner = "turnserver";
+        group = "turnserver";
+      };
+    } // (if cfg.matrixIntegration then {
+      "passwords/services/coturn/matrix-turn-config.yml" = {
+        file = "${inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age";
+        owner = "matrix-synapse";
+        group = "matrix-synapse";
+      };
+    } else {});

-    services.coturn = {
+    services.coturn = rec {
      enable = true;
-      lt-cred-mech = true;
+      realm = cfg.realm;
      use-auth-secret = true;
-      static-auth-secret-file = config.age.secrets."passwords/services/coturn/shared-secret".path;
-      realm = "turn.vimium.com";
-      relay-ips = [
-        "198.244.190.160"
-      ];
+      static-auth-secret-file = config.age.secrets."passwords/services/coturn/static-auth-secret".path;
+      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+      min-port = 49000;
+      max-port = 50000;
+      no-cli = true;
      no-tcp-relay = true;
      extraConfig = ''
        cipher-list="HIGH"
-        no-loopback-peers
        no-multicast-peers
+
+        # Ban private CIDR blocks
+        denied-peer-ip=0.0.0.0-0.255.255.255
+        denied-peer-ip=10.0.0.0-10.255.255.255
+        denied-peer-ip=100.64.0.0-100.127.255.255
+        denied-peer-ip=127.0.0.0-127.255.255.255
+        denied-peer-ip=169.254.0.0-169.254.255.255
+        denied-peer-ip=172.16.0.0-172.31.255.255
+        denied-peer-ip=192.0.0.0-192.0.0.255
+        denied-peer-ip=192.0.2.0-192.0.2.255
+        denied-peer-ip=192.88.99.0-192.88.99.255
+        denied-peer-ip=192.168.0.0-192.168.255.255
+        denied-peer-ip=198.18.0.0-198.19.255.255
+        denied-peer-ip=198.51.100.0-198.51.100.255
+        denied-peer-ip=203.0.113.0-203.0.113.255
+        denied-peer-ip=240.0.0.0-255.255.255.255
+        denied-peer-ip=::1
+        denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+        denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+        denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+        denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      '';
-      secure-stun = true;
-      cert = "/var/lib/acme/turn.vimium.com/fullchain.pem";
-      pkey = "/var/lib/acme/turn.vimium.com/key.pem";
-      min-port = 49152;
-      max-port = 49999;
+    };
+
+    services.matrix-synapse = lib.mkIf cfg.matrixIntegration {
+      settings = with config.services.coturn; {
+        turn_uris = [
+          "turn:${realm}:3478?transport=udp"
+          "turn:${realm}:3478?transport=tcp"
+        ];
+        turn_user_lifetime = "1h";
+      };
+      extraConfigFiles = [
+        config.age.secrets."passwords/services/coturn/matrix-turn-config.yml".path
+      ];
    };
  };
 }
--- a/modules/services/headscale/default.nix
+++ b/modules/services/headscale/default.nix
@@ -28,6 +28,18 @@ in {
        server_url = "https://${fqdn}";
        dns_config = {
          base_domain = "vimium.net";
+          extra_records = [
+            {
+              name = "grafana.mesh.vimium.net";
+              type = "A";
+              value = "100.64.0.6";
+            }
+            {
+              name = "home.mesh.vimium.net";
+              type = "A";
+              value = "100.64.0.7";
+            }
+          ];
        };
        logtail.enabled = false;
      };
--- a/modules/services/mail/default.nix
+++ b/modules/services/mail/default.nix
@@ -31,6 +31,7 @@ in {
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";
      '';
+      plugins = [ "contextmenu" ];
    };

    services.nginx.enable = true;
--- a/modules/services/matrix-synapse/default.nix
+++ b/modules/services/matrix-synapse/default.nix
@@ -1,58 +1,103 @@
-{ config, lib, pkgs, inputs, ... }:
-
-with lib;
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 let
  cfg = config.modules.services.matrix-synapse;
-  matrixClientConfig = {
-    "m.homeserver" = {
-      base_url = "https://matrix.vimium.com";
-      server_name = "vimium.com";
-    };
-    "m.identity_server" = {};
-  };
-  matrixServerConfig."m.server" = "matrix.vimium.com:443";
-  mkWellKnown = data: ''
-    more_set_headers 'Content-Type: application/json';
-    return 200 '${builtins.toJSON data}';
-  '';
+  validBridges = [
+    "signal"
+    "whatsapp"
+  ];
 in {
  options.modules.services.matrix-synapse = {
-    enable = mkOption {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+    enableElementWeb = lib.mkOption {
+      default = true;
+      example = false;
+    };
+    bridges = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "A list of bridges to configure with Synapse.";
+      example = [ "signal" "whatsapp" ];
+      default = [];
+      apply = bridges:
+        if lib.all (bridge: lib.elem bridge validBridges) bridges
+        then lib.map (b: "mautrix-${b}") bridges
+        else throw "Invalid bridge(s) specified. Valid bridges are: ${lib.concatStringsSep ", " validBridges}";
+    };
+    serverName = lib.mkOption {
+      type = lib.types.str;
+      default = "vimium.com";
+      example = "vimium.com";
+    };
+    usePostgresql = lib.mkOption {
      default = false;
      example = true;
    };
  };

-  config = mkIf cfg.enable {
+  config = let
+    mkBridgeDatabase = bridge: {
+      name = bridge;
+      ensureDBOwnership = true;
+    };
+    commonBridgeSettings = bridge: {
+      appservice = {
+        database = lib.mkIf cfg.usePostgresql {
+          type = "postgres";
+          uri = "postgresql:///${bridge}?host=/run/postgresql";
+        };
+      };
+      bridge = {
+        encryption = {
+          allow = true;
+          default = true;
+          require = true;
+        };
+        permissions = {
+          "${cfg.serverName}" = "user";
+          "@jordan:vimium.com" = "admin";
+        };
+        provisioning = {
+          shared_secret = "disable";
+        };
+      };
+      homeserver = {
+        address = "https://matrix.${cfg.serverName}";
+        domain = cfg.serverName;
+      };
+    };
+    matrixClientConfig = {
+      "m.homeserver" = {
+        base_url = "https://matrix.${cfg.serverName}";
+        server_name = cfg.serverName;
+      };
+      "m.identity_server" = {};
+    };
+    matrixServerConfig."m.server" = "matrix.${cfg.serverName}:443";
+    mkWellKnown = data: ''
+      more_set_headers 'Content-Type: application/json';
+      return 200 '${builtins.toJSON data}';
+    '';
+  in lib.mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [
      8448 # Matrix federation
    ];

    security.acme.certs = {
-      "matrix.vimium.com" = {
+      "matrix.${cfg.serverName}" = {
        reloadServices = [ "matrix-synapse" ];
      };
    };

    services.nginx.virtualHosts = {
-      "chat.vimium.com" = {
-        forceSSL = true;
-        enableACME = true;
-        root = pkgs.unstable.element-web.override {
-          conf = {
-            default_server_config = matrixClientConfig;
-            brand = "Vimium Chat";
-            branding = {
-              auth_header_logo_url = "https://vimium.com/images/logo.svg";
-              auth_footer_links = [
-                { "text" = "Vimium.com"; "url" = "https://vimium.com"; }
-              ];
-            };
-          };
-        };
-      };
-      "matrix.vimium.com" = {
+      "matrix.${cfg.serverName}" = {
        forceSSL = true;
        enableACME = true;
        listen = [
@@ -102,26 +147,77 @@ in {
          "/_synapse/client".proxyPass = "http://localhost:8008";
        };
      };
-      "vimium.com" = {
+      "${cfg.serverName}" = {
        locations."= /.well-known/matrix/server".extraConfig = (mkWellKnown matrixServerConfig);
        locations."= /.well-known/matrix/client".extraConfig = (mkWellKnown matrixClientConfig);
      };
-    };
+    } // (if cfg.enableElementWeb then {
+      "chat.${cfg.serverName}" = {
+        forceSSL = true;
+        enableACME = true;
+        root = pkgs.unstable.element-web.override {
+          conf = {
+            default_server_config = matrixClientConfig;
+            brand = "Vimium Chat";
+            branding = {
+              auth_header_logo_url = "https://vimium.com/images/logo.svg";
+              auth_footer_links = [
+                { "text" = "Vimium.com"; "url" = "https://vimium.com"; }
+              ];
+            };
+          };
+        };
+      };
+    } else {});

    services.matrix-synapse = {
      enable = true;
+      enableRegistrationScript = true;
      settings = {
-        database.name = "sqlite3";
+        database.name = (if cfg.usePostgresql then "psycopg2" else "sqlite3");
+        enable_metrics = false;
        enable_registration = false;
-        server_name = "vimium.com";
-        # turn_shared_secret = "???";
-        # turn_uris = [
-        #   "turn:turn.vimium.com:5349?transport=udp"
-        #   "turn:turn.vimium.com:5350?transport=udp"
-        #   "turn:turn.vimium.com:5349?transport=tcp"
-        #   "turn:turn.vimium.com:5350?transport=tcp"
-        # ];
+        max_upload_size = "100M";
+        report_stats = false;
+        server_name = cfg.serverName;
+        app_service_config_files = (lib.optional (lib.elem "mautrix-whatsapp" cfg.bridges)
+          "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml");
      };
    };
+    systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups =
+      (lib.optional (lib.elem "mautrix-whatsapp" cfg.bridges)
+        config.systemd.services.mautrix-whatsapp.serviceConfig.Group);
+
+    services.postgresql = lib.mkIf cfg.usePostgresql {
+      ensureUsers = [
+        {
+          name = "matrix-synapse";
+          ensureDBOwnership = true;
+        }
+      ] ++ lib.map mkBridgeDatabase cfg.bridges;
+      ensureDatabases = [
+        "matrix-synapse"
+      ] ++ cfg.bridges;
+    };
+
+    services.mautrix-signal = lib.mkIf (lib.elem "mautrix-signal" cfg.bridges) {
+      enable = true;
+      settings = commonBridgeSettings "mautrix-signal";
+    };
+
+    services.mautrix-whatsapp = lib.mkIf (lib.elem "mautrix-whatsapp" cfg.bridges) {
+      enable = true;
+      settings = {
+        bridge = {
+          history_sync = {
+            backfill = true;
+            max_initial_conversations = -1;
+            message_count = 50;
+            request_full_sync = true;
+          };
+          mute_bridging = true;
+        };
+      } // commonBridgeSettings "mautrix-whatsapp";
+    };
  };
 }
--- a/overlays/gnome.nix
+++ b/overlays/gnome.nix
@@ -4,7 +4,7 @@ self: super:
    mutter = gsuper.mutter.overrideAttrs (oldAttrs: {
      src = super.fetchurl {
        url = "https://gitlab.gnome.org/Community/Ubuntu/mutter/-/archive/triple-buffering-v4-46/mutter-triple-buffering-v4-46.tar.gz";
-        sha256 = "Rdao3TR6wG7YcpoD+nFFiCaE+97G0MreBgwsQJa3GCE=";
+        sha256 = "mmFABDsRMzYnLO3+Cf3CJ60XyUBl3y9NAUj+vs7nLqE=";
      };
    });
  });